{
	"id": "12681756-4612-49b6-8ca3-4fe9e7880eec",
	"created_at": "2026-04-06T00:07:25.668987Z",
	"updated_at": "2026-04-10T03:36:47.663069Z",
	"deleted_at": null,
	"sha1_hash": "1ca4e65eeb605340e20fa71106d895cbbc490dde",
	"title": "Threats of Commercialized Malware: Knotweed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60760,
	"plain_text": "Threats of Commercialized Malware: Knotweed\r\nPublished: 2022-07-28 · Archived: 2026-04-02 10:37:11 UTC\r\nMicrosoft associates the private sector offensive actor (PSOA) Knotweed with the Austrian spyware distributor DSIRF. DSIRF, founded in 2016, advertises itself as an information research company that performs security and analysis tasks for red teams while offering hacking tools and services. It now conducts hack-for-hire operations worldwide, especially against targets in Europe and Central America, while using and distributing the malware toolset Subzero. The company was also seen conducting some attacks using its own infrastructure.\r\nDSIRF conducting hack-for-hire operations using malware toolset Subzero\r\nIt is worth noting that during the 2016 US presidential election, when Russia was accused of hacking operations in the election campaign, DSIRF began advertising Subzero as a state trojan for analyzing hacking operations and exposing warfare tactics.\r\nSubzero Malware Deployed in Windows and Adobe Zero Day Exploits\r\nBoth devices and network infrastructures can be targets for Subzero. MSTIC and MSRC believe that DSIRF is responsible for the zero-day attack that took advantage of a recently fixed flaw in csrss[.]exe, CVE-2022-22047. Other zero-day exploits led to deploying Subzero: an Adobe Reader RCE vulnerability (CVE-2021-28550) and privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201).\r\nMicrosoft stated about commercialized threats such as Knotweed: “Allowing private sector offensive actors, or PSOAs, to develop and sell surveillance and intrusion capabilities to unscrupulous governments and business interests endangers basic human rights.”\r\nMicrosoft advises customers to deploy the July 2022 security updates to guard their systems from vulnerabilities that could be exploited.\r\nHow is the Malware Deployed?
\r\nThere are two stages of Subzero deployment: Corelump and Jumplump. Both stages are heavily obfuscated with a complicated control flow. Corelump is loaded into memory by Jumplump, a persistent malware loader, which loads Corelump from a JPEG file in the %TEMP% directory. Corelump is the malware’s main payload; it can evade detection because it operates only in memory.\r\nAn unusually large JPEG file downloaded from an unknown source might indicate compromise. This query looks for those JPEG files.\r\nKeylogging, capturing screenshots, data exfiltration, running remote shells, and arbitrary plugins downloaded from Knotweed’s C2 server are all capabilities of Corelump.\r\nhttps://socradar.io/threats-of-commercialized-malware-knotweed/\r\nPage 1 of 3\n\nCorelump copies legitimate Windows DLLs, inserts its malicious code into the copies, and disables Control Flow Guard. In Microsoft’s security advisory, it is said: “As part of this process, Corelump also modifies the fields in the PE header to accommodate the nefarious changes, such as adding new exported functions, disabling Control Flow Guard, and modifying the image file checksum with a computed value from CheckSumMappedFile.
These trojanized binaries (Jumplump) are dropped to disk in C:\\Windows\\System32\\spool\\drivers\\color, and COM registry keys are modified for persistence.”\r\nMicrosoft observed the following post-compromise actions in attacks:\r\nUseLogonCredential set to “1” to enable plaintext credentials:\r\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f\r\nDumping credentials with comsvcs[.]dll:\r\nrundll32[.]exe C:\\Windows\\System32\\comsvcs[.]dll, MiniDump\r\nAccess attempts from a Knotweed IP address to emails using the dumped credentials\r\nUse of curl to download Knotweed tools from public file shares such as vultrobjects[.]com\r\nRunning PowerShell scripts from a GitHub gist associated with DSIRF\r\nPrevious Attacks by Knotweed\r\nSubzero was deployed through an exploit chain that included the Adobe Reader RCE exploit CVE-2021-28550 and the Windows privilege escalation exploits CVE-2021-31199 and CVE-2021-31201. These vulnerabilities were all fixed in the June 2021 updates. Later, it was discovered that a vulnerability in the Windows Update Medic Service (CVE-2021-36948) was also connected to the exploit chain; it enabled an attacker to force-load a DLL.\r\nAn Excel file posing as a real estate document was another method used to deploy Subzero. The file contained an obfuscated malicious macro.\r\nKnotweed uses fake Excel file to deploy Subzero\r\nMSTIC found another exploit chain, combining an Adobe Reader RCE and a zero-day Windows privilege escalation (CVE-2022-22047), used in May 2022. The victim received a PDF file containing the exploits via email. Knotweed used CVE-2022-22047 specifically for privilege escalation; it could also be used in Chromium-based browsers. The vulnerability was patched in July 2022. It could allow an attacker to execute arbitrary processes by creating a malicious activation context in the cache (in CSRSS).
The exploit enables escape from a sandbox environment after the attacker writes a malicious DLL to disk: the next time the system process spawns, the malicious DLL loads from the specified path, allowing the attacker to execute system-level code.\r\nKnotweed TTPs and IOCs\r\nMicrosoft Defender (1.371.503.0) can detect the malware’s tools:\r\nBackdoor:O97M/JumplumpDropper\r\nTrojan:Win32/Jumplump\r\nTrojan:Win32/Corelump\r\nHackTool:Win32/Mexlib\r\nTrojan:Win32/Medcerc\r\nBehavior:Win32/SuspModuleLoad\r\nCheck Microsoft’s Security Advisory for all TTPs and IOCs related to Knotweed and security advice.\r\nSource: https://socradar.io/threats-of-commercialized-malware-knotweed/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://socradar.io/threats-of-commercialized-malware-knotweed/"
	],
	"report_names": [
		"threats-of-commercialized-malware-knotweed"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8e3cc644-b09e-4ed2-bdf8-b836e4f21319",
			"created_at": "2024-02-02T02:00:04.014083Z",
			"updated_at": "2026-04-10T02:00:03.523727Z",
			"deleted_at": null,
			"main_name": "Denim Tsunami",
			"aliases": [
				"DSIRF"
			],
			"source_name": "MISPGALAXY:Denim Tsunami",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434045,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1ca4e65eeb605340e20fa71106d895cbbc490dde.pdf",
		"text": "https://archive.orkl.eu/1ca4e65eeb605340e20fa71106d895cbbc490dde.txt",
		"img": "https://archive.orkl.eu/1ca4e65eeb605340e20fa71106d895cbbc490dde.jpg"
	}
}