{ "id": "fab513df-c846-48fd-8740-b680e4d6263b", "created_at": "2026-04-06T00:13:05.173956Z", "updated_at": "2026-04-10T13:12:36.509354Z", "deleted_at": null, "sha1_hash": "14c4740ee973189f87735a5f59cb5c759914a179", "title": "New Yokai Side-loaded Backdoor Targets Thai Officials", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 351336, "plain_text": "New Yokai Side-loaded Backdoor Targets Thai Officials\r\nBy Nikhil Hegde, Jan Michael Alcantara\r\nPublished: 2024-12-13 · Archived: 2026-04-05 18:12:58 UTC\r\nSummary\r\nDLL side-loading is a popular technique used by threat actors to execute malicious payloads under the umbrella of\r\na benign, usually legitimate, executable. This allows the threat actor to exploit whitelists in security products that\r\nexclude trusted executables from detection. Among others, this technique has been leveraged by APT41 to deploy\r\nDUSTTRAP and Daggerfly to deliver Nightdoor backdoor.\r\nDuring threat hunting activities, the Netskope team discovered a legitimate iTop Data Recovery application side-loading a backdoor we named Yokai that, to the best of our knowledge, has not been publicly documented yet. In\r\nthis blog we will analyze the infection chain and dive deep into the internals of the Yokai backdoor.\r\nDecoy documents\r\nDuring our threat hunting activities, we discovered a RAR file that contained two LNK shortcut files named in\r\nThai, named กระทรวงยุติธรรมสหรัฐอเมริกา.pdf and ด่วนที่สุด ทางการสหรัฐอเมริกาขอความร่วมมือระหว่าง\r\nประเทศในเรื่องทางอาญา.docx. Translated, both documents are called “United States Department of Justice.pdf”\r\nand “Urgently, United States authorities ask for international cooperation in criminal matters.docx” respectively.\r\nClicking the shortcut files triggers the copying of content from an alternate data stream (ADS) named “file.exf”\r\ninto decoy PDF and Word documents using esentutl.Esentutl is a Windows binary commonly abused to transfer\r\nmalicious payload from alternate data streams.\r\nAfter the copying is complete, the shortcut files open the decoy documents, giving the impression that their sole\r\npurpose is to display harmless content.\r\nhttps://www.netskope.com/blog/new-yokai-side-loaded-backdoor-targets-thai-officials\r\nPage 1 of 15\n\nDropper emerges from an alternate data stream\r\nhttps://www.netskope.com/blog/new-yokai-side-loaded-backdoor-targets-thai-officials\r\nPage 2 of 15\n\nThe shortcut file with a DOCX extension contains two data streams: the “file.exf” which is used to create a decoy\r\ndocument, and “file.ext” which contains the malicious payload.\r\nThe malicious payload is copied to an executable named “file.exe” using esentutl. If successful, the command\r\nprompt launches “file.exe” using start command.\r\nhttps://www.netskope.com/blog/new-yokai-side-loaded-backdoor-targets-thai-officials\r\nPage 3 of 15\n\nUpon execution of file.exe, it drops three files on the folder path C:\\ProgramData\\police. IdrInit.exe is a legitimate\r\niTop Data Recovery application abused to side-load the malicious DLL ProductStatistics3.dll. IdrInit.exe is\r\nexecuted by file.exe. The file IdrInit.exe.data contains information sent by the C2. The contents will be described\r\nlater in this blog.\r\nhttps://www.netskope.com/blog/new-yokai-side-loaded-backdoor-targets-thai-officials\r\nPage 4 of 15\n\nYokai Backdoor\r\nUpon execution, IdrInit.exe side-loads the Yokai backdoor (ProductStatistics3.dll) and calls the “SetStatParam3”\r\nfunction from it. This function is simply a wrapper around the malicious “pfc_init” function.\r\nhttps://www.netskope.com/blog/new-yokai-side-loaded-backdoor-targets-thai-officials\r\nPage 5 of 15\n\nIn another variant of this backdoor, we found a PDB string\r\n“E:\\Project\\YK0163\\src\\YK0163_v2.0.0\\YK0163\\Release\\EACore.pdb”, which we used as an inspiration to name\r\nthis backdoor, “Yokai”.\r\nScheduled task and duplicate executions\r\nIf IdrInit.exe is executed as a non-admin user, Yokai creates a scheduled task, even if it already exists, named\r\n“MicrosoftTSUpdate” which executes IdrInit.exe every five minutes.