{ "id": "905691fb-ebb2-4650-87f0-68564f580ea1", "created_at": "2026-04-06T00:16:33.193081Z", "updated_at": "2026-04-10T03:33:03.065956Z", "deleted_at": null, "sha1_hash": "22efa00a0cabc17b368d870d5b5905d73f5b6ad8", "title": "Threat Assessment: Hangover Threat Group", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 67428, "plain_text": "Threat Assessment: Hangover Threat Group\r\nBy Doel Santos, Alex Hinchliffe\r\nPublished: 2020-06-04 · Archived: 2026-04-02 10:47:20 UTC\r\nUnit 42 researchers recently published on activity by the Hangover threat group (aka Neon, Viceroy Tiger,\r\nMONSOON) carrying out targeted cyberattacks deploying BackConfig malware attacks against government and\r\nmilitary organizations in South Asia. As a result, we’ve created this threat assessment report for the Hangover\r\nGroup’s activities. The techniques and campaigns can be visualized using the Unit 42 Playbook Viewer.\r\nHangover Group is a cyberespionage group that was first observed in December 2013 carrying on a cyberattack\r\nagainst a telecom corporation in Norway. Cybersecurity firm Norman reported that the cyberattacks were\r\nemerging from India and the group sought and carried on attacks against targets of national interest, such as\r\nPakistan and China. However, there have been indicators of Hangover activity in the U.S. and Europe. Mainly\r\nfocusing on government, military, and civilian organizations. The Hangover Group's initial vector of compromise\r\nis to carry out spear-phishing campaigns. The group uses local and topical news lures from the South Asia region\r\nto make their victims more prone to falling into their social engineering techniques, making them download and\r\nexecute a weaponized Microsoft Office document. After the user executes the weaponized document, backdoor\r\ncommunication is established between BackConfig and the threat actors, allowing attackers to carry on espionage\r\nactivity, potentially exfiltrating sensitive data from compromised systems.\r\nPalo Alto Networks Threat Prevention platform with WildFire, DNS Security and Cortex XDR detects activity\r\nassociated with this threat group. Customers can also review activity associated with this Threat Assessment using\r\nAutoFocus with the following tags: Hangover and BackConfig.\r\nSeveral adversarial techniques were observed in this activity and the following measures are suggested within\r\nPalo Alto Networks’ products and services to ensure mitigation of threats related with the Hangover Group, as\r\nwell as other groups using the same techniques:\r\nTactic\r\nTechnique\r\n(Mitre ATT\u0026CK ID)\r\nProduct /\r\nService\r\nCourse of Action\r\nInitial\r\nAccess\r\nSpearphishing Link\r\n(T1192)\r\nNGFW Ensure application security policies exist\r\nwhen allowing traffic from an untrusted zone\r\nto a more trusted zone\r\nEnsure 'Service setting of ANY' in a security\r\npolicy allowing traffic does not exist\r\nEnsure 'Security Policy' denying any/all traffic\r\nto/from IP addresses on Trusted Threat\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/\r\nPage 1 of 10\n\nIntelligence Sources Exists\r\nThreat\r\nPrevention†\r\nEnsure that antivirus profiles are set to block\r\non all decoders except 'imap' and 'pop3'\r\nEnsure a secure antivirus profile is applied to\r\nall relevant security policies\r\nEnsure that User Credential Submission uses\r\nthe action of 'block' or 'continue' on the URL\r\ncategories\r\nDNS\r\nSecurity\r\nEnable DNS Security in Anti-Spyware profile\r\nURL\r\nFiltering\r\nEnsure that PAN-DB URL Filtering is used\r\nEnsure that URL Filtering uses the