{
	"id": "5d9f05f6-b8ee-4915-97ea-e3e0c6fc1fc7",
	"created_at": "2026-04-06T00:13:05.94939Z",
	"updated_at": "2026-04-10T13:11:48.360311Z",
	"deleted_at": null,
	"sha1_hash": "87c8b34cd0a0c5e4f24e74de83527365e531e69c",
	"title": "Titanium: the Platinum group strikes again",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 404132,
	"plain_text": "Titanium: the Platinum group strikes again\r\nBy AMR\r\nPublished: 2019-11-08 · Archived: 2026-04-02 10:37:23 UTC\r\nPlatinum is one of the most technologically advanced APT actors with a traditional focus on the APAC region. During recent analysis we discovered Platinum using a new backdoor that we call Titanium (named after a password to one of the self-executable archives). Titanium is the final result of a sequence of dropping, downloading and installing stages. The malware hides at every step by mimicking common software (protection-related software, sound driver software, DVD video creation tools).\r\nVictimology\r\nDuring our research we found that the main targets of this campaign were located in South and Southeast Asia.\r\nIntroduction\r\nhttps://securelist.com/titanium-the-platinum-group-strikes-again/94961/\r\nPage 1 of 10\r\nThe Titanium APT includes a complex sequence of dropping, downloading and installing stages, with deployment of a Trojan-backdoor as the final step. Almost every level of the system mimics known software, such as security software, software for making DVD videos, sound driver software, etc.\r\nIn every case the default distribution is:\r\n1. an exploit capable of executing code as a SYSTEM user\r\n2. a shellcode to download the next downloader\r\n3. a downloader to download an SFX archive that contains a Windows task installation script\r\n4. a password-protected SFX archive with a Trojan-backdoor installer\r\n5. an installer script (ps1)\r\n6. a COM object DLL (a loader)\r\n7. the Trojan-backdoor itself\r\nInfection vector\r\nWe believe the Titanium APT uses local intranet websites with malicious code to start spreading.\r\n1 – Shellcode\r\nAnother known way of spreading is the use of a shellcode that needs to be injected into a process. In this case it was winlogon.exe. Unfortunately, we don’t know how the shellcode was injected. See the shellcode description below.\r\n2 – Wrapper DLLs\r\nAttackers make active use of various kinds of ‘wrappers’. Each wrapper is usually a COM DLL, with the corresponding exported functions. The main purpose of these libraries is to decrypt and load an encrypted file (previously dropped somewhere) into the system memory (a payload) and then redirect calls to the wrapper itself to the payload’s exported functions.\r\nAnother type of wrapper DLL is designed to obtain a command line from its exported function argument passed by a caller and create a new process.\r\n3 – Windows task installer (SFX archive)\r\nThis is a password-encrypted SFX archive that can be downloaded via BITS Downloader. The password is hardcoded into the downloader and is used to decrypt the SFX archive via the -p command line argument. The main feature of this archive is that it contains the cURL executable code, compiled into a DLL. Its purpose is to install the Windows task to establish persistence in the infected system.\r\n4 – Trojan-Backdoor installer (SFX archive)\r\nThe backdoor itself uses an SFX archive which must be launched from the command line using a password to unpack it. All path examples here will be for the DVD making software; however, these notes can also be applied to any other known software paths.\r\n5 – BITS Downloader\r\nThis component is used to download encrypted files from the C\u0026C server, then decrypt and launch them.