{
	"id": "4df4e9bd-82e6-4097-831e-c8b4298e271d",
	"created_at": "2026-04-06T00:11:39.480514Z",
	"updated_at": "2026-04-10T03:38:20.716649Z",
	"deleted_at": null,
	"sha1_hash": "80a3cb56417eb337074c54a3c3371ca6a0a9ebad",
	"title": "DEV-0139 launches targeted attacks against the cryptocurrency industry | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3009429,
	"plain_text": "DEV-0139 launches targeted attacks against the cryptocurrency industry\r\n| Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2022-12-06 · Archived: 2026-04-05 16:05:01 UTC\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the\r\ntheme of weather. DEV-0139 is now tracked as Citrine Sleet.\r\nTo learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete\r\nmapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.\r\nOver the past several years, the cryptocurrency market has considerably expanded, gaining the interest of investors and\r\nthreat actors. Cryptocurrency itself has been used by cybercriminals for their operations, notably for ransom payment in\r\nransomware attacks, but we have also observed threat actors directly targeting organizations within the cryptocurrency\r\nindustry for financial gain. Attacks targeting this market have taken many forms, including fraud, vulnerability exploitation,\r\nfake applications, and usage of info stealers, as attackers attempt to get their hands on cryptocurrency funds.\r\nWe are also seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to\r\ngain their target’s trust before deploying payloads. For example, Microsoft recently investigated an attack where the threat\r\nactor, tracked as DEV-0139, took advantage of Telegram chat groups to target cryptocurrency investment companies. DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms\r\nand identified their target from among the members. 
The threat actor posed as representatives of another cryptocurrency\r\ninvestment company, and in October 2022 invited the target to a different chat group and pretended to ask for feedback on\r\nthe fee structure used by cryptocurrency exchange platforms. The threat actor had broad knowledge of this specific part\r\nof the industry, indicating that they were well prepared and aware of the current challenges the targeted companies may face.\r\nAfter gaining the target’s trust, DEV-0139 then sent a weaponized Excel file with the name OKX Binance \u0026 Huobi VIP fee\r\ncomparision.xls which contained several tables about fee structures among cryptocurrency exchange companies. The data in\r\nthe document was likely accurate to increase their credibility. This weaponized Excel file initiates the following series of\r\nactivities:\r\n1. A malicious macro in the weaponized Excel file abuses UserForm of VBA to obfuscate the code and retrieve some\r\ndata.\r\n2. The malicious macro drops another Excel sheet embedded in the form and executes it in invisible mode. That\r\nExcel sheet is encoded in base64, and dropped into C:\\ProgramData\\Microsoft Media with the name VSDB688.tmp.\r\n3. The file VSDB688.tmp downloads a PNG file containing three executables: a legitimate Windows file named\r\nlogagent.exe, a malicious version of the DLL wsock32.dll, and an XOR encoded backdoor.\r\n4. The file logagent.exe is used to sideload the malicious wsock32.dll, which acts as a DLL proxy to the legitimate\r\nwsock32.dll. The malicious DLL file is used to load and decrypt the XOR encoded backdoor that lets the threat actor\r\nremotely access the infected system.\r\nhttps://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/\r\nPage 1 of 17\n\nFigure 1. 
Overview of the attack\r\nFurther investigation through our telemetry led to the discovery of another file that uses the same DLL proxying technique.\r\nBut instead of a malicious Excel file, it is delivered in an MSI package for a CryptoDashboardV2 application, dated June\r\n2022. This may suggest other related campaigns are also run by the same threat actor, using the same techniques.\r\nIn this blog post, we will present the details uncovered from our investigation of the attack against a cryptocurrency\r\ninvestment company, as well as analysis of related files, to help similar organizations understand this kind of threat, and\r\nprepare for possible attacks. Researchers at Volexity recently published their findings on this attack as well.\r\nAs with any observed nation state actor activity, Microsoft directly notifies customers that have been targeted or\r\ncompromised, providing them with the information they need to secure their accounts. Microsoft uses DEV-####\r\ndesignations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing\r\nMicrosoft Threat Intelligence Center (MSTIC) to track it as a unique set of information until we reach a high confidence\r\nabout the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.\r\nInitial compromise\r\nTo identify the targets, the threat actor sought out members of cryptocurrency investment groups on Telegram. In the\r\nspecific attack, DEV-0139 got in touch with their target on October 19, 2022 by creating a secondary Telegram group with\r\nthe name \u003cNameOfTheTargetedCompany\u003e \u003c\u003e OKX Fee Adjustment and inviting three employees. The threat actor created\r\nfake profiles using details from employees of the company OKX. The screenshot below shows the real accounts and the\r\nmalicious ones for two of the users present in the group.\r\nFigure 2. 
