{
	"id": "1d0e3f84-196e-4410-831b-cf05b1855d99",
	"created_at": "2026-04-06T00:10:05.86498Z",
	"updated_at": "2026-04-10T13:12:24.407394Z",
	"deleted_at": null,
	"sha1_hash": "109d5f3ab07a6e0d0e04cafb5149fb03344268c2",
	"title": "Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2124575,
	"plain_text": "Oops, they did it again: APT Targets Russia and Belarus with ZeroT and\r\nPlugX | Proofpoint US\r\nBy February 02, 2017 Darien Huss, Pierre T, Axel F and Proofpoint Staff\r\nPublished: 2017-02-03 · Archived: 2026-04-05 18:58:16 UTC\r\nOverview\r\nAlthough state-sponsored attacks against the United States by Chinese threat actors have decreased dramatically since the\r\nsigning of the US-China Cyber Agreement in 2016, Proofpoint researchers have continued to observe advanced persistent\r\nthreat (APT) activity associated with Chinese actors targeting other regions. We have previously written about related\r\nactivity [2][3] in which a particular China-based attack group used PlugX and NetTraveler Trojans for espionage in Europe,\r\nRussia, Mongolia, Belarus, and other neighboring countries. Most recently, we have observed the same group targeting\r\nmilitary and aerospace interests in Russia and Belarus. Since the summer of 2016, this group began using a new\r\ndownloader known as ZeroT to install the PlugX remote access Trojan (RAT) and added Microsoft Compiled HTML Help\r\n(.chm) as one of the initial droppers delivered in spear-phishing emails.\r\nThis blog details the function of the new malware, provides delivery details for elements of the APT activity, and describes\r\nadditional changes in tactics, techniques, and procedures (TTPs) associated with this group.\r\nDelivery\r\nIn previous campaigns, the group used spear-phishing emails with Microsoft Word document attachments utilizing CVE-2012-0158, or URLs linking to RAR-compressed executables. Although some of these patterns of behavior still continue,\r\nin June 2016 we observed the attackers using a new type of dropper to deliver a previously unknown malware we named\r\n\"ZeroT\". 
Specifically, the CHM file 20160621.chm (SHA256: 4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff) dropped the first known sample of ZeroT.\r\nThe proprietary Microsoft HTML Help file format (.chm) [4] is used for software documentation and may consist of HTML pages and other compressed files. This particular CHM contained an HTM file and an executable file. The HTM file contained the text displayed to the user and referenced the executable svchost.exe (SHA256: d1c4a51064aeec4c11a8f90f80a3b60a36c07cce2dde0756c114e477d63ce375). Thus, opening the CHM has the effect of running the executable (the UAC dialog is shown in Figure 1).\r\nhttps://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx\r\nPage 1 of 18\r\nFigure 1: The dropper file 20160621.chm with a Russian-language lure pretends to be from the “Defense Industry of Russia in the 21st Century”; the user must accept the UAC warning before the malware executes.\r\nFigure 2: Listing of the files in the CHM file and their partial contents\r\nAttackers also continued to send spear-phishing emails with Microsoft Word attachments exploiting CVE-2012-0158 to compromise the client. These documents were built with MNKit, described in detail in [6][7]. For example, the email with subject “Федеральная целевая программа 2017-2020 гг.” (translated from Russian: “Federal Target Program for 2017-2020”) contained an attachment “2017-2020.doc” and was sent to a potential victim at an aerospace company in December 2016.\r\nFigure 3: Email sent to a potential victim at an aerospace company contained an MNKit-generated CVE-2012-0158 exploit document\r\nThroughout the second half of 2016 we also found many RAR archives and RAR SFX (self-extracting executables) of ZeroT; example names are listed in the table below.
Several refer to the Commonwealth of Independent States (CIS), a regional organization that includes nine of the fifteen former Soviet republics, including Russia and Belarus [5].\r\nFilename | Translation\r\nИзменения в списке аффилированных лиц по состоянию на 21.06.2016 г.scr | Changes in the list of affiliates as of 21.06.2016.scr\r\nУВЕДОМЛЕНИЕ О КОНФИДЕНЦИАЛЬНОСТИ.rar | NOTICE OF CONFIDENTIALITY.rar\r\nПОВЕСТКА ДНЯ 72-го заседания Экономического совета Содружества Независимых Государств.rar | AGENDA of the 72nd meeting of the Economic Council of the Commonwealth of Independent States.rar\r\nПроекты.scr | Projects.scr\r\nПлан.scr | Plan.scr\r\n08_11_2016 СНГ.7z | 08_11_2016 CIS.7z\r\nTable 1: Example file names of RAR-compressed or bare .scr ZeroT executables\r\nAnalysis\r\nThis section provides an analysis of ZeroT and its delivery and obfuscation techniques.\r\nUAC Bypass and Sideloading\r\nThroughout our investigation, many of the analyzed ZeroT RAR SFX samples (e.g. 67693ddb6236d3ef790059409ae240212c47acfd8c1c76d65c3ef19096fdf43b) contained a file named Go.exe which performs a Windows UAC bypass. This executable contains a PDB path indicating its purpose of bypassing UAC (Fig. 4).\r\nFigure 4: PDB path containing Chinese characters translating to “Desktop”\r\nThis executable is obfuscated using the same technique that is reused in the sideload DLL and the ZeroT payload (described later). When run, Go.exe modifies the registry key shown in Figure 5 to perform the UAC bypass by abusing Event Viewer [1].\r\nFigure 5: Modified registry key to execute Zlh.exe via the eventvwr.exe UAC bypass\r\nIt then executes eventvwr.exe, which in turn executes Zlh.exe through the UAC bypass (Fig.
6).\r\nFigure 6: Zlh.exe is executed via the eventvwr.exe UAC bypass\r\nZlh.exe is a legitimate, signed Norman Safeground AS application, which is used to sideload a malicious DLL named nflogger.dll. The encrypted ZeroT payload is usually named NO.2.mui. The sideloaded DLL does not always accompany the same vulnerable executable, but it is always similar in functionality. Usually the DLL is not packed, but we have observed instances compressed with UPX. This malicious DLL is usually obfuscated with the same junk code: dummy API calls inserted between real instructions (Fig. 7). The same obfuscation can be found in multiple functions in ZeroT itself.\r\nFigure 7: Dummy API calls for obfuscation\r\nThis DLL has no other noticeable characteristics, as it functions like a typical malicious sideload. After loading the encrypted payload in memory, it transfers execution to shellcode located at the beginning of the file. Although the process is similar for the PlugX RAT sideloaded later, the shellcode and obfuscation have nothing in common. Once loaded in memory, the ZeroT shellcode does not present any kind of obfuscation, unlike that of PlugX. This shellcode is responsible for unpacking the encrypted and compressed payload. As in the new PlugX dropper detailed below, this is done using RC4 and RtlDecompressBuffer. As in PlugX samples, the PE header of ZeroT has been tampered with, specifically the “MZ” and “PE” constants (Fig. 8). In some PlugX versions, either “GULP” or “XV” is commonly used as the tag replacing the “MZ” constant.\r\nFigure 8: Altered ZeroT PE header\r\nZeroT Command and Control Protocol\r\nZeroT communicates with its command and control (C\u0026C) server over HTTP.
A fake User-Agent is used in all the requests made by this malware: “Mozilla/6.0 (compatible; MSIE 10.0; Windows NT 6.2; Tzcdrnt/6.0)”, with “Tzcdrnt” possibly being a typo of “Trident”. In all the samples we observed, ZeroT first beacons to index.php, expecting an RC4-encrypted response using the static key “(*^GF(9042\u0026*” (Fig. 9).\r\nFigure 9: ZeroT initial beacon over HTTP requesting URL configuration\r\nIn the decrypted initial server response (Fig. 10, 11), ZeroT expects several URLs, including a location to POST system information, prefixed with “w:”, and a download location for any stage 2 payloads, denoted with an “r:” prefix.\r\nFigure 10: Decrypted tassnews[.]net index.php response containing several URLs\r\nNext, ZeroT uses HTTP POST beacons to transmit information about the infected system to the C\u0026C. The first beacon contains the following data: “Cn=%s\u0026La=%s\u0026”, where Cn is the computer name and La is the local IP address (Fig. 11). While the first beacon is transmitted in cleartext, this is probably unintentional, as the subsequent POST beacons in the loop are encrypted. The first POST beacon is followed by another in the following format (Fig. 11, 12):\r\n“Lg=%d\u0026Pv=%d\u0026Bu=%%s\u0026Cn=%s\u0026Cu=%s\u0026Dn=%s\u0026Ki=%s\u0026La=%s\u0026Me=%s\u0026Os=%s\u0026Ov=%s\u0026Pt=%s\u0026Fl=%%d”\r\nwhich is RC4-encrypted with the key “s2-18rg1-41g3j_.;”. This POST sends basic fingerprinting data including the computer name, system language, domain information and Windows version.\r\nFigure 11: Initial plaintext POST beacon\r\nFigure 12: RC4-encrypted POST beacon\r\nThe final piece of ZeroT’s C\u0026C protocol is to retrieve any stage-2 payloads.
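Before turning to those payloads, the beacon protocol just described, as an added example that is not part of the original Proofpoint analysis: a Python reimplementation of the RC4 layer with the two static keys quoted above, a parser for the w:/r: URL configuration and for the Cn=/La= and fingerprint beacons, and the User-Agent check a network sensor could apply. The one-URL-per-line layout of the index.php response, the function names, and every host name, field value and beacon body below are this example's own constructions; only the two keys, the field names and the User-Agent string come from the analysis.

```python
from urllib.parse import parse_qsl

# Static values reported for ZeroT in the analysis above
UA_ZEROT = 'Mozilla/6.0 (compatible; MSIE 10.0; Windows NT 6.2; Tzcdrnt/6.0)'
KEY_CONFIG = b'(*^GF(9042&*'        # RC4 key for the index.php URL-configuration response
KEY_BEACON = b's2-18rg1-41g3j_.;'   # RC4 key for the encrypted POST fingerprint beacons


def rc4(key, data):
    # Textbook RC4 (KSA then PRGA); the same call encrypts and decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xff])
    return bytes(out)


def parse_config(encrypted_response):
    # Decrypt the index.php reply and pull out the prefixed URLs.
    # Assumption (not stated in the analysis): one URL per line,
    # w: marks the POST target, r: marks the stage-2 download location.
    cfg = {'post': [], 'stage2': []}
    for line in rc4(KEY_CONFIG, encrypted_response).decode('latin-1').splitlines():
        line = line.strip()
        if line.startswith('w:'):
            cfg['post'].append(line[2:])
        elif line.startswith('r:'):
            cfg['stage2'].append(line[2:])
    return cfg


def parse_beacon(body, encrypted):
    # The first POST (Cn=..&La=..&) is cleartext; later fingerprint POSTs are RC4.
    raw = rc4(KEY_BEACON, body) if encrypted else body
    return dict(parse_qsl(raw.decode('latin-1'), keep_blank_values=True))


def is_zerot_request(headers):
    # Network-side check: Mozilla/6.0 paired with MSIE 10.0 is already bogus, and
    # the Tzcdrnt token is the stable artefact worth alerting on.
    ua = headers.get('User-Agent', '')
    return ua == UA_ZEROT or 'Tzcdrnt/' in ua


def demo():
    # Constructed exchange (not captured traffic): server config, then two beacons.
    crlf = bytes([13, 10])
    config_plain = (b'w:http://www.tassnews[.]net/post.php' + crlf +
                    b'r:http://www.tassnews[.]net/F.bmp' + crlf)
    cfg = parse_config(rc4(KEY_CONFIG, config_plain))
    first = parse_beacon(b'Cn=WIN-7PC&La=10.0.0.5&', encrypted=False)
    fingerprint = (b'Lg=1049&Pv=2&Bu=7601&Cn=WIN-7PC&Cu=admin&Dn=WORKGROUP&Ki=0&'
                   b'La=10.0.0.5&Me=4096&Os=6.1&Ov=7&Pt=x86&Fl=0')
    second = parse_beacon(rc4(KEY_BEACON, fingerprint), encrypted=True)
    flagged = is_zerot_request({'Host': 'www.tassnews[.]net', 'User-Agent': UA_ZEROT})
    return cfg, first, second, flagged


if __name__ == '__main__':
    for item in demo():
        print(item)
```

Running the module prints the parsed configuration, both beacons and the User-Agent verdict. Handed a captured index.php body or POST body and the matching key, the same rc4() call recovers the plaintext shown in Figures 10 to 12 from a PCAP; the User-Agent check is the cheap first filter, since a static key only helps once the traffic has been isolated.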
In the initial samples of ZeroT, the tassnews[.]net C\u0026C was used to distribute plain, non-encoded PE payloads (Fig. 13). Although we were not able to retrieve all the payloads that may have existed at this C\u0026C, the ones we did observe were RAR SFX archives used to deliver PlugX.\r\nFigure 13: ZeroT downloading non-encoded PlugX stage 2\r\nThe ZeroT samples communicating with versig[.]net functioned differently from the samples using tassnews[.]net: URLs of Bitmap (BMP) [8] images were provided as the stage 2 payload instead of EXEs (Fig. 14).\r\nFigure 14: Decrypted versig[.]net index.php response with F.bmp stage 2\r\nThe BMPs used for stage 2 in all the instances we analyzed looked like normal images (Fig. 15, 16), which indicated that a form of steganography was being used that minimizes changes to the appearance of the image.\r\nFigure 15: F.bmp image containing stage 2 hidden using steganography\r\nAnalysis of the F.bmp image revealed that it is indeed using Least Significant Bit (LSB) steganography [9], a commonly used form of steganography that embeds data in an image without significantly affecting its appearance.\r\nAnalysis of ZeroT’s Bitmap LSB Steganography\r\nZeroT uses a single, large function for the custom LSB algorithm, which occurs as the first function in the samples we analyzed. It may selectively choose to extract one, two, three, or four bits per pixel byte depending on the size of the embedded payload and the image being used, meaning it is capable of 1-, 2-, 3-, and 4-bit LSB (Fig. 16).\r\nFigure 16: Diagram depicting portions of ZeroT’s LSB steganography algorithm\r\nThe first step in the algorithm extracts the width and height from the image.
A 24-bit depth Bitmap is assumed while calculating the size of memory needed (3*Width*Height) to store all the pixels in the image, which is allocated using malloc. Next, because Bitmap rows are padded to 32-bit boundaries, ZeroT checks whether any padding exists by AND'ing 3*Width with 3. If that value is not zero, it is subtracted from four and the result is used as the padding.\r\nThe following step in the algorithm is to assemble the bitmap row by row. Technically what occurs is as follows: iteratively, 3*Width bytes, beginning at the hardcoded offset of 54, are copied to the end of the previously allocated memory (malloc’d 3*Width*Height). The padding is then skipped, if any exists, followed by the next 3*Width bytes, until all rows of pixels are copied.\r\nNext, starting at offset 10 of the assembled bitmap, ZeroT extracts a 32-bit value from 32 bytes using 1-bit LSB; this value indicates the size of the embedded stage 2 payload. The stage 2 file extension is then extracted starting at offset nine and working backwards until a period is found (e.g., “.exe”).\r\nFinally, ZeroT checks various values such as the image length against the number of bits needed to hold the extracted payload [8*len(extracted payload)]. Depending on the result, ZeroT decides whether to use 1-, 2-, 3-, or 4-bit LSB. Lastly, once each bit is extracted, all the bits are compiled into bytes to form the extracted stage 2 payload.\r\nStage 2 Payloads\r\nUntil the end of 2016, PlugX payloads were delivered as RAR SFX archives and used one of the usual sideload executables such as fsguidll.exe.
ZeroT sets up the persistence for these samples, adding a new service to run PlugX during system startup (Fig. 17).\r\nFigure 17: ZeroT configures PlugX service to run during startup\r\nOf interest, a recent ZeroT sample (SHA256: a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8) downloaded a much smaller BMP payload (SHA256: 25de9c3f7bf1f0be7eb84cf90efb643d5d51ce1742da8bcc4c7db0eec79a221f). This was an example where the stage 2 payload was distributed using a custom dropper instead of a RAR SFX. This dropper loads its resources (Fig. 18), decrypts them using the MD5 hash of a command line argument as the RC4 key (note: the Windows crypto API is used instead of the custom RC4 implementation) and decompresses them with LZNT1 via the RtlDecompressBuffer API. There are three resource items contained in the payload that would eventually decrypt to “fsguidll.exe”, “fslapi.dll”, and “fslapi.dll.gui”. However, when the payload extracted from the BMP is executed, no command line argument is provided, so none of the resources are properly decrypted and decompressed. Based on the file names and the size of fslapi.dll.gui, it is very likely that PlugX is the intended stage 2 payload.\r\nFigure 18: Resources loaded by the custom dropper\r\nFinally, in all other cases where a stage 2 payload was successfully retrieved, PlugX was delivered. None of the PlugX samples that we analyzed were issued from new builders (internal version 20141028), and therefore they do not present any kind of new techniques.
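The Bitmap stage 2 described in the steganography section above, as an added example that is not part of the original analysis: a Python reimplementation of the extraction steps listed there (pixel rows assembled from offset 54 with the 32-bit row padding skipped, the 32-bit length read at 1-bit LSB from offset 10, the extension read backwards from offset 9, and a 1- to 4-bit depth chosen by comparing the image capacity with 8*len(payload)), together with the matching encoder and a minimal BMP writer so the whole path can be exercised offline. Where the analysis does not pin a detail down, this example makes its own choice and says so in the comments: the bit order inside the length field, the exact depth-selection rule, and the assumption that the extension occupies raw pixel bytes 0 to 9. All function names are this example's own, and the cover image and payload are constructed.

```python
import struct

SIZE_OFF = 10       # 32 pixel bytes from here carry the payload length at 1-bit LSB
PAYLOAD_OFF = 42    # payload bits start right after the length field
PIXEL_OFF = 54      # hardcoded start of pixel data, as in the analyzed sample
EXT_END = 10        # extension ends at offset 9 and is read backwards to the period


def assemble_pixels(bmp):
    # Strip the 32-bit row padding the way ZeroT does: 3*Width bytes per row from
    # offset 54, skipping (4 - (3*Width & 3)) bytes whenever 3*Width & 3 is non-zero.
    width, height = struct.unpack_from('<ii', bmp, 18)
    row = 3 * abs(width)
    pad = (4 - (row & 3)) & 3
    out = bytearray()
    pos = PIXEL_OFF
    for _ in range(abs(height)):
        out += bmp[pos:pos + row]
        pos += row + pad
    return bytes(out)


def lsb_bits(data, depth):
    # Yield the low depth bits of every byte, least significant bit first (assumed order).
    for b in data:
        for i in range(depth):
            yield (b >> i) & 1


def bits_to_int(bits):
    v = 0
    for i, bit in enumerate(bits):
        v |= bit << i
    return v


def choose_depth(capacity_bytes, payload_len):
    # Assumed selection rule: the smallest of 1..4 bits per pixel byte that can hold
    # 8*len(payload) bits; None means the image is too small even at 4-bit LSB.
    for depth in (1, 2, 3, 4):
        if capacity_bytes * depth >= 8 * payload_len:
            return depth
    return None


def extract_stage2(bmp):
    px = assemble_pixels(bmp)
    size = bits_to_int(lsb_bits(px[SIZE_OFF:SIZE_OFF + 32], 1))
    i = EXT_END - 1
    while i >= 0 and px[i] != 0x2e:      # walk back from offset 9 to the period
        i -= 1
    ext = px[i:EXT_END].decode('ascii') if i >= 0 else ''
    depth = choose_depth(len(px) - PAYLOAD_OFF, size)
    if depth is None:
        raise ValueError('declared payload does not fit in this image')
    bits = list(lsb_bits(px[PAYLOAD_OFF:], depth))[:8 * size]
    payload = bytes(bits_to_int(bits[k:k + 8]) for k in range(0, len(bits), 8))
    return ext, depth, payload


def embed_stage2(cover_pixels, payload, ext):
    # Encoder mirroring extract_stage2; used here only to build test images.
    px = bytearray(cover_pixels)
    depth = choose_depth(len(px) - PAYLOAD_OFF, len(payload))
    if depth is None:
        raise ValueError('payload does not fit even at 4-bit LSB')
    px[EXT_END - len(ext):EXT_END] = ext.encode('ascii')   # assumed: raw bytes, not LSB
    for k in range(32):
        px[SIZE_OFF + k] = (px[SIZE_OFF + k] & 0xfe) | ((len(payload) >> k) & 1)
    bits = list(lsb_bits(payload, 8))
    keep = 0xff ^ ((1 << depth) - 1)
    for k in range(0, len(bits), depth):
        idx = PAYLOAD_OFF + k // depth
        px[idx] = (px[idx] & keep) | bits_to_int(bits[k:k + depth])
    return bytes(px), depth


def build_bmp(width, height, pixels):
    # Minimal 24-bit BMP writer: BITMAPFILEHEADER + BITMAPINFOHEADER + padded rows.
    row = 3 * width
    pad = (4 - (row & 3)) & 3
    body = bytearray()
    for r in range(height):
        body += pixels[r * row:(r + 1) * row] + bytes(pad)
    hdr = struct.pack('<2sIHHI', b'BM', 54 + len(body), 0, 0, 54)
    dib = struct.pack('<IiiHHIIiiII', 40, width, height, 1, 24, 0, len(body), 2835, 2835, 0, 0)
    return bytes(hdr + dib + body)


def demo(payload_len):
    # Constructed cover and payload: 30x60 pixels, so every 90-byte row carries 2 bytes
    # of padding and 5400 pixel bytes (5358 usable after the header fields) are available.
    width, height = 30, 60
    cover = bytes((i * 37 + 11) & 0xff for i in range(3 * width * height))
    payload = b'MZ' + bytes((i * 13) & 0xff for i in range(payload_len - 2))
    stego, depth = embed_stage2(cover, payload, '.exe')
    ext, depth_out, recovered = extract_stage2(build_bmp(width, height, stego))
    return ext, depth, depth_out, recovered == payload
```

demo(600) round-trips at 1-bit LSB, demo(1200) forces 2-bit and demo(2600) forces 4-bit, while a 2700-byte payload no longer fits the 5358 usable bytes and choose_depth() returns None. Two points carry over to triage of a real F.bmp: the declared length in the header field is attacker-controlled, so it is checked against the image capacity before any allocation, and an image whose declared payload is far smaller than the pixel area is a hint that more than one bit per byte is not in use.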
The extracted PlugX configurations are provided in Appendices A and B [10].\r\nInfrastructure Links\r\nIn addition to their similar TTPs, ZeroT infrastructure has been continuously shared with NetTraveler, and both malware families use the same C\u0026C domains:\r\n- The C\u0026C domain www.tassnews[.]net was used by initial samples of ZeroT in June 2016. It was concurrently used by NetTraveler (example SHA256: b43cbc905088c08ee3b71b6e053f91f2c79d71556462eae1c13f1cc8eb5bec72), as well as long before that [3].\r\n- The C\u0026C domain www.riaru[.]net was observed being used by at least one sample of ZeroT (SHA256: fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478). This domain was previously tied to NetTraveler as well [3].\r\n- The C\u0026C domain www.versig[.]net was used by many samples of ZeroT from September 2016 to January 2017. This domain was also used by many NetTraveler samples (example SHA256: 0d6d789d603d6d9ba68131592fd595c4d82c0288be309876d27a53466158b312) in the time frame from October 2016 to January 2017.\r\nThe PlugX samples downloaded by ZeroT exhibit infrastructure connections to the PlugX samples described in our 2015 blog about this group, “In Pursuit of Optical Fibers and Troop Intel: Targeted Attack Distributes PlugX in Russia” [2]. Specifically:\r\n- The C\u0026C domain dicemention[.]com was configured in (or not removed from) the PlugX sample (SHA256: 3149fb0ddd89b77ecfb797c4ab4676c63d157a6b22ba4c8f98e8478c24104dfa) downloaded by ZeroT (SHA256: d1c4a51064aeec4c11a8f90f80a3b60a36c07cce2dde0756c114e477d63ce375). This domain was also used by PlugX samples described in the 2015 blog.\r\nNote also an interesting connection: the hostname www.riaru[.]net resolved to IP 103.200.31[.]110, which also responded for yandax[.]net.
One of the PlugX C\u0026Cs (www.micrnet[.]net) resolved to 103.229.28[.]133, to which yandcx[.]com also resolved.\r\nFigure 19: Illustration of infrastructure connections on a limited set of samples\r\nConclusion\r\nThis APT activity represents both a change in TTPs and the introduction of new malware known as ZeroT by a Chinese state-sponsored attack group that we have previously associated with multiple campaigns. Proofpoint researchers have predicted that APT activity will continue to increase in the coming year, and we will continue to track developments among state-sponsored actors.\r\nReferences\r\n[1] https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\r\n[2] https://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia\r\n[3] https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests\r\n[4] https://en.wikipedia.org/wiki/Microsoft_Compiled_HTML_Help\r\n[5] https://en.wikipedia.org/wiki/Commonwealth_of_Independent_States\r\n[6] http://researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/\r\n[7] https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-office-exploit-generators-szappanos.pdf\r\n[8] https://en.wikipedia.org/wiki/BMP_file_format\r\n[9] https://en.wikipedia.org/wiki/Least_significant_bit\r\n[10] https://github.com/arbor-jjones/volatility_plugins\r\nIndicators of Compromise (IOCs)\r\nRAR / 7-Zip archives\r\n38566230e5f19d2fd151eaf1744ef2aef946e17873924b91bbeaede0fbfb38cf\r\nee81c939eec30bf9351c9246ecfdc39a2fed78be08cc9923d48781f6c9bd7097\r\nec3405e058b3be958a1d3db410dd438fba7b8a8c28355939c2319e2e2a338462\r\nf2b6f7e0fcf4611cb25f9a24f002ba104ee5cf84528769b2ab82c63ba4476168\r\nCHM
droppers\r\n4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff\r\nee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2\r\n74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d\r\nWord exploit documents\r\n9dd730f615824a7992a67400fce754df6eaa770f643ad7e425ff252324671b58\r\nZeroT\r\n09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0\r\n1e25a8bd1ac2df82d4f6d280af0ecd57d5e4aef88298a2f14414df76db54bcc4\r\n399693f48a457d77530ab88d4763cbd9d3f73606bd860adc0638f36b811bf343\r\n3be2e226cd477138d03428f6046a216103ba9fa5597ec407e542ab2f86c37425\r\n67693ddb6236d3ef790059409ae240212c47acfd8c1c76d65c3ef19096fdf43b\r\n74eb592ef7f5967b14794acdc916686e061a43169f06e5be4dca70811b9815df\r\na16078c6d09fcfc9d6ff7a91e39e6d72e2d6d6ab6080930e1e2169ec002b37d3\r\na685cf4dca6a58213e67d041bba637dca9cb3ea6bb9ad3eae3ba85229118bce0\r\na9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8\r\naa7810862ef43d4ef6bec463266b7eb169dbf3f7f953ef955e380e4269137267\r\nb7ee556d1d1b83c5ce6b0c903244c1d3b79654cb950105b2c03996cdd4a70be8\r\nc15255b9a55e7a025cf36aca85eb6cc48571d0b997a93d4dfa4eacb49001cc8d\r\nc5d022f0815aeaa27afb8f1efbce2771d95914be881d288b0841713dbbbeda1a\r\nd1c4a51064aeec4c11a8f90f80a3b60a36c07cce2dde0756c114e477d63ce375\r\nfc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478\r\n97016593c53c7eeecd9d3a2788199f6473899ca8f07fafcd4173464f38ee0ab4\r\nPlugX\r\nb185401a8562614ef42a84bc29f6c21aca31b7811c2c0e680f455b061229a77f\r\n3149fb0ddd89b77ecfb797c4ab4676c63d157a6b22ba4c8f98e8478c24104dfa\r\n07343a069dd2340a63bc04ba2e5c6fad4f9e3cf8a6226eb2a82eb4edc4926f67\r\nZeroT C\u0026C\r\nwww.tassnews[.]net\r\nwww.versig[.]net\r\nwww.riaru[.]net\r\nPlugX C\u0026C\r\nwww.micrnet[.]net\r\nwww.dicemention[.]com\r\nLikely Related
C\u0026C\r\nwww.rumiany[.]com\r\nwww.yandcx[.]com\r\nET and ETPRO Suricata/Snort Coverage\r\n2810326,ETPRO TROJAN PlugX Related Checkin\r\n2821027,ETPRO TROJAN APT.ZeroT CnC Beacon Fake User-Agent\r\n2821028,ETPRO TROJAN APT.ZeroT CnC Beacon HTTP POST\r\n2824640,ETPRO TROJAN APT.ZeroT CnC Beacon\r\n2824641,ETPRO TROJAN APT.ZeroT Receiving Config\r\nAppendix A: Example PlugX Configuration\r\nSample hash: 07343a069dd2340a63bc04ba2e5c6fad4f9e3cf8a6226eb2a82eb4edc4926f67\r\nPlugX Config (0x36a4 bytes):\r\n        Hide Dll: 0\r\n        Keylogger: -1\r\n        Sleep1: 167772160\r\n        Sleep2: 0\r\n        Cnc: www.micrnet[.]net:80 (HTTP / UDP)\r\n        Cnc: www.micrnet[.]net:80 (TCP / HTTP)\r\n        Cnc: www.micrnet[.]net:80 (UDP)\r\n        Cnc: www.micrnet[.]net:443 (HTTP / UDP)\r\n        Cnc: www.micrnet[.]net:443 (TCP / HTTP)\r\n        Cnc: www.micrnet[.]net:443 (UDP)\r\n        Cnc: www.micrnet[.]net:53 (HTTP / UDP)\r\n        Cnc: www.micrnet[.]net:53 (TCP / HTTP)\r\n        Cnc: www.micrnet[.]net:53 (UDP)\r\n        Persistence: Run key\r\n        Install Folder: %AUTO%\\TCMyXfeFAd\r\n        Service Name: pQwEPnz\r\n        Service Display Name: pQwEPnz\r\n        Service Desc: Windows pQwEPnz Service\r\n        Reg Hive: HKCU\r\n        Reg Key: Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n        Reg Value: mJqyCsNGBsge\r\n        Injection: 1\r\n        Inject Process: %windir%\\explorer.exe\r\n        Inject Process: %ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe\r\n        Inject Process: %windir%\\system32\\svchost.exe\r\n        Uac Bypass Injection: 1\r\n        Uac Bypass Inject: %windir%\\explorer.exe\r\n        Uac Bypass Inject: %windir%\\system32\\rundll32.exe\r\n        Uac Bypass Inject:
%windir%\\system32\\dllhost.exe\r\n        Uac Bypass Inject: %windir%\\system32\\msiexec.exe\r\n        Plugx Auth Str: TEST\r\n        Cnc Auth Str: DuICS\r\n        Mutex: Global\\WtMKAPYYxoWMoWW\r\n        Screenshots: 0\r\n        Screenshots Sec: 10\r\n        Screenshots Zoom: 50\r\n        Screenshots Bits: 16\r\n        Screenshots Qual: 50\r\n        Screenshots Keep: 3\r\n        Screenshot Folder: %AUTO%\\FS\\screen\r\n        Enable Tcp P2P: 1\r\n        Tcp P2P Port: 1357\r\n        Enable Udp P2P: 1\r\n        Udp P2P Port: 1357\r\n        Enable Icmp P2P: 1\r\n        Icmp P2P Port: 1357\r\n        Enable Ipproto P2P: 1\r\n        Ipproto P2P Port: 1357\r\n        Enable P2P Scan: 1\r\n        P2P Start Scan1: 0.0.0.0\r\n        P2P Start Scan2: 0.0.0.0\r\n        P2P Start Scan3: 0.0.0.0\r\n        P2P Start Scan4: 0.0.0.0\r\n        P2P End Scan1: 0.0.0.0\r\n        P2P End Scan2: 0.0.0.0\r\n        P2P End Scan3: 0.0.0.0\r\n        P2P End Scan4: 0.0.0.0\r\n        Mac Disable: 00:00:00:00:00:00\r\nAppendix B: Example PlugX Configuration\r\nSample hash: 3149fb0ddd89b77ecfb797c4ab4676c63d157a6b22ba4c8f98e8478c24104dfa\r\nProcess: fsguidll.exe (3980)\r\nPlugX Config (0x36a4 bytes):\r\n        Hide Dll: 0\r\n        Keylogger: -1\r\n        Sleep1: 167772160\r\n        Sleep2: 0\r\n        Cnc: www.dicemention[.]com:80 (HTTP / UDP)\r\n        Cnc: www.dicemention[.]com:443 (HTTP / UDP)\r\n        Cnc: www.dicemention[.]com:25 (HTTP / UDP)\r\n        Cnc: www.dicemention[.]com:80 (TCP / HTTP)\r\n        Cnc: www.dicemention[.]com:443 (TCP / HTTP)\r\n        Cnc: www.dicemention[.]com:25 (TCP / HTTP)\r\n        Cnc: www.dicemention[.]com:80 (UDP)\r\n        Cnc: www.dicemention[.]com:443 (UDP)\r\n        Cnc: www.dicemention[.]com:25 (UDP)\r\n
        Persistence: Service + Run Key\r\n        Install Folder: %AUTO%\\IZBpIciif\r\n        Service Name: yAjUgUdMGHuvGaZ\r\n        Service Display Name: yAjUgUdMGHuvGaZ\r\n        Service Desc: Windows yAjUgUdMGHuvGaZ Service\r\n        Reg Hive: HKCU\r\n        Reg Key: Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n        Reg Value: RqdFqFSYaBx\r\n        Injection: 1\r\n        Inject Process: %windir%\\system32\\svchost.exe\r\n        Inject Process: %windir%\\explorer.exe\r\n        Inject Process: %ProgramFiles%\\Internet Explorer\\iexplore.exe\r\n        Inject Process: %ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe\r\n        Uac Bypass Injection: 1\r\n        Uac Bypass Inject: %windir%\\system32\\msiexec.exe\r\n        Uac Bypass Inject: %windir%\\explorer.exe\r\n        Uac Bypass Inject: %windir%\\system32\\rundll32.exe\r\n        Uac Bypass Inject: %windir%\\system32\\dllhost.exe\r\n        Plugx Auth Str: TEST\r\n        Cnc Auth Str: NBz\r\n        Mutex: Global\\ksMoQGOTIBJXumYclXtcsAnx\r\n        Screenshots: 0\r\n        Screenshots Sec: 10\r\n        Screenshots Zoom: 50\r\n        Screenshots Bits: 16\r\n        Screenshots Qual: 50\r\n        Screenshots Keep: 3\r\n        Screenshot Folder: %AUTO%\\FS\\screen\r\n        Enable Tcp P2P: 1\r\n        Tcp P2P Port: 1357\r\n        Enable Udp P2P: 1\r\n        Udp P2P Port: 1357\r\n        Enable Icmp P2P: 1\r\n        Icmp P2P Port: 1357\r\n        Enable Ipproto P2P: 1\r\n        Ipproto P2P Port: 1357\r\n        Enable P2P Scan: 1\r\n        P2P Start Scan1: 0.0.0.0\r\n        P2P Start Scan2: 0.0.0.0\r\n        P2P Start Scan3: 0.0.0.0\r\n        P2P Start Scan4: 0.0.0.0\r\n        P2P End Scan1: 0.0.0.0\r\n        P2P End Scan2: 0.0.0.0\r\n        P2P End Scan3: 0.0.0.0\r\n        P2P End Scan4: 0.0.0.0\r\n        Mac Disable: 00:00:00:00:00:00\r\nSource: 
https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
	],
	"report_names": [
		"APT-targets-russia-belarus-zerot-plugx"
	],
	"threat_actors": [
		{
			"id": "808d8d52-ca06-4a5f-a2c1-e7b1ce986680",
			"created_at": "2022-10-25T16:07:23.899157Z",
			"updated_at": "2026-04-10T02:00:04.782542Z",
			"deleted_at": null,
			"main_name": "NetTraveler",
			"aliases": [
				"APT 21",
				"Hammer Panda",
				"NetTraveler",
				"TEMP.Zhenbao"
			],
			"source_name": "ETDA:NetTraveler",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"NetTraveler",
				"Netfile",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TravNet",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "254f2fab-5834-4d90-9205-d80e63d6d867",
			"created_at": "2023-01-06T13:46:38.31544Z",
			"updated_at": "2026-04-10T02:00:02.924166Z",
			"deleted_at": null,
			"main_name": "APT21",
			"aliases": [
				"HAMMER PANDA",
				"TEMP.Zhenbao",
				"NetTraveler"
			],
			"source_name": "MISPGALAXY:APT21",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434205,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/109d5f3ab07a6e0d0e04cafb5149fb03344268c2.pdf",
		"text": "https://archive.orkl.eu/109d5f3ab07a6e0d0e04cafb5149fb03344268c2.txt",
		"img": "https://archive.orkl.eu/109d5f3ab07a6e0d0e04cafb5149fb03344268c2.jpg"
	}
}