{
	"id": "92a23ad5-79ef-4f6e-a3ff-b68c21005494",
	"created_at": "2026-04-06T00:16:27.8447Z",
	"updated_at": "2026-04-10T03:33:20.062175Z",
	"deleted_at": null,
	"sha1_hash": "266191b305ea4b9c53d0a8bda5806ded730cb778",
	"title": "PcShare Backdoor Attacks Targeting Windows Users with FakeNarrator Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1227294,
	"plain_text": "PcShare Backdoor Attacks Targeting Windows Users with\r\nFakeNarrator Malware\r\nBy Cylance Research and Intelligence Team\r\nArchived: 2026-04-05 14:17:06 UTC\r\nIntroduction\r\nOver the course of the last two years, BlackBerry Cylance researchers uncovered a suspected Chinese advanced\r\npersistent threat (APT) group conducting attacks against technology companies located in south-east Asia. \r\nThe threat actors deployed a version of the open-source PcShare backdoor modified and designed to operate when side-loaded by a legitimate NVIDIA application. \r\nThe attackers also deploy a Trojanized screen reader application, replacing the built-in Narrator “Ease of Access” feature\r\nin Windows. This backdoor allows them to surreptitiously control systems via remote desktop logon screens without the\r\nneed for credentials.\r\nThis report outlines the public-domain malware samples related to this threat actor. It includes insight into the malicious\r\nuse of Narrator.exe and modifications to the PcShare backdoor.\r\nOur research will benefit security-minded professionals by detailing the evolving tactics, techniques, and procedures\r\n(TTPs) of a capable threat actor. For CISOs, familiarizing yourself with how the threat landscape is changing will better\r\nposition you to protect your organization.\r\nAnalysis\r\nThe attackers use a modified version of a Chinese open-source backdoor called PcShare as their main foothold on the\r\nvictim's machine. The backdoor is specifically tailored to the needs of the campaign, with additional command-and-control (C\u0026C) encryption and proxy bypass functionality, and any unused functionality removed from the code. It arrives\r\nwith a bespoke loader utilizing DLL sideloading technique.\r\nAfter gaining access to the victim’s machine, the attackers deploy a range of post-exploitation tools, many of them based\r\non publicly available code often found on Chinese programming portals. 
One of these tools stood out, a bespoke Trojan\r\nthat abuses Microsoft Accessibility Features to gain SYSTEM-level access on the compromised machine in a way similar\r\nto the infamous \"Sticky Keys\" attack. In this case, instead of replacing the usual sethc.exe or utilman.exe binaries, the\r\nattackers chose to Trojanize the Narrator executable - a Windows utility that reads aloud the text on the screen and can be\r\ninvoked on the login screen with a keyboard shortcut. The use of Fake Narrator to gain SYSTEM-level access to the\r\nvictim’s machine suggests the attackers are interested in maintaining a long-term foothold.\r\nThe campaign is characterized by a fair level of stealthiness as the threat actor made a concerted effort to avoid detection.\r\nThe use of DLL side-loading technique together with a bespoke loader utilizing memory injection ensures that the main\r\nbackdoor binary is never dropped to the disk. A simple but effective anti-sandboxing technique of payload encoding\r\nbased on execution path is also implemented to avoid detection. The C\u0026C infrastructure is protected by a level of\r\nindirection. The configuration supplied by the loader is passed as plain text, but the URL it contains is not the real C\u0026C\r\nhttps://web.archive.org/web/20191115210757/https://threatvector.cylance.com/en_us/home/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware.html\r\nPage 1 of 25\n\naddress. It instead points to a remote file that provides the actual details to be used in the C\u0026C communication. This\r\nallows the attackers to easily change the preferred C\u0026C address, decide the timing of the communication, and – by\r\napplying server-side filtering – restrict revealing the real address to requests coming from specific regions or at specific\r\ntimes.\r\nAs of today, precise attribution of these attacks has proven elusive. 
