{
	"id": "b7e1b1e0-a468-4985-8186-82fe1cc1037d",
	"created_at": "2026-04-06T00:13:09.308706Z",
	"updated_at": "2026-04-10T03:37:36.770854Z",
	"deleted_at": null,
	"sha1_hash": "5b54e1a9c0965d05e69601ab39f72f7a9c691489",
	"title": "New Python-Based Payload MechaFlounder Used by Chafer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 542302,
	"plain_text": "New Python-Based Payload MechaFlounder Used by Chafer\r\nBy Robert Falcone, Brittany Barbehenn\r\nPublished: 2019-03-04 · Archived: 2026-04-02 11:21:41 UTC\r\nIn November 2018 the Chafer threat group targeted a Turkish government entity reusing infrastructure that they\r\nused in campaigns reported earlier in 2018 by Clearsky, specifically, the domain win10-update[.]com. While we\r\nlack visibility into the initial delivery mechanism of this attack, we did observe a secondary payload hosted on\r\n185.177.59[.]70, the IP address to which this domain resolved at the time of the activity.\r\nUnit 42 has observed Chafer activity since 2016; however, Chafer has been active since at least 2015. This new\r\nsecondary payload is Python-based and compiled into executable form using the PyInstaller utility. This is the first\r\ninstance where Unit 42 has identified a Python-based payload used by these operators. We’ve also identified code\r\noverlap with OilRig’s Clayslide VBScript but at this time track Chafer and OilRig as separate threat groups. We\r\nhave named this payload MechaFlounder for tracking purposes and discuss details below.\r\nTurkish Government Targeting\r\nOur visibility into this Chafer activity involves the identification of a malicious executable downloaded from the\r\nIP address 185.177.59[.]70. How the attackers are targeting victims and causing them to download this file is\r\ncurrently not known.\r\nThe file named ‘lsass.exe’ was downloaded from win10-update[.]com via an HTTP request. The\r\nwin10-update[.]com domain has been noted in open source as an indicator associated with Chafer threat operations. The\r\nlsass.exe file downloaded from this domain is a previously unreported Python-based payload that we are currently\r\ntracking as MechaFlounder. We believe Chafer uses MechaFlounder as a secondary payload that the group\r\ndownloads from a first-stage payload to carry out its post-exploitation activities on the compromised host. 
Based\r\non our telemetry, the first-stage payload was not observed in this activity.\r\nIn February 2018, IP address 134.119.217[.]87 resolved to win10-update[.]com and several other domains likely\r\nassociated with Chafer activity. Of interest, the domain turkiyeburslari[.]tk, which mirrors the legitimate Turkish\r\nScholarship government domain turkiyeburslari[.]gov[.]tr, also resolved to this IP and may likely have been used\r\nin other Chafer collection operations. The domains associated with this IP address are included within the\r\nAppendix and displayed in Figure 1 below.\r\nhttps://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/\r\nPage 1 of 9\n\nFigure 1. Infrastructure associated with 134.119.217[.]87\r\nThe MechaFlounder Payload\r\nThe Python-based payload, ‘lsass.exe’, was retrieved from a command and control (C2) server via an HTTP\r\nrequest to the following URL:\r\nwin10-update[.]com/update.php?req=\u003credacted\u003e\u0026m=d\r\nThis payload (SHA256: 0282b7705f13f9d9811b722f8d7ef8fef907bee2ef00bf8ec89df5e7d96d81ff), which we are\r\ntracking as MechaFlounder, was developed in Python and bundled as a portable executable using the PyInstaller\r\ntool. This secondary payload acts as a backdoor allowing the operator to upload and download files, as well as run\r\nadditional commands and applications on the compromised system.\r\nMechaFlounder begins by entering a loop that will continuously attempt to communicate with its C2 server. The\r\nTrojan will use HTTP to send an outbound beacon to its C2 server that contains the user's account name and\r\nhostname in the URL. The code, seen in Figure 2, builds the URL by concatenating the username and hostname\r\nwith two dashes \"--\" between the two strings. 
