Proprietary 2021-02-08 · 23 days · Backdoor, Remote Access

MonPass CA delivered Cobalt Strike installer

Avast disclosed in July 2021 that the official client installer for MonPass — a major Mongolian certificate authority — was backdoored on the company's download site between 2021-02-08 and 2021-03-03.

Story

MonPass was a trusted certificate authority in Mongolia. In 2021, Avast found that its public web server had been breached and that the official MonPass client installer had been replaced with a backdoored version. The affected download window ran from February 8 to March 3, 2021.

The installer was built to look normal. It downloaded the legitimate MonPass client from the official site, dropped it under C:\Users\Public\, and executed it in a new process. The user saw the expected installation path while the malicious code ran beside it.

The payload used a second channel. It fetched bitmap files from attacker infrastructure such as download.google-images.ml:8880, extracted hidden bytes from image data, decoded hexadecimal text, and XOR-decrypted the result with miat_mg. The recovered payload was a Cobalt Strike beacon.
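The decode chain described above (hidden bytes in a bitmap, hex text, XOR with the key miat_mg) is the kind of thing an analyst reconstructs when triaging captured image files from a download like this. The script below is an added example for that purpose; it is not Avast's tooling or anything from the MonPass case files. The XOR key comes from the page; the embedding location is an assumption made here (the hidden text is taken to be whatever follows the file size declared in the BMP header), and the sample bitmap and payload are constructed inline so the script runs offline.

```python
import struct

# Key reported in the incident write-up.
XOR_KEY = b"miat_mg"


def build_sample_bmp(trailer: bytes) -> bytes:
    """Constructed 1x1 24-bit BMP with `trailer` appended after the pixel data.

    The real carrier files were not available here; this only produces a
    well-formed bitmap so the extraction logic below has something to parse.
    """
    pixel = b"\x00\x00\x00\x00"  # one black pixel, row padded to 4 bytes
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixel), 2835, 2835, 0, 0)
    offset = 14 + len(dib)
    header = struct.pack("<2sIHHI", b"BM", offset + len(pixel), 0, 0, offset)
    return header + dib + pixel + trailer


def extract_trailing(bmp: bytes) -> bytes:
    """Return bytes past the size the BMP header declares (assumed hiding spot)."""
    if bmp[:2] != b"BM" or len(bmp) < 14:
        raise ValueError("not a BMP file")
    declared_size = struct.unpack_from("<I", bmp, 2)[0]
    if declared_size > len(bmp):
        raise ValueError("truncated BMP: declared size exceeds file length")
    return bmp[declared_size:]


def has_trailing_data(bmp: bytes) -> bool:
    """Triage check: a bitmap that is longer than its header claims deserves a look."""
    return len(extract_trailing(bmp)) > 0


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_hidden(bmp: bytes) -> bytes:
    """Recover the payload: trailing bytes -> hex text -> XOR-decrypt with miat_mg."""
    hidden = extract_trailing(bmp)
    raw = bytes.fromhex(hidden.decode("ascii").strip())
    return xor_bytes(raw, XOR_KEY)


def encode_hidden(plain: bytes) -> bytes:
    """Inverse of decode_hidden, used only to build the constructed test sample."""
    return xor_bytes(plain, XOR_KEY).hex().encode("ascii")


if __name__ == "__main__":
    sample_payload = b"constructed stage, stands in for the beacon"
    carrier = build_sample_bmp(encode_hidden(sample_payload))
    print("trailing data present:", has_trailing_data(carrier))
    print("recovered:", decode_hidden(carrier))
```

In practice the extraction step is the one most likely to differ from a real sample, so `extract_trailing` is the function to adapt once the carrier format is known; the hex and XOR stages are exactly as the page describes them.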

Avast's server review found multiple webshells and backdoors on the MonPass public server, showing repeated control rather than a one-file accident. MonPass later told Avast it had resolved the issues and notified affected customers. The core failure was simple: a CA's trusted client download became a loader for remote access.

Affected Artifacts

Observed
2021-02-08 to 2021-03-03
Compromised Versions
Unknown
Fixed
Not listed
Hashes
  • sha256:f21a9c69bfca6f0633ba1e669e5cf86bd8fc55b2529cd9b064ff9e2e129525e8
  • sha256:a7e9e2bec3ad283a9a0b130034e822c8b6dfd26dda855f883a3a4ff785514f97
  • sha256:5cebdb91c7fc3abac1248deea6ed6b87fde621d0d407923de7e1365ce13d6dbe
  • +6 more
Evidence
distribution: int.monpass.mn, mirror: github.com/avast/ioc/tree/master/MpIncident, malware: Cobalt Strike, pdb: C:\Users\test\Desktop\fishmaster\x64\Release\fishmaster.pdb, +13 more

Incident Context

Motive
Espionage
Attribution
State
Cause
Website Compromise
Transitive
No
Actor
Nation-state

External References

Source record: proprietary/monpass/meta.yaml