{
	"id": "fd38d781-e873-4a83-a2a8-fd73fcd179d8",
	"created_at": "2026-04-06T00:12:34.948225Z",
	"updated_at": "2026-04-10T03:24:29.683671Z",
	"deleted_at": null,
	"sha1_hash": "225a6e6af694e8e3c92e763367d41d7d3c084bf5",
	"title": "Duuzer Trojan: A New Backdoor Targeting South Korean Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 145206,
	"plain_text": "Duuzer Trojan: A New Backdoor Targeting South Korean\r\nOrganizations\r\nBy The Hacker News\r\nPublished: 2015-10-27 · Archived: 2026-04-05 19:47:06 UTC\r\nSecurity researchers at Symantec have uncovered a new backdoor Trojan that grants attackers remote access to, and a degree of control over, infected machines.\r\n\"Duuzer,\" as the researchers dubbed it, has been targeting organizations in South Korea and elsewhere in an attempt to steal valuable information.\r\nThe Trojan is designed to infect both 32-bit and 64-bit computers running Windows 7, Windows Vista, and Windows XP.\r\nDuuzer gives attackers remote access to the compromised computer, allowing them to:\r\nCollect system and drive information\r\nCreate, enumerate, and end processes\r\nhttps://thehackernews.com/2015/10/computer-malware-attack.html\r\nPage 1 of 3\n\nAccess, modify, and delete files\r\nUpload and download additional files\r\nChange the time attributes of files\r\nExecute malicious commands\r\nSteal data from the infected system\r\nIdentify the victim’s operating system\r\nDuuzer Likely Infects via Spear Phishing or Watering Hole Attacks\r\nIt is currently unclear how the malware is being distributed, but according to Symantec's researchers the most likely routes are spear-phishing campaigns and watering hole attacks.\r\nOnce it is running, Duuzer checks whether the system is a virtual machine such as VMware or VirtualBox, so that it does not perform its malicious routines while security researchers are analyzing it.\r\nThe Trojan also identifies software already configured to run at startup and adopts the name of that legitimate software on the infected computer, so that its own presence blends in as it spreads across the system.\r\nDuuzer first sets up a backdoor on the machine, giving the attackers remote access to the system.\r\nThe attackers then manually run commands through the backdoor on affected computers, performing the operations listed above.\r\n\"Based on our analysis of Duuzer, the attackers behind the threat appear to be experienced and have knowledge about security researchers' analysis techniques,\" researchers said. \"Their motivation seems to be obtaining valuable information from their targets’ computers.\"\r\n'Brambul' Worm and 'Joanap' Trojan also Detected\r\nSymantec's research also uncovered a dropper that installs a worm known as Brambul and a backdoor Trojan called Joanap. The two mostly work together and are typically used to log and monitor infected systems remotely.\r\nIt is still unclear how the dropper is being distributed; however, it is believed to arrive via malicious emails.\r\nThe worm, detected as W32.Brambul, uses brute-force attacks over the Server Message Block (SMB) protocol to spread from one computer to another.\r\nOnce it infects a machine, Brambul connects to random IP addresses on the local network and tries to authenticate over SMB using common passwords such as 'password,' 'login,' '123123,' 'abc123' and 'iloveyou.'\r\nBesides attacking other computers via SMB, Brambul creates a network share on compromised computers, usually the system drive, and then sends the computer's details and login credentials to a predefined email address.\r\nConnection between Duuzer, Brambul and Joanap\r\nAccording to Symantec, Duuzer has a connection with both Joanap and Brambul... But how?\r\nOnce it has infected a machine, Brambul drops other pieces of malware onto it, either Duuzer or Joanap.\r\nSystems infected with Brambul have been used as command-and-control (C\u0026C) servers for Duuzer and have also been compromised with Duuzer.\r\nIf Joanap is dropped, the Trojan registers itself as a local OS service named \"SmartCard Protector.\" The Trojan opens a backdoor on the compromised machine and starts:\r\nSending specific files to the attackers\r\nSaving or deleting files\r\nDownloading and executing files\r\nExecuting or terminating processes\r\nPropagating instructions it receives from the C\u0026C server\r\nHow to get rid of this ARMY?\r\nDuuzer, Brambul, and Joanap are just a small selection of the many threats affecting South Korean organizations, and they are rated as very low risk.\r\nStill, users and businesses are advised to protect themselves and keep their systems from being compromised by this malware by following these steps:\r\n1. Use a firewall to block all incoming connections from the Internet to services that shouldn't be publicly available.\r\n2. By default, deny all incoming connections and only allow the services you explicitly want to offer to the outside world.\r\n3. Use complex passwords, which are far harder to brute-force than the short dictionary Brambul relies on.\r\n4. Turn off Bluetooth on mobile devices if it is not required, and turn off any other services that are not currently needed.\r\n5. Train your employees not to open email or message attachments unless they are expecting them.\r\nFor more details, see Symantec's official blog.\r\nSource: https://thehackernews.com/2015/10/computer-malware-attack.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://thehackernews.com/2015/10/computer-malware-attack.html"
	],
	"report_names": [
		"computer-malware-attack.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434354,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/225a6e6af694e8e3c92e763367d41d7d3c084bf5.pdf",
		"text": "https://archive.orkl.eu/225a6e6af694e8e3c92e763367d41d7d3c084bf5.txt",
		"img": "https://archive.orkl.eu/225a6e6af694e8e3c92e763367d41d7d3c084bf5.jpg"
	}
}
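Added example, appended after the record so the JSON object above stays intact; it is not code from The Hacker News, from Symantec, or from the malware authors. The plain_text above describes how Brambul spreads: the infected host connects to random IP addresses on the local network and tries a handful of common passwords over SMB. On each target that shows up as a burst of failed network logons whose source address is the infected host, followed by a successful logon on whichever target accepted a guessed password. The detector below groups failed network logons by source address and alerts when one source fails against several distinct targets inside a short window, which separates worm-like spreading from one user mistyping a password, and then lists the targets that subsequently accepted a logon from that source. The simplified log line layout (loosely modelled on Windows Security event 4624/4625 fields), the sample log, and the thresholds are constructed assumptions for the example; map them to your own SIEM's field names before use.

```python
#!/usr/bin/env python3
"""Detect Brambul-style SMB brute-force spreading from failed-logon records.

Added example, not from the article or from Symantec.  The line layout is a
constructed, simplified rendering of Windows Security 4624/4625 fields
(timestamp, logging host, event id, logon type, source address, account,
NTSTATUS); real event XML differs and must be mapped to these names.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a benign typo from 10.0.0.41 (two failures on one host,
# then success), an interactive typo on the console, and a spreading host
# 10.0.0.23 hammering four machines and finally getting into WS-19.
SAMPLE_LOG = '''
2015-10-27T09:00:01 host=WS-07 event=4625 logon_type=3 src_ip=10.0.0.41 account=jkim status=0xC000006A
2015-10-27T09:00:09 host=WS-07 event=4625 logon_type=3 src_ip=10.0.0.41 account=jkim status=0xC000006A
2015-10-27T09:00:15 host=WS-07 event=4624 logon_type=3 src_ip=10.0.0.41 account=jkim status=0x0
2015-10-27T09:03:02 host=WS-11 event=4625 logon_type=3 src_ip=10.0.0.23 account=Administrator status=0xC000006A
2015-10-27T09:03:03 host=WS-11 event=4625 logon_type=3 src_ip=10.0.0.23 account=Administrator status=0xC000006A
2015-10-27T09:03:05 host=WS-12 event=4625 logon_type=3 src_ip=10.0.0.23 account=Administrator status=0xC000006A
2015-10-27T09:03:06 host=WS-12 event=4625 logon_type=3 src_ip=10.0.0.23 account=Administrator status=0xC000006A
2015-10-27T09:03:08 host=FS-01 event=4625 logon_type=3 src_ip=10.0.0.23 account=Administrator status=0xC000006A
2015-10-27T09:03:09 host=FS-01 event=4625 logon_type=3 src_ip=10.0.0.23 account=Administrator status=0xC000006A
2015-10-27T09:03:11 host=WS-19 event=4625 logon_type=3 src_ip=10.0.0.23 account=Administrator status=0xC000006A
2015-10-27T09:03:12 host=WS-19 event=4625 logon_type=3 src_ip=10.0.0.23 account=Administrator status=0xC000006A
2015-10-27T09:03:14 host=WS-19 event=4624 logon_type=3 src_ip=10.0.0.23 account=Administrator status=0x0
2015-10-27T11:30:00 host=WS-07 event=4625 logon_type=2 src_ip=127.0.0.1 account=jkim status=0xC000006A
'''

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) logon_type=(?P<ltype>\d+) '
    r'src_ip=(?P<src>\S+) account=(?P<account>\S+) status=(?P<status>\S+)$'
)


def parse_log(text):
    """Return network (logon type 3) logon events sorted by time.  Each event is a
    dict with an 'ok' flag: True for 4624 (success), False for 4625 (failure).
    Interactive logons and unparseable lines are dropped: SMB spreading only
    ever shows up as network logons."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group('ltype') != '3' or m.group('event') not in ('4624', '4625'):
            continue
        events.append({
            'ts': datetime.fromisoformat(m.group('ts')),
            'src': m.group('src'),
            'host': m.group('host'),
            'account': m.group('account'),
            'ok': m.group('event') == '4624',
        })
    events.sort(key=lambda e: e['ts'])
    return events


def detect_spreaders(events, window=timedelta(minutes=2), min_failures=6, min_targets=3):
    """Sliding window per source address over failed logons.  A source is
    reported when, inside `window`, it has at least `min_failures` failures
    against at least `min_targets` distinct hosts (the fan-out is what marks a
    worm rather than a forgotten password).  The widest tripping window wins."""
    by_src = defaultdict(list)
    for e in events:
        if not e['ok']:
            by_src[e['src']].append(e)
    alerts = {}
    for src, fails in by_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]['ts'] - fails[start]['ts'] > window:
                start += 1
            span = fails[start:end + 1]
            targets = {e['host'] for e in span}
            if len(span) >= min_failures and len(targets) >= min_targets:
                prev = alerts.get(src)
                if prev is None or len(span) > prev['failures']:
                    alerts[src] = {
                        'first_seen': span[0]['ts'].isoformat(),
                        'failures': len(span),
                        'targets': sorted(targets),
                        'accounts': sorted({e['account'] for e in span}),
                    }
    return alerts


def compromised_targets(events, alerts):
    """For each alerted source, the hosts that later accepted a network logon
    from it: a guessed password worked and the worm now has a foothold there."""
    out = {}
    for src, info in alerts.items():
        since = datetime.fromisoformat(info['first_seen'])
        hosts = {e['host'] for e in events
                 if e['ok'] and e['src'] == src and e['ts'] >= since}
        out[src] = sorted(hosts)
    return out


if __name__ == '__main__':
    evs = parse_log(SAMPLE_LOG)
    found = detect_spreaders(evs)
    for src, info in found.items():
        print(f'ALERT possible SMB brute-force spread from {src}: {info}')
    for src, hosts in compromised_targets(evs, found).items():
        print(f'  hosts that accepted a logon from {src} after the burst: {hosts}')
```

The thresholds (six failures against three hosts within two minutes) are a starting point, not a tuned value; the fan-out requirement is what keeps help-desk password resets and lockout storms from one workstation out of the alert, and the follow-up success check is what turns the alert into a containment list. The same grouping by source address is what this would look like as a SIEM aggregation over real 4625 events, keyed on the IpAddress and Computer fields.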