{
	"id": "9601b15d-4491-4ab1-be6d-d8bd68d1703b",
	"created_at": "2026-04-06T00:19:33.773309Z",
	"updated_at": "2026-04-10T03:33:46.154824Z",
	"deleted_at": null,
	"sha1_hash": "731c7b4deadbc83d1a5808f95e973438e8a1df5f",
	"title": "Endpoint Protection - Symantec Enterprise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 563856,
	"plain_text": "Endpoint Protection - Symantec Enterprise\r\nArchived: 2026-04-05 21:50:54 UTC\r\nIn late August 2015, Symantec identified a previously unknown back door Trojan (Backdoor.Dripion) infecting organizations primarily located in Taiwan, as well as Brazil and the United States. Dripion is custom-built, designed to steal information, and has been used sparingly in a limited number of targeted attacks. The attackers behind this campaign went to some lengths to disguise their activities, including using domain names disguised as antivirus (AV) company websites for their command and control (C\u0026C) servers. These attacks have some links to earlier attacks by a group called Budminer involving the Taidoor Trojan (Trojan.Taidoor).\r\nThe threat posed by custom malware such as Dripion illustrates the value of multilayered security. Unknown threats may evade signature-based detection, but can be blocked by other detection tools which identify malicious behavior.\r\nBackground\r\nOur investigation began when we received three file hashes, which we determined to have the functionality of a back door with information-stealing capabilities. The malware appeared to be new, rarely detected, and not publicly available. As we analyzed the binary and compared it against other known back door Trojans, we realized this was custom-developed malware.\r\nDeveloping a back door with information-stealing capabilities designed to evade detection requires both knowledge and funding. Usually when we see a new back door Trojan like this, it is tied to organizations involved in cyberespionage campaigns.\r\nhttps://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=b0649cc1-a60f-4cd7-ba3e-832e218de385\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments\r\nPage 1 of 7\r\nMalware downloader\r\nOne of the first steps taken when investigating malware is to determine how it is getting onto a victim’s computer. Many publicly available downloaders exist; however, only a few unique downloaders have been used over the past few years that have been exclusive to cyberespionage activity. Since Dripion appeared to be used by a single attacker against a small target group, we wanted to determine if the downloader could provide additional evidence to help attribute the threat to any known threat groups.\r\nThe downloader was identified as Downloader.Blugger (MD5: 260f19ef39d56373bb5590346d2c1811). It is not a new piece of malware, having been in existence since at least 2011. How the victim was infected with Blugger is currently unknown.\r\nBlugger used encryption to make its infrastructure and commands queried in the URL requests harder to detect. After decrypting, however, we identified the following URL requests:\r\nhttp://classic-blog.[REDACTED DOMAIN 1].com/nasyzk/20002630\r\nhttp://nasyzk.[REDACTED DOMAIN 2].net/blog/post/251315428\r\nBoth of the domains we analyzed in the URLs requested by the downloader are publicly accessible blogs. The downloader contacts these blog URLs in order to retrieve Dripion for installation.\r\nThe blog posts are primarily in English yet most of the targets are based in Taiwan. As illustrated in Figure 1, one of the blogs references US healthcare spending. It is unknown if the attacker created the blog or simply compromised another to use in their attacks. If the blog was compromised, then the attacker likely would not create posts themselves as it would show the blog’s creator that something was awry. If the blog was created by the attacker, it may be an attempt to develop a blog with topics that would likely be of interest to the intended target. Most of the blogs were related to news events.\r\nFigure 1. Screenshot of one of the blogs used to infect the victim with Dripion malware\r\nThe Dripion back door Trojan\r\nOnce Dripion is installed, the attacker can access the user’s computer. Dripion has the functionality of a back door Trojan, letting attackers upload, download, and steal pre-determined information from the victim, and execute remote commands. Information such as the victim’s computer name and IP address is automatically transmitted to the C\u0026C server upon the initial infection.\r\nCommand: Description\r\nGoSleep: Sleeps for 10 minutes\r\nGoKill: Attempts to delete itself and ends its activities\r\nGoBye: Disconnects from the computer\r\nnodata: Similar to GoBye\r\nCommand: Execute command (lpCommandLine in CreateProcessA), redirect result through pipe to .tmp file and Download file\r\nUpFile: Write data in file on victim's computer\r\nDownFile: Write data to a remote open file (InternetWriteFile). The .tmp file used may be deleted after successful operation.