Fangao loader (1 mutex signature)
[BASIC_INFORMATION]
FAMILY_NAME:
Fangao
CATEGORY:
LOADER
DESCRIPTION:
Fangao is a sophisticated multi-stage loader malware associated with the SalmonSlalom threat group, targeting industrial organizations in the Asia-Pacific region. It uses complex delivery mechanisms, including DLL side-loading, relies on Chinese CDN services (myqcloud) and Youdao Cloud Notes for payload storage, and employs publicly available packers for encryption. The loader is designed to evade security solutions by changing its C2 servers dynamically and by abusing the functionality of legitimate applications.
ALIASES:
Fangao loader
TAGS:
loader, multi_stage, dll_side_loading, cdn_abuse, industrial_targeting, packer_encryption
[MUTEX_SIGNATURES] (1)
[MUTEX_01]
UniqueMutexName
ANALYST: @adhikara13 DATE: 2025-07-30
[THREAT_INTELLIGENCE]
ATTRIBUTION:
SalmonSlalom
FIRST_OBSERVED:
2025
[STATISTICS]
MUTEX_COUNT:1
THREAT_ACTORS:1
ALIASES:1
TAGS:6
CATEGORY:LOADER