{
	"id": "4e99df0d-b8f3-42d0-aa34-077019608479",
	"created_at": "2026-04-06T00:18:00.787477Z",
	"updated_at": "2026-04-10T13:12:43.531867Z",
	"deleted_at": null,
	"sha1_hash": "0ac93d73d37cbf64ce229f9946835026fa02c63e",
	"title": "Dustman APT: Art of Copy-Paste",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 351322,
	"plain_text": "Dustman APT: Art of Copy-Paste\r\nArchived: 2026-04-05 17:46:09 UTC\r\nDustman is a piece of data-wiping malware whose origin is believed to be Iran or, if you like, to quote zdnet.com, \"Iranian state-sponsored hackers\".\r\nThere is a full technical overview of this malware at https://www.scribd.com/document/442225568/Saudi-Arabia-CNA-report. I won't waste time repeating it in full, as it gives a brief but sufficient description of this malware's key parameters and capabilities.\r\nUsually I pay zero attention to typical APT hysterics and the low-quality malware pushed by mass media and various fakeAVs as \"incredibly sophisticated\" spyware or whatever. The exception is when something is related to my work, for example copy-pasted from it. Just like in this case.\r\nThis malware is believed to share code with another data wiper called \"ZeroCleare\", which IBM analyzed in a 28-page PDF where they managed to copy-paste from my GitHub repository without giving a single credit or link to the original. Well, ok, fuck you too IBM IRIS rippers 💩\r\nWhy is this thing called Dustman? The authors of this malware were lazy and left the full PDB path inside the main dropper: C:\\Users\\Admin\\Desktop\\Dustman\\x64\\Release\\Dustman.pdb. This doesn't look fake; it was left because Visual Studio (in which this was built) always generates debug information for Release builds by default (Project settings-\u003eLinker-\u003eDebugging). This is one of a series of small tips, just like if you are wondering why some rootkit PDB paths are always on the Z: drive: it is an easy-to-use hotkey while debugging on VMware.\r\nThe Dustman main executable is a muldrop (SHA-1 e3ae32ebe8465c7df1225a51234f13e8a44969cc). It contains three more files stored inside the executable's resource section. They are encrypted with a simple xor:\r\nfor (ULONG i = 0; i \u003c (ResourceSize / sizeof(ULONG_PTR)); i++)\r\n        Buffer[i] ^= 0x7070707070707070;\r\nResource with id 1 (decrypted SHA-1 7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c) is a VirtualBox driver. It was ripped by me from WinNT/Turla (another APT, this time \"believed\" to be from the GRU GS AF RF; that one, by the way, also had some references to and inspirations from my/our previous work). The Dustman author(s) got it from my GitHub repository called TDL - Turla Driver Loader (https://github.com/hfiref0x/TDL), and not only that driver: half of their work is actually a blatant copy-paste of this repository.\r\nResource with id 103 (decrypted SHA-1 a7133c316c534d1331c801bbcd3f4c62141013a1) is a modified Eldos RawDisk driver (version 3.0.31.121). It was modified by the Dustman authors by removing the digital certificate from it. Currently I have no answer why they did this, except that the Eldos RawDisk certificate is widely blacklisted or detected by intrusion prevention systems/AV as a possible sign of threat, as it was used multiple times before in different malware (https://attack.mitre.org/software/S0364/).\r\nhttps://swapcontext.blogspot.com/2020/01/dustman-apt-art-of-copy-paste.html\r\nPage 1 of 7\r\nResource with id 106 (decrypted SHA-1 20d61c337653392ea472352931820dc60c37b2bc) is the malware agent application that is intended to work with Eldos RawDisk to perform the data wipe. It contains the PDB string C:\\Users\\Admin\\Desktop\\Dustman\\Furutaka\\drv\\agent.plain.pdb, which gives you insight into the VS solution structure. Furutaka is an internal name that I gave to the TDL project executable.\r\nThe initial dropper is a modified version of the original TDL (Furutaka) version 1.1.5, so it is relatively new, as this is the final version in that repository before it was archived in April 2019. Just to show you how much the Dustman authors copy-pasted, here is a screenshot of the functions which I was able to identify in this malware (while the rest of them are various trash from the MS runtime).\r\nPic 1. Dustman dropper functions.\r\nIt seems the Dustman author(s) simply took the TDL solution and then modified it by removing console/debug output from the code and adapting it for their specific tasks: decrypt and drop resources to disk, load the RawDisk driver and start the agent application at the final stage. Let's take a look at the modifications made by the Dustman author(s).\r\nAt main (which is a heavily modified TDLMain from the original TDL), right at the beginning Dustman attempts to block multiple copies from installing VirtualBox/mapping the Eldos driver by setting a mutex with a very specific name, \"Down With Bin Salman\". I do not want to dig into politics and other bullshit, but I would like to suggest, in case this is a false flag operation (surprise, but we will never know this), using something more creative, like for example \"Coded by Soleimani\" or \"(c) 2019 IRGC\"; \"covfefe\" is fine too. If I were doing an APT of such kind I would first refrain from creating such wrong and stupid mutexes, or build their unique names based on the current environment without using any idiotic constants. Another fun message hidden inside the agent executable (dropper resource 106 as mentioned above) is \"Down With Saudi Kingdom Down With Bin Salman\" - very creative (not). The Eldos license key is hardcoded in the agent executable as \"b4b615c28ccd059cf8ed1abf1c71fe03c0354522990af63adf3c911e2287a4b906d47d\".\r\nBack to the initial dropper: supQueryResourceData (https://github.com/hfiref0x/TDL/blob/master/Source/Furutaka/sup.c#L99) is modified by adding the xor decryption loop mentioned above. Below is a screenshot of the TDLStartVulnerableDriver routine, slightly modified by removing console output and the code responsible for backup, and with a new file name for the dropped file.