{
	"id": "425893f9-69fe-44d5-b50b-0340337ce125",
	"created_at": "2026-04-06T00:16:55.792907Z",
	"updated_at": "2026-04-10T03:36:06.924619Z",
	"deleted_at": null,
	"sha1_hash": "a32666781a0f2225f289f72a0537cc3b6a031ad9",
	"title": "Introducing the REF5961 intrusion set",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1788341,
	"plain_text": "Introducing the REF5961 intrusion set\r\nBy Daniel Stepanic, Salim Bitam, Cyril François, Seth Goodwin, Andrew Pease\r\nPublished: 2023-10-04 · Archived: 2026-04-05 17:24:42 UTC\r\nPreamble\r\nUpdated October 11, 2023 to include links to the BLOODALCHEMY backdoor.\r\nElastic Security Labs continues to monitor state-aligned activity, targeting governments and multinational government\r\norganizations in Southern and Southeastern Asia. We’ve observed a batch of new and unique capabilities within a\r\ncomplex government environment. This intrusion set is named REF5961.\r\nIn this publication, we will highlight distinctions between malware families, demonstrate relationships to known threats,\r\ndescribe their features, and share resources to identify or mitigate elements of an intrusion. Our intent is to help expose\r\nthis ongoing activity so the community can better understand these types of threats.\r\nThe samples in this research were discovered to be co-residents with a previously reported intrusion set, REF2924\r\n(original reporting here and updated here). The victim is the Foreign Affairs Ministry of a member of the Association of\r\nSoutheast Asian Nations (ASEAN).\r\nElastic Security Labs describes the operators of the REF2924 and REF5961 intrusion sets as state-sponsored and\r\nespionage-motivated due to observed targeting and post-exploitation collection activity. 
Further, the correlation of\r\nexecution flows, tooling, infrastructure, and victimology of multiple campaigns we’re tracking along with numerous\r\nthird-party reports makes us confident this is a China-nexus actor.\r\nREF5961 intrusion execution flow\r\nhttps://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set\r\nPage 1 of 22\n\nPart of this intrusion set includes a new x86-based backdoor called BLOODALCHEMY, and it is covered in depth here.\r\nKey takeaways\r\nElastic Security Labs is disclosing three new malware families:\r\nEAGERBEE\r\nRUDEBIRD\r\nDOWNTOWN\r\nCode sharing and network infrastructure have connected malware in this intrusion set to other campaigns\r\nThe threat actors targeting ASEAN governments and organizations continue to develop and deploy additional\r\ncapabilities\r\nEAGERBEE\r\nEAGERBEE is a newly identified backdoor discovered by Elastic Security Labs that loads additional capabilities using\r\nremotely-downloaded PE files, hosted in C2. However, its implementation and coding practices reveal a lack of advanced\r\nskills from the author, relying on basic techniques.\r\nDuring our research outlined below, we identified string formatting and underlying behavior that aligns with previous\r\nresearch attributed to a Chinese-speaking threat actor referred to as LuckyMouse (APT27, EmissaryPanda).\r\nCode analysis\r\nEAGERBEE dynamically constructs its Import Address Table (IAT) during runtime, populating a designated data\r\nstructure with the memory addresses of essential Windows APIs that the malware needs.\r\nEAGERBEE dynamically constructs its Import Address Table\r\nNote: Dynamic import tables are used as an anti-analysis technique by malware authors to impair static analysis of\r\ntheir binaries. 
These techniques prevent most static analysis software from determining the imports and thus force\r\nanalysts through laborious manual methods to determine what the malware is doing.\r\nAfter resolving all the required Windows APIs, the malware creates a mutex with the string mstoolFtip32W to prevent\r\nmultiple instances of the malware from running on the same machine.\r\nhttps://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set\r\nPage 2 of 22\n\nMutex setup\r\nThe malware gathers key information about the compromised system:\r\nThe computer's name is obtained using the GetComputerNameW function\r\nThe malware retrieves the Windows version by utilizing the GetVersionExW function\r\nA globally unique identifier (GUID) is generated through the CoCreateGuid function\r\nThe processor architecture information is acquired using the GetNativeSystemInfo function\r\nThe ProductName, EditionID, and CurrentBuildNumber are extracted from the designated registry key\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\r\nInformation collection\r\nThe sample’s operational schedule is controlled by the string 0-5:00:23;6:00:23; . In our sample the malware conforms\r\nto the outlined schedule using the ISO 8601 24-hour timekeeping system:\r\nactive from Sunday(0) to Friday(5)\r\nall hours between 00 and 23\r\nSaturday(6) all hours between 00 and 23\r\nThis functionality allows the malware to impose self-restrictions during specific timeframes, showcasing both its\r\nadaptability and control.\r\nhttps://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set\r\nPage 3 of 22\n\nConfiguration scheduling\r\nThe malware's C2 addresses are either hardcoded values or stored in an XOR-encrypted file named\r\nc:\\users\\public\\iconcache.mui . This file is decrypted using the first character as the decryption key.\r\nThis configuration file contains a list of semicolon-delimited IP addresses. 
