PowerPoint 簡報


Evolution after prosecution
: Psychedelic APT41



Aragorn Tseng Charles Li Peter Syu Tom Lai

Malware Analysis
Incident Response
Threat Intelligence

Malware Analysis
Incident Response
Tool Development

Incident Response
Malware Analysis

Penetration 

Malware Analysis
Threat Hunting

Threat Intelligence

Who we are

2



AGENDA

01

02

03

04

05

Initial Access

Cobalt Strike Loader

APT41’s Backdoor

C2 Hiding Technique

Relation to other operations

06 Takeaway



The content of APT41 in this 
talk is mainly from 
2020/9 to 2021/8

Evolution after prosecution: Psychedelic APT41



Target Country Talk in last section

5



Target Industry

High-techHealthcare Airlines

Financial ResearchGovernment

Media

Gaming

Telecom

EnergyEducation

Manufacturing

6



New TTP

◆ Dll hollowing technique 

◆ Certificate bypass

◆ InstallUtil

◆ Early bird code injection

◆ CDN service and Cloudfare worker

◆ Some new backdoor

7



Initial Access

◆ CVE-2021-34527(printnightmare)

◆ SQL vulnerabilities

◆ phpmyadmin vulnerabilities

◆ Web vulnerabilities

◆ Flash installer

◆ Fake Decoy Icon

8



Cobalt Strike loader

Evolution after prosecution: Psychedelic APT41



Timeline for disseminating the 
Cobalt Strike

2020.7

2020.11

2021.1

2021.3

2021.4

Chacha20 
shellcode or 
loader(Chatloader) 
appeared to 
extract Cobalt 
strike Beacon

Use CDN service in 
Cobalt Strike, 
especially DNS 
beacon

Use Cloudfare
worker to hide real 
C2 IP

Use certificate 
bypass and dll
hollowing 
technique in 
Chatloader

Use multiple .NET 
loaders and 
misuse InstallUtil
to load 
CobaltStrike 2021.6

Use funnyswitch to 
load Cobalt Strike 
and use early bird 
code injection 
technique

10



Chatloader

◆ Uses chacha20 algorithm to decrypt the payload

◆ Most of the payload is Cobalt Strike, but we have also seen another backdoor

◆ ETW bypass

◆ Dll hollowing

◆ Certificate bypass(MS13-098)

offset length data

0x0:0xC 0xC config nonce

0xc:0x10 0x4 config crc32

0x10:0x14 0x4c config_enc_length

0x14:0x14+config_enc
_length

config_enc_length ciphertext

0x100:0x120 0x20 config key
11



length data

0x4 Header

0x4 Check User is SYSTEM

0x4 Mutex trigger

0x4 Delete Loader trigger

0x4 Patch EtwEventWrite trigger

0x4 Process Hollowing trigger

0x4 Injected Process Name Length(x2)

InjectedProcess
Name 

Length(x2)

InjectedProcess Name

0x4 Payload in Loader

0x4 Payload Name Length(x2)

Payload Name 
Length(x2)

Payload Name

0x4 Payload Size

0x4 Payload FilePointor

0x4 Payload crc32

0xC Payload Nonce

length data

0x4 Header

0x4 Check User is SYSTEM

0x4 Mutex trigger

0x4 Delete Loader trigger

0x4 Patch EtwEventWrite trigger

0x4 Payload in Loader

0x4 Payload Name Length(x2)

Payload Name 
Length(x2)

Payload Name

0x4 Payload Size

0x4 Payload FilePointor

0x4 Payload crc32

0xC Payload Nonce

Header:CB2F29AD

Header:8BD6488B

12



Chatloader config example
====== Decrypt Config ======

Config Nonce (12 bytes) = 0xb5 0x5e 0x14 0x8d 0x46 0xe1 0x2e 0x97 0x5d 0x3d 0x75 0xf1

Config Nonce (base64) = tV4UjUbhLpddPXXx

Config CRC32 = 0xe 0xdc 0xac 0xad

Config CRC32 (base64) = DtysrQ==

Ciphertext length = 48

Config Key = 0xa2 0x42 0x99 0x5 0x5f 0x1f 0xc 0x14 0xcb 0xdd 0xb 0x1 0xdf 0xa6 0x4c 0x34 0xf5 0xfd 0x3 0x3c 0xa7 0xf1 0xaf 0x30 0xa0 0xc7 0x5c 0x57 0x35 0x9d 0x41 0xe0

