Today we want to tell you about the DropboxAES trojan used by the APT31 group in cyber espionage campaigns and also give a link to the Community Sigma rule to detect this malware.

In general, DropboxAES does not stand out from the rest of the remote access trojan. This is a relatively new tool in the arsenal of APT31 (also known as BRONZE VINEWOOD). The malware owes its name to the usage of the Dropbox file-sharing service for its command and control communications. The APT31 group previously deployed the trojan with HanaLoader malware, but more about that in our next blog posts. The loader uses the DLL Search Order Hijacking technique to execute the final payload. DropboxAES RAT allows adversaries to upload files from the infected host to the C&C server, download files from the C&C server to the infected host, execute commands on the infected host via a non-interactive command-line based reverse shell, upload basic system information about the compromised host to the C&C server, and completely remove itself from the infected system.

Researchers discovered the trojan in a campaign targeted at legal, consulting, and software development organizations. They believe that attackers are interested in government or defense supply chains. 

APT31 as a Chinese threat actor specialized in intellectual property theft, focusing on data and projects that make a particular organization competitive in its field. 

Ariel Millahuel released new threat hunting rule that uncovers the presence of this persistent malware in organization’s network:


The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, ELK Stack, RSA NetWitness, Sumo Logic, Graylog, Humio, LogPoint

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint



Tactics: Persistence

Techniques: Registry Run Keys / Startup Folder (T1060)

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts

Blog, Latest Threats — 6 min read
Execution Tactic | TA0002
Daryna Olyniychuk
Blog, Latest Threats — 2 min read
PyVil RAT by Evilnum Group
Eugene Tkachenko
Blog, Latest Threats — 2 min read
Eugene Tkachenko