{
	"id": "453303e6-e04e-4058-8928-208d94c20ee9",
	"created_at": "2026-04-06T00:16:40.67456Z",
	"updated_at": "2026-04-10T03:32:09.270915Z",
	"deleted_at": null,
	"sha1_hash": "393031d781b28cf189c08ec67fb235f912396acb",
	"title": "More Flagpro, More Problems",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 595281,
	"plain_text": "More Flagpro, More Problems\r\nPublished: 2021-12-12 · Archived: 2026-04-05 20:14:29 UTC\r\nNo stranger to this blog, BlackTech has continued to modify techniques to compromise networks and even\r\nsuffered an OPSEC slip in the way of an open directory.\r\nThis post will cover a malicious document similar to that identified by [1] PWC and [2] NTT in the previous\r\nreporting on the group. While I cannot definitively answer that the malicious executable recovered in this case is\r\nFlagpro, I would like to highlight some of the similarities and differences found in this sample.\r\nAn Empty Excel Doc\r\nFigure 1\r\nSHA256:0911e5d1ec48430ff9a863f5c4a38f0c71872d8bd6c89f07d6ae16d78eca162f\r\nFilename: 2021-10工资中公积金问题咨询.xlsm (roughly translates to “Constitution on Provident Fund Issues in\r\n2021-10 Salary”. Google Translate)\r\nWhile there isn’t much in the way of a lure to entice the user to open the document, the title and delivery method\r\nwould likely pique a user’s interest. Upon enabling content, a Windows executable named dwm.exe is dropped\r\ninto the Startup folder which ensures persistence and is executed.\r\nThe malicious macros embedded in the Excel document are almost an exact copy of the code seen in the PWC\r\nreport. Although the malicious executable is named dwm.exe, this isn’t the original name of the application as can\r\nbe seen in Figure 2.\r\nhttps://cyberandramen.net/2021/12/12/more-flagpro-more-problems/\r\nPage 1 of 6\n\nFigure 2\r\nWhat’s New\r\nThe Microsoft Foundation Class, or MFC is also heavily utilized in the dropped file. A number of the MFC\r\nlibraries found running strings on this sample differed from previous reports on Flagpro.\r\nNote the absence of the “CV20” prefixes in Figure 3 on the MFC classes, as reported by NTT Security. Previous\r\nreporting theorized that the CV20 served as the version number for Flagpro. This minor development change\r\ncould have been in response to public reporting, or to different development practices.\r\nFigure 3\r\nIn PWC’s VB 2021 localhost presentation, the mutex identified for Flagpro malware began with “71564__”.\r\nMutexes associated with this sample are below.\r\nZonesCacheCounterMutex\r\nZonesLockedCacheCounterMutex.\r\nFigure 4\r\nWhile this is certainly not a smoking gun, these are somewhat interesting development changes to the malware.\r\nOpening the executable in Ghidra, the command and control (C2) domain is broken up over three different\r\nvariables, initialized in reverse order.\r\nAdditionally, the HTTP request headers and User-Agent were similarly hardcoded and pieced back together before\r\nmaking a request.\r\nFigure 5\r\nFigure 6\r\nUtilizing MFC classes allows threat actors to wrap Windows APIs routinely linked to malware inside the MFC\r\nlibrary. A majority of the suspicious code can be found in the DoModal function, which houses a number of calls\r\nlinked to taking screenshots of the victim’s computer.\r\nFigure 7\r\nNetwork Indicators\r\nAs identified in Figure 6, dwm.exe contacted the following domain:\r\ncentos.onthewifi[.]com\r\nRegistrar: TLDS L.L.C. d/b/a SRSPlus\r\nResolving IP: 103.195.150[.]181\r\nLocation: Hong Kong\r\nOrganization: Cloudie Limited\r\nIf you have read prior reporting on BlackTech intrusion operations, the above domain naming scheme should\r\ncome as no surprise. Like other threat actors, BlackTech tends to use software and security companies for their C2\r\ndomain naming. The threat actor has used some form of “centos” as a C2 domain on at least four different\r\noccasions.\r\nAccording to PassiveDNS (pDNS) information, centos.onthewifi[.]com previously resolved to 172.104.109[.]217.\r\nUtilizing ZoomEye to investigate the previous IP, the same “Hello Boy” C2 response NTT-Security reported on is\r\ndisplayed. An additional response of “1” was also found at the same IP on port 80/https.\r\nFigure 8\r\nFigure 9\r\nAn additional domain possibly linked to the above is redhatstate.hopto[.]org which is also hosted at\r\n103.195.150[.]181.\r\nA special thanks to Twitter user, @500mk500 for noticing the above domain that matches previous BlackTech\r\ndomain naming.\r\nConclusion\r\nThe above are not definitive links to BlackTech, however, I believe the similarities are strong enough to warrant\r\nattention and maybe a closer look by analysts. Changes in domain hosting should also be of interest to APT\r\nnetwork infrastructure hunters, as this could be a change in technique or simply a new team has taken over\r\nprocurement of network infrastructure. In any case, BlackTech remains an aggressive actor intent on cyber\r\nespionage in the APAC region.\r\nEndnotes\r\n[1] https://vblocalhost.com/uploads/VB2021-50.pdf\r\n[2] https://insight-jp.nttsecurity.com/post/102h7vx/blacktechflagpro (Japanese)\r\nSource: https://cyberandramen.net/2021/12/12/more-flagpro-more-problems/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cyberandramen.net/2021/12/12/more-flagpro-more-problems/"
	],
	"report_names": [
		"more-flagpro-more-problems"
	],
	"threat_actors": [
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434600,
	"ts_updated_at": 1775791929,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/393031d781b28cf189c08ec67fb235f912396acb.pdf",
		"text": "https://archive.orkl.eu/393031d781b28cf189c08ec67fb235f912396acb.txt",
		"img": "https://archive.orkl.eu/393031d781b28cf189c08ec67fb235f912396acb.jpg"
	}
}