{
	"id": "17cd9193-1894-4452-b277-d4451a025327",
	"created_at": "2026-04-06T00:07:50.106217Z",
	"updated_at": "2026-04-10T13:12:27.165677Z",
	"deleted_at": null,
	"sha1_hash": "2b3082d75dd39ff900b4b17fca8d1f22109d2655",
	"title": "Octopus-infested seas of Central Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 396467,
	"plain_text": "Octopus-infested seas of Central Asia\r\nBy GReAT\r\nPublished: 2018-10-15 · Archived: 2026-04-02 12:45:16 UTC\r\nFor the last two years we have been monitoring a Russian-language cyberespionage actor that focuses on Central Asian users and diplomatic entities. We named the actor DustSquad and have provided private intelligence reports to our customers on four of their campaigns involving custom Android and Windows malware. In this blogpost we cover a malicious program for Windows called Octopus that mostly targets diplomatic entities.\r\nThe name was originally coined by ESET in 2017 after the 0ct0pus3.php script used by the actor on their old C2 servers. We also started monitoring the malware and, using the Kaspersky Attribution Engine based on similarity algorithms, discovered that Octopus is related to DustSquad, something we reported in April 2018. In our telemetry we tracked this campaign back to 2014 in the former Soviet republics of Central Asia (still mostly Russian-speaking), plus Afghanistan.\r\nIn the case of Octopus, DustSquad used Delphi as their programming language of choice, which is unusual for such an actor. Other exceptions are the Russian-language Zebrocy (Sofacy’s Delphi malware), the Hindi-language DroppingElephant and the Turkish-language StrongPity. Although we detected Octopus victims that were also infected with Zebrocy/Sofacy, we didn’t find any strong similarities and we don’t consider the two actors to be related.\r\nWhat happened?\r\nIn April 2018 we discovered a new Octopus sample pretending to be Telegram Messenger with a Russian interface. We couldn’t find any legitimate software that this malware appears to be impersonating; in fact, we don’t believe it exists. The Trojan uses third-party Delphi libraries like The Indy Project for JSON-based C2 communications and TurboPower Abbrevia (sourceforge.net/projects/tpabbrevia) for compression. Malware persistence is basic and achieved via the system registry. The server side uses commercial hosting in different countries with .php scripts deployed. Kaspersky Lab products detect the Octopus Trojan as Trojan.Win32.Octopus.gen. For more information, please contact: intelreports@kaspersky.com.\r\nTechnical details\r\nThe attackers used the potential Telegram ban in Kazakhstan to push their dropper as alternative communication software for the political opposition.\r\nhttps://securelist.com/octopus-infested-seas-of-central-asia/88200/\r\nPage 1 of 9\r\n‘Telegram messenger’ establishes network module persistence in the simplest way and starts the module\r\nWe can’t confirm how this malware is being distributed, although it clearly uses some form of social engineering. This actor previously used spear phishing to spread malware.\r\nDropper\r\nMD5 hash: 979eff03faeaeea5310df53ee1a2fc8e\r\nName: dvkmailer.zip\r\nArchive contents:\r\nd6e813a393f40c7375052a15e940bc67 CsvHelper.dll (legitimate .NET CSV file parser)\r\n664a15bdc747c560c11aa0cf1a7bf06e Telegram Messenger.exe (persistence and launcher)\r\n87126c8489baa8096c6f30456f5bef5e TelegramApi.dll (network module)\r\nd41d8cd98f00b204e9800998ecf8427e Settings.json (empty)\r\nLauncher\r\nMD5 hash: 664a15bdc747c560c11aa0cf1a7bf06e\r\nFile name: Telegram Messenger.exe\r\nPE timestamp: 2018.03.18 21:34:12 (GMT)\r\nLinker version: 2.25 (Embarcadero Delphi)\r\nBefore any user interaction, inside the FormCreate() function the launcher checks for a file named TelegramApi.dll in the same directory. If it exists, the launcher copies the network module to the startup directory as Java.exe and runs it.\r\nDelphi Visual Component Library (VCL) programs are based on event handlers for form elements. Such programs are extremely large (about 2.6 MB and 12,000 functions), but most of this code handles the visual components and run-time libraries. There are only three programmer-defined handlers for controlling elements inside the Octopus launcher.