{
	"id": "dfce69c0-e2c7-445c-bbbb-f700ec869f28",
	"created_at": "2026-04-06T00:12:50.194844Z",
	"updated_at": "2026-04-10T03:36:14.0363Z",
	"deleted_at": null,
	"sha1_hash": "72db5d425bfd1e72a729aeacc59f7d6dd89eeeb9",
	"title": "Uncovering an undetected KeyPlug implant attacking industries in Italy   - Yoroi",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3231834,
	"plain_text": "Uncovering an undetected KeyPlug implant attacking industries in Italy \r\n- Yoroi\r\nPublished: 2024-05-21 · Archived: 2026-04-05 18:59:20 UTC\r\nThe Wayback Machine - https://web.archive.org/web/20240523105313/https://yoroi.company/en/research/uncovering-an-undetected-keyplug-implant-attacking-industries-in-italy/\r\n05/21/2024\r\nIntroduction \r\nAPT41, known by numerous aliases such as Amoeba, BARIUM, BRONZE ATLAS, BRONZE EXPORT, Blackfly, Brass\r\nTyphoon, Earth Baku, G0044, G0096, Grayfly, HOODOO, LEAD, Red Kelpie, TA415, WICKED PANDA, and WICKED\r\nSPIDER, is a Chinese-origin cyber threat group recognized for its extensive cyber espionage and cybercrime campaigns. \r\nAPT41's operations stand out due to their complexity and versatility, reflecting a high level of expertise and resources,\r\npossibly indicating support or connections with state entities. The group targets a wide array of sectors including\r\ngovernment, manufacturing, technology, media, education, and gaming, with the intent of stealing intellectual property,\r\nsensitive data, and compromising systems for strategic or economic gain. \r\nThe group's tactics, techniques, and procedures (TTPs) include the deployment of malware, phishing, exploitation of zero-day software vulnerabilities, and supply chain attacks. Their activities pose a global threat, necessitating constant vigilance\r\nfrom cybersecurity professionals to mitigate associated risks. \r\nNotably, during a prolonged and in-depth investigation, Tinexta Cyber’s own Yoroi malware ZLab team isolated the\r\ninfamous modular backdoor malware, KEYPLUG. Written in C++ and active since at least June 2021, KEYPLUG has\r\nvariants for both Windows and Linux platforms. It supports multiple network protocols for command and control (C2)\r\ntraffic, including HTTP, TCP, KCP over UDP, and WSS, making it a potent tool in APT41's cyber-attack arsenal. 
\r\nThis specific implant has been identified in both its Linux and Windows variants, each with its own custom configuration and C2 communication protocol, WSS, which is examined in depth in the following sections. \r\nTechnical Analysis \r\nWindows implant \r\nThe first analyzed sample is the implant retrieved from a Windows machine. It is written in the .NET Framework and is designed to decrypt the file \"C:\\ProgramData\\pfm.ico\".  \r\nSHA256  87756cb5e33f7fb7c2229eb094f1208dbd510c9716b4428bfaf2dc84745b1542\r\nThreat  .NET Loader \r\nhttps://web.archive.org/web/20240523105313/https://yoroi.company/en/research/uncovering-an-undetected-keyplug-implant-attacking-industries-in-italy/\r\nPage 1 of 12\n\nThreat Description  Simple .NET Loader which decrypts and executes shellcode leading to the final KeyPlug payload \r\nSSDEEP  192:+3c5NTgL6xvKDgtRy5TZYxALUsLh4LSOK7kJ9POxLVLSE7pZ6A5U1A:+3cfvCMjcTZEAL9LOLSngJ5sLVL9NQUl \r\nThe decryption process uses the AES algorithm, with the keys hard-coded in the sample itself, as shown in the following code snippet: \r\nFigure 1: Seeking the pfm.ico file and decrypting it \r\nAfter decrypting the file content, the malware allocates memory for the decrypted result, a shellcode, with the VirtualAlloc API call. VirtualAlloc reserves or commits a region of pages in the virtual address space of the calling process; here it is used to allocate memory for the decrypted payload. Once the memory is allocated, the malware immediately changes its protection to make it executable with the VirtualProtect API call. 
