{
	"id": "d4e644c8-a1fe-44d3-9539-f9616d2b5bf6",
	"created_at": "2026-04-06T00:13:22.726867Z",
	"updated_at": "2026-04-10T03:33:45.833672Z",
	"deleted_at": null,
	"sha1_hash": "a02d39a656c7302043fd6d16720c472dd8604daa",
	"title": "APT10 Targets Japanese Corporations | UPPERCUT backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1941888,
	"plain_text": "APT10 Targets Japanese Corporations | UPPERCUT backdoor\r\nBy Mandiant\r\nPublished: 2018-09-13 · Archived: 2026-04-02 11:51:35 UTC\r\nWritten by: Ayako Matsuda, Irshad Muhammad\r\nIntroduction\r\nIn July 2018, FireEye devices detected and blocked what appears to be APT10 (Menupass) activity targeting the Japanese\r\nmedia sector. APT10 is a Chinese cyber espionage group that FireEye has tracked since 2009, and they have a history of\r\ntargeting Japanese entities.\r\nIn this campaign, the group sent spear phishing emails containing malicious documents that led to the installation of the\r\nUPPERCUT backdoor. This backdoor is well-known in the security community as ANEL, and it used to come in beta or RC\r\n(release candidate) until recently. Part of this blog post will discuss the updates and differences we have observed across\r\nmultiple versions of this backdoor.\r\nAttack Overview\r\nThe attack starts with Microsoft Word documents containing a malicious VBA macro being attached to spear phishing\r\nemails. Although the contents of the malicious documents are unreadable (see Figure 3), the Japanese titles are related to\r\nmaritime, diplomatic, and North Korean issues. 
Table 1 shows the UPPERCUT indicators of compromise (IoCs).\r\nFile Name | English Title | MD5 | Size (bytes) | C2\r\n自民党海洋総合戦略小委員会が政府に提言申し入れ.doc | Government Recommendations from the Liberal Democratic Party’s Comprehensive Strategic Maritime Subcommittee | 4f83c01e8f7507d23c67ab085bf79e97 | 843022 | eservake.jetos[.]com, 82.221.100.52, 151.106.53.147\r\nグテマラ大使講演会案内状.doc | Invitation to Lecture by Guatemalan Ambassador | f188936d2c8423cf064d6b8160769f21 | 720384 | eservake.jetos[.]com, 151.106.53.147, 153.92.210.208\r\n米国接近に揺れる北朝鮮内部.doc | North Korean interior swayed by the approach of the United States | cca227f70a64e1e7fcf5bccdc6cc25dd | 733184 | eservake.jetos[.]com, 153.92.210.208, 167.99.121.203\r\nTable 1: UPPERCUT IoCs\r\nFor the North Korean lure, a news article with an identical title was readily available online. It’s also worth noting that in the Guatemalan lure, the attacker used an unusual spelling of Guatemala in Japanese. The top result of a Google search using the same spelling led us to the event website for the lecture of the Guatemalan Ambassador, held in August 2018. Figure 1 shows a screenshot of the event page.\r\nhttps://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html\r\nPage 1 of 7\n\nFigure 1: Event Website for the Lecture of Guatemala Ambassador\r\nFigure 2 shows the macro function that displays the lure document. At the bottom of this function, we can see readable text that matches the contact information found in Figure 1, so people with an interest in Latin American issues may have been the targets of this campaign.\r\nFigure 2: Macro to display lure document\r\nThe initial Word documents were password protected, likely in an effort to bypass detection. 
Once the password (delivered in the body of the email) is entered, users are presented with a document that asks them to enable the malicious macro, as shown in Figure 3.\r\nFigure 4 shows what happens when the malicious macro is executed.\r\nFigure 4: Macro to install UPPERCUT\r\nThe execution workflow is as follows:\r\n1. The macro drops three PEM files, padre1.txt, padre2.txt, and padre3.txt, to the victim’s %TEMP% folder and then copies them from %TEMP% to the %ALLUSERSPROFILE% folder (C:\\ProgramData).\r\n2. The macro decodes the dropped files using Windows certutil.exe with the following commands (certutil.exe is a legitimate built-in command-line program for managing certificates in Windows):\r\n\"C:\\Windows\\System32\\cmd.exe\" /c certutil -decode C:\\ProgramData\\padre1.txt C:\\ProgramData\\\\GUP.txt\r\n\"C:\\Windows\\System32\\cmd.exe\" /c certutil -decode C:\\ProgramData\\padre2.txt C:\\ProgramData\\\\libcurl.txt\r\n\"C:\\Windows\\System32\\cmd.exe\" /c certutil -decode C:\\ProgramData\\padre3.txt C:\\ProgramData\\\\3F2E3AB9\r\n3. The macro creates a copy of the files with their proper extensions using the Extensible Storage Engine utility (esentutl.exe) with the following commands (esentutl.exe is also a legitimate program pre-installed in Windows; the /y source /d destination /o form copies a file, which here serves as a rename to .exe and .dll):\r\n\"C:\\Windows\\System32\\esentutl.exe\" /y C:\\ProgramData\\\\GUP.txt /d C:\\ProgramData\\GUP.exe /o\r\n\"C:\\Windows\\System32\\esentutl.exe\" /y C:\\ProgramData\\\\libcurl.txt /d C:\\ProgramData\\libcurl.dll /o\r\nThe dropped files include the following:\r\nGUP.exe: GUP, a free (LGPL) Generic Updater. GUP is an open source binary used by Notepad++ for software updates. 
The version used here is version 4.1, digitally signed by Notepad++, as shown in Figure 5.\r\nlibcurl.dll: malicious loader DLL\r\n3F2E3AB9: encrypted shellcode\r\nFigure 5: Notepad++ signed updater\r\n4. The macro launches the legitimate executable GUP.exe.\r\nThe executable sideloads the malicious DLL (libcurl.dll) from the same folder, which decrypts and runs the shellcode (3F2E3AB9) located there.\r\nThe shellcode decodes and decompresses another DLL, an updated variant of UPPERCUT. Before decoding the DLL, the shellcode applies an anti-debug technique based on ntdll!NtSetInformationThread, which hides the calling thread from an attached debugger, as shown in Figure 6. The DLL is then loaded into memory and its randomly named exported function is called.\r\nFigure 6: Anti-debug technique used by shellcode\r\n5. The macro deletes the initially dropped .txt files using Windows esentutl.exe and replaces the document text with an embedded message.\r\nThe complete attack overview is shown in Figure 7.\r\nFigure 7: Attack overview\r\nSeveral threat actors use Windows certutil.exe for payload decoding, and APT10 continues to employ this technique.\r\nEvolution of UPPERCUT\r\nFigure 8 shows the timeline of updates for UPPERCUT. The PE compile time of loaders and the creation time of droppers (Word documents) are plotted in the graph. The compile time of loaders in the newer version(s) is not shown here since the timestamps are overwritten and filled with zeroes. 
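The certutil, esentutl and GUP.exe sideload chain from the Attack Overview section maps directly onto process-creation and image-load telemetry. The following is an added example, not code from the FireEye post, showing detection logic run over a handful of constructed Sysmon-style events. The field names, the single writable directory in USER_WRITABLE, the rule names and the benign control event are all assumptions; only the binaries, flags and paths come from the workflow above.

```python
import ntpath

OFFICE_IMAGES = {'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'}
# Directory the GUP.exe/libcurl.dll pair should never run from. Assumption:
# extend with other user-writable paths for your environment.
USER_WRITABLE = ('c:\\programdata\\',)

# Constructed Sysmon-style events modelled on the macro chain described in the
# post. These are not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {'type': 'process', 'pid': 3112, 'ppid': 2040,
     'image': 'C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE',
     'cmdline': 'WINWORD.EXE /n lure.doc'},
    {'type': 'process', 'pid': 3300, 'ppid': 3112,
     'image': 'C:\\Windows\\System32\\cmd.exe',
     'cmdline': 'cmd.exe /c certutil -decode C:\\ProgramData\\padre1.txt C:\\ProgramData\\GUP.txt'},
    {'type': 'process', 'pid': 3301, 'ppid': 3300,
     'image': 'C:\\Windows\\System32\\certutil.exe',
     'cmdline': 'certutil -decode C:\\ProgramData\\padre1.txt C:\\ProgramData\\GUP.txt'},
    {'type': 'process', 'pid': 3320, 'ppid': 3112,
     'image': 'C:\\Windows\\System32\\esentutl.exe',
     'cmdline': 'esentutl.exe /y C:\\ProgramData\\GUP.txt /d C:\\ProgramData\\GUP.exe /o'},
    {'type': 'process', 'pid': 3340, 'ppid': 3112,
     'image': 'C:\\ProgramData\\GUP.exe', 'cmdline': 'GUP.exe'},
    {'type': 'imageload', 'pid': 3340,
     'image': 'C:\\ProgramData\\GUP.exe',
     'loaded': 'C:\\ProgramData\\libcurl.dll'},
    # Benign control (constructed): certutil decoding a certificate outside
    # any Office process tree must not fire.
    {'type': 'process', 'pid': 4100, 'ppid': 900,
     'image': 'C:\\Windows\\System32\\certutil.exe',
     'cmdline': 'certutil -decode C:\\Temp\\cert.b64 C:\\Temp\\cert.cer'},
]


def _base(path):
    return ntpath.basename(path).lower()


def _descends_from_office(pid, procs):
    # Walk the parent chain; stop on an unknown pid or a cycle.
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        if _base(procs[pid]['image']) in OFFICE_IMAGES:
            return True
        pid = procs[pid]['ppid']
    return False


def detect(events):
    # Returns (rule_name, pid) for each event matching one of the four stages:
    # certutil -decode under an Office process, esentutl /y ... /d ... /o
    # writing a PE, a PE launched from a writable directory by an Office
    # descendant, and libcurl.dll sideloaded from that same directory.
    procs = {e['pid']: e for e in events if e['type'] == 'process'}
    hits = []
    for e in events:
        if e['type'] == 'process':
            name = _base(e['image'])
            args = e['cmdline'].lower().split()
            office = _descends_from_office(e['pid'], procs)
            # Key on the certutil process itself, not on the cmd.exe wrapper,
            # so the rule also fires when certutil is launched directly.
            if name == 'certutil.exe' and '-decode' in args and office:
                hits.append(('certutil_decode_from_office', e['pid']))
            elif name == 'esentutl.exe' and {'/y', '/d', '/o'} <= set(args):
                i = args.index('/d')
                dst = args[i + 1] if i + 1 < len(args) else ''
                if dst.endswith(('.exe', '.dll')):
                    hits.append(('esentutl_copy_to_pe', e['pid']))
            elif e['image'].lower().startswith(USER_WRITABLE) and office:
                hits.append(('pe_launched_from_writable_dir_by_office', e['pid']))
        elif e['type'] == 'imageload':
            loaded = e['loaded'].lower()
            same_dir = ntpath.dirname(loaded) == ntpath.dirname(e['image'].lower())
            if _base(loaded) == 'libcurl.dll' and same_dir and loaded.startswith(USER_WRITABLE):
                hits.append(('libcurl_sideload_from_writable_dir', e['pid']))
    return hits


if __name__ == '__main__':
    for rule, pid in detect(SAMPLE_EVENTS):
        print(rule, pid)
```

Each stage is a separate rule on purpose: certutil -decode and esentutl copies are individually noisy in some environments, but the combination of all four against one Office process tree is what characterises this chain, and the parent-chain walk is what keeps the benign certutil control from firing.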
We don’t have visibility into the UPPERCUT 5.2.x series, but it’s possible that minor revisions were released every few months between December 2017 and May 2018.\r\nFigure 8: Timeline of UPPERCUT updates\r\nUnlike previous versions, the exported function names are randomized in the latest version (Table 2).\r\nEncoded payload MD5 | Encoded payload size (bytes) | Decoded payload import hash | Decoded payload exported function | Version\r\naa3f303c3319b14b4829fe2faa5999c1 | 322164 | 182ee99b4f0803628c30411b1faa9992 | l7MF25T96n45qOGWX | 5.3.2\r\n126067d634d94c45084cbe1d9873d895 | 330804 | 5f45532f947501cf024d84c36e3a19a1 | hJvTJcdAU3mNkuvGGq7L | 5.4.1\r\nfce54b4886cac5c61eda1e7605483ca3 | 345812 | c1942a0ca397b627019dace26eca78d8 | WcuH | 5.4.1\r\nTable 2: Static characteristics of UPPERCUT\r\nAnother new feature in the latest UPPERCUT sample is that the malware sends an error code in the Cookie header if it fails to receive the HTTP response from the command and control (C2) server. The error code is the value returned by the GetLastError function and is sent in the next beacon. This was likely included to help the attackers understand the problem if the backdoor is unable to receive a response (Figure 9). This Cookie header is a unique indicator that can be used for network-based detection.\r\nFigure 9: Example of callback\r\nEarlier versions of UPPERCUT used the hard-coded string “this is the encrypt key” for Blowfish encryption when communicating with a C2. 
However, in the latest version, a separate key is hard-coded for each C2 address, and the MD5 hash of the C2 URL selects which key to use, as shown in Figure 10.\r\nFigure 10: Blowfish key generation\r\nFor instance, Table 3 lists the hard-coded C2 addresses, their MD5 hashes, and the corresponding Blowfish keys in the decoded payload of 126067d634d94c45084cbe1d9873d895.\r\nC2 | MD5 | Blowfish Key\r\nhxxp[:]//151.106.53[.]147/VxQG | f613846eb5bed227ec1a5f8df7e678d0 | bdc4b9f5af9868e028dd0adc10099a4e6656e9f0ad12b2e75a30f5ca0e34489d\r\nhxxp[:]//153.92.210[.]208/wBNh1 | 50c60f37922ff2ff8733aaeaa9802da5 | fb9f7fb3c709373523ff27824ed6a31d800e275ec5217d8a11024\r\nhxxp[:]//eservake.jetos[.]com/qIDj | c500dae1ca41236830b59f1467ee96c1 | d3450966ceb2eba93282aace7d7684380d87c6621bbd3c4f621c\r\nDefault | Default | f12df6984bb65d18e2561bd017df29ee1cf946efa5e510802005aeee9035dd53\r\nTable 3: Example of Blowfish keys\r\nIn this example, the MD5 hash of hxxp[:]//151.106.53[.]147/VxQG is f613846eb5bed227ec1a5f8df7e678d0. When the malware interacts with this URL, bdc4b9f5af9868e028dd0adc10099a4e6656e9f0ad12b2e75a30f5ca0e34489d is selected as the Blowfish key. If the MD5 hash of the URL does not match any of the listed hashes, the default key f12df6984bb65d18e2561bd017df29ee1cf946efa5e510802005aeee9035dd53 is used. For an analyst this means a decryptor must first recover the per-sample key table from the decoded payload; the old fixed key no longer works.\r\nAnother difference in the network traffic generated by the malware is that encoded proxy information has been added to the URL query values during C2 communication. Table 4 shows the parameters sent to the C2 server by the backdoor in the newer versions. These are sent via POST request, as shown in Figure 9.\r\nAdditionally, the command string is hashed using the same RGPH hashing algorithm as before. 
Two more commands, 0xD290626C85FB1CE3 and 0x409C7A89CFF0A727, are supported in the newer versions (Table 5).\r\nCommand | Description\r\n0x97A168D9697D40DD | Download and validate file (XXHash comparison) from C2 server\r\n0x7CF812296CCC68D5 | Upload file to C2 server\r\n0x652CB1CEFF1C0A00 | Load PE file\r\n0x27595F1F74B55278 | Download, validate (XXHash comparison), execute file, and send output to C2 server\r\n0xD290626C85FB1CE3 | Format the current timestamp\r\n0x409C7A89CFF0A727 | Capture the desktop screenshot in PNG format and send it to C2\r\nNone of the above | The received buffer is executed via cmd.exe and the output is then sent to the C2 server\r\nTable 5: Supported commands\r\nConclusion\r\nWhile APT10 consistently targets the same geolocation and industry, the malware they use is actively evolving. In the newer versions of UPPERCUT, there is a significant change in the way the backdoor initializes the Blowfish encryption key, which makes it harder for analysts to detect and decrypt the backdoor’s network communications. This shows that APT10 is very capable of maintaining and updating their malware.\r\nTo mitigate the threat, users are advised to disable Office macros in their settings and not to open documents from unknown sources. The FireEye Multi-Vector Execution (MVX) engine is able to recognize and block this threat with the following detection names:\r\nAPT.Backdoor.Win.UPPERCUT\r\nFE_APT_Backdoor_Win32_UPPERCUT\r\nSource: https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html"
	],
	"report_names": [
		"apt10-targeting-japanese-corporations-using-updated-ttps.html"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434402,
	"ts_updated_at": 1775792025,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a02d39a656c7302043fd6d16720c472dd8604daa.pdf",
		"text": "https://archive.orkl.eu/a02d39a656c7302043fd6d16720c472dd8604daa.txt",
		"img": "https://archive.orkl.eu/a02d39a656c7302043fd6d16720c472dd8604daa.jpg"
	}
}