\r\nShellcode description\r\nThe shellcode itself contains position-independent code and doesn’t require previously loaded libraries (except Kernel32.dll). Its sole purpose is to connect to the hardcoded C\u0026C address, download an encrypted payload (the password-protected SFX archive), then decrypt and launch it using the hardcoded unpacking password. The usual command line is:\r\n\"rundll32 \"$temp\\IOZwXLeM023.tmp\",GetVersionInfo -t 06xwsrdrub2i84n6map3li3vz3h9bh4vfgcw\"\r\nBITS Downloader description\r\nThe BITS Downloader is a DLL file which has only one exported function: GetVersionInfoA. The main purpose of this library is to download files in encrypted form from the C\u0026C and launch them.\r\nExecution sequence\r\nThe first thing the downloader does is check whether it was started as the SYSTEM user. If it was, it launches the command line arguments (that were passed to the binary loaded by the downloader DLL) using WMI. If it wasn’t started as the SYSTEM user, the downloader passes the command line arguments into the argument parser.\r\nArgument parser\r\nKey | Parameter | Description\r\n-c | URL | Specifies a URL address where system information will be sent\r\n-t | STRING | An additional string that will be appended to a request string to the C\u0026C\r\n-u | URL | Confirmation URL where the downloader will send various confirmations or request data. It is possible to build in two additional confirmation URLs\r\n-br | GUID | Stops a payload download. The GUID parameter must provide a download task GUID\r\nIf one of these parameters exists, the downloader will collect information about installed antivirus products and send it to the C\u0026C.\r\nAfter that, it sends the download request to the confirmation URL. In response, the C\u0026C sends a file that will be downloaded into the %USERPROFILE% directory.\r\nTo decrypt the downloaded file, the downloader uses an MD5 hash of the strings’ encryption key.\r\nConfirmation URL request and file downloading\r\nDefault (hardcoded) URL: http://70.39.115.196/payment/confirm.gif\r\nThe request is a string such as:\r\nhttp://70.39.115.196/payment/confirm.gif?f=1 (x86)\r\nhttp://70.39.115.196/payment/confirm.gif?f=2 (x64)\r\nPayload decryption and launch\r\nThis is the structure of the encrypted file:\r\ntypedef struct {\r\n    byte hash[16]; // md5 hash of the following data\r\n    dword data_size;\r\n    byte data[data_size];\r\n} enc_data;\r\nThe downloader checks the hash field against an MD5 computed over the data field, and if the hash is correct, performs the following actions:\r\nAppends an extension (DLL or EXE, depending on data type)\r\nStores the downloaded file in the %TMP% folder using the name %(SystemTimeAsFileTime.dwLowDateTime).%TMP\r\nThen the downloader specifies a command line to launch the downloaded file. If the file is a DLL, the final command line will be:\r\n\"%systemroot%\\system32\\rundll32.exe %(SystemTimeAsFileTime.dwLowDateTime)%.TMP,-peuwewh383eg -t 06xwsrdrub2i84n6map3li3vz3h9bh4vfgcw\"\r\nIf the file is an EXE file:\r\n%(SystemTimeAsFileTime.dwLowDateTime)%.TMP -peuwewh383eg -t 06xwsrdrub2i84n6map3li3vz3h9bh4vfgcw\r\nAfter that, the downloader deletes itself using the following command line:\r\n/c for /L %i in (1,1,100) do ( for /L %k in (1,1,100) do (del /f /q module_path \u003e NUL \u0026 if not exist module_path exit /b 0))\r\nFile launching\r\nTo launch the downloaded file, the downloader uses the WMI classes Win32_ProcessStartup and Win32_Process and their methods and fields.\r\nFile downloading using BITS\r\nTo download a file, the downloader uses the BITS service and its COM interface, IBackgroundCopyManager. It creates a task with the name Microsoft Download, then specifies remote and local file paths and timeouts.