VirtualProtect changes the protection on a region of committed pages in the virtual address space of the calling process. In this context, it ensures that the decrypted payload can be executed by the system. \r\nFigure 2: Decrypted and loaded shellcode in memory \r\nThe shellcode resolves its APIs dynamically using a custom hashing algorithm, which is explained further below. Among these APIs, VirtualAlloc is resolved once more to allocate another region of memory into which the final KeyPlug implant is decrypted and loaded. \r\nFigure 3: Evidence of the additional memory region allocated to store the KeyPlug payload \r\nWhen the decoding operations end, the malware passes control to the KeyPlug implant. The sample starts by retrieving the hostname and hashing the string three times with another custom algorithm; the result is used as a mutex name. It serves as a unique identifier for the infected machine and is shared with the command and control server. \r\nFigure 4: Generation of a new mutex \r\nThe malware then enables the SeDebugPrivilege token. SeDebugPrivilege is a powerful privilege that allows a process to debug and interact with other processes, including those it did not create. It can be used to access and manipulate system-level processes and is typically reserved for administrators. In this case the malware uses it to manipulate pieces of its own code in order to extract its configuration. 
\r\nFigure 5: Manipulating SeDebugPrivilege \r\nThe new payload, with SHA256 hash 399bf858d435e26b1487fe5554ff10d85191d81c7ac004d4d9e268c9e042f7bf, appears to be a version of KeyPlug compiled for Windows. Attribution was made by comparing the behavior and structure of the malware under examination with Mandiant's report \"Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments.\" Additionally, the configuration described in the file appendix matches that described by Mandiant. Configuration decryption is performed using the XOR key 0x59. Part of the configuration decoding is shown in Figure 6. \r\nFigure 6: Decrypting the malware configuration \r\nAfter decrypting the configuration, the malware collects reconnaissance information, such as the operating system version and the installed anti-malware products, through WMIC (Windows Management Instrumentation Command-line) calls. \r\nFigure 7: Choosing the communication protocol based on the information retrieved from the configuration \r\nThe KeyPlug implant then communicates with the C2 (Command and Control) server by abusing Cloudflare's Content Delivery Network (CDN) over the WSS (WebSocket Secure) protocol. The XOR-encoded configuration contains the information needed to reach the C2: after decoding it, KEYPLUG randomly selects a CIDR block from the list and then selects an IP address within that block based on the infected computer's tick count. 
Once one of the randomly chosen IPs belonging to Cloudflare's CDN, and present in the subnets listed in the configuration, is selected, the KEYPLUG malware establishes communication with the C2 through a socket API call. KeyPlug is, however, also capable of using TCP, UDP, WSS, HTTP and QUIC, and overall it is an interesting backdoor, as its logging strings show (Appendix A). \r\nLinux Variant \r\nSHA256  a6aabc68245dde1eda2093c6ef4b75b75f99d0572c59d430de9cef527dc037cb \r\nThreat  KeyPlug \r\nThreat Description  KeyPlug Linux Variant \r\nSSDEEP  98304:iH/3LJD43UewSERenGaEB9bhUQQxBdKGTYu9DUoi:ydDoUe7GeUB9buJBdJTYzp \r\nCompared to the Windows variant, it is slightly more complex, and it seems to use VMProtect. In fact, static analysis surfaced many strings related to the UPX packer, but the automated unpacking routine did not work. However, other advanced analysis strategies revealed a series of interesting similarities between the Windows and Linux variants. \r\nFigure 8: Comparing the code between the Windows and Linux variants \r\nIn this case the C2 is mirrors.directtimber.]buzz, and here too the communication is performed by abusing the WSS protocol. \r\nFigure 9: Connection to the C2 through the WSS protocol \r\nPivoting the analysis and the connection with the ISOON leak \r\nThe threat hunting investigation revealed other interesting information regarding the complex infrastructure built by APT41 and the development of this malware campaign. On February 16, a significant amount of sensitive data regarding the Chinese Ministry of Public Security was exposed. This information was subsequently shared on platforms such as GitHub and Twitter, causing considerable discussion and interest within the cybersecurity community. 
