{
	"id": "72d5cef0-18c2-4520-9918-bb40f0ca4bae",
	"created_at": "2026-04-06T00:12:42.410703Z",
	"updated_at": "2026-04-10T03:30:57.151863Z",
	"deleted_at": null,
	"sha1_hash": "77ebda0fb3fe1b9e8e62e169fe6d21da9feb26e9",
	"title": "Glupteba back on track spreading via EternalBlue exploits",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 97859,
	"plain_text": "Glupteba back on track spreading via EternalBlue exploits\r\nPublished: 2021-06-04 · Archived: 2026-04-05 18:13:17 UTC\r\nGlupteba malware was first seen in 2014 and was active until 2020, when it faded away. But recently we at K7 Labs noticed a spike in Glupteba malware in our K7 Enterprise Security telemetry.\r\nOn analyzing the telemetry, we came across a huge number of hits for a handful of specific systems, and on pivoting further, we realised that each of those systems was hit by tools handed down from the Equation Group and Shadow Brokers, namely EternalBlue and DoublePulsar. Along with these, many of those systems had the Ranumbot malware as well. The collective presence of all of these malware families led us on to the trail of their next of kin, Glupteba.\r\nChecking the timestamps at which the malware occurrences were found in the telemetry, we noticed that they were found at regular intervals and, therefore, must have tallied with some scheduled spread from the infected system. We inferred that there must be at least one unprotected, probably unpatched, system that had been infected and was bombarding other protected systems on the network, a common scenario in many Enterprise networks.\r\nThe Firewall telemetry events for these systems were checked along with the corresponding IDS rules, viz. MS17-010 TRANS2 SECONDARY REQUEST and MS17-010 Echo Response. They were all found to be attempts to exploit SMB vulnerabilities. We were able to confirm that the local and remote IPs were internal, which clearly indicates that there was attempted lateral movement within the LAN.\r\nBasically, Glupteba is a Remote Access (Backdoor) Trojan, capable of spreading using EternalBlue exploits. The malware, once it has breached a system, looks for SMB vulnerabilities and tries to exploit them to move laterally within the LAN.\r\nTaking a look at one of the recent Glupteba malware samples, we realise it still prefers the Go language. As a first step of its execution it copies itself to another location and creates persistence by changing the autorun values in the registry. The self-copied malware is placed in: C:\\Windows\\rss\\csrss.exe\r\nCsrss.exe drops a file named windefender.exe, which is the Ranumbot malware, another backdoor capable of establishing remote connections and exfiltrating system information.\r\nFigure 1: Dropped file location\r\nThis Glupteba malware attempts to evade detection by Windows Defender by modifying the registry at HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths to add exclusions for the paths wherever it is located, and uses the command line utility to bypass the default firewall.\r\nThe registry key HKCU\\Software\\Classes\\mscfile\\shell\\open\\command with a default value is created by the malware in order to abuse CompMgmtLauncher.exe and bypass UAC (User Account Control). Consequently, an unchallenged execution or download of further payload is enabled.\r\nhttps://labs.k7computing.com/?p=22319\r\nPage 1 of 4\r\nFigure 2: Abuses CompMgmtLauncher.exe to bypass UAC\r\nThe malware collects details about the system and stores the configuration information in the registry key HKCU\\Software\\Microsoft\\a31263b0. Some of the system information that will be POSTed to the C2 includes build_number, firmware_type, mac, machine_guid, secure_boot, etc., along with the list of software installed on the machine. The use of this registry key, along with the previously predominant name “TestApp”, has been seen quite a lot amongst Glupteba malware and can definitely be considered an Indicator of Compromise (IoC). The purpose of storing the data this way is that it can be used by the malware in later stages of the infection chain.\r\nFigure 3: Stores configuration information in HKCU\\Software\\Microsoft\\a31263b0\r\nThe malware uses the registry key TSAppCompat to check if the system is running in application compatibility mode, and the registry key TSUserEnabled to check if users can log on to the terminal server.\r\nFigure 4: Remote connection query\r\nIt then defines a default access permission list for the computer using the DefaultAccessPermission and EveryoneIncludesAnonymous registry values to allow anyone to log in without a password.\r\nFigure 5: Permission for anonymous user to login\r\nA malicious network connection is made to 172.67.137.101 and to “hxxps://sndvoices.com”, “hxxps://2makestorage.com”, “hxxps://stiambat.com”, “hxxps://spolaect.info”. All of these connection attempts are to malicious sites to which the exfiltrated data can be sent.\r\nFigure 6: Malicious connection\r\nAn attempt to connect to hxxps://blinkroast.info/c544b71e73e7595b36b20b7fcb8b4204/watchdog.exe failed. As the URL is no longer active, we were not able to grab the file for further analysis.\r\nGlupteba’s infection vectors in the past have included downloading pirated software, fake installers or adware. Once the malware has entered the system it looks for a specific list of vulnerabilities and uses them for lateral movement into other systems connected to the network. In our case it is very evident that this Glupteba malware attempts to exploit SMB vulnerabilities to move laterally within the LAN.\r\nHere at K7, proactively monitoring our K7 Ecosystem Threat Intelligence, we were able to see that Glupteba is back in active mode. Installing a reputed product like K7 Endpoint Security will keep you protected from all kinds of threats.\r\nIndicators of Compromise (IoCs)\r\nMD5 | K7 Detection Name\r\n1a7e7794c44762d411d383fac32d45f2 | Trojan ( 0057c9a81 )\r\n6512ae7c9f36206f6433f78296102419 | Trojan ( 0055a98e1 )\r\nMITRE ATT\u0026CK\r\nExecution\r\nScheduled Task (T1053)\r\nService Execution (T1035)\r\nCommand-Line Interface (T1059)\r\nPersistence\r\nRegistry Run Key / Startup Folder (T1060)\r\nHidden Files and Directories (T1158)\r\nNew Service (T1050)\r\nPrivilege Escalation\r\nBypass User Account Control (T1088)\r\nDefense Evasion\r\nBypass User Account Control (T1088)\r\nDisabling Security Tools (T1089)\r\nHidden Files and Directories (T1158)\r\nFile Deletion (T1107)\r\nProcess Injection (T1055)\r\nModify Registry (T1112)\r\nDiscovery\r\nSystem Owner/User Discovery (T1033)\r\nSecurity Software Discovery (T1063)\r\nLateral Movement\r\nExploitation of Remote Services (T1210)\r\nSource: https://labs.k7computing.com/?p=22319",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/?p=22319"
	],
	"report_names": [
		"?p=22319"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434362,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/77ebda0fb3fe1b9e8e62e169fe6d21da9feb26e9.pdf",
		"text": "https://archive.orkl.eu/77ebda0fb3fe1b9e8e62e169fe6d21da9feb26e9.txt",
		"img": "https://archive.orkl.eu/77ebda0fb3fe1b9e8e62e169fe6d21da9feb26e9.jpg"
	}
}