{
	"id": "7bcf4a99-e3c1-4909-9e76-5cf3eb6da979",
	"created_at": "2026-04-06T00:08:11.734452Z",
	"updated_at": "2026-04-10T03:35:20.399827Z",
	"deleted_at": null,
	"sha1_hash": "007e0129347fec461e4591b03298dcd7ceec468e",
	"title": "APT-C-36: from NjRAT to LimeRAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9133833,
	"plain_text": "APT-C-36: from NjRAT to LimeRAT\r\nPublished: 2023-03-15 · Archived: 2026-04-05 16:23:51 UTC\r\nLast February a Blackberry report alluded to one of APT-C-36 campaigns (Blind Eagle). The APT-C-36 group has many\r\nsimilarities in terms of tactics, techniques and procedures (TTPs) with the group Hagga / Aggah, as we have been able to\r\nobserve at Lab52. Particularly, this article describes one of the campaigns that has been linked to APT-C-36, where the\r\nartefacts used are noticeable Hagga artefacts. \r\nThis group’s campaigns during the last quarter are summarised in the following image.\r\nAPT-C-36: last campaigns\r\nThe diagram refers to the malware that is actually executed after the infection phase, i.e., after successful deployment of the\r\nfirst stages of the infection process. In fact, it is a successful deployment which will allow the malware to be executed, and\r\nwhich also allows the identification of TTPs prior to full compromise.  \r\nGoing back to the previous image, the following should be noted:\r\nFrom December 2, 2022 until February 2, 2023, multiple campaigns were observed deploying NjRat in its final stage.\r\nOn February 20, a campaign was observed which varied slightly in its deployment, and which purpose was the\r\ndeployment of AsyncRat. \r\nBy the end of February was observed the use of LimeRAT, but with a very similar operation in the deployment\r\nused during the rest of the campaigns, from the first ones whose objective was the execution of NjRAT.\r\nThis last point has caught the attention of the Lab52 team, since, as analysed in previous articles, LimeRat is considered an\r\nevolution of NjRAT. 
Moreover, this takes place in a context in which the previous NjRAT campaigns linked to APT-C-36 are still fresh and, in fact, NjRAT remains an active malware family in campaigns by various actors.\r\nIn this post we go back to the December 5, 2022 campaign to explain in detail the five-stage deployment process observed until NjRAT is triggered, taking this campaign as a case study. The objective is to show, by means of a simplified comparison, how the deployment of these RATs is very similar. In addition, a list of the IOCs of the previous campaigns, a summary of the communications behaviour and a comparison of the adaptations/modifications made in the last campaign, which triggers LimeRAT, are provided.\r\nPreparing the path for NjRAT: the beginning\r\nThis analysis takes as its starting point a post on Twitter showing a document with techniques and appearance compatible with APT-C-36. From that post, the hash of the .docx file used for the phishing is obtained; its data is shown below:\r\nfile Juzgado 09 civil del circuito de Bogotá D. C. Col..docx\r\nmd5 4a69b0a3796dd688d57e11658ac1058c\r\nsha1 e707fe51fb330b7aed5db5882b316dde1ef5f5a9\r\nsha256 dfc497c7cb4cac21d5b4760dcc9df8c4379e7f4290a8ff06265225704819761c\r\nThe following picture shows the file appearance once it is opened using Microsoft Word.\r\nhttps://lab52.io/blog/apt-c-36-from-njrat-to-apt-c-36/\r\nPage 1 of 32\n\nMalicious document appearance\r\nThis group is characterised by the impersonation of official entities. 
As can be seen, another of their characteristics is to maintain a good level of appearance in the text and fake documents used in spear phishing campaigns.\r\nThe document is examined to find the trigger of the infection, revealing a suspicious OLE (Object Linking and Embedding) object which in turn will lead to a WSF file (Windows Script File).\r\nOLE object\r\nThe analysis is structured around the stages of the malware based on the previous resource. The following image shows a summary of the stages identified.\r\nAnalysed activity flow\r\nThe final purpose of the malware in this case is the deployment of the remote access trojan (RAT) NjRAT, but it is the way to that deployment that motivates the analysis described below: a set of procedures that has in fact been maintained with little variation through the rest of the campaigns to date.\r\nIn particular, it should be noted that several stages of the malware deployment take place entirely in memory, making detection by antivirus tools more challenging.\r\nThis article will address the deployment chain in five stages, and then compare this operation with the last campaign, in which LimeRAT is deployed. In addition, findings regarding the behaviour of the campaigns with respect to the communications model are included. Finally, the indicators of compromise of the different campaigns are summarised for possible consultation.\r\nStage 1: Infection using an OLE object\r\nAs anticipated, in the December 5 campaign the malicious file contains an OLE object whose properties are investigated inside a controlled environment. 
