{
	"id": "10617314-3d17-42a4-965a-539eaba006eb",
	"created_at": "2026-04-06T00:11:59.756424Z",
	"updated_at": "2026-04-10T13:12:19.685678Z",
	"deleted_at": null,
	"sha1_hash": "1462fbf6ec95a7af225c762507eac744ab78599f",
	"title": "Update to the REF2924 intrusion set and related campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1704379,
	"plain_text": "Update to the REF2924 intrusion set and related campaigns\r\nBy Salim Bitam, Remco Sprooten, Cyril François, Andrew Pease, Devon Kerr, Seth Goodwin\r\nPublished: 2023-02-07 · Archived: 2026-04-05 16:26:54 UTC\r\nKey takeaways\r\nDOORME is a malicious IIS module that provides remote access to a contested network.\r\nSIESTAGRAPH interacts with Microsoft’s GraphAPI for command and control using Outlook and\r\nOneDrive.\r\nSHADOWPAD is a backdoor that has been used in multiple campaigns attributed to a regional threat group\r\nwith non-monetary motivations.\r\nREF2924 analytic update incorporating third-party and previously undisclosed incidents linking the\r\nREF2924 adversary to Winnti Group and ChamelGang along technical, tactical, and victim targeting lines.\r\nPreamble\r\nThis research highlights the capabilities and observations of the two backdoors, named \"DOORME\" and\r\n\"SIESTAGRAPH\", and a backdoor called “SHADOWPAD” that was disclosed by Elastic in December of 2022.\r\nDOORME is an IIS (Internet Information Services) backdoor module, which is deployed to web servers running\r\nthe IIS software. SIESTAGRAPH is a .NET backdoor that leverages the Microsoft Graph interface, a collection of\r\nAPIs for accessing various Microsoft services. SHADOWPAD is an actively developed and maintained modular\r\nremote access toolkit.\r\nDOORME, SIESTAGRAPH, and SHADOWPAD each implement different functions that can be used to gain and\r\nmaintain unauthorized access to an environment. The exact details of these functionalities will be described in\r\nfurther detail in this research publication. It is important to note that these backdoors can be used to steal sensitive\r\ninformation, disrupt operations, and gain a persistent presence in a victim environment.\r\nAdditionally, we will discuss the relationships between REF2924 and three other intrusions carried out by the\r\nsame threat group, intrusion set, or both. 
These associations are made using first-party observations and third-party reporting. They have allowed us to state with moderate confidence that SIESTAGRAPH, DOORME,\r\nSHADOWPAD, and other elements of REF2924 are attributed to a regional threat group with non-monetary\r\nmotivations.\r\nAdditional information on the REF2924 intrusion set\r\nFor additional information on this intrusion set,\r\nwhich includes our initial disclosure as well as information on the campaign targeting the Foreign\r\nMinistry of an ASEAN member state, check out our previous research into REF2924.\r\nDOORME code analysis\r\nIntroduction to backdoored IIS modules\r\nhttps://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns\r\nPage 1 of 26\n\nIIS, developed by Microsoft, is an extensible web server software suite that serves as a platform for hosting\r\nwebsites and server-side applications within the Windows environment. With version 7.0, Microsoft has equipped\r\nIIS with a modular architecture that allows for the dynamic inclusion or exclusion of modules to suit various\r\nfunctional requirements. These modules correspond to specific features that the server can utilize to handle\r\nincoming requests.\r\nAs an example, a backdoored module that overrides the OnGlobalPreBeginRequest event can be used to perform\r\nvarious malicious activities - such as capturing sensitive user information submitted to webpages, injecting\r\nmalicious code into content served to visitors, or providing the attacker remote access to the web server. It is\r\npossible that a malicious module could intercept and modify a request before it is passed on to the server, adding\r\nan HTTP header or query string parameter that includes malicious code. 
When the server processes that modified\r\nrequest, the malicious code might be executed, allowing the attacker to gain unauthorized access or control the\r\nserver and its resources.\r\nAdding to the danger of IIS backdoors is that they can be stealthy, and organizations may not be aware that they\r\nhave been compromised. Many companies do not have the resources or expertise to regularly monitor and test\r\ntheir IIS modules for vulnerabilities and malicious code, which can make it difficult to detect and remediate\r\nbackdoors. To mitigate these risks, organizations should maintain a comprehensive inventory of all IIS modules\r\nand implement network and endpoint protection solutions to help detect and respond to malicious activities.\r\nElastic Security Labs has seen increased use of this persistence mechanism coupled with defense evasions, which\r\nmay disproportionately impact those hosting on-premises servers running IIS.\r\nIntroduction to the DOORME IIS module\r\nDOORME is a native backdoor module that is loaded into a victim's IIS infrastructure and used to provide remote\r\naccess to the target infrastructure. We first discussed the DOORME sample that we observed targeting the Foreign\r\nMinistry of an ASEAN member nation in December of 2022.\r\nDOORME uses the RegisterModule function, which is an export of a malicious C++ DLL module and is\r\nresponsible for loading the module and setting up event handler methods. It also dynamically resolves API\r\nlibraries that will be used later. The main functionality of the backdoor is implemented in the\r\nCGlobalModule class and its event handler, OnGlobalPreBeginRequest. This event handler is overridden by\r\nDOORME, allowing its code to run before a web request enters the IIS pipeline. The core functions of the\r\nbackdoor (including cookie validation, parsing commands, and calling underlying command functions) are all\r\nlocated within this event handler. 
