SyncFuture TSM
SyncFuture TSM (Terminal Security Management System) is a legitimate commercial remote monitoring and management / endpoint security product developed by Nanjing Zhongke Huasai Technology Co., Ltd in China and associated with SyncFutureTec Company Limited utilities. In the reported campaign, it was repurposed by attackers as an all-in-one espionage framework. eSentire reported its use in an ongoing multi-stage cyber-espionage operation targeting Indian users via phishing emails impersonating the Income Tax Department of India.

The infection chain used a malicious ZIP archive containing a visible executable, "Inspection Document Review.exe," to sideload a malicious DLL, perform anti-debugging checks, contact external infrastructure, download additional payloads, bypass UAC via a COM-based technique, and masquerade as explorer.exe by modifying the PEB. A later stage retrieved "180.exe" from eaxwwyr[.]cn and adapted behavior based on whether Avast Free Antivirus was present. If Avast was detected, a Blackmoon (KRBanker) variant automated GUI interaction to add attacker files to Avast exclusions, including C:\Windows\SysWOW64\msres\Setup.exe. "Setup.exe" was described as a SyncFutureTec Company Limited utility that wrote "mysetup.exe" to disk; "mysetup.exe" was assessed to be SyncFuture TSM.

Once deployed, the repurposed SyncFuture TSM provided persistent remote access, remote control of infected endpoints, user activity recording, monitoring, centralized logging/orchestration, and data exfiltration. Supporting components included MANC.exe for service orchestration and extensive logging, service-based persistence including SafeBoot registry modifications, and batch scripts that created custom directories, weakened ACLs by granting broad permissions, manipulated Desktop-folder permissions, and performed cleanup/restoration.
Reported infrastructure and configuration associated with the campaign included C2 endpoint 8.217.152[.]225:80 requesting /1bin, download domain eaxwwyr[.]cn, server IP 49.204.200[.]100 in YTSysConfig.ini, and a connection check to timecha[.]com:443. The campaign was described as suspected cyber espionage and had not been attributed to any known threat actor or group.
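As an added example (not code from eSentire's report or from this page), the following Python script turns the indicators above into a simple hunt over endpoint telemetry: DNS lookups of the download and connectivity-check domains, connections to the C2 and configuration-server IPs, execution of the named binaries and the Avast-exclusion path, SafeBoot registry writes, and ACL weakening. The key=value log format, the sample lines, the service name under SafeBoot, and the assumption that the ACL weakening was done with icacls are all constructed for this example; the indicators themselves are the ones listed above, refanged for matching.

```python
"""Hunt for SyncFuture TSM campaign indicators in endpoint telemetry (added example).

Indicators come from the campaign description; the key=value log format and
the sample lines below are constructed and are not real captures.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# --- Indicators reported for the campaign (refanged from the [.] form) ---
C2_HOST, C2_PORT, C2_URI = "8.217.152.225", "80", "/1bin"
DOWNLOAD_DOMAIN = "eaxwwyr.cn"                 # served 180.exe
CONFIG_SERVER_IP = "49.204.200.100"            # server IP in YTSysConfig.ini
CONNECTIVITY_CHECK_DOMAIN = "timecha.com"      # :443 connection check
PAYLOAD_NAMES = {"inspection document review.exe", "180.exe", "mysetup.exe", "manc.exe"}
EXCLUSION_PATH = r"c:\windows\syswow64\msres\setup.exe"  # path added to Avast exclusions

# Assumption: the batch scripts weakened ACLs with icacls. The page only says
# "granting broad permissions", so this is a generic broad-grant pattern.
ACL_GRANT_RE = re.compile(r"icacls .*/grant.*(everyone|users):\S*F", re.I)

# Constructed log format: space-separated key=value pairs, quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    severity: str
    rule: str
    line: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one telemetry line into a dict of fields."""
    return {k: q if q else u for k, q, u in KV_RE.findall(line)}


def check_event(ev: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (severity, rule) if the event matches a campaign indicator."""
    kind = ev.get("event")
    if kind == "dns":
        query = ev.get("query", "").lower()
        if query == DOWNLOAD_DOMAIN:
            return ("high", "payload_download_domain")
        if query == CONNECTIVITY_CHECK_DOMAIN:
            return ("low", "connectivity_check_domain")  # weak on its own; pivot from it
    elif kind == "netconn":
        if ev.get("dst") == C2_HOST and ev.get("dport") == C2_PORT:
            return ("high", "c2_beacon")  # the reported request path was C2_URI
        if ev.get("dst") == CONFIG_SERVER_IP:
            return ("high", "config_server_contact")
    elif kind == "process":
        image = ev.get("image", "").lower()
        name = image.rsplit("\\", 1)[-1]  # Windows path; split on backslash explicitly
        if name in PAYLOAD_NAMES or image == EXCLUSION_PATH:
            return ("high", "known_campaign_binary")
        if ACL_GRANT_RE.search(ev.get("cmdline", "")):
            return ("medium", "acl_weakening")
    elif kind == "registry":
        if "\\safeboot\\" in ev.get("key", "").lower() and ev.get("op") in {"create", "set"}:
            return ("medium", "safeboot_persistence")
    return None


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Run every rule over every line and collect the hits."""
    findings = []
    for line in lines:
        hit = check_event(parse_event(line))
        if hit:
            findings.append(Finding(hit[0], hit[1], line.strip()))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, for triage ordering."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample telemetry; the benign HTTPS line must not match anything.
SAMPLE_TELEMETRY = [
    'ts=1 host=WS01 event=process image="C:\\Users\\a\\Downloads\\Inspection Document Review.exe" cmdline=""',
    'ts=2 host=WS01 event=dns query=eaxwwyr.cn',
    'ts=3 host=WS01 event=netconn dst=8.217.152.225 dport=80 uri=/1bin',
    'ts=4 host=WS01 event=netconn dst=93.184.216.34 dport=443',
    'ts=5 host=WS01 event=process image="C:\\Windows\\System32\\cmd.exe" cmdline="icacls C:\\Windows\\SysWOW64\\msres /grant Everyone:(OI)(CI)F /T"',
    'ts=6 host=WS01 event=registry op=create key="HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\ExampleSvc"',
    'ts=7 host=WS01 event=dns query=timecha.com',
    'ts=8 host=WS01 event=process image="C:\\Windows\\SysWOW64\\msres\\Setup.exe" cmdline=""',
]

if __name__ == "__main__":
    results = hunt(SAMPLE_TELEMETRY)
    for f in results:
        print(f"[{f.severity:6}] {f.rule:28} {f.line}")
    print(summarize(results))
```

The single-indicator hits are worth correlating rather than alerting on individually: the connectivity check to timecha[.]com is low-value alone, but a host that resolves eaxwwyr[.]cn, then beacons to 8.217.152[.]225:80, then writes under SafeBoot is the chain described above.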
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Persistence: 1 technique
Privilege Escalation: 1 technique
Recent activity
3 sources tracked across advisories, community write-ups, and news.
A legitimate enterprise tool repurposed by attackers as an espionage framework to provide persistent access, monitoring, and data exfiltration capabilities.
A legitimate commercial remote monitoring/management tool repurposed as an espionage framework to provide persistent remote control, user activity monitoring/recording, centralized management, and data exfiltration from infected endpoints.
A legitimate commercial endpoint security/management platform repurposed as the final payload to provide resilient persistence and centralized surveillance/exfiltration capabilities (remote control/assistance, extensive auditing and screen recording, policy enforcement, and data movement controls).