The format adheres to the structure IP:PORT ,\r\nwhere the character s is optional and instructs the malware to open a Secure Socket Layer (SSL) for encrypted\r\ncommunication between C2 and the malware.\r\nMalware’s hardcoded configuration of C2 IPs\r\nThe configuration optionally accepts a list of port numbers on which the malware will listen. The specific configuration\r\nmode, whether it's for reverse or forward connections, determines this behavior.\r\nA configuration flag is embedded directly into the code in both operating modes. This flag empowers the malware to\r\nselect between utilizing SSL encryption during its interactions with the C2 server or plain text communication.\r\nhttps://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set\r\nPage 4 of 22\n\nIn passive listening mode, the malware opens a listening socket on the port indicated in its configuration.\r\nWhen operating in active connection mode, the malware attempts to load its configuration from the file\r\nc:\\users\\public\\iconcache.mui . In the event that this file is not found, the malware falls back to its hardcoded\r\nconfiguration to acquire the necessary IPs\r\nThe author employs a global variable embedded in the source code to select between modes. Importantly, both are\r\nincluded in the binary, with only one being executed based on the selection. Leaving this dormant capability in the binary\r\nmay have been a mistake, but one that helps researchers understand the technical maturity of this group. Generally\r\nspeaking, malware authors benefit from removing unused code that may be used against them.\r\nBoth forward and reverse connection functionalities are present in the binary\r\nNote: In C programming, modularity is achieved through the use of #define directives to selectively include or exclude\r\ncode parts in the compiled binary. 
However, the malware developer employed a less advisable approach in this case.\r\nThey utilized static global variables whose values are set during compilation. Consequently, the resulting binary\r\ncontains both utilized and unused functions. During runtime, the binary assesses the value of these static global\r\nvariables to determine its behavior. Though functional, this is neither the best programming nor tradecraft practice as\r\nit permits analysis and detection engineering of code used outside the identified intrusion.\r\nThe malware has the capability to detect the presence of an HTTP proxy configuration on the host machine by inspecting\r\nthe ProxyEnable registry key within Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings . If this key\r\nvalue is set to 1 , the malware extracts the information in the ProxyServer key.\r\nIf no proxy server is set, the malware connects directly to C2.\r\nHowever, if the proxy settings are defined, the malware also initializes the proxy by sending a CONNECT request, and its\r\ndata to the configured destination. The malware author made a typo in the HTTP request code; they mistakenly wrote\r\nhttps://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set\r\nPage 5 of 22\n\nDONNECT instead of CONNECT in the HTTP request string in the binary. This is a reliably unique indicator for those\r\nanalyzing network captures.\r\nHTTP request string to connect to the setup proxy\r\nUpon establishing a connection to C2, The malware downloads executable files from C2, likely pushed automatically. It\r\nvalidates that each executable is 64bit, then extracts the entry point and modifies memory protections to allow execution\r\nusing the VirtualProtect API.\r\nPayload execution in the same process\r\nEAGERBEE connection to a Mongolian campaign\r\nDuring our EAGERBEE analysis, we also saw an additional two (previously unnamed) EAGERBEE samples involved in\r\na targeted campaign focused on Mongolia. 
