{
	"id": "e2c483ae-da34-4f71-98ce-e3d54cf99cfc",
	"created_at": "2026-04-06T00:09:28.381072Z",
	"updated_at": "2026-04-10T03:20:03.899442Z",
	"deleted_at": null,
	"sha1_hash": "22673ce833962cc423321371536ea569172acb5f",
	"title": "Surtr: Malware Family Targeting the Tibetan Community",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 109265,
	"plain_text": "Surtr: Malware Family Targeting the Tibetan Community\r\nArchived: 2026-04-05 13:22:23 UTC\r\nBackground\r\nAs part of our ongoing study into targeted attacks on human rights groups and civil society organizations, the\r\nCitizen Lab analyzed a malicious email sent to Tibetan organizations in June 2013. The email in question\r\npurported to be from a prominent member of the Tibetan community and repurposed content from a community\r\nmailing list. Attached to the email were what appeared to be three Microsoft Word documents (.doc), but which\r\nwere trojaned with a malware family we call “Surtr”. All three attachments drop the exact same malware. We\r\nhave seen the Surtr malware family used in attacks on Tibetan groups dating back to November 2012.\r\nDelivery Mechanism\r\nWhile the malicious attachments appear to be DOC files due to their file extension, they are actually RTFs crafted\r\nto exploit a vulnerability in Microsoft Word: CVE-2012-0158.\r\nThis particular vulnerability was first exploited in early April 2012 and a patch was released by Microsoft on April\r\n10, 2012. Currently, the sample is detected as malicious by 34 percent of antivirus (AV) engines on VirusTotal\r\n(VT).\r\nThe malicious attachment is created using a shared template that we have seen used against multiple Tibetan\r\ngroups. This template was created in March 2013 and, instead of specifically using the vulnerable ActiveX\r\ncontrols described in the vulnerability description, it utilizes the Chartspace Office Web Component. 
This\r\ncomponent either suffers from the same vulnerability or uses one of the named ActiveX controls resulting in the\r\nattacker being able to execute malicious code.\r\nHexdump of the malicious attachment\r\nhttps://citizenlab.ca/2013/08/surtr-malware-family-targeting-the-tibetan-community/\r\nPage 1 of 7\n\nAlthough CVE-2012-0158 was first published and used in the wild in April 2012, samples using this template\r\nwere only initially detected by three AV engines (on VT). Therefore, while a third of AV engines had a detection\r\nsignature for CVE-2012-0158 as late as April 2013, it was possible to design a document using a year old\r\nvulnerability that was recognized as malicious by very few AV products. This number has since risen and it is\r\ncurrently being detected by 34 percent of the AV products listed on VT.\r\nThis vulnerability highlights the need to keep both operating systems and applications up to date as well as to\r\nexercise vigilance concerning links and email attachments.\r\nMalicious attachments with this template all use a similar dropper which originally drops the payload to the\r\ntemporary file directory.\r\nPayload\r\nSurtr creates either a new explorer or iexplore process and injects itself into this new process using the\r\nCreateRemoteThread function.\r\nIt also creates the following folders:\r\n%ALL USERS%/Application Data/Microsoft/Windows/123\r\n%ALL USERS%/Application Data/Microsoft/Windows/Burn\r\n%ALL USERS%/Application Data/Microsoft/Windows/LiveUpdata_Mem\r\nIt creates multiple copies of the payload including in both the Burn and LiveUpdata_Mem folders. The copy in the\r\nBurn folder is called [VICTIM COMPUTER NAME].dll and there are three copies in the LiveUpdata_Mem\r\nfolder whose names consist of 6 random alphanumeric characters which are then appended with .dll, _Fra.dll and\r\n_One.dll. 
These copies will differ from the original payload dropped in the %TEMP% folder by filling the\r\nresource section with varying amounts of 00 bytes. This also results in the malware having a much larger file size\r\n(30-50 MB) possibly in an attempt to evade antivirus heuristics.\r\nSurtr connects to a command and control server (C2) and downloads a stage two component to %ALL\r\nUSERS%/Application Data/Microsoft/Windows/Burn/_[VICTIM COMPUTER NAME].log. This particular\r\nsample connects to internet.3-a.net on port 9696.\r\nIn May 2012, internet.3-a.net resolved to the same IP (184.82.123.143) as android.uyghur.dnsd.me, which is a C2\r\nused in Android malware attacks that targeted the Tibetan community as previously documented by the Citizen\r\nLab.\r\nThe stage two component that was downloaded in this particular case has an internal name of x86_GmRemote.dll,\r\nhowever we have seen an alternate stage two used with the name Remote.dll as well. Our analysis in this post\r\nfocuses on the GmRemote variation as it has been seen in multiple attacks.\r\nSurtr’s capabilities include listing of file directories and contents on the victim computer and any USB drives\r\nconnected to a victim machine, viewing web cache, executing remote commands and logging keystrokes.\r\nIn order to store temporary information, Surtr creates the following folders:\r\n%ALL USERS%/Application Data/Microsoft/Windows/MpCache\r\n%ALL USERS%/Application Data/Microsoft/Windows/nView_DiskLoydb\r\n%ALL USERS%/Application Data/Microsoft/Windows/nView_KeyLoydb\r\n%ALL USERS%/Application Data/Microsoft/Windows/nView_skins\r\n%ALL USERS%/Application Data/Microsoft/Windows/UsbLoydb\r\nFor example, in nView_DiskLoydb, a file called FileList.db that contains file and directory listings will be placed\r\nand nView_KeyLoydb will contain text files with keylogger output. 
