{
	"id": "e717a43f-e975-4239-a558-d2a943e259f3",
	"created_at": "2026-04-06T01:32:27.969854Z",
	"updated_at": "2026-04-10T03:36:33.432515Z",
	"deleted_at": null,
	"sha1_hash": "98208df8af3ef233dcb848eaafde355d1fec6d3f",
	"title": "CrimsonIAS: Listening for an 3v1l User",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65261,
	"plain_text": "CrimsonIAS: Listening for an 3v1l User\r\nBy ThreatConnect\r\nPublished: 2021-01-27 · Archived: 2026-04-06 01:01:01 UTC\r\nExecutive Summary\r\nCrimsonIAS is a Delphi-written backdoor dating back to at least 2017 that enables operators to run command line tools, exfiltrate files, and upload files to the infected machine. CrimsonIAS is notable because it listens for incoming connections only, making it different from typical Windows backdoors that beacon out. The characteristics found in CrimsonIAS’s execution flow suggest a connection to Mustang Panda (aka BRONZE PRESIDENT, RedDelta) PlugX samples. Based on those non-unique characteristics, ThreatConnect assesses with low confidence that CrimsonIAS is an additional tool in Mustang Panda’s repertoire. Industry reporting assesses with varying levels of confidence that Mustang Panda is a Chinese espionage actor that has conducted operations in Mongolia, Vietnam, and Hong Kong among other locations. According to fellow researchers, Mustang Panda targets non-government organizations (NGOs), law enforcement organizations, and political entities.\r\nDiscovery\r\nThreatConnect identified CrimsonIAS while hunting for XOR-encrypted PlugX binaries. The CrimsonIAS backdoor is encrypted similarly to recent Mustang Panda PlugX samples, which piqued our interest.\r\nEncrypted SHA256: acfd58369c0a7dbc866ad4ca9cb0fe69d017587af88297f1eaf62a9a8b1b74b4\r\nDecrypted SHA256: 891ece4c40a7bf31f414200c8c2c31192fd159c1316012724f3013bd0ab2a68e\r\nCrimsonIAS Analysis\r\nThe developers behind CrimsonIAS wrote this backdoor using Delphi. They also added some features that changed the normal execution flow, starting with shell code embedded in the MZ header. Windows executables are not designed to execute code from the MZ header; they have a dedicated section (outside of the MZ header) for executable code. 
The actor is able to work around this design choice to start execution in the MZ header based on how we suspect the binary is loaded. This shell code calls a reflective loader function which resolves additional library functions needed before jumping to the malware’s actual entrypoint. The binary was also XOR encrypted with a 10-byte XOR key prepended to the binary (T1140: Deobfuscate/Decode Files or Information). All of these are also seen in Mustang Panda’s PlugX samples.\r\nThis backdoor spins up a listener and awaits the operator’s commands to run command line tools, exfiltrate files, and upload files to the infected machine. Prior to spinning up the network listener, CrimsonIAS launches netsh.exe to open a port on the local machine (T1562.004: Impair Defenses: Disable or Modify System Firewall). This sample opens port 80.\r\nCommand and Control\r\nWhen receiving network traffic, the listener’s handler first checks for the presence of the marker 0x33669966 (T1205: Traffic Signaling). If it matches, then the handler proceeds to parse the first 24 bytes.\r\nThe first 24 bytes make up the command header; however, only the first three DWORDs appear to be used.\r\nThe command buffer starts at offset 24 (0x18) and its content differs based upon the command code specified.\r\nThe three command codes are:\r\n0x6600 : Run Command (T1059.003: Command and Scripting Interpreter: Windows Command Shell)\r\n0x7701 : Receive File (T1105: Ingress Tool Transfer)\r\n0x7702 : Send File (T1041: Exfiltration Over C2 Channel)\r\nA null-preserving XOR encryption algorithm is used to hide the buffer’s contents (T1573.001: Encrypted Channel: Symmetric Cryptography). 
