{
	"id": "9213f287-461c-43d5-b1d2-aa826ae1acb5",
	"created_at": "2026-04-06T00:08:04.162632Z",
	"updated_at": "2026-04-10T03:36:47.980846Z",
	"deleted_at": null,
	"sha1_hash": "4d929df9c3cf31d50cc8782ff5fcf6450b0385b9",
	"title": "Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2385676,
	"plain_text": "Hive0154 targeting US, Philippines, Pakistan and Taiwan in\r\nsuspected espionage campaign\r\nBy Golo Mühr, Joshua Chung\r\nPublished: 2025-05-15 · Archived: 2026-04-05 16:49:03 UTC\r\nJoshua Chung\r\nCyber Threat Intelligence Analyst\r\nIBM Security\r\nAs of May 2025, IBM X-Force is tracking a suspected espionage campaign using weaponized ZIP archives to\r\ndistribute Pubload and Toneshell backdoors. X-Force attributes this campaign, which likely began in late 2024, to\r\nChina-aligned threat actor Hive0154, whose operations overlap with groups tracked as Mustang Panda, Stately\r\nTaurus, Camaro Dragon, Twill Typhoon, Polaris and Earth Preta. The archives contain politically themed lures\r\nlikely designed to entice government, military and diplomatic personnel in the Philippines, the United States and\r\nPakistan. Hive0154 subclusters have used similar tactics in the past. Specifically, they have used the Claimloader\r\nmalware to install persistent backdoors facilitating direct access to victim environments to gain advanced insight\r\ninto emergent decisions of world governments. X-Force has also observed the group employing a USB worm to\r\nspread Pubload in Taiwan, potentially reaching networks that might be air-gapped.\r\nKey findings\r\nHive0154 is a well-established China-aligned threat actor with a large malware arsenal, consistent\r\ntechniques and well-documented activity over the past several years\r\nAmong the malware arsenal, X-Force discovered a number of tools designed to target a specific audience,\r\nlikely targeting the Philippines', the United States' and Pakistan's government, military and diplomatic\r\npersonnel\r\nX-Force discovery suggests Hive0154’s use of geopolitical topics tailored to separate audiences: 1. the\r\nPhilippines, using South China Sea tensions; 2. 
Pakistan, using Balochistan separatists’ activities; and 3.\r\nthe United States, using spoofed National Security Council meeting notes\r\nThese tailored attacks suggest Hive0154 is likely attempting to gain intelligence on the potential strategies\r\nand intent of the U.S. administration and the neighboring countries to China\r\nOne of Hive0154's subclusters has consistently used evolving Claimloader variants to deploy related\r\nPubload and Toneshell backdoors and target entities in Europe, the Asia-Pacific region and the US\r\nX-Force investigated recent activity in Taiwan, where the HIUPAN USB worm was used to spread the\r\nPubload backdoor to a major manufacturing company. Hive0154 also uses filenames related to invoices\r\nand legal documents as lures to target Taiwan in May 2025\r\nHive0154 overview\r\nhttps://www.ibm.com/think/x-force/hive0154-targeting-us-philippines-pakistan-taiwan\r\nPage 1 of 38\n\nSince at least 2022, Hive0154 has used the Toneshell malware family among others to conduct worldwide cyber\r\noperations. Toneshell-related malware, such as Pubload and Pubshell (aka NoFive), indicates the group maintains\r\nseparate malware strands as part of their operations. The group consists of multiple subclusters and targets public\r\nand private organizations, including think tanks, policy groups, government agencies and individuals. X-Force\r\nassesses that this threat actor is a capable threat as evidenced by its use of multiple independent malware loaders,\r\nbackdoor and USB worm families, and consistent reporting of its activity by several security research teams.\r\nPrevious activity\r\nIn 2023, Palo Alto reported that one of the Hive0154 subclusters X-Force tracks was using various lures to spread\r\nthe Pubload backdoor. Some of the lures below also coincide with a campaign against Myanmar as reported by\r\nCSIRT CTI in January 2024. 
