{
	"id": "79c03c0d-4128-4089-be70-5e08c905a3ff",
	"created_at": "2026-04-06T00:08:29.236286Z",
	"updated_at": "2026-04-10T03:33:45.606939Z",
	"deleted_at": null,
	"sha1_hash": "8adafe0d9d59bd6882a6c1d596f715ec79812271",
	"title": "TA410: Malware Attacks Against U.S. Utilities Sector | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3006572,
	"plain_text": "TA410: Malware Attacks Against U.S. Utilities Sector | Proofpoint US\r\nBy Michael Raggi, Dennis Schwarz, and Georgi Mladenov with the Proofpoint Threat Research Team\r\nPublished: 2020-06-06 · Archived: 2026-04-05 15:53:50 UTC\r\nIn August 2019, Proofpoint researchers reported that LookBack malware was targeting the United States (U.S.) utilities\r\nsector between July and August 2019. We then continued our analysis into additional LookBack campaigns that\r\nunfolded between August 21-29, 2019. These campaigns utilized malicious macro-laden documents in order to deliver\r\nmodular malware to targeted utility providers across the U.S. At the same time as the LookBack campaigns, Proofpoint\r\nresearchers identified a new, additional malware family named FlowCloud that was also being delivered to U.S. utilities\r\nproviders.\r\nFlowCloud malware, like LookBack, gives attackers complete control over a compromised system. Its remote access\r\ntrojan (RAT) functionality includes the ability to access installed applications, the keyboard, mouse, screen, files,\r\nservices, and processes with the ability to exfiltrate information via command and control.\r\nWe analyzed phishing campaigns between July-November 2019 and have determined that both LookBack and\r\nFlowCloud malware can be attributed to a single threat actor we are calling TA410. This conclusion is based on the\r\nthreat actor’s use of shared attachment macros, malware installation techniques, and overlapping delivery\r\ninfrastructure.\r\nIn addition, our analysis found similarities between TA410 and TA429 (APT10) delivery tactics. Specifically, we have\r\nseen attachment macros that are common to both actors. TA410 campaigns detected in November 2019 included TA429\r\n(APT10)-related infrastructure used in phishing attachment delivery macros. 
However, Proofpoint analysts believe that\r\nintentional reuse of well-publicized TA429 (APT10) techniques and infrastructure may be an attempt by threat actors to\r\ncreate a false flag. For this reason, while research is ongoing, we do not attribute LookBack and FlowCloud campaigns\r\nto TA429 (APT10). Proofpoint currently tracks TA429 (APT10) independently of TA410 campaigns.\r\nFigure 1 below shows a timeline of the identified LookBack and FlowCloud campaigns.\r\nFigure 1 LookBack and FlowCloud Campaign Timeline\r\nDelivery\r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new\r\nPage 1 of 18\n\nProofpoint researchers observed phishing campaigns beginning on July 10, 2019 that targeted utility providers across\r\nthe United States with portable executable (PE) attachments and used subject lines such as “PowerSafe energy\r\neducational courses (30-days trial)”. These campaigns continued through September 2019.\r\nOur analysis of these phishing campaigns determined that the PE attachments delivered a modular malware which the\r\ndevelopers referred to in program database (“PDB”) paths as “FlowCloud”. We therefore refer to these campaigns as\r\n“FlowCloud” based on the malware family they delivered. It’s notable that these FlowCloud campaigns were occurring\r\nat the same time as the LookBack campaigns that Proofpoint has previously documented. Both the FlowCloud and\r\nLookBack campaigns targeted utility providers in the United States. Both used training and certification-themed lures.\r\nAnd both used threat actor-controlled domains for delivery. 