The use of the PcShare backdoor, as well as the\r\ngeographical location of the victims, bears similarities to a known threat actor called Tropic Trooper, which is actively\r\ntargeting government institutions and heavy industry companies in Taiwan and the Philippines.\r\nPcShare loader\r\nSHA256 c5226bfd53d789a895559e8bcbedc4ecdde543e54a427b1cb4e5d7ef90756daa\r\nCLASSIFICATION Malware/Backdoor\r\nSIZE 424 KB (434,176 bytes)\r\nTYPE PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nFILENAME NvSmartMax.dll\r\nTIMESTAMP 2017-10-20 07:08:10\r\nSHA256 1899B3D59A9DC693D45410965C40C464224160BBEF596F51D35FDA099D609744\r\nCLASSIFICATION Malware/Backdoor\r\nSIZE 424 KB (434,176 bytes)\r\nTYPE PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nFILENAME NvSmartMax.dll\r\nTIMESTAMP 2017-09-28 09:01:58\r\nOverview\r\nThe DLL is side-loaded[1] by the legitimate “NVIDIA Smart Maximise Helper Host” application (part of the NVIDIA GPU\r\ngraphics driver) instead of the original NvSmartMax.dll that the program normally uses. Its main responsibility is to\r\ndecrypt and load the encoded payload stored either in its .data section or in a separate DAT file:\r\nFigure 1: Loader overview\r\nThe threat actor has been observed using the same PcShare payload across attacks on multiple organizations. 
However,\r\nthe side-loaded DLL is often modified per target (seemingly without recompiling) to update configuration details such as\r\nC\u0026C IP addresses and victim identifiers.\r\nFEATURES\r\nDLL side-loading using a choice of files tailored to the victim’s environment\r\nEmbedded plain text configuration\r\nSimple anti-sandboxing measure\r\nPayload encoded with one-byte XOR\r\nPayload injected into memory without being dropped to the disk\r\nBEHAVIOR\r\nWhile the DllMain function of the PcShare loader is empty, the library exports three other functions. An export called\r\nNvSmartMaxUseDynamicDeviceGrids contains the routine that will decrypt and execute the payload, while another one,\r\nNvSmartMaxNotifyAppHWND, is responsible for invoking the decryption routine in the context of a separate process.\r\nThe third exported function, GetContainingRect, is irrelevant to the malicious activity but required by the legitimate\r\napplication.\r\nOnce the malicious NvSmartMaxNotifyAppHWND export is called, it will:\r\nCreate a mutex with a hardcoded GUID-like name\r\nRename the original legitimate EXE file by appending the suffix “Ex” prior to the extension\r\nSet persistence in the registry by adding an “NvSmart” entry (with the path pointing to the copy of the legitimate file)\r\nto the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key\r\nThe decoding routine is then invoked in the context of a separate rundll32.exe process by calling the CreateProcess API\r\nwith the following parameters:\r\nrundll32.exe %s ,NvSmartMaxUseDynamicDeviceGrids\r\nFigure 2: rundll32.exe used to launch the decryption routine\r\nTo ensure just one instance of the payload injection routine is running, the NvSmartMaxUseDynamicDeviceGrids\r\nfunction will create another GUID-like mutex before 
proceeding to decrypt and execute the payload.\r\nDecoding is XOR based, and the initial one-byte XOR key is computed from the current process path. Such anti-analysis measures can prevent the payload from being decoded properly when running in some sandboxed environments,\r\nas the loader will only generate the correct XOR key when the process executing it is rundll32.exe:\r\nFigure 3: Key calculation (based on executable path) and payload decryption\r\nThe XOR decoding routine can be translated into C/C++ code as follows:\r\nFigure 4: Pseudo-code for payload decryption\r\nAfter decoding the payload, the malware will reflectively load it into the memory of rundll32.exe and execute it, passing a\r\npointer to the hardcoded configuration as a parameter:\r\nFigure 5: Hard-coded configuration\r\nCONFIGURATION\r\nField | Value\r\nVictim GUID (?) | 84314963-BE0E-43C9-A0BE-83B180361999\r\nServerPort | 443\r\nTimeout | 0x3C (60)\r\nCmd | -\r\nServerAddr | 45.32.181.48\r\nDdnsUrl | \u003credacted\u003e\r\nSoftVer | 1020\r\nGroup | \u003credacted\u003e\r\nPort | 0x50 (80)\r\nHWnd | -\r\nId | -\r\nPcShare Backdoor\r\nSHA256\r\nbd345155aa4baa392c3469b9893a4751c2372ae4923cf05872bcdc159b9596f8 (encrypted)\r\n49b86ae6231d44dfc2ff4ad777ea544ae534eb40bd0209defffec1eb1fe66b34 (decrypted)\r\nClassification Malware/Backdoor\r\nAliases PcClient, PcMain\r\nSize 296 KB (303,104 bytes)\r\nType Binary (PE DLL without a header)\r\nFilename PcMain.dll (internal)\r\nTimestamp N/A\r\nOverview\r\nThe payload is loaded into memory reflectively, so it will never reside on disk in decrypted form. 
