{
	"id": "c3a2d887-0422-40bd-a03e-6d8c50e35cdb",
	"created_at": "2026-04-06T00:22:30.479215Z",
	"updated_at": "2026-04-10T03:33:56.227895Z",
	"deleted_at": null,
	"sha1_hash": "0c2f13e1290caeb1e6c077096a5952ea3c57b187",
	"title": "Security vendors take action against Hidden Lynx malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 137175,
	"plain_text": "Security vendors take action against Hidden Lynx malware\r\nPublished: 2014-10-14 · Archived: 2026-04-05 15:49:00 UTC\r\nA coordinated operation involving Symantec and a number of other security companies has delivered a blow\r\nagainst Backdoor.Hikit and a number of other malware tools used by the Chinese-based cyberespionage group\r\nHidden Lynx. Dubbed Operation SMN, this cross-industry collaboration has seen major security vendors share\r\nintelligence and resources, resulting in the creation of comprehensive, multi-vendor protection which may\r\nsignificantly blunt the effectiveness of this malware. The organizations involved in this operation include Cisco,\r\nFireEye, F-Secure, iSIGHT Partners, Microsoft, Symantec, ThreatConnect, Tenable, ThreatTrack Security,\r\nNovetta, and Volexity.\r\nThe Hikit back door has been used in cyberespionage attacks against a range of targets in the US, Japan, Taiwan,\r\nSouth Korea, and other regions. Attackers using Hikit have focused their energies against organizations associated\r\nwith the government, technology, research, defense, and aerospace sectors among other targets.\r\nOperation SMN is the first time a cross-industry group has come together to disrupt an advanced persistent threat\r\n(APT) group. Previous collaborations, such as operations against the gangs behind the Gameover Zeus and\r\nShylock Trojans, have usually been focused on cybercriminal gangs.\r\nCoordinated by security firm Novetta under Microsoft’s new Coordinated Malware Eradication program,\r\nOperation SMN has resulted in a significant amount of intelligence being shared among vendors, leading to the\r\nrollout of more effective protection against Hikit and a number of other associated pieces of malware, including\r\none previously unknown malware tool.\r\nHikit\r\nThe main target for this operation was Backdoor.Hikit, a sophisticated and stealthy remote access Trojan (RAT)\r\nwhich has been used in high profile attacks since 2011. 
Hikit provides the attackers with a back door on the\r\nvictim’s computer. It enables them to download information from the infected computer and upload commands\r\nand other malware.\r\nNetwork-tunneling capabilities allow the threat to create proxies, while an ad-hoc network generation feature\r\nallows it to connect multiple compromised computers to create a secondary network. Hikit comes in 32-bit and\r\n64-bit versions, which are deployed depending on the target’s infrastructure.\r\nHikit has been used by at least two Chinese-based APT groups to launch cyberespionage attacks: Hidden Lynx\r\nand Pupa (also known as Deep Panda). Whether the groups are related in some way or whether they simply have\r\naccess to the same malware tools is currently unknown.\r\nhttps://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware\r\nPage 1 of 3\n\nFigure 1. Hikit infections by region\r\nHidden Lynx\r\nHidden Lynx, also known in the industry as Aurora, is a highly capable and well-resourced group of attackers that\r\nis based in China. The group has a track record of mounting relentless and persistent attacks against a broad range\r\nof targets.\r\nSymantec has carried out extensive research on Hidden Lynx and has concluded that the group has between 50\r\nand 100 operatives at its disposal and is capable of carrying out hundreds of simultaneous attacks against diverse\r\ntargets. Given its broad focus, the group appears to operate as a “hackers for hire”-type operation, mounting\r\nattacks on demand as directed by its paymasters.\r\nHidden Lynx is regarded as one of the pioneers of the “watering-hole” attack method and it appears to have early\r\naccess to zero-day vulnerabilities. 
