{
	"id": "30737017-851e-452c-8ae6-6186244fcb6c",
	"created_at": "2026-04-06T00:16:05.075824Z",
	"updated_at": "2026-04-10T03:21:15.883998Z",
	"deleted_at": null,
	"sha1_hash": "88bc80f90a287f95f7ff6364b77fa0b6757c2dc5",
	"title": "The Curious Case of an Unknown Trojan Targeting German-Speaking Users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3706111,
	"plain_text": "The Curious Case of an Unknown Trojan Targeting German-Speaking Users\r\nPublished: 2016-06-21 · Archived: 2026-04-05 13:31:12 UTC\r\nLast week, an unidentified malware (with SHA-256 171693ab13668c6004a1e08b83c9877a55f150aaa6d8a624c3f8ffc712b22f0b) was discovered and circulated on Twitter by researcher @JAMES_MHT. Many researchers, including us, were unable to identify the malware, so we decided to dig a bit further.\r\nIn this post, we will share our findings about this malware: its targets, technical analysis, the related attacks and the threat actor behind it.\r\nTargets\r\nOne of the first things we wanted to know is whether this malware has a specific target. Thanks to researcher @benkow_, some open directories on the malware C\u0026C were discovered. One of the open directories contained logs of victim IPs and computer names:\r\nWhile there are not that many victim IPs logged on this particular C\u0026C, a look-up on ipintel.io showed a concentration of victims from Germany and Austria:\r\nhttps://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html\r\nPage 1 of 12\n\nIncidentally, a quick dump of the malware code reveals the strings “my_de” and “my_botnet”, where the “de” in the first string may refer to Germany’s country code:\r\nDue to this and the results of our analysis below, we tagged this malware DELoader (detected as W32/DELoader.A!tr).\r\nDELoader Analysis\r\nIn a nutshell, DELoader’s primary purpose is to load additional malware on the system. 
It does this by initially creating a suspended explorer.exe process:\r\nIt then proceeds to decrypt an embedded DLL from its body and inject it into explorer.exe:\r\nThe injected DLL then attempts to download a file from the link hxxp://remembermetoday4.asia/00/b.bin:\r\nAt the time of analysis, the malware C\u0026C had already been sinkholed. Code-wise, the malware expects to download a portable executable (PE) file, as it validates the MZ header of the downloaded file. If valid, this PE file is then copied to newly allocated memory:\r\nIt then searches for an instance of a running explorer.exe process, into which it injects the downloaded file using the CreateRemoteThread API:\r\nDELoader’s routine doesn’t tell much about its intentions, since its payload simply installs an additional PE file. This PE file could be any malware, or simply an updated copy of itself.\r\nEither way, it leads us to the next question: what is the motive behind DELoader?\r\nRelated Attacks\r\nThe registrant information of the malware C\u0026C, resdomactivationa.asia, leads us to the next clue:\r\nThe registrant details list someone named Aleksandr Sirofimov from Russia. 
Of course, we certainly don’t know if Aleksandr is a real person, a stolen identity, an alias for a group, or the ‘nom de guerre’ of an individual cybercriminal. However, the important thing is that these same registrant details have frequently been used in the past to register malicious domains.\r\nBelow is an overview of some of the related attacks we were able to correlate using the email address sir777alex@outlook.com:\r\nFrom the above graph we can extract the infection chain for DELoader, which is delivered through malicious JavaScript downloaders:\r\nSince the JavaScript downloaders come in ZIP files with “invoice” themes, they are most likely sent to victims as attachments to malicious emails.\r\nFurthermore, the above correlation enabled us to identify that the actor (or actors) using the name “Aleksandr” registered malicious domains as early as the 3rd quarter of 2015, while DELoader first surfaced by at least February of 2016.\r\nOne of the malicious tools “Aleksandr” used is a Zeus variation, an infamous banking Trojan whose source code was leaked five years ago. Here is a graph of some of the related Zeus variants out of the many Zeus C\u0026C domains “Aleksandr” registered:\r\nAn online search of the domain goodvin77787.in leads us to this blog. The blog talks about a DHL-themed Zeus campaign targeting German-speaking users, where all the related Zeus C\u0026Cs were registered using “Aleksandr’s” details.\r\nSo we now know that the person or persons behind “Aleksandr” have been (or are still) involved in a malicious campaign for stealing banking credentials. 
True to the nature of DELoader, the previous campaign also targeted German-speaking users.\r\nAre German-Speaking Users \"Aleksandr’s\" Only Target?\r\nAnother domain the individual or group known as “Aleksandr” registered is bestbrowser-2015.biz. This domain was used as a C\u0026C server for Android Marcher variants, an Android banking Trojan sold on Russian underground forums:\r\nInterestingly, these Trojans were configured to steal credentials from Australian banks. Below is a code snippet from one of the Android Marcher samples:\r\nIt is worth noting that these Marcher variants surfaced around the same time “Aleksandr” was running Zeus campaigns in the 3rd and 4th quarter of 2015. This suggests that he was running his malicious regional campaigns simultaneously.\r\nConclusion\r\nWhile DELoader is a relatively new malware, the findings in this research demonstrate that the threat actor behind it has actually been around for quite some time, and has left a substantial number of fingerprints across the Internet.\r\nHistorical information shows that the individual or group using the name “Aleksandr” has been involved in bank information theft not only from German-speaking users, but has also targeted Australian users. It is possible that DELoader may be used to aid similar purposes in the future.\r\nWe are unable to confirm the legitimacy of “Aleksandr’s” registrant details, or whether he (or they) is working with a group. We may, however, have an idea of where “Aleksandr” is located.\r\nEarlier, we showed that the geolocations of DELoader victims were concentrated in Germany and Austria. You might have also noticed that one of the IPs deviated from that area: it resolved to Kiev, Ukraine:\r\nThis is odd, since German is not a common language in Ukraine. 
So we theorized that this anomalous event may be due to someone testing DELoader.\r\nTo test our theory, we looked up the IP in the C\u0026C logs to find more information. Can you find the interesting string in the IP’s computer name below?\r\nHigh five if you found “ALEXANDR”.\r\n-= FortiGuard Lion Team =-\r\nIOCs\r\nDELoader SHA-256 hashes (all detected as W32/DELoader.A!tr):\r\nDomains registered by sir777alex@outlook.com:\r\nSource: 
https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html"
	],
	"report_names": [
		"the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434565,
	"ts_updated_at": 1775791275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/88bc80f90a287f95f7ff6364b77fa0b6757c2dc5.pdf",
		"text": "https://archive.orkl.eu/88bc80f90a287f95f7ff6364b77fa0b6757c2dc5.txt",
		"img": "https://archive.orkl.eu/88bc80f90a287f95f7ff6364b77fa0b6757c2dc5.jpg"
	}
}