A suspected Chinese state-sponsored hacking group, known as IronHusky, has launched a sophisticated cyber-espionage campaign targeting Russian and Mongolian government institutions. The attack involves a revamped version of the MysterySnail remote access trojan (RAT), a tool first observed in the wild in 2021.
Attack Details: How It Works
Security researchers from Kaspersky’s Global Research and Analysis Team (GReAT) uncovered the campaign, noting that the attackers disguised malicious scripts as Microsoft Word documents. These were, in fact, Microsoft Management Console (MMC) console files (.msc extension) that launch in mmc.exe and triggered the infection chain when opened.
Upon execution, these scripts:
- Downloaded additional payloads,
- Installed intermediary backdoors,
- Established persistence by registering Windows services, and
- Allowed attackers to execute shell commands, manage files, and manipulate processes on compromised machines.
The RAT allowed full remote control over infected systems, giving attackers the ability to:
- Transfer files,
- Launch or terminate processes,
- Access and modify system files,
- Delete traces of malicious activity.
Evolution of MysterySnail
The original MysterySnail RAT, already linked to IronHusky's earlier intrusions, was reengineered into a modular form that loads its functionality as separate components. Alongside it, Kaspersky observed a stripped-down build named MysteryMonoSnail, which packs a reduced set of core commands into a single component. Maintaining both a full-featured and a lightweight variant indicates active malware development and an intent to retain stealth and flexibility in long-term operations.
Attribution and Historical Context
IronHusky has been linked to intrusions dating back to 2017, particularly those seeking intelligence on Russian-Mongolian military cooperation. In 2018, the group exploited CVE-2017-11882, a memory-corruption flaw in the Microsoft Office Equation Editor, to deploy other RATs such as PlugX and PoisonIvy, tools long favoured by Chinese-speaking threat actors.
Impact and Recommendations
The use of upgraded malware in geopolitical cyber operations highlights the persistent threat of APTs and the growing complexity of cross-border espionage. Government agencies, especially those involved in defense and foreign affairs, should:
- Audit endpoints for suspicious MMC usage: mmc.exe opening .msc files from user-writable folders (Downloads, Temp, Desktop) or spawned directly by a mail client or browser,
- Monitor for traffic to known MysterySnail command-and-control domains,
- Apply strict email filtering and sandboxing for unknown attachments, treating .msc files as executable content rather than documents,
- Patch legacy Office installations, including long-exploited vulnerabilities such as CVE-2017-11882.
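One way to turn the first recommendation, and the MMC lure described in the attack details, into a hunt rule is to sweep process-creation telemetry for mmc.exe launches whose console file sits in a user-writable folder, carries a document-style double extension, or was spawned straight out of a mail client or browser. The script below is an added example written for this article, not code from Kaspersky or from the campaign. It assumes Sysmon-style process-creation events exported as one JSON object per line; the field names (Image, CommandLine, ParentImage, User, Computer) mirror Sysmon Event ID 1, and the sample events are constructed for the demo.

```python
"""Hunt for the MMC lure: mmc.exe opening a console (.msc) file from a
user-writable folder, with a document-style double extension, or straight
out of a mail client or browser.

Added example for this article, not code from Kaspersky or the campaign.
Input format (JSON lines with Sysmon-like field names) is an assumption.
"""
import json
import re
from dataclasses import dataclass

# Folders a phished user lands files in; a legitimate console file is
# normally launched from %SystemRoot%\system32 or an admin tools share.
USER_WRITABLE_DIRS = (
    "\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\",
    "\\desktop\\", "\\users\\public\\",
)
# Parents that would spawn mmc.exe when a user opens an attachment directly.
MAIL_AND_BROWSER = ("outlook.exe", "thunderbird.exe", "chrome.exe",
                    "msedge.exe", "firefox.exe")
# "Report.docx.msc": Explorer hides the real .msc extension by default.
DOUBLE_EXT = re.compile(r"\.(docx?|xlsx?|pptx?|rtf|pdf)\.msc$", re.IGNORECASE)
# First .msc argument on the command line, quoted or bare.
MSC_ARG = re.compile(r'"([^"]*?\.msc)"|(\S+\.msc)(?=\s|$)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    parent: str
    msc_path: str
    reasons: tuple


def assess(event: dict):
    """Return a Finding for a suspicious mmc.exe launch, else None."""
    image = event.get("Image", "")
    if not image.lower().endswith("\\mmc.exe"):
        return None
    m = MSC_ARG.search(event.get("CommandLine", ""))
    if not m:
        return None          # bare mmc.exe with no console file: not this lure
    msc_path = m.group(1) or m.group(2)
    lowered = msc_path.lower()
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]

    reasons = []
    if any(d in lowered for d in USER_WRITABLE_DIRS):
        reasons.append("msc_in_user_writable_dir")
    if DOUBLE_EXT.search(lowered):
        reasons.append("document_double_extension")
    if parent in MAIL_AND_BROWSER:
        reasons.append("parent_is_mail_or_browser")
    if not reasons:
        return None          # e.g. an admin opening services.msc from Explorer
    return Finding(event.get("Computer", "?"), event.get("User", "?"),
                   parent, msc_path, tuple(reasons))


def scan(lines):
    """Run assess() over JSON-lines input, skipping blank or unparseable lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = assess(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events, not real telemetry. Raw string so the JSON keeps
# its doubled backslashes. Event 1 is a benign admin action; 2 and 3 match the
# lure; 4 is Word opening a real document and is ignored.
SAMPLE_EVENTS = r'''
{"Computer": "WS-01", "User": "CORP\\alice", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\system32\\mmc.exe", "CommandLine": "\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\services.msc\""}
{"Computer": "WS-02", "User": "CORP\\bob", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "Image": "C:\\Windows\\system32\\mmc.exe", "CommandLine": "\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Users\\bob\\AppData\\Local\\Temp\\Review.docx.msc\""}
{"Computer": "WS-03", "User": "CORP\\carol", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\system32\\mmc.exe", "CommandLine": "\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Users\\carol\\Downloads\\Agenda.msc\""}
{"Computer": "WS-03", "User": "CORP\\carol", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n \"C:\\Users\\carol\\Downloads\\Agenda.docx\""}
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{f.host} {f.user} parent={f.parent} {f.msc_path} -> {', '.join(f.reasons)}")
```

The rule is deliberately narrow: services.msc opened from Explorer by an administrator produces no finding, while an .msc opened from a temp folder straight out of Outlook trips all three checks. Tune USER_WRITABLE_DIRS and MAIL_AND_BROWSER to the environment before running it against real exports, and feed any hit into the C2-domain and service-persistence checks listed above.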
Kaspersky has released indicators of compromise (IOCs) and technical documentation for defenders to detect and mitigate these threats.