{
	"id": "9a2a4355-4550-4a34-ac85-105d38e989be",
	"created_at": "2026-04-06T00:15:53.786732Z",
	"updated_at": "2026-04-10T03:37:21.639734Z",
	"deleted_at": null,
	"sha1_hash": "8269696ef27d5db68cfb4b51946e7ccd937d98fe",
	"title": "Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 592126,
	"plain_text": "Iron Tiger Compromises Chat Application Mimi, Targets\r\nWindows, Mac, and Linux Users\r\nBy: Daniel Lunghi, Jaromir Horejsi Aug 12, 2022 Read time: 7 min (1864 words)\r\nPublished: 2022-08-12 · Archived: 2026-04-02 10:49:38 UTC\r\nWe noticed a server hosting both a HyperBro sample and a malicious Mach-O executable named “rshell.”\r\nHyperBro is a malware family used by Iron Tiger (also known as Emissary Panda, APT27, Bronze Union, and\r\nLuckymouse), an advanced persistent threat (APT) group that has been performing cyberespionage for almost a\r\ndecade, and there have been no reports of this group associated with a tool for Mac operating systems (OS). We\r\nanalyzed the Mach-O sample and found it to be a new malware family targeting the Mac OS platform. We also\r\neventually found samples compiled for the Linux platform that belong to the same malware family.\r\nWe noticed that a chat application named MiMi retrieved the rshell executable, an app we came across recently\r\nwhile investigating threat actor Earth Berberoka. We noticed Iron Tiger\r\ncontrolling the servers hosting the app installers of MiMi, suggesting a supply chain attack. Further investigation\r\nshowed that MiMi chat installers have been compromised to download and install HyperBro samples for the\r\nWindows platform and rshell samples for the Mac OS platform. While this was not the first time the technique\r\nwas used, this latest development shows Iron Tiger’s interest in compromising victims using the three major\r\nplatforms: Windows, Linux, and macOS.\r\nInfection vector\r\nMiMi (mimi = 秘密  = secret in Chinese) is an instant messaging application designed especially for Chinese\r\nusers, with implementations for major desktop and mobile operating systems: Windows, macOS, Android, and\r\niOS. 
The desktop versions are developed with the help of the ElectronJS framework, which is a cross-platform\r\nframework based on Node.js, allowing the developers to create applications with HTML, Javascript (JS), and\r\nCSS.\r\nWe already came across an abuse of this application during the Earth Berberoka investigation. However,\r\ncompared to Earth Berberoka’s routine wherein the threat actor set up a fake website to deliver a malicious chat\r\napplication, in this instance Iron Tiger compromised the server hosting the legitimate installers for this chat\r\napplication for a supply chain attack. Contrary to the fake website, the links to the mobile versions of the\r\napplication for Android and iPhone worked. Also, we could not find anything malicious in the latest Windows\r\ninstaller.\r\nIn June, we were able to download the macOS installer for the 2.3.2 version of MiMi chat and verified it as\r\ngenuine. After downloading it again later, we found that the installer was replaced with a malicious version\r\nretrieving the rshell sample. This was proof that the attackers had direct access to the installers’ host server, and\r\nthat they were monitoring the versions published by the MiMi app developers in order to quickly insert a\r\nbackdoor.\r\nhttps://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html\r\nPage 1 of 8\n\nFigure 1. Downloaded installer before (left) and after (right) malware embedding\r\nIn this case, we can see that it took an hour and a half for the attackers to modify the legitimate installer and add\r\nmalicious code to it. For older versions, it took the attackers one day to inject their modifications.\r\nThe modification occurs in the electron-main.js file, which contains a block of code beginning with\r\n“eval(function(p,a,c,k,e,d)”, suggesting we are dealing with the Dean Edwards packer. \r\nFigure 2. 
Malicious Javascript code inserted into 2.3.2.dmg targeting macOS\r\nFigure 3. Deobfuscated malicious Javascript code\r\nOnce deobfuscated, we saw that the inserted code downloads rshell from the IP address 139[.]180[.]216[.]65 and\r\nexecutes it once run on the macOS platform. The delivered rshell malware is a new family we will discuss in a\r\nlater section.\r\nAfter looking at previous versions of this installer, we found that the first compromised version was 2.3.0, built on\r\nMay 26, 2022, while the previous version (2.2.10, published on May 6, 2022) was clean. This led us to our first\r\nassumption that Iron Tiger had access to the Mimi chat developer's backend between the two dates in May.\r\nHowever, a further look at our telemetry revealed older installers that had been compromised, this time aimed at\r\nWindows OS. Versions 2.2.0 and 2.2.1 (both built on November 23, 2021) had similar additions to the electron-main.js file.\r\nFigure 4. Malicious Javascript code inserted into 2.2.0.exe targeting Windows OS\r\nFigure 5. Deobfuscated malicious JavaScript code from 2.2.0.exe\r\nWe saw that one executable, one dynamic link library (DLL), and one binary file were being downloaded into the\r\ntemporary directory before running the executable. This is the typical way that this threat actor loads its files,\r\nexploiting DLL side-loading vulnerabilities in legitimate and usually signed executables. 
