{
	"id": "25e10461-5a89-4524-842d-7d5d3ff440f5",
	"created_at": "2026-04-06T00:16:06.158023Z",
	"updated_at": "2026-04-10T13:12:05.286289Z",
	"deleted_at": null,
	"sha1_hash": "06ef43d33895d54f8d961eeb107907052cdfcc9f",
	"title": "Deep Dive Into DownEx Espionage Operation in Central Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1089027,
	"plain_text": "Deep Dive Into DownEx Espionage Operation in Central Asia\r\nBy Martin Zugec\r\nArchived: 2026-04-05 15:56:49 UTC\r\nIn late 2022, Bitdefender Labs detected a cyberattack targeting foreign government institutions in Kazakhstan.\r\nWhile investigating this incident, it was revealed that this was a highly targeted attack designed to exfiltrate data.\r\nWe decided to postpone publishing our findings and monitored the region for other similar attacks. This effort was\r\nrewarded, when we detected another attack in Afghanistan and collected additional samples and observations. \r\nBy sharing this information, we hope to raise awareness about the current threat landscape and help public and\r\nprivate organizations to protect themselves. \r\nAnatomy of an attack\r\nThe domain and IP addresses involved do not appear in any previously documented incidents, and the malware\r\ndoes not share any code similarities with previously known malicious software. Since this appears to be a new\r\nmalware family, we named it DownEx.\r\nBy analyzing indirect indicators such as the specific targets of the attacks, the document metadata impersonating a\r\nreal diplomat, and the primary focus being on data exfiltration, we can make an educated guess that a state-sponsored group is responsible for these incidents. Despite trying various methods, we have been unable to\r\nattribute these attacks to a specific threat actor. One clue pointing at the origin of the attack is the use of a cracked\r\nversion of Microsoft Office 2016 popular in Russian-speaking countries (known as “SPecialisST RePack” or\r\n“Russian RePack by SPecialiST). It is also unusual to see the same backdoor written in two languages - this\r\npractice was previously observed with group APT28 (Russian-based) with their backdoor Zebrocy. 
Based on a combination of indicators we are attributing this campaign to a group associated with Russia, albeit with low confidence.\r\nInitial access\r\nWhile the initial infection vector remains unclear, we expect that threat actors used social engineering techniques to deliver a spear-phishing email with a malicious payload. The attack used a simple technique of using an icon file associated with .docx files to masquerade an executable file as a Microsoft Word document. The attachment file did not use a double extension (commonly detected as a suspicious practice) and was simply named “! to \u003credacted\u003e embassy kazakh 2022.exe”. Unfortunately, it seems that email remains an effective route for delivering malicious payloads in 2023. \r\nThis executable is a self-contained loader. After executing this attachment, two files are extracted to disk and executed: \r\nC:\\Users\\\u003cRedacted\u003e\\Appdata\\Local\\Temp\\! to \u003cRedacted\u003e Embassy kazakh 2022.doc\r\nC:\\ProgramData\\Utility\\log\r\nhttps://www.bitdefender.com/en-us/blog/businessinsights/deep-dive-into-downex-espionage-operation-in-central-asia\r\nPage 1 of 8\r\nThe extracted Word document is a simple disguise, designed as a way for the attacker to not raise suspicion while the malicious script ran in the background. \r\nFig 1: The extracted Word document is inconspicuous and seemed to be designed only as a way for the attacker to not raise suspicion while the malicious script ran in the background. \r\nThe second file, log , is an extension-less HTA file (normally .hta ) with embedded VBScript code. HTA stands for \"HTML Application\" and it is a file type that contains VBScript, HTML, CSS, or JavaScript code that can be executed as a standalone application on a Windows operating system. 
HTA was a popular method for sysadmins to add a basic user interface to their scripts or create simple utility programs.\r\nThe download of the next stage failed, and we have not been able to retrieve the payload from the command and control (C2) server. Based on our analysis of similar attacks, we expect threat actors tried to download a backdoor to establish persistence. \r\nSeveral other tools located on the victim’s machine were used to establish a connection to the C2 server. In the next section, we document our analysis of these tools and scripts. \r\nDiscovery\r\nWe have discovered two tools written in C/C++ designed to enumerate all the resources on a network. Both executables wnet.exe (MD5: a45106470f946ea6798f7d42878cff51 ) and utility.exe (MD5: 3ac42f25df0b600d6fc9eac73f011261 ) were in the folder C:\\ProgramData\\Programs . Their functionality relies on Windows Networking (WNet) functions from the Win32 API. This is a common approach to network reconnaissance because these functions are network independent. \r\nCommand and Control\r\nTo establish a communication loop with the C2 infrastructure, threat actors deployed a Python-based backdoor help.py located in the folder C:\\ProgramData\\python\\tools\\scripts . The threat actors took extra effort to make this script hard to analyze. The script was protected by PyArmor, a Python obfuscation tool that can help protect scripts from reverse engineering and tampering. We were able to retrieve the corresponding Pytransform.pyd module. This compiled module (basically a DLL file used by the Python script) was protected by the Themida software protection tool, and multiple obfuscation techniques including opcode mixing have been used. 