Legitimate profiles of cryptocurrency exchange employees (left) and fake profiles created by the\r\nthreat actor (right)\r\nIt’s worth noting that the threat actor appears to have a broad knowledge of the cryptocurrency industry and the challenges\r\nthe targeted company may face. The threat actor asked questions about fee structures, which are the fees used by crypto\r\nexchange platforms for trading. The fees are a big challenge for investment funds as they represent a cost and must be\r\noptimized to minimize impact on margin and profits. As for many other companies in this industry, the largest costs come\r\nfrom fees charged by exchanges. This is a very specific topic that demonstrates how advanced and well\r\nprepared the threat actor was before contacting their target.\r\nAfter gaining the trust of the target, the threat actor sent a weaponized Excel document to the target containing further\r\ndetails on the fees to appear legitimate. The threat actor used the fee structure discussion as an opportunity to ask the target\r\nto open the weaponized Excel file and fill in their information.\r\nWeaponized Excel file analysis\r\nThe weaponized Excel file, which has the file name OKX Binance \u0026 Huobi VIP fee comparision.xls (Sha256:\r\nabca3253c003af67113f83df2242a7078d5224870b619489015e4fde060acad0), is well crafted and contains legitimate\r\ninformation about the current fees used by some crypto exchanges. 
The metadata extracted showed that the file was created\r\nby the user Wolf:\r\nFile name OKX Binance \u0026 Huobi VIP fee comparision.xls\r\nCompObjUserTypeLen 31\r\nCompObjUserType Microsoft Excel 2003 Worksheet\r\nModifyDate 2022:10:14 02:34:33\r\nTitleOfParts Comparison_Oct 2022\r\nSharedDoc No\r\nAuthor Wolf\r\nCodePage Windows Latin 1 (Western European)\r\nAppVersion 16\r\nLinksUpToDate No\r\nScaleCrop No\r\nLastModifiedBy Wolf\r\nHeadingPairs Worksheets, 1\r\nFileType XLS\r\nFileTypeExtension xls\r\nHyperlinksChanged No\r\nSecurity None\r\nCreateDate 2022:10:14 02:34:31\r\nSoftware Microsoft Excel\r\nMIMEType application/vnd.ms-excel\r\nFigure 3. The information in the malicious Excel file\r\nThe macro is obfuscated and abuses UserForm (a feature used to create windows) to store data and variables. In this case,\r\nthe name of the UserForm is IFUZYDTTOP, and the macro retrieves the information with code such as\r\nIFUZYDTTOP.MgQnQVGb.Caption, where MgQnQVGb is the name of a label in the UserForm and .Caption returns the\r\nstring stored in that label.\r\nThe table below shows the data retrieved from the UserForm:\r\nObfuscated data Original data\r\nIFUZYDTTOP.nPuyGkKr.Caption \u0026 IFUZYDTTOP.jpqKCxUd.Caption MSXML2.DOMDocument\r\nIFUZYDTTOP.QevjtDZF.Caption b64\r\nIFUZYDTTOP.MgQnQVGb.Caption bin.base64\r\nIFUZYDTTOP.iuiITrLG.Caption Base64 encoded second worksheet\r\nIFUZYDTTOP.hMcZvwhq.Caption C:\\ProgramData\\Microsoft Media\r\nIFUZYDTTOP.DDFyQLPa.Caption VSDB688.tmp\r\nIFUZYDTTOP.PwXgwErw.Caption \u0026 IFUZYDTTOP.ePGMifdW.Caption Excel.Application\r\nThe macro retrieves some parameters from the UserForm as well as another XLS file stored in base64. 
