{
	"id": "d097d608-09dc-424b-ad7a-b3e69055c470",
	"created_at": "2026-04-06T00:18:34.506063Z",
	"updated_at": "2026-04-10T13:12:38.650129Z",
	"deleted_at": null,
	"sha1_hash": "38a429205afc55ac815c00dcc34a062668ef66e6",
	"title": "APT10: Tracking down LODEINFO 2022, part I",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1759169,
	"plain_text": "APT10: Tracking down LODEINFO 2022, part I\r\nBy Suguru Ishimaru\r\nPublished: 2022-10-31 · Archived: 2026-04-05 14:26:00 UTC\r\nKaspersky has been tracking activities involving the LODEINFO malware family since 2019, looking for new modifications and thoroughly investigating any attacks utilizing those new variants. LODEINFO is sophisticated fileless malware first named in a blog post from JPCERT/CC in February 2020. The malware was regularly modified and upgraded by its developers to target media, diplomatic, governmental and public sector organizations and think-tanks in Japan.\r\nJapan is likely the main target of LODEINFO\r\nResearchers continued tracking LODEINFO after that. JPCERT/CC and Macnica Networks shared additional updates on LODEINFO activities in a later publication. Kaspersky researchers also shared new findings during the HITCON 2021 conference, covering LODEINFO activities from 2019 to 2020 and revealing high-confidence attribution to APT10.\r\nIn March 2022, we observed a Microsoft Word file that was used as the infection vector in some attacks. In June of the same year, an SFX file was discovered targeting the Japanese government or related organizations using a decoy file with Japanese content, as well as utilizing the name of a famous Japanese politician in the filename. A new downloader shellcode named DOWNIISSA that is used to deploy the LODEINFO backdoor was also observed.\r\nhttps://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/\r\nPage 1 of 10\r\nThe first part of this report provides technical analysis of the new infection methods, such as the SFX files and DOWNIISSA, along with our findings. The second part will provide technical analysis of the LODEINFO backdoor and the related shellcode for each version of the backdoor, with the latest LODEINFO IoCs and related information discovered in 2022.\r\nCustomers of Kaspersky Threat Intelligence Service have access to additional private APT reports describing past LODEINFO activities.\r\nInitial infection #1: VBA + DLL sideloading\r\nDuring our investigation of the attacks in March 2022, we observed a spear-phishing email with a malicious attachment installing malware persistence modules, which consisted of a legitimate EXE file and a malicious DLL file loaded via the DLL sideloading technique. For example, the following section describes a malicious Microsoft Word file (MD5: da20ff8988198063b56680833c298113) that was uploaded to Virustotal. Once the target opens the malicious doc file, a message in Japanese is displayed (インターネットセキュリティ設定によると、ファイルを開くために、上の黄色のドキュメントバーの「編集を有効にする」と「コンテンツの有効化」をクリックしてください。Translation: “According to your internet security settings, click “Enable Editing” and “Enable Content” on the yellow document bar above to open this file.”) to trick the victims into clicking “Enable Content” and enabling the embedded macro.\r\nThe message in Japanese to trick the target into clicking “Enable Content” and embedded VBA code\r\nThe embedded VBA code creates the folder C:\\Users\\Public\\TMWJPA\\ and drops a zip file named GFIUFR.zip (MD5: 89bd9cf51f8e01bc3b6ec025ed5775fc) in the same folder. GFIUFR.zip contains two files named NRTOLF.exe and K7SysMn1.dll. NRTOLF.exe (MD5: 7f7d8c9c1b6735807aefb0841b78f389) is a digitally signed legitimate EXE file from the K7Security Suite software used for DLL sideloading. K7SysMn1.dll (MD5: cb2fcd4fd44a7b98af37c6542b198f8d) is a malicious DLL sideloaded by NRTOLF.exe. The malicious DLL file contains a loader of the LODEINFO shellcode. This DLL is a known loader module of LODEINFO. It contains a one-byte XOR-encrypted LODEINFO shellcode internally identified as version 0.5.9. This infection method was also used by the threat actor in the previous attacks we investigated.\r\nApart from this, we discovered two more implants related to LODEINFO that were used in other infection methods in 2022.