{
	"id": "02d9bdcb-1c59-4012-9060-9c1a9de60fdc",
	"created_at": "2026-04-06T00:07:33.069882Z",
	"updated_at": "2026-04-10T03:38:09.994881Z",
	"deleted_at": null,
	"sha1_hash": "5f77c7bad303e45abbbc56996e27753708a3010c",
	"title": "The Art of Cyberwarfare | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 303205,
	"plain_text": "Anastasia Tikhonova\r\nGlobal Threat Research Lead\r\nThe Art of Cyberwarfare\r\nChinese APTs attack Russia\r\nAugust 3, 2021 · min to read · Advanced Persistent Threats\r\n← Blog\r\nhttps://www.group-ib.com/blog/task/\r\nPage 1 of 36\n\nAPT China Malware\r\nIn mid-May 2021, experts from SOLAR JSOC and the National Computer Incident Response \u0026\r\nCoordination Center (NCIRCC) released a joint report on a series of targeted attacks detected in\r\n2020. According to the report, the attackers targeted Russian federal executive authorities.\r\nWhile analyzing the report, Anastasia Tikhonova (Head of APT Research at Group-IB) and Dmitry\r\nKupin (Senior Malware Analyst) noticed that they had already come across similar tools in earlier\r\nattacks.\r\nChinese APTs are one of the most numerous and aggressive hacker communities. Several\r\ndozen groups conduct attacks in countries all over the world, and Russia is no exception. Hackers\r\nmostly target state agencies, industrial facilities, military contractors, and research institutes. The\r\nmain objective is espionage: attackers gain access to confidential data and attempt to hide their\r\npresence for as long as possible. There have been cases when attackers successfully persisted in\r\nthe victim’s network for several years.\r\nUnfortunately, the SOLAR JSOC and NCIRCC report did not provide indicators of compromise, so\r\nthe experts had to rely on descriptions of the functionality and screenshots of the malicious code.\r\nAs a result, Group-IB’s researchers came up with some interesting conclusions about which\r\nChinese groups could be behind the attacks against Russian federal executive authorities in\r\n2020, what tools they used, and how their malware has evolved since.\r\nhttps://www.group-ib.com/blog/task/\r\nPage 2 of 36\n\nKey conclusions\r\nTA428 is a Chinese state-sponsored hacker group that\r\nhas been operating since 2013. 
The attackers target a\r\nnumber of government agencies in East Asia that control\r\ngovernmental information technology, domestic and\r\nforeign policy, and economic development. TaskMasters\r\n(aka BlueTraveller) is a state-sponsored Chinese hacker\r\ngroup that allegedly has been active since at least 2010.\r\nThe group attacks companies based in several countries,\r\nbut many of their targets are located in Russia and CIS.\r\nThe research describes Webdav-O malware detected in attacks against Russian federal\r\nexecutive authorities in 2020.\r\nGroup-IB experts detected two versions of the Webdav-O Trojan for x86 and x64 systems.\r\nWhen comparing parts of the code, the specialists proved that the Webdav-O x64 Trojan was\r\nused in attacks against Russian federal executive authorities. The malware has existed since at\r\nleast 2018.\r\nGroup-IB specialists established that Webdav-O has a set of commands similar to a popular\r\nTrojan called BlueTraveller (aka RemShell), which was developed in China and has been linked to\r\nthe hacker group called TaskMasters.\r\nBefore that, Sentinel Labs released a report about malware called Mail-O, which was also\r\nidentified in attacks against Russian federal executive authorities. Mail-O was deemed to be\r\nlinked to the Chinese hacker group TA428.\r\nGroup TA428 is known to use a Trojan called Albaniiutas in their attacks. 
Group-IB’s analysis\r\nshowed that Albaniiutas is an updated version of BlueTraveller.\r\nGroup-IB experts believe that either both Chinese hacker groups (TA428 and TaskMasters)\r\nattacked Russian federal executive authorities in 2020 or that there is one united Chinese\r\nhacker group made up of different units.\r\nThe hackers target solid industrial and energy enterprises,\r\ngovernment agencies, and transport companies.\r\nStarting point\r\nIn early June 2021, analysts from the American cybersecurity company Sentinel Labs released a\r\nreport about Mail-O. The experts wrote that Mail-O is a version of the relatively well-known malware\r\ncalled SManager, which is used by the Chinese hacker group TA428.\r\nGroup-IB specialists wanted to make sure that Mail-O is a loader, while SManager and Tmanger are\r\nRemote Access Trojans (RAT). However, a part of the code overlaps in the exported functions\r\n“Entery” and “ServiceMain” of Mail-O, SManager and Tmanger, which brings us back to TA428.\r\nMoreover, hackers from TA428 have already been found to be involved in espionage against\r\nRussia, especially Russian state facilities.\r\nTo prove the hypothesis that TA428 was behind the attacks against Russian federal executive\r\nauthorities in 2020, we decided to analyze a sample of Webdav-O. Group-IB Threat Intelligence \u0026\r\nAttribution has detected similar malicious behavior before and can now explain why we link it to a\r\nspecific group. Below we provide an analysis of Webdav-O samples and highlight features that\r\noverlap with the points mentioned in the SOLAR JSOC and NCIRCC report.\r\nAs the experts put it: “The report dwells on the analysis of a series of targeted attacks”. Based\r\non this information, we assumed that several hacker groups may be behind the attacks.\r\nThe attackers used malware that interacted with the management server via the cloud service called\r\nYandex.Disk. 
