{
  "name": "New version of MysterySnail RAT and lightweight MysteryMonoSnail backdoor",
  "slug": "new-version-of-mysterysnail-rat-and-lightweight-mysterymonosnail-backdoor",
  "description": "A new version of the MysterySnail RAT, attributed to the Chinese-speaking IronHusky APT group, has been detected targeting government organizations in Mongolia and Russia. The malware, which hadn't been publicly reported since 2021, now features a modular architecture with five additional DLL modules for command execution. A lightweight version dubbed MysteryMonoSnail was also observed. The infection chain involves a malicious MMC script, an intermediary backdoor, and the main MysterySnail RAT payload. The attackers use public file storage and the piping-server project for command and control. This case highlights the importance of maintaining vigilance against seemingly obsolete malware families, as they may continue operating undetected for extended periods.",
  "published": "2025-04-17T11:06:24+00:00",
  "created_at": "2025-04-17T11:06:24+00:00",
  "modified_at": "2025-04-17T13:09:00+00:00",
  "created_at_opencti": "2025-04-17T11:06:24+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-04-17",
    "apt",
    "ironhusky",
    "mysterymonosnail",
    "mysterysnail"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "watch-smcsvc.com"
      },
      {
        "id": "",
        "name": "leotolstoys.com"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:936d58824f97f718",
        "name": "MysteryMonoSnail",
        "slug": "mysterymonosnail"
      },
      {
        "id": "aca71b7e-1f89-4cdc-9a0c-eada49f33183",
        "name": "MysterySnail RAT",
        "slug": "mysterysnail-rat"
      }
    ],
    "intrusion_sets": [
      {
        "id": "e8f04ef7-6763-4577-8c43-8339bd4a028b",
        "name": "IronHusky",
        "slug": "ironhusky"
      }
    ],
    "attack_patterns": [
      {
        "id": "b15c00da-c412-4429-900c-659de612baf5",
        "name": "T1543.003"
      },
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "4cb4ee3b-b78f-45cf-bcaa-45a2aa968e56",
        "name": "T1570"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2021-40449"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Mongolia"
      },
      {
        "id": "",
        "name": "Russian Federation"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://securelist.com/mysterysnail-new-version/116226/",
    "https://otx.alienvault.com/pulse/6800fcd0995e011520970651"
  ]
}