In some cases, both FlowCloud and LookBack campaigns\r\ntargeted not only the same companies but also the same recipients.\r\nThe senders of the emails that delivered FlowCloud malware utilized threat actor-controlled delivery domains that\r\nimpersonated energy sector training services, as well as subdomains containing the word “engineer”.\r\nWe observed a distinct change in FlowCloud delivery tactics beginning with attacks carried out in November 2019. The\r\ntargeting of US utilities companies remained constant, but the threat actors shifted from PE attachments to malicious\r\nmacro-laden Microsoft Word documents that closely resembled the same delivery and installation macros used in\r\nLookBack malware campaigns.\r\nAdditionally, in November threat actors began to utilize the sender domain asce[.]email to deliver these attachments.\r\nThis domain was first observed in June 2019 registered to the IP 103.253.41[.]75 which was used as a staging and\r\nreconnaissance IP in previous LookBack campaigns. On October 29, 2019, the domain resolved to the IP\r\n134.209.99[.]169 which also hosted several energy certification and education themed domains. A number of these\r\ndomains also shared an SSL certificate with delivery domains previously observed in the July and August 2019\r\nFlowCloud phishing campaigns. The data from this SSL certificate is displayed in Figure 2. This figure\r\ndemonstrates the actor’s use of a single SSL certificate for multiple energy and training themed domains. The actor\r\nlisted the domains that were signed by the certificate in the Alternative Names field, allowing for the identification of\r\nadditional related infrastructure. 
A number of these domains were used in FlowCloud campaigns.\r\nFigure 2 Passive Total SSL Certificate data for powersafetrainings[.]org and related energy themed domains.\r\nThe table below shows the TA410 staging IPs, when they were first observed, the registered domains associated with\r\nthem, and the malware delivered by emails originating from these domains.\r\nIP | First Observed | Registered Domains | Malware Delivered\r\n103.253.41[.]75 | 06/23/2019 | Delivery Domain: Nceess[.]com, Globalenergycertification[.]com; Registered Domain: Nerc[.]email, Asce[.]email | LookBack\r\n134.209.99[.]169 | 10/29/2019 | Delivery Domain: Asce[.]email; Registered Domain: Powersafetraining[.]net; Domains Related by SSL Certificate: mails.energysemi[.]com, powersafetrainings[.]org, www.mails.energysemi[.]com, www.powersafetraining[.]net, www.powersafetrainings[.]org | FlowCloud\r\n101.99.74[.]234 | 07/02/2019 | Delivery Domain: www.powersafetrainings[.]org | FlowCloud\r\nThe content of the emails in the November 2019 campaigns impersonated the American Society of Civil Engineers and\r\nmasqueraded as the legitimate domain asce[.]org. The structure of this email is very similar to the LookBack delivery\r\nemails constructed to impersonate the NCEES and Global Energy Certification in July 2019. 
Examples of the emails\r\nare included in Figure 3 and Figure 4.\r\nFigure 3 ASCE-themed phishing email delivering FlowCloud malware November 2019\r\nFigure 4 NCEES-themed phishing email delivering LookBack malware July 2019\r\nExploitation - Installation Macros\r\nAs noted above, after an extended period of using PE attachments to deliver FlowCloud in campaigns, the threat actors\r\nbehind FlowCloud switched to using Microsoft Word documents with malicious macros at the beginning of November\r\n2019. The Word document attachments and macros delivering FlowCloud had key similarities with the Word document\r\nattachments and macros we identified that delivered LookBack in July and August 2019.\r\nIdentical to the methodology used with LookBack, the FlowCloud macro used privacy enhanced mail (“.pem”) files\r\nwhich were subsequently renamed to the text file “pense1.txt”. This file is next saved as a portable executable file\r\nnamed “gup.exe” and executed using a version of the certutil.exe tool named “Temptcm.tmp”.\r\nFor comparison, Figure 5 shows the macro used to install FlowCloud while Figure 6 shows the macro used to install\r\nLookBack.\r\nFigure 5 November 2019 macro used to install FlowCloud malware\r\nFigure 6 August 2019 macro used to install LookBack malware\r\nThe “Exploitation” section in our blog LookBack Malware Targets the United States Utilities Sector with Phishing\r\nAttacks Impersonating Engineering Licensing Boards has a more in-depth explanation of this method used by\r\nLookBack. 
