{
	"id": "ff8d48ca-e676-403e-8a79-8b3d3c122f46",
	"created_at": "2026-04-06T00:16:07.653486Z",
	"updated_at": "2026-04-10T03:36:36.98653Z",
	"deleted_at": null,
	"sha1_hash": "00d51487abdfba7c4a2584942637f93eca0e69d9",
	"title": "SectorJ04 Group’s Increased Activity in 2019 – Red Alert",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2292148,
	"plain_text": "SectorJ04 Group’s Increased Activity in 2019 – Red Alert\r\nArchived: 2026-04-05 16:43:00 UTC\r\nAbstract\r\nSectorJ04 is a Russian-based cybercrime group that began operating about five years ago and conducted hacking\r\nactivities for financial profit using malware such as banking trojans and ransomware against national and\r\nindustrial sectors located across Europe, North America and West Africa.\r\nIn 2019, the SectorJ04 group expanded its hacking activities to cover various industrial sectors located across\r\nSoutheast Asia and East Asia, and is changing the pattern of their attacks from targeted attacks to searching for\r\nrandom victims. This report includes details related to the major hacking targets of the SectorJ04 group in 2019,\r\nhow those targets were hacked, characteristics of their hacking activities this year and recent cases of the\r\nSectorJ04 group’s hacking.\r\nSectorJ04 group activity range and hacking methods\r\nThe SectorJ04 group has maintained the scope of its existing hacking activities while expanding its hacking\r\nactivities to companies in various industrial sectors located in East Asia and Southeast Asia. There was a\r\nsignificant increase in their hacking activities in 2019, especially those targeting South Korea. They mainly utilize\r\nspam email to deliver their backdoor to the infected system that can perform additional commands from the\r\nattacker’s server.\r\n \r\nMain countries and sectors targeted\r\nThe SectorJ04 group’s preexisting targets were financial institutions located in countries such as North America\r\nand Europe, or general companies such as retail and manufacturing, but they recently expanded their areas of\r\nactivity to include the medical, pharmaceutical, media, energy and manufacturing industries. They do not appear\r\nto place much restrictions on the sectors targeted. 
The following are the sectors and countries in which SectorJ04 group activity was found in 2019.\r\nFigure 1 SectorJ04 group’s first half activity timeline in 2019\r\nhttps://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/\r\nPage 1 of 27\n\nTargeted Countries\r\nWe saw SectorJ04 group activity in Germany, Indonesia, the United States, Taiwan, India, France, Serbia, Ecuador, Argentina, South Korea, Japan, China, Britain, South Africa, Italy, Hong Kong, Romania, Ukraine, Macedonia, Russia, Switzerland, Senegal, the Philippines, UAE, Qatar, Saudi Arabia, Pakistan, Thailand, Bahrain, Turkey, Bulgaria, Bangladesh.\r\nFigure 2 SectorJ04 group targeted countries\r\nTargeted Industries\r\nFinancial-related corporate and government departments such as banks and exchanges\r\nRetail businesses such as shopping malls and social commerce\r\nEducational institutions such as universities\r\nManufacturing companies such as manufacturers of electronic products\r\nMedia companies such as broadcasting and media\r\nPharmaceutical and biotechnology-related companies\r\nA job-seeking company\r\nEnergy-related companies such as urban gas and wind power generation\r\n \r\nHacking Techniques\r\nThe SectorJ04 group mainly uses spear phishing emails with MS Word or Excel files attached; the document file downloads a Microsoft Installer (MSI) installation file from the attacker server and uses it to install a backdoor on the infected system. 
