{
	"id": "fc464616-91e4-4321-a48a-19ae518e5ad9",
	"created_at": "2026-04-06T00:16:03.684093Z",
	"updated_at": "2026-04-10T03:25:28.194248Z",
	"deleted_at": null,
	"sha1_hash": "392edc2d1ef6f98a2313ffb75797a2edcda12355",
	"title": "Buhtrap group uses zero-day in latest espionage campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 733652,
	"plain_text": "Buhtrap group uses zero-day in latest espionage campaigns\r\nBy Jean-Ian Boutin\r\nArchived: 2026-04-05 14:06:54 UTC\r\nThe Buhtrap group is well known for its targeting of financial institutions and businesses in Russia. However,\r\nsince late 2015, we have witnessed an interesting change in its traditional targets. From a pure criminal group\r\nperpetrating cybercrime for financial gain, its toolset has been expanded with malware used to conduct espionage\r\nin Eastern Europe and Central Asia.\r\nThroughout our tracking, we’ve seen this group deploy its main backdoor as well as other tools against various\r\nvictims, but June 2019 was the first time we saw the Buhtrap group use a zero-day exploit as part of a campaign.\r\nIn that case, we observed Buhtrap using a local privilege escalation exploit, CVE-2019-1132, against one of its\r\nvictims.\r\nThe exploit abuses a local privilege escalation vulnerability in Microsoft Windows, specifically a NULL pointer\r\ndereference in the win32k.sys component. Once the exploit was discovered and analyzed, it was reported to the\r\nMicrosoft Security Response Center, who promptly fixed the vulnerability and released a patch.\r\nThis blog post covers the evolution of Buhtrap from a financial crime to an espionage mindset.\r\nHistory\r\nThe timeline in Figure 1 highlights some of the most important developments in Buhtrap activity.\r\nFigure 1. Important events in Buhtrap timeline\r\nIt is always difficult to attribute a campaign to a particular actor when their tools’ source code is freely available\r\non the web. 
However, as the shift in targets occurred before the source code leak, we assess with high confidence\r\nthat the same people behind the first Buhtrap malware attacks against businesses and banks are also involved in\r\ntargeting governmental institutions.\r\nhttps://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/\r\nPage 1 of 8\n\nAlthough new tools have been added to their arsenal and updates applied to older ones, the tactics, techniques and\r\nprocedures (TTPs) used in the different Buhtrap campaigns have not changed dramatically over all these years.\r\nThey still make extensive use of NSIS installers as droppers and these are mainly delivered through malicious\r\ndocuments. Also, several of their tools are signed with valid code-signing certificates and abuse a known,\r\nlegitimate application to side-load their malicious payloads.\r\nThe documents employed to deliver the malicious payloads often come with benign decoy documents to avoid\r\nraising suspicions if the victim opens them. The analysis of these decoy documents provides clues about who the\r\ntargets might be. When Buhtrap was targeting businesses, the decoy documents would typically be contracts or\r\ninvoices. Figure 2 is a typical example of a generic invoice the group used in a campaign in 2014.\r\nFigure 2. Decoy document used in campaigns against Russian businesses\r\nWhen the group’s focus shifted to banks, the decoy documents were related to banking system regulations or\r\nadvisories from FinCERT, an organization created by the Russian government to provide help and guidance to its\r\nfinancial institutions (such as the example in Figure 3).\r\nFigure 3. Decoy document used in campaigns against Russian financial institutions\r\nHence, when we first saw decoy documents related to government operations, we immediately started to track\r\nthese new campaigns. 
One of the first malicious samples showing such a change was noticed in December 2015.\r\nIt downloaded an NSIS installer whose role was to install the main Buhtrap backdoor, but the decoy document –\r\nseen in Figure 4 – was intriguing.\r\nFigure 4. Decoy document used in campaigns against governmental organizations\r\nThe URL in the text is revealing. It is very similar to the State Migration Service of Ukraine website, dmsu.gov.ua.\r\nThe text, in Ukrainian, asks employees to provide their contact information, especially their email addresses. It\r\nalso tries to convince them to click on the malicious domain included in the text.\r\nThis was the first of many malicious samples we encountered being used by the Buhtrap group to target\r\ngovernment institutions. Another, more recent decoy document that we believe was also distributed by the\r\nBuhtrap group is seen in Figure 5 – a document which would appeal to a very different set of people, but still\r\ngovernment-related.\r\nFigure 5. Decoy documents used in campaigns against governmental organizations\r\nAnalysis of the targeted campaigns leading to zero-day usage\r\nThe tools used in the espionage campaigns were very similar to those used against businesses and financial\r\ninstitutions. One of the first malicious samples we analyzed that targeted governmental organizations was a\r\nsample with SHA-1 hash 2F2640720CCE2F83CA2F0633330F13651384DD6A. This NSIS installer downloads\r\nthe regular package containing the Buhtrap backdoor and displays the decoy document shown in Figure 4.\r\nSince then, we’ve seen several different campaigns against governmental organizations coming from this group.\r\nIn these, they were routinely using vulnerabilities to elevate their privileges in order to install their malware.\r\nWe’ve seen them exploit old vulnerabilities such as CVE-2015-2387. 
