{
	"id": "831233b8-0e36-420a-87a5-3e3230796b73",
	"created_at": "2026-04-06T00:19:17.461467Z",
	"updated_at": "2026-04-10T03:35:47.23302Z",
	"deleted_at": null,
	"sha1_hash": "2b37df41129549e854cb0c2a9e091471c7fe6bf0",
	"title": "Naikon’s Aria",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 196109,
	"plain_text": "Naikon’s Aria\r\nBy GReAT\r\nPublished: 2020-05-08 · Archived: 2026-04-05 23:13:52 UTC\r\nOur colleagues at Checkpoint put together a fine research writeup on some Naikon resources and activity related to “aria-body” that we detected in 2017 and similarly reported in 2018. To supplement their research findings, we are summarizing and publishing portions of the findings reported in our June 2018 “Naikon’s New AR Backdoor Deployment to Southeast Asia”. This malware and activity aligns with much of what the Checkpoint researchers brought to light today.\r\nThe Naikon APT became well-known in May 2015, when our public reporting first mentioned and then fully described the group as a long-running presence in the APAC region. Even when the group shut down much of their successful offensive activity after years of campaigns, Naikon maintained several splinter campaigns. Matching malware artifacts, functionality, and targeting demonstrate that the group continues to wage cyber-espionage campaigns in the South China Sea region during 2018.\r\n“Aria-Body” or “AR” is a set of backdoors with compilation dates between January 2017 and February 2018. It can be particularly difficult to detect, as much of this code operates in memory, injected by other loader components without touching disk. We trace portions of this codebase back to “xsFunction” exe and dll modules used in Naikon operations going back to 2012, as their compiled modules implement a subset of the xsFunction feature set. In all likelihood, this new backdoor and related activity is an extension of, or a merge with, the group’s “Paradir Operation”. In the past, the group targeted communications and sensitive information from executive and legislative offices, law enforcement, government administrative, military and intelligence organizations within Southeast Asia. 
In many cases we have seen that these systems also were targeted previously with PlugX and other malware. So, the group has evolved a bit since 2015, and their activity targeting these same profiles continues into 2018. We identified at least a half dozen individual variants from 2017 and 2018.\r\nTechnical Details\r\nIt seems clear that the same codebase has been reused by Naikon since at least 2012, and recent AR backdoors were built from that same code. Their use was tightly clustered in previously and heavily Naikon-targeted organizations, again lending confidence to clustering these resources and activity with previous “Naikon” activity.\r\nNaikon’s new AR backdoor is a dll loaded into any one of multiple processes, providing remote access to a system. AR load attempts have been identified within processes with the executable images listed here:\r\nc:\\windows\\system32\\svchost.exe\r\nc:\\windows\\syswow64\\svchost.exe\r\nc:\\program files\\windows nt\\accessories\\services.exe\r\nc:\\users\\dell\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\acrobat.exe\r\nc:\\alphazawgyi\\svchost.exe\r\nhttps://securelist.com/naikons-aria/96899/\r\nPage 1 of 6\r\nBecause this AR code is injected into processes, the YARA rule provided in the Appendix is best run against memory dumps of processes maintaining a main image in the list above. The AR modules have additionally been seen in some other processes, including “msiexec.exe”.