{
	"id": "0ba6694c-78c9-4dc6-85b9-e69def9f4677",
	"created_at": "2026-04-06T00:19:38.726191Z",
	"updated_at": "2026-04-10T13:12:50.119305Z",
	"deleted_at": null,
	"sha1_hash": "11705abd12aab0530ba47942bb493b5ddb600cfe",
	"title": "Okrum: Ke3chang group targets diplomatic missions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 877860,
	"plain_text": "Okrum: Ke3chang group targets diplomatic missions\r\nBy Zuzana Hromcová\r\nArchived: 2026-04-05 17:34:18 UTC\r\nESET Research\r\nTracking the malicious activities of the elusive Ke3chang APT group, ESET researchers have discovered new versions of malware families linked to the group, and a previously unreported backdoor\r\n18 Jul 2019 • 8 min. read\r\nIn this blogpost, we will sum up the findings published in full in our white paper “Okrum and Ketrican: An overview of recent Ke3chang group activity”.\r\nThe Ke3chang group, also known as APT15, is a threat group believed to be operating out of China. Its activities were traced back to 2010 in FireEye’s 2013 report on operation Ke3chang – a cyberespionage campaign directed at diplomatic organizations in Europe.\r\nWe have been tracking the malicious activities related to this threat actor and discovered a previously undocumented malware family with strong links to the Ke3chang group – a backdoor we named Okrum.\r\nAccording to ESET telemetry, Okrum was first detected in December 2016, and targeted diplomatic missions in Slovakia, Belgium, Chile, Guatemala and Brazil throughout 2017.\r\nhttps://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/\r\nPage 1 of 7\n\nFurthermore, from 2015 to 2019, we detected new versions of known malware families attributed to the Ke3chang group – BS2005 backdoors from operation Ke3chang and the RoyalDNS malware, reported by NCC Group in 2018.\r\nNote: New versions of operation Ke3chang malware from 2015-2019 are detected by ESET systems as Win32/Ketrican and collectively referred to as Ketrican backdoors/samples, marked with the relevant year, across our white paper and this blogpost.\r\nInvestigation timeline\r\n2015: Ketrican\r\nIn 2015, we identified new suspicious activities in European countries. 
The group behind the attacks seemed to have a particular interest in Slovakia, where a big portion of the discovered malware samples was detected; Croatia, the Czech Republic and other countries were also affected.\r\nOur technical analysis of the malware used in these attacks showed close ties to BS2005 backdoors from operation Ke3chang, and to a related TidePool malware family discovered by Palo Alto Networks in 2016 that targeted Indian embassies across the globe.\r\n2016-2017: Okrum\r\nThe story continued in late 2016, when we discovered a new, previously unknown backdoor that we named Okrum. The malicious actors behind the Okrum malware were focused on the same targets in Slovakia that were previously targeted by Ketrican 2015 backdoors.\r\n2017: Ketrican and RoyalDNS\r\nWe started connecting the dots when we discovered that the Okrum backdoor was used to drop a Ketrican backdoor, freshly compiled in 2017.\r\nIn 2017, the same entities that were affected by the Okrum malware (and by the 2015 Ketrican backdoors) again became targets of the malicious actors. This time, the attackers used new versions of the RoyalDNS malware and a Ketrican 2017 backdoor.\r\n2018: Ketrican\r\nIn 2018, we discovered a new version of the Ketrican backdoor that featured some code improvements.\r\n2019: Ketrican\r\nThe group continues to be active in 2019 – in March 2019, we detected a new Ketrican sample that has evolved from the 2018 Ketrican backdoor. It attacked the same targets as the backdoor from 2018.\r\nThis timeline of events shows that the attackers were focused on the same type of targets but were using different malicious toolsets to compromise them. In the process, they exposed Okrum, a formerly unknown project. 
