{
	"id": "b6565800-852b-427a-926b-ad2d5ef35023",
	"created_at": "2026-04-06T00:11:21.80285Z",
	"updated_at": "2026-04-10T13:11:27.560687Z",
	"deleted_at": null,
	"sha1_hash": "8650ac0202915f2af72aa84517bb97d4e556f911",
	"title": "CUCKOO SPEAR Part 1: Analyzing NOOPDOOR from an IR Perspective",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1481028,
	"plain_text": "CUCKOO SPEAR Part 1: Analyzing NOOPDOOR from an IR\r\nPerspective\r\nBy Cybereason Security Services Team\r\nArchived: 2026-04-05 17:16:59 UTC\r\nThis Threat Analysis Report will delve into a newly discovered nation-state level threat Campaign tracked by\r\nCybereason as Cuckoo Spear. It will outline how the associated Threat Actor persists stealthily on their victims'\r\nnetwork for years, highlighting strategies used across Cuckoo Spear and how defenders can detect and prevent\r\nthese attacks.\r\nIn this report, Cybereason confirms the ties between Cuckoo Spear and the APT10 Intrusion Set by tying multiple\r\nincidents together and disclosing new information about this group’s new arsenal and techniques.\r\nThis is the first part of three regarding the Cuckoo Spear threat campaign. It introduces the Threat Actor, the\r\nrelated campaign and their arsenal, and details the TTPs observed during the various incidents. The next two parts\r\nare going to cover a reverse engineering of their arsenal (NOOPLDR/NOOPDOOR in particular) and how to fight\r\nagainst this threat actor.\r\nWe have published Indicators of Compromise, YARA rules and Python scripts related to this report; they\r\nare available on the following public GitHub repository: https://github.com/Cybereason-Open-Source/CuckooSpear/\r\nKEY POINTS\r\nNation-state Threat Actor targeting Japanese companies: Cybereason observed similar Tactics,\r\nTechniques and Procedures (TTPs) of the threat Campaign targeting different Japanese companies. The\r\nattack, focused on the manufacturing, politics and industrial sectors, is assessed to be part of cyber espionage.\r\nStealthy and advanced malware use: Cuckoo Spear is using the same malware across victims, which is a\r\nnew version of the malware previously called LODEINFO, part of APT10’s arsenal.
\r\nNOOPLDR and NOOPDOOR: Cybereason identified similarities with LODEINFO, but the malware identified\r\nacross multiple cases led to the unravelling of two new discoveries:\r\nNOOPLDR (a loader with two very different variants: a C# loader that also provides persistence, and a DLL file)\r\nNOOPDOOR (DGA-based C2 malware with C2 local network relaying capabilities)\r\nPersistence: Cybereason identified that some of the victims had the associated Threat Actor present in their\r\nnetwork for a time period between 2 and 3 years\r\nLuring Techniques: A variety of techniques were used to lure in potential victims, but the Threat Actors\r\nmainly rely on Phishing as the Initial Access vector\r\nhttps://www.cybereason.com/blog/cuckoo-spear-analyzing-noopdoor\r\nPage 1 of 18\n\nWhat is Cuckoo Spear?\r\nFor the past several years, since December 2019, the cybersecurity landscape has been continuously challenged by\r\nthe emergence and evolution of the LODEINFO malware. Recent investigations suggest the involvement of a\r\nChinese state-backed Advanced Persistent Threat (APT) group, likely APT10, in orchestrating these attacks. A\r\nrecent development identified ties between the Threat Actor utilizing LODEINFO and a new malware family\r\ncalled NOOPDOOR. Cybereason named this threat Campaign “Cuckoo Spear”.\r\nIn this report, the Cybereason team examined several key aspects regarding Cuckoo Spear:\r\nTechniques employed by the APT10 group to load the highly sophisticated malware: We'll explore the\r\nsophisticated functionalities and tactics that define the most recent iteration of the NOOPDOOR and\r\nNOOPLDR malware and their surrounding capabilities.\r\nA deep dive into the Threat Actor’s arsenal: During recent incident response activities, our team has\r\nuncovered and meticulously analyzed the newest arsenal deployed by the Threat Actor.
