{
	"id": "02e418cf-a36c-4dd6-b4a1-25aa914691c2",
	"created_at": "2026-04-06T00:17:00.919006Z",
	"updated_at": "2026-04-10T13:11:55.869309Z",
	"deleted_at": null,
	"sha1_hash": "20ba0b316652479f77a51c3c0bbefa313f5ed038",
	"title": "Spyder Loader: Malware Seen in Recent Campaign Targeting Organizations in Hong Kong",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68870,
	"plain_text": "Spyder Loader: Malware Seen in Recent Campaign Targeting\r\nOrganizations in Hong Kong\r\nArchived: 2026-04-05 23:13:05 UTC\r\nSymantec has observed a likely continuation of the Operation CuckooBees activity, this time targeting\r\norganizations in Hong Kong.\r\nOperation CuckooBees was first documented in May 2022 by researchers at Cybereason, who said the\r\nintelligence-gathering campaign had been operating under the radar since at least 2019, stealing intellectual\r\nproperty and other sensitive data from victims.\r\nIn the attacks observed by Symantec, the attackers remained active on some networks for more than a year. We\r\nsaw the Spyder Loader (Trojan.Spyload) malware deployed on victim networks, indicating this activity is likely\r\npart of that ongoing campaign. While we did not see the ultimate payload in this campaign, based on the previous\r\nactivity seen alongside the Spyder Loader malware it seems likely the ultimate goal of this activity was\r\nintelligence collection.\r\nBackground to Operation CuckooBees\r\nThe Spyder Loader malware was first discussed publicly in a March 2021 blog by SonicWall, with the researchers\r\nsaying at the time that the malware was “being used for targeted attacks on information storage systems, collecting\r\ninformation about corrupted devices, executing mischievous payloads, coordinating script execution, and C\u0026C\r\nserver communication.”\r\nThese initial findings were expanded on substantially in a detailed Cybereason investigation published in May\r\n2022, which detailed a long-running campaign that the researchers dubbed Operation CuckooBees. They said that\r\nthis campaign had been ongoing since at least 2019. The researchers said that the attackers exfiltrated hundreds of\r\ngigabytes of information and that they “targeted intellectual property developed by the victims, including sensitive\r\ndocuments, blueprints, diagrams, formulas, and manufacturing-related proprietary data.” They also stole data that\r\ncould be leveraged for use in future cyber attacks — such as credentials, customer data, and information about\r\nnetwork architecture.\r\nAmong the tools used in that campaign was the Spyder Loader malware, which is what was also observed in the\r\nactivity seen by Symantec researchers.\r\nSpyder Loader - Technical Details\r\nThe loader sample analyzed by Symantec researchers is compiled as a 64-bit PE DLL.\r\nIt is a modified copy of sqlite3.dll, with the following malicious export added:\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/spyder-loader-cuckoobees-hong-kong\r\nPage 1 of 7\n\nsqlite3_prepare_v4\r\nThe sqlite3_prepare_v4 export expects a string as its third argument. Reportedly, whenever an export is executed\r\nby rundll32.exe, the third argument of the called export should contain part of the process command-line. When\r\nthis loader is executed, it extracts the file name from its third argument, and the referred file is expected to contain\r\na sequence of records. Each record has the following structure:\r\nAt minimum, the malware sample requires records storing blob_ids 1 and 2. The sample also checks for the\r\noptional blob_ids 3 and 4. For blob_ids 1 and 2, the content of encrypted_blob is encrypted using the AES\r\nalgorithm in Cipher Feedback (CFB) mode with segment_size of 0x80 bits.