{
	"id": "9dde5a94-f8cf-4116-9ea7-23b7b9a03526",
	"created_at": "2026-04-06T00:16:50.052741Z",
	"updated_at": "2026-04-10T03:37:58.755011Z",
	"deleted_at": null,
	"sha1_hash": "70f82800806b67d73627b023226dff9f80c54320",
	"title": "Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1093348,
	"plain_text": "Operation RAT Cook: Chinese APT actors use fake Game of Thrones\r\nleaks as lures | Proofpoint US\r\nBy Darien Huss and Matthew Mesa, August 25, 2017\r\nPublished: 2017-08-25 · Archived: 2026-04-05 13:28:05 UTC\r\nOverview\r\nProofpoint recently observed a targeted email campaign attempting a spearphishing attack using a Game of Thrones lure.\r\nThe malicious attachment, which offered salacious spoilers and video clips, attempted to install a “9002” remote access\r\nTrojan (RAT) historically used by state-sponsored actors. Previous attacks involving the 9002 RAT include:\r\nOperation Aurora, an attack on companies such as Google, widely attributed to the Chinese government [1,2]\r\nOperation Ephemeral Hydra, a strategic website compromise utilizing an Internet Explorer zero-day [3], which\r\nFireEye attributed to an APT actor without a country attribution\r\nAttacks on Asian countries described by Palo Alto [4]\r\nOnce installed, the 9002 RAT provides attackers with extensive data exfiltration capabilities.\r\nEmail Message\r\nOn August 10 Proofpoint detected malicious email messages (Figure 1) purporting to contain unreleased Game of Thrones\r\ncontent. The email used the subject line \"Wanna see the Game of Thrones in advance?\" These lures are especially relevant\r\nsince Season 7 of Game of Thrones premiered in July and concludes on Sunday, August 27, and the email claims to contain\r\nspoilers for the current season. 
It is worth noting that episodes 4 and 6 were already leaked; it is unlikely that responding to\r\nthe lure would actually net a recipient new, unreleased episodes, particularly considering that the final episode airs this\r\nweekend.\r\nFigure 1: Email message with the potential spoilers (redacted) containing a .docx attachment\r\nThe email shown in Figure 1 contains a Microsoft Word attachment named \"game of thrones preview.docx\" (Figure 2).\r\nSimilar to the email, the document uses a lure listing potential spoilers and claims to contain a preview of the purported\r\nspoilers. In reality, the “preview” is an embedded .LNK (an OLE packager shell object) that, if run, executes a malicious\r\nPowerShell script leading to the installation of the diskless “9002” RAT.\r\nhttps://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures\r\nPage 1 of 8\n\nFigure 2: .docx document attachment containing a malicious .LNK packager object\r\nPayload Analysis\r\nWhen the embedded .LNK object is executed by the potential victim, it runs a PowerShell command using a modified\r\nInvoke-Shellcode [5] PowerShell script to download two files obfuscated using XOR and base64. The first downloaded file\r\ncontains the 9002 RAT shellcode that is injected into a legitimate Windows Mail binary, wabmig.exe (Fig. 3). The other\r\ndownloaded file is a .LNK file that is used as a means to maintain persistence on the infected machine. The HTTP requests\r\nto retrieve the encoded payloads are fairly basic and do not attempt to masquerade as a legitimate browser request (Fig. 4).\r\nInterestingly, if the same URI is requested with any type of User-Agent, then a legitimate JPG is returned (Fig. 5). The\r\npersistence .LNK is stored in the Startup directory as UpdateCheck.lnk and contains a PowerShell script that is almost\r\nidentical to the .LNK downloader. 
However, instead of downloading the shellcode, it opens, decodes, and injects the already\r\ndownloaded shellcode into a newly created wabmig.exe process.\r\nFigure 3: Excerpt from PowerShell script found in the LNK package\r\nFigure 4: HTTP request to download encoded payload\r\nFigure 5: HTTP request with User-Agent receiving legitimate JPG instead of payload\r\nThis variant of 9002 is capable of communicating over both HTTP and what appears to be fake SSL. The fake SSL\r\ncomponent contains at least two hardcoded packets: one for the Client_Hello and another for the Client_Key_Exchange.\r\nMost of the hardcoded values, such as the Session ID (Fig. 6, 7), stay the same. However, the Random fields are dynamically\r\ngenerated (GMT Unix Time and Random Bytes). Finally, the Client_Hello attempts to mimic SSL traffic to login.live[.]com\r\nby sending that domain in the SNI field (Fig. 8).\r\nFigure 6: Client_Hello hardcoded Session ID in 9002\r\nFigure 7: Client_Hello hardcoded Session ID appearing in network traffic\r\nFigure 8: Legitimate login.live[.]com domain in SNI field sent to the C\u0026C\r\nThe HTTP traffic and encoding utilized in this variant of 9002 have several distinguishing characteristics. Data sent to\r\nthe command and control (C\u0026C) in the HTTP POST’s client body is transmitted in an encoded state using a custom\r\nalgorithm followed by base64-encoding (Fig. 
