{
	"id": "6721fd03-f5f4-404b-a1e9-1c69d46e44e3",
	"created_at": "2026-04-06T00:13:47.804828Z",
	"updated_at": "2026-04-10T13:11:59.555292Z",
	"deleted_at": null,
	"sha1_hash": "310856318c4f249d442148bbae27e1ccc9995691",
	"title": "Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 615883,
	"plain_text": "Chinese Actors Use ‘3102’ Malware in Attacks on US Government\r\nand EU Media\r\nBy Robert Falcone, Jen Miller-Osborn\r\nPublished: 2015-09-23 · Archived: 2026-04-05 19:44:50 UTC\r\nOn May 6 and May 11, 2015, Unit 42 observed two targeted attacks, the first against the U.S. government and the\r\nsecond on a European media company. Threat actors delivered the same document via spear-phishing emails to\r\nboth organizations. The actors weaponized the delivery document to install a variant of the ‘9002’ Trojan called\r\n‘3102’ that heavily relies on plugins to provide functionality needed by the actors to carry out their objectives.\r\nThe 3102 payload used in this attack also appears to be related to the Evilgrab payload delivered in the watering\r\nhole attack hosted on the President of Myanmar’s website in May 2015. Additionally, we uncovered ties between\r\nthe C2 infrastructure and individuals in China active in online hacking forums that claim to work in Trojan\r\ndevelopment.\r\nPalo Alto Networks WildFire detected the payload delivered in these spear-phishing attacks as malicious, and the\r\npayload was also tagged in Palo Alto Networks AutoFocus as 9002.\r\nUPDATE 9/24/2015: The Palo Alto Networks platform detects the 3102 malware with its spyware\r\nsignature 9002.RAT.Gen Command And Control Traffic (ID# 14359).\r\nDelivery Document\r\nThe delivery document attached to the two spear-phishing attacks was an Excel document that exploits CVE-2012-0158, specifically exploiting a vulnerability in the MSComctlLib.TreeView ActiveX control. The malicious\r\nExcel document had a filename of 電郵名單.xls, which translates from Chinese to “email list.xls”. Upon\r\nsuccessful exploitation, the malicious Excel document installs a payload and opens a decoy document. 
The decoy\r\ndocument displays a list of names and email addresses of individuals allegedly associated with the Hong Kong\r\nProfessional Teachers' Union.\r\n9002 Trojan: 3102 Variant\r\nThe threat actors weaponized the malicious Excel spreadsheet to extract and execute an initial payload, which is a\r\ndropper with a filename DW20.dll that we track as DoWork. This DoWork variant writes a second sample to the\r\n%TEMP% folder with a temporary filename and executes it.\r\nhttps://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/\r\nPage 1 of 10\n\nFigure 1. Malware Execution Flow\r\nThe second payload extracts shellcode from a resource named “RES” and decrypts it by subjecting the resource to\r\nthe RC4 algorithm twice, first using a key of “Oq9n01Ca9g” and then using the key “12345678”. The shellcode\r\nthen installs the actual payload of this attack by saving the 3102 payload to “C:\\Program Files\\Common\r\nFiles\\ODBC\\Mshype.dll” and adding persistence via a registry key “HKCU\\Software\\TransPan\\RunPath”. The\r\nsecond payload is also responsible for writing the 3102 Trojan’s 504-byte configuration to the registry, specifically\r\nin the key “HKCU\\Software\\TransPan\\mshtm”.\r\nThe actors use a clever anti-analysis trick that stores the configuration in the registry, as the 3102 sample does not\r\ncontain the configuration itself and relies on the second payload mentioned above to be operational. The second\r\npayload deletes itself from the system after it executes, suggesting that the malware authors added the\r\nconfiguration saving functionality in the second payload to thwart researchers seeking to extract C2 information\r\nfrom the 3102 sample itself.\r\nThe functional payload uses the string “3102” as the first four bytes of its network communications with its C2\r\nserver, which is the basis for the name ‘3102’. 
