{
	"id": "71b0b00a-0c6f-4b1d-8d33-8869be68ce84",
	"created_at": "2026-04-06T00:17:47.605942Z",
	"updated_at": "2026-04-10T03:30:25.855223Z",
	"deleted_at": null,
	"sha1_hash": "7171afce0beb2b9e75e4784e2cace436632f4033",
	"title": "Avast finds backdoor on US government commission network",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1650871,
	"plain_text": "Avast finds backdoor on US government commission network\r\nBy Threat Research Team\r\nArchived: 2026-04-05 17:39:35 UTC\r\nWe have found a new targeted attack against a small, lesser-known U.S. federal government commission associated with\r\ninternational rights. Despite repeated attempts through multiple channels over the course of months to make them aware of\r\nand resolve this issue, they would not engage.\r\nAfter initial communication directly to the affected organization, they would not respond, return communications or provide\r\nany information.\r\nThe attempts to resolve this issue included repeated direct follow-up outreach attempts to the organization. We also used\r\nother standard channels for reporting security issues directly to affected organizations and standard channels the United\r\nStates Government has in place to receive reports like this.\r\nIn these conversations and outreach we have received no follow-up or information on whether the issues we reported have\r\nbeen resolved, and no further information was shared with us.\r\nBecause of the lack of discernible action or response, we are now releasing our findings to the community so they can be\r\naware of this threat and take measures to protect their customers and the community. We are not naming the entity affected\r\nbeyond this description.\r\nBecause they would not engage with us, we have limited information about the attack. We are unable to attribute the attack,\r\nits impact, or duration. We are only able to describe two files we observed in the attack. In this blog, we are providing our\r\nanalysis of these two files.\r\nWhile we have no information on the impact of this attack or the actions taken by the attackers, based on our analysis of the\r\nfiles in question, we believe it’s reasonable to conclude that the attackers were able to intercept and possibly exfiltrate all\r\nlocal network traffic in this organization. 
This could include information exchanged with other US government agencies and\r\nother international governmental and nongovernmental organizations (NGOs) focused on international rights. We also have\r\nindications that the attackers could run code of their choosing in the operating system’s context on infected systems, giving\r\nthem complete control.\r\nTaken altogether, this attack could have given total visibility of the network and complete control of a system and thus could\r\nbe used as the first step in a multi-stage attack to penetrate this or other networks more deeply.\r\nOverview of the Two Files Found\r\nThe first file masquerades as oci.dll and abuses WinDivert, a legitimate packet-capturing utility, to listen to all internet\r\ncommunication. It allows the attacker to download and run any malicious code on the infected system. The main scope of\r\nthis downloader may be to use privileged local rights to overcome firewalls and network monitoring.\r\nThe second file also masquerades as oci.dll, replacing the first file at a later stage of the attack, and is a decryptor very\r\nsimilar to the one described by Trend Labs from Operation Red Signature. In the following text we present analysis of both of\r\nthese files, describe the internet protocol used and demonstrate the running of any code on an infected machine.\r\nFirst file – Downloader\r\nWe found this first file disguised as oci.dll (“C:\\Windows\\System32\\oci.dll”) (Oracle Call Interface). It contains a\r\ncompressed library (let us call it NTlib). This oci.dll exports only one function, DllRegisterService. This function\r\nchecks the MD5 of the hostname and stops if it doesn’t match the one it stores. This gives us two possibilities. 
Either the\r\nhttps://decoded.avast.io/threatintel/avast-finds-backdoor-on-us-government-commission-network/?utm_source=rss\u0026utm_medium=rss\u0026utm_campaign=avast-finds-backdoor-on-us-government-commission-network\r\nPage 1 of 5\n\nattacker knew the hostname of the targeted device in advance or the file was edited as part of the installation to run only on\r\nan infected machine to make dynamic analysis harder.\r\nWe found two samples of this file:\r\nOci.dll then decompresses and loads NTlib and waits for the attacker to send a PE file, which is then executed.\r\nNTlib works as a layer between oci.dll and WinDivert.\r\nThe documentation for WinDivert describes it as “a powerful user-mode capture/sniffing/modification/blocking/re-injection\r\npackage for Windows 7, Windows 8 and Windows 10. WinDivert can be used to implement user-mode packet filters, packet\r\nsniffers, firewalls, NAT, VPNs, tunneling applications, etc., without the need to write kernel-mode code.”\r\nNTlib creates a higher-level interface for TCP communication by using the low-level, IP-packet-oriented functions of\r\nWinDivert. NTlib checks if the input has the magic bytes 0x20160303 in a specific position of the structure given as\r\nthe first argument, as some sort of authentication.\r\nExported functions of NTlib are:\r\nNTAccept\r\nNTAcceptPWD\r\nNTSend\r\nNTReceive\r\nNTIsClosed\r\nNTClose\r\nNTGetSrcAddr\r\nNTGetDscAddr\r\nNTGetPwdPacket\r\nThe names of the exported functions are self-explanatory. The only interesting function is NTAcceptPWD, which gets an\r\nactivation secret as an argument and sniffs all the incoming TCP communication, searching for communication with that\r\nactivation secret. 
