{
	"id": "859c6ee6-11a4-464b-93a2-8e3472d1258f",
	"created_at": "2026-04-06T00:08:24.994435Z",
	"updated_at": "2026-04-10T03:33:40.864258Z",
	"deleted_at": null,
	"sha1_hash": "5dd53f13d2d8668d4aa39108df99a0880d021db6",
	"title": "MyCERT : Advisories - Espionage Campaign Based On Technical Indicators",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 89476,
	"plain_text": "MyCERT : Advisories - Espionage Campaign Based On Technical Indicators\r\nArchived: 2026-04-05 18:22:57 UTC\r\n1.0 Introduction\r\nMyCERT observed an increase in the number of artifacts and victims involving a campaign against Malaysian Government officials by a specific threat group. The group's motives are believed to be data theft and exfiltration.\r\n2.0 Impact\r\nPossible data breach and exposure of confidential documents for espionage activity.\r\n3.0 Tactics, Techniques and Procedures (TTP)\r\nSince the group runs short and targeted campaigns, the campaign's TTP is as below:\r\nReconnaissance: The group has leveraged previously compromised email addresses, or impersonated email addresses, to send spear-phishing emails.\r\nDelivery: Spear-phishing emails with malicious attachments, although delivery via Google Drive has also been observed. This includes pretending to be a journalist, an individual from a trade publication, or someone from a relevant military organization or non-governmental organization (NGO).\r\nWeaponization: Microsoft Office document with a macro that, once enabled, extracts a malicious executable which downloads the loader.\r\nExploitation:\r\nCVE-2014-6352: Allows remote attackers to execute arbitrary code via a crafted OLE object, as exploited in the wild in October 2014 with a crafted PowerPoint document.\r\nCVE-2017-0199: Allows remote attackers to execute arbitrary code via a crafted document, aka \"Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API\".\r\nInstallation:\r\nUtilizes uniquely named “iShape” components: a benign exe, a loader DLL, and hidden content\r\nFacilitates extraction and execution of the main payload in memory\r\nLoad-order hijacking using a benign Windows Defender exe\r\nContains an encrypted config block and an LZMA-compressed main payload.\r\nCommand and Control: Beacon + download and execute stage 2. The beacon is also encrypted and looks like a PNG.\r\nhttps://www.mycert.org.my/portal/advisory?id=MA-774.022020\r\nPage 1 of 4\r\nFigure 7: Sample of Encrypted PNG\r\nActions on Objectives: Data theft and exfiltration. The group's operations tend to target government-sponsored projects and take large amounts of information specific to such projects, including proposals, meetings, financial data, shipping information, plans and drawings, and raw data.\r\n4.0 Affected Products\r\n1. CVE-2014-6352: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1\r\n2. CVE-2017-0199: Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1\r\n5.0 Indicators of Compromise\r\nIP Addresses, Domains, Hashes\r\n6.0 Recommendations\r\nFollow the best practices advised in your own organization\r\nPatch the vulnerabilities listed above as necessary\r\nBlock the IOCs found and set rules for them in the firewall, IDS or IPS\r\nRaise awareness of the current TTP among users in your own organization\r\nGenerally, MyCERT advises the users of these products to stay updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.\r\nFor further enquiries, please contact MyCERT through the following channels:\r\nE-mail: cyber999[at]cybersecurity.my\r\nPhone: 1-300-88-2999 (monitored during business hours)\r\nFax: +603 - 8008 7000 (Office Hours)\r\nMobile: +60 19 2665850 (24x7 call incident reporting)\r\nSMS: CYBER999 REPORT EMAIL COMPLAINT to 15888\r\nBusiness Hours: Mon - Fri 09:00 - 18:00 MYT\r\nWeb: https://www.mycert.org.my\r\nTwitter: https://twitter.com/mycert\r\nFacebook: https://www.facebook.com/mycert.org.my\r\nSource: https://www.mycert.org.my/portal/advisory?id=MA-774.022020",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.mycert.org.my/portal/advisory?id=MA-774.022020"
	],
	"report_names": [
		"advisory?id=MA-774.022020"
	],
	"threat_actors": [
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434104,
	"ts_updated_at": 1775792020,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5dd53f13d2d8668d4aa39108df99a0880d021db6.pdf",
		"text": "https://archive.orkl.eu/5dd53f13d2d8668d4aa39108df99a0880d021db6.txt",
		"img": "https://archive.orkl.eu/5dd53f13d2d8668d4aa39108df99a0880d021db6.jpg"
	}
}