{
	"id": "e98eaaad-4da4-4f7d-83ca-43c9ef528d85",
	"created_at": "2026-04-06T00:07:18.30162Z",
	"updated_at": "2026-04-10T13:11:57.522587Z",
	"deleted_at": null,
	"sha1_hash": "47e12686fd25e3dca0f568a04c8c469ac3af3148",
	"title": "EAGERBEE, with updated and novel components, targets the Middle East",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 93769,
	"plain_text": "EAGERBEE, with updated and novel components, targets the\r\nMiddle East\r\nBy Saurabh Sharma\r\nPublished: 2025-01-06 · Archived: 2026-04-05 12:37:47 UTC\r\nIntroduction\r\nIn our recent investigation into the EAGERBEE backdoor, we found that it was being deployed at ISPs and\r\ngovernmental entities in the Middle East. Our analysis uncovered new components used in these attacks, including\r\na novel service injector designed to inject the backdoor into a running service. Additionally, we discovered\r\npreviously undocumented components (plugins) deployed after the backdoor’s installation. These enabled a range\r\nof malicious activities such as deploying additional payloads, exploring file systems, executing command shells\r\nand more. The key plugins can be categorized in terms of their functionality into the following groups: Plugin\r\nOrchestrator, File System Manipulation, Remote Access Manager, Process Exploration, Network Connection\r\nListing and Service Management.\r\nIn this blog, we provide a detailed analysis of the EAGERBEE backdoor’s capabilities, focusing on the service\r\ninjector, Plugin Orchestrator module and associated plugins. We also explore potential connections of the\r\nEAGERBEE backdoor with the CoughingDown threat group.\r\nInitial infection and spread\r\nUnfortunately, the initial access vector used by the attackers remains unclear. 
However, we observed them\r\nexecuting commands to deploy the backdoor injector named “tsvipsrv.dll” along with the payload file\r\nntusers0.dat, using the SessionEnv service to run the injector, as can be seen below.\r\n//change the creation, last access and write time, timestamp of the file to \"1/8/2019 9:57\"\r\nattrib.exe -s -h -a C:\\users\\public\\ntusers0.dat\r\npowershell.exe -Command \"='1/8/2019 9:57'; = 'C:\\users\\public\\ntusers0.dat';(Get-Item\r\n).creationtime = ;(Get-Item ).lastaccesstime = ;(Get-Item ).lastwritetime = \"\r\n//set the attributes of the file (EAGERBEE backdoor) to archive (+a), system file (+s) and\r\n//hidden (+h)\r\nattrib.exe +s +h +a C:\\users\\public\\ntusers0.dat\r\n//set the attributes of the file (loader) to archive (+a), system file (+s) and hidden\r\nhttps://securelist.com/eagerbee-backdoor/115175/\r\nPage 1 of 13\n\n//(+h)\r\nattrib.exe +s +h +a system32\\tsvipsrv.dll\r\n//the malware runs now because of a DLL hijacking vulnerability, as the libraries in the\r\n//system32 directory where the malicious library is located are the first to load\r\nnet.exe stop sessionenv\r\ncmd.exe /c \"sc config sessionenv Start= auto\"\r\nnet.exe start sessionenv\r\nattrib.exe -s -h -a C:\\users\\public\\ntusers0.dat\r\nnet.exe use \\\\\u003c\u003cinternal ip\u003e\u003e\\c$ \u003cpassword\u003e /user:\u003cusername\u003e\r\nattrib.exe +s +h +a C:\\users\\public\\ntusers0.dat\r\nattrib.exe +s +h +a \\\\172.17.1.127\\c$\\users\\public\\ntusers0.dat\r\nattrib.exe -s -h -a system32\\tsvipsrv.dll\r\nattrib.exe +s +h +a system32\\tsvipsrv.dll\r\nattrib.exe +s +h +a \\\\172.17.1.127\\c$\\windows\\system32\\tsvipsrv.dll\r\nattrib.exe -s -h -a \\\\172.17.1.127\\c$\\windows\\system32\\tsvipsrv.dll\r\nattrib.exe +s +h +a \\\\172.17.1.127\\c$\\windows\\system32\\\r\nMalware 
