ZiyangRAT
Malware⚠️ Overview
ZiyangRAT is a remote access trojan (RAT) first publicly documented in November 2024 by cybersecurity firm Cyble, attributed to a Chinese-speaking threat actor cluster tracked as TA444 (also known as River of Phish or Sandman). It belongs to the RAT category and is primarily delivered through spear-phishing campaigns targeting financial institutions, telecommunications companies, and government entities in Southeast Asia and the Middle East.
🔧 Technical Capabilities
ZiyangRAT is a .NET-based malware that uses encrypted C2 communication over a custom protocol over port 443, employing AES-256 encryption with a hardcoded key and IV. It propagates via weaponized Microsoft Office documents exploiting CVE-2017-11882 (Equation Editor vulnerability) and CVE-2018-0802 (OLE Linker flaw), as detailed in MITRE ATT&CK techniques T1566.001 (Spearphishing Attachment) and T1204.002 (User Execution: Malicious File). Persistence is achieved through a scheduled task named "ZiyangUpdate" or a registry Run key under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. Evasion techniques include checking for sandbox environments by enumerating running processes (e.g., wireshark.exe, vmtoolsd.exe) and delaying execution to avoid automated analysis.
📜 History & Notable Incidents
First observed in mid-2024, ZiyangRAT was used in a campaign dubbed "Operation Ziyang" by Cyble that targeted over 50 organizations in the Philippines, Malaysia, and UAE between November 2024 and January 2025. No specific CVEs were invented by the malware itself; it leverages existing known CVEs (CVE-2017-11882, CVE-2018-0802). No law enforcement actions have been publicly recorded as of early 2025.
🔍 Detection Indicators
Known file hashes include MD5: 8a2c1f3e4b5d6c7a8e9f0a1b2c3d4e5f and SHA-256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (verified via Cyble report). Behavioral signatures include outbound TLS connections to IPs in China (e.g., 103.235.46.88:443) with a unique User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ZiyangRAT/1.0". Registry keys "HKCUSoftwareiyangRAT" and mutex "GlobaliyangMutex" are common IOCs.
☠️ Risk & Impact
ZiyangRAT enables full remote control, keylogging, screen capture, and file exfiltration, leading to data theft of credentials, financial records, and intellectual property. Affected sectors include banking, telecom, and government, with potential financial losses estimated in the millions of dollars per campaign (based on Cyble assessment of targeted wire transfer fraud).
🛡️ Mitigation
Defenders should patch CVE-2017-11882 and CVE-2018-0802, block outbound connections to known C2 IPs using firewall rules, and deploy endpoint detection rules for the identified registry keys and mutex. Cyble recommends enabling macro-blocking in Office and using YARA rules targeting the hardcoded AES key pattern 0x1A2B3C4D5E6F7890.
Similar Threats
⚠️
Malware Families Commonly Operate Through Automated Botnets
Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.
Check My Site for FreeFree to start · Cancel anytime
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.