{
	"id": "fdca9101-5ebb-4dcb-a4fe-c7aecce11d9c",
	"created_at": "2026-04-06T02:12:41.0261Z",
	"updated_at": "2026-04-10T03:37:54.298869Z",
	"deleted_at": null,
	"sha1_hash": "758e5f41dc1203e3605da370241191371a450245",
	"title": "MirageFox: APT15 Resurfaces With New Tools Based On Old Ones - Intezer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1845254,
	"plain_text": "MirageFox: APT15 Resurfaces With New Tools Based On Old Ones - Intezer\r\nBy Jay Rosenberg, 14.06.18 | 3:26 pm\r\nPublished: 2018-06-14 · Archived: 2026-04-06 01:59:36 UTC\r\nAPT15 Background\r\nCoincidentally, following the recent hack of a US Navy contractor and the theft of highly sensitive data on submarine warfare, we have found evidence of very recent activity by a group referred to as APT15, known for committing cyber espionage and believed to be affiliated with the Chinese government. The malware involved in this recent campaign, MirageFox, looks to be an upgraded version of a RAT believed to originate in 2012, known as Mirage.\r\nAPT15 is known for committing cyber espionage against companies and organizations located in many different countries, targeting sectors such as the oil industry, government contractors, the military, and more. They are known for “living off the land,” meaning they use tools and software already installed on the computer to operate, and once inside a target network they tailor their malware specifically to the target. Other names for the group are Vixen Panda, Ke3chang, Royal APT, and Playful Dragon.\r\nThere are many articles and research reports online about APT15 and their activities, the most recent by NCC Group; although posted in March 2018, it refers to a campaign in 2017. In addition, although the 2017 campaign has been documented, during our research on MirageFox we found a recently uploaded binary (6/8/2018) from the 2017 campaign, almost identical to a RAT mentioned in NCC Group's RoyalAPT report, barely detected with only 7/66 detections on VirusTotal.\r\nAPT15 Code Reuse\r\nWe found the new version of the RAT by hunting on VirusTotal with a YARA signature we created based on code found only in Mirage and Reaver, both attributed to Chinese government affiliated groups. After seeing that these binaries were new uploads to VirusTotal with very few detections, we analyzed them using Intezer Analyze™ to see if we could find any code reuse.\r\nhttps://web.archive.org/web/20180615122133/https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/\r\nPage 1 of 8\r\n(https://analyze.intezer.com/#/analyses/d00b6787-0078-4148-aec3-a66779a22ba5)\r\nAs can be seen in this code reuse analysis report (SHA256: 28d6a9a709b9ead84aece250889a1687c07e19f6993325ba5295410a478da30a), there is shared code with Mirage and Reaver. The compilation timestamp is June 8, 2018, while the upload date to VirusTotal was June 9, 2018.\r\n(VirusTotal)\r\nOn VirusTotal, we can see there are only 10/66 detections for this binary, 11/66 for another similar version of MirageFox (SHA256: 97813e76564aa829a359c2d12c9c6b824c532de0fc15f43765cf6b106a32b9a5), and 9/64 for the third MirageFox binary that was uploaded (SHA256: b7c1ae10f3037b7645541acb9f7421312fb1e164be964ee7acd6eb1299d6acb2).\r\nHere are a couple of examples of code reuse similarities in the Mirage family between one of the newer binaries and older ones.\r\nRemote Shell:\r\nThe function above is seen throughout many of the binaries in the Mirage family and is executed when a command is sent from the C\u0026C. It is responsible for executing commands in cmd.exe (further down in the function, not seen in the screenshot, it looks for cmd.exe and executes it using CreateProcessA).\r\nConfiguration Decryption:\r\nAnother small but equally important function, shown in the image above, is the one that decrypts the data containing the C\u0026C configuration. Similar to Reaver as described by Palo Alto, it yields the IP or domain of the C\u0026C server, the port, the name of the binary, a sleep timer, and what Palo Alto calls a “campaign identifier.”\r\nTechnical Details\r\nAt this moment, we have been unable to retrieve the original infection vector or other information about what other tools the APT15 group is using to attack their targets. We are able to draw a few very interesting conclusions about what is going on here, although we cannot say for sure without the full context.\r\nFirstly, the reason this has been named MirageFox instead of just Mirage is that in the Export directory of the modules, the name field is filled with the string MirageFox_Server.dat.\r\nEvidently in the image, you can see there is an exported function. The MirageFox binaries export a function called dll_wWinMain, the name of an export in vsodscpl.dll, a module by McAfee that is loaded by a few of their executables, which import and call this function. This most likely means some type of DLL hijacking is going on: a legitimate McAfee binary is distributed alongside MirageFox so that the DLL is loaded into a legitimate-looking process. DLL hijacking techniques have been seen in the past with the APT15 group. The problem here is that once the export is called the first time, the module renames itself to sqlsrver.dll, and there is no evidence within the module of any type of persistence. After that rename, future executions of the RAT will not be through a McAfee binary.
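The export-table observation above (a DLL exporting dll_wWinMain while its export-directory name reads MirageFox_Server.dat rather than vsodscpl.dll) can be turned into a triage check. The following is an added example written for this page, not code from Intezer or from the MirageFox sample: a pure-Python walk of the PE export directory plus a check for the name mismatch and for the rename target sqlsrver.dll. The sample DLL it runs on is constructed in the block (a minimal PE32 image carrying only an export table), and the only fact assumed about the legitimate vsodscpl.dll is the dll_wWinMain export named in the article; on a real case you would read the suspect DLL from disk instead.

```python
import struct

# Indicator from the article: the MirageFox DLL exports dll_wWinMain (an export of
# McAfee's vsodscpl.dll) while its export-directory name is MirageFox_Server.dat,
# and it later renames itself to sqlsrver.dll.
HIJACKED_EXPORT = 'dll_wWinMain'
LEGIT_MODULE = 'vsodscpl.dll'
RENAME_TARGET = b'sqlsrver.dll'


def read_cstr(data, off):
    # NUL-terminated ASCII string at file offset off
    end = data.index(bytes(1), off)
    return data[off:end].decode('ascii', 'replace')


def parse_exports(data):
    # Returns (export-directory name, list of exported names) for a PE32/PE32+ image.
    # Walks DOS header -> COFF header -> optional header -> data directory[0] ->
    # IMAGE_EXPORT_DIRECTORY, translating RVAs through the section table.
    if data[:2] != b'MZ':
        raise ValueError('not an MZ image')
    pe = struct.unpack_from('<I', data, 0x3C)[0]
    if data[pe:pe + 4] != b'PE' + bytes(2):
        raise ValueError('missing PE signature')
    nsec = struct.unpack_from('<H', data, pe + 6)[0]
    opt_size = struct.unpack_from('<H', data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from('<H', data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)       # data directories: PE32 vs PE32+
    exp_rva = struct.unpack_from('<I', data, dd)[0]   # entry 0 is the export table
    sections = []
    for i in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from('<IIII', data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rsize), raw))

    def rva2off(rva):
        for va, size, raw in sections:
            if va <= rva < va + size:
                return rva - va + raw
        raise ValueError(f'RVA {rva:#x} is not backed by any section')

    if exp_rva == 0:
        return None, []
    e = rva2off(exp_rva)
    name_rva, _base, _nfunc, nnames, _aof, aon, _aono = struct.unpack_from('<7I', data, e + 12)
    names_off = rva2off(aon)
    names = [read_cstr(data, rva2off(struct.unpack_from('<I', data, names_off + 4 * i)[0]))
             for i in range(nnames)]
    return read_cstr(data, rva2off(name_rva)), names


def triage(data):
    # Returns (dll_name, exports, findings); findings is empty for a clean module.
    dll_name, exports = parse_exports(data)
    findings = []
    if HIJACKED_EXPORT in exports and (dll_name or '').lower() != LEGIT_MODULE:
        findings.append(f'exports {HIJACKED_EXPORT} but names itself {dll_name!r}, not {LEGIT_MODULE}')
    if RENAME_TARGET in data:
        findings.append('contains the rename target sqlsrver.dll')
    return dll_name, exports, findings


def build_sample_dll(export_name, func_names, extra=b''):
    # Constructed sample input: a minimal PE32 DLL holding only an export table.
    # This is NOT a MirageFox binary; it exists so the parser can be run offline.
    sec_rva, sec_raw, sec_size = 0x1000, 0x200, 0x400
    n = len(func_names)
    aof, aon = sec_rva + 40, sec_rva + 40 + 4 * n
    aono, str_rva = aon + 4 * n, aon + 6 * n
    strings = bytearray(export_name.encode() + bytes(1))   # export-directory Name comes first
    name_rvas = []
    for f in func_names:
        name_rvas.append(str_rva + len(strings))
        strings += f.encode() + bytes(1)
    body = bytearray(struct.pack('<IIHH7I', 0, 0, 0, 0, str_rva, 1, n, n, aof, aon, aono))
    body += struct.pack(f'<{n}I', *(0x1200 + 0x10 * i for i in range(n)))   # fake code RVAs
    body += struct.pack(f'<{n}I', *name_rvas)
    body += struct.pack(f'<{n}H', *range(n))
    body += strings + extra
    body += bytes(sec_size - len(body))
    hdr = bytearray(64)
    hdr[:2] = b'MZ'
    struct.pack_into('<I', hdr, 0x3C, 64)                    # e_lfanew
    hdr += b'PE' + bytes(2) + struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    optional = bytearray(0xE0)
    struct.pack_into('<H', optional, 0, 0x10B)                # PE32 magic
    struct.pack_into('<I', optional, 92, 16)                  # NumberOfRvaAndSizes
    struct.pack_into('<II', optional, 96, sec_rva, len(body)) # export data directory
    hdr += optional
    hdr += struct.pack('<8sIIIIIIHHI', b'.rdata', sec_size, sec_rva, sec_size, sec_raw, 0, 0, 0, 0, 0x40000040)
    hdr += bytes(sec_raw - len(hdr))
    return bytes(hdr + body)


if __name__ == '__main__':
    for sample in (build_sample_dll('MirageFox_Server.dat', ['dll_wWinMain'], b'sqlsrver.dll' + bytes(1)),
                   build_sample_dll('vsodscpl.dll', ['dll_wWinMain'])):
        print(triage(sample))
```

The mismatch between the export-directory Name field and the module the host executable expects is what gives MirageFox away here, but it is a weak signal on its own: an attacker who writes vsodscpl.dll into that field defeats it, so pair the check with the hash and signature state of whatever file actually sits beside the McAfee executable.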
The future persistence could be set up through another component of the malware or even through a command sent by the C\u0026C to the infected computer.\r\nThe most interesting part is the decrypted C\u0026C configuration, as can be seen in the image below.\r\nDecrypted Config:\r\nC\u0026C IP: 192.168.0.107\r\nPort: 80\r\nSleep Timer: 30000\r\nCampaign Identifier: Mirage\r\nIf you look at the decrypted configuration, you may notice that the IP being used for the C\u0026C is an internal address (a private RFC 1918 range). The RoyalAPT report by NCC Group mentioned above notes that APT15 infiltrated an organization again after stealing a VPN private key; we can therefore assume this version was tailor-made for an organization they have already infiltrated and are connecting to the internal network through a VPN.\r\nThe rest of MirageFox functions similarly to previous malware created by APT15: it first collects information about the computer, such as the username, CPU information, and architecture. It then sends this information to the C\u0026C, opens a backdoor, and waits for commands from the C\u0026C, with functionality such as modifying files, launching processes, terminating itself, and other functionality typically seen in APT15's RATs.\r\nConclusion\r\nThere is high confidence that MirageFox can be attributed to APT15 due to code and other similarities in the MirageFox binaries.
As is known about APT15, after infiltrating their target they conduct a lot of reconnaissance work, send the commands from the C\u0026C manually, and customize their malware components to best suit the environment they have infected.\r\nIOCs\r\nMirageFox\r\n28d6a9a709b9ead84aece250889a1687c07e19f6993325ba5295410a478da30a\r\n97813e76564aa829a359c2d12c9c6b824c532de0fc15f43765cf6b106a32b9a5\r\nb7c1ae10f3037b7645541acb9f7421312fb1e164be964ee7acd6eb1299d6acb2\r\nRoyalAPT\r\n016948ec7743b09e41b6968b42dfade5480774df3baf915e4c8753f5f90d1734\r\nRoyalAPT C\u0026C\r\nbuy.healthcare-internet[.]com\r\nMirage (w/ Same C\u0026C Config Decryption)\r\n5787eff4b4d6ee5b4c5457c9af5e2f2e3c75204b5989606b1faa9b944dc49a30\r\nb6bd5d8f5a824db05c37dde459b60a5571df87966e00390f2df56628da49b856\r\nb9403fb1e3743617bcdf8c1e5dd332c325c1e1f2e79bef166261fec0091880cf\r\nffaddb93042243926a964864e21a28365807ac5be843f5e690f9916cddbbd55b\r\nb0a2923e817ac982c89510e4bd8eab68892ee51e5fa625bd806508a4b701aa78\r\nda4dbc738d069fbcc9b96ab4af2bd3f7a87c7b69a4b47071e099e36b481dfa01\r\nf633df1fb42666f62eb23fd70dac4e3c0c4908af123f9335f3b58e6ea205df8a\r\ne67e58bc736bd54e6915cb43af5f3c332da3592839a5a4884ba141b089310815\r\n1534432fafb21c0479343bc2d9f3991e56c75baa41c54b3470d41055bb578f8f\r\n27a0ce9761363f6a1eafc719b96bbe1f9a426e50e8b5abf84db963efddb89a8d\r\nd22c2ef1453d5575e05a673777931e07c44734fe467a77969bebe86e26aacf98\r\nf85023ae81917a7fae0d987134a968ffad346d5c3b35d3a98e237419dd334696\r\n24b3c3527a2431d1c1dd27fe6566ddcaa8e4b92e31e468bb733e827350830a14\r\n57550ab2d20a757b24137ab764a2e9bf644fd8e1f4313bca22e04db7fa608cc2\r\n4d45ddc35abf77cded21bafe5483d345585c1d84f52a101a65ebfda88be5ad7d\r\n421f4c83898ff3ae9b2a94621140ef770888a8a0914b163cdae4690433173899\r\nc27fb5fd362fdaec2e344564f76197d01e1dc463ee3552b16452fc41e67f2709\r\ncec9c4e48fad6e4c2b7cf4bc34d357893ef878e8be076c9f680f297e06184c20\r\nSource: https://web.archive.org/web/20180615122133/https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20180615122133/https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/"
	],
	"report_names": [
		"miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones"
	],
	"threat_actors": [
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441561,
	"ts_updated_at": 1775792274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/758e5f41dc1203e3605da370241191371a450245.pdf",
		"text": "https://archive.orkl.eu/758e5f41dc1203e3605da370241191371a450245.txt",
		"img": "https://archive.orkl.eu/758e5f41dc1203e3605da370241191371a450245.jpg"
	}
}