{
	"id": "75d605bf-6fd9-4263-b5e5-c7393ec4e98b",
	"created_at": "2026-04-06T00:06:54.041557Z",
	"updated_at": "2026-04-10T03:36:06.687785Z",
	"deleted_at": null,
	"sha1_hash": "2dffc3e2cf175bc15ffba805a6e869f40dfd36a1",
	"title": "What happened between the BigBadWolf and the Tiger?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4345396,
	"plain_text": "What happened between the BigBadWolf and the Tiger?\r\nBy asuna amawaka\r\nPublished: 2020-05-20 · Archived: 2026-04-05 17:48:42 UTC\r\nWhile I was doing research for my previous posts, I came across mentions of a trending Chinese-language-based C2-side controller called 大灰狼 (pronounced as Da Hui Lang, which translates literally to Big Gray Wolf). I’m just going to call it BigBadWolf here :) Simply because the name is cute, I picked it up and took a closer look.\r\nTurns out, it is modelled after (or should I say, it’s an edit of) the infamous Gh0stRAT, and samples that are built from the BigBadWolf match Gh0stRAT signatures, as well as this YARA rule [1]:\r\nrule IronTiger_Gh0stRAT_variant\r\n{\r\n    meta:\r\n        author = \"Cyber Safety Solutions, Trend Micro\"\r\n        comment = \"This is a detection for a s.exe variant seen in Op. Iron Tiger\"\r\n    strings:\r\n        $mz = \"MZ\"\r\n        $str1 = \"Game Over Good Luck By Wind\" nocase wide ascii\r\n        $str2 = \"ReleiceName\" nocase wide ascii\r\n        $str3 = \"jingtisanmenxiachuanxiao.vbs\" nocase wide ascii\r\n        $str4 = \"Winds Update\" nocase wide ascii\r\n    condition:\r\n        $mz at 0 and (any of ($str*))\r\n}\r\nThere are plenty of articles and analysis walkthroughs out there on Gh0stRATs, given its very long history. However, I decided to go ahead and further this exploration because I’ve seen this YARA rule hit often enough to wonder whether the samples are really related to Iron Tiger, or whether it could be the case that the strings are no longer unique enough to identify any particular variant.\r\nI’m sure that in your lifetime browsing VirusTotal, you would have come across community comments like this:\r\nhttps://medium.com/insomniacs/what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2\r\nPage 1 of 18\r\nI was not able to get my hands on the exact sample that this rule was based on, but I did find a few other samples that contain those strings, and I picked 3 to do comparisons with binaries generated from the BigBadWolf builder:\r\nBBE7D708310EC7E5F981CE4BA9928A19C4D2169B5520FFA573085F9698F90C25\r\nC02A360C6F64609403B4E4D4FC130014C40EBB77F71DF816C6408851C7C9ED54\r\n9DCDDC7FFCE78526057888B43B57E76BA7F3FED0C13FB4FA4214DCB08412C447\r\nWhile I was preparing this post, I came across a tweet [2] from malwaremustd1e that mentioned a “KuGou” backdoor along with screenshots that looked somewhat like what I observed while exploring BigBadWolf. I added these files as part of my comparison attempts, later in this post.\r\n852FA14860260023289EE6577DBD5E0193DF31DAE5F3C078142D3CAC030C7462 (EXE dropper)\r\n7BAEE22C9834BEF64F0C1B7F5988D9717855942D87C82F019606D07589BC51A9 (DLL RAT)\r\nLet’s get started!\r\nThe Misunderstood Wolf?\r\nMaybe it all started as a tool for education. Really. It even came with a warning against doing evil with this toolkit. Although ticking that checkbox at the bottom of the disclaimer does feel a little like “I solemnly swear I am up to no good”.\r\nThe builder component comes with the standard set of features, e.g. specify the C2 IP address, mutex, name of the service to create for persistence, location to store the malicious binary on disk, and an option to delete the binary after a single run. There seems to be another binary (“1.dll” shown in the screen capture) that needs to be downloaded by the generated binary. Leaving this field blank causes the build to fail. This is quite typical of a Gh0stRAT deployment — a simple dropper/loader and a DLL that contains the main logic of the RAT.\r\nI found a copy of the required DLL file that came within the bundle of C2-side binaries, and it looks to be encoded/encrypted. The last 32 bytes of the file look like a marker of sorts. Make a mental note of this; we’ll see how this is used later.\r\nThe output of the builder is a rather lightweight (9.5KB) EXE file, with almost no strings to analyze. Thankfully, there is still something to hint at “evilness” within this executable — two sets of base64-encoded strings.\r\nThe use of these strings is very quickly found within the binary.\r\nThe first set of strings can be decoded with base64, then ADD 0x7a and finally XOR 0x59. This gives us the address to fetch the DLL that we specified in the builder. ADD and XOR operations are typical encoding seen in Gh0stRAT variants.