As anti-virus programs have recently begun to detect the MSI files, in some instances the macro scripts contained in the malicious documents install the backdoor directly onto the infected system without using an MSI file.\r\nFigure 3 Schematic drawing for SectorJ04 group’s hacking method\r\nThe malicious documents used for hacking are mainly written around MS Office themes, and the same themes are often reused several times, with only the language changed to match the victim’s language.\r\nIn addition, the MSI file backdoors used by SectorJ04 mostly carried valid digital signatures, and most of the malware was signed just days before it was found.\r\nFigure 4 Part of the malicious document execution screen that the SectorJ04 group attaches to the spear phishing email\r\nFigure 5 Part of the digital signature found in the executable used for hacking\r\nDigital signature information found in malware\r\nVAL TRADEMARK TWO LIMITED\r\nALLO LTD\r\nCOME AWAY FILMS LTD\r\nAWAY PARTNERS LIMITED\r\nANG APPCONN LIMITED\r\nSTART ARCHITECTURE LTD\r\nSLON LTD\r\nDIGITAL DR\r\nFIT AND FLEX LIMITED\r\nDream Body Limited\r\nBOOK A TEACHER LTD\r\nMARK A EVANS LTD\r\nWAL GRAY LTD\r\nMISHA LONDON LTD\r\nSTART ARCHITECTURE LT\r\nBASS AUTOMOTIVE LIMITE\r\nFILESWAP GLOBAL LT\r\nHAB CLUB LT\r\nET HOMES LT\r\nMain Malware Used\r\nThe SectorJ04 group mainly used its own backdoors, ServHelper and FlawedAmmyy RAT, for hacking. It also used the Remote Manipulator System (RMS) RAT, a legitimate remote management software created in Russia. 
Backdoors are installed on the infected systems, and the group also distributed email stealers, botnet malware and ransomware through those backdoors.\r\nThey were recently confirmed to use additional backdoors called AdroMut and FlowerPippi, which are used either to install other backdoors such as FlawedAmmyy RAT in place of the MSI file, or to collect system information and send it to the attacker’s server.\r\n \r\nMalware Types Found Before 2019\r\nServHelper – Initial infection method: an MSI file downloaded by a document file attached to a spear phishing email. Downloaded by the MSI: Nullsoft Installer. Characteristic: C2 responses use a specific separator.\r\nFlawedAmmyy RAT – Initial infection method: the same MSI file. Downloaded by the MSI: encoded FlawedAmmyy RAT. Characteristics: checks for antivirus; registers automatic execution as “wsus.exe”.\r\nRMS RAT – Initial infection method: the same MSI file. Downloaded by the MSI: SFX file. Characteristic: uses configuration files in DAT format.\r\nMalware Types Found After 2019\r\nAdroMut – Initial infection method: document files attached to the spear phishing emails. Characteristics: internally used strings are base64-decoded and then decrypted with AES-256 in ECB mode; loaded into “ComputerDefaults.exe” using the DLL side-loading technique.\r\nFlowerPippi – Initial infection method: document files attached to the spear phishing emails. Characteristics: stores infected system information in (encrypted) JSON format; uses a hard-coded RC4 key; simpler functionality than AdroMut.\r\nThe backdoor installed in the infected system distributed additional botnet malware, ransomware and email stealers. The email stealer collects connection protocol information and account information, such as the SMTP, IMAP and POP3 credentials stored in the registry by the Outlook and Thunderbird mail clients, and sends them to the attacker server in a specific format.\r\nFigure 6 Format to send email credentials collected by email stealer\r\nFigure 7 Some of the email stealer codes that access email account information stored in the registry\r\nFigure 8 Some of the email 
stealer codes that access email account information stored in the registry 2\r\nAn email stealer may also have a file collection function that gathers email information recorded in the metadata of files with hard-coded extensions. In addition, the malware eventually creates and executes a batch file to delete itself, removing its execution traces from the infected PC.\r\nFigure 9 Some of the file extensions that the email stealer collects data from\r\nThe SectorJ04 group is believed to collect the email accounts stored on infected systems for use in subsequent attacks.\r\nCharacteristics of hacking activities of SectorJ04 group in 2019\r\nThe following are the features of the group’s first-half 2019 activities identified through analysis of the SectorJ04 group’s hacking activities.\r\nIncreased hacking activities targeting East and Southeast Asia\r\nChanges in spam email format and hacking methods\r\nChanges in hacking targets from specific organizations and industry groups to a large number of irregular ones\r\nAlthough the SectorJ04 group mainly targeted countries located in Europe or North America, it has recently expanded its field of activities to countries located in Southeast Asia and East Asia. In particular, the frequency of hacking attacks targeting South Korea has increased, and spam emails targeting China were found in May.\r\nChanges could also be seen in the attachments to the spam emails used by the attackers. Earlier spam emails used attachments in the form of malicious documents, but attachments with HTM and HTML extensions were also found, and the email text included links to download malicious documents directly.\r\nThe SectorJ04 group’s initial spam emails had no body text or only short sentences, but the latest spam emails found were elaborately written and included images. 