It means that the malware itself does not open any port of its own; it uses the ports opened by the system or\r\nother applications for its communication. The malicious communication is not reinjected into the Windows network stack,\r\ntherefore the application listening on that port does not receive it and doesn’t even know some traffic to its port is being\r\nintercepted.\r\nThe oci.dll uses NTlib to find communications with the activation secret CB 57 66 F7 43 6E 22 50 93 81 CA 60 5B\r\n98 68 5C 89 66 F1 6B. Once NTlib captures the activation secret, oci.dll responds with Locale (Windows GUID,\r\nOEM code page identifier and Thread Locale) and then waits for the encrypted PE file that exports SetNtApiFunctions. If\r\nthe PE file is correctly decrypted, decompressed and loaded, it calls the newly obtained function SetNtApiFunctions.\r\nThe Protocol\r\nAs we mentioned before, the communication starts with the attacker sending CB 57 66 F7 43 6E 22 50 93 81 CA 60 5B 98\r\n68 5C 89 66 F1 6B (the activation secret) over TCP to any open port of the infected machine.\r\nThe response of the infected machine:\r\nSize of the message – 24 (value: 28) [4 B]\r\nRandom encryption key 1 [4 B]\r\nEncrypted with Random encryption key 1 and precomputed key:\r\n0 [4 B]\r\nThreadLocale [4 B]\r\nOEMCP or 0 [4 B]\r\n0x20160814 (to test correctness of decryption) [4 B]\r\n0,2,0,64,0,0,0 [each 4 B]\r\nThe encryption is an XOR cipher with a precomputed 256 B key:\r\n5C434846474C3F284EB64A4343433B4031E546C049584747454956FE4C51B369595AA5DB6DA082696E6C6D72654E74DC706969696166570B6CE66F7E6D6D6B6F7C247277\r\nwhich is XORed with another 4 B key.\r\nAfter sending the above message the infected machine awaits a following message with the encrypted PE file mentioned\r\nabove:\r\nSize of the message – 24 [4 B]\r\nRandom Encryption key 2 [4 B]\r\nEncrypted with Random encryption key 2 and precomputed key:\r\n6 (LZO level?) 
[4 B]\r\n0 [8 B]\r\n0x20160814 [4 B]\r\n0x20160814 [4 B]\r\nSize of the whole message [4 B]\r\nOffset (0) [4 B]\r\nLength (Size of the whole message) [4 B]\r\nEncrypted with key 0x1415CCE and precomputed key:\r\n0 [16 B]\r\nLength of decompressed PE file [4 B]\r\n0 [16 B]\r\nLength of decompressed PE file [4 B]\r\n0 [16 B]\r\nLZO level 6 compressed PE file\r\nWith the same encryption as the previous message.\r\nIn our research we were unable to obtain the PE file that is part of this attack. In our analysis, we demonstrated the code\r\nexecution capabilities by using a library with the following function:\r\nIn a controlled lab setting, we were able to start the calculator on an infected machine over the network with the following\r\nPython script (link to GitHub).\r\nSecond File – Decryptor\r\nThe second file we found also masquerades as oci.dll. This file replaced the first downloader oci.dll and likely\r\nrepresents another, later stage of the same attack. The purpose of this file is to decrypt and run in memory the file\r\n“SecurityHealthServer.dll”.\r\nSHA256: 6C6B40A0B03011EEF925B5EB2725E0717CA04738A302935EAA6882A240C2229A\r\nWe found that this file is similar to the rcview40u.dll that was involved in Operation Red Signature. rcview40u.dll\r\n(bcfacc1ad5686aee3a9d8940e46d32af62f8e1cd1631653795778736b67b6d6e) was signed by a stolen certificate and\r\ndistributed to specific targets from a hacked update server. It decrypted a file named rcview40.log, which contained 9002\r\nRAT, and executed it in memory.\r\nThis oci.dll exports the same functions as rcview40u.dll:\r\nThe new oci.dll decrypts SecurityHealthServer.dll with RC4 and uses the string TSMSISRV.dll as the encryption\r\nkey. 