The event attracted immediate attention from a range of private organizations and researchers, who were keen to explore the implications of the leak and its potential impact on cybersecurity practices and policies. The massive data leak that appeared on GitHub seems to come from a data breach of a private contractor of the Chinese Ministry of Public Security (MPS) known as i-Soon (also called Anxun). The published data contains a plethora of chats, user manuals, official government plans, projects, phone numbers and employee PII.  \r\nThe actor responsible for the compiled leak has organized the data into distinct sections.  \r\nData from links 0-1 discusses how “Anxun deceived the national security agency.”  \r\nThe subsequent set of data, links 2 to 10, comprises employee complaints. \r\nLinks 11-13 contain information regarding Anxun’s financial problems. \r\nLink 14 is dedicated to chat records between Anxun’s top boss Wu Haibo and his second boss Chen Cheng. \r\nLinks 15-20 focus on “Anxun low-quality products”. \r\nLinks 21-38 reveal information about Anxun’s products. \r\nLinks 39 to 60 discuss Anxun’s infiltration into overseas government departments, including those of India, Thailand, Vietnam, South Korea, NATO, and others. \r\nThe last set of links, 61 to 65, contains data related to Anxun employee information. \r\nThe entire folder contains over five hundred files, most of them images of private messages or conversations. It is also possible to identify several documents regarding the different technologies and software offered by I-S00N.  \r\nWhen analyzing this report, one particular RAT brings to mind what we dub KeyPlug: Hector. 
“Hector” targets both Linux and Windows machines and is known to use the WSS protocol to communicate with the C2. \r\nFigure 10: Leaked image of the Hector backdoor \r\nRecorded Future also hypothesized that a link between the KEYPLUG malware and the leaked Hector could exist; in this case, however, the confidence is medium-low due to the lack of direct evidence of the link. If this connection could be verified, the resulting infrastructure for this campaign is: \r\nFigure 11: Tracking the KEYPLUG malware campaign with the connection to ISOON \r\nCustom API Hashing \r\nAs mentioned earlier, KeyPlug uses a custom algorithm to hash the names of the APIs it loads dynamically in the first part of the shellcode. Searching for 0x3b7225fc (the hash of LoadLibraryA) turned up only a 2016 report by NetScout about Nuclear Bot (TinyNuke). \r\nFigure 12: API hashing algorithm (source: NetScout) \r\nConclusion \r\nIn conclusion, the analysis underscores the sophisticated nature of APT41's operations, with the added fact that the implant just described was able to persist for several months inside the infected network. Moreover, it remained undetected even in environments where different NIDS and EDR solutions were installed.  \r\nIt is also plausible to hypothesize a connection between APT41 and the ISOON leak incident. The sophisticated techniques and target sectors align with the modus operandi of APT41, suggesting a potential link to this cyber espionage campaign. Further investigation into the ISOON leak, particularly regarding the tools and methods used, may provide insights into the involvement of APT41 or related entities. 