A new type of backdoor called AdroMut and a new malware called FlowerPippi were also found coming from SectorJ04.\r\nPrior to 2019, the SectorJ04 group conducted large-scale hacking activities for financial gain, using exploit kits on websites to install ransomware such as Locky and GlobeImposter, along with its banking trojan, on victims’ computers. Since 2019 the group has changed its hacking strategy to attacks using spam email. In particular, a number of remote control malware are used to obtain resources such as email accounts and system login information from the infected machine, which are then used to send more spam emails and distribute the group’s malware.\r\nIncreased hacking activities targeting East and Southeast Asia\r\nThe hacking activities of the SectorJ04 group targeting South Korea in the first half of 2019 were discovered continuously. The emails found were written around invoice and tax accounting themes, and had MS Word or Excel files with malicious macros attached. The malicious documents written in Korean have the same MS Office theme as those used in hacking activities in other languages.\r\nFigure 10 Spear phishing emails disguised as order sheets\r\nIn June 2019, continuous hacking activities targeting South Korea were found again, and the spam emails were written with various contents, including transaction statements, receipts and remittance cards. 
During that period, a number of spam emails disguised as remittance cards of the same type were found.\r\nFigure 11 Spear phishing email disguised as a remittance card\r\nThe SectorJ04 group has carried out large-scale hacking activities targeting South Korea, while also expanding its field of attacks to Southeast Asian countries such as Taiwan and the Philippines. Spam emails and attachments written in Chinese were found in May, and at that time the SectorJ04 group targeted industrial sectors such as electronics and telecommunications, international schools and manufacturing.\r\nFigure 12 Spear phishing emails written in Chinese\r\nFigure 13 Malicious Excel file execution screen written in Chinese\r\nChanges in spam email format and hacking methods\r\nIn June, the SectorJ04 group conducted hacking using spam emails written in various languages, including English, Arabic, Korean and Italian, and the emails were written with various contents, including remittance cards, invoices and tax invoices.\r\nAlong with the existing method of using MS Word or Excel files as attachments, they attached HTML files that download malicious documents, or included links in the email text to download malicious documents directly.\r\nIn the past, the emails used in attacks had little or no content, but the latest ones use elaborately written spam emails for hacking, for example including images.\r\nFigure 14 Spear phishing email disguised as bank statement\r\nFigure 15 Spear phishing email disguised as a hospital certificate\r\nChanges have also been found in the hacking methods of the SectorJ04 group. 
In addition to their preexisting backdoors, ServHelper and FlawedAmmyy, they have also been confirmed to use the backdoors called AdroMut and FlowerPippi.\r\nAdroMut downloads the malware used by the SectorJ04 group (ServHelper and FlawedAmmyy RAT) from the attacker server and at the same time performs the functions of a backdoor.\r\nFlowerPippi collects infected system information, such as the domain of the infected system, proxy settings, administrator rights and OS version, and performs functions such as executing received commands and downloading and executing DLL and EXE files.\r\nFigure 16 Encoded strings in the AdroMut backdoor\r\nFigure 17 Hard-coded RC4 key seen in the FlowerPippi backdoor\r\nThe SectorJ04 group is believed to have developed and used malware that functions as a downloader for installing or downloading malware, in order to replace the MSI installation files that it had used for hacking for more than six months, as the detection rate of security solutions for those files increased.\r\nFigure 18 Some of the digital certificate information identified in the corresponding hacking activity\r\nThe SectorJ04 group, which had been using the same pattern of infection and the same malware for more than six months, is believed to be attempting to change its infection methods, for example by downloading malware directly from malicious documents without using MSI installation files, changing its spam email format and using new types of backdoor.\r\n \r\nChanges in hacking targets from specific organizations and industries to random ones\r\nUntil 2019, the SectorJ04 group had carried out massive website-based hacking activities that mainly used ransomware and banking trojans for financial profit, and has also been carrying out information gathering activities to secure attack resources such as email accounts and system login 
information from users since 2019.\r\nThis allows them to expand the range of targets of their hacking activities for financial profit; in this regard, the SectorJ04 group was found to have hacked into a company’s internal network around February 2019 by using spear phishing emails targeting executives and employees of certain South Korean companies.\r\nThey eventually compromised the Active Directory (AD) server and took control of the entire corporate internal network, and then distributed the Clop ransomware through the AD server. From the hacking activity, we also found malware for collecting email information and “AmadeyBot”, a botnet malware whose source code is available on Russian underground forums.\r\nFigure 19 Spear phishing email used for hacking activities targeting AD servers in South Korea\r\nThey are believed to have continuously attempted to hack into companies in South Korea to distribute Clop ransomware. 
