{
	"id": "56b269c3-fb60-46c8-b8be-f533dfbc98b1",
	"created_at": "2026-04-06T00:06:08.055666Z",
	"updated_at": "2026-04-10T13:11:26.906493Z",
	"deleted_at": null,
	"sha1_hash": "7f9020e4cf6edc0cff6ff188224252894e685009",
	"title": "TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 692140,
	"plain_text": "TA505 begins summer campaigns with a new pet malware\r\ndownloader, AndroMut, in the UAE, South Korea, Singapore, and\r\nthe United States | Proofpoint US\r\nBy Matthew Mesa and Dennis Schwarz with the Proofpoint Threat Insight Team\r\nPublished: 2019-07-02 · Archived: 2026-04-05 19:45:11 UTC\r\nOverview\r\nThroughout 2018, Proofpoint researchers observed threat actors increasingly distributing downloaders, backdoors,\r\ninformation stealers, remote access trojans (RATs), and more as they abandoned ransomware as their primary\r\npayload. In November 2018, TA505, a prolific actor that has been at the forefront of this trend, began distributing\r\na new backdoor we named “ServHelper”. ServHelper has two variants: one focused on remote desktop functions\r\nand a second that primarily functioned as a downloader.\r\nIn June 2019, TA505 appears to have introduced yet another new downloader malware, AndroMut, which has\r\nsome similarities in code and behavior to Andromeda, a long-established malware family. 
Proofpoint research has\r\nobserved AndroMut download malware referred to as “FlawedAmmyy.” FlawedAmmyy is a full-featured RAT\r\nthat was first observed in early 2016 and is based on the leaked source code of a legitimate shareware tool,\r\nAmmyy.\r\nAlso Read: Leaked Ammyy Admin Source Code Turned into Malware\r\nAlso Read: Andromeda Under the Microscope (Avast)\r\nCampaign Analysis\r\nProofpoint researchers observed two distinct campaigns by TA505 that used AndroMut to download\r\nFlawedAmmyy.\r\nThe first campaign used the following message details to target recipients in South Korea:\r\nSender Name:\r\n백승기\r\nSubject:\r\n쌍용 인보이스 1234\r\nURLs\r\nSee IOCs\r\nhttps://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south\r\nPage 1 of 11\n\nSender Name:\r\n최성은\r\nSubject:\r\n송금증 $123.12\r\nAttachment Names:\r\n20.06.2019 송금증 123.12.doc\r\n20.06.2019 송금증 123.12.xls\r\n20.06.2019 송금증 123.12.htm\r\n20.06.2019 송금증 123.12.html\r\nSender Name:\r\n\"Kim, DongHoon (Dongtan_Con)\"\r\nSubject:\r\n견적서\r\nAttachment Names:\r\nCml-123456-1.xls\r\nThe HTM or HTML attachments contained links to the download of an Office file. Depending on the specific\r\ncase, the delivered Word or Excel file used macros to execute a Msiexec command that would download and\r\nexecute either the FlawedAmmyy loader or AndroMut. In the cases that involved AndroMut, Proofpoint\r\nresearchers observed it downloading FlawedAmmyy.\r\nFigure 1: Example TA505 email used to deliver AndroMut\r\nFigure 2: Example TA505 document used to deliver AndroMut\r\nThe second campaign targeted recipients at financial institutions in Singapore, UAE, and the USA. 
The message\r\nlures used the following details:\r\nSender Name:\r\nMir Imran Medhi\r\nSubject:\r\nInvoice \u0026 DOs\r\nAttachment Names:\r\ninvoice-5601.doc\r\ninvoice.xls\r\nSender Name:\r\nOng Kai Chin\r\nSubject:\r\nProfoma Invoice_1234\r\nAttachment Names:\r\ninvoice-1234.doc\r\nSender Name:\r\nRejeesh Aj\r\nSubject:\r\nrequest for holding cheque\r\nAttachment Names:\r\nrequest.doc\r\nRq20061901.doc\r\nAgain, depending on the specific case, the delivered Word or Excel file used macros to execute a Msiexec\r\ncommand that would download and execute either the FlawedAmmyy loader or AndroMut. In the cases that\r\ninvolved AndroMut, we observed it downloading FlawedAmmyy.\r\nFigure 3: Example TA505 email with attachments used to deliver AndroMut\r\nAndroMut Malware Analysis\r\nAndroMut is a new downloader malware written in C++ that Proofpoint researchers began observing in the wild\r\nin June 2019. The “Andro” part of the name comes from some of the pieces which bear resemblance to another\r\ndownloader malware known as Andromeda [1] and “Mut” is based on a mutex that the analyzed sample creates:\r\n“mutshellmy777”.\r\nWindows API Calls\r\nThe malware resolves most of its Windows API calls at runtime by hash. The hashing algorithm is called\r\n“ror13AddHash32Dll” by FireEye [2] and it rotates right (ROR) each character of the DLL and API name by 13\r\nthen adds them together. Some example API hashes are:\r\nlstrcpyW - 0xE33D73B4\r\nCreateMutexW - 0x95898DFF\r\nsocket - 0xED83E9BA\r\nString Decryption\r\nAndroMut decrypts strings in one of two ways:\r\nType 1: The encrypted string is base64-decoded then decrypted with AES-256 in ECB mode. 
