{
	"id": "1ad5515c-8f89-450a-b4a4-2323399ccbb2",
	"created_at": "2026-04-06T00:16:35.231347Z",
	"updated_at": "2026-04-10T13:12:11.656416Z",
	"deleted_at": null,
	"sha1_hash": "2fec8fc3e8b6c2fad752121e356b5268355474f5",
	"title": "Emissary Panda DLL Backdoor – One Night in Norfolk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1241251,
	"plain_text": "Emissary Panda DLL Backdoor – One Night in Norfolk\r\nPublished: 2019-07-21 · Archived: 2026-04-05 17:12:27 UTC\r\nLast month’s post on this blog examined a backdoor previously thought to be associated with Emissary Panda\r\n(APT27). Recent reporting has instead shown that the HTTP listener examined is likely affiliated with Turla. That\r\npost has been updated with the corresponding corrections.\r\nThis post is a granular examination of a payload alluded to in a Palo Alto report that is tied to Emissary Panda\r\nwith much higher confidence. While the payload wasn’t available for analysis in that report, VirusTotal pivoting at\r\nthe time produced the matching file.\r\nFilename: PYTHON33.hlp\r\nMD5: 19c46d01685c463f21ef200e81cb1cf1\r\nSHA1: ac4a264a76ba22e21876f7233cbdbe3e89b6fe9d\r\nSHA256: 3e21e7ea119a7d461c3e47f50164451f73d5237f24208432f50e025e1760d428\r\nThis file is expected to be part of a DLL side-loading chain that involves a component of the legitimate Sublime\r\ntext editor (plugin_host.exe, also available on VirusTotal: f0b05f101da059a6666ad579a035d7b6) and a malicious\r\nDLL that this file will sideload:\r\nFilename: PYTHON33.dll\r\nMD5: bc1305a6ca71d8bdb3961bfd4e2b3565\r\nSHA1: f189d63bae50fc7c6194395b2389f9c2a453312e\r\nSHA256: 2dde8881cd9b43633d69dfa60f23713d7375913845ac3fe9b4d8a618660c4528\r\nPreparation\r\nIf all three of these files are placed in the same folder with the correct filenames, plugin_host.exe will sideload\r\nPYTHON33.dll, which will decrypt and decompress the PYTHON33.hlp file into a DLL. 
The workflow for this is\r\nsimilar to (but not identical to) previous reporting from NCC group regarding an earlier version of this malware.\r\nThis post will thus not go into detail regarding this process, but makes the following recommendation for\r\nanalyzing these components:\r\n1) Patch the PYTHON33.hlp file (which is a block of shellcode) by prepending an infinite loop (EB FE) to the file\r\nvia a hex editor\r\n2) Run plugin_host.exe normally (i.e. not in a debugger). This will sideload the DLL and load the shellcode, but\r\nwill hold it in an infinite loop without executing any commands\r\n3) Attach a debugger (e.g. x96dbg) to this running process and step through until the payload is decoded in\r\nmemory, as you would any other shellcode sample. In this case, a good breakpoint to set would be at the entry\r\nto “CommandLineToArgvW”\r\nhttps://norfolkinfosec.com/emissary-panda-dll-backdoor/\r\nPage 1 of 14\n\nThe breakpoint in step 3 wouldn’t be obvious during the initial examination of this file, but this blog mentions it\r\nhere as a shortcut to facilitate analysis of this file. The DLL can also be dumped at this stage for concurrent static\r\nanalysis in IDA.\r\nPayload\r\nThe Palo Alto report mentions similarities between the loading and decrypting process for this file and the loading\r\nand decrypting process for a file previously analyzed (but not provided) by NCC Group. NCC Group provided a\r\nhigh-level overview of that payload’s capabilities. This overview serves as a framework for “what we might be\r\nlooking for;” specifically, NCC group mentions the following:\r\n– An execution workflow determined by the number of specified parameters\r\n– Process injection into svchost\r\n– A series of keys written to the registry in a unique way\r\n– A basic persistence mechanism (HKCU runkey) + service creation\r\nThis offers a big head-start for analysis. First, the malware calls GetCommandLineW followed by\r\nCommandLineToArgvW. 
Per MSDN documentation, this second call “parses a Unicode command line string and\r\nreturns an array of pointers to the command line arguments.” The “number of pointers in this array is indicated by\r\npNumArgs.” The screenshot below shows these two API calls at the top, followed by a comparison between\r\npNumArgs (decreased by 1, for the case statement) and the value “3:”\r\nComparison for number of command line arguments\r\nIf EAX is greater than 3 (i.e. if there are more than three command line arguments), the malware will jump to the\r\ndefault case rather than cases 0-4, will return to the calling function, and will terminate without taking any action.\r\nIf EAX is less than or equal to 3, it will jump into one of the available cases:\r\nCase structure\r\nAs always, right click and open the image in a new tab to enlarge. Additional labeling has been added, including\r\nstring labeling that would be visible during dynamic analysis in a debugger. At this stage, we can begin exploring\r\nthe cases.\r\nCase 0\r\nA good way to explore these cases is to take a snapshot just prior to the EAX comparison, and then set EAX to the\r\nvalue of the case to be examined. In Case 0, the malware:\r\n– Moves a string representing the location of the currently running executable (plugin_host.exe) to EAX\r\n– Moves a string containing “C:\\\\ProgramData\\\\plugin_host\\\\pluginhost.exe” to ECX\r\n– Pushes these two values to the stack\r\n– Uses wsicmp to compare these two values\r\n– Jumps to an “ExitProcess” call if these two values do not match\r\nIf these two values do match, the malware will move to a function call referenced in several locations, labelled in\r\nthe above IDA screenshot as the CreateFileCheck_Inject_Calls. 
