FatalRAT Phishing Attacks Target APAC Industries Utilizing Chinese Cloud Services


Executive Summary

Kaspersky ICS CERT has identified SalmonSlalom, a sophisticated cyber campaign targeting industrial organizations in the Asia-Pacific (APAC) region. The attack employs a multi-stage payload delivery system, utilizing legitimate Chinese cloud services such as Youdao Cloud Notes and myqcloud for hosting and command-and-control operations. The malware framework delivers FatalRAT, a remote access trojan (RAT), through phishing emails, WeChat, and Telegram disguised as tax documents or invoices. The malware evades detection using encryption, DLL sideloading, and dynamic infrastructure modifications. While the attackers remain unidentified, indicators suggest a Chinese-speaking threat actor is behind the campaign.

Community Impact

The retail and hospitality sectors in the APAC region could be significantly impacted by this targeted cyber campaign. Many businesses in these industries rely on third-party software providers, making them vulnerable to supply chain attacks or phishing scams disguised as legitimate business communications. The attack’s use of compromised cloud services and stolen credentials could lead to data breaches, financial fraud, or operational disruptions in retail POS systems and online booking platforms. RH-ISAC Core Member Organizations should ingest the intelligence included in this report, the original Fortinet report, linked above, and review and ingest the provided Indicators of Compromise, included below.

Technical Analysis

The SalmonSlalom campaign uses multi-layered malware delivery tactics to infiltrate industrial and government systems across APAC. The attack chain includes:

  1. Initial infection via phishing emails, WeChat, or Telegram delivering malicious zip files.
  2. First-stage loaders packed with UPX, AsPacker, or NSPack, which fetch configuration data from Youdao Cloud Notes to download additional malware.
  3. DLL sideloading using legitimate Chinese software like DriverAssistant to execute FatalRAT while evading detection.
  4. Persistence mechanisms, including Windows Group Policy manipulation and keylogging for credential theft.

FatalRAT allows attackers to steal data, manipulate devices, exfiltrate credentials, and maintain persistent remote access. Given its capabilities to spread across networks and deploy additional malware, organizations must implement network monitoring, endpoint detection, and employee training to defend against these evolving threats.

Recommendations

Kaspersky has recommended the following suggestions to combat SalmonSlalom attack campaigns:

  1. Enable two-factor authentication for logging in to administration consoles and web interfaces of security solutions. In the Kaspersky Security Center, for example, this can be done by following instructions.
  2. Install up-to-date versions of centrally managed security solutions on all systems and update antivirus databases and program modules on a regular basis.
  3. Check that all security solutions components are enabled on all systems and that active policies prohibit disabling protection and terminating or removing solutions components without entering the administrator password.
  4. Check that security solutions receive up-to-date threat information from the Kaspersky Security Network on those groups of systems on which using cloud security services is not forbidden by laws or regulations.
  5. Check that license keys of security solutions have been distributed to all devices and that periodical system scanning tasks have been created for all device groups.
  6. Update operating systems and applications to versions currently supported by the vendors. Install the latest security updates (patches) for operating systems and applications.
  7. Implement the following correlation rules into the SIEM system:
    • New services created on Windows-based systems.
    • The appearance of new applications in startup, in particular, monitoring the values of the Run registry keys.
    • The appearance of new Logon Scripts on Windows-based systems.
    • Logins of domain accounts to systems they have not logged into before.
    • Windows Event Logs clearing.
    • Security solutions shut down.
    • Password brute force (multiple unsuccessful login attempts).
    • Port scanning of systems inside enterprise network, as well as attempts to detect network shared folders.
    • Attempts to communicate over non-standard ports for known protocols, such as TCP port 82 for HTTP requests.
  8. Check that Active Directory policies include restrictions on user attempts to log in to the system. Users should be allowed to log in only to those systems accessing which is required for them to perform their job responsibilities.
  9. Utilize EDR/XDR/MDR solutions for establishing a baseline regarding the most commonly observed grandparent-parent-child process relationship in OT environments. This highly recommended advice stems from our observation that a legitimate function of the binary “pureplayer” was exploited to execute the subsequent staged payload.
  10. Train employees of the enterprise to work securely with the internet, email, messengers and other communication channels. Specifically, explain the possible consequences of downloading and launching files from unverified sources. Make an emphasis on phishing email control, as well as secure practices related to working with archives.
  11. Configure filtration of content sent via email and set up multitier filtration of incoming email traffic. Consider using sandbox solutions designed to automatically test attachments in inbound email traffic; make sure your sandbox solution is configured not to skip emails from “trusted” sources, including partner and contact organizations.
  12. Implement application whitelisting solutions to allow only approved and digitally signed applications to run on your network. It would mitigate the risk of DLL sideloading techniques commonly exploited by threat actors.
  13. Establish the following password complexity requirements in Active Directory group policies:
    • Password length: at least 10 characters for unprivileged accounts and 16 characters for privileged accounts.
    • A password should contain uppercase letters, lowercase letters, digits, and special characters:
      (! @ # $ % ^ & * ( ) - _ + = ~ [ ] { } | \ : ; ' " < > , . ? /)
    • A password should not contain dictionary words or the user’s personal data that could be used to crack the password, such as:
      • the user’s name(s), telephone numbers, memorable dates (birthdays, etc.);
      • characters located sequentially on the keyboard (“12345678”, “QWERTY”, etc.);
      • common abbreviations and terms (“USER”, “TEST”, “ADMIN”, etc.).
  14. Prohibit storing and sending passwords in plain text; use dedicated password management software to store and transfer passwords.
  15. Implement two-factor authentication for authorization (using RDP or other protocols) on systems that contain confidential data and systems that are critical to the organization’s IT infrastructure, such as domain controllers.
  16. Use Active Directory group policies to restrict the execution of binaries signed with revoked digital signatures. Group Policy settings can help enforce specific security configurations across multiple machines.
  17. Enhance network segmentation. Configure the networks of different divisions (as well as different enterprises) as separate segments. Limit data transfers between network segments to a minimal list of ports and protocols necessary for the organization’s operations.
  18. Make it the responsibility of administrators to avoid using privileged accounts, except in cases where their duties can only be performed using these accounts. We also recommend restarting the system after using a privileged account on it – this will clear RAM and make it impossible to extract the privileged account’s authentication credentials using hacking utilities. It is also recommended to use different dedicated accounts to administer different groups of systems, such as databases.
  19. Segregate services related to maintaining the organization’s information security into a dedicated segment and, if possible, a separate domain. Limit data transfers between that segment and the rest of the network to a minimal list of ports and protocols necessary to operate security solutions and perform monitoring to identify information security incidents.
  20. If remote access to systems in other network segments is required, set up demilitarized zones (DMZ) for communication between network segments and perform remote access via terminal servers.
  21. Use dedicated protection for industrial processes.
  22. Configure the backup storage system to store backups on a separate server that is not part of the domain, and ensure that backup deletion and modification rights are held only by a dedicated account that is also not part of the domain. This measure can help protect backups in the event that the domain is compromised.
  23. Increase the frequency of backups to ensure that the failure of a server does not result in the loss of a critical volume of information.
  24. Store at least three backups for each server and other systems critical to the normal operation of the organization. In addition, at least one backup should be stored on a separate, autonomous data storage device.
  25. Use RAID arrays on servers where backups are stored. This will help improve the backup system’s fault tolerance.
  26. Implement a procedure to periodically check the integrity and usability of backups. In addition, implement a procedure to periodically scan backups with an antimalware solution.
  27. Irrespective of whether there are signs of an information security incident or not, we recommend that you adjust the Kaspersky Security Center settings in accordance with the best practices described in the Hardening Guide.
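The nine SIEM correlation rules in item 7 are stated as bullet points; the following added Python example (not code from RH-ISAC or Kaspersky) shows what each one looks like as detection logic run over a small set of constructed, normalized events. The event schema (`id`, `host`, `user`, `target`, `src`, `dst`, `dport`, `app`) and the thresholds are assumptions to be mapped onto your own SIEM's field names; the Windows event IDs used are the standard ones (7045 new service, 1102/104 log cleared, 4624/4625 logon success/failure, Sysmon 13 registry value set, Sysmon 3 network connection, Defender 5001 real-time protection disabled).

```python
"""Correlation rules from recommendation item 7, applied to constructed events.
The flat dict schema below is an assumption; adapt it to your SIEM's fields."""
from collections import Counter, defaultdict

# Constructed sample telemetry (not taken from the report). One learning-period
# baseline of (account, host) logon pairs is assumed for the "new host" rule.
EVENTS = [
    {"id": 7045, "host": "WS01", "service": "UpdaterSvc", "image": r"C:\Users\Public\svc.exe"},
    {"id": 13, "host": "WS01", "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    {"id": 13, "host": "WS01", "target": r"HKU\S-1-5-21-1\Environment\UserInitMprLogonScript"},
    {"id": 4624, "host": "FILESRV", "user": "CORP\\jdoe"},   # in baseline: silent
    {"id": 4624, "host": "DC01", "user": "CORP\\jdoe"},      # never seen before: alert
    {"id": 1102, "host": "WS01"},                            # Security log cleared
    {"id": 5001, "host": "WS01", "provider": "Microsoft-Windows-Windows Defender"},
]
EVENTS += [{"id": 4625, "host": "DC01", "user": "CORP\\admin"} for _ in range(12)]
EVENTS += [{"id": 3, "host": "WS01", "src": "10.0.0.5", "dst": "10.0.0.%d" % i, "dport": 445}
           for i in range(1, 30)]                            # SMB sweep of a /24
EVENTS += [{"id": 3, "host": "WS01", "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 82, "app": "http"}]

BASELINE_LOGONS = {("CORP\\jdoe", "FILESRV")}
KNOWN_PROTO_PORTS = {"http": {80, 8080}, "https": {443}}   # expected ports per detected protocol
BRUTE_FORCE_THRESHOLD = 10                                  # failed logons per (user, host)
SCAN_DISTINCT_HOSTS = 20                                    # distinct targets from one source


def correlate(events, baseline=BASELINE_LOGONS):
    """Return (rule, detail) alerts; each rule name corresponds to one bullet of item 7."""
    alerts = []
    failures = Counter()
    scan_targets = defaultdict(set)
    for e in events:
        eid = e["id"]
        if eid == 7045:                                     # new service created
            alerts.append(("new_service", f'{e["host"]}: {e["service"]} -> {e["image"]}'))
        elif eid == 13:                                     # registry value set
            t = e["target"]
            if "\\CurrentVersion\\Run" in t:
                alerts.append(("new_run_key", t))
            if t.endswith("UserInitMprLogonScript"):
                alerts.append(("new_logon_script", t))
        elif eid == 4624:                                   # successful logon
            pair = (e["user"], e["host"])
            if pair not in baseline:
                alerts.append(("first_logon_to_host", f"{pair[0]} -> {pair[1]}"))
        elif eid in (1102, 104):                            # event log cleared
            alerts.append(("event_log_cleared", e["host"]))
        elif eid == 5001 and "Defender" in e.get("provider", ""):
            alerts.append(("security_solution_disabled", e["host"]))
        elif eid == 4625:                                   # failed logon, counted per pair
            failures[(e["user"], e["host"])] += 1
        elif eid == 3:                                      # network connection
            scan_targets[e["src"]].add((e["dst"], e["dport"]))
            app = e.get("app")
            if app in KNOWN_PROTO_PORTS and e["dport"] not in KNOWN_PROTO_PORTS[app]:
                alerts.append(("nonstandard_port", f'{app} to {e["dst"]}:{e["dport"]}'))
    for (user, host), n in failures.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            alerts.append(("brute_force", f"{user} on {host}: {n} failures"))
    for src, targets in scan_targets.items():
        hosts = {d for d, _ in targets}
        if len(hosts) >= SCAN_DISTINCT_HOSTS:
            ports = sorted({p for _, p in targets})
            alerts.append(("port_scan_or_share_discovery", f"{src}: {len(hosts)} hosts, ports {ports}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in correlate(EVENTS):
        print(f"[{rule}] {detail}")
```

Each rule fires exactly once on the constructed input, which is a convenient way to unit-test a rule set before it is loaded into the SIEM. The "first logon to host" rule depends entirely on the quality of the baseline: build it from a learning period that is known to be clean, otherwise an attacker's earlier lateral movement is silently whitelisted.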
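Item 13 spells out a password policy that Active Directory's built-in complexity setting does not fully enforce (the dictionary, personal-data and keyboard-sequence rules in particular need a custom filter or an audit script). The following added Python example (not from the report) implements that checklist as a function returning the list of violated rules, suitable for an audit script or a self-service check. The user record format, the minimal dictionary and the four-character keyboard-run threshold are assumptions.

```python
"""Audit check for the password rules in recommendation item 13 (added example)."""
import re
from datetime import date

# Special-character set exactly as listed in item 13.
SPECIALS = set("!@#$%^&*()-_+=~[]{}|\\:;'\"<>,.?/")
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
COMMON_TERMS = {"user", "test", "admin", "password", "welcome"}  # seed; extend with a real wordlist
SEQ_LEN = 4  # assumption: any run of 4+ adjacent keyboard characters counts as a sequence


def keyboard_runs(pw):
    """Return the first keyboard sequence (forward or reversed) found in pw, else None."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - SEQ_LEN + 1):
            frag = row[i:i + SEQ_LEN]
            if frag in low or frag[::-1] in low:
                return frag
    return None


def personal_tokens(user):
    """Substrings derived from the user's own data that a password must not contain.
    user = {"names": [...], "phones": [...], "dates": [datetime.date, ...]} (assumed format)."""
    toks = {n.lower() for n in user.get("names", [])}
    for phone in user.get("phones", []):
        toks.add(re.sub(r"\D", "", phone))                  # digits only
    for d in user.get("dates", []):
        toks.update(d.strftime(f) for f in ("%Y", "%d%m", "%m%d", "%d%m%Y", "%Y%m%d"))
    return {t for t in toks if len(t) >= 3}


def check_password(pw, user, privileged=False, dictionary=COMMON_TERMS):
    """Return the list of violated item-13 rules; an empty list means compliant."""
    problems = []
    min_len = 16 if privileged else 10
    if len(pw) < min_len:
        problems.append(f"length<{min_len}")
    if not any(c.isupper() for c in pw):
        problems.append("no_uppercase")
    if not any(c.islower() for c in pw):
        problems.append("no_lowercase")
    if not any(c.isdigit() for c in pw):
        problems.append("no_digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no_special")
    low = pw.lower()
    for word in sorted(dictionary):                          # sorted for deterministic output
        if word in low:
            problems.append(f"dictionary:{word}")
            break
    for tok in sorted(personal_tokens(user)):
        if tok in low:
            problems.append(f"personal:{tok}")
            break
    run = keyboard_runs(pw)
    if run:
        problems.append(f"keyboard_sequence:{run}")
    return problems


if __name__ == "__main__":
    # Constructed sample user record.
    u = {"names": ["John", "Doe"], "phones": ["+1 555-0123"], "dates": [date(1990, 3, 12)]}
    for candidate in ("Vf7#kLp2!mBn9z", "qwerty123", "JohnDoe1990!Xy", "Admin2024!Secure"):
        print(candidate, "->", check_password(candidate, u) or "OK")
```

Run as an audit against a candidate password rather than against stored hashes: the personal-data rule needs the plaintext and the user's HR attributes, so the natural place for it is a password filter DLL or a self-service reset portal, not a post-hoc scan of the directory.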

Indicators of Compromise

Kaspersky has also provided the following Indicators of Compromise for ingestion:

02fb1958a901d7d1c8b60ecc0e59207c

033a8d6ec5a738a1a90dd4a86c7259c8

04aa425d86f4ef8dc4fc1509b195838a

096c34df242562d278fc1578dc31df92

09a50edb49cbb59a34828a37e63be846

0a49345c77da210ab0cd031fda6bc962

0a70ea6596c92fbfb461909ed57503fa

0b20f0ff1aaff4068f99f4db69ba9c1e

0c33792c6ed37452f44ca94ce7385250

142eb5106fcc2f95b7daf37dca970595

15b7990bd006d857ee02c529b45783ac

1c79abe9f52cbe92f042615a9f6b6f10

1e80a8b3f4efb4bb27771d729f5ced85

2026ead0c2366d049ecd5e42ac1b1b07

24ecb197ee73e5b1eef2ded592640cf2

26f0806932dfd029f0fe12e49bb4c799

28231ce260ce66388d58ce536d7ed201

2aa41ae3d3ae789147218652e6593161

2bccd50322afb7a349c163ce9b76bb66

357534f6a2bffa77b83501715e382a94

362fc5799ecef8e9e328cfbf6272c48f

3843ef98a4c7ee88f10078e6a38f15ee

3883957530482a399abb5e1f06e4581f

3b32fc9115c224653f5afba793c0bbef

3ca82fd8d12967c32388ad18e9727fac

44b47fdab8ca3375fe5a875deefa265c

4fc6dbb9beeecb2d60f3fef356c6df01

502054d938a18172a3657aaf2326bcf4

50a5c5a3c07f04d96f5f1968996cfb74

50d29ee29b54685bd10b8d2917696413

58a8daae643a84c112ddc6e79c750271

58e44c4d797cecfed42c1fdf18c2d5f9

58fe500e022ea1aeebbe72c4ce694531

5b730131c3271820c03d711f2549b894

5c1de870ea1e08b25e7ce4397372f5a6

5d7fba23a44683c0b471d9a7cc7f5042

632c0808e4d0c7b293642e4c4ae8e2a2

63562347202715eff0e7f2d6ad07a2aa

63c600434def54157204765619838372

64013e613a0130cb1b7845139537bc5e

64d72e8d0539e6a0b74fb1c6e5127c05

64fdeed776cfd5e260444ae2e4a5b1a4

699ad2a5b6d9b9b59df79e9265ebd47a

6a5e3776c3bfdadd899704589f28e9fd

6a73f3bab8fb205ed46e57cf076b6f6d

7081b6781e66bdceb2b119a783b6c7fd

771a5d8fc6829618f15abe49796d1c44

790cf080abb18af471d465998b37fd1b

797d111244805e897db5c21010ee8e12

7ba376f5a71ffa21a92c7b35c3b000eb

82394a97458094b1cb22c4e243f4e9db

8c0599c0a6b7ffaff93762d0c3ea2569

8da2c4796c439f4a57536bd5c5d3f811

8e474f9321fc341770c9100853eb41eb

9037ccfcd3d3d1542089d30d3041db1c

936c16a64432348176f9183cd1524cef

93f12cbfb9ba1a66d3a050a74bab690b

949f086c40cfc5144243a24688961414

9636309c41e8a33507c349b8e9053c49

991cb5f8476edbc73223d1331704a9fd

9bb22b91b5ad59972130a3a428f7b5bb

9bf2e34511619b7c4573c3974bdbaa39

9e8a08fcddb10db8d58e17b544d81bff

a009b341aa6f5bda61300dc5e7822480

a7b20338dd9ed5462ddff312b67556e9

ab5f57681299933c1f70b938caa526d3

ac3fbdbfbc08f41e4ad1c004180093f1

ad216eaf11500eb73c6cdafc18cb49d8

ae735b1d9b7e9dd496d22409ceaeda66

b0c315c5dcda6e4442280c07b11d1ba5

b1ad89be2632933350683b91011a4aee

b37917ea3849607d02d330130a823567

b3f8f1272813bff80630b9caab6e5089

b5c46f829fed11b4ddc2e155dc5cf974

bc36b1be438f92fe5f9a47f13244503e

bd6b8574738c7589887b61d4fad68fce

bdd68e7733c09fad48d4642689741ea4

be15a198f05eb39277720defa9188f62

c4579aa972d32e946752357ca56ee501

c555cc05f9d16b9e9222693e523e0ba5

c89a4a106619c67b8410efa695d78ef3

ca7dc49e80b2a77677718c72f3cc6bc1

cbc36deadef17a4c315cbbff3f74439f

d35635e8d07b923d1e89f541d4f03b90

d413cf08ef7c6357dd0215b8b9ebe6f4

d494efc086447c543d0c3c7beecf2bc6

d6bda8be4ba9563844b3b9367b73bd2e

dc2676b0c54b31a017ada4f62693de54

dded5d108b6a9ee50d629148d8ed4ec5

df6f5f4b7b8ba3c2c0ddc00d47e33218

e0d5b46dffee56c337fdc172ce617850

e32020ab02e11a995effb7781aabd92f

e6ef56c91bd735542775dfef277e0cc7

e8204900e8acb502ca6e008f9532b35e

e91991304abf5d881545bc127e7fb324

eb9419aa5c6fee96defad140450a9633

ec0bdf52c113487e803028dbc52e8173

ed036740be0a8e3203a54edd4d4b735c

f9e461cc83076d5f597855165e89f0db

fdc35392af34ef43291b8f7f959ef501

feb8e6059a234ea689404d3d4336e8af

4e40c9945cc8b62c123e5636155e96a7 

6bfe01cd9c038aa90bcd600d49657c21 

80c7667c14df5b92ab206b2ea9b42aff 

eb53df9fe23d469350885164aa82215e 

32c105c5229843aaebf12621359195a9 

34b29454676e780d81d8bba066d7d94f 

8577438ecff5753ddcf427b93c5976c8 

f481a67933055956e8dd77b4b2bde9ed 

f8136c909fb35457fc963d87b50bc158 

02477e031f776539c8118b8e0e6663b0 

02d8c59e5e8a85a81ee75ce517609739 

05c528a2b8bb20aad901c733d146d595 

15962f79997a308ab3072c10e573e97c 

17278c3f4e8bf56d9c1054f67f19b82c 

172ee543d8a083177fc1832257f6d57d 

1fe3885dea6be2e1572d8c61e3910d19 

249f568f8b8709591e7afd934ebea299 

266bb19f9ceb1a4ccbf45577bbeaac1a 

3c583e01eddd0ea6fe59a89aea4503b4 

3ec20285d88906336bd4119a74d977a0 

43156787489e6aa3a853346cded3e67b 

46630065be23c229adff5e0ae5ca1f48 

577e1a301e91440b920f24e7f6603d45 

5be46b50cac057500ea3424be69bf73a 

60a92d76e96aaa0ec79b5081ddcc8a24 

60dbc3ef17a50ea7726bdb94e96a1614 

635f3617050e4c442f2cbd7f147c4dcf 

675a113cdbcce171e1ff172834b5f740 

68a27f7ccbfa7d3b958fad078d37e299 

73e49ddf4251924c66e3445a06250b10 

787f2819d905d3fe684460143e01825c 

7ac3ebac032c4afd09e18709d19358ed 

8f67a7220d36d5c233fc70d6ecf1ee33 

9b4d46177f24ca0a4881f0c7c83f5ef8 

9c3f469a5b54fb2ec29ac7831780ed6d 

9d34d83e4671aaf23ff3e61cb9daa115 

a935ef1151d45c7860bfe799424bea4b 

bcec6b78adb3cf966fab9025dacb0f05 

d0d3efcff97ef59fe269c6ed5ebb06c9 

ebc0809580940e384207aa1704e5cc8e 

eca08239da3acaf0d389886a9b91612a 

ed6837f0e351aff09db3c8ee93fbcf06 

fb8dc76a0cb0a5d32e787a1bb21f92d2 

feb49021233524bd64eb6ce37359c425

101.33.243[.]31:82

43.154.238[.]130:6000

134.122.137[.]252:6000

43.154.238[.]130:8081

111.230.93[.]174:8081

43.159.192[.]196:6000

43.138.199[.]241:6000

175.178.166[.]216:6000

43.139.35[.]42:6000

43.139.101[.]11:6000

81.71.1[.]107:6000

175.178.89[.]24:6000

106.52.216[.]112:6000

43.154.68[.]193:6000

107.148.54[.]105:6000

47.106.224[.]107:6000

154.39.238[.]101:6000

206.233.130[.]141:6000

107.148.50[.]116:6000

103.144.29[.]211:6000

107.148.52[.]241:6000

107.148.50[.]112:6000

107.148.52[.]242:6000

111.230.10[.]93:6000

111.230.32[.]52:6000

107.148.50[.]113:6000

111.230.108[.]14:6000

175.178.96[.]9:8081

1.12.37[.]113:8081

111.230.15[.]48:8081

111.230.91[.]145:8081

111.230.45[.]217:8081

154.91.227[.]32:6000

82.156.145[.]216:6000

122.152.231[.]146:6000

154.206.236[.]9:6000

119.29.219[.]211:6000

107.148.52[.]176:6000

120.78.173[.]89:6000

120.79.91[.]168:6000

114.132.46[.]48:6000

123.207.35[.]145:6000

8.217.0[.]16:6000

123.207.1[.]145:6000

114.132.56[.]175:6000

119.29.235[.]38:6000

123.207.79[.]195:6000

139.199.168[.]63:6000

123.207.55[.]60:6000

43.138.176[.]5:6000

123.207.16[.]43:6000

123.207.58[.]147:6000

103.144.29[.]123:6000

156.236.67[.]181:6000

123.207.44[.]193:6000

123.207.8[.]204:6000

114.132.121[.]130:6000

154.197.6[.]103:6000

42.193.242[.]180:6000

47.57.68[.]157:8080

 hxxp://note.youdao[.]com/yws/api/note/4b2eead06fc72ee2763ef1f653cdc4ae

 hxxp://note.youdao[.]com/yws/api/note/1eaac14f58d9eff03cf8b0c76dcce913

 hxxp://11-1318622059.cos.ap-nanjing.myqcloud[.]com/DLL2auto.dll

 hxxp://11-1318622059.cos.ap-nanjing.myqcloud[.]com/DLL.dll

 hxxp://11-1318622059.cos.ap-nanjing.myqcloud[.]com/DLL2.dll

 hxxp://11-1318622059.cos.ap-nanjing.myqcloud[.]com/FANGAOtest.dll

 hxxp://11-1318622059.cos.ap-nanjing.myqcloud[.]com/BEFORE.dll

 hxxp://11-1318622059.cos.ap-nanjing.myqcloud[.]com/FANGAO.dll

 hxxp://todesk-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL.dll

 hxxp://todesk-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL2.dll

 hxxp://todesk-1316713808.cos.ap-nanjing.myqcloud[.]com/BEFORE.dll

 hxxp://mytodesktest-1257538800.cos.ap-nanjing.myqcloud[.]com/DLL.dll

 hxxp://yuehai-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL.dll

 hxxp://yuehai-1316713808.cos.ap-nanjing.myqcloud[.]com/FANGAO.dll

 hxxp://yuehai-1316713808.cos.ap-nanjing.myqcloud[.]com/before1/BEFORE.dll

 hxxp://yuehai-1316713808.cos.ap-nanjing.myqcloud[.]com/before2/BEFORE.dll

 hxxp://526-1316713808.cos.ap-nanjing.myqcloud[.]com/FANGAO.dll

 hxxp://526-1316713808.cos.ap-nanjing.myqcloud[.]com/BEFORE.dll

 hxxp://526-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL2.dll

 hxxp://526-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL.dll

 hxxp://529-1316713808.cos.ap-nanjing.myqcloud[.]com/BEFORE.dll

 hxxp://529-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL2.dll

 hxxp://529-1316713808.cos.ap-nanjing.myqcloud[.]com/FANGAO.dll

 hxxp://530-1316713808.cos.ap-nanjing.myqcloud[.]com/FANGAO.dll
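The list above mixes three indicator types (MD5 file hashes, defanged `ip[.]addr:port` pairs and defanged `hxxp://` URLs) in one flat block, and the hosts are legitimate cloud services, so matching has to be done on the full bucket hostname or URL rather than on `myqcloud.com` or `youdao.com`. The following added Python example (not from RH-ISAC or Kaspersky) parses a handful of the entries copied from the list, refangs them, and matches them against constructed proxy and EDR records; the log format, the 203.0.113.x/198.51.100.x addresses and the file paths are constructed sample data.

```python
"""Parse the defanged IoC block above and match it against sample telemetry (added example)."""
import re

# A few entries copied verbatim from the IoC list above, still defanged.
IOC_TEXT = """
02fb1958a901d7d1c8b60ecc0e59207c
101.33.243[.]31:82
43.154.238[.]130:6000
hxxp://note.youdao[.]com/yws/api/note/4b2eead06fc72ee2763ef1f653cdc4ae
hxxp://11-1318622059.cos.ap-nanjing.myqcloud[.]com/DLL2auto.dll
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
IPPORT_RE = re.compile(r"^(\d{1,3}(?:\[?\.\]?\d{1,3}){3}):(\d+)$")
URL_RE = re.compile(r"^hxxps?://", re.I)


def refang(s):
    """Turn the defanged form used in the list back into a matchable value."""
    return s.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


def parse_iocs(text):
    """Classify each non-empty line; reject anything unrecognised so typos are not silently dropped."""
    iocs = {"md5": set(), "ipport": set(), "url": set(), "host": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if MD5_RE.match(line):
            iocs["md5"].add(line.lower())
        elif IPPORT_RE.match(line):
            ip, port = refang(line).rsplit(":", 1)
            iocs["ipport"].add((ip, int(port)))
        elif URL_RE.match(line):
            url = refang(line)
            iocs["url"].add(url)
            iocs["host"].add(url.split("/")[2].lower())   # full bucket/host name, not the apex domain
        else:
            raise ValueError(f"unrecognised IoC line: {line!r}")
    return iocs


# Constructed proxy records: "ts src_ip dst_host dst_ip dst_port url" ("-" when unknown).
PROXY_LOG = [
    "2025-02-20T09:14:02Z 10.0.0.5 note.youdao.com 203.0.113.5 80 "
    "http://note.youdao.com/yws/api/note/4b2eead06fc72ee2763ef1f653cdc4ae",
    "2025-02-20T09:14:09Z 10.0.0.5 - 101.33.243.31 82 -",
    "2025-02-20T09:15:00Z 10.0.0.7 update.example.com 198.51.100.2 443 https://update.example.com/ok",
]
# Constructed EDR file events: (host, path, md5). Hash case varies between products.
EDR_HASHES = [
    ("WS01", r"C:\Users\u\AppData\Local\Temp\invoice.exe", "02FB1958A901D7D1C8B60ECC0E59207C"),
    ("WS02", r"C:\Windows\notepad.exe", "d41d8cd98f00b204e9800998ecf8427e"),
]


def match_proxy(lines, iocs):
    """Return (ts, src, indicator_type, value) for every proxy record touching an IoC."""
    hits = []
    for line in lines:
        ts, src, host, dst_ip, port, url = line.split(" ", 5)
        if (dst_ip, int(port)) in iocs["ipport"]:
            hits.append((ts, src, "ipport", f"{dst_ip}:{port}"))
        if host.lower() in iocs["host"]:
            hits.append((ts, src, "host", host))
        if url in iocs["url"]:
            hits.append((ts, src, "url", url))
    return hits


def match_hashes(events, iocs):
    """Return (host, path) for every file whose MD5 is in the list, case-insensitively."""
    return [(h, p) for h, p, md5 in events if md5.lower() in iocs["md5"]]


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for hit in match_proxy(PROXY_LOG, iocs):
        print("proxy hit:", hit)
    for hit in match_hashes(EDR_HASHES, iocs):
        print("hash hit:", hit)
```

Because the `host` set holds the full object-storage bucket name (for example `11-1318622059.cos.ap-nanjing.myqcloud.com`) rather than the shared platform domain, a block or alert built from it does not disrupt legitimate use of the same cloud provider. The IP:port pairs are matched as pairs for the same reason: several of the listed addresses belong to shared hosting ranges, and port 6000 or 82 is the distinguishing feature the report calls out.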
