{
	"id": "470909f6-49f2-485c-a9ec-69d5a76f5128",
	"created_at": "2026-04-06T00:14:51.035514Z",
	"updated_at": "2026-04-10T03:37:20.365451Z",
	"deleted_at": null,
	"sha1_hash": "2b937ce63eb3fdfbcb00703d7c16999c58fac19a",
	"title": "APT-K-47 Organization Launches Espionage Attacks Using a New Trojan Tool",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2471573,
	"plain_text": "APT-K-47 Organization Launches Espionage Attacks Using a New\r\nTrojan Tool\r\nBy Knownsec 404 team\r\nPublished: 2024-02-06 · Archived: 2026-04-05 19:40:24 UTC\r\nAuthor: K\u0026XWS@Knownsec 404 Advanced Threat Intelligence Team\r\nChinese version: https://paper.seebug.org/3115/\r\n1 Summary\r\nAPT-K-47, also known as Mysterious Elephant, is an APT organization whose activity details were first disclosed\r\nby Knownsec 404 Advanced Threat Intelligence Team. In-depth analysis of APT-K-47’s techniques, tactics, tools,\r\nand operational objectives reveals shadows of several other APT groups in South Asia, including but not limited to\r\nSidewinder,Confucius and Bitter.\r\nAPT-K-47’s technical and tactical approaches are largely similar to other South Asian groups, primarily revolving\r\naround social engineering. Phishing attacks are initiated by delivering bait based on current events, with initial\r\nattack vectors often exploiting vulnerabilities in CHM files, document vulnerabilities (such as CVE-2017–11882),\r\nand WinRAR software vulnerabilities. According to our continuous monitoring data, the targets of this\r\norganization include Russia, Pakistan, Bangladesh and the United States.\r\nIn August 2023, Knownsec 404 Advanced Threat Intelligence Team disclosed the attack tool ORPCBackdoor\r\nfrom the emerging APT organization APT-K-47 originating from South Asia. Since then, the team has been\r\nclosely monitoring the activities of this organization. Recently, we detected a new wave of APT-K-47’s attack\r\nactivities and uncovered some previously undisclosed attack weapons. The core tool of this organization remains\r\nORPCBackdoor. In this latest attack, the organization utilized a yet-to-be-disclosed Trojan tool to successfully\r\ninfiltrate systems.\r\nSubsequently, they downloaded ORPCBackdoor and other malicious payloads, conducted disk directory traversal,\r\nand exfiltrated target files to C2. 
Additionally, the organization stole password information from the target\r\ncomputer browsers and transmitted it back. In the following sections, we will elaborate on the details of the\r\nfindings from this tracking operation.\r\n2 Attack Details\r\nThe recent discovery of attack activities involves the utilization of undisclosed Trojan programs (Trojan 1, named\r\nWalkerShell due to its inclusion of the specific string “walker”, and Trojan 2 named Nimbo-C2). Upon analysis, it\r\nwas found that the attackers downloaded a total of three different malicious payloads, including ORPCBackdoor, a\r\nTrojan specifically designed to steal Chrome browser password records (named DemoTrySpy), and a backdoor\r\nprogram for downloading and executing shellcode (named NixBackdoor). The overall attack chain is depicted in\r\nFigure 1.\r\nFigure 1: Overall Attack Chain\r\nIn this batch of attack activities, we have identified two primary attack paths employed by the attackers:\r\n1. The attackers implant the Nimbo-C2 Trojan on a compromised machine and then use PowerShell to download\r\nthe DemoTrySpy tool. This tool is responsible for stealing browser passwords, packaging them into local files, and\r\nthen transmitting these files back to a dedicated server for file exfiltration.\r\n2. On another compromised machine, the attacker implants the WalkerShell trojan, which traverses the disk and\r\nuploads files of interest to a dedicated file storage server. Simultaneously, the attackers use PowerShell to\r\ndownload the DemoTrySpy tool for stealing usernames and passwords from the browser. 
