{
	"id": "bc70da8e-be1a-4771-b650-18991e360b85",
	"created_at": "2026-04-06T00:15:41.56407Z",
	"updated_at": "2026-04-10T03:36:37.116092Z",
	"deleted_at": null,
	"sha1_hash": "4697bf03c6dab968d2c3ee7f682a4f54f0a54127",
	"title": "STOMP 2 DIS: Brilliance in the (Visual) Basics | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4324778,
	"plain_text": "STOMP 2 DIS: Brilliance in the (Visual) Basics | Mandiant\r\nBy Mandiant\r\nPublished: 2020-02-05 · Archived: 2026-04-05 16:24:31 UTC\r\nWritten by: Rick Cole, Andrew Moore, Genevieve Stark, Blaine Stancill\r\nThroughout January 2020, FireEye has continued to observe multiple targeted phishing campaigns designed to download\r\nand deploy a backdoor we track as MINEBRIDGE. The campaigns primarily targeted financial services organizations in the\r\nUnited States, though targeting is likely more widespread than those we’ve initially observed in our FireEye product\r\ntelemetry. At least one campaign targeted South Korean organizations, including a marketing agency.\r\nIn these campaigns, the phishing documents appeared to be carefully crafted and leveraged some publicly-documented —\r\nbut in our experience uncommon and misunderstood — TTPs, likely in an effort to decrease detection of the malicious\r\ndocuments’ macros. The actor also used a self-hosted email marketing solution across multiple campaigns. Notably, the\r\npayload delivered in these campaigns leveraged a packer previously affiliated with a commonly-tracked threat actor, an\r\noverlap that we will explore later.\r\nThis blog post will review the theme of these campaigns and their targets, the adversary’s unique tradecraft, the\r\nMINEBRIDGE C++ backdoor, some potential attribution overlaps, and importantly — the threat actor’s love of rap music.\r\nTargeting and Lure Detail\r\nWhile we first identified MINEBRIDGE samples in December, we observed our first phishing campaigns relating to this\r\nactivity in early January 2020. 
Email addresses used to send phishing messages were associated with domains that appear to\r\nhave been registered specifically for this purpose within a few weeks of the activity — and were thematically consistent\r\nwith the content of the phishing messages.\r\nAdditionally, the actor(s) responsible are likely using a self-hosted email marketing solution called Acelle. Acelle adds\r\nextended email headers to messages sent via the platform in the format of X-Acelle-. The messages observed across\r\ncampaigns using these TTPs have included a “Customer-Id” value matching “X-Acelle-Customer-Id: 5df38b8fd5b58”.\r\nWhile that field remained consistent across all observed campaigns, individual campaigns also shared overlapping “X-Acelle-Sending-Server-Id” and “X-Acelle-Campaign-Id” values. All of the messages also included a “List-Unsubscribe”\r\nheader offering a link hosted at 45.153.184.84, suggesting that it is the server hosting the Acelle instance used across these\r\ncampaigns. The sample table for one campaign below illustrates this data:\r\nTimestamp | Sender | Subject | x-acelle-subscriber-id | x-acelle-sending-server-id | x-acelle-customer-id | x-acelle-campaign-id\r\n1/7/20 16:15 | info@rogervecpa.com | tax return file | 25474792e6f8c | 5e14a2664ffb4 | 5df38b8fd5b58 | 5e14a2664ffb4\r\n1/7/20 15:59 | info@rogervecpa.com | tax return file | 22e183805a051 | 5e14a2664ffb4 | 5df38b8fd5b58 | 5e14a2664ffb4\r\n1/7/20 | info@rogervecpa.com | tax return file | 657e1a485ed77 | 5e14a2664ffb4 | 5df38b8fd5b58 | 5e14a2664ffb4\r\n1/7/20 16:05 | info@rogervecpa.com | tax return file | ddbbffbcb5c6c | 5e14a2664ffb4 | 5df38b8fd5b58 | 5e14a2664ffb4\r\nhttps://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html\r\nPage 1 of 19\n\nThe URLs requested by the malicious documents and serving the final MINEBRIDGE payloads delivered in each of these\r\ncampaigns provide additional overlap across campaigns. 
