{
	"id": "ca9ecd52-7e17-40d9-baf5-04ce9d8421d7",
	"created_at": "2026-04-06T00:11:07.05201Z",
	"updated_at": "2026-04-10T03:35:59.997957Z",
	"deleted_at": null,
	"sha1_hash": "197d02b4e62679b155c1cc1b0d5576e02216ad35",
	"title": "StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 740279,
	"plain_text": "StormBamboo Compromises ISP to Abuse Insecure Software\r\nUpdate Mechanisms\r\nBy mindgrub\r\nPublished: 2024-08-02 · Archived: 2026-04-05 15:40:49 UTC\r\nIn mid-2023, Volexity detected and responded to multiple incidents involving systems becoming infected with\r\nmalware linked to StormBamboo (aka Evasive Panda, and previously tracked by Volexity under “StormCloud”).\r\nIn those incidents, multiple malware families were found being deployed to macOS and Windows systems across\r\nthe victim organizations’ networks.\r\nThe infection vector for this malware was initially difficult to establish but later proved to be the result of a DNS\r\npoisoning attack at the internet service provider (ISP) level. Volexity determined that StormBamboo was altering\r\nDNS query responses for specific domains tied to automatic software update mechanisms. StormBamboo\r\nappeared to target software that used insecure update mechanisms, such as HTTP, and did not properly validate\r\ndigital signatures of installers. Therefore, when these applications went to retrieve their updates, instead of\r\ninstalling the intended update, they would install malware, including but not limited to MACMA and\r\nPOCOSTICK (aka MGBot). The overall workflow used by the attackers is similar to a previous incident\r\ninvestigated by Volexity that was attributed to DriftingBamboo, a threat actor which is possibly related to\r\nStormBamboo.\r\nIn April 2023, ESET published a blog post about a malware family that Volexity has tracked since 2018 as\r\nPOCOSTICK. ESET did not have direct evidence but proposed the most likely source of infection was an\r\nadversary-in-the-middle (AiTM). 
Volexity can now confirm this scenario in a real-world case and prove the\r\nattacker was able to control the target ISP’s DNS infrastructure in order to modify DNS responses in the victim\r\norganization’s network.\r\nThis blog post explains the infection vector and gives an example of where an automatic update was abused by\r\nStormBamboo. Note that this is just one example; the threat actor has modified installation workflows for a range\r\nof applications whose update mechanisms are vulnerable to this type of attack.\r\nOverview\r\nDuring one incident investigated by Volexity, it was discovered that StormBamboo poisoned DNS requests to\r\ndeploy malware via an HTTP automatic update mechanism and poison responses for legitimate hostnames that\r\nwere used as second-stage, command-and-control (C2) servers.\r\nThe DNS records were poisoned to resolve to an attacker-controlled server in Hong Kong at IP address\r\n103.96.130[.]107. Initially, Volexity suspected the initial victim organization’s firewall may have been\r\ncompromised. However, further investigation revealed the DNS poisoning was not performed within the target\r\ninfrastructure, but further upstream at the ISP level. Volexity notified and worked with the ISP, who investigated\r\nvarious key devices providing traffic-routing services on their network. As the ISP rebooted and took various\r\nhttps://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abuse-insecure-software-update-mechanisms/\r\nPage 1 of 12\n\ncomponents of the network offline, the DNS poisoning immediately stopped. During this time, it was not possible\r\nto pinpoint a specific device that was compromised, but various components of the infrastructure were updated or\r\nleft offline and the activity ceased.\r\nThis is not the first case where Volexity has encountered an attacker utilizing DNS poisoning to facilitate initial\r\naccess to a target network. 