action of\r\n'block' or 'override' on the \u003centerprise\r\napproved value\u003e URL categories\r\nEnsure that access to every URL is logged\r\nEnsure all HTTP Header Logging options are\r\nenabled\r\nEnsure secure URL filtering is enabled for all\r\nsecurity policies allowing traffic to the\r\nInternet\r\nWildFire\r\nEnsure that WildFire file size upload limits are\r\nmaximized\r\nEnsure forwarding of decrypted content to\r\nWildFire is enabled\r\nEnsure all WildFire session information\r\nsettings are enabled\r\nEnsure alerts are enabled for malicious files\r\ndetected by WildFire\r\nEnsure 'WildFire Update Schedule' is set to\r\ndownload and install updates every minute\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/\r\nPage 2 of 10\n\nExecution\r\nExploitation for Client\r\nExecution (T1203)\r\nThreat\r\nPrevention†\r\nEnsure a Vulnerability Protection Profile is set\r\nto block attacks against critical and high\r\nvulnerabilities, and set to default on medium,\r\nlow, and informational vulnerabilities\r\nEnsure a secure Vulnerability Protection\r\nProfile is applied to all security rules allowing\r\ntraffic\r\nCortex XDR\r\nEnable Anti-Exploit and Anti-Malware\r\nProtection\r\nUser Execution (T1204)\r\nNGFW\r\nEnsure that User-ID is only enabled for\r\ninternal trusted interfaces\r\nEnsure that 'Include/Exclude Networks' is\r\nused if User-ID is enabled\r\nEnsure that the User-ID Agent has minimal\r\npermissions if User-ID is enabled\r\nEnsure that the User-ID service account does\r\nnot have interactive logon rights\r\nEnsure remote access capabilities for the\r\nUser-ID service account are forbidden.\r\nEnsure that security policies restrict User-ID\r\nAgent traffic from crossing into untrusted\r\nzones\r\nThreat\r\nPrevention†\r\nEnsure that antivirus profiles are set to block\r\non all decoders except 'imap' and 'pop3'\r\nEnsure a secure antivirus profile is applied to\r\nall relevant security policies\r\nEnsure an anti-spyware profile is configured\r\nto block on all spyware severity levels,\r\ncategories, and threats\r\nEnsure DNS sinkholing is configured on all\r\nanti-spyware profiles in use\r\nEnsure passive DNS monitoring is set to\r\nenabled on all anti-spyware profiles in use\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/\r\nPage 3 of 10\n\nEnsure a secure anti-spyware profile is applied\r\nto all security policies permitting traffic to the\r\nInternet\r\nDNS\r\nSecurity\r\nEnable DNS Security in Anti-Spyware profile\r\nURL\r\nFiltering\r\nEnsure that PAN-DB URL Filtering is used\r\nEnsure that URL Filtering uses the action of\r\n'block' or 'override' on the \u003centerprise\r\napproved value\u003e URL categories\r\nEnsure that access to every URL is logged\r\nEnsure all HTTP Header Logging options are\r\nenabled\r\nEnsure secure URL filtering is enabled for all\r\nsecurity policies allowing traffic to the\r\nInternet\r\nWildFire\r\nEnsure that WildFire file size upload limits are\r\nmaximized\r\nEnsure forwarding of decrypted content to\r\nWildFire is enabled\r\nEnsure all WildFire session information\r\nsettings are enabled\r\nEnsure alerts are enabled for malicious files\r\ndetected by WildFire\r\nEnsure 'WildFire Update Schedule' is set to\r\ndownload and install updates every minute\r\nCortex XDR\r\nEnable Anti-Exploit and Anti-Malware\r\nProtection\r\nScripting (T1064) WildFire Ensure that WildFire file size upload limits are\r\nmaximized\r\nEnsure forwarding of decrypted content to\r\nWildFire is enabled\r\nEnsure all WildFire session information\r\nsettings are enabled\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/\r\nPage 