{ "id": "c5e373b2-8fa5-4d0a-9397-4c7f82449ef8", "created_at": "2026-04-06T00:21:04.933048Z", "updated_at": "2026-04-10T03:37:40.697325Z", "deleted_at": null, "sha1_hash": "91731d474dd26cf6576b764db57858ce6a09290f", "title": "Reverse engineering SuperBear RAT.", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 563930, "plain_text": "Reverse engineering SuperBear RAT.\r\nBy Ovi\r\nPublished: 2023-09-14 · Archived: 2026-04-05 14:45:31 UTC\r\nYou’re probably thinking, why is it called SuperBear? Well, here’s why:\r\nI spent some time analyzing this attack campaign that was impacting civil society groups and thought it would be a good\r\nidea to document the technical analysis for the low-level infosec consumers. You can read our high-level report of the\r\nmalware campaign here on Interlab’s website.\r\nNethertheless I found this sample to be quite interesting since it utilized some interesting techniques. Notably, the usage of\r\nAutoIT to perform process hollowing, and then the C2 protocol itself being somewhat similar to that of commodity RATs.\r\nAutoIT initial access\r\nIn the initial finding of the RAT disclosed on the Interlab website discusses how we found it to be deployed using an AutoIT\r\nscript. I won’t go into the original maldoc or powershell commands since it’s covered in that publication. So let’s start by\r\nlooking at the AutoIT script.\r\nOn inital view, I’d found that the script appeared to be compiled and packed. Since this is a typical feature of AutoIT scripts,\r\nI used AutoITExtractor to decompile the script (we made all payloads available on both open-source and commercial\r\nmalware zoo sites, so if you want to see any of this data yourself check the Interlab post). The source code detailed a trivial\r\nprocess injection operation by hollowing memory from a spawned instance of Explorer.exe. It decrypted a payload and\r\ninjected it into the hollowed memory.\r\nThe script is too large to cover in this post and not really necessary. The threat actor actually just modified an open-source\r\nscript that I’d found discussed across a bunch of different forums:\r\nhttps://www.autoitscript.com/forum/topic/99412-run-binary/page/8/\r\nhttps://0x0v1.com/posts/superbear/superbear/\r\nPage 1 of 7\n\nhttps://syra.forumcommunity.net/?t=55181142\r\nhttps://autoit-script.ru/threads/peredacha-parametrov-komandnoj-stroki.24834/\r\nI couldn’t be bothered to reverse the entire crypto operation to get the payload, if you look at the sample you’ll see what I\r\nmean, so for time sake I just executed it dynamically with the intention of carving out the injected PE.\r\nWhen the script spawns explorer.exe we can see a Private address space with RWX permissions. A notable sign of injection!\r\nInspecting the memory we see an MZ header.\r\n… and contained within that memory is also a string relating to the C2 server that I’d previously found in sandbox\r\ndetonation.\r\nFrom a detection standpoint, this process hollowing operation is pretty loud and I’d be surprised if most Avs didn’t pick it\r\nup. You can of course use Process Hacker etc to dump the PE file. Though I ran @hasherezade’s Hollows Hunter to get a\r\ndump of the PE file. Once dumped, I took the PE file to IDA and here’s what I found.\r\nSuperBear RAT static reverse engineering\r\nMuch like other RATs the malicious code first creates a mutex object using “CreateMutexW”. The mutex name is\r\n(“BEARLDR-EURJ-RHRHR”). In then handles an “already running” case by checking if the mutex creation result is 5. If it\r\nis, it displays a message stating “already running” and proceeds to exit the process. If it’s not, it calls sub_401070 which\r\nestablishes the C2 connection.\r\nhttps://0x0v1.com/posts/superbear/superbear/\r\nPage 2 of 7\n\nThe C2 mechanism begins by first allocating memory and initializing a memory block to hold a string “AAAAAA”\r\nproviding space to store data. It then defines three variables for URI paths “/id1”, “/id2” \u0026 “/id3”.\r\nIt then validates the C2 connection by looping over a call to “InternetOpenW” till it successfully establishes a valid\r\n“hInternet” handle. Once complete, it uses “InternetConnectW” to connect to the C2 server, in this instance\r\n“hironchk[.]com” checking the defined URI paths previously. It iterates through these three URI paths indefinitely until a\r\nconnection is established. After successful connection it sleeps for 10 seconds before continuing the loop again.