The lures below show China's ongoing interest in Southeast Asian countries and Australia.\r\nLure name | Description | SHA256 | Date\r\nNotice re UEC, (04-25-2023 Day).zip | Unknown | 167a842b97d0434f20e0cd6cf73d07079255a743d26606b94fc785a0f3c6736e | April 2023\r\nApril 27 updated party list.zip | Unknown | 41276827827b95c9b5a9fbd198b7cff2aef6f90f2b2b3ea84fadb69c55efa171 | April 2023\r\nBiography of Senator the Hon Don Farrell.zip | The filename seems to be a direct copy of the title appearing on Australia's Trade and Tourism website about the Australian Trade minister. | 4fbfbf1cd2efaef1906f0bd2195281b77619b9948e829b4d53bf1f198ba81dc5 | April 2023\r\nSAC has some instructional requirements for the general election | Unknown | 782e074601f5b17e045d7c8c6380bbb90ab2a1834b30740d662d6c7f2c5372fe | April 2023\r\nNational Security Priority Programs.zip | Unknown | a02766b3950dbb86a129384cf9060c11be551025a7f469e3811ea257a47907d5 | May 2023\r\n230605 Ministerial meeting minutes (1).zip | The file may be a reference to the declaration made in Paris on June 8, 2023 by ministers from Australia, Canada, Japan, the United States, the United Kingdom and New Zealand over abusive trade practices concerning the Asia-Pacific region. | 178e92c59afe4c590436579d9ba98f6afafddf1bf05f570539729a8f0034d798 | June 2023\r\nNUG's Foreign Policy Strategy.zip | The wording appears on this CSIS Indonesia webpage concerning the situation in Myanmar, which is embroiled in a civil war; according to December 2024 reporting, China is considering sending security personnel in support of Myanmar's military junta government. | ba7c456f229adc4bd75bfb876814b4deaf6768ffe95a03021aead03e55e92c7c | August 2023\r\nAnalysis of the third meeting of NDSC.zip | The file may have been part of a previously reported campaign against the Myanmar government by Stately Taurus in early 2024. Circa October 2023, Myanmar became embroiled in a civil war between rebel factions and government forces, in which rebel forces have effectively seized control of a key trade route for China. | 4e8717c9812318f8775a94fc2bffcf050eacfbc30ea25d0d3dcfe61b37fe34bb | November 2023\r\nThe weaponized ZIP files generally contain a renamed legitimate executable, such as SolidPDFCreator.exe (e2acbc36c2cce4050e34033c12f766fea58b4196d84cf40e979fac8fed24c942), which is used to sideload a malicious DLL. The DLL is part of the Claimloader family, which is comprised of different shellcode loader variants used by Hive0154 throughout the years to load payloads associated with the Pubload and Toneshell backdoor families.\r\nThroughout 2024, further Hive0154 activity was recorded, some of which was reported on by FatzQuatz, the StrikeReadyLabs Twitter/X account, and Hunt.io:\r\nLure name | Description | SHA256 | Date\r\nMeeting Request--30-31-05.zip | Unknown | 09597c2844067d8ee6713137cd2739f4f3c9009fd8d59a1497424424c96cf341 | May 2024\r\nEBO Brainstorming Friday 24 to Saturday 25 May 2024.zip | Unknown | 78a60bea5693138c771386b8c22f0adfe6765a6313b80488bd1084bc9ed370bd | May 2024\r\nAttendee list template (24-6-2024).zip | Unknown | b7d13787c8be72dcc584c516e7185a6e65138aa247d63156afc7e376b3c01dc2 | June 2024\r\nNotice of Final Meeting.zip | Unknown | fef713b237179f4d6bea899687d91073c457e0487b6efd913902089444a7d2f2 | July 2024\r\na1.Guidelines for Driving Soft Power to Promote Thailand's Image and Competitiveness on the World Stage.pptx | Unknown | 727ccc4560fb11627870ff2cac2349d656e25d1f566d92e98eb7cb80d771fa22 | July 2024\r\nInterview with Surachet Praweewongwut.rar | Unknown | f00e5ff2dc47a7625c86ac89784d5aa26b210a8437b9fb150b66eb3798b3c1d6 | August 2024\r\nIISS Prague Defence Summit 2024.zip | Previously reported Mustang Panda campaign targeting participants in the IISS Defence Summit in Prague in November 2024. | 1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34 | August 2024\r\nNDI-IRI_Election_Observation_Mission_Report.zip | The filename seems to be in reference to the NDI-IRI report published in June 2023 concerning elections in Nigeria. The report was commissioned with support from the US Agency for International Development (USAID). | ac989df2715a26df9e039e9e0d73ed84337eeb07a4a45901858acbb09c9050c4 | August 2024\r\nleadership information list.zip | Unknown | 3a37a127a425360d00588bf6527a1687ce2d7c736a6c3fdec4f83a752ba3c3fd | August 2024\r\nRequest for Inputs for the 6th Philippines-Thailand Joint Commission for Bilateral Cooperation (JCBC) Ministerial Meeting.exe | The lure likely refers to a bilateral meeting between Thailand and the Philippines that occurred in October 2024. | 057fd248e0219dd31e1044afb7bc77c5f30a7315e136adfcca55ce1593d6cf5d (legitimate EXE, corresponding DLL unknown) | September 2024\r\nBencana_Air_dan_Pandemik_TNB_UTM_23_Oktober_2024_1.rar | The lure document appears to be from the Malaysian National Disaster Management Agency (NADMA, Agensi Pengurusan Bencana Negara) and its ongoing responses to Covid-19 in Malaysia. | cc4e5d175fc85685e7f31c2e7797a3d3a74e751716724b86033e92321fef1bae | October 2024\r\nThe DLL sideloading technique within ZIPs remains the same, but different versions of the Claimloader DLL were registered with changes to the decryption algorithm. Some of the campaigns also used a Toneshell DLL (0bd114fecfd3c09820fa013d8cd8aadedee69906b6f81a2e827bba68ddf1023b) directly.\r\nTensions over South China Sea\r\nX-Force observed several new campaigns in late 2024 and early 2025 following the same TTPs, which were attributed to the same Hive0154 subcluster. The latest Claimloader variants also support opening decoy PDFs as part of the installation routine, before injecting their shellcode payloads. The PDFs, as well as the DLLs, use file attributes to remain hidden from a standard user.\r\nTwo lures and their associated decoy filenames specifically mention tensions over the South China Sea between China and the Philippines, with the Philippine government calling for close military cooperation with the United States in light of growing activities by the Chinese military. These developments will likely elicit increased interest from the recipients, who may be more inclined to open the attachment. Such recipients may include the Philippines' government, military and diplomatic personnel, and may also involve U.S. government and military personnel whose duty might warrant engaging in the topic presented by the filenames.\r\nLure name | Decoy filename | Associated DLL SHA256 | Date\r\nAssessment Report 10-17 Oct\\China, Philippines' clash over South China Sea sovereignty.exe | 20241009 Lao PDR_Review and Decision of the ASEAN LEADERS on the 5PC 2024.pdf | 93fb8b78d65a9ef790be6d20552397373e5d60302bf7618af19b53cd0696b70a | October 2024\r\nDefense_Cooperation_with_the_US\\US_task_force_backs_Philippine_operations_in_South_China_Sea.exe | 2025.pdf | a6dfb41bbad08e3fe663efa325e4c58d9fddb4fe78f38bce180dfc4956581aea | November 2024\r\nBoth lures sideload a Claimloader DLL, which loads the same Toneshell backdoor detailed further below.\r\nClaimloader\r\nClaimloader is a family of loaders used by Hive0154 in the past to load various shellcode payloads, including Toneshell and Pubload. Over the years, it has evolved into several different versions with varying functionality.\r\nOne of the early samples, compiled in late 2021, was reported on by Palo Alto's Unit 42. It uses an interesting technique, copying shellcode into a buffer via the UuidFromStringA API. It further executes the shellcode as a callback function passed to EnumSystemLanguageGroupsA.\r\nFig. 1: Early Claimloader sample (cf61b7a9bdde2a39156d88f309f230a7d44e9feaf0359947e1f96e069eca4e86)\r\nA similar technique was previously reported on by the NCC Group.\r\nIn November 2022, LAC reported on a Claimloader variant likely targeting government organizations in the Philippines in an infection chain almost exactly the same as the activity in 2023-2024 detailed in the previous sections. 
