{
	"id": "2bcfb6eb-ed28-4547-97c5-2aca9c98de8d",
	"created_at": "2026-04-06T00:19:13.815391Z",
	"updated_at": "2026-04-10T03:35:10.548735Z",
	"deleted_at": null,
	"sha1_hash": "7e00cb1a225cea21b868f0906e9fccfdd3671e35",
	"title": "WildPressure targets industrial-related entities in the Middle East - RedPacket Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 588448,
	"plain_text": "WildPressure targets industrial-related entities in the Middle East -\r\nRedPacket Security\r\nBy March 30, 2026\r\nPublished: 2020-03-25 · Archived: 2026-04-05 13:41:06 UTC\r\nIn August 2019, Kaspersky discovered a malicious campaign distributing a fully fledged C++ Trojan that we call\r\nMilum. All the victims we registered were organizations from the Middle East. At least some of them are related\r\nto industrial sector. Our Kaspersky Threat Attribution Engine (KTAE) doesn’t show any code similarities with\r\nknown campaigns. Nor have we seen any target intersections. In fact, we found just three almost unique samples,\r\nall in one country. So we consider the attacks to be targeted and have currently named this operation WildPressure.\r\nThe compilation timestamps for all these files is the same – March 2019. This is consistent with the fact that we\r\nregistered no infections before May 31, 2019, so the compilation dates don’t seem to be spoofed. For their\r\ncampaign infrastructure, the operators used rented OVH and Netzbetrieb virtual private servers (VPS) and a\r\ndomain registered with the Domains by Proxy anonymization service.\r\nThe malware uses the JSON format for configuration data and as a C2 communication protocol over HTTP as\r\nwell. Inside the encrypted communications within the HTTP POST requests, we found several interesting fields.\r\nOne of them shows the malware version – 1.0.1. A version number like this indicates an early stage of\r\ndevelopment. Other fields suggest the existence of, at the very least, plans for non-C++ versions.\r\nThe only encryption implemented is the RC4 algorithm with different 64-byte keys for different victims. Also, the\r\ndevelopers were kind enough to leave RTTI data inside the files. Kaspersky products detect this malware as\r\nBackdoor.Win32.Agent. 
For more information, please contact: intelreports@kaspersky.com\r\nhttps://www.redpacketsecurity.com/wildpressure-targets-industrial-related-entities-in-the-middle-east/\r\nPage 1 of 9\n\nWhy we call it Milum and why it’s of interest\r\nAll the aforementioned C++ Trojans are compiled as standalone PE files, originally named Milum46_Win32.exe.\r\nThe word ‘milum’ is used in the C++ class names inside the malware, so we named the Trojan after it.\r\nAnother distinctive characteristic is that the malware exports lots of zlib compression functions, such as\r\nzlibVersion(), inflate() or deflate(). This compression is needed for C2 communication, but in reality there is no\r\nneed to export them in the case of a standalone application.\r\nThe JSON configuration fields are not limited to just the version and programming language; the campaign\r\noperators also use target IDs that are found in the samples. Among them, we found HatLandM30 and HatLandid3\r\n– neither of which we are familiar with. The following table provides Milum samples that have similar PE header\r\ncompilation timestamps but different target IDs:\r\nMilum46_Win32.exe sample MD5 hash Timestamp (GMT) clientid\r\n0C5B15D89FDA9BAF446B286C6F97F535 2019.03.09 06:17:19 839ttttttt\r\n17B1A05FC367E52AADA7BDE07714666B 2019.03.09 06:17:19 HatLandid3\r\nA76991F15D6B4F43FBA419ECA1A8E741 2019.03.09 06:17:19 HatLandM30\r\nRather than describing all the configuration fields one by one, we have gathered them together in the following\r\ntable, with all the main characteristics for this malware family:\r\nProgramming\r\nlanguage\r\nC++ with STL functions used mostly to parse JSON data and exception handling.\r\nhttps://www.redpacketsecurity.com/wildpressure-targets-industrial-related-entities-in-the-middle-east/\r\nPage 2 of 9\n\nConfiguration\r\ndata\r\nBase64-encoded JSON data in PE resources. 
Includes timeouts, C2 URLs and keys for\r\ncommunication, including RC4 64-byte key.\r\nNetwork\r\nprotocol\r\nTrojan transmits compressed JSON data in HTTP POST requests with gzip, base64-\r\nencoded and RC4 encrypted.\r\nBeacon data\r\nEncrypted JSON contains the malware version “1.0.1”, Epoch timestamp and client id. It\r\nalso has specific fields such as “vt” and “ext” that correspond to programming language\r\n“c++” and file extension “exe”. If our hypothesis is correct, this suggests that non-C++\r\nTrojan versions may be planned, if not already implemented.\r\nPersistence HKCU autorun system registry keys Run and RunOnce.\r\nEncryption\r\nThe communication encryption used is RC4 with the 64-byte key stored in the\r\nconfiguration data.\r\nCompression\r\nFor compression the Trojan uses an embedded gzip code. For some reason gzip functions\r\nare exported from PE, although the samples are standalone executables, not DLLs.\r\nLet’s dig a little deeper inside\r\nThe most popular sample in our telemetry was:\r\nSHA256 a1ad9301542cc23a04a57e6567da30a6e14eb24bf06ce9dd945bbadf17e4cf56\r\nMD5    0c5b15d89fda9baf446b286c6f97f535\r\nCompiled     2019.03.09 06:17:19 (GMT)\r\nSize   520704\r\nInternal name       Milum46_Win32.exe\r\nThis application exists as an invisible toolbar window. The main malicious functions are implemented in a\r\nseparate thread. Milum decodes its configuration data and, besides timeouts, it gets the parameters “clientid” and\r\n“encrypt_key” to use in RC4 encryption.\r\nhttps://www.redpacketsecurity.com/wildpressure-targets-industrial-related-entities-in-the-middle-east/\r\nPage 3 of 9\n\nExample of the decoded and beautified configuration data. 
The “clientid” field differs in every sample observed\r\nThe following table describes the different configuration parameters:\r\nConfig parameter Parameter features\r\nshortwait Pause in milliseconds between C2 communication working cycles\r\nclientid Unique ASCII target name\r\nencrypt_key RC4 encryption key for JSON-based C2 communications\r\nrelays – url Full URL to send HTTP POST beacon and GET commands\r\nrelays – key Unique ASCII key for each C2 to communicate with it\r\nhttps://www.redpacketsecurity.com/wildpressure-targets-industrial-related-entities-in-the-middle-east/\r\nPage 4 of 9\n\nThe operators can run the Trojan using the key (“b” or “B”) as the first argument and the file name as the second.\r\nIn this case, Milum will delete the file sent as a parameter. Then the Trojan will create the\r\nC:ProgramDataMicappWindows directory and parse its configuration data to form the beacon to send to its C2.\r\nTo send the beacon, Milum uses the HTTP POST request with three parameters as enumerated in the table below.\r\nBeacon parameter Parameter values\r\nmd Clientid from config, with prefix 01011 and random five-character ASCII suffix\r\nnk Key from config to communicate with C2, differs for each server\r\nval Compressed, encrypted and encoded command JSON data\r\nThe first two parameters are taken from the configuration data. The third one is encrypted and after decryption,\r\ndecompression, decoding and beautifying, it looks like this:\r\nDecoded and beautified JSON beacon to C2. In this case, the connection to the first server was unsuccessful\r\nhttps://www.redpacketsecurity.com/wildpressure-targets-industrial-related-entities-in-the-middle-east/\r\nPage 5 of 9\n\nThere are several fields worth mentioning here. We referred above to different programming languages besides\r\nC++: “vt” seems to reference a programming language and “ext” a file extension. 
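\r\nAs an added example (not code from the original report and not the Milum authors’ code), the following Python reproduces the beacon layering described above so that a captured POST body can be decoded with the victim’s configured encrypt_key, and so that the fixed 01011 prefix of the md parameter can be used as a cheap first filter over proxy logs. The layer order (JSON, then gzip, then RC4, then base64) is taken from the page’s “compressed, encrypted and encoded” wording and is an assumption about the exact nesting; the key, clientid, relay key and beacon body are constructed sample values, and the suffix alphabet for md is an assumption, since the report only says it is five random ASCII characters.\r\n

```python
# Added example (not WildPressure or Milum code): encoder/decoder for the
# Milum-style beacon layers. Layer order (gzip -> RC4 -> base64) and all
# sample values below are assumptions for illustration, not real key material.
import base64
import gzip
import json
import os
import string
from urllib.parse import parse_qs, urlencode

MD_PREFIX = '01011'  # fixed prefix of the beacon 'md' parameter documented for Milum


def rc4(key: bytes, data: bytes) -> bytes:
    # Plain RC4 (KSA + PRGA); encryption and decryption are the same operation.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wrap_val(beacon: dict, key: bytes) -> str:
    # JSON -> gzip -> RC4 -> base64, i.e. 'compressed, encrypted and encoded'.
    raw = json.dumps(beacon, separators=(',', ':')).encode()
    return base64.b64encode(rc4(key, gzip.compress(raw))).decode('ascii')


def unwrap_val(val: str, key: bytes) -> dict:
    # Reverse of wrap_val: base64 decode, RC4 decrypt, gunzip, parse JSON.
    return json.loads(gzip.decompress(rc4(key, base64.b64decode(val))))


def make_md(clientid: str, suffix: str = None) -> str:
    # 'md' = fixed prefix + clientid + five random ASCII characters.
    # The alphabet used for the suffix is an assumption.
    if suffix is None:
        alphabet = string.ascii_letters + string.digits
        suffix = ''.join(alphabet[b % len(alphabet)] for b in os.urandom(5))
    return MD_PREFIX + clientid + suffix


def build_post_body(clientid: str, relay_key: str, beacon: dict, rc4_key: bytes) -> str:
    # Form-encoded body with the three documented parameters: md, nk, val.
    return urlencode({'md': make_md(clientid), 'nk': relay_key, 'val': wrap_val(beacon, rc4_key)})


def decode_post_body(body: str, rc4_key: bytes) -> dict:
    # What a defender holding the victim's config key can do with a captured POST.
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    md = fields['md']
    if not md.startswith(MD_PREFIX) or len(md) <= len(MD_PREFIX) + 5:
        raise ValueError('md field does not match the Milum layout')
    return {
        'clientid': md[len(MD_PREFIX):-5],   # strip prefix and 5-char suffix
        'nk': fields['nk'],
        'beacon': unwrap_val(fields['val'], rc4_key),
    }


# Constructed sample values (not real Milum key material or victim data).
SAMPLE_KEY = bytes(range(64))   # a 64-byte RC4 key, like the config's encrypt_key
SAMPLE_BEACON = {'version': '1.0.1', 'vt': 'c++', 'ext': 'exe',
                 'clientid': 'HatLandid3', 'command': ''}


def roundtrip() -> dict:
    # Build a beacon as the implant would, then decode it as an analyst would.
    body = build_post_body('HatLandid3', 'relay-key-1', SAMPLE_BEACON, SAMPLE_KEY)
    return decode_post_body(body, SAMPLE_KEY)
```

\r\nRun decode_post_body over a captured body with the key pulled from the sample’s configuration resource; the md prefix check alone needs no key and is the cheap part to run first over web proxy logs, because the 01011 prefix is fixed while the five-character suffix is not.\r\n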
The only reason that we could think of for keeping these fields is if the attackers have several Trojans, written in different languages, to work with the same control server.\r\nRegarding the “command” field, the control servers were inaccessible at the time of the analysis, so we don’t have commands from them. However, we analyzed the command handlers in Milum’s code as described below:\r\n\r\nCode    Meaning               Features\r\n1       Execution             Silently execute the received interpreter command and return the result through a pipe\r\n2       Server to client      Decode the received content in the “data” JSON field and drop it to the file mentioned in the “path” field\r\n3       Client to server      Encode the file mentioned in the received command’s “path” field to send it\r\n4       File info             Get file attributes: hidden, read only, archive, system or executable\r\n5       Cleanup               Generate and run a batch script to delete itself\r\n6       Command result        Get command execution status\r\n7       System information    Validate the target with Windows version, architecture (32- or 64-bit), host and user name, installed security products (with the WQL request “Select * From AntiVirusProduct WHERE displayName <> ’Windows Defender’”)\r\n8       Directory list        Get info about files in a directory: hidden, read only, archive, system or executable\r\n9       Update                Get the new version and remove the old one\r\n\r\nWho was attacked?\r\nAccording to our telemetry, the Milum Trojan was exclusively used to attack targets in the Middle East from at least the end of May 2019.\r\nFigure: Number of detections for one of the samples from September 2019.\r\nWe were able to sinkhole one of the WildPressure C2 domains (upiserversys1212[.]com) in September 2019. The vast majority of visitor IPs were also from the Middle East, and we believe the rest were network scanners, TOR exit nodes or VPN connections.\r\nFigure: C2 domain sinkholing also shows active infections mostly from the Middle East.\r\n
And who’s behind it?\r\nTo date we haven’t observed any strong code- or victim-based similarities with any known actor or set of activity. Their C++ code is quite common; regarding configuration data and the communication protocol, the malware uses base64-encoded, JSON-formatted configuration data stored in the binary’s resource section and parses it with Standard Template Library (STL) functions. However, these commonalities are not conclusive enough for attribution, and our hypothesis is that they are merely coincidence. We will continue to monitor this activity.\r\nTo sum up\r\nTo date, we don’t have any data regarding Milum’s spreading mechanism. A campaign that is, apparently, exclusively targeting entities in the Middle East (at least some of them industrial-related) is something that automatically attracts the attention of any analyst. Any similarities should be considered weak in terms of attribution, and may simply be techniques copied from previous well-known cases. Indeed, this “learning from more experienced attackers” cycle has been adopted by some interesting new actors in recent years.\r\nWe should also be cautious regarding the true targeting of this new set of activities, as it is probably too soon to jump to conclusions. The targeted nature seems to be clear, but the targeting itself might be limited by our own visibility. The malware is not exclusively designed against any kind of victim in particular and might be reused in other operations.\r\nIndicators of compromise\r\nFiles (MD5)\r\n0C5B15D89FDA9BAF446B286C6F97F535\r\n17B1A05FC367E52AADA7BDE07714666B\r\nA76991F15D6B4F43FBA419ECA1A8E741\r\nThe original file name is Milum46_Win32.exe; on the target side the files exist as system32.exe.\r\nURLs\r\nupiserversys1212[.]com/rl.php\r\n37.59.87[.]172/page/view.php\r\n80.255.3[.]86/page/view.php\r\nSource: https://www.redpacketsecurity.com/wildpressure-targets-industrial-related-entities-in-the-middle-east/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.redpacketsecurity.com/wildpressure-targets-industrial-related-entities-in-the-middle-east/"
	],
	"report_names": [
		"wildpressure-targets-industrial-related-entities-in-the-middle-east"
	],
	"threat_actors": [
		{
			"id": "c3ef437d-e8fa-4250-9a99-89a403035ad2",
			"created_at": "2022-10-25T16:07:24.406019Z",
			"updated_at": "2026-04-10T02:00:04.977275Z",
			"deleted_at": null,
			"main_name": "WildPressure",
			"aliases": [
				"WilePressure"
			],
			"source_name": "ETDA:WildPressure",
			"tools": [
				"Milum"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3c652e4b-2f17-4e18-bd05-af12c27e76fb",
			"created_at": "2023-11-30T02:00:07.302263Z",
			"updated_at": "2026-04-10T02:00:03.485667Z",
			"deleted_at": null,
			"main_name": "WildPressure",
			"aliases": [],
			"source_name": "MISPGALAXY:WildPressure",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434753,
	"ts_updated_at": 1775792110,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e00cb1a225cea21b868f0906e9fccfdd3671e35.pdf",
		"text": "https://archive.orkl.eu/7e00cb1a225cea21b868f0906e9fccfdd3671e35.txt",
		"img": "https://archive.orkl.eu/7e00cb1a225cea21b868f0906e9fccfdd3671e35.jpg"
	}
}