\r\nThe encryption key is based on the name of an affected computer per GetComputerNameW() API:\r\nAnd the initialization vector (IV) is derived from the corresponding record header:\r\nThen the sample creates FileMapping with the following parameters:\r\nhFile = INVALID_HANDLE_VALUE,\r\ndwMaximumSizeLow = sum of blob_sizes for blob_ids 2, 3 and 4,\r\nlpName = \"Global\\{94803275-9AEA-474E-A8F7-904EDE192BF4}\"\r\nNext, it populates the created FileMapping with:\r\na copy of record storing blob_id 2, but decrypting the content of field encrypted_blob,\r\n(if present) copy of record storing blob_id 3, and\r\n(if present) copy of record storing blob_id 4.\r\nThen it checks the status of service IKEEXT and stops the service, if running.\r\nNext, it drops the decrypted content of blob_id 1 as the following file, before starting the service:\r\n[SystemDirectory]\\wlbsctrl.dll\r\nThis is apparently intended to execute the created wlbsctrl.dll file. It is likely that this file acts as a next-stage\r\nloader that executes the content of blob_id 2 from the created FileMapping. It is possible that the remaining\r\noptional blobs could then be used for follow-up stages and/or configuration data. However, as Symantec\r\nresearchers did not observe these additional content blobs being executed, this is speculative.\r\nAs previously mentioned, AES encryption is used where the sample uses the CryptoPP C++ library, but ChaCha20\r\nalgorithm encryption is also used to obfuscate one of the strings. The malware also cleans up created artifacts,\r\noverwriting the content of the dropped wlbsctrl.dll file before deleting it, for example. These steps are most likely\r\ntaken in order to prevent the activity being analyzed.\r\nDebug strings also indicated that the source code location of the malware was the following:\r\ne:\\works\\2021\\stonev4-legacy\\cryptopp_5_6_4\\cryptopp\\secblock.h\r\nSimilarities between this activity and the Spyder Loader activity described by Cybereason include:\r\nUse of a modified version of sqlite3.dll\r\nrundll32.exe command-line example seen in Cybereason’s research seems consistent with how the third\r\nparameter of malicious export is used in this sample\r\nUse of the CryptoPP C++ library\r\nThese various similarities led us to conclude that this sample was also a version of the Spyder Loader malware.\r\nWe saw various variants of Spyder Loader on victim networks, all displaying largely the same functionality.\r\nOther Activity on Victim Networks\r\nWe saw assorted other malware samples that carried out various other types of activity on victim networks,\r\nincluding a modified SQLite DLL with the malicious export sqlite3_extension_init, which creates and starts a\r\nservice named GeneralManintenanceWork for a file named data.dat. We also saw Mimikatz being executed on\r\nvictim networks, as well as a Trojanized ZLib DLL that had multiple malicious exports, one of which appeared to\r\nbe waiting for communication from a command-and-control (C\u0026C) server, while the other would load a payload\r\nfrom the provided file name in the command-line.\r\nAnother sample installs and runs the below component of winpcap as a service:\r\nIt accepts either -i or -v as a parameter\r\n-i installs and runs a service\r\n-v checks if winpcap is already installed\r\nFiles with the names npf.sys and packet.dll are then installed.\r\nIntelligence Gathering the Likely Goal\r\nWhile we do not see the final payload delivered in this campaign, the use of the Spyder Loader malware and\r\ncrossover with the activity previously identified by SonicWall and Cybereason, combined with the victims seen in\r\nthis recent activity, make it most likely that the motivation behind this activity is intelligence gathering.