\r\nOLE object properties\r\nAs can be seen, when the object is activated it will execute a WSF file (Windows Script File), Notificación Jurídica.wsf, thus triggering the infection on the machine.\r\nOLE object detailed\r\nWithout further complication at this point, the script file can be extracted for analysis:\r\nScript WSF\r\nThe file has numerous identical repeated lines to camouflage the piece of malicious code inside it.\r\nBroadly speaking, in the WSF file we can see the definition of a job in VBS that, through PowerShell, will download a VBS file from the domain cdn.discordapp[.]com and then launch it via Explorer. The VBS script will later be deleted from the system. This file is analysed below.\r\nStage 2: Camouflaged downloader\r\nTo continue with the infection chain, the downloaded VBS file is examined; it is referred to here as Debug.vbs because of its later reference in the code. Indeed, at this point of the execution this file can take any name, depending also on the campaign. 
The key issue here is that the script has the appearance of a legitimate Microsoft WinRM file.\r\nVBS script: first view\r\nHowever, after a detailed analysis the section which triggers the malicious logic can be seen.\r\nVBS implant in WinRM.vbs file\r\nIn fact, it can be seen that the code is obfuscated, although after some operations it is possible to extract the original code it executes:\r\nMalicious code deobfuscated\r\nSpecifically, a byte array is declared in memory to hold a PE file downloaded from the above IP after Base64 decoding. This file corresponds to a DLL (DLL.PPAM) and will be loaded into memory within the application domain of the current PowerShell process.\r\nSubsequently, the VAI method of the Fiber.Home class will be invoked, passing as a parameter the URL written in reverse that can be seen at the end of the image. This causes it to execute in a fileless way, making it more complicated to detect with antivirus tools.\r\nStage 3: First DLL injected inside the PowerShell environment: DLL.PPAM (Fiber.dll)\r\nAs indicated, the first DLL injected into the PowerShell environment will be DLL.PPAM (Fiber.dll).\r\nmd5 2552287b4733078f12b4a831c698cab6\r\nsha1 c615919f27daeeab06be9a669bebd547e557bf38\r\nsha256 7f0289f08df904da436b8e99605e74518c29f3321a10c7c0b37fced0f1e93202\r\nGoing into further detail, DLL.PPAM is a .NET DLL with Yano protector (1.X).\r\nFiber.dll properties\r\nAfter reviewing the general properties of the DLL, its original name can be observed: Fiber.dll.\r\nNo obfuscation or similar action by the protector is observed.\r\nEntry Point (EP) in Fiber.dll (third stage)\r\nFiber.dll checks if the file C:\\Windows\\Temp\\Debug.vbs exists on the computer. 
If so, Fiber.dll uses the name it was given in the previous step to refer to it. If no such file exists, it copies the .vbs from the current path to that location under the name Debug.vbs. This is the file that persists on the machine and that will be launched when the user session starts, as seen in the persistence step.\r\nIt then performs a series of consecutive steps in an infinite loop to prepare and trigger the next stages of infection.\r\nDownload and preparation of the injector (fourth stage)\r\nIn particular, it is observed that it downloads resources that will be used in the next phase of the infection. Once the download is done, it prepares the received data by reversing the obfuscated paths.\r\nDownload and preparation of the RAT (final payload)\r\nSimilar to the previous block, it also downloads the RAT that will eventually be deployed on the machine. In this case the URL to download is received as a parameter when invoking the DLL, with a simple obfuscation (reversed text). It also constructs a path that will be used later to pass as a parameter to the next stage.\r\nThe next step is to ensure persistence in a simple but functional way:\r\nPersistence\r\nAs can be seen, persistence is achieved by creating a link in the user’s Startup folder, camouflaged under the guise of Notepad.\r\nStartup persistence\r\nInvocation of stage 4 (injector)\r\nFinally, it loads the payload (injector) obtained in the first download into the current application domain. 