\r\nExecuteFile: Create a new process (CreateProcessA)\r\nTable 1. Commands associated with the Dripion malware\r\nAdditionally, the developer of the Dripion malware used XOR encoding for both the binary configuration file (XOR: 0xA8) as well as network requests with the C\u0026C server (XOR: 0xA3), to make detection more difficult. Dripion has been identified in multiple variations and has version numbers hardcoded within the malware. This indicates that the attackers have the ability to both create and develop their own custom malware as well as update their code to provide new capabilities and make detection more difficult.\r\nTies to previous cyberespionage activity\r\nThe use of publicly accessible blogs to distribute malware is a tactic we have seen previously, but few cyberespionage groups have used this technique. Fewer still have used this strategy to deliver custom-developed malware not often seen in the wild.\r\nThe first piece of evidence pointing towards a link with previous cyberespionage campaigns was the use of the Blugger downloader, which has only been used by a group Symantec calls Budminer. This group has used Blugger to distribute its own custom malware known as Taidoor (Trojan.Taidoor). Symantec has previously written about Budminer’s Taidoor campaigns. Significantly, this is the first time we have seen Blugger used to deliver malware other than Taidoor.\r\nFurther investigation uncovered a second tie with earlier Budminer activity. One of the Blugger samples associated with Dripion connected with a root domain also used in Taidoor-related activity.\r\nFigure 2. Dripion and Taidoor share ties with the same root domain.\r\nBoth of the URL queries originated from the Blugger downloader which connected to the blog classic-blog.[REDACTED DOMAIN 1].com. They then call out to subdomains of the domain [REDACTED DOMAIN 3].net. Both Dripion and Taidoor not only connected to the same website (classic-blog.[REDACTED DOMAIN 1].com) but also used the same URL (classic-blog.[REDACTED DOMAIN 1].com/nasyzk/[ENCODED TEXT]) to obtain the encrypted C\u0026C configuration.\r\nTargeting\r\nSymantec first identified activity involving Dripion in September 2015. Based on the timestamp of the earliest known sample, however, Dripion may have been in existence since 2013. The Dripion activity that we have analyzed is extremely targeted and has involved far fewer victims compared to the number of users infected with Taidoor.\r\nFigure 3. Detection of unique Dripion and Taidoor file hashes by region\r\nThe similarity between the two sets of activity is the number of unique file hashes found infecting users located in Taiwan.\r\nUnfortunately, we need more data to determine if the timestamps associated with Dripion dating back to November 2013 (7ad3b2b6eee18af6816b6f4f7f7f71a6) are legitimate or if they have been forged. The earliest known Dripion activity we were able to validate took place in November 2014. Despite the one-year gap in activity, it is possible that campaigns involving Dripion happened during this period and went undetected due to its small target window.\r\nAnother interesting tactic used to deceive potential targets lies within the C\u0026C infrastructure. The attackers created multiple domains with names similar to those of legitimate companies and websites in the antivirus community. For example, the domains hyydn.nortonsoft[.]com and mhysix.mcfeesoft[.]com were both C\u0026C domains used in attacks. Using typo-squat domains to mimic legitimate sites is a tactic frequently used to trick the targets as well as defenders, in an effort to make the domains blend in with normal activity.\r\nConclusion\r\nWe began this investigation with what we believed was a new campaign using an unidentified back door Trojan against targets primarily in Taiwan. As the investigation grew we found multiple ties between this newly discovered attack and activity associated with the Budminer cyberespionage group:\r\nSame unique downloader (not publicly available and only seen used in China-based cyberespionage activity)\r\nThe unique downloader used by both Dripion and Taidoor encrypts data using the victim's MAC address as the RC4 key\r\nUse of the same blogs for distribution of malware (Taidoor and Dripion)\r\nUse of shared C\u0026C infrastructure (at the root domain level)\r\nSimilar targeting (primary location of targets is Taiwan)\r\nWe compared Dripion against Taidoor malware samples to determine if there was any shared code or if it may have originated from the same developer. Our findings concluded there were no similarities between the two malware families. However, the downloader used by both malware families has unique attributes, and we believe it to be from the same developer.