Sakula is a Windows malware family, also referred to as Sakurel and Viper, that functions as a backdoor/RAT with command-and-control over HTTP using GET and POST requests. Reported samples encode C2 traffic with single-byte XOR keys. Sakula has been observed using DLL side-loading for execution, including abuse of digitally signed binaries such as Kaspersky Anti-Virus and McAfee Outlook Scan About Box to load malicious DLLs. It contains UAC bypass code for both 32-bit and 64-bit systems, can install itself as a Windows service for persistence, and uses cmd.exe to execute DLLs via rundll32 as well as to delete temporary files and perform cleanup. Some reporting also notes reverse shell capability. The malware is notably linked in reporting to the 2015 U.S. Office of Personnel Management (OPM) breach; in 2017, Chinese national Yu Pingan was arrested on charges of providing Sakula used in the OPM data breach and other cyber intrusions. High-confidence behavioral indicators mentioned in the content include HTTP-based C2, single-byte XOR-obfuscated traffic, DLL side-loading via signed applications, service-based persistence, rundll32 execution through cmd.exe, temporary file deletion, and embedded UAC bypass functionality.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
15 distinct techniques documented for this family, organized by ATT&CK tactic.
The content repeatedly describes use of cmd.exe, cmd /c, Windows command shell, and xp_cmdshell to execute commands, run payloads, launch binaries, perform reconnaissance, persistence, cleanup, and ransomware actions. Examples include: 'Sandworm Team used the xp_cmdshell command in MS-SQL', 'APT41 used cmd.exe /c to execute commands on remote machines', and many malware families 'can use cmd.exe to execute commands on a compromised host.' | Many entries explicitly state malware 'can create a reverse shell' or 'launch a remote shell,' including 4H RAT, AuditCred, BLACKCOFFEE, Carbanak, DarkComet, Exaramel for Windows, PlugX, QuasarRAT, and ZxShell.
Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.
The malware reportedly utilizes techniques similar to those observed in previous RAT families, including process injection, reflective DLL injection, and single-byte XOR encoding to obfuscate network communications and embedded strings, making detection significantly more difficult for security solutions.
During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
The malware reportedly utilizes techniques similar to those observed in previous RAT families, including process injection, reflective DLL injection, and single-byte XOR encoding to obfuscate network communications and embedded strings, making detection significantly more difficult for security solutions.
Like the previously documented Sakula malware family identified by Dell SecureWorks researchers, it likely uses HTTP GET and POST requests for command and control (C2) communications.
4H RAT has the capability to create a remote shell. AuditCred can open a reverse shell on the system to execute commands. PlugX allows actors to spawn a reverse shell on a victim. QuasarRAT can launch a remote shell to execute commands on the victim’s machine.
"3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode..."; "APT33 has used AES for encryption of command and control traffic."; "Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode)."; "Duqu ... data stream can be encrypted with AES-CBC."; "PoisonIvy uses the Camellia cipher to encrypt communications."
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Other indicator types observed in public reporting.
15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Previously documented malware family referenced for similarity in command-and-control behavior, specifically use of HTTP GET and POST requests for C2 communications.
Backdoor with samples that install themselves as Windows services for persistence.
Backdoor malware referenced as being used in the OPM data breach; associated here with supply/provisioning by an individual later arrested, and used for cyberintrusions beyond OPM.
Contains Windows UAC bypass code for both 32-bit and 64-bit systems.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.