The code then creates the URL string by using the username and\r\nhostname string twice with the back-slash \"\\\" character between the two and by appending the string\r\n\"-sample.html\".\r\nFigure 2. Trojan code used to build anomalous HTTP request\r\nDuring this analysis, the code in Figure 2 generated anomalous HTTP requests for its beacons, as shown in Figure\r\n3 below. One might notice that the GET request in Figure 3 does not start with a forward-slash \"/\" character and\r\nincludes a back-slash character \"\\\" in the URL. This causes a legitimate web server, such as nginx used in our test\r\nenvironment, to respond with a '400 Bad Request' error message. This may suggest that even though the code in\r\nFigure 2 uses the HTTPConnection class from the httplib module to generate the anomalous HTTP beacon, it is\r\nlikely that the threat actors created a custom server to handle this C2 channel instead of relying on a standard web\r\nserver.\r\nAdditionally, Figure 2 shows that the malware author used the variable name 'cmd' to build the string used for the\r\nHTTP method and path and checks the HTTP method portion of the string for the word 'exit'. We are unsure of the\r\npurpose of this check, as the HTTP method in this string would never be 'exit' and therefore the check would never be true.\r\nWe believe this is an artifact likely derived from a previous version of the script that the author forgot to remove.\r\nFigure 3. Example HTTP request issued by Trojan in test environment\r\nIf the C2 server were to accept the beacon in Figure 3, it would respond with HTML that contains a command\r\nintended for the Trojan to parse and execute. The Trojan begins by converting the HTML in the response to text\r\nusing the code seen in Figure 4 below. 
The HTML to text code in Figure 4 is available in several locations on the\r\nInternet, but it appears to have possibly originated from a discussion at Stack Overflow titled Extracting text from\r\nHTML file using Python, which may be where the malware author obtained this code.\r\nFigure 4. HTML to text code in Trojan possibly obtained from Stack Overflow discussion\r\nAfter converting the HTML to text, the Trojan discards the first 10 characters of the response and treats the\r\nremainder of the string as a command. The C2 can also provide the string \"yes \" in this command string, which\r\ninstructs the Trojan to decode the command as a base16 encoded string with the \"yes \" substring removed. The\r\nTrojan subjects the command supplied by the C2 to a handler that determines the activities the Trojan will\r\nperform. Table 1 shows a list of commands available within the Trojan's command handler and the corresponding\r\nactivities. The commands in the command handler provide the necessary functionality for Chafer to interact with\r\nthe remote system.\r\nCommand\tDescription\r\nTerminate\tTerminates the connection\r\ndownload\tDownloads provided \u003cfilename\u003e that it will obtain from http://\u003cc2 server\u003e/\u003cfilename\u003e and saves it to C:\\Users\\Public\\\u003cfilename\u003e.\r\nruntime\tSets the sleep interval between beacons.\r\nupload\tUploads provided \u003cfilename\u003e to http://\u003cc2 server\u003e via HTTP POST.\r\ncd\tChanges the current working directory\r\nempty\tDoes nothing, likely an Idle command.\r\n\u003canything else\u003e\tAttempts to run the supplied data as a command on the command line.\r\nTable 1. 
Commands available in Trojan’s command handler\r\nWe gained more insight into the custom C2 server application by analyzing the activities that MechaFlounder\r\ncarries out if it receives the ‘upload’ command. To upload a specified file from the compromised system to the C2\r\nserver, the Trojan uses the Browser class in the mechanize module (partial basis of the MechaFlounder name) to\r\nsubmit the file to an HTML form on the C2 server. This suggests that in addition to being able to handle the\r\nanomalous HTTP GET requests previously mentioned, the custom C2 server application must also be able to:\r\n1. Serve HTML that contains a form to receive uploaded files,\r\n2. Handle legitimate HTTP POST requests generated by the mechanize module, and\r\n3. Save files uploaded with the HTTP POST request.\r\nAfter carrying out the activities for the command, the Trojan will encode the results or output message of the\r\ncommand using the 'base64.b16encode' method. Each command has an output message for both a successful and\r\nfailed execution of the command with the exception of ‘empty’ and ‘terminate’. 
