{
	"id": "53054202-3697-4011-af43-92cf580c43b0",
	"created_at": "2026-04-06T00:14:54.438725Z",
	"updated_at": "2026-04-10T13:11:38.888317Z",
	"deleted_at": null,
	"sha1_hash": "99866d9171664e7c7a58962b943161b25a7e0624",
	"title": "New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 820038,
	"plain_text": "New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists\r\nBy Micah Yates, Mike Scott, Brandon Levene, Jen Miller-Osborn\r\nPublished: 2016-04-22 · Archived: 2026-04-05 17:29:23 UTC\r\nMalware writers have always sought to develop feature-rich, easy-to-use tools that are also somewhat hard to detect via both host- and network-based detection systems. For many years, one of the go-to families of malware used by both less-skilled and advanced actors has been the Poison Ivy (aka PIVY) RAT. Poison Ivy has a convenient graphical user interface (GUI) for managing compromised hosts and provides easy access to a rich suite of post-compromise tools. It is no surprise it’s now being used against pro-democracy organizations and supporters in Hong Kong, which have long been a target of advanced attack campaigns.\r\nDespite its simplicity and prevalence, detection rates for both AV and IDS systems have always been surprisingly low for Poison Ivy. Possibly for these reasons, since the mid-2000s threat actors have frequently used Poison Ivy to establish beachheads within target organizations, although this occurs much less frequently today than in years past. Since the last public release of version 2.3.2 in 2008, new variants of the tool have been relatively rare, especially versions which modify the core communication protocols.\r\nUnit 42 observed a new version of Poison Ivy which uses the popular search order hijacking, also known as “DLL Sideloading,” technique frequently seen in malware such as PlugX. The Poison Ivy builder has an output format option of either PE file or shellcode, and in this case the backdoor was built as shellcode and then obfuscated to help prevent detection. 
While analyzing the sample, we also observed a modified network communication protocol which will be discussed in this blog.\r\nSPIVY\r\nIn March, Unit 42 observed this new Poison Ivy variant, which we’ve named SPIVY, being deployed via weaponized documents leveraging CVE-2015-2545. All of the decoy document themes involved recent Hong Kong pro-democracy events. In all of the samples we’ve found to date the exploit drops a self-extracting RAR which contains three files:\r\nexe - a legitimate, signed executable which is used to side-load the malware DLL\r\ndll - the malware DLL loaded by RasTls.exe, which then loads the Poison Ivy shellcode file\r\nhlp - the encoded shellcode Poison Ivy backdoor.\r\nBoth identified C2 domains are third-level domains under leeh0m[.]org, which was created in late February 2016, less than a month before the attacks.\r\nhttps://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/\r\nPage 1 of 8\n\nFigure 1. Malicious RARs and the three files within\r\nIn addition to the new variant we discovered, Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC) published a blog last July on a different new variant. That variant is also side-loaded from a legitimate executable and stub DLL, but the shellcode isn’t encoded the same way as SPIVY. JPCERT/CC didn’t comment on who was being targeted in their blog, but it is notable that two distinct Poison Ivy variants have recently appeared, several years after the tool largely fell out of common use by advanced actors.\r\nSPIVY Analysis\r\nWe believe the samples dropped have a direct connection to older Poison Ivy RATs based on the behaviors and code reuse present in the shellcode loaded by the samsung.hlp file within the RAR. Once decoded, the shellcode is launched by ssMUIDLL.dll.\r\nFigure 2. 
The encoded shellcode is decoded with a single-byte addition of 0x99, an XOR with 0xD4, then a subtraction of 0x33.\r\nThe SPIVY RAT uses the same API call table generation historically used by Poison Ivy. Shown below is a comparison of a PIVY sample from 2008 (left) and our newer SPIVY sample (right). Both have the exact same API call table function.\r\nFigure 3. PIVY sample from 2008 and SPIVY variant with the same API call table function.\r\nUnlike previous versions of Poison Ivy, which use a fixed 256-byte challenge-response handshake, this new version generates a payload that has been prepended with anywhere from 1 to 16 bytes of pseudo-random data (plus control bytes), the first byte of which gives the length of the padding before the start of the 256-byte handshake. In the example below the first byte (0x09) tells the Poison Ivy controller to ignore the following 9 bytes (which were nulled out below for illustration purposes), plus one more byte which holds the first byte multiplied by 2 (0x09 x 2 = 0x12). Two control bytes, plus the 9 random bytes, plus the 256-byte handshake gives us 267 total bytes. The Poison Ivy protocol has been very well documented in previous research by Conix Security and others, and in these samples the remainder of the protocol remains unchanged.\r\nFigure 4. 
