{
	"id": "62a51c4a-4d8d-40e2-80e9-7fbdbd342f69",
	"created_at": "2026-04-06T00:21:49.040444Z",
	"updated_at": "2026-04-10T13:12:06.132079Z",
	"deleted_at": null,
	"sha1_hash": "89159a6ee2a6c241e3f70ce67bc799fb062dea4c",
	"title": "Threat Actors Target Government of Belarus Using CMSTAR Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4590489,
	"plain_text": "Threat Actors Target Government of Belarus Using CMSTAR Trojan\r\nBy Josh Grunzweig, Robert Falcone\r\nPublished: 2017-09-28 · Archived: 2026-04-05 18:54:55 UTC\r\nPalo Alto Networks Unit 42 has identified a series of phishing emails containing updated versions of the previously\r\ndiscussed CMSTAR malware family targeting various government entities in the country of Belarus.\r\nWe first reported on CMSTAR in spear phishing attacks in spring of 2015 and later in 2016.\r\nIn this latest campaign, we observed a total of 20 unique emails between June and August of this year that included two new\r\nvariants of the CMSTAR Downloader. We also discovered two previously unknown payloads. These payloads contained\r\nbackdoors that we have named BYEBY and PYLOT respectively.\r\nFigure 1 Diagram of the attack sequence\r\nPhishing Emails\r\nBetween June and August of this year, we observed a total of 20 unique emails being sent to the following email addresses:\r\nEmail Address Description\r\npress@mod.mil[.]by Press Service of the Ministry of Defense of the Republic of Belarus\r\nbaranovichi_eu@mod.mil[.]by Baranovichi Operational Management of the Armed Forces\r\nmodmail@mod.mil[.]by Ministry of Defense of the Republic of Belarus\r\nadmin@mod.mil[.]by Ministry of Defense of the Republic of Belarus\r\nitsc@mod.mil[.]by Unknown. Likely used by Ministry of Defense of the Republic of Belarus\r\nmineuvs@mod.mil[.]by Minsk Operational Administration of the Armed Forces\r\ninform@mod.mil[.]by Unknown. Likely used by Ministry of Defense of the Republic of Belarus\r\nuporov_milcoop@mod.mil[.]by Unknown. Likely used by Ministry of Defense of the Republic of Belarus\r\nvideo@gpk.gov[.]by State Border Committee of the Republic of Belarus\r\narmscontrol@mfa.gov[.]by International Security and Arms Control Department, Ministry of Foreign Affairs\r\nablameiko@mia[.]by Unknown. 
Likely used by the Ministry of Internal Affairs of the Republic of Belarus\r\nThese emails contained a series of subject lines, primarily revolving around the topic of Запад-2017 (‘West-2017’), also\r\nknown in English as Zapad 2017. Zapad 2017 was a series of joint military exercises conducted by the Armed Forces of the\r\nRussian Federation and the Republic of Belarus, held from September 14th to 20th in 2017.\r\nThe full list of subject lines is as follows:\r\nFwd:Подготовка к Запад-2017 [Translation: Fwd:Preparing for the West-2017]\r\nвыпуск воспитанников [Translation: graduation]\r\nК Запад-2017 [Translation: To West-2017]\r\nЗапад-2017 [Translation: West-2017]\r\nhttps://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan\r\nPage 1 of 14\n\nAn example of some of the previously mentioned emails may be seen below.\r\nFigure 2 Phishing email sent to Belarus government (1/2)\r\nFigure 3 Phishing email sent to Belarus government (2/2)\r\nDecoy Documents\r\nWe observed that the attachments used in these emails contained a mixture of file types: RTF documents, Microsoft Word\r\ndocuments, and a RAR archive. The RAR archive contained a series of images, a decoy document, and a Microsoft\r\nWindows executable within it. 
