{
	"id": "282dea08-9d12-45e3-bd46-68d610bfff1b",
	"created_at": "2026-04-06T00:17:25.176515Z",
	"updated_at": "2026-04-10T03:37:50.788588Z",
	"deleted_at": null,
	"sha1_hash": "33582aa7dd0215ceaa6e4b80718d6e07f388423d",
	"title": "Pawn Storm’s Lack of Sophistication as a Strategy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 137437,
	"plain_text": "Pawn Storm’s Lack of Sophistication as a Strategy\r\nBy: Feike Hacquebord, Lord Alfred Remorin Dec 17, 2020 Read time: 6 min (1678 words)\r\nPublished: 2020-12-17 · Archived: 2026-04-05 12:53:44 UTC\r\nA defender who finds a simple remote access trojan (RAT) in the network won’t immediately think it was from an advanced\r\npersistent threat (APT) actor. Likewise, brute force attacks on internet-facing services like email, Microsoft Autodiscover,\r\nSMB, LDAP, and SQL are so common that they may seem like background noise that can be ignored. But in 2020, the\r\nnotorious APT actor Pawn Storm used exactly these non-sophisticated attack methods to such an extent that their attacks\r\nmay get lost in the noise.\r\nIn 2020 Pawn Storm spread simple Google Drive and IMAP Remote Access Trojans (RATs) to attack their usual targets,\r\nsuch as ministries of foreign affairs, embassies, the defense industry and the military. The RATs were also sent to a wider net\r\nof targets including various industries around the world. The group also performed widespread brute force attacks to steal\r\ncredentials such as those of corporate email accounts, as evidenced by network probes we attribute to Pawn Storm and the\r\nloose way the actor abused compromised email accounts in malware and in sending spear-phishing emails. Pawn Storm\r\neven hardcoded compromised military and government-related email addresses in their IMAP RAT malware to\r\ncommunicate with victims’ computers. Recently, Norwegian authorities announced that Pawn Storm hacked the Norwegian\r\nparliament through brute force attacks.\r\nThe incremental improvements in subsequent versions of the malware hint at a learning curve on the part of the malware\r\nauthor that is more typical of an inexperienced actor than of an advanced one. First, the RATs were so simple that they\r\ndid not even take into account international keyboards. 
This means it would be difficult for the attacker to enumerate the\r\nvictims’ hard drives with files and folders that contain international characters. This mistake was corrected swiftly, but it\r\nshows the relative inexperience of this particular Pawn Storm operator. Later versions of the RAT malware started to use\r\nencryption, which could have been added right from the start. The only secondary payload we observed was a simple\r\nkeylogger that stores stolen information locally on the victims’ machines.\r\nAttribution to Pawn Storm of these malware samples would be difficult with only the samples at hand. Typically, a network\r\ndefender would not attribute this kind of malware to an APT actor at all. However, we have solid attribution for these\r\nsamples based on our long-term monitoring of Pawn Storm’s activities.\r\nRecap of recent Pawn Storm activities\r\nCompromising accounts of users from the Middle East\r\nTrend Micro has been closely and consistently monitoring the activities of Pawn Storm, and in March 2020, we released our\r\nlatest research on the group. In the aforementioned research paper, we shared that Pawn Storm heavily abuses compromised\r\naccounts — mainly in the Middle East — to send spear-phishing emails. The abuse of compromised email accounts in the\r\nMiddle East continued in 2020. For example, in early December 2020 the group used a VPN service to connect to a\r\ncompromised cloud server, then used the cloud server to connect to a commercial business email service provider. The group\r\nthen logged in to a compromised email account of a chicken farm in Oman, and then sent out credential phishing spam\r\nmessages to high-profile targets around the world. This shows that Pawn Storm is careful about obfuscating their tracks on\r\nmultiple levels.\r\nThe abuse of various compromised email accounts in the Middle East started in May 2019 and continues today. 
Since\r\nAugust 2020, they have used these email addresses not only to send spear-phishing emails, but also as a way for their\r\nIMAP RATs to communicate with compromised systems.\r\nBrute force attacks\r\nWe think that Pawn Storm compromises lots of email accounts through brute force attacks on internet-facing services like\r\nemail, LDAP, Microsoft Autodiscover, SMB, and SQL. For example, in May 2020, Pawn Storm scanned IP addresses\r\nworldwide, including IP addresses from the defense industry in Europe, on TCP port 445 and 1433, likely in an attempt to\r\nfind vulnerable SMB and SQL servers or brute force credentials. In August 2020, Pawn Storm also sent UDP probes to\r\nLDAP servers around the world from one of their dedicated IP addresses.\r\nIn 2020, Pawn Storm often tried to obfuscate these brute force attempts by routing their attack traffic over Tor and VPN\r\nservers. Yet this is not always enough to hide these activities. In a Microsoft article about brute-forcing Office365 credentials\r\nover Tor, Microsoft attributed the activities to Strontium, which is another name for Pawn Storm. We wrote about related\r\nattacks in early 2020. These brute force attacks started in 2019, and we could firmly attribute them to Pawn Storm\r\nbecause we could cross-relate the extensive probing of Microsoft Autodiscover servers around the world with high-confidence indicators of the group’s more traditional attack methods (spear phishing and credential phishing).\r\nTo illustrate the simplicity of the malware in Pawn Storm’s recent spear-phishing attacks, we describe one example below:\r\nhttps://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html\r\nPage 1 of 5\n\nTechnical analysis of Google Drive RAT\r\nStarting from August 2020, Pawn Storm has sent several spear phishing emails with a malicious RAR attachment. Among\r\nthe earliest samples we received were two almost identical RAR files that contained a file called info.exe. 