\r\nThe fact that this campaign has been ongoing for several years, with different variants of the Spyder Loader\r\nmalware deployed in that time, indicates that the actors behind this activity are persistent and focused adversaries,\r\nwith the ability to carry out stealthy operations on victim networks over a long period of time. Companies that\r\nhold valuable intellectual property should ensure that they have taken all reasonable steps to keep their networks\r\nprotected from this kind of activity.\r\nProtection\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise (IOCs) – Spyder Loader\r\n00634e46b14ba42c12e35a367f1c7a616fb8e8754ebb2e24ae936377a3ee544a\r\n033313b31fbea64a1a0a53b38c74236f7af2e49018faa2be6c036427c456ef6d\r\n06ed28c4ae295dec0bd692cd7fcecb5fa9de644968d281f5e4bf48eb72bc4b63\r\n091e3e806b6d66cf1eccbd57a787eec65df5f07ad88118c576b3ae06c08af744\r\n0cdbde55b23b26efd5c4503473bd673e3e5a75eae375bae866b6541edb8fcc84\r\n181a25cbcd050c1b42839a5d32df4f59055e27377e71eaa3eb9230a43667f075\r\n228784cc7dad998f1f8b7395bf758827eff9b27762a7056d9e8832bb8a029aad\r\n260d54c2fcf725a8b6d030c36ca26f65ba3d01f707fa0e841cac0166d06218c0\r\n2879253c8c8dd3ee53525c81801d813594bb657ad4f7478ba4288112f0315c9e\r\n2da683d54f12d83f0f111b5c57f7f78016cad5860b2604d38b2aba37ab3d5c55\r\n3196e74004816227323d6864448361fb173b3c96cf3d1b0aa26dfcd259a61505\r\n33aa5df5470ae59cd30c7ea4c2ad1e13901a8fd13ea6b4b5584d10ffdba31ee4\r\n396e35b2a4f920182d3148c834cf70f00b6094600e51e030d6fc297cb0ca5c06\r\n3b3df3ada05e521ec8ce2f0deaeb6fd4359a2de9cadb0dd51c0d9d7a835473a4\r\n3d96132412d8587849aa5dfd35c968755b30a08b100ec42eb810ff1f042e9fd0\r\n3e10500c3779e56d2daa05da920d014becf33597f5ccb67c069320c5c43d40d2\r\n4164cfc533621e37c8ad910f29d4afa92d0180c1697b7970746243574029a1f1\r\n417a65be8ef81cb36021dbe56b07bf5dd65b7355e61b7a94bc988aaa335b22da\r\n4221362bba10aedbb2d09729567d090f543c5de8543ec55ca4a6516815202064\r\n438dddd93333ccfce4499558c92b20341166a134a8451ffc60ebf6ec5e0890dc\r\n48658c800b724197cb91cbfd064df060221bc72bd77301707cb30b2f7c2b81fb\r\n4a9cd0c32d6992077d3140917928f1b931bb2bf28e88f0dd8e4c92cd5d9cbe00\r\n4bc3a4e4d74b81acf19621da7c8304527fff954747ab3393b78e0758306b3fa6\r\n4d8784b957d826acc00e5a87d7317bbaeb63c7f9f86a5f446a41a5a355de437e\r\n4dfae8301a9284eea4e975476ceaa652d5d3c799879dec7c5c9e18bbc2930885\r\n54bcd44d4606e0fdb1b7c2110684f429f9e234269d213ddb60c9665e7b8679c7\r\n551794bd7c66fb064d81230161b25ed81a714aa9377f2a9a1af69626dc99d385\r\n5bf03354d708d3c87e82a50d3f4c948fc8c6e8186537b0463edafd9546b51333\r\n5cf6bca323851a509120399a975edc759a9d2c5c21aff18ee6cae506b0f93d67\r\n5deab41977d5d6217b3e35cfab81015d83f270650ccc170dfb948e55e92478dd\r\n5f477c03a689b4aeed28dcb2f8bab3dfa7fc834223062f16eddb5426c2cfa2e6\r\n6741a9ea57e38d1e9d6014bd191b0ac517d2bfa2d79cb091c64fb8011c8521d3\r\n69d927abbacdfcdcad0a1d878e8c0a8543a940a101447b9127365034f7a2d773\r\n6d07ce2ca82489599ae609c6ed18f587059ed5cf2d32a513c5ea6d35861695e9\r\n6d689996a8721f8417de46d645dc6b66b261afdf8ee30b4a0853ff94ec87d3b0\r\n72424e99c1814a1d741508c198eac3e3e84626ce39d961c014718e7f8abb6fe5\r\n7443e17e80dec2db6cfffc0a272fd8a27b2a98a42ffc15fb9065c072dc5904f7\r\n74ff4db3af082d73dcba597cacfd4cae64e00c68169a64be2f3715a0f06535ae\r\n7ccb9cdaff8c6c7785ee1422aa70723c976f62795593b02fbf0923f09c6b647d\r\n7ecd5ec38db31cfb7146ac684eb75912e418c3fbb69a2562478b5fce2ae2c615\r\n8344fcc55534f0b0e08f48f44607771d7cfad130f749ddcc434ffc6fd9012eaa\r\n8535a6e49afa4057e504fa8f4a21a06f535f51bbafff0631c662d7ade5aabfb9\r\n8648bb183abf8aa2111f4d98ecc386e5bcdfa614033efdd124