Although the file\r\nheader is zeroed out, the binary is assumed to have originally been a PE DLL. The backdoor is based on a Chinese open-source\r\nremote access Trojan (RAT) called PcShare, which is available in multiple versions on GitHub[2]. Some\r\nfunctionality found in the original code is unimplemented, suggesting the attackers stripped unnecessary code to meet\r\nspecific needs, limit the malicious footprint, and make the binary smaller. In this case, unimplemented features include\r\naudio/video streaming and keyboard monitoring, which suggests that this backdoor was used to establish an early-stage\r\nfoothold and was intended mainly to download and install other modules.\r\nFEATURES\r\nDifferent modes of operation, including SSH \u0026 Telnet server, self-update mode, file upload and download modes\r\nUse of a custom LZW algorithm implementation for traffic compression\r\nUse of the PolarSSL library to encrypt C\u0026C communication (not present in the open source version)\r\nProxy authentication via local user credentials (not present in the open source version)\r\nSeveral remote administration abilities:\r\no   List, create, rename, delete files and directories\r\no   List and kill processes\r\no   Edit registry keys and values\r\no   List and manipulate services\r\no   Enumerate and control windows\r\no   Execute binaries\r\no   Download additional files from the C\u0026C or a provided URL\r\no   Upload files to the C\u0026C\r\no   Spawn a command line shell\r\no   Navigate to URLs\r\no   Display message boxes\r\no   Reboot or shut down the system\r\nBEHAVIOR\r\nThe internal name of the DLL is PcMain.dll. It exports two functions, Vip20101125 and WorkMainF. 
These strings\r\ncorrelate with the PcShare code available on GitHub:\r\nFigure 6: PcMain.dll exported functions (left), and PcShare source code on GitHub (right)\r\nThe main functionality of the malware is contained in the Vip20101125 export, which is invoked from inside the DllMain\r\nfunction. In order to connect to the C\u0026C server, the backdoor first needs to obtain the real C\u0026C address. This is done by\r\nreading the content of a remote file located at the URL specified in the loader-supplied configuration. The remote file is\r\nexpected to be a simple plain-text file containing an IP address and a port number. In case no port number is specified,\r\nthe default port will be set to 80. The malware will then connect to the C\u0026C via a TCP socket and send a beacon\r\ncontaining compressed and encrypted system information:\r\nFigure 7: Sending C\u0026C beacon\r\nIn response, the C\u0026C server is expected to send a command that will specify the requested backdoor connection mode.\r\nThe received command is then dispatched to a handler:\r\nFigure 8: Switch loop to handle connection mode command\r\nThere are several different backdoor modes in line with the original open source code, but some of the options have been\r\nremoved. Below is a partial list of commands supported by CMyClientMain::GetCmdFromServer:\r\nFigure 9: Backdoor modes\r\nFigure 10: Portion of original CMyClientMain::GetCmdFromServer from PcMain/MyClientMain.cpp\r\nThe switch statement that operates the backdoor functionality is contained within the CMyMainTrans::StartWork\r\nfunction. 
Depending on the chosen connection mode and the OS version, the SSH_MainThread function will either make\r\na direct call to the StartWork function or create another instance of the backdoor DLL and call its WorkMainF export,\r\nsupplying configuration values as parameters. In the case of this particular modification, the unpacked backdoor DLL is\r\nnever dropped to the disk, so the attackers are limited to the direct method of invoking the backdoor switch:\r\nFigure 11: Executing WorkMainF with configuration parameters\r\nThe StartWork function initiates the processing of backdoor commands. The command parameters are first decrypted and\r\ndecompressed using the backdoor’s own implementation of the LZW algorithm inside a function called PcUnZip:\r\nFigure 12: Receive, unpack and dispatch command\r\nFigure 13: Supported backdoor commands\r\nC\u0026C Communication\r\nUnlike the GitHub version, this version of PcShare can bypass proxies by retrieving the proxy configuration and using it\r\nto authenticate:\r\nFigure 14: Proxy authentication using user-agent string from Chrome 47 (2015-12-01)\r\nThe backdoor binary embeds a statically linked instance of the PolarSSL library. 
