{
	"id": "1582e11f-42d0-447b-af8e-9c06e1e7f3d0",
	"created_at": "2026-04-06T00:06:13.706956Z",
	"updated_at": "2026-04-10T13:11:27.905366Z",
	"deleted_at": null,
	"sha1_hash": "3cd950534e27005723d08a906b4a0132491eb4a5",
	"title": "New Attacks Linked to C0d0so0 Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1073519,
	"plain_text": "New Attacks Linked to C0d0so0 Group\r\nBy Josh Grunzweig, Bryan Lee\r\nPublished: 2016-01-22 · Archived: 2026-04-05 22:29:51 UTC\r\nWhile recently researching unknown malware and attack campaigns using the AutoFocus threat intelligence\r\nplatform, Unit 42 discovered new activity that appears related to an adversary group previously called “C0d0so0”\r\nor “Codoso”. This group is well known for a widely publicized attack involving the compromise of Forbes.com, in\r\nwhich the site was used to compromise selected targets via a watering hole that delivered a zero-day Adobe Flash exploit.\r\nCompared to other adversary groups, C0d0so0 has shown the use of more sophisticated tactics and tools and has\r\nbeen linked to leveraging zero-day exploits on numerous occasions in combination with watering hole and spear\r\nphishing attacks.\r\nIn the newly discovered attack campaign, Unit 42 identified attacks targeting organizations within the\r\ntelecommunications, high tech, education, manufacturing, and legal services industries. The attacks likely were\r\ninitially delivered via spear-phishing e-mails, or as demonstrated by C0d0so0 in the past, legitimate websites that\r\nhad been previously compromised then used as watering holes for the selected victims.\r\nIn such situations, the victims would then be redirected to another set of compromised websites. These websites\r\nhosted malware that would be side-loaded with a legitimate signed executable. These tactics are becoming\r\nincreasingly common among malware authors in order to evade security products and controls. 
Two variants of the\r\nmalware employed by C0d0so0 were discovered—one that used HTTP for command and control (C2)\r\ncommunications, and one that used a custom network protocol over port 22.\r\nIn these newly discovered C0d0so0 attacks, several of the targeted hosts were identified as server systems, instead\r\nof user endpoints, suggesting the possibility that these specific targets will be used in future attacks as additional\r\nwatering holes. Both of the malware variants encoded and compressed the underlying network traffic to bypass\r\nany network-based security controls that were implemented.\r\nThe malware variants in question do not appear to belong to any known malware family, although the structure of\r\nthe network communication does bear a resemblance to the Derusbi malware family, which has been shown to be\r\nunique to Chinese cyber espionage operators. Past observations of Derusbi in various attack campaigns indicate\r\nthe version used was compiled specifically for that campaign. Derusbi has had both the client and server variants\r\ndeployed, using different combinations of configurations and modules. The newly discovered activity is consistent\r\nwith this procedure, with compile times only a few days prior to the observed attacks.\r\nInfrastructure\r\nhttps://unit42.paloaltonetworks.com/new-attacks-linked-to-c0d0s0-group/\r\nPage 1 of 12\n\nFigure 1: Attacker infrastructure\r\nThe following primary C2 servers for the malware variants were identified:\r\njbossas[.]org\r\nsupermanbox[.]org\r\nmicrosoft-cache[.]com\r\nThe ‘jbossas’ and ‘supermanbox’ domains were found to resolve to the same Hong Kong-based IP address,\r\n121.54.168.230. A total of three unique samples were identified communicating with these two domains using the\r\nraw network protocol communicating over port 22. 
They used what appeared to be three separate legitimate\r\nwebsites that looked to be compromised for malware distribution.\r\nThe ‘microsoft-cache’ domain was used by the malware variant that communicated over HTTP. We found four\r\nunique samples communicating with this domain, which resolved to the same Hong Kong-based IP address used\r\nby the first two domains.\r\nMalware Analysis – HTTP Variant\r\nThis variant was disguised as a serial number generator for the popular AVG anti-virus product. When executed,\r\nthe binary will drop and run the serial generator for AVG.\r\nFigure 2: AVG serial generator\r\nIt will also drop the following two files:\r\n%LOCALAPPDATA%\\dbgeng.dll\r\n%LOCALAPPDATA%\\fakerx86.exe\r\nThe dropped DLL in question is sideloaded with the legitimate fakerx86.exe executable, which is the symbolic\r\ndebugger for Microsoft Windows.\r\nUpon loading the malicious DLL, a number of encrypted blobs are decrypted using single-byte XOR keys. 
