{
	"id": "1211ec0a-0be9-4671-a6dc-d584bf94b87c",
	"created_at": "2026-04-06T00:06:51.904373Z",
	"updated_at": "2026-04-10T03:32:39.876529Z",
	"deleted_at": null,
	"sha1_hash": "52533b8640d8692899224396cc77764813eb9c06",
	"title": "The EPS Awakens - Part 2 « Threat Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 262694,
	"plain_text": "The EPS Awakens - Part 2 « Threat Research\r\nBy Ryann Winters, FireEye Threat Intelligence | Threat Research, Targeted Attack\r\nArchived: 2026-04-05 23:09:28 UTC\r\nOn Wednesday, Dec. 16, 2015, FireEye published The EPS Awakens, detailing an exploit targeting a previously\r\nunknown Microsoft Encapsulated Postscript (EPS) dict copy use-after-free vulnerability that was silently patched\r\nby Microsoft on November 10, 2015. The blog described the technical details of the vulnerability, and the steps\r\nneeded to bypass the EPS filter and obtain full read and write access to the system memory.\r\nIn this follow-up blog, we discuss the operational details of the spear phishing campaigns associated with the\r\nexploit. Specifically, we detail the lures, attachments, targeting and malware, and examine the China-based\r\nadvanced persistent threat (APT) group responsible for one of the observed attacks.\r\nActivity Summary\r\nBetween November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched\r\nseveral spear phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government\r\nservices, media and financial services industries. Each campaign delivered a malicious Microsoft Word document\r\nexploiting the aforementioned EPS dict copy use-after-free vulnerability, and the local Windows privilege\r\nescalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of\r\neither a downloader that we refer to as IRONHALO, or a backdoor that we refer to as ELMER.\r\nThanksgiving Day Parade\r\nOn November 26, 2015, a suspected China-based APT group sent Japanese defense policy-themed spear phishing\r\nemails to multiple Japanese financial and high-tech companies. As shown in Figure 1, the emails originated from\r\nthe Yahoo! email address mts03282000@yahoo.co[.]jp, and contained the subject “新年号巻頭言の送付”\r\n(Google Translation: Sending of New Year No. 
Foreword).\r\nFigure 1. November 26, 2015 Phish SMTP header\r\nEach phishing message contained the same malicious Microsoft Word attachment. The malicious attachment\r\nresembled an article hosted on a legitimate Japanese defense-related website, as both discussed national defense\r\ntopics and carried the same byline. The lure documents also used the Japanese calendar, as indicated by the 27th\r\nyear in the Heisei period. This demonstrates that the threat actors understand conventional Japanese date notation.\r\nhttps://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html\r\nPage 1 of 7\n\nIRONHALO Downloader\r\nFollowing the exploitation of the EPS and CVE-2015-1701 vulnerabilities, the exploit payload drops either a 32-\r\nbit or 64-bit binary containing an embedded IRONHALO malware sample. IRONHALO is a downloader that uses\r\nthe HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control (CnC) server\r\nand uniform resource locator (URL) path.  \r\nThe encoded payload is written to a temporary file, decoded and executed in a hidden window. The encoded and\r\ndecoded payloads are written to files named igfxHK[%rand%].dat and igfxHK[%rand%].exe respectively, where\r\n[%rand%] is a 4-byte hexadecimal number based on the current timestamp.\r\nTable 1. IRONHALO artifacts\r\nIRONHALO persists by copying itself to the current user’s Startup folder. This variant sends an HTTP request to a\r\nlegitimate Japanese website using a malformed User-Agent string, as shown in Figure 2. The threat actors likely\r\ncompromised the legitimate site and attempted to use it as a staging server for second-stage payloads.\r\nFigure 2. IRONHALO HTTP GET request\r\nDecember to Remember\r\nOn December 1, 2015, threat actors launched two additional spear phishing attacks exploiting the undisclosed EPS\r\nvulnerability and CVE-2015-1701. Unlike the Nov. 
26 campaign, these attacks targeted Taiwanese governmental\r\nand media and entertainment organizations. Moreover, the exploit dropped a different malware payload, a\r\nbackdoor we refer to as ELMER.\r\nLure Number One\r\nThe first spear phishing message was sent to a Taiwanese governmental employee on Dec. 1. The attachment was\r\ncreated using the traditional Chinese character set, and contained a flowchart that appeared to be taken from the\r\nlegitimate Taiwanese government auction website hxxp://shwoo.gov[.]taipei/buyer_flowchart.asp. The image,\r\nshown in Figure 3, is a flowchart detailing how to place a trade on the Taipei Nature and Cherish Network\r\nwebsite.\r\nFigure 3. Lure Image\r\nLure Number Two\r\nThe second December spear phishing attack targeted Taiwan-based news media organizations. The emails\r\noriginated from the address dpptccb.dpp@msa.hinet[.]net (Figure 4), and contained the subject DPP's Contact\r\nInformation Update. Based on the email address naming convention and message subject, the threat actors may\r\nhave tried to make the message appear to be a legitimate communication from the Democratic Progressive Party\r\n(DPP), Taiwan’s opposition party.\r\nFigure 4. December 1 Lure 2 SMTP Header\r\nUnlike the previous exploit documents, this malicious attachment did not contain any visible text when opened in\r\nMicrosoft Word.\r\nELMER Backdoor\r\nThe exploit documents delivered during the December campaigns dropped a binary containing an embedded\r\nvariant of a backdoor we refer to as ELMER. 