The executable has a .scr file extension, and is designed to look like a Windows folder, as\r\nseen below:\r\nFigure 4 Payload disguising itself as a Microsoft Windows folder\r\nThe rough translation of the folder and file names above is ‘Preparations for large-scale West-2017 exercises in this format\r\nare being held for the first time.’ Within the actual folder, there are a series of JPG images, as well as a decoy document with\r\na title that is translated to ‘Thousands of Russian and Belarusian military are involved in the training of the rear services.’\r\nFigure 5 Embedded images and decoy document within RAR\r\nThe decoy document contains the following content:\r\nFigure 6 Decoy document within RAR\r\nThe other RTF and Word documents used additional decoy documents, which can be seen below.\r\nFigure 7 Decoy document with translation (1/2)\r\nFigure 8 Decoy document with translation (2/2)\r\nWhile we observed different techniques being used for delivery, all attachments executed a variant of the CMSTAR malware\r\nfamily. We observed minor changes between variants, which we discuss in the CMSTAR Variations and Payloads section of\r\nthe blog post.\r\nThe Word documents, which we track as Werow, employ malicious macros for their delivery. More information about these\r\nmacros may be found in the Appendix of the blog post. Additionally, we have included a script that extracts these embedded\r\npayloads, which can also be found in the Appendix.\r\nThe RTF documents made use of CVE-2015-1641. This vulnerability, patched in 2015, allows attackers to execute malicious\r\ncode when these specially crafted documents are opened within vulnerable instances of Microsoft Word. 
The payload for\r\nthese samples is embedded within them and obfuscated using a 4-byte XOR key of 0xCAFEBABE. We have included a\r\nscript, found in the Appendix, that can be used to statically extract the underlying payload of these RTFs.\r\nThe SCR file mentioned previously drops a CMSTAR DLL and runs it via an external call to rundll32.exe.\r\nCMSTAR Variations and Payloads\r\nIn total, we observed three variations of CMSTAR in these recent attacks against Belarusian targets. The biggest change\r\nobserved between them looks to be minor modifications made to the string obfuscation routine. A very simple change\r\nto the digit used in subtraction was made between the variants, as shown below:\r\nFigure 9 String obfuscation modifications between CMSTAR variants\r\nThe older variation, named CMSTAR.A, was discussed in a previous blog post entitled, “Digital Quartermaster Scenario\r\nDemonstrated in Attacks Against the Mongolian Government.”\r\nThe CMSTAR.B variant was witnessed using both a different mutex from CMSTAR.A, as well as a slightly modified string\r\nobfuscation routine. The mutexes used by CMSTAR ensure that only one instance of the malware runs at a time. The\r\nCMSTAR.C variant used the same mutex as CMSTAR.B, however, again used another slightly modified string obfuscation\r\nroutine. We found all CMSTAR variants using the same obfuscation routine when a payload was downloaded from a remote\r\nserver. 
We have included a tool to extract mutex and C2 information from all three CMSTAR variants, as well as a tool to\r\ndecode the downloaded payload: both may be found in the Scripts section.\r\nAn example of CMSTAR downloading its payload may be found below:\r\nFigure 10 Example HTTP download by CMSTAR\r\nWhen expanding the research to identify additional CMSTAR.B and CMSTAR.C variants, we identified a total of 31\r\nsamples. Of these 31 samples, we found two unique payloads served from three of the C2 URLs, one of which was\r\ndownloaded from a sample found in the phishing attacks previously described. Both payloads contained previously\r\nunknown malware families. We have named the payload found in the email campaign PYLOT, and the malware downloaded\r\nfrom the additional CMSTAR samples BYEBY.\r\nBoth malware families acted as backdoors, allowing the attackers to execute commands on the victim machine, as well as a\r\nseries of other functions. More information about these individual malware families may be found in the appendix.\r\nConclusion\r\nDuring the course of this research, we identified a phishing campaign consisting of 20 unique emails targeting the\r\ngovernment of Belarus. The ploys used in these emails and decoy documents revolved around a joint strategic military\r\nexercise of the Armed Forces of the Russian Federation and the Republic of Belarus, which took place between September\r\n14th and September 20th of this year. While looking at the emails in question, we observed two new variants of the\r\nCMSTAR malware family. 
