{
	"id": "bee8b58e-1a4a-45b4-aa25-d8f7f9add252",
	"created_at": "2026-04-06T00:17:41.253056Z",
	"updated_at": "2026-04-10T03:36:25.332935Z",
	"deleted_at": null,
	"sha1_hash": "1c5b2a04552c20a61d6cc296479e309a0316208c",
	"title": "Updates on OwlProxy malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 318995,
	"plain_text": "Updates on OwlProxy malware\r\nPublished: 2021-04-29 · Archived: 2026-04-05 16:21:55 UTC\r\nDuring the analysis of malicious artifacts collected from an incident, we recently came across a sample that caught our attention: it had been deployed on an Internet-exposed server and was packed with VMProtect. After analyzing it, we found that it was a recent version of a tool known as OwlProxy, which has been observed on targets hit by the APT group known as Chimera.\r\nThe actors' use of VMProtect makes analysis of their code more time-consuming (although it simplifies detection, since a VMProtect-packed binary on a server is an anomaly by itself). On the other hand, this packer has some weaknesses: it does not always protect parts of the binary metadata, and once the sample is in memory it leaves most of the strings unobfuscated, which makes those parts of the executable relatively easy to analyze from a memory dump. For this sample in particular, that helps with identification given the number of quite unique strings it contains. 
An example of this is that, even statically, the binary still contains the string with its original name (iisdll.dll).\r\nFrom some of these strings it can be seen that new samples are being uploaded regularly; after a more detailed analysis these were identified as different 32-bit and 64-bit versions of the same threat, some of them packed and others not.\r\nSome of them, dating from 2019, largely coincide with the samples analyzed in the following CyCraft\r\nA summary of its capabilities can be found in this report, which explains that it acts as a proxy between the DMZ of the victim's infrastructure and its internal network and also allows remote execution of commands.\r\nThe report shows the metadata of the binary, where the PDB path can be seen to match most of the more recent samples found on VirusTotal.\r\nhttps://lab52.io/blog/chimera-apt-updates-on-its-owlproxy-malware/\r\nPage 1 of 5\n\nThe report also explains that the sample achieves persistence as a service, and it highlights the two endpoints the sample exposes while running.\r\nIn the samples we analyzed, instead of using port 80 they expose port 443 over SSL, and they have stopped using the string “servlet”: the path now differs per sample, but the string “pp” has been kept for the endpoint that acts as proxy.\r\nTwo samples from 02/2019:\r\nDEE3A502AEDCBE109373AA200A690D4E2D1A10FA3CF69A7B6DB68A78C6ABFC2C\r\n  Remote CMD addr: https://+:443/HelpTheme/\r\n  Proxy addr: https://+:443/HelpTheme/pp/\r\n  Service name: FastUserSwitchingCompatibility\r\n75E616BF87AD0CBE738C4C48BC0ECD114871DEF145E21545FA11705D3A11D60E\r\n  Remote CMD addr: https://+:443/topics/\r\n  Proxy addr: https://+:443/topics/pp/\r\n  Service name: wmipd\r\nAlong with these two samples, there are three more recent ones (July 2020). 
Two of them are newer versions of this same tool (32-bit and 64-bit), and the third is an installer or dropper (9A9FFDB8FC20B6E6E5A1DE434F6B834E69755FD62157F91884E9A681F0073256) that, when executed, extracts from its resources an OwlProxy sample suitable for the operating system architecture, installs it in system32 under the name “wmipd.dll”, gives it the same creation and modification dates as “calc.exe”, and creates a service named wmipd that runs it at every system startup.\r\nThe PDB path of this dropper keeps the string “owl”, so we have named it OwlInstaller:\r\n“f:\\project\\owl\\isapi\\win32\\release\\iisinstaller.pdb”\r\nThe OwlProxy sample in its resources is split into reverse-ordered blocks, so the MZ header, for example, is in the last 2634 bytes of the resource.\r\nOnce extracted and installed, these more recent samples contain many strings and call OutputDebugString on several occasions, so a few of these strings show up as debug output when debugging or when running DebugView:\r\nIn addition to using “https” as the protocol, they have again changed part of the path of their endpoints, now using “exchangetopicservices” (a probable evolution of the 2019 samples that use the string “topics”), and they have added a new endpoint to the tool:\r\nRemote CMD addr: https://+:443/exchangetopicservices/\r\nProxy: https://+:443/exchangetopicservices/pp/\r\nWebshell: https://+:443/exchangetopicservices/px/\r\nThe path ending in “exchangetopicservices” still works the same way as in previous samples, executing commands in a cmd process through unnamed pipes. 
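To pull the embedded OwlProxy out of a dropper laid out the way the OwlInstaller resource is described above (blocks written in reverse order, so the block carrying the MZ stub ends up last), the following Python is an added example and not Lab52's or the actors' code. The post does not state the block size, so the example recovers it by trying candidate sizes and validating each reassembly against the PE header instead of trusting a guess; the block size of 1000 and the PE-like blob used here are constructed for the demonstration and are not taken from the real sample.

```python
# Added example (not the dropper's own code): reassemble a payload that was stored as
# fixed-size blocks written in reverse order, the layout described for the OwlInstaller
# resource, where the MZ stub ends up in the last block. The real block size is not given
# in the post, so find_block_size() recovers it by validating candidates against the PE header.


def looks_like_pe(buf):
    # MZ stub with a sane e_lfanew pointing at the 'PE' signature.
    if len(buf) < 0x40 or buf[:2] != b'MZ':
        return False
    e_lfanew = int.from_bytes(buf[0x3c:0x40], 'little')
    return 0x40 <= e_lfanew <= len(buf) - 4 and buf[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)


def reassemble(blob, block_size):
    # Undo the reversal: a short final block of the original (len % block_size bytes)
    # sits at the front of the blob, and the full blocks follow it in reverse order.
    rem = len(blob) % block_size
    tail, body = blob[:rem], blob[rem:]
    blocks = [body[i:i + block_size] for i in range(0, len(body), block_size)]
    return b''.join(reversed(blocks)) + tail


def find_block_size(blob, candidates=None):
    # Cheap filter first: the original first block (starting with MZ) is the last
    # block_size bytes of the blob. Only candidates passing that are fully reassembled
    # and checked for a consistent PE header.
    if candidates is None:
        candidates = range(16, min(len(blob), 0x10000) + 1)
    for bs in candidates:
        if bs <= len(blob) and blob.startswith(b'MZ', len(blob) - bs) and looks_like_pe(reassemble(blob, bs)):
            return bs
    return None


def split_reversed(data, block_size):
    # Forward direction, used only to build the constructed sample below.
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    return b''.join(reversed(blocks))


def build_sample(block_size=1000):
    # Constructed PE-like blob (MZ stub, e_lfanew -> 'PE', filler); not a real OwlProxy
    # sample, and 1000 is a hypothetical block size chosen for the demonstration.
    header = bytearray(0x100)
    header[0:2] = b'MZ'
    header[0x3c:0x40] = (0x80).to_bytes(4, 'little')
    header[0x80:0x84] = b'PE' + bytes(2)
    payload = bytes(header) + bytes(range(256)) * 20
    return payload, split_reversed(payload, block_size)


if __name__ == '__main__':
    payload, blob = build_sample()
    bs = find_block_size(blob)
    print('recovered block size:', bs, 'payload intact:', reassemble(blob, bs) == payload)
```

On a real dropper, extract the raw resource bytes (for instance with the pefile module or a resource editor) and pass them to find_block_size; given the 2634-byte observation in the post, 2634 is the obvious first candidate to try if the blocks are uniform. The PE-header validation is what makes the approach safe to run over a range of sizes: a wrong block size produces a buffer that fails the MZ or e_lfanew check rather than a silently corrupt file.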
The proxy endpoint has also remained the same in terms of capabilities.\r\nFinally, thanks to all the strings in the binary, it is easy to spot that the authors call the new endpoint “Webshell_run”; its URI ends in “/px/”, and it consists of a function that adds the following list of commands:\r\nget_driver\r\nget_directory\r\nupload_file\r\ndonwload_file\r\nThis area has many more strings than the rest, and curiously several of them are misspelled. The first error is probably in the command “get_driver”, since in its internal logic the only thing it does is list the disk drives installed on the computer:\r\nWhich suggests that this functionality should probably have been called “get_drives” :_)\r\nThe next wrong command is “donwload_file”, although in this case it is easy to guess what it means, and it does exactly that: it allows the attacker to download a file from the compromised server.\r\nThe rest do match their names: “get_directory” lists the contents of a directory and “upload_file” drops a file on the remote server.\r\nThe last notable error we detected is a translation error in the “get_directory” command when a file does not exist.\r\nThe older versions have far fewer strings, so it is likely that future versions of the threat will remove many of those described in this post; but some of them are used to identify the command being executed, so it is possible that those will remain, along with the PDB path they have been leaving since 2019. 
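Strings may come and go between versions, but the URL prefixes the backdoor registers with HTTP.sys have to exist for it to receive requests at all, and on the server they can be listed with `netsh http show servicestate` (the `https://+:443/...` notation in the post is HTTP.sys URL prefix syntax, where `+` binds all host names on the port). The following Python is an added example, not the post's or the actors' code: it parses that output and flags any URL group that exposes a base path together with a `pp/` or `px/` sub-prefix, the shape shared by all three OwlProxy generations above regardless of the base string chosen. The sample output is constructed to approximate the real netsh layout and is not captured from a host; the group IDs in it are made up.

```python
# Added example (not from the Lab52 post or the OwlProxy code): parse the output of
# `netsh http show servicestate` and flag URL groups whose prefixes have the
# OwlProxy shape, i.e. a base path plus a pp/ (proxy) or px/ (webshell) sub-prefix.

# Paths named in the post, so a hit on them can be labelled as a known indicator.
KNOWN_OWLPROXY_BASES = {'/helptheme/', '/topics/', '/exchangetopicservices/'}
OWLPROXY_SUFFIXES = ('pp/', 'px/')

# Constructed sample approximating the netsh layout; not captured from a real host.
# Group FE..01 stands in for a benign listener, FE..02 for the 2020 OwlProxy prefixes.
SAMPLE_SERVICESTATE = '''
Snapshot of HTTP service state (Server Session View):
-----------------------------------------------------

Server session ID: FF00000020000001
    Version: 2.0
    State: Active
    URL groups:
    URL group ID: FE00000040000001
        State: Active
        Number of registered URLs: 2
        Registered URLs:
            HTTP://+:80/TEMPORARY_LISTEN_ADDRESSES/
            HTTP://*:80/
    URL group ID: FE00000040000002
        State: Active
        Number of registered URLs: 3
        Registered URLs:
            HTTPS://+:443/EXCHANGETOPICSERVICES/
            HTTPS://+:443/EXCHANGETOPICSERVICES/PP/
            HTTPS://+:443/EXCHANGETOPICSERVICES/PX/
'''


def parse_servicestate(text):
    # Map each URL group ID to the (lower-cased) prefixes registered under it.
    # netsh prints the prefixes in upper case; matching is done case-insensitively.
    groups = {}
    current = 'ungrouped'
    for raw in text.splitlines():
        line = raw.strip()
        lower = line.lower()
        if lower.startswith('url group id:'):
            current = line.split(':', 1)[1].strip()
            groups.setdefault(current, [])
        elif lower.startswith(('http://', 'https://')):
            groups.setdefault(current, []).append(lower)
    return groups


def url_path(prefix):
    # 'https://+:443/topics/pp/' -> '/topics/pp/'
    rest = prefix.split('://', 1)[1]
    slash = rest.find('/')
    return rest[slash:] if slash >= 0 else '/'


def find_owlproxy_shapes(groups):
    # A base prefix that is also registered with a pp/ or px/ child is the
    # Remote CMD + proxy (+ webshell) layout used by every OwlProxy generation.
    hits = []
    for group_id, prefixes in groups.items():
        paths = {url_path(p) for p in prefixes}
        for base in sorted(paths):
            subs = [base + s for s in OWLPROXY_SUFFIXES if base + s in paths]
            if not subs:
                continue
            reason = ('known OwlProxy path' if base in KNOWN_OWLPROXY_BASES
                      else 'base prefix with pp/px sub-prefix')
            hits.append({'group': group_id, 'base': base,
                         'sub_prefixes': subs, 'reason': reason})
    return hits


if __name__ == '__main__':
    for hit in find_owlproxy_shapes(parse_servicestate(SAMPLE_SERVICESTATE)):
        print(hit)
```

On a live server, redirect `netsh http show servicestate` to a file and feed it to parse_servicestate; IIS and other legitimate HTTP.sys listeners will appear as well, so the check is on the base-plus-pp/px pattern, not on the mere presence of a 443 listener. Note that a service running as SYSTEM can register prefixes without a URL reservation, so `netsh http show urlacl` alone can miss them; the live service state is the view to hunt in. The same triage should confirm the wmipd service and the wmipd.dll dropped in system32 described above, whose timestamps were copied from calc.exe.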
What is clear is that they are in constant development.\r\nSHA256 hashes:\r\nDEE3A502AEDCBE109373AA200A690D4E2D1A10FA3CF69A7B6DB68A78C6ABFC2C  Old OwlProxy, x64 version\r\n75E616BF87AD0CBE738C4C48BC0ECD114871DEF145E21545FA11705D3A11D60E  Old OwlProxy, x64 version\r\n16CF6924ECA8208AD9D9B8470CF0A849995ED4D981D5BC706E62AE878EF261BB  Recent OwlProxy, x86 version\r\nC9B8CFACC859E494984AE9DDF864314AF651FD32E60F33C7F42BFC640620E8CA  Recent OwlProxy, x64 version\r\n95E7E09468F7DC62DA42E036B6E36CE27DC04C2CA0BB86A2FED39B3CC2BF4A97  VMProtect OwlProxy, x64 version\r\n9A9FFDB8FC20B6E6E5A1DE434F6B834E69755FD62157F91884E9A681F0073256  OwlInstaller\r\nSource: https://lab52.io/blog/chimera-apt-updates-on-its-owlproxy-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://lab52.io/blog/chimera-apt-updates-on-its-owlproxy-malware/"
	],
	"report_names": [
		"chimera-apt-updates-on-its-owlproxy-malware"
	],
	"threat_actors": [
		{
			"id": "f88b16bc-df4b-48e7-ae35-f4117240ff24",
			"created_at": "2022-10-25T15:50:23.556699Z",
			"updated_at": "2026-04-10T02:00:05.312313Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Chimera"
			],
			"source_name": "MITRE:Chimera",
			"tools": [
				"PsExec",
				"esentutl",
				"Mimikatz",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3da47784-d268-47eb-9a0d-ce25fdc605c0",
			"created_at": "2025-08-07T02:03:24.692797Z",
			"updated_at": "2026-04-10T02:00:03.72967Z",
			"deleted_at": null,
			"main_name": "BRONZE VAPOR",
			"aliases": [
				"Chimera",
				"DEV-0039",
				"Thorium",
				"Tumbleweed Typhoon"
			],
			"source_name": "Secureworks:BRONZE VAPOR",
			"tools": [
				"Acehash",
				"CloudDrop",
				"Cobalt Strike",
				"Mimikatz",
				"STOCKPIPE",
				"Sharphound",
				"Watercycle"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef",
			"created_at": "2022-10-25T16:07:23.455744Z",
			"updated_at": "2026-04-10T02:00:04.61281Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Bronze Vapor",
				"G0114",
				"Nuclear Taurus",
				"Operation Skeleton Key",
				"Red Charon",
				"THORIUM",
				"Tumbleweed Typhoon"
			],
			"source_name": "ETDA:Chimera",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"SkeletonKeyInjector",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434661,
	"ts_updated_at": 1775792185,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1c5b2a04552c20a61d6cc296479e309a0316208c.pdf",
		"text": "https://archive.orkl.eu/1c5b2a04552c20a61d6cc296479e309a0316208c.txt",
		"img": "https://archive.orkl.eu/1c5b2a04552c20a61d6cc296479e309a0316208c.jpg"
	}
}