{
	"id": "26ae5a24-9eea-4023-a35b-b82ce24adee6",
	"created_at": "2026-04-06T00:15:36.162725Z",
	"updated_at": "2026-04-10T03:33:06.988037Z",
	"deleted_at": null,
	"sha1_hash": "7e23d7bd9766f4fcb482fdeb5e35d30cbe739cd7",
	"title": "New APT34 Malware Targets The Middle East",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4649988,
	"plain_text": "New APT34 Malware Targets The Middle East\r\nBy: Sherif Magdy Feb 02, 2023 Read time: 8 min (2155 words)\r\nPublished: 2023-02-02 · Archived: 2026-04-05 12:59:02 UTC\r\nAPT \u0026 Targeted Attacks\r\nWe analyze an infection campaign targeting organizations in the Middle East for cyberespionage in December 2022 using a new backdoor malware. The campaign abuses legitimate but compromised email accounts to send stolen data to external mail accounts controlled by the attackers.\r\nIn December 2022, we identified a suspicious executable (detected by Trend Micro as Trojan.MSIL.REDCAP.AD) that was dropped and executed on multiple machines. Our investigation led us to link this attack to advanced persistent threat (APT) group APT34, and the main goal is to steal users’ credentials. Even in case of a password reset or change, the malware is capable of sending the new credentials to the threat actors. Moreover, after analyzing the backdoor variant deployed, we found the malware capable of new exfiltration techniques — the abuse of compromised mailbox accounts to send stolen data from the internal mailboxes to external mail accounts controlled by the attackers. While not new as a technique, this is the first instance that APT34 used this for their campaign deployment. Following this analysis, it is highly likely that this campaign’s routine is only a small part of a bigger chain of deployments. Users and organizations are strongly advised to reinforce their current security measures and to be vigilant of the possible vectors abused for compromise.\r\nRoutine\r\nIn this section, we describe the attack infection flow and its respective stages, as well as share details on how the group uses emails to steal and exfiltrate critical information.\r\nFirst Stage: Initial Droppers\r\nhttps://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html\r\nPage 1 of 12\r\nFigure 1. Initial stage .Net droppers\r\nWe found the initial stage .Net dropper malware called MrPerfectInstaller (detected by Trend Micro as Trojan.MSIL.REDCAP.AD) responsible for dropping four different files, with each component stored in a Base64 buffer inside the main dropper. It drops the following:\r\n1. %System%\\psgfilter.dll: The password filter dynamic link library (DLL) used to provide a way to implement the password policy and change notification\r\n2. %ProgramData%\\WindowsSoftwareDevices\\DevicesSrv.exe: The main .Net binary responsible for exfiltrating and leaking specific files dropped into the root path of this backdoor execution. This backdoor requires the .Net library implementing Microsoft Exchange Web Services to authenticate with the victim mail server and exfiltrate through it.\r\n3. %ProgramData%\\WindowsSoftwareDevices\\Microsoft.Exchange.WebServices.dll: The library to support the second component’s capability.\r\n4. %ProgramData%\\WindowsSoftwareDevices\\DevicesSrv.exe.config: An app configuration file for runtimes of the .Net execution environment. This allows the option of falling back to .Net 2.0.\r\nFigure 2. The four Base64 encoded buffers inside the main .Net dropper\r\nFigure 3. The four modules dropped by the main binary\r\nThe dropper also adds the following registry key to register the password filter dropped earlier:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\r\nNotification Packages = scecli, psgfilter\r\nFigure 4. Adds the registry key\r\nThe main .Net binary implements two arguments for its operation: the first argument for installing the second stage, and the second argument for uninstalling it and unregistering the password filter dropped.\r\nFigure 5. Implementing two arguments for operation\r\nFigure 6. Function in case -u passed to dropper\r\nFigure 7. Function in case -i passed to dropper, installing the second stage, then uninstalling it and unregistering the password filter\r\nSecond Stage: Abusing The Dropped Password Filter Policy\r\nMicrosoft introduced Password Filters for system administrators to enforce password policies and change notifications. These filters are used to validate new passwords, confirm that these are aligned with the password policy in place, and ensure that no password in use is compliant with the domain policy yet still weak.\r\nThese password filters can be abused by a threat actor as a method to intercept or retrieve credentials from domain users (domain controller) or local accounts (local computer). This is because, to perform validation, a password filter receives the user’s password in plaintext from the Local Security Authority (LSA). Therefore, installing and registering an arbitrary password filter could be used to harvest credentials every time a user changes their password. This technique requires elevated access (local administrator) and can be implemented with the following steps:\r\n1. The password filter psgfilter.dll is dropped into C:\\Windows\\System32\r\n2. The registry is modified to register the password filter DLL:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\r\nNotification Packages = scecli, psgfilter\r\nUsing this technique, the malicious actor can capture and harvest every password from the compromised machines even after a password change. The DLL has three export functions, which the LSA requires of a registered password filter DLL, as follows:\r\nInitializeChangeNotify: Indicates that a password filter DLL is initialized.