Between the samples identified and others we found while expanding our research scope, we\r\nidentified two previously unknown malware families.\r\nPalo Alto customers are protected from this threat in the following ways:\r\nTags have been created in AutoFocus to track CMSTAR, BYEBY, and PYLOT\r\nAll observed samples are identified as malicious in WildFire\r\nDomains observed to act as C2s have been flagged as malicious\r\nTraps 4.1 identifies and blocks the CVE-2015-1641 exploit used in these documents\r\nTraps 4.1 blocks the macros used in the malicious Word documents\r\nA special thanks to Tom Lancaster for his assistance on this research.\r\nAppendix\r\nWerow Macro Analysis\r\nThe attacker used the same macro dropper in all of the observed Microsoft Word documents we analyzed for this campaign. It\r\nbegins by building the following path strings:\r\n%APPDATA%\\d.doc\r\n%APPDATA%\\Microsoft\\Office\\WinCred.acl\r\nThe ‘d.doc’ path will be used to store a copy of the Word document, while the ‘WinCred.acl’ will contain the dropped\r\npayload, which is expected to be a DLL.\r\nFigure 11 Macro used to drop CMSTAR\r\nWerow uses rudimentary obfuscation to hide and re-assemble the following strings:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinCred\r\nrundll32 %APPDATA%\\Microsof\\Office\\WinCred.acl ,WinCred\r\nThese strings will be used at the end of the macro’s execution to ensure persistence via the Run registry key.\r\nThe malware proceeds to read an included overlay within the original Word document from a given offset. This data is\r\ndecoded using an XOR operation, as well as an addition operation. 
It can be represented in Python as follows:\r\n# Python 2: data and key are byte strings (str). Each byte that is neither zero nor\r\n# equal to the current key byte is XORed with the key byte, after which the key\r\n# byte is advanced by key_offset (mod 256); other bytes are copied unchanged.\r\ndef decrypt_xor(data, key, key_offset):\r\n  output = \"\"\r\n  seed = ord(key)\r\n  for d in data:\r\n    ord_d = ord(d)\r\n    if ord_d != 0 and ord_d != seed:\r\n      nvalue = ord_d ^ seed\r\n      seed = (seed + key_offset) % 0x100\r\n      output += chr(nvalue)\r\n    else:\r\n      output += d\r\n  return output\r\nOnce this overlay is decoded, it is written to the ‘WinCred.acl’ file and loaded with the ‘WinCred’ export. A script has been\r\nprovided in the Scripts section that, in conjunction with oletools, can statically extract the embedded DLL payload from\r\nthese documents.\r\nRTF Shellcode Analysis\r\nThe RTF documents delivered in this attack campaign appear to be created by the same builder. All of the RTF files attempt\r\nto exploit CVE-2015-1641 to execute shellcode on the targeted system. Please reference https://technet.microsoft.com/en-us/library/security/ms15-033.aspx for more information.\r\nThe shellcode executed after successful exploitation begins by resolving the API functions it requires by enumerating the\r\nAPI functions within loaded modules in the current process. It then builds the following list of values:\r\nROR7 ROR7^0x10ADBEEF API Func\r\n1a22f51 110f91be WinExec\r\n741f8dc4 64b2332b WriteFile\r\n94e43293 84498c7c CreateFileA\r\ndaa7fe52 ca0a40bd UnmapViewOfFile\r\ndbacbe43 cb0100ac SetFilePointer\r\nec496a9e fce4d471 GetEnvironmentVariableA\r\nff0d6657 efa0d8b8 CloseHandle\r\nThe shellcode then enumerates the API functions, subjects them to a ROR7 hashing routine and XORs the resulting hash\r\nwith 0x10ADBEEF. It uses the result of this arithmetic to compare with the list of values above to find the API functions it\r\nrequires to carry out its functionality.