In all observed cases, the domains used the same bullet-proof\r\nhosting service. The URI used to download the final payload was “/team/invest.php” or, in one case, “/team/rumba.php”.\r\nPerhaps the most fun overlap, however, was discovered when trying to identify additional artifacts of interest hosted at\r\nsimilar locations. In most cases a GET request to the parent directory of “/team/” on each of the identified domains served\r\nup the lyrics to rap group Onyx’s “Bang 2 Dis” masterpiece. We will refrain from sharing the specific verse hosted due to\r\nexplicit content.\r\nOne of the more notable characteristics of this activity was the consistency in themes used for domain registration, lure\r\ncontent, similarities in malicious document macro content, and targeting. Since first seeing these emails, we’ve identified at\r\nleast 3 distinct campaigns.\r\nCampaign #1: January 7, 2020 – Tax Theme\r\nEmails associated with this campaign used the CPA-themed domain rogervecpa.com, registered in late November, and\r\nthe subject line “Tax Return File” with IRS-related text in the message body.\r\nThe attached payload was crafted to look like an H\u0026R Block-related tax form.\r\nObserved targeting included the financial sector exclusively.\r\nCampaign #2: January 8, 2020 – Marketing Theme\r\nEmails associated with this campaign used the same CPA-themed domain rogervecpa.com along with pt-cpaaccountant.com, also registered in late November.\r\nThe subject line and message body offered a marketing partnership opportunity to the victim.\r\nThe attached payload used a generic theme enticing users to enable macro content.\r\nObserved targeting focused on a South Korean marketing agency.\r\nCampaign #3: January 28, 2020 – Recruiting 
Theme\r\nEmails associated with this campaign were sent from several different email addresses, though all used the recruiting-themed domain agent4career.com, which was registered on January 20, 2020.\r\nThe subject line and message body referenced an employment candidate with experience in the financial sector.\r\nThe attached payload masqueraded as the resume of the same financial services candidate referenced in the phishing\r\nemail.\r\nObserved targeting included the financial sector exclusively.\r\nQuit Stepping All Over My Macros\r\nThe phishing documents themselves leverage numerous interesting TTPs, including hiding macros from the Office GUI and\r\nVBA stomping.\r\nVBA stomping is a colloquial term applied to the manipulation of Office documents where the source code of a macro is\r\nmade to mismatch the pseudo-code (hereafter referred to as \"p-code\") of the document. In order to avoid duplicating research\r\nand wasting the reader’s time, we will instead reference the impressive work of our predecessors and peers in the industry.\r\nAs an introduction to the concept, we first recommend reading the tool release blog post for EvilClippy from Outflank. The\r\nsecurity team at Walmart has also published incredible research on the methodology. Vesselin Bontchev provides a useful\r\nopen source utility for dumping the p-code from an Office document in pcodedmp. This tool can be leveraged to inspect the\r\np-code of a document separate from its VBA source. It was adopted by the wider open source analysis toolkit oletools in\r\norder to detect the presence of stomping via comparison of p-code mnemonics vs. keyword extraction in VBA source.\r\nThat is a whole lot of quality reading for those interested. 
For the sake of brevity, the most important results of VBA\r\nstomping as relevant to this blog post are the following:\r\n- Static analysis tools focusing on VBA macro source extraction may be fooled into a benign assessment of a document\r\nbearing malicious p-code.\r\n- When VBA source is removed, and a document is opened in a version of Office for which the p-code was not\r\ncompiled to execute, the macro will not execute correctly, resulting in potentially failed dynamic analysis.\r\n- When a document is opened under a version of Office that uses a VBA version that does not match the version of\r\nOffice used to create the document, the VBA source code is recompiled back into p-code.\r\n- When a document is opened in Office and the GUI is used to view the macro, the embedded p-code is decompiled to\r\nbe viewed.\r\nThe final two points identify some interesting complications in regard to leveraging this methodology more broadly.\r\nVersioning complexities arise, which toolkits like EvilClippy address with Office version enumeration features. An\r\nactor building a VBA-stomped document containing benign VBA source but evil p-code must know the version of Office to build the\r\np-code for, or their sample will not detonate properly. Additionally, if an actor sends a stomped document, and a user or\r\nresearcher opens the macro in the Office editor, they will see malicious code.\r\nOur actor addressed the latter point of this complication by leveraging what we assess to be another feature of the\r\nEvilClippy utility, wherein viewing the macro source is made inaccessible to a user within Office by modifying the\r\nPROJECT stream of the document. 
Let’s highlight this below using a publicly available sample we attribute to our actors\r\n(SHA256: 18698c5a6ff96d21e7ca634a608f01a414ef6fbbd7c1b3bf0f2085c85374516e):\r\nDocument PROJECT stream:\r\nID=\"{33C06E73-23C4-4174-9F9A-BA0E40E57E3F}\"\r\nDocument=ThisDocument/\u0026H00000000\r\nName=\"Project\"\r\nHelpContextID=\"0\"\r\nVersionCompatible32=\"393222000\"\r\nCMG=\"A3A1799F59A359A359A359A3\"\r\nDPB=\"87855DBBA57B887C887C88\"\r\nGC=\"6B69B1A794A894A86B\"\r\n[Host Extender Info]\r\n\u0026H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;\u0026H00000000\r\n[Workspace]\r\nThisDocument=0, 0, 0, 0, C\r\nModule1=26, 26, 388, 131, Z\r\nThe above PROJECT stream has been modified. Within the PROJECT stream workspace, a module is referenced. However,\r\nthere is no module defined. We would expect the PROJECT stream of this document, prior to its modification by a tool,\r\nto be as follows:\r\nID=\"{33C06E73-23C4-4174-9F9A-BA0E40E57E3F}\"\r\nDocument=ThisDocument/\u0026H00000000\r\nModule=\"Module1\"\r\nName=\"Project\"\r\nHelpContextID=\"0\"\r\nVersionCompatible32=\"393222000\"\r\nCMG=\"A3A1799F59A359A359A359A3\"\r\nDPB=\"87855DBBA57B887C887C88\"\r\nGC=\"6B69B1A794A894A86B\"\r\n[Host Extender Info]\r\n\u0026H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;\u0026H00000000\r\n[Workspace]\r\nThisDocument=0, 0, 0, 0, C\r\nModule1=26, 26, 388, 131, Z\r\nIt is interesting to note that we initially identified this actor only performing this manipulation on their malicious documents\r\n(avoiding any versioning complexities) without actually stomping the p-code to mismatch the VBA source. This seems\r\nlike an odd decision and is possibly indicative of an actor assessing what “works” for their campaigns. 