4 of 10\n\nEnsure alerts are enabled for malicious files\r\ndetected by WildFire\r\nEnsure 'WildFire Update Schedule' is set to\r\ndownload and install updates every minute\r\nCortex XDR\r\nEnable Anti-Exploit and Anti-Malware\r\nProtection\r\nDefense\r\nEvasion\r\nBITS Jobs (T1197)\r\nNGFW\r\nEnsure that User-ID is only enabled for\r\ninternal trusted interfaces\r\nEnsure that 'Include/Exclude Networks' is\r\nused if User-ID is enabled\r\nEnsure that the User-ID Agent has minimal\r\npermissions if User-ID is enabled\r\nEnsure that the User-ID service account does\r\nnot have interactive logon rights\r\nEnsure remote access capabilities for the\r\nUser-ID service account are forbidden.\r\nEnsure that security policies restrict User-ID\r\nAgent traffic from crossing into untrusted\r\nzones\r\nEnsure application security policies exist\r\nwhen allowing traffic from an untrusted zone\r\nto a more trusted zone\r\nEnsure 'Service setting of ANY' in a security\r\npolicy allowing traffic does not exist\r\nEnsure 'Security Policy' denying any/all traffic\r\nto/from IP addresses on Trusted Threat\r\nIntelligence Sources Exists\r\nCortex XDR Configure Host Firewall Profile\r\nCode Signing (T1116) Cortex XDR\r\nEnable Anti-Exploit and Anti-Malware\r\nProtection\r\nHidden Files and\r\nDirectories (T1158)\r\nCortex XDR\r\nConfigure Behavioral Threat Protection under\r\nthe Malware Security Profile\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/\r\nPage 5 of 10\n\nDeobfuscate/Decode Files\r\nor Information (T1140)\r\nWildFire\r\nEnsure that WildFire file size upload limits are\r\nmaximized\r\nEnsure forwarding of decrypted content to\r\nWildFire is enabled\r\nEnsure all WildFire session information\r\nsettings are enabled\r\nEnsure alerts are enabled for malicious files\r\ndetected by WildFire\r\nEnsure 'WildFire Update Schedule' is set to\r\ndownload and install updates every minute\r\nObfuscated Files or\r\nInformation (T1027)\r\nWildFire\r\nEnsure that WildFire file size upload limits are\r\nmaximized\r\nEnsure forwarding of decrypted content to\r\nWildFire is enabled\r\nEnsure all WildFire session information\r\nsettings are enabled\r\nEnsure alerts are enabled for malicious files\r\ndetected by WildFire\r\nEnsure 'WildFire Update Schedule' is set to\r\ndownload and install updates every minute\r\nCortex XDR\r\nEnable Anti-Exploit and Anti-Malware\r\nProtection\r\nCommand\r\nand Control\r\nCommonly Used Port\r\n(T1043)\r\nNGFW\r\nEnsure application security policies exist\r\nwhen allowing traffic from an untrusted zone\r\nto a more trusted zone\r\nEnsure 'Service setting of ANY' in a security\r\npolicy allowing traffic does not exist\r\nEnsure 'Security Policy' denying any/all traffic\r\nto/from IP addresses on Trusted Threat\r\nIntelligence Sources Exists\r\nURL\r\nFiltering\r\nEnsure that PAN-DB URL Filtering is used\r\nEnsure that URL Filtering uses the action of\r\n'block' or 'override' on the \u003centerprise\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/\r\nPage 6 of 10\n\napproved value\u003e URL categories\r\nEnsure that access to every URL is logged\r\nEnsure all HTTP Header Logging options are\r\nenabled\r\nEnsure secure URL filtering is enabled for all\r\nsecurity policies allowing traffic to the\r\nInternet\r\nStandard Cryptographic\r\nProtocol (T1032)\r\nNGFW\r\nEnsure 'SSL Forward Proxy Policy' for traffic\r\ndestined to the Internet is configured\r\nEnsure 'SSL Inbound Inspection' is required\r\nfor all untrusted traffic destined for servers\r\nusing SSL or TLS\r\nEnsure that the Certificate used for