\r\nAfter resolving the API functions, the shellcode then begins searching for the embedded payload and decoy within the initial\r\nRTF file. It does so by searching the RTF file for three delimiters, specifically 0xBABABABABABA, 0xBBBBBBBB and\r\n0xBCBCBCBC, which the shellcode uses to find the encrypted payload and decoy. The shellcode then decrypts the payload\r\nby XOR'ing four bytes at a time with the key 0xCAFEBABE, and decrypts the decoy by XOR'ing four bytes at a time using\r\nthe key 0xBAADF00D. Here is a visual representation of the delimiters and embedded files:\r\nAfter decrypting the payload, it saves the file to the following location:\r\n%APPDATA%\\Microsoft\\Office\\OutL12.pip\r\nThe shellcode then creates the following registry key to automatically run the payload each time the system starts:\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run : Microsoft\r\nThe shellcode saves the following command to this autorun key, which will execute the OutL12.pip payload, specifically\r\ncalling its 'WinCred' exported function:\r\nrundll32.exe \"%APPDATA\\Roaming\\Microsoft\\Office\\OutL12.pip\",WinCred\r\nThe shellcode will then overwrite the original delivery document with the decrypted decoy contents and open the new\r\ndocument.\r\nPYLOT Analysis\r\nThis malware family was named via a combination of the DLL's original name of ‘pilot.dll’, along with the fact it downloads\r\nfiles with a Python (.py) file 
extension.\r\nPYLOT begins by being loaded as a DLL with the ServiceMain export. It proceeds to create the following two folders\r\nwithin the %TEMP% path:\r\nKB287640\r\nKB887209\r\nPYLOT continues to load and decode an embedded resource file. This file contains configuration information that is used by\r\nthe malware throughout its execution. The following script, written in Python, may be used to decode this embedded\r\nresource object:\r\nimport sys\r\nimport hexdump\r\n\r\n# Python 2: read the resource file as a list of single-character strings\r\nfile = sys.argv[1]\r\nfh = open(file, 'rb')\r\nfdata = list(fh.read())\r\nfh.close()\r\nfdata_len = len(fdata)\r\nc = fdata_len-1\r\n# Walk backwards through the buffer, XORing each byte with the byte two\r\n# positions before it (the first two bytes are left untouched)\r\nwhile c > 1:\r\n    fdata[c] = chr( ord(fdata[c]) ^ ord(fdata[c-2]) )\r\n    c -= 1\r\nfdata = ''.join(fdata)\r\nhexdump.hexdump(fdata)\r\nLooking at the decoded data, we see the following:\r\nFigure 12 Decoded embedded configuration information\r\nThe malware continues to collect the following information from the victim computer:\r\nComputer name\r\nIP addresses present on the machine\r\nMAC addresses\r\nMicrosoft Windows version information\r\nWindows code page identifier information\r\nThis information is used to generate a unique hash for the victim machine. PYLOT then begins entering its C2 handler\r\nroutine, where it will use HTTP for communication with the remote host.\r\nData sent to the remote C2 server is encrypted using RC4 with the previously shown key of ‘BBidRotnqQpHfpRTi8cR.’ It is\r\nthen further obfuscated by base64-encoding this encrypted string. 
An example of this HTTP request containing this data can\r\nbe seen below.\r\nFigure 13 HTTP request made by PYLOT to remote server\r\nThe decrypted data sent in the request above is as follows. Note that this custom data format has not been fully\r\nidentified; however, we are able to see various strings, including the embedded configuration string of ‘fGAka0001’, as well\r\nas the victim hash of ‘100048048.’\r\nFigure 14 Decrypted data sent by PYLOT to remote server\r\nThe base64-encoded string at the end of the data contains the collected victim machine information from earlier, separated\r\nby a ‘|’ delimiter.\r\nThe remote C2 server responds using the same data format. An example response can be seen below.\r\nFigure 15 Response from remote C2 server\r\nThe decoded data at the end of the response contains various URIs to be used by the malware to receive commands, as well\r\nas other information that has yet to be fully researched.\r\n/duakzu/furs.py|/ugvrf/pvoi.py|/tydfw/pld.py|/bpnij/syau.py|/plugin/plugin.py|eycHhHKVQUnuAwtNchvYjScGYMtVMzMqYmxBmCEwieQpKgso\r\nA number of commands have been identified within PYLOT, including the following:\r\n• Download batch script\r\n• Run batch script\r\n• Delete file\r\n• Rename file\r\n• Execute file\r\n• Download file\r\n• Upload file\r\nBYEBY Analysis\r\nBYEBY was named based on a string within the malware itself. Most strings found within this malware are truncated to\r\n6 characters. One such example was an instance where a debug string contained ‘BYE BY’, which was likely a truncated\r\nform of the phrase ‘BYE BYE’.\r\nThis malware is loaded as a DLL, with an export name of ServiceMain. 
