{
	"id": "b423de90-5e50-495b-89b0-726081559852",
	"created_at": "2026-04-06T00:17:51.721626Z",
	"updated_at": "2026-04-10T13:11:33.868542Z",
	"deleted_at": null,
	"sha1_hash": "4672fc36c4981b36b0ed234fceaeca884226e31d",
	"title": "Clasiopa: New Group Targets Materials Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66174,
	"plain_text": "Clasiopa: New Group Targets Materials Research\r\nArchived: 2026-04-05 22:33:19 UTC\r\nA hitherto unknown attack group has been observed targeting a materials research organization in Asia. The\r\ngroup, which Symantec calls Clasiopa, is characterized by a distinct toolset, which includes one piece of custom\r\nmalware (Backdoor.Atharvan). At present, there is no firm evidence on where Clasiopa is based or on whose behalf\r\nit acts.\r\nClasiopa Tactics, Techniques, and Procedures\r\nThe infection vector used by Clasiopa is unknown, although there is some evidence to suggest that the attackers\r\ngain access through brute-force attacks on public-facing servers.\r\nAside from the distinct toolset used, a number of attack hallmarks were observed:\r\nThe attackers checked the IP addresses of the computers they were on using: https://ifconfig.me/ip\r\nAn attempt was made to disable Symantec Endpoint Protection (SEP) by stopping the SepMasterService.\r\nThe result of this query was checked and then a second attempt was made to disable SEP using \"smc -stop\".\r\nNote that any commands attempting to stop SEP will only work if the attacker has administrative\r\ncredentials and the SEP administrator has disabled anti-tamper protection.\r\nThe attackers used multiple backdoors to build lists of file names and exfiltrate them. These lists were\r\nexfiltrated either in a Thumb.db file or a Zip archive.\r\nSysmon logs were cleared using wsmprovhost.\r\nAll event logs were cleared using PowerShell.\r\nA scheduled task named \"network service\" was created to list file names.\r\nThere is some evidence to suggest that the attackers used two legitimate software packages. One compromised\r\ncomputer was running Agile DGS and Agile FD servers, software developed by Jiangsu. These packages are used\r\nfor document security and protection in transit. 
Malicious files were dropped into a folder named “dgs” and one of\r\nthe backdoors used was renamed from atharvan.exe to agile_update.exe. It is unclear whether these software packages\r\nare being injected into or installed by the attackers.\r\nHCL Domino (formerly IBM Domino) was also run on a compromised machine in close proximity to the\r\nexecution of backdoors, although it is unclear whether this was a coincidence or not. However, both the Domino and\r\nAgile software appear to be using old certificates and the Agile servers use old vulnerable libraries.\r\nTools Used\r\nAtharvan: Custom-developed remote access Trojan (RAT).\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clasiopa-materials-research\r\nPage 1 of 4\n\nLilith: The attackers used modified versions of the publicly available Lilith RAT. The versions used were\r\ncapable of carrying out the following tasks:\r\nKilling the process\r\nRestarting the process\r\nModifying the sleep interval\r\nUninstalling the RAT\r\nExecuting a remote command or PowerShell script\r\nExiting the process\r\nThumbsender: Hacking tool that, when it receives a command from a command-and-control (C\u0026C)\r\nserver, will list file names on the computer and save them in a file called Thumb.db before sending them to\r\na specified IP address.\r\nCustom proxy tool.\r\nAtharvan\r\nAtharvan is so named because, when the malware is run, it creates a mutex named \"SAPTARISHI-ATHARVAN-101\" to ensure that only one copy is running.\r\nIt will then contact a hardcoded C\u0026C server. 
The hardcoded C\u0026C addresses seen in one of the samples analyzed\r\nto date were for the Amazon AWS South Korea (Seoul) region, which is not a common location for C\u0026C\r\ninfrastructure.\r\nThe C\u0026C communications are formatted as HTTP POST requests where the Host header is hardcoded as\r\n\"update.microsoft.com\", e.g.:\r\nPOST /update.php HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/84.0.4147.105 Safari/537.36 Edg/84.0.522.52\r\nHost: update.microsoft.com\r\nContent-type: application/x-www-form-urlencoded\r\nContent-length: 46\r\nid=Atharvan\u0026code=101\u0026cid=H^[REDACTED]\u0026time=5\r\nThe request body includes the following parameters:\r\n\"id\": hardcoded string \"Atharvan\"\r\n\"code\": represents the request purpose, which can be one of:\r\n101: fetches commands\r\n102: sends command outputs or error messages\r\n103: fetches the file body to write when processing command 0x12\r\n\"cid\": hardcoded string \"H^\" followed by the network interface hardware address of the affected computer\r\nas 12 hexadecimal digits\r\n\"time\": interval between communication attempts\r\n\"msg\" (optional): depending on the request purpose as specified using the \"code\" parameter:\r\nwhen the \"code\" parameter is 102, it includes output of commands or error messages in encrypted\r\nform\r\nwhen the \"code\" parameter is 103, it identifies the file to fetch in non-encrypted form\r\nWhen encrypting the \"msg\" value, the malware uses the following encryption algorithm:\r\ndef encrypt(plaintext):\r\n    return bytes([((2 - byte) \u0026 0xff) for byte in plaintext])\r\nThe malware uses its own simplistic HTTP parser to extract the body from the server response. 
The extracted\r\nbody is decrypted using the following algorithm:\r\ndef decrypt(ciphertext):\r\n    return bytes([((2 - byte) \u0026 0xff) for byte in ciphertext])\r\nWhen fetching commands, the malware expects the decrypted body to contain a sequence of strings separated by\r\nthe \"\\x1A\" character.\r\nThe first byte of each string specifies the command to execute and the remaining bytes are interpreted as\r\ncommand parameters.\r\nWhen configuring a communication schedule, the command parameters specify the times and days for the\r\ncommunication attempts. Several different times can be specified, with the hour and minute of the day encoded.\r\nThe days are interpreted as:\r\nNo restrictions (communication schedule type 0x16)\r\nBitmask specifying days of month (communication schedule type 0x17)\r\nBitmask specifying days of week (communication schedule type 0x18)\r\nThis scheduled communication configuration is another unusual feature of the malware and is not commonly seen\r\nin malware of this kind.\r\nAttribution\r\nThere is currently no firm evidence on where Clasiopa is based or what its motivation is. A Hindi mutex is used in\r\nthe Atharvan backdoor: \"SAPTARISHI-ATHARVAN-101\". Atharvan is a legendary Vedic sage of Hinduism. 
The\r\nbackdoor also sends a POST request to a C\u0026C server with the arguments:\r\nd=%s\u0026code=%d\u0026cid=%s\u0026time=%dtharvan\r\nIn addition to this, one of the passwords used by the attackers for a ZIP archive was “iloveindea1998^_^”.\r\nWhile these details could suggest that the group is based in India, it is also quite likely that the information was\r\nplanted as false flags, with the password in particular seeming to be an overly obvious clue.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clasiopa-materials-research",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clasiopa-materials-research"
	],
	"report_names": [
		"clasiopa-materials-research"
	],
	"threat_actors": [],
	"ts_created_at": 1775434671,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4672fc36c4981b36b0ed234fceaeca884226e31d.pdf",
		"text": "https://archive.orkl.eu/4672fc36c4981b36b0ed234fceaeca884226e31d.txt",
		"img": "https://archive.orkl.eu/4672fc36c4981b36b0ed234fceaeca884226e31d.jpg"
	}
}