\r\nIndicators of Compromise \r\n0b28025eba906e6176bcd2be58e647beebc92680d1c8e9507662a245bab61803 (KeyPlug RetroHunt) \r\nHTTPS://45.204.1.]248:55589|HTTPS://45.204.1.]248:55589|5|5|1 \r\n1408a28599ab76b7b50d5df1ed857c4365e3e4eb1a180f126efe4b8a5a597bc6 (KeyPlug RetroHunt) \r\nQUIC://67.43.234.]146:443|0|360|/index.html|0|127.0.0.1 \r\n2345c426c584ec12f7a2106a52ce8ac4aeb144476d1a4e4b78c10addfddef920 (KeyPlug RetroHunt) \r\nWSS://chrome.down-flash.]com:443|0|300|/index.html|1|chrome.down-flash.]com:443 \r\n2c28a59408ee8322bc6522734965db8261c196bf563c28dd61d5b65f7fd9a927 (DarkLoadLibrary) \r\n399bf858d435e26b1487fe5554ff10d85191d81c7ac004d4d9e268c9e042f7bf (KeyPlug Windows Sample) \r\nWSS://104.16.85.]0/24;104.17.92].0/24;172.65.236.]0/24;172.67.27.]0/24:443|0|3600|/comments|corsapi.devlopsform.]com|corsapi.devlopsform.]c\r\n4496fb2e42bb8734d4d5c6c40fa6e5f7afa00233ffa1c9e4b00e1ef4fd7849ad (KeyPlug Shellcode) \r\n5921d1686f9f4b6d26ac353cfce3e85e57906311a80806903c9b40f85429b225 (KeyPlug RetroHunt) \r\nHTTPS://43.229.155.]38:8443|HTTPS://43.229.155.]38:8443|1200|5|1|cdn.google-au.]ga:8443 \r\n619c185406e6272ba8ac70ad4c6ff2174e5470011c5737c6c2198cd69d86ec95 (DarkLoadLibrary) \r\n7248217c106dfa048a9e5593cba257fd5189877c490f7d365156e55880c5ddca (Shellcode Encrypted - pfm.ico) \r\n83ef976a3c3ca9fcd438eabc9b935ca5d46a3fb00e2276ce4061908339de43ec (KeyPlug RetroHunt) \r\nUDP://fonts.google-au.]ga:53|0|1200|/index.html|1|127.0.0.1:53 \r\n87756cb5e33f7fb7c2229eb094f1208dbd510c9716b4428bfaf2dc84745b1542 (.NET Shellcode Loader) \r\n9d467226a59d8f85a66b2a162f84120811d437a40eb6a7c60fad546500094ab7 (KeyPlug RetroHunt) \r\nWSS://104.21.82.]192:443|WSS://104.21.82.]192:443|1200|5|1|cdn.google-au.]ga:443 \r\na6aabc68245dde1eda2093c6ef4b75b75f99d0572c59d430de9cef527dc037cb (KeyPlug Linux Sample) 
\r\nWSS://172.67.249.]0/24;104.20.63.]0/24;104.18.58.]0/24;104.17.16.]0/24:443|WSS://172.67.249.]0/24;104.20.63.]0/24;104.18.58.]0/24;104.17.16\r\nda606c49044ca3055028011f8e384f7ede569d337e08c191e723c9798f0610d9 (KeyPlug RetroHunt) \r\nTCP://8.210.71.]245:443|0|360|/index.html|0|127.0.0.1 \r\ndb7f4aa246bd17971e75d7b79f506b3c87f9f2a42a3b5dadd56dd848ac34a9c7 (KeyPlug RetroHunt) \r\nHTTPS://127.0.0.1:443|HTTPS://127.0.0.1:443|1200|5|1 \r\ne94bcaf0d01fcd2f76f1c08575c3ec6315508cdbf72684a180c6992c68b10cc3 (DarkLoadLibrary) \r\nf08e669b6caf8414b2da8e2a0fea18f79b154d274aa4835cffdfa592844da239 (KeyPlug RetroHunt) \r\nHTTPS://127.0.0.1:443|HTTPS://127.0.0.1:443|1200|5|1 \r\nYara Rules \r\nrule keyplug_shellcode { meta: author = \"Yoroi Malware ZLab\"       description = \"Rule for KeyPlug Shellcode\" last_updated = \"2024-03-19\" tlp\r\nrdi 41 56                   push    r14 48 8D 6C 24 80          lea     rbp, [rsp-80h] 48 81 EC 80 01 00 00    sub     rsp, 180h E8 A1 08 00 00          call    s\r\nrax 48 8B CF                mov     rcx, rdi E8 B3 07 00 00          call    sub_7F4 BA 59 3D 78 5E          mov     edx, 5E783D59h 48 89 44 24 20         \r\n07 00 00          call    sub_7F4 BA 5B 7B C3 0A          mov     edx, 0AC37B5Bh 48 89 44 24 40          mov     qword ptr [rsp+190h+var_150], rax \r\n00          call    sub_7F4 48 89 44 24 48          mov     qword ptr [rsp+190h+var_150+8], rax */ $1 = { 4? 89 5c ?4 10 4? 89 74 ?4 18 55 57 4? 56 4\r\n44 ?4 40 4? 8b cf e8 ?? ?? ?? ?? ba ?? ?? ?? ?? 4? 89 44 ?4 30 4? 8b cf 4? 8b d8 e8 ?? ?? ?? ?? 4? 
