{
	"id": "53eb0968-b716-44f4-8049-c4c2e6a280c4",
	"created_at": "2026-04-06T00:16:01.880077Z",
	"updated_at": "2026-04-10T13:11:41.078831Z",
	"deleted_at": null,
	"sha1_hash": "9c06013fd519169a0ae86c69438b59f7fb848bd9",
	"title": "Chinese APT Uses Poison Ivy Malware to Target Government | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 356346,
	"plain_text": "Chinese APT Uses Poison Ivy Malware to Target Government | Proofpoint US\r\nBy Michael Raggi and Dennis Schwarz with the Proofpoint Threat Insight Team\r\nPublished: 2019-07-23 · Archived: 2026-04-05 13:47:43 UTC\r\nOverview\r\nProofpoint researchers have identified a targeted APT campaign that utilized malicious RTF documents to deliver custom malware to unsuspecting victims. We dubbed this campaign “Operation LagTime IT” based on the entities that were targeted and the distinctive domains registered to C\u0026C IP infrastructure.\r\nBeginning in early 2019, these threat actors targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. We determined that the infection vector observed in this campaign was spear phishing, with emails originating from both free email accounts and compromised user accounts. Attackers relied on the Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT. Additionally, this APT group utilizes Poison Ivy payloads that share overlapping command and control (C\u0026C) infrastructure with the newly identified Cotx campaigns. Based on infrastructure overlaps, post-exploitation techniques, and historic TTPs utilized in this operation, Proofpoint analysts attribute this activity to the Chinese APT group tracked internally as TA428. Researchers believe that this activity has an operational and tactical resemblance to the Maudi Surveillance Operation, which was previously reported in 2013 [1].\r\nDelivery\r\nProofpoint researchers initially identified email campaigns with malicious RTF document attachments targeting East Asian government agencies in March 2019. These campaigns originated from adversary-operated free email sender accounts at yahoo[.]co[.]jp and yahoo[.]com. Sender addresses often imitated common names found in the languages of targeted entities. Spear phishing emails included malicious .doc attachments that were actually RTF files saved with .doc file extensions.\r\nThe lures used in the subjects, attachment names, and attachment content in several cases utilized information technology themes specific to Asia, such as governmental or public training documents relating to IT. On one specific occasion an email utilized the subject “ITU Asia-Pacific Online CoE Training Course on ‘Conformity \u0026 Interoperability in 5G’ for the Asia-Pacific Region, 15-26 April 2019” and the attachment name “190315_annex 1 online_course_agenda_coei_c\u0026i.doc”. The conference referenced in the lure was an actual event, likely selected due to its relevance to potential victims. This is significant as countries in the APAC region continue to adopt Chinese 5G technology in government as well as heavy equipment industries.\r\nhttps://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology\r\nPage 1 of 8\n\nFigure 1: Example lure used by TA428 referencing an APAC IT conference\r\nWe identified several government agencies targeted as part of Operation LagTime IT. These agencies are responsible for overseeing IT, scientific research, domestic affairs, foreign affairs, political processes, and financial development.\r\nExploitation\r\nAs we previously noted, the malicious RTF attachments exploited vulnerabilities in the Microsoft Equation Editor, specifically CVE-2018-0798, before downloading subsequent payloads. The exploit uses an encoded RTF object to drop a PE file to the Windows temporary directory. The dropped PE file has the distinctive file name “8.t”. When executed, it writes a Word Add-In file with the “.wll” extension to the Windows Startup directory, which runs the next time Word is opened. It should be noted that this dropper methodology is not unique to TA428 and has been identified by security researchers in campaigns related to at least four additional Chinese APT groups. RTF files leveraging this technique have historically contained the string \"objw871\\\\objh811\\\\objscalex8\\\\objscaley8\", which has been noted by researchers at Anomali [2] and FireEye. Researchers have also recently observed this RTF weaponizer tool in commodity campaigns delivering Async RAT.