{
	"id": "c0de85ee-2292-4a1a-a9f4-d4bb83dc77af",
	"created_at": "2026-04-06T00:19:30.286797Z",
	"updated_at": "2026-04-10T13:12:27.826115Z",
	"deleted_at": null,
	"sha1_hash": "7f7e936e07ad6922b664e223558b9c17c5704ab4",
	"title": "APT17、マイクロソフトの「TechNet」をマルウェア拡散に悪用",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 110549,
	"plain_text": "APT17、マイクロソフトの「TechNet」をマルウェア拡散に悪用\r\nBy 谷川哲司\r\nPublished: 2015-05-17 · Archived: 2026-04-05 18:39:46 UTC\r\n【概要】\r\n■攻撃者\r\nAPT17, Hidden Lynx, Deputy Dog, Aurora Panda, Tailgater Team, Dogfish\r\n■発生事象\r\n2014年末に、Microsoft TechNetのフォーラムに、偽装されたマルウェア拡散用のC＆Cコードが埋め込まれ\r\nているのを発見\r\n【ニュース】\r\n◆中国ハッカー集団、マイクロソフトの「TechNet」をマルウェア拡散に悪用 (ZDNet, 2015/05/18 11:25)\r\nhttp://japan.zdnet.com/article/35064621/\r\n◆APT Group Embeds Command and Control Data on TechNet Pages (threat post, 2015/05/18 03:03)\r\nhttps://threatpost.com/apt-group-embeds-command-and-control-data-on-technet-pages/112881\r\n【関連情報】\r\n◆APT17: Hiding in Plain Sight - FireEye and Microsoft Expose Obfuscation Tactic (FireEye, 2015/05/18)\r\nhttps://www2.fireeye.com/WEB-2015RPTAPT17.html\r\n⇒ https://malware-log.hatenablog.com/entry/2015/05/18/000000_3\r\n【IOC情報】\r\n◆7b9e87c5-b619-4a13-b862-0145614d359a.ioc (FireEye)\r\nhttps://github.com/fireeye/iocs/blob/master/APT17/7b9e87c5-b619-4a13-b862-0145614d359a.ioc\r\n【関連まとめ記事】\r\n◆全体まとめ\r\n　◆攻撃組織 / Actor (まとめ)\r\n　　◆標的型攻撃組織 / APT (まとめ)\r\n◆APT17 / Hiden Lynx (まとめ)\r\nhttps://malware-log.hatenablog.com/entry/APT17\r\n【インディケータ情報】\r\n■ハッシュ情報(MD5)\r\nde56eb5046e518e266e67585afa34612\r\n195ade342a6a4ea0a58cfbfb43dc64cb\r\n4c21336dad66ebed2f7ee45d41e6cada\r\nhttp://malware-log.hatenablog.com/entry/2015/05/18/000000_1\r\nPage 1 of 3\n\n0370002227619c205402c48bde4332f6\r\nac169b7d4708c6fa7fee9be5f7576414\r\n5f2fcba8bd42712d9975da208a1cc0ca\r\n5d16e5ee1cc571125ab1c44ecd47a04a\r\nda88e711e4ffc7c617986fc585bce305\r\nc016af303b5729e57d0e6563b3c51be4\r\n0b757d3dc43dab594262579226842531\r\n■IPアドレス\r\n130.184.156.62\r\n69.80.72.165\r\n110.45.151.43\r\n121.101.73.231\r\n103.250.72.39\r\n148.251.71.75\r\n217.198.143.40\r\n178.62.20.110\r\n175.126.104.175\r\n103.250.72.254\r\n1.234.52.111\r\n出典: https://github.com/fireeye/iocs/blob/master/APT17/7b9e87c5-b619-4a13-b862-0145614d359a.ioc\r\n■7ad8944573fe10ad74b09c964d65c1dadad11b67b18dff8f5ea3bc6fe6c9afbf\r\nMD5 4c21336dad66ebed2f7ee45d41e6cada\r\nSHA1 52f1add5ad28dc30f68afda5d41b354533d8bce3\r\nSHA256 7ad8944573fe10ad74b09c964d65c1dadad11b67b18dff8f5ea3bc6fe6c9afbf\r\nSHA512\r\nSSDEEP 1536:kUCfyQleHyebwt7y8daEmjHicZPI6ZhbPxF30c8SlS3YG9VVZR3oOSj6:LCf1leHyeQ7y8daEmjHicZPI6ZhrI\r\nauthentihash 7373849314cbfc43d587ea430ed196249491f5b53e6a607e81b24039c4b8977f\r\nimphash 403556d9f4bec7266681160adde7cc7c\r\nFile Size 86016 bytes\r\nFile Type Win32 DLL\r\nコンパイル\r\n日時\r\n2013-08-26 08:22:30\r\nDebug Path\r\nFile Name FXSST.DLL\r\nFile Path\r\n生成ファイ\r\nル\r\nhttp://malware-log.hatenablog.com/entry/2015/05/18/000000_1\r\nPage 2 of 3\n\n特徴 Zusy\r\nBlackCoffee\r\n参考情報 https://www.virustotal.com/ja/file/7ad8944573fe10ad74b09c964d65c1dadad11b67b18dff8f5ea3bc6fe6c9afbf/analys\r\nhttps://www.reverse.it/sample/7ad8944573fe10ad74b09c964d65c1dadad11b67b18dff8f5ea3bc6fe6c9afbf?