MINIRECON
Intelligence Profile
According to Acronis, MINIRECON is a shellcode-based implant derived from the Toneshell8 family, written in C/C++ and deployed in memory by SHARDLOADER after reconstruction from an obfuscated, XOR-decrypted payload. It retains core Toneshell characteristics such as PEB-walking to resolve kernel32.dll, a 13131313 hash multiplier for API resolution, an LCG-based session key, a 256-byte XOR beacon scheme, and an opcode-driven dispatcher supporting two parallel reverse shells, file upload/download, remote command execution, and a drop-and-execute chain. Its main evolution is in command-and-control communications, shifting to WebSocket-over-HTTPS beaconing via the native WinHTTP API with self-signed certificate handling and a proxy fallback to blend into enterprise environments.
Threat Analysis
MINIRECON itself is an implant rather than a threat actor. The group operating it is of undetermined national origin, and its motivation and activity patterns have not been characterised in the available reporting.