\r\ncmd.exe /c schtasks /create /f /sc MINUTE /MO 5 /tn \"MicrosoftTSUpdate\" /tr \u003cpath_to_IdrInit.exe\u003e\r\nIf IdrInit.exe is executed as an admin user, it spawns a copy of itself. Each spawned process, in turn, spawns its\r\nown copy, and so on. If the number of spawned processes continuously increases, it could negatively impact\r\nsystem performance and raise likelihood of detection. Additionally, this behavior would be clearly visible if the\r\nuser inspected the processes running on their system, further reducing the stealth aspect of the malware.\r\nhttps://www.netskope.com/blog/new-yokai-side-loaded-backdoor-targets-thai-officials\r\nPage 6 of 15\n\nMutex creation\r\nYokai looks for the presence of a mutex named “Mutex_Local_Windows_1547”. If it exists, control returns to\r\nIdrInit.exe and it terminates itself; otherwise, the mutex is created. Malware often uses mutexes as a mechanism to\r\navoid duplicate executions on a host it has already compromised. It would have been a better design choice to first\r\ncheck for the existence of the mutex before creating a scheduled task or spawning processes, as described earlier.\r\nhttps://www.netskope.com/blog/new-yokai-side-loaded-backdoor-targets-thai-officials\r\nPage 7 of 15\n\nCheck-in with the C2\r\nYokai collects the hostname and username of the logged-in user. A string “2.2.0” was also found hardcoded and\r\nthe PDB string mentioned earlier had the substring “2.0.0” in it. We believe this string indicates the version of the\r\nmalware.\r\nhttps://www.netskope.com/blog/new-yokai-side-loaded-backdoor-targets-thai-officials\r\nPage 8 of 15\n\nThe data is then formatted into the following 156-byte block:\r\nHeader Payload\r\nChecksum\r\n(1 byte)\r\nAPI-INDEX\r\n(4\r\nbytes)\r\nSequence\r\nnumber\r\n(2 bytes)\r\nUndetermined\r\n(1 byte)\r\nPayload\r\nsize\r\n(4 bytes)\r\nMalware\r\nversion\r\n(16 bytes)\r\nUsername\r\n(64 bytes)\r\nHostname\r\n(64 bytes)\r\nThe first byte serves as a checksum calculated over the remaining data. (The API-INDEX value will be described\r\nlater in this blog.) The sequence number represents a 0-indexed count of the backdoor’s communication\r\ninteractions with the C2, incrementing by 1 with each new successful exchange.\r\nThe checksum is calculated via XOR operations, which, although unreliable, do provide basic error detection.\r\nThis is calculated in the following manner:\r\nhttps://www.netskope.com/blog/new-yokai-side-loaded-backdoor-targets-thai-officials\r\nPage 9 of 15\n\ndef calculate_checksum(data):\r\n for i in range(1, len(data)):\r\n data[0] ^= data[i]\r\n # The first byte of the data is the checksum\r\n return data[0]\r\nThe data is then encrypted using a series of XOR operations with a hardcoded key, “ExtensionsWindow”. The\r\nalgorithm is shown below:\r\ndef encrypt_data(plaintext, key):\r\n encrypted1 = b\"\"\r\n for i in range(0, len(plaintext)):\r\n encrypted1 += (plaintext[i] ^ key[i \u0026 0xF]).to_bytes(1, \"little\")\r\n encrypted2 = b\"\"\r\n for i in range(1, len(encrypted1)+1):\r\n encrypted2 += (encrypted1[i-1] ^ key[i \u0026 0xF]).to_bytes(1, \"little\")\r\n return encrypted2\r\nThe encrypted data is transmitted to the first available C2, which is one of the following in order:\r\n122.155.28[.]155:80/page/index.php\r\n154.90.47[.]77:80/\r\nIn another variant, we observed traffic going to port 443. The following table shows the fixed values for specific\r\nHTTP headers:\r\nHeader name Value\r\nContent-Type application/x-www-form-urlencoded\r\nUser-Agent WinHTTP Example/1.0\r\nAPI-INDEX 0\r\nAccept-Connect 0\r\nContent-Length 156\r\nhttps://www.netskope.com/blog/new-yokai-side-loaded-backdoor-targets-thai-officials\r\nPage 10 of 15\n\nThe C2 response is encrypted in the same manner and with the same encryption key as before. It can be decrypted\r\nas follows:\r\ndef decrypt_data(encrypted, key):\r\n decrypted1 = b\"\"\r\n for i in range(1, len(encrypted)+1):\r\n decrypted1 += (encrypted[i-1] ^ key[i \u0026 0xF]).to_bytes(1, \"little\")\r\n decrypted2 = b\"\"\r\n for i in range(0, len(decrypted1)):\r\n decrypted2 += (decrypted1[i] ^ key[i \u0026 0xF]).to_bytes(1, \"little\")\r\n return decrypted2\r\nThe decrypted C2 response must satisfy checksum validation, be exactly 28 bytes in size, and have a value of 1 in\r\nthe 4th byte. It has the following structure:\r\nHeader Payload\r\nChecksum\r\n(1 byte)\r\nSequence number\r\n(2 bytes)\r\nCommand code\r\n(1 byte)\r\nPayload size\r\n(4 bytes)\r\nAPI-INDEX\r\n(4 bytes)\r\nNew encryption key\r\n(16 bytes)\r\nThe value of “API-INDEX” sent by the C2 is written to a file named “IdrInit.exe.data” in the same directory as\r\nIdrInit.exe. This value is used for the “API-INDEX” HTTP header in subsequent C2 communications. While we\r\ndo not know the intention behind this header, it could be a mechanism to uniquely identify a compromised host as\r\ndetermined by the C2. The C2 also provides a new encryption key to be used for encrypting data before\r\nexfiltration.\r\nhttps://www.netskope.com/blog/new-yokai-side-loaded-backdoor-targets-thai-officials\r\nPage 11 of 15\n\nC2 command codes\r\nYokai now enters a loop of processing commands sent by the C2 and data exfiltration. Its traffic to the C2 has the\r\nfollowing structure:\r\nHeader Payload\r\nChecksum\r\n(1 byte)\r\nAPI-INDEX\r\n(4 bytes)\r\nSequence number\r\n(2 bytes)\r\nUndetermined\r\n(1 byte)\r\nPayload size\r\n(4 bytes)\r\nExfiltrated data\r\n(Optional)\r\nThe following table shows the fixed values for specific HTTP headers:\r\nHeader name Value\r\nContent-Type application/x-www-form-urlencoded\r\nUser-Agent WinHTTP Example/1.0\r\nAPI-INDEX Previously sent by the C2\r\nAccept-Connect 1\r\nFor example, in the snapshot below, the traffic on the left represents an empty payload being sent to the C2,\r\nindicating idle time, while the traffic on the right represents data exfiltration.\r\nhttps://www.netskope.com/blog/new-yokai-side-loaded-backdoor-targets-thai-officials\r\nPage 12 of 15\n\nThe C2 response has the following structure:\r\nHeader Payload\r\nChecksum\r\n(1 byte)\r\nSequence number\r\n(2 bytes)\r\nCommand code\r\n(1 byte)\r\nPayload size\r\n(4 bytes)\r\nShell commands to execute\r\n(Optional)\r\nThe sequence number sent by the C2 must match the sequence number previously sent by Yokai. Otherwise, it\r\nchecks if the sequence number sent by the C2 is one behind the sequence number previously sent by Yokai. If so,\r\nit retransmits; otherwise, it restarts the entire C2 communication process.\r\nThe table below summarizes the supported command codes:\r\nhttps://www.netskope.com/blog/new-yokai-side-loaded-backdoor-targets-thai-officials\r\nPage 13 of 15\n\nCommand\r\ncode\r\nFunction\r\n1\r\nRepresents the C2 ACK to the check-in traffic first sent by Yokai. A new encryption key and\r\nAPI-INDEX value is also sent by the C2.\r\n3 Spawns cmd[.]exe and attaches its STDIN and STDOUT to anonymous pipes.\r\n4\r\nExecute shell commands by writing to pipes associated with the previously spawned\r\ncmd[.]exe.\r\n2 Do nothing\r\n5 Undetermined\r\nConclusions\r\nIn this blog, we walked through an infection chain that leveraged a RAR file that contained two LNK files. While\r\none of them had a decoy PDF document embedded in its alternate data stream, the other embedded a decoy\r\nDOCX document and a malware dropper executable. It dropped a legitimate iTop Data Recovery application\r\nalong with the side-loaded Yokai backdoor, offering console access to the threat actor.\r\nDLL side-loading continues to be a popular technique leveraged by threat actors. Netskope will continue to track\r\nthe evolution of the Yokai backdoor.\r\nRecommendations\r\nNetskope recommends that organizations review their security policies to ensure that they are adequately\r\nprotected against malware:\r\nInspect all HTTP and HTTPS traffic, including all web and cloud traffic, to prevent systems from\r\ncommunicating with malicious domains and IP addresses. Netskope customers can configure their\r\nNetskope NG-SWG with a URL filtering policy to block known malicious domains, and a threat protection\r\npolicy to inspect all web content to identify malicious content using a combination of signatures, threat\r\nintelligence, and machine learning.