FlowCloud uses this same method exactly, including identical macro concatenation code.\r\nWhile we found the ultimate execution method for both the LookBack Gup proxy tool and FlowCloud malware was\r\nthe same across both macro versions, we found that the FlowCloud macro introduced a new method for the delivery of\r\nthe malware.\r\nThe earlier LookBack versions of the macro included the payload in numerous privacy enhanced mail (“.pem”) files\r\nthat were dropped when the attachment file is executed by the user. The FlowCloud version of the macro utilized a\r\npreviously unobserved macro section to download the payload from a DropBox URL. Once the payload was\r\ndownloaded, a FlowCloud malware PE in the form of a .pem file was saved as the variable “Pense1.txt”. Figure 7\r\nshows the FlowCloud macro with the delivery section in question called out.\r\nFigure 7 FlowCloud Malware Macro delivery code\r\nThe FlowCloud macro also contained a strange try…catch statement which initially attempts to download the\r\nFlowCloud payload from the DropBox URL as part of the try statement. However, if it was unable to retrieve the\r\npayload from that resource, a catch statement which was nearly identical to the try statement attempted to retrieve a\r\nmalware resource from the URL http://ffca.caibi379[.]com/rwjh/qtinfo.txt. Figure 8 shows the catch\r\nstatement in question.\r\nFigure 8 FlowCloud Malware Catch statement macro code\r\nThis try…catch sequence is significant because the URL in the catch statement and malware resource was previously\r\nmentioned in a May 2019 blog by enSilo entitled “Uncovering New Activity by APT10”. 
The blog claims that this URL\r\ndelivered a modified Quasar RAT payload which included the addition of SharpSploit, an open-source post-exploitation\r\ntool. When analyzed on the same date of FlowCloud campaign delivery, this URL and resource were unavailable, while\r\nthe DropBox URL successfully delivered the FlowCloud .pem file. While Proofpoint has not independently verified\r\nthese attribution claims made by other researchers regarding the referenced Quasar RAT sample, the use of this URL\r\nrepresents a previously undisclosed overlap with publicly reported indicators of compromise attributed to TA429\r\n(APT10). While on the surface this domain may imply links to TA429 (APT10), we have identified several aberrations\r\nregarding the domain registration information and inactive nature of the URL and will discuss them at length\r\nlater in this blog.\r\nFlowCloud Malware\r\nOur analysis of the FlowCloud malware determined that it is a multi-stage payload comprised of a large code base\r\nwritten in C++. The code demonstrates a level of complexity including numerous components, extensive object-oriented\r\nprogramming, and use of legitimate and imitation QQ files for initial and later stage execution. We found\r\nfurther imitation of QQ components in several modules used throughout FlowCloud execution. The malware name\r\n“FlowCloud” was taken from distinctive PDB paths observed in numerous malware components. These values have\r\nbeen included in the IOCs section at the end of this blog.\r\nFlowCloud malware is capable of RAT functionalities based on its available commands including accessing the\r\nclipboard, installed applications, keyboard, mouse, screen, files, services, and processes with the ability to exfiltrate\r\ninformation via command and control. 
Additionally, the malware variants analyzed have several distinct characteristics\r\nthat indicate the malware may have been active in the threat landscape since at least July 2016.\r\nIn addition to components built to target updated Windows versions, FlowCloud samples have dropped a 32-bit module\r\nthat was only compatible with Windows versions 6 (Windows Vista) and below. The dated nature of this binary coupled\r\nwith the extensible nature of the malware code suggests that the FlowCloud code base has been under development for\r\nnumerous years. Public reports around FlowCloud malware components and related installation directory paths suggest\r\nthat versions of this malware may have been observed in the wild as early as July 2016. Additionally, development of\r\nthis malware around legitimate QQ files and the identification of malware samples uploaded to VirusTotal from Japan\r\nin December 2018 and earlier this year from Taiwan indicate that the malware may have been active for some time in\r\nAsia prior to its appearance targeting the US utilities sector.\r\nFigure 9 below outlines FlowCloud’s loader functionality.\r\nFigure 9 Flowchart of FlowCloud Loader Functionality\r\nThe malware begins with the execution of Gup.exe by the malicious macro which in turn executes the file\r\nEhStorAuthn.exe.\r\nEhStorAuthn.exe extracts the subsequent payload file components and installs them to the directory\r\nC:\\Windows\\Media\\SystemPCAXD\\ado\\fc. 