9).\r\nFigure 9: HTTP POST request sent to 9002 C\u0026C\r\nSeveral of the headers are hardcoded, including the Accept and User-Agent headers:\r\nAccept: text/html,application/xhtml+xml,application/xml,*/*\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)\r\nIn addition, there are two different hardcoded URIs (Fig. 10):\r\n/?FORM=Desktop\u0026setmkt=en-us\u0026setlang=en-us\r\n/config/signin\r\nA dynamically generated URI could also be used in the following format: “/%x.htm?”.\r\nFigure 10: HTTP Post request sent to 9002 showing another hardcoded URI\r\nThe encoding algorithm used in this version is an iteration of the “4-byte XOR version of 9002” analyzed by FireEye [3].\r\nInstead of the standard dynamic 4-byte XOR operation that is used in the older variant, a dynamic 4-byte XOR key is used\r\nalong with a static 38-byte seed of\r\n“\\x3A\\x42\\x46\\x41\\x53\\x41\\x39\\x41\\x46\\x2D\\x44\\x38\\x37\\x32\\x6D\\xF1\\x51\\x4A\\xC0\\x2D\\x3A\\x43\\x31\\x30\\x2D\\x30\\x30\\x43\\x30\\x35\\x4A\\x4D\\x39\\xF\r\nto generate a final 256-byte XOR key. To generate the final key, first the 38-byte seed is used with an iterative addition to\r\ngenerate a 256-byte value (Fig. 11).\r\nFigure 11: 256-byte seed initialization using iterative addition and static 38-byte seed value\r\nNext, the first 4 bytes of the encoded data are XOR’ed with the 256-byte value to generate the final 256-byte XOR key (Fig.\r\n12). This key is then XOR’ed with the rest of the encoded data (Fig. 13).\r\nFigure 12: Generation of final 256-byte XOR key\r\nFigure 13: XOR’ing data with final 256-byte XOR key\r\nSimilar to previous versions of 9002, a value resembling a date (“\\x17\\x05\\x15\\x20”) is hardcoded in the malware and can be\r\nfound at offset 0x1C in beacons sent to its C\u0026C (Fig. 
14).\r\nFigure 14: Decoded 9002 traffic sent to its C\u0026C showing the hardcoded value\r\nThe value likely represents the date May 17, 2015, but we are not aware of any significance this date may have. An additional\r\nvalue, 201707, is hardcoded in this variant, which likely refers to July 2017 (Fig. 15).\r\nFigure 15: Hardcoded 201707 in 9002 variant\r\nThis is the most likely explanation, given that the earliest use of the malicious LNK PowerShell downloader (sha256:\r\n9e49d214e2325597b6d648780cf8980f4cc16811b21f586308e3e9866f40d1cd) we have identified is a compressed file\r\n(sha256: bdd695363117ba9fb23a7cbcd484d79e7a469c11ab9a6e2ad9a50c678097f100) uploaded to a malicious file\r\nscanning service on July 6, 2017. The modified timestamp for the files contained in the ZIP file is July 1, 2017. The ZIP\r\npackage contains four copies of the same LNK that was used in the Game of Thrones attack as well as a legitimate JPG of\r\nwhat appears to be a stock picture of a “party.” We have also identified a third possible campaign utilizing the same LNK in\r\na DOCX document attachment named “need help.docx” (Fig. 16). In this instance, the lure is to double-click on a LNK\r\nmasquerading as a video.\r\nFigure 16: Malicious document utilizing same LNK as ZIP and Game of Thrones document\r\nSimilar 2014 Campaigns\r\nWhile searching for other potentially related campaigns, we discovered a nexus of activity occurring at least as far back as\r\nApril 2014. Several ZIP compressed files containing a similar LNK downloader (Fig. 17) were uploaded to a malicious file\r\nscanning service.\r\nFigure 17: Malicious LNK PowerShell downloader observed in archives from 2014\r\nAll five of the archives contained a similar stock picture of a party as well as multiple copies of the malicious LNK with\r\nparty picture-themed names. 
