{
	"id": "94bf545a-097f-42ba-a584-ed7ac800b098",
	"created_at": "2026-04-06T01:30:40.92205Z",
	"updated_at": "2026-04-10T13:11:52.894079Z",
	"deleted_at": null,
	"sha1_hash": "48d3b983f521b222111da75d6acea4b65e88885a",
	"title": "A Tale of PivNoxy and Chinoxy Puppeteer | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 486030,
	"plain_text": "A Tale of PivNoxy and Chinoxy Puppeteer | FortiGuard Labs\r\nBy Shunichi Imano and Fred Gutierrez\r\nPublished: 2022-08-22 · Archived: 2026-04-06 00:19:50 UTC\r\nRecently, a simple and short email with a suspicious RTF attachment that had been sent to a telecommunications agency in South Asia caught the attention of FortiGuard Labs. The email was disguised as having come from a Pakistan government division and delivered the PivNoxy malware.\r\nAffected Platforms: Windows\r\nImpacted Parties: Windows users\r\nImpact: Controls victim’s machine and collects sensitive information\r\nSeverity Level: Medium\r\nThis blog describes how the attack works, suggests who the threat actor behind the operation might be, and details the techniques used by the attacker.\r\nAttack Overview\r\nThe attack started with a simple email that included a bare document as an attachment:\r\nFigure 1. Spearphishing email used in the attack\r\nThe attached doc file is in RTF format. It was generated using a tool called Royal Road, a phishing “weaponizer” believed to be used by several Asia-based APT threat actors.\r\nhttps://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis\r\nPage 1 of 15\r\nAlso referred to as the 8.t RTF exploit builder, Royal Road allows APT groups to create RTF files with embedded objects that exploit vulnerabilities in Microsoft Word to infect targets. Some of the known vulnerabilities that Royal Road supports include:\r\nCVE-2017-11882 (Microsoft Office Memory Corruption Vulnerability)\r\nCVE-2018-0802 (Microsoft Office Memory Corruption Vulnerability)\r\nCVE-2018-0798 (Microsoft Office Memory Corruption Vulnerability)\r\nOpening the email attachment, “Please help to CHECK.doc,” opens a decoy Word document and, at the same time, exploits CVE-2018-0798 in the background. CVE-2018-0798 is a Remote Code Execution (RCE) vulnerability in Microsoft’s Equation Editor (EQNEDT32).
Microsoft released a fix for it on January 9, 2018. The fact that attackers are still targeting this vulnerability highlights that not all organizations deploy critical patches or upgrade to the latest software. The truth is that older vulnerabilities are still commonly and successfully being exploited.\r\nFigure 2. Decoy Word file used in the attack. Note that the gibberish displayed in the document may be a result of the language not being supported by our test machine.\r\nOnce executed, the malicious document drops three files:\r\nC:\\ProgramData\\Cannon\\Cannondriver.exe\r\nC:\\ProgramData\\Cannon\\LBTServ.dll\r\nC:\\ProgramData\\Cannon\\Microsoft.BT\r\nDespite the deceptive file name, the Cannondriver.exe file is a legitimate Logitech file, LBTWizGi.exe, with the description “Logitech Bluetooth Wizard Host Process.” Cannondriver.exe is even digitally signed by a certificate issued to Logitech.\r\nFigure 3. Legitimate version of Cannondriver.exe\r\nOn the other hand, the LBTServ.dll file is not digitally signed. This is where it gets interesting. “Cannondriver.exe” is vulnerable to a DLL Search Order Hijacking attack that LBTServ.dll takes advantage of.\r\nTake note that the “LBTServ.dll” sample used in this attack has a compilation time of Sun July 18 02:04:24 2021 GMT. This means that this group created this variant well before they needed to use it. It suggests they were either ready to attack their target almost a year before or had started stockpiling an arsenal of malware ready to go at a moment’s notice. Recent Chinoxy samples that stayed under the radar, but were uncovered during our investigation, have similar compile times.\r\nFigure 4.