\r\nInitial infection #2: SFX + DLL sideloading\r\nOne of the implants is a self-extracting archive (SFX) file in RAR format (MD5: 76cdb7fe189845a0bc243969dba4e7a3) that was also uploaded to Virustotal. Similarly, the archive contains three files named 1.docx, K7SysMn1.dll and K7SysMon.exe, with the self-extracting script commands shown below. There is also a comment added by the malware author written in Japanese that can be translated as “The following comment contains a self-extracting script command”:\r\nComment = ;以下のコメントは自己解凍スクリプトコマンドを含んでいます(\r\nPath=%temp%\\\r\nSetup=%temp%\\1.docx\r\nSetup=%temp%\\K7SysMon.Exe\r\nSilent=1\r\nOverwrite=1\r\n   Date      Time    Attr         Size   Compressed  Name\r\n------------------- ----- ------------ ------------  ------------------------\r\n2022-06-14 03:47:04 ....A        11900         9181  1.docx\r\n2021-08-18 18:58:58 ....A       342528       169345  K7SysMn1.dll\r\n2022-04-19 09:44:45 ....A        91464        45247  K7SysMon.Exe\r\n------------------- ----- ------------ ------------  ------------------------\r\n2022-06-14 03:47:04             445892       223773  3 files\r\nWhen a targeted user executes this SFX file, the archive drops the other files to the %temp% directory and opens 1.docx as a decoy containing just a few Japanese words such as 申込書 (“Application”), 名前 (“name”) and メールアドレス (“email address”), as shown on the following screenshot.\r\nSimple decoy document content from 1.docx\r\nWhile showing the decoy file to the user, the archive script starts K7SysMon.exe, which loads the malicious DLL from K7SysMn1.dll (MD5: a8220a76c2fe3f505a7561c3adba5d4a) via DLL sideloading. K7SysMn1.dll contains a BLOB with an obfuscated routine not observed in past activities. The embedded BLOB is divided into four-byte chunks, and each chunk is stored in one of the 50 randomly named export functions of the DLL binary. These export functions reconstruct the BLOB in an allocated buffer and then decode the LODEINFO shellcode using a one-byte XOR key.\r\nReassembling the payload BLOB from parts\r\nThe payload that is eventually deployed by this implant is LODEINFO v0.6.3.\r\nInitial infection #3: SFX + DLL sideloading + additional BLOB file\r\nWe also discovered another similar SFX file named \u003cmasked\u003e[1]sns用動画 拡散のお願い.exe (Translation: Request to spread the SNS video of \u003cmasked\u003e). The attackers exploited the name of a well-known Japanese politician. The embedded self-extracting script and files are very similar to the previous sample discussed in the Initial Infection #2 section of this article. However, this sample contains an additional file named K7SysMon.Exe.db. Previously observed loader modules had a BLOB with the encrypted shellcode embedded in the executable file, but in this sample K7SysMn1.dll does not contain the BLOB. Instead, the loader module reads the K7SysMon.Exe.db file as the encrypted BLOB and decrypts the shellcode, which is the LODEINFO v0.6.3 backdoor. The title of the SFX file, as well as the document content, displays a request to spread a video of the famous politician on SNS (Social Network Service). We believe this SFX file was spread via a spear-phishing email on June 29, 2022, based on the last archiving timestamp. The file name and the decoy document suggest the target was the Japanese ruling party or a related organization.\r\nOn July 4, 2022, another SFX file (MD5: edc27b958c36b3af5ebc3f775ce0bcc7) was discovered. The archived files, the payload and also the C2 address were very similar to the previous sample set. The only notable difference was the Japanese title of the decoy document: “取材のお願い” (“Request for coverage”). We think this SFX file was probably used to target Japanese media companies.\r\nInitial infection #4: VBA + undiscovered downloader shellcode DOWNIISSA\r\nBack in August 2020, we discovered a fileless downloader shellcode dubbed DOWNJPIT, a variant of the LODEINFO malware, and gave a presentation on it at HITCON 2021. In June 2022, we found another fileless downloader shellcode delivered by a password-protected Microsoft Word file. The filename is 日米同盟の抑止力及び対処力の強化.doc (“Enhancing the deterrence and coping power of the Japan-US alliance.doc”). The document file contains malicious macro code that is completely different from previously investigated samples. Once opened, the doc file shows a Japanese message to enable the following VBA code.\r\nMalicious VBA code inside MS Word file found in June 2022\r\nUnlike past samples, such as the one described in the Initial Infection #1 section of this article, where the malicious VBA macro was used to drop the different components of the DLL sideloading technique, in this case the malicious macro code injects and loads an embedded shellcode in the memory of the WINWORD.exe process directly. This implant was not present in past activities, and the shellcode is also a newly discovered multi-stage downloader shellcode for LODEINFO v0.6.5.\r\nThis downloader shellcode was completely different from the DOWNJPIT variant. The new downloader shellcode has two URLs inside:\r\nhttp://172.104.112[.]218/11554.htm\r\nhttp://www.dvdsesso[.]com/11554.htm\r\nWe named this new downloader DOWNIISSA, where IISSA is a string derived from 11554 in the file names found in the URLs. The following diagram shows the complicated infection flow from the malicious document file to the final payload downloaded by DOWNIISSA.