{
	"id": "d9527d34-ce91-4bc4-bca9-97c3de89812c",
	"created_at": "2026-04-06T00:18:18.813723Z",
	"updated_at": "2026-04-10T03:20:17.790813Z",
	"deleted_at": null,
	"sha1_hash": "3ae9bad6c709a9f03148f0b30db6f8af6683813a",
	"title": "How to detect Yellow Cockatoo remote access trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 121142,
	"plain_text": "How to detect Yellow Cockatoo remote access trojan\r\nBy Brian Donohue\r\nArchived: 2026-04-05 19:00:45 UTC\r\nYellow Cockatoo: Search engine redirects, in-memory remote access trojan, and\r\nmore\r\nThis summer, Red Canary Intel detected a cluster of malicious activity executing a .NET RAT across multiple\r\nindustries. Here’s what to look out for.\r\nOriginally published December 4, 2020. Last modified May 7, 2025.\r\nYellow Cockatoo is our name for a cluster of activity involving the execution of a .NET remote access trojan\r\n(RAT) that runs in memory and drops other payloads. We’ve been tracking this threat since June 2020. Yellow\r\nCockatoo has targeted a range of victims across multiple industries and company sizes, and we continue to see it,\r\nas recently as this week.\r\nOverlaps with other research\r\nOther than a tweet from June referencing a related PowerShell script, Yellow Cockatoo mostly evaded public\r\nnotice until November 2020, when researchers from Morphisec published a detailed overview of a threat they call\r\nJupyter Infostealer. Jupyter Infostealer overlaps significantly with the threat we call Yellow Cockatoo, and we’ll\r\nexplain exactly how later in this post. Special thanks to Michael Gorelik and Arnold Osipov of Morphisec for\r\ntaking the time to compare notes on our respective research.\r\nYou may be wondering why we gave this activity a different name\r\nWe dubbed the threat we’ve been tracking “Yellow Cockatoo” several months ago. Morphisec has done excellent\r\nanalysis of Jupyter Infostealer, but because we define Yellow Cockatoo based on our visibility, we want to make it\r\nclear that we track this activity slightly differently than Morphisec does. 
Additionally, as we see more Yellow\r\nCockatoo activity, we may choose to define this cluster differently, and we don’t want to inherit other teams’\r\nhttps://redcanary.com/blog/yellow-cockatoo/\r\nPage 1 of 7\n\nanalyses by adopting their names. We’ve included a detailed overview of how our research overlaps with—and\r\ndeviates from—Morphisec’s research at the end of this article.\r\nDetecting Yellow Cockatoo\r\nWhile we haven’t developed any bespoke detection analytics designed to specifically detect Yellow\r\nCockatoo, we have a handful of detectors that have done a good job of alerting our detection engineering team to\r\npotentially related behaviors, including those that turned us onto Yellow Cockatoo in the first place.\r\nSecurity teams have a number of distinct detection opportunities to catch Yellow Cockatoo. What follows is a\r\nrough chronology of what is likely to occur during an infection, organized by ATT\u0026CK tactics and detection\r\nopportunities, as well as descriptions of the behavioral analytics that help us uncover Yellow Cockatoo activity.\r\nWhether you think you’re dealing with a Yellow Cockatoo infection or not, the following detection ideas should\r\nprovide decent coverage against a variety of additional threats as well.\r\nInitial access\r\nYellow Cockatoo appears to gain initial access by redirecting search engine queries to a website that attempts to\r\ndeliver a malicious executable to victim machines. The executable feigns legitimacy by using the Microsoft\r\nWord icon. Its name depends on the victim’s search query. For example, if the victim searched for “search-query” then the executable would be named search-query.exe.\r\nExecution\r\nFollowing installation, the executable spawns a command line and creates a similarly named .tmp file that\r\nlaunches PowerShell. 
All of this is effectively precursor activity that leads to the execution of a malicious dynamic\r\nlink library (DLL): a remote access trojan (RAT) implemented as a .NET assembly designed to be loaded in\r\nmemory.\r\nBelow are the redacted contents of the PowerShell script for your convenience:\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -command \"$p='C:\\Users\\REDACTED\\e091d09fa72e9b46db8\r\nWithin the above script, we have our first and second strong detection opportunities.\r\nDetection opportunity #1: Base64 obfuscation in command line\r\nEncoded PowerShell isn’t inherently malicious or suspicious, but it’s less common for a well-meaning\r\nadministrator to encode PowerShell. It’s even less common for a legitimate PowerShell script to be stored in\r\nBase64 form and read at runtime, as seen here. As such, looking for the execution of PowerShell along with a\r\ncorresponding command line containing the term base64 is a good way to catch Yellow Cockatoo and a wide\r\nvariety of other threats. That said, without the ability to effectively tune your detection logic, detecting this\r\nbehavior alone might generate high volumes of false positives.\r\nDetection opportunity #2: XOR obfuscation in command line\r\nPowerShell commands that include the XOR operator are often malicious, so it makes sense to look for\r\nprocesses that appear to be PowerShell executing in conjunction with a command line containing the -bxor\r\noperator. 
