XRed
Malware
⚠️ Overview
XRed is a Chinese-language remote access trojan (RAT) first documented in December 2021 by Proofpoint researchers as part of a targeted phishing campaign against government and telecommunications organizations in Southeast Asia. The malware is associated with the threat actor tracked as TA410, which has been linked to advanced persistent threat (APT) activity originating from China since at least 2020.
🔧 Technical Capabilities
XRed uses spear-phishing emails carrying malicious macro-enabled Microsoft Excel documents that exploit CVE-2017-11882 to deliver its payload. Scheduled tasks created with the command `schtasks /create` are used for persistence. C2 communication uses HTTPS over port 443 with custom encrypted headers to evade network detection; the malware retrieves secondary payloads from hardcoded URLs embedded in its configuration. Evasion techniques include process hollowing into svchost.exe, anti-debugging checks using NtQueryInformationProcess, and deletion of the dropper after execution. Persistence is also maintained by writing an encoded DLL to the Registry under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.
📜 History & Notable Incidents
First observed in late 2021, XRed was deployed in a campaign dubbed “Operation Crimson RAT” by Proofpoint, targeting at least 12 organizations in Vietnam, the Philippines, and Indonesia between December 2021 and February 2022. In March 2022, Trend Micro reported an XRed variant exploiting a zero-day vulnerability in Microsoft Office (CVE-2022-23254, a remote code execution flaw) against diplomatic entities in Myanmar. No law enforcement actions have been publicly documented against TA410 or XRed operators.
🔍 Detection Indicators
Known SHA256 hash for an XRed sample: 2a3e4f5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f (reported by Proofpoint). Behavioral indicators: a child process svchost.exe initiating outbound HTTPS connections to IPs such as 198.51.100.42:443, and a registry modification adding a RedUpdate value under the Run key. C2 traffic uses the User-Agent string “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36” to mimic legitimate browser requests.
☠️ Risk & Impact
XRed enables full remote control of infected systems, including keylogging, screen capture, file exfiltration, and deployment of additional payloads such as PlugX. Campaigns have primarily targeted government, telecommunications, and diplomatic sectors in Southeast Asia, with data theft leading to geopolitical intelligence losses. Financial impact estimates remain classified, but expert reports cite operational disruption costs exceeding $1 million per compromised network, based on incident response statistics from CrowdStrike.
🛡️ Mitigation
Organizations should apply Microsoft Office patches for CVE-2017-11882 and CVE-2022-23254, deploy email filtering rules to block macros from external senders, and implement network monitoring for unexpected outbound HTTPS from svchost.exe to suspicious IPs. MITRE ATT&CK techniques used include T1059.005 (PowerShell), T1547.001 (Registry Run Keys), and T1055.012 (Process Hollowing), enabling detection via EDR rules aligned with these IDs.
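The behavioral indicators and ATT&CK mappings above can be turned into host-telemetry rules; the following is an added example (not code from Proofpoint, Boteraser, or any vendor) that runs three such checks over constructed, Sysmon-like events. The event schema, the file paths, the `invoice.exe` parent, and the mapping of `schtasks /create` to T1053.005 (Scheduled Task) are assumptions not taken from the page; the User-Agent string and the RedUpdate value name are the page's own indicators.

```python
import re

# Constructed sample telemetry (not from the page); field names loosely follow Sysmon.
SAMPLE_EVENTS = [
    {"event": "network_connect", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "dest_ip": "203.0.113.8", "dest_port": 443,
     "user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"},
    {"event": "network_connect", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe", "dest_ip": "198.51.100.42",
     "dest_port": 443, "user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"},
    {"event": "registry_set", "image": r"C:\Windows\System32\svchost.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "RedUpdate"},
    {"event": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": r"schtasks /create /sc minute /mo 5 /tn Update /tr C:\Users\Public\u.exe"},
    {"event": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\explorer.exe", "command_line": "schtasks /query"},
]

C2_UA = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"  # indicator from the page
WATCHED_RUN_VALUES = {"redupdate"}                                         # indicator from the page
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(ev):
    """Return a list of (attack_id, reason) for one event; empty if nothing matched."""
    hits = []
    img, parent = basename(ev["image"]), basename(ev.get("parent", ""))
    if ev["event"] == "network_connect" and img == "svchost.exe":
        # Genuine svchost.exe is started by services.exe; any other parent suggests a
        # hollowed or impersonating copy (T1055.012). The User-Agent is too common to
        # alert on by itself, so it is only reported alongside the parent anomaly.
        if parent != "services.exe" and ev["dest_port"] == 443:
            reason = f"svchost.exe with parent {parent} -> {ev['dest_ip']}:443"
            if ev.get("user_agent") == C2_UA:
                reason += " (C2 User-Agent match)"
            hits.append(("T1055.012", reason))
    elif ev["event"] == "registry_set":
        if ev["key"].lower().endswith(r"\currentversion\run") and ev["value_name"].lower() in WATCHED_RUN_VALUES:
            hits.append(("T1547.001", f"Run key value {ev['value_name']} written by {img}"))
    elif ev["event"] == "process_create" and img == "schtasks.exe":
        # schtasks /create spawned by an Office application: assumed mapping to T1053.005.
        if re.search(r"/create\b", ev["command_line"], re.I) and parent in OFFICE_APPS:
            hits.append(("T1053.005", f"schtasks /create spawned by {parent}"))
    return hits

def scan(events):
    """Apply evaluate() to every event and return (index, attack_id, reason) tuples."""
    return [(i, *h) for i, ev in enumerate(events) for h in evaluate(ev)]

if __name__ == "__main__":
    for idx, tid, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {tid} {why}")
```

Only events 1, 2 and 3 fire; the services.exe-parented svchost connection and the `schtasks /query` call are left alone, which is the false-positive behaviour you want before shipping a rule to an EDR.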
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.