{
	"id": "d195d3f9-c81e-4565-aad1-5e6bb0176b3f",
	"created_at": "2026-04-06T00:15:59.311882Z",
	"updated_at": "2026-04-10T03:35:46.069381Z",
	"deleted_at": null,
	"sha1_hash": "11bb697ec74ff8bedc5d4284110aef0a6169afd8",
	"title": "EastWind campaign: new CloudSorcerer attacks on government organizations in Russia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1159540,
	"plain_text": "EastWind campaign: new CloudSorcerer attacks on government\r\norganizations in Russia\r\nBy GReAT\r\nPublished: 2024-08-14 · Archived: 2026-04-05 19:48:18 UTC\r\nIn late July 2024, we detected a series of ongoing targeted cyberattacks on dozens of computers at Russian\r\ngovernment organizations and IT companies. The threat actors infected devices using phishing emails with\r\nmalicious shortcut attachments. These shortcuts were used to deliver malware that received commands via the\r\nDropbox cloud service. Attackers used this malware to download additional payloads onto infected computers, in\r\nparticular tools used by the APT31 group and an updated CloudSorcerer backdoor. We dubbed this campaign\r\nEastWind.\r\nBelow are the most interesting facts about the implants used in this campaign:\r\nThe malware downloaded by the attackers from Dropbox has been used by APT31 since at least 2021. We\r\nnamed it GrewApacha.\r\nThe attackers updated the CloudSorcerer backdoor (described by us in early July 2024) after we\r\npublished our blog post. It currently uses LiveJournal (a social network popular in Russia) and Quora\r\nprofiles as initial C2 servers.\r\nThe attacks additionally deploy a previously unknown implant with a classic backdoor functionality, which\r\nwe dubbed PlugY. It is loaded via the CloudSorcerer backdoor, and its command set is quite extensive. It\r\nsupports three different protocols for communicating with C2, and what’s more, its code resembles that of\r\nthe DRBControl backdoor (aka Clambling), which several companies attribute to the APT27 group.\r\nTechnical information\r\nAs mentioned above, the attackers used spear phishing to gain an initial foothold in the organizations. They sent\r\nmalicious emails with attached RAR archives to target organizational email addresses. 
These archives had the\r\nfollowing names:\r\nинициативная группа из Черниговского района Приморского края.rar (translates as advocacy group\r\nfrom Chernigov district of Primorsky Krai.rar)\r\nвх.rar\r\nThey contained the following files:\r\n.con folder, which contained:\r\n1.docx, a legitimate decoy document\r\ndesktop.exe, a legitimate file\r\nVERSION.dll, a malicious file\r\nA malicious shortcut with a name similar to that of the archive.\r\nhttps://securelist.com/eastwind-apt-campaign/113345/\r\nPage 1 of 10\n\nWhen clicked, the shortcut executed the following command:\r\nC:\\Windows\\System32\\cmd.exe /c .con\\1.docx \u0026 echo F | move .con\\doc %public%\\Downloads\\desktop.exe \u0026 move .con\\docs %public%\\Downloads\\VERSION.dll \u0026 start /b %public%\\Downloads\\desktop.exe \u0026\u0026 exit\r\nThis command opens the document contained in the archive, copies the files desktop.exe and VERSION.dll to the\r\nC:\\Users\\Public\\Downloads folder, and then launches the desktop.exe file.\r\nNote the use of a similar infection method in an attack on a US organization that involved the\r\nCloudSorcerer backdoor, reported by Proofpoint in July 2024:\r\nContents of the malicious archive used in the attack on a US organization\r\nVERSION.dll – a backdoor that uses Dropbox\r\nThe attackers use classic DLL sideloading to load the malicious library VERSION.dll into the desktop.exe\r\nprocess:\r\nMD5 1f5c0e926e548de43e0039858de533fc\r\nSHA1 426bbf43f783292743c9965a7631329d77a51b61\r\nSHA256 668f61df2958f30c6a0f1356463e14069b3435fb4e8417a948b6738f5f340dd9\r\nFile size 9.82 MB\r\nThis library is a backdoor packed using the VMProtect tool. When started, it attempts to contact Dropbox using a\r\nhardcoded authentication token. Once connected to the Dropbox cloud, the backdoor reads commands to be\r\nexecuted from the file \u003ccomputer name\u003e/a.psd contained in the storage. 