SPIVY’s new challenge-response.\r\nWe saw two Poison Ivy configurations with our samples, shown below.\r\nSHA256: 9c6dc1c2ea5b2370b58b0ac11fde8287cd49aee3e089dbdf589cc8d51c1f7a9e\r\nPassword: bqesid#@\r\nC2 domain: found.leeh0m[.]org\r\nC2 port: 443\r\nMutex: 40EM76iR9\r\nID: 03-18\r\nGroup: 03-18\r\nSHA256: 4d38d4ee5b625e09b61a253a52eb29fcf9c506ee9329b3a90a0b3911e59174f2\r\nPassword: bqesid#@\r\nC2 domain: sent.leeh0m[.]org\r\nC2 port: 443\r\nMutex: 40EM76iR9\r\nID: 03-07\r\nGroup: 03-07\r\nDecoy Documents\r\nDecoy documents are a common technique used by many actors to trick victims into believing they have opened legitimate files from spear phishing e-mails. The attacker sends a malicious file which infects the host with malware and then displays a clean document which contains content the victim is expecting to see.\r\nThe decoy documents associated with SPIVY are notable because they reference very specific recent events and organizations not widely publicized or known outside of the Hong Kong region and the pro-democracy movement. In addition, all appear to be legitimate invitations to actual events in Hong Kong. One of the decoys purports to be from Joshua Wong, announcing a press conference about ending the Scholarism group to start a progressive democratic political party, Demosistō, in March 2016. Joshua Wong is a well-known Hong Kong activist who was one of the founders of the group and is the current Secretary-General for the political party. Scholarism centered around concerns about Hong Kong’s Department of Education adding a mandatory course for all secondary-school students on “moral and national education”. Scholarism was successful in stopping the course and its members desired to shift into a political party to effect further change.\r\nFigure 5. 
Invitation to press conference about disbanding Scholarism and establishing a political party.\r\nAnother decoy concerns the Mong Kok riot that took place February 8, 2016, the first day of the Lunar New Year. It purports to be from the Justice \u0026 Peace Commission of the Hong Kong Catholic Diocese and calls for the government to establish an independent commission to investigate the cause of the riots and for parishes to establish booths throughout April staffed with church members advertising this. The riots were officially written off as being caused by a crackdown on unlicensed street vendors, but the decoy claims it’s instead a sign of continued civil unrest and dissatisfaction with the government in Hong Kong.\r\nFigure 6. Decoy allegedly from the Justice \u0026 Peace Commission of the Hong Kong Catholic Diocese\r\nThe final decoy is an invitation to an April 4, 2016 wreath-laying event held by the Hong Kong Alliance in Support of Patriotic Democratic Movements of China. The event commemorated the 28th anniversary of the Tiananmen Square massacre and related events, information to which China heavily censors access for mainland Chinese citizens.\r\nFigure 7. Decoy for an April 4, 2016 wreath-laying event commemorating the Tiananmen Square massacre held by the Hong Kong Alliance in Support of Patriotic Democratic Movements of China.\r\nConclusion\r\nThe venerable Poison Ivy has been revamped and used to continue targeted attacks against pro-democracy activists in Hong Kong. It’s fairly common to see actors retool malware to make it harder to detect, though it was rarely seen before with Poison Ivy. 
The updated execution and communications mechanisms of SPIVY offer insight into the ever-changing tools, techniques, and practices of targeted attackers. Unit 42 will continue to follow these attacks and any new Poison Ivy variants and provide updates as we uncover new information. This recent campaign clearly demonstrates that an old dog can learn new tricks.\r\nPro-democracy activists in Hong Kong have increasingly been targeted by APT campaigns. Below are links to several related reports from different researchers. We don't necessarily link the activity in this blog to any of the specific campaigns cited in the links; instead, they are provided for situational awareness.\r\nOctober 2014 blog from Volexity titled \"Democracy in Hong Kong Under Attack\"\r\nJune 2015 blog from Citizen Lab titled \"Targeted Attacks against Tibetan and Hong Kong Groups Exploiting CVE-2014-4114\"\r\nDecember 2015 blog from FireEye titled \"China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets\"\r\nApril 2016 blog from Citizen Lab titled \"Between Hong Kong and Burma: Tracking UP007 and SLServer Espionage Campaigns\"\r\nPalo Alto Networks customers can identify SPIVY command and control traffic using Threat Prevention signature ID and AutoFocus users can track this family using the SPIVY tag.\r\nIOCs\r\nWeaponized EPS Docs:\r\n13bdc52c2066e4b02bae5cc42bc9ec7dfcc1f19fbf35007aea93e9d62e3e3fd0\r\n4d38d4ee5b625e09b61a253a52eb29fcf9c506ee9329b3a90a0b3911e59174f2\r\n9c6dc1c2ea5b2370b58b0ac11fde8287cd49aee3e089dbdf589cc8d51c1f7a9e\r\nLoader Files\r\nRasTls.exe - legitimate, signed binary that is used in the sideloading process\r\n0191cb2a2624b532b2dffef6690824f7f32ea00730e5aef5d86c4bad6edf9ead\r\nssMUIDLL.dll - 7a424ad3f3106b87e8e82c7125834d7d8af8730a2a97485a639928f66d5f6bf4\r\nPoison Ivy shellcode 
files\r\nc707716afde80a41ce6eb7d6d93da2ea5ce00aa9e36944c20657d062330e13d8\r\n0414bd2186d9748d129f66ff16e2c15df41bf173dc8e3c9cbd450571c99b3403\r\nC2 Domains\r\nsent.leeh0m[.]org\r\nfound.leeh0m[.]org\r\nSource: https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/"
	],
	"report_names": [
		"unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists"
	],
	"threat_actors": [],
	"ts_created_at": 1775434494,
	"ts_updated_at": 1775826698,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99866d9171664e7c7a58962b943161b25a7e0624.pdf",
		"text": "https://archive.orkl.eu/99866d9171664e7c7a58962b943161b25a7e0624.txt",
		"img": "https://archive.orkl.eu/99866d9171664e7c7a58962b943161b25a7e0624.jpg"
	}
}