However, they were always known\r\nvulnerabilities. The zero-day they used recently was part of the same pattern: using it so that they could run their\r\nmalware with the highest privileges.\r\nThroughout the years, packages with different functionalities appeared. Recently, we found two new packages that\r\nare worth describing as they deviate from the typical toolset.\r\nLegacy backdoor with a twist – E0F3557EA9F2BA4F7074CAA0D0CF3B187C4472FF\r\nThis document contains a malicious macro that, when enabled, drops an NSIS installer whose task is to prepare\r\ninstallation of the main backdoor. However, this NSIS installer is very different from the earlier versions used by\r\nthis group. It is much simpler and is only used to set the persistence and launch two malicious modules embedded\r\nwithin it.\r\nThe first module, called “grabber” by its author, is a standalone password stealer. It tries to harvest passwords\r\nfrom mail clients, browsers, etc., and sends them to a C\u0026C server. This module was also detected as part of the\r\ncampaign using the zero-day. This module uses standard Windows APIs to communicate with its C\u0026C server.\r\nFigure 6. Grabber module network capabilities\r\nThe second module is something that we have come to expect from Buhtrap operators: an NSIS installer\r\ncontaining a legitimate application that will be abused to side-load the Buhtrap main backdoor. The legitimate\r\napplication that is abused in this case is AVZ, a free anti-virus scanner.\r\nMeterpreter and DNS tunneling – C17C335B7DDB5C8979444EC36AB668AE8E4E0A72\r\nThis document contains a malicious macro that, when enabled, drops an NSIS installer whose task is to prepare\r\ninstallation of the main backdoor. Part of the installation process is to set up firewall rules to allow the malicious\r\ncomponent to communicate with the C\u0026C server. 
Next is a command example the NSIS installer uses to set up\r\nthese rules:\r\ncmd.exe /c netsh advfirewall firewall add rule name=\\\"Realtek HD Audio Update Utility\\\" dir=in action=allow\r\nprogram=\\\"\u003cpath\u003e\\RtlUpd.exe\\\" enable=yes profile=any\r\nHowever, the final payload is something that we have never seen associated with Buhtrap. Encrypted in its body\r\nare two payloads. The first one is a very small shellcode downloader, while the second one is Metasploit’s\r\nMeterpreter. Meterpreter is a reverse shell that grants its operators full access to the compromised system.\r\nThe Meterpreter reverse shell actually uses DNS tunnelling to communicate with its C\u0026C server by using a\r\nmodule similar to what is described here. Detecting DNS tunnelling can be difficult for defenders, since all\r\nmalicious traffic is done via the DNS protocol, as opposed to the more regular TCP protocol. Below is a snippet of\r\nthe initial communication of this malicious module.\r\n7812.reg0.4621.toor.win10.ipv6-microsoft[.]org\r\n7812.reg0.5173.toor.win10.ipv6-microsoft[.]org\r\n7812.reg0.5204.toor.win10.ipv6-microsoft[.]org\r\n7812.reg0.5267.toor.win10.ipv6-microsoft[.]org\r\n7812.reg0.5314.toor.win10.ipv6-microsoft[.]org\r\n7812.reg0.5361.toor.win10.ipv6-microsoft[.]org\r\n[…]\r\nThe C\u0026C server domain name in this example is impersonating Microsoft. In fact, the attackers registered\r\ndifferent domain names for these campaigns, most of them abusing Microsoft brands in one way or another.\r\nConclusion\r\nWhile we do not know why this group has suddenly shifted targets, it is a good example of the increasingly\r\nblurred lines between pure espionage groups and those primarily involved in crimeware activities. 