The malware was dubbed Webdav-O.\r\nAttackers also used malicious software that accessed the cloud service Mail.ru. The malware was\r\ndubbed Mail-O.\r\nhttps://www.group-ib.com/blog/task/\r\nPage 4 of 36\n\n骑驴找马 [qí lǘ zhǎo mǎ] Verbatim translation: Ride a mule\r\nwhile looking for a horse. Definition: Use the tools you\r\nhave while looking for something better.\r\nAnalysis of Webdav-O sample\r\nName 1.dll\r\nSHA1 c9e03855f738e360d24018e2d203142c7ae6c2ec\r\nCompilation timestamp 2018-07-12 03:08:01\r\nFirst Submission 2019-11-07 10:34:11\r\nDll Name y_dll.dll\r\nExport function ServiceMain\r\nFile “1.dll” is an x86 dynamic link library (DLL) that functions as a service in the system.\r\nhttps://www.group-ib.com/blog/task/\r\nPage 5 of 36\n\nThe analyzed file provides remote access to the command line shell (cmd.exe) and executes various\r\ncommands originating from C2 on the compromised host.\r\nThe legitimate cloud service called Yandex.Disk (webdav.yandex.ru:443) is used as network\r\ninfrastructure, namely C\u0026C. Network interaction with the cloud is implemented via the Webdav\r\nprotocol. The authentication method is Basic.\r\nThe strings and configuration data are encrypted with the RC4 algorithm using the following key: {\r\n8A 4F 01 47 34 C9 75 F8 2B C8 C1 E9 D2 F3 A5 8B }. The key size is 16 bytes. The analyzed files\r\ncan work with 1-7 accounts (in this case only 2 are used, but we will come back to this later).\r\nFeatures of the sample\r\nhttps://www.group-ib.com/blog/task/\r\nPage 6 of 36\n\n1. The exported ServiceMain function uses a random delay before the main code is executed.\r\n2. Yandex.Disk cloud accounts are checked for availability using the query “/?userinfo” (GET).\r\nhttps://www.group-ib.com/blog/task/\r\nPage 7 of 36\n\n3. 
The file “/test3.txt” is downloaded from “Yandex.Disk” (GET) and checked for the “Just A Test!” line.\r\nIn case of success, the system checks for batch files in the “/test” directory of “Yandex.Disk”\r\n(PROPFIND).\r\n4. A command file is defined for downloading from the Yandex.Disk cloud (GET). The response from\r\nthe server is processed. The name of the file with commands is between the tags:\r\n\u003cd:href\u003e[name of the command file]\u003c/d:href\u003e\r\n5. In the command file, the contents are encrypted using the RC4 algorithm. After downloading the\r\ncommand file, it is deleted from Yandex.Disk (DELETE).\r\n6. The file “/test2.txt” is uploaded to Yandex.Disk (PUT). The file “/test2.txt” contains the line “Just A\r\nTest!”. The mechanism is presumably used to check the functioning of the malicious program.\r\n7. The file “/test2/[0-9]{1,4}[0-9]{1,4}.bin” is uploaded to “Yandex.Disk” (PUT). The file contains the\r\ncommand results. Data is encrypted using the RC4 algorithm.\r\nDescription of the commands\r\nCommand Description\r\n-upload\r\nUploads the file to Yandex.Disk cloud storage. The file name is specified in the\r\ncommand. The file is saved in the cloud under the following name: “[0-9]{1,4}[0-9]\r\n{1,4}.bin”. Response format: “##u## %s %s”.\r\n-download\r\nDownloads the file from Yandex.Disk cloud storage. The file name is specified in\r\nthe command. The downloaded file is deleted from Yandex.Disk. Response format:\r\n“##d## %s”.\r\n-quit Ends a session (exits the command execution flow).\r\n-setsleep\r\nSets the waiting interval (in minutes) between command requests. 
