{
	"id": "2db63607-aa61-4b83-9291-7337deefaa71",
	"created_at": "2026-04-06T00:18:00.749153Z",
	"updated_at": "2026-04-10T13:12:01.623033Z",
	"deleted_at": null,
	"sha1_hash": "73e1915ed4e87b70f4d068beaf3a12c9a4ddbb0a",
	"title": "ShadowWali: New variant of the xxmm family of backdoors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4171803,
	"plain_text": "ShadowWali: New variant of the xxmm family of backdoors\r\nBy Assaf Dahan\r\nArchived: 2026-04-05 17:07:07 UTC\r\nCybereason has discovered another member of the xxmm family of backdoors: ShadowWali. Like the Wali backdoor, ShadowWali targets Japanese businesses and was built with the xxmm malware toolkit. In fact, both backdoors can be attributed to the same author. ShadowWali is likely an earlier version of Wali, making it Wali's \"older brother.\"\r\nIn this blog, we'll review the xxmm backdoor family and show the similarities between Wali and ShadowWali. In addition, we will provide new insights into the backdoor's post-infection phases.\r\nThe xxmm backdoor family\r\nWali is a backdoor used in targeted attacks. It gathers information about the compromised machines and their networks, and steals sensitive information and credentials. Wali's operators use this information to move laterally through an organization and compromise more machines. There are many similarities between Wali and ShadowWali:\r\nSame author: PDB paths found in the analyzed binaries indicate that both Wali and ShadowWali stem from the same author, user 123. 
The author likely built the backdoors from three different Visual Studio projects (xxmm2, xxmm3, shadowWalker):\r\nhttps://www.cybereason.com/blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors\r\nPage 1 of 27\n\nC:\\Users\\123\\documents\\visual studio 2010\\Projects\\xxmm2\\Release\\test2.pdb\r\nC:\\Users\\123\\documents\\visual studio 2010\\Projects\\xxmm2\\x64\\Release\\BypassUacDll.pdb\r\nC:\\Users\\123\\Documents\\Visual Studio 2010\\Projects\\xxmm2\\Release\\loadSetup.pdb\r\nC:\\Users\\123\\Desktop\\xxmm3\\x64\\Release\\ReflectivLoader.pdb\r\nC:\\Users\\123\\Documents\\Visual Studio 2010\\Projects\\shadowWalker\\x64\\Release\\BypassUacDll.pdb\r\nEvidence suggests that Wali's author has been developing these backdoors, and possibly other malware, since 2015.\r\nSame builder: Wali and its sibling backdoor were built using the xxmm builder (see the section \"The xxmm builder dissected\").\r\nSimilar tactics, techniques and procedures:\r\nLarge inflated executables: Both backdoors have unusually large, inflated binaries (ranging between 50,000KB and 200,000KB, i.e. roughly 50MB to 200MB). This is a tactic used to evade inspection by traditional antivirus software and other security products.\r\nProcess injection: Most samples were observed injecting malicious payloads into Internet Explorer. However, ShadowWali was also observed injecting into the LSASS.exe and explorer.exe processes.\r\nA main differentiator between Wali and its sibling backdoor is that Wali's loader carries both a 32-bit and a 64-bit payload, while ShadowWali tends to deliver 32-bit payloads. Another key difference is the process injection technique: each backdoor uses a different one.\r\nC2 infrastructure: legitimate and fake Japanese websites\r\nMany of the C\u0026C domains and IPs lead to legitimate Japanese and/or Japan-related websites that had been compromised. 
Additionally, some of the observed C\u0026C domains are suspected to be fake websites that mimic the sites of legitimate Japanese businesses.\r\nThe compromised sites are almost exclusively written in PHP. This is tied to one of the features of the xxmm builder, which supports communication over a PHP tunnel.\r\nMany of the compromised sites are hosted by one of Japan's largest hosting companies, the GMO Internet Group, which has allegedly fallen victim to cyberattacks in the past.\r\nWali backdoor\r\nThe Wali backdoor emerged in Japan in early 2016. It is dubbed Wali because of the indicative strings found inside its binaries, as seen in the screenshot of the strings from a decrypted Wali binary (SHA-1: 3603163413A8E4E03758C9FB7673E1866FF29CB5).\r\nWali's process injection\r\nOne of the consistent characteristics of Wali is the injection of the malicious payloads (either 32-bit or 64-bit) into a host process. As seen in our analysis of the xxmm builder (see the section \"The xxmm builder dissected\"), the default host process of choice is Internet Explorer (iexplore.exe). The screenshot below, taken from a real attack attempt on one of our Japanese customers, shows Wali's loader (srvhost.exe) injecting code into Internet Explorer. Let's have a look at the injection detected by Cybereason:\r\nSrvhost.exe loader injecting into Internet Explorer. Visual taken from the Cybereason Platform.\r\nWali's injection routine combines an implementation of \"Reflective DLL injection\" with another injection technique. 
Wali's author clearly borrowed code from Stephen Fewer's well-known ReflectiveDLLInjection project found on GitHub.\r\nStephen Fewer's Reflective DLL Injection code on GitHub:\r\nExcerpt taken from Wali's process injection routine:\r\nHowever, a few alterations were made to the code to accommodate the 32-bit and 64-bit payload delivery. Following is a simplified flow of the injection routine (in the original figure the main differences from Fewer's code are marked in red):\r\nCreateProcessA → OpenProcess → VirtualAllocEx → WriteProcessMemory → GetVersionEx → CreateRemoteThread/NtCreateThreadEx\r\nStep 1: Create iexplore.exe in suspended mode\r\nSince Wali's author chose to inject into Internet Explorer, a host process that doesn't necessarily run all the time, Wali first needs to make sure the browser is running, and launches it in suspended mode (creation flag = CREATE_SUSPENDED):\r\nStep 2: Allocating two RWX regions in the target process and injecting the payloads\r\nNext, the loader allocates two RWX regions in the target process and writes the 32-bit and 64-bit payloads into them respectively. Cross-process allocation of PAGE_EXECUTE_READWRITE memory followed by WriteProcessMemory is a classic injection indicator for memory scanners and API-monitoring tools.\r\nIt's interesting to note the size of the actual injected payloads: at 120KB to 144KB, the payloads are tiny compared to the 100MB to 200MB loader that's inflated with junk code.\r\nStep 3: Determining the OS version and executing a remote thread in the target process\r\nDuring the final step of the injection routine, Wali's loader determines the OS version of the compromised host. 
If the value of dwMajorVersion is lower than 6 (older than Vista), the loader calls CreateRemoteThread to execute the injected payload:\r\nOtherwise, it uses the undocumented NtCreateThreadEx API to execute the injected code. The motivation behind the version check is most likely to overcome the session isolation (\"Session 0 Isolation\") introduced in Windows Vista, which causes CreateRemoteThread to fail against a target process in a different session:\r\nC2 communication\r\nWali uses GET requests over HTTP port 80 to communicate with its C\u0026C servers, which are mostly compromised websites. Most samples have a set of three hard-coded URLs that are decrypted at runtime. Wali tries to reach all three URLs, one after the other, until it receives a response from the server:\r\nAfter communicating with the C\u0026C server, Wali attempts to do the following:\r\n1. Download a payload from the server using the URLDownloadToFileW API:\r\n2. Decrypt the payload:\r\n3. Parse the payload and execute it.\r\nWali can support different types of payloads from the C\u0026C servers, including PowerShell commands and additional plugins. Even ShadowWali was delivered by some of the compromised C\u0026C servers.\r\nThis screenshot was taken from one of the subroutines in charge of parsing and executing the payloads, in this case PowerShell commands:\r\nAnalysis of Wali's C\u0026C payloads\r\nThe Wali backdoor was observed downloading two different types of post-infection payloads:\r\nReconnaissance and credential theft plugin: This payload executes a series of commands to gather information on the compromised host and its network environment. 
In addition, it contains a Mimikatz module to dump locally stored credentials.\r\nxxmm malware: This is a variant of ShadowWali, which exhibits slightly different capabilities and a different persistence mechanism.\r\nPayload one: Reconnaissance and credential theft plugin\r\nDuring an investigation, Cybereason analysts noticed that Wali attempted to download the following payload after reaching one of its hard-coded URLs:\r\nOnce the payload is downloaded and decrypted in memory, Wali writes its content to a temporary file:\r\nSep9808.tmp - 2CE05CD6AF79B10F9EE8CBEBAE8D439FF0F30F60\r\nThe temporary file is a 101MB binary:\r\nThe file's timestamp indicates that it was compiled in August 2016:\r\nThe downloaded payload performs a process injection routine similar to Wali's, namely injecting malicious code into a new instance of iexplore.exe (loaded at memory address 0x140000000):\r\nThe plugin executable is considerably bigger than Wali's payloads: 896KB as opposed to Wali's 120KB to 140KB injected payloads.\r\nSHA-1 of the module injected at 0x140000000: 1C822CB9B4AFA82099B8EF2B909204D9D8F4626D\r\nOnce executed, the payload launches a series of reconnaissance commands:\r\nipconfig /all: TCP/IP configuration of all network adapters on the host.\r\nnetstat -ano: TCP and UDP connections, listening ports and owning processes.\r\nnet user: Enumerating user accounts on the host.\r\nsysteminfo: Detailed configuration information about the computer and its operating system.\r\nfind /i /n \"[Device Install\" C:\\windows\\inf\\setupapi.dev.log: Enumerating devices that have been installed on the host.\r\nreg query HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USB /s: Enumerating USB devices that have been connected to the host.\r\nReconnaissance commands found in the memory of the 
injected iexplore.exe\r\nLast but not least, the injected code executes an embedded Mimikatz binary in order to steal locally stored credentials and possibly enable lateral movement. Because all of this runs inside the injected iexplore.exe, a browser process acting as the parent (directly or via cmd.exe) of ipconfig, netstat, net, systeminfo, find or reg is a high-signal detection opportunity.\r\nPayload two: Variant of ShadowWali\r\nOur investigation led us to a compromised Japanese site where the attackers had uploaded their malicious PHP code and the other xxmm payload (scommand.txt, SHA-1: 52921e7b488ee1a48ca098247a07d17ce610c235).\r\nSimilar to the previous C\u0026C payload, the scommand.txt file also contains an encrypted payload:\r\nAfter Wali uses the hard-coded decryption key to decrypt the payload in memory, it writes the decrypted contents to a .tmp file in the %temp% folder. 
Once the .tmp file is written to disk and executed, it also creates a batch file that is used for self-deletion:\r\nThis self-deletion mechanism is common to both backdoors of the xxmm family, and is found in the code of the \"loadSetup\" component:\r\nC:\\Users\\123\\Documents\\Visual Studio 2010\\Projects\\xxmm2\\Release\\loadSetup.pdb\r\nDownloaded payload details:\r\nFile name: rr2E9E.tmp (original name: test.exe)\r\nSHA-1: 133C7B74E35D9DCC3BD43764CB18E59C1B74190F\r\nPDB path: C:\\Users\\123\\Documents\\Visual Studio 2010\\Projects\\shadowWalker\\x64\\Release\\BypassUacDll.pdb\r\nThe rr2E9E.tmp binary's file timestamp is from May 2016:\r\nThe resources section of the PE file contains two additional PE files:\r\n102 (32-bit payload) - 8123534DDE8AC4AF983DB302A06427AAB00EDD55\r\n105 (64-bit payload) - BC725B8FF4446A72539F5C5B0532CC0264A51D9C\r\nShadowWali: Another xxmm backdoor\r\nShadowWali is also a member of the xxmm backdoor family, written by the 123 author, and can be considered Wali's older brother. The timestamps of most of the observed ShadowWali samples range from 2015 to mid-2016, while Wali's timestamps run between 2016 and 2017. ShadowWali could therefore be viewed either as an older version of Wali or as a separate, older project that the 123 author developed.\r\nAlthough there are many similarities between the two siblings, there are also clear differences:\r\nStrings discrepancy: The indicative \"Wali\" string is not found in any of the samples we identified as ShadowWali. In fact, the ShadowWali binaries contain many strings that do not appear in the Wali backdoor. 
At the same time, some of the strings that appear in ShadowWali samples resemble strings usually found in Metasploit's Meterpreter payloads:\r\nStrings indicative of the xxmm backdoor family:\r\nStrings indicating the usage of stdapi functions, which are also found in Metasploit's Meterpreter:\r\nMostly 32-bit payloads: Most observed samples have 32-bit support; however, later samples also came with 64-bit support. This could be regarded as the missing link in the evolution of Wali.\r\nDifferent RC4 key: ShadowWali uses a slightly shorter hard-coded RC4 key (1234), as opposed to Wali, which uses 12345. Either way, a four- or five-character ASCII key provides no real secrecy: the RC4 layer is obfuscation, and anyone holding the sample holds the key.\r\nDifferent PDB paths: ShadowWali contains different PDB paths than Wali:\r\nC:\\Users\\123\\Documents\\Visual Studio 2010\\Projects\\xxmm2\\Release\\loadSetup.pdb\r\nC:\\Users\\123\\Desktop\\xxmm3\\x64\\Release\\ReflectivLoader.pdb\r\nC:\\Users\\123\\Documents\\Visual Studio 2010\\Projects\\shadowWalker\\x64\\Release\\BypassUacDll.pdb\r\nDifferences in process injection: Some samples inject into LSASS.exe and explorer.exe instead of Internet Explorer, and the injection routine itself is different, using different API calls.\r\nDifferent persistence: Service-based persistence, as opposed to Wali's tendency to use the classic registry autorun.\r\nAnalysis of the process injection routine\r\nShadowWali uses a less common and evasive style of \"process hollowing,\" as opposed to Wali's injection routine, which uses different APIs and also incorporates reflective DLL injection:\r\nShadowWali's simplified injection routine, compared with Wali's 
simplified injection routine:\r\nShadowWali: CreateProcessA → VirtualAlloc → GetThreadContext → VirtualAllocEx → WriteProcessMemory → SetThreadContext → ResumeThread\r\nWali: CreateProcessA → OpenProcess → VirtualAllocEx → WriteProcessMemory → GetVersionEx → CreateRemoteThread / NtCreateThreadEx\r\nNote that the ShadowWali sequence as listed contains no NtUnmapViewOfSection call: rather than replacing the host image as in classic process hollowing, it writes the payload into the suspended child and points the child's primary thread at it with SetThreadContext before ResumeThread. Detection logic that keys only on unmapping of the host image, or on CreateRemoteThread, will miss this variant.\r\nExample of the last stage of ShadowWali's process injection, showing the SetThreadContext/ResumeThread APIs used in this style of \"evasive process hollowing:\"\r\nVariation in injected host processes\r\nAs opposed to Wali's tendency to inject into iexplore.exe, ShadowWali exhibits more variation, and we observed it injecting code into explorer.exe and LSASS.exe, as can be seen in the following example:\r\nFile name: SMSvcHost.exe, SHA-1: 168524E2292E376B2036C41E691A434BAC3A89E1\r\nAdditional persistence mechanism\r\nIn addition to the previously documented persistence mechanism using the classic registry autorun (CurrentVersion\\Run), some samples showed a different persistence mechanism based on a Windows service set to start automatically, as can be seen below:\r\nFile: C:\\Program Files\\Common Files\\System\\reginie.exe\r\nSHA-1: 7DDEDADB81EE7A00F07F40686F078A7974E0C2D1\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\swprv7\r\nC\u0026C payloads: image file steganography\r\nWhile analyzing the C\u0026C communication of ShadowWali, we noticed that some of the compromised sites served image files with hidden code inside them:\r\nhxxp://[REDACTED].co.jp/magento/media/css/css.php\r\nThe image files all had one thing in common: at the end of the file, there was an appended section containing the encrypted payload. 
The section begins with \"###RRRR\" and ends with \"ZZZZ###\":\r\nWhen the image is downloaded, ShadowWali searches for those start and end markers and, once found, decrypts the payload between them. The decrypted payload is a new URL, leading to another domain:\r\nhxxp://[REDACTED]/data/plugin/upgrade.php?t0=000052ef\u0026t1=0\u0026t2=bb9c8e4d\u0026t3=0\r\nThis is consistent with the built-in \"changeURL\" functionality found in the sample's binary:\r\nThe xxmm builder dissected\r\nCybereason managed to obtain a copy of the xxmm builder, the tool with which the malware author \"123\" generated the xxmm family backdoors:\r\nFile name: xxmm2_build.exe\r\nSHA-1: E5f5d64bf49b10dd4591907f34357be6cecf55b7\r\nFun fact: The icon of the \"xxmm builder\" was taken from \"Batman: The Dark Knight Rises.\"\r\nThe builder is written in C++ and was compiled in January 2015, which is consistent with the appearance of ShadowWali and the timestamps found in the samples' executables.\r\nThe builder is part of the xxmm2 project and was also generated on user 123's machine, as indicated in the PDB path:\r\nAs seen in the builder's main menu dialog, the builder consists of three steps to generate the backdoors:\r\nStep 1: Configure kernel module\r\nAlthough the word \"kernel\" suggests rootkit capabilities, the xxmm backdoor family operates in user mode and was not observed implementing kernel-related rootkit capabilities.\r\nThis step is mainly used for:\r\nSetting up encryption keys\r\nConfiguring C2 communication\r\nSteganography (payloads hidden in image files)\r\nPHP tunnel\r\nThis explains the previous observations of steganography using \".jpg\" images. 
In addition, it clarifies another observation Cybereason made regarding the compromised websites, which are written in PHP. Looking at the PHP tunnel feature, this makes perfect sense:\r\nStep 2: Configure loader/setup module\r\nThis step handles the following components of the malware:\r\nLoader (mainly the injection routine)\r\nPersistence, either by service or by registry Run key\r\nConfiguring the host process for injection. Notice that the default value is iexplore.exe, which is consistent with most of the observed xxmm backdoors.\r\nStep 3: Generate trojan\r\nThe final step in the trojan generation handles the configuration of both the 32-bit and 64-bit payloads, as well as the auto-deletion code (loadSetup).\r\nConnection to the ShadowWalker rootkit\r\nThe name \"ShadowWalker1.0\" appears in the third step of the builder, and populates the \"Destination File Path\" field. The same name is found in the PDB path of some of ShadowWali's samples. For example:\r\nrr2E9E.tmp - 133C7B74E35D9DCC3BD43764CB18E59C1B74190F\r\nThe ShadowWalker1.0 rootkit was a proof-of-concept rootkit introduced by Sparks and Butler at Black Hat Japan in 2005. The code is now open source and can be found on GitHub. ShadowWalker1.0's rootkit functionality was not observed in any of the xxmm family backdoors.\r\nIt is not completely clear why the xxmm builder references the ShadowWalker rootkit. However, the builder's menu clearly indicates that it can support rootkit modules (probably optional). These indications are found in steps 1 and 2 of the builder, with indicative names such as \"kernel module\" and \"Kernel template\". 
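The builder's Step 1 settings (encryption keys, steganography, PHP tunnel) tie together two things observed earlier: the ###RRRR / ZZZZ### section appended to the C2 image files, and the short hard-coded RC4 keys (1234 for ShadowWali, 12345 for Wali). The carver below is an added example written for this page; it is not Cybereason's tooling and not code taken from the xxmm builder or the samples. It assumes the bytes between the markers are RC4-encrypted with the sample's hard-coded key, which the report implies but does not state outright, and the image it runs on is constructed rather than a real C2 image.

```python
# Added example for this page: carve and decrypt the marker-delimited payload
# appended to the image files ShadowWali's C2 sites serve. This is not
# Cybereason's tooling and not code from the xxmm builder. The markers are the
# ones the report quotes; the ASSUMPTION is that the bytes between them are
# RC4-encrypted with the sample's hard-coded key (the report gives the key,
# 1234, but does not state which cipher wraps the stego payload). The image
# built at the bottom is constructed, not a real C2 image.
from typing import Optional

START_MARKER = b'###RRRR'
END_MARKER = b'ZZZZ###'


def rc4(key: bytes, data: bytes) -> bytes:
    # Plain RC4 (KSA + PRGA). Symmetric, so one routine encrypts and decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def carve_stego_payload(image: bytes) -> Optional[bytes]:
    # The section is appended after the image data, so search from the end:
    # a JPEG body could legitimately contain the start-marker bytes earlier on.
    end = image.rfind(END_MARKER)
    if end == -1:
        return None
    start = image.rfind(START_MARKER, 0, end)
    if start == -1:
        return None
    return image[start + len(START_MARKER):end]


def extract_next_c2_url(image: bytes, key: bytes = b'1234') -> Optional[str]:
    # Returns the decrypted URL, or None when the image carries no payload or
    # the result is not a printable http(s) URL (wrong key, corrupt data).
    blob = carve_stego_payload(image)
    if blob is None:
        return None
    try:
        text = rc4(key, blob).decode('ascii')
    except UnicodeDecodeError:
        return None
    if not text.isprintable() or not text.startswith('http'):
        return None
    return text


def build_sample_image(url: str, key: bytes = b'1234') -> bytes:
    # CONSTRUCTED test input: a JPEG-looking prefix followed by the
    # marker-delimited RC4 blob, mimicking what a compromised site served.
    jpeg_like = bytes([0xFF, 0xD8, 0xFF, 0xE0]) + b'JFIF' + bytes(64) + bytes([0xFF, 0xD9])
    return jpeg_like + START_MARKER + rc4(key, url.encode('ascii')) + END_MARKER


if __name__ == '__main__':
    sample = build_sample_image('http://example.invalid/data/plugin/upgrade.php?t0=0')
    print(extract_next_c2_url(sample))                # the embedded URL
    print(extract_next_c2_url(sample, key=b'12345'))  # Wali's key: None here
```

Searching for the markers from the end of the file rather than the start matters: a carver that takes the first ###RRRR occurrence can be thrown off by those bytes appearing inside the image body. The carver also refuses any output that does not decode to a printable URL, because a wrong key (here, Wali's 12345 against a ShadowWali blob) yields noise rather than an error.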
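Step 2 of the builder is where the loader's injection routine is selected, and the two API sequences contrasted earlier (ShadowWali's SetThreadContext/ResumeThread hollowing versus Wali's CreateRemoteThread/NtCreateThreadEx) are exactly what an API-level trace from a sandbox or EDR exposes. The matcher below is an added example written for this page, not Cybereason's detection logic and not code from the samples; the one-call-per-line image!ApiName trace format and the three sample traces are constructed, while the API sequences are the ones listed in the comparison above.

```python
# Added example for this page (not Cybereason's code, not the builder's):
# match an ordered API-call trace, such as a sandbox or API-monitor export,
# against the two injection sequences the report contrasts. The trace format
# (one image!ApiName token per line) and the sample traces are constructed.
from typing import List, Optional, Sequence, Set

# One set of accepted API names per step. Wali's final step is the
# version-dependent choice between CreateRemoteThread (pre-Vista) and
# NtCreateThreadEx, so either name satisfies that position.
SHADOWWALI_HOLLOWING: List[Set[str]] = [
    {'CreateProcessA'}, {'VirtualAlloc'}, {'GetThreadContext'},
    {'VirtualAllocEx'}, {'WriteProcessMemory'}, {'SetThreadContext'},
    {'ResumeThread'},
]
WALI_REMOTE_THREAD: List[Set[str]] = [
    {'CreateProcessA'}, {'OpenProcess'}, {'VirtualAllocEx'},
    {'WriteProcessMemory'}, {'GetVersionEx'},
    {'CreateRemoteThread', 'NtCreateThreadEx'},
]

# The loader calls the A/W export; fold it onto the name used in the patterns.
ALIASES = {'GetVersionExA': 'GetVersionEx', 'GetVersionExW': 'GetVersionEx'}


def parse_trace(text: str) -> List[str]:
    # Keep only the API name from each image!ApiName line; skip blanks and
    # lines starting with # so an analyst can annotate the export in place.
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        api = line.rsplit('!', 1)[-1]
        calls.append(ALIASES.get(api, api))
    return calls


def matches_in_order(calls: Sequence[str], pattern: Sequence[Set[str]]) -> bool:
    # Ordered subsequence match: every step must occur in order, but unrelated
    # calls may sit between steps, as they do in real, noisy traces.
    step = 0
    for api in calls:
        if step < len(pattern) and api in pattern[step]:
            step += 1
    return step == len(pattern)


def classify_injection(trace_text: str) -> Optional[str]:
    # Returns which xxmm routine the trace exhibits, or None.
    calls = parse_trace(trace_text)
    if matches_in_order(calls, SHADOWWALI_HOLLOWING):
        return 'shadowwali-hollowing'
    if matches_in_order(calls, WALI_REMOTE_THREAD):
        return 'wali-remote-thread'
    return None


# CONSTRUCTED traces. Note the repeated VirtualAllocEx/WriteProcessMemory in
# the Wali trace: two RWX regions, one per payload, as described above.
SAMPLE_SHADOWWALI_TRACE = '''
# SMSvcHost.exe hollowing a suspended child
SMSvcHost.exe!CreateProcessA
SMSvcHost.exe!VirtualAlloc
SMSvcHost.exe!GetThreadContext
SMSvcHost.exe!VirtualAllocEx
SMSvcHost.exe!WriteProcessMemory
SMSvcHost.exe!SetThreadContext
SMSvcHost.exe!ResumeThread
'''
SAMPLE_WALI_TRACE = '''
# srvhost.exe loader on a Vista+ host
srvhost.exe!CreateProcessA
srvhost.exe!OpenProcess
srvhost.exe!VirtualAllocEx
srvhost.exe!WriteProcessMemory
srvhost.exe!VirtualAllocEx
srvhost.exe!WriteProcessMemory
srvhost.exe!GetVersionExA
srvhost.exe!NtCreateThreadEx
'''
SAMPLE_BENIGN_TRACE = '''
# an ordinary launcher: no cross-process write, no thread redirection
explorer.exe!CreateProcessA
explorer.exe!VirtualAlloc
explorer.exe!ResumeThread
'''

if __name__ == '__main__':
    for name, trace in [('shadowwali', SAMPLE_SHADOWWALI_TRACE),
                        ('wali', SAMPLE_WALI_TRACE),
                        ('benign', SAMPLE_BENIGN_TRACE)]:
        print(name, classify_injection(trace))
```

The match is an ordered subsequence rather than an exact sequence, so unrelated calls between the steps do not break it, and the final Wali step accepts either thread-creation API because the loader picks one based on GetVersionEx. Expect false negatives if the operator reconfigures the loader in the builder; order-of-calls patterns are a triage aid, not a replacement for scanning the memory of the injected host process.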
\r\nConclusion\r\nThe xxmm backdoor family has been attacking Japanese targets since 2015. The family consists of two main backdoors and additional post-infection plugins used for reconnaissance, credential dumping and possibly lateral movement. In this research, we have presented the similarities and differences between Wali and ShadowWali and shown that they share one author, user 123. Whether this is a case of two different backdoors or the evolution of one piece of malware over two years is a matter of interpretation. As of this writing, Wali and ShadowWali are still actively targeting Japanese organizations.\r\nThe identity of the 123 author remains unknown. However, there are indications suggesting that the threat actor behind Wali resides in Asia. From a profiling perspective, the evidence shows that the 123 author has a penchant for adapting and customizing previously introduced techniques and tools, such as the reflective loader and Metasploit modules; even the builder itself could be adapted from other builders.\r\nCompared to other modern backdoors, the xxmm backdoor family doesn't stand out or seem very sophisticated. However, the backdoors have proven effective: they successfully infected dozens of endpoints over two years while evading traditional security products. The backdoors' strongest feature is their inflated file size, which can reach 200MB. 
The motivation behind the inflated files probably stems from the author's perception that certain security solutions might not inspect large files, which would then allow the inflated files to evade detection.\r\nIOCs\r\nWali payloads:\r\n381a99c6abe218863f352a76941c9d3a4369740a\r\n878B77556EC3C3572D09F84CC2D8F60CD92F7D00\r\nD044B40D4121689A1AED655DA243D2917B866B6F\r\nA0F8CFDDB34CF44A5588903AF73F5152AF84C47E\r\n4F5748FCE8643B95DC15511816CD8045D0A470CC\r\n2CDE37F62202E4A0B3E6B600293563716E099413\r\n2E340AD74FB71D86787D2801055029C8C0E0DF5B\r\n9CC5BA99B05A0B26F04EE5F6A3EC4088B06C6B17\r\n802722295013D866855BDED0853D6AABC3A93A6F\r\n29bcc33d2b5b6ea192d1b87ab480f10d83406387\r\nShadowWali (xxmm):\r\nC4E0035E6BB3C4A42DD593CB578D9563A2E4D0C7\r\n13F00E24157AF0F23558F400FACBB015606C4E38\r\n3A5975BE9B3E9B1909D0F8EFB6ADD0FFE84ADB76\r\n168524E2292E376B2036C41E691A434BAC3A89E1\r\n367C85179A30B20DB2163CDB0CEA6D17DD164C4A\r\n133C7B74E35D9DCC3BD43764CB18E59C1B74190F\r\nxxmm builder:\r\nE5f5d64bf49b10dd4591907f34357be6cecf55b7\r\nC\u0026C payloads:\r\n2CE05CD6AF79B10F9EE8CBEBAE8D439FF0F30F60\r\n1C822CB9B4AFA82099B8EF2B909204D9D8F4626D\r\n52921e7b488ee1a48ca098247a07d17ce610c235\r\nFile names:\r\nSrvhost.exe\r\nOledb32.exe\r\nRavRtlUpd.exe\r\nSMSvcHost.exe\r\nSpmapi.exe\r\n*Domains and IPs will be discussed in part two of the blog.\r\nSource: https://www.cybereason.com/blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors"
	],
	"report_names": [
		"labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434680,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/73e1915ed4e87b70f4d068beaf3a12c9a4ddbb0a.pdf",
		"text": "https://archive.orkl.eu/73e1915ed4e87b70f4d068beaf3a12c9a4ddbb0a.txt",
		"img": "https://archive.orkl.eu/73e1915ed4e87b70f4d068beaf3a12c9a4ddbb0a.jpg"
	}
}