The above malicious\r\ndocument is an example of them leveraging both methodologies, as highlighted by this screenshot from the awesome\r\npublicly available web service IRIS-H Digital Forensics:\r\nWe can see that the document’s VBA source is a blank Sub procedure definition. A quick glance at the p-code identifies both\r\nnetwork-based and host-based indicators we can use to determine what this sample would do when executed on\r\nthe proper Office version. When we attempt to open the macro in the GUI editor, Office gets angry:\r\nFor analysts looking to identify this methodology holistically, we recommend the following considerations:\r\n- The GUI-hiding functionality results in an altered PROJECT stream wherein a module is referenced in the workspace, but no module,\r\nclass, or baseclass is defined in the stream. This is a potential static detection.\r\n- While the macro source is no longer present, there are still static strings present in Module1 in this sample which may\r\nindicate the Windows APIs leveraged. This is a potential static detection.\r\n- Utilities like the previously mentioned oletools can do all of this detection for you. If you identify false negatives,\r\nfalse positives, or bugs, the open source project maintainers respond to them regularly like the superheroes that they\r\nare:\r\nThe above methodology creates questions regarding potential efficiency problems for scaling any sizable campaign using it.\r\nWhile tools like EvilClippy provide the means to create difficult-to-detect malicious documents that can potentially sneak\r\npast some dynamic and static detections, their payloads have the additional burden of needing to fingerprint targets to enable\r\nsuccessful execution. 
While actors with sufficient resources and creativity can no doubt account for these requirements, it is\r\nrelevant to note that detections for these methodologies will likely yield more targeted activity. In fact, tertiary review of\r\nsamples employing these techniques identified unrelated activity delivering both Cobalt Strike BEACON and POSHC2\r\npayloads.\r\nWe recently expanded our internal FireEye threat behavior tree to accommodate these techniques. At the time of publication,\r\nthe authors were unable to directly map the methods – PROJECT stream manipulation and VBA stomping – to existing\r\ntechniques in the MITRE ATT\u0026CK Matrix™ for Enterprise. However, our team submitted these as contributions to the\r\nATT\u0026CK knowledge base prior to publication and will make additional data available for ATT\u0026CK Sightings.\r\nCrossing The Bridge of Khazad-dûm: The MINEBRIDGE Infection Chain\r\nSuccessful detonation of the previously detailed malicious document results in creation of “uCWOncHvBb.dll” via a call to\r\nURLDownloadToFileA to the URL hxxps://marendoger[.]com/team/rumba.php. The returned MINEDOOR-packed\r\nMINEBRIDGE sample is saved in the executing user’s AppData directory (e.g.,\r\nC:\\Users\\username\\AppData\\Roaming\\uCWOncHvBb.dll), and then the DllRegisterServer export is executed\r\nvia invocation of “regsvr32.exe /s %AppData%\\uCWOncHvBb.dll”:\r\nThis will result in a ZIP file being retrieved from the URL hxxps://creatorz123[.]top/~files_tv/~all_files_m.bin using the\r\nWindows API URLDownloadToFileW. The ZIP file is written to %TEMP%, unzipped to the newly created directory\r\n%AppData%\\Windows Media Player, and then deleted:\r\nThe ZIP file contains legitimate files required to execute a copy of TeamViewer, listed in the file creation area of the IOC\r\nsection of this post. 
When a file named TeamViewer.exe is identified while unzipping, it is renamed to wpvnetwks.exe:\r\nAfter completing these tasks, uCWOncHvBb.dll moves itself to %AppData%\\Windows Media Player\\msi.dll. The phishing\r\nmacro then closes the handle to msi.dll, and calls CreateProcessA on wpvnetwks.exe, which results in the renamed\r\nTeamViewer instance side-loading the malicious msi.dll located alongside it. The malware ensures its persistence through\r\nreboot by creating a link file at %CSIDL_STARTUP%\\Windows WMI.lnk, which points to %AppData%\\Windows Media\r\nPlayer\\wpvnetwks.exe, resulting in its launch at user logon.\r\nThe end result is a legitimate, though outdated (version 11, compiled on September 17, 2018, at 10:30:12 UTC),\r\nTeamViewer instance hijacked by a malicious side-loaded DLL (MINEBRIDGE).\r\nMINEBRIDGE is a 32-bit C++ backdoor designed to be loaded by an older, unpatched instance of the legitimate remote\r\ndesktop software TeamViewer by DLL load-order hijacking. The backdoor hooks Windows APIs to prevent the victim from\r\nseeing the TeamViewer application. By default, MINEBRIDGE conducts command and control (C2) communication via\r\nHTTPS POST requests to hard-coded C2 domains. The POST requests contain a GUID derived from the system’s volume\r\nserial number, a TeamViewer unique id and password, username, computer name, operating system version, and beacon\r\ninterval. MINEBRIDGE can also communicate with a C2 server by sending TeamViewer chat messages using a custom\r\nwindow procedure hook. 
