{
	"id": "ae988690-b190-4e38-ab3f-01de0a95303e",
	"created_at": "2026-04-06T00:13:19.461558Z",
	"updated_at": "2026-04-10T03:31:00.913359Z",
	"deleted_at": null,
	"sha1_hash": "58994ee3507e9dfdaf25f6460e5fd6026e775669",
	"title": "WinDealer dealing on the side",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1203672,
	"plain_text": "WinDealer dealing on the side\r\nBy GReAT\r\nPublished: 2022-06-02 · Archived: 2026-04-05 21:52:51 UTC\r\nIntroduction\r\nLuoYu is a lesser-known threat actor that has been active since 2008. It primarily goes after targets located in China, such as foreign diplomatic organizations established in the country, members of the academic community, or companies from the defense, logistics and telecommunications sectors. In their initial disclosures on this threat actor, TeamT5 identified three malware families: SpyDealer, Demsty and WinDealer. The actor behind these families is capable of targeting Windows, Linux and macOS machines, as well as Android devices.\r\nIn previous years, Kaspersky investigated LuoYu’s activities and was able to confirm the connection between Demsty and WinDealer. On January 27, we delivered a joint presentation with TeamT5 and ITOCHU Corporation at the Japan Security Analyst Conference (JSAC) to provide an update on the actor’s latest activities. In this article, we will focus on one of the most groundbreaking developments: the fact that LuoYu has the ability to perform man-on-the-side attacks.\r\nDelivery method\r\nIn the past, LuoYu used watering-hole attacks (for instance, on local news websites) to infect their targets. Seeing that some variants of their Android malware impersonate a popular messaging app in Asia, it is also likely that malicious APKs are distributed in a variety of ways, including social engineering to convince users to install fake updates for their applications.\r\nIn 2020, we discovered a whole new distribution method for the WinDealer malware that leverages the automatic update mechanism of select legitimate applications. In one case we investigated, we noticed that a signed executable qgametool.exe (MD5 f756083b62ba45dcc6a4d2d2727780e4), compiled in 2012, deployed WinDealer on a target machine. 
This program contains a hardcoded URL that it uses to check for updates, as shown in the following screenshot:\r\nUpdate URL hardcoded in qgametool.exe\r\nThe executable located at this URL (hxxp://download.pplive[.]com/PPTV(pplive)_forap_1084_9993.exe, MD5 270902c6bb6844dc25ffaec801393245) is benign, but our telemetry shows that on rare occasions, a WinDealer sample (MD5 ce65092fe9959cc0ee5a8408987e3cd4) is delivered instead.\r\nhttps://securelist.com/windealer-dealing-on-the-side/105946/\r\nPage 1 of 7\n\nObserved WinDealer infection flow\r\nWe also identified online message board posts where Chinese-speaking users reported the discovery of malware under the same name – PPTV(pplive)_forap_1084_9993.exe – on their machine. The posted information was complete enough for us to confirm that they had indeed received a sample of WinDealer.\r\nLeaving the mystery of the delivery method aside for now, let’s look at the capabilities of the malware itself.\r\nWinDealer’s technical description\r\nWinDealer is a modular malware platform. It starts execution by locating an embedded DLL file placed in its resources by looking for a hardcoded pattern, and proceeds to decode it using a 10-byte XOR key.\r\nLayout of the encrypted data\r\nWinDealer’s logic is spread over the initial EXE and its companion DLL: the former contains the setup of the program as well as network communications, while the orders sent by the C2 are implemented in the latter. 
