{
	"id": "9b2de52a-2f54-4464-9973-0a15a8bdd826",
	"created_at": "2026-04-06T00:17:53.704944Z",
	"updated_at": "2026-04-10T13:12:26.83798Z",
	"deleted_at": null,
	"sha1_hash": "9af638f0c6ac0a3f4bc0ece7767317628ce94b9e",
	"title": "In the Balkans, businesses are under fire from a double-barreled weapon",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1955560,
	"plain_text": "In the Balkans, businesses are under fire from a double-barreled weapon\r\nBy Zuzana Hromcová\r\nArchived: 2026-04-05 23:01:25 UTC\r\nWe’ve discovered an ongoing campaign in the Balkans spreading two tools having a similar purpose: a backdoor and a\r\nremote access trojan we named, respectively, BalkanDoor and BalkanRAT.\r\nBalkanRAT enables the attacker to control the compromised computer remotely via a graphical interface, i.e., manually;\r\nBalkanDoor enables them to control the compromised computer remotely via a command line, i.e., possibly en masse. ESET\r\nsecurity products detect these threats as Win{32,64}/BalkanRAT and Win32/BalkanDoor.\r\nA typical victim of this campaign, which uses malicious emails as its spreading mechanism, ends up having both these tools\r\ndeployed on the computer, each of them capable of fully controlling the affected machine. This rather uncommon setup\r\nmakes it possible for attackers to choose the most suitable method to instruct the computer to perform operations of their\r\nchoice.\r\nThe campaign’s overarching theme is taxes. With the contents of the emails, included links and decoy PDFs all involving\r\ntaxes, the attackers are apparently targeting the financial departments of organizations in the Balkans region. Thus, although\r\nbackdoors and other tools for remote access are often used for espionage, we believe that this particular campaign is\r\nfinancially motivated.\r\nThe campaign has been active at least from January 2016 to the time of writing (the most recent detections in our telemetry\r\nare from July 2019). Some parts of the campaign were briefly described by a Serbian security provider in 2016 and the\r\nCroatian CERT in 2017. Each of these sources focused only on one of the two tools and only on a single country. 
However,\r\nour research shows that there is a significant overlap in targets and also in the attackers’ tactics, techniques and procedures.\r\nOur findings show that these attacks have been orchestrated, and we consider them a single long-term campaign that\r\nspans Croatia, Serbia, Montenegro, and Bosnia and Herzegovina.\r\nOur research has also shed more light on the malware used in this campaign and provided some context. We’ve discovered a\r\nnew version of BalkanDoor with a new method for execution/installation: an exploit of the WinRAR ACE vulnerability\r\n(CVE-2018-20250). Furthermore, we’ve seen both malicious tools digitally signed with various certificates the developers\r\npaid for to add perceived legitimacy. One of them, issued to SLOW BEER LTD, was even valid at the time of writing;\r\nwe’ve notified the issuer about the misuse and they revoked the certificate.\r\nIn this article, we will describe some notable features of both BalkanDoor and BalkanRAT. Our analysis shows that the\r\nformer runs as a Windows service, which allows it to unlock the Windows logon screen remotely and without the password\r\nor start a process with the highest possible privileges. The latter misuses a legitimate remote desktop software (RDS)\r\nproduct and uses extra tools and scripts to hide its presence from the victim, such as hiding the window, tray icon, process\r\nand so on.\r\nTargets and distribution\r\nBoth BalkanRAT and BalkanDoor have been spread in Croatia, Serbia, Montenegro, and Bosnia and Herzegovina. (These\r\ncountries, along with Slovenia and former Macedonia, formed the country of Yugoslavia until 1992.)\r\nhttps://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/\r\nPage 1 of 18\n\nFigure 1. 