ELMER is a non-persistent proxy-aware HTTP backdoor written in\r\nDelphi, and is capable of performing file uploads and downloads, file execution, and process and directory\r\nlistings.\r\nTo retrieve commands, ELMER sends HTTP GET requests to a hard-coded CnC server, and parses the HTTP\r\nresponse packets received from the CnC server for an integer string corresponding to the command that needs to\r\nbe executed. Table 2 lists the ELMER backdoors observed during the December campaigns.\r\nTable 2. ELMER variants\r\nThe ELMER variant 6c33223db475f072119fe51a2437a542 beaconed to the CnC IP address 121.127.249.74 over\r\nport 443. However, the ELMER sample 0b176111ef7ec98e651ffbabf9b35a18 beaconed to the CnC domain\r\nnews.rinpocheinfo[.]com over port 443. Both samples used the hard-coded User-Agent string “Mozilla/4.0\r\n(compatible; MSIE 7.0; Windows NT 5.1; SV1)”, as shown in Figure 5.\r\nFigure 5. ELMER beacon\r\nAPT16\r\nWhile attribution of the first two spear phishing attacks is still uncertain, we attribute the second December\r\nphishing campaign to the China-based APT group that we refer to as APT16. This is based on the use of the\r\nknown APT16 domain rinpocheinfo[.]com, as well as overlaps in previously observed targeting and tactics,\r\ntechniques and procedures (TTPs).\r\nBackground\r\nTaiwanese citizens will go to the polls on January 16, 2016, to choose a new President and legislators. According\r\nto recent opinion polls, the Democratic Progressive Party (DPP) candidate Tsai Ing-wen is leading her opponents\r\nand is widely expected to win the election. The DPP is part of the pan-green coalition that favors Taiwanese\r\nindependence over reunification with the mainland, and the party’s victory would represent a shift away from the\r\nruling Kuomintang’s closer ties with the PRC. 
Since 1949, Beijing has claimed Taiwan as a part of China and\r\nstrongly opposes any action toward independence. The Chinese government is therefore concerned whether a DPP\r\nvictory might weaken the commercial and tourism ties between China and Taiwan, or even drive Taiwan closer to\r\nindependence. In 2005, the Chinese government passed an “anti-secession” law that signified its intention to use\r\n“non-peaceful” means to stymie any Taiwanese attempt to secede from China.\r\nTargeting Motivations\r\nAPT16 actors sent spear phishing emails to two Taiwanese media organization addresses and three webmail\r\naddresses. The message subject read “DPP’s Contact Information Update”, apparently targeting those interested in\r\ncontact information for DPP members or politicians. The Chinese government would benefit from improved\r\ninsight into local media coverage of Taiwanese politics, both to better anticipate the election outcome and to\r\ngather additional intelligence on politicians, activists, and others who interact with journalists. This tactic is not\r\nwithout precedent; in 2013, the New York Times revealed it had been the target of China-based actors shortly after\r\nit reported on the alleged mass accumulation of wealth by then-Prime Minister Wen Jiabao and his family. The\r\nactors likely sought information on the newspaper’s sources in China, who could be silenced by the government.\r\nCompromising these Taiwanese news organizations would also allow the actors to gain access to informants or\r\nother protected sources, who might then be targeted for further intelligence collection or even retribution. The\r\nwebmail addresses, while unknown, were possibly the personal-use addresses of the individuals whose corporate\r\ndomain emails were targeted. 
