{
	"id": "6387faed-909c-41d2-9aad-29173981e0b9",
	"created_at": "2026-04-06T00:20:53.038564Z",
	"updated_at": "2026-04-10T13:12:54.143211Z",
	"deleted_at": null,
	"sha1_hash": "55463e17bb23421eb42c815f956ae7a21f86b4c7",
	"title": "Graphican: Flea Uses New Backdoor in Attacks Targeting Foreign Ministries",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58238,
	"plain_text": "Graphican: Flea Uses New Backdoor in Attacks Targeting Foreign\r\nMinistries\r\nArchived: 2026-04-05 22:37:17 UTC\r\nThe Flea (aka APT15, Nickel) advanced persistent threat (APT) group continued to focus on foreign ministries in\r\na recent attack campaign that ran from late 2022 into early 2023 in which it leveraged a new backdoor called\r\nBackdoor.Graphican.\r\nThis campaign was primarily focused on foreign affairs ministries in the Americas, although the group also\r\ntargeted a government finance department in a country in the Americas and a corporation that sells products in\r\nCentral and South America. There was also one victim based in a European country, which was something of an\r\noutlier. This victim had also previously suffered a seemingly unrelated ransomware attack in July 2022. However,\r\nthe primary focus of the campaign observed by the Threat Hunter Team at Symantec, part of Broadcom, does\r\nappear to be on ministries of foreign affairs in the Americas.\r\nFlea has a track record of homing in on government targets, diplomatic missions, and embassies, likely for\r\nintelligence-gathering purposes.\r\nTools\r\nFlea used a large number of tools in this campaign. As well as the new Graphican backdoor, the attackers\r\nleveraged a variety of living-off-the-land tools, as well as tools that have been previously linked to Flea. We will\r\ndetail these tools in this section.\r\nBackdoor.Graphican\r\nGraphican is an evolution of the known Flea backdoor Ketrican, which itself was based on a previous malware —\r\nBS2005 — also used by Flea. 
Graphican has the same basic functionality as Ketrican, with the difference between\r\nthem being Graphican’s use of the Microsoft Graph API and OneDrive to obtain its command-and-control (C\u0026C)\r\ninfrastructure.\r\nThis technique was used in a similar way by the Russian state-sponsored APT group Swallowtail (aka APT28,\r\nFancy Bear, Sofacy, Strontium) in a campaign in 2022 in which it delivered the Graphite malware. In that\r\ncampaign, the Graphite malware used the Microsoft Graph API and OneDrive as a C\u0026C server.\r\nThe observed Graphican samples did not have a hardcoded C\u0026C server; rather, they connected to OneDrive via the\r\nMicrosoft Graph API to get the encrypted C\u0026C server address from a child folder inside the \"Person\" folder. The\r\nmalware then decoded the folder name and used it as a C\u0026C server for the malware. All instances of this variant\r\nused the same parameters to authenticate to the Microsoft Graph API. We can assume they all have the same\r\nC\u0026C, which can be dynamically changed by the threat actors.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/flea-backdoor-microsoft-graph-apt15\r\nPage 1 of 4\n\nOnce on a machine, Graphican does the following:\r\nDisables the Internet Explorer 10 first run wizard and welcome page via registry keys\r\nChecks if the iexplore.exe process is running\r\nCreates a global IWebBrowser2 COM object to access the internet\r\nAuthenticates to the Microsoft Graph API to get a valid access token and a refresh_token\r\nUsing the Graph API, it enumerates the child files and folders inside the “Person” folder in OneDrive\r\nObtains the name of the first folder and decrypts it to use it as a C\u0026C server\r\nGenerates a Bot ID based on the hostname, local IP, Windows version, the system default language\r\nidentifier, and the process bitness (32-bit or 64-bit) of the compromised machine\r\nRegisters the bot into the C\u0026C with the format 
string\r\n\"f$$$%s\u0026\u0026\u0026%s\u0026\u0026\u0026%s\u0026\u0026\u0026%d\u0026\u0026\u0026%ld\u0026\u0026\u0026%s\" or \"f@@@%s###%s###%s###%d###%ld###%s\"\r\nfilled with the previously collected information from the victim’s computer\r\nPolls C\u0026C server for new commands to execute\r\nCommands that can be executed by Graphican include:\r\n'C' — Creates an interactive command line that is controlled from the C\u0026C server\r\n'U' — Creates a file on the remote computer\r\n'D' — Downloads a file from the remote computer to the C\u0026C server\r\n'N' — Creates a new process with a hidden window\r\n'P' — Creates a new PowerShell process with a hidden window and saves the results in a temporary file in\r\nthe TEMP folder and sends the results to the C\u0026C server\r\nDuring the course of this campaign, we also observed an updated version of Ketrican, which had a hardcoded\r\nC\u0026C server and only implemented the ‘C’, ‘U’, and ‘D’ commands. We also saw an older version of Ketrican\r\n(compiled in 2020) that implemented only the ‘N’ and ‘P’ commands. This demonstrates that the group is actively\r\ndeveloping and adapting Ketrican to suit its objectives.\r\nOther Tools\r\nOther tools leveraged by Flea in this recent activity include:\r\nEWSTEW — This is a known Flea backdoor that is used to extract sent and received emails on infected\r\nMicrosoft Exchange servers. We saw new variants of this tool being used in this campaign.\r\nMimikatz, Pypykatz, Safetykatz — Mimikatz is a publicly available credential-dumping tool. It allows a\r\nlocal attacker to dump secrets from memory by exploiting Windows single sign-on functionality. 