We commonly see XOR operations used to great effect for obfuscation of threats such as Cobalt Strike\r\nbeacons.\r\nPersistence\r\nWhile that PowerShell command contains our first two detection opportunities within it, it also creates a number\r\nof .lnk and .dat files that serve the purpose of loading the command-line script to execute the malicious DLL\r\nreferenced earlier and analyzed in depth in the “Technical Analysis” section below.\r\nDetection opportunity #3: PowerShell writing startup shortcuts\r\nWe frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory. In the\r\ncontext of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to\r\nthe installation of the malicious DLL. In this way, it pays to alert on processes that appear to be PowerShell\r\ncreating .lnk files within appdata or startup file paths, or executing in conjunction with command lines\r\ncontaining appdata. 
In more PowerShell code below, Yellow Cockatoo creates and configures the .lnk files.\r\nWhen detecting and investigating, you can treat startup .lnk files containing PowerShell, cmd.exe, or\r\nmshta.exe commands as suspicious.\r\nExecution (again)\r\nThe .lnk and .dat files above (and sometimes an additional .cmd file) eventually launch cmd.exe, which launches\r\nanother suspicious block of PowerShell (included below), offering us some added opportunities to detect Yellow\r\nCockatoo.\r\nThis PowerShell activity alone contains a bunch of detection opportunities, including two of the activities we\r\nsuggested looking out for earlier:\r\nBase64 obfuscation in command line\r\nXOR obfuscation in command line\r\nHowever, we’ve got two additional detectors that alert on the elements of this PowerShell script, which you can\r\nexamine in the code block below:\r\npowershell -w hidden -command \"$abab188938847d9e028b83169bd97=$env:appdata+'\\microsoft\\windows\\start menu\\progr\r\nDetection opportunity #4: PowerShell loading a .NET assembly in memory\r\nPowerShell is using System.Reflection.Assembly to load a .NET executable in memory. Adversaries frequently\r\nuse this technique to introduce a malicious executable into an environment without it residing on disk. In this case,\r\nYellow Cockatoo saved its .NET executable on disk, but in obfuscated form. The only deobfuscated copy of the\r\nexecutable would exist in memory at runtime. Looking for the execution of PowerShell along with a\r\ncorresponding command line containing System.Reflection has allowed us to catch many threats leveraging\r\nthis technique.\r\nParallel activity\r\nThat last bit of PowerShell referenced above ultimately loads the DLL containing the in-memory .NET RAT that\r\nwe’re going to spend the better part of the rest of this blog post discussing. 
In turn, we’ve observed Yellow\r\nCockatoo delivering other payloads in parallel with the RAT, although we haven’t fully analyzed these\r\nexecutables.\r\nHowever, a cursory analysis of one of these binaries (the middle bullet) revealed that it reaches out to C2 domains\r\nthat we have previously associated with malicious behavior, one of which is referenced multiple times in the\r\n“Technical analysis” section below. These executables have varied over time, and have included (but probably\r\naren’t limited to) the following:\r\nJune and October 2020: docx2rtf.exe / docx2rtf-setup-v1.0-x64.exe (MD5:\r\nba95ebd0d6f6e7861b75149561f1fbd3)\r\nSeptember 2020: photodesigner7_x86-64.exe (MD5: 63c9ace2fb8d1cb7eccf4e861d0e4e45)\r\nNovember 2020: Expert_PDF.exe (MD5: 156c5402667e5aae6971faea8e87bc62)\r\nDeep dive on the .NET RAT\r\nThis section details our analysis of a version of a RAT that constitutes just one component of the overall cluster of\r\nactivity we call Yellow Cockatoo.\r\nWe analyzed the following Yellow Cockatoo sample:\r\nFilename: 111bc461-1ca8-43c6-97ed-911e0e69fdf8.dll\r\nSHA256 hash: 30E527E45F50D2BA82865C5679A6FA998EE0A1755361AB01673950810D071C85\r\nMD5 hash: 4EB6170524B5E18D95BB56B937E89B36\r\nThe above DLL conceals a .NET RAT that loads in memory. From a high level, it can:\r\n1. Connect to, and communicate with, a command and control (C2) domain\r\n2. Download a second-stage payload\r\n3. Execute the payload in a loop (i.e., it repeats steps 1 and 2 in an infinite loop)\r\nOn a more granular level, Yellow Cockatoo performs the following C2-related actions:\r\n1. It collects a variety of host information (some of it listed below).\r\n2. It writes a randomly generated string to %USERPROFILE%\\AppData\\Roaming\\solarmarker.dat, which serves\r\nas a unique identifier for the host.\r\n3. 
