{
	"id": "f171ce54-2df0-4c13-a467-a9f6f688eb93",
	"created_at": "2026-04-06T00:07:02.415038Z",
	"updated_at": "2026-04-10T03:32:21.565045Z",
	"deleted_at": null,
	"sha1_hash": "6eadc6bc2efb9c2eaff3af916b925000d197bb68",
	"title": "The SideWalk may be as dangerous as the CROSSWALK",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1227873,
	"plain_text": "The SideWalk may be as dangerous as the CROSSWALK\r\nBy Mathieu Tartare and Thibaut Passilly\r\nArchived: 2026-04-02 12:18:07 UTC\r\nESET researchers have recently discovered a new, previously undocumented modular backdoor, SideWalk, used by an\r\nAPT group we have named SparklingGoblin; the backdoor was deployed during one of SparklingGoblin's recent\r\ncampaigns, which targeted a computer retail company based in the USA. It shares multiple similarities\r\nwith another backdoor used by the group: CROSSWALK.\r\nSideWalk is a modular backdoor that can dynamically load additional modules sent from its C\u0026C server, makes\r\nuse of Google Docs as a dead-drop resolver, and uses Cloudflare Workers as a C\u0026C server. It can also properly\r\nhandle communication from behind a proxy.\r\nSparklingGoblin, a member of the Winnti family\r\nIn November 2019, we discovered a Winnti Group campaign targeting several Hong Kong universities; it had\r\nstarted at the end of October 2019, and we published a blogpost about it. During that campaign the attackers\r\nmostly made use of the ShadowPad backdoor and the Winnti malware, but also the Spyder backdoor and a\r\nbackdoor based on DarkShell (an open source RAT) that we named Doraemon.\r\nSubsequent to that campaign, in May 2020 (as documented in our Q2 2020 Threat Report) we observed a new\r\ncampaign targeting one of the universities that had previously been compromised by Winnti Group in October 2019,\r\nwhere the attackers used the CROSSWALK backdoor and a PlugX variant using Google Docs as a dead-drop\r\nresolver. Even though that campaign exhibited links to Winnti Group, the modus operandi was quite different, and\r\nwe started tracking it as a separate threat actor.\r\nFollowing this (second) Hong Kong university compromise, we observed multiple compromises against\r\norganizations around the world using similar toolsets and TTPs. 
Considering those particular TTPs and to avoid\r\nadding to the general confusion around the “Winnti Group” label, we decided to document this cluster of activity\r\nas a new group, which we have named SparklingGoblin, and which we believe is connected to Winnti Group while\r\nexhibiting some differences.\r\nDays before the intended publication of this blogpost, Trend Micro published a report about a group its\r\nresearchers track as Earth Baku and a campaign using malware they call the ScrambleCross backdoor. These\r\ncorrespond to the group we track as SparklingGoblin and the SideWalk backdoor documented here.\r\nVictimology\r\nSince mid-2020, according to our telemetry, SparklingGoblin has been very active, and it remains so in 2021. Even\r\nthough the group mostly targets East and Southeast Asia, we have seen SparklingGoblin targeting a broad range of\r\norganizations and verticals around the world, with a particular focus on the academic sector, including:\r\nhttps://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/\r\nPage 1 of 22\n\nAcademic sectors in Macao, Hong Kong and Taiwan\r\nA religious organization in Taiwan\r\nA computer and electronics manufacturer in Taiwan\r\nGovernment organizations in Southeast Asia\r\nAn e-commerce platform in South Korea\r\nThe education sector in Canada\r\nMedia companies in India, Bahrain, and the USA\r\nA computer retail company based in the USA\r\nLocal government in the country of Georgia\r\nUnidentified organizations in South Korea and Singapore\r\nFigure 1. Geographic distribution of SparklingGoblin targets\r\nSideWalk\r\nSideWalk staging is summarized in Figure 2. 
The SideWalk backdoor is ChaCha20-encrypted shellcode that is\r\nloaded from disk by SparklingGoblin’s InstallUtil-based .NET loaders.\r\nFigure 2. SideWalk staging mechanism\r\nAlso, as we will show below, the SideWalk backdoor shares multiple similarities with CROSSWALK, which is a\r\nmodular backdoor attributed to APT41 by FireEye and publicly documented by Carbon Black.\r\nFirst stage\r\nSideWalk’s shellcode is deployed encrypted on disk under the name Microsoft.WebService.targets and loaded\r\nusing SparklingGoblin’s InstallUtil-based .NET loader, which is obfuscated with a modified ConfuserEx, an open source\r\nprotector for .NET applications that the group uses frequently.\r\nSparklingGoblin’s .NET loaders persist via a scheduled task using one of the following task names:\r\nRasTaskStart\r\nRasTaskManager\r\nWebService\r\nThe task executes the loader through the InstallUtil.exe utility with a command line of the following form:\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /ParentProc=none\r\nfollowed by the /U flag and the path of the malicious .NET loader, InstallWebService.sql. Because the loader is started\r\nwith /U, InstallUtil invokes the Uninstall method of the USCInstaller class (UPrivate namespace) of the .NET loader rather\r\nthan its Install method (see Figure 3). Note that the loader file carries a .sql extension, so hunting rules for\r\nInstallUtil should not assume that its argument ends in .exe or .dll.\r\nFigure 3. Hierarchy of an InstallUtil-based loader\r\nA deobfuscated version of the RunShellcode method called by the Uninstall method is shown in Figure 4.\r\nFigure 4. 
.NET loader method called by the Uninstall method, which decrypts and injects the shellcode.\r\nAs we can see, the loader is responsible for reading the encrypted shellcode from disk, decrypting it and injecting\r\nit into a legitimate process using the process hollowing technique. Note that the decryption algorithm varies\r\nacross samples.\r\nAdditionally, SparklingGoblin uses a variety of shellcode loaders, such as the Motnug loader\r\nand ChaCha20-based loaders. Motnug is a fairly simple shellcode loader that is frequently used to load the\r\nCROSSWALK backdoor, while the ChaCha20-based loaders, as their name suggests, decrypt and load\r\nshellcode encrypted with the ChaCha20 algorithm. The ChaCha20 implementation used in this loader is the same\r\none used in the SideWalk backdoor described below. It is counter based (CTR mode), using a\r\n12-byte nonce and a 32-byte key with an initial counter value of 11, leading to the following initial state (byte\r\noffsets in hex; each cell is one little-endian 32-bit word):\r\nOffset +0x00 +0x04 +0x08 +0x0C\r\n0x00 \"expa\" \"nd 3\" \"2-by\" \"te k\"\r\n0x10 Key Key Key Key\r\n0x20 Key Key Key Key\r\n0x30 0x0000000B Nonce Nonce Nonce\r\nThis is the RFC 7539 state layout (32-bit block counter in word 12, 96-bit nonce in words 13 to 15). The 0x0000000B\r\ninitial counter differs from the usual ChaCha20 implementation, where the initial block counter is 0 (or 1 in the RFC 7539\r\nAEAD construction, which reserves block 0 for the Poly1305 key). A stock implementation therefore has to skip the first 11\r\nblocks (704 bytes) of keystream to reproduce this variant.\r\nNote that these ChaCha20-based loaders were previously documented in a blogpost from Positive Technologies.\r\nInitialization\r\nSimilar to CROSSWALK, the SideWalk shellcode uses a main structure to store strings, variables, the Import\r\nAddress Table (IAT), and its configuration data. This structure is then passed as an argument to all functions that\r\nneed it. 
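The ChaCha20 variant from the table above, together with the 16-byte XOR loop and the ROR-13 integrity check that the Initialization and Anti-tampering paragraphs of this section describe, reimplemented as an added example. This is not code from the ESET report or from the malware: only the data-section XOR key is the one quoted in the report, while the 32-byte configuration key, the nonce, the string-pool contents and the way the checksum folds each word in (an addition) are assumptions made for the demonstration, and the sample blobs are constructed here.

```python
# Added example (not code from the ESET report or the malware): the three transformations
# SideWalk's initialization relies on, reimplemented from the description in the text.
import struct

MASK32 = 0xFFFFFFFF

def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)

def chacha20_block(key, nonce, counter):
    # State layout from the table above: 4 constant words, 8 key words, the 32-bit block
    # counter in word 12 and the 12-byte nonce in words 13..15 (RFC 7539 layout).
    state = list(struct.unpack('<4I', b'expand 32-byte k'))
    state += struct.unpack('<8I', key)
    state.append(counter & MASK32)
    state += struct.unpack('<3I', nonce)
    w = state[:]
    for _ in range(10):                   # 20 rounds: 10 column + diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack('<16I', *[(w[i] + state[i]) & MASK32 for i in range(16)])

def chacha20_xor(key, nonce, data, initial_counter=11):
    # Symmetric: the same call encrypts and decrypts. SideWalk starts the block counter at
    # 11 (0x0000000B); pass initial_counter=0 for a standard stream.
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, nonce, initial_counter + off // 64)
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], ks))
    return bytes(out)

def xor16(data, key):
    # The XOR loop applied to the string pool and to the instructions: a 16-byte key, repeated.
    return bytes(b ^ key[i % 16] for i, b in enumerate(data))

def ror13_checksum(blob):
    # Anti-tampering hash: rotate the running value right by 13 bits for every 32-bit word.
    # The report gives only the rotation; folding each word in with an addition is assumed.
    h = 0
    for (word,) in struct.iter_unpack('<I', blob[:len(blob) // 4 * 4]):
        h = ((((h >> 13) | (h << 19)) & MASK32) + word) & MASK32
    return h

def patch_int3(code, offset):
    # A software breakpoint replaces one code byte with 0xCC, which the checksum catches;
    # hardware breakpoints do not touch memory and are not caught this way.
    patched = bytearray(code)
    patched[offset] = 0xCC
    return bytes(patched)

def decrypt_and_verify(encrypted_pool, xor_key, reference):
    # Order follows SideWalk: decrypt the data section, then refuse to continue when the
    # checksum of the decrypted bytes differs from the untampered reference.
    pool = xor16(encrypted_pool, xor_key)
    return pool if ror13_checksum(pool) == reference else None

# Constructed sample. The XOR key is the data-section key quoted in the report; the pool
# contents, configuration key and nonce are assumptions made for this demonstration.
DATA_XOR_KEY = bytes.fromhex('b01d1e4b6876ff2e4916eb2b744cbb3a')
SAMPLE_POOL = bytes([0]).join([b'Kernel32.dll', b'GetTickCount64', b'GET', b'POST',
                               b'https://www.google.com']) + bytes([0])
ENCRYPTED_POOL = xor16(SAMPLE_POOL, DATA_XOR_KEY)
REFERENCE_CHECKSUM = ror13_checksum(SAMPLE_POOL)
CFG_KEY = bytes(range(32))
CFG_NONCE = bytes.fromhex('000000000000004a00000000')
ENCRYPTED_CFG = chacha20_xor(CFG_KEY, CFG_NONCE, b'update.facebookint.workers.dev')

if __name__ == '__main__':
    pool = decrypt_and_verify(ENCRYPTED_POOL, DATA_XOR_KEY, REFERENCE_CHECKSUM)
    print('strings:', pool.split(bytes([0]))[:-1])
    print('tampered:', decrypt_and_verify(patch_int3(ENCRYPTED_POOL, 3), DATA_XOR_KEY, REFERENCE_CHECKSUM))
    print('config:', chacha20_xor(CFG_KEY, CFG_NONCE, ENCRYPTED_CFG))
```

Because the counter only selects which 64-byte keystream block is produced, decrypting a real configuration with a stock library (for instance PyCryptodome's ChaCha20 object with a 12-byte nonce) amounts to calling its seek() with 704 bytes before feeding the ciphertext; chacha20_xor above does the same by starting the counter at 11. The patch_int3 call shows why a debugger that sets software breakpoints on the decrypted code trips the check: a single changed byte changes the 32-bit word it sits in, and every later step of the checksum is a bijection on the running value, so the final hash can never match the reference again.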
During SideWalk’s initialization, first the strings are decrypted and added to the structure, then the part of\r\nthe structure responsible for storing the IAT is populated, and finally SideWalk’s configuration is decrypted.\r\nData and string pool decryption\r\nAt the very beginning of its execution, the data section at the end of the shellcode is decrypted using an XOR loop\r\nand this 16-byte key: B0 1D 1E 4B 68 76 FF 2E 49 16 EB 2B 74 4C BB 3A. This section, once decrypted,\r\ncontains the strings that will be used by SideWalk, including:\r\nregistry keys\r\ndecryption keys\r\npath to write files received from the C\u0026C server\r\nHTTP method to be used\r\nHTTP request parameters\r\nURLs used to retrieve the local proxy configuration\r\ndelimiters used to retrieve the encrypted IP address from the Google Docs document\r\nThe decrypted string pool is listed in Figure 5 below.\r\nSOFTWARE\\Microsoft\\Cryptography\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\r\nProxyServer\r\nkT7fDpaQy9UhMz3\r\nZFYP0BV7SJ2LUH1Q9WEC8RTMXAKG6D3NO5I4LAHXN1EDRVC\r\nPBKW0X8MEOUSCA6LQJYH4R97VNI5T31FD2ZG697NYYGB81W\r\no71UwSfKrH0NkRhjOmXqFGMAWDplz4s\r\n0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\r\nKernel32.dll\r\nGetTickCount64\r\nGetTickCount\r\ntexplorer.exe\r\n%AllUsersProfile%\\UTXP\\nat\\\r\n%02X\r\nGET\r\nPOST\r\nMozilla/5.0 Chrome/72.0.3626.109 Safari/537.36\r\ngtsid:\r\ngtuvid:\r\nhttps://msdn.microsoft.com\r\nhttps://www.google.com\r\nhttps://www.twitter.com\r\nhttps://www.facebook.com\r\n0B93ACF2\r\nPublicKey:AE6849916EB80C28FE99FC0F3EFF\r\nCC1F99653E93305D\r\nhttpss\r\nGlobal\\JanzYQtWDWFejAFR\r\nFigure 5. 
Decrypted configuration strings from SideWalk\r\nNote that, like SideWalk, CROSSWALK also starts its execution by decrypting a string pool using an XOR\r\nloop and a 16-byte key.\r\nInstruction decryption\r\nAfter decrypting the data section at the end of the shellcode, SideWalk proceeds to decrypt the rest of its\r\ninstructions (starting at offset 0x528) using the same XOR loop with a different 16-byte key:\r\n26 74 94 78 36 60 C1 0C 41 56 0E 60 B1 54 D7 31.\r\nAnti-tampering\r\nOnce it has decrypted its data and code, SideWalk verifies its own integrity by computing a 32-bit checksum over the\r\nshellcode, rotating the running value right by 13 bits for every 32-bit word, and comparing the result with a reference\r\nvalue corresponding to the untampered shellcode. If the hash differs from the reference value, it exits. This lets\r\nthe shellcode detect software breakpoints (which overwrite a code byte with 0xCC) or patches to its code and refuse to\r\nrun in such cases; hardware breakpoints, which do not modify memory, are not caught by this check. The corresponding\r\ndecompiled code is shown in Figure 6.\r\nFigure 6. Decompiled code of SideWalk’s anti-tampering procedure\r\nIAT\r\nIn addition to the string pool, the decoded data also contains the names of the DLLs to load and the hashes of the\r\nnames of the functions to import. Unlike CROSSWALK, which stores the string representation of the hashes,\r\nSideWalk stores the hashes directly in their raw binary form. The corresponding part of the main\r\nstructure, after the import addresses have been resolved, is shown in Figure 7. The names of the DLLs to be loaded are\r\nhighlighted in grey, the hashes of the Windows API function names to be imported are in purple and the addresses of\r\nthe imported functions are in green.\r\nFigure 7. 
SideWalk's IAT structure\r\nSideWalk iterates over the exports of each DLL listed in the decoded data, hashes each export name with a custom\r\nhashing algorithm and compares the result with the hashes of the function names to be imported. Once a match is\r\nfound, the address of the matching function is added to the main structure.\r\nConfiguration\r\nOnce the IAT is populated, SideWalk proceeds to decrypt its configuration. The configuration is encrypted with\r\nthe ChaCha20 algorithm and the decryption key is part of the string pool mentioned above. The ChaCha20\r\nimplementation is the same one used by the ChaCha20-based loader. The decrypted configuration contains values\r\nused by SideWalk for proper operation, as well as the update.facebookint.workers[.]dev C\u0026C server and the URL\r\nof the Google Docs document that is later used as a dead-drop resolver.\r\nNote that update.facebookint.workers[.]dev is a Cloudflare Workers domain: the operators run their own C\u0026C logic\r\non a widely used, public web service. During that campaign, SparklingGoblin also\r\nused a Cloudflare Workers domain with Cobalt Strike: cdn.cloudfiare.workers[.]dev (note the lookalike spelling\r\n\"cloudfiare\").\r\nNetwork activity\r\nOne feature of SideWalk is to check whether a proxy configuration is present before starting to communicate with\r\nthe C\u0026C server. 
To do so, it tries two techniques:\r\nA call to the API function WinHttpGetIEProxyConfigForCurrentUser, with predefined URLs contained in\r\nits configuration:\r\nhttps://msdn.microsoft.com\r\nhttps://www.google.com\r\nhttps://www.twitter.com\r\nhttps://www.facebook.com\r\nIf SideWalk is able to enable SeDebugPrivilege, it tries to retrieve the proxy configuration\r\nfrom HKU\\\u003cuser SID\u003e\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer.\r\nOtherwise, it tries to fetch it from HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet\r\nSettings\\ProxyServer.\r\nIf a proxy is found, SideWalk uses it to communicate with the C\u0026C server. This behavior is very similar to the\r\nway proxies are handled by CROSSWALK.\r\nSideWalk obtains the proxy configuration of the current user session by stealing the user token from\r\nexplorer.exe (the process name to search for is in the configuration) and then calling the Windows API\r\nWinHttpGetIEProxyConfigForCurrentUser while impersonating that user.\r\nNote that SideWalk has the necessary permissions to impersonate logged-on users because it is loaded by the\r\nInstallUtil-based .NET loader, which persists as a scheduled task and therefore runs under the SYSTEM account.\r\nInterestingly, the same procedure for getting the explorer.exe token is described on a Chinese-language blog. The\r\ndecompiled procedure is shown in Figure 8.\r\nFigure 8. Decompiled code responsible for user impersonation before retrieving the proxy configuration\r\nRequest formats\r\nThe Google Docs page used by SideWalk as a dead-drop resolver is shown in the following screenshot (Figure 9),\r\nand at the time of writing, it is still up. 
Note that anyone can edit this page.\r\nFigure 9. Google Docs document used by SideWalk as dead-drop resolver\r\nThe string present on this page has the format depicted in Figure 10.\r\nFigure 10. Format of the string hosted on the Google Docs document\r\nThis string is composed of:\r\nDelimiters used for proper parsing.\r\nA payload and its size; the payload consists of a ChaCha20-encrypted IP address, the key to decrypt it, and, for\r\nan integrity check, the hash of the decryption key.\r\nAdditional strings that are currently unused.\r\nTo facilitate potential future use of this format, we have provided a script in our GitHub repository.\r\nThe decrypted IP address is 80.85.155[.]80. That C\u0026C server uses a self-signed certificate for the\r\nfacebookint[.]com domain. This domain has been attributed to BARIUM by Microsoft, which partially overlaps\r\nwith what we define as Winnti Group. As this IP address is not the first one used by the malware, it is\r\nconsidered to be the fallback one.\r\nSideWalk communicates with its C\u0026C server over HTTPS; the headers of the POST requests sent to the C\u0026C server\r\nare shown in Figure 11.\r\nPOST /M26RcKtVr5WniDVZ/5CDpKo5zmAYbTmFl HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: close\r\nPragma: no-cache\r\nUser-Agent: Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36\r\ngtsid: zn3isN2C6bWsqYvO\r\ngtuvid: 7651E459979F931D39EDC12D68384C21249A8DE265F3A925F6E289A2467BC47D\r\nContent-Length: 120\r\nHost: update.facebookint.workers.dev\r\nFigure 11. Example of a POST request used by SideWalk\r\nBoth the URL and the values of the gtsid and gtuvid headers are randomly generated. Note that the User-Agent,\r\ntaken from the string pool, lacks the platform and AppleWebKit tokens a genuine Chrome 72 sends, which makes it a\r\nusable network indicator on its own. 
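A small detector for the beacon shape of Figure 11, added here as an example; it is not part of the ESET report. The header names, the User-Agent and the two hostnames come from the report, while the scoring weights, the alert threshold and the three sample request heads (one reconstructed from Figure 11, two benign ones) are constructed for the demonstration. Fed the raw request head from a proxy log or IDS capture, it returns a score and the indicators that matched.

```python
# Added example (not from the ESET report): flag HTTP request heads that match the
# SideWalk beacon shape in Figure 11. The three sample requests below are constructed.
CRLF = chr(13) + chr(10)

# From the report: the hard-coded User-Agent and the two Cloudflare Workers C2 hostnames.
SIDEWALK_UA = 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36'
SIDEWALK_HOSTS = {'update.facebookint.workers.dev', 'cdn.cloudfiare.workers.dev'}
HEX_UPPER = set('0123456789ABCDEF')
ALERT_THRESHOLD = 3          # assumed tuning: one strong indicator, or several weak ones

def parse_request_head(raw):
    # Splits a raw HTTP request head into (method, path, headers); header names lower-cased.
    lines = raw.split(CRLF)
    method, path, _version = lines[0].split(' ', 2)
    headers = {}
    for line in lines[1:]:
        if not line:                     # empty line ends the head
            break
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def sidewalk_score(raw):
    # Returns (score, matched indicator labels). Weights are assumptions, not from the report.
    method, path, h = parse_request_head(raw)
    score, labels = 0, []
    host = h.get('host', '')
    if host in SIDEWALK_HOSTS:
        score += 3; labels.append('known C2 host: ' + host)
    elif host.endswith('.workers.dev'):
        score += 1; labels.append('Cloudflare Workers host: ' + host)
    gtsid, gtuvid = h.get('gtsid'), h.get('gtuvid')
    if gtsid is not None and gtuvid is not None:
        # Observed shape: 16 random alphanumerics and 64 upper-case hex digits.
        if len(gtsid) == 16 and gtsid.isalnum() and len(gtuvid) == 64 and set(gtuvid) <= HEX_UPPER:
            score += 3; labels.append('gtsid/gtuvid headers with beacon-shaped values')
        else:
            score += 2; labels.append('gtsid/gtuvid headers present')
    # The string-pool UA lacks the platform and A1ppleWebKit tokens a real Chrome 72 sends.
    if h.get('user-agent') == SIDEWALK_UA:
        score += 2; labels.append('hard-coded SideWalk User-Agent')
    segments = path.strip('/').split('/')
    if method == 'POST' and len(segments) == 2 and all(s.isalnum() for s in segments):
        score += 1; labels.append('weak: POST to a two-segment alphanumeric path')
    return score, labels

def is_sidewalk_beacon(raw):
    return sidewalk_score(raw)[0] >= ALERT_THRESHOLD

# Constructed samples. The first reproduces the headers of Figure 11; the others are benign.
SAMPLE_BEACON = CRLF.join([
    'POST /M26RcKtVr5WniDVZ/5CDpKo5zmAYbTmFl HTTP/1.1',
    'Cache-Control: no-cache', 'Connection: close', 'Pragma: no-cache',
    'User-Agent: ' + SIDEWALK_UA,
    'gtsid: zn3isN2C6bWsqYvO',
    'gtuvid: 7651E459979F931D39EDC12D68384C21249A8DE265F3A925F6E289A2467BC47D',
    'Content-Length: 120', 'Host: update.facebookint.workers.dev', '', ''])
SAMPLE_BENIGN_CHROME = CRLF.join([
    'GET /api/v1/status HTTP/1.1', 'Host: example.com',
    'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36',
    '', ''])
SAMPLE_BENIGN_WORKER = CRLF.join([
    'POST /v1/ingest HTTP/1.1', 'Host: api.example-app.workers.dev',
    'User-Agent: curl/7.88.1', 'Content-Type: application/json', 'Content-Length: 2', '', ''])

if __name__ == '__main__':
    for name, sample in [('beacon', SAMPLE_BEACON), ('chrome', SAMPLE_BENIGN_CHROME), ('worker', SAMPLE_BENIGN_WORKER)]:
        print(name, is_sidewalk_beacon(sample), sidewalk_score(sample))
```

The two benign requests show why the weak indicators are weighted as they are: a legitimate application hosted on workers.dev that POSTs to a short path scores 2 and stays below the threshold, whereas the gtsid/gtuvid pair or the known hostname alone is enough to alert. Since the URL path and both header values are regenerated for every request, the detector deliberately keys on their shape rather than their values.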
The Host header is either\r\nthe IP address fetched from Google Docs or update.facebookint.workers[.]dev. The body of the POST request is\r\nan encrypted payload. This format is used for all traffic between the C\u0026C server and infected machines, for\r\nrequests and responses alike; it is shown in Figure 12.\r\nFigure 12. Format of the POST request data\r\nSince the same format is used for both the request and the response, SideWalk parses the data\r\nsent back by the C\u0026C server according to this same layout. There is no particular similarity between\r\nCROSSWALK and SideWalk on the C\u0026C communication side.\r\nIn this format, the fields are:\r\nhash: the hash of the data from offset 0x10 to total_size of the payload. The hash algorithm is a custom\r\nconstruction made of multiple MD5 calls over different portions of the hashed data.\r\nsize: equal to total_size - 0x0D.\r\nkey1, key2: the ChaCha20 keys used to encrypt the Header Buffer and the Data Buffer, respectively.\r\nparameter buffer: optional buffer (may be all zeros).\r\nvictim ID: authentication information, the result of a custom hash over various machine information\r\nincluding the Machine GUID and the computer name.\r\nexecution ID: generated with CryptGenRandom before the threads are launched. 
It is different for\r\neach execution.\r\ncommand ID / response ID: in a request from the malware to the C\u0026C server, the ID of the action that has\r\njust been handled; in a response from the C\u0026C server to the malware, the ID of the command to execute.\r\ncounter: number of commands executed since the current SideWalk process started.\r\ndata: the ChaCha20-encrypted, compressed data collected by the malware or sent by the C\u0026C server.\r\ncompressed size: the size of the LZ4-compressed data.\r\ndata size: the uncompressed data size.\r\nThe Header Buffer and the Data Buffer are encrypted with their respective keys. The first holds the metadata\r\nthat identifies the compromised machine, and the second holds the actual data exchanged\r\nbetween the C\u0026C server and the malware. The fields shown in Figure 12 are visible once the buffers are\r\ndecrypted. If key1 and key2 are carried in clear inside the payload, as this layout suggests, the ChaCha20 layer\r\nobscures the traffic rather than protecting it, and confidentiality rests on the outer HTTPS connection.\r\nCapabilities\r\nBy the time we started analyzing SideWalk its C\u0026C server was already down, so some of the possible actions could\r\nnot be fully characterized without knowing the data the C\u0026C server sends; most of the malware's capabilities\r\nare nonetheless documented in the following table.\r\nTable 1. 
C\u0026C commands supported by SideWalk\r\nCommand ID (C\u0026C to malware) | Response ID (malware to C\u0026C) | Description\r\n0x00 | None | Do nothing.\r\n0x7C | 0x79 | Load the plug-in (as shellcode) sent by the C\u0026C server.\r\n0x82 | 0x83 | Collect information about running processes (owner SID, account name, process name, domain information).\r\n0x8E | 0x8F | Write the received data to the file located at %AllUsersProfile%\\UTXP\\nat\\\u003cfilename\u003e, where filename is a\r\nhash of the value returned by VirtualAlloc at each execution of the malware.\r\n0x64 | None | Call one of the plug-ins received from the C\u0026C server. Each of the commands 0x64, 0x74, 0x78, 0x7E, 0x80 and\r\nthe default case calls them differently, with different arguments. In addition, command 0x74 terminates all the threads.\r\n0x74 | None | (see 0x64)\r\n0x78 | 0x79 or 0x7B | (see 0x64)\r\n0x7E | None | (see 0x64)\r\n0x80 | 0x81 | (see 0x64)\r\ndefault | None | (see 0x64)\r\nNote: As we did not retrieve any plug-ins from the C\u0026C server, it is difficult to assess SideWalk’s full capabilities.\r\nThe CROSSWALK connection\r\nEven though the SideWalk and CROSSWALK code is different, both families share multiple architectural\r\nsimilarities: a similar anti-tampering technique, threading model and data layout, and the same way of handling this\r\ndata throughout execution. Feature-wise, both backdoors are modular and able to handle proxies to\r\ncommunicate properly with their C\u0026C servers.\r\nThese similarities are described below and summarized in a table at the end of this section.\r\nConsidering all these similarities, we believe SideWalk and CROSSWALK were most likely coded by the same\r\ndevelopers.\r\nArchitecture\r\nThe threading model is very similar between SideWalk and CROSSWALK. 
The authors split tasks between\r\nthreads and use PostThreadMessage Windows API calls to communicate between them. For example, one thread\r\nis responsible for making a request and, once it gets the response, hands it to the appropriate thread.\r\nThe programming style is also very similar; a functional approach is used. A data structure stores the\r\nconfiguration, strings, and imports, and it is passed as an argument to all the functions that need it.\r\nFor example, here are a few function prototypes:\r\n__int64 getMachineGuid(main_struct* main_struct, __int64 machineguid)\r\n__int64 writeBufferToFile(main_struct* main_struct, __int64 buffer, unsigned int nbBytes)\r\n__int64 recv(main_struct* main_struct, __int64 socket, unsigned int nbBytes, __int64 buffer)\r\nBoth SideWalk and CROSSWALK are modular backdoors that can load additional modules sent by the C\u0026C\r\nserver. SideWalk’s module handling is implemented in a manner similar to CROSSWALK’s. Some of the\r\npossible module operations are execution, installation, and uninstallation.\r\nFunctionalities\r\nLike CROSSWALK, SideWalk computes a 32-bit hash of the shellcode at the very beginning of its execution using\r\na rotate-right loop over 32-bit words (the ROR-13 checksum described in the Anti-tampering section above).\r\nCROSSWALK and SideWalk gather similar artifacts, among them:\r\nIP configuration\r\nOS version\r\nUsername\r\nComputer name\r\nFilename\r\nCurrent process ID\r\nCurrent time\r\nProxy handling is the same in both CROSSWALK and SideWalk. 
Both use common, legitimate URLs (such as\r\nhttps://www.google.com or https://www.twitter.com) and a WinHttpGetIEProxyConfigForCurrentUser Windows\r\nAPI call to retrieve the proxy configuration.\r\nData layout\r\nSideWalk and CROSSWALK follow the same shellcode layout: instructions, followed by strings, the IAT and the\r\nencrypted configuration data.\r\nData handling\r\nSideWalk and CROSSWALK each process the data at the end of the shellcode in the same way:\r\nFirst, the data section is decrypted using a 16-byte XOR loop.\r\nThen, function addresses are resolved from the name hashes stored in the data section and stored in the main\r\nstructure (pointing to the IAT in the data section).\r\nFinally, the configuration that contains the C\u0026C server address is decrypted (although the decryption\r\nalgorithm used by SideWalk is different).\r\nTable 2. Summary of the similarities between SideWalk and CROSSWALK\r\nCategory | Feature | Similarities | Scarcity\r\nArchitecture | Threading model | Multiple threads are used, each thread being responsible for specific actions: making\r\nrequests; handling responses and processing commands | Low\r\nArchitecture | Programming style | A main data structure is used to store all the backdoor configuration, strings and imports\r\nand is passed as an argument to all the functions that need it. | High\r\nArchitecture | Module handling | Installs, uninstalls, and executes modules in a similar manner to CROSSWALK. | High\r\nFunctionality | Gathered information | IP configuration, OS version, username, computer name, filenames, current process ID,\r\ncurrent time | Low\r\nNetworking | | Similar proxy handling | Medium\r\nAnti-tampering | | A custom hash of the shellcode is computed and checked against a 32-bit reference value. | High\r\nConfiguration | Internal data handling | Similar 16-byte XOR key decryption; similar IAT resolution (similar hash/address\r\npair structure); similar data processing order | High\r\nData layout | | Similar data structure layout with: encrypted string pool, IAT, encrypted C\u0026C configuration | High\r\nConclusion\r\nSideWalk is a previously undocumented backdoor used by the SparklingGoblin APT group. It was most likely\r\nproduced by the same developers as those behind CROSSWALK, with which it shares many design structures and\r\nimplementation details.\r\nSparklingGoblin is a group with some level of connection to Winnti Group. It was very active in 2020 and the first\r\nhalf of 2021, compromising multiple organizations over a wide range of verticals around the world, with a\r\nparticular focus on the academic sector and East Asia.\r\nESET Research is now offering a private APT intelligence report and data feed. 
For any inquiries about this new\r\nservice, or research published on WLS, contact us at threatintel@eset.com.\r\nIndicators of Compromise (IoCs)\r\nA comprehensive list of Indicators of Compromise and samples can be found in our GitHub repository.\r\nSamples\r\nNote that the SideWalk sample referenced below is not the one on which our analysis is based; the actual sample\r\nused during the compromise is the one discussed in detail in the text of this blogpost.\r\nSHA-1 | Description | ESET detection name\r\n1077A3DC0D9CCFBB73BD9F2E6B72BC67ADDCF2AB | InstallUtil-based .NET loader used to decrypt and load SideWalk | MSIL/ShellcodeRunner.L.gen\r\n153B8E46458BD65A68A89D258997E314FEF72181 | ChaCha20-based shellcode loader used to decrypt and load the SideWalk shellcode | Win64/Agent.AQD\r\n829AADBDE42DF14CE8ED06AC02AD697A6C9798FE | SideWalk ChaCha20-encrypted shellcode | N/A\r\n9762BC1C4CB04FE8EAEEF50A4378A8D188D85360 | SideWalk decrypted shellcode | Win64/Agent.AQD\r\nEA44E9FBDBE5906A7FC469A988D83587E8E4B20D | InstallUtil-based .NET loader used to decrypt and load Cobalt Strike | MSIL/ShellcodeRunner.O\r\nAA5B5F24BDFB049EF51BBB6246CB56CEC89752BF | Cobalt Strike encrypted shellcode | N/A\r\nNetwork\r\nupdate.facebookint.workers[.]dev\r\ncdn.cloudfiare.workers[.]dev\r\n104.21.49[.]220\r\n80.85.155[.]80\r\n193.38.54[.]110\r\nFilenames\r\nC:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\WindowsUpdate\\WebService\r\nC:\\windows\\system32\\tasks\\Microsoft\\Windows\\Ras\\RasTaskStart\r\niislog.tmp\r\nmscorsecimpl.tlb\r\nC_25749.NLS\r\nMicrosoft.WebService.targets\r\nSSL certificate\r\nSerial number 8E812FCAD3B3855DFD78980CEE0BEB71\r\nFingerprint D54AEB62D0102D0CC4B96CA9E5EAADE3846EC470\r\nSubject CN CloudFlare Origin Certificate\r\nSubject O CloudFlare, Inc.\r\nSubject L San Francisco\r\nSubject S California\r\nSubject C US\r\nValid from 2020-11-04 09:35:00\r\nValid to 2035-11-01 09:35:00\r\nX509v3 Subject Alternative Name\r\nDNS:*.facebookint.com\r\nDNS:facebookint.com\r\nNote that the certificate imitates a Cloudflare origin certificate but is self-signed, and its 15-year validity period is\r\nitself unusual; both the fingerprint and these properties can be used for hunting.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 9 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1583.001 | Acquire Infrastructure: Domains | SparklingGoblin uses its own domains.\r\nResource Development | T1583.004 | Acquire Infrastructure: Server | SparklingGoblin uses servers hosted by various providers for its C\u0026C servers.\r\nResource Development | T1583.006 | Acquire Infrastructure: Web Services | SparklingGoblin uses Cloudflare Workers services as C\u0026C servers.\r\nResource Development | T1587.001 | Develop Capabilities: Malware | SparklingGoblin uses its own malware arsenal.\r\nResource Development | T1587.003 | Develop Capabilities: Digital Certificates | SparklingGoblin uses self-signed SSL certificates.\r\nExecution | T1053.005 | Scheduled Task/Job: Scheduled Task | SparklingGoblin’s .NET shellcode loaders are executed by a scheduled task.\r\nPersistence | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | Some SparklingGoblin shellcode loaders persist by being installed at locations used for DLL search order hijacking.\r\nPersistence | T1053.005 | Scheduled Task/Job: Scheduled Task | SparklingGoblin’s .NET shellcode loaders persist as scheduled tasks.\r\nPrivilege Escalation | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | SideWalk uses token impersonation before performing HTTP requests.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | Most shellcode used by SparklingGoblin is stored encrypted on disk.\r\nDefense Evasion | T1055.012 | Process Injection: Process Hollowing | Some SparklingGoblin loaders use process hollowing to execute their shellcode.\r\nDefense Evasion | T1218.004 | Signed Binary Proxy Execution: InstallUtil | SparklingGoblin’s .NET loaders are executed by InstallUtil.\r\nDiscovery | T1012 | Query Registry | SideWalk queries the registry to get the proxy configuration.\r\nDiscovery | T1082 | System Information Discovery | SideWalk and CROSSWALK collect various information about the compromised system.\r\nDiscovery | T1016 | System Network Configuration Discovery | SideWalk and CROSSWALK retrieve the local proxy configuration.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | SideWalk and CROSSWALK use HTTPS to communicate with C\u0026C servers.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | SideWalk uses a modified ChaCha20 implementation to communicate with C\u0026C servers.\r\nCommand and Control | T1008 | Fallback Channels | SideWalk uses a fallback IP address encrypted in a Google Docs document used as dead-drop resolver.\r\nCommand and Control | T1090 | Proxy | SideWalk and CROSSWALK can communicate properly when a proxy is used on the victim’s network.\r\nCommand and Control | T1102 | Web Service | SideWalk uses Cloudflare Workers web services.\r\nCommand and Control | T1102.001 | Web Service: Dead Drop Resolver | SideWalk uses a Google Docs document as dead-drop resolver.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/"
	],
	"report_names": [
		"sidewalk-may-be-as-dangerous-as-crosswalk"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c8b57a00-18f4-4e49-9954-849de5e97506",
			"created_at": "2023-11-05T02:00:08.065073Z",
			"updated_at": "2026-04-10T02:00:03.395154Z",
			"deleted_at": null,
			"main_name": "SparklingGoblin",
			"aliases": [],
			"source_name": "MISPGALAXY:SparklingGoblin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41",
				"BARIUM",
				"Blackfly",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku",
				"GREF",
				"Group 72",
				"Red Kelpie",
				"TA415",
				"TG-2633",
				"Wicked Panda",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434022,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6eadc6bc2efb9c2eaff3af916b925000d197bb68.pdf",
		"text": "https://archive.orkl.eu/6eadc6bc2efb9c2eaff3af916b925000d197bb68.txt",
		"img": "https://archive.orkl.eu/6eadc6bc2efb9c2eaff3af916b925000d197bb68.jpg"
	}
}