DOORME uses multiple obfuscation methods, an authentication mechanism,\r\nan AES encryption implementation, and a purpose-built series of commands.\r\nThis diagram illustrates the contrast between an attacker attempting to connect to a backdoored IIS server and a\r\nlegitimate user simply trying to access a webpage.\r\nOverview diagram of the DOORME backdoor\r\nObfuscation\r\nString obfuscation\r\nDOORME XOR-encrypts strings to evade detection. These encrypted strings are then stored on the memory stack.\r\nAs the original plaintext is obscured, this string obfuscation makes it more difficult for security software or\r\nresearchers to understand the purpose or meaning of the strings. The malware uses the first byte of every\r\nencrypted blob as the key to XOR-decrypt the rest of the string.\r\nPseudocode showcasing string obfuscation\r\nAnti-disassembly technique\r\nThe malware employs a technique that can cause disassemblers to incorrectly split functions in the code, which\r\nleads to the generation of incorrect assembly graphs. This technique can make it more challenging for analysts to\r\nunderstand the malware's behavior and create an effective defense against it.\r\nGaps in the assembly view of IDA Pro\r\nControl flow obfuscation\r\nThe malware in question also employs a technique known as Control Flow Obfuscation (CFO) to complicate the\r\nanalysis of its behavior. CFO is a technique where the flow of instructions in the code is deliberately manipulated\r\nto make it more difficult for security software and researchers to understand the malware's functionality.\r\nThe malware uses CFO to complicate the analysis process, but it is noteworthy that this technique is not applied to\r\nthe entire codebase. 
From an analysis point of view, this tells us that these strings are of particular importance to\r\nthe malware author - possibly to frustrate specific security tooling. The following example serves as a\r\ndemonstration of how the malware uses CFO to conceal its functionality in the context of stack string XOR\r\ndecryption.\r\nPseudocode showcasing CFO example\r\nDynamic import table resolution obfuscation\r\nDynamic import table resolution is a technique used by malicious software to evade detection by security\r\nsoftware. It involves resolving the names of the Windows APIs that the malware needs to function at runtime,\r\nrather than listing these APIs in the malware's import table.\r\nDOORME first resolves the addresses of the LoadLibraryA and GetProcAddress Windows APIs by parsing the\r\nkernel32.dll module export table, then uses the GetProcAddress function to locate the desired APIs within the\r\nmodules by specifying the name of the API and the name of the DLL module that contains it.\r\nPseudocode showcasing import address table resolution\r\nExecution flow\r\nAuthentication\r\nThe malicious IIS module backdoor operates by looking for the string \"79cfdd0e92b120faadd7eb253eb800d0\"\r\n(the MD5 hash sum of a profane string) in a specific cookie of the incoming HTTP requests; when found, it will\r\nparse the rest of the request.\r\nGET request handling\r\nGET requests are used to perform a status check: the malware returns the string “It works!” followed by the\r\nusername and the hostname of the infected machine. This serves as a means for the malware to confirm its\r\npresence on an infected machine.\r\nGET request to the backdoor using the curl command\r\nPOST request handling\r\nThe backdoor operator sends commands to the malware through HTTP POST requests as data which is both\r\nencrypted and encoded. 
Commands are AES-encrypted and then Base64 encoded, which the DOORME backdoor then\r\ndecodes and decrypts.\r\nBase64 implementation\r\nThe malware's implementation of Base64 uses a different index table from the one defined in the Base64\r\nRFC. The specific index table used by the malware is\r\n\"VZkW6UKaPY8JR0bnMmzI4ugtCxsX2ejiE5q/9OH3vhfw1D+lQopdABTLrcNFGSy7\", while the normal\r\nindex table used by the Base64 algorithm is\r\n\"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\". This deviation\r\nfrom the standard index table makes it more difficult to decode the encoded data and highlights additional custom\r\nobfuscation techniques by the DOORME malware author in an attempt to frustrate analysis.\r\nAES algorithm implementation\r\nThe malware uses AES (Advanced Encryption Standard) in CBC (Cipher Block Chaining) mode to encrypt and\r\ndecrypt data. It uses the MD5 hash of the first 16 bytes of the authentication hash\r\n\"79cfdd0e92b120faadd7eb253eb800d0\" as the AES key. The initialization vector (IV) of the algorithm is the\r\nMD5 hash of the AES key.\r\nIn our case the AES key is “5a430ab45c7e142c70018b99fe0d2da3” and the AES IV is “57ce15b304a97772”.\r\nCommand handling table\r\nThe backdoor is capable of executing four different commands, each with its own set of parameters. To specify\r\nwhich command to run and pass the necessary parameters, the operators of the backdoor use a specific syntax. The\r\ncommand ID and its parameters are separated by the \"pipe\" symbol (|).\r\nCommand ID 0x42\r\nThe first command implemented has the ID 0x42 and generates a Globally Unique Identifier (GUID) by calling\r\nthe API CoCreateGuid. 
