Thai Police Systems Targeted by ‘Yokai’ Backdoor Threat


Rising Cyber Threat: Unmasking the "Yokai" Backdoor Targeting Thai Government Officials

Unknown Hackers Unleash ‘Yokai’ Backdoor Targeting Thai Government Associates

In a striking development, cybersecurity researchers from Netskope have discovered a new malware strain dubbed "Yokai" that is specifically targeting individuals linked to Thailand’s government. This unwieldy backdoor, potentially named after mythical spirits from Japanese folklore or the haunting entities featured in the video game Phasmophobia, raises alarms regarding the safety of sensitive government communication.

The attack, which has been cleverly crafted, involves two shortcut files masquerading as .pdf and .docx documents claiming to be relevant to U.S. government business with Thailand. With titles like "United States Department of Justice.pdf," the bait documents reference a high-profile criminal case connected to Woravit "Kim" Mektrakarn, a fugitive linked to a decades-old disappearance case.

"The lures suggest they are aimed at Thai police," notes Nikhil Hegde, a senior engineer at Netskope. He suggests attackers may aim to infiltrate police systems. When unsuspecting victims open these deceptive documents, they inadvertently download a hidden malware payload through a chain of legitimate Windows operations, utilizing tools like "esentutl" to manipulate alternate data streams—an often-overlooked feature in Windows’ NTFS.
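A defender can hunt for the two traits described above in process-creation and file telemetry. The following is an added example, not code from Netskope or from the malware: it flags `esentutl` command lines whose arguments name an alternate data stream, and shortcut files named like documents. The sample events, the paths in them, and the `.pdf.lnk`/`.docx.lnk` naming pattern are assumptions constructed for illustration.

```python
import re

def tokens(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def stream_name(path):
    """Return the alternate data stream named in path ("file:stream"), or None."""
    rest = re.sub(r'^[A-Za-z]:', '', path)      # drop the drive letter's colon
    leaf = re.split(r'[\\/]', rest)[-1]          # final path component
    name, sep, stream = leaf.partition(':')
    return stream if name and sep and stream else None

def esentutl_ads(cmdline):
    """List (path, stream) pairs when esentutl is run against an ADS."""
    args = tokens(cmdline)
    if not args or not re.search(r'(^|[\\/])esentutl(\.exe)?$', args[0], re.I):
        return []
    return [(a, stream_name(a)) for a in args[1:] if stream_name(a)]

def is_lure_shortcut(filename):
    """True for a .lnk whose name shows a document extension first (assumed pattern)."""
    return re.search(r'\.(pdf|docx?)\.lnk$', filename, re.I) is not None

# Constructed process-creation command lines (not taken from the Netskope report).
SAMPLE_EVENTS = [
    r'"C:\Windows\System32\esentutl.exe" /y "C:\Users\u\Documents\file one.docx:stream1" /d C:\Users\u\out.bin /o',
    r'C:\Windows\System32\esentutl.exe /g C:\ProgramData\app\store.edb',   # benign integrity check
    r'esentutl /y C:\Temp\a.docx /d "C:\Temp\b.docx:hidden:$DATA" /o',
    r'C:\Windows\System32\notepad.exe C:\Temp\readme.txt:notes',           # ADS, but not esentutl
]

def triage(events):
    """Return (event_index, path, stream) for every esentutl ADS reference."""
    return [(i, p, s) for i, e in enumerate(events) for p, s in esentutl_ads(e)]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Drive-relative paths such as `C:file.txt` are not treated as streams, because the drive letter's colon is stripped before the final path component is inspected.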

Yokai itself calls home to a command-and-control server and can execute shell commands to steal sensitive data or deploy further malware. Notably, its coding exhibits both sophistication—such as structured command communication—and rough edges, including a tendency to rapidly self-replicate under certain conditions, which can severely hamper system performance.

In this alarming intersection of sophisticated cyber threats and governmental vulnerability, experts are urging increased vigilance and improved cybersecurity protocols for those associated with Thailand’s government.
