{
	"id": "2361ab8d-ac4a-49f9-8b11-37e0bec9901f",
	"created_at": "2026-04-06T00:17:06.423363Z",
	"updated_at": "2026-04-10T03:38:01.766127Z",
	"deleted_at": null,
	"sha1_hash": "0b2d6c7ccfb612f155e9ab8f2e35581ea5174636",
	"title": "A close look at the advanced techniques used in a Malaysian-focused APT campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1184710,
	"plain_text": "A close look at the advanced techniques used in a Malaysian-focused APT campaign\r\nBy Samir Bousseaden, Daniel Stepanic, Elastic Security Intelligence \u0026 Analytics Team\r\nPublished: 2022-06-22 · Archived: 2026-04-02 11:41:13 UTC\r\nThe Elastic Security Intelligence \u0026 Analytics Team researches adversary innovations of many kinds, and has\r\nrecently focused on an activity group that leveraged remote templates, VBA code evasion, and DLL side-loading\r\ntechniques. Based on code similarity and shared tactics, techniques, and procedures (TTPs), the team assessed this\r\nactivity to be possibly linked to a Chinese-based group known as APT40, or Leviathan. The group’s campaign\r\nappears to target Malaysian government officials with a lure regarding the 2020 Malaysian political crisis.\r\nAnatomy of the attack\r\nhttps://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign\r\nPage 1 of 16\n\nFigure 1: Original image\r\nhttps://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign\r\nPage 2 of 16\n\nFigure 2: Lure document image\r\nTo initiate their advanced persistent threat (APT) campaign, the group likely delivered a Microsoft Word\r\ndocument as a phishing lure attachment. The image used in the lure (Figure 2) appears to be crafted from a\r\nbroadcast announcement shared by a Malaysian blogger (Figure 1). The lure image includes the same broadcast\r\ntime, but the date and speech topic are removed. 
Once this attachment is opened, a decoy document is presented\r\nwhile, behind the scenes, the following actions take place:\r\nThe lure document downloads the remote template RemoteLoad.dotm\r\nThe remote template executes VBA macro code\r\nThe VBA macro code unpacks and executes two embedded base64-encoded DLLs (sl1.tmp and sl2.tmp) to\r\nc:\\users\\public\\\r\nThis technique is known as template injection, which you may recall from our Playing defense against Gamaredon\r\nGroup blog post. This is an effective approach used by adversaries to bypass perimeter controls such as email\r\ngateways.\r\nFigure 4: Obfuscation of MZ/PE header base64\r\nBoth embedded DLLs (sl1.tmp and sl2.tmp) are similar and export the same function names: RCT and RCP. The\r\nfirst DLL (sl1.tmp) is used to download a benign executable called LogiMailApp.exe and an associated library\r\nLogiMail.dll, and the second DLL (sl2.tmp) is used to execute LogiMailApp.exe, which automatically attempts to\r\nexecute LogiMail.dll due to an inherent DLL search order vulnerability we’ll cover shortly.\r\nFile name | File type | Size (bytes) | MD5 | Compile time\r\nLogiMailApp.exe | Win32 EXE | 311656 | 850a163ce1f9cff0367854038d8cfa7e | 2012-09-26 22:13:13+00:00\r\nLogiMail.dll | Win32 DLL | 105984 | b5a5dc78fb392fae927e9461888f354d | 2020-06-03 04:08:29+00:00\r\nsl1.tmp | Win32 DLL | 3072 | ccbdda7217ba439dfb6bbc6c3bd594f8 | 2019-11-29 17:15:29+00:00\r\nsl2.tmp | Win32 DLL | 3072 | dbfa006d64f39cde78b0efda1373309c | 2019-11-29 21:23:44+00:00\r\nTable 1: Dropped files metadata\r\nFigure 5: Download and execution of LogiMailApp.exe and LogiMail.dll\r\nThis implementation stood out to our researchers due to a behavioral idiosyncrasy:\r\nThe Microsoft Office application 