\r\nSo what does all this mean? Attribution of cyberespionage groups is difficult and needs to be done carefully based on fact and not assumptions. We have a number of ties between the two sets of activity. Not all of the ties are strong on their own, but together they provide a strong case that there is a relationship between the groups targeting Taiwan using Dripion and Taidoor malware.\r\nBased on the evidence we have presented, Symantec attributed the activity involving the Dripion malware to the Budminer advanced threat group. While we have not seen new campaigns using Taidoor malware since 2014, we believe the Budminer group has changed tactics to avoid detection after being outed publicly in security white papers and blogs over the past few years.\r\nThis investigation is just one example of Symantec’s ongoing effort to identify unknown emerging threats. By remaining one step ahead of adversaries, we can protect customers with intelligence-driven security.\r\nMitigation advice\r\nAlways keep your security software up to date to protect yourself against any new variants of this malware.\r\nKeep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities which are frequently exploited by attackers.\r\nDelete any suspicious-looking emails you receive, especially if they contain links or attachments. Spear phishing emails are frequently used by cyberespionage attackers as a means of luring victims into opening malicious files.\r\nProtection\r\nSymantec and Norton products protect against these threats with the following detections:\r\nBackdoor.Dripion\r\nDownloader.Blugger\r\nTrojan.Taidoor\r\nIndicators of compromise\r\nFile hashes\r\n2dd931cf0950817d1bb567e12cf80ae7\r\n3652075425b367d101a7d6b6ef558c6c\r\n59ff5624a02e98f60187add71bba3756\r\n865d24324f1cac5aecc09bae6a9157f5\r\neca0ef705d148ff105dbaf40ce9d1d5e\r\nf4260ecd0395076439d8c0725ee0125f\r\n285de6e5d3ed8ca966430846888a56ff\r\n31f83a1e09062e8c4773a03d5993d870\r\n4438921ea3d08d0c90f2f903556967e5\r\n7ad3b2b6eee18af6816b6f4f7f7f71a6\r\nb594d53a0d19eaac113988bf238654d3\r\nc3e6ce287d12ac39ceb24e08dc63e3b5\r\ne0c6b7d9bdae838139caa3acce5c890d\r\ne7205c0b80035b629d80b5e7aeff7b0e\r\nc182e33cf7e85316e9dc0e13999db45e\r\n272ff690f6d27d2953fbadf75791274c\r\nae80f056b8c38873ab1251c454ed1fe9\r\n260f19ef39d56373bb5590346d2c1811\r\nFE8D19E3435879E56F5189B37263AB06\r\n68BEBCD9D2AD418332980A7DAB71BF79\r\nCBDE79B6BA782840DB4ACA46A5A63467\r\nInfrastructure\r\nhyydn[.]nortonsoft.com\r\nmhysix[.]mcfeesoft.com\r\ngspt[.]dns1.us\r\nunpt[.]defultname.com\r\n198.144.100.73\r\n208.61.229.10\r\n200.215.222.105\r\n61.222.137.66\r\n103.240.182.99\r\nSource: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=b0649cc1-a60f-4cd7-ba3e-832e218de385\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=b0649cc1-a60f-4cd7-ba3e-832e218de385\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"report_names": [
		"viewdocument?DocumentKey=b0649cc1-a60f-4cd7-ba3e-832e218de385\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"threat_actors": [
		{
			"id": "71b19e59-b5f7-4bc6-816d-194be0f02af0",
			"created_at": "2022-10-25T16:07:24.301036Z",
			"updated_at": "2026-04-10T02:00:04.928222Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"Budminer",
				"Earth Aughisky",
				"G0015"
			],
			"source_name": "ETDA:Taidoor",
			"tools": [
				"Dripion",
				"Masson",
				"Taidoor",
				"simbot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50bd4a6c-7542-4bdd-8b37-ab468fc428ef",
			"created_at": "2023-01-06T13:46:38.998658Z",
			"updated_at": "2026-04-10T02:00:03.176186Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"G0015",
				"Earth Aughisky"
			],
			"source_name": "MISPGALAXY:Taidoor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "478e9b27-39b9-49e4-a3c5-81569a767275",
			"created_at": "2022-10-25T15:50:23.417339Z",
			"updated_at": "2026-04-10T02:00:05.41593Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"Taidoor"
			],
			"source_name": "MITRE:Taidoor",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2b7276b8-7f25-4e60-be9a-86cbc153cbfc",
			"created_at": "2023-01-06T13:46:39.086587Z",
			"updated_at": "2026-04-10T02:00:03.208512Z",
			"deleted_at": null,
			"main_name": "Budminer",
			"aliases": [
				"Budminer cyberespionage group"
			],
			"source_name": "MISPGALAXY:Budminer",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434773,
	"ts_updated_at": 1775792026,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/731c7b4deadbc83d1a5808f95e973438e8a1df5f.pdf",
		"text": "https://archive.orkl.eu/731c7b4deadbc83d1a5808f95e973438e8a1df5f.txt",
		"img": "https://archive.orkl.eu/731c7b4deadbc83d1a5808f95e973438e8a1df5f.jpg"
	}
}