\r\nAfter it is executed, the .wll file renames itself as RasTls.dll. Simultaneously, it decrypts a legitimate Symantec PE binary commonly named IntelGraphicsController.exe or AcroRd32.exe. This legitimate Symantec binary is used to side-load RasTls.dll using DLL search-order hijacking, leading to the execution of the Cotx RAT malware. Once executed, RasTls.dll resolves the addresses of the DLL libraries it is programmed to access and ensures that it is only running in one of five predetermined processes. These processes are winword.exe, excel.exe, powerpnt.exe, eqnedt32.exe, and acrord32.exe. The first four of these processes are associated with Microsoft Word, Excel, and PowerPoint exploits, as well as the Equation Editor exploit used by the initial malicious RTF in this campaign. The last process is utilized as part of the loading process for Cotx RAT and involves the legitimate Symantec binary noted above. The inclusion of the processes excel.exe and powerpnt.exe suggests that this stage-one malware may be capable of utilizing .xls and .ppsx files as droppers. Researchers at SectorB06 [4] have noted this stage-one payload and indicated that throughout the above process it is running a “CheckRemoteDebuggerPresent” function to prevent analysis and debugging by researchers.\r\nMalware: Cotx RAT\r\nThe RasTls.dll contains the Cotx RAT code. The malware is written in C++ using object-oriented programming. We named it by borrowing the name of the location of its stored configuration. The encrypted configuration is stored in the side-loaded DLL file RasTls.dll in a PE section named “.cotx”. The current encrypted configuration is also stored in the registry key “HKEY_LOCAL_MACHINE\\SOFTWARE\\Intel\\Java\\user”.\r\nThe configuration data is AES-192-encrypted using CBC mode and base64-encoded. We determined that the encryption key was \"98151137ab12780969b2c3612072018709a83a3352466a8b\" (hex-encoded) and the initialization vector (IV) was “2042123224315117031b1a0a3ccda53f” (hex-encoded). In plaintext the configuration appears as follows:\r\n*\\x00\\x00\\x00217.69.8.255|||1.187.1.187|mark3|P@SSaw1||\\x00\\x00\r\nThe first four bytes contain the size of the configuration (42 bytes). The configuration is pipe-delimited:\r\n1. C\u0026C host 1\r\n2. C\u0026C host 2\r\n3. C\u0026C host 3\r\n4. Definition of two C\u0026C ports\r\n   1. An example string looks like an IP address: \"1.187.1.187\"\r\n   2. The string is split on \".\"\r\n   3. Port 1 is defined by (piece0 \u003c\u003c 8) + piece1 = (1 \u003c\u003c 8) + 187 = 443\r\n   4. Port 2 is defined by (piece2 \u003c\u003c 8) + piece3 = (1 \u003c\u003c 8) + 187 = 443\r\n   5. Alternatively, if the string is not an IP address but looks like a host, it will resolve the host into an IP address and calculate the ports using the resolved address\r\n5. \"mark\" field - sent in the C\u0026C beacon\r\n6. \"passwd\" field - sent in the C\u0026C beacon\r\n7. Proxy IP and port\r\n   1. Discovered by searching the IPv4 TCP connection table for established connections with remote ports using common proxy ports (3128, 8080, 808, 1080)\r\n   2. Or via WINHTTP_OPTION_PROXY\r\nFor persistence, Cotx stores files in a directory “Intel\\Intel(R) Processor Graphics”. The location of this folder varies among samples, with both the %AppData% and %PROGRAMFILES% directories being observed.\r\nThe command and control structure of Cotx RAT is proxy aware. It utilizes wolfSSL for TLS-encrypted communication. The initial beacon contains “|”-delimited system information. The data included in the beacon is Zlib-compressed and encrypted with AES-192 in CBC mode, utilizing the same keys as the configuration. The following values are included:\r\n- \"id\" value from the \"software\\\\intel\\\\java\" subkey\r\n- Computer name\r\n- \"mark\" field from configuration\r\n- Username\r\n- Windows version\r\n- Architecture\r\n- Possible malware version; \"0.9.7\" is hardcoded in the analyzed sample\r\n- Local IP addresses\r\n- First adapter's MAC address\r\n- Connection type (https or _proxy)\r\n- \"password\" field from configuration\r\nCommands from the C\u0026C are received from the malware beacon. This data is AES-encrypted. We observed the following commands:\r\n0 - Keep alive, sets a \"poll again\" flag and sends an empty response to C\u0026C\r\n1 - Sets \"id\" value in \"software\\\\intel\\\\java\" subkey, sends an empty response to C\u0026C\r\n2 - Get directory info or drive info\r\n5 - Open command shell\r\n6 - Open command shell