Key Takeaways
- Manjusaka implants were written in Rust for Windows and Linux systems. (Cisco Talos)
- Manjusaka is described as a post-exploitation framework with Command-and-Control (C2) capabilities, delivered via spear-phishing emails carrying COVID-themed documents. (Wilders Security)
Introduction
Cyber attackers are relying on post-exploitation frameworks to maintain access and control over compromised systems.
In recent years, attackers have used tools like Cobalt Strike extensively in real-world attacks. These tools allow attackers to execute commands and move laterally with ease. Once they gain broad access to an environment, exfiltrating data doesn’t take long.
Researchers have identified a new framework called Manjusaka. This framework seems to replicate many of these capabilities.
Let’s examine the framework, its features, and use in active campaigns.
Overview of the Manjusaka Framework
Researchers have disclosed a hacking framework called Manjusaka, which they describe as a “Chinese sibling of Sliver and Cobalt Strike.”
The framework appears to replicate capabilities similar to Cobalt Strike. Researchers reported that the implants are written in Rust and support both Windows and Linux environments.
“A fully functional version of the command and control (C2), written in Go with a user interface in Simplified Chinese, is freely available to download. It can generate new implants with custom configurations, increasing the likelihood of wider adoption by malicious actors,” reads the analysis published by Cisco Talos. “We have observed the same threat actor using both Cobalt Strike beacons and implants from the Manjusaka framework.”
Researchers uncovered campaigns leveraging phishing documents themed around the COVID-19 pandemic and the Haixi Mongol and Tibetan Autonomous Prefecture in Qinghai Province. These documents were weaponized to initiate the infection process and deploy Cobalt Strike beacons on compromised systems.
Similar to Sliver and Cobalt Strike, researchers believe that Manjusaka also has the potential to become a widely used post-exploitation tool.
Researchers state that the malware implant belongs to a RAT family called “Manjusaka.” The C2 server is written in Go, compiled as an ELF binary, and has been made available on GitHub at “hxxps://github[.]com/YDHCUI/manjusaka.”
The C2 server and admin panel are built using the Gin web framework. Through this panel, operators issue commands to Rust-based implants and stagers on compromised hosts.
The implants support multiple capabilities, including arbitrary command execution on infected systems. Researchers identified both EXE and ELF variants of the implant.
Below is a list of key features of the Manjusaka framework:
- Execute arbitrary commands
- Retrieve file information and metadata
- Collect browser credentials from major browsers such as Chrome, Edge, and Opera
- Collect Wi-Fi SSIDs and stored passwords
- Obtain Premiumsoft Navicat credentials
- Capture screenshots of the desktop and active windows
- Retrieve system information from the infected endpoint
- Remotely manage files on compromised systems
The attribution of this campaign to Chinese threat actors is based on the following evidence:
- The Rust-based implant does not use the standard crates.io library repository for dependency resolution. Instead, it is configured to use a mirror hosted by the University of Science and Technology of China (ustc[.]edu[.]cn).
- The malicious document contains information about the COVID-19 outbreak specific to Golmud City.
- Attackers use simplified Chinese across the C2 interface, including menus and options.
- OSINT analysis suggests that the author of this framework is based in the Guangdong region of China.
How the Attack Works
The attack is carried out using a structured execution flow. Let’s get into the details of that:
- The attacker sends a phishing document to the target, which is based on real-world events.
- The user opens the document, which triggers payload execution.
- The payload deploys a Cobalt Strike beacon or Manjusaka implant.
- Communication is established between the infected system and the C2 server.
- Operators issue commands to execute actions like credential access and file operations. The end goal is to gain control over the whole system.
Indicators of Compromise (IOCs)
- Unusual outbound connections to unknown or untrusted servers
- Unknown processes running from temp folders or user profile paths
- Unexpected commands executed on endpoints
- Attempts to access saved credentials from browsers or local system files
- Presence of unknown EXE or ELF files on systems
- Unusual use of system tools for file access or data collection
Detection and Mitigation Measures
- Watch for unusual commands being run and unexpected processes starting on endpoints
- Detect and investigate unusual outbound network connections
- Restrict execution of unknown binaries and scripts
- Enforce least privilege access across user accounts
- Deploy endpoint detection and response solutions with behavioral monitoring
- Enable logging across endpoints and review for suspicious patterns
- Conduct regular phishing awareness and simulation exercises
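As an added example (not from the article or from the Manjusaka project), a small Python triage routine that correlates the IOC categories listed above over constructed Sysmon-style records: execution from a temp or profile path, reads of browser credential stores, a Wi-Fi profile dump, and outbound connections to hosts outside an allow-list. The path and command patterns, the sample records and the allow-list are assumptions for the demo.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (Sysmon-like fields); not from the article or a real incident.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "parent": 900,
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "cmdline": "update.exe"},
    {"type": "process", "pid": 4121, "parent": 4120,
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh wlan show profile name=CorpWiFi key=clear"},
    {"type": "file", "pid": 4120,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "network", "pid": 4120, "dst": "203.0.113.45", "port": 443},
    {"type": "process", "pid": 5000, "parent": 900,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "cmdline": "firefox.exe"},
    {"type": "network", "pid": 5000, "dst": "198.51.100.10", "port": 443},
]

# Heuristics mirroring the article's IOC list; the exact patterns are assumptions for this demo.
STAGING_PATH = re.compile(r"(\\AppData\\Local\\Temp\\|\\Downloads\\|^/tmp/|^/dev/shm/)", re.I)
BROWSER_CREDS = re.compile(r"\\(Google\\Chrome|Microsoft\\Edge|Opera Software)\\.*Login Data$", re.I)
WIFI_DUMP = re.compile(r"netsh\s+wlan\s+show\s+profile.*key=clear", re.I)
KNOWN_DST = {"198.51.100.10"}  # constructed allow-list of expected destinations

def triage(events):
    """Group findings per root process; a child's findings roll up to its staged parent."""
    parent = {e["pid"]: e.get("parent") for e in events if e["type"] == "process"}
    staged = {e["pid"] for e in events if e["type"] == "process" and STAGING_PATH.search(e["image"])}
    def root(pid):  # walk up the tree until a process that ran from a staging path, else keep pid
        while pid not in staged and parent.get(pid) in parent:
            pid = parent[pid]
        return pid
    findings = defaultdict(set)
    for e in events:
        pid = root(e["pid"])
        if e["type"] == "process" and e["pid"] in staged:
            findings[pid].add("exec-from-staging-path")
        if e["type"] == "process" and WIFI_DUMP.search(e.get("cmdline", "")):
            findings[pid].add("wifi-password-dump")
        if e["type"] == "file" and BROWSER_CREDS.search(e["path"]):
            findings[pid].add("browser-credential-store-read")
        if e["type"] == "network" and e["dst"] not in KNOWN_DST:
            findings[pid].add("outbound-to-unlisted-host")
    return dict(findings)

def alerts(events, threshold=2):
    """PIDs whose rolled-up findings reach the threshold; single weak signals alone are noisy."""
    return sorted(pid for pid, f in triage(events).items() if len(f) >= threshold)
```

Requiring two or more distinct findings per process tree keeps a lone download-folder launch or a single unlisted connection from paging an analyst, while the combination the article describes is still caught.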
Conclusion
The Manjusaka framework shows how threat actors continue to build tools that mirror established post-exploitation platforms.
Once attackers gain access, these frameworks can be used to run commands, steal credentials, gather system data, and manage files remotely. This can quickly increase the impact of a compromise.
Similar frameworks are often used in phishing-based campaigns, highlighting the need for organizations to strengthen email security, improve endpoint visibility, and respond to incidents faster. SafeAeon delivers this through managed security services, monitoring, and user awareness programs.