{
	"id": "693a8ed0-0585-4e52-8016-a2b11fc6eb8a",
	"created_at": "2026-04-06T00:18:35.503144Z",
	"updated_at": "2026-04-10T03:37:21.713936Z",
	"deleted_at": null,
	"sha1_hash": "701aa2ef6158529c9dbcae135e3a58a9778bdd17",
	"title": "APT27 ZXShell RootKit module updates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1334887,
	"plain_text": "APT27 ZXShell RootKit module updates\r\nPublished: 2020-01-13 · Archived: 2026-04-05 20:11:12 UTC\r\nWithin the toolset of the different APT groups, one of the most interesting elements, and the one that generally causes the most concern, is their Ring 0 capability: RootKit/Bootkit-type threats that run with the highest level of privilege.\r\nAn example of this type of threat is the RootKit module of the ZxShell RAT used by Emissary Panda (APT27), of which there is a relatively recent sample (uploaded to VirusTotal on 2019-09-21 17:59:39) that is also correctly signed, so it can be loaded on the latest version of Windows 10 and is perfectly functional as far as we have been able to check.\r\nSysmon DriverLoaded event\r\nA complete analysis of this threat by the analyst Ori Damari (@0xrepnz) can be found in his blog (https://repnz.github.io/posts/autochk-rootkit-analysis/). After analyzing this threat and describing its capabilities, he rewrote the source code from a sample of this threat uploaded to VirusTotal in 2018 and published it on GitHub, which greatly facilitates the analysis of newer versions. As he describes in his blog, the capabilities of this RootKit are basically the following:\r\nFile Redirection – Redirect malicious files to benign files. If you try to call CreateFile() to open a malicious file you’ll get a handle to a benign file.\r\nhttps://lab52.io/blog/apt27-rootkit-updates/\r\nPage 1 of 4\r\nNetwork Connection Hiding – Hide network connections from tools like netstat, Process Hacker…\r\nWe found it interesting to analyze the differences between the 2018 version and the most recent 2019 version in order to identify new capabilities or changes in its capabilities. After comparing both samples using the GitHub source code, we have been able to see that most of the functions are identical, except for 5 of them (including the driver’s entry point):\r\nIdentical functions in both versions\r\nDifferent functions\r\nAfter analyzing the differences between these 5 functions, we have observed that all the changes are focused on avoiding detection by slightly “obfuscating” some IOCs hardcoded as strings, plus code modifications with no impact on the capabilities of the driver.\r\nIn total, there are three notable changes between the two versions:\r\nThe first one is that they have reversed the list of strings that identify the files the driver hides by default when it is loaded:\r\nOld and New list of file names\r\nAt code level, the impact is that the function that redirects these files now uses the “wcrev” function to flip the strings before passing them to the function that hides the files:\r\nNew code (Red) and old code (Green)\r\nSecondly, they have tried to disguise their use of the undocumented Microsoft API “ObReferenceObjectByName”, which is used to get the pointer to the DRIVER_OBJECT of the different drivers they intend to hook in each case. Until now, they kept the name of this function in their strings and resolved it by passing the name to the MmGetSystemRoutineAddress API, which returns a pointer to it. Now they only keep part of the name and complete the rest in a slightly more complex way before calling MmGetSystemRoutineAddress, building it from characters they store in registers and other areas of the binary:\r\nNew code (Red) and old code (Green)\r\nFinally, they have moved part of the logic of some functions to another point, maintaining the same functionality. An example is the end of the driver entry function: until now, at the end they only called two functions that initialized the logic for hiding connections and redirecting files, and now they have extracted part of the logic of these functions and moved it right after each of them, without any impact on the capabilities and behavior of the driver:\r\nNew code (Red) and old code (Green)\r\nx64 Sample 42eab05c611bf24d86bb6c985caa2ad7380ed7d98340c7f08de9361be14dc244\r\nx86 Sample 9b7c1e37d5f56cc0b5e5e22ce9805e237a189297e78405b9c392a0953b6e0321\r\nSource: https://lab52.io/blog/apt27-rootkit-updates/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://lab52.io/blog/apt27-rootkit-updates/"
	],
	"report_names": [
		"apt27-rootkit-updates"
	],
	"threat_actors": [
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434715,
	"ts_updated_at": 1775792241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/701aa2ef6158529c9dbcae135e3a58a9778bdd17.pdf",
		"text": "https://archive.orkl.eu/701aa2ef6158529c9dbcae135e3a58a9778bdd17.txt",
		"img": "https://archive.orkl.eu/701aa2ef6158529c9dbcae135e3a58a9778bdd17.jpg"
	}
}