Collectively, the two C2 methods support commands for downloading and executing payloads,\r\ndownloading arbitrary files, self-deletion and updating, process listing, shutting down and rebooting the system, executing\r\narbitrary shell commands, process elevation, turning on/off TeamViewer's microphone, and gathering system UAC\r\ninformation.\r\nMINEBRIDGE’s default method of communication is sending HTTPS POST requests over TCP port 443. This method of\r\ncommunication is always active; however, the beacon-interval time may be changed via a command. Before sending any C2\r\nbeacons, the sample waits to collect the TeamViewer-generated unique id () and password () via SetWindowsTextW hooks.\r\nThis specific sample continuously sends an HTTP POST request over TCP port 443 with the URI\r\n~f83g7bfiunwjsd1/g4t3_indata.php to each host listed below until a response is received.\r\n123faster[.]top\r\nconversia91[.]top\r\nfatoftheland[.]top\r\ncreatorz123[.]top\r\ncompilator333[.]top\r\nThe POST body contains the formatted string uuid=\u0026id=\u0026pass=\u0026username=\u0026pcname=\u0026osver=\u0026timeout= where is a\r\nGUID derived from the system's volume serial number and formatted using the format string %06lX-%04lX-%04lX-%06lX.\r\nAdditionally, the request uses the hard-coded HTTP User-Agent string \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_1 like\r\nMac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B150 Safari/604.1\"\r\nAfter a response is received, it's processed for commands. A single response may contain multiple commands. For each\r\ncommand executed, the sample sends an HTTPS POST request over TCP port 443 indicating success or failure. The sample\r\nresponds to the commands below.\r\nCommand | Description\r\ndrun | Download and execute an executable from a URL provided in the command. 
File saved to\r\n%TEMP%\\\u003c32_rand_chars\u003e.exe.\r\nrundll_command | Download a custom XOR-encoded and LZNT1-compressed DLL from a URL provided in the\r\ncommand and save to %TEMP%\\\u003c32_rand_chars\u003e. Decode, decompress, and load the DLL in\r\nmemory and call its entrypoint.\r\nupdate_command | Move sample file to .old and download a new version of itself to where is the name of this\r\nsample (i.e., msi.dll). Relaunch the hosting TeamViewer application with command-line\r\nargument COM1_. Delete .old.\r\nrestart_command | Relaunch the hosting TeamViewer application with command-line argument COM1_.\r\nterminate_command | Terminate the hosting TeamViewer application.\r\nkill_command | Create and execute the self-deleting batch script tvdll.cmd to delete all unzipped files as well as\r\nthe sample file. Terminate the hosting TeamViewer application.\r\npoweroff_command | Shut down the system.\r\nreboot_command | Reboot the system.\r\nsetinterval_command | Update the C2 beacon-interval time.\r\nAfter executing all commands in the response, the sample sleeps for the designated C2 beacon-interval time. It repeats the\r\nprocess outlined above to send the next C2 beacon. 
This behavior repeats indefinitely.\r\nThe self-deleting batch script tvdll.cmd contains the following content where is the renamed TeamViewer executable (i.e.,\r\nwpvnetwks.exe) and is the name of this sample (i.e., msi.dll).\r\n@echo off\r\nping 1.1.1.1 -n 1 -w 5000 \u003e nul\r\ngoto nosleep1\r\n:redel1\r\nping 1.1.1.1 -n 1 -w 750 \u003e nul\r\n:nosleep1\r\nattrib -a -h -s -r %~d0%~p0TeamViewer_Resource_en.dll\r\ndel /f /q %~d0%~p0TeamViewer_Resource_en.dll\r\nif exist \"%~d0%~p0TeamViewer_Resource_en.dll\" goto redel1\r\ngoto nosleep2\r\n:redel2\r\nping 1.1.1.1 -n 1 -w 750 \u003e nul\r\n:nosleep2\r\nattrib -a -h -s -r %~d0%~p0TeamViewer_StaticRes.dll\r\ndel /f /q %~d0%~p0TeamViewer_StaticRes.dll\r\nif exist \"%~d0%~p0TeamViewer_StaticRes.dll\" goto redel2\r\ngoto nosleep3\r\n:redel3\r\nping 1.1.1.1 -n 1 -w 750 \u003e nul\r\n:nosleep3\r\nattrib -a -h -s -r %~d0%~p0TeamViewer_Desktop.exe\r\ndel /f /q %~d0%~p0TeamViewer_Desktop.exe\r\nif exist \"%~d0%~p0TeamViewer_Desktop.exe\" goto redel3\r\ngoto nosleep4\r\n:redel4\r\nping 1.1.1.1 -n 1 -w 750 \u003e nul\r\n:nosleep4\r\nattrib -a -h -s -r %~d0%~p0TeamViewer.ini\r\ndel /f /q %~d0%~p0TeamViewer.ini\r\nif exist \"%~d0%~p0TeamViewer.ini\" goto redel4\r\ngoto nosleep5\r\n:redel5\r\nping 1.1.1.1 -n 1 -w 750 \u003e nul\r\n:nosleep5\r\nattrib -a -h -s -r %~d0%~p0\r\ndel /f /q %~d0%~p0\r\nif exist \"%~d0%~p0\" goto redel5\r\ngoto nosleep6\r\n:redel6\r\nping 1.1.1.1 -n 1 -w 750 \u003e nul\r\n:nosleep6\r\nattrib -a -h -s -r %~d0%~p0\r\ndel /f /q %~d0%~p0\r\nif exist \"%~d0%~p0\" goto redel6\r\nattrib -a -h -s -r %0\r\ndel /f /q %0\r\nPossible Connection to Another Intrusion Set\r\nThe identified MINEBRIDGE samples have been packed within a loader we call MINEDOOR. 
