{
	"id": "c5d3855a-68e0-488a-b43b-c2614ab6d305",
	"created_at": "2026-04-06T00:15:22.046648Z",
	"updated_at": "2026-04-10T03:33:20.072985Z",
	"deleted_at": null,
	"sha1_hash": "3b7cd178303c3da0b5c3f4487b396e19c6cc5589",
	"title": "The KeyBoys are back in town",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1097889,
	"plain_text": "The KeyBoys are back in town\r\nBy PricewaterhouseCoopers\r\nArchived: 2026-04-05 14:21:40 UTC\r\nAnalysis\r\nOur analysis starts with a Microsoft Word document named 2017 Q4 Work Plan.docx (with a hash of\r\n292843976600e8ad2130224d70356bfc), which was created on 2017-10-11 by a user called “Admin”, and first\r\nuploaded to VirusTotal, a website and file scanning service, on the same day, by a user in South Africa.\r\nCuriously, the Word document does not contain any macros, or even an exploit. Rather, it uses a technique\r\nrecently reported on by SensePost, which allows an attacker to craft a Microsoft Word document that abuses\r\nthe Dynamic Data Exchange (DDE) protocol. DDE traditionally allows for the sending of\r\nmessages between applications that share data, for example from Word to Excel or vice versa. In the case reported\r\non by SensePost, this allowed for the fetching or downloading of remote payloads, using PowerShell for example.\r\nFigure 1 – Word Error\r\nOnce we extract the initial document, using 7-zip for example, we can observe the usual structure, and inside, a\r\nfile called document.xml is of interest. In this XML, a remote payload, in this case a DLL, will be downloaded\r\nusing PowerShell, moved to the user’s temporary folder, and run using rundll32.exe, starting in the HOK function\r\nor export. 
Figure 2 shows the relevant part in our XML file.\r\nFigure 2 - Download and payload execution\r\nThis debug.dll is a PE32 binary file with the following properties:\r\nmd5 hash: 64b2ac701a0d67da134e13b2efc46900\r\nsha1 hash: 1bb516d70591a5a0eb55ee71f9f38597f3640b14\r\nsha256 hash: f3f55c3df39b85d934121355bed439b53501f996e9b39d4abed14c7fe8081d92\r\nsize: 531,456 bytes\r\ninternal DLL name: InstallClient.dll\r\ncompiler: Microsoft\r\nlinker: Microsoft Linker(14.0)[DLL32]\r\ncompilation time: 2017-07-06 08:50:10\r\nThis DLL serves as a dropper for the actual payload, and as such the internal name of ‘InstallClient’ is an apt\r\nchoice by the threat actor. Developing a Yara rule for the simple dropper DLL yielded several new binaries.\r\nWe have analysed d6ddecdb823de235dd650c0f7a2f3d8f, which also has InstallClient.dll as its internal name, as it\r\nseems to be the earliest dropper DLL used in this campaign, and does not appear to be very different from any of\r\nthe other DLLs so far uncovered.\r\nThe DLL starts in the function named Insys, which performs some simple checks, for example whether the current user\r\naccount is an administrator, and subsequently calls the function named SSSS, which is the main function.\r\nA substantial number of actions then follow, as defined in the SSSS function:\r\nPrepare the target DLL, in this case rasauto.dll, for replacement in C:\\Windows\\System32;\r\nStop the service belonging to the target DLL, and use the takeown and icacls commands to gain full\r\npermissions for the system service DLL;\r\nDisable Windows File Protection, which 
normally prevents software or users from replacing critical\r\nWindows files;\r\nSuppress any Windows error messages from popping up on boot;\r\nCopy the target DLL, rasauto.dll, to a new file named rasauto32.dll;\r\nReplace the target DLL with the malware’s DLL, which is time-stomped in order to evade detection;\r\nStart the now malicious service using net.exe and net1.exe; and,\r\nCreate configuration and keylogs in C:\\Windows\\system32, using an uncommon extension, in this case\r\n.tsp, and additionally create a folder in C:\\Programdata for the purpose of screen captures.\r\nThe malware will also, in some observed cases, output debug or error messages in a newly created file in the\r\nuser’s Application Data folder as DebugLog.TXT, for example:\r\n\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\DebugLog.TXT\r\nThe original dropper DLL will then be deleted, using a simple batch file that runs in a loop. In Figures 3 to 5,\r\nthe target DLL, the original and new DLL, as well as the full process flow are shown.\r\nFigure 3 - Target DLL, config and keylog file built dynamically on the stack\r\nFigure 4 - Real and fake rasauto.dll (rasauto32.dll is the real or original DLL)\r\nFigure 5 - Complete process flow\r\nWhile visually there appears to be no difference, because the malware is time-stomped (altering the created and\r\nmodified dates of a file or folder), we can nevertheless observe a few subtle differences between the real and malicious\r\nbinaries.\r\nFigure 6 - Subtle differences\r\nAs can be seen in Figure 6, the fake DLL has a different link date, some minor spelling mistakes, and does not\r\ninclude the build in the file version details. 