Decryption\r\nis Trusted\r\nEnsure application security policies exist\r\nwhen allowing traffic from an untrusted zone\r\nto a more trusted zone\r\nEnsure 'Service setting of ANY' in a security\r\npolicy allowing traffic does not exist\r\nEnsure 'Security Policy' denying any/all traffic\r\nto/from IP addresses on Trusted Threat\r\nIntelligence Sources Exists\r\nThreat\r\nPrevention†\r\nEnsure that antivirus profiles are set to block\r\non all decoders except 'imap' and 'pop3'\r\nEnsure a secure antivirus profile is applied to\r\nall relevant security policies\r\nEnsure an anti-spyware profile is configured\r\nto block on all spyware severity levels,\r\ncategories, and threats\r\nEnsure DNS sinkholing is configured on all\r\nanti-spyware profiles in use\r\nEnsure passive DNS monitoring is set to\r\nenabled on all anti-spyware profiles in use\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/\r\nPage 7 of 10\n\nEnsure a secure anti-spyware profile is applied\r\nto all security policies permitting traffic to the\r\nInternet\r\nDNS\r\nSecurity\r\nEnable DNS Security in Anti-Spyware profile\r\nURL\r\nFiltering\r\nEnsure that PAN-DB URL Filtering is used\r\nEnsure that URL Filtering uses the action of\r\n'block' or 'override' on the \u003centerprise\r\napproved value\u003e URL categories\r\nEnsure that access to every URL is logged\r\nEnsure all HTTP Header Logging options are\r\nenabled\r\nEnsure secure URL filtering is enabled for all\r\nsecurity policies allowing traffic to the\r\nInternet\r\nWildFire\r\nEnsure that WildFire file size upload limits are\r\nmaximized\r\nEnsure forwarding of decrypted content to\r\nWildFire is enabled\r\nEnsure all WildFire session information\r\nsettings are enabled\r\nEnsure alerts are enabled for malicious files\r\ndetected by WildFire\r\nEnsure 'WildFire Update Schedule' is set to\r\ndownload and install updates every minute\r\nRemote File Copy\r\n(T1105)\r\nNGFW\r\nEnsure application security policies exist\r\nwhen allowing traffic from an untrusted zone\r\nto a more trusted zone\r\nEnsure 'Service setting of ANY' in a security\r\npolicy allowing traffic does not exist\r\nEnsure 'Security Policy' denying any/all traffic\r\nto/from IP addresses on Trusted Threat\r\nIntelligence Sources Exists\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/\r\nPage 8 of 10\n\nWildFire\r\nEnsure that WildFire file size upload limits are\r\nmaximized\r\nEnsure forwarding of decrypted content to\r\nWildFire is enabled\r\nEnsure all WildFire session information\r\nsettings are enabled\r\nEnsure alerts are enabled for malicious files\r\ndetected by WildFire\r\nEnsure 'WildFire Update Schedule' is set to\r\ndownload and install updates every minute\r\nStandard Application\r\nLayer Protocol (T1071)\r\nNGFW\r\nEnsure application security policies exist\r\nwhen allowing traffic from an untrusted zone\r\nto a more trusted zone\r\nEnsure 'Service setting of ANY' in a security\r\npolicy allowing traffic does not exist\r\nEnsure 'Security Policy' denying any/all traffic\r\nto/from IP addresses on Trusted Threat\r\nIntelligence Sources Exists\r\nThreat\r\nPrevention†\r\nEnsure that antivirus profiles are set to block\r\non all decoders except 'imap' and 'pop3'\r\nEnsure a secure antivirus profile is applied to\r\nall relevant security policies\r\nEnsure an anti-spyware profile is configured\r\nto block on all spyware severity levels,\r\ncategories, and threats\r\nEnsure DNS sinkholing is configured on all\r\nanti-spyware profiles in use\r\nEnsure passive DNS monitoring is set to\r\nenabled on all anti-spyware profiles in use\r\nEnsure a secure