This file also sets registry key values that store the keylogger drivers\r\nand the malware configuration as the value “HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\PrintResponsor\\\u003c2-4\u003e”.\r\nEhStorAuthn.exe is a legitimate portable executable file used by QQ with the initial name QQSetupEx.exe. This\r\nfile is used to load the file dlcore.dll as part of its natural downloader routine.\r\nDlcore.dll is a DLL crafted by the threat actors that functions as a shellcode injector pulling the shellcode from a\r\nfile named rebare.dat. This file imitates a legitimate QQ component.\r\nWhen the shellcode within rebare.dat is executed it in turn executes a RAT installer file named rescure.dat.\r\nRescure.dat is an XOR encrypted DLL file that installs the RAT based application responsor.dat which installs\r\nthe keylogger driver and manages the RAT functionality.\r\nResponsor.dat unpacks several modules (rescure86.dat or rescure64.dat) to the registry %TEMP%\\{0d47c9bc-7b04-4d81-9ad8-b2e00681de8e} and installs the unpacked file as a service named “FSFilter Activity Monitor”\r\nor “FltMgr”.\r\nFinally, Responsor.dat starts the RAT when the rescure.dat function “startModule” is called.\r\nSeveral legitimate Microsoft Windows files were also used by the malware for thread injection.\r\nEhStorAuthn_shadow.exe (hhw.exe), a Microsoft HTML Help Workshop file, was used as a placeholder for\r\nthread injection.\r\nHha.dll is a component of Microsoft HTML Help Workshop and is required to run EhStorAuthn_shadow.exe.\r\nThe malware stores its configuration in the registry alongside drivers utilized by the malware’s keylogger components.\r\nSeveral additional distinct registry keys are generated which indicate the malware’s current execution stage on the host.\r\nSome of these keys are included in the table below.\r\nRegistry Key | Originating Component | Description\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\PrintResponsor\\2 | Gup.exe | 32bit Driver, Keylogger\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\PrintResponsor\\3 | Gup.exe | 64bit Driver, Keylogger\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\PrintResponsor\\4 | Gup.exe | RAT config\r\nHKEY_LOCAL_MACHINE\\HARDWARE\\{2DB80286-1784-48b5-A751-B6ED1F490303} | Dlcore.dll | Execution Stage: Executing dlcore.dll\r\nHKEY_LOCAL_MACHINE\\HARDWARE\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A} | rescure.dat | Execution Stage: Install keylogger driver\r\nHKEY_LOCAL_MACHINE\\HARDWARE\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027} | rescure.dat | Execution Stage: RAT fully installed.\r\nFlowCloud Configuration\r\nThe FlowCloud loader component EhStorAuthn.exe stores the malware configuration in the registry early in the\r\ninstallation chain and is represented in the table above. The registry data is composed of multiple encrypted headers\r\n(using XORs and RORs) and data is encrypted using a modified (or broken) AES algorithm. The plaintext data is\r\ncompressed with ZLIB and serialized using Google’s Protocol Buffers. Figure 10 shows an example of a\r\nconfiguration as displayed by FlowCloud’s debug logging:\r\nFigure 10 Example of a configuration as displayed by debug logging\r\nCommand and Control\r\nFlowCloud malware handles configuration updates, file exfiltration, and commands as independent threads utilizing a\r\ncustom binary C2 protocol. We identified these independent threads as part of an extensive command handling\r\nfunctionality with distinct command managers existing for each command. The sample we analyzed utilized port 55555\r\nfor file exfiltration and port 55556 for all other data. We identified FlowCloud communication with the IP\r\n188.131.233[.]27. 