Config Key (base64) = okKZBV8fDBTL3QsB36ZMNPX9Azyn8a8woMdcVzWdQeA=

====== Config ======

Head = 0xad 0x29 0x2f 0xcb

Check User is SYSTEM = 0

Mutex trigger = 0

Delete Loader trigger = 0

Patch EtwEventWrite trigger = 1

Payload in Loader = 0

Payload Name Length = 14

Payload Name = Despxs.dll

Payload Size = 3f800

Payload FilePointor = 0

Payload CRC32 = 0x40 0xf6 0x8f 0xa7

Payload Nonce (12 bytes) = 0x93 0x49 0x68 0x79 0x6a 0xda 0xb5 0xcf 0xf0 0xf1 0xb3 0x4f
13



Dll Hollowing

Signed file

Dll hijack

libEGL.dll

wlbsctrl.dll

Find target dll in 
System32

Kernel32.dll

User32.dll

aaclient.dll

DLL Hollowing: Inject 
malware payload in 
aaclinet.dll’s .text section

Synchost.exe

Create 
Process

Synchost.exe’s
Module

Read File

Load module
launcher

payload

Choose 
aaclient.dll

dll hollowing

14



Dll Hollowing (cont.)

https://github.com/forrest-orr/phantom-dll-hollower-poc 15

https://github.com/forrest-orr/phantom-dll-hollower-poc


Certificate bypass

セワシ

Valid 
certificate

Valid 
certificate

セワシ

Shell
code

The address of the Certificate Table

signature length

16



.NET loader

InstallUtil.exe KBDHE475.
dll

kstvmutil.ax

payload

1. 
System.Configur
ation.Install.Inst
aller

3.Inject 
payload via 
Process 
Hollowing

2.Read File 
and decrypt 
with AES

sdiagnhost.exe

Payload:
cobalt strike or 
other backdoor: 
ex: Natwalk

Use InstallUtil to bypass application 
allowlist restrictions.

.NET 
loader(obfuscation by 
ConfuserEx)

17



.NET loader structure

offset data

offset 38(h) –
47

md5 hash of offset 48 until end

offset 48-53 Sha256 as AES key

offset 54-67 MD5 as AES IV

offset 68 - end Encrypted payload with AES(ECB)

offset data

offset 0-3 must be 1F A4 3A AC

offset 4-7 the length of the payload

offset 8 - end malware payload

Version 2.63

offset Data

offset 84(h) -93 md5 hash of offset 48 until end

offset 94-9f Sha256 as AES key

offset a0-ab MD5 as AES IV

offset ac - end Encrypted payload with AES(ECB)

offset data

offset 0-3 must be 0C C0 73 95

offset 4-7 the length of the payload

offset 8 - end malware payload

Version 17.102

After decryption

18



Fishmaster loader

◆ PDB : C:\Users\test\Desktop\fishmaster\x64\Release\fishmaster.pdb

◆ Some have “Bidenhappyhappyhappy” in strings

◆ Two ways to decrypt payload

◆ Xor with hardcode key, ex:” Bsiq_gsus” or “miat_mg”

◆ Use UUIDShellcode and callback function

19



Funnyswitch loader

◆ Name from ptsecurity*, which will inject .NET backdoor funny.dll in memory

◆ We found new version loader(mcvsocfg.dll) which may target McAfee user

◆ E:\VS2019_Project\while_dll_ms\whilte\x64\Release\macoffe.pdb

◆ Another : 
E:\\VS2019_Project\\prewhiltedll\\x64\\Release\\prewhiltedll.pdb

◆ We found the new loader inject Cobalt Strike and funny.dll

*https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-
backdoors-old-and-new/