\r\nenvironmentId=1\r\nSource: http://malware-log.hatenablog.com/entry/2015/05/18/000000_1\r\nhttp://malware-log.hatenablog.com/entry/2015/05/18/000000_1\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://malware-log.hatenablog.com/entry/2015/05/18/000000_1"
	],
	"report_names": [
		"000000_1"
	],
	"threat_actors": [
		{
			"id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5",
			"created_at": "2022-10-25T15:50:23.269339Z",
			"updated_at": "2026-04-10T02:00:05.402835Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"APT17",
				"Deputy Dog"
			],
			"source_name": "MITRE:APT17",
			"tools": [
				"BLACKCOFFEE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4b076dcb-516e-42fb-9c8f-f153902cd5e9",
			"created_at": "2022-10-25T16:07:23.708745Z",
			"updated_at": "2026-04-10T02:00:04.720108Z",
			"deleted_at": null,
			"main_name": "Hidden Lynx",
			"aliases": [
				"Aurora Panda",
				"Group 8",
				"Heart Typhoon",
				"Hidden Lynx",
				"Operation SMN"
			],
			"source_name": "ETDA:Hidden Lynx",
			"tools": [
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"BlackCoffee",
				"HiKit",
				"MCRAT.A",
				"Mdmbot.E",
				"Moudoor",
				"Naid",
				"PNGRAT",
				"Trojan.Naid",
				"ZoxPNG",
				"gresim"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "86fd71d3-06dc-4b73-b038-cedea7b83bac",
			"created_at": "2022-10-25T16:07:23.330793Z",
			"updated_at": "2026-04-10T02:00:04.545236Z",
			"deleted_at": null,
			"main_name": "APT 17",
			"aliases": [
				"APT 17",
				"ATK 2",
				"Beijing Group",
				"Bronze Keystone",
				"Deputy Dog",
				"Elderwood",
				"Elderwood Gang",
				"G0025",
				"G0066",
				"Operation Aurora",
				"Operation DeputyDog",
				"Operation Ephemeral Hydra",
				"Operation RAT Cook",
				"SIG22",
				"Sneaky Panda",
				"TEMP.Avengers",
				"TG-8153",
				"Tailgater Team"
			],
			"source_name": "ETDA:APT 17",
			"tools": [
				"9002 RAT",
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"Briba",
				"Chymine",
				"Comfoo",
				"Comfoo RAT",
				"Darkmoon",
				"DeputyDog",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Jumpall",
				"Kaba",
				"Korplug",
				"Linfo",
				"MCRAT.A",
				"McRAT",
				"MdmBot",
				"Mdmbot.E",
				"Moudour",
				"Mydoor",
				"Naid",
				"Nerex",
				"PCRat",
				"PNGRAT",
				"Pasam",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Naid",
				"Vasport",
				"Wiarp",
				"Xamtrav",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434770,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7f7e936e07ad6922b664e223558b9c17c5704ab4.pdf",
		"text": "https://archive.orkl.eu/7f7e936e07ad6922b664e223558b9c17c5704ab4.txt",
		"img": "https://archive.orkl.eu/7f7e936e07ad6922b664e223558b9c17c5704ab4.jpg"
	}
}