In the May 2023 Cyber Session, Volexity presented details of a malware family it calls\r\nCATCHDNS, DNS poisoning malware used by DriftingBamboo that was deployed to a network appliance (in that\r\ninstance, a Sophos XG Firewall). Volexity cannot confirm what mechanism was used by StormBamboo on the\r\nISP’s routers to modify DNS responses; however, CATCHDNS would be a well-designed tool to achieve this goal\r\nin an ISP environment. An analysis of CATCHDNS can be found in the Appendix.\r\nDNS Poisoning: Now with Abuse of Insecure Automatic Update Mechanisms!\r\nIn the previously analyzed case where CATCHDNS was used to modify DNS responses, the end goal of the\r\nattacks was to modify the content of pages users browsed. This resulted in a popup JavaScript alert on the page\r\nasking the user to “update their browser”, which would download a malicious file from the attacker’s server. In\r\nthis most recent case, the attacker’s method of delivering malware was more sophisticated, abusing insecure\r\nautomatic update mechanisms present in software in the victim’s environment, thus requiring no user interaction.\r\nThe logic behind the abuse of automatic updates is the same for all the applications: the legitimate application\r\nperforms an HTTP request to retrieve a text-based file (the format varies) containing the latest application version\r\nand a link to the installer. Since the attacker has control of the DNS responses for any given DNS name, they\r\nabuse this design, redirecting the HTTP request to a C2 server they control hosting a forged text file and a\r\nmalicious installer. The AiTM workflow is shown below.\r\nVolexity observed StormBamboo targeting multiple software vendors, who use insecure update workflows, using\r\nvarying levels of complexity in their steps for pushing malware. 
For example, 5KPlayer uses a workflow in which, each time the application is started, the binary automatically\r\nchecks whether a new version of “YoutubeDL” is available.\r\nThe image below shows the HTTP request to upgrade Youtube.config.\r\nAnd the following image shows the contents of upgrade Youtube.config.\r\nIf a new version is available, it is downloaded from the specified URL and executed by the legitimate application.\r\nStormBamboo used DNS poisoning to host a modified config file indicating a new update was available. This\r\nresulted in the YoutubeDL software downloading an upgrade package from StormBamboo’s server.\r\nAs one might expect, the YoutubeDL package had been backdoored through the insertion of malicious code into\r\nthe middle of the YouTubeDL.py file that is used as part of the upgrade process. The image below shows the inserted\r\nmalicious code, starting at line 164.\r\nIts purpose is to download the next stage, a PNG file containing MACMA (macOS) or POCOSTICK (Windows)\r\ndepending on the operating system.\r\nMACMA was first publicly documented in 2021 by Google TAG. In the three years since, MACMA has changed,\r\nwith more features added for the convenience of the operator and some of its architecture overhauled. For\r\nexample, the network protocol has been completely changed. The original version used a Data Distribution Server\r\n(DDS) implemented in a series of custom classes prefixed by the string “CDDS”. Now, MACMA appears to use\r\nthe kNET UDP protocol for network communications. 
During its analysis, Volexity noticed significant\r\ncode similarities between the latest MACMA version and the GIMMICK malware family previously described by\r\nVolexity.\r\nFollow-on Activity\r\nIn one case, following successful compromise of a victim’s macOS device, Volexity observed StormBamboo\r\ndeploying a Google Chrome extension to the victim’s device. Volexity tracks this malicious extension under the\r\nname RELOADEXT. The extension was installed using a custom binary (ee28b3137d65d74c0234eea35fa536af)\r\ndeveloped by the attacker. The installer supports the following parameters:\r\nParameter Description\r\n-p / --plugin Path of the plugins (must be a ZIP archive)\r\n-f / --force Kill Chrome and install the plugin\r\nThe browser extension is deployed by modifying the Secure Preferences file to include the new extension. The\r\ninstaller also correctly fixes the protections.macs and protections.super_mac values in the newly modified\r\nSecure Preferences file. These values are designed to prevent tampering with a user’s browser settings, but they can\r\nbe forged. 
If they do not contain the expected values, Chrome will overwrite the Secure Preferences file.\r\nThe plugin passed to this tool is stored in the following location:\r\n$HOME/Library/Application Support/Google/Chrome/Default/Default/CustomPlug1n/Reload/\r\nOnce configured, it can be seen in the user’s Secure Preferences file, as shown below.\r\nFinally, the plugin (6abf9a7926415dc00bcb482456cc9467) is activated by the installer running the following\r\nAppleScript command:\r\nosascript -e tell application “Google Chrome” to activate\r\nThe extension portrays itself as an extension that loads a page in compatibility mode with Internet Explorer:\r\nThe main JavaScript logic used by the extension is obfuscated using Obfuscator.io. The purpose of the extension\r\nis to exfiltrate browser cookies to a Google Drive account controlled by the attacker. The attacker’s Google Drive\r\nclient_id, client_secret, and refresh_token are all contained in the extension. They are encrypted beyond\r\nthe default encryption afforded by Obfuscator.io using AES with the key “chrome extension”.\r\nThe exfiltrated data sent to Google Drive is also encrypted using AES, using the key “opizmxn!@309asdf”, and\r\nencoded with base64 prior to exfiltration.\r\nConclusion\r\nStormBamboo is a highly skilled and aggressive threat actor who compromises third parties (in this case, an ISP)\r\nto breach intended targets. 