Strings\r\nare separated by five bytes of junk data, which is consistent across all samples witnessed.\r\nFigure 3: Decrypted strings\r\nThe following IDAPython script can be used to both decrypt and parse these encrypted blobs:\r\nimport idaapi\r\nimport idc\r\nfrom idc import *  # GetString and ASCSTR_C come from the IDA 6.x idc module\r\n\r\ndef xor(size, key, buff):\r\n    # Decrypt size bytes at buff in place with a single-byte XOR key\r\n    for index in range(0, size):\r\n        cur_addr = buff + index\r\n        temp = idc.Byte(cur_addr) ^ key\r\n        idc.PatchByte(cur_addr, temp)\r\n\r\ndef parse_config(size, buff):\r\n    # Walk the decrypted blob: each string is preceded by five bytes of junk\r\n    last_string = buff\r\n    while last_string \u003c buff + size:\r\n        next_string = last_string + 5\r\n        idaapi.make_ascii_string(next_string, 0, ASCSTR_C)\r\n        string = GetString(next_string, -1, ASCSTR_C)\r\n        if string is None:\r\n            # No C string at this offset; stop rather than fail on len(None)\r\n            break\r\n        print(\"Found string: %s\" % string)\r\n        # Skip past the string and its NUL terminator\r\n        last_string = next_string + len(string) + 1\r\n\r\ndef decrypt_and_parse(size, key, buff):\r\n    xor(size, key, buff)\r\n    parse_config(size, buff)\r\nAfter various data is decrypted, the malware will ensure that it is not running within the context of the\r\nrundll32.exe executable. This check acts as a simple anti-reversing mechanism, and ensures it is not\r\nrunning in either an analyst environment or a sandbox.\r\nIt continues to ensure persistent execution by setting the following registry key:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Debug Tools –\r\n%LOCALAPPDATA%\\fakerx86.exe\r\nThe malware variant continues to spawn new threads that are responsible for network communication and other\r\nmalicious activities. It then gathers information about the victim machine, including the following:\r\nMAC Address\r\nIP Address\r\nUsername\r\nHostname\r\nCPU Information\r\nThis information will eventually be exfiltrated via an HTTP POST request, as seen below. 
The data sent is base64-encoded.\r\nFigure 4: Malware exfiltrating victim information\r\nAll network communication for this malware variant takes place over HTTP. The server will respond with data\r\nsimilar to the following:\r\nFigure 5: C2 server response\r\nThe malware will parse the ‘background-color’ parameter in the C2 response to determine what offset it will read.\r\nIn the above example, the ‘028300’ is converted to an integer and divided by 100 to produce a result of 283. The\r\nmalware proceeds to read in data at offset 283. The first four bytes of this data represent the total length. The\r\nremaining data is base64-decoded and parsed. This base64-decoded data has the following data structure:\r\nFigure 6: Network data structure\r\nThe server will respond with a DLL file that has the following exports:\r\nStartWorker\r\nStopWorker\r\nWorkerRun\r\nDllEntryPoint\r\nWhen loaded, this DLL attempts to download further plugins from the remote server. 
At the time of analysis, no\r\nplugins were available as the command and control server was no longer active.\r\nMalware Analysis – Port 22 Variant\r\nThis variant, which appears to be more recent than the HTTP variant, is delivered via the filename of\r\n‘McAltLib.dll’ and is configured to be side-loaded with the legitimate McAfee mcs.exe executable.\r\nFigure 7: Malware side-loaded with mcs.exe executable\r\nWhen initially loaded, the malware will register itself as a service with the following parameters:\r\nService Name: Dncp\r\nDisplay Name: Dncp Client\r\nBinary Path: %SystemRoot%\\System32\\svchost.exe -k netsvcs\r\nStartup Type: SERVICE_AUTO_START\r\nAccount: LocalSystem\r\nAdditionally, the following registry keys are set or modified:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost\\netsvcs : Appends ‘Dncp’\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\Dncp\\Description: “Registers and updates IP addresses and DNS\r\nrecords for this computer.If this service is stopped, this computer will not receive dynamic IP addresses and DNS\r\nupdates.If this service is disabled, any services that explicitly depend on it will fail to start”\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\Dncp\\Parameters\\ServiceDll : Path to McAltLib.dll\r\nThese modifications configure the McAltLib.dll to execute in the context of a service and to be run automatically\r\nwhen the machine is rebooted. When the malware is initially executed, it will open and start the ‘Dncp’ service\r\nafter the service is created. When run in the context of a service, the malware will spawn two threads.\r\nThroughout execution of this variant, it will call a function responsible for decrypting subsequent instructions.\r\nAfter the instructions have completed executing, another function is called that will re-obfuscate the previously\r\nexecuted instructions. 
