{
	"id": "61fe1c2f-f550-4669-8794-68836f6d1243",
	"created_at": "2026-04-06T00:08:48.736276Z",
	"updated_at": "2026-04-10T03:35:29.114951Z",
	"deleted_at": null,
	"sha1_hash": "4b99c48bfd3add9e6af972f7a9e437379da28163",
	"title": "Scope of ‘KeyBoy’ Targeted Malware Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 212180,
	"plain_text": "Scope of ‘KeyBoy’ Targeted Malware Attacks\r\nBy Jaeson Schultz\r\nPublished: 2013-06-13 · Archived: 2026-04-05 22:35:20 UTC\r\nOn June 6, 2013, malwaretracker.com released an analysis of Microsoft Office-based malware that was exploiting\r\na previously unknown vulnerability that was patched by MS12-060. The samples provided were alleged to be\r\ntargeting Tibetan and Chinese Pro-Democracy Activists. On June 7, 2013, Rapid7 released an analysis of malware\r\ndubbed ‘KeyBoy,’ also exploiting unknown vulnerabilities in Microsoft Office, similarly patched by MS12-060,\r\nbut allegedly targeting interests in Vietnam and India. The indicators of compromise (IoCs) listed by Rapid7\r\nmatch some of the indicators of compromise listed previously by malwaretracker.com.\r\nIoCs published by malwaretracker.com.\r\nhttps://blogs.cisco.com/security/scope-of-keyboy-targeted-malware-attacks\r\nPage 1 of 5\n\nIoCs published by Rapid7.\r\nAs we have seen in some previous targeted malware attacks, the attackers in this incident are taking advantage of\r\nservices like changeip.com to establish free subdomains in their infrastructure. While TRAC is sure that many\r\nsubdomains used at changeip.com have no malicious purpose, there is no denying the fact that attackers mounting\r\ntargeted attacks are also attracted to these ‘free’ services. Blending in with legitimate traffic is a common tactic\r\nused by attackers to help fly under the radar. Not many professional organizations have valid reasons to allow\r\ntraffic to domains offered by changeip.com, so blacklisting these domains is an option.\r\nOne of the second-level domains listed as an IoC is phmail.us. Subdomains at phmail.us have been linked to\r\nmalicious activity dating back as far as December 2011. Based on the patterns of subdomain registration over time\r\nin DNS, TRAC believes this is an example where the attackers registered their own second-level domain. The\r\nWHOIS data, including the address, postal code and telephone number, is obviously forged.\r\nFake WHOIS record data for phmail.us.\r\nAn eclectic group of subdomains has been used at phmail.us, including the following:\r\ncpnet.phmail.us\r\ndnd.phmail.us\r\nhoasen.phmail.us\r\ninquirer.phmail.us\r\nphattai.phmail.us\r\nrfa.phmail.us\r\nsscdtt.phmail.us\r\nttbc.phmail.us\r\nwww.phmail.us\r\nyah00.phmail.us\r\nyl.phmail.us\r\nynsc.phmail.us\r\nWhile watching some of these domains using passive DNS a peculiar pattern emerges. For a long period of time,\r\nmany of the DNS responses for a hostname will return 127.0.0.1, but every so often, presumably when a likely\r\ntarget is on-the-hook, the domain name servers return a routable IP. Perhaps this is a tactic designed to evade or\r\npostpone eventual detection and assist in staying below the radar. Note in the following graphic the DNS server\r\nreplied 717 times with 127.0.0.1; however during that same time, the real routable IPs were also offered to certain\r\nrequesters.\r\nAnother IoC second-level domain from this group (phdns01.com) exhibits exactly the same WHOIS and passive\r\nDNS patterns:\r\nsilence.phdns01.com\r\nsymantec.phdns01.com\r\nwww.phdns01.com\r\nhanoihcm.phdns01.com\r\nsscd.phdns01.com\r\nTRAC recommends analyzing DNS traffic for these IoCs on your own networks. In this case, maintaining the\r\nlatest patches would also have thwarted the attacks, and is always an excellent idea. Additionally, blacklisting the\r\ndomains offered by changeip.com using local RPZs, firewalls, Cisco IronPort Web Security Appliance (WSA), or\r\nCloud Web Security (CWS) are additional options that can help add an extra level of security.\r\nThanks to Craig Williams and Emmanuel Tacheau for their assistance in co-writing this blog post.\r\nSource: https://blogs.cisco.com/security/scope-of-keyboy-targeted-malware-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blogs.cisco.com/security/scope-of-keyboy-targeted-malware-attacks"
	],
	"report_names": [
		"scope-of-keyboy-targeted-malware-attacks"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bef7800a-a08f-4e21-b65c-4279c851e572",
			"created_at": "2022-10-25T15:50:23.409336Z",
			"updated_at": "2026-04-10T02:00:05.319608Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"Tropic Trooper",
				"Pirate Panda",
				"KeyBoy"
			],
			"source_name": "MITRE:Tropic Trooper",
			"tools": [
				"USBferry",
				"ShadowPad",
				"PoisonIvy",
				"BITSAdmin",
				"YAHOYAH",
				"KeyBoy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724",
			"created_at": "2022-10-25T16:07:24.344358Z",
			"updated_at": "2026-04-10T02:00:04.947834Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"APT 23",
				"Bronze Hobart",
				"Earth Centaur",
				"G0081",
				"KeyBoy",
				"Operation Tropic Trooper",
				"Pirate Panda",
				"Tropic Trooper"
			],
			"source_name": "ETDA:Tropic Trooper",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"ByPassGodzilla",
				"CHINACHOPPER",
				"CREDRIVER",
				"China Chopper",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"KeyBoy",
				"Neo-reGeorg",
				"PCShare",
				"POISONPLUG.SHADOW",
				"Poison Ivy",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Swor",
				"TSSL",
				"USBferry",
				"W32/Seeav",
				"Winsloader",
				"XShellGhost",
				"Yahoyah",
				"fscan",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434128,
	"ts_updated_at": 1775792129,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b99c48bfd3add9e6af972f7a9e437379da28163.pdf",
		"text": "https://archive.orkl.eu/4b99c48bfd3add9e6af972f7a9e437379da28163.txt",
		"img": "https://archive.orkl.eu/4b99c48bfd3add9e6af972f7a9e437379da28163.jpg"
	}
}