Once the Base64 encoding has been decoded, it invokes the “Ande” method of the “Tools” class of the “FSociety” module, passing as arguments the path previously constructed from the .NET path and the payload received from the second download, also after decoding its Base64 encoding.\r\nStage 4: Second DLL injected inside the PowerShell environment: RUMP.DLL (Fsociety.dll)\r\nAt this stage the malware is already operating filelessly, in memory. Here we focus on the second DLL that will be injected into the PowerShell process, rump.dll (fsociety.dll). The hashes that identify this artefact are listed below:\r\nmd5 a703c90e7ed1b0eb8ab552ec112f46c1\r\nsha1 b7e6a0a39e50383823f0d48db77347a3dc2fdbbc\r\nsha256 5d910ee5697116faa3f4efe230a9d06f6e3f80a7ad2cf8e122546b10e34a0088\r\nThis is another unpacked .NET DLL with the same protector: Yano (1.X).\r\nFsociety.dll properties\r\nA static review of the binary shows that it imports functions clearly associated with process injection:\r\nThe original name of this DLL is Fsociety.dll.\r\nThe method invoked during the execution of the third stage expects two parameters:\r\n1. Path of the binary into which the final payload will be injected: C:\\windows\\Microsoft.Net\\Framework\\4.0.30319\\RegAsm.exe\r\n2. Final payload (NjRAT).\r\n“Ande” method in the “Tool” class (Fsociety.dll)\r\nThis function is used to trigger the whole process of launching and injecting the final payload (NjRAT).\r\nThis binary, as we have seen above, imports functions associated with the injection/management of processes/sections/threads, etc. Since they are not implemented within the C# code, the malware must import them from external libraries (kernel32.dll). 
So, as a result, the following API functions are declared by the malware.\r\nDeclaration of API functions\r\nThe main functionality of this binary is to inject NjRAT using the Process Hollowing technique, as will be shown later.\r\nTo describe and clarify the behaviour of the malicious DLL, the detailed steps performed by the malware until the injection becomes effective are shown below:\r\n1.- A legitimate RegAsm.exe process is created in a suspended state by calling CreateProcess:\r\nCreation of the victim process\r\n2.- The thread context of the previously created RegAsm.exe process is obtained with GetThreadContext.\r\nProcess Hollowing: GetThreadContext\r\n3.- A call to ReadProcessMemory is made on RegAsm:\r\nProcess Hollowing: Obtaining the ImageBaseAddress of the victim process\r\nThis call reads 4 bytes from the PEB, specifically the IBA (Image Base Address) of the RegAsm process.\r\nThen, it compares the IBA of the binary to be injected, which was obtained previously, with the IBA of the victim process extracted through the call to ReadProcessMemory. 
If they are the same, it calls NtUnmapViewOfSection to unmap the section from the process memory.\r\n4.- A new memory region is reserved with VirtualAllocEx to hold the final NjRAT payload.\r\nMemory reservation for the final payload\r\nAs can be seen, 64KB of memory has been reserved at address 0x400000 with read, write and execute (RWX) permissions.\r\nProcess Hollowing: New section\r\nAt this point of the execution, the content of this memory section is still empty.\r\nEmpty content\r\n5.- A call is made to WriteProcessMemory on that section to start filling that memory area.\r\nProcess Hollowing – WriteProcessMemory\r\nThrough this call, only the first 512 bytes of the PE header are written.\r\nPartial header in memory of NjRAT\r\nThen, using the BlockCopy method of the C# Buffer class, another part of the PE is copied to another byte array that will be used later.\r\nProcess Hollowing – BlockCopy\r\nAnd finally the content of this new intermediate array is copied to the reserved section in RegAsm.exe to complete the PE in memory.\r\nProcess Hollowing – Write process memory\r\nPartial content of NjRAT\r\nAnalogously to the previous one (BlockCopy + WriteProcessMemory), another part of the binary (1024 bytes) is copied to the memory of the RegAsm process.\r\nPartial block copy of NjRAT\r\nThis set of BlockCopy + WriteProcessMemory calls is carried out three more times until the binary has been written completely into memory. In total, five BlockCopy + WriteProcessMemory iterations were necessary to write the file completely into memory. 
