Stealthy WailingCrab Malware misuses MQTT Messaging Protocol

WailingCrab is a multi-stage malware family whose loader, injector and downloader decrypt and inject successive payloads to establish a backdoor, with C2 traffic carried over MQTT through a public third-party broker so that the command channel blends into ordinary messaging traffic. The newer variant moves away from Discord-hosted payloads and uses client-specific MQTT topics for stealth, and it persists through DLL hijacking and a registry Run key. hashtags #WailingCrab #MQTT #brokeremqxio #DiscordCDN

Keypoints

  • WailingCrab consists of a loader, an injector, and a downloader that together load and deploy a backdoor.
  • The loader uses a legitimate DLL (e.g., BingMaps.dll), patches an exported function, and runs the second stage in a new thread.

MITRE Techniques

  • [T1574.002] Hijack Execution Flow – DLL Hijacking (the ATT&CK name for this sub-technique ID is DLL Side-Loading) – The loader loads a legitimate Windows DLL such as BingMaps.dll and overwrites the code of one of its exported functions with WailingCrab’s second-stage shellcode, then runs it in a new thread. Because the patch is applied to the loaded module rather than to the file on disk, hunting for it relies on memory scanning (executable pages of a loaded module that differ from its on-disk image), not on file hashes. “the malware first loads a legitimate Windows DLL, such as BingMaps.dll, and then overwrites the code for one of the DLL’s exported functions with WailingCrab’s second-stage shellcode.”
  • [T1055] Process Injection – The injector locates a running explorer.exe, opens it, allocates memory in it, decrypts the third-stage payload with XOR, writes it and starts a new thread in the target process. Note that the report’s label of T1055.012 denotes Process Hollowing; the behaviour described here, allocating memory and starting a remote thread in an already running process, is classic remote-thread shellcode injection under the parent technique. “The Injector component starts by looping through the currently running processes… opens it and allocates memory… creates a new thread within the target process.”
  • [T1027] Obfuscated Files or Information – The third-stage payload is stored XOR-encrypted and decrypted by the injector at runtime; the decoding step itself maps to T1140 Deobfuscate/Decode Files or Information (T1027.001 is Binary Padding, a different sub-technique). “decrypts its third-stage component using XOR”
  • [T1132.001] Data Encoding – Standard Encoding – The registration data (system information gathered by the downloader/backdoor) is base64 encoded and carried in the Cookie header of the HTTP registration request to the C2, so a proxy log of the request shows a long base64 Cookie value rather than a normal session cookie. “This string is then base64 encoded and added to the Cookie field in the HTTP registration request sent to the C2.”
  • [T1071] Application Layer Protocol – C2 communication between the backdoor and its operator uses MQTT, a publish/subscribe application-layer protocol over TCP (standard ports 1883, or 8883 over TLS), via the public broker broker.emqx.io. T1095 does not fit, since that technique covers non-application-layer protocols such as raw ICMP or UDP; ATT&CK’s Publish/Subscribe Protocols sub-technique (T1071.005) names MQTT specifically, and relaying C2 through a public broker also matches T1102.002 Web Service: Bidirectional Communication. “Communication between the WailingCrab backdoor component and the C2 is performed using the MQTT protocol.”
  • [T1547.001] Registry Run Keys/Startup Folder – Persistence by creating a Run key and pointing to the copied executable. “persistence by creating a randomly named subkey under the registry Run key.”
  • [T1082] System Information Discovery – The backdoor gathers domain, hostname, username, language, and system time before contacting C2. “gathers basic system information including domain, hostname, username, language and system time.”
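To make the MQTT channel concrete, the following added example (written for this page; it is not code from the X-Force report or from WailingCrab itself) encodes and decodes MQTT 3.1.1 CONNECT, SUBSCRIBE and PUBLISH packets and runs a simple triage rule over a reassembled client-to-broker stream: it flags sessions to a public broker and topics that embed the client identifier or a long random-looking segment, which is what a per-client topic scheme looks like on the wire. The sample session, the PUBLIC_BROKERS list and the topic heuristics are assumptions; the report only states that MQTT over broker.emqx.io is used with client-specific topics.

```python
import re
import struct
from dataclasses import dataclass

# MQTT 3.1.1 control packet types (high nibble of the first header byte)
CONNECT, PUBLISH, SUBSCRIBE = 1, 3, 8

# Public brokers treated as suspicious egress from a managed host. broker.emqx.io is the one
# named in the report; the assumption is that the fleet has no legitimate reason to reach them.
PUBLIC_BROKERS = {"broker.emqx.io"}


@dataclass
class MqttEvent:
    kind: str              # "CONNECT", "SUBSCRIBE", "PUBLISH" or "TYPEn" for anything else
    client_id: str = ""    # CONNECT only
    topic: str = ""        # SUBSCRIBE / PUBLISH
    payload: bytes = b""   # PUBLISH only


def _remaining_length(n: int) -> bytes:
    """Encode the MQTT 'remaining length' field: 7 bits per byte, 0x80 means 'more bytes'."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append((byte | 0x80) if n else byte)
        if not n:
            return bytes(out)


def _utf8(s: str) -> bytes:
    """MQTT string: 2-byte big-endian length prefix followed by the UTF-8 bytes."""
    b = s.encode("utf-8")
    return struct.pack("!H", len(b)) + b


def build_connect(client_id: str, keepalive: int = 60) -> bytes:
    # Variable header: protocol name, protocol level 4, connect flags (clean session), keep-alive
    body = _utf8("MQTT") + bytes([4, 0x02]) + struct.pack("!H", keepalive) + _utf8(client_id)
    return bytes([CONNECT << 4]) + _remaining_length(len(body)) + body


def build_subscribe(packet_id: int, topic: str, qos: int = 0) -> bytes:
    body = struct.pack("!H", packet_id) + _utf8(topic) + bytes([qos])
    return bytes([(SUBSCRIBE << 4) | 0x02]) + _remaining_length(len(body)) + body  # flags fixed at 0b0010


def build_publish(topic: str, payload: bytes, qos: int = 0, packet_id: int = 1) -> bytes:
    body = _utf8(topic) + (struct.pack("!H", packet_id) if qos else b"") + payload
    return bytes([(PUBLISH << 4) | (qos << 1)]) + _remaining_length(len(body)) + body


def _read_remaining_length(buf: bytes, pos: int):
    value, mult = 0, 1
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos
        mult *= 128
        if mult > 128 ** 3:          # the spec allows at most four length bytes
            raise ValueError("malformed remaining length")


def _read_utf8(buf: bytes, pos: int):
    (n,) = struct.unpack_from("!H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def parse_stream(data: bytes) -> list:
    """Walk the client->broker half of a reassembled TCP stream and return the packets as events."""
    events, pos = [], 0
    while pos < len(data):
        ptype, flags = data[pos] >> 4, data[pos] & 0x0F
        length, start = _read_remaining_length(data, pos + 1)
        body = data[start:start + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        pos = start + length
        if ptype == CONNECT:
            _, p = _read_utf8(body, 0)          # protocol name
            p += 4                               # level, connect flags, keep-alive
            cid, _ = _read_utf8(body, p)         # first payload field is the client identifier
            events.append(MqttEvent("CONNECT", client_id=cid))
        elif ptype == SUBSCRIBE:
            p = 2                                # skip packet identifier
            while p < len(body):
                topic, p = _read_utf8(body, p)
                p += 1                           # requested QoS byte
                events.append(MqttEvent("SUBSCRIBE", topic=topic))
        elif ptype == PUBLISH:
            topic, p = _read_utf8(body, 0)
            if (flags >> 1) & 0x03:              # QoS 1 and 2 carry a packet identifier
                p += 2
            events.append(MqttEvent("PUBLISH", topic=topic, payload=body[p:]))
        else:
            events.append(MqttEvent(f"TYPE{ptype}"))
    return events


# Heuristic for a machine-generated topic segment (assumption, not taken from the report)
_RANDOM_SEGMENT = re.compile(r"[0-9a-f]{16,}|[A-Za-z0-9]{24,}")


def suspicious_mqtt(dst_host: str, events: list) -> list:
    """Triage one MQTT session; returns the reasons it looks like a per-client C2 channel."""
    findings = []
    if dst_host in PUBLIC_BROKERS:
        findings.append(f"session to public broker {dst_host}")
    client_id = next((e.client_id for e in events if e.kind == "CONNECT"), "")
    for e in events:
        if e.kind not in ("SUBSCRIBE", "PUBLISH"):
            continue
        segments = e.topic.split("/")
        if (client_id and client_id in segments) or any(_RANDOM_SEGMENT.fullmatch(s) for s in segments):
            findings.append(f"{e.kind} on client-specific topic {e.topic!r}")
    return findings


# Constructed sample session (not a real capture): a bot registers with a 16-hex-character client
# id, subscribes to its own command topic and publishes a result on its own output topic.
BOT_ID = "a1b2c3d4e5f60718"
SAMPLE_SESSION = (
    build_connect(BOT_ID)
    + build_subscribe(1, f"{BOT_ID}/cmd")
    + build_publish(f"{BOT_ID}/out", b"ok", qos=1, packet_id=2)
)

if __name__ == "__main__":
    for finding in suspicious_mqtt("broker.emqx.io", parse_stream(SAMPLE_SESSION)):
        print("ALERT:", finding)
```

The parser expects the client-to-broker direction only, as produced by a stream reassembler; when the implant uses MQTT over TLS on 8883 the topics are no longer visible, and the broker-domain rule (destination host in PUBLIC_BROKERS) is the one check that still works, which is why the report’s broker.emqx.io indicator matters more than any topic pattern.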

Indicators of Compromise

  • [Hash] MD5 24c5f4868dc5af255edbb993d98de51a, f6ea7ec5d94bc65bf82a6b42b57a6c82, and 2 more hashes – first-stage WailingCrab loaders.
  • [Domain] broker.emqx.io – MQTT broker used for C2 communications.
  • [URL] https://www.wikipedia.org/ – used in prior anti-sandbox checks (older variant).
  • [URL] https://cdn.discordapp.com/attachments/ – previously used to host payloads (Discord CDN).
  • [File] BingMaps.dll – legitimate Windows DLL loaded by the loader and patched in memory to run the second stage. It is context for detection, not an indicator to block: its presence on disk is normal.
  • [File] ntdll.dll – legitimate system DLL involved in API function hooking (RtlWow64GetCurrentMachine); likewise not blockable on its own.
  • [File] explorer.exe – legitimate process used as the injection target by the injector/loader/delivery stages; look for a new remote thread and unbacked executable memory in it rather than for the binary.
  • [File] printfilterpipelinesvc.exe – renamed file involved in the DLL-hijacking persistence path.
  • [Mutex] 823264 – mutex used to prevent multiple instances of the downloader/backdoor.
  • [Registry] Run key – registry persistence mechanism for startup execution.

Read more: https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/