RedLeaves
RedLeaves is a Windows remote access trojan/backdoor, also referred to as BUGJUICE in some reporting, observed since around October 2016 in attachments to targeted emails. It has been linked in multiple reports to China-nexus activity, including APT10/MenuPass and later reporting that notes use by or overlap with other China-linked clusters such as UAT-7290. JPCERT/CC assessed that RedLeaves was likely built on top of the publicly available Trochilus RAT source code due to substantial code overlap, and other reporting likewise describes significant source-code overlap between RedLeaves and Trochilus.
Observed execution commonly uses a multi-stage DLL side-loading or DLL hijacking chain involving a legitimate signed executable, a malicious loader DLL, and encoded payload data written to %TEMP%. The loader decodes the payload and executes it, after which RedLeaves may launch and inject into a process such as Internet Explorer; other reporting describes creation of a suspended svchost.exe process followed by injection and resume. The malware has been observed with PE header strings such as MZ and PE replaced with 0xFF 0xFF in the injected image.
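The stomped-header artifact above (MZ and PE overwritten with 0xFF 0xFF in the injected image) is something a memory-forensics pass can look for directly. The following Python is an added example written for this page, not code from any of the cited reports: it classifies a dumped region as an intact PE, a header-stomped PE (magic bytes gone but the COFF/optional header still parses), or neither, and the minimal header it builds for testing is a constructed stand-in, not a RedLeaves sample.

```python
import struct

# Values from the PE specification (not from the page): COFF machine ids and optional-header magics.
# Images for other architectures are simply reported as "none" by this simplified check.
KNOWN_MACHINES = {0x014C: "x86", 0x8664: "x64"}
KNOWN_OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
STOMPED = b"\xff\xff"  # the page reports MZ and PE replaced with 0xFF 0xFF in the injected image


def classify_image(buf: bytes) -> str:
    """Classify a memory region: 'pe' (intact header), 'stomped' (MZ/PE overwritten but the
    COFF/optional header still parses), or 'none' (not a PE image either way)."""
    if len(buf) < 0x40:
        return "none"
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    # Need the 4-byte signature, the 20-byte COFF header and the 2-byte optional-header magic.
    if e_lfanew + 26 > len(buf):
        return "none"
    machine = struct.unpack_from("<H", buf, e_lfanew + 4)[0]
    opt_magic = struct.unpack_from("<H", buf, e_lfanew + 24)[0]
    header_parses = machine in KNOWN_MACHINES and opt_magic in KNOWN_OPT_MAGIC
    dos_magic, pe_sig = buf[0:2], buf[e_lfanew:e_lfanew + 2]
    if dos_magic == b"MZ" and pe_sig == b"PE" and header_parses:
        return "pe"
    if dos_magic == STOMPED and pe_sig == STOMPED and header_parses:
        return "stomped"
    return "none"


def scan_regions(regions):
    """regions: iterable of (base_address, bytes). Returns the bases whose header was stomped."""
    return [base for base, data in regions if classify_image(data) == "stomped"]


def build_sample(stomped: bool, machine: int = 0x014C, opt_magic: int = 0x10B) -> bytes:
    """Constructed minimal header (not a real RedLeaves sample): MZ stub, e_lfanew=0x40, PE\\0\\0,
    COFF machine at 0x44 and optional-header magic at 0x58; optionally with MZ/PE stomped."""
    hdr = bytearray(0x60)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, machine)
    struct.pack_into("<H", hdr, 0x58, opt_magic)
    if stomped:
        hdr[0:2] = STOMPED
        hdr[0x40:0x42] = STOMPED
    return bytes(hdr)


if __name__ == "__main__":
    regions = [(0x400000, build_sample(False)), (0x10000000, build_sample(True))]
    print([hex(b) for b in scan_regions(regions)])
```

In a real dump, feed each private executable region of the injected process (for example the Internet Explorer or svchost.exe instance) to scan_regions; the check requires the rest of the header to parse so that arbitrary 0xFF-filled memory is not flagged.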
RedLeaves supports command-and-control over TCP, HTTP, HTTPS, or mixed TCP/HTTP modes, including HTTP POST requests and a custom binary protocol. Communications are encrypted with RC4 using configuration-stored keys; reported example keys include Lucky123, problems, 20161213, john1234, and minasawa. One analyzed sample compressed outbound data with LZO and used RC4 over TCP port 443 without SSL, creating a port/protocol mismatch. Reported configuration fields include up to three destinations, port, ID, mutex, injection process, and RC4 key. Reported C2 infrastructure and examples include windowsupdates.dnset.com, mailowl.jkub.com, windowsupdates.itemdb.com, microsoftstores.itemdb.com, 67.205.132.17, 144.168.45.116, and an HTTP POST path /YJCk8Di/index.php.
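Two analyst checks follow from the C2 description above: flagging a port 443 flow that does not start with a TLS record, and trying the reported RC4 keys against a captured payload. The Python below is an added example for this page, not code from any cited report; the beacon string it encrypts is constructed, and the printable-text heuristic assumes uncompressed data (the LZO-compressed sample would need decompression first).

```python
import string

# Keys the page reports from analysed configurations; a real investigation would also pull the
# key from the sample's own configuration block.
REPORTED_KEYS = ["Lucky123", "problems", "20161213", "john1234", "minasawa"]
PRINTABLE = set(string.printable.encode())


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def is_tls_record(first_bytes: bytes) -> bool:
    """True if the bytes open a TLS record (type 0x16 handshake, version 0x03 0x00..0x04).
    A flow to port 443 that fails this check is the port/protocol mismatch the page describes."""
    return len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04


def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / max(len(data), 1)


def try_reported_keys(payload: bytes, keys=REPORTED_KEYS, threshold: float = 0.95):
    """Decrypt with each reported key and return (key, plaintext) for the first mostly-printable
    result, else None. Caveat: for the sample that LZO-compressed data before RC4, the output
    must be LZO-decompressed before any plaintext heuristic will match."""
    for key in keys:
        plaintext = rc4(key.encode(), payload)
        if printable_ratio(plaintext) >= threshold:
            return key, plaintext
    return None


# Constructed sample flow: a made-up beacon string encrypted with one of the reported keys.
SAMPLE_PLAINTEXT = b"host=WS01;user=alice;os=Windows 7 SP1"
SAMPLE_FLOW = rc4(b"20161213", SAMPLE_PLAINTEXT)
```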
Reported capabilities include system and drive reconnaissance, collection of logged-on user information including local and Remote Desktop sessions, browser username and password theft, file and directory operations, upload/download, shell command execution, reverse shell functionality, screen capture, proxying, tunneling and reverse proxy traffic, communication reconfiguration, and download-and-execute behavior. NCCIC also described REDLEAVES as a Visual C++ RAT that performs system enumeration and remote shell functions.
Reported targeting includes numerous Japanese defense groups, and broader Chinese espionage campaigns affecting technology service providers and their customers across sectors including information technology, energy, healthcare, communications, and critical manufacturing. Reporting also places RedLeaves in toolsets used in China-linked operations alongside malware such as PlugX/SOGU, ShadowPad, PoisonIvy, ChChes, QuasarRAT, ANEL, and Cobalt Strike.
Known indicators and artifacts mentioned in the content include mutexes RedLeavesCMDSimulatorMutex and QN4869MD; execution-chain filenames VeetlePlayer.exe, libvlc.dll, and mtcReport.ktc; the sample SHA-256 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481; and the above-listed C2 hosts and IPs.
Groups observed using it
4 distinct threat actors attributed by public researchers.
Falcon Intelligence recently independently conducted detailed analysis of the RedLeaves malware used to target numerous Japanese defense groups and found it was directly sourced from Trochilus code
UAT-7290 primarily leverages a Linux based malware suite but may also utilize Windows based bespoke implants such as RedLeaves ... commonly linked to China-nexus threat actors.
Tools QuasarRAT, RedLeaves, PoisonIvy, ChChes, QuasarRAT Loader, PlugX, ANEL, Cobalt Strike
Some of the notable Windows implants ... include RedLeaves (aka BUGJUICE) and ShadowPad
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Execution
3 techniques
Baobeilong (宝贝龙/"Baby Dragon") also maintained a GitHub account that had forked both the Quasar and Trochilus RATs, two open-source tools historically used by STONE PANDA... Falcon Intelligence recently independently conducted detailed analysis of the RedLeaves malware... found it was directly sourced from Trochilus code
Persistence
2 techniques
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Multiple entries describe creating .lnk shortcuts in Startup folders, such as BACKSPACE creating a shortcut to itself in the CSIDL_STARTUP directory and DarkGate creating an LNK object in the victim startup folder.
The content repeatedly notes creation of '.lnk shortcut' files in the Startup folder, such as BACKSPACE creating a shortcut in CSIDL_STARTUP, DarkGate creating an LNK object in the victim startup folder, and Operation Dream Job placing LNK files into victims' startup folder.
Privilege Escalation
3 techniques
The executed RedLeaves launches a process (Internet Explorer) depending on its configuration, and injects itself there. Then, RedLeaves starts running in the injected process.
Stealth
5 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
A legitimate application (EXE file): a signed, executable file which reads a DLL file located in the same folder
Credential Access
1 technique
Discovery
5 techniques
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
Depending on the received commands, RedLeaves executes the following functions... Send system information
Collection
1 technique
Command and Control
7 techniques
The data is encrypted with RC4 (the key is stored in its configuration)
Analysis of the SprySOCKS backdoor reveals some interesting findings... Meanwhile, the structure of SprySOCKS’s command-and-control (C&C) protocol is similar to one used by the RedLeaves backdoor...
The injected RedLeaves connects to command and control (C&C) servers by HTTP POST request... Destination hosts and communication methods are specified in its configuration.
Depending on the received commands, RedLeaves executes the following functions... Execute proxy function
Depending on the received commands, RedLeaves executes the following functions... Upload/download files
IOCs tracked for this family
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
42 sources tracked across advisories, community write-ups, and news.
A backdoor with significant source code overlap with SprySOCKS, built on the Trochilus codebase.
A backdoor with extensive source code overlaps with Trochilus and common traits shared with SprySOCKS.
A backdoor referenced as sharing characteristics with SprySOCKS.
A Windows payload included in UAT-7290's toolset.