{
	"id": "6f95a26b-ea8f-45ad-9462-df11bb708a28",
	"created_at": "2026-04-06T01:32:37.691032Z",
	"updated_at": "2026-04-10T13:11:52.311504Z",
	"deleted_at": null,
	"sha1_hash": "07ab21c8b14475626d5c966fa9fb891857f9bd11",
	"title": "Backdoors, RATs, Loaders evasion techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 154978,
	"plain_text": "Backdoors, RATs, Loaders evasion techniques\r\nBy Josh Pyorre\r\nPublished: 2021-06-01 · Archived: 2026-04-06 01:11:40 UTC\r\nIn this second edition of the Cybersecurity Threat Spotlight, we’re examining the most important current threats\r\nincluding a backdoor threat,  a remote access trojan (RAT), and a loader. Obfuscation, encryption, weaponization\r\nof normally benign files, and remote (frequently C2) execution continue to be primary techniques in ongoing use.\r\nThreat Name: GoldMax\r\nThreat Type: Backdoor\r\nActor: NOBELIUM\r\nhttps://attack.mitre.org/groups/G0118/\r\nDelivery and Exfiltration:\r\nCisco Umbrella detects SUNBURST domains, domains hosting GoldMax payload, and C\u0026C\r\nservers.\r\nDescription: GoldMax (also known as SUNSHUTTLE) is a post-exploitation malware currently used as part of a\r\nSUNBURST attack. SUNBURST uses multiple techniques to obfuscate its actions and evade detection. GoldMax\r\npersists on systems as a scheduled task, impersonating systems management software.\r\nGoldMax Spotlight: Written in Go, GoldMax acts as a command-and-control backdoor for the actor. The\r\nmalware writes an encrypted configuration file to disk, where the file name and AES-256 cipher keys are unique\r\nper implant, and based on environmental variables and information about the network where it is running. The C2\r\ncan send commands to be launched for various operations, including native OS commands, via pseudo-randomly\r\ngenerated cookies. The hardcoded cookies are unique to each implant, mapping to victims and operations on the\r\nactor side. 
GoldMax is equipped with a decoy network traffic generation feature that allows it to surround its\r\nmalicious network traffic with seemingly benign traffic.\r\nhttps://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques\r\nPage 1 of 6\n\nTarget geolocations: North America, Europe\r\nTarget data: Any\r\nTarget businesses: Government, public entities, private entities\r\nMitre Att\u0026ck, GoldMax\r\nInitial access: Supply chain compromise\r\nPersistence: Scheduled task\r\nExecution: Command and scripting interpreter: windows command shell\r\nEvasion: Deobfuscate/decode files or information, obfuscated files or information: software packing, indirect\r\ncommand execution, masquerade task or service, system checks\r\nCollection: N/A\r\nCommand and Control: Encrypted channel: symmetric cryptography, data encoding, data obfuscation, ingress\r\ntool transfer, web protocols\r\nExfiltration: exfiltration over C2 channel\r\nIOCs:\r\nDomains:\r\nsrfnetwork[.]org\r\nreyweb[.]com\r\nonetechcompany[.]com\r\nIPs:\r\n185.225.69[.]69\r\nSHA-256 Hashes:\r\n70d93035b0693b0e4ef65eb7f8529e6385d698759cc5b8666a394b2136cc06eb\r\n0e1f9d4d0884c68ec25dec355140ea1bab434f5ea0f86f2aade34178ff3a7d91\r\n247a733048b6d5361162957f53910ad6653cdef128eb5c87c46f14e7e3e46983\r\nF28491b367375f01fb9337ffc137225f4f232df4e074775dd2cc7e667394651c\r\n611458206837560511cb007ab5eeb57047025c2edc0643184561a6bf451e8c2c\r\nB9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8\r\nbbd16685917b9b35c7480d5711193c1cd0e4e7ccb0f2bf1fd584c0aebca5ae4c\r\nAdditional Information:\r\nhttps://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html\r\nWhich Cisco products can block GoldMax:\r\nCisco Secure Endpoint (AMP for Endpoints)\r\nCisco Cloud Web Security (CWS)\r\nCisco Network Security\r\nCisco Secure Network Analytics\r\nCisco Secure Cloud Analytics\r\nCisco Secure Web Appliance\r\nCisco Threat Grid\r\nCisco 
Umbrella\r\n\r\nThreat Name: ObliqueRAT\r\nThreat Type: Remote Access Trojan\r\nActor: Transparent Tribe\r\nDelivery and Exfiltration:\r\nCisco Umbrella detects domains hosting malicious documents, malicious Zip files, and C\u0026C\r\nservers.\r\nDescription: Oblique is a popular Remote Access Trojan, currently being used to take remote control of infected\r\nsystems and steal data. The malware has the following capabilities: get the running process on the system, get the\r\ndrives, directories, and files on the system, get the host names, user IDs, capture screenshots, get the data from C2\r\nserver, using custom ports to connect to C2 server.\r\nObliqueRAT Spotlight: ObliqueRAT is related to CrimsonRAT, sharing the same malware documents and\r\nmacros, but using its macro code to download its malicious payload from actor-controlled websites. The malicious\r\npayload appears to be benign BMP image files. These files contain a ZIP, which holds the ObliqueRAT payload.\r\nOnce downloaded and extracted, the file is renamed with a .pif file extension. 