as logged-in user\r\n7 - Send command to command shell\r\n8 - Copy file\r\n9 - Delete file\r\n10 - Read file\r\n11 - Check for filename. If it doesn't exist, check for filename with \".ut\" extension. If it exists, send file size back to C\u0026C\r\n12 - Write file\r\n13 - Screenshot\r\n14 - Process listing\r\n15 - Kill process\r\n16 - Send current configuration to C\u0026C\r\n17 - Update config in registry and \".cotx\" PE section\r\n18 - Set sleep time\r\n19 - Close C\u0026C comms\r\n20 - Uninstall and remove self\r\n21 - Get list of installed software\r\n22 - Kill command shell\r\n23 - Exit malware\r\n24 - Send a \"Ctrl-C\" to the command shell and exit\r\n25 - Execute an executable\r\nMalware: Poison Ivy\r\nTA428 threat actors also delivered Poison Ivy malware payloads. In a limited number of cases, we observed attachments utilizing the 8.t dropper methodology described above. However, the majority of Poison Ivy payloads were dropped as PE files named OSE.exe when the RTF attachment was executed and an Equation Editor vulnerability was successfully exploited. The Poison Ivy samples all communicated with the IP 95.179.131[.]29. Through open source research, we identified earlier variants of Poison Ivy malware that utilized the above IP, which used the file names bubbles.exe and sfx.exe. Examination of the Poison Ivy malware configurations indicated that all samples shared the password “3\u0026U\u003c9f*lZ\u003e!MIQ”, while campaign and group IDs, as well as mutexes, varied across campaigns.\r\nWe identified significant operational overlap between Cotx RAT campaigns and Poison Ivy campaigns. Specifically, on several occasions users that were unsuccessfully targeted with Cotx RAT malware were later targeted with messages distributing Poison Ivy. Users were also targeted by Poison Ivy malware on successive occasions, indicating the adversary’s persistent nature in attempting to compromise targets via spear phishing. In one example, a targeted user received an unsuccessful phishing email attempting to deliver Cotx RAT, followed by a Poison Ivy phishing email seven days later. In addition to a shared targeting list, analysts observed adversary reuse of free email sender accounts to deliver both Cotx RAT and Poison Ivy malware to different users. It appears the adversary sender accounts utilized delivery TTPs and payloads interchangeably from March through April 2019. This vacillation of tactics further reinforces Proofpoint’s classification of these campaigns under a single operation.\r\nC\u0026C Infrastructure\r\nAn examination of the separate C\u0026C infrastructure utilized by Cotx RAT and Poison Ivy payloads revealed further overlaps between these campaigns. A review of passive DNS information indicated that the C\u0026C IPs hosted subdomains that share the root domain vzglagtime[.]net. We found that the Poison Ivy C\u0026C IP hosted the domains f1news[.]vzglagtime[.]net and news[.]vzglagtime[.]net. The Cotx RAT C\u0026C IP hosted the hostname mtanews.vzglagtime[.]net. The latter of these domains was previously reported by security researchers to have been a C\u0026C address observed in a malware implant targeting the East Asian Telecommunications and Transportation sectors in January 2019. The presence of related domain registrations on disparate malware IP infrastructure also contributed to analysts’ decision to classify these campaigns collectively under Operation LagTime IT.\r\n | Poison Ivy | Cotx RAT\r\nC\u0026C IP | 95.179.131[.]29 | 217.69.8[.]255\r\nDomains Hosted by IP | f1news.vzglagtime[.]net, news.vzglagtime[.]net | mtanews.vzglagtime[.]net\r\nConclusion\r\nProofpoint analysts assess that Operation LagTime IT is likely a continuation of targeted activity by APT actors aligned with Chinese state interests. This operation, centered around East Asian governmental agencies, may represent efforts to satisfy espionage and intelligence requirements relative to China’s regional neighbors. While not revolutionary in its approach or malware design, TA428 actors demonstrated significant persistence in compromising victims and utilized custom malware. The defined scope of targeting in this operation, including government information technology agencies, demonstrates a focus on high-value targets. While ultimately the motivation for this APT campaign remains opaque, what is certain is that TA428 persists in targeting users responsible for the orchestration of governmental systems in East Asia.
