{
	"id": "7a4124b0-9a86-4844-8f5f-5601b6b2879f",
	"created_at": "2026-04-06T00:18:25.817776Z",
	"updated_at": "2026-04-10T13:13:03.891564Z",
	"deleted_at": null,
	"sha1_hash": "13456200b3e126e86c47b487f54b5be4fb24ccdf",
	"title": "Taiwan Government Targeted by Multiple Cyberattacks in April 2020",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 695773,
	"plain_text": "Taiwan Government Targeted by Multiple Cyberattacks in April 2020\r\nBy CyCraft Technology Corp\r\nPublished: 2022-06-10 · Archived: 2026-04-05 16:26:56 UTC\r\nPart 2: Owlproxy Malware\r\nIn April 2020, CyCraft observed highly malicious cyber activity in several Taiwan government agencies. Some of these attacks have been attributed to the same threat actor due to similar techniques, tactics, and procedures — the most important of which is the utilization of Skeleton Keys and Owlproxy malware.\r\nThis article is Part 2 of a series of articles. Click here to read Part 1: Waterbear Malware.\r\nWhat is a Skeleton Key?\r\nIn 2014, Dell Secureworks Counter Threat Unit observed the earliest use of a digital Skeleton Key. The Skeleton Key they observed was able to bypass authentication on Active Directory (AD) systems implementing single-factor verification (T1556.001 Modify Authentication Process: Domain Controller Authentication). Much like a physical Skeleton Key can open any door in a house, a digital Skeleton Key gives its user unfettered access to remote access services.\r\nhttps://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20\r\nPage 1 of 8\r\nIn 2019, CyCraft observed a possible China-sponsored APT group, APT Chimera, target the Taiwan semiconductor industry in a year-long campaign. Chimera added key code snippets extracted from both Mimikatz and Dumpert to their customized Skeleton Key. The Chimera Skeleton Key sought to bypass API monitoring, which is widely used in anti-virus and EDR products, by directly invoking syscalls and implementing the high-level API logic itself.\r\n“Even though several of the April 2020 attacks use the same techniques as APT Chimera, available evidence and artifacts in the April 2020 attacks do not suggest attribution to APT Chimera. However, this does suggest that China-based APT groups may share malware, tools, or even similar techniques. This sharing of tools, techniques, and malware adds difficulty to the attribution process.”\r\n-C.K. Chen, CyCraft Senior Researcher\r\nWhat is Owlproxy?\r\nOwlproxy is one of the primary malware families discovered in several of the April 2020 incidents. In order to bridge the internet and intranet, the threat actor used this malware, which has backdoor functionality, to tunnel in and out of the network. This backdoor functionality enables threat actors to launch any commands directly on the target system. Because the program database (PDB) path is still present in the binary, the malware’s name, Owlproxy, comes from the project name in the PDB path.\r\nHow to inject a Skeleton Key\r\nThe malware, tncpb.exe, would first drop msehp.dat, which also contained Windows Event Manageex.dll, Mimikatz.dll and Mimikatz.sys (under the name WinHelp.sys). While Windows Event Manageex.dll was loading, it would also invoke Mimikatz.dll to inject a Skeleton Key. If it fails to open lsass, Mimikatz.sys would be loaded as the alternative to unprotect lsass.exe (T1003.001 OS Credential Dumping: LSASS Memory). As a result, the Skeleton Key would be injected, and the attackers could then gain unfettered access to the domain endpoints.\r\nwmipd.dll\r\nwmipd.dll is the main remote administration tool (RAT) in this attack. The most important characteristic of this malware is that it is an HTTP proxy (T1071.001 Application Layer Protocol: Web Protocols) with backdoor functionality. This malware can be accessed via port 80 to execute commands (T1059.003 Command and Scripting Interpreter: Windows Command Shell) and to proxy traffic in and out of the victim’s network.