{
	"id": "402df505-c67e-42b4-9383-1520b2935ef6",
	"created_at": "2026-04-29T02:20:34.548961Z",
	"updated_at": "2026-04-29T08:22:57.903567Z",
	"deleted_at": null,
	"sha1_hash": "1222546fb5627db22f997954d3a646ce69c76479",
	"title": "TA505 Continues to Infect Networks With SDBbot RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 76780,
	"plain_text": "TA505 Continues to Infect Networks With SDBbot RAT\r\nBy Melissa Frydrych\r\nPublished: 2020-04-14 · Archived: 2026-04-29 02:03:33 UTC\r\nIBM X-Force Incident Response and Intelligence Services (IRIS) responds to security incidents around the globe. During\r\nanalysis and comparison of malicious activity on enterprise networks, our team identified attacks likely linked to Hive0065,\r\nalso known as TA505. We observed that Hive0065 continues to spread the SDBbot remote-access Trojan (RAT) alongside\r\nother custom malware and continues to display tactics used against companies within the past year.\r\nAttacks that deploy malware and RATs on targeted networks are a way for cybercrime groups to compromise networks and\r\nopen channels for further activity, which could be immediate, or take place at a later stage. RATs are a common tool in\r\ntargeted attacks as they enable a vast array of remote actions for the attacker. Those include deploying additional malware,\r\nspying on users and carrying out actions from the infected device or server where they are installed.\r\nHive0065 is a financially motivated cybercrime group that has been actively targeting various industries, including finance,\r\nretail and restaurants, since at least 2014. This group primarily conducts malicious spam campaigns delivering a wide range\r\nof custom and open-source malware. The most notorious among these are campaigns involving banking Trojans such as\r\nDridex and TrickBot, ransomware such as Clop/Cryptomix and MINEBRIDGE, and extortion schemes demanding payment\r\nin bitcoin.\r\nSDBbot and Familiar TTPs\r\nIn November 2019, X-Force IRIS observed a threat actor targeting enterprise employees in Europe with a spear phishing\r\nemail impersonating Onehub, a legitimate, cloud-based file-sharing application for businesses. 
The email was designed to\r\nextract Active Directory (AD) discovery data and user credentials and to infect the environment with the SDBbot RAT.\r\nBased on our investigation and analysis of the actor’s tactics, techniques and procedures (TTPs), their command-and-control\r\n(C\u0026C) infrastructure and the use of specific malware previously attributed to the group, X-Force IRIS suspects it is highly\r\nlikely that Hive0065 was behind the attacks.\r\nSDBbot RAT has been observed in Hive0065 attacks since at least September 2019 and has been used primarily as a\r\nsecondary payload. This malware features remote-access capabilities, accepts commands from a C\u0026C server such as video\r\nrecording, and has the ability to exfiltrate data from the victimized devices and networks.\r\nIn a variety of campaigns attributed to this group previously reported by Proofpoint and ZeroFOX, Hive0065 was observed\r\nto be conducting phishing campaigns that delivered malicious Excel (.XLS) files hosted on domains spoofed to appear as the\r\ncloud storage sites Sync and Dropbox. The campaigns also featured C\u0026C infrastructure that spoofs other legitimate services,\r\nlike Google Drive and Microsoft Office.\r\nMore recent Hive0065 campaigns reported in March 2020 exploited the current interest in the COVID-19 pandemic, using\r\nCoronavirus-themed phishing emails to deliver the Locky ransomware and the Dridex banking Trojan. In some campaigns,\r\nHive0065 targeted healthcare organizations with emails purporting to come from medical research groups and offering\r\nsupposed Coronavirus remedies in exchange for bitcoin payments. The TTPs used in these campaigns align with those of\r\nHive0065/TA505, specifically the spoofing of cloud storage websites to distribute malware files.\r\nContinued Malicious Activity\r\nResearch conducted during X-Force IRIS investigations found continued malicious activity from Hive0065 that infected\r\ncompany networks with malware and the SDBbot RAT. 