89 44 ?4 48  } condition: $1 } \r\nrule keyplug_windows { meta: author = \"Yoroi Malware ZLab\"       description = \"Rule for KeyPlug Windows\" last_updated = \"2024-03-20\" tlp\r\n\"informational\" strings:  /*  23c6b417ddaf5fbd00d204543b5b981e7f5967c5123d511ef5654c4d409aee0f 00a366e51c88a41a204e4b2267991460c\r\n83 EC 28                             sub     rsp, 28h  48 8B C1                                mov     rax, rcx  41 8B 09                                mov     ecx, [r9]       ; s  44\r\ncs:WSAGetLastError  8B C8                                   mov     ecx, eax  3D 33 27 00 00                          cmp     eax, 2733h  74 42                                \r\nFF                          mov     eax, 0FFFFFFFDh  48 83 C4 28                             add     rsp, 28h  C3                                      retn  ; -----------------------\r\n0FFFFFFFCh  48 83 C4 28                             add     rsp, 28h  C3                                      retn  ; -------------------------------------------------------------\r\n44 C2                                cmovz   eax, edx  48 83 C4 28                             add     rsp, 28h  C3                                      retn /*  $1 = {4? 83 ec 28 4?\r\n8b 88 f8 02 00 00 ff 15 ?? ?? ?? ?? 85 c0 79 ?? ff 15 ?? ?? ?? ?? 8b c8 3d 33 27 00 00 74 ?? 3d 4c 27 00 00 74 ?? 3d 46 27 00 00 75 ?? 
b8 fd ff ff\r\n66 89 47} condition: any of them and uint16(0) == 0x5A4D } \r\nSuricata Rules \r\nAppendix A: Logging Strings \r\n[ lib] Initialized, PartitionCount=%1 DatapathFeatures=%2\\r\\n \r\n[ lib] Uninitialized\\r\\n \r\n[ lib] AddRef\\r\\n \r\n[ lib] Release\\r\\n \r\n[ lib] Shared server state initializing\\r\\n \r\n[ lib] Rundown, PartitionCount=%1 DatapathFeatures=%2\\r\\n \r\n[ lib] ERROR, %1.\\r\\n \r\n[ lib] ERROR, %1, %2.\\r\\n \r\n[ lib] ASSERT, %2:%1 - %3.\\r\\n \r\n[ api] Enter %1 (%2).\\r\\n \r\n[ api] Exit\\r\\n \r\n[ api] Exit %1\\r\\n \r\n[ api] Waiting on operation\\r\\n \r\n[ lib] Perf counters Rundown\\r\\n \r\n[ lib] New SendRetryEnabled state, %1\\r\\n \r\n[ lib] Version %1.%2.%3.%4\\r\\n \r\n[ api] Error %1\\r\\n \r\n[ reg][%1] Created, AppName=%2\\r\\n \r\n[ reg][%1] Destroyed\\r\\n \r\n[ reg][%1] Cleaning up\\r\\n \r\n[ reg][%1] Rundown, AppName=%2\\r\\n \r\n[ reg][%1] ERROR, %2.\\r\\n \r\n[ reg][%1] ERROR, %2, %3.