\r\nhttps://0x0v1.com/posts/superbear/superbear/\r\nPage 3 of 7\n\nDuring dynamic analysis, you can of course see the malware attempting connecting to these URI paths.\r\nOnce the C2 connection is established, it performs a HTTP request. Interestingly, the actor left a push instruction that pushes\r\nthe address of the string “Connected to vk.com” onto the stack. Despite this, the C2 address is not anything to do with VK,\r\nthough this is an interesting observation a TI perspective.\r\nIt checks if the request was successful and then allocates memory using “VirtualAlloc”. The allocated memory is then read\r\nfrom the HTTP connection using the InternetReadFile function. This is looped, and retrieves data from the connection into\r\nthe “lpBuffer”.\r\nThe HTML data is checked for the string “NdBrldr”, if the string “NdBrldr” is not found during the processing of the loop\r\nthe loop will exit. If it’s found, it will continue and a string “Found watermark” is pushed to the stack.\r\nAfter the loop ends the allocated memory is released using “VirtualFree” and the request handle is closed using\r\n“InternetCloseHandle”.\r\nhttps://0x0v1.com/posts/superbear/superbear/\r\nPage 4 of 7\n\nOnce the connection is established it will do one of four operations depending on the command message received from the\r\nC2.\r\nDo nothing\r\nExfiltrate process and system data\r\nDownload and execute a shell command\r\nDownload and run a DLL\r\nWhen exfiltrating data, the RAT uses “CreateToolhelp32Snapshot” to create a snapshot of the running processes and saves\r\nthem to a file located here: “C:\\Users\\Public\\Documents\\proc.db”\r\nIt then executes the SystemInfo command and saves the output to a file located here: “C:\\Users\\Public\\Documents\\sys.db”\r\nEach of these text files are uploaded to the C2 located at URI “/upload/upload.php”\r\nIf the download execute command is seen, it reads a base64 encoded string from the C2 server and decodes it. It then uses\r\nthe ShellExecuteW to execute this.\r\nhttps://0x0v1.com/posts/superbear/superbear/\r\nPage 5 of 7\n\nIf the DLL command is found, it will pull a DLL payload from the C2 and use rundll32 to execute it. This DLL data is\r\nbase64 encoded, and when pulled from the C2 it decodes it and stores the decoded result in a memory block. The resultant\r\npayload is allocated using “VirtualAlloc” and memory freed by VirtualFree. It attempts to generate a random string for the\r\nDLL filename, if it can’t it uses a default string of “SuperBear”.\r\nI won’t document the “do nothing” portion :). In the sample I had, the C2 was instructing to only initiate the exfiltration\r\nrecon activity described above. I wasn’t able to pull an addition DLL payload. Maybe we will see what that DLL contains in\r\nthe future. Definitely something to look out for.\r\nFinal thoughts\r\nhttps://0x0v1.com/posts/superbear/superbear/\r\nPage 6 of 7\n\nI made all these samples available here:\r\nVT Collection:\r\nhttps://www.virustotal.com/gui/collection/454cfe3be695d0a387d7877c11d3b224b3e2c7d22fc2f31f349b5c23799967ec/summary\r\nMalware Bazaar:\r\nSuperBear RAT (dumped PE from memory):\r\nhttps://bazaar.abuse.ch/sample/282e926eb90960a8a807dd0b9e8668e39b38e6961b0023b09f8b56d287ae11cb\r\nAutoIT process injector:\r\nhttps://bazaar.abuse.ch/sample/5305b8969b33549b6bd4b68a3f9a2db1e3b21c5497a5d82cec9beaeca007630e/\r\nGenerally I think the RAT is pretty trivial and also demonstrated functionality similar to xRAT/Quasar. Signature detection\r\nfor it seem either generic or heuristic, so I’m not sure how much more samples we’ll see but since Kimsuky have utilized\r\nthat in the past, I am wondering why this seems novel. Why did they move from using Quasar to something like this? Also\r\nanother question that makes me ponder is the utilization of AutoIT. There have been recent reports of open-source tooling\r\nbeing used more by other threat groups in NK, is there a connection here? Maybe I’m just trying to make something out of\r\nnothing but I think it’s an interesting point to consider.\r\nWhen I get round to it, I’ll add some Yara rules here and update this post.