Response\r\nformat: “##s## %d”.\r\n[other command cmd.exe]\r\nRuns the command in the command line shell (cmd.exe)\r\nComparison with the sample presented in the\r\nSOLAR JSOC and NCIRCC report\r\nWhen analyzing the code uploaded to VirusTotal, we found many overlapping points with the\r\nTrojan described in the SOLAR JSOC and NCIRCC report. Some of the common features can be\r\nseen in the screenshot with the malware code, which shows the receipt of the command files list in\r\nthe test folder:\r\nComparison of the Webdav-O sample from the report (on the left) to the VirusTotal sample (on the\r\nright)\r\nComparison of Webdav-O samples\r\nWebdav-O sample from the report:\r\nBasic authentication and OAuth\r\nList of commands (5):\r\n-upload\r\n-download\r\n-setsleep\r\n-quit\r\n-sleepuntil\r\n[other command cmd.exe]\r\nCommand response format:\r\n##u## %s %s (-upload)\r\n##d## %s (-download)\r\n##s## %d (-setsleep)\r\n##l## %s (-sleepuntil)\r\nWebdav-O x86:\r\nBasic authentication\r\nList of commands (4):\r\n-upload\r\n-download\r\n-setsleep\r\n-quit\r\n[other command cmd.exe]\r\nCommand response format:\r\n##u## %s %s (-upload)\r\n##d## %s (-download)\r\n##s## %d (-setsleep)\r\n* Impossible to verify since there are no indicators (specifying Webdav-O file) in the report.\r\nAs you can see from our comparison of the two samples, Webdav-O from the SOLAR JSOC and\r\nNCIRCC report looks like a newer, partially improved version of the Trojan that we detected on\r\nVirusTotal.\r\nComparison of Webdav-O with the code of\r\nthe BlueTraveller (RemShell) sample\r\n见风转舵 [jiàn fēng zhuǎn duò] Verbatim translation: If you\r\nfeel the wind – change direction. 
Meaning: Change your\r\ntactics to avoid difficulties.\r\nhttps://www.group-ib.com/blog/task/\r\nPage 11 of 36\n\nBased on a large database of analyzed malicious samples accumulated when searching and\r\nresponding to cyber threats, Group-IB’s specialists linked the detected Webdav-O sample to the\r\nBlueTraveller Trojan.\r\nTo prove our hypothesis, below we present a comparison of the Webdav-O x86 sample and the\r\nsample of BlueTraveller (RemShell) (SHA1: 6857BB2C3AE5F9C2393D9F88816BE7A10CB5573F).\r\nName netui4.dll\r\nSHA1 6857bb2c3ae5f9c2393d9f88816be7a10cb5573f\r\nCompilation timestamp 2017-03-03 09:13:08\r\nFirst Submission 2017-07-07 18:33:12\r\nDll Name client_dll.dll\r\nExport function ServiceMain\r\nFragments of the pseudocode for processing (receiving) the \"-upload\" command in the samples of\r\nWebdav-O\r\nhttps://www.group-ib.com/blog/task/\r\nPage 12 of 36\n\nOriginal name of DLL Webdav-O\r\n(DIRECTORY_ENTRY_EXPORT)\r\nDll name: y_dll.dll\r\nOriginal name of DLL BlueTraveller (RemShell)\r\n(DIRECTORY_ENTRY_EXPORT)\r\nDll name: client_dll.dll\r\nFragments of the pseudocode for processing (receiving) the \"-download\" command in the samples\r\nof Webdav-O\r\nFragments of pseudocode for processing (receiving) the \"-quit\" command in the sample of Webdav-O\r\nFragments of pseudocode for executing a command in the command line shell (cmd.exe) in the\r\nsamples of Webdav-O\r\nhttps://www.group-ib.com/blog/task/\r\nPage 13 of 36\n\nBased on the above comparison, we can draw the following conclusions:\r\nAccounts, passwords, and attribution\r\n路遥知马力, 日久见人心 [lù yáo zhī mǎ lì rì jiǔ jiàn rén xīn]\r\nVerbatim translation: Having overcome a long distance,\r\nyou will know a horse's endurance, and after a long time\r\nyou will know what lies in a person's heart. Definition: Time\r\nreveals a person's true nature.\r\n1. Similar DLL name (DIRECTORY_ENTRY_EXPORT – original DLL name)\r\n2. Same command names\r\n3. Same principle of command processing\r\n4. 
