ChargeWeapon

Malware Profile Updated 3 months ago
ChargeWeapon is a previously unknown Go-based backdoor reported in a Chinese state-sponsored cyber espionage campaign against semiconductor companies in East Asia. It did not exploit web servers itself; the attackers used a compromised Cobra DocGuard web server as the delivery point. From that server they delivered a McAfee binary, used DLL side-loading to execute Cobalt Strike shellcode under that binary, and then deployed ChargeWeapon as the follow-on backdoor.

Once running, ChargeWeapon collects device and network information about the infected host, serialises it as JSON, base64-encodes the result, and transmits it to an attacker-controlled command-and-control (C2) server. It also provides remote access, so the operators can control the host beyond simple data collection. To hinder analysis, the binary is obfuscated with the open-source Go obfuscator garble, a relatively simple evasion measure.

The indicators of compromise published with the reports include file hashes for a HyperBro loader and for ChargeWeapon itself, together with IP addresses associated with the C2 server and with second-stage artefacts; the hash values and addresses themselves are not reproduced on this page. One of the source articles also recommends prompt patching of third-party applications as a general precaution.
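Because base64 is an encoding rather than encryption, a beacon body that base64-decodes to a JSON object full of host fields is a usable detection hook on a proxy or egress log. The scanner below is an added example for this page, not code from ChargeWeapon or from any of the cited reports: the log line format, the traffic, and the fingerprint key names (hostname, username, os, ip, ...) are all constructed for illustration, since the reports state only that the backdoor sends host data as base64-encoded JSON, not which keys it uses or how the request is framed.

```python
"""Flag HTTP log entries that carry base64-encoded JSON host data.

Added example for this page, not code from ChargeWeapon or from the reports
cited below. The log format, the field names, and the traffic are constructed
for illustration: the reports say only that the backdoor sends host data as
base64-encoded JSON, not which keys it uses or how the request is framed.
"""
import base64
import binascii
import json
import re
from dataclasses import dataclass

# Candidate tokens: standard or URL-safe base64 alphabet, at least 24 characters.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{24,}={0,2}")

# Keys a host-profiling beacon plausibly carries (assumption, see docstring).
FINGERPRINT_KEYS = {"hostname", "username", "os", "ip", "mac", "domain", "arch", "pid"}
MIN_KEY_MATCHES = 2


@dataclass
class Hit:
    line_no: int
    dst: str
    fields: dict


def decode_b64_json(token: str):
    """Return the JSON object hidden in token, or None if it is not base64 of a JSON object."""
    core = token.rstrip("=")
    padded = core + "=" * (-len(core) % 4)   # tolerate stripped padding
    for altchars in (None, b"-_"):           # standard, then URL-safe alphabet
        try:
            raw = base64.b64decode(padded, altchars=altchars, validate=True)
            obj = json.loads(raw.decode("utf-8"))
        except (binascii.Error, ValueError):  # bad base64, bad UTF-8, or not JSON
            continue
        return obj if isinstance(obj, dict) else None
    return None


def looks_like_host_beacon(obj: dict) -> bool:
    """True when at least MIN_KEY_MATCHES fingerprint-style keys are present."""
    keys = {str(k).lower() for k in obj}
    return len(keys & FINGERPRINT_KEYS) >= MIN_KEY_MATCHES


def scan_log(lines):
    """Scan proxy-style lines ('<ts> <src> -> <dst> <method> <path> ...') for beacons."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        dst_match = re.search(r"->\s*(\S+)", line)
        dst = dst_match.group(1) if dst_match else "?"
        for token in B64_TOKEN.findall(line):
            obj = decode_b64_json(token)
            if obj is not None and looks_like_host_beacon(obj):
                hits.append(Hit(line_no, dst, obj))
    return hits


# Constructed sample traffic (not a real capture). Line 1 mimics the reported
# beacon shape; lines 2 and 3 are benign base64 (a cookie value and a JWT header).
_BEACON = base64.b64encode(json.dumps(
    {"hostname": "WS-FIN-07", "username": "jdoe", "os": "Windows 10", "ip": "10.0.0.5"}
).encode()).decode()

SAMPLE_LOG = [
    "2024-03-01T10:00:00Z 10.0.0.5 -> 203.0.113.10 POST /api/update body=" + _BEACON,
    "2024-03-01T10:00:03Z 10.0.0.5 -> 198.51.100.7 GET /login cookie=QWxhZGRpbjpvcGVuIHNlc2FtZQ==",
    "2024-03-01T10:00:05Z 10.0.0.5 -> 198.51.100.7 GET /me auth=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.sig",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: beacon to {hit.dst}: {hit.fields}")
```

The two-key threshold and the key list are tuning knobs: a JWT header or a session cookie also base64-decodes cleanly, so the check that matters is the JSON content, not the fact that a token decodes. Treat a hit as a lead to pivot on (destination address, process, user) rather than a verdict, and pair it with the published hashes and C2 addresses from the source reports.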
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Profile (votes): description

Cobra (1): Cobra is a type of malware, short for malicious software, designed to exploit and damage computer systems or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Cobra has the potential to steal personal information, disrup

Cobra DocGuard (1): Cobra DocGuard, a software produced by Chinese firm EsafeNet for protecting, encrypting, and decrypting software, has been exploited in a series of malware attacks. The attackers compromised the software's update files to deliver malicious updates that infected targeted systems. The first known inst
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Downloader
Malware
Loader
Associated Malware
Profile (type, votes): description

HyperBro (unspecified, 1): HyperBro is a malicious software (malware) that has been utilized in a sophisticated cyber espionage campaign targeting semiconductor industries primarily in Taiwan, Hong Kong, and Singapore. This malware was discovered being used in conjunction with a lure purporting to be from the Taiwan Semicondu
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the ChargeWeapon malware was read from the document corpus below. This display is limited to 20 results.

Source (created): title

CERT-EU (10 months ago): Chinese State-Sponsored Cyber Espionage Activity Targeting Semiconductor Industry in East Asia
CERT-EU (10 months ago): Chinese Hackers Attacking Semiconductor Industries using Cobalt Strike beacon
CERT-EU (10 months ago): China-based spies are hacking East Asian semiconductor companies, report says | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU (10 months ago): Semiconductor firms targeted by Chinese hackers
CERT-EU (10 months ago): China-linked cyberspies backdoor semiconductor firms with Cobalt Strike