It connects to the C2 server (address: https://gogohid[.]com/gate?q=ENCODED_HOST_INFO), sharing a\r\nvariety of host information (see below) and retrieving its first command.\r\n4. It retrieves and parses commands in an infinite loop.\r\n5. Upon executing a command, its execution status is reported to https://gogohid[.]com/success?\r\ni=ENCODED_CMD_AND_HOST_ID_INFO along with certain information (see below).\r\nAs you can see in points 3 and 5 above, the C2 URLs contain byte-encoded JSON strings (we’ve replaced the\r\nactual strings with ENCODED_HOST_INFO and ENCODED_CMD_AND_HOST_ID_INFO respectively).\r\nDuring the initial check-in with its C2, Yellow Cockatoo is capable of relaying the following:\r\nhwid: the randomly generated value stored in %USERPROFILE%\\AppData\\Roaming\\solarmarker.dat\r\npn: computer name\r\nos: Windows OS version\r\nx: host machine architecture (x64 or x86) based on the running process\r\nprm: the permission level of the running process (admin or user)\r\nver: malware version. Fixed string: DN-DN/FB1\r\nwg: computer workgroup\r\nThe C2 responds to the initial check-in with a unique command identifier (id). 
Any time Yellow Cockatoo\r\nexecutes a command, it uses a similarly encoded URL string (see step 5 above) to send the hwid and id back\r\nto the C2 server, effectively communicating to the C2 server that the command has executed successfully.\r\nThe RAT implements the following commands:\r\nrpe: downloads an executable buffer into memory and injects and loads it into\r\nc:\\windows\\system32\\msinfo32.exe using the Process Hollowing (T1055.012) technique\r\ndnr: downloads an executable to %TEMP%\\24_CHAR_RANDOM_STRING.exe and executes it\r\npsp: downloads a PowerShell script to %TEMP%\\24_CHAR_RANDOM_STRING.ps1 and executes it with\r\npowershell.exe -ExecutionPolicy bypass \"%TEMP%\\24_CHAR_RANDOM_STRING.ps1\"\r\nThe C2 can also issue an idle command that puts Yellow Cockatoo to sleep pending further commands.\r\nConclusion\r\nWe hope this information and these detection opportunities prove useful to anyone trying to improve detection\r\ncoverage against this threat. While we’re not altogether sure how widespread Yellow Cockatoo is, it’s ranked\r\namong the most common threats we’ve detected for many months now. 
As always, if you have any feedback or\r\nquestions, don’t hesitate to send us an email.\r\nAppendix\r\nSimilarities and differences with Jupyter Infostealer\r\nWhile this list may not be representative of all of the ways that our research overlaps, we have identified the\r\nfollowing similarities between what we define as Yellow Cockatoo and what Morphisec defines as Jupyter\r\nInfostealer:\r\n.exe naming pattern\r\nString %USERPROFILE%\\AppData\\Roaming\\solarmarker.dat\r\nDomain gogohid[.]com\r\nIP address subnet of 45.146.165[.]X\r\nHere are the aspects of Yellow Cockatoo that we believe may be distinct from Morphisec’s analysis of Jupyter:\r\nThe initial delivery of Yellow Cockatoo malware through search engine redirects\r\nAn additional IP address used for C2, 45.146.165[.]221, albeit from the same subnet as observed by\r\nMorphisec (45.146.165[.]X)\r\nWe analyzed what Morphisec calls the “C2 Jupyter client,” while the “infostealer” payload they analyzed is\r\na browser cookie stealer that we did not examine. To that point, we base this on differences in the version\r\nin the .NET assembly. Our technical analysis above focuses on the variant described in the Morphisec\r\nreport as DN-DN/FB1.\r\nOur analysis focuses primarily on endpoint telemetry, including the PowerShell loader that launched\r\nthe infostealer. The telemetry we focused on has a slightly different call run method:\r\nOne variant analyzed by Morphisec used the call run method [jupyTER.jupyTER]::RuN()\r\nThe variant we focused our analysis on used the call run method [d.m]::run()\r\nSource: https://redcanary.com/blog/yellow-cockatoo/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://redcanary.com/blog/yellow-cockatoo/"
	],
	"report_names": [
		"yellow-cockatoo"
	],
	"threat_actors": [],
	"ts_created_at": 1775434698,
	"ts_updated_at": 1775791217,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ae9bad6c709a9f03148f0b30db6f8af6683813a.pdf",
		"text": "https://archive.orkl.eu/3ae9bad6c709a9f03148f0b30db6f8af6683813a.txt",
		"img": "https://archive.orkl.eu/3ae9bad6c709a9f03148f0b30db6f8af6683813a.jpg"
	}
}