The GUID identifies the infected machine, which helps the attacker track infected machines and\r\nfocus on specific high-value environments.\r\nPseudocode generating the GUID\r\nCommand ID 0x43\r\nAnother command, ID 0x43, is particularly noteworthy as it allows the attacker to execute shellcode in the\r\nmemory of the same process. This functionality is achieved by utilizing the Windows native functions\r\nNtAllocateVirtualMemory and NtCreateThreadEx.\r\nThe NtAllocateVirtualMemory function is used to allocate memory in the same process for shellcode, while the\r\nNtCreateThreadEx function creates an execution thread with shellcode in that newly-allocated memory.\r\nPseudocode of self-shellcode injection\r\nCommand ID 0x63\r\nCommand ID 0x63 allows the attacker to send a blob of shellcode in chunks, which the malware reassembles to\r\nexecute. It works by sending this command ID with a shellcode chunk as a parameter. Implants can detect that the\r\nshellcode has been fully received when the server communicates a different shellcode size than expected. This\r\napproach allows the malware to handle large shellcode objects with minimal validation.\r\nCommand ID 0x44\r\nCommand ID 0x44 provides a means of interacting with the shellcode being executed on the infected system. The\r\nattacker can send input to the shellcode and retrieve its output via a named pipe. This allows the attacker to control\r\nthe execution of the shellcode and receive feedback, which may help to capture the output of tools deployed in the\r\nenvironment via the DOORME implant.\r\nDOORME Summary\r\nIn summary, DOORME provides a dangerous capability allowing attackers to gain unauthorized access to the\r\ninternal network of victims through an internet-facing IIS web server. 
It includes multiple obfuscation techniques\r\nto evade detection, as well as the ability to execute additional malware and tools. Malware authors are\r\nincreasingly leveraging IIS modules as covert backdoors that hide deep within the system. To protect against these threats,\r\nit is important to continuously monitor IIS servers for any suspicious activity, processes spawned from the IIS\r\nworker process (w3wp.exe), and the creation of new executables.\r\nSIESTAGRAPH code analysis\r\nIntroduction to the SIESTAGRAPH implant\r\nThe implant utilizes the Microsoft Graph API to access Microsoft 365 Mail and OneDrive for its C2\r\ncommunication. It uses a predetermined tenant identifier and a refresh token to obtain access tokens. The implant\r\nuses the legitimate OneDriveAPI library, which simplifies the process of interacting with the Microsoft API and\r\nallows for efficient management of access and refresh tokens. The implant leverages sleep timers in multiple\r\nlocations as a defense evasion technique. This led to the implant’s name: SIESTAGRAPH.\r\nOverview diagram of the SIESTAGRAPH implant\r\nExecution flow\r\nSIESTAGRAPH starts and enters its main function, which will set up the needed parameters to access Microsoft\r\nGraphAPI by requesting an access token based on a hard coded refresh token.\r\nInitial setup of SIESTAGRAPH\r\nDuring the setup phase the malware uses the Microsoft Office GUID (d3590ed6-52b3-4102-aeff-aad2292ab01c). 
This is needed to supply access to both Microsoft 365 Mail and OneDrive.\r\nRequest an authentication token\r\nAuthentication\r\nThe SIESTAGRAPH author utilized a pre-determined tenant identifier and a refresh token to obtain access tokens.\r\nBoth of these elements are essential in making a request for an access token. It is important to note that access\r\ntokens possess a limited lifespan; however, the refresh token can be utilized to request new access tokens as\r\nnecessary.\r\nHard coded tenant and refresh tokens\r\nTo facilitate this process, the attacker utilized a third-party and legitimate library named OneDriveAPI. This\r\nlibrary simplifies the process of interacting with the Microsoft API and allows for efficient management of access\r\nand refresh tokens. It should be noted that although third-party libraries such as OneDriveAPI provide a\r\nconvenient way to interact with APIs, they are not themselves malicious, even when abused by malware.\r\nUse of third-party libraries\r\nThe malware utilizes the GetAccessTokenFromRefreshToken method to request an authentication token. This\r\ntoken is then used in all subsequent API requests.\r\nRefresh tokens have a 90-day expiration window. So while the access token was being used by the Graph API for\r\nC2, the refresh token, which is needed to generate new access tokens, was not used within the expiration window.\r\nThe refresh token was generated on 2022-11-01T03:03:44.3138133Z and expired on\r\n2023-01-30T03:03:44.3138133Z. This means that a new refresh token will be needed before a new access token can be\r\ngenerated. 
As the refresh token is hard coded into the malware, we can expect SIESTAGRAPH to be updated with\r\na new refresh token if it is intended to be used in the future.\r\nCommand and control\r\nA session token (sessionToken) is created by concatenating the process ID, machine name, username, and\r\noperating system. The session token is later used to retrieve commands intended for this specific implant.\r\nDefining the session token\r\nAfter obtaining authentication and session tokens, the malware collects system information and exfiltrates it using\r\na method called sendSession.\r\nInspecting the sendSession method, we see that it creates an email message and saves it as a draft. Using draft\r\nmessages is common C2 tradecraft as a way to avoid email interception and inspection.\r\nThe sendMessage method\r\nAfter sending the session information to the attacker, the implant enters a loop in which it will check for new\r\ncommands. By default, this beaconing interval is every 5 seconds; however, this can be adjusted by the attacker at\r\nany time.\r\nTo receive a command, the implant uses the getMessages method to check for any draft emails with\r\ncommands from the attacker.\r\nThe getMessage method\r\nWith every call that contacts the Graph API, SIESTAGRAPH will receive the current authentication token\r\n(authToken). This token is then sent in the HTTP Authorization header as a bearer token\r\n(“Authorization”, “Bearer ” + authToken).\r\nEvery call to this method will contain the sessionToken, a command, and command arguments, separated with\r\ncolons (:) (\u003csessionToken\u003e:\u003cCommand\u003e:\u003ccommand arguments\u003e).\r\nIf a command has multiple arguments, they will be split by a pipe (|). 
