Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareUsed by 1 actorExploits 1 CVE

Tmanger

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVES
CVE-2017-0144EternalBlue SMBv1 Remote Code ExecutionExploited in the wild

攻撃者はEternal Blueを悪用して同一ネットワーク上のいくつかのホストに移動することに成功すると、そのうちの1つのホスト上で興味深いマルウェアを動かし始めました。 | PDBに Tmanger と書かれたRATは今までに見たことがない未知のマルウェアでした。... 今回はTA428がOperation LagTime ITの中で使用したTmangerというRATについて紹介しました。

via ntt security japaninsight-jp.nttsecurity.com
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
TA428

PDBに Tmanger と書かれたRATは今までに見たことがない未知のマルウェアでした。... 今回はTA428がOperation LagTime ITの中で使用したTmangerというRATについて紹介しました。

via ntt security japaninsight-jp.nttsecurity.com
MITRE ATT&CK

Techniques & procedures

17 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1195.002Compromise Software Supply ChainEvidence1

One of the Able update servers was likely compromised in order to deploy HyperBro and Tmanger.

Execution

2 techniques
T1059Command and Scripting InterpreterEvidence1

コマンド 説明 1, 17 特定のプロセスの起動 ... 34 CreateProcessによるプロセスの起動

T1569.002Service ExecutionEvidence1

ServiceMain takes a service name as an argument and attempts to register a service control handler with a specific HandlerProc function meant to check and set the status of that service. With a valid service status handle, Mail-O detaches the calling process from its console, changes the service status values to reflect its current running state, and calls the Entery function.

Persistence

2 techniques
T1543.003Windows ServiceEvidence1

先程System32に作成したDLLをサービスとして登録します。最後に、そのサービスを起動します。

T1547.001Registry Run Keys / Startup FolderEvidence1

存在しない場合、自分自身をRahoto.exeという名前でTempディレクトリにコピーし、レジストリのCurrentVersion\Runを使って自動起動の設定を行います。

Privilege Escalation

2 techniques
T1543.003Windows ServiceEvidence1

先程System32に作成したDLLをサービスとして登録します。最後に、そのサービスを起動します。

T1547.001Registry Run Keys / Startup FolderEvidence1

存在しない場合、自分自身をRahoto.exeという名前でTempディレクトリにコピーし、レジストリのCurrentVersion\Runを使って自動起動の設定を行います。

Stealth

1 technique
T1140Deobfuscate/Decode Files or InformationEvidence1

HyperBro and Korplug payloads are XOR encoded. Tmanger configuration is RC4 encrypted.

Credential Access

1 technique
T1056.001KeyloggingEvidence2

80, 81 キーログの取得

Discovery

2 techniques
T1082System Information DiscoveryEvidence1

CreateEventなどの処理を行った後、以下のような端末情報を収集します。 OSやアーキテクチャ情報 ドライブ情報 ホスト情報 ユーザ情報

T1083File and Directory DiscoveryEvidence1

2 ディレクトリ情報の取得 4 ファイル情報の取得

Lateral Movement

1 technique
T1210Exploitation of Remote ServicesEvidence1

攻撃者はEternal Blueを悪用して同一ネットワーク上のいくつかのホストに移動することに成功すると、そのうちの1つのホスト上で興味深いマルウェアを動かし始めました。

Collection

2 techniques
T1056.001KeyloggingEvidence2

80, 81 キーログの取得

T1113Screen CaptureEvidence2

96 画面キャプチャの取得

Command and Control

5 techniques
T1008Fallback ChannelsEvidence1

Tmanger can fallback to a secondary C&C.

T1071Application Layer ProtocolEvidence1

その後、スレッドが作成され、一連のループを繰り返します。はじめに、ソケットを作成し、成功するとCreateMutexで以下のMutexを作成します。次に、C&Cサーバーとの接続が確立するかチェックを行います。接続できた場合、C&Cサーバーからのコマンド操作を待ちます。

T1095Non-Application Layer ProtocolEvidence1

Tmanger communicates using raw TCP.

T1573Encrypted ChannelEvidence1

トラフィックはRC4によって暗号化されていますが、それをデコードすると図 4のような構造になっています。

T1573.001Symmetric CryptographyEvidence1

Tmanger messages are RC4 encrypted.

Exfiltration

1 technique
T1041Exfiltration Over C2 ChannelEvidence2

3, 19, 35 クライアントからC&Cサーバーへファイルの送信

INDICATORS OF COMPROMISE

IOCs tracked for this family

23 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
2 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
21 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting
hash.sha256●●●●●●●●●●●●View more in app1 year ago
hash.md5●●●●●●●●●●●●View more in app6 years ago
hash.md5●●●●●●●●●●●●View more in app6 years ago
hash.md5●●●●●●●●●●●●View more in app6 years ago
hash.md5●●●●●●●●●●●●View more in app6 years ago
hash.md5●●●●●●●●●●●●View more in app6 years ago
ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
sentinelone labsNews
Jan 9, 2025
ThunderCats Hack the FSB | Your Taxes Didn’t Pay For This Op - SentinelLabs

Malware noted for sharing the unusual exported function name 'Entery' and overlapping function layout/strings with Mail-O, and correlated in the content with TA428.

Read more
web archiveNews
May 17, 2022
Space Pirates: analyzing the tools and connections of a new hacker group

TA428-attributed malware referenced as present in the same broader operational context as Zupdax (Space Pirates-associated), suggesting tool sharing or joint operations; no further technical detail provided here.

Read more
eset welivesecurity blogNews
Dec 10, 2020
Operation StealthyTrident: corporate software under attack

RAT delivered by the legitimate Able Desktop software after HyperBro, replacing it in July 2020. It uses RC4-encrypted configuration and communications over raw TCP, supports keylogging, screen capture, fallback C2, and file exfiltration.

Read more
ntt security japanNews
Oct 15, 2020
Panda's New Arsenal: Part 1 Tmanger | セキュリティナレッジ | NTTセキュリティ・ジャパン株式会社

TA428に利用されるRAT。SetUp、MloadDll、Clientの3パートで構成され、永続化、サービス登録、設定復号、C&C通信、端末情報収集、ファイル操作、プロセス起動、キーログ取得、画面キャプチャ取得などの機能を持つ。通信はRC4で暗号化される。

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching23

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities1

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping17

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.