{
	"id": "58f1580f-e634-478d-8c68-dd9208d7aac5",
	"created_at": "2026-04-06T00:17:22.380316Z",
	"updated_at": "2026-04-10T13:11:37.225155Z",
	"deleted_at": null,
	"sha1_hash": "74366829b1ab7786444a8af66d586092b1d2ad42",
	"title": "MyCERT : Advisories - Espionage campaign targeting Malaysia government officials",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 91653,
	"plain_text": "MyCERT : Advisories - Espionage campaign targeting Malaysia\r\ngovernment officials\r\nArchived: 2026-04-05 20:45:48 UTC\r\nEspionage campaign targeting Malaysia government officials\r\nMA-770.022020: MyCERT Advisory - Espionage campaign targeting Malaysia government officials\r\n1.0 Introduction\r\nMyCERT observed an increase in the number of artifacts and victims involving a campaign against Malaysian\r\nGovernment officials by a specific threat group. The group's motive is believed to be data theft and exfiltration.\r\n2.0 Impact\r\nPossible data breach and exposure of confidential documents for espionage activity.\r\n3.0 Tactics, Techniques and Procedures (TTP)\r\nSince the group is utilizing short and targeted campaigns, the campaign's TTP is as below:\r\nReconnaissance: The group has leveraged previously compromised email addresses or impersonation of\r\nemails to send spear-phishing emails.\r\nDelivery: Spear-phishing emails with malicious attachments, although delivery via Google Drive has also been\r\nobserved. This includes pretending to be a journalist, an individual from a trade publication, or someone\r\nfrom a relevant military organization or non-governmental organization (NGO).\r\nWeaponization: Microsoft Office document with an enabled macro that extracts a malicious exe to download the loader.\r\nExploitation:\r\nCVE-2014-6352: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows\r\n7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and\r\n8.1 allow remote attackers to execute arbitrary code via a crafted OLE object, as exploited in the\r\nwild in October 2014 with a crafted PowerPoint document.\r\nCVE-2017-0199: Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013\r\nSP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7\r\nSP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka\r\n\"Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API.\"\r\nInstallation:\r\nUtilizes unique “iShape” names for the benign exe, loader dll, and hidden content\r\nFacilitates extraction and execution of the main payload in memory\r\nLoad-order hijacking using a benign Windows Defender exe\r\nhttps://www.mycert.org.my/portal/advisory?id=MA-770.022020\r\nPage 1 of 4\n\nContains an encrypted config block and an LZMA-compressed main payload.\r\nCommand and Control: Beacon, then download and execute stage 2. The beacon is also encrypted and looks\r\nlike a PNG.\r\nFigure 7: Sample of Encrypted PNG\r\nActions on Objectives: Data theft and exfiltration. The group's operations tend to target government-sponsored projects and take large amounts of information specific to such projects, including proposals,\r\nmeetings, financial data, shipping information, plans and drawings, and raw data.\r\n4.0 Affected Products\r\n1. CVE-2014-6352: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1,\r\nWindows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow\r\nremote attackers to execute arbitrary code via a crafted OLE object, as exploited in the wild in October\r\n2014 with a crafted PowerPoint document.\r\n2. CVE-2017-0199: Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1,\r\nMicrosoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1,\r\nWindows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka \"Microsoft\r\nOffice/WordPad Remote Code Execution Vulnerability w/Windows API.\"\r\n5.0 Indicators of Compromise\r\nIP Address Domains Hashes\r\n6.0 Recommendations\r\nFollow the best practices advised in your own organization\r\nPatch the vulnerabilities listed above as necessary\r\nBlock the IOCs found and set rules in the firewall, IDS or IPS\r\nRaise awareness of the current TTP among users in your own organization\r\nGenerally, MyCERT advises users of the affected products to keep up to date with the latest security announcements by the\r\nvendor and follow best-practice security policies to determine which updates should be applied.\r\nFor further enquiries, please contact MyCERT through the following channels:\r\nE-mail: cyber999[at]cybersecurity.my\r\nPhone: 1-300-88-2999 (monitored during business hours)\r\nFax: +603 - 8008 7000 (Office Hours)\r\nMobile: +60 19 2665850 (24x7 call incident reporting)\r\nSMS: CYBER999 REPORT EMAIL COMPLAINT to 15888\r\nBusiness Hours: Mon - Fri 09:00 - 18:00 MYT\r\nWeb: https://www.mycert.org.my\r\nTwitter: https://twitter.com/mycert\r\nFacebook: https://www.facebook.com/mycert.org.my\r\n5.0 References\r\n1. https://prezi.com/view/jGyAzyy5dTOkDrtwsJi5/\r\n2. https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html\r\n3. https://medium.com/insomniacs/on-27-march-2019-we-notice-a-twitter-post-by-clearsky-cyber-security-on-having-a-sample-named-951ec7896d3\r\n4. https://wemp.app/posts/80ab2b2d-4e0e-4960-94b7-4d452a06fd38?utm_source=latest-posts\r\nSource: https://www.mycert.org.my/portal/advisory?id=MA-770.022020",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mycert.org.my/portal/advisory?id=MA-770.022020"
	],
	"report_names": [
		"advisory?id=MA-770.022020"
	],
	"threat_actors": [
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434642,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/74366829b1ab7786444a8af66d586092b1d2ad42.pdf",
		"text": "https://archive.orkl.eu/74366829b1ab7786444a8af66d586092b1d2ad42.txt",
		"img": "https://archive.orkl.eu/74366829b1ab7786444a8af66d586092b1d2ad42.jpg"
	}
}