This is possibly a measure to evade AV detection in memory.\r\n6.- A call is made to SetThreadContext to set the new entry point of the thread.\r\nProcess Hollowing – SetThreadContext\r\n7.- And finally a call to ResumeThread is made to resume the execution of the thread.\r\nProcess Hollowing – ResumeThread\r\nNjRAT ready for execution\r\nAt this point of the execution, the RegAsm process stands out for its CPU consumption and, observing the analysis of the generated traffic, the connection attempts against the NjRAT C2 every 2 seconds stand out.\r\nNjRAT traffic\r\nNjRAT communication\r\nNote: The IP 192.0.2.123 is a simulated IP and does not correspond to the real IP to which prueba30novok.duckdns.org would resolve.\r\nIf any of the previous calls (e.g. VirtualAllocEx) fails to reserve memory in the victim process, the victim process will be terminated and the whole injection chain will be started again from step 1 (CreateProcess).\r\nInstruction for killing RegAsm\r\nStage 5: NjRAT\r\nA closer look at the RegAsm process shows that NjRAT is indeed loaded in its memory and it is possible to find its configuration parameters:\r\nNjRAT configuration\r\nFinally, once the debugging of the process is finished, it is observed that it does not depend on Explorer, and the PowerShell process that was in charge of launching the DLL injector finished its execution once NjRAT was correctly injected into the RegAsm.exe process.\r\nProcess tree\r\nAs already mentioned, the objective of this publication was to get to this point; perhaps in the future we will delve into the analysis of NjRAT, something that is not addressed on this occasion so as not to detract from the publication.\r\nIt should be noted that NjRAT has been triggered at this point, but the operation could be maintained to trigger 
other malware, and it is precisely on this operation that we wanted to keep the focus.\r\nComparison between APT-C-36 campaigns\r\nIn summary, all APT-C-36 campaigns detected during the last quarter are collected here in table form. The objective is to highlight the representative artifact type in each phase of the campaigns.\r\nArtifacts used during the infection\r\nTaking into account that the first stage deals with the hook of the attack (usually a file used for phishing with the camouflaged triggering device), we can simplify the comparison by referring to the most representative files of the rest of the stages.\r\nAlthough the .vbs file of the second phase has a different name in the different campaigns, so far we have always identified a file with this extension as the protagonist of this stage, which loads fiber.dll and is used for persistence.\r\nOn the other hand, the DLLs of the third and fourth stages are kept as fiber.dll and fsociety.dll. 
The names of these DLLs change for the deployment of LimeRAT, in which it should be noted that more obfuscation features are observed.\r\nDealing with the chain of infection for LimeRAT:\r\nThis campaign starts with the execution of the file ‘DOCUMENTO (FGE).vbs’.\r\nmd5 : 4cb86eadbadba68752d539597e6ab5ad\r\nsha1 : 3e1682855ad4035134f6ebd68d56824535b4ca03\r\nsha256: b1b114c09344edc0be3459e3a93f47ef584df37b58500b7f420f8232e7cac6f5\r\nLimeRAT campaign: .vbs\r\nThe image shows obfuscated code that finally launches a PowerShell command:\r\nObfuscated powershell\r\nAfter some deobfuscation operations, the code that will be executed is obtained:\r\nDeobfuscated powershell\r\nAnd after removing the other layer of obfuscation, the code that PowerShell will finally run is reached.\r\nThe entry method GzeUpA of the .NET module KZUTPv.WUGabK, to be loaded into PowerShell memory, is analysed.\r\nThe same type of infinite loop is observed, with a switch-case structure in which the program flow executes each and every one of the “cases” of the switch-case.\r\nIn this case the persistence on the machine is achieved by copying the VBS file to the Startup folder.\r\nPersistence\r\nAdditionally, a scheduled task is created that executes the previously created persistence file every minute.\r\nScheduled task\r\nIt has been disabled in order to continue with the analysis.\r\nScheduled task created\r\nNext, both the DLL injector and the final payload, in this case LimeRAT, are downloaded. 