All of the samples found use the same single-byte XOR key 0x85.\r\nCommand and Control Recreation\r\nhttps://threatconnect.com/blog/crimsonias-listening-for-an-3v1l-user-2/\r\nPage 1 of 5\n\nAfter reversing the backdoor’s network byte parser, we recreated parts of the command and control (C2) server to elicit responses from it. Here the backdoor responds to our command telling it to execute “net user evil 3v1l /add”.\r\nNotice that both the sent and received responses start with 0x33669966 (0x66996633 on the network), enabling fingerprinting of the network traffic. The response buffer reads: “The command completed successfully.”\r\nMustang Panda Connection\r\nWe assess with low confidence that CrimsonIAS is associated with Mustang Panda. The similarities in how the binary was packaged, along with how it is launched, are the basis for this connection.\r\nInspecting Mustang Panda PlugX samples identified last year, we observed these three pertinent characteristics:\r\n1 – Encrypted with a 10-byte XOR key prepended to the encrypted binary\r\nFigures 7 and 8 show a prepended XOR key separated by a null byte from the encrypted payload. Over the past 8 months we’ve been monitoring this technique and, outside of this one CrimsonIAS sample, all the other uploaded samples have been the PlugX associated with Mustang Panda. We acknowledge that during the last two months of 2020 two samples deviated from the 10-byte XOR key length; however, the overwhelming majority used a 10-byte prepended XOR key.\r\n2 – Matching shell code at the start of the MZ header (minus the offset value)\r\nShell code in the MZ header is not exclusive to Mustang Panda, as tools like Cobalt Strike make use of this; however, this set of bytes (shown in figures 9 and 10) we’ve only seen in files related to Mustang Panda over the past few months.\r\n3 – Exported Loader function\r\nBoth samples also make use of a reflective loader technique which they export under the name Loader. 
Searching VTI for this exported function leads to a fair number of results not tied to Mustang Panda samples, so the presence of this export is not unique enough.\r\nFinally, we successfully launched CrimsonIAS by taking a Mustang Panda PlugX archive (complete with the DLL sideloading executable and the sideloaded DLL) and swapping out the encrypted PlugX DLL with the encrypted CrimsonIAS DLL (T1574.002: Hijack Execution Flow: DLL Side-Loading).\r\nGrouping these characteristics together is the basis for the CrimsonIAS connection with Mustang Panda. The reasoning behind the low confidence is the fact that the first two techniques should be trivial to implement/copy and that the third is not unique to Mustang Panda, increasing the likelihood it could be a copycat, false flag, or inadvertent consistency.\r\nAdditional information on organizations targeted, affected regions, the complete payload, inbound communications, or any associated incidents would potentially help us reassess our confidence in CrimsonIAS’ association to Mustang Panda.\r\nEvolution\r\nVirusTotal shows that the first sample was uploaded back in 2018.\r\nSHA256 | Compile Time | VT First Submission | DLL Name | Exports\r\n3bc96b4cce0dd550eeb3a563f7ef203614e36fbbbf990726e1afd5d3dcec33e1 | 1511835471 (2017-11-28 02:17:51) | 2018-05-29 08:35:59 | Dll.dll | 0x42662c: dbkFCallWrapperA (1); 0x40bb34: __dbk_fcall_wrapp (2); 0x41d100: ServiceMain (3); 0x41d224: CPlApp (4)\r\nbde63cd5c3aefed249d2610ca2ee834bde0c0ec06193119363972e3761fb3c63 | 1527218355 (2018-05-25 03:19:15) | 2019-04-28 07:50:41 | Dll.dll | 0x42662c: dbkFCallWrapperA (1); 0x40bb34: __dbk_fcall_wrapp (2); 0x41d108: ServiceMain (3); 0x41d22c: CPlAppl (4)\r\n194c0f6c5001b929080d700362e8d8e8009973c82d9409094af2a7ad33506228 | 1527218355 (2018-05-25 03:19:15) | 2018-12-11 03:16:46 | Dll.dll | 0x42662c: dbkFCallWrapperA (1); 0x40bb34: __dbk_fcall_wrapp (2); 0x41d108: ServiceMain (3); 0x41d22c: CPlAppl (4)\r\n5021a19f439d31946e61b7529f8e930ebc9829b1ab1f2274b281b23124113cb1 | 1527218355 (2018-05-25 03:19:15) | 2018-07-23 01:02:09 | Dll.dll | 0x42662c: dbkFCallWrapperA (1); 0x40bb34: __dbk_fcall_wrapp (2); 0x41d108: ServiceMain (3); 0x41d22c: CPlAppl (4)\r\n306175ffc59091515a8a0b211c356843f09fcb65395decd9fe72c9807c17288a | 1528707090 (2018-06-11 08:51:30) | 2019-05-16 10:21:16 | Dll.dll | 0x42662c: dbkFCallWrapperA (1); 0x40bb34: __dbk_fcall_wrapp (2); 0x41d108: ServiceMain (3); 0x41d22c: CPlAppl (4)\r\n63e144fbe0377e0c365c126d2c03ee5da215db275c5376e78187f0611234c9b0 | 1531455240 (2018-07-13 04:14:00) | 2018-08-04 07:57:02 | Dll.dll | 0x42562c: dbkFCallWrapperA (1); 0x40bb34: __dbk_fcall_wrapp (2); 0x41cb80: CPlAppl (3)\r\nb19fea36cb7ea1cf1663d59b6dcf51a14e207918c228b8b76f9a79ff3a8de36c | 1539848755 (2018-10-18 07:45:55) | 2019-03-30 13:00:05 | Dll.dll | 0x42662c: dbkFCallWrapperA (1); 0x40bb34: __dbk_fcall_wrapp (2); 0x41ccc8: ServiceMain (3); 0x41cdec: CPlAppl (4)\r\n891ece4c40a7bf31f414200c8c2c31192fd159c1316012724f3013bd0ab2a68e | 1582792200 (2020-02-27 08:30:00) | 2020-08-09 06:29:04 | Dll.dll | 0x42662c: dbkFCallWrapperA (1); 0x40bb34: __dbk_fcall_wrapp (2); 0x41cbc4: Loader (\r\nThe earliest compile time found suggests this backdoor has been around since at least 2017. 
