{
	"id": "816865e4-088f-49bb-abbd-274f0c486c88",
	"created_at": "2026-04-06T00:06:55.523387Z",
	"updated_at": "2026-04-10T13:13:06.342473Z",
	"deleted_at": null,
	"sha1_hash": "9865905cc919d6728b35a243b6e7e11187be9567",
	"title": "Shakti Trojan: Document Thief | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 363596,
	"plain_text": "Shakti Trojan: Document Thief | Malwarebytes Labs\r\nBy Malwarebytes Labs\r\nPublished: 2016-08-14 · Archived: 2026-04-05 17:20:42 UTC\r\nWhile some ransomware (e.g. Chimera) makes bogus threats about stealing and releasing private files, there are other malware families that have in fact made this possibility a reality.\r\nRecently, Bleeping Computer published a short article about an unrecognized Trojan that grabs documents from the attacked computer and uploads them to a malicious server. Looking at the characteristics of the tool, we suspect that it has been prepared for the purpose of corporate espionage. So far, no AV has given any meaningful identification of this malware; it is detected only under generic names. Since not much is known about its internals, we decided to take a closer look.\r\nIn the unpacked core we found strings suggesting that the authors named the project Shakti, which means “power” in Hindi or may also be a reference to the Shakti goddess. That’s why we refer to this malware as Shakti Trojan.\r\nThis post is part 1 of the research, giving a short glimpse at the malware’s abilities as well as describing its background and possible attribution. 
See also part 2: Shakti Trojan: Technical Analysis.\r\nAnalyzed samples\r\nRecent sample mentioned by Bleeping Computer (submitted to VirusTotal on 1 August 2016):\r\nb1380af637b4011e674644e0a1a53a64: main executable\r\nbc05977b3f543ac1388c821274cbd22e: Carrier.dll\r\n7d0ebb99055e931e03f7981843fdb540: Payload.dll\r\nC\u0026C: web4solution.net\r\nOther samples found:\r\n8ea35293cbb0712a520c7b89059d5a2a: submitted to VirusTotal in 2013\r\nC\u0026C: securedesignus.com\r\n6992370821f8fbeea4a96f7be8015967: submitted to VirusTotal in 2014\r\nC\u0026C: securedesignuk.com\r\nd9181d69c40fc95d7d27448f5ece1878: submitted to VirusTotal in 2015\r\nC\u0026C: web4solution.net\r\nBehavioral analysis\r\nLike most malware, Shakti Trojan comes packed inside a loader executable with an icon added:\r\nhttps://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/\r\nPage 1 of 7\n\nAfter being deployed, it runs silently.\r\nWe will not see it on the list of running processes because it disguises itself as a browser: it starts a legitimate process and injects itself into it.\r\nBelow we can see the traffic generated by this malware, injected inside firefox.exe:\r\nThe Trojan achieves persistence either by installing itself as a service or, if that fails, by adding a key to autorun:\r\nAn atypical feature is that it does not try to hide the original file by moving it to a new location. Instead, it prevents users from accessing or removing it. To achieve this, it keeps its own file open for reading.\r\nNetwork communication\r\nThe Trojan passes the data to its C\u0026C server as an HTTP POST request (URL pattern: http://[C\u0026C address]/external/update). It also uses headers of the MSMQ protocol.\r\nIt beacons to the server by sending basic info collected about the victim system. 
When it gets a response, it uploads the list of all the installed programs:\r\nAfter passing this initial data, the main mission starts: uploading all the files with the desired extensions. Everything is transmitted in plain text. First goes the file name, then its full content:\r\nA look inside\r\nLooking at the code we can find out more about the goals the authors wanted to achieve and about their development environment.\r\nThe main executable is a loader responsible for unpacking and deploying the core malicious modules: Carrier.dll and Payload.dll. (More details about them will be described in the next post.)\r\nBoth DLLs come with paths to debug symbols. They reveal the folder structure on the development machine:\r\nE:\\Projects\\ComplexStatement\\Shakti\\Code\\Carrier\\Release\\Carrier.pdb\r\nE:\\Projects\\ComplexStatement\\Shakti\\Code\\Payload\\Release\\Payload.pdb\r\nBoth modules are written in Visual C++ and clearly belong to the same project, named Shakti.\r\nPayload.dll comes with a hardcoded list of the extensions the bot is looking for:\r\nClearly the authors were interested in stealing documents. The majority of the extensions belong to the MS Office suite:\r\ninp, sql, pdf, rtf, txt, xlsx, xls, pptx, ppt, docx, doc\r\nMost malware fingerprints the victim system, but rarely as precisely as this Trojan does. It comes with a long list of Windows versions, including special editions: Cluster Server Edition, Datacenter Edition, Compute Cluster Edition, Advanced Server, and more:\r\nThe absence of Windows 8 and 10 from that hardcoded list is notable. It may suggest that the payload is old, written before the release of those systems. 
