{
	"id": "485f2070-2944-40ab-b93f-abdcb251d725",
	"created_at": "2026-04-06T00:09:32.607581Z",
	"updated_at": "2026-04-10T13:11:45.603033Z",
	"deleted_at": null,
	"sha1_hash": "78b17745ea42239d31be0258204d0e4b434d5df0",
	"title": "Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4311216,
	"plain_text": "Cyberespionage Group Earth Hundun's Continuous Refinement of\r\nWaterbear and Deuterbear\r\nBy: Cyris Tseng, Pierre Lee Apr 11, 2024 Read time: 13 min (3461 words)\r\nPublished: 2024-04-11 · Archived: 2026-04-05 15:15:30 UTC\r\nMalware\r\nOur blog entry provides an in-depth analysis of Earth Hundun's Waterbear and Deuterbear malware.\r\nSummary\r\nEarth Hundun is a cyberespionage-motivated threat actor that has been active for several years in the Asia-Pacific region, targeting the technology and government sectors.\r\nThe group has been known for employing several tools and techniques, including Waterbear, a malware\r\nentity that has had over 10 versions since 2009.\r\nWaterbear is known for its complexity, as it uses a number of evasion mechanisms to minimize the chance\r\nof detection and analysis. Succeeding versions have added enhancements that make it even more\r\ntroublesome to deal with.\r\nIn 2022, Earth Hundun began using the latest version of Waterbear — also known as Deuterbear — which\r\nhas several changes, including anti-memory scanning and decryption routines, that make us consider it a\r\ndifferent malware entity from the original Waterbear.\r\nOur blog entry provides an in-depth analysis of these two malware types in Earth Hundun’s bag of tools.\r\nIntroduction\r\nWe recently observed a surge in cyberattacks targeting a number of organizations in various sectors such as\r\ntechnology, research, and government. These attacks involve a malware family known as Waterbear that is linked\r\nto the cyberespionage group Earth Hundun (also known as BlackTech), a threat actor that focuses on gathering\r\nintelligence from technology and government organizations, particularly in the Asia-Pacific region.\r\nAmong the group’s arsenal of weapons, the Waterbear backdoor is one of the most complex, with a wide array of\r\nanti-debug, anti-sandbox, and general antivirus-hindering techniques. 
Moreover, the frequent updates from its\r\ndevelopers have led to even more evasion tactics, including enhancements of its loader, downloader, and\r\ncommunication protocol. This report will delve into the latest techniques Earth Hundun has implemented with\r\nWaterbear and provide an analysis of its latest iteration, Deuterbear.  \r\nWaterbear details\r\nWaterbear has had over 10 versions since 2009, with the version number directly visible in the configuration.\r\nDespite available solutions for older versions, its operators typically persist in enhancing infection flows until a\r\nhttps://www.trendmicro.com/en_us/research/24/d/earth-hundun-waterbear-deuterbear.html\r\nPage 1 of 22\n\nsuccessful compromise. Therefore, it is common to find multiple versions coexisting within the same timeframe\r\nand even within the environments of the same victims.\r\nInterestingly, some Waterbear downloaders have been seen using command-and-control (C\u0026C) servers with\r\ninternal IP addresses (for instance, the downloader with hash\r\n6b9a14d4d9230e038ffd9e1f5fd0d3065ff0a78b52ab338644462864740c2241 uses the internal IP 192.168.11[.]2 as\r\nits C\u0026C server).\r\nThis suggests that the attackers might have in-depth knowledge of their victims’ networks, employing\r\nmultilayered jump servers to evade detection. Such tactics underscore the sophisticated nature of these attacks,\r\nwhich are designed to stealthily maintain presence and control within compromised environments.\r\nAttack chain and TTPs of Waterbear\r\nFigure 1. Waterbear infection flow chart\r\nFor the launcher, Waterbear uses a legitimate executable to load its custom DLL file. In some cases, its operators\r\npatched the legitimate executable to modify the import table. This includes adding the DLL with the same file\r\nname at ordinal 0, enabling a smooth launch of the loader via DLL sideloading. 