These two EAGERBEE samples were both respectively bundled with other\r\nfiles and used a similar naming convention ( iconcache.mui for EAGERBEE and iconcaches.mui in the Mongolian\r\ncampaign). The samples consisted of multiple files and a lure document.\r\nhttps://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set\r\nPage 6 of 22\n\nDecompressed files inside Mongolian campaign sample\r\nWhile analyzing the Mongolian campaign samples, we found a previous webpage\r\n( http://president[.]mn/en/ebooksheets.php ) hosted under Mongolian infrastructure serving a RAR file named\r\n20220921_2.rar . Given the VirusTotal scan date of the file and the filename, it is likely to have been created in\r\nSeptember 2022.\r\nThe lure text is centered around the regulations for the “Billion Trees National Movement Fund” and has been an\r\nimportant topic in recent years related to an initiative taken on by Mongolia. To address food security, climate impacts,\r\nand naturally occurring but accelerating desertification, Mongolia’s government has undertaken an ambitious goal of\r\nplanting one billion trees throughout the country.\r\nLure document\r\nFor this infection chain, they leveraged a signed Kaspersky application in order to sideload a malicious DLL. Upon\r\nexecution, sensitive data and files were collected from the machine and uploaded to a hard-coded Mongolian government\r\nURL ( www.president[.]mn/upload.php ) via cURL. Persistence is configured using a Registry Run Key.\r\nhttps://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set\r\nPage 7 of 22\n\nHard-coded domain in first sample\r\nNote: Though it does not contain the .gov second-level domain, www.president[.]mn does appear to be the official\r\ndomain of the President of Mongolia, and is hosted within government infrastructure. Abuse email is directed to\r\noyunbold@datacenter.gov[.]mn which appears to be legitimate. 
Based on string formatting and underlying behavior, this\r\nsample aligns with public reporting from AVAST related to a utility they call DataExtractor1.\r\nSensitive file collection on different drives\r\nWhile we didn’t find a WinRAR archive for the other linked sample, we found this related executable. It functions\r\nsimilarly, using a different callback domain hosted on Mongolian infrastructure\r\n( https://intranet.gov[.]mn/upload.php ).\r\nHard-coded domain in the second sample\r\nWhile it is not clear how this infrastructure was compromised or the extent to which it has been used, impersonating\r\ntrusted systems may have enabled the threat to compromise other victims and collect intelligence.\r\nEAGERBEE Summary\r\nEAGERBEE is a technically straightforward backdoor with forward and reverse C2 and SSL encryption capabilities, used\r\nto conduct basic system enumeration and deliver subsequent executables for post-exploitation. The C2 mode is defined at\r\ncompile time, and configurable with an associated config file with hardcoded fallback.\r\nUsing code overlap analysis, and the fact that EAGERBEE was bundled with other samples from VirusTotal, we\r\nidentified a C2 server hosted on Mongolian government infrastructure. The associated lure documents also reference\r\nMongolian government policy initiatives. This leads us to believe that the Mongolian government or non-governmental\r\norganizations (NGOs) may have been targeted by the REF2924 threat actor.\r\nRUDEBIRD\r\nhttps://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set\r\nPage 8 of 22\n\nWithin the contested REF2924 environment, Elastic Security Labs identified a lightweight Windows backdoor that\r\ncommunicates over HTTPS and contains capabilities to perform reconnaissance and execute code. 
We refer to this\r\nmalware family as RUDEBIRD.\r\nInitial execution\r\nThe backdoor was executed by a file with an invalid signature, C:\\Windows\\help\\RVTDM.exe , which resembles the\r\nSysinternals screen magnifier utility ZoomIt. Shortly after being executed, Elastic Defend registered a process injection\r\nalert.\r\nPE signature and original filename details of RVTDM.exe\r\nThe process was executed with the parent process ( w3wp.exe ) coming from a Microsoft Exchange application pool. This\r\nis consistent with the exploitation of an unpatched Exchange vulnerability, and prior research supports that hypothesis.\r\nLateral movement\r\nRUDEBIRD used PsExec ( exec.exe ) to execute itself from the SYSTEM account and then move laterally from victim\r\n0 to another targeted host. It is unclear if PsExec was brought to the environment by the threat actor or if it was already\r\npresent in the environment.\r\n\"C:\\windows\\help\\exec.exe\" /accepteula \\\\{victim-1} -d -s C:\\windows\\debug\\RVTDM.EXE\r\nCode analysis\r\nRUDEBIRD is composed of shellcode that resolves imports dynamically by accessing the Thread Environment Block\r\n(TEB) / Process Environment Block (PEB) and walking the loaded modules to find base addresses for the kernel32.dll\r\nand ntdll.dll modules. These system DLLs contain crucial functions that will be located by the malware in order to\r\ninteract with the Windows operating system.\r\nResolving imports using TEB/PEB\r\nRUDEBIRD uses a straightforward API hashing algorithm with multiplication ( 0x21 ) and addition that is publicly\r\navailable from OALabs. 
