{
	"id": "66fec58c-d506-4a16-b96c-04fd2b7d3fe6",
	"created_at": "2026-04-06T00:17:52.460132Z",
	"updated_at": "2026-04-10T13:11:19.652352Z",
	"deleted_at": null,
	"sha1_hash": "6d734691ea9654f38c8a9092a0cffa7aff95dc45",
	"title": "FireEye, Microsoft wipe TechNet clean of malware hidden by hackers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 946323,
	"plain_text": "FireEye, Microsoft wipe TechNet clean of malware hidden by\r\nhackers\r\nBy Written by\r\nArchived: 2026-04-05 16:56:51 UTC\r\nFireEye and Microsoft have moved against Chinese hackers taking advantage of the TechNet forum to spread\r\nmalware.\r\nAccording to a new report released by cybersecurity firm FireEye, in late 2014, FireEye Threat Intelligence and\r\nthe Microsoft Threat Intelligence Center discovered a command-and-control (C\u0026C) obfuscation code hidden\r\nwithin Microsoft's TechNet web portal. A Chinese group dubbed APT17 -- also known as Deputy Dog -- used the\r\nTechNet forum in order to hide the C\u0026C code, making it more difficult for security professionals to locate the true\r\nsource of the attack infrastructure.\r\nChina tightens military control in fresh censorship wave\r\nThe researchers say Deputy Dog created profiles and posts in TechNet which embedded the encoded C\u0026C for use\r\nwith a variant of the BLACKCOFFEE malware, malicious code used in cyberespionage campaigns.\r\nhttps://www.zdnet.com/article/fireeye-microsoft-wipe-technet-clean-of-malware-hidden-by-hackers/\r\nPage 1 of 2\n\nComments left on particular pages contained the names of encoded domains, which systems infected with\r\nBLACKCOFFEE were forced to contact, as reported by IDG. The victim computer was then directed to the C\u0026C\r\nserver controlled by Deputy Dog. 
In other words, TechNet -- while not compromised itself -- became a go-between used to disguise the true address of the C\u0026C: an infected host first fetched a legitimate TechNet page, decoded the address hidden in it, and only then connected to the real C\u0026C server.\r\nBecause TechNet carries a vast amount of legitimate traffic and hosts an open forum where any Microsoft software customer can\r\nask and respond to questions, an infected host's request to it blends in with normal activity, which made the platform an effective conduit for hiding the true C\u0026C address.\r\n\"This technique can make it difficult for network security professionals to determine the true location of the CnC,\r\nand allow the CnC infrastructure to remain active for a longer period of time,\" FireEye said. For defenders, the practical consequence is that the initial beacon to TechNet looks like ordinary traffic to a trusted Microsoft site; detection has to rest on the host-based indicators and anti-malware signatures released for BLACKCOFFEE (see below) and on the follow-on connection to the decoded C\u0026C address.\r\n\"TechNet's security was in no way compromised by this tactic.\"\r\nscreen-shot-2015-05-15-at-10-43-22.png\r\nDeputy Dog is a well-known Chinese hacking group which has launched attacks against tech firms, mining\r\ncompanies, defense contractors, law firms and US government agencies. The group has also been linked to attacks\r\non Japanese targets.\r\n\"By injecting encoded data onto some of the TechNet pages, the FireEye-Microsoft team was able to gain insight\r\ninto the malware and the victims,\" FireEye explained. 
\"Though the security community has not yet broadly\r\ndiscussed this technique, FireEye has observed other threat groups adopting these measures and expect this trend\r\nto continue on other community sites.\"\r\nOn Thursday, FireEye released Indicators of Compromise (IOCs) for BLACKCOFFEE and Microsoft released\r\nupdated signatures for its anti-malware security products.\r\nRead on: In the world of security\r\nYahoo launches password-free logins\r\nFeds hot on the trail of JPMorgan hackers\r\nEquationDrug: Sophisticated, stealthy data theft for over a decade\r\nSymantec research highlights security failures in the connected home\r\nNew CryptoLocker ransomware targets gamers\r\nEditorial standards\r\nSource: https://www.zdnet.com/article/fireeye-microsoft-wipe-technet-clean-of-malware-hidden-by-hackers/\r\nhttps://www.zdnet.com/article/fireeye-microsoft-wipe-technet-clean-of-malware-hidden-by-hackers/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zdnet.com/article/fireeye-microsoft-wipe-technet-clean-of-malware-hidden-by-hackers/"
	],
	"report_names": [
		"fireeye-microsoft-wipe-technet-clean-of-malware-hidden-by-hackers"
	],
	"threat_actors": [
		{
			"id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5",
			"created_at": "2022-10-25T15:50:23.269339Z",
			"updated_at": "2026-04-10T02:00:05.402835Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"APT17",
				"Deputy Dog"
			],
			"source_name": "MITRE:APT17",
			"tools": [
				"BLACKCOFFEE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17",
				"Aurora Panda",
				"DeputyDog",
				"Group 72",
				"Hidden Lynx",
				"TG-8153",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "86fd71d3-06dc-4b73-b038-cedea7b83bac",
			"created_at": "2022-10-25T16:07:23.330793Z",
			"updated_at": "2026-04-10T02:00:04.545236Z",
			"deleted_at": null,
			"main_name": "APT 17",
			"aliases": [
				"APT 17",
				"ATK 2",
				"Beijing Group",
				"Bronze Keystone",
				"Deputy Dog",
				"Elderwood",
				"Elderwood Gang",
				"G0025",
				"G0066",
				"Operation Aurora",
				"Operation DeputyDog",
				"Operation Ephemeral Hydra",
				"Operation RAT Cook",
				"SIG22",
				"Sneaky Panda",
				"TEMP.Avengers",
				"TG-8153",
				"Tailgater Team"
			],
			"source_name": "ETDA:APT 17",
			"tools": [
				"9002 RAT",
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"Briba",
				"Chymine",
				"Comfoo",
				"Comfoo RAT",
				"Darkmoon",
				"DeputyDog",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Jumpall",
				"Kaba",
				"Korplug",
				"Linfo",
				"MCRAT.A",
				"McRAT",
				"MdmBot",
				"Mdmbot.E",
				"Moudour",
				"Mydoor",
				"Naid",
				"Nerex",
				"PCRat",
				"PNGRAT",
				"Pasam",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Naid",
				"Vasport",
				"Wiarp",
				"Xamtrav",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434672,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d734691ea9654f38c8a9092a0cffa7aff95dc45.pdf",
		"text": "https://archive.orkl.eu/6d734691ea9654f38c8a9092a0cffa7aff95dc45.txt",
		"img": "https://archive.orkl.eu/6d734691ea9654f38c8a9092a0cffa7aff95dc45.jpg"
	}
}