In May, the attackers used spam emails disguised as being sent by the National Tax Service to install FlawedAmmyy RAT on the infected system; during that period, Clop ransomware was found signed with the same certificate as the FlawedAmmyy RAT executable file.\r\nFigure 20 Spear phishing email disguised as tax bill\r\nThe SectorJ04 group has shown a pattern of hacking activities that has changed from targeted attacks to large-scale distribution of spam.\r\nMajor Malware Installation Types\r\nThe following describes three types of backdoor installation from malicious documents identified in the SectorJ04 group-related hacking cases that occurred during the first half of 2019.\r\nType 1 – Using encoded executable file\r\nThe SectorJ04 group carried out intensive hacking on various industrial sectors, including South Korea’s media, manufacturing and universities, around February and March 2019. They used spear phishing emails to spread malicious Excel or Word files, which downloaded MSI files from the attacker’s server when the malicious documents were run.\r\nThe MSI file installs a downloader that downloads an encoded FlawedAmmyy RAT from the attacker server onto the infected system, and the downloaded FlawedAmmyy RAT registers itself for automatic execution under the name “wsus.exe”.\r\nFigure 21 Backdoor installation type using an encoded executable file (Type 1)\r\nFlawedAmmyy RAT performs remote control functions on the infected system and decodes the encoded executable files downloaded from the attacker server using certain hard-coded strings. 
It also has a function that checks whether a particular process is running to determine whether the malware should execute.\r\nFigure 22 “Ammy Admin” string found in FlawedAmmyy RAT\r\nFigure 23 Part of the decode code that uses hard-coded strings\r\nType 2 – Using NSIS Script\r\nThe SectorJ04 group conducted hacking activities targeting financial institutions located in India and Hong Kong around April 2019. Malicious documents delivered through spear phishing emails downloaded an MSI file, which delivers an NSIS installer to the infected system. The NSIS script executes the final payload, ServHelper in DLL file format, using “rundll32.exe”.\r\nNote that NSIS (Nullsoft Scriptable Install System) is a script-based, lightweight installation system for Windows supported by Nullsoft.\r\nFigure 24 Backdoor installation type using an NSIS installer (Type 2)\r\nDecompressing the NSIS installer installed by the MSI file shows that it consists of an NSIS script with an NSI extension, ServHelper in DLL file format, and “ncExec.dll”, the legitimate DLL required by the NSIS script.\r\nFigure 25 Uncompressed NSIS installer\r\nFigure 26 Part of the NSIS script for running ServHelper in DLL file format\r\nServHelper performs the backdoor function on the infected system and sends specific types of responses to C2 servers using delimiters such as “key”, “sysid” and “resp”. Different delimiters are sometimes found depending on the sample.\r\nFigure 27 Part of the ServHelper backdoor C2 communication code\r\nType 3 – Using Self-Extracting File\r\nThe SectorJ04 group carried out hacking activities targeting financial institutions located in Italy and other countries around May 2019. 