Feature allowing to execute commands in the command line shell (cmd.exe)\r\nhttps://www.group-ib.com/blog/task/\r\nPage 14 of 36\n\nLet’s go back to the analyzed sample of Webdav-O x86. When we decrypted the malware string, we\r\nfound the following “login:password” for the attacker’s accounts used on Yandex.Disk.\r\nThe data discovered:\r\nIf the account login is known, it is possible to recover the email address as follows:\r\naleshaadams:7ujm!QAZ2wsx\r\ntstrobos:\u0026UJM1qaz2ws\r\ntstrobos@yandex.ru\r\naleshaadams@yandex.ru\r\nAttempt to recover the password for aleshaadams@yandex.ru\r\nhttps://www.group-ib.com/blog/task/\r\nPage 15 of 36\n\nThe screenshots show that both accounts are linked to cellphone numbers in the same region\r\n(+86), which is the country code for China.\r\nAnalysis of password generation\r\nIn 2019, Elmar Nabigaev (Deputy Director of Expert Security Center Positive Technologies) delivered\r\na report entitled “The TaskMasters APT” (aka BlueTraveller) and gave examples of passwords\r\ndiscovered when investigating the malware campaign:\r\nhttps://www.group-ib.com/blog/task/\r\nPage 16 of 36\n\nThe images above show that the passwords to the Webdav-O account were generated using a\r\nsimilar technique as TaskMasters. The only things that changed were the registry and the key row\r\ncombination.\r\nBlurring the boundaries\r\nConsidering all the comparisons made and the information discovered about the accounts, we\r\nbelieve that the Chinese hacker group TaskMasters is most likely behind the attacks involving an\r\nimproved version of the Webdav-O Trojan. The case of TA428, however, is still open to debate.\r\nCould both of them be behind the attack against Russian federal executive authorities in 2020?\r\nCould there be someone else involved? Or was it the same group?\r\nWe will continue our investigation and seek more information for analysis. 
Let us take a look at the\r\nreport about TA428 and their new tools, in particular the Trojan called Albaniiutas, which was\r\nreleased by NTT Security Corporation in 2020.\r\nExecuting Albaniiutas files, NTT report\r\nThe aim of our investigation is to study these two objects. Our reasoning will be presented below.\r\nhttps://www.group-ib.com/blog/task/\r\nPage 17 of 36\n\nFirst and foremost, we discovered some common points in the utility used to launch DLL:\r\nBlueTraveller Albaniiutas\r\n1.exe vjsc.dll\r\n\u003e6303CCE6747703E81A5A52DEC11A3BA7DB26EA4B 2FE6AF7CE84CB96AE640BB6ED25A7BA\r\nUtility for registering and running DLL as a service in\r\nthe system and for removing this service.\r\nDLL responsible for registering and running\r\nservice in the system.\r\nLaunched in the command line shell (cmd.exe).\r\nReceives the following command line arguments:\r\nC:\\Users\\IEUser\\Desktop\\1.exe Usage: install -i DllPath\r\nor install -u ServiceName\r\nUploaded by the file “Scrpt.exe” (SHA1:\r\nBC708ACDF6B8B60577268A0788F1E375C\r\n– legitimate signed file “vjc.exe”. Original D\r\n“ServiceAdd.dll”.\r\n“-i [DllPath]” – registering and running DLL as a\r\nservice. “-u [ServiceName]” – deleting the specified\r\nservice.\r\nCode parts of both utilities show the similarities in more detail. As can be seen, both samples use\r\nXOR encryption, which even displays identical debugging information.\r\nFragments of code encrypted with XOR and debugging lines in BlueTraveller\r\nhttps://www.group-ib.com/blog/task/\r\nPage 18 of 36\n\nMoreover, there are common points at the stage of establishing persistence in the system. The\r\nscreenshots below show that the same DLL name randomization occurs. 
The same description of\r\nthe service under which this DLL will work is also displayed.\r\nLet’s continue our comparative analysis and take a look at a sample of BlueTraveller\r\n(SHA1: 6857BB2C3AE5F9C2393D9F88816BE7A10CB5573F) and a fileless RAT belonging to the\r\nAlbaniiutas family.\r\nBlueTraveller Albaniiutas\r\nnetui4.dll –\r\n6857BB2C3AE5F9C2393D9F88816BE7A10CB5573F 08645D079ABE05B88201DB0FF1C9B1EC0\r\nDLL is a RAT. Fileless DLL is a payload in the form of a RAT\r\nLaunched via service (exported function\r\nServiceMain).\r\nUploaded by the file “XpEXPrint.dll / [a-z]{4}.d\r\n(SHA1:\r\nFragments of code of the XOR encrypting function in BlueTraveller\r\nFragments of code with DLL name randomization in BlueTraveller\r\nAE57D779AAC235E979FAE617599377A099B\r\nIt is contained in resources in an encrypted f\r\nOriginal DLL name: “client_dll.dll”. Original DLL name: “ClientX.dll”.\r\nWe also analyzed code parts that look very similar. For example, part of the pseudocode for\r\nexecuting commands in the command line shell (cmd.exe) is shown below.\r\nNext, we analyzed the code parts of data processing received from the C\u0026C server:\r\nThe parts of code above show that the code in BlueTraveller is less sophisticated, but in both cases\r\nthe separator “\\b” is used three times (the strtok function). 
