Taj Mahal is a previously unknown and technically sophisticated Advanced Persistent Threat (APT) espionage framework, attributed to a nation-state and discovered by Kaspersky Lab in the autumn of 2018. The framework has two stages, 'Tokyo' and 'Yokohama', and is believed to have been in use for 5 years without detection. Only one victim has been documented: a diplomatic entity from an undisclosed Central Asian country.
The second stage comprises roughly 80 different modules with capabilities including backdoors, loaders, orchestrators, Command and Control (C2) communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptographic key stealers, and a file indexer for the victim's machine.
Module: Capability
WatchPoints: Document stealer, C2 communication and command processor
LocalInfo: Performs system reconnaissance; writes its output to a file titled "TAJ MAHAL"
AudioRecorder: Captures audio from the microphone, Windows COM, VoIP and Windows Metro applications
Orchestrator: Update/install/uninstall; selects target processes and loads plugins
SuicideWatcher: Cleanly removes the framework after a designated time
IM-Stealer: Steals conversation content from the chat windows of instant messaging applications
Indexer: Indexes files on victim drives, user profiles and removable drives
Thumbnailer: Creates thumbnails of discovered picture files and prepares them for sending
Keylogger: Keystroke logger and clipboard monitor
DocumentStealer: Steals printed documents from the spooler queue
EgressSender: Sends files from the output queue to the C2
ClientRecon: Daily stateful scan of the compromised machine; sends system changes to the C2
Screenshoter: Takes periodic low-resolution screenshots
DocumentStealer: Steals documents from fixed and removable drives and from written CD images
WebcamSnapshot: Periodically takes webcam snapshots
Products sold by OpenVault are for entertainment and educational purposes only. Customers are purchasing a physical copy of digital artwork (software box).