The variant stores its payload as 32-byte blocks of encrypted stack strings, before decrypting each of\r\nthem. It also copies the legitimate executable and the Claimloader DLL to a new directory before attempting to\r\nestablish persistence via the registry or scheduled tasks, effectively making it an installer in addition to a loader.\r\nUpon execution, the malware begins by creating a hardcoded mutex to ensure only a single instance of\r\nClaimloader is running. Next, it checks for a specific command line argument, which is not present on the first\r\nrun. If that's the case, Claimloader will copy both the EXE and DLL into a new unobtrusive directory, often under\r\n\"C:\\ProgramData\\\", imitating a software directory such as:\r\nC:\\ProgramData\\NVIDIACorporatione\\\r\nC:\\ProgramData\\NVIDIACorporation\\\r\nC:\\ProgramData\\jxbrowserEdgeBLA\\\r\nC:\\ProgramData\\jxbrowserEdgeIDWT\\\r\nC:\\ProgramData\\JxbrowserChromium\\\r\nC:\\ProgramData\\FastPerfPDF\\\r\nC:\\ProgramData\\NVIDIAFrameViewSDK\\\r\nThis behavior is used by most of the more recent Claimloader samples and can also lead to unsuccessful sandbox\r\nexecutions. 
\r\nNext, the malware establishes persistence on login by storing the path of the EXE with the correct command line argument in a new registry key, again with an unobtrusive software name, under:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nClaimloader also uses a secondary persistence mechanism by creating the following process to create a scheduled task, which will execute the loader every 5 minutes:\r\nschtasks /F /Create /TN \\\"\u003cfake_software_name\u003e\\\" /SC minute /MO 5 /TR \\\"C:\\\\ProgramData\\\\\u003cpath_to_exe\u003e \u003chardcoded_argument\u003e\\\"\r\nNote that the exact techniques may deviate; one sample, for instance, used COM objects instead to schedule the task by connecting to the ITaskService interface (8957c8de9032b347ee1a15abbae489788533acac0b1a000a2104812df24fb8ce).\r\nClaimloader's decryption algorithms have varied between samples: DES (latest version), at least two implementations of AES, and XOR-based decryption routines using a hardcoded seed to generate a keystream via the _srand() function:\r\nFig. 2: Claimloader AES 128 ECB decryption (a6dfb41bbad08e3fe663efa325e4c58d9fddb4fe78f38bce180dfc4956581aea)\r\nFig. 3: Claimloader using a checksum and seeded _srand() to generate a keystream during decryption (8f4ee5e0b85020f2a040f54dccd24b7e9400c1aa5be8f8988f032e020e371dba)\r\nTo execute their payloads after decryption, most Claimloader variants use APIs with callback functions, but there are also variants that create a new thread or directly call the payload as a function.\r\nBelow is a table of different Claimloader samples and their techniques:\r\nSample SHA256 | DLL name | Persistence | Decryption | Execution technique\r\n3af7807efb10525196c562c1f91d2f009c836630a899f76e2db80ae7c1714d01 | AmindPDFCore.dll | Registry and scheduled task \"Amind PDF\" | _srand() keystream | EnumPropsExW\r\n8957c8de9032b347ee1a15abbae489788533acac0b1a000a2104812df24fb8ce | libemb.dll | Registry and scheduled task via COM \"Fhbemb Update\" | AES | Direct call\r\nd665f55555f87b515cb8ef1adce9592a83662a8c4efa34f6ffdd022475bd176a | CCleanerReactivator.dll | None | AES, with payload stored in stack strings | EnumCalendarInfoExW\r\nc7efd45aa7dd1ecd05571f15d83e9c9fb9209028687498bf3ce52411a44662ac | SolidPDFCreator.dll | Registry and scheduled task \"jxbrowser-chromiumim\" | AES | EnumFontsW\r\na6dfb41bbad08e3fe663efa325e4c58d9fddb4fe78f38bce180dfc4956581aea | jxbrowser-chromium-lib.dll | Registry and scheduled task \"jxbrowser-chromiumim\" | AES | EnumFontsW\r\n900af2b8d03b40cdb027126d47e6537535178464833770741bab8e74026334c7 | helper_core.dll | Registry and scheduled task \"Wargaming Group\" | _srand() keystream | EnumFontsW\r\n4c66e7ebf2ca2ecf00379463835e6a2d5b0231d93fb274a968e75f45b9b7adbc | helper_core.dll | Registry and scheduled task \"NVIDIA_GPU_Core\" | DES | EnumFontsW\r\nSeveral recent samples have added support to display a decoy PDF during the first execution of Claimloader.\r\nFig. 4: Claimloader opening a decoy PDF during execution and removing its file attributes\r\nAfter opening the PDF file for the user, Claimloader removes the \"System\" and \"Hidden\" file attributes to make the PDF permanently visible to the user in the open folder.\r\nThe latest Claimloader variant at the time of publication uses obfuscated API and DLL names, which are XOR encrypted with 0x99. During execution, the loader decrypts the strings and calls LdrLoadDll and LdrGetProcedureAddress to resolve the function pointers for the APIs it needs.\r\nFig. 5: Claimloader resolving XOR encrypted API names\r\nToneshell\r\nBoth Claimloader DLLs associated with the South China Sea lures load the same Toneshell backdoor (5d7b9605cf85371da0849b82977df222ac6c970596c5a9a123c9490789d40078) as shellcode, which is at the same time a valid PE.\r\nFig. 6: Loader shellcode in DOS header of Toneshell backdoor\r\nThe DOS header was modified to include a small stub that calls another function at offset 0x4200, passing the base address of the PE as an argument. 
