{
	"id": "d3199162-6ef3-40e7-a0d4-1afe0cad7541",
	"created_at": "2026-04-06T00:11:43.392604Z",
	"updated_at": "2026-04-10T03:32:09.332057Z",
	"deleted_at": null,
	"sha1_hash": "2aeb2eacfc08fac049dbeb48b3fec5bfd314a568",
	"title": "Malware Gh0stTimes Used by BlackTech - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1459774,
	"plain_text": "Malware Gh0stTimes Used by BlackTech - JPCERT/CC Eyes\r\nBy 朝長 秀誠 (Shusei Tomonaga)\r\nPublished: 2021-10-03 · Archived: 2026-04-05 16:52:14 UTC\r\nBlackTech\r\nThe attack group BlackTech has been actively conducting attacks against Japanese organisations since 2018. Although it is not as prominent as before, JPCERT/CC is still seeing some cases as of now. This article introduces the details of the malware Gh0stTimes, which is used by this group.\r\nGh0stTimes overview\r\nGh0stTimes is customised based on Gh0st RAT and has been used in some attack cases since 2020. Figure 1 shows a comparison of Gh0stTimes and Gh0st RAT code.\r\nFigure 1: Comparison of Gh0stTimes and Gh0st RAT (CFileManager) code (Left: Gh0stTimes / Right: Gh0st RAT)\r\nBoth are file-operation functions, and they are almost identical. Many of the Gh0st RAT functions are upgraded in Gh0stTimes, but some parts of the code are kept as is. The next sections explain the features of Gh0stTimes:\r\nCommunication protocol\r\nCommands\r\nDummy code\r\nC2 server control panel\r\nhttps://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html\r\nPage 1 of 11\n\nCommunication protocol\r\nJust like Gh0st RAT, Gh0stTimes communicates with C2 servers over its own custom protocol, but the packet format is different. Figure 2 shows the flow of communication.\r\nFigure 2: Gh0stTimes communication flow\r\nAt the beginning of its communication with a C2 server, Gh0stTimes sends an authentication ID and data (the \"Key\" in Figure 2) from which the encryption key for the following communication is generated. The C2 server checks the authentication ID and only accepts communication from certain IDs. 
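The packet handling of this protocol as an added round-trip example (not code from the original article or from JPCERT/CC): it takes the fixed key fragments, the key-byte permutation and the XOR 0xAC from the decoder shown later on this page, and the header masks from Appendix A, builds a packet the way that decoder implies (zlib first, then the custom RC4, then a 12-byte header), and parses it back with the checks the page script skips. One assumption is labelled in the code: the page does not say whether the length field at offset 0x04 includes the header, so the example treats it as the total packet length, following the Gh0st RAT convention. The first packet and the host-information payload are constructed samples, and the function names are not from the malware or the page.

```python
import struct
import zlib

# Constants taken from the decoder on this page: the two fixed key fragments,
# the permutation applied to the 16 key bytes from the first packet, and the
# XOR masks on the header length fields (Appendix A).
KEY_1 = bytes([0x98, 0x19, 0x3C, 0x56, 0xD9, 0xBB, 0xC7, 0x86, 0xFF, 0x3E])
KEY_3 = bytes([0xAC, 0xBB, 0x30, 0x5E, 0xCC, 0xDD, 0x19, 0x23, 0xFC, 0xBD])
KEYBOX = [7, 0, 2, 3, 9, 10, 4, 13, 14, 8, 1, 11, 5, 6, 12, 15]
HEADER_LEN = 12
# (mask for the length field at 0x04, mask for the raw-length field at 0x08)
MASKS = {
    'sent': (0x3A4BFDCC, 0x7C2E56D2),      # bot -> C2, Table A-1
    'received': (0xC3A2B5D2, 0x68FC2AD3),  # C2 -> bot, Table A-2
}


def key_from_first_packet(first_packet):
    # The 16 key bytes sit at offset 5 of the first packet (keydata[5:21] on this page)
    if len(first_packet) < 21:
        raise ValueError('first packet too short to carry key material')
    return bytes(first_packet[5:21])


def derive_key(keydata):
    # 36-byte RC4 key: fixed prefix + permuted 16 bytes + fixed suffix
    if len(keydata) != 16:
        raise ValueError('keydata must be exactly 16 bytes')
    key_2 = bytes(keydata[KEYBOX[i]] for i in range(16))
    return KEY_1 + key_2 + KEY_3


def custom_rc4(data, keydata):
    # Plain RC4 KSA and PRGA, except every output byte is also XORed with 0xAC.
    # XOR is an involution, so the same call encrypts and decrypts.
    key = derive_key(keydata)
    box = list(range(256))
    x = 0
    for i in range(256):
        x = (x + box[i] + key[i % len(key)]) % 256
        box[i], box[x] = box[x], box[i]
    x = y = 0
    out = bytearray()
    for ch in data:
        x = (x + 1) % 256
        y = (y + box[x]) % 256
        box[x], box[y] = box[y], box[x]
        out.append(ch ^ box[(box[x] + box[y]) % 256] ^ 0xAC)
    return bytes(out)


def build_packet(packet_id, plaintext, keydata, direction='sent'):
    # Encoder side, as implied by the page decoder: zlib first, then RC4.
    # Assumption (not stated on the page): the field at 0x04 holds the total
    # packet length including the 12-byte header, as in Gh0st RAT.
    len_mask, raw_mask = MASKS[direction]
    body = custom_rc4(zlib.compress(plaintext), keydata)
    header = struct.pack('<III', packet_id,
                         (HEADER_LEN + len(body)) ^ len_mask,
                         len(plaintext) ^ raw_mask)
    return header + body


def parse_packet(packet, keydata, direction='sent'):
    # Decoder side with the header checks the page script skips: both length
    # fields are verified, and a wrong key surfaces as a failed inflate.
    if len(packet) < HEADER_LEN:
        raise ValueError('packet shorter than the 12-byte header')
    len_mask, raw_mask = MASKS[direction]
    packet_id, enc_len, enc_raw = struct.unpack_from('<III', packet, 0)
    if (enc_len ^ len_mask) != len(packet):
        raise ValueError('length field does not match packet size')
    comp = custom_rc4(packet[HEADER_LEN:], keydata)
    try:
        plaintext = zlib.decompress(comp)
    except zlib.error as exc:
        raise ValueError('body did not inflate: wrong key or corrupt packet') from exc
    if len(plaintext) != (enc_raw ^ raw_mask):
        raise ValueError('decompressed length does not match header')
    return packet_id, plaintext


if __name__ == '__main__':
    # Constructed sample: a made-up first packet and a made-up host-info payload
    first_packet = bytes(range(0x10, 0x30))
    keydata = key_from_first_packet(first_packet)
    info = b'HOST=WS01;USER=alice;CPU=Intel(R) Core(TM)'
    pkt = build_packet(0x1, info, keydata)
    print('packet:', pkt.hex())
    print('parsed:', parse_packet(pkt, keydata))
```

Run stand-alone it prints one constructed packet and its parse. The useful property for triage is that a wrong key fails at the inflate step instead of returning garbage, so a capture that parses cleanly under a candidate key from the first packet is strong confirmation that the traffic is this protocol.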
Figure 3 shows an example of the specific authentication IDs.\r\nFigure 3: Gh0stTimes authentication ID sample\r\nAfter successful authentication, the communication that follows is encrypted with the key derived from the data provided at the beginning of the communication. The next round of communication carries information about the infected host, such as hostname, username and processor name (Figure 4).\r\nFigure 4: Information of infected hosts sent by Gh0stTimes\r\nAfter sending the host information, commands are exchanged. See Appendix A for the format of the data exchanged. Command data is zlib-compressed and then RC4-encrypted, so a decoder strips the RC4 layer first and inflates second (the script below does exactly that). Gh0stTimes uses a custom RC4 in which each byte is XORed with 0xAC in addition to the keystream byte, and the 36-byte RC4 key is assembled from two fixed 10-byte fragments around 16 bytes taken, in a fixed permutation, from the first packet.\r\nFigure 5: Part of Gh0stTimes code to encrypt data with RC4\r\nThe following Python code decodes the data exchanged. The first argument is the first packet (the 16 key bytes are read from offset 5); the second is a captured command packet, whose 12-byte header (Appendix A) is skipped before decryption.\r\nimport sys\r\nimport zlib\r\n\r\n\r\ndef custom_rc4(data, keydata):\r\n    # 36-byte RC4 key: fixed prefix + 16 permuted bytes from the first packet + fixed suffix\r\n    key_1 = [0x98, 0x19, 0x3C, 0x56, 0xD9, 0xBB, 0xC7, 0x86, 0xFF, 0x3E]\r\n    key_3 = [0xAC, 0xBB, 0x30, 0x5E, 0xCC, 0xDD, 0x19, 0x23, 0xFC, 0xBD]\r\n    keybox = [7, 0, 2, 3, 9, 10, 4, 13, 14, 8, 1, 11, 5, 6, 12, 15]\r\n    key_2 = [keydata[keybox[i]] for i in range(16)]\r\n    key = key_1 + key_2 + key_3\r\n    # Standard RC4 key scheduling\r\n    x = 0\r\n    box = list(range(256))\r\n    for i in range(256):\r\n        x = (x + box[i] + key[i % len(key)]) % 256\r\n        box[i], box[x] = box[x], box[i]\r\n    # Keystream generation; the only deviation from RC4 is the extra XOR 0xAC on every byte\r\n    x = 0\r\n    y = 0\r\n    out = bytearray()\r\n    for char in data:\r\n        x = (x + 1) % 256\r\n        y = (y + box[x]) % 256\r\n        box[x], box[y] = box[y], box[x]\r\n        out.append(char ^ box[(box[x] + box[y]) % 256] ^ 0xAC)\r\n    return bytes(out)\r\n\r\n\r\n# Load keydata from the first packet\r\nwith open(sys.argv[1], \"rb\") as fb:\r\n    keydata = fb.read()\r\n\r\n# Load an encoded command packet\r\nwith open(sys.argv[2], \"rb\") as fb:\r\n    data = fb.read()\r\n\r\n# Skip the 12-byte header, strip the RC4 layer, then inflate\r\ncomp_data = custom_rc4(data[12:], keydata[5:21])\r\ndec_data = zlib.decompress(comp_data)\r\nsys.stdout.buffer.write(dec_data)\r\nCommands\r\nGh0stTimes is equipped with the following 5 types of commands:\r\nFileManager (command number 0x1): File operation\r\nShellManager (command number 0x28): Remote shell execution\r\nPortmapManager (command number 0x32): C2 server redirect function\r\nUltraPortmapManager (command number 0x3F): Proxy function\r\nNo name (command number 0): End communication\r\nFigure 6: List of commands\r\nShellManager and FileManager are the same as Gh0st RAT's original functions. FileManager has multiple functions to operate on files on infected hosts (see Appendix B for details).\r\nPortmapManager and UltraPortmapManager are unique to Gh0stTimes, which indicates that its relay function has been enhanced compared to Gh0st RAT.\r\nDummy code\r\nSome types of malware that BlackTech uses contain dummy code, which may make analysis difficult. Gh0stTimes has such code (Figure 7), but it does not have much impact on the analysis.\r\nFigure 7: Gh0stTimes dummy code sample\r\nC2 server control panel\r\nIn the course of analysis, we found the Gh0stTimes control panel. Figure 8 shows its GUI when the control panel is running. This one was named \"Times v1.2\".\r\nFigure 8: Gh0stTimes control panel\r\nFigure 9 shows the commands that can be executed from the control panel.\r\nFigure 9: List of commands on Gh0stTimes control panel\r\nIn closing\r\nAs BlackTech has been actively carrying out attacks, we will continue our analysis and monitoring. A list of IoCs is available in Appendix C. 
Please make sure that none of your devices is communicating with them.\r\nWe have identified that servers infected with Gh0stTimes are also affected by other types of malware (downloader, backdoor, ELF Bifrose) and by the attack tools listed below. Please be aware that these tools are possibly used by BlackTech.\r\nhttps://github.com/Yang0615777/PocList\r\nhttps://github.com/liuxu54898/CVE-2021-3019\r\nhttps://github.com/knownsec/pocsuite3\r\nCitrix exploit tool\r\nMikroTik exploit tool\r\nExploit for CVE-2021-28482\r\nExploit for CVE-2021-1472/CVE-2021-1473\r\nExploit for CVE-2021-28149/CVE-2021-28152\r\nExploit for CVE-2021-21975/CVE-2021-21983\r\nExploit for CVE-2018-2628\r\nExploit for CVE-2021-2135\r\nAcknowledgement\r\nWe would like to acknowledge the support and information shared by @r3dbU7z regarding this attack group.\r\nShusei Tomonaga\r\n(Translated by Yukako Uchida)\r\nAppendix A: Data exchanged\r\nEvery packet is a 12-byte header followed by the body; both length fields are stored XORed with a direction-specific constant, and the constants differ between the two directions.\r\nTable A-1: Format of data sent\r\nOffset  Length  Contents\r\n0x00    4       ID\r\n0x04    4       Data length XOR 0x3A4BFDCC\r\n0x08    4       Length of the data after 0x0C before compression, XOR 0x7C2E56D2\r\n0x0C    -       Encrypted data (zlib + RC4)\r\nTable A-2: Format of data received\r\nOffset  Length  Contents\r\n0x00    4       ID\r\n0x04    4       Data length XOR 0xC3A2B5D2\r\n0x08    4       Length of the data after 0x0C before compression, XOR 0x68FC2AD3\r\n0x0C    -       Encrypted data (zlib + RC4)\r\nAppendix B: Commands\r\nTable B: FileManager commands\r\nValue  Contents\r\n2      SendFilesList\r\n3      UploadToRemote\r\n4      CreateLocalRecvFile\r\n5      WriteLocalRecvFile\r\n7      SendFileData\r\n8      StopTransfer\r\n9      DeleteFile\r\n10     DeleteDirectory\r\n11     GetFileData\r\n12     CreateFolder\r\n13     MoveFile\r\n14     OpenFile (SW_SHOW)\r\n15     OpenFile (SW_HIDE)\r\nAppendix C: C2 servers\r\ntftpupdate.ftpserver.biz\r\n108.61.163.36\r\nupdate.centosupdates.com\r\n107.191.61.40\r\nosscach2023.hicloud.tw\r\n103.85.24.122\r\n106.186.121.154\r\nAppendix D: Malware hash values (SHA-256)\r\n01581f0b1818db4f2cdd9542fd8d663896dc043efb6a80a92aadfac59ddb7684\r\n18a696b09d0b7e41ad8ab6a05b84a3022f427382290ce58f079dec7b07e86165\r\n15b8dddbfa37317ccdfbc340764cd0f43b1fb8915b1817b5666c4816ccb98e7c\r\n849ec6055f0c18eff76170912d8500d3da7be1435a9117d67f2134138c7e70c3\r\nf19ab3fcbc555a059d953196b6d1b04818a59e2dc5075cf1357cee84c9d6260b\r\n836b873ab9807fbdd8855d960250084c89af0c4a6ecb75991542a7deb60bd119\r\na69a2b2a6f5a68c466880f4c634bad137cb9ae39c2c3e30c0bc44c2f07a01e8a\r\nbd02ca03355e0ee423ba0e31384d21b4afbd8973dc888480bd4376310fe6af71\r\n朝長 秀誠 (Shusei Tomonaga)\r\nSince December 2012, he has been engaged in malware analysis and forensics investigation, and is especially involved in analyzing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He presented at CODE BLUE, BsidesLV, BlackHat USA Arsenal, Botconf, PacSec and FIRST Conference. JSAC organizer.\r\nSource: https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html"
	],
	"report_names": [
		"gh0sttimes.html"
	],
	"threat_actors": [
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434303,
	"ts_updated_at": 1775791929,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2aeb2eacfc08fac049dbeb48b3fec5bfd314a568.pdf",
		"text": "https://archive.orkl.eu/2aeb2eacfc08fac049dbeb48b3fec5bfd314a568.txt",
		"img": "https://archive.orkl.eu/2aeb2eacfc08fac049dbeb48b3fec5bfd314a568.jpg"
	}
}