All C\u0026C communication is encrypted\r\nwith the use of an embedded RSA key and compressed using its own implementation of LZW:\r\nFigure 15: PolarSSL certificate embedded in the payload\r\nFigure 16: PolarSSL keys and certificates embedded in the payload\r\nBACKDOOR MODES\r\nThe first command from the C\u0026C server specifies the connection mode (note that parameters are sent separately):\r\nCommand | Code (Hex/Decimal) | Function | Parameters | Comments\r\nWM_CONNECT_FRAM | 0x1F41 / 8001 | SSH_FramThread | - | Start the backdoor command processing loop; the camera capture thread associated with this function in the GitHub code has been removed\r\nWM_CONNECT_FILE | 0x1F42 / 8002 | SSH_MainThread | - | Start the backdoor command processing loop\r\nWM_CONNECT_PROC | 0x1F43 / 8003 | SSH_MainThread | - | Start the backdoor command processing loop\r\nWM_CONNECT_SERV | 0x1F44 / 8004 | SSH_MainThread | - | Start the backdoor command processing loop\r\nWM_CONNECT_KEYM | 0x1F45 / 8005 | (unimplemented) | - | -\r\nWM_CONNECT_MULT | 0x1F46 / 8006 | (unimplemented) | - | -\r\nWM_CONNECT_TLNT | 0x1F47 / 8007 | SSH_TlntThread | - | Open a terminal connection to the C\u0026C server and send basic system info; in a loop, read and execute shell commands sent by the C\u0026C\r\nWM_CONNECT_DL_FILE | 0x1F48 / 8008 | SSH_DlThread | FilePath | Read content of specified file and send it (compressed and encrypted) back to the C\u0026C\r\nWM_CONNECT_UPDA | 0x1F49 / 8009 | UpdateFile | BinaryData | Receive file from C\u0026C, write it to a temp file and execute using CreateProcess function; then terminate self\r\nWM_CONNECT_TURL | 0x1F4A / 8010 | SSH_TuRlThread | URL | Download and execute a file from specified URL\r\nWM_CONNECT_UPLO | 0x1F4B / 8011 | SSH_FileThread | BinaryData | Receive a PE EXE file from C\u0026C, write it to a temp file and execute it\r\nWM_CONNECT_GDIP | 0x1F4C / 8012 | (unimplemented) | - | -\r\nWM_CONNECT_QUER | 0x1F4D / 8013 | (unimplemented) | - | -\r\nWM_CONNECT_REGT | 0x1F4E / 8014 | SSH_MainThread | - | Start the backdoor command processing loop\r\nWM_CONNECT_CWND | 0x1F4F / 8015 | SSH_MainThread | - | Spawn new instance of the backdoor DLL and invoke WorkMainF export, which will start the backdoor command processing loop\r\nWM_CONNECT_MESS | 0x1F50 / 8016 | SSH_MessThread | Type, Text | Display a message box with the specified text\r\nWM_CONNECT_LINK | 0x1F51 / 8017 | SSH_LinkThread | ShowCmd, URL | Open specified URL in Internet Explorer\r\nWM_CONNECT_SOCKS | 0x1F52 / 8018 | - | - | -\r\nWM_CONNECT_TWOO | 0x1F53 / 8019 | - | - | -\r\nWM_CONNECT_FIND | 0x1F54 / 8020 | SSH_MainThread | - | Start the backdoor command processing loop\r\nWM_CONNECT_CMD | 0x1F55 / 8021 | (unimplemented) | - | -\r\nWM_CONNECT_VIDEO | 0x1F56 / 8022 | (unimplemented) | - | -\r\nWM_CONNECT_AUDIO | 0x1F57 / 8023 | (unimplemented) | - | -\r\nWM_CONNECT_UP_FILE | 0x1F58 / 8024 | SSH_UpThread | FilePath, BinaryData | Receive a file name from the C\u0026C and write it with the received binary data\r\nWM_CONNECT_GET_KEY | 0x1F59 / 8025 | (unimplemented) | - | -\r\nWM_CONNECT_SOCKS_STOP | 0x1F5A / 8026 | SSH_StopSocksThread | - | Stop backdoor communication\r\nWM_CONNECT_CLIENT_DOWN | 0x1F5B / 8027 | SSH_StopSocksThread | - | Stop backdoor communication\r\nCLIENT_PRO_UNINSTALL | 30002 | - | - | Return “uninstall” flag\r\nCLIENT_SYSTEM_RESTART | 30004 | ShutDownSystem | - | Reboot the system\r\nCLIENT_SYSTEM_SHUTDOWN | 30005 | ShutDownSystem | - | Power off the system\r\nBACKDOOR COMMANDS\r\nThe backdoor command processing thread is started in some of the operation modes and is capable of processing the\r\nfollowing commands:\r\nCommand | Code (Hex/Decimal) | Parameters | Comments\r\nGetDiskInfo | 0x6EB / 1771 | RootPath | Save information about specified disk (disk