Malicious documents delivered through spear phishing emails pass MSI files to the infected system, and the MSI files download a self-extracting executable (SFX) file. When the SFX file is executed, another SFX file inside it is executed, and the final payload, RMS RAT, is delivered to the infected system.\r\nFigure 28 Backdoor installation type using SFX executable files (Type 3)\r\nThe first SFX file downloaded by the MSI file contains four files. When executed, it runs a command that renames the inner SFX file (“kernel.dll”) from the DLL extension to EXE and decompresses it using a hard-coded password. The files that make up the SFX file vary from sample to sample.\r\nFigure 29 The first SFX file to be downloaded from an MSI file\r\nFigure 30 “i.cmd” for decompression of the second SFX file\r\nFour files can be seen in the decompressed second SFX file, and as before, “exit.exe” is run. “exit.exe” executes the same “i.cmd” as before, which executes an RMS RAT with the file name “winserv.exe” and registers it in the registry. 
RMS RAT is a legitimate remote management software created in Russia, and files with DAT extensions contain the configuration information used to run the RMS RAT.\r\nFigure 31 Configuration of a second SFX file disguised with a DLL file extension\r\nFigure 32 RMS RAT configuration file with a DAT extension\r\nSectorJ04 Group Activity in South Korea\r\nThe following describes the activities of the SectorJ04 group found in South Korea in July and August 2019.\r\nHacking activities disguised as electronic tickets from large airlines\r\nIn late July, the SectorJ04 group used FlawedAmmyy RAT to carry out hacking attacks on companies and universities in sectors such as education, job openings, real estate and semiconductors in South Korea. Spam emails targeting email accounts used in the integrated mail service for public officials were also found in the hacking activity.\r\nFigure 33 Spam email disguised as electronic tickets\r\nThey used spam emails disguised as those sent by large South Korean airlines and used ISO-format files as attachments. The group used the same email body to deliver spam emails to multiple hacking targets.\r\nDecompressing the ISO file attached to the spam email shows an SCR file disguised with a “.pdf” extension, which is a .NET executable that downloads an MSI file. The ISO files sometimes contain LNK files instead, which, like the malware written in .NET, download an MSI file from a remote location.\r\nFigure 34 A disguised SCR file identified within an ISO file\r\nFigure 35 MSI file downloader written in .NET\r\nFigure 36 Disguised LNK file identified within ISO file\r\nThe following valid digital signatures were found in the MSI file downloaded from the attacker server. 
Other digital signatures were also found in the names of “HAB CLUB LT” and “LUK 4 TRANSPORT LT”.\r\nFigure 37 Digital signature information for MSI files found in hacking activities\r\nFinally, FlawedAmmyy RAT is downloaded from the remote server, and the activity uses a Base64-encoded PowerShell script to determine whether the infected system is a PC that belongs to an Active Directory domain.\r\nFigure 38 PowerShell script to determine if a PC belongs to a domain\r\nHacking activity using the same email content as in the past\r\nIn early August, the SectorJ04 group carried out extensive hacking activities targeting users around the world, including South Korea, India, Britain, the United States, Germany, Canada, Argentina, Bangladesh and Hong Kong.\r\nTheir activities were particularly heavy in healthcare-related areas such as healthcare, pharmaceuticals, biotechnology and healthcare wage management, as well as energy-related companies such as gas and wind power. They also continued their attacks on preexisting target areas such as manufacturing, distribution and retail.\r\nSpam emails with body text written in French and English were found, and an MS Word file named with random numbers was used as the attachment. All emails found in the hacking activity had the same text content.\r\nFigure 39 Spear phishing emails written in French and English\r\nSpam emails in Korean were also identified in the hacking activity, indicating that the email text used in the June hacking activity was reused. The attached file is an MS Word file titled “스캔_(random number).doc”.\r\nFigure 40 Spear phishing email targeted at South Korea using the same text used in the past\r\nThe MS Word file used as an attachment is disguised as an order confirmation or a goods receipt. 