\r\nLODEINFO infection process via DOWNIISSA\r\nAs mentioned earlier, the embedded macro generates the DOWNIISSA shellcode and injects it into the current process (WINWORD.exe). The main downloader code is base64-encoded and placed at the beginning of the DOWNIISSA shellcode, which gets decoded and patched by the shellcode itself.\r\nDOWNIISSA base64 decode and self-patch\r\nAfter it has been decoded, some important strings are found with a one-byte XOR encryption. For example, the two C2 destination addresses are decrypted in the following code.\r\nXORed C2 destinations embedded in the main function of DOWNIISSA shellcode\r\nDOWNIISSA uses the URLDownloadToFileA() API function to download the BLOB from the URL addresses and drop it as %TEMP%/${temp}.tmp. Then it reads the file into allocated memory in the current process and deletes the downloaded temp file immediately. We confirmed that both URLs served the same binary data, which was XORed with the one-byte XOR key stored at the end of the BLOB itself. After XOR decryption, the LODEINFO backdoor shellcode v0.6.5 was found. For the final stage of the infection, DOWNIISSA creates an instance of msiexec.exe and injects the LODEINFO backdoor shellcode into the memory of that process.\r\nThis new infection flow involving the DOWNIISSA shellcode has not been seen in previous activities using LODEINFO and is a new TTP in 2022.\r\nApart from the 11554.htm file found in this sample, we also discovered files with other names such as 3390.htm, 5246.htm and 16412.htm, hosted on the same C2 servers in July 2022. 3390.htm (MD5: 0fcf90fe2f5165286814ab858d6d4f2a) and 11554.htm (MD5: f7de43a56bbb271f045851b77656d6bd) were one-byte XORed LODEINFO v0.6.5 shellcodes downloaded via the DOWNIISSA malware. The XOR key for each sample was found at the end of the file. The 5246.htm (MD5: 6780d9241ad4d8de6e78d936fbf5a922) and 16412.htm (MD5: 15b80c5e86b8fd08440fe1a9ca9706c9) files are one-byte XORed unique data structures. The data structure found in the 5246.htm file is shown below:\r\nOffset | Data example | Description\r\n0x000000 | 265715 | Memory allocation size (probably)\r\n0x000004 | 265712 | Size of this data structure, excluding the memory allocation size and data size fields\r\n0x000008 | 3 | Number of embedded files\r\n0x000009 | 91464 | Data size of embedded file 1\r\n0x00000D | 13 | Filename size of embedded file 1\r\n0x00000E | ‘K7SysMon.Exe’,0 | Filename of file 1\r\n0x00001B | 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 [SKIPPED] | The legitimate EXE file for DLL sideloading\r\n0x016563 | 57856 | Data size of embedded file 2\r\n0x016567 | 13 | Filename size of embedded file 2\r\n0x016568 | ‘K7SysMn1.dll’,0 | Filename of file 2\r\n0x016575 | 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 [SKIPPED] | Malicious DLL file that is the loading module of LODEINFO, without the embedded BLOB\r\n0x024775 | 116335 | Data size of embedded file 3\r\n0x024779 | 16 | Filename size of embedded file 3\r\n0x02477A | ‘K7SysMon.Exe.db’,0 | Filename of file 3\r\n0x02478A | 73 3A 3C 9B 9A CF 11 76 11 DF 8A 1F 5A EF 9F 11 DF 92 C7 59 CC 11 EF 96 CD 11 E7 92 A1 64 EC BF [SKIPPED] | One-byte XORed BLOB that is read by the loading module to infect the host with LODEINFO v0.6.5. The key is at the end of the data\r\nThis data structure contains the names of three files: K7SysMon.exe, K7SysMn1.dll (MD5: c5bdf14982543b71fb419df3b43fbf07) and K7SysMon.exe.db (MD5: c9d724c2c5ae9653045396deaf7e3417). This suggests that an undiscovered downloader module downloads 5246.htm from the C2 to assist with the installation of some embedded files on the victim’s machine.\r\nConclusions\r\nLODEINFO was first discovered in 2019. LODEINFO and its infection methods have been constantly updated and improved to become a more sophisticated cyber-espionage tool while targeting organizations in Japan. The LODEINFO implants and loader modules were also continuously updated to evade security products and complicate manual analysis by security researchers.\r\nThese modifications may serve as confirmation that the threat actors track publications by security researchers and learn how to update their TTPs and improve their malware. In fact, we haven’t detected any activities involving the LILIMRAT and DOWNJPIT malware from this threat actor since publishing our investigation results at HITCON 2021. We believe this cat-and-mouse game will continue in the future.\r\nTo be continued in Part II…\r\n[1] The personal name of the Japanese politician was masked to protect their identity.\r\nSource: https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/"
	],
	"report_names": [
		"107742"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434714,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38a429205afc55ac815c00dcc34a062668ef66e6.pdf",
		"text": "https://archive.orkl.eu/38a429205afc55ac815c00dcc34a062668ef66e6.txt",
		"img": "https://archive.orkl.eu/38a429205afc55ac815c00dcc34a062668ef66e6.jpg"
	}
}