{
	"id": "383404fc-0fc2-471b-9d23-3099f6ca52ac",
	"created_at": "2026-04-06T00:09:31.754599Z",
	"updated_at": "2026-04-10T03:33:45.633341Z",
	"deleted_at": null,
	"sha1_hash": "3863933f86c0fdbe1583c588829a18f6203f64fb",
	"title": "Rewterz Threat Alert – Witchetty APT Group – Active IOCs - Rewterz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53693,
	"plain_text": "Rewterz Threat Alert – Witchetty APT Group – Active IOCs - Rewterz\r\nPublished: 2022-10-04 · Archived: 2026-04-05 13:59:21 UTC\r\nSeverity\r\nHigh\r\nAnalysis Summary\r\nResearchers have documented the Witchetty cyber espionage group using steganography to conceal backdoor malware inside an image of the Windows logo in its latest campaign. The group used the resulting backdoor against governments in the Middle East.\r\nSteganography is the technique of concealing data within non-secret, public information or computer files, such as an image, in order to avoid discovery.\r\nWitchetty (also tracked as LookingFrog) is assessed to be a subgroup of the Chinese espionage umbrella TA410, which in turn has loose links to APT10 (aka Stone Panda). TA410 was previously connected to attacks on US energy companies.\r\nThe group’s current cyberespionage campaign, which targeted two governments in the Middle East and an African stock exchange, began in February 2022 and was still underway at the time of the alert.\r\nFor this campaign the group updated its toolset to exploit several known vulnerabilities, and it employed steganography to shield its malicious payload from antivirus software.\r\nBefore this campaign Witchetty had been documented using two pieces of malware: a first-stage backdoor called X4 and a second-stage modular payload called LookBack.\r\nThe threat actors first gain initial access to a network by exploiting the Microsoft Exchange ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) attack chains, and only then carry out malicious actions such as stealing credentials, moving laterally across the network and dropping additional payloads.\r\nIn this campaign the group introduced a previously undocumented implant, Backdoor.Stegmap: a steganography-based backdoor whose payload is hidden in a bitmap image of an old Microsoft Windows logo hosted in a GitHub repository. Hiding the code behind a picture uploaded to a trustworthy service helped the attackers avoid detection.\r\n“A DLL loader downloads a bitmap file from a GitHub repository. The file appears to be simply an old Microsoft Windows logo. However, the payload is hidden within the file and is decrypted with an XOR key.”\r\nFigure: The payload is hidden under the Windows logo.\r\n“Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service.”\r\nAccording to the researchers,\r\n“Downloads from reputable domains like GitHub are significantly less likely to trigger red flags than downloads from an attacker-controlled command-and-control (C\u0026C) server.”\r\nBecause the download source looks benign, detection has to focus on the fetched file itself (for example, a bitmap larger than its header declares, or an XOR-encoded executable inside it) and on the loader that parses it, rather than on the GitHub connection alone.\r\nThe implant supports a set of commands (the command table in the original alert was not captured here).\r\nIn the campaign identified, the attackers depend on vulnerabilities disclosed in 2021 to infiltrate the target network, taking advantage of poorly managed, publicly accessible servers.\r\nImpact\r\nCyber Espionage\r\nExploitation of Vulnerabilities\r\nNetwork Breach\r\nIndicators of Compromise\r\nMD5\r\ne3af60f483774014c43a7617c44d05e7\r\nSHA-256\r\ne5f98a1b0d37a09260db033aa09d6829dc4788567beccda9b8fef7e6e3764848\r\nSHA-1\r\n8126ed23cb483c67a454c762178ec7de8536b31a\r\nRemediation\r\nBlock all threat indicators at your respective controls.\r\nSearch for the indicators of compromise (IOCs) in your environment using your respective security controls.\r\nDo not download document files attached to emails from unknown sources, and strictly refrain from enabling macros when the source is not reliable.\r\nMaintain daily backups of all computer networks and servers.\r\nPasswords – Ensure that general security policies are employed, including strong passwords, correct configurations and proper administrative security policies.\r\nAdmin Access – Limit access to administrative accounts and portals to relevant personnel only, and make sure they are not publicly accessible.\r\nWAF – Web defacement must be stopped at the web application level, so set up a Web Application Firewall with rules to block suspicious and malicious requests.\r\nPatch – Patch and upgrade all platforms and software in a timely manner and make this a standard security policy. Prioritize known exploited vulnerabilities and zero-days; for this campaign that means the ProxyShell and ProxyLogon fixes for on-premises Exchange servers, which are the initial-access vector described above.\r\nSecure Coding – Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.\r\n2FA – Enable two-factor authentication.\r\nAntivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner. Multi-layered protection is necessary to secure vulnerable assets.\r\nSecurity Best Practices – Do not open emails and attachments from unknown or suspicious sources.\r\nSource: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-witchetty-apt-group-active-iocs",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-witchetty-apt-group-active-iocs"
	],
	"report_names": [
		"rewterz-threat-alert-witchetty-apt-group-active-iocs"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3",
			"created_at": "2022-10-25T16:07:23.80111Z",
			"updated_at": "2026-04-10T02:00:04.753677Z",
			"deleted_at": null,
			"main_name": "LookBack",
			"aliases": [
				"FlowingFrog",
				"LookBack",
				"LookingFrog",
				"TA410",
				"Witchetty"
			],
			"source_name": "ETDA:LookBack",
			"tools": [
				"FlowCloud",
				"GUP Proxy Tool",
				"SodomMain",
				"SodomMain RAT",
				"SodomNormal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9ffcbb0c-7a0f-419f-a174-f18a02ce47f1",
			"created_at": "2023-01-06T13:46:39.059774Z",
			"updated_at": "2026-04-10T02:00:03.199867Z",
			"deleted_at": null,
			"main_name": "TA410",
			"aliases": [],
			"source_name": "MISPGALAXY:TA410",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3e8f802c-efba-45ff-8844-5ea4e4a5297d",
			"created_at": "2023-11-07T02:00:07.092751Z",
			"updated_at": "2026-04-10T02:00:03.404589Z",
			"deleted_at": null,
			"main_name": "Witchetty",
			"aliases": [
				"LookingFrog"
			],
			"source_name": "MISPGALAXY:Witchetty",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10",
				"CTG-5938",
				"CVNX",
				"Hogfish",
				"MenuPass",
				"MirrorFace",
				"POTASSIUM",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda"
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434171,
	"ts_updated_at": 1775792025,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3863933f86c0fdbe1583c588829a18f6203f64fb.pdf",
		"text": "https://archive.orkl.eu/3863933f86c0fdbe1583c588829a18f6203f64fb.txt",
		"img": "https://archive.orkl.eu/3863933f86c0fdbe1583c588829a18f6203f64fb.jpg"
	}
}
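Added example, not code from the Rewterz alert or from the research it summarizes: a Python triage script for a suspect bitmap of the kind the Backdoor.Stegmap loader fetches. It hashes the file against the three IOC values the alert lists, checks the BMP header's declared pixel-array extent against the real file length (appended data shows up as trailing bytes), and tries all 256 single-byte XOR keys looking for an MZ stub whose e_lfanew field points at a PE signature. The single-byte XOR scheme, the header-versus-size check and the PE-signature test are assumptions about how such a payload is commonly hidden, not details taken from the alert; the sample bitmap and its embedded stub are constructed inline.

```python
import hashlib
import struct

# Hash values listed under "Indicators of Compromise" in the alert above.
IOC_HASHES = {
    'md5': 'e3af60f483774014c43a7617c44d05e7',
    'sha1': '8126ed23cb483c67a454c762178ec7de8536b31a',
    'sha256': 'e5f98a1b0d37a09260db033aa09d6829dc4788567beccda9b8fef7e6e3764848',
}


def ioc_hash_hits(data: bytes) -> list:
    """Return (algorithm, digest) pairs for which `data` matches an alert IOC."""
    hits = []
    for algo, known in IOC_HASHES.items():
        digest = hashlib.new(algo, data).hexdigest()
        if digest == known:
            hits.append((algo, digest))
    return hits


def parse_bmp(data: bytes):
    """Read BITMAPFILEHEADER/BITMAPINFOHEADER and compute where the pixel array
    should end. Returns None if `data` does not start like a BMP."""
    if len(data) < 54 or data[:2] != b'BM':
        return None
    declared_size, pixel_offset = struct.unpack_from('<I4xI', data, 2)
    width, height, bpp = struct.unpack_from('<ii2xH', data, 18)
    row_bytes = ((width * bpp + 31) // 32) * 4   # each row is padded to 4 bytes
    pixel_end = pixel_offset + row_bytes * abs(height)
    return {
        'declared_size': declared_size,
        'actual_size': len(data),
        'pixel_offset': pixel_offset,
        'pixel_end': pixel_end,
        'trailing_bytes': max(0, len(data) - pixel_end),
    }


def find_xor_pe(data: bytes, start: int = 0) -> list:
    """Search from `start` for a PE image encoded with a single-byte XOR key
    (an assumed, common hiding scheme). A hit needs both the 'MZ' stub signature
    and a 'PE\\0\\0' signature at the offset e_lfanew points to, so pixel noise
    almost never qualifies."""
    hits = []
    for key in range(256):
        needle = bytes(c ^ key for c in b'MZ')
        pos = data.find(needle, start)
        while pos != -1:
            if pos + 0x40 <= len(data):
                raw = bytes(c ^ key for c in data[pos + 0x3C:pos + 0x40])
                e_lfanew = struct.unpack('<I', raw)[0]
                pe = pos + e_lfanew
                if pe + 4 <= len(data) and bytes(c ^ key for c in data[pe:pe + 4]) == b'PE\x00\x00':
                    hits.append({'key': key, 'offset': pos})
            pos = data.find(needle, pos + 1)
    return hits


def triage(data: bytes) -> dict:
    """The checks a responder would run on a suspect image: IOC hashes, header
    vs. file-size consistency, and XOR-hidden PE detection."""
    report = {'ioc_hits': ioc_hash_hits(data), 'bmp': parse_bmp(data), 'hidden_pe': []}
    if report['bmp'] is not None:
        # Scan everything after the headers: the payload may be appended after
        # the pixel array or buried inside it.
        report['hidden_pe'] = find_xor_pe(data, start=report['bmp']['pixel_offset'])
    report['suspicious'] = bool(
        report['ioc_hits'] or report['hidden_pe']
        or (report['bmp'] is not None and report['bmp']['trailing_bytes'] > 0)
    )
    return report


def build_sample(key: int = 0x5A, with_payload: bool = True) -> bytes:
    """Constructed test input, not a real Witchetty artifact: a valid 2x2 24-bpp
    black BMP, optionally followed by a minimal XOR-encoded PE-like stub."""
    width, height, bpp = 2, 2, 24
    row_bytes = ((width * bpp + 31) // 32) * 4            # 8 bytes per row
    pixels = bytes(row_bytes * height)
    info = struct.pack('<IiiHHIIiiII', 40, width, height, 1, bpp, 0,
                       len(pixels), 2835, 2835, 0, 0)
    header = b'BM' + struct.pack('<IHHI', 14 + 40 + len(pixels), 0, 0, 14 + 40)
    bmp = header + info + pixels
    if not with_payload:
        return bmp
    stub = bytearray(0x48)                                # MZ header + PE signature
    stub[0:2] = b'MZ'
    struct.pack_into('<I', stub, 0x3C, 0x40)              # e_lfanew -> 0x40
    stub[0x40:0x44] = b'PE\x00\x00'
    return bmp + bytes(b ^ key for b in stub)


if __name__ == '__main__':
    for label, sample in (('stego', build_sample()), ('clean', build_sample(with_payload=False))):
        print(label, triage(sample))
```

Run it against a file with `triage(open(path, 'rb').read())`; a real sample would normally trip both the IOC-hash and the hidden-PE check, while a legitimate logo bitmap yields no trailing bytes and no XOR hit. The hash check is the narrowest signal (it catches only the exact file in the alert), so the structural checks are what generalize to re-encoded or re-keyed copies of the same technique.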