This analysis,\r\nfueled by advanced reverse engineering techniques, revealed a sophisticated set of tools designed for\r\nstealth infiltration, data exfiltration, and persistent access.\r\nStrategies for Threat Hunting and Defense: Leveraging open-source intelligence, Cybereason provides\r\nactionable insights on how organizations can effectively hunt and defend against these persistent threats.\r\nAttribution Summary\r\nVictimology\r\nCountry: Japan, India, Taiwan\r\nIndustries: Academic, Government, Manufacturing\r\nTTPs\r\nInitial Infection Vectors: Spear-Phishing; Exploit against public-facing applications (e.g. Array AG, FortiOS/FortiProxy and Proself)\r\nTechniques: DLL Side-Loading; MSBuild; Exploitation for Client Execution (e.g. CVE-2013-3900)\r\nMalwares\r\nDownloader / Malware Loader: DOWNIISA, NOOPLDR\r\nBackdoor: LODEINFO, NOOPDOOR\r\nInfostealer: MirrorStealer, MSRAStealer\r\nTools: Cobalt Strike\r\nIntrusion Set: Table of Threat Actors Behind NOOPDOOR\r\nNote: Cybereason began writing this article at the beginning of January 2024 after encountering multiple cases of\r\ncompromise from the same Threat Actor. The adversary was using weaponized tools that were not public at the\r\ntime. In the week of the 22nd of January 2024, threat intelligence reports from Trend Micro and ESET were\r\npublished highlighting similar findings.\r\nTrend Micro and ESET published their research findings at JSAC2024 regarding Threat Actors leveraging\r\nLODEINFO and the new backdoor dubbed NOOPDOOR. From the intrusion sets observed in multiple\r\ncampaigns, both companies have attributed the Threat Actors behind this campaign to a group related to APT10;\r\nspecifically, Trend Micro has attributed the Threat Actors as “Earth Kasha”.
Threat Actors behind NOOPDOOR\r\nconsisted of the Intrusion Sets represented in the table above during the campaign observed by Cybereason, ESET,\r\nand Trend Micro.\r\nThe actors behind NOOPDOOR not only utilized LODEINFO during the campaign, but also utilized the new\r\nbackdoor to exfiltrate data from compromised enterprise networks. The intention behind this behavior is likely\r\nespionage, as the Threat Actors targeted critical infrastructure sectors and academic institutions, which are often\r\nintelligence gathering targets.\r\nAPT10\r\nAPT10 is a sophisticated Chinese state-sponsored cyber espionage group that has been active since as early as 2006,\r\naccording to the Department of Defense. The information security community widely believes the group's focus is\r\nto support Chinese national security goals by gathering intelligence against the relevant targets. APT10 often\r\ntargets critical infrastructure sectors such as communications, manufacturing and various public sectors.\r\nCuckoo Spear\r\nCybereason documented the campaign as “Cuckoo Spear”.
Cuckoo Spear is related to the APT10 Intrusion Set\r\nbecause of the links made between various incidents from the Threat Actors “Earth Kasha” and “MirrorFace”,\r\nincluding both APT10’s old arsenal (LODEINFO) and the new arsenal presented in this report.\r\nThis attribution is based on four main aspects:\r\nThe arsenal used, mainly NOOPLDR and NOOPDOOR, which was first known to the public in January\r\n2024 but had remained on compromised networks for more than two years\r\nThe LODEINFO malware was identified during an incident also involving NOOPLDR/NOOPDOOR,\r\nlinking them together\r\nThe domains used as C2 infrastructure, showing many similarities with other APT10 campaigns\r\nThe similarity in techniques employed by the Threat Actor to carry out their attacks\r\nArsenal\r\nThis section describes the arsenal related to Cuckoo Spear observed in the different incidents Cybereason worked\r\non and the links that tie them together.\r\nBackdoor | Incident A | Incident B | Incident C | Incident D\r\nCobalt Strike / GOSICLOADER | | | YES |\r\nLODEINFO | | | | YES\r\nNOOPLDR-DLL | YES | YES | |\r\nNOOPLDR-C# | YES | YES | | YES\r\nDOWNJPIT | YES | | |\r\nIncident Start Date | April 2021 | May 2021 | November 2021 | October 2023\r\nTerminology\r\nCybereason re-used the naming convention established by Trend Micro and ESET, naming the loader\r\nNOOPLDR in reference to the NOOPDOOR backdoor that is loaded afterwards.
