{
	"id": "d9877b3a-ee5e-4bcd-b0be-8d73385c3bae",
	"created_at": "2026-04-06T00:13:40.837386Z",
	"updated_at": "2026-04-10T13:12:50.723004Z",
	"deleted_at": null,
	"sha1_hash": "747b1318011148cf17126069b038302cb6c6e5b3",
	"title": "“GreenSpot”Operations Grow For Many Years - Antiy Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4288823,
	"plain_text": "“GreenSpot”Operations Grow For Many Years - Antiy Labs\r\nArchived: 2026-04-05 17:59:13 UTC\r\n1、Overview\r\nIn the past few years, various APT attacks against China have been monitored, analyzed and tracked by Antiy\r\nLabs, disclosing the activities and toolsets of many APT groups, such as the “APT-TOCS”\r\n(http://www.antiy.com/response/APT-TOCS.html), “White Elephant”\r\n(http://www.antiy.com/response/WhiteElephant/WhiteElephant.html) and “Equation”\r\n(http://www.antiy.com/response/EQUATIONS/EQUATIONS.html). On the whole, “GreenSpot” group uses\r\nexposed targets and assets as entry points, and uses social engineering emails and vulnerabilities. It may have been\r\nhttps://www.antiy.net/p/greenspotoperations-grow-for-many-years/\r\nPage 1 of 44\n\nactive for more than 10 years. The activities of this geographic attack group before 2015 will be analyzed in this\r\nreport. The marine life “Greenspot” grown in relevant areas is used to name this group. In order to enhance the\r\nsecurity awareness of Chinese users, promote network security and informatized construction, this report is\r\nreleased.\r\nBelow, we will introduce the activities of “GreenSpot” group, including early attacks in 2007, attacks in 2011-\r\n2015 and recent attacks in 2017.\r\n1.1 Early Attacks (2007)\r\nIn 2007, some network intrusion activities from the mentioned areas were responded by Antiy Labs. Table 1-1 is a\r\nlist of the main behaviors and functions of the attack payloads extracted from attacked server systems.\r\nTable 1-1 Payloads and Their Functions in Early Attacks\r\nMost of these tools are open source or free tools, based on them, some DIY components are added. Most of these\r\ntools are not created specifically for malicious intentions, some are even common network management tools, so\r\nthese components have certain \"detection evasion\" effects. 
But this kind of DIY job is not concealed by rootkit technology, and it brings obvious changes to the system environment. Compared with the self-developed Trojans and commercial Trojans used in other APT attacks, it is a relatively low-cost method that relies on the attackers’ skills.\r\nFigure 1-1 Payload Calls in Early “GreenSpot” Attacks\r\nThese tools form a closed operation loop in the compromised environment. When the target host is infiltrated, multiple payloads from Table 1-1 are uploaded to it, and they achieve self-start and long-term residency via the persistence tools. A remote shell is opened through NC to remotely control the target host, and Mt1.exe is called to get basic system information and perform further management. Meanwhile, a list of disk files is obtained through Spooler.exe, keyboard input is collected through keylog.exe, specified files are packed through Rar.exe, and an HTTP service is opened through HTTP.exe. Then the full file list and the user’s keystroke records are retrieved remotely, and the files and logs to be collected are sent back.\r\nWe tend to believe that around 2007 the attack group was limited in its in-house development capabilities, so it relied on open source and free tools and on command-line operations. Its attack style is strongly influenced by the Coolfire-style attack tutorials. At the moment, we are unable to confirm that this attack is the work of the “GreenSpot” group, but we are sure that it comes from the same source.\r\n1.2 2011-2015 Attacks\r\nSince 2010, the group has improved its attack capabilities. It is good at reworking 1-day and old vulnerabilities and modifying open source attack tools, and it has also developed some attack weapons of its own. 
After 2010, related activities increased significantly and the group’s attack capabilities improved rapidly. The “GreenSpot” group mainly targets Chinese government departments, as well as aviation and military-related research institutions. It spreads via spear phishing emails (with a vulnerability document attached) or bundled executable files, deploying RAT (Remote Administration Tool) programs to control the target host and steal information. The typical attack vector is email: the attachment contains a malicious document, mostly in MHT format (MHT is an abbreviation of MIME HTML, a format for saving HTML files). When the document is opened, the executable payload is released and executed. In order to confuse users, a normal document embedded in the MHT attachment is also displayed. The attack process is shown in Figure 1-2:\r\nFigure 1-2 The Attack Process of “GreenSpot” Group\r\nThrough manual analysis, combined with correlation analysis on Antiy PTA and the Antiy Analysis Platform, we identified their targets, IPs and common methods. The attachments are in an uncommon format, and the related attack techniques and methods have been prepared and tested over a long period. Based on the original clues, Antiy Labs tracked, correlated and analyzed the group, and finally obtained nearly 100 IoCs. Through an overall analysis of the incidents and samples, we sorted out the timeline of the group’s activities in 2011-2014.\r\nFigure 1-3 Attack Timeline of “GreenSpot” Group in 2011-2014\r\n1.3 Some Recent Attacks (2017)\r\nThe “GreenSpot” group continued to be active after 2015. We found that the group established a new propagation source in 2017. 
All the payloads in this activity are stored on the same web server, and the payload for each attack process is stored in its own directory. The attackers first propagate an Office document containing a vulnerability, then download the malicious payload (EXE) via the vulnerability document, and then remotely control the target host via C2. See Figure 1-4 for the specific attack process.\r\nFigure 1-4 The Attack Process of the Latest Activity\r\nThe web server stores a number of malicious scripts and executable files with different configurations. Each directory contains one set of attack samples. The Poison Ivy ShellCode (Poison Ivy is a remote management tool) connects to a separate C2 address. The domain name (pps.*.com) marked in red in Figure 1-5 is associated with the 2011-2015 activities.\r\nFigure 1-5 Server Deployment and C\u0026C\r\n2、Attack Method Analysis: Spreading Payloads via Targeted Social Engineering Emails\r\n2.1 Typical Cases\r\nThrough monitoring and correlation analysis, Antiy Labs found that the payloads are associated with dozens of incidents in 2011-2015. By analyzing typical cases and bait files, we can see that the \"GreenSpot\" group mostly uses targeted social engineering emails to spread payloads. There are two kinds of payloads: (1) bundled PE malicious code, which, when opened, opens the \"normal\" document (used to confuse the recipient) embedded in the PE; (2) an attack document, which exploits the CVE-2012-0158 vulnerability to release and execute the executable file, and opens a \"normal\" document file to deceive the recipient. In both attack modes, however, the path and name of the executable file are the same. In some cases, the “%TEMP%” path is used. 
And in other cases, the “C:\\Documents and Settings\\All Users\\[Start] Menu\\Programs\\Startup\\update.exe” path is used, so that the payload starts automatically when the system boots. Based on the release paths and file names, we can see these samples are related (see Section 4.4 for the specific analysis). In terms of time, the attacks using bundled PE malicious code are later than those using vulnerability documents.\r\n2.1.1 Case 1\r\n2.1.2 Case 2\r\n2.1.3 Case 3\r\nIt is also worth noting that the relevant text in Figure 2-3 is directly copied from the National People’s Congress website (http://www.npc.gov.cn/npc/xinwen/node_12435.htm, which was posted in 2013 and has since been updated).\r\n2.1.4 Case 4\r\n2.1.5 Case 5\r\n2.1.6 Case 6\r\n2.1.7 Case 7\r\n2.1.8 Case 8\r\n2.1.9 Case 9\r\n2.2 Analysis of Social Engineering Techniques\r\nEmails are customized according to the target’s occupation, position, identity, etc., pretending to be announcements from the Chinese government, annual conference documents of academic organizations, or notices from relevant units. The topics are of interest to the recipients, including politics, economics, military affairs, scientific research, geopolitical security, etc. The spoofed documents are mainly downloaded from the websites of the relevant ministries and agencies.\r\n3、Attack Payload Analysis: Vulnerabilities, Backdoors and Executables\r\n3.1 CVE-2012-0158\r\nCVE-2012-0158 (https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/CVE-2012-0158) is an overflow vulnerability: carefully constructed malicious code is inserted into documents. 
On the surface, such a document looks normal, which seldom arouses user suspicion. So such vulnerabilities are often used in APT attacks, and CVE-2012-0158 is the most frequently used one. It usually uses RTF files, whose internal data are stored as a hex string.\r\n3.1.1 From RTF to MHT\r\nThe traditional CVE-2012-0158 exploit format is mainly RTF, but the “GreenSpot” group uses the MHT format, which can also trigger the vulnerability, and can evade multiple antivirus products.\r\nFigure 3-1 Comparison of RTF and MHT File Format\r\nIf attackers use RTF files to trigger this vulnerability, the CLSID will appear in the file after decoding (a CLSID is the unique ID that the Windows system assigns to different applications, file types, OLE objects, special folders, and various system components). If MHT files are used, the CLSID appears in the MHT file itself. In the earlier RTF overflow exploit embedded in DOC documents (Figure 3-2, the red box is the DOC file’s header), the CLSID is stored in the DOC document (Figure 3-3, the red box is the CLSID; one part uses the network byte order, and the other part uses the host byte order).\r\nFigure 3-2 Overflow File Using RTF as the Carrier\r\nFigure 3-3 Overflow File Using RTF as the Carrier\r\nIn the case of MHT files, the CLSID is not stored in the DOC document, but directly in the MHT file (as shown in the red box in Figure 3-4), which can evade the detection of most security software. 
In addition, the encoding format has changed, so a CVE-2012-0158 detection program previously written for the RTF file format will no longer work.\r\nFigure 3-4 MHT File Involved in Case 6\r\nThe main function of the MHT format is to save all the files of an offline webpage into one file for easy browsing. After changing the file suffix to “.doc”, the file can be opened with Microsoft Word.\r\nThe file can be divided into three parts: the first part is a webpage; the second part is a base64-encoded data file named \"ocxstg001.mso\", which decodes into a compound document (a DOC document); the third part is a binary file.\r\nIn the first part, we found a piece of code which describes the relationship between the first part and the second part, and which is also the key to triggering the vulnerability.\r\nThis code roughly means that, when the page is loaded, a COM control is loaded to interpret the second part. The CLSID of the control is {**********-11D1-B16A-00C0F0283628}, and the control is MSCOMCTL.OCX. The latest vulnerability known to be related to this control is CVE-2012-0158, so it can be determined that these three cases were carried out via carefully constructed MHT files exploiting CVE-2012-0158, in order to release and execute the executable files.\r\n3.1.2 Detection Evasion Techniques of the Vulnerability Payload\r\nThe \"GreenSpot\" group frequently used the MHT format before May 2013. 
We gathered statistics on the use of the CVE-2012-0158 vulnerability and the MHT format from a well-known third-party threat intelligence source.\r\nFigure 3-5 Detection Evasion Samples Captured by Antiy Labs (Red) and Massive MHT Documents (Yellow)\r\nAs can be seen from Figure 3-5, before March 2013 MHT documents related to CVE-2012-0158 had not appeared in that source, but the format had already been used by the “GreenSpot” group. We cannot confirm that \"GreenSpot\" is the inventor of this type of detection evasion, but it is at least an early adopter of this approach. For an outdated vulnerability dating back to January 2012, “GreenSpot” managed to extend its attack window. Not all APT attacks use 0-day vulnerabilities; this depends on the attacker’s resources and on what is needed to break through the defensive measures. Some APT groups are not able to develop 0-day exploits themselves, so they try to purchase commercial 0-day vulnerabilities. They quickly followed up on 1-day vulnerabilities, trying to use detection evasion methods to create new attack capabilities out of old vulnerabilities. These issues deserve attention.\r\n3.2 CVE-2014-4114\r\nWe have some analytical evidence that the “GreenSpot” group exploited the CVE-2014-4114 vulnerability (https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/CVE-2014-4114) before October 2014. This may indicate that the group has a channel to underground vulnerability trading.\r\n3.3 CVE-2017-8759\r\nIn 2017, Antiy Labs analyzed a new attack document of the “GreenSpot” group, which exploits the latest CVE-2017-8759 vulnerability (https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Win32/CVE-2017-8759) to download malicious code to the target host. 
The sample uses the RTF format instead of the previous macro code, and can directly download and execute remote files without user interaction, which is more effective.\r\nCVE-2017-8759 is a vulnerability caused by improper line feed handling, and it affects all major .NET Framework versions. The SOAP WSDL parsing module (the IsValidUrl function) in the .NET library does not correctly handle the carriage return line feed characters, which causes the calling function PrintClientProxy to contain a code injection vulnerability. Currently, the vulnerability is mainly exploited via Office documents in advanced attacks.\r\nFigure 3-6 Automatically Update Links via objautlink and objupdate Control Fields\r\nFigure 3-7 The Embedded Link Is Actually a WSDL File (See the Next Section “TXT File”)\r\n3.3.1 Vulnerability Trigger File: TXT File\r\nThis is the WSDL file that triggers the vulnerability. When the vulnerability is triggered, the code within it is executed, i.e., the specified HTA file is parsed and executed using mshta.exe. Taking sample jin2.txt as an example, the key code is as follows:\r\nFigure 3-8 WSDL File Calls msHTA to Execute the HTA File\r\nThe difference between the txt files is the HTA file link. For details, see Table 3-1:\r\nTable 3-1 HTA File List\r\n3.3.2 Download the Specified EXE File: HTA File\r\nAn HTA file is an HTML page file with VBScript embedded in it. The main function of the script is to download the specified EXE file using PowerShell, save it as officeupdate.exe and execute it. Figure 3-9 shows the contents of sample jin2.HTA:\r\nFigure 3-9 HTA File Calls powershell to Download Executables\r\nThe difference between the HTA files is the download address. The attacker exploits the vulnerability to trigger the HTA file, so as to download and execute the final executable payload. 
For the corresponding relationship, see Table 3-2.\r\nTable 3-2 HTA Files and Corresponding EXE Download Addresses\r\n3.4 Analysis of Related Payloads\r\n3.4.1 Poison Ivy RAT Backdoor\r\nThrough analysis, we found that the update.exe released in Case 1, Case 2, Case 3 and Case 9 is a Poison Ivy RAT backdoor. Poison Ivy is a well-known RAT program with strong capabilities. The payloads it generates are compact, easy to encrypt and able to evade detection. Because of these advantages, Poison Ivy is also used by other attack groups. Here are some of the features of the Poison Ivy backdoor:\r\ncollect basic information about the system;\r\nfull-disk file management, including viewing all files, downloading files, uploading files, etc.;\r\nobtain system process information, end processes, suspend processes, etc.;\r\nobtain system service program information;\r\nview the software installed on the system, uninstall software;\r\nobtain the port numbers opened by the system;\r\nexecute a remote shell, execute arbitrary commands;\r\nobtain password hash values;\r\nget keystrokes;\r\nget screenshots;\r\nturn on the camera for monitoring.\r\nFigures 3-10 and 3-11 show the mutex and domain names in the samples (update.exe) involved in these four cases:\r\nFigure 3-10 Comparison of Mutex in the Samples\r\nFigure 3-11 Comparison of Domain Names in the Samples\r\nIn addition, we collected relevant information about the samples (such as versions, timestamps and domain names) in the four cases, as shown in Table 3-3.\r\nTable 3-3 Version Comparison\r\nFrom the table above, we can see that Poison Ivy RAT backdoors are used in all four cases, but they can be divided into three categories.\r\nThe first category is Case 
1 and Case 2. Except for the domain name, the other information is the same. By comparing the update.exe binaries in Case 1 and Case 2, we found that 90% of the two binaries are identical; the only difference is the encrypted binary code, which is due to the different encryption keys.\r\nFigure 3-12 Decryption Algorithm of the Samples in Case 1 and Case 2\r\nThe second category is Case 3, and the third category is Case 9. The encryption algorithms of these two types are different from the first one, but the decrypted code is almost identical except for the related configuration.\r\nFigure 3-13 Decryption Algorithm of the Samples in Case 3\r\nFigure 3-14 Decryption Algorithm of the Samples in Case 9\r\nAccording to the timestamp of update.exe in Case 3, we can determine that the sample appeared on February 6, 2013. Although the timestamp can be modified, based on the contents of the spoofed document released in Case 3 (see Chapter 2, the timestamp in the doc document), we believe it has a certain reference value.\r\n3.4.2 Gh0st Backdoor\r\nThrough analysis of update.exe in Case 4, we found that the mutex used in the sample is \"chinaheikee__inderjns\", which is identical to the mutex of gh0st samples. This mutex is the default configuration. In addition, the packet format is consistent with gh0st version 3.75, so we can determine that update.exe is a gh0st backdoor.\r\nFigure 3-15 The Interface of Gh0st RAT Backdoor\r\n3.4.3 HttpBots Backdoor\r\nThrough analysis of svchost.exe in Case 5, we can determine that the sample is actually a bot backdoor. Svchost.exe controls the machine on which the backdoor is installed. 
Figure 3-16 is a screenshot of the specific commands.\r\nFigure 3-16 The Control Command of Httpbots Backdoor\r\nTable 3-4 Command Description\r\n3.4.4 ZXSHELL Backdoor (Targeted)\r\nThrough analysis, Antiy Labs determined that the PE files released in Cases 6, 7 and 8 are ZXShell backdoors (three different versions respectively). They are compiled from the ZXShell source code, and have the regular functions of the ZXShell backdoor, including system information collection, file management, process review, etc.\r\nIt should be noted that the author changed the version to V3.6 (the latest version of ZXShell is V3.0), and added a password stealing function to it: the sample collects *.doc*, *.xls*, *.ppt* and other document files (in Case 6, it only collects files on network disks, USB flash drives and CD-ROMs; in Cases 7 and 8, it collects files from the full disk). In order to ensure the value of the collected files, only files modified within the last 6 months are collected. Then the files are packed using RAR, and are named with the date and the disk volume serial number (in Case 6, the file is named after the disk volume serial number only). The suffix and the compression passwords differ between samples.\r\nFigure 3-17 In Case 6, the Sample Only Collects Files on Network Disks, USB Flash Drives and CDROMs\r\nFigure 3-18 Collected Files Are Packed\r\nAfter analyzing the configuration of the existing samples, we found the document types they collect: *.doc*, *.xls*, *.ppt*, *.wps*, *.pdf. We also found some new features in the samples:\r\n1. Obtain the email accounts, passwords and corresponding URLs that are automatically saved by IE, using different methods for IE6 and above.\r\n2. 
Collect network information, host information and process information, and record such information in the following file: %Application Data%\\Microsoft\\Windows\\Profiles.log\r\n3. According to its configuration, the sample searches the full disk, collects the paths of files containing the specified keywords and the paths of EXE files in the “Program Files” directory of drive C, and records the collected file path information in %Application Data%\\Microsoft\\Windows\\Profiles.log.\r\nFigure 3-19 Collection of Specified Files\r\nIn the captured samples, we found that each sample has three keywords hard-coded in it, and collects sensitive information based on these keywords. After deduplication, there are 12 keywords, including “战” (which means war), “军” (which means military), “航” (which means aviation), etc. Through these keywords, we can clearly understand the intent of the \"GreenSpot\" group.\r\n4. There is an additional domain name in the sample. The Profiles.log file and the RAR-packed files are automatically sent back to it.\r\n5. Backdoor delivers: ***_IP-计算机名^^//@@\u0026\u0026*** (the “***” part is different for each sample)\r\n6. Listener responds: kwo (password)\r\n7. Backdoor delivers: IP-计算机名-2014010106.tmpp19769 (year month day hour .tmpp file size)\r\n8. Listener responds: Any (supports reading files at the specified offset)\r\n9. Backdoor delivers: Profiles.log file content (see Figure 3-20)\r\nFigure 3-20 The Content of Profiles.log File\r\n10. In Case 6, the “help instruction” is in Chinese, but in Case 8, it is garbled. 
After analysis, we found that in the new sample the “help instruction” uses a different encoding, but it was converted to GB2312 when compiled, causing garbled characters.\r\nFigure 3-21 The Instruction in Case 6\r\nFigure 3-22 The Instruction in Case 8\r\n11. In Case 7, the sample checks for Chinese security vendors and their products. Based on the antivirus software installed, it takes different actions, such as exiting, executing normally, adding special startup items, etc. It can be seen that this is a malicious program specially designed against Chinese users.\r\nTable 3-5 compares the functions of the samples used by the “GreenSpot” group with those of the original ZXShell. It can be seen that the sample only retains the necessary remote control functions, and adds a password stealing function that ZXShell did not have. The specific functions are shown in Table 3-5:\r\nTable 3-5 Function Comparison Between the Sample Used by “GreenSpot” and the Original ZXShell\r\n3.4.5 Detection of Some Samples During Attacks\r\nThe backdoor samples in the attacks are all public RAT programs. Generally, mainstream security vendors all pay attention to, detect and clean them. But the “GreenSpot” group modifies and encrypts these public RAT programs, so that the overall detection rate of these samples is less than 8%, and some individual samples are detected by only 1-2 security vendors. It can be seen that these samples are designed for detection evasion, and they can reside on the target host.\r\nFigure 3-23 Detection Rate of Some Samples\r\n3.4.6 Analysis of Recently Captured Samples\r\n3.4.6.1 EXE File\r\nThe EXE file is the final payload downloaded and executed by the HTA file mentioned in Section 3.3.2. 
The main function of this file is to download ShellCode from the specified URL. After decrypting it, the file creates a thread and executes the ShellCode. Taking jin2.exe as an example, the key code of the sample is as follows:\r\nFigure 3-24 Connect to the Specified URL to Download ShellCode\r\nFigure 3-25 Decrypt Shellcode Function\r\nAfter downloading the ShellCode from the specified URL, the sample decrypts it, and then allocates memory and copies the decrypted ShellCode into it. Then it creates a thread, passing the ShellCode’s start address as the parameter to the thread function, so as to execute the ShellCode.\r\nFigure 3-26 Allocate Memory Space, Create a Thread to Execute ShellCode\r\nThe function code of each EXE file is basically the same; only the download URL of the ShellCode differs. The respective URLs are shown in the following table:\r\nTable 3-6 Downloaded Shellcode and the Corresponding URLs\r\n3.4.6.2 ShellCode (Poison Ivy)\r\nWe analyzed the decrypted ShellCode and found that it is generated by the Poison Ivy program. The IP addresses connected to by the different ShellCode are shown in Table 3-7:\r\nTable 3-7 Shellcode and the Corresponding C2\r\nThe C2 address can be redirected to the local computer via local hijacking, and the sample can then be connected to through a configured Poison Ivy client. The Poison Ivy version used by the attacker is 2.3.1. 
The detailed information is shown in Figure 3-27.\r\nFigure 3-27 Redirect C2 Sample for Successful Connection\r\n4、Sample Correlation Analysis\r\n4.1 Lateral Association of Multiple Cases\r\nAntiy CERT analyzed the relevant information of the first 6 cases, mainly involving file names, mutexes, file version information, etc. Through lateral association (see Figure 4-1), together with the aforementioned doc files, the exploit method and the information about the executable files, we initially determined that there is a correlation between these incidents.\r\nFigure 4-1 Lateral Association of Multiple Cases\r\n4.1.1 Comparison of ShellCode Part (CVE-2012-0158)\r\nTable 4-1 Comparison of ShellCode Part (CVE-2012-0158)\r\n4.1.2 Comparison of Released PE Files\r\nTable 4-2 Comparison of Released PE Files\r\n4.2 Domain Name Association\r\nBy extracting and sorting out the domain names in a dozen related samples (see Figure 4-2), it can be clearly seen that all the domain names are dynamic DNS names, the service providers are all overseas, and most of them are registered through changeip.com and no-ip.com. 
We believe that these domain names are not registered randomly, but are organized and registered by the same group.\r\nFigure 4-2 Domain Name Information\r\n4.3 IP Address Association\r\nBy extracting and sorting out the previous and current IPs that the domain names resolved to, we can clearly see that the vast majority of all IP addresses belong to the same region, and most of these IPs come from two Internet address assignment agencies, AS3462 and AS18182. Each agency manages one area, which also indicates that this is a set of attacks from the same source.\r\n4.4 Correlation Between Malicious Code\r\nTo facilitate presentation and understanding, the correlation of all samples and C2s is analyzed (see Figure 4-3).\r\nFigure 4-3 Correlation Between Malicious Code (2011-2015)\r\nAlthough the \"GreenSpot\" group uses a variety of different backdoors, the backdoors share the same C2 server, which likely facilitates management and control. The correspondence between the different backdoor types can be seen from the backdoor IDs and passwords in Table 4-3.\r\nFigure 4-4 Different Incidents/Malicious Payloads (PE) Share the Same Infrastructure C2\r\nThrough the analysis of the Poison Ivy RAT samples, their online IDs and passwords can be derived. It can be seen that different samples have the same online ID and password.\r\nTable 4-3 Online ID and Password of Poison Ivy RAT\r\nBy analyzing the captured ZXShell RAT samples, their online passwords and compression passwords were counted. 
It can be seen that many ZXShell samples use the same password, and these passwords are similar to (or the same as) the passwords in Table 4-3. Combined with the domain names, IPs, etc., we can see these samples are from the same attack group.\r\nTable 4-4 Online Password and Compression Configuration of ZXShell RAT\r\n5、Group Association Analysis\r\nIn addition to correlating the multiple incidents, Antiy CERT also conducted a comparative analysis. From code similarity, domain name preference, C2 IP address relevance and geographical characteristics, we believe these payloads all come from the “GreenSpot” group.\r\n5.1 Code Similarity\r\nIn the 2011-2015 attacks, the group used four types of remote control programs, mainly ZXShell and Poison Ivy. When using Poison Ivy, the attack group first generates Poison Ivy ShellCode, then hard-codes the XOR-encrypted ShellCode into a Loader, which decrypts and executes the ShellCode after the Loader is delivered to the target host. This technique is identical to the one used by the sample found in 2017, and both use triple XOR encryption. See Figure 5-1 for the decryption algorithm.\r\nFigure 5-1 Decryption Algorithm in 2011-2015 Samples (Left) and 2017 Samples (Right)\r\n5.2 Domain Name Preference\r\nAll samples found in 2017 use dynamic domain name providers (14 in total), and 35 dynamic domain name providers were used by the 2011-2015 samples. 
The attackers in both campaigns therefore prefer dynamic domain names, and 7 of the providers are shared.\r\nIn addition, the domain name \"geiwoaaa.xxx.com\" in this incident is highly similar to the domain name \"givemea.xxx.com\" from the 2013 attacks (the first is the pinyin, the second the English, of the same phrase \"give me\"), and we suspect that they were registered by the same group.\r\n5.3 IP Address Association\r\nBy correlating the C2 IP addresses, we found that the two C2 domains in the 2017 sample (uswebmail163.xxx.com and l63service.xxx.com) resolve to the same IP, 45.77.xxx.xxx, and that the domain name pps.xxx.com involved in the 2011-2015 attacks also points to this IP.\r\nFigure 5-2 C2 Domain Name Associated With 2013 Attacks\r\n5.4 Geographical Characteristics\r\nThe domain name \"geiwoaaa.xxx.com\" used in the 2017 attacks may also be associated with the 2011-2015 attacks, because the IP address it resolved to (114.42.XXX.XXX) points to the same geographic location, while the other IP addresses are mostly in the US. This IP may have been left behind by the attackers after early tests. This IP and those in the 2013 attacks are part of the 114.42 range of a telecommunications carrier in a certain region of Asia. Through monitoring we found that the C2 addresses in the 2013 attacks were mostly within this IP range, which indicates that there may be a close relationship between the groups behind the two operations. In addition, the carrier’s website states that “114.32.XXX.XXX – 114.47.XXX.XXX is not fixed IPs”, meaning that the addresses in this range are dynamically allocated and that the carrier’s customers in a certain area may be assigned any of them. 
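The pivoting described in 4.3, 5.3 and 5.4 (domain to resolution history to IP to autonomous system, then looking for infrastructure shared across campaigns) can be automated. The following is an added example written for this page, not Antiy's tooling: the domain names, resolution records and campaign labels are constructed, the IP addresses come from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24, and the prefix-to-ASN table is a stand-in for a real whois or BGP data source.

```python
# Added example: pivot C2 domains to IPs and autonomous systems to find shared
# infrastructure across campaigns (the reasoning of 4.3, 5.3 and 5.4).
# All records below are constructed; the ASN table stands in for a whois/BGP lookup.
from collections import defaultdict

# (domain, resolved IP, campaign) -- like passive-DNS history for each C2 domain.
RESOLUTIONS = [
    ('c2-mail-a.dyn.example', '192.0.2.10',     '2017'),
    ('c2-mail-b.dyn.example', '192.0.2.10',     '2017'),  # same IP as the first 2017 domain
    ('pps-old.dyn.example',   '192.0.2.10',     '2013'),  # old-campaign domain on that IP
    ('pps-old.dyn.example',   '203.0.113.77',   '2013'),  # its earlier resolution
    ('geiwo.dyn.example',     '203.0.113.78',   '2017'),  # geographic overlap only, no shared IP
    ('update-x.dyn.example',  '198.51.100.5',   '2013'),
    ('update-y.dyn.example',  '198.51.100.5',   '2013'),
    ('other.dyn.example',     '198.51.100.200', '2011'),
]

# Constructed prefix -> ASN table (documentation ASNs, not real ones).
PREFIX_TO_ASN = {
    '192.0.2.':    'AS64496',
    '203.0.113.':  'AS64497',
    '198.51.100.': 'AS64497',
}

def asn_for(ip):
    for prefix, asn in PREFIX_TO_ASN.items():
        if ip.startswith(prefix):
            return asn
    return 'unknown'

def cluster_by_shared_ip(resolutions):
    # Union-find over domains: two domains join one cluster if they ever resolved to the same IP.
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb
    by_ip = defaultdict(set)
    for domain, ip, _ in resolutions:
        by_ip[ip].add(domain)
        find(domain)               # register singletons too
    for domains in by_ip.values():
        ordered = sorted(domains)
        for d in ordered[1:]:
            union(ordered[0], d)
    clusters = defaultdict(set)
    for domain in parent:
        clusters[find(domain)].add(domain)
    return [frozenset(c) for c in clusters.values()]

def cross_campaign_clusters(resolutions):
    # Clusters containing domains from more than one campaign: the infrastructure
    # links that tie separate operations together (as 5.3 does via one shared IP).
    campaign_of = defaultdict(set)
    for domain, _, campaign in resolutions:
        campaign_of[domain].add(campaign)
    linked = []
    for cluster in cluster_by_shared_ip(resolutions):
        campaigns = set()
        for d in cluster:
            campaigns |= campaign_of[d]
        if len(campaigns) > 1:
            linked.append((frozenset(campaigns), cluster))
    return sorted(linked, key=lambda item: sorted(item[1]))

def asn_share(resolutions):
    # Fraction of distinct C2 IPs per ASN; heavy concentration in one or two
    # networks is the signal described in 4.3.
    ips = {ip for _, ip, _ in resolutions}
    counts = defaultdict(int)
    for ip in ips:
        counts[asn_for(ip)] += 1
    return {asn: n / len(ips) for asn, n in counts.items()}

if __name__ == '__main__':
    for campaigns, cluster in cross_campaign_clusters(RESOLUTIONS):
        print(sorted(campaigns), sorted(cluster))
    print(asn_share(RESOLUTIONS))
```

Note that geiwo.dyn.example stays in a cluster of its own: a shared dynamic-IP range (the 114.42 argument of 5.4) is weaker evidence than a shared address, so it is reported through the ASN concentration rather than as a hard link.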
Based on this information, the attackers behind the two operations may be in a similar location, or the jump hosts they use are.\r\nFigure 5-3 C2 Domain Name Pointing to 2011-2015 Attacks\r\n6、Summary\r\nThe \"GreenSpot\" group mainly targeted Chinese government departments, aviation, military, scientific research and other related institutions and personnel, attempting to steal confidential documents or data. It has been active for more than 7 years, and possibly for more than 11 years. The group relies mainly on spear phishing: the attachment is a disguised EXE executable, delivered to selected targets with social engineering techniques. The group makes extensive modifications to open source backdoor programs so that they bypass antivirus software. 0-day vulnerabilities are seldom exploited; instead, old vulnerabilities are exploited repeatedly. The attackers are good at detection evasion: once they have compromised a host, they use encryption, dynamic loading and other techniques to remain resident and unnoticed for a long time. Their attack methods are not sophisticated, but their repeated use shows that they are effective. The attacks exploiting a given vulnerability coincide with the period during which it remained unpatched on the targets, so this is not merely a patching problem but one of in-depth investigation and loss prevention.\r\nCompared with stealing and destroying information in the physical world, attacks in cyberspace have lower cost, stronger concealment and are harder to trace. Although the \"GreenSpot\" group does not represent the highest level of APT attacks, we should remain highly vigilant. In APT attacks, the core is never the “A” (advanced) but the “P” (persistent), because “P” embodies the intent and perseverance of the attackers. 
When faced with an attack group that is determined, organized as a team and able to bear the high cost of sustained attacks, there is no \"generic\" defense. Solid system security capabilities must be built. Taking GreenSpot’s email vector as an example, what is needed is not only sender authentication and transport encryption, but also dynamic (sandbox) analysis of attachments, hardening of the mail client endpoint, active defense and so on. For important government, military and scientific research personnel, the permitted uses and scenarios of business email and personal email should be clearly defined. Email is just one of many entry points: every channel of information exchange and every exposed surface of an open service is a potential entry point for APT attackers.\r\nFaced with high-level and well-organized cyber threat actors, operators of important information systems and key infrastructure should make an objective judgment as to which levels of cyberspace threat they must be able to defeat, and let that judgment drive their security defenses.\r\nThe following table summarizes relevant reports released by Antiy Labs.\r\nAppendix 1: About Antiy Labs\r\nAntiy Labs is a national cybersecurity team that leads the development of threat detection and defense capability, adhering to the principle of independent advanced capabilities. Relying on advanced technologies such as its next-generation threat detection engine, and on accumulated engineering capability, Antiy has developed a series of products (including IEP, PTF, PTD, ACS, PTA and TDS), building the security cornerstone of endpoint protection, boundary protection, traffic monitoring, diversion and capture, in-depth analysis, and emergency handling for customers. 
Antiy is committed to building a practical situational awareness system for its clients, relying on the comprehensive ability to monitor continuously, establishing a cooperative operating mechanism between systems and personnel, directing a variety of defense mechanisms in a coordinated response to threats, and achieving the organic integration of infrastructure security, defense in depth, situational awareness, active defense and threat intelligence, so as to promote the cumulative evolution of the customer’s overall security capability. Antiy provides overall security solutions for customers with high security requirements, such as network and information authorities, the military, confidentiality departments, ministries and commissions, key information infrastructure departments and so on. Antiy’s products and services have provided security assurance for major national projects such as manned space flight, lunar exploration, space station docking, the first flight of the large aircraft, capital ship escort and the Antarctic scientific expedition.\r\nAntiy is also a core enabling node in the world’s fundamental infrastructure security supply chain. Nearly a hundred well-known security vendors and IT vendors around the world have chosen Antiy as their detection capability partner. Antiy’s detection engine provides security protection for over three hundred thousand network and network security devices, and for nearly 1.4 billion mobile phones.\r\nAntiy’s technical strength has been recognized by industry management organizations, customers and partners. Antiy has been awarded the qualification of national security emergency support unit five consecutive times. Antiy is a significant enterprise node in China’s emergency response system, and has provided early warning and comprehensive emergency support in major security threats and virus outbreaks such as “Code Red”, “Dvldr”, “Heartbleed”, “Bash Shellshock” and “WannaCry”. 
For the dozens of advanced cyber threat actors and their campaigns, such as “Equation”, “White Elephant”, “Lotus” and “GreenSpot”, Antiy carries out continuous monitoring and in-depth analysis, and helps customers build effective protection based on a clear understanding of the adversary, providing strong support for defending the sovereignty, security and development interests of the country.\r\nOn April 19, 2016, at the symposium on cybersecurity and informatization chaired by President Xi Jinping, the chief technical architect and founder of Antiy spoke as a representative of the cybersecurity field and reported to President Xi Jinping. On May 25, 2016, President Xi Jinping visited Antiy’s headquarters during his inspection tour of Heilongjiang and remarked that “Antiy is a national cybersecurity team, although it is privately owned”.\r\nSource: https://www.antiy.net/p/greenspotoperations-grow-for-many-years/\r\n[Pages 9-10 of the PDF carry only the headings 2.1.4 Case 4 through 2.1.9 Case 9 with figures; no body text was extracted for them.]",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.antiy.net/p/greenspotoperations-grow-for-many-years/"
	],
	"report_names": [
		"greenspotoperations-grow-for-many-years"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b9695d1c-08bf-4cb9-b408-f9275bbe47e7",
			"created_at": "2025-03-07T02:00:03.802302Z",
			"updated_at": "2026-04-10T02:00:03.83211Z",
			"deleted_at": null,
			"main_name": "GreenSpot",
			"aliases": [
				"PoisonVine",
				"APT-Q-20"
			],
			"source_name": "MISPGALAXY:GreenSpot",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434420,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/747b1318011148cf17126069b038302cb6c6e5b3.pdf",
		"text": "https://archive.orkl.eu/747b1318011148cf17126069b038302cb6c6e5b3.txt",
		"img": "https://archive.orkl.eu/747b1318011148cf17126069b038302cb6c6e5b3.jpg"
	}
}