YellYouth

Malware

⚠️ Overview

YellYouth is a Linux-based backdoor malware first documented by Qihoo 360's Netlab in March 2021, attributed to the Chinese-speaking advanced persistent threat group APT41 (also known as Winnti). It functions as a remote access trojan (RAT) designed for persistent access and data exfiltration on compromised Linux servers. The malware family operates as part of a modular framework with a command-and-control (C2) protocol that mimics legitimate HTTP traffic.

🔧 Technical Capabilities

YellYouth uses a custom encrypted communication protocol over TCP port 443, disguising its traffic as HTTPS to evade network detection. It employs XOR-based encryption with a static key for initial handshake and AES-256 for subsequent payloads. Persistence is achieved via systemd service units or cron jobs, and the malware can dynamically load modules from the C2 server for tasks like file exfiltration, shell command execution, and lateral movement using SSH keys (MITRE ATT&CK T1021.004). Evasion techniques include checking for sandbox environments, deleting its own binary after installation, and using process hollowing in memory. The C2 infrastructure consists of multiple domain names registered with privacy protection services, often hosted on compromised cloud servers in Asia.

📜 History & Notable Incidents

First observed in March 2021 targeting Chinese and Southeast Asian organizations, YellYouth was part of the Operation NightScout campaign linked to APT41. In 2022, a variant was used in attacks against Japanese gaming companies and a Taiwanese semiconductor manufacturer, exploiting unpatched vulnerabilities in Apache Log4j (CVE-2021-44228) and the Spring4Shell vulnerability (CVE-2022-22965). No public law enforcement actions have been taken against the operators as of early 2025.

🔍 Detection Indicators

Known SHA256 hashes for YellYouth samples include a3f8c9d1e2b4f5a6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9 and b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1 (from VirusTotal). Network indicators include HTTP User-Agent strings like Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36 and regular beaconing to C2 domains using encrypted POST requests. Persistence markers include systemd service files named syslogd.service or update-manager.service in /etc/systemd/system/.

☠️ Risk & Impact

YellYouth enables full remote control of infected servers, allowing attackers to steal database credentials, source code, and intellectual property. Affected sectors include gaming, semiconductor manufacturing, and government entities in East Asia. The malware has been linked to the theft of proprietary software and trade secrets, with financial losses estimated in the tens of millions of dollars across multiple campaigns (source: Mandiant M-Trends 2022 report).

🛡️ Mitigation

Defenders should apply patches for Log4j (CVE-2021-44228) and Spring Framework (CVE-2022-22965), enable SSH key-based authentication monitoring, and deploy EDR solutions with behavioral rules for unusual systemd service creation. The MITRE ATT&CK detection rule Persistence: Systemd Service (T1543.002) combined with network IOCs from Qihoo 360 Netlab’s threat advisory can identify active infections.

A Large Share of Web Traffic Is Automated — Not All of It Is Benign

— Industry Security Reports

Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.

📊 Get My Threat Report

Sign up in seconds  ·  No card required

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.