Project Hyphae

Chinese “Cow Flower” C2 framework has the potential to migrate across the globe.


Cisco Talos has discovered a new attack framework being used in the wild. Known by its authors as “Manjusaka” (Simplified Chinese for ‘cow flower’), the framework is advertised as an imitation of the Cobalt Strike framework. The command and control framework is freely available and can generate new implants with custom configurations quickly and easily. These implants are written in the Rust language and can be used against Windows and Linux targets. Because of this, Talos Intelligence warns that this framework has the potential to be adopted by threat actors all over the world.

The observed malware implant, currently known as Manjusaka, is a Remote Access Trojan (RAT) written in GoLang. This malware is capable of executing arbitrary commands, pulling relevant system information, collecting information on network connections and remote IP addresses, collecting browser credentials and Wi-Fi SSID information, collecting database information and credentials, taking screenshots of the user’s screen and eventually activating the file management module to carry out malicious activities. These module activities can include file enumeration, collecting file information and details, creating new files and directories, modifying existing files and directories, and moving or deleting files and directories. This malware beacon communicates via HTTP requests to a fixed IP address (in Talos’ example incident, they discovered a copy of the C2 server binary hosted on GitHub) to generate a fixed session cookie, which is encoded with Base64. If the session cookie is not provided, the implant will receive a 302 code from the server, which redirects to http://micsoft[.]com, which in turn redirects the user to http://wwwmicsoft[.]com. At this time, it is believed that this redirection is a trick to misdirect investigators.
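The beacon behaviour described above can be hunted for in web proxy logs: HTTP requests to a bare IP address that either carry the same Base64 cookie value repeatedly or are answered with a 302 to one of the two redirect hosts. The following is an added example, not code from Talos or from this post; the record fields (`src`, `host`, `status`, `location`, `cookie`), the repeat threshold and the sample records are assumptions constructed for illustration.

```python
import base64
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Redirect hosts named in the article, kept defanged in source and refanged here.
DECOY_HOSTS = {h.replace("[.]", ".") for h in ("micsoft[.]com", "wwwmicsoft[.]com")}
MIN_REPEATS = 3  # assumed threshold for calling a cookie "fixed"

def parses(parser, value):
    """True if parser(value) succeeds; binascii.Error is a ValueError subclass."""
    try:
        parser(value)
        return True
    except ValueError:
        return False

def is_base64(value):
    return len(value) >= 16 and parses(lambda v: base64.b64decode(v, validate=True), value)

def hunt(records):
    """Return sorted (src, host, reason) findings for HTTP requests to bare IPs."""
    findings, cookies = set(), Counter()
    for r in records:
        if not parses(ipaddress.ip_address, r["host"]):
            continue  # only requests whose Host is an IP literal are of interest
        target = urlsplit(r.get("location") or "").hostname
        if r["status"] == 302 and target in DECOY_HOSTS:
            findings.add((r["src"], r["host"], "decoy-redirect"))
        value = (r.get("cookie") or "").partition("=")[2]  # text after "name="
        if is_base64(value):
            cookies[(r["src"], r["host"], value)] += 1
    findings |= {(s, h, "fixed-base64-cookie")
                 for (s, h, _), n in cookies.items() if n >= MIN_REPEATS}
    return sorted(findings)

def sample_records():
    """Constructed proxy records; 203.0.113.7 is a documentation address."""
    cookie = "sid=" + base64.b64encode(b"constructed-session-value").decode()
    beacon = {"src": "10.0.0.5", "host": "203.0.113.7", "status": 200, "cookie": cookie}
    return [beacon, beacon, beacon,
            {"src": "10.0.0.9", "host": "203.0.113.7", "status": 302,
             "location": "http://" + sorted(DECOY_HOSTS)[0]},
            {"src": "10.0.0.7", "host": "intranet.example", "status": 200, "cookie": cookie},
            {"src": "10.0.0.8", "host": "198.51.100.9", "status": 200, "cookie": "lang=en"}]

if __name__ == "__main__":
    print(hunt(sample_records()))
```

A 302 to the redirect hosts means a client reached the server without the expected cookie, so that finding can come from a scanner or an analyst as well as from an infected host.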

To read the full Cisco Talos notification on Manjusaka, including details of the Indicators of Compromise, capabilities, user interface details, COVID-related malicious lure documents, and details of the campaign that led to the discovery of this framework, please visit their blog entry at:
