{
	"id": "d45210ac-e498-417a-b8b6-562fc463ffb3",
	"created_at": "2026-04-06T00:15:47.185341Z",
	"updated_at": "2026-04-10T03:33:07.196303Z",
	"deleted_at": null,
	"sha1_hash": "87c3e1b2308b2e772b3cabad1d85ec07a5826e0d",
	"title": "APT34 Deploys Phishing Attack With New Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66174,
	"plain_text": "APT34 Deploys Phishing Attack With New Malware\r\nBy: Mohamed Fahmy, Mahmoud Zohdy Sep 29, 2023 Read time: 5 min (1304 words)\r\nPublished: 2023-09-29 · Archived: 2026-04-05 13:14:58 UTC\r\nAPT \u0026 Targeted Attacks\r\nWe observed and tracked the advanced persistent threat (APT) group APT34 using a new malware variant in a phishing attack; the malware is comparable to the SideTwist backdoor. In this campaign, the group abused a fake license registration form of an African government agency to target a victim in Saudi Arabia.\r\nWe analyzed a new malware, which we attribute to the APT34 advanced persistent threat (APT) group, that was involved in a phishing attack. In August, our threat hunting activities identified a malicious document that we determined had been used in a targeted phishing attack by the group. The malicious document is responsible for dropping a new malware we have named Menorah (after the executable the document drops; the document itself is detected by Trend Micro as Trojan.W97M.SIDETWIST.AB) and for creating a scheduled task for persistence. The malware was designed for cyberespionage and is capable of fingerprinting the machine, reading and uploading files from it, and downloading additional files or malware.\r\nDuring our investigation, there was little information about the victims targeted by this malware. The file that APT34 used for this attack is named “MyCv.doc”, a license registration form related to the Seychelles Licensing Authority. However, the document contains pricing information in Saudi Riyal, which might indicate that the targeted victim was an organization inside the Kingdom of Saudi Arabia. 
This blog post provides an analysis of the group's latest malware and its capabilities, shows the attack process, and details the attackers' infrastructure.\r\nAPT34 background and targeting\r\nAPT34 is a covert cyberespionage group that specializes in targeting organizations within the Middle East. As we have previously covered, APT34 primarily focuses on collecting sensitive intelligence, employs spear phishing campaigns, and abuses advanced techniques to infiltrate and maintain access within targeted networks. Our monitoring suggests this group operates with a high degree of sophistication and seemingly vast resources, posing a significant cybersecurity challenge regionally and beyond.\r\nNotably, APT34 has been involved in high-profile cyberattacks against a diverse range of targets in the Middle East, including government agencies, critical infrastructure, telecommunications, and key regional entities. The group consistently develops and enhances its tools to evade detection by security solutions and researchers. In this research on APT34, we observed the group adopting novel data exfiltration methods. Researchers from NSFOCUS published a report on a new variant of the SideTwist malware used by APT34.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/\r\nPage 1 of 4\n\nInfection routine\r\nFigure 1. Malware infection routine\r\nThe infection starts when the targeted victim opens the malicious document: the document drops a hardcoded malware executable and creates a scheduled task for persistence. The document contains hidden macros that drop a .NET malware into the \u003c%ALLUSERSPROFILE%\\Office356\u003e directory, naming it Menorah.exe. 
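Hunting for the persistence described above: the following Python is an added example written for this page, not code from the Trend Micro analysis or from the malware. It parses Task Scheduler XML (as exported with schtasks /Query /XML) and flags any task whose Exec command resolves under the Office356 directory in %ALLUSERSPROFILE%, and separately notes a task named OneDriveStandaloneUpdater, the task name the analysis reports for Menorah.exe. The two task definitions and the environment values are constructed for the example; the XML namespace is the standard Task Scheduler one.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Task Scheduler XML namespace (Windows default).
NS = {'t': 'http://schemas.microsoft.com/windows/2004/02/mit/task'}

# Indicators from the analysis: drop directory under %ALLUSERSPROFILE% and the task name.
DROP_DIR = 'Office356'
SUSPECT_TASK_NAME = 'OneDriveStandaloneUpdater'

# Constructed environment values standing in for the host's real variables.
SAMPLE_ENV = {'ALLUSERSPROFILE': 'C:\\ProgramData', 'LOCALAPPDATA': 'C:\\Profiles\\Local'}

# Constructed sample: a task of the kind the macro is reported to create.
MALICIOUS_TASK_XML = '''<Task version='1.2' xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>
  <RegistrationInfo><URI>\\OneDriveStandaloneUpdater</URI></RegistrationInfo>
  <Actions Context='Author'>
    <Exec><Command>C:\\ProgramData\\Office356\\Menorah.exe</Command></Exec>
  </Actions>
</Task>'''

# Constructed sample: a benign task that also mentions OneDrive, to show the path check is what matters.
BENIGN_TASK_XML = '''<Task version='1.2' xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>
  <RegistrationInfo><URI>\\OneDrive Reporting Task</URI></RegistrationInfo>
  <Actions Context='Author'>
    <Exec><Command>%LOCALAPPDATA%\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe</Command></Exec>
  </Actions>
</Task>'''


def expand_windows_vars(value: str, env: dict) -> str:
    # Expand %NAME% references case-insensitively from the supplied mapping
    # (os.path.expandvars only understands %NAME% when running on Windows).
    def sub(match):
        return env.get(match.group(1).upper(), match.group(0))
    return re.sub(r'%([^%]+)%', sub, value)


def task_findings(task_xml: str, env: dict) -> list:
    # Return the reasons this task definition resembles the Menorah persistence task.
    root = ET.fromstring(task_xml)
    uri = root.findtext('t:RegistrationInfo/t:URI', default='', namespaces=NS)
    task_name = PureWindowsPath(uri).name
    drop_dir = PureWindowsPath(env['ALLUSERSPROFILE'], DROP_DIR)
    reasons = []
    if task_name.lower() == SUSPECT_TASK_NAME.lower():
        reasons.append('task name matches ' + SUSPECT_TASK_NAME)
    for exec_node in root.iterfind('.//t:Exec', NS):
        command = exec_node.findtext('t:Command', default='', namespaces=NS)
        # Strip surrounding double quotes that schtasks keeps around quoted paths.
        command = command.strip().strip(chr(34))
        path = PureWindowsPath(expand_windows_vars(command, env))
        # PureWindowsPath comparisons are case-insensitive, matching NTFS behaviour.
        if drop_dir in path.parents:
            reasons.append('executes from ' + str(drop_dir) + ': ' + str(path))
    return reasons


if __name__ == '__main__':
    for label, xml in (('malicious', MALICIOUS_TASK_XML), ('benign', BENIGN_TASK_XML)):
        print(label, task_findings(xml, SAMPLE_ENV))
```

On a live host, feed task_findings the XML of every task (schtasks /Query /XML, or the files under the System32 Tasks folder) together with the host's real %ALLUSERSPROFILE% value; the path check catches a renamed task, and the name check catches a task that was repointed at a different binary.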
The macro then creates a scheduled task named \"OneDriveStandaloneUpdater\" to execute Menorah.exe. Figure 2 shows a portion of the macro functions responsible for string transformation, decoding, and creation of the scheduled task.\r\nFigure 2. Macros for string transformation\r\nFigure 3. Creating a scheduled task to execute the Menorah.exe malware\r\nMalware analysis\r\nThe .NET malware delivered through the malicious document is primarily deployed for cyberespionage and has several capabilities: it can fingerprint the targeted machine, list directories and files, upload selected files from the compromised system, execute shell commands, and download files to the system.\r\nCompared to the previous SideTwist variant, the new variant has additional functions that hash and encode its traffic to the command and control (C\u0026C) server, making it stealthier and harder to detect. On execution, the malware first checks for a specific command-line argument; if the argument is absent, it terminates immediately. This check acts as a simple anti-analysis measure: an automated analysis environment such as a sandbox, which typically runs the sample without the expected argument, only sees the process exit before any malicious behavior.\r\nFigure 4. 
Checking for a specific argument\r\nWe identified the C\u0026C server, http[:]//tecforsc-001-site1[.]gtempurl.com/ads.asp, as a string subsequently used for HTTP communication. The malware also creates a timer that repeats a specific routine every 32,000 milliseconds (every 32 seconds) to schedule its communication with the C\u0026C server.\r\nThe malware then fingerprints the machine by collecting the machine name and username in the format {MachineName|Username}. It encodes this string as ASCII and calculates its MD5 hash. The hash is combined with the identity string in the format d@{MD5 hash}@MachineName|Username, XORed with a hardcoded string, and Base64-encoded, producing a fingerprint for the compromised system. This fingerprint is sent to the C\u0026C server as the content of an HTTP request, as shown in the figure below.\r\nFigure 5. Identifying the C\u0026C server\r\nFigure 6. Sending the “fingerprint” of the victim system\r\nUnfortunately, the C\u0026C server was inactive at the time of analysis. However, from the functions responsible for parsing the C\u0026C response, we expect the response to be an encrypted message that is further encoded in Base64. The decoded and decrypted message is split into an array, and each value in it represents part of the message received from the C\u0026C server. Based on these values, the malware performs specific actions on the machine.\r\nFrom static analysis, we observed that the malware can execute a command received from the C\u0026C server, list directories and files on the compromised system, upload specific files to the server, and download files. 
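The fingerprint scheme described above (MachineName|Username, its MD5, the d@ prefix, XOR with a hardcoded string, then Base64) can be reproduced to decode captured beacon bodies. The following Python is an added example written for this page, not code from the analysis or from the malware itself. The XOR key is a placeholder, because the hardcoded string is not published, and the machine and user names are constructed; recover_key_prefix goes one step beyond the text by using the fixed d@ prefix as known plaintext to recover the leading key bytes from a captured request.

```python
import base64
import hashlib
from itertools import cycle

# Hypothetical key: the real hardcoded XOR string is not given in the analysis.
XOR_KEY = b'example-key'


def xor_bytes(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR; the same function encrypts and decrypts.
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_fingerprint(machine_name: str, user_name: str, key: bytes = XOR_KEY) -> str:
    # 1. <MachineName>|<Username>, encoded as ASCII
    ident = f'{machine_name}|{user_name}'.encode('ascii')
    # 2. MD5 of that string, as lowercase hex
    digest = hashlib.md5(ident).hexdigest()
    # 3. d@<md5>@<MachineName>|<Username>
    plain = b'd@' + digest.encode('ascii') + b'@' + ident
    # 4. XOR with the hardcoded key, then Base64
    return base64.b64encode(xor_bytes(plain, key)).decode('ascii')


def decode_fingerprint(blob: str, key: bytes = XOR_KEY):
    # Reverse the scheme on a captured HTTP request body. Returns None when the
    # body does not decode to the expected structure (wrong key, or not this beacon).
    try:
        plain = xor_bytes(base64.b64decode(blob, validate=True), key).decode('ascii')
    except (ValueError, UnicodeDecodeError):
        return None
    # maxsplit=2 keeps any '@' inside a UPN-style username intact
    parts = plain.split('@', 2)
    if len(parts) != 3 or parts[0] != 'd' or len(parts[1]) != 32:
        return None
    _, digest, ident = parts
    machine, _, user = ident.partition('|')
    return {
        'machine': machine,
        'user': user,
        'md5': digest,
        # The embedded hash must be the MD5 of the identity string that follows it.
        'md5_matches': digest == hashlib.md5(ident.encode('ascii')).hexdigest(),
    }


def recover_key_prefix(blob: str, known_plain: bytes = b'd@') -> bytes:
    # Known-plaintext attack on the repeating XOR: every beacon starts with 'd@',
    # so XORing the first raw bytes with it yields the first key bytes.
    raw = base64.b64decode(blob)
    return bytes(r ^ p for r, p in zip(raw, known_plain))


if __name__ == '__main__':
    fp = build_fingerprint('WIN-TEST', 'analyst')
    print(fp)
    print(decode_fingerprint(fp))
    print(decode_fingerprint(fp, key=b'wrong'))
    print(recover_key_prefix(fp))
```

Because the plaintext after d@ is 32 lowercase hex characters followed by @, the same known-plaintext idea extends to the rest of the key: each candidate key byte at a given position is accepted only if it maps the ciphertext byte into the hex alphabet, which usually pins the key down from one or two captured beacons.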
The following are the malware's commands, values, and actions:\r\nTable 1. Malware's functions and commands received from the C\u0026C server\r\nCommand ID | Command | Function\r\n1 | Command starts with +sp | The malware receives a command and executes it on the compromised system.\r\n1 | Command starts with +f1 | The malware lists the files and directories under the base directory.\r\n1 | Command starts with +dn | The malware uploads a specific file to the C\u0026C server.\r\n2 | - | The malware downloads a file from the server to the compromised system.\r\nFigure 7. Decoded message split into an array based on the communication received from the C\u0026C server\r\nSimilarities to the SideTwist backdoor\r\nIn 2021, Check Point published an article about the SideTwist malware, which is written in native code. After comparing both malware variants, we found significant similarities in functionality, especially in the way the malware fingerprints the compromised system and communicates with the C\u0026C server. Both use the computer name and username to create the unique ID for the victim machine, but the 2021 variant uses a 4-byte hash instead of MD5 during ID creation. Both variants provide similar backdoor functionality: executing shell commands and uploading and downloading files.\r\nConclusions\r\nThe similarities to the SideTwist backdoor suggest that APT34 is in continuous development, changing and testing which routines and techniques will work. 
Typical of APT groups, APT34 demonstrates vast resources and varied skills, and will likely persist in customizing routines and social engineering techniques per targeted organization to ensure success in intrusion, stealth, and cyberespionage. The earlier variant of SideTwist is written in C, and this latest variant has a very similar set of functions in a .NET implementation. While the techniques and infection routine in this sample are not at the level of sophistication of the group's previously documented attacks, the techniques still work, so the group continues to reuse and depend on them. As previous reports on APT34 have noted, the group uses simple routines and changes that, for security analysts and researchers, do not take long to track and analyze. But the group's arsenal and skills enable it to rapidly create new pieces of malware and tools, allowing it to deploy continuously in successive cycles. Organizations should continuously keep their employees aware of the different techniques that attackers employ to target systems, proprietary information, and personal information.\r\nIndicators of Compromise (IOCs)\r\nSHA256 | Detection\r\n8a8a7a506fd57bde314ce6154f2484f280049f2bda504d43704b9ad412d5d618 | Trojan.W97M.SIDETWIST.AB\r\n64156f9ca51951a9bf91b5b74073d31c16873ca60492c25895c1f0f074787345 | Trojan.MSIL.SIDETWIST.AA\r\nURL\r\nhxxp://tecforsc-001-site1[.]gtempurl[.]com/ads.asp\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/"
	],
	"report_names": [
		"in-depth-look-apt-attack-tools-of-the-trade"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434547,
	"ts_updated_at": 1775791987,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/87c3e1b2308b2e772b3cabad1d85ec07a5826e0d.pdf",
		"text": "https://archive.orkl.eu/87c3e1b2308b2e772b3cabad1d85ec07a5826e0d.txt",
		"img": "https://archive.orkl.eu/87c3e1b2308b2e772b3cabad1d85ec07a5826e0d.jpg"
	}
}