Cobaltstrike funnydll 20

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/


Early code injection Loader

◆ Using open source Alaris loader* to use  
syscalls to run cobalt strike

◆ Load PNG resource as payload and decrypt 
with RC4

◆ Using Detour to hook the Freelibrary API of 
the launcher

◆ Using early bird code injection technique

◆ NtTestAlert

◆ KiUserApcDispatcher

*https://github.com/cribdragg3r/Alaris
21

https://github.com/cribdragg3r/Alaris


Backdoor

Evolution after prosecution: Psychedelic APT41



APT41’s Backdoor during 2020-2021

Natwalk

APT41 Errorroot

HIGHNOON

Funnydll

Shadowpad

Cobalt strike

RBRAT

PlugX

Spyder

Winnti
Linux RAT

23



errorroot

◆ A listening-port backdoor, was first found in 2019

◆ New version in 2021 

◆ c:\js\js.pdb

◆ add “http://+:80/default” to the URL Group of the server to enable the server 
to open port 80

◆ If the format of packet which connecting to the errorroot is wrong, the server 
will send a unique error message:" <meta http-equiv="refresh" 
content="0;url=/">" and redirect you to http://[IP]/

◆ It can just use curl to send the instruction to errorroot

"curl -v http://[ip]/default -d echo -e ‘\x00\x00\x00\x00\x65\x71\xae\xdc\x12\x34\x56\x78\x01\xbc’ --output -"

24

http://[IP]/


Command of errorroot

command description

0x0 send victim info(computer name, 
User name, Process name, Os

versiion, IP)

0x1 Open shell

0x2 close process/thread/handle

0x3 write data to pipe(must use 0x1 to 
open a pipe)

0x4 send pipe info

0x7 send logic drive info

0x9 List File

0xB Upload File

0xD Download File

0xF Delete File

0x11 List Process

command description

0x12 Kill Process

0x13 Mimikatz_kuhl_m_ts_session

0x18 Start process

0x19 Call function by 
address(offset+0x50,0x58,0x60)

0x1A Call function by address 
(offset+0x70,0x80)

0x1B Call function by address 
(offset+0x68)

0x1C Call function by address 
(offset+0x78)

25



RBRAT

◆ Name from its function prefix 

◆ Ex: “RB”Shell

◆ May have some relations to Rbdoor

◆ Mutex

◆ googleupdater1.0.1

◆ Listen port backdoor

◆ Import table with windivert

◆ Add firewall rule

command description

0 beacon

1 Open a shell(RBShell)

2 Upload file(RBUpload)

3 download file(RBDownload)

4 collect system info

5 collect network info

6 list process

7 collect service info

8 take screenshot

250 File Exploer(RBFileExploer)

26



RBRAT(cont.)

◆ Having magic number of packets just like 
Rbdoor /Stone

◆ Magic number (static key)

◆ 0xA1B5D2F，0x4A3C7FD5

◆ One of Rbdoor’s magic number : 
0xABC18CBA*

◆ Shell command of RBRAT

◆ May modified from Cryptcat

*https://github.com/TKCERT/winnti-nmap-
script/blob/master/winnti-detect.nse

27

https://github.com/TKCERT/winnti-nmap-script/blob/master/winnti-detect.nse


Natwalk

◆ Dropped by chatloader

◆ First seen in the wild in 2021/3, and first seen on VT in 2021/7

◆ Shellcode based backdoor 

◆ It uses register + offset to call the Windows api (also used by crosswalk)

◆ The name is from the unique file path it will look up : 
“%AllUserProfile%\UTXP\nat\”

rbx = 7FEF1431534
28



Natwalk(cont.)

◆ Transport protocol
◆ Raw TCP socket
◆ HTTPS:Post requests to C2 server

◆ gtsid : generated by CryptGenRamdom
◆ gtuvid : generated by CryptGenRamdom and md5 operation
◆ Uses chacha20 md5 to encrypt/decrypt the message to/from C2 server

29

the post request of Natwalk

raw TCP



Natwalk(cont.)

