A previously unknown and technically sophisticated advanced persistent threat (APT) framework that has been in operation for five years has been discovered. Revealed by Kaspersky Lab and dubbed Project TajMahal, the newly discovered APT framework contains up to 80 malicious modules stored in its encrypted virtual file system (VFS), including backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptography key stealers, and its own file indexer.

“The huge amount of plugins that implement a number of features is something we have never before seen in any other APT activity,” the company said in its analysis of the malware.

What do we know about TajMahal?

Whether this was developed by a previously known APT group is unclear, as is the ultimate goal of the attack. The company’s analysis of the malware suggested it could date back as far as August 2013, while the “diplomatic entity” was infected a year later in August 2014. The most recent sample Kaspersky found was from August 2018, suggesting the group is still active.

So far, TajMahal has only one confirmed victim, an unnamed “central Asian diplomatic entity.” However, Kaspersky warned that such sophisticated work wouldn’t be developed and used against only one target. “It seems highly unlikely that such a huge investment would be undertaken for only one victim,” said Alexey Shulmin, lead malware analyst at Kaspersky Lab. “This suggests that there are either further victims not yet identified, or additional versions of this malware in the wild, or possibly both.”

“The technical complexity of TajMahal makes it a very worrying discovery, and the number of victims identified thus far is likely to increase,” Shulmin added. “Somehow, it has stayed under the radar for over five years. Whether this is due to relative inactivity or something else is another intriguing question.”

What can TajMahal do?

Named after the XML file used for data exfiltration, TajMahal is made up of two packages: Tokyo and Yokohama. Tokyo acts as the main backdoor (via PowerShell) and as the delivery mechanism for Yokohama; it periodically connects to the command and control servers and remains on the victim device as a backup. Yokohama is the main payload and includes a VFS with all plugins, open-source and proprietary third-party libraries, and configuration files.

It is able to steal cookies, intercept documents from the print queue, record audio, take screenshots, index files (including those on external drives connected to infected devices) and steal specific files the next time those drives are detected, and capture information burned onto CDs. The fact that its code base and infrastructure aren’t shared with other known APTs is likely why it was able to remain undetected for so long.

What don’t we know about TajMahal?

Kaspersky’s discovery, while noteworthy, throws up many questions that haven’t been answered:

Who is behind TajMahal? Kaspersky hasn’t identified any potential group that could be behind TajMahal, and there are no attribution clues nor any links to known threat groups. According to ThreatPost, the only known victim was previously unsuccessfully targeted by Zebrocy, a malware strain associated with the Russian-linked hacking group Fancy Bear (also known as APT28, Pawn Storm, Sofacy Group and others). Kaspersky notes that the Russian-linked Turla/Uroboros Trojan also involved a backdoor known as TadjMakhal.

How does it spread? So far, Kaspersky has said that the distribution and infection vectors are still unknown.

What were they after? Given that it was able to take screenshots, record audio, and capture keystrokes, documents, messages sent via instant messaging and more, it’s unclear what intelligence the attackers were actually after. Given that the only known victim was a diplomatic entity, it’s likely to be sensitive information.