{
	"id": "40479719-ba96-43c2-9bb5-04640b63801a",
	"created_at": "2026-04-10T03:22:07.066256Z",
	"updated_at": "2026-04-10T13:11:32.004505Z",
	"deleted_at": null,
	"sha1_hash": "7316798a8a2561b7d312c9ca8de4c58b335df047",
	"title": "奇安信威胁情报中心",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2357246,
	"plain_text": "QiAnXin Threat Intelligence Center\r\nArchived: 2026-04-10 03:12:31 UTC\r\nOverview\r\nAPT groups often host malicious code in uncommon file types to increase the chance of evading antivirus software; in recent years we have monitored the abuse of CD-ROM image files (.iso) and virtual hard disk files (.vhd) for this purpose. Both formats can also effectively circumvent the MOTW mechanism (a security measure in which Windows displays a warning message when a user tries to open a file downloaded from the Internet). The effectiveness of this approach was evident back in November 2022, when we disclosed that the Lazarus group's attack components in vhdx format had a detection rate of 0 on VirusTotal.\r\nWhile combing through recently uploaded vhdx files, we found that from September to December 2022 the Kasablanka group is suspected of having attacked Russia. Its targets include the Russian Federal Government Cooperation Agency and the Ministry of Foreign Communications of the Astrakhan Region of Russia, and the detection rate of some samples remained 0.\r\nAnalyzing and organizing the captured samples, we found that the Kasablanka group used socially engineered phishing emails as the entry point of the attack, with a virtual disk image file attached that nested a variety of next-stage payloads, including lnk files, zip archives, and executables. 
In the early stages of the attack the final payload executed was the commercial Trojan Warzone RAT; in the later stages we observed that the executed Trojan changed to Loda RAT.\r\nDecoy File\r\nA phishing attack against the Agency of the Government of the Russian Federation for CIS Affairs, Aliens and International Humanitarian Cooperation, or \"Россотрудничество\".\r\nhttps://ti.qianxin.com/blog/articles/Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia/\r\nPage 1 of 16\r\nThe translation of the phishing email content is as follows:\r\nPhishing email attack against the Ministry of Foreign Communications of the Astrakhan Region of Russia.\r\nThe translation of the phishing email is as follows:\r\nOne of the phishing email attachments uses the situation related to the Republic of Turkey in 2022 as bait.\r\nAnother attack uses articles related to Russian import substitution and migration policy in 2015 as bait.\r\nIn addition, the Kasablanka group used the first page of Resolution No. 1725, published on the official website of the Government of the Russian Federation, as a decoy, and the relevant content of the draft Digital Code of Kyrgyzstan was also used as bait.\r\nSample Analysis\r\nThe captured samples are all virtual disk image files (.vhdx suffix); the decoy names and contents are in Russian, and the samples were uploaded from Russian regions. 
Some of the samples use lnk files as downloaders for the next-stage payload.\r\nSome attack samples package the decoy and Warzone RAT into a zip file inside the virtual disk image file.\r\nIn other cases there is no decoy file at all, and the lnk file is directly disguised as a folder to lure victims into clicking on it.\r\nWe have sorted out the download links of the relevant payloads, as shown in the table below:\r\nLinks | Remarks\r\nhttp://179.60.150.118/new.exe | Warzone RAT\r\nhttp://89.22.233.149/ms7.hta | Unknown\r\nhttp://193.149.129.151/vmsys | Unknown\r\nhttp://45.61.137.32/www.exe | Warzone RAT\r\nhttp://45.61.137.32/svvhost.rar | Loda RAT\r\nhttp://45.61.137.32/Scanned_document.exe | Loda RAT\r\nWarzone RAT\r\nWarzone RAT, also known as AveMaria RAT, is a commercial trojan developed in pure C/C++. It has been sold publicly on the internet as a software subscription since 2018, is compatible with Windows systems below Windows 10, and offers remote desktop, password stealing, keylogging, remote commands, privilege elevation, download-and-execute and many other remote control functions. 