The downloads and obfuscations are carried out in a similar way to the case study.\r\nArtifacts downloads\r\nFinally, it loads the injector DLL into the memory of the PowerShell process and invokes the PQHWQG method of the AGWNqj.ThUQsn class, passing as arguments the path of the binary into which it will inject the final payload and the previously downloaded LimeRAT payload.\r\nInjector DLL\r\nIn this case, obfuscation of the methods and variables of the loaded DLL is observed.\r\nObfuscation of methods\r\nSimilarly, the same structure of infinite loops with switch-case structures is observed.\r\nIt is noted that the defined externs are also obfuscated, although the logic is similar to the NjRAT case study detailed above.\r\nDefined externs\r\nSubsequently, as in the case study, the execution flow is started, which uses the process hollowing technique to inject the LimeRAT payload into the RegAsm.exe process.\r\nAs can be seen, a new RegAsm process has been created in a suspended state.\r\nCreateProcess in suspended state\r\nIn the following, in order not to extend the article too much, the API calls have been omitted as they are similar to those of the case study detailed above. 
The only difference is that they have an obfuscation layer.\r\nA review of the memory of the RegAsm process shows that the final payload has been successfully injected.\r\nPayload injection\r\nAnd as we can see, once the call to ResumeThread happens, the process has been correctly injected and some CPU consumption is observed.\r\nResume Thread\r\nA review of the generated traffic shows connection attempts to LimeRAT’s C2 approximately every 2 seconds.\r\nLimeRAT traffic\r\nLimeRAT traffic encoded\r\nNote: The IP 192.0.2.123 is a simulated IP and does not correspond to the real IP to which prueba30novok.duckdns.org would resolve.\r\nIn addition, the creation of a mutex is observed in the processes.\r\nMutex\r\nThe LimeRAT config is extracted from the memory of the RegAsm process.\r\nLimeRAT config extracted from memory\r\nFinally, once the injector has finished running, it can be seen that LimeRAT has been successfully injected and that the RegAsm process no longer depends on PowerShell.\r\nLimeRAT injected in RegAsm.exe\r\nC2 Infrastructures used by APT-C-36\r\nThe analysis of the C2 infrastructures used by APT-C-36 until February 2023 is described in this section.\r\nIn summary, it can be seen that in all six campaigns all the C2 domains used first resolved to an IP from either a VPN service or a hosting service:\r\nService\r\nWebair Internet Development Company Inc. (webair.com) Hosting\r\nprivacyfirst.sh\r\nFDCservers.net\r\nfrootvpn.com\r\nM247 Miami Infrastructure (ProtonVPN)\r\nSubsequently, it is observed that in four of the six campaigns the domain resolves to an IP associated with an ISP, so, as a hypothesis, it is likely that the router is used as a “reverse proxy” to hide the real C2. 