Additionally, they use\r\nPowerShell to download and execute ORPCBackdoor, thereby achieving long-term remote control of the\r\ncompromised machine.\r\nBelow, we will conduct a detailed analysis of the attack weapons involved in the figure.\r\n2.1 Description of WalkerShell\r\nWalkerShell is a malicious program written in C#. When executed, it first uses the polor function to obtain the\r\nhostname and username of the target host, as illustrated in Figure 2 below.\r\nFigure 2: Execution Process of WalkerShell\r\nThe primary function of the polor function is to execute the command passed in through parameter 1 using cmd\r\nand return the final result via parameter 2, as detailed in Figure 3 below.\r\nFigure 3: polor Function\r\nUltimately, the program appends the `~walker` string to the collected information, adds an Author field in the\r\nheader, and writes the processed data into this field to transmit the gathered data back. 
It extracts the value of the\r\n`Cmn` field from the header returned by the server and returns it, as depicted in Figure 4 below.\r\nFigure 4: Processing and Returning Data\r\nThe data returned from the server is presented in Table 1 as follows:\r\nTable 1: List of WalkerShell Commands and Functional Descriptions\r\nIf the returned data is a cmd command, the format of the transmitted data is:\r\n`[username] +“ ”+ [pcname] + “~endow~$[command]$”`, as shown in Figure 5.\r\nFigure 5: Format of Transmitted Data\r\n2.2 Description of DemoTrySpy\r\nDemoTrySpy is named for its pdb path containing DemoTry and its main function of data exfiltration, as shown in\r\nFigure 6.\r\nFigure 6: DemoTrySpy Path\r\nIn the export table of DemoTrySpy, we found a partial code implementation of the open-source project cJSON.\r\nThis code snippet is integrated into the malicious program and is intended for subsequent parsing of JSON format\r\ndata contained in the Local State of Chrome browser user data, as detailed in Figure 7.\r\nFigure 7: Detailed Content\r\nUpon execution, the program will set its window to a hidden state, as shown in Figure 8.\r\nFigure 8: Setting Itself to Hidden\r\nNext, the program will create `C:\\Users\\Public\\Documents\\tmpA10.tmp` and write hardcoded data headers into it,\r\nas shown in Figures 9 and 10.\r\nFigure 9: Creating tmpA10.tmp 
File\r\nFigure 10: Writing hardcoded data headers into Header\r\nThe program attempts to retrieve the storage directory for Chrome browser user information. If Chrome browser is\r\nnot present on the current host, it skips the subsequent logic, as shown in Figure 11.\r\nFigure 11: Attempt to Retrieve User Information Storage Directory\r\nIf Chrome browser exists, the program will copy the data from Local State to\r\n`C:\\Users\\Public\\Documents\\loc.tmp`, as shown in Figure 12.\r\nFigure 12: Copy Data\r\nThe program then copies the data from the Login Data to the file `C:\\Users\\Public\\Documents\\log.tmp`, as shown\r\nin Figure 13.\r\nFigure 13: Copy Data\r\nThe subsequent main logic involves the program retrieving the `encrypted_key` from Login data and decrypting\r\nthe key using DPAPI, as shown in Figure 14.\r\nFigure 14: Obtaining the encrypted_key\r\nThen, the program connects to the Login Data file using sqlite3 (the file is a sqlite3 database file) to retrieve the\r\nvalues of the password, username_value, and url fields. It decrypts the data using the decrypted key obtained\r\nearlier, as shown in Figure 15.\r\nFigure 15: Decrypting Data\r\nThe decrypted data is eventually written into the tmpA10.tmp file, with the data format illustrated in Figure 16.\r\nFigure 16: Writing Data\r\nDemoTrySpy does not have its own functionality to transmit the gathered information. 
