Hidden for 5 years, complex ‘TajMahal’ spyware discovered

April 24, 2019
Malware and Spyware Protection

From the Abyss

Researchers has recently unveil new form of sophisticated cyber espionage framework that has been active since at 2013,dubbed as the TajMahal named after one of its XML file used for exfiltration, and an unknown origin and crafter, Its modules and bundles functionality which have never been before seen in an advanced persistent threat (APT) and malware.

Key components

TajMahal include two main packages:

Tokyo  contains the main backdoor functionality, it represents the stage one of the infection and periodically connects with the command and control servers.

Yokohama is bigger; an encrypted virtual file system contains around 80 modules including plug-ins, libraries and configuration files.


  • Can steal browser(s) cookies
  • Unique toolkit
  • Take screenshots of the desktop and webcam, and use keylogging to steal usernames, passwords and other information
  • Take screenshots of information from burned CDs
  • Ability to intercept and steal information from printer queues
  • Grab previously seen index files to a reinstalled USB sticks
  • Registry values can reappear at startup, its name and type can change as well
  • Ability to take screenshots when recording audio from VoiceIP applications

Suspected offenders

There has been no known potential group identified as of yet, the only possible association is a Russian-linked hacking group called Fancy Bear (also known as APT28, Pawn Storm, Sofacy Group). Another group could also be the Russian-linked Turla/Uroboros Trojan also involved a backdoor known as TadjMakhal.

Targeted victim(s)

No known method of infection and has only been seen in the wild once a diplomatic entity from a country in Central Asia’, was found to be the lone victim, such an advance platform is highly unlikely targeting one victim, and potentially there are other more victims are yet to be found.

How can we be safe?

Zero day could be a thing of the past or at least reduced suggestively, only if we pay more attention to security patches that covers known vulnerabilities and software used by the entire organization, employ the use of network firewall, Malware and Spyware Protection, up- to- date AV software, enabled browser protection, website scanning, and use buffer overflows. Bear in mind to have a scheduled maintenance window before upgrading to a newer version of any software.


About the author

Leave a Reply