If it cannot mount direct attacks against a target, Hidden Lynx has the\r\ncapabilities and the patience to work its way up through the supply chain, compromising the security at companies\r\nthat are suppliers to the target organization and using them as a stepping stone towards the ultimate goal.\r\nHidden Lynx used Hikit during its compromise of Bit9’s trusted file-signing infrastructure in 2012. This attack\r\nwas then leveraged to mount the VOHO campaign in July 2012 using Bit9-signed malware. The ultimate target of\r\nthis campaign was US companies whose computers were protected by Bit9. Hikit once again played a key role in\r\nthis attack campaign.\r\nSince then, Hidden Lynx has continued to use Hikit in its attacks against organizations predominantly in Taiwan,\r\nthe US, Japan, and South Korea. In 2013, Hidden Lynx underwent a significant re-tooling effort, introducing two\r\nnew malware tools, Backdoor.Fexel and Backdoor.Gresim, which it continues to use in conjunction with Hikit.\r\nBackdoor.Gresim was undiscovered prior to this collaboration effort.\r\nThis is the first time that a significant effort to disrupt the activities of an APT has been made. Symantec\r\nwelcomes the work between industry partners to share intelligence and coordinate efforts to provide the maximum\r\nimpact against APT groups. Through effective collaboration, we can help ensure that any organization likely to be\r\ntargeted by these groups will be better protected in the future.
\r\nSymantec protection\r\nSymantec has the following detections in place for the malware used in these attacks:\r\nAV\r\nBackdoor.Hikit\r\nBackdoor.Hikit!gen1\r\nBackdoor.Fexel\r\nBackdoor.Gresim\r\nInfostealer.Derusbi\r\nTrojan.Naid\r\nTrojan.Naid!gm2\r\nTrojan.Naid!gen1\r\nBackdoor.Moudoor\r\nBackdoor.ZXShell\r\nBackdoor.Darkmoon\r\nIPS\r\nSystem Infected: Backdoor.Hikit Activity 2\r\nSystem Infected: Backdoor.Fexel Activity 3\r\nSystem Infected: Gresim Activity\r\nSystem Infected: Backdoor.Fexel Activity\r\nSystem Infected: Infostealer.Derusbi Activity\r\nSystem Infected: Trojan.Naid Activity 2\r\nSystem Infected: Moudoor Backdoor Activity\r\nSystem Infected: Backdoor DarkMoon Activity\r\nSource: https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware"
	],
	"report_names": [
		"security-vendors-take-action-against-hidden-lynx-malware"
	],
	"threat_actors": [
		{
			"id": "4b076dcb-516e-42fb-9c8f-f153902cd5e9",
			"created_at": "2022-10-25T16:07:23.708745Z",
			"updated_at": "2026-04-10T02:00:04.720108Z",
			"deleted_at": null,
			"main_name": "Hidden Lynx",
			"aliases": [
				"Aurora Panda",
				"Group 8",
				"Heart Typhoon",
				"Hidden Lynx",
				"Operation SMN"
			],
			"source_name": "ETDA:Hidden Lynx",
			"tools": [
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"BlackCoffee",
				"HiKit",
				"MCRAT.A",
				"Mdmbot.E",
				"Moudoor",
				"Naid",
				"PNGRAT",
				"Trojan.Naid",
				"ZoxPNG",
				"gresim"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f",
			"created_at": "2022-10-25T16:07:23.335869Z",
			"updated_at": "2026-04-10T02:00:04.547702Z",
			"deleted_at": null,
			"main_name": "APT 19",
			"aliases": [
				"APT 19",
				"Bronze Firestone",
				"C0d0so0",
				"Checkered Typhoon",
				"Codoso",
				"Deep Panda",
				"G0009",
				"G0073",
				"Operation Kingslayer",
				"Red Pegasus",
				"Sunshop Group",
				"TG-3551"
			],
			"source_name": "ETDA:APT 19",
			"tools": [
				"Agentemis",
				"C0d0so0",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"EmPyre",
				"EmpireProject",
				"Fire Chili",
				"PowerShell Empire",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c74936a-79d1-41b8-81eb-01d03c90a26b",
			"created_at": "2022-10-25T16:07:23.371052Z",
			"updated_at": "2026-04-10T02:00:04.570621Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"G0001",
				"Group 72",
				"Operation SMN"
			],
			"source_name": "ETDA:Axiom",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"BleDoor",
				"Chymine",
				"Darkmoon",
				"DeputyDog",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"Poison Ivy",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Roarur",
				"SPIVY",
				"Sensocode",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"ZXShell",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434950,
	"ts_updated_at": 1775792036,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0c2f13e1290caeb1e6c077096a5952ea3c57b187.pdf",
		"text": "https://archive.orkl.eu/0c2f13e1290caeb1e6c077096a5952ea3c57b187.txt",
		"img": "https://archive.orkl.eu/0c2f13e1290caeb1e6c077096a5952ea3c57b187.jpg"
	}
}