Running the macro in the document runs the downloader, in DLL file format, using “rundll32.exe”. The downloader downloads FlawedAmmyy RAT from the attacker server and runs it under the name “rundl32.exe”.\r\nFigure 41 Malicious document execution screen disguised as order confirmation\r\nFigure 42 Malicious document execution screen for Korean language users disguised as a receipt of goods\r\nFigure 43 Part of the macro script included in the malicious document\r\nThe FlawedAmmyy RAT found in the hacking activity showed the existing “Ammyy Admin” string modified to “Popss Admin” and created a mutex named “KLGjigjuw4j892358u432i5”. In addition, the compile path “c:\\\\123\\\\123\\\\clear\\\\ammyygeneric\\\\target\\\\TrFmFileSys.h” was found inside the file.\r\nFigure 44 Changed hard-coded string information in FlawedAmmyy RAT\r\nFigure 45 Mutex generation code using hard-coded string information\r\nIn addition to the above-mentioned changes in the FlawedAmmyy RAT found in the most recent hacking activity, other changes, such as changes in its string decoding, were identified.\r\nConclusion\r\nThe SectorJ04 group’s range of targets increased sharply in 2019, and the group appears to be striving to carry out elaborate attacks while at the same time targeting indiscriminately. 
They are one of the most active cybercrime groups in 2019; they often modify and tweak their hacking methods and perform hacking activities periodically. The SectorJ04 group’s hacking activities are expected to continue to increase, and the ThreatRecon team will continue to monitor the group’s attack activity.\r\nIndicators of Compromise (IoCs)\r\nIoCs of the SectorJ04 group included in the report can be found here.\r\nMore information about the SectorJ04 group is available to customers of the ThreatRecon Intelligence Service (service@nshc.net).\r\nMITRE ATT\u0026CK Techniques\r\nThe following is a list of MITRE ATT\u0026CK techniques we have observed based on our analysis of this malware.\r\nInitial Access: Spearphishing Attachment, Spearphishing Link, Trusted Relationship\r\nExecution: Command-Line Interface, Execution through API, Execution through Module Load, Exploitation for Client Execution, PowerShell, Rundll32, Scheduled Task, Scripting, Service Execution, User Execution, Windows Management Instrumentation\r\nPersistence: Account Manipulation, New Service, Registry Run Keys / Startup Folder, Scheduled Task, Startup Items, System Firmware, Windows Management Instrumentation Event Subscription\r\nPrivilege Escalation: Bypass User Account Control, New Service, Scheduled Task, Startup Items\r\nDefense Evasion: Bypass User Account Control, Code Signing, Disabling Security Tools, DLL Side-Loading, Exploitation for Defense Evasion, Hidden Window, Modify Registry, Obfuscated Files or Information, Rundll32, Scripting, Software Packing, Virtualization/Sandbox Evasion\r\nCredential Access: Account Manipulation, Input Capture, Input Prompt\r\nDiscovery: Account Discovery, File and Directory Discovery, Network Service Scanning, Network Share Discovery, Permission Groups Discovery, Process Discovery, Query Registry, Remote System Discovery, Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Service Discovery, Virtualization/Sandbox Evasion\r\nLateral Movement: Remote Desktop Protocol, Remote Services\r\nCollection: Automated Collection, Data from Local System, Email Collection, Input Capture\r\nCommand and Control: Commonly Used Port, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Encoding, Remote Access Tools, Standard Application Layer Protocol, Standard Cryptographic Protocol\r\nExfiltration: Automated Exfiltration, Data Compressed, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel\r\nImpact: Data Encrypted for Impact\r\nReferences\r\nKRCERT – Analysis of Attacks on AD Server (2019.04.17)\r\nhttps://www.krcert.or.kr/data/reportView.do?bulletin_writing_sequence=35006\r\nSource: https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/"
	],
	"report_names": [
		"sectorj04-groups-increased-activity-in-2019"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434567,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/00d51487abdfba7c4a2584942637f93eca0e69d9.pdf",
		"text": "https://archive.orkl.eu/00d51487abdfba7c4a2584942637f93eca0e69d9.txt",
		"img": "https://archive.orkl.eu/00d51487abdfba7c4a2584942637f93eca0e69d9.jpg"
	}
}