The variety of malware employed in various campaigns by this threat actor indicates\r\nsignificant effort is invested, with actively supported payloads for not only macOS and Windows, but also network\r\nappliances.\r\nThe incident described in this blog post confirms the supposition made by ESET concerning the infection vector\r\nfor the POCOSTICK malware. The attacker can intercept DNS requests and poison them with malicious IP\r\naddresses, and then use this technique to abuse automatic update mechanisms that use HTTP rather than HTTPS.\r\nThis method is similar to the attack vector Volexity previously observed being used by DriftingBamboo following\r\nthe 0-day exploitation of Sophos Firewalls.\r\nTo detect the malware used in this specific attack, Volexity recommends the following:\r\nUse the rules provided here to detect related activity.\r\nBlock the IOCs provided here.\r\nVolexity’s Threat Intelligence research, such as the content from this blog, is published to customers via\r\nits Threat Intelligence Service. The content of this blog post is a summary of posts published in 2022–\r\n2024. Volexity Network Security Monitoring customers are also automatically covered through\r\nsignatures and deployed detections from the threats and IOCs described in this post.\r\nIf you are interested in learning more about these products and services, please do not hesitate to\r\ncontact us.\r\nAppendix\r\nCATCHDNS Analysis\r\nCATCHDNS is 32-bit ELF malware targeting Linux systems. It was discovered in a case investigated by\r\nVolexity that Volexity attributes to StormBamboo. CATCHDNS is designed to be deployed on systems through\r\nwhich most of the network traffic passes. In the specific case investigated by Volexity, this malware was\r\ndiscovered on a perimeter firewall device. 
However, CATCHDNS could be deployed on any Linux device that\r\nsupports the use of libpcap.\r\nAfter initial analysis, Volexity found that the malware is fully stripped, and the library functions are statically\r\nlinked, making further analysis more difficult. CATCHDNS stores its configuration within itself as an\r\nencrypted archive. The malware decrypts the archive and drops it on disk at runtime with the name\r\n[binary_name].tty. This archive is then decompressed in memory, and the copy on disk is deleted. In the\r\nexample analyzed, the configuration file was in a file named dns.ini. The configuration follows the INI file\r\nformat, which consists of various sections containing key-value pairs.\r\nCATCHDNS configurations can have the following sections:\r\nSection Description\r\n[LISTEN_DEV]\r\n[SEND_DEV]\r\nThe listen device and send device sections have a “dev” key under them whose value\r\nrefers to the interface on which the malware intercepts the packets and sends fake packets.\r\n[DNSDomain]\r\nThis section contains the “dns” key whose value represents the domain whose DNS is to\r\nbe hijacked.\r\n[SERVER_IP]\r\nThis section contains the “ip” key whose value is the IP address to which the hijacked\r\ndomain will resolve once the malware has successfully performed hijacking.\r\n[IPLimit]\r\nThis section contains a key named “ip”. When this is defined, the malware only hijacks\r\nrequests originating from this IP address. This option only applies to HTTP requests.\r\n[HTTPConfig]\r\nThis section is interesting, as it is the only one with multiple keys. It defines various\r\nvalues that are used when the malware intercepts HTTP requests.\r\nPacket Interception\r\nPacket interception is a key component of CATCHDNS. To intercept packets, it makes use of libpcap, a\r\ncommon library for packet monitoring on Linux. 