The names used in this report\r\nare the following:\r\nCampaign: Cuckoo Spear\r\nIntrusion Set: APT10\r\nThreat Actor: Earth Kasha / MirrorFace\r\nLODEINFO: Initial malware identified in one case where NOOPLDR and NOOPDOOR were discovered\r\nNOOPLDR-C#: C# Loader which loads NOOPDOOR\r\nNOOPLDR-DLL: DLL Loader which loads NOOPDOOR\r\nNOOPDOOR: Loaded shellcode that acts as a Command and Control beacon\r\nLODEINFO\r\nLODEINFO Execution Flow\r\nLODEINFO, named by JPCERT in their blog, is a backdoor known to be active since 2019. Threat actors often\r\ndeploy LODEINFO by utilizing DLL Side-loading, which loads the LODEINFO loader DLL into legitimate\r\nexecutables. This execution flow attempts to load the LODEINFO shellcode and execute the backdoor in memory.\r\nThe currently known LODEINFO version is v0.7.3 and was first observed in the wild in October 2023.\r\nThe interesting aspect of LODEINFO is that the developers change the C2 command functionality with each\r\nversion update, often removing previously supported commands. For example, the developers removed the C2\r\ncommand to remove files (rm) between v0.6.3 and v0.6.6, but this functionality came back after v0.6.8. The\r\ncomparative graph of backdoor commands provided by ITOCHU Cyber \u0026 Intelligence Inc consists of detailed\r\ninformation on the backdoor commands as well as the changes over the versions v0.6.5, v0.7.1, and v0.7.2/v0.7.3.\r\nGOSICLoader\r\nGOSICLoader is a Golang-based malware loader, which is responsible for loading Cobalt Strike. The loader\r\nabuses DLL Side-Loading, which loads GOSICLoader into the legitimate process jcef_helper.exe, a JetBrains plugin\r\nprocess.\r\nGOSICLoader Execution Flow\r\nDOWNJPIT\r\nDOWNJPIT is a fileless downloader dubbed by Kaspersky. DOWNJPIT is responsible for downloading,\r\ndecrypting and executing LODEINFO.
\r\nDOWNJPIT Execution Flow Presented By Kaspersky at HITCON 2021\r\nDOWNJPIT has been spotted in one of the incidents related to Cuckoo Spear.\r\nNOOPLDR / NOOPDOOR\r\nNOOPLDR/NOOPDOOR Execution Flow\r\nIn this report, Cybereason exhibits a new backdoor utilized by the Threat Actors called NOOPDOOR, as dubbed by\r\nESET and Trend Micro. NOOPDOOR is a 64-bit modular backdoor which utilizes DGA-based C2\r\ncommunication. The backdoor is seen to be loaded by a loader called NOOPLDR, which appears to have two\r\ndifferent variants.\r\nC#: Variant which relies on an MSBuild task\r\nDLL: Variant which relies on the DLL side-loading technique\r\nNOOPLDR is responsible for decrypting and executing NOOPDOOR, which utilizes a DGA to actively\r\ncommunicate with the C2 server.\r\nCybereason observed both LODEINFO and NOOPDOOR in one case. As mentioned in different reports, the Threat\r\nActors started to incorporate NOOPDOOR in their new campaigns. Based on the analysis of LODEINFO as\r\nwell as on the observation of these campaigns, LODEINFO appears to be utilized as a primary backdoor and\r\nNOOPDOOR acts as a secondary backdoor, keeping persistence within the corporate network.\r\nObserved Behaviors / TTPs\r\nIn this section, Cybereason outlines all the behaviors observed during incidents associated with the Cuckoo Spear\r\ncampaign.\r\nInitial Access\r\nOther reports documenting this Threat Actor mentioned the following vulnerabilities used as initial access vectors:\r\nCVE-2023-27997: Buffer overflow vulnerability in FortiOS and FortiProxy, which allows attackers to\r\nexecute arbitrary commands.\r\nCVE-2023-28461: Remote code execution (RCE) vulnerability on Array Networks Array AG series and\r\nvxAG.