The keylogger output is disguised by adding a\r\nconstant to the ordinal value of the character.\r\nThis data can then be sent to the C2. It is compressed using zlib DEFLATE so the network traffic is not human\r\nreadable without decompression.\r\nIt can also download additional malware onto the victim computer, which can provide attackers with further\r\nabilities like accessing the victim computer’s webcam or microphone. In particular, we have seen Surtr used in\r\nconjunction with the Gh0st RAT derived LURK0 malware.\r\nFor persistence, Surtr adds a key to the registry to ensure it runs when the infected computer is restarted. It also\r\nstores its C2 information and a campaign code in the registry.\r\nDepending on the configuration, Surtr will either create multiple registry keys in Software\\Microsoft\\Windows\r\nMedia in HKU (HKEY_USERS) with text data or a single key called XC consisting of binary data. These are usually\r\nXOR-encrypted with a key of 0x1.\r\nEncrypted data in XC key\r\nDecrypted data (note: the bytes e0 25 read little-endian as 0x25e0, which is 9696 in decimal, the C2 port)\r\nOther Samples \u0026 Variations\r\nWe have seen a large number of similar samples sent to Tibetan groups that use the same stage two (GmRemote)\r\nand communicate with the following C2s: dtl.dnsd.me, dtl.eatuo.com, dtl6.mooo.com and tbwm.wlyf.org. These\r\nC2s were also used in previous attacks documented in an earlier Citizen Lab post on LURK0 malware targeting\r\nthe Tibetan community.\r\nOne particular sample (md5: ad9e5f79585eb62bc40b737e98bfd62e) which connects to C2 domain dtl6.mooo.com\r\n(which resolved to the same IP as the other dtl domains mentioned above) on port 6178 was seen to download\r\nLURK0 malware after the initial Surtr infection. This LURK0 sample had the campaign code ZQ6 that connects\r\nto C2 domain tbwm.wlyf.org on port 3103. 
This domain also resolved to the same IP as the dtl domains.\r\nWe have also found reports of other Surtr stage 2 (GmRemote) samples that have campaign codes which suggest\r\nthey may be aimed at commercial and government targets.\r\nThe first sample was found via ThreatExpert. It uses campaign code kmlg-0308, and connects to a C2 at\r\nflyoutside.com. This domain and eight others are registered to toucan6712@163.com:\r\nflyoutside.com 67.198.227.162\r\n52showfly.com 112.121.169.189\r\nmydreamfly.com 112.121.186.60\r\ndreaminshy.com 119.42.147.101\r\n52flyfeel.com 119.42.147.101\r\neyesfeel.com 180.178.63.10 (now registered to lili@nuo.cn)\r\noutsidefly.com 74.55.57.85\r\nshowflyfeel.com 199.119.101.40\r\n51aspirin.com not resolving\r\nSearching for more samples in VirusTotal Intelligence (VTI) using domains and other identifying features reveals\r\nfour related files:\r\n7fbdd7cb8b46291e944fcecd5f97d135 - connects to C2 domain www.flyoutside.com, campaign code kmlg-0409tb\r\n58ff38412ebbedb611a3afe4b3dbd8b0 - connects to C2 IP 112.121.182.149 (similar to above), campaign\r\ncode lly-0311\r\n81bc8974967e1c911b107a9a91e3178b - connects to C2 domain www.paulfrank166.2waky.com (192.198.85.102),\r\ncampaign code 0201-2116\r\n44758b9a7a6cafd1b8d1bd4c773a2577 - connects to C2 domain www.flyoutside.com (same as the first sample\r\nfound on ThreatExpert), campaign code lg-0109\r\nMost of these samples have campaign codes that suggest commercial targets. However, we do not have\r\ninformation about where these samples were submitted from, so the target sector and victims cannot be confirmed.\r\nA second GmRemote sample was found via the web, called Trojan/Subxe.89E1 by Anchiva. This sample connects\r\nto google.djkcc.com and uses campaign code in1102. 
