Mallory
Malware · Used by 5 actors

Trochilus

Trochilus is an open-source Windows remote access trojan (RAT) implemented in C++ and publicly available on GitHub, first reported in 2015. It has been used directly and as a codebase for multiple derivative backdoors, including RedLeaves and SprySOCKS, with substantial source-code overlap noted across those families. Reported capabilities include command execution, file download/upload and execution, and, in observed modified variants, injection into svchost.exe for stealth.

Symantec documented a Webworm/Space Pirates infection chain in which a legitimate executable (Logger.exe) sideloaded a malicious DLL (logexts.dll), executed staged payloads (logger.dat and logexts.dat), performed token theft from WINLOGON.EXE and UAC-bypass-related actions, copied components into C:\ProgramData\Logger, and ultimately unpacked and ran a modified Trochilus payload in memory. That payload searched for its configuration at C:\ProgramData\Logger\sc.cfg, C:\ProgramData\resmon.resmoncfg, and C:\ProgramData\appsoft\resmon.resmoncfg, decompressed the configuration data with LZW, injected into svchost.exe, and supported command execution and file download.

Trochilus has been associated in reporting with multiple China-linked threat actors, including Webworm, APT31, and activity tied to STONE PANDA tooling history; it has also been embedded in a DOUBLESTEP dropper observed in UNC3569-related activity. Victims have included government agencies and enterprises in IT services, aerospace, electric power, telecommunications, and think tanks, with targeting spanning Russia, Georgia, Mongolia, multiple Asian countries, and at least one telecom network.
Known sample hashes directly referenced for Trochilus-related activity include droppers 6201c604ac7b6093dc8f6f12a92f40161508af1ddffa171946b876442a66927e, b9a0602661013d973bc978d64b7abb6bed20cf0498d0def3acb164f0d303b646, c71e0979336615e67006e20b24baafb19d600db94f93e3bf64181478dfc056a8, and a modified Trochilus payload e69177e58b65dd21e0bbe4f6caf66604f120e0c835f3ee0d16a45858f5fe9d90.
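The indicators above (the Logger.exe / logexts.dll sideloading pair, the staged .dat files, the three configuration paths under C:\ProgramData, and the four SHA-256 hashes) are the kind of thing a hunt turns into a few match rules against endpoint telemetry. The following is an added example written for this page, not Mallory's or Symantec's code. The event dictionaries are a constructed stand-in for Sysmon or EDR file-create and image-load records; only the indicator values themselves come from the reporting summarized above.

```python
"""Hunt the Trochilus indicators described on this page against file and
image-load telemetry.

Added example. Event shape ({'type', 'image', 'loaded', 'path', 'sha256'})
is an assumed, constructed format; adapt the field names to your pipeline.
"""
import ntpath
from dataclasses import dataclass

# Indicators taken from the reporting summarized on this page.
TROCHILUS_SHA256 = {
    "6201c604ac7b6093dc8f6f12a92f40161508af1ddffa171946b876442a66927e": "dropper",
    "b9a0602661013d973bc978d64b7abb6bed20cf0498d0def3acb164f0d303b646": "dropper",
    "c71e0979336615e67006e20b24baafb19d600db94f93e3bf64181478dfc056a8": "dropper",
    "e69177e58b65dd21e0bbe4f6caf66604f120e0c835f3ee0d16a45858f5fe9d90": "modified Trochilus payload",
}
CONFIG_PATHS = {
    "c:\\programdata\\logger\\sc.cfg",
    "c:\\programdata\\resmon.resmoncfg",
    "c:\\programdata\\appsoft\\resmon.resmoncfg",
}
STAGING_DIR = "c:\\programdata\\logger\\"
SIDELOAD_HOST = "logger.exe"
SIDELOAD_DLL = "logexts.dll"
STAGED_PAYLOADS = {"logger.dat", "logexts.dat"}


@dataclass
class Finding:
    rule: str
    detail: str


def _norm(path):
    """Lower-case and normalise separators so matching is case-insensitive."""
    return path.lower().replace("/", "\\")


def check_event(ev):
    """Return the Findings for one event (empty list if nothing matched)."""
    findings = []
    etype = ev.get("type")
    if etype == "image_load":
        host = ntpath.basename(_norm(ev["image"]))
        dll = ntpath.basename(_norm(ev["loaded"]))
        # Caveat (my note, not from the page): Logger.exe and logexts.dll also
        # ship with the Windows debugging tools, so the loaded path matters
        # for triage; the finding records it rather than deciding for you.
        if host == SIDELOAD_HOST and dll == SIDELOAD_DLL:
            findings.append(Finding("sideload", f"{host} loaded {ev['loaded']}"))
    elif etype == "file_create":
        p = _norm(ev["path"])
        if p in CONFIG_PATHS:
            findings.append(Finding("config_path", p))
        if p.startswith(STAGING_DIR) and ntpath.basename(p) in STAGED_PAYLOADS:
            findings.append(Finding("staged_payload", p))
        label = TROCHILUS_SHA256.get(ev.get("sha256", "").lower())
        if label:
            findings.append(Finding("known_hash", f"{label}: {p}"))
    return findings


def hunt(events):
    """Run check_event over a batch and flatten the results."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample telemetry, not from any real incident.
SAMPLE_EVENTS = [
    {"type": "image_load", "image": "C:\\ProgramData\\Logger\\Logger.exe",
     "loaded": "C:\\ProgramData\\Logger\\logexts.dll"},
    {"type": "file_create", "path": "C:\\ProgramData\\Logger\\logger.dat",
     "sha256": "00" * 32},
    {"type": "file_create", "path": "C:\\ProgramData\\appsoft\\resmon.resmoncfg",
     "sha256": ""},
    {"type": "file_create", "path": "C:\\Users\\Public\\update.exe",
     "sha256": "6201c604ac7b6093dc8f6f12a92f40161508af1ddffa171946b876442a66927e"},
    {"type": "image_load", "image": "C:\\Windows\\explorer.exe",
     "loaded": "C:\\Windows\\System32\\shell32.dll"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Running the block against the constructed events yields one finding per rule (sideload, staged_payload, config_path, known_hash) and nothing for the benign explorer.exe load. Hash matching is exact and therefore brittle against recompiled builds; the path and sideload rules are the ones that survive a new sample.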

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Webworm

First spotted back in 2015, Trochilus is a RAT implemented in C++ and its source code is available for download on GitHub. ... The malware then injects svchost.exe with the ability to: execute commands; download potentially malicious files.

Space Pirates

First spotted back in 2015, Trochilus is a RAT implemented in C++ and its source code is available for download on GitHub. ... The malware then injects svchost.exe with the ability to: execute commands; download potentially malicious files.

UNC3569

The URL https://chuanqiliebiao-1314[.]oss-cn-shanghai[.]aliyuncs[.]com/wp-content/plugins/Ssl-update.exe will download a dropper ... dubbed ‘DOUBLESTEP’ ... embedded with TROCHILUS.

via Virus Bulletin (virusbulletin.com)
menuPass

Baobeilong (宝贝龙 / "Baby Dragon") also maintained a GitHub account that had forked both the Quasar and Trochilus RATs, two open-source tools historically used by STONE PANDA

via CrowdStrike blog (web.archive.org)
ZIRCONIUM

Tooling-wise, APT31 initially used a number of malware families (RAWDOOR, Trochilus, EvilOSX, DropDoor/DropCat, etc.)...

via HarfangLab Inside the Lab (harfanglab.io)
MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique
T1059 Command and Scripting Interpreter (evidence: 1)

Baobeilong (宝贝龙 / "Baby Dragon") also maintained a GitHub account that had forked both the Quasar and Trochilus RATs, two open-source tools historically used by STONE PANDA... Falcon Intelligence recently independently conducted detailed analysis of the RedLeaves malware... found it was directly sourced from Trochilus code

Stealth

2 techniques
T1036 Masquerading (evidence: 1)

To cover the malicious traffic, the attackers registered C2 domains masquerading as normal AWS or AlibabaCloud domains... This cluster of activity has previously targeted entities... using malicious domains that masquerade as services such as Amazon Web Services and Microsoft Support Services.

T1140 Deobfuscate/Decode Files or Information (evidence: 1)

The payload is often obfuscated with an additional binary layer, including techniques such as XOR encoding, custom shellcode loaders... The shellcode decrypts the embedded PE payload using a simple XOR operation and then executes the payload.

Command and Control

2 techniques
T1071 Application Layer Protocol (evidence: 3)

Analysis of the SprySOCKS backdoor reveals some interesting findings... Meanwhile, the structure of SprySOCKS’s command-and-control (C&C) protocol is similar to one used by the RedLeaves backdoor...

T1219 Remote Access Tools (evidence: 1)

This includes collecting system information, launching an interactive console... initialising a SOCKS proxy, uploading/downloading files, and running existing files.
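The T1036 evidence above describes C2 domains registered to look like AWS, Alibaba Cloud or Microsoft services. A first-pass hunt for that pattern is a lookalike check: flag hostnames that carry a cloud-vendor brand token but whose registrable domain is not one the vendor actually owns. The following is an added example written for this page, not code from any of the quoted sources. The brand tokens and the allowlist of genuine apex domains are my own assumptions, the registrable-domain logic is a deliberate two-label approximation, and the sample hostnames are constructed (defanged with `[.]`); the one real value, the aliyuncs.com bucket URL quoted under UNC3569, is included to show that genuine cloud infrastructure being abused is not flagged by this rule.

```python
"""Flag hostnames that masquerade as cloud or vendor services (ATT&CK T1036).

Added example. BRAND_TOKENS and LEGIT_APEX are assumed lists, not from the
page; apex() uses a two-label approximation instead of a public-suffix list.
"""
import re

# Brand strings an operator might plant in a lookalike hostname (assumed).
BRAND_TOKENS = ("aws", "amazon", "alibaba", "aliyun", "microsoft", "msft")

# Apex domains that legitimately carry those brands (assumed allowlist).
LEGIT_APEX = {
    "amazonaws.com", "amazon.com", "aliyuncs.com", "alibabacloud.com",
    "aliyun.com", "microsoft.com",
}


def refang(host):
    """Turn 'example[.]com' back into 'example.com' for comparison."""
    return host.replace("[.]", ".").strip().lower().rstrip(".")


def apex(host):
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    labels = refang(host).split(".")
    return ".".join(labels[-2:])


def is_masquerade(host):
    """True when the host carries a brand token but sits under a foreign apex."""
    h = refang(host)
    if not re.fullmatch(r"[a-z0-9.-]+", h):
        return False  # not a plain hostname; leave it to other rules
    if apex(h) in LEGIT_APEX:
        return False  # genuine vendor infrastructure, even if abused
    return any(token in h for token in BRAND_TOKENS)


def masquerade_candidates(hosts):
    """De-duplicated, refanged list of hosts that look like vendor lookalikes."""
    return sorted({refang(h) for h in hosts if is_masquerade(h)})


# Constructed sample hostnames (defanged); only the aliyuncs.com entry is from the page.
SAMPLE_HOSTS = [
    "aws-update[.]cloudfront-cdn[.]net",
    "api.alibabacloud-sync[.]com",
    "s3.us-east-1.amazonaws.com",
    "chuanqiliebiao-1314[.]oss-cn-shanghai[.]aliyuncs[.]com",
    "login.microsoft-support[.]services",
    "update.example.org",
]

if __name__ == "__main__":
    for h in masquerade_candidates(SAMPLE_HOSTS):
        print("lookalike:", h)
```

The rule is intentionally loose (a string such as `awsomething.example` would also match), so its output is a triage queue, not a verdict. Swapping `apex()` for a public-suffix-aware library tightens it considerably for multi-part TLDs.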

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (5)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (5)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.