Malware distribution by country\r\nAccording to our telemetry, the campaign spreading these tools has been live since 2016, with the most recent detections as\r\nlate as July 2019.\r\nThe attackers have been distributing their tools via malicious emails (“malspam”) with links leading to a malicious file.\r\nThe links included in the malspam emails used for distribution of both BalkanRAT and BalkanDoor mimic legitimate\r\nwebsites of official institutions.\r\nTable 1. Domains misused in the campaign\r\nMalicious domain | Real domain | Institution\r\npksrs[.]com | pks.rs | Chamber of Commerce and Industry of Serbia\r\nporezna-uprava[.]com | porezna-uprava.hr | Ministry of Finance of Croatia, Tax Administration\r\nporezna-uprava[.]net | porezna-uprava.hr | Ministry of Finance of Croatia, Tax Administration\r\npufbih[.]com | pufbih.ba | Tax Administration of the Federation of Bosnia and Herzegovina\r\nThe decoy PDFs revolve around the tax theme.\r\nTable 2. Decoy PDFs used in the campaign\r\nPDF name | Language | Content\r\nMIP1023.pdf | Bosnian | Tax form\r\nPonovljeni-Stav.pdf | Bosnian | Tax law\r\nAUG_1031.pdf | Bosnian | Instructions for using tax filing application\r\nZakon.pdf | Croatian | Tax law\r\nZPDG.pdf | Serbian | Tax law\r\nFigure 2. Decoy PDF documents\r\nMost often, the links leading to an executable file are disguised as links to a PDF. The executable file is a WinRAR self-extractor with its name and icon changed to resemble a PDF to fool the user. 
When executed, it is configured to unpack its\r\ncontent, open the decoy PDF to prevent any suspicion - and silently execute either BalkanRAT or BalkanDoor.\r\nIn some of the latest samples of BalkanDoor detected in 2019, the malware is distributed as an ACE archive, disguised as a\r\nRAR archive (i.e., not an executable file), specially crafted to exploit the WinRAR ACE vulnerability (CVE-2018-20250).\r\nThis vulnerability, which was remediated in version 5.70 released on February 28th, 2019, is known to have been\r\nexploited quite often to distribute malware.\r\nThe exploit-based deployment of BalkanDoor is stealthier than in previous versions of the malware because it does not\r\nrequire executing the downloaded file – an operation that might raise the intended victim’s suspicions.\r\nThe campaign\r\nAccording to our telemetry, most of the time, both tools have been deployed on the same machine. The combination of the\r\ntools gives the attacker both a command-line interface and a graphical interface to the compromised computer.\r\nIn the case of the whole toolset being deployed on the machine, here is an example scenario for the attack:\r\nThe attacker detects that the victim has the screen locked and thus, most probably, is not using the computer (either via\r\nBalkanDoor sending a screenshot showing that the computer is locked, or via the View Only mode of BalkanRAT). Via the\r\nBalkanDoor backdoor, the attacker sends a backdoor command to unlock the screen… and using BalkanRAT, they can do\r\nwhatever they want on the computer.\r\nHowever, even if the victim does not use the computer, the chance of spotting the actions performed by the attackers is still\r\nthere. Even with this disadvantage, using the RDS tool may be useful. 
The attackers are not limited by the commands\r\nshipped in the backdoor, or by their programming skills: manually, they can perform actions that would require writing a lot\r\nof code if a backdoor were the only tool available.\r\nIn principle, the Balkan- toolset could be used for espionage, among other possible goals. However, not only the campaign’s\r\ntargets and distribution, but also our analysis of the Balkan- toolset tools show that the attackers are going after money\r\ninstead of espionage.\r\nThe BalkanDoor backdoor does not implement any exfiltration channel. Presumably, if the campaign were intended for\r\nespionage, the attackers would need an exfiltration channel for uploading the collected data – at least as a backup to manual\r\nexfiltration, which might not always be an option.\r\nOn the contrary – and supporting the notion that the attackers’ goal has been to commit some financial crime – we’ve seen\r\nBalkanRAT dropping a tool that can list available smart cards, via the SCardListReadersA/SCardConnectA API functions.\r\nSmart cards are usually issued by banks or governments for confirmation of the holder’s identity. If misused, smart cards can\r\nfacilitate illegal/fraudulent activities, e.g. digitally signing a contract, validating a money transaction etc.\r\nIn the past, we’ve seen this feature in Operation Buhtrap, a campaign targeting Russian banks.\r\nAnalysis - BalkanDoor\r\nBalkanDoor is a simple backdoor with a small number of commands (download and execute a file, create a remote shell,\r\ntake a screenshot). It can be used to automate tasks on the compromised computer or to automatically control several\r\naffected computers at once. 
