No rest for the wicked: HiatusRAT takes little time off in a return to action – Lumen

Lumen Black Lotus Labs observed a renewed HiatusRAT campaign (mid‑June–August 2023) in which the actor recompiled binaries for multiple CPU architectures and hosted payloads on shifting VPS infrastructure. Telemetry linked the campaign to heavy targeting of Taiwan (notably Ruckus edge devices) and identified upstream Tier‑2 servers that also connected to a U.S. military procurement server, suggesting reconnaissance of Defense Industrial Base resources. #HiatusRAT #BlackLotusLabs

Key points

  • HiatusRAT samples were recompiled for additional architectures including Arm, Intel 80386, and x86-64, in addition to previously observed MIPS/MIPS64/i386 builds.
  • Payload hosting shifted from VPS 207.246.80[.]240 (June–July) to 107.189.11[.]105 (starting August), while the actor reused the same heartbeat and upload servers to link new samples to prior campaigns.
  • Over 91% of inbound connections to the payload host originated from Taiwan, with a preference for Ruckus-manufactured edge devices and victims across semiconductor, chemical, and municipal organizations.
  • Researchers identified upstream (Tier‑2) infrastructure including 101.39.202[.]142 (PRC) and U.S. VPSs 45.63.70[.]57, 155.138.213[.]169, and 66.135.22[.]245 that manage tier‑1 servers.
  • Observed data exfiltration included >11 MB of bi‑directional data exchanged with a U.S. military procurement server over ~2 hours, with discrete short sessions from different VPS nodes.
  • Black Lotus Labs mapped samples to the HiatusRAT cluster via shared C2 heartbeat/upload behavior and added IoCs to their threat intelligence feed for monitoring and detection.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used edge/networking devices as an attack surface to gain access (‘leveraged edge routers, or “living on the edge” access, to passively collect traffic’)
  • [T1104] Command and Control: Multi-Stage Channels – Employed tiered servers (Tier‑1 and upstream Tier‑2) to manage payloads and C2 (‘searched through our global telemetry to search for upstream, or Tier 2, servers that appear to operate and manage tier 1 servers’)
  • [T1016] Discovery: System Network Configuration Discovery – Performed network enumeration to identify device types and interfaces (observed preference for specific vendor devices; ‘preference for Ruckus-manufactured edge devices’)
  • [T1082] Discovery: System Information Discovery – Collected host details such as hostname, processes, and hardware configuration (‘collection of details such as the machine’s hostname, running processes, and hardware configuration’)
  • [T1018] Discovery: Remote System Discovery – Enumerated connected systems and MAC addresses to map adjacent devices (‘enumeration of connected machines and their MAC addresses’)
  • [T1210] Lateral Movement: Exploitation of Remote Services – Potential lateral movement into adjacent networks after escaping container boundaries (‘move laterally into adjacent networks after escaping the container environment’)
  • [T1204] Execution: User Execution – Deployed HiatusRAT against web-facing container applications implying execution via exposed services (‘deployment of HiatusRAT against web-facing container applications implies the use of this technique’)
  • [T1068] Privilege Escalation: Exploitation for Privilege Escalation – Used kernel vulnerability (eBPF) exploitation to escalate privileges on Linux hosts (‘the exploitation of the eBPF vulnerability in the Linux kernel for privilege escalation’)
  • [T1070] Defense Evasion: Indicator Removal on Host – Removed traces to hinder detection and forensic recovery (‘actions to remove traces of its presence from the infected systems’)
  • [T1105] Command and Control: Ingress Tool Transfer – Downloaded additional payloads/modules from hosting servers for expanded capabilities (‘the downloading of additional payloads and modules for further exploitation and command and control activities’)

Indicators of Compromise

  • [IP Address] payload/C2 hosting and upstream management – 207.246.80[.]240, 107.189.11[.]105, 101.39.202[.]142, 45.63.70[.]57, 155.138.213[.]169, 66.135.22[.]245
  • [Sample Architectures] compiled malware targets – Arm, Intel 80386, x86-64, and previously MIPS, MIPS64, i386

Starting in mid‑June 2023, Black Lotus Labs identified multiple newly compiled HiatusRAT binaries and associated hosting changes. Researchers linked the new samples to the existing HiatusRAT cluster by matching heartbeat and upload server behavior; payload hosting shifted from VPS 207.246.80[.]240 (June–July) to 107.189.11[.]105 (August), while the actor recompiled payloads for a broader set of CPU architectures (Arm, Intel 80386, x86-64 in addition to MIPS/MIPS64/i386).

Telemetry analysis focused on connections to the identified payload hosts: over 91% of inbound connections originated from Taiwan and showed a preference for Ruckus edge devices, affecting semiconductor, chemical, and municipal targets. Investigators enumerated upstream Tier‑2 nodes (101.39.202[.]142 in the PRC and U.S. VPSs 45.63.70[.]57, 155.138.213[.]169, 66.135.22[.]245) that orchestrated tier‑1 servers. Researchers also observed staging behavior and data transfers to a U.S. military procurement server (≈11 MB bi‑directional across ~2 hours, with discrete sessions: a short five‑minute session from 207.246.80[.]240 followed ~10 minutes later by a 90‑minute session from 45.63.70[.]57).

For detection and tracking, the procedure combined: (1) searching global telemetry for connections to known payload‑hosting IPs; (2) correlating sample builds and C2 heartbeat/upload patterns to tie new binaries to the activity cluster; (3) identifying and mapping upstream Tier‑2 infrastructure that manages tier‑1 nodes; and (4) monitoring geographic and device‑type connection patterns (e.g., Taiwan, Ruckus devices) and unusual data transfers to sensitive web resources. Black Lotus Labs incorporated the campaign IoCs into their threat feed to support detection and recommended vigilant monitoring of edge network devices and connections to the listed IPs.
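As an added example (not code from the Lumen post), the script below applies steps (1) and (4) of that procedure to constructed flow records: it refangs the six published IoC addresses, flags any flow touching them in either direction, and singles out the long, high-volume sessions that resemble the ~2-hour, >11 MB exchange described above. The flow format, thresholds and sample records are assumptions.

```python
# Added detection example; the IoC strings come from the post, everything else is constructed.
import ipaddress
from collections import defaultdict

# Published HiatusRAT infrastructure, kept defanged as in the report.
HIATUS_IOCS = {
    "207.246.80[.]240": "payload host (Jun-Jul 2023)",
    "107.189.11[.]105": "payload host (Aug 2023)",
    "101.39.202[.]142": "tier-2 (PRC)",
    "45.63.70[.]57": "tier-2 (US VPS)",
    "155.138.213[.]169": "tier-2 (US VPS)",
    "66.135.22[.]245": "tier-2 (US VPS)",
}

def refang(ioc: str) -> str:
    """Turn a defanged IoC such as 1.2.3[.]4 into a validated address string."""
    return ipaddress.ip_address(ioc.replace("[.]", ".")).compressed

IOC_INDEX = {refang(k): v for k, v in HIATUS_IOCS.items()}

# Constructed flow records (assumed format): timestamp src dst bytes_out bytes_in duration_s
SAMPLE_FLOWS = """\
2023-08-14T09:00:01Z 10.20.30.40 107.189.11.105 1200 48000 4
2023-08-14T09:02:10Z 10.20.30.41 93.184.216.34 800 2100 1
2023-08-14T09:05:00Z 10.20.30.40 45.63.70.57 5600000 5500000 5400
2023-08-14T09:07:30Z 10.20.30.42 155.138.213.169 300 300 2
"""

def match_flows(log_text: str):
    """Return (ts, src, dst, role, total_bytes, duration_s) for flows touching an IoC."""
    hits = []
    for line in log_text.splitlines():
        ts, src, dst, b_out, b_in, dur = line.split()
        role = IOC_INDEX.get(dst) or IOC_INDEX.get(src)  # match either direction
        if role:
            hits.append((ts, src, dst, role, int(b_out) + int(b_in), int(dur)))
    return hits

def summarise(hits, min_bytes=1_000_000, min_seconds=600):
    """Group IoC hits per internal host and flag long, high-volume sessions."""
    per_host = defaultdict(list)
    for ts, src, dst, role, total, dur in hits:
        per_host[src].append((dst, role, total, dur))
    flagged = [(src, dst, role) for src, rows in per_host.items()
               for dst, role, total, dur in rows
               if total >= min_bytes and dur >= min_seconds]
    return per_host, flagged

if __name__ == "__main__":
    hosts, flagged = summarise(match_flows(SAMPLE_FLOWS))
    for src, rows in hosts.items():
        print(src, "->", [(dst, role) for dst, role, _, _ in rows])
    print("long/high-volume sessions:", flagged)
```

Every IoC contact is worth a ticket; the flagged list only prioritises the sessions whose size and duration match the staging behaviour the researchers observed.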

Read more: https://blog.lumen.com/hiatusrat-takes-little-time-off-in-a-return-to-action/?utm_source=rss&utm_medium=rss&utm_campaign=hiatusrat-takes-little-time-off-in-a-return-to-action