It has been used by several APT groups, including Confucius, Bitter, Blind Eagle (APT-Q-98) and others.\r\nThe captured Warzone RAT eventually establishes a TCP connection to the server hbfyewtuvfbhsbdjhjwebfy.net (193.188.20.163).\r\nIt has a wide variety of remote control commands, including the following functions:\r\nFunction number | Function\r\n0x0 | Obtain information about the controlled machine\r\n0x2 | Get process list information\r\n0x4 | Get drive information\r\n0x6 | Get directory information\r\n0x8 | Retrieve files from a folder on the victim device\r\n0xA | Delete the specified file\r\n0xC | End the specified process\r\n0xE | Remote shell\r\n0x10 | End the specified thread\r\n0x12 | List the victim's camera device information\r\n0x14 | Turn on the camera\r\n0x16 | Stop the camera\r\n0x18 | Get the title of the active program\r\n0x1A | Exit and delete its own file\r\n0x1C | Download files to the controlled host\r\n0x20 | Get browser passwords\r\n0x22 | Download the file from the given URL to the controlled host and execute it\r\n0x24 | Online keylogging\r\n0x26 | Offline keylogging\r\n0x28 | Install HRDP Manager on the victim's device\r\n0x2A | Enable reverse proxy\r\n0x2C | Stop reverse proxy\r\n0x30 | Start remote VNC\r\n0x32 | Shut down remote VNC\r\n0x38 | Reverse proxy port settings\r\n0x3A | Execute or open the specified file\r\n0x48 | Inject into the specified process\r\n0x4A | Traverse to get file information\r\n0x4C | Multiple sub-commands, including shutdown, network test, exit, etc.\r\nLoda RAT\r\nLoda RAT is a proprietary malware written in the AutoIt scripting language, first captured and disclosed 
in the wild by Proofpoint in September 2016. The name 'Loda' derives from the malware author's choice of 'Loda' as the directory to which keylogger logs are written. Subsequently Cisco discovered multiple variants of Loda RAT and found that the RAT had added spying capabilities for the Android platform. After a series of investigations, Cisco concluded that the group using the malware was based in Morocco and named the group Kasablanka (after the largest city in Morocco) [1].\r\nAnalysis of the captured sample showed that it was written in C# and obfuscated so extensively that common tools could not decompile it; a large amount of 0x00 padding had also been appended to the end of the PE file, swelling the entire file to 741MB.\r\nAfter execution, the sample first drops and executes the Loda RAT packaged with AutoIt in the %appdata% directory. The AutoIt script can be recovered using the deep analysis function of QiAnXin's Threat Intelligence Center Cloud Sandbox, and the behavior and functions of the trojan can be seen by analyzing the script.\r\nLoda RAT first detects antivirus products installed on the victim machine through WMI commands.\r\nIt then collects information about the victim host, including permissions, operating system version, etc.\r\nIt adds persistence by creating %appdata%\\Windata\\svshost.exe and an NFOKQN.lnk shortcut to svshost.exe in the Windows startup directory.\r\nIt uploads the collected information and then takes screenshots.\r\nSubsequently it enters the remote control loop, processing the data returned by the C2 and dispatching to the corresponding remote control instructions. These instructions are divided into relatively fine-grained functions; a rough count gives 144 remote 
control instructions. For reasons of space we will not introduce them in detail, but give a general overview of its remote control functions:\r\nRecording\r\nUpload and download files\r\nExecute the specified file\r\nShutdown\r\nClose the specified process\r\nSteal user cookies and passwords\r\nTurn on keylogger\r\nDelete keylogger data\r\nDownload and execute the file from the specified URL\r\nGet file or directory size\r\nAllow RDP connections by modifying the registry\r\nCompress/uncompress files\r\nCopy files or directories\r\nEnumerate connected drives\r\nEnumerate hot folder locations\r\nDetect UAC settings\r\nSend mouse clicks (left and right clicks are separate commands)\r\nCapture screenshots and send them to C2\r\nOpen/close CD trays\r\nRecording\r\nTurn off Windows Firewall\r\nSend the names of running processes to C2\r\nExit, uninstall\r\nCreate a GUI chat window and save the victim/attacker conversation to a file\r\nIn addition, in the previous version LodaRAT downloaded SQLite3.dll from the official AutoIt website, because it was needed to extract sensitive information from browser databases, but the embedded URL had become unavailable for download. 