In this case, the\r\nexploited executable belongs to the DESlock+ product, as described last year when we analyzed another Iron\r\nTiger campaign, using malware HyperBro.\r\nMalware analysis\r\nrshell\r\nThe rshell executable is a standard backdoor and implements functions typical of similar backdoors:\r\n1. Collect OS information and send it to command and control (C\u0026C) server\r\n2. Receive commands from the C\u0026C server to execute\r\n3. Send command execution results back to the C\u0026C\r\nWe found multiple samples of this particular backdoor, with some of them in the Mach-O format (macOS\r\nplatform), while others were in the ELF format (Linux platform). The oldest sample we found was uploaded in\r\nJune 2021, with the first victim reported in mid-July 2021.\r\nThe OS information collection routine gathers the following information:\r\nGUID: (randomly generated guid, stored in /tmp/guid)\r\ncomputer name: uname (nodename)\r\nIP addresses: (getifaddrs)\r\nmessage type: login\r\nusername: _getpwuid (pw_name)\r\nversion: uname (release)\r\nOnce collected, the backdoor “packs” them into a Binary JSON (BSON) message and sends it over TCP to the\r\nC\u0026C in clear (unencrypted) form.\r\nFigure 6. Deserialized BSON packet (and displayed as JSON) with login message containing OS\r\ninformation\r\nThe message received from the C\u0026C is also in BSON format and contains the following fields:\r\nTable 1. 
Type and subtype of packets received from the C\u0026C\r\nType Subtype Explanation\r\nCmd Init Start new shell\r\nCmd close Kill shell\r\nCmd data Commands to execute in shell\r\nFile Init List root / directory\r\nFile Dir List directory\r\nFile down Prepare file for downloading\r\nFile read Read file (transfer bytes)\r\nFile close Close file\r\nFile upload Prepare file for uploading\r\nFile write Write file (transfer bytes)\r\nFile Del Delete file\r\nThe client also regularly sends a packet of type ‘keepalive’ to the C\u0026C.\r\nRunning the DMG installer on a macOS machine, the user is shown several warnings before the trojanized app is\r\ninstalled and run. At first, the Safari web browser asks the user to allow downloads from the given website. After\r\nchoosing “Allow,” downloading, and executing the DMG installer, another warning message about an unverified\r\ndeveloper is displayed.\r\nFigure 7. Unverified developer warning with the “Open” button noticeably missing\r\nTo override this warning, the user must open “System Preferences” and the “Security \u0026 Privacy” tab and click on\r\n“Open Anyway.”\r\nFigure 8. Security \u0026 Privacy tab to allow running apps from unverified developers\r\nAfterward, one more warning about the unverified developer is displayed. This time, however, the “Open” button\r\nappears in the prompt so the application can finally start.\r\nFigure 9. 
Unverified developer warning with the “Open” button enabled\r\nWe confirmed that both the legitimate and the malicious versions of the chat installer were unsigned, which means\r\nthe users of MiMi chat were probably used to all these extra steps to finally install the application despite all the\r\nmacOS watchguards.\r\nHyperBro\r\nThe HyperBro malware family has been around since 2017 and has been extensively analyzed. It was updated in\r\nmid-2019, which we described in detail in our Operation DRBControl paper.\r\nThe version used in this campaign is no different from what we already described in our previous Iron Tiger\r\ninvestigation. The only noteworthy element is the Authenticode signature of dlpprem32.dll, which is signed by a\r\n(now) revoked certificate belonging to “Cheetah Mobile Inc.” The said company was formerly known as Kingsoft\r\nInternet Software Holdings Limited; during our previous investigation on the group, we already found\r\none HyperBro DLL signed by a certificate belonging to Kingsoft.\r\nTargets\r\nWe found 13 different targets while following our sensors’ data. The only targeted countries were Taiwan and the\r\nPhilippines: five targets of HyperBro (four in Taiwan and one in the Philippines). Meanwhile, we found eight\r\ntargets for rshell: six in Taiwan, one in the Philippines, and one being in Taiwan and the Philippines.\r\nWhile we were unable to identify all the targets, these targeting demographics demonstrate a geographical region\r\nof interest for Iron Tiger. Among those targets, we could only identify one of them: a Taiwanese gaming\r\ndevelopment company. 