Attackers will utilize\r\nWalkerShell to transmit tmpA10.tmp, for instance, using commands like type or curl post, as illustrated in Figure\r\n17.\r\nFigure 17: Data Transmission\r\n2.3 NixBackdoor Description\r\nThe naming of NixBackdoor originates from its executable file name, Nix.exe. Due to the simplicity of its overall\r\nfunctionality and small code size, without any other special strings, it is named accordingly. When executed,\r\nNixBackdoor creates a new thread, as shown in Figure 18.\r\nFigure 18: Creating a New Thread\r\nThe main function of the thread is to connect to `recentupdate.sytes.net:6364`. Initially, it retrieves the length of the\r\nsubsequent shellcode from the server, followed by fetching the subsequent shellcode, as shown in Figure 19.\r\nFigure 19: Retrieving Shellcode\r\nNixBackdoor modifies the shellcode permissions and then jumps to it to execute, as shown in Figure 20.\r\nFigure 20: Modify shellcode permissions\r\n2.4 ORPCBackdoor Description\r\nDue to the detailed analysis of ORPCBackdoor in the previous article “APT-K-47 ‘Mysterious Elephant’, a new\r\nAPT organization in South Asia,” further elaboration on it will be omitted in this instance.\r\n2.5 NimBo-C2 Description\r\nNimBo-C2 is an open-source project available on GitHub. It is a lightweight and straightforward command and\r\ncontrol (C2) framework. The server-side is written in Python, while the client-side is written in Nim and supports\r\nboth Windows and Linux operating systems. 
NimBo-C2 enables a wide range of remote control functionalities, as\r\ndepicted in Figure 21.\r\nFigure 21: NimBo-C2 Project\r\n3 Summary\r\nIn this analysis, we identified the attack activities of the APT-K-47 organization, which differ significantly from the\r\npreviously exposed attacks using ORPCBackdoor. In the 2023 attacks, the organization deployed ORPCBackdoor\r\nby sending phishing emails containing malicious CHM attachments. However, in this latest attack, they opted for\r\nWalkerShell as the initial intrusion vector to download ORPCBackdoor. Additionally, we observed that the\r\norganization conducted several other attack activities during the same period. Further details of these findings will\r\nbe shared in subsequent analysis reports.\r\n4 IOC\r\n**HASH:**\r\nb087a214fb40e9f8e7b21a8f36cabd53fee32f79a01d05d31476e249b6f472ca DemoTrySpy\r\n74ba5883d989566a94e7c6c217b17102f054ffbe98bc9c878a7f700f9809e910 ORPCBackdoor\r\nc4817f3c3777b063f0adbc1c8e4671da533f716bab7ad2c4b9bc87295df67334 nimbo-c2\r\n85a6ac13510983b3a29ccb2527679d91c86c1f91fdfee68913bc5d3d01eeda2b walkershell\r\n**C\u0026C:**\r\noutlook-web.ddns[.]net ORPCBackdoor C2\r\nSource: https://medium.com/@knownsec404team/apt-k-47-organization-launches-espionage-attacks-using-a-new-trojan-tool-5e7eccfdce2f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@knownsec404team/apt-k-47-organization-launches-espionage-attacks-using-a-new-trojan-tool-5e7eccfdce2f"
	],
	"report_names": [
		"apt-k-47-organization-launches-espionage-attacks-using-a-new-trojan-tool-5e7eccfdce2f"
	],
	"threat_actors": [
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8",
			"created_at": "2022-10-25T16:07:23.482856Z",
			"updated_at": "2026-04-10T02:00:04.627414Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"G0142"
			],
			"source_name": "ETDA:Confucius",
			"tools": [
				"ApacheStealer",
				"ByeByeShell",
				"ChatSpy",
				"Confucius",
				"MY24",
				"Sneepy",
				"remote-access-c3",
				"sctrls",
				"sip_telephone",
				"swissknife2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f5339d7c-473e-4b49-b44c-189b4f72b585",
			"created_at": "2024-12-28T02:01:54.8259Z",
			"updated_at": "2026-04-10T02:00:04.778045Z",
			"deleted_at": null,
			"main_name": "Mysterious Elephant",
			"aliases": [
				"APT-K-47"
			],
			"source_name": "ETDA:Mysterious Elephant",
			"tools": [
				"ORPCBackdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c",
			"created_at": "2022-10-25T15:50:23.472432Z",
			"updated_at": "2026-04-10T02:00:05.352882Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"Confucius",
				"Confucius APT"
			],
			"source_name": "MITRE:Confucius",
			"tools": [
				"WarzoneRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434491,
	"ts_updated_at": 1775792240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b937ce63eb3fdfbcb00703d7c16999c58fac19a.pdf",
		"text": "https://archive.orkl.eu/2b937ce63eb3fdfbcb00703d7c16999c58fac19a.txt",
		"img": "https://archive.orkl.eu/2b937ce63eb3fdfbcb00703d7c16999c58fac19a.jpg"
	}
}