{
	"id": "9b2d1232-9d44-4b15-916b-167f5a98dfd4",
	"created_at": "2026-04-06T00:19:10.060194Z",
	"updated_at": "2026-04-10T03:27:39.359786Z",
	"deleted_at": null,
	"sha1_hash": "1955b31cefddc52be38b39d817ebe080ca6c4f9f",
	"title": "Whitefly: Espionage Group has Singapore in Its Sights",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45995,
	"plain_text": "Whitefly: Espionage Group has Singapore in Its Sights\r\nBy About the Author\r\nArchived: 2026-04-05 18:08:29 UTC\r\nIn July 2018, an attack on Singapore’s largest public health organization, SingHealth, resulted in a reported 1.5\r\nmillion patient records being stolen. Until now, nothing was known about who was responsible for this attack.\r\nSymantec researchers have discovered that this attack group, which we call Whitefly, has been operating since at\r\nleast 2017, has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily\r\ninterested in stealing large amounts of sensitive information.\r\nWhitefly compromises its victims using custom malware alongside open-source hacking tools and living off the\r\nland tactics, such as malicious PowerShell scripts.\r\nWhitefly’s targets\r\nFrom mid-2017 to mid-2018, Whitefly launched targeted attacks against multiple organizations. While most of\r\nthese organizations were based in Singapore, some were multinational organizations with a presence in Singapore.\r\nTo date, Whitefly has attacked organizations in the healthcare, media, telecommunications, and engineering\r\nsectors.\r\nHow Whitefly compromises its victims\r\nWhitefly first infects its victims using a dropper in the form of a malicious .exe or .dll file that is disguised as a\r\ndocument or image. These files frequently purport to offer information on job openings or appear to be documents\r\nsent from another organization operating in the same industry as the victim. Given the nature of disguise, it’s\r\nhighly likely that they are sent to the victim using spear-phishing emails.\r\nIf opened, the dropper runs a loader known as Trojan.Vcrodat on the computer. Whitefly has consistently used a\r\ntechnique known as search order hijacking to run Vcrodat. This technique takes advantage of the fact that\r\nWindows does not require an application to provide a specific path for a DLL that it wishes to load. 
If no path is\r\nprovided, Windows searches for the DLL in specific locations on the computer in a pre-defined order. Attackers\r\ncan therefore give a malicious DLL the same name as a legitimate DLL but place it ahead of the legitimate version\r\nin the search order so that it will be loaded when Windows searches for it. Whitefly frequently delivers Vcrodat as\r\na malicious DLL that has the same name as DLLs belonging to legitimate software from various security vendors.\r\nThe group leverages search order hijacking to assure that its malicious DLLs will be executed. Targeting security\r\napplications could allow the attackers to gain higher privileges for the malware, since the vendor’s component\r\nmay be run with elevated privileges.\r\nOnce executed, Vcrodat loads an encrypted payload on to the victim’s computer. The payload contacts a command\r\nand control (C\u0026C) domain. Whitefly configures multiple C\u0026C domains for each target. The payload sends system\r\nhttps://symantec-blogs.broadcom.com/blogs/threat-intelligence/whitefly-espionage-singapore?es_p=8774683\r\nPage 1 of 3\n\ninformation about the infected computer to the C\u0026C server and downloads additional tools.\r\nOnce the initial computer on the targeted organization’s network is infected with Vcrodat, Whitefly begins\r\nmapping the network and infecting further computers. In order to carry out this operation, it uses publicly\r\navailable tools, including Mimikatz (Hacktool.Mimikatz) and an open-source tool (SHA2:\r\n263dc5a8121d20403beeeea452b6f33d51d41c6842d9d19919def1f1cb13226c) that exploits a known Windows\r\nprivilege escalation vulnerability (CVE-2016-0051) on unpatched computers. The attackers rely heavily on tools\r\nsuch as Mimikatz to obtain credentials. Using these credentials, the attackers are able to compromise more\r\nmachines on the network and, from those machines, again obtain more credentials.  
