{ "id": "c3531525-df0c-4228-9d2b-c23138f62bb0", "created_at": "2026-04-06T01:29:29.518294Z", "updated_at": "2026-04-10T03:36:33.543064Z", "deleted_at": null, "sha1_hash": "3575a1d1787f78832aa056f7f6a6c46789ecd3f2", "title": "Cybercriminals switch from MBR to NTFS", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2242217, "plain_text": "Cybercriminals switch from MBR to NTFS\r\nBy Vyacheslav Zakorzhevsky\r\nPublished: 2011-07-06 · Archived: 2026-04-06 00:13:29 UTC\r\nResearch\r\nResearch\r\n06 Jul 2011\r\n 2 minute read\r\n Vyacheslav Zakorzhevsky\r\nhttps://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/\r\nPage 1 of 7\n\nModification of the hard drive areas responsible for the initial loading of the system has become increasing\r\npopular with cybercriminals. Moreover, cybercriminals have now moved on from just modifying the MBR\r\n(master boot record) to infecting the code of the NTFS loader.\r\nWe recently discovered an interesting piece of malware — Cidox. It is peculiar in that it infects the load area code\r\nof the boot partition on the hard drive.\r\nThe master file Trojan-Dropper.Win32.Cidox “carries on board” two driver rootkits\r\n(Rootkit.Win32/Win64.Cidox). One is compiled for 32-bit platforms, the other for 64-bit platforms.\r\nThe source component of Cidox makes the following modifications to the beginning of the hard drive:\r\nSaves the relevant driver to free sectors at the beginning of the hard drive;\r\nIt chooses the section marked as the boot partition in the MBR partition table for infection. It is important\r\nto note that it only infects partitions with the NTFS file system.\r\nWrites part of its code over Extended NTFS IPL (Initial Program Loader), which is responsible for parsing\r\nthe MFT table (Master File Table), searching for the file with the loader in the root directory of the section\r\n(ntldr — pre-Vista, bootmgr — Vista+), reading this file form the disk and transferring control to it. At the\r\nsame time the original contents of Extended NTFS IPL are encrypted, saved and added to the end of the\r\nmalicious code.\r\nhttps://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/\r\nPage 2 of 7\n\nFragment of the initial domain of the hard drive infected by Cidox\r\n(detected as Rootkit.Boot.Cidox)\r\nThe next time the system is booted the malicious code in the load area will be invoked. With the help of a known\r\ntechnique, use of the Int 13h interrupt and some Windows kernel features it successfully loads the malicious driver\r\nto the system. The loaded driver uses PsSetCreateProcessNotifyRoutine to control the launch of the following\r\nprocesses:\r\nsvchost.exe\r\niexplore.exe\r\nfirefox.exe\r\nopera.exe\r\nchrome.exe\r\nFragment of Rootkit.Win32.Cidox containing strings with the names of controlled browsers\r\nIf the launch of one of the processes above is detected, one more Cidox component is integrated into it — a\r\ndynamic library (Trojan.Win32.Cidox). This library modifies any browser output, substituting it with its own. As a\r\nresult, the user sees a browser window displaying an offer to renew the browser due to some malicious programs\r\nallegedly detected on the system. The example below tells the user to renew the browser due to infection by\r\nTrojan.Win32.Ddox.ci.\r\nFragment of a browser window on a system infected by Cidox\r\nOf course, the user is asked to pay for the ‘renewal’. In order to obtain it, an SMS has to be sent to a short number.\r\nA unique page design is used for each of the most popular browsers.\r\nhttps://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/\r\nPage 3 of 7\n\nFragment of a browser window on a system infected by Cidox\r\nIt should be noted that new versions of browsers can in fact be downloaded free of charge from the vendor’s\r\nwebsite. Cybercriminals are merely scaring users in order to extort money from them.\r\nLatest Webinars\r\nhttps://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/\r\nPage 4 of 7\n\nhttps://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/\r\nPage 5 of 7\n\nReports\r\nKaspersky researchers analyze updated CoolClient backdoor and new tools and scripts used in HoneyMyte (aka\r\nMustang Panda or Bronze President) APT campaigns, including three variants of a browser data stealer.