{
	"id": "731ff89d-2473-41f6-a29a-10a7b1a21221",
	"created_at": "2026-04-06T01:32:36.435688Z",
	"updated_at": "2026-04-10T13:12:26.044737Z",
	"deleted_at": null,
	"sha1_hash": "9e4ff8db1dfccae167b1c25847bf495978896b59",
	"title": "New “CleverSoar” Installer Targets Chinese and Vietnamese Users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 561918,
	"plain_text": "New “CleverSoar” Installer Targets Chinese and Vietnamese Users\r\nBy Natalie Zargarov\r\nPublished: 2024-11-27 · Archived: 2026-04-06 01:26:59 UTC\r\nCleverSoar Installer Used to Deploy Nidhogg Rootkit and Winos4.0 Framework\r\nAgainst Targeted Users\r\nIn early November, Rapid7 Labs identified a new, highly evasive malware installer, 'CleverSoar,' targeting\r\nChinese and Vietnamese-speaking victims. CleverSoar is designed to deploy and protect multiple malicious\r\ncomponents within a campaign, including the advanced Winos4.0 framework and the Nidhogg rootkit. These tools\r\nenable capabilities such as keystroke logging, data exfiltration, security bypasses, and covert system control,\r\nsuggesting that the campaign is part of a potentially prolonged espionage effort. Rapid7 Labs’ findings indicate a\r\nsophisticated and persistent threat, likely focused on data capture and extended surveillance.\r\nDistribution\r\nWhile the majority of CleverSoar installer-related binaries were detected in November 2024, we discovered that\r\nthe initial version of these files was uploaded to VirusTotal in late July of this year. The malware distribution\r\nbegins with a .msi installer package, which extracts the files and subsequently executes the CleverSoar installer.\r\nVictimology\r\nThe CleverSoar installer, as detailed in the Technical Analysis section, checks the user’s language settings to\r\nverify if they are set to Chinese or Vietnamese. If the language is not recognized, the installer terminates,\r\neffectively preventing infection. This behavior strongly suggests that the threat actor is primarily targeting victims\r\nin these regions. Based on the folder names generated by the malicious .msi files (e.g., Wegame, Installer), we\r\ninfer that the .msi installer is being distributed as fake software or gaming-related applications.\r\nAttribution\r\nRapid7 Labs was unable to attribute the installer to a specific known threat actor. 
However, due to similarities in\r\ncampaign characteristics, we suspect with medium confidence that the same threat actor may be responsible for\r\nboth the ValleyRAT campaign and the new campaign, both reported by Fortinet this year. The techniques\r\nemployed in the CleverSoar installer suggest that the threat actor possesses advanced skills and a comprehensive\r\nunderstanding of Windows protocols and security products.\r\nRapid7 Customers\r\nInsightIDR and Managed Detection and Response (MDR) customers have existing detection coverage through\r\nRapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable\r\nhttps://www.rapid7.com/blog/post/2024/11/27/new-cleversoar-installer-targets-chinese-and-vietnamese-users/\r\nPage 1 of 8\n\nhosts to ensure visibility into suspicious processes and proper detection coverage. The following rule will alert on\r\na wide range of malicious hashes tied to behavior in this blog:  Suspicious Process - Malicious Hash On Asset.\r\nTechnical Analysis\r\nThis technical analysis will cover the CleverSoar installer used to evasively deploy the Nidhogg rootkit, Winos4.0\r\nframework and the custom backdoor (T1105). 
The installer is also responsible for disabling security solutions\r\n(T1562.001) and making sure to infect only machines with Chinese or Vietnamese system languages (T1614.001).\r\nFile Information:\r\nGiven our high confidence that the malicious files were dropped by a .msi package (T1218.007), which in our\r\ncase creates a 'WindowsNT' folder under the 'C:\\Program Files (x86)' directory, we also assume that the same .msi\r\npackage is responsible for dropping all the payloads listed below and executing the 'Update.exe' binary.\r\nThe installer begins by verifying the existence of the 'C:\\cs' folder. It subsequently checks if the process is elevated\r\nby executing 'GetTokenInformation' and passing 'TokenElevation' (0x14) as the TokenInformationClass (T1134). If\r\nthe process is not elevated, the malware will utilize the 'runas' operation of 'ShellExecuteA' to execute the process\r\nwith Administrator privileges (T1134.002).\r\nSubsequently, it proceeds to a series of evasion techniques, commencing with a rarely employed one.\r\nFirmware Table Anti-VM\r\nThe malware retrieves the raw SMBIOS firmware table by invoking 'GetSystemFirmwareTable' and checks the\r\nreturned buffer for the presence of a specific value. In our instance, the installer checks for the string 'QEMU' (the\r\nname of a free, open-source emulator) in the returned buffer (T1497.001). This technique is a sophisticated Anti-VM method, as\r\ncertain memory regions utilized by the operating system contain distinctive artifacts when the operating system is\r\nexecuted within a virtual environment. 