d61ee155261a13\r\n86a45d92282ed3c4f82687eb1d6cfa6a906d6fc5033014bdc6c57da07db1b1b2\r\n892c1f324fa5c2370b06dedf691bd60fa0aa70a4bd6502b9c615cdcd3d5e698a\r\n8a42bee7190e23f76e46e66f9194c33f33a60903a28d267acebf4fd8dead15e8\r\n8a8109f2af10898cdf7259467d18410f2b61a89d5f0d7031b5e45e1bd3b8678a\r\n8eeba9d12cd01b8eb245c76ff16e34eb0455001243fcf1889f28655e55c1d1ed\r\n8fe7cc990ffaf4f156c0868b41e1e92d09c1270e11b96c7320498e0390cc93c6\r\n9138916b9630c81a0b7b6597f4be72ca46c7e3dc1e6fd89d14ddb12f1deb7fdc\r\n95bc468f50483f337d3ef6e1c5d1765beffee4db9c057d6e49713b3a099b2eef\r\n96e22da2b69f599cba297a9aafc971a09c99433bf7f51ec37446c34ed3701d12\r\n9b114bfec2561e76fd8d0c9b31633c2089abec8f3a99c297f0f6416838567452\r\n9b7d8827685b71e92438355872f10c2364d7e3a3811df884eb41e371bcda8f6d\r\n9daa43c1204184634b9833718155404d6c0366fcdd524f945eacfc3e5760c116\r\na43c9dbfd2a9c1a065eb7a9212f2125ea6e6a73256081bc2deacd50913162a6a\r\na7f291bde213d9eb4fa60fb3517a6ec6fb7a057457534afe895c1684db0ba21d\r\nb02c10d8a83857352c99f09548397bf8e0ee0548b8e050e138b82eb08b98e938\r\nb13bc2986f098580e2432dac7004a9dca2254c6756dafa3b7f67aff743ee060f\r\nb382824cbb11c60da6c733855c825dcbdf2bbfb8104a517d27af56b56625ba9f\r\nb4703af681c75d2d16c555f008bc4308a4d03767ceed55c02d1a892341444304\r\nb4841104c663f4f013b467220d576035fd2187a92c84451709abff47c8fb162e\r\nb4cdc814f1536264cc5e469cebcbf351ee9d1b9620248bc0a6b14725fe38d5a0\r\nb82a19a06270f37e3b12047a1382796678895fe1c58a9ef799cf5250f6c96dcf\r\nc01f402b942502889aa854326405b29a4d33947547074fbb9eab7c4c4a896d77\r\nc276300d47daff9cc1e486e4ea3d776d82fa9b3f8161eccfe49fc3218afdfbe9\r\nc3d41387bcc9c9f2d9858b1286ed51369a06ed12abe7623344a31a0e0f18f36a\r\nc57236c2e7fe84334d5bdef6420cbf121ab9f918f5d8e4323d7055b12947abb6\r\nc862f2cdbf817f6d7c5568a4af2d8766a30719297e31a71620503e50176fceb2\r\nccaa5186451c0658b6294f5d8a78b3ec02505164c1ddec2b418259564cd7b23b\r\ncd5a53fc5bb675b47bb4055d8f3e4c45902a8245df2300ccf03d7da6464add78\r\ncdaaf781557e85582dd42ff6a58ecbbb68a7cb2e0dc7c7aa49b1d5df5391330b\r\nd06730e1d07491a70b4b18b52e8f35c92509b5049239e3794a6be73ce160e2c0\r\nd2939897865906fb339e878f620f928bff36c7dead15bb6ed94f7a9df16300e9\r\nd3a163a7313629cc380b9405aafb847247d2a256ae48b60bffd0bfbe3082c19c\r\nd76e32647c3890100fe994a9a0f84a3e6957af08195366e86299e4033c2551f1\r\ndbc60a4878ae9f1a2184c44837db9968a157f2008a16e3a350909a598f918dd9\r\ndc4218b67f99196fb5d71c4bd5ce762e9b8950d8206e198a755650c5e6d17fd0\r\ndc647ce87c62b0ac76530362694d1dafdca5ca414e5abb18c324dfd24f0e9644\r\ndeb0e05adad48b90a534beabe2ef4261d2a864112945907fbd2d020b90f24507\r\ne1af76d84f98eb4cd7af04d35030e37ffaa8120a7d048fafe0cbcb2a7f86c460\r\ne3b82ac4870a2ae86dfe88cf7ecf9bc0dc6ed653af0ad1aaa20194cae8aff411\r\ne4f4b3a554c8a0fd693201333e8d634f8ef1fa4ca4445ca556492bb9d0d486c4\r\nef24840ccde8c7547b3329c7854fdd22d2178c7ad7f931303da2e6eacbf16d1c\r\nf17278d4eaafff971864c02efdc0e4435defad96e7f5203e580a4e32c64681d8\r\nf8ebd94779851fbeca029db4ae938457c7ccf4e010b09f025ea5394b715b1838\r\nf90dc76a9500ee2bb3380d5f4589289ec7ffa647be4262ee7674d37ce02283b7\r\n5d868bfbfc767515c35ced7b0da36f41ed4728914ba081f132a9d9c54564ebf0\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/spyder-loader-cuckoobees-hong-kong",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/spyder-loader-cuckoobees-hong-kong"
	],
	"report_names": [
		"spyder-loader-cuckoobees-hong-kong"
	],
	"threat_actors": [
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434620,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/20ba0b316652479f77a51c3c0bbefa313f5ed038.pdf",
		"text": "https://archive.orkl.eu/20ba0b316652479f77a51c3c0bbefa313f5ed038.txt",
		"img": "https://archive.orkl.eu/20ba0b316652479f77a51c3c0bbefa313f5ed038.jpg"
	}
}