{
	"id": "2bdcf4f7-ad37-46a3-a02e-c793a5787a0f",
	"created_at": "2026-04-06T00:09:48.393198Z",
	"updated_at": "2026-04-10T03:32:56.624268Z",
	"deleted_at": null,
	"sha1_hash": "6a6eea4d83efdc3f965d4e41c9da8e2882a53e6d",
	"title": "Packrat: Seven Years of a South American Threat Actor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4336766,
	"plain_text": "Packrat: Seven Years of a South American Threat Actor\r\nArchived: 2026-04-05 13:15:48 UTC\r\nSummary\r\nThis report describes an extensive malware, phishing, and disinformation campaign active in several Latin American\r\ncountries, including Ecuador, Argentina, Venezuela, and Brazil. The nature and geographic spread of the targets seems to\r\npoint to a sponsor, or sponsors, with regional, political interests. The attackers, whom we have named Packrat, have shown\r\na keen and systematic interest in the political opposition and the independent press in so-called ALBA countries (Bolivarian\r\nAlternative for the Americas), and their recently allied regimes. These countries are linked by a trade agreement as well as a\r\ncooperation on a range of non-financial matters.\r\nAfter observing a wave of attacks in Ecuador in 2015, we linked these attacks to a campaign active in Argentina in 2014.\r\nThe targeting in Argentina was discovered when the attackers attempted to compromise the devices of Alberto Nisman and\r\nJorge Lanata.  Building on what we had learned about these two campaigns, we then traced the group’s activities back as far\r\nas 2008.\r\nThis report brings together many of the pieces of this campaign, from malware and phishing, to command and control\r\ninfrastructure spread across Latin America. It also highlights fake online organizations that Packrat has created in Venezuela\r\nand Ecuador.  Who is responsible? We assess several scenarios, and consider the most likely to be that Packrat is sponsored\r\nby a state actor or actors, given their apparent lack of concern about discovery, their targets, and their persistence.  However,\r\nwe do not conclusively attribute Packrat to a particular sponsor.\r\nPart 1: Packrat’s Seven Years of Activity\r\nThe authors on this report have been independently investigating malware and phishing campaigns in Latin America.  
This\r\nreport is the result of discovering that the cases we have been investigating are linked by a common threat actor with\r\ntargeting in several countries, including Venezuela, Ecuador, Argentina, and Brazil. We refer to this threat actor as Packrat,\r\nto highlight their preference for packed, commodity Remote Access Trojans (RATs), and their retention of the same domains\r\nand servers over many years.\r\nhttps://citizenlab.ca/2015/12/packrat-report/\r\nPage 1 of 40\n\nPackrat has systematically targeted high profile political figures, journalists, and others in several countries with malware\r\nand phishing. In total we uncovered 12 different malware command and control domains, and over 30 samples of malware\r\nstretching over a seven year time period. Packrat also favors an interesting strategy: create and maintain fake opposition\r\ngroups and news organizations, then use these to distribute malware and conduct phishing attacks.\r\nSome of these organizations exist in name only, while others have a more elaborate online presence. Packrat has also created\r\nelaborate fake news organizations without any evidence we can find of malware or phishing activity.\r\nWe chart Packrat’s activities back to at least 2008. Through correlation of network infrastructure, we identified several\r\nwaves of activity, coupled with changes in tools and tactics. This section provides a brief chronology of Packrat’s network\r\ninfrastructure and activities. For a detailed chronology of the malware used, see 3. The Evolution of Packrat’s Implants.\r\nPackrat’s Greatest Hits\r\n2008-2013\r\nTools and infrastructure used by Packrat suggest that they have been active since at least 2008. During this period, Packrat\r\nused hosting services in Brazil, and some of their malware samples were uploaded from Brazilian IP space to popular online\r\nvirus scanning services. 
Some of the messages they sent also contained Brazilian bait content. While this is suggestive of\r\nBrazilian targeting, we have yet to find confirmed victims from this period.\r\n2014\r\nBy 2014, Packrat was targeting high-profile Argentine lawyer Alberto Nisman, and well-known investigative journalist and\r\ntelevision news host, Jorge Lanata. Maximo Kirchner, son of Argentina’s president, also announced that he was targeted.\r\nThe screenshot he released of the phishing email he received is consistent with what we have seen, although we have not\r\nbeen able to verify his claims. In addition, a number of phishing domains with Ecuadorian and Venezuelan targeting that we\r\nidentified became active during this period.\r\n2015\r\n2015 seems to have marked an extensive campaign of phishing and malware attacks targeting civil society and public\r\nfigures, including parliamentarians in Ecuador. We observed a range of phishing domains and attacks, often using fake\r\norganizations during this period. We also found fake organizations and possible disinformation campaigns with targets in\r\nEcuador, Venezuela and the Venezuelan diaspora.\r\n1.1 Nisman and the Argentine Cases\r\nIn January 2015, controversial Argentine prosecutor Alberto Nisman was found dead of a gunshot under suspicious\r\ncircumstances. Argentine news reported that a malicious file was found on his Android phone by the Buenos Aires\r\nMetropolitan Police forensic lab. The file was named “estrictamente secreto y confidencial.pdf.jar,” or “strictly secret and\r\nconfidential” in English.\r\nAn identically titled file was uploaded to VirusTotal from Argentina on the 29th of May, 2015. The file was a remote access\r\ntoolkit, known as AlienSpy, which allowed an attacker the ability to record the activities of a target, access their email, their\r\nwebcam, and more. 
However, the file was built for the Windows operating system, and could not have infected Nisman’s\r\nAndroid phone.\r\nThe initial analysis of the AlienSpy implant by Morgan Marquis-Boire revealed the command and control server of the\r\nattackers to be deyrep24.ddns.net. In addition to the malware apparently used to target Nisman, Lanata, and Kirchner (see\r\nbelow), three other samples1 were found which used deyrep24.ddns.net as a command and control domain. One of these, 3\r\nMAR PROYECTO GRIPEN.docx.jar, was a build of AlienSpy (See Packrat’s Implants) which masqueraded as a\r\ndocument containing communication between Ecuadorian President Rafael Correa and Ecuador’s Ambassador to Sweden\r\nconcerning the acquisition of fighter jets.\r\nAfter the finding was made public, other targets came forward. Prominent investigative journalist and television host Jorge\r\nLanata revealed that he too had been targeted by the same malware. The president’s son, Maximo Kirchner, also claimed to\r\nhave been targeted. We were unable to verify Kirchner’s claim; however, a screenshot showing his targeting was included in\r\na report of this claim:\r\nThe email which he claims to have received has an attachment named “Estrictamente Secreto y Confidencial.pdf.jar” (size\r\n67.3kb) which is the same as the malware sent to Nisman and Lanata. Additionally, the sender’s email address\r\n(claudiobonadio88@gmail.com) purports to be well-known judge Claudio Bonadio. This is similar to the targeting of Lanata,\r\nwho also received an email claiming to be from Claudio Bonadio (cfed.bonadio@gmail.com).\r\n1.2 Ecuadorian Campaigns\r\nIn 2015, we began independently receiving a growing number of reports of phishing attacks via e-mail and SMS targeting\r\njournalists and other public figures in Ecuador. 
Some emails we examined had no political content, but were simple\r\ncredential phishing for social media and email providers, like Gmail. Others, however, had explicit political content\r\nconcerning a range of political figures and issues in Ecuador. Further investigation revealed an extensive campaign, as well\r\nas many fake organizations (See Section 6: Possible Deception Operations).\r\nOne of the authors developed a Gmail search query for strings associated with the attacks (See Appendix A: The Search\r\nQuery). We shared this query with many potential targets, resulting in hits for phishing attacks, as well as suspicious\r\nMicrosoft Word (DOCX) files sent to a range of journalists and public figures. These documents contained embedded RATs\r\nwritten in Java, including Adzok and AlienSpy (See Packrat’s Implants). Subsequently, using indicators found in the JAR\r\nfiles, as well as an updated Gmail query we were able to identify a larger set of malicious files and domains used by Packrat\r\n(See Appendix B: Malware Samples).\r\nWe found a dense web of interconnections between phishing and malware sites. Sites often shared registration information,\r\nor were hosted from the same servers. We determined that the malware samples typically communicated with\r\ndaynews.sytes.net, which is linked to the Argentine cases. Ultimately, investigation of this infrastructure also revealed\r\nmalware and infrastructure in Brazil, and fake sites in Venezuela.\r\n1.3 Shared Command \u0026 Control Infrastructure\r\nThis section describes Packrat’s command and control infrastructure in narrative form, Appendix B provides a full list of\r\nCommand \u0026 Control domains along with the related binaries and malware families.\r\nPackrat’s deyrep24.ddns.net domain was created on November 7th, 2014, and at the time of Nisman’s targeting, pointed to\r\nthe IP address: 50.62.133.49. 
This IP address belongs to a GoDaddy range for dedicated hosting, and on March 3rd, 2015,\r\nthe domain moved to another GoDaddy IP: 192.169.243.65. Passive DNS records revealed that at the same time as this IP\r\nwas being used by the deyrep24.ddns.net command and control domain, it was being used by the domain\r\ndaynews.sytes.net which had been created on March 1st, 2015. Over the course of our joint investigation we found 5\r\nsamples of malware using this domain which were used to target journalists and civil society in Ecuador (See Appendix D:\r\nSeeding Domains for a larger list).\r\nPackrat’s Command \u0026 Control Infrastructure\r\nSearching for domains related to daynews.sytes.net led us to taskmgr.serveftp.com which on August 11th, 2014 was\r\nat the IP address 190.210.180.181, an IP address in Argentina, used by daynews.sytes.net for a brief period when it was first\r\nregistered, before being quickly moved to GoDaddy hosting. The taskmgr.serveftp.com domain also returns to\r\n190.210.180.181 on multiple dates in October of 2014, and May of 2015. On July 23rd, 2014, taskmgr.serveftp.com was\r\nhosted at 201.52.24.126, a Brazilian IP address, which was also hosting taskmgr.servehttp.com, and\r\ntaskmgr.redirectme.com. We found a total of 15 malware samples using either taskmgr.servehttp.com or\r\ntaskmgr.serveftp.com as command and control domains (or both in the case of several samples). 
The earliest of these\r\nsamples had a compile time of December 24th, 2008, providing us with the earliest date we know of that Packrat was active.\r\nWhile it is possible that this timestamp is faked, we have seen no evidence of this on other samples by these attackers.\r\nPackrat’s Command and Control Infrastructure\r\nDomain | Relevant Resolution | Relevant Date of Resolution\r\ndeyrep24.ddns.net | 50.62.133.49 | November 7th, 2014\r\ndeyrep24.ddns.net | 192.169.243.65 | March 3rd, 2015\r\ndaynews.sytes.net | 192.169.243.65 | March 3rd, 2015\r\ndaynews.sytes.net | 190.20.180.181 | March 1st, 2015\r\ntaskmgr.serveftp.com | 190.210.180.181 | August 11th, 2014\r\ntaskmgr.serveftp.com | 201.52.24.126 | July 23rd, 2014\r\ntaskmgr.serveftp.com | 186.220.1.84 | July 11th, 2014\r\ntaskmgr.servehttp.com | 186.220.1.84 | June 24th, 2014\r\ntaskmgr.servehttp.com | 201.52.24.126 | July 23rd, 2014\r\ntaskmgr.servehttp.com | 186.220.1.84 | July 11th, 2014\r\ntaskmgr.servehttp.com | 186.220.11.67 | August 15th, 2014\r\ntaskmgr.redirectme.com | 201.52.24.126 | July 23rd, 2014\r\ntaskmgr.redirectme.com | 186.220.1.84 | July 11th, 2014\r\nruley.no-ip.org | 186.220.1.84 | July 11th, 2014\r\nruley.no-ip.org | 189.100.148.188 | September 6th, 2012\r\nlolinha.no-ip.org | 189.100.148.188 | September 6th, 2012\r\nwjwj.no-ip.org | 189.100.148.188 | September 6th, 2012\r\nconhost.servehttp.com | 186.220.11.67 | August 15th, 2014\r\ndllhost.servehttp.com | 186.220.11.67 | August 15th, 2014\r\nwjwjwj.no-ip.org | 179.208.187.216 | March 25th, 2014\r\nwjwjwj.no-ip.org | 186.220.1.84 | June 24th, 2014\r\nwjwjwjwj.no-ip.org | 179.208.187.216 | March 25th, 2014\r\nOn July 11th 2014, all ‘taskmgr’ domains were hosted on 186.220.1.84, an IP address in Brazil. At the same time, this IP\r\naddress was hosting ruley.no-ip.org. We managed to find a malware sample2 using both ruley.no-ip.org and\r\ntaskmgr.servehttp.com as command and control domains. On September 6th, 2012, ruley.no-ip.org was hosted at\r\n189.100.148.188, another Brazilian IP address, along with two other domains lolinha.no-ip.org and wjwj.no-ip.org. 
We\r\nfound two samples configured with all three of these domains as command and control servers, three samples which used\r\nboth ruley.no-ip.org and wjwj.no-ip.org, two samples just using wjwj.no-ip.org, and one sample just using ruley.no-ip.org. On August 15th, 2014, taskmgr.servehttp.com was hosted on 186.220.11.67, another IP address in Brazil. On the\r\nsame date, this IP hosted both conhost.servehttp.com and dllhost.servehttp.com. We found two samples configured with\r\nboth conhost.servehttp.com and dllhost.servehttp.com as command and control servers.\r\nIn addition to these domains, the domains wjwjwj.no-ip.org and wjwjwjwj.no-ip.org appear to be related. On March 25th,\r\n2014 both wjwj.no-ip.org and wjwjwj.no-ip.org point to 179.208.187.216. On June 24th, 2014, both\r\ntaskmgr.servehttp.com and wjwjwjwj.no-ip.org pointed to 186.220.1.84. We didn’t manage to find malware samples\r\nrelated to either wjwjwj.no-ip.org or wjwjwjwj.no-ip.org.\r\nThe command and control servers behind these domains were hosted with a variety of providers around Latin America,\r\nincluding: Uruguay Montevideo Administración Nacional De Telecomunicaciones, Argentina Buenos Aires Nss S.A.\r\n(IPLAN), and Claro Brazil.\r\nPackrat has also used servers in Europe and the US, including Portlane AB in Sweden and GoDaddy in the United States.\r\nWe have notified hosting providers in order to facilitate the shutdown of Packrat’s infrastructure.\r\nPart 2: Recent Malware Attacks in Ecuador\r\nPackrat is active in many countries, but it is in Ecuador that we were able to gather the most systematic evidence of their\r\nactivities, as well as connect directly with targets and victims. 
We are also tracking active attacks against Ecuadorian targets\r\nat the time of writing.\r\nUsing email inbox search queries that we shared with potential targets (See: Appendix A), as well as analysis of malware\r\ndatabases and seeding infrastructure, we collected a diverse set of malware and phishing attacks targeting journalists, public\r\nfigures, politicians, and other prominent individuals (see: 5. Packrat’s Persistent Phishing Campaigns for examples).\r\n2.1 Previous Reports of Packrat Malware in Ecuador\r\nThere are public reports, as well as social media mentions, that point to politically-linked malware attacks in Ecuador by\r\nPackrat. For example, Ecuadorian freedom of expression organization Fundamedios reported that public figures, satirical\r\nnews organizations, the director of Fundamedios, and others, had received suspicious messages and phishing attempts.\r\nFundamedios later updated their reporting to note that Access Now had stated that some of these attacks shared command\r\nand control infrastructure with the malware that was reportedly used to target Nisman. There are also indications on Twitter\r\nof phishing attacks and malware. We have been able to link many of these reports to Packrat.\r\n2.2 Common Techniques\r\nWe observed a range of social engineering techniques used to send malware to Ecuadorian targets. In the cases where we\r\nobserved seeding, we found that the malware was often accompanied by political bait content, frequently relevant to\r\nEcuador’s opposition. In other cases, the seeding was personalized to the intended victim. The most common delivery\r\nmechanism was via Microsoft Word DOCX files containing malicious Java. 
However, in other cases, attackers used fake\r\nupdates.\r\nCommon Seeding Techniques\r\nEmailed as attached malicious files\r\nAs links to malware hosted on sites controlled by the attackers\r\nOn Google Drive or Onedrive\r\nPopups or fake update notifications on politically themed / lookalike sites\r\nPackrat often uses email senders and websites in its social engineering that appear similar to real persons and organizations.\r\nFor example, they registered ecuadorenvivo.co, which looks like the genuine domain of the Ecuador En Vivo news website\r\n(ecuadorenvivo.com). Packrat then sent e-mails purporting to be e-mail news updates (a practice by the real Ecuador En\r\nVivo) from the ecuadorenvivo.co domain.\r\nPackrat also sometimes creates identical paths to real news stories, and hides them under clickable links. For example:\r\nTypical Lookalike Domain\r\nWhat the target sees:\r\nhttp://ecuadorenvivo.com/videos/el-meme-que-volvio-loco-a-correa.html\r\nHREF of the actual malicious link:\r\nhttp://ecuadorenvivo.co/videos/el-meme-que-volvio-loco-a-correa.html\r\n2.3 Three Attacks in Detail\r\nTo illustrate Packrat’s approach, this section describes three recent attacks in detail. The attacks date from between Spring\r\nand Fall 2015. Targets of these attacks include Ecuadorian journalists and public figures.\r\n2.3.1 Attack 1: Email From a Fake Opposition Movement\r\nThroughout April 2015, multiple targets received e-mails from the “Movimento Anti Correista” (English: “Anti Correa\r\nMovement”), a fictitious group (based on open source searches and consultation with individuals familiar with the region)\r\nthat purports to be opponents of Ecuador’s current president, Rafael Correa. The emails contained a Microsoft Word DOCX\r\nattachment containing Adzok malware (See: Section 3. 
The Evolution of Packrat’s Implants), as well as text and graphics\r\nto bolster the fiction.\r\nExample Seeding E-mail from “Movimento Anti Correista”\r\nSeeding text translation:\r\nSubject: Foul Play by Rafael Correa Against the Opposition\r\nBody:\r\nWe are sharing with you this leaked document about President Rafael Correa’s dirty tricks against the opposition\r\n(Open on a PC, this cannot be read on a phone.)\r\nComing soon more leaks on: www[.]movimientoanticorreista.com\r\nThe e-mail seems intended for several purposes. It is obviously designed to trick the target into downloading and viewing\r\nthe document, but it also seems to be an effort to establish the legitimacy of the domain, and the identity of the movement.\r\nThe Malicious Attachment\r\nName: La jugada sucia De Correa ante la oposición.ppt\r\nType: Microsoft Word Document file (.docx)\r\nMD5: ea7bcf58a4ccdecb0c64e56b9998a4ac\r\nEmbedded in this document is software called “Adzok – Invisible Remote Administrator.” Analysis of the malware can be\r\nfound in Section 3: The Evolution of Packrat’s Implants and the configuration of this implant can be found in Appendix\r\nC: Malware Configuration.\r\n2.3.2 Attack 2: You Are Being Spied On!\r\nThis attack is designed to create a sense of fear and concern in the target, leading to the file being opened. The e-mail is\r\ncustomized for the target’s name, and claims that the target is being spied on by SENAIN, Ecuador’s National Intelligence\r\nSecretariat. The attachment purports to be a list of Twitter users spied on by SENAIN. Interestingly, the purported sender is\r\n“Guillermo Lasso,” the defeated challenger in Ecuador’s last presidential election.\r\nSeeding text translation:\r\nSubject: [Target’s Name] spied on by SENAIN\r\nBody:\r\nGreetings, G.L\r\nNote: Open this on your personal computer. 
It can’t be opened by smartphones.\r\nLike Attack 1, the malware is not delivered with an exploit, but rather requires that the victim double clicks on the file and\r\naccepts any prompts before executing it.\r\nThe document instructs the target to click:\r\nEnglish Translation\r\nIn English: TO READ ALL THE TWEETS DOUBLE CLICK ON THE GRAPHIC OF TWITTER\r\nWhen the image is double clicked, the victim is infected with malware from the AlienSpy family. Examining the\r\nconfiguration file of the malware reveals that the malware uses the C2 server daynews.sytes.net, which is a domain\r\ncommon to several Packrat attacks. Interestingly, we found that the same document (identical MD5) was re-purposed for\r\nseveral other attacks.\r\nFile Name | MD5\r\nLOS TUITEROS ESPIADOS POR SENAIN.docx | efc0009d76a2057f86c5f00030378c72\r\nLos trinos de Rafael Correa.docx | efc0009d76a2057f86c5f00030378c82d\r\nDetailed analysis of the malware can be found in Section 3 and the configuration of this implant can be found in Appendix\r\nC.\r\n2.3.3 Attack 3: “Exclusive Information about Correa’s Lies”\r\nThis attack was served via a link to a fake political website hosting malicious content. The e-mail served to direct the victim\r\nto the site. Interestingly, the attack attempts to trick the target into believing that it originates from the legitimate\r\ninvestigative journalism site Focus Ecuador. 
Packrat appears to have acquired the .tk and .info domains of the same name,\r\njust as they had with Ecuador En Vivo.\r\nDe: Focus Ecuador \u003cfocusedtior1@gmail.com\u003e\r\nFecha: [September, 2015 REDACTED]\r\nAsunto: FOCUS ECUADOR ADELANTA EL VIDEO DEL ESCANDALO\r\nPara: [REDACTED]\r\nEl informe sobre las mentiras de Correa: ver video exclusivo: http://focusecuador.tk/\r\nEnglish translation:\r\nFrom: Focus Ecuador \u003cfocusedtior1@gmail.com\u003e\r\nDate: [September, 2015 REDACTED]\r\nSubject: FOCUS ECUADOR THE VIDEO SCANDAL\r\nTo: [REDACTED]\r\nInformation on the lies of Correa see the exclusive video: http://focusecuador.tk/\r\nThe email also contains a tracking image from the domain mesvr.com, which is commonly used by ReadNotify, a service\r\nused to track the delivery of emails. It appears that the attackers were hoping to gain additional information about their\r\ntargets, such as possibly de-anonymizing the IP addresses of targets who might be reluctant to open files.\r\nThe focusecuador.tk lookalike website contained content scraped from the legitimate site, but also showed victims a Flash\r\nupdate notification. When clicked, the link triggered the download of “plugin_video.jar”.\r\nThe Fake Flash Update Notification\r\nThis is not a Flash update, but a bundle of the AlienSpy / Adwind Remote Access Toolkit. When executed, this Java-based\r\nmalware establishes communications with Packrat’s familiar Command \u0026 Control server at 46.246.89.246\r\n(daynews.sytes.net). 
Analysis of the malware reveals an identical configuration to the LOS TUITEROS ESPIADOS POR\r\nSENAIN.docx and the Los trinos de Rafael Correa.docx samples.\r\nAttack 3: Binary\r\nName: plugin_video.jar\r\nType: Java Archive (JAR)\r\nMD5: 74613eae84347183b4ca61b912a4573f\r\nDetailed analysis of the malware can be found in Section 3 and the configuration of this implant can be found in Appendix\r\nC.\r\n2.4 Packrat Speaks!\r\nDuring the course of our behavioral analysis of Attack 3, a Packrat operator began to communicate with one of the Citizen\r\nLab researchers in Spanish and English on an infected machine.\r\nThe taunts were delivered as popups and text displayed in Internet Explorer. The tone was threatening and vulgar. This one\r\nreads “You like playing the spy where you shouldn’t, you know it has a cost: your life!” Some of the messages sound stilted\r\nor non-idiomatic in the original Spanish, which might or might not be intentional, or provide clues as to the native dialect (or\r\nmother tongue) of the operator.\r\nMore Taunts: Translated English and Original Spanish\r\nTranslation | Original\r\nNow you are in trouble! Lammer! | Ahora si estás en líos! Lammer !\r\nYou think you’re living, we have your IP! | Te crees vivo, tenemos tu IP\r\nYou keep analyzing processes | Tu sigue analizando procesos\r\nWe are going to analyze your brain with a bullet and your family too | Vamos a analizar tu cerebro con una bala y en la de tu famila\r\nTake care of your family | Cuida a tu familia!\r\nWe have your picture | Ya tenesmos tu fotografia\r\nYou like playing the spy where you shouldn’t, you know it has a cost, your life! | Te gusta jugar a la espía y meterte donde no debes, pues debes saber que tiene un costo, tu vida!\r\nTake your time and scan processes, we’re going to get you quickly | Analiza tranquilo los procesos, que te llega rapido\r\nSeveral taunts also came through in mangled English:\r\n“We gou You Punk!!” [sic]\r\n“Your are playing with fire, will get burn !”\r\nPerhaps aiming for surprise value, the attackers also used Windows text-to-speech functionality to have the infected machine\r\nplay out some of their Spanish-language taunts.\r\n' VBScript that reads the taunt aloud through the Windows SAPI text-to-speech engine\r\nDim message, sapi\r\nmessage=\"Analiza tranquilo los procesos\"\r\nSet sapi=CreateObject(\"sapi.spvoice\")\r\nsapi.Speak message\r\nThis occurred a second time in October, when the attackers again taunted a researcher, followed by using the implant to\r\nissue a remote shutdown command to the infected device.\r\nIt is unusual, though not unheard of, for attack operators to engage with researchers. This kind of engagement could be\r\nconsidered a serious breach of operational security. Packrat took exception to these unwritten rules. It may be that Packrat\r\nhas experienced other cases of individuals touching their infrastructure, or attempting to analyze their files, especially after\r\nsome of their infrastructure was exposed. Since Packrat prefers to leave the infrastructure online, they may be trying to\r\ndiscourage unwelcome attention.\r\n3. 
The Evolution of Packrat’s Implants\r\nOver the past seven years Packrat has used several different types of malware, much of it off-the-shelf RATs, such as\r\nCybergate, Xtreme, AlienSpy, and Adzok. While these malware families are known to researchers, Packrat typically\r\nobfuscates their malware using a range of tools, including: an unknown VB6 crypter, AutoIt3Wrapper, UPX, PECompact,\r\nPEtite, and Allatori Obfuscator. This layer of obfuscation means that Packrat’s attacks frequently escaped detection by\r\nantivirus when the attacks were deployed. This section describes these tools, roughly grouped into distinct time periods.\r\n3.1. 2008-2014: Packed RATS, Mostly CyberGate\r\nBetween 2008 and 2014, Packrat made extensive use of off-the-shelf RATs encapsulated in AutoIt3Wrapper, a runtime\r\npacker. This packer is written in AutoIt, a compilable scripting language for automating tasks in Windows. The use of an\r\ninitial obfuscation layer seems to have been enough to thwart or at least misguide detection, as well as leverage some basic\r\nanti-debugging techniques.\r\nThe majority of implants that are then dropped and executed appear to be CyberGate RAT. In 2013 and 2014, Packrat seems\r\nto have adopted XtremeRAT as well. Cybergate and Xtreme are both written in Delphi and share code with each other and\r\nother Delphi based RATs, SpyNet and Cerberus.\r\nMany of these attacks included embedded decoy Office documents that are opened at execution of the implant, likely in the\r\ncontext of a targeted attack. Among the documents we found are résumés of purported Brazilian citizens, as well as\r\npurported payment receipts of the Association of Lawyers of Sao Paulo, Brazil.\r\nThese attacks suggest that Packrat had Portuguese speaking targets during this period. 
Based on the specifics of the bait\r\ndocuments, it seems likely that they were Brazilian.\r\nThe majority of the implants we found were configured to beacon back to a Command \u0026 Control, taskmgr.servehttp.com,\r\nalthough a few others include ruley.no-ip.org, lolinha.no-ip.org, and taskmgr.serveftp.com (See Appendix B for a\r\ncomplete list).\r\n3.1.1 Analysis of CyberGate RAT\r\nThe CyberGate RAT samples we analyzed were, as mentioned above, typically wrapped in a layer of AutoIt. Code and\r\nstrings found in the binary indicate that it is based on the Spy-Net RAT version 2.6. This RAT was developed by a Brazilian\r\nhacker using the handle spynetcoder and is outlined on the Spy-Net RAT ‘official’ website.\r\nCyberGate’s Infection Routine\r\nAfter unpacking from the applied runtime packer, CyberGate runs its second stage, which is likely the infection routine.\r\nThis injects the third stage, a DLL, into a running process. Once implanted, CyberGate then deploys a range of techniques\r\nfor persistence and monitoring.\r\nThe third stage module picks from three execution paths (based on mutexes, which can also be set by a prior infection):\r\nPassword gathering (mutex: “_x_X_PASSWORDLIST_X_x_”)\r\nBlock mouse and keyboard input to any other application (mutex: “_x_X_BLOCKMOUSE_X_x_”)\r\nInfection routine\r\nCyberGate Anti Analysis\r\nThe infection routine comes with a set of anti-analysis features packaged in a single function. CyberGate searches for a\r\nrange of virtual and sandbox environments3. It also checks for user space debuggers through the IsDebuggerPresent API,\r\nand for SoftICE and Syser through their respective pipes. 
The malware performs breakpoint detection on the function entries\r\nof the listed anti-analysis features by checking whether the first byte of each function equals 0xCC, the x86 opcode for a\r\nsoftware breakpoint (INT 3).\r\nCyberGate Process Injection\r\nThe infection routine fetches the encrypted implant from the resource section, and upon decryption attempts to inject its\r\nimplant into the Windows system shell process (explorer.exe). If this fails, CyberGate launches an explorer.exe process on\r\nits own, injects its implant into it, and then completes the setup. Additionally, another instance of the CyberGate implant is\r\ninjected into a default browser process, which runs invisibly.\r\nThe infection routine drops a copy of itself into different directories, depending on the Windows version: /System,\r\n/Windows, or /Program Files. The implant’s name varies: taskhost.exe, regedit.exe, or taskmgr.exe are all common. The\r\ninfection routine also writes a copy of the encrypted implant into the %TEMP% directory and names it XX–XX–XX.txt.\r\nTo achieve persistence, the second stage writes registry keys so that CyberGate is run at startup:\r\nHKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\%GUID%\\StubPath: \"C:\\WINDOWS\\System32\\regedit.exe\"\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\Run\\Policies: \"C:\\WINDOWS\\System32\\regedit.exe\"\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\msconfig: \"C:\\WINDOWS\\System32\\regedit.exe\"\r\nPassword Collection\r\nIf tasked with password collection, the second stage binary grabs passwords from a range of locations, including: the No-ip\r\nDynamic Update Client (DUC), MSN messenger, Firefox, and Internet Explorer. 
The credentials are collected from the Windows Registry, browser profiles, the RAS dial-up settings, Local Security Authority (LSA) secrets, MS Protected Storage, MS IntelliForms, and the Windows credential store.

CyberGate's Functionality
The CyberGate implant runs as two instances. The first runs inside the default browser process and acts as the monitoring component. The explorer.exe instance serves as a "watchdog," ensuring persistence and making sure the infector binary on disk does not disappear.
The CyberGate implant has the same credential-stealing capabilities as the infector, extended by routines that also harvest Chrome and Steam credentials. Also inherited from the infector is the same anti-analysis routine protecting it from sandboxes and debuggers.
Beyond the capabilities seen in the infector, CyberGate has a range of features that give an attacker the full spectrum of monitoring and remote-control functionality.
CyberGate capabilities include:
Collecting detailed information about the infected system
Activation and control of the webcam and microphone
Screenshot capture
Blocking user input (e.g. keyboard and mouse)
Control over processes, windows, applications, devices, drives, ports, TCP & UDP connections, the clipboard, registry keys and values, etc.
Control over the filesystem
Download and execution of further binaries
Exfiltration via FTP
Collection of information on installed security products
Interestingly, CyberGate gathers information on installed security products through Windows Management Instrumentation (WMI) by launching cscript.exe on a hardcoded .vbs script.
The script requests the name and version number of installed antivirus and firewall products from the WMI SecurityCenter namespace and dumps the data to a file (the listing below is the script as recovered from the sample, with line breaks restored and comments added; %FILEPATH% is the output path the binary fills in):

    ' Connect to the WMI SecurityCenter namespace on the local machine
    Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")
    ' 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly (forward-only enumerators)
    Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)
    Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)
    Set objFileSystem = CreateObject("Scripting.fileSystemObject")
    Set objFile = objFileSystem.CreateTextFile("%FILEPATH%", True)
    Enter = Chr(13) + Chr(10)
    CountFW = 0
    CountAV = 0
    ' One line per firewall product: "F1) <name> v<version>"
    For Each objFirewall In colFirewall
        CountFW = CountFW + 1
        Info = Info & "F" & CountFW & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter
    Next
    ' One line per antivirus product: "A1) <name> v<version>"
    For Each objAntiVirus In colAntiVirus
        CountAV = CountAV + 1
        Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter
    Next
    objFile.WriteLine(Info)
    objFile.Close

Collected data is stored in dump files on disk and exfiltrated to the remote server component by HTTP or FTP.

3.1.2 Analysis of XTremeRAT
XTremeRAT is commercial off-the-shelf malware, often available cracked, and used to monitor victim machines. While used by apolitical hackers, XTremeRAT has been extensively used by government-linked malware groups to target the opposition during the ongoing Syrian Civil War, as well as by other politically motivated groups in the Middle East and North Africa. It has also been extensively analyzed, and we encourage interested readers to review some of these analyses.
While often packed, XTreme RAT itself has limited stealth and persistence functionality. Its monitoring capabilities are also straightforward. The versions we analyze here have no code obfuscation.
XTreme RAT is implemented as a client/server architecture in which the infected machine acts as the server and the C&C component is the client.
This version of XTreme RAT's capabilities include:
Logging keystrokes
Logging the name of the foreground desktop application
Sniffing the clipboard for passwords
Downloading and executing binaries via HTTP, presumably to install second-stage malware

XTreme RAT operation and keylogging functionality
The XTreme RAT implant sniffs the clipboard contents via the keylogger window, using a clipboard viewer that it also installs. The viewer receives the window message WM_DRAWCLIPBOARD every time the clipboard changes, and so gets access to the clipboard contents. Clipboard and keylogger data are dumped to a .dat file that, along with the configuration file (.cfg), is located in the […]\Application Data\Microsoft\Windows folder of the current user. Both file names are dictated by XTreme RAT's configuration.
XTreme RAT data files:
    C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\RJokLSZBj.cfg
    C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\RJokLSZBj.dat

The dump file is exfiltrated via a push to FTP. XTreme RAT ships with placeholder FTP credentials (ftpuser/ftppass) for ftp.ftpserver.com, which are replaced at runtime with updated values received from the C&C.
The XTreme RAT implant also creates a mutex that follows the same naming scheme as the configuration and dump files (e.g. "RJokLSZBjPERSIST"). The RAT's configuration is fetched from the .rsrc section and is encrypted with RC4 using the key "CONFIG". The same algorithm and key have been seen before in other variants of XTreme RAT.
This variant of XTreme RAT uses explorer.exe as a container for remote threads that carry out specific functions.
Thread injection can happen on at least three occasions.
Possible injections into explorer.exe by XTreme RAT:
A "watchdog" thread that restores the persistence keys and locates and runs the infector binary. To increase stealth, the dropping module changes the timestamp of the dropped infector.
A thread for deleting XTreme RAT's files on disk
The entire keylogging code and FTP push functionality

3.2: 2014-2015 AlienSpy Dominates
Over the past two years, Packrat has been using an evolving family of off-the-shelf malware known as AlienSpy. The software began as the free RAT "Frutas," and was identified in 2013 during a campaign in Mexico. This was subsequently adapted for commercial sale as the "Premium RAT" Adwind. Adwind could be purchased for $75 for a single license, and up to $250 for multiple licenses. Then, by 2014, Adwind was renamed UNRECOM (UNiversal REmote COntrol Multi-platform), and was detected in targeted attacks in the Middle East.
The software was most recently branded "AlienSpy," and was again found by security researchers in targeted spying operations. At the time of this report, the latest repackaging of this RAT is known as JSocket. For the purposes of this report, we refer to all variants of this spyware as "AlienSpy." AlienSpy is a relatively full-featured RAT, with capabilities such as recording the victim's keystrokes, audio eavesdropping via a device's built-in microphone, remote viewing of the desktop, and turning on a victim's webcam "without user notification." AlienSpy has been extensively analyzed by malware researchers, including reports by Proofpoint and Fidelis.

3.2.1 Packrat's AlienSpy Deployment
From 2014 to early 2015, Packrat's preferred technique was to send AlienSpy implants as attachments in phishing e-mails with the extension ".pdf.jar." Windows hides known file extensions by default, so the attachment appears to be a ".pdf" file.
With some minor differences, all the samples from this time period are built in a similar manner. There is an outer .jar (Java archive) file containing a folder named META-INF and two files: Favicon.ico and Principal.class. Upon execution, Principal.class unzips the contents of "Favicon.ico" (not an icon file, but a .zip archive) and looks for a file name containing ".jar".
Contents of Favicon.ico:
    0doc.jar
    1Estrictamente Secreto y Confidencial.pdf
Once it finds the right file (in this case 0doc.jar), it drops it to a randomly named temp file whose name starts with a constant string and invokes Java to run it.
Inside the .jar file from "Favicon.ico":
    META-INF/MANIFEST.MF
    MANIFEST.MF
    ID
    plugins/Server.class
    Main.class
    Estrictamente Secreto y Confidencial.pdf

"Main.class" is obfuscated using Allatori, a Russian-origin JVM obfuscator used by AlienSpy. It reads part of an RC4 key from the file "ID", appends a constant string, and then uses the full RC4 key to decrypt the contents of the top-level MANIFEST.MF, which yields the actual Adwind implant JAR file. Others have written about the operation of Allatori and how to deobfuscate it.

AlienSpy in MS Office Documents
In 2015, Packrat started sending AlienSpy implants embedded in .docx files. The method used to obfuscate these files is more complex, but ultimately similar to the previous technique. A .docx file is a zip container; uncompressing an infected document reveals a file named "oleObject1.bin" under the directory word/embeddings.
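Before looking inside the .docx variant, the following added example (not code from the Citizen Lab report, XTreme RAT or AlienSpy) reproduces in Python the two RC4-protected unpacking chains described so far: the XTreme RAT configuration resource (Section 3.1.2, key "CONFIG") and the layered AlienSpy .pdf.jar, where Favicon.ico is really a zip holding an inner jar whose top-level MANIFEST.MF is RC4-encrypted under a key formed from the "ID" file plus a constant. It also pulls word/embeddings/oleObject1.bin out of a .docx container. Only the key "CONFIG", the file names and the nesting order come from the report; the AlienSpy key constant, the "name=value" layout of the XTreme RAT plaintext, and all sample archives are constructed here for the example.

```python
"""Added example: recover RC4-protected payloads from XTreme RAT and AlienSpy
samples as laid out in the Packrat report. Sample inputs are constructed."""
import io
import zipfile
from typing import Dict, Tuple

XTREME_CONFIG_KEY = b"CONFIG"            # key named in the report
ALIENSPY_KEY_SUFFIX = b"EXAMPLE-SUFFIX"  # ASSUMPTION: the real constant is not given


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                 # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_xtreme_config(resource_blob: bytes) -> Dict[str, str]:
    """Decrypt an XTreme RAT .rsrc configuration blob with the hard-coded key.
    The 'name=value' line layout is a constructed stand-in for the RAT's real
    field encoding, which the report does not describe."""
    plain = rc4(XTREME_CONFIG_KEY, resource_blob).decode("utf-8")
    return dict(line.split("=", 1) for line in plain.splitlines() if "=" in line)


def alienspy_key(id_file: bytes) -> bytes:
    """Key = contents of the inner jar's 'ID' entry + a constant (constant assumed)."""
    return id_file + ALIENSPY_KEY_SUFFIX


def unpack_alienspy(outer_jar: bytes) -> bytes:
    """Outer .jar -> Favicon.ico (a zip) -> first entry containing '.jar' ->
    RC4-decrypt that jar's top-level MANIFEST.MF, which is the implant jar."""
    with zipfile.ZipFile(io.BytesIO(outer_jar)) as outer:
        favicon = outer.read("Favicon.ico")
    with zipfile.ZipFile(io.BytesIO(favicon)) as fav:
        inner_name = next(n for n in fav.namelist() if ".jar" in n)
        inner_jar = fav.read(inner_name)
    with zipfile.ZipFile(io.BytesIO(inner_jar)) as inner:
        # META-INF/MANIFEST.MF is the ordinary manifest; the root-level one is the payload.
        return rc4(alienspy_key(inner.read("ID")), inner.read("MANIFEST.MF"))


def extract_docx_embedding(docx: bytes) -> bytes:
    """Return word/embeddings/oleObject1.bin from a .docx (itself a zip container)."""
    with zipfile.ZipFile(io.BytesIO(docx)) as doc:
        return doc.read("word/embeddings/oleObject1.bin")


def _zip(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_samples() -> Tuple[bytes, bytes, bytes, bytes]:
    """Constructed (xtreme_resource, outer_pdf_jar, docx, implant) inputs whose
    file listings mirror the report; every payload byte here is a placeholder."""
    xtreme_plain = b"ftphost=ftp.ftpserver.com\nftpuser=ftpuser\nftppass=ftppass\nstem=RJokLSZBj\n"
    xtreme_resource = rc4(XTREME_CONFIG_KEY, xtreme_plain)
    implant = b"PK\x03\x04 constructed stand-in for the AlienSpy implant jar"
    id_file = b"7f3a91"
    decoy = b"%PDF-1.4 constructed decoy document"
    inner_jar = _zip({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nMain-Class: Main\n",
        "ID": id_file,
        "MANIFEST.MF": rc4(alienspy_key(id_file), implant),
        "plugins/Server.class": b"", "Main.class": b"",
        "Estrictamente Secreto y Confidencial.pdf": decoy,
    })
    favicon = _zip({"0doc.jar": inner_jar, "1Estrictamente Secreto y Confidencial.pdf": decoy})
    outer_jar = _zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nMain-Class: Principal\n",
                      "Favicon.ico": favicon, "Principal.class": b""})
    docx = _zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>",
                 "word/embeddings/oleObject1.bin": outer_jar})
    return xtreme_resource, outer_jar, docx, implant


if __name__ == "__main__":
    res, jar, docx, implant = build_samples()
    print(decrypt_xtreme_config(res))
    assert unpack_alienspy(jar) == implant
    assert unpack_alienspy(extract_docx_embedding(docx)) == implant
```

Against a real sample, `unpack_alienspy` would be fed the bytes of the .pdf.jar attachment and `ALIENSPY_KEY_SUFFIX` replaced with the constant recovered from the deobfuscated Main.class; the rc4 routine itself is verified against the standard "Key"/"Plaintext" test vector.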
Opening oleObject1.bin, which is itself a .jar, reveals:
    a
    abcdefghijka.class
    abcdefghijkf.class
    abcdefghijkj.class
    abcdefghijks.class
    abcdefghijku.class
    abcdefghijkz.class
    a.txt
    b.txt
    c.dat
    kjmhs
    Main.class
    META-INF
Similar to the obfuscation described above for Packrat's earlier uses of AlienSpy, half of the decryption key is in a.txt. The other half is a string that is decrypted iteratively by the abcdefghijk[a,f,j,s,u,z].class files, using the method and class names of the caller as input.
Persistence is achieved by adding the following registry value (the value data was truncated in our capture):
    "reg.exe" (Access type: "SETVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN", Key: "JAVASE", Value:

3.2.2 Adzok Makes an Appearance
Between 2014 and 2015, Packrat also used Adzok – Invisible Remote Administrator. Similar to AlienSpy in functionality, the Java-based Adzok is apparently from Bolivia. The premium version costs $990, but it appears that Packrat is using the "free" version. This version of Adzok does not use obfuscation, which makes it possible to simply uncompress the jar files within the .docx and read the clear-text configuration file. Given the obfuscated nature of the other RATs that Packrat has used, their use of Adzok is surprising. It is possible that they were having stability, compatibility, or detection problems with the other RATs and that Adzok served a specific requirement.

4. Packrat's Persistent Phishing Campaigns
Packrat is active in phishing, often against the same groups and individuals whom they target with malware. For example, when examining one target of malware attacks, we found that this individual had been targeted by dozens of phishing attempts by Packrat during the same period. The same domains and fake identities that Packrat uses to seed malware are also used to serve phishing, although Packrat also maintains dedicated phishing sites and servers.
While phishing e-mails appeared to be sent regularly, we also observed particular cases in which phishing was apparently sent to targets in response to contacts they made during our investigation.
We have been able to achieve the most systematic visibility into Packrat's campaign against Ecuadorian targets, but have found evidence of targeting in neighboring countries including Venezuela. Packrat uses e-mails, social media messages, and SMSes to deliver phishing messages.
This section describes these phishing campaigns, covering both politically themed and non-politically themed phishing attacks.

Example phishing domains by category:
    Category                        Example Domain                    Note
    Politics & News                 lavozamericana.info               Fake news website
    Governmental - Ecuador          asambleanacional-gob-ec.cu9.co    Lookalike of the Ecuadorian National Assembly's e-mail login
    Political Movement - Ecuador    movimientoanticorreista.com       Fake political movement
    Free E-mail                     mgoogle.us                        Fake Google login

4.1 Non-Politically Themed Phishing Content
One of the most common phishing techniques is lookalike communications from popular webmail and social media sites containing requests for password verification, notifications of unauthorized logins, and so on. Packrat uses a wide range of templates for the major e-mail providers, including Gmail, Yahoo and Hotmail. A majority of the e-mails are in Spanish.
The messages are typically personalized to the targets, including both their names and e-mail addresses.

Translated Message
From: Gmail Team no.response.delivery.es@gmail.com
Subject: [Victim Name], you have a pending warning !
To: [victim email]

[Victim email],
[Victim Name], for security reasons we request that you verify your account below.
To ensure proper use of your account, we request that you verify it.
Click here to verify your account.

Depending on the attack, the phishing message either contains a direct link to the phishing URL or uses a shortener.

4.1.1 Most Recent Non-Political Phishing
Recently, the attackers appear to have slightly varied their technique. We have observed them making extensive use of tinyurl as a shortener, as well as moving their phishing pages to the free host cu9.co. The attackers may have concluded that using a free provider reduced costs and increased flexibility.
Example recent phishing URL and shortener:
    tinyurl.com/nww83ov  yields:  main-latam-soporte-widget-local.cu9[dot]co

4.1.2 Example Non-Political Phishing SMSes
A number of Packrat's targets also received phishing SMSes. The SMSes often use similar language to the phishing e-mails, and in some cases use the same shortened URL. In other cases, the attackers push harder, warning the targeted user that their accounts will be terminated if they fail to follow the link. In at least one case we observed that the messages contained improperly formatted e-mail addresses.

4.2 Politically Themed Phishing
We observed a wide range of e-mails and messages whose content had political overtones. Packrat takes two basic approaches in the attacks we have examined. The first is to create fake political and media organizations. The second is to impersonate well-known groups and high-profile individuals.
Attacks typically took the form of messages and e-mails containing information offered in "solidarity," upsetting information, or other relevant news. A majority of what we observed seemed to be crafted to appeal to opposition elements.
While much of the phishing mimics common free webmail and social media sites, in specific cases Packrat mimicked the e-mail services of high-profile targets, such as the Ecuadorian National Assembly.

4.2.1 Targeting Ecuadorian Parliamentarians
A group we believe to be Packrat has operated a phishing campaign that mimics the Ecuadorian National Assembly's webmail portal. This malicious site prompts the target(s) to enter their e-mail credentials, which are captured via formmail, a technique seen repeatedly in the phishing pages we identified (see below).
Phishing domain:
    asambleanacional-gob-ec.cu9.co
The legitimate domain is:
    http://mail.asambleanacional.gob.ec/

4.2.2 A Typical Credential Harvesting Page
Whatever the bait, the links in the messages typically lead victims (often via a shortener) to a lookalike domain for a free e-mail provider. During the summer of 2015, a frequently observed domain was a lookalike for Google, although there have been many others:
    mgoogle.us

While the attacks were active, mgoogle.us hosted a Spanish-language lookalike of the Google login page.
Once a victim's credentials are entered, they are shown a Spanish-language note "confirming" that their Gmail has been "unblocked" and thanking the victim for "choosing us."
In other cases, Packrat sends "confirmation" e-mails to the original victim, congratulating them on "successfully" verifying their account after credentials are entered.
In specific cases, we found that this e-mail arrived several hours before the phished accounts were accessed.
While the phishing has used different tools to harvest credentials, we find that Packrat makes repeated use of the legitimate online form service formmail.com to receive phished credentials. Formmail is a legitimate HTML form processor that receives the data entered into a form and e-mails it to a configured address; the lookalike login page simply posts the username and password fields to it.

4.3 A Sample of Phishing & Malware Seeding Sites
The attackers control a range of domains that they use to serve both phishing and malware. This section outlines elements of this infrastructure. A more complete list is in Appendix D, but we describe certain domains of interest here. The phishing page mgoogle.us, for example, has resolved to a range of IPs, including:
    IP               First Seen            Last Seen             WHOIS
    198.12.150.249   5/19/2015 6:16:00     9/4/2015 9:51:00      GoDaddy
    50.63.202.57     9/4/2015 12:52:00     10/8/2015 21:44:00    GoDaddy

Of these IPs, the first (198.12.150.249) is particularly interesting. We find that the same IP was used to host a range of other suspect domains with similar themes. For a full list of associated domains, see Appendix D. While some of these domains are lookalikes for login or update pages (e.g. sopporte-gmail.com or login-office365.com), others have a more political angle.
WHOIS record for mgoogle.us:
    Name           Pedro Luis
    Organization   Reterg is
    Address        teredotr
    City           berlin
    State          berlin
    Country        DE Germany
    Phone          +49.454545445
    Private        no
The registrant of the site is enripintos123@outlook.es, whom we find listed as the registrant of a range of other domains. All but two are lookalikes of the login pages of major online services, or suggest updates to services like Java and Android (see Appendix D). The two exceptions are lavozamericana.info and pancaliente.info (see Section 5.
Possible Deception Operations). Both of those domains were registered within the same timeframe as the other registrations of lookalike or confirmed phishing domains.

4.3.1 Lookalike Fake News Sites
The website Ecuador En Vivo (ecuadorenvivo.com) is a legitimate news site; however, the attackers control the lookalike domain ecuadorenvivo.co. Packrat has used this fake domain to send e-mails to targets, either containing attachment-based malware or linking to the site, which has also been used to seed malware via a fake plugin error.
A Twitter user spotted the fake plugin notification in May 2015 and alerted their followers, including a screenshot purporting to show one of the fake plugin alerts.
Similarly, Focus Ecuador (focusecuador.net) is a genuine news website; however, the domain focusecuador.tk is controlled by the attackers and has been observed seeding malware using a fake popup. Examination of the IP hosting focusecuador.tk (193.105.134.27) reveals a long list of obvious lookalike domains (see Appendix D).

4.3.2 A Fake News Organization: The American Voice?
A second interesting domain is lavozamericana.info, which is no longer active. However, we were also able to find a Twitter identity and a string of tweets suggesting that there may have been an effort to establish the legitimacy of the site.
Tweets by voz_americana
Interestingly, the fake identity appears to have had at least some success, as some of the followers of the account appear to be genuine.
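The two pivots used throughout Section 4.3 (domains sharing a hosting IP such as 198.12.150.249 or a registrant such as enripintos123@outlook.es) and the lookalike patterns of 4.2.1 and 4.3.1 (brand token inside an unrelated registrable name, TLD swaps like ecuadorenvivo.co, a free host under cu9.co) can be applied mechanically to a larger domain list. The following is an added example in Python, not code from the Citizen Lab report. The IP and registrant values the report states are used where it states them; cells the report leaves open, the benign control row, the suffix list and the brand table are constructed for the example.

```python
"""Added example: cluster Packrat-style infrastructure by shared IP/registrant
(union-find) and flag lookalike domains. Records are constructed; see comments."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

Record = Tuple[str, Optional[str], Optional[str]]  # (domain, hosting IP, registrant e-mail)

# Stated in the report: mgoogle.us on 198.12.150.249 then 50.63.202.57, registrant
# enripintos123@outlook.es, shared with pancaliente.info and lavozamericana.info;
# sopporte-gmail.com / login-office365.com on 198.12.150.249; focusecuador.tk on
# 193.105.134.27. Cells marked None, and the last row, are constructed.
RECORDS: List[Record] = [
    ("mgoogle.us", "198.12.150.249", "enripintos123@outlook.es"),
    ("mgoogle.us", "50.63.202.57", "enripintos123@outlook.es"),
    ("sopporte-gmail.com", "198.12.150.249", None),
    ("login-office365.com", "198.12.150.249", None),
    ("pancaliente.info", "198.12.150.249", "enripintos123@outlook.es"),
    ("lavozamericana.info", None, "enripintos123@outlook.es"),
    ("focusecuador.tk", "193.105.134.27", None),
    ("ecuadorenvivo.co", None, None),
    ("asambleanacional-gob-ec.cu9.co", None, None),
    ("example.org", "203.0.113.10", "hostmaster@example.org"),  # constructed benign control
]


def cluster_infrastructure(records: Iterable[Record]) -> List[List[str]]:
    """Union-find over domains and pivot values: two domains share a cluster if
    they share an IP or a registrant, directly or through a chain of either."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps the trees flat
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    domains = set()
    for domain, ip, registrant in records:
        domains.add(domain)
        find(domain)
        if ip:
            union(domain, "ip:" + ip)
        if registrant:
            union(domain, "reg:" + registrant.lower())
    groups: Dict[str, set] = defaultdict(set)
    for domain in domains:
        groups[find(domain)].add(domain)
    return sorted(sorted(g) for g in groups.values())


# Brand tokens the report's lookalikes contain -> the legitimate registrable domain.
BRANDS: Dict[str, str] = {
    "google": "google.com", "gmail": "gmail.com", "office365": "office365.com",
    "asambleanacional": "asambleanacional.gob.ec", "ecuadorenvivo": "ecuadorenvivo.com",
    "focusecuador": "focusecuador.net",
}
# Constructed, partial suffix data (a real tool would use the Public Suffix List):
# under these the registrable name is one label deeper, including the free host cu9.co.
EXTRA_SUFFIXES = {"gob.ec", "com.br", "co.uk", "cu9.co"}
HOMOGLYPHS = str.maketrans("01", "ol")  # undo digit-for-letter swaps such as gmai1


def registrable_domain(host: str) -> str:
    labels = host.lower().rstrip(".").split(".")
    depth = 3 if ".".join(labels[-2:]) in EXTRA_SUFFIXES else 2
    return ".".join(labels[-depth:])


def detect_lookalikes(hosts: Iterable[str]) -> Dict[str, str]:
    """Map each host that carries a brand token but is not registered under that
    brand's own domain to the legitimate domain it imitates."""
    hits: Dict[str, str] = {}
    for host in hosts:
        reg = registrable_domain(host)
        flat = host.lower().replace("-", "").replace(".", "").translate(HOMOGLYPHS)
        for token, legit in BRANDS.items():
            if token.translate(HOMOGLYPHS) in flat and reg != legit:
                hits[host] = legit
                break
    return hits


if __name__ == "__main__":
    for group in cluster_infrastructure(RECORDS):
        print("cluster:", ", ".join(group))
    for host, legit in detect_lookalikes([r[0] for r in RECORDS]).items():
        print("lookalike: %-32s -> %s" % (host, legit))
```

The clustering deliberately keeps pivot values as their own nodes, so adding a passive-DNS or WHOIS dump is just more rows; the lookalike check is a first-pass triage, not proof, which is why the report's own mgoogle.us pivot (shared IP, then shared registrant) is what ties the political sites to the phishing pages.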
While lavozamericana.info is no longer active, Google's cache indicates that a phishing page was hosted on the site.
While we have received reports that individuals targeted by Packrat lost access to their iCloud accounts during the timeframe of this attack, we have been unable to verify conclusively whether Packrat was responsible.

4.3.3 A Fake Opposition Movement
A number of the targets we identified had received e-mails and messages purporting to come from movimientoanticorreista.com, including the example Attack 1 above. The same domain was also mentioned in a recent report by an Ecuadorian NGO on malware attacks against journalists in Ecuador. We found malware-seeding messages associated with this domain, typically sent by movimiento.anti.correista@gmail.com.

Another Anti-Correa Movement E-mail (original, Spanish)
De: Movimiento Anti Correista <movimiento.anti.correista@gmail.com>
Fecha: [REDACTED: April 2015]
Asunto: DOCUMENTOS FILTRADOS DEL GOBIERNO CORREISTA – EL SILLON MILLONARIO Y LAS ACTIVIDADES CORRUPTAS
Para: [REDACTED]

SALUDOS ESTIMADO,
Compartimos con usted nuestro nuevo sitio web en el cual estaremos publicando información del corrupto gobierno de Rafael Correa.
DESCARGUE LOS DOCUMENTOS DE: www.movimientoanticorreista.com

Translated E-mail
From: Anti Correa Movement <movimiento.anti.correista@gmail.com>
Subject: LEAKED DOCUMENTS FROM THE CORREISTA GOVERNMENT – THE ARMCHAIR MILLIONAIRE AND CORRUPT ACTIVITIES
To: [REDACTED]

ESTEEMED GREETINGS,
We are sharing with you our new website where we will publish information about the corrupt government of Rafael Correa.
DOWNLOAD DOCUMENTS FROM: www.movimientoanticorreista.com

4.4 A Window Into Campaign Scope
Several moves by Packrat gave us access to more systematic information about the scope of their attacks.
During much of 2015, we observed that Packrat regularly used the same bit.ly link in a range of attacks:
    http://bit.ly/1wl3YE2
This link was created on Oct. 31, 2014 by an anonymous sharer. Examining the public statistics for the bit.ly link, we were able to see a superficial overview of the volume, timeframe, and basic geographic distribution of clicks.
The distribution of clicks is particularly interesting, and suggests that a majority of the hits were located in Ecuador, with others in Argentina, Germany, the United States, Spain, Uruguay, and Venezuela. The absence of Brazil is not necessarily surprising: if the attackers continue to phish in Brazil, they are likely using separate, Portuguese-language sites. This provides an indirect window into the location of Packrat's targets.
A majority of clicks (322) came from direct link clicks rather than from link shares elsewhere. While this particular bit.ly link was not extensively clicked on social media sites, Packrat does use social media for some seeding.

4.5 Note: Lots of Phishing, Not All of It Linkable
The investigation yielded a high volume of Spanish-language phishing attacks against the same individuals that Packrat targeted; however, for a number of reasons we were unable to link much of this phishing activity to Packrat. One of the most notable and high-volume campaigns that we identified used the domain gmail.com.msg07.xyz and masqueraded as a range of account notifications from popular providers including Gmail. Typically these messages displayed as originating from e-mail addresses like "no-responder@supportgmai1.com" (note the digit 1 in place of the letter l). In some cases, individuals received these messages almost weekly over long periods of time.

5. Possible Deception Operations
Not all of the domains associated with this group appear to have been built to spread malware or to trick victims into entering their passwords.
Several domains are extensively built out and currently maintained, and appear to be designed to convey the impression of active news media sites. Some of these sites contain "original" news stories and "leaks" about political figures. At least two of these sites seem Venezuela-specific, while a third is Ecuador-oriented.

What makes these three fake organizations exceptionally interesting is that we have found no evidence that they are used to seed malware or conduct phishing, either directly or as pretexts for messages. While it may be that we simply lack visibility into the targeting, it may also be that the pages and identities serve another function. They may be attempts to seed false information, or they might serve as watering holes to attract individuals that Packrat or its sponsors wish to monitor. They may also be coupled with other operations into which we have no visibility.

5.1 Anti-Chavez: The Very Strange Case of pancaliente.info
Update: immediately prior to the publication of this report the pancaliente.info site went offline. The site is still viewable in Google's cache. The second domain of this type (chavistas24.com) remains online.
One of the most interesting domains also hosted on 198.12.150.249 is pancaliente.info. At first glance this is a Venezuela-focused news and information site. Unlike all of the other sites hosted on this IP that we could verify, this site appeared to have a large volume of original content presented in a news format.
Nevertheless, the site has many links to the other domains.
While the domain registration is currently masked, the registration e-mail is shared with other phishing sites. The record, as captured before the WHOIS was made private (domain, registrar, registrant e-mail, a second contact address, creation date, phone):
    pancaliente.info | GoDaddy.com, LLC (R171-LRMS) | enripintos123@outlook.es | ns1@hostinger.ru | 10/25/2014 | 49454545445
The phone number matches the one in the mgoogle.us WHOIS record above. The registration can still be verified in historical WHOIS, although pancaliente.info's current WHOIS is private.
Examining more closely, much of the content seems intended to appeal to Venezuelans at home and abroad who oppose the Partido Socialista Unido de Venezuela (PSUV, the party of Hugo Chavez). Some of the reports are intriguing because they describe private documents seemingly obtained by the site (and of questionable veracity), but without further information about their origins.
In other cases, the site has published purportedly "leaked" documents. Many of these stories are critical of individuals linked to the PSUV. Many reports also concern the "expat" community of Venezuelans who oppose the regime from overseas, especially the diaspora in Spain.

PanCaliente is referenced elsewhere online, such as in an apparently leaked document hosted on SlideShare. Some of its reports also appear to have been excerpted or cited by other online news sites.
Although there seems to be a great deal of content, PanCaliente's articles do not have bylines. While the site is linked with a very active Twitter account (https://twitter.com/pancalienteve), the associated Facebook profile (facebook.com/pancalienteok) is sparse.
The Wayback Machine makes it clear that PanCaliente has only recently become active.
Interestingly, some of the first reports published on the site appear to have been written when the site was being demoed under a different name and identity, "Venezuela365.com."

The many images of this alternate logo as it went through its iterations are publicly visible. Also still online is at least one report that still refers to the site as Venezuela365. Interestingly, that first "report" refers to "secret" information, including a reproduction of a purported cheque, without explaining its provenance.
    http://pancaliente[.]info/los-negocios-secretos-de-leocenis-garcia-y-gonzalo-tirado/
"García demandó a Tirado en un corte de Miami cuando el empresario le dio al periodista un cheque falso al cual Venezuela365 tuvo acceso."
(Translation: "García sued Tirado in a Miami court after the businessman gave the journalist a fake cheque, to which Venezuela365 had access.")
The source of this page also contains links to the now-defunct venezuela365.com:
    http://venezuela365.com/wp-content/uploads/2014/10/tirado-g-300×169.jpg
An identically named image is now hosted on pancaliente.info, in an identical directory.
The venezuela365.com domain was registered behind DomainsByProxy; however, previous WHOIS records name Sistekon Corp as a prior registrant. Sistekon Corporation now seems to be defunct, although its information is still on archive.org, and indicates that it developed IT software as well as selling various security solutions.
Given that the domain expired in 2013 but was re-registered in 2014, at around the same time as pancaliente.info, the link to Sistekon may be coincidental.
We found no evidence that PanCaliente or Venezuela365 was ever used to seed malware or conduct phishing attempts, either directly or as a pretext for malicious content.

5.2 And Pro-Chavez: Chavistas24.com
The domain chavistas24.com, whose name refers to supporters of former Venezuelan president Hugo Chavez, also has a range of content that is apparently supportive of the party.
Chavistas24.com similarly has an associated Twitter account that pushes out tweets, mostly referencing stories published on the website.
Tweets by chavistas24

We found no evidence that chavistas24.com was used to phish or send malware, either directly or as a pretext for malicious content or messages.

5.3 Seeking Angry Police?
Packrat appears to be interested in attracting dissatisfied members of Ecuador's National Police, and has created a website (justicia-desvinculados.com) and a social media identity built around "Los Desvinculados," referring to officers dismissed from Ecuador's National Police, possibly in the context of corruption inquiries.
The website, which also includes a login section, contains news and highly critical reports about the Ecuadorian government.
Ecuador's police have previously been involved in protests over benefit cuts that some have seen as one of the strongest threats to Ecuadorian President Rafael Correa's rule.
The social media component of this creation, including a Twitter page of the same name (twitter.com/justdesvincula2), further develops the identity.

As with the two other operations described in this section, we have been unable to identify malware or phishing associated directly or indirectly with Justicia Desvinculados.

Part 6: The Challenge of Attribution
The evidence presented in this report points to a coordinated and persistent campaign with a regional focus. Naturally, this raises questions about attribution. This section assesses two competing hypotheses: Hypothesis 1, that Packrat is state-sponsored, and Hypothesis 2, that Packrat is not state-sponsored. For each hypothesis we provide one or more scenarios that we consider plausible versions of the hypothesis.

6.1 Hypothesis 1: Packrat is State-Sponsored
6.1.2 Examining the Target List
The list of known targets is full of influential people whose activities could have an impact on the domestic and regional political standing of regimes in several countries. Where we have been able to identify individuals who have been targeted, we find vocal, strong regime critics and independent journalists in Ecuador and Argentina. Interestingly, Packrat has also targeted parliamentarians and others within the government of Ecuador.
This diversity of targets with (possibly) opposing positions is a common theme in the data.
In other cases, we find phishing and malware-seeding websites, e-mails and messages with obviously political themes. Packrat created fake political organizations, whose identities, logos, and websites are then used to seed phishing attacks and malware. These materials seem designed to appeal primarily to both critics and (some) members of the governments in Ecuador and Venezuela. We also believe that there are targets in other countries, including Brazil, but have limited information about who they are.
These are the kinds of targets who would be of interest to an intelligence or security service in the region, especially one not equipped to directly and passively monitor all of the communications of its targets. The multiple nations reflected in the seeding and targeting further suggest that the sponsor(s) of this activity would be interested in the opponents of several regimes.

6.1.3 Motivation for Disinformation Campaigns
We see a range of fake websites touching on political themes, but not obviously used to seed malware. While some of these sites share registration details with malware-serving sites, they differ by having extensive content, and show no evidence of having hosted malicious files or phishing pages, or of having been used as pretexts for campaigns, as is common with Packrat. The content reflects extensive effort, as does the backstopping with identities on social media sites.
There seem to be three possible explanations for these pages. First, the pages may be an attempt to create credible fake organizations that can be used to actively promote disinformation, interspersed with real news.
Second, the pages may serve\r\nas honeypots, used to attract targets, either to identify and possibly manipulate them, or to build trust that could then be used\r\nin malware attacks. Finally, the pages may be part of information-gathering operations that have other components of which\r\nwe are not aware.\r\nWhile it would not be surprising for a political movement or well-funded set of interests to engage in these activities in one\r\ncountry, Packrat has done so in multiple countries. It is not clear what group, beyond a state, would be interested in this kind\r\nof activity, and have the resources to support it.\r\n6.1.4 Ability to Pay\r\nThe hosting and domain registrations necessary to maintain this campaign infrastructure for more than seven years clearly\r\nhave associated costs. The human labor associated with creating and maintaining the many fake websites we have observed\r\nis also costly. This is especially true for the websites with substantial “original” content, such as PanCaliente. Finally, the\r\nextensive and personalized targeting clearly reflects substantial human effort.\r\nThe cost of this campaign suggests that Packrat is either well-resourced, or has sponsors who can pay for server space and\r\ntime, as well as the costs of Packrat’s operators. We see no evidence of targeting with out-of-scope seeding materials, such\r\nas industry, business or the financial sector. Given the cost of the campaign, it is difficult to see who, beyond a state or an\r\norganized entity with political aspirations, would both want the information, and be in a position to pay for it.\r\n6.1.5 Clues That Packrat Feels ‘Safe’\r\nWhen the first reports were published on the Nisman and Argentine targeting in early 2015, some of Packrat’s infrastructure\r\nwas exposed. Nevertheless, much of the infrastructure has remained online. From a pragmatic point of view this makes\r\nsense.\r\n
If Packrat had successful implants operational at that time, taking the infrastructure offline would close that access.\r\nPackrat would have had to engage in a process of pushing out updated implants to the infected computers that connected to a\r\nnew host. This time-consuming process would also be prone to failure and possible detection.\r\nIf Packrat were afraid of criminal punishment in their country of residence, it would have been natural to take the servers\r\noffline once exposed. Their interlinked infrastructure can be used to investigate, as we did, the broader structure of their\r\ncampaigns. In the hands of a law enforcement agency, these active servers could potentially be traced back to the responsible\r\nparties.\r\nThe fact that the servers remain online suggests that Packrat is operating purely on practical concerns, which do not include\r\nfear of the authorities. We take this to suggest that they may enjoy a degree of protection in the country or countries in which\r\nthey operate.\r\nWhile it is less conclusive, their taunts of a Citizen Lab researcher also suggest a degree of confidence that these actions will\r\nnot have consequences for them. Given their decision to keep their infrastructure online, this researcher may not have been\r\nthe first (or the last) to bother them by analyzing one of their attacks.\r\n6.1.6 Two Scenarios of State Sponsorship\r\nIn this section we present two possible scenarios for state sponsorship. The data we have presented in this report could be\r\nexplained by either of these possibilities (or by the scenario outlined for Hypothesis 2: Non State Sponsor).\r\nScenario 1: A Single State Sponsor\r\nThere are several possible explanations for the targeting we see. It is possible that Packrat is working for a single\r\nintelligence or security service, and that these activities all reflect that service’s targeting.\r\n
Such a service would, potentially,\r\nwish to keep tabs on many groups, including its own opponents, the opponents of friendly governments, and possibly\r\nfriendly governments themselves.\r\nThe strong representation of ALBA (Bolivarian Alternative for the Americas) countries, and their recent “fellow-travelers”\r\n(Argentina included, although it has recently changed ruling parties), among the locations of targeting may be instructive.\r\nThe leaders of these countries are widely seen as political allies on the leftist spectrum, although Argentina’s most recent\r\nelection in November 2015 elected a president who seems to reject this relationship. The governments of Ecuador and\r\nVenezuela, meanwhile, are especially close allies, although it is unclear how this will evolve given Venezuela’s very recent\r\nelections.\r\nSome may jump to interpret public reports of malware attacks targeting opponents of the Ecuadorian government as\r\nconclusive evidence of official Ecuadorian government involvement with Packrat. They may also point to previous reports\r\nthat Ecuador’s domestic intelligence agency reportedly used the commercial trojan made by Hacking Team to target at least\r\none dissident. However, the presence of targets within the Ecuadorian parliament and possibly elsewhere in the\r\ngovernment challenges any simplistic theory of Ecuadorian government sponsorship, but does not completely rule it out,\r\nas intra-governmental rivalries or other dynamics could be at play.\r\nScenario 2: Mercenary Work for One or More Government Sponsors\r\nThe range and diversity of regional targets, which includes the opponents of several regimes, as well as those same\r\ngovernments’ supporters in some cases, could be taken as indicating that the threat actor group is reusing the same\r\ninfrastructure for campaigns on behalf of multiple client governments at once.\r\n
It is possible, for example, that Packrat is in\r\nthe “address book” of multiple clients, and reuses the same infrastructure for multiple campaigns.\r\n6.2 Hypothesis 2: Packrat is Not a State Actor\r\nAlthough some of the evidence we have outlined above provides circumstantial support for state sponsorship, other features\r\nof Packrat’s activity are not so clear. This section briefly lays out the most salient of these pieces of evidence: lack of\r\ntechnical sophistication. We evaluate this fact, and then briefly note a potential scenario for non-state sponsorship.\r\n6.2.1 Lack of Use of Technically Sophisticated Tools\r\nThe malware used by this campaign is primarily Commercial Off-The-Shelf (COTS) RATs, not boutique or tailor-made\r\nimplants. Nor is it the commercial malware sold to governments by companies like FinFisher and Hacking Team.\r\nAdditionally, the attackers do not make use of exploits for their malware seeding. The lack of exploits very likely hampers\r\nthe efficacy of many attacks. For example, some of the bait documents instruct victims to double-click on an icon in the\r\ndocument. This is cumbersome, and is more likely to result in failed attacks or discovery. A threat actor with the direct\r\nsupport of a government might have access to more sophisticated malware and exploits.\r\nHowever, it is well documented that not all government-linked malware groups make use of sophisticated malware or\r\nexploits. Prior research by Citizen Lab, for example, has shown that state-sponsored groups targeting civil society often use\r\nthe minimum necessary technical sophistication in their campaigns. Why use more sophisticated or esoteric techniques when\r\nsimpler tools suffice?\r\n
Other research on government-linked hacking groups in the Middle East also suggests that these\r\ngroups persist in exploit-less targeting, perhaps because it is inexpensive, and that it nevertheless achieves a minimum\r\nsatisfactory level of infections.\r\nUltimately, the reliance on COTS malware and lack of exploits does not enable us to draw many conclusions. However, it\r\ndoes have one feature worth noting: by extensively obfuscating COTS malware, the attackers are nevertheless able to deliver\r\nmalware that is effective at evading detection while simultaneously being difficult to attribute. That said, since obfuscated\r\nmalware is also common in criminal hacking, the pairing of crimeware and obfuscators does not weigh either way on this\r\nhypothesis.\r\n6.2.2 Scenario: Non-State Group\r\nIt is impossible to reject the possibility that Packrat is a criminal or non-state group. Such a group could, in theory, be a\r\nsupporter of an opposition political movement, or have other interests in the critics of regimes. There are a range of powerful\r\nnon-state groups in South America, including cartels and others involved in illegal trafficking, who would certainly have the\r\nability to pay for these operations. Nevertheless, given the particular targets we are aware of, we are unsure of why these\r\nindividuals would be of primary interest to groups involved in illegal activities.\r\nAnother possibility, also unfalsifiable, is that a non-government group with political ambitions is responsible for Packrat.\r\nSuch a group might be particularly interested in potential allies or sources of instability, as well as governments.\r\n6.3 Adjudicating Between Competing Hypotheses\r\nUltimately, this report does not provide sufficient data to conclusively adjudicate between hypotheses.\r\n
However, we think\r\nthat the best fit, which is still circumstantial, is that the ultimate recipient of the information collected by Packrat is likely\r\none or more governments in the region.\r\n7. Conclusion\r\nThis report described a seven-year campaign with targets in several Latin American countries. While there are many well-known threat actors in Latin America, many of the most visible are engaged in cybercrime. What distinguishes Packrat is the\r\nextensive and often ingenious targeting of political figures, journalists and others. They are also distinguished by their ability\r\nto remain active over such an extended period, seemingly unfazed by discovery.\r\nPackrat highlights the extent to which multi-year campaigns can be run using limited technical sophistication and a lot of\r\ncreativity. From a technical perspective, they rely almost entirely on off-the-shelf RATs and packers to evade antivirus\r\ndetection. Where they excel is in the time and effort spent to create detailed and moderately convincing fake organizations to\r\nseed their malware.\r\nTheir persistence, and their willingness to keep using domains even after they are exposed, suggest that exposure of their\r\ninfrastructure is not an existential threat. Their threats and taunts are similarly brazen.\r\n
This strongly suggests, but does not\r\nprove, that Packrat operates with a perception of safety.\r\nUltimately, this report does not conclusively attribute Packrat’s activities; however, we hope that by exposing their activities,\r\nwe have provided encouragement to others to continue to follow the thread.\r\nNote: The Precarious Position of Media in Latin America\r\nWhile we discourage a direct link between specific incidents of non-digital harassment of journalists and Packrat, the case\r\nhighlights the difficult situation faced by journalists and freedom of expression supporters in countries like Ecuador.\r\nIn Ecuador, for example, numerous observers, including the United Nations Special Rapporteur for Freedom of Expression,\r\nhave expressed concern that the freedoms afforded to journalists continue to be constricted. In Ecuador journalists, and even\r\ncartoonists, have faced apparent retaliation for political speech. Journalist Martha Roldos, for example, had personal e-mails\r\nexposed in the press, and recordings of her conversations played in public. Freedom of expression and journalism\r\norganization Fundamedios, which has documented over 600 attacks against journalists from 2008-2012, has faced forced\r\nshutdown. Interestingly, both Roldos and Fundamedios were also targets of Packrat.\r\n
While we have no evidence linking the\r\nperpetrators of these actions to Packrat, nor reason to believe the sponsor is the same, the targeted malware that we describe\r\nonly adds to the threats these individuals and organizations face.\r\nAcknowledgements\r\nRon Deibert, Masashi Crete-Nishihata, Adam Senft, Irene Poetranto, Jakub Dalek and Sarah McKune of the Citizen Lab for\r\nhelpful feedback and editing assistance.\r\nKevin Breen for helping with the analysis of CyberGate RAT samples.\r\nPassiveTotal and Brandon Dixon.\r\nSteven Adair / Volexity.\r\nCisco’s AMP Threat Grid Team for data correlation.\r\nOther researchers and investigators who wished to remain anonymous but provided exceptionally helpful assistance,\r\nespecially PFlash.\r\nIOCs\r\nThe Citizen Lab Github has a range of Packrat IOCs available here for download as CSVs.\r\nAppendix A: Search Query\r\nThis is a version of our search that can be run in your inbox to determine whether you have received some of the e-mails we\r\nknow of from this group. It is very possible that the query may yield false positives, so a “hit” is not itself a cause for\r\nalarm. We encourage you to carefully scrutinize any results before drawing conclusions. Importantly, even if the query fails\r\nto find results, this does not indicate that you have not been targeted, only that your inbox does not contain the targeting\r\nmaterials that we are familiar with, and that can be searched for without an overwhelming false positive rate.\r\nYou can complete this query by following the steps described in this Google Document, which is based on indicators found\r\nin previous Packrat e-mails (like email senders and malicious URLs).\r\n
Note that some of the sender emails look very similar\r\nto legitimate e-mails of real people.\r\nAppendix B: Malware Samples\r\nMD5 C\u0026C Family\r\ndd1101adc86fd282f5f183942cc2f3b7 wjwj.no-ip.org, ruley.no-ip.org, lolinha.no-ip.org CyberGate\r\n2d722592a4e3c8030410dccccb221ce4 wjwj.no-ip.org CyberGate\r\nd2adecc6287dd4d559fe6ce2ce7a7e31 wjwj.no-ip.org, ruley.no-ip.org, lolinha.no-ip.org Cybergate (suspected)\r\n93b630891db21a4a2350280a360c713d ruley.no-ip.org, wjwj.no-ip.org, lolinha.no-ip.org CyberGate\r\na73351623577f44a2b578fed1e78e37e ruley.no-ip.org, wjwj.no-ip.org CyberGate\r\n5a8975873f52436377d8fb0b5ab0d87a ruley.no-ip.org CyberGate\r\ned8d7ed45b64890b8901b735018318f3 ruley.no-ip.org, wjwj.no-ip.org CyberGate\r\nc2237e9d415f542ce6e73adb260af123 wjwj.no-ip.org Xtreme RAT\r\n2827450763b55c5e71fda3caaf8e75f9 wjwj.no-ip.org Xtreme RAT\r\nbc97437fec7e7e8634c2eabae3cc4832 ruley.no-ip.org, taskmgr.serveftp.com CyberGate\r\nd7f34168b1a7dd7cbd8e62a5ab1ebc0e taskmgr.serveftp.com, taskmgr.servehttp.com Xtreme RAT\r\n6c34d4296126679d9c6a0bc2660dc453 taskmgr.servehttp.com, taskmgr.serveftp.com CyberGate\r\nefc0009d76a2057f86c5f00030378c72 daynews.sytes.net AlienSpy\r\n74613eae84347183b4ca61b912a4573f daynews.sytes.net AlienSpy\r\nd2f151312f7dee2483ddcab9766b56db daynews.sytes.net AlienSpy\r\nea7bcf58a4ccdecb0c64e56b9998a4ac daynews.sytes.net Adzok\r\n1e4265a0c37773c2372b97bb6630ae57 daynews.sytes.net Adzok\r\n08a3bb5b220eb1e0dc2ecccbbc6859f5 daynews.sytes.net Adzok\r\n2de51e74fd571319bbf763ec62781096 deyrep24.ddns.net AlienSpy\r\n8fb96dfab7e4c0acb1eb9f4e950ba4b9 deyrep24.ddns.net AlienSpy\r\n4a23a1d6779d199aaa582cf0a5868ad1 deyrep24.ddns.net Adzok\r\n0ae0038ffe8cf5c3170734a71ff2213d deyrep24.ddns.net AlienSpy\r\n8e0f021dcbbfa586a1c6780e77ac0fb6 taskmgr.servehttp.com CyberGate\r\na74ef893b1bf21c9df6d8e31285db981 taskmgr.servehttp.com CyberGate\r\na988235ad7d47acbeca5ccb4ea5a1ed5 taskmgr.servehttp.com CyberGate\r\n15ebe16cd9500de534d5bfd5eeceaf73 taskmgr.servehttp.com CyberGate\r\n01dec1b1d0760d5a1a562edcfeb478d1 taskmgr.servehttp.com CyberGate\r\n1e6d0b59d4fb7650453c207688385f3a taskmgr.servehttp.com CyberGate\r\ne03be1849ad7cecba1e20923074cd22f taskmgr.servehttp.com CyberGate\r\n779a79c11f581b84e7c81f321fd8d743 conhost.servehttp.com CyberGate\r\n13d939b2412c6adbab3cc1b539166671 conhost.servehttp.com, dllhost.servehttp.com CyberGate\r\n7b2cb5249d704cb1df8d4210e7c3d553 dllhost.servehttp.com, conhost.servehttp.com CyberGate\r\na09f100ddc7cf29f8a93a3d7a79c58b9 taskmgr.servehttp.com CyberGate\r\nce6065346a918a813eeb58bbb0814a23 taskmgr.servehttp.com CyberGate\r\nea50bf8abcf9c0c40c4490dc15fb0a2a taskmgr.servehttp.com CyberGate\r\n3a61d64986ee6529cee271ab6754faa5 taskmgr.servehttp.com CyberGate\r\n695db7dd3b1daf89f2c56d59faecc088 taskmgr.servehttp.com CyberGate\r\nAppendix C: Malware Configuration\r\nCyberGate RAT Configuration\r\nAll Packrat’s CyberGate samples seem to have been configured roughly in the same way, with only occasional changes in\r\nthe Command \u0026 Control domains and port.\r\n
The following configuration, for example, has been extracted from\r\n01dec1b1d0760d5a1a562edcfeb478d1:\r\nKey Value\r\nActivate Keylogger TRUE\r\nActive X Startup {C452W6HW-7DQ6-8U8P-2730-EI158IF7748K}\r\nChange Creation Date TRUE\r\nCyberGate Version  \r\nDomain taskmgr.redirectme.net|taskmgr.servehttp.com|\r\nEnable Message Box FALSE\r\nFTP Address ftp.server.com\r\nFTP Directory Value ./logs/\r\nFTP Interval 30\r\nFTP Password +\r\nFTP Port 21\r\nFTP UserName ftp_user\r\nGoogle Chrome Passwords  \r\nHide File TRUE\r\nInstall Directory System32\r\nInstall File Name taskhost.exe\r\nInstall Flag TRUE\r\nInstall Message Box Arquivo Extraido com sucesso\r\nInstall Message Title Ok\r\nKeylogger Backspace = Delete FALSE\r\nKeylogger Enable FTP FALSE\r\nMelt File FALSE\r\nMessage Box Button 0\r\nMessage Box Icon 64\r\nMutex ***MUTEX***\r\nP2P Spread  \r\nPassword abcd1234\r\nPersistence TRUE\r\nPort 2012|2008|\r\nProcess Injection Disabled\r\nREG Key HKCU msconfig\r\nREG Key HKLM msconfig\r\nServerID desp\r\nStartup Policies Policies\r\nUSB Spread FALSE\r\nWhen no decoy Office document is added to the AutoIt3 stub, they normally enabled the Message Box and used “Arquivo\r\ncorrompido” as the message.\r\n
Additionally, the ServerID value seems to change, including additional values like ley, vtima,\r\nEmais 10.\r\nXtreme RAT Configuration\r\nFollowing is the configuration for one of the XtremeRAT samples employed by Packrat\r\n(c2237e9d415f542ce6e73adb260af123):\r\nKey Value\r\nActiveX Key {5460C4DF-B266-909E-CB58-E32B79832EB2}\r\nDomain1 wjwj.no-ip.org:200\r\nDomain2 wjwj.no-ip.org:250\r\nDomain3 lolinha.no-ip.org:200\r\nDomain4 lolinha.no-ip.org:250\r\nDomain5 :0\r\nFTP Folder  \r\nFTP Password ftppass\r\nFTP Server ftp.ftpserver.com\r\nFTP UserName  \r\nGroup Servers\r\nHKCU HKCU\r\nHKLM HKLM\r\nID Server\r\nInjection %DEFAULTBROWSER%\r\nInstall Dir InstallDir\r\nInstall Name regedi.exe\r\nMsg Box Text Ocorreu um erro inesperado ao iniciar o programa.\r\nMsg Box Title Erro\r\nMutex RJokLSZBj\r\nVersion 3.5 Private\r\nAdzok Configuration\r\nMD5: ea7bcf58a4ccdecb0c64e56b9998a4ac\r\nAdzok Free\r\nChrome\r\nJava\r\n7854\r\ntrue\r\n7777\r\ndaynews.sytes.net\r\ntrue\r\nAdwind Variant Configuration\r\nefc0009d76a2057f86c5f00030378c72 LOS TUITEROS ESPIADOS POR SENAIN.docx\r\n‘DELAY_CONNECT’: 1,\r\n‘DELAY_INSTALL’: 1,\r\n‘INSTALL’: true,\r\n‘JAR_EXTENSION’: ‘Java.txt’,\r\n‘JAR_FOLDER’: ‘Cas436FlashJava’,\r\n‘JAR_NAME’: ‘Cas934FlashJava’,\r\n‘JAR_REGISTRY’: ‘JavaSE’,\r\n‘JRE_FOLDER’: ‘RoUndCuBe’,\r\n‘NETWORK’: [{‘DNS’: ‘daynews.sytes.net’, ‘PORT’: 1090}],\r\n‘NICKNAME’: ‘Java’,\r\n‘PLUGIN_EXTENSION’: ‘txt’,\r\n‘PLUGIN_FOLDER’: ‘Cas754FlashJava’,\r\n‘VBOX’: false,\r\n‘VMWARE’: false\r\nAppendix D: Seeding Domains\r\nDomains resolving to 198.12.150.249\r\nDomain First Seen Last Seen\r\nsoporte-yahoo.com 10/20/2014 0:00:00 10/20/2014 0:00:00\r\nupdate-outlook.info 10/21/2014 0:00:00 10/21/2014 0:00:00\r\ndeyrep.com 12/19/2014 0:00:00 12/19/2014 0:00:00\r\nsupport-whatsapp.com 1/23/2015 20:39:00 1/23/2015 20:39:00\r\ndeyrep.com 1/30/2015 14:23:00 9/8/2015 5:19:00\r\nblackboxmusic.co 1/31/2015 0:00:00 1/31/2015 0:00:00\r\nwww.blackboxmusic.co 1/31/2015 0:00:00 1/31/2015 0:00:00\r\nblackboxmusic.co 1/31/2015 10:11:00 2/21/2015 6:08:00\r\nwww.blackboxmusic.co 1/31/2015 10:11:00 2/7/2015 1:14:00\r\nmail-account-update.com 2/1/2015 1:59:00 2/1/2015 1:59:00\r\nsoporte-yahoo.com 2/6/2015 6:57:00 9/8/2015 5:30:00\r\nsoporte-gmail.com 2/6/2015 7:20:00 10/8/2015 5:03:00\r\nlogin-office365.com 2/24/2015 0:00:00 2/24/2015 0:00:00\r\nlavozmericana.info 2/26/2015 0:00:00 2/26/2015 0:00:00\r\nsupport-java.com 2/28/2015 0:00:00 2/28/2015 0:00:00\r\npancaliente.info 3/6/2015 16:02:00 10/18/2015 5:42:00\r\npancaliente.info 3/10/2015 0:00:00 3/10/2015 0:00:00\r\npancaliente.info 3/10/2015 9:02:00 10/17/2015 5:31:00\r\nlogon-outlook.com 4/1/2015 0:00:00 4/1/2015 16:50:00\r\nmovimientoanticorreista.com 4/24/2015 0:00:00 4/24/2015 0:00:00\r\nlogin-office365.com 5/19/2015 4:26:00 9/8/2015 5:24:00\r\nlogon-outlook.com 5/19/2015 6:15:00 9/8/2015 5:24:00\r\nmgoogle.us 5/19/2015 6:16:00 9/4/2015 4:36:00\r\nlavozamericana.info 5/19/2015 6:21:00 9/8/2015 5:24:00\r\ndeyrep.com 5/25/2015 0:48:00 5/25/2015 0:48:00\r\nn3.pancaliente.info 6/25/2015 23:56:00 10/19/2015 19:28:00\r\nn4.pancaliente.info 6/25/2015 23:56:00 10/19/2015 19:28:00\r\nns1.deyrep.com 6/29/2015 20:47:00 9/9/2015 19:53:00\r\nns2.deyrep.com 6/29/2015 20:47:00 9/9/2015 19:53:00\r\nn1.login-office365.com 7/9/2015 6:27:00 7/9/2015 6:27:00\r\nn2.login-office365.com 7/9/2015 6:27:00 7/9/2015 6:27:00\r\n1.lavozamericana.info 8/7/2015 4:36:00 8/31/2015 3:50:00\r\n2.lavozamericana.info 8/7/2015 4:36:00 8/31/2015 3:50:00\r\nn1.update-outlook.info 8/10/2015 19:35:00 8/10/2015 19:35:00\r\nns.update-outlook.info 8/10/2015 19:35:00 8/10/2015 19:35:00\r\n1.chavistas24.com 8/16/2015 11:54:00 10/19/2015 0:24:00\r\n2.chavistas24.com 8/16/2015 11:54:00 10/19/2015 0:24:00\r\ns1.mgoogle.us 8/30/2015 5:04:00 8/30/2015 5:04:00\r\ns2.mgoogle.us 8/30/2015 5:04:00 8/30/2015 5:04:00\r\nchavistas24.com 9/1/2015 5:12:00 10/18/2015 5:19:00\r\nDomains resolving to 193.105.134.27\r\nDomain First Seen Last Seen\r\nsupport-login-validate-outlook.tk 10/23/2015 14:45:40 11/4/2015 17:06:00\r\nverify-gmail-support-secure.tk 10/10/2015 0:00:00 10/13/2015 3:48:18\r\nsoporte-login-account-gmail.tk 9/26/2015 20:55:49 10/3/2015 1:02:29\r\nsoporte-login-account-yahoo.tk 9/20/2015 14:57:09 9/21/2015 18:42:14\r\nfocusecuador.tk 9/19/2015 20:56:29 9/21/2015 5:16:06\r\n1.update-outlook.info 9/13/2015 4:34:45 9/15/2015 9:19:06\r\n2.update-outlook.info 9/13/2015 4:34:45 9/15/2015 9:19:06\r\n1.desk-yahoo.com 9/10/2015 5:32:50 9/12/2015 5:31:16\r\n2.desk-yahoo.com 9/10/2015 5:32:50 9/12/2015 5:31:16\r\n2.mlogin-outlook.com 9/10/2015 5:08:37 9/12/2015 5:11:16\r\n1.mlogin-outlook.com 9/10/2015 5:08:37 9/12/2015 5:11:16\r\n1.soporte-google.com 9/12/2015 3:28:30 9/12/2015 3:28:30\r\n2.soporte-google.com 9/12/2015 3:28:30 9/12/2015 3:28:30\r\nmlogin-outlook.com 9/12/2015 0:55:17 9/12/2015 0:55:17\r\nns2.mlogin-outlook.com 9/12/2015 0:55:17 9/12/2015 0:55:17\r\nns1.mlogin-outlook.com 9/12/2015 0:55:17 9/12/2015 0:55:17\r\nDomains registered by enripintos123@outlook.es\r\nDomain Registrar E-mail Nameserver Date Pho\r\nsupport-java.com GODADDY.COM,LLC enripintos123@outlook.es n1.support-java.com 2/24/2015 494\r\nlavozamericana.info GoDaddy.com,LLC(R171-LRMS) enripintos123@outlook.es n1.lavozamericana.info 2/22/2015 494\r\nlogin-office365.com GODADDY.COM,LLC enripintos123@outlook.es n1.login-office365.com 2/21/2015 494\r\nsupport-whatsapp.com GODADDY.COM,LLC enripintos123@outlook.es s1.support-whatsapp.com 10/30/2014 494\r\nmgoogle.us GODADDY.COM,INC. enripintos123@outlook.es s1.mgoogle.us 10/30/2014 145\r\nandroid-flash.com GODADDY.COM,LLC enripintos123@outlook.es ns03.domaincontrol.com 10/30/2014 145\r\npancaliente.info GoDaddy.com,LLC(R171-LRMS) enripintos123@outlook.es ns1.hostinger.ru 10/25/2014 494\r\nsoporte-gmail.com GODADDY.COM,LLC enripintos123@outlook.es n1.soporte-gmail.com 10/19/2014 494\r\nsoporte-yahoo.com GODADDY.COM,LLC enripintos123@outlook.es ns33.domaincontrol.com 10/17/2014 494\r\nautorizacion-gmail.com GODADDY.COM,LLC enripintos123@outlook.es ns1.hostinger.ru 10/17/2014 494\r\nsupport-gmail.com GODADDY.COM,LLC enripintos123@outlook.es ns1.ukraine.com.ua 10/15/2014 494\r\nsupport-gmail.com GODADDY.COM,LLC enripintos123@outlook.es ns1.hostinger.ru 10/15/2014 494\r\nlogin-outlook.com GODADDY.COM,LLC enripintos123@outlook.es ns1.hostinger.ru 10/9/2014 494\r\nlogon-outlook.com GODADDY.COM,LLC enripintos123@outlook.es ns1.hostinger.ru 9/27/2014 145\r\nmgoogle.us, for example, has resolved to a range of IPs, including:\r\nIP First Seen Last Seen WHOIS\r\n198.12.150.249 5/19/2015 6:16:00 9/4/2015 9:51:00 Godaddy\r\n50.63.202.57 9/4/2015 12:52:00 10/8/2015 21:44:00 Godaddy\r\nSource: https://citizenlab.ca/2015/12/packrat-report/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://citizenlab.ca/2015/12/packrat-report/"
	],
	"report_names": [
		"packrat-report"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d001e298-8608-4ee6-96c7-e5afb62d718d",
			"created_at": "2022-10-25T16:07:24.035765Z",
			"updated_at": "2026-04-10T02:00:04.847015Z",
			"deleted_at": null,
			"main_name": "Packrat",
			"aliases": [],
			"source_name": "ETDA:Packrat",
			"tools": [
				"Adwind",
				"Adwind RAT",
				"Adzok",
				"Alien Spy",
				"AlienSpy",
				"CyberGate",
				"CyberGate RAT",
				"ExtRat",
				"Frutas",
				"Invisible Remote Administrator",
				"JBifrost RAT",
				"JSocket",
				"Rebhip",
				"Sockrat",
				"Trojan.Maljava",
				"UnReCoM",
				"Unknown RAT",
				"Unrecom",
				"Xtreme RAT",
				"XtremeRAT",
				"jBiFrost",
				"jConnectPro RAT",
				"jFrutas"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02a7064e-447b-433e-ac14-6f10d476f517",
			"created_at": "2023-01-06T13:46:38.520097Z",
			"updated_at": "2026-04-10T02:00:03.010392Z",
			"deleted_at": null,
			"main_name": "Packrat",
			"aliases": [],
			"source_name": "MISPGALAXY:Packrat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434188,
	"ts_updated_at": 1775791976,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6a6eea4d83efdc3f965d4e41c9da8e2882a53e6d.pdf",
		"text": "https://archive.orkl.eu/6a6eea4d83efdc3f965d4e41c9da8e2882a53e6d.txt",
		"img": "https://archive.orkl.eu/6a6eea4d83efdc3f965d4e41c9da8e2882a53e6d.jpg"
	}
}