Since Fall 2019, we’ve\r\nobserved a group publicly tracked as TA505 conducting phishing campaigns that use MINEDOOR to deliver the\r\nFRIENDSPEAK backdoor. The combination of MINEDOOR and FRIENDSPEAK has also been publicly discussed using\r\nthe name Get2.\r\nThe limited overlap in tactics, techniques, and procedures (TTPs) between campaigns delivering MINEBRIDGE and those\r\ndelivering FRIENDSPEAK may suggest that MINEDOOR is not exclusive to TA505. Recent campaigns delivering\r\nFRIENDSPEAK have appeared to use spoofed sender addresses, Excel spreadsheets with embedded payloads, and\r\ncampaign-specific domains that masquerade as common technology services. Meanwhile, the campaigns delivering\r\nMINEBRIDGE have used actor-controlled email addresses, malicious Word documents that download payloads from a\r\nremote server, and domains with a variety of themes sometimes registered weeks in advance of the campaign. The\r\ncampaigns delivering MINEBRIDGE also appear to be significantly smaller in both volume and scope than the campaigns\r\ndelivering FRIENDSPEAK. Finally, we observed campaigns delivering MINEBRIDGE on Eastern Orthodox Christmas\r\nwhen Russian-speaking actors are commonly inactive; we did not observe campaigns delivering FRIENDSPEAK during the\r\nweek surrounding the holiday and language resources in the malware may suggest TA505 actors speak Russian.\r\nIt is plausible that these campaigns represent a subset of TA505 activity. For example, they may be operations conducted on\r\nbehalf of a specific client or by a specific member of the broader threat group. 
Both sets of campaigns used domains that\r\nwere registered with Eranet and had the registrant location “JL, US” or “Fujian, CN”; however, this overlap is less notable\r\nbecause we suspect that TA505 has used domains registered by a service that reuses registrant information.\r\nPost-compromise activity would likely reveal if these campaigns were conducted by TA505 or a second threat group;\r\nhowever, FireEye has not yet observed any instances in which a host has been successfully compromised by\r\nMINEBRIDGE. As such, FireEye currently clusters this activity separately from what the public tracks as TA505.\r\nAcknowledgments\r\nFireEye would like to thank all the dedicated authors of open source tooling and research referenced in this blog post.\r\nFurther, FireEye would like to thank TeamViewer for their collaboration with us on this matter. The insecure DLL loading\r\nhighlighted in this blog post was resolved in TeamViewer 11.0.214397, released on October 22, 2019, prior to the\r\nTeamViewer team receiving any information from FireEye. Additionally, TeamViewer is working to add further mitigations\r\nfor the malware’s functionality. 