An example of this is the rename command,\r\nwhere the source and destination names are split by a pipe.\r\nUsing a pipe for separating arguments\r\nWe have identified the following commands:\r\nCommand text Description\r\nC Run a command\r\nN Update the amount of time the binary will sleep between check-ins\r\nD Upload a file to OneDrive\r\nU Download an item from OneDrive\r\nUU Check to see if Core.bin exists, then download an item from OneDrive\r\nListDrives Send a list of the logical drives\r\nGetDirectories Send a list of given subdirectories\r\nGetFiles Send a list of files in a given directory\r\nDel Delete a given file\r\nRename Rename a given file or directory\r\nP Get a list of running processes\r\nE End the execution of the binary\r\nK Kill a given process ID\r\nS Update the amount of time the binary will sleep between check-ins (same as N)\r\nNET Get network information\r\nSS Take a screenshot\r\nSeveral commands are self-explanatory (ListDrives, Rename, etc.); however, the run command, update sleep\r\ntimer, upload and download files, and take screenshot commands are more interesting and can provide a better understanding\r\nof the capabilities of SIESTAGRAPH.\r\nC - run command\r\nWhen the C command is received, the malware runs the runCommand method. This method takes in the name of\r\ncmd.exe, the command line to run, and the number of milliseconds to wait for the new process to exit.\r\nIf the command parameter is not null or empty, the method proceeds to create a new instance of the\r\nSystem.Diagnostics.Process class, which is used to start and interact with a new process. 
It sets the properties of\r\nthe process instance's StartInfo property, which is of the ProcessStartInfo class, such as the FileName property\r\nto the cmd parameter passed to the method, the Arguments property to /c concatenated with the command\r\nparameter, and also sets the UseShellExecute, RedirectStandardInput, RedirectStandardOutput,\r\nRedirectStandardError, and CreateNoWindow properties. As this method is only called with the hard coded\r\nvalue of cmd for the cmd parameter, the resulting command will always be cmd /c \u003ccommand to run\u003e. This is a\r\ncommon way to run commands if one does not have direct access to an interactive shell.\r\nThe runCommand method\r\nN - Sleep timer update\r\nThe sleep command is a single instruction. If the argument for the command is larger than 1000, the value for the\r\nSleepTimer variable is updated. This variable is later used to determine how long the process will sleep in\r\nbetween check-ins.\r\nUpdating the SleepTimer\r\nD - Upload to OneDrive\r\nThe D command is named from the attacker’s perspective, so while they’re “downloading” from OneDrive, the\r\nhost is “uploading” to OneDrive.\r\nThe method receives a filePath, and the authentication and session tokens. It will then upload the requested file to\r\nOneDrive. If the file is successfully uploaded, a response message is sent to the attacker using the format\r\nOK|C:\\foo\\file.txt.\r\nIf the upload did not succeed, the attacker will receive the error message OK|\u003cError message\u003e.\r\nWhile this method might seem simple, it helps to avoid detection by using common libraries while achieving the\r\ngoal of exfiltrating data from the victim. 
While unconfirmed, this could be how the exported Exchange mailboxes\r\nwere collected by the threat actor.\r\nThe uploadFile method\r\nU - Download from OneDrive\r\nThe download function is similar to the upload function. Again, from the attacker's perspective, the U command\r\nstands for upload, as the file is downloaded from OneDrive by the implant but uploaded by the attacker.\r\nNET - Gather network information\r\nThe NET command will gather network information and send it back to the attacker. In order to gather the\r\ninformation, the binary first resolves two functions from two DLLs: Ws2_32.dll (the Windows socket API) and\r\niphlpapi.dll (the Windows IP helper API).\r\nResolve functions from Ws2_32.dll and iphlpapi.dll\r\nThe NET command gathers information about open TCP connections from the system's TCP table. It then loops\r\nover all open connections and stores the information in an array that is sent back to the attacker. This code helps\r\nthe attacker to get a better insight into the system's purpose within the network. As an example, if there are open\r\nconnections for ports 587, 993, and 995, the host could be a Microsoft Exchange server.\r\nSS - Take screenshot\r\nTo see the victim's desktop, SIESTAGRAPH can call the method named TakeScreenShot, which takes a\r\nscreenshot of the primary monitor and returns the screenshot as a Base64 encoded string.\r\nThe TakeScreenShot method\r\nThis function creates a new Bitmap object with the width and height of the primary screen's bounds. 
Then it\r\ncreates a new Graphics object from the Bitmap object and uses the CopyFromScreen function to take a\r\nscreenshot and copy it to the Graphics object.\r\nIt then creates a new MemoryStream object and uses the Save method of the Bitmap object to save the\r\nscreenshot as a PNG image into the memory stream. The image in the memory stream is then converted to a\r\nBase64 encoded string using the Convert.ToBase64String method. The resulting Base64 string is then sent back\r\nto the attacker by saving it as an email draft.\r\nSIESTAGRAPH Summary\r\nSIESTAGRAPH is a purpose-built and full-featured implant that acts as a proxy for the threat actor. What makes\r\nSIESTAGRAPH more than a generic implant is that it uses legitimate and common, but adversary-controlled,\r\ninfrastructure to deliver remote capabilities on the infected host.\r\nSHADOWPAD loader code analysis\r\nIntroduction to log.dll\r\nWhen Elastic Security Labs disclosed REF2924 in December of 2022, we observed an unknown DLL. We have\r\nsince collected and analyzed the DLL, concluding it is a loader for the SHADOWPAD malware family.\r\nThe DLL, log.dll, was observed on two Domain Controllers and was being side-loaded by an 11-year-old version\r\nof the Bitdefender Crash Handler (compiled name: BDReinit.exe), named 13802 AR.exe (in our example). Once\r\nexecuted, SHADOWPAD copies itself to C:\\ProgramData\\OfficeDriver as svchost.exe before installing itself\r\nas a service. Once log.dll is loaded, it will spawn Microsoft Windows Media Player (wmplayer.exe) and\r\ndllhost.exe, injecting into them, which triggers a memory shellcode detection for Elastic Defend.\r\nAt runtime, log.dll looks for the log.dll.dat file, which contains the shellcode to be executed. Then log.dll will\r\nencrypt and store the shellcode in the registry and shred the original log.dll.dat file. 