Each string has its\r\nown key and they look like 32-byte hex strings (Figure 4).\r\nFigure 4: Example of Type 1 Encrypted Strings\r\nType 2: The encrypted string is stored as a stack string. Each string decrypts by performing a unique math problem;\r\nwe were unable to observe any compelling patterns in the mathematics. Figure 5 shows an example of\r\nthe string “cmd /C” being decrypted. An equivalent Python snippet of the code is available on Github [3].\r\nFigure 5: Example of Type 2 Encrypted String\r\nAnti-Analysis\r\nIn addition to Windows API hashing and string encryption, AndroMut uses the following anti-analysis techniques:\r\nChecks for sandboxing by looking for the following process names:\r\ncmdvirth.exe (COMODO)\r\nSbieSvc.exe (Sandboxie)\r\nVMSrvc.exe (Virtual PC)\r\nxenservice.exe (Xen)\r\nChecks for mouse movement\r\nChecks for the Wine emulator by looking for the “HKEY_CURRENT_USER\\SOFTWARE\\Wine” subkey\r\nin the Registry\r\nChecks for debuggers by looking for debugging flags set in the NtGlobalFlag field of its Process\r\nEnvironment Block (PEB)\r\nChecks for debuggers by setting a “Puleg” mutex, setting the\r\nHANDLE_FLAG_PROTECT_FROM_CLOSE flag on the mutex handle, then trying to close the handle\r\nExplicitly zeroing memory after using important data\r\nPersistence\r\nDepending on user privileges the malware creates persistence by either scheduling a task that executes a created\r\nLNK file in the Recycle Bin or via the “Registry run” method.\r\nConfiguration\r\nAndroMut contains five configuration pieces and stores them as type 1 encrypted strings:\r\nCommand and control (C\u0026C) host\r\nC\u0026C port\r\nC\u0026C URI\r\nEncryption key used in C\u0026C\r\nJSON 
key used in C\u0026C\r\nCommand and Control\r\nThe URL is constructed from the configuration and C\u0026C communication is established using HTTP POST\r\nrequests. An example response to such a request is depicted in Figure 6:\r\nFigure 6: Example C\u0026C response\r\nRequest and response data are both JSON objects that contain the configured JSON key (in the analyzed sample,\r\nthe key was “w”). The key values can be decrypted by hex-decoding and decrypting with AES-256 in ECB using\r\nthe configured C\u0026C key (in the analyzed sample, the key was “736769476A5162373558736B71703962”).\r\nAn example plaintext request looks like:\r\n{\r\n     \"data\": {\r\n           \"arch\": true,\r\n           \"cmd\": 1,\r\n           \"os\": \"Win7\",\r\n           \"rights\": true,\r\n           \"tid\": \"\u003c16 uppercase hex digits\u003e\"\r\n     }\r\n}\r\nIt is a JSON object that contains a data key which contains the following keys:\r\ntid - Bot ID\r\nos - Windows version\r\narch - “true” indicates x64\r\nrights - “true” indicates admin privileges\r\ncmd - Command response code\r\nAn example plaintext response looks like:\r\n{\r\n     \"status\": \"200\",\r\n     \"wmjf\": \"rtjlafogqsebkxuy\"\r\n}\r\nThe “status” key maps to different commands. The rest of the keys are command-specific arguments. AndroMut is\r\nable to execute the following commands:\r\n100 - Remove self and exit\r\n200 - Initial beacon response. Argument is not used and appears to be random padding\r\n300 - Base64 decodes the “data” value, saves it to the %TEMP% directory using the “name” value, then\r\nexecutes it with the CreateProcessW Windows API. 