As the malware also disables Windows File Protection and thus any\r\npop-ups, it may not be immediately obvious to system administrators that a legitimate DLL was actually replaced.\r\nThe following commands are issued in order to achieve persistence:\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v SFCDisable /t REG_DWORD /d 4 /f\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Windows\" /v NoPopUpsOnBoot /t REG_DWORD /d 1 /f\r\nTaking a look at the Windows registry for our service, RasAuto, short for Remote Access Auto Connection\r\nManager and historically used for connecting dial-up modems to the internet for example, reveals no specific\r\nadditional modifications.\r\nDllhost.exe is additionally seen to call back or phone home to a hardcoded range of C2 servers, on ports 53, 80,\r\nand 443.\r\nFigure 7 - Dllhost connecting to a remote address\r\nDllhost usually has no need to connect to the internet or WAN, and as such it is a possible indicator of malicious\r\nactivity.\r\nAttaching a debugger to dllhost.exe reveals the keylogger files and configuration, the replaced DLL file, as well as\r\nanother folder, which is likely used to store screenshots and other data. 
Another ASCII string can be discovered in\r\nthe DLL’s config, MDDEFGEGETGIZ, which likely pertains to the specific KeyBoy campaign, or target.\r\nFigure 8 - ASCII dump\r\nThe malware leveraged by KeyBoy has a plethora of functionality, including, but not limited to:\r\nScreen grabbing/taking screenshots;\r\nDetermining the public or WAN IP address (using a public IP service), likely to identify a suitable target;\r\nGathering extended system information, such as information about the operating system, disks, memory and\r\nso on;\r\nA ‘file browser’ or explorer;\r\nShutdown and reboot commands (in addition to the point below);\r\nLaunching interactive shells for communicating with the victim machine;\r\nDownload and upload functionality; and\r\nUsage of custom SSL libraries for masquerading C2 traffic.\r\nInterestingly enough, the malware developers left several unique debug messages, for example:\r\nGetScreenCmd from file:%s\r\nTake Screen Error,May no user login!\r\nTake Screen Error,service dll not exists\r\nEarlier, we mentioned the threat actor uses custom SSL libraries to communicate with the C2. While we have been\r\nunable to observe this behavior in any traffic logs, we were able to extract a certificate, which can be found in\r\nAppendix B. Converting this certificate to the DER format, we find strings pointing to jessma.org, and an email\r\naddress, ldcsaa@21cn.com. 
These belong to projects by a Chinese developer, where one of the tools or libraries is\r\nnamed HP-Socket, which is a ‘High Performance TCP/UDP Socket Component’.\r\nAdditionally, said library sported an interesting debug path:\r\nD:\\Work\\VS\\Horse\\TSSL\\TSSL_v0.3.1_20170722\\TClient\\Release\\TClient.pdb\r\nIn addition to writing a Yara rule for the dropper DLL and finding additional samples as mentioned above, we\r\nrepeated the same process for the payload DLL. Table 1 below lists the other payloads found, together with the\r\nWindows DLL and service each one impersonates.\r\nHash Impersonated DLL Impersonated service\r\na55b0c98ac3965067d0270a95e60e87e ikeext.dll IKE and AuthIP IPsec Keying Modules\r\n2e04cdf98aead9dd9a5210d7e601cca7 rasauto.dll Remote Access Auto Connection Manager\r\nd6ddecdb823de235dd650c0f7a2f3d8f rasauto.dll Remote Access Auto Connection Manager\r\n1dbbdd99cb8d7089ab31efb5dcf09706 sinet.dll Unknown\r\n581ddf0208038a90f8bc2cdc75833425 sinet.dll Unknown\r\nTable 1 - Impersonated DLLs\r\nSinet.dll may relate to SPlayer, a popular video player in China.\r\nRelated samples\r\nHunting further, we have discovered samples similar to the ones described above, with additional interesting\r\ndebug paths:\r\nHash Debug path\r\n7d39cef34bdc751e9cf9d46d2f0bef95 D:\\work\\vs\\UsbFerry_v2\\bin\\UsbFerry.pdb\r\n29e44cfa7bcde079e9c7afb23ca8ef86 E:\\Work\\VS Project\\cyassl-3.3.0\\out\\SSLClient_x64.pdb\r\nTable 2 - Other debug paths\r\nBoth samples include references to a “work” folder, and a “VS” or “VS Project”. The latter likely points to a\r\nVisual Studio project short name, or VS. 