This loader function goes on to manually load the PE, resolving necessary imports and mapping the sections into memory. This technique allows malware developers to convert a valid PE into shellcode post-compilation.\r\nThe Toneshell family comprises a large arsenal of different variants and has evolved significantly over time. Although it shares strong code overlaps with the Pubload backdoor, it is tracked separately by X-Force. Variants may differ in C2 mechanisms, custom C2 protocols, supported commands and API hashes. X-Force also groups multiple versions of a USB worm framework called \"Tonedisk\" under the Toneshell family.\r\nThe Toneshell backdoor from the campaign above is a comparatively simple variant and is designed to establish a reverse shell through its C2 server.\r\nIt begins by resolving its APIs and creating a new GUID via CoCreateGuid. The resulting 16 bytes are used as a unique victim identifier and are written to a new file:\r\nc:\\\\users\\\\public\\\\description.ini\r\nNext, it creates a new event \"Fool87012900137\", which it uses as a mutex to ensure it is the only running instance. Toneshell initializes its main struct with the C2 server address (45[.]136[.]254[.]193:443), the GUID and the victim's computer name, among other configuration values. It also initializes an implementation of the Microsoft \"rand\" PRNG.\r\nFor each beacon querying the C2 server for commands, Toneshell generates the next 256-byte key from the PRNG, which is used to encrypt the C2 communication, the GUID and the computer name.\r\nFig. 7: Toneshell function to generate C2 key and encrypt the GUID and computer name\r\nThe TCP beacons contain the following values, formatted with a header imitating a TLS Application Data packet (17 03 03):\r\nstruct BEACON {\r\n    BYTE tls_header[3];     // 17 03 03\r\n    WORD payload_size;      // big-endian\r\n    BYTE c2_key[256];\r\n    BYTE encrypted_data[];  // XOR encrypted (GUID + computer name + zero_byte)\r\n}\r\nToneshell expects a similar response back from the server:\r\nstruct C2_RESPONSE {\r\n    BYTE tls_header[3];     // 17 03 03\r\n    WORD payload_size;      // big-endian\r\n    BYTE encrypted_data[];  // XOR encrypted command and payload\r\n}\r\nAfter decrypting the response, the first byte is parsed as a command value, the second byte is used as an identifier for created pipes and the rest as the command payload.\r\nBefore handling the command, Toneshell creates a new thread that sends heartbeat-like response beacons every 30 seconds. Every beacon must also send the correct lowest byte of the next 4 bytes generated by the initialized PRNG keystream to verify the integrity of the communication to the C2 server. These beacons are formatted as follows:\r\nstruct BEACON_CMD_RESPONSE {\r\n    BYTE tls_header[3];     // 17 03 03\r\n    WORD payload_size;      // big-endian\r\n    BYTE response_code;\r\n    BYTE next_keystream;    // low byte of the next 4 bytes generated by the initialized PRNG keystream\r\n    BYTE encrypted_data[];  // XOR encrypted data\r\n}\r\nThis version of Toneshell supports the following C2 command codes:\r\nCode | Description\r\n1 | Wait - will continue waiting for commands with a non-empty payload.\r\n2 | Create new file (delete if already exists)\r\n3 | Write data to file\r\n4 | Write data to file and confirm via response beacon\r\n5 | Create reverse shell via pipes\r\n6 | Write shell command to pipe\r\n7 | Terminate reverse shell\r\nTo create a reverse shell, Toneshell sets up two anonymous pipes and creates a new cmd.exe process using the pipes to write data to stdin and read data from stdout and stderr.\r\nFig. 8: Toneshell using anonymous pipes to create a reverse shell\r\nBy adding the handles to the pipes into the STARTUPINFO structure of the new process, Toneshell can execute arbitrary commands by simply writing to the pipe. In a new thread, Toneshell peeks the pipe for new output using PeekNamedPipe every 100ms. Any new data is read from the pipe and relayed back to the C2 server.\r\nEarly 2025 activity\r\nAs of February 2025, X-Force observed a Hive0154 campaign delivering the Pubload backdoor through similar variants of Claimloader as described above. 
