Shakti Trojan – latest malware revealed

New Trojan found – Shakti modifies Windows settings to steal files

Perspective Risk’s Cyber Security expert Sasha Raljic explores Shakti – a Trojan threat, in this blog post.

Shakti is a data exfiltration Trojan. It emerged a few days ago when it was sent to by one of their readers. On closer inspection, it was discovered that this type of Trojan searches for particular file types on the victim’s computer and uploads them to a central server.

Trojan Horse

There are many indications that this Trojan was developed for industrial espionage; however, according to Malwarebytes (who performed deep technical analysis on Shakti), it is not sophisticated enough to be state sponsored. Instead, it seems to be developed by either an individual or a group of people who understand the basic concepts of malware development.

This article aims to provide a high-level overview of the malicious file and the actions it takes to remain invisible while harvesting potentially sensitive data and sending them to a command & control server.

Malware Infection and Persistence

Upon initial infection, the malware configures itself to start automatically by modifying Windows settings. It either installs itself as a Windows service or adds a registry key that auto-runs it every time the infected computer starts.

To disguise itself, it injects its code into a running process. The technical analysis shows that it tends to pick one of the browser processes, such as Firefox or Google Chrome, so that it does not appear as a separate entry in the Windows process list.

One interesting behaviour is that it does not attempt to move the original files to a new location; the original executable is left where it was dropped. This further indicates that the malware is either unsophisticated or was released prematurely.

Malware Network activity

Once the initial stage has been completed, the malicious executable begins basic operating system detection. This information is then transmitted to the command & control server (C&C) alongside the list of installed programs on the infected operating system.

The C&C server resolves to This address did host a website which it was loading using an Iframe, making it appear like a trusted website; however, at the time of writing, no content is hosted at this address.

Malware Data exfiltration

The information that the malware transmits is as follows:

  • User name
  • Version of Windows
  • Service Pack
  • Computer name

Windows version detection is rather detailed and individual versions are hard-coded into the malware. The following screenshot demonstrates some of the Windows versions capable of being detected.

Windows versions capable of detection

The full list lacks version detection for Windows 8, 8.1 and 10. This could confirm the initial assumption that the malware was designed back in 2012, as Windows 8 was not released until October 2012. Furthermore, the compilation stamps on several DLL files point back to February 2012.

The C&C server is registered in India, as seen from the screenshot below:

C&C server registered in India

Once the initial host information is sent to the server, the malicious code will start uploading files that have specific extensions:

  Extension   Description
              Up to Microsoft Office 2007 (Word)
              Microsoft Office 2007 and later (Word)
              Up to Microsoft Office 2007 (PowerPoint)
              Microsoft Office 2007 and later (PowerPoint)
              Up to Microsoft Office 2007 (Excel)
              Microsoft Office 2007 and later (Excel)
              Plain text files
              Rich Text Format
              Database dumps
              InPage word processor for Arabic and Urdu languages
              Portable Document Format

If and when a file of one of these types is detected, it is uploaded to the C&C server located on the

A full log of uploaded files along with file paths is stored in C:\Users\[username]\uninst.dll. File permissions have been changed to prevent users from opening this file; however, it is possible to mount the Windows partition and inspect this file using an operating system booted from a flash drive.


Anti-virus Detection

At the time of writing, 37 out of 53 antivirus products successfully detect this malware; however, only 4 products successfully identify it as Shakti.

AV Product Detection Result
ALYac Trojan.GenericKD.3441125
AVG Generic37.CLGV
AVware Trojan.Win32.Generic!BT
Ad-Aware Trojan.GenericKD.3441125
AegisLab Troj.W32.Generic!c
AhnLab-V3 Trojan/Win32.Agent.N81
Antiy-AVL Trojan[:HEUR]/Win32.AGeneric
Arcabit Trojan.Generic.D3481E5
Baidu Win32.Trojan.WisdomEyes.151026.9950.9999
BitDefender Trojan.GenericKD.3441125
CAT-QuickHeal Trojan.Shakti
Cyren W32/Trojan.JSUY-8015
DrWeb Trojan.DownLoad3.43078
ESET-NOD32 Win32/Spy.Agent.OYE
Emsisoft Trojan-Spy.Win32.Infostealer (A)
F-Secure Trojan.GenericKD.3441125
Fortinet PossibleThreat
GData Trojan.GenericKD.3441125
Ikarus Trojan-Dropper.Win32.Dorifel
Jiangmin Trojan.Generic.agmkl
K7AntiVirus Riskware ( 0040eff71 )
K7GW Riskware ( 0040eff71 )
Kaspersky HEUR:Trojan.Win32.Generic
Malwarebytes Trojan.Downloader
McAfee RDN/Generic.grp
eScan Trojan.GenericKD.3441125
Microsoft TrojanSpy:Win32/Skeeyah.A!rfn
NANO-Antivirus Trojan.Win32.DownLoad3.efbfni
Panda Trj/CI.A
Sophos Troj/Agent-ASZJ
Symantec Trojan.Gen
TrendMicro-HouseCall TROJ_SHAKTI.A
VIPRE Trojan.Win32.Generic!BT
ViRobot Trojan.Win32.Shakti.164698[h]
Zillya Trojan.GenericKD.Win32.17311
Alibaba Trojan.GenericKD.3441125
Avira (no cloud) NO DETECTION

Checking for Malware Presence

If you suspect that you have been infected with this malware, there are a couple of things you can do to confirm your suspicions. Having up-to-date antivirus signatures is crucial, as the detection rate is improving on a daily basis.

The malicious executable has a number of files associated with it. If these files, registry keys and network connections are present on your computer, there is a high probability that you have been infected; however, further investigation and professional advice would be required to rule out false positives.

The following table summarises files, registry keys, network connection and executable hash sums associated with this malware:

  Description                Value
  Malware executable name    Aug_1st_java.exe (this can be changed easily)
  Associated file            %UserProfile%\uninst.dll (contains logs of uploaded files)
  Registry key               HKCU\Software\Microsoft\Windows\CurrentVersion\Run\igfxtray [path\to\trojan.exe]
  Network connections
  Hash sum (SHA256)          d6d64c61dada8b5ccfa970356057a6c2c7697f084922744c5a2e29aff079647b
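
As an added example that is not part of the original post, the following PowerShell script checks a host for the indicators in the table above: the igfxtray Run value, the uninst.dll upload log in the user profile, and the SHA256 of the executable the Run value points to. The function and variable names are my own; the script only reads and reports, it does not remove anything.

```powershell
# Added example: read-only check for the Shakti indicators listed on this page.
$KnownSha256 = 'd6d64c61dada8b5ccfa970356057a6c2c7697f084922744c5a2e29aff079647b'

function Test-ShaktiIndicators {
    $findings = @()

    # 1. Persistence: a Run value named "igfxtray" under HKCU (see the table above).
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['igfxtray']) {
        $target = $run.igfxtray
        $findings += "Run value 'igfxtray' present -> $target"
        # Strip surrounding quotes or trailing arguments to get the executable path.
        $exe = ($target -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        if (Test-Path -LiteralPath $exe) {
            $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash.ToLower()
            if ($hash -eq $KnownSha256) {
                $findings += "SHA256 match: $exe is the known Shakti sample"
            } else {
                $findings += "SHA256 of $exe ($hash) differs from the known sample; investigate"
            }
        }
    }

    # 2. Upload log: %UserProfile%\uninst.dll, whose ACL the Trojan alters to block reading.
    $log = Join-Path $env:UserProfile 'uninst.dll'
    if (Test-Path -LiteralPath $log) {
        $findings += "Upload log present: $log"
        try { Get-Content -LiteralPath $log -ErrorAction Stop | Out-Null }
        catch { $findings += "Cannot read $log (permissions altered, consistent with Shakti)" }
    }

    # 3. Shakti injects into browser processes; list them as candidates for memory triage.
    $browsers = Get-Process -Name firefox, chrome -ErrorAction SilentlyContinue
    if ($browsers) {
        $findings += 'Browser processes to inspect for injected code (PIDs): ' +
            (($browsers | Select-Object -ExpandProperty Id) -join ', ')
    }

    return $findings
}

$result = Test-ShaktiIndicators
if ($result.Count -eq 0) { 'No Shakti indicators found.' } else { $result }
```

A hit on a single indicator is not proof of infection; as the text notes, confirm with an up-to-date scanner before acting on it.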

Malware Detection Delay

If this malware was designed back in 2012, why has it remained undetected for over 4 years, especially as it is not sophisticated? In 2014, a generic Trojan downloader was described that performs similar functions. It communicates with a domain name registered to the same person as the one used for the Shakti C&C ( It also uses the http://domain_name/external/update URL to download and upload the relevant files.

Apart from this information, no other useful information is revealed about this malware. While this does not prove that Shakti was detected back in 2014, this is certainly a strong indicator.

It is possible that Shakti was created for small operations and corporate espionage, meaning that it consistently remained under the radar.

Shakti Trojan Malware Conclusion

The risk of infection is no greater or lower than being infected with any other malware. Apart from stealing certain documents, this malware does not perform any other actions. For example, it does not contain any cryptolocker properties, where it would hold files at ransom, nor does it record key strokes.

Deep technical analysis has been performed by Malwarebytes Labs explaining the individual components that make up Shakti. Disassembled code snippets are also available further describing actions that Shakti undertakes during and after the infection phase.

The best way to mitigate the risk of infection is to have an up-to-date anti-virus solution. Caution when opening and running files that originate from external sources still applies.

References – Shakti Trojan

New Information Stealing Trojan Steals and Uploads Corporate Files (Bleeping Computer)

Shakti Trojan: Document Thief (Malwarebytes Labs)

Shakti Trojan: Technical Analysis (Malwarebytes Labs)

Shakti Deepviz Analysis (Deepviz)

Virus Total Anti-virus detection (Virus Total)