{
	"id": "52edfe46-6386-4b53-a346-548ee9589173",
	"created_at": "2026-04-06T00:17:23.312268Z",
	"updated_at": "2026-04-10T03:36:06.939923Z",
	"deleted_at": null,
	"sha1_hash": "13df10f1da37a2272d1d7ebdd72f0898a311e046",
	"title": "Budworm: Espionage Group Returns to Targeting U.S. Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42866,
	"plain_text": "Budworm: Espionage Group Returns to Targeting U.S. Organizations\r\nArchived: 2026-04-05 16:49:37 UTC\r\nThe Budworm espionage group has mounted attacks over the past six months against a number of strategically significant targets, including the government of a Middle Eastern country, a multinational electronics manufacturer, and a U.S. state legislature. The latter attack is the first time in a number of years that Symantec has seen Budworm targeting a U.S.-based entity. Along with the above high-value targets, the group also conducted an attack against a hospital in Southeast Asia.\r\nCurrent toolset\r\nIn recent attacks, Budworm leveraged the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45105) to compromise the Apache Tomcat service on servers in order to install web shells. The attackers used Virtual Private Servers (VPS) hosted on Vultr and Telstra as command-and-control (C\u0026C) servers.\r\nBudworm’s main payload continues to be the HyperBro malware family, which is often loaded using a technique known as dynamic-link library (DLL) side-loading. This involves the attackers placing a malicious DLL in a directory where a legitimate DLL is expected to be found. The attacker then runs the legitimate application (having installed it themselves), and the legitimate application loads and executes the payload.\r\nIn recent attacks, Budworm has used the endpoint privilege management software CyberArk Viewfinity to perform side-loading. The binary, which has the default name vf_host.exe, is usually renamed by the attackers in order to masquerade as a more innocuous file. Masqueraded names included securityhealthservice.exe, secu.exe, vfhost.exe, vxhost.exe, vx.exe, and v.exe.\r\nIn some cases, the HyperBro backdoor was loaded with its own HyperBro loader (file names: peloader.exe, 12.exe). 
The loader is designed to load malicious DLLs and encrypt payloads.\r\nWhile HyperBro was frequently used, the attackers also used the PlugX/Korplug Trojan as a payload at times.\r\nOther tools used in recent attacks include:\r\nCobalt Strike: An off-the-shelf tool that can be used to load shellcode onto victim machines. It has legitimate uses as a penetration testing tool but is frequently abused by malicious actors.\r\nLaZagne: A publicly available credential dumping tool.\r\nIOX: A publicly available proxy and port-forwarding tool.\r\nFast Reverse Proxy (FRP): A reverse proxy tool.\r\nFscan: A publicly available intranet scanning tool.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-espionage-us-state\r\nPage 1 of 3\n\nConclusion\r\nBudworm is known for mounting ambitious attacks against high-value targets. While there were frequent reports of Budworm targeting U.S. organizations six to eight years ago, in more recent years the group’s activity appears to have been largely focused on Asia, the Middle East, and Europe. However, this is the second time in recent months that Budworm has been linked to attacks against a U.S.-based target. A recent CISA report on multiple APT groups attacking a defense sector organization mentioned Budworm’s toolset. 
A resumption of attacks against U.S.-based targets could signal a change in focus for the group.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-espionage-us-state",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-espionage-us-state"
	],
	"report_names": [
		"budworm-espionage-us-state"
	],
	"threat_actors": [
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434643,
	"ts_updated_at": 1775792166,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/13df10f1da37a2272d1d7ebdd72f0898a311e046.pdf",
		"text": "https://archive.orkl.eu/13df10f1da37a2272d1d7ebdd72f0898a311e046.txt",
		"img": "https://archive.orkl.eu/13df10f1da37a2272d1d7ebdd72f0898a311e046.jpg"
	}
}