{ "id": "079cd3d0-75f6-44b1-9c0c-78746b050714", "created_at": "2026-04-06T00:22:09.629705Z", "updated_at": "2026-04-10T03:35:58.774205Z", "deleted_at": null, "sha1_hash": "94cf359a01b554eb46edd83952e99930d114046c", "title": "Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques « Threat Research Blog", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 604821, "plain_text": "Obfuscation in the Wild: Targeted Attackers Lead the Way in\r\nEvasion Techniques « Threat Research Blog\r\nBy by Daniel Bohannon, Nick Carr | Threat Research\r\nPublished: 2017-06-30 · Archived: 2026-04-05 14:48:57 UTC\r\nThroughout 2017 we have observed a marked increase in the use of command line evasion and obfuscation by a\r\nrange of targeted attackers. Cyber espionage groups and financial threat actors continue to adopt the latest cutting-edge application whitelisting bypass techniques and introduce innovative obfuscation into their phishing lures.\r\nThese techniques often bypass static and dynamic analysis methods and highlight why signature-based detection\r\nalone will always be at least one step behind creative attackers.\r\nIn early 2017, FIN8 began using environment variables paired with PowerShell’s ability to receive commands via\r\nStdIn (standard input) to evade detection based on process command line arguments. In the February 2017\r\nphishing document “COMPLAINT Homer Glynn.doc” (MD5: cc89ddac1afe69069eb18bac58c6a9e4), the file\r\ncontains a macro that sets the PowerShell command in one environment variable\r\n(_MICROSOFT_UPDATE_CATALOG) and then the string “powershell -” in another environment variable\r\n(MICROSOFT_UPDATE_SERVICE). When a PowerShell command ends in a dash then PowerShell will execute\r\nthe command that it receives via StdIn, and only this dash will appear in powershell.exe’s command line\r\narguments. Figure 1 provides the commands that were extracted using Mandiant consultant Nick Carr’s FIN8\r\nmacro decoder.\r\nFigure 1: FIN8 environment variable commands extracted from “COMPLAINT Homer Glynn.doc” macros\r\nTo evade many detections based on parent-child process relationships, FIN8 crafted this macro to use WMI to\r\nspawn the cmd.exe execution. Therefore, WinWord.exe never creates a child process, but the process tree looks\r\nlike: wmiprvse.exe \u003e cmd.exe \u003e powershell.exe. FIN8 has regularly used obfuscation and WMI to remotely\r\nlaunch their PUNCHTRACK POS-scraping malware, and the 2017 activity is an implementation of these evasion\r\ntechniques at an earlier stage of compromise.\r\nhttps://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html\r\nPage 1 of 3\n\nAs new application whitelisting bypass techniques have surfaced, targeted attackers have quickly adopted these\r\ninto their campaigns with extra layers of obfuscation to stay ahead of many defenders. Many groups leverage the\r\nregsvr32.exe application whitelisting bypass, including APT19 in their 2017 campaign against law firms. The\r\ncyber espionage group APT32 heavily obfuscates their backdoors and scripts, and Mandiant consultants observed\r\nAPT32 implement additional command argument obfuscation in April 2017. Instead of using the argument /i:http\r\nfor the regsvr32.exe bypass, APT32 used cmd.exe obfuscation techniques to attempt to break signature-based\r\ndetection of this argument. At FireEye we have seen them include both /i:^h^t^t^p and /i:h”t”t”p in their lures.\r\nFigure 2 shows a redacted screenshot of our Host Investigative Platform (HIP) capturing real-time attacker\r\nactivity during one of our Mandiant incident response engagements for APT32 activity.\r\nFigure 2: APT32 command obfuscation for regsvr32.exe application whitelisting bypass\r\nMeanwhile, FIN7 has continued to wreak havoc on the restaurant, hospitality, and financial services sectors in\r\n2017. To ensure their arsenal did not grow stale, in April 2017 FIN7 shifted to using wscript.exe to run JavaScript\r\npayloads that retrieve an additional payload hidden in the phishing document by use of the Word.Application\r\nCOM object.