components\r\nService injector\r\nThe service injector targets the Themes service process. It first locates and opens the process, then allocates\r\nmemory within it to write EAGERBEE backdoor bytes (stored in C:\\users\\public\\ntusers0.dat) along with stub\r\ncode bytes. The stub code is responsible for decompressing the backdoor bytes and injecting them into the service\r\nprocess memory.\r\nTo execute the stub code, the injector replaces the original service control handler with the address of the stub\r\ncode in the service process memory. The stub is then triggered by sending a\r\nSERVICE_CONTROL_INTERROGATE control code to the service. After the stub completes its execution, the\r\ninjector cleans up by removing the stub code from the service memory and restoring the original service control\r\nhandler.\r\nEAGERBEE backdoor\r\nWhen we found the backdoor in the infected system, it was named dllloader1x64.dll. It can create a mutex with\r\nthe name mstoolFtip32W if one doesn’t exist yet. After that, it starts collecting information from the system: the\r\nNetBIOS name of the local computer, OS information (major and minor version numbers, build number, platform\r\nidentifier, and information about product suites and the latest service pack installed on the system), product type\r\nfor the operating system on the local computer, processor architecture, and list of IPv4 and IPv6 addresses.\r\nThe backdoor has an execution day and time check. It compares the current system day and hour to the hardcoded\r\nstring 0-6:00:23;6:00:23;, where the numbers mean the following:\r\n0: start day of the week;\r\n6: end day of the week;\r\n00: start hour;\r\n23: end hour.\r\nIf the execution day and hour do not match, it sleeps for 15 seconds and checks again. 
In the cases we’ve seen, the\r\nbackdoor is configured to run 24/7.\r\nThe backdoor configuration is either stored in C:\\Users\\Public\\iconcache.mui or hardcoded within the binary. If\r\nstored in the file, the first byte serves as the XOR key to decode the remaining data. When hardcoded, the\r\nconfiguration is decoded using a single-byte XOR key (0x57). This configuration includes the command-and-control (C2) hostname and port.\r\nThe backdoor retrieves the proxy host and port information for the current user by reading the registry key\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer. If proxy details are available, the\r\nbackdoor connects through the proxy; otherwise it connects to the C2 server directly.\r\nTo establish communication, the backdoor creates a TCP socket capable of operating over both IPv4 and IPv6. If\r\nthe C2 port has an “s” appended, an SSL session is initiated. Depending on the configuration, it may use the\r\nSCHANNEL security package, which supports SSL and TLS encryption on Windows. In this mode, it can validate\r\nserver credentials (passive mode) or use local client credentials to prepare an outgoing token (active mode).\r\nOnce a connection is established, the backdoor transmits the previously collected victim-specific details to the C2\r\nserver. The server responds with a string followed by a payload known as the Plugin Orchestrator. If the response\r\nstring matches a hardcoded value in the backdoor (unique to each sample), the backdoor retrieves the raw address\r\nof the first export method in the received payload and invokes it. Notably, at this stage, the payload (Plugin\r\nOrchestrator) is not yet mapped into memory.\r\nPlugin Orchestrator\r\nThe payload downloaded by the EAGERBEE backdoor is a plugin orchestrator in the form of a DLL file with the\r\ninternal name “ssss.dll” which exports a single method: “m”. 