DLL Search Order Hijacking inside Cannondriver.exe\r\nThe figure above is part of the code found in Cannondriver.exe. Basically, it calls the export named LGBT_Launch, which is found in LBTServ.dll.\r\nFigure 5. Inside LBTServ.dll\r\nAfter Cannondriver.exe loads the fake LBTServ.dll and calls the LGBT_Launch function, the malicious function loads the other dropped file, Microsoft.BT, into memory and proceeds to decrypt it. The attack chain is similar to that used by the Chinoxy backdoor, which also uses Cannondriver.exe to load a malicious LBTServ.dll to deliver its payload.\r\nHowever, this current variant sent to the telecommunication agency in South Asia delivers the final payload a bit differently than its predecessors. Instead of LBTServ.dll containing the final payload, it loads shellcode from a separate file and injects itself into svchost.exe. It then contacts instructor[.]giize[.]com, a dynamic DNS name redirecting the connection to the attacker’s IP where the payload is hosted. Unfortunately, the remote file was not available at the time of this investigation. Luckily, a tweet by nao_sec identified PoisonIvy malware as the payload.\r\nFigure 6. Tweet by nao_sec on May 12, 2022\r\nPoisonIvy is a Remote Access Trojan (RAT) that has been around for over a decade. Also known as Pivy, the RAT is distributed in underground forums and allows an attacker to take control of a compromised machine and perform reconnaissance activities through its GUI.\r\nFortiGuard Labs previously released a blog series detailing how PoisonIvy works:\r\nDeep Analysis of New Poison Ivy Variant\r\nDeep Analysis of New Poison Ivy/PlugX Variant - Part II\r\nThe PoisonIvy RAT variant covered in those blogs performs lateral movement.
As such, a single infection by PoisonIvy can lead to information being lifted from a wide range of machines in the affected organization.\r\nThe Quest to Reveal the Attacker’s Identity\r\nAlthough PoisonIvy is known to have been used in targeted attacks, it’s not an easy task to identify the attacker behind the operation targeting the telecommunication organization in South Asia. This is due to the number of reported threat actors that use the RAT and its wide availability.\r\nOur curiosity about the attacker led to another LBTServ.dll (SHA2: 719f25e1fea12c8dc573e7161458ce7a5b6683dee3a49bb21a3ec838d0b35dd3) that was submitted to VirusTotal from France in January 2022. This file is dropped by a file with SHA2 cdf417e67b0aaf798ac7c0f9ccb8b5b21f09b408ee6748beea5e03e76902e7fe.\r\nOur analysis revealed that the file behaves similarly to the one in the email sent to the targeted agency. It creates a folder (c:\\windows\\tasks) and drops config and PE files into it. A dropped executable file, unio.exe, is identical to the legitimate signed Logitech file disguised as Cannondriver.exe, described earlier in this blog. The unio.exe loads one of the other dropped files in the attack we are investigating, LBTServ.dll. In this case, LBTServ.dll contains the full backdoor payload instead of loading shellcode to download it. This LBTServ.dll file also takes advantage of DLL Search Order Hijacking, has eight fake exports, and has a malicious export also named LGBT_Launch.
This led us to believe that both attacks most likely came from the same threat actor but in a different campaign, one that likely occurred in January 2022 based on the file submission date to VirusTotal.\r\nMore interestingly, the compilation time of 719f25e1fea12c8dc573e7161458ce7a5b6683dee3a49bb21a3ec838d0b35dd3 is “2016-07-09 12:49:34 UTC”, while the compilation time of its dropper (SHA2: cdf417e67b0aaf798ac7c0f9ccb8b5b21f09b408ee6748beea5e03e76902e7fe) is about 29 seconds later, at 2016-07-09 13:18:11 UTC. These indicate this attacker group has been active since at least mid-2016.\r\nA Tale of PivNoxy and Chinoxy Puppeteer\r\nWe will now look at a partial history of the techniques used by this threat actor. Specifically, we will focus on their use of a file best described as the Logitech Bluetooth Wizard Host Process. This legitimately signed file contains a DLL Search Order Hijacking vulnerability. The APT group takes advantage of this vulnerability by creating their own malicious “LBTServ.dll” file to be loaded whenever the real Logitech process is executed. Over time, this malicious DLL has evolved to use different techniques. The attack chain usually starts with an email containing an attachment. The attachment itself contains an executable that, when executed, drops the malicious DLL, the legitimate Logitech executable, and any associated files used by the malware.\r\nBelow is a timeline of dropper malware used by the threat actor utilizing the technique described above to deliver Chinoxy, PivNoxy, and recent Chinoxy variants.\r\nFigure 7.
Sample timeline of dropper malware based on file compilation time\r\nNote: Q1, Q2, Q3, and Q4 refer to January to March, April to June, July to September, and October to December, respectively.\r\nAs seen in the timeline, in Q3 of 2021, the threat actor switched their arsenal from PivNoxy to a new variant of Chinoxy, which decrypts and loads shellcode from a file and downloads the next payload. The switch from Chinoxy to PivNoxy occurred sometime in Q2 2020.\r\nFortiGuard Labs has documented that from the middle of 2016 to the end of 2018, “LBTServ.dll” was consistently used by the variant known as Chinoxy. In this form, the malicious DLL loads an external configuration file named “k1.ini.”\r\nFigure 8. The configuration file used by Chinoxy\r\nThis configuration file typically contains a base64 string, which turns out to be the C2 server used by Chinoxy.\r\nFigure 9. Base64 decoded value from the Chinoxy configuration file\r\nThe “Remark” field contains the approximate date of the attack. This Chinoxy DLL sample (SHA2: 719f25e1fea12c8dc573e7161458ce7a5b6683dee3a49bb21a3ec838d0b35dd3), according to its metadata, was compiled on Sat Jul 09 12:49:34 2016 GMT. The main dropper (SHA2: cdf417e67b0aaf798ac7c0f9ccb8b5b21f09b408ee6748beea5e03e76902e7fe) itself was compiled on 2016-07-09 13:18:11 GMT. The turnaround time appears to have only been a few days. Chinoxy operated as a backdoor and collected data from the infected computers. It is interesting to note that the same C2 server was used for over two years. Our telemetry indicates that an overwhelming majority of the traffic to this server originated from India.\r\nThings stayed relatively quiet until the end of 2020 and beginning of 2021 when the group decided to return. Operation NightScout started targeting gamers in Southeast Asia.
NoxPlayer is an Android emulator and, like many programs, contacts servers to check for updates. Instead of delivering their malware through email attachments, however, the APT group changed tactics and somehow compromised the update chain of NoxPlayer. A fake update package was sent to Southeast Asian gamers.\r\nSimilar to the Chinoxy case, this PivNoxy variant (SHA2: 5c2a6b11d876c5bad520ff9e79be44dfbb05ee6a6ff300e8427deab35085bef6) uses a fake update package to unpack several files, including files that abuse the same DLL Search Order Hijacking technique used against Logitech. However, in this case, “LBTServ.dll” was used to deliver malware more powerful than the previous iteration, with PivNoxy delivering the PoisonIvy RAT through the malicious DLL. While other vendors report that the infected computers belonged to gamers from Southeast Asia, our telemetry suggests more infected gamers originated from Mexico.\r\nAt this point, this threat actor once again decided to go quiet. But fast forward to May 2022, and the spearphishing email disguised to come from a governmental division of Pakistan was sent to a telecommunication organization in South Asia. And this time, it attempted to deliver a new Chinoxy malware variant.\r\nRegional Interest\r\nThe dropper malware covered earlier in this blog (SHA2: cdf417e67b0aaf798ac7c0f9ccb8b5b21f09b408ee6748beea5e03e76902e7fe) reaches out to goog1eupdate[.]com. Based on FortiGuard telemetry gathered over the past six months, almost 70% of the connections to the domain were made from Mexico, followed by 22% from India. Chinoxy variants also used this domain from 2016 to 2018.\r\nWe also found three similar samples that connect to frontbeauty[.]dynamic-dns[.]net, beautygirl[.]dynamic-dns[.]net, and 784kjsuj[.]dynamic-dns[.]net.
Over the same past six months, all access to the three domains was made from India. As they are dynamic DNS, not all connections can be considered related to the threat actor. However, a Bitdefender report published in November 2020 references the domain “goog1eupdate[.]com” as part of the IOCs for an APT group that uses the FunnyDream backdoor as part of their toolset and who primarily targeted South-Eastern Asia. Access to another C2 address, “mfaupdate[.]com”, was mainly observed from Mexico and India, while “ru[.]mst[.]dns-cloud[.]net” was primarily accessed from Israel and Ukraine. According to security researcher Sebastien Larinier, ru[.]mst[.]dns-cloud[.]net was used by a threat actor who targeted Kyrgyzstan. Further, a research blog released by NTT Security lists another C2 server, “eofficeupdating[.]com”, as being used by this threat actor as a C2 server for Smanager malware, which was used against Vietnam. NTT Security attributed Smanager to an unknown Panda group. Panda is typically part of the monikers used for Chinese threat actors, such as Deep Panda and Goblin Panda.\r\nThis evidence indicates that the threat group we are after has a particular interest not only in South-East Asia but also in South and Central Asia and potentially Mexico. Or, at the least, they have a relationship with an attacker with interests there.\r\nConclusion\r\nThe attack against a telecommunications agency in South Asia began with a simple email that initially appeared to be a standard malicious spam email message. However, the attached Word doc was weaponized using a malicious tool, Royal Road, and is equipped with an exploit for an Equation Editor vulnerability (CVE-2018-0798).
While a payload was unavailable at the time of the investigation, OSINT research points to the Poison Ivy RAT, which FortiGuard Labs has previously highlighted.\r\nBased on our analysis, Asian organizations, and potentially some in Mexico, were a reconnaissance target of a threat actor that we believe was also involved in Operation NightScout in 2021. This threat actor, who uses Chinoxy and PivNoxy in their arsenal, has been active since at least mid-2016.\r\nFortinet Protections\r\nThe following antivirus (AV) signatures detect the samples mentioned in this blog:\r\nOlder Chinoxy variants\r\nW32/Chinoxy.AP!tr\r\nW32/Chinoxy.Z!tr\r\nW32/Generic.AC.433BE8\r\nW32/PossibleThreat\r\nPivNoxy\r\nW32/Kryptik.HHBQ!tr\r\nW32/Injector.KR!tr\r\nW32/Rekvex.IY!tr\r\nW32/PossibleThreat\r\nNewer Chinoxy variants\r\nW32/ERUG!tr\r\nW32/PossibleThreat\r\nOlder Chinoxy dropper\r\nW32/Chinoxy.AA!tr\r\nW32/Agent.BJWZYI!tr\r\nW32/Daws.DIGU!tr\r\nW32/Daws.EKFE!tr\r\nW32/Daws.EQVO!tr\r\nW32/Generic.AC.433BE8\r\nW32/Kryptik.GQMK!tr\r\nW32/RENOS.SM1!tr\r\nW32/Zuguo.A!tr\r\nRTF/CVE_2017_11882.A!exploit\r\nPivNoxy dropper\r\nW32/Agent.SMC!tr\r\nW32/Generik.CIJIXOM!tr\r\nW32/Injector.KR!tr\r\nW32/Injector.SMC!tr\r\nW32/Kryptik.HHBQ!tr\r\nW32/Rekvex.IY!tr\r\nW32/Rekvex.JOHUGYE!tr\r\nW32/RENOS.SM1!tr\r\nW32/Zuguo.A!tr\r\nNewer Chinoxy dropper\r\nW32/Agent.ADWJ!tr\r\nW32/ERUG!tr\r\nW32/PossibleThreat\r\nMalicious_Behavior.SB\r\nAll network-based URIs are blocked by the WebFiltering client.\r\nFortinet has multiple solutions designed to help train users to understand and detect phishing threats:\r\nThe FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and
reinforce proper practices when users encounter targeted phishing attacks.\r\nIn addition to these protections, we suggest that organizations also have their end users go through our FREE NSE training: NSE 1 – Information Security Awareness. It includes a module on Internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks.\r\nIOCs\r\nFile IOCs\r\nNetwork IOCs\r\nMITRE\r\nResource Development\r\nT1584.004 Compromise Infrastructure: Server\r\nInitial Access\r\nT1566.001 Phishing: Spearphishing Attachment\r\nT1195.002 Supply Chain Compromise: Compromise Software Supply Chain\r\nExecution\r\nT1203 Exploitation for Client Execution\r\nT1053.005 Scheduled Task/Job: Scheduled Task\r\nT1204.002 User Execution: Malicious File\r\nT1543.003 Create or Modify System Process: Windows Service\r\nPersistence\r\nT1574.001 Hijack Execution Flow: DLL Search Order Hijacking\r\nT1053.005 Scheduled Task/Job: Scheduled Task\r\nT1547.001 Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder\r\nT1547.014 Boot or Logon Autostart Execution: Active Setup\r\nPrivilege Escalation\r\nT1574.001 Hijack Execution Flow: DLL Search Order Hijacking\r\nT1055.001 Process Injection: Dynamic-link Library Injection\r\nT1053.005 Scheduled Task/Job: Scheduled Task\r\nT1547.001 Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder\r\nT1547.014 Boot or Logon Autostart Execution: Active Setup\r\nDefense Evasion\r\nT1140 Deobfuscate/Decode
Files or Information\r\nT1574.001 Hijack Execution Flow: DLL Search Order Hijacking\r\nT1055.001 Process Injection: Dynamic-link Library Injection\r\nT1112 Modify Registry\r\nT1027 Obfuscated Files or Information\r\nCredential Access\r\nT1056.001 Input Capture: Keylogging\r\nDiscovery\r\nT1010 Application Window Discovery\r\nCollection\r\nT1005 Data from Local System\r\nT1074.001 Data Staged: Local Data Staging\r\nT1056.001 Input Capture: Keylogging\r\nCommand and Control\r\nT1573.001 Encrypted Channel: Symmetric Cryptography\r\nT1105 Ingress Tool Transfer\r\nExfiltration\r\nT1041 Exfiltration Over C2 Channel\r\nFortiGuard Labs has released a new playbook on the malware family known as “Chinoxy” and “PivNoxy” as part of our role in the Cyber Threat Alliance. For more information regarding this series of adversary playbooks being created by CTA members, please visit the Cyber Threat Alliance Playbook Whitepaper.\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis"
	],
	"report_names": [
		"pivnoxy-and-chinoxy-puppeteer-analysis"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "068b67c8-604c-4272-b808-350413fa9ee3",
			"created_at": "2022-10-25T16:07:23.975708Z",
			"updated_at": "2026-04-10T02:00:04.816253Z",
			"deleted_at": null,
			"main_name": "Operation NightScout",
			"aliases": [],
			"source_name": "ETDA:Operation NightScout",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b98eb1ec-dc8b-4aea-b112-9e485408dd14",
			"created_at": "2022-10-25T16:07:23.649308Z",
			"updated_at": "2026-04-10T02:00:04.701157Z",
			"deleted_at": null,
			"main_name": "FunnyDream",
			"aliases": [
				"Bronze Edgewood",
				"Red Hariasa",
				"TAG-16"
			],
			"source_name": "ETDA:FunnyDream",
			"tools": [
				"Chinoxy",
				"Filepak",
				"FilepakMonitor",
				"FunnyDream",
				"Keyrecord",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Md_client",
				"PCShare",
				"ScreenCap",
				"TcpBridge",
				"Tcp_transfer",
				"ccf32"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f",
			"created_at": "2022-10-25T16:07:23.335869Z",
			"updated_at": "2026-04-10T02:00:04.547702Z",
			"deleted_at": null,
			"main_name": "APT 19",
			"aliases": [
				"APT 19",
				"Bronze Firestone",
				"C0d0so0",
				"Checkered Typhoon",
				"Codoso",
				"Deep Panda",
				"G0009",
				"G0073",
				"Operation Kingslayer",
				"Red Pegasus",
				"Sunshop Group",
				"TG-3551"
			],
			"source_name": "ETDA:APT 19",
			"tools": [
				"Agentemis",
				"C0d0so0",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"EmPyre",
				"EmpireProject",
				"Fire Chili",
				"PowerShell Empire",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439040,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/48d3b983f521b222111da75d6acea4b65e88885a.pdf",
		"text": "https://archive.orkl.eu/48d3b983f521b222111da75d6acea4b65e88885a.txt",
		"img": "https://archive.orkl.eu/48d3b983f521b222111da75d6acea4b65e88885a.jpg"
	}
}