Figure 1 shows ESET detections related to our investigation in the context of previously documented Ke3chang activity.\r\nFigure 1. Timeline of previously documented Ke3chang group activity and ESET detections related to our investigation\r\nLinks to Ke3chang group\r\nOur research has shown that the Ketrican, Okrum, and RoyalDNS backdoors detected by ESET after 2015 are linked to previously documented Ke3chang group activity, and to each other, in a number of ways. These are the most important connections:\r\n- Ketrican backdoors from 2015, 2017, 2018 and 2019 have all evolved from malware used in Operation Ke3chang\r\n- The RoyalDNS backdoor detected by ESET in 2017 is similar to the RoyalDNS backdoor used in previously reported attacks\r\n- Okrum is linked to Ketrican backdoors in that it was used to drop a Ketrican backdoor compiled in 2017\r\n- Okrum, Ketrican and RoyalDNS target the same type of organizations; some of the entities affected by Okrum were also targeted with one or more of the Ketrican/RoyalDNS backdoors\r\n- Okrum has a similar modus operandi as previously documented Ke3chang malware – it is equipped with a basic set of backdoor commands and relies on manually typing shell commands and executing external tools for most of its malicious activity\r\nOkrum\r\nDistribution and targets\r\nAccording to our telemetry, Okrum was used to target diplomatic missions in Slovakia, Belgium, Chile, Guatemala, and Brazil, with the attackers showing a particular interest in Slovakia.\r\nThe operators of the malware tried to hide malicious traffic with its C\u0026C server within regular network traffic by registering seemingly legitimate domain names. 
For example, the samples used against Slovak targets communicated with a domain name mimicking a Slovak map portal (support.slovakmaps[.]com). A similar masquerade was used in a sample detected in a Spanish-speaking country in South America – the operators used a domain name that translates as “missions support” in Spanish (misiones.soportesisco[.]com).\r\nHow the Okrum malware was distributed to the targeted machines is a question that remains to be answered.\r\nTechnical details\r\nThe Okrum backdoor is a dynamic-link library that is installed and loaded by two earlier-stage components. During our investigation, the implementation of these two components was being changed frequently. Every few months, the authors actively changed the implementation of the Okrum loader and installer components to avoid detection. By the time of publication, ESET systems had detected seven different versions of the loader component and two versions of the installer, although the functionality remained the same.\r\nThe payload of Okrum is hidden in a PNG file. When the file is viewed in an image viewer, a familiar image is displayed, as seen in Figure 2, but the Okrum loaders are able to locate an extra encrypted file that the user cannot see. This steganography technique is an attempt by the malicious actors to stay unnoticed and evade detection.\r\nFigure 2. An innocuous-looking PNG image with an encrypted malicious DLL embedded inside\r\nAs for functionality, Okrum is only equipped with basic backdoor commands, such as downloading and uploading files, executing files and shell commands. Most of the malicious activity has to be performed by typing shell commands manually, or by executing other tools and software. 
This is a common practice of the Ke3chang group, which has also been pointed out previously in the Intezer and NCC Group reports monitoring Ke3chang group activity.\r\nIndeed, we have detected various external tools being abused by Okrum, such as a keylogger, tools for dumping passwords or enumerating network sessions. The Ketrican backdoors we detected from 2015 to 2019 used similar utilities. We can only guess why the Ke3chang actor uses this technique – maybe the combination of a simple backdoor and external tools fully accommodates their needs, while being easier to develop; but it may also be an attempt to evade behavioral detection.\r\nThe detection evasion techniques we observed in the Okrum malware include embedding the malicious payload within a legitimate PNG image, employing several anti-emulation and anti-sandbox tricks, as well as making frequent changes in implementation.\r\nConclusion\r\nOur analysis of the links between previously documented Ke3chang malware and the newly discovered Okrum backdoor lets us claim with high confidence that Okrum is operated by the Ke3chang group. 
