TajMahal APT Can Steal Data From CDs, Printer Queues

Kaspersky Lab security researchers have discovered a sophisticated advanced persistent threat (APT) framework that provides a full set of spying capabilities.

Dubbed TajMahal, the framework includes backdoors, loaders, orchestrators, command and control (C&C) communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptographic key stealers, and a file indexer.

First observed in the autumn of 2018, the tool consists of two packages named ‘Tokyo’ and ‘Yokohama’, and the security researchers found around 80 malicious modules stored in the framework’s encrypted Virtual File System (VFS).

Although it was discovered only recently, the framework has been in use for at least five years, with the first sample having a timestamp of August 2013 (the last one is from April 2018). The earliest known TajMahal samples were seen on a victim’s device in August 2014.

The researchers observed both TajMahal packages on infected machines, which suggests that Tokyo is used in the first stage of infection: it delivers the Yokohama package and also serves as a backup.

TajMahal, Kaspersky reveals, can even steal data from a CD burnt by a victim and from the printer queue. Additionally, it can exfiltrate files from previously seen USB sticks when they are connected to the infected computer a second time.

The malware can gather a large amount of data from the victim machines, including the backup list for Apple mobile devices, can take screenshots when recording VoiceIP app audio, and can steal Internet Explorer, Netscape Navigator, Firefox and RealNetworks cookies. It also features an indexer and emergency C&C servers.

The malware also packs a persistence mechanism that allows it to reappear after a reboot if it has been deleted.

Kaspersky said they were able to identify a single victim so far, a diplomatic entity from a country in Central Asia. However, the researchers believe that other victims do exist, although they haven’t been identified yet.

Moreover, they believe that additional versions of the malware exist, but haven’t been detected yet. This hypothesis is based on the fact that they couldn’t determine how one of the files in the VFS was used by the discovered framework samples.

“The TajMahal framework is an intriguing discovery that’s of great interest, not least for its high level of technical sophistication, which is beyond any doubt. The huge amount of plugins that implement a number of features is something we have never before seen in any other APT activity,” Kaspersky concludes.

Related: New Version of Flame Malware Platform Discovered

Related: Duqu Remained Active After Operations Were Exposed in 2011

Related: New Module Suggests Fourth Team Involved in Stuxnet Development

Written By

Ionut Arghire is an international correspondent for SecurityWeek.