\\r\\n \r\n[ reg][%1] Shutting down connections, Flags=%2, ErrorCode=%3\\r\\n \r\n[wrkr][%1] Created, IdealProc=%2 Owner=%3\\r\\n \r\n[wrkr][%1] Start\\r\\n \r\n[wrkr][%1] Stop\\r\\n \r\n[wrkr][%1] IsActive = %2, Arg = %3\\r\\n \r\n[wrkr][%1] QueueDelay = %2\\r\\n \r\n[wrkr][%1] Destroyed\\r\\n \r\n[wrkr][%1] Cleaning up\\r\\n \r\n[wrkr][%1] ERROR, %2.\\r\\n \r\n[wrkr][%1] ERROR, %2, %3.\\r\\n \r\n[cnfg][%1] Created, Registration=%2\\r\\n \r\n[cnfg][%1] Destroyed\\r\\n \r\n[cnfg][%1] Cleaning up\\r\\n \r\n[cnfg][%1] Rundown, Registration=%2\\r\\n \r\n[cnfg][%1] ERROR, %2.\\r\\n \r\n[cnfg][%1] ERROR, %2, %3.\\r\\n \r\n[list][%1] Created, Registration=%2\\r\\n \r\n[list][%1] Destroyed\\r\\n \r\n[list][%1] Started, Binding=%2, LocalAddr=%4, ALPN=%6\\r\\n \r\n[list][%1] Stopped\\r\\n \r\n[list][%1] Rundown, Registration=%2\\r\\n \r\n[list][%1] ERROR, %2.\\r\\n 
\r\n[list][%1] ERROR, %2, %3.\\r\\n \r\n[conn][%1] Created, IsServer=%2, CorrelationId=%3\\r\\n \r\n[conn][%1] Destroyed\\r\\n \r\n[conn][%1] Handshake complete\\r\\n \r\n[conn][%1] Scheduling: %2\\r\\n \r\n[conn][%1] Execute: %2\\r\\n \r\n[conn][%1] New Local IP: %3\\r\\n \r\n[conn][%1] New Remote IP: %3\\r\\n \r\n[conn][%1] Removed Local IP: %3\\r\\n \r\n[conn][%1] Removed Remote IP: %3\\r\\n \r\n[conn][%1] Assigned worker: %2\\r\\n \r\n[conn][%1] Handshake start\\r\\n \r\n[conn][%1] Registered with %2\\r\\n \r\n[conn][%1] Unregistered from %2\\r\\n \r\n[conn][%1] Transport Shutdown: %2 (Remote=%3) (QS=%4)\\r\\n \r\n[conn][%1] App Shutdown: %2 (Remote=%3)\\r\\n \r\n[conn][%1] Initialize complete\\r\\n \r\n[conn][%1] Handle closed\\r\\n \r\n[conn][%1] QUIC Version: %2\\r\\n \r\n[conn][%1] OUT: BytesSent=%2 InFlight=%3 InFlightMax=%4 CWnd=%5 SSThresh=%6 ConnFC=%7 ISB=%8\r\nPostedBytes=%9 SRtt=%10\\r\\n \r\n[conn][%1] Send Blocked Flags: %2\\r\\n \r\n[conn][%1] IN: BytesRecv=%2\\r\\n \r\n[conn][%1] CUBIC: SlowStartThreshold=%2 K=%3 WindowMax=%4 WindowLastMax=%5\\r\\n \r\n[conn][%1] Congestion event\\r\\n \r\n[conn][%1] Persistent congestion event\\r\\n \r\n[conn][%1] Recovery complete\\r\\n \r\n[conn][%1] Rundown, IsServer=%2, CorrelationId=%3\\r\\n \r\n[conn][%1] (SeqNum=%2) New Source CID: %4\\r\\n \r\n[conn][%1] (SeqNum=%2) New Destination CID: %4\\r\\n \r\n[conn][%1] (SeqNum=%2) Removed Source CID: %4\\r\\n \r\n[conn][%1] (SeqNum=%2) Removed Destination CID: %4\\r\\n \r\n[conn][%1] Setting loss detection %2 timer for %3 us. 
