‘Farseer’ Backdoor Targets Users in South East Asia

A recently discovered backdoor is used in attacks targeting victims in and around the South East Asia region, Palo Alto Networks security researchers warn.

Dubbed Farseer and targeting Windows computers, the malware appears to be connected to the HenBox Android malware family that was found last year being used in cyber-espionage attacks focused on the Uyghur population. 

The infrastructure behind both HenBox and Farseer is tied to other malware as well, including Poison Ivy, Zupdax, and PKPLUG, the security researchers say. The infrastructure used by these malware families is vast and the overlaps are numerous.

More than 30 unique Farseer samples have emerged over the past two years, mostly in 2017, though some were seen in 2018 too. The most recent of them were spotted during the past two months. 

The most recent sample introduces a new command and control (C&C) domain to the Farseer set, but that domain was also used by some Poison Ivy samples as their C&C. Earlier activity on the domain dates back to mid-2015, but it remains in fairly active use, with the most recent activity observed in December 2018.

In addition to this C&C, Farseer and Poison Ivy infrastructure overlaps include the use of two other domains, as well as the use of third-level domains as the C&C, and a couple of IP addresses. On top of that, Farseer overlaps with HenBox and PlugX samples through multiple C&C domains and IP addresses. Farseer was also tied to domains and custom Gh0st RAT malware samples.

“It’s possible the infrastructure relates to the same group, or multiple groups, conducting various attacks against different operating systems using the various malware families described in this, and related, reports. The possible ties require further investigation,” Palo Alto Networks points out.

Farseer employs DLL sideloading to load its payload. The malware’s configuration files share similarities with those of HenBox, starting with the fact that both are text files that are read and parsed at run-time. For persistence, Farseer creates a registry entry to run a VBS script that executes bscmake.exe, and thus the malware itself. 

“In this case, we do not have great visibility into the targets of the Farseer malware. However, given our existing knowledge based on previous research, and around malware with closely-related infrastructure, together with certain targeting themes seen in some Farseer samples, it is highly likely that victims lay in and around the South East Asia region,” Palo Alto Networks says. 

Farseer payloads, the researchers note, are backdoors that receive instructions from pre-configured C&C servers and use various techniques to evade detection and inhibit analysis, including DLL sideloading using trusted, signed executables. Payloads are encrypted on disk, and decompression and decryption occur at runtime, in memory, where the code is further altered to hinder forensic analysis.
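The persistence chain and the sideloading of a trusted, signed executable described in the two paragraphs above both leave host artifacts a defender can hunt for. The following Python script is an added example, not part of the report or of Palo Alto Networks' work; the autorun and process records are constructed, their field names are an assumption, and the Visual Studio path list is only a starting point for an allowlist.

```python
"""Hunt for the Farseer-style persistence chain: a Run-key value launching a
VBS script that in turn starts bscmake.exe (a legitimate, signed Visual Studio
tool abused for DLL sideloading). All records below are constructed samples;
the field names are an assumed collector schema, not a real tool's output."""
import re

# Constructed sample: autorun registry values as exported by a collector.
AUTORUNS = [
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "OneDrive",
     "value": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "update",
     "value": r'wscript.exe //B "C:\Users\bob\AppData\Roaming\svc\start.vbs"'},
]

# Constructed sample: process-creation events (simplified Sysmon-style fields).
PROCESSES = [
    {"image": r"C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\bin\Hostx86\x86\bscmake.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Users\bob\AppData\Roaming\svc\bscmake.exe",
     "parent": r"C:\Windows\System32\wscript.exe"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
VBS_RE = re.compile(r"\.vbs\b", re.IGNORECASE)
# Assumed allowlist of directories where bscmake.exe legitimately lives.
DEV_DIRS = (r"c:\program files\microsoft visual studio",
            r"c:\program files (x86)\microsoft visual studio")

def suspicious_autoruns(entries):
    """Return names of Run-key values that launch a .vbs file or a script host.
    Legitimate autoruns rarely need a VBS launcher, so this is a cheap first filter."""
    hits = []
    for e in entries:
        v = e["value"].lower()
        if VBS_RE.search(v) or any(h in v for h in SCRIPT_HOSTS):
            hits.append(e["name"])
    return hits

def misplaced_bscmake(events):
    """Return image paths of bscmake.exe running outside a Visual Studio install
    or spawned by a script host: the sideloading pattern worth a closer look."""
    hits = []
    for ev in events:
        img = ev["image"].lower()
        if not img.endswith("\\bscmake.exe"):
            continue
        in_dev_dir = img.startswith(DEV_DIRS)
        script_parent = ev["parent"].lower().endswith(SCRIPT_HOSTS)
        if not in_dev_dir or script_parent:
            hits.append(ev["image"])
    return hits

if __name__ == "__main__":
    print("autoruns:", suspicious_autoruns(AUTORUNS))
    print("bscmake:", misplaced_bscmake(PROCESSES))
```

Either list being non-empty is a lead, not a verdict: the allowlist should be adjusted to the build tooling actually deployed in the environment before the check is run fleet-wide.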

“Whereas HenBox posed a threat for devices running Android, Farseer is built to target Windows, which appears to be more typical given previous threats seen from the group or groups behind this, and related malware,” the researchers conclude. 

Related: New “HenBox” Android Malware Discovered

Related: Backdoor Targeting Malaysian Government a “Mash-up” of Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.