This is similar to what we’ve seen with rcview40u.dll, which also uses RC4 to decrypt rcview.log with the string\r\nkernel32.dll as the encryption key.\r\nBecause of the similarities between this oci.dll and rcview40u.dll, we believe it is likely that the attacker had access to\r\nthe source code of the three-year-old rcview40u.dll. The newer oci.dll has minor changes like starting the decrypted\r\nfile in a new thread instead of in a function call, which is what rcview40u.dll does. oci.dll was also compiled for the x86-64\r\narchitecture, while rcview40u.dll was only compiled for x86.\r\nConclusion\r\nWhile we only have parts of the attack puzzle, we can see that the attackers against these systems were able to compromise\r\nsystems on the network in a way that enabled them to run code as the operating system and capture any network traffic\r\ntravelling to and from the infected system.\r\nWe also see evidence that this attack was carried out in at least two stages, as shown by the two different versions of oci.dll\r\nwe found and analyzed.\r\nThe second version of the oci.dll shows several markers in common with rcview40u.dll, which was used in Operation Red\r\nSignature, so we believe these attackers had access to the source code of the malware used in that attack.\r\nBecause the affected organization would not engage, we do not have any more factual information about this attack. It is\r\nreasonable to presume that some form of data gathering and exfiltration of network traffic happened, but that is informed\r\nspeculation. Further, because this could have given total visibility of the network and complete control of an infected system,\r\nit is further reasonable speculation that this could be the first step in a multi-stage attack to penetrate this or other networks\r\nmore deeply in a classic APT-type operation.\r\nThat said, we have no way to know for sure the size and scope of this attack beyond what we’ve seen. 
The lack of\r\nresponsiveness is unprecedented and cause for concern. Other government and non-government agencies focused on\r\ninternational rights should use the IoCs we are providing to check their networks to see if they may be impacted by this\r\nattack as well.\r\nA group of elite researchers who like to stay under the radar.\r\nSource: https://decoded.avast.io/threatintel/avast-finds-backdoor-on-us-government-commission-network/?utm_source=rss\u0026utm_medium=rss\u0026utm_campaign=avast-finds-backdoor-on-us-government-commission-network",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://decoded.avast.io/threatintel/avast-finds-backdoor-on-us-government-commission-network/?utm_source=rss\u0026utm_medium=rss\u0026utm_campaign=avast-finds-backdoor-on-us-government-commission-network"
	],
	"report_names": [
		"?utm_source=rss\u0026utm_medium=rss\u0026utm_campaign=avast-finds-backdoor-on-us-government-commission-network"
	],
	"threat_actors": [
		{
			"id": "8860d9ac-afa8-454d-9d86-926aa8dd5019",
			"created_at": "2024-02-08T02:00:04.313581Z",
			"updated_at": "2026-04-10T02:00:03.582422Z",
			"deleted_at": null,
			"main_name": "Operation Red Signature",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Red Signature",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "446025dc-d003-448e-a5ea-43ce24bc883d",
			"created_at": "2022-10-25T16:07:23.997281Z",
			"updated_at": "2026-04-10T02:00:04.827365Z",
			"deleted_at": null,
			"main_name": "Operation Red Signature",
			"aliases": [],
			"source_name": "ETDA:Operation Red Signature",
			"tools": [
				"9002 RAT",
				"HOMEUNIX",
				"HidraQ",
				"Homux",
				"Hydraq",
				"McRAT",
				"MdmBot",
				"Roarur"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434667,
	"ts_updated_at": 1775791825,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7171afce0beb2b9e75e4784e2cace436632f4033.pdf",
		"text": "https://archive.orkl.eu/7171afce0beb2b9e75e4784e2cace436632f4033.txt",
		"img": "https://archive.orkl.eu/7171afce0beb2b9e75e4784e2cace436632f4033.jpg"
	}
}