The TTPs that we found are consistent with previous activity\r\nattributed to Hive0065:\r\nSpear phishing to deliver malware\r\nMacro-enabled documents\r\nThe use of droppers containing embedded dynamic-link libraries (DLLs)\r\nThe use of an installer component\r\nThe use of legitimate cloud hosting services for malware distribution\r\nSpoofing legitimate services like Microsoft and Google\r\nC\u0026C domains similar in naming convention and structure (sample of domain names shown below)\r\nDomains reported by X-Force | Domains reported by Proofpoint | Domains reported by ZeroFOX\r\ndrm-server-booking[.]com | news-server-drm-google[.]com | office-en-service[.]com\r\nmicrosoft-live-us[.]com | update365-office-ens[.]com | googledrive-download[.]com\r\ndl1.sync-share[.]com | office365-update-en[.]com | d1.syncdownloading[.]com\r\nhttps://web.archive.org/web/20200420201624/https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/\r\nPage 1 of 4\n\nCompromise Summary\r\nIn order to gain access to victim environments, Hive0065 sends a malicious email to employees purporting to be from an\r\nHR representative’s account. The email body impersonated Onehub, inviting the recipient to download a malicious\r\ndocument named Resume.doc.\r\nThe employee receiving this email downloaded and opened the document, which contained malicious code. Once the code\r\nwas executed, a persistence mechanism was installed and a malicious password harvester was executed. In this instance,\r\nonce the malicious code was executed, it dropped a malicious binary (DLL) similar to CobaltStrike, which subsequently\r\ncreated and executed additional files.\r\n
The actor used the initially compromised system to escalate privileges and move\r\nlaterally across additional systems on the network.\r\nHive0065’s Arsenal of Tools\r\nVSPUB DLLs With CobaltStrike Code Similarities\r\nThe malicious email delivering the file named Resume.doc initially led the recipient to a malicious domain. After several\r\nredirections, the final redirect pointed to the malicious URL hxxps://dl1.sync-share[.]com?Or2at. In addition, we also\r\nobserved employees who opened the document browsed to hxxps://dl1.sync-share[.]com and downloaded Resume (1).doc\r\nand a second file, Resume (3).doc.\r\nSeconds later, a suspicious document named main_template.docx was created.\r\nEvery time main_template.docx was opened, VBA macros were executed and a fake Microsoft Office login window\r\n(FakeL.exe) was displayed to the user while a malicious payload executed in the background. If the password entered was\r\ncorrect, the display disappeared. Password attempts were written into a file named Password.txt, which was subsequently\r\ndeleted.\r\nThe document may also display the fake message “This document is protected” to entice users to enable content and execute\r\nmalicious code. The .docx file contained embedded x86 and x64 versions of the payload DLL so that the appropriate version\r\nwas dropped depending on the target operating system.\r\nThe DLLs were dropped to the following locations:\r\nx86: %APPDATA%\\Microsoft\\Windows\\Template\\vspub1.dll\r\nx64: %APPDATA%\\Microsoft\\Windows\\Template\\vspub2.dll\r\nThe DLLs were loaded to the memory space of winword.exe using LoadLibraryW API, and the DLL module was\r\ncompressed twice to hide actual code. It used a custom packer that unpacks to UPX, an open-source executable packer,\r\nwhich revealed the actual code.\r\nWhile these DLLs did not match existing, known code families, a code comparison showed that this code has similarities\r\nwith the CobaltStrike framework. 