◆ Crosswalk also uses register + offset to call the Windows api in shellcode

◆ First cammand code are both 0x64

◆ But commands are different

30



Natwalk(cont.)
command description

0x64 close connection

0x5C create session key

0x66 open a shell

0x68 download file

0x70 Upload file

0x74 Delete File

0x78 kill process

0x7c run shellcode

0x7e Unknown

0x80 Unknown

0x82 list process

0x84 Unknown

0x8C list service

0x8E list directory

31

Software\Microsoft\Windows\CurrentVersion\Intern
et Settings
ProxyServer
texplorer.exe
%AllUsersProfile%\UTXP\nat\
%02X
POST
Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36
gtsid:
gtuvid:
https://msdn.microsoft.com
https://www.google.com
https://www.twitter.com
https://www.facebook.com

Unique string in the bottom of Natwalk



HIGHNOON(Botdll64)

wbemcomn.dll sdhasjk.dllWmiApSrv.exe

Dll hijack IAT modify

Decrypt 
payload with 
DPIAPI/AES

Botdll64.dll

Packed with 
UPX in 
memory

HIGHNOON

Windivert.dll

Windivert.sys

User mode

Kernel 
mode

Reflective 
injection

(1) packet

(2a) 
Matching 
packet

(2b) non-matching packet

(3) re-
injected 
packet

32



HIGHNOON Loader 

DPAPI version
AES version

choose the driver determined by the dwMinorVersion 33

“F:\2019\RedEye\Door\Bin\Middle64.pdb”



HIGHNOON command

◆ Command is same as the HIGHNOON mentioned by Macnica* in 2018

command description

0 Bind Network Socket

1 Check IP address change and 
Receive Packet, Console Output

3 Console Output

4 Read //DEV//NULL and Console 
Output

5 Check IP address change and 
Receive Packet, Console Output

*https://hitcon.org/2018/pacific/downloads/1214-R2/1330-1400.pdf

34

https://hitcon.org/2018/pacific/downloads/1214-R2/1330-1400.pdf


Funnydll*

config

<?xml version="1.0" encoding="utf-8"?> <Config Group="redacted" 
Password="test" StartTime="0" EndTime="24" 
WeekDays="0,1,2,3,4,5,6"> <TcpConnector
address="4iiiessb.wikimedia.vip" port="443" interval="30-60"/>
</Config>

mcvsocfg.dll Stage_1.shellcode Funny.dll

Base64+AES 
decrypt

Js module                   

35*https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-
backdoors-old-and-new/

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/


Funnydll

◆ In 2020, the config of funnydll is plaintext, in 2021, the config will decrypt by 
funny.core.run which using AES and base64

◆ Command, protocol, and js module are same as 2020*

36



Shadowpad
◆ APT41 used the new builder of shadowpad in 2021, which was mentioned in 

Ptsecurity’s report* which used new obfuscation method and decryption 
method for configuration

◆ We think this builder was a shared Tool, because we have also seen Naikon
Team use this builder 

◆ Md5 of the loader:3520e591065d3174999cc254e6f3dbf5

37

def decrypt_string(src):
key = struct.unpack("<H", bytearray(src[0:2]))[0]
data_len = struct.unpack("<H", bytearray(src[2:4]))[0]
data = src[4:4+data_len]
result = ""
i=0
while(i < data_len):

tmp = key
tmp += tmp
key = key + (( tmp * 8 ) & 0xFFFFFFFF) + 0x107E666D
result += chr(((HIBYTE(key) + BYTE2(key) + BYTE1(key) + LOBYTE(key)) ^ ord(data[i])) & 0xFF)
i+=1

return result
*https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-
backdoors-old-and-new/

The method to decrypt the 
string of the configuration

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/


Shadowpad config example

38

id = 6/18/2021 11:26:19 AM 
Messenger = TEST 
Binary Path = %ALLUSERSPROFILE%\Microsoft\WinLSAM\
Binary Name = LSAM.exe 
Loader Name = log.dll 
Payload Name = log.dll.dat 
Service Name = SystemAssociationManager
Service Display Name = System Association Manager 
Service Description = This service provides support for the device association 
software. If this service is disabled, devices may be configured with outdated 
software, and may not work correctly.  
Registry Key Install = SOFTWARE\Microsoft\Windows\CurrentVersion\Run  
Registry Value Name = LocalSystemAssociationManager
Inject Target 1 = %windir%\system32\svchost.exe  
Inject Target 2 = %windir%\system32\wininit.exe  
Inject Target 3 =   
Inject Target 4 =   
Supposed to have 4 server
Server1 = TCP://1dfpi2d8kx.wikimedia.vip:443  
Server2 =   
Server3 =   
Server4 =   
Socket 1 = SOCKS4
Socket 2 = SOCKS4
Socket 3 = SOCKS5 
Socket 4 = SOCKS5 
DNS 1 = 8.8.8.8
DNS 2 = 8.8.8.8
DNS 3 = 8.8.8.8
DNS 4 = 8.8.8.8

