{
	"id": "12113933-a5fc-4aee-884d-382fa63894fb",
	"created_at": "2026-04-06T00:13:08.251304Z",
	"updated_at": "2026-04-10T03:33:18.488226Z",
	"deleted_at": null,
	"sha1_hash": "44e1e66a2cf28113f60d0c71db1f92ebc9098cfe",
	"title": "Operation SignSight: Supply-chain attack against a certification authority in Southeast Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 327882,
	"plain_text": "Operation SignSight: Supply-chain attack against a certification authority in Southeast Asia\r\nBy Ignacio Sanmillan and Matthieu Faou\r\nArchived: 2026-04-05 15:58:22 UTC\r\nJust a few weeks after the supply-chain attack on the Able Desktop software, another similar attack occurred on the website of the Vietnam Government Certification Authority (VGCA): ca.gov.vn. The attackers modified two of the software installers available for download on this website and added a backdoor in order to compromise users of the legitimate application.\r\nESET researchers uncovered this new supply-chain attack in early December 2020 and notified the compromised organization and the VNCERT. We believe that the website has not been delivering compromised software installers as of the end of August 2020, and ESET telemetry data does not indicate the compromised installers being distributed anywhere else. The Vietnam Government Certification Authority confirmed that they were aware of the attack before our notification and that they notified the users who downloaded the trojanized software.\r\nSupply-chain attack in Vietnam\r\nIn Vietnam, digital signatures are very common, as digitally signed documents have the same level of enforceability as “wet” signatures. According to Decree No. 130/2018, the cryptographic certificates used to sign documents must be granted by one of the authorized certificate providers, which include the VGCA, part of the Government Cipher Committee. That committee, in turn, depends on the Ministry of Information and Communication.\r\nIn addition to issuing certificates, the VGCA develops and distributes a digital signature toolkit. It is used by the Vietnamese government, and probably by private companies, to sign digital documents. The compromise of a certification authority website is a good opportunity for APT groups, since visitors are likely to have a high level of trust in a state organization responsible for digital signatures.\r\nAs shown in Figure 1, it seems that these programs are deployed in the Party and State agencies.\r\nhttps://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/\r\nPage 1 of 7\r\nFigure 1. Screenshot of ca.gov.vn\r\nAccording to ESET telemetry, ca.gov.vn was compromised from at least the 23rd of July to the 16th of August 2020. Two of the installers available for download, gca01-client-v2-x32-8.3.msi and gca01-client-v2-x64-8.3.msi, were modified to include a piece of malware known as PhantomNet or SManager, recently analyzed by NTT Security. We were able to confirm that those installers were downloaded from ca.gov.vn over the HTTPS protocol, so we believe it is unlikely to be a man-in-the-middle attack. The URLs pointing to the malicious installers were:\r\nhttps://ca.gov[.]vn/documents/20182/6768590/gca01-client-v2-x64-8.3.msi\r\nhttps://ca.gov[.]vn/documents/20182/6768590/gca01-client-v2-x32-8.3.msi\r\nThis is also confirmed by data from VirusTotal, as shown in Figure 2.\r\nFigure 2. Screenshot of VirusTotal. It shows the URL where the trojanized installer was downloaded from.\r\nThe trojanized installers are not properly signed, but we noticed that clean GCA installers are also incorrectly signed (“The digital signature of the object did not verify”). Both the official and trojanized MSIs use a certificate assigned to the Safenet company.\r\nFigure 3 is a summary of the supply-chain attack. To be compromised, a user would have to manually download and execute the compromised software hosted on the official website.\r\nFigure 3. Simplified scheme of the supply-chain attack.\r\nOnce downloaded and executed, the installer starts the genuine GCA program and the malicious file. The malicious file is written to C:\\Program Files\\VGCA\\Authentication\\SAC\\x32\\eToken.exe. By also installing the legitimate program, the attackers make sure that this compromise won’t be easily noticed by the end users.\r\nThis malicious file is a simple dropper that extracts a Windows cabinet file (.cab) named 7z.cab, which contains the backdoor.\r\nIf the dropper runs as an admin, the backdoor is written to C:\\Windows\\apppatch\\netapi32.dll and, for persistence, the dropper registers the malicious DLL as a service.\r\nIf run as a regular user, the backdoor is written to %TEMP%\\Wmedia\\\u003cGetTickCount\u003e.tmp and, for persistence, the dropper creates a scheduled task that calls the export Entery of the malicious DLL. It’s interesting to note that the Entery export was also seen in versions of TManger used by TA428, as detailed by NTT Security.\r\nPhantomNet\r\nThe backdoor was named Smanager_ssl.DLL by its developers, but we use PhantomNet, as that was the project name used in an older version of this backdoor. This most recent version was compiled on the 26th of April 2020, almost two months before the supply-chain attack. In addition to Vietnam, we have seen victims in the Philippines, but unfortunately we did not uncover the delivery mechanism in those cases.\r\nThis backdoor is quite simple and most of the malicious capabilities are likely deployed through additional plugins. It can retrieve the victim’s proxy configuration and use it to reach out to the command and control (C\u0026C) server. This shows that the targets are likely to be working in a corporate network.\r\nPhantomNet uses the HTTPS protocol to communicate with its hardcoded C\u0026C servers: vgca.homeunix[.]org and office365.blogdns[.]com. In order to prevent a man-in-the-middle attack, PhantomNet implements certificate pinning, using functions from the SSPI library. The certificate is downloaded during the first connection with the C\u0026C server and then stored in the Windows certificate store.