The four samples below share the same C2 server 218[.]255[.]96[.]245:443.\r\nLure name | Submitter country | Claimloader DLL name | Claimloader mutex | DLL SHA256 | Date\r\nBLA,BLF,BRAS,BRG,BRA,UBA (Research \u0026 Analysis) Report.exe | Pakistan | SolidPDFCreator.dll | TB20251202 | c7efd45aa7dd1ecd05571f15d83e9c9fb9209028687498bf3ce52411a44662ac | 12 February 2025\r\nUnknown | Hong Kong | SolidPDFCreator.dll | MTM20251103 | 087ccc7f6c022dc5fd40ade3ef6adaecd51f47e52619cae6b585b84b7acc7633 | 11 March 2025\r\n(The_Military_Balance_2025)-Page-A.zip | The Philippines | chrome_elf.dll | CATM20252003 | 216188ee52b067f761bdf3c456634ca2e84d278c8ebf35cd4cb686d45f5aaf7b | 20 March 2025\r\nNSC_Meeting_Minutes_Apr2025.lnk | United States | helper_core.dll | GameBoxABC | 900af2b8d03b40cdb027126d47e6537535178464833770741bab8e74026334c7 | 17 April 2025\r\nInvitation to the Inter-Agency Meeting for the 46th ASEAN Summit.exe | The Philippines | helper_core.dll | GameGpu0428 | 4c66e7ebf2ca2ecf00379463835e6a2d5b0231d93fb274a968e75f45b9b7adbc | 29 April 2025\r\n豐德電廠114年5月份現金需求表/114.04~114.06月現金需求表(114年度5月).exe | Unknown (likely Taiwan) | helper_core.dll | GameFind057 | 112118aad0db9ff6c78dce2e81d9732537ac9cd71412409fa10c7446f71ed8ec | 7 May 2025\r\n英諾飛保密合約書-NDA-亞航 v英諾飛-AACLlegal1105.exe | Taiwan | helper_core.dll | Unknown | Unknown | 8 May 2025\r\nInvitation letter for the com Workshop - AMB.exe | Unknown | helper_core.dll | GameBoxTV59 | 7476d6b375d8b1962624723aabe6f5054567ce151ade06ae1353f649c4c4e763 | 9 May 2025\r\nIn the case of the LNK file above, it executes the legitimate renamed executable to initiate the DLL sideloading of Claimloader:\r\nC:\\Windows\\System32\\conhost.exe --headless --width 80 --height 90 explorer (NSC_Meeting)-0416\\NSC_Meeting_Minutes_Apr2025.exe\r\nOne of the weaponized ZIP files contained a legitimate executable renamed to \"BLA,BLF,BRAS,BRG,BRA,UBA (Research \u0026 Analysis) Report.exe\". The lure is likely a reference to the Baloch Liberation Army (BLA), a militant separatist group, and other associated militant groups calling for the establishment of a new nation of Balochistan. The use of such names in the lure is likely an attacker's effort to prompt interested recipients to click the attachment.\r\nAnother file, \"NSC_Meeting_Minutes_Apr2025.lnk\", may refer to a U.S. National Security Council meeting and purported notes taken, which would be of interest to individuals in the U.S. government or other individuals involved in intelligence, academia or journalism concerning U.S. governmental affairs. As in the 'BLA' lure potentially targeting Pakistani officials, this lure may be geared toward a U.S. 
audience with a captivating filename to entice the recipients to click the attachment.\r\nA filename, “Invitation to the Inter-Agency Meeting for the 46th ASEAN Summit.exe”, may refer to an upcoming Association of Southeast Asian Nations (ASEAN) summit on May 26 and 27, 2025, in Malaysia.\r\nThe filename, “豐德電廠114年5月份現金需求表/114.04~114.06月現金需求表(114年度5月).exe”, may refer to Taiwan’s Fongde power plant’s payment invoice circa April/May 2015.\r\nThe last file, “英諾飛保密合約書-NDA-亞航 v英諾飛-AACLlegal1105.exe”, may refer to a supposed non-disclosure agreement between two Taiwanese aerospace firms related to unmanned aerial vehicle (UAV) and aircraft maintenance.\r\nPubload\r\nPubload is a backdoor first described by Cisco Talos in 2022 as an unnamed stager. Note that X-Force identifies the loader for the shellcode as Claimloader and the first-stage shellcode downloader as Pubload, whereas TrendMicro reporting identifies both as Pubload. Claimloader has been used to load both Pubload and Toneshell. Team T5 tracks Pubload and Pubshell as NoFive.\r\nThe Pubload shellcode payload begins by XOR decrypting the rest of its shellcode using a 32-byte XOR key:\r\nFig. 9: Pubload shellcode self-decrypting routine\r\nThis self-decrypting routine was only added starting with the second of the four Claimloader samples above. After decryption, it goes on to resolve all its necessary APIs, obfuscated via the ROR13 algorithm. Next, it allocates new memory and sets up its main struct with a hardcoded C2 server address and encryption key, before initiating its main behavior.\r\nPubload's main loop begins by enumerating the following values:\r\nC drive's disk volume serial number, through GetVolumeInformationA. 