They perform this tactic\r\nrepeatedly until they gain access to the desired data.\r\nWhitefly usually attempts to remain within a targeted organization for long periods of time—often months—in\r\norder to steal large volumes of information. It keeps the compromise alive by deploying a number of tools that\r\nfacilitate communication between the attackers and infected computers. These tools include a simple remote shell\r\ntool that will call back to the C\u0026C server and wait for commands, and an open-source hacking tool called Termite\r\n(Hacktool.Rootkit), which allows Whitefly to perform more complex actions such as controlling multiple\r\ncompromised machines at a time.\r\nAdditional malware used in selected attacks\r\nIn some attacks, Whitefly has used a second piece of custom malware, Trojan.Nibatad. Like Vcrodat, Nibatad is\r\nalso a loader that leverages search order hijacking, and downloads an encrypted payload to the infected computer.\r\nAnd similar to Vcrodat, the Nibatad payload is designed to facilitate information theft from an infected computer.\r\nWhile Vcrodat is delivered via the malicious dropper, we have yet to discover how Nibatad is delivered to the\r\ninfected computer. Why Whitefly uses these two different loaders in some of its attacks remains unknown. And\r\nwhile we have found both Vcrodat and Nibatad inside individual victim organizations, we have not found any\r\nevidence of them being used simultaneously on a single computer.\r\nLinks to other attacks\r\nSome of the tools that Whitefly has used in its attacks have also been deployed in other targeted attacks outside\r\nSingapore.\r\nBetween May 2017 and December 2018, a multi-purpose command tool (SHA2:\r\n7de8b8b314f2d2fb54f8f8ad4bba435e8fc58b894b1680e5028c90c0a524ccd9) that has been used by Whitefly was\r\nalso used in attacks against defense, telecoms, and energy targets in Southeast Asia and Russia. 
The tool appears\r\nto be custom-built and, aside from its use by Whitefly, these were the only other attacks where Symantec has\r\nobserved its use.\r\nIn another case, Vcrodat was also used in an attack on a UK-based organization in the hospitality sector.\r\nIt’s possible Whitefly itself performed these attacks but it’s more likely that they were carried out by one or more\r\nother groups with access to the same tools.\r\nAdept attackers with a large toolset\r\nIt now appears that the SingHealth breach was not a one-off attack and was instead part of a wider pattern of\r\nattacks against organizations in the region. Whitefly is a highly adept group with a large arsenal of tools at its\r\ndisposal, capable of penetrating targeted organizations and maintaining a long-term presence on their networks.\r\nLinks with attacks in other regions also present the possibility that it may be part of a broader intelligence\r\ngathering operation.\r\nProtection/Mitigation\r\nSymantec has the following protection in place to protect customers against these attacks:\r\nFile-based protection\r\nTrojan.Vcrodat\r\nTrojan.Nibatad\r\nHacktool.Rootkit\r\nHacktool.Mimikatz\r\nIndicators of Compromise\r\nSource: https://symantec-blogs.broadcom.com/blogs/threat-intelligence/whitefly-espionage-singapore?es_p=8774683",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/whitefly-espionage-singapore?es_p=8774683"
	],
	"report_names": [
		"whitefly-espionage-singapore?es_p=8774683"
	],
	"threat_actors": [
		{
			"id": "ad5c6ff2-0646-4b29-88bb-d88c75e4866d",
			"created_at": "2022-10-25T15:50:23.662882Z",
			"updated_at": "2026-04-10T02:00:05.385067Z",
			"deleted_at": null,
			"main_name": "Whitefly",
			"aliases": [
				"Whitefly"
			],
			"source_name": "MITRE:Whitefly",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cd9f8d91-c55c-4086-a1a0-23e78d194d46",
			"created_at": "2023-01-06T13:46:38.943454Z",
			"updated_at": "2026-04-10T02:00:03.153969Z",
			"deleted_at": null,
			"main_name": "Whitefly",
			"aliases": [],
			"source_name": "MISPGALAXY:Whitefly",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "df9bfbf1-bb9d-492f-b381-95b9e1482267",
			"created_at": "2022-10-25T16:07:24.394491Z",
			"updated_at": "2026-04-10T02:00:04.973663Z",
			"deleted_at": null,
			"main_name": "Whitefly",
			"aliases": [
				"ATK 83",
				"Bronze Walker",
				"G0103",
				"G0107",
				"Mofang",
				"SectorM04",
				"TEMP.Mimic"
			],
			"source_name": "ETDA:Whitefly",
			"tools": [
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Nibatad",
				"Shim RAT",
				"ShimRAT",
				"Vcrodat"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434750,
	"ts_updated_at": 1775791659,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1955b31cefddc52be38b39d817ebe080ca6c4f9f.pdf",
		"text": "https://archive.orkl.eu/1955b31cefddc52be38b39d817ebe080ca6c4f9f.txt",
		"img": "https://archive.orkl.eu/1955b31cefddc52be38b39d817ebe080ca6c4f9f.jpg"
	}
}