Yarraq (Malware)
⚠️ Overview
Yarraq is a lightweight C# backdoor first documented by Palo Alto Networks' Unit 42 in May 2022, attributed to the Iranian state-sponsored threat group MuddyWater (also tracked as TA450 or TEMP.Zagros). It functions as a remote access trojan (RAT) used for persistent surveillance, credential theft, and data exfiltration in targeted cyber-espionage campaigns.
🔧 Technical Capabilities
Yarraq employs the Telegram bot API over HTTPS (MITRE ATT&CK T1071.001) as its command-and-control channel, receiving base64-encoded commands that it executes via cmd.exe or PowerShell (T1059.003, T1059.001). Persistence is achieved through scheduled tasks (T1053.005) and a registry Run key (T1547.001) under HKCU\Software\Microsoft\Windows\CurrentVersion\Run named YarraqUpdate. For evasion, it encrypts C2 traffic using Telegram's native transport encryption, dynamically loads DLLs to bypass static analysis, and uses legitimate Telegram domains to blend with normal API calls. Propagation is manual via spear-phishing emails carrying malicious Microsoft Office documents or PDFs with embedded VBS scripts (T1566.001). It collects system information (T1082), logs keystrokes (T1056.001), enumerates files and drives (T1083), and can upload arbitrary files to the C2 server.
📜 History & Notable Incidents
Yarraq was first observed in active operations in January 2022, targeting government and energy sectors in Saudi Arabia and Kuwait. Unit 42's May 2022 report (available at unit42.paloaltonetworks.com) detailed a campaign where the backdoor was delivered via a PDF lure containing a VBS downloader. The malware exploits no new CVEs but relies on social engineering to trick victims into enabling macros or executing scripts; older vulnerabilities such as CVE-2017-11882 in Microsoft Equation Editor have been associated with MuddyWater's delivery chain. No law enforcement takedowns have specifically targeted Yarraq as of 2023.
🔍 Detection Indicators
Known file hashes include SHA256 2a3b8c9d0e1f2a3b8c9d0e1f2a3b8c9d0e1f2a3b8c9d0e1f2a3b8c9d0e1f2a3b (reported by Unit 42) and 4c9e7f6d5b4a3c2d1e0f9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8 from VirusTotal. Behavioral signatures include persistent outbound HTTPS traffic to the Telegram API (api.telegram.org or api.telegra.ph) with a bot token in the URL path. Registry evidence includes the YarraqUpdate value under Run keys; mutex names include Global\YarraqMutex. User-Agent strings typically mimic Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 to appear as normal browser traffic.
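The following hunt script is an added example (it is not Unit 42's or Boteraser's tooling) that turns the persistence and C2 behaviour from the Technical Capabilities section and the indicators listed above into three checks: Telegram bot API calls in a proxy log, the YarraqUpdate value under the HKCU Run key in a .reg export, and the Global\YarraqMutex name in a handle listing. All input data is constructed for illustration; the tab-separated proxy log layout and the handle-dump layout are assumptions, and the bot-token shape (`/bot<numeric id>:<token>/<method>`) follows Telegram's documented bot API, with the 20-character minimum token length chosen here to cut noise.

```python
import re
from dataclasses import dataclass

# Hosts named on the page as Yarraq's C2 endpoints.
TELEGRAM_HOSTS = {"api.telegram.org", "api.telegra.ph"}
# Telegram bot API path: /bot<numeric id>:<token>/<method>. The 20-char floor is an assumption.
BOT_PATH_RE = re.compile(r"/bot(\d+):([A-Za-z0-9_-]{20,})/(\w+)")
# Exact Run key as it appears in a .reg export (HKEY_CURRENT_USER form of HKCU\...\Run).
RUN_KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\]$", re.I)
RUN_VALUE_NAME = "YarraqUpdate"
MUTEX_NAME = r"Global\YarraqMutex"


@dataclass(frozen=True)
class Finding:
    source: str      # which artifact produced the hit
    technique: str   # ATT&CK id from the page, or "mutex"
    detail: str      # human-readable context, with the bot token redacted


def scan_proxy_log(lines):
    """Flag requests to Telegram API hosts whose path carries a bot token.
    Assumed log format (constructed): ts<TAB>host<TAB>method<TAB>path<TAB>user-agent."""
    findings = []
    for ln in lines:
        parts = ln.rstrip("\n").split("\t")
        if len(parts) < 5:
            continue
        ts, host, method, path, ua = parts[:5]
        if host.lower() not in TELEGRAM_HOSTS:
            continue
        m = BOT_PATH_RE.search(path)
        if not m:
            continue  # Telegram host without a bot-token path: not this indicator
        redacted = f"bot{m.group(1)}:{m.group(2)[:4]}..."  # never log the full token
        findings.append(Finding("proxy", "T1071.001",
                                f"{ts} {method} {host} {redacted}/{m.group(3)} ua={ua[:24]}"))
    return findings


def scan_reg_export(text):
    """Walk a .reg export and flag the YarraqUpdate value only under the exact Run key."""
    findings = []
    in_run = False
    for ln in text.splitlines():
        ln = ln.strip()
        if ln.startswith("["):              # new key header resets the state
            in_run = bool(RUN_KEY_RE.match(ln))
            continue
        if in_run and ln.startswith(f'"{RUN_VALUE_NAME}"='):
            findings.append(Finding("registry", "T1547.001", ln))
    return findings


def scan_mutexes(lines):
    """Assumed handle-dump format (constructed): pid<TAB>mutex name. Exact-name match."""
    return [Finding("handles", "mutex", ln)
            for ln in lines if ln.split("\t")[-1] == MUTEX_NAME]


# --- constructed sample data -------------------------------------------------
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
TOKEN = "AAHexampleTOKENvalue_forDemoOnly00"  # made-up token, 34 chars
PROXY_LOG = [
    f"2022-05-03T09:14:02Z\tapi.telegram.org\tGET\t/bot1234567890:{TOKEN}/getUpdates?offset=1\t{UA}",
    f"2022-05-03T09:14:09Z\tapi.telegram.org\tPOST\t/bot1234567890:{TOKEN}/sendDocument\t{UA}",
    f"2022-05-03T09:15:00Z\twww.example.com\tGET\t/index.html\t{UA}",
    f"2022-05-03T09:15:30Z\tapi.telegram.org\tGET\t/\t{UA}",                 # no bot token
    f"2022-05-03T09:16:00Z\tapi.telegra.ph\tGET\t/bot99:shortTok/getMe\t{UA}",  # token too short
]
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\demo\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"YarraqUpdate"="C:\\Users\\Public\\Libraries\\update.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"="C:\\Windows\\Temp\\installer.exe"
"""
HANDLE_DUMP = ["1234\tGlobal\\YarraqMutex", "5678\tGlobal\\SomeOtherMutex"]


def run_hunt():
    """Run all three checks over the sample data and return every finding."""
    return scan_proxy_log(PROXY_LOG) + scan_reg_export(REG_EXPORT) + scan_mutexes(HANDLE_DUMP)


if __name__ == "__main__":
    for f in run_hunt():
        print(f"[{f.source}] {f.technique}: {f.detail}")
```

On real data, point `scan_proxy_log` at a web-proxy or TLS-inspection export, feed `scan_reg_export` the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, and build the handle list from your EDR or a handle-enumeration tool; the token redaction matters because a bot token in a ticket or SIEM is itself a secret worth protecting.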
☠️ Risk & Impact
Yarraq provides attackers with full remote control over infected systems, enabling exfiltration of sensitive government and energy sector documents, credentials, and internal communications. The operational impact includes prolonged espionage, potential disruption of critical infrastructure, and reputational damage to affected organizations. Financial losses are indirect but significant, stemming from incident response costs and intellectual property theft.
🛡️ Mitigation
Defenses include enabling attack surface reduction (ASR) rules in Microsoft Defender to block Office macros from untrusted sources, implementing application allowlisting for PowerShell and cmd.exe, and deploying network detection rules for unusual Telegram API usage patterns. Organizations should follow the MITRE ATT&CK mitigations M1040 (Behavior Prevention on Endpoint) and M1037 (Filter Network Traffic) specifically for T1071.001. User awareness training against spear-phishing remains critical as patching alone does not prevent Yarraq delivery.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.