FireEye will update this post with further data from TeamViewer when this becomes\r\navailable.\r\nIndicators of Compromise (IOCs)\r\nSuspicious Behaviors\r\nProcess lineage: Microsoft Word launching TeamViewer\r\nDirectory Creation: %APPDATA%\\Windows Media Player\r\nFile Creation:\r\n%APPDATA%\\Windows Media Player\\msi.dll\r\n%APPDATA%\\Windows Media Player\\msi.dll.old\r\n%APPDATA%\\Windows Media Player\\tvdll.cmd\r\n%APPDATA%\\Windows Media Player\\wpvnetwks.exe\r\n%APPDATA%\\Windows Media Player\\TeamViewer_Resource_en.dll\r\n%APPDATA%\\Windows Media Player\\TeamViewer_StaticRes.dll\r\n%APPDATA%\\Windows Media Player\\TeamViewer_Desktop.exe\r\nhttps://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html\r\nPage 13 of 19\n\n%APPDATA%\\Windows Media Player\\TeamViewer.ini\r\n%CSIDL_STARTUP%\\Windows WMI.lnk\r\n%CSIDL_PROFILE%\\\u003cdll_name\u003e.xpdf\r\n%TEMP%\\\u003c32 random characters\u003e\r\n%TEMP%\\\u003c32 random characters\u003e.exe\r\n%TEMP%\\~8426bcrtv7bdf.bin\r\nNetwork Activity:\r\nHTTPS Post requests to C2 URLs\r\nUser-Agent String: \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_1 like Mac OS X)\r\nAppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B150 Safari/604.1\"\r\nC2 Domains\r\n123faster[.]top\r\nconversia91[.]top\r\nfatoftheland[.]top\r\ncreatorz123[.]top\r\ncompilator333[.]top\r\nDownload Domains\r\nneurogon[.]com\r\ntiparcano[.]com\r\nseigortan[.]com\r\nmarendoger[.]com\r\nbadiconreg[.]com\r\nSender Domains\r\npt-cpaaccountant[.]com\r\nrogervecpa[.]com\r\nagent4career[.]com\r\nbestrecruitments[.]com\r\nPhishing Documents\r\nMD5 SHA256\r\n01067c8e41dae72ce39b28d85bf923ee 80e48391ed32e6c1ca13079d900d3afad62e05c08bd6e929dffdd2e3b9f69299\r\n1601137b84d9bebf21dcfb9ad1eaa69d 3f121c714f18dfb59074cbb665ff9e7f36b2b372cfe6d58a2a8fb1a34dd71952\r\n1c883a997cbf2a656869f6e69ffbd027 
de7c7a962e78ceeee0d8359197daeb2c3ca5484dc7cf0d8663fb32003068c655\r\nhttps://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html\r\nPage 14 of 19\n\n2ed49bd499c9962e115a66665a6944f6 b8f64a83ad770add6919d243222c62471600e64789264d116c560b7c574669ec\r\n3b948368fe1a296f5ed18b11194ce51c 999d4f434bbc5d355656cc2a05982d61d6770a4c3c837dd8ec6aff8437ae405a\r\n4148281424ff3e85b215cd867746b20c 9812123d2367b952e68fa09bd3d1b3b3db81f0d3e2b3c03a53c21f12f1f4c889\r\n54f22fbc84f4d060fcbf23534a02e5f6 7b20e7e4e0b1c0e41de72c75b1866866a8f61df5a8af0ebf6e8dbd8f4e7bdc57\r\n5a3d8348f04345f6687552e6b7469ac1 77a33d9a4610c4b794a61c79c93e2be87886d27402968310d93988dfd32a2ccf\r\n607d28ae6cf2adb87fcb7eac9f9e09ab f3917832c68ed3f877df4cd01635b1c14a9c7e217c93150bebf9302223f52065\r\n9ba3275ac0e65b9cd4d5afa0adf401b4 18698c5a6ff96d21e7ca634a608f01a414ef6fbbd7c1b3bf0f2085c85374516e\r\n9becd2fd73aa4b36ad9cd0c95297d40b 30025da34f6f311efe6b7b2c3fe334f934f3f6e6024e4d95e8c808c18eb6de03\r\n9cce3c9516f0f15ce18f37d707931775 bf0adb30ca230eee6401861e1669b9cfeaa64122cc29c5294c2198f2d82f760e\r\n9faf9e0c5945876c8bad3c121c91ea15 88c4019e66564ad8c15b189b903276910f9d828d5e180cac30f1f341647278fc\r\na37e6eeb06729b6108649f21064b16ef e895dc605c6dcaf2c3173b5ec1a74a24390c4c274571d6e17b55955c9bd48799\r\nab8dc4ba75aad317abb8ee38c8928db0 212793a915bdd75bede8a744cd99123e2a5ac70825d7b2e1fc27104276a3aafd\r\nb8817253288b395cb33ffe36e0072dc9 ba013420bd2306ecb9be8901db905b4696d93b9674bd7b10b4d0ef6f52fbd069\r\ncb5e5d29f844eb22fecaa45763750c27 4ff9bfde5b5d3614e6aa753cacc68d26c12601b88e61e03e4727ee6d9fe3cdc2\r\ncffda37453e1a1389840ed6ebaef1b0d c9f6ba5368760bf384399c9fd6b4f33185e7d0b6ea258909d7516f41a0821056\r\ndc0e1e4ec757a777a4d4cc92a8d9ef33 ac7e622e0d1d518f1b002d514c348a60f7a7e7885192e28626808a7b9228eab6\r\nhttps://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html\r\nPage 15 of 19\n\ne5c7e82670372e3cf8e8cab2c1e6bc17 