This provides defense against static-analysis tools that analysts may use to inspect the import\r\ntable and discern what capabilities a binary has.\r\nRUDEBIRD API Hashing algorithm\r\nAfter resolving the libraries, there is an initial enumeration function that collects several pieces of information including:\r\nHostname\r\nComputer name\r\nUsername\r\nIP Address\r\nSystem architecture\r\nPrivilege of the current user\r\nFor some functions that return larger amounts of data, the malware implements compression using RtlCompressBuffer .\r\nThe malware communicates using HTTPS to IP addresses loaded in memory from its configuration. We observed two IP\r\naddresses in the configuration in our sample:\r\n45.90.58[.]103\r\n185.195.237[.]123\r\nStrangely, there are several functions throughout the program that include calls to OutputDebugStringA . This function is\r\ntypically used during the development phase and serves as a mechanism to send strings to a debugger while testing a\r\nprogram. Normally, these debug messages are expected to be removed after development is finished. For example, the\r\nresult of the administrator check is printed if run inside a debugger.\r\nhttps://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set\r\nPage 10 of 22\n\nRUDEBIRD debug string\r\nRUDEBIRD uses mutexes to maintain synchronization throughout its execution. On launch, the mutex is set to VV.0 .\r\nRUDEBIRD mutex\r\nAfter the initial enumeration stage, RUDEBIRD operates as a traditional backdoor with the following capabilities:\r\nRetrieve victim’s desktop directory path\r\nRetrieve disk volume information\r\nPerform file/directory enumeration\r\nPerform file operations such as reading/writing file content\r\nLaunch new processes\r\nFile/folder operations such as creating new directories, move/copy/delete/rename files\r\nBeacon timeout option\r\nDOWNTOWN (SManager/PhantomNet)\r\nIn the REF2924 environment, we observed a modular implant we call DOWNTOWN. 
This sample shares a plugin\r\narchitecture, and code similarities, and aligns with the victimology described in the publicly reported malware\r\nSManager/PhantomNet. While we have little visibility into the impacts of its overall use, we wanted to share any details\r\nthat may help the community.\r\nSManager/PhantomNet has been attributed to TA428 (Colourful Panda, BRONZE DUDLEY), a threat actor likely\r\nsponsored by the Chinese government. Because of the shared plugin architecture, code similarities, and victimology, we\r\nare attributing DOWNTOWN with a moderate degree of confidence to a nationally sponsored Chinese threat actor.\r\nCode analysis\r\nFor DOWNTOWN, we collected the plugin from a larger framework. This distinction is made based on unique and\r\nshared exports from previously published research by ESET. One of the exports contains the same misspelling previously\r\nidentified in the ESET blog, GetPluginInfomation (note: Infomation is missing an r ). The victimology of REF2924\r\nis consistent with their reported victim vertical and region.\r\nDOWNTOWN exports\r\nhttps://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set\r\nPage 11 of 22\n\nIn our sample, the plugin is labeled as “ExplorerManager”.\r\nGetPlugInfomation export\r\nThe majority of the code appears to be centered around middleware functionality (linked lists, memory management, and\r\nthread synchronization) used to task the malware.\r\nStrings found inside DOWNTOWN sample\r\nIn a similar fashion to RUDEBIRD above, DOWNTOWN also included the debug functionality using\r\nOutputDebugStringA . Again, debugging frameworks are usually removed once the software is moved from development\r\nto production status. 