Notably, this technique has been previously employed by the Raspberry\r\nRobin malware, but in a slightly different way.\r\nWindows Defender Emulator\r\nThe installer employs the 'LdrGetDllHandleEx' and 'RtlImageDirectoryEntryToData' functions to ascertain the\r\nstate of Windows Defender’s emulator (T1497.001). Additionally, it utilizes the 'NtIsProcessInJob' and\r\n'NtCompressKey' functions for the same purpose. These three anti-emulation techniques are publicly available in\r\nthe UACME open-source project. Upon successful completion of these anti-emulation checks, the installer logs\r\nthat the Defender checks were successfully bypassed and proceeds to the subsequent check.\r\nWindows 10 or Windows 11\r\nInitially, the installer verifies the operating system version by invoking the 'GetVersionExW' function (T1082). To\r\nidentify whether the malware is executing on Windows 10 or Windows 11, the presence of\r\nthe 'C:\\Windows\\System32\\Taskbar.dll' file is checked, as this file can only be found on Windows 11 operating\r\nsystems.\r\n3rd Party DLL Injection Prevention\r\nThe CleverSoar installer modifies the process's mitigation policy to include the restriction 'Signatures restricted\r\n(Microsoft only)' (T1543). This action prevents non-Microsoft-signed binaries from being injected into the\r\naffected process. 
By implementing this technique, Anti-Virus and EDR solutions that employ userland hooking\r\ncannot inject their DLLs into the running process.\r\nTiming Anti-Debug\r\nThe installer also executes timing anti-debug checks by invoking the 'GetTickCount64' function twice and\r\nmeasuring the delay between the two calls (T1622).\r\nSimple Anti-Debug check\r\nThe CleverSoar installer employs the 'IsDebuggerPresent' API call to ascertain whether the process is currently\r\nundergoing debugging (T1622).\r\nAnti-Sandbox/Anti-VM Username Check\r\nUpon the successful completion of all preceding checks, the malware retrieves the current username and\r\nsubsequently compares it to the following (T1497.001):\r\n'CurrentUser, Sandbox, Emily, HAPUBWS, Hone Lee, IT-ADMIN, Johnaon, Miller, miloza, Peter Wilson, timmy,\r\nsand box, malware, maltest, test user, virus, John Doe, 9ZaXj, WALKER, vbccsb_*, vbccsb.'\r\nWhile most of these usernames are well known for being used by sandboxes and emulator solutions, two of them\r\nseem to be misspelled: 'Hone Lee' instead of 'Hong Lee' and 'Johnaon' instead of 'Johnson'.\r\nThere are two possible reasons for this misspelling: either the threat actor typed those names manually, or the\r\nthreat actor found that those are more recent names used by sandboxes.\r\nOnce the username check passes, the malware completes the evasion phase\r\nand initiates its malicious actions.\r\nMalicious Activity\r\nUpon successful completion of all environmental checks, the installer proceeds to the system language\r\nverification. This process involves retrieving the language identifier (ID) for the user interface language and\r\nverifying if that ID corresponds to one of the Chinese language IDs (0x804, 0xC04, 0x1404, 0x1004) or the\r\nVietnamese ID (0x42A). 