eba3c07155c47a47ee4d9b5201f47a9473255f4d7a6590b5c4e7b6e9fc533c08\r\nf93062f6271f20649e61a09c501c6c92 3f4f546fba4f1e2ee4b32193abcaaa207efe8a767580ab92e546d75a7e978a0b\r\nMINEBRIDGE/MINEDOOR Samples\r\nMD5 SHA256\r\n05432fc4145d56030f6dd6259020d16c 182ccc7f2d703ad732ffee0e1d9ae4ae5cf6b8817cc33fd44f203d31868b1e97\r\n0be9911c5be7e6dfeaeca0a7277d432b 65ead629a55e953b31668aac3bd373e229c45eb1871d8466f278f39ebcd5d26b\r\n0dd556bf03ecb42bf87d5ea7ce8efafe 48f6810e50d08c2631f63aae307a7724dba830430f5edd4b90b4b6a5b3c3ca85\r\n15edac65d5b5ed6c27a8ac983d5b97f6 03ff2b3067aa73ecd8830b6b0ea4f7cfa1c7476452b26227fb433265e7206525\r\n1e9c836f997ddcbd13de35a0264cf9f1 23da418912119a1358c9a1a4671ba60c396fff4c4de225fe6a225330147549a7\r\n21aa1066f102324ccc4697193be83741 86d839e1d741445f194965eee60d18bd292bec73e4889089e6caf9877581db12\r\n22b7ddf4983d6e6d84a4978f96bc2a82 fc39cb08cae90c661e00718e2a0051b5de3dcb7cddde919b9ffd2d79bf923d1f\r\n2333fbadeea558e57ac15e51d55b041c 57671d5154e707da0ee6139485f45a50fa9221852ebb65781d45a2660da7d0cb\r\n2b9961f31e0015cbcb276d43b05e4434 e41b89869c2b510c88acd1ed9fd4a6dfe89222a81c6c1241a69af3b7f812f712\r\n2c3cb2132951b63036124dec06fd84a8 b6dbb902125e7bf6f6701b654cbff4abaf2e853441cf34045ac19eff5ed8ce84\r\n4de9d6073a63a26180a5d8dcaffb9e81 7b1d4774176976ffcb2075889557f91a43c05fb13f3bc262bbaec4d7a0a827e6\r\n505ff4b9ef2b619305d7973869cd1d2b abb05ba50f45742025dd4ebff2310325783da00fb7bc885783e60a88c5157268\r\n52d6654fe3ac78661689237a149a710b d6a0e62fe53116c9b5bccd2a584381e2ca86e35490d809ce1900603d5e6b53eb\r\n53e044cd7cea2a6239d8411b8befb4b7 6e76d648d446e6a70acdd491f04c52d17f9f0e1ef34890c6628c4f48725b47c8\r\n5624c985228288c73317f2fa1be66f32 99559a5f06b0279ed893d2799b735dae450a620f6cea2ea58426d8b67d598add\r\n598940779363d9f4203fbfe158d6829b 1358b0ccae9dbb493228dc94eb5722c8d34c12227a438766be83df8c1c92a621\r\n60bdea2c493c812428a8db21b29dd402 383c86deed8797e0915acf3e0c1b6a4142c2c5ecb5d482517ed2ade4df6f36fd\r\n681a77eba0734c0a17b02a81564ae73f 0aaa66dc983179bffdb181079f3b786b6cd587c38c67ba68b560db0bd873278a\r\n6b7d9268c7000c651473f33d088a16bd 6e39ffecab4ca0bd7835a2e773ebfc3f6d909a0a680f898e55f85ed00728666d\r\n6d6f50f7bba4ae0225e9754e9053edc0 ddf33eff293ffc268dfd0a33dddef97aefe9e010ec869dc22c221d197eb85740\r\n6de77c1b4e8abaaf304b43162252f022 8f50ddc1519e587597882a6bd0667653c36a8064b56ee5ff77665db2faf24710\r\n7004fadfa572d77e24b33d2458f023d1 cccd6b46f950caec5effdd07af339be78691974fec5f25d923932b35edb95c4a\r\n71988460fd87b6bff8e8fc0f442c934b 8167d41ad30f5d451791878815e479965b2f5213231f26819ecaf4fcc774ab12\r\n722981703148fa78d41abbae8857f7a2 a3070ee10dd5bcd65a45b72848c926db2602e5297641452edff66e7133cdce9c\r\n818f7af373d1ec865d6c1b7f59dc89e5 cbe4b73c0c95c207ccde9d9bd80f541cf90cad18ba5abc3fe66a811ead1601c2\r\n832052b0f806f44b92f6ef150573af81 e162a70a6e27fe23379d3a17a3a727d85a94b79416d81ec3b4ea80d329e96830\r\n836125ae2bed57be93a93d18e0c600e8 0fbde653bef4642626f2996a41a15a635eb52cd31eacce133d28301b902d67df\r\n86d60bce47c9bb6017e3da26cab50dcf 6c134908ad74dfa1468a1166e7d9244695f1ffeff68bfd4eec4b35820b542b8a\r\n8919458aec3dcc90563579a76835fc54 aad0537924bacddd0d5872f934723e765dbb182f2804c6f594f9b051937495ec\r\n8d7e220af48fceee515eb5e56579a709 3eefa7072344e044c0a6abb0030f3f26065bf6a86bb50ea38473dd7ac73904fb\r\n91b8ec04d8b96b90ea406c7b98cc0ad6 0520e68a4b73c3b41e566cf07be54e1f1cb59c59c303fe3390e0687f9af1a58a\r\n959eb0696c199cbf60ec8f12fcf0ea3c ccb5f8734befd6ab218513e16a57679a8fb43b2732e19233ee920d379045e318\r\n95ec5e8d87111f7f6b2585992e460b52 3f8e38ccf71f122b65fdc679db13e3de3bb4b4fc04b8ab6f955d02e0bca10fae\r\n9606cf0f12d6a00716984b5b4fa49d7d f4f062fd7b98365ed6db993b1da586dd43e5cdcc2f00a257086734daf88c9abb\r\n9f7fed305c6638d0854de0f4563abd62 6c5f72ddf0262838a921107520cdc12ba8e48dbafab4a66732a350095dd48e9f\r\na11c0b9f3e7fedfe52b1fc0fc2d4f6d1 d35ac29ea6e064b13d56f6a534022f253cf76b98e10a7ea1cbfa086eefd64f4b\r\na47915a2684063003f09770ba92ccef2 7b16ce0d2443b2799e36e18f60fe0603df4383b1a392b0549c3f28159b1ca4d4\r\na917b2ec0ac08b5cde3678487971232a 8578bff803098bf5ca0d752d0a81f07659688a32cbfc946728e5ab0403f5c4ba\r\nad06205879edab65ed99ed7ff796bd09 d560f8717f4117d011f40c8880081d02d1455a41c93792e1600799d3e5ee9421\r\nad910001cb57e84148ef014abc61fa73 c9a6f7b0603779690c1d189850403f86608a3c5e1cd91e76fd31c4f119ae256b\r\nb1ce55fca928cf66eaa9407246399d2c c6214ec7909ce61d6ec3f46f5a7ec595d8cc8db48965c5baee8a346632cbe16d\r\nb9249e9f1a92e6b3359c35a8f2a1e804 0695e5e49a297c980b96f76bf10e5540de188d6a6a162e38f475418d72a50032\r\nbd6880fb97faceecf193a745655d4301 23840c587e4e9588b3d0795d4d76a4f3d4d5b2e665ce42dde0abcd1e0a2ba254\r\nbe2597a842a7603d7eb990a2135dab5e 6288d3de1f1aa05fa0a5f0c8eb9880d077f034fc79fc20f87cbfcc522aa803cb\r\ncf5470bfe947739e0b4527d8adb8486a 6357fdb8f62948d489080b61caf135e6aaba32dcdb7dc49b0efafef178b3b54f\r\nd593b7847ec5d18a7dba6c7b98d9aebf 5df3a6afb1a56fa076c6db716d5a050455158941ec962546a8799fc80ccfa573\r\nd7ee4ffce21325dfe013b6764d0f8986 92e94482dee75261c8ebdcbb7ace382a097cca11bcdc675bbe2d7b3f67525f84\r\nde4d7796006359d60c97a6e4977e4936 ee8ba1c5329d928d542bfa06eec2c0a3e3b97dcc20382ddbc27bc420ceaeb677\r\ne0069cd3b5548f9fd8811adf4b24bf2e 6046d6aed3f4ee2564d6be540d46bcdc0bebce11a1ced4b9ddbfa1a41084411c\r\ne1ea93fa74d160c67a9ff748e5254fe0 92c10ef23209e09abb17e41d67301f0e3f7d9e7ddfc7c1a66140c4986d72bee7\r\nea15d7944c29f944814be14b25c2c2b1 5898b41ca4f4777ad04d687f93548129ccb626d2f5e6e100b0a037c3d40a7444\r\nf22a4abd5217fa01b56d064248ce0cc5 858b4070f8b83aa43fd6a5189a8ed226ce767a64972db893e36550a25b20be94\r\nf3cb175e725af7f94533ecc3ff62fa12 5a5385df469459cd56f6eecbf4b41b8c75aa17220c773501eaec22731f3a41bb\r\nf6533e09a334b9f28136711ea8e9afca 9136c36ccd0be71725e8720a6cfdbdd38d7eea3998228c69ed4b52e78ba979c4\r\nf7daaea04b7fe4251b6b8dabb832ee3a 6abd90d718113482a5bcd36e35b4ea32c469f94fc2cfb9c1c98214efbf64c352\r\nfb1555210d04286c7bcb73ca57e8e430 36da56815dc0c274fc8aacdfffbc4d5e500025ccd1147cad513d59b69ab9557d\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html"
	],
	"report_names": [
		"stomp-2-dis-brilliance-in-the-visual-basics.html"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434541,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4697bf03c6dab968d2c3ee7f682a4f54f0a54127.pdf",
		"text": "https://archive.orkl.eu/4697bf03c6dab968d2c3ee7f682a4f54f0a54127.txt",
		"img": "https://archive.orkl.eu/4697bf03c6dab968d2c3ee7f682a4f54f0a54127.jpg"
	}
}