YoungLotus
⚠️ Overview
YoungLotus is a remote access trojan (RAT) first publicly documented by Qihoo 360’s Netlab in December 2019, attributed to Chinese-speaking threat actors operating under the tracked group TA428 (also known as RedNova). This malware is primarily used for targeted cyber espionage against government, military, and telecommunications entities in Southeast Asia, particularly Myanmar, Vietnam, and the Philippines.
🔧 Technical Capabilities
YoungLotus is delivered via spear-phishing emails containing malicious Microsoft Office documents that exploit CVE-2017-11882 (Equation Editor) or CVE-2018-0802 to drop a DLL side-loader alongside the encrypted payload. The malware establishes persistence through scheduled tasks and registry Run keys, and communicates over HTTP/HTTPS to a hardcoded command-and-control (C2) server using a custom protocol that blends traffic with legitimate web requests. It employs anti-analysis techniques including sandbox detection (checking for VMWare, VirtualBox artifacts) and obfuscation via XOR-encrypted strings and API hashing. Once active, YoungLotus can enumerate files, capture keystrokes, take screenshots, and exfiltrate documents to the C2 using multipart form-data uploads. The modular architecture allows the C2 to push additional plugins for extended surveillance capabilities.
📜 History & Notable Incidents
First analyzed in detail by Qihoo 360 Netlab in December 2019, YoungLotus was linked to a campaign targeting Myanmar’s Ministry of Foreign Affairs and several Vietnamese telecom firms throughout 2020. In April 2021, Trend Micro documented an updated variant that added custom encryption for C2 communication and targeted a Philippine government agency. No CVEs are directly exploited by YoungLotus itself beyond the initial document-based exploits; no law enforcement actions have been publicly attributed to this specific family.
🔍 Detection Indicators
Known file hashes for YoungLotus samples include SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (a placeholder only: this value is the SHA-256 of empty input, so it must not be loaded as an indicator; actual hashes vary, refer to the Qihoo 360 report). Behavioral indicators include a loader DLL named mscorsvw.dll (mimicking .NET optimization) dropped in the %TEMP% folder, and a mutex named GlobalYoungLotus_ followed by a random hex string. Network IOCs include specific User-Agent strings such as Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0) with non-standard HTTP POST request URIs containing base64-encoded data. The C2 domain pattern often mimics legitimate services (e.g., update-microsoft[.]com).
☠️ Risk & Impact
YoungLotus primarily enables sustained data exfiltration, targeting sensitive diplomatic, military, and industrial documents from compromised networks. The impact includes long-term intellectual property theft and geopolitical intelligence loss for affected Southeast Asian nations. While no financial ransomware component exists, the malware has facilitated follow-on credential theft and lateral movement, potentially leading to broader compromise of critical infrastructure systems.
🛡️ Mitigation
Defenders should close the exploited vulnerabilities (CVE-2017-11882, CVE-2018-0802) by applying Microsoft security patches and disabling the Equation Editor in Office. Endpoint detection rules (e.g., Sigma rules for DLL side-loading from %TEMP%) and network signatures that combine the suspicious User-Agent with the C2 URI patterns are recommended; the User-Agent string alone is common in legitimate traffic and should not be alerted on by itself. Organizations should enforce application whitelisting to prevent unauthorized DLL execution and use sandboxing for all email attachments.
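The network indicators listed under Detection Indicators and the signature advice above, turned into a small log-triage script as an added example (not code from the page, Qihoo 360 or Trend Micro). It assumes a simple proxy log layout of `time client method url status "user-agent"` and uses constructed sample lines; the lookalike domain is the page's own example, and a request is flagged only when the User-Agent coincides with at least one further indicator.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Indicators taken from the page; the domain is the page's example of a lookalike C2.
SUSPECT_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"
LOOKALIKE_C2 = re.compile(r"(^|\.)update-microsoft\.com$", re.IGNORECASE)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}")  # unpadded base64 run, 16+ chars

# Assumed log layout (one request per line): time client method url status "user-agent"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# Constructed sample lines for the demonstration; not real traffic.
SAMPLE_LOG = """\
2021-04-12T09:14:02Z 10.0.3.21 POST http://update-microsoft.com/api/upload?d=SGVsbG8gV29ybGQhISEh 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"
2021-04-12T09:14:05Z 10.0.3.22 GET http://www.microsoft.com/en-us/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ..."
2021-04-12T09:14:09Z 10.0.3.23 GET http://intranet.example/index.html 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"
2021-04-12T09:14:11Z 10.0.3.21 POST http://cdn.example.net/upload 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ..."
"""

def looks_base64(token):
    """True if the token decodes as base64 once padded to a multiple of four."""
    padded = token + "=" * (-len(token) % 4)
    try:
        base64.b64decode(padded, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def classify(line):
    """Return client, url and the list of indicators one request matches."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return {"client": None, "url": None, "reasons": []}
    _, client, method, url, _, ua = m.groups()
    parts = urlsplit(url)
    reasons = []
    if ua == SUSPECT_UA:
        reasons.append("legacy MSIE 7.0 user-agent")
    tokens = re.split(r"[/?&=]", parts.path + "?" + parts.query)
    if method == "POST" and any(B64_TOKEN.fullmatch(t) and looks_base64(t) for t in tokens):
        reasons.append("POST with base64-looking URI segment")
    if LOOKALIKE_C2.search(parts.hostname or ""):
        reasons.append("lookalike C2 domain")
    return {"client": client, "url": url, "reasons": reasons}

def find_suspicious(log_text):
    """Flag requests with the User-Agent plus at least one other indicator (UA alone is too common)."""
    hits = [classify(l) for l in log_text.splitlines()]
    return [h for h in hits if "legacy MSIE 7.0 user-agent" in h["reasons"] and len(h["reasons"]) >= 2]
```

Running `find_suspicious(SAMPLE_LOG)` flags only the first line; the third line carries the same User-Agent but no corroborating indicator and stays quiet.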