\r\nPic 2. TDLStartVulnerableDriver copy-paste.\r\nOriginal routine: https://github.com/hfiref0x/TDL/blob/master/Source/Furutaka/main.c#L498\r\nAssistant.sys here is the VirtualBox driver, which is loaded as shown in the picture above. I have no idea why the Dustman authors left the VirtualBox USB/Network driver unload code intact. In the original TDL this is required to load the driver on a machine with VirtualBox installed, and it is a requirement because VBoxHardenedLoader depends on it. However, this is not required in an APT and can be removed, but it seems the Dustman author(s) had a mediocre understanding of what they were doing. It is a little doubtful that target machines have VirtualBox running, which could produce incompatibilities with TDL.\r\nOur next stop is the TDLMapDriver routine. In the original TDL proof-of-concept it sets up shellcode that will next be executed in the kernel by VBoxDrv, maps the input file, processes its imports and merges it with the shellcode. Next the VBoxDrv memory mapping is executed and finally the exploit is called. In the shellcode, the original TDL allocates memory for the driver mapping using the ExAllocatePoolWithTag routine with tag 'SldT' (Tdl Shellcode), processes image relocs, and creates a system thread (PsCreateSystemThread) with the parameter set to the driver entry. TDL-mapped drivers must be specially designed, as the DriverEntry parameters in such a way of loading will be invalid. Finally the thread handle is closed with ZwClose. Function pointers are passed to the shellcode through registers by small bootstrap code which is constructed in user mode. The Dustman author(s) modified this loading scheme in the following way:\r\n1) Encryption for module/function names; a funny note is that the following string is used to decrypt strings at runtime: \"I'm 22 and looking for fulltime job!\". Because this is copy-paste from open source and the original TDL is very well detected by various fakeAVs (https://www.virustotal.com/gui/file/37805cc7ae226647753aca1a32d7106d804556a98e1a21ac324e5b880b9a04da/detection), this may be an attempt to remove some of these detections.\r\n2) They still resolve ExAllocatePoolWithTag, PsCreateSystemThread and IoCreateDriver; however, they never use PsCreateSystemThread, despite checking that it resolved successfully, and instead in their shellcode simply call IoCreateDriver with a pointer to the driver entry point as the InitializationFunction parameter. Since IoCreateDriver expects DriverName as a pointer to a UNICODE_STRING, the modified shellcode also contains the \"\\Driver\\elRawDsk\" string stored as a local array of bytes. IoCreateDriver will create a driver object with the specified name and pass it to the InitializationRoutine as a parameter, exactly what Eldos RawDisk needs at its driver entry. Thus the original TDL limitation is bypassed and the mapping code can work with usual drivers. As a result of successful exploitation, Eldos RawDisk will be mapped into the kernel and its DriverEntry executed.\r\nPic 3. Eldos driver object as seen by WinObjEx64.\r\nBecause the driver was mapped without involving the Windows loader, it doesn't have a corresponding entry in PsLoadedModulesList; therefore WinObjEx64 shows its driver object major functions as belonging to an unknown memory area, which is always automatically suspicious and usually means kernel-mode malware activity. During Eldos RawDisk DriverEntry execution it creates a symbolic link to provide access for applications. This can also be seen with WinObjEx64.\r\nPic 4. ElRawDisk symbolic link.\r\nHere is a mystery, or at least a question. Why do they use TDL at all? If you look at previous Eldos RawDisk versions, for example https://www.virustotal.com/gui/file/c5c821f5808544a1807dc36527ef6f0248d6768ef9ac5ebabae302d17dd960e4/details, you will notice it is digitally signed. As I said at the beginning of this post, there can be IPS/AV blocking the Eldos driver by its certificate. However, why use Eldos RawDisk if you can write your own driver, which will be much simpler/smaller (because it will lack the useless license check), and use it with TDL? It seems the author(s) of Dustman prefer the simplest ways and are incapable of writing anything beyond simple copy-pasting with small additions. State sponsored hackers, rofl? It of course depends on the effectiveness of such methods, but I think someone needs a bigger budget. However, if you take this entire Dustman as a false flag operation it looks pretty much ok, because the Dustman thing can be built in 4-5 hours and costs almost nothing, while having severe impact as informational warfare.\r\nA little about the agent application; a little because in fact there is nothing interesting inside. It is built as a typical C++ MS runtime based application full of ineffective code unrelated to its main purpose: wiping data on disk. To do this the agent calls Eldos RawDisk with the license mentioned above. As fill data it uses the \"Down With Saudi Kingdom Down With Bin Salman\" string. If the agent is launched without elevation it will crash with an error due to its code quality; state sponsored hackers, do you remember?\r\nPic 5. Wipe in progress.\r\nSource: https://swapcontext.blogspot.com/2020/01/dustman-apt-art-of-copy-paste.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://swapcontext.blogspot.com/2020/01/dustman-apt-art-of-copy-paste.html"
	],
	"report_names": [
		"dustman-apt-art-of-copy-paste.html"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434680,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ac93d73d37cbf64ce229f9946835026fa02c63e.pdf",
		"text": "https://archive.orkl.eu/0ac93d73d37cbf64ce229f9946835026fa02c63e.txt",
		"img": "https://archive.orkl.eu/0ac93d73d37cbf64ce229f9946835026fa02c63e.jpg"
	}
}