\r\nWindows task installation (SFX archive with cURL)\r\nIt contains:\r\nName | Description\r\np.bat | Launches cURL and obfuscated ps1 scripts\r\nc.dll | cURL executable compiled as a DLL (7.50.3)\r\nf1.ps1 | Will be executed after the first request to the C\u0026C; decrypts x.dat\r\nf2.ps1 | Will be executed after the second request to the C\u0026C; decrypts b.dat\r\ne.ps1 | Contains code that calculates a string for the Authorization field of the HTTP header\r\nh.ps1 | Gets information about the system proxy settings\r\ne.dll | A DLL file with a single exported function; calls CreateProcessA\r\nIt downloads:\r\nSource file | Downloaded and decrypted file | Description\r\nx.dat | u.xml | AES-encrypted file (see f1.ps1 for decryption algorithm)\r\nb.dat | i.bat | AES-encrypted file (the same decryption algorithm)\r\nThe result:\r\nName | Description\r\ni.bat | Performs Windows task installation\r\nWhen a caller (previous step) executes this archive, it must specify two arguments:\r\nArgument | Description\r\n-pKEY | Argument with a key to unpack the SFX archive\r\n-t ACCEPTANCE_ID_STRING | Argument with a long string – AcceptanceID (used in requests to the C\u0026C)\r\np.bat\r\nIt launches the h.ps1 script to get information about system-wide proxy settings. After that it launches the e.ps1 script to calculate the SystemID that will be used in requests to the C\u0026C. To send a request, it uses c.dll (which is cURL and has an exported function called DllGetClassObject).\r\nRequest 1\r\nCommand line arguments:\r\nWhere:\r\nParameter | Description\r\n%pp% | System-wide proxy\r\n%output% | SystemID\r\n%p3% | AcceptanceID\r\nThis request downloads the x.dat file, and the f1.ps1 script decrypts it into u.xml. After that it launches the next request.\r\nRequest 2\r\nCommand line arguments:\r\nIt downloads the b.dat file, and the f2.ps1 script decrypts it into i.bat (using the same decryption algorithm).\r\nTask installation\r\nAfter that, it launches the following command line to install the persistence task:\r\nThe i.bat file uses the previously decrypted u.xml file as the task description.\r\nTrojan-backdoor installer\r\nThe archive unpacks its files into the following folder (in the case of DVD making software):\r\nThe archive itself contains:\r\nName | Description\r\nBabyBoyStyleBackground.wmv | Configuration data\r\nDvDupdate.dll | Trojan-backdoor loader\r\nnav_downarrow.png | Trojan-backdoor\r\npsinstrc.ps1 | Loader installation script\r\nIn the case of the audio driver software mimic, it differs only in its installation method compared to the DVD making software: the ps1 script uses two known CLSIDs to replace their COM DLL paths with malicious ones.\r\npsinstrc.ps1\r\nThis is the installer script that registers DvDupdate.dll as the ‘DVDMaker Help’ service, and sets its entry point as the DllGetClassObject name. It requires admin privileges to be executed correctly. The script contains configurable parameters, so it’s easy to change any of the required parameters for different systems.\r\nThere are two ways the loader can be installed:\r\nSystem service, with the DllGetClassObject exported function as the ServiceMain function\r\nCOM object, by replacing an existing CLSID registry path with its own\r\nDvDupdate.dll\r\nThis is a service DLL, but with all the same exports you would expect from a COM object. Basically, it’s a payload loader. The whole code is obfuscated with different Windows API calls and loops. It wasn’t designed to confuse a reverse engineer or to make reverse engineering harder, but to bypass some simple AV emulation engines. The first exported function for every COM object is DllGetClassObject.\r\nDllGetClassObject\r\nThe loader creates a thread that decrypts the payload, restores its PE and MZ headers, and then loads it into memory and launches it. The payload is encrypted with AES 256 CBC. The decryption key is hardcoded along with other encrypted strings. The encrypted payload doesn’t contain the ‘MZ’ and ‘PE’ tags, which allows it to bypass simple AV engines. After initializing the payload, the loader calls its function with ordinal 1.\r\nnav_downarrow.png\r\nThe payload, with backdoor functionality, is a DLL file. The malware functionality is in the first exported entry only.