{
	"id": "2fef21c0-0930-4d23-bac3-f1d35e7d18c5",
	"created_at": "2026-04-06T00:08:10.833266Z",
	"updated_at": "2026-04-10T03:32:24.942705Z",
	"deleted_at": null,
	"sha1_hash": "4c841f4f8af757774310c4c6c13fbe1d19a4da8d",
	"title": "TA2722 Spoofs Philippines - Remcos \u0026 Nanocore Malware | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 599604,
	"plain_text": "TA2722 Spoofs Philippines - Remcos \u0026 Nanocore Malware | Proofpoint US\r\nBy Selena Larson and Joe Wise, October 27, 2021\r\nPublished: 2021-10-25 · Archived: 2026-04-02 10:59:41 UTC\r\nKey Findings\r\nProofpoint identified a new cybercriminal threat actor, TA2722.\r\nThis group impersonates Philippine health, labor, and customs organizations as well as other entities based in the Philippines.\r\nTA2722 typically targets Shipping/Logistics, Manufacturing, Business Services, Pharmaceutical, and Energy entities, among others. Geographic targeting includes North America, Europe, and Southeast Asia.\r\nTA2722 distributes Remcos and NanoCore remote access trojans (RATs).\r\nOverview\r\nProofpoint identified a new and highly active cybercriminal threat actor, TA2722, colloquially referred to by Proofpoint threat researchers as the Balikbayan Foxes. Throughout 2021, a series of campaigns impersonated multiple Philippine government entities including the Department of Health, the Philippine Overseas Employment Administration (POEA), and the Bureau of Customs. Other related campaigns masqueraded as the Manila embassy of the Kingdom of Saudi Arabia (KSA) and DHL Philippines. The messages were intended for a variety of industries in North America, Europe, and Southeast Asia, with the top sectors including Shipping, Logistics, Manufacturing, Business Services, Pharmaceutical, Energy, and Finance.\r\nProofpoint assesses this actor is targeting organizations directly or indirectly engaged with the Philippine government, based on a continuous pattern of spoofing email addresses and delivering lures designed to impersonate government entities. For example, shipping, transportation, and logistics companies frequently engage with customs officials at ports of call. Additionally, manufacturing and energy companies support and maintain large supply chain operations, likely requiring correspondence with both labor and customs organizations.\r\nAll the campaigns distributed either the Remcos or the NanoCore remote access trojan (RAT). Remcos and NanoCore are typically used for information gathering, data theft, and the monitoring and control of compromised computers. While the malware’s associated infrastructure changed over time, the sender emails were reused for a long period of time.\r\nIn 2020, Philippine government entities issued multiple alerts warning users of this activity, whose lures used themes such as COVID-19 infection information in the Philippines and POEA labor information.\r\nCampaign Details\r\nIn mid-2021, Proofpoint researchers identified a series of campaigns distributing Remcos and NanoCore RATs while masquerading as the Kingdom of Saudi Arabia (KSA) embassy in Manila and the Philippine Overseas Employment Administration (POEA). Upon further investigation, Proofpoint identified additional, separate campaigns distributing the same malware while masquerading as the Philippine Department of Health and Bureau of Customs.\r\nProofpoint separated the campaigns into two distinct threat activity clusters. In all cases, message lures were in English. They contained multiple threat distribution mechanisms, including:\r\nOneDrive URLs linking to RAR files with embedded UUE files\r\nPDF email attachments with an embedded OneDrive link or other malicious URL leading to compressed executables (.iso files) that download and run malware\r\nCompressed MS Excel documents containing macros which, if enabled, download malware\r\nRemcos is a commodity remote access tool available for purchase online. NanoCore is also commodity malware, written in .NET by \"Aeonhack\". The code is obfuscated with Eazfuscator.NET 3.3. NanoCore RAT is sold on various hacking forums.