
In a newly released report, Kaspersky’s Global Research and Analysis Team (GReAT) has revealed the resurgence of IronHusky, a Chinese-speaking APT group known for its espionage operations targeting Russia and Mongolia. Central to this campaign is a new, modular evolution of the MysterySnail RAT, an implant originally discovered during investigations into the CVE-2021-40449 zero-day.
“We discovered it back in 2021, when we were investigating the CVE-2021-40449 zero-day vulnerability,” the researchers explain. “At that time, we identified this backdoor as related to the IronHusky APT.”
Despite the group’s relative quiet since 2021, IronHusky appears to have never ceased operations. Kaspersky analysts recently observed new deployments of MysterySnail against government organizations in Mongolia and Russia, using cleverly disguised lures and sophisticated persistence techniques.
“The implant has been actively used in cyberattacks all these years although not reported.”
A particularly deceptive infection involved a malicious MMC script disguised as a document from Mongolia’s National Land Agency. This script downloaded a ZIP archive containing a legitimate DOCX file, a malicious DLL, and CiscoCollabHost.exe, which was configured for persistence and served as a vehicle for DLL sideloading.
At the heart of the attack chain was a previously unknown intermediary backdoor, delivered via the legitimate Cisco executable and a malicious CiscoSparkLauncher.dll. This DLL communicates with C2 infrastructure using the open-source piping-server project hosted at https://ppng.io, with anti-analysis evasion mechanisms involving encrypted API function mappings stored in an external file.
“It is likely that the attackers introduced this file to the backdoor as an anti-analysis measure.”
The backdoor supported a set of commands including RCOMM, FSEND, FRECV, FDELE, and FEXEC—used for shell execution, file transfer, and process creation.
The MysterySnail RAT itself has evolved into a modular architecture. The latest version relies on five additional DLL modules dynamically downloaded at runtime, each responsible for specific actions:
Module ID | DLL Name | Functionality |
---|---|---|
0 | BasicMod.dll | File operations, host fingerprinting |
1 | ExplorerMoudleDll.dll | Service management, file reading, processes |
2 | process.dll | Process listing and termination |
3 | cmd.dll | Shell commands and new process spawning |
4 | tcptran.dll | Network resource connections |
Notably, Kaspersky points out the persistent presence of a typo in one of the module names—ExplorerMoudleDll.dll—in both the 2021 and 2025 samples, suggesting codebase continuity.
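As an added illustration (not code from Kaspersky's report), the following Python triage routine applies the indicators described above to constructed endpoint telemetry: the Cisco host executable loading CiscoSparkLauncher.dll from a user-writable path, a MysterySnail module name such as ExplorerMoudleDll.dll being loaded, and connections to the ppng.io piping server. The key=value log format, the trusted-path prefixes and the sample events are assumptions made for the example.

```python
import re

# Indicators named in the reporting above: the sideloading pair, the five module names (note the misspelling) and the C2 relay host.
SIDELOAD_HOST = "ciscocollabhost.exe"
SIDELOAD_DLL = "ciscosparklauncher.dll"
MODULE_DLLS = {"basicmod.dll", "explorermoudledll.dll", "process.dll",
               "cmd.dll", "tcptran.dll"}
C2_DOMAIN = "ppng.io"

# Assumption: legitimately installed binaries live under these prefixes; the same exe loading DLLs from a user-writable directory is the suspicious case.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Constructed sample telemetry in a simple key=value form (not real Sysmon output).
SAMPLE_LOG = """\
event=ImageLoad image=C:\\Program Files\\Cisco Spark\\CiscoCollabHost.exe loaded=C:\\Program Files\\Cisco Spark\\CiscoSparkLauncher.dll
event=ImageLoad image=C:\\Users\\u\\AppData\\Roaming\\Land\\CiscoCollabHost.exe loaded=C:\\Users\\u\\AppData\\Roaming\\Land\\CiscoSparkLauncher.dll
event=ImageLoad image=C:\\Users\\u\\AppData\\Roaming\\Land\\CiscoCollabHost.exe loaded=C:\\Users\\u\\AppData\\Local\\Temp\\ExplorerMoudleDll.dll
event=ImageLoad image=C:\\Windows\\System32\\svchost.exe loaded=C:\\Windows\\System32\\cmd.dll
event=NetworkConnect image=C:\\Users\\u\\AppData\\Roaming\\Land\\CiscoCollabHost.exe dest=ppng.io:443
event=NetworkConnect image=C:\\Program Files\\Mozilla Firefox\\firefox.exe dest=example.org:443
"""

def parse_line(line):
    """Split 'key=value key=value ...' where values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyze(log_text):
    """Return (line_number, rule) pairs for events matching the IronHusky chain."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), 1):
        ev = parse_line(line)
        image = ev.get("image", "")
        trusted = image.lower().startswith(TRUSTED_PREFIXES)
        if ev.get("event") == "ImageLoad":
            loaded = basename(ev.get("loaded", ""))
            # Rule 1: the Cisco host exe sideloading CiscoSparkLauncher.dll outside its install directory.
            if basename(image) == SIDELOAD_HOST and loaded == SIDELOAD_DLL and not trusted:
                hits.append((no, "cisco_dll_sideload"))
            # Rule 2: a MysterySnail module name loaded by a process outside trusted paths; the location gate keeps generic names like cmd.dll from firing alone.
            if loaded in MODULE_DLLS and not trusted:
                hits.append((no, "mysterysnail_module_load"))
        elif ev.get("event") == "NetworkConnect":
            host = ev.get("dest", "").rsplit(":", 1)[0].lower()
            # Rule 3: any process talking to the public piping-server used as the C2 relay.
            if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
                hits.append((no, "piping_server_c2"))
    return hits
```

Running `analyze(SAMPLE_LOG)` flags lines 2, 3 and 5 while leaving the legitimate Program Files load and the unrelated browser connection untouched.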
“This transition to a modular architecture isn’t something new – as we have seen modular versions of the MysterySnail RAT deployed as early as 2021.”
Shortly after blocking recent MysterySnail infections, Kaspersky identified a repurposed version named MysteryMonoSnail. Unlike its modular counterpart, this version comprises a single component and uses WebSocket instead of HTTP for C2 communication.
Though lighter, MysteryMonoSnail retains core RAT features, supporting 13 commands for directory browsing, file writing, and shell access.