{
	"id": "d01a3acb-8269-48cc-bcf1-b61da9d414f7",
	"created_at": "2026-04-06T00:18:18.010634Z",
	"updated_at": "2026-04-10T13:12:26.32526Z",
	"deleted_at": null,
	"sha1_hash": "89f7a11dc4e1c6781eb52948e8b398771db700d0",
	"title": "Bisonal Malware Used in Attacks Against Russia and South Korea",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2432269,
	"plain_text": "Bisonal Malware Used in Attacks Against Russia and South Korea\r\nBy Kaoru Hayashi, Vicky Ray\r\nPublished: 2018-07-31 · Archived: 2026-04-05 15:05:44 UTC\r\nSummary\r\nIn early May, Unit 42 discovered an attack campaign against at least one defense company in Russia and one unidentified\r\norganization in South Korea delivering a variant of Bisonal malware. While not previously publicly documented, the variant\r\nhas been in the wild since at least 2014. There are three primary differences between it and older Bisonal malware including\r\na different cipher and encryption for C2 communication, and a large rewrite of the code for both network communication\r\nand maintaining persistence. To date, we have only collected 14 samples of this variant, indicating it may be sparingly used.\r\nThe adversary behind these attacks lured the targets into launching the Microsoft Windows executable malware by\r\nmasquerading it as a PDF file (using a fake PDF icon) and reusing publicly available data for the decoy PDF file’s contents.\r\nAttacks using Bisonal have been blogged about in the past. In 2013, both COSEINC and FireEye revealed attacks using\r\nBisonal against Japanese organizations . In October 2017, AhnLab published a report called “Operation Bitter Biscuit,” an\r\nattack campaign against South Korea, Japan, India and Russia using Bisonal and its successors, Bioazih and Dexbia. We\r\nbelieve it is likely these tools are being used by one group of attackers.\r\nThough Bisonal malware has been in the wild for at least seven years and frequently updated, the actors keep using same\r\nhigh-level playbooks. 
Common features of attacks involving Bisonal include:\r\nUsually targeting organizations related to government, military or defense industries in South Korea, Russia, and\r\nJapan.\r\nIn some cases, the use of Dynamic DNS (DDNS) for C2 servers.\r\nThe use of a target or campaign code with its C2 to track victim or attack campaign connections.\r\nDisguising the Bisonal malware as a PDF, Microsoft Office Document or Excel file.\r\nThe use of a decoy file in addition to the malicious PE file.\r\nIn some cases, code to handle Cyrillic characters on Russian-language operating systems.\r\nWe observed all these characteristics in the latest attacks against both Russia and South Korea.\r\nTargeting Russia\r\nWhile investigating attack campaigns, Unit 42 discovered a targeted attack against at least one organization in Russia which\r\nprovides communication security services and products. The targeted organization specializes in encryption and\r\ncryptographic services and develops a broad range of secure communication products, including\r\ntelecommunication systems and data protection facilities. Given the sensitivity of the products developed by the target\r\norganization, it is no surprise to see it targeted by a known threat actor.\r\nFigure 1 shows the spear-phishing email sent to the target organization. The email was spoofed to look like it was sent from\r\nRostec, a Russian state corporation that promotes the development, production and export of high-tech industrial products.\r\nThe contents of the email suggest it was sent from the legal support and corporate governance department of Rostec and\r\ninclude project details aimed at improving the housing conditions of defence industry workers. 
It is interesting to note there\r\nis a relationship between the target company and Rostec: the attackers may be trying to exploit the relationship between\r\nRostec and the target to add an additional air of legitimacy to the attack.\r\nhttps://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/\r\nPage 1 of 9\n\nFigure 1. Spear-phishing email sent to the Russian company\r\nBelow is the translation from Russian into English by Google Translate.\r\n \r\nSubject:\r\nA comprehensive project to create housing and construction cooperatives for defence workers\r\n \r\nBody:\r\nGood afternoon, dear colleagues!\r\nBy the May Day, I am sending you a comprehensive project aimed at improving the housing conditions of defence industry\r\nworkers\r\nCongratulations!\r\n \r\nAttachment:\r\nComprehensive project for the creation of housing construction cooperatives for defence workers .exe\r\nAs you can see in Figure 1, some email clients do not display the attachment as a PDF. However, once the file is saved to\r\ndisk it looks like a PDF document, because the executable carries a PDF icon in its resource section.\r\nOnce the malicious executable attachment is opened, the main payload is dropped on the victim machine and a\r\ndecoy file is displayed to the victim. Figure 2 shows the contents of the decoy file, a PDF whose contents exactly match\r\nan article published on Rostec’s website on January 30, 2018. The article discusses new housing project plans by Rostec\r\nand other state departments, and the benefits to the defence industry workers who are eligible for free housing under the\r\nproject.\r\nFigure 2. Decoy PDF file\r\nUpon further analysis of the malware payload, we determined it is part of the Bisonal malware family. 
Since the details of\r\nthe malware family have already been published, we will discuss some of the unique indicators and techniques the threat\r\nactor behind Bisonal employed in this campaign.\r\nMalware Analysis\r\nMalware Dropper\r\nThe dropper executable used in the Russian attack carries the encrypted Bisonal DLL and the non-malicious decoy file appended at the\r\nend of its body. Once executed, the dropper decrypts the data blob using the RC4 cipher with the key “34123412”, writes the\r\ntwo files to the paths shown below and executes them.\r\nType | Path | SHA256\r\nDropper EXE | N/A | b1da7e1963dc09c325ba3ea2442a54afea02929ec26477a1b120ae44368082f8\r\nBisonal DLL | C:\\Windows\\Temp\\pvcu.dll | 1128D10347DD602ECD3228FAA389ADD11415BF6936E2328101311264547AFA75\r\nRussian decoy PDF | C:\\Windows\\Temp\\Комплексный проект по созданию жилищно-строительных кооперативов для работников оборонки.pdf | F431E0BED6B4B7FFEF5E40B1B4B7078F2538F2B2DB2869D831DE5D7DF26EE6CD\r\nTable 1. File hashes and paths targeting Russia\r\nThe dropper then creates the following registry entry to execute the Bisonal sample when the computer reboots:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\”vert” = “rundll32.exe c:\\windows\\temp\\pvcu.dll, Qszdez”\r\nBisonal main module\r\nThe DLL (pvcu.dll) is Bisonal malware, but it uses a different cipher for C2 communication than other publicly documented\r\nsamples. Booz Allen Hamilton in 2014 and AhnLab in 2015 reported on Bisonal using a simple XOR cipher to hide the C2\r\naddress strings in the body. The Bisonal sample we observed in this case employs the RC4 cipher with the key “78563412”.\r\nTo date, all Bisonal samples we have seen using RC4 use this same key. 
The oldest sample we have dates to 2014, so this\r\nvariant has been in the wild for several years.\r\nIn addition to the change in cipher, a large part of the code, such as the network communication procedures and the\r\npersistence method, has been rewritten. For example, the Bisonal malware in 2012 used the send() and recv() socket APIs to\r\ncommunicate with its C2. For this variant, the developer recreated the C2 code from scratch using the WinINet\r\nAPIs HttpSendRequest() and InternetReadFile().\r\nThis Bisonal variant used in the latest attack communicates with one of the following hard-coded C2 addresses using the\r\nHTTP POST method on TCP port 443.\r\nkted56erhg.dynssl[.]com\r\neuiro8966.organiccrap[.]com\r\nThese domains are provided by a free DDNS service and both resolve to the same IP address, 116.193.155[.]38.\r\nWhen this Bisonal variant communicates with its C2, the malware sends an HTTP POST request whose URI contains the static strings\r\n“ks8d” and “akspbu.txt” and the IP address of the compromised machine. Figure 3 shows the initial HTTP POST request to\r\nthe C2 server.\r\nFigure 3. Initial network C2 beacon\r\nReaders may notice the missing closing parenthesis in the User-Agent request header. That string is hardcoded in this\r\nmalware variant. We have more than 230 samples of Bisonal in total, and only 14 samples since 2014 use this incomplete\r\nUser-Agent string. It is unclear whether the author forgot the closing parenthesis while developing the code or\r\nintentionally uses this string so the C2 server can validate the connection. Either way, it can be a good indicator in network\r\nlogs for a possible Bisonal infection.\r\nC2 Communication\r\nAnother sign of the infection is the data sent to the C2 server during the initial connection. Every time this variant of\r\nBisonal communicates with its C2, it sends a unique id number and a backdoor command in the first eight bytes. 
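One way to check proxy or web-server logs for the two network indicators just described (the incomplete User-Agent string and the ks8d/akspbu.txt POST URI), together with the C2 hosts listed above, as an added example that is not code from the Unit 42 post. The pipe-separated log format and the three log lines are constructed for the example, and the defanging brackets in the hostnames are removed so they match what a log would actually record.

```python
# Added example (not from the Unit 42 post): scoring proxy/HTTP log lines against the
# Bisonal network indicators described in the post. The log format is constructed:
# timestamp|src_ip|dst_host|dst_port|method|uri|user_agent
from typing import Dict, List, Tuple

# C2 hosts from the post, with the defanging [.] removed.
KNOWN_C2_HOSTS = {
    'kted56erhg.dynssl.com',
    'euiro8966.organiccrap.com',
    'games.my-homeip.com',
    '116.193.155.38',
}
# Hardcoded User-Agent of the 2014+ variant: note the missing closing parenthesis.
BISONAL_UA = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322'

def parse_line(line: str) -> Dict[str, str]:
    # Split on the first six pipes only, so a pipe inside the User-Agent cannot break parsing.
    ts, src, host, port, method, uri, ua = line.rstrip().split('|', 6)
    return {'ts': ts, 'src': src, 'host': host, 'port': port,
            'method': method, 'uri': uri, 'ua': ua}

def bisonal_indicators(rec: Dict[str, str]) -> List[str]:
    hits = []
    ua = rec['ua']
    # The unbalanced parenthesis is the distinctive part: the same string WITH a closing
    # parenthesis is a common legacy browser User-Agent and must not fire.
    if ua == BISONAL_UA or (ua.startswith('Mozilla/4.0 (compatible;') and ua.count('(') > ua.count(')')):
        hits.append('unbalanced-parenthesis User-Agent')
    # Beacon URI from the post: POST to /ks8d<victim ip>akspbu.txt
    uri = rec['uri']
    if rec['method'] == 'POST' and 'ks8d' in uri and uri.endswith('akspbu.txt'):
        hits.append('ks8d/akspbu.txt beacon URI')
    if rec['host'] in KNOWN_C2_HOSTS:
        hits.append('known Bisonal C2 host')
    return hits

def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    # Returns (line, indicators) for every line that matched at least one indicator.
    findings = []
    for line in lines:
        hits = bisonal_indicators(parse_line(line))
        if hits:
            findings.append((line, hits))
    return findings

# Constructed sample lines (not real traffic). Line 1 mimics the beacon in Figure 3,
# line 2 is an ordinary browser with the complete User-Agent, line 3 is a GET to a C2 host.
SAMPLE_LOG = [
    '2018-05-02T09:14:03|10.0.0.15|kted56erhg.dynssl.com|443|POST|/ks8d10.0.0.15akspbu.txt|' + BISONAL_UA,
    '2018-05-02T09:14:05|10.0.0.16|www.example.com|80|GET|/index.html|' + BISONAL_UA + ')',
    '2018-05-02T09:14:07|10.0.0.17|games.my-homeip.com|443|GET|/|Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0',
]

if __name__ == '__main__':
    for line, hits in scan(SAMPLE_LOG):
        print(hits, line)
```

The rule keys on the unbalanced parenthesis rather than on the MSIE 6.0 prefix, because the complete string is still seen from legacy software. The post also reports the beacon as a plain HTTP POST on TCP 443; a proxy log only shows the method and URI for such traffic when it was not TLS, which is itself unusual on that port and worth its own rule.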
For the initial connection, the malware\r\nsends the hardcoded DWORD values 0x10000 and 0x3E7, then receives updated values from the\r\nC2 and uses them for further communication. As described above, all communications between this Bisonal variant and its C2\r\nare encrypted with the RC4 cipher using the static key “78563412”. Because static values are encrypted with a static key, the backdoor always\r\nsends the same eight bytes of data (81b2a8977ea31b91) to the C2 first.\r\nSoon after receiving the initial beacon from the infected victim, the C2 replies with a session id number and a\r\nbackdoor command. The session id number stays constant throughout the C2 communication. The malware then processes the\r\ngiven command on the compromised system and sends the result back to the C2 with the session id number and the backdoor\r\ncommand number. The C2 then replies with that same session id number. The backdoor waits five seconds and restarts\r\ncommunication with the C2 using the same session id number.\r\nBelow is an example of the reply to the command “get system info”. The actual traffic between the C2 and the Bisonal sample\r\nis on the left side, and the decrypted payload is on the right side. The first DWORD (four bytes) is the given session id,\r\n0x00000003, and the next DWORD is the backdoor command, 0x000000C8. At offset 8 of the decrypted payload, there is a\r\ncampaign or target code. In this sample, it is “0425god”.\r\nFigure 4. Decrypted payload showing the target/campaign code\r\nFollowing is a diagram of the session between Bisonal and the C2.\r\nFigure 5. 
Bisonal C2 communication flow\r\nThe following table lists the backdoor commands this sample supports.\r\nCommand | Meaning\r\n0x000000C8 | gets system info\r\n0x000000C9 | gets running process list\r\n0x000000CA | terminates process\r\n0x000000CB | accesses cmd shell\r\n0x000000CD | downloads file\r\n0x000000CF | executes file\r\n0x000000D1 | creates file\r\nTable 2. Backdoor commands\r\nStrong Interest in Cyrillic\r\nPrevious reports have discussed Bisonal malware used in attacks against Japan, South Korea and Russia. This particular\r\nsample targeted an organization in Russia, and it contains a specific system language check for Cyrillic and no other language.\r\nWhen the backdoor receives the shell access command, it checks the code page of the compromised system. If it is Cyrillic\r\nand the command given to the shell is not ‘ipconfig’, the malware converts the command output from the Cyrillic code page to UTF-16. For any other code page, the malware assumes the output is in the default Windows ANSI code page and likewise converts\r\nit to UTF-16. It is not known why the malware author called out Cyrillic specifically when the malware converts any\r\ntext to UTF-16. A Windows ANSI code page covers ASCII, but the meaning of its non-ASCII byte values\r\ndepends on the OS language, whereas UTF-16 can represent every Unicode code point (over one million). To avoid corrupting Cyrillic\r\n(and other language) characters in the results, the developer added this code to the malware.\r\nFigure 6. Checking of Cyrillic character set\r\nThe same Cyrillic/ipconfig check in the ‘shell access’ backdoor command exists in some original Bisonal samples found in\r\n2012. The sample (43459f5117bee7b49f2cee7ce934471e01fb2aa2856f230943460e14e19183a6) contains the marker string\r\n“bisonal”, which is the origin of the malware name. 
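Returning to the C2 exchange described in the C2 Communication section: the following is an added example, not code from the Unit 42 post or from Bisonal itself, that implements the RC4 handling and the message layout the post reports (session id, command, campaign code at offset 8) and maps command numbers to Table 2. It assumes the key is used as the eight ASCII characters 78563412, that the DWORDs are little-endian, and that the campaign code is NUL-terminated; the message it parses is constructed, not captured traffic.

```python
# Added example (not from the Unit 42 post): RC4 handling of the Bisonal C2 exchange,
# using the key and message layout the post reports. SAMPLE_MESSAGE is constructed.
import struct
from typing import Dict, Tuple

BISONAL_RC4_KEY = b'78563412'   # reported key, used here as an ASCII string (assumption)

# Table 2 from the post
BISONAL_COMMANDS: Dict[int, str] = {
    0xC8: 'gets system info',
    0xC9: 'gets running process list',
    0xCA: 'terminates process',
    0xCB: 'accesses cmd shell',
    0xCD: 'downloads file',
    0xCF: 'executes file',
    0xD1: 'creates file',
}

def rc4(key: bytes, data: bytes) -> bytes:
    # Textbook RC4: key scheduling, then keystream generation XORed into the data.
    # Because it is a pure XOR stream, the same function encrypts and decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def initial_beacon() -> bytes:
    # The two hardcoded DWORDs sent on first contact. Little-endian byte order is an
    # assumption (the natural layout of a Windows DWORD); the post reports the
    # encrypted result as 81b2a8977ea31b91.
    return rc4(BISONAL_RC4_KEY, struct.pack('<II', 0x10000, 0x3E7))

def matches_reported_beacon() -> bool:
    # True only if the key and byte-order assumptions above are what the malware uses.
    # A False here means the assumption, not the post, is wrong.
    return initial_beacon().hex() == '81b2a8977ea31b91'

def build_c2_message(session_id: int, command: int, campaign_code: bytes, body: bytes = b'') -> bytes:
    # Encrypt a message in the layout from Figure 4: session id, command, then the
    # campaign/target code at offset 8. NUL termination of the code is an assumption.
    plain = struct.pack('<II', session_id, command) + campaign_code + bytes(1) + body
    return rc4(BISONAL_RC4_KEY, plain)

def parse_c2_message(ciphertext: bytes) -> Tuple[int, int, str, bytes]:
    # Decrypt and split a message into (session id, command, campaign code, remaining body).
    plain = rc4(BISONAL_RC4_KEY, ciphertext)
    if len(plain) < 8:
        raise ValueError('message shorter than the 8-byte header')
    session_id, command = struct.unpack('<II', plain[:8])
    rest = plain[8:]
    end = rest.find(bytes(1))
    if end < 0:
        end = len(rest)
    code = rest[:end].decode('ascii', errors='replace')
    return session_id, command, code, rest[end + 1:]

def command_name(command: int) -> str:
    return BISONAL_COMMANDS.get(command, 'unknown command 0x{:08X}'.format(command))

# Constructed example: a reply to 'get system info' with session id 3, as in Figure 4.
SAMPLE_MESSAGE = build_c2_message(3, 0xC8, b'0425god', b'WIN-EXAMPLE hostname data')

if __name__ == '__main__':
    sid, cmd, code, body = parse_c2_message(SAMPLE_MESSAGE)
    print(sid, hex(cmd), command_name(cmd), code, body)
    print('beacon:', initial_beacon().hex(), 'matches post:', matches_reported_beacon())
```

Because the key is static and the first message is built from static values, the eight-byte beacon the post reports is a byte-exact signature for the start of every session; the parser above is what you would run on the remainder of a captured session once the RC4 assumptions are confirmed against a real sample.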
The shared marker string is one of the many reasons we strongly believe the latest samples\r\nare variants of Bisonal.\r\nFigure 7. ‘bisonal’ marker string\r\nTargeting South Korea\r\nWhile investigating other Bisonal samples, we found another dropper submitted to an online malware database on March 6, 2018.\r\nThe original file name was “2018년 해양경찰청 공무원 (7급 9급) (2018.03.05).pdf.exe”. This translates to “2018 Korean\r\nCoast Guard Government Employee (Grade 7, Grade 9).pdf.exe” in English. Like the Bisonal variant targeting the\r\nRussian organization, this sample was also disguised as a PDF document.\r\nFigure 8. Malware disguised as PDF\r\nThe dropper executable installs Bisonal and a decoy file in the paths shown in Table 3, below.\r\nType | Path | SHA256\r\nDropper EXE | N/A | 0641fe04713fbdad272a6f8e9b44631b7554dfd1e1332a8afa767d845a90b3fa\r\nBisonal EXE | %Temp%\\[random].tmp | 359835C4A9DBE2D95E483464659744409E877CB6F5D791DAA33FD601A01376FC\r\nKorean decoy PDF | [dropper path]\\[same file name without .exe].pdf | B2B764597D097FCB93C5B11CBD864AB1BCB894A2A1E2D2DE1C469880F612431C\r\nTable 3. File hashes and system installation paths targeting South Korea\r\nThough the functionality of the two dropper samples looks very similar, the dropper code of this sample is completely\r\ndifferent from the Russian-targeting sample described above.\r\nThe dropper installs the Bisonal EXE file and the decoy PDF file. Neither file is encrypted, and the offsets of the EXE\r\nand PDF inside the dropper are appended at the end of the dropper file. In the Russian sample, the offsets to these files\r\nare hardcoded in the code.\r\nThe file name of the decoy file is derived from the dropper file name. The dropper creates the PDF in its own\r\ndirectory and gives the decoy the dropper’s own name with .exe removed and .pdf added. 
For example, if the\r\nfile name is ABCDEFG.pdf.exe, the decoy filename would be pdf.pdf.\r\nThe dropper also creates two VBS scripts in the %Temp% directory with random four-digit hexadecimal names. One\r\nof them opens the decoy PDF file. The other deletes the dropper and the VBS script itself.\r\nThe decoy PDF contains job descriptions for the South Korean Coast Guard. The original document was a\r\nHangul Word Processor (HWP) file posted on the South Korean Coast Guard website on March 5, 2018. Based on the\r\nmetadata we found in the PDF, we strongly believe that the attacker converted the HWP to PDF. Figure 8, below, shows the\r\nmetadata added to the decoy file when the original file was converted to PDF. The metadata indicates that the file was created\r\nwith Adobe Distiller 8.00 (Windows) on March 6 by “조영태” (Cho Young Tae in English).\r\nInterestingly, the same creator name is found in the decoy PDF file of another sample of the Bisonal variant\r\n(dfa1ad6083aa06b82edfa672925bb78c16d4e8cb2510cbe18ea1cf598e7f2722) submitted to an online malware database in\r\nSeptember 2014. This decoy is a contact list of the Agriculture, Food, Rural Affairs, Oceans and Fisheries Committee of the\r\nNational Assembly of the Republic of Korea. According to the metadata, this file was also converted from an HWP document\r\nwith the same tool by the same creator. Though we do not know whether the creator name is real or fake, we can say the\r\nattacker has not changed this tool and technique for years.\r\nFigure 8. Metadata in the decoy file\r\nMain EXE\r\nThe installed EXE file is almost exactly the same as the DLL version of the Bisonal variant used against the Russian\r\norganization. Following is a brief write-up of the Bisonal EXE’s behavior. 
There are only three differences from the DLL\r\nsample: it creates the registry entry itself, the C2 domain, and the target or campaign code. The EXE’s behavior is discussed\r\nbelow.\r\nIt creates the registry entry\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\”mismyou” = %Temp%\\[random].tmp\r\nto achieve persistence. In contrast, the DLL version does not create a registry entry because the dropper of the DLL\r\ndoes so.\r\nIt decrypts the C2 domain address using the RC4 cipher with the same key “78563412”.\r\nIt connects to hxxp://games.my-homeip[.]com:443/ks8d[ip address]akspbu.txt using the HTTP POST method with\r\nthe same incomplete User-Agent string “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322”.\r\nIt sends the same initial beacon value of 81b2a8977ea31b91 to the C2 server.\r\nIt uses a different target or campaign code, “pmo”.\r\nIt has the same backdoor commands, starting at 0x000000C8.\r\nIt also checks the code page and command in “shell access” and converts text from Cyrillic to UTF-16.\r\nThe following table summarizes the Bisonal samples described in this article.\r\nYear | Target Country | Campaign or Target Code | SHA256 | Cipher | Bisonal Marker\r\n2012 | unidentified | 1031 | 43459f5117bee7b49f2cee7ce934471e01fb2aa2856f230943460e14e19183a6 | XOR | YES\r\n2014 | South Korea | 0919-1 | dfa1ad6083aa06b82edfa672925bb78c16d4e8cb2510cbe18ea1cf598e7f2722 | RC4 | NO\r\n2018 | Russia | 0425god | 1128D10347DD602ECD3228FAA389ADD11415BF6936E2328101311264547AFA75 | RC4 | NO\r\n2018 | South Korea | pmo | 359835C4A9DBE2D95E483464659744409E877CB6F5D791DAA33FD601A01376FC | RC4 | NO\r\nTable 4. Summary of the Bisonal samples in this blog\r\nConclusion\r\nThe attackers behind Bisonal have been active for at least seven years, and the variant used against the Russian and South\r\nKorean targets discussed in this blog has been in the wild since 2014. 
Since the attackers frequently rewrite functions from scratch\r\nand avoid reusing infrastructure, some samples look very different from the original Bisonal malware. However, as we\r\ndiscussed in this blog, the same original piece of code referencing the malware name \"bisonal\" remains in at least some\r\nsamples.\r\nWe are still investigating the connection between the latest attacks discussed in this blog and the previous Bisonal attacks\r\nreported by industry colleagues. The high-level TTPs of the adversary behind these Bisonal samples match previous\r\nBisonal activity: the targets are military or defense industry organizations in particular countries, DDNS is used for C2 servers,\r\nconnections from victims are tracked using target or campaign codes, the malware is disguised as a document\r\nfile, and a dropper installs the malware and the decoy file. We currently believe one group is behind these attacks, and\r\nwe continue to investigate.\r\nPalo Alto Networks customers are protected from this threat by:\r\nWildFire detects all Bisonal files with malicious verdicts\r\nAutoFocus customers can track these samples with the Bisonal tag\r\nTraps blocks all of the files associated with Bisonal\r\nIoCs\r\nDropper SHA256:\r\nB1DA7E1963DC09C325BA3EA2442A54AFEA02929EC26477A1B120AE44368082F8\r\n0641FE04713FBDAD272A6F8E9B44631B7554DFD1E1332A8AFA767D845A90B3FA\r\nBisonal SHA256:\r\n43459F5117BEE7B49F2CEE7CE934471E01FB2AA2856F230943460E14E19183A6\r\nDFA1AD6083AA06B82EDFA672925BB78C16D4E8CB2510CBE18EA1CF598E7F2722\r\n1128D10347DD602ECD3228FAA389ADD11415BF6936E2328101311264547AFA75\r\n359835C4A9DBE2D95E483464659744409E877CB6F5D791DAA33FD601A01376FC\r\nC2:\r\njennifer998.lookin[.]at\r\n196.44.49[.]154\r\nwww.hosting.tempors[.]com\r\nkted56erhg.dynssl[.]com\r\neuiro8966.organiccrap[.]com\r\n116.193.155[.]38\r\ngames.my-homeip[.]com\r\nSource: 
https://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/"
	],
	"report_names": [
		"unit42-bisonal-malware-used-attacks-russia-south-korea"
	],
	"threat_actors": [
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434698,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/89f7a11dc4e1c6781eb52948e8b398771db700d0.pdf",
		"text": "https://archive.orkl.eu/89f7a11dc4e1c6781eb52948e8b398771db700d0.txt",
		"img": "https://archive.orkl.eu/89f7a11dc4e1c6781eb52948e8b398771db700d0.jpg"
	}
}