This could indicate that this module is still in active development or a lack of operational scrutiny by\r\nthe malware author(s).\r\nhttps://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set\r\nPage 12 of 22\n\nOutputDebugStringA usage\r\nSome functionality observed in the sample included:\r\nFile/folder enumeration\r\nDisk enumeration\r\nFile operations (delete/execute/rename/copy)\r\nUnfortunately, our team did not encounter any network/communication functionality or find any domain or IP addresses\r\ntied to this sample.\r\nDOWNTOWN Summary\r\nDOWNTOWN is part of a modular framework that shows probable ties to an established threat group. The observed\r\nplugin appears to provide middleware functionality to the main implant and contains several functions to perform\r\nenumeration.\r\nNetwork infrastructure intersection\r\nWhen performing an analysis of the network infrastructure for EAGERBEE and RUDEBIRD, we identified similarities\r\nin the domain hosting provider, subdomain naming, registration dates, and service enablement between the two malware\r\nfamilies’ C2 infrastructure. Additionally, we were able to use TLS leaf certificate fingerprints to establish another\r\nconnection between EAGERBEE and the Mongolian campaign infrastructure.\r\nShared network infrastructure\r\nAs identified in the malware analysis section for EAGERBEE, there were two IP addresses used for C2:\r\n185.82.217[.]164 and 195.123.245[.]79 .\r\nOf the two, 185.82.217[.]164 had an expired TLS certificate registered to it for paper.hosted-by-bay[.]net . 
The\r\nsubdomain registration for paper.hosted-by-bay[.]net and the TLS certificate were registered on December 14, 2020.\r\npaper.hosted-by-bay[.]net TLS certificate\r\nhttps://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set\r\nPage 13 of 22\n\nAs identified in the malware analysis section for RUDEBIRD, there were two IP addresses used for C2:\r\n45.90.58[.]103 and 185.195.237[.]123 .\r\n45.90.58[.]103 was used to register the subdomain news.hosted-by-bay[.]net , on December 13, 2020.\r\nBoth IP addresses (one from EAGERBEE and one from RUDEBIRD) were assigned to subdomains ( paper.hosted-by-bay[.]net and news.hosted-by-bay[.]net ) within one day at the domain hosted-by-bay[.]net .\r\nNote: While 195.123.245[.]79 (EAGERBEE) and 185.195.237[.]123 (RUDEBIRD) are malicious, we were\r\nunable to identify anything atypical of normal C2 nodes. They used the same defense evasion technique (described\r\nbelow) used by 185.82.217[.]164 (EAGERBEE) and 45.90.58[.]103 (RUDEBIRD).\r\nDomain analysis\r\nWhen performing an analysis of the hosted-by-bay[.]net domain, we see that it is registered to the IP address\r\n45.133.194[.]106 . This IP address exposes two TCP ports, one is the expected TLS port of 443 , and the other is\r\n62753 .\r\nNote: Port 443 has a Let’s Encrypt TLS certificate for paypal.goodspaypal[.]com . This domain does not appear to\r\nbe related to this research but should be categorized as malicious based on its registration to this IP.\r\nOn port 62753 , there was a self-signed wildcard TLS leaf certificate with a fingerprint of\r\nd218680140ad2c6e947bf16020c0d36d3216f6fc7370c366ebe841c02d889a59 ( *.REDACTED[.]mn ). This fingerprint is used\r\nfor one host, shop.REDACTED[.]mn . The 10-year TLS certificate was registered on December 13, 2020.\r\nValidity\r\nNot Before: 2020-12-13 11:53:20\r\nNot After: 2030-12-11 11:53:20\r\nSubject: CN=shop.REDACTED[.]mn\r\n.mn is the Internet ccTLD for Mongolia and REDACTED is a large bank in Mongolia. 
When researching the network\r\ninfrastructure for REDACTED, we can see that they do currently own their DNS infrastructure.\r\nIt does not appear that shop.REDACTED[.]mn was ever registered. This self-signed TLS certificate was likely used to\r\nencrypt C2 traffic. While we cannot confirm that this certificate was used for EAGERBEE or RUDEBIRD, in the\r\nmalware code analysis of both EAGERBEE and RUDEBIRD, we identified that TLS to an IP address is an available\r\nmalware configuration option. We do believe that this domain is related to EAGERBEE and RUDEBIRD based on the\r\nregistration dates, IP addresses, and subdomains of the hosted-by-bay[.]net domain.\r\nAs noted in the EAGERBEE malware analysis, we identified two other previously unnamed EAGERBEE samples used\r\nto target Mongolian victims and also leveraged Mongolian C2 infrastructure.\r\nDefense evasion\r\nFinally, we see all of the C2 IP addresses add and remove services at similar dates and times. This is a tactic to hinder the\r\nanalysis of the C2 infrastructure by limiting its availability. It should be noted that the history of the service enablement\r\nand disablement (provided by Censys.io databases) is meant to show possible coordination in C2 availability. 