anti-spyware profile is applied\r\nto all security policies permitting traffic to the\r\nInternet\r\nDNS\r\nSecurity\r\nEnable DNS Security in Anti-Spyware profile\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/\r\nPage 9 of 10\n\nURL\r\nFiltering\r\nEnsure that PAN-DB URL Filtering is used\r\nEnsure that URL Filtering uses the action of\r\n'block' or 'override' on the \u003centerprise\r\napproved value\u003e URL categories\r\nEnsure that access to every URL is logged\r\nEnsure all HTTP Header Logging options are\r\nenabled\r\nEnsure secure URL filtering is enabled for all\r\nsecurity policies allowing traffic to the\r\nInternet\r\nTable 1. Courses of Action for Hangover Group\r\n†These capabilities are part of the NGFW security subscriptions service\r\nSource: https://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/\r\nPage 10 of 10", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia", "ETDA" ], "references": [ "https://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/" ], "report_names": [ "threat-assessment-hangover-threat-group" ], "threat_actors": [ { "id": "ca292585-950c-400f-b632-c19fa3491fe1", "created_at": "2022-10-25T15:50:23.599765Z", "updated_at": "2026-04-10T02:00:05.417659Z", "deleted_at": null, "main_name": "MONSOON", "aliases": null, "source_name": "MITRE:MONSOON", "tools": [ "TINYTYPHON", "BADNEWS", "Unknown Logger", "AutoIt backdoor" ], "source_id": "MITRE", "reports": null }, { "id": "88854a9f-641a-4412-89db-449b4d5cbc51", "created_at": "2022-10-25T16:07:23.963599Z", "updated_at": "2026-04-10T02:00:04.810023Z", "deleted_at": null, "main_name": "Operation HangOver", "aliases": [ "G0042", "Monsoon", "Operation HangOver", "Viceroy Tiger" ], "source_name": "ETDA:Operation HangOver", "tools": [ "AutoIt backdoor", "BADNEWS", "BackConfig", "JakyllHyde", "TINYTYPHON", "Unknown Logger", "WSCSPL" ], "source_id": "ETDA", "reports": null }, { "id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4", "created_at": "2025-08-07T02:03:25.123407Z", "updated_at": "2026-04-10T02:00:03.668131Z", "deleted_at": null, "main_name": "ZINC EMERSON", "aliases": [ "Confucius ", "Dropping Elephant ", "EHDevel ", "Manul ", "Monsoon ", "Operation Hangover ", "Patchwork ", "TG-4410 ", "Viceroy Tiger " ], "source_name": "Secureworks:ZINC EMERSON", "tools": [ "Enlighten Infostealer", "Hanove", "Mac OS X KitM Spyware", "Proyecto2", "YTY Backdoor" ], "source_id": "Secureworks", "reports": null }, { "id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6", "created_at": "2022-10-25T15:50:23.285448Z", "updated_at": "2026-04-10T02:00:05.282202Z", "deleted_at": null, "main_name": "Patchwork", "aliases": [ "Hangover Group", "Dropping Elephant", "Chinastrats", "Operation Hangover" ], "source_name": "MITRE:Patchwork", "tools": [ "NDiskMonitor", "QuasarRAT", "BackConfig", "TINYTYPHON", "AutoIt backdoor", "PowerSploit", "BADNEWS", "Unknown Logger" ], "source_id": "MITRE", "reports": null }, { "id": "cfdd350b-de30-4d29-bbee-28159f26c8c2", "created_at": "2023-01-06T13:46:38.433736Z", "updated_at": "2026-04-10T02:00:02.972971Z", "deleted_at": null, "main_name": "VICEROY TIGER", "aliases": [ "OPERATION HANGOVER", "Donot Team", "APT-C-35", "SectorE02", "Orange Kala" ], "source_name": "MISPGALAXY:VICEROY TIGER", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434593, "ts_updated_at": 1775791983, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/22efa00a0cabc17b368d870d5b5905d73f5b6ad8.pdf", "text": "https://archive.orkl.eu/22efa00a0cabc17b368d870d5b5905d73f5b6ad8.txt", "img": "https://archive.orkl.eu/22efa00a0cabc17b368d870d5b5905d73f5b6ad8.jpg" } }