{
	"id": "cea5752f-92d3-4e6e-858a-b51bb570dbbc",
	"created_at": "2026-04-06T01:29:12.734237Z",
	"updated_at": "2026-04-10T13:12:19.817043Z",
	"deleted_at": null,
	"sha1_hash": "3efa9d0258be1347593ef75ef706181476703351",
	"title": "Waterbear malware used in attack wave against government agencies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41642,
	"plain_text": "Waterbear malware used in attack wave against government agencies\r\nBy Charlie Osborne\r\nPublished: 2020-10-08 · Archived: 2026-04-06 01:20:52 UTC\r\nResearchers have spotted a fresh Waterbear campaign in which Taiwanese government agencies have been targeted in sophisticated attacks.\r\nAccording to CyCraft researchers, the attacks took place in April 2020, but in an interesting twist, the threat group responsible leveraged malware already present on compromised servers -- due to past attacks -- in order to deploy malware.\r\nWaterbear has previously been associated with BlackTech, an advanced cyberattack group that generally attacks technology companies and government entities across Taiwan, Japan, and Hong Kong.\r\nTrend Micro researchers say the modular malware is primarily \"used for lateral movement, decrypting and triggering payloads with its loader component.\" Last year, Waterbear captured interest in the cybersecurity industry after implementing API hooking to hide its activities by abusing security products.\r\nIn the latest wave, CyCraft says a vulnerability was exploited in a common and trusted data loss prevention (DLP) tool in order to load Waterbear. The job was made easier as malware left over from previous attacks on the same targets had not been fully eradicated.\r\nThe attackers have been tracked in attempts to use stolen credentials to access a target network. In some cases, endpoints were still compromised from past attacks, and this was leveraged to access the victim's internal network and covertly establish a connection to the group's command-and-control (C2) server.\r\nA vulnerability in the DLP tool was then used to perform DLL hijacking. As the software failed to verify the integrity of DLLs it was loading, the malicious file was launched with a high level of privilege.\r\nThis DLL then injected shellcode into various Windows system services, allowing the Waterbear loader to deploy additional malicious packages.\r\nAnother interesting facet of the loader is the \"resurrection\" of a decade-old antivirus evasion technique, according to the researchers.\r\nKnown as \"Heaven's Gate,\" the misdirection technique is used to trick Microsoft Windows operating systems into executing 64-bit code, even when declared as a 32-bit process. This, in turn, can be used to bypass security engines and to inject shellcode.\r\nhttps://www.zdnet.com/article/waterbear-malware-used-in-attack-wave-against-government-agencies/\r\nPage 1 of 2\r\n\"Just as 64-bit and 32-bit programs are quite different, so are analysis mechanisms. Malware equipped with Heaven's Gate contains both 64-bit and 32-bit parts,\" the team says. \"Therefore, some monitor/analysis systems will only apply 32-bit analysis and will fail the 64-bit part; thus, this approach will break some monitor/analysis mechanisms.\"\r\nTo scupper analysis attempts, the Waterbear loader will also use RC4 encryption on its main payload and \"pad contents [and memory] from Kernel32.dll in front of and behind shellcode.\" The size of the malware's binary was also inflated in an attempt to bypass file-based scanners.\r\nIn August, the CyCraft team told virtual attendees of Black Hat USA that a Chinese advanced persistent threat (APT) group has been striking the systems of Taiwanese chip manufacturers.\r\nSensitive corporate information and property including semiconductor designs, source code, and software development kits (SDKs) have been stolen in \"precise and well-coordinated attacks\" over 2018 and 2019. At least seven separate vendors have fallen prey to the group.\r\nSource: https://www.zdnet.com/article/waterbear-malware-used-in-attack-wave-against-government-agencies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zdnet.com/article/waterbear-malware-used-in-attack-wave-against-government-agencies/"
	],
	"report_names": [
		"waterbear-malware-used-in-attack-wave-against-government-agencies"
	],
	"threat_actors": [
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775438952,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3efa9d0258be1347593ef75ef706181476703351.pdf",
		"text": "https://archive.orkl.eu/3efa9d0258be1347593ef75ef706181476703351.txt",
		"img": "https://archive.orkl.eu/3efa9d0258be1347593ef75ef706181476703351.jpg"
	}
}