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread\r\nPage 1 of 8\r\nNanoCore includes many features and plugins. Both Remcos and NanoCore RAT are distributed by numerous cybercrime threat actors with many different delivery techniques and lures.\r\nThreat Cluster Shahzad73\r\nProofpoint named the first identified cluster Shahzad73 based on the command and control (C2) domains used by the threat actor:\r\n       shahzad73[.]ddns[.]net\r\n       shahzad73[.]casacam[.]net\r\nAlthough Proofpoint began regularly tracking this activity cluster in April 2021, historic data suggests the activity dates as far back as August 2020. The threat actor generally leverages themes purporting to be labor-related messages, including spoofing the Philippine Overseas Employment Administration (POEA) and the Saudi Arabian consulate in Manila. Other, less frequent threats observed in Shahzad73 campaigns were associated with billing/invoice lures. The messages impacted hundreds of customers globally, including entities in the Transportation, Energy, Construction, Manufacturing, Finance, and Business Services industries.\r\nMessages purported to be, for example:\r\n       From: POEA \u003cinfo1@poea.gov.ph\u003e\r\n       Subject: \"POEA ADVISORY ON DELISTED AGENCIES.\"\r\nFigure 1: Email sample purporting to be from the Philippine Overseas Employment Administration (POEA).\r\nAdditional samples include:\r\n       From: \"ksa.Consulate manila \" \u003cconsulate_ksa_emb@gmail.com\u003e\r\n       Subject: \"Memorandum from the Saudi Embassy\"\r\nFigure 2: Email sample purporting to be from the Kingdom of Saudi Arabia (KSA) consulate.\r\nSaudi Arabia is reportedly one of the most popular destinations for the country’s overseas workers, with over one million Filipinos working there. In May 2021, the Philippines temporarily suspended sending workers to the Kingdom after receiving reports that Filipino workers were being charged for COVID-19 testing and quarantine. Proofpoint identified a campaign spoofing the KSA embassy in Manila and targeting transportation entities, among others, around the same time.\r\nMost of these messages contain either UUE or RAR attachments ultimately leading to the installation of the Remcos remote access trojan (RAT) or NanoCore RAT. Each campaign featured a dynamic DNS C2 domain containing the keyword shahzad73.\r\nExample attachment file names:\r\n       memorandum from the saudi embassy.pdf.uue.rar\r\n       Memorandum from the Saudi Embassy.pdf.uue\r\n       POEA Memo-Circular No 019-22.pdf.uue\r\n       POEA Memo-Circular No 002-06.pdf.exe\r\n       poea memo on delisted agencies ! reminder.uue.rar\r\n       poea advisory on delisted agencies.pdf.uue\r\n       swiftusd33,980_soa005673452425.uue.rar\r\nThe observed Remcos samples included the following example configuration:\r\n       C2: shahzad73[.]casacam[.]net:2404\r\n       C2: shahzad73[.]ddns[.]net:2404\r\n       license: 9C98D5D48F9EA32282C07700F23815A0\r\n       version: 2.7.2 Pro\r\nObserved NanoCore RAT samples included the following example configuration:\r\n       GCThreshold: 10485760\r\n       KeyboardLogging: True\r\n       WanTimeout: 8000\r\n       Version: 1.2.2.0\r\n       Mutex: Global\\{a58bb08a-85df-4191-824c-1b90cbce1024}\r\n       RestartDelay: 5000\r\n       BackupDnsServer: 8.8.4.4\r\n       PrimaryDnsServer: 8.8.8.8\r\n       ConnectionPort: 9036\r\n       MaxPacketSize: 10485760\r\n       BufferSize: 65535\r\n       ClearZoneIdentifier: True\r\n       DefaultGroup: ENDING-JUNE\r\n       LanTimeout: 2500\r\n       