The XLS file is\r\ndropped into the directory C:\\ProgramData\\Microsoft Media as VSDB688.tmp and runs in invisible mode.\r\nFigure 4. The deobfuscated code to load the extracted worksheet in invisible mode.\r\nAdditionally, the main sheet in the Excel file is protected with the password dragon to encourage the target to enable the\r\nmacros. The sheet is then unprotected after installing and running the other Excel file stored in Base64. This is likely used to\r\ntrick the user into enabling macros without raising suspicion.\r\nThe second Excel file, VSDB688.tmp (Sha256:\r\na2d3c41e6812044573a939a51a22d659ec32aea00c26c1a2fdf7466f5c7e1ee9), is used to retrieve a PNG file that is parsed\r\nlater by the macro to extract two executable files and the encrypted backdoor. Below is the metadata for the second\r\nworksheet:\r\nFile Name VSDB688.tmp\r\nCompObjUserType Microsoft Excel 2003 Worksheet\r\nModifyDate 2022:08:29 08:07:24\r\nTitleOfParts Sheet1\r\nSharedDoc No\r\nCodePage Windows Latin 1 (Western European)\r\nAppVersion 16\r\nLinksUpToDate No\r\nScaleCrop No\r\nCompObjUserTypeLen 31\r\nHeadingPairs Worksheets, 1\r\nFileType XLS\r\nFileTypeExtension xls\r\nHyperlinksChanged No\r\nSecurity None\r\nCreateDate 2006:09:16 00:00:00\r\nSoftware Microsoft Excel\r\nMIMEType application/vnd.ms-excel\r\nFigure 5. 
The second file has no visible content but uses the same UserForm abuse technique as the first\r\nstage.\r\nThe table below shows the deobfuscated data retrieved from the UserForm:\r\nObfuscated data Original data\r\nGGPJPPVOJB.GbEtQGZe.Caption \u0026 GGPJPPVOJB.ECufizoN.Caption MSXML2.DOMDocument\r\nGGPJPPVOJB.BkxQNjsP.Caption b64\r\nGGPJPPVOJB.slgGbwvS.Caption bin.base64\r\nGGPJPPVOJB.kiTajKHg.Caption C:\\ProgramData\\SoftwareCache\r\nGGPJPPVOJB.fXSPzIWf.Caption logagent.exe\r\nGGPJPPVOJB.JzrHMGPQ.Caption wsock32.dll\r\nGGPJPPVOJB.pKLagNSW.Caption 56762eb9-411c-4842-9530-9922c46ba2da\r\nGGPJPPVOJB.grzjNBbk.Caption /shadow\r\nGGPJPPVOJB.aJmXcCtW.Caption \u0026 GGPJPPVOJB.zpxMSdzi.Caption MSXML2.ServerXMLHTTP.6.0\r\nGGPJPPVOJB.rDHwJTxL.Caption Get\r\nThe macro retrieves some parameters from the UserForm then downloads a PNG file from\r\nhxxps://od.lk/d/d021d412be456a6f78a0052a1f0e3557dcfa14bf25f9d0f1d0d2d7dcdac86c73/Background.png. The file was\r\nno longer available at the time of analysis, indicating that the threat actor likely deployed it only for this specific attack.\r\nFigure 6. Deobfuscated code that shows the download of the file Background.png\r\nThe PNG is then split into three parts and written in three different files: the legitimate file logagent.exe, a malicious version\r\nof wsock32.dll, and the XOR encrypted backdoor with the GUID (56762eb9-411c-4842-9530-9922c46ba2da). The three\r\nfiles are used to load the main payload to the target system.\r\nFigure 7. The three files are written into C:\\ProgramData\\SoftwareCache and run using the CreateProcess API\r\nLoader analysis\r\nTwo of the three files extracted from the PNG file, logagent.exe and wsock32.dll, are used to load the XOR encrypted\r\nbackdoor. 