This acts as an anti-reversing technique by the author.\r\nFigure 8: Anti-reversing technique used by the malware\r\nOne of the threads is responsible for deleting the original McAfee mcs.exe executable. It will enter a loop\r\nattempting to delete the mcs.exe executable that is located in the same directory as McAltLib.dll.\r\nThe other thread is responsible for collecting victim information, communicating with a remote host, and\r\ndownloading/loading further malware. It begins by generating and parsing a configuration string. The following\r\nconfiguration string is used in this particular instance of the malware:\r\n/s www.supermanbox[.]org /p 22 /st 60 /rt 60\r\nIn the above example, the first parameter is the remote hostname and the second parameter is the port over which\r\ncommunication occurs. The remaining parameters are most likely used as sleep timers.\r\nIt proceeds to collect the following information from the victim:\r\nMAC Address\r\nIP Address\r\nUsername\r\nHostname\r\nCPU Information\r\nDefault Internet Explorer User-Agent\r\nThis information is exfiltrated in a newly spawned thread with a randomly chosen delay timer of 1-3 minutes in\r\nbetween attempts.\r\nThe malware then proceeds to send an initial beacon to the hostname/port that is configured within the binary.\r\nThis data contains victim information that was previously collected and the server responds with an\r\nacknowledgement. The malware proceeds to send a packet containing the victim's MAC address. These packets\r\nhave the following structure:\r\nIn the above example, only the first byte of the XOR key (0x84) is used for decryption. After the data is decrypted\r\nusing this single-byte XOR key, it will then be decompressed using the LZO algorithm. 
The data represented\r\nabove becomes the following after decryption and decompression take place:\r\n00000000: 2D 30 30 30 30 30 31 39 32 36 36 38 39 37 39 32 -000001926689792\r\n00000010: 36 00 00                                         6..\r\nThis string is generated via the MAC address of the victim machine. The MAC address is converted from its\r\noriginal hexadecimal representation to an integer and formatted via a call to printf. It is most likely used as a\r\nunique identifier for the victim. Finally, the malware sends a similar request, only with a packet type of ’00 07 02\r\n00’. The server responds with a DLL file that has the following exports:\r\nStartWorker\r\nStopWorker\r\nWorkerRun\r\nDllEntryPoint\r\nWhen loaded, this DLL attempts to download further plugins from the remote server. At the time of analysis, no\r\nplugins were available as the command and control server was no longer active.\r\nSimilarities with Forbes.com Breach\r\nWhen Forbes.com was compromised in November 2014, victims were infected with malware that loaded a file\r\nnamed wuservice.dll. Reverse-engineering this file indicates that the McAltLib.dll file identified in this attack is\r\nmost likely a newer variant of the malware found in the forbes.com attack.\r\nOf particular note, both samples use a single-byte XOR obfuscation routine where a large buffer is decrypted.\r\nStrings are separated by five bytes of garbage, as seen below.\r\nFigure 9: Comparison of string encryption between samples\r\nAs seen in the above screenshot, there is a large overlap in unique strings in both samples. The original sample\r\ninvolved in the forbes.com breach used HTTP, which is consistent with the original variant discussed in this blog\r\npost. 
It should be noted that while the newest variant that uses direct network communication over port 22 no\r\nlonger uses HTTP, references to the HTTP strings are still found within the sample itself. This is most likely due\r\nto code reuse by the attackers.\r\nOverall capabilities between the forbes.com sample and the newest variants discussed are consistent. All samples\r\nimplement the same overall capabilities, gathering and uploading victim information and attempting to download a\r\nsecondary DLL then calling that DLL’s ‘StartWorker’ exported function.\r\nConclusion\r\nThe tactics, techniques, and procedures (TTPs) used by C0d0so0 appear to be more sophisticated than those of many other\r\nadversary groups, with multiple layers of obfuscation in use, as well as specific victim targeting in what appears to\r\nbe an attempt at creating a staging area for additional attacks.\r\nUnit 42 will continue observation and research on this group’s activity, as it appears this may be the beginning of\r\nthe campaign. 