This strategy allows Earth\r\nHundun to run its custom DLL loader and avoid detection.\r\nFigure 2. Modifying the import table with a legitimate executable\r\nLoader\r\nBased on the diagram shown in Figure 1, there are two decryption routines used by Waterbear to decrypt the\r\nencrypted downloader.\r\nWe observed that recent Waterbear loader routines commonly use the same custom salted RC4 decryption,\r\naccompanied by a similar obfuscation pattern, to decrypt the downloader. This approach is consistent across\r\ndownloader versions 0.13, 0.16, and 0.24. In contrast, earlier versions of the Waterbear loader were barely\r\nobfuscated, if at all.\r\nFigure 3. Past Waterbear variants did not use obfuscation in the RC4 KSA stage (top) compared to\r\nmore recent variants that use obfuscation (bottom)\r\nFigure 4. Past Waterbear variants did not use obfuscation in the RC4 PRGA stage (top) compared to\r\nmore recent variants that use obfuscation (bottom)\r\nIn some cases, Waterbear loaders routinely place the encrypted downloader in the registry in advance, with the\r\ndownloader being decryptable only on the infected machine since it uses the CryptUnprotectData API. This\r\nmethod is limited by the requirement that it must operate on the infected machine. However, it can prevent the\r\nvictim from realizing that they are being attacked, while also hindering incident responders during investigation.\r\nDownloader\r\nEarth Hundun has been gradually refining its technique to bypass antivirus software by adding a large amount of\r\npadding with 0x00 around the beginning and end to avoid detection. 
After decryption, the loader executes the\r\nshellcode directly and checks the debugger mode, initiating the Waterbear downloader. The downloader protects itself against memory scanning in two ways:\r\n1. It decrypts each function before using it and encrypts it again after use.\r\n2. After recovering a function address, it quickly moves the function to another place in memory and scrambles the\r\noriginal address.\r\nFor more detailed information, please refer to our previous report, specifically the section titled “Anti-memory\r\nscanning of shellcode payload.”\r\nThe configuration outlined in the previously mentioned report contains the information required for proper\r\nexecution and communication with the C\u0026C server.\r\nData offset Data size Data content\r\n0x00 0x10 Encryption/Decryption key for the functions\r\n0x10 0x04 Remote access trojan (RAT) infection mark, which is also used for sleep time.\r\n0x14 0x10 Version (such as 0.13, 0.16, 0.24, and so on)\r\n0x24 0x0C Mutex (not used for now)\r\n0x34 0x78\r\nC\u0026C server address, which is XOR-encrypted with the key 0xFF; each address has\r\na maximum length of 0x28, and up to 3 addresses are supported. If the downloader is intended to\r\nlisten on a specific port, this section will be filled with 0x00.\r\n0xAC 0x02 Port number (might contain multiple numbers)\r\n0xD8 0x10 traffic KEY_1, RC4 key of first traffic sent from victim\r\n0xE8 0x10 traffic KEY_2, unique ID to identify victim\r\n0xF8 0x10\r\ntraffic KEY_RANDOM (randomly generated by the downloader and the RC4 key of\r\nencrypted RAT sent from the C\u0026C server)\r\n0x108 0xC8 List of function addresses (for example, 0x8 * 25 functions)\r\n0x1D0 0x64 List of function lengths (for example, 0x4 * 25 functions)\r\n0x234 0x124 List of API addresses\r\n0x358 0x90 List of encrypted API hash\r\n0x3E8 0x78 List of library names\r\nTable 1. 
