{
	"id": "2dc86869-5371-4a7c-9bf9-2bd20c0deb2b",
	"created_at": "2026-04-06T00:20:13.436662Z",
	"updated_at": "2026-04-10T03:24:54.848871Z",
	"deleted_at": null,
	"sha1_hash": "353a9ace2e6eb3e6668d74cb3d28bc80a147b137",
	"title": "The Siesta Campaign: A New Targeted Attack Awakens",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66354,
	"plain_text": "The Siesta Campaign: A New Targeted Attack Awakens\r\nBy: Trend Micro, Mar 06, 2014. Read time: 3 min (875 words)\r\nPublished: 2014-03-06 · Archived: 2026-04-02 10:36:41 UTC\r\nIn the past few weeks, we have received several reports of targeted attacks that exploited application vulnerabilities to infiltrate a range of organizations. Similar to the Safe Campaign, the campaigns we noted went seemingly unnoticed and under the radar. The attackers orchestrating the campaign we call the Siesta Campaign used multi-component malware to target institutions in the following industries:\r\nConsumer goods and services\r\nEnergy\r\nFinance\r\nHealthcare\r\nMedia and telecommunications\r\nPublic administration\r\nSecurity and defense\r\nTransport and traffic\r\nThreat actors don’t always rely on complex attack vectors to infiltrate an organization’s network. Attackers can also rely on basic social engineering to get their victims to take the bait, as in the case study below.\r\nThe Siesta Campaign: A Case Study\r\nWe are currently investigating an incident in which attackers sent spear-phishing emails addressed to executives of an undisclosed company. These emails were sent from spoofed email addresses of personnel within the organization. Instead of using attachments and document exploits, this campaign served its malware through a legitimate-looking file download link. To lure the target into downloading the file, the attacker serves the archive under a URL path named after the target organization, as cited below:\r\nhttp://{malicious domain}/{organization name}/{legitimate archive name}.zip\r\nThis archive contains an executable (TROJ_SLOTH) disguised as a PDF document. When executed, it drops and opens a valid PDF file, which was most probably taken from the target organization’s website. 
Along with this valid PDF file, another malicious component is dropped and executed in the background. This backdoor component is named google{BLOCKED}.exe. (Due to the ongoing investigation, we are unfortunately unable to share hashes and filenames at this time.) The backdoor connects to http://www.micro{BLOCKED}.com/index.html, which is its command-and-control (C\u0026C) server. Trend Micro identifies these samples as BKDR_SLOTH.B. At this point, the malware begins waiting for additional commands from the attacker. The accepted commands, which are encrypted in transit, are:\r\nsleep: – commands the backdoor to sleep for the specified number of minutes. During our analysis we received “sleep:120”, which makes the malware wait two hours before contacting the C\u0026C server again.\r\ndownload: \u003cdownload_url\u003e – commands the backdoor to download and execute a file (most probably another Win32 executable) from the specified URL.\r\nThe C\u0026C servers used in this campaign were newly registered and short-lived, which made it difficult for us to track the malware's behavior. Based on our research, we found two variants of the malware used in this campaign. Although not exactly alike, their behaviors are nearly identical. One of the similar samples is a file named Questionaire Concerning the Spread of Superbugs February 2014.exe (SHA1: 014542eafb792b98196954373b3fd13e60cb94fe). This sample drops the file UIODsevr.exe, its backdoor component, which behaves similarly to BKDR_SLOTH.B and additionally communicates with a C\u0026C at skys{BLOCKED}com. These samples are identified by Trend Micro as BKDR_SLOTH.A. 
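The command channel above (a backdoor polling an HTML page, pulling out a keyword-tagged command and either sleeping for N minutes or downloading a payload) is easy to triage once you have the page contents. The block below is an added example, not code from the Trend Micro write-up: a small Python helper that extracts commands from a fetched C\u0026C page using the two keyword conventions the report lists ('>SC<' for variant 1; 'longDesc=' with a '.txt' suffix for variant 2), maps them onto the documented verbs (run1/run2/run3/http/x_ and sleep:/download:), and reports the longest sleep the page imposes, which is the minimum window a sandbox or proxy capture needs before the implant will beacon again. Where the command sits relative to the markers, the attribute-style quoting, the constructed sample pages and the host example.invalid are assumptions made for illustration; the report says the real commands are encrypted, so a real parser would decrypt them before this step.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Keyword markers quoted in the Trend Micro write-up. Where the command text
# sits relative to them is not documented there, so this example ASSUMES:
# variant 1 puts the command token directly after '>SC<', and variant 2 puts
# it between 'longDesc=' and '.txt' (optionally quoted as an HTML attribute).
# It also assumes plaintext commands; the report says the real ones are
# encrypted, so a production parser would decrypt before this step.
V1_PREFIX = '>SC<'
V2_PREFIX = 'longDesc='
V2_SUFFIX = '.txt'

V1_STATIC_COMMANDS = {'run1', 'run2', 'run3', 'http'}   # plus 'x_<minutes>'
V1_PATTERN = re.compile(re.escape(V1_PREFIX) + '([A-Za-z0-9_]+)')
# One optional non-alphanumeric char covers an attribute quote before the value.
V2_PATTERN = re.compile(re.escape(V2_PREFIX) + '[^A-Za-z0-9]?([^ <>]+?)' + re.escape(V2_SUFFIX))


@dataclass
class C2Command:
    variant: int
    verb: str
    argument: Optional[str] = None
    sleep_minutes: Optional[int] = None


def parse_command(variant: int, raw: str) -> Optional[C2Command]:
    '''Map a raw token to a command; None means the token is not a documented verb.'''
    if variant == 1:
        if raw.startswith('x_') and raw[2:].isdigit():
            return C2Command(1, 'x_', raw[2:], int(raw[2:]))
        if raw in V1_STATIC_COMMANDS:
            return C2Command(1, raw)
        return None
    verb, sep, arg = raw.partition(':')
    if not sep:
        return None
    if verb == 'sleep' and arg.isdigit():
        return C2Command(2, 'sleep', arg, int(arg))
    if verb == 'download' and arg.startswith(('http://', 'https://')):
        return C2Command(2, 'download', arg)
    return None


def parse_page(html: str) -> list:
    '''Extract every recognised command from a fetched C&C page, in document order.'''
    hits = [(m.start(), 1, m.group(1)) for m in V1_PATTERN.finditer(html)]
    hits += [(m.start(), 2, m.group(1)) for m in V2_PATTERN.finditer(html)]
    commands = []
    for _, variant, raw in sorted(hits):
        cmd = parse_command(variant, raw)
        if cmd is not None:          # unknown tokens are ignored, not trusted
            commands.append(cmd)
    return commands


def max_sleep_seconds(commands: list) -> int:
    '''Longest sleep the page imposes: the minimum capture window before the next beacon.'''
    minutes = [c.sleep_minutes for c in commands if c.sleep_minutes is not None]
    return 60 * max(minutes, default=0)


# Constructed sample pages for offline testing; these are not captures from the campaign.
SAMPLE_V1_PAGE = '''<html><body>
<!-- nothing to see -->
<div>>SC<x_120</div>
<div>>SC<run2</div>
<div>>SC<run9</div>
</body></html>'''

SAMPLE_V2_PAGE = '''<html><body>
<img src='logo.gif' longDesc='sleep:120.txt'>
<img src='bar.gif' longDesc='download:http://example.invalid/update.exe.txt'>
</body></html>'''


if __name__ == '__main__':
    for page in (SAMPLE_V1_PAGE, SAMPLE_V2_PAGE):
        cmds = parse_page(page)
        for c in cmds:
            print(c)
        print('longest sleep (s):', max_sleep_seconds(cmds))
```

The sleep value is the operational point: a 'sleep:120' answer means the sample will stay silent for 7200 seconds, so a five-minute sandbox run or a short proxy-log window will show one beacon and nothing else. Feeding the parsed value back into the analysis clock (or patching the Sleep call) is how you get past the siesta.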
Both variants make heavy use of Sleep calls, which keep the malware dormant for varying periods of time, hence the campaign name \"Siesta\" (Spanish for a short nap). Commands are served through HTML pages and are located by different keywords:\r\nVariant 1 prefix: “\u003eSC\u003c”\r\nVariant 2 prefix: “longDesc=”, suffix: “.txt”\r\nListed below are the backdoor commands we were able to observe during our analysis:\r\nVariant 1\r\n“run1” – open a remote shell\r\n“run2” – pipe shell commands from URL1\r\n“run3” – pipe shell commands from URL2\r\n“http” – pipe shell commands from the C2\r\n“x_” – sleep for the specified number of minutes\r\nVariant 2\r\n“sleep:” – sleep for the specified number of minutes\r\n“download:” – download and execute another executable from the C2\r\nAttribution\r\nAttribution of campaigns and attack methods can often be difficult. We were able to identify this new campaign by inspecting hashes, C\u0026Cs, registrants, commands, and additional information.\r\nFigure 1. Attribution Graph\r\nDuring the course of our investigation into this new campaign, we examined the dropped malware. We quickly noticed that the registrant of sky{BLOCKED}.com is also the registrant of micro{BLOCKED}.com and ifued{BLOCKED}.net. This individual used the name Li Ning (among others) with the email address xiaomao{BLOCKED}@163.com, and recently registered 79 additional domains. In total, roughly 17,000 domains are registered with this same email address.\r\nFigure 2. Domains registered under the name Li Ning, based on Whois data\r\nConclusion\r\nEarly detection is crucial in preventing targeted attacks from exfiltrating confidential company data. 
Organizations and large enterprises need an advanced threat protection platform like Trend Micro™ Deep Discovery, which can mitigate the risks posed by targeted attacks through its various security technologies and global threat intelligence. At the heart of our Custom Defense solution is Deep Discovery, which provides real-time local and global intelligence across the attack life cycle. This can help IT administrators understand the nature of the attack they are dealing with.\r\nTrend Micro blocks all related threats, emails and URLs associated with these attacks. As always, we advise users to exercise caution when opening emails and links. For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.\r\nWith additional insights and analysis from Kervin Alintanahin, Dove Chiu, and Kyle Wilhoit.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/"
	],
	"report_names": [
		"the-siesta-campaign-a-new-targeted-attack-awakens"
	],
	"threat_actors": [
		{
			"id": "f9fa9633-dfd1-458d-84ce-cc36dcdc7ce4",
			"created_at": "2022-10-25T16:07:24.188897Z",
			"updated_at": "2026-04-10T02:00:04.894484Z",
			"deleted_at": null,
			"main_name": "Siesta",
			"aliases": [],
			"source_name": "ETDA:Siesta",
			"tools": [
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"Poison Ivy",
				"SPIVY",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f9bb42e1-65d6-444e-8c63-21c2605b49e0",
			"created_at": "2023-01-06T13:46:38.887429Z",
			"updated_at": "2026-04-10T02:00:03.133382Z",
			"deleted_at": null,
			"main_name": "Siesta",
			"aliases": [],
			"source_name": "MISPGALAXY:Siesta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434813,
	"ts_updated_at": 1775791494,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/353a9ace2e6eb3e6668d74cb3d28bc80a147b137.pdf",
		"text": "https://archive.orkl.eu/353a9ace2e6eb3e6668d74cb3d28bc80a147b137.txt",
		"img": "https://archive.orkl.eu/353a9ace2e6eb3e6668d74cb3d28bc80a147b137.jpg"
	}
}