Best Top Reviews Online

Five Years Passed Before the Detection of the “TajMahal APT Framework”

Yesterday, cybersecurity researchers disclosed the existence of a highly sophisticated spyware framework that has been in operation for at least five years but was only recently discovered.

The APT framework, dubbed TajMahal by Kaspersky Lab researchers, is a high-tech, modular-based malware toolkit that not only supports a large number of malicious plugins for distinct espionage operations but also includes never-before-seen and obscure techniques.

The framework was named after the Taj Mahal, one of the Seven Wonders of the World located in India, not because Kaspersky discovered a connection between the malware and India, but because the stolen data was sent to the attackers’ C&C server in an XML file named TajMahal.

The TajMahal toolkit was first discovered by security researchers late last year when it was used by hackers to spy on the computers of a diplomatic organization belonging to an unidentified Central Asian nation.

Nonetheless, malware samples analyzed by the researchers indicate that the cyberespionage group responsible for the attack has been active since at least August 2014.

The TajMahal framework is comprised of two main packages named “Tokyo” and “Yokohama” that contain over eighty distinct malicious modules, which, according to researchers, is one of the highest numbers of plugins ever observed for an APT toolkit.

The malware includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptography key stealers, and even its own file indexer for the victim’s machine, according to the researchers.

Researchers have yet to determine how TajMahal infected its targets in the first place, but they have discovered that once access is gained, the first-stage infection, Tokyo, is downloaded onto targeted machines and then delivers the fully functional second-stage malware, Yokohama.

Yokohama stores malicious modules within its encrypted Virtual File System, allowing them to:

  • log keystrokes,
  • steal browser cookies and data, including backup for Apple mobile devices,
  • record and take screenshots of VoIP calls,
  • steal written CD images,
  • steal documents sent to the printer queue.

In addition to typical spying capabilities, the malware possesses unique features such as the ability to request the theft of a specific file from a previously inserted USB stick: the next time that USB stick is connected to the compromised computer, the file will be stolen.

Given the sophistication of the framework, the researchers believe that additional TajMahal victims remain to be discovered, even though they have only discovered a single victim so far.

“Based on our telemetry, we have detected a single victim to date,” Kaspersky stated.

This theory is supported by the fact that we were unable to determine how one of the files in the VFS was utilized by the malware, leaving the door open to the possibility of undetected variants of the malware.

On the SecureList blog, researchers have published a full set of Indicators of Compromise (IOCs) and a complete list of 80 malicious modules stored in the malware, along with a brief description of what they do.

The above article was written by the BestTopReviewsOnline team, which consists of some of the most knowledgeable technical experts in the United States. Our team consists of highly regarded writers with vast experience in smartphones, computer components, technology apps, security, and photography, among other fields.