The configuration structure of Waterbear downloader\r\nFigure 5. A screenshot showing the configuration structure of Waterbear downloader\r\nFor the network request, the downloader will set up the custom connection to deliver the next-stage RAT as\r\nfollows:\r\nFigure 6. Network traffic to download the Waterbear RAT\r\nIndex Direction Encryption Key\r\n1  Victim -\u003e C\u0026C  Salted RC4 (10000 times) KEY_1\r\n2  C\u0026C -\u003e Victim  Salted RC4 KEY_RANDOM XOR reversed (KEY_1)\r\n3  C\u0026C -\u003e Victim  Salted RC4 KEY_RANDOM\r\n4  C\u0026C -\u003e Victim  Salted RC4 KEY_RANDOM\r\nTable 2. Basic information about network traffic to download the Waterbear RAT\r\nAll of the packets have a 10-byte header that describes the data (keeping the same format\r\nas described in a report published by Palo Alto). However, the signature has been obfuscated over time by the\r\nthreat actors to evade detection. 
The analysis of the latest protocol is shown here:\r\nSend KEY_RANDOM\r\nThe downloader randomly generates the 16-byte key, KEY_RANDOM, and sends the packet to the C\u0026C server\r\nwith the format:\r\nOffset Size Type Content\r\n0x00  0x10 Header The 1st, 4th, and 6th bytes are generated randomly and applied to encrypt the other bytes\r\nin the header.\r\n2nd: 0x40 XOR 6th byte\r\n3rd: 0x1F XOR 1st byte\r\n5th: 0x03 XOR 4th byte XOR ((1st byte \u003e\u003e 4) AND (6th byte \u003c\u003c 4))\r\n7th: size_of_data XOR 1st byte\r\n8th: (size_of_data \u003e\u003e 8) XOR 6th byte\r\n9th: (size_of_data \u003e\u003e 16) XOR 4th byte\r\n10th: (size_of_data \u003e\u003e 24) XOR (4th byte \u003c\u003c 4) AND (6th byte \u003e\u003e 4)\r\n0x10 0x20 Data\r\n0x00 – 0x10: \u003cKEY_RANDOM\u003e XOR “abcdefghijklmno\\x00”\r\n0x10 – 0x20: \u003cKEY_RANDOM\u003e XOR \u003cKEY_2\u003e\r\nTable 3. Packet format for sending KEY_RANDOM.\r\nThe header contains the command code 0x40 0x1F, and the size of the data in the last four bytes in little-endian,\r\nbut this variant’s obfuscation method is more complex than the previous version. The C\u0026C server will perform the\r\nreverse calculation to decrypt the header and data, while KEY_RANDOM will be applied as the key of the\r\nsalted RC4 in the next packets. KEY_2 is the unique ID used to check the target.\r\nC\u0026C Verification\r\nThe C\u0026C server sends a packet to the victim for verification with the format:\r\nOffset Size Type Content\r\n0x00  0x10 Header\r\n?? 40 1F ?? ?? ?? ?? ?? ?? ?? (The last 4 bytes are the size of the data in little-endian)\r\n0x10 0x20 Data\r\nThe data contains KEY_1, with the offset of KEY_1 being ((1st byte XOR\r\n2nd byte) + 2)\r\nTable 4. 