\r\nPasswordChangeNotify: Indicates that a password has been changed.\r\nPasswordFilter: Validates a new password based on password policy.\r\nFigure 8. First and second stages\r\nFigure 9. Functions exported by DLL\r\nWhen implementing the password filter export functions, the malicious actor took great care working with the plaintext passwords. When sent over networks, the plaintext passwords were first encrypted before being exfiltrated.\r\nData Exfiltration Through Legitimate Mail Traffic\r\nThe main backdoor function (detected by Trend Micro as Backdoor.MSIL.REDCAP.A) receives the valid domain credentials as an argument and uses them to log on to the Exchange Server and use it for data exfiltration purposes. The main function of this stage is to take the stolen password from the argument and send it to the attackers as an attachment in an email. We also observed that the threat actors relay these emails via government Exchange Servers using valid accounts with stolen passwords.\r\nFigure 10. High level overview of malware’s data exfiltration routine\r\nFirst, the .Net backdoor parses a config file dropped in the main root path where it is executing from and checks for a file called ngb inside \u003c%ProgramData%\\WindowsSoftwareDevices\\DevicesTemp\\\u003e to extract three parameters:\r\nServer: The specific Exchange mail server for the targeted government entity where the data is leaked through.\r\nTarget: The email addresses at which the malicious actors receive the exfiltrated data.\r\nDomain: The internal active directory (AD) domain name related to the targeted government entity in the Middle East.\r\nThe malware also supports replacing old passwords with new ones, which are sent to it through the registered password filter DLL.\r\nFigure 11. Checking the config file path ngb\r\nThe malware proceeds to initialize an ExchangeService object in the first step and supplies the stolen credentials as WebCredentials to interface with the victim mail server in the second step. Using these Exchange Web Service (EWS) bindings, the malicious actor can send mails to external recipients on behalf of any stolen user by initializing a new instance of the WebCredentials class with the username and password of the account to authenticate.\r\nFigure 12. Initialize EWS binding to the victim mail server\r\nThe malware then iterates through the files found under the target path. For each file found, it adds its path to a list, which will be exfiltrated later in the last step.\r\nFigure 13. Iterating through the files found under the target path\r\nThe final stage is to iterate over the collected list of file paths. For each path, it prepares an EmailMessage object with the subject “Exchange Default Message”, and a mail body content of “Exchange Server is testing services.” The iteration attaches the whole file to this EmailMessage object and sends it using the previously initialized EWS binding (Steps 1 and 2 in Figure 10), which already authenticated the user account.\r\nFigure 14. Exfiltrating files using mail attachments\r\nFigure 15. Some hardcoded targets in the sample\r\nFigure 16. What the Sent folder looks like for a compromised user\r\nAPT34 Targeting and Arsenal Evolution\r\nAPT34 has been documented to target organizations worldwide, particularly companies from the financial, government, energy, chemical, and telecommunications industries in the Middle East since at least 2014. Documented as a group primarily involved in cyberespionage, APT34 has been previously recorded targeting government offices and shows no signs of stopping with their intrusions. Our continuous monitoring of the group proves it continues to create new and updated tools to minimize the detection of their arsenal: shifting to new data exfiltration techniques — from the heavy use of DNS-based command and control (C\u0026C) communication to combining it with legitimate simple mail transfer protocol (SMTP) mail traffic — to bypass any security policies enforced on the network perimeters.\r\nFrom three previously documented attacks, we observed that while the group uses simple malware families, these deployments show the group's flexibility to write new malware based on researched customer environments and levels of access. This level of skill can make attribution for security researchers and reverse engineers more difficult in terms of tracking and monitoring because patterns, behaviors, and tools can be completely different for every compromise.\r\nFor instance, in the two separate attacks using Karkoff (detected by Trend Micro as Backdoor.MSIL.OILYFACE.A) in 2020 and Saitama (detected by Trend Micro as Backdoor.MSIL.AMATIAS.THEAABB) in 2022, the group used macros inside Excel files as part of the first stage to send phishing emails since the group did not have access to the enterprise yet. In this newest compromise, however, the first stage was rewritten completely in .Net and executed by the actor directly.