{
	"id": "911b2c28-bd89-4d92-bef9-ffd9dff29a2b",
	"created_at": "2026-04-06T00:16:28.716147Z",
	"updated_at": "2026-04-10T13:12:45.019992Z",
	"deleted_at": null,
	"sha1_hash": "3511ed8e0361cffbc7f4e0ce68c2be056ed667a9",
	"title": "Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 737473,
	"plain_text": "Trochilus and New MoonWind RATs Used In Attack Against Thai\r\nOrganizations\r\nBy Jen Miller-Osborn, Josh Grunzweig\r\nPublished: 2017-03-30 · Archived: 2026-04-05 14:14:17 UTC\r\nFrom September 2016 through late November 2016, a threat actor group used both the Trochilus RAT and a newly\r\nidenfied RAT we’ve named MoonWind to target organizations in Thailand, including a utility organization. We\r\nchose the name ‘MoonWind’ based on debugging strings we saw within the samples, as well as the compiler used\r\nto generate the samples. The attackers compromised two legitimate Thai websites to host the malware, which is a\r\ntactic this group has used in the past. Both the Trochilus and MoonWind RATs were hosted on the same\r\ncompromised sites and used to target the same organization at the same time. The attackers used different\r\ncommand and control servers (C2s) for each malware family, a tactic we believe was meant to thwart attempts to\r\ntie the attacks together using infrastructure alone. The compromised websites are the site for a group of\r\ninformation technology companies in Thailand, and all the tools were stored in the same directory.\r\nWe were also able to find a post-compromise tool along with the two RATs, which afforeded us insight into one of\r\nthe tools the attackers used once they gained a foothold inside an organization. In addition to Trochilus and\r\nMoonWind we found Mimikatz, a popular credential harvesting tool.\r\nFurther research led us to additional MoonWind samples using the same C2 (dns[.] webswindows [.]com) but\r\nhosted on a different compromised but legitimate website.  The attacks in that case took place in late September to\r\nearly October 2016 and the attackers stored the MoonWind samples as RAR files, while in the November attacks\r\nthe RATs were stored as executables. 
We were not able to find additional tools, but the attackers again\r\ncompromised a legitimate Thai website to host their malware, in this case the student portal for a Thai University.\r\nMoonWind Analysis\r\nThe MoonWind sample used for this analysis was compiled with a Chinese compiler known as BlackMoon, the\r\nsame compiler used for the BlackMoon banking Trojan. While a number of attributes match the BlackMoon\r\nbanking Trojan, the malware is not the same. Both malware families were simply compiled using the same\r\ncompiler, and it was the BlackMoon artifacts that resulted in the naming of the BlackMoon banking Trojan. But\r\nbecause this new sample is different from the BlackMoon banking Trojan, we have named it MoonWind, by\r\ncombining the BlackMoon compiler artifacts with the embedded string below:\r\nE:\\StarWind\\FW__Project_RTPD-PIBICs\\Table.ini\r\nWhen MoonWind first runs, it will copy itself to one of the following locations with a filename of ‘svcohos.exe’:\r\nC:\\Documents and Settings\\All Users\\Ufyaginptxb\\\r\nC:\\Users\\All Users\\\r\nC:\\PorgramData\\\r\nhttp://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/\r\nPage 1 of 10\r\nC:\\Program Files\\Common Files\\\r\nIt then executes a new instance of itself in a new process. It also removes the original file via the following\r\ncommand, which is executed from a batch script named ‘date.bat’:\r\ncmd /c timeout /t 6 \u0026 del \"C:\\ProgramData\\Ufyaginptxb\\svcohost.exe\" \u0026 del date.bat\r\nDuring this routine, a randomly generated victim identifier is created and written to a file named ‘micr.ini’.\r\nThis file is located in the same path as the malware. The following contents represent an example of a victim ID\r\ncontained in this file:\r\nDuring the install routine, the malware also sets up a timer that executes a file named ‘sevrsvos.exe’. 