If the file doesn’t exist, it will\r\nskip this part.\r\nThen the sample will load the shellcode from the registry, RWX map it, and execute it from memory. If the\r\nregistry key doesn’t exist, the sample will crash.\r\nExecution flow\r\nOur version of the SHADOWPAD DLL expects to be sideloaded by an 11-year-old and vulnerable version of the\r\nBitDefender BDReinit.exe binary. The offset to the trampoline (jump instructions) in the vulnerable application is\r\nhard coded, which means that the sample is tailored for this exact version of BitDefender’s binary\r\n(386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd). This side-loading behavior was\r\npreviously reported by Positive Technologies.\r\nlog.dll’s hard coded offsets to BDReinit.exe\r\nFor our analysis, we patched log.dll to execute without the BitDefender sideloading requirement.\r\nCapabilities\r\nObfuscation\r\nlog.dll uses two lure functions to bypass automatic analysis.\r\nWe define lure functions as benign and not related to malware capabilities, but intended to evade defenses,\r\nobfuscate the true capabilities of the malware, and frustrate analysis. 
They may trick time-constrained sandbox\r\nanalysis by showcasing benign behavior while exhausting the analysis interval of the sandbox.\r\nlog.dll’s lure functions\r\nlog.dll incorporates a code-scattering obfuscation technique to frustrate static analysis; however, this doesn't\r\nprotect the binary from dynamic analysis.\r\nThis technique involves fragmenting the code into gadgets and distributing those gadgets throughout the binary.\r\nEach gadget is implemented as a single instruction followed by a call to a “resolver” function.\r\nObfuscated function prologue 1/2\r\nObfuscated function prologue 2/2\r\nThe resolver function of each call resolves the address of the next gadget and passes execution to it.\r\nResolver function computing the next gadget address\r\nThe obfuscation pattern is simple, and an instruction trace can be used to recover the original instructions:\r\n# trace: list of executed instructions (one string each) captured from a run of log.dll.\r\n# Each resolver ends with a ret into the next gadget, so the instruction that follows\r\n# every ret in the trace is one of the original (un-scattered) instructions.\r\nresult = []\r\nfor i, x in enumerate(trace):\r\n    if \"ret\" in x and i + 1 < len(trace):\r\n        result.append(trace[i + 1])\r\nAPI loading\r\nThe sample uses the common Ldr crawling technique to find the address of kernel32.dll.\r\nSearching for the process module list in the PEB’s Ldr\r\nSearching for kernel32.dll by name in the module list\r\nNext, log.dll parses the exports of kernel32.dll to get the addresses of the LoadLibraryA and GetProcAddress\r\nfunctions. It uses GetProcAddress to resolve imports as needed.\r\nPersistence\r\nThe sample expects to find a file called log.dll.dat in its root directory using the FindFirstFile and FindNextFile\r\nAPIs. 
Once log.dll.dat is located, it is loaded, encrypted, and stored in the registry under the\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{1845df8d-241a-a0e4-02ea341a79878897}\\D752E7A8} registry value.\r\nThis registry value seems to be hard coded. If the file isn't found and the hard coded registry key doesn’t exist, the\r\napplication crashes.\r\nPayload is stored encrypted in the registry\r\nOnce the contents of log.dll.dat have been encrypted and embedded in the registry, the original file will be\r\ndeleted. On subsequent runs, the shellcode will be loaded directly from the registry key.\r\nShellcode\r\nTo execute the shellcode, the sample will allocate an RWX-protected memory region using the VirtualAlloc\r\nWindows API, then write the shellcode to the memory region and pass execution to it with an indirect call through the ESI register.\r\nlog.dll allocates RWX memory for the shellcode\r\nlog.dll passes execution to the shellcode\r\nFirst instruction of the shellcode\r\nOther SHADOWPAD research\r\nWhile researching shared code and techniques, Elastic Security Labs identified a publication from SecureWorks’\r\nCTU that describes the BitDefender sideload vulnerability. Additionally, SecureWorks has shared information\r\ndescribing the functionality of a file, log.dll.dat, which is consistent with our observations. 
The team at Positive\r\nTechnologies ETC also published detailed research on SHADOWPAD which aligns with our research.\r\nSHADOWPAD Summary\r\nSHADOWPAD is a malware family that SecureWorks CTU has associated with the BRONZE UNIVERSITY\r\nthreat group and Positive Technologies ETC has associated with the Winnti group.\r\nCampaign and adversary modeling\r\nOur analysis of Elastic telemetry, combined with open sources and compared with third-party reporting, concludes\r\na single nationally-aligned threat group is likely responsible. We identified relationships involving shared\r\nmalware, techniques, victimology, and observed adversary priorities. Our confidence assessments vary depending\r\non the sourcing and collection fidelity.\r\nWe identified significant overlaps in the work of Positive Technologies ETC and SecureWorks CTU while\r\nresearching the DOORME, SIESTAGRAPH, and SHADOWPAD implants, and believe these are related activity\r\nclusters.\r\nREF2924 intersections and associations\r\nIn the following analysis, we’ll discuss the four campaigns that we associate with this intrusion set including\r\nsourcing, intersections, and how each supported our attribution across all campaigns.\r\n1. Winnti - reported by Positive Technologies, January 2021\r\n2. Undisclosed REF, Winnti - observed by Elastic Security Labs, March 2022\r\n3. REF2924, ChamelGang, Winnti - reported by Elastic Security Labs, December 2022\r\n4. 
