{
	"id": "727f2c23-817f-448f-99ec-256d5cb265fd",
	"created_at": "2026-04-06T00:12:42.483165Z",
	"updated_at": "2026-04-10T03:38:09.930355Z",
	"deleted_at": null,
	"sha1_hash": "7326ad44ae8a04b2e593e3853feedf483c980aa8",
	"title": "Endpoint Protection - Symantec Enterprise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71095,
	"plain_text": "Endpoint Protection - Symantec Enterprise\r\nArchived: 2026-04-02 10:34:38 UTC\r\nToday Mandiant released a detailed report dubbed \"APT1\" that focuses on a prolific cyber espionage campaign by the Comment Crew going back to at least 2006 and targeting a broad range of industries. The report cites the earliest known public reference to APT1 infrastructure as originating from Symantec. We have detected this threat as Backdoor.Wualess since 2006 and have been actively tracking the group behind these attacks. The following Q\u0026A briefly outlines some of the relevant Symantec information around this group:\r\nQ: Do Symantec and Norton products protect against threats used by this group?\r\nYes. Symantec confirms protection for attacks associated with the Comment Crew through our antivirus and IPS signatures, as well as STAR malware protection technologies such as our reputation- and behavior-based technologies. Symantec.cloud and Symantec Mail Security for Microsoft Exchange also detect the targeted emails used by this group.\r\nQ: Has Symantec been aware of the activities of the Comment Crew?\r\nYes. Symantec has been actively tracking the work of the Comment Crew for some time to ensure that the best possible protection is in place for the different threats used by this group.\r\nQ: Why are they called the Comment Crew?\r\nThey were dubbed the Comment Crew because of their use of HTML comments to hide communication with their command-and-control servers.\r\nQ: How does a victim get infected?\r\nThe initial compromise occurs through a spear phishing email sent to the target. The email carries an attachment whose name and content use a theme relevant to the target. Some recent examples used by this group and blocked by Symantec technologies are listed here:\r\nU.S. Stocks Reverse Loss as Consumer Staples, Energy Gain.zip\r\nInstruction_of_KC-135_share_space.doc\r\nNew contact sheet of the AN-UYQ-100 contractors.pdf\r\nU.S. Department of Commerce Preliminarily Determines Chinese and Vietnamese Illegally Dumped Wind Towers in the United States.doc\r\nArmyPlansConferenceOnNewGCVSolicitation.pdf\r\nChinese Oil Executive Learning From Experience.doc\r\nMy Eight-year In Bank Of America.pdf\r\nAs described in a recent Symantec blog, if the malicious attachment is opened it attempts to exploit the victim's system. It drops the malicious payload as well as a clean decoy document to keep the ruse going.\r\nhttps://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=f1265df5-6e5e-4fcc-9828-d4ddbbafd3d7\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments\r\nQ: Does Symantec know who this group is targeting?\r\nYes. Symantec telemetry has identified many different industries being targeted by this group, including Finance, Information Technology, Aerospace, Energy, Telecommunications, Manufacturing, Transportation, Media, and Public Services. The following figure shows a worldwide heatmap of detections related to this group since the beginning of 2012.\r\nFigure. Heatmap of Comment Crew related detections\r\nQ: Currently, what are the most prevalent threats being used by this group?\r\nOver the last year, Symantec has identified the most prevalent threats used by this group as Trojan.Ecltys, Backdoor.Barkiofork, and Trojan.Downbot.\r\nQ: Has Symantec released any publications around these attacks?\r\nYes. We have recently released publications addressing the techniques and targets of Trojan.Ecltys and Backdoor.Barkiofork, both of which are threats used by this group:\r\nTargeted Attacks Make WinHelp Files Not So Helpful\r\nBackdoor.Barkiofork Targets Aerospace and Defense Industry\r\nWe have also investigated attacks associated with this group:\r\nThe Truth Behind the Shady RAT\r\nQ: What are the Symantec detection family names for threats used by this group?\r\nTrojan.Ecltys\r\nBackdoor.Barkiofork\r\nBackdoor.Wakeminap\r\nTrojan.Downbot\r\nBackdoor.Dalbot\r\nBackdoor.Revird\r\nTrojan.Badname\r\nBackdoor.Wualess\r\nSymantec also detects numerous other files used by this group under various detection names:\r\nTrojan Horse\r\nDownloader\r\nTrojan.ADH\r\nTrojan.ADH.2\r\nTrojan.Gen\r\nTrojan.Gen.2\r\nHacktool.Mimikatz\r\nSpyware.ADH\r\nQ: Does Symantec have IPS protection for these threat families?\r\nYes. There are several IPS signatures that catch threat families associated with this group:\r\nSystem Infected: Trojan.Ecltys Activity 2\r\nSystem Infected: Barkiofork Malware Activity\r\nSystem Infected: Shady Trojan Activity\r\nSystem Infected: Dalbot Backdoor Activity\r\nQ: How will this report affect the Comment Crew operations?\r\nDespite the exposure of the Comment Crew, Symantec believes they will continue their activities. We will continue to monitor those activities and provide protection against these attacks. We advise customers to use the latest Symantec technologies and incorporate layered defenses to best protect against attacks by groups like the Comment Crew.\r\nSource: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=f1265df5-6e5e-4fcc-9828-d4ddbbafd3d7\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=f1265df5-6e5e-4fcc-9828-d4ddbbafd3d7\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"report_names": [
		"viewdocument?DocumentKey=f1265df5-6e5e-4fcc-9828-d4ddbbafd3d7\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"threat_actors": [
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434362,
	"ts_updated_at": 1775792289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7326ad44ae8a04b2e593e3853feedf483c980aa8.pdf",
		"text": "https://archive.orkl.eu/7326ad44ae8a04b2e593e3853feedf483c980aa8.txt",
		"img": "https://archive.orkl.eu/7326ad44ae8a04b2e593e3853feedf483c980aa8.jpg"
	}
}