\r\nOvi\r\nA bit about my new website:\r\nThis is a new site for me, I recently moved from Hugo to using Ghost. I am an independent research - I do not work for\r\ncorporations and only work with non-profit groups. For me, getting my research out to as many people for the betterment of\r\ndigital security is my goal. I also wish to contribute directly to information security and human rights. In creating a\r\nsubscription list for my work, it helps me publish my research and get it out to the right people. I hope, in time, I can\r\ncontinue to publish my research here without needing to rely on media outlets to get the work heard. If you would like to\r\nsupport me, please consider subscribing:\r\nSource: https://0x0v1.com/posts/superbear/superbear/\r\nhttps://0x0v1.com/posts/superbear/superbear/\r\nPage 7 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://0x0v1.com/posts/superbear/superbear/" ], "report_names": [ "superbear" ], "threat_actors": [ { "id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2", "created_at": "2022-10-25T15:50:23.280374Z", "updated_at": "2026-04-10T02:00:05.305572Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "Kimsuky", "Black Banshee", "Velvet Chollima", "Emerald Sleet", "THALLIUM", "APT43", "TA427", "Springtail" ], "source_name": "MITRE:Kimsuky", "tools": [ "Troll Stealer", "schtasks", "Amadey", "GoBear", "Brave Prince", "CSPY Downloader", "gh0st RAT", "AppleSeed", "Gomir", "NOKKI", "QuasarRAT", "Gold Dragon", "PsExec", "KGH_SPY", "Mimikatz", "BabyShark", "TRANSLATEXT" ], "source_id": "MITRE", "reports": null }, { "id": "760f2827-1718-4eed-8234-4027c1346145", "created_at": "2023-01-06T13:46:38.670947Z", "updated_at": "2026-04-10T02:00:03.062424Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "G0086", "Emerald Sleet", "THALLIUM", "Springtail", "Sparkling Pisces", "Thallium", "Operation Stolen Pencil", "APT43", "Velvet Chollima", "Black Banshee" ], "source_name": "MISPGALAXY:Kimsuky", "tools": [ "xrat", "QUASARRAT", "RDP Wrapper", "TightVNC", "BabyShark", "RevClient" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d", "created_at": "2025-08-07T02:03:25.101147Z", "updated_at": "2026-04-10T02:00:03.846812Z", "deleted_at": null, "main_name": "NICKEL KIMBALL", "aliases": [ "APT43 ", "ARCHIPELAGO ", "Black Banshee ", "Crooked Pisces ", "Emerald Sleet ", "ITG16 ", "Kimsuky ", "Larva-24005 ", "Opal Sleet ", "Ruby Sleet ", "SharpTongue ", "Sparking Pisces ", "Springtail ", "TA406 ", "TA427 ", "THALLIUM ", "UAT-5394 ", "Velvet Chollima " ], "source_name": "Secureworks:NICKEL KIMBALL", "tools": [ "BabyShark", "FastFire", "FastSpy", "FireViewer", "Konni" ], "source_id": "Secureworks", "reports": null }, { "id": "71a1e16c-3ba6-4193-be62-be53527817bc", "created_at": "2022-10-25T16:07:23.753455Z", "updated_at": "2026-04-10T02:00:04.73769Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "APT 43", "Black Banshee", "Emerald Sleet", "G0086", "G0094", "ITG16", "KTA082", "Kimsuky", "Larva-24005", "Larva-25004", "Operation Baby Coin", "Operation Covert Stalker", "Operation DEEP#DRIVE", "Operation DEEP#GOSU", "Operation Kabar Cobra", "Operation Mystery Baby", "Operation Red Salt", "Operation Smoke Screen", "Operation Stealth Power", "Operation Stolen Pencil", "SharpTongue", "Sparkling Pisces", "Springtail", "TA406", "TA427", "Thallium", "UAT-5394", "Velvet Chollima" ], "source_name": "ETDA:Kimsuky", "tools": [ "AngryRebel", "AppleSeed", "BITTERSWEET", "BabyShark", "BoBoStealer", "CSPY Downloader", "Farfli", "FlowerPower", "Gh0st RAT", "Ghost RAT", "Gold Dragon", "GoldDragon", "GoldStamp", "JamBog", "KGH Spyware Suite", "KGH_SPY", "KPortScan", "KimJongRAT", "Kimsuky", "LATEOP", "LOLBAS", "LOLBins", "Living off the Land", "Lovexxx", "MailPassView", "Mechanical", "Mimikatz", "MoonPeak", "Moudour", "MyDogs", "Mydoor", "Network Password Recovery", "PCRat", "ProcDump", "PsExec", "ReconShark", "Remote Desktop PassView", "SHARPEXT", "SWEETDROP", "SmallTiger", "SniffPass", "TODDLERSHARK", "TRANSLATEXT", "Troll Stealer", "TrollAgent", "VENOMBITE", "WebBrowserPassView", "xRAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434864, "ts_updated_at": 1775792260, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/91731d474dd26cf6576b764db57858ce6a09290f.pdf", "text": "https://archive.orkl.eu/91731d474dd26cf6576b764db57858ce6a09290f.txt", "img": "https://archive.orkl.eu/91731d474dd26cf6576b764db57858ce6a09290f.jpg" } }