\r\nnav_downarrow.png – Ordinal 1 (Trojan-backdoor main function)\r\nThe first thing that it does is decrypt the other encrypted binary (containing configuration data) from the SFX content:\r\nThe configuration itself is divided into blocks, and every block has its own index. The payload uses these indices to get a specific item. The configuration contains:\r\nthe C\u0026C address\r\nthe traffic encryption key\r\nthe UserAgent string\r\nother less important parameters\r\nExecution thread\r\nThe execution thread is responsible for receiving commands from the C\u0026C server and sending responses. It contains an execution loop that starts by reading configuration item #00 to get the C\u0026C address.\r\nInitializing C\u0026C communication\r\nTo initialize the connection to the C\u0026C, the payload sends a base64-encoded request that contains a unique SystemID, computer name, and hard disk serial number. After that, the malware starts receiving commands.\r\nReceiving commands\r\nTo receive commands from the C\u0026C, the payload sends an empty request to the C\u0026C. It uses the UserAgent string from the configuration and a special cookie generation algorithm to prepare a request. The malware can also get proxy settings from Internet Explorer.\r\nIn response to this request, the C\u0026C answers with a PNG file that contains steganographically hidden data. This data is encrypted with the same key as the C\u0026C requests. The decrypted data contains backdoor commands and arguments for them.\r\nExamples of PNG files:\r\nC\u0026C command processor (command descriptions)\r\nThe backdoor can accept many different commands, with the following among the most interesting:\r\nRead any file from the file system and send it to the C\u0026C\r\nDrop or delete a file in the file system\r\nDrop a file and run it\r\nRun a command line and send execution results to the C\u0026C\r\nUpdate configuration parameters (except the AES encryption key)\r\nInteractive mode – allows the attacker to receive input from console programs and send their output to the C\u0026C\r\nConclusions\r\nThe Titanium APT has a very complicated infiltration scheme. It involves numerous steps and requires good coordination between all of them. In addition, none of the files in the file system can be detected as malicious due to the use of encryption and fileless technologies. One other feature that makes detection harder is the mimicking of well-known software.\r\nRegarding campaign activity, we have not detected any current activity related to the Titanium APT.\r\nSource: https://securelist.com/titanium-the-platinum-group-strikes-again/94961/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/titanium-the-platinum-group-strikes-again/94961/"
	],
	"report_names": [
		"94961"
	],
	"threat_actors": [
		{
			"id": "7d8ef10e-1d7b-49a0-ab6e-f1dae465a1a4",
			"created_at": "2023-01-06T13:46:38.595679Z",
			"updated_at": "2026-04-10T02:00:03.033762Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"TwoForOne",
				"G0068",
				"ATK33"
			],
			"source_name": "MISPGALAXY:PLATINUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e61c46f7-88a1-421a-9fed-0cfe2eeb820a",
			"created_at": "2022-10-25T16:07:24.061767Z",
			"updated_at": "2026-04-10T02:00:04.854503Z",
			"deleted_at": null,
			"main_name": "Platinum",
			"aliases": [
				"ATK 33",
				"G0068",
				"Operation EasternRoppels",
				"TwoForOne"
			],
			"source_name": "ETDA:Platinum",
			"tools": [
				"AMTsol",
				"Adupib",
				"Adupihan",
				"Dipsind",
				"DvDupdate.dll",
				"JPIN",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"RedPepper",
				"RedSalt",
				"Titanium",
				"adbupd",
				"psinstrc.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33f527a5-a5da-496a-a48c-7807cc858c3e",
			"created_at": "2022-10-25T15:50:23.803657Z",
			"updated_at": "2026-04-10T02:00:05.333523Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"PLATINUM"
			],
			"source_name": "MITRE:PLATINUM",
			"tools": [
				"JPIN",
				"Dipsind",
				"adbupd"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434385,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/87c8b34cd0a0c5e4f24e74de83527365e531e69c.pdf",
		"text": "https://archive.orkl.eu/87c8b34cd0a0c5e4f24e74de83527365e531e69c.txt",
		"img": "https://archive.orkl.eu/87c8b34cd0a0c5e4f24e74de83527365e531e69c.jpg"
	}
}