When the malware is initially loaded, it begins by\r\nchecking to see if it is running within either of the following paths:\r\n[SYSTEM32]\\svchost.exe\r\n[SYSTEM32]\\rundll32.exe\r\nIf it finds itself not running in either location, it will immediately exit. This is likely a technique used to bypass various\r\nsandboxing systems. Should it find itself running as svchost.exe, it will write the current timestamp and a value of\r\n‘V09SS010’ (Base64 Decoded: ‘WORKMN’) to a file named ‘vmunisvc.cab’ within the user’s local %TEMP% folder. This\r\nfile acts as a log file and is written to frequently throughout the malware’s execution.\r\nWhen the malware runs within the context of svchost.exe, it bypasses the installation routines and immediately enters the C2\r\nhandler.\r\nWhen BYEBY is run within the context of rundll32.exe, it expects itself to be running for the first time. As such, it will\r\nregister itself as a service with a name of ‘VideoSrv.’ After this service is created, BYEBY proceeds to enter its C2 handler\r\nfunction in a new thread.\r\nBYEBY uses TLS for network communication, connecting to the following host on port 443:\r\noeiowidfla22[.]com\r\nAfter the initial connection is established, BYEBY will collect the following system information and upload it to the remote\r\nC2:\r\nHostname\r\nIP Address\r\nEmbedded String of 'WinVideo'\r\nMajor Windows Version\r\nMinor Windows Version\r\nEmbedded String of '6.1.7603.16000'\r\nThe malware is configured to accept a number of commands. These appear to be Base64-encoded strings that, when\r\ndecoded, provide their true meaning. Only the beginning of each command is checked. 
The Base64-decoded strings have\r\nbeen included for the benefit of the reader.\r\naGVsbG8h [Decoded: hello!]\r\nR09PREJZ [Decoded: GOODBY]\r\nTElTVCBE [Decoded: LIST D]\r\nU1RBUlRD [Decoded: STARTC]\r\nQ09NTUFO [Decoded: COMMAN]\r\nVFJBTlNG [Decoded: TRANSF]\r\nRVhFQ1VU [Decoded: EXECUT]\r\nA mapping of commands and their descriptions has been provided:\r\nCommand Description\r\naGVsbG8h Authenticate with the remote C2 server.\r\nR09PREJZ Close socket connection with remote server.\r\nTElTVCBE List drives on the victim machine.\r\nU1RBUlRD Start an interactive shell on the victim machine.\r\nQ09NTUFO Execute a command in the interactive shell.\r\nVFJBTlNG Upload or download files to the victim machine.\r\nRVhFQ1VU Execute command in a new process.\r\nScripts\r\nWe created multiple scripts during the course of our research. We are sharing them here to assist other researchers or\r\ndefenders who encounter this malware.\r\nextract_cmstar_doc.py – Script to extract the embedded CMSTAR payload from Word documents.\r\nextract_cmstar_rtf.py – Script to extract the embedded CMSTAR payload from RTFs.\r\nextract_cmstar_strings.py – Script to identify possible mutex and C2 strings from CMSTAR variants.\r\ndecode_cmstar_payload.py – Script to decode a payload downloaded by CMSTAR.\r\nIndicators of Compromise\r\nCMSTAR Variants Identified in Phishing 
