{
	"id": "68366c07-43f3-468a-9cb7-3efdae486d52",
	"created_at": "2026-04-06T00:10:17.782614Z",
	"updated_at": "2026-04-10T03:28:17.191382Z",
	"deleted_at": null,
	"sha1_hash": "6d98795a35fd5492ec04f237b062a572d8ad2646",
	"title": "Comnie Continues to Target Organizations in East Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5122797,
	"plain_text": "Comnie Continues to Target Organizations in East Asia\r\nBy Josh Grunzweig\r\nPublished: 2018-01-31 · Archived: 2026-04-05 18:50:50 UTC\r\n\r\nUnit 42 has been tracking a series of attacks using a remote backdoor malware family named Comnie, which have been observed targeting organizations in the East Asia region. Comnie, first named by Sophos seemingly after the Windows LNK file name it created, is a custom malware family that is used in targeted attacks, and has been observed in the wild since at least April 2013. The Comnie malware family is notable in that it leverages online blogs and third-party services to obtain command and control (C2) information. Recent instances of the malware have been observed leveraging github.com, tumblr.com, and blogspot.com.\r\n\r\nAttackers using Comnie are leveraging malicious macros that initially hide decoy documents and show them only when the victim enables macros. These decoy documents pertain to various subjects that the targets would likely be interested in. The contents of these documents suggest that the threat actor's main interests likely included organizations in the following industries, located in Taiwan:\r\nTelecommunication\r\nDefense\r\nGovernment\r\nHigh Tech\r\nThe most recent attacks, in November 2017, likely targeted organizations in the following industries, located in South Korea:\r\nAerospace\r\nDefense\r\nAdditionally, while researching this campaign, we identified historical attacks that appear to target the Taiwan government, an IT service vendor based in Asia, and a journalist of a Tibetan radio station.\r\n\r\nActivities Involving Comnie\r\n\r\nBeginning in mid-2015, we observed the Comnie malware family delivered via malicious macros with various file names and decoy subject matters. Original file names, as well as information revealed within the decoy documents used by these samples, provide clues as to who the targets may be.
In the most recent attacks in November 2017, the information suggests that these attacks have most likely taken place against Aerospace and Defense industry targets in South Korea.\r\n\r\nOriginal File Name | Translation | Decoy | Location | Most Likely Target\r\n관계기관번호.xls | Affiliate numbers.xls | Affiliate phone numbers for a South Korean international airport | KR | Aerospace\r\nPBCS_관련_현황_보고.doc | PBCS_related_status_report.doc | Report on the status of Performance-Based Communication and Surveillance (PBCS) | KR | Aerospace, Defense\r\n\r\nThe following decoy contents are only shown to the victim after macros have been enabled:\r\n\r\nFigure 1 Decoy document discussing an airport contact list in Korean\r\nFigure 2 Decoy document discussing Performance Based Communication and Surveillance (PBCS)\r\n\r\nBefore the attacks against South Korean targets, the same malicious macros were used to deliver the Comnie malware family to targets in Taiwan as early as 2015.
Again, based on the original file names and the decoy contents, the most commonly witnessed targets in attacks that occurred in 2017 included those in the Telecommunication, Defense, and High-Tech industries in Taiwan.\r\n\r\nOriginal File Name | Translation | Decoy | Location | Most Likely Target\r\n1060315 本部發言參考.doc | 1060315 Headquarters Speech Reference.doc | Defense Industry Development Strategy | TW | Defense\r\n轉給苦逼的網管兄弟.doc | Passing to cool fellow network administrators.doc | Network administration jokes | TW | High Tech, Telecommunication\r\n2.SC OAM Firewall Policy_0306.xls | 2.SC OAM Firewall Policy_0306.xls | Network topology diagrams | TW | High Tech, Telecommunication\r\n\r\nFigure 3 Decoy document discussing Taiwan’s defense industry development strategy\r\nFigure 4 Network firewall configuration description for a telecommunication company in Taiwan\r\nFigure 5 Decoy document providing network topology information\r\n\r\nIt is worth noting that in the attack that made use of the decoy document in Figure 4, the attacker also included related firewall logs, and the attack appears to have originated from a compromised IT service vendor.\r\nLooking at earlier attacks between 2013 and 2016, we believe Comnie was also used in targeted attacks against the following individuals or organizations:\r\nTaiwan government\r\nIT service vendor in Asia\r\nJournalist of a Tibetan radio station\r\n\r\nFigure 6 Email sent to journalist of Tibetan radio station\r\n\r\nMalicious Macros\r\n\r\nThe malicious macro documents used to deliver Comnie initially hide their content and request that the user enable macros prior to viewing the document. Once the user enables macros, the macro will perform the following actions:\r\n1. Displays decoy content\r\n2. Checks for the existence of a file at %APPDATA%\\wscript.exe\r\n3. If %APPDATA%\\wscript.exe does not exist, the macro converts an embedded hex-encoded string into bytes and saves this data to %APPDATA%\\wscript.exe\r\n4. Executes the newly created wscript.exe payload\r\n\r\nFigure 7 Example macro used to deliver Comnie\r\n\r\nAn interesting discovery was made when examining the macros used to deliver Comnie. Based on evidence gleaned from both the macro and other data collected from the samples, it appears that the threat actor did not generate these documents from scratch. Instead, they appear to have been created based on an existing sample available via public sample repositories. The existing sample in question was created by a red team penetration tester at a financial institution for internal testing. The following image shows a comparison of macro code extracted from a Comnie dropper and the financial institution’s penetration test sample.\r\n\r\nFigure 8 Comparison of macros extracted from Comnie dropper versus a pentest sample used by a financial organization\r\n\r\nComnie Malware Family\r\n\r\nComnie uses the RC4 algorithm in multiple locations, both to obfuscate strings used by the malware and for network communication. Additionally, the malware looks for multiple security products on victim machines and sometimes alters its behavior depending on the products present. More information about how Comnie handles identified security products may be found in the technical analysis in the Appendix.
These security products include those known to be most widely used within South Korea and Taiwan.\r\nComnie achieves persistence via a .lnk file stored within the victim’s startup path. When originally run, Comnie will convert itself from an executable file to a DLL and will write this newly created DLL to the host machine’s %APPDATA% directory. The .lnk file then uses the built-in Windows utility rundll32.exe to load this DLL.\r\nUnit 42 has observed a total of two variants of Comnie. One of the ways the variants differ is in how they obtain their command and control (C2) information. Both variants make use of third-party online services in an attempt to prevent DNS-based blocking of their first stage communications. However, the obfuscation mechanism varies slightly. Older variants of Comnie look for the ‘++a++’ markers, as the example C2s used by older variants demonstrate:\r\n\r\nFigure 9 Old Comnie variants collecting C2 information\r\n\r\nPlease refer to the Appendix for a script that may be used to decode C2 information from the older Comnie variants.\r\nNewer Comnie variants, such as the ones witnessed in the most recent attacks, instead look for the ‘magnet:/’ and ‘?’ markers, such as in the following recent example:\r\n\r\nFigure 10 New Comnie variants determining their C2 information via a GitHub profile.\r\n\r\nAfter Comnie collects the remote C2 information, it will communicate with these remote servers using HTTP requests. These requests are encrypted using the RC4 algorithm.
Comnie will upload information about the victim. It also allows the attacker to provide and subsequently execute a batch script (BAT), executable file (EXE), or dynamic-link library (DLL).\r\nMore detailed information about how C2 information is decoded and additional technical analysis of Comnie may be found in the Appendix.\r\n\r\nConclusion\r\n\r\nComnie is far from a new threat; however, it continues to remain active. In the past year, we have observed multiple low-volume attacks in various regions of East Asia. Based on clues provided by the malware’s original file names, as well as the decoy content embedded within these samples, we can make a reasonable estimation that these attacks targeted organizations in Taiwan in the Telecommunication, Defense, Government, and High-Tech industries. Additionally, the same estimation may be made for attacks in South Korea targeting the Aerospace and Defense industries.\r\nWhile we have witnessed modifications to the attacker’s toolsets, the overall architecture and operations of the Comnie malware family have remained consistent, suggesting that the attackers have been able to stay below the radar of the security community.\r\nThe Comnie malware family is notable in that it leverages third-party online services to download and parse C2 information. Because these third-party online services are legitimate, it allows Comnie to circumvent a number of security preventions that may be present in the environment.
This overall technique has previously been referred to as using a “Dead Drop Resolver” or DDR.\r\nPalo Alto Networks customers are protected from this threat in the following ways:\r\nAll identified samples have been flagged as malicious by WildFire and Traps\r\nCustomers may track this threat using the ‘Comnie’ AutoFocus tag\r\nTraps appropriately catches the macro execution from the malware and prevents it\r\nAdditionally, blogspot, tumblr, and github have been alerted to the malicious activity discovered.\r\n\r\nAppendix\r\n\r\nComnie Technical Analysis\r\n\r\nFor the analysis of the Comnie malware family, we investigated the following sample:\r\nSHA256 18ec68e1bd9b11f22e481d48c415f8d80edb76e9032ba4e1d31d87e16eed9959\r\nWhen the sample is initially executed, it will attempt to create a mutex with a name of ‘tmutexabc’ to ensure only a single instance of Comnie is running at a given time. Should this mutex already exist, the malware will immediately exit.\r\nComnie continues by loading an embedded bitmap (BMP) file and decrypting data at offset 0x512.\r\n\r\nFigure 11 Embedded BMP file containing encrypted string data\r\n\r\nRC4 is used to decrypt this data using a 16-byte key that is stored within the BMP file at offset 0x502. Once decrypted, we are provided with a large list of strings, as seen below (note that the data has been truncated for brevity):\r\n\r\nFigure 12 Decrypted strings from embedded BMP file\r\n\r\nAfter these strings are decrypted, the malware will load a series of Microsoft Windows API calls to be used later on. After these functions are loaded, Comnie determines if it is running within the %TEMP% directory of the victim machine.
In the event it is not running within this directory, it will copy itself to %TEMP% and execute this newly created file with an argument of the original file’s path. A total of 64MB of garbage data is appended to this copied file, likely as a way to deter any security products in place that may be scanning files on disk. After running within the %TEMP% path, Comnie will delete the original file.\r\nAfter Comnie has been copied to the %TEMP% directory, it will look for the presence of the ‘DQuit.tmp’ file in this path. It is unclear how this file is used exactly, as it does not appear to ever be written during runtime by Comnie.\r\nComnie then enters its installation routine. In doing so, it will attempt to detect the following Anti-Virus products via various techniques:\r\nTrend Micro\r\nKaspersky\r\nSymantec\r\nAvira\r\nAVG\r\nALYac\r\nAhnlab\r\nAhnlab and ALYac are the most widely used Anti-Virus solutions in South Korea, and Trend Micro and the rest are also known to be widely used in Taiwan. These are in line with the targeting of the victims witnessed by the attackers using Comnie.\r\nWith a few exceptions, Comnie will perform the following actions regardless of what security product, if any, is discovered:\r\nConvert itself to a temporary DLL with a default export of ‘Dm’ in the %TEMP% directory.\r\nIf running with administrator privileges on a 32-bit host: copy the temporary DLL in %TEMP% to %WINDOWS%\\LINKINFO.dll\r\nOtherwise: copy the temporary DLL in %TEMP% to %APPDATA%\\cnagnt.dll\r\nDelete the temporary DLL in %TEMP%\r\nWrite a ‘Conime.lnk’ file in the user’s startup path. This shortcut file points to 'C:\\Windows\\system32\\rundll32.exe \"%APPDATA%\\cnagnt.dll\",Sd'\r\nOne of the exceptions to the installation routine above is in the event Symantec is detected.
In such a scenario, Comnie will drop a temporary VBS script to write the ‘Conime.lnk’ file.\r\nAdditionally, in the event Kaspersky is detected, the malware will immediately run the ‘Conime.lnk’ shortcut file in a new process after it is created.\r\nAfter the installation routine, the malware will decrypt an embedded blob of data using RC4 with an embedded 8-byte static key of ‘\\x11\\xcc\\xd1\\x32\\x61\\x21\\xd1\\xe2’. The results of the decoded data may be seen below:\r\n\r\nFigure 13 Decrypted information\r\n\r\nThe decrypted data contains URLs for various online services that will be used by the attacker for downloading data that will contain the command and control (C2) server(s) and port(s) to be used by Comnie.\r\nComnie will make requests to these URLs, looking for base64-encoded data after an identifier of ‘magnet:/’, as seen in the example below:\r\n\r\nFigure 14 GitHub storing Comnie C2 information\r\n\r\nIn the example above, the C2 information is being stored within the user’s profile URL field on GitHub. In order to decode this data, Comnie first decodes it using base64 with the following non-standard alphabet (note that it is simply the original alphabet in reverse):\r\n/+9876543210zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA\r\nThe resulting data is then parsed and decrypted using RC4. The first 64 bytes are used as the key (after the per-byte bit reordering performed by the decode() function of the script below), the next 4 bytes represent the underlying data’s length as a little-endian integer, and the remaining data is the C2 data.
The prior example decrypts to\r\nthe following:\r\nmailto:121.126.211[.]94:8080;80;80\r\n  The following Python script may be used to decode the C2 data used by the newest Comnie variant:\r\n1\r\n2\r\n3\r\n4\r\n5\r\nimport base64\r\nimport sys\r\nimport re\r\nfrom string import maketrans\r\nfrom struct import *\r\nhttps://unit42.paloaltonetworks.com/unit42-comnie-continues-target-organizations-east-asia/\r\nPage 14 of 19\n\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n17\r\n18\r\n19\r\n20\r\n21\r\n22\r\n23\r\n24\r\n25\r\n26\r\n27\r\n28\r\n29\r\n30\r\n31\r\nimport requests\r\ndef rc4_crypt(data, key):\r\n  S = range(256)\r\n  j = 0\r\n  out = []\r\n  for i in range(256):\r\n    j = (j + S[i] + ord( key[i % len(key)] )) % 256\r\n    S[i] , S[j] = S[j] , S[i]\r\n  i = j = 0\r\n  for char in data:\r\n    i = ( i + 1 ) % 256\r\n    j = ( j + S[i] ) % 256\r\n    S[i] , S[j] = S[j] , S[i]\r\n    out.append(chr(ord(char) ^ S[(S[j] + S[i]) % 256]))\r\n  return ''.join(out)\r\ndef decode(data):\r\n  o = \"\"\r\n  for d in data:\r\n    od = ord(d)\r\n    o += chr((4 * (16 * od | od \u0026 0xC) | (((od \u003e\u003e 4 | od \u0026 0x30) \u003e\u003e 2))) \u0026 0xFF)\r\n  return o\r\nbase64fixTable =\r\nmaketrans(\"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\"\r\n[::-1], \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\");\r\ndef trans(string):\r\n  return str(string).translate(base64fixTable)\r\ndef altdecode(string):\r\nhttps://unit42.paloaltonetworks.com/unit42-comnie-continues-target-organizations-east-asia/\r\nPage 15 of 19\n\n32\r\n33\r\n34\r\n35\r\n36\r\n37\r\n38\r\n39\r\n40\r\n  return base64.b64decode(trans(string))\r\nreq = requests.get(sys.argv[1])\r\nfd = req.text\r\noriginal_data = re.search(\"magnet:/\\?([^\\?]+)\\?\", fd).group(1)\r\nparsed_data = altdecode(original_data)\r\ndataLength = unpack(\"\u003cI\", parsed_data[64:68])[0]\r\nkey = decode(parsed_data[0:64])\r\ndata = parsed_data[dataLength*-1:]\r\nd = 
rc4_crypt(data, key)\r\nprint(d)\r\n \r\nComnie will make attempts at connecting to the IP address above using the various ports specified. Data is sent\r\nvia HTTP, and is encrypted against using the RC4 algorithm. The URIs used in the HTTP requests are randomly\r\ngenerated. Data is provided first via the ‘pid’ GET parameter initially, and via the ‘iid’ GET parameter when\r\nPOST requests are made by Comnie. Initially, Comnie will send the following request:\r\nFigure 15 Comnie initial beacon\r\nIn order to decrypt the data provided within the ‘pid’ parameter, a key is generated using the SessionID\r\ninformation, which is randomly generated. This particular data is decoded from hex and bytes at offsets 0, 2, 4, 6,\r\n8, 10, 12, and 14 are used to form an 8-byte RC4 key. After applying this decryption algorithm, we are presented\r\nwith the following data:\r\nh=HOSTNAME-PC\u0026f=mission.ini\u0026c=\u0026\r\nThe response made by the C2 server uses the same RC4 key for encryption. The data above contains the hostname\r\n(‘HOSTNAME-PC’) of the victim machine, as well as an instruction. In this case, the instruction is asking for\r\nhttps://unit42.paloaltonetworks.com/unit42-comnie-continues-target-organizations-east-asia/\r\nPage 16 of 19\n\ninformation that is to be written to a temporary BAT file within the %TEMP% directory. The following example\r\ninformation is provided by the remote C2 server:\r\n[MISSION]\r\nId=2017\r\nCrc=201701\r\n[BAT]\r\nNum=1\r\nFileName1=gethostinfo.bat\r\nCrc1=2017011\r\nResultFile1=info.dat\r\n \r\nThis INI file is parsed to determine what Comnie should do. Comnie allows the attacker to provide and\r\nsubsequently execute a batch script (BAT), executable file (EXE), or dynamic-link library (DLL). 
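The following is an added example (not code from the Unit 42 report or from the Comnie sample) that ties the two decoding steps described above together. It builds a DDR payload in the form the newer variant parses (64-byte key field with the per-byte bit reordering, little-endian length, RC4 ciphertext, base64 with the reversed alphabet, 'magnet:/?' and '?' markers), decodes it back, splits the resulting mailto: string into host and ports, and derives the beacon RC4 key from a SessionID by taking the bytes at even offsets of the hex-decoded value. The key field, SessionID, page text and beacon contents are constructed for the example, and hex encoding of the 'pid' value is an assumption: the report states only that the SessionID is random and that the data is RC4-encrypted.

```python
import base64
import struct

# Added example, not Unit 42 code: re-implements the DDR payload format and
# the beacon 'pid' key derivation described in the report, plus an encoder so
# the round trip can be checked offline. All sample values (key field,
# SessionID, page text) are constructed for the example.

B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
TO_STD = str.maketrans(B64[::-1], B64)   # reversed alphabet -> standard
TO_REV = str.maketrans(B64, B64[::-1])   # standard -> reversed (encoder side)
MARK = 'magnet:/?'


def rc4(data, key):
    # Plain RC4 (KSA then PRGA); the same call encrypts and decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crumb_reverse(data):
    # Reverse the order of the four 2-bit groups in every byte. This is the
    # transform the report's decoder applies to the 64-byte key field; it is
    # its own inverse, so the encoder applies it as well.
    return bytes(((b & 0x03) << 6) | ((b & 0x0C) << 2) | ((b & 0x30) >> 2) | (b >> 6)
                 for b in data)


def ddr_encode(c2_text, key_field):
    # Operator side: key field (64 bytes) + little-endian length + RC4
    # ciphertext, base64 with the reversed alphabet, wrapped in the markers.
    if len(key_field) != 64:
        raise ValueError('key field must be exactly 64 bytes')
    pt = c2_text.encode()
    blob = key_field + struct.pack('<I', len(pt)) + rc4(pt, crumb_reverse(key_field))
    return MARK + base64.b64encode(blob).decode().translate(TO_REV) + '?'


def ddr_decode(page_text):
    # Implant side: find the markers, undo the alphabet swap, split the blob.
    # Returns None when the page carries no well-formed payload.
    start = page_text.find(MARK)
    if start < 0:
        return None
    start += len(MARK)
    end = page_text.find('?', start)
    if end < 0:
        return None
    blob = base64.b64decode(page_text[start:end].translate(TO_STD))
    if len(blob) < 68:
        return None
    length = struct.unpack('<I', blob[64:68])[0]
    if length == 0 or length > len(blob) - 68:
        return None
    return rc4(blob[-length:], crumb_reverse(blob[:64])).decode(errors='replace')


def parse_c2(c2_text):
    # 'mailto:121.126.211.94:8080;80;80' -> ('121.126.211.94', [8080, 80, 80])
    if not c2_text.startswith('mailto:'):
        return None
    host, _, ports = c2_text[len('mailto:'):].partition(':')
    return host, [int(p) for p in ports.split(';') if p]


def beacon_key(session_id):
    # Hex-decode the SessionID and keep the bytes at offsets 0, 2, ..., 14.
    # Assumes a 32-hex-character SessionID (16 bytes); the report gives the
    # offsets but not the field length.
    raw = bytes.fromhex(session_id)
    if len(raw) < 16:
        raise ValueError('SessionID must decode to at least 16 bytes')
    return bytes(raw[i] for i in range(0, 16, 2))


def beacon_encrypt(session_id, fields):
    # Hex encoding of the 'pid' value is an assumption of this example.
    return rc4(fields.encode(), beacon_key(session_id)).hex()


def beacon_decrypt(session_id, pid_hex):
    return rc4(bytes.fromhex(pid_hex), beacon_key(session_id)).decode(errors='replace')


if __name__ == '__main__':
    key_field = bytes(range(64))                      # constructed key field
    page = '<a href=' + ddr_encode('mailto:121.126.211.94:8080;80;80', key_field) + '>'
    c2 = ddr_decode(page)
    print(c2, parse_c2(c2))
    sid = '00112233445566778899aabbccddeeff'          # constructed SessionID
    pid = beacon_encrypt(sid, 'h=HOSTNAME-PC&f=mission.ini&c=&')
    print(pid, beacon_decrypt(sid, pid))
```

The encoder exists only so the decoder can be exercised offline against a page of known content; with a real profile page, ddr_decode is the only entry point needed. A None result means the markers or the length field did not check out, which is the only integrity signal available here: RC4 on its own cannot tell a wrong key from a right one, so a decoded string that does not start with mailto: should be treated as a failed decode rather than a new C2 format.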
Comnie will then request the contents of the BAT script named in the mission file, via the following decrypted request:\r\nh=HOSTNAME-PC&f=gethostinfo.bat&c=&\r\nBased on network traffic witnessed, the remote C2 server was found to respond with the following information:\r\nnetstat -ano > %TEMP%\\info.dat\r\nipconfig /all >> %TEMP%\\info.dat\r\nroute PRINT >> %TEMP%\\info.dat\r\nnet view >> %TEMP%\\info.dat\r\ntasklist >> %TEMP%\\info.dat\r\nnet user >> %TEMP%\\info.dat\r\nnet start >> %TEMP%\\info.dat\r\n\r\nThis script is written to a temporary file prior to being executed. The results of this BAT script are uploaded to the remote C2 server.\r\n\r\nOld Comnie Variant C2 Decoder\r\n\r\nimport sys\r\nimport requests\r\n\r\n\r\ndef decode(data):\r\n    # Older variants substitute '*', '|' and '+' for '.', ':' and ';'\r\n    # and subtract 49 from every remaining character\r\n    o = ''\r\n    for c in data:\r\n        if c == '*':\r\n            o += '.'\r\n        elif c == '|':\r\n            o += ':'\r\n        elif c == '+':\r\n            o += ';'\r\n        else:\r\n            o += chr(ord(c) - 49)\r\n    return o\r\n\r\n\r\ndef decode_c2(page_text):\r\n    # The C2 data sits between two '++a++' markers\r\n    data = page_text.split('++a++')[1]\r\n    return decode(data)\r\n\r\n\r\nif __name__ == '__main__':\r\n    print(decode_c2(requests.get(sys.argv[1]).text))\r\n\r\nSamples Analyzed\r\need5945c36ba22a2531dd2d9dd7bc4e17e68544d512be75670919caf287c1b4a\r\n8026442b812469e48ccd11611ab6eacdcb312a8f1aabd563b7f4cb4868315e16\r\nc8951038fd53321661274e5a12532c3fb6f73c75fd75503a1089c56990658fef\r\n48a1ce103e5bf47c47cc5ed40b2dc687ebaf3674d667419287bcb1d0b8d8dda6\r\ne06b797a24fa03a77e0d5f11b0cf0f4f038e0a9ea04d4981d39148969349c79c\r\n7282d0709449abe16457864f58157cac8d007571dc5d463d393d1ae2605d17e0\r\nbf6ee8426245b167a69292e513c0841d818b310dda87daea649221f4e0afd1b3\r\n
62b98dde60cb4dd0d0088bde222c5c2c4c92560cccf4753f1ce94e044093ab85\r\n756952652290ad09fe03c8674d44eab2077b091398187c3abcb6f1ddc462c32d\r\n639a49390c6f8597d36ec0bd245efa1b4a078c0506fb515e577a40389b39a614\r\n29ed6eb3c882b018c2bb6bf2f8eb15069dc5510ca119abebf24f09e3c91f10aa\r\n0e8a4e4d5ca501bad25a730fb5de534fa324c6ac23e0a573524693f2d996d105\r\n316a0c6849f183a1a52d0c7648e722c4ca85bd57b0804a147c0c8656b84bbdb9\r\n\r\nIdentified C2s\r\n121.126.211[.]94:8080\r\n113.196.70[.]11:80,8080\r\n133.130.101[.]47:443\r\n123.51.208[.]157:443;8000;8080\r\n\r\nC2 Hosting URLs (DDR URLs)\r\ngithub[.]com/korlee5643\r\nitsmonsee.tumblr[.]com\r\nallworldnewsway.blogspot[.]com\r\n\r\nSource: https://unit42.paloaltonetworks.com/unit42-comnie-continues-target-organizations-east-asia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-comnie-continues-target-organizations-east-asia/"
	],
	"report_names": [
		"unit42-comnie-continues-target-organizations-east-asia"
	],
	"threat_actors": [
		{
			"id": "ad59becc-29c2-4b7a-a958-d7f242d222ea",
			"created_at": "2023-01-06T13:46:38.956494Z",
			"updated_at": "2026-04-10T02:00:03.161471Z",
			"deleted_at": null,
			"main_name": "Blackgear",
			"aliases": [
				"BLACKGEAR",
				"Topgear",
				"Comnie"
			],
			"source_name": "MISPGALAXY:Blackgear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434217,
	"ts_updated_at": 1775791697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d98795a35fd5492ec04f237b062a572d8ad2646.pdf",
		"text": "https://archive.orkl.eu/6d98795a35fd5492ec04f237b062a572d8ad2646.txt",
		"img": "https://archive.orkl.eu/6d98795a35fd5492ec04f237b062a572d8ad2646.jpg"
	}
}