The VSPUB DLLs gather system information and use HTTP POST requests to send it to\r\nthe C\u0026C domain microsoft-live-us[.]com/fidonet or the IP address 185[.]176[.]221[.]45. Code suggests that upon successful\r\nreply from the server, the DLL can download and execute additional files.\r\nTo note, microsoft-live-us[.]com was registered just days before the attack took place, along with the domain sync-share[.]com, to include subdomains dl1.sync-share[.]com, dl2.sync-share[.]com and dl3.sync-share[.]com. Sync-share[.]com is likely attacker-owned infrastructure, and although the dl2 and dl3 subdomains were not observed in this\r\nparticular activity, it is likely that these domains will be used in a similar fashion.\r\nMeterpreter Reverse Shell\r\nAfter the initial system was compromised, the actors proceeded to compromise additional systems on the network by\r\nexecuting malicious PowerShell services running as the local SYSTEM account, as well as by installing bind shells. A\r\nMeterpreter reverse shell was used in order to remotely control compromised systems within the internal network; it was\r\ninstalled as a service using the execution of an encoded PowerShell script. The malicious PowerShell command decodes into\r\na reverse shell connecting back to two malicious IP addresses:\r\n91[.]214[.]124[.]20\r\n91[.]214[.]124[.]25\r\nWhile most samples we found during our investigations were Meterpreter reverse shells connecting back to a C\u0026C IP\r\naddress, Meterpreter bind shells that listen for incoming connections were also discovered. We found that a domain admin\r\naccount was compromised and the Active Directory audit tool PingCastle was run.\r\n
Using the domain admin, the actor was\r\nable to compromise several other accounts and execute malicious services and persistence mechanisms, namely SDBbot\r\nRAT Loaders.\r\nTinyMet Meterpreter Stager\r\nThe investigation led our team to the discovery of a file named wsus.exe (a version of TinyMet, a tiny, flexible Meterpreter\r\nstager), along with three additional files that were created and executed on the first compromised system.\r\nDuring the investigation, TinyMet was observed being executed with the command c:\\intel\\wsus.exe 1 91.214.124[.]20\r\n43434, indicating a reverse HTTP connection, and connected to a malicious IP address by either renaming a binary or\r\nproviding specific arguments. The commands executed were used for discovery purposes, listing members of privileged\r\ngroups and network information.\r\nSDBbot RAT Installer\r\nX-Force IRIS found that the SDBbot RAT installers are x64-packed and decrypt parts of SDBbot’s code and strings upon\r\nexecution. In addition, they read a binary blob located within the registry HKLM\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\[3\r\ncharacters]\\[1 character]. Depending on user privileges, a binary blob is located in the registry value. If the installer is running with regular user\r\nprivileges, the installer component will establish persistence using the registry Run key and execute ordinal #1 of the\r\nDLL:\r\nrundll32 “C:\\Users\\[USER]\\AppData\\Roaming\\xrjkrobuy.dll”,#1\r\nSDBbot RAT Loader\r\nAs part of the investigation, X-Force IRIS found that the SDBbot RAT loader we analyzed was similar in nature to the\r\nversion analyzed by Proofpoint, which was defined as the “Loader Component” of SDBbot in Hive0065 campaigns from\r\nOctober 2019. The loader component will read the binary blob and execute the contained shellcode.\r\n
Once the shellcode\r\nexecutes, it decompresses and executes the SDBbot payload. The shellcode will check to see if it was executed earlier than\r\nthe loader DLL files and if found to be “TRUE,” the process is terminated.\r\nSDBbot RAT Payload\r\nOnce the attackers established a foothold on the network, four new registry keys on the local Software hive were created and\r\nSDBbot RAT loader DLL files were installed as persistence mechanisms; the loaders were injected into the process\r\nwinlogon.exe every time the process was executed.\r\nUpon execution, SDBbot RAT checks for the presence of the mutex windows_7_windows_10_check_running_once_mutex\r\nand proceeds to retrieve a C\u0026C address from the file C:\\ip.txt. If that file is not available, it will use the C\u0026C drm-server-booking[.]com as the default server. SDBbot RAT will subsequently gather system information and communicate back to the\r\nC\u0026C server by sending and receiving a DWORD: 0xC0DE0000. The C\u0026C will send additional arguments depending on the\r\ncommand.\r\nConclusion\r\nHive0065 has been active since at least 2014, adjusting its TTPs, targeting and infrastructure with each campaign. A\r\nrelatively recent addition to Hive0065’s toolkit, SDBbot, is being used in attacks primarily as a second-stage malware,\r\ncomposed of an installer, a loader and RAT components.\r\nSDBbot has the ability to perform typical RAT functions, such as communicating with C\u0026Cs, receiving commands and\r\nobtaining system information. 