Below is an example of the data that\r\nAlbaniiutas malware receives for each command:\r\nFragments of the code in BlueTraveller\r\nFragments of the code in BlueTraveller\r\nhttps://www.group-ib.com/blog/task/\r\nPage 20 of 36\n\nFormat of the data received when executing commands (retrieved from the NTT report)\r\nLet’s also compare the code fragments for checking and executing the commands received from\r\nthe C\u0026C server:\r\nIt is clear that this part was updated by the hackers, but the commands remain the same:\r\nCommand Options Description\r\n-exit\r\nTerminates the function for receiving\r\nand processing commands (exiting the\r\nflow)\r\nIf the command is executed multiple times, the command will not be executed unless a value\r\nother than the previous one is specified.\r\n1.\r\n2. Separator\r\n3. If the value does not match the value in ③, the command will not be executed.\r\n4. Command identifier and command parameters separated by spaces.\r\nFragments of code in BlueTraveller\r\nhttps://www.group-ib.com/blog/task/\r\nPage 21 of 36\n\nCommand Options Description\r\n-download\r\nDownloads URLs or Path to the storage\r\ndirectory\r\nDownloads a file from the C\u0026C server\r\n-upload\r\nPath to the file on the infected device or\r\nPart of path of the URL-address during\r\nthe upload\r\nUploads a file to the C\u0026C server\r\n(command) Command arguments\r\nExecutes the command with cmd.exe\r\nand returns the result to the C\u0026C\r\nserver.\r\nIn addition, the two Trojans have a similar pattern of communicating with the control server in the\r\nprotocols of network interaction with the C\u0026C server. 
Below is an example of network\r\ncommunication with the C\u0026C server, taken from BlueTraveller samples available on VirusTotal.\r\nBlueTraveller Albaniiutas\r\nhttp://45.32.188[.]226/0000/1301/0024/4u/i7fr09bGus+Wyt7iyjos=\r\nhttp://go.vegispaceshop[.]org/h\r\n8QIRN2+6+O3gKV6ODd2mEPN\r\nTemplate: [IP]/[0000 or 1111]/[0-9]{4}/[0-9]{4}/[base64 data] Template: [domain]/[dir]/[0-9]{4}\r\nLet’s move on to string obfuscation in Albaniiutas. We have established that strings are encrypted\r\nusing the RC4 algorithm. The encryption key used is L!Q@W#E$R%T^Y\u0026U*A|}t~k.\r\nThe same encryption key was used in the BlueTraveller server component which stores the log files\r\nin the encrypted form:\r\nhttps://www.group-ib.com/blog/task/\r\nPage 22 of 36\n\nA fragment of code with a line written to a log file (retrieved from PTSecurity\r\n“Operation TaskMasters” 2019)\r\nThe conclusion is clear: Albaniiutas is nothing but a logic continuation of the malware\r\nbelonging to the BlueTraveller family.\r\nhttps://www.group-ib.com/blog/task/\r\nPage 23 of 36\n\nAnd then it dawned on us…\r\nWe thought that we had analyzed everything and that we were done with comparisons, when\r\nsuddenly a sample was uploaded to VirusTotal. We identified it as Webdav-O.\r\nName y_dll.dll\r\nSHA1 3ff73686244ca128103e86d8c5aa024e37e7b86d\r\nCompilation timestamp 2018-12-06 11:15:35\r\nFirst Submission 2021-06-05 04:41:00\r\nDll Name y_dll.dll\r\nExport function ServiceMain\r\nThe file “y_dll.dll” is an x64 dynamic link library (DLL) that functions as a service in the system.\r\nAs can be seen, this version of Webdav-O was written for a system with a different bitness and\r\ncompiled later than our sample of Webdav-O x86 (2018-12 and 2018-07, respectively).\r\nThe legitimate cloud service Yandex.Disk (webdav.yandex.ru:443) is also used as a network\r\ninfrastructure, in particular C2. 
