Security Articles

PortDoor: New Chinese APT Backdoor Attack Targets Russian Defense Sector

released on 2021-05-04 @ 08:28:42 PM
The Cybereason Nocturnus Team has been tracking recent developments in the RoyalRoad weaponizer, also known as the 8.t Dropper/RTF exploit builder. Over the years, this tool has become a part of the arsenal of several Chinese-related threat actors such as Tick, Tonto Team and TA428, all of which employ RoyalRoad regularly for spear-phishing in targeted attacks against high-value targets. While analyzing newly discovered RoyalRoad samples observed in the wild, the Nocturnus Team detected one that not only exhibits anomalous characteristics, but also delivers PortDoor malware, a previously undocumented backdoor assessed to have been developed by a threat actor likely operating on behalf of Chinese state-sponsored interests.