The following sections present our in-depth analysis of both files.\r\nLogagent.exe\r\nLogagent.exe (Hash: 8400f2674892cdfff27b0dfe98a2a77673ce5e76b06438ac6110f0d768459942) is a legitimate system\r\napplication used to log errors from Windows Media Player and send the information for troubleshooting.\r\nThe file contains the following metadata, but it is not signed:\r\nDescription Value\r\nlanguage English-US\r\ncode-page Unicode UTF-16 little endian\r\nCompanyName Microsoft Corporation\r\nFileDescription Windows Media Player Logagent\r\nFileVersion 12.0.19041.746\r\nInternalName logagent.exe\r\nLegalCopyright © Microsoft Corporation. All rights reserved.\r\nOriginalFilename logagent.exe\r\nProductName Microsoft® Windows® Operating System\r\nProductVersion 12.0.19041.746\r\nlogagent.exe imports functions from wsock32.dll, which the threat actor abuses to load malicious code into the\r\ntargeted system. To trigger and run the malicious wsock32.dll, logagent.exe is run with the following arguments previously\r\nretrieved by the macro: 56762eb9-411c-4842-9530-9922c46ba2da /shadow. Both arguments are then retrieved by\r\nwsock32.dll. The GUID 56762eb9-411c-4842-9530-9922c46ba2da is the filename of the encrypted payload that the malicious\r\nwsock32.dll loads, and /shadow is used as the XOR key to decrypt it. Both parameters are needed for the malware to function,\r\npotentially hindering isolated analysis.\r\nFigure 8. Command line execution from the running process logagent.exe\r\nWsock32.dll\r\nThe legitimate wsock32.dll is the Windows Socket API used by applications to handle network connections. In this attack,\r\nthe threat actor used a malicious version of wsock32.dll to evade detection. 
The malicious wsock32.dll is loaded by\r\nlogagent.exe through DLL side-loading and uses DLL proxying to call the legitimate functions from the real wsock32.dll and\r\navoid detection. DLL proxying is a hijacking technique where a malicious DLL sits in between the application calling the\r\nexported function and a legitimate DLL that implements that exported function. In this attack, the malicious wsock32.dll acts\r\nas a proxy between logagent.exe and the legitimate wsock32.dll.\r\nThe forwarding of calls to the legitimate functions can be seen in the import address table:\r\nFigure 9. Import Address Table from wsock32.dll\r\nFigure 10. Retrieving data with PeStudio revealed the original file name for the malicious wsock32.dll.\r\nWhen the malicious wsock32.dll is loaded, it first retrieves the command line, and checks if the file with the GUID as a\r\nfilename is present in the same directory using the CreateFile API to retrieve a file handle.\r\nFigure 11. Verification of the presence of the file 56762eb9-411c-4842-9530-9922c46ba2da for decryption\r\nThe malicious wsock32.dll loads and decodes into memory the final implant (the file with the GUID name), which is used to\r\nremotely access the infected machine.\r\nSHA256 2e8d2525a523b0a47a22a1e9cc9219d6526840d8b819d40d24046b17db8ea3fb\r\nImphash 52ff8adb6e941e2ce41fd038063c5e0e\r\nRich PE Hash ff102ff1ac1c891d1f5be7294035d19e\r\nFiletype PE32+ DLL\r\nCompile Timestamp 2022-08-29 06:33:10 UTC\r\nOnce the file is loaded into the memory, it gives remote access to the threat actor. At the time of the analysis, we could not\r\nretrieve the final payload. 