Undisclosed REF, ChamelGang - observed by Elastic Security Labs, December 2022\r\nWinnti\r\nIn January of 2021, the team at Positive Technologies ETC published research that overlapped with our\r\nobservations for REF2924; specifically SHADOWPAD malware deployed with the file names log.dll and\r\nlog.dll.dat and using the same sample of BitDefender we observed as a DLL injection vehicle.\r\nWhile the research from Positive Technologies ETC covered a different activity cluster, the adversary deployed a\r\nsimilar variant of SHADOWPAD, used a similar file naming methodology, and leveraged similar procedure-level\r\ncapabilities; these consistencies contribute to our conclusion that REF2924 is related. In the graphic above, we use\r\na dashed line to represent third-party consensus and moderate confidence because, while the reporting appears\r\nthorough and sound, we cannot independently validate all findings.\r\nUndisclosed REF, Winnti\r\nIn early 2022, Elastic observed a short-lived intrusion into a telecommunications provider in Afghanistan. Using\r\ncode analysis and event sampling, we internally attributed these sightings to WINNTI malware implants and\r\nexternal research overlaps with the Winnti Group. We continue to track this intrusion set, independently of and in\r\nrelation to REF2924 observations.\r\nREF2924, ChamelGang, Winnti\r\nhttps://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns\r\nPage 20 of 26\n\nIn early December 2022, we observed Powershell commands used to collect and export mailboxes from an\r\ninternet-connected Microsoft Exchange server for the Foreign Affairs Office of an Association of Southeast Asian\r\nNations (ASEAN) member. 
Our research identified the presence of the DOORME backdoor, SHADOWPAD, and\r\na new malware implant we call SIESTAGRAPH (discussed in the SIESTAGRAPH code analysis section above).\r\nIn researching the events of REF2924, we believe they are consistent with details noted by Positive Technologies'\r\nresearch into ChamelGang, and likely represent the actions of one group with shared goals.\r\nUndisclosed REF, ChamelGang\r\nUsing the DOORME IIS backdoor that we collected during research into REF2924, we developed a scanner that\r\nidentified the presence of DOORME on an internet-connected Exchange server at a second telecommunications\r\nprovider in Afghanistan.\r\nCampaign associations\r\nBuilding associations between events, especially when relying on third-party reporting, is a delicate balance\r\nbetween surfacing value from specific observations and suppressing noise from circular reporting. Details reported\r\nby research teams and consisting of atomic indicators, techniques, procedures, and capabilities provide\r\ntremendous value in spotting associations between activity clusters. Elements of evidence that are repeated\r\nmultiple times via circular reporting can lead to over-weighting that evidence. In analyzing these activity clusters,\r\nwe have specific observations from our telemetry (host artifacts, capabilities, functionality, and adversary\r\ntechniques) and third-party reporting consistent with our findings.\r\nWe use third-party reporting as supporting, but not factual, evidence to add context to our specific observations. It\r\nmay be possible to verify a third-party had firsthand visibility of a threat, but that’s a rare luxury. 
We used\r\nestimative language in building associations where appropriate.\r\nTo uncover potential associations among these campaigns, we weighed host artifacts, tools, and TTPs more\r\nheavily than transitory atomic indicators like hashes, IP addresses, and domains.\r\nWe’ll discuss notable (non-exhaustive) overlaps in the following section.\r\nCampaigns 1 and 3\r\nCampaigns 1 (Winnti) and 3 (REF2924, ChamelGang, Winnti) are related by several elements: the use of the\r\nSHADOWPAD malware family, the specific file names ( log.dll and log.dll.dat ), and the injection technique\r\nusing the same BitDefender hash.\r\nCampaigns 3 and 4\r\nCampaigns 3 (REF2924, ChamelGang, Winnti) and 4 (Undisclosed REF, ChamelGang) are related by the\r\npresence of a specifically configured DOORME backdoor and a shared national strategic interest for the\r\nadversary.\r\nhttps://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns\r\nPage 21 of 26\n\nUsing network scan results for about 180k publicly-accessible Exchange servers, and specific authentication\r\nelements uncovered while reverse engineering REF2924’s DOORME sample, we were able to identify an\r\nidentical DOORME configuration at a second telecommunications provider in Afghanistan. This was a different\r\nvictim than Campaign 2 (Undisclosed REF, Winnti).\r\nWhile the DOORME IIS backdoor is not widely prevalent, simply having DOORME in your environment isn’t a\r\nstrong enough data point to build an association. The presence of this DOORME configuration, when compared to\r\na search of 180k other Exchange servers and the moderate confidence of the national strategic interests, led us to\r\nassociate Campaigns 3 and 4 together with high confidence and that Campaign 4 was also a part of the same threat\r\ngroup.\r\nSummary\r\nDOORME allows for a threat actor to access a targeted network through the use of a backdoored IIS module on an\r\ninternet-connected server. 
