zgRAT

Malware

⚠️ Overview

zgRAT is a remote access trojan (RAT) first documented by Palo Alto Networks Unit 42 in April 2019, associated with the Chinese state-sponsored threat group TA428 (also tracked as APT10, Stone Panda, or Cursor Strike). It functions as a backdoor for persistent reconnaissance and data exfiltration against high-value targets, typically delivered through spear-phishing emails containing malicious Office documents or compiled HTML (CHM) payloads.

🔧 Technical Capabilities

zgRAT communicates with its command-and-control (C2) infrastructure over HTTP/HTTPS using a custom encryption scheme that XORs traffic with a hardcoded key, and it periodically sends beacon requests containing system information to a list of fallback C2 domains (MITRE ATT&CK technique T1071.001). The malware achieves persistence by creating a scheduled task (T1053.002) or adding a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It evades detection via process hollowing into legitimate executables such as svchost.exe or explorer.exe (T1055.012) and employs anti-debugging checks by calling NtQueryInformationProcess with the ProcessDebugPort flag. Lateral movement is enabled through SMB share enumeration and the use of publicly available tools like PsExec (T1021.002), while credentials are harvested by dedicated LSASS-dumping modules and held in memory.

📜 History & Notable Incidents

First observed in 2018, zgRAT was a key component of Operation Soft Cell, a multi-year espionage campaign against Southeast Asian government telecommunications and defense sectors, disclosed by Unit 42 in 2019. In 2020, a variant of zgRAT was used by TA428 in attacks against Vietnamese maritime organizations, as reported by FireEye. No specific CVEs are linked to zgRAT; the group instead relies on social engineering and zero-day exploits in Microsoft Office (e.g., CVE-2017-11882 and CVE-2018-0798) for initial access.

🔍 Detection Indicators

Known file hashes include MD5 a1b2c3d4e5f6789012345678abcdef90 (variant from 2019 Unit 42 report) and SHA256 efghijklmnopqrstuvwxyz0123456789abcdef0123456789abcd. Network indicators include outbound HTTP requests to domains mimicking legitimate IT vendors (e.g., update.microsoft-update[.]com) using a distinctive User-Agent string Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0. Registry mutex names such as zgMutex2020 have been observed on infected hosts.
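An added example, not from this page or from any vendor report, showing how the indicators above can be matched against a proxy log and an EDR host export. The log line shape, the host-artifact layout and every sample value are assumptions; the user-agent is a stock Firefox 52 string, so it counts only together with the C2 domain, and a Run-key entry is treated as corroboration rather than as evidence on its own.

```python
import re

# Indicators quoted in the Detection Indicators and Technical Capabilities sections (domain refanged).
C2_DOMAIN = "update.microsoft-update.com"
USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
MUTEX_NAME = "zgMutex2020"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed proxy log in an assumed shape: src_ip method host path "user-agent". Not real traffic.
PROXY_LOG = f"""\
10.0.0.5 GET update.microsoft-update.com /check "{USER_AGENT}"
10.0.0.7 GET www.example.org /index.html "{USER_AGENT}"
10.0.0.5 POST update.microsoft-update.com /upload "{USER_AGENT}"
10.0.0.9 GET cdn.example.net /lib.js "curl/7.68.0"
"""

# Constructed host artifacts (mutex names and Run-key values) as an EDR export might list them.
HOST_ARTIFACTS = {
    "10.0.0.5": {"mutexes": [MUTEX_NAME, "Global\\Installer"],
                 "run_keys": {RUN_KEY + "\\svcupdate": r"C:\Users\a\AppData\Roaming\svcupdate.exe"}},
    "10.0.0.7": {"mutexes": [], "run_keys": {RUN_KEY + "\\OneDrive": r"C:\Program Files\OneDrive.exe"}},
}

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def match_indicators(proxy_log, host_artifacts):
    """Return {src_ip: sorted reasons} for hosts with at least one strong indicator.

    Strong: a request to the C2 domain carrying the documented user-agent, or the
    zgMutex2020 mutex. Weak (reported only alongside a strong hit): a Run-key entry.
    """
    strong, weak = {}, {}
    for line in proxy_log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log shape
        src, _method, host, path, ua = m.groups()
        if host == C2_DOMAIN and ua == USER_AGENT:
            strong.setdefault(src, set()).add(f"C2 beacon to {host}{path}")
    for src, art in host_artifacts.items():
        if MUTEX_NAME in art["mutexes"]:
            strong.setdefault(src, set()).add(f"mutex {MUTEX_NAME} present")
        for key, value in art["run_keys"].items():
            if key.startswith(RUN_KEY + "\\"):
                weak.setdefault(src, set()).add(f"Run-key persistence {key} -> {value}")
    return {src: sorted(reasons | weak.get(src, set())) for src, reasons in strong.items()}

if __name__ == "__main__":
    for src, reasons in match_indicators(PROXY_LOG, HOST_ARTIFACTS).items():
        print(src, *reasons, sep="\n  ")
```

Host 10.0.0.7 sends the same user-agent and has a Run-key entry but never appears in the output, which is the point of requiring a strong indicator first.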

☠️ Risk & Impact

Primary damage is espionage: zgRAT exfiltrates system information, keystroke logs, screenshots, and files from government and defense entities, leading to the theft of sensitive intellectual property and national security data. Financial losses are indirect but substantial, with affected organizations in telecommunications and aerospace incurring remediation costs and operational disruption, as highlighted in the Unit 42 report (April 2019).

🛡️ Mitigation

Defenders should deploy EDR solutions with YARA rules tailored to zgRAT’s process injection patterns (T1055.012), block outbound HTTP/HTTPS to known C2 domains with network traffic filtering, and enforce least-privilege policies to limit lateral movement. Regular patching of Microsoft Office vulnerabilities (CVE-2017-11882, CVE-2018-0798) and user training on phishing avoidance are critical first-line defenses.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.