Obfuscated by adding 0x12345678, used as a victim ID\r\nThe machine's tick count via GetTickCount\r\nThe victim's computer name via GetComputerNameA\r\nThe victim's username via GetUserNameA\r\nThese values are formatted as the first beacon payload:\r\nstruct BEACON_PLAIN {\r\n    BYTE beacon_code;       // always 0x0A for Pubload\r\n    DWORD serial;           // obfuscated volume serial\r\n    BYTE victim_data[];     // the victim's computer name and username concatenated\r\n}\r\nThe payload is encrypted using the hardcoded key in four consecutive XOR loops with different key offsets:\r\nFig. 10: Pubload consecutive XOR encryption loops\r\nSimilar to Toneshell, the encrypted payload is placed into a fake TLS Application Data packet:\r\nstruct BEACON {\r\n    BYTE tls_header[3];     // 17 03 03\r\n    WORD payload_size;      // big-endian\r\n    BYTE encrypted_data[];\r\n}\r\nThe TCP packet is sent to its hardcoded C2 server at 218[.]255[.]96[.]245:443. In return, Pubload expects a response parsed as:\r\nstruct C2_RESPONSE {\r\n    BYTE tls_header[3];     // 17 03 03\r\n    WORD payload_size;      // big-endian\r\n    BYTE encrypted_data[];  // XOR encrypted command and payload\r\n}\r\nAfter successful decryption of the payload, the first byte is expected to be 0x06, while the rest of the data is parsed as the struct below to XOR decrypt the received shellcode payload:\r\nstruct C2_PAYLOAD {\r\n    DWORD key_size;\r\n    BYTE key[32];\r\n    DWORD shellcode_size;\r\n    BYTE shellcode[];\r\n};\r\nFinally, Pubload adds the necessary PAGE_EXECUTE_READWRITE memory protection option and executes the shellcode, while providing the enumerated system info and the C2 server as arguments.\r\nPubload's second stage: Pubshell\r\nThe shellcode payload (Pubshell) immediately downloaded by Pubload displays several similarities with the Toneshell variant discussed above and has the same functionality, creating a reverse shell through pipes.\r\nIt begins with the usual setup procedure, resolving APIs, allocating memory and initializing its main struct with the same key as its parent Pubload sample.\r\nThe first beacon is like Pubload's, except for the first byte of the payload (beacon code), which is 0x0B.\r\nFig. 11: Pubload/Pubshell function to build a beacon\r\nAgain, the first byte of the decrypted response acts as a command code to determine the behavior of Pubshell:\r\nCommand code | Description\r\n1 | Reset the victim ID to the initial obfuscated serial number\r\n3 | Set a new victim ID\r\n4 | Set beacon frequency in seconds (initial value is 10s)\r\n5 | Stop beaconing\r\n26 | Delete file\r\n27 | Create new file\r\n29 | Write data to newly created file\r\n30 | Create reverse shell via pipes\r\n31 | Write new command to pipe\r\n32 | Terminate reverse shell and close all handles and associated processes\r\n48 | Read command result (stdin, stderr) from pipe\r\nJust like Toneshell, Pubshell sends back different response codes to its C2 server, depending on the result of a command. For instance, both the commands to create a new file (27) and write to that file (29) will return the code 42 upon success and 43 on failure. 
In addition, Pubshell also includes more detailed error message strings, such\r\nas:\r\n\"UploadBegin error : %d!\" \"UploadData  error : %d!\" \"CmdStart error : %d!\" \"CmdWrite error : %d!\"\r\nSimilar strings were also observed in other Toneshell variants.\r\nThe Pubshell implementation of the reverse shell via anonymous pipes is almost identical to Toneshell. However,\r\ninstead of running a new thread to immediately return any results, Pubshell requires an additional command to\r\nreturn command results. It also only supports running \"cmd.exe\" as a shell.\r\nIn several ways, Pubload and Pubshell appear to be an independently developed \"lite version\" of Toneshell, with\r\nless sophistication and clear code overlaps.\r\nTargeting Taiwan with HIUPAN USB Worm\r\nIn December 2024, X-Force observed additional Hive0154 activity targeting Taiwan with the Pubload backdoor.\r\nIn March, X-Force engaged with a major manufacturing company to investigate a Pubload infection in Taiwan. In\r\nthe incident, threat actors made use of the HIUPAN USB worm to spread Claimloader and Pubload through USB\r\ndevices. The worm is likely used as a follow-on payload in initial Pubload infections to boost the number of\r\ninfections and potentially reach networks that might be air-gapped. The relationship between both malware variants was\r\ndocumented previously by Trend Micro. \r\nHIUPAN (aka U2DiskWatch) is a USB worm, whose main DLL \"u2ec.dll\" is sideloaded through a legitimate\r\nEXE \"UsbConfig.exe\" when a user unintentionally executes it from a USB device. 
The worm accomplishes the\r\nfollowing tasks:\r\nCopies itself and its accompanying malware components to a directory on the victim's machine:\r\nC:\\ProgramData\\Intel\\_\\\r\nEstablishes persistence via the registry key HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nModifies registry keys to ensure hidden files and extensions are not visible in Windows Explorer:\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\r\nExecutes the accompanying malware's main executable, and monitors the process to restart if necessary\r\nMonitors for new USB device connections. If found, HIUPAN copies itself and the accompanying malware\r\ncomponents to the new drive in a hidden subdirectory \"\u003cDrive_Letter\u003e:\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\\" and\r\nhides any other existing files to ensure \"UsbConfig.exe\" is the only visible file on the device\r\nHIUPAN uses a config file \"$.ini\" to store a sleep multiplier and the filenames of its components and the\r\naccompanying malware. 