DOORME includes the capability to collect information about the infected host, upload\r\nshellcode chunks to evade detection, and execute shellcode in memory.\r\nSIESTAGRAPH is an implant discovered by Elastic Security Labs that uses the Microsoft Graph API for\r\ncommand and control. The Graph API is used for interacting with Microsoft Office 365, so C2 communication\r\nwould be largely masked by legitimate network traffic. Elastic Security Labs has reported the tenant ID hard\r\ncoded into SIESTAGRAPH to Microsoft.\r\nBased on our code analysis and the limited internet presence of DOORME and SIESTAGRAPH, we believe that\r\nthis intrusion set is used by a limited distribution, or singular, threat actor.\r\nSHADOWPAD is a modular malware family that is used as a way to load and execute shellcode onto a victim\r\nsystem. While it has been tracked since 2017, SHADOWPAD continues to be a capable and popular remote access\r\nand persistence tool.\r\nThe REF2924 intrusion set, using SIESTAGRAPH, DOORME, SHADOWPAD, and the system binary proxy\r\nexecution technique (among others) represents an attack group that appears focused on priorities that, when\r\nobserved across campaigns, align with a sponsored national strategic interest.\r\nDetections\r\nHunting queries\r\nHunting queries are used as a starting point for potentially malicious events, but because every environment is\r\ndifferent, an investigation should be completed.\r\nThe following KQL query can be used to hunt for additional behaviors related to SIESTAGRAPH. 
This query\r\nlooks for processes that are making DNS queries to graph.microsoft.com where the process does not have a\r\ntrusted code-signing certificate or the process is not signed by Microsoft.\r\ndns.question.name : \"graph.microsoft.com\" and (process.code_signature.trusted : “false” or not (process.code_si\r\nhttps://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns\r\nPage 22 of 26\n\nSignatures\r\nWindows.Trojan.DoorMe\r\nWindows.Trojan.SiestaGraph\r\nWindows.Trojan.ShadowPad\r\nYARA rules\r\nThe DOORME IIS module\r\nrule Windows_Trojan_DoorMe {\r\n meta:\r\n author = \"Elastic Security\"\r\n creation_date = \"2022-12-09\"\r\n last_modified = \"2022-12-15\"\r\n os = \"Windows\"\r\n arch = \"x86\"\r\n category_type = \"Trojan\"\r\n family = \"DoorMe\"\r\n threat_name = \"Windows.Trojan.DoorMe\"\r\n license = \"Elastic License v2\"\r\n strings:\r\n $seq_aes_crypto = { 8B 6C 24 ?? C1 E5 ?? 8B 5C 24 ?? 8D 34 9D ?? ?? ?? ?? 0F B6 04 31 32 44 24 ?? 88 04\r\n $seq_copy_str = { 48 8B 44 24 ?? 48 89 58 ?? 48 89 F1 4C 89 F2 49 89 D8 E8 ?? ?? ?? ?? C6 04 1E ?? }\r\n $seq_md5 = { 89 F8 44 21 C8 44 89 C9 F7 D1 21 F1 44 01 C0 01 C8 44 8B AC 24 ?? ?? ?? ?? 8B 9C 24 ?? ?? ?\r\n $seq_calc_key = { 31 FF 48 8D 1D ?? ?? ?? ?? 48 83 FF ?? 4C 89 F8 77 ?? 41 0F B6 34 3E 48 89 F1 48 C1 E9\r\n $seq_base64 = { 8A 45 ?? 8A 4D ?? C0 E0 ?? 89 CA C0 EA ?? 80 E2 ?? 08 C2 88 55 ?? C0 E1 ?? 8A 45 ?? 
C0 E\r\n $str_0 = \".?AVDoorme@@\" ascii fullword\r\n condition:\r\n 3 of ($seq*) or 1 of ($str*)\r\n}\r\nThe SIESTAGRAPH implant\r\nrule Windows_Trojan_SiestaGraph {\r\n meta:\r\n author = \"Elastic Security\"\r\n creation_date = \"2022-12-14\"\r\n last_modified = \"2022-12-15\"\r\n os = \"windows\"\r\n arch_context = \"x86\"\r\n category_type = “Trojan”\r\n family = “SiestaGraph”\r\n threat_name = \"Windows.Trojan.SiestaGraph\"\r\n license = \"Elastic License v2\"\r\nhttps://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns\r\nPage 23 of 26\n\nstrings:\r\n $a1 = \"downloadAsync\" ascii nocase fullword\r\n $a2 = \"UploadxAsync\" ascii nocase fullword\r\n $a3 = \"GetAllDriveRootChildren\" ascii fullword\r\n $a4 = \"GetDriveRoot\" ascii fullword\r\n $a5 = \"sendsession\" wide fullword\r\n $b1 = \"ListDrives\" wide fullword\r\n $b2 = \"Del OK\" wide fullword\r\n $b3 = \"createEmailDraft\" ascii fullword\r\n $b4 = \"delMail\" ascii fullword\r\n condition:\r\n all of ($a*) and 2 of ($b*)\r\n}\r\nThe SHADOWPAD malware family\r\nrule Windows_Trojan_ShadowPad_1 {\r\nmeta:\r\nauthor = \"Elastic Security\"\r\ncreation_date = \"2023-01-23\"\r\nlast_modified = \"2023-01-31\"\r\ndescription = \"Target SHADOWPAD obfuscation loader+payload\"\r\nos = \"Windows\"\r\narch = \"x86\"\r\ncategory_type = \"Trojan\"\r\nfamily = \"ShadowPad\"\r\nthreat_name = \"Windows.Trojan.ShadowPad\"\r\nlicense = \"Elastic License v2\"\r\nstrings:\r\n$a1 = { 87 0? 24 0F 8? }\r\n$a2 = { 9C 0F 8? }\r\n$a3 = { 03 0? 0F 8? }\r\n$a4 = { 9D 0F 8? }\r\n$a5 = { 87 0? 24 0F 8? 