The backdoor supports a total of five\r\ncommands, named as follows:\r\nDIR\r\nEXEC\r\nSLEEP\r\nUPLOAD\r\nDOWNLOAD\r\nThe results of running these commands are uploaded to the file \u003ccomputer name\u003e/b.psd that is stored in the\r\ncloud.\r\nGrewApacha: a RAT used by APT31 since 2021\r\nThe threat actors used the above backdoor to collect information about infected computers and install additional\r\nmalware on them. On one of these computers, we observed the download of the following files to the directory\r\nC:\\ProgramData\\USOShared\\Logs\\User:\r\nmsedgeupdate.exe, a legitimate executable file signed by Microsoft\r\nmsedgeupdate.dll, a malicious library\r\nwd, a file with an encrypted payload\r\nWhen the attackers launched msedgeupdate.exe, the malicious library msedgeupdate.dll was loaded into its\r\nprocess by means of DLL sideloading:\r\nMD5 f6245f64eaad550fd292cfb1e23f0867\r\nSHA1 fccdc059f92f3e08325208f91d4e6c08ae646a78\r\nSHA256 e2f87428a855ebc0cda614c6b97e5e0d65d9ddcd3708fd869c073943ecdde1c0\r\nFile size 9 MB\r\nWhile this set of three files resembles the “sideloading triad” that is typical of attacks involving PlugX, analysis of\r\nthese files revealed that the malware inside them is a RAT of the APT31 group, already described in 2021 and\r\n2023. We dubbed this RAT ‘GrewApacha’.\r\nThe behavior of the loader (msedgeupdate.dll) hasn’t changed since the 2023 post was published. As before, it\r\ndecrypts the payload stored on the drive using the XOR key 13 18 4F 29 0F, and loads it into the dllhost.exe\r\nprocess.\r\nWhile the GrewApacha loader has not changed since last year, there have been minor differences introduced to the\r\nRAT itself. Specifically, the new version now uses two C2 servers instead of one. Through network\r\ncommunications, the cybercriminals first retrieve a webpage with a profile bio on GitHub. 
This profile contains a\r\nstring encoded with the Base64 algorithm:\r\nProfile of a user created by the attackers on GitHub\r\nThe malware first decodes the string extracted from the GitHub profile, then decrypts it using a single-byte XOR\r\nalgorithm with the key 0x09, thereby obtaining the address of the main C2 server (for the screenshot above –\r\nupdate.studiokaspersky[.]com).\r\nNew version of the CloudSorcerer backdoor\r\nBesides launching the GrewApacha Trojan described above, we found that the attackers also downloaded the\r\nCloudSorcerer backdoor onto infected computers. To do that, they downloaded and launched a tool named\r\nGetKey.exe that is packed with the VMProtect obfuscator.\r\nMD5 bed245d61b4928f6d6533900484cafc5\r\nSHA1 e1cf6334610e0afc01e5de689e33190d0c17ccd4\r\nSHA256 5071022aaa19d243c9d659e78ff149fe0398cf7d9319fd33f718d8e46658e41c\r\nFile size 51 KB\r\nThe utility receives a four-byte number (the value of the GetTickCount() function at runtime), encrypts it using the\r\nCryptProtectData function, and then outputs the number with its ciphertext. The screenshot below shows the code\r\nof the tool’s main function:\r\nThe attackers used the tool output on their side as a unique key to encrypt the payload file. By handling the\r\nencryption with the CryptProtectData function, the attackers made it possible to decrypt the payload only on the\r\ninfected machine.\r\nAfter running the tool, the attackers downloaded the following files to the infected machine:\r\nThe renamed legitimate application dbgsrv.exe (example name: WinDRMs.exe), signed by Microsoft\r\nThe malicious library dll\r\nA file with the .ini extension, containing the encrypted payload. 
