{
	"id": "f9c4b4b7-d13d-4dd5-b5c2-6071aab536f5",
	"created_at": "2026-04-06T00:06:54.735774Z",
	"updated_at": "2026-04-10T03:37:21.697356Z",
	"deleted_at": null,
	"sha1_hash": "61cd4a8b611dcdeb19277d2eef72ce2463cd1f3d",
	"title": "Space Pirates: analyzing the tools and connections of a new hacker group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1978181,
	"plain_text": "Space Pirates: analyzing the tools and connections of a new hacker group\r\nBy Positive Technologies\r\nPublished: 2024-08-19 · Archived: 2026-04-05 13:27:01 UTC\r\n1. Introduction\r\n2. General information\r\n3. Analysis of malware and tools\r\n1. MyKLoadClient\r\n1. Scheme 1\r\n2. Scheme 2\r\n3. Test sample\r\n4. Payload\r\n2. Zupdax\r\n1. Payload\r\n2. Connection with Redsip\r\n3. Connection with Winnti and FF-RAT\r\n4. Connections with Bronze Union and TA428\r\n3. Downloaders\r\n1. Downloader.Climax.A\r\n2. Downloader.Climax.B\r\n4. RtlShare\r\n1. Dropper rtlstat.dll\r\n2. Injector rtlmake.dll\r\n3. Payload rtlmain.dll (rtlmainx64.dll)\r\n4. Use of RtlShare\r\n5. PlugX\r\n1. Demo dropper\r\n6. BH_A006\r\n1. Stage 0. Loading DLL from the overlay\r\n2. Stage 1. DLL dropper\r\n3. Stage 2. .dat loader (SbieDll.dll / SbieMsg.dll)\r\n4. Stage 3. Shellcode .dat and DLL\r\n5. Stage 4. MemLoadLibrary\r\n6. Stage 5. Payload\r\n7. Connection with 9002 RAT\r\n7. Deed RAT\r\n4. Conclusion\r\n5. Appendices\r\n1. MITRE\r\n2. IOCs\r\n1. File indicators\r\n2. Network indicators\r\nIntroduction\r\nAt the end of 2019, Positive Technologies Expert Security Center (PT ESC) found a phishing email aimed at a Russian\r\naerospace enterprise. It contained a link to previously unknown malware. Our experts discovered the same malware in 2020\r\nwhen investigating an information security incident at a Russian government agency. During the investigation, several new\r\nmalware families using a common network infrastructure were also discovered, some of which had not previously been\r\nmentioned in open sources.\r\nIn the summer of 2021, PT ESC revealed traces of compromise of another Russian aerospace enterprise. The organization\r\nwas duly informed. As a result of the investigation, we found connections to the same network infrastructure on its\r\ncomputers. 
Further research made it possible to identify at least two more organizations in Russia, both partially state-owned, that were attacked using the same malware and network infrastructure.\r\nWe could not unambiguously link the detected malicious activity to any known hacker group, so we gave the attackers a new\r\nname—Space Pirates. The reason for the name was the P1Rat string used in the PDB paths, and the targeting of the\r\naerospace industry. This report describes the group's detected activity, the features of the malware it uses, as well as its\r\nconnection with other APT groups.\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/\r\nPage 1 of 40\n\nGeneral information\r\nWe assume that Space Pirates has Asian roots, as indicated by the active use of the Chinese language in resources, SFX\r\narchives, and paths to PDB files. In addition, the group's toolkit includes the Royal Road RTF (or 8.t) builder (common\r\namong hackers of Asian origin) and the PcShare backdoor, and almost all intersections with previously known activity are\r\nassociated with APT groups in the Asian region.\r\nThe group began its activity no later than 2017. The main targets of the criminals are espionage and theft of confidential\r\ninformation. Among the victims identified during the threat study are government agencies and IT departments, as well as\r\naerospace and power enterprises in Russia, Georgia, and Mongolia. At least five organizations were attacked in Russia, one\r\nin Georgia, and the exact number of victims in Mongolia is unknown.\r\nSome APT group attacks using malware were also targeted at Chinese financial companies, which suggests a monetary\r\nmotivation. All potential victims were notified by the respective national CERTs.\r\nAt least two attacks on Russian organizations can be considered successful. 
In the first case, the attackers gained access to at\r\nleast 20 servers on the corporate network, where they remained for about 10 months. During this time, more than 1,500\r\ninternal documents were stolen, as well as information about all employee accounts in one of the network domains. In the\r\nsecond case, the attackers managed to gain persistence in the company's network and remain there for more than a year,\r\nobtain information about the computers on the network, and install malware on at least 12 corporate nodes in three different\r\nregions.\r\nThe Space Pirates toolkit includes unique downloaders and several backdoors which we have not previously encountered\r\nand which are presumably specific to the group: MyKLoadClient, BH_A006, and Deed RAT. The criminals also have access\r\nto the Zupdax backdoor: its modern variants use a similar MyKLoadClient execution scheme; however, the code of the\r\nbackdoor itself dates back to 2010 and cannot be uniquely attributed to the group.\r\nIn addition, the attackers use well-known malware, such as PlugX, ShadowPad, Poison Ivy, a modified version of PcShare,\r\nand the public shell ReVBShell. The dog-tunnel utility is used to tunnel traffic.\r\nThe main network infrastructure of the group uses a small number of IP addresses indicated by DDNS domains.\r\nInterestingly, the attackers use not only third-level domains, but also fourth- and higher-level ones, for example,\r\nw.asd3.as.amazon-corp.wikaba.com.\r\nIn the process of investigating Space Pirates, we found a large number of intersections with previously identified activity,\r\nwhich researchers associate with the following groups: Winnti (APT41), Bronze Union (APT27), TA428, RedFoxtrot,\r\nMustang Panda, and Night Dragon. The reason for this is probably the exchange of tools between groups, which is common\r\npractice for APT groups in the Asian region.\r\nThe connection between the Space Pirates and TA428 groups should be specially noted. 
As part of another investigation, we\r\nobserved the activities of both groups on infected computers, which, however, had no intersections in the network\r\ninfrastructure. During Operation StealthyTrident, described by ESET, the attackers used Tmanger, attributed to TA428, and\r\nZupdax, associated with Space Pirates. The connection with another TA428 malware, in particular Albaniiutas (RemShell),\r\nand Zupdax can also be traced in the network infrastructure adjacent to the one mentioned in the ESET report. All this\r\nsuggests that Space Pirates and TA428 can combine their efforts and share tools, network resources, and access to infected\r\nsystems.\r\nThe key connections between the affected organizations, malware families, and fragments of the network infrastructure, as\r\nwell as public information about the attackers, can be seen in Figure 1. Later in the report, we will give more details about\r\nthem.\r\nFigure 1. Key connections\r\nAnalysis of malware and tools\r\nMyKLoadClient\r\nThis malware was used in attacks on Russian organizations, including government agencies and aerospace enterprises, often\r\nbeing distributed through targeted phishing. The email analysis shows that Chinese companies providing financial services\r\nalso became victims.\r\nAmong the malware samples with MyKLoadClient that we found, two typical implementation schemes can be\r\ndistinguished. The first (hereinafter scheme 1) is based on the use of SFX archives as droppers, implements the DLL Side-Loading technique, and uses an auxiliary launcher library AntiVirusLoader.dll. The second (hereinafter scheme 2) includes\r\nonly a custom-written dropper which transfers control to the payload directly. 
In the second case, gaining persistence in the\r\nsystem is not a feature of the code.\r\nNote that, according to the known data, there is a clear relationship between the attackers' goals and the choice of\r\nimplementation scheme: samples using scheme 1 were targeted at Russian organizations, whereas scheme 2 was used in\r\nattacks on Chinese companies. If we rely on the dates of modification and compilation of files (which, however, could be\r\nspoofed), the same division can be traced back in time: scheme 1 was presumably used in 2018–2019, and scheme 2 in\r\n2020. It is possible that the attackers updated the implementation chain of the previous malware to reduce the likelihood of\r\nits detection in new attacks.\r\nScheme 1\r\nA typical example of a sample with the first implementation scheme is a file named Петербургский международный\r\nэкономический форум (ПМЭФ)____2019.exe (Petersburg International Economic Forum (SPIEF)____2019.exe) with\r\nSHA-256 d3a50abae9ab782b293d7e06c7cd518bbcec16df867f2bdcc106dec1e75dc80b. The file is an SFX archive that\r\nextracts the decoy document 0417.doc and another SFX archive named apple.exe. The files in the archive were modified in\r\nApril 2019. The document contains a text with a true description of SPIEF.\r\nFigure 2. Contents of the decoy document 0417.doc\r\nThe second SFX archive extracts three PE files from itself: the legitimate siteadv.exe, the launcher siteadv.dll, and the\r\nlibrary with payload cc.tmp. Note that in the samples studied, the first implementation scheme does not always use a decoy.\r\nHowever, in all cases, a similar SFX archive is used, which contains files with the same names and purpose.\r\nFigure 3. Contents of the apple.exe archive\r\nThe executable EXE file is signed by McAfee, Inc. and is a component of the McAfee SiteAdvisor installer. 
At startup, it\r\nloads the siteadv.dll library, which is responsible for installing and launching the payload. The launcher resources feature a\r\nconfiguration encrypted with RC4 with key \"TDILocker\" and containing the necessary paths, registry key names, and flags.\r\nFigure 4. Siteadv.dll code fragment\r\nThe launcher provides several possible commands that are passed by way of command-line arguments and are responsible\r\nfor one of the implementation stages:\r\nCommand Description\r\nstat\r\nThe command to start the installation. Restarts the process in which the library is loaded (siteadv.exe)\r\nwith the install_del command. Additionally passes the path to the parent process.\r\ninstall_del\r\nGains persistence on the infected computer (the registry key is specified in the configuration). In this\r\ncase, the path to the siteadv.exe file is used with the run or mrun argument. Deletes the file specified by\r\nthe third argument (the path to the parent process). Launches the payload in the same way as the run\r\ncommand.\r\nrun\r\nLoads a DLL with payload via LoadLibrary and executes the function exported from it (the name is\r\nspecified in the configuration).\r\nmrun Not implemented.\r\nins Not implemented.\r\nIn addition to the exported function main, which is called by the legitimate siteadv.exe, in siteadv.dll there is an unused\r\nbuc_uninstallinterface export that is responsible for bypassing the UAC using the IARPUninstallStringLauncher component.\r\nThe launcher library has the export name AntiVirusLoader.dll. In some of its instances, you can find the PDB path:\r\nD:\\Leee\\515远程文件\\P1Rat_2017_07_28A\\src\\MyLoader_bypassKIS\\snake\\res\\SiteAdv.pdb.\r\nThe cc.tmp payload is a backdoor implemented as a dynamic library with the internal name client.dll. It exports the\r\nMyKLoad function, which is the actual entry point. 
We will consider the functionality of the backdoor below.\r\nScheme 2\r\nThe executable file responsible for extracting the decoy and payload acts as a dropper in the second scheme. The binary data\r\nis located in the body of the dropper and is XOR-encrypted with a single-byte key. In addition to the standard launch of the\r\nextracted payload via the CreateProcess call, the dropper also performs reflective loading and execution of the EXE file\r\ndirectly in the current process.\r\nFigure 5. Fragment of the dropper code\r\nIn some cases, the dropper functions are additionally obfuscated using the control flow flattening technique.\r\nFigure 6. Obfuscated version of the dropper\r\nAs a decoy, the investigated samples use a PDF document containing a message about a \"corrupt file\" in the Chinese\r\nlanguage, or an application stub that displays the message \"正在更新浏览器插件，请稍后…\" (The browser plugin is\r\nupdating, please wait ...) and \"更新完毕，请重启浏览器！\" (The update is completed, restart the browser!).\r\nFigure 7. PDF decoy with the text \"Corrupt or incompatible file\"\r\nThe payload in this case is an executable file with the internal name client.exe. Some samples also have the PDB path\r\nC:\\Users\\classone\\Desktop\\src\\client\\exe_debug\\client.pdb.\r\nTest sample\r\nWe also managed to find a test version of the malware created no later than in 2018:\r\nb1d6ba4d995061a0011cb03cd821aaa79f0a45ba2647885171d473ca1a38c098. This application is a dropper.\r\nInterestingly, it seems to have been created based on the Snake game. 
This is indicated by several details:\r\nWhen launched, the application creates a window using the string \"Snake\" as its name.\r\nThere is code presumably responsible for the game logic—in particular, for generating random coordinates of pieces\r\nof food on the 50×50 field and comparing them with the position of the snake.\r\nThe application handles presses of the spacebar and cursor keys.\r\nThe application features a menu with items in Chinese: Start, Pause, Restart, and Quit.\r\nFigure 8. Application menu\r\nIn addition, among the dropper resources there is also an \"About the program\" window (in Chinese), the content of which\r\nindicates that this is the second version of the Snake game, which was created in 2016. The email address of the probable\r\nauthor is also given: mexbochen@foxmail.com.\r\nFigure 9. \"About the program\" window\r\nA Google search for the address throws up the profile of the email owner—a programmer from China who specializes in\r\nimage processing.\r\nFigure 10. Business card website with the contact address mexbochen@foxmail.com\r\nDespite the connection between the application and the owner of the email, it is impossible to say unequivocally that he is\r\nthe author of the malware. It is possible that Snake was once an open-source project, and the attackers used it as a basis for\r\nimplementing the dropper.\r\nThe files extracted by the dropper are contained in its resources in cleartext. Also in the resources is an encrypted\r\nconfiguration that contains the file names—exactly the same configuration is used in the launcher. When files are written to\r\ndisk, their contents are XOR-encrypted with the 0x80 key, and then the files are reopened and decrypted. 
The dropper\r\ncontains the same set of components as SFX archives (scheme 1): a legitimate McAfee SiteAdvisor component, a DLL\r\nlauncher, and a library with a payload named Client.obj.\r\nAfter extraction, the dropper generates a command line to run the launcher with the install command (for persistence in the\r\nregistry and launching the payload), but does not make further use of it. This is probably an error: there is the debug\r\nmessage \"CreateProcess success!\" in the code, but the CreateProcess function is not called.\r\nThe launcher of the test sample differs in its implementation of the mrun command: a variation of the run command\r\nresponsible for launching the function exported from the DLL with payload. Unlike run, mrun predecrypts the library using\r\nthe RC4 algorithm with key \"GoogleMailData\" and uses reflective loading for its execution.\r\nThe payload of Client.obj is similar to cc.tmp (scheme 1) and has only minor differences. In particular, the entry point\r\nfunction exported by the library is called \"main\", which, when run, displays a message box with the text \"just a demo for\r\ntest!!!\" In addition, the backdoor configuration is not encrypted and contains the test C2 127.0.0.1.\r\nPayload\r\nOptions for implementing the backdoor in the form of the executable file client.exe and the library client.dll have the same\r\nfunctionality. However, they differ in how they initialize the structure with configuration parameters, which include the\r\naddress and port of the C2, the backdoor activity flag, as well as the string IDs of the malware sent to the C2.\r\nIn the client.dll library, just like in the launcher (scheme 1), there is a configuration encrypted with RC4 key\r\n\"GoogleMailData\" in the payload resources. 
In the EXE version, the structure is filled with values fixed in the code.\r\nThe following table lists the backdoor samples we found and the data specified in their configuration, namely the IDs and\r\nthe control server. The \"?\" sign means that the string is a random set of bytes.\r\nSHA-256 of the payload Scheme ID1 ID2 ID3 C2\r\n5847c8b8f54c60db939b045d385aba0795880d92b00d28447d7d9293693f622b 1 pwd\r\nmy\r\nvps\r\ngroup 127.0.0.1\r\n56b9648fd3ffd1bf3cb030cb64c1d983fcd1ee047bb6bd97f32edbe692fa8570 1 pwd\r\nmy\r\nvps\r\n? 207.148.121.88\r\nd0fb0a0379248cdada356da83cd2ee364e0e58f4ed272d3369fe1d6ca8029679 1 pwd\r\nmy\r\nvps\r\n? 207.148.121.88\r\n7b7a65c314125692524d588553da7f6ab3179ceb639f677ed1cefe3f1d03f36e 1 pwd\r\nmy\r\nvps\r\n? 207.148.121.88\r\n3ccae178d691fc95f6c52264242a39daf4c44813d835eaa051e7558b191d19ee 1 pwd\r\nmy\r\nvps\r\n? 207.148.121.88\r\n69863ba336156f4e559364b63a39f16e08ac3a6e3a0fa4ce11486ea16827f772 1 pwd\r\nmy\r\nvps\r\n? micro.dns04.com\r\n949cb5d03a7952ce24b15d6fccd44f9ed461513209ad74e6b1efae01879395b1 1 pwd\r\nmy\r\nvps\r\n? microft.dynssl.com\r\nfa3ecd74b9f329a96b5739bba7b1872ef1ab84bb95f89101a69b6b6e780e2063 - pwd memo group 47.108.89.169\r\n84eb2efa324eba0c2e06c3b84395e9f5e3f28a3c9b86edd1f813807ba39d9acb 2 pwd memo group 47.108.89.169\r\nb822a4ec46aacb3bb4c22fe5d9298210bfa442118ee05a1532c324a5f847a9e6 2 gundan memo group 120.78.127.189\r\n944a3c8293ff068d803f8537b15e6adbad7fa1e789f3dc404ba603a8cb7c22aa 2 gundan memo group 121.89.210.144\r\nThe connection to the control server is established over TCP, and the traffic is not encrypted. 
The messages have a header of\r\nthe following structure:\r\nstruct PacketHeader{\r\n _DWORD Version; // 0x20170510\r\n _DWORD CommandId;\r\n _DWORD PayloadSize;\r\n _DWORD LastError;\r\n};\r\nThe 0x20170510 constant is always used as the version, probably denoting some date.\r\nThe malware has several classes/modules responsible for the corresponding functionality:\r\nShellManager: remote command line\r\nDiskManager: working with disks installed on the infected computer\r\nFileTransferManager: file transfer\r\nRS5Manager: using the infected computer as a proxy server\r\nIn the ID of each command, there is a module identifier, which is obtained by applying the 0xFF000 mask. Here is a full list\r\nof supported commands:\r\nModule ID Full ID Description\r\n0 1 Collect information about the infected system\r\n0 3 Terminate malware execution\r\n0x2000 (ShellManager) 0x2002 Start the cmd.exe process and create a thread for sending its output to C2\r\n0x2003 Send a command to the shell\r\n0x2004 Close the shell\r\n0x3000 (DiskManager) 0x3000 Get a list of disks available in the system and information about them\r\n0x3001 Get directory listing\r\n0x4000 (FileTransferManager) 0x4001 Initialize file transfer from the infected computer to C2 (opens the file for reading)\r\n0x4008 Read a block of data from a previously opened file\r\n0x4004 Initialize file transfer from C2 to the infected computer (opens the file for writing)\r\n0x4005 Write a block of data to a previously opened file\r\n0x4006 Complete the file transfer to the infected computer and set the timestamps\r\n0x4009 Close open file descriptors and reset internal fields\r\n0x4010 Get a recursive directory listing\r\n0x5000 (RS5Manager) 0x5000 Perform initialization, create threads for receiving packets from a remote node and sending them to C2\r\n0x5001 
Create a socket and connect to a remote node\r\n0x5003 Send data to the connected socket\r\n0x5004 Close the connected socket\r\nIn the process of collecting information about the system, the backdoor creates a globally unique identifier (GUID) and\r\nwrites it to the registry in one of the HKLM or HKCU hives using the Software\\CLASSES\\KmpiPlayer key. If the key is\r\nalready in the registry, then the existing ID is used.\r\nZupdax\r\nThe first public mention of this malware can be found in the Unit 42 report on HenBox, a malicious application for Android.\r\nIn the HenBox network infrastructure, researchers found traces of the use of malware of the PlugX, Zupdax, 9002 RAT, and\r\nPoison Ivy families. In 2019, Unit 42 combined three years of observed activity related to the above-mentioned set of\r\nmalware, naming the group (or groups) behind it PKPLUG.\r\nIn 2020, ESET discovered traces of an attack on the Able Soft LLC supply chain. One of the attack options was to\r\ncompromise the Able Desktop installer by adding malicious code to it. The researchers cite the HyperBro and Korplug\r\n(PlugX) backdoors as the payload built into the installers.\r\nAccording to available data, we can say that the payload designated by ESET as Korplug is in fact a Zupdax backdoor. This\r\nopinion is shared by NortonLifeLock and Avira analysts, who published a report in the fall of 2021 describing the main\r\nfeatures of Zupdax.\r\nZupdax has been operating since 2014 at least. Our study focused on 2017–2019 samples, but some details can only be\r\ntraced in earlier versions (2014–2015). We will be referring to them as \"old\".\r\nThe latest versions of Zupdax use the same loading scheme as in the MyKLoadClient test sample. 
Although there is no\r\nSnake game code in them, the main functionality of the dropper is implemented in a similar way: in its resources are the\r\nlegitimate siteadv.exe, a launcher library, a payload, and an XOR-encrypted configuration with file names and flags. The\r\nlauncher uses exactly the same configuration.\r\nUnlike MyKLoadClient, in almost all samples with Zupdax, the payload (which is extracted under the name ok.obj) is\r\nencrypted and launched using the mrun method. Among the launcher samples that are used in conjunction with Zupdax, you\r\ncan find more functional options that support UAC bypass (in particular, using the buc_uninstallinterface export) and\r\npersistence as a service.\r\nIn the dropper and launcher samples are the corresponding PDB paths:\r\nd:\\Leee\\515远程文件\\P1Rat_2017_07_28A\\src\\MyLoaderBypassNorton\\Release\\loaderexe.pdb and\r\nd:\\Leee\\515远程文件\\P1Rat_2017_07_28A\\src\\MyLoader_bypassKIS\\snake\\res\\SiteAdv.pdb.\r\nMalware variants related to the attack on Able Desktop users also contain a PDB with a similar string,\r\nMyLoader_bypassKIS:\r\nc:\\Users\\PC-2015\\Desktop\\Badger\\En-v2\\免杀\\MyLoader_bypassKIS\\bin\\loaderdll.pdb.\r\nInterestingly, there is at least one sample (a95dfb8a8d03e9bcb50451068773cc1f1dd4b022bb39dce3679f1b3ce70aa4f9) that\r\nis completely identical to the test version of MyKLoadClient and contains exactly the same \"About the program\" window.\r\nThe payload in it is a Zupdax backdoor.\r\nPayload\r\nFor network interaction with C2, the backdoor uses the UDT protocol, which implements data transfer over UDP. The\r\nmessages have a header with a structure similar to that used in MyKLoadClient. 
The only difference is the value of the first\r\nfield equal to 0x12345678:\r\nstruct PacketHeader{\r\n _DWORD Magic; // 0x12345678\r\n _DWORD CommandId;\r\n _DWORD PayloadSize;\r\n _DWORD Unknown; // 0\r\n};\r\nImmediately after establishing a connection with C2, the backdoor collects and sends information about the system,\r\nincluding the computer name, user name, OS version, information about disk volume, RAM, and CPU, as well as the IP and\r\nMAC addresses of the network adapter. The collected information is sent with the 0x1 command ID.\r\nThe set of commands that the backdoor can handle does not change significantly from version to version: its main features\r\nare reduced to the execution of additional code that it can get from the control server. Older versions of Zupdax contain\r\ndebug messages that allow you to see the original names of operations:\r\nID Name Description\r\n0x0 CMD_END\r\nShut down the backdoor or restart it (depending on the\r\nversion)\r\n0x17 CMD_SET_REM\r\nWrite a new control server to the file (transmitted in the\r\nmessage)\r\n0x19 CMD_UNINSTALL_HOST Perform self-removal from the system\r\n0x28 CMD_TRANSMISSION_PLUGIN\r\nGet the plugin name from C2 and run it (the plugin can be a\r\nshellcode or an EXE file) If the necessary plugin is not\r\navailable on the disk, first get it from C2. (Present only in\r\nold versions)\r\n0x29 CMD_PLUGIN_TRANSMISSION_EXECUTE\r\nGet the plugin ID from C2 and launch its entry point (the\r\nplugins are stored in memory). If the plugin is not in\r\nmemory, first get the PE file from the control server and\r\nreflectively load the exported function from it. (In old\r\nversions, it is the same as\r\nCMD_TRANSMISSION_PLUGIN)\r\n0x38 CMD_UPDATE\r\nDownload the EXE file from the specified link, save it to\r\ndisk, and execute it.\r\n0x68\r\nRun the executable file at a fixed path under the name of\r\nthe current user. The path is equal to\r\nC:\\ProgramData\\AdobeBak\\avanti.exe. 
(Present only in the\r\nlatest versions)\r\n0x77 CMD_ADD_STARTUP See CMD_TRANSMISSION_PLUGIN\r\nOld Zupdax samples also have paths to PDB files:\r\nh:\\E\\项目问题\\UDPUDP-英文\\bin\\server.pdb\r\nd:\\磁盘\\E\\项目问题\\版本\\UDPUDP-英文\\bin\\server.pdb\r\nIt follows from them that the original name of the project can be translated as \"UDPUDP-English.\"\r\nConnection with Redsip\r\nIn 2011, McAfee described a series of attacks on energy companies that was named Night Dragon. Among the malware used\r\nby the attackers was a Redsip backdoor (e3165c2691dc27ddaeb21e007f2bf5aeb14ef3e12ec007938e104d6aed512f39).\r\nApparently, Zupdax is a redesigned version of Redsip. In particular, the two backdoors have an identical structure of network\r\nmessages (including the magic constant 0x12345678), matching command names and identifiers (CMD_SET_REM and\r\nCMD_UNINSTALL_HOST), and similar debug messages. In both cases, the payload is implemented through external\r\nplugins.\r\nFigure 11. Fragment of the Redsip code (2010 sample)\r\nFigure 12. Zupdax code fragment (2015 sample)\r\nNote that in 2018 Redsip was used in an attack on a Russian organization associated with the aerospace industry. The\r\nattackers used a leaked corporate document as a decoy. We could not find a direct connection between this attack and the\r\nactivities of Space Pirates.\r\nFigure 13. Internal document used as a decoy\r\nConnection with Winnti and FF-RAT\r\nSome Zupdax samples have valid digital signatures. In particular, sample\r\n24b749191d64ed793cb9e540e8d4b1808d6c37c5712e737674417573778f665b (upinstall.bat) is signed with a YD Online\r\nCorp. 
certificate, and 84b8bfe8161da581a88c0ac362318827d4c28edb057e23402523d3c93a5b3429 (Slack.exe) is signed\r\nwith an NFINITY GAMES BILISIM ANONIM SIRKET certificate.\r\nAmong the files signed with these certificates are components of the PipeMon malware, which is attributed to the Winnti\r\ngroup. Studying the network infrastructure of the second sample, we also noted the presence of indirect connections with the\r\nold Winnti infrastructure, but they require additional confirmation.\r\nHowever, in the case of Slack.exe, we can state the presence of reliable infrastructure connections with the FF-RAT\r\nbackdoor, which was described by BlackBerry in 2017. So, both the Zupdax sample and the FF-RAT samples use\r\nplaydr2.com and gamepoer7.com subdomains as C2.\r\nConnections with Bronze Union and TA428\r\nESET's previously mentioned report Operation StealthyTrident: corporate software under attack on the compromise of Able\r\nDesktop notes the presence of HyperBro and Zupdax backdoors (Korplug according to ESET), as well as Tmanger and\r\nShadowPad as part of a single cybercriminal operation. The researchers give several possible explanations for this\r\nconnection. We were able to identify several additional facts that give more information about the connections between the\r\nBronze Union (LuckyMouse, APT27) and TA428 groups and Zupdax malware.\r\nCode intersections\r\nThe Zupdax sample from the ESET report contains a dropper that is standard for this malware (data1.dat,\r\n2486734ebe5a7fa6278ce6358d995d4546eb28917f8f50b01d8fdd7a1f9627a4), extracting the payload from resources. Of\r\ninterest is the scheme by which it gains control: it side-loads the pcalocalresloader.dll library, which contains a shellcode that\r\ndecrypts and executes another shellcode from the thumb.db file. 
The second shellcode contains a DLL library compressed\r\nusing the LZNT1 algorithm, which it reflectively loads into memory.\r\nFigure 14. Fragment of the ESET report\r\nBoth shellcodes use an atypical hashing algorithm for the names of imported libraries and functions (see Figure 15). For\r\nexample, kernel32.dll has the hash 0xD4E88, and ntdll.dll 0x1B708. However, a search for similar samples showed that\r\nsimilar shellcodes can be found in various malware families—for example, in SmokeLoader or in exploits for InPage. It is\r\nlikely that a builder available to various hacker groups was used to create the shellcodes.\r\nFigure 15. Hash function in auxiliary shellcodes\r\nHowever, the whole scheme, including the legitimate component IntgStat.exe, pcalocalresloader.dll library, and the\r\nencrypted file thumb.db, was used in this form only to download the HyperBro backdoor, as described by Kaspersky. The\r\nonly difference is that in the case of Able Desktop, shikata_ga_nai obfuscation was not applied.\r\nAn auxiliary DLL located in thumb.db handles the simultaneous launch of the dropper (data1.dat) and the legitimate Able\r\nDesktop installer. It is distinguished by the presence of a large number of unused strings in the data section. Some of them\r\nare specific only to samples of the HyperBro backdoor:\r\nElevation:Administrator!new:{FCC74B77-EC3E-4dd8-A80B-008A702075A9}\r\nSOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\test\r\nsystem-%d\r\nCreateProcessAsUser error %d\r\n\\\\..\\\\config.ini\r\nWin2008(R2)\r\nWin2012(R2)\r\nAs follows from the ESET report and our research, the criminals behind the attack on Able Desktop users have access to\r\nboth HyperBro and Zupdax. 
However, most of the code features are specific to the HyperBro backdoor, which, in turn, is attributed to the Bronze Union group.
Network intersections
Figure 16. Fragment of the Zupdax network infrastructure
One of the Zupdax samples (ffe19202300785f7e745957b48ecc1c108157a6edef6755667a9e7bebcbf750b) uses flashplayeractivex.info subdomains, such as update.flashplayeractivex.info and news.flashplayeractivex.info, as C2. For some time in August 2020, these domains resolved to the IP address 209.250.239.96. At the same time, the go.vegispaceshop.org domain was hosted at the same IP address.
The latter domain, along with the IP address, can be found in the NTT Security report on the Albaniiutas malware from the TA428 toolkit. As the detailed analysis of Albaniiutas samples by our colleagues from Group-IB shows, this malware is a new version of the RemShell backdoor (BlueTraveller) previously identified by PT ESC.
Another domain appearing at the IP address 209.250.239.96 at the same time is nameserver.datacertsecure.info. The datacertsecure.info and check.datacertsecure.info domains, which are obviously associated with it, resolved to the IP address 139.180.208.225 from June to July 2020. During the same period, this node was identified as a HyperBro backdoor control server and was mentioned by ESET in Operation StealthyTrident.
These connections also tie together the attackers' targets: the compromised Able Desktop installers, as well as the above-mentioned samples of Albaniiutas and HyperBro, were used in attacks on organizations in Mongolia.
Downloaders
In the Space Pirates network infrastructure, we found two types of downloaders containing decoys with Russian text. One of them was also found in the network of our client, who was attacked by the criminals.
Figure 17. Example of a decoy document
Downloader.Climax.A
The first downloader is distinguished by its use of parts of the source code of the Rovnix bootkit (Kaspersky described this downloader in detail). Note that, according to our data, the network indicators listed in that report, in particular the bamo.ocry.com domain, as well as the IP addresses 45.77.244.191 and 45.76.145.22, are part of the Space Pirates network infrastructure.
We have no information about what malware was delivered by this downloader. However, researchers from Kaspersky managed to identify likely samples based on the similarity of PDB paths and identical control servers.
Figure 18. Fragment of the Kaspersky report
In the screenshots of the payload presented in the report, you can notice a specific technique for storing strings: they are all in one data block and indexed by numbers with the prefix "PS_". This technique is found in the code of the publicly available PcShare backdoor. The sets of strings highlighted by the researchers correspond exactly to those that can be found in the open backdoor code. A similar correspondence can be made between the commands supported by the malware. As a result, we can confidently say that this payload is based on the PcShare code.
Figure 19. Fragment of a file of strings from the PcShare code
Next, we will consider a modified version of PcShare, which we called RtlShare. Note that during the investigation for our client, we found an RtlShare sample connecting to the C2 202.182.98.74. The same C2 is also used by the Downloader.Climax.A sample with SHA-256 e9c94ed7265c04eac25bbcdb520e65fcfa31a3290b908c2c2273c29120d0617b.
Given the above, we can assume that the payload delivered by the downloader is none other than RtlShare.
Downloader.Climax.B
Another type of downloader can use vulnerabilities in Microsoft Equation Editor for its execution. In particular, this vulnerability is exploited by a document named "Mayor of Seoul.rtf" (7079d8c92cc668f903f3a60ec04dbb2508f23840ef3c57efffb9f906d3bc05ff), created using the notorious Royal Road RTF (8.t) builder, widely used by Asian APT groups.
The code of this downloader is completely different from Downloader.Climax.A, but it does have some similar features. In particular, both downloaders use TCP to connect to C2, and in both cases the received payload is decompressed using the LZW algorithm.
Downloader.Climax.B gains persistence in the system via the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GetUserConfig. Its task is to get the files named INFOP11.EXE and OINFO11.OCX from the control server and execute the EXE file. Each of the files has its own numeric identifier, which is sent to C2.
Figure 20. Fragment of the downloader code
After download, the following configuration parameters stored in the downloader itself are written into the body of the received OCX file: the host and port of the control server, the waiting time between calls to C2, the TodaySend string, as well as the generated GUID.
RtlShare
The payload of the RtlShare malware is based on the publicly available PcShare backdoor code. The malware has a specific execution chain, the code of which is not available in open sources.
It involves three DLLs, each with its own export name. We will be using these names to refer to the corresponding libraries.
Let's consider RtlShare using the example of 8ac2165dc395d1e76c3d2fbd4bec429a98e3b2ec131e7951d28a10e9ca8bbc46.
Interestingly, the attackers used the hacked website of the Petrozavodsk mathematical conference PICCAnA (piccana.karelia.ru) to deliver it; the site is currently unavailable (web archive). As a control server, it uses the private IP address 192.168.193.165.
During incident investigation for our client, we encountered almost identical samples using the control servers 45.76.145.22, 141.164.35.87, and 202.182.98.74.
Dropper rtlstat.dll
The rtlstat.dll library acts as the initial stage of infection, exporting a single function named emBedding. Its task is to extract and run the next-stage library with the internal name rtlmake.dll.
To do this, the OS bitness is first checked and the corresponding data block is selected, after which it is XOR-decrypted with a key in the form of one of the strings 4af233f4740c2fde7fc95ed3a834d7b1 (x64) or 3ad6faf2d7b714137de31efef137775b (x86). Then the decrypted data is decompressed using the LZ4 algorithm.
Figure 21. Extracting the required version of rtlmake.dll
A data block containing the configuration is copied into the body of the extracted library (it is still encrypted at this stage). The magic number 0xAADDEE99 is used as a marker indicating the place where the configuration will be copied.
To bypass detection based on hash sums, the attackers add a random number of random bytes to the end of the library, while updating the Checksum field in the PE header of the file.
This way, a new file is extracted at each new launch.
Then the dropper checks whether it is running under the SYSTEM user by searching for the config substring in the path to the LocalAppData folder. If the substring is present, the library is restarted under the current user via rundll32.exe.
Otherwise, the resulting library is saved to the file %LOCALAPPDATA%\Microsoft\Windows\WER\Security\wuaueng.hlk, and the path to it is written to the registry using the key HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32. This key is responsible for the MruPidlList COM object used in the shell32.dll library, which, in turn, is loaded by the explorer.exe process; this is a well-known technique for malware persistence in the system.
At the end of its operation, the dropper executes the extracted DLL using regsvr32.exe and self-removes via a BAT file.
Injector rtlmake.dll
Versions of rtlmake.dll with different bitness have the same functionality, which is confined to extracting the next-stage DLL and embedding its code into the rdpclip.exe process (or into the current process).
At the beginning of its operation, the injector makes sure that it is running in one instance: mutexes are most often used for this purpose, but in this case named file mappings are applied. During the operation of rtlmake.dll, a mapping with the name 55fc3f9a654c500932 is created, while the mapping 7f8b6a2440e5c9e5b6 handles the payload.
Then, using a function similar to the one in the previous step, the DLL with the payload, together with the configuration, is decrypted and decompressed (recall that the configuration was previously copied into rtlmake.dll).
The configuration encryption key is the string 2ae06f136eb6588508eefd4b5f6c98d8345f1104746d15141, and the payload encryption key is 1192f6c4b018c8e0f51d31d6dde22ff3.
Figure 22. RtlShare backdoor configuration
Next, the process into which the payload will be injected is selected. If the current process is explorer.exe (which is the case if the library was loaded as a COM component), then the target process will be rdpclip.exe. If rdpclip.exe failed to start, or if the DLL was loaded into another process, the current process becomes the target.
The decrypted configuration is written to the memory of the selected process, after which the injector generates a command line of the form /v /c:0x12345678, which contains the address of the configuration in the address space of that process. The resulting string and the payload are also written to the process memory.
Figure 23. Generating the command line in rtlmake.dll
To start execution of the payload, the injector determines the offset in the PE file at which the exported Putklm function is located, and then transfers control to it with a CreateRemoteThread call. The command-line address is passed to it as the argument. Note that there is no reflective loading up to this point: the Putklm function effectively works as a shellcode.
Payload rtlmain.dll (rtlmainx64.dll)
This DLL is fully implemented based on the code of the main PcShare backdoor module, PcMain. Here are some of its features that are typical only for the RtlShare family:
- A reflective loader is implemented inside the library, located in the Putklm function. The command-line address that it receives is passed to DllEntryPoint via the lpReserved parameter and is XOR-encrypted with the constant 0x73DE2938. Address recovery and command-line parsing occur inside the DllMain function.
- After running rtlmain.dll, all rdpclip.exe processes are terminated except for the current one.
- The backdoor string storage, in addition to LZ4 compression (which is present in the open-source code), is AES-encrypted with the key 68fa504a1aee69f71df454e554c74eaf. Similarly, the messages received (key 48d426ca6d45496e7413cf435516af06) and transmitted (key 2e5140d04c7d7da454991bae10160369) are encrypted.
- Support for connecting via a proxy server has been added.
- There is a special command that allows the attackers to overwrite the configuration inside the injector rtlmake.dll (the required offset is marked with the magic constant 0x76EE38BB).
- The getip command has been added to the code implementing the remote command shell; it is executed through the call nslookup myip.opendns.com resolver1.opendns.com.
Use of RtlShare
RtlShare samples can be found in other reports. For example, Recorded Future researchers found PcShare samples in the network infrastructure of the RedFoxtrot group, which have significant similarities with the RtlShare family. In addition, similar samples were previously detected by Bitdefender when investigating the activity of an APT group with Asian roots aimed at government institutions in Southeast Asia.
There are no connections in the network infrastructure between the above-mentioned cases, nor between these cases and the activity that we found during incident investigation for our client. This suggests that despite the absence of RtlShare code in open sources, several different APT groups of Asian origin have access to this malware.
PlugX
We also found several samples of the PlugX backdoor in our client's network.
The samples used the micro.dns04.com, microft.dynssl.com, api.microft.dynssl.com, and www.0077.x24hr.com addresses as control servers; these are part of the group's network infrastructure and directly intersect with the MyKLoadClient C2.
PlugX is widely used in the cybercriminal environment; it has several versions and multiple modifications. However, the samples identified by us have a set of features that make it possible to single them out as a separate group.
As in the usual PlugX, the main payload of the backdoor is implemented in the form of a DLL library, which is reflectively loaded into memory during malware execution. A pointer to a structure is passed to its entry point as an argument; the structure contains, in particular, the signature and the address of the encrypted configuration.
In the original PlugX, the signature is the constant 0x504C5547 (the PLUG string), but in our sample group this value was equal to 0xCF455089. The configuration size, 0x1924 bytes, is also nonstandard: we could not find a mention of such a configuration in open sources. Unlike many other variants that have the XV signature instead of MZ and PE, in our case the header of the PE file with the payload remains unchanged.
The inlining technique is actively used in the backdoor, in particular for API calls and string encryption.
Figure 24. API function calls in PlugX
To search for API functions, the backdoor uses CRC32 hashes of their names. The obtained pointers are cached, while the code fragments responsible for this operation are embedded in every place where access to WinAPI is required.
Figure 25. String encryption in PlugX
Almost all the strings in the backdoor are stack-based; most of them are encrypted using the ADD-XOR-SUB method.
The decryption code is copied to all places where encrypted strings are used.
The malware uses a standard set of plugins known from early versions. The original PlugX, during their initialization, uses a parameter that looks like a date. For instance, the Disk plugin has the 0x20120325 parameter. In our case, for all plugins, the 2012 combination has been changed to 8102 (which may mean 2018): the same Disk plugin uses the 0x81020325 value.
The entire backdoor also has a numeric value indicating the version: it is transmitted to C2 along with information about the infected system and is equal to 0x20161127. The same version can be found in BackDoor.PlugX.38 from the Dr.Web report on attacks on state institutions in Kazakhstan and Kyrgyzstan. However, other unique values from the Space Pirates variant, such as the signature and configuration size, are missing in BackDoor.PlugX.38. Both variants seem to be based on the same version of the PlugX base code, but the modifications in each of these cases are different.
We found more precise intersections in other reports. Among the PlugX instances used in the attacks on the Vatican in 2019–2020 are several samples similar to those used by the Space Pirates group. In addition, the same backdoor modifications are found in samples associated with the activity of the RedFoxtrot group. However, we failed to detect connections in the network infrastructure, which again suggests the exchange of tools between groups. Given the other intersections between the malware used in the attacks (Zupdax and RtlShare), we can also assume that all this activity belongs to one or more jointly operating groups. This, however, requires additional confirmation.
Demo dropper
Some samples of the PlugX variant we found are extracted into the system by an interesting dropper, whose executable file can be called demo.exe. It is implemented based on the MFC library.
Its job is to create a VBS script named msiexece.vbs or cosetsvc.vbs, and then execute it.
The path to the EXE dropper and the names of the files to be extracted from it are passed to the script as command-line parameters. The files are located in the demo.exe overlay and can be encrypted with a 1-byte XOR (but in all samples known to us, the key is 0). The overlay offset and the length of each of the files are written into the VBS code. The script extracts the standard PlugX components: a legitimate EXE file, a DLL for side-loading, and encrypted shellcode, after which the legitimate file is executed.
Figure 26. Writing and execution of the VBS file
BH_A006
As in other cases, we found this malware both on our client's resources and when researching the group's network infrastructure. It contains a modified Gh0st backdoor as a payload. The string BH_A006 is constantly found in PDB paths and internal names of DLL libraries associated with the backdoor, which is why it got this name.
BH_A006 has a nontrivial payload execution scheme, which can vary at the initial stages in different samples. Let's consider it using the example of one of the malicious files.
Stage 0. Loading DLL from the overlay
SHA-256: 1e725f1fe67d1a596c9677df69ef5b1b2c29903e84d7b08284f0a767aedcc097
The source sample is an executable file that uses the MFC library. It extracts the contents of the overlay, decrypts it with XOR using the 0xA0 key, and reflectively loads the resulting DLL into memory.
Stage 1. DLL dropper
SHA-256: 8bf3df654459b1b8f553ad9a0770058fd2c31262f38f2e8ba12943f813200a4d
The dropper extracts the following files:
C:\ProgramData\resmon.resmoncfg
C:\ProgramData\Sandboxie\SbieIni.dat (install32.dat)
C:\ProgramData\Sandboxie\SbieDll.dll
C:\ProgramData\Sandboxie\SandboxieBITS.exe
After that, there is a check for write permission to the system folder. For this, the dropper tries to create a file in it with the name format wmkawe_%d.data. The content is the string Stupid Japanese.
If there is no permission, and the system is 64-bit, two additional files are extracted:
C:\ProgramData\Sandboxie.dll (install64.dll)
C:\ProgramData\Sandboxie.dat (install64.dat)
The names given in parentheses are not used, but are present in the code. Apparently, they were left there from another version of the dropper.
All the files are contained in the data section in packed form; a variant of the LZMA algorithm is used for compression. This compression method is also used in further stages of the malware operation. Further in this section, unless otherwise indicated, any mention of compression refers to this algorithm.
Depending on the available permissions and the OS bitness, the dropper starts one of the chains to bypass UAC:
(x32) C:\ProgramData\Sandboxie\SandboxieBITS.exe ByPassUAC
(x64) rundll32.exe C:\ProgramData\Sandboxie\SbieMsg.dll,installsvc ByPassUAC
Or it immediately proceeds to the execution of the next stage:
C:\ProgramData\Sandboxie\SandboxieBITS.exe InsertS
In all three cases, the file %tmp%\delself.bat is created, which contains commands for self-removal.
Note that this is not the first time researchers have encountered this sample. Another variant of the MFC loader (stage 0) containing the same dropper was mentioned by ESET in the Operation NightScout report, and then studied in detail by our colleagues from VinCSS.
Stage 2. .dat loader (SbieDll.dll / SbieMsg.dll)
Regardless of the command run by the DLL dropper, execution jumps to one of the extracted DLL libraries. In the case of the 32-bit version, a legitimate component of the Sandboxie utility, which is vulnerable to DLL side-loading, is used for this.
Figure 27. Loading and running the shellcode in SbieDll.dll
The code in the 32-bit and 64-bit versions of the libraries is almost identical and reads the corresponding .dat file, decrypts its contents, and executes it. For decryption, XOR is used with the byte sequence 00, 01, 02, ... FF, 00, 01, ... Just as in the code of the previous stage, here you can see alternative paths to .dat files that are not used during operation.
Stage 3. Shellcode .dat and DLL
The shellcode is a reflective DLL loader; the library is located in its body immediately after the loading function. In this case, the library functionality differs significantly between shellcode versions with different bitness.
Stage 3.1. ByPassUAC (x64)
Stage 3.1.1. Intermediate DLL
The 64-bit version is only responsible for implementing the UAC bypass. To perform this task, it extracts another DLL from itself into memory and transfers control to it. Reflective loading is again performed using a shellcode, which is first decrypted with XOR using the 0x97 key. The shellcode is not autonomous: in addition to the buffer with the PE file, pointers to the necessary functions, such as GetProcAddress and LoadLibraryA, are passed to it.
Figure 28. Decryption and execution of the shellcode for reflective loading
Stage 3.1.2. DLL with UAC bypass implementation
The DLL contains the path to the PDB file: e:\F35-F22\昆明版本\ElephantRat\nwsapagent\Bin\ByPassUAC64.pdb.
Figure 29. Choosing a UAC bypass method
The UAC bypass method used depends on the presence in the system of the avp.exe process (a component of Kaspersky antivirus products) and on the system version. In total, three well-known methods have been implemented: using sdclt.exe, using a .NET library, and mocking trusted directories.
If the bypass is successfully implemented using any of the methods, the previously encountered command C:\ProgramData\Sandboxie\SandboxieBITS.exe InsertS is run.
Stage 3.2. ByPassUAC / InstallS (x32)
Stage 3.2.1. Intermediate DLL
The 32-bit version of the DLL, which is located in the corresponding DAT file, is obfuscated using an unknown protector.
Figure 30. The entry point in the obfuscated PE file
In the data section of this DLL, there is a compressed shellcode that is decompressed and gains control.
Stage 3.2.2. Decompression shellcode
Figure 31. Passing arguments to the function via the return address
The shellcode starts by calling the sub_20F function, which takes three arguments: a hash of the VirtualAlloc name, the size of the buffer to decompress into, and a pointer to the data. The arguments are written immediately after the call instruction, and the called function accesses them using an offset relative to the return address.
The sub_20F function gets a pointer to the VirtualAlloc function: it finds the kernelbase.dll library in the list of loaded modules (which is always assumed to be in second place on the InInitializationOrderModuleList list) and iterates over its export table using the hash to find the required function.
Then a buffer of the size specified in the arguments is allocated with RWX rights, and the compressed data is unpacked into it. In this case, compression is done with an NRV-family algorithm from the UCL library (used in the UPX packer). The data is another shellcode, to which control is transferred.
Stage 3.2.3. Relocation shellcode
The main part of the next shellcode is the contents of the data and code sections, apparently extracted from some PE file. To launch correctly, at the beginning of its operation the shellcode performs address correction (relocation). The parameters necessary for this are passed in the same way as in the previous shellcode, using the return address. The relocation is performed relative to the standard base address 0x401000. After its completion, control is transferred to the address of the entry point specified in the parameters (as an offset relative to the end of the relocation table).
Figure 32. Parameters of the relocation shellcode
Stage 3.2.4. Installer in shellcode format
The main function of the installer loads the WinAPI functions necessary for operation, after which it can perform the operation specified in the command line.
Figure 33. Code fragment of the shellcode installer
The following commands are supported:
- InsertS: create a service named Network Service. The name of the current module with the runsvc parameter is specified as the launch path. If there are no avp.exe processes in the process list, the service is launched immediately.
- Runsvc: delete all auxiliary files and folders that could have been used in the UAC bypass, decompress the next-stage shellcode, create an svchost.exe process, and inject the decompressed shellcode into it. Interestingly, in the code for impersonation and starting the svchost.exe process, a special check has been implemented only for the Russian language, which indicates an orientation toward Russian-language OS versions.
Figure 34. Special processing for the Russian-language version of the system
In addition, a separate thread is created that checks for the Global\MYKERNELDLLMAPPING06 mapping every 50 seconds. If it is absent from the system, the creation of svchost.exe and the shellcode injection are repeated.
- ByPassUAC: works exactly like the 64-bit version (stage 3.1.1): it decompresses the DLL with the implementation of the UAC bypass methods and transfers control to it.
- Memload: there is a MemLoadServer debug message in the code. Decompresses the next-stage shellcode and runs it directly in the current process.
Stage 4. MemLoadLibrary
The fourth stage has a previously encountered format: the decompression shellcode extracts the relocation shellcode, which in turn executes the main code (obtained from a PE file). The main code in this case is small and is responsible for decompressing the DLL and reflectively loading it into memory. The reflective loader is implemented in the form of an XOR-encrypted shellcode, as in stage 3.1.1. After loading the library, control is transferred to the exported Online function.
Figure 35. Decompressing the DLL and starting the Online export
The DLL is again just an intermediate loader and runs another shellcode.
Figure 36. Online function code
The new shellcode is a decompression shellcode, and stage 4 is repeated exactly, right up to calling the Online function from the last DLL library.
Stage 5. Payload
It is a backdoor partially obfuscated with the help of a previously encountered packer (stage 3.2.1), which is based on the Gh0st trojan code.
Interestingly, the signature of network packets (Gh0st in the original) in this version is generated and checked in a special way. In a 4-byte value, only the lowest bit of each byte carries the payload; the remaining bits are random. The lower bits must satisfy a set of logical relations involving the lower bits of the magic constant 0x31230C0. Note that a similar algorithm for checking these relations using the same constant can be found in the loaders of .dat files (stage 2), but the result of its operation is not used there.
Figure 37. Generating a signature in the constructor of the CClientSocket class
The library has the export name BH_A006_SRV.dll, and in the PE file overlay you can find the corresponding PDB path: D:\005（fastapp f35 20181009）\nwsapagent\KernelTrjoan\BH_A006_SRV\BH_A006_SRV\Debug\BH_A006_SRV.pdb
We managed to find a sample of the malware (57d4c08ce9a45798cd9b0cf08c933e26ffa964101dcafb1640d1df19c223e738), which has a similar obfuscation and an identical algorithm for generating a network signature, and contains the name BH_A006_SRV.dll. This sample was uploaded to VirusTotal in 2015.
Connection with 9002 RAT
In studying the execution chain of the BH_A006 backdoor, it turned out that the technique used for converting a PE file into an autonomous compressed shellcode is not unique. Similar decompression and relocation shellcodes, as well as the procedure for loading WinAPI functions, are present in instances of the 9002 RAT malware.
For example, they can be found in the sample 52374f68d1e43f1ca6cd04e5816999ba45c4e42eb0641874be25808c9fe15005 from the Trend Micro report on attacks on South Korean companies, one of the last mentions of this malware.
Deed RAT
Another type of previously unknown malware, which we found in a single instance in our client's infrastructure, is a modular backdoor. Based on the value of the signature used in the header of its modules, we named it Deed RAT.
The Deed RAT control server ftp.microft.dynssl.com is directly connected to the infrastructure of the Space Pirates group. Another similarity can be found in one of the code features: the [xor 0xBB, sub 0x1] operations are used to encrypt the shellcode in the same way as in some of the PlugX samples.
The payload execution scheme resembles the standard method that PlugX uses: a legitimate EXE file signed by Trend Micro loads a malicious library TmDbgLog.dll, which, in turn, runs the encrypted shellcode from the file PTWD.tmp.
However, an interesting method of transferring control to the shellcode is used: at the time of loading, the library modifies the executable file so that after control returns to the EXE file, the FreeLibrary function is immediately called for the library. Having regained control at the time of unloading, the library modifies the executable file again, writing into it assembly instructions that call the shellcode; they will be executed immediately after returning from FreeLibrary.
The shellcode is the loader of the main module, which is located in compressed and encrypted form after the loading code. The module has a special structure and uses techniques borrowed from PE files.
In particular, the module has three "sections" with different access rights and a relocation table completely similar to the one used in the PE format.
The decrypted module consists of a header starting with the signature 0xDEED4554 and a main data block compressed with LZNT1, which contains the section data and a relocation table. For each of the sections, the header indicates its actual size and its size in memory, which is aligned to the 0x1000 boundary. The header structure looks as follows:
struct SectionHeader{
    _DWORD VirtualSize;
    _DWORD SizeOfRawData;
};
struct ModuleHeader{
    _DWORD Signature; // 0xDEED4554
    _DWORD ModuleId;
    _DWORD EntryPoint;
    _DWORD OriginalBase;
    _DWORD AbsoluteOffset; // 0x1000
    SectionHeader Sections[3];
    _DWORD Unknown;
};
During operation, the loader allocates the necessary memory area, copies each of the sections into it (taking into account its size in memory), and performs address correction (relocation). The first of the sections contains executable code, and RX permissions are set for its memory area; the other sections have RW permissions. After loading the sections, the module entry point specified in the header gains control.
The main backdoor module has the identifier 0x20 and is responsible for loading and managing plugins that implement various functions.
In its data section there are eight encrypted plugins that are initialized at the beginning of operation:\r\nID | Name | Description | Network commands\r\n0x30 | Startup | A plugin that implements the malware startup algorithm | (none)\r\n0x40 | Config | A plugin that handles the configuration | 0x40: transferring the configuration to C2; 0x41: receiving a new configuration from C2\r\n0xA0 | Install | A plugin responsible for persistence on the infected computer. Persistence can be achieved through the service mechanism and through the registry (the key is set by the configuration) | (none)\r\n0xB0 | Inject | A plugin that implements code injection into a given process (determined by the configuration) | (none)\r\n0x60 | Network | A plugin that manages network interaction | (none)\r\n0x70 | NetSocket | A plugin that implements various types of connectors for network interaction | (none)\r\n0x50 | Plugin | A plugin that monitors the registry for the appearance of new plugins and loads them | 0x50: collecting information about plugins; 0x51: adding a plugin to the registry and launching it; 0x52: removing the plugin from the registry and memory\r\n0x90 | NetProxy | A plugin that manages information about available proxy servers. It has a built-in sniffer for automatic detection of the proxies used by the infected computer | (none)\r\nUnlike the main module, plugins are encrypted with an algorithm based on Salsa20. Among its modifications is a custom constant for key expansion, equal to arbitraryconstat. The structure of a decrypted plugin is identical to that of the main module, and a similar algorithm is used to load it.\r\nEach plugin implements five service operations at its entry point:\r\n1. Initialization.\r\n2. Obtaining the numeric ID of the plugin.\r\n3. Obtaining the plugin name.\r\n4. 
Obtaining a pointer to the structure with the plugin's API functions.\r\n5. Resource deallocation.\r\nFigure 38. Entry point of the Config plugin\r\nThe useful functionality of a plugin is exposed through the structure with its API functions. Among them there may be a dispatcher function responsible for processing the network commands that the plugin supports. The main module also has an API that provides access to other plugins and implements auxiliary functions, such as encryption and access to the registry.\r\nOne interesting feature of the backdoor is the pseudorandom generation of various kinds of strings—registry keys, names of mutexes and pipes, and command-line arguments. A string of the required length is derived from a seed, which is generated from the numeric identifier of the string and the serial number of the system volume. As a result, each infected computer uses its own unique set of string constants.\r\nFigure 39. ID generation algorithm\r\nThe backdoor stores all the necessary data in the registry key [HKLM|HKCU]\\Software\\Microsoft\\. For each type of information it creates its own subkey, the name of which is obtained using the string generator described above. 
To get all the keys that the backdoor can use, we implemented a script in Python that accepts the serial number of the volume and reproduces the operation of the generator.\r\n \r\nimport click\r\n\r\n\r\ndef rshift(val, n):\r\n    \"\"\"Arithmetic right shift of a 32-bit value: the sign bit is propagated.\"\"\"\r\n    s = val \u0026 0x80000000\r\n    for i in range(0, n):\r\n        val \u003e\u003e= 1\r\n        val |= s\r\n    return val\r\n\r\n\r\ndef generator(volume_number, seed, length):\r\n    # the seed of the string is derived from the volume serial and the string identifier\r\n    gr_seed = (volume_number + seed + 0x1000193) \u0026 0xffffffff\r\n    r = []\r\n    for i in range(length):\r\n        r1 = (gr_seed * 0x2001) \u0026 0xffffffff\r\n        r2 = rshift(r1, 7)\r\n        r3 = r2 ^ r1\r\n        r4 = (r3 * 9) \u0026 0xffffffff\r\n        r5 = rshift(r4, 17)\r\n        r6 = r4 ^ r5\r\n        r7 = (r6 * 33) \u0026 0xffffffff\r\n        # one uppercase letter per round\r\n        r.append(((r7 \u0026 0xffff) % 26) + 0x41)\r\n        gr_seed = r7\r\n    return bytes(r).decode('utf-8')\r\n\r\n\r\n@click.command()\r\n@click.argument(\"VOLUME_NUMBER\")\r\ndef main(volume_number):\r\n    try:\r\n        serial_number = int(volume_number, 16)\r\n    except ValueError:\r\n        print(\"[~] Invalid Volume number\")\r\n        return\r\n    registry_key_1 = generator(serial_number, 0xC4DA8B2F, 6)\r\n    registry_key_2 = generator(serial_number, 0x7BD90AA1, 10)\r\n    registry_key_3 = generator(serial_number, 0xF7BBC23F, 10)\r\n    registry_key_4 = generator(serial_number, 0xDF12A5B2, 8)\r\n    registry_key_5 = generator(serial_number, 0x6EB208A4, 9)\r\n    registry_key_6 = generator(serial_number, 0xDE8765CB, 8)\r\n    registry_key_7 = generator(serial_number, 0x6D3C218A, 8)\r\n    registry_key_8 = generator(serial_number, 0x78D3BC22, 8)\r\n    registry_key_9 = generator(serial_number, 0xD53BCA90, 10)\r\n    registry_key_11 = generator(serial_number, 0x4FD82CB4, 8)\r\n    registry_key_13 = generator(serial_number, 0xDCBC5D23, 8)\r\n    registry_key_10 = generator(serial_number, 0xE2C7BA56, 15)\r\n    registry_key_12 = generator(serial_number, 0x8BD43C12, 8)\r\n    print(f\"[+] Plugin monitor registry key: [HKCU|HKLM]\\\\Software\\\\Microsoft\\\\{registry_key_1}\")\r\n    # the value name in the next line is truncated in the source\r\n    print(f\"[+] Executable path: [HKCU|HKLM]\\\\Software\\\\Microsoft\\\\{registry_key_3}; ValueName: \")\r\n    print(f\"[+] Machine ID: [HKCU|HKLM]\\\\Software\\\\Microsoft\\\\{registry_key_5}; ValueName: {registry_key_4}\")\r\n    # the value name in the next line is truncated in the source\r\n    print(f\"[+] Shellcode for injection: [HKCU|HKLM]\\\\Software\\\\Microsoft\\\\{registry_key_6}; ValueName: \")\r\n    print(f\"[+] Proxies: [HKCU|HKLM]\\\\Software\\\\Microsoft\\\\{registry_key_9}; ValueName: {registry_key_8}\")\r\n    print(f\"[+] Config : [HKCU|HKLM]\\\\Software\\\\Microsoft\\\\{registry_key_11}; ValueName: {registry_key_13}\")\r\n\r\n\r\nif __name__ == \"__main__\":\r\n    main()\r\n \r\nThe Network plugin is responsible for the algorithm of interaction with the control server. It extracts the C2 address as a URL string from the configuration and, depending on the scheme specified in it, selects one of the connectors available in the NetSocket plugin. All of them implement a common interface for uniformly receiving and transmitting network messages. Before sending, messages are compressed with the LZNT1 algorithm and encrypted with a modified Salsa20 using a random key.\r\nTo resolve the domain of the control server, the backdoor tries in turn DNS over HTTPS and the regular DNS servers specified in the configuration (public servers of Google and other providers) before falling back to the standard system mechanism. This lets the malware hide the C2 domain from network traffic inspection tools.\r\nSupported connection protocols include TCP, TLS, HTTP, HTTPS, UDP, and DNS.\r\nThe REUSEPORT option is available for TCP—specifying it leads to prebinding of the socket with which the connection to C2 is established. Binding is performed on the largest free port in the range of system (well-known) ports. 
The ports are\r\nchecked starting from 1022 in descending order. Apparently, this technique is implemented to bypass security measures and\r\ndisguise traffic as system network services.\r\nThe backdoor also provides for the possibility of obtaining a new C2 over HTTP. To do this, a web page can be used, the\r\naddress of which is specified in the configuration with the URL:// scheme. After the page loads, its body is searched for the\r\nagmsy4 and ciou0 substrings, which indicate the beginning and end of the string with the control server. This string is\r\nencoded using base16 (hex) with the abcghimnostuyz0456 alphabet and is processed similarly to the address from the\r\nconfiguration.\r\nTCP/TLS and HTTP/HTTPS connectors support connection via a proxy server, which can be obtained using the NetProxy\r\nplugin. The plugin has its own proxy storage, which is located in the registry and can be filled with values from the\r\nconfiguration, system proxies, and data from installed browsers (Chrome, Opera, and Firefox). In addition, the plugin has\r\nthe functionality of a built-in sniffer that listens to the traffic of the infected computer using a raw socket. 
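The subkeys that hold this proxy storage, the configuration, the machine ID and the injection shellcode all carry generator-derived names, so an investigator who knows a host's volume serial can hunt for them directly. The following is an added example, not the report's script: it re-implements the generator with the seeds and lengths from the script above, assumes the serial is the value GetVolumeInformation returns (what vol C: prints), and queries the registry through winreg on Windows; the names hunt, expected_subkeys, winreg_key_exists and sar32 are this example's own.

```python
"""Hunt a host for Deed RAT per-host registry subkeys.

Added example, not the report's script. The seeds and lengths come from the
report's key list; only subkeys whose purpose the report states are included.
The volume serial is assumed to be the GetVolumeInformation serial ("vol C:").
The registry lookup is injectable so the derivation can be exercised off-host.
"""
import sys

# (purpose, seed, length) for the generator-named subkeys, from the report's script
SUBKEYS = [
    ("Plugin monitor",          0xC4DA8B2F, 6),
    ("Executable path",         0xF7BBC23F, 10),
    ("Machine ID",              0x6EB208A4, 9),
    ("Shellcode for injection", 0xDE8765CB, 8),
    ("Proxies",                 0xD53BCA90, 10),
    ("Config",                  0x4FD82CB4, 8),
]
BASE_PATH = r"Software\Microsoft"   # parent key under HKLM and HKCU
MASK32 = 0xFFFFFFFF


def sar32(value: int, n: int) -> int:
    """Arithmetic (sign-propagating) right shift of a 32-bit value."""
    if value & 0x80000000:
        value -= 1 << 32
    return (value >> n) & MASK32


def generate_string(volume_serial: int, seed: int, length: int) -> str:
    """Deed RAT string generator: each round mixes the 32-bit state with
    multiply / shift / xor steps and emits one uppercase letter."""
    state = (volume_serial + seed + 0x1000193) & MASK32
    out = []
    for _ in range(length):
        r1 = (state * 0x2001) & MASK32
        r3 = sar32(r1, 7) ^ r1
        r4 = (r3 * 9) & MASK32
        r6 = sar32(r4, 17) ^ r4
        state = (r6 * 33) & MASK32
        out.append(chr(0x41 + (state & 0xFFFF) % 26))
    return "".join(out)


def expected_subkeys(volume_serial: int) -> dict:
    """Map generated subkey name -> purpose for this volume serial."""
    return {generate_string(volume_serial, seed, n): purpose for purpose, seed, n in SUBKEYS}


def winreg_key_exists(hive: str, path: str) -> bool:
    """Real lookup; only usable on Windows."""
    import winreg
    root = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive]
    try:
        winreg.CloseKey(winreg.OpenKey(root, path))
        return True
    except OSError:
        return False


def hunt(volume_serial: int, key_exists=winreg_key_exists) -> list:
    """Return (hive, path, purpose) for every expected subkey present in either hive."""
    hits = []
    for name, purpose in expected_subkeys(volume_serial).items():
        for hive in ("HKLM", "HKCU"):
            path = BASE_PATH + "\\" + name
            if key_exists(hive, path):
                hits.append((hive, path, purpose))
    return hits


if __name__ == "__main__":
    # serial as printed by 'vol C:' (without the hyphen); constructed default when absent
    serial = int(sys.argv[1], 16) if len(sys.argv) > 1 else 0x1A2B3C4D
    for name, purpose in expected_subkeys(serial).items():
        print(f"{purpose:24s} [HKLM|HKCU]\\{BASE_PATH}\\{name}")
    if sys.platform == "win32":
        for hive, path, purpose in hunt(serial):
            print(f"[!] {hive}\\{path} present ({purpose})")
```

Because every name is a deterministic function of the serial, the same derivation also works offline against an exported hive or a disk image: compute the names for the serial recorded in the boot volume and grep the export for them. A hit on the Proxies subkey is the artifact of the NetProxy storage described above; a hit on any of them is worth a closer look, since the names are otherwise meaningless uppercase strings that no legitimate software creates.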
If the sniffer\r\ndetects an attempt to connect to a proxy server (SOCKS4, SOCKS5, or HTTP) in the outgoing packet, it saves information\r\nabout it in the storage.\r\nBefore connecting to the control server, the backdoor checks the schedule: up to four entries can be specified in its\r\nconfiguration, containing the days of the week and the hours during which the connection is prohibited.\r\nAfter the connection is established, the backdoor can execute the following commands:\r\nID Description\r\n0x210 Collect information about the system\r\n0x211 Creation of a separate connection to work with plugins\r\n0x212 Self-removal\r\n0x213 Empty command (ping)\r\n0x214 Connection deactivation\r\n0x215 Update of the shellcode for the injection, which is stored in the registry\r\n0x216 Update of the main shellcode on the disk. All plugins stored in the registry are deleted\r\nIf a command is received that is not on the list above, it is assumed that it is a network command of one of the plugins. Its\r\nID is determined by applying the mask 0xFFF0 to the command ID. If the plugin is not available locally, it is preloaded from\r\nC2 and saved in the registry.\r\nOn the computer infected with Deed RAT, we were able to detect a single plugin obtained dynamically from the control\r\nserver. It is called Shell, and its ID is 0x270. Shell supports two network commands (0x270 and 0x271); each of them starts\r\nthe specified process and redirects its I/O to C2. In the first case, the interaction takes place in text mode via pipes. 
In the second case, Windows Console API operations are used, which allows attackers to fully emulate a console window on their side, taking into account information about the size of the screen buffer, cursor position, and other parameters.\r\nThe configuration of the sample we examined contained the following set of strings:\r\nString | Purpose\r\n%ALLUSERSPROFILE%\\Test\\Test.exe | Path to the legitimate executable file (installation path)\r\nTmDbgLog.dll | Library name for DLL side-loading\r\nPTWD.tmp | File name with the encrypted shellcode\r\nTest | Service name\r\nTrend Micro Platinum | Displayed service name\r\nPlatinum Watch Dog | Service description\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce | Key for persistence in the registry\r\n%windir%\\system32\\svchost.exe, %windir%\\system32\\taskeng.exe, %ProgramFiles%\\Internet Explorer\\iexplore.exe, %windir%\\system32\\WmiPrvSE.exe | Process names for injecting code\r\nhio2cF9VF2Jsdf9n | Identifier sent along with system information\r\nasdRFSDabormhkmfgUIYGBDURE | Mutex name\r\nhttps://dns.google/dns-query, https://cloudflare-dns.com/dns-query, https://dns.adguard.com/dns-query, https://dns.quad9.net/dns-query | Addresses of DNS over HTTPS servers\r\nTCP://ftp.microft.dynssl.com:53412 | Control server URL\r\nConclusion\r\nAPT groups with Asian roots continue to attack Russian companies, as evidenced by the activity of Space Pirates. Cybercriminals both develop new malware that implements non-standard techniques (such as Deed RAT) and use modifications of existing backdoors. 
Such modifications sometimes feature multiple layers of obfuscation to defeat security tools and complicate analysis—as in the case of BH_A006, built on the code of the popular Gh0st backdoor.\r\nA separate difficulty with APT groups operating out of the Asian region is accurate attribution: the frequent exchange of tools and, in some cases, joint activity of groups significantly complicate this task. The core part of our research is based on the results of our investigation of an information security incident at our client's premises and on analysis of specific network infrastructure that uses DDNS domains. The data obtained allows us to state with certainty that the same attackers are behind the detected activity.\r\nPT ESC will continue to monitor these threats: new facts may provide more information about the activities of Space Pirates and its relationships with other groups.\r\nAppendices\r\nMITRE\r\nID | Name | Description\r\nInitial Access\r\nT1566.001 | Phishing: Spearphishing Attachment | Space Pirates uses phishing emails with malicious attachments\r\nT1566.002 | Phishing: Spearphishing Link | Space Pirates uses phishing emails with links to malware\r\nExecution\r\nT1059.003 | Command and Scripting Interpreter: Windows Command Shell | Space Pirates malware features remote command shell functionality\r\nT1059.005 | Command and Scripting Interpreter: Visual Basic | Space Pirates uses VBS scripts, including ReVBShell\r\nT1106 | Native API | Space Pirates malware uses WinAPI functions to run new processes and implement shellcode\r\nT1053.002 | Scheduled Task/Job: At (Windows) | Space Pirates uses atexec.py to run commands on a remote host\r\nT1053.005 | Scheduled Task/Job: Scheduled Task | Space Pirates uses system tasks\r\nT1569.002 | System Services: Service Execution | Space Pirates creates malicious services\r\nPersistence\r\nT1053.005 | Scheduled Task/Job: Scheduled Task | Space Pirates creates system tasks for persistence on the host\r\nT1543.003 | Create or Modify System Process: Windows Service | Space Pirates creates malicious services for persistence on the host\r\nT1546.015 | Event Triggered Execution: Component Object Model Hijacking | RtlShare malware persists in the system through substitution of the MruPidlList COM object\r\nT1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | For persistence on the host, Space Pirates can place a shortcut in the autorun folder and use the Run and RunOnce registry keys\r\nPrivilege Escalation\r\nT1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Space Pirates malware contains various techniques for bypassing UAC\r\nT1068 | Exploitation for Privilege Escalation | Space Pirates can exploit the CVE-2017-0213 vulnerability for privilege escalation\r\nDefense Evasion\r\nT1027.001 | Obfuscated Files or Information: Binary Padding | The RtlShare dropper adds random bytes to the extracted payload\r\nT1027.002 | Obfuscated Files or Information: Software Packing | One of the stages of the BH_A006 malware is obfuscated using an unknown protector\r\nT1036.004 | Masquerading: Masquerade Task or Service | Space Pirates uses legitimate-looking names when creating services\r\nT1036.005 | Masquerading: Match Legitimate Name or Location | Space Pirates masks its malware as legitimate software\r\nT1055 | Process Injection | Space Pirates malware can inject shellcode into other processes\r\nT1055.001 | Process Injection: Dynamic-link Library Injection | Space Pirates malware can inject DLLs with payload into other processes\r\nT1078.002 | Valid Accounts: Domain Accounts | Space Pirates uses compromised privileged credentials\r\nT1112 | Modify Registry | Deed RAT stores all its data in the registry, including configuration and plugins\r\nT1140 | Deobfuscate/Decode Files or Information | Space Pirates malware uses various algorithms to encrypt configuration data and payload\r\nT1197 | BITS Jobs | Space Pirates uses BITS jobs to download malware\r\nT1218.011 | Signed Binary Proxy Execution: Rundll32 | Space Pirates can use rundll32.exe to run DLLs\r\nT1553.002 | Subvert Trust Controls: Code Signing | Space Pirates uses stolen certificates to sign some Zupdax samples\r\nT1564.001 | Hide Artifacts: Hidden Files and Directories | Space Pirates can store its malware in hidden folders at C:\\ProgramData\r\nT1574.002 | Hijack Execution Flow: DLL Side-Loading | Space Pirates uses legitimate applications vulnerable to DLL side-loading\r\nT1620 | Reflective Code Loading | Space Pirates malware uses reflective loading to run payloads in memory\r\nCredential Access\r\nT1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Space Pirates uses the Chromepass tool to retrieve passwords from Chrome browser storage\r\nT1003.001 | OS Credential Dumping: LSASS Memory | Space Pirates gets LSASS process dumps for further credential dumping\r\nT1040 | Network Sniffing | Deed RAT collects information about in-use proxies through network sniffing\r\nDiscovery\r\nT1087.001 | Account Discovery: Local Account | Space Pirates collects information about users through the query user command\r\nT1087.002 | Account Discovery: Domain Account | Space Pirates collects information about users in the domain through the legitimate CSVDE tool\r\nT1082 | System Information Discovery | Space Pirates malware collects system information, including OS version, CPU, memory, and disk information\r\nT1614.001 | System Location Discovery: System Language Discovery | Deed RAT gets the language code identifier (LCID) during system information collection\r\nT1016 | System Network Configuration Discovery | Space Pirates collects information about the network settings of the infected machine\r\nT1069.002 | Permission Groups Discovery: Domain Groups | Space Pirates collects information about groups in the domain through the legitimate CSVDE tool\r\nT1083 | File and Directory Discovery | Space Pirates collects information about .doc and .pdf files in the system\r\nT1033 | System Owner/User Discovery | Space Pirates collects information about users of compromised computers\r\nT1057 | Process Discovery | Space Pirates uses the tasklist.exe tool to retrieve process information\r\nLateral Movement\r\nT1021.002 | Remote Services: SMB/Windows Admin Shares | Space Pirates uses the atexec.py and psexec.rb tools to move through the network\r\nCollection\r\nT1119 | Automated Collection | Space Pirates searches for and copies files with the masks *.doc and *.pdf\r\nT1560.001 | Archive Collected Data: Archive via Utility | Space Pirates zips stolen documents into password-protected archives using 7-Zip\r\nT1056.001 | Input Capture: Keylogging | Space Pirates malware can capture user input\r\nCommand and Control\r\nT1071.001 | Application Layer Protocol: Web Protocols | Deed RAT can encapsulate its protocol in HTTP and HTTPS\r\nT1071.004 | Application Layer Protocol: DNS | Deed RAT can encapsulate its protocol in DNS\r\nT1132.001 | Data Encoding: Standard Encoding | Space Pirates malware can compress network messages using the LZNT1 and LZW algorithms\r\nT1573.001 | Encrypted Channel: Symmetric Cryptography | Space Pirates malware can encrypt network messages using symmetric algorithms\r\nT1008 | Fallback 
Channels | Space Pirates malware supports multiple C2s and can update the C2 list through web pages\r\nT1095 | Non-Application Layer Protocol | Space Pirates malware uses its own protocols to communicate with the C2 server\r\nT1105 | Ingress Tool Transfer | Space Pirates downloads additional utilities from the C2 server using the certutil tool\r\nT1571 | Non-Standard Port | Space Pirates uses non-standard ports, such as 8081, 5351, 63514, etc., to communicate with the C2 server\r\nT1572 | Protocol Tunneling | Space Pirates uses the dog-tunnel tool to tunnel traffic\r\nT1090.001 | Proxy: Internal Proxy | Deed RAT can detect and use a proxy to connect to C2\r\nIOCs\r\nFile indicators\r\nMyKLoadClient\r\n947f042bd07902100dd2f72a15c37e2397d44db4974f4aeb2af709258953636f 09c29c4d01d25bae31c5a8b29474258dc1e40936 a2f2e6cdd27c13\r\n949cb5d03a7952ce24b15d6fccd44f9ed461513209ad74e6b1efae01879395b1 55604a258d56931d0e1be05bcbe76f675ed69e6e 5cce810a04197d\r\n35e36627dbbcb2b6091cc5a75ab26d9e5b0d6f9764bc11eb2851e3ebd3fbfe6e 415ae82bc0aa94e425009068a239e85a78b8e837 f250cc6ea8b240\r\n730b9ee9f031c8c543664ee281c7988467a3c83eabbbde181aa280314a91ba41 7be81aa01715c78166b8529eb999ec52f01a6367 399e655f1544e6\r\n16c2e10b2e3d74732edfae4a4fcc118600e9212162256434f34121fa41eaf108 7f9d53dc8247e68bfc30c2399eb227a9f1aa9dae 850c1355f713c6\r\nb822a4ec46aacb3bb4c22fe5d9298210bfa442118ee05a1532c324a5f847a9e6 869bd4d2520e5f2cf1d86e7fa21d0fb9a8fae41b 12c83dc14e08c2\r\n192499ad69ec23900f4c0971801e7688f9b5e1dc5d5365d3d77cb9bf14e5fd73 c3f82d46c5138ba89e3a8fe5ea80ce3b0d2467c0 5865679e252c0c\r\n56b9648fd3ffd1bf3cb030cb64c1d983fcd1ee047bb6bd97f32edbe692fa8570 a8d5e941b04cdd0070fe3218fa1bc04fb1bdd1b4 a5d85f982d6650\r\n0bac8f569df79b5201e353e1063933e52cfb7e34cd092fc441d514d3487f7771 64d97ea909a9b14857490724f19b971bb95d641d cb9617de5bc939\r\n1bab80116fa1f1123553bdaf3048246f8c8a8bb3a71b2a13e87b704e68d10d2b 3f32c341a71a32b6421822f44d4efde30d15421b 
e26713d8091da\r\n444d376d251911810f3f4b75923313b3726050153d50ad59deff5a0b8b1ada20 90ff670baddb8bce0444a8a422096461e78fb287 bf11b368d61092\r\n84eb2efa324eba0c2e06c3b84395e9f5e3f28a3c9b86edd1f813807ba39d9acb 82c18765ac3a1a2ecf3f258c0912beaf5aedd175 ddc9174f111e8a\r\n14b03ac41b5ef44ca31790fefb23968f2525c3aabfe11e96b9b1ccb6215eb8be e5882192901c00d8ac47bd82b7d4565761847e7b 7b7c21eac0d9a0\r\nb1d6ba4d995061a0011cb03cd821aaa79f0a45ba2647885171d473ca1a38c098 9f671e338bc9b66e2dd3b7a3c9115723911b8f65 135f224c2d740b\r\n5847c8b8f54c60db939b045d385aba0795880d92b00d28447d7d9293693f622b 878b2b8543ee103841cf30af70813b1c27434d71 10b52c1ccaba52\r\n95811d4e3c274f4c2d8f1bf092b9ddc488aa325aabf7c87a2c4877af4ba8bfb7 6b0bebd54877e42f5082e674d07563f527fdd110 fed14e228ba25f\r\n0712456669e65b2b3e8d1305256992c79213a6dd4fd9128cf3e78ab9bae3cff6 ee6b0845ebaae57f88b262c198fad8cf151f6b85 72571ebddf49e7\r\n607c92088b7a3256302f69edbfad204cab12bf051a5aac3395130e18ae568dd5 2452567c5e28f622fa11c8e92f737cd5d8272abf 3562bd5a94f4e8\r\nd0fb0a0379248cdada356da83cd2ee364e0e58f4ed272d3369fe1d6ca8029679 96bae22955bd85110c3f0b7de9a71b81c025f76a 8a8425a0a4988f\r\na8a16168af9dcdc4b34d8817b430a76275338dbbda32328520a4669dbe56e91b 57bd45e4afb8cd0d6b5360de6411ae0327812d5f a2b245bbb1de4f\r\n7b7a65c314125692524d588553da7f6ab3179ceb639f677ed1cefe3f1d03f36e a97b1e1e0de7f0eab5304d206f4d7131987aca6e 568594397a24a5\r\nf6c4c84487bbec5959068e4a8b84e515de4695c794769c3d3080bf5c2bb63d00 9358b341bc217dcd15599b43d88b157f8a9f4882 05a025736a6fd7\r\n467979d766b7e4a804b2247bbcdde7ef2bbaf15a4497ddb454d77ced72980580 ae021c91c759d087ead95319608326e0ed154cfd 78acab8a8d2639\r\n3e57ca992c235b68027cb62740d8e86a3294ac0ebcff4a2683b29bdaec016646 aad3241fd23372523528a99f4c18127a3ebbea59 a75c81a18e3965\r\nc3415bddc506839614cbb7186bfc6643713806de4f5b1c15445e96a644b44bea e29b263a89217412f45d6c7a0235b19af030755a b1f907379148c1\r\nd3a50abae9ab782b293d7e06c7cd518bbcec16df867f2bdcc106dec1e75dc80b a9d64e615171b05a402422056ddfcd250febae93 
b03192389159b\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/\r\nPage 34 of 40\n\n69863ba336156f4e559364b63a39f16e08ac3a6e3a0fa4ce11486ea16827f772 ec928047d511286c4db2580045d02ced34b639ea 27ea69e0233f32\r\n50f035100948f72b6f03ccc02f9c6073c9060d6e9c53c563a3fdb1d0c454916e d5ce13a66e8407baec0f447c7fb41d493fd8d73a 343a9cc37cc984\r\n6bc77fa21232460c1b0c89000e7d45fe42e7723d075b752359c28a473d8dd1fd 74847db3abdb5b0fd3952bb76018f9346815035a 359ae18fbfc16b\r\n3ccae178d691fc95f6c52264242a39daf4c44813d835eaa051e7558b191d19ee 0e40d0424aefa672c18e0500ff940681798f2f02 196222b313b6c\r\na99612370a8407f98746eb0bf60c72393b1b4a23f52e7d7a6896471f85e28834 757af512d07fc8fe1167750a748dbb9c700f71f1 6b2e4ff182bffe5\r\nZupdax\r\nf2ce101698952e1c4309f8696fd43d694a79d35bb090e6a7fd4651c8f41794a3 9ec2f21641bd3f482b4c85cd6050432dc05e7680 d0cb15e5fd961e\r\n84b8bfe8161da581a88c0ac362318827d4c28edb057e23402523d3c93a5b3429 6f1b4ccd2ad5f4787ed78a7b0a304e927e7d9a3c 6e9ff09f5a7daa4\r\n3a093f2c2cb5ba59197a4c978cfa9687d5778a53ae17c2ce2757d3577a5e7c69 9e0e0582eef9e2e2f38893a06c552d607f835fcc b0f95350b13b65\r\n137a3cc8b2ecd98f7d6b787d259e66ca2c1dae968c785d75c7a2fecb4cbbcaf0 1a7967c6357269414cfd1f9e1060a8613bc59f7b 869de5ac4d3520\r\n9e010a2b43a6b588b95b5281544739833fb0250e8e990a4fe9879459f92367d0 24732b6b00326439dc373df56aff78c9c82d7169 814019ff0004d54\r\n408608c6b6f7299561c04f37ab46ca9c82834428ad0e8d42b16ca5da9b86d62e 9f596346c9acc09772bc5baf8c4dbc80fbdbf03b 3801a156c01b2d\r\n6cc33a21417967a1bb3294179ea10aa3d9ee8d945a5ea0f6c44530189344a10a 6f43f6e8cb1474a6272f9632487fa1932dfba18c 6d6c3cbf2c2a3f1\r\n24b749191d64ed793cb9e540e8d4b1808d6c37c5712e737674417573778f665b 26062de2657bd2a3c228049af27333d2c46a041b 58c734474fc415\r\na95dfb8a8d03e9bcb50451068773cc1f1dd4b022bb39dce3679f1b3ce70aa4f9 1e8bf3c1a05f37857a9e8f7adb773ed9b9af1b8b 4ef9466b7ef300e\r\nefaa30bef6327ca8123e5443aa831dd7173de8ac9a016aaa2ae878641f85f952 04951144dc621f5f7ff2d66c8bcb710b77cc3d55 
80397808492e12\r\n699bd1babf50a360e0a2ba6b5e0ed2379571ee8356f3f08b09ff8ce434d72696 3c10a0256cc1f0af3c31770314257eb8f994260c 09c34b06199eb1\r\nd6af2d1df948e2221a4bdaa3dd736dc0646c95d76f1aa1a1d314e5b20185e161 44858761afc0439ba361c90f04ae9719b362d315 9afe1f1936145a0\r\n0ecd7741dbdfa0707ccd8613a5ea91e62ab187313dd07d41760c87ed42649793 daacbe773105fd7b0834ed2e3a05ef80275e3c11 e8357ac87261f7\r\n2360fa60a1b6e9705bf6b631fcfe53616f37738cf61bc0444ea94ce09c699c7f 54e9de60e3a5c58fc2f3daadd18a1355350e13ec e0592c56ee8f0a2\r\nffe19202300785f7e745957b48ecc1c108157a6edef6755667a9e7bebcbf750b 25d0321df77623c5af6629c357201941d4cd452c ddf7ed52856f7ab\r\nd45c1ce5678259755df24bd680316a945515fc1bd916ce1d504f9d27cf9d03e4 0f5a74f11c270a02b0c0cc317e0b850c78261b04 a2972cb5228a56\r\n00847787ea6568cfaaa762f4ee333b44f35a34e90858c1c8899144be016510ef d82bc3800396452ee519fbb35f708802fee335af 41f3e576216bb5\r\nDownloader.Climax.A\r\nfa2305975aded0fd0601fdab3013f8877969cb873fb9620b4d65ac6ff3b25522 003f46f74bbfc44ffd7f3ebfec67c80cf0a07bbf 24b90157056913b\r\n0a0ce7fb610e3c037beb2c331e147c8750ba9f7ea2ece2f91f27f1a83c6839e4 1e0a63331814aab39ffb7806289a8ef3433553c3 68875f4b80fd1350\r\n898741e11fbbe6b5534fb12a489add1aaa379ee6757c0bd8d6c631473d5c66f7 3fa2f11e142f5f07f2dd63d89b58d01e9397ded0 1fe521f0ad241457\r\n59e4b8d2b65f1690139c094ee27182285febda115304c44e8d9e7329e09dc794 18cd249add7cfae87615ca5b32aca8503337a2d6 9bf855e5e8480fdb\r\n0c64cc96a52ff9bdf6593e948fed1bc743bdf714ec1f7b392490423d927c3bb4 bb1c27db5f8d7e43592fa81cbfa319f1ce7c828f 0830581452de0c9\r\n1ca423fe0159e75718eb66524cd24002071a06b2fa68ce2cbb39d10682a154a6 78c8298b8357eee1a2d5d9da86f290bad798ce39 ff5896c0749b1e8c\r\ne9c94ed7265c04eac25bbcdb520e65fcfa31a3290b908c2c2273c29120d0617b 47edf57c5724ef9ff232dbb76f749977c767106a ef8bcb5865669bc1\r\nd376164e377577fc590a780d15603d6411fde6e45ea21971670d5dff597d9def d9e12317a43f233a739972723abc00f1b88f53b0 5faa973967fee2f3\r\n4301abae1a62f87b1c51acc6a6b4f2c3926a248b4aa9c04b734cef550196c030 
cc402936b3d6fa5db14b54f0065404d975f2aeb5 f0f2731cabf1c1a6\r\nDownloader.Climax.B\r\n7d9e1a193402b87dbbb81c2ab95632686154cff9c991324e46b275850a4b2db6 36a6eb414c9b8a7c2cdf12eb46e490d288e7a47a 98416b41f386bb4\r\ndd82a7b9b5dc0ee1f9e9f19d46212f3e2a1d09a816f5c0ece96275ee221fca13 cf0fb4950130abddead04c21316912418562bf8a a74341091f88d59\r\n9f4d15ca56f87a5ded792f2a27a4c112bf59517079aedbefe49fcd0474600b69 bbbca10a8545b0421fbfcbd0b3b7a42527fea641 1bdaa370b064f90\r\n5872abe12a8e4c7182e4c6a894d6c27961b00d333657736bcbfd7cb1b38af2ed 133eca56512d8d5f8c730e102bf9042915e9bf41 c60df47562dba1c\r\n8dcb99e56c888800e0712faddc07d991b6dcb7a6fd4cceffe9e27fe3da83d206 2e76fa63adc870ca1de19fc7ea5afd6860f36e32 1a22342f883ad15\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/\r\nPage 35 of 40\n\n7079d8c92cc668f903f3a60ec04dbb2508f23840ef3c57efffb9f906d3bc05ff 8993d0d5ec2f898eb8d1b8785cc5bb3275b43571 1690766e844034\r\n5e8df46c9bc75450e2660d77897fa3dfa4d6c21eea10a962f7a9cf950ca9ca76 b0506335e332d64d6568f7830a8fab6a8a6ce1f8 923d60f3e63c950\r\nRtlShare\r\n8932c2d1ed0ae1f64d9cff4942f08699b4a7b1b30f45626d7bc46c8c51f8a420 8903e04d7ffae2081867337801ca2fa5f93220bd 9d116d9415168293\r\n8ac2165dc395d1e76c3d2fbd4bec429a98e3b2ec131e7951d28a10e9ca8bbc46 c0988a4ade711993632a03a2f82eea412616ef2a ab01a4642e76df9e\r\n3f6102bd9add588b4df9b1523e40bb124af36a729037b8c3f2261563e4fa4be9 c865ef013018db3ed00f946b96a7a98ef2660e65 e8e966455a60c6f5\r\n785ac72b10fd9cf98b5e2a40dc607e1ff735fcd8192bf71747755c963c764e2d a429d9c8c67c8c8036ef05f7b4a27530ee6ae98a f15c15e2b26f47b43\r\nPlugX\r\n0f7556c6490c4a45a95f5b74ced21185fe48a788bcbe847017084ec1bf75d20a 53a17133173ee8f32261d4ac8afb956e1540f7be 4b6e1f5375552e\r\n429b6c5d380589f2d654a79ea378db118db4c1fd1d399456af08e807d552e428 97ecc5aba4ce94a5012dcf609f2d325f293d4bea 3f8de0e26ee2f1\r\n0956ab263c7c112e0a8466406e68765350db654dbe6d6905e7c38e4f912a244e 457a592ece5e309cc8844623f29fc6be62c5be60 
Note: the file with SHA-256 9843ceaca2b9173d3a1f9b24ba85180a40884dbf78dd7298b0c57008fa36e33d was erroneously listed in our previous report as a ShadowPad sample. In actual fact, it belongs to the BH_A006 family of backdoor samples.\r\nNetwork indicators\r\nThird-level DDNS domains\r\nSource: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/"
	],
	"report_names": [
		"space-pirates-tools-and-connections"
	],
	"threat_actors": [
		{
			"id": "ea844ee6-eb12-42c0-8426-11395fe81e6f",
			"created_at": "2022-10-25T15:50:23.300796Z",
			"updated_at": "2026-04-10T02:00:05.32389Z",
			"deleted_at": null,
			"main_name": "Night Dragon",
			"aliases": [
				"Night Dragon"
			],
			"source_name": "MITRE:Night Dragon",
			"tools": [
				"at",
				"gsecdump",
				"zwShell",
				"PsExec",
				"ASPXSpy",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67bf0462-41a3-4da5-b876-187e9ef7c375",
			"created_at": "2022-10-25T16:07:23.44832Z",
			"updated_at": "2026-04-10T02:00:04.607111Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"Careto",
				"The Mask",
				"Ugly Face"
			],
			"source_name": "ETDA:Careto",
			"tools": [
				"Careto"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "536ca49a-2666-4005-8a50-e552fc7e16ef",
			"created_at": "2023-11-21T02:00:07.375813Z",
			"updated_at": "2026-04-10T02:00:03.471967Z",
			"deleted_at": null,
			"main_name": "Webworm",
			"aliases": [
				"Space Pirates"
			],
			"source_name": "MISPGALAXY:Webworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "09a8f8fe-e907-47b4-8709-a97717dde3cc",
			"created_at": "2022-10-25T16:07:23.90252Z",
			"updated_at": "2026-04-10T02:00:04.783553Z",
			"deleted_at": null,
			"main_name": "Night Dragon",
			"aliases": [
				"G0014"
			],
			"source_name": "ETDA:Night Dragon",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Cain \u0026 Abel",
				"gsecdump",
				"zwShell"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "068b67c8-604c-4272-b808-350413fa9ee3",
			"created_at": "2022-10-25T16:07:23.975708Z",
			"updated_at": "2026-04-10T02:00:04.816253Z",
			"deleted_at": null,
			"main_name": "Operation NightScout",
			"aliases": [],
			"source_name": "ETDA:Operation NightScout",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d8ef10e-1d7b-49a0-ab6e-f1dae465a1a4",
			"created_at": "2023-01-06T13:46:38.595679Z",
			"updated_at": "2026-04-10T02:00:03.033762Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"TwoForOne",
				"G0068",
				"ATK33"
			],
			"source_name": "MISPGALAXY:PLATINUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e61c46f7-88a1-421a-9fed-0cfe2eeb820a",
			"created_at": "2022-10-25T16:07:24.061767Z",
			"updated_at": "2026-04-10T02:00:04.854503Z",
			"deleted_at": null,
			"main_name": "Platinum",
			"aliases": [
				"ATK 33",
				"G0068",
				"Operation EasternRoppels",
				"TwoForOne"
			],
			"source_name": "ETDA:Platinum",
			"tools": [
				"AMTsol",
				"Adupib",
				"Adupihan",
				"Dipsind",
				"DvDupdate.dll",
				"JPIN",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"RedPepper",
				"RedSalt",
				"Titanium",
				"adbupd",
				"psinstrc.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "926dcfeb-19dd-4786-b601-3c0c4c477b43",
			"created_at": "2023-01-06T13:46:38.787762Z",
			"updated_at": "2026-04-10T02:00:03.10053Z",
			"deleted_at": null,
			"main_name": "HenBox",
			"aliases": [],
			"source_name": "MISPGALAXY:HenBox",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4ae78ca3-8bc8-4d67-9df1-a85df250a8a0",
			"created_at": "2024-10-08T02:00:04.469211Z",
			"updated_at": "2026-04-10T02:00:03.726781Z",
			"deleted_at": null,
			"main_name": "TaskMasters",
			"aliases": [
				"BlueTraveller"
			],
			"source_name": "MISPGALAXY:TaskMasters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "020794ec-7315-47de-818c-2032c362fd15",
			"created_at": "2023-01-06T13:46:38.306576Z",
			"updated_at": "2026-04-10T02:00:02.920647Z",
			"deleted_at": null,
			"main_name": "Night Dragon",
			"aliases": [
				"G0014"
			],
			"source_name": "MISPGALAXY:Night Dragon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f5bf6853-3f6e-452c-a7b7-8f81c9a27476",
			"created_at": "2023-01-06T13:46:38.677391Z",
			"updated_at": "2026-04-10T02:00:03.064818Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"The Mask",
				"Ugly Face"
			],
			"source_name": "MISPGALAXY:Careto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbb1ee4e-bbe9-44de-8f46-8e7fec09f695",
			"created_at": "2022-10-25T16:07:24.120424Z",
			"updated_at": "2026-04-10T02:00:04.871598Z",
			"deleted_at": null,
			"main_name": "RedFoxtrot",
			"aliases": [
				"Moshen Dragon",
				"Nomad Panda",
				"TEMP.Trident"
			],
			"source_name": "ETDA:RedFoxtrot",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Fucobha",
				"GUNTERS",
				"Gen:Trojan.Heur.PT",
				"Icefog",
				"Impacket",
				"Kaba",
				"Korplug",
				"PCShare",
				"POISONPLUG.SHADOW",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"XShellGhost",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1",
			"created_at": "2023-01-06T13:46:39.042499Z",
			"updated_at": "2026-04-10T02:00:03.194713Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"BRONZE DUDLEY",
				"Colourful Panda"
			],
			"source_name": "MISPGALAXY:TA428",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8e385d36-06a2-4294-b3d3-01fe8e9d95f4",
			"created_at": "2022-10-25T16:07:24.219051Z",
			"updated_at": "2026-04-10T02:00:04.902017Z",
			"deleted_at": null,
			"main_name": "Space Pirates",
			"aliases": [
				"Erudite Mogwai",
				"Webworm"
			],
			"source_name": "ETDA:Space Pirates",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"BH_A006",
				"Chymine",
				"Darkmoon",
				"Deed RAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"MyKLoadClient",
				"Mydoor",
				"PCRat",
				"PCShare",
				"POISONPLUG.SHADOW",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SnappyBee",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "33f527a5-a5da-496a-a48c-7807cc858c3e",
			"created_at": "2022-10-25T15:50:23.803657Z",
			"updated_at": "2026-04-10T02:00:05.333523Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"PLATINUM"
			],
			"source_name": "MITRE:PLATINUM",
			"tools": [
				"JPIN",
				"Dipsind",
				"adbupd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434014,
	"ts_updated_at": 1775792241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/61cd4a8b611dcdeb19277d2eef72ce2463cd1f3d.pdf",
		"text": "https://archive.orkl.eu/61cd4a8b611dcdeb19277d2eef72ce2463cd1f3d.txt",
		"img": "https://archive.orkl.eu/61cd4a8b611dcdeb19277d2eef72ce2463cd1f3d.jpg"
	}
}