Campaign\r\n65d5ef9aa617e7060779bc217a42372e99d59dc88f8ea2f3b9f45aacf3ba7209\r\n2a0169c72c84e6d3fa49af701fd46ee7aaf1d1d9e107798d93a6ca8df5d25957\r\n4da6ce5921b0dfff9045ada7e775c1755e6ea44eab55da7ccc362f2a70ce26a6\r\n2008ec82cec0b62bdb4d2cea64ff5a159a4327a058dfd867f877536389a72fb6\r\ncecd72851c265f885ff02c60cbc3e6cbf1a40b298274761f623dfa44782a01f8\r\nd8c0f8ecdeceba83396c98370f8f458ea7f7a935aabbcc3d41b80d4e85746357\r\n2c8267192b196bf8a92c8b72d52096e46e307fa4d4dafdc030d3e0f5b4145e9e\r\n2debf12b1cb1291cbd096b24897856948734fa62fd61a1f24d379b4224bda212\r\n79b30634075896084135b9891c42fca8a59db1c0c731e445940671efab9a0b61\r\nb0065fc16ae785834908f024fb3ddd4d9d62b29675859a8e737e3b949e85327a\r\n16697c95db5add6c1c23b2591b9d8eec5ed96074d057b9411f0b57a54af298d5\r\n6843d183b41b6b22976fc8d85e448dcc4d2e0bd2c159e6d966bfd4afa1cd9221\r\n3c3efa89d1dd39e1112558af38ba656e048be842a3bedb7933cdd4210025f791\r\nb2bebb381bc3722304ab1a21a21e082583bf6b88b84e7f65c4fdda48971c20a2\r\n09890dc8898b99647cdc1cceb97e764b6a88d55b5a520c8d0ea3bfd8f75ed83b\r\nfd22973451b88a4d10d9f485baef7f5e7a6f2cb9ce0826953571bd8f5d866c2a\r\nCMSTAR Download Locations in Phishing Campaign\r\nhttp://45.77.60[.]138/YXza9HkKWzqtXlt.dat\r\nhttp://45.77.60[.]138/mePVDjnAZsYCw5j.dat\r\nhttp://45.77.60[.]138/UScHrzGWbXb01gv.dat\r\nhttp://45.76.80[.]32/tYD7jzfVNZqMfye.dat\r\nhttp://45.77.60[.]138/liW0ecpxEWCfIgU.dat\r\nhttp://45.77.60[.]138/ezD19AweVIj5NaH.dat\r\nhttp://45.77.60[.]138/jVJlw3wp379neaJ.dat\r\nhttp://108.61.175[.]110/tlhXVFeBvT64LC9.dat\r\nhttp://45.77.60[.]138/HJDBvnJ7wc4S5qZ.dat\r\nhttp://45.77.60[.]138/JUmoT4Pbw6U2xcj.dat\r\nhttp://108.61.175[.]110/oiUfxZfej29MAbF.dat\r\nhttp://45.77.60[.]138/cw1PlY308OpfVeZ.dat\r\nhttp://45.77.60[.]138/VFdSKlgCAZD7mmp.dat\r\nhttp://45.77.60[.]138/c2KoCT5OHcVwGi7.dat\r\nhttp://45.77.60[.]138/3kK24dXFYRgM6Ac.dat\r\nhttp://45.77.60[.]138/WsEeRyHEhLO1kUm.dat\r\nPYLOT SHA256\r\n7e2c9e4acd05bc8ca45263b196e80e919ff60890a872bdc0576735a566369c46\r\nPYLOT 
C2\r\nwait.waisttoomuchmind[.]com\r\nBYEBY SHA256\r\n383a2d8f421ad2f243cbc142e9715c78f867a114b037626c2097cb3e070f67d6\r\nBYEBY C2\r\noeiowidfla22[.]com\r\nCMSTAR.B SHA256\r\n8609360b43498e296e14237d318c96c58dce3e91b7a1c608cd146496703a7fac\r\nf0f2215457200bb3003eecb277bf7e3888d16edcf132d88203b27966407c7dc3\r\naecf53a3a52662b441703e56555d06c9d3c61bddf4d3b23d9da02abbe390c609\r\n960a17797738dc0bc5623c74b6f8a5d74375f6d18d20ba18775f26a43898bae6\r\ne37c045418259ecdc07874b85e7b688ba53f5a7dc989db19d7e8c440300bd574\r\n75ea6e8dfaf56fb35f35cb043bd77aef9e2c7d46f3e2a0454dff0952a09c134f\r\na65e01412610e5ed8fde12cb78e6265a18ef78d2fd3c8c14ed8a3d1cef17c91d\r\n7170b104367530ae837daed466035a8be719fdb17423fc01da9c0ded74ca6ad1\r\n13acddf9b7c2daafd815cbfa75fbb778a7074a6f90277e858040275ae61a252b\r\n625ed818a25c63d8b2c264d0f5bd96ba5ad1c702702d8ffaa4e0e93e5f411fac\r\na56cd758608034c90e81e4d4f1fe383982247d6aeffd74a1dd98d84e9b56afdf\r\na4b969b93f7882ed2d15fd10970c4720961e42f3ae3fced501c0a1ffa3896ff5\r\ne833bbb79ca8ea1dbeb408520b97fb5a1b691d5a5f9c4f9deabecb3787b47f73\r\n8e9136d6dc7419469c959241bc8745af7ba51c7b02a12d04fec0bc4d3f7dcdf0\r\nCMSTAR.B