In May 2014, Cylance published an article on a targeted attack\r\nagainst a Chinese national that delivered the 3102 variant of 9002. When comparing the attacks, we found the\r\nfollowing commonalities:\r\n1. Same Mshype.dll filename and file system path for the payload.\r\n2. Mshype.dll is signed using the same digital certificate belonging to A’digm, Inc.\r\n3. Shares the same registry key for persistence:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\KB923561: \"rundll32.exe \"C:\\Program\r\nFiles\\Common Files\\ODBC\\Mshype.dll\",Process32First\".\r\n4. The dropper creates the same registry key: HKCU\\Software\\TransPan\\RunPath: \"rundll32.exe \"C:\\Program\r\nFiles\\Common Files\\ODBC\\Mshype.dll\",Process32First\".\r\n5. Saves its configuration to the same registry key: HKCU\\Software\\TransPan\\mshtm\r\n6. Uses the same key logging plugin.\r\n7. Shares common C2 communication protocols.\r\nWhile similarities exist to the payload discussed in Cylance’s article, it is worth exploring some specific attributes\r\nand behaviors of the 3102 payload used in the May 2015 attacks on the U.S. government and the European media\r\norganization to gain a better understanding of the threat actors involved.\r\nThis 3102 payload saves the configuration seen in Figure 2 to the registry. The C2 domain\r\n“ericgoodman.serveblog[.]net” exists within this configuration; however, the configuration also contains the\r\ndomain “fordnsdynamic.no-ip[.]org” that does not appear to be used anywhere within the Trojan’s code.\r\nFigure 2. 3102 Configuration Saved to the Registry\r\nThe Trojan also contains several debug messages that reference the domain “www.aestheticismwoods[.]com”,\r\nwhich is a C2 domain referenced in the Cylance article. 
This 3102 sample never communicates with this domain,\r\nsuggesting that the malware author did not remove debugging messages introduced in previous samples of 3102\r\nwhen compiling the particular sample used in these attacks. The unnecessary inclusion of these two domains\r\nsuggests that the author of this 3102 sample is rather sloppy with code changes and lacks a sense of operational\r\nsecurity.\r\nC2 Communication\r\nTo interact with compromised systems, the actors rely on the 3102 Trojan to communicate with its C2 server using\r\none of two different communication methods. The Trojan’s primary method involves using a custom protocol that\r\nhas a static string of “3102” as the first four bytes of each transmission and uses LZO to compress its data. Each\r\ntransmission contains the size of the LZO compressed data immediately after the “3102” string, followed by the\r\nlength of the decompressed data, and finally the compressed data itself. Figure 3 shows a sample of the custom\r\nprotocol beacon sent from the 3102 variant and the response received from its C2 server.\r\nFigure 3. Custom Protocol Used by 3102 to Communicate with C2 server\r\nThe second method 3102 used for C2 communications employs basic HTTP POST requests. Figure 4 shows an\r\nexample HTTP request sent from the 3102 Trojan to its C2 server. The URL within the POST request is a\r\nhexadecimal value that increments with each request. The content in the HTTP POST, specifically the “AA”\r\nstring, the content-length of 2 and the user-agent of “lynx” are hardcoded into the 3102 Trojan.\r\nFigure 4. 
HTTP POST Request Created by 3102\r\nOnce communications are established between the 3102 Trojan and its C2 server, the threat actors can interact\r\nwith the compromised system and act on their objectives.\r\nCapabilities and Plugins\r\nThe 3102 Trojan by itself does not contain much in the form of functional capabilities; rather, it is a modular\r\nTrojan that requires external plugins to provide capabilities. Therefore, the threat actors must provide plugins in\r\nthe form of dynamic link libraries (DLL) that the Trojan will load manually. The author of 3102 chose to manually\r\nload the libraries in an attempt to evade antivirus engines that scan libraries loaded using the conventional\r\nLoadLibraryA and LoadLibraryW API functions.\r\nDuring these two attacks, the actors used two different methods to load plugins in the 3102 Trojan. A third method\r\nexisted in the code base, but was unused. We will discuss the three loading techniques and the plugins that the\r\nactors loaded onto compromised systems.\r\nEmbedded Plugins\r\n3102 can load embedded plugins by manually loading a DLL that exists within the Trojan without saving the\r\nplugin to the file system. The sample used in the attacks described in this article contained only one plugin with\r\nthe filename of “KeyLogger.dll.” We obtained the filename “KeyLogger.dll” from the ‘OriginalFilename’ field in\r\nthe VERSIONINFO resource of the DLL. As this filename suggests, this plugin provides key logging\r\nfunctionality for the 3102 Trojan by monitoring keystrokes and logging them to a file named “temp_k.ax”. The\r\nkeylogger also encrypts the logged keystrokes saved to temp_k.ax by using an XOR algorithm with 0x56 as the\r\nkey.\r\nPlugins over the Wire\r\n3102 can also load plugins provided directly from the C2 server. 