\r\nCVE-2023-45727: Unauthenticated XML External Entity (XXE) vulnerability in Proself\r\nEnterprise/Standard Edition, Proself Gateway Edition, and Proself Mail Sanitize Edition, which allows\r\nattackers to gain unauthorized access to the environment.\r\nIn the Cuckoo Spear campaign, two out of those three vulnerabilities have been identified as initial access vector\r\nleads.\r\nSpear-phishing is the common initial access technique observed from Threat Actors utilizing LODEINFO; however,\r\nthe malicious actors have started to shift their tactics to exploiting vulnerabilities.\r\nPersistence\r\nNOOPDOOR must first be loaded on the victim machines, which is done through persistence mechanisms;\r\nCybereason observed three different methods.\r\nScheduled Tasks\r\nWMI Event Consumers\r\nWindows Services (Service DLL)\r\nScheduled Task\r\nThe Threat Actors maintain persistence within the environment by abusing Scheduled Tasks. The scheduled task\r\nconsists of the execution of MSBuild, which loads malicious XML files and compiles the NOOPDOOR loader at\r\nruntime.\r\nMSBuild Execution Via Scheduled Task\r\nWMI Event Consumers\r\nThe Threat Actors leverage a WMI event consumer, which executes the main action when it gets triggered by a\r\nfilter. The Threat Actor then utilizes ActiveScript, which appears to execute in the JScript engine. For the consumer\r\naction in this WMI event, the Threat Actor leverages MSBuild execution for the NOOPDOOR loader, similar to the\r\nscheduled task which also leverages MSBuild.\r\nUtilizing WMI event consumers is an alternate methodology to persist within the environment.\r\nWMI Event Consumers For NOOPDOOR\r\nThe process responsible for hosting WMI event consumers for scripting, such as ActiveScript, is scrcons.exe,\r\nwhich then spawns the necessary processes declared in its scripts.
\r\nNOOPLDR/NOOPDOOR Attack Tree\r\nWindows Services\r\nThreat actors also maintain persistence within the environment by creating malicious services that load unsigned\r\nDLL files.\r\nIn this case, unsigned DLL files are written to the C:\\Windows\\System32\\ folder.\r\nAn entry in the registry is found, indicating that this DLL is loaded under an svchost.exe process through a Service\r\nDLL.\r\nExtract From Velociraptor IR Tool\r\nThe screenshot above shows a registry key involving a Service named DssSvc and a ServiceDll configured to be\r\nC:\\Windows\\System32\\pgodb100.dll, which is in fact NOOPLDR (DLL version).\r\nTo summarize how Service DLLs are used as persistence, one technique involves creating a new Windows service\r\nhosted by svchost.exe. Here is an overview of the process:\r\nThreat Actor drops the NOOPLDR (DLL version) file on the disk: The DLL (for instance,\r\npgodb100.dll) containing the code to execute on system reboot is located in C:\\Windows\\System32\\.\r\nCreate a New Service: Establish a new service (for instance, DssSvc) with binPath set to svchost.exe.\r\nAdd ServiceDll Value: Include the ServiceDll value in the DssSvc service, pointing to the DLL dropped in\r\nstep 1.\r\nModify Registry: Adjust HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost to specify\r\nthe service's loading group.\r\nStart the Service: Initiate the DssSvc service.\r\nExecution: The DssSvc is launched, and its service DLL (pgodb100.dll, in our example) is loaded into an\r\nsvchost.exe process.\r\nThis method leverages the Windows service infrastructure to achieve persistence by loading a custom DLL into\r\nsvchost.exe, ensuring execution of the specified code on system restarts.\r\nFrom a detection perspective, defenders can look for the loading of unsigned DLLs under the following process:\r\nsvchost.exe -k netsvcs\r\nCommand \u0026 Control\r\nDomain Generation Algorithm 
(DGA)\r\nCybereason observed several domains created by the DGA, and will detail these aspects in the following sections.\r\nDGA Sample\r\nConnection To Internal Pivot\r\nAside from the C2 domains that connect to external IP addresses, Cybereason has also observed internal C2\r\ncommunications amongst the infected machines.\r\nCybereason identified processes injected with NOOPDOOR listening on the following TCP ports:\r\n5984\r\n47000\r\n8532\r\nThis allows the Threat Actor to connect to internal machines in case the external C2 is unavailable, streamlining\r\nC2 connections to an internal server that will be the sole point of communication with the Internet.\r\nInternal Communication To NOOPDOOR On Port 5984\r\nThis also gives the Threat Actor the capability to remotely control a machine that is not connected to the Internet or\r\nhas limited outbound network capability.\r\nC2 Servers \u0026 Domains\r\nDuring the different cases Cybereason observed, a Domain Generation Algorithm (DGA) has been used:\r\nwww.[DGA][.]com with [DGA] being the generated domain based off parameters such as the current date\r\nand a C2 URL hardcoded in LODEINFO\r\nwww.[DGA][.]net with [DGA] the same as above\r\n[DGA].[C2 domain].com\r\nUse of NO-IP Services\r\nThreat actors often use dynamic DNS services like No-IP to manage their command and control (C2)\r\ninfrastructure. Since the IP address of a C2 server can change frequently, using a dynamic DNS service helps\r\nmaintain consistent communication with malware or compromised systems.\r\nDue to their nature, it's more difficult for cybersecurity systems to track and blacklist IP addresses associated with\r\nDynamic DNS services as, by design, the IP addresses change on a regular basis.
