{
	"id": "1f0ea192-fdfc-46de-80ea-dc7cc5dc87e0",
	"created_at": "2026-04-06T00:14:13.12631Z",
	"updated_at": "2026-04-10T03:32:35.353459Z",
	"deleted_at": null,
	"sha1_hash": "53ac4764e4ab6a2b917cfcb562ed71a498cee9bd",
	"title": "Tracking Elirks Variants in Japan: Similarities to Previous Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 507904,
	"plain_text": "Tracking Elirks Variants in Japan: Similarities to Previous Attacks\r\nBy Kaoru Hayashi\r\nPublished: 2016-06-23 · Archived: 2026-04-05 14:47:19 UTC\r\nA recent, well-publicized attack on a Japanese business involved two malware families, PlugX and Elirks, that were found during the investigation. PlugX has been used in a number of attacks since first being discovered in 2012, and we have published several articles related to its use, including an analysis of an attack campaign targeting Japanese companies.\r\nElirks, less widely known than PlugX, is a basic backdoor Trojan, first discovered in 2010, that is primarily used to steal information from compromised systems. We mostly observe attacks using Elirks occurring in East Asia. One of the unique features of the malware is that it retrieves its C2 address by accessing a pre-determined microblog service or SNS. Attackers create accounts on those services and post encoded IP addresses or the domain names of real C2 servers in advance of distributing the backdoor. We have seen multiple Elirks variants using Japanese blog services for the last couple of years. Figure 1 shows the embedded URLs in an Elirks sample found in early 2016.\r\nFigure 1 Embedded URLs in Elirks variant\r\nIn another sample found in 2014, an attacker used a Japanese blog service. The relevant account still exists at the time of writing this article (Figure 2).\r\nhttps://unit42.paloaltonetworks.com/unit42-tracking-elirks-variants-in-japan-similarities-to-previous-attacks/\r\nPage 1 of 6\r\nFigure 2 Blog account created by the attacker in 2014\r\nLink to previous attack campaign\r\nUnit 42 previously identified an Elirks variant during our analysis of the attack campaign called Scarlet Mimic. It is a years-long campaign targeting minority rights activists and governments. The malware primarily used in this series of attacks was FakeM. Our researchers described the threat sharing infrastructure with Elirks in the report.\r\nAs of this writing, we can note similarities between previously seen Elirks attacks and this recent case in Japan.\r\nSpear Phishing Email with PDF attachment\r\nFigure 3 shows an email which was sent to a ministry of Taiwan in May 2012.\r\nFigure 3 Spear Phishing Email sent to a ministry of Taiwan\r\nThe email characteristics were a bit similar to the recent case (Table 1).\r\nTable 1 Email characteristics (2012 case vs. 2016 case)\r\nEmail Sender: (2012) Masquerades as an existing bank in Taiwan; (2016) Masquerades as an existing aviation company in Japan\r\nEmail Recipient: (2012) Representative email address of a ministry of Taiwan, which is publicly available; (2016) Representative email address of a subsidiary company, which is publicly available\r\nSubject: (2012) “Bank credit card statement” in Chinese; (2016) “Airline E-Ticket” in Japanese\r\nAttachment: (2012) PDF file named “Electronic Billing 1015” in Chinese; (2016) File named “E-TKT” in Japanese with a PDF icon\r\nWhen a user opened the attached PDF file, the following message was displayed. The PDF exploits a vulnerability in Adobe Flash, CVE-2011-0611, embedded in the PDF and installs the Elirks malware on the system.\r\nFigure 4 Opening malicious PDF attachment\r\nAirline E-Ticket\r\nAttackers choose a suitable file name to lure the targeted individual or organization. In the recent case, the malicious attachment name in the email was reported as “E-TKT”. We found a similar file name in the previous attack in Taiwan in August 2012 (Figure 5).