\r\nIn addition to the use of dynamic DNS providers, it is interesting to note that the name of the first subdomain, vgca, was chosen in order to mimic the name of the Vietnam Government Certification Authority.\r\nThe implant can be controlled by the attackers using these five commands:\r\nCommand ID | Description\r\n0x00110020 | Get victim information (computer name, hostname, username, OS version, user privileges (admin or not), and the public IP address by querying ipinfo.io).\r\n0x00110030 | Call the export DeletePluginObject of all installed plugins.\r\n0x00110040 | Plugin management (install, remove, update). The plugins have the following exports (including the typo in the first one): GetPluginInfomation, GetRegisterCode, GetPluginObject, DeletePluginObject.\r\n0x00110070 | Set a value of a given field in the main structure of the backdoor.\r\n0x547CBA78 | Generate and set a password using the SSPI functions. The final purpose is unknown.\r\nOn VirusTotal, we found one plugin that matches the exports above. It is a debug build and is named SnowballS according to its PDB path and other debug paths:\r\nE:\\WorkCode\\AD_Attacker\\Server\\EXE_DEBUG\\SnowballS.pdb\r\ne:\\workcode\\ad_attacker\\server\\plugins\\plugins\\snowballs\\cdomainquery.cpp\r\nAn initial, cursory analysis suggests that this tool might be used for lateral movement, as it embeds Invoke-Mimikatz. It can also collect information about the victim machine and user accounts. This shows that PhantomNet can receive additional and complex plugins that are probably only deployed on machines of particular interest to the malware operators.\r\nIn the case of the attack in Vietnam, we were not able to recover data about post-compromise activity and thus we don’t have visibility into the end goal of the attackers.\r\nConclusion\r\nWith the compromise of Able Desktop, the attack on WIZVERA VeraPort by Lazarus and the recent supply-chain attack on SolarWinds Orion, we see that supply-chain attacks are a quite common compromise vector for cyberespionage groups. In this specific case, they compromised the website of a Vietnamese certificate authority, in which users are likely to have a high level of trust.\r\nSupply-chain attacks are typically hard to find, as the malicious code is generally hidden among a lot of legitimate code, making its discovery significantly more difficult.\r\nFor any inquiries, contact us at threatintel@eset.com. Indicators of Compromise can also be found in our GitHub repository.\r\nIoCs\r\nFiles\r\nSHA-1 | ESET detection name | Description\r\n5C77A18880CF58DF9FBA102DD8267C3F369DF449 | Win32/TrojanDropper.Agent.SJQ | Trojanized installer (gca01-client-v2-x64-8.3.msi)\r\nB0E4E9BB6EF8AA7A9FCB9C9E571D8162B1B2443A | Win32/TrojanDropper.Agent.SJQ | Trojanized installer (gca01-client-v2-x32-8.3.msi)\r\n9522F369AC109B03E6C16511D49D1C5B42E12A44 | Win32/TrojanDropper.Agent.SJQ | PhantomNet dropper\r\n989334094EC5BA8E0E8F2238CDF34D5C57C283F2 | Win32/PhantomNet.B | PhantomNet\r\n5DFC07BB6034B4FDA217D96441FB86F5D43B6C62 | Win32/PhantomNet.A | PhantomNet plugin\r\nC\u0026C servers\r\noffice365.blogdns[.]com\r\nvgca.homeunix[.]org\r\nMITRE ATT\u0026CK\r\nNote: This table was built using version 8 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nInitial Access | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | Attackers modified the installer of the GCA01 software that is hosted on ca.gov.vn and added a backdoor to the MSI installer.\r\nExecution | T1204.002 | User Execution: Malicious File | The victim needs to manually execute the trojanized installer.\r\nPersistence | T1053.005 | Scheduled Task/Job: Scheduled Task | If the user doesn’t have admin privileges, PhantomNet persists via a scheduled task.\r\nPersistence | T1543.003 | Create or Modify System Process: Windows Service | If the user has admin privileges, PhantomNet persists via a Windows service.\r\nDiscovery | T1033 | System Owner/User Discovery | PhantomNet implements a function to retrieve the username.\r\nDiscovery | T1082 | System Information Discovery | PhantomNet implements a function to retrieve the OS version.\r\nCommand and Control | T1090.001 | Proxy: Internal Proxy | PhantomNet can retrieve the proxy configuration of the default browser and use it to connect to the C\u0026C server.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | PhantomNet uses HTTPS.\r\nCommand and Control | T1573.002 | Encrypted Channel: Asymmetric Cryptography | PhantomNet can add a certificate to the Windows store and use it for certificate pinning for its HTTPS communications.\r\nSource: https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/"
	],
	"report_names": [
		"operation-signsight-supply-chain-attack-southeast-asia"
	],
	"threat_actors": [
		{
			"id": "bbdb2d7d-4bf4-4100-a108-f4742cfd69ff",
			"created_at": "2022-10-25T16:07:24.01101Z",
			"updated_at": "2026-04-10T02:00:04.836112Z",
			"deleted_at": null,
			"main_name": "Operation SignSight",
			"aliases": [],
			"source_name": "ETDA:Operation SignSight",
			"tools": [
				"Mimikatz",
				"PhantomNet",
				"SManager"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1",
			"created_at": "2023-01-06T13:46:39.042499Z",
			"updated_at": "2026-04-10T02:00:03.194713Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"BRONZE DUDLEY",
				"Colourful Panda"
			],
			"source_name": "MISPGALAXY:TA428",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434388,
	"ts_updated_at": 1775791998,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/44e1e66a2cf28113f60d0c71db1f92ebc9098cfe.pdf",
		"text": "https://archive.orkl.eu/44e1e66a2cf28113f60d0c71db1f92ebc9098cfe.txt",
		"img": "https://archive.orkl.eu/44e1e66a2cf28113f60d0c71db1f92ebc9098cfe.jpg"
	}
}