This dynamic aspect helps\r\nThreat Actors avoid detection by security tools that rely on IP blacklists. Threat actors can create redundant\r\nsystems, ensuring that if one domain is taken down or blocked, others are still operational.\r\nCybereason identified the Threat Actor behind these attacks using the following domains through a service\r\nsimilar to NO-IP:\r\n3utilities[.]com\r\nonthewifi[.]com\r\nredirectme[.]net\r\nserveblog[.]net\r\nzapto[.]org\r\nhopto[.]org\r\nUse of Specific Domains\r\nIn addition to these NO-IP domains, Cybereason also witnessed additional domains being used. These domains\r\nwere mainly registered through registrars such as NAMECHEAP or Tucows.\r\nInfrastructure IP Addresses\r\nIn the screenshot below, Cybereason lists the IP addresses related to the domains that were resolved during the\r\nobservation period of each incident:\r\nResolved Cuckoo Spear IPs (VirusTotal)\r\nThose IP addresses are mostly hosted in Japan under hosting services such as Akamai or AS-CHOOPA. The other\r\ncountries are:\r\nUS (Cloudflare)\r\nDE\r\nNL\r\nVN\r\nLateral Movement\r\nScheduled Task\r\nIn one instance from Cuckoo Spear, the Threat Actor utilized scheduled tasks to conduct lateral movement within\r\nthe environment. They create the scheduled task by abusing schtasks.exe, which then creates the scheduled task\r\nresponsible for executing the C# Loader via MSBuild execution at startup.\r\nScheduled Task Creation On Remote Machine\r\nOnce the scheduled task creation is complete, another instance of schtasks.exe executes the created task\r\nimmediately on the remote machine.\r\nDefense Evasion\r\nThe Threat Actor deployed several defense evasion techniques in both NOOPDOOR and NOOPLDR.
\r\nAside from the attacker tools, the Threat Actor also deleted event logs on target systems.\r\nDiscovery Activity\r\nThe Threat Actor also displayed post-exploitation behavior, discovering the Active Directory through net.exe\r\ncommands or the local network through the ping.exe and nslookup.exe tools.\r\nMsbuild.exe - Resulting from the persistence capability, this command is responsible for injecting\r\nNOOPLDR inside pcwrun.exe after spawning the process\r\nPcwrun.exe or another arbitrary executable file present in C:\\Windows\\System32\\ - This process is\r\ncreated by the code loaded by msbuild.exe. As stated earlier, that process name varies depending on the C2\r\nconfiguration\r\nnet user Administrator /domain - Active Directory discovery related to the domain administrator\r\naccount\r\nnslookup - This command was used to discover existing machines on the network and their internal\r\nIP addresses\r\nping -n 1 [redacted] - This command is used to check connectivity to the specified IP of the internal\r\nmachines being searched for by the Threat Actor\r\ntasklist /v - This verbose command line under tasklist.exe indicates that detailed information about\r\nrunning processes is being gathered, potentially for reconnaissance or to find processes to inject into\r\nor terminate.\r\nPost-Exploitation Behavior Attack Tree\r\nIn one incident, the Threat Actors utilized the following CMD commands as part of the post-exploitation.
