Yokai

⚠️ Overview

Yokai is a .NET-based remote access trojan (RAT) first publicly documented by Trend Micro in August 2023, attributed to the advanced persistent threat (APT) group tracked as Earth Kapre (also known as the Moriya group). The malware is designed to exfiltrate sensitive data and establish persistent backdoor access to compromised systems, primarily targeting government, military, and telecommunications sectors in Southeast Asia.

🔧 Technical Capabilities

Yokai uses Discord’s webhook API as its command-and-control (C2) infrastructure, sending exfiltrated data via HTTP POST requests to a Discord channel controlled by the operator. The malware achieves persistence through registry run keys (e.g., `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`) and scheduled tasks under the name "WindowsUpdate". It employs process hollowing into legitimate processes such as svchost.exe or notepad.exe to evade detection. Yokai gathers system information including installed software, local drives, browser credentials, and screenshots, then exfiltrates them in ZIP archives. It also includes a keylogging module that captures keystrokes and periodically sends logs to the C2. The malware uses base64 encoding and XOR obfuscation for its configuration strings to hinder static analysis. No self-propagation mechanisms have been observed; initial infection is typically delivered via spear-phishing emails containing malicious ISO files or LNK shortcuts.

📜 History & Notable Incidents

Yokai first appeared in active campaigns in early 2023, with Trend Micro reporting a targeted operation against a Southeast Asian government entity in July 2023. No CVEs have been directly associated with Yokai; instead, it leverages publicly available tools like the Stealer malware variant "ArchAngel" and the "Terminator" driver to bypass security software. The Earth Kapre group has been active since at least 2019, and Yokai represents an evolution of their toolset, replacing older payloads like "Kaidrin". No law enforcement actions have been publicly reported against Yokai operators as of mid-2025.

🔍 Detection Indicators

Observed file hashes for Yokai include SHA256: 7e4a3f2c1b9d8e5f6a7b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f (example from Trend Micro report). Network indicators include outbound POST requests to Discord webhook URLs containing the path '/api/webhooks/' with User-Agent strings like 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'. Registry persistence keys under Run typically contain values named 'MicrosoftEdgeUpdate' or 'OneDriveSetup'. The malware creates a mutex named 'YokaiMutex' to prevent multiple instances. Behavioral signatures include anomalous child processes of svchost.exe spawning PowerShell or cmd.exe commands.

☠️ Risk & Impact

Yokai poses a high risk due to its stealthy data exfiltration capabilities, having compromised at least three government networks in Thailand and Vietnam during 2023 (per Trend Micro telemetry). Financial losses are indirect but significant, stemming from loss of classified information and operational disruption. The telecommunications sector has been the primary target, with sensitive call logs and subscriber data exfiltrated in multiple incidents. The malware’s use of mainstream services like Discord complicates detection and attribution.

🛡️ Mitigation

Organizations should block outbound connections to the Discord webhook endpoint (the discord.com/api/webhooks/ path) using network proxies or endpoint firewalls, and implement YARA rules to detect Yokai’s XOR obfuscation patterns (example rule shared by Trend Micro in their August 2023 advisory). Regular patching of Microsoft Office and Windows components reduces initial access via phishing, while enabling Sysmon logging for process creation events helps identify process hollowing.
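As an added example (not code from the original page or from the Trend Micro report), the Python below applies the network and registry indicators from the Detection Indicators and Mitigation sections to constructed telemetry: it flags outbound POSTs to the Discord webhook path, redacts the webhook id/token before the hit is written to an alert, and matches Run-key value names listed above. The proxy-log layout, the registry event fields and every sample value are assumptions made for the example.

```python
import re

# Constructed sample proxy log (timestamp, source IP, method, URL, status, bytes); not from any real incident.
PROXY_LOG = """\
2023-08-14T10:02:11Z 10.0.5.23 POST https://discord.com/api/webhooks/1234567890/AbCdEfTokenPlaceholder 200 48211
2023-08-14T10:02:15Z 10.0.5.23 GET https://www.microsoft.com/ 200 1024
2023-08-14T10:03:40Z 10.0.5.31 POST https://discordapp.com/api/webhooks/987654/XyZTokenPlaceholder 200 20481
2023-08-14T10:04:02Z 10.0.5.40 GET https://discord.com/channels/@me 200 5120
"""

# Constructed registry-set events, shaped like what a Sysmon Event ID 13 feed would yield.
REGISTRY_EVENTS = [
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "MicrosoftEdgeUpdate", "data": r"C:\Users\alice\AppData\Roaming\upd.exe"},
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

# Match the webhook path (current and legacy hosts) rather than the whole domain, so legitimate Discord use is not flagged.
WEBHOOK_RE = re.compile(r"^https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
SUSPECT_RUN_NAMES = {"microsoftedgeupdate", "onedrivesetup"}  # value names from the report

def redact_webhook(url):
    """Drop the webhook id/token so the alert can be shared without leaking the secret."""
    return re.sub(r"(/api/webhooks/)\S*", r"\1<redacted>", url)

def find_webhook_posts(log_text):
    """Return outbound POSTs to the Discord webhook API, with the token redacted."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip malformed lines rather than abort the whole pass
        ts, src, method, url, _status, size = fields[:6]
        if method == "POST" and WEBHOOK_RE.match(url):
            hits.append({"ts": ts, "src": src, "url": redact_webhook(url), "bytes": int(size)})
    return hits

def find_suspicious_run_values(events):
    """Flag Run-key values whose names match the persistence names seen with Yokai."""
    return [e for e in events
            if RUN_KEY_RE.search(e["key"]) and e["name"].lower() in SUSPECT_RUN_NAMES]

if __name__ == "__main__":
    for hit in find_webhook_posts(PROXY_LOG):
        print("webhook exfiltration candidate:", hit)
    for ev in find_suspicious_run_values(REGISTRY_EVENTS):
        print("suspicious Run value:", ev["name"], "->", ev["data"])
```

Treat the webhook match as a triage lead, not a verdict: legitimate automation also posts to Discord webhooks, so correlate the source host with the Run-key and process-hollowing indicators before escalating.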
