{
	"id": "8e91209c-f759-4ff9-b827-ab900fce5c45",
	"created_at": "2026-04-06T00:22:05.717584Z",
	"updated_at": "2026-04-10T03:33:45.997985Z",
	"deleted_at": null,
	"sha1_hash": "9b9b575dc4095c28cb94e02b37e00873de326151",
	"title": "APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49866,
	"plain_text": "APT Exploits Microsoft Zerologon Bug: Targets Japanese\r\nCompanies\r\nBy Elizabeth Montalbano\r\nPublished: 2020-11-19 · Archived: 2026-04-05 13:09:24 UTC\r\nThreat actors mount year-long campaign of espionage, exfiltrating data, stealing credentials and installing\r\nbackdoors on victims’ networks.\r\nChina-backed APT Cicada joins the list of threat actors leveraging the Microsoft Zerologon bug to stage attacks\r\nagainst their targets. In this case, victims are large and well-known Japanese organizations and their subsidiaries,\r\nincluding locations in the United States.\r\nResearchers observed a “large-scale attack campaign targeting multiple Japanese companies” across 17 regions\r\nand various industry sectors that engaged in a range of malicious activity, such as credential theft, data exfiltration\r\nand network reconnaissance. Attackers also installed the QuasarRAT open-source backdoor and the novel\r\nBackdoor.Hartip tool to continue surveillance on victims’ systems, according to a recent report.\r\nDue to some notable hallmark activity, the attacks appear to be the work of Cicada (aka APT10, Stone Panda,\r\nCloud Hopper), a state-sponsored threat group which has links to the Chinese government, researchers at\r\nBroadcom’s Symantec said.\r\n“This campaign has been ongoing since at least mid-October 2019, right up to the beginning of October 2020,\r\nwith the attack group active on the networks of some of its victims for close to a year,” researchers wrote in a\r\nreport posted online. 
“The campaign is very wide-ranging, with victims in a large number of regions worldwide.”\r\nA number of threat patterns and techniques observed in the campaign link the activity to Cicada, including a\r\nthird-stage DLL with an export named “F**kYouAnti;” a third-stage DLL using the CppHostCLR technique to inject\r\nand execute the .NET loader assembly; .NET loader obfuscation using ConfuserEx v1.0.0; and the delivery of\r\nQuasarRAT as the final payload.\r\nResearchers observed attackers leveraging Zerologon, or CVE-2020-1472, a Microsoft zero-day elevation-of-privilege vulnerability first disclosed and patched on Aug. 11. The flaw, which stems from the Netlogon Remote\r\nProtocol available on Windows domain controllers, allows attackers to spoof a domain controller account and then\r\nuse it to steal domain credentials, take over the domain and completely compromise all Active Directory identity\r\nservices.\r\n“Among machines compromised during this attack campaign were domain controllers and file servers, and there\r\nwas evidence of files being exfiltrated from some of the compromised machines,” researchers observed.\r\nhttps://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/\r\nPage 1 of 2\n\nZerologon has been a thorn in the side of Microsoft for some time, with multiple APTs and other attackers taking\r\nadvantage of unpatched systems. Last month Microsoft warned that the Iranian group MERCURY APT has been\r\nactively exploiting the flaw, while the Ryuk ransomware gang used it to deliver a lightning-fast attack that moved\r\nfrom initial phish to full domain-wide encryption in just five hours.\r\nGiven the length of the campaign discovered, Cicada may well be one of the earliest APT groups to take\r\nadvantage of Zerologon. The group is known for attacking targets in Japan as well as MSPs with living-off-the-land tools and custom malware. 
In the latter category, the latest campaign uses Backdoor.Hartip, which\r\nresearchers said is a brand new tool for the group.\r\nIn addition to Zerologon, attackers also extensively used DLL side-loading in the campaign, a common tactic of\r\nAPT groups that “occurs when attackers are able to replace a legitimate library with a malicious one, allowing\r\nthem to load malware into legitimate processes,” researchers said. In fact, suspicious activity surrounding DLL\r\nside-loading is what tipped Symantec researchers off to the campaign when it triggered an alert in Symantec’s Cloud\r\nAnalytics tool, they said.\r\n“Attackers use DLL side-loading to try and hide their activity by making it look legitimate, and it also helps them\r\navoid detection by security software,” according to the report.\r\nOther tools attackers leveraged in the campaign included: RAR archiving, which can transfer files to staging\r\nservers before exfiltration; WMIExec, used for lateral movement and to execute commands remotely; Certutil, a\r\ncommand-line utility that can be exploited to decode information, download files and install browser root\r\ncertificates; and PowerShell, an environment in the Windows OS that’s often abused by threat actors. The\r\ncampaign also used a legitimate cloud file-hosting service for exfiltration, researchers said.\r\nSource: https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/"
	],
	"report_names": [
		"161383"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434925,
	"ts_updated_at": 1775792025,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b9b575dc4095c28cb94e02b37e00873de326151.pdf",
		"text": "https://archive.orkl.eu/9b9b575dc4095c28cb94e02b37e00873de326151.txt",
		"img": "https://archive.orkl.eu/9b9b575dc4095c28cb94e02b37e00873de326151.jpg"
	}
}