Waterbear
WaterBear is a long-running backdoor malware family, active since at least 2009, associated with the China-linked cyber-espionage group BlackTech, which Trend Micro tracks as Earth Hundun. The family has gone through more than 10 versions, and several versions have been found coexisting in the same victim environment. WaterBear has been observed targeting technology, government, and research organizations in the Asia-Pacific region, and U.S. and Japanese agencies listed it among the custom malware BlackTech deploys in operations against Cisco router environments.
WaterBear is a multifaceted stage-two implant / RAT with capabilities including file transfer and file operations, remote shell access, screenshots and screen capture, remote desktop, Registry operations, and process and service manipulation. It has used DLL side-loading to get a malicious DLL loader imported and loaded. Some loaders store an encrypted downloader in the Windows Registry and decrypt it with CryptUnprotectData (DPAPI), so the payload can only be decrypted on the machine where it was protected; for an analyst this means recovering the downloader from the live host (or with that host's DPAPI keys) rather than from a copied hive alone. Some variants also delete specific Registry values in order to get a malicious DLL loaded.
Observed behaviors include querying the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\MTxOCI to check whether the OracleOcilib value exists; checking for the presence of specific security software; hooking the ZwOpenProcess and GetExtendedTcpTable APIs inside security products' processes so that WaterBear's PIDs and TCP connection records are hidden from them; calling native Windows APIs directly for execution; injecting decrypted shellcode into the LanmanServer service; and overwriting its own functions with random values after they have run so they cannot execute a second time. Together these are anti-analysis and anti-detection tradecraft: the hooks blind the tooling a defender relies on, and the self-scrambling leaves less intact code for a memory capture to recover.
Trend Micro describes WaterBear loaders as commonly using a custom salted RC4 decryption routine with obfuscation, while some variants use Registry-stored encrypted downloaders. Downloader traffic uses a custom protocol with a 10-byte header and salted RC4 encryption, and the configuration supports up to three XOR-obfuscated C2 addresses. The downloader generates a 16-byte KEY_RANDOM and combines it with additional keys in a staged C2 exchange to retrieve the next-stage RAT. Cited indicators include the downloader sample SHA-256 6b9a14d4d9230e038ffd9e1f5fd0d3065ff0a78b52ab338644462864740c2241 and the use of 192.168.11[.]2 as a C2 server in one sample; note that this is an RFC 1918 private address, so it is not usable as a network blocklist indicator on its own.
Unit 42 assessed BendyBear, a related downloader, as strongly tied to the WaterBear family on the basis of code and behavioral overlap. Overall, WaterBear is a mature espionage backdoor family with extensive anti-analysis, stealth, Registry interaction, process injection, and remote-access functionality.
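The MTxOCI/OracleOcilib check and the Registry-based loader stages give a concrete place to hunt. Below is an added Python example (not WaterBear's code and not any vendor's detection) that runs a simple rule over constructed Sysmon-style registry events: any process other than an assumed baseline writer (here msdtc.exe) that sets or deletes HKLM\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOcilib is flagged, and a reg.exe command line that queries the key is flagged as a second path. The baseline, the sample events, and the ocinit.exe loader path are assumptions; the page supplies only the key and value names.

```python
"""Added example: flag unexpected writes/deletes of the MTxOCI\\OracleOcilib value
in Sysmon-style registry telemetry (Event ID 12 = key/value create or delete,
Event ID 13 = value set, Event ID 1 = process create). Baseline and sample
events are constructed for illustration."""
import json
from typing import Dict, List

# Page-supplied key and value; Sysmon renders the hive as HKLM. Kept lowercase
# so comparisons are case-insensitive (Registry paths are).
WATCHED_VALUE = r"hklm\software\microsoft\msdtc\mtxoci\oracleocilib"
WATCHED_KEY = WATCHED_VALUE.rsplit("\\", 1)[0]

# Assumed baseline: the only process expected to maintain this value.
EXPECTED_WRITERS = {r"c:\windows\system32\msdtc.exe"}

# Constructed events. The ocinit.exe path is a hypothetical side-loaded
# loader, not a real indicator.
_RAW_EVENTS = [
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\msdtc.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOcilib",
     "Details": "oci.dll"},                                   # benign baseline
    {"EventID": 12, "EventType": "DeleteValue",
     "Image": r"C:\ProgramData\Oracle\ocinit.exe",            # hypothetical
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOcilib"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\u.exe"},                    # unrelated key
    {"EventID": 1,
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\MSDTC\MTxOCI /v OracleOcilib"},
]
SAMPLE_EVENTS = [json.dumps(e) for e in _RAW_EVENTS]  # one JSON line per event


def _norm(path: str) -> str:
    """Normalise hive name and case so string comparison is meaningful."""
    return path.replace("HKEY_LOCAL_MACHINE", "HKLM").lower()


def find_hits(event_lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per suspicious event: an unexpected write/delete of the
    watched value, or a command line that queries its key via reg.exe."""
    hits = []
    for line in event_lines:
        ev = json.loads(line)
        image = _norm(ev.get("Image", ""))
        if ev.get("EventID") in (12, 13):
            if _norm(ev.get("TargetObject", "")) != WATCHED_VALUE:
                continue
            if image in EXPECTED_WRITERS:
                continue
            hits.append({"image": image,
                         "reason": "registry_" + ev.get("EventType", "").lower()})
        elif ev.get("EventID") == 1:
            cmd = _norm(ev.get("CommandLine", ""))
            if "reg" in cmd and "query" in cmd and WATCHED_KEY in cmd:
                hits.append({"image": image, "reason": "reg_query"})
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(hit)
```

Two caveats a hunter needs. Sysmon records creates, sets, deletes and renames, not reads, so the API-level existence check the page describes leaves no Sysmon registry event at all; the reg.exe branch only catches an operator doing it by hand. The write side is the more dependable angle: the loader stage that stores an encrypted downloader under the Registry and the value deletions used to steer DLL loading both produce Event 12/13 records. The msdtc.exe baseline is an assumption and will need extending with whatever legitimately maintains Oracle/XA settings in a given estate before the rule is trusted.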
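To make the loader/downloader decryption and configuration handling concrete, here is an added Python example; it is not Trend Micro's or the malware's code. The "salted" RC4 construction (a per-sample salt prepended to the static key), the 8-byte salt length, the three fixed 32-byte C2 slots, the keys and the sample blob are all assumptions for illustration: the page lists the components (salted RC4, up to three XOR-obfuscated C2 addresses) but not the real byte layout. The block encrypts a constructed config and decodes it back, the round trip a config extractor has to reproduce, and the RC4 core is the standard algorithm rather than the custom variant the reporting mentions.

```python
"""Added example: salted-RC4 config decryption with XOR-obfuscated C2 slots.

Illustrative layout only (assumed, not WaterBear's real format):
  blob = salt(8 bytes) || RC4(key = salt || static_key, body)
  body = 3 slots x 32 bytes; slot = XOR(c2_string, xor_key), NUL padded
"""
from typing import List

SALT_LEN = 8        # assumed
SLOT_COUNT = 3      # page: configuration supports up to three C2 addresses
SLOT_LEN = 32       # assumed


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric, so one routine encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def salted_rc4(static_key: bytes, salt: bytes, data: bytes) -> bytes:
    """Assumed 'salting': the per-sample salt is prepended to the static key,
    so the same static key yields a different keystream for every sample."""
    return rc4(salt + static_key, data)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, used for the per-slot C2 obfuscation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_config(c2s: List[str], xor_key: bytes) -> bytes:
    """Constructed plaintext config: each C2 goes into its own XOR-obfuscated slot."""
    if len(c2s) > SLOT_COUNT:
        raise ValueError("at most %d C2 addresses" % SLOT_COUNT)
    body = b""
    for idx in range(SLOT_COUNT):
        raw = c2s[idx].encode("ascii") if idx < len(c2s) else b""
        if len(raw) >= SLOT_LEN:
            raise ValueError("C2 string too long for slot")
        body += xor_bytes(raw.ljust(SLOT_LEN, b"\x00"), xor_key)
    return body


def parse_config(plain: bytes, xor_key: bytes) -> List[str]:
    """Walk the fixed slots, de-XOR each one, drop NUL padding and empty slots."""
    c2s = []
    for idx in range(SLOT_COUNT):
        slot = plain[idx * SLOT_LEN:(idx + 1) * SLOT_LEN]
        if len(slot) != SLOT_LEN:
            raise ValueError("truncated config")
        raw = xor_bytes(slot, xor_key).rstrip(b"\x00")
        if raw:
            c2s.append(raw.decode("ascii"))
    return c2s


def encrypt_config(static_key: bytes, salt: bytes, c2s: List[str], xor_key: bytes) -> bytes:
    """Produce a blob in the assumed layout (what the builder side would emit)."""
    return salt + salted_rc4(static_key, salt, build_config(c2s, xor_key))


def decrypt_config(blob: bytes, static_key: bytes, xor_key: bytes) -> List[str]:
    """What a config extractor does: peel the salt, derive the RC4 key, decode slots."""
    if len(blob) < SALT_LEN + SLOT_COUNT * SLOT_LEN:
        raise ValueError("blob too short")
    salt, body = blob[:SALT_LEN], blob[SALT_LEN:]
    return parse_config(salted_rc4(static_key, salt, body), xor_key)


# Constructed sample (not from any real sample). 192.168.11.2 is the private
# address the page cites; the second entry is a placeholder .invalid name.
STATIC_KEY = b"static-key-for-demo"              # assumed
XOR_KEY = bytes.fromhex("5a3c9ef1")               # assumed
SAMPLE_SALT = bytes.fromhex("0011223344556677")   # assumed
SAMPLE_C2S = ["192.168.11.2:443", "c2.example.invalid:8443"]
SAMPLE_BLOB = encrypt_config(STATIC_KEY, SAMPLE_SALT, SAMPLE_C2S, XOR_KEY)

if __name__ == "__main__":
    print(decrypt_config(SAMPLE_BLOB, STATIC_KEY, XOR_KEY))
```

The point of keeping the salt outside the ciphertext is what makes static-key recovery from one sample reusable across others: once the static key and the salting rule are known, every new sample's config falls out of its own salt, which is exactly the property an extractor wants. When adapting this to a real loader, the salt length, its position, the key-combination rule and the slot layout all have to be read from the decryption routine in the binary rather than assumed as here.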
Groups observed using it
2 distinct threat actors attributed by public researchers.
"...the agencies said they have observed multiple Cisco versions targeted with custom malware, including BendyBear, Bifrose, BTSDoor, FakeDead (a.k.a. TSCookie), Flagpro, FrontShell (FakeDead’s downloader module), IconDown, PLEAD, SpiderPig, SpiderSpring, SpiderStack and WaterBear."
"...including Waterbear, a malware entity that has had over 10 versions since 2009."
Techniques & procedures
30 distinct techniques documented for this family, grouped by tactic (the groupings below follow the page's own labels, which only partly match ATT&CK tactic names).
Resource Development
1 technique
A sophisticated hacking group tied to the government of China is exploiting routers in attacks on a variety of organizations... The group specifically targets “branch routers” — smaller appliances used at more remote branch offices to connect to a corporate headquarters.
Execution
2 techniques
Persistence
3 techniques
Threat actors and malware modify, create, delete, or store data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution. WaterBear loaders in particular have stored an encrypted downloader in the Registry and deleted specific Registry values to get a malicious DLL loaded.
Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network.
Privilege Escalation
2 techniques
Malware and threat actors inject shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, cmd.exe, lsass.exe, and browser processes. WaterBear's documented instance is injecting decrypted shellcode into the LanmanServer service, which runs inside an svchost.exe host process.
Stealth
11 techniques
Payloads, strings, configuration files, scripts, URLs, and binaries are obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families. For WaterBear the documented mechanisms are salted RC4 for loader decryption and C2 traffic, XOR-obfuscated C2 addresses in the configuration, and DPAPI (CryptUnprotectData) protection of Registry-stored downloaders.
“bypass antivirus software adding a large amount of padding with 0x00 around the beginning and end to avoid detection.”
Transmits payloads in modified RC4-encrypted chunks... Table 1 ... Payloads in modified RC4-encrypted chunks ... T1027.002: Obfuscated Files or Information: Software Packing
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
“Makes the patched executable that appears legitimate or benign to users and/or security tools”
Bisonal has deleted Registry keys to clean up its prior activity. FIN8 has deleted Registry keys during post compromise cleanup activities. SUNBURST also deleted previously-created Image File Execution Options (IFEO) Debugger registry values and registry keys related to HTTP proxy to clean up traces of its activity.
Malware and threat actors decode, decrypt, or deobfuscate payloads, strings, configuration data, commands, and C2 traffic before execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.' For WaterBear this is the salted RC4 decryption of the loader and downloader stages and the decryption of RC4-encrypted C2 exchanges.
During execution, the code employs byte randomization... using the host’s current time as a seed... ~65 calls to Windows API kernel32!GetTickCount... T1497.003: Time Based Evasion
Waterbear 'can hook the ZwOpenProcess and GetExtendedTcpTable APIs called by the process of a security product to hide PIDs and TCP records from detection.'
Defense Impairment
2 techniques
The evidence for both techniques is the Registry-modification behaviour and the BlackTech edge-device firmware modification already cited under Persistence.
Credential Access
1 technique
The evidence is the BlackTech edge-device firmware modification already cited under Persistence.
Discovery
8 techniques
Malware and threat actors query, enumerate, search, read, or check Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface." WaterBear's documented instance is querying HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\MTxOCI to check whether the OracleOcilib value exists.
“Downloaders check for internet connectivity on compromised systems.”
“Waterbear RAT lists network connections… by querying for information over the network.”
Malware and threat actors obtain lists of running processes using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs and commands. WaterBear checks for the presence of specific security software and, through its API hooks, hides its own PIDs from those products' process enumeration.
The shellcode begins by locating the target’s Process Environment Block (PEB) to check if it’s currently being debugged... This routine is performed 52 times... Table 1 ... T1082: System Information Discovery
“RAT searches files and directories or in specific locations.”
Command and Control
5 techniques
“Downloaders communicate with C&C by HTTP/HTTPS” and “Deuterbear downloader enables HTTPS tunnel”
The BendyBear sample was determined to be x64 shellcode for a stage-zero implant whose sole function is to download a more robust implant from a command and control (C2) server... Table 1 ... Payload transfer from remote host ... T1105: Ingress Tool Transfer
“Encodes traffic with a non-standard RC4 to make the content of traffic more difficult to detect”
“Employs a RC4/RSA to conceal command and control traffic” and “The downloader… generate an RSA… [then] RC4_KEY_1 and RC4_KEY_2… encrypted by RSA”
Obscures its connection protocol by connecting to the C2 server over a common port (443)... Table 1 ... Command and Control ... T1573.002: Encrypted Channel: Asymmetric Cryptography
Exfiltration
1 technique
Other
1 technique
Threat actors and malware disable or modify security tools, EDR/AV, logging, firewall rules, integrity checkers, and security settings; e.g., 'Agrius used several mechanisms to try to disable security tools' and 'BlackByte disabled security tools such as Windows Defender and the Raccine anti-ransomware tool during operations.' WaterBear's approach is subtler: it hooks ZwOpenProcess and GetExtendedTcpTable inside security products to hide its PIDs and TCP records rather than disabling the products outright, so the tooling keeps running and reporting, just with WaterBear's artifacts filtered out.
IOCs tracked for this family
8 indicators (network infrastructure and file hashes) attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
A complex backdoor/RAT ecosystem used by Earth Hundun/BlackTech, featuring loader+downloader stages, custom (salted) RC4 and/or CryptUnprotectData-based decryption flows, extensive anti-analysis (anti-debug/anti-sandbox/AV evasion, binary padding, anti-memory scanning), and a custom C2 protocol to retrieve a next-stage RAT with broad remote administration and file/process/service/registry capabilities.
BlackTech-linked custom malware used to maintain covert access and persistence in targeted networks.
Backdoor malware that injects decrypted shellcode into the LanmanServer service.
A multifaceted stage-2 implant family (active since ~2009) with capabilities including file transfer, shell access, and screen capture; associated with BlackTech. Variants are described as using modified RC4, authenticated C2, chunked payload handling, in-memory loading, and (in some variants) API hooking for evasion/process hiding/traffic filtering.