The requests and responses are composed of multiple encrypted headers (using XORs and RORs)\r\nand TEA encrypted data using a key generation scheme involving a hardcoded string of random characters and MD5\r\nhashing. The plaintext data is compressed using ZLIB and serialized using Google’s Protocol Buffers. An example\r\nparsing of an initial beacon is demonstrated in Figure 11:\r\nFigure 11 Example of FlowCloud parsing an initial C2 beacon\r\nComparing Public TA429 (APT10) Indicators with TA410 Campaigns\r\nPublications by FireEye and enSilo regarding TA429 (APT10) campaigns contain indicators that later appeared in\r\nTA410 campaigns. In our retrospective analysis of that research, we determined that TA429 (APT10) used phishing\r\nmacros that were later seen being used by LookBack and FlowCloud malware. Additionally, we identified the Quasar\r\nRAT delivery URL hxxp://ffca.caibi379[.]com/rwjh/qtinfo.txt used by FlowCloud macros in November, which was\r\npublished in the enSilo report prior to observable weaponization for TA410 campaigns.\r\nInterestingly, the compilation date of several LookBack malware modules used in July 2019 was September 14, 2018.\r\nThis includes the SodomMain and SodomNormal modules covered in previous Proofpoint blogs on LookBack\r\nmalware. That date is just one day after FireEye released their initial analysis of similar TA429 (APT10) macros\r\nutilized in Japan on September 13, 2018.\r\nWhile LookBack malware samples were not observed in the wild until June 2019, this September 2018 compilation\r\ndate demonstrates a large lag time between compilation and delivery. 
This possibly suggests manipulation of\r\ncompilation times by threat actors but has not been conclusively determined.\r\nThe first identified server installation by TA410 on actor-controlled infrastructure occurred in December 2018. Most of\r\nthe domain registration (weaponization) for LookBack and FlowCloud campaigns began in May and June 2019\r\nrespectively. These events were after FireEye’s initial publication in September 2018.\r\nAdditionally, enSilo’s publication on potentially TA429 (APT10) related Quasar RAT samples appeared on May\r\n24, 2019. It was not until the second week of November 2019 that the inactive URL was incorporated into a phishing\r\nmacro as part of a FlowCloud campaign targeting US utilities. WHOIS records and passive DNS information for\r\nffca.caibi379[.]com indicate that the registrant email and address fields for the domain were updated on June 7, 2019.\r\nThe A record for the domain was updated on September 9, 2019 at which time it resolved to the IP 34.80.27[.]200\r\ncontained within an ASN owned by Google. For the prior eight months beginning on January 2, 2019 and\r\nencompassing the period of activity discussed by enSilo, the domain was hosted on several IPs in an ASN owned by\r\nAPNIC Hostmaster. The shift away from IP infrastructure owned by APNIC represents a departure in threat actor\r\ninfrastructure hosting tactics well after the publication by enSilo and within the weaponization period for TA410’s\r\ncampaign targeting US utilities. While this research is not conclusive, it demonstrates that all observed TA429 (APT10)\r\nsimilarities and indicators of compromise were available publicly prior to the start of TA410 campaigns. Therefore,\r\nwhile not conclusive from current analysis, the possibility remains that these overlaps represent false flag activity by\r\nthe TA410 threat actor. 