Table 2 below shows the success\r\nand failure messages associated with each command.\r\nCommand\tMessage type\tOutput message structure\r\ndownload\tSuccess\t\u003cusername\u003e--\u003chostname\u003e||download \u003cfilename\u003e**download success\\n\r\ndownload\tFail\t\u003cexception message\u003e||\u003cusername\u003e--\u003chostname\u003e**download failed, download \u003cfilename\u003e \\n\r\nupload\tSuccess\t\u003cusername\u003e--\u003chostname\u003e||upload \u003cfilename\u003e**upload success \\n\r\nupload\tFail (no file)\t\u003cusername\u003e--\u003chostname \u003e||\u003ccommand issued\u003e**no such file\\n\r\nupload\tFail (exception)\t\u003cexception message\u003e||\u003cusername\u003e--\u003chostname\u003e**upload failed,upload \u003cfilename\u003e \\n\r\nruntime\tSuccess\t\u003cinterval\u003e||\u003cusername\u003e--\u003chostname\u003e**runtime changed to \u003ccommand issued\u003e\r\nruntime\tFail\t\u003cusername\u003e--\u003chostname\u003e||\u003ccommand issued\u003e**runtime change failed because of large mount\r\ncd\tSuccess\t\u003cusername\u003e--\u003chostname\u003e||\u003ccommand issued\u003e**directory changed success to \u003cdirectory\u003e\r\ncd\tFail\t\u003cusername\u003e--\u003chostname\u003e||\u003ccommand issued\u003e**Couldn\"t change directory\r\n\u003canything else\u003e (command execution)\tSuccess\t\u003cusername\u003e--\u003chostname\u003e||\u003ccommand issued\u003e**\u003ccommand stdout\u003e\r\n\u003canything else\u003e (command execution)\tFail\t\u003cusername\u003e--\u003chostname\u003e||\u003ccommand issued\u003e**\u003ccommand stderr\u003e\r\nTable 2. Success and failure messages associated with commands\r\nUnlike the initial beacon that uses the anomalous HTTP GET request, the Trojan will send the encoded results to\r\nthe C2 server using the same socket as the initial HTTP beacon. 
The use of the same socket and the anomalous\r\nportions of the HTTP beacon further suggest that the threat actor likely created a custom C2 server to handle this\r\nnetwork traffic.\r\nTo show these network communications, we patched the Trojan to issue beacons that use legitimate HTTP GET\r\nrequests that the HTTP server (nginx) in our test environment could support. The patches involved changing the\r\npaths within the HTTP request, specifically setting the path to start with a forward-slash “/” and to use the forward-slash “/” instead of a back-slash “\\” within the URL path itself. In our test environment, we added the string\r\n“0123456789runtime 5” to the file ‘rob--rob-virtual-machine-service.html’ in the ‘rob--rob-virtual-machine’\r\nfolder.\r\nWhen the Trojan issues the beacon, the HTTP server responds with contents of the ‘rob--rob-virtual-machine-service.html’ file, which effectively issues a command to the Trojan. The Trojan responds to the command\r\n‘runtime 5’ with the message \"5||rob--rob-virtual-machine**runtime changed to runtime 5\" that it encodes in\r\nbase16. It then sends this to the C2 server without any HTTP headers using the same socket as the initial HTTP\r\nrequest.\r\nFigure 5 shows the TCP session showing the initial beacon sent from the patched Trojan, the HTTP server\r\nresponding with a command, and the Trojan responding to the command all in the same TCP session.\r\nFigure 5. Single TCP Session used by the Trojan to receive commands and send command results to the C2\r\nAnd one more thing...\r\nIf you think you’ve seen the “\u0026m=d” parameter before, you’d be correct. The “\u0026m=d” parameter seen in the\r\ninitial download URL of the MechaFlounder payload appears in many URLs related to both Chafer and OilRig\r\nthreat groups. 
