{
	"id": "e8c2a093-152f-4fb9-9d3a-6e9c7af22085",
	"created_at": "2026-04-06T00:16:01.476194Z",
	"updated_at": "2026-04-10T03:31:57.096018Z",
	"deleted_at": null,
	"sha1_hash": "121b003cbfaa03e181cea7f1e2ad0a988ce0d7ea",
	"title": "Operation Earth Kitsune A Dance of Two New Backdoors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1630637,
	"plain_text": "Operation Earth Kitsune A Dance of Two New Backdoors\r\nPublished: 2020-10-28 · Archived: 2026-04-05 13:15:05 UTC\r\nCyber Threats\r\nWe uncovered two new espionage backdoors associated with Operation Earth Kitsune: agfSpy and dneSpy. This post provides details about these malware types, including the relationship between them and their command and control (C\u0026C) servers.\r\nBy: William Gamazo Sanchez, Aliakbar Zahravi, Elliot Cao, Cedric Pernet, Daniel Lunghi, Jaromir Horejsi, Joseph C Chen, John Zhang Oct 28, 2020 Read time: 9 min (2544 words)\r\nWe recently published a research paper on Operation Earth Kitsune, a watering hole campaign aiming to steal information by compromising websites. Besides its heavy use of SLUB malware, we also uncovered two new espionage backdoors associated with the campaign: agfSpy and dneSpy, dubbed as such following the attackers’ three-letter naming scheme.\r\nOur previous research on the operation found that, while SLUB was primarily used to exfiltrate data, agfSpy and dneSpy were employed for the same purpose but also for seizing control of affected systems. This post provides more details about these malware types, including the relation between them and their command and control (C\u0026C) servers.\r\nFigure 1 shows how agfSpy and dneSpy are used in the attacks. We were able to identify five C\u0026C servers communicating with and providing instructions to the espionage backdoors.\r\nhttps://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html\r\nPage 1 of 14\r\nFigure 1. Overview of the attack\r\nDneSpy and agfSpy’s C\u0026C servers\r\nThe campaign used inexpensive external resources located in several countries. The attackers set up services using budget service providers for the different samples. Table 1 shows how the C\u0026C servers are distributed. It also shows that all the registered domains are using the “no-ip.com” registration service. Note that these are legitimate services that have been abused by the threat actors behind the operation.\r\nSample | Domain | IP | Provider | Presumed Location\r\nShellcode Dropper.dll | rs[.]myftp[.]biz | 37.120.145.235 | hxxps://m247[.]com/ | Denmark\r\nagfSpy | agf[.]zapto[.]org | 2.56.213.162 | hxxps://www[.]mvps[.]net/ | Netherlands\r\nagfSpy | selectorioi[.]ddns[.]net | 193.142.59.196 | https://hostslick[.]com/ | Netherlands\r\nagfSpy | selectorioi[.]ddns[.]net | 89.38.225.241 | hxxps://m247[.]com/ | Singapore\r\ndneSpy | whoami2[.]ddns[.]net | 37.120.145.235 (same as shellcode) | hxxps://m247[.]com/ | Denmark\r\ndneSpy | whoamimaster[.]ddns[.]net | 93.115.23.193 | hxxps://www[.]mvps[.]net/ | Sweden\r\nSLUB (mm) | - | 185.234.52.129 | hxxps://www[.]mvps[.]net/ | Greece\r\nTable 1. Discovered C\u0026C servers\r\nDneSpy used a dynamic C\u0026C discovery mechanism that first connects to whoami2[.]ddns[.]net and then receives information about the master server whoamimaster[.]ddns[.]net.\r\nAs a part of its deployment, dneSpy also delivers agfSpy, as shown in Figure 2.\r\nFigure 2. How dneSpy delivers agfSpy\r\nThis scheme shows why dneSpy first checks, using the CreateMutex technique, if agfSpy is already installed on the system. With this architecture, the attacker is looking to have a certain level of resiliency during deployment — even when agfSpy was already delivered as part of the initial vector, the attacker tries it again. For these two backdoors, the saying \"it takes two to tango\" applies, as the pair acts as partners in this \"dance.\"\r\nDneSpy espionage backdoor\r\nDneSpy collects information, takes screenshots, and downloads and executes the latest version of other malicious components in the infected system. The malware is designed to receive a “policy” file in JSON format with all the commands to execute. The policy file sent by the C\u0026C server can be changed and updated over time, making dneSpy flexible and well-designed. The output of each executed command is zipped, encrypted, and exfiltrated to the C\u0026C server. These characteristics make dneSpy a fully functional espionage backdoor.\r\nDneSpy C\u0026C communication\r\nUpon execution, dneSpy generates a unique ID for its victim based on the system parameters by executing the command shown in Figure 3.\r\nFigure 3. Victim ID identification parameters\r\nFrom the full output of the command (full text) in Figure 3, a 4-byte hash is created and concatenated with the computer name to form an ‘id’ parameter in the communication requests with the C\u0026C server. The generated unique victim ID is then used to track unique first-time infections, and the C\u0026C server makes decisions based on that. Figure 4 shows a Python implementation of the algorithm generating the custom 4-byte hash.