Packet format for C\u0026C verification.\r\nGet RAT Size\r\nThe C\u0026C server sends the packet for the RAT size with the format:\r\nOffset Size Type Content\r\n0x00  0x10 Header ?? 43 1F ?? 00 ?? 04 00 00 00\r\n0x10 0x04 Data The size of the RAT in little-endian.\r\nTable 5. Packet format for getting the RAT size\r\nDownload RAT\r\nThe C\u0026C server sends the packet for the RAT with the format:\r\nOffset Size Type Content\r\n0x00  0x10 Header\r\n?? 43 1F ?? 01 ?? ?? ?? ?? ?? (The last 4 bytes are the size of the data in little-endian)\r\n0x10 Not fixed Data The segment of the next-stage RAT.\r\nTable 6. Packet format for getting the RAT\r\nThis step repeatedly receives packets from the C\u0026C server until the whole RAT is delivered.\r\nRAT command\r\nSince TeamT5’s article in 2020 discussing Waterbear’s functions, more of them have been\r\nimplemented, with the latest version shown in this table:\r\nCommand code (decimal) Capability\r\n2 Enumerate disk drives\r\n3 List files\r\n4 Upload file to C\u0026C server\r\n5 Download file from C\u0026C server\r\n6 Rename file\r\n7 Create folder\r\n8 Delete file\r\n10 Execute file\r\n11 Move file\r\n12 Disguise metadata of file\r\n13 File operation\r\n806 Get system language, system time and Windows installation date\r\n807 Enumerate windows\r\n809 Hide windows\r\n810 Show windows\r\n811 Close windows\r\n812 Minimize windows\r\n813 Maximize windows\r\n815 Screenshot\r\n816 Set screenshot event signaled\r\n817 Remote desktop\r\n818 Enumerate process\r\n819 Terminate process\r\n821 Suspend process with pID\r\n822 Resume process with pID\r\n823 Get process module information\r\n824\r\nGet process module info (for file or object using the authenticode policy\r\nprovider)\r\n825 Get extended TCP 
table\r\n826 Set state of the TCP connection to MIB_TCP_STATE_DELETE_TCB with SetTcpEntry\r\n827 Enumerate services\r\n828 – 832 Manipulate service\r\n833 Get C\u0026C in downloader config\r\n834 Set C\u0026C in downloader config\r\n1006 Start remote shell\r\n1007 Exit remote shell\r\n1008 Get PID of remote shell\r\n1010 Download DLL and execute the export function “Start”\r\n1300 Unknown\r\n2011 Enumerate registry\r\n2012 Enumerate registry value\r\n2013 Create registry key\r\n2014 Set registry value\r\n2015 Delete registry key\r\n2016 Delete registry value\r\n8001 Get current window\r\n8004 Set the infection mark in registry HKCU\\Console\\Quick\\Edit\r\n8005 Terminate connection and RAT process\r\n9010 Update C\u0026C IP address\r\n9011 – 9018 Manipulate socket\r\nTable 7. List of RAT commands and corresponding functionalities.\r\nFor more details about Waterbear’s past activities, please refer to our 2019 report.\r\nDeuterbear details\r\nThe Deuterbear downloader, the latest Waterbear downloader, has been active since 2022 based on our telemetry.\r\nBecause of significant updates in the decryption flow and configuration structure, we classify this variant as a\r\ndistinct malware entity separate from the original Waterbear downloader category.\r\nAttack chain and TTPs of Deuterbear\r\nFigure 7. Deuterbear infection flow chart\r\nLoader\r\nThe decryption flow can only run on the victim’s side, because of the CryptUnprotectData API and the need for additional\r\nparameters, which are defined by the threat actor:\r\n1. Query password from registry (HKLM|HKCU|HKCR)SOFTWARE\\\\Classes\\\\CLSID\\\\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx} with key 'AppID'\r\n2. 
Query path of encrypted downloader from registry (HKLM|HKCU|HKCR)\r\nSOFTWARE\\\\Classes\\\\CLSID\\\\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx}\\\\InprocServer32\r\n3. Downloader decryption\r\na. XOR with password from offset 16~999\r\nb. CryptUnprotectData without password\r\nc. XOR with password from offset 0~999\r\nd. CryptUnprotectData with password\r\nNote that the CLSID value is unique and defined during malware installation.\r\nDownloader\r\nThe Deuterbear downloader enables an HTTPS tunnel to protect the network traffic and implements the following\r\nobfuscation methods for anti-analysis:\r\n1. Breaking up functions using jmp\r\n2. Checking for debugger mode by process time\r\n3. Checking for a sandbox environment by verifying that the Sleep API operates normally\r\n4. Checking that execution happens within a specific time window, like 9~10 o’clock\r\n5. Implementing anti-memory scanning\r\nAnti-memory scanning, which is inherited from the Waterbear downloader, encrypts all function blocks (except\r\nfor the function involving the decode routine) with a fixed key defined in the configuration. However, the Deuterbear\r\ndownloader executes the desired function in new virtual memory, and not in the local address that stores all the\r\nencrypted function blocks.\r\nFigure 8. Before executing the desired function, the process inputs its offset and length into\r\nRunEncryptCode.\r\nFigure 9. 