While the connection initially seems rather weak, it did hit the same Yara\r\nrule as mentioned before, and the sample with hash 29e44cfa7bcde079e9c7afb23ca8ef86 additionally includes an\r\nSSL certificate, which, when converted, points to another custom SSL library, called WolfSSL, which is “a\r\nsmall, fast, portable implementation of TLS/SSL for embedded devices to the cloud”. The same hash or binary\r\nalso includes what we assess to be a campaign name or KeyBoy version identifier, which is weblogic20170727.\r\nAnother sample which hit our Yara rule is 7aea7486e3a7a839f49ebc61f1680ba3, which was first uploaded to\r\nVirusTotal on 2017-08-25. This sample appears to be an older variant of KeyBoy, as there are several plain-text\r\nstrings present, which are consistent with CitizenLab’s report referenced in the introduction.\r\nAll samples (hashes) and other indicators are provided in Appendix A.\r\nInfrastructure\r\nWe have mapped out the complete infrastructure that we have discovered, using Maltego, as shown in Figure 9.\r\nFigure 9 - C2 graphing\r\nThere was some overlap between the samples and infrastructure, and one email address stands out, as it is\r\nlinked to several domains: 657603405@qq[.]com. This email address does not appear to have been observed\r\nbefore.\r\nOne other relevant point to note in regards to the infrastructure is the use of dates, likely relating to campaign\r\nnames, as part of the C2 server names. 
Examples include:\r\nWeblogic727.xxuz[.]com (2017-07-27 campaign); and,\r\nWeblogic1709.zzux[.]com (2017-09-17 campaign).\r\nAll C2s are provided in Appendix A.\r\nConclusion\r\nIn this report, we have analysed what we assess, with high confidence, to be (part of) the latest KeyBoy campaign,\r\na threat actor that has been active for several years, and displays at least a medium level of technical and\r\noperational know-how.\r\nSeveral connections can be made to CitizenLab’s report from 2016, such as the continued usage of fake services\r\nand related DLLs, powerful capabilities, several exports and strings present in the (sometimes decrypted) DLLs,\r\nas well as campaign or version identifiers which are reminiscent of and consistent with earlier reported identifiers.\r\nWhile we do not have clear visibility of targeting, it does appear that this latest campaign targets at least some\r\nWestern organisations, likely for corporate espionage purposes. Organisations can refer to Appendix A in order to\r\nsearch for any possible indicators of compromise. Additionally, organisations may wish to disable default\r\nadministrator credentials, which will prevent unauthorised services from being installed.\r\nFurther Information\r\nClients who are part of our threat intelligence subscription services can refer to our latest report CTO-TIB-20171019-01A - KeyBoy's new toys, which includes more information as well as rules in order to detect\r\nKeyBoy’s latest campaign. If you would like more information on any of the threats discussed in this alert, or you\r\nsuspect you may be compromised, please feel free to get in touch by emailing threatintelligence@uk.pwc.com.\r\nSource: https://web.archive.org/web/20211129064701/https://www.pwc.co.uk/issues/cyber-security-services/research/the-keyboys-are-back-in-town.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20211129064701/https://www.pwc.co.uk/issues/cyber-security-services/research/the-keyboys-are-back-in-town.html"
	],
	"report_names": [
		"the-keyboys-are-back-in-town.html"
	],
	"threat_actors": [
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bef7800a-a08f-4e21-b65c-4279c851e572",
			"created_at": "2022-10-25T15:50:23.409336Z",
			"updated_at": "2026-04-10T02:00:05.319608Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"Tropic Trooper",
				"Pirate Panda",
				"KeyBoy"
			],
			"source_name": "MITRE:Tropic Trooper",
			"tools": [
				"USBferry",
				"ShadowPad",
				"PoisonIvy",
				"BITSAdmin",
				"YAHOYAH",
				"KeyBoy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724",
			"created_at": "2022-10-25T16:07:24.344358Z",
			"updated_at": "2026-04-10T02:00:04.947834Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"APT 23",
				"Bronze Hobart",
				"Earth Centaur",
				"G0081",
				"KeyBoy",
				"Operation Tropic Trooper",
				"Pirate Panda",
				"Tropic Trooper"
			],
			"source_name": "ETDA:Tropic Trooper",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"ByPassGodzilla",
				"CHINACHOPPER",
				"CREDRIVER",
				"China Chopper",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"KeyBoy",
				"Neo-reGeorg",
				"PCShare",
				"POISONPLUG.SHADOW",
				"Poison Ivy",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Swor",
				"TSSL",
				"USBferry",
				"W32/Seeav",
				"Winsloader",
				"XShellGhost",
				"Yahoyah",
				"fscan",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434522,
	"ts_updated_at": 1775792000,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b7cd178303c3da0b5c3f4487b396e19c6cc5589.pdf",
		"text": "https://archive.orkl.eu/3b7cd178303c3da0b5c3f4487b396e19c6cc5589.txt",
		"img": "https://archive.orkl.eu/3b7cd178303c3da0b5c3f4487b396e19c6cc5589.jpg"
	}
}