(See ref [1])\r\nService\r\nEPM-Telecomunicaciones-S.A.-E.S.P. (epm.net.co)\r\nColombia-Móvil (tigo.com.co)\r\nThe data collected to reach the above conclusions are listed below, in descending chronological order.\r\nLimeRAT (23 Feb 2023)\r\nC2: fortuna777.duckdns[.]org:1994\r\nAsyncRAT (20 Feb 2023)\r\nC2: asy1543.duckdns[.]org:1543\r\nNjRAT (2 Feb 2023)\r\nC2: env2023nue.duckdns[.]org:1986 → 190.28.222.216\r\nNjRAT (23 Jan 2023)\r\nC2: enero2023.duckdns[.]org:1986 → 190.28.222.216\r\nNjRAT (5 Dec 2022)\r\nC2: prueba30novok.duckdns[.]org:8002 → NXDOMAIN\r\nAs can be seen, this IP has been resolved by multiple dynamic domains, all associated with duckdns. A reuse of the C2 (wins23novok.duckdns[.]org) already used in the December 2 campaign can be observed.\r\n173.225.115.229\r\nNjRAT (2 Dec 2022)\r\nC2: wins23novok.duckdns[.]org:8000 → 191.89.244.1\r\nIndicators of Compromise (IOCs)\r\nThe compromise indicators observed in the different campaigns seen during the course of this analysis are listed 
below.\r\nCampaign February 23, 2023 (LimeRAT)\r\n3e1682855ad4035134f6ebd68d56824535b4ca03  DOCUMENTO (FGE).vbs\r\n59170d9b05fa7f3e33d0deaa940798a0bdf4f831  KZUTPv.dll\r\na2a209d0c24c6218ae4b0d445a47b3f5ec04918e  AGWNqj.dll\r\nf043812a9f333d57967d132f31ce43eb33e0e78d  LimeRAT.exe\r\nhxxps://firebasestorage.googleapis[.]com/v0/b/lengua-y-literatura-1422e.appspot.com/o/dll.txt?\r\nalt=media\u0026token=1c5d4ddd-8eda-411b-9af8-dcb5ccb40c0f\r\nhxxps://firebasestorage.googleapis[.]com/v0/b/proyecto-x-7373e.appspot.com/o/tridimensional.txt?\r\nalt=media\u0026token=3ee335b7-99d6-47c9-b7f5-80030d225cc9\r\nhxxps://firebasestorage.googleapis[.]com/v0/b/lengua-y-literatura-1422e.appspot.com/o/Pe.txt?alt=media\u0026token=f89c2bab-01ee-4522-a904-b1664f32d06f\r\nC2: fortuna777.duckdns[.]org:1994\r\nCampaign February 20, 2023 (AsyncRAT)\r\n6d9d0eb5e8e69ffe9914c63676d293da1b7d3b7b9f3d2c8035abe0a3de8b9fca\r\nAsuntos_DIAN_N6440005403992837L2088970004-01-02-2023-pdf.uue\r\n430be2a37bac2173cf47ca1376126a3e78a94904dbc5f304576d87f5a17ed366\r\nAsuntos_DIAN_N°6440005403992837L2088970004-01-02-2023-pdf.vbs\r\n5399bf1f18afcc125007d127493082005421c5ddebc34697313d62d8bc88daec Dll.ppam\r\n03b7d19202f596fe4dc556b7da818f0f76195912e29d728b14863dda7b91d9b5  Rump.xls\r\n64a08714bd5d04da6e2476a46ea620e3f7d2c8a438eda8110c3f1917d63dfcfc  AsyncRAT\r\nhxxps://cdn.discordapp[.]com/attachments/1066009888083431506/1070342535702130759/Asuntos_DIAN_N6440005403992837L2088\r\n01-02-2023-pdf[.]uue\r\nhxxp://172.174.176[.]153/dll/Dll.ppam\r\nhxxp://172.174.176[.]153/rump/Rump.xls\r\nhttps://lab52.io/blog/apt-c-36-from-njrat-to-apt-c-36/\r\nPage 29 of 32\n\nhxxps://cdn.discordapp[.]com/attachments/1057665255750246403/1070100736463093833/asy.txt\r\nC2: asy1543.duckdns[.]org:1543\r\nCampaign February 2, 2023\r\nfb2c7ccd15fe935524f82ef93d092a4a75049549  Juzgado_11_Civil_Circuito_De_Bogota_-\r\n_Notificacio_de_ejecucion_coactiva.docx\r\n42c5a00d9394ee5e1f1481e56a9c6adcc36dd5b9  