At this time, the following protections are in place for Palo Alto Networks customers:\r\nWildFire properly identifies samples as malicious\r\nAutoFocus tag created\r\nDomains flagged as malicious\r\nAppendix\r\nMD5: CD8C2BB644496D46BF1E91AD8A8F882B\r\nSHA1: CC6EBEEA48A12B396C5FA797E595A0C3B96942DE\r\nSHA256: 3EA6B2B51050FE7C07E2CF9FA232DE6A602AA5EFF66A2E997B25785F7CF50DAA\r\nSize: 137728 Bytes\r\nFile Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nCompile Time: 2015-11-18 15:03:50\r\nC2: www.supermanbox[.]org:22\r\nMD5: 26E863F917DA0B3F7A48304EB6D1B1D3\r\nSHA1: F7984427093BA1FC08412F8594944CEFE2D86CBF\r\nSHA256: 3577845D71AE995762D4A8F43B21ADA49D809F95C127B770AFF00AE0B64264A3\r\nSize: 138752 Bytes\r\nFile Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nCompile Time: 2015-11-19 16:57:29\r\nC2: www.jbossas[.]org:22\r\nMD5: B06A3A9744E9D4C059422E7AD729EF90\r\nSHA1: 9BA2249F0A8108503820E2D9C8CBFF941089CB2D\r\nSHA256: EA67D76E9D2E9CE3A8E5F80FF9BE8F17B2CD5B1212153FDF36833497D9C060C0\r\nSize: 136704 Bytes\r\nFile Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nCompile Time: 2015-11-16 16:21:22\r\nC2: supermanbox[.]org:22\r\nMD5: 1CB673679F37B6A3F482BB59B52423AB\r\nSHA1: B630B7A8FE065E1A6F51EE74869B3938DC411126\r\nSHA256: B690394540CAB9B7F8CC6C98FD95B4522B84D1A5203B19C4974B58829889DA4C\r\nSize: 126976 Bytes\r\nFile Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nCompile Time: 2015-07-15 09:38:15\r\nC2: www.microsoft-cache[.]com\r\nMD5: 39A95C4CBF28EAA534C8F4FC311FE558\r\nSHA1: F6AEE373F2517F2FB686284C27A84A20999A15A5\r\nSHA256: CCF87057A4AB02E53BFF5828D779A6E704B040AEF863F66E8F571638D7D50CD2\r\nSize: 1973747 Bytes\r\nFile Type: PE32 executable (GUI) Intel 80386, for MS Windows\r\nCompile Time: 2013-06-21 06:26:37\r\nC2: www.microsoft-cache[.]com\r\nMD5: 8AFECC8E61FE3805FDD41D4591710976\r\nSHA1: 
615B022A56E2473B92C22EFA9198A2210F21BDC3\r\nSHA256: DE33DFCE8143F9F929ABDA910632F7536FFA809603EC027A4193D5E57880B292\r\nSize: 126980 Bytes\r\nFile Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nCompile Time: 2015-07-15 09:38:15\r\nC2: www.microsoft-cache[.]com\r\nMD5: 2161C859B21C1B4B430774DF0837DA9D\r\nSHA1: 380FB5278907FAF3FCA61910F7ED9394B2337EDA\r\nSHA256: DE984EDA2DC962FDE75093D876EC3FE525119DE841A96D90DC032BFB993DBDAC\r\nSize: 117248 Bytes\r\nFile Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nCompile Time: 2015-07-08 13:18:55\r\nC2: www.microsoft-cache[.]com\r\nSource: https://unit42.paloaltonetworks.com/new-attacks-linked-to-c0d0s0-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/new-attacks-linked-to-c0d0s0-group/"
	],
	"report_names": [
		"new-attacks-linked-to-c0d0s0-group"
	],
	"threat_actors": [
		{
			"id": "1f3cf3d1-4764-4158-a216-dd6352e671bb",
			"created_at": "2022-10-25T15:50:23.837615Z",
			"updated_at": "2026-04-10T02:00:05.322197Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"APT19",
				"Codoso",
				"C0d0so0",
				"Codoso Team",
				"Sunshop Group"
			],
			"source_name": "MITRE:APT19",
			"tools": [
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f",
			"created_at": "2022-10-25T16:07:23.335869Z",
			"updated_at": "2026-04-10T02:00:04.547702Z",
			"deleted_at": null,
			"main_name": "APT 19",
			"aliases": [
				"APT 19",
				"Bronze Firestone",
				"C0d0so0",
				"Checkered Typhoon",
				"Codoso",
				"Deep Panda",
				"G0009",
				"G0073",
				"Operation Kingslayer",
				"Red Pegasus",
				"Sunshop Group",
				"TG-3551"
			],
			"source_name": "ETDA:APT 19",
			"tools": [
				"Agentemis",
				"C0d0so0",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"EmPyre",
				"EmpireProject",
				"Fire Chili",
				"PowerShell Empire",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775433973,
	"ts_updated_at": 1775826687,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3cd950534e27005723d08a906b4a0132491eb4a5.pdf",
		"text": "https://archive.orkl.eu/3cd950534e27005723d08a906b4a0132491eb4a5.txt",
		"img": "https://archive.orkl.eu/3cd950534e27005723d08a906b4a0132491eb4a5.jpg"
	}
}