\r\nBelow are characteristics of the oldest AR and the newest known AR component in our collection.\r\nMD5 c766e55c48a4b2e7f83bfb8b6004fc51\r\nSHA256 357c8825b3f03414582715681e4e0316859b17e702a6d2c8ea9eb0fd467620a4\r\nCompiledOn Tue Jan  3 09:23:48 2017\r\nType PE32 DLL\r\nInternal name TCPx86.dll\r\nSize 176kb\r\nExports AzManager, DebugAzManager\r\nMD5 2ce4d68a120d76e703298f27073e1682\r\nSHA256 4cab6bf0b63cea04c4a44af1cf25e214771c4220ed48fff5fca834efa117e5db\r\nCompiledOn Thu Feb 22 10:04:02 2018\r\nType PE32 DLL\r\nInternal name aria-body-dllX86.dll\r\nSize 204kb\r\nExports AzManager, DebugAzManager\r\nWhen the dll is loaded, it registers a Windows class calling a specific Window procedure with a removable drive check, a CONNECT-proxied callback to its main C2, an IP location verification against checkip.amazonaws[.]com, and further communications with a C2. Some previous modules’ flow may include more or less system information collection prior to the initial callback.\r\nThe most recent version of the backdoor utilizes another Window procedure to implement a raw-input-device-based keystroke collector. This keylogger functionality was newly introduced to the malware code in February 2018, and was not present in previous versions.\r\nThe approximately 200 – 250kb AR backdoor family provides a familiar and slightly changing functionality set per compiled module. Because Checkpoint covers the same technical points in their post, we provide this simple summary list:\r\nPersistence handling\r\nFile and directory handling\r\nKeylogging\r\nShell/Process Management\r\nNetwork activity and status listing and management\r\nSystem information collection and management\r\nDownload management\r\nWindows management\r\nExtension management\r\nLocation/IP verification\r\nNetwork Communications over HTTP\r\nSimilarities to past Naikon components\r\nNaikon components going back to 2012 maintain heavy similarities with the current “Aria-body” modules. Not only is some of the functionality only lightly modified, but the same misspellings in error logging remain in their codebase. Let’s examine an older 2013 Naikon module and a newer 2017 Naikon AR module here.\r\nIt’s clear that the underlying codebase continues to be deployed:\r\ne09254fa4398fccd607358b24b918b63, CompiledOn: 2013:09:10 09:00:15\r\nc766e55c48a4b2e7f83bfb8b6004fc51, CompiledOn: 2017:01:03 09:23:48\r\nKudos to the Checkpoint researchers for bringing new details of the Naikon story into the public discussion.\r\nFor reference, some hashes and a YARA rule are provided here. Additional incident, infrastructure, and IOC details have been and remain available to our threat intel customers (please contact intelreports@kaspersky.com).\r\nIndicators of compromise\r\nAR aria-body dll\r\nc766e55c48a4b2e7f83bfb8b6004fc51\r\n2ce4d68a120d76e703298f27073e1682\r\nLoaders and related Naikon malware\r\n0ed1fa2720cdab23d969e60035f05d92\r\n3516960dd711b668783ada34286507b9\r\nVerdicts – 2018 and Later\r\nTrojan.Win32.Generic.gen\r\nTrojan.Win32.SEPEH.gen\r\nDangerousObject.Multi.Generic\r\nBackdoor.Win64.Agent.h*\r\nBackdoor.Win32.Agent.m*\r\nTrojan-Downloader.Win32.Agent.x*\r\nYARA Rules\r\nrule apt_ZZ_Naikon_ARstrings : Naikon\r\n{\r\n    meta:\r\n        copyright = \"Kaspersky\"\r\n        description = \"Rule to detect Naikon aria samples\"\r\n        hash = \"2B4D3AD32C23BD492EA945EB8E59B758\"\r\n        date = \"2020-05-07\"\r\n        version = \"1.0\"\r\n    strings:\r\n        $a1 = \"Terminate Process [PID=%d] succeeds!