However, we identified another variant of this attack and retrieved the payload, which is discussed\r\nin the next section. Identified implants were connecting back to the same command-and-control (C2) server.\r\nWe identified another file using a similar mechanism as logagent.exe and delivering the same payload. The loader is\r\npackaged as an MSI package and posed as an application called CryptoDashboardV2 (Hash:\r\ne5980e18319027f0c28cd2f581e75e755a0dace72f10748852ba5f63a0c99487). After installing the MSI, it uses a legitimate\r\napplication called tplink.exe to sideload the malicious DLL called DUser.dll and uses DLL proxying as well.\r\ncreation datetime 11/12/2009 11:47\r\nauthor 168 Trading\r\ntitle Installation Database\r\npage count 200\r\nword count 2\r\nkeywords Installer, MSI, Database\r\nlast saved 11/12/2009 11:47\r\nrevision number {30CD8B94-5D3C-4B55-A5A3-3FC9C7CCE6D5}\r\nlast printed 11/12/2009 11:47\r\napplication name Advanced Installer 14.5.2 build 83143\r\nsubject CryptoDashboardV2\r\ntemplate x64;1033\r\ncode page Latin I\r\ncomments This installer database contains the logic and data required to install CryptoDashboardV2.\r\nFigure 12. Installation details of the MSI file\r\nOnce the package is installed, it runs and side-loads the DLL using the following command:\r\n\"C:\\Users\\user\\AppData\\Roaming\\Dashboard_v2\\TPLink.exe\" 27E57D84-4310-4825-AB22-743C78B8F3AA /sven, where it\r\nnoticeably uses a different GUID.\r\nFurther analysis of the malicious DUser.dll showed that its original name is also HijackingLib.dll, same as the malicious\r\nwsock32.dll. This could indicate the usage of the same tool to create these malicious DLL proxies. 
Below are the file details\r\nof DUser.dll:\r\nSHA256 90b0a4c9fe8fd0084a5d50ed781c7c8908f6ade44e5654acffea922e281c6b33\r\nImphash 52ff8adb6e941e2ce41fd038063c5e0e\r\nRich PE Hash ff102ff1ac1c891d1f5be7294035d19e\r\nFiletype Win32 DLL\r\nCompile Timestamp 2022-06-20 07:47:07 UTC\r\nOnce the DLL is running, it loads and decodes the implant in the memory and starts beaconing the same domain. In that\r\ncase, the implant is using the GUID name 27E57D84-4310-4825-AB22-743C78B8F3AA and the XOR key /sven.\r\nImplant analysis\r\nThe payload decoded in the memory by the malicious DLL is an implant used by the threat actor to remotely access the\r\ncompromised machine. We were able to retrieve the one from the second variant we uncovered. Below are the details of the\r\npayload:\r\nSHA256 ea31e626368b923419e8966747ca33473e583376095c48e815916ff90382dda5\r\nImphash 96321fa09a450119a8f0418ec86c3e08\r\nRich PE Hash 8c4fb0cb671dbf8d859b875244c4730c\r\nFiletype Win32 DLL\r\nCompile Timestamp 2022-06-20 00:51:33 UTC\r\nFirst, the sample retrieves some information from the targeted system. It can connect back to a remote server and receive\r\ncommands from it.\r\nFigure 13. Details about the connection to the C2.\r\nFigure 14. The sample is connecting back to the domain name strainservice[.]com.\r\nInfrastructure\r\nNotably, the threat actor abused OpenDrive in one of the variants to deliver the payload. The OpenDrive\r\naccount was set up quickly for one-shot use, indicating that it was created for only one target.\r\nWe identified one domain used as C2 server, strainservice[.]com, to which the two implants connected back. This domain was\r\nregistered on June 26 on Namecheap, just before the distribution of the first variant. At the time of the attack, the server had\r\nports 80, 443, and 2083 open. 
The implants communicated on port 443.\r\nDefending against targeted attacks\r\nIn this report we analyzed a targeted attack on cryptocurrency investment fund startups. Such companies are relatively new,\r\nbut manage hundreds of millions of dollars, raising the interest of threat actors.\r\nIn this attack we identified that the threat actor has broad knowledge of the cryptocurrency industry as well as the challenges\r\ntheir targets may face, increasing the sophistication of the attack and their chance of success. The threat actor used Telegram,\r\nan app widely used in the field, to identify the profile of interest, gained the target’s trust by discussing relevant topics, and\r\nfinally sent a weaponized document that delivered a backdoor through multiple mechanisms. Additionally, the second attack\r\nidentified used a fake crypto dashboard application as a lure.\r\nThe cryptocurrency market remains a field of interest for threat actors. Targeted users are identified through trusted channels\r\nto increase the chance of success. While the biggest companies can be targeted, smaller companies can also be targets of\r\ninterest. 
