{
	"id": "00f1412e-f66d-41f3-9cb7-d99ed5741ea3",
	"created_at": "2026-04-06T01:32:18.618748Z",
	"updated_at": "2026-04-10T13:11:37.720202Z",
	"deleted_at": null,
	"sha1_hash": "1f97c6b7e1ee62dcb786ab14c98d47761812226d",
	"title": "APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2169686,
	"plain_text": "APT10: sophisticated multi-layered loader Ecipekac discovered in\r\nA41APT campaign\r\nBy GReAT\r\nPublished: 2021-03-30 · Archived: 2026-04-06 00:56:36 UTC\r\nWhy is the campaign called A41APT?\r\nIn 2019, we observed an APT campaign targeting multiple industries, including the Japanese manufacturing\r\nindustry and its overseas operations, that was designed to steal information. We named the campaign A41APT (not\r\nAPT41) which is derived from the host name “DESKTOP-A41UVJV” from the attacker’s system used in the\r\ninitial infection. The actor leveraged vulnerabilities in Pulse Connect Secure in order to hijack VPN sessions, or\r\ntook advantage of system credentials that were stolen in previous operations.\r\nLog of the hijacking VPN session from DESKTOP-A41UVJV\r\nA41APT is a long-running campaign with activities detected from March 2019 to the end of December 2020.\r\nMost of the discovered malware families are fileless malware and they have not been seen before. One particular\r\npiece of malware from this campaign is called Ecipekac (a.k.a DESLoader, SigLoader, and HEAVYHAND). It is a\r\nvery sophisticated multi-layer loader module used to deliver payloads such as SodaMaster (a.k.a DelfsCake, dfls,\r\nand DARKTOWN), P8RAT (a.k.a GreetCake, and HEAVYPOT) and FYAnti (a.k.a DILLJUICE stage2) which\r\nloads QuasarRAT.\r\nIn November and December 2020, Symantec and LAC both published blogposts about this campaign. A month\r\nlater, we discovered new activities from A41APT that utilized modified and updated payloads, and that’s what we\r\ncover in this blog.\r\nIn February 2021, a GReAT security expert and his friends gave a presentation on the A41APT campaign at the\r\nGReAT Ideas event. You can download the slides here. Further information about A41APT is available to\r\ncustomers of the Kaspersky Intelligence Reporting service. 
Contact intelreports@kaspersky.com\r\nTechnical analysis: Ecipekac\r\nhttps://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/\r\nPage 1 of 20\n\nWe observed a multi-layer x64 loader used exclusively by this actor and dubbed it Ecipekac after a unique string found in the second layer of the loader: “Cake piece” written backwards (with a typo).\r\nThe hardcoded unique string “ecipekac”\r\nEcipekac uses a new, complicated loading scheme: it uses the four files listed below to load and decrypt four fileless loader modules one after the other, eventually loading the final payload in memory.\r\nEcipekac infection flow\r\nThe files are:\r\nFilename        MD5                               Description\r\npolicytool.exe  7e2b9e1f651fa5454d45b974d00512fb  Legitimate EXE abused for DLL side-loading\r\njli.dll         be53764063bb1d054d78f2bf08fb90f3  Ecipekac Layer I loader\r\nvac.dll         f60f7a1736840a6149d478b23611d561  Encrypted Ecipekac Layer II loader (shellcode)\r\npcasvc.dll      59747955a8874ff74ce415e56d8beb9c  Encrypted Ecipekac Layer IV loader (shellcode)\r\nNote that the Ecipekac Layer III loader module is embedded in the encrypted Layer II loader.\r\nEcipekac: Layer I loader\r\nLayer I of Ecipekac infection flow\r\nThe Ecipekac Layer I loader abuses policytool.exe, a legitimate application normally packaged in the IBM Development Package for Eclipse, to load a malicious DLL named ‘jli.dll’ from the current directory via DLL side-loading. The ‘jli.dll’ file acts as the first layer of the Ecipekac loader. This DLL has a number of export functions; however, all of them refer to the same function, which carries the main loading logic. The loader reads 0x40408 bytes of data from the end of another DLL, ‘vac.dll’ (the data starts at file offset 0x66240). 
The data size of 0x40408 is derived from a hardcoded value, 0x40405, rounded up until it is divisible by eight.\r\nMD5 f60f7a1736840a6149d478b23611d561\r\nSHA1 5eb69114b2405a6ea0780b627cd68b86954a596b\r\nSHA256 3b8ce709fc2cee5e7c037a242ac8c84e2e00bd597711093d7c0e85ec68e14a4c\r\nLink time 2033-11-13 08:50:03\r\nFile type PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nCompiler Linker Version: 14.13, OS Version: 10.0\r\nFile size 681544 (666KB)\r\nFile name vac.dll\r\nEmbedded data at 0x66240 (size: 0x40405)\r\n00066240: febe d990 66de 1bc9 75b7 dc2c 3e1f 3ef2\r\n00066250: 78d0 0005 5c27 a511 c122 bdf4 15e7 052c\r\n00066260: af72 7e08 064c f7b9 70f0 57bf 250a 3b4d\r\n[..skipped..]\r\n000a6630: ee4b b1f2 294d eea1 290e aba2 6954 130f\r\n000a6640: 1267 9ab3 f800 0000\r\nThe ‘vac.dll’ file carries a valid, legitimate digital signature, although the file has been tampered with. At first glance, the valid signature would suggest the file has not been modified since it was signed.\r\nThe signed digital certificate of vac.dll\r\nWhat actually happened is that the actor enlarged the Certificate Table of the signed ‘vac.dll’ and inserted their own data into it. Because the Authenticode hash does not cover the Certificate Table, the appended bytes do not invalidate the signature. Microsoft addressed this Authenticode padding issue in MS13-098 (the stricter check is opt-in), and the technique of hiding a payload in the Certificate Table was demonstrated at Black Hat USA 2016.\r\nThe Layer I loader decrypts the Layer II loader shellcode from the data embedded in ‘vac.dll’. Several crypto algorithms are used, such as XOR, AES and DES. 
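A quick way to check a signed PE for this kind of tampering is to compare the space reserved for the Certificate Table with what the signature actually occupies. The Python script below is an added example and is not part of the original post or of any Kaspersky tooling: it parses the security data directory, walks the WIN_CERTIFICATE entries and measures the bytes that no PKCS#7 structure accounts for, which is exactly where Ecipekac’s encrypted shellcode lives. The synthetic PE32+ image and the placeholder DER blob standing in for a real signature are constructed here for the demonstration; the 0x40405-byte padding mirrors the size read by the Layer I loader.

```python
import struct

SEC_DIR_INDEX = 4                      # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def round_up8(n):
    # WIN_CERTIFICATE entries are 8-byte aligned; the Ecipekac Layer I loader
    # does the same rounding when it sizes its read (0x40405 -> 0x40408).
    return (n + 7) & ~7


def security_directory(pe):
    # Returns (file_offset, size) of the attribute certificate table. This
    # directory entry holds a raw file offset, not an RVA.
    if pe[:2] != b'MZ':
        raise ValueError('not an MZ file')
    e_lfanew = struct.unpack_from('<I', pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        raise ValueError('bad PE signature')
    opt_off = e_lfanew + 4 + 20                          # skip signature + COFF header
    magic = struct.unpack_from('<H', pe, opt_off)[0]
    dd_off = opt_off + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 layout
    return struct.unpack_from('<II', pe, dd_off + SEC_DIR_INDEX * 8)


def der_total_length(blob):
    # Size of the outermost DER SEQUENCE (the PKCS#7 SignedData). Anything in
    # the entry beyond this is ignored by Authenticode and not hashed.
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError('certificate body is not a DER SEQUENCE')
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(blob[2:2 + n], 'big')


def cert_table_slack(pe):
    # Bytes inside the certificate table that no signature accounts for:
    # padding inside each PKCS#7 entry, unclaimed space after the last entry,
    # and anything appended past the declared table end.
    off, size = security_directory(pe)
    if size == 0:
        return {'inner': 0, 'unclaimed': 0, 'trailing': 0}
    table = pe[off:off + size]
    inner, pos = 0, 0
    while pos + 8 <= len(table):
        dw_len, _rev, ctype = struct.unpack_from('<IHH', table, pos)
        if dw_len < 8:
            break                                        # malformed entry, stop walking
        body = table[pos + 8:pos + dw_len]
        if ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            inner += len(body) - der_total_length(body)
        pos += round_up8(dw_len)
    return {'inner': inner,
            'unclaimed': max(0, size - pos),
            'trailing': max(0, len(pe) - (off + size))}


def suspicious_bytes(pe):
    return sum(cert_table_slack(pe).values())


def build_signed_pe(pkcs7, padding=b''):
    # Constructed minimal PE32+ (no sections) whose only content after the
    # headers is a certificate table with one WIN_CERTIFICATE entry. padding
    # is appended inside that entry the way the Ecipekac data was.
    opt_size = 240                                       # PE32+ header incl. 16 dirs
    cert_off = 0x40 + 4 + 20 + opt_size                  # right after the headers
    entry_len = 8 + len(pkcs7) + len(padding)
    table = struct.pack('<IHH', entry_len, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    table += pkcs7 + padding + bytes(round_up8(entry_len) - entry_len)
    dos = b'MZ' + bytes(0x3A) + struct.pack('<I', 0x40)  # e_lfanew = 0x40
    coff = b'PE' + bytes(2) + struct.pack('<HHIIIHH', 0x8664, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into('<H', opt, 0, 0x20B)
    struct.pack_into('<II', opt, 112 + SEC_DIR_INDEX * 8, cert_off, len(table))
    return dos + coff + bytes(opt) + table


# Placeholder signature: a DER SEQUENCE with a long-form length (300 bytes of
# content). A real file carries the PKCS#7 SignedData here.
FAKE_PKCS7 = bytes([0x30, 0x82, 0x01, 0x2C]) + bytes(300)

if __name__ == '__main__':
    clean = build_signed_pe(FAKE_PKCS7)
    stuffed = build_signed_pe(FAKE_PKCS7, padding=bytes([0x9F]) * 0x40405)
    print('clean  :', cert_table_slack(clean))
    print('stuffed:', cert_table_slack(stuffed))
```

On a real file, call cert_table_slack on the bytes of vac.dll. Signature tools such as signtool or Get-AuthenticodeSignature still report the file as valid, so this size comparison is the check that actually flags the tampering. A few bytes of slack can be legitimate alignment padding; hundreds of kilobytes cannot.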
The order and combination of algorithms, as well as the decryption keys, differ from one sample to another.\r\nDecryption flow in first loader\r\nFor example, in the sample shown above the order of crypto algorithms was a one-byte XOR with the hardcoded key 0x9F, followed by AES decryption in CBC mode with the AES key ’83H4uREKfFClDH8ziYTH8xsBYa32p3wl’ and the IV ’83H4uREKfFClDH8z’ (note that the IV is simply the first 16 bytes of the 32-byte key).\r\nOne interesting characteristic of Ecipekac is that the attackers implemented these cryptographic algorithms in their own code instead of using the Windows API, and made slight modifications to the standard implementations. For instance, in the AES-related function they intentionally reference the third byte of the AES key, as shown in the following code.\r\nA small modification in the AES function\r\nApart from AES, the attackers have also modified the DES algorithm.\r\nEcipekac: Layer II loader shellcode\r\nLayer II of infection flow using Ecipekac\r\nThe Ecipekac Layer II loader is a simple shellcode that contains the next-layer DLL in shuffled pieces. First, the shellcode checks for the magic string “ecipekac” in this data set. Then it copies each piece of the embedded data into allocated memory in the correct order, reconstructing the original DLL image as shown below.\r\nReconstruction of the divided PE BLOB in memory\r\nIt then calls the entry point of the loaded DLL, which is the third layer of Ecipekac. Based on our investigation, the magic string used in this module is not “ecipekac” in every instance. 
We also observed “9F 8F 7F 6F” and “BF AF BF AF” used in several samples instead.\r\nEcipekac: Layer III loader DLL\r\nLayer III of infection flow using Ecipekac\r\nThe third layer loads the next layer in much the same way as the first layer. It reads encrypted data from the end of ‘pcasvc.dll’, which, like ‘vac.dll’, is a digitally signed file.\r\nMD5 59747955a8874ff74ce415e56d8beb9c\r\nSHA1 0543bfebff937039e304146c23bbde7693a67f4e\r\nSHA256 a04849da674bc8153348301d2ff1103a7537ed2ee55a1588350ededa43ff09f6\r\nLink time 2017-02-24 15:47:04\r\nFile type PE32+ executable (DLL) (console) x86-64, for MS Windows\r\nCompiler Linker Version: 14.13, OS Version: 10.0\r\nFile size 733232 (717KB)\r\nFile name pcasvc.dll\r\nEmbedded data at 0x87408 (size: 0x2BC28)\r\n00087408: 98e4 1def 8519 d194 3c70 4e84 458a e34c\r\n00087418: b145 74da c353 8cf8 1d70 d024 8a54 8bde\r\n[..skipped..]\r\n000b3010: 2c1b 6736 8935 d55d 8090 0829 5dfc 7352\r\n000b3020: 44bd c35b 9b23 1cb6 0000 0000 0000 0000\r\nThe crypto algorithms are again a one-byte XOR and AES in CBC mode, this time used to decrypt the fourth-layer loader shellcode from the data embedded in ‘pcasvc.dll’. However, the algorithms are applied in the reverse order compared to the first layer. 
The hardcoded keys are also different: 0x5E is used as the XOR key, while the AES key and IV are “K4jcj02QSLWp8lK9gMK9h7W0L9iB2eEW” and “K4jcj02QSLWp8lK9” respectively (again, the IV is the first 16 bytes of the key).\r\nEcipekac: Layer IV loader shellcode\r\nLayer IV of infection flow using Ecipekac\r\nDuring our research, we found three different types of shellcode used as the fourth layer of Ecipekac.\r\nLayer IV loader shellcode – first type\r\nThe first shellcode type behaves the same way as the Ecipekac Layer II shellcode, the only difference being the embedded PE, which in this case is the final payload of Ecipekac. The payload of the first type is either “P8RAT” or the “FYAnti loader”. An analysis of these payloads is provided in later sections of this report.\r\nLayer IV loader shellcode – second type\r\nThe second type of shellcode is completely different from the other loader types. It processes a data structure with the layout shown in the table below.\r\nOffset  Example data                                     Description\r\n0x000   90 90 90 90 90 90 90 90                          Magic number checked before any data processing\r\n0x008   0x11600                                          Size of the encrypted data (4 bytes)\r\n0x00C   A9 5B 7B 84 9C CB CF E8 B6 79 F1 9F 05 B6 2B FE  16-byte RC4 key\r\n0x01C   C7 36 7E 93 D3 07 1E 86 23 75 10 49 C8 AD 01 9F 6E D0 9F 06 85 97 B2 [skipped]   Payload (SodaMaster) encrypted with RC4\r\nThe shellcode confirms the presence of the magic number “90 90 90 90 90 90 90 90” at the beginning of this structure before decrypting the payload at offset 0x01C using RC4 with the 16-byte key “A9 5B 7B 84 9C CB CF E8 B6 79 F1 9F 05 B6 2B FE”. The decrypted payload is “SodaMaster”, described later in this report.\r\nLayer IV loader shellcode – third type\r\nThe last type of shellcode is a Cobalt Strike stager. 
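The second-type Layer IV structure described in the previous subsection is simple enough to parse and decrypt offline. The following Python is an added example, not code from the original post: it implements the magic check, reads the size and key fields at the offsets from the table above, and applies a plain RC4 keystream; a builder packs a constructed stand-in payload so the parser can be exercised without a real sample. The RC4 key is the one quoted in the table; the payload bytes are invented for the demonstration.

```python
import struct

MAGIC = bytes([0x90]) * 8                       # offset 0x000: eight NOP bytes
KEY_OFF, KEY_LEN, PAYLOAD_OFF = 0x0C, 16, 0x1C

# 16-byte RC4 key quoted in the table above
SAMPLE_KEY = bytes([0xA9, 0x5B, 0x7B, 0x84, 0x9C, 0xCB, 0xCF, 0xE8,
                    0xB6, 0x79, 0xF1, 0x9F, 0x05, 0xB6, 0x2B, 0xFE])


def rc4(key, data):
    # Textbook RC4 (KSA + PRGA); encryption and decryption are the same operation.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def is_type2_blob(blob):
    # The shellcode refuses to proceed unless the 8-byte magic is present.
    return len(blob) >= PAYLOAD_OFF and blob[:8] == MAGIC


def parse_type2_blob(blob):
    # Returns (key, decrypted_payload). Raises on a bad magic or on a size
    # field that claims more data than is present (a truncated capture).
    if not is_type2_blob(blob):
        raise ValueError('magic 90*8 not found; not a type-2 Layer IV blob')
    size = struct.unpack_from('<I', blob, 8)[0]            # offset 0x008
    key = blob[KEY_OFF:KEY_OFF + KEY_LEN]                   # offset 0x00C
    enc = blob[PAYLOAD_OFF:PAYLOAD_OFF + size]              # offset 0x01C
    if len(enc) != size:
        raise ValueError('blob truncated: size field says %d, have %d' % (size, len(enc)))
    return key, rc4(key, enc)


def build_type2_blob(key, payload):
    # Inverse of parse_type2_blob, used here only to construct a test blob.
    if len(key) != KEY_LEN:
        raise ValueError('RC4 key must be 16 bytes')
    return MAGIC + struct.pack('<I', len(payload)) + key + rc4(key, payload)


# Constructed stand-in for the SodaMaster image: a PE-looking header plus filler.
SAMPLE_PAYLOAD = b'MZ' + bytes(62) + b'PE' + bytes(2) + bytes(range(256)) * 4

if __name__ == '__main__':
    blob = build_type2_blob(SAMPLE_KEY, SAMPLE_PAYLOAD)
    key, plain = parse_type2_blob(blob)
    print('key:', key.hex(), '| payload starts with', plain[:2])
```

Against a memory dump, slice from the first 90 90 90 90 90 90 90 90 run and hand the bytes to parse_type2_blob; a decrypted payload that starts with MZ is the quickest sanity check that the key and offsets were read correctly.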
We have confirmed the use of several different Cobalt Strike stager shellcodes since October 2019. In addition, some of the observed Cobalt Strike stager samples set the HTTP headers of their malicious communications to disguise them as a common jQuery request in order to evade detection by security products.\r\nHardcoded HTTP header to impersonate a jQuery request\r\nThe hardcoded C2 used in the HTTP header of the jQuery-impersonating C2 communication was “51.89.88[.]126” on port 443.\r\nPayloads of Ecipekac\r\nPayload of infection flow using Ecipekac\r\nAs mentioned previously, apart from the Cobalt Strike stager, we observed three types of final payload implanted by the Ecipekac loader during this long-running campaign:\r\nP8RAT\r\nSodaMaster\r\nFYAnti loader for QuasarRAT\r\nThe following timeline shows samples of the Ecipekac loader together with their respective filename and payload type, based on the compilation timestamp of the first-layer DLL:\r\nTimeline of the Ecipekac loader files and payloads\r\nThe Cobalt Strike stager was used throughout the research period. The FYAnti loader for QuasarRAT was observed in October 2019 and has not been seen since; SodaMaster and P8RAT were observed from May 2020 onwards.\r\nP8RAT\r\nOne of Ecipekac’s payloads is a new fileless malware which we call P8RAT (a.k.a. GreetCake). P8RAT uses the following unique data structure to store its C2 configuration. We collected several P8RAT samples during our research and found no C2 address used more than once. In total we found 10 backdoor commands across all the collected P8RAT samples. 
The most recent P8RAT sample, with a compilation timestamp of December 14, 2020, implements a new backdoor command with code number “309”. Command “304”, which was present in earlier samples and carries similar functionality, was removed.\r\nCommand  Description                                                     Compiled 2020-03-30  Compiled 2020-08-26  Compiled 2020-12-14\r\n300      Closing socket                                                  Enabled              Enabled              Enabled\r\n301      Creating a thread for executing/loading a downloaded PE file    Enabled              Enabled              Enabled\r\n302      No functionality                                                Enabled              Removed              Removed\r\n303      Sending randomly generated data                                 Enabled              Enabled              Enabled\r\n304      Executing/loading downloaded PE/shellcode                       Enabled              Removed              Removed\r\n305      Setting the value of “Set Online Time”                          Enabled              Enabled              Enabled\r\n306      Setting the value of “Set Reconnect TimeOut”                    Enabled              Enabled              Enabled\r\n307      Setting the value of “Set Reconnect times”                      Enabled              Enabled              Enabled\r\n308      Setting the value of “Set Sleep time”                           Enabled              Enabled              Enabled\r\n309      Creating a thread for executing downloaded shellcode            Not implemented      Not implemented      Enabled\r\n(The strings quoted for commands 305 to 308 were hardcoded in the P8RAT version compiled on 2020-03-30 and removed from the version compiled on 2020-08-26; command 309 first appears in the version compiled on 2020-12-14.)\r\nThe main purpose of P8RAT is to download and execute payloads (PE files and shellcode) from its C2 server. 
However, we were unable to obtain any sample of the subsequent payloads for this malware.\r\nIn the P8RAT sample from March 2020, the hardcoded strings “Set Online Time”, “Set Reconnect TimeOut”, “Set Reconnect Times” and “Set Sleep Time” were associated with backdoor commands “305” to “308”, which hints at the purpose of these commands. Based on these strings, which were removed from the P8RAT samples from August 2020, we speculate that these commands control the timing of C2 communication (sleep time, reconnect times and reconnect timeout) in order to blend the C2 traffic into the system’s normal network traffic.\r\nIn another update, the P8RAT sample from August 2020 looks for two process names (“VBoxService.exe” and “vmtoolsd.exe”) on the victim’s system at the beginning of its main malicious function, in order to detect VirtualBox and VMware environments.\r\nHardcoded file names to detect VMware and VirtualBox\r\nInterestingly, the attacker made some modifications to P8RAT in December 2020, shortly after the publication of the two blog posts from Symantec (November 17, 2020) and LAC (December 1, 2020, in Japanese). We strongly believe that this actor examined these security vendors’ publications carefully and then modified P8RAT accordingly.\r\nSodaMaster\r\nAnother payload of the Ecipekac loader, which we call SodaMaster (a.k.a. DelfsCake), is also new fileless malware. In our research we found more than 10 samples of SodaMaster. All the collected samples of this module were almost identical, with the offsets and hex patterns of all functions matching perfectly. 
The only differences were in the configuration data, which consists of a hardcoded C2, an encoded RSA key and additional data used to calculate a mutex value.\r\nConfiguration of SodaMaster\r\nWhen the malware starts, it creates a mutex whose name is the reversed CRC32 checksum calculated over the encoded RSA key and the additional data that follows it. The malware then randomly generates a value to be used as the RC4 key for C2 communication. The first data block sent to the C2 server includes the user_name, the host_name, the PID of the malware module, the OS_version, the socket_name, the generated RC4 key and the malware’s elapsed running time.\r\nC2 communication of SodaMaster\r\nWe confirmed four backdoor commands, coded as “d”, “f”, “l” and “s”, in the recent SodaMaster sample. We also discovered an old SodaMaster sample which has only two commands. A description of each command is shown in the following table.\r\nCommand  Description                                                                     Compiled 2019-01-07  Compiled 2019-06-10\r\nd        Create a thread that loads a downloaded DLL and calls an export function of it  Enabled              Enabled\r\nf        Set the value used as the RC4 key for encrypted C2 communication                Not implemented      Enabled\r\nl        Set the sleep time                                                              Not implemented      Enabled\r\ns        Create a thread for executing downloaded shellcode                              Enabled              Enabled\r\nBased on the analysis of its backdoor features, the purpose of SodaMaster is also to download and execute payloads (DLL or shellcode), like P8RAT. Unfortunately, we have not been able to obtain these payloads yet.\r\nThe SodaMaster module also has an anti-VM feature. 
The malware looks for the registry key “HKEY_CLASSES_ROOT\\Applications\\VMwareHostOpen.exe” on the victim’s system before proceeding to its main functionality. This registry key is specific to VMware environments.\r\nSodaMaster anti-VM check\r\nAnother characteristic of SodaMaster is its use of the common obfuscation technique known as “stackstrings” to build the registry key path from double-byte (wide) characters. We observed the same obfuscation technique used for a process name and a DLL name in other SodaMaster samples.\r\nFYAnti loader for QuasarRAT\r\nThe last observed type of payload deployed by Ecipekac is a loader module we named FYAnti. The fourth layer of Ecipekac loads this DLL into memory and calls an export named “F**kY**Anti”; the loader is named after this distinctive string. The execution flow of FYAnti has two additional layers before reaching the final stage, which is QuasarRAT (a.k.a. xRAT).\r\nInfection flow of FYAnti loader\r\nThe first layer of the FYAnti loader decrypts an embedded .NET module and executes it using the CppHostCLR technique (hosting the CLR from native code). The .NET module is packed with “ConfuserEx v1.0.0” and acts as yet another loader: it searches the “C:\\Windows\\Microsoft.NET\\” directory for a file with a size between 100,000 and 500,000 bytes. The unpacked code is shown in the screenshot below.\r\nUnpacked code of the second layer loader of FYAnti to search for a file\r\nIn this instance, an encrypted file named “web_lowtrust.config.uninstall” is found and used as the next-stage module. The .NET module loads this file and decrypts it using AES in CBC mode. The decrypted payload is another .NET module named Client.exe, which is QuasarRAT, a popular open-source remote administration tool. 
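The search that the FYAnti second layer performs gives defenders a matching hunt: anything under that directory tree whose size falls in the 100,000 to 500,000 byte window and that is neither a valid PE nor plain-text configuration deserves a look. The Python below is an added example, not part of the original post or of any Kaspersky tooling. It walks a directory, applies the size window, and uses Shannon entropy plus a quick MZ/PE header check to separate an AES-encrypted blob from ordinary .NET assemblies and XML configs. The directory contents are constructed in a temporary folder so the script runs anywhere, and the 7.5 bits-per-byte entropy threshold is an assumption chosen here, not a value from the article.

```python
import math
import os
import tempfile
from collections import Counter

MIN_SIZE, MAX_SIZE = 100_000, 500_000        # window used by the FYAnti .NET loader
ENTROPY_THRESHOLD = 7.5                      # assumed: bits/byte typical of ciphertext


def shannon_entropy(data):
    # Bits per byte; uniformly random data scores close to 8.0.
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_like_pe(data):
    # A .NET assembly is still a PE file: MZ header and a valid e_lfanew.
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], 'little')
    return data[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)


def hunt_encrypted_stages(root):
    # Returns [(path, size, entropy)] for files in the size window that are
    # neither PE images nor low-entropy text, i.e. candidate encrypted stages.
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue
            if not MIN_SIZE <= size <= MAX_SIZE:
                continue
            with open(path, 'rb') as fh:
                data = fh.read()
            if looks_like_pe(data):
                continue
            ent = shannon_entropy(data)
            if ent >= ENTROPY_THRESHOLD:
                hits.append((path, size, round(ent, 2)))
    return sorted(hits)


def make_demo_tree():
    # Constructed stand-in for a Microsoft.NET directory: one assembly-like PE,
    # one XML config, one small file outside the window, and one 200 KB
    # high-entropy blob named like the FYAnti stage file.
    root = tempfile.mkdtemp(prefix='fyanti_demo_')
    sub = os.path.join(root, 'Framework64', 'v4.0.30319', 'Config')
    os.makedirs(sub)
    e_lfanew = 0x80
    pe = b'MZ' + bytes(0x3A) + e_lfanew.to_bytes(4, 'little')
    pe += bytes(e_lfanew - len(pe)) + b'PE' + bytes(2) + os.urandom(250_000)
    files = {
        os.path.join(sub, 'System.Configuration.dll'): pe,
        os.path.join(sub, 'web.config'): b'<configuration>' + b' ' * 150_000 + b'</configuration>',
        os.path.join(sub, 'machine.config.bak'): b'x' * 10,
        os.path.join(sub, 'web_lowtrust.config.uninstall'): os.urandom(200_000),
    }
    for path, content in files.items():
        with open(path, 'wb') as fh:
            fh.write(content)
    return root


def demo_hits():
    return hunt_encrypted_stages(make_demo_tree())


if __name__ == '__main__':
    for path, size, ent in demo_hits():
        print('%s  %d bytes  entropy %.2f' % (path, size, ent))
```

Point hunt_encrypted_stages at the real Microsoft.NET tree on a suspect host; the size window alone matches plenty of legitimate assemblies, which is why the PE check and the entropy score do the actual filtering. A hit still needs manual confirmation, since a compressed resource file can also score high.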
The configuration data is stored in the binary, with most of it encrypted with AES in CFB mode and base64-encoded. The AES key is derived from the hardcoded string “KCYcz6PCYZ2VSiFyu2GU” in the configuration data.\r\nMalware configuration of QuasarRAT\r\nAll loader modules and payloads are decrypted and executed in memory only.\r\nAttribution\r\nBased on our investigations, we assess with high confidence that the APT10 threat actor is behind the A41APT campaign. This attribution is based on the following points.\r\nFirst, the hardcoded URL “www.rare-coisns[.]com” from an x86 SodaMaster sample was mentioned in the report from ADEO on APT10 activity targeting the finance and telecommunication sectors in Turkey, which also fits the geolocation of the VirusTotal submitter.\r\nSecond, the A41APT campaign resembles the APT10 activities described in a Cylance blog post, in particular the Ecipekac loader, the FYAnti loader’s unique export name “F**kY**Anti”, the use of the CppHostCLR technique and QuasarRAT as FYAnti’s final payload. 
Moreover, as stated in the Symantec blog post, the FYAnti loader, the export name “F**kY**Anti”, the CppHostCLR technique for injecting the .NET loader and the use of QuasarRAT all match the APT10 activities discovered by the BlackBerry Cylance threat research team.\r\nLast but not least, there are several TTPs in common with those outlined in our previous TIP report on APT10 activities:\r\nHashing or crypto algorithms implemented manually by the malware developers instead of using Windows APIs, with some modifications;\r\nUse of calculated hash values (fully or partially) for features such as crypto keys, parts of crypto keys, key generation, mutex names and so on;\r\nUse of the DLL side-loading technique to run a payload in memory;\r\nUse of PowerShell scripts for persistence and for lateral movement;\r\nUse of an executable (wevtutil.exe) to remove logs in order to hide their activity;\r\nSending victim machine data such as username, hostname, PID, current time and other specifics, though this point is not unique to APT10 backdoors and is common to most backdoor families;\r\nModifying implants shortly after security researchers publish their analysis of the actor’s activities and TTPs;\r\nTargeting mainly Japan, along with overseas branches or organizations related to Japan.\r\nHowever, we observed some interesting differences between the A41APT campaign and previous activities:\r\nP8RAT and SodaMaster do not contain a malware version number, unlike previous malware used by APT10 such as LilimRAT, LODEINFO and ANEL;\r\nAs for the infection vector, we could not identify any spear-phishing email in the A41APT campaign, which is otherwise quite common in APT10 attacks.\r\nOverall, APT10 is considered a large APT group running multiple simultaneous campaigns and, 
understandably, TTPs differ from one campaign to another. We believe the differences noted here for the A41APT campaign represent the normal variation in TTPs that can be expected from such a large APT group.\r\nConclusions\r\nWe consider the A41APT campaign to be one of APT10’s long-running activities. This campaign introduced a very sophisticated multi-layer loader named Ecipekac and its payloads, which include unique fileless malware such as P8RAT and SodaMaster.\r\nIn our opinion, the most significant aspect of Ecipekac is that, apart from the large number of layers, the encrypted shellcode is inserted into digitally signed DLLs without affecting the validity of the digital signature. When this technique is used, some security solutions fail to detect these implants. Judging from the main features of the P8RAT and SodaMaster backdoors, we believe these modules are downloaders responsible for fetching further malware that, unfortunately, we have not yet been able to obtain in our investigation.\r\nWe see the activity outlined in this report as a continuation of the activity we previously reported in our Threat Intelligence Portal, where, in 2019, this threat actor began targeting overseas offices of Japanese associations or organizations using the ANEL malware. The operations and implants of the campaign described in this report are remarkably stealthy, making it difficult to track the threat actor’s activities. The main stealth features are the fileless implants, obfuscation, anti-VM checks and removal of activity tracks.\r\nWe will continue to investigate and track the activities of the APT10 actor, which we expect to keep improving its covertness year after year.\r\nAppendix I – Indicators of Compromise\r\nNote: The indicators in this section are valid at the time of publication. 
Any future changes will be directly updated in the corresponding .ioc file.\r\nFile hashes\r\nEcipekac loader\r\nmd5                                filename                payload\r\nbe53764063bb1d054d78f2bf08fb90f3   jli.dll                 P8RAT\r\ncca46fc64425364774e5d5db782ddf54   vmtools.dll             SodaMaster\r\ndd672da5d367fd291d936c8cc03b6467   CCFIPC64.DLL            FYAnti loader\r\nEncrypted Ecipekac Layer II and Layer IV loaders (shellcode)\r\nmd5                                filename                payload\r\nf60f7a1736840a6149d478b23611d561   vac.dll                 P8RAT\r\n59747955a8874ff74ce415e56d8beb9c   pcasvc.dll              P8RAT\r\n4638220ec2c6bc1406b5725c2d35edc3   wiaky002_CNC1755D.dll   SodaMaster\r\nd37964a9f7f56aad9433676a6df9bd19   c_apo_ipoib6x.dll       SodaMaster\r\n335ce825da93ed3fdd4470634845dfea   msftedit.prf.cco        FYAnti loader\r\nf4c4644e6d248399a12e2c75cf9e4bdf   msdtcuiu.adi.wdb        FYAnti loader\r\nEncrypted QuasarRAT\r\nmd5                                filename                        payload\r\n019619318e1e3a77f3071fb297b85cf3   web_lowtrust.config.uninstall   QuasarRAT\r\nDomains and IPs\r\n151.236.30[.]223\r\n193.235.207[.]59\r\n45.138.157[.]83\r\n88.198.101[.]58\r\nwww.rare-coisns[.]com\r\nAppendix II – MITRE ATT&CK Mapping\r\nThis table contains all the TTPs identified in the analysis of the activity described in this report.\r\nInitial Access\r\nT1133  External Remote Services – Uses vulnerabilities in Pulse Connect Secure to hijack a VPN session.\r\nT1078  Valid Accounts – Uses stolen credentials to connect to the enterprise network for the initial infection.\r\nExecution\r\nT1059.001  Command and Scripting Interpreter: PowerShell – Uses PowerShell to download implants and remove logs.\r\nT1053.005  Scheduled Task/Job: Scheduled Task – Creates a task that runs a legitimate EXE, which side-loads Ecipekac (malicious DLL).\r\nPersistence, Privilege Escalation and Defense Evasion (the following four techniques are mapped to each of these three tactics)\r\nT1574.001  Hijack Execution Flow: DLL Search Order Hijacking – Uses a legitimate EXE which loads Ecipekac (malicious DLL) from the current directory.\r\nT1574.002  Hijack Execution Flow: DLL Side-Loading – Uses a legitimate EXE which loads Ecipekac (malicious DLL) from the current directory.\r\nT1053.005  Scheduled Task/Job: Scheduled Task – Creates a task that runs a legitimate EXE, which side-loads Ecipekac (malicious DLL).\r\nT1078  Valid Accounts – Uses stolen credentials to connect to the enterprise network for the initial infection.\r\nDefense Evasion (in addition to the four techniques above)\r\nT1070.003  Indicator Removal on Host: Clear Command History – Removes PowerShell execution logs using wevtutil.exe.\r\nT1036  Masquerading – Encrypted Ecipekac shellcode is embedded in a legitimately signed DLL.\r\nT1497.001  Virtualization/Sandbox Evasion: System Checks – Ecipekac payloads check a registry key and process names to identify VM environments.\r\nDiscovery\r\nT1057  Process Discovery – Checks for VMware and VirtualBox processes to identify a VM environment.\r\nT1082  System Information Discovery – SodaMaster sends system information such as user_name, host_name, PID of the malware module, OS_version, etc.\r\nT1012  Query Registry – Checks a VMware-specific registry key to identify a VM environment.\r\nLateral Movement\r\nT1210  Exploitation of Remote Services – Uses vulnerabilities in Pulse Connect Secure to hijack a VPN session.\r\nCommand and Control\r\nT1071.001  Application Layer Protocol: Web Protocols – The Cobalt Strike stager communicates with its C2 server over HTTP, disguised as common jQuery traffic.\r\nT1132.002  Data Encoding: Non-Standard Encoding – SodaMaster uses a custom data structure and RSA for the first communication, then RC4 for encryption.\r\nSource: https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/"
	],
	"report_names": [
		"101519"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10",
				"CTG-5938",
				"CVNX",
				"Hogfish",
				"MenuPass",
				"MirrorFace",
				"POTASSIUM",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda"
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41",
				"BARIUM",
				"Blackfly",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku",
				"GREF",
				"Group 72",
				"Red Kelpie",
				"TA415",
				"TG-2633",
				"Wicked Panda",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439138,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1f97c6b7e1ee62dcb786ab14c98d47761812226d.pdf",
		"text": "https://archive.orkl.eu/1f97c6b7e1ee62dcb786ab14c98d47761812226d.txt",
		"img": "https://archive.orkl.eu/1f97c6b7e1ee62dcb786ab14c98d47761812226d.jpg"
	}
}
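The T1070.003 row of the ATT&CK table in the record above describes PowerShell execution logs being removed with Wevtutil.exe. The following Python script is an added example, not code from the Securelist article or from the ORKL record: it runs that detection over a few constructed Sysmon-style process-creation lines (hypothetical data, not records from the A41APT investigation), extracts the command line, matches `wevtutil cl` and its long form `wevtutil clear-log`, and rates clearing of PowerShell logs above clearing of other logs. The field layout, user names, severity labels and the `Finding` type are assumptions for illustration; the `PowerShellCore/Operational` entry and the generic "powershell" substring check go beyond the single Operational log the page mentions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed Sysmon-style process-creation lines (Event ID 1) for this example.
# They are illustrative only and not records from the A41APT investigation.
SAMPLE_LOGS = [
    "EventID=1 User=CORP\\svc_backup Image=C:\\Windows\\System32\\wevtutil.exe "
    "CommandLine=wevtutil.exe cl Microsoft-Windows-PowerShell/Operational",
    "EventID=1 User=CORP\\svc_backup Image=C:\\Windows\\System32\\wevtutil.exe "
    "CommandLine=WEVTUTIL clear-log \"Windows PowerShell\"",
    "EventID=1 User=CORP\\admin Image=C:\\Windows\\System32\\wevtutil.exe "
    "CommandLine=wevtutil qe Security /c:5 /f:text",
    "EventID=1 User=CORP\\admin Image=C:\\Windows\\System32\\wevtutil.exe "
    "CommandLine=wevtutil cl Application",
    "EventID=1 User=CORP\\user Image=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=cmd.exe /c dir",
]

# wevtutil's "cl" is the short alias of "clear-log"; the log name may be quoted
# (it can contain spaces, e.g. "Windows PowerShell") or a bare token.
CLEAR_RE = re.compile(
    r'(?i)\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(?:"([^"]+)"|(\S+))'
)

# Logs that hold PowerShell execution records (assumed set; the page names only
# the PowerShell execution logs in general).
POWERSHELL_LOGS = {
    "microsoft-windows-powershell/operational",
    "windows powershell",
    "powershellcore/operational",
}


@dataclass(frozen=True)
class Finding:
    user: str
    log_name: str
    severity: str  # "high" for PowerShell execution logs, "medium" otherwise
    command_line: str


def parse_line(line: str) -> dict:
    """Split a 'Key=Value ... CommandLine=<rest of line>' record into fields.
    CommandLine is taken as everything after its key because it contains spaces."""
    head, sep, cmdline = line.partition("CommandLine=")
    fields = dict(re.findall(r"(\w+)=(\S+)", head))
    fields["CommandLine"] = cmdline.strip() if sep else ""
    return fields


def classify_log(log_name: str) -> str:
    """Rate the cleared log: PowerShell execution logs are the high-value case."""
    name = log_name.strip().lower()
    if name in POWERSHELL_LOGS or "powershell" in name:
        return "high"
    return "medium"


def detect_log_clearing(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per process-creation event that clears an event log."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("EventID") != "1":
            continue
        match = CLEAR_RE.search(ev["CommandLine"])
        if not match:
            continue
        log_name = match.group(1) or match.group(2)
        findings.append(
            Finding(ev.get("User", "?"), log_name, classify_log(log_name), ev["CommandLine"])
        )
    return findings


if __name__ == "__main__":
    for f in detect_log_clearing(SAMPLE_LOGS):
        print(f"[{f.severity}] {f.user} cleared '{f.log_name}': {f.command_line}")
```

Querying a log with `wevtutil qe` is left unflagged on purpose, since only clearing destroys evidence; in a real pipeline the same logic would sit on Sysmon Event ID 1 or Security 4688 records with command-line auditing enabled, and the high-severity finding would be correlated with the PowerShell activity that preceded it.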