{
	"id": "77378965-ef7c-4e7e-9167-95ebf5b46dd7",
	"created_at": "2026-04-06T00:07:34.226165Z",
	"updated_at": "2026-04-10T03:26:42.755104Z",
	"deleted_at": null,
	"sha1_hash": "23fa5421c81d318d293978d47e7e65739fbce42f",
	"title": "The Slingshot APT FAQ",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 252243,
	"plain_text": "The Slingshot APT FAQ\r\nBy Alexey Shulmin\r\nPublished: 2018-03-09 · Archived: 2026-04-05 16:27:31 UTC\r\nWhile analysing an incident which involved a suspected keylogger, we identified a malicious library able to\r\ninteract with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a\r\nmalicious loader internally named ‘Slingshot’, part of a new and highly sophisticated attack platform that rivals\r\nProject Sauron and Regin in complexity.\r\nThe initial loader replaces the victim’s legitimate Windows library ‘scesrv.dll’ with a malicious one of exactly the\r\nsame size. Not only that, it interacts with several other modules including a ring-0 loader, kernel-mode network\r\nsniffer, own base-independent packer, and virtual filesystem, among others.\r\nWhile for most victims the infection vector for Slingshot remains unknown, we were able to find several cases\r\nwhere the attackers got access to Mikrotik routers and placed a component downloaded by Winbox Loader, a\r\nmanagement suite for Mikrotik routers. In turn, this infected the administrator of the router.\r\nWe believe this cluster of activity started in at least 2012 and was still active at the time of this analysis (February\r\n2018).\r\nWhy did you call the intruder Slingshot?\r\nThe name appears unencrypted in some of the malicious samples – it is the name of one of the threat actor’s\r\ncomponents, so we decided to extend it to the APT as a whole.\r\nWhen was Slingshot active?\r\nThe earliest sample we found was compiled in 2012 and the threat was still active in February 2018.\r\nHow did the threat attack and infect its victims?\r\nSlingshot is very complex and the developers behind it have clearly spent a great deal of time and money on its\r\ncreation. 
Its infection vector is remarkable – and, to the best of our knowledge, unique.\r\nWe believe that most of the victims we observed appeared to have been initially infected through a Windows\r\nexploit or compromised Mikrotik routers.\r\nhttps://securelist.com/apt-slingshot/84312/\r\nPage 1 of 5\n\nHow exactly does infection happen?\r\nThe exact method used by Slingshot to exploit the routers in the first instance is not yet clear. When the target user\r\nruns Winbox Loader software (a utility used for Mikrotik router configuration), this connects to the router and\r\ndownloads some DLLs (dynamic link libraries) from the router’s file system.\r\nOne of them – ipv4.dll – has been placed by the APT with what is, in fact, a downloader for other malicious\r\ncomponents. Winbox Loader downloads this ipv4.dll library to the target’s computer, loads it in memory and runs\r\nit.\r\nThis DLL then connects to a hardcoded IP and port (in every case we saw it was the router’s IP address),\r\ndownloads the other malicious components and runs them.\r\nTo run its code in kernel mode in the most recent versions of operating systems, which have Driver Signature\r\nEnforcement, Slingshot loads signed vulnerable drivers and runs its own code through their vulnerabilities.\r\nFollowing infection, Slingshot would load a number of modules onto the victim device, including two huge and\r\npowerful ones: Cahnadr, the kernel mode module, and GollumApp, a user mode module. The two modules are\r\nconnected and able to support each other in information gathering, persistence and data exfiltration.\r\nThe most sophisticated module is GollumApp. This contains nearly 1,500 user-code functions and provides most\r\nof the above described routines for persistence, file system control and C\u0026C communications.\r\nCahnadr, also known as NDriver, contains low-level routines for network, IO operations and so on. 
Its kernel-mode program is able to execute malicious code without crashing the whole file system or causing a Blue Screen –\r\na remarkable achievement. Written in pure C language, Cahnadr/NDriver provides full access to the hard drive and\r\noperating memory despite device security restrictions, and carries out integrity control of various system\r\ncomponents to avoid debugging and security detection.\r\nAre Mikrotik the only affected routers?\r\nSome victims may have been infected through other routes. During our research we also found a component called\r\nKPWS that turned out to be another downloader for Slingshot components.\r\nDid you inform the affected vendor?\r\nAlthough the available intelligence is limited and we are not sure what kind of exploit was used to infect routers,\r\nwe provided Mikrotik with all information available.\r\nWhat can users of Mikrotik routers do to protect themselves?\r\nUsers of Mikrotik routers should upgrade to the latest software version as soon as possible to ensure protection\r\nagainst known vulnerabilities. Further, Mikrotik Winbox no longer downloads anything from the router to the\r\nuser’s computer.\r\nWhat are the advantages of achieving kernel mode?\r\nIt gives intruders complete control over the victim computer. In kernel mode malware can do everything. There\r\nare no restrictions, no limitations, and no protection for the user (or none that the malware can’t easily bypass).\r\nWhat kind of information does Slingshot appear to be looking for?\r\nSlingshot’s main purpose seems to be cyber-espionage. Analysis suggests it collects screenshots, keyboard data,\r\nnetwork data, passwords, USB connections, other desktop activity, clipboard and more. 