\" fullword wide\r\n        $a2 = \"TerminateProcess [PID=%d] Failed:%d\" fullword wide\r\n        $a3 = \"Close tcp connection returns: %d!\" fullword wide\r\n        $a4 = \"Delete Directory [%s] returns:%d\" fullword wide\r\n        $a5 = \"Delete Directory [%s] succeeds!\" fullword wide\r\n        $a6 = \"Create Directory [%s] succeeds!\" fullword wide\r\n        $a7 = \"SHFileOperation [%s] returns:%d\" fullword wide\r\n        $a8 = \"SHFileOperation [%s] succeeds!\" fullword wide\r\n        $a9 = \"Close tcp connection succeeds!\" fullword wide\r\n        $a10 = \"OpenProcess [PID=%d] Failed:%d\" fullword wide\r\n        $a11 = \"ShellExecute [%s] returns:%d\" fullword wide\r\n        $a12 = \"ShellExecute [%s] succeeds!\" fullword wide\r\n        $a13 = \"FindFirstFile [%s] Error:%d\" fullword wide\r\n        $a14 = \"Delete File [%s] succeeds!\" fullword wide\r\n        $a15 = \"CreateFile [%s] Error:%d\" fullword wide\r\n        $a16 = \"DebugAzManager\" fullword ascii\r\n        $a17 = \"Create Directroy [%s] Failed:%d\" fullword wide\r\n        $m1 = \"TCPx86.dll\" fullword wide ascii\r\n        $m2 = \"aria-body\" nocase wide ascii\r\n    condition:\r\n        uint16(0) == 0x5A4D and\r\n        filesize < 450000 and\r\n        (2 of ($a*) and 1 of ($m*))\r\n}\r\nrule apt_ZZ_Naikon_codebase : Naikon\r\n{\r\n    meta:\r\n        report = \"Naikon New AR Backdoor Deployment to Southeast Asia\"\r\n        description = \"Naikon typo\"\r\n        author = \"Kaspersky\"\r\n        copyright = \"Kaspersky\"\r\n        version = \"1.0\"\r\n        date = \"2018-06-28\"\r\n        last_modified = \"2018-06-28\"\r\n    strings:\r\n        $a1 = \"Create Directroy [%s] Failed:%d\" wide\r\n    condition:\r\n        uint16(0) == 0x5A4D and\r\n        filesize < 450000 and\r\n        $a1\r\n}\r\nSource: https://securelist.com/naikons-aria/96899/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/naikons-aria/96899/"
	],
	"report_names": [
		"96899"
	],
	"threat_actors": [
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32",
			"created_at": "2023-04-20T02:01:50.979595Z",
			"updated_at": "2026-04-10T02:00:02.913011Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"BRONZE STERLING",
				"G0013",
				"PLA Unit 78020",
				"OVERRIDE PANDA",
				"Camerashy",
				"BRONZE GENEVA",
				"G0019",
				"Naikon"
			],
			"source_name": "MISPGALAXY:Naikon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf",
			"created_at": "2022-10-25T15:50:23.31611Z",
			"updated_at": "2026-04-10T02:00:05.370146Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"Naikon"
			],
			"source_name": "MITRE:Naikon",
			"tools": [
				"ftp",
				"netsh",
				"WinMM",
				"Systeminfo",
				"RainyDay",
				"RARSTONE",
				"HDoor",
				"Sys10",
				"SslMM",
				"PsExec",
				"Tasklist",
				"Aria-body"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62",
			"created_at": "2025-08-07T02:03:24.604463Z",
			"updated_at": "2026-04-10T02:00:03.798481Z",
			"deleted_at": null,
			"main_name": "BRONZE GENEVA",
			"aliases": [
				"APT30 ",
				"BRONZE STERLING ",
				"CTG-5326 ",
				"Naikon ",
				"Override Panda ",
				"RADIUM ",
				"Raspberry Typhoon"
			],
			"source_name": "Secureworks:BRONZE GENEVA",
			"tools": [
				"Lecna Downloader",
				"Nebulae",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434757,
	"ts_updated_at": 1775792147,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b37df41129549e854cb0c2a9e091471c7fe6bf0.pdf",
		"text": "https://archive.orkl.eu/2b37df41129549e854cb0c2a9e091471c7fe6bf0.txt",
		"img": "https://archive.orkl.eu/2b37df41129549e854cb0c2a9e091471c7fe6bf0.jpg"
	}
}