{
	"id": "06a7ff31-0f7e-4399-92c8-090537302494",
	"created_at": "2026-04-06T00:09:22.039267Z",
	"updated_at": "2026-04-10T03:37:22.784548Z",
	"deleted_at": null,
	"sha1_hash": "2d932df3266fe0b9c8114d0ded4a2e6f44d30eec",
	"title": "Hackers use new malware to breach air-gapped devices in Eastern Europe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1972175,
	"plain_text": "Hackers use new malware to breach air-gapped devices in Eastern Europe\r\nBy Bill Toulas\r\nPublished: 2023-08-01 · Archived: 2026-04-05 22:48:20 UTC\r\nChinese state-sponsored hackers have been targeting industrial organizations with new malware that can steal data from air-gapped systems.\r\nAir-gapped systems typically fulfill critical roles and are isolated from the enterprise network and the public internet, either physically or through software and network devices.\r\nResearchers at cybersecurity company Kaspersky discovered the new malware and attributed it to the cyber-espionage group APT31, a.k.a. Zirconium.\r\nAccording to the findings, the hackers used at least 15 distinct implants in attacks in Eastern Europe, each for a distinct stage of the operation, as well as their signature 'FourteenHi' malware family.\r\nMulti-stage attacks\r\nKaspersky says that the attacks started in April last year and involved three separate stages. The implants in the initial phase established persistence and remote access to the compromised systems and collected data useful for reconnaissance.\r\nIn the second stage, APT31 drops more specialized malware that can steal data from isolated (air-gapped) systems using USB propagation.\r\nFinally, in the third stage of the attack, the hackers use implants that can upload the collected data to their command and control (C2) servers.\r\nThe malware that targets isolated systems consists of four modules described below.\r\n1. First module: Profiles removable drives connected to the system, collects files, captures screenshots and window titles, and drops additional payloads on the infected device.\r\n2. Second module: Infects removable drives by copying a legitimate McAfee executable which is vulnerable to DLL hijacking, together with a malicious DLL payload, onto the root directory of the device, and sets them as \"hidden.\" The tool also creates a lure LNK file that triggers the infection if the victim launches it.\r\n3. Third module: Executes a batch script to collect data from the device and save the output to the \"$RECYCLE.BIN\" folder, from where the first module will collect it.\r\n4. Fourth module: Variant of the first module seen in some attacks; acts as a payload dropper, keylogger, screenshot-capturing tool, and file stealer.\r\nInfection route for air-gapped systems (Kaspersky)\r\nIn May 2022, Kaspersky noticed an additional implant used in the APT31 attacks, designed to collect local files from breached systems.\r\nThat implant decrypts and injects its payload into the memory of a legitimate process to evade malware detection, then sleeps for 10 minutes and eventually copies all files that match the file type extensions defined in its configuration.\r\nThe stolen files are archived using WinRAR (if it is not available, the malware exits) and then stored in temporary local folders created by the malware under \"C:\\ProgramData\\NetWorks\\.\" Ultimately, the archives are exfiltrated to Dropbox.\r\nKaspersky underlines that the attacks were stealthy and listed the following tactics, techniques, and procedures (TTPs): DLL order hijacking to load malicious payloads into memory, and hiding payloads in encrypted form in separate binary data files.\r\nThe company provides a technical report that includes additional data such as malware hashes, a full set of indicators of compromise, and details about the activity of the malware from start to finish.\r\nAir-gapped systems are an attractive target for APT groups, who typically turn to USB drives to deliver malware and exfiltrate data from the isolated environment.\r\nSource: https://www.bleepingcomputer.com/news/security/hackers-use-new-malware-to-breach-air-gapped-devices-in-eastern-europe/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/hackers-use-new-malware-to-breach-air-gapped-devices-in-eastern-europe/"
	],
	"report_names": [
		"hackers-use-new-malware-to-breach-air-gapped-devices-in-eastern-europe"
	],
	"threat_actors": [
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dc7ee503-9494-4fb6-a678-440c68fd31d8",
			"created_at": "2022-10-25T16:07:23.349177Z",
			"updated_at": "2026-04-10T02:00:04.552639Z",
			"deleted_at": null,
			"main_name": "APT 31",
			"aliases": [
				"APT 31",
				"Bronze Vinewood",
				"G0128",
				"Judgment Panda",
				"Red Keres",
				"RedBravo",
				"TA412",
				"Violet Typhoon",
				"Zirconium"
			],
			"source_name": "ETDA:APT 31",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"GrewApacha",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Roarur",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434162,
	"ts_updated_at": 1775792242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2d932df3266fe0b9c8114d0ded4a2e6f44d30eec.pdf",
		"text": "https://archive.orkl.eu/2d932df3266fe0b9c8114d0ded4a2e6f44d30eec.txt",
		"img": "https://archive.orkl.eu/2d932df3266fe0b9c8114d0ded4a2e6f44d30eec.jpg"
	}
}