Operation Jacana Reveals DinodasRAT Custom Backdoor

The previously undocumented data exfiltration malware was part of a successful cyber-espionage campaign against the Guyanese government, likely by the Chinese.

A fresh malware threat dubbed DinodasRAT has been uncovered, after being used in a targeted cyber-espionage campaign against a governmental entity in Guyana.
The campaign, which ESET calls Operation Jacana after water birds that are native to the South American country, could be linked to (unnamed)
Chinese state-sponsored cyberattackers
, researchers noted.
The campaign started with targeted spear-phishing emails that referenced recent Guyanese public and political affairs. Once in, the attackers moved laterally throughout the internal network; DinodasRAT was then used to exfiltrate files, manipulate Windows registry keys, and execute commands, according to
ESETs Thursday analysis of the Jacana operation
.
The malware got its name based on the use of Din at the beginning of each of the victim identifiers it sends to the attackers, and that strings similarity to the name of the diminutive hobbit Dinodas Brandybuck from
The Lord of the Rings
. Perhaps related: DinodasRAT uses the Tiny encryption algorithm to lock away its communications and exfiltration activities from prying eyes.
ESET attributes the campaign and the custom RAT to a Chinese advanced persistent threat (APT) with medium confidence, based in particular on the attacks use of the
Korplug RAT (aka PlugX)
— a favorite tool of
China-aligned cyberthreat groups like Mustang Panda
.
The attack could be in retaliation for recent hiccups in Guyana–China diplomatic relations, according to ESET, such as Guyanas arrest of three people in a money-laundering investigation involving Chinese companies. Those allegations were disputed by the local Chinese embassy.
Interestingly, one lure mentioned a Guyanese fugitive in Vietnam, and served malware from a legitimate domain ending with gov.vn.
This domain indicates a Vietnamese governmental website; thus, we believe that the operators were able to compromise a Vietnamese governmental entity and use its infrastructure to host malware samples, said ESET researcher Fernando Tavella in the report — again suggesting that the activity is the work of a more sophisticated player.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Operation Jacana Reveals DinodasRAT Custom Backdoor