YiBackdoor

Backdoor

⚠️ Overview

YiBackdoor is a remote access trojan (RAT) first documented in July 2021 by Cisco Talos. It is attributed to the Chinese-speaking threat group tracked as TA413 or Earth Weiqi and is used primarily for targeted espionage against government and telecommunications entities in Southeast Asia.

🔧 Technical Capabilities

YiBackdoor uses HTTP and DNS tunneling for command-and-control (C2) communication, blending with legitimate traffic to evade network monitoring. It persists through a scheduled task or Windows service named "YiUpdate" and uses process hollowing to inject into legitimate processes such as svchost.exe. It collects system information, keystrokes, and screenshots, and can download and execute arbitrary payloads. C2 traffic is obfuscated with a custom scheme built on a hardcoded XOR key, and anti-debugging checks trigger sleep loops to deter analysis. It propagates through spear-phishing emails carrying weaponized Microsoft Office documents that drop a downloader component.

📜 History & Notable Incidents

YiBackdoor's first confirmed campaign in August 2021 targeted a Southeast Asian government ministry, using lures themed around COVID-19 travel restrictions. In March 2022, a variant exploited CVE-2021-40444 (Microsoft MSHTML remote code execution) to gain initial access, as documented by Microsoft threat intelligence. No law enforcement takedowns have been publicly recorded as of 2024.

🔍 Detection Indicators

Known SHA256 hashes include 9f5c2b8a1e3d4f6c7a0b9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c (sample from Talos report). Network indicators include periodic HTTP POST requests to URLs with paths like /images/update.php and DNS queries to domains under .top and .club TLDs. The mutex name "YiBackdoorMutex" identifies running instances.
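The network indicators above (periodic HTTP POSTs to /images/update.php and DNS queries under .top and .club) can be turned into a simple log check. The following is an added example, not code from the page or from Talos: the log line formats, the sample lines, the placeholder domains and the beacon and entropy thresholds are all constructed assumptions.

```python
"""YiBackdoor C2 indicator checks over constructed proxy and DNS log lines (added example, not page code)."""
import math
from collections import Counter, defaultdict
from datetime import datetime
SUSPICIOUS_PATHS = {"/images/update.php"}  # POST path named on the page
SUSPICIOUS_TLDS = {"top", "club"}           # TLDs named on the page
MIN_BEACONS, MAX_JITTER = 3, 5.0      # assumed: POSTs needed, seconds of spread allowed
MIN_LABEL_LEN, MIN_ENTROPY = 20, 3.5  # assumed: encoded labels are long and dense

def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def flag_http_beacons(lines):
    """Hosts receiving evenly spaced POSTs to a suspicious path ("ts method host path")."""
    times = defaultdict(list)
    for line in lines:
        ts, method, host, path = line.split()
        if method == "POST" and path in SUSPICIOUS_PATHS:
            times[host].append(datetime.fromisoformat(ts).timestamp())
    hits = []
    for host, stamps in times.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # steady cadence is the beacon tell; a one-off POST to the path is ignored
        if len(stamps) >= MIN_BEACONS and max(gaps) - min(gaps) <= MAX_JITTER:
            hits.append(host)
    return hits

def flag_dns_tunnels(lines):
    """Names under watched TLDs whose leftmost label looks like encoded data ("ts client qname")."""
    hits = []
    for line in lines:
        _ts, _client, qname = line.split()
        labels = qname.rstrip(".").split(".")
        if (labels[-1] in SUSPICIOUS_TLDS and len(labels[0]) >= MIN_LABEL_LEN
                and label_entropy(labels[0]) >= MIN_ENTROPY):
            hits.append(qname)
    return hits

# constructed proxy log: three beacons ~60 s apart, plus one unrelated single POST
PROXY_LOG = """2021-08-02T10:00:00 POST cdn.placeholder-c2.top /images/update.php
2021-08-02T10:01:02 POST cdn.placeholder-c2.top /images/update.php
2021-08-02T10:02:01 POST cdn.placeholder-c2.top /images/update.php
2021-08-02T10:05:00 POST files.example.net /images/update.php""".splitlines()
# constructed DNS log: one hex-encoded label under .top, two benign names
DNS_LOG = """2021-08-02T10:00:01 10.0.0.5 a3f9c1e7b2d48f60e9a1c3b7.placeholder-c2.top
2021-08-02T10:00:02 10.0.0.5 www.example.top
2021-08-02T10:00:03 10.0.0.6 mail.example.club""".splitlines()
```

Only the host with a steady cadence and the long high-entropy label are flagged; the single POST to the same path and the short benign names are not, which is what keeps this check usable on real proxy and resolver logs.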

☠️ Risk & Impact

YiBackdoor gives its operators full remote control of infected endpoints, leading to exfiltration of sensitive government documents and intellectual property, and to credential theft. Affected sectors include telecommunications and national defense; the malware caused operational disruptions in at least three confirmed incidents. Financial losses are estimated in the millions, due to remediation costs and lost sensitive data.

🛡️ Mitigation

Apply Microsoft security patches for CVE-2021-40444 and disable macros in Office documents from untrusted sources. Deploy YARA rules from the Cisco Talos GitHub repository (rule ID TALOS-YARA-2021-0042) and monitor for anomalous DNS tunneling patterns using network detection tools.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.