Juzgado_11_Civil_Circuito_De_Bogota_-\r\n_Notificacio_de_ejecucion_coactiva.vbs\r\n882d8bd980285e219d307e4a6db6bc784019c219  Dll.ppam\r\n2c2972950a98b670b1d52d32f7433a1c364384f1  Rump.xls\r\n3d75a0819f035af1b2d5e8e6c7a18a528bd6a91a  2023env.txt\r\nhxxps://cdn.discordapp[.]com/attachments/1042444027016003677/1062824763413762109/Juzgado_11_Civil_Circuito_De_Bogota_-\r\n_Notificacio_de_ejecucion_coactiva.vbs\r\nhxxp://172.174.176[.]153/dll/Dll.ppam\r\nhxxp://172.174.176[.]153/rump/Rump.xls\r\nhxxp://cdn.discordapp[.]com/attachments/1042444027016003677/1062794021182898277/2023env.txt\r\nC2: env2023nue.duckdns.org:1986\r\nCampaign January 23, 2023\r\ndc1ac3d9109496765c8155d1c906fa04c47d1a25  Comprobante de pago.vbs\r\n97f20536e6ab3c6dc75859e05e17527366a3f129  hiden.ppa\r\n2c2972950a98b670b1d52d32f7433a1c364384f1  Rump.xls\r\nfdc7dcf2f41888a4b060cebf5c20159f2993b0c6  23enero.txt\r\nhxxps://drive.google[.]com/file/d/1_lpMXe_flv-KQeQfR33uRqDzN4_whSWz/view?usp=drive_web\r\nhxxp://172.174.176[.]153/dll/hiden.ppa\r\nhxxp://172.174.176[.]153/rump/Rump.xls\r\nhxxps://cdn.discordapp[.]com/attachments/1042444027016003677/1067142291736764426/23enero.txt\r\nC2: enero2023.duckdns[.]org:1986\r\nCampaign December 5, 2022\r\ne707fe51fb330b7aed5db5882b316dde1ef5f5a9  Juzgado 09 civil del circuito de Bogotá D.C..docx\r\n54f1d83bd2ad338b51dd7f5ab2d2ce70340ff029  Notificacion Juridica.wsf\r\nf53e9afdd5ba3302186b6be1ac446c9f081c362f  2dode8002.vbs\r\nec3bc2150f6a915c61432e8bccdf15b58f290d06  Dll.ppam\r\nhttps://lab52.io/blog/apt-c-36-from-njrat-to-apt-c-36/\r\nPage 30 of 32\n\n1773c756220b81e0203f0e6e8342c7b0826531d8  Rump.xls\r\n7000261ab060e877a15aef936cb70db0349a02c8  2dode8002.txt\r\n14d354df391e447f023ddcb7f84ca2fa8e582501  
njrat\r\nhxxps://cdn.discordapp[.]com/attachments/1047544891632259145/1047971566543179936/2dode8002.vbs\r\nhxxp://4.204.233[.]44/Dll/Dll.ppam\r\nhxxp://20.238.8[.]87/Online/Rump.xls\r\nhxxps://cdn.discordapp[.]com/attachments/1047543449777344516/1047971253056708729/2dode8002.txt\r\nC2: prueba30novok.duckdns[.]org:8002\r\nCampaign December 2, 2022\r\na5cd7f6bf2a036e52a9df856c16369f5adc8d4a4  NOTARÍA ÚNICA DE LURUACO ATLÁNTICO.docx\r\n6d39c01dcdde807f4cb6f05fd54384fc01c23d4e  NOTA MARGINAL.wsf\r\n301fed92d48e2477e6bb070b6854e853  Vbs_Startup_LNK.vbs\r\n2552287b4733078f12b4a831c698cab6  Dll.ppam\r\nb7e6a0a39e50383823f0d48db77347a3dc2fdbbc  Rump.xls\r\n9fa72138c12985058af66b328e2adf3a  23nov.txt\r\nhxxps://cdn.discordapp[.]com/attachments/1047544891632259145/1047586477921538178/Vbs_Startup_LNK.vbs\r\nhxxp://4.204.233[.]44/Dll/Dll.ppam\r\nhxxp://20.238.8[.]87/Online/Rump.xls\r\nhxxps://cdn.discordapp[.]com/attachments/1047543449777344516/1047543574381723648/23nov.txt\r\nC2: wins23novok.duckdns[.]org:8000\r\n23.237.25[.]120\r\nAdditional information: APT-C-36 and Hagga / Aggah\r\nThe Hagga/Aggah group has typically focused on information stealing, having been detected in March 2019 by researchers at Palo Alto Unit 42. Initially, the main targets of this group were believed to be entities within a Middle Eastern country, although subsequent research clarified that the group was active globally, affecting targets in the United States, Europe and Asia. 
