{
	"id": "9e27f271-02ff-4ddc-898d-4de92d6ef07e",
	"created_at": "2026-04-06T00:17:57.840555Z",
	"updated_at": "2026-04-10T03:33:36.906323Z",
	"deleted_at": null,
	"sha1_hash": "13e39e781ae002a15b922c973678664897d03cb7",
	"title": "Webworm: Espionage Attackers Testing and Using Older Modified RATs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61461,
	"plain_text": "Webworm: Espionage Attackers Testing and Using Older Modified RATs\r\nArchived: 2026-04-05 13:12:23 UTC\r\nSymantec, by Broadcom Software, has gained insight into the current activities of a group we call Webworm. The group has developed customized versions of three older remote access Trojans (RATs): Trochilus, Gh0st RAT, and 9002 RAT. At least one of the indicators of compromise (IOCs) observed by Symantec was used in an attack against an IT service provider operating in multiple Asian countries, while others appear to be in pre-deployment or testing stages.\r\nSymantec’s Webworm has links to a group dubbed Space Pirates, which was previously documented in a May 2022 report from Positive Technologies. It is likely that the two groups are one and the same.\r\nActive since at least 2017, Webworm has been known to target government agencies and enterprises involved in IT services, aerospace, and electric power industries located in Russia, Georgia, Mongolia, and a number of other Asian countries.\r\nPrevious research on the group’s activity found that it uses custom loaders hidden behind decoy documents and modified backdoors that have been around for quite some time. This corresponds with recent Webworm activity observed by Symantec.\r\nMalware used by Webworm includes versions of the following threats:\r\nTrochilus RAT\r\nFirst spotted in 2015, Trochilus is a RAT implemented in C++ whose source code is available for download on GitHub. The malware has been used in targeted threat operations by multiple groups and has features that can help it evade sandbox analysis and be useful in cyber-espionage operations. The RAT’s features include, but are not limited to, the ability to remotely uninstall, a file manager, and the ability to download, upload, and execute files.\r\nTrochilus has been previously linked to malware operations from threat actors also using malware such as PlugX and a variant of the 9002 RAT.\r\n9002 RAT\r\nThe 9002 RAT appears to have been in use since at least 2009 and has historically been used by state-sponsored actors. The malware provides attackers with extensive data exfiltration capabilities. Some variants of 9002 RAT inject into memory and do not write to disk, which also applies to the sample analyzed by Symantec.\r\nhttp://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats\r\nPage 1 of 5\r\nThe malware has been used in multiple campaigns by a range of actors, including in a hacking operation targeting several large corporations located in South Korea. The RAT was used to deliver additional malware, including the PlugX RAT, onto compromised machines. It has also been involved in attacks making use of zero-day exploits.\r\nGh0st RAT\r\nWhile the source code for Gh0st RAT was released online in 2008, the malware has continued to be used by advanced persistent threat (APT) groups.\r\nGh0st RAT first made headlines in 2009, when a cyber-espionage group called GhostNet used it to target diplomatic, political, economic, and military targets around the world.\r\nObserved Webworm activity\r\nSymantec observed three malware droppers developed by Webworm:\r\n6201c604ac7b6093dc8f6f12a92f40161508af1ddffa171946b876442a66927e (Trochilus dropper)\r\nb9a0602661013d973bc978d64b7abb6bed20cf0498d0def3acb164f0d303b646 (Trochilus dropper)\r\nc71e0979336615e67006e20b24baafb19d600db94f93e3bf64181478dfc056a8 (Trochilus dropper)\r\nAnalysis of one of the droppers revealed that it drops the following files:\r\n[TEMP]\\Logger.exe (28d78e52420906794e4059a603fa9f22d5d6e4479d91e9046a97318c83998679)\r\n[TEMP]\\sc.cfg (a618b3041935ec3ece269effba5569b610da212b1aa3968e5645f3e37d478536)\r\n[TEMP]\\logexts.dat (a6b9975bfe02432e80c7963147c4011a4f7cdb9baaee4ae8d27aaff7dff79c2b)\r\n[TEMP]\\logexts.dll (a73a4c0aa557241a09e137387537e04ce582c989caa10a6644d4391f00a836ef)\r\n[TEMP]\\logger.dat (10456bc3b5cfd2f1b1ab9c3833022ef52f5e9733d002ab237bdebad09b125024)\r\n[TEMP]\\[RANDOM_DIGITS].doc (d295712185de2e5f8811b0ce7384a04915abdf970ef0f087c294bb00e340afad)\r\nThe legitimate executable Logger.exe is used to call the \"LoadLibraryA\" API in order to load the malicious \"[TEMP]\\logexts.dll\" file.\r\nThe logexts.dll file is a loader. Once run, it checks the process command-line parameters. If the command line is the single parameter \"isdf\", it attempts to steal a token from the \"WINLOGON.EXE\" process. It then starts the following process by calling the CreateProcessAsUserW API:\r\nC:\\ProgramData\\Logger\\Logger.exe mdkv\r\nOtherwise, it constructs the pathname of the second stage from the path of its own running executable, replacing the last three characters with the hardcoded \"dat\" (resulting in \"Logger.dat\"). It then reads and executes the second stage as shellcode.\r\nThe second stage (\"Logger.dat\") likewise constructs the pathname of the third stage from the path of its own running executable, combining the directory part with the hardcoded \"logexts.dat\". Finally, it reads and executes the third stage.