\r\nThrough considerable effort, we were able to analyze this script and reverse engineer the C2 communication protocol and the structure of the script. \r\n1. Help.py generates an RSA public/private key pair of 2048 bits. \r\n2. The public key is shared with the C2 server ( https[:]//net-certificate[.]services:443 ) using the POST method with the following key-value pairs.\r\n   1. USR_KAF – Contains EmailID , the hardcoded value identifying a specific email campaign. \r\n   2. USR_PUB – Public key generated in step 1. \r\n   3. USR_CRC – The SHA256 hash of the running script ( help.py ), generated automatically. \r\n3. The C2 replies with valid Python code to set up the client ID. This client ID is used in step 4. \r\n   1. TSK_KEY – An encrypted AES key required to decrypt the TSK_BODY field. This value is encrypted using the public key from step 2. \r\n   2. TSK_IV – AES initialization vector required to decrypt the TSK_BODY field. This value is encrypted using the public key from step 2. \r\n   3. TSK_BODY – Python code encrypted with AES in CBC mode. We emulated the protocol, and the response was always to set up a variable USR_KAR . This seems to be client identification. \r\n4. In an infinite loop, the script will make a POST request to https[:]//net-certificate.services:443/\u003cUSR_KAF\u003e , where the USR_KAF is the client ID retrieved in step 3.\r\nThe C2 can respond with specific tasks to perform on the compromised machine. The task contains the following values:\r\n- TSK_KEY and TSK_IV – AES key and initialization vector required to decrypt the TSK_BODY. These values are encrypted using the public key generated in step 2. 
\r\n- TSK_LINK – Number representing a unique task ID. This seems to be an incremental and global value for all victims. The largest task ID we have detected is 115880, so we can assume that over 100K tasks were sent across the victims. \r\n- TSK_BODY – This is encrypted Python code, representing a task to execute. \r\nThe tasks are represented by a Python class, having the form “ class A\u003cnumber\u003e ”. During our monitoring, we have observed 4 distinct tasks, but we are confident there are more task types: \r\n- A3 – DOWNLOAD_LIST – Exfiltrate files with specific extensions from a directory. \r\n   - Directories D:\\ and C:\\Users are recursively parsed. \r\n   - The list of extensions is hardcoded: doc; docx; dot; dotx; xls; xlsx; ppt; pptx; odt; pdf; rtf; rar; jpg; jpeg; bmp; heic; tiff; tif . \r\n   - Only retrieves files that have been modified in the last N days. N is a hardcoded value; if its value is -1, the last-modified-date filter is not applied. \r\n   - Files are exfiltrated in zip archives limited to 16 MB. If needed, multiple archives are used. \r\n   - The victim returns a list of the matching files to the C2 server, including information about full path, size, creation date, and the last modified date. \r\n- A4 – DOWNLOAD_AND_DELETE_LIST – Similar to the A3 task, but it also deletes the exfiltrated files. We think this task is used to exfiltrate files generated by another malicious task/malware. This assumption is based on observed instructions like download and delete files from: \r\n   - C:\\ProgramData\\Python\\Lib\\LOC\\F that don’t have the extension .py . \r\n   - C:\\Users\\\u003cUSERNAME\u003e\\AppData\\Local\\Diagnostics\\\u003cUSER_SID\u003e\\1cbe6654-466b-4d53-8303-2e86ab6db8a7 with extension ~tmp . \r\n- A6 – SCAN_LIST – Similar to the A3 task, but it only reports matching files without exfiltrating them. \r\n- A7 – SCREENSHOT – Uploads a screenshot from the compromised machine. 
\r\n   - The number of screenshots and the interval between them are hardcoded values. \r\nAfter the victim finishes processing the tasks, it communicates back to the C2 server using the following JSON structure: \r\n- SK_LINK – Task ID, as specified in the task request from the C2 server. \r\n- RESULT – The result of the task or a debug/log message. For example “Success: GET from client SCREENSHOT_START”. This field is encrypted with AES and base64 encoded.\r\n- NAME_FILE – The name of the file on the server where RESULT is written. It contains a timestamp, the task ID, and additional information (e.g. method executed). This field is encrypted with AES and base64 encoded. \r\nIt is important to mention that nothing prevents threat actors from delivering Python code directly instead of using class constructs. \r\nCollection and Exfiltration\r\nDuring our investigation, we have identified multiple samples of new malware written in C++. The executable diagsvc.exe was stored in the folder C:\\ProgramData\\Programs and is designed for file exfiltration. \r\nFig 2: Different approaches to establishing the C2 connection \r\nOne of the samples included a PDB string “C:\\Projects\\DOWN\\Release\\DOWN.pdb” . PDB (Program DataBase) is a file format used by Microsoft Visual Studio for storing debugging information about an executable or DLL file. We decided to call this malware family DownEx by combining the DOWN project name with its intended purpose (Exfiltration). \r\nThere were small differences between the samples that we have collected – some had more debug strings, others contained strings encrypted with a simple XOR cipher. 
