{
	"id": "ea6fef84-5bf0-48c6-bcca-879b95b758ac",
	"created_at": "2026-04-06T00:17:17.149872Z",
	"updated_at": "2026-04-10T13:12:08.742562Z",
	"deleted_at": null,
	"sha1_hash": "2479232f6e7a32057ba8cdfdef9cb71f4dd213b9",
	"title": "Actor behind Operation LagTime targets Russia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 220971,
	"plain_text": "Actor behind Operation LagTime targets Russia\r\nBy Sebdraven\r\nPublished: 2020-11-25 · Archived: 2026-04-05 20:28:13 UTC\r\nThe file f5a78a155a219582db8959c3a96a1d91ed891801663b1cce0c599779773bc3f5 uses version 7 of the Royal Road RTF document.\r\nThis file drops a new backdoor in memory by rewriting the EQNEDT32.EXE process.\r\nThe document refers to the ceasefire between Armenia and Azerbaijan and appears to have been sent by the Mongolian authorities.\r\nAnalysis of the backdoor in memory\r\nThis backdoor is a state machine that launches different threads (function 00401640).\r\nThe backdoor checks the computer's disks, the running processes, the Windows version and the user's privileges.\r\nThe malware attempts many connections to the C2 from different functions.\r\nThe domain of the C2 is stored in clear text in the malware.\r\nThis backdoor is very simple to analyze: there is no packing and no code obfuscation.\r\nAttribution\r\nAccording to Intezer, the similarity is high with the file 4c22eb33aa1d10511eaf8d13098e2687e44eaebc5af8112473e28acedac34be\r\nThis malware was used in Operation LagTime.\r\nhttps://otx.alienvault.com/indicator/file/4c22eb33aa1d10511eaf8d13098e2687e44eaebc5af8112473e28acedac34bea\r\nThe IP of the C2 in Operation LagTime is 95.179.131.29.\r\nSo the campaign against Russia is driven by the same threat actor as Operation LagTime IT.\r\nThe configuration of the backdoor’s C2, 103.106.250.239, which is hosted in Malaysia, changed in July 2020.\r\nThis date seems to be the beginning of the operation.\r\nIOCs\r\nRtf file\r\nf5a78a155a219582db8959c3a96a1d91ed891801663b1cce0c599779773bc3f5\r\n2d678cba2795d0339331125692e9a850a043a22f\r\nae1b4a5775aca501954076b8024b04ec\r\nNetwork\r\ncustom.songuulcomiss.com\r\n103.106.250.239\r\nBackdoor:\r\n46a9ca7d5364fbe5fd3d6ffb0f8d86e9a9e566708657e59ef8873d3ed536348d\r\nSource: https://sebdraven.medium.com/actor-behind-operation-lagtime-targets-russia-f8c277dc52a9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://sebdraven.medium.com/actor-behind-operation-lagtime-targets-russia-f8c277dc52a9"
	],
	"report_names": [
		"actor-behind-operation-lagtime-targets-russia-f8c277dc52a9"
	],
	"threat_actors": [
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434637,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2479232f6e7a32057ba8cdfdef9cb71f4dd213b9.pdf",
		"text": "https://archive.orkl.eu/2479232f6e7a32057ba8cdfdef9cb71f4dd213b9.txt",
		"img": "https://archive.orkl.eu/2479232f6e7a32057ba8cdfdef9cb71f4dd213b9.jpg"
	}
}