This parameter has been seen in VBScript downloader payloads installed by delivery documents\r\nassociated with both OilRig and Chafer. We have also seen this parameter used in URLs generated by Chafer’s\r\nAutoIT payload. The VBScript and AutoIT payloads also share common variable names and the same overall\r\nfunctionality, which suggests there may be some code sharing occurring between the two threat groups. Figure 6\r\nbelow shows a VBScript run by an OilRig delivery document (SHA256:\r\n1b2fee00d28782076178a63e669d2306c37ba0c417708d4dc1f751765c3f94e1) on the left compared to a Chafer\r\nAutoIT script (SHA256: 332fab21cb0f2f50774fccf94fc7ae905a21b37fe66010dcef6b71c140bb7fa1) on the right,\r\nwhich have colored boxes surrounding code overlaps.\r\nUnfortunately, we are unable to ascertain the specifics of the code sharing between OilRig and Chafer. At\r\nthis time, we are not combining the two threat groups together based on these code overlaps.\r\nFigure 6. OilRig Clayslide VBS | Chafer AutoIT\r\nConclusion\r\nThe Chafer threat group has been active since at least 2015, focused on both private and public sector entities\r\nwithin the Middle East. Unit 42 has specifically observed the targeting of Turkish government entities since at\r\nleast 2016; however, this is the first instance where Unit 42 has observed Chafer using a Python-based payload.\r\nThis payload, now known as MechaFlounder, was created by Chafer using a combination of actor-developed code\r\nand code snippets freely available online in development communities. 
The MechaFlounder Trojan contains\r\nenough functionality for the Chafer actors to carry out the activities needed to accomplish their goals,\r\nspecifically by supporting file upload and download, as well as command execution functionality.\r\nThe overlap in OilRig’s Clayslide VBScript and Chafer’s AutoIT payloads does not come as a complete surprise.\r\nOilRig and Chafer have for quite some time appeared very similar operationally, and their potentially having access to\r\nthe same code or resources for payload development makes sense. Unit 42 has taken note of the various\r\noverlaps in the two sets of activities and continues to track these operations separately.\r\nPalo Alto Networks customers are protected against this threat in the following ways:\r\nWildFire detects MechaFlounder with a malicious verdict\r\nDomains identified as command and control servers are flagged as malicious\r\nAutoFocus tags: https://autofocus.paloaltonetworks.com/#/tag/Unit42.Mechaflounder\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report\r\nwith our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections\r\nto their customers and to systematically disrupt malicious cyber actors. 
For more information on the Cyber Threat\r\nAlliance, visit cyberthreatalliance.org.\r\nAppendix\r\nMechaFlounder Sample\r\nlsass.exe\r\n0282b7705f13f9d9811b722f8d7ef8fef907bee2ef00bf8ec89df5e7d96d81ff\r\nInfrastructure referenced in this report\r\nwin10-update[.]com\r\n185.177.59[.]70\r\n134.119.217[.]87\r\nwin7-update[.]com\r\nturkiyeburslari[.]tk\r\nxn--mgbfv9eh74d[.]com (تلگرام].[com)\r\nytb[.]services\r\neseses[.]tk\r\nSource: https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/"
	],
	"report_names": [
		"new-python-based-payload-mechaflounder-used-by-chafer"
	],
	"threat_actors": [
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39 ",
				"Burgundy Sandstorm ",
				"Chafer ",
				"ITG07 ",
				"Remix Kitten "
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bee22874-f90e-410b-93f3-a2f9b1c2e695",
			"created_at": "2022-10-25T16:07:23.45097Z",
			"updated_at": "2026-04-10T02:00:04.610108Z",
			"deleted_at": null,
			"main_name": "Chafer",
			"aliases": [
				"APT 39",
				"Burgundy Sandstorm",
				"Cobalt Hickman",
				"G0087",
				"ITG07",
				"Radio Serpens",
				"Remix Kitten",
				"TA454"
			],
			"source_name": "ETDA:Chafer",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Antak",
				"CACHEMONEY",
				"EternalBlue",
				"HTTPTunnel",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MechaFlounder",
				"Metasploit",
				"Mimikatz",
				"NBTscan",
				"NSSM",
				"Non-sucking Service Manager",
				"POWBAT",
				"Plink",
				"PuTTY Link",
				"Rana",
				"Remcom",
				"Remexi",
				"RemoteCommandExecution",
				"SafetyKatz",
				"UltraVNC",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"nbtscan",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434389,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b54e1a9c0965d05e69601ab39f72f7a9c691489.pdf",
		"text": "https://archive.orkl.eu/5b54e1a9c0965d05e69601ab39f72f7a9c691489.txt",
		"img": "https://archive.orkl.eu/5b54e1a9c0965d05e69601ab39f72f7a9c691489.jpg"
	}
}