We have seen six versions of the backdoor, with a range of supported commands, evolve since\r\n2016.\r\nThe initial dropper unpacks all its components, opens a decoy PDF (in some cases) and executes a batch installation script\r\nthat ensures persistence of the backdoor.\r\nThe backdoor registers itself as a service, under a legitimate-looking service name (e.g. WindowsSvc, WindowsPrnt,\r\nWindowsConn or WindowsErr); the accompanying batch scripts can further ensure persistence by using Registry Run Keys\r\nor the Startup folder.\r\nAfter the backdoor is installed, the computer connects to a C\u0026C server, identifying itself by the computer name and\r\nrequesting commands. The backdoor can connect to any of the C\u0026Cs from a hardcoded list – a measure to increase\r\nresilience. It connects via the HTTP or HTTPS protocol; if HTTPS is used, then the server certificates are ignored.\r\nIf the connection is not successful, the backdoor is capable of using the user-configured proxy on the victim’s computer and\r\nrepeating the connection attempt.\r\nThe backdoor commands come in the form of an INI file, with properties determining the commands, command arguments\r\nand intended recipients. Specifying the list of recipients allows the attacker to send their commands to several compromised\r\ncomputers at once, e.g. to take screenshots of all compromised computers automatically.\r\nTable 3. 
BalkanDoor’s commands\r\nCommands | Functionality\r\ncn | Specifies computer name(s) of the intended recipients of the commands\r\ndu, int | Download and execute a file\r\ndu, ra, de, rpo | Download and execute a file, in the specified context and on a specified desktop\r\nrip | Create a remote shell accessible from the specified IP address\r\nscr_int, scr_dur | Capture a series of screenshots of the specified duration\r\nFurthermore, the backdoor itself can be executed in several modes, determined by the command-line arguments with which\r\nit is executed. These modes themselves can serve as backdoor commands (when executed from the remote shell):\r\nTable 4. BalkanDoor’s modes\r\nArgument | Functionality\r\n/unlock | Unlocks the screen\r\n/rcmd | Creates a remote shell and redirects its input/output to the specified IP address\r\n/takescr | Captures a series of screenshots, duration determined by other arguments\r\n/run | Executes the specified command using cmd.exe\r\n/runx | Executes the specified command using cmd.exe, on the active (input) desktop\r\n/inst | Installs itself as a service and starts the main procedure (see /nosvc)\r\n/start | Starts the associated service, which starts the main procedure (see /nosvc)\r\n/nosvc | Main payload, communicates with C\u0026C and interprets backdoor commands\r\nAmong the BalkanDoor capabilities, the most notable is passwordless screen-unlocking.\r\nThis feature comes in handy to the attackers in cases when a logged-in user locks the computer. The “Lock screen” is just\r\nanother Desktop for the system, so any malware with the necessary privileges can switch to a real desktop by command. No\r\npassword is required to perform this operation.\r\nFigure 3. 
Code responsible for unlocking the computer when the backdoor is executed remotely with a “/unlock” argument\r\nAnalysis - BalkanRAT\r\nThe BalkanRAT part of the malicious Balkan- toolset is more complex than its backdoor accomplice. Its goal is to\r\ndeploy a copy of the Remote Utilities software, which is commercial software by a Russian vendor, Remote Utilities, LLC,\r\nused for remote access to a computer or for remote administration. BalkanRAT also provides the attacker with the\r\ncredentials needed for this remote access.\r\nBalkanRAT has several additional components to help load, install and conceal the existence of the RDS. They can add\r\nexceptions to the firewall, hide the RDS’s window and its tray icon, and hide the presence of related processes in the task\r\nmanager.\r\nFigure 4. Components used in the campaign to deploy and hide the presence of the RDS\r\n1. The dropper first unpacks all components: a configuration file, the remote desktop software and a core component\r\ninstalling it, a userland rootkit, a GUI hider and a decoy PDF file.\r\n2. The dropper opens the PDF file so as not to arouse the suspicion of the user.\r\n3. Covertly, the dropper executes the core component (32-bit) in installation mode.\r\n4. The core component (32-bit) installs itself to be executed with each start, and adds an exception to the firewall for the\r\nRDS. It executes commands inst1 and inst2 specified in the configuration file, and executes itself again, now in\r\nstealth mode.\r\n5. In this mode, the core component acts like a keylogger.\r\n6. The core component (32-bit) executes the 64-bit version of itself, in injection mode (if applicable).\r\n7. The core component (64-bit) injects the userland rootkit (64-bit) into task manager processes. The userland rootkit\r\nthen hides the presence of the malicious processes in the task manager.\r\n8. 
