{
	"id": "2ca25758-d772-4975-9501-163a6d5973e4",
	"created_at": "2026-04-06T00:19:24.861589Z",
	"updated_at": "2026-04-10T13:12:26.470096Z",
	"deleted_at": null,
	"sha1_hash": "069a7db773535b1e6296e415b16b267527406664",
	"title": "Polonium APT Group: Uncovering New Elements | Deep Instinct",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1536691,
	"plain_text": "Polonium APT Group: Uncovering New Elements | Deep Instinct\r\nBy Simon Kenin, Threat Intelligence Researcher\r\nPublished: 2022-12-06 · Archived: 2026-04-05 14:48:16 UTC\r\nThe Polonium APT group's activity was first detected by Microsoft in June 2022. The group is based in Lebanon\r\nand exclusively attacks Israeli companies.\r\nThe group takes its name from chemical elements in the periodic table:\r\n“Polonium is a chalcogen. A rare and highly radioactive metal with no stable isotopes.”\r\nAt the beginning of October 2022, ESET published comprehensive research about the threat group, which\r\nincluded over a hundred hashes of malicious files. Of those files, 13 samples were found in public malware\r\nrepositories that could be further analyzed.\r\nDuring the analysis of the public samples, Deep Instinct’s threat research team discovered three additional samples\r\nfrom the Polonium arsenal that were not among the originally disclosed files.\r\nDeep Instinct discovered that Polonium is using small components to make investigation more difficult, as well as\r\na multi-step attack flow to make it harder to detect. The samples found by the Deep Instinct Threat Research team\r\nreveal additional components and alternatives to the original Polonium attack tools. We outline the new findings\r\nbelow.\r\n#1: Additional MegaCreep Loader:\r\nIn ESET’s report, they detail a MegaCreep loader (md5: 287007b3b0c0762f79e3b8a1cf2cef86) that calls\r\n“MainZero,” an external component file that, according to ESET, contains the main code of the MegaCreep\r\nbackdoor.\r\nFigure 1: On the Right – New MegaCreep loader, On the Left – MegaCreep loader analyzed by\r\nESET\r\nThe “new” file discovered by Deep Instinct (md5: 19fe1fd29122a5092f7b680e5762fc19) is most likely another\r\nloader for MegaCreep. The main difference between the two is that the newly found loader doesn’t have\r\nfunctionality by itself to create a service for persistence.\r\nhttps://www.deepinstinct.com/blog/polonium-apt-group-uncovering-new-elements\r\nPage 1 of 7\n\nHowever, thanks to the “End-user Sightings” feature in VirusTotal, we can see that the version without the service\r\nhas an auto-start registry key persistence named “MicrosoftMegUpdate.”\r\nFigure 2: MicrosoftMegUpdate persistence\r\nThe paths where the file has been observed on disk are in users' AppData subfolders:\r\nFigure 3: Paths “TaskManager.exe” has been observed in the wild, VirusTotal.\r\nTo visualize the connections between the components, we created a Maltego graph:\r\nFigure 4: Relationship graph between MegaCreep Loader and its components\r\nSince “MainZero” is not publicly available, this graph could be missing additional components.\r\nThere is also a possibility that a few different versions of MainZero exist.\r\n#2: Additional files of possible new “Creepy” malware:\r\nWhile hunting for additional files, Deep Instinct identified two additional files used by Polonium.\r\nThose two files, along with the MegaCreep loader we mentioned earlier, were uploaded on the same day, seconds\r\napart, from Israel, using Sysinternals:\r\nFigure 5: VirusTotal results of files uploaded from Israel at 2022-09-23 16:01\r\nThis most likely shows that someone was doing initial triage on infected systems.\r\nThe additional files are also written in .NET, as is most Polonium malware. Moreover, the files appeared on the\r\nsame machine as the “MegaCreep” loader we mentioned earlier:\r\nFigure 6: Paths “RLVBUp.exe” has been observed in the wild\r\nIt’s interesting to note that although Polonium reuses the same file on multiple computers, they randomize the\r\npaths where they run the malware from, as can be seen in figure 5. However, it always seems to be in some sub-folder under “AppData.”