{
	"id": "885ab01a-5095-437d-ba3d-e6a00c4e919e",
	"created_at": "2026-04-06T01:31:39.434958Z",
	"updated_at": "2026-04-10T13:11:23.098944Z",
	"deleted_at": null,
	"sha1_hash": "05492ed154eb29b8f629bdefcce596de1596d21f",
	"title": "“PortDoor” Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4917706,
	"plain_text": "“PortDoor” Malware\r\nBy Ilan Duhin\r\nPublished: 2023-07-20 · Archived: 2026-04-06 00:45:24 UTC\r\n7 min read\r\nApr 5, 2023\r\nResearched by: Ilan Duhin\r\nExecutive Summary:\r\n“PortDoor” is a Chinese backdoor that targeted ministry agencies, public organizations and industrial plants in Eastern European countries (Russia, Belarus and Ukraine). It spreads via spear-phishing emails that contain a malicious RTF file as an attachment. Once executed, the RTF opens a Microsoft add-in file (.wll file) that is actually a DLL file.\r\nThe dropped DLL has the capabilities of gathering reconnaissance and profiling the victim’s machine, communicating with the C2 server, and privilege escalation.\r\nBehind “PortDoor” is the group dubbed “TA428” (which belongs to the Chinese government), according to the TTPs we analyzed on the DLL backdoor.\r\nThe DLL gains access to the network via the Microsoft Equation Editor vulnerability (CVE-2017-11882), which enables execution of arbitrary code without any additional user activity.\r\nTo communicate, the malware establishes an HTTP connection from the victim’s endpoint and uses the connection to exfiltrate the victim’s information, such as username and network configuration.\r\nThis report contains in-depth research of the backdoor and the RTF attachment, including an analysis of its behavior.\r\n
Banker Attack Analysis:\r\nThe backdoor’s attack steps were as follows:\r\n1. “PortDoor” encrypts its own configuration with an XOR key. The XOR loop appears as part of the file run.\r\n2. After launching, the malware collects general information about the infected system via API calls, such as computer names and IP addresses, and sends the collected information to the C2 server.\r\nhttps://medium.com/@Ilandu/portdoor-malware-afc9d0796cba\r\nPage 1 of 17\r\n3. After decrypting the configuration information, “PortDoor” checks that it is not running in a debugger (it uses the IsDebuggerPresent call).\r\n4. “PortDoor” establishes a connection with the C2 server via the HTTP protocol (45.63.27[.]162).\r\n5. The data that is received/sent is encrypted using an AES key.\r\n
Technical Analysis:\r\nHeaders of the spear-phishing email: we can see who sent it and which mailbox was targeted.\r\n· The sender was “Gidropribor[1]”, the research center of the Russian Federation.\r\n· The receiver was Igor Vladimirovich[2], CEO of Marine Engineering “Rubin”.\r\nMail Headers\r\n[1] https://gidropribor.ru/en/\r\n[2] https://www.aoosk.ru/companies/oao-tsentralnoe-konstruktorskoe-byuro-morskoy-tekhniki-rubin/\r\nWhen opening the RTF file.\r\nLooking at the file in HxD and searching the header, we can see that this is an RTF file.\r\nThe fact that this is an RTF file rather than a typical Word document should raise some red flags regarding the attachment. RTF (Rich Text Format) allows other files to be embedded in the file itself, and RTF files are often used by attackers to embed malware.\r\nSearching the hash in VT, we see that the creation time of the RTF file was in 2007.\r\nSuch a long time gap indicates a technique adversaries use to try to go under the radar of security products (especially when we see the long difference between the creation time and the last analysis section).\r\n
OLE Tools:\r\nAfter extracting the file objects with rtfdump (the tool extracts file objects), I started analyzing them deeply.\r\nAn object that seems suspicious is 290.\r\nWhen I input the argument “i” to gather more information, it indicates that we have a reference to the embedded file within this object. The magic number for this object is called “d0cf11e0”.\r\nThe object that connects us to the Equation Editor class name.\r\nFrom a quick look, we can see that the file contains the Equation class name. It is evidence that an Equation Editor vulnerability will be exploited.\r\nWhen I searched the Equation pattern in Google, I found that it connects to Royal Road malware, or by its second name, weaponizer, which uses the same technique in previous attacks of several Chinese threat actors such as TA428, the same APT that spread “PortDoor”.\r\nOnce the RTF document is executed, a .wll (Word add-in file) is dropped into the Microsoft Word startup folder.\r\nThis is largely done as an evasion technique: when a Word document is launched, an add-in file is loaded along with it, and security products recognize this as legitimate behavior.\r\nAfter running the .doc, I checked the memory strings and saw that the file below attached a DLL file. In other words, our sample is backdooring the DLL.\r\nAttach success:\r\nIn other words, the file probably already existed when we ran the RTF file earlier (our backdoor). The strings just verify the information.\r\n
