{
	"id": "f48eabac-d78b-405b-a3bc-49429c81eeae",
	"created_at": "2026-04-06T00:16:15.746016Z",
	"updated_at": "2026-04-10T03:37:19.249529Z",
	"deleted_at": null,
	"sha1_hash": "67ed982fef7800a433d55e59ffe9e0da74cad52b",
	"title": "nao-sec.org",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 752974,
	"plain_text": "nao-sec.org\r\nBy nao_sec\r\nPublished: 2020-01-29 · Archived: 2026-04-05 17:01:42 UTC\r\nAn Overhead View of the Royal Road\r\n2020-01-29\r\nAbstract\r\nSeveral targeted attack groups share the tools used in their attacks and are reported to carry out similar attacks. Attack tools are also shared in attacks targeting Japanese organizations, for example by Tick. Tick may use a tool called the Royal Road RTF Weaponizer, and Royal Road is also used by targeted attack groups suspected of Chinese involvement, such as Goblin Panda and Temp.Trident.\r\nIn this blog, we focus on Royal Road and introduce the features of the tool: an outline of the tool, its behavior, and the exploited vulnerabilities. Next, the targeted attack groups that use Royal Road are listed, and each attack case is shown in detail. We have collected over 100 malicious documents from 2018 and investigated the malware deployed by and downloaded from them. Even among groups using the same Royal Road, we attributed attacks based on the target country/organization, the technique used for the attack, the malware executed, etc.\r\nA wide variety of countries/organizations are targeted, mainly in Asia. Such information has been published by researchers all over the world, but it’s not widely known that Royal Road is used in Tick attacks targeting Japanese organizations. Attacks using Royal Road are still active in 2019. We share the analysis results of malicious documents and malware based on the cases we observed. Other targeted attack groups may also be related to Royal Road; we introduce the attack cases of these groups and show how they are related.\r\nFinally, we show a hunting technique that uses the characteristics of RTF files built with Royal Road and the techniques preferred by the targeted attack groups that use them. This blog will help researchers who analyze targeted attacks, as well as CSIRT/SOC members, to understand the attacks and take countermeasures.\r\nSummary\r\nRoyal Road\r\nRoyal Road is an RTF weaponizer named by Anomali, sometimes called the “8.t RTF exploit builder”. The tool is not OSS; however, it is shared between multiple actors.\r\nWe define the RTFs generated by RoyalRoad as those that satisfy the following two conditions:\r\n1. Exploit a vulnerability in the Equation Editor\r\n2. Have an object named 8.t in the RTF\r\nhttps://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html\r\nPage 1 of 7\r\nRoyal Road behaves as follows.\r\n1. When the document is opened, the RTF creates a file (8.t) using the ActiveX control “Package”.\r\n2. All vulnerabilities used by the exploit code are in the Equation Editor:\r\nCVE-2017-11882\r\nCVE-2018-0798\r\nCVE-2018-0802\r\n3. The exploit decodes 8.t and executes the malware (directly, via DLL side-loading, etc.).\r\nThe v1-v5 classification was defined by Proofpoint and Anomali and published at VB2019. We are doing further research on the RTF object. RTF analysis showed that there is a special byte sequence immediately before the shellcode; we call this the object pattern. The 8.t encoding is not distinguished by version; we consider it an actor distinction rather than a tool distinction.\r\nAs for v3, no RTF containing 8.t could be found in our survey, so we define it as RoyalRoad-related, not RoyalRoad.\r\nWe define new versions for v6 and later. The object string has changed a little since v5, but it is basically the same. v7 has a very different object string. The v7 object pattern is the same as v4-v6, but part of the object data varies randomly.\r\nFor attribution\r\nTime: submission to public service, RTF creation\r\nTarget country: decoy file language\r\nRTF characteristics: object strings, object patterns, package patterns, object name and path, payload encoding patterns, dropped file name\r\nMalware execution techniques: T1137 (Office Application Startup), T1073 (DLL Side-Loading)\r\nFinal payload (malware family)\r\nActors\r\nHere are the actors that have been confirmed to use RoyalRoad. Chinese involvement is suspected for these actors.