One sample (MD5: ae5d4b9c1038f6840b563c868692f2aa ) did not exfiltrate data by contacting the C2 server directly; instead, it created and executed a VBScript C:\\ProgramData\\Temp\\driver.vbs responsible for exfiltration. All collected samples contacted the same C2 server located at 84.32.188[.]123 . \r\nAfter execution, DownEx starts recursively parsing both local and network drives and collects the files with the following extensions: \r\n.doc, .docx, .rtf, .xlsx, .xls, .pdf, .ppt, .pptx, .~tm, .bmp, .rar, .jpg, .odt, .p12, .heic, .enc, .jpeg, .tiff, .tif, .zip, .crf, .enc, .cr, .lhz, .pem, .pgp, .sbx, .tlg \r\nThreat actors are interested in confidential files like .pgp or .pem files, but also in financial data such as QuickBooks log files ( .tlg extension). \r\nAfter the files are collected, they are exfiltrated using a password-protected zip archive. The size of uncompressed data is limited to 30 MB for each archive. If needed, multiple archive files are generated. To limit the size of exfiltrated files, DownEx stores checksums (CRC) of already exfiltrated files to avoid duplication. The archives are exfiltrated to the C2 server by making a POST request to http[:]//84.32.188[.]123/hftqlbgtg.php . \r\nDuring our investigation, we have discovered a VBScript-based version of DownEx (MD5: f3474c17d8c33055c28cb45a04ab484f ) with the same functionality as the C++ version. This is a fileless attack – the DownEx script is executed in memory and never touches the disk. The script version of DownEx was downloaded by the encoded VBScript file slmgr.vbe from http[:]//206.166.251[.]216/www.php using a custom user agent (to identify the campaign). 
\r\nFig 3: The slmgr.vbe script is downloading another script from the C2 server \r\nConclusion\r\nThis attack highlights the sophistication of a modern cyberattack. Cybercriminals are finding new methods for making their attacks more reliable. To prevent attacks like this, organizations should focus on implementing a combination of cybersecurity technologies to harden their security posture: technologies such as advanced malware detection with machine learning that can identify malicious scripts, email filtering, a sandbox for detonation of suspicious files, network protection that can block C2 connections, and detection and response capabilities that extend beyond the endpoints to networks. These technologies are all available with Bitdefender GravityZone. These tools can help detect and prevent attacks, as well as limit the damage caused if an attack does occur. \r\nWe would like to thank Adrian Schipor, Victor Vrabie, Cristina Vatamanu, and Alexandru Maximciuc for help with putting this advisory report together. \r\nIndicators of Compromise\r\nAn up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. The currently known indicators of compromise can be found in the table below. 
\r\nFiles\r\nMD5  Location  Source \r\n1e46ef362b39663ce8d1e14c49899f0e  User Desktop  Bitdefender research \r\nbb7cf346c7db1c518b1a63c83e30c602  User Desktop  Bitdefender research \r\na45106470f946ea6798f7d42878cff51  wnet.exe  Bitdefender research \r\n3ac42f25df0b600d6fc9eac73f011261  utility.exe  Bitdefender research \r\n14a8aad94b915831fc1d3a8e7e00a5df  driver.vbs  VirusTotal \r\n457eca2f6d11dd04ccce7308c1c327b7  help.py  Bitdefender research \r\nd310a9f28893857a0dc1f7c9b624d353  help.py  Bitdefender research \r\nd20e4fffbac3f46340b61ab8f7d578b1  slmgr.vbe  Bitdefender research \r\n5602da1f5b034c9d2d6105cdc471852b  slmgr.vbe  Bitdefender research \r\n89f15568bc19cc38caa8fd7efca977af  Diagsvc.exe  VirusTotal \r\nae5d4b9c1038f6840b563c868692f2aa  Diagsvc.exe  Bitdefender research \r\nc273cdfcfd808efa49ec0ed4f1c976e0  Diagsvc.exe  VirusTotal \r\nd11fcd39a30a23176337847e54d7268c  Diagsvc.exe  Bitdefender research \r\n70e4305af8b00d04d95fba1f9ade222d  Diagsvc.exe  VirusTotal \r\n1492b0079b04eb850279114b4361f10c  Diagsvc.exe  Bitdefender research \r\nNetwork\r\nDomain  Source \r\nnet-certificate[.]services  Bitdefender research \r\nIP/DNS  Source \r\n139.99.126[.]38  Bitdefender research \r\n84.32.188[.]123  Bitdefender research \r\n206.166.251[.]216  Bitdefender research \r\nSource: https://www.bitdefender.com/en-us/blog/businessinsights/deep-dive-into-downex-espionage-operation-in-central-asia",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bitdefender.com/en-us/blog/businessinsights/deep-dive-into-downex-espionage-operation-in-central-asia"
	],
	"report_names": [
		"deep-dive-into-downex-espionage-operation-in-central-asia"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434566,
	"ts_updated_at": 1775826725,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/06ef43d33895d54f8d961eeb107907052cdfcc9f.pdf",
		"text": "https://archive.orkl.eu/06ef43d33895d54f8d961eeb107907052cdfcc9f.txt",
		"img": "https://archive.orkl.eu/06ef43d33895d54f8d961eeb107907052cdfcc9f.jpg"
	}
}