config offset:0x96



C2 Hiding

Evolution after prosecution: Psychedelic APT41



CDN service

◆ Https beacon : direct use CDN service 
◆ Ex: microgoogle[.]ml

◆ DNS beacon

Real C2 IP

40

ns1.hkserch.com

No resolution



parks their DNS 
beacon C2 domain on 
some specific IP, ex: 
8.8.8.251, 4.2.2.2



Cloudfare Worker
◆ use Cloudflare Workers as redirector to hide the real C2 IP

Real C2proxyVictim

Cloudfare worker

cdn.cdnfree.workers.dev
42



Relation to other operations

Evolution after prosecution: Psychedelic APT41



Cobalt strike 
payload

Same Xor key:
0x3A

Funnyswitch
dropper which  
injected 
cobalt strike

ITW Url

Fishmaster operation – TAG-22*

Funnyswitch
dropper which  
injected funnydll

Connection of 
APT41 and 
fishmaster operation

New builder 
of Shadowpad

IR case

Same PDB string

* https://www.recordedfuture.com/chinese-group-
tag-22-targets-nepal-philippines-taiwan/

https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/


Other operation

cobaltstrike

cobaltstrike

IR case

IR case

#Goblin 
panda

*RedFoxtrot
Drop PCshare

# https://community.riskiq.com/article/56fa1b2f
* https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf

security_audit_template_final.doc

https://community.riskiq.com/article/56fa1b2f
https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf
https://www.virustotal.com/gui/search/name%253Asecurity_audit_template_final.doc


# https://community.riskiq.com/article/56fa1b2f
* https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf

security_audit_template_final.doc

#Goblin panda

*RedFoxtrot
Drop PCshare

Connection to 
Gobling Panda or 
Other Chinese APT

https://community.riskiq.com/article/56fa1b2f
https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf
https://www.virustotal.com/gui/search/name%253Asecurity_audit_template_final.doc


HW operation

◆ To detect the security issues of key national infrastructure, and to test their 
event monitoring and ability to quickly coordinate with emergency incident

◆ The target involves many industries, including government, finance, electricity, 
and business key enterprises in China. 

◆ From OSINT, the operation started from 4/8 in 2021

47



南京木百文化传媒有限公司.exe



Maybe link to HW operation

49

Cobalt strike loader in IR case
which use alaris loader with 
resource png payload 

Same loader

南京木百文化传媒有限公司.exe

Funnyswitch

Same unique 
shellcode in 
caculating
api hash 

调整中移在线服务有限公司
职工五险一金缴纳比例的通
知.exe

Cobalt strike loader in IR case
which used early bird code injection 

VPN统一身份证认证
ID.exe

运维安全管理与审计系统
单点登录插件.exe

Same Cobalt 
strike payload 
header



Used(stolen) certificate

◆ Happytuk Co.,Ltd.

◆ Serial Number : 0E D4 DF 10 33 39 3F F2 AF 41 C5 71 A6 AA 19 D7

◆ Rhaon Entertainment Inc

◆ Serial Number : 06 80 8C 59 34 DA 03 6A 12 97 A9 36 D7 2E 93 D4

◆ Subgroup which maybe had relation to APT41

◆ Quickteck.com
◆ Serial Number : 70 D8 96 11 7E 15 30 2C 7E EF EC B2 89 B3 BF E0

◆ 주식회사엘리시온랩(Elysion Lab Co., Ltd.)
◆ Serial Number : 03 D4 33 FD C2 46 9E 9F D8 78 C8 0B C0 54 51 47

◆ 1.A Connect GmbH
◆ Serial Number : 00 A7 E4 DE D4 BF 94 9D 15 AA 42 01 84 3F 1A B6 4D