Windows 8 was released in October 2012. Compilation timestamps of the main elements, Carrier.dll and Payload.dll, point to February 2012. We can never be sure that the compilation date is not spoofed, but since those two facts match, it is worth considering that this Trojan may have been created in 2012.\r\nTracing attribution\r\nThe domain used as a C\u0026C, web4solution.net, is registered in India.\r\nSource of the record: http://www.enom.com/whois/web4solution-net.html\r\nInterestingly, the same person was also the owner of the previously found C\u0026Cs:\r\nsecuredesignuk.com, from sample 6992370821f8fbeea4a96f7be8015967\r\nSource of the record: http://domainbigdata.com/name/ashraf%20ahmed\r\nDomain Name: securedesignuk.com; Create Date: 2011-12-20; Registrar: netearthone.com\r\nsecuredesignus.com, from sample 8ea35293cbb0712a520c7b89059d5a2a\r\nSource of the record: https://who.is/whois/securedesignus.com\r\nIndian attribution is possible, matching the Indian name of the Trojan.\r\nAdditionally, two of the C\u0026C domains, web4solution.net and securedesignuk.com, have been found using the same certificate, which confirms that they have been owned by the same actor over the years:\r\nConclusion\r\nShakti Trojan is very small and seems to be written solely for the purpose of document stealing.\r\nSo far we do not have any information suggesting that this attack is widespread. The application is not new, yet it has stayed under the radar and has not been described so far. Its signature does not match any known commodity malware. 
The only found trace points to the malware were \r\nIt is possible that this tool was designed exclusively for small-scale corporate espionage operations.\r\nThis Trojan is detected by Malwarebytes Anti-Malware as ‘Trojan.Shakti’.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/"
	],
	"report_names": [
		"shakti-trojan-stealing-documents"
	],
	"threat_actors": [
		{
			"id": "f88b16bc-df4b-48e7-ae35-f4117240ff24",
			"created_at": "2022-10-25T15:50:23.556699Z",
			"updated_at": "2026-04-10T02:00:05.312313Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Chimera"
			],
			"source_name": "MITRE:Chimera",
			"tools": [
				"PsExec",
				"esentutl",
				"Mimikatz",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3da47784-d268-47eb-9a0d-ce25fdc605c0",
			"created_at": "2025-08-07T02:03:24.692797Z",
			"updated_at": "2026-04-10T02:00:03.72967Z",
			"deleted_at": null,
			"main_name": "BRONZE VAPOR",
			"aliases": [
				"Chimera ",
				"DEV-0039 ",
				"Thorium ",
				"Tumbleweed Typhoon "
			],
			"source_name": "Secureworks:BRONZE VAPOR",
			"tools": [
				"Acehash",
				"CloudDrop",
				"Cobalt Strike",
				"Mimikatz",
				"STOCKPIPE",
				"Sharphound",
				"Watercycle"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef",
			"created_at": "2022-10-25T16:07:23.455744Z",
			"updated_at": "2026-04-10T02:00:04.61281Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Bronze Vapor",
				"G0114",
				"Nuclear Taurus",
				"Operation Skeleton Key",
				"Red Charon",
				"THORIUM",
				"Tumbleweed Typhoon"
			],
			"source_name": "ETDA:Chimera",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"SkeletonKeyInjector",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434015,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9865905cc919d6728b35a243b6e7e11187be9567.pdf",
		"text": "https://archive.orkl.eu/9865905cc919d6728b35a243b6e7e11187be9567.txt",
		"img": "https://archive.orkl.eu/9865905cc919d6728b35a243b6e7e11187be9567.jpg"
	}
}