{
	"id": "abe5d2da-3acd-44f8-8162-52711ef5a7ad",
	"created_at": "2026-04-06T00:14:14.701742Z",
	"updated_at": "2026-04-10T13:11:45.385867Z",
	"deleted_at": null,
	"sha1_hash": "0ee5735cc82721915571813bb86d4ec6da6f29f4",
	"title": "Operation ENDTRADE: Multi-Stage Backdoors that TICK",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 91697,
	"plain_text": "Operation ENDTRADE: Multi-Stage Backdoors that TICK\r\nBy Joey Chen, Kakara Hiroyuki, Shoji Masaoki\r\nPublished: 2019-11-29 · Archived: 2026-04-05 23:39:38 UTC\r\nWhile we have been following the cyberespionage group TICK (a.k.a. “BRONZE BUTLER” or “REDBALDKNIGHT”) since 2008, we noticed an unusual increase in malware development and deployment toward November 2018. We already knew that the group reuses previously deployed malware and modified tools for obfuscation, but we also found TICK developing new malware families capable of evading detection during initial intrusion, as well as escalating to administrative privileges for subsequent attacks and data collection. We also found the group using legitimate email accounts and credentials to deliver the malware, zeroing in on industries that handle highly classified information: defense, aerospace, chemical, and satellite companies with head offices in Japan and subsidiaries in China. Given their targets, we have named this campaign “Operation ENDTRADE” and documented our findings in the research brief “Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data”.\r\nThis research was submitted to and presented at the DeepINTEL Security Intelligence 2019 conference on November 27, 2019 in Vienna, Austria.\r\nTargeting and malware delivery\r\nFigure 1. Operation ENDTRADE’s timeline\r\nAs part of their attacks in January 2019, TICK prepared by compromising a Japanese economic research company and a public relations (PR) agency to steal email credentials and files to use as decoy documents. The stolen email accounts were then used for spear phishing, prompting potential victim organizations to open attachments carrying malware payloads. 
Meanwhile, the decoy documents were weaponized with malware and sent to individuals and companies knowledgeable in Japanese or Chinese and interested in the Chinese economy. The emails had the following features:\r\nThey were sent from legitimate email accounts\r\nThey were written as legitimate reports and prompted the users to open the attachments\r\nTheir subjects related to “salary rate increase” or “job market,” or to the economic affairs of China such as the US-China trade mandates\r\nFigure 2. Spear phishing sample in fluent Japanese\r\nBased on the language settings hard-coded in the samples we found, TICK appeared to be targeting Japanese organizations with subsidiaries in China, using the subsidiaries as footholds for intrusion: TICK hard-coded two code pages, 932 and 936, which correspond to Japanese and Simplified Chinese respectively. Moreover, we found successful transfers of malicious executable files through a shared folder from an infected desktop at a Chinese subsidiary, and an employee in Japan who executed the file.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/\r\nPage 1 of 5\r\nFigure 3. Language code pages\r\nWhile we found intrusions in a large number of companies in the abovementioned industries before May 2019, further analysis revealed that one of the main targets was the defense sector. We found TICK trying to steal military-related documents from a victim network during an extended incident response engagement in the region. 
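The two code pages named above are a useful static triage indicator. The following script is an added example, not code from the original post or from Trend Micro: it scans a sample’s bytes for 932 and 936 encoded as 32-bit immediates behind common x86 opcode prefixes (the prefix list and the constructed sample buffer are assumptions of this example, not patterns taken from ENDTRADE binaries) and looks for the Win32 code-page APIs that usually accompany such a check.

```python
# Added example (not from the Trend Micro post): static triage for the
# hard-coded Windows code pages 932 (Japanese) and 936 (Simplified Chinese)
# that the post reports in ENDTRADE samples. The x86 encodings below are an
# assumption about how a compiler typically emits a code-page comparison or
# argument; they are not taken from the ENDTRADE binaries.
import struct

# Decimal code page identifiers named in the post.
CODE_PAGES = {932: 'Japanese (Shift-JIS)', 936: 'Simplified Chinese (GBK)'}

# Opcode prefixes under which a 32-bit immediate commonly carries a constant
# on x86 (assumption): cmp eax, imm32 / push imm32 / mov reg, imm32 / cmp reg, imm32.
IMM32_PREFIXES = {
    bytes([0x3D]): 'cmp eax, imm32',
    bytes([0x68]): 'push imm32',
    bytes([0xB8]): 'mov eax, imm32',
    bytes([0xB9]): 'mov ecx, imm32',
    bytes([0xBA]): 'mov edx, imm32',
    bytes([0x81, 0xF9]): 'cmp ecx, imm32',
    bytes([0x81, 0xFA]): 'cmp edx, imm32',
    bytes([0x81, 0xFB]): 'cmp ebx, imm32',
}

# Win32 imports that usually accompany a code-page check; finding one of
# these alongside the constants raises confidence (plain-ASCII import names).
CODEPAGE_APIS = [b'GetACP', b'GetOEMCP', b'GetUserDefaultLCID',
                 b'GetSystemDefaultLangID', b'MultiByteToWideChar']


def find_codepage_immediates(data):
    '''Return [(offset, code_page, mnemonic)] for every occurrence of 932 or 936
    encoded as a little-endian imm32 directly behind a known opcode prefix.'''
    hits = []
    for cp in CODE_PAGES:
        imm = struct.pack('<I', cp)
        start = 0
        while True:
            idx = data.find(imm, start)
            if idx < 0:
                break
            for prefix, mnemonic in IMM32_PREFIXES.items():
                off = idx - len(prefix)
                if off >= 0 and data[off:idx] == prefix:
                    hits.append((off, cp, mnemonic))
                    break
            start = idx + 1
    return sorted(hits)


def find_codepage_apis(data):
    '''Return the code-page related import names present in the buffer.'''
    return [name.decode() for name in CODEPAGE_APIS if name in data]


def triage(data):
    '''Summarise code-page targeting indicators for one sample buffer.'''
    imms = find_codepage_immediates(data)
    apis = find_codepage_apis(data)
    pages = sorted({cp for _, cp, _ in imms})
    return {
        'code_pages': [(cp, CODE_PAGES[cp]) for cp in pages],
        'immediates': imms,
        'apis': apis,
        # Both locales hard-coded plus a code-page API is the profile the
        # post describes for a sample aimed at Japan and its China subsidiaries.
        'matches_jp_cn_profile': pages == [932, 936] and bool(apis),
    }


# Constructed sample: a fake code fragment, not bytes from a real binary.
SAMPLE = (
    b'MZ' + bytes(14) +
    b'kernel32.dll' + bytes(1) + b'GetACP' + bytes(1) +
    bytes([0xE8, 0, 0, 0, 0]) +               # call GetACP (placeholder rel32)
    bytes([0x3D]) + struct.pack('<I', 932) +  # cmp eax, 932
    bytes([0x74, 0x10]) +                     # je  ...
    bytes([0x3D]) + struct.pack('<I', 936) +  # cmp eax, 936
    bytes([0x75, 0x20]) +                     # jne ...
    struct.pack('<I', 936)                    # bare constant, no prefix: ignored
)

if __name__ == '__main__':
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

To run it on a real sample, replace SAMPLE with the file contents. A hit on both constants plus a code-page API is a reason to look at the surrounding code, not a verdict: the same constants appear legitimately in localized software, so treat the output as a triage signal to be confirmed in a disassembler.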
By mid-May, however, TICK appeared to shift its attention to the chemical industry, which may indicate the goal of the group’s sponsor: to steal proprietary and classified information such as military data and advanced materials.\r\nMalware Analysis\r\nOur research covers some of the new and adjusted malware routines we found in Operation ENDTRADE, which we named after their characteristic program database (PDB) strings. For a complete list and analysis of the trojans, downloaders, and modified tools, see the research brief.\r\nFigure 4. New downloaders and trojans\r\nDATPER\r\nWhile this backdoor has long been associated with TICK’s arsenal, the sample we obtained from this campaign uses two new mutex names, d0ftyzxcdrfdqwe and *\u0026Hjgfc49gna-2-tjb, and retrieves information from the victim’s machine. The latest variant also has a new set of parameters that let it evade anti-virus (AV) pattern detection, showing how easily the group can adjust its routines to suit its goals.\r\nFigure 5. DATPER’s new mutex with separate parameters\r\ndown_new\r\nThis malware combines features of existing trojans in the family’s development line, based on the adjustments TICK made as we analyzed their test versions. It brings together the following features, which previously appeared only separately in earlier iterations:\r\nAdds an Autorun entry to the registry.\r\nGets the MAC address and volume information to send back to the C\u0026C.\r\nExecutes only during working hours (8:00 AM to 6:00 PM local time, checked with the kernel32 GetLocalTime API).\r\nEncrypts the callback message with AES and then base64-encodes it.\r\nUses legitimate websites as the C\u0026C server.\r\nDetects anti-virus products and processes.\r\nFigure 6. 
Code showing down_new’s command function\r\nTable 1. down_new command list\r\nAs we studied its routines against the others, the callback information stood out: the HTTP POST header is hard-coded in the sample and carries the infected machine’s specific information, which lets the operators single out the identity of the user. As a cyber-espionage group whose goals follow its sponsoring organization’s objectives, TICK only goes after specific targets and uses other, non-targeted individuals and enterprises only as footholds toward those targets.\r\nFigure 7. down_new collects home phone data and URL path\r\nAvenger\r\nOur analysis found that Avenger has a number of variants and versions depending on the target. For example, some variants have autorun functions while others enter a sleep mode upon infecting the system. We found that the downloader works in three stages:\r\n1. The first stage collects volume information, the installed AV product, and the OS bitness from the host, and sends them to the command and control (C\u0026C) server to ensure that the host is the intended target.\r\nFigure 8. First stage: Information collection\r\n2. It then checks whether the host matches the C\u0026C server’s reference. Avenger collects detailed information about the victim by browsing folders, files, and domain information.\r\nFigure 9. Second stage: Collected information is written into a .txt file\r\n3. If the host does not already exist on the C\u0026C side, Avenger downloads an image with malware embedded via steganography and extracts a backdoor from it.\r\nFigure 10. Third stage: Sending the encrypted file to the C\u0026C\r\nWhile steganography has long been part of TICK’s toolset, we found that the group used a more sophisticated steganography technique in this campaign.\r\nFigure 11. Backdoor found in the steganography image\r\nFigure 12. 
Upgraded steganography technique\r\nWe found a newer version of Avenger with a clearer code structure and an internal IP testing URL (aptly named Avenger2 in its PDB strings), though the rest of the components differed only minimally from the previous version.\r\nFigure 13. Avenger2 with internal URL\r\nCasper\r\nCasper is a modified version of the Cobalt Strike backdoor, and its C\u0026C server shows the team server’s SHA1 hash when a controller connects to it: when accessed by a Cobalt Strike client, the client asks the user to confirm that they recognize the SHA1 hash of the team server’s SSL certificate.\r\nFigure 14. Casper C\u0026C with Cobalt Strike’s server fingerprint\r\nThe backdoor is usually hidden in the steganographic image and uses several techniques and tools to bypass AV detection. One technique launches it through a legitimate Windows application via Dynamic Link Library (DLL) side-loading. Another injects the backdoor’s shellcode into svchost.exe.\r\nFigure 15. Shellcode injected into svchost.exe\r\nPublicly available RATs and modified tools\r\nAcross all the malware routines, we also found TICK using publicly available remote access trojans (RATs) and open source tools, either modifying them or importing their techniques into its own malware. For instance, the group cloned Lilith RAT from GitHub, studied it, and implemented its features in a customized backdoor under continued development. The modified tools the group used include Mimikatz, a RAR compression tool, a port mapping tool, and a screen capture tool.\r\nFigure 16. Modified screen capture tool\r\nFigure 17. 
Modified Mimikatz\r\nConclusion\r\nTICK is an organized and persistent cyber espionage group that specializes in targeting high-value individuals and organizations, with the skills and resources needed to coordinate sophisticated attacks.\r\nThis operation highlights the need not only for stronger monitoring systems, foremost in countries’ critical infrastructure and in multinational enterprises, but also for firmer operational chains of command and redundant security policies. Persistent threat groups will continue to target enterprises and look for security gaps to exploit for unauthorized entry. Foreign subsidiaries can make it difficult for an organization to take control and implement security procedures and policies, which in turn makes monitoring, isolation, investigation, incident response, and recovery harder. On top of this, employees’ security awareness will remain a significant part of keeping the security measures in place effective during regular operations.\r\nTrend Micro™ Deep Discovery™ products provide detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real time. They provide a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing them to detect threats like TICK’s attacks even without any engine or pattern update. Trend Micro™ Deep Security™ products provide virtual patching that protects endpoints from threats that abuse unpatched vulnerabilities. 
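Returning to the Casper section above, which names two evasion techniques, DLL side-loading through a legitimate Windows application and shellcode injection into svchost.exe: the following detection logic is an added example, not code from the original post or from Trend Micro. It runs over constructed Sysmon-style events (the field names follow Sysmon Event ID 7, ImageLoad, and Event ID 8, CreateRemoteThread; the events themselves, the list of impersonated DLL names and the allowlist of processes permitted to create threads in svchost.exe are assumptions of this example).

```python
# Added example (not from the Trend Micro post): detection logic for the two
# Casper evasion techniques the post names, DLL side-loading by a legitimate
# Windows application and shellcode injection into svchost.exe. Field names
# follow Sysmon Event ID 7 (ImageLoad) and Event ID 8 (CreateRemoteThread);
# the sample events below are constructed for this example, not taken from
# an ENDTRADE investigation.

BACKSLASH = chr(92)  # written this way so the example stays free of escape sequences

# Directories Windows normally loads its own DLLs from (normalised form).
TRUSTED_DLL_DIRS = ('c:/windows/system32/', 'c:/windows/syswow64/', 'c:/windows/winsxs/')

# System DLL names that side-loaded payloads commonly impersonate; an
# illustrative list and an assumption of this example.
SYSTEM_DLL_NAMES = {'version.dll', 'dbghelp.dll', 'wtsapi32.dll',
                    'cryptbase.dll', 'userenv.dll', 'msimg32.dll'}

# Processes that legitimately create threads in svchost.exe (assumption;
# tune to the environment).
REMOTE_THREAD_ALLOWLIST = {'c:/windows/system32/csrss.exe',
                           'c:/windows/system32/services.exe',
                           'c:/windows/system32/wininit.exe'}


def norm(path):
    '''Lower-case a Windows path and use forward slashes so comparisons are
    case- and separator-insensitive.'''
    return path.replace(BACKSLASH, '/').lower()


def basename(path):
    return norm(path).rsplit('/', 1)[-1]


def is_sideload(event):
    '''Event ID 7: a DLL carrying a Windows system DLL name but loaded from
    outside the Windows DLL directories is the side-loading shape (the
    legitimate host EXE resolves the name from its own directory first).
    Returns a reason string, or None when the event is not suspicious.'''
    if event.get('EventID') != 7:
        return None
    loaded = norm(event['ImageLoaded'])
    name = basename(loaded)
    if name not in SYSTEM_DLL_NAMES or loaded.startswith(TRUSTED_DLL_DIRS):
        return None
    sig = event.get('SignatureStatus', 'Unknown')  # Sysmon records signature validity
    return name + ' loaded from ' + loaded + ' by ' + norm(event['Image']) + ' (signature: ' + sig + ')'


def is_remote_thread_into_svchost(event):
    '''Event ID 8: a thread created in svchost.exe by a process outside the
    allowlist is the injection shape described in the post.'''
    if event.get('EventID') != 8:
        return None
    target = norm(event['TargetImage'])
    source = norm(event['SourceImage'])
    if basename(target) != 'svchost.exe' or source in REMOTE_THREAD_ALLOWLIST:
        return None
    return 'remote thread in ' + target + ' from ' + source + ' at ' + str(event.get('StartAddress', '?'))


def detect(events):
    '''Run both detections over a sequence of event dicts; returns
    [(rule_name, reason)] in event order.'''
    alerts = []
    for ev in events:
        reason = is_sideload(ev)
        if reason:
            alerts.append(('dll_sideload', reason))
        reason = is_remote_thread_into_svchost(ev)
        if reason:
            alerts.append(('svchost_remote_thread', reason))
    return alerts


# Constructed sample events. Forward slashes are used here; norm() also
# accepts the backslash form Sysmon actually emits.
SAMPLE_EVENTS = [
    # Benign: a vendor tool loads the real version.dll from System32.
    {'EventID': 7, 'Image': 'C:/Program Files/Vendor/tool.exe',
     'ImageLoaded': 'C:/Windows/System32/version.dll', 'SignatureStatus': 'Valid'},
    # Side-load: a copied Windows binary picks up version.dll from its own folder.
    {'EventID': 7, 'Image': 'C:/Users/Public/Libraries/wab.exe',
     'ImageLoaded': 'C:/Users/Public/Libraries/version.dll', 'SignatureStatus': 'Unavailable'},
    # Benign: the service control manager starting a service host.
    {'EventID': 8, 'SourceImage': 'C:/Windows/System32/services.exe',
     'TargetImage': 'C:/Windows/System32/svchost.exe', 'StartAddress': '0x00007FF6A1B20000'},
    # Injection: the side-loaded process creates a thread inside svchost.exe.
    {'EventID': 8, 'SourceImage': 'C:/Users/Public/Libraries/wab.exe',
     'TargetImage': 'C:/Windows/System32/svchost.exe', 'StartAddress': '0x000001D2A4F00000'},
    # Unrelated event type, ignored by both rules.
    {'EventID': 1, 'Image': 'C:/Windows/System32/cmd.exe'},
]

if __name__ == '__main__':
    for rule, reason in detect(SAMPLE_EVENTS):
        print(rule, '::', reason)
```

The two rules are deliberately narrow: the side-load rule keys on a system DLL name resolved from a non-Windows directory, which is the path-search behaviour that makes side-loading work, and the injection rule treats any non-allowlisted writer of a thread into svchost.exe as suspect. Both need environment-specific tuning (software that ships its own copy of a system-named DLL, security agents that legitimately inject), so run them against a baseline before alerting on them.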
\r\nTrend Micro’s suite of security solutions is powered by XGen™ security, which features high-fidelity machine learning to secure the gateway and endpoint data and applications. XGen™ protects against today’s purpose-built threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, and either steal or encrypt personally identifiable data.\r\nFor the full technical analysis of all the malware, techniques, tools, MITRE ATT\u0026CK techniques and indicators of compromise (IoCs) we found in this campaign, download the research brief, “Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data”.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/"
	],
	"report_names": [
		"operation-endtrade-finding-multi-stage-backdoors-that-tick"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbefc37d-475c-4d4d-b80b-7a55f896de82",
			"created_at": "2022-10-25T15:50:23.571783Z",
			"updated_at": "2026-04-10T02:00:05.302196Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"BRONZE BUTLER",
				"REDBALDKNIGHT"
			],
			"source_name": "MITRE:BRONZE BUTLER",
			"tools": [
				"Mimikatz",
				"build_downer",
				"cmd",
				"ABK",
				"at",
				"BBK",
				"schtasks",
				"down_new",
				"Daserf",
				"ShadowPad",
				"Windows Credential Editor",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434454,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ee5735cc82721915571813bb86d4ec6da6f29f4.pdf",
		"text": "https://archive.orkl.eu/0ee5735cc82721915571813bb86d4ec6da6f29f4.txt",
		"img": "https://archive.orkl.eu/0ee5735cc82721915571813bb86d4ec6da6f29f4.jpg"
	}
}