BackupConnectionHost: shahzad73[.]ddns[.]net\r\n       BuildTime: 2021-07-26 13:34:18 UTC\r\n       UseCustomDnsServer: True\r\n       MutexTimeout: 5000\r\n       KeepAliveTimeout: 30000\r\n       PrimaryConnectionHost: shahzad73[.]casacam[.]net\r\n       TimeoutInterval: 5000\r\n       PreventSystemSleep: True\r\n       ConnectDelay: 4000\r\nThreat Cluster CPRS\r\nProofpoint named the second identified threat cluster CPRS based on the actor regularly spoofing the Philippines Bureau of Customs - Client Profile Registration System (CPRS) in ongoing campaigns. The identified Remcos RAT campaigns impacted nearly 150 customers globally, with a focus on the Shipping and Logistics, Manufacturing, Industry, and Energy sectors.\r\nProofpoint began tracking this activity cluster in December 2019. The actor appeared to conduct multiple campaigns per month through October 2020. Activity resumed in September 2021. Historic data suggests the activity dates as far back as 2018. The threat actor generally leverages themes purporting to be entities related to the Philippine government, most frequently the Bureau of Customs CPRS. Other emails masqueraded as the country’s Department of Health distributing COVID-19 information. Other, less frequently observed threats in related campaigns were associated with invoice, shipping, or Finance/Treasury themes.\r\nMessages purported to be, for example:\r\n       From: cprs@customs[.]gov[.]ph\r\n       Subject: \"E-Mail Alert for Status: PROVISIONAL GOODS DECLARATION REFERENCE NO.C-1075027-21\"\r\nFigure 3: Email purporting to be a Bureau of Customs declaration.\r\nOther message samples include:\r\n       From: COVID-19@doh.gov.ph\r\n       Subject: \"Covid-19 Data Cases Report in Your Location-The Department of Health (DOH)\"\r\nFigure 4: Message purporting to be COVID-19 information from the Philippine Department of Health.\r\nExample attachment file names:\r\n       covid-19 pcr test report checklist.pdf\r\n       covid-19 data cases report.pdf\r\n       notice to submit.pdf\r\nThe emails contain either a OneDrive URL or a PDF attachment with a OneDrive URL leading to the download of a compressed executable (e.g. Covid-19 Data Report Checklist_pdf.iso) which, if executed, leads to Remcos RAT.\r\nThe most recent Remcos configuration is as follows:\r\n       C2: cato[.]fingusti[.]club\r\n       License: 4E7867F67DE525ADF9F3A74DBEB02869\r\n       Version: 2.7.2 Pro\r\n       Mutex: nan\r\n       use_tls: nan\r\n2020 campaigns included the following Remcos configuration:\r\n       C2: remcos[.]got-game[.]org:2265:pass\r\n       license: D77341DCD207EB897C3383385A6676C2\r\n       version: 2.5.0 Pro\r\nOn 27 September 2021, the threat actor appeared to change tactics. Proofpoint researchers observed corporate credential capture attempts targeting many of the same companies as the previously observed Remcos activity. The phishing emails masqueraded as the Philippines Bureau of Customs CPRS and contained actor-hosted URLs linking to a credential harvesting page.\r\nFigure 5: Credential capture landing page.\r\nDespite an expansion of TTPs to include credential harvesting campaigns, Proofpoint assesses with high confidence that the credential capture activities are likely temporary and that the threat actor maintains ongoing high levels of malware distribution activity.\r\nThreat Cluster Overlap\r\nProofpoint assesses with high confidence that the two observed threat clusters are associated with the same threat actor, TA2722. Of note, both clusters targeted a frequently overlapping set of customers and shared the same sender IP address. Based on observed infrastructure, the two clusters share similar hosting providers, netblocks, and registrars. There are also dozens of unrelated domains that appear to distribute RATs hosted on the same infrastructure.