Other subdomains under djkcc.com include:\r\nairforce.djkcc.com\r\ndomain.djkcc.com\r\ngoogle.djkcc.com\r\nindianembassy.djkcc.com\r\nmailnic.djkcc.com (MailNIC is an Indian email site at the National Informatics Centre)\r\nmicrosoft.djkcc.com\r\nrediffmail.djkcc.com (Rediffmail is an Indian email site)\r\nWhile we do not have information about what victims these samples target, the campaign code, C2 domain, and\r\nrelated subdomains give some possible indications.\r\nOne additional find via VTI is a GmRemote sample internally named: GmKeyBoradServer_DLL.dll (MD5\r\ne7e1c69496ad7cf093945d3380a2c6f4).\r\nIt exports functions (GmFunctionType, GmInitPoint, GmMyInitPoint, GmRecvPoint, GmShutPoint, GmVerSion)\r\nthat are referenced in other GmRemote samples, although none of them have any real content.\r\nThese additional samples suggest that Surtr is being used to target groups beyond the Tibetan community and is\r\npossibly being utilized by multiple threat actors.\r\nConclusions and Recommendations\r\nThe attacks we have observed that use the Surtr malware family are another example of the persistent targeted\r\nmalware campaigns the Tibetan community faces. 
The specific attack reported in this post demonstrates that\r\nattackers are actively monitoring mailing lists and discussion groups used by the Tibetan community and repurposing\r\nthe content for use in targeted malware attacks.\r\nFor communities under persistent threat from targeted malware campaigns, user vigilance and education are\r\nessential for reducing risk.\r\nUsers should carefully examine the sender’s email address of emails and exercise caution in opening\r\nunexpected or unsolicited attachments or opening unverified links.\r\nSee Citizen Lab’s Recommendations for defending against targeted cyber threats for additional\r\ninformation, and Tibet Action Institute’s Detach from Attachments and Think Before You Click campaigns.\r\nThe Citizen Lab is continuing to monitor targeted malware campaigns using Surtr and will post updates as they\r\nare available.\r\nAppendix: MD5s \u0026 Identifiers\r\nEmail Attachment Names \u0026 MD5s:\r\n1) TCCC PRESIDENT \u0026 BOARD MEMBERS NOMINATION \u0026 ELECTION POLICY \u0026 PROCEDURE.doc –\r\n8c06aec37c7e51f581aaa41f66d4ebad\r\n2) communication1.doc – 28444ee593653a4816deb186a6eddee8\r\n3) communication2.doc – c269b3cf3d336a40c2fd7c2111b52982\r\nStage 1\r\nSection: .text\r\nMD5 hash: d4f9b3b573a8f1d70d58aa8daf9cb256\r\nSHA-1 hash: a1d5128cd50959bc7008be1fdfe2cf6339ed7098\r\nSHA-256 hash: aef9f55931d054dbf027639e30d0abf587696b13d8993aab6c22eb7d47f0de83\r\nSection: .rdata\r\nMD5 hash: e130ff2adbf4515b1af88b451396e1f6\r\nSHA-1 hash: 248691810ae34407aa3486ef3faca6fe3286f630\r\nSHA-256 hash: adae7b2306d7fc145ebd90fd1147bc352c56937d58e1996b89d5368cebdb438d\r\nSection: .data\r\nMD5 hash: c4fc864da3ee8462c5c25054f00e703f\r\nSHA-1 hash: b28a02f68cbacdaa89cf274dc79b3c802a21599d\r\nSHA-256 hash: 203ca80897fd63ca3fc55ec4be22cd302d5d81729ee8f347bd8f22c73ad1b61d\r\nSection: .reloc\r\nMD5 hash: bc2c349c1f4c338c6834a79c03c461fb\r\nSHA-1 hash: c71504a96ea72656ef826677a53f9a5230fcb049\r\nSHA-256 hash: 58c192f73afe761b42493a36ded1a5724f06e14f44304b946341eb46b3bdfa7d\r\nThe hashes of the resource section vary based on how much it is padded.\r\nNotable Strings:\r\ncScCssvdcfhgshtj\r\nCrtRunTime.log\r\naCvVpR\r\n_One.dll\r\n_Fra.dll\r\nasasdasrqwfsdvctyqwm\r\nefskdfjaslkfjlaksd\r\ndksfjasdklfjasd\r\ncasfjaklsdjfaskdlf\r\nbakjfasdkljfkldfjaslkd\r\nadskjfksldjfklsad\r\nsoul\r\nLiveUpdata_Mem\r\nBurn\r\nStage 2 (Downloaded Component)\r\nMD5: 21aa9dd44738d5bf9d8a8ecf53c3108c\r\nNotable Strings:\r\nx86_GmRemote.dll\r\nMark\r\nD:ProjectGTProjectPublicListListManager.cpp\r\nSource: https://citizenlab.ca/2013/08/surtr-malware-family-targeting-the-tibetan-community/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://citizenlab.ca/2013/08/surtr-malware-family-targeting-the-tibetan-community/"
	],
	"report_names": [
		"surtr-malware-family-targeting-the-tibetan-community"
	],
	"threat_actors": [],
	"ts_created_at": 1775434168,
	"ts_updated_at": 1775791203,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/22673ce833962cc423321371536ea569172acb5f.pdf",
		"text": "https://archive.orkl.eu/22673ce833962cc423321371536ea569172acb5f.txt",
		"img": "https://archive.orkl.eu/22673ce833962cc423321371536ea569172acb5f.jpg"
	}
}