In this case, it\r\nis unclear if one or several members of this group decided to change focus and for what reasons, but it is definitely\r\nsomething that we are likely to see more of going forward.\r\nIndicators of Compromise (IoCs)\r\nESET detection names\r\nVBA/TrojanDropper.Agent.ABM\r\nVBA/TrojanDropper.Agent.AGK\r\nWin32/Spy.Buhtrap.W\r\nWin32/Spy.Buhtrap.AK\r\nWin32/RiskWare.Meterpreter.G\r\nMalware samples\r\nMain packages SHA-1\r\n2F2640720CCE2F83CA2F0633330F13651384DD6A\r\nE0F3557EA9F2BA4F7074CAA0D0CF3B187C4472FF\r\nC17C335B7DDB5C8979444EC36AB668AE8E4E0A72\r\nGrabber SHA-1\r\n9c3434ebdf29e5a4762afb610ea59714d8be2392\r\nC\u0026C servers\r\nhttps://hdfilm-seyret[.]com/help/index.php\r\nhttps://redmond.corp-microsoft[.]com/help/index.php\r\ndns://win10.ipv6-microsoft[.]org\r\nhttps://services-glbdns2[.]com/FIGm6uJx0MhjJ2ImOVurJQTs0rRv5Ef2UGoSc\r\nhttps://secure-telemetry[.]net/wp-login.php\r\nCertificates\r\nCompany name | Fingerprint\r\nYUVA-TRAVEL | 5e662e84b62ca6bdf6d050a1a4f5db6b28fbb7c5\r\nSET\u0026CO LIMITED | b25def9ac34f31b84062a8e8626b2f0ef589921f\r\nMITRE ATT\u0026CK techniques\r\nTactic | ID | Name | Description\r\nExecution | T1204 | User execution | The user must run the executable.\r\nExecution | T1106 | Execution through API | Executes additional malware through CreateProcess.\r\nExecution | T1059 | Command-Line Interface | Some packages provide Meterpreter shell access.\r\nPersistence | T1053 | Scheduled Task | Some of the packages create a scheduled task to be executed periodically.\r\nDefense evasion | T1116 | Code Signing | Some of the samples are signed.\r\nCredential Access | T1056 | Input Capture | Backdoor contains a keylogger.\r\nCredential Access | T1111 | Two-Factor Authentication Interception | Backdoor actively searches for a connected smart card.\r\nCollection | T1115 | Clipboard Data | Backdoor logs clipboard content.\r\nExfiltration | T1020 | Automated Exfiltration | Log files are automatically exfiltrated.\r\nExfiltration | T1022 | Data Encrypted | Data sent to C\u0026C is encrypted.\r\nExfiltration | T1041 | Exfiltration Over Command and Control Channel | Exfiltrated data is sent to a server.\r\nCommand and Control | T1043 | Commonly Used Port | Communicates with a server using HTTPS.\r\nCommand and Control | T1071 | Standard Application Layer Protocol | HTTPS is used.\r\nCommand and Control | T1094 | Custom Command and Control Protocol | Meterpreter is using DNS tunneling to communicate.\r\nCommand and Control | T1105 | Remote File Copy | Backdoor can download and execute file from C\u0026C server.\r\nSource: https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/"
	],
	"report_names": [
		"buhtrap-zero-day-espionage-campaigns"
	],
	"threat_actors": [
		{
			"id": "01d569b1-f089-4a8f-8396-85078b93da26",
			"created_at": "2023-01-06T13:46:38.411615Z",
			"updated_at": "2026-04-10T02:00:02.963422Z",
			"deleted_at": null,
			"main_name": "BuhTrap",
			"aliases": [],
			"source_name": "MISPGALAXY:BuhTrap",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb",
			"created_at": "2022-10-25T16:07:23.427162Z",
			"updated_at": "2026-04-10T02:00:04.594113Z",
			"deleted_at": null,
			"main_name": "Buhtrap",
			"aliases": [
				"Buhtrap",
				"Operation TwoBee",
				"Ratopak Spider",
				"UAC-0008"
			],
			"source_name": "ETDA:Buhtrap",
			"tools": [
				"AmmyyRAT",
				"Buhtrap",
				"CottonCastle",
				"FlawedAmmyy",
				"NSIS",
				"Niteris EK",
				"Nullsoft Scriptable Install System",
				"Ratopak"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434563,
	"ts_updated_at": 1775791528,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/392edc2d1ef6f98a2313ffb75797a2edcda12355.pdf",
		"text": "https://archive.orkl.eu/392edc2d1ef6f98a2313ffb75797a2edcda12355.txt",
		"img": "https://archive.orkl.eu/392edc2d1ef6f98a2313ffb75797a2edcda12355.jpg"
	}
}