The malware possesses the following capabilities:\r\nFile and file system manipulation: reading, writing and deleting files, listing directories, obtaining disk information;\r\nInformation gathering: collecting hardware details, network configuration and/or keyboard layout, listing running processes, installed applications and configuration files of popular messaging applications (Skype, QQ, WeChat and Wangwang);\r\nDownload and upload of arbitrary files;\r\nArbitrary command execution;\r\nSystem-wide search across text files and Microsoft Word documents;\r\nScreenshot capture;\r\nNetwork discovery via ping scan;\r\nBackdoor maintenance: set up or remove persistence (via the registry’s RUN key), configuration updates.\r\nA variant we discovered (MD5 26064e65a7e6ce620b0ff7b4951cf340) also featured the ability to list available Wi-Fi networks. Overall, WinDealer is able to collect an impressive amount of information, even when compared to other malware families. And yet, the most extraordinary aspect of WinDealer lies elsewhere.\r\nThe impossible infrastructure\r\nThe latest WinDealer sample we discovered in 2020 doesn’t contain a hardcoded C2 server but instead relies on a complex IP generation algorithm to determine which machine to contact. The details of this algorithm are left as an exercise to the reader, but the end result is that the IP address is selected at random from one of these two ranges:\r\n113.62.0.0/15 (AS4134, CHINANET XIZANG PROVINCE NETWORK)\r\n111.120.0.0/14 (AS4134, CHINANET GUIZHOU PROVINCE NETWORK)\r\nOnce the IP address has been selected, communications take place either over UDP port 6999 or TCP port 55556.\r\nIn an even weirder twist, a research partner shared with us an additional WinDealer sample (MD5 d9a6725b6a2b38f96974518ec9e361ab) that communicates with the hardcoded URL “http://www[.]microsoftcom/status/getsign.asp”. 
This domain is obviously invalid and cannot resolve to anything under normal circumstances – yet the malware expects a response in a predetermined format (“\\x11\\x22\\x??\\x33\\x44”).\r\nPackets exchanged with the C2 server contain a header (described in the next table) followed by AES-encrypted data. They leverage a homemade binary protocol containing magic numbers and flags, making it easy to recognize and filter packets on a large scale.\r\nOffset | Description | Sample value (in hex)\r\n0x00 | Magic number | 06 81 DA 91 CE C7 9F 43\r\n0x08 | Target identifier | 57 5B 73 B2\r\n0x0C | Flag set by the attacker. Its exact meaning remains unclear | 00 or 0B or 16\r\n0x0D | Connection type or backdoor command identifier (0 = initial connection, 1 = subsequent connection, others = backdoor command identifiers) | 00\r\n0x0E | Unknown static value | 14\r\n0x0F | Unknown value | 00\r\n0x10 | Payload. Initial connection: the generated AES key and its CRC32, encrypted using RSA-2048 with a hardcoded public key. All other packets: payload size followed by the payload encrypted using AES-128 in ECB mode with the generated AES key. | 03 4D 5D 44 C3 1E 0A DA A3 4A 86 A3 CC ED 67 38 …\r\nThe man-on-the-side attack\r\nPutting all the pieces together, WinDealer’s infrastructure is nothing short of extraordinary:\r\nIt appears to be distributed via plain HTTP requests that normally return legitimate executables.\r\nIt communicates with IP addresses selected randomly inside a specific AS.\r\nIt can interact with non-existent domain names.\r\nIt is very hard to believe that an attacker would be able to control the 48,000 IP addresses of the aforementioned IP ranges, or even a significant portion of them. 
The only way to explain these seemingly impossible network behaviors is by assuming the existence of a man-on-the-side attacker who is able to intercept all network traffic and even modify it if needed.\r\nSuch capabilities are not unheard of: the QUANTUM program revealed in 2014 was the first known instance. The general idea is that when the attacker sees a request for a specific resource on the network, it tries to reply to the target faster than the legitimate server. If the attacker wins the “race”, the target machine will use the attacker-supplied data instead of the normal data. This is consistent with the scenario described earlier in this article, where the target receives an infected executable instead of the normal one. Automatic updaters are prime targets for such attacks as they perform frequent requests – it doesn’t matter if the attackers don’t win most races, as they can try again until they succeed, guaranteeing that they will infect their targets eventually. This class of attack is particularly devastating because there is nothing users can do to protect themselves, apart from routing traffic through another network. This can be done with the use of a VPN, but these may be illegal depending on the jurisdiction and would typically not be available to Chinese-speaking targets.\r\nConfirming our assessment, we later discovered a downloader utility (MD5 4e07a477039b37790f7a8e976024eb66) that uses the same unique user-agent as WinDealer samples we analyzed (“BBB”), tying it weakly to LuoYu.\r\nA downloader utility and WinDealer of 2021 use the unique user-agent “BBB”\r\nThe downloader periodically retrieves and runs an executable from hxxp://www.baidu[.]com/status/windowsupdatedmq.exe. 