(ProbeCount=%4)\\r\\n \r\n[conn][%1] Cancelling loss detection timer.\\r\\n \r\n[conn][%1] DROP packet Dst=%3 Src=%5 Reason=%6.\\r\\n \r\n[conn][%1] DROP packet Dst=%4 Src=%6 Reason=%7, %2.\\r\\n \r\n[conn][%1] ERROR, %2.\\r\\n \r\n[conn][%1] ERROR, %2, %3.\\r\\n \r\n[conn][%1] New packet keys created successfully.\\r\\n \r\n[conn][%1] Key phase change (locally initiated=%2).\\r\\n \r\n[conn][%1] STATS: SRtt=%2 CongestionCount=%3 PersistentCongestionCount=%4 SendTotalBytes=%5 RecvTotalBytes=%6\\r\\n \r\n[conn][%1] Shutdown complete, PeerFailedToAcknowledged=%2.\\r\\n \r\n[conn][%1] Read Key Updated, %2.\\r\\n \r\n[conn][%1] Write Key Updated, %2.\\r\\n \r\n[conn][%1][TX][%2] %3 (%4 bytes)\\r\\n \r\n[conn][%1][RX][%2] %3 (%4 bytes)\\r\\n \r\n[conn][%1][TX][%2] %3 Lost: %4\\r\\n \r\n[conn][%1][TX][%2] %3 ACKed\\r\\n \r\n[conn][%1] %2\\r\\n \r\n[conn][%1] Queueing send flush, reason=%2\\r\\n \r\n[conn][%1] OUT: StreamFC=%2 StreamSendWindow=%3\\r\\n \r\n[conn][%1] STATS: SendTotalPackets=%2 SendSuspectedLostPackets=%3 SendSpuriousLostPackets=%4 RecvTotalPackets=%5 RecvReorderedPackets=%6 RecvDroppedPackets=%7 RecvDuplicatePackets=%8 RecvDecryptionFailures=%9\\r\\n \r\n[conn][%1] Server app accepted resumption ticket\\r\\n \r\n[conn][%1] VerInfo Other Versions List: %3\\r\\n \r\n[conn][%1] Client VI Received Version List: %3\\r\\n \r\n[conn][%1] Server VI Supported Version List: %3\\r\\n \r\n[conn][%1] Spurious congestion event\\r\\n \r\n[conn][%1] No Listener for IP address: %3\\r\\n \r\n[conn][%1] No listener matching ALPN: %3\\r\\n \r\n[conn][%1] Flushing Send. 
