{
	"id": "8ab8a30b-23ee-49fb-962d-f6754936162a",
	"created_at": "2026-04-06T00:21:35.635637Z",
	"updated_at": "2026-04-10T03:21:18.201575Z",
	"deleted_at": null,
	"sha1_hash": "50133141ad0d145a4a1511db994ff1a6c99d5738",
	"title": "The Blockbuster Saga Continues",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 814242,
	"plain_text": "The Blockbuster Saga Continues\r\nBy Anthony Kasza\r\nPublished: 2017-08-14 · Archived: 2026-04-05 19:48:35 UTC\r\nUnit 42 researchers at Palo Alto Networks have discovered new attack activity targeting individuals involved with United States defense contractors. Through analysis of malicious code, files, and infrastructure, it is clear the group behind this campaign is either directly responsible for or has cooperated with the group which conducted Operation Blockbuster Sequel and, ultimately, Operation Blockbuster (originally outlined by researchers from Novetta). The threat actors are reusing tools, techniques, and procedures which overlap throughout these operations with little variance. Attacks originating from this threat group have not ceased since our previous report (from April of 2017) and have continued through July of 2017.\r\nNew Activity\r\nRecently, we’ve identified weaponized Microsoft Office Document files which use the same malicious macros as attacks from earlier this year. Based on the contents of these latest decoy documents, which are displayed to a victim after opening the weaponized document, the attackers have switched targets from Korean language speakers to English language speakers. Most notably, decoy document themes now include job role descriptions and internal policies from US defense contractors.\r\nThe following image shows the content of one of the recent decoy documents (de2d458c8e4befcd478a0010789d80997793790b18a347d10a595d6e87d91f34). It is a job description at a defense contractor.\r\nhttps://unit42.paloaltonetworks.com/unit42-blockbuster-saga-continues/\r\nPage 1 of 6\r\nThe following image also shows the contents of a recent decoy document (062aadf3eb69686f4881860d88ce472e6b1c07e1f586d840dd2ee1f7b76cabe7). It contains an exact copy of a publicly available job description, including typos, at a US defense contractor.\r\nThe weaponized documents have been hosted on systems which we believe have likely been compromised and repurposed. Two of the URL paths used to host the weaponized documents on the compromised systems are exact matches (event/careers/jobs/description/docs). The payloads delivered by the weaponized documents are extremely similar to the payloads delivered by weaponized documents detailed in our April 2017 report on the threat group's activity.\r\nFor a more comprehensive understanding of the relationships between samples and infrastructure used in the recent activity, see the following network graph.\r\nThe document metadata Author \"ISkyISea\" is used across multiple weaponized document files. IPv4 addresses (210.202.40[.]35) hosting the weaponized documents have also been hardcoded as command and control servers for previous samples (16c3a7f143e831dd0481d2d57aae885090e22ec55cc8282009f641755d423fcd).\r\nTies to Blockbuster\r\nThe source code used in the macros embedded in the weaponized documents described above was also detailed in a previous report, where it was included in testing documents uploaded to VirusTotal. This reuse of macro source code, XOR keys used within the macro to decode implant payloads, and the functional overlap in the payloads the macros write to disk demonstrates the continued use of this tool set by this threat group. The use of an automated tool to build the weaponized documents would explain the common but not consistent reuse of metadata, payloads, and XOR keys within the documents.\r\nOther similarities between the previously reported activity and this new activity can be seen within the PE payloads written to disk by the malicious documents. The payloads function similarly to other implants associated with this threat group. The use of a fake TLS communications protocol, encoded strings within samples, filenames and contents of batch files embedded within implants, as well as implants beaconing directly to IPv4 addresses (and not resolving domains for command and control) are all known techniques associated with the threat group. These tactics have changed very little since the original Operation Blockbuster.\r\nIn addition to tool reuse, infrastructure overlaps also exist. URLs used for hosting the malicious documents and IPv4 addresses used for command and control overlap with infrastructure previously used by the group.\r\nFinal Thoughts\r\nThe techniques and tactics the group uses have changed little in recent attacks. Tool and infrastructure overlaps with previous campaigns are apparent. Given that the threat actors have continued operations despite their discovery and public exposure, it is likely they will continue to operate and launch targeted campaigns.\r\nPalo Alto Networks researchers will continue to monitor this group’s activities and stay abreast of additional attacks using this tool set.\r\nThe malicious files described in this report are flagged as malicious by WildFire and in Threat Prevention. AutoFocus users can learn more about the threat group and their indicators by examining the BlockBuster_Sequel tag.\r\nIndicators of Compromise\r\nURLs\r\nhttp://210.202.40[.]35/CKRQST/event/careers/jobs/description/docs/NGC1398.doc\r\nhttp://210.202.40[.]35/CKRQST/Company/HR/Position/lm/L1915.doc\r\nhttp://104.192.193[.]149/Event/careers/jobs/description/docs/LJC077.doc\r\nhttp://lansingturbo[.]org/docs/WebDAV.exe\r\nSource: https://unit42.paloaltonetworks.com/unit42-blockbuster-saga-continues/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-blockbuster-saga-continues/"
	],
	"report_names": [
		"unit42-blockbuster-saga-continues"
	],
	"threat_actors": [],
	"ts_created_at": 1775434895,
	"ts_updated_at": 1775791278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/50133141ad0d145a4a1511db994ff1a6c99d5738.pdf",
		"text": "https://archive.orkl.eu/50133141ad0d145a4a1511db994ff1a6c99d5738.txt",
		"img": "https://archive.orkl.eu/50133141ad0d145a4a1511db994ff1a6c99d5738.jpg"
	}
}