As corporate networks become more secure and users become more vigilant,\r\npersonal accounts can still offer a means to bypass security systems. This tactic exploits users’ reduced vigilance\r\nwhen reading their own personal email, even when using corporate IT equipment to do so.\r\nOn the same date that APT16 targeted Taiwanese media, suspected Chinese APT actors also targeted a Taiwanese\r\ngovernment agency, sending a lure document that contained instructions for registration and subsequent listing of\r\ngoods on a local Taiwanese auction website. It is possible, although not confirmed, that APT16 was also\r\nresponsible for targeting this government agency, given both the timeframe and the use of the same n-day to\r\neventually deploy the ELMER backdoor.\r\nWe’ve Been Here Before\r\nOne of the media organizations involved in this latest activity was targeted in June 2015, while its Hong Kong\r\nbranch was similarly targeted in August 2015. APT16 actors were likely also responsible for the June 2015\r\nactivity. They sent spear phishing messages with the subject “2015 Taiwan Security and Cultural Forum Invitation\r\nForm” (2015台灣安全文化論壇邀請函), and used a different tool – a tool that we refer to as DOORJAMB – in\r\ntheir attempt to compromise the organization. A different group, known as admin@338, used LOWBALL\r\nmalware during its Hong Kong activity. Despite the differing sponsorship, penetration of Hong Kong- and\r\nTaiwan-based media organizations continues to be a priority for China-based threat groups.\r\nThe difference in sponsorship could be the result of tasking systems that allocate targeting responsibility to\r\ndifferent groups based on their targets’ geographic location. 
In other words, while media organizations are\r\nimportant targets, it is possible that two separate groups are responsible for Hong Kong and Taiwan, respectively.\r\nThe suspected APT16 targeting of the Taiwanese government agency – in addition to the Taiwanese media\r\norganizations – further supports this possibility.\r\nConclusion\r\nTable 3 contains a summary of the phishing activity detailed in this blog.\r\nTable 3. Activity summary\r\nThese clusters of activity raise interesting questions about the use of an identical silently-patched vulnerability,\r\npossibly by multiple threat groups. Both Japan and Taiwan are important intelligence collection targets for China,\r\nparticularly because of recent changes to Japan’s pacifist constitution and the upcoming Taiwanese election. Based\r\non our visibility and available data, we only attribute one campaign to the Chinese APT group APT16.\r\nNonetheless, the evidence suggests the involvement of China-based groups.\r\nSource: https://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
	],
	"report_names": [
		"the-eps-awakens-part-two.html"
	],
	"threat_actors": [
		{
			"id": "2608db3e-7f7a-42c0-922b-4c9cb22c7ce9",
			"created_at": "2023-01-06T13:46:38.278691Z",
			"updated_at": "2026-04-10T02:00:02.90849Z",
			"deleted_at": null,
			"main_name": "APT16",
			"aliases": [
				"SVCMONDR",
				"G0023"
			],
			"source_name": "MISPGALAXY:APT16",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fed3d66d-1721-43b0-b5e1-d35931dc6e71",
			"created_at": "2022-10-25T15:50:23.72724Z",
			"updated_at": "2026-04-10T02:00:05.411885Z",
			"deleted_at": null,
			"main_name": "APT16",
			"aliases": [
				"APT16"
			],
			"source_name": "MITRE:APT16",
			"tools": [
				"ELMER"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9d6f666e-3a9d-4a09-bcac-8aee96572827",
			"created_at": "2022-10-25T15:50:23.2832Z",
			"updated_at": "2026-04-10T02:00:05.268714Z",
			"deleted_at": null,
			"main_name": "admin@338",
			"aliases": [
				"admin@338"
			],
			"source_name": "MITRE:admin@338",
			"tools": [
				"BUBBLEWRAP",
				"LOWBALL",
				"Systeminfo",
				"PoisonIvy",
				"netstat",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1f29d13d-268d-4c26-ac4a-1ce8cebdbd3a",
			"created_at": "2023-01-06T13:46:38.351187Z",
			"updated_at": "2026-04-10T02:00:02.938577Z",
			"deleted_at": null,
			"main_name": "TEMPER PANDA",
			"aliases": [
				"Admin338",
				"Team338",
				"admin@338",
				"G0018"
			],
			"source_name": "MISPGALAXY:TEMPER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c23ca3e9-6b58-4f24-b4eb-ce3b24815ac4",
			"created_at": "2022-10-25T16:07:24.313367Z",
			"updated_at": "2026-04-10T02:00:04.932247Z",
			"deleted_at": null,
			"main_name": "Temper Panda",
			"aliases": [
				"G0018",
				"Team338",
				"Temper Panda",
				"admin@338"
			],
			"source_name": "ETDA:Temper Panda",
			"tools": [
				"BUBBLEWRAP",
				"Backdoor.APT.FakeWinHTTPHelper",
				"Bozok",
				"Bozok RAT",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"LOLBAS",
				"LOLBins",
				"LOWBALL",
				"Living off the Land",
				"Poison Ivy",
				"SPIVY",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434011,
	"ts_updated_at": 1775791959,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/52533b8640d8692899224396cc77764813eb9c06.pdf",
		"text": "https://archive.orkl.eu/52533b8640d8692899224396cc77764813eb9c06.txt",
		"img": "https://archive.orkl.eu/52533b8640d8692899224396cc77764813eb9c06.jpg"
	}
}