Mallory
Malware · Used by 5 actors

Trochilus

Trochilus is an open-source Windows remote access trojan (RAT), first observed in 2015, implemented in C++ and publicly available on GitHub. It is used directly as a backdoor and has also served as the code base for other malware, with multiple reports noting substantial source-code overlap between Trochilus and RedLeaves, and that SprySOCKS is based on Trochilus. Trochilus has been associated in reporting with several China-linked espionage clusters and campaigns, including APT31, Webworm, FishMonger/Earth Lusca, STONE PANDA-related activity, and UNC3569 operations distributing a customized Trochilus payload.

Documented capabilities include remote administration functions such as downloading, uploading, and executing files. In observed customized deployments, Trochilus variants were unpacked and executed in memory, injected into processes such as svchost.exe, and loaded compressed configuration data from paths including C:\ProgramData\Logger\sc.cfg, C:\ProgramData\resmon.resmoncfg, and C:\ProgramData\appsoft\resmon.resmoncfg. Symantec reported a Webworm deployment chain in which a legitimate executable (Logger.exe) loaded a malicious DLL (logexts.dll), which executed staged shellcode and ultimately launched a modified Trochilus payload in memory; associated files included sc.cfg, logexts.dat, logexts.dll, and logger.dat under TEMP and C:\ProgramData\Logger. Another report describes an intrusion scenario that used vtcp.dll from the Trochilus RAT collection. UNC3569-linked activity included a DOUBLESTEP dropper delivered from an Aliyun OSS URL that embedded a customized Trochilus backdoor encrypted with the RC4 key a3s1df3a1sd3ad18a0s8daf0; the sample Ssl-update.exe had MD5 5f7764e2c6fd2185f4df9fb2873f1fe8.

Trochilus has appeared in targeted intrusions against government and enterprise victims, including telecom and think tank targets in reporting on APT31, and in Webworm operations against government agencies and enterprises in the IT services, aerospace, and electric power sectors across Russia, Georgia, Mongolia, and other Asian countries. High-confidence indicators reported directly by the cited sources include the modified Trochilus payload hash e69177e58b65dd21e0bbe4f6caf66604f120e0c835f3ee0d16a45858f5fe9d90, the Aliyun OSS delivery URL hosting Ssl-update.exe, and the configuration file paths noted above.


THREAT ACTORS

Groups observed using it

5 distinct threat actors attributed by public researchers.
Webworm

SprySOCKS is based on a Windows remote access trojan called Trochilus, and shares several common traits with RedLeaves, a backdoor that also exhibits extensive source code overlaps with Trochilus.

via The Hacker News (thehackernews.com)
Space Pirates

First spotted back in 2015, Trochilus is a RAT implemented in C++ and its source code is available for download on GitHub. ... Then the file unpacks and executes in memory its backdoor payload, a variant of the Trochilus RAT.

via Symantec Enterprise Blogs (symantec-enterprise-blogs.security.com)
UNC3569

The URL https://chuanqiliebiao-1314[.]oss-cn-shanghai[.]aliyuncs[.]com/wp-content/plugins/Ssl-update.exe will download a dropper ... dubbed ‘DOUBLESTEP’ ... embedded with TROCHILUS.

via Virus Bulletin (virusbulletin.com)
menuPass

Baobeilong (宝贝龙/”Baby Dragon”) also maintained a GitHub account that had forked both the Quasar and Trochilus RATs, two open-source tools historically used by STONE PANDA

via CrowdStrike blog (web.archive.org)
ZIRCONIUM

Tooling-wise, APT31 initially used a number of malware families (RAWDOOR, Trochilus, EvilOSX, DropDoor/DropCat, etc.)...

via HarfangLab Inside the Lab (harfanglab.io)
MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique
T1059 Command and Scripting Interpreter (evidence: 1)

Baobeilong (宝贝龙/”Baby Dragon”) also maintained a GitHub account that had forked both the Quasar and Trochilus RATs, two open-source tools historically used by STONE PANDA... Falcon Intelligence recently independently conducted detailed analysis of the RedLeaves malware... found it was directly sourced from Trochilus code

Stealth

2 techniques
T1036 Masquerading (evidence: 1)

To cover the malicious traffic, the attackers registered C2 domains masquerading as normal AWS or AlibabaCloud domains... This cluster of activity has previously targeted entities... using malicious domains that masquerade as services such as Amazon Web Services and Microsoft Support Services.

T1140 Deobfuscate/Decode Files or Information (evidence: 1)

The payload is often obfuscated with an additional binary layer, including techniques such as XOR encoding, custom shellcode loaders... The shellcode decrypts the embedded PE payload using a simple XOR operation and then executes the payload.

Command and Control

2 techniques
T1071 Application Layer Protocol (evidence: 1)

UNC3569’s command-and-control (C2) infrastructure reveals patterns in server configurations and subdomain usage. These C&C servers are multifunctional, hosting various malware controllers and serving as distribution points for malware.

T1219 Remote Access Tools (evidence: 1)

This includes collecting system information, launching an interactive console... initialising a SOCKS proxy, uploading/downloading files, and running existing files.