The flow chart of RunEncryptCode to execute desired functions\r\nData offset Data size Data content\r\n0x00 0x04 Signature (00 00 01 00)\r\n0x04 0x10 Key (Only for C\u0026C decryption)\r\n0x14 0x04 Retry connection\r\n0x18 0x20 Signature sent to the C\u0026C server, requesting the next-stage RAT\r\n0x3A 0x01 Execution time lower bound in the morning (for example, 9 a.m.)\r\n0x3B 0x01 Execution time upper bound in the morning (for example, 11 a.m.)\r\n0x3C 0x01 Execution time lower bound in the afternoon (for example, 3 p.m.)\r\n0x3D 0x01 Execution time upper bound in the afternoon (for example, 5 p.m.)\r\n0x3E 0x20 Key for encrypted data and encrypted function\r\n0x5F 0x01 (Size of encrypted C\u0026C server) - 3\r\n0x60 Not fixed Encrypted C\u0026C server\r\n+0: Flag for IP/Domain\r\n+1: Port number\r\n+3: C\u0026C server\r\n0x1EA 0x198 List of function addresses (for example, 0x8 * 51 functions)\r\n0x382 0x66 List of function lengths (for example, 0x2 * 51 functions)\r\n0x3E8 0x1A0 List of API addresses\r\n0x588 0xB8 List of encrypted API hash\r\n0x640 0x4D List of encrypted library names\r\nTable 8. The configuration structure of the Deuterbear downloader\r\nFigure 10. A screenshot showing the configuration structure of the Deuterbear downloader\r\nFigure 11. 
Network traffic to download the Deuterbear RAT\r\nIndex Direction Encryption Key\r\n1  Victim -\u003e C\u0026C  N/A N/A\r\n2  C\u0026C -\u003e Victim  RSA CSP_KEY\r\n3  C\u0026C -\u003e Victim  Salted RC4 RC4_KEY_2 (from index 2)\r\n4  Victim -\u003e C\u0026C  Salted RC4 RC4_KEY_1 (from index 2)\r\n5 C\u0026C -\u003e Victim  Salted RC4 RC4_KEY_2\r\n6 C\u0026C -\u003e Victim  Salted RC4 RC4_KEY_2\r\nTable 9. Basic information on traffic to download Deuterbear RAT\r\nDeuterbear uses only 5 bytes in the header to describe the data information, with the general format being the\r\nfollowing:\r\nOffset Size Content\r\n0x00 0x01 Possibly the type of packet\r\n0x01 0x02 Command code (Like 40 1F in the packet of Waterbear downloader)\r\n0x03 0x02 Size of data\r\nTable 10. Header format of the Deuterbear packet\r\nSend RSA public key\r\nThe downloader uses Microsoft CryptoAPI to generate an RSA public/private key pair, sending the public key to the\r\nC\u0026C server for RSA encryption during the next communication.\r\nThe packet format is as follows:\r\nOffset Size Type Content\r\n0x00  0x05 Header 01 CD 03 ?? ?? (The last 2 bytes are the size of the data in little-endian)\r\n0x05 0x114 Data RSA public key BLOB for packet encryption in the next step.\r\nTable 11. Packet format for sending the RSA public key\r\nSend RC4 Key\r\nThe C\u0026C server prepares two keys for RC4 encryption, RC4_KEY_1 and RC4_KEY_2. The former is applied to\r\nencrypt the traffic from the victim to the C\u0026C server, and the latter is for the direction from the C\u0026C server to the\r\nvictim. The keys are then encrypted with the RSA public key generated on the victim side and sent to the victim in the\r\nfollowing packet format:\r\nOffset Size Type Content\r\n0x00  0x05 Header ?? CD 03 ?? ?? 
