{
	"id": "cc086548-0189-4bab-96af-b7918c42f1d5",
	"created_at": "2026-04-06T00:13:20.186001Z",
	"updated_at": "2026-04-10T03:33:45.916856Z",
	"deleted_at": null,
	"sha1_hash": "64e1055fff0fdf88cc40821e2612838739c9c0b3",
	"title": "ChessMaster Makes its Move: A Look into its Arsenal",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77069,
	"plain_text": "ChessMaster Makes its Move: A Look into its Arsenal\r\nBy: Benson Sy, Kawabata Kohei Jul 27, 2017 Read time: 4 min (1144 words)\r\nPublished: 2017-07-27 · Archived: 2026-04-02 12:15:10 UTC\r\nFrom gathering intelligence, using the right social engineering lures, and exploiting vulnerabilities to laterally moving within the network, targeted attacks have multifarious tools at their disposal. And like in a game of chess, they are the set pieces that make up their modus operandi.\r\nTake for instance the self-named ChessMaster, a campaign targeting Japanese academe, technology enterprises, media outfits, managed service providers, and government agencies. It employs various poisoned pawns in the form of malware-laden spear-phishing emails containing decoy documents. And beyond ChessMaster’s endgame and pawns, we also found red flags that allude to its links to APT 10, also known as menuPass, POTASSIUM, Stone Panda, Red Apollo, and CVNX.\r\nChessMaster’s name is from pieces of chess/checkers/draughts we found in the resource section of the main backdoor they use against their targets: ChChes, which Trend Micro detects as BKDR_CHCHES.\r\nWhat makes the campaign unique is its arsenal of tools and techniques:\r\nMalicious shortcut (LNK) files and PowerShell. The LNK files execute Command Prompt that downloads a PowerShell script, which would either directly drop or reflectively load ChChes into the machine. The latter method makes ChChes a fileless malware.\r\nSelf-extracting archive (SFX). An archive that drops an executable (EXE), a dynamic-link library (DLL), and a binary file (.BIN). Upon their extraction, malicious code is injected into the process of a legitimate file/application (DLL hijacking). ChessMaster takes it up a notch via load-time dynamic linking to trigger the malicious DLL’s function.\r\nRuntime packers. Throughout its campaign, ChChes used three packers to obfuscate itself and avoid detection. The first had no encryption and a varied loader code. The second had a buggy (or anti-emulation) exclusive OR (XOR) encryption technique. The third added an AES algorithm on top of XOR encryption. Their compile dates overlap, which indicates ChChes’ authors take cues and fine-tune their malware.\r\nSecond-stage payloads. Additional malware is introduced to the infected system for persistence. These are actually variants of ChChes that use similar entry points but different and encrypted C\u0026C communication.\r\nHacking Tools. ChessMaster draws on legitimate email and browser password recovery and dumping tools they’ve misused and modified for their campaign. These can restore forgotten passwords, which are then dumped and retrieved. Lateral movement and further attacks can be worked out from here.\r\nTinyX. A version of PlugX sans the plug-in functionality that allows it to adopt new capabilities. TinyX is bundled separately in spear-phishing emails.\r\nRedLeaves. A second-stage backdoor that operates like the open-source and fileless remote access Trojan (RAT) Trochilus, which is known for enabling lateral movement in the infected systems. RedLeaves adopted capabilities from PlugX. In April, a RedLeaves variant named himawari (Japanese for sunflower) emerged capable of evading YARA rules released during that time.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/\r\nPage 1 of 3\r\nChessMaster and APT 10 Play the Same Cyberespionage Game\r\nAPT 10/menuPass is a cyberespionage group whose specific campaign, Operation Cloud Hopper, attacked the intermediaries of their targets of interest—managed service providers (MSPs). Its notoriety stems from its prolific use of multifarious information-stealing backdoors and vulnerability exploits, along with the tenacity of its subterfuges, from spear-phishing emails to attack and infection chains. It also abused legitimate or open-source remote administration tools to steal data.\r\nIf that sounded familiar, it's because ChessMaster and APT 10 appear to be playing the same cyberespionage game. Here’s a further illustration:\r\nFigure 1: Similarities in ChessMaster and APT 10’s attack chain\r\nWe first saw ChChes set its sights on an organization that’s long been a target of APT 10/menuPass. As we caught and delved into more ChChes samples in the wild, however, we also saw how they followed the same pattern—exclusive packers, mutual targets, overlapping C\u0026C infrastructure.