{
	"id": "f9637128-e8de-4c30-9f1a-c677b184519c",
	"created_at": "2026-04-06T00:18:41.211366Z",
	"updated_at": "2026-04-10T13:12:17.846159Z",
	"deleted_at": null,
	"sha1_hash": "7a46988edb1f450e2eb116b1479008ef4ad8bc01",
	"title": "APT10: Tracking down LODEINFO 2022, part II",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1764197,
	"plain_text": "APT10: Tracking down LODEINFO 2022, part II\r\nBy Suguru Ishimaru\r\nPublished: 2022-10-31 · Archived: 2026-04-05 17:53:29 UTC\r\nIn the previous publication ‘Tracking down LODEINFO 2022, part I’, we mentioned that the initial infection methods vary between attack scenarios and that the LODEINFO shellcode was regularly updated for use with each infection vector. In this article, we discuss the improvements made to the LODEINFO backdoor shellcode in 2022.\r\nKaspersky investigated new versions of the LODEINFO shellcode, namely v0.5.9, v0.6.2, v0.6.3 and v0.6.5, in March, April and June 2022. The following chart shows the evolution timeline of this malware since its discovery.\r\nTimeline of LODEINFO releases\r\nLODEINFO v0.5.6: multiple encryption for C2 communication with ancient crypto algorithm\r\nThis LODEINFO v0.5.6 shellcode, extracted from a loader module, demonstrates several enhanced evasion techniques aimed at certain security products, as well as three new backdoor commands implemented by the developer.\r\nAfter infecting the target machine, the LODEINFO backdoor beacons out machine information to the C2, such as the current time, ANSI code page (ACP) identifier, MAC address and hostname. The beacon also contains a hardcoded key string (NV4HDOeOVyL) used later by the age-old Vigenere cipher. Furthermore, randomly generated junk data is appended to the end of the data, possibly to evade beaconing detection based on packet size.\r\nhttps://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/\r\nPage 1 of 10\r\nVigenere cipher key and randomly generated junk data added in LODEINFO v0.5.6\r\nIn December 2021, we discovered LODEINFO v0.5.8, with a slight modification that added the LODEINFO implant version number right after the Vigenere cipher key.\r\nThe encryption function used to send data was also modified, making it even more complicated.
As observed in previous variants, it takes the first 48 bytes of the SHA512 hash of the data to be sent, XORs those 48 bytes with a four-byte key equal to the elapsed running time, and prepends the result to the data. The first 16 bytes of the message header come from another SHA512 hash, this time of the hardcoded key string (NV4HDOeOVyL) mentioned above. It then Vigenere-encrypts the last 11 bytes of the base64-encoded payload (url-safe, with the “=” padding replaced by “.”) to dynamically generate the second Vigenere cipher key, which is also placed at the start of the final packet. The second key is used by the Vigenere cipher to encrypt the base64-encoded header (url-safe, with the “=” padding replaced by “.”).\r\nCrypto algorithms and data flow in C2 communications\r\nFinally, the data sent to the C2 is assembled from the second key, the encrypted header and the payload through the steps described above. The final data packet structure is as follows (offsets inside the header and payload are relative to the start of that field):\r\nOffset | Description | Crypto algorithm\r\n0x00 | Last 11 bytes of the base64 payload, Vigenere-encrypted with the hardcoded key (this is the second Vigenere key) | Vigenere cipher\r\n0x0C | Delimiter | N/A\r\n0x0D | Message header (fields below) | base64 (url-safe, “=” padding replaced by “.”), then Vigenere cipher with the second key\r\n0x29 | Message payload (fields below) | base64 (url-safe, “=” padding replaced by “.”)\r\nMessage header:\r\n0x00 | First 16 bytes of the SHA512 hash of the hardcoded key string (NV4HDOeOVyL)\r\n0x10 | Size of the base64-encoded payload\r\n0x15 | One byte of unknown data\r\nMessage payload:\r\n0x00 | First 48 bytes of the SHA512 hash of the AES-encrypted data at offset 0x36, XORed with a four-byte key equal to the elapsed running time\r\n0x30 | Size of the encrypted data, XORed with the one-byte key at offset 0x35\r\n0x35 | One-byte XOR key for the size field at offset 0x30\r\n0x36 | Data encrypted with AES in CBC mode using the hardcoded AES key “88 8C A3 F2 87 36 CC 12 A5 90 18 56 13 B7 C0 A7 E1 07 D4 5C 7D 47 37 AD AB A3 8C C2 12 E3 03 AC” and IV “83 01 36 C9 3A 2D 13 29 23 56 78 A1 F1 0C D1 75”. The plaintext contains the elapsed running time, current time, ANSI code page, MAC address, hostname, etc.\r\nBecause the plaintext carries the current time, the size field is XORed with a fresh one-byte key and the second Vigenere key is derived from the payload tail, the bytes on the wire change from beacon to beacon. The stable artefacts are the key string, the AES key and IV (which also let anyone holding them decrypt captured traffic) and the C2 addresses, so those are the better anchors for detection and for decoding captures.\r\nLODEINFO v0.5.6: 2-byte XOR obfuscation for backdoor command identifiers\r\nThis update also revised the backdoor command identifiers, which were defined as four-byte hardcoded values in previous LODEINFO shellcodes. In LODEINFO v0.5.6 the command identifiers are obfuscated with a two-byte XOR operation: before a received command is compared against an identifier, the identifier is decoded by XORing it with a hardcoded two-byte key that differs for each command, as follows:\r\nTwo-byte XOR for four-byte stack strings of backdoor command identifiers\r\nWe also observed the actor implementing new backdoor commands, namely “comc”, “autorun” and “config”, in LODEINFO v0.5.6 and later versions. Twenty-one backdoor commands, including the three new ones, are embedded in the LODEINFO backdoor to control the victim host.\r\nLODEINFO v0.5.9: hashing algorithm to get API functions\r\nVersion 0.5.9 has a new hash calculation algorithm compared to v0.5.8. The malware uses this hashing algorithm to calculate hashes of API function names in order to resolve the function addresses. In this case it seems to be a custom algorithm developed by the actor.
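Before continuing with the hashing change, here is a Python model of the C2 packet framing tabulated in the v0.5.6 section above. It is an added example written for this page; it is not LODEINFO code and not Kaspersky tooling. It reproduces the layering so that it can be checked end to end: url-safe base64 with '.' padding, the Vigenere derivation of the second key from the payload tail, the SHA512-of-key header tag, and the XORed hash and size fields of the payload. Everything the report leaves unspecified is an assumption and is marked as such in the code: the Vigenere alphabet (taken to be the 64 url-safe base64 symbols plus '.'), the delimiter byte, the byte order of the elapsed-time and size fields, and the one unknown header byte, which is omitted. The AES-CBC layer is not reimplemented; the functions take the ciphertext as input and hand it back on the way out, which is where a real decoder would apply the hardcoded AES key and IV.

```python
import base64
import hashlib
import os
import struct

# Alphabet the Vigenere cipher works over. ASSUMPTION: the report does not name it;
# url-safe base64 plus the '.' that replaces '=' padding covers every symbol it must handle.
ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.'
KEY1 = 'NV4HDOeOVyL'   # hardcoded key string from the report (first Vigenere key, SHA512 input)
DELIM = b'|'           # ASSUMPTION: the report only says a delimiter byte follows the key


def b64(data):
    # url-safe base64 with the '=' padding replaced by '.', as the report describes
    return base64.urlsafe_b64encode(data).decode().replace('=', '.')


def unb64(text):
    return base64.urlsafe_b64decode(text.replace('.', '='))


def vigenere(text, key, decrypt=False):
    # Classic Vigenere: shift each symbol by the matching key symbol, modulo the alphabet size
    n = len(ALPHABET)
    out = []
    for i, ch in enumerate(text):
        shift = ALPHABET.index(key[i % len(key)])
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % n])
    return ''.join(out)


def xor(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_payload(aes_ciphertext, elapsed):
    # 0x00: first 48 bytes of SHA512(ciphertext) XORed with the 4-byte elapsed-time key
    # (ASSUMPTION: little-endian encoding of the elapsed running time)
    digest = hashlib.sha512(aes_ciphertext).digest()[:48]
    time_key = struct.pack('<I', elapsed & 0xFFFFFFFF)
    # 0x30: 5-byte size of the ciphertext (ASSUMPTION: little-endian), XORed with the
    # 1-byte key stored at 0x35; 0x36: the AES-CBC ciphertext itself
    size_key = os.urandom(1)
    size = xor(len(aes_ciphertext).to_bytes(5, 'little'), size_key)
    return b64(xor(digest, time_key) + size + size_key + aes_ciphertext)


def build_header(payload_b64):
    # 0x00: first 16 bytes of SHA512(KEY1); 0x10: size of the base64 payload (5 bytes)
    tag = hashlib.sha512(KEY1.encode()).digest()[:16]
    return b64(tag + len(payload_b64).to_bytes(5, 'little'))


def build_packet(aes_ciphertext, elapsed):
    payload = build_payload(aes_ciphertext, elapsed)
    key2 = vigenere(payload[-11:], KEY1)            # second key from the payload tail
    header = vigenere(build_header(payload), key2)  # header is base64, then Vigenere with key2
    return key2.encode() + DELIM + header.encode() + payload.encode()


def parse_packet(packet, elapsed):
    # Undo the framing and verify every integrity field; returns the AES-CBC ciphertext,
    # which a real decoder would then decrypt with the hardcoded AES key and IV.
    key2 = packet[:11].decode()
    if packet[11:12] != DELIM:
        raise ValueError('missing delimiter')
    header = unb64(vigenere(packet[12:40].decode(), key2, decrypt=True))
    if header[:16] != hashlib.sha512(KEY1.encode()).digest()[:16]:
        raise ValueError('header tag does not match SHA512 of the key string')
    payload_b64 = packet[40:].decode()
    if int.from_bytes(header[16:21], 'little') != len(payload_b64):
        raise ValueError('payload size mismatch')
    if vigenere(payload_b64[-11:], KEY1) != key2:
        raise ValueError('second key was not derived from the payload tail')
    raw = unb64(payload_b64)
    size = int.from_bytes(xor(raw[0x30:0x35], raw[0x35:0x36]), 'little')
    ciphertext = raw[0x36:0x36 + size]
    time_key = struct.pack('<I', elapsed & 0xFFFFFFFF)
    if xor(raw[:48], time_key) != hashlib.sha512(ciphertext).digest()[:48]:
        raise ValueError('payload hash does not match')
    return ciphertext


if __name__ == '__main__':
    sample = bytes(range(48))   # constructed stand-in for AES-CBC ciphertext
    pkt = build_packet(sample, 1500)
    assert parse_packet(pkt, 1500) == sample
    print(pkt[:60])
```

Because the second key is derived from the payload and the header tag is a fixed hash, a decoder can confirm it is looking at a well-formed packet before spending any effort on AES; parse_packet raises on the first inconsistency rather than returning garbage, and a wrong elapsed-time key is caught by the 48-byte hash check.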
The hash calculation ends with an XOR against a hardcoded two-byte key, and that key differs from sample to sample, so the resulting API hash constants cannot be matched across samples with a single signature and an analyst has to recover the per-sample key before resolving the imports.\r\nChanged hash calculation algorithm and additional two-byte XOR key in v0.5.9\r\nThis modification suggests the attacker’s goal was to evade signature-based detections and make the reverse engineering process more difficult for security researchers.\r\nLODEINFO v0.6.2: evasion of en_US environment\r\nIn LODEINFO v0.6.2 and later versions, the shellcode has a new feature that looks for the “en_US” locale on the victim’s machine in a recursive function and halts execution if that locale is found.\r\nRecursive call if the “en-US” locale is found\r\nAccording to our own investigations, as well as open-source intelligence collected on this malware, the main targets of these attacks are Japanese entities. The aim of this feature, therefore, is to evade execution in sandboxes and on researcher machines, which most commonly run with an English-language locale. When detonating LODEINFO samples, the analysis environment should be configured with a non-English (for example Japanese) locale, otherwise the shellcode exits before showing any behaviour.\r\nLODEINFO v0.6.2: generating user agent for C2 communications\r\nThe function responsible for generating the user agent for C2 communication has also been updated from v0.6.2. The malware generates the user agent string from the following hardcoded format string, where the %s is substituted with the version number of the installed chrome.exe application:\r\n“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/%s Safari/537.36”.\r\nThe malware reads the version number of the installed chrome.exe from the EXE file found at one of the following paths:\r\nC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\r\nC:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\r\nC:\\Users\\Administrator\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe\r\nIf none of these files exists on the system, the malware falls back to the hardcoded version 98.0.4758.102 and creates the following user agent string:\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36\r\nFor defenders, the generated string is indistinguishable from a genuine Chrome user agent, and the fallback matches a real Chrome 98 release, so the user agent alone is a weak indicator: a Chrome/98.0.4758.102 user agent deserves attention when it comes from a host with no Chrome installation, or when the destination is one of the C2 addresses listed at the end of this report.\r\nLODEINFO v0.6.2: supporting the injection of the 64-bit shellcode in ‘memory’ command\r\nBased on our deep analysis of this version, we discovered a very interesting update in the shellcode loading scheme implemented from version v0.6.2, in the function that handles the ‘memory’ command.\r\nChecking the OS architecture and the next shellcode architecture\r\nDuring the memory injection process, performed by the function responsible for the memory command, the malware checks the first byte of the second-stage shellcode to determine the shellcode architecture using a magic hex value. If the first byte is 0xE9, the architecture is 32-bit, and if it is 0x8D, the architecture is 64-bit. After the check is completed, if the first byte was 0x8D, it is replaced with 0xE9 (the opcode of a near relative JMP) so that the shellcode executes properly.
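As an added example (not code from the report or from the malware), the stage classification step just described can be reproduced in Python for triage of a recovered second stage. The first-byte test and the 0x8D to 0xE9 fix-up follow the report; the entry-point calculation relies on 0xE9 being the opcode of a near relative JMP with a signed 32-bit displacement; the pairing of host architecture, API set and stage in select_loader is this example's own structure, and its rule that a 64-bit stage is rejected on a 32-bit host is an assumption about what the malware does, not something the report states. The two sample stages are constructed for the example.

```python
import struct

# Magic first bytes LODEINFO v0.6.2 uses to tell the next-stage architecture apart
ARCH_BY_FIRST_BYTE = {0xE9: 'x86', 0x8D: 'x64'}
JMP_REL32 = 0xE9   # opcode of a near relative JMP with a signed 32-bit displacement


def classify(shellcode):
    # Returns 'x86', 'x64' or None, exactly the first-byte test the report describes
    if not shellcode:
        return None
    return ARCH_BY_FIRST_BYTE.get(shellcode[0])


def prepare_for_execution(shellcode):
    # Apply the 0x8D -> 0xE9 fix-up the memory handler performs before running a 64-bit stage;
    # for a 32-bit stage the first byte is already 0xE9 and nothing changes
    arch = classify(shellcode)
    if arch is None:
        raise ValueError('empty stage or unrecognised first byte')
    return arch, bytes([JMP_REL32]) + bytes(shellcode[1:])


def entry_offset(fixed):
    # After the fix-up the stage starts with jmp rel32; the real entry point is the
    # 5-byte instruction length plus the signed displacement that follows the opcode
    if len(fixed) < 5 or fixed[0] != JMP_REL32:
        raise ValueError('not a jmp rel32 stub')
    (disp,) = struct.unpack('<i', fixed[1:5])
    return 5 + disp


def select_loader(os_arch, shellcode):
    # Pair the stage with the API set the report names for each architecture.
    # ASSUMPTION: a 64-bit stage on a 32-bit host is rejected; the report does not say
    # how the malware handles that pairing.
    arch, fixed = prepare_for_execution(shellcode)
    if arch == 'x64' and os_arch != 'x64':
        raise ValueError('64-bit stage on a 32-bit host')
    apis = {'x86': ('VirtualAllocEx', 'WriteProcessMemory', 'CreateRemoteThread'),
            'x64': ('NtAllocateVirtualMemory', 'NtWriteVirtualMemory', 'RtlCreateUserThread')}
    return arch, apis[arch], entry_offset(fixed), fixed


# Constructed samples: a jump to offset 0x20 in the 32-bit form and the same bytes
# with the 0x8D marker in the 64-bit form, each padded to 37 bytes
X86_STAGE = bytes([0xE9]) + struct.pack('<i', 0x1B) + bytes(0x20)
X64_STAGE = bytes([0x8D]) + struct.pack('<i', 0x1B) + bytes(0x20)

if __name__ == '__main__':
    for host in ('x86', 'x64'):
        for stage in (X86_STAGE, X64_STAGE):
            try:
                arch, apis, entry, _ = select_loader(host, stage)
                print(host, arch, apis, hex(entry))
            except ValueError as err:
                print(host, classify(stage), 'rejected:', err)
```

The entry offset is the value to hand to a disassembler or emulator once the first byte has been fixed up; running the raw 0x8D form would decode as a different instruction.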
In the function shown below, the malware checks the OS architecture of the infected machine and selects the appropriate loading scheme according to the OS architecture and the shellcode architecture.\r\nMemory injection of the 64-bit shellcode was supported in v0.6.2\r\nIn the shellcode injection process, it uses the basic Windows APIs VirtualAllocEx(), WriteProcessMemory() and CreateRemoteThread() for memory injection of the 32-bit shellcode, and NtAllocateVirtualMemory(), NtWriteVirtualMemory() and RtlCreateUserThread() for memory injection of the 64-bit shellcode. The 64-bit path calls the native ntdll functions directly rather than the documented kernel32 wrappers, so user-mode hooks on VirtualAllocEx, WriteProcessMemory or CreateRemoteThread will not see it; the remote thread is still visible to kernel thread-creation callbacks (for example Sysmon event ID 8).\r\nLODEINFO v0.6.3: reducing backdoor commands\r\nAs for the LODEINFO backdoor commands, the two-byte XOR obfuscation of the command identifiers introduced in v0.5.6, as well as the debug strings, remained unchanged in the following versions. In version 0.6.3, however, the actor removed some of the unnecessary backdoor commands to improve the efficiency of the backdoor: the number of backdoor commands was reduced from 21 in v0.6.2 to 11 in v0.6.3. The modifications to the C2 command list are shown in the table below.\r\nCommand | Description and updates | Implemented since version | Presence in v0.6.3 – v0.6.5\r\ncommand | Show embedded backdoor command list. | v0.1.2 | Available\r\nsend | Download a file from C2. | v0.1.2 | Available\r\nrecv | Upload a file to C2. | v0.1.2 | Available\r\nmemory | Inject shellcode in memory. Updated to support 64-bit shellcode in v0.6.2 and later versions. | v0.1.2 | Available\r\nkill | Kill a process using its process ID. | v0.1.2 | Available\r\ncd | Change directory. | v0.1.2 | Available\r\nver | Send malware and system information, including the current OS version, malware version, process ID, EXE file path, system username, current directory, C2 and mutex name. | v0.1.2 | Available\r\nprint | Take a screenshot. | v0.3.1 | Available\r\nransom | Encrypt files with a generated AES key, which is itself encrypted with RSA using the hardcoded RSA key. (Shows a “Not available.” message in v0.3.5.) | v0.3.8 | Available\r\ncomc | Execute a command using WMI. | v0.5.6 | Available\r\nconfig | Only shows a “Not available.” message from v0.5.6 until v0.6.5. | v0.5.6 | Available\r\nls | Get a file list. | v0.1.2 | Removed\r\nrm | Delete a file. | v0.3.1 | Removed\r\nmv | Move a file. | v0.4.8 | Removed\r\ncp | Copy a file. | v0.4.8 | Removed\r\ncat | Upload a file to C2. | v0.1.2 | Removed\r\nmkdir | Make a directory. | v0.4.8 | Removed\r\nkeylog | Check for a Japanese keyboard layout; save keystrokes, datetime and active window name with 1-byte XOR encryption to the file %temp%\\%hostname%.tmp. (Shows a “Not available.” message in v0.3.5.) | v0.4.1 | Removed\r\nps | Show process list. | v0.4.6 | Removed\r\npkill | Terminate a process. | v0.4.6 | Removed\r\nautorun | Set/delete persistence. | v0.5.6 | Removed\r\nConclusions\r\nLODEINFO malware is updated very frequently and continues to actively target Japanese organizations. At the time of writing this report, in September 2022, we detected v0.6.6 and v0.6.7 with new TTPs.\r\nOne of the core modifications of the LODEINFO shellcode was support for Intel 64-bit architecture, to expand the targeted victim environments.
The updated TTPs and improvements in LODEINFO and related malware, such as the implementation of the Vigenere cipher, the complex infection flow with fileless malware, partial XOR encryption, C2 communication packets with a unique data structure and variable length, and password-protected documents, indicate that the attacker is particularly focused on making detection, analysis and investigation harder for security researchers.\r\nFor this reason, it is becoming more and more difficult to keep track of this actor. That is why we believe it is important to emphasize collaboration within the security research community and to share our results and findings about LODEINFO and related malware attacks.\r\nIndicators of compromise\r\nMalicious document\r\nda20ff8988198063b56680833c298113\r\nLODEINFO zip implant\r\n89bd9cf51f8e01bc3b6ec025ed5775fc\r\nLODEINFO loader with an embedded BLOB\r\nLODEINFO loader without a BLOB\r\nBinary of LODEINFO with a one-byte XORed shellcode\r\nImplants that contain LODEINFO loader and a one-byte XORed shellcode\r\n15b80c5e86b8fd08440fe1a9ca9706c9\r\n6780d9241ad4d8de6e78d936fbf5a922\r\nSFX file\r\n76cdb7fe189845a0bc243969dba4e7a3\r\nedc27b958c36b3af5ebc3f775ce0bcc7\r\nHardcoded C2s\r\n103.175.16[.]39\r\n172.104.72[.]4\r\n172.104.112[.]218\r\n172.105.223[.]216\r\n202.182.108[.]127\r\n45.77.28[.]124\r\n5.8.95[.]174\r\nwww.dvdsesso[.]com\r\nSource: https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/"
	],
	"report_names": [
		"107745"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434721,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a46988edb1f450e2eb116b1479008ef4ad8bc01.pdf",
		"text": "https://archive.orkl.eu/7a46988edb1f450e2eb116b1479008ef4ad8bc01.txt",
		"img": "https://archive.orkl.eu/7a46988edb1f450e2eb116b1479008ef4ad8bc01.jpg"
	}
}