name, drive type, volume information and free space) to a temp file\r\nGetFileInfo | 0x6EC / 1772 | FilePath | Save extended attributes of a file to a temp file\r\nGetDirInfo | 0x6ED / 1773 | DirectoryPath | Save directory info (extended attributes of a directory, number of subdirectories, number of files and total file size) to a temp file\r\nGetDirList | 0x6EE / 1774 | DirectoryPath | Save the list of file names found under a specified directory to a temp file\r\nDeleteMyFile | 0x6EF / 1775 | FilePath | Delete a specified file(s)\r\nCreateDir | 0x6F0 / 1776 | DirectoryPath | Create a specified directory\r\nReNameFile | 0x6F1 / 1777 | ExistingFileName, NewFileName | Move a specified file\r\nGetDiskList | 0x6F2 / 1778 | - | Save information about all disks (disk name, drive type, volume information and free space) to a temp file\r\nExecFile | 0x6F3 / 1779 | FilePath | Execute a given application\r\nKillOneProcess | 0x6F4 / 1780 | PID | Terminate process with given PID\r\nMyRegEnumKey | 0x6F5 / 1781 | SubKey | Write a list of registry values stored under a given key to a temp file\r\nMyRegDeleteKey | 0x6F6 / 1782 | SubKey | Delete a specified registry key\r\n(unimplemented) | 0x6F7 / 1783 | - | -\r\nMyRegDeleteValue | 0x6F8 / 1784 | SubKey, ValueName | Delete a specified registry value\r\nMyRegEditValue | 0x6F9 / 1785 | SubKey, ValueName, Type, Data | Set a specified registry value\r\n(unimplemented) | 0x6FA / 1786 | - | -\r\nGetDownFileList | 0x6FB / 1787 | ListOfFiles | Save paths, attributes and sizes of given files to a temp file\r\nGetProcessList | 0x6FC / 1788 | - | Write the list of running processes to a temp file\r\nEnumMyServices | 0x6FD / 1789 | - | Write the list of services (name, status, config) to a temp file\r\nControlMyServices | 0x6FE / 1790 | ServiceName, State | Either start or restart specified service, depending on the second parameter\r\nConfigMyServices | 0x6FF / 1791 | ServiceName, StartType, DisplayName | Change start type and display name of a given service\r\n(unimplemented) | 0x700 / 1792 | - | -\r\nDeleteMyServices | 0x701 / 1793 | ServiceName | Delete a specified service\r\nGetFindFileList | 0x702 / 1794 | Path | Find specified file or all files under specified directory; save file names together with their attributes to a temp file\r\nMyEnumWindows | 0x703 / 1795 | - | Write the list of open windows (window text and module name) to a temp file\r\nMyControlWindows | 0x704 / 1796 | hWnd, CmdShow | Either close or manipulate (show, hide, minimize, maximize) a given window\r\nFake Narrator\r\nSHA256 0022508fd02bb23c3a2c4f5de0906df506a2fcabc3e841365b60ba4dd8920e0c\r\nClassification Malware/Trojan\r\nAliases N/A\r\nSize 220 KB (225,280 bytes)\r\nType PE32+ executable (GUI) x86-64, for MS Windows\r\nFilename Narrator.exe\r\nTimestamp 2015-06-08 05:23:07\r\nPDB path C:\\myWork\\vc\\Narrator_window_20150606v1.2\\x64\\Release\\Narrator.pdb\r\nOverview\r\nSimilar to the aforementioned “Sticky Keys” attack[3], this binary is designed to replace Narrator.exe, a legitimate\r\nscreen-reader utility belonging to Windows. Leveraging this attack makes it possible for a remote threat actor to gain\r\nunauthenticated access to a command prompt running with system privileges via a remote desktop logon screen. In order\r\nto deploy the Trojanized Narrator, the attackers will first have had to obtain administrative privileges on the victim’s\r\nsystem.\r\nThis binary is quite novel compared to previous malware that exploits accessibility features in Windows, in that it doesn’t\r\nattempt to replicate the Narrator user interface (which is often imitated poorly). Instead, it spawns a copy of the original\r\nNarrator.exe and draws a hidden overlapped window[4], where it waits to capture specific key combinations known only\r\nto the attacker. 