(The last 2 bytes are the size of the data in little-endian)\r\n0x05 0x20 Data\r\n0x05: RC4_KEY_1\r\n0x15: RC4_KEY_2\r\nTable 12. Packet format for sending RC4 keys\r\nRC4 verification\r\nThe victim side verifies whether the RC4 decryption is working by checking the decrypted data, which is the RSA\r\npublic key.\r\nOffset Size Type Content\r\n0x00  0x05 Header ?? ?? ?? ?? ?? (The last 2 bytes are the size of the data in little-endian)\r\n0x05 0x114 Data RSA public key BLOB generated by the victim.\r\nTable 13. Packet format for RC4 verification\r\nSend download request\r\nThe victim side encrypts the download signature, which is located at configuration [0x18:0x38], and sends it to the\r\nC\u0026C server to request the next-stage shellcode.\r\nOffset Size Type Content\r\n0x00  0x05 Header 00 CD 03 20 00 (The last 2 bytes are the size of the data in little-endian)\r\n0x05 0x20 Data The download signature\r\nTable 14. Packet format for sending the download command to the C\u0026C server\r\nGet RAT Size\r\nThe C\u0026C server sends the packet for the RAT size with the following format:\r\nOffset Size Type Content\r\n0x00  0x05 Header 02 D0 03 04 00\r\n0x05 0x04 Data The size of the RAT in little-endian\r\nTable 15. Packet format for retrieving the RAT size\r\nDownload RAT\r\nThe C\u0026C server sends the packet for the RAT with the following format:\r\nOffset Size Type Content\r\n0x00  0x05 Header 01 D0 03 ?? ?? (The last 2 bytes are the size of the data in little-endian)\r\n0x05 Not fixed Data RSA public key for packet encryption from C\u0026C to victim\r\nTable 16. Packet format for downloading the RAT\r\nThis step repeatedly receives packets from the C\u0026C server until the whole RAT is delivered. 
The received\r\nDeuterbear RAT is in a shellcode format, unlike the original Waterbear downloader that loads the PE file for the\r\nnext-stage RAT.\r\nComparison\r\nTable 17 shows the differences between the Deuterbear downloader and Waterbear downloader:\r\nProperties Deuterbear downloader Waterbear downloader\r\nExecutable time Limited Any time\r\nAnti-memory scanning Encrypt/Decrypt function in new virtual memory Encrypt/Decrypt function in local address\r\nEncrypted downloader path Registry File/Registry\r\nEncrypted downloader decryption CryptUnprotectData Salted RC4 or CryptUnprotectData\r\nC\u0026C string decryption XOR with 16-byte key XOR with 0xFF\r\nC\u0026C communication HTTPS HTTP\r\nSize of packet header 5 10\r\nMagic bytes in header CD 03 / D0 03 40 1F / 43 1F\r\nRC4 key in downloading traffic Generated by the C\u0026C server Generated by the victim\r\nFormat of downloaded RAT Shellcode PE file\r\nTable 17. Differences between the Deuterbear downloader and Waterbear downloader\r\nConclusion\r\nSince 2009, Earth Hundun has continuously evolved and refined the Waterbear backdoor, as well as its many\r\nvariants and branches. Despite available solutions, the enhancements in infection methods and anti-analysis\r\nmechanisms have led to the most advanced variant so far — Deuterbear. The Deuterbear downloader employs\r\nHTTPS encryption for network traffic protection and implements various updates in malware execution, such as\r\naltering the function decryption, checking for debuggers or sandboxes, and modifying traffic protocols.\r\nAccording to our telemetry, Earth Hundun has continued to infiltrate the Asia-Pacific region, and the ongoing\r\nevolution of Waterbear and Deuterbear presents formidable challenges to organizational defense efforts. 
