{
	"id": "6aec9848-184d-4955-a602-74c79b20e2ed",
	"created_at": "2026-04-06T00:21:00.876063Z",
	"updated_at": "2026-04-10T13:11:21.375243Z",
	"deleted_at": null,
	"sha1_hash": "8990ae999fd368aa2b221ea5b77ec593212541c4",
	"title": "New Uyghur and Tibetan Themed Attacks Using PDF Exploits",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 261176,
	"plain_text": "New Uyghur and Tibetan Themed Attacks Using PDF Exploits\r\nBy Igor Kuznetsov\r\nPublished: 2013-03-14 · Archived: 2026-04-05 17:36:44 UTC\r\nOn Feb 12th 2013, FireEye announced the discovery of an Adobe Reader 0-day exploit which is used to drop a previously unknown, advanced piece of malware. We called this new malware “ItaDuke” because it reminded us of Duqu and because of the ancient Italian comments in the shellcode copied from Dante Alighieri’s “Divine Comedy”.\r\nPreviously, we posted about another campaign hitting governments and other institutions, named Miniduke, which was also using the same “Divine Comedy” PDF exploits.\r\nIn the meantime, we’ve come by other attacks which piggyback on the same high-level exploit code, only this time the targets are different: Uyghur activists.\r\nTogether with our partner at AlienVault Labs, we analyzed these new exploits. For their blog, which includes Yara rules and industry-standard IOCs, please read [here]. For our analysis, please read below.\r\nThe new attacks\r\nA few days ago, we observed several PDF files which carry the CVE-2013-0640/641 (ItaDuke) exploits. Some of the MD5s and filenames include:\r\n7005e9ee9f673edad5130b3341bf5e5f 2013-Yilliq Noruz Bayram Merik isige Teklip.pdf\r\nd00e4ac94f1e4ff67e0e0dfcf900c1a8 .pdf (joint_letter.pdf)\r\nad668992e15806812dd9a1514cfc065b arp.pdf\r\nThe Kaspersky detection name for these exploits is Exploit.JS.Pdfka.gjc.\r\nIf the exploit is successful, the PDFs show a clean, “lure” document to the user:\r\nhttps://securelist.com/new-uyghur-and-tibetan-themed-attacks-using-pdf-exploits/35465\r\nPage 1 of 9\r\nThe first document (2013-Yilliq Noruz Bayram Merik isige Teklip.pdf) refers to a New Year’s party invitation. The second one, “arp.pdf”, is an authorization to request a reimbursement for a Tibetan activist group.\r\nThe JavaScript exploit code has a large comment block prepended, which was probably included to avoid detection by certain anti-malware programs.\r\nThe comment block and the exploit are exactly the same among all analyzed PDF files. Interestingly, the “sHOGG” string obfuscation function from ItaDuke has been removed. In addition, some of the obfuscation for variable initialization has been removed as well:\r\nAll documents drop the same malware, detected by Kaspersky as Trojan.Win32.Agent.hwoo and Trojan.Win32.Agent.hwop, which is interesting: this is one of the rare cases when the same threat actor hits both Tibet and Uyghur activists at exactly the same time. It is possible this was done in regard to a human rights conference which is taking place in Geneva between 11-13 March, 2013.\r\nThe backdoor\r\nThe PDF malware dropper creates a file named “C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\AcroRd32.exe” and runs it. AcroRd32.exe has a PE compilation timestamp of “Wed Jul 11 05:39:45 2012”.\r\n“AcroRd32.exe” contains an encrypted block with the final payload, an 8KB backdoor, which is dropped as “clbcatq.dll” and run via Windows Update. The block can be easily noticed inside the backdoor by a trained eye:\r\nThe block is encrypted with a simple xor + add algorithm. Here’s the decryption algorithm for the final payload (applied byte by byte over the encrypted block):\r\nchar key[] = \"0l23kj@nboxu\";\r\nfor (i = 0; i < len; i++) {\r\n    a = key[i \u0026 7] + 6;\r\n    buf[i] = (buf[i] ^ a) + a;\r\n}\r\nThe final backdoor (clbcatq.dll) is 9728 bytes in size. It was compiled on “Wed Jul 11 05:39:39 2012”. The backdoor connects to its C\u0026C server and requests further data using HTTP GET requests. The response from the server is expected to be a slightly encrypted DLL, which is then loaded and called by the exports “InfectFile” and “GetWorkType”.