{ "id": "2e797f46-3cbd-42eb-b2b7-9e81212355e2", "created_at": "2026-04-06T00:07:12.373484Z", "updated_at": "2026-04-10T03:38:19.146378Z", "deleted_at": null, "sha1_hash": "5af334ca08bd2c5631de159b176992c5a5f77a1a", "title": "Security Update Tuesday 11 April 2023 - Interim Assessment Concluded", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 56386, "plain_text": "Security Update Tuesday 11 April 2023 - Interim Assessment\r\nConcluded\r\nBy Pierre Jourdan\r\nPublished: 2023-04-11 · Archived: 2026-04-05 14:20:42 UTC\r\nInitial Results from Mandiant Incident Response\r\nFollowing the appointment of Mandiant as our security incident response team, forensic analysis on our network\r\nand product is in progress. In a nutshell, the interim assessment concluded:\r\nAttribution\r\nBased on the Mandiant investigation into the 3CX intrusion and supply chain attack thus far, they attribute the\r\nactivity to a cluster named UNC4736. Mandiant assesses with high confidence that UNC4736 has a North Korean\r\nnexus.\r\nWindows-based Malware\r\nMandiant determined that the attacker infected targeted 3CX systems with TAXHAUL (AKA “TxRLoader”)\r\nmalware. When executed on Windows systems, TAXHAUL decrypts and executes shellcode located in a file\r\nnamed \u003cmachine hardware profile GUID\u003e.TxR.0.regtrans-ms located in the directory\r\nC:\\Windows\\System32\\config\\TxR\\. The attacker likely chose this file name and location to attempt to blend into\r\nstandard Windows installations. The malware uses the Windows CryptUnprotectData API to decrypt the shellcode\r\nwith a cryptographic key that is unique to each compromised host, which means the data can only be decrypted on\r\nthe infected system. The attacker likely made this design decision to increase the cost and effort of successful\r\nanalysis by security researchers and incident responders.\r\nIn this case, after decrypting and loading the shellcode contained within the file \u003cmachine hardware profile\r\nGUID\u003e.TxR.0.regtrans-ms was a complex downloader which Mandiant named COLDCAT. It is worth noting,\r\nhowever, this malware differs from GOPURAM referenced in Kaspersky’s report.\r\nThe following YARA rule can be used to hunt for TAXHAUL (TxRLoader):\r\nrule TAXHAUL\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\ncreated = \"04/03/2023\"\r\nmodified = \"04/03/2023\"\r\nversion = \"1.0\"\r\nstrings:\r\nhttps://www.3cx.com/blog/news/mandiant-initial-results/\r\nPage 1 of 3\n\n$p00_0 = {410f45fe4c8d3d[4]eb??4533f64c8d3d[4]eb??4533f64c8d3d[4]eb}\r\n$p00_1 = {4d3926488b01400f94c6ff90[4]41b9[4]eb??8bde4885c074}\r\ncondition:\r\nuint16(0) == 0x5A4D and any of them\r\n}\r\nPlease note that in a similar way to any YARA rule, this should be properly assessed within a test environment\r\nfirst before usage in production. This also comes with no guarantees regarding false positive rates, as well as\r\ncoverage for this entire malware family and eventual variants.\r\nMacOS-based Malware\r\nMandiant also identified a MacOS backdoor, currently named SIMPLESEA, located at /Library/Graphics/Quartz\r\n(MD5: d9d19abffc2c7dac11a16745f4aea44f). Mandiant is still analysing SIMPLESEA to determine if it overlaps\r\nwith another known malware family.*\r\nThe backdoor written in C communicates via HTTP. Supported backdoor commands include shell command\r\nexecution, file transfer, file execution, file management, and configuration updating. It can also be tasked to test\r\nthe connectivity of a provided IP and port number.\r\nThe backdoor checks for the existence of its configuration file at /private/etc/apdl.cf. If it does not exist, it creates\r\nit with hard-coded values. The config file is single-byte XOR encoded with the key 0x5e. C2 comms are sent over\r\nHTTP requests. A bot id is generated randomly seeded with the PID of the malware upon initial execution. The id\r\nis sent with C2 communications. A brief host survey report is included in beacon requests. Message contents are\r\nencrypted with the A5 stream cipher according to the function names in the binary.\r\n* Previous reporting mentioned the macOS build server was compromised with SIMPLESEA. Mandiant\r\nIntelligence analyzed the sample and determined it to have a high degree of code overlap with POOLRAT,\r\ndeprecating SIMPLESEA in favor of POOLRAT.\r\nPersistence\r\nOn Windows, the attacker used DLL side-loading to achieve persistence for TAXHAUL malware. DLL side-loading triggered infected systems to execute the attacker's malware within the context of legitimate Microsoft\r\nWindows binaries, reducing the likelihood of malware detection. The persistence mechanism also ensures the\r\nattacker malware is loaded at system start-up, enabling the attacker to retain remote access to the infected system\r\nover the internet.\r\nThe malware was named C:\\Windows\\system32\\wlbsctrl.dll to mimic the legitimate Windows binary of the same\r\nname. The DLL was loaded by the legitimate Windows service IKEEXT through the legitimate Windows binary\r\nsvchost.exe.\r\nCommand and Control\r\nhttps://www.3cx.com/blog/news/mandiant-initial-results/\r\nPage 2 of 3\n\nMandiant identified that malware within the 3CX environment made use of the following command and control\r\ninfrastructure:\r\nazureonlinecloud[.]com\r\nakamaicontainer[.]com\r\njournalide[.]org\r\nmsboxonline[.]com\r\nDiscuss this article\r\nSource: https://www.3cx.com/blog/news/mandiant-initial-results/\r\nhttps://www.3cx.com/blog/news/mandiant-initial-results/\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.3cx.com/blog/news/mandiant-initial-results/" ], "report_names": [ "mandiant-initial-results" ], "threat_actors": [ { "id": "e265bb3a-eb4c-4999-9b1d-c24a0d05a7f0", "created_at": "2023-12-21T02:00:06.096716Z", "updated_at": "2026-04-10T02:00:03.502439Z", "deleted_at": null, "main_name": "UNC4736", "aliases": [], "source_name": "MISPGALAXY:UNC4736", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "544ecd2c-82c9-417c-9d98-d1ae395df964", "created_at": "2025-10-29T02:00:52.035025Z", "updated_at": "2026-04-10T02:00:05.408558Z", "deleted_at": null, "main_name": "AppleJeus", "aliases": [ "AppleJeus", "Gleaming Pisces", "Citrine Sleet", "UNC1720", "UNC4736" ], "source_name": "MITRE:AppleJeus", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434032, "ts_updated_at": 1775792299, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5af334ca08bd2c5631de159b176992c5a5f77a1a.pdf", "text": "https://archive.orkl.eu/5af334ca08bd2c5631de159b176992c5a5f77a1a.txt", "img": "https://archive.orkl.eu/5af334ca08bd2c5631de159b176992c5a5f77a1a.jpg" } }