The LNK PowerShell downloader uses similar paths to the recent attacks as well as the same\r\n“/x/” URI. Instead of using code injection, however, a packed executable (PE) is embedded in the PowerShell script, saved as\r\nx.exe, and is used to execute the downloaded payload that is saved as y.exe. An additional similarity is that the LNKs from\r\nthe 2014 archives share the same Volume Serial Number as the LNK from the recent attacks (0xCC9CE694). The volume\r\nserial number is metadata found in the LNK file; since they match, it is more likely that they were created on the same\r\ndevice or using the same builder. It is possible to fake these values; however, we do not believe that is likely in this case.\r\nUnfortunately, we do not know what payload was hosted at mn1[.]org. However, two of the ZIP archives contained a Java\r\npayload named PhotoShow.jar that ultimately executes a diskless 9002 variant with a C\u0026C of mx[.]i26[.]org. This variant\r\nhas a hardcoded identifier of “\\x28\\x02\\x13\\x20” (Fig. 18).\r\nFigure 18: 9002 hardcoded identifier\r\nAttribution\r\nBased on several shared identifiers, it is possible that the recent campaigns were conducted by the same actor that conducted\r\nthe campaigns in early- to mid-2014. The malicious LNK files in both campaigns (2014 vs. 2017) have the same Volume\r\nSerial Number of 0xCC9CE694. Furthermore, the LNK filename used in one of the campaigns this year is almost identical\r\nto the campaigns in 2014: Party00[1-35].jpg.lnk (2017) vs. Party-00[1-5].jpg.lnk (2014). Finally, the themes of party pictures\r\nand stock JPGs used in both the 2017 and 2014 campaigns are extremely similar.\r\nThe 2014 campaign resembles activity previously attributed to the Deputy Dog (aka APT17) actor. Additionally, the Deputy\r\nDog actor has been observed utilizing a similar 9002 RAT with an earlier iteration of the 4-byte XOR encoding algorithm in\r\ndiskless mode [3]. 
Another possible similarity is the use of some of the code from the Java Reverse Metasploit-Stager [6] in\r\nthe exploits previously analyzed by FireEye as well as the PhotoShow.jar payload. Although we do not possess any\r\ndefinitive evidence linking this activity to Deputy Dog, there are enough similarities to support a possible connection.\r\nConclusion\r\nBased on similarities in code, payload, file names, images, and themes, it is possible that this attack was carried out by a\r\nChinese state-sponsored actor known as Deputy Dog. The use of a Game of Thrones lure during the penultimate season of\r\nthe series follows a common threat actor technique of developing lures that are timely and relevant, and play on the human\r\nfactor - the natural curiosity and desire to click that leads to so many malware infections. While Proofpoint systems blocked\r\nthis attack, the use of such lures, combined with sophisticated delivery mechanisms and powerful tools like the latest version\r\nof the 9002 RAT, can open wide doors into corporate data and systems for the actors behind these attacks.\r\nReferences\r\n[1] https://community.saas.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/228686#.WaBdzB9ifW8\r\n[2] http://www.washingtontimes.com/news/2010/mar/24/cyber-attack-on-us-firms-google-traced-to-chinese/\r\n[3] https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Operation_EphemeralHydra.pdf\r\n[4] https://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/\r\n[5] https://github.com/EmpireProject/Empire/blob/master/data/module_source/code_execution/Invoke-Shellcode.ps1\r\n[6] http://security-is-just-an-illusion.blogspot.nl/2013/02/45-x-antivirus-software-fail-again-java.html\r\nIndicators of Compromise 