When the correct passphrase has been typed, the malware will display a dialog that allows the attacker to\r\nspecify the path to a file to execute.\r\nFEATURES\r\nReplaces Narrator.exe, a legitimate Windows screen reader application\r\nRequires attackers to obtain administrative privileges on the victim machine prior to deployment\r\nGrants permanent SYSTEM-level access via the logon screen\r\nBEHAVIOR\r\nUpon execution, the Trojanized Fake Narrator will first run the original legitimate Narrator (previously renamed by the\r\nthreat actor to NarratorMain.exe). The malware will then register a window class (\"NARRATOR\") and create a window\r\n(“Narrator”).\r\nThe window procedure creates a dialog with an edit control and a button called “r”, while a separate thread constantly\r\nmonitors keyboard strokes. If the malware detects that a specific password has been typed (hardcoded in the binary as\r\nthe \"showmememe\" string), it will display the previously created dialog. This will allow the attacker to specify the\r\ncommand, or the path to a file to execute, via the edit control. When the “r” button is pressed, the malware will read the\r\ncontents of the edit control and supply the text to a thread that will attempt to run the command via the system API:\r\nFigure 17: Fake Narrator – Monitoring the keyboard for hardcoded password\r\nOnce the Fake Narrator is enabled at the logon screen via “Ease of Access”, the malware will be executed by\r\nwinlogon.exe with SYSTEM privileges. 
Typing the attacker-defined password will allow the attacker to spawn any\r\nexecutable, also running under the SYSTEM account, at the logon screen:\r\nFigure 18: Fake Narrator running at RDP login prompt\r\nThis technique ultimately allows a malicious actor to maintain a persistent shell on a system without requiring valid\r\ncredentials.\r\nConclusions\r\nThe threat actor behind these attacks tends to modify and reuse publicly available code – this is true both for the foothold\r\nbackdoor and for the majority of the post-exploitation tools they use. Such an approach requires significantly fewer\r\nresources and speeds up the process of developing an attack toolset. Moreover, open source code is more difficult to\r\nattribute as it can be adapted and used by anyone who has access to the Internet and an appropriate compiler.\r\nDespite a preference towards open source tools, the attacker doesn’t shy away from building their own bespoke utilities\r\nas needed, like Fake Narrator. The development timeline of Fake Narrator samples shows the tool was introduced more\r\nthan four years ago and is still being actively modified in order to better fit the victim’s environment. A multi-year period\r\nbetween subsequent versions suggests that this particular tool is rather uncommon and used in a very limited number of\r\ncases.\r\nThe aim of the attackers is persistent exfiltration of sensitive data, as well as local network reconnaissance and lateral\r\nmovement. 