But with full access to the\r\nkernel part of the system, it can steal whatever it wants – credit card numbers, password hashes, social security\r\naccount numbers – any type of data.\r\nHow did Slingshot avoid detection?\r\nThe threat actor combined a number of known approaches to protect it very effectively from detection, including\r\nencrypting all strings in its modules, calling system services directly in order to bypass security-product hooks,\r\nusing a number of anti-debugging techniques, and more.\r\nFurther, it can shut down its components, but ensure they complete their tasks before closing. This process is\r\ntriggered when there are signs of an imminent in-system event, such as a system shutdown, and is probably\r\nimplemented to allow user-mode components of the malware to complete their tasks properly to avoid detection\r\nduring any forensic research.\r\nYou said that it disables the disk defragmentation module in Windows OS. Why?\r\nThis APT uses its own encrypted file system and this can be located among others in an unused part of a hard\r\ndrive. During defragmentation, the defrag tool relocates data on disk and this tool can write something to sectors\r\nwhere Slingshot keeps its file systems (because the operating system thinks these sectors are free). This will\r\ndamage the encrypted file system. We suspect that Slingshot tries to disable defragmentation of these specific\r\nareas of the hard drive in order to prevent this from happening.\r\nHow does it exfiltrate data?\r\nThe malware exfiltrates data through standard network channels, hiding the traffic being extracted by hooking\r\nlegitimate call-backs, checking for Slingshot data packages and showing the user (and users’ programs like\r\nsniffers and so on) clear traffic without exfiltrated data.\r\nDoes it use exploits for zero-day vulnerabilities? 
Any other exploits?\r\nWe haven’t seen Slingshot exploit any zero-days, but that doesn’t mean that it doesn’t – that part of the story is still\r\nunclear for us. But it does exploit known vulnerabilities in drivers to pass executable code into kernel mode. These\r\nvulnerabilities include CVE-2007-5633, CVE-2010-1592 and CVE-2009-0824.\r\nWhat is the victim profile and target geography?\r\nSo far, researchers have seen around 100 victims of Slingshot and its related modules, located in Kenya, Yemen,\r\nAfghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. Most of the victims appear to be\r\ntargeted individuals rather than organizations, but there are some government organizations and institutions.\r\nKenya and Yemen account for most of the victims observed to date.\r\nWhat do we know about the group behind Slingshot?\r\nThe malicious samples investigated by the researchers were marked as ‘version 6.x’, which suggests the threat has\r\nexisted for a considerable length of time. The development time, skill and cost involved in creating Slingshot’s\r\ncomplex toolset is likely to have been extremely high. Taken together, these clues suggest that the group behind\r\nSlingshot is likely to be highly organized and professional and probably state-sponsored.\r\nText clues in the code suggest it is English-speaking. Some of the techniques used by Slingshot, such as the\r\nexploitation of legitimate, yet vulnerable drivers, have been seen before in other malware, such as White and Grey\r\nLambert. However, accurate attribution is always hard, if not impossible, to determine, and increasingly prone to\r\nmanipulation and error.\r\nRead more in our technical paper.\r\nSource: https://securelist.com/apt-slingshot/84312/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/apt-slingshot/84312/"
	],
	"report_names": [
		"84312"
	],
	"threat_actors": [
		{
			"id": "c1ac2a5e-0225-47a4-8ac5-5fa898c96bde",
			"created_at": "2023-01-06T13:46:38.472883Z",
			"updated_at": "2026-04-10T02:00:02.989134Z",
			"deleted_at": null,
			"main_name": "ProjectSauron",
			"aliases": [
				"Sauron",
				"Project Sauron",
				"G0041"
			],
			"source_name": "MISPGALAXY:ProjectSauron",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72aaa00d-4dcb-4f50-934c-326c84ca46e3",
			"created_at": "2023-01-06T13:46:38.995743Z",
			"updated_at": "2026-04-10T02:00:03.175285Z",
			"deleted_at": null,
			"main_name": "Slingshot",
			"aliases": [],
			"source_name": "MISPGALAXY:Slingshot",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f55c7778-a41c-4fc6-a2e7-fa970c5295f2",
			"created_at": "2022-10-25T16:07:24.198891Z",
			"updated_at": "2026-04-10T02:00:04.897342Z",
			"deleted_at": null,
			"main_name": "Slingshot",
			"aliases": [],
			"source_name": "ETDA:Slingshot",
			"tools": [
				"Cahnadr",
				"GollumApp",
				"NDriver"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434054,
	"ts_updated_at": 1775791602,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/23fa5421c81d318d293978d47e7e65739fbce42f.pdf",
		"text": "https://archive.orkl.eu/23fa5421c81d318d293978d47e7e65739fbce42f.txt",
		"img": "https://archive.orkl.eu/23fa5421c81d318d293978d47e7e65739fbce42f.jpg"
	}
}