The core component (32-bit) executes the RDS. It repeatedly monitors and hides the RDS window (because it is a\r\nGUI application).\r\n9. The core component (32-bit) injects the userland rootkit (32-bit) into task manager processes. The userland rootkit\r\nthen hides the presence of the malicious processes in the task manager.\r\n10. The core component (32-bit) executes commands cmd1 and cmd2, as specified in the configuration file. One such\r\ncommand was seen executing a GUI hider, which is an AutoHotKey script hiding the tray icon of the RDS.\r\nNote: Some components are optional. Also, sometimes they are deployed as a set comprising an encrypted payload and the\r\ncorresponding loader. We are omitting these details.\r\nThe configuration file of BalkanRAT is in INI file format (similarly to BalkanDoor, which uses this format for backdoor\r\ncommands), with one section named [CFG]. The INI file is used by the malware’s core component and the userland rootkit.\r\nProperty | Functionality\r\ninst1, inst2 | Commands executed by the core component during installation\r\ncmd1, cmd2 | Commands executed by the core component main payload\r\nhproc | List of processes that should be hidden by the userland rootkit\r\nmproc | List of processes into which the userland rootkit is injected\r\nFigure 5. BalkanRAT’s configuration file – properties (top) and example (below)\r\nBalkanRAT’s core is a multipurpose component (there are both 32-bit and 64-bit versions); it can be executed in various\r\nmodes, determined by the command-line argument. 
Most significantly, it is used for installation of BalkanRAT, launching a\r\nuserland rootkit and adding exceptions for the RDS component in the firewall.\r\nTable 5. BalkanRAT’s core component – supported functionality\r\nArgument | Functionality\r\n/rhc | Executes a batch file\r\n/fwl | Adds an exception to the firewall for the specified program\r\n/sreg | Sets configuration data for the RDS in the registry (especially the email address where the credentials should be sent)\r\n/inst | Ensures persistence by adding itself to the [HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows] registry key under the “load” entry. Adds an exception for the RDS to the local firewall. Executes itself again in the main mode (no arguments).\r\n/inj | Injects the userland rootkit library into processes, as specified in the configuration file\r\n(none) | Main mode. Executes the 64-bit version of itself (if applicable), injects the userland rootkit, executes the RDS and hides the window by changing its coordinates to values outside the screen. Another thread captures pressed keystrokes.\r\nThe main part of the BalkanRAT malware is a copy of the Remote Utilities software for remote access. Instead of using the\r\nofficial version, BalkanRAT deploys a copy signed by a certificate of the attacker.\r\nThe client side of the RDS running on the victim’s computer must know the unique ID and the password, both generated on\r\nthe server side, to connect to the server. 
The RDS deployed by BalkanRAT is configured in such a way that the password is\r\nthe same for all victims, and the generated unique ID is sent to the attacker’s email address by the tool itself.\r\nSince the tool BalkanRAT misuses is legitimate, it leverages the genuine Remote Utilities infrastructure for this\r\ncommunication (rutils.com, server.rutils.com); due to this, the communication may seem legitimate to the user - and to\r\nsecurity products.\r\nAs a result, the attacker has obtained credentials to access the compromised computer via the Remote Utilities software.\r\nUsing this tool, they can broadcast the screen to monitor the activity of the user and manually take over the compromised\r\ncomputer.\r\nFigure 6. A window the victim never sees. With a legitimate copy of Remote Utilities, this window is visible; however,\r\nBalkanRAT will hide it using the GUI hider feature.\r\nTo remain stealthy, BalkanRAT uses the GUI hider feature. In most samples (some older ones are exceptions), it is\r\nimplemented as an AutoHotKey script, compiled into an executable file so that it can be run on a computer even if\r\nAutoHotKey is not installed there. The purpose of this script is to hide the tray icon of the RDS client.\r\nFigure 7. AutoHotKey script embedded in the resource section of the executable\r\nAnother notable feature used by BalkanRAT to stay hidden is the ability to hide processes from the user.\r\nTo achieve this, userland rootkit libraries are injected into processes hardcoded in the configuration file. The userland rootkit\r\nhooks the NtQuerySystemInformation function for the process in which it is injected. In case SystemProcessInformation is\r\nqueried, it filters out all entries for processes with the names specified in the configuration file. 