\r\nThreat Cluster | C2 IP | Last Seen | First Seen | ASN | Host Org | Netblock | Country\r\nCPRS | 185.140.53[.]189 | 9/22/21 | 9/22/21 | AS208476 - PRIVACYFIRST | Danilenko, Artyom | 185.140.53[.]0/24 | SE\r\nCPRS | 79.134.225[.]107 | 9/20/21 | 9/7/21 | AS6775 - FINK-TELECOM-SERVICES | Andreas Fink trading as Fink Telecom Services GmbH | 79.134.224[.]0/19 | CH\r\nCPRS | 79.134.225[.]92 | 8/11/21 | 1/22/21 | AS6775 - FINK-TELECOM-SERVICES | Andreas Fink trading as Fink Telecom Services GmbH | 79.134.224[.]0/19 | CH\r\nCPRS | 185.244.30[.]70 | 1/9/21 | 1/6/21 | AS208476 - PRIVACYFIRST | Danilenko, Artyom | 185.244.30[.]0/24 | NL\r\nCPRS | 185.140.53[.]225 | 12/27/20 | 12/14/20 | AS208476 - PRIVACYFIRST | Danilenko, Artyom | 185.140.53[.]0/24 | SE\r\nShahzad73 | 185.140.53[.]8 | 9/23/21 | 8/9/21 | AS208476 - PRIVACYFIRST | Danilenko, Artyom | 185.140.53[.]0/24 | SE\r\nShahzad73 | 185.19.85[.]139 | 7/29/21 | 5/11/21 | AS48971 - DATAWIRE-AS | DATAWIRE AG | 185.19.84[.]0/22 | CH\r\nShahzad73 | 79.134.225[.]9 | 5/10/21 | 4/7/21 | AS6775 - FINK-TELECOM-SERVICES | Andreas Fink trading as Fink Telecom Services GmbH | 79.134.224[.]0/19 | CH\r\nShahzad73 | 91.212.153[.]84 | 4/4/21 | 2/2/21 | AS24961 - MYLOC-AS | myLoc managed IT AG | 91.212.153[.]0/24 | DE\r\nAdditionally, Proofpoint identified a common registration email associated with multiple command and control IPs and domains that overlapped with the observed activity:\r\n       anthony.marshall.1986@gmail[.]com\r\nThis email was previously associated with Adwind RAT campaigns reported in 2017.\r\nConclusion\r\nProofpoint assesses with high confidence that TA2722 is a highly active threat actor leveraging Philippine government themes and targeting a variety of organizations in Southeast Asia, Europe, and North America. It is likely this threat actor is attempting to gain remote access to target computers, which could be used for information gathering, to install follow-on malware, or to engage in business email compromise (BEC) activity.\r\nExample indicators of compromise:\r\nIndicator | Description\r\nde5992f7c92351d1011fbece2d4bf74ecfc3b09f84aedb12997a2c3bf869de2c | Remcos SHA256\r\n098fe3c8d0407e7438827fb38831dac4af8bd42690f8bd43d4f92fd2b7f33525 | NanoCore SHA256\r\nshahzad73[.]casacam[.]net | Remcos/NanoCore C2\r\nshahzad73[.]ddns[.]net | Remcos/NanoCore C2\r\ncato[.]fingusti[.]club | Remcos C2\r\nremcos[.]got-game[.]org | Remcos C2\r\ninfo1@poea[.]gov[.]ph | Sender Email\r\ncprs@customs[.]gov[.]ph | Sender Email\r\nconsulate_ksa_emb@gmail[.]com | Sender Email\r\n66.248.240[.]80 | Sender IP\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread"
	],
	"report_names": [
		"new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread"
	],
	"threat_actors": [
		{
			"id": "8259735e-8dd0-462f-80ff-c265fa839b76",
			"created_at": "2024-02-06T02:00:04.110337Z",
			"updated_at": "2026-04-10T02:00:03.57093Z",
			"deleted_at": null,
			"main_name": "TA2722",
			"aliases": [
				"Balikbayan Foxes"
			],
			"source_name": "MISPGALAXY:TA2722",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0dbd3195-22ca-47c4-a3f1-aa058b06a1d9",
			"created_at": "2022-10-25T16:07:24.269634Z",
			"updated_at": "2026-04-10T02:00:04.917125Z",
			"deleted_at": null,
			"main_name": "TA2722",
			"aliases": [
				"Balikbayan Foxes"
			],
			"source_name": "ETDA:TA2722",
			"tools": [
				"Atros2.CKPN",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"Zurten"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434090,
	"ts_updated_at": 1775791944,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4c841f4f8af757774310c4c6c13fbe1d19a4da8d.pdf",
		"text": "https://archive.orkl.eu/4c841f4f8af757774310c4c6c13fbe1d19a4da8d.txt",
		"img": "https://archive.orkl.eu/4c841f4f8af757774310c4c6c13fbe1d19a4da8d.jpg"
	}
}