Network interaction with the cloud is carried out via a Webdav\r\nprotocol.\r\nHowever, this sample supports two authentication methods instead of one in Webdav-O x86: Basic\r\n(with a username and password) and OAuth (using a token).\r\nThe strings and configuration data are encrypted using the RC4 algorithm with the following key: {\r\nC3 02 03 04 05 DD EE 08 09 10 11 12 1F D2 15 16 }. The key size is 16 bytes. The analyzed file can\r\nwork with 1-7 accounts (it works with only one in this case).\r\nThis sample seemed even more similar to the one described in the SOLAR JSOC and NCIRCC\r\nreport: unlike our sample, it has the “-sleepuntil” function.\r\nUnfortunately colleagues at SOLAR JSOC and NCIRCC did not provide any indicators of\r\ncompromise, so we can only make comparisons based on screenshots and descriptions of the\r\nhttps://www.group-ib.com/blog/task/\r\nPage 24 of 36\n\ncapabilities of their sample.\r\nThe parts of code presented above show that both versions look identical. Group-IB experts also\r\nnoticed that in Webdav-O x64, the commands and their results are transferred by uploading various\r\nfiles to Yandex.Disk:\r\nDescription of files created by Webdav-O from the report:\r\ntest2.txt, test3.txt. are files used to check the connection\r\ntest4.txt contains information about the interval (minutes) between command requests to the\r\nserver\r\ntest5.txt contains the launch date for the malware\r\ntest7.txt is uploaded to the server and contains a 16-byte RC4 key that is used to encrypt\r\ncommands and their results (the\r\nkey is also encrypted with a public RSA key)\r\ntest is a directory containing files that are downloaded, decrypted, and processed as\r\ncommands. 
Malware receives the file list via the PROPFIND request and by parsing the\r\nnecessary tags: \u003cd:href\u003ecomplete path to file\u003c/d:href\u003e.\r\nWebdav-O sample from the report\r\nWebdav-O sample from the report\r\nDescription of the files created by Webdav-O x64:\r\nFile/Directory Description\r\ntest2.txt,\r\ntest3.txt\r\nUsed to verify the connection. Example of “test2.txt” content: “Just A Test!”\r\ntest4.txt\r\nContains the waiting interval (in minutes) between command requests. Example of\r\n“test4.txt” content: 15\r\ntest5.txt\r\nContains the date and time until which the malware will be in sleep mode. Format:\r\n%d-%d-%d_%d:%d:%d, example of file “test5.txt” content: 2021-03-02_14:30:00\r\ntest6.txt\r\nContains an OAuth token. The content is encrypted using the RC4 algorithm with\r\nthe following key: { 8A 4F 01 47 34 C9 75 F8 2B C8 C1 E9 D2 F3 A5 8B } (16 bytes).\r\nIt is noteworthy that this key has already been used by our Webdav-O x86 sample\r\nto encrypt strings and configuration data.\r\ntest7.txt\r\nIt is loaded onto the server and contains an RC4 session key (16 bytes), which is used\r\nto encrypt commands and their results (the key itself is encrypted with a public RSA\r\nkey). RC4 session keys are generated using the BCryptGenRandom function:\r\nThe data presented above shows that this part is also identical except for the description of\r\ntest6.txt, which is not presented in the SOLAR JSOC and NCIRCC report.\r\nBased on the comparisons above, Group-IB experts have concluded that this particular Webdav-O\r\nsample was most likely used in attacks on Russian federal executive authorities in 2020 and it is the\r\nsame Trojan as the one described in the SOLAR JSOC and NCIRCC report.\r\nTo sum up…\r\n人心齐，泰山移 [rén xīn qí, tài shān yí] Verbatim\r\ntranslation: United, people can move even Mount Taishan.\r\nDefinition: 
By working together people can accomplish\r\nanything.\r\nhttps://www.group-ib.com/blog/task/\r\nPage 27 of 36\n\nVenn diagram showing the common points between the two Trojans (Only data presented in the\r\nblog is used in the diagram)\r\nWebdav-O malware is a version of the BlueTraveller (RemShell) Trojan, which is classified as a\r\nChinese APT. Webdav-O was designed for both x86 and x64 systems.\r\nWebdav-O may have been used by the Chinese APT TaskMasters (aka BlueTraveller). Based on\r\nthe information about attacks on various federal executive authorities in 2020, presented in the\r\nSOLAR JSOC and NCIRC report, it is possible that in some cases the Chinese APT TA428 was\r\nbehind the attacks, while others could have been performed by TaskMasters.\r\nResearchers from SentinelLabs have linked Mail-O to Smanager and Tmanger (tools used by\r\nTA428). Group-IB specialists found common code parts in the malware’s exported functions\r\n“Entery” and “ServiceMain”. We can say with moderate confidence that Mail-O was developed\r\nby TA428.\r\nhttps://www.group-ib.com/blog/task/\r\nPage 28 of 36\n\nBased on research done by NTT Security, it can be said that TA428 has already used the\r\nmalware Albaniiutas. Group-IB experts have shown that the Trojan is a new version of\r\nBlueTraveller (RemShell). As such, it can be assumed that Webdav-O is also linked to TA428.\r\nIt is noteworthy that Chinese hacker groups actively exchange tools and infrastructure, but\r\nperhaps it is just the case here.\r\nThere is also strong evidence that points to one large hacker group consisting of several\r\nintelligence units of the People’s Liberation Army of China. For example, unit 61398 from\r\nShanghai is responsible for the actions of a well-known group called APT1 (aka Comment Crew),\r\nand unit 61419 from Qingdao has been linked to Tick. Each unit attacks to the fullest, according\r\nto a strict timeline and order. 