50



Takeaway

◆ Various kind of cobalt strike loader and some new attack techniques

◆ New backdoor ex: RBRAT and Natwalk

◆ C2 hiding techniques

◆ Relation to other operations

51



IOC

52

◆ Chatloader
7ee9b79f4b5e19547707cbd960d4292f

F5158addf976243ffc19449e74c4bbad

1015fa861318acbbfd405e54620aa5e3

a1d972a6aa398d0230e577227b28e499

◆ .NET loader
bd2d24f0ffa3d38cb5415b0de2f58bb3

◆ Fishmaster loader

◆ Funnyswitch loader
e0a9d82b959222d9665c0b4e57594a75

07a61e3985b22ec859e09fa16fd28b85

d720ac7a6d054f87dbafb03e83bcb97c

F85d1c2189e261d8d3f0199bbdda3849

5b2a9a12d0c5d44537637cf04d93bec5

◆ Early bird code injection loader
4598c75007b3cd766216086415cc4335

Fd6ae1b8713746e3620386a5e6454a8d

b028b4f8421361f2485948ca7018a2b0

◆ Errorroot
e960a17265925cf0f5706c9610551dd1

be473559dbd0098baab3e2a8ac40b780

◆ RBRAT
abbf8ae67cd49376a27e91f14852427e

6b852b60fc55ae2e4bb4141968b4d941

1746e35114807673c9af708c0b08213c

◆ Natwalk
1d36404f85d94bea6c976044cb342f24

7c6e75e70d29e77f78ea708e01e19c36

◆ HIGHNOON loader
407b5200c061123c9bd32e7eea21a57b

5b99fa01c72cebc53a76cc72e9581189

◆ Funnydll
e0a9d82b959222d9665c0b4e57594a75

◆ Shadowpad
af7cef9e0e6601cae068b73787e3ae81



IOC

53

symantecupd.com

microsoftonlineupdate.dynamic-
dns.net

www.sinnb.com

pip.pythoncdn.com

img.hmmvm.com

reg.pythoncdn.com

bbwebt.com

ns1.tkti.me

test.tkti.me

ns1.microsofts.freeddns.com

api.aws3.workers.dev

ns1.hkserch.com

godaddy1.txwl.pw

godaddy2.txwl.pw

ns.cdn06.tk

update.facebookdocs.com

ns1.dns-dropbox.com

ns1.wystedba.top

ns.cloud20.tk

ns.cloud01.tk

ns1.token.dns05.com

sculpture.ns01.info

work.cloud20.tk

work.cloud01.tk

help01.softether.net

cloud.api-json.workers.dev

update.microsoft-api.workers.dev

up.linux-headers.com

p.samkdd.com

ns1.microsoftskype.ml

ns1.hongk.cf

ns1.163qq.cf

163qq.cf

depth.ddns.info

ooliviaa.ddns.info

mootoorheaad.ns01.info

token.dns04.com

ns1.watson.misecure.com

vt.livehost.live

sociomanagement.com

ns1.hash-prime.com

wntc.livehost.live

smtp.biti.ph

perfeito.my

cdn.cdnfree.workers.dev

www.microsofthelp.dns1.us

ns1.mssetting.com

www.corpsolution.net

www.mircoupdate.https443.net

publicca.twhinet.workers.dev

microgoogle.ml

www.google-dev.tk

api.gov-tw.workers.dev

103.255.179.54

www.omgod.org

154.223.175.70

687eb876e047.kasprsky.info

zk4c9u55.wikimedia.vip

193.38.54.110

api.aws3.workers.dev

4iiiessb.wikimedia.vip

45.32.123.1

158.247.215.150

ntp.windows-time.com

trulwkg5c.tg9f6zwkx.icu

windowsupdate.microsoft.365filteri
ng.com

wustat.windows.365filtering.com



Reference

◆ [1] https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-
group.pdf

◆ [2] https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-
backdoors-old-and-new/

◆ [3] https://www.lac.co.jp/lacwatch/report/20210521_002618.html

◆ [4] https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/

◆ [5] https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/

◆ [6] https://hitcon.org/2018/pacific/downloads/1214-R2/1330-1400.pdf

54

https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
https://www.lac.co.jp/lacwatch/report/20210521_002618.html
https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/
https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/
https://hitcon.org/2018/pacific/downloads/1214-R2/1330-1400.pdf


aragorn@teamt5.org
charles@teamt5.org
peter@teamt5.org
tom@teamt5.org

THANK YOU!