As previously mentioned, EAGERBEE does not\r\nmap the plugin orchestrator DLL directly into memory. Instead, it retrieves the raw address of the “m” export\r\nmethod and invokes it.\r\nThe “m” method of the plugin orchestrator DLL is responsible for injecting the orchestrator into memory and\r\nsubsequently calling its entry point. In addition to the victim-specific data already collected, the plugin\r\norchestrator gathers and reports to the C2 server the following additional information:\r\nThe NetBIOS name of the domain;\r\nCurrent usage of physical and virtual memory;\r\nSystem locale and time zone settings;\r\nWindows character encoding;\r\nThe current process identifier;\r\nIdentifiers for any loaded plugins.\r\nAfter transmitting this information, the plugin orchestrator also reports whether the current process has elevated\r\nprivileges. It then collects details about all running processes on the system, including:\r\nProcess identifiers;\r\nThe number of execution threads started by each process;\r\nThe identifier of the parent process;\r\nThe fully qualified path of each process executable.\r\nOnce the information is sent, the plugin orchestrator waits for commands to execute. The following commands are\r\nsupported:\r\nCommand Description\r\n06\r\nThis command supports several sub-commands:\r\n2: Receive and inject plugins into memory. There can be multiple plugins loaded one after\r\nanother. Each plugin has an identifier.\r\n3: Unload a specific plugin from memory, remove the plugin from the list, and free the plugin\r\ncode bytes.\r\n4: No operation.\r\n5: Remove all plugins from the list and free the plugin code bytes.\r\n07 and 09\r\nCheck if the plugin is loaded or not. If the plugin is loaded, then call the specified export\r\nmethod of the plugin. If the plugin is not loaded, then check if the plugin has been received,\r\nthen load it, and call the specified export method. 
Otherwise, just make a plugin entry.\r\nPlugins\r\nThe plugins are DLL files and export three methods using ordinals. The plugin orchestrator first calls the exported\r\nmethod of the plugin with the ordinal number 3. This method is responsible for injecting the plugin DLL into\r\nmemory. After that, the orchestrator calls the exported method of the plugin with the ordinal number 1, which is\r\nthe DllMain method. This method initializes the plugin with the required data structures. Finally, it calls the\r\nexported method of the plugin with the ordinal number 2. This method implements the functionality of the plugin.\r\nAll the plugins are responsible for receiving and executing commands from the orchestrator. Below, we provide\r\nbrief descriptions of the analyzed plugins and the commands supported by each of them.\r\nFile Manager Plugin\r\nThis plugin performs a wide range of file system functions, including:\r\nListing drives, files and folders in the system;\r\nRenaming, moving, copying and deleting files;\r\nSetting ACLs to manage file and folder permissions;\r\nReading and writing files to and from the system;\r\nInjecting additional payloads into memory.\r\nThe table below contains commands it accepts.\r\nCommand Description\r\n0x02\r\nCheck and enable SeDebugPrivilege, SeBackupPrivilege, SeRestorePrivilege and\r\nSeTakeOwnershipPrivilege for the current process.\r\n0x06\r\nList files and folders at the specified path or at some of the following locations:\r\nDESKTOP, MYDOCUMENTS, RECYCLE.BIN, FAVORITES, STARTUP, RECENT,\r\n“C:\\Windows\\Prefetch” and the window credential manager storage folder.\r\nGet information about USB storage devices that have been connected to the computer\r\nby querying the registry key HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR.\r\n0x07 Get information about drives.\r\n0x08 Delete multiple directories or files.\r\n0x09 Create a directory at the specified 
location.\r\n0x0A (10) Rename an existing directory/file to a new directory/file.\r\n0x0B (11) Move or copy an existing directory/file to a new directory/file.\r\n0x0C (12) Move or copy multiple existing directories/files to new directories/files.\r\n0xD (13) Reflectively inject the received executable and DLL into memory.\r\n0x0F (15)\r\nGet a list of files and folders at a specified location recursively.\r\nRead a file by dumping file sectors of the specified file directly from disk.\r\nWrite a file.\r\n0x14 (20)\r\nLaunch the passed command line via the CreateProcessW API. The module can also\r\nlaunch the passed command line via CreateProcessAsUserW to run in the security\r\ncontext of the user represented by the token of specified process ID.\r\n0x22 (34)\r\nAdjust the security (DACL) for the user groups LOCAL SYSTEM, AUTHENTICATED\r\nUSERS, DOMAIN ADMINISTRATOR and DOMAIN USER to grant access to\r\nspecified file or directory.\r\n0x23 (35) Load a DLL at the specified path via LoadLibraryW.\r\n0x24 (36) Set the label of a file system volume.\r\n0x26 (38)\r\nCopy an existing file to a new file.\r\nChange the existing and new file time parameters (last write time, last access time and\r\ncreation time) to those of user32.dll.\r\nProcess Manager\r\nThis plugin manages process-related activities such as:\r\nListing running processes in the system;\r\nLaunching new modules and executing command lines;\r\nTerminating existing processes.\r\nIt accepts four commands.\r\nCommand Description\r\n0x10 (16) Terminate the process with the specified process ID.\r\n0x11 (17)\r\nRun the passed command line via the CreateProcessW API. 
Process Manager can also\r\nlaunch the specified module via CreateProcessAsUserW to run in the security context of\r\nthe user represented by the token of specified process ID.\r\n0x1E (30)\r\nGet information about the list of running processes in the system. The module also\r\ncollects user accounts associated with the processes.\r\n0x26 (38) Set file attribute.\r\nRemote Access Manager\r\nThis plugin facilitates and maintains remote connections, while also providing command shell access.\r\nCommand Description\r\n0x0B (11)\r\nPerform the operations below to enable and persist an RDP session:\r\nSet remote desktop services to autostart.\r\nKeep the Windows remote access service (RAS) session opened after logging\r\noff.\r\nEnable remote desktop connections.\r\nEnable concurrent (multiple) RDP sessions.\r\nAfter performing the above settings, start the remote desktop service\r\n(TermService).\r\n0x0D (13)\r\nDownload a file from the specified URL and write to the specified file path. Then start\r\nthe remote desktop service (TermService).\r\n0x1D (29)\r\nStart the command shell (cmd.exe). The module can also run cmd.exe by injecting its\r\ncode into the process C:\\Windows\\System32\\dllhost.exe.\r\nRead data from the command shell and send it to the C2 server.\r\n0x1E (30)\r\nIf the command shell process is not running, then start the command shell (cmd.exe) and\r\nwrite the received command data from C2 to the command shell.\r\n0x21 (33)\r\nTerminate the thread to read the command output from the command shell console.\r\nThen terminate the command shell process.\r\nThe attackers launch the command shell by injecting cmd.exe into the DllHost.exe process. 
The commands below\r\nwere seen executed by the threat actor:\r\n//list all users and users in the local admin group\r\nnet user\r\nnet localgroup administrators\r\n//obtain system- and account-related information; the \"dsquery\" command implies that the\r\n//attacker got hold of a Windows server machine with the Active Directory Domain Services\r\n//(AD DS) server role installed.\r\ndsquery computer\r\ndsquery server\r\ndsquery users\r\ndsquery user\r\nsysteminfo\r\nping  -n 1 \u003c\u003ccomputer name\u003e\u003e\r\n//establish a connection to a shared resource using stolen credentials\r\nnet use \\\\\u003c\u003cip in the network\u003e\u003e\\admin$ \u003cpassword\u003e /user:\u003cusername\u003e\r\n//archive the information from the shared resource\r\nrar.exe  a -v100M idata001.rar -ta\"20240101000000\" -r -x\"*.mp3\" -x\"*.dll\" -x\"*.exe\" -x\"*.zip\" -x\"*.mxf\" -x\"*.rar\" \"\\\\\u003c\u003cip in the network\u003e\u003e\\c$\\Users\\\u003c\u003cuser name\u003e\u003e\\Documents\"  \r\n\"\\\\\u003c\u003cip in the network\u003e\u003e\\c$\\Users\\\u003c\u003cuser name\u003e\u003e\\Desktop\"\r\nrar.exe  a -v100M idata001.rar -ta\"20240101000000\" -r -x\"*.mp3\" -x\"*.dll\" -x\"*.exe\" -x\"*.zip\" -x\"*.mp4\" -x\"*.rar\" \"\\\\\u003c\u003cip in the network\u003e\u003e\\c$\\Users\\\u003c\u003cuser name\u003e\u003e\\Documents\"  \r\n\"\u003c\u003cip in the network\u003e\u003e\\c$\\Users\\\u003c\u003cuser name\u003e\u003e\\Desktop\"\r\nService Manager\r\nThis plugin manages system services, including installing, starting, stopping, deleting and listing them.\r\nCommand Description\r\n0x11 (17)\r\nCreate Service entries. 
The module can create the following types of services:\r\nSERVICE_WIN32_SHARE_PROCESS: shares a process with other services.\r\nSERVICE_WIN32_OWN_PROCESS: runs inside its own process.\r\n0x12 (18) Stop and delete the service.\r\n0x13 (19) Start a service.\r\n0x14 (20) Stop a service.\r\n0x1E (30)\r\nEnumerate all services (active and inactive) to collect the following information about\r\nservices: the service name, display name and service status information.\r\nNetwork Manager\r\nThis plugin lists the network connections in the system.\r\nCommand Description\r\n0x1E (30)\r\nGet information about the list of IPv4 and IPv6 TCP and UDP connections:\r\nState\r\nLocal address\r\nLocal port\r\nRemote address\r\nRemote port\r\nOwning PID\r\nAttribution\r\nEAGERBEE was deployed in several organizations in East Asia. Two of these organizations were breached via\r\nthe infamous ProxyLogon vulnerability (CVE-2021-26855) in Exchange servers, after which malicious webshells\r\nwere uploaded and utilized to execute commands on the breached servers.\r\nIn May 2023, our telemetry indicated the execution of multiple commands to start and stop system services at one\r\nof the affected organizations in East Asia. 
The attackers abused the legitimate Windows services MSDTC,\r\nIKEEXT and SessionEnv to execute malicious DLLs: oci.dll, wlbsctrl.dll and TSVIPSrv.dll, respectively.\r\ntasklist.exe\r\nnet stop IKEEXT\r\nnet start IKEEXT\r\nnet start msdtc\r\nnet stop msdtc\r\nnet start msdtc\r\nNETSTAT.EXE -ano\r\ntasklist.exe\r\nARP.EXE -a\r\nnet.exe use \\\\[[IP REDACTED]]\\admin$\r\nipconfig.exe /all\r\nnet.exe stop IKEEXT\r\n//all privileges are assigned to the service IKEEXT, which loads the malicious DLL\r\nreg.exe add hklm\\SYSTEM\\CurrentControlSet\\Services\\IKEEXT /v RequiredPrivileges /t REG_MULTI_SZ /d SeAuditPrivilege\\0SeBackupPrivilege\\0SeRestorePrivilege\\0SeTakeOwnershipPrivilege\\0SeImpersonatePrivilege\\0SeTcbPrivilege\\0SeAssignPrimaryTokenPrivilege\\0SeManageVolumePrivilege\\0SeCreateSymbolicLinkPrivilege\\0SeShutdownPrivilege /f\r\nnet.exe start IKEEXT\r\nnet.exe start IKEEXT\r\nNETSTAT.EXE -ano\r\nnet.exe view\r\nnet.exe stop IKEEXT\r\nnet.exe start IKEEXT\r\nnet.exe start IKEEXT\r\nnet.exe start sessionenv\r\nnet.exe stop sessionenv\r\nnet.exe stop SessionEnv\r\nnet.exe start SessionEnv\r\nnet.exe start SessionEnv\r\nnet.exe start SessionEnv\r\nnet.exe start SessionEnv\r\nnet.exe start SessionEnv\r\nnet.exe stop SessionEnv\r\nnet.exe stop SessionEnv\r\nAccording to our telemetry, the DLLs loaded and executed by the services IKEEXT and SessionEnv are loaders in\r\nnature, loading the EAGERBEE backdoor into memory. Similar EAGERBEE loaders targeting Japanese\r\norganizations have been described by another security vendor. 
Examples of files loaded by these services are\r\nprovided below.\r\nIKEEXT\r\nSessionEnv\r\nThe service MSDTC loaded and executed a DLL file named “oci.dll”. By analyzing this file, we established that\r\nit was the CoughingDown Core Module.\r\nWe found several clues linking the EAGERBEE backdoor to the CoughingDown group:\r\n1. One of the aforementioned DLLs, oci.dll (MD5 f96a47747205bf25511ad96c382b09e8), which is\r\nexecuted by abusing the legitimate MSDTC service, has a 25% match with CoughingDown samples\r\naccording to the Kaspersky Threat Attribution Engine (KTAE). Analysis of the DLL reveals that it is a\r\nCore Module of multi-plugin malware developed by CoughingDown in late September 2020 and that there\r\nis indeed a significant code overlap (same RC4 key, same command numbers).\r\n2. This Core Module was configured to use the IP addresses 45.90.58[.]103 and 185.82.217[.]164 as its C2.\r\nThe IP address 185.82.217[.]164 is known to be used as an EAGERBEE C2 as reported by other security\r\nvendors.\r\nConclusions\r\nMalware frameworks continue to advance as threat actors develop increasingly sophisticated tools for malicious\r\nactivities. Among these is EAGERBEE, a malware framework primarily designed to operate in memory. This\r\nmemory-resident architecture enhances its stealth capabilities, helping it evade detection by traditional endpoint\r\nsecurity solutions. EAGERBEE also obscures its command shell activities by injecting malicious code into\r\nlegitimate processes, such as dllhost.exe, and executing it within the context of explorer.exe or the targeted user’s\r\nsession. 
These tactics allow the malware to seamlessly integrate with normal system operations, making it\r\nsignificantly more challenging to identify and analyze.\r\nIn the East Asian EAGERBEE attacks, the organizations were penetrated via the ProxyLogon vulnerability.\r\nProxyLogon remains a popular exploit method among attackers to gain unauthorized access to Exchange servers.\r\nPromptly patching this vulnerability is crucial to securing your network perimeter.\r\nBecause of the consistent creation of services on the same day via the same webshell to execute the EAGERBEE\r\nbackdoor and the CoughingDown Core Module, and the C2 domain overlap between the EAGERBEE backdoor\r\nand the CoughingDown Core Module, we assess with medium confidence that the EAGERBEE backdoor is\r\nrelated to the CoughingDown threat group.\r\nHowever, we have been unable to determine the initial infection vector or identify the group responsible for\r\ndeploying the EAGERBEE backdoor in the Middle East.\r\nIOC\r\nService Injector\r\n183f73306c2d1c7266a06247cedd3ee2\r\nEAGERBEE backdoor compressed file\r\n9d93528e05762875cf2d160f15554f44\r\nEAGERBEE backdoor decompress\r\nc651412abdc9cf3105dfbafe54766c44\r\nEAGERBEE backdoor decompress and fix\r\n26d1adb6d0bcc65e758edaf71a8f665d\r\nPlugin Orchestrator\r\ncbe0cca151a6ecea47cfaa25c3b1c8a8\r\n35ece05b5500a8fc422cec87595140a7\r\nDomains and IPs\r\n62.233.57[.]94\r\n82.118.21[.]230\r\n194.71.107[.]215\r\n151.236.16[.]167\r\nwww.socialentertainments[.]store\r\nwww.rambiler[.]com\r\n5.34.176[.]46\r\n195.123.242[.]120\r\n195.123.217[.]139\r\nSource: https://securelist.com/eagerbee-backdoor/115175/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/eagerbee-backdoor/115175/"
	],
	"report_names": [
		"115175"
	],
	"threat_actors": [
		{
			"id": "115ee14e-a122-47a4-bef7-5d3668cda109",
			"created_at": "2025-01-10T02:00:03.15179Z",
			"updated_at": "2026-04-10T02:00:03.800179Z",
			"deleted_at": null,
			"main_name": "CoughingDown",
			"aliases": [],
			"source_name": "MISPGALAXY:CoughingDown",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434038,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/47e12686fd25e3dca0f568a04c8c469ac3af3148.pdf",
		"text": "https://archive.orkl.eu/47e12686fd25e3dca0f568a04c8c469ac3af3148.txt",
		"img": "https://archive.orkl.eu/47e12686fd25e3dca0f568a04c8c469ac3af3148.jpg"
	}
}