Interestingly, we found a sample from the Reptile rootkit framework in that same\r\ncompany, as well as network requests to a subdomain that belongs to Earth Berberoka’s infrastructure.\r\nWe also noticed network requests from a Taiwanese IT development company to the subdomain\r\ntrust[.]veryssl[.]org, and the subdomain center[.]veryssl[.]org is a C\u0026C for one of the rshell samples we found.\r\nThis suggests the company could be compromised by the same threat actor.\r\nTimeline\r\nJune 2021: Oldest Linux rshell sample found\r\nNovember 2021: Threat actor modified version 2.2.0 of Windows MiMi chat installer to download and\r\nexecute HyperBro backdoor\r\nMay 2021: Threat actor modified version 2.3.0 of Mac OS MiMi chat installer to download and execute\r\n“rshell” backdoor\r\nAttribution and conclusion\r\nWe attribute this campaign to Iron Tiger for multiple reasons. First, the dlpprem32.dll file linked to HyperBro\r\nshares certain characteristics (specifically imphash, RICH header) with previous samples already attributed to the\r\ngroup. Also, the file names involved in the decoding and loading of HyperBro are similar to those we witnessed\r\nduring our investigation last year.\r\nSecond, one of the Linux rshell samples used the IP address 45[.]142[.]214[.]193 as its C\u0026C. In 2020, that IP\r\naddress had a particular reverse DNS: nbaya0u2[.]example[.]com. During our Operation DRBControl\r\ninvestigation, we found a HyperBro sample that had 138[.]124[.]180[.]108 as its C\u0026C. This second IP address had\r\nnbaya0u1[.]example[.]com as its reverse DNS. 
However, as the rshell sample was found in 2021, we initially did\r\nnot find this correlation strong enough to attribute the rshell malware family to Iron Tiger.\r\nDespite the fact that some state-sponsored threat actors tend to share their malware tools (such as gh0st, PlugX,\r\nand Shadowpad), this is not the case for HyperBro as far as we know. The fact that we found this malware being\r\nused in this campaign is an additional indicator pointing towards Iron Tiger.\r\nWe also found some links to Earth Berberoka. From one of the victims where we found an rshell sample, we also\r\nfound a binary belonging to the Reptile rootkit framework, a rootkit identified as part of the arsenal of Earth\r\nBerberoka. We also noticed network communications from this victim to a subdomain of Earth Berberoka,\r\nsuggesting it could have been previously compromised by this threat actor. We noticed a different system in the\r\nsame situation, as well as network connections to the trust[.]veryssl[.]org subdomain. One of\r\nthe rshell samples had center[.]veryssl[.]org as the C\u0026C. Both findings suggest that those victims could be\r\ncompromised by both threat actors, or that Earth Berberoka is actually a subgroup of Iron Tiger. As a reminder,\r\nwhile investigating Earth Berberoka, we found multiple links to Iron Tiger that we detailed in our research.\r\nIndicators of Compromise (IOCs)\r\nYou will find the list of IOCs here.\r\nSource: https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html"
	],
	"report_names": [
		"irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html"
	],
	"threat_actors": [
		{
			"id": "452d2d74-e812-45d6-b0fe-b8a6cc4ebd01",
			"created_at": "2022-10-25T16:07:23.562676Z",
			"updated_at": "2026-04-10T02:00:04.662064Z",
			"deleted_at": null,
			"main_name": "Earth Berberoka",
			"aliases": [
				"GamblingPuppet"
			],
			"source_name": "ETDA:Earth Berberoka",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"AsyncRAT",
				"CinaRAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"PuppetLoader",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav",
				"Yggdrasil",
				"oRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e254cf33-e7f5-407b-a8a1-1a856a9f1c71",
			"created_at": "2025-01-21T02:00:03.599871Z",
			"updated_at": "2026-04-10T02:00:03.804511Z",
			"deleted_at": null,
			"main_name": "Operation DRBControl",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation DRBControl",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d2910b0-9fea-46a2-84e6-a043b1e023e4",
			"created_at": "2022-10-25T16:07:23.946958Z",
			"updated_at": "2026-04-10T02:00:04.80291Z",
			"deleted_at": null,
			"main_name": "Operation DRBControl",
			"aliases": [],
			"source_name": "ETDA:Operation DRBControl",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2664d6f5-f918-4978-87f8-f6afad7402c6",
			"created_at": "2023-01-06T13:46:39.393669Z",
			"updated_at": "2026-04-10T02:00:03.312065Z",
			"deleted_at": null,
			"main_name": "Earth Berberoka",
			"aliases": [
				"GamblingPuppet"
			],
			"source_name": "MISPGALAXY:Earth Berberoka",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434553,
	"ts_updated_at": 1775792241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8269696ef27d5db68cfb4b51946e7ccd937d98fe.pdf",
		"text": "https://archive.orkl.eu/8269696ef27d5db68cfb4b51946e7ccd937d98fe.txt",
		"img": "https://archive.orkl.eu/8269696ef27d5db68cfb4b51946e7ccd937d98fe.jpg"
	}
}