This makes it extremely easy to configure the worm to spread any malware by simply\r\nexchanging payload files and the text-based config.\r\nThe configuration file observed in Taiwan-based infections spreading Claimloader and Pubload is displayed\r\nbelow:\r\n10,UsbConfig.exe,u2ec.dll,jxbrowser-chromium-lib.exe,jxbrowser-chromium-lib.dll,#.doc,$.ini\r\nHIUPAN is not the only USB worm employed by Hive0154. Several other frameworks and variants distributing\r\nmalware, such as Toneshell and Pubshell, are still actively spreading and are regularly uploaded to VirusTotal.\r\nConclusion\r\nThe extensive operational scope of Hive0154 discussed in this blog becomes evident through their utilization of\r\ndiverse tools, innovative techniques and a broad array of potential victims. China-aligned groups like Hive0154\r\nwill continue to refine their large malware arsenal and retain a focus on East Asia-based organizations in the\r\nprivate and public sectors. Their wide array of tooling, frequent development cycles and USB worm-based\r\nmalware distribution highlight them as a sophisticated threat actor. 
Entities at risk of Hive0154 activity should\r\nremain at a heightened state of defensive security and remain vigilant with regard to the techniques mentioned in\r\nthis report.\r\nRecommendations\r\nMonitor and hunt in networks for TLS 1.2 Application Data packets (header: 17 03 03) without a previous\r\nTLS handshake as a sign of a Pubload or Toneshell beacon\r\nMonitor and hunt in networks for fake TLS 1.3 Application Data packets (header: 17 03 04), which are\r\nused by some Toneshell variants. Real TLS 1.3 packets are sent with legacy TLS 1.2 headers for backwards\r\ncompatibility with proxies only accepting certain TLS versions.\r\nMonitor and hunt for USB drives containing suspicious executable names, DLLs and hidden directories\r\nwhich could indicate a device infected with a USB worm\r\nMonitor and hunt for suspicious and unknown directories in C:\\ProgramData\\ which contain a legitimate\r\nEXE vulnerable to DLL sideloading and a corresponding DLL\r\nMonitor and hunt for persistence techniques such as the registry's Run key and scheduled tasks\r\nMonitor any unusual network, persistence or file modification activity coming from seemingly benign\r\nprocess executables that sideload a malicious DLL\r\nIndicators of compromise\r\nIndicator Indicator Type Context\r\n167a842b97d0434f20e0cd6cf73d07079255a743d26606b94fc785a0f3c6736e SHA256 Hive0154 weaponized archive\r\n41276827827b95c9b5a9fbd198b7cff2aef6f90f2b2b3ea84fadb69c55efa171 SHA256 Hive0154 weaponized archive\r\n4fbfbf1cd2efaef1906f0bd2195281b77619b9948e829b4d53bf1f198ba81dc5 SHA256 Hive0154 weaponized archive\r\n782e074601f5b17e045d7c8c6380bbb90ab2a1834b30740d662d6c7f2c5372fe SHA256 Hive0154 weaponized SFX\r\na02766b3950dbb86a129384cf9060c11be551025a7f469e3811ea257a47907d5 SHA256 Hive0154 weaponized 
archive\r\n178e92c59afe4c590436579d9ba98f6afafddf1bf05f570539729a8f0034d798 SHA256 Hive0154 weaponized archive\r\nba7c456f229adc4bd75bfb876814b4deaf6768ffe95a03021aead03e55e92c7c SHA256 Hive0154 weaponized archive\r\n4e8717c9812318f8775a94fc2bffcf050eacfbc30ea25d0d3dcfe61b37fe34bb SHA256 Hive0154 weaponized archive\r\n09597c2844067d8ee6713137cd2739f4f3c9009fd8d59a1497424424c96cf341 SHA256 Hive0154 weaponized archive\r\n78a60bea5693138c771386b8c22f0adfe6765a6313b80488bd1084bc9ed370bd SHA256 Hive0154 weaponized archive\r\nfef713b237179f4d6bea899687d91073c457e0487b6efd913902089444a7d2f2 SHA256 Hive0154 weaponized archive\r\n727ccc4560fb11627870ff2cac2349d656e25d1f566d92e98eb7cb80d771fa22 SHA256 Hive0154 weaponized archive\r\nf00e5ff2dc47a7625c86ac89784d5aa26b210a8437b9fb150b66eb3798b3c1d6 SHA256 Hive0154 weaponized archive\r\n1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34 SHA256 Hive0154 weaponized archive\r\nac989df2715a26df9e039e9e0d73ed84337eeb07a4a45901858acbb09c9050c4 SHA256 Hive0154 weaponized archive\r\n3a37a127a425360d00588bf6527a1687ce2d7c736a6c3fdec4f83a752ba3c3fd SHA256 Hive0154 weaponized archive\r\ncc4e5d175fc85685e7f31c2e7797a3d3a74e751716724b86033e92321fef1bae SHA256 Hive0154 weaponized archive\r\ne4a4803cb04b58c07230b13682fe1cf7e3aa7ffab434e8914321941cd04d8a5f SHA256 Hive0154 weaponized archive\r\n2b0882fbcfd8fcbc84cc7c63a22a2ef10900a8addfe7e73b231c32f60ceaf34e SHA256 Hive0154 weaponized archive\r\nb7d13787c8be72dcc584c516e7185a6e65138aa247d63156afc7e376b3c01dc2 SHA256 Hive0154 weaponized 
