{
	"id": "02e537eb-9ef1-4bad-b4b3-ee4b432cb43e",
	"created_at": "2026-04-06T00:11:12.699125Z",
	"updated_at": "2026-04-10T03:21:07.193928Z",
	"deleted_at": null,
	"sha1_hash": "5e5716c52c5dbd25e743816a032a06ac91ef1f1b",
	"title": "Sophos X-Ops (@SophosXOps@infosec.exchange)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 740404,
	"plain_text": "Sophos X-Ops (@SophosXOps@infosec.exchange)\nBy Sophos X-Ops\nPublished: 2023-09-22 · Archived: 2026-04-05 15:30:02 UTC\n\nSophos X-Ops @SophosXOps@infosec.exchange\nIn mid-August, the Sophos X-Ops Incident Response team was brought in to address a cyber incident impacting a telecommunications company. Shortly after, when the customer was onboarded to Sophos MDR services, a detection was generated for a service creation for the Cloudflared tunneling service from a suspicious path. The resulting investigation led Sophos MDR Ops analysts and SophosLabs researchers to uncover a backdoor leveraging a loading function similar to that previously seen within the TinyTurla backdoor.\nhttps://infosec.exchange/@SophosXOps/111109357153515214\n\nSophos X-Ops @SophosXOps\nEvidence indicates the backdoor had been present in the environment since at least June 2022, as a DLL masquerading as a legitimate SMP host service (smpsvc.dll). The registry entry for the ‘smphost’ service was set with a value of ‘2’ for autostart, allowing the backdoor to auto-execute without threat actor interaction.\n\nSophos X-Ops @SophosXOps\nOn September 12th of this year, Sophos observed the execution of the ‘smphost’ service hidden in the svchost.exe process to load the malicious DLL smpsvc.dll and execute attacker commands. The malicious DLL is covered by Sophos under the Troj/Inject-JCX detection.\n\nSophos X-Ops @SophosXOps\nThe observed overlap between TinyTurla and the sample analyzed by Sophos is that both samples load and execute as a service hidden within the svchost.exe process. However, instead of using the technique noted by Talos, where the TinyTurla backdoor came in the form of a new, fake service DLL named 'Windows Time Service,' the threat actors in this case modified the registry entry for the legitimate smphost service DLL to point to the malicious smpsvc.dll carrying the backdoor.\n\nSophos X-Ops @SophosXOps\nThe smphost.dat we saw contains heavily obfuscated data, lacks a PE header and section names, and is used to build the official payload in memory (sha1: c926808667352ff9e0b2f0550965a0864814e3cd). The C2 domain, hxxps[://]cache[.]chartbaet[.]com/static/cache/, is XOR encoded (0x83) and leverages the user agent [Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36].\n\nSophos X-Ops @SophosXOps\nThis sample leverages a UUID that is XORed with file time and system time to generate the unique C2 URL, as shown. The final payload downloaded is injected into process memory and applies API call obfuscation to further avoid detection. (“chartbaet.com” is unrelated to the legitimate Chartbeat software site.)\n\nSophos X-Ops @SophosXOps\nShortly after the backdoor established C2 communications, Sophos observed a likely DCSync attack to retrieve user credentials (shown) and saw discovery performed via Impacket.\n\nSophos X-Ops @SophosXOps\nThe actor then extracted the file 'c.cab' and executed compressed file c.part01.rar. The c.cab file created C:\\Windows\\Temp\\cloudflared.exe and a new service called 'SRService' on the hosts. The service creation is for the execution of 'C:\\Windows\\System32\\downlevel\\ShellExperienceHost.exe,' which was detected by the Sophos MDR team.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://infosec.exchange/@SophosXOps/111109357153515214"
	],
	"report_names": [
		"111109357153515214"
	],
	"threat_actors": [],
	"ts_created_at": 1775434272,
	"ts_updated_at": 1775791267,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5e5716c52c5dbd25e743816a032a06ac91ef1f1b.pdf",
		"text": "https://archive.orkl.eu/5e5716c52c5dbd25e743816a032a06ac91ef1f1b.txt",
		"img": "https://archive.orkl.eu/5e5716c52c5dbd25e743816a032a06ac91ef1f1b.jpg"
	}
}