{
	"id": "3fe95445-2f7d-44ec-951f-9babb26e4dbd",
	"created_at": "2026-04-06T00:06:18.558238Z",
	"updated_at": "2026-04-10T13:12:54.351302Z",
	"deleted_at": null,
	"sha1_hash": "3357eab141359b8f253e39c38da102ca81f52fc4",
	"title": "Backdoored client from Mongolian CA MonPass",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2564153,
	"plain_text": "Backdoored client from Mongolian CA MonPass\r\nBy Threat Research TeamThreat Research Team\r\nArchived: 2026-04-05 13:13:44 UTC\r\nIntroduction\r\nWe discovered an installer downloaded from the official website of MonPass , a major certification authority (CA)\r\nin Mongolia in East Asia that was backdoored with Cobalt Strike binaries. We immediately notified MonPass on\r\n22 April 2021 of our findings and encouraged them to address their compromised server and notify those who\r\ndownloaded the backdoored client.\r\nWe have confirmed with MonPass that they have taken steps to address these issues and are now presenting our\r\nanalysis.\r\nOur analysis beginning in April 2021 indicates that a public web server hosted by MonPass was breached\r\npotentially eight separate times: we found eight different webshells and backdoors on this server. We also found\r\nthat the MonPass client available for download from 8 February 2021 until 3 March 2021 was backdoored. \r\nThis research provides analysis of relevant backdoored installers and other samples that we found occurring in the\r\nwild. Also during our investigation we observed relevant research from NTT Ltd so some technical details or IoCs\r\nmay overlap.\r\nAll the samples are highly similar and share the same pdb path:\r\nC:\\Users\\test\\Desktop\\fishmaster\\x64\\Release\\fishmaster.pdb and the string: Bidenhappyhappyhappy .\r\nFigure 1: Pdb path and specific string\r\nTechnical details\r\nThe malicious installer is an unsigned PE file. It starts by downloading the legitimate version of the installer from\r\nthe MonPass official website. This legitimate version is dropped to the C:\\Users\\Public\\ folder and executed\r\nunder a new process. 
This guarantees that the installer behaves as expected, meaning that a regular user is unlikely to notice anything suspicious.\r\nAdditional similar installers were also found in the wild, with SHA256 hashes:\r\ne2596f015378234d9308549f08bcdca8eadbf69e488355cddc9c2425f77b7535\r\nand f21a9c69bfca6f0633ba1e669e5cf86bd8fc55b2529cd9\r\nhttps://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass\r\nPage 1 of 7\n\nFigure 2: This image is not as innocent as it may seem.\r\nThe attackers decided to use steganography to transfer shellcode to their victims. On execution, the malware downloads a bitmap image file from http://download.google-images[.]ml:8880/download/37.bmp, as shown in Figure 2.\r\nThe download is performed slightly unusually, in two HTTP requests. The first request uses the HEAD method to retrieve the Content-Length, followed by a second GET request to actually download the image. After the picture is downloaded, the malware extracts the encrypted payload as follows. The hidden data is expected to be up to 0x76C bytes. Starting with the 3rd byte of the image data, it copies every 4th byte. The resulting data represents an ASCII string of hexadecimal characters, which is later decoded into the respective binary values. These bytes are then XOR decrypted using the hardcoded key miat_mg, resulting in a Cobalt Strike beacon.\r\nWe have seen multiple versions of this backdoored installer, each with slightly modified decryptors.\r\nIn version f21a9c69bfca6f0633ba1e669e5cf86bd8fc55b2529cd9b064ff9e2e129525e8 the XOR decryption was stripped.\r\nIn version e2596f015378234d9308549f08bcdca8eadbf69e488355cddc9c2425f77b7535 the basic anti-analysis tricks were stripped. 
In Figure 3, you can see different timestamps and the same rich headers.\r\nFigure 3: Timestamps\r\nFigure 4: Rich header\r\nIn the backdoored installer we also observed some basic anti-analysis techniques used in an attempt to avoid detection. In particular, we observed checks for the number of processors using the GetSystemInfo function, the amount of physical memory using the GlobalMemoryStatusEx function and the disk capacity using the IOCTL_DISK_GET_DRIVE_GEOMETRY IOCTL call. If any of the obtained values are suspiciously low, the malware terminates immediately.\r\nFigure 5: Anti-analysis techniques employed by the malware\r\nFigure 6: Anti-analysis technique testing for disk capacity\r\nOne of the samples (9834945A07CF20A0BE1D70A8F7C2AA8A90E625FA86E744E539B5FE3676EF14A9) used a different known technique to execute shellcode. First it is decoded from a list of UUIDs with the UuidFromStringA API, then it is executed using EnumSystemLanguageGroupsA.\r\nFigure 7: Decoding list from UUIDs and executing shellcode\r\nAfter we found a backdoored installer at one of our customers, we commenced hunting for additional samples in VT and in our user base to determine whether there were more backdoored installers in the wild. In VT we found some interesting hits:\r\nFigure 8: VT hit\r\nWe analyzed the sample and found that it was very similar to the infected installers found at our customers. The sample contained anti-analysis techniques and the same XOR decryption, and also contained a similar C2 server address (hxxp://download.google-images.ml:8880/download/x37.bmp) as observed in previous backdoored installers. 