So in the latest version the Kasablanka group transcoded the DLL directly to hex and embedded it in the script.\r\nAssociation & Attribution\r\nFrom the C2 193.149.129.151 we traced back to the Trojan \"systeml.dll\", written in C# and only 8.5KB in size, whose function is to download the WinSCP tool to synchronize files with remote computers and to set up scheduled tasks for persistence, making it a potential backdoor.\r\nFrom another C2, 179.60.150.118, we associated two files packaged by PyInstaller; both are downloaders and share the same core code.\r\nAfter Base64 decoding, it is clear that they request port 443 of 179.60.150.118 to obtain the follow-up payload to execute, and that the payload is Warzone RAT or a CS (Cobalt Strike) Trojan.\r\nSome security vendors believe that Loda RAT is the exclusive trojan of the Kasablanka group, but since Loda RAT is compiled from AutoIt scripts and its source code can be obtained by decompiling it, 'false flag' activity by other threat actors using the decompiled source code is also possible.\r\nIn terms of attack motivation, we believe that the purpose of this attack is mainly information gathering and espionage. 
Considering the current situation between Russia and Ukraine, intelligence collection and espionage are more in line with the motivation of nation-sponsored hacker groups, so we attribute this attack to the Kasablanka group with moderate confidence.\r\nSummary\r\nIn previous disclosures of the Kasablanka group's operations, its targets included Bangladesh, South America and the United States, and its Loda RAT has both a Windows version and an Android version. Now this group often uses commercial RATs in its attack activities, which not only reduces development cost but also makes it more difficult to trace the attackers' footprints.\r\nThe RedDrip team would like to remind all users not to open links of unknown origin shared on social media, not to click on email attachments from unknown sources, not to run unknown files with exaggerated titles, not to install apps from informal sources, to back up important files in a timely manner, and to update and install patches.\r\nIf you need to run or install an application of unknown origin, you can first identify it through the QiAnXin Threat Intelligence File Deep Analysis Platform (https://sandbox.ti.qianxin.com/sandbox/page). 
At present, it supports deep analysis of files in various formats for the Windows and Android platforms.\r\nCurrently, the full line of products based on threat intelligence data from the QiAnXin Threat Intelligence Center, including the QiAnXin Threat Intelligence Platform (TIP), SkyRock, QiAnXin Advanced Threat Detection System, QiAnXin NGSOC, QiAnXin Situational Awareness, etc., already supports accurate detection of such attacks [2].\r\nIOCs\r\nC2\r\n179.60.150.118\r\n45.61.137.32\r\n89.22.233.149\r\n193.149.129.151\r\n193.149.176.254\r\nReference Links\r\n[1] https://blog.talosintelligence.com/kasablanka-lodarat/\r\n[2] https://ti.qianxin.com/\r\nSource: https://ti.qianxin.com/blog/articles/Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://ti.qianxin.com/blog/articles/Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia/"
	],
	"report_names": [
		"Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia"
	],
	"threat_actors": [],
	"ts_created_at": 1775791327,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7316798a8a2561b7d312c9ca8de4c58b335df047.pdf",
		"text": "https://archive.orkl.eu/7316798a8a2561b7d312c9ca8de4c58b335df047.txt",
		"img": "https://archive.orkl.eu/7316798a8a2561b7d312c9ca8de4c58b335df047.jpg"
	}
}