Kaspersky researchers have identified new attacks using an updated variant of the long-dormant MysterySnail RAT, a remote access trojan first documented in 2021 when it was observed exploiting the then zero-day vulnerability CVE-2021-40449. The RAT is attributed to the Chinese-speaking APT group IronHusky, which now appears to have revived it to target government organizations in Mongolia and Russia.

IronHusky APT Revives MysterySnail RAT

MysterySnail RAT had effectively vanished from the public threat landscape after its initial documentation in 2021, with no activity publicly reported until now. Security analysts recently intercepted fresh deployment attempts of a new version of the implant, reaffirming IronHusky's long-observed interest in East Asia and neighboring states.

This discovery indicates that the backdoor remained operational and in active use throughout the intervening years while staying under the radar of public reporting and traditional detection systems.

Attack Chain of MysterySnail RAT

The infection vector in the recent campaign is highly targeted. The attackers distributed a malicious Microsoft Management Console (MMC) script disguised as a document from the Mongolian National Land Agency (ALAMGAC), with a file icon crafted to mimic a standard Microsoft Word document.

Figure: The malicious script disguised as a document (Source: Kaspersky)

Upon execution, the script performs several actions:

  • Downloads a ZIP archive containing the second-stage payload and a decoy DOCX file from a public file-sharing service (file[.]io)
  • Extracts the archive, including the decoy document, to %AppData%\Cisco\Plugins\X86\bin\etc\Update
  • Launches CiscoCollabHost.exe, a legitimate executable bundled in the archive
  • Establishes persistence via the Windows Registry
  • Opens the decoy document so the victim sees nothing unusual

While CiscoCollabHost.exe itself is legitimate, the attackers bundled it with a malicious dynamic-link library (DLL), CiscoSparkLauncher.dll, which the executable loads from its own directory. This intermediary backdoor relies on DLL sideloading for stealth: because the code runs inside a trusted vendor process, it inherits that process's appearance.

The DLL uses the open-source piping-server project for command-and-control (C2) communication, relaying data through the legitimate public ppng.io server. The backdoor keeps its configuration encrypted in an external file (log\MYFC.log), which complicates analysis.

Without this file, reverse engineering becomes considerably harder, since the Windows API function calls the backdoor makes are obscured in the binary itself, a calculated approach to hinder analysis.

Through this channel, attackers deployed additional files:

  • sophosfilesubmitter.exe (legitimate executable)
  • fltlib.dll (malicious sideloaded library)

Both artifacts bear traces of the original MysterySnail RAT, confirming the continuity of the malware family.

New Iterations of MysterySnail RAT

There is also a new iteration of MysterySnail RAT itself, designed to persist on infected systems. Its core payload is encrypted with a combination of RC4 and XOR and stored in a file named attach.dat. Once decrypted, it is loaded reflectively via DLL hollowing, using code borrowed from the open-source run_pe library.
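The report says only that the payload is protected by RC4 and XOR; it does not publish the keys, the layer order or the key derivation. The following is an added example (not Kaspersky's code and not the malware's) of how an analyst typically unpacks such a blob: implement the two primitives, try both layer orders, and use the PE header as the success check. The RC4 key, the XOR key and the "XOR first, then RC4" packing order used to build the sample blob are assumptions made for the demonstration; DLL hollowing is not reproduced here.

```python
"""
Added example: generic unpacker for a payload protected by one RC4 pass and one
XOR pass, as the text describes for attach.dat. Keys and layer order are
unknown, so they are parameters and both orders are tried.
"""
from itertools import cycle


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; also its own inverse."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(blob: bytes) -> bool:
    """Minimal PE sanity check: DOS 'MZ' signature and 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def unpack(blob: bytes, rc4_key: bytes, xor_key: bytes):
    """Try both decryption orders; return (plaintext, order) for the one yielding a PE, else (None, None)."""
    candidates = {
        "rc4-then-xor": lambda d: xor(xor_key, rc4(rc4_key, d)),
        "xor-then-rc4": lambda d: rc4(rc4_key, xor(xor_key, d)),
    }
    for name, fn in candidates.items():
        pt = fn(blob)
        if looks_like_pe(pt):
            return pt, name
    return None, None


def build_sample():
    """Constructed stand-in for attach.dat: a fake PE stub packed XOR first, then RC4.
    The keys and the packing order are assumptions for this demo, not values from the report."""
    pe = bytearray(b"MZ" + b"\x00" * 0x3A + (0x80).to_bytes(4, "little"))  # e_lfanew = 0x80
    pe += b"\x00" * (0x80 - len(pe)) + b"PE\x00\x00" + b"\x90" * 32
    rc4_key, xor_key = b"demo-rc4-key", b"\x5a"
    blob = rc4(rc4_key, xor(xor_key, bytes(pe)))
    return blob, rc4_key, xor_key, bytes(pe)


if __name__ == "__main__":
    blob, rc4_key, xor_key, _ = build_sample()
    plaintext, order = unpack(blob, rc4_key, xor_key)
    print("recovered PE of %d bytes using order %s" % (len(plaintext), order))
```

Against a real sample, the keys would come from the loader that reads attach.dat; the header check is what lets an analyst confirm a key and layer order without guessing at the plaintext structure.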

Like its predecessor, the malware communicates with attacker-controlled servers over HTTP. Active C2 domains include:

        • watch-smcsvc[.]com
        • leotolstoys[.]com
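The two sideloading pairs described above (CiscoCollabHost.exe with CiscoSparkLauncher.dll, sophosfilesubmitter.exe with fltlib.dll) and the two C2 domains give a defender concrete hunting logic. The following is an added example, not code from Kaspersky or the report, that runs that logic over constructed Sysmon-style image-load and DNS events. The event field names (EventType, Image, ImageLoaded, QueryName) and the sample events are assumptions made for the demonstration.

```python
"""
Added example: hunt for the MysterySnail sideloading pairs and C2 domains in
Sysmon-style telemetry. Field names and sample events are constructed.
"""
import ntpath

# Legitimate host executable -> DLL sideloaded beside it (pairs named in the report)
SIDELOAD_PAIRS = {
    "ciscocollabhost.exe": "ciscosparklauncher.dll",
    "sophosfilesubmitter.exe": "fltlib.dll",
}

# C2 domains from the report, kept defanged in the source and normalised here
C2_DOMAINS = {d.replace("[.]", ".") for d in ("watch-smcsvc[.]com", "leotolstoys[.]com")}

# Directories a legitimately installed copy of these DLLs would load from.
# fltlib.dll in particular is a Windows system DLL; a copy elsewhere is suspicious.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")


def check_image_load(event):
    """Finding if a known host process loads its paired DLL from an untrusted directory, else None."""
    image = ntpath.basename(event["Image"]).lower()
    loaded = event["ImageLoaded"].lower()
    expected = SIDELOAD_PAIRS.get(image)
    if expected is None or ntpath.basename(loaded) != expected:
        return None
    if loaded.startswith(TRUSTED_DIRS):
        return None
    return "sideload: %s loaded %s from %s" % (image, expected, ntpath.dirname(loaded))


def check_dns(event):
    """Finding if a DNS query targets a known C2 domain or one of its subdomains, else None."""
    query = event["QueryName"].lower().rstrip(".")
    for domain in C2_DOMAINS:
        if query == domain or query.endswith("." + domain):
            return "c2 dns: %s resolved %s" % (event["Image"], query)
    return None


def hunt(events):
    """Run every event through the matching check and collect the findings."""
    findings = []
    for event in events:
        if event["EventType"] == "ImageLoad":
            finding = check_image_load(event)
        elif event["EventType"] == "DnsQuery":
            finding = check_dns(event)
        else:
            finding = None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry: two true positives per check type plus two benign events
SAMPLE_EVENTS = [
    {"EventType": "ImageLoad",
     "Image": r"C:\Users\u\AppData\Roaming\Cisco\Plugins\X86\bin\etc\Update\CiscoCollabHost.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Roaming\Cisco\Plugins\X86\bin\etc\Update\CiscoSparkLauncher.dll"},
    {"EventType": "ImageLoad", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\fltlib.dll"},            # benign: system copy
    {"EventType": "ImageLoad", "Image": r"C:\ProgramData\x\sophosfilesubmitter.exe",
     "ImageLoaded": r"C:\ProgramData\x\fltlib.dll"},               # sideloaded copy
    {"EventType": "DnsQuery", "Image": r"C:\ProgramData\x\sophosfilesubmitter.exe",
     "QueryName": "api.watch-smcsvc.com"},
    {"EventType": "DnsQuery", "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "www.microsoft.com"},                             # benign
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

The directory check matters: alerting on fltlib.dll by name alone would fire on every legitimate load from System32, so the rule keys on the host-process name together with a load path outside the trusted directories.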

This variant supports more than 40 commands, covering:

        • File system manipulation (list, read, write, delete)
        • Shell command execution
        • Process and service management
        • Network resource access

Researchers also observed a simplified version of the RAT, dubbed MysteryMonoSnail. This variant consolidates all operations into a single component and replaces HTTP with WebSocket-based C2 communication, though it connects to the same infrastructure.

MysteryMonoSnail is less feature-rich, supporting only 13 basic commands for directory listing, file writing, process launching and remote shell execution. The reduced footprint is intended to help it avoid detection in compromised environments.

Conclusion

Despite minimal changes to its codebase, the RAT remains a potent tool for espionage and intrusion, particularly when paired with stealthy delivery techniques such as DLL sideloading. Security teams are urged to retain historical detection signatures and remain vigilant for older implants, especially those tied to established APT groups.


Source: hxxps[://]securelist[.]com/mysterysnail-new-version/116226/