The techniques used by the actor covered in this blog can be mitigated by adopting the security considerations\r\nprovided below:\r\nUse the included indicators of compromise to investigate whether they exist in your environment and assess for\r\npotential intrusion.\r\nEducate end users about protecting personal and business information in social media, filtering unsolicited\r\ncommunication (in this case, Telegram chat groups), identifying lures in spear-phishing email and watering holes,\r\nand reporting of reconnaissance attempts and other suspicious activity.\r\nEducate end users about preventing malware infections, such as ignoring or deleting unsolicited and unexpected\r\nemails or attachments sent via instant messaging applications or social networks. Encourage end users to practice\r\ngood credential hygiene and make sure the Microsoft Defender Firewall (which is enabled by default) is always on to\r\nprevent malware infection and stifle propagation.\r\nChange Excel macro security settings to control which macros run and under what circumstances when you open a\r\nworkbook. Customers can also stop malicious XLM or VBA macros by ensuring runtime macro scanning by\r\nAntimalware Scan Interface (AMSI) is on. 
This feature—enabled by default—is on if the Group Policy setting for\r\nMacro Run Time Scan Scope is set to “Enable for All Files” or “Enable for Low Trust Files”.\r\nTurn on attack surface reduction rules to prevent common attack techniques observed in this threat:\r\nBlock Office applications from creating executable content\r\nBlock Office communication application from creating child processes\r\nBlock Win32 API calls from Office macros\r\nEnsure that Microsoft Defender Antivirus is up to date and that real-time behavior monitoring is enabled.\r\nDetection details\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects threat components as the following malware:\r\nTrojanDownloader:O97M/Wolfic.A\r\nTrojanDownloader:O97M/Wolfic.B\r\nTrojanDownloader:O97M/Wolfic.C\r\nTrojanDownloader:Win32/Wolfic.D\r\nTrojanDownloader:Win32/Wolfic.E\r\nBehavior:Win32/WolficDownloader.A\r\nBehavior:Win32/WolficDownloader.B\r\nMicrosoft Defender for Endpoint\r\nAlerts with the following titles in the security center can indicate threat activity on your network:\r\nAn executable loaded an unexpected dll\r\nDLL search order hijack\r\n‘Wolfic’ malware was prevented\r\nAdvanced hunting queries\r\nThe following hunting queries locate relevant activity.\r\nQuery that looks for Office apps that create a file within one of the known bad directories:\r\nDeviceFileEvents\r\n| where InitiatingProcessFileName has_any (\"word\", \"excel\", \"access\", \"outlook\", \"powerpnt\")\r\n| where ActionType == \"FileCreated\"\r\n| where tostring(parse_path(FolderPath).DirectoryPath) has_any(\r\n@\"C:\\ProgramData\\Microsoft Media\",\r\n@\"C:\\ProgramData\\SoftwareCache\",\r\n@\"Roaming\\Dashboard_v2\"\r\n)\r\n| project Timestamp, DeviceName, FolderPath, InitiatingProcessFileName, SHA256, 
InitiatingProcessAccountName,\r\nInitiatingProcessAccountDomain\r\nQuery that looks for Office apps that create a file within an uncommon directory (less than five occurrences), makes a set of\r\neach machine this is seen on, and each user that has executed it to help look for how many users/hosts are compromised:\r\nDeviceFileEvents\r\n| where InitiatingProcessFileName has_any (\"word\", \"excel\", \"access\", \"outlook\", \"powerpnt\")\r\n| where ActionType == \"FileCreated\"\r\n| extend Path = tostring(parse_path(FolderPath).DirectoryPath)\r\n| summarize PathCount=count(), DeviceList=make_set(DeviceName),\r\nAccountList=make_set(InitiatingProcessAccountName) by FileName, Path, InitiatingProcessFileName, SHA256\r\n| where PathCount \u003c 5\r\nQuery that summarizes child processes of Office apps, looking for less than five occurrences:\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName has_any (\"word\", \"excel\", \"access\", \"powerpnt\")\r\n| summarize ProcessCount=count(), DeviceList=make_set(DeviceName),\r\nAccountList=make_set(InitiatingProcessAccountName) by FileName, FolderPath, SHA256, InitiatingProcessFileName\r\n| where ProcessCount \u003c 5\r\nQuery that lists all executables with Microsoft as ProcessVersionInfoCompanyName, groups them together by path, then\r\nlooks for uncommon paths, with less than five occurrences:\r\nDeviceProcessEvents\r\n| where ProcessVersionInfoCompanyName has \"Microsoft\"\r\n| extend Path = tostring(parse_path(FolderPath).DirectoryPath)\r\n| summarize ProcessList=make_set(FileName) by Path\r\n| where array_length( ProcessList ) \u003c 5\r\nQuery that searches for connections to malicious domains and IP addresses:\r\nDeviceNetworkEvents\r\n| where (RemoteUrl has_any (\"strainservice.com\"))\r\nor (RemoteIP has_any (\"198.54.115.248\"))\r\nQuery that searches for files downloaded from malicious domains and IP addresses:\r\nDeviceFileEvents\r\n| where (FileOriginUrl has_any (\"strainservice.com\"))\r\nor 
(FileOriginIP has_any (\"198.54.115.248\"))\r\nQuery that searches for Office apps downloading files from uncommon domains, grouping users, filenames, and devices\r\ntogether:\r\nDeviceFileEvents\r\n| where InitiatingProcessFileName has_any (\"word\", \"excel\", \"access\", \"powerpnt\")\r\n| where ActionType == \"FileCreated\"\r\n| where isnotempty( FileOriginUrl ) or isnotempty( FileOriginIP )\r\n| summarize DomainCount=count(), UserList=make_set(InitiatingProcessAccountName),\r\nDeviceList=make_set(DeviceName),\r\nFileList=make_set(FileName) by FileOriginUrl, FileOriginIP, InitiatingProcessFileName\r\nQuery that looks for downloaded files with uncommon file extensions, grouping remote IPs, URLs, filenames, users, and devices:\r\nDeviceFileEvents\r\n| where InitiatingProcessFileName has_any (\"word\", \"excel\", \"access\", \"powerpnt\", \"outlook\")\r\n| where ActionType == \"FileCreated\"\r\n| where isnotempty( FileOriginUrl ) or isnotempty( FileOriginIP )\r\n| extend Extension=tostring(parse_path(FolderPath).Extension)\r\n| extend Path=tostring(parse_path(FolderPath).DirectoryPath)\r\n| summarize ExtensionCount=count(), IpList=make_set(FileOriginIP), UrlList=make_set(FileOriginUrl),\r\nFileList=make_set(FileName),\r\nUserList=make_set(InitiatingProcessAccountName), DeviceList=make_set(DeviceName) by Extension,\r\nInitiatingProcessFileName\r\nQuery that looks for Office apps that have child processes that match the GUID command line, with a check for Microsoft binaries to\r\nreduce the results before the regex:\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName has_any (\"word\", \"excel\", \"access\", \"powerpnt\")\r\n| where ProcessVersionInfoCompanyName has \"Microsoft\"\r\n| where ProcessCommandLine matches regex\r\n@\"[A-Za-z0-9]+\\.exe [A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{12} /[A-Za-z0-9]+$\"\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytic to automatically match the malicious IP and domain\r\nindicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed,\r\ncustomers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule\r\ndeployed in their Sentinel workspace. More details on the Content Hub can be found here:\r\nhttps://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\r\nTo supplement this indicator matching, customers can use the Advanced Hunting queries listed above against Microsoft 365\r\nDefender data ingested into their workspaces as well as the following Microsoft Sentinel queries:\r\nLeast common parent and child process pairs: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/Least_Common_Parent_Child_Process.yaml\r\nDetect anomalous process trees: https://github.com/Azure/Azure-Sentinel/blob/46906229919827bffa14211341f52dd68e27ad81/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yaml\r\nIndicators of compromise\r\nIOC Filename/Type\r\nabca3253c003af67113f83df2242a7078d5224870b619489015e4fde060acad0 