\r\nFor all the servers, the malware makes a request to “/news/show.asp”, using a custom agent string of “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”.\r\nAt the moment, all the domains point to the same IP address: 60.211.253.28. The server is located in China, in Shandong province:\r\nThe domains “micrsofts.com” and “hotmal1.com” appear to have been registered by the same person, although with very small differences in the registration data:\r\nRegistrant Contact:\r\nGW SY\r\nli wen li wen (lcb_jn@sina.com)\r\nzq dj\r\njiningshi, shandongsheng, cn 272000\r\nP: +86.05372178000 F: +86.05372178000\r\nRegistrant Contact:\r\nGW SY\r\nli wen li wen (lcb_jn@sina.com)\r\nzq dj\r\nshixiaqu, beijingshi, cn 272000\r\nP: +86.02227238836601 F: +86.02227238836601\r\nStage 2\r\nThe command and control server will reply with a 300K backdoor, which is sent in encrypted form. Here’s how it looks as sent by the server:\r\nThe encryption is a sub 0x11 followed by a xor 0x11. Once decrypted, we get the malware dropper, which was compiled on “Wed Jul 11 06:52:48 2012”. This “stage 2” malware dropper is heuristically detected by Kaspersky products as HEUR:Trojan.Win32.Generic.\r\nThe stage 2 dropper will install two files in system32\\wbem:\r\n4BA5E980.PBK – 204,932 bytes (MD5 varies)\r\nMSTD32.DLL – 31,880 bytes (MD5: 92f15c2b82e81e8ae47e361b3ecb5add)\r\nMSTD32.DLL is signed by “YNK JAPAN Inc”, with a certificate that was revoked by the issuer:\r\nThis technique reminds us of the method used by the malware from the Tilded platform (Duqu, Stuxnet) for starting up (a small signed loader which reads and executes the main body kept in encrypted form).\r\nOur colleagues from Norman have previously written (http://blogs.norman.com/2011/security-research/invisible-ynk-a-code-signing-conundrum) about this compromised certificate in relation to Hupigon and other malware.\r\nThe final stage malware is known by our products as Trojan.Win32.Swisyn and has pretty extensive functionality for data stealing.\r\nConclusions\r\nWe have previously published blogs about targeted attacks against Tibetan and Uyghur activists.\r\nThe threat actors behind these attacks are very active and continuously use new methods and new exploits to attack their victims. We have previously seen the use of CVE-2013-0158 or CVE-2010-3333, in addition to exploits for Mac OS X, taking advantage of CVE-2009-0563.\r\nThe PDF exploit originally discovered by FireEye is the first known exploit capable of bypassing the Adobe Reader X sandbox. Due to this advanced capability, it is extremely valuable to any attacker. Although it was probably developed for (or by) a nation state originally, we now see it being copied and reused by other threat actors. This is becoming a common procedure nowadays and we can expect more such piggybacking or exploit stealing in the future.\r\nSource: https://securelist.com/new-uyghur-and-tibetan-themed-attacks-using-pdf-exploits/35465",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/new-uyghur-and-tibetan-themed-attacks-using-pdf-exploits/35465"
	],
	"report_names": [
		"35465"
	],
	"threat_actors": [
		{
			"id": "9a58d7bb-dd32-41bc-804e-500ef7550cf8",
			"created_at": "2023-01-06T13:46:39.131811Z",
			"updated_at": "2026-04-10T02:00:03.2252Z",
			"deleted_at": null,
			"main_name": "ItaDuke",
			"aliases": [
				"DarkUniverse",
				"SIG27"
			],
			"source_name": "MISPGALAXY:ItaDuke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434860,
	"ts_updated_at": 1775826681,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8990ae999fd368aa2b221ea5b77ec593212541c4.pdf",
		"text": "https://archive.orkl.eu/8990ae999fd368aa2b221ea5b77ec593212541c4.txt",
		"img": "https://archive.orkl.eu/8990ae999fd368aa2b221ea5b77ec593212541c4.jpg"
	}
}