\r\nFile Metadata\r\nmd5: cb1f2894cd35b173140690b0a608d4b6\r\nsha1: d744fb9adbd2d79c6016044de4a75e6c4f3fefb0\r\nsha256: 5b3ca2aacfa0996275c7a116bc2b14a03161b264ba4c699a55a5d19b8677969b\r\nfamily: Owlproxy (family name first designated by TrendMicro)\r\nfiletype: PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\npdb: F:\\project\\owl\\isapi\\x64\\Release\\iisdll.pdb\r\nBehavior\r\nwmipd.dll uses the WinHTTP API to create an HTTP server on port 80 with these endpoints:\r\nhttp[:]//+:80/servlet/ (General backdoor, execute any commands)\r\nhttp[:]//+:80/servlet/pp/ (HTTP to tcp\r\nIOC\r\nfile_path: %WINDIR%\\System32\\Windows Event Manageex.dll\r\nhttp[:]//127.0.0[.]1/servlet/\r\nhttp[:]//127.0.0\r\nStage One: tncpb.exe\r\nThe first stage malware tncpb.exe will drop msehp[.]dat, which further contains Windows Event Manageex.dll, Mimikatz.dll, and WinHelp[.]sys (Mimikatz.sys). The mission of tncpb[.]exe is to load Windows Event Manageex[.]dll — the linchpin of the attack.\r\nStage Two: Windows Event Manageex.dll\r\nThis malware has been designed for persistence. After it is dropped by tncpb.exe, Windows Event Manageex.dll self-installs. The previous stage malware (tncpb.exe) is then deleted (T1070.004 Indicator Removal on Host: File Deletion). The next stage malware (Mimikatz.dll), designed for credential access, is then triggered.\r\nFile Metadata\r\nfilename: Windows Event Manageex.dll\r\nmd5: d770a361646a0463f597c127e0705265\r\nsha1: d0c5baaa4aa4163ab6f6792ad5c394bca455f33a\r\nsha256: 2adc730d232583a2efecce8b13598eb23791440f47295fa1afede26be1d6e070\r\nfiletype: PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nBehavior\r\n1. Windows Event Manageex.dll self-installs.\r\n2. Windows Event Manageex.dll uses CreateThread() to delete tncpb.exe at location C:\\$Recycle.Bin\\tncpb.exe (T1074.001 Data Staged: Local Data Staging).\r\n3. Execute Mimikatz[.]dll in memory.\r\n4. Windows Event Manageex.dll uses CreateThread() to drop C:\\Windows\\system32\\Windows Event Manageex.dll (Mimikatz.sys) from msehp.dat#3(x).\r\n5. Windows Event Manageex.dll deletes C:\\$Recycle.Bin\\tncpb.exe (T1070.004 Indicator Removal on Host: File Deletion; T1074.001 Data Staged: Local Data Staging).\r\nIOC\r\nevent: “Global\\\\Microsoft Windows CriticalRestore Event”\r\nfile_path: $SystemDirectory\\wbem\\msehp.dat\r\nStage Three: Mimikatz.DLL\r\nA customized modification of the original Mimikatz, Mimikatz.dll was designed specifically to inject the Skeleton Key to allow the attackers persistent, unfettered Lateral Movement across the network. This was an interesting approach, as Skeleton Keys aren’t typically used for credential access. Once injected, the modified Skeleton Key modifies the original execution logic of lsass.exe and then injects the backdoor password. This malicious behavior is similar to legitimate user behavior, which helps this particular technique evade detection. In case the injection fails (cannot gain access to lsass.exe), an alternative approach is taken: the kernel driver WinHelp.sys is installed and unprotects lsass.exe, allowing the DLL malware to inject the Skeleton Key once again. Once the Skeleton Key injection is successful, the kernel driver is unloaded.\r\nFile Metadata\r\nfilename: msehp.dat#4\r\nmd5: 3838d0f1cb10f04632a6ca7fd79c3d0d\r\nsha1: 6641ff84b0d00431cd4bbdc9f6dee185fe137c22\r\nsha256: d88fdf1204e13472e8df87dc8e7a9d8a931e22658b88d48f510e56bc171e8938\r\nfiletype: PE32+ executable (DLL) (console) x86-64, for MS Windows\r\nfamily: mimikatz\r\nBehavior\r\n1. Inject Skeleton Key (first attempt)\r\nIf successful:\r\n createEvent(L”Global\\\\Debug_Windows_Dump_Event”)\r\nIf signature not found:\r\n createEvent(L”Global\\\\Windows_MemoryDump_Event”)\r\nIf OpenProcess failed:\r\n load mimikatz driver (WinHelp.sys)\r\n Unprotect lsass.exe\r\n Inject Skeleton Key again\r\n Unload mimikatz driver\r\n2. Delete mimikatz driver\r\nIOC\r\nfile_path: $SystemDirectory\\wbem\\msehp.dat\r\nfile_path: $SystemDirectory\\Drivers\\WinHelp.sys\r\nWinHelp.sys\r\nWinHelp.sys is the Mimikatz driver used to unprotect lsass[.]exe.\r\nFile Metadata\r\nmd5: c3a077bc0e4095d68569817b51bea7a2\r\nsha1: e4c9ba7299f2e201295e882ff528d2a0b89d382b\r\nsha256: 75c5cc5c9e07b04d8f68b5788a4514d294be607431f37bb04f6e5d93b9936c74\r\nfiletype: PE32+ executable (native) x86-64, for MS Windows\r\npdb: u:\\skeleton\\mimikatz-master_20170107\\mimidrv\\objfre_wnet_amd64\\amd64\\mimidrv[.]pdb\r\nIOC\r\ncert_serial: 5f78149eb4f75eb17404a8143aaeaed7\r\ncert_fingerprint: 31e5380e1e0e1dd841f0c1741b38556b252e62\r\nCertificate\r\nThe certificate embedded in the driver is signed by 上海域联软件技术有限公司 (Shanghai Yulian Software Technology Co., Ltd.).\r\nMITRE ATT\u0026CK®\r\nThe following MITRE ATT\u0026CK techniques were observed in this attack.