Stately Taurus Activity in Southeast Asia Links to Bookworm Malware

Feb. 21, 2025, 3:29 p.m.

Description

Unit 42 researchers have discovered connections between Stately Taurus, a threat actor targeting ASEAN countries, and the Bookworm malware family. Analysis of infrastructure and code overlaps revealed links between recent Stately Taurus attacks and Bookworm samples dating back to 2015. The group has been using both Bookworm and ToneShell malware in their operations. Bookworm has undergone minimal changes since 2015, demonstrating its versatility and continued effectiveness. The malware's modular design allows for flexible packaging to meet operational needs. Stately Taurus is expected to continue developing and utilizing Bookworm in future attacks targeting Southeast Asian organizations.

External References

https://unit42.paloaltonetworks.com/wp-content/uploads/2025/02/09-3-Stately-Taurus-1616x600-1.png
https://unit42.paloaltonetworks.com/stately-taurus-uses-bookworm-malware/
https://otx.alienvault.com/pulse/67b786e0692efb6b4cf8dfc5
Tags
dll sideloading
toneshell
pubload
modular malware
southeast asia
2025-02-20
asean
infrastructure overlap
bookworm

Date

  • Created: Feb. 20, 2025, 7:47 p.m.
  • Published: Feb. 20, 2025, 7:47 p.m.
  • Modified: Feb. 21, 2025, 3:29 p.m.

Attack Patterns

  • Bookworm
  • PubLoad
  • ToneShell
  • Stately Taurus
  • T1588.002
  • T1132.001
  • T1036.004
  • T1574.002
  • T1071.001
  • T1055
  • T1140
  • T1027
  • T1112

Additional Informations

  • Government
  • Myanmar