\r\nFigure 4. Algorithm for computing a custom 4-byte hash\r\nBefore sending the request, the C\u0026C server details are decoded first. DneSpy uses multiple string obfuscation mechanisms in the same binary, using either XOR encryption or a ROT cipher. In the case of the C\u0026C URL path, it uses ROT, as seen in Figure 5.\r\nFigure 5. Deobfuscation of C\u0026C parameters using ROT\r\nDneSpy then creates a directory or account on the C\u0026C server to register a new victim. The first request, shown in Figure 6, has the format of the victim ID: CC669737_WIN-RSG1AKRI2C4.\r\nFigure 6. dneSpy’s first request\r\nOne interesting aspect of dneSpy’s design is its C\u0026C pivoting behavior. The central C\u0026C server's response is actually the next-stage C\u0026C server's domain/IP, which dneSpy has to communicate with to receive further instructions.\r\nFigure 7. Dynamic C\u0026C server selection\r\nThe pivoting design suggests that the malware can be used as a service where the actual samples are distributed to collect information for a selected C\u0026C server on demand.\r\nThe dneSpy C\u0026C server uses HTTP with the HTTP data body encrypted with the AES CBC cipher. The dneSpy binary needs to receive a command-line parameter when it is launched. Figure 8 shows an example.\r\nFigure 8. dneSpy parameters\r\nThe parameter “helloworld” is used during the communication with the C\u0026C server to decrypt the received data. Using the command line parameter and the first 16 bytes of the response from the server, which is actually the initialization vector for AES, the payload data (from the 17th byte of the received blob) decrypts into a ZIP file. This ZIP archive contains an additional TXT file called “DNS_PROFILE,” which contains a new domain name. Figure 9 shows the full process, starting from decrypting the first response from the central C\u0026C server.\r\nFigure 9. The first response decryption process\r\nDuring the decryption and decompression process, multiple temporary files are created in the current user’s TEMP folder, as displayed in Figure 10.\r\nFigure 10. Decrypting the first request and getting the next C\u0026C server\r\nOnce the new C\u0026C URL name is received and decrypted, dneSpy constructs an HTTP POST request and sends it to the new C\u0026C server. The server then responds with an “Account Created!” message if everything is working properly. This is a way to authenticate the victim with the pivoted C\u0026C server and protect the C\u0026C channel.\r\nFigure 11. Victim account created on the dynamically defined C\u0026C server\r\nOnce the account is created on the current C\u0026C server, dneSpy sends an HTTP GET request to receive the policy.txt file (with commands to be executed) and further malware payloads.\r\nThe following section will detail the exfiltration mechanism and the data capture method used by this specific version.\r\nExfiltration mechanism\r\nDneSpy is very flexible in its design and dynamically receives instructions from a custom pivoted C\u0026C server. We noticed at least two versions of its samples receiving different instructions. This section details one of them.\r\nFigure 12 shows the general sequence of steps dneSpy takes to exfiltrate the collected information to the pivoted new C\u0026C server.\r\nFigure 12. Exfiltration mechanism\r\nDneSpy first sends an HTTP GET request to receive a “crypted_package” to get the policy.txt file, as shown in Figure 13.\r\nFigure 13. Request for the “crypted_package”\r\nWhen dneSpy receives the response, a “crypted_package” file is created on the disk. The file is later decrypted to “crypted_package.zip,” as shown in Figure 14.\r\nFigure 14. \"crypted_package\" decryption\r\nAs we can see, the “crypted_package.zip” archive contains a file called “policy.txt,” which contains the commands to be executed by dneSpy. The policy.txt file is in JSON format, as shown in Figure 15.\r\nFigure 15. dneSpy execution policy\r\nMultiple parameters, like “test” and “etc”, were not used. However, the “cmd” attribute has all the commands to be executed by dneSpy on the victim’s machine. After execution, a custom 4-byte hash (same algorithm as the hash computing the machine ID) is computed for each command from the policy.txt file's “cmd” attribute. This hash is then used as a file name to store the command result temporarily. This file is zipped, encrypted, and uploaded to the selected C\u0026C server. The example in Figure 16 shows a list of files to be exfiltrated to the C\u0026C server upon dneSpy execution.\r\nFigure 16. Temporary files on disk ready to be exfiltrated to the C\u0026C\r\nThe exfiltration is implemented using an HTTP multipart request, as shown in Figure 17. All the temporary files are deleted after exfiltration.