Chinese APT17 Group Targets Italian Companies and Govt Entities with Malware

Published on July 18, 2024
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer
Edited by:
Novak Bozovic
Novak Bozovic
Tech & VPN Content Specialist

A China-linked threat actor called APT17 was seen targeting Italian companies and government entities with a variant of the 9002 RAT malware, aka Hydraq and McRAT, in diskless mode. The RAT was distributed via an email campaign using malicious URLs in the email body or attached MS Office documents.

The first targeted attack occurred on June 24, and the second on July 2, 2024. Both campaigns downloaded a seemingly legit, customized Microsoft Software Installer (MSI) package for Skype for Business via a link. The malicious URL led to an attacker-controlled domain that impersonated an Italian government website.

The custom MSI installed the basic Skype app and executed a Java app via a VBS script that contained a shellcode encrypted with RC4, which decompressed and executed the Remote Access Trojan (RAT).

Skype for Business Malware Propagation
Image Source: TG Soft

9002 RAT then communicates with the attacker’s command and control server (C2) hosted on a domain that simulates a Microsoft domain, shows network discovery abilities, performs proxy functions to monitor network traffic, downloads additional diskless plugins that can add various features to the malware.

The variant of RAT 9002 analyzed contains an old value indicator, which shows that it continues to be actively developed in 2024.

9002 RAT Propagation
Image Source: TG Soft

RAT 9002 and other variants named RAT 3102 are notoriously linked to APT17, which was linked to Operations DeputyDog and Ephemeral Hydra due to exploiting zero-days Microsoft's Internet Explorer and targeting Japan and other countries.

The Chinese APT17 cyber-criminal group – also dubbed Aurora Panda, Bronze Keystone, Dogfish, Elderwood, Helium, Hidden Lynx, and TEMP.Avengers – is known for targeted attacks on companies and government entities.

RATs were lately seen distributed via various pirated software, including cracked versions of legitimate programs Microsoft Office and Windows downloaded from torrent websites.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: