{
	"id": "42f9c4eb-bff6-4706-a13f-4aabb45e9413",
	"created_at": "2026-04-06T01:29:29.912538Z",
	"updated_at": "2026-04-10T03:34:00.389872Z",
	"deleted_at": null,
	"sha1_hash": "4c7ee3e68ce468f75f529e81b326df8c16d16ec9",
	"title": "Sponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 535572,
	"plain_text": "Sponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike\r\nbackdoor\r\nBy Adam Burgher\r\nArchived: 2026-04-06 00:12:32 UTC\r\nESET researchers discovered a Ballistic Bobcat campaign targeting various entities in Brazil, Israel, and the United Arab\r\nEmirates, using a novel backdoor we have named Sponsor.\r\nWe discovered Sponsor after we analyzed an interesting sample we detected on a victim’s system in Israel in May 2022 and\r\nscoped the victim-set by country. Upon examination, it became evident to us that the sample was a novel backdoor deployed\r\nby the Ballistic Bobcat APT group.\r\nBallistic Bobcat, previously tracked by ESET Research as APT35/APT42 (aka Charming Kitten, TA453, or\r\nPHOSPHORUS), is a suspected Iran-aligned advanced persistent threat group that targets education, government, and\r\nhealthcare organizations, as well as human rights activists and journalists. It is most active in Israel, the Middle East, and the\r\nUnited States. Notably, during the pandemic, it was targeting COVID-19-related organizations, including the World Health\r\nOrganization and Gilead Pharmaceuticals, and medical research personnel.\r\nOverlaps between Ballistic Bobcat campaigns and Sponsor backdoor versions show a fairly clear pattern of tool\r\ndevelopment and deployment, with narrowly targeted campaigns, each of limited duration. We subsequently discovered four\r\nother versions of the Sponsor backdoor. In total, we saw Sponsor deployed to at least 34 victims in Brazil, Israel, and the\r\nUnited Arab Emirates, as outlined in Figure 1.\r\nFigure 1. 
Timeline of the Sponsoring Access campaign\r\nKey points of this blogpost:\r\nWe discovered a new backdoor deployed by Ballistic Bobcat that we subsequently named Sponsor.\r\nhttps://www.welivesecurity.com/en/eset-research/sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor/\r\nPage 1 of 17\n\nBallistic Bobcat deployed the new backdoor in September 2021, while it was wrapping up the campaign\r\ndocumented in CISA Alert AA21-321A and the PowerLess campaign.\r\nThe Sponsor backdoor uses configuration files stored on disk. These files are discreetly deployed by batch\r\nfiles and deliberately designed to appear innocuous, thereby attempting to evade detection by scanning\r\nengines.\r\nSponsor was deployed to at least 34 victims in Brazil, Israel, and the United Arab Emirates; we have\r\nnamed this activity the Sponsoring Access campaign.\r\nInitial access\r\nBallistic Bobcat obtained initial access by exploiting known vulnerabilities in internet-exposed Microsoft Exchange servers\r\nby first conducting meticulous scans of the system or network to identify potential weaknesses or vulnerabilities, and\r\nsubsequently targeting and exploiting those identified weaknesses. The group has been known to engage in this behavior for\r\nsome time. However, many of the 34 victims identified in ESET telemetry might best be described as victims of opportunity\r\nrather than preselected and researched victims, as we suspect Ballistic Bobcat engaged in the above-described scan-and-exploit behavior because it was not the only threat actor with access to these systems. We have named this Ballistic Bobcat\r\nactivity utilizing the Sponsor backdoor the Sponsoring Access campaign.\r\nThe Sponsor backdoor uses configuration files on disk, dropped by batch files, and both are innocuous so as to bypass\r\nscanning engines. This modular approach is one that Ballistic Bobcat has used quite often and with modest success in the\r\npast two and a half years. 
On compromised systems, Ballistic Bobcat also continues to use a variety of open-source tools,\r\nwhich we describe – together with the Sponsor backdoor – in this blogpost.\r\nVictimology\r\nFigure 2. Geographical distribution of entities targeted by Ballistic Bobcat with the Sponsor backdoor\r\nA significant majority of the 34 victims were located in Israel, with only two located in other countries:\r\nBrazil, at a medical cooperative and health insurance operator, and\r\nthe United Arab Emirates, at an unidentified organization.\r\nTable 1 describes the verticals, and organizational details, for victims in Israel.\r\nTable 1. Verticals and organizational details for victims in Israel\r\nVertical Details\r\nAutomotive\r\n·       An automotive company specializing in custom modifications.\r\n·       An automotive repair and maintenance company.\r\nCommunications\r\n·       An Israeli media outlet.\r\nEngineering\r\n·       A civil engineering firm.\r\n·       An environmental engineering firm.\r\n·       An architectural design firm.\r\nFinancial services\r\n·       A financial services company that specializes in investment counseling.\r\n·       A company that manages royalties.\r\nHealthcare\r\n·       A medical care provider.\r\nInsurance\r\n·       An insurance company that operates an insurance marketplace.\r\n·       A commercial insurance company.\r\nLaw\r\n·       A firm specializing in medical law.\r\nManufacturing\r\n·       Multiple electronics manufacturing companies.\r\n·       A company that manufactures metal-based commercial products.\r\n·       A multinational technology manufacturing company.\r\nRetail\r\n·       A food retailer.\r\n·       A multinational diamond retailer.\r\n·       A skin care products retailer.\r\n·       A window treatment retailer and installer.\r\n·       A global electronic parts supplier.\r\n·       A physical access control supplier.\r\nTechnology\r\n·       An IT services technology company.\r\n·       An IT solutions provider.\r\nTelecommunications\r\n·       A telecommunications company.\r\nUnidentified\r\n·       Multiple unidentified organizations.\r\nAttribution\r\nIn August 2021, the Israeli victim above that operates an insurance marketplace was attacked by Ballistic Bobcat with the\r\ntools CISA reported in November 2021. The indicators of compromise we observed are:\r\nMicrosoftOutlookUpdateSchedule,\r\nMicrosoftOutlookUpdateSchedule.xml,\r\nGoogleChangeManagement, and\r\nGoogleChangeManagement.xml.\r\nBallistic Bobcat tools communicated with the same command and control (C\u0026C) server as in the CISA report:\r\n162.55.137[.]20.\r\nThen, in September 2021, the same victim received the next generation of Ballistic Bobcat tools: the PowerLess backdoor\r\nand its supporting toolset. The indicators of compromise we observed were:\r\nhttp://162.55.137[.]20/gsdhdDdfgA5sS/ff/dll.dll,\r\nwindowsprocesses.exe, and\r\nhttp://162.55.137[.]20/gsdhdDdfgA5sS/ff/windowsprocesses.exe.\r\nOn November 18th, 2021, the group then deployed another tool (Plink) that was covered in the CISA report, as\r\nMicrosoftOutLookUpdater.exe. Ten days later, on November 28th, 2021, Ballistic Bobcat deployed the Merlin agent (the\r\nagent portion of an open-source post-exploitation C\u0026C server and agent written in Go). On disk, this Merlin agent was\r\nnamed googleUpdate.exe, using the same naming convention as described in the CISA report to hide in plain sight.\r\nThe Merlin agent executed a Meterpreter reverse shell that called back to a new C\u0026C server, 37.120.222[.]168:80. 
On\r\nDecember 12th, 2021, the reverse shell dropped a batch file, install.bat, and within minutes of executing the batch file,\r\nBallistic Bobcat operators pushed their newest backdoor, Sponsor. This would turn out to be the third version of the\r\nbackdoor.\r\nTechnical analysis\r\nInitial access\r\nWe were able to identify a likely means of initial access for 23 of the 34 victims that we observed in ESET telemetry.\r\nSimilar to what was reported in the PowerLess and CISA reports, Ballistic Bobcat probably exploited a known vulnerability,\r\nCVE-2021-26855 (ProxyLogon), in Microsoft Exchange servers to gain a foothold on these systems.\r\nFor 16 of the 34 victims, it appears Ballistic Bobcat was not the only threat actor with access to their systems. This may\r\nindicate, along with the wide variety of victims and the apparent lack of obvious intelligence value of a few victims, that\r\nBallistic Bobcat engaged in scan-and-exploit behavior, as opposed to a targeted campaign against preselected victims.\r\nToolset\r\nOpen-source tools\r\nBallistic Bobcat employed a number of open-source tools during the Sponsoring Access campaign. Those tools and their\r\nfunctions are listed in Table 2.\r\nTable 2. 
Open-source tools used by Ballistic Bobcat\r\nFilename Description\r\nhost2ip.exe Maps a hostname to an IP address within the local network.\r\nCSRSS.EXE RevSocks, a reverse tunnel application (named after the legitimate Client/Server Runtime Subsystem binary, which normally lives only in %WINDIR%\\System32).\r\nmi.exe Mimikatz, with an original filename of midongle.exe and packed with the Armadillo PE packer.\r\ngost.exe GO Simple Tunnel (GOST), a tunneling application written in Go.\r\nchisel.exe Chisel, a TCP/UDP tunnel over HTTP using SSH layers.\r\ncsrss_protected.exe RevSocks tunnel, protected with the trial version of the Enigma Protector software protection.\r\nplink.exe Plink (PuTTY Link), a command line connection tool.\r\nWebBrowserPassView.exe A password recovery tool for passwords stored in web browsers.\r\nsqlextractor.exe A tool for interacting with, and extracting data from, SQL databases.\r\nprocdump64.exe ProcDump, a Sysinternals command line utility for monitoring applications and generating crash dumps.\r\nBatch files\r\nBallistic Bobcat deployed batch files to victims’ systems moments before deploying the Sponsor backdoor. File paths we are\r\naware of are:\r\nC:\\inetpub\\wwwroot\\aspnet_client\\Install.bat\r\n%USERPROFILE%\\Desktop\\Install.bat\r\n%WINDOWS%\\Tasks\\Install.bat\r\nUnfortunately, we were unable to obtain any of these batch files. However, we believe they write innocuous configuration\r\nfiles to disk, which the Sponsor backdoor requires to function fully. 
These configuration filenames were taken from the\r\nSponsor backdoors but were never collected:\r\nconfig.txt\r\nnode.txt\r\nerror.txt\r\nUninstall.bat\r\nWe believe that the batch files and configuration files are part of the modular development process that Ballistic Bobcat has\r\nfavored over the past few years.\r\nSponsor backdoor\r\nSponsor backdoors are written in C++ with compilation timestamps and Program Database (PDB) paths as shown in Table\r\n3. A note on version numbers: the column Version represents the version that we track internally based on the linear\r\nprogression of Sponsor backdoors where changes are made from one version to the next. The Internal version column\r\ncontains the version numbers observed in each Sponsor backdoor and is included for ease of comparison when examining\r\nthese and other potential Sponsor samples.\r\nTable 3. Sponsor compilation timestamps and PDBs\r\nVersion Internal version Compilation timestamp PDB\r\n1 1.0.0 2021-08-29 09:12:51 D:\\Temp\\BD_Plus_Srvc\\Release\\BD_Plus_Srvc.pdb\r\n2 1.0.0 2021-10-09 12:39:15 D:\\Temp\\Sponsor\\Release\\Sponsor.pdb\r\n3 1.4.0 2021-11-24 11:51:55 D:\\Temp\\Sponsor\\Release\\Sponsor.pdb\r\n4 2.1.1 2022-02-19 13:12:07 D:\\Temp\\Sponsor\\Release\\Sponsor.pdb\r\n5 1.2.3.0 2022-06-19 14:14:13 D:\\Temp\\Alumina\\Release\\Alumina.pdb\r\nThe initial execution of Sponsor requires the runtime argument install, without which Sponsor gracefully exits, likely a\r\nsimple anti-emulation/anti-sandbox technique. If passed that argument, Sponsor creates a service called SystemNetwork (in\r\nv1) or Update (in all the other versions). It sets the service’s Startup Type to Automatic, points the service at its own Sponsor\r\nexecutable, and grants it full access. 
It then starts the service.\r\nSponsor, now running as a service, attempts to open the aforementioned configuration files previously placed on disk. It\r\nlooks for config.txt and node.txt, both in the current working directory. If the first is missing, Sponsor sets the service to\r\nStopped and gracefully exits.\r\nBackdoor configuration\r\nSponsor’s configuration, stored in config.txt, contains two fields:\r\nAn update interval, in seconds, to periodically contact the C\u0026C server for commands.\r\nA list of C\u0026C servers, referred to as relays in Sponsor’s binaries.\r\nThe C\u0026C servers are stored encrypted (RC4), and the decryption key is present in the first line of config.txt. Each of the\r\nfields, including the decryption key, has the format shown in Figure 3.\r\nFigure 3. Format of configuration fields in config.txt\r\nThese subfields are:\r\nconfig_start: indicates the length of config_name, if present, or zero, if not. Used by the backdoor to know where\r\nconfig_data starts.\r\nconfig_len: length of config_data.\r\nconfig_name: optional, contains a name given to the configuration field.\r\nconfig_data: the configuration itself, encrypted (in the case of C\u0026C servers) or not (all the other fields).\r\nFigure 4 shows an example with color-coded contents of a possible config.txt file. Note that this is not an actual file we\r\nobserved, but a fabricated example.\r\nFigure 4. Example of possible contents of config.txt\r\nThe last two fields in config.txt are encrypted with RC4, using the string representation of the SHA-256 hash of the\r\nspecified decryption key as the RC4 key. Because that key sits in clear text on the first line, the encryption hides the\r\nC\u0026C addresses from string scanning rather than protecting them: anyone who recovers config.txt can decrypt the relay list. 
We see that the encrypted bytes are stored hex-encoded as ASCII\r\ntext.\r\nHost information gathering\r\nSponsor gathers information about the host on which it is running, reports all of the gathered information to the C\u0026C server,\r\nand receives a node ID, which is written to node.txt. Table 4 lists keys and values in the Windows registry that Sponsor uses\r\nto get the information, and provides an example of the data collected.\r\nTable 4. Information gathered by Sponsor\r\nRegistry key Value Example\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters Hostname D-835MK1\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation TimeZoneKeyName Israel Standard Time\r\nHKEY_USERS\\.DEFAULT\\Control Panel\\International LocaleName he-IL\r\nHKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS BaseBoardProduct 10NX0010I\r\nHKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0 ProcessorNameString Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion ProductName Windows 10 Enterprise N\r\n(same key) CurrentVersion 6.3\r\n(same key) CurrentBuildNumber 19044\r\n(same key) InstallationType Client\r\nSponsor also collects the host’s Windows domain by using the following WMIC command:\r\nwmic computersystem get domain\r\nLastly, Sponsor uses Windows APIs to collect the current username (GetUserNameW), determine if the current Sponsor\r\nprocess is running as a 32- or 64-bit application (GetCurrentProcess, then IsWow64Process(CurrentProcess); for a 32-bit\r\nbinary this amounts to checking whether the host is 64-bit Windows), and determine whether the system is running on\r\nbattery power or connected to AC power (GetSystemPowerStatus).\r\nOne oddity regarding the 32- or 64-bit application check is that all observed samples of Sponsor were 32-bit. 
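Returning to config.txt: the block below is an added example written for this edit, not code from ESET or from the Sponsor samples. It serializes and parses the four-subfield layout (config_start, config_len, config_name, config_data) and applies the RC4 scheme described above, keying the relay fields with the string representation of SHA-256 over the first-line key and storing the ciphertext hex-encoded as ASCII. The fixed-width four-digit length encoding, the lowercase hex-digest form of the SHA-256 and MD5 keys, and the field names key, interval and relay are assumptions, since Figures 3 and 4 are not reproduced on this page; the sample configuration is constructed. The message_key and encrypted_none helpers follow the C\u0026C message encryption the page describes in the next section (RC4 keyed with MD5 of a random number for registration, and of node_id for command requests).

```python
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    # Plain RC4 (key scheduling + keystream); Sponsor uses it for config.txt and C2 traffic.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def relay_key(config_key: str) -> bytes:
    # Per the page, relays are RC4-encrypted with the string representation of
    # SHA-256(first-line key). Assumption: lowercase hex digest, ASCII-encoded.
    return hashlib.sha256(config_key.encode()).hexdigest().encode()


def message_key(seed: str) -> bytes:
    # Per the page, C2 messages are RC4-encrypted with MD5 of a random number
    # (registration) or of node_id (command requests). Assumption: hex digest, as above.
    return hashlib.md5(seed.encode()).hexdigest().encode()


def encode_field(data: str, name: str = '') -> str:
    # Assumed serialization of one field (the page names the subfields but its figure
    # with the byte layout is not reproduced): four-digit config_start (length of
    # config_name, 0 if absent), four-digit config_len, then config_name and config_data.
    return '%04d%04d%s%s' % (len(name), len(data), name, data)


def decode_field(line: str) -> tuple:
    config_start = int(line[0:4])
    config_len = int(line[4:8])
    name = line[8:8 + config_start]
    data = line[8 + config_start:8 + config_start + config_len]
    if len(data) != config_len:
        raise ValueError('truncated config field: ' + line)
    return name, data


def build_config(config_key: str, interval: int, relays: list) -> str:
    # Line 1: decryption key; line 2: check-in interval in seconds;
    # remaining lines: relays, RC4-encrypted and hex-encoded as ASCII.
    key = relay_key(config_key)
    lines = [encode_field(config_key, 'key'), encode_field(str(interval), 'interval')]
    for relay in relays:
        lines.append(encode_field(rc4(key, relay.encode()).hex(), 'relay'))
    return chr(10).join(lines)


def parse_config(text: str) -> dict:
    # Inverse of build_config: the key on line 1 is all that is needed to recover the relays.
    fields = [decode_field(line) for line in text.split(chr(10)) if line]
    config_key = fields[0][1]
    key = relay_key(config_key)
    relays = [rc4(key, bytes.fromhex(data)).decode() for _, data in fields[2:]]
    return {'key': config_key, 'interval': int(fields[1][1]), 'relays': relays}


def encrypted_none(node_id: str) -> str:
    # The encrypted_none field of a command request: RC4(MD5(node_id), 'None'), hex-encoded.
    return rc4(message_key(node_id), b'None').hex()


# Constructed sample configuration, not a file observed in the campaign.
SAMPLE = build_config('examplekey', 60, ['37.120.222[.]168', '198.51.100.7'])

if __name__ == '__main__':
    print(parse_config(SAMPLE))
```

The fields decode without any key, so an analyst who recovers config.txt from one of the deployment directories learns the check-in interval immediately and, because the key is on line one, the relay list as well; the same rc4 routine decrypts command-request and acknowledgement payloads once the node_id or the transmitted key is known.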
This could\r\nmean that some of the next stage tools require this information.\r\nThe collected information is sent in a base64-encoded message that, before encoding, starts with r and has the format shown\r\nin Figure 5.\r\nFigure 5. Format of the message sent by Sponsor to register the victimized computer\r\nThe information is encrypted with RC4, and the encryption key is a random number generated on the spot. The key is\r\nhashed with the MD5 algorithm, not SHA-256 as previously mentioned. This is the case for all communications where\r\nSponsor has to send encrypted data. Since the a, f and e messages described below carry the key that was used, this RC4\r\nlayer appears to obscure the traffic from casual inspection rather than provide real confidentiality; a capture of the HTTP\r\nexchange should be enough to decrypt it.\r\nThe C\u0026C server replies with a number used to identify the victimized computer in later communications, which is written to\r\nnode.txt. Note that the C\u0026C server is randomly chosen from the list when the r message is sent, and the same server is used\r\nin all subsequent communications.\r\nCommand processing loop\r\nSponsor requests commands in a loop, sleeping according to the interval defined in config.txt. The steps are:\r\n1. Send a chk=Test message repeatedly, until the C\u0026C server replies Ok.\r\n2. Send a c (IS_CMD_AVAIL) message to the C\u0026C server, and receive an operator command.\r\n3. Process the command.\r\nIf there is output to be sent to the C\u0026C server, send an a (ACK) message, including the output (encrypted), or\r\nIf execution failed, send an f (FAILED) message. The error message is not sent.\r\n4. Sleep.\r\nThe c message is sent to request a command to execute, and has the format (before base64 encoding) shown in Figure 6.\r\nFigure 6. Format of the message sent by Sponsor to ask for commands to execute\r\nThe encrypted_none field in the figure is the result of encrypting the hardcoded string None with RC4. 
The key for\r\nencryption is the MD5 hash of node_id.\r\nThe URL used to contact the C\u0026C server is built as: http://\u003cIP_or_domain\u003e:80. This may indicate that 37.120.222[.]168:80\r\nis the only C\u0026C server used throughout the Sponsoring Access campaign, as it was the only IP address we observed victim\r\nmachines reaching out to on port 80. Because the traffic is plain HTTP, the base64 message bodies are visible to any web\r\nproxy or packet capture in the path.\r\nOperator commands\r\nOperator commands are delineated in Table 5 and appear in the order in which they are found in the code. Communication\r\nwith the C\u0026C server occurs over port 80.\r\nTable 5. Operator commands and descriptions\r\nCommand Description\r\np Sends the process ID for the running Sponsor process.\r\ne Executes a command, as specified in a subsequent additional argument, on the Sponsor host using the\r\nfollowing string:\r\nc:\\windows\\system32\\cmd.exe /c  \u003ccmd\u003e  \u003e \\result.txt 2\u003e\u00261\r\nResults are stored in result.txt in the current working directory (note that a drive-rooted path such as \\result.txt resolves\r\nto the root of the current drive, so when hunting for this artifact check both the root of the system drive and Sponsor’s\r\nworking directory). Sends an a message with the encrypted\r\noutput to the C\u0026C server if successfully executed. If failed, sends an f message (without specifying the\r\nerror).\r\nd Receives a file from the C\u0026C server and executes it. This command has many arguments: the target\r\nfilename to write the file into, the MD5 hash of the file, a directory to write the file to (or the current\r\nworking directory, by default), a Boolean to indicate whether to run the file or not, and the contents of the\r\nexecutable file, base64-encoded. If no errors occur, an a message is sent to the C\u0026C server with Upload\r\nand execute file successfully or Upload file successfully without execute (encrypted). If errors occur\r\nduring execution of the file, an f message is sent. 
If the MD5 hash of the contents of the file does not\r\nmatch the provided hash, an e (CRC_ERROR) message is sent to the C\u0026C server (including only the\r\nencryption key used, and no other information). The use of the term Upload here is potentially confusing\r\nas the Ballistic Bobcat operators and coders take the point of view from the server side, whereas many\r\nmight view this as a download based on the pulling of the file (i.e., downloading it) by the system using\r\nthe Sponsor backdoor.\r\nu\r\nAttempts to download a file using the URLDownloadFileW Windows API and execute it. Success sends\r\nan a message with the encryption key used, and no other information. Failure sends an f message with a\r\nsimilar structure.\r\ns\r\nExecutes a file already on disk, Uninstall.bat in the current working directory, that most likely contains\r\ncommands to delete files related to the backdoor.\r\nn\r\nThis command can be explicitly supplied by an operator or can be inferred by Sponsor as the command to\r\nexecute in the absence of any other command. Referred to within Sponsor as NO_CMD, it executes a\r\nrandomized sleep before checking back in with the C\u0026C server.\r\nb\r\nUpdates the list of C\u0026Cs stored in config.txt in the current working directory. The new C\u0026C addresses\r\nreplace the previous ones; they are not added to the list. It sends an a message with\r\nNew relays replaced successfully (encrypted) to the C\u0026C server if successfully updated.\r\ni\r\nUpdates the predetermined check-in interval specified in config.txt. It sends an a message with New\r\ninterval replaced successfully to the C\u0026C server if successfully updated.\r\nUpdates to Sponsor\r\nBallistic Bobcat coders made code revisions between Sponsor v1 and v2. 
The two most significant changes in the latter are:\r\nOptimization of code where several longer functions were broken up into smaller functions and subfunctions, and\r\nDisguising Sponsor as an updater program by including the following message in the service configuration:\r\nApp updates are great for both app users and apps – updates mean that developers are always working on improving the app,\r\nkeeping in mind a better customer experience with each update.\r\nThat description string, attached to a service named Update whose binary sits in one of the deployment paths listed under\r\nIoCs below, is itself a straightforward hunting indicator.\r\nNetwork infrastructure\r\nIn addition to piggybacking on the C\u0026C infrastructure used in the PowerLess campaign, Ballistic Bobcat also introduced a\r\nnew C\u0026C server. The group also utilized multiple IPs to store and deliver support tools during the Sponsoring Access\r\ncampaign. We have confirmed that none of these IPs are in operation at this time.\r\nConclusion\r\nBallistic Bobcat continues to operate on a scan-and-exploit model, looking for targets of opportunity with unpatched\r\nvulnerabilities in internet-exposed Microsoft Exchange servers. The group continues to use a diverse open-source toolset\r\nsupplemented with several custom applications, including its Sponsor backdoor. Defenders would be well advised to patch\r\nany internet-exposed devices and remain vigilant for new applications popping up within their organizations.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit\r\nthe ESET Threat Intelligence page.\r\nIoCs\r\nFiles\r\nSHA-1 Filename Detection Description\r\n098B9A6CE722311553E1D8AC5849BA1DC5834C52 N/A Win32/Agent.UXG Ballistic Bobcat backdoor, Sponsor (v1).\r\n5AEE3C957056A8640041ABC108D0B8A3D7A02EBD N/A Win32/Agent.UXG Ballistic Bobcat backdoor, Sponsor (v2).\r\n764EB6CA3752576C182FC19CFF3E86C38DD51475 N/A Win32/Agent.UXG Ballistic Bobcat backdoor, Sponsor (v3).\r\n2F3EDA9D788A35F4C467B63860E73C3B010529CC N/A Win32/Agent.UXG Ballistic Bobcat backdoor, Sponsor (v4).\r\nE443DC53284537513C00818392E569C79328F56F N/A Win32/Agent.UXG Ballistic Bobcat backdoor, Sponsor (v5, aka Alumina).\r\nC4BC1A5A02F8AC3CF642880DC1FC3B1E46E4DA61 N/A WinGo/Agent.BT RevSocks reverse tunnel.\r\n39AE8BA8C5280A09BA638DF4C9D64AC0F3F706B6 N/A clean ProcDump, a command line utility for monitoring applications and generating crash dumps.\r\nA200BE662CDC0ECE2A2C8FC4DBBC8C574D31848A N/A Generik.EYWYQYF Mimikatz.\r\n5D60C8507AC9B840A13FFDF19E3315A3E14DE66A N/A WinGo/Riskware.Gost.D GO Simple Tunnel (GOST).\r\n50CFB3CF1A0FE5EC2264ACE53F96FADFE99CC617 N/A WinGo/HackTool.Chisel.A Chisel reverse tunnel.\r\n1AAE62ACEE3C04A6728F9EDC3756FABD6E342252 N/A N/A Host2IP discovery tool.\r\n519CA93366F1B1D71052C6CE140F5C80CE885181 N/A Win64/Packed.Enigma.BV RevSocks tunnel, protected with the trial version of the Enigma Protector software protection.\r\n4709827C7A95012AB970BF651ED5183083366C79 N/A N/A Plink (PuTTY Link), a command line connection tool.\r\n99C7B5827DF89B4FAFC2B565ABED97C58A3C65B8 N/A Win32/PSWTool.WebBrowserPassView.I A password recovery tool for passwords stored in web browsers.\r\nE52AA118A59502790A4DD6625854BD93C0DEAF27 N/A MSIL/HackTool.SQLDump.A A tool for interacting with, and extracting data from, SQL databases.\r\nFile paths\r\nThe following is a list of paths where the Sponsor backdoor was deployed on victimized machines.\r\n%SYSTEMDRIVE%\\inetpub\\wwwroot\\aspnet_client\\\r\n%USERPROFILE%\\AppData\\Local\\Temp\\file\\\r\n%USERPROFILE%\\AppData\\Local\\Temp\\2\\low\\\r\n%USERPROFILE%\\Desktop\\\r\n%USERPROFILE%\\Downloads\\a\\\r\n%WINDIR%\\\r\n%WINDIR%\\INF\\MSExchange Delivery DSN\\\r\n%WINDIR%\\Tasks\\\r\n%WINDIR%\\Temp\\\r\n%WINDIR%\\Temp\\crashpad\\1\\Files\r\nNetwork\r\nIP Provider First seen Last seen Details\r\n162.55.137[.]20 Hetzner Online GMBH 2021-06-14 2021-06-15 PowerLess C\u0026C.\r\n37.120.222[.]168 M247 LTD 2021-11-28 2021-12-12 Sponsor C\u0026C.\r\n198.144.189[.]74 Colocrossing 2021-11-29 2021-11-29 Support tools download site.\r\n5.255.97[.]172 The Infrastructure Group B.V. 2021-09-05 2021-10-28 Support tools download site.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 13 of the MITRE ATT\u0026CK framework.\r\nTactic ID Name Description\r\nReconnaissance T1595 Active Scanning: Vulnerability Scanning Ballistic Bobcat scans for vulnerable versions of Microsoft Exchange Servers to exploit.\r\nResource Development T1587.001 Develop Capabilities: Malware Ballistic Bobcat designed and coded the Sponsor backdoor.\r\nResource Development T1588.002 Obtain Capabilities: Tool Ballistic Bobcat uses various open-source tools as part of the Sponsoring Access campaign.\r\nInitial Access T1190 Exploit Public-Facing Application Ballistic Bobcat targets internet-exposed Microsoft Exchange Servers.\r\nExecution T1059.003 Command and Scripting Interpreter: Windows Command Shell The Sponsor backdoor uses the Windows command shell to execute commands on the victim’s system.\r\nExecution T1569.002 System Services: Service Execution The Sponsor backdoor sets itself as a service and initiates its primary functions after the service is executed.\r\nPersistence T1543.003 Create or Modify System Process: Windows Service Sponsor maintains persistence by creating a service with automatic startup that executes its primary functions in a loop.\r\nPrivilege Escalation T1078.003 Valid Accounts: Local Accounts Ballistic Bobcat operators attempt to steal credentials of valid users after initially exploiting a system before deploying the Sponsor backdoor.\r\nDefense Evasion T1140 Deobfuscate/Decode Files or Information Sponsor stores information on disk that is encrypted and obfuscated, and deobfuscates it at runtime.\r\nDefense Evasion T1027 Obfuscated Files or Information Configuration files that the Sponsor backdoor requires on disk are encrypted and obfuscated.\r\nDefense Evasion T1078.003 Valid Accounts: Local Accounts Sponsor is executed with admin privileges, likely using credentials that operators found on disk; along with Ballistic Bobcat’s innocuous naming conventions, this allows Sponsor to blend into the background.\r\nCredential Access T1555.003 Credentials from Password Stores: Credentials from Web Browsers Ballistic Bobcat operators use open-source tools to steal credentials from password stores inside web browsers.\r\nDiscovery T1018 Remote System Discovery Ballistic Bobcat uses the Host2IP tool, previously used by Agrius, to discover other systems within reachable networks and correlate their hostnames and IP addresses.\r\nCommand and Control T1001 Data Obfuscation The Sponsor backdoor obfuscates data before sending it to the C\u0026C server.\r\nSource: https://www.welivesecurity.com/en/eset-research/sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor/"
	],
	"report_names": [
		"sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1",
			"created_at": "2023-03-04T02:01:54.091301Z",
			"updated_at": "2026-04-10T02:00:03.356317Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"UNC788",
				"CALANQUE"
			],
			"source_name": "MISPGALAXY:APT42",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae26d287-8ba7-447e-9391-cf13c02d7481",
			"created_at": "2023-03-04T02:01:54.0962Z",
			"updated_at": "2026-04-10T02:00:03.357189Z",
			"deleted_at": null,
			"main_name": "TA453",
			"aliases": [],
			"source_name": "MISPGALAXY:TA453",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "21e01940-3851-417f-9e90-1a4a2da07033",
			"created_at": "2022-10-25T16:07:23.299369Z",
			"updated_at": "2026-04-10T02:00:04.527895Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow",
				"DEV-0227",
				"Pink Sandstorm",
				"SharpBoys",
				"Spectral Kitten"
			],
			"source_name": "ETDA:Agrius",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agrius",
				"BFG Agonizer",
				"BFG Agonizer Wiper",
				"DEADWOOD",
				"DETBOSIT",
				"Detbosit",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"PW",
				"PartialWasher",
				"PartialWasher Wiper",
				"SQLShred",
				"Sqlextractor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-10T02:00:03.664754Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM ",
				"Agonizing Serpens ",
				"Agrius",
				"Agrius ",
				"BlackShadow",
				"DEV-0227 ",
				"Justice Blade ",
				"Malek Team",
				"Malek Team ",
				"MoneyBird ",
				"Pink Sandstorm ",
				"Sharp Boyz ",
				"Spectral Kitten "
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-10T02:00:03.547155Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens",
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7d982d5b-3428-483c-8804-c3ab774f1861",
			"created_at": "2024-11-01T02:00:52.70975Z",
			"updated_at": "2026-04-10T02:00:05.357255Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"Agrius",
				"Pink Sandstorm",
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow"
			],
			"source_name": "MITRE:Agrius",
			"tools": [
				"NBTscan",
				"Mimikatz",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"DEADWOOD",
				"BFG Agonizer",
				"ASPXSpy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8",
			"created_at": "2025-04-23T02:00:55.275208Z",
			"updated_at": "2026-04-10T02:00:05.270553Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"APT42"
			],
			"source_name": "MITRE:APT42",
			"tools": [
				"NICECURL",
				"TAMECAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438969,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4c7ee3e68ce468f75f529e81b326df8c16d16ec9.pdf",
		"text": "https://archive.orkl.eu/4c7ee3e68ce468f75f529e81b326df8c16d16ec9.txt",
		"img": "https://archive.orkl.eu/4c7ee3e68ce468f75f529e81b326df8c16d16ec9.jpg"
	}
}