Persistence is achieved by creating a\r\nshortcut with a .URL file extension in the infected user’s Startup.\r\nTarget geolocations: South Asia\r\nTarget data: Credentials from web browsers, data from removable media, local email collection\r\nTarget businesses: Any\r\nMitre Att\u0026ck, ObliqueRAT\r\nInitial access: Phishing\r\nPersistence: Registry run keys / startup folder\r\nExecution: Scheduled task/job\r\nEvasion: Impair defenses\r\nCollection: File and directory discovery, process discovery, screen capture, security software discovery, system\r\nInformation discovery, system network configuration discovery\r\nCommand and control: Data obfuscation\r\nExfiltration: Ingress tool transfer, exfiltration over command and control channel using non-application layer\r\nprotocol\r\nIOCs:\r\nDomains:\r\nlarsentobro[.]com\r\nmicrsoft[.]ddns.net\r\nURLs:\r\nhxxp://iiaonline[.]in/DefenceLogo/theta.bmp\r\nhxxp://iiaonline[.]in/timon.jpeg\r\nhxxp://iiaonline[.]in/9999.jpg\r\nhxxp://iiaonline[.]in/merj.bmp\r\nhxxp://iiaonline[.]in/111.jpg\r\nhxxp://iiaonline[.]in/sasha.jpg\r\nhxxp://iiaonline[.]in/111.png\r\nhxxp://iiaonline[.]in/camela.bmp\r\nhxxp://larsentobro[.]com/mbda/goliath1.bmp\r\nhxxp://larsentobro[.]com/mbda/mundkol\r\nhxxp://drivestransfer[.]com/myfiles/Dinner%20Invitation.doc/win10/Dinner%20Invitation.doc\r\nIPs:\r\n185[.]183.98.182\r\nAdditional Information:\r\nhttps://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html\r\nWhich Cisco products can block ObliqueRAT:\r\nCisco Secure Endpoint\r\nCloud Web Security\r\nCisco Secure Email\r\nCisco Secure Firewall/Secure IPS\r\nCisco Secure Malware Analytics\r\nCisco Umbrella\r\nCisco Secure Web Appliance\r\nThreat Name: NimzaLoader\r\nThreat Type: Loader\r\nActor: TA800\r\nDelivery and 
Exfiltration:\r\nCisco Umbrella detects domains hosting malicious documents, malicious NimzaLoader payload,\r\nC\u0026C servers and Cobalt Strike communications.\r\nDescription: NimzaLoader is part of a malware family used by the TA800 threat group to gain a foothold in\r\ncompromised enterprise networks. This threat group previously used BazaLoader before switching to the new\r\nNimzaLoader in February 2021.\r\nNimzaLoader Spotlight: NimzaLoader is written in the Nim programming language in an attempt to avoid\r\ndetection. JSON files are used for data storage, memory management, and C\u0026C communication and it does not\r\nuse a domain generation algorithm. Second-stage payload is most commonly Cobalt Strike.\r\nExploitation begins with phishing emails to victims containing personalized details that can be found on social\r\nnetworking sites such as LinkedIn. The emails contain a link, labeled as ‘PDF-preview’ that leads to a\r\nNimzaLoader download webpage.\r\nNimzaLoader makes use of cmd.exe and powershell.exe to inject shellcode into a process on Windows systems. 
It\r\nutilizes a heartbeat mechanism to update expiration dates of the malware in memory and encodes other data in a\r\nJSON object.\r\nTarget geolocations: Any\r\nTarget data: Any\r\nTarget businesses: Any\r\nExploits: N/A\r\nMitre Att\u0026ck, NimzaLoader\r\nInitial access: Spearphishing attachment, spearphishing link\r\nPersistence: Registry run keys / startup folder, startup items, hooking\r\nEvasion: Deobfuscate / decode files or information, masquerading, obfuscated files or information, process\r\ndoppelganging, process hollowing, process injection\r\nCollection: Account discovery, application window discovery, file and directory discovery, process discovery,\r\nquery registry, remote system discovery, security software discovery, system information discovery, system time\r\ndiscovery, system owner / user discovery\r\nExfiltration: Commonly used port, data encrypted, remote file copy, standard application layer protocol, standard\r\ncryptographic protocol, standard non-application layer protocol\r\nIOCs:\r\nDomains:\r\ncentralbancshares[.]com\r\ngariloy[.]com\r\nliqui-technik[.]com\r\nSHA-256 Hashes:\r\n540c91d46a1aa2bb306f9cc15b93bdab6c4784047d64b95561cf2759368d3d1d\r\nAdditional Information:\r\nhttps://www.technadu.com/ta800-group-using-new-initial-access-tool-nimzaloader/253752/\r\nWhich Cisco products can block NimzaLoader:\r\nCisco Secure Endpoint\r\nCloud Web Security\r\nCisco Secure Email\r\nCisco Secure Firewall/Secure IPS\r\nCisco Secure Malware Analytics\r\nCisco Umbrella\r\nCisco Secure Web Appliance\r\nSource: https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques"
	],
	"report_names": [
		"cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf32661e-7543-4b57-8665-7f8101a000e9",
			"created_at": "2023-01-06T13:46:39.322379Z",
			"updated_at": "2026-04-10T02:00:03.287241Z",
			"deleted_at": null,
			"main_name": "TA800",
			"aliases": [],
			"source_name": "MISPGALAXY:TA800",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439157,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07ab21c8b14475626d5c966fa9fb891857f9bd11.pdf",
		"text": "https://archive.orkl.eu/07ab21c8b14475626d5c966fa9fb891857f9bd11.txt",
		"img": "https://archive.orkl.eu/07ab21c8b14475626d5c966fa9fb891857f9bd11.jpg"
	}
}