The use of Fake Narrator to gain SYSTEM-level privileges indicates the threat actor is interested in long-term\r\nmonitoring of the victim, as opposed to one-off data collection.\r\nBased on the use of numerous Chinese open source projects and the geographical location of the victims, we suspect the\r\nthreat actor to be of Chinese origin. The use of PcShare was previously seen in relation to a group called Tropic Trooper,\r\nwhich has been targeting government institutions and heavy industry in the same region since at least 2012. Tropic\r\nTrooper (a.k.a. KeyBoy) is known to use a toolset that includes the PcShare backdoor, alongside another popular\r\nbackdoor called Poison Ivy, and a bespoke one called Yahoyah.\r\nWith PcShare being an open source project which could be leveraged by any number of threat actors operating in this\r\nregion, we cannot be completely certain the attack is attributable to Tropic Trooper at this time.\r\nIndicators of Compromise (IOCs)\r\nIndicator | Type | Description\r\nc5226bfd53d789a895559e8bcbedc4ecdde543e54a427b1cb4e5d7ef90756daa | SHA256 | PcShare loader #1\r\n1899b3d59a9dc693d45410965c40c464224160bbef596f51d35fda099d609744 | SHA256 | PcShare loader #2\r\nbd345155aa4baa392c3469b9893a4751c2372ae4923cf05872bcdc159b9596f8 | SHA256 | PcShare backdoor (encrypted)\r\n49b86ae6231d44dfc2ff4ad777ea544ae534eb40bd0209defffec1eb1fe66b34 | SHA256 | PcShare backdoor (dump; no PE header)\r\n0022508fd02bb23c3a2c4f5de0906df506a2fcabc3e841365b60ba4dd8920e0c | SHA256 | Fake Narrator\r\n945F4106-C691-4921-ACAB-E58C50C5F150 | Mutex | PcShare loader\r\nCF08C3F3-2CA3-4215-8CB3-4CDBD3030EC4 | Mutex | PcShare loader\r\n45.32.181.48 | C\u0026C IP | PcShare loader #1\r\n142.4.124.124 | C\u0026C IP | PcShare loader #2\r\nC:\\myWork\\vc\\Narrator_window_20150606v1.2\\x64\\Release\\Narrator.pdb | PDB path | Fake Narrator\r\nMITRE ATT\u0026CK\r\nTactic | ID | Name | Observed\r\nInitial Access | T1078 | Valid Accounts | -\r\nExecution | T1085 | Rundll32 | PcShare loader\r\nPersistence | T1100 | Webshell | -\r\nPersistence | T1060 | Registry Run Keys | PcShare loader\r\nPrivilege Escalation | T1015 | Accessibility Features | Fake Narrator\r\nDefense Evasion | T1073 | DLL Sideloading | PcShare loader\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | PcShare loader\r\nDiscovery | T1010 | Application Window Discovery | PcShare backdoor\r\nDiscovery | T1083 | File and Directory Discovery | PcShare backdoor\r\nDiscovery | T1057 | Process Discovery | PcShare backdoor\r\nDiscovery | T1012 | Query Registry | PcShare backdoor\r\nDiscovery | T1082 | System Information Discovery | PcShare backdoor\r\nDiscovery | T1007 | System Service Discovery | PcShare backdoor\r\nCommand and Control | T1032 | Standard Cryptographic Protocol | PcShare backdoor\r\nCommand and Control | T1105 | Remote File Copy | PcShare backdoor\r\nExfiltration | T1041 | Exfiltration Over Command and Control Channel | PcShare backdoor\r\nSource: https://web.archive.org/web/20191115210757/https://threatvector.cylance.com/en_us/home/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://web.archive.org/web/20191115210757/https://threatvector.cylance.com/en_us/home/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware.html"
	],
	"report_names": [
		"pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware.html"
	],
	"threat_actors": [
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bef7800a-a08f-4e21-b65c-4279c851e572",
			"created_at": "2022-10-25T15:50:23.409336Z",
			"updated_at": "2026-04-10T02:00:05.319608Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"Tropic Trooper",
				"Pirate Panda",
				"KeyBoy"
			],
			"source_name": "MITRE:Tropic Trooper",
			"tools": [
				"USBferry",
				"ShadowPad",
				"PoisonIvy",
				"BITSAdmin",
				"YAHOYAH",
				"KeyBoy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724",
			"created_at": "2022-10-25T16:07:24.344358Z",
			"updated_at": "2026-04-10T02:00:04.947834Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"APT 23",
				"Bronze Hobart",
				"Earth Centaur",
				"G0081",
				"KeyBoy",
				"Operation Tropic Trooper",
				"Pirate Panda",
				"Tropic Trooper"
			],
			"source_name": "ETDA:Tropic Trooper",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"ByPassGodzilla",
				"CHINACHOPPER",
				"CREDRIVER",
				"China Chopper",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"KeyBoy",
				"Neo-reGeorg",
				"PCShare",
				"POISONPLUG.SHADOW",
				"Poison Ivy",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Swor",
				"TSSL",
				"USBferry",
				"W32/Seeav",
				"Winsloader",
				"XShellGhost",
				"Yahoyah",
				"fscan",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434587,
	"ts_updated_at": 1775792000,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/266191b305ea4b9c53d0a8bda5806ded730cb778.pdf",
		"text": "https://archive.orkl.eu/266191b305ea4b9c53d0a8bda5806ded730cb778.txt",
		"img": "https://archive.orkl.eu/266191b305ea4b9c53d0a8bda5806ded730cb778.jpg"
	}
}