As a result, conventional task\r\nmanager utilities will not display the processes the attackers want to keep hidden from the user.\r\nFigure 8. With the userland rootkit injected, some processes are missing in the list (left). Without the rootkit, the processes\r\nare visible (right).\r\nNaturally, the list of processes that will be hidden contains mostly ones belonging to BalkanRAT. However, we have also\r\nseen names like “weather.exe” or “preserve.exe” in the list - which belong to the BalkanDoor backdoor. This finding\r\nsupports the belief that these two tools are indeed used together.\r\nConclusion\r\nBoth BalkanRAT and BalkanDoor have some interesting tricks up their sleeves and each of them separately poses a\r\nsignificant risk to the victims. If used together as a toolset, they make an even more powerful weapon – the campaign we\r\nhave discovered targets accounting, a function that is critical for organizations.\r\nThe campaign targeting accountants in the Balkans shows some similarities (in terms of modus operandi) with a campaign\r\naimed at Ukrainian notaries reported in 2016. (The only source we have been able to find describing it is in Russian.) 
In that\r\ncase, the attackers’ goal was to take control over a notary’s computer and issue some illegal operation on behalf of the\r\nnotary.\r\nJust as attackers may confirm a fraudulent transaction on behalf of a notary, they may perform a fraudulent transaction while\r\nimpersonating a manager in a company’s financial department.\r\nTo stay safe, business users – and their employers – should follow basic cybersecurity rules: be cautious about emails and\r\nscrutinize their attachments and links, keep their software updated and use a reputable security solution.\r\nIndicators of Compromise (IoCs)\r\nESET detection names\r\nWin32/BalkanDoor.A\r\nWin32/BalkanDoor.B\r\nWin32/BalkanRAT.A\r\nWin32/BalkanRAT.B\r\nWin64/BalkanRAT.A\r\nWin64/BalkanRAT.B\r\nSHA-1\r\nBalkanDoor – executable files\r\nBalkanRAT – executable and auxiliary files\r\nRemote Utilities (otherwise legitimate releases signed by attackers’ certificates)\r\nScripts\r\nConfiguration files\r\nDecoy PDF files\r\nMisused certificates\r\nName | Email | Valid from | Valid to | SHA1 Thumbprint | Status at the time of writing\r\nAMO-K Limited Liability Company | llc.amo-k@list.ru | 2015/07/30 | 2016/07/28 | 4E36C4D10F1E3D820058E4D451C4A7B77856BDB3 | Expired\r\nValmpak, TOV | tov-valpak@mail.ru | 2016/04/10 | 2017/04/01 | 17D50E2DBBAF5F8F60BFFE1B90F4DD52FDB44A09 | Revoked\r\nValmpak, TOV | - | 2016/08/22 | 2017/11/04 | 4A362020F1AFD3BD0C67F12F55A5754D2E70338C | Revoked\r\n3D PEOPLE LIMITED | - | 2017/11/05 | 2018/11/06 | 936EDFB338D458FBACB25FE557F26AA3E101506E | Expired\r\nADUNIK LTD | - | 2017/10/11 | 2018/10/12 | E7DF448539D1E2671DCF787CF368AAC2ED8F5698 | Expired\r\nSLOW BEER LTD | administrator@slowbeerltd.info | 2019/01/25 | 2019/12/18 | 2359D644E48759F43993D34885167FECAFD40022 | Revoked\r\nFile names\r\nBalkanDoor\r\nDropper: Zakon.exe\r\nBackdoors: weather.exe, winmihc.exe, Preserve.exe, PreservS.exe, WindowsConnect.exe\r\nScripts: weather.cmd, winmihc4.cmd, mihcupdate.cmd\r\nDecoy PDF file: Zakon.pdf\r\nBalkanRAT\r\nDroppers: ZPDGI.exe, ZPDGV.exe, ZPDGE.exe, ZPDGO.exe, ZPDGU.exe, ZPDGA.exe, Ponovljeni-Stav.exe,\r\nAUG_1031.exe, MIP1023.exe\r\nConfiguration file: stg.cfg\r\nDecoy PDF files: ZPDG.pdf, Ponovljeni-Stav.pdf, AUG_1031.pdf, MIP1023.pdf\r\nCore component: winchk32.exe, wininit.exe, hide.exe, winchk64.exe\r\nRDS: rutserv.exe, rfusclient.exe\r\nUserland rootkit: winmmon.dll, winmmon64.dll\r\nGUI hider components: serk.bat, serk.exe\r\nFolder names\r\nC\u0026C 
