{
	"id": "c1713f1c-4d59-4400-84a9-d5aa5b653d77",
	"created_at": "2026-04-06T00:12:15.33076Z",
	"updated_at": "2026-04-10T03:33:18.444457Z",
	"deleted_at": null,
	"sha1_hash": "96f7989bae125c4a6da20cb1dcca1619d19fce4a",
	"title": "ThunderCats Hack the FSB | Your Taxes Didn’t Pay For This Op - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1578662,
	"plain_text": "ThunderCats Hack the FSB | Your Taxes Didn’t Pay For This Op - SentinelLabs\r\nBy Juan Andrés Guerrero-Saade\r\nPublished: 2021-06-08 · Archived: 2026-04-05 16:24:19 UTC\r\nKey Findings\r\nThis research focuses on the ‘Mail-O’ malware used against the FSB and other Russian government organizations, detailed in the May 2021 FSB NKTsKI and Rostelecom-Solar report.\r\nEarly armchair commentary presumed that, given the targets, this attack would undoubtedly be the work of a Western government, Five Eyes, or the United States.\r\nOur analysis disproves that hypothesis.\r\nInstead, we argue that the Mail-O malware is a variant of a relatively well-known malware family called PhantomNet or SManager, used by the threat actor ‘TA428’.\r\nPrevious reporting on TA428 points to Chinese origin and details a history of attacks against South East Asian and Russian targets.\r\nActor Disambiguation\r\nRelated actors: TA428, suspected IronHusky\r\nRelated operations: Operation SignSight, Operation LagTimeIT\r\nRelated malware: PhantomNet, SManager, TManger, CoughingDown\r\nIn May 2021, the Russian Federal Security Service’s National Coordination Center for Computer Incidents (NKTsKI), in coordination with Rostelecom, announced that several Russian government institutions had been victims of an APT campaign. While the Russian government has made similar announcements before, this is the first time it has accompanied one with a moderately detailed technical analysis. Several researchers, myself included, jumped on the opportunity to write YARA rules and hope for a glimpse at the culprit.\r\nThe InfoSec twitterverse needed no such artifacts, as blind speculation immediately pointed at a Western government, Five Eyes, or the United States as de facto culprits. 
I think we’ll be relieved to find out that was most likely not the case, if solely because we’ve come to expect a higher standard for Western malware development.\r\nInitial attempts to find the samples were fruitless, but that changed this past weekend when some kind soul (or, more likely, a bulk autosubmitter) uploaded a copy of the ‘Mail-O’ malware to VirusTotal. We track this activity under the name ‘ThunderCats’.\r\nhttps://www.sentinelone.com/labs/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op\r\nPage 1 of 6\n\nTechnical Analysis\r\nSHA256: 603881f4c80e9910ab22f39717e8b296910bff08cd0f25f78d5bff1ae0dce5d7\r\nSHA1: b7c1ec9484c4c2dcd01f861eeaa3b915c3e3312e\r\nMD5: d58b95f8413f784552d7fdadbb621243\r\nSize: 2.82 MB\r\nCompilation Timestamp: 2019-12-20 02:13:01\r\nFirst Submitted: 2021-06-05 05:22:04\r\nIn line with the findings of the NKTsKI-Rostelecom report, the Mail-O malware acts as a downloader with a thin veneer of similarity to the legitimate Mail.ru Disk-O software. The disguise consists of a version number (“19.05.0045”) lifted from a legitimate Disk-O executable and the use of real Mail.ru infrastructure to post victim details and host a next-stage payload.\r\nThe executable is bulked up to 2.8MB by statically linking both libcurl 7.64.1 and OpenSSL. Focus is important to avoid going down a pointless rabbit hole of reversing unrelated open-source code, so we concentrate primarily on the exported functions.\r\nThe Mail-O malware exports two functions, Entery and ServiceMain:\r\nMail-O malware’s exported functions\r\nMail-O: ServiceMain\r\nServiceMain function pseudocode\r\nServiceMain takes a service name as an argument and attempts to register a service control handler with a specific HandlerProc function meant to check and set the status of that service. 
With a valid service status handle, Mail-O detaches the calling process from its console, updates the service status values to reflect its current running state, and calls the Entery function. Note the debug string “ServiceMain Load” in ServiceMain; this template comes into play when looking for connections to other malware.\r\nMail-O: Entery\r\nThe Entery function is called at the end of ServiceMain, but it can also be invoked independently. It checks for the presence of ‘%AllUsersProfile%PSEXESVC.EXE’ and launches it as a process. This function is registered as a top-level exception filter.\r\nMail-O PSEXESVC.exe check function\r\nThe main Entery logic is orchestrated in the next function. First, Mail-O checks the registry for an existing install of the legitimate Mail.Ru Disk-O software. It then decrypts configuration strings and contacts https://dispatcher.cloud.mail.ru/.\r\nMail-O uses the SystemTime to POST the encrypted victim hostname (or, in its absence, the string “[none]”) and receive a payload. The payload is written to a temporary path before being launched. Mail-O then enters a sleep loop for a predetermined amount of time.\r\nWe’ve yet to see ‘Webdav-O’, the other malware component described in the Rostelecom-Solar report. However, that shouldn’t keep us from following an interesting lead.\r\nThe ‘Entery’ Connection\r\nLeft: TManger sample (NTT Security) 71fe3edbee0c27121386f9c01b723e1cfb416b7af093296bd967bbabdc706393\r\nRight: Mail-O sample 603881f4c80e9910ab22f39717e8b296910bff08cd0f25f78d5bff1ae0dce5d7\r\nMail-O exports a function called Entery, presumably a misspelling of ‘Entry’. Misspellings are a true gift for malware researchers. 
As it turns out, this isn’t the first time that misspelling has been noted in a recently deployed piece of malware.\r\nIn December 2020, Ignacio Sanmillan and Matthieu Faou released an excellent report on a Vietnamese supply-chain attack that used PhantomNet (aka SManager) malware. The researchers noted that the malware’s persistence was established via a scheduled task that called the malicious DLL’s export, ‘Entery’. They also note that this same export was pointed out by NTT Security in their analysis of TManger malware, which NTT in turn correlates with Proofpoint’s ‘TA428’ threat actor. That nondescript threat actor name is adopted by Dr. Web in reporting recent attacks against additional Russian targets, including research institutes.\r\nWhile that might all seem a bit convoluted, I rehearse the logical connections to illustrate two points:\r\n1. There’s an established history of this very non-Western ‘threat actor’ targeting both Asian and Russian targets.\r\n2. These presumably Chinese clusters of activity are confusing and difficult to disentangle. Tooling is likely shared among multiple threat actors (likely including PhantomNet/SManager), and what’s being referred to as ‘TA428’ is probably an amalgam of multiple threat groups.\r\nFor skeptics, we’ve provided a YARA rule below for the Entery overlap, which covers not just the export function name but also the general layout of the function and some shared strings. 
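The overlap the YARA rule encodes (MZ magic, both exports present, the PSEXESVC path and the ServiceMain Load debug string, the latter as a whole word) can also be checked outside YARA, which is useful when triaging a feed without a YARA runtime. The Python below is an added example written for this page, not SentinelLabs’ code and not the rule itself: a minimal pure-stdlib export-table parser, a YARA-like string check, and the rule’s condition on top of them. Because no Mail-O binary can be shipped here, it runs against a constructed, non-executable PE32+ image built by build_sample_pe; that fixture, the function names and the fullword approximation are all this example’s own assumptions.

```python
import re
import struct


def _rva_to_offset(sections, rva):
    # Translate a relative virtual address into a file offset via the section table.
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError('RVA 0x%x is not backed by any section' % rva)


def pe_exports(data):
    # Names in the PE export table; [] for anything that is not a well-formed PE.
    try:
        if data[:2] != b'MZ':
            return []
        e_lfanew = struct.unpack_from('<I', data, 0x3c)[0]
        if data[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
            return []
        nsec = struct.unpack_from('<H', data, e_lfanew + 6)[0]
        opt_size = struct.unpack_from('<H', data, e_lfanew + 20)[0]
        opt = e_lfanew + 24
        magic = struct.unpack_from('<H', data, opt)[0]
        # Data directory 0 (exports) sits at +112 in a PE32+ optional header, +96 in PE32.
        exp_rva = struct.unpack_from('<I', data, opt + (112 if magic == 0x20b else 96))[0]
        sections = []
        for i in range(nsec):
            vsize, va, raw_size, raw_ptr = struct.unpack_from('<IIII', data, opt + opt_size + 40 * i + 8)
            sections.append((va, vsize, raw_ptr, raw_size))
        if exp_rva == 0:
            return []
        exp = _rva_to_offset(sections, exp_rva)
        n_names, names_rva = struct.unpack_from('<I4xI', data, exp + 24)  # NumberOfNames, AddressOfNames
        names = _rva_to_offset(sections, names_rva)
        out = []
        for i in range(n_names):
            off = _rva_to_offset(sections, struct.unpack_from('<I', data, names + 4 * i)[0])
            out.append(data[off:data.index(0, off)].decode('ascii', 'replace'))
        return out
    except (struct.error, ValueError, IndexError):
        return []


def yara_like_string(data, text, fullword=False):
    # Approximates YARA's ascii wide [fullword]: match as ASCII or UTF-16LE, and with
    # fullword refuse a match that touches an alphanumeric character in that encoding.
    for enc, pad in (('ascii', b''), ('utf-16-le', bytes(1))):
        pattern = re.escape(text.encode(enc))
        if fullword:
            alnum = rb'[A-Za-z0-9]' + re.escape(pad)
            pattern = rb'(?<!' + alnum + rb')' + pattern + rb'(?!' + alnum + rb')'
        if re.search(pattern, data):
            return True
    return False


def thundercats_overlap(data):
    # The rule's condition: MZ magic, both exports, the PSEXESVC path, the debug string.
    if len(data) < 2 or struct.unpack_from('<H', data, 0)[0] != 0x5a4d:
        return False
    if not {'Entery', 'ServiceMain'} <= set(pe_exports(data)):
        return False
    return (yara_like_string(data, '%AllUsersProfile%PSEXESVC.EXE')
            and yara_like_string(data, 'ServiceMain Load', fullword=True))


def build_sample_pe(export_names, blobs):
    # Constructed fixture (an assumption, not a real sample): a minimal, non-executable
    # PE32+ image with one section that holds an export directory and the given blobs.
    sec_va, sec_raw = 0x1000, 0x400
    body = bytearray()

    def put(b):
        rva = sec_va + len(body)
        body.extend(b)
        return rva

    name_rvas = [put(n.encode('ascii') + bytes(1)) for n in export_names]
    for blob in blobs:
        put(blob + bytes(2))  # terminated like C/UTF-16 strings in a real .rdata
    put(bytes(-len(body) % 4))
    n = len(export_names)
    funcs = put(struct.pack('<%dI' % n, *([sec_va] * n)))  # dummy entry points
    names = put(struct.pack('<%dI' % n, *name_rvas))
    ords = put(struct.pack('<%dH' % n, *range(n)))
    put(bytes(-len(body) % 4))
    exp_rva = put(struct.pack('<IIHHIIIIIII', 0, 0, 0, 0, 0, 1, n, n, funcs, names, ords))
    dos = bytearray(0x40)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3c, 0x40)  # e_lfanew
    file_hdr = struct.pack('<HHIIIHH', 0x8664, 1, 0, 0, 0, 240, 0x2002)
    opt = bytearray(240)
    struct.pack_into('<H', opt, 0, 0x20b)  # PE32+ magic
    struct.pack_into('<II', opt, 112, exp_rva, 40)  # export directory RVA and size
    sec_hdr = struct.pack('<8sIIIIIIHHI', b'.rdata', len(body), sec_va, len(body), sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b'PE' + bytes(2) + file_hdr + opt + sec_hdr).ljust(sec_raw, bytes(1))
    return bytes(headers) + bytes(body)


if __name__ == '__main__':
    fixture = build_sample_pe(['Entery', 'ServiceMain'],
                              [b'%AllUsersProfile%PSEXESVC.EXE', 'ServiceMain Load'.encode('utf-16-le')])
    print(pe_exports(fixture), thundercats_overlap(fixture))
```

To run it over real files, replace the fixture with the bytes of a candidate DLL; the export check is what keeps the two generic strings from firing on every binary that happens to embed a PsExec path, and the fullword modifier is what separates the debug string from longer strings that merely contain it.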
Note that the Entery function’s layout has likely developed iteratively from an open-source template.\r\nFinally, while I’m quick to disparage the quality of the malware as not up to some exalted Western standard, it’s important to note that ThunderCats (and the larger TA428 umbrella) are pulling off custom-tailored, region-specific supply chain attacks, successfully punching way above their weight in their intelligence collection efforts, and they should not be underestimated as an adversary.\r\nYARA\r\nimport \"pe\"\r\n\r\nrule apt_CN_ThunderCats_Overlap\r\n{\r\n    meta:\r\n        desc = \"Thundercats Entery Export Overlap\"\r\n        author = \"JAG-S @ SentinelLabs\"\r\n        version = \"1.0\"\r\n        last_modified = \"06.08.2021\"\r\n        reference = \"https://rt-solar.ru/upload/iblock/b55/Ataki-na-FOIV_otchet-NKTSKI-i-Rostelekom_S\r\n    strings:\r\n        $psexesvc = \"%AllUsersProfile%PSEXESVC.EXE\" ascii wide\r\n        $sm_load = \"ServiceMain Load\" ascii wide fullword\r\n    condition:\r\n        uint16(0) == 0x5a4d\r\n        and pe.exports(\"Entery\")\r\n        and pe.exports(\"ServiceMain\")\r\n        and all of them\r\n}\r\nReferences\r\nhttps://www.bbc.com/news/world-europe-36933239\r\nhttps://www.reuters.com/technology/russias-fsb-reports-unprecedented-hacking-campaign-aimed-government-agencies-2021-05-26/\r\nhttps://rt-solar.ru/analytics/reports/2203/\r\nhttps://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf\r\nhttps://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/\r\nSource: https://www.sentinelone.com/labs/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/labs/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op"
	],
	"report_names": [
		"thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op"
	],
	"threat_actors": [
		{
			"id": "bbdb2d7d-4bf4-4100-a108-f4742cfd69ff",
			"created_at": "2022-10-25T16:07:24.01101Z",
			"updated_at": "2026-04-10T02:00:04.836112Z",
			"deleted_at": null,
			"main_name": "Operation SignSight",
			"aliases": [],
			"source_name": "ETDA:Operation SignSight",
			"tools": [
				"Mimikatz",
				"PhantomNet",
				"SManager"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d06cd44b-3efe-47dc-bb7c-a7b091c02938",
			"created_at": "2023-11-08T02:00:07.135638Z",
			"updated_at": "2026-04-10T02:00:03.42332Z",
			"deleted_at": null,
			"main_name": "IronHusky",
			"aliases": [],
			"source_name": "MISPGALAXY:IronHusky",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2caf4672-1812-4bb9-9576-6011e56102d2",
			"created_at": "2022-10-25T16:07:23.742765Z",
			"updated_at": "2026-04-10T02:00:04.733853Z",
			"deleted_at": null,
			"main_name": "IronHusky",
			"aliases": [
				"BBCY-TA1",
				"Operation MysterySnail"
			],
			"source_name": "ETDA:IronHusky",
			"tools": [
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"MysterySnail",
				"MysterySnail RAT",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "115ee14e-a122-47a4-bef7-5d3668cda109",
			"created_at": "2025-01-10T02:00:03.15179Z",
			"updated_at": "2026-04-10T02:00:03.800179Z",
			"deleted_at": null,
			"main_name": "CoughingDown",
			"aliases": [],
			"source_name": "MISPGALAXY:CoughingDown",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1",
			"created_at": "2023-01-06T13:46:39.042499Z",
			"updated_at": "2026-04-10T02:00:03.194713Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"BRONZE DUDLEY",
				"Colourful Panda"
			],
			"source_name": "MISPGALAXY:TA428",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434335,
	"ts_updated_at": 1775791998,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/96f7989bae125c4a6da20cb1dcca1619d19fce4a.pdf",
		"text": "https://archive.orkl.eu/96f7989bae125c4a6da20cb1dcca1619d19fce4a.txt",
		"img": "https://archive.orkl.eu/96f7989bae125c4a6da20cb1dcca1619d19fce4a.jpg"
	}
}