\r\nThe binary then proceeds to download this DLL and store it in C:\\Program Files\\AppPatch. This path is not configurable within the builder. As said earlier, the DLL is the meat of the RAT — all the EXE does is download it, decrypt it, execute it and load the configuration data into its memory. Speaking of configuration data, that happens to be the second set of encoded strings we saw. The decoding of that set of strings is the responsibility of the DLL. We’ll look at that in a while.\r\nLet’s talk about the DLL. After receiving the DLL, the loader checks for the magic footer before proceeding to decrypt it.\r\nThe decryption algorithm is nothing fanciful, just RC4, where the key is “Kother599”. One more thing that we have to do before we can analyze this DLL with a disassembler: unpack it with ‘upx -d’.\r\nYour big ears are showing, grandma…\r\nThe first thing that the DLL is tasked to do is to decode the configuration data. Most of this configuration data is set in the builder, while some appears to be hardcoded.\r\nThe decoding of the configuration is the same sequence (but using different hex values) seen above: base64, ADD 0x77, XOR 0x56.\r\nThe structure is as such:\r\n[C2 Address][QQ User ID][C2 Port 1][C2 Port 2][RC4 Password][Version][Service Name][Service Display Name][Service Description][Installation Path][Filename][Mutex][Group Option][Additional Download][Installation Type, Logging Options][IP address tool][placeholder string][reverse DNS tool][placeholder strings][QQ profile URL]\r\nNow we come to the interesting part — the callbacks. As we know, Gh0stRATs have their signature 5-byte magic headers (the length varies in some cases, I know), followed by some size information, and finally the Zlib-compressed data. However, I don’t see this structure in the traffic. What I do see is a Zlib header magic 0x78 9C. Let’s see what happened to the first few bytes prior to this Zlib header.\r\nIt’s not hard to identify the part that performs the encryption (RC4 again) of the communicated data. However, the author made a choice not to encrypt the entire data, but only the header portion, consisting of the 5-byte magic, size of entire data, and size of uncompressed payload, a total of 0xD bytes. This is done perhaps in a (futile) attempt to evade standard network signatures used to identify Gh0stRAT communications. However, since the length of the header remains the same after encryption, a slight tweak to such network signatures should suffice. The key used in the encryption is found within the configuration data earlier read by the binary. This key is made up of \u003cuser defined password within builder\u003e appended with \u003cusername used to login to the C2\u003e.\r\nAnd I huff and I puff, to clear the mysterious fog surrounding these samples!\r\nSo what made these samples get flagged with that YARA rule I mentioned in the beginning of this post?\r\nThe presence of this strange VBS name:\r\nWhat does this VBS do? I gave the function some mock data as arguments, and the contents of the VBS are formed as follows. Looks like it is just for creating or manipulating a user account with “net user”. The name of the VBS is not related to its contents. Just for fun, I’m guessing “jingtisanmenxiachuanxiao” is written as 警惕三门峡传销 in Chinese, which literally translates to “Be wary of Sanmenxia MLM”. Strange name to give to a script in any case.\r\nThe exact same function is found in all 4 files I cross-examined.\r\nNow, let’s find out if they are all BigBadWolf related.\r\nThe laziest way to start is to do BinDiff on the 3 files in relation to the DLL related to BigBadWolf. Results from BinDiff: pretty high scores. Not surprising, since they all stemmed from Gh0st code.\r\nSimilarity with C02A360C6F64609403B4E4D4FC130014C40EBB77F71DF816C6408851C7C9ED54\r\nConfidence 0.988735 | Similarity 0.886978\r\nSimilarity with BBE7D708310EC7E5F981CE4BA9928A19C4D2169B5520FFA573085F9698F90C25\r\nConfidence 0.984084 | Similarity 0.767249\r\nSimilarity with 9DCDDC7FFCE78526057888B43B57E76BA7F3FED0C13FB4FA4214DCB08412C447\r\nConfidence 0.988665 | Similarity 0.879644\r\nWhat are the differences then? Looks like all 3 have a different magic header — “KuGou”, while the binary from BigBadWolf has “DHLAQ” as the magic (if you didn’t notice, DHL is the acronym of its Chinese name Da Hui Lang). The size of the RC4-encrypted header also differs.\r\nLeft: from BigBadWolf; Right: from BBE7D708310EC7E5F981CE4BA9928A19C4D2169B5520FFA573085F9698F90C25\r\nAnother obvious difference is that the configuration data is not given as an encoded input, but instead found as plaintext strings handled directly within the functions.