In December 2024, Thai government officials became targets of a new campaign involving malware known as Yokai. The malware employs DLL side-loading techniques to infiltrate systems and gain unauthorized access to sensitive information.
The attack begins with a RAR archive containing Windows shortcut files disguised as official documents from the U.S. Department of Justice. When executed, these files deploy the Yokai backdoor, which establishes persistence on the host system and connects to a command-and-control server. This connection allows attackers to execute shell commands remotely, posing a significant threat to the confidentiality and integrity of governmental data.
Contextal Platform was designed from the ground up to proactively combat threats like these. Upon its initial release in November 2024, it included a recommended set of detection scenarios, which the company actively updates.
One such scenario, designed to analyze and block suspicious shortcut files, has been proactively detecting the droppers used by Yokai.
The effectiveness of Contextal Platform in identifying the Yokai malware underscores the critical role of a contextual approach and future-proof design.
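To make the idea of a "suspicious shortcut" scenario concrete, here is an added example written for this page; it is not Contextal's code and not taken from the ThaiCERT report. It parses the header and StringData sections of a Windows .lnk file (the public MS-SHLLINK layout) and applies a few defender-side heuristics: a document-like double extension, a target that invokes a command interpreter, a document-viewer icon on such a target, and a window forced to open minimised. The sample shortcuts, their file names, and the heuristic word lists are constructed assumptions, not artifacts from the Yokai campaign.

```python
"""Added example (not Contextal's code): triage of Windows .lnk shortcuts.

Parses the ShellLinkHeader and StringData sections of the MS-SHLLINK format
(header layout and LinkFlags bits follow the public spec) and applies simple
heuristics a defender can use to flag a shortcut dressed up as a document.
The sample shortcuts below are constructed here, not captured from Yokai.
"""
import struct

SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that opens the window minimised

# Heuristic lists (assumptions for this example, not a complete catalogue)
INTERPRETERS = ("cmd.exe", "powershell", "pwsh", "mshta", "rundll32",
                "regsvr32", "wscript", "cscript", "certutil")
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")
DOCUMENT_VIEWERS = ("acrobat", "acrord", "winword", "excel")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData strings of a .lnk blob."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if data[4:20] != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    out = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 0x4C
    if flags & HAS_TARGET_IDLIST:  # LinkTargetIDList: uint16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:      # LinkInfo: uint32 total size (self-inclusive)
        pos += struct.unpack_from("<I", data, pos)[0]
    # StringData appears in this fixed order, each as uint16 count + characters
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            out[key] = None
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return out


def triage_lnk(filename: str, data: bytes) -> list:
    """Return the reasons a shortcut looks like a disguised dropper ([] if none)."""
    info = parse_lnk(data)
    reasons = []
    stem = filename.lower()
    if stem.endswith(".lnk"):
        stem = stem[:-4]
    if stem.endswith(DOCUMENT_EXTS):
        reasons.append("double extension: shortcut named like a document")
    target = " ".join(s for s in (info["relative_path"], info["arguments"]) if s).lower()
    runs_interpreter = any(tool in target for tool in INTERPRETERS)
    if runs_interpreter:
        reasons.append("target or arguments invoke a command interpreter")
    icon = (info["icon_location"] or "").lower()
    if runs_interpreter and (icon.endswith(DOCUMENT_EXTS)
                             or any(app in icon for app in DOCUMENT_VIEWERS)):
        reasons.append("document-viewer icon on a shortcut that runs an interpreter")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window forced to open minimised")
    return reasons


def build_lnk(name=None, relative_path=None, working_dir=None, arguments=None,
              icon_location=None, show_command=1) -> bytes:
    """Assemble a minimal Unicode Shell Link (used only to construct samples)."""
    fields = [(HAS_NAME, name), (HAS_RELATIVE_PATH, relative_path),
              (HAS_WORKING_DIR, working_dir), (HAS_ARGUMENTS, arguments),
              (HAS_ICON_LOCATION, icon_location)]
    flags = IS_UNICODE | sum(f for f, s in fields if s is not None)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, SHELL_LINK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for _, s in fields if s is not None)
    return header + body


# Constructed samples: a shortcut posing as a PDF that actually runs cmd.exe,
# and an ordinary shortcut to a Word document.
SAMPLE_DROPPER = build_lnk(
    relative_path=r"..\..\..\Windows\System32\cmd.exe",
    arguments='/c start "" "Statement.pdf" & rundll32 loader.dll,Run',
    icon_location=r"%ProgramFiles%\Adobe\Acrobat\Acrobat.exe",
    show_command=SW_SHOWMINNOACTIVE)
SAMPLE_BENIGN = build_lnk(
    relative_path=r"..\Reports\Q4.docx",
    icon_location=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE")

if __name__ == "__main__":
    for fname, blob in (("DOJ_Notice.pdf.lnk", SAMPLE_DROPPER), ("Q4 Report.lnk", SAMPLE_BENIGN)):
        print(fname, "->", triage_lnk(fname, blob) or ["no findings"])
```

Running the script scores the constructed dropper on all four heuristics and the plain document shortcut on none. A production scenario would add context the shortcut alone lacks, such as whether it arrived inside an archive, what file name that archive carried, and whether the referenced DLL is known, which is the point of analysing the dropper in context rather than in isolation.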
For a detailed analysis of the Yokai malware and its implications, refer to the ThaiCERT report.