The name of this file varied across infected\r\nmachines.\r\nAs in the above case of GrewApacha, this set resembles the “sideloading triad” used in attacks involving PlugX.\r\nIn most cases, the attackers uploaded files inside a subdirectory of C:\\ProgramData, such as\r\nC:\\ProgramData\\Microsoft\\DRM. Afterwards, they used the task scheduler to configure the renamed dbgsrv.exe\r\napplication to launch at OS startup. This involved the schtasks utility (usage example: schtasks /create /RL HIGHEST /F /tn \\Microsoft\\Windows\\DRM\\DRMserver /tr \"C:\\ProgramData\\Microsoft\\DRM\\WinDRMs.exe -t run\" /sc onstart /RU SYSTEM).\r\nUpon startup of the renamed application, the malicious dbgeng.dll library is loaded into its process, again using\r\nDLL sideloading.\r\nMD5 d0f7745c80baf342cd218cf4f592ea00\r\nSHA1 c0e4dbaffd0b81b5688ae8e58922cdaa97c8de25\r\nSHA256 bd747692ab5db013cd4c4cb8ea9cafa7577c95bf41aa2629a7fea875f6dcbc41\r\nFile size 1.11 MB\r\nThis library was programmed to read the previously mentioned .ini file, which contains:\r\nThe ciphertext of a four-byte number generated and encrypted by the GetKey.exe utility\r\nA PE file compressed with the LZNT1 algorithm and XOR-encrypted using the four-byte number as a key.\r\nAccordingly, the library proceeded to decrypt the four-byte number using the CryptUnprotectData function, use it\r\nto decrypt the .ini file, and then load the decrypted file into the memory of the current process.\r\nAnalysis of the decrypted .ini files revealed them to be updated versions of the CloudSorcerer backdoor. 
After we\r\npublicly described this backdoor in early July 2024, the attackers modified it: the new version of CloudSorcerer\r\nuses profile pages on the Russian-language social network LiveJournal and the Q\u0026A site Quora as the initial C2\r\nservers:\r\nAs with past versions of CloudSorcerer, the profile bios contain an encrypted authentication token for interaction\r\nwith the cloud service.\r\nPlugY: an implant that overlaps with APT27 tools\r\nHaving analyzed the behavior of the newly found CloudSorcerer samples, we found that the attackers used the backdoor to\r\ndownload a previously unknown implant. This implant connects to the C2 server by one of three methods:\r\nTCP protocol\r\nUDP protocol\r\nNamed pipes\r\nThe set of commands this implant can handle is quite extensive, and implemented commands range from\r\nmanipulating files and executing shell commands to logging keystrokes and monitoring the screen or the\r\nclipboard.\r\nAnalysis of the implant is still ongoing, but we can conclude with a high degree of confidence that the code of the\r\nDRBControl (aka Clambling) backdoor was used to develop it. This backdoor was described in 2020 by Trend\r\nMicro and Talent-Jump Technologies. Later, Security Joes and Profero linked it to the APT27 group. The\r\nbackdoor also has similarities to PlugX.\r\nOur comparison of samples of the PlugY implant (MD5 example: faf1f7a32e3f7b08017a9150dccf511d) and the\r\nDRBControl backdoor (MD5: 67cfecf2d777f3a3ff1a09752f06a7f5) revealed that these two samples have the\r\nexact same architecture. 