\r\nThis week, FireEye identified FIN7 introducing additional obfuscation techniques at both the JavaScript and\r\ncmd.exe levels. These methods rely on FIN7’s preferred method of hiding shortcut files (LNK files) in their\r\nDOCX and RTF phishing documents to initiate the infection. At the time of this blog, the files implementing this\r\ntechnique were detected by 0 antivirus engines. For JavaScript, instead of specifying “Word.Application” for the\r\nCOM object instantiation, FIN7 began concatenating the string to “Wor”+”d.Application”. In addition,\r\nJavaScript’s suspicious “eval” string was transformed into “this[String.fromCharCode(101)+’va’+’l’]”. Finally,\r\nthey used a little-known character replacement functionality supported by cmd.exe. The wscript.exe command is\r\nset in a process-level environment variable “x”, but is obfuscated with the “@” character. When the “x” variable is\r\nechoed at the end of the script the “@” character is removed by the syntax “%x:@=%”. Figure 3 shows this\r\ncommand extracted from a LNK file embedded within a new FIN7 phishing document.\r\nFigure 3: FIN7 command obfuscation from LNK file phishing document\r\nIn this example, FIN7 implements FIN8’s passing of commands via StdIn – this time passing it to cmd.exe instead\r\nof powershell.exe – but the evasion effect is the same. While this example will expose these arguments in the first\r\ncmd.exe’s command execution, if this environment variable were set within the LNK or a macro and pushed to\r\ncmd.exe via StdIn from VBA, then nothing would appear on the command line.\r\nhttps://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html\r\nPage 2 of 3\n\nThe FireEye iSIGHT Intelligence MySIGHT Portal contains detailed information on these attackers – and all\r\nfinancial and cyber espionage groups that we track – including analysis of their malware, tactics, and further\r\nintelligence attribution.\r\nWe fully expect targeted attackers to continue this pattern of adopting new bypass techniques and adding\r\ninnovative obfuscation at both the macro and command line levels. As for what we might see next, we’d\r\nrecommend reading up on DOS command line tricks so that monitoring your network isn’t the first time you see\r\nnew attacker tricks. Network defenders must understand what obfuscation is possible, assess their endpoint and\r\nnetwork visibility, and most importantly not rely on a single method to detect these attacks.\r\nSource: https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html\r\nhttps://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html" ], "report_names": [ "obfuscation-in-the-wild.html" ], "threat_actors": [ { "id": "1f3cf3d1-4764-4158-a216-dd6352e671bb", "created_at": "2022-10-25T15:50:23.837615Z", "updated_at": "2026-04-10T02:00:05.322197Z", "deleted_at": null, "main_name": "APT19", "aliases": [ "APT19", "Codoso", "C0d0so0", "Codoso Team", "Sunshop Group" ], "source_name": "MITRE:APT19", "tools": [ "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "af509bbb-8d18-4903-a9bd-9e94099c6b30", "created_at": "2023-01-06T13:46:38.585525Z", "updated_at": "2026-04-10T02:00:03.030833Z", "deleted_at": null, "main_name": "APT32", "aliases": [ "OceanLotus", "ATK17", "G0050", "APT-C-00", "APT-32", "Canvas Cyclone", "SeaLotus", "Ocean Buffalo", "OceanLotus Group", "Cobalt Kitty", "Sea Lotus", "APT 32", "POND LOACH", "TIN WOODLAWN", "Ocean Lotus" ], "source_name": "MISPGALAXY:APT32", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3150bf4f-288a-44b8-ab48-0ced9b052a0c", "created_at": "2025-08-07T02:03:24.910023Z", "updated_at": "2026-04-10T02:00:03.713077Z", "deleted_at": null, "main_name": "GOLD HUXLEY", "aliases": [ "CTG-6969 ", "FIN8 " ], "source_name": "Secureworks:GOLD HUXLEY", "tools": [ "Gozi ISFB", "Powersniff" ], "source_id": "Secureworks", "reports": null }, { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "5bdde906-0416-42ee-9100-5ebd95dda77a", "created_at": "2023-01-06T13:46:38.601977Z", "updated_at": "2026-04-10T02:00:03.035842Z", "deleted_at": null, "main_name": "FIN8", "aliases": [ "ATK113", "G0061" ], "source_name": "MISPGALAXY:FIN8", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "870f6f62-84f5-48ca-a18e-cf2902cd6924", "created_at": "2022-10-25T15:50:23.303818Z", "updated_at": "2026-04-10T02:00:05.301184Z", "deleted_at": null, "main_name": "APT32", "aliases": [ "APT32", "SeaLotus", "OceanLotus", "APT-C-00", "Canvas Cyclone" ], "source_name": "MITRE:APT32", "tools": [ "Mimikatz", "ipconfig", "Kerrdown", "Cobalt