If the language ID does not match any of these identifiers, the malware terminates its\r\nexecution (T1614.001).\r\nThis observation suggests that the threat actor intends to target only endpoints within these two countries.\r\nSubsequently, the installer creates the 'HKCU\\SOFTWARE\\Magisk' (T1112) registry key and searches for the\r\n'ring3_username' value under it. If the value is not present, the malware retrieves the user name that the\r\n'explorer.exe' process is running as and sets the 'ring3_username' value.\r\nThe installer verifies if virtualization is enabled in the firmware and made available by the operating system by\r\ncalling 'IsProcessorFeaturePresent' with 0x15 (PF_VIRT_FIRMWARE_ENABLED) and creates the 'INIT.dat' file\r\nin the 'C:\\Program Files (x86)\\Windows NT' directory. Next, it enumerates processes and checks if one of\r\n'ZhuDongFangYu.exe', 'QHActiveDefense.exe', 'HipsTray.exe', or 'HipsDaemon.exe' is running (T1518.001). The\r\nfirst two processes belong to 360 Total Security (Chinese Anti-Virus Software), and the last two belong to\r\nHeroBravo System Diagnostics. If one of these processes is discovered, the installer proceeds to adjust\r\n'Se_Debug_Privilege' for the running process (T1134), enumerates running processes once again, searches for\r\n'lsass.exe' and writes into that process (T1055). Unfortunately, we were unable to retrieve the written payload due\r\nto an unhandled runtime error. It is noteworthy that during our investigation, we identified several installer\r\nversions, and most of them encountered unhandled runtime errors and could not execute.\r\nUpon successful completion of the preceding checks, the installer proceeds to verify the existence of the\r\n'CleverSoarInst' service. 
If the service is not detected, the installer opens a named '\\\\.\\pipe\\ntsvcs' pipe, which is\r\nlinked to the RPC protocol, to establish a temporary service responsible for creating the 'CleverSoar' service\r\n(T1569.002). This temporary service will only execute once, executing the following command: 'cmd /c start sc\r\ncreate CleverSoar' displayname= CleverSoar binPath= “C:\\Program Files (x86)\\Windows NT\\tProtect.dll” type=\r\nkernel start= auto'.\r\nThis command will create a new 'CleverSoar' service that will commence executing a driver at the system’s\r\nstartup. The DLL specified within this service is one of the previously dropped files and is, in fact, a vulnerable\r\nSysmon driver commonly employed by threat actors to disable security software. The installer initiates the\r\n'CleverSoar' service and establishes a named '\\\\.\\TfSysMon' pipe connection. 
Subsequently, it enumerates the\r\ncurrently running processes once more (T1057), searching for any instances that contain one of the following\r\nstrings (security product: process-name strings):\r\nBkav Pro: bka, blu\r\nWindows Security: sechealthui, security, smartscreen, msmpeng, mssecess, mpcmdrun, defender\r\n360 Total Security: 360, zhudongfangyu, dsmain, qhactive, wdswfsafe, softmgr, 360se, 360chrome, 360zip\r\nKingsoft: ksafe, kwatch, kxecenter, kislive, kxetray, kxemain, kxewsc, kscan, kxescore, xdict\r\nHuorong Internet Security: wsctrlsvc, usysdiag, hrsword\r\nHeroBravo System Diagnostics: hips\r\nKaspersky: kav, avp, kis\r\n2345 Security Guard: 2345\r\nTencent: qqpc\r\nMcAfee: mcshield, mcapexe, mfemms\r\nAvira: avira, sentryeye\r\nEset: eset, boothelper, efwd, egui, ekrn.exe, eguiproxy.exe\r\nElastic Security: elastic, agentbeat.exe, apm-server.exe\r\nRising Anti-Virus: ravmond.exe, rsmain.exe, rstray, rsmgrsvc\r\nMonitoring and debugging tools: dbg, pchunter, hacker, monitor, wireshark\r\nOther: lenovo, calc.exe, regedit\r\nUnknown: remotectrlaid, superki, mfeavsv, 52pojie, kl_, watchdog\r\nIf one of the listed processes is discovered, the installer employs the 'DeviceIoControl' API call, specifying the\r\nprocess ID and the '0B4A00404h' IoControl code. Upon our examination of the Sysmon driver, this action results\r\nin the termination of the identified process (T1489).\r\nSubsequently, the CleverSoar installer enumerates the files present in the folder generated by the malware and\r\nmodifies their attributes by adding 0x6 (FILE_ATTRIBUTE_HIDDEN + FILE_ATTRIBUTE_SYSTEM). This\r\nmodification is intended to evade file detection mechanisms (T1564.001).\r\nThe next phase involves the installation of a rootkit by creating a service which will run a rootkit DLL at system\r\nstartup. 
The installer initiates a verification process to ascertain the presence of a service named 'Nidhogg.' If the\r\nservice is not already in existence, it proceeds to execute the command 'sc create Nidhogg displayname= Nidhogg\r\nbinPath= “C:\\Program Files (x86)\\Windows NT\\curl.dll” type= kernel start= auto' to create a new 'Nidhogg'\r\nservice (T1543.003). The service will execute the open-source Nidhogg rootkit at system startup (T1014).\r\nCleverSoar employs a persistence mechanism by executing a scheduled task upon user login (T1053). This task is\r\ncreated by dropping a scheduled task definition (.xml file) into the user’s temporary folder. By\r\nutilizing the same RPC service method previously mentioned, the installer constructs a service responsible for\r\nexecuting a command that creates the scheduled task with the 'Corp' name. The created task is concealed by\r\nmodifying the 'Index' value under the 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\r\nNT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Corp' registry key to 0 (T1564).\r\nAfter persistence is set, the installer turns the Windows firewall off by executing the 'netsh advfirewall set allprofiles\r\nstate off' command (T1562.004).\r\nThe malware now proceeds to the next stages of execution. Firstly, it checks if the 'winnt.exe' binary exists within\r\nthe malware-created folder. If it is present, the installer executes a command to create a scheduled\r\ntask that will execute the binary once and immediately delete the scheduled task. The task responsible for\r\nexecuting 'winnt.exe' is named 'PayloadTask1'. If the binary is not present in the folder, the installer will\r\nrepeatedly enumerate the folder and search for it. Based on our analysis of the 'winnt.exe' binary, it appears to be\r\na Winos4.0 command-and-control (C2) framework implant that has recently been covered in Trend Micro’s report.\r\nThe installer executes the same process with the 'runtime.exe' binary. 
The task responsible for executing this\r\nbinary is designated as 'PayloadTask2'. Based on our investigation, 'runtime.exe' appears to be a custom backdoor,\r\nfacilitating communication with the C2 server via a proprietary protocol.\r\nBy the time of the investigation, the C2 server was already down, so Rapid7 Labs could not further\r\nanalyze the interaction between the C2 server and the malware.\r\nConclusion\r\nThe CleverSoar campaign highlights an advanced and targeted threat, employing sophisticated evasion techniques\r\nand highly customized malware components like the Winos4.0 framework and Nidhogg rootkit. The campaign's\r\nselective targeting of Chinese and Vietnamese-speaking users, along with its layered anti-detection measures,\r\npoints to a persistent espionage effort by a capable threat actor. While currently aimed at individual users, this\r\ncampaign's tactics and tools demonstrate a level of sophistication that could easily extend to organizational targets.\r\nOrganizations in the affected regions should take notice of the TTPs of this actor and monitor suspicious activity.\r\nIOCs\r\nF70b34e2b1716528a3c3fffdbfc008003b9685f1a4da2e5a6052612de92b0c68 CleverSoar installer\r\n156.224.26.7 Winos4.0 C2\r\n8848.twilight.zip Backdoor C2\r\nReferences\r\nhttps://github.com/BlackSnufkin/BYOVD/tree/main/TfSysMon-Killer\r\nhttps://www.ired.team/offensive-security/defense-evasion/preventing-3rd-party-dlls-from-injecting-into-your-processes\r\nSource: https://www.rapid7.com/blog/post/2024/11/27/new-cleversoar-installer-targets-chinese-and-vietnamese-users/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.rapid7.com/blog/post/2024/11/27/new-cleversoar-installer-targets-chinese-and-vietnamese-users/"
	],
	"report_names": [
		"new-cleversoar-installer-targets-chinese-and-vietnamese-users"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439156,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9e4ff8db1dfccae167b1c25847bf495978896b59.pdf",
		"text": "https://archive.orkl.eu/9e4ff8db1dfccae167b1c25847bf495978896b59.txt",
		"img": "https://archive.orkl.eu/9e4ff8db1dfccae167b1c25847bf495978896b59.jpg"
	}
}