winword.exe loads the sl1.tmp and sl2.tmp DLLs using the LoadLibraryA\r\nmethod, which is moderately rare\r\nThese DLLs run explicit commands or install a payload from a URL using the CallWindowProcA method,\r\nwhich appears to be exceptionally rare\r\nBoth DLLs are deleted after execution\r\nFigure 6: Download and execution module deletion\r\nEmbedded DLLs\r\nThe embedded DLLs, sl1.tmp and sl2.tmp, have very limited functionality — exporting the RCP and RCT\r\nfunctions. The RCP function implements the WinExec method to execute commands, whereas the RCT function uses\r\nthe URLDownloadToFileA method to download a file from a specified URL.\r\nFigure 7: Exported functions – RCP and RCT\r\nDLL side-loading a backdoor\r\nLogiMailApp.exe, which is downloaded by sl1.tmp and executed by sl2.tmp, is vulnerable to a form of DLL\r\nsearch-order hijacking called side-loading, which automatically searches for and executes LogiMail.dll if found in\r\nthe same directory. Forms of DLL search-order hijacking can be used with many third-party software applications.\r\nIn this case, search-order hijacking was used to load a backdoor that exports the following notable functions:\r\nFigure 8: LogiMail.dll exports table\r\nFigure 9: LogiMailApp.exe – Logitech camera software\r\nFigure 10: LogiMail.dll side-loading\r\nThe adversary-created binary LogiMail.dll exports the function DllGetClassObject that contains critical logic for\r\nthe execution flow of this sample:\r\n1. Download an AES-encrypted second stage object to %TEMP%~liseces1.pcs\r\n2. Derive a 128-bit AES key and initialization vector from SHA256 of a hardcoded string\r\n3. Read and decrypt %TEMP%~liseces1.pcs in memory using the ReadFile and CryptDecrypt functions\r\n4. 
Delete %TEMP%~liseces1.pcs from disk\r\nFigure 11: Encrypted URL and hardcoded key\r\nFigure 12: Decrypted second stage URL and temp staging file\r\nFigure 13: Second stage download, in-memory decryption, execution, and file deletion\r\nSecond stage backdoor\r\nThe decrypted second stage backdoor is mapped into memory and then its original entry point (OEP) is called,\r\nthus bypassing successful detections based on file system scanning.\r\nFigure 14: LogiMail.dll — Resolving needed functions to map second stage PE into memory\r\nFigure 15: The second stage implant mapped in LogiMailApp.exe memory\r\nBoth the payload staging server and the second stage infrastructure use dynamic DNS:\r\nFigure 16: C2 HTTP POST request to /postlogin\r\nThis payload supports the following capabilities:\r\nBasic anti-debug checks\r\nSystem and user discovery\r\nExecution via command line\r\nFile discovery, upload, and download\r\nPersistence via run registry\r\nEncrypt C2 traffic using same AES key\r\nFigure 17: System and user discovery\r\nFigure 18: Execution via command-line\r\nFigure 19: File discovery, upload, and download\r\nPossible APT40/Leviathan connection\r\nEarlier in the year, the Malaysian Computer Emergency Response Team (MyCERT) issued an advisory related to\r\nespionage activity targeting their country. 
The report listed different TTPs and included multiple samples and\r\nother technical indicators that align with a threat group known as APT40/Leviathan.\r\nAt a high level, this sample follows the continued trend of targeting Malaysian victims using specific TTPs such\r\nas remote templates, employing macros, using DLL side-loading techniques, and leveraging an in-memory\r\nimplant with dynamic DNS for command and control. More specifically, the second stage implant from this lure\r\nshares unique strings and URL references and contains similar functionality that correlates with the previous\r\nreporting for APT40/Leviathan. With these similarities, our Intelligence \u0026 Analytics Team assesses with moderate\r\nconfidence that this activity is linked to APT40/Leviathan.\r\nImplant String Similarities with MyCERT Sample:\r\n/list_direction\r\n/post_document\r\n/post_login\r\nOpen Remote File %s Failed For: %s\r\nOpen Pipe Failed %s\r\nDownload Read Path Failed %s\r\n%02X-%02X-%02X-%02X-%02X-%02X\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run\r\nntkd\r\nFigure 20: Shared strings with MyCERT sample - 8a133a382499e08811dceadcbe07\r\nConclusion\r\nIn this post, we highlighted a recent sample that most likely represents the work of a highly organized adversary.\r\nActivity groups like this are significant for everyone to take notice of, if only because they represent a higher\r\nmaturity level of post-exploit innovation. Their cutting edge TTPs today end up being everyone’s run of the mill\r\ntomorrow; it’s important to learn from these events.\r\nWe hope that by sharing some of these insights, we can help raise awareness and continue to focus on protecting\r\nthe world's data from attack. 
