
CosmicStrand

cosmicstrand_uefi · china · active since 2016-12

CosmicStrand is the name Kaspersky GReAT gave, in its July 25, 2022 disclosure, to a UEFI firmware rootkit and to the Chinese-speaking cluster behind it; Qihoo360 had analysed an early variant in 2017 under the Chinese-side name "Spy Shadow Trojan". The implant has been in use since the end of 2016, which makes it one of the earliest in-the-wild UEFI rootkits on record: its activity pre-dates LoJax (ESET, 2018), the first UEFI rootkit to be publicly documented in the wild, even though CosmicStrand itself was not published until 2022.

Attribution to a Chinese-speaking actor is a strong indicator rather than a formal attribution, per Kaspersky GReAT, and rests on code overlaps with two other Chinese-speaking malware families: the MyKings (aka Smominru / DarkCloud) cryptocurrency botnet, for which Sophos had documented Chinese-language artefacts, and the MoonBounce UEFI implant, which Kaspersky disclosed in January 2022 and attributed to the China-linked Winnti / APT41 cluster (apt41_wickedpanda, curated separately). The MoonBounce overlap hints at a shared Chinese state-aligned offensive-capability development ecosystem, but CosmicStrand is tracked as a cluster distinct from APT41.

Summary of tradecraft (detailed in the Profile below):
  • UEFI firmware rootkit: a 96.84 KB implant embedded in firmware images of Gigabyte and ASUS motherboards built on the Intel H81 chipset. Firmware executes before the operating system, so the implant runs below every OS-level security control and survives OS reinstallation and hard-drive replacement; only reflashing the SPI flash with a clean image removes it.
  • Modified CSMCORE DXE driver: the Compatibility Support Module core driver, which provides legacy MBR boot, has its entry point patched so that the implant gains control during boot and can tamper with the rest of the boot sequence.
  • Kernel-level Windows implant via boot-chain hijack: the OS loading process is hooked so that a kernel-level implant is deployed into Windows on every boot; it launches shellcode that contacts a C&C server to fetch the actual payload. Related behaviours: an attempt to disable PatchGuard and the creation of a user account added to the local Administrators group. Two variants with separate C&C servers: 2016-2017 and 2020.
  • Narrow hardware targeting (Gigabyte and ASUS boards with the H81 chipset) suggests either a common vulnerability or a supply-chain vector specific to H81 designs. Qihoo360's 2017 analysis raised the possibility of a backdoored second-hand motherboard, based on the actual ASUS board it examined: "the compromised system ran on a second-hand ASUS motherboard that the owner had purchased from an online store".
  • Victims are private individuals in China, Vietnam, Iran and Russia, with no organisational or sector pattern, unlike most APT clusters.
  • Within the curated corpus it is the 35th China-attributed cluster and the only one whose defining capability is a firmware-level (pre-OS) implant. Ecosystem context: LoJax (APT28, 2018), MosaicRegressor (2020), TrickBoot (2020), FinFisher (2021), ESPecter (2021), MoonBounce (APT41, 2022), CosmicStrand (2022), BlackLotus (2023, sold to cybercriminals on underground forums).

China confidence: high · 10 aliases
Sigma rules: 200 · YARA rules: 0 · Live IOCs: 0 · CVEs exploited: 0

Profile

CosmicStrand is the canonical name given by Kaspersky GReAT in its July 25, 2022 disclosure; Qihoo360 had analysed an early variant in 2017 under the Chinese-side name "Spy Shadow Trojan". It is a Chinese-speaking cluster whose defining capability is a UEFI firmware rootkit, in use since the end of 2016. That makes it one of the earliest in-the-wild UEFI rootkits known: its activity pre-dates LoJax (ESET, 2018), the first UEFI rootkit publicly documented in the wild, although CosmicStrand itself was not published until 2022.

Attribution to a Chinese-speaking actor is a strong indicator rather than a formal attribution, per Kaspersky GReAT, and rests on code overlaps with two Chinese-speaking malware families: (a) the MyKings (Smominru / DarkCloud) cryptocurrency botnet, for which Sophos documented Chinese-language artefacts; (b) the MoonBounce UEFI implant, disclosed by Kaspersky in January 2022 and attributed to the China-linked Winnti / APT41 cluster (apt41_wickedpanda, curated separately). The MoonBounce overlap suggests a connection to the Chinese state-aligned offensive-capability development ecosystem, but CosmicStrand is tracked as a cluster distinct from APT41.

Operational phases:
  (1) Operational emergence (end of 2016): earliest known in-the-wild deployment of the implant; CSMCORE DXE driver modification tradecraft already in place.
  (2) Qihoo360 "Spy Shadow Trojan" analysis (2017): first Chinese-side disclosure of an early variant, based on a victim running a second-hand ASUS motherboard; origin of the hardware supply-chain compromise hypothesis.
  (3) 2020 variant active period: second documented variant with its own C&C server.
  (4) Kaspersky GReAT canonical disclosure (July 25, 2022): comprehensive CosmicStrand analysis on Securelist.
  (5) Continued operations (2022-2026): limited public visibility after disclosure.

Signature operational tradecraft
  • UEFI firmware rootkit (cluster-defining): a 96.84 KB implant found in firmware images of Gigabyte and ASUS motherboards built on the Intel H81 chipset. Firmware is the first code to run at boot, so the implant executes before and below the operating system and every security control in it, and it persists across OS reinstallation and hard-drive replacement; only reflashing the SPI flash with a clean vendor image removes it.
  • Modified CSMCORE DXE driver: the signature firmware modification. CSMCORE is the Compatibility Support Module core driver that provides legacy (MBR) boot; its entry point is patched so that the implant's code runs during the DXE phase and can intercept the remainder of the boot sequence.
  • Kernel-level Windows implant via boot-chain hijack: the goal of the chain is to tamper with the Windows loading process so that a kernel-level implant is deployed on every boot. From that position it launches shellcode that connects to a remote C&C server and fetches the actual malicious payload.
  • PatchGuard disable attempt: the kernel-level component was observed trying to disable Windows PatchGuard (Kernel Patch Protection), which would otherwise bugcheck the system when kernel structures are hooked.
  • Local Administrators account creation: a user-mode sample was observed creating a user account and adding it to the local Administrators group.
  • Two variants (2016-2017 and 2020), each with its own C&C server, showing sustained operation across several years.
  • Narrow hardware targeting (Gigabyte and ASUS, H81 chipset): the overlap points to either a vulnerability common to H81 designs or a supply-chain vector specific to them.
  • Hardware supply-chain compromise hypothesis: per Qihoo360's 2017 analysis, a backdoored second-hand motherboard obtained from a reseller. Alternative hypothesis: an automated firmware patcher that requires physical access or a precursor implant on the board.
  • Mixed-geography private-individual victims: China, Vietnam, Iran and Russia; no organisational ties or industry vertical identified, which is unusual for an APT cluster.
  • MyKings (Smominru / DarkCloud) cryptomining botnet code overlap: attribution indicator and a possible link to the cryptocurrency-mining ecosystem.
  • MoonBounce code overlap: attribution indicator suggesting Winnti / APT41 adjacency without direct cluster identity overlap.
In the curated corpus the cluster fills the UEFI firmware rootkit specialist cell as the 35th China-attributed cluster, distinct from the other 34 through its firmware-level (pre-OS) implant capability. It is among the earliest documented in-the-wild UEFI rootkits (2016 onwards) within the wider ecosystem: LoJax (APT28, 2018), MosaicRegressor (2020), TrickBoot (2020), FinFisher (2021), ESPecter (2021), MoonBounce (APT41, 2022), CosmicStrand (2022), BlackLotus (2023).
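The tradecraft above comes down to one observable a defender can check without trusting the running OS: a DXE module in the SPI flash (CSMCORE in this case) no longer matches the vendor's firmware image. The following is an added example, not code from Kaspersky, Qihoo360 or the threatengine.sh corpus: a minimal UEFI firmware-volume walker that inventories the FFS files of an image by GUID and SHA-256, then diffs a dumped image against a trusted vendor image. It handles only plain FFSv2 volumes with standard 24-byte file headers (nested volumes, large files and compressed sections are left to UEFITool or chipsec). Both images and the module GUIDs are constructed inline for the demo; the "CSM" GUID is a placeholder, not the real CSMCORE module identifier.

```python
# Added example (not Kaspersky's or the corpus's code): inventory the FFSv2
# files of a UEFI image by GUID + SHA-256 and diff a dumped SPI image against
# the vendor image. A CosmicStrand-style CSMCORE patch shows up as "modified".
# Not handled: nested volumes, large files, compressed sections. Python 3.8+.
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"                       # sits at offset 40 of the FV header
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"           # EFI_FIRMWARE_VOLUME_HEADER to Revision
FV_HEADER_SIZE = struct.calcsize(FV_HEADER_FMT)   # 56; block map follows
FFS_HEADER_SIZE = 24                         # EFI_FFS_FILE_HEADER
FFS_TYPE_DRIVER, FFS_TYPE_PAD = 0x07, 0xF0   # EFI_FV_FILETYPE_DRIVER / _FFS_PAD


def find_volumes(image):
    """Yield (offset, fv_length, header_length) for each plausible volume."""
    pos = 0
    while (sig := image.find(FV_SIGNATURE, pos)) >= 0:
        start = sig - 40
        pos = sig + len(FV_SIGNATURE)        # default: treat as a false hit
        if start >= 0 and start + FV_HEADER_SIZE <= len(image):
            f = struct.unpack_from(FV_HEADER_FMT, image, start)
            fv_len, hdr_len = f[2], f[5]
            if FV_HEADER_SIZE <= hdr_len <= fv_len <= len(image) - start:
                yield start, fv_len, hdr_len
                pos = start + fv_len         # skip the whole volume


def walk_files(image, fv_off, fv_len, hdr_len):
    """Yield (guid, type, sha256) for every non-pad FFS file in one volume."""
    pos, end = fv_off + hdr_len, fv_off + fv_len
    while pos + FFS_HEADER_SIZE <= end:
        hdr = image[pos:pos + FFS_HEADER_SIZE]
        size = int.from_bytes(hdr[20:23], "little")   # 24-bit size incl. header
        if hdr == b"\xff" * FFS_HEADER_SIZE or size < FFS_HEADER_SIZE or pos + size > end:
            break                            # erased free space or corrupt header
        if hdr[18] != FFS_TYPE_PAD:          # byte 18 = Type
            guid = str(uuid.UUID(bytes_le=hdr[:16])).upper()
            digest = hashlib.sha256(image[pos + FFS_HEADER_SIZE:pos + size]).hexdigest()
            yield guid, hdr[18], digest
        pos = (pos + size + 7) & ~7          # FFS files are 8-byte aligned


def inventory(image):
    """GUID -> (type, sha256) across all volumes; duplicate GUIDs overwrite."""
    return {guid: (ftype, digest)
            for off, length, hdr_len in find_volumes(image)
            for guid, ftype, digest in walk_files(image, off, length, hdr_len)}


def diff_images(trusted, dumped):
    """GUIDs whose content changed, vanished or appeared relative to the vendor image."""
    base, cur = inventory(trusted), inventory(dumped)
    return {"modified": sorted(g for g in base if g in cur and base[g] != cur[g]),
            "missing": sorted(g for g in base if g not in cur),
            "added": sorted(g for g in cur if g not in base)}


def build_volume(files):
    """Constructed FFSv2 volume for the demo; not a real vendor image."""
    body = b""
    for guid, ftype, data in files:
        body += b"\xff" * (-len(body) % 8)    # align next file to 8 bytes
        hdr = bytearray(uuid.UUID(guid).bytes_le) + b"\0\0" + bytes([ftype, 0])
        hdr += (FFS_HEADER_SIZE + len(data)).to_bytes(3, "little") + b"\0"
        hdr[16] = (-sum(hdr)) & 0xFF          # header checksum (State/File cs as 0)
        hdr[17], hdr[23] = 0xAA, 0xF8         # fixed file checksum, DATA_VALID state
        body += bytes(hdr) + data
    hdr_len = FV_HEADER_SIZE + 16             # one block-map entry + terminator
    fv_len = hdr_len + len(body) + 64         # plus erased (0xFF) free space
    fv = struct.pack(FV_HEADER_FMT, bytes(16),
                     uuid.UUID("8C8CE578-8A3D-4F1C-9935-896185C32DD3").bytes_le,  # FFSv2
                     fv_len, FV_SIGNATURE, 0x0004FEFF, hdr_len, 0, 0, 0, 2)
    fv += struct.pack("<IIII", 1, fv_len, 0, 0) + body
    return fv + b"\xff" * (fv_len - len(fv))


# Placeholder GUIDs, constructed for the demo; "CSM" stands in for CSMCORE.
CSM_GUID = "11111111-1111-4111-8111-111111111111"
OTHER_GUID = "22222222-2222-4222-8222-222222222222"
EXTRA_GUID = "44444444-4444-4444-8444-444444444444"


def demo():
    """Vendor image vs. a dump whose CSM driver was patched and a driver added."""
    clean = b"csm core entry point" * 4
    trusted = build_volume([(CSM_GUID, FFS_TYPE_DRIVER, clean),
                            (OTHER_GUID, FFS_TYPE_DRIVER, b"unrelated dxe" * 3),
                            ("00000000-0000-0000-0000-000000000000", FFS_TYPE_PAD, b"\xff" * 5)])
    dumped = build_volume([(CSM_GUID, FFS_TYPE_DRIVER, clean + b"\xe9 jmp .reloc"),
                           (OTHER_GUID, FFS_TYPE_DRIVER, b"unrelated dxe" * 3),
                           (EXTRA_GUID, FFS_TYPE_DRIVER, b"driver absent from vendor image")])
    return diff_images(trusted, dumped)


if __name__ == "__main__":
    print(demo())   # modified: [CSM_GUID], missing: [], added: [EXTRA_GUID]
```

In practice the dumped image comes from `chipsec_util spi dump rom.bin` or a hardware programmer on the SPI flash, and the trusted image from the vendor's download for the exact board revision; a "modified" result on a module such as CSMCORE is the kind of finding a CosmicStrand-style patch produces, and the patched entry point is then confirmed by disassembling that module. Cross-check the walker's inventory against UEFITool before acting on it, since a vendor image that differs only in NVRAM or a legitimately updated module will also show differences.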

Aliases

10
cosmicstrand, cosmic strand, cosmic_strand, spy_shadow_trojan, spy shadow trojan, spy shadow, cosmicstrand_uefi, cosmicstrand_rootkit, cosmicstrand uefi rootkit, uefi firmware rootkit china

Notable Campaigns

8
  • 2022-2026 · Continued Operations Through 2022-2026
  • 2022 · Kaspersky GReAT Canonical Disclosure (July 25, 2022)
  • 2020 · CosmicStrand 2020 Variant Active Period
  • 2018-2023 · UEFI Rootkit Ecosystem Contextual Disclosure History (2018-2023)
  • 2017-Present · Hardware Supply Chain Compromise Hypothesis
  • 2017 · Qihoo360 First Analysis, Spy Shadow Trojan (2017)
  • 2016-2022 · Code Overlap Attribution Signature (MyKings + MoonBounce)
  • 2016 · CosmicStrand Operational Emergence (End of 2016)

Attribution & Reporting

Attributed by
  • Kaspersky GReAT (canonical July 25, 2022 disclosure)
  • Mark Lechtik (former Kaspersky reverse engineer, subsequently Mandiant; CosmicStrand research contributor)
  • Qihoo360 (Chinese cybersecurity vendor; original 2017 Spy Shadow Trojan analysis)
  • Sophos (MyKings cryptomining botnet Chinese-language artefacts; attribution context)
  • Mandiant / Google Threat Intelligence Group
  • Microsoft Threat Intelligence Center
  • ESET (broader UEFI rootkit ecosystem tracking)
  • Trend Micro
  • Sophos X-Ops
  • CrowdStrike
  • SentinelOne / SentinelLabs
  • Recorded Future
  • Symantec / Broadcom Threat Hunter Team
Key reporting
  • Kaspersky GReAT: CosmicStrand, the discovery of a sophisticated UEFI firmware rootkit (Securelist, July 25, 2022); canonical CosmicStrand disclosure
  • Qihoo360: Spy Shadow Trojan analysis (Chinese, 2017); first disclosure of an early CosmicStrand variant
  • Sophos (X-Ops): MyKings botnet Chinese-language artefacts; attribution context
  • Mark Lechtik (former Kaspersky reverse engineer, subsequently Mandiant): CosmicStrand research and CSMCORE DXE driver modification analysis
  • ESET / WeLiveSecurity: CosmicStrand UEFI firmware rootkit contextual coverage (July 2022)
  • BleepingComputer (Ionut Ilascu): CosmicStrand UEFI malware found in Gigabyte, Asus motherboards (July 26, 2022)
  • The Hacker News: Experts Uncover New CosmicStrand UEFI Firmware Rootkit Used by Chinese Hackers (July 25, 2022)
  • SecurityWeek: Chinese UEFI Rootkit Found on Gigabyte and Asus Motherboards (July 26, 2022)
  • Microsoft Threat Intelligence Center: CosmicStrand operational context
  • Mandiant / Google Threat Intelligence Group: CosmicStrand UEFI ecosystem tracking
  • Trend Micro: CosmicStrand contextual analysis
  • Sophos X-Ops: CosmicStrand operational profile
  • SentinelLabs: CosmicStrand kernel-rootkit analysis
  • Recorded Future: Chinese-speaking UEFI rootkit cluster tracking
  • Malpedia actor profile: CosmicStrand

Operational

State sponsor

Chinese-speaking threat actor. China attribution is at strong-indicator level per Kaspersky GReAT's July 25, 2022 disclosure, which attributes the implant to "an unknown Chinese-speaking threat actor" rather than to a named cluster. The corpus rates the attribution high-confidence on the following basis:

(a) Code overlaps with the MyKings (Smominru / DarkCloud) cryptomining botnet. The Hacker News summarised the Kaspersky finding as follows: "Kaspersky's attribution to a Chinese-speaking threat actor stems from code overlaps between CosmicStrand and other malware such as the MyKings (aka Smominru and DarkCloud) cryptocurrency botnet and MoonBounce, with the former characterized as a 'relentless' malware featuring an extensive infrastructure comprising bootkits, coin miners, droppers, and clipboard stealers, among others." MyKings is a well-documented Chinese-speaking cybercrime operation; per the Sophos analysis cited by BleepingComputer, Chinese-language artefacts in MyKings provided the attribution basis that the code overlap extends to CosmicStrand.

(b) Code overlaps with MoonBounce, the Winnti / APT41-adjacent UEFI implant discovered by Kaspersky in January 2022 and attributed to the China-linked APT41 / Winnti cluster. Per The Hacker News: "CosmicStrand, a mere 96.84KB file, is also the second strain of UEFI rootkit to be discovered this year after MoonBounce in January 2022, which was deployed as part of a targeted espionage campaign by the China-linked advanced persistent threat group known as Winnti (aka APT41)." The overlap suggests a connection to the Chinese state-aligned offensive-capability development ecosystem, but CosmicStrand is tracked as distinct from APT41 (apt41_wickedpanda is curated separately in this corpus).

(c) Qihoo360's 2017 analysis (Chinese cybersecurity vendor). Per BleepingComputer: "an earlier variant of the threat was discovered by malware analysts at Qihoo360, who named it Spy Shadow Trojan." Per The Hacker News' coverage of the Kaspersky report: "Chinese cybersecurity vendor Qihoo360, which shed light on the early version of the rootkit in 2017, raised the possibility that the code modifications may have been the result of a backdoored motherboard obtained from a second-hand reseller." That Chinese-language analysis is the earliest documentation of a CosmicStrand variant.

(d) Victim geography. Per Kaspersky, identified victims are private individuals in China, Vietnam, Iran and Russia. The mixed geography, China included, complicates a straightforward state-sponsorship reading and is consistent with (i) a cybercrime operation sharing code with a state-aligned family (MoonBounce), (ii) state-aligned capability development with limited deployment against selected individuals, or (iii) Chinese-speaking criminal tooling repurposed by state-aligned actors.

(e) Sustained operation since 2016 with sophisticated UEFI tradecraft. Per Kaspersky: "the most striking aspect [...] is that this UEFI implant seems to have been used in the wild since the end of 2016 long before UEFI attacks started being publicly described." That period pre-dates most publicly disclosed in-the-wild UEFI attacks and places CosmicStrand among the earliest documented.

Per Kaspersky, two variants were identified: one used between the end of 2016 and mid-2017, and a later one active in 2020. The engineering required at both firmware and kernel level is consistent with a well-resourced offensive programme. Operational classification: Chinese-speaking threat actor with a lineage hypothesis to the MyKings cybercrime ecosystem and a code-overlap adjacency to the MoonBounce / Winnti / APT41 UEFI capability.

In this corpus the cluster fills the UEFI firmware rootkit specialist cell as the 35th China-attributed cluster, distinct from the others through its firmware-level specialisation, and is one of the earliest documented in-the-wild UEFI rootkits (2016 onwards), alongside MoonBounce (APT41-attributed, Kaspersky January 2022), MosaicRegressor (Kaspersky October 2020, Winnti-adjacent), LoJax (ESET 2018, attributed to Russia's APT28), ESPecter (ESET 2021), BlackLotus (sold to cybercriminals, analysed 2023), TrickBoot (TrickBot developers, 2020) and the FinFisher UEFI bootkit (Gamma Group commercial surveillance, 2021).

Motivations
chinese_speaking_threat_actor_offensive_cyber_capability_development, uefi_firmware_persistence_long_term_access, hard_drive_replacement_resistant_persistence, operating_system_reinstall_resistant_persistence, private_individual_targeting_intelligence_collection, cryptocurrency_botnet_adjacent_operations_potential, second_hand_motherboard_supply_chain_compromise_hypothesis
Sectors
Regions

Detection Blind Spots

60 techniques
Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.
Behavioral / log (Sigma): 54/60 · 90%
Analytics (MITRE CAR): 29/60 · 48%
Runtime / container (Falco): 8/60 · 13%
File / malware (YARA): 0/60 · 0%
Network (Suricata/Snort): 14/60 · 23%
Vuln scan (Nuclei): 0/60 · 0%
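The Sigma layer above is where the user-mode behaviours in the profile become visible, and the one most likely to fire in an environment without firmware telemetry is the local Administrators account creation. The following is an added example, not a rule from the corpus or from any vendor, of that correlation run over Windows Security log events: an account-creation event (4720) followed within a short window by the same SID being added to BUILTIN\Administrators (4732). The events are constructed newline-delimited JSON with the real Security EventData field names; the 30-minute window and the hostnames are assumptions for the demo.

```python
# Added example (not from the corpus or any vendor): correlate Windows Security
# events 4720 (account created) and 4732 (member added to a security-enabled
# local group) to flag a freshly created account that lands in the local
# Administrators group, the user-mode behaviour noted in the CosmicStrand profile.
# Field names follow the Security log EventData; the sample log is constructed.
import json
from datetime import datetime, timedelta

BUILTIN_ADMINS_SID = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def new_local_admins(events, window=timedelta(minutes=30)):
    """Accounts created (4720) and added to Administrators (4732) within `window`."""
    created = {}                       # TargetSid -> (time, account name, creator)
    hits = []
    for ev in sorted(events, key=_ts):
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = (_ts(ev), ev["TargetUserName"], ev["SubjectUserName"])
        elif ev["EventID"] == 4732 and ev["TargetSid"] == BUILTIN_ADMINS_SID:
            seen = created.get(ev["MemberSid"])   # 4732 carries the member's SID, not name
            if seen and _ts(ev) - seen[0] <= window:
                hits.append({"account": seen[1], "sid": ev["MemberSid"],
                             "created_by": seen[2], "elevated_by": ev["SubjectUserName"],
                             "host": ev["Computer"],
                             "seconds_between": (_ts(ev) - seen[0]).total_seconds()})
    return hits


# Constructed sample: one suspicious create-then-elevate pair from SYSTEM, one
# pre-existing account added to Administrators by helpdesk (no 4720 in window),
# and one new account added only to Users (S-1-5-32-545), which must not fire.
SAMPLE_LOG = """\
{"TimeCreated": "2024-03-02T03:11:58", "EventID": 4732, "Computer": "WS01", "SubjectUserName": "helpdesk", "TargetSid": "S-1-5-32-544", "MemberSid": "S-1-5-21-100-200-300-1001", "MemberName": "-"}
{"TimeCreated": "2024-03-02T03:12:01", "EventID": 4720, "Computer": "WS01", "SubjectUserName": "SYSTEM", "TargetUserName": "svc_update", "TargetSid": "S-1-5-21-100-200-300-1105"}
{"TimeCreated": "2024-03-02T03:12:03", "EventID": 4732, "Computer": "WS01", "SubjectUserName": "SYSTEM", "TargetSid": "S-1-5-32-544", "MemberSid": "S-1-5-21-100-200-300-1105", "MemberName": "-"}
{"TimeCreated": "2024-03-02T09:40:10", "EventID": 4720, "Computer": "WS01", "SubjectUserName": "helpdesk", "TargetUserName": "j.doe", "TargetSid": "S-1-5-21-100-200-300-1106"}
{"TimeCreated": "2024-03-02T09:41:00", "EventID": 4732, "Computer": "WS01", "SubjectUserName": "helpdesk", "TargetSid": "S-1-5-32-545", "MemberSid": "S-1-5-21-100-200-300-1106", "MemberName": "-"}
"""


def parse_ndjson(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def demo():
    """Run the correlation over the constructed sample; expects exactly one hit."""
    return new_local_admins(parse_ndjson(SAMPLE_LOG))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Keying on SIDs rather than names matters because 4732 frequently logs MemberName as "-", and because a renamed account keeps its SID. A firmware-resident implant that creates the account from a kernel-launched process will typically show SYSTEM as the subject, so the subject name is worth surfacing in the alert even though the rule does not filter on it.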

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor's mapped techniques, for validating detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
  • Modified CSMCORE DXE driver
  • MoonBounce UEFI implant code overlap
  • MyKings (Smominru / DarkCloud) botnet code overlap
  • Second-hand backdoored motherboard supply-chain hypothesis
  • Spy Shadow Trojan 2017 variant
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin