{
	"id": "5a6733d6-4d1c-4557-991b-ce5635181b8d",
	"created_at": "2026-04-06T01:28:59.824737Z",
	"updated_at": "2026-04-10T03:38:01.70657Z",
	"deleted_at": null,
	"sha1_hash": "1618dabcb33c58ce1804bccb2e71df09c140b620",
	"title": "using RTF object dimensions to track APT phishing weaponizers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 471744,
	"plain_text": "using RTF object dimensions to track APT phishing weaponizers\r\nArchived: 2026-04-06 00:29:46 UTC\r\nVB2019 paper: Attribution is in the object: using RTF object dimensions to track APT\r\nphishing weaponizers\r\nGhareeb Saad\r\nAnomali, UK\r\nMichael A. Raggi\r\nProofpoint, USA\r\nTable of contents\r\nAbstract\r\nTypographers and font designers sometimes quip that the divine fingerprint of the artist exists in the spaces between the\r\nletters (‘God is in the Kerning’ – Matteo Bologna). They have also said ‘Nothing made by a human can avoid personal\r\nexpression’ (Hrant Papazian). Anomali Labs has conducted an in-depth study of the unique object dimensions present in\r\nweaponized RTF exploits used in phishing attacks. Through this research we have found that, like typographers, the\r\ndevelopers of malicious RTF weaponizers leave behind a unique fingerprint on the malicious phishing attachments they\r\ncreate. This fingerprint can be found in the unique height and width of the malicious objects present in a phishing\r\nattachment. So, if God can be found in the kerning, we, as threat researchers, believe that attribution is in the object.\r\nRTF files are among the most popular file formats used in phishing attacks today. Anomali Labs has tracked the unique\r\nobject dimensions present in 22 RTF exploits for CVE-2018-8570, CVE-2018-0802, CVE-2017-11882, CVE-2017-0199,\r\nCVE-2014-1761 and CVE-2012-0158 to gain insight into the adversary’s weaponization process. By identifying the height\r\nand width of malicious RTF objects and creating YARA signatures to track them, analysts have identified APT campaigns\r\nrelated to three distinct Chinese APT groups (Temp.Periscope, Temp.Trident and Goblin Panda), one South Asian APT\r\n(Sidewinder), and the cybercriminal campaigns of a known Pakistani APT group (Gorgon Group/Subaat). 
This paper will\r\ncover basic RTF object metadata structure, how this data, when unique, can be used to track threat actors, and an in-depth\r\ncase study of Chinese and Indian APTs utilizing a shared RTF phishing weaponizer to carry out diverse espionage\r\ncampaigns across Asia and Central Europe.\r\nExploit supply chain \u0026 the need for weaponizer attribution\r\nThe use of weaponized exploits in targeted phishing attacks continues to be among the most popular and effective\r\ntechniques observed by cybersecurity researchers today. The 2019 Verizon DBIR report cites ‘Email Attachment’ as the top\r\nmalware infection vector in incidents and reports that Office documents and Windows applications are the most common\r\ninfection vectors [1]. Among the Office documents utilized in cyber attacks, the RTF file format is often used for phishing\r\nattachments and is regularly observed in espionage campaigns linked to prominent Advanced Persistent Threat (APT)\r\nadversaries. Rich Text Format (RTF) is a proprietary document file format created by Microsoft which has found popularity\r\nsince its creation in 1987. The ubiquity of RTF attachments in APT attacks has led researchers to conduct an in-depth\r\nhttps://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers/\r\nPage 1 of 23\n\nanalysis of hundreds of weaponized RTF exploit files. This analysis has resulted in the development of a repeatable process\r\nfor tracking the malicious files created by RTF phishing weaponizers and has introduced visibility into the threat actors’\r\nsupply chain for these weaponizer tools. Often, scripted phishing weaponizers will create malicious documents with\r\npredictable object dimensions for certain Common Vulnerabilities and Exposures (CVEs). 
Based on these artifacts, it is possible\r\nto develop YARA detection signatures to allow analysts to study the spread and dissemination of phishing weaponizers\r\nacross the threat landscape. With this visibility into the weaponization phase of the cyber kill chain, researchers can\r\nunderstand the origination point of weaponizers, which is invaluable for threat actor attribution. Additionally, the ability to\r\ndetect and track these RTFs is highly advantageous to infosec organizations as it provides attack visibility during the\r\ndelivery phase of a potential intrusion.\r\nThis paper presents a new technique for attributing RTF weaponizers using object dimensions. Researchers have studied\r\nmore than 6,000 malicious RTF samples and have been able to group and attribute more than 27 different RTF weaponizers\r\nusing object dimensions. An RTF weaponizer for CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798, dubbed ‘Royal\r\nRoad’, was discovered being used in espionage campaigns, and ultimately released into the commodity threat landscape.\r\nRoyal Road is believed to have originated amongst a group of Chinese APTs conducting espionage campaigns from 2017 to\r\n2019. In 2018, it was observed being used by the Indian APT actor Sidewinder, and in 2019 it was seen being adopted by\r\ncybercriminal actors. The diffusion of custom weaponizers like Royal Road, from exclusive usage by its developers or\r\npurchasers through to its ultimate emergence as a commodity tool, will be explored as a recurring pattern which we refer to\r\nas the ‘Weaponizer Life Cycle’.\r\nRTF exploitation\r\nRich Text Format was developed by Microsoft from 1987 until 2008, and remains supported by Windows, Mac and Linux\r\noperating systems. The RTF format was created to enable cross-platform document interchange. 
This file format has, for\r\nyears, been a popular target for vulnerability researchers and exploit developers because it can host different object types.\r\nThe object types include: annotations, fonts, pictures, OLE and SWF. This allows adversaries to deliver exploits from\r\ndifferent object types, often by attaching RTF files to phishing emails. The versatility of the RTF format for exploit delivery\r\nfrom different object types has given rise to the following popular CVEs:\r\nCVE-2014-1761\r\nCVE-2015-7645\r\nCVE-2016-4117\r\nCVE-2016-1019\r\nCVE-2017-0199\r\nCVE-2017-8570\r\nCVE-2017-11882\r\nCVE-2018-0802\r\nCVE-2018-0798\r\nRTF tracking and attribution techniques\r\nThere are many aspects of RTF files that can be used to conduct analysis or track weaponized exploits for attribution\r\npurposes. In this paper we will focus on four specific techniques that can provide insight into both adversary operators and\r\nadversary supply chains. These four techniques are the tracking of RTF metadata, shellcode, obfuscation and encoding\r\nartifacts, and object dimensions.\r\nMetadata \u0026 author name\r\nIn addition to accommodating objects, RTF files can include metadata ‘Tag ID’ values that can be used to support threat\r\nactor attribution. Specifically, analysis of the metadata tag IDs for ‘author’, ‘company’, ‘operator (last modified by)’, ‘title’\r\nand ‘vern’ (internal version number) associated with RTF phishing attachments can provide string values that can be\r\nleveraged as indicators of compromise. These metadata tag IDs should be recorded and attributed to a threat actor if\r\nobserved in multiple campaigns over time, alongside additional overlapping IoCs or tactics, techniques and procedures\r\n(TTPs). 
Metadata tag ID values can be observed in the strings of the RTF as well as through proprietary analysis tools such\r\nas VirusTotal Enterprise in the description section of an uploaded malware binary. The tag values for author and operator\r\nfields are derived from the machine used to create the RTF phishing attachment. In some instances, if the operator is using\r\nan application like Microsoft Office to create a weaponized phishing attachment, file compilation will apply the author value\r\nassociated with the operator’s application to the created malicious file. Additionally, a unique value for the ‘vern’ or internal\r\nversion number will be applied to all malicious phishing attachments created by that code base. The example shown in\r\nFigure 1 from the VirusTotal interface demonstrates a recurring metadata author value that was used by a CVE-2012-0158\r\nphishing weaponizer attributed to the Chinese Goblin Panda APT, also known as Conimes. This technique has been explored\r\nat length in a SANS CTI Summit presentation on the topic [2].\r\nFigure 1: VirusTotal user interface showing RTF metadata author ‘Tag ID’ and strings.\r\nAlthough RTF metadata tag ID tracking is a useful method, over time, to develop attribution based on RTF attachments in\r\ntargeted campaigns, there are limitations to this technique. In many cases RTF metadata is fleeting and trivial to alter from\r\ncampaign to campaign. Often these values are updated to mimic regionally specific personnel at targeted organizations and\r\nchanged to the native languages spoken by the targets. Additionally, RTF metadata tags are not mandatory values that must\r\nbe included upon the compilation of an RTF file. In some cases adversaries have removed RTF metadata tag IDs from\r\nweaponized RTF attachments upon updating a phishing weaponizer. 
Based on the inconsistent and non-essential nature of\r\nRTF metadata as a social engineering mechanism in weaponized RTFs, this tracking method provides the best visibility, over\r\nmultiple campaigns, of the operator’s personas and possible targeting intention, while being a fleeting indicator of\r\ncompromise.\r\nShellcode\r\nCertain characteristics of the shellcode used to exploit a vulnerability targeted by a malicious RTF can be used to track\r\ncertain RTF weaponizers. The most common characteristic of shellcode would be certain Return Oriented Programming\r\n(ROP) gadgets being used by the exploit or the technique used to drop and execute the payload. While these characteristics\r\nare usually permanent and rarely changed, it is usually difficult to develop YARA rules to automatically track them.\r\nObfuscation artifacts\r\nThe Office RTF parser and RTF file specification are very flexible from a development standpoint. One of the most flexible\r\nfeatures of an RTF file is the allowance of cascading objects, which can represent data in different formats and escape\r\ncharacters. Exploit developers make use of this functionality to build obfuscated payloads that are still valid when rendered\r\nin Office, but which can evade AV engines by representing malicious internal content in formats other than what is most\r\ncommonly used in AV static signature detection. This has the beneficial secondary outcome of making it harder for analysts\r\nto extract or analyse the malicious payload.\r\nActors often deploy scripts to insert custom obfuscation gadgets into their malicious RTFs. Using these gadgets as strings in\r\nYARA signatures is a very useful method for tracking RTFs created for certain campaigns or actors. There are multiple\r\narticles and papers discussing RTF obfuscation in detail [3, 4]. 
Figures 2 to 4 show some examples of RTF obfuscation\r\ngadgets that can be used to track malicious RTFs.\r\nFigure 2: Obfuscation gadget present in Royal Road weaponizer version 2.\r\nFigure 3: Example of obfuscation gadget used in malicious RTFs.\r\nFigure 4: Example of obfuscation gadget used in malicious RTFs.\r\nObject dimensions and phishing weaponizers\r\nCVEs and exploits are often purchased from digital black markets as Python scripts that can be used to weaponize a lure\r\ndocument. Alternatively, weaponizers have been known to be developed as internal tools for APT organizations. Based on\r\nthe popularity of Word for rendering email attachments, threat actors usually build their lure ‘.doc’ using a normal Office\r\napplication and then use the acquired script to inject the malicious RTF object into the lure document once it has been\r\ncreated.\r\nBased on RTF specifications, any object that has a graphical representation (which will most commonly be rendered in\r\nWord) needs to specify the object dimension as part of the RTF object header. This is to say that the object height and width\r\nfor graphic representation are included in the strings of the compiled RTF file to ensure that an error will not occur when\r\nattempting to load the object. Table 1 includes a list of the object dimensions and attributes that can be included in an RTF\r\nobject header at the time of compilation.\r\nObject size, position, cropping and scaling\r\n\\objhN: N is the original object height in twips, assuming the object has a graphical representation.\r\n\\objwN: N is the original object width in twips, assuming the object has a graphical representation.\r\n\\objsetsize: Forces the object server to set the object’s dimensions to those specified by the client.\r\n\\objalignN: N is the distance in twips from the left edge of the objects that should be aligned on a tab stop. This is needed to place Equation Editor equations correctly in line.\r\n\\objtransyN: N is the distance in twips the objects should be moved vertically with respect to the baseline. This is needed to place MathType equations correctly in line.\r\n\\objcroptN: N is the top cropping distance in twips.\r\n\\objcropbN: N is the bottom cropping distance in twips.\r\n\\objcroplN: N is the left cropping distance in twips.\r\n\\objcroprN: N is the right cropping distance in twips.\r\n\\objscalexN: N is the horizontal scaling percentage.\r\n\\objscaleyN: N is the vertical scaling percentage.\r\nTable 1: Object dimensions and attributes that may be present in RTF header.\r\nIf the malicious RTF exploit object has a graphical representation (most phishing attachments do), the object dimensions are\r\ncrafted inside the weaponizer script and included in the strings of the malicious RTF exploit. An extended study of multiple\r\nRTF weaponizers and malicious RTF files targeting numerous vulnerabilities proved that the object dimensions are very often\r\nunique numbers. Specifically, the object height and width were frequently found to be unique and it was observed that they\r\nnever changed across the usage of certain weaponizers, even in instances when the weaponizer was being utilized by\r\nmultiple actors deploying diverse shellcode. Whereas the RTF obfuscation and final delivered payload may change, the RTF\r\nobject dimensions were found to remain constant.\r\nInterestingly, RTF object dimensions are rarely used by anti-virus (AV) engines to detect malicious RTF files. This current\r\nlack of object dimension-based detection may be why developers do not need to change object dimensions to bypass AV\r\nengines. 
On the other hand, metadata, obfuscation and shellcode (all used in other attribution techniques) tend to be changed\r\nregularly by actors attempting to bypass AV detection. We noticed in multiple cases that, even when the actors were very\r\nsuccessful in updating their weaponizer to provide better AV detection evasion, a simple YARA rule tracking the object\r\ndimension was able to find the malicious RTF created by a new version of the weaponizer. Figure 5 is the strings section\r\nfrom a malicious RTF sample created by the Royal Road RTF weaponizer. We successfully tracked samples created by this\r\nweaponizer via a YARA rule to detect the unique object dimensions. The static AV detections in VirusTotal, which are shown\r\nin Figure 6, failed to detect many of these samples with accuracy. Specifically, in the sample included in Figure 6, only one\r\nAV engine identified the sample as an exploit for CVE-2017-11882. Adversaries were likely able to evade AV detection by\r\nmanipulating the shellcode and employing updated obfuscation techniques. The use of YARA signatures to detect object\r\ndimensions for phishing weaponizers provides researchers with a way to identify malicious RTFs that is independent of\r\nadversary obfuscation attempts.\r\nFigure 5: Object dimension strings from a Royal Road version 2 sample.\r\nFigure 6: VirusTotal AV detection for Conimes / Goblin Panda RTF sample identified via YARA\r\nsignature for RTF object dimensions ‘objh2180/objw300’.\r\nThe tracking of RTF object dimensions has led researchers to identify 27 unique weaponizers that include APT,\r\ncybercriminal and public tools. 
Of the over 6,000 malicious RTF files analysed, 4,445 contained unique object dimensions.\r\nThis demonstrates how distinct object dimensions are per weaponized RTF sample and reinforces that a cluster of shared\r\nobject dimensions between samples is an indication that they were likely created by the same weaponizer.\r\nComparing RTF attribution techniques: pros and cons\r\nTechnique: Metadata and author name (fleeting \u0026 operator-centric)\r\nPros: Operator-centric; provides context via social engineering content and language of targets (‘human fingerprint’); can be used to track specific campaigns; actor-specific; easy to track.\r\nCons: Trivial to change; not required in all weaponized files; regularly evolving.\r\nTechnique: RTF obfuscation artifacts (evolving \u0026 supply-chain-centric)\r\nPros: Unique to shellcode developer; supply-chain-centric; can facilitate attribution and correlations between threat actors; easy to track using YARA rules.\r\nCons: Regularly evolving with high turnover so threat actors can bypass AV detection.\r\nTechnique: Shellcode (permanent \u0026 operator-centric)\r\nPros: A more permanent actor artifact to track; usually specific to a single actor; difficult for actors to change entirely.\r\nCons: Complex to create a signature, specifically utilizing YARA rules to track shellcode.\r\nTechnique: Object dimensions (permanent \u0026 supply-chain-centric)\r\nPros: Very specific to weaponizer developer \u0026 exploit supplier; does not change regularly; allows attribution of a shared exploit supply chain; maps relations between different connected groups.\r\nCons: Does not provide operator visibility; if multiple actors are using the weaponizer it does not provide deeper attribution to a specific group.\r\nTable 2: Comparison of RTF attribution techniques.\r\nFigure 7: Quadrant view of permanence versus operational visibility in RTF attribution techniques.\r\nThe Royal Road weaponizer\r\nResearchers have identified a unique phishing weaponizer that, to date, has been utilized in Chinese and South Asian APT\r\ntargeted attacks, as well as in cybercriminal campaigns. The weaponizer, which has been dubbed ‘Royal Road’, is believed\r\nto be a code base capable of creating weaponized RTF exploits complete with believable lure content for CVE-2017-11882,\r\nCVE-2018-0802 and CVE-2018-0798. This weaponizer has primarily been used by Chinese APT actors in espionage\r\ncampaigns supporting intelligence requirements for the Belt and Road Initiative in Central Asia, Russia, Vietnam and\r\nMongolia, but also with the targeting of US maritime, academic and defence sectors. Specifically, the weaponizer can be\r\nidentified by the unique object dimensions objh2180/objw300 appearing in the malicious RTF’s strings. Further variations of\r\nthis weaponizer can be identified by the object data which follows the object dimensions, the metadata associated with the\r\nRTF files, and an examination of post-exploitation infection techniques utilized by disparate threat actors.\r\nVersions of the Royal Road tool weaponize RTF files to exploit CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798,\r\nwhich affect the Microsoft Equation Editor. CVE-2017-11882 and CVE-2018-0802 were patched by Microsoft in November\r\n2017 and January 2018, respectively. The lesser-known CVE-2018-0798 was also patched in January 2018. Since then, RTF\r\nfiles exploiting these vulnerabilities in malspam campaigns pushing malware like LokiBot and Formbook have been well\r\ndocumented. 
By now, exploits for Equation Editor vulnerabilities are old news, and more than 1,000 samples have been\r\nsubmitted to VirusTotal since November 2017. Chinese APT threat actors adapted these popular vulnerabilities into exploits\r\nimmediately following their disclosure by Microsoft. The use of a specific weaponizer to exploit well-known vulnerabilities\r\nallows analysts both to attribute In-the-Wild (ItW) samples and to gain insight into the supply chain associated with\r\nnumerous APTs across international boundaries.\r\nDistinguishing between Royal Road versions\r\nAll identified weaponized RTF samples created by the Royal Road tool were found to share the unique RTF object\r\ndimensions objh2180/objw300. This shared dimension allowed us to draw connections between diverse samples created by\r\nthe tool, as variation exists between different versions of the weaponizer which include unique object data spanning five\r\ndistinct versions. Additionally, two distinct methods for executing post-exploitation payloads were found, which serve as the\r\nprimary method for distinguishing between Chinese APT activity and activity associated with the Sidewinder APT. Finally,\r\nfurther variation was identified and documented in the methods used amongst disparate Chinese APTs to perform DLL side-loading following execution.\r\nFour distinct clusters of Chinese APT activity have been observed utilizing RTF files that contain the Royal Road unique\r\nobject dimensions. Version 1 utilizes the object data string objw2180\\objh300{\\*\\objclass Equation.3}{\\*\\objdata\r\n01050000020000000B0000004571756174 and exploits CVE-2017-11882. 
Versions 2 and 4 utilize the object data string\r\nobjw2180\\objh300{\\objdata 554567{\\*\\objdata 01050000020000000B0000004571756174696F6E2E and exploit both\r\nCVE-2017-11882 and CVE-2018-0802. Several of these APT groups have utilized exploits for both CVE-2017-11882 (two\r\nversions) and CVE-2018-0802 at different times, representing a shared and evolving supply chain between Chinese threat\r\nactors. Version 4 of the Royal Road weaponizer was observed being utilized by the Sidewinder APT group, using the object\r\ndata string objw2180\\objh300{\\objdata 554567{{\\*\\objdata 1389E614020000000B0000004571756174696F6E2 to exploit\r\nCVE-2017-11882. This string is highly similar to the object data string from Royal Road versions 2 and 4.\r\nA fifth variation of the Royal Road builder was also observed in use by Chinese APT actors. The analysed RTF files share\r\nthe same object dimension (objw2180\\objh300) as used to track the RTF weaponizer. However, in this case the samples\r\nwere not exploiting CVE-2017-11882 or CVE-2018-0802. After further analysis, it was discovered that the RTF files were\r\nexploiting the CVE-2018-0798 vulnerability in Microsoft’s Equation Editor (EQNEDT32). CVE-2018-0798 does not appear\r\nto be commonly exploited in the wild, even though it is more reliable than its better-known Equation Editor RCE counterparts.\r\nIts reliability is rooted in its efficacy among all Microsoft Word versions that include the Equation Editor. Its counterparts\r\nCVE-2017-11882 and CVE-2018-0802 are limited to specific versions based on the patches that have been deployed. CVE-2017-11882 is only exploitable on an unpatched version prior to its fix, and CVE-2018-0802 is only exploitable on the\r\nversion released to fix CVE-2017-11882. In contrast, a threat actor utilizing CVE-2018-0798 has a higher likelihood of\r\nsuccess because it is not limited by version. 
Files containing the Royal Road object dimensions and the following string\r\nhave been classified as Royal Road v5: objw2180\\objh300\\objdata\\object 5154\\781\\'e56\\'2f7\\objdata\r\n01050000020000000b0000004571756174696f6e2e33000000000000000000002e0000d01.\r\nRoyal Road v1\r\nObject string: objw2180\\objh300{\\*\\objclass Equation.3}{\\*\\objdata 01050000020000000B0000004571756174\r\nDescription: No obfuscation. Exploits CVE-2017-11882. 8.t post-exploitation technique \u0026 execution of shellcode. Used by Chinese APTs Temp.Periscope and Goblin Panda.\r\nRoyal Road v2\r\nObject string: objw2180\\objh300{\\objdata 554567{\\*\\objdata 01050000020000000B0000004571756174696F6E2E\r\nDescription: Started using RTF obfuscation gadgets to evade AV detection. 8.t post-exploitation technique \u0026 execution of shellcode. Exploits CVE-2017-11882. Used by Chinese APTs Nomad Panda, Dagger Panda and Goblin Panda.\r\nRoyal Road v3 (Sidewinder)\r\nObject string: objw2180\\objh300{\\objdata 554567{{\\*\\objdata 1389E614020000000B0000004571756174696F6E2\r\nDescription: Similar RTF obfuscation gadgets to v2. Post-exploitation uses HTA download \u0026 execution of shellcode. Exploits CVE-2017-11882. Used by Sidewinder APT.\r\nRoyal Road v4\r\nObject string: objw2180\\objh300{\\objdata 554567{\\*\\objdata 01050000020000000b0000004571756174696f6e2\r\nDescription: Similar RTF obfuscation gadgets to v2. 8.t post-exploitation technique \u0026 execution of shellcode. Exploits CVE-2018-0802. Used by Nomad Panda, Dagger Panda, Goblin Panda, the group responsible for the Reaver malware, and Temp.Hex.\r\nRoyal Road v5\r\nObject string: objw2180\\objh300\\objdata\\object 5154\\781\\'e56\\'2f7\\objdata 01050000020000000b0000004571756174696f6e2e33000000000000000000002e0000d01\r\nDescription: 8.t post-exploitation technique \u0026 execution of shellcode. Exploits CVE-2018-0798. Used by Nomad Panda, Dagger Panda, Goblin Panda, and Temp.Hex.\r\nTable 3: Table comparing the different versions of Royal Road weaponizer.\r\nAmong the Chinese groups to use Royal Road are the APTs Goblin Panda (Conimes), Temp.Trident (Dagger Panda and\r\nNomad Panda, Ice Fog), Temp.Periscope (APT40, Leviathan, MudCarp), the APT group associated with the Reaver\r\nmalware, and Temp.Hex (Maudi Surveillance Operation). Goblin Panda (Conimes) has historically targeted Vietnam,\r\nutilizing Royal Road RTF phishing attachments to deliver a payload identified as ‘QCRat’. This payload is identifiable via\r\nthe vulnerable McAfee DLL that was utilized for DLL side-loading (QCLite.dll and QCConsol.exe). This group has\r\nsubsequently utilized additional malicious PE files side-loaded by legitimate dynamic-link libraries (DLLs) as well as\r\nPowerShell scripts in phishing campaigns to deliver malware families including Newcore RAT and Gh0st. 
Royal Road RTF\r\nsamples are often attributable to Conimes by their distinctive Vietnamese language lures and file names, as well as through\r\nrecognizable post-infection DLL side-loading techniques.\r\nActor: Goblin Panda (Conimes)\r\nTargeting: Vietnam and Southeast Asia\r\nPotential motivation: Espionage aligned with commercial and South China Sea issues\r\nMethodology: RTF phishing followed by shellcode executed via an OLE package dropping distinctive source file 8.t\r\nUnique tools: QCRat, Gh0st, Newcore\r\nActor: Temp.Periscope (APT40, Leviathan, MudCarp)\r\nTargeting: US Defence; maritime; academic institutions; international \u0026 political organizations\r\nPotential motivation: Intellectual property theft and military espionage\r\nMethodology: RTF phishing followed by shellcode executed via an OLE package dropping distinctive source file 8.t\r\nUnique tools: DadBod, EvilTech, AirBreak, HomeFry, MurkyTop\r\nActor: Nomad Panda \u0026 Dagger Panda (Temp.Trident, Icefog)\r\nTargeting: Mongolia and Central Asia\r\nPotential motivation: Economic espionage for Belt \u0026 Road Initiative\r\nMethodology: RTF phishing followed by shellcode executed via an OLE package dropping distinctive source file 8.t\r\nUnique tools: Fucobha Icefog (shared), Gh0st\r\nActor: Temp.Hex (The Maudi Surveillance Operation [5])\r\nTargeting: Mongolia\r\nPotential motivation: Local Chinese interests, human rights activists, Mongolian diplomatic affairs\r\nMethodology: RTF phishing followed by shellcode executed via an OLE package dropping distinctive source file 8.t\r\nUnique tools: FireShadow, Poison Ivy, Maudi Tool Suite, PlugX\r\nActor: APT responsible for the Reaver malware\r\nTargeting: SE Asia and India; areas associated with dissidents tied to the Chinese Five Poisons\r\nPotential motivation: Five Poisons targeting\r\nMethodology: RTF phishing followed by shellcode executed via an OLE package dropping distinctive source file 8.t\r\nUnique tools: Reaver, Sun Orcal\r\nTable 4: Table characterizing Chinese APT groups utilizing the Royal Road weaponizer.\r\nTemp.Periscope (APT40, Leviathan) has historically targeted US and international institutions associated with naval and\r\nmaritime issues affecting the South China Sea while supporting the theft of intellectual property. This was the first group\r\nobserved utilizing the Royal Road weaponizer; however, it appears to have ceased using it around December 2017 following\r\npatch adoption for CVE-2017-11882.\r\nTemp.Trident (Dagger Panda \u0026 Nomad Panda, Icefog) has historically targeted the Mongolia region (Dagger Panda)\r\nalongside Russia and Central Asia (Nomad Panda), likely as part of economic espionage efforts in support of the Chinese\r\nBelt and Road Initiative. Versions of the custom payload ‘Fucobha’ or ‘Icefog’, which was first identified in 2013, have been\r\nidentified as part of these campaigns. These campaigns have also leveraged more common payloads utilized by Chinese\r\nAPT groups like Gh0st RAT. Historically, Royal Road RTF samples attributed to this APT have included distinctive RTF\r\nmetadata author information that recurs across campaigns.\r\nThe APT group responsible for the Reaver and Sun Orcal malware is also believed to utilize the Royal Road exploit builder.\r\nThis group was the first to be observed utilizing Royal Road v4, which exploited CVE-2018-0802. Historically, this group is\r\nknown to target groups that oppose the Chinese governmental doctrine of ‘One China’. The targeted groups are often\r\nreferred to as ‘the Five Poisons’ and include acolytes of Falun Gong, Muslim Uyghurs, supporters of Chinese democracy,\r\nsupporters of an independent Taiwan, and Tibetans. 
Since these groups consist primarily of dissidents, the geography\r\nassociated with Reaver and Sun Orcal targeting is diverse and is believed to be any location where these populations reside.\r\nResearchers at Cylance publicized Reaver RTF exploits built using the Royal Road tool in May 2019 and reinforced the\r\nobservation of tool sharing among Chinese APT groups at that time [6].\r\nAnother Chinese APT group known to target Mongolia has been identified through this research. The APT known as\r\nTemp.Hex and the Maudi Surveillance Operation has been observed utilizing the Royal Road v5 weaponizer. In addition to\r\nthese distinct Chinese APTs using a common RTF weaponizer, they all share a common post-exploitation execution\r\ntechnique. Rather than downloading and executing a malicious file, the RTF document drops and executes shellcode via an\r\nencoded OLE package which then drops a distinctive source file named ‘8.t’ to execute a payload. This method was\r\nidentified earlier by security analysts in open sources. Anomali Threat Research identified the presence of the unique object\r\ndimension objw871\\objh811\\objscalex8\\objscaley8 in RTF files involved with this post-exploitation method. Signature\r\nalerts for this object’s dimensions indicate the use of the 8.t exploitation technique. The presence of both a shared phishing\r\nweaponizer and a shared post-exploitation execution technique between these groups is indicative of a significant TTP\r\noverlap. It is noteworthy that, after the use of the 8.t source file that is dropped to the temp directory, different files,\r\nregistries and DLLs are used to execute the malicious payload on the host. The weaponizer and exploitation techniques are\r\nshared, but different post-infection techniques and payloads are utilized. 
Varying degrees of overlap have been observed\r\nbetween the post-exploitation techniques of the five Chinese APTs using the Royal Road weaponizer.\r\nAn attribution timeline of publicly available samples is shown in Figure 8.\r\nFigure 8: Attribution timeline of public Royal Road RTF samples.\r\nUnlike the Chinese groups, limited use of the Royal Road weaponizer by the Indian APT actor Sidewinder has been\r\nobserved. Only version 3 of the weaponizer and three total samples have been observed. Specifically, the RTF exploit for\r\nCVE-2017-11882 utilized by Sidewinder contains the string objw2180\\objh300{\\objdata 554567{{\\*\\objdata\r\n1389E614020000000B0000004571756174696F6E2. These dimensions and format are notably similar to the format\r\nobserved in the Royal Road CVE-2017-11882 v2 tool used by Chinese groups, with only the object data obfuscation gadget\r\nvarying between the samples. The post-exploitation methodology used by the Sidewinder operators deviates completely\r\nfrom what is utilized by other APT groups. The RTF downloads and executes a payload via an HTA file. The Sidewinder\r\nAPT has historically targeted organizations linked to the Pakistani Military and is believed by security researchers to be an\r\nactor associated with Indian espionage interests, possibly operating as a contractor in the space. In each case, the use of\r\nweaponized RTF files with unique object dimensions in phishing campaigns relied on the successful exploitation of CVE-2017-11882, after which the opened RTF file downloads and executes HTA files on the victim’s machine. Primarily English-language\r\nphishing files that utilize topics involving the military borders of India, China and Pakistan were weaponized and\r\nrequired execution by the victim to pull down additional files including a malicious HTA file. 
Once the HTA file was\r\ndownloaded from a C2 domain and executed, a PowerShell payload contained in the HTA file was executed on the victim’s\r\nsystem. Another noteworthy aspect of the use of the Royal Road weaponizer by the Sidewinder APT is that it was extremely\r\nbrief. Three samples have been identified from mid-2018. Subsequent Sidewinder campaigns have been identified which\r\nsuggest that the group is no longer utilizing RTF files as its initial phishing attachments, but is rather using ‘.docx’ files\r\nwhich download RTFs that exploit the Equation Editor vulnerability CVE-2017-11882. These new RTFs do not contain object\r\ndimensions.\r\nUtilization of the Royal Road weaponizer v5 exploiting CVE-2018-0798 was attributed to Temp.Trident (Nomad Panda and\r\nDagger Panda), Conimes (Goblin Panda) and Temp.Hex. Researchers were able to identify multiple samples of malicious\r\nRTF documents using this weaponizer in the wild. However, determining a precise date of first use is challenging. Some of\r\nthe analysed samples have a creation date of 19 November 2017 (five days after a patch was released for CVE-2017-11882)\r\n– however, that date appears to be manipulated based on the recent compilation dates of the payloads observed, many of\r\nwhich date to 2019. Researchers place a likely date of first usage in the wild around October 2018 based on a sample\r\n(e228045ef57fb8cc1226b62ada7eee9b) with a VirusTotal submission date of 29 October 2018 and an RTF creation time of\r\n23 October 2018. This earliest observed sample has been attributed to Conimes. Multiple samples analysed by security\r\nresearchers that we associate with CVE-2018-0798 have been mentioned in previous publications and detection signatures by\r\nothers in the security community. 
We believe that some of these samples were misattributed to CVE-2017-11882 or CVE-2018-0802 based on their exploitation of the Equation Editor, despite being classified as CVE-2018-0798.\r\nCommodity actors adopt Royal Road\r\nAfter the brief utilization of Royal Road by the Sidewinder APT and its continuous utilization by Chinese APT groups, a\r\nnew pattern of usage emerged. On 10 March 2019, analysts discovered a new man-in-the-middle (MitM) phishing campaign\r\nthat appeared ultimately to deliver the Formbook malware via CVE-2017-11882 RTF exploits. The campaign delivered\r\nmalicious attachments to users in the address books of compromised victims. These weaponized RTF attachments included\r\nthe object dimensions of the Royal Road weaponizer, objw2180\\\\objh300, along with additional object dimensions\r\nobjw1479\\\\objh975.\r\nFigure 9: Unique object dimensions present in weaponized commodity RTF attachments.\r\nThe malicious emails, while sharing a broad geographic clustering, did not appear to be targeted in nature because victims\r\nexisted in different sectors and the phishing lures were found to have commodity purchase order and invoice themes. The\r\nuse of the Formbook malware in MitM phishing attacks is not unique in itself. However, the tool that threat actors used to\r\nweaponize RTF phishing attachments for this campaign had previously been used only by the Chinese and Indian APT\r\nactors noted above.\r\nA similar campaign was observed on 6 May 2019 utilizing a tariff-themed phishing lure. After the user had executed the\r\nmalicious RTF attachment it exploited CVE-2017-11882. This gave access to the svchost.exe and wmiprvse.exe processes\r\nvia Remote Procedure Calls (RPCs). 
Wmiprvse.exe then spawns a command line shell as a child process that is used to execute\r\nthe file ‘~afer125419.tmp’. This file is created on the host by a Visual Basic script that was previously downloaded from the\r\nPastebin URL pastebin[.]com/raw/9t3R1Ng5 by the malicious RTF.\r\nFigure 10: VBScript used to create malicious ~afer125419.tmp file.\r\nIn some samples from this campaign, the VBScript was found within a malicious HTA file that was downloaded directly\r\nfrom a C2 domain by the initial malicious RTF rather than from the above-referenced Pastebin URL. Notably, each of the\r\nmalicious RTF files includes the RTF metadata author tag ‘n3o’. This metadata information has been associated with\r\nmalicious purchase order and invoice phishing campaigns since at least 2017. Specifically, the ‘n3o’ metadata author tag has\r\nbeen present in identified RTF phishing files that exploited Equation Editor vulnerabilities (CVE-2017-11882 and CVE-2018-0802) from both May 2018 [7] and December 2018.\r\nThe adoption of Royal Road by an additional commodity actor occurred in April 2019. The object dimensions\r\nobjw2180\\\\objh300 were seen in a malspam campaign which appears to have delivered the commodity ransomware Osiris,\r\nwhich is an older variant of the Locky ransomware. The campaign leveraged IT themes within its phishing lures and\r\nspecifically referenced a Samsung printer [8]. The weaponized RTFs all included the metadata author tag ‘wuyan’ and\r\nincluded phishing lure themes ranging from invoices to payment documents and purchase orders. 
‘Wuyan’ is also a known metadata\r\nauthor tag that has been associated with commodity campaigns that did not utilize the Royal Road weaponizer.\r\nWeaponizer life cycle\r\nPhishing weaponizers are created, sold and distributed in the cyber threat landscape in a similar fashion to zero-day\r\nvulnerabilities and proof-of-concept (PoC) exploits. Like zero-day exploits, a weaponizer tool consisting of code that builds\r\nphishing exploits that target vulnerabilities has the most value (both in monetary and operational terms) prior to a\r\nvulnerability’s disclosure. During this period, often a single sophisticated actor is seen developing a weaponizer for a zero-day that has been identified through targeted vulnerability research. Upon a vulnerability’s disclosure by a PoC or product\r\nvendor, a period of rapid tool development by multiple actors often occurs during the time when a vulnerability is unpatched\r\n(‘1 Day’) and during the initial 90 days following the release of a patch. Ninety days is a common duration for patch\r\nimplementation at large enterprises; however, patching may occur faster or slower based on criticality prioritization within\r\nan organization. The current US Department of Defense Cybersecurity Discipline Implementation Plan strives to have all\r\nsystems patched within 21 days of patch release and provides for the network removal of high-risk unpatched devices after a\r\n120-day period [9]. During the initial patch-adoption period, targeted phishing attacks for a disclosed vulnerability will have\r\na high success rate based on the limited degree of deployed patches in the threat landscape. 
Therefore, the largest number of\r\nnew weaponizers for a specific vulnerability will be observed during this period.\r\nFollowing the initial patch-adoption period, continued adoption, innovation, and diffusion of weaponizer tools is often\r\nobserved with usage by less sophisticated actors including cybercriminal and commodity adversaries involved with malspam\r\ndistribution. This adoption of once-sophisticated weaponizers by unsophisticated actors is accompanied by a decrease in the\r\neffectiveness of the targeted attacks that make use of the weaponizer because the number of patched machines rises over\r\ntime. Although less effective in targeted attacks, late-stage weaponizer usage for large-scale, untargeted commodity\r\ncampaigns like malspam allows additional value to be derived from a weaponizer like Royal Road. Late-stage actor adoption\r\nof such tools can be further driven by the publication of research that may include both samples and code writeups, allowing\r\nadversaries to adopt or recreate the published weaponizer.\r\nThe diagram shown in Figure 11 maps the adoption of the Royal Road weaponizer for CVE-2017-11882, CVE-2018-0802\r\nand CVE-2018-0798 by multiple APT and cybercriminal adversaries. Royal Road has not been found to be a tool that\r\nexploited these CVEs as zero-days. CVE-2017-11882 and CVE-2018-0802 were disclosed in the threat landscape and\r\npatched by Microsoft in close succession. It is likely that sophisticated APT groups like Temp.Periscope immediately began\r\ndeveloping, or purchased, a functional weaponizer for CVE-2017-11882 in the days following disclosure. 
This conclusion is\r\nbased on the first functional Royal Road sample being observed just four days after the disclosure of CVE-2017-11882.\r\nConimes/Goblin Panda was also seen utilizing the same weaponizer and post-infection DLL hijacking methodology within\r\nthe initial 90-day patching cycle. Meanwhile, the APT group responsible for Reaver malware was found to be utilizing a\r\nfunctional exploit for CVE-2018-0802 created by the Royal Road builder within 90 days of initial exploit disclosure.\r\nFigure 11: Royal Road adoption timeline.\r\nFollowing the initial patching period, new variations of the Royal Road weaponizer began to emerge, with Goblin Panda and\r\nNomad Panda deploying an updated version that exploited CVE-2017-11882. 
These Chinese APT groups were subsequently\r\nobserved adopting the Royal Road weaponizer version that now exploited CVE-2018-0802, first used by the Reaver Group.\r\nThe Sidewinder APT, which is believed to originate from South Asia, was also seen briefly utilizing a different version of\r\nthe Royal Road weaponizer for CVE-2017-11882 following the initial 90 days after patch disclosure.\r\nThe usage of the Royal Road version 4 weaponizer for CVE-2018-0802 persisted past the initial patching period and also\r\ncontinued following Anomali’s publication regarding the Royal Road tool that was released in February 2019 [10].\r\nInterestingly, in the period following publication, an additional cluster of phishing emails using Royal Road version 5 was\r\nidentified targeting Mongolian speakers that appeared to be related to a Chinese APT group referred to as Temp.Hex by\r\nFireEye and the Maudi Surveillance Operation by Norman Shark. Specifically, a Royal Road RTF attachment named\r\n‘Цэргийн багийн 8 ээлж ашиглагдах утасны дугаарын жагсаалт.doc’, which translates to ‘List of telephone numbers to\r\nbe used in the 8th Military Team.doc’ (1e78ebbfb5fd1ee66f44030d52f80806d184e6daa00dd7aaa1a30b53c629912d) was\r\nfound to utilize the C2 mtanews.vzglagtime[.]net, which resolved to the IP 217.69.8[.]255 at the time of analysis [11]. The\r\nsame IP was observed to be the C2 host used by a FIRESHADOW malware payload in a campaign in January 2019 which\r\nFireEye attributed to Temp.Hex and identified as targeting Mongolian transportation and telecommunications sectors.\r\nAdditionally, another RTF file that FireEye associates with that January campaign (5cc1272272a6de91e1c43832f289c73f)\r\nutilizes the same post-infection mechanism for DLL side-loading as the above Royal Road sample. 
The samples drop the\r\nencoded 8.t file to the temp folder. When this file is decoded it is the malicious executable winhelp.wll. The malicious EXE\r\nis then copied to %APPDATA%\\Intel\\Intel(R) Processor Graphics\\RasTls.dll and side-loaded\r\nusing the legitimate executable IntelGraphicsController.exe. It is worth noting that the malicious executable file name\r\n‘winhelp.wll’ has historically been observed in campaigns linked to Dagger Panda and Nomad Panda as well.\r\nWhile functional exploits for CVE-2017-11882 and CVE-2018-0802 were in rapid development by the groups Conimes,\r\nTemp.Periscope and Reaver following their initial disclosure, a slower adoption was observed for CVE-2018-0798. This\r\nvulnerability, which also targeted the Equation Editor, was utilized by threat actors following the initial 90-day disclosure\r\nperiod. Although the exact date of actor adoption is not known for CVE-2018-0798 samples, since the earliest testing\r\nsamples appear to be timestomped with dates from 2017, we believe ItW samples emerged in October 2018. The version 5\r\nRoyal Road weaponizer, identifiable by the obfuscation gadget string objw2180\\objh300\\objdata\\object\r\n5154\\781\\'e56\\'2f7\\objdata 01050000020000000b0000004571756174696f6e2e33000000000000000000002e0000d01, was\r\nseen twice in October 2018. This use continued intermittently until April 2019. Following this adoption, RTF files weaponized by Royal Road version\r\n5 for CVE-2018-0798 became more ubiquitous among the APT groups, with Temp.Hex and\r\nTemp.Trident incorporating the tool in their tactics.\r\nFinally, following the Anomali publication on the Royal Road weaponizer, and for the first time since its initial emergence in\r\nNovember 2017, the Royal Road object dimensions began to appear in commodity campaigns delivering malicious RTF\r\nfiles weaponized for CVE-2017-11882. 
Appearing first in March 2019 and continuing until June 2019, the timing of this\r\nrelease in the commodity landscape is striking. Although unsubstantiated at this time, it is possible that, following the\r\nAnomali publication about the Royal Road weaponizer, the exploit was released or sold for use by an exploit broker to\r\ncommodity actors. Whereas the value of an exploit builder is greatest when no one knows of the vulnerability, its value is\r\nlowest when in-depth knowledge and detection signatures for a tool have been published. Researchers reiterate that this\r\npossibility remains unsubstantiated at this time and recognize that adoption of such a tool by both commodity and Indian\r\nAPT actors could be the result of reverse engineering a sample encountered through fourth/Nth-party collection. Intermittent\r\nuse of the Royal Road weaponizer in commodity phishing campaigns does not establish whether the tool was created\r\nby an exploit broker or an APT developer. However, its commodity emergence does suggest an attempt to derive broader\r\nvalue from a tool following an open-source publication which previously documented it as part of multiple APT toolkits.\r\nAdditional threat activity clusters based on RTF object dimensions\r\nResearchers identified an additional 26 clusters of activity identifiable by their unique object dimensions, as shown in Figure\r\n12. It is believed that each of the unique object dimensions and their correlated activity represent a phishing weaponizer\r\nbeing utilized in the wild. The identified activity includes additional weaponizers utilized by the APT groups responsible for\r\nthe Reaver malware and the criminal campaigns dubbed ‘Gorgon Group’ by Palo Alto Networks (believed to be associated\r\nwith the Pakistani APT group Subaat) [12, 13]. 
Several commodity and unidentified weaponizers were observed that are\r\nprimarily in use as part of malspam and banking trojan campaigns. Additionally, three public phishing weaponizers were\r\nidentified in open source as PoCs or GitHub projects which have been utilized in a range of campaigns including both\r\ncybercriminal and APT activity.\r\nFigure 12: 26 additional RTF weaponizers identified using unique object dimensions.\r\nConclusion\r\nThe application of RTF attribution techniques across over 6,000 samples has ultimately identified 27 RTF weaponizers, 18\r\nmonths of targeted APT activity spanning six adversaries, and has demonstrated the value derived from the analysis of\r\nunique object dimensions. While the continued analysis of other aspects of the RTF file format – including metadata,\r\nshellcode and obfuscation – remains valuable, object dimensions provide a unique visibility into weaponizer tool usage in\r\nthe threat landscape. The relative ease and significant return of YARA signatures tracking these dimensions provides\r\nnetwork defenders with a high-veracity, repeatable method for identifying malicious RTF phishing attachments. This high-value\r\nboon to defenders is augmented by the long-term strategic context that tracking object dimensions can offer as part of threat\r\nactor profiling. Should these object dimensions remain relatively obscure in the static detections employed by anti-virus\r\nsignatures and therefore insignificant in the eyes of threat actors, we believe that attribution will remain in the object.\r\nReferences\r\n[1] 2019 Data Breach Investigations Report. May 8, 2019. https://enterprise.verizon.com/resources/reports/dbir/.\r\n[2] Raggi, M. A. Schrodinger’s Backslash: Tracking the Chinese APT Goblin Panda Using RTF Metadata. SANS Cyber\r\nThreat Intelligence Summit. January 22, 2019. https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1548184559.pdf.\r\n[3] Yang, J. 
How RTF Malware Evades Static Signature-based Detection. FireEye Threat Research. May 20, 2016.\r\nhttps://www.fireeye.com/blog/threat-research/2016/05/how_rtf_malware_evad.html.\r\n[4] Larin, B. Disappearing Bytes: Reverse Engineering the MS\r\nOffice RTF Parser. Securelist. February 21, 2018. https://securelist.com/disappearing-bytes/84017/.\r\n[5] Fagerland, S. The Chinese Malware Complexes: The Maudi Surveillance Operation. Seebug.org. 2012.\r\nhttps://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/NormanShark-MaudiOperation.pdf.\r\n[6] Cylance Research and Intelligence Team. Reaver: Mapping Connections Between Disparate Chinese APT Groups.\r\nThreat Vector. May 14, 2019. https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html.\r\n[7] https://github.com/decalage2/oletools/issues/307; https://www.anquanke.com/post/id/168455.\r\n[8] Scan from a Samsung MFP Malspam Delivers Locky Osiris. My Security Online. December 08, 2016.\r\nhttps://myonlinesecurity.co.uk/scan-from-a-samsung-mfp-malspam-delivers-locky-osiris/.\r\n[9] United States Department of Defense. DoD Cybersecurity Discipline Implementation Plan. February 2016.\r\nhttps://dodcio.defense.gov/Portals/0/Documents/Cyber/CyberDis-ImpPlan.pdf.\r\n[10] Raggi, M. A.; Saad, G. Analyzing Digital QuarterMasters in Asia. Anomali Blog. March 2019.\r\nhttps://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain.\r\n[11] Beaumont, K. Twitter. April 17, 2019. https://twitter.com/GossiTheDog/statuses/1118478326908248064.\r\n[12] Falcone, R.; Fuertes, D.; Grunzweig, J.; Wilhoit, K. The Gorgon Group: Slithering Between Nation State and\r\nCybercrime. Unit 42. August 08, 2018. 
