{
	"id": "e3223c3b-7164-4f9b-ac20-f9872b5ede1d",
	"created_at": "2026-04-06T00:16:44.409949Z",
	"updated_at": "2026-04-10T13:12:31.583632Z",
	"deleted_at": null,
	"sha1_hash": "a93b36d97bb842373a1cfc5c7a3077636ba73d31",
	"title": "IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55954,
	"plain_text": "IronHusky updates the forgotten MysterySnail RAT to target\r\nRussia and Mongolia\r\nBy GReAT\r\nPublished: 2025-04-17 · Archived: 2026-04-05 16:21:19 UTC\r\nDay after day, threat actors create new malware to use in cyberattacks. Each of these new implants is developed in\r\nits own way, and as a result gets its own destiny – while the use of some malware families is reported for decades,\r\ninformation about others disappears after days, months or several years.\r\nWe observed the latter situation with an implant that we dubbed MysterySnail RAT. We discovered it back in\r\n2021, when we were investigating the CVE-2021-40449 zero-day vulnerability. At that time, we identified this\r\nbackdoor as related to the IronHusky APT, a Chinese-speaking threat actor operating since at least 2017. Since we\r\npublished a blogpost on this implant, there have been no public reports about it, and its whereabouts have\r\nremained unknown.\r\nHowever, recently we managed to spot attempted deployments of a new version of this implant, occurring in\r\ngovernment organizations located in Mongolia and Russia. To us, this observed choice of victims wasn’t\r\nsurprising, as back in 2018, we wrote that IronHusky, the actor related to this RAT, has a specific interest in\r\ntargeting these two countries. It turned out that the implant has been actively used in cyberattacks all these years\r\nalthough not reported.\r\nInfection through a malicious MMC script\r\nOne of the recent infections we spotted was delivered through a malicious MMC script, designed to be disguised\r\nas a document from the National Land Agency of Mongolia (ALAMGAC):\r\nMalicious MMC script as displayed in Windows Explorer. 
It has the icon of a Microsoft Word document\r\nWhen we analyzed the script, we identified that it is designed to:\r\nRetrieve a ZIP archive with a second-stage malicious payload and a lure DOCX file from the file[.]io\r\npublic file storage.\r\nUnzip the downloaded archive and place the legitimate DOCX file into the\r\n%AppData%\\Cisco\\Plugins\\X86\\bin\\etc\\Update folder\r\nStart the CiscoCollabHost.exe file dropped from the ZIP archive.\r\nConfigure persistence for the dropped CiscoCollabHost.exe file by adding an entry to the Run registry key.\r\nOpen the downloaded lure document for the victim.\r\nhttps://securelist.com/mysterysnail-new-version/116226/\r\nPage 1 of 4\n\nHaving investigated the CiscoCollabHost.exe file, we identified it as a legitimate executable. However, the\r\narchive deployed by the attackers also turned out to include a malicious library named CiscoSparkLauncher.dll,\r\ndesigned to be loaded by the legitimate process through the DLL Sideloading technique.\r\nWe found out that this DLL represents a previously unknown intermediary backdoor, designed to perform C2\r\ncommunications by abusing the open-source piping-server project. An interesting fact about this backdoor is that\r\ninformation about Windows API functions used by it is located not in the malicious DLL file, but rather in an\r\nexternal file having the log\\MYFC.log relative path. This file is encrypted with a single-byte XOR and is loaded at\r\nruntime. It is likely that the attackers introduced this file to the backdoor as an anti-analysis measure – since it is\r\nnot possible to determine the API functions called without having access to this file, the process of reverse\r\nengineering the backdoor essentially turns into guesswork.\r\nBy communicating with the legitimate https://ppng.io server powered by the piping-server project, the backdoor is\r\nable to request commands from attackers and send back their execution results. 
It supports the following set of\r\nbasic malicious commands:\r\nCommand name Command description\r\nRCOMM Runs command shells.\r\nFSEND Downloads files from the C2 server.\r\nFRECV Uploads files to the C2 server.\r\nFSHOW Lists directory contents.\r\nFDELE Deletes files.\r\nFEXEC Creates new processes.\r\nREXIT Terminates the backdoor.\r\nRSLEE Performs sleeping.\r\nRESET Resets the timeout counter for the C2 server connection.\r\nAs we found out, attackers used commands implemented in this backdoor to deploy the following files to the\r\nvictim machine:\r\nsophosfilesubmitter.exe, a legitimate executable\r\nfltlib.dll, a malicious library to be sideloaded\r\nIn our telemetry, these files turned out to leave footprints of the MysterySnail RAT malware, an implant we\r\ndescribed back in 2021.\r\nNew version of MysterySnail RAT\r\nIn observed infection cases, MysterySnail RAT was configured to persist on compromised machines as a service.\r\nIts malicious DLL, which is deployed by the intermediary backdoor, is designed to load a payload encrypted with\r\nRC4 and XOR, and stored inside a file named attach.dat. When decrypted, it is reflectively loaded using DLL\r\nhollowing with the help of code implemented inside the run_pe library.\r\nJust as the version of MysterySnail RAT we described in 2021, the latest version of this implant uses attacker-created HTTP servers for communication. 