archive\r\n76cc0fd64a2fc67bc0146f048194a64fcf9f7eaf7e91aacce6fa146595308dad SHA256 Hive0154 weaponized archive\r\nc49c686c26845b9ef0913642caff101783663787579fa4432ec4740c8c685e45 SHA256 Hive0154 weaponized archive\r\nb8865a77cb8f0706b50d4d85bf9d8ca0dbf7bab8223e38ce97e08a6cab1ef5af SHA256 Hive0154 weaponized archive\r\n98c1527d4b064fcf4a95488c34576e5f443585cb6e385c7b8765e63fa9e83ccc SHA256 Hive0154 weaponized archive\r\n6f5c50f37b6753366066c65b3e67b64ffe5662d8411ffa581835c31e15b62a28 SHA256 Hive0154 weaponized archive\r\nd99e33878e23582308b1e217aff4a5f8f0836735338b4a4dff80ee85989d22a8 SHA256 Hive0154 weaponized archive\r\ncf61b7a9bdde2a39156d88f309f230a7d44e9feaf0359947e1f96e069eca4e86 SHA256 Early Claimloader sample\r\n93fb8b78d65a9ef790be6d20552397373e5d60302bf7618af19b53cd0696b70a SHA256 Claimloader DLL\r\n895b8e0c1d2e4cae16508ded5055e8d4bc1003a683cd47a7278c1e2e4e8d8b42 SHA256 Claimloader DLL\r\na6dfb41bbad08e3fe663efa325e4c58d9fddb4fe78f38bce180dfc4956581aea SHA256 Claimloader DLL\r\n3af7807efb10525196c562c1f91d2f009c836630a899f76e2db80ae7c1714d01 SHA256 Claimloader DLL\r\n8957c8de9032b347ee1a15abbae489788533acac0b1a000a2104812df24fb8ce SHA256 Claimloader DLL\r\nd665f55555f87b515cb8ef1adce9592a83662a8c4efa34f6ffdd022475bd176a SHA256 Claimloader DLL\r\nc7efd45aa7dd1ecd05571f15d83e9c9fb9209028687498bf3ce52411a44662ac SHA256 Claimloader DLL\r\n8f4ee5e0b85020f2a040f54dccd24b7e9400c1aa5be8f8988f032e020e371dba SHA256 Claimloader 
DLL\r\n087ccc7f6c022dc5fd40ade3ef6adaecd51f47e52619cae6b585b84b7acc7633 SHA256 Claimloader DLL\r\n216188ee52b067f761bdf3c456634ca2e84d278c8ebf35cd4cb686d45f5aaf7b SHA256 Claimloader DLL\r\n900af2b8d03b40cdb027126d47e6537535178464833770741bab8e74026334c7 SHA256 Claimloader DLL\r\n4c66e7ebf2ca2ecf00379463835e6a2d5b0231d93fb27s4a968e75f45b9b7adbc SHA256 Claimloader DLL\r\n112118aad0db9ff6c78dce2e81d9732537ac9cd71412409fa10c7446f71ed8ec SHA256 Claimloader DLL\r\n7476d6b375d8b1962624723aabe6f5054567ce151ade06ae1353f649c4c4e763 SHA256 Claimloader DLL\r\n0bd114fecfd3c09820fa013d8cd8aadedee69906b6f81a2e827bba68ddf1023b SHA256 Toneshell backdoor\r\n5d7b9605cf85371da0849b82977df222ac6c970596c5a9a123c9490789d40078 SHA256 Toneshell backdoor\r\n62087a1226c5433d6f6184d627c4874c347c1de1cb1c1fdbdc1b0cac1e354201 SHA256 Toneshell backdoor\r\n534853913ad1e9b7ae7dade841b9cfc2e4a1e38351578e1c15466cd3f0666ead SHA256 Pubload backdoor\r\n2da73366f9efc0d1c05c72e40446057333e12c6083528f64e78b570172fa602c SHA256 Pubload backdoor\r\nb04775803e48979b68480a498807d0ed16df9610e3f632344b9d45d59b5121a3 SHA256 Pubshell backdoor\r\nb4c37e3995d5ff94754cedd49f8fc6765448a16027a5951e37bd0da06661cd88 SHA256 HIUPAN USB worm\r\nf5fd2905d90755d021e1442c34fa628d56598ae1043a7c1103bd5e21c7706168 SHA256 HIUPAN USB worm\r\n45[.]136[.]254[.]193:443 IP address, port Toneshell C2 server\r\n45[.]144[.]165[.]66 IP address, port Toneshell C2 server\r\n218[.]255[.]96[.]245:443 IP address, port Pubload C2 server\r\n103[.]27[.]202[.]132 IP address, port Toneshell C2 server\r\n45[.]12[.]91[.]223:443 IP address, port Pubload C2 server\r\nSource: https://www.ibm.com/think/x-force/hive0154-targeting-us-philippines-pakistan-taiwan",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.ibm.com/think/x-force/hive0154-targeting-us-philippines-pakistan-taiwan"
	],
	"report_names": [
		"hive0154-targeting-us-philippines-pakistan-taiwan"
	],
	"threat_actors": [
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fad89cb7-83e8-4d8c-8cf8-dce2c6e54479",
			"created_at": "2023-10-27T02:00:07.764261Z",
			"updated_at": "2026-04-10T02:00:03.378226Z",
			"deleted_at": null,
			"main_name": "Camaro Dragon",
			"aliases": [],
			"source_name": "MISPGALAXY:Camaro Dragon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434084,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d929df9c3cf31d50cc8782ff5fcf6450b0385b9.pdf",
		"text": "https://archive.orkl.eu/4d929df9c3cf31d50cc8782ff5fcf6450b0385b9.txt",
		"img": "https://archive.orkl.eu/4d929df9c3cf31d50cc8782ff5fcf6450b0385b9.jpg"
	}
}