LTS Secure Warning: Overview Of TajMahal APT Framework

TajMahal is a highly technically & a sophisticated APT framework, which was discovered by Kaspersky Lab in 2018. Developed as a spying framework, which consists of two core packages, Tokyo & Yokohama. It consists of backdoors, orchestrators, loaders, C&C communicators, keyloggers & audio recorders. Till now 80 malicious modules stored in its encrypted Virtual File System have been identified, giving the attacker to perform various kinds of attacks scenario.


Technical Details

The TajMahal framework consists of two core packages, Tokyo & Yokohama. Tokyo is used in the first stage to infect the targeted machine. The package consist of –

  • 3 modules
  • Backdoor
  • Powershell Scripts
  • Contacts C&C server
  • Stays in target machine as backup

Once done, the fully functional Yokohama package is deployed on the target machine. The package consist of –

  • Up to 80 modules
  • Encrypted Virtual file system
  • Plugin, libraries, configuration files & more

Both the packages share the same code base.


  • Steals cookies and data from browsers.
  • Steal documents that are sent to printer queue.
  • Log keystrokes
  • Steal data from a CD images
  • Steal specific files from external storage devices  once they become available again



The TajMahal framework is one of the most intriguing discovery in recent time that  is of great interest for the InfoSec community. The huge amount of modules that can be used to implement a number of features is something we have never before seen in any other APT toolset.


LTS Secure Next Gen. SIEM uses it integration with OTX to help identify earlier signs of Compromise and initiation of Risk Mitigation Automatons for such an advanced threats on IT infrastructure.