\r\nFigure 17. Exfiltrating HTTP POST request\r\nFinally, a screenshot is taken and uploaded together with the results of the executed commands.\r\nIf dneSpy runs for the second time while the victim is already registered, the central C\u0026C server (which is responsible for giving a new pivoting C\u0026C server) responds with a “Not regular victim!” message. Figure 18 shows an example of such a situation.\r\nFigure 18. C\u0026C server responding with a \"Not regular victim!\" message\r\nAs mentioned earlier, dneSpy can drop agfSpy into infected systems. We found out that this is the same agfSpy sample as the one dropped in the attacks described in the previous paper, exploiting the CVE-2019-5782, CVE-2020-0674, and CVE-2019-1458 vulnerabilities. The next section provides some details about this backdoor.\r\nThe agfSpy espionage backdoor\r\nThe agfSpy backdoor retrieves configuration and commands from its C\u0026C server. These commands allow the backdoor to execute shell commands and send the execution results back to the server. It also enumerates directories and can list, upload, download, and execute files, among other functions. The capabilities of agfSpy are very similar to dneSpy's, except each backdoor uses a different C\u0026C server and different formats in message exchanges.\r\nAgfSpy C\u0026C server communication\r\nAgfSpy only communicates with one C\u0026C server; it does not have the pivoting capabilities that dneSpy has. However, we found at least two different domains in several agfSpy samples while monitoring the current campaign.\r\nThe backdoor uses the same algorithm as the dneSpy backdoor to compute the environment identifier (“\u003cHash\u003e_\u003ccomputer name\u003e”). It then sends the message with the ID (null-terminated) to its C\u0026C server with the format seen in Figure 19:\r\nFigure 19. ID message\r\nFigure 20 shows an example of the ID message (in Hex dump) sent by the malware.\r\nFigure 20. ID message example\r\nThe code snippet in Figure 21 demonstrates how the malware performs the aforementioned operations:\r\nFigure 21. Code snippets for sending ID message\r\nThe malware then receives a table from its C\u0026C server. The table is used to prevent the backdoor from uploading old and unwanted files, and contains the flags of either uploaded or unwanted files.\r\nIf the server receives an uploaded file, it sets a flag in the table based on the file's path and timestamp. The server will send the table to the malware. Before the malware uploads a file from the infected system, it will check if there is a flag for the file in the table by computing its path and timestamp. If so, it will not upload the file to the server.\r\nFigure 22 shows an example of the uploading table message sent by the malware (shown in Hex dump).\r\nFigure 22. Uploading table message example\r\nAfter this, the malware receives the encrypted JSON message from its C\u0026C server to get commands. The server response has the format seen in Figure 23:\r\nFigure 23. Command message from the server\r\nAll payloads between the malware and the C\u0026C server are encrypted by a simple XOR encryption with a multi-byte key. The encrypted blob is then prepended with a 2-byte marker \"SC\", followed by a 4-byte payload length.\r\nThe backdoor receives the commands from the server and executes them on the infected system. It then returns the result/error/status messages to the server.\r\nAfter executing the commands from the server, the malware sends an \"END\" message (null-terminated) to the server, as shown in Figure 24.\r\nFigure 24. The “END” message sent to the server\r\nAgfSpy supported commands\r\nAgfSpy expects the commands to be in JSON form. It implements the following attributes and commands:\r\nCommands | Description\r\ninterval time | The delay between two consecutive requests to the C\u0026C server (3600 seconds by default)\r\nfilepaths | Upload files with the desired maximum file size\r\ndirpaths | Upload files in the directory with desired extensions, age, and maximal file size. Maximum of 2000 files per batch\r\nexecpaths | Download and execute\r\nsearchdir | Enumerate directories and files\r\nextensions | File extensions used in the upload\r\ncmd | Run commands via command line\r\nmaxfilesize | Maximal upload file size (1MB by default)\r\ndate | Only files newer than the given date will be uploaded\r\ntotalfilesize | Maximal size of all files to be uploaded (4GB by default)\r\nTable 2. List of commands implemented by agfSpy\r\nThe commands in Table 2 imply that this backdoor is mainly used to exfiltrate interesting files, as it implements various file searching and uploading functions.\r\nExamples of received commands are shown in Figure 25. The initial commands are used for basic system information collection. The stolen and uploaded extensions are document files.