To enable organizations further, we’ve added all the observed MITRE ATT\u0026CK®\r\ntechniques and indicators of compromise (IoCs) below.\r\nMITRE ATT\u0026CK® techniques\r\nT1193 - Spearphishing Attachment\r\nT1221 - Template Injection\r\nT1060 - Registry Run Keys / Startup Folder\r\nT1073 - DLL Side-Loading\r\nT1129 - Execution through Module Load\r\nT1055 - Process Injection\r\nT1107 - File Deletion\r\nT1140 - Deobfuscate/Decode Files or Information\r\nT1059 - Command-Line Interface\r\nIndicators of Compromise (IOCs)\r\nFile names and paths\r\nBubar Parlimen.zip\r\nBubar Parlimen.docx\r\nRemoteLoad.dotm\r\nC:\\Users\\Public\\sl1.tmp\r\nC:\\Users\\Public\\sl2.tmp\r\nC:\\Users\\*\\AppData\\Local\\Temp\\~liseces1.pcs\r\nC:\\Users\\*\\AppData\\Local\\Microsoft\\Office\\LogiMailApp.exe\r\nC:\\Users\\*\\AppData\\Local\\Microsoft\\Office\\LogiMail.dll\r\nRegistry keys\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntkd\r\nURLs\r\nhxxps[:]//armybar[.]hopto[.]org/LogiMail.dll\r\nhxxps[:]//armybar[.]hopto[.]org/LogiMailApp[.]exe\r\nhxxps[:]//armybar[.]hopto[.]org/Encrypted\r\nhxxp[:]//tomema[.]myddns[.]me/postlogin\r\nhxxp[:]//tomema[.]myddns[.]me/list_direction\r\nhxxp[:]//tomema[.]myddns[.]me/post_document\r\nIPs\r\n104[.]248[.]148[.]156\r\n139[.]59[.]31[.]188\r\nHTTPS 
certificate\r\n74b5e317527c93539dbaaf84d6a61da92a56012a\r\nYARA\r\nrule APT_APT40_Implant_June2020 {\r\n meta:\r\n version = \"1.0\"\r\n author = \"Elastic Security\"\r\n date_added = \"2020-06-19\"\r\n description = \"APT40 second stage implant\"\r\n strings:\r\n $a = \"/list_direction\" fullword wide\r\n $b = \"/post_document\" fullword wide\r\n $c = \"/postlogin\" fullword wide\r\n $d = \"Download Read Path Failed %s\" fullword ascii\r\n $e = \"Open Pipe Failed %s\" fullword ascii\r\n $f = \"Open Remote File %s Failed For: %s\" fullword ascii\r\n $g = \"Download Read Path Failed %s\" fullword ascii\r\n $h = \"\\\\cmd.exe\" fullword wide\r\n condition:\r\n all of them\r\n}\r\nReferences\r\nhttps://www.mycert.org.my/portal/advisory?id=MA-774.022020\r\nhttps://prezi.com/view/jGyAzyy5dTOkDrtwsJi5/\r\nhttps://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.dadstache\r\nSource: https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign"
	],
	"report_names": [
		"advanced-techniques-used-in-malaysian-focused-apt-campaign"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434626,
	"ts_updated_at": 1775792281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b2d6c7ccfb612f155e9ab8f2e35581ea5174636.pdf",
		"text": "https://archive.orkl.eu/0b2d6c7ccfb612f155e9ab8f2e35581ea5174636.txt",
		"img": "https://archive.orkl.eu/0b2d6c7ccfb612f155e9ab8f2e35581ea5174636.jpg"
	}
}