On infected systems, this malware could grant attackers extensive ability to drop and execute\r\nadditional malicious payloads, control infected systems and perform actions the legitimate user would have access to.\r\nRemote-access Trojans are one of the most prevalent tools in targeted attacks as they facilitate that type of control for remote\r\nattackers.\r\nAs X-Force IRIS continues to track Hive0065, we expect to see this group continue to target a wide range of industries using\r\nsocial engineering to deliver open-source and custom malware while constantly adjusting TTPs and C\u0026C infrastructure to\r\nevade detection.\r\nIndicators of Compromise (IoCs)\r\nC\u0026C IP Addresses\r\n91[.]214[.]124[.]25\r\n91[.]214[.]124[.]20\r\n185[.]176[.]221[.]45\r\nC\u0026C Domains\r\ndrm-server-booking[.]com\r\nmicrosoft-live-us[.]com\r\ndl1.sync-share[.]com\r\nURL Redirections\r\nhttps://eur01.safelinks.protection.outlook[.]com/?url=https://clck.ru/JnFFT\u0026data=02|01||bed42450519b40df4d8808d762bd4ff1|d847080b33824b27886012fe4d8edb27|1|0|637086437565223782\u0026s\r\nhttps://clck[.]ru/JnFFT\r\nhttps://sba.yandex[.]net/redirect?url=https%3A%2F%2Fdl1.sync-share.com%3FOr2at\u0026client=clck\u0026sign=2a3f3d25a38344769c6cfb6705a0f918\r\nFinal Redirection Hosting Malicious Document\r\nhttps://dl1.sync-share[.]com?Or2at\r\nFiles\r\nFile name | SHA1 | Description\r\nmain_template.docx | 33094acd614825a916b77df6c5141c088fc3768b | Malicious document\r\nvspub1.dll | bf0f7abda2228059bb00ec9658ee447fbe84d277 | CobaltStrike similarities\r\nvspub2.dll | d40510da42a478d72e649993208710668a7f6c27 | CobaltStrike similarities\r\nxrjkrobuy.dll | 14f52ae68344e1643b3066c10f7044fdd819db4e | SDBbot RAT\r\nupywloeza.dll | 0cc7cca16afd632857e3883c06b2f55c057b563e | SDBbot RAT\r\ndtzvlbtxn.dll | d36e983886a084887f887c6d562d3bc0664587c4 | SDBbot RAT\r\nlvgoywrnxwy.dll | fea7d944e317c7b2ef1aba57600a8c5310368085 | SDBbot RAT\r\nqcuqqgxmy.dll | 35423e04e58ab1f2267e19c47e1c69ea5b7041cc | SDBbot RAT\r\npdxqzmftr.dll | fd9620c0c295caaee3096423532bb1dbfb7064c5 | SDBbot RAT\r\nlowpro3.13.exe | cb0b39534d99057b02b090c3650fb1de43d19a02 | Binary\r\nwsus.exe | caff1d315a5d87014e5fa62346f58407755d971e | Meterpreter stager\r\nFakeL.exe | 45c43ec18d15ba7850e6ad2e2e54671636f4d926 | Password Stealer\r\nSource: https://web.archive.org/web/20200420201624/https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20200420201624/https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/"
	],
	"report_names": [
		"ta505-continues-to-infect-networks-with-sdbbot-rat"
	],
	"threat_actors": [
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-29T06:58:57.944337Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-29T06:58:57.503849Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-29T06:58:57.697957Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-29T06:58:56.353641Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04 Group",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"G0092",
				"ATK103",
				"CHIMBORAZO",
				"Dudear",
				"Hive0065",
				"Spandex Tempest",
				"SectorJ04"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-29T06:58:58.204892Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777429234,
	"ts_updated_at": 1777450977,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1222546fb5627db22f997954d3a646ce69c76479.pdf",
		"text": "https://archive.orkl.eu/1222546fb5627db22f997954d3a646ce69c76479.txt",
		"img": "https://archive.orkl.eu/1222546fb5627db22f997954d3a646ce69c76479.jpg"
	}
}