The images\r\nbelow show the last service change windows, further historical data was not available.\r\nhttps://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set\r\nPage 14 of 22\n\n192.123.245[.]79 had TCP port 80 enabled on September 22, 2023 at 07:31 and then disabled on September 24, 2023\r\nat 07:42.\r\n192.123.245[.]79 C2 service windows\r\n185.195.237[.]123 had TCP port 443 enabled on September 22, 2023 at 03:33 and then disabled on September 25,\r\n2023 at 08:08.\r\nhttps://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set\r\nPage 15 of 22\n\n185.195.237[.]123 C2 service windows\r\n185.82.217[.]164 had TCP port 443 enabled on September 22, 2023 at 08:49 and then disabled on September 25,\r\n2023 at 01:02.\r\nhttps://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set\r\nPage 16 of 22\n\n185.82.217[.]164 C2 service windows\r\n45.90.58[.]103 had TCP port 443 enabled on September 22, 2023 at 04:46 and then disabled on September 24, 2023\r\nat 09:57.\r\n45.90.58[.]103 C2 service windows\r\nNetwork intersection summary\r\nEAGERBEE and RUDEBIRD are two malware samples, co-resident on the same infected endpoint, in the same\r\nenvironment. 
This alone builds a strong association between the families.\r\nAdding the fact that both families use C2 endpoints that were used to register subdomains on the same domain\r\n( hosted-by-bay[.]net ), together with the coordinated service availability, leads us to say with a high degree of confidence that\r\nthe malware and campaign operators are from the same tasking authority, or organizational umbrella.\r\nSummary\r\nEAGERBEE, RUDEBIRD, and DOWNTOWN backdoors all exhibit characteristics of incompleteness, whether using\r\n“Test” in file/service names, ignoring compilation best practices, leaving orphaned code, or leaving a smattering of\r\nextraneous debug statements.\r\nThey all, however, deliver similar tactical capabilities in the context of this environment:\r\nLocal enumeration\r\nPersistence\r\nDownload/execute additional tooling\r\nC2 options\r\nThe variety of tooling performing the same or similar tasks with varying degrees and types of miscues causes us to\r\nspeculate that this environment has attracted the interest of multiple players in the REF2924 threat actor’s organization.\r\nThe victim's status as a government diplomatic agency would make it an ideal candidate as a stepping-off point to other\r\ntargets within and outside the agency’s national borders. Additionally, it is easy to imagine that multiple entities within a\r\nnational intelligence apparatus would have collection requirements that could be satisfied by this victim directly.\r\nThis environment has already seen the emergence of the REF2924 intrusion set (SIESTAGRAPH, NAPLISTENER,\r\nSOMNIRECORD, and DOORME), as well as the deployment of SHADOWPAD and COBALTSTRIKE. 
The REF2924\r\nand REF5961 threat actor(s) continue to deploy new malware into their government victim’s environment.\r\nREF5961 and MITRE ATT\u0026CK\r\nElastic uses the MITRE ATT\u0026CK framework to document common tactics, techniques, and procedures that advance\r\npersistent threats used against enterprise networks.\r\nTactics\r\nTactics represent the why of a technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an\r\naction.\r\nEAGERBEE\r\nDefense Evasion\r\nDiscovery\r\nCommand and Control\r\nExecution\r\nRUDEBIRD\r\nDefense Evasion\r\nCollection\r\nCommand and Control\r\nDiscovery\r\nLateral Movement\r\nExecution\r\nDOWNTOWN\r\nDiscovery\r\nCollection\r\nTechniques\r\nTechniques represent how an adversary achieves a tactical goal by performing an action.\r\nEAGERBEE\r\nObfuscated Files or Information\r\nSystem Information Discovery\r\nExfiltration Over C2 Channel\r\nProxy\r\nProcess Injection\r\nRUDEBIRD\r\nhttps://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set\r\nPage 18 of 22\n\nFile and Directory Discovery\r\nSystem Information Discovery\r\nCommand and Scripting Interpreter\r\nLateral Tool Transfer\r\nData from Local System\r\nDOWNTOWN\r\nFile and Directory Discovery\r\nSystem Information Discovery\r\nMalware prevention capabilities\r\nEAGERBEE\r\nRUDEBIRD\r\nDOWNTOWN\r\nYARA\r\nElastic Security has created YARA rules to identify this activity. 