This\r\nsample (815df680be80b26b5dff0bcaf73f7495b9cae5e3ad3acb7348be188af3e75201) acts as a runtime persistence\r\nmechanism. It installs itself as a service with the following properties:\r\nService Name: Windows  Ejlptxtxbfjn Rvzd\r\nDisplay Name: Windows  Ejlptxtxbfjn Rvzd\r\nDescription: Windows  Ejlptxtxbfjn Rvzd Hlptxbfjnr\r\nStartup Type: Automatic\r\nThis service serves the single purpose of checking every 60 seconds whether the ‘svcohos.exe’ process is running. If not,\r\nthe service spawns a new instance of it. In doing so, this secondary malware sample acts both as a runtime\r\npersistence mechanism and as a persistence mechanism across reboots.\r\nAfter installation, a keylogging routine begins. The malware writes keystrokes and window information to a\r\nfile in the present working directory with the following filename:\r\njop[year][month][day][hour][minute][seconds].zip\r\nAdditionally, it writes a ‘win.ini’ file that contains the file path above.\r\nThe malware proceeds to collect the following victim information:\r\nHostname\r\nUsername\r\nWindows version\r\nIP address\r\nCurrent time\r\nRAM amount\r\nNumber of total drives\r\nNumber of removable drives\r\nUnique victim identifier\r\nAfter this information is aggregated, MoonWind enters its command and control loop and begins reaching out to\r\nthe servers and ports specified in the configuration embedded in the svcohos.exe file. The following remote hosts\r\nwere specified in this particular sample:\r\ndns.webswindows[.]com|80\r\ndns.webswindows[.]com|443\r\ndns.webswindows[.]com|53\r\ndns.webswindows[.]com|8080\r\nWhile the ports associated with this sample’s configuration normally pertain to HTTP, HTTPS, or DNS, network\r\ncommunication takes place via raw sockets. 
The malware first receives data, which has the format\r\nshown in Figure 1:\r\nFigure 1 C2 to MoonWind communication\r\nDigging into the packet further, we can break out the individual pieces, as seen in Figure 2:\r\nFigure 2 MoonWind network communication packet format\r\nThe encrypted data portion is encrypted via RC4 with the following static key:\r\nHHSADh!@#$YUAGEWYGhjfsjd5465fsaQWAFGDA/jfdafdjhhasgfh==\r\nIn the above example, the encrypted data decrypts to ‘\\x20\\x20\\x20\\x20\\x20\\x20’, or six spaces. This particular\r\ncommand requests that the malware send the previously collected victim information.\r\nThe data returned by MoonWind has the same format; however, it uses the following static key for encryption\r\ninstead:\r\nSSHqWSSAFdhjklfahj!@##4*\u0026\u0026!!HQ12785452!@!!11!!\r\nAn example of such data returned by the malware can be seen in Figure 3.\r\nFigure 3 MoonWind to C2 communication\r\nWhen decrypted, we see the data shown in Figure 4. Note that the first six bytes contain the return command\r\n(‘WYR002’), followed by the payload. The payload contains the information previously discussed, delimited by ‘*/*’.\r\nCertain variables, such as ‘cdg’ and ‘ip’, are hardcoded. We also see what is most likely a malware versioning\r\nstring at the end (V2.1). This string is also hardcoded in the sample.\r\nFigure 4 Decrypted data sent by MoonWind\r\nIn total, MoonWind has 73 possible commands that it can accept. We have not yet fully researched all of the\r\ncommands, but the majority of them have been identified, as can be seen in the Appendix.\r\nConclusion\r\nTrochilus was first reported by Arbor Networks in their Seven Pointed Dagger report, tying its use to other targeted\r\nSoutheast Asia activity. The activity dates to at least 2013 and has ties to multiple reports by other researchers. 
It is\r\nhighly likely MoonWind is yet another new tool being used by the group or groups responsible for that activity,\r\nindicating they are not only still active but continuing to evolve their playbook.