As such,\r\nTrend Micro remains committed to further enhancing our monitoring and detection methods accordingly.\r\nMITRE ATT\u0026CK\r\nTactic Technique ID Description\r\nExecution\r\nShared Modules T1129\r\nDynamically loads the DLLs through the\r\nshellcode\r\nNative API T1106\r\nDynamically loads the APIs through the\r\nshellcode\r\nPersistence\r\nHijack Execution Flow: DLL\r\nSide-Loading\r\nT1574.002\r\nUses a modified legitimate executable to load\r\nthe malicious DLL\r\nBoot or Logon Autostart\r\nExecution: Print Processors\r\nT1547.012\r\nAbuses print processors to run malicious\r\nDLLs during system \r\nDefense\r\nEvasion\r\nObfuscated Files or\r\nInformation: Binary Padding\r\nT1027.001\r\nPads the encrypted downloader with large\r\namounts of 0x00\r\nMasquerading: Match\r\nLegitimate Name or Location\r\nT1036.005\r\nMakes the patched executable appear\r\nlegitimate or benign to users and/or security\r\ntools\r\nDeobfuscate/Decode Files or\r\nInformation\r\nT1140\r\nUses RC4 or CryptUnprotectData to\r\ndecrypt the encrypted downloader\r\nExecution Guardrails T1480\r\nTargets a specific path/registry in the victim’s\r\nenvironment\r\nVirtualization/Sandbox\r\nEvasion: Time Based Evasion\r\nT1497.003\r\nDownloaders check for a sandbox by verifying\r\nthat the Sleep API operates normally.\r\nDebugger Evasion T1622\r\nDownloaders check for debugger mode by\r\nprocess time.\r\nDiscovery\r\nFile and Directory Discovery T1083\r\nRAT searches for files and directories, including in\r\nspecific locations.\r\nSystem Network\r\nConfiguration Discovery:\r\nInternet Connection Discovery\r\nT1016.001\r\nDownloaders check for internet\r\nconnectivity on compromised systems.\r\nSystem Network Connections\r\nDiscovery\r\nT1049\r\nWaterbear RAT lists network connections to\r\nor from the compromised system they are\r\ncurrently accessing or from remote systems\r\nby querying for information over 
the\r\nnetwork.\r\nProcess Discovery T1057 Waterbear RAT searches for specific processes.\r\nSystem Information Discovery T1082\r\nWaterbear RAT gets detailed information\r\nabout the operating system and hardware,\r\nincluding version, username, and\r\narchitecture.\r\nQuery Registry T1012\r\nQueries data from the registry to decrypt the\r\ndownloader\r\nCollection Data from Local System T1005 Collects basic information of the victim\r\nExfiltration\r\nExfiltration Over Command-and-Control Channel\r\nT1041 Sends collected data to C\u0026C\r\nCommand\r\nand Control\r\nApplication Layer\r\nProtocol: Web Protocols\r\nT1071.001\r\nDownloaders communicate with C\u0026C by\r\nHTTP/HTTPS\r\nEncrypted Channel T1573\r\nEmploys RC4/RSA to conceal command\r\nand control traffic\r\nData Encoding: Non-Standard\r\nEncoding\r\nT1132.002\r\nEncodes traffic with a non-standard RC4 to\r\nmake the content of traffic more difficult to\r\ndetect\r\nIndicators of Compromise\r\nThe indicators of compromise for this entry can be found here.\r\nWe’d like to thank Trend's Dove Chiu and Shih-hao Weng for additional intelligence.\r\nSource: https://www.trendmicro.com/en_us/research/24/d/earth-hundun-waterbear-deuterbear.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/d/earth-hundun-waterbear-deuterbear.html"
	],
	"report_names": [
		"earth-hundun-waterbear-deuterbear.html"
	],
	"threat_actors": [
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434172,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/78b17745ea42239d31be0258204d0e4b434d5df0.pdf",
		"text": "https://archive.orkl.eu/78b17745ea42239d31be0258204d0e4b434d5df0.txt",
		"img": "https://archive.orkl.eu/78b17745ea42239d31be0258204d0e4b434d5df0.jpg"
	}
}