Below are YARA rules to identify the EAGERBEE,\r\nRUDEBIRD, and DOWNTOWN malware:\r\nEAGERBEE\r\nrule Windows_Trojan_EagerBee_1 {\r\n meta:\r\n author = \"Elastic Security\"\r\n creation_date = \"2023-05-09\"\r\n last_modified = \"2023-06-13\"\r\n threat_name = \"Windows.Trojan.EagerBee\"\r\n reference_sample = \"09005775fc587ac7bf150c05352e59dc01008b7bf8c1d870d1cea87561aa0b06\"\r\n license = \"Elastic License v2\"\r\n os = \"windows\"\r\n strings:\r\n $a1 = { C2 EB D6 0F B7 C2 48 8D 0C 80 41 8B 44 CB 14 41 2B 44 CB 0C 41 }\r\n $a2 = { C8 75 04 33 C0 EB 7C 48 63 41 3C 8B 94 08 88 00 00 00 48 03 D1 8B }\r\n condition:\r\n all of them\r\n}\r\nrule Windows_Trojan_EagerBee_2 {\r\n meta:\r\n author = \"Elastic Security\"\r\n creation_date = \"2023-09-04\"\r\n last_modified = \"2023-09-20\"\r\n threat_name = \"Windows.Trojan.EagerBee\"\r\n reference_sample = \"339e4fdbccb65b0b06a1421c719300a8da844789a2016d58e8ce4227cb5dc91b\"\r\n license = \"Elastic License v2\"\r\n os = \"windows\"\r\n strings:\r\n $dexor_config_file = { 48 FF C0 8D 51 FF 44 30 00 49 03 C4 49 2B D4 ?? ?? 48 8D 4F 01 48 }\r\n $parse_config = { 80 7C 14 20 3A ?? ?? ?? ?? ?? ?? 
45 03 C4 49 03 D4 49 63 C0 48 3B C1 }\r\n $parse_proxy1 = { 44 88 7C 24 31 44 88 7C 24 32 48 F7 D1 C6 44 24 33 70 C6 44 24 34 3D 88 5C 24 35 48 83 F9 01 }\r\n $parse_proxy2 = { 33 C0 48 8D BC 24 F0 00 00 00 49 8B CE F2 AE 8B D3 48 F7 D1 48 83 E9 01 48 8B F9 }\r\n condition:\r\n 2 of them\r\n}\r\nRUDEBIRD\r\nrule Windows_Trojan_RudeBird {\r\n meta:\r\n author = \"Elastic Security\"\r\n creation_date = \"2023-05-09\"\r\n last_modified = \"2023-06-13\"\r\n threat_name = \"Windows.Trojan.RudeBird\"\r\n license = \"Elastic License v2\"\r\n os = \"windows\"\r\n strings:\r\n $a1 = { 40 53 48 83 EC 20 48 8B D9 B9 D8 00 00 00 E8 FD C1 FF FF 48 8B C8 33 C0 48 85 C9 74 05 E8 3A F2 }\r\n condition:\r\n all of them\r\n}\r\nDOWNTOWN\r\nrule Windows_Trojan_DownTown_1 {\r\n meta:\r\n author = \"Elastic Security\"\r\n creation_date = \"2023-05-10\"\r\n last_modified = \"2023-06-13\"\r\n threat_name = \"Windows.Trojan.DownTown\"\r\n license = \"Elastic License v2\"\r\n os = \"windows\"\r\n strings:\r\n $a1 = \"SendFileBuffer error -1 !!!\" fullword\r\n $a2 = \"ScheduledDownloadTasks CODE_FILE_VIEW \" fullword\r\n $a3 = \"ExplorerManagerC.dll\" fullword\r\n condition:\r\n 3 of them\r\n}\r\nrule Windows_Trojan_DownTown_2 {\r\n meta:\r\n author = \"Elastic Security\"\r\n creation_date = \"2023-08-23\"\r\n last_modified = \"2023-09-20\"\r\n threat_name = \"Windows.Trojan.DownTown\"\r\n license = \"Elastic License v2\"\r\n os = \"windows\"\r\n strings:\r\n $a1 = \"DeletePluginObject\"\r\n $a2 = \"GetPluginInfomation\"\r\n $a3 = \"GetPluginObject\"\r\n $a4 = \"GetRegisterCode\"\r\n condition:\r\n all of them\r\n}\r\nObservations\r\nAll observables are also available for download in both ECS and STIX format.\r\nThe following observables were discussed in this research.