\r\nExecution\r\nT1059.003 Command and Scripting Interpreter: Windows Command Shell\r\nDefense Evasion\r\nT1070.004 Indicator Removal on Host: File Deletion\r\nT1556.001 Modify Authentication Process: Domain Controller Authentication\r\nCredential Access\r\nT1556.001 Modify Authentication Process: Domain Controller Authentication\r\nT1003.001 OS Credential Dumping: LSASS Memory\r\nCollection\r\nT1074.001 Data Staged: Local Data Staging\r\nCommand And Control\r\nT1071.001 Application Layer Protocol: Web Protocols\r\nMitigation\r\n1. Add listed IOCs to preventative solution blacklists.\r\n2. Adjust detection and response solutions to detect listed IOCs.\r\n3. Scan the network for port 80 listening on non-server endpoints.\r\n4. Remove Skeleton Keys*\r\n*Be sure to first remove any malware that will inject the Skeleton Key, including Windows Event Manageex.dll, as it is self-installing. Then reboot the endpoint to clean up the modified memory.\r\nThis article is Part 2 of a series of articles. Click here to read Part 1: Waterbear Malware.\r\nWhen you join CyCraft, you will be in good company. CyCraft secures government agencies, police and defense organizations, Fortune Global 500 firms, top banks and financial institutions, critical infrastructure, airlines, telecommunications, hi-tech firms, and SMEs.\r\nWe power SOCs using innovative CyCraft AI technology to automate information security protection with built-in advanced managed detection and response (MDR), global cyber threat intelligence (CTI), smart threat intelligence gateway (TIG), security operations center (SOC) operations software, auto-generated incident response (IR) reports, system-wide network Health Check, and Secure From Home services.\r\nAdditional Related Resources\r\nLearn how we detected and defeated a China-sponsored APT targeting Taiwan’s high-tech ecosystem. Read our full analysis and malware reversal.\r\nUsing ATT\u0026CK for CTI Training | MITRE ATT\u0026CK®\r\nATT\u0026CK Evaluations: Understanding the Newly Released APT29 Results\r\nCyCraft Classroom: MITRE ATT\u0026CK vs. Cyber Kill Chain vs. Diamond Model\r\nQuantifying the MITRE ATT\u0026CK Round 2 Evaluation\r\nCyCraft CEO, Benson Wu, and CyCraft Global Project Manager, Chad Duffy, speak on the latest MITRE ATT\u0026CK Evaluations. Read their thoughts on our results and the philosophy powering CyCraft.\r\nHas your organization shifted to a Work From Home environment? Learn how to receive three FREE months of our Secure From Home Service.\r\nOur Enterprise Health Check drops your mean dwell time down from 197 days to under 1 day without false positives or false negatives. Know with confidence if hackers have penetrated your enterprise.\r\nREADY FOR A DEMO?\r\nContact us directly for more details: contact@cycraft.com\r\nSource: https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20"
	],
	"report_names": [
		"taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20"
	],
	"threat_actors": [
		{
			"id": "f88b16bc-df4b-48e7-ae35-f4117240ff24",
			"created_at": "2022-10-25T15:50:23.556699Z",
			"updated_at": "2026-04-10T02:00:05.312313Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Chimera"
			],
			"source_name": "MITRE:Chimera",
			"tools": [
				"PsExec",
				"esentutl",
				"Mimikatz",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3da47784-d268-47eb-9a0d-ce25fdc605c0",
			"created_at": "2025-08-07T02:03:24.692797Z",
			"updated_at": "2026-04-10T02:00:03.72967Z",
			"deleted_at": null,
			"main_name": "BRONZE VAPOR",
			"aliases": [
				"Chimera ",
				"DEV-0039 ",
				"Thorium ",
				"Tumbleweed Typhoon "
			],
			"source_name": "Secureworks:BRONZE VAPOR",
			"tools": [
				"Acehash",
				"CloudDrop",
				"Cobalt Strike",
				"Mimikatz",
				"STOCKPIPE",
				"Sharphound",
				"Watercycle"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef",
			"created_at": "2022-10-25T16:07:23.455744Z",
			"updated_at": "2026-04-10T02:00:04.61281Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Bronze Vapor",
				"G0114",
				"Nuclear Taurus",
				"Operation Skeleton Key",
				"Red Charon",
				"THORIUM",
				"Tumbleweed Typhoon"
			],
			"source_name": "ETDA:Chimera",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"SkeletonKeyInjector",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434705,
	"ts_updated_at": 1775826783,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/13456200b3e126e86c47b487f54b5be4fb24ccdf.pdf",
		"text": "https://archive.orkl.eu/13456200b3e126e86c47b487f54b5be4fb24ccdf.txt",
		"img": "https://archive.orkl.eu/13456200b3e126e86c47b487f54b5be4fb24ccdf.jpg"
	}
}