• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 

U.S. CISA urges to immediately patch Microsoft SharePoint flaw adding it to its Known Exploited Vulnerabilities catalog

 | 

Microsoft issues emergency patches for SharePoint zero-days exploited in "ToolShell" attacks

 | 

SharePoint zero-day CVE-2025-53770 actively exploited in the wild

 | 

Singapore warns China-linked group UNC3886 targets its critical infrastructure

 | 

U.S. CISA adds Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 54

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • Malware
  • Manjusaka, a new attack tool similar to Sliver and Cobalt Strike

Manjusaka, a new attack tool similar to Sliver and Cobalt Strike

Pierluigi Paganini August 03, 2022

Researchers spotted a Chinese threat actors using a new offensive framework called Manjusaka which is similar to Cobalt Strike.

Talos researchers observed a Chinese threat actor using a new offensive framework called Manjusaka (which can be translated to “cow flower” from the Simplified Chinese writing) that is similar to Sliver and Cobalt Strike tools.

The attack framework is advertised as an imitation of the Cobalt Strike framework, the experts reported that the implants for the new malware family are written in the Rust language for Windows and Linux.

The experts uncovered a campaign using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. The weaponized documents were crafted to start the infection process and led to the installation of Cobalt Strike beacons on infected systems.

“A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors.” reads the analysis published by Cisco Talos. “We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.”

The researchers believe that the Manjusaka tool has the potential to become a popular post-exploitation tool like Slive and Cobal Strike.

The researchers states that malware implant is a RAT family called “Manjusaka,” while the C2 is an ELF binary written in GoLang available on GitHub at “hxxps://github[.]com/YDHCUI/manjusaka.” The C2 server and admin panel are built on the Gin Web Framework which allows operators to issue commands to the Rust-based implants/stagers. The implants support multiple capabilities, including executing arbitrary commands on the infected systems. Below is the full list of supported features:

  • Execute arbitrary commands
  • Get file information for a specified file: Creation and last write times, size, volume serial number and file index.
  • Get information about the current network connections (TCP and UDP) established on the system, including Local network addresses, remote addresses and owning Process IDs (PIDs).
  • Collect browser credentials: Specifically for Chromium-based browsers using the query: SELECT signon_realm, username_value, password_value FROM logins ; Browsers targeted: Google Chrome, Chrome Beta, Microsoft Edge, 360 (Qihoo), QQ Browser (Tencent), Opera, Brave and Vivaldi.
  • Collect Wi-Fi SSID information, including passwords using the command: netsh wlan show profile <WIFI_NAME> key=clear
  • Obtain Premiumsoft Navicat credentials
  • Take screenshots of the current desktop.
  • Obtain comprehensive system information from the endpoint
  • Activate the file management module to carry out file-related activities

The experts discovered both EXE and ELF versions of the implant.

Manjusaka tool

The attribution of this campaign to Chinese threat actors is based on the following evidence:

  • the maldoc refers to a COVID-19 outbreak in Golmud City.
  • the Rust-based implant does not use the standard crates.io library repository for the dependency resolving. Instead, it was manually configured by the developers to use the mirror located at the University Science and Technology of China (ustc[.]edu[.]cn).
  • the C2 menus and options are all written in Simplified Chinese.
  • our OSINT suggests that the author of this framework is located in the GuangDong region of China.

“The availability of the Manjusaka offensive framework is an indication of the popularity of widely available offensive technologies with both crimeware and APT operators. This new attack framework contains all the features that one would expect from an implant, however, it is written in the most modern and portable programming languages.” concluded the analysis. “The developer of the framework can easily integrate new target platforms like MacOSX or more exotic flavors of Linux as the ones running on embedded devices. The fact that the developer made a fully functional version of the C2 available increases the chances of wider adoption of this framework by malicious actors.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Manjusaka)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

China Cobalt Strike hacking news information security news IT Information Security malware Manjusaka Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini July 24, 2025
Coyote malware is first-ever malware abusing Windows UI Automation
Read more
Pierluigi Paganini July 24, 2025
SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Coyote malware is first-ever malware abusing Windows UI Automation

    Malware / July 24, 2025

    SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

    Security / July 24, 2025

    DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

    Security / July 24, 2025

    Stealth backdoor found in WordPress mu-Plugins folder

    Malware / July 24, 2025

    U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

    Hacking / July 24, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT