Zupdax
⚠️ Overview
Zupdax is a modular backdoor trojan publicly documented in January 2020 by FireEye (now Trellix) as an updated variant of the PlugX framework and attributed to the Chinese state-sponsored group APT10 (Red Apollo). It is a Remote Access Trojan (RAT) and has been observed targeting government, defense, and technology organisations worldwide.
🔧 Technical Capabilities
Zupdax uses a multi-stage infection chain that begins with malicious Microsoft Office documents exploiting CVE-2017-11882 (Equation Editor memory corruption) and CVE-2018-0802 (a second Equation Editor memory-corruption flaw). The documents arrive as spear-phishing attachments, often with decoy content about COVID-19 or regional political topics. Command-and-control (C2) traffic runs over HTTP/HTTPS using a custom encrypted protocol with an RSA-2048 key exchange, as documented in FireEye's threat intelligence report (FI-2020-003). Persistence is established through scheduled tasks and a Run key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include bypassing user-mode API hooks by issuing system calls directly, process hollowing into legitimate executables such as svchost.exe, and anti-sandbox checks on disk size and CPU core count (fewer than two cores makes the sample sleep instead of running its payload). Zupdax also uses a time-based domain generation algorithm (DGA) seeded with the current year to rotate C2 domains weekly.
📜 History & Notable Incidents
First identified in 2019 during a campaign against Japanese and South Korean think tanks, Zupdax was substantially upgraded in early 2020 with stronger encryption and lateral movement via SMB and RDP brute-forcing. In June 2020, a campaign deploying Zupdax alongside a separate loader was linked to intrusions at several U.S. defense contractors. No CVE is specific to Zupdax itself, but in post-exploitation it has been seen exploiting CVE-2020-1472 (Zerologon) for privilege escalation, mapped to MITRE ATT&CK T1068 (Exploitation for Privilege Escalation). Law enforcement action includes a 2021 FBI takedown of C2 infrastructure tied to the malware, although the operators remain active.
🔍 Detection Indicators
Known SHA-256 hashes include 4d3e7a1f2b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4 (sample from VirusTotal, as of January 2024) for the initial dropper. Behavioral indicators include outbound HTTPS traffic to domains matching the pattern ^[a-z]{8}\.(xyz|top|club)$ and creation of the mutex Global\{A1B2C3D4-E5F6-7890-ABCD-EF1234567890}. The C2 client module sends the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36; because this is a genuine (if stale) Chrome 91 browser string, it should be correlated with the domain pattern rather than alerted on by itself. Registry artifacts include a value named WindowsUpdateService under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
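The following is an added example (not code from the original page, from Boteraser, or from any vendor) showing how the network indicators above can be applied to proxy telemetry. It assumes a simple space-separated proxy log format of our own devising (timestamp, client IP, method, host, path, quoted User-Agent); the log lines are constructed for illustration and are not real telemetry. The domain pattern is anchored to the registrable domain so that subdomains of a matching apex are still caught, and a User-Agent-only match is reported at low severity because the string is a legitimate Chrome 91 identifier.

```python
import re
from dataclasses import dataclass

# Network indicators quoted in the profile above.
DGA_DOMAIN_RE = re.compile(r"^[a-z]{8}\.(?:xyz|top|club)$")
C2_USER_AGENT = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
)

# Constructed proxy log (hypothetical telemetry, not from any real incident).
# Format assumed here: timestamp client method host path "user-agent".
SAMPLE_PROXY_LOG = """\
2024-01-08T09:12:01Z 10.0.0.15 GET updates.microsoft.com /v11/ "Microsoft-Delivery-Optimization/10.0"
2024-01-08T09:12:44Z 10.0.0.15 POST qwertyui.xyz /api/beacon "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
2024-01-08T09:13:02Z 10.0.0.22 GET www.example.com / "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
2024-01-08T09:14:10Z 10.0.0.31 GET abcdefgh.top /index.html "curl/8.4.0"
2024-01-08T09:15:00Z 10.0.0.15 GET abcdefghi.club / "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
"""

LOG_LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "(.*)"$')


@dataclass(frozen=True)
class Hit:
    line_no: int
    client: str
    host: str
    indicators: tuple
    severity: str


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels so that subdomains of a
    matching apex (e.g. www.qwertyui.xyz) are still caught. Adequate for the
    single-label TLDs in the pattern; a public-suffix list would be needed
    for TLDs like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def match_indicators(host: str, user_agent: str) -> tuple:
    """Return the names of the profile's network indicators that fire."""
    found = []
    if DGA_DOMAIN_RE.match(registrable_domain(host)):
        found.append("dga_domain")
    if user_agent == C2_USER_AGENT:
        found.append("c2_user_agent")
    return tuple(found)


def scan_proxy_log(text: str) -> list:
    """Scan proxy log text and return one Hit per line with any indicator."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, _method, host, _path, ua = m.groups()
        indicators = match_indicators(host, ua)
        if not indicators:
            continue
        # The Chrome/91 User-Agent is a real browser string, so on its own it
        # is only a weak signal; the domain pattern is the strong indicator.
        severity = "high" if "dga_domain" in indicators else "low"
        hits.append(Hit(line_no, client, host, indicators, severity))
    return hits


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {h.line_no}: {h.client} -> {h.host} {h.indicators} [{h.severity}]")
```

On the constructed log this flags the beacon to qwertyui.xyz (domain and User-Agent, high), the curl request to abcdefgh.top (domain only, high), and the request to abcdefghi.club (User-Agent only, low; the nine-letter label does not match the pattern). The eight-letter pattern will also match some legitimate domains, so treat a domain-only hit as a triage lead and pivot on the client, the mutex and the Run-key artifacts before declaring an infection.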
☠️ Risk & Impact
Zupdax allows full remote control of infected hosts, enabling data exfiltration of credentials, intellectual property, and classified documents via encrypted FTP sessions. Financial losses from associated ransomware deployment (e.g., Ryuk dropped by the same operators) have surpassed $100 million across affected organizations, primarily in the aerospace, telecommunications, and energy sectors. The malware has been linked to exfiltration of over 10 terabytes of data from at least seven NATO-aligned government agencies as of 2022.
🛡️ Mitigation
Mitigation includes applying all Office and Windows security updates (in particular the November 2017 update for CVE-2017-11882 and the January 2018 update for CVE-2018-0802), blocking outbound connections to known DGA-derived domains via threat intelligence feeds, and enabling endpoint detection rules for process hollowing and registry persistence (e.g., any Run key value pointing to a file under %APPDATA%\Microsoft\Windows\Caches). Microsoft Defender for Endpoint detects Zupdax as Trojan:Win32/Zupdax in antimalware definitions dated October 2023.
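As an added example (not code from the original page, from Boteraser, or from Microsoft), the Run-key check suggested above can be expressed as a small audit over exported Run-key values. The entries and the environment variables are constructed for illustration; on a live host you would feed it the output of `reg query ... /s` or Sysmon registry events instead. The check expands %VAR% references, normalises slashes and case, and inspects the whole command line rather than only the first token, so a DLL loaded through rundll32.exe from the Caches directory is flagged as well as a direct executable path. The value name WindowsUpdateService is taken from the Detection Indicators section.

```python
import ntpath
import re
from dataclasses import dataclass

# Persistence artifacts quoted in the profile above.
SUSPICIOUS_DIR = r"%APPDATA%\Microsoft\Windows\Caches"
SUSPICIOUS_VALUE_NAMES = {"windowsupdateservice"}

# Constructed environment for the audited user (hypothetical values).
SAMPLE_ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "WINDIR": r"C:\Windows",
}

# Constructed Run-key entries as (key, value name, value data). Hypothetical;
# this is the shape you get from `reg query <key>` or a Sysmon event 13.
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r'"%APPDATA%\Microsoft\Windows\Caches\svchost.exe"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "WindowsUpdateService",
     r"C:\ProgramData\wus\wus.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Loader",
     "rundll32.exe C:/Users/alice/AppData/Roaming/Microsoft/Windows/Caches/cache.dll,Start"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
]

ENV_VAR_RE = re.compile(r"%([^%]+)%")


def expand_windows_env(s: str, env: dict) -> str:
    """Expand %VAR% references case-insensitively. Unknown variables are left
    untouched, which matches what cmd.exe does."""
    upper_env = {k.upper(): v for k, v in env.items()}
    return ENV_VAR_RE.sub(lambda m: upper_env.get(m.group(1).upper(), m.group(0)), s)


def normalize(path: str) -> str:
    """Make a Windows path comparable on any host OS: ntpath turns forward
    slashes into backslashes, collapses '..' segments and lower-cases."""
    return ntpath.normcase(ntpath.normpath(path))


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    reasons: tuple


def audit_run_entries(entries, env) -> list:
    """Return a Finding for every Run-key value matching the profile's
    persistence artifacts: a known value name, or any path component of the
    command line that resolves into %APPDATA%\\Microsoft\\Windows\\Caches."""
    suspicious_dir = normalize(expand_windows_env(SUSPICIOUS_DIR, env)) + "\\"
    findings = []
    for key, name, data in entries:
        reasons = []
        if name.lower() in SUSPICIOUS_VALUE_NAMES:
            reasons.append("known_value_name")
        # Check the entire command line, not just the first token, so loaders
        # run via rundll32.exe, regsvr32.exe or a script host are caught too.
        if suspicious_dir in normalize(expand_windows_env(data, env)):
            reasons.append("points_into_caches_dir")
        if reasons:
            findings.append(Finding(key, name, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit_run_entries(SAMPLE_RUN_ENTRIES, SAMPLE_ENV):
        print(f"{f.key}\\{f.name}: {', '.join(f.reasons)}")
```

On the constructed entries this reports Updater (direct path into the Caches directory), WindowsUpdateService (known value name) and Loader (DLL under Caches loaded through rundll32.exe), and leaves the OneDrive and SecurityHealth entries alone. The value-name match is a weak signal on its own since a benign product could use a similar name, so pair it with the path check and with the mutex and network indicators before acting.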
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.