This means that one Trojan can be configured and modified by\r\nhackers from different departments with different levels of training and with various objectives.\r\nIoCs\r\nIn Yandex.Disk cloud storage\r\nOn the host\r\nEmail\r\nNetwork indicators\r\nHash\r\nYARA rule\r\nimport \"pe\"\r\nrule webdavo_rat\r\n{\r\n meta:\r\n author = \"Dmitry Kupin\"\r\n company = \"Group-IB\"\r\n family = \"webdavo.rat\"\r\n description = \"Suspected Webdav-O RAT (YaDisk)\"\r\n sample = \"7874c9ab2828bc3bf920e8cdee027e745ff059237c61b7276bbba5311147ebb6\" // x86\r\n sample = \"849e6ed87188de6dc9f2ef37e7c446806057677c6e05a367abbd649784abdf77\" // x64\r\n severity = 9\r\n date = \"2021-06-10\"\r\n strings:\r\n $rc4_key_0 = { 8A 4F 01 47 34 C9 75 F8 2B C8 C1 E9 D2 F3 A5 8B }\r\n $rc4_key_1 = { C3 02 03 04 05 DD EE 08 09 10 11 12 1F D2 15 16 }\r\n $s0 = \"y_dll.dll\" fullword ascii\r\n $s1 = \"test3.txt\" fullword ascii\r\n $s2 = \"DELETE\" fullword wide\r\n $s3 = \"PROPFIND\" fullword wide\r\n condition:\r\n (any of ($rc4_key*) or 3 of ($s*)) or\r\n (\r\n pe.imphash() == \"43021febc8494d66a8bc60d0fa953473\" or\r\n pe.imphash() == \"68320a454321f215a3b6fcd7d585626b\"\r\n )\r\n}\r\nrule albaniiutas_dropper_exe\r\n{\r\n meta:\r\n author = \"Dmitry Kupin\"\r\n company = \"Group-IB\"\r\n family = \"albaniiutas.dropper\"\r\n description = \"Suspected Albaniiutas dropper\"\r\n sample = \"2a3c8dabdee7393094d72ce26ccbce34bff924a1be801f745d184a33119eeda4\" // csrss.e\r\n sample = 
\"71750c58eee35107db1a8e4d583f3b1a918dbffbd42a6c870b100a98fd0342e0\" // csrss.e\r\n sample = \"83b619f65d49afbb76c849c3f5315dbcb4d2c7f4ddf89ac93c26977e85105f32\" // dropper\r\n sample = \"690bf6b83cecbf0ac5c5f4939a9283f194b1a8815a62531a000f3020fee2ec42\" // dropper\r\n severity = 9\r\n date = \"2021-07-06\"\r\n strings:\r\n $eventname = /[0-9A-F]{8}-[0-9A-F]{4}-4551-8F84-08E738AEC[0-9A-F]{3}/ fullword ascii w\r\n $rc4_key = { 00 4C 21 51 40 57 23 45 24 52 25 54 5E 59 26 55 2A 41 7C 7D 74 7E 6B 00 }\r\n $aes256_str_seed = { 00 65 34 65 35 32 37 36 63 30 30 30 30 31 66 66 35 00 } // e4e527\r\n $s0 = \"Release Entery Error\" fullword ascii\r\n $s1 = \"FileVJCr error\" fullword ascii\r\n $s2 = \"wchWSMhostr error\" fullword ascii\r\n $s3 = \"zlib err0r\" fullword ascii\r\n $s4 = \"De err0r\" fullword ascii\r\n $s5 = \"CreateFileW_CH error!\" fullword ascii\r\n $s6 = \"GetConfigOffset error!\" fullword ascii\r\n condition:\r\n 5 of them or\r\n (\r\n pe.imphash() == \"222e118fa8c0eafeef102e49953507b9\" or\r\n pe.imphash() == \"7210d5941678578c0a31adb5c361254d\" or\r\n pe.imphash() == \"41e9907a6c468b4118e968a01461a45b\"\r\n )\r\n}\r\nrule albaniiutas_rat_dll\r\n{\r\n meta:\r\n author = \"Dmitry Kupin\"\r\n company = \"Group-IB\"\r\n family = \"albaniiutas.rat\"\r\n description = \"Suspected Albaniiutas RAT (fileless)\"\r\n sample = \"fd43fa2e70bcc3b602363667560494229287bf4716638477889ae3f816efc705\" // dumped\r\n severity = 9\r\n date = \"2021-07-06\"\r\nhttps://www.group-ib.com/blog/task/\r\nPage 33 of 36\n\nstrings:\r\n $rc4_key = { 00 4C 21 51 40 57 23 45 24 52 25 54 5E 59 26 55 2A 41 7C 7D 74 7E 6B 00 }\r\n $aes256_str_seed = { 00 30 33 30 34 32 37 36 63 66 34 66 33 31 33 34 35 00 } // 030427\r\n $s0 = \"http://%s/%s/%s/\" fullword ascii\r\n $s1 = \"%s%04d/%s\" fullword ascii\r\n $s2 = \"GetRemoteFileData error!