New Yokai Side-loaded Backdoor Targets Thai Officials
ID: c8105db4-601a-5901-a531-219cc5443c45
STIX ID: report--c8105db4-601a-5901-a531-219cc5443c45
Feed Name: Netskope Threat Labs
Netskope Threat Labs describes an infection chain in which LNK shortcuts delivered inside a RAR archive use NTFS alternate data streams to drop a legitimate iTop Data Recovery executable, which then side-loads a previously undocumented backdoor named "Yokai." The report details the persistence mechanisms (scheduled task, mutex, process spawning), the bespoke XOR-based C2 protocol and encryption, the supported commands (remote shell, command execution), the observed C2 IPs/URLs and file artefacts, and provides detection and mitigation guidance, including IOC listings and recommended network and content inspection.
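The feed entry closes with IOC listings and a recommendation to inspect network traffic for the observed C2 addresses. Threat-intel feeds usually ship such indicators defanged (hxxp://, [.]) so they cannot be clicked, which means a matcher has to refang them before comparing against logs and must avoid substring false positives (an IP IOC should not fire on a longer IP that merely starts with the same digits). The following Python is an added example written for this page, not code from Netskope Threat Labs or the Yokai report; the indicator values and proxy log lines are constructed placeholders (RFC 5737 documentation addresses and reserved names), not the report's actual IOCs, and the log layout is an assumed "timestamp client verb url" format.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed placeholder IOCs in the defanged style threat-intel feeds use.
# These are NOT the Yokai indicators from the Netskope report; they exist
# only to exercise the matcher.
SAMPLE_IOCS = [
    "192.0.2.10",                  # assumed C2 IP (RFC 5737 documentation range)
    "hxxp://192.0.2.10/api/ping",  # assumed defanged C2 URL
    "example[.]invalid",           # assumed defanged C2 hostname
]

# Constructed proxy log lines (assumed "timestamp client verb url" layout).
SAMPLE_LOGS = [
    "2024-12-01T10:00:01Z 10.0.0.5 GET http://192.0.2.10/api/ping",
    "2024-12-01T10:00:02Z 10.0.0.6 GET https://www.example.com/",
    "2024-12-01T10:00:03Z 10.0.0.7 POST https://example.invalid/upload",
]


def refang(ioc: str) -> str:
    """Undo common defanging: hxxp(s):// -> http(s)://, [.] -> ., [:] -> :."""
    s = re.sub(r"^hxxp(s?)://", r"http\1://", ioc.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def _compile(ioc: str) -> re.Pattern:
    """Build a pattern for one indicator.

    URLs are matched as a prefix anywhere in the line (a longer URL with a
    query string is still a hit).  Hosts and IPs get look-arounds so that
    192.0.2.10 does not fire on 192.0.2.100 or on sub-domains that merely
    end with the same labels.
    """
    target = refang(ioc)
    if "://" in target:
        return re.compile(re.escape(target), re.IGNORECASE)
    return re.compile(r"(?<![\w.-])" + re.escape(target) + r"(?![\w-])", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based index into the log input
    ioc: str       # the indicator as it appeared in the feed (still defanged)
    line: str      # the raw log line that matched


def match_iocs(log_lines: Iterable[str], iocs: Iterable[str]) -> List[Hit]:
    """Return every (line, indicator) pair where the indicator occurs in the line."""
    compiled = [(ioc, _compile(ioc)) for ioc in iocs]
    hits: List[Hit] = []
    for n, line in enumerate(log_lines, 1):
        for ioc, pat in compiled:
            if pat.search(line):
                hits.append(Hit(n, ioc, line))
    return hits


if __name__ == "__main__":
    for h in match_iocs(SAMPLE_LOGS, SAMPLE_IOCS):
        print(f"line {h.line_no}: matched {h.ioc!r}: {h.line}")
```

Line 1 of the constructed log produces two hits (the bare IP and the full URL), line 3 one (the hostname), and line 2 none; feeding the same IP indicator against a line containing 192.0.2.100 yields no hit because of the boundary look-arounds. In production the IOC list would be loaded from the feed export rather than embedded.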