This method manually loads a DLL from the\r\nnetwork communications without saving the DLL to the disk, making it difficult for antivirus products to detect its\r\nmalicious functionality. After manually loading the plugins, 3102 will run the plugin by calling the function\r\n“CreatePluginObj” within the plugin’s export address table (EAT).\r\nDuring analysis of the attacks, we observed the threat actor sending three different plugins to the 3102 Trojan\r\nfrom the C2 server. The 3102 Trojan loaded these plugins, which allowed the actor to use the added functionality\r\nto interact with the compromised system. The plugins are not saved to disk, so we extracted and decompressed\r\neach plugin from a packet capture and obtained their filenames from the ‘OriginalFilename’ field in the\r\nVERSIONINFO resource of the DLL.\r\nThe first plugin has a filename of “DownFileS.dll” and enables 3102 to carry out file system activities, such as\r\nreading, writing and searching for files, as well as enumerating storage devices and volumes. The second plugin is\r\ncalled “FileManagerS.dll” and has a great deal of functionality overlap with the DownFileS.dll plugin, but it\r\ncontains the added ability to remove folders and execute files. The third and final plugin provided by the C2 server\r\nis called “ScreenSpyS.dll” and allows for screen capture and lets the operator interact with the system by\r\nsending key strokes, mouse movements and mouse clicks.\r\nPlugins from the File System\r\nLastly, 3102 can manually load plugins directly from a file named “temp_plugin.ax”. This plugin loading method\r\nallows the Trojan to save plugins to disk so they persist across system reboots. 
The “temp_plugin.ax” file can contain\r\nmultiple plugins, as 3102 will read the entire temp_plugin.ax file and parse its contents for plugins stored in the\r\nfollowing structure:\r\nOffset Description\r\n0-1 Single byte XOR key\r\n4-8 Length of cipher text\r\n8 Filename of plugin in unicode\r\n528 Beginning of cipher text\r\nWe did not observe the threat actors using this method in this attack; however, it is possible that the threat actors\r\ncould use the “DownFileS.dll” or “FileManagerS.dll” plugins obtained from the C2 to install plugins that use this\r\nloading method.\r\nConnection to Watering Hole Attack and Chinese Threat Actors\r\nAs previously mentioned, the malware author signed the 3102 sample delivered in the attacks discussed in this\r\narticle using a digital certificate issued to A'digm, Inc. The same digital certificate was used to sign a separate\r\n9002 malware sample, which also shared the C2 domain “dns.mailpseonfz[.]com” with a second 9002 sample\r\nthat was not signed with the A’digm Inc. certificate. The unsigned 9002 sample was also configured to use the\r\ndomain “dns.websecexp[.]com” as an additional C2 server. This domain was the C2 server used by the Evilgrab\r\npayload delivered in the watering hole attack on the President of Myanmar’s website that we discussed in a blog\r\npost on June 11, 2015. Figure 5 shows the relationship between the spear-phishing and watering hole attacks.\r\nFigure 5. 
Link Between Samples Signed by A'digm, Inc Certificate and the Watering Hole on President of\r\nMyanmar's Website\r\nWhile it should be noted that dissimilar groups can sign their Trojans using the same digital certificate, we believe\r\nthat the same threat group is likely involved with both the spear-phishing attacks discussed in this article and the\r\nwatering hole attacks hosted on the President of Myanmar’s website. We believe this because a common malware\r\nauthor appears to be involved: the compile times for the 3102 sample (2014-02-28 07:40:37 UTC) and the\r\n9002 sample signed by A'digm, Inc. (2014-02-28 08:07:48 UTC) were less than half an hour apart.\r\nAdditionally, we have not found many other malware samples signed with this certificate, indicating it is not in\r\nwidespread use.\r\nWhile researching the mailpseonfz[.]com and websecexp[.]com domains that created the correlation between the\r\nwatering hole and spear-phishing attacks, we noticed that these two domains had historic registrant email\r\naddresses that were also used in online forums, primarily in Chinese, discussing hacking, Trojan development, and\r\nwebsite defacements. The domain websecexp[.]com was originally registered in 2013 with the email\r\n‘bychinahacker@gmail.com’. It has since been updated, but the domain has been actor controlled the entire time.\r\nResearch on this email shows it has been tied to multiple website defacements and is also used as a contact email\r\nwithin multiple Chinese hacking forums as well as for a company located in Guangzhou.\r\nFigure 6. Screenshot of one of the website defacements.\r\nFor a brief period in late 2011 and early 2012, the registrant email for mailpseonfz[.]com was\r\n‘bubai2012@163[.]com’. 
