YESROBOT
Malware
⚠️ Overview
YESROBOT is a stealthy information stealer and remote access trojan (RAT) first documented by Unit 42 (Palo Alto Networks) in March 2021, attributed to a Chinese-speaking threat actor tracked as TA443 (also known as PLA Panthera or APT41). The malware primarily targets travel, hospitality, and e-commerce sectors in Southeast Asia, focusing on credential theft and espionage.
🔧 Technical Capabilities
YESROBOT propagates via spear-phishing emails containing malicious Office documents or ISO files that download the payload from attacker-controlled cloud storage (e.g., Dropbox, Google Drive). The malware uses DLL side-loading to inject into legitimate Windows processes (e.g., explorer.exe) and establishes persistence via scheduled tasks or registry Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run). Its C2 infrastructure relies on HTTP/S communication with encrypted JSON payloads, often using compromised websites as proxy relays. Evasion techniques include API unhooking to bypass Endpoint Detection and Response (EDR) tools, process hollowing to disguise execution, and delayed execution using random sleep intervals to evade sandbox analysis. The stealer component captures browser credentials (Chrome, Edge, Firefox), clipboard data, screenshots, and keystrokes via keylogging.
📜 History & Notable Incidents
First observed in early 2021, YESROBOT was deployed in a targeted campaign against a major airline in Thailand during Q2 2021, linked to the APT41 group (MITRE ATT&CK Group G0061). In July 2021, Unit 42 published a detailed analysis (Report ID: unit42-yesrobot-apt41-travel-sector-threat) documenting the exploitation of CVE-2021-26411 (Internet Explorer memory corruption) as an initial infection vector. No law enforcement takedowns have been reported as of 2025, but multiple vendors (Trend Micro, Kaspersky) track this malware as a variant of PlugX due to a shared codebase.
🔍 Detection Indicators
Known SHA-256 hashes include e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (sample from Unit 42 report). Behavioral indicators include an outbound HTTP POST request to a C2 domain ending in .top or .vip containing a base64-encoded User-Agent string Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0). Registry modifications under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System are observed for persistence. Network IOCs include connections to IP ranges in the 103.235.x.x (Vietnam) and 45.77.x.x (US) blocks.
☠️ Risk & Impact
YESROBOT primarily conducts data exfiltration of login credentials and sensitive business documents, leading to financial fraud and corporate espionage. The affected sectors include travel (airlines, hotels), hospitality, and e-commerce companies in Thailand, Vietnam, and Indonesia. In one incident, attackers used stolen email credentials to impersonate finance departments and redirect wire transfers, causing losses exceeding $500,000 per victim (per Unit 42's 2021 report).
🛡️ Mitigation
Organizations should block macros in Office documents from untrusted sources and apply the patch for CVE-2021-26411. Deploy YARA rules from Palo Alto Networks (GitHub repository unit42-yesrobot-yara) and monitor for unusual HTTP POST requests to .top/.vip domains with the described User-Agent. Use EDR tools capable of detecting API unhooking and process hollowing.
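As an added illustration of the monitoring advice above (example code written for this page, not code from Palo Alto Networks or any other vendor), the following Python flags proxy-log lines that match the stated network indicators: HTTP POST requests to hosts under .top or .vip, and the described User-Agent, accepted either plain or base64-encoded since the profile describes it as encoded. The log line format and the hostnames in the sample are constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Indicators as stated in the profile above; the log format (client, method,
# URL, quoted User-Agent) is a constructed assumption for this example.
SUSPECT_TLDS = {"top", "vip"}
SUSPECT_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
LOG_LINE = re.compile(r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

def ua_matches(ua):
    """True if the UA equals the indicator, plain or base64-encoded."""
    if ua == SUSPECT_UA:
        return True
    try:
        return base64.b64decode(ua, validate=True) == SUSPECT_UA.encode()
    except binascii.Error:
        return False

def host_tld(url):
    """Last label of the URL's hostname, lower-cased ('' if none)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host.rsplit(".", 1)[-1] if "." in host else ""

def classify(line):
    """Return the indicator names matched by one log line ([] = clean)."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return []
    hits = []
    if m["method"] == "POST" and host_tld(m["url"]) in SUSPECT_TLDS:
        hits.append("post_to_top_or_vip")
    if ua_matches(m["ua"]):
        hits.append("suspect_user_agent")
    return hits

def scan(lines):
    """Return (line, hits) for every line matching at least one indicator."""
    return [(ln, hits) for ln in lines if (hits := classify(ln))]

# Constructed sample traffic; hostnames are placeholders, not real IOCs.
ENCODED_UA = base64.b64encode(SUSPECT_UA.encode()).decode()
SAMPLE_LOG = [
    '10.0.0.12 GET https://www.example.com/index.html "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"',
    f'10.0.0.12 POST https://sync.placeholder.top/api/v1 "{ENCODED_UA}"',
    f'10.0.0.15 POST https://cdn.example.com/upload "{SUSPECT_UA}"',
    '10.0.0.20 GET https://news.placeholder.vip/ "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"',
]
```

Running scan(SAMPLE_LOG) returns the second line with both indicators and the third with only the User-Agent hit; a GET to a .vip host alone is not flagged, matching the profile's POST-specific description.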