{
	"id": "aaf42f90-8c3e-47d1-9931-66a77a25a0a9",
	"created_at": "2026-04-06T00:18:32.64977Z",
	"updated_at": "2026-04-10T03:33:46.019978Z",
	"deleted_at": null,
	"sha1_hash": "0b9cbbe9338f13b5e1bfe97b8e4015e44ba5a810",
	"title": "CUCKOO SPEAR Part 2: Threat Actor Arsenal",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5380288,
	"plain_text": "CUCKOO SPEAR Part 2: Threat Actor Arsenal\r\nBy Cybereason Security Services Team\r\nArchived: 2026-04-05 23:36:48 UTC\r\nIn the previous installment of our Cuckoo Spear series, we introduced the Cuckoo Spear campaign and provided an overview of the APT10 threat actor’s tactics and objectives. If you missed Part 1, you can catch up here.\r\nIn this follow-up, we dive deeper into the technical aspects of the NOOPDOOR and NOOPLDR malware that APT10 employed in the Cuckoo Spear campaign. Our analysis shows how NOOPDOOR operates and the risks it poses to organizations, and should help security professionals understand and defend against the tradecraft of this persistent adversary.\r\nARSENAL ANALYSIS\r\nThis section focuses on the reverse engineering of the Cuckoo Spear tools NOOPLDR and NOOPDOOR.\r\nDLL Loader Analysis / NOOPLDR-DLL\r\nCybereason has discovered several variants of NOOPLDR-DLL that differ in how they load the malicious code, as illustrated below.\r\nhttps://www.cybereason.com/blog/cuckoo-spear-pt2-threat-actor-arsenal\r\nPage 1 of 33\r\nLoaded as Service / DLL Side-Loading\r\nCapabilities\r\nThe capabilities of NOOPLDR-DLL are the following:\r\nEstablishes persistence by registering as a service\r\nObfuscates code with control flow flattening\r\nEncodes strings with XOR\r\nCreates a process and injects shellcode obtained from the registry\r\nPotentially evades user-mode hooks by issuing dynamically resolved syscalls\r\nService Persistence\r\nCybereason observed telemetry of several unsigned DLL files under C:\\Windows\\System32 that were loaded as part of the services started by the command svchost.exe -k netsvcs. These services eventually injected numerous NOOPDOOR payloads into arbitrary processes. Further investigation revealed that the malicious DLL files were created by modifying a segment of legitimate DLLs. 
The modified section is given a randomly generated function name in the export table, as shown here.\r\nExport Table With Randomly Generated Function Names\r\nThis malicious export is invoked as the service’s ServiceMain function, the entry point of a service implemented in a service DLL and running inside an svchost.exe instance.\r\nServiceMain Function\r\nControl Flow Flattening\r\nThe entire DLL, including its legitimate functions, has been heavily obfuscated with control flow flattening, presumably to slow down analysis.\r\nControl Flow Flattening Observed In NOOPLDR\r\nXOR String\r\nThe strings used to register the service and query the registry are XOR encoded and are decoded with key bytes hardcoded in the .rdata section of the binary.\r\nXOR In NOOPLDR\r\nA script that decodes all the strings reveals the service settings, the registry key path, and a command that starts the Windows service and then rewrites its security descriptor:\r\nSoftware\\Microsoft\\SQMClient\r\nMachineId\r\nSOFTWARE\\Microsoft\\UserData\r\ncmd /c \"sc start %s \u0026\u0026 sc sdset %s D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)\"\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\r\nnetsvcs\r\n%SystemRoot%\\System32\\svchost.exe -k netsvcs\r\nSYSTEM\\CurrentControlSet\\Services\\\r\nDescription\r\n\\Parameters\r\nServiceDll\r\nServiceMain\r\nDaTRhAZpRFqHdgnuLZCUdP\r\n*.exe\r\ncalc.exe\r\nwin32calc.exe\r\n_config\r\n-install\r\nThe sc sdset descriptor deserves a close look. Its three deny ACEs come first and remove SERVICE_CHANGE_CONFIG (DC), SERVICE_QUERY_STATUS (LC), SERVICE_STOP (WP), SERVICE_PAUSE_CONTINUE (DT) and DELETE (SD) from Interactive Users (IU), service logon users (SU) and, notably, Builtin Administrators (BA), so sc stop, sc delete and even sc query return access denied for an administrator, while SYSTEM (SY) keeps start and stop. Because WRITE_DAC (WD) is still granted to BA, a responder can restore a normal descriptor with sc sdset, or work from a SYSTEM context, before stopping and removing the service.\r\nDecrypt NOOPDOOR 
Shellcode\r\nNOOPLDR performs WinAPI calls to obtain the encrypted shellcode from one of several registry keys. The registry key paths observed by Cybereason are the following:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\User Preferences\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\OneSettings\r\nHKEY_CURRENT_USER\\HKCU\\Software\\Microsoft\\OneDrive\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\UserData\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\F12\r\nHKEY_CURRENT_USER\\Software\\Licenses\r\nHKEY_CURRENT_USER\\Software\\License\r\nHKEY_CURRENT_USER\\COM3\r\nThe decryption uses AES in CBC mode with an initialization vector (IV) taken from the first 16 bytes of the MachineId. The AES key is derived with the standard advapi32.dll CryptoAPI functions from a SHA1 hash computed over the following concatenated data:\r\n1. The MachineId value from HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SQMClient\r\n2. A NULL byte\r\n3. Hardcoded bytes within the .text and .rdata sections\r\nHardcoded Bytes In NOOPLDR\r\n4. The registry key name that contains the shellcode\r\nAs an example, the data to be hashed looks like this:\r\nData Prior To Getting Hashed\r\nOnce hashed, the hash object is passed to CryptDeriveKey to produce the decryption key. Note that CryptDeriveKey does not use the raw SHA1 digest as the AES key: it XORs the digest into two 64-byte buffers filled with 0x36 and 0x5C, hashes each, concatenates the results and takes the first n key bytes (the derivation Microsoft documents for non-SHA-2 hashes), so a re-implementation must do the same to obtain the right key.\r\nCode Injection with Syscalls\r\nExecutables under C:\\Windows\\System32 are started as dummy processes into which the decrypted NOOPDOOR code is injected, following the common WinAPI pattern:\r\nCreateProcess\r\nVirtualAlloc\r\nWriteProcessMemory\r\nCreateRemoteThread\r\nHowever, the native API equivalents are used instead, invoked through custom syscall stubs in which the SSN (System Service Number) is loaded dynamically right before each call. 
Many SSNs change from one Windows build to the next (only the lowest-numbered ones have stayed constant), so the loader resolves the correct value for each syscall at run time. For example, NtCreateThreadEx is 0xBA on Windows 10 version 1709.\r\nCustom Syscall In NOOPLDR\r\nWindows 64-bit Syscall Table\r\nBecause the native APIs are invoked through syscall instructions in the loader’s own memory rather than through ntdll.dll, user-mode hooks on ntdll or kernel32 never see the injection. Kernel-side telemetry such as process and thread creation callbacks and ETW Threat Intelligence events still does, so detections built on those sources remain effective.\r\nAn interesting difference between the two DLLs is that the side-loaded variant performs local code injection, whereas the service variant uses CreateProcess followed by NtWriteVirtualMemory. The side-loaded variant instead allocates the decrypted shellcode inside its own process memory, changes the page protection with the NtProtectVirtualMemory syscall, and then executes the newly allocated NOOPDOOR code.\r\nDecrypted NOOPDOOR In Debugger\r\nC# Loader Analysis / NOOPLDR-C#\r\nThis C# code is stored in an XML file, generally located in the C:\\Windows\\System32 folder; in some cases the XML file was found in other folders.\r\nThe code is highly obfuscated, but Cybereason de-obfuscated it to determine how it works.\r\nThe code is loaded using the Microsoft Windows tool msbuild.exe, which compiles and runs it in one command. 
The command line msbuild.exe [NOOPLDR XML FILE NAME].xml is generally wired into the victim system through persistence mechanisms such as scheduled tasks, services or WMI event consumers, as documented in the TTPs section.\r\nNOOPLDR-C# Execution Flow\r\nCapabilities\r\nThe capabilities of NOOPLDR-C# are the following:\r\nCode obfuscation\r\nTimestomping, using the modification time of kernel32.dll as the reference\r\nLoading shellcode either from a specific .dat file or from the registry\r\nA unique configuration for each affected victim device\r\nEvery NOOPLDR-C# sample Cybereason analyzed differed from machine to machine: some loaders organized their functions differently, and they loaded the shellcode from different registry hives (some from HKCU, others from HKLM).\r\nMSBuild Project File Schema Reference\r\nEach sample uses the Microsoft Project File format so that it can be interpreted by the LOLBin msbuild.exe. That binary takes a .csproj file (here renamed to .xml), compiles it and runs it:\r\nSource: https://lolbas-project.github.io/lolbas/Binaries/Msbuild/\r\nThat XML file, our starting point, begins with the following code:\r\n[C# CODE]\r\nThe C# code mentioned above is extremely obfuscated to complicate analysis.\r\nC# Code Obfuscation\r\nTo start the analysis, one needs to deobfuscate the loader. The original file initially looks like this:\r\nObfuscated Code\r\nUsing a simple IDE, one can already rely on C# formatting heuristics to indent the code properly:\r\nExtract From The Code Once Indented By VSCode\r\nThe next phase is the renaming of each variable and parameter. 
Since WinAPI functions are called from the C# code, each randomly named parameter can be mapped back to its documented name:\r\nstatic extern IntPtr OpenProcess(UInt32 INVCZKPHO5c4XALHLbgGfKXOlHbWSLY8uWyUlcEMwjMstIN2gHMEGy08Zgq, Int32 J2ZcgdKac1vIGDj58F, UInt32 N4iPk9uC65A5fVmdDuJlp8);\r\n[DllImport(\"...\")]\r\nstatic extern IntPtr OpenProcess(UInt32 dwDesiredAccess, Int32 bInheritHandle, UInt32 dwProcessId);\r\nThe following phase is more manual: the goal is to infer the original variable names by working out what the code does.\r\nIn the end, this yields code that is much easier to understand:\r\nExtract From The Un-Obfuscated Code\r\nThe first function called is Execute():\r\nFirst Function Called And Beginning Of The C# Code Flow\r\nObtaining the encrypted Shellcode\r\nThe goal of the ClInI function is to obtain the shellcode either from the DAT file passed as a parameter or from the Windows registry, if the shellcode is already stored there.\r\nFirst Part Of The Function\r\nThat function will first create a hash based on the machine name and a salt. 
Cybereason noticed that this hash is not always present across the different iterations of NOOPLDR-C#.\r\nThe MachineId value is obtained from the key HKLM\\Software\\Microsoft\\SQMClient.\r\nThe machine name and the SALT are concatenated and a SHA256 hash is calculated from them. The first 16 bytes of that hash form the name of the registry value the program will try to read: HKLM\\Software\\License\\{SHA256(MachineName+SALT)}\r\nThe program then attempts to load the .dat file passed as a function parameter:\r\nIf the file exists, it loads the shellcode from it\r\nIf it does not, it loads the shellcode from the registry\r\nCybereason assessed that this logic exists to seed the registry with the shellcode on first run, which further reading of the code confirmed:\r\nIf the file exists, the code ultimately writes the encrypted shellcode to the registry and deletes the DAT file\r\nAfter that, the only stored copy of the shellcode lives in the registry hive, a far less obvious place to look than the file system. Registry-resident shellcode gives the attacker a stealthy and persistent way to stage code without leaving a payload file for scanners to find.\r\nAt this point, the encrypted shellcode is in memory and ready to be used.\r\nIntegrity Check and Shellcode Decryption\r\nThe code first compares the SHA256 hash of the shellcode (everything except the first 32 bytes) with the value stored at the very beginning of the file or registry value:\r\nIntegrity Check\r\nExecution continues only if that stored SHA256 checksum, the integrity check, matches the hash computed over the shellcode itself. The code then calculates the key used to decrypt the shellcode. 
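As an added example that is neither Cybereason's script nor the malware's own code, the following Python re-implements the data-handling steps this page describes for both loaders: the SHA1 material and CryptDeriveKey expansion of NOOPLDR-DLL from the DLL loader section, and the integrity check, the SHA384 key and IV split and the 10-byte header of NOOPLDR-C# described in this section. The string encodings fed to the hashes, the header field widths, the meaning of the offset, the PKCS7 padding and the use of the cryptography package for the AES step are assumptions; every hashing and parsing function runs without that package.

```python
import hashlib
import struct

# Added example, not Cybereason's script or the malware's code. Items marked
# ASSUMPTION are not stated on the page and were chosen to make the code runnable.
try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_AES = True
except ImportError:          # hashing and parsing below still work without it
    HAVE_AES = False


# ---- NOOPLDR-DLL: SHA1 material -> CryptDeriveKey -> AES key, IV from MachineId ----

def dll_hash_material(machine_id: str, hardcoded: bytes, value_name: str) -> bytes:
    # Order given on the page: MachineId, a NULL byte, hardcoded bytes, registry key name.
    # ASSUMPTION: both strings are hashed as ASCII bytes.
    return machine_id.encode('ascii') + bytes(1) + hardcoded + value_name.encode('ascii')


def crypt_derive_key_sha1(material: bytes, key_len: int) -> bytes:
    # Microsoft CryptDeriveKey for a non-SHA-2 hash and an AES (or 3DES) key:
    # XOR the digest into 64-byte buffers of 0x36 and 0x5C, hash each buffer,
    # concatenate and take the first key_len bytes. The raw SHA1 digest is NOT the key.
    digest = hashlib.sha1(material).digest()
    padded = digest + bytes(64 - len(digest))
    inner = hashlib.sha1(bytes(b ^ 0x36 for b in padded)).digest()
    outer = hashlib.sha1(bytes(b ^ 0x5C for b in padded)).digest()
    return (inner + outer)[:key_len]


def dll_iv(machine_id: str) -> bytes:
    # CBC IV is the first 16 bytes of MachineId (ASSUMPTION: its ASCII bytes).
    return machine_id.encode('ascii')[:16]


# ---- NOOPLDR-C#: value name, integrity check, SHA384 key/IV, 10-byte header ----

def name_hash(machine_name: str, salt: bytes) -> bytes:
    # SHA256(MachineName + SALT); the page says its first 16 bytes name the registry value.
    return hashlib.sha256(machine_name.encode('ascii') + salt).digest()


def split_and_verify(blob: bytes):
    # Stored layout: a 32-byte SHA256 of everything after it, then the AES ciphertext.
    # Returns the ciphertext, or None when the integrity check fails.
    if len(blob) < 32:
        return None
    stored, body = blob[:32], blob[32:]
    return body if hashlib.sha256(body).digest() == stored else None


def cs_key_iv(machine_id: str, machine_name_hash: bytes):
    # SHA384(MachineId + name hash): bytes 0-31 are the AES-256 key, bytes 32-47 the IV.
    # ASSUMPTION: this concatenation order and ASCII encoding of MachineId.
    d = hashlib.sha384(machine_id.encode('ascii') + machine_name_hash).digest()
    return d[:32], d[32:48]


def parse_header(plain: bytes):
    # First 10 bytes -> (is_64bit, size, offset). ASSUMPTION on widths: a 2-byte flag
    # and two little-endian uint32 fields, which add up to the 10 bytes the page states.
    flag, size, offset = struct.unpack_from('<HII', plain, 0)
    return bool(flag), size, offset


def extract_shellcode(plain: bytes) -> bytes:
    # ASSUMPTION: offset counts from the end of the header, 0 meaning right after it.
    _, size, offset = parse_header(plain)
    start = 10 + offset
    return plain[start:start + size]


def decrypt_blob(blob: bytes, machine_id: str, machine_name: str, salt: bytes) -> bytes:
    # Full path: verify, derive key/IV, AES-256-CBC decrypt, strip PKCS7 (.NET default), slice.
    body = split_and_verify(blob)
    if body is None:
        raise ValueError('SHA256 integrity check failed')
    if not HAVE_AES:
        raise RuntimeError('install the cryptography package to run the AES step')
    key, iv = cs_key_iv(machine_id, name_hash(machine_name, salt))
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    plain = dec.update(body) + dec.finalize()
    pad = plain[-1]
    if 1 <= pad <= 16:
        plain = plain[:-pad]
    return extract_shellcode(plain)
```

When reproducing the DLL loader's key, feed crypt_derive_key_sha1 the same key length the sample requests from CryptDeriveKey (16 for AES-128, 32 for AES-256); the page does not state which one NOOPLDR-DLL uses, so check the ALG_ID passed in the sample. For the C# loader, a failed integrity check on a registry blob is itself an indicator worth recording, since the loader refuses to run on it.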
\r\nThe key is a SHA384 hash of the MachineId value from the registry and the machine-name hash calculated in the previous step. The shellcode is then decrypted with a standard AES routine, using the first 32 bytes of the SHA384 digest as the key (AES-256) and the last 16 bytes as the initialization vector (IV).\r\nDecryption Routine\r\nFinally, the first 10 bytes of the decrypted content are stored in three variables:\r\nA boolean indicating whether the shellcode is 64-bit\r\nAn unsigned integer holding the shellcode size\r\nAn unsigned integer holding the shellcode offset, for the case where it does not start at the beginning of the data\r\nStore In Variables\r\nData Re-Encryption \u0026 Registry Writing\r\nThe following logic executes when the shellcode was loaded from an offset other than 0:\r\nThe code recalculates the SHA384 key and re-encrypts the content with AES\r\nIt then writes that content to the registry\r\nIf for some reason it cannot write to the registry, it writes to the DAT file instead\r\nOnce that is done, the code proceeds to inject the decrypted shellcode into another process’s memory.\r\nPayload Injection\r\nThe next part of the code injects the decrypted shellcode into the memory of a newly spawned process. 
The code corresponding to this part is the following:\r\nRemote Injection Function\r\nThe injection proceeds as follows:\r\nStartup information initialization\r\nProcess attribute list initialization\r\nProcess creation through the CreateProcess WinAPI call\r\nMemory allocation and writing in the new process through VirtualAllocEx and WriteProcessMemory\r\nRemote thread creation through the CreateRemoteThread WinAPI call\r\nExtracting the configuration\r\nTo extract the configuration of each iteration of NOOPLDR, one has to obtain the following elements:\r\nThe name of the process that the loadable code will be injected into\r\nThe DAT file that is loaded when a machine is first infected\r\nThe registry path where the shellcode is stored (HKLM\\SOFTWARE\\License)\r\nCybereason wrote a short Python script that decrypts the shellcode from parameters such as the registry key name ({XXXX-XXXX-XXXX}) and the MachineId value.\r\nInjected Shellcode / NOOPDOOR\r\nThis section describes the analysis of the shellcode injected by the methods above. Cybereason attributes this malware to NOOPDOOR, which was recently unearthed at JSAC 2024. Cybereason has discovered several variants of NOOPDOOR that differ in C2 URLs and functionality, but they can mostly be categorized as one of the following:\r\nC2 Client\r\nC2 Server\r\nCybereason also observed single shellcode binaries that contain both of these capabilities. 
But in most cases the client and server shellcode were separate.\r\nC2 Client NOOPDOOR Analysis\r\nCapabilities\r\nThe capabilities of the client code of NOOPDOOR are the following:\r\nAPI hashing, with the resolver overwritten with garbage bytes afterwards\r\nAnti-debugging\r\nDGA based on URL configurations\r\nCustom network protocol over TCP\r\nExfiltrating data to the C2 server\r\nWinAPI Resolution\r\nEvery sample shares a similar Windows API hashing function that applies a rotate-right instruction to the function names and an XOR against hardcoded bytes.\r\nDynamic WinAPI Resolution Logic\r\nThe hardcoded bytes differ from sample to sample, but the routine nevertheless builds a large structure of around 250 API function pointers.\r\nLoaded WinAPI Struct Example\r\nThis struct is then used to call the appropriate APIs throughout the code. The Cybereason IR team has created a script that resolves this API hashing function to speed up analysis.\r\nAs an anti-detection measure, the functions that resolve the APIs are overwritten with garbage bytes such as 0x00, 0x20 and 0x90 once they have run, so memory signatures that look specifically for this part of the code will not find it. The resolved function-pointer structure must remain in memory for the code to work, however, so scanning for a dense block of around 250 pointers into DLL export addresses remains a viable approach.\r\nDumped From Memory / Before Execution\r\nCode Difference In Memory\r\nAnti-Debugging Capabilities\r\nA large number of process names used in malware analysis are stored as stack strings. The running processes are enumerated with the CreateToolhelp32Snapshot API and checked against this list before the code’s main routine runs. 
\r\n・x32dbg\r\n・x64dbg\r\n・ollydbg\r\n・windbg\r\n・ida\r\n・idaq\r\n・ImmunityDebugger\r\n・loaddll\r\n・ProcessHacker\r\n・StudioPE\r\n・PE Explorer\r\n・Autoruns\r\n・Process Explorer\r\n・Procmon\r\n・TcpView\r\n・010Editor\r\n・WinHex\r\n・Wireshark\r\n・zenmap\r\n・ProcessHacker\r\n・vmmap\r\n・load_sc\r\n・HttpAnalyzerStd\r\n・Fiddler\r\nDGA\r\nC2 domain names are generated from a URL string in which the integer after the “#” is the number of days before the domain rotates to its next iteration. Cybereason has observed code that rotates domains over periods such as 60, 90, 180, 364 and 365 days. Note that the C2 URL string contains “http”, but this is only used as input to the DGA hashes; actual communication takes place over a custom TCP protocol.\r\nC2 URLs Before DGA Resolution\r\nThe algorithm that generates the domain is as follows:\r\n1. Check whether the current date/time falls between Monday 10 am and 11 am (local time)\r\n2. Obtain a SYSTEMTIME structure, convert it to a FILETIME, then to an epoch time based on the year/month/day\r\n3. If the URL has an integer after “#”, use it to perform arithmetic against the time\r\n4. If the URL contains “[]”, insert the hostname there\r\n5. Create a SHA256 from the modified FILETIME\r\n6. Create a SHA512 from the unresolved C2 URL string from step 4\r\n7. Create a SHA512 from the SHA256 of step 5 concatenated with the unresolved C2 URL string from step 4\r\n8. Base64-encode the concatenation of the SHA512 hashes from steps 6 and 7, then take the first 17 bytes\r\n9. Remove special characters, lowercase characters and digits from the Base64 string\r\n10. Replace the “$a” part of the unresolved C2 URL with the cleaned Base64 string\r\nBecause the only inputs are the date, the URL template and (where “[]” appears) the hostname, a defender who has recovered the template can pre-compute the domains for any date range and block or sinkhole them in advance.\r\nThe C2 URL could also be a subdomain as illustrated below. 
In this case Cybereason observed a slightly different algorithm: the Monday check is absent, and if there is no number of days after “#”, the domain changes every day based on the system time.\r\nC2 URLs Before Resolution\r\nThe Cybereason team has created a script that resolves the DGA URLs and used it to generate the list of domains for 2023 to 2025. From an IR perspective, subdomains like ocouomors[.]com are easier to block than www.*.com; to keep the list from becoming too long, Cybereason only included the latter. The script can be used to block any other NOOPDOOR domains that could be generated within your organization.\r\nExfiltration to C2\r\nThe client can exfiltrate data to the generated domain and offers additional C2 capabilities. ESET’s presentation at JSAC 2024 documents this functionality well.\r\nSource: https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_2_8_Breitenbacher_en.pdf\r\nInternal C2 Server NOOPDOOR Analysis\r\nA variant of the loaded payload contained code for a possible internal C2 server. 
Cybereason suspects this server was used by the threat actor to aggregate information and pivot within the network.\r\nCapabilities\r\nThe capabilities of the NOOPDOOR C2 server are the following:\r\nAPI hashing\r\nModifying firewall rules\r\nCustom protocol over TCP\r\nC2 framework functionality such as upload/download, reading and writing files, creating processes, etc.\r\nAdding Firewall Rule\r\nIt adds a new inbound firewall rule named “Cortana”, either through the Windows Firewall COM object or, failing that, with the netsh command.\r\nFirewall Name\r\nThe Windows Firewall API is loaded with CoCreateInstance using the NetFwMgr class ID {304CE942-6E39-40D8-943A-B913C40C9CD4} and the INetFwMgr interface ID {F7898AF5-CAC4-4632-A2EC-DA06E5111AF2}.\r\nLoading Firewall API\r\nIf loading the firewall API through COM fails, it runs the following netsh command instead (note the deprecated netsh firewall context rather than netsh advfirewall, which is itself a useful string to hunt for in command-line telemetry):\r\ncmd /c netsh firewall delete port opening TCP 5984 \u0026 netsh firewall add port opening TCP 5984 TCP\r\nServer Code\r\nThe server uses Windows Socket APIs to listen on a port for incoming connections. 
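As an added example that is not part of the Cybereason report, the following Python checks a host for the two server-side artifacts this section describes: a listening TCP socket on one of the ports Cybereason observed, and a firewall rule named Cortana (or any enabled inbound allow rule for one of those ports under a different name). It parses the plain text of netstat -ano and netsh advfirewall firewall show rule name=all; the English column layout of both tools and the sample outputs embedded below are constructed for this example, so adapt the parsing on localized systems.

```python
# Added example, not from the Cybereason report. Parses netstat -ano and
# netsh advfirewall firewall show rule name=all output for NOOPDOOR server artifacts.

NOOPDOOR_PORTS = {5984, 47000, 8532}   # listener ports listed in the report
RULE_NAME = 'Cortana'                  # firewall rule name used by the server


def listening_pids(netstat_text: str, ports=NOOPDOOR_PORTS) -> dict:
    # netstat -ano rows: proto, local address, foreign address, state, PID.
    # Returns {port: pid} for LISTENING TCP sockets on the watched ports.
    found = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == 'TCP' and parts[3] == 'LISTENING':
            port = int(parts[1].rsplit(':', 1)[1])   # handles 0.0.0.0:5984 and [::]:5984
            if port in ports:
                found[port] = int(parts[4])
    return found


def parse_rules(netsh_text: str) -> list:
    # Splits netsh advfirewall output (Key: value lines) into one dict per rule.
    rules, current = [], None
    for line in netsh_text.splitlines():
        if ':' not in line:
            continue
        key, value = (s.strip() for s in line.split(':', 1))
        if key == 'Rule Name':
            current = {}
            rules.append(current)
        if current is not None:
            current[key] = value
    return rules


def suspicious_rules(netsh_text: str, ports=NOOPDOOR_PORTS) -> list:
    # A rule is reported when it carries the malware's rule name, or when it is an
    # enabled inbound allow for one of the known listener ports under any other name.
    hits = []
    for rule in parse_rules(netsh_text):
        opened = {int(p) for p in rule.get('LocalPort', '').split(',') if p.strip().isdigit()}
        by_name = rule.get('Rule Name') == RULE_NAME
        by_port = (rule.get('Direction') == 'In' and rule.get('Action') == 'Allow'
                   and rule.get('Enabled') == 'Yes' and bool(opened & ports))
        if by_name or by_port:
            hits.append((rule.get('Rule Name'), sorted(opened)))
    return hits


# Constructed sample output (not captured from a real incident).
SAMPLE_NETSTAT = '''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:5984           0.0.0.0:0              LISTENING       6204
  TCP    [::]:47000             [::]:0                 LISTENING       6204
  TCP    10.0.0.5:49712         10.0.0.9:445           ESTABLISHED     4
  UDP    0.0.0.0:5355           *:*                                    1480
'''

SAMPLE_NETSH = '''
Rule Name:                            Cortana
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Grouping:
Protocol:                             TCP
LocalPort:                            5984
RemotePort:                           Any
Action:                               Allow

Rule Name:                            Remote Sync
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            47000
RemotePort:                           Any
Action:                               Allow

Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Action:                               Allow
Ok.
'''

if __name__ == '__main__':
    print('listeners:', listening_pids(SAMPLE_NETSTAT))
    print('rules:', suspicious_rules(SAMPLE_NETSH))
```

Run the two commands on the suspect host, save their output, and pass the text to the functions; a PID returned by listening_pids is the process to dump, and a by-port hit under an unexpected rule name is worth as much attention as the Cortana name itself, since the rule name is trivial for the operator to change.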
\r\nListening Port\r\nCybereason has observed samples that listen on different ports:\r\n5984\r\n47000\r\n8532\r\nBased on the received command, it performs one of the following functions.\r\nServer Functionality\r\nConclusion\r\nDue to the widespread identification of Cuckoo Spear in Japanese organizations, Cybereason decided to publish this Threat Analysis Report to document the actor’s activity and allow threat hunters to identify it in their networks.\r\nDetection\r\nCybereason has provided descriptions of queries to identify Cuckoo Spear presence in the network and has shared Indicators of Compromise (IOCs) to detect and potentially block Cuckoo Spear activity.\r\nIncident Response\r\nDue to the potential complexity of the containment, eradication and recovery process, it is highly recommended to engage a dedicated incident response team upon discovering this threat actor on the network.\r\nRemediation\r\nIn many APT-related cases, the threat actor has already had network access for months or years before any investigation starts. Eradicating this threat actor requires in-depth preparation and effective security measures so the attacker cannot return. 
Although remediation actions differ for each organization, Cybereason Security Services generally suggests conducting an organization-wide remediation day on which the following actions are carried out:\r\nPrepare a clean, uncompromised network\r\nDisable all access to and from the internet\r\nBlock all NOOPDOOR-related C2 domains and IPs\r\nReset all user passwords (including service accounts and, in Active Directory, the krbtgt account twice, so that previously forged Kerberos tickets stop working)\r\nRebuild infected machines\r\nConnect the rebuilt machines to the clean network\r\nHunting Queries\r\nTo detect whether NOOPLDR/NOOPDOOR has been deployed in your environment, run the following hunting queries in your EDR or monitoring platform.\r\nHunting For Suspicious MSBUILD Execution Via Persistence: detects msbuild.exe being run with a .xml file that contains portable executable code, especially when the parent process is a common Windows process such as scrcons.exe, services.exe or svchost.exe\r\nHunting For Suspicious Service Containing MSBUILD And .xml In The Command Line: detects msbuild.exe being spawned through service creation with .xml embedded in the command line\r\nHunting For Suspicious WMI Consumer Event: same as above, with the persistence mechanism changed from a service to a WMI event consumer\r\nHunting For Suspicious DGA-Like Behavior: combines file attributes, process monitoring and network behavior analysis. It targets unsigned files of non-trivial size, modules loaded by svchost.exe, and processes with unusual DNS query ratios (more unresolved DNS queries than resolved ones, which is characteristic of Domain Generation Algorithm or DGA use)\r\nConsider whether each filter adds to the detection’s precision or might create noise, and adjust based on the specific environment and threat landscape. 
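As an added example that is not one of Cybereason's queries, the hunts listed above are written here as plain Python over simple event dictionaries, so the logic of each filter can be read and tuned before it is ported to an EDR query language. The field names, the size threshold, the minimum query count and every sample event are constructed for this example and are not telemetry from the Cuckoo Spear investigations.

```python
import re
from collections import defaultdict

# Added example, not a Cybereason query. Event schema and samples are constructed.

PERSISTENCE_PARENTS = {'scrcons.exe', 'services.exe', 'svchost.exe'}  # scrcons.exe hosts WMI consumers
MSBUILD_XML = re.compile('msbuild([.]exe)?.*[.]xml', re.IGNORECASE)


def suspicious_msbuild(proc: dict) -> bool:
    # Hunts 1-3: msbuild.exe compiling a .xml project, spawned by a persistence host
    # (the service control manager, an svchost service, or the WMI consumer host).
    if not proc['image'].lower().endswith('msbuild.exe'):
        return False
    if not MSBUILD_XML.search(proc['cmdline']):
        return False
    return proc['parent'].lower() in PERSISTENCE_PARENTS


def suspicious_module(mod: dict, min_size: int = 100 * 1024) -> bool:
    # Hunt 4, file part: an unsigned module of non-trivial size loaded by svchost.exe.
    # min_size is a tuning knob for this example, not a threshold from the page.
    return (mod['loader'].lower() == 'svchost.exe'
            and not mod['signed']
            and mod['size'] >= min_size)


def dga_like_pids(dns_events, min_queries: int = 10) -> dict:
    # Hunt 4, network part: processes whose failed lookups outnumber successful ones.
    # min_queries keeps a handful of typos from triggering the rule.
    stats = defaultdict(lambda: [0, 0])            # pid -> [resolved, unresolved]
    for ev in dns_events:
        stats[ev['pid']][0 if ev['rcode'] == 'NOERROR' else 1] += 1
    return {pid: (ok, bad) for pid, (ok, bad) in stats.items()
            if ok + bad >= min_queries and bad > ok}


def run_hunts(procs, modules, dns_events) -> dict:
    # Returns every hit per hunt so each filter can be judged for precision separately.
    return {
        'msbuild': [p['pid'] for p in procs if suspicious_msbuild(p)],
        'unsigned_svchost_module': [m['path'] for m in modules if suspicious_module(m)],
        'dga_like': dga_like_pids(dns_events),
    }


# Constructed sample telemetry (forward slashes used in paths for this example).
SAMPLE_PROCS = [
    {'pid': 4100, 'image': 'MSBuild.exe', 'parent': 'services.exe',
     'cmdline': 'msbuild.exe C:/Windows/System32/updater.xml'},
    {'pid': 4200, 'image': 'MSBuild.exe', 'parent': 'devenv.exe',
     'cmdline': 'msbuild.exe C:/src/app.csproj'},
    {'pid': 4300, 'image': 'msbuild.exe', 'parent': 'scrcons.exe',
     'cmdline': 'MSBUILD.EXE C:/ProgramData/task.xml'},
]
SAMPLE_MODULES = [
    {'path': 'C:/Windows/System32/sample_unsigned.dll', 'loader': 'svchost.exe', 'signed': False, 'size': 512 * 1024},
    {'path': 'C:/Windows/System32/kernel32.dll', 'loader': 'svchost.exe', 'signed': True, 'size': 700 * 1024},
    {'path': 'C:/Windows/System32/tiny.dll', 'loader': 'svchost.exe', 'signed': False, 'size': 8 * 1024},
]
SAMPLE_DNS = ([{'pid': 4100, 'rcode': 'NXDOMAIN'}] * 9 + [{'pid': 4100, 'rcode': 'NOERROR'}] * 3
              + [{'pid': 777, 'rcode': 'NOERROR'}] * 11 + [{'pid': 777, 'rcode': 'NXDOMAIN'}] * 2)

if __name__ == '__main__':
    print(run_hunts(SAMPLE_PROCS, SAMPLE_MODULES, SAMPLE_DNS))
```

The developer build (pid 4200) is the false positive each filter has to exclude: it runs msbuild with a real .csproj from an IDE parent, so the parent check rather than the msbuild match is what gives the rule its precision. Raise min_queries and min_size on noisy hosts before porting the logic.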
The goal is a balanced rule that minimizes false positives while effectively identifying potential threats.\r\nIndicators of Compromise (IOCs)\r\nIOC* Explanation\r\n3utilities[.]com NOOPDOOR subdomain\r\nfoeake[.]org NOOPDOOR subdomain\r\nftp[.]sh NOOPDOOR subdomain\r\ninbullar[.]com NOOPDOOR subdomain\r\nmangoaiml[.]com NOOPDOOR subdomain\r\nocouomors[.]com NOOPDOOR subdomain\r\nonthewifi[.]com NOOPDOOR subdomain\r\npaunsonaz[.]com NOOPDOOR subdomain\r\nredirectme[.]net NOOPDOOR subdomain\r\nsaraosting[.]com NOOPDOOR subdomain\r\nserveblog[.]net NOOPDOOR subdomain\r\ntemmans[.]com NOOPDOOR subdomain\r\ntorefrog[.]com NOOPDOOR subdomain\r\nea474e87f23ce6575057e76108665ffb NOOPLDR-DLL\r\ne0a8048c7f69da35bbb2cd35d86c2dc8 NOOPLDR-DLL\r\n6b3148e824fd84f54592fe5d2e766740 NOOPLDR-DLL\r\nc76b1ed6d094edbad887f68093ef6bf9 NOOPLDR-DLL\r\nd6d59b1ff85bf971286782f8f43d6326 NOOPLDR-DLL\r\ndeedb32bf51dc8f3399614c8a9718e75 NOOPLDR-DLL\r\nc39b02c9771c6be9610977408ebb509f NOOPLDR-DLL\r\n9eef43edc87ab1f301ec8730113535ee NOOPLDR-DLL\r\n73a904ba602e1bf068f5d217403fa41f NOOPLDR-DLL\r\nfe36fd0f09aadd3e7ddd7b66f18d5e93 NOOPLDR-C#\r\nf12873d8b69624d972b3c6fa55e52483 NOOPLDR-C#\r\nb5228638d5de18e59ebbddc13c120879 NOOPLDR-C#\r\n4f1c68d2fe3b0255e706e4c7de0a739f NOOPLDR-C#\r\n3b07fbaa8b9c5a53658abe3ac9f66e60 NOOPLDR-C#\r\n0dbaff93ec6243035275364d5c1c26c9 NOOPLDR-C#\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\User Preferences NOOPDOOR registry key path\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\OneSettings NOOPDOOR registry key 
path\r\nHKEY_CURRENT_USER\\HKCU\\Software\\Microsoft\\OneDrive NOOPDOOR registry key path\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\UserData NOOPDOOR registry key path\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\F12 NOOPDOOR registry key path\r\nHKEY_CURRENT_USER\\Software\\Licenses NOOPDOOR registry key path\r\nHKEY_CURRENT_USER\\Software\\License NOOPDOOR registry key path\r\nHKEY_CURRENT_USER\\COM3 NOOPDOOR registry key path\r\nHKEY_LOCAL_MACHINE\\Software\\License NOOPDOOR registry key path\r\n* NOOPDOOR shellcode hashes have been omitted from this list, as the hashes differ for every NOOPDOOR sample Cybereason has observed. Note also that several of the listed domains (3utilities[.]com, onthewifi[.]com, redirectme[.]net, serveblog[.]net) are public dynamic DNS zones shared with legitimate users, so block or alert on the specific generated subdomains rather than on the whole zone.\r\nMITRE ATT\u0026CK MAPPING\r\nTactic Techniques / Sub-Techniques\r\nTA0001: Initial Access T1190: Exploit Public-Facing Application\r\nTA0001: Initial Access T1566: Phishing\r\nTA0002: Execution T1053.005: Scheduled Task\r\nTA0002: Execution T1569.002: Service Execution\r\nTA0002: Execution T1047: Windows Management Instrumentation\r\nTA0003: Persistence T1053.005: Scheduled Task\r\nTA0003: Persistence T1543.003: Windows Service\r\nTA0003: Persistence T1546.003: Windows Management Instrumentation Event Subscription\r\nTA0003: Persistence T1574.002: DLL Side-Loading\r\nTA0005: Defense Evasion T1070.001: Clear Windows Event Logs\r\nTA0005: Defense Evasion T1055: Process Injection\r\nTA0005: Defense Evasion T1070.004: File Deletion\r\nTA0005: Defense Evasion T1070.006: Timestomp\r\nTA0005: Defense Evasion T1112: Modify Registry\r\nTA0005: Defense Evasion T1127.001: MSBuild\r\nTA0005: Defense Evasion T1140: Deobfuscate/Decode Files or Information\r\nTA0005: Defense Evasion T1562.004: Disable or Modify System Firewall\r\nTA0005: Defense Evasion T1622: Debugger Evasion\r\nTA0011: Command and Control T1071: Application Layer 
Protocol\r\nTA0011: Command and Control T1568.002: Domain Generation Algorithms\r\nTA0011: Command and Control T1573: Encrypted Channel\r\nAbout The Researchers\r\nJin Ito, Incident Response Engineer, Cybereason IR Team\r\nJin Ito is an Incident Response Engineer with the Cybereason Incident Response team. Formerly an Incident Response Engineer at Fujitsu, he holds several cybersecurity certifications such as GREM, GCFA and OSCP. Aside from his digital forensics responsibilities, he loves creating and reverse engineering malware.\r\nLoïc Castel, Incident Response Investigator, Cybereason IR Team\r\nLoïc Castel is an Investigator with the Cybereason IR team. Loïc analyses and researches critical incidents and cybercriminals in order to better detect compromises. In his career, Loïc has worked as a security auditor in well-known organizations such as ANSSI (the French National Agency for the Security of Information Systems) and as Lead Digital Forensics \u0026 Incident Response at Atos. Loïc loves digital forensics and incident response, but is also interested in offensive aspects such as vulnerability research.\r\nKotaro Ogino, CTI Analyst, Cybereason Security Operations Team\r\nKotaro is a CTI Analyst with the Cybereason Security Operations team. He is involved in threat hunting, threat intelligence enhancements and Extended Detection and Response (XDR). Kotaro has a bachelor of science degree in information and computer science.\r\nSource: https://www.cybereason.com/blog/cuckoo-spear-pt2-threat-actor-arsenal",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cybereason.com/blog/cuckoo-spear-pt2-threat-actor-arsenal"
	],
	"report_names": [
		"cuckoo-spear-pt2-threat-actor-arsenal"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434712,
	"ts_updated_at": 1775792026,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b9cbbe9338f13b5e1bfe97b8e4015e44ba5a810.pdf",
		"text": "https://archive.orkl.eu/0b9cbbe9338f13b5e1bfe97b8e4015e44ba5a810.txt",
		"img": "https://archive.orkl.eu/0b9cbbe9338f13b5e1bfe97b8e4015e44ba5a810.jpg"
	}
}