\r\nBoth files also use the “Microsoft.VisualBasic.CompilerServices” library and import external components named\r\nClassVB.dll or ClassVB2.dll. This could indicate that they used a VisualBasic component and not just C#.\r\nThe ClassVB DLLs are also not publicly available; therefore, their exact functionality is unknown. They might be a\r\nvariant of “MegaCreep” or a possible previously unidentified “VBCreep” backdoor.\r\n#3: RLVB.exe:\r\nThe code of this file is very short; it is a loader for the main functionality, which resides in “ClassVB.dll.”\r\nFigure 7: RLVB code that is using the external ClassVB component\r\nThis file also has an auto-start registry key, but under\r\n“HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CLVBUpdate”\r\nRLVBUp.exe\r\nThis file also uses VisualBasic and imports an external file with a similar name to the one in “RLVB.exe.”\r\nAn auto-start registry key under “HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CLVB11Update”\r\nexists here as well.\r\nThis file imports “PRLib.dll,” which is mentioned in ESET's research as part of “MegaCreep.”\r\nFigure 8: RLVBUp code that is using the external ClassVB2 component and PRLib\r\nRLVBUp reads/writes data from two external files named “WindMin.dll” and “UnInstall.dll:”\r\nFigure 9: RLVBUp code that is using the external files “WindMin.dll” and “UnInstall.dll”\r\nThe replace function with “##” is similar to the one in “MegaCreep.”\r\nMost of the external libraries are custom and not publicly available. Therefore, their functionality is not fully\r\nuncovered.\r\nSince “RLVBUp” uses “PRLib,” “RLVBUp” might be a module related to “MegaCreep” or a shared module\r\namong different Polonium backdoors.\r\nTo visualize all the currently known connections, we made another Maltego graph:\r\nFigure 10: Relationship graph between files using PRLib\r\nConclusion\r\nPolonium was uncovered only recently and is focused on attacking Israeli companies exclusively.\r\nMapping all the known components of their attack tools will help security teams identify similar activity and may\r\nlead to uncovering the missing puzzle pieces.\r\nIOC\r\nFilename MD5 Hash\r\nTaskManager.exe 19fe1fd29122a5092f7b680e5762fc19\r\nRLVB.exe dbec8d9a3ea34d69733e7f5f5134f62d\r\nRLVBUp.exe a544bb442fe4342e300bc8beaef66796\r\nSource: https://www.deepinstinct.com/blog/polonium-apt-group-uncovering-new-elements",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.deepinstinct.com/blog/polonium-apt-group-uncovering-new-elements"
	],
	"report_names": [
		"polonium-apt-group-uncovering-new-elements"
	],
	"threat_actors": [
		{
			"id": "d866a181-c427-43df-9948-a8010a8fdad6",
			"created_at": "2022-10-27T08:27:13.080609Z",
			"updated_at": "2026-04-10T02:00:05.303153Z",
			"deleted_at": null,
			"main_name": "POLONIUM",
			"aliases": [
				"POLONIUM",
				"Plaid Rain"
			],
			"source_name": "MITRE:POLONIUM",
			"tools": [
				"CreepyDrive",
				"CreepySnail"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6cfeba14-c84e-4606-88b9-c7a7689c450f",
			"created_at": "2022-10-25T16:07:24.06766Z",
			"updated_at": "2026-04-10T02:00:04.857565Z",
			"deleted_at": null,
			"main_name": "Polonium",
			"aliases": [
				"G1005",
				"Incendiary Jackal",
				"Plaid Rain"
			],
			"source_name": "ETDA:Polonium",
			"tools": [
				"CreepyDrive",
				"CreepySnail",
				"DeepCreep",
				"FlipCreep",
				"MegaCreep",
				"PapaCreep",
				"TechnoCreep"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b7823339-891d-4ded-b01d-1f142a88bc64",
			"created_at": "2023-01-06T13:46:39.381591Z",
			"updated_at": "2026-04-10T02:00:03.308737Z",
			"deleted_at": null,
			"main_name": "POLONIUM",
			"aliases": [
				"GREATRIFT",
				"INCENDIARY JACKAL",
				"Plaid Rain",
				"UNC4453"
			],
			"source_name": "MISPGALAXY:POLONIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434764,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/069a7db773535b1e6296e415b16b267527406664.pdf",
		"text": "https://archive.orkl.eu/069a7db773535b1e6296e415b16b267527406664.txt",
		"img": "https://archive.orkl.eu/069a7db773535b1e6296e415b16b267527406664.jpg"
	}
}