Both versions of\r\nthe info.exe files are self-extracting archives (SFX) that extract and execute two files: decrypt.exe and gdrive.exe. We have:\r\nc4a61b581890f575ba0586cf6d7d7d3e0c7603ca40915833d6746326685282b7 installing\r\ndecrypt.exe – 661d4a0d877bac9b813769a85c01bce274a77b29ccbd4b71e5b92df3c425b93b\r\ngdrive.exe – cbd9cb7b69f864ce8bae983ececb7cf8627f9c17fdaba74bd39baa5cdf605f79\r\n3fd45b9b33ff5b6363ba0013178572723b0a912deb8235a951aa3f0aa3142509 installing\r\ndecrypt.exe – 661d4a0d877bac9b813769a85c01bce274a77b29ccbd4b71e5b92df3c425b93b\r\ngdrive.exe – 2060f1e108f5feb5790320c38931e3dc6c7224edf925bf6f1840351578bbf9cc\r\nDecoy File\r\nWe noticed that the file decrypt.exe is a decoy file that will run once info.exe is executed. The application will only show a\r\nmessage box wherein a user can type a password for decryption. Checking the disassembly of this file reveals that it only\r\nshows another message box when a password is entered in the main application.\r\nFigures 2-3. The message box that decrypt.exe displays\r\nAfter closing this application, the file gdrive.exe will be executed by the SFX archive. The different versions of gdrive.exe\r\nare almost identical, with one minor addition in the file\r\n2060f1e108f5feb5790320c38931e3dc6c7224edf925bf6f1840351578bbf9cc: the victim’s id is base64-encoded.\r\nFigure 4. Drive.exe code snippet showing comp_id\r\nFigure 5. Drive.exe code snippet showing comp_id and base64 encoding\r\nInitial Run\r\nThe first thing this malware does is copy itself to the startup directory for persistence. 
It does this via cmd.exe with the\r\nfollowing command:\r\nmove /Y \"{malware_location}\" \"C:\\Users\\{username}\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\gdrive.exe\"\r\nEvery time the malware runs a command using cmd.exe, the standard output (STDOUT) of the executed command is piped\r\nand written to a Google Drive account with the following filename format:\r\n{utcnow}_report_{victim’s id}\r\nFigure 6. Code snippet showing the execution of commands\r\nThe client key and token used to read and write the attacker’s Google Drive account are hardcoded in the malware itself.\r\nFigures 7-8. Code snippets showing client key and token\r\nSending back the information through Google Drive allows the attacker to check whether the machine that executed the\r\nmalware was the intended victim.\r\nReceiving commands and data exfiltration\r\nEvery 20 minutes, the bot checks for a file in Google Drive. If a file with the corresponding filename format exists\r\n(cmd_{victim’s id}), it downloads that file and runs the contents as a batch file.\r\nFigure 9. Code snippets showing waiting for commands\r\nAgain, the STDOUT of the commands is written back to Google Drive as a result. This works as a reverse shell back to\r\nthe attacker with Google Drive as the Command and Control (C\u0026C) server.\r\nThe command file that the bot received from Google Drive is also deleted once it is downloaded.\r\nFigure 10. Code snippets showing readFile\r\nUsing the “reverse shell” method mentioned above, the attacker can exfiltrate data/documents using the following\r\ncommands:\r\npowershell -command \"[Convert]::ToBase64String([IO.File]::ReadAllBytes('(unknown)')\r\nFigure 11. 
Code snippets showing the exfiltration of data\r\nThe secondary payload with the filename Google Drivemonitor.exe\r\n(0b94e123f6586967819fa247cdd58779b1120ef93fa1ea1de70dffc898054a09) is a keylogger. The collected keystrokes are\r\nstored in the same directory from which the malware was executed.\r\nFigure 12. Code snippets showing keylogs\r\nThis secondary payload does not have any function to upload the collected keystrokes back to the attacker. However, since\r\nthe main malware acts as a “reverse shell,” the attacker can retrieve the collected keystrokes at a later time.\r\nEventually, the threat actor added improvements to the malware, like encryption. Later the actor started to use IMAP RATs\r\nas well.\r\nTrend Micro solutions\r\nTrend Micro recommends Trend Micro™ XDR for extensive monitoring across the connected layers of email, endpoints,\r\ncloud workloads, and networks. Powered by advanced AI and expert security analytics for correlating data, XDR allows\r\nearlier detection and response and lessens alert fatigue for IT security teams.\r\nWe also offer Trend Micro Managed XDR, a 24/7 service that harnesses the skills of our expert Managed Detection and\r\nResponse analysts for expert threat monitoring, correlation, and analysis.\r\nIndicators of compromise\r\nIP addresses\r\nIP address | Description | Dates active\r\n34.243.239[.]199 | Connects to email servers of compromised accounts. IP address possibly compromised by Pawn Storm. | October 29, 2020 – December 8, 2020\r\n74.208.228[.]186 | Connects to email servers of compromised accounts. IP address possibly compromised by Pawn Storm. | October 15, 2020 – December 14, 2020\r\n193.56.28[.]25 | Scans TCP port 445 and 1433 | May 21 – May 26, 2020\r\n195.191.235[.]155 | Scans UDP port 389 | August 22, 2020\r\nFiles\r\nSHA256 Filename Description Trend Micro Pattern Detection",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html"
	],
	"report_names": [
		"pawn-storm-lack-of-sophistication-as-a-strategy.html"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434645,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/33582aa7dd0215ceaa6e4b80718d6e07f388423d.pdf",
		"text": "https://archive.orkl.eu/33582aa7dd0215ceaa6e4b80718d6e07f388423d.txt",
		"img": "https://archive.orkl.eu/33582aa7dd0215ceaa6e4b80718d6e07f388423d.jpg"
	}
}