\r\nFunction name / Functionality:\r\nFormCreate(): runs as a constructor before any user activity; makes the network module persistent via the Startup directory and runs it\r\nButton1Click(): shows the Explorer dialog window to choose the “mailing file”\r\nDateTimePicker1Click(): shows a calendar to select the “mailing date”\r\nThere is no handler for the ‘Send mailing’ button, so the launcher pretends to be an alternative communicator that in reality does nothing. This may be because the malware is still unfinished – after all, messages sent through it could be of value to the attackers. However, we believe it is more likely that the malware was created in a hurry and the attackers decided to skip any communication features.\r\nNetwork module\r\nC2 communication scheme\r\nMD5 hash: 87126c8489baa8096c6f30456f5bef5e\r\nFile name: TelegramApi.dll\r\nPE timestamp: 2018.02.06 11:09:28 (GMT)\r\nLinker version: 2.25 (Embarcadero Delphi)\r\nDespite the file extension, this network module is a self-sufficient portable executable file and not a dynamic-link library. The first sample checks for files with names like 1?????????.* in the user’s temporary folder and deletes any files it finds. Then it creates .profiles.ini in the Application Data directory, where the malware stores its log.\r\nHTTP request / Response:\r\nGET /d.php?check → JSON “ok”\r\nGET /d.php?servers → JSON domain name\r\nGET /i.php?check= → JSON “ok”\r\nPOST /i.php?query= → JSON response code or command, depending on the POST data\r\nFirst stage .php script to check connection and get C2 domain name\r\nAll network modules contain hardcoded IP addresses belonging to commercial web-hosting services based in different countries. The operators simply deploy their first-stage .php script on them, which checks the connection and returns the actual C2 server domain name in response to an HTTP GET request.\r\nAfter the initial connection check, the malware receives a JSON with the actual C2 domain name\r\nThen the network module checks against the hardcoded victim’s id\r\nThe network module checks against a 32-digit hardcoded victim id and sends the gathered data to the C2 using an HTTP POST request. In terms of programming, this id is strange, because the malware simultaneously ‘fingerprints’ its victim with an MD5 hash of its system data.\r\nJSON-based gathered data sent in a base64-encoded HTTP POST request\r\nAll communication with the C2s is based on JSON-formatted data and the HTTP protocol. For that, the developers used the publicly available The Indy Project (indyproject.org) library as well as the third-party TurboPower Abbrevia (sourceforge.net/projects/tpabbrevia) for compression.\r\nAfter all the initial HTTP GET requests, the malware starts to gather JSON-formatted system data. For all the fixed drives in the system, the network module stores the disk name and size, as well as the computer and user name, Windows directory, host IP, etc. One interesting field is “vr”:”2.0″, which appears to be the malware version encoded in the communication protocol.\r\nThe ‘id’ field is the victim’s fingerprint, for which the malware actively uses the Windows Management Instrumentation mechanism. The Trojan runs WMIC.exe with the following arguments:\r\nC:\\WINDOWS\\system32\\wbem\\WMIC.exe computersystem get Name /format:list\r\nC:\\WINDOWS\\system32\\wbem\\WMIC.exe os get installdate /format:list\r\nC:\\WINDOWS\\system32\\wbem\\WMIC.exe path CIM_LogicalDiskBasedOnPartition get Antecedent,Dependent\r\nThen the module concatenates the gathered ids and computes an MD5 hash, which will be the victim’s final id.\r\nThe “act” field numbers the communication stage (0 for initial fingerprinting). After this, the HTTP POST control server returns a JSON {“rt”:”30″} and the client continues with the next “act” in the HTTP POST:\r\nAt this point the C2 sends a JSON with commands to execute, including uploading/downloading files, taking a screenshot and finding *.rar archives on the host.\r\nOther software\r\nBesides the Trojan itself, the Octopus developers used the password dumping utility fgdump.\r\nInfrastructure\r\nMD5 hash | IPs | C2 domain\r\n87126c8489baa8096c6f30456f5bef5e | 185.106.120.27, 204.145.94.10 | porenticofacts.com\r\nee3c829e7c773b4f94b700902ea3223c, 38f30749a87dcbf156689300737a094e | 185.106.120.240, 204.145.94.101 | certificatesshop.com\r\n6e85996c021d55328322ce8e93b31088 | 5.188.231.101, 103.208.86.238 | blondehairman.com\r\n7c0050a3e7aa3172392dcbab3bb92566 | 5.8.88.87, 103.208.86.237 | latecafe.in\r\n2bf2f63c927616527a693edf31ecebea | 85.93.31.141, 104.223.20.136 | hovnanflovers.com\r\nd9ad277eb23b6268465edb3f68b12cb2 | 5.188.231.101, 103.208.86.238 | blondehairman.com\r\nThe most recent samples (2017-2018) of hardcoded IPs and web domains obtained from the .php script\r\nConclusions\r\nPolitical entities in Central Asia have been targeted throughout 2018 by different actors, including IndigoZebra, Sofacy (with Zebrocy malware) and most recently DustSquad (with Octopus malware). Interestingly, we observed some victims who are ‘threat magnets’ targeted by all of them. From our experience we can say that the interest shown by threat actors in this region is now high, and the traditional ‘players’ have been joined by relative newcomers like DustSquad that have sprung up locally.