\r\nReferences\r\n[1] https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/NormanShark-MaudiOperation.pdf\r\n[2] https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain\r\n[3] https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt\r\n[4] https://threatrecon.nshc.net/2019/04/30/sectorb06-using-mongolian-language-in-lure-document/\r\nIndicators of Compromise (IOCs)\r\nIOC | IOC Type | Description\r\n95.179.131[.]29 | C2 IP | Poison Ivy C2\r\n217.69.8[.]255 | C2 IP | Cotx RAT C2\r\nf1news.vzglagtime[.]net | Domain | Domain Related by IP\r\nnews.vzglagtime[.]net | Domain | Domain Related by IP\r\nmtanews.vzglagtime[.]net | Domain | Domain Related by IP\r\nET and ETPRO Suricata/Snort Signatures\r\n2836210 ETPRO TROJAN SSL/TLS Certificate Observed (SectorB06 Dropper)\r\nSource: https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology"
	],
	"report_names": [
		"chinese-apt-operation-lagtime-it-targets-government-information-technology"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6fbff48b-7a3e-4e54-ac22-b10f11e32337",
			"created_at": "2022-10-25T16:07:23.318008Z",
			"updated_at": "2026-04-10T02:00:04.539063Z",
			"deleted_at": null,
			"main_name": "APT 4",
			"aliases": [
				"APT 4",
				"Bronze Edison",
				"Maverick Panda",
				"Salmon Typhoo",
				"Sodium",
				"Sykipot",
				"TG-0623",
				"Wisp Team"
			],
			"source_name": "ETDA:APT 4",
			"tools": [
				"Getkys",
				"Sykipot",
				"Wkysol",
				"XMRig"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5d9dfc61-6138-497a-b9da-33885539f19c",
			"created_at": "2022-10-25T16:07:23.720008Z",
			"updated_at": "2026-04-10T02:00:04.726002Z",
			"deleted_at": null,
			"main_name": "Icefog",
			"aliases": [
				"ATK 23",
				"Dagger Panda",
				"Icefog",
				"Red Wendigo"
			],
			"source_name": "ETDA:Icefog",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Dagger Three",
				"Fucobha",
				"Icefog",
				"Javafog",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1",
			"created_at": "2023-01-06T13:46:39.042499Z",
			"updated_at": "2026-04-10T02:00:03.194713Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"BRONZE DUDLEY",
				"Colourful Panda"
			],
			"source_name": "MISPGALAXY:TA428",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434561,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c06013fd519169a0ae86c69438b59f7fb848bd9.pdf",
		"text": "https://archive.orkl.eu/9c06013fd519169a0ae86c69438b59f7fb848bd9.txt",
		"img": "https://archive.orkl.eu/9c06013fd519169a0ae86c69438b59f7fb848bd9.jpg"
	}
}