Additionally, many commands in them are implemented almost identically, as evidenced\r\nby the screenshots below:\r\nCommand code for retrieving information about connected disks in the DRBControl backdoor (left) and the\r\nimplant (right)\r\nCommand code for retrieving information about the active window in the DRBControl backdoor (left) and the\r\nimplant (right)\r\nCommand code for taking screenshots in the DRBControl backdoor (left) and the implant (right)\r\nThus, the code previously observed in attacks by APT27 was likely used in developing the implant.\r\nWhile analyzing the PlugY implant we also noticed that it uses a unique malicious library to communicate with\r\nthe C2 server via UDP. We found the very same library in the DRBControl backdoor, as well as several samples of\r\nthe PlugX backdoor, which is popular among Chinese-speaking groups. Apart from DRBControl and PlugX, this\r\nlibrary has not been detected in any other malware.\r\nScreenshot of the library communicating with the C2 server via UDP\r\nTips for attack detection\r\nThe implants identified during the attack significantly differ from each other. As such, it’s necessary to use a\r\nseparate set of IoCs for each malware family used in any compromise.\r\nThe backdoor that uses Dropbox and is delivered via email can be found by looking for relatively large DLL files\r\n(\u003e 5 MB) located in the directory C:\\Users\\Public. Regular access to the Dropbox cloud in network traffic can\r\nserve as an additional indicator of this backdoor’s operation.\r\nThe GrewApacha Trojan can be detected by searching for an unsigned file named msedgeupdate.dll in the file\r\nsystem. 
This file also reaches several megabytes in size.\r\nThe PlugY implant that is delivered using the CloudSorcerer backdoor launches a process named msiexec.exe for\r\neach user signed in to the OS, and also creates named pipes with the name template \\.\\PIPE\\Y. The presence of these\r\ntwo indicators in the system is strong evidence of an infection.\r\nConclusion\r\nIn attacks on government organizations, threat actors often use toolkits that implement a wide variety of\r\ntechniques and tactics. In developing these tools, they go to the greatest lengths possible to hide malicious activity\r\nin network traffic. The attackers behind the EastWind campaign, for instance, used popular network\r\nservices (GitHub, Dropbox, Quora, LiveJournal and Yandex.Disk) as C2 servers.\r\nNotably, the EastWind campaign bore traces of malware from two different Chinese-speaking groups: APT27 and\r\nAPT31. This clearly shows that APT groups very often team up, actively sharing knowledge and tools. To\r\nsuccessfully counter such collaborations, we closely monitor the techniques and tactics of APT groups operating\r\naround the world.\r\nSource: https://securelist.com/eastwind-apt-campaign/113345/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/eastwind-apt-campaign/113345/"
	],
	"report_names": [
		"113345"
	],
	"threat_actors": [
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5d1a4f32-cc52-4ee8-acab-993cfa2ef5ad",
			"created_at": "2024-07-09T02:00:04.425917Z",
			"updated_at": "2026-04-10T02:00:03.67013Z",
			"deleted_at": null,
			"main_name": "CloudSorcerer",
			"aliases": [],
			"source_name": "MISPGALAXY:CloudSorcerer",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b1db2dce-5a2b-4fc4-85c2-d184acc956a0",
			"created_at": "2024-08-28T02:02:09.272572Z",
			"updated_at": "2026-04-10T02:00:04.622449Z",
			"deleted_at": null,
			"main_name": "CloudSorcerer",
			"aliases": [
				"Operation EastWind"
			],
			"source_name": "ETDA:CloudSorcerer",
			"tools": [
				"GrewApacha",
				"PlugY",
				"The CloudSorcerer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434559,
	"ts_updated_at": 1775792146,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/11bb697ec74ff8bedc5d4284110aef0a6169afd8.pdf",
		"text": "https://archive.orkl.eu/11bb697ec74ff8bedc5d4284110aef0a6169afd8.txt",
		"img": "https://archive.orkl.eu/11bb697ec74ff8bedc5d4284110aef0a6169afd8.jpg"
	}
}