\r\n/ccopy \\\\[REDACTED]\\C$\\Windows\\System32\\Winevt\\Logs\\security.evtx\r\n/cdel C:\\Users\\[REDACTED]AppData\\Local\\Temp\\Cookie-* /f /q\r\n/cdel \\\\[REDACTED]\\C$\\Windows\\System32\\RegSSHelper.exe\r\n/cdel security.evtx\r\n/cnet group \"domain controllers\" /domain\r\n/cnet use * /del /y\r\n/cnet use \\\\[REDACTED]\\ipc$ [REDACTED] /user:[REDACTED]\r\n/cnet use \\\\[REDACTED]\\netlogon [REDACTED] /user:[REDACTED]\r\n/cnet user [REDACTED] /domain\r\n/cnet user [REDACTED] /domain\r\n/cnet user [REDACTED] /domain\r\n/cnet user [REDACTED] /domain\r\n/cnslookup [REDACTED]\r\n/cschtasks /create /s [REDACTED] /sc onstart /tn \"Microsoft\\Windows\\Windows Defender\\Windows Defender\r\nMaintenance\" /tr \"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe C:\\Windows\\system32\\\r\n[REDACTED].xml\" /ru System /u:\"[REDACTED]\" /p:\"[REDACTED]\" /f\r\n/cschtasks /run /s [REDACTED] /tn \"Microsoft\\Windows\\Windows Defender\\Windows Defender Maintenance\"\r\n/u:\"[REDACTED]\" /p:\"[REDACTED]\"\r\nThese findings are very similar to those from JPCERT published back in 2023:\r\nSource: https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_6_minakawa-saika-kubokawa_en.pdf\r\nAbout The Researchers\r\nJin Ito, Incident Response Engineer, Cybereason IR Team\r\nJin Ito is an Incident Response Engineer with the Cybereason Incident Response team. Formerly an Incident\r\nResponse Engineer at Fujitsu, he holds several cybersecurity certificates such as GREM, GCFA, and OSCP. Aside\r\nfrom his digital forensic responsibilities, he loves creating and reverse engineering malware.\r\nLoïc Castel, Incident Response Investigator, Cybereason IR Team\r\nLoïc Castel is an Investigator with the Cybereason IR team.
Loïc analyses and researches critical incidents and\r\ncybercriminals, in order to better detect compromises. In his career, Loïc worked as a security auditor in well-known organizations such as ANSSI (French National Agency for the Security of Information Systems) and as\r\nLead Digital Forensics \u0026 Incident Response at Atos. Loïc loves digital forensics and incident response, but is also\r\ninterested in offensive aspects such as vulnerability research.\r\nKotaro Ogino, CTI Analyst, Cybereason Security Operations Team\r\nKotaro is a CTI Analyst with the Cybereason Security Operations team. He is involved in threat hunting, threat\r\nintelligence enhancements and Extended Detection and Response (XDR). Kotaro has a bachelor of science degree\r\nin information and computer science.\r\nSource: https://www.cybereason.com/blog/cuckoo-spear-analyzing-noopdoor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/cuckoo-spear-analyzing-noopdoor"
	],
	"report_names": [
		"cuckoo-spear-analyzing-noopdoor"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e47e5bc6-9823-48b4-b4c8-44d213853a3d",
			"created_at": "2023-11-17T02:00:07.588367Z",
			"updated_at": "2026-04-10T02:00:03.453612Z",
			"deleted_at": null,
			"main_name": "MirrorFace",
			"aliases": [
				"Earth Kasha"
			],
			"source_name": "MISPGALAXY:MirrorFace",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af2a195b-fed2-4e2c-9443-13e9b08a02ae",
			"created_at": "2022-12-27T17:02:23.458269Z",
			"updated_at": "2026-04-10T02:00:04.813897Z",
			"deleted_at": null,
			"main_name": "Operation LiberalFace",
			"aliases": [
				"MirrorFace",
				"Operation AkaiRyū",
				"Operation LiberalFace"
			],
			"source_name": "ETDA:Operation LiberalFace",
			"tools": [
				"Anel",
				"AsyncRAT",
				"LODEINFO",
				"MirrorStealer",
				"UpperCut",
				"lena"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434281,
	"ts_updated_at": 1775826687,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8650ac0202915f2af72aa84517bb97d4e556f911.pdf",
		"text": "https://archive.orkl.eu/8650ac0202915f2af72aa84517bb97d4e556f911.txt",
		"img": "https://archive.orkl.eu/8650ac0202915f2af72aa84517bb97d4e556f911.jpg"
	}
}