{
	"id": "d7b2dfe6-2695-45b0-9e78-54200a2ca876",
	"created_at": "2026-04-06T00:15:01.39515Z",
	"updated_at": "2026-04-10T13:11:26.117176Z",
	"deleted_at": null,
	"sha1_hash": "66b9cfec0e4d2abfe6e503c74e3a6e8ec219c7ec",
	"title": "Operation DRBControl: Uncovering a Cyberespionage Campaign Targeting Gambling Companies in Southeast Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 157114,
	"plain_text": "Operation DRBControl: Uncovering a Cyberespionage Campaign Targeting Gambling Companies in Southeast Asia\r\nArchived: 2026-04-02 11:38:14 UTC\r\nUncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations\r\nIn 2019, Talent-Jump Technologies, Inc. reached out to Trend Micro about a backdoor they discovered during an incident response operation. We provided further intelligence and analysis on the backdoor, which we learned was being used by an advanced persistent threat (APT) actor that we dubbed \"DRBControl.\" The threat actor is currently targeting users in Southeast Asia, particularly gambling and betting companies. Europe and the Middle East were also reported to us as being targeted, but we could not confirm this at the time of writing. Exfiltrated data consisted mostly of databases and source code, which led us to believe that the group's main purpose is cyberespionage.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia\r\nPage 1 of 8\r\nThe campaign uses two previously unidentified backdoors. Known malware families such as PlugX and the HyperBro backdoor, as well as custom post-exploitation tools, were also found in the attacker's arsenal. Interestingly, one of the backdoors used the file hosting service Dropbox as its command-and-control (C\u0026C) channel. We disclosed our findings to Dropbox, which expired the tokens used in the campaign in August 2019 and has since been working with Trend Micro on the issues.\r\nA newly identified threat actor behind a cyberespionage campaign targets gambling and betting entities by using publicly available and custom tools to elevate privileges and perform lateral movement. One of the deployed malware families uses Dropbox as a way to communicate with and exfiltrate data from targets.\r\nTargets\r\nDRBControl targets gambling and betting operations in Southeast Asia.\r\nThe threat actors behind the campaign use a variety of post-exploitation tools, such as a clipboard stealer, a network traffic tunnel, a brute-force tool, and password dumpers.\r\nOperations\r\nThe first-stage intrusion uses spear-phishing .DOCX files. DRBControl distributes three versions of the infecting documents.\r\nThe campaign primarily takes advantage of two backdoors, both of which use DLL side-loading through the Microsoft-signed MSMpEng.exe file.\r\nThe type 1 backdoor already has nine versions, all developed between May and October 2019. All versions use the file hosting service Dropbox as their C\u0026C channel.\r\nThe type 2 backdoor uses a configuration file that holds the C\u0026C domain and connection port, as well as the directory and filename to which the malware is copied. The file also sets its persistence mechanism.\r\nIn most cases, IP addresses could be resolved only for subdomains hardcoded in malware samples; no IP address was linked to the domain names themselves.\r\nKnown malware families (e.g., PlugX RAT, Trochilus RAT, and the HyperBro backdoor) and the Cobalt Strike software were also utilized in the campaign.\r\nNetwork Activities\r\nConnections with Other APT Campaigns\r\nDifferent malware identified with the Winnti and Emissary Panda campaigns was used. Links to the Winnti group range from mutexes to domain names and issued commands. The HyperBro backdoor, which appears to be exclusive to Emissary Panda, was also used in this campaign.\r\nKey Findings:\r\nThe DRBControl campaign attacks its targets using a variety of malware and techniques that coincide with those used in other known cyberespionage campaigns. The threat actors maintain a diverse infrastructure and take advantage of post-exploitation tools to further their operations.\r\nThe campaign not only uses the file hosting service Dropbox as its C\u0026C channel, but also for the delivery of different payloads. Dropbox repositories were also found to store information such as commands and post-exploitation tools, target users' workstation information, and stolen files.\r\nFigure: EarthWorm network traffic tunnel\r\nFigure: Public IP address retriever\r\nFigure: Elevation of privilege vulnerability tool\r\nFigure: Post-exploitation tools used by DRBControl\r\nConclusion\r\nUnlike largely indiscriminate attacks that focus on typical forms of cybercrime, targeted attacks differ in how threat actors actively pursue and compromise specific targets (i.e., through spear phishing) for lateral movement in the network and extraction of sensitive information. Understanding attack tools, techniques, and infrastructure, as well as the links to similar attack campaigns, provides the context necessary to assess potential impact and adopt defensive measures. Trend Micro users can thwart advanced persistent threats with security that provides actionable threat intelligence, network-wide visibility, and timely threat protection.\r\nRead our detailed findings in our research paper, \"Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations,\" which looks into the malware that DRBControl uses, its relations to known APT groups, other noteworthy points of their activities, and indicators of compromise.\r\nMITRE ATT\u0026CK Matrix\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia"
	],
	"report_names": [
		"operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia"
	],
	"threat_actors": [
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e254cf33-e7f5-407b-a8a1-1a856a9f1c71",
			"created_at": "2025-01-21T02:00:03.599871Z",
			"updated_at": "2026-04-10T02:00:03.804511Z",
			"deleted_at": null,
			"main_name": "Operation DRBControl",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation DRBControl",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6d2910b0-9fea-46a2-84e6-a043b1e023e4",
			"created_at": "2022-10-25T16:07:23.946958Z",
			"updated_at": "2026-04-10T02:00:04.80291Z",
			"deleted_at": null,
			"main_name": "Operation DRBControl",
			"aliases": [],
			"source_name": "ETDA:Operation DRBControl",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434501,
	"ts_updated_at": 1775826686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/66b9cfec0e4d2abfe6e503c74e3a6e8ec219c7ec.pdf",
		"text": "https://archive.orkl.eu/66b9cfec0e4d2abfe6e503c74e3a6e8ec219c7ec.txt",
		"img": "https://archive.orkl.eu/66b9cfec0e4d2abfe6e503c74e3a6e8ec219c7ec.jpg"
	}
}