{ "id": "932ff40b-5c77-4622-8da0-e99c8b12bafd", "created_at": "2026-04-06T00:15:24.844777Z", "updated_at": "2026-04-10T13:11:38.398107Z", "deleted_at": null, "sha1_hash": "1045f7a31705ddcc6a9d1b46f8c115132d8649f1", "title": "Mokes and Buerak distributed under the guise of security certificates", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 3800365, "plain_text": "Mokes and Buerak distributed under the guise of security\r\ncertificates\r\nBy AMR\r\nPublished: 2020-03-05 · Archived: 2026-04-05 22:22:38 UTC\r\nIncidents\r\nIncidents\r\n05 Mar 2020\r\n 1 minute read\r\n AMR\r\nhttps://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/\r\nPage 1 of 8\n\nThe technique of distributing malware under the guise of legitimate software updates is not new. As a rule,\r\ncybercriminals invite potential victims to install a new version of a browser or Adobe Flash Player. However, we\r\nrecently discovered a new approach to this well-known method: visitors to infected sites were informed that some\r\nkind of security certificate had expired. Unsurprisingly, the update on offer was malicious.\r\nWe detected the infection on variously themed websites — from a zoo to a store selling auto parts. The earliest\r\ninfections found date back to January 16, 2020.\r\nAttack pattern\r\nThis is what visitors of any of the hacked websites saw:\r\nThe alarming notification consists of an iframe — with contents loaded from the third-party resource ldfidfa[.]pw\r\n— overlaid on top of the original page. The URL bar still displays the legitimate address. This is what the\r\nhttps://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/\r\nPage 2 of 8\n\nmalicious piece of code inserted into the original HTML page looks like:\r\nFrom the screenshot it can be seen that the script parameters depend on the referrer, user_agent, and cookie values\r\nof the user. While the following fixed values are used as the user_agent_X and timestamp_X strings:\r\nuser_agent_X = Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/79.0.3945.117 Safari/537.36\r\ntimestamp_X = 1579118411.0231 (01/15/2020 @ 8:00pm (UTC))\r\nThe code inserted by the cybercriminal loads the external malicious script ldfidfa[.]pw/jquery.js?\u0026up= \u0026ts= \u0026r=\r\n\u0026u= \u0026c=\r\nhttps://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/\r\nPage 3 of 8\n\nMalicious jquery.js script\r\nThe jquery.js script overlays an iframe that is exactly the same size as the page. The iframe content is loaded from\r\nthe address https[:]//ldfidfa[.]pw//chrome.html. As a result, instead of the original page, the user sees a seemingly\r\ngenuine banner urgently prompting to install a certificate update.\r\nClicking the Install (Recommended) button on the banner initiates the download of the file\r\nCertificate_Update_v02.2020.exe, which we detect as Exploit.Win32.ShellCode.gen. Analysis of the file showed\r\nit to be Trojan-Downloader.Win32.Buerak, packed using Nullsoft Scriptable Install System. It is not the only\r\nmalware distributed by the attackers. For example, Backdoor.Win32.Mokes was spread via the same campaign\r\nearlier in January.\r\nIoC\r\nExploit.Win32.ShellCode.gen\r\nB3290148681F8218ECB80CA430F9FDBA (Certificate_Update_v02.2020.exe)\r\nTrojan-Downloader.Win32.Buerak\r\nCE1931C2EB82B91ADB5A9B9B1064B09F\r\nBackdoor.Win32.Mokes\r\n094ADE4F1BC82D09AD4E1C05513F686D\r\nF869430B3658A2A112FC85A1246F3F9D\r\n5FB9CB00F19EAFBF578AF693767A8754\r\n47C5782560D2FE3B80E0596F3FBA84D3\r\nhttps://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/\r\nPage 4 of 8\n\nC\u0026C\r\nkkjjhhdff[.]site (47.245.30[.]255)\r\noderstrg[.]site\r\nLatest Webinars\r\nhttps://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/\r\nPage 5 of 8\n\nhttps://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/\r\nPage 6 of 8\n\nReports\r\nKaspersky researchers analyze updated CoolClient backdoor and new tools and scripts used in HoneyMyte (aka\r\nMustang Panda or Bronze President) APT campaigns, including three variants of a browser data stealer.\r\nKaspersky discloses a 2025 HoneyMyte (aka Mustang Panda or Bronze President) APT campaign, which uses a\r\nkernel-mode rootkit to deliver and protect a ToneShell backdoor.