The device/interface on which the malware intercepts the packets\r\nis specified in the configuration. It uses the pcap_open_live library function to open the device for capturing\r\npackets. It installs a BPF filter on the device, and the filter program is compiled using the pcap_compile function\r\nby passing the filter string “(udp and dst port 53 ) or (tcp and dst port 80 or 8080)”. The filter only\r\ncaptures UDP packets destined for port 53 and TCP packets destined for ports 80 or 8080. To actually install this filter, it uses the\r\npcap_setfilter call.\r\nOnce everything is set up, CATCHDNS calls pcap_loop with a handler function as an argument. For every\r\npacket that passes the filter, the handler function is called with the packet data as an argument. This handler\r\nfunction is responsible for processing every filtered packet, as shown below.\r\nThe packet processing function checks the Ethernet and IPv4 headers to determine if it is a UDP or TCP packet.\r\nDepending on the IPv4 protocol of the packet, either process_udp_packet or process_tcp_packet is called.\r\nDNS Hijacking\r\nAfter analyzing the process_udp_packet function, it is clear the function specifically processes DNS packets.\r\nWhile dealing with network packets, it is a good idea to create the packet structures in IDA and apply them while\r\nanalyzing. This makes it easy to understand the whole logic. A DNS packet consists of the Ethernet header, IP\r\nheader, and UDP header, followed by the DNS header and DNS data. Using this knowledge, these structures are\r\napplied to the processing functions to reveal the function parsing the DNS header and to perform basic sanity\r\nchecks, as shown below.\r\nEach DNS packet contains queries that appear after the DNS header in the packet. 
The queries contain information\r\nabout the domain for which the DNS information is requested by the client. The malware parses the DNS queries\r\nand retrieves the domain name for which the DNS request is being made. Once it has the domain name, it is\r\ncompared to the DNS domain(s) present in the malware’s configuration. If there is a match, the DNS request is\r\nhijacked and the malware builds a fake DNS response packet. It then sends the packet back to the client,\r\nresponding with the attacker-controlled (C2) IP address instead of the legitimate IP address. The following\r\nfunction is used to build the fake DNS packet and send it to the client:\r\nHTTP Interception and Mock Response\r\nThe process_tcp_packet function is used to intercept HTTP requests. An attacker can tune the interception\r\nusing various configuration options. Both GET and POST requests can be intercepted by the malware. As\r\npreviously mentioned, HTTP interception can also be limited to a given IP address using IPLimit. HTTP\r\ninterception works similarly to DNS interception. If a request meets the conditions specified, the malware builds\r\nan HTTP mock response and sends it back to the client. 
The response is defined in the malware\r\nconfiguration, where the attacker can specify a hardcoded page to return in response to specific requests.\r\nTo successfully respond with a fake HTTP response, all conditions specified in the configuration must be satisfied.\r\nThe following keys can be specified in HTTPConfig:\r\nurl\r\nhost\r\nua (user-agent)\r\ncontent-type\r\notherhead_%s\r\nsendlimit\r\nconfigfile\r\nOther headers to be parsed and checked can be specified using the otherhead_%s key, where %s denotes the\r\nheader name. The sendlimit key defines how many times the malware will respond to requests satisfying the\r\nconfiguration. Once this limit is exceeded, the malware will no longer modify responses to requests matching the\r\npattern. The configfile key contains the path to the web page to be served if all conditions are met.\r\nConfiguration Example\r\nVolexity was able to extract all configurations from the CATCHDNS samples encountered during the intrusion by\r\nintercepting them before they were deleted from the disk. The image below shows one example of an extracted\r\nconfiguration.\r\nThe above configuration intercepts all DNS (53) and HTTP (80 and 8080) packets on the Port1 device. It\r\nhijacks the www.msftconnecttest[.]com domain and responds with IP address 122.10.90[.]20 for this domain.\r\nIn HTTPConfig, the “host” key is absent, meaning the malware would intercept an HTTP request to any host if it\r\nsatisfied the other conditions. 
This was only one of several configurations observed; the attacker uses a variety of the options offered by the\r\nmalware to achieve different objectives.\r\nSource: https://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abuse-insecure-software-update-mechanisms/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abuse-insecure-software-update-mechanisms/"
	],
	"report_names": [
		"stormbamboo-compromises-isp-to-abuse-insecure-software-update-mechanisms"
	],
	"threat_actors": [
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434267,
	"ts_updated_at": 1775792159,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/197d02b4e62679b155c1cc1b0d5576e02216ad35.pdf",
		"text": "https://archive.orkl.eu/197d02b4e62679b155c1cc1b0d5576e02216ad35.txt",
		"img": "https://archive.orkl.eu/197d02b4e62679b155c1cc1b0d5576e02216ad35.jpg"
	}
}