\r\nThe logexts.dat file is obfuscated and includes several User Account Control (UAC) bypasses. It attempts to copy the previously dropped files to the following new locations:\r\n[Temp]\\Logger.exe to C:\\ProgramData\\Logger\\Logger.exe\r\n[Temp]\\Logger.dat to C:\\ProgramData\\Logger\\logger.dat\r\n[Temp]\\logexts.dll to C:\\ProgramData\\Logger\\logexts.dll\r\n[Temp]\\logexts.dat to C:\\ProgramData\\Logger\\logexts.dat\r\n[Temp]\\sc.cfg to C:\\ProgramData\\Logger\\sc.cfg\r\nThen the file unpacks and executes in memory its backdoor payload, a variant of the Trochilus RAT (e69177e58b65dd21e0bbe4f6caf66604f120e0c835f3ee0d16a45858f5fe9d90).\r\nThe Trochilus modifications include functionality to load its configuration from a file by checking the following locations (in order of preference):\r\nC:\\ProgramData\\Logger\\sc.cfg\r\nC:\\ProgramData\\resmon.resmoncfg\r\nC:\\ProgramData\\appsoft\\resmon.resmoncfg\r\nThe content of the configuration file is decompressed using the Lempel–Ziv–Welch (LZW) algorithm. Interestingly, one of the locations listed above (“C:\\ProgramData\\resmon.resmoncfg”) is mentioned in third-party research detailing previous Space Pirates (Webworm) activity.\r\nThe malware then injects into svchost.exe with the ability to:\r\nExecute commands\r\nDownload potentially malicious files\r\nFurther investigation by Symantec found that droppers sharing a similar structure to the one used to deploy the version of Trochilus RAT modified by Webworm were also used to deploy two additional modified versions of Gh0st RAT and 9002 RAT. Some code modifications made to the variant of Trochilus RAT were also present in the two additional retooled RATs. The additional RATs included:\r\nGh0st RAT:\r\n1e725f1fe67d1a596c9677df69ef5b1b2c29903e84d7b08284f0a767aedcc097 (Dropper)\r\nb0a58c6c859833eb6fb1c7d8cb0c5875ab42be727996bcc20b17dd8ad0058ffa (Shellcode loader)\r\n1CC32C7F2C90A558BA5FF6BA191E655B20D7C65C10AF0D5D06820A28C2947EFD (Shellcode loader)\r\n9002 RAT:\r\n6e46054aa9fd5992a7398e0feee894d5887e70373ca5987fc56cd4c0d28f26a1 (Dropper)\r\n37fa5108db1ae73475911a5558fba423ef6eee2cf3132e35d3918b9073aeecc1 (Packed backdoor)\r\nChanges made by Webworm to this version of 9002 RAT are apparently intended to evade detection. For example, details of the RAT’s communication protocol, such as its encryption, have also been modified by the threat actors.\r\nGh0st RAT (BH_A006) was documented in third-party research detailing previous Webworm (Space Pirates) activity. In that research, the version of Gh0st RAT included features such as layers of obfuscation to bypass security protections and hinder analysis, network service creation, UAC bypassing, and shellcode unpacking and launching in memory. Some of these features were also present in the version of the RAT being prepared by Webworm.\r\nConclusion\r\nWebworm’s use of customized versions of older, and in some cases open-source, malware, as well as code overlaps with the group known as Space Pirates, suggests that they may be the same threat group. However, the common use of these types of tools and the exchange of tools between groups in this region can obscure the traces of distinct threat groups, which is likely one of the reasons why this approach is adopted. Another is cost, as developing sophisticated malware can be expensive in terms of both money and time.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIOCs\r\nSource: http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats"
	],
	"report_names": [
		"webworm-espionage-rats"
	],
	"threat_actors": [
		{
			"id": "536ca49a-2666-4005-8a50-e552fc7e16ef",
			"created_at": "2023-11-21T02:00:07.375813Z",
			"updated_at": "2026-04-10T02:00:03.471967Z",
			"deleted_at": null,
			"main_name": "Webworm",
			"aliases": [
				"Space Pirates"
			],
			"source_name": "MISPGALAXY:Webworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3cc6c262-df23-4075-a93f-b496e8908eb2",
			"created_at": "2022-10-25T16:07:23.682239Z",
			"updated_at": "2026-04-10T02:00:04.708878Z",
			"deleted_at": null,
			"main_name": "GhostNet",
			"aliases": [
				"GhostNet",
				"Snooping Dragon"
			],
			"source_name": "ETDA:GhostNet",
			"tools": [
				"AngryRebel",
				"Farfli",
				"Gh0st RAT",
				"Gh0stnet",
				"Ghost RAT",
				"Ghostnet",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Remosh",
				"TOM-Skype"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e91dae30-a513-4fb1-aace-4457466313b3",
			"created_at": "2023-01-06T13:46:38.974913Z",
			"updated_at": "2026-04-10T02:00:03.168521Z",
			"deleted_at": null,
			"main_name": "GhostNet",
			"aliases": [
				"Snooping Dragon"
			],
			"source_name": "MISPGALAXY:GhostNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8e385d36-06a2-4294-b3d3-01fe8e9d95f4",
			"created_at": "2022-10-25T16:07:24.219051Z",
			"updated_at": "2026-04-10T02:00:04.902017Z",
			"deleted_at": null,
			"main_name": "Space Pirates",
			"aliases": [
				"Erudite Mogwai",
				"Webworm"
			],
			"source_name": "ETDA:Space Pirates",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"BH_A006",
				"Chymine",
				"Darkmoon",
				"Deed RAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"MyKLoadClient",
				"Mydoor",
				"PCRat",
				"PCShare",
				"POISONPLUG.SHADOW",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SnappyBee",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434677,
	"ts_updated_at": 1775792016,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/13e39e781ae002a15b922c973678664897d03cb7.pdf",
		"text": "https://archive.orkl.eu/13e39e781ae002a15b922c973678664897d03cb7.txt",
		"img": "https://archive.orkl.eu/13e39e781ae002a15b922c973678664897d03cb7.jpg"
	}
}