In 2020 Hagga performed a campaign against the Italian manufacturing sector, and later that year it was observed selling or renting its malware tooling to other actors.\r\nWhether it is because APT-C-36 uses Hagga artefacts or for some other reason that brings them closer together, the two groups share the following similarities:\r\nUse of fluent Spanish in the creation of spear-phishing lures.\r\nDownloading payloads from public storage services (Google Drive, Discord).\r\nUse of dynamic DNS domains for C2 (duckdns.org).\r\nUse of possibly compromised Colombian ISP router infrastructure to hide the real C2, using it as a ‘reverse proxy’.\r\nUse of publicly available malware not created by them (NjRAT/AsyncRAT/LimeRAT).\r\nUse of high ports for communication with the C2 (\u003e1024).\r\nBoth share the goal of information stealing.\r\nReferences\r\n[1] – https://lab52.io/blog/apt-c-36-recent-activity-analysis/\r\n[2] – https://marcoramilli.com/2022/11/21/is-hagga-threat-actor-abusing-fsociety-framework/\r\n[3] – https://www.team-cymru.com/post/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor\r\n[4] – https://lab52.io/blog/apt-c-36-new-anti-detection-tricks/\r\n[5] – https://web.archive.org/web/20191207233315/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/\r\n[6] – https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/\r\n[7] – https://lab52.io/blog/literature-lover-targeting-colombia-with-limerat/\r\n[8] – https://blogs.blackberry.com/en/2023/02/blind-eagle-apt-c-36-targets-colombia?utm_medium=social\u0026utm_content=cyber\r\nSource: https://lab52.io/blog/apt-c-36-from-njrat-to-apt-c-36/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://lab52.io/blog/apt-c-36-from-njrat-to-apt-c-36/"
	],
	"report_names": [
		"apt-c-36-from-njrat-to-apt-c-36"
	],
	"threat_actors": [
		{
			"id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813",
			"created_at": "2022-10-25T15:50:23.688973Z",
			"updated_at": "2026-04-10T02:00:05.390055Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"APT-C-36",
				"Blind Eagle"
			],
			"source_name": "MITRE:APT-C-36",
			"tools": [
				"Imminent Monitor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b0d34dd6-ee90-483b-bb6c-441332274160",
			"created_at": "2022-10-25T16:07:23.296754Z",
			"updated_at": "2026-04-10T02:00:04.526403Z",
			"deleted_at": null,
			"main_name": "Aggah",
			"aliases": [
				"Operation Red Deer",
				"Operation Roma225"
			],
			"source_name": "ETDA:Aggah",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Aggah",
				"Atros2.CKPN",
				"Bladabindi",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"Origin Logger",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Warzone",
				"Warzone RAT",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "be597b07-0cde-47bc-80c3-790a8df34af4",
			"created_at": "2022-10-25T16:07:23.407484Z",
			"updated_at": "2026-04-10T02:00:04.58656Z",
			"deleted_at": null,
			"main_name": "Blind Eagle",
			"aliases": [
				"APT-C-36",
				"APT-Q-98",
				"AguilaCiega",
				"G0099"
			],
			"source_name": "ETDA:Blind Eagle",
			"tools": [
				"AsyncRAT",
				"BitRAT",
				"Bladabindi",
				"BlotchyQuasar",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Jorik",
				"LimeRAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"Warzone",
				"Warzone RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2",
			"created_at": "2023-06-20T02:02:10.254614Z",
			"updated_at": "2026-04-10T02:00:03.365336Z",
			"deleted_at": null,
			"main_name": "Hagga",
			"aliases": [
				"TH-157",
				"Aggah"
			],
			"source_name": "MISPGALAXY:Hagga",
			"tools": [
				"Agent Tesla"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bd43391b-b835-4cb3-839a-d830aa1a3410",
			"created_at": "2023-01-06T13:46:38.925525Z",
			"updated_at": "2026-04-10T02:00:03.147197Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"Blind Eagle"
			],
			"source_name": "MISPGALAXY:APT-C-36",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434091,
	"ts_updated_at": 1775792120,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/007e0129347fec461e4591b03298dcd7ceec468e.pdf",
		"text": "https://archive.orkl.eu/007e0129347fec461e4591b03298dcd7ceec468e.txt",
		"img": "https://archive.orkl.eu/007e0129347fec461e4591b03298dcd7ceec468e.jpg"
	}
}