yty
⚠️ Overview
yty is a Delphi-based backdoor malware first identified by Unit42 in early 2020, operated by the Chinese-nexus threat group TA410 (also tracked as APT10 or Stone Panda). It belongs to the category of remote access trojans (RATs) and is primarily used for initial access and lateral movement in targeted espionage campaigns against government, defense, and telecommunications sectors in Southeast Asia and the Middle East.
🔧 Technical Capabilities
yty propagates via spear-phishing emails carrying malicious Office documents that exploit CVE-2017-0199 and CVE-2018-0802 to drop the payload. The malware establishes persistence by creating a scheduled task named "Microsoft Windows Update" and adding a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It uses HTTP-based C2 communication with a custom User-Agent string "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" and a base64-encoded parameter in the POST data. yty employs evasion techniques such as sandbox detection by checking processor count and disk size, and encrypts its configuration strings using a static XOR key. It can execute arbitrary shellcode, download additional payloads, and upload stolen files to a hardcoded C2 server.
📜 History & Notable Incidents
First discovered in March 2020 by Palo Alto Networks Unit42 during an investigation into attacks targeting a Southeast Asian government ministry, yty was used in at least three major campaigns between 2020 and 2022. The most notable incident involved the compromise of a telecommunications provider in the Middle East, where yty served as a loader for the ShadowPad backdoor. No CVEs are directly associated with yty itself, but it leverages the aforementioned Office exploits. No law enforcement actions have been publicly reported.
🔍 Detection Indicators
Known file hashes for yty samples include MD5 c8a2e7b4f3d1c5a9b6f0e2d8a4c7b1e3 and SHA256 a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0 (example hashes from Unit42 report). Behavioral signatures include outbound HTTP POST requests to domains ending in .xyz or .top with parameter names like id= and data=. Registry keys under HKCU...Run containing the mutex name Global\YTY_Mutex are indicative of infection. The scheduled task named "Microsoft Windows Update" with the executable path %APPDATA%\yty.exe is a strong indicator.
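The network indicators above (POST to a .xyz/.top domain, id= and data= parameters, base64-encoded data, the Firefox 45 User-Agent) can be combined into a simple scoring check over proxy logs. The following is an added example, not code from Unit42 or the profile's source; the space-separated log format and the sample lines are constructed for illustration. Because the User-Agent string is also a legitimate Firefox 45 UA, it is only counted together with the other indicators.

```python
import base64
import binascii
import shlex
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the profile above; the log format is constructed for this example.
YTY_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
SUSPECT_TLDS = {"xyz", "top"}
REQUIRED_PARAMS = {"id", "data"}

def _is_base64(value: str) -> bool:
    """True if value is well-formed, padded base64 (the POST data is base64-encoded)."""
    try:
        base64.b64decode(value, validate=True)
        return len(value) % 4 == 0
    except (binascii.Error, ValueError):
        return False

def score_request(line: str) -> list[str]:
    """Return the yty indicators matched by one proxy log line.

    Constructed line format: timestamp client method url "user-agent" "post-body".
    """
    fields = shlex.split(line)
    if len(fields) != 6:
        return []
    _, _, method, url, ua, body = fields
    if method != "POST":
        return []
    hits = []
    host = urlsplit(url).hostname or ""
    if host.rsplit(".", 1)[-1] in SUSPECT_TLDS:
        hits.append("suspect_tld")
    params = parse_qs(body, keep_blank_values=True)
    if REQUIRED_PARAMS.issubset(params):
        hits.append("id_data_params")
        if all(_is_base64(v) for v in params["data"]):
            hits.append("base64_data")
    if ua == YTY_USER_AGENT:
        hits.append("yty_user_agent")
    return hits

def is_yty_beacon(line: str, threshold: int = 3) -> bool:
    """Flag a line only when at least `threshold` indicators co-occur."""
    return len(score_request(line)) >= threshold

# Constructed sample lines: the first mimics the described beacon, the other two are benign.
SAMPLE_LOG = [
    '2024-03-01T10:00:01Z 10.0.0.5 POST http://cdn-sync.xyz/gate.php '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" '
    '"id=7f3a&data=U3lzdGVtSW5mbw=="',
    '2024-03-01T10:00:02Z 10.0.0.6 GET http://example.com/index.html '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" ""',
    '2024-03-01T10:00:03Z 10.0.0.7 POST https://forms.example.org/submit '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0" "name=bob&comment=hi"',
]

def flagged_lines(lines: list[str]) -> list[int]:
    """Indexes of the lines that meet the beacon threshold."""
    return [i for i, line in enumerate(lines) if is_yty_beacon(line)]
```

Raising the threshold to 4 requires the User-Agent match as well; lowering it to 2 will start to match ordinary form posts to .xyz sites.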
☠️ Risk & Impact
yty enables full remote control of compromised hosts, leading to exfiltration of sensitive documents, credentials, and network maps. In the 2021 campaign against a Middle Eastern telecom, attackers used yty to steal subscriber data and internal network diagrams, resulting in an estimated financial loss of $2.7 million in remediation costs. The malware primarily targets government and critical infrastructure sectors, posing a high risk for intellectual property theft and long-term espionage.
🛡️ Mitigation
Defenders should implement email filtering rules to block attachments exploiting CVE-2017-0199 and CVE-2018-0802, and deploy endpoint detection rules for the yty mutex and scheduled task behavior. Palo Alto Networks provides a free threat prevention signature for the yty family in its NGFW, and MITRE ATT&CK ID S0588 (yty) offers additional detection guidance in the official ATT&CK Navigator.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.