\r\nKaspersky discloses a 2025 HoneyMyte (aka Mustang Panda or Bronze President) APT campaign, which uses a\r\nkernel-mode rootkit to deliver and protect a ToneShell backdoor.\r\nhttps://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/\r\nPage 6 of 7\n\nKaspersky GReAT experts analyze the Evasive Panda APT’s infection chain, including shellcode encrypted with\r\nDPAPI and RC5, as well as the MgBot implant.\r\nKaspersky expert describes new malicious tools employed by the Cloud Atlas APT, including implants of their\r\nsignature backdoors VBShower, VBCloud, PowerShower, and CloudAtlas.\r\nSource: https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/\r\nhttps://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/\r\nPage 7 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/" ], "report_names": [ "29117" ], "threat_actors": [ { "id": "77b28afd-8187-4917-a453-1d5a279cb5e4", "created_at": "2022-10-25T15:50:23.768278Z", "updated_at": "2026-04-10T02:00:05.266635Z", "deleted_at": null, "main_name": "Inception", "aliases": [ "Inception Framework", "Cloud Atlas" ], "source_name": "MITRE:Inception", "tools": [ "PowerShower", "VBShower", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "04a7ebaa-ebb1-4971-b513-a0c86886d932", "created_at": "2023-01-06T13:46:38.784965Z", "updated_at": "2026-04-10T02:00:03.099088Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "Clean Ursa", "Cloud Atlas", "G0100", "ATK116", "Blue Odin" ], "source_name": "MISPGALAXY:Inception Framework", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f35997d9-ca1e-453f-b968-0e675cc16d97", "created_at": "2023-01-06T13:46:39.490819Z", "updated_at": "2026-04-10T02:00:03.345364Z", "deleted_at": null, "main_name": "Evasive Panda", "aliases": [ "BRONZE HIGHLAND" ], "source_name": "MISPGALAXY:Evasive Panda", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a", "created_at": "2024-11-01T02:00:52.763555Z", "updated_at": "2026-04-10T02:00:05.263997Z", "deleted_at": null, "main_name": "Daggerfly", "aliases": [ "Daggerfly", "Evasive Panda", "BRONZE HIGHLAND" ], "source_name": "MITRE:Daggerfly", "tools": [ "PlugX", "MgBot", "BITSAdmin", "MacMa", "Nightdoor" ], "source_id": "MITRE", "reports": null }, { "id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7", "created_at": "2023-01-06T13:46:39.413725Z", "updated_at": "2026-04-10T02:00:03.31882Z", "deleted_at": null, "main_name": "BRONZE HIGHLAND", "aliases": [ "Evasive Panda", "Daggerfly" ], "source_name": "MISPGALAXY:BRONZE HIGHLAND", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7", "created_at": "2022-10-25T16:07:23.422755Z", "updated_at": "2026-04-10T02:00:04.592069Z", "deleted_at": null, "main_name": "Bronze Highland", "aliases": [ "Daggerfly", "Digging Taurus", "Evasive Panda", "Storm Cloud", "StormBamboo", "TAG-102", "TAG-112" ], "source_name": "ETDA:Bronze Highland", "tools": [ "Agentemis", "CDDS", "CloudScout", "Cobalt Strike", "CobaltStrike", "DazzleSpy", "KsRemote", "LOLBAS", "LOLBins", "Living off the Land", "MacMa", "Macma", "MgBot", "Mgmbot", "NetMM", "Nightdoor", "OSX.CDDS", "POCOSTICK", "RELOADEXT", "Suzafk", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "4f7d2815-7504-4818-bf8d-bba18161b111", "created_at": "2025-08-07T02:03:24.613342Z", "updated_at": "2026-04-10T02:00:03.732192Z", "deleted_at": null, "main_name": "BRONZE HIGHLAND", "aliases": [ "Daggerfly", "Daggerfly ", "Evasive Panda ", "Evasive Panda ", "Storm Bamboo " ], "source_name": "Secureworks:BRONZE HIGHLAND", "tools": [ "Cobalt Strike", "KsRemote", "Macma", "MgBot", "Nightdoor", "PlugX" ], "source_id": "Secureworks", "reports": null }, { "id": "02c9f3f6-5d10-456b-9e63-750286048149", "created_at": "2022-10-25T16:07:23.722884Z", "updated_at": "2026-04-10T02:00:04.72726Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "ATK 116", "Blue Odin", "Clean Ursa", "Cloud Atlas", "G0100", "Inception Framework", "Operation Cloud Atlas", "Operation RedOctober", "The Rocra" ], "source_name": "ETDA:Inception Framework", "tools": [ "Lastacloud", "PowerShower", "VBShower" ], "source_id": "ETDA", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775438969, "ts_updated_at": 1775792193, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/3575a1d1787f78832aa056f7f6a6c46789ecd3f2.pdf", "text": "https://archive.orkl.eu/3575a1d1787f78832aa056f7f6a6c46789ecd3f2.txt", "img": "https://archive.orkl.eu/3575a1d1787f78832aa056f7f6a6c46789ecd3f2.jpg" } }