\r\nIndicators of compromise\r\nFile hashes\r\nDomains and IPs\r\nAuxiliary URLs to upload/download files:\r\nwww.fayloobmennik.net/files/save_new.html\r\nhttp://uploadsforyou.com/download/\r\nhttp://uploadsforyou.com/remove/\r\nThe following are old indicators of compromise no longer used by this actor, but which can be used for forensic purposes:\r\nFirst stage .php script placed at:\r\nDomains returned by .php script:\r\nSource: https://securelist.com/octopus-infested-seas-of-central-asia/88200/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/octopus-infested-seas-of-central-asia/88200/"
	],
	"report_names": [
		"88200"
	],
	"threat_actors": [
		{
			"id": "978775b9-369d-44f7-8a42-76d7b9cb42d5",
			"created_at": "2022-10-25T15:50:23.846105Z",
			"updated_at": "2026-04-10T02:00:05.36378Z",
			"deleted_at": null,
			"main_name": "Nomadic Octopus",
			"aliases": [
				"Nomadic Octopus",
				"DustSquad"
			],
			"source_name": "MITRE:Nomadic Octopus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "62f2206e-d8c6-49bb-86fc-63118ac2bf40",
			"created_at": "2022-10-25T16:07:23.725942Z",
			"updated_at": "2026-04-10T02:00:04.728159Z",
			"deleted_at": null,
			"main_name": "IndigoZebra",
			"aliases": [
				"G0136"
			],
			"source_name": "ETDA:IndigoZebra",
			"tools": [
				"Dropbox"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960",
			"created_at": "2022-10-25T16:07:24.077859Z",
			"updated_at": "2026-04-10T02:00:04.860725Z",
			"deleted_at": null,
			"main_name": "Promethium",
			"aliases": [
				"APT-C-41",
				"G0056",
				"Magenta Dust",
				"Promethium",
				"StrongPity"
			],
			"source_name": "ETDA:Promethium",
			"tools": [
				"StrongPity",
				"StrongPity2",
				"StrongPity3",
				"Truvasys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6",
			"created_at": "2022-10-25T15:50:23.777222Z",
			"updated_at": "2026-04-10T02:00:05.399303Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"PROMETHIUM",
				"StrongPity"
			],
			"source_name": "MITRE:PROMETHIUM",
			"tools": [
				"Truvasys",
				"StrongPity"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb4a645-181b-4237-825f-447ac9b0c16d",
			"created_at": "2022-10-25T15:50:23.764656Z",
			"updated_at": "2026-04-10T02:00:05.40558Z",
			"deleted_at": null,
			"main_name": "IndigoZebra",
			"aliases": [
				"IndigoZebra"
			],
			"source_name": "MITRE:IndigoZebra",
			"tools": [
				"xCaon",
				"BoxCaon",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "70661552-6715-4750-bf4e-527055d3e7b4",
			"created_at": "2023-11-08T02:00:07.114392Z",
			"updated_at": "2026-04-10T02:00:03.417207Z",
			"deleted_at": null,
			"main_name": "DustSquad",
			"aliases": [
				"Nomadic Octopus"
			],
			"source_name": "MISPGALAXY:DustSquad",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4660477f-333f-4a18-b49b-0b4d7c66d482",
			"created_at": "2023-01-06T13:46:38.511962Z",
			"updated_at": "2026-04-10T02:00:03.007466Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"StrongPity",
				"G0056"
			],
			"source_name": "MISPGALAXY:PROMETHIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f33ce87f-9514-447c-aba2-ff3e4e9e5b71",
			"created_at": "2023-11-07T02:00:07.097748Z",
			"updated_at": "2026-04-10T02:00:03.406698Z",
			"deleted_at": null,
			"main_name": "IndigoZebra",
			"aliases": [],
			"source_name": "MISPGALAXY:IndigoZebra",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6fe4b4f-9694-4ffc-94ef-a0cc5aef94d9",
			"created_at": "2022-10-25T16:07:23.556112Z",
			"updated_at": "2026-04-10T02:00:04.655561Z",
			"deleted_at": null,
			"main_name": "DustSquad",
			"aliases": [
				"APT-C-34",
				"DustSquad",
				"G0133",
				"Golden Falcon",
				"Nomadic Octopus"
			],
			"source_name": "ETDA:DustSquad",
			"tools": [
				"Garpun",
				"Paperbug",
				"Remote Control System"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434070,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b3082d75dd39ff900b4b17fca8d1f22109d2655.pdf",
		"text": "https://archive.orkl.eu/2b3082d75dd39ff900b4b17fca8d1f22109d2655.txt",
		"img": "https://archive.orkl.eu/2b3082d75dd39ff900b4b17fca8d1f22109d2655.jpg"
	}
}