When dropping the .wll file into IDA, it describes it as a DLL file.\r\nThe DLL has 33 export functions.\r\nFunctions 18 and 28 are the ones that “PortDoor” uses to perform its activities. The rest of them enter a sleep loop as part of the anti-analysis technique.\r\nWhen investigating the two missing functions, they contain an XOR loop if one of them is called.\r\nThe malware tries to achieve privilege escalation by applying the Access Token Theft technique[1] to steal explorer.exe tokens and run under a privileged security context.\r\n[1] https://attack.mitre.org/techniques/T1134/\r\nAnother suspicious API call is IsDebuggerPresent. Here, the malware uses it to determine whether it is running under a debugger. If not, it decodes the pointer to the victim’s process, which is encrypted with the XOR key.\r\nIn addition, I found two suspicious strings that describe an HTTP connection via a proxy server to a specific host.\r\nThe backdoor appears to distinguish between two HTTP response types: the ‘200’ response and ‘407’.\r\nThe full code from IDA:\r\nOne of the suspicious IP addresses that I saw is 45.63.27[.]162[1][2].\r\nThis IP address is the only one that shows up in both the source and the destination.\r\nFrom searching the IP address in attack reports, it seems that it is used as the “PortDoor” C2.\r\n[1] https://kcm.trellix.com/corporate/index?page=content\u0026id=KB94757\u0026locale=en_US\r\n[2] https://vuldb.com/?actor.portdoor\r\n
After the malware establishes a connection with the C2 server, the data that is received/sent is encrypted using an AES key.\r\nAES encrypted information.\r\nBackdoor commands (Symbols tab). It reinforces the fact that there is a C2 server.\r\nThe malware checks if the current user is a member of the Administrators group. If yes, it uses the Netapi32.dll library (querying and managing network interfaces) to get information about the user.\r\n“PortDoor” writes the GetTickCount value (to see how long the host has been awake since it started).\r\nThe decryption of a string by the backdoor: “mov” and “add” into the “eax” register, then it repeats this with the “ecx” register and “mov”s all the parameters into it.\r\nTo verify that this is the backdoor’s activity, we checked the permissions in the Memory map. We can see clearly that it is the executable code of our backdoor.\r\nChecking what causes the debugger to send us an “Exception” message when we try to run until the BP on the XOR loop: as you can see, the XOR loop is located between two IsDebuggerPresent functions that check whether the malware is in the debugger or not.\r\nThe malware uses the anti-debugging technique before it runs the XOR loop.\r\n
Reference: https://www.cybereason.com/blog/research/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector\r\nIndicators of compromise:\r\nEmail- Phishing:\r\n48a312bfbcd1674501a633fbdcaa99a487e6260414a6e450a19982578b128a52\r\nRTF:\r\n774a54300223b421854d2e90bcf75ae25df75ba9f3da1b9eb01138301cdd258f\r\nDLL:\r\n2d705f0b76f24a18e08163db2f187140ee9f03e43697a9ea0d840c829692d43c\r\nSource: https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba"
	],
	"report_names": [
		"portdoor-malware-afc9d0796cba"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1",
			"created_at": "2023-01-06T13:46:39.042499Z",
			"updated_at": "2026-04-10T02:00:03.194713Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"BRONZE DUDLEY",
				"Colourful Panda"
			],
			"source_name": "MISPGALAXY:TA428",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439099,
	"ts_updated_at": 1775826683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/05492ed154eb29b8f629bdefcce596de1596d21f.pdf",
		"text": "https://archive.orkl.eu/05492ed154eb29b8f629bdefcce596de1596d21f.txt",
		"img": "https://archive.orkl.eu/05492ed154eb29b8f629bdefcce596de1596d21f.jpg"
	}
}