As this label would suggest, there are two\r\nprimary subcomponents of this call, labelled below as CreateFileCheck and Process_Injection_Workflow.\r\nSubroutine to launch the file check and process injection workflows\r\nThe CreateFileCheck subroutine will use the PathFileExistsW and CreateFileW APIs to check if the malware can\r\nopen C:\\\\ProgramData\\\\plugin_host\\\\PYTHON33.hlp:\r\nChecking if PYTHON33.hlp is at the correct location\r\nThe next function, not pictured here due to space constraints, will take the following actions:\r\n– Locate and spawn a suspended copy of svchost.exe\r\n– Allocate an executable section of memory\r\n– Write PYTHON33.hlp to this section of memory\r\n– Create and resume a thread at this location\r\nThis is a common workflow for process injection. The parent process will then terminate. Thus, Case 0 can be\r\nsummarized in the following way:\r\n– Ensure that plugin_host.exe is running from the correct directory\r\n– Ensure that PYTHON33.hlp is inside of this directory\r\n– Create a suspended svchost.exe process\r\n– Re-write a copy of the payload into this process\r\n– Terminate\r\nCase 1\r\nCase 1 can be thought of as Case 0 with added contingencies. Case 1 begins with the same string comparison,\r\nensuring that the malware is running from the “C:\\\\ProgramData\\\\plugin_host\\\\” directory. 
If this comparison is\r\nsuccessful, the malware will run the same check for PYTHON33.hlp and process injection routines described in\r\nCase 0, followed by the “core functionality” routine (described later).\r\nUnlike Case 0, if the file is not running from the correct subdirectory in ProgramData, the malware does not\r\nterminate; instead, it performs what is labelled as the “MoveFile_Routine” in the IDA case picture. This\r\nworkflow:\r\n– Moves the necessary components for the malware to run into the ProgramData\\\\plugin_host\\\\ directory\r\n– Executes plugin_host.exe using WMI\r\nCase 1 represents a more flexible workflow for starting the malware for the first time.\r\nWMI Execution Workflow\r\nCase 2\r\nCase 2 contains three parts, in the following order:\r\n– A new call not yet analyzed\r\n– The same CreateFile check and ProcessInjection calls\r\n– The “core functionality” call discussed in Case 3\r\nThe new call is actually fairly simple. This function performs a permissions check, and takes one of two branches\r\ndepending on the permissions available:\r\nBranch to registry workflow (left) or service workflow (right)\r\nWith sufficient privileges, the malware will create a new service named plugin_hostvr874u5Pn pointing at the\r\nplugin_host.exe executable with a start type of “2” (autoload):\r\nService Creation\r\nOtherwise, the malware will create a registry entry under the HKCU CurrentVersion\\Run key named\r\nplugin_hostvr874u5Pn pointing to plugin_host.exe with a parameter of –1. 
The function then returns and the\r\ninjection and core routines are executed.\r\nRegistry Key Creation\r\nCase 3\r\nCase 3 contains a single function, referenced above and by NCC Group’s writeup on an earlier version of this\r\nmalware as the “core functionality” routine. This routine contains the code used for process injection, but more\r\nimportantly is used to:\r\n– Write encrypted configuration values to the Windows Registry\r\n– Perform a workflow for C2 communication\r\nThe workflow for this is shown below, and tracks closely with the previous NCC group reporting:\r\nWorkflow for writing config values to the registry\r\nWriting config value to registry\r\nFollowing this, the malware enters its C2 routine. The malware uses the PolarSSL library to do this, and\r\ncommunicates with 138.68.154[.]133:443.\r\nConcluding Thoughts\r\nHaving looked at each of the cases within the malware, we can compare this sample to the previously reported\r\none, even though that file was never provided.\r\n– The previous reporting described self-termination and WMI execution for Case 0. The WMI functionality\r\nappears to have moved to Case 1, and Case 0 now supports process injection.\r\n– Case 1 now supports moving the files to the appropriate locations if they are not present, executing these files\r\nvia WMI, or performing process injection. 
Previously, the file moving routines were in Case 0.\r\n– Case 2 appears to be largely unchanged.\r\n– Case 3 appears to be largely unchanged.\r\n– There is no “Case 4,” although the malware will treat any number of parameters greater than 3 as a signal to\r\nhead to the “default case.”\r\n– The referenced debugging strings do not appear in this sample.\r\nNCC group previously assessed that the malware might be undergoing active development. Given these findings\r\nfrom a sample a year later, it appears that was the case. There are minor upgrades, cases rearranged, and possibly\r\none case removed. Still, based on the higher-level descriptions in that report and how closely they track with this\r\nmore granular analysis, it would appear that this is the same malware family (with modifications).\r\nSource: https://norfolkinfosec.com/emissary-panda-dll-backdoor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://norfolkinfosec.com/emissary-panda-dll-backdoor/"
	],
	"report_names": [
		"emissary-panda-dll-backdoor"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434595,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2fec8fc3e8b6c2fad752121e356b5268355474f5.pdf",
		"text": "https://archive.orkl.eu/2fec8fc3e8b6c2fad752121e356b5268355474f5.txt",
		"img": "https://archive.orkl.eu/2fec8fc3e8b6c2fad752121e356b5268355474f5.jpg"
	}
}