\r\nChChes’ packer, for instance, resembled the one used in menuPass’ old PlugX samples. DNS records also showed that some of their command and control (C\u0026C) servers and domains resolved to the same IP address, or resided in the same subnet. Are they operated by the same actors? Their commonalities make it appear so. It’s also known to happen; BlackTech’s cyberespionage campaigns are a case in point.\r\nFigure 2: Comparison of Emdivi and ChChes\r\nChessMaster’s ChChes also resembles another backdoor, Emdivi, which first made waves in 2014. They have the same endgame. Both are second-stage payloads that use the system’s Security Identifier (SID) as encryption key so they execute only in their target’s machine. Their difference lies in complexity—ChChes hides part of the decryption key and payload in registry keys to make it harder to reverse engineer.\r\nBut that’s just one dot in several we’ve connected. In one instance, we detected PlugX and Emdivi on the same machine. This PlugX variant connected to an APT 10/menuPass-owned domain, but the packer is similar to that used by ChChes. While it’s possible it was hit by two different campaigns, further analysis told a different story. Both were compiled on the same date, only several hours apart. We detected and acquired the samples the next day, which means both backdoors were delivered to the victim a day after they were compiled.\r\nFigure 3: Overview of the overlaps in ChessMaster and APT 10’s campaigns\r\nTake ‘Control of the Center’\r\nUltimately attacks like ChessMaster’s make pawns out of the systems, networks, devices and their users, all of which hold the organization’s crown jewels. This is why enterprises need to be steps ahead of the game: prepare, respond, restore, and learn. Plan ahead—what techniques will attackers use? How can I defend against them? Don’t just pull the plug—understand what happened to better assess and mitigate the damage. Fine-tune your response—what worked, what didn’t, and what could’ve been done better?\r\nDefense in depth plays a crucial role especially for the IT/system administrators and information security professionals that watch over them. The network, endpoints, servers, mobile devices, and web/email gateways are the bishops, knights, and rooks that underpin the enterprise’s crown jewels, which is why securing them is important. Reduce their attack surface. Keep the systems updated and regularly patched, and enforce the principle of least privilege. Employ behavior monitoring and application control. Deploy firewalls as well as intrusion detection and prevention systems. Implement URL categorization, network segmentation, and data categorization.\r\nChessMaster’s gambit is spear-phishing, so it’s especially important to filter and safeguard the email gateway. Additionally, foster a cybersecurity-aware workforce. Seemingly benign icons or decoy documents can still swindle the victim, for instance. More importantly, develop proactive incident response and remediation strategies—threat intelligence helps enterprises prepare and mitigate attacks. Like in chess, the more you understand your enemy’s moves, the more successful you can be at thwarting them.\r\nThe Indicators of Compromise (IoCs) related to ChessMaster's campaigns are in this appendix.\r\nThis has been presented in the RSA Conference 2017 Asia Pacific \u0026 Japan as “ChessMaster: A New Campaign Targeting Japan Using the New ChChes Backdoor” on July 27, 2017, in Marina Bay Sands, Singapore. Updated on August 14, 2017, 11:50 PM to include IoCs related to ChessMaster.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/"
	],
	"report_names": [
		"chessmaster-cyber-espionage-campaign"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "48782737-377b-47b4-aff0-87424208a643",
			"created_at": "2023-01-06T13:46:38.569144Z",
			"updated_at": "2026-04-10T02:00:03.02685Z",
			"deleted_at": null,
			"main_name": "Blue Termite",
			"aliases": [
				"Cloudy Omega",
				"Emdivi"
			],
			"source_name": "MISPGALAXY:Blue Termite",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434400,
	"ts_updated_at": 1775792025,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/64e1055fff0fdf88cc40821e2612838739c9c0b3.pdf",
		"text": "https://archive.orkl.eu/64e1055fff0fdf88cc40821e2612838739c9c0b3.txt",
		"img": "https://archive.orkl.eu/64e1055fff0fdf88cc40821e2612838739c9c0b3.jpg"
	}
}