This URL normally returns a 404 error and we consider it extremely unlikely that the attackers have control over this domain.\r\nBased on all the evidence laid out above, we speculate that the attackers may have the following capabilities over AS4134:\r\nIntercepting all network traffic, which allows them to receive backdoor responses to random IP addresses without having to deploy actual C2 servers.\r\nInjecting arbitrary TCP and UDP packets on the network, a capability through which they can send orders to WinDealer.\r\nFull control over the DNS, meaning they can provide responses for non-existent domains.\r\nEither QUANTUMINSERT capabilities or the ability to modify the contents of HTTP packets on the fly, thanks to which they can achieve remote, zero-click malware installation by abusing auto-update mechanisms. One noteworthy observation is that the attackers specifically target plain HTTP sessions, indicating that they may not have the ability to break or downgrade HTTPS.\r\nWinDealer’s targets\r\nOur analysis of WinDealer reveals that it specifically looks for popular applications in Asia, such as QQ, WeChat and WangWang. It also contains references to registry keys created by Sogou programs. This indicates to us that the LuoYu APT is predominantly focused on Chinese-speaking targets and organizations related to China. 
Our telemetry confirms that the vast majority of LuoYu targets are located in China, with occasional infections in other countries such as Germany, Austria, the United States, the Czech Republic, Russia and India.\r\nIn recent months, LuoYu has started to widen its scope to companies and users in East Asia and their branches located in China.\r\nGeographic distribution of WinDealer targets\r\nConclusion\r\nWith this report, we recognize LuoYu as an extremely sophisticated threat actor able to leverage capabilities available only to the most mature attackers. We can only speculate as to how they were able to obtain such capabilities. They could have compromised routers on the route to (or inside) AS4134. Alternatively, they may use signals intelligence methods unknown to the general public. They may even have access (legitimate or fraudulent) to law enforcement tools set up at the ISP level and be abusing them to perform offensive operations. Overall, a threat actor is leveraging capabilities that could be compared to (but are distinct from) the QUANTUMINSERT program in order to infect targets located in China.\r\nMan-on-the-side attacks are devastating because they do not require any interaction with the target to lead to a successful infection: simply having a machine connected to the internet is enough. 
They can only be detected through careful network monitoring, which is outside of the realm of everyday users, or if an endpoint security program catches the payload when it is deployed on the attacked computer.\r\nWhatever the case, the only way for potential targets to defend against such intrusions is to remain extremely vigilant and have robust security procedures involving regular antivirus scans, analysis of outbound network traffic and extensive logging to detect anomalies.\r\nIndicators of Compromise\r\nWinDealer samples\r\nSource: https://securelist.com/windealer-dealing-on-the-side/105946/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/windealer-dealing-on-the-side/105946/"
	],
	"report_names": [
		"105946"
	],
	"threat_actors": [
		{
			"id": "b72c2616-cc7c-4c47-a83d-6b7866b94746",
			"created_at": "2023-01-06T13:46:39.425297Z",
			"updated_at": "2026-04-10T02:00:03.323082Z",
			"deleted_at": null,
			"main_name": "Red Nue",
			"aliases": [
				"LuoYu"
			],
			"source_name": "MISPGALAXY:Red Nue",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434399,
	"ts_updated_at": 1775791860,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/58994ee3507e9dfdaf25f6460e5fd6026e775669.pdf",
		"text": "https://archive.orkl.eu/58994ee3507e9dfdaf25f6460e5fd6026e775669.txt",
		"img": "https://archive.orkl.eu/58994ee3507e9dfdaf25f6460e5fd6026e775669.jpg"
	}
}