\r\nFigure 5 Elirks executable file masquerading as an E-Ticket folder\r\nWhen opening the file, Elirks executes itself on the computer and creates ticket.doc to deceive users (Figure 6).\r\nFigure 6 doc file created by Elirks\r\nWe’ve also seen another file name related to aviation in Taiwan in March 2012. Figure 7 shows a PDF file named “Airline Reservation Numbers (updated version).pdf”. When opening the PDF file, it displays exactly the same message as Figure 4, exploits CVE-2011-0611 and installs Elirks.\r\nFigure 7 PDF named “Airline Reservation Number”\r\nConclusion\r\nCurrently, we have found no reliable evidence to indicate that the same adversary attacked a company in Japan in 2016 and multiple organizations in Taiwan in 2012. However, we can see some resemblances between the two attacks. In both cases, attackers used the same malware family, crafted spear phishing emails in a similar manner, and seem to be interested in some areas related to aviation. We have been seeing multiple Elirks variants targeting Japan in the last few years, potentially indicating an ongoing cyber espionage campaign. We will keep an eye on the threat actors.\r\nPalo Alto Networks customers are protected from Elirks variants and can gather additional information using the following tools:\r\nWildFire detects all known Elirks samples as malicious\r\nAll known C2s are classified as malicious in PAN-DB\r\nAutoFocus tags have been created: Elirks\r\nIndicators (SHA256 hashes of the executable files and delivery PDFs are listed in the original report):\r\nSource: https://unit42.paloaltonetworks.com/unit42-tracking-elirks-variants-in-japan-similarities-to-previous-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-tracking-elirks-variants-in-japan-similarities-to-previous-attacks/"
	],
	"report_names": [
		"unit42-tracking-elirks-variants-in-japan-similarities-to-previous-attacks"
	],
	"threat_actors": [
		{
			"id": "8c5c318c-0e71-4184-92bb-d1c28f68a411",
			"created_at": "2022-10-25T15:50:23.692481Z",
			"updated_at": "2026-04-10T02:00:05.409574Z",
			"deleted_at": null,
			"main_name": "Scarlet Mimic",
			"aliases": [
				"Scarlet Mimic"
			],
			"source_name": "MITRE:Scarlet Mimic",
			"tools": [
				"Psylo",
				"MobileOrder",
				"CallMe",
				"FakeM"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cac03bbf-0c42-470d-951e-0e92656be6cb",
			"created_at": "2023-01-06T13:46:38.463275Z",
			"updated_at": "2026-04-10T02:00:02.985402Z",
			"deleted_at": null,
			"main_name": "Scarlet Mimic",
			"aliases": [
				"Golfing Taurus",
				"G0029"
			],
			"source_name": "MISPGALAXY:Scarlet Mimic",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9fc2aed1-c838-41e9-b469-922e7bab6f94",
			"created_at": "2022-10-25T16:07:24.162936Z",
			"updated_at": "2026-04-10T02:00:04.886029Z",
			"deleted_at": null,
			"main_name": "Scarlet Mimic",
			"aliases": [
				"G0029",
				"Golfing Taurus"
			],
			"source_name": "ETDA:Scarlet Mimic",
			"tools": [
				"BrutishCommand",
				"CallMe",
				"CrypticConvo",
				"Elirks",
				"FakeFish",
				"FakeHighFive",
				"FakeM",
				"FakeM RAT",
				"FullThrottle",
				"HTran",
				"HUC Packet Transmit Tool",
				"MobileOrder",
				"Psylo",
				"RaidBase",
				"SkiBoot",
				"SubtractThis",
				"Terminator RAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434453,
	"ts_updated_at": 1775791955,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/53ac4764e4ab6a2b917cfcb562ed71a498cee9bd.pdf",
		"text": "https://archive.orkl.eu/53ac4764e4ab6a2b917cfcb562ed71a498cee9bd.txt",
		"img": "https://archive.orkl.eu/53ac4764e4ab6a2b917cfcb562ed71a498cee9bd.jpg"
	}
}