Having documented Ke3chang group activity from 2015 to 2019, we conclude that the group continues to be active and works on improving its code over time.\r\nESET detection names and other Indicators of Compromise for these campaigns can be found in the full white paper: “Okrum and Ketrican: An overview of recent Ke3chang group activity”.\r\nMITRE ATT\u0026CK techniques\r\nTactic | ID | Name | Description\r\nExecution | T1059 | Command-Line Interface | Okrum’s backdoor uses cmd.exe to execute arbitrary commands.\r\nExecution | T1064 | Scripting | The backdoor uses batch scripts to update itself to a newer version.\r\nExecution | T1035 | Service Execution | The Stage 1 loader creates a new service named NtmsSvc to execute the payload.\r\nPersistence | T1050 | New Service | To establish persistence, Okrum installs itself as a new service named NtmsSvc.\r\nPersistence | T1060 | Registry Run Keys / Startup Folder | Okrum establishes persistence by creating a .lnk shortcut to itself in the Startup folder.\r\nPersistence | T1053 | Scheduled Task | The installer component tries to achieve persistence by creating a scheduled task.\r\nPersistence | T1023 | Shortcut Modification | Okrum establishes persistence by creating a .lnk shortcut to itself in the Startup folder.\r\nPrivilege Escalation | T1134 | Access Token Manipulation | Okrum can impersonate a logged-on user's security context using a call to the ImpersonateLoggedOnUser API.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | The Stage 1 loader decrypts the backdoor code, embedded within the loader or within a legitimate PNG file. A custom XOR cipher or RC4 is used for decryption.\r\nDefense Evasion | T1107 | File Deletion | Okrum’s backdoor deletes files after they have been successfully uploaded to C\u0026C servers.\r\nDefense Evasion | T1158 | Hidden Files and Directories | Before exfiltration, Okrum’s backdoor uses hidden files to store logs and outputs from backdoor commands.\r\nDefense Evasion | T1066 | Indicator Removal from Tools | Okrum underwent regular technical improvements to evade antivirus detection.\r\nDefense Evasion | T1036 | Masquerading | Okrum establishes persistence by adding a new service NtmsSvc with the display name Removable Storage in an attempt to masquerade as a legitimate Removable Storage Manager.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | Okrum's payload is encrypted and embedded within the Stage 1 loader, or within a legitimate PNG file.\r\nDefense Evasion | T1497 | Virtualization/Sandbox Evasion | The Stage 1 loader performs several checks on the victim's machine to avoid being emulated or executed in a sandbox.\r\nCredential Access | T1003 | Credential Dumping | Okrum was seen using MimikatzLite and modified Quarks PwDump to perform credential dumping.\r\nDiscovery | T1083 | File and Directory Discovery | Okrum was seen using DriveLetterView to enumerate drive information.\r\nDiscovery | T1082 | System Information Discovery | Okrum collects computer name, locale information, and information about the OS and architecture.\r\nDiscovery | T1016 | System Network Configuration Discovery | Okrum collects network information, including host IP address, DNS and proxy information.\r\nDiscovery | T1049 | System Network Connections Discovery | Okrum used NetSess to discover NetBIOS sessions.\r\nDiscovery | T1033 | System Owner/User Discovery | Okrum collects the victim user name.\r\nDiscovery | T1124 | System Time Discovery | Okrum can obtain the date and time of the compromised system.\r\nCollection | T1056 | Input Capture | Okrum was seen using a keylogger tool to capture keystrokes.\r\nExfiltration | T1002 | Data Compressed | Okrum was seen using a RAR archiver tool to compress data.\r\nExfiltration | T1022 | Data Encrypted | Okrum uses AES encryption and base64 encoding of files before exfiltration.\r\nExfiltration | T1041 | Exfiltration Over Command and Control Channel | Data exfiltration is done using the already opened channel with the C\u0026C server.\r\nCommand and Control | T1043 | Commonly Used Port | Okrum uses port 80 for C\u0026C.\r\nCommand and Control | T1090 | Connection Proxy | Okrum identifies a proxy server if it exists and uses it to make HTTP requests.\r\nCommand and Control | T1132 | Data Encoding | The communication with the C\u0026C server is base64 encoded.\r\nCommand and Control | T1001 | Data Obfuscation | The communication with the C\u0026C server is hidden in the Cookie and Set-Cookie headers of HTTP requests.\r\nCommand and Control | T1071 | Standard Application Layer Protocol | Okrum uses HTTP for communication with its C\u0026C.\r\nCommand and Control | T1032 | Standard Cryptographic Protocol | Okrum uses AES to encrypt network traffic. The key can be hardcoded or negotiated with the C\u0026C server in the registration phase.\r\nSource: https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/"
	],
	"report_names": [
		"okrum-ke3chang-targets-diplomatic-missions"
	],
	"threat_actors": [
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"CTG-6119",
				"CTG-9246",
				"Ke3chang",
				"NICKEL",
				"Nylon Typhoon",
				"Playful Dragon",
				"Vixen Panda"
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434778,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/11705abd12aab0530ba47942bb493b5ddb600cfe.pdf",
		"text": "https://archive.orkl.eu/11705abd12aab0530ba47942bb493b5ddb600cfe.txt",
		"img": "https://archive.orkl.eu/11705abd12aab0530ba47942bb493b5ddb600cfe.jpg"
	}
}