OKX Binance \u0026 Huobi VIP fee comparision.xls\r\n17e6189c19dedea678969e042c64de2a51dd9fba69ff521571d63fd92e48601b OKX Binance \u0026 Huobi VIP fee comparision.xls\r\na2d3c41e6812044573a939a51a22d659ec32aea00c26c1a2fdf7466f5c7e1ee9 VSDB688.tmp\r\n2e8d2525a523b0a47a22a1e9cc9219d6526840d8b819d40d24046b17db8ea3fb wsock32.dll / HijackingLib.dll\r\n82e67114d632795edf29ce1d50a4c1c444846d9e16cd121ce26e63c8dc4a1629 DUser.dll\r\n90b0a4c9fe8fd0084a5d50ed781c7c8908f6ade44e5654acffea922e281c6b33 DUser.dll / HijackingLib.dll\r\ne5980e18319027f0c28cd2f581e75e755a0dace72f10748852ba5f63a0c99487 4acbe3.msi\r\neee4e3612af96b694e28e3794c4ee4af2579768e8ec6b21daf71acfc6e22d52b 43d972.msi\r\nea31e626368b923419e8966747ca33473e583376095c48e815916ff90382dda5 DLL (implant)\r\nC:\\ProgramData\\SoftwareCache\\wsock32.dll Path\r\nC:\\Users\\user\\AppData\\Roaming\\Dashboard_v2\\DUser.dll Path\r\nC:\\Program Files\\CryptoDashboardV2 Path\r\nC:\\ProgramData\\Microsoft Media\\VSDB688.tmp Path\r\nhxxps://od.lk/d/d021d412be456a6f78a0052a1f0e3557dcfa14bf25f9d0f1d0d2d7dcdac86c73/Background.png Background.png downloaded from OpenDrive\r\nstrainservice.com Domain/C2\r\n198.54.115.248 IP/C2\r\n56762eb9-411c-4842-9530-9922c46ba2da GUID\r\n27E57D84-4310-4825-AB22-743C78B8F3AA GUID\r\nTPLink.exe\" 27E57D84-4310-4825-AB22-743C78B8F3AA /sven Command line\r\nlogagent.exe 56762eb9-411c-4842-9530-9922c46ba2da /shadow Command line\r\nMITRE ATT\u0026CK techniques\r\nTactic | Technique ID | Name | Description\r\nReconnaissance | T1591 | Gather Victim Org Information | The attackers gathered information about the targets, reaching them on Telegram with a clear understanding of their challenges.\r\nReconnaissance | T1593.001 | Social Media | Attackers identified the targets on specific cryptocurrency groups on Telegram.\r\nResource Development | T1583.001 | Acquire Infrastructure: Domains | Attackers registered the domain \"strainservice.com\" on June 18.\r\nInitial Access | T1566.001 | Spearphishing Attachment | Attackers sent a weaponized Excel document.\r\nExecution | T1204.002 | User Execution: Malicious File | The targeted user must open the weaponized Excel document and enable macros.\r\nExecution | T1059.005 | Command and Scripting Interpreter: Visual Basic | Attackers used VBA in the malicious Excel document “OKX Binance \u0026 Huobi VIP fee comparision.xls” to deliver the implant.\r\nExecution | T1106 | Native API | Usage of the CreateProcess API in the Excel document to run the executable.\r\nPersistence, Privilege Escalation, Defense Evasion | T1574.002 | DLL Side-Loading | The attackers abused the legitimate logagent.exe to side-load the malicious wsock32.dll and the legitimate TPLink.exe to side-load DUser.dll.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | The malicious VBA is obfuscated using UserForm to hide variables and data.\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | The attackers use legitimate DLL names for DLLs that act as proxies to the original ones (wsock32.dll and DUser.dll).\r\nDefense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads | The malicious DLLs drop the implant onto the machine.\r\nCommand \u0026 Control | T1071.001 | Application Layer Protocol: Web Protocols | The implant communicates with the remote domain through port 80 or 443.\r\nCommand \u0026 Control | T1132 | Data Encoding | The implant encodes the data exchanged with the C2.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | The implant has the ability to exfiltrate information.\r\nSource: https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/"
	],
	"report_names": [
		"dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434299,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80a3cb56417eb337074c54a3c3371ca6a0a9ebad.pdf",
		"text": "https://archive.orkl.eu/80a3cb56417eb337074c54a3c3371ca6a0a9ebad.txt",
		"img": "https://archive.orkl.eu/80a3cb56417eb337074c54a3c3371ca6a0a9ebad.jpg"
	}
}