We have observed communications being performed with the following\r\nservers:\r\nwatch-smcsvc[.]com\r\nleotolstoys[.]com\r\nHaving analyzed the set of commands implemented in the latest version of this backdoor, we identified that it is\r\nquite similar to the one implemented in the 2021 version of MysterySnail RAT – the newly discovered implant is\r\nable to accept about 40 commands, making it possible to:\r\nPerform file system management (read, write and delete files; list drives and directories).\r\nExecute commands via the cmd.exe shell.\r\nSpawn and kill processes.\r\nManage services.\r\nConnect to network resources.\r\nCompared to the samples of MysterySnail RAT we described in our 2021 article, these commands were\r\nimplemented differently. While the version of MysterySnail from 2021 implements these commands inside a\r\nsingle malicious component, the newly discovered version of the implant relies on five additional DLL modules,\r\ndownloaded at runtime, for command execution. These modules are as follows:\r\nInternal module ID Internal module name Module DLL name Module description\r\n0 Basic BasicMod.dll Allows listing drives, deleting files, and fingerprinting the infected machine.\r\n1 EMode ExplorerMoudleDll.dll (sic!) Allows reading files, managing services, and spawning new processes.\r\n2 PMod process.dll Allows listing and terminating running processes.\r\n3 CMod cmd.dll Allows creating new processes and spawning command shells.\r\n4 TranMod tcptran.dll Allows connecting to network resources.\r\nHowever, this transition to a modular architecture isn’t something new – as we have seen modular versions of the\r\nMysterySnail RAT deployed as early as 2021. These versions featured the same modules as described above,\r\nincluding the typo in the ExplorerMoudleDll.dll module name. 
Back then, we promptly made information about\r\nthese versions available to subscribers of our APT Intelligence Reporting service.\r\nMysteryMonoSnail – a repurposed version of MysterySnail RAT\r\nNotably, a short time after we blocked the recent intrusions related to MysterySnail RAT, we observed the\r\nattackers continue their attacks by deploying a repurposed and more lightweight version of\r\nMysterySnail RAT. This version consists of a single component, and that’s why we dubbed it MysteryMonoSnail.\r\nWe noted that it performed communications with the same C2 server addresses as found in the full-fledged\r\nversion of MysterySnail RAT, albeit via a different protocol – WebSocket instead of HTTP.\r\nThis version doesn’t have as many capabilities as the version of MysterySnail RAT that we described above – it\r\nwas programmed to have only 13 basic commands, used to list directory contents, write data to files, and launch\r\nprocesses and remote shells.\r\nObsolete malware families may reappear at any time\r\nThe four-year gap between the publications on MysterySnail RAT has been quite lengthy. What is notable is that\r\nthroughout that time, the internals of this backdoor hardly changed. For instance, the typo in the\r\nExplorerMoudleDll.dll that we previously noted was present in the modular version of MysterySnail RAT from\r\n2021. Furthermore, commands implemented in the 2025 version of this RAT were implemented similarly to the\r\n2021 version of the implant. 
That is why, while conducting threat hunting activities, it’s crucial to consider that\r\nold malware families, which have not been reported on for years, may continue their activities under the radar.\r\nDue to that, signatures designed to detect historical malware families should never be discontinued simply\r\nbecause they are too old.\r\nAt Kaspersky’s GReAT team, we have been focusing on detecting complex threats since 2008 – and we provide\r\nsets of IoCs for both old and new malware to customers of our Threat Intelligence portal. If you wish to get access\r\nto these IoCs and other information about historical and emerging threats, please contact us at\r\nintelreports@kaspersky.com.\r\nSource: https://securelist.com/mysterysnail-new-version/116226/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/mysterysnail-new-version/116226/"
	],
	"report_names": [
		"116226"
	],
	"threat_actors": [
		{
			"id": "d06cd44b-3efe-47dc-bb7c-a7b091c02938",
			"created_at": "2023-11-08T02:00:07.135638Z",
			"updated_at": "2026-04-10T02:00:03.42332Z",
			"deleted_at": null,
			"main_name": "IronHusky",
			"aliases": [],
			"source_name": "MISPGALAXY:IronHusky",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2caf4672-1812-4bb9-9576-6011e56102d2",
			"created_at": "2022-10-25T16:07:23.742765Z",
			"updated_at": "2026-04-10T02:00:04.733853Z",
			"deleted_at": null,
			"main_name": "IronHusky",
			"aliases": [
				"BBCY-TA1",
				"Operation MysterySnail"
			],
			"source_name": "ETDA:IronHusky",
			"tools": [
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"MysterySnail",
				"MysterySnail RAT",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434604,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a93b36d97bb842373a1cfc5c7a3077636ba73d31.pdf",
		"text": "https://archive.orkl.eu/a93b36d97bb842373a1cfc5c7a3077636ba73d31.txt",
		"img": "https://archive.orkl.eu/a93b36d97bb842373a1cfc5c7a3077636ba73d31.jpg"
	}
}