BoxCaon
BoxCaon is a backdoor malware family that the cited reporting attributes to IndigoZebra, a suspected Chinese-speaking espionage actor. Check Point reported it in an espionage campaign against the Afghan government, including the Afghan National Security Council, that used ministry-to-ministry spearphishing sent from compromised high-profile mailboxes. The infection chain began with a password-protected RAR decoy named "NSC Press conference.rar" and ended with the installation of a backdoor executable named "spools.exe."
BoxCaon uses the Dropbox API for command-and-control so that its traffic blends in with legitimate Dropbox use. It creates a unique per-victim folder in an attacker-controlled Dropbox account and retrieves commands from a file named "c.txt" stored in a subfolder named "d." The malware can run arbitrary commands, fingerprint the compromised host through Windows API calls, steal confidential data stored on the device, download files, enumerate and download folder contents from the system, and upload files and collected data back to the same Dropbox account over the existing C2 channel. Collected files are staged in a working folder before they are sent.
The reporting links BoxCaon to xCaon through similarities in tooling. Check Point identified about 30 xCaon samples, the earliest dating to 2014; those earlier xCaon variants reportedly used HTTP for C2 and primarily targeted political entities in Kyrgyzstan and Uzbekistan. High-confidence indicators and artifacts named directly in the reporting include the decoy archive "NSC Press conference.rar," the installed executable "spools.exe," the Dropbox-resident command file "c.txt," and the use of Dropbox-hosted per-victim folders with a "d" subfolder for command retrieval.
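The C2 pattern above (a backdoor dropped under a system-binary-like name that talks to the Dropbox API) gives a defender two cheap hunting signals: Dropbox API traffic from a process that is not the Dropbox client or a browser, and a process name that is one edit away from a real Windows binary ("spools.exe" versus the legitimate print spooler "spoolsv.exe"). The following detector is an added example written for this page; it is not code from Check Point or from Mallory. The Dropbox API hostnames are Dropbox's real endpoints, while the event field names, the process allowlist, the list of system binaries and the sample telemetry are assumptions constructed for the example.

```python
"""Hunt for BoxCaon-style Dropbox C2 in EDR-style network-connection events.

Added example for this page; not the malware author's or any vendor's code.
Field names, allowlist, and the sample events are constructed assumptions.
"""
import json
from collections import defaultdict

# Real Dropbox API hostnames. Legitimate use almost always comes from the
# Dropbox desktop client or a browser, so other processes deserve a look.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "notify.dropboxapi.com"}

# Assumed per-environment allowlist of processes expected to reach Dropbox.
ALLOWED_DROPBOX_CLIENTS = {"dropbox.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Real Windows binaries that malware file names are often chosen to resemble;
# the reported "spools.exe" is one insertion away from "spoolsv.exe".
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "explorer.exe", "winlogon.exe"}

# Constructed sample telemetry (not real logs): one process -> destination per line.
SAMPLE_EVENTS = [
    r'{"host":"ws-01","pid":4120,"process":"C:\\Users\\a\\AppData\\Roaming\\spools.exe","dest":"api.dropboxapi.com","port":443}',
    r'{"host":"ws-01","pid":4120,"process":"C:\\Users\\a\\AppData\\Roaming\\spools.exe","dest":"content.dropboxapi.com","port":443}',
    r'{"host":"ws-02","pid":2210,"process":"C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe","dest":"content.dropboxapi.com","port":443}',
    r'{"host":"ws-03","pid":3344,"process":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","dest":"outlook.office365.com","port":443}',
    r'{"host":"ws-04","pid":5120,"process":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","dest":"api.dropboxapi.com","port":443}',
    r'{"host":"ws-05","pid":1188,"process":"C:\\Windows\\System32\\spoolsv.exe","dest":"10.0.0.5","port":9100}',
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling single-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lookalike_of(exe: str, max_distance: int = 2):
    """Return the system binary that `exe` imitates, or None if it is a real
    system binary name or not close to any of them."""
    if exe in SYSTEM_BINARIES:
        return None
    best = min(SYSTEM_BINARIES, key=lambda s: edit_distance(exe, s))
    return best if edit_distance(exe, best) <= max_distance else None


def analyze(lines):
    """Aggregate findings per (host, pid); returns {(host, pid): [reasons]}."""
    findings = defaultdict(set)
    for line in lines:
        ev = json.loads(line)
        exe = basename(ev["process"])
        key = (ev["host"], ev["pid"])
        # Signal 1: Dropbox API reached by something other than the known clients.
        if ev["dest"].lower() in DROPBOX_API_HOSTS and exe not in ALLOWED_DROPBOX_CLIENTS:
            findings[key].add("dropbox_api_from_unexpected_process:" + exe)
        # Signal 2: file name that mimics a legitimate Windows binary.
        twin = lookalike_of(exe)
        if twin:
            findings[key].add("lookalike_system_binary:%s~%s" % (exe, twin))
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for (host, pid), reasons in analyze(SAMPLE_EVENTS).items():
        print(host, pid, "; ".join(reasons))
```

Both signals firing on the same process (as for the constructed ws-01 events) is the combination that matches the reported BoxCaon tradecraft; either one alone is a triage lead rather than a verdict, since scripted backups and oddly named internal tools will trip the first rule on its own. The Dropbox-API-Arg header, not the URL, carries the file path in Dropbox API v2, so the "d/c.txt" command file is only visible where TLS-inspecting proxies or API-level logging expose request bodies and headers.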
Groups observed using it
1 distinct threat actor attributed by public researchers.
"The backdoor, dubbed 'BoxCaon,' is capable of stealing confidential data stored on the device, running arbitrary commands, and exfiltrating the results back to the Dropbox folder."
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
2 techniques
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
1 technique
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
Discovery
2 techniques
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
“3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory… admin@338 actors used… dir c:\ >> %temp%\download … APT28 has used Forfiles to locate PDF, Excel, and Word documents…”
Collection
3 techniques
The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.
Command and Control
3 techniques
The adversaries had communicated to both Dropbox and Pastebin. APT28 has used Google Drive for C2. APT37 leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.
"APT39 has communicated with C2 through files uploaded to and downloaded from DropBox."; "RIFLESPINE can retrieve C2 commands from an encrypted file on Google Drive then upload the results ... back to Google Drive."; "CloudDuke uses a Microsoft OneDrive account to exchange commands and stolen data"
BoxCaon has the capability to download folders' contents on the system and upload the results back to its Dropbox drive.
Exfiltration
2 techniques
Many entries state malware or actors can upload, transfer, send, or exfiltrate files from compromised hosts to command-and-control servers or attacker infrastructure.
Akira will exfiltrate victim data using applications such as Rclone. APT41 DUST exfiltrated collected information to OneDrive. BoomBox can upload data to dedicated per-victim folders in Dropbox. During C0015, the threat actors exfiltrated files and sensitive data to the MEGA cloud storage site using the Rclone command.
Recent activity
15 sources tracked across advisories, community write-ups, and news.
Enterprise New Software: ... BoxCaon ... xCaon
Backdoor/implant that uses the Dropbox API for command-and-control and exfiltration. It creates a per-host Dropbox folder, retrieves attacker commands (e.g., from c.txt in a subfolder 'd'), executes arbitrary commands, and exfiltrates results and stolen data back to Dropbox.
Malware that can collect folder contents from a system and upload them to Dropbox.
Backdoor that uses Dropbox as a command-and-control channel.