servers\r\nEmail addresses used to exfiltrate Remote Utilities credentials\r\nMITRE ATT\u0026CK techniques\r\nBalkanRAT\r\nTactic | ID | Name | Description\r\nInitial Access | T1192 | Spearphishing Link | BalkanRAT is distributed via emails that contain links to malware.\r\nExecution | T1059 | Command-Line Interface | BalkanRAT uses cmd.exe to execute files.\r\nExecution | T1106 | Execution through API | BalkanRAT uses ShellExecuteExW and LoadLibrary APIs to execute other malware components.\r\nExecution | T1064 | Scripting | BalkanRAT uses batch scripts for malware installation and execution.\r\nExecution | T1204 | User Execution | BalkanRAT relies on the victim to execute the initial infiltration. The malware is disguised as PDF documents with misleading names, in order to entice the intended victim to click on it.\r\nPersistence | T1060 | Registry Run Keys / Startup Folder | BalkanRAT uses the following Registry Run key to establish persistence: [HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows], “load”.\r\nPrivilege Escalation | T1134 | Access Token Manipulation | BalkanRAT is able to impersonate the logged-on user using DuplicateTokenEx or ImpersonateLoggedOnUser APIs.\r\nDefense Evasion | T1116 | Code Signing | BalkanRAT is digitally signed with code-signing certificates.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | BalkanRAT decrypts and decompresses some of its components.\r\nDefense Evasion | T1089 | Disabling Security Tools | BalkanRAT is capable of adding exceptions to the local firewall, using its COM interface.\r\nDefense Evasion | T1112 | Modify Registry | BalkanRAT modifies the [HKEY_CURRENT_USER\\Software\\Usoris\\Remote Utilities\\Server\\Parameters] registry key to store the configuration of the RDS.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | Some components of BalkanRAT are compressed and then encrypted by an XOR cipher.\r\nDefense Evasion | T1055 | Process Injection | BalkanRAT injects a userland rootkit library into processes of task manager utilities.\r\nDefense Evasion | T1108 | Redundant Access | Operators of BalkanRAT have been seen deploying a second malicious tool (BalkanDoor) to preserve remote access in case BalkanRAT is removed.\r\nDefense Evasion | T1014 | Rootkit | BalkanRAT uses a userland rootkit that hooks the NtQuerySystemInformation function to hide the presence of malicious processes.\r\nDefense Evasion | T1143 | Hidden Window | BalkanRAT uses third-party remote desktop software and hides its window and tray icon in order to hide it from the user.\r\nDiscovery | T1082 | System Information Discovery | BalkanRAT collects the computer name and the language settings from the compromised machine.\r\nCollection | T1056 | Input Capture | BalkanRAT is capable of logging pressed keystrokes.\r\nCommand and Control | T1219 | Remote Access Tools | BalkanRAT has misused legitimate remote desktop software for remote access.\r\nBalkanDoor\r\nTactic | ID | Name | Description\r\nInitial Access | T1192 | Spearphishing Link | BalkanDoor is distributed via emails that contain links to download malware.\r\nExecution | T1059 | Command-Line Interface | BalkanDoor uses cmd.exe to create a remote shell.\r\nExecution | T1106 | Execution through API | BalkanDoor uses ShellExecuteExW and LoadLibrary APIs to execute files.\r\nExecution | T1203 | Exploitation for Client Execution | BalkanDoor can be distributed as an ACE archive disguised as a RAR archive, exploiting the CVE-2018-20250 vulnerability in WinRAR to execute malicious code.\r\nExecution | T1064 | Scripting | BalkanDoor uses batch scripts for malware installation and execution.