Based on this analysis Proofpoint analysts track TA410 as a distinct threat actor from TA429\r\n(APT10) at this time.\r\nConclusion\r\nThe convergence of LookBack and FlowCloud malware campaigns in November 2019 demonstrates the capabilities of\r\nTA410 actors to distinctly utilize multiple tools as part of a single ongoing campaign against US utilities providers.\r\nBoth malware families demonstrate a level of sophistication in their conception and development while the extensible\r\ncode base of FlowCloud malware suggests that this group may have been operating as early as 2016. TA410 operators\r\ndemonstrate a willingness to dynamically evolve phishing tactics to increase the effectiveness of their campaigns and a\r\nkeen eye towards plausible social engineering within a very select targeted sector. It remains unclear if the nature of the\r\ntactics and indicators that are shared with TA429 (APT10) were developed by this group or culled from readily\r\navailable technical reporting that pre-dated these campaigns. The possibility remains that these overlaps represent\r\nintentional false flag efforts to cloak the identity of these perpetrators while they targeted a critical and geo-politically\r\nsensitive sector of energy providers in the US. 
Regardless of the actor’s intention, TA410 has established itself as a\r\nmotivated actor with mature toolsets carrying out long term campaigns against highly important and geographically\r\nconcentrated target sets.\r\nIndicators of Compromise (IOCs)\r\nIOC | IOC Type | Description\r\nfaa80e0692ba120e38924ccd46f6be3c25b8edf7cddaa8960fe9ea632dc4a045 | SHA256 | PE Attachment - our infrastructure offer ann\u202ecod.exe\r\nb7960d1f40b727bbea18a0e5c62bafcb54c9ec73be3e69e787b7ddafd2aae364 | SHA256 | PE Attachment - powersafe courses ann\u202ecod.exe\r\n26eb8a1f0bdde626601d039ea0f2c92a7921152371bafe5e811c6a1831f071ce | SHA256 | FlowCloud MS Word Macro Attachment - personal invitation.doc\r\ncd8f877c9a1c31179b633fd74bd5050e4d48eda29244230348c6f84878d0c33c | SHA256 | Dropped Files - Cert.pem\r\ne4ad5d3213425c58778d8a0244df4cd99c748f58852d8ac71b46326efd5b3220 | SHA256 | Dropped Files - pense1.txt\r\n589229e2bd93100049909edf9825dce24ff963a0c465d969027db34e2eb878b4 | SHA256 | Dropped Files - Temptcm.tmp\r\n1334c742f2aec7e8412d76ba228b99935a49dc96a1e8e1f3446d9f61247ae47e | SHA256 | Dropped Files - EhStorAuthn.exe\r\nde30929ef958211f9315e27a7aa45ef061726a76990ddc6b9d9f189b9fbdd45a | SHA256 | Dropped Files - dlcore.dll\r\n0b013ccd9e10d7589994629aed18ffe2388cbd745b5b28ab39c07835295a1ca9 | SHA256 | Dropped Files - rebare.dat\r\n479954b9e7d5c5f7086a2a1ff1dba99de2eab2e1b1bc75ad8f3b211088eb4ee9 | SHA256 | Dropped Files - rescure.dat\r\nd5191327a984fab990bfb0e811688e65e9aaa751c3d93fa92487e8a95cb2eea8 | SHA256 | Dropped Files - responsor.dat\r\n0701cc7eb1af616294e90cbb35c99fa2b29d2aada9fcbdcdaf578b3fcf9b56c7 | SHA256 | Dropped Files - EhStorAuthn_shadow.exe\r\n27f5df1d35744cf283702fce384ce8cfb2f240bae5d725335ca1b90d6128bd40 | SHA256 | Dropped Files - rescure64.dat\r\n13e761f459c87c921dfb985cbc6489060eb86b4200c4dd99692d6936de8df5ba | SHA256 | Dropped Files - rescure86.dat\r\n2481fd08abac0bfefe8d8b1fa3beb70f8f9424a1601aa08e195c0c14e1547c27 | SHA256 | Dropped Files - hha.dll\r\n188.131.233[.]27 | IP | C\u0026C