\" fullword ascii\r\n $s3 = \"ReadInjectFile error!\" fullword ascii\r\n $s4 = \"%02d%02d\" fullword ascii\r\n $s5 = \"ReadInject succeed!\" fullword 
ascii\r\n $s6 = \"/index.htm\" fullword ascii\r\n $s7 = \"commandstr\" fullword ascii\r\n $s8 = \"ClientX.dll\" fullword ascii\r\n $s9 = \"GetPluginObject\" fullword ascii\r\n $s10 = \"D4444 0k!\" fullword ascii\r\n $s11 = \"D5555 E00r!\" fullword ascii\r\n $s12 = \"U4444 0k!\" fullword ascii\r\n $s13 = \"U5555 E00r!\" fullword ascii\r\n condition:\r\n 5 of them\r\n}",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.group-ib.com/blog/task/"
	],
	"report_names": [
		"task"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed4c7e37-461f-40f1-ad43-6ad7e21b32bc",
			"created_at": "2022-10-25T16:07:24.303712Z",
			"updated_at": "2026-04-10T02:00:04.929134Z",
			"deleted_at": null,
			"main_name": "TaskMasters",
			"aliases": [],
			"source_name": "ETDA:TaskMasters",
			"tools": [
				"404-Input-shell web shell",
				"ASPXSpy",
				"ASPXTool",
				"AtNow",
				"DbxDump Utility",
				"HTran",
				"HUC Packet Transmit Tool",
				"Mimikatz",
				"NBTscan",
				"PortScan",
				"ProcDump",
				"PsExec",
				"PsList",
				"RemShell",
				"RemShell Downloader",
				"gsecdump",
				"jsp File browser",
				"nbtscan",
				"pwdump",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4ae78ca3-8bc8-4d67-9df1-a85df250a8a0",
			"created_at": "2024-10-08T02:00:04.469211Z",
			"updated_at": "2026-04-10T02:00:03.726781Z",
			"deleted_at": null,
			"main_name": "TaskMasters",
			"aliases": [
				"BlueTraveller"
			],
			"source_name": "MISPGALAXY:TaskMasters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006",
				"Daserf",
				"Stalker Panda",
				"Swirl Typhoon",
				"Tick"
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428",
				"Temp.Hex",
				"Vicious Panda"
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1",
			"created_at": "2023-01-06T13:46:39.042499Z",
			"updated_at": "2026-04-10T02:00:03.194713Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"BRONZE DUDLEY",
				"Colourful Panda"
			],
			"source_name": "MISPGALAXY:TA428",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434053,
	"ts_updated_at": 1775792289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f77c7bad303e45abbbc56996e27753708a3010c.pdf",
		"text": "https://archive.orkl.eu/5f77c7bad303e45abbbc56996e27753708a3010c.txt",
		"img": "https://archive.orkl.eu/5f77c7bad303e45abbbc56996e27753708a3010c.jpg"
	}
}