Strike", "SOUNDBITE", "OSX_OCEANLOTUS.D", "KOMPROGO", "netsh", "RotaJakiro", "PHOREAL", "Arp", "Denis", "Goopy" ], "source_id": "MITRE", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "46a151bd-e4c2-46f9-aee9-ee6942b01098", "created_at": "2023-01-06T13:46:38.288168Z", "updated_at": "2026-04-10T02:00:02.911919Z", "deleted_at": null, "main_name": "APT19", "aliases": [ "DEEP PANDA", "Codoso", "KungFu Kittens", "Group 13", "G0009", "G0073", "Checkered Typhoon", "Black Vine", "TEMP.Avengers", "PinkPanther", "Shell Crew", "BRONZE FIRESTONE", "Sunshop Group" ], "source_name": "MISPGALAXY:APT19", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null }, { "id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d", "created_at": "2025-08-07T02:03:24.595597Z", "updated_at": "2026-04-10T02:00:03.740023Z", "deleted_at": null, "main_name": "BRONZE FIRESTONE", "aliases": [ "APT19 ", "C0d0s0", "Checkered Typhoon ", "Chlorine ", "Deep Panda ", "Pupa ", "TG-3551 " ], "source_name": "Secureworks:BRONZE FIRESTONE", "tools": [ "9002", "Alice's Rabbit Hole", "Cobalt Strike", "Derusbi", "PlugX", "PoisonIvy", "PowerShell Empire", "Trojan Briba", "Zuguo" ], "source_id": "Secureworks", "reports": null }, { "id": "72d09c17-e33e-4c2f-95db-f204848cc797", "created_at": "2022-10-25T15:50:23.832551Z", "updated_at": "2026-04-10T02:00:05.336787Z", "deleted_at": null, "main_name": "FIN8", "aliases": [ "FIN8", "Syssphinx" ], "source_name": "MITRE:FIN8", "tools": [ "BADHATCH", "PUNCHBUGGY", "Ragnar Locker", "PUNCHTRACK", "dsquery", "Nltest", "Sardonic", "PsExec", "Impacket" ], "source_id": "MITRE", "reports": null }, { "id": "fc80a724-e567-457c-82bb-70147435e129", "created_at": "2022-10-25T16:07:23.624289Z", "updated_at": "2026-04-10T02:00:04.691643Z", "deleted_at": null, "main_name": "FIN8", "aliases": [ "ATK 113", "G0061", "Storm-0288", "Syssphinx" ], "source_name": "ETDA:FIN8", "tools": [ "ALPHV", "ALPHVM", "BadHatch", "BlackCat", "Noberus", "PSVC", "PUNCHTRACK", "PoSlurp", "Powersniff", "PunchBuggy", "Ragnar Loader", "Ragnar Locker", "RagnarLocker", "Sardonic", "ShellTea" ], "source_id": "ETDA", "reports": null }, { "id": "bfded1cf-be73-44f9-a391-0751c9996f9a", "created_at": "2022-10-25T15:50:23.337107Z", "updated_at": "2026-04-10T02:00:05.252413Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "FIN7", "GOLD NIAGARA", "ITG14", "Carbon Spider", "ELBRUS", "Sangria Tempest" ], "source_name": "MITRE:FIN7", "tools": [ "Mimikatz", "AdFind", "JSS Loader", "HALFBAKED", "REvil", "PowerSploit", "CrackMapExec", "Carbanak", "Pillowmint", "Cobalt Strike", "POWERSOURCE", "RDFSNIFFER", "SQLRat", "Lizar", "TEXTMATE", "BOOSTWRITE" ], "source_id": "MITRE", "reports": null }, { "id": "5da6b5fd-1955-412a-81aa-069fb50b6e31", "created_at": "2025-08-07T02:03:25.116085Z", "updated_at": "2026-04-10T02:00:03.668978Z", "deleted_at": null, "main_name": "TIN WOODLAWN", "aliases": [ "APT32 ", "Cobalt Kitty", "OceanLotus", "WOODLAWN " ], "source_name": "Secureworks:TIN WOODLAWN", "tools": [ "Cobalt Strike", "Denis", "Goopy", "JEShell", "KerrDown", "Mimikatz", "Ratsnif", "Remy", "Rizzo", "RolandRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82", "created_at": "2022-10-25T16:07:23.619566Z", "updated_at": "2026-04-10T02:00:04.690061Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "APT-C-11", "ATK 32", "G0046", "Gold Niagara", "GrayAlpha", "ITG14", "TAG-CR1" ], "source_name": "ETDA:FIN7", "tools": [ "7Logger", "Agentemis", "Anubis Backdoor", "Anunak", "Astra", "BIOLOAD", "BIRDWATCH", "Bateleur", "Boostwrite", "CROWVIEW", "Carbanak", "Cobalt Strike", "CobaltStrike", "DICELOADER", "DNSMessenger", "FOWLGAZE", "HALFBAKED", "JSSLoader", "KillACK", "LOADOUT", "Lizar", "Meterpreter", "Mimikatz", "NetSupport", "NetSupport Manager", "NetSupport Manager RAT", "NetSupport RAT", "NetSupportManager RAT", "POWERPLANT", "POWERSOURCE", "RDFSNIFFER", "Ragnar Loader", "SQLRAT", "Sardonic", "Sekur", "Sekur RAT", "TEXTMATE", "Tirion", "VB Flash", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434929, "ts_updated_at": 1775792158, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/94cf359a01b554eb46edd83952e99930d114046c.pdf", "text": "https://archive.orkl.eu/94cf359a01b554eb46edd83952e99930d114046c.txt", "img": "https://archive.orkl.eu/94cf359a01b554eb46edd83952e99930d114046c.jpg" } }