\r\nMoreover, the Karkoff malware has a full backdoor module that uses a government Exchange server as a communication channel, sending and receiving commands over the Exchange server, and used a hardcoded account to authenticate the said communication. The malware in the latest compromise seems to have been rewritten to use the same technique, but only to exfiltrate data over the mail channel. Aside from using hardcoded Exchange accounts, APT34 has added a new module that can monitor changes in passwords and use the new credentials to send mails, exfiltrating data via Microsoft Exchange servers.\r\nBased on a 2019 report on APT34, the top countries targeted by the group are:\r\nThe United Arab Emirates\r\nChina\r\nJordan\r\nSaudi Arabia\r\nWhile not at the top of the group’s list, other countries in the Middle East considered as targets are Qatar, Oman, Kuwait, Bahrain, Lebanon, and Egypt.\r\nAttribution Analysis\r\nThere are several data points and indicators that suggest APT34 carried out this attack, and that this group is still active in targeting countries in the Middle East with a special focus on compromising government entities.\r\n1. The first stage dropper\r\nThe first stage dropper of the Saitama backdoor and this new operation’s first stage .Net dropper have a few similarities. Whereas the dated Saitama operation’s first stage dropper was a VBA macro that dropped the actual .Net Saitama backdoor, the group’s latest deployment uses a .Net dropper that drops the actual malware. Both deployments’ final stages leverage the EWS Managed API (Microsoft.Exchange.WebServices.dll).\r\nFigure 17. Saitama backdoor’s first stage dropper (left), and the dropped files for the new APT34 .Net backdoor in the first stage (right)\r\n2. Leveraging Exchange servers for communications (uni- and bidirectional)\r\nBoth this campaign and the Karkoff campaign made use of targeted Exchange servers and relayed communications through them. In the previous campaign, this was reportedly done with the deployment of the Karkoff implant. The old Karkoff sample attributed to APT34 shares a common functionality for abusing the EWS API.\r\nFigure 18. The Karkoff implant leveraging EWS (top), and the newer APT34 backdoor’s use of EWS (bottom)\r\n3. The victim targeted\r\nAPT34 has been documented for targeting countries in the Middle East. In a previous campaign analyzed by Yoroi Labs, the Karkoff sample (SHA256: 1f47770cc42ac8805060004f203a5f537b7473a36ff41eabb746900b2fa24cc8) attributed to APT34 has the mail server domain hardcoded inside the sample. The same hardcoded mail server domain, alongside the target mail recipient the attackers receive information at, is found in the latest backdoor, including the targeted Exchange Server for a government ministry. Both samples included some hardcoded credentials as well. However, the newer backdoor includes support for stealing the new passwords of previously compromised users who changed their passwords, ensuring their legitimate accounts stay compromised.\r\nFigure 19. Karkoff implant targeting an army mail server in 2020 (top), and the newer APT backdoor targeting another mail server in 2023 (bottom)\r\nConclusions\r\nAt first glance, security teams can mistakenly tag the sample as safe or as benign activity given the validity of the domains and mail credentials. It will take more experienced analysts to see that the domains abused are part of a bigger active directory domain “forest”, whose domains share trust relationships with each other to allow different government ministries or agencies to communicate. That we found a compromised account from one entity inside a sample sourced from a different agency indicates APT34 now has a deep foothold in the government domain forest.\r\nFollowing the stages executed, APT34’s repeated use of the Saitama backdoor technique in the first stage indicates a confidence that even the dated malware’s technique will continue to work and initiate compromise.\r\nThe next stages for exfiltrating data, however, are considerably new and are considered exploratory for the group. Despite the routine's simplicity, the novelty of the second and last stages also indicates that this entire routine can be just a small part of a bigger campaign targeting governments. We continue tracking and monitoring the abuse of this threat to determine the depth and breadth of this compromise.\r\nIndicators of Compromise (IOCs)\r\nSHA256 | File name | Detection\r\n5ed7ebc339af6ca6a5d1b9b45db6b3ae00232d9ccd80d5fcadf7680320bd4e6b | DevicesSrv.exe | Backdoor.MSIL.REDCAP.A\r\n827366355c6429a7fe12d111e240c5bcec3ed61e717fb84ea8b771672dd1f88e | psgfilter.dll | Trojan.Win64.REDCAP.AF\r\nEmails abused\r\nAdditional insights provided by AbdelRahman Yasser.\r\nSource: https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html"
	],
	"report_names": [
		"new-apt34-malware-targets-the-middle-east.html"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434536,
	"ts_updated_at": 1775791986,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e23d7bd9766f4fcb482fdeb5e35d30cbe739cd7.pdf",
		"text": "https://archive.orkl.eu/7e23d7bd9766f4fcb482fdeb5e35d30cbe739cd7.txt",
		"img": "https://archive.orkl.eu/7e23d7bd9766f4fcb482fdeb5e35d30cbe739cd7.jpg"
	}
}