\r\nUse Remote Browser Isolation (RBI) technology to provide additional protection when there is a need to\r\nvisit websites that fall into categories that can present higher risk, like Newly Observed and Newly\r\nRegistered Domains.\r\nNetskope Detection\r\nNetskope Threat Protection\r\nRAR: Shortcut.Trojan.Pantera\r\nLNK: Shortcut.Trojan.Pantera\r\nDropper:\r\nTrojan.Generic.37082949\r\nhttps://www.netskope.com/blog/new-yokai-side-loaded-backdoor-targets-thai-officials\r\nPage 14 of 15\n\nGen.Detect.By.NSCloudSandbox.tr\r\nYokai Backdoor:\r\nWin32.Trojan.Generic\r\nGen:Variant.Lazy.572161\r\nGen:Variant.Mikey.170188\r\nTrojan.Generic.37080167\r\nNetskope Intrusion Prevention System\r\nYokai Backdoor C2 traffic:\r\nSID 170111: MALWARE-CNC Win.Backdoor.Yokai variant C2 outbound traffic detected\r\nSID 170112: MALWARE-CNC Win.Backdoor.Yokai variant C2 outbound traffic detected\r\nMITRE ATT\u0026CK Techniques\r\nTactic Technique\r\nTA0002: Execution\r\nT1053: Scheduled Task/Job\r\nT1559: Inter-Process Communication\r\nTA0005: Defense Evasion\r\nT1564.004: Hide Artifacts: NTFS File Attributes\r\nT1036: Masquerading\r\nT1574.002: Hijack Execution Flow: DLL Side-Loading\r\nT1480.002: Execution Guardrails: Mutual Exclusion\r\nTA0011: Command and Control\r\nT1071.001: Application Layer Protocol: Web Protocols\r\nT1573.001: Encrypted Channel: Symmetric Cryptography\r\nIOCs\r\nAll the IOCs and scripts related to this malware can be found in our GitHub repository.\r\nSource: https://www.netskope.com/blog/new-yokai-side-loaded-backdoor-targets-thai-officials\r\nhttps://www.netskope.com/blog/new-yokai-side-loaded-backdoor-targets-thai-officials\r\nPage 15 of 15", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://www.netskope.com/blog/new-yokai-side-loaded-backdoor-targets-thai-officials" ], "report_names": [ "new-yokai-side-loaded-backdoor-targets-thai-officials" ], "threat_actors": [ { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a", "created_at": "2024-11-01T02:00:52.763555Z", "updated_at": "2026-04-10T02:00:05.263997Z", "deleted_at": null, "main_name": "Daggerfly", "aliases": [ "Daggerfly", "Evasive Panda", "BRONZE HIGHLAND" ], "source_name": "MITRE:Daggerfly", "tools": [ "PlugX", "MgBot", "BITSAdmin", "MacMa", "Nightdoor" ], "source_id": "MITRE", "reports": null }, { "id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7", "created_at": "2023-01-06T13:46:39.413725Z", "updated_at": "2026-04-10T02:00:03.31882Z", "deleted_at": null, "main_name": "BRONZE HIGHLAND", "aliases": [ "Evasive Panda", "Daggerfly" ], "source_name": "MISPGALAXY:BRONZE HIGHLAND", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7", "created_at": "2022-10-25T16:07:23.422755Z", "updated_at": "2026-04-10T02:00:04.592069Z", "deleted_at": null, "main_name": "Bronze Highland", "aliases": [ "Daggerfly", "Digging Taurus", "Evasive Panda", "Storm Cloud", "StormBamboo", "TAG-102", "TAG-112" ], "source_name": "ETDA:Bronze Highland", "tools": [ "Agentemis", "CDDS", "CloudScout", "Cobalt Strike", "CobaltStrike", "DazzleSpy", "KsRemote", "LOLBAS", "LOLBins", "Living off the Land", "MacMa", "Macma", "MgBot", "Mgmbot", "NetMM", "Nightdoor", "OSX.CDDS", "POCOSTICK", "RELOADEXT", "Suzafk", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "4f7d2815-7504-4818-bf8d-bba18161b111", "created_at": "2025-08-07T02:03:24.613342Z", "updated_at": "2026-04-10T02:00:03.732192Z", "deleted_at": null, "main_name": "BRONZE HIGHLAND", "aliases": [ "Daggerfly", "Daggerfly ", "Evasive Panda ", "Evasive Panda ", "Storm Bamboo " ], "source_name": "Secureworks:BRONZE HIGHLAND", "tools": [ "Cobalt Strike", "KsRemote", "Macma", "MgBot", "Nightdoor", "PlugX" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434385, "ts_updated_at": 1775826756, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/14c4740ee973189f87735a5f59cb5c759914a179.pdf", "text": "https://archive.orkl.eu/14c4740ee973189f87735a5f59cb5c759914a179.txt", "img": "https://archive.orkl.eu/14c4740ee973189f87735a5f59cb5c759914a179.jpg" } }