The domain was under actor control the entire time, but currently has the registrant\r\ninformation hidden using a registrant protection service. When researching the registrant email we found ties to a\r\nChinese forum advertising for a Software Security Engineer position in Shanghai in 2007. One responder\r\nrequested to be contacted at that email address and said he or she worked in “Trojan testing.”\r\nConclusion\r\nUnit 42 detected a cyber espionage group attacking the U.S. government and a European media organization\r\nwithin days of each other using a spear-phishing attack to deliver a variant of the 9002 Trojan called 3102. During\r\nthe attack, the threat actor provided the 3102 Trojan with three plugins, which allowed the actors to interact with a\r\ncompromised system’s file system, log keystrokes and perform screen-capturing activities.\r\nThe threat actors signed the 3102 payload with a digital certificate that was also used to sign a 9002 sample that\r\nhas ties to the Evilgrab payload delivered by the watering hole hosted on the President of Myanmar’s website.\r\nBecause that certificate doesn’t seem to be in widespread use and the samples were compiled within thirty minutes\r\nof each other, we believe the same threat group conducted both of these attacks. The threat group uses both spear-phishing and watering hole attack vectors, along with different families of malware to target individuals and\r\ngroups of interest. However, while they use different attack vectors and malware, this threat group also seems to\r\nreuse significant portions of their infrastructure between attacks, which aids in detection and proactive\r\nmitigation.\r\nResearch on registrant information used to set up infrastructure for these attacks led to ties within the hacking\r\ncommunity in China, indicating the threat group behind this activity is likely Chinese-based. 
Interestingly, the tie\r\nto a private Chinese company further indicates they are likely being hired as contractors, in contrast to threat\r\ngroups like APT1 that are associated with the Chinese military.\r\nThe files used in this attack are properly classified as malicious by WildFire. Users of Palo Alto Networks Traps\r\nadvanced endpoint protection are protected from exploitation of the CVE-2012-0158 vulnerability if they have not\r\nbeen able to patch their systems. AutoFocus users can find more information on samples and indicators related to\r\nthis attack by viewing the 9002 tag.\r\nFiles\r\nFilename SHA256\r\n電郵名單.xls 6ec4ec93409227e225d1d9fcf23ac3b73bbcf534e38628ca51e161efa1239f29\r\nDW20.dll dd7bb7544d27114a3ac7c95302c215c1bbd4ddf7bcd8c5fdc3df1c9935c60359\r\n%TEMP%\\\u003ctemporary filename\u003e.tmp 6f1b5f73bf33112737418b52b2f2de4e10747d979789531f8992691dda6a0dbb\r\nMshype.dll 4a4f4a1a0db0d8b169c214d495049dc7bc1a55d011c0db3ad2aea0e2587afab6\r\n3102 Plugins\r\nFilename SHA256\r\nKeyLogger.dll 2656335c9faf75a29d47002f3a54c503cbeee419fa841de0d8f9a3d4dee19c89\r\nDownFileS.dll bcba4361ba4d0344bb0ed1080fa2fcd3dbdf7e1e91b4d1c85ff8e7091de24ef7\r\nFileManagerS.dll 7db917f8fdd62f321e7547d9bea572670051c44080b1df91f69fad9894fd4fff\r\nScreenSpyS.dll 084f01caf66abfd1f0f3669edfba9e07ea0b436820180d2af066d91642a79794\r\nIndicators\r\nType Value\r\nMutex DATA_RUN_MYWAY\r\nCertificate A'digm, Inc.\r\nDomain ericgoodman.serveblog[.]net\r\nRegistry Key HKCU\\Software\\TransPan\\mshtm\r\nRegistry Key HKCU\\Software\\TransPan\\RunPath\r\nDomain dns.websecexp[.]com\r\nDomain dns.mailpseonfz[.]com\r\nRegistrant Email bychinahacker@gmail[.]com\r\nRegistrant Email bubai2012@163[.]com\r\nFilename temp_k.ax\r\nFilename temp_plugin.ax\r\nSource: https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/"
	],
	"report_names": [
		"chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media"
	],
	"threat_actors": [
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434427,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/310856318c4f249d442148bbae27e1ccc9995691.pdf",
		"text": "https://archive.orkl.eu/310856318c4f249d442148bbae27e1ccc9995691.txt",
		"img": "https://archive.orkl.eu/310856318c4f249d442148bbae27e1ccc9995691.jpg"
	}
}