The sample also contained references to the link hxxps://webplus-cn-hongkong-s-5faf81e0d937f14c9ddbe5a0.oss-cn-hongkong.aliyuncs[.]com/Silverlight_ins.exe and the file path C:\\users\\public\\Silverlight_ins.exe; however, these did not appear to be in use. The sample name, Browser_plugin (8).exe, is also unusual; we speculate that this may be a test sample uploaded by the actor.\r\nIn VT we saw another hash (4a43fa8a3305c2a17f6a383fb68f02515f589ba112c6e95f570ce421cc690910), again with the name Browser_plugin.exe. According to VT this sample was downloaded from hxxps://jquery-code.ml/Download/Browser_Plugin.exe. It downloaded the PDF file Aili.pdf from hxxp://37.61.205.212:8880/dow/Aili.pdf.\r\nFigure 9: Content of Aili.pdf\r\nAfterwards it has the same functionality as the previously mentioned samples from VT: it downloads and decrypts a Cobalt Strike beacon from hxxp://micsoftin.us:2086/dow/83.bmp.\r\nIn our database we again found a similar sample, this time with the name Browser_plugin (1).exe. This sample was downloaded from hxxp://37.61.205.212:8880/download/Browers_plugin.exe; we saw it on Feb 4, 2021. It doesn't install any legitimate software; it just shows a MessageBox. It contains the C\u0026C address hxxp://download.google-images.ml:8880/downloa/37.bmp (note the typo in the directory name: downloa).\r\nCompromised Web server content\r\nOn the breached web server, from which the backdoored installer could be downloaded, we found two executables: DNS.exe (456b69628caa3edf828f4ba987223812cbe5bbf91e6bbf167e21bef25de7c9d2) and again Browser_plugin.exe (5cebdb91c7fc3abac1248deea6ed6b87fde621d0d407923de7e1365ce13d6dbe).\r\nDNS.exe\r\nIt downloads a bat file from the C\u0026C server (hxxp://download.google-images.ml:8880/download/DNSs.bat), which is saved as C:\\users\\public\\DNS.bat. 
It contains this script:\r\nFigure 10: DNS.bat script\r\nIn its second part, the sample contains similar functionality and the same C\u0026C server address as the backdoored installer mentioned earlier.\r\nBrowser_plugin.exe (5cebdb91c7fc3abac1248deea6ed6b87fde621d0d407923de7e1365ce13d6dbe)\r\nThis sample is very similar to 4a43fa8a3305c2a17f6a383fb68f02515f589ba112c6e95f570ce421cc690910, with the same C\u0026C server address, but it doesn't download any additional document.\r\nC\u0026C server analysis\r\nWe checked the malicious web server hxxps://jquery-code.ml, from which Browser_plugin.exe (4A43FA8A3305C2A17F6A383FB68F02515F589BA112C6E95F570CE421CC690910) was downloaded. The malicious web server looks identical to the legitimate one, https://code.jquery.com/; the difference is the certificate. The legitimate server https://code.jquery.com is signed by Sectigo Limited, while the malicious server is signed by Cloudflare, Inc.\r\nFigure 11: Comparing two sites\r\nConclusion\r\nThis blog post outlines our findings regarding the MonPass client backdoored with Cobalt Strike.\r\nIn our research we found additional variants on VirusTotal in addition to those we found on the compromised MonPass web server.\r\nIn our analysis of the compromised client and variants, we've shown that the malware was using steganography to conceal the Cobalt Strike beacon it then decrypts.\r\nAt this time, we're not able to attribute these attacks with an appropriate level of confidence. 
However, it's clear that the attackers intended to spread malware to users in Mongolia by compromising a trustworthy source, which in this case is a CA in Mongolia.\r\nMost importantly, anyone who downloaded the MonPass client between 8 February 2021 and 3 March 2021 should take steps to look for and remove the client and the backdoor it installed.\r\nI would like to thank Jan Rubín for helping me with this research.\r\nTimeline of communication:\r\nMarch 24, 2021 – Discovered backdoored installer\r\nApril 8, 2021 – Initial contact with MonPass through MN CERT/CC providing findings.\r\nApril 20, 2021 – MonPass shared a forensic image of an infected web server with Avast Threat Labs.\r\nApril 22, 2021 – Avast provided information about the incident and findings from the forensic image in a call with MonPass and MN CERT/CC.\r\nMay 3, 2021 – Avast followed up with MonPass by email. No response.\r\nMay 10, 2021 – Avast sent an additional follow-up email.\r\nJune 4, 2021 – MonPass replied asking for information already provided on April 22, 2021.\r\nJune 14, 2021 – Follow-up from Avast to MonPass, no response.\r\nJune 29, 2021 – Final email to MonPass indicating our plans to publish, with a draft of the blog for feedback.\r\nJune 29, 2021 – Information from MonPass indicating they've resolved the issues and notified affected customers.\r\nJuly 1, 2021 – Blog published.\r\nIndicators of Compromise (IoC)\r\nRepository: https://github.com/avast/ioc/tree/master/MpIncident\r\nList of SHA-256: https://github.com/avast/ioc/blob/master/MpIncident/samples.sha256\r\nTimeline of compilation timestamps:\r\nSource: https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass"
	],
	"report_names": [
		"backdoored-client-from-mongolian-ca-monpass"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433978,
	"ts_updated_at": 1775826774,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3357eab141359b8f253e39c38da102ca81f52fc4.pdf",
		"text": "https://archive.orkl.eu/3357eab141359b8f253e39c38da102ca81f52fc4.txt",
		"img": "https://archive.orkl.eu/3357eab141359b8f253e39c38da102ca81f52fc4.jpg"
	}
}