\r\nPalo Alto Networks customers are protected from this threat in the following ways:\r\nThe malware discussed in this report is blocked by WildFire and Traps\r\nThe domain names included in this report are blocked by Threat Prevention\r\nAutoFocus subscribers can investigate the activities further with the following tags:\r\nTrochilus\r\nMoonWind\r\nAppendix\r\nMoonWind Commands\r\nCommand | Description | Response Command | Notes\r\n\\x20\\x20\\x20\\x20\\x20\\x20 | Returns collected victim information. | WYR002\r\nWYR002 | Null command. | None\r\nWYR003 | Spawns message box that allows victim to send a message. | WYR003\r\nWYR005 | Modifies services. | WYR005 | Subcommands of either 'fuwu' (create service), 'exit' (stop service), 'stop' (pause service), 'reun' (continue service), or 'yrun' (start service)\r\nWYR006 | Returns a list of running processes. | WYR006\r\nWYR007 | Kills specified process. | None\r\nqdcmdl | Spawns an interactive shell. | cmdok1\r\nWYR009 | Send command to interactive shell and receive results. | WYRCCC\r\nWYR010 | Terminates interactive shell. | None\r\nWYR011 | Get size of disks. | WYR011\r\nWYR012 | Returns space of given directory. | WYR012\r\nWYR013 | Return a directory listing of specified directory (C:\\ default). | WYR013\r\nWYR014 | Execute specified command. | None\r\nWYR015 | Open specified command with ShellExecuteA. | None\r\nWYR016 | Open specified command with ShellExecuteA (Hidden). | None\r\nWYR018 | Perform directory listing with file attributes. | WYR018\r\nxiazai | Read contents of file specified. | wrdown\r\ncxqdcx | Restart MoonWind. | None | Uses %TEMP%/restart.bat to perform restart.\r\npingmu | Return screen resolution. | pmgksj\r\nqdkzpm | Unknown.\r\njixujj | Unknown.\r\nsbkzxx | Performs various mouse actions. | None | Subcommands of either 'sj' (double left-click), 'yk' (move to position and right-up), 'zk' (move to position and right-down), 'zx' (move to position and left-up), or 'yd' (move to position and left-down)\r\nxhpmkz | Unknown.\r\naxjpsj | Submits keyboard inputs. | None\r\nksjljp | Starts keylogging functionality. | None\r\ntzjljp | Stops keylogging functionality. | None\r\nhqjljp | Return keylogging data. | jpjlhq\r\nscjpjl | Deletes the keylogging file. | None\r\nxzcxzs | Uninstalls malware. | None | Uses ‘x.bat’ to accomplish uninstall. Written to present working directory (PWD) of malware.\r\nhttpxx | Unknown.\r\nzaicif | Unknown.\r\nxiaokl | Unknown.\r\njuxuxi | Null command. | None\r\nshangc | Unknown.\r\necscwj | Unknown.\r\nscwjwb | Unknown.\r\nscmlcj | Creates specified directory. | mlwzcj\r\nycxiaz | Unknown.\r\nzcycxz | Unknown.\r\nycxjml | Creates specified directory. | None\r\nxjwjcj | Writes specified file with provided contents. | None | Command format is ‘[filename]|[data]’.\r\nshanwj | Deletes specified file. | None\r\nshanml | Removes specified directory. | None\r\ngengmj | Moves specified file. | None | Command format is ‘[src]|^|[dst]’.\r\nycgwjj | Sets hidden attribute on specified file. | None\r\ncopywj | Copies specified file. | copyok | Command format is ‘[src]^|^[dst]’.\r\nfzmlwj | Copies specified directory. | copyok | Command format is ‘[src]^|^[dst]’.\r\nsdxtcs | Unknown.\r\nqypxxl | Get disk space of specified drive. | qdypxx\r\nscdqwj | Unknown.\r\nwyycwj | Unknown.\r\nxzwcsc | Unknown.\r\nxzwcyx | Executes specified command within batch script. | None | Uses ‘boot.bat’ to accomplish uninstall. Written to PWD of malware.\r\ndwjjxc | Unknown.\r\ndwjcwj | Unknown.\r\ndqscds | Returns filesize of specified file. | qcwjcd\r\nsjkqzd | Unknown.\r\nsswjsj | Finds specified file and returns results including attributes. | wjsswb\r\ndwjsjx | Unknown.\r\nxzbwza | Unknown.\r\nhqurl1 | Returns C2 configuration of MoonWind. | qcsxdz\r\nghsxip | Writes data to win.dll and loads it. | sdczip\r\nkhljcg | Unknown.\r\ndqyxml | Unknown.\r\ngxycwj | Unknown.\r\ngxwjbc | Unknown.\r\ngxwjok | Unknown.\r\nfxgxcs | Unknown.\r\ngxwjsy | Open specified command with ShellExecuteA. | None\r\ngxyxcx | Unknown.\r\nbddkzf | Unknown.\r\nscwjdx | Unknown.\r\nxzwjdx\r\nIndicators of Compromise\r\nMoonWind\r\nfd4856f2ec676f273ff71e1b0a1729cf6251c82780fc9e7d628deca690b02928\r\nce3da112e68e00621920911b1f9c72d7175894901173e703a44ac3700e4d427c\r\ne31679b82be58ace96b1d9fdfc2b62b6e91d371ed93957e0764cd7c464b04b9d\r\nf2589745671949422b19beec0856ca8b9608c02d5df4402f92c0dcc9d403010b\r\nMoonWind Persistence Mechanism\r\n815df680be80b26b5dff0bcaf73f7495b9cae5e3ad3acb7348be188af3e75201\r\nTrochilus\r\n59f8a31d66f053f1efcc8d7c7ebb209a8c12233423cc2dc3673373dde9b3a149\r\nwebswindows[.]com\r\n192.225.226[.]195\r\nSource: http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/"
	],
	"report_names": [
		"unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations"
	],
	"threat_actors": [],
	"ts_created_at": 1775434588,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3511ed8e0361cffbc7f4e0ce68c2be056ed667a9.pdf",
		"text": "https://archive.orkl.eu/3511ed8e0361cffbc7f4e0ce68c2be056ed667a9.txt",
		"img": "https://archive.orkl.eu/3511ed8e0361cffbc7f4e0ce68c2be056ed667a9.jpg"
	}
}