Download Locations\r\nhttp://108.61.175[.]110/tlhXVFeBvT64LC9.dat\r\nhttp://104.238.188[.]211/gl7xljvn3fqGt3u.dat\r\nhttp://45.77.60[.]138/c2KoCT5OHcVwGi7.dat\r\nhttp://108.61.175[.]110/gkMmqVvZ7gGGxpY.dat\r\nhttp://108.61.175[.]110/z_gaDZyeZXvScQ6.dat\r\nhttp://108.61.175[.]110/bDtzGVtqgiJU9PI.dat\r\nhttp://45.77.60[.]138/liW0ecpxEWCfIgU.dat\r\nhttp://45.77.60[.]138/JUmoT4Pbw6U2xcj.dat\r\nhttp://108.61.175[.]110/oiUfxZfej29MAbF.dat\r\nhttp://108.61.103[.]123/jvZfZ0gdTWtr46y.dat\r\nhttp://108.61.103[.]123/06JcD5jz5dSHVAy.dat\r\nhttp://108.61.103[.]123/nj3dsMMpyQQDBF3.dat\r\nhttp://108.61.103[.]123/fHZvWtBGlFvs2Nr.dat\r\nhttp://45.77.60[.]138/w57E8dktKb9UQyV.dat\r\nCMSTAR.C 
SHA256\r\n85e06a2beaa4469f13ca58d5d09fec672d3d8962a7adad3c3cb74f3f9ef1fed4\r\nb8ef93227b59e6c8d3a1494b4860d15be819fae17b57fd56bfff9a51b7972ff0\r\n9e6fdbbc2371ac8bc6db3b878475ed0b0af8950d50a4652df688e778beb87397\r\n4e38e627ae21f1a85aa963ca990a66cf75789b450605fdca2f31ee6f0f8ab8f2\r\nf4ff0ca7f2ea2a011a2a4615d9b488b7806ff5dd61577a9e3a9860f2980e7fc0\r\n8de3fa2614b1767cfd12936c5adf4423ef25ea60800fa170752266e0ca063274\r\n38197abde967326568e101b65203c2efa75500e5f3c084b6dd08fd1ba1430726\r\n726df91a395827d11dc433854b3f19b3e28eac4feff329e0bdad93890b03af84\r\n5703565ec64d72eb693b9fafcba5951e937c8ee38829948e9518b7d226f81c10\r\nd0544a3e6d1b34b8b4e976c7fc62d4500f28f617e2f549d9a3e590b71b1f9cc5\r\n2a8e5551b9905e907da7268aba50fcbc526cfd0549ff2e352f9f4d1d71bf32a7\r\nd7cd6f367a84f6d5cf5ffb3c2537dd3f48297bd45a8f5a4c50190f683b7c9e90\r\n8f7294072a470b886791a7a32eedf0f0505aaecec154626c6334d986957086e4\r\n6419255d017b217fe984d3439694eb96806d06c7ea41a422298650969028c08c\r\nCMSTAR.C Download Locations\r\nhttp://45.77.58[.]49/54xfapkezW64xDE.dat\r\nhttp://45.77.58[.]49/54xfapkezW64xDE.dat\r\nhttp://45.77.62[.]181/naIXl13kqeV7Y2j.dat\r\nhttp://45.77.58[.]160/9EkCWYA3OtDbz1l.dat\r\nhttp://45.77.58[.]160/8h5NPYB5fAn301E.dat\r\nhttp://45.77.58[.]160/9EkCWYA3OtDbz1l.dat\r\nhttp://45.77.60[.]138/3kK24dXFYRgM6Ac.dat\r\nhttp://45.77.60[.]138/ezD19AweVIj5NaH.dat\r\nhttp://45.77.60[.]138/VFdSKlgCAZD7mmp.dat\r\nhttp://45.77.60[.]138/HJDBvnJ7wc4S5qZ.dat\r\nhttp://45.77.60[.]138/jVJlw3wp379neaJ.dat\r\nhttp://45.77.60[.]138/YXza9HkKWzqtXlt.dat\r\nhttp://45.77.60[.]138/UScHrzGWbXb01gv.dat\r\nhttp://45.77.60[.]138/WsEeRyHEhLO1kUm.dat\r\nSource: https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan"
	],
	"report_names": [
		"unit42-threat-actors-target-government-belarus-using-cmstar-trojan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434909,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/89159a6ee2a6c241e3f70ce67bc799fb062dea4c.pdf",
		"text": "https://archive.orkl.eu/89159a6ee2a6c241e3f70ce67bc799fb062dea4c.txt",
		"img": "https://archive.orkl.eu/89159a6ee2a6c241e3f70ce67bc799fb062dea4c.jpg"
	}
}