\r\nExecution | T1035 | Service Execution | BalkanDoor’s backdoor can be executed as a service.\r\nExecution | T1204 | User Execution | BalkanDoor relies on the victim to execute the initial infiltration. The malware is disguised as PDF documents or RAR archives with misleading names, in order to entice the intended victim to click on it.\r\nPersistence | T1050 | New Service | BalkanDoor can be installed as a new service, mimicking legitimate Windows services.\r\nPersistence | T1060 | Registry Run Keys / Startup Folder | BalkanDoor can be installed in the Registry Run key, or dropped in the Startup folder.\r\nPrivilege Escalation | T1134 | Access Token Manipulation | BalkanDoor is able to create a process under the security context of a different user, using DuplicateTokenEx, SetTokenInformation or CreateProcessAsUserW APIs.\r\nDefense Evasion | T1116 | Code Signing | BalkanDoor is digitally signed with code-signing certificates.\r\nDefense Evasion | T1107 | File Deletion | BalkanDoor deletes files with backdoor commands after the commands have been executed.\r\nDefense Evasion | T1158 | Hidden Files and Directories | BalkanDoor sets attributes of its files to HIDDEN, SYSTEM and READONLY.\r\nDefense Evasion | T1036 | Masquerading | BalkanDoor can be installed as a service with names mimicking legitimate Windows services.\r\nDefense Evasion | T1108 | Redundant Access | Operators of BalkanDoor have been seen deploying a second malicious tool (BalkanRAT) to preserve remote access in case BalkanDoor is removed.\r\nDiscovery | T1082 | System Information Discovery | BalkanDoor collects the computer name from the compromised machine.\r\nCollection | T1113 | Screen Capture | BalkanDoor can capture screenshots of the compromised machine.\r\nCommand and Control | T1043 | Commonly Used Port | BalkanDoor uses ports 80 and 443 for C\u0026C communication.\r\nCommand and Control | T1090 | Connection Proxy | BalkanDoor is capable of identifying a configured proxy server if one exists and then using it to make HTTP requests.\r\nCommand and Control | T1008 | Fallback Channels | BalkanDoor can 
communicate\r\nover multiple C\u0026C hosts.\r\nT1071\r\nStandard\r\nApplication\r\nLayer Protocol\r\nBalkanDoor uses HTTP or\r\nHTTPS for network\r\ncommunication.\r\nSource: https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/\r\nhttps://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/\r\nPage 18 of 18",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/"
	],
	"report_names": [
		"balkans-businesses-double-barreled-weapon"
	],
	"threat_actors": [
		{
			"id": "01d569b1-f089-4a8f-8396-85078b93da26",
			"created_at": "2023-01-06T13:46:38.411615Z",
			"updated_at": "2026-04-10T02:00:02.963422Z",
			"deleted_at": null,
			"main_name": "BuhTrap",
			"aliases": [],
			"source_name": "MISPGALAXY:BuhTrap",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb",
			"created_at": "2022-10-25T16:07:23.427162Z",
			"updated_at": "2026-04-10T02:00:04.594113Z",
			"deleted_at": null,
			"main_name": "Buhtrap",
			"aliases": [
				"Buhtrap",
				"Operation TwoBee",
				"Ratopak Spider",
				"UAC-0008"
			],
			"source_name": "ETDA:Buhtrap",
			"tools": [
				"AmmyyRAT",
				"Buhtrap",
				"CottonCastle",
				"FlawedAmmyy",
				"NSIS",
				"Niteris EK",
				"Nullsoft Scriptable Install System",
				"Ratopak"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434673,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9af638f0c6ac0a3f4bc0ece7767317628ce94b9e.pdf",
		"text": "https://archive.orkl.eu/9af638f0c6ac0a3f4bc0ece7767317628ce94b9e.txt",
		"img": "https://archive.orkl.eu/9af638f0c6ac0a3f4bc0ece7767317628ce94b9e.jpg"
	}
}