See below for an example:\r\n{\r\n     \"data\": \"TVqQAAMA...\",\r\n     \"name\": \"okbrjzxp.tmp\",\r\n     \"size\": \"797048\",\r\n     \"status\": \"300\",\r\n     \"type\": \"application/x-msdownload\"\r\n}\r\nOther \"status\" codes include:\r\n301 - Similar to “300” command, but executes the file using “cmd[.]exe [/]C”\r\n302 - Similar to “300” command, but executes the file using the LoadLibraryEx Windows API\r\n303 - Update self\r\nPayloads\r\nAt the time of publication Proofpoint researchers have only seen AndroMut deliver the FlawedAmmyy Remote\r\nAccess Trojan (RAT) [4] in the above TA505 campaigns.\r\nSimilarity to Other Malware\r\nWhile Proofpoint researchers believe that AndroMut is a new malware family, it is worth mentioning in passing\r\nthat some of its analysis felt familiar. Proofpoint has observed some low-confidence overlaps between it and two\r\nother malware downloaders: Andromeda [1] and QtLoader [5] [6]. The research into the latter malware also noted\r\nsome similarities to Andromeda.\r\nConclusion\r\nTA505 has helped shape the threat landscape for years, largely because of the massive volumes associated with\r\ntheir campaigns through the end of 2017 and into 2018. Over the last two years, Proofpoint researchers have\r\nobserved TA505 and a number of other actors focus on downloaders, RATs, information stealers, and banking\r\nTrojans. With this new June 2019 push, commercial banking verticals in the United States, UAE, and Singapore\r\nappear to be the primary targets as part of TA505’s usual “follow the money” behavioral pattern. 
The new\r\nAndroMut downloader, when combined with the FlawedAmmyy RAT as its payload, appears to be TA505’s new pet\r\nfor the summer of 2019.\r\nReferences\r\n[1] https://malpedia.caad.fkie.fraunhofer.de/details/win.andromeda\r\n[2] https://github.com/fireeye/flare-ida/tree/master/shellcode_hashes\r\n[3] https://github.com/EmergingThreats/threatresearch/tree/master/andromut\r\n[4] https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware\r\n[5] https://malpedia.caad.fkie.fraunhofer.de/details/win.qtbot\r\n[6] https://twitter.com/sysopfb/status/921396006431969280\r\nIndicators of Compromise (IOCs)\r\nIOC | IOC Type | Description\r\nhxxp://greenthumbsup[.]jp/20.06.2019_746.38.doc | URL | TA505 Document\r\nhxxp://fakers[.]co[.]jp/20.06.2019_130.22.doc | URL | TA505 Document\r\nhxxp://nagomi-753[.]jp/20.06.2019_800.77.doc | URL | TA505 Document\r\nhxxp://nanepashemet[.]com/20.06.2019_781.37.xls | URL | TA505 Excel File\r\n52f0aaff3654110e82586d21b07c8a3de23dc9efb3f4001daf412286282315c0 | SHA256 | TA505 Document\r\nd0aaf465a2569abbdcbafc049be1c1a643572f4ca185058833310435bfa53358 | SHA256 | TA505 Document\r\neb3792fc83cd65823bc466e7253caf12064826b058230666d2ed51542ac59275 | SHA256 | TA505 Excel File\r\nf21039af47e7660bf8ef002dfcdb0c0f779210482ee1778ab7e7f51e8233e35c | SHA256 | TA505 Document\r\n3e3eb26211459eb2d8b52a2429a52e7e12d2145d7733823d7415663537a0b6ca | SHA256 | TA505 HTML\r\n8621fa54946096ed38aee5cbcc068c0620416a05c17328a527673e808847850d | SHA256 | TA505 Excel File\r\nc4963dcf6b32459740f6a3d3b4d06d9dc06f15087ca01775956df36206543301 | SHA256 | TA505 Document\r\na905838db6e6617edd9d25baaaaee9c209381d456e809081977e27c3e0b15793 
| SHA256 | TA505 Document\r\n59af9102a921130fd1d120f6cee7fc7cdfc28292a7a4a8c24233126604aa9443 | SHA256 | TA505 Document\r\n98b584b31457b21d0d48fcc78093439638e15dd1705e54182d9aa4ffad014c3a | SHA256 | TA505 Excel File\r\nbb5054f0ec4e6980f65fb9329a0b5acec1ed936053c3ef0938b5fa02a9daf7ee | SHA256 | AndroMut\r\nhxxp://kreewalk[.com:80/viewforum.php | URL | C\u0026C\r\n5eddc55c0c445baf2752d56229fa384b7e3f1c7e76b22f43e389c6a711aa713a | SHA256 | FlawedAmmyy\r\nET and ETPRO Suricata/Snort Signatures\r\n2836975 ETPRO TROJAN AndroMut Checkin\r\nSource: https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south"
	],
	"report_names": [
		"ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433968,
	"ts_updated_at": 1775826686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7f9020e4cf6edc0cff6ff188224252894e685009.pdf",
		"text": "https://archive.orkl.eu/7f9020e4cf6edc0cff6ff188224252894e685009.txt",
		"img": "https://archive.orkl.eu/7f9020e4cf6edc0cff6ff188224252894e685009.jpg"
	}
}