}\r\ncondition:\r\nall of them\r\n}\r\nrule Windows_Trojan_Shadowpad_2 {\r\nmeta:\r\nauthor = \"Elastic Security\"\r\ncreation_date = \"2023-01-31\"\r\nlast_modified = \"2023-01-31\"\r\ndescription = \"Target SHADOWPAD loader\"\r\nos = \"Windows\"\r\narch = \"x86\"\r\ncategory_type = \"Trojan\"\r\nhttps://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns\r\nPage 24 of 26\n\nfamily = \"Shadowpad\"\r\nthreat_name = \"Windows.Trojan.Shadowpad\"\r\nlicense = \"Elastic License v2\"\r\nstrings:\r\n$a1 = \"{%8.8x-%4.4x-%4.4x-%8.8x%8.8x}\"\r\ncondition:\r\nall of them\r\n}\r\nrule Windows_Trojan_Shadowpad_3 {\r\nmeta:\r\nauthor = \"Elastic Security\"\r\ncreation_date = \"2023-01-31\"\r\nlast_modified = \"2023-01-31\"\r\ndescription = \"Target SHADOWPAD payload\"\r\nos = \"Windows\"\r\narch = \"x86\"\r\ncategory_type = \"Trojan\"\r\nfamily = \"Shadowpad\"\r\nthreat_name = \"Windows.Trojan.Shadowpad\"\r\nlicense = \"Elastic License v2\"\r\nstrings:\r\n$a1 = \"hH#whH#w\" fullword\r\n$a2 = \"Yuv~YuvsYuvhYuv]YuvRYuvGYuv1:tv\u003cYuvb#tv1Yuv-8tv\u0026Yuv\" fullword\r\n$a3 = \"pH#wpH#w\" fullword\r\n$a4 = \"HH#wHH#wA\" fullword\r\n$a5 = \"xH#wxH#w:$\" fullword\r\n$re1 = /(HTTPS|TCP|UDP):\\/\\/[^:]+:443/\r\ncondition:\r\n4 of 
them\r\n}\r\nReferences\r\nhttps://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\r\nhttps://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/\r\nhttps://www.secureworks.com/research/shadowpad-malware-analysis\r\nhttps://www.secureworks.com/research/threat-profiles/bronze-university\r\nhttps://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/\r\nIndicators\r\nhttps://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns\r\nPage 25 of 26\n\nArtifacts are available from the previously published REF2924 research.\r\nSource: https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns\r\nhttps://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns\r\nPage 26 of 26",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns"
	],
	"report_names": [
		"update-to-the-REF2924-intrusion-set-and-related-campaigns"
	],
	"threat_actors": [
		{
			"id": "4434c71b-c424-4c06-b923-4f3f54f24f40",
			"created_at": "2022-10-25T16:07:23.453526Z",
			"updated_at": "2026-04-10T02:00:04.611408Z",
			"deleted_at": null,
			"main_name": "ChamelGang",
			"aliases": [
				"CamoFei"
			],
			"source_name": "ETDA:ChamelGang",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BeaconLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DoorMe",
				"FRP",
				"Fast Reverse Proxy",
				"ProxyT",
				"Tiny SHell",
				"cobeacon",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a0673493-5872-49a0-8d0d-4391302cff01",
			"created_at": "2023-03-04T02:01:54.10107Z",
			"updated_at": "2026-04-10T02:00:03.358084Z",
			"deleted_at": null,
			"main_name": "Chamelgang",
			"aliases": [
				"CamoFei"
			],
			"source_name": "MISPGALAXY:Chamelgang",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "873919c0-bc6a-4c19-b18d-c107e4aa3d20",
			"created_at": "2023-01-06T13:46:39.138138Z",
			"updated_at": "2026-04-10T02:00:03.227223Z",
			"deleted_at": null,
			"main_name": "Higaisa",
			"aliases": [],
			"source_name": "MISPGALAXY:Higaisa",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dbee5a02-e2d6-49d2-9bb5-5a9e93fd1de9",
			"created_at": "2023-11-07T02:00:07.108976Z",
			"updated_at": "2026-04-10T02:00:03.411448Z",
			"deleted_at": null,
			"main_name": "REF2924",
			"aliases": [],
			"source_name": "MISPGALAXY:REF2924",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "30c9c492-afc6-4aa1-8fe6-cecffed946e0",
			"created_at": "2022-10-25T15:50:23.400822Z",
			"updated_at": "2026-04-10T02:00:05.350302Z",
			"deleted_at": null,
			"main_name": "Higaisa",
			"aliases": [
				"Higaisa"
			],
			"source_name": "MITRE:Higaisa",
			"tools": [
				"PlugX",
				"certutil",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434319,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1462fbf6ec95a7af225c762507eac744ab78599f.pdf",
		"text": "https://archive.orkl.eu/1462fbf6ec95a7af225c762507eac744ab78599f.txt",
		"img": "https://archive.orkl.eu/1462fbf6ec95a7af225c762507eac744ab78599f.jpg"
	}
}