\r\nThese are tables summarizing each actor’s characteristics. We categorize these actors into three groups.\r\nGroup\r\nGroup-A is Conimes, Periscope and Rancor.\r\nGroup-B is Trident, Tick, TA428 and Tonto.\r\nGroup-C is something else that we do not know.\r\nGroup-A targets Southeast Asia. Periscope and Conimes were active at the same time and share the same techniques. Conimes and Rancor were also active at the same time and share some techniques. We believe these groups are close and may share tools and insights.\r\nGroup-B includes Trident, Tick, TA428 and Tonto. These actors target East Asia, especially Russia, Korea and Japan. Tick, TA428 and Tonto may use the same technique; Tick and Tonto in particular are very similar. We believe that Group-B actors are very close and share techniques and insights.\r\nWrap-up\r\nThe RTF file created using Royal Road exploits a vulnerability in the Equation Editor. The RTF file has various characteristics that help with attribution. Many actors use Royal Road; we can divide them into three groups and infer connections between actors.\r\nAppendix\r\nAppendix-1: IOC\r\nhttps://nao-sec.org/jsac2020_ioc.html\r\nAppendix-2: Tool\r\nrr_decoder\r\nYara Rules\r\nFull report is here: [PDF (EN)]\r\nSource: https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html"
	],
	"report_names": [
		"an-overhead-view-of-the-royal-road.html"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e8aee970-e31e-489f-81c2-c23cd52e255c",
			"created_at": "2023-01-06T13:46:38.763687Z",
			"updated_at": "2026-04-10T02:00:03.092181Z",
			"deleted_at": null,
			"main_name": "RANCOR",
			"aliases": [
				"Rancor Group",
				"G0075",
				"Rancor Taurus",
				"Rancor group",
				"Rancor"
			],
			"source_name": "MISPGALAXY:RANCOR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6d11e45c-4e31-4997-88f5-295b2564cfc6",
			"created_at": "2022-10-25T15:50:23.794721Z",
			"updated_at": "2026-04-10T02:00:05.358892Z",
			"deleted_at": null,
			"main_name": "Rancor",
			"aliases": [
				"Rancor"
			],
			"source_name": "MITRE:Rancor",
			"tools": [
				"DDKONG",
				"PLAINTEE",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbb1ee4e-bbe9-44de-8f46-8e7fec09f695",
			"created_at": "2022-10-25T16:07:24.120424Z",
			"updated_at": "2026-04-10T02:00:04.871598Z",
			"deleted_at": null,
			"main_name": "RedFoxtrot",
			"aliases": [
				"Moshen Dragon",
				"Nomad Panda",
				"TEMP.Trident"
			],
			"source_name": "ETDA:RedFoxtrot",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Fucobha",
				"GUNTERS",
				"Gen:Trojan.Heur.PT",
				"Icefog",
				"Impacket",
				"Kaba",
				"Korplug",
				"PCShare",
				"POISONPLUG.SHADOW",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"XShellGhost",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1",
			"created_at": "2023-01-06T13:46:39.042499Z",
			"updated_at": "2026-04-10T02:00:03.194713Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"BRONZE DUDLEY",
				"Colourful Panda"
			],
			"source_name": "MISPGALAXY:TA428",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "416f8374-2b06-47e4-ba91-929b3f85d9bf",
			"created_at": "2022-10-25T16:07:24.093951Z",
			"updated_at": "2026-04-10T02:00:04.864244Z",
			"deleted_at": null,
			"main_name": "Rancor",
			"aliases": [
				"G0075",
				"Rancor Group",
				"Rancor Taurus"
			],
			"source_name": "ETDA:Rancor",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DDKONG",
				"Derusbi",
				"Dudell",
				"ExDudell",
				"KHRAT",
				"PLAINTEE",
				"RoyalRoad",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434575,
	"ts_updated_at": 1775792239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/67ed982fef7800a433d55e59ffe9e0da74cad52b.pdf",
		"text": "https://archive.orkl.eu/67ed982fef7800a433d55e59ffe9e0da74cad52b.txt",
		"img": "https://archive.orkl.eu/67ed982fef7800a433d55e59ffe9e0da74cad52b.jpg"
	}
}