The three samples with the compile time 2018-05-25 03:19:15 are the same sample with just the listening port number changed, probably after compilation.\r\nOverall, CrimsonIAS’s primary functionality remains consistent over the years. The primary difference lies in how the malicious code is executed. The earlier samples relied on calling the exported function CPlApplet, which would register and launch a Windows service that then executes the backdoor functionality (T1569.002: System Services: Service Execution). The file 63e144fbe0377e0c365c126d2c03ee5da215db275c5376e78187f0611234c9b0 is an exception, as its exported function CPlApplet does not create a service but immediately starts up the backdoor.\r\nThe latest sample moved away from this technique and now makes use of a reflective loader technique that is seen across different malware families. This change, along with the prepended XOR key and the shellcode, provides hints as to who might be behind this backdoor.\r\nConclusion\r\nThreatConnect believes that Mustang Panda will continue to be active and adapt their toolset as needed to meet their objectives against largely near-abroad targets. The backdoor, CrimsonIAS, passively awaits commands, implying that the actor has some means of proxying/accessing the target’s network or, more likely, that the machine targeted is exposed to the public Internet. We encourage entities who think they might have been targeted by Mustang Panda to check for the presence of programs listening for external inbound connections and inspect further if something is found. 
Verify carefully, as the presence of programs listening for inbound connections does not necessarily mean that the machine is compromised.\r\nNaming Convention Note\r\nWe generally abstain from adding a new name for malware and threats where other industry reporting has already done so. Two exceptions where we may use our own naming convention:\r\nWhen we are unsure whether our findings are consistent with activity sets other organizations have described and named. In this case, we will attempt to describe the overlap and differences between those previously named sets and the activity we’re describing.\r\nWhen we are describing a previously unnamed malware or threat.\r\nThe latter is the case here. Our naming convention is intended to help describe the assessed origin of the threat or malware, along with another identifier that is specific to the entity. In this case, we are using Crimson to refer to the malware’s assessed Chinese origin, and IAS to refer to the Internet Authentication Service (IAS) binary string previously described.\r\nAbout the Author\r\nThreatConnect\r\nBy operationalizing threat and cyber risk intelligence, the ThreatConnect Platform changes the security operations battlefield, giving your team the advantage over the attackers. It enables you to maximize the efficacy and value of your threat intelligence and human knowledge, leveraging the native machine intelligence in the ThreatConnect Platform. Your team will maximize their impact, efficiency, and collaboration to become a proactive force in protecting the enterprise. Learn more at www.threatconnect.com.\r\nSource: https://threatconnect.com/blog/crimsonias-listening-for-an-3v1l-user-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatconnect.com/blog/crimsonias-listening-for-an-3v1l-user-2/"
	],
	"report_names": [
		"crimsonias-listening-for-an-3v1l-user-2"
	],
	"threat_actors": [
		{
			"id": "aa90ad17-8852-4732-9dba-72ffb64db493",
			"created_at": "2023-07-11T02:00:10.067957Z",
			"updated_at": "2026-04-10T02:00:03.367801Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [],
			"source_name": "MISPGALAXY:RedDelta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439147,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/98208df8af3ef233dcb848eaafde355d1fec6d3f.pdf",
		"text": "https://archive.orkl.eu/98208df8af3ef233dcb848eaafde355d1fec6d3f.txt",
		"img": "https://archive.orkl.eu/98208df8af3ef233dcb848eaafde355d1fec6d3f.jpg"
	}
}