\r\nObservable | Type | Name | Reference\r\nce4dfda471f2d3fa4e000f9e3839c3d9fbf2d93ea7f89101161ce97faceadf9a | SHA-256 | EAGERBEE shellcode | iconcaches.mui\r\n29c90ac124b898b2ff2a4897921d5f5cc251396e8176fc8d6fa475df89d9274d | SHA-256 | DOWNTOWN | In-memory DLL\r\n185.82.217[.]164 | ipv4 | EAGERBEE | C2\r\n195.123.245[.]79 | ipv4 | EAGERBEE | C2\r\n45.90.58[.]103 | ipv4 | RUDEBIRD | C2\r\n185.195.237[.]123 | ipv4 | RUDEBIRD | C2\r\nReferences\r\nThe following were referenced throughout the above research:\r\nhttps://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\r\nhttps://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns\r\nhttps://thediplomat.com/2022/06/mongolias-1-billion-tree-movement/\r\nhttps://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/\r\nhttps://github.com/OALabs/hashdb/blob/main/algorithms/mult21_add.py\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.smanager\r\nhttps://malpedia.caad.fkie.fraunhofer.de/actor/ta428\r\nhttps://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/\r\nSource: https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set"
	],
	"report_names": [
		"introducing-the-ref5961-intrusion-set"
	],
	"threat_actors": [
		{
			"id": "bbdb2d7d-4bf4-4100-a108-f4742cfd69ff",
			"created_at": "2022-10-25T16:07:24.01101Z",
			"updated_at": "2026-04-10T02:00:04.836112Z",
			"deleted_at": null,
			"main_name": "Operation SignSight",
			"aliases": [],
			"source_name": "ETDA:Operation SignSight",
			"tools": [
				"Mimikatz",
				"PhantomNet",
				"SManager"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f5c5d5d4-3969-4e34-9982-55144c3908eb",
			"created_at": "2022-10-25T16:07:24.37846Z",
			"updated_at": "2026-04-10T02:00:04.965506Z",
			"deleted_at": null,
			"main_name": "Vicious Panda",
			"aliases": [
				"Bronze Dudley"
			],
			"source_name": "ETDA:Vicious Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"BBSRAT",
				"Byeby",
				"Cmstar",
				"Enfal",
				"Lurid",
				"Pylot",
				"RoyalRoad",
				"Travle",
				"meciv"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dbee5a02-e2d6-49d2-9bb5-5a9e93fd1de9",
			"created_at": "2023-11-07T02:00:07.108976Z",
			"updated_at": "2026-04-10T02:00:03.411448Z",
			"deleted_at": null,
			"main_name": "REF2924",
			"aliases": [],
			"source_name": "MISPGALAXY:REF2924",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1",
			"created_at": "2023-01-06T13:46:39.042499Z",
			"updated_at": "2026-04-10T02:00:03.194713Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"BRONZE DUDLEY",
				"Colourful Panda"
			],
			"source_name": "MISPGALAXY:TA428",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6957eadc-136d-4e6c-b158-4035175b2db4",
			"created_at": "2023-11-07T02:00:07.106754Z",
			"updated_at": "2026-04-10T02:00:03.410616Z",
			"deleted_at": null,
			"main_name": "REF5961",
			"aliases": [],
			"source_name": "MISPGALAXY:REF5961",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434615,
	"ts_updated_at": 1775792166,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a32666781a0f2225f289f72a0537cc3b6a031ad9.pdf",
		"text": "https://archive.orkl.eu/a32666781a0f2225f289f72a0537cc3b6a031ad9.txt",
		"img": "https://archive.orkl.eu/a32666781a0f2225f289f72a0537cc3b6a031ad9.jpg"
	}
}