\r\nSo, there is another Gh0st variant out there similar to BigBadWolf but yet implemented differently in some ways; let’s call this set “KuGou”.\r\nRemember at the start of this post, I mentioned some KuGou malware tweeted by malwaremustd1e? Let’s see if they are the same as the 3 KuGou binaries we saw above.\r\nThe dropper EXE (SHA256: 852FA14860260023289EE6577DBD5E0193DF31DAE5F3C078142D3CAC030C7462) contains an encoded string that points the binary to download its DLL payload. Familiar, yes?\r\nThe downloaded DLL (SHA256: 7BAEE22C9834BEF64F0C1B7F5988D9717855942D87C82F019606D07589BC51A9) is RC4-decrypted with key “Kother599”. Again, familiar! There’s a slight difference here: the EXE did not verify that the file has a footer signature, e.g. “SSSSSSVID:2014-SV8”, and the DLL does not contain such a footer.\r\nThe next difference lies in the configuration data passed to be decrypted by the DLL. In this binary, the configuration is encrypted with RC4, and not just Base64/ADD/XOR encoded as seen in BigBadWolf’s DLL. The RC4 key used here is “Strong798”. Notice how the structure of the configuration after decryption is identical to what we saw in BigBadWolf. And even that string of Chinese (监测和监视新硬件设备并自动更新设备驱动) used as the Service Description is identical.\r\nSince the configuration data is encrypted in a different manner, there must be another server-side binary responsible for building this sample. To my surprise, the 5-byte magic used in the communications is “DHLAR”. Perhaps this explains the similarities shared with our BigBadWolf sample. Another thing is for sure: this file does not belong to the same set as the 3 “KuGou” binaries we just looked at. If I had to pin a family name to this file, it would be BigBadWolf.\r\nA search on Google pointed me to an Operation PZCHAO report by Bitdefender [3], in which a jingtisanmenxiachuanxiao.vbs of different content is documented. The samples that were described in this report somewhat bear resemblance to what we are seeing in BigBadWolf’s DLL, yet there are differences.\r\nFor example,\r\n“the malware then searches inside its own binary for a string delimiter SSSSSSS, returning a string pointer to the beginning of the encrypted configuration string”\r\nThis is similar to how our sample looks for the marker SSSSSS (note the length here is only 6) to verify that the DLL downloaded is correct before proceeding to decrypt.\r\nAs another example,\r\n“Until it checks in with its C2 controller, the RAT server searches for the encrypted configuration buffer containing the C\u0026Cs that will get decrypted using an AES key derived from a hardcoded string “Mother360””\r\nThe configuration is encoded with base64/ADD/XOR in the BigBadWolf sample instead. Even when encryption is used, the algorithm in place is RC4.\r\nYet, this sample documented by Bitdefender will also match the YARA rule on the “s.exe variant”, based on the presence of the strings within the file. And we now know that it is a different variant from BigBadWolf, and even KuGou.\r\nWhat a dreadful night!\r\nI think you’re lost. Let’s try to summarise all of this information:\r\nAt the end of the day, I think I’ve established (further) that Gh0stRATs have too many variants. The builder that was behind that particular s.exe seen in Operation Iron Tiger has perhaps been referenced/modified/improved, causing other binaries to contain similar keywords but belong to different subvariants of Gh0stRAT that probably have nothing to do with the s.exe and its user (adversary group).\r\nPhew, glad I’ve got all of that information sorted out :)\r\nThat’s it for today!\r\n[1]: Operation Iron Tiger Appendix, TrendLabs Security Intelligence Blog, 2015\r\n[2]: https://twitter.com/malwaremustd1e/status/1262274362872229888\r\n[3]: Operation PZCHAO, Bitdefender, 2017\r\n~~\r\nDrop me a DM if you would like to share findings or samples ;)\r\nSource: https://medium.com/insomniacs/what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/insomniacs/what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2"
	],
	"report_names": [
		"what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2"
	],
	"threat_actors": [
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434014,
	"ts_updated_at": 1775792166,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2dffc3e2cf175bc15ffba805a6e869f40dfd36a1.pdf",
		"text": "https://archive.orkl.eu/2dffc3e2cf175bc15ffba805a6e869f40dfd36a1.txt",
		"img": "https://archive.orkl.eu/2dffc3e2cf175bc15ffba805a6e869f40dfd36a1.jpg"
	}
}