Pypykatz\r\nand Safetykatz are Mimikatz variants with the same functionality.\r\nLazagne — A publicly available, open-source tool designed to retrieve passwords from multiple\r\napplications.\r\nQuarks PwDump — Quarks PwDump is an open-source tool that can dump various types of Windows\r\ncredentials: local accounts, domain accounts, and cached domain credentials. It was reported as being used\r\nin a campaign that Kaspersky called IceFog all the way back in 2013.\r\nSharpSecDump — The .Net port of the remote SAM and LSA Secrets dumping functionality of\r\nImpacket's secretsdump.py.\r\nK8Tools — This is a publicly available toolset with a wide variety of capabilities, including privilege\r\nescalation, password cracking, a scanning tool, and vulnerability utilization. It also contains exploits for\r\nnumerous known vulnerabilities in various systems.\r\nEHole — A publicly available tool that can help attackers identify vulnerable systems.\r\nWeb shells — The attackers use a number of publicly available web shells, including AntSword, Behinder,\r\nChina Chopper, and Godzilla. Web shells provide a backdoor onto victim machines. Some of these web\r\nshells, such as China Chopper and Behinder, are associated with Chinese threat actors.\r\nExploit of CVE-2020-1472 — This is an elevation of privilege vulnerability that exists when an attacker\r\nestablishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon\r\nRemote Protocol (MS-NRPC). An attacker who successfully exploits the vulnerability could run a specially\r\ncrafted application on a device on the network. A patch has been available for this vulnerability since the\r\nfirst quarter of 2021.\r\nFlea Background\r\nFlea has been in operation since at least 2004. 
Over that time its tactics, techniques, and procedures (TTPs), as\r\nwell as its targeting, have changed and developed. In recent years, the group has primarily focused on attacks\r\nagainst government organizations, diplomatic entities, and non-governmental organizations (NGOs) for the\r\npurposes of intelligence gathering. North and South America do appear to have become more of a focus for the\r\ngroup in recent times, which aligns with the targeting we saw in this campaign. The goal of the group does seem\r\nto be to gain persistent access to the networks of victims of interest for the purposes of intelligence gathering. Its\r\ntargets in this campaign, ministries of foreign affairs, also point to a likely geo-political motive behind the\r\ncampaign.\r\nFlea traditionally used email as an initial infection vector, but there have also been reports of it exploiting public-facing applications, as well as using VPNs, to gain initial access to victim networks. \r\nMicrosoft seized domains belonging to Flea in December 2021. The company seized 42 domains that it said were\r\nused in operations that targeted organizations in the U.S. and 28 other countries for intelligence-gathering\r\npurposes. Flea was also linked in a November 2022 report by Lookout to a long-running campaign targeting\r\nUyghur-language websites and social media in China.\r\nFlea is believed to be a large and well-resourced group, and it appears that exposure of its activity, and even\r\ntakedowns such as that detailed by Microsoft, have failed to have a significant impact when it comes to stopping\r\nthe group’s activity.\r\nNew Backdoor and Notable Technique\r\nThe use of a new backdoor by Flea shows that this group, despite its long years of operation, continues to actively\r\ndevelop new tools. The group has developed multiple custom tools over the years. 
The similarities in functionality\r\nbetween Graphican and the known Ketrican backdoor may indicate that the group is not very concerned about\r\nhaving activity attributed to it.\r\nThe most noteworthy thing about Graphican itself is the abuse of the Microsoft Graph API and OneDrive to obtain\r\nits C\u0026C server. The fact that a similar technique was used by Swallowtail, an unconnected APT group operating\r\nout of a different region, is also worth noting. Once a technique is used by one threat actor, we often see other\r\ngroups follow suit, so it will be interesting to see if this technique is something we see being adopted more widely\r\nby other APT groups and cyber criminals.\r\nFlea’s targets — foreign ministries — are also interesting, though they do align with the targets the group has\r\ndirected its activity at in the past. It appears that Flea’s interests remain similar to what they have been in recent\r\nyears, even as its tools and techniques continue to evolve.\r\nProtection\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/flea-backdoor-microsoft-graph-apt15",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/flea-backdoor-microsoft-graph-apt15"
	],
	"report_names": [
		"flea-backdoor-microsoft-graph-apt15"
	],
	"threat_actors": [
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5d9dfc61-6138-497a-b9da-33885539f19c",
			"created_at": "2022-10-25T16:07:23.720008Z",
			"updated_at": "2026-04-10T02:00:04.726002Z",
			"deleted_at": null,
			"main_name": "Icefog",
			"aliases": [
				"ATK 23",
				"Dagger Panda",
				"Icefog",
				"Red Wendigo"
			],
			"source_name": "ETDA:Icefog",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Dagger Three",
				"Fucobha",
				"Icefog",
				"Javafog",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434853,
	"ts_updated_at": 1775826774,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/55463e17bb23421eb42c815f956ae7a21f86b4c7.pdf",
		"text": "https://archive.orkl.eu/55463e17bb23421eb42c815f956ae7a21f86b4c7.txt",
		"img": "https://archive.orkl.eu/55463e17bb23421eb42c815f956ae7a21f86b4c7.jpg"
	}
}