\r\nhttps://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/\r\nPage 7 of 8\n\nKaspersky GReAT experts analyze the Evasive Panda APT’s infection chain, including shellcode encrypted with\r\nDPAPI and RC5, as well as the MgBot implant.\r\nKaspersky expert describes new malicious tools employed by the Cloud Atlas APT, including implants of their\r\nsignature backdoors VBShower, VBCloud, PowerShower, and CloudAtlas.\r\nSource: https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/\r\nhttps://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/" ], "report_names": [ "96324" ], "threat_actors": [ { "id": "77b28afd-8187-4917-a453-1d5a279cb5e4", "created_at": "2022-10-25T15:50:23.768278Z", "updated_at": "2026-04-10T02:00:05.266635Z", "deleted_at": null, "main_name": "Inception", "aliases": [ "Inception Framework", "Cloud Atlas" ], "source_name": "MITRE:Inception", "tools": [ "PowerShower", "VBShower", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "04a7ebaa-ebb1-4971-b513-a0c86886d932", "created_at": "2023-01-06T13:46:38.784965Z", "updated_at": "2026-04-10T02:00:03.099088Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "Clean Ursa", "Cloud Atlas", "G0100", "ATK116", "Blue Odin" ], "source_name": "MISPGALAXY:Inception Framework", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f35997d9-ca1e-453f-b968-0e675cc16d97", "created_at": "2023-01-06T13:46:39.490819Z", "updated_at": "2026-04-10T02:00:03.345364Z", "deleted_at": null, "main_name": "Evasive Panda", "aliases": [ "BRONZE HIGHLAND" ], "source_name": "MISPGALAXY:Evasive Panda", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a", "created_at": "2024-11-01T02:00:52.763555Z", "updated_at": "2026-04-10T02:00:05.263997Z", "deleted_at": null, "main_name": "Daggerfly", "aliases": [ "Daggerfly", "Evasive Panda", "BRONZE HIGHLAND" ], "source_name": "MITRE:Daggerfly", "tools": [ "PlugX", "MgBot", "BITSAdmin", "MacMa", "Nightdoor" ], "source_id": "MITRE", "reports": null }, { "id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7", "created_at": "2023-01-06T13:46:39.413725Z", "updated_at": "2026-04-10T02:00:03.31882Z", "deleted_at": null, "main_name": "BRONZE HIGHLAND", "aliases": [ "Evasive Panda", "Daggerfly" ], "source_name": "MISPGALAXY:BRONZE HIGHLAND", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7", "created_at": "2022-10-25T16:07:23.422755Z", "updated_at": "2026-04-10T02:00:04.592069Z", "deleted_at": null, "main_name": "Bronze Highland", "aliases": [ "Daggerfly", "Digging Taurus", "Evasive Panda", "Storm Cloud", "StormBamboo", "TAG-102", "TAG-112" ], "source_name": "ETDA:Bronze Highland", "tools": [ "Agentemis", "CDDS", "CloudScout", "Cobalt Strike", "CobaltStrike", "DazzleSpy", "KsRemote", "LOLBAS", "LOLBins", "Living off the Land", "MacMa", "Macma", "MgBot", "Mgmbot", "NetMM", "Nightdoor", "OSX.CDDS", "POCOSTICK", "RELOADEXT", "Suzafk", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "4f7d2815-7504-4818-bf8d-bba18161b111", "created_at": "2025-08-07T02:03:24.613342Z", "updated_at": "2026-04-10T02:00:03.732192Z", "deleted_at": null, "main_name": "BRONZE HIGHLAND", "aliases": [ "Daggerfly", "Daggerfly ", "Evasive Panda ", "Evasive Panda ", "Storm Bamboo " ], "source_name": "Secureworks:BRONZE HIGHLAND", "tools": [ "Cobalt Strike", "KsRemote", "Macma", "MgBot", "Nightdoor", "PlugX" ], "source_id": "Secureworks", "reports": null }, { "id": "02c9f3f6-5d10-456b-9e63-750286048149", "created_at": "2022-10-25T16:07:23.722884Z", "updated_at": "2026-04-10T02:00:04.72726Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "ATK 116", "Blue Odin", "Clean Ursa", "Cloud Atlas", "G0100", "Inception Framework", "Operation Cloud Atlas", "Operation RedOctober", "The Rocra" ], "source_name": "ETDA:Inception Framework", "tools": [ "Lastacloud", "PowerShower", "VBShower" ], "source_id": "ETDA", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434524, "ts_updated_at": 1775826698, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/1045f7a31705ddcc6a9d1b46f8c115132d8649f1.pdf", "text": "https://archive.orkl.eu/1045f7a31705ddcc6a9d1b46f8c115132d8649f1.txt", "img": "https://archive.orkl.eu/1045f7a31705ddcc6a9d1b46f8c115132d8649f1.jpg" } }