In early November, Rapid7 Labs identified a new, highly evasive malware installer, CleverSoar, targeting Chinese and Vietnamese-speaking victims. CleverSoar is designed to deploy and protect multiple malicious components within a campaign, including the advanced Winos4.0 framework and the Nidhogg rootkit.
These tools enable capabilities such as keystroke logging, data exfiltration, security bypasses, and covert system control, suggesting that the campaign is part of a potentially prolonged espionage effort. Rapid7 Labs’ findings indicate a sophisticated and persistent threat, likely focused on data capture and extended surveillance.
While the majority of CleverSoar installer-related binaries were detected in November 2024, Rapid7 Labs found that the initial version of these files had been uploaded to VirusTotal in late July of this year. The malware distribution begins with a .msi installer package, which extracts the files and subsequently executes the CleverSoar installer.
The CleverSoar installer checks the user’s language settings to verify whether they are set to Chinese or Vietnamese. If the language is not recognised, the installer terminates, effectively preventing infection. This behaviour strongly suggests that the threat actor is primarily targeting victims in these regions.
Based on the folder names generated by the malicious .msi files (e.g., Wegame, Installer), we infer that the .msi installer is being distributed as fake software or gaming-related applications.
Rapid7 Labs could not attribute the installer to a specific known threat actor. However, due to similarities in campaign characteristics, we suspect with medium confidence that the same threat actor may be responsible for both the ValleyRAT campaign and the new campaign, both reported by Fortinet this year. The techniques employed in the CleverSoar installer suggest that the threat actor possesses advanced skills and a comprehensive understanding of Windows protocols and security products.
InsightIDR and Managed Detection and Response (MDR) customers have existing detection coverage through Rapid7’s expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. The following rule will alert on a wide range of malicious hashes tied to behaviour in this blog: Suspicious Process – Malicious Hash On Asset.
The CleverSoar campaign highlights an advanced and targeted threat, employing sophisticated evasion techniques and highly customised malware components like the Winos4.0 framework and Nidhogg rootkit.
The campaign’s selective targeting of Chinese and Vietnamese-speaking users, along with its layered anti-detection measures, points to a persistent espionage effort by a capable threat actor. While currently aimed at individual users, this campaign’s tactics and tools demonstrate a level of sophistication that could easily extend to organisational targets.
Organisations in the affected regions should take notice of the tactics, techniques, and procedures of this actor and monitor suspicious activity.