(IOCs)\r\nIOC | Type | Description\r\nhttp://27.255.83[.]3/x/ | URL | 9002 Shellcode\r\nhttp://27.255.83[.]3/y/ | URL | Persistence LNK\r\n27.255.83[.]3 | IP | 9002 C2\r\n9e49d214e2325597b6d648780cf8980f4cc16811b21f586308e3e9866f40d1cd | SHA256 | LNK Object\r\n5a678529aea9195b787be8c788ef4bb03e38e425ad6d0c9fafd44ed03aa46b65 | SHA256 | %APPDATA%\\y.jpg encoded 9002 shellcode\r\nefdb6351ac3902b18535fcd30432e98ffa2d8bc4224bdb3aba7f8ca0f44cec79 | SHA256 | game of thrones preview.docx\r\nbdd695363117ba9fb23a7cbcd484d79e7a469c11ab9a6e2ad9a50c678097f100 | SHA256 | Party_photos_201612.zip\r\n192e8925589fa9a7f64cba04817c180e6f26ad080bf0f966a63a3280766b066a | SHA256 | need help.docx\r\n2014 IOCs\r\n774acdc37157e7560eca4a167558780e1cc2f5dfd203cbcb795ec05373d46fe0 | SHA256 | Party-001.jpg.lnk\r\n56dda2ed3cd67cadc53f4b9e493c4601e45c5112772ade5b0c36b61858ab7852 | SHA256 | Photos20140214.zip\r\n83151fe6980a39eeda961c6a8f0baba13b6da853661ccbf5c7d9a97ec73d1b70 | SHA256 | Party-pics-201304.zip\r\nb54d547e33b0ea6ba161ac4ce06a50076f1e55a3bc592a0fb56bbc34dc96fd43 | SHA256 | Party_Photos_Packed.zip\r\ndb6b67704b77d271e40e0259a68ce2224504081545619d33b4909e6e6a385ec6 | SHA256 | Photos20140215.zip\r\nfb8eff8dcf41a4cfd0b5775327a607b76269b725f1b46dc5dd04b1f5e2433ee7 | SHA256 | PartyPics.7z\r\n559c0f2948d1d3179420eecd78b1e7c36c4960ec5d110c63bf6c853d30f1b308 | SHA256 | PhotoShow.jar\r\n0b7613e0f739eb63fd5ed9e99934d54a38e56c558ab8d1a4f586a7c88d37a428 | SHA256 | Upins_tmp.exe (dropped by PhotoShow.jar)\r\nmn1[.]org | Domain | Party-001.jpg.lnk C\u0026C\r\nmx.i26[.]org | Domain | PhotoShow.jar C\u0026C\r\nET and ETPRO Suricata/Snort Signatures\r\n2827624 ETPRO TROJAN Possible APT.9002 Fileless Variant CnC Beacon 1\r\n2827625 ETPRO TROJAN Possible APT.9002 Fileless Variant CnC Beacon 2\r\n2827661 ETPRO TROJAN Possible APT.9002 Fake SSL CnC Beacon\r\nSource: 
https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures"
	],
	"report_names": [
		"operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures"
	],
	"threat_actors": [
		{
			"id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5",
			"created_at": "2022-10-25T15:50:23.269339Z",
			"updated_at": "2026-04-10T02:00:05.402835Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"APT17",
				"Deputy Dog"
			],
			"source_name": "MITRE:APT17",
			"tools": [
				"BLACKCOFFEE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "86fd71d3-06dc-4b73-b038-cedea7b83bac",
			"created_at": "2022-10-25T16:07:23.330793Z",
			"updated_at": "2026-04-10T02:00:04.545236Z",
			"deleted_at": null,
			"main_name": "APT 17",
			"aliases": [
				"APT 17",
				"ATK 2",
				"Beijing Group",
				"Bronze Keystone",
				"Deputy Dog",
				"Elderwood",
				"Elderwood Gang",
				"G0025",
				"G0066",
				"Operation Aurora",
				"Operation DeputyDog",
				"Operation Ephemeral Hydra",
				"Operation RAT Cook",
				"SIG22",
				"Sneaky Panda",
				"TEMP.Avengers",
				"TG-8153",
				"Tailgater Team"
			],
			"source_name": "ETDA:APT 17",
			"tools": [
				"9002 RAT",
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"Briba",
				"Chymine",
				"Comfoo",
				"Comfoo RAT",
				"Darkmoon",
				"DeputyDog",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Jumpall",
				"Kaba",
				"Korplug",
				"Linfo",
				"MCRAT.A",
				"McRAT",
				"MdmBot",
				"Mdmbot.E",
				"Moudour",
				"Mydoor",
				"Naid",
				"Nerex",
				"PCRat",
				"PNGRAT",
				"Pasam",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Naid",
				"Vasport",
				"Wiarp",
				"Xamtrav",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434610,
	"ts_updated_at": 1775792278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70f82800806b67d73627b023226dff9f80c54320.pdf",
		"text": "https://archive.orkl.eu/70f82800806b67d73627b023226dff9f80c54320.txt",
		"img": "https://archive.orkl.eu/70f82800806b67d73627b023226dff9f80c54320.jpg"
	}
}