Derusbi
Derusbi is a stealthy remote access trojan/backdoor malware family associated with advanced persistent threat activity, particularly Chinese-nexus actors including APT40 and Deep Panda, with broader reporting also placing it in the APT41/Wicked Panda toolset. It is described as being used against high-value systems for espionage, data theft, and system compromise. Reported capabilities include enumerating Windows Registry keys and values, gathering the victim username, performing screen and audio capture, deleting files, and timestomping for defense evasion. Derusbi also uses process injection and encrypted or obfuscated communications to evade detection, and reporting lists persistence, service creation, DLL side-loading, driver loading, and lateral movement via removable drives as associated behaviors. Variants have used Registry persistence to proxy execution through regsvr32.exe, and Deep Panda reportedly used regsvr32.exe to execute a server variant of Derusbi.
Reported network behavior includes binding to a raw socket on a random source port between 31800 and 31900 for command and control, as well as use of unencrypted HTTP over port 443 in some cases. C2 traffic has been observed obfuscated with variable 4-byte XOR keys.
Reporting also describes a more advanced Derusbi-linked architecture involving a Windows x64 kernel driver/rootkit component and Linux components. The Windows driver was observed as wd.sys and udfs.sys, signed with stolen legitimate certificates, and linked to Derusbi by multiple pieces of evidence. It disables the kernel debugger, hides network connections and files, injects an encrypted userland DLL directly into memory (typically into a SYSTEM svchost.exe), and communicates with userland over a named pipe of the form \\.\pipe\usbpcex%d. The injected DLL stores the machine IP address in HKLM\SYSTEM\CurrentControlSet\Control\WMI\lpstatus, stores reached C2 information XORed with 0x51 in HKLM\SYSTEM\CurrentControlSet\Control\WMI\Level10, stores DNS server information in Level01, and proxy settings in Level02 through Level05. Configuration may be retrieved from a URL and parsed from between the tags "$$$--Hello" and "Wrod--$$$". The driver hides connections associated with ports 1025-1777, performs kernel-level network communications using XOR encryption, optional LZO compression, and CRC32 checksums, and supports modular userland functionality including command execution, proxying, GUI/remote desktop, file operations, VPN, and uninstall/disconnect functions. Derusbi-related Linux behavior is also noted, including loading a Linux kernel module and then deleting it from disk while overwriting the file with null bytes.
Vulnerabilities exploited
4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
PHOTO, BADFLICK, and CHINA CHOPPER are among the most frequently observed backdoors used by APT40.
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The group uses a variety of TTPs including but not limited to LoTL tactics, phishing, ransomware, cryptocurrency mining, supply chain attacks, China Chopper, Gh0st RaT, PlugX, HighNoon, Derusbi, BioPass RAT, RedXOR, and ShadowPad.
Tools: Nanhaishu, Orz, SeDll, Cobalt Strike, GreenCrash, AIRBREAK, BlackCoffee, China Chopper, FUSIONBLAZE, HOMEFRY, MURKYTOP, Metasploit / Meterpreter, ScanBox, Derusbi Trojan, Derusbi, Metasploit
Derusbi variants have been seen that use Registry persistence to proxy execution through regsvr32.exe.
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Utilize behavioral analytics and endpoint detection tools to identify indicators such as persistence, service creation, lateral movement via removable drives, driver loading and DLL side-loading.
"APT40 has been observed leveraging a variety of techniques for initial compromise, including web server exploitation..."
Execution
1 technique
Persistence
4 techniques
"APT40 relies heavily on web shells for an initial foothold... provide continued access... re-infect... and facilitate lateral movement."
Hi-Zor executes using regsvr32.exe called from the Registry Run Keys / Startup Folder persistence mechanism. Inception has ensured persistence at system boot by setting the value regsvr32 %path%\ctfmonrn.dll /s.
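Both the Derusbi variants noted in the family overview and the Run-key procedures quoted above depend on regsvr32.exe being launched from an auto-start registry value. The following added example, which is not from the original page or from any vendor, scores Run/RunOnce values for that pattern: a regsvr32 invocation, the /s silent switch, a DLL outside the usual system directories, and an environment-variable path. The trusted-directory list and the sample entries are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Auto-start value locations (Run / RunOnce keys under either hive).
RUN_KEY_RE = re.compile(r"\\(?:Run|RunOnce)$", re.I)
# regsvr32 with or without .exe, as a bare name or at the end of a path.
REGSVR_RE = re.compile(r'(?:^|[\\\s"])regsvr32(?:\.exe)?(?=["\s]|$)', re.I)
# Quoted or unquoted DLL/OCX path passed to regsvr32.
DLL_RE = re.compile(r'"([^"]+\.(?:dll|ocx))"|(\S+\.(?:dll|ocx))', re.I)
SILENT_RE = re.compile(r"(?:^|\s)/s(?=\s|$)", re.I)
# Directories where a registered DLL is less surprising (assumed; tune per estate).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")


@dataclass
class Finding:
    key: str
    value_name: str
    dll: str
    silent: bool
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def assess_run_value(key: str, value_name: str, data: str) -> Optional[Finding]:
    """Return a Finding when an auto-start value proxies execution through regsvr32."""
    if not RUN_KEY_RE.search(key) or not REGSVR_RE.search(data):
        return None
    m = DLL_RE.search(data)
    dll = (m.group(1) or m.group(2)) if m else ""
    silent = SILENT_RE.search(data) is not None
    reasons = ["regsvr32 launched from a Run key (proxy execution)"]
    if silent:
        reasons.append("/s suppresses the registration dialog")
    if dll and not dll.lower().startswith(TRUSTED_DIRS):
        reasons.append("DLL outside trusted directories")
    if "%" in dll:
        reasons.append("DLL path uses an environment variable")
    return Finding(key, value_name, dll, silent, reasons)


def scan_run_values(entries: List[Tuple[str, str, str]]) -> List[Finding]:
    """Assess (key, value name, value data) triples and return findings, highest score first."""
    findings = [f for f in (assess_run_value(*e) for e in entries) if f is not None]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# --- constructed sample entries (not real telemetry) ---
SAMPLE_RUN_VALUES: List[Tuple[str, str, str]] = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "VendorTray",
     r'"C:\Program Files\Vendor\tray.exe" /minimized'),                 # benign, no regsvr32
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"regsvr32 %path%\ctfmonrn.dll /s"),                               # pattern quoted above
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r'"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Public\sample.dll"'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "AudioSrv",
     r"regsvr32.exe /s C:\Windows\System32\example.dll"),               # in-System32 DLL
]

if __name__ == "__main__":
    for f in scan_run_values(SAMPLE_RUN_VALUES):
        print(f"[{f.score}] {f.key}\\{f.value_name} -> {f.dll}")
        for r in f.reasons:
            print("    -", r)
```

The score is deliberately additive rather than a verdict: an in-System32 DLL registered silently still surfaces, just below an entry whose DLL lives in a user-writable or variable-expanded path, which is where a reviewer should look first.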
Privilege Escalation
5 techniques
Known for its adaptability, it employs techniques like process injection and encrypted communications to evade detection.
Stealth
7 techniques
Examples throughout the content include deleting tools, logs, malware-related files, staged archives, screenshots, temporary files, and exfiltrated data 'to cover their tracks,' 'reduce their footprint,' 'remove traces of activity,' or as part of 'post-intrusion cleanup.'
The content repeatedly describes adversaries and malware deleting files, directories, droppers, scripts, logs, archives, staged data, and other artifacts from compromised systems, e.g., 'APT29 has used SDelete to remove artifacts from victim networks' and 'Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim.'
The content includes secure deletion and overwrite behavior, e.g., 'APT29 has used SDelete to remove artifacts,' 'GreyEnergy can securely delete a file,' 'LiteDuke can securely delete files by first writing random data to the file,' and 'PowerDuke has a command to write random data across a file and delete it.'
APT28 has performed timestomping on victim files. APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory. APT32 has used scheduled task raw XML with a backdated timestamp... APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.
AppleSeed can call regsvr32.exe for execution. APT19 used Regsvr32 to bypass application control techniques. APT32 created a Scheduled Task/Job that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. ... Raspberry Robin uses regsvr32.exe execution without any command line parameters for command and control requests to IP addresses associated with Tor nodes.
Credential Access
1 technique
Discovery
6 techniques
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
Examples include 'TrickBot can identify the user and groups the user belongs to on a compromised host' and multiple entries checking whether the current user is an administrator or has elevated privileges.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
“3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory… admin@338 actors used… dir c:\ >> %temp%\download … APT28 has used Forfiles to locate PDF, Excel, and Word documents…”
Lateral Movement
1 technique
Collection
3 techniques
"Agent Tesla can capture screenshots of the victim’s desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"
Command and Control
5 techniques
"Common TCP ports 80 and 443 are used to blend in with routine network traffic."
"3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode..."; "APT33 has used AES for encryption of command and control traffic."; "Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode)."; "Duqu ... data stream can be encrypted with AES-CBC."; "PoisonIvy uses the Camellia cipher to encrypt communications."
Recent activity
36 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Derusbi is listed as malware relevant to the detection's analytic stories, implying possible use of DLL side-loading or related tradecraft. No further description is provided in the content.
Associated Analytic Story ... Derusbi
Derusbi is referenced as a backdoor/RAT in suspicious execution and driver-loading detections.