{
	"id": "7136fc24-4dc6-4327-a92e-f82ba749b960",
	"created_at": "2026-04-06T00:11:31.045985Z",
	"updated_at": "2026-04-10T03:26:48.469987Z",
	"deleted_at": null,
	"sha1_hash": "6f8041bb4b61f40b9188c7dbce8ef8fca388dab5",
	"title": "The sample analysis of APT-C-27’s recent attack | 360 Total Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 845636,
	"plain_text": "The sample analysis of APT-C-27’s recent attack | 360 Total Security Blog\r\nPublished: 2018-10-19 · Archived: 2026-04-05 14:01:26 UTC\r\nBackground\r\nAPT-C-27 is a group that has long been engaged in cyber attacks against Arab countries such as Syria. It mainly uses APK, PE, VBS and JS files as attack vectors, targets the Android and Windows platforms, and spreads its malicious payloads through social networks and spear-phishing email.\r\nThe malicious sample captured by 360 CERT (360 Computer Emergency Readiness Team) is an Office phishing document with an embedded Package object. Judging from the sample type, the attack is suspected to have been delivered to the victim by spear-phishing email. The document poses as a public letter issued by the United Nations Relief and Works Agency for Palestine Refugees in the Near East (UNRWA) with an important embedded form, inducing victims to execute the Package object and thereby run the attack payload.\r\nAttack analysis\r\nFrom the sample captured by 360 CERT, the attack started with the Office phishing document containing the Package object. The entire attack chain consists of the phishing document, a Dropper script and a backdoor.\r\nThe bait file shows an official letter issued by UNRWA. After the victim executes the embedded Package object, another Word document, \u003cالذاتية السرية\u003e, is displayed. From the language used in the document, the attack was mainly targeted at Arabic-speaking victims, using fraudulent documents to trick them into filling in personal details.\r\nhttps://blog.360totalsecurity.com/en/the-sample-analysis-of-apt-c-27s-recent-attack/\r\nPage 1 of 8\r\nEmbedded packages are a native Microsoft Office feature with very broad compatibility; they execute reliably under all versions of Office. Once the user double-clicks the object, the embedded VBS script is released and executed.\r\nThe script run under the Word process is a Dropper, which releases the VBS backdoor and the \u003cالذاتية السرية\u003e document executed in the next stage. It then uses the backdoor script to interact with the C2. Unlike the common attack process, there is no PE file in the entire attack chain; the APT-C-27 group chooses to use the script to communicate directly with the C2. We found that this script is a classic script backdoor that has been circulating on the network for a long time.\r\nSample technical analysis\r\nAnalysis of the phishing document\r\nThe main technique used in this phishing document is to embed a malicious VBS script in a Word document alongside misleading content. A letter was forged on behalf of UNRWA to induce victims to trust the source of the document and double-click the embedded Package icon, which performs the malicious operations.\r\nAccording to the properties of the embedded package in the Office document, analysing the files in the \\word\\embeddings\\ directory gives the path from which the attacker inserted the object: C:\\Users\\gorin fulcroum\\Desktop\\CV.vbs\r\nThe author of the bait file is مستخدم Windows and the last modification time of the document is 2018-09-19T09:53:00Z; comparing the author name across documents indicates that this is the attacker’s long-term working environment.\r\nDropper analysis\r\nThe Dropper uses Base64-encoded data, which interferes to some degree with detection by security vendors.\r\nAfter analysing the Dropper script, it is clear that its main function is to save and execute the sh3r.doc and program.vbs files, whose original content is stored in two base64-encoded strings.\r\nBackdoor analysis\r\nThe Program.vbs script is a heavily obfuscated backdoor. Its code is padded with a large amount of invalid code, invisible special characters, encoded strings and cluttered encoding to hinder analysis.\r\nAfter analysing the backdoor script, as mentioned earlier, we found that this is a classic backdoor that has been circulating on the network for a long time. Its features include collecting and uploading system information, setting up scheduled tasks, downloading files, executing shell commands, deleting files, terminating processes, traversing file drives and processes, and more. The backdoor script’s execution flow and main functions are as follows:\r\n1. Back up the script to the %APPDATA%\\MICROSOFT\\ directory.\r\n2. Decode a base64 string and save it as %temp%\\R.jpg. R.jpg is parsed as XML to register the backup backdoor as a scheduled task named WindowsUpda2ta.\r\n3. Obtain basic information such as the disk volume label, computer name, user name and operating system version, and send it back to the C2 server.\r\n4. Receive and respond to C2 server commands to complete the subsequent attack steps. Received instructions include executing shell commands, updating the backdoor, uninstalling, and so on.\r\nBasic network analysis\r\nThe backdoor program uses a bare IP address to communicate with the C2 server. The host IP is 82.137.255.56 and the communication port is 5602. This IP address is an inherent IP asset of the Golden Rat organization and has appeared several times in its attacks. The IP is located in Syria and its ASN is AS29256.\r\nNo domain name has resolved to this IP address in recent months. Two recognized ports, 80 and 82, are open. Port 5602 was not open at the time of the port-scan report.\r\nData association through the 360netlab graph system:\r\nSummary\r\nThis incident is clearly another network intrusion campaign by the APT-C-27 group against Arab countries. From the content of the constructed document, the author name of the document and the Arabic comments in the code, it can be judged that the members of the APT-C-27 group are proficient in Arabic.\r\nThe phishing document forged a letter issued by UNRWA; during the attack it not only gained control of victims’ computers and collected their system information, but also forged forms for victims to fill in personal details in order to better understand the victims’ situation.\r\nAlthough the final payload of the attack chain is a VBS script backdoor that has circulated on the network for some time, its intricate obfuscation of the script makes the backdoor hard for security vendors to detect, thus evading anti-virus.\r\nThe C2 server used in this incident is an intrinsic asset of the APT-C-27 group. From the use of the IP asset and its current state, the group may continue to use it for cyberattacks in the near future.\r\nSource: https://blog.360totalsecurity.com/en/the-sample-analysis-of-apt-c-27s-recent-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.360totalsecurity.com/en/the-sample-analysis-of-apt-c-27s-recent-attack/"
	],
	"report_names": [
		"the-sample-analysis-of-apt-c-27s-recent-attack"
	],
	"threat_actors": [
		{
			"id": "c2cc9aa5-1853-4de1-8849-cb3f28c7728e",
			"created_at": "2022-10-25T16:07:24.256045Z",
			"updated_at": "2026-04-10T02:00:04.912815Z",
			"deleted_at": null,
			"main_name": "Goldmouse",
			"aliases": [
				"APT-C-27",
				"ATK 80",
				"Golden Rat",
				"Goldmouse"
			],
			"source_name": "ETDA:Goldmouse",
			"tools": [
				"Bladabindi",
				"GoldenRAT",
				"Jorik",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2c385a7d-0217-46d8-a451-29ac6fe58aaf",
			"created_at": "2023-01-06T13:46:38.937468Z",
			"updated_at": "2026-04-10T02:00:03.151838Z",
			"deleted_at": null,
			"main_name": "APT-C-27",
			"aliases": [
				"Golden RAT",
				"ATK80",
				"GoldMouse"
			],
			"source_name": "MISPGALAXY:APT-C-27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434291,
	"ts_updated_at": 1775791608,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f8041bb4b61f40b9188c7dbce8ef8fca388dab5.pdf",
		"text": "https://archive.orkl.eu/6f8041bb4b61f40b9188c7dbce8ef8fca388dab5.txt",
		"img": "https://archive.orkl.eu/6f8041bb4b61f40b9188c7dbce8ef8fca388dab5.jpg"
	}
}