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/.\r\n[13] Falcone, R.; Ash, B. Aggah Campaign: Bit.ly, BlogSpot, and Pastebin Used for C2 in Large Scale Campaign. Unit 42.\r\nApril 17, 2019. https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/.\r\nYARA signatures\r\nrule Royal_Road_RTF_weaponizer\r\n{\r\nmeta:\r\n author = \"Anomali\"\r\n tlp = \"GREEN\"\r\n version = \"2.0\"\r\n date = \"2018-11-10\"\r\n hash = \"9d0c4ec62abe79e754eaa2fd7696f98441bc783781d8656065cddfae3dbf503e\"\r\n description = \"Detects malicious Royal Road RTF from object dimension\"\r\nstrings:\r\n $S1 = \"objw2180\\\\objh300\"\r\n $RTF = \"{\\\\rt\"\r\ncondition:\r\n $RTF at 0 and $S1\r\n}\r\nrule RTF_Malicious_Object_8_t_Chinese_APT_Activity\r\n{\r\nmeta:\r\n author = \"Anomali\"\r\n tlp = \"GREEN\"\r\n version = \"2.0\"\r\n date = \"2018-11-10\"\r\n hash = \"9d0c4ec62abe79e754eaa2fd7696f98441bc783781d8656065cddfae3dbf503e\"\r\n description = \"Detects malicious RTF from object dimension indicating 8.t post infection mechanism\"\r\nstrings:\r\n $S1 = \"objw871\\\\objh811\\\\objscalex8\\\\objscaley8\"\r\n $RTF = \"{\\\\rt\"\r\ncondition:\r\n $RTF at 0 and $S1\r\n}\r\nIndicators of Compromise\r\nGoblin Panda / Conimes\r\nReaver\r\nTemp.Hex\r\nTemp.Periscope / Leviathan / APT40\r\nTemp.Trident\r\nUnattributed (Chinese APT) samples\r\nSidewinder APT\r\nFormbook ‘n3o’ commodity campaigns\r\nWuyan commodity campaigns\r\nSource: https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers/"
	],
	"report_names": [
		"vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b0d34dd6-ee90-483b-bb6c-441332274160",
			"created_at": "2022-10-25T16:07:23.296754Z",
			"updated_at": "2026-04-10T02:00:04.526403Z",
			"deleted_at": null,
			"main_name": "Aggah",
			"aliases": [
				"Operation Red Deer",
				"Operation Roma225"
			],
			"source_name": "ETDA:Aggah",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Aggah",
				"Atros2.CKPN",
				"Bladabindi",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"Origin Logger",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Warzone",
				"Warzone RAT",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c09dd7ba-3b6c-4a02-9ae6-949b0afc0b16",
			"created_at": "2023-01-06T13:46:38.907191Z",
			"updated_at": "2026-04-10T02:00:03.141637Z",
			"deleted_at": null,
			"main_name": "NOMAD PANDA",
			"aliases": [],
			"source_name": "MISPGALAXY:NOMAD PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18278778-fa63-4a9a-8988-4d266b8c5c1a",
			"created_at": "2023-01-06T13:46:38.769816Z",
			"updated_at": "2026-04-10T02:00:03.094179Z",
			"deleted_at": null,
			"main_name": "The Gorgon Group",
			"aliases": [
				"Gorgon Group",
				"Subaat",
				"ATK92",
				"G0078",
				"Pasty Gemini"
			],
			"source_name": "MISPGALAXY:The Gorgon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "97fdaf9f-cae1-4ccc-abe2-76e5cbc0febd",
			"created_at": "2022-10-25T15:50:23.296989Z",
			"updated_at": "2026-04-10T02:00:05.347085Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"Gorgon Group"
			],
			"source_name": "MITRE:Gorgon Group",
			"tools": [
				"NanoCore",
				"QuasarRAT",
				"Remcos",
				"njRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5d9dfc61-6138-497a-b9da-33885539f19c",
			"created_at": "2022-10-25T16:07:23.720008Z",
			"updated_at": "2026-04-10T02:00:04.726002Z",
			"deleted_at": null,
			"main_name": "Icefog",
			"aliases": [
				"ATK 23",
				"Dagger Panda",
				"Icefog",
				"Red Wendigo"
			],
			"source_name": "ETDA:Icefog",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Dagger Three",
				"Fucobha",
				"Icefog",
				"Javafog",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbb1ee4e-bbe9-44de-8f46-8e7fec09f695",
			"created_at": "2022-10-25T16:07:24.120424Z",
			"updated_at": "2026-04-10T02:00:04.871598Z",
			"deleted_at": null,
			"main_name": "RedFoxtrot",
			"aliases": [
				"Moshen Dragon",
				"Nomad Panda",
				"TEMP.Trident"
			],
			"source_name": "ETDA:RedFoxtrot",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Fucobha",
				"GUNTERS",
				"Gen:Trojan.Heur.PT",
				"Icefog",
				"Impacket",
				"Kaba",
				"Korplug",
				"PCShare",
				"POISONPLUG.SHADOW",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"XShellGhost",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2",
			"created_at": "2023-06-20T02:02:10.254614Z",
			"updated_at": "2026-04-10T02:00:03.365336Z",
			"deleted_at": null,
			"main_name": "Hagga",
			"aliases": [
				"TH-157",
				"Aggah"
			],
			"source_name": "MISPGALAXY:Hagga",
			"tools": [
				"Agent Tesla"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6c4e4b91-1f98-49e2-90e6-435cea8d3d53",
			"created_at": "2022-10-25T16:07:23.693797Z",
			"updated_at": "2026-04-10T02:00:04.711987Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"ATK 92",
				"G0078",
				"Pasty Draco",
				"Subaat",
				"TAG-CR5"
			],
			"source_name": "ETDA:Gorgon Group",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Atros2.CKPN",
				"Bladabindi",
				"CinaRAT",
				"Crimson RAT",
				"ForeIT",
				"Jorik",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"MSIL",
				"MSIL/Crimson",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Origin Logger",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"SEEDOOR",
				"Scarimson",
				"Socmer",
				"Yggdrasil",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438939,
	"ts_updated_at": 1775792281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1618dabcb33c58ce1804bccb2e71df09c140b620.pdf",
		"text": "https://archive.orkl.eu/1618dabcb33c58ce1804bccb2e71df09c140b620.txt",
		"img": "https://archive.orkl.eu/1618dabcb33c58ce1804bccb2e71df09c140b620.jpg"
	}
}