\r\nFigure 25. Commands received from C\u0026C server\r\nWhen agfSpy receives the “cmd” command from the server, it retrieves the list of shell commands from the JSON message (e.g., \"systeminfo,\" \"net share,\" \"netstat –an,\" \"arp –a,\" and \"ipconfig -all\"). For each shell command, the malware creates a process with two pipes to execute the shell command. One pipe is created to read the standard output (stdout) of the process to obtain the shell command's output. The other pipe is used to read the standard error (stderr) of the process to obtain the error message. After executing the shell command (e.g., systeminfo), it sends a message containing the executed command back to the server, as seen in Figure 26.\r\nFigure 26. Systeminfo command message\r\nIt then sends the output of the executed command back to the server, as shown in Figure 27.\r\nFigure 27. Output message of systeminfo command\r\nBoth dneSpy and agfSpy are written in C++ and use the standard std library. Strings are usually stored in an encrypted form in local variables, then decrypted in a simple loop by utilizing XOR or SUB instructions applied to each of their bytes.\r\nFigure 28. C\u0026C URL address stored in encrypted form (the DO WHILE loop is used for string decryption)\r\nConclusion\r\nDneSpy and agfSpy are fully functional espionage backdoors, and while they use different C\u0026C server mechanisms, they have many things in common. Multiple tactics and procedures are implemented to give the infrastructure versatility and resiliency in its behavior.\r\nOperation Earth Kitsune turned out to be complex and prolific, thanks to the variety of components it uses and the interactions between them. The campaign’s use of new samples to avoid detection by security products is also quite notable. From the Chrome exploit shellcode to agfSpy, elements in the operation are custom coded, indicating that there is a group behind this operation. This group seems to be highly active this year, and we predict that they will continue going in this direction for some time.\r\nWe recommend using a multilayered security approach that can detect and block such complex threats from infiltrating the system through endpoints, servers, networks, and emails.\r\nIndicators of Compromise\r\nFilename | SHA-256 | Trend Micro Pa\r\nhappy.jpg / 20200209122021_qifxyren.jpg | F28876A7F162FF9CDD608F07EE45F8E9211DA4304B3602152D0386CEEAC82442 | TrojanSpy.Win32\r\nsad.jpg / 20200209122021_abjeuitk.jpg | 15D80E616B6B5FEC3CFA0EEED5AC9037F34C4547AE27F5DFCAA5475501DE4B95 | TrojanSpy.Win32\r\n20200209122021_abjeuitk.jpg | 8304FCCCAF18546CAF94851C63DC8293EAF8DE575AB442D4419AA9ED29EA8614 | TrojanSpy.Win32\r\nURLs\r\nwhoami2[.]ddns[.]net dneSpy C2 domain\r\nwhoamimaster[.]ddns[.]net dneSpy C2 domain\r\nselectorioi[.]ddns[.]net agfSpy C2 domain\r\nagf[.]zapto[.]org agfSpy C2 domain\r\nrs[.]myftp[.]biz Shellcode C2 domain\r\nTrend Micro™ Deep Security™ protects users from exploits that target several vulnerabilities related to Operation Earth Kitsune via the following rules:\r\n1010544 - GNUBoard SQL Injection Vulnerability (EDB-ID-7927)\r\n1005613 - Generic SQL Injection Prevention – 2\r\n1005933 - Identified Directory Traversal Sequence In Uri Query Parameter\r\n1010542 - GNUBoard 'tb.php' SQL Injection Vulnerability (CVE-2011-4066)\r\n1010543 - GNUBoard 'ajax.autosave.php' SQL Injection Vulnerability (CVE-2014-2339)\r\n1010545 - GNUBoard Local File Inclusion Vulnerability (EDB-ID-7927)\r\n1010546 - GNUBoard Local/Remote File Include Vulnerability (CVE-2009-0290)\r\n1010547 - GNUBoard Remote Code Execution Vulnerability (KVE-2018-0449 and KVE-2018-0441)\r\nSource: https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html"
	],
	"report_names": [
		"operation-earth-kitsune-a-dance-of-two-new-backdoors.html"
	],
	"threat_actors": [
		{
			"id": "6158a31d-091c-4a5a-a82b-938e3d0b0e87",
			"created_at": "2023-11-17T02:00:07.61151Z",
			"updated_at": "2026-04-10T02:00:03.459947Z",
			"deleted_at": null,
			"main_name": "Earth Kitsune",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Kitsune",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3f6650a3-9f50-47c4-bd7a-008b63bde191",
			"created_at": "2022-10-25T16:07:23.949232Z",
			"updated_at": "2026-04-10T02:00:04.803815Z",
			"deleted_at": null,
			"main_name": "Operation Earth Kitsune",
			"aliases": [],
			"source_name": "ETDA:Operation Earth Kitsune",
			"tools": [
				"SLUB",
				"WhiskerSpy",
				"agfSpy",
				"dneSpy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434561,
	"ts_updated_at": 1775791917,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/121b003cbfaa03e181cea7f1e2ad0a988ce0d7ea.pdf",
		"text": "https://archive.orkl.eu/121b003cbfaa03e181cea7f1e2ad0a988ce0d7ea.txt",
		"img": "https://archive.orkl.eu/121b003cbfaa03e181cea7f1e2ad0a988ce0d7ea.jpg"
	}
}