Allowance=%2 bytes\\r\\n \r\n[conn][%1] Setting %2, delay=%3 us\\r\\n \r\n[conn][%1] Canceling %2\\r\\n \r\n[conn][%1] %2 expired\\r\\n \r\n[strm][%1] Created, Conn=%2 ID=%3 IsLocal=%4\\r\\n \r\n[strm][%1] Destroyed\\r\\n \r\n[strm][%1] Send Blocked Flags: %2\\r\\n \r\n[strm][%1] Rundown, Conn=%2 ID=%3 IsLocal=%4\\r\\n \r\n[strm][%1] Send State: %2\\r\\n \r\n[strm][%1] Recv State: %2\\r\\n \r\n[strm][%1] ERROR, %2.\\r\\n \r\n[strm][%1] ERROR, %2, %3.\\r\\n \r\n[strm][%1] %2\\r\\n \r\n[strm][%1] Allocated, Conn=%2\\r\\n \r\n[strm][%1] Writing frames to packet %2\\r\\n \r\n[strm][%1] Processing frame in packet %2\\r\\n \r\n[strm][%1] Indicating QUIC_STREAM_EVENT_RECEIVE [%2 bytes, %3 buffers, %4 flags]\\r\\n \r\n[strm][%1] Receive complete [%2 bytes]\\r\\n \r\n[strm][%1] App queuing send [%2 bytes, %3 buffers, %4 flags]\\r\\n \r\n[bind][%1] Created, Udp=%2 LocalAddr=%4 RemoteAddr=%6\\r\\n \r\n[bind][%1] Rundown, Udp=%2 LocalAddr=%4 RemoteAddr=%6\\r\\n \r\n[bind][%1] Destroyed\\r\\n \r\n[bind][%1] Cleaning up\\r\\n \r\n[bind][%1] DROP packet Dst=%3 Src=%5 Reason=%6.\\r\\n \r\n[bind][%1] DROP packet Dst=%4 Src=%6 Reason=%7, %2.\\r\\n \r\n[bind][%1] ERROR, %2.\\r\\n \r\n[bind][%1] ERROR, %2, %3.\\r\\n \r\n[bind][%1] Execute: %2\\r\\n \r\n[ tls][%1] ERROR, %2.\\r\\n \r\n[ tls][%1] ERROR, %2, %3.\\r\\n \r\n[ tls][%1] %2\\r\\n \r\n[data][%1] Send %2 bytes in %3 buffers (segment=%4) Dst=%6 Src=%8\\r\\n \r\n[data][%1] Recv %2 bytes (segment=%3) Src=%5 Dst=%7\\r\\n \r\n[data][%1] ERROR, %2.\\r\\n \r\n[data][%1] ERROR, %2, %3.\\r\\n \r\n[data][%1] Created, local=%3, remote=%5\\r\\n \r\n[data][%1] Destroyed\\r\\n \r\n[pack][%1] Created in batch %2\\r\\n \r\n[pack][%1] Encrypting\\r\\n \r\n[pack][%1] Finalizing\\r\\n \r\n[pack][%1] Batch sent\\r\\n \r\n[pack][%1] Received\\r\\n \r\n[pack][%1] Decrypting\\r\\n \r\nThis blogpost has been authored by Luigi Martire and Carmelo Ragusa\r\nSource: https://web.archive.org/web/20240523105313/https://yoroi.company/en/research/uncovering-an-undetected-keyplug-implant-attacking-industries-in-italy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://web.archive.org/web/20240523105313/https://yoroi.company/en/research/uncovering-an-undetected-keyplug-implant-attacking-industries-in-italy/"
	],
	"report_names": [
		"uncovering-an-undetected-keyplug-implant-attacking-industries-in-italy"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "273a41a8-5115-4f55-865f-0960a765f18c",
			"created_at": "2022-10-25T16:07:24.397947Z",
			"updated_at": "2026-04-10T02:00:04.974605Z",
			"deleted_at": null,
			"main_name": "Wicked Spider",
			"aliases": [
				"APT 22",
				"Bronze Export",
				"Bronze Olive",
				"Wicked Spider"
			],
			"source_name": "ETDA:Wicked Spider",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EternalBlue",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "00e7a6ed-1880-4391-b0b9-1f46fae0e5cc",
			"created_at": "2025-08-07T02:03:24.591024Z",
			"updated_at": "2026-04-10T02:00:03.717645Z",
			"deleted_at": null,
			"main_name": "BRONZE EXPORT",
			"aliases": [
				"TG-3279 ",
				"Wicked Spider "
			],
			"source_name": "Secureworks:BRONZE EXPORT",
			"tools": [
				"Conpee",
				"PlugX",
				"PwDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434370,
	"ts_updated_at": 1775792174,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/72db5d425bfd1e72a729aeacc59f7d6dd89eeeb9.pdf",
		"text": "https://archive.orkl.eu/72db5d425bfd1e72a729aeacc59f7d6dd89eeeb9.txt",
		"img": "https://archive.orkl.eu/72db5d425bfd1e72a729aeacc59f7d6dd89eeeb9.jpg"
	}
}