IP\r\n118.25.97[.]43 | IP | Sender IP\r\n34.80.27[.]200 | IP | Sender IP\r\n134.209.99[.]169 | IP | Staging IP\r\n101.99.74[.]234 | IP | Staging IP\r\nAsce[.]email | Domain | Phishing Domain\r\npowersafetrainings[.]org | Domain | Phishing Domain\r\nmails.daveengineer[.]com | Domain | Phishing Domain\r\npowersafetraining[.]net | Domain | Related Infrastructure\r\nmails.energysemi[.]com | Domain | Related Infrastructure\r\nwww.mails.energysemi[.]com | Domain | Related Infrastructure\r\nwww.powersafetraining[.]net | Domain | Related Infrastructure\r\nwww.powersafetrainings[.]org | Domain | Related Infrastructure\r\nffca.caibi379[.]com | Domain | Macro Domain\r\nhttp://ffca.caibi379[.]com/rwjh/qtinfo.txt | URL | FlowCloud Macro Delivery URL (Inactive)\r\nhttps://www.dropbox[.]com:443/s/ddgifm4ityqwx60/Cert.pem?dl=1 | URL | FlowCloud Macro Delivery URL\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\PrintResponsor\\2 | Registry Key | FlowCloud Registry Key\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\PrintResponsor\\3 | Registry Key | FlowCloud Registry Key\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\PrintResponsor\\4 | Registry Key | FlowCloud Registry Key\r\nHKEY_LOCAL_MACHINE\\HARDWARE\\{2DB80286-1784-48b5-A751-B6ED1F490303} | Registry Key | FlowCloud Registry Key\r\nHKEY_LOCAL_MACHINE\\HARDWARE\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A} | Registry Key | FlowCloud Registry Key\r\nHKEY_LOCAL_MACHINE\\HARDWARE\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027} | Registry Key | FlowCloud Registry Key\r\nG:\\FlowCloud\\trunk\\Dev\\src\\fcClient\\Release\\QQSetupEx_func.pdb | File Path | FlowCloud PDB Path\r\ng:\\FlowCloud\\trunk\\Dev\\src\\fcClient\\Release\\fcClientDll.pdb | File Path | FlowCloud PDB Path\r\nF:\\FlowCloud\\trunk\\Dev\\src\\fcClient\\kmspy\\Driver\\Release\\Driver.pdb | File Path | FlowCloud PDB Path\r\nF:\\FlowCloud\\trunk\\Dev\\src\\fcClient\\kmspy\\Driver\\x64\\Release\\Driver.pdb | File Path | FlowCloud PDB Path\r\nET and ETPRO Suricata/SNORT Signatures\r\n2837783 ETPRO TROJAN Win32/LookBack CnC Activity\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new"
	],
	"report_names": [
		"ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3",
			"created_at": "2022-10-25T16:07:23.80111Z",
			"updated_at": "2026-04-10T02:00:04.753677Z",
			"deleted_at": null,
			"main_name": "LookBack",
			"aliases": [
				"FlowingFrog",
				"LookBack",
				"LookingFrog",
				"TA410",
				"Witchetty"
			],
			"source_name": "ETDA:LookBack",
			"tools": [
				"FlowCloud",
				"GUP Proxy Tool",
				"SodomMain",
				"SodomMain RAT",
				"SodomNormal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9ffcbb0c-7a0f-419f-a174-f18a02ce47f1",
			"created_at": "2023-01-06T13:46:39.059774Z",
			"updated_at": "2026-04-10T02:00:03.199867Z",
			"deleted_at": null,
			"main_name": "TA410",
			"aliases": [],
			"source_name": "MISPGALAXY:TA410",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434109,
	"ts_updated_at": 1775792025,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8adafe0d9d59bd6882a6c1d596f715ec79812271.pdf",
		"text": "https://archive.orkl.eu/8adafe0d9d59bd6882a6c1d596f715ec79812271.txt",
		"img": "https://archive.orkl.eu/8adafe0d9d59bd6882a6c1d596f715ec79812271.jpg"
	}
}