{
	"id": "86396f6f-43f8-4509-b39e-ed2fa3328783",
	"created_at": "2026-04-06T00:19:56.133578Z",
	"updated_at": "2026-04-10T03:25:21.243941Z",
	"deleted_at": null,
	"sha1_hash": "a5e0660e3db5b2807e635ff4ff0b0ec5826fc1c7",
	"title": "Evasive Maneuvers by the Wekby Group with Custom ROP-packing and DNS Covert Channels",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1020782,
	"plain_text": "Evasive Maneuvers by the Wekby Group with Custom ROP-packing and DNS Covert Channels\r\nBy Aaron Shelmire\r\nPublished: 2026-03-12 · Archived: 2026-04-05 17:32:23 UTC\r\nEvasive maneuvers by Wekby (TG-0416) from 30 Jun 2015: obfuscated HTTPBrowser/Token Control using DNS covert channels, custom ROP-packing, and IT-helpdesk phishing\r\nhttps://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop\r\nPage 1 of 3\r\n\r\nThreatStream Labs recently became aware of a campaign beginning on 30 June 2015 by the omnipresent Wekby threat actors (a/k/a TG-0416, APT-18, Dynamite Panda). The Wekby actors have recently been observed compromising organizations in the Manufacturing, Technology and Utilities verticals, but have had a long-standing interest in the Healthcare industry. This campaign uses obfuscated variants of the HTTPBrowser tool that use DNS as a control channel.\r\nThis recent campaign exhibits many of the group's key characteristics to deliver a more technically advanced version of their toolkit than has previously been found. The Wekby group is keen on using phishes that purport to be from the IT helpdesk, often with links or attachments claiming to be VPN or Citrix upgrades. This specific instance used a “cisco” vpnclient theme.\r\nThe phishing links are:\r\nhXXp://it-desktop[.]com/vpn/cisco/vpnclient.exe\r\nhXXp://wangke99[.]tgk[.]delldns[.]com/tools.exe\r\nThese URIs result in the download of an installer, which creates a PE of the malware typically known as HTTPBrowser, but called Token Control by the Wekby group themselves (based upon the PDB strings found within many of the samples). The PEBuildDates of the installers range from 2015-06-30 11:57:13 to 12:03:13 UTC. Two samples use subdomains of local.it-desktop.com and were submitted to VirusTotal at 15:32:37 from users in Great Britain. At that time only 8 of 55 antivirus engines detected the sample as malware, mostly with generic and heuristic detections. The third sample was first submitted on July 1st 2015 from a user in South Korea.\r\nThe samples install HTTPBrowser at %APPDATA%/wdm.exe. Persistence is established via the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key value for wdm, set to the path of the executable. Previous samples have set persistence via Run key values for 360v.\r\nFigure: HKCU Run Key for wdm\r\nThis tool has been used by a few groups since at least 2012 (based upon PEBuildDates). However, this sample is a bit more interesting. Normally HTTPBrowser sends traffic over HTTP using a User-Agent of HTTPBrowser/1.0. This sample uses DNS as a covert channel for communications. Specifically, this sample utilizes DNS TXT records with 9 uppercase letters followed by a number and 7 more uppercase letters, then the C2 domain used. In this PCAP the C2 domain is glb.it-desktop.com. The “glb” label is believed to be a campaign ID. The other samples use the C2 domains local.it-desktop.com and hi.getgo2.com.\r\nFigure: DNS TXT C2\r\nAdding to the intrigue of this sample is a novel form of obfuscation that greatly complicates analysis. Specifically, the sample uses Return Oriented Programming to control execution flow, and creates an extraordinary number of functions filled with instructions that essentially evaluate to elaborate NOPs (no operation). The way this works is that each function modifies the stack to replace the return address with additional functions, including a function that contains the next bit of code that needs to be executed. Each subroutine includes the bare minimum number of operations necessary to call another subroutine, or to perform local control flow (looping, branching, and simple calculations), before modifying the stack to return to the next subroutine. While looking at a sample in OllyDbg, you would see the following, where execution will continue with Subroutine 0x0040F62E. If that subroutine does not add any additional functions to the stack, execution will continue to Subroutine 0x0040F38A.\r\nFigure: ROP Obfuscation\r\nWhile many of the Wekby threat actors' campaigns may appear unsophisticated because they often rely upon stolen credentials or basic malware, this group of actors is extremely successful at obtaining their objectives. If your organization does not use two-factor authentication, the group will typically rely upon stolen credentials for remote access. The Wekby group has exhibited a preference for a tool named HcdLoader, which often persists as a Windows Service on externally facing servers for remote access. The group is particularly skilled at living off the land, using the tools already present on computers for lateral movement and exfiltration.\r\nThe samples detailed here can be found on VirusTotal at:\r\nd0f79de7bd194c1843e7411c473e4288\r\ne5414c5215c9305feeebbe0dbee43567\r\n985eba97e12c3e5bce9221631fb66d68\r\nUPDATE: The original post noted a domain of hi.get2go.com in error. This domain should have been hi.getgo2.com.\r\nSource: https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop"
	],
	"report_names": [
		"evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop"
	],
	"threat_actors": [
		{
			"id": "17b92337-ca5f-48bb-926b-c93b5e5678a4",
			"created_at": "2022-10-25T16:07:23.333316Z",
			"updated_at": "2026-04-10T02:00:04.546474Z",
			"deleted_at": null,
			"main_name": "APT 18",
			"aliases": [
				"APT 18",
				"Dynamite Panda",
				"G0026",
				"Red Wraith",
				"SILVERVIPER",
				"Satin Typhoon",
				"Scandium",
				"TG-0416",
				"Wekby"
			],
			"source_name": "ETDA:APT 18",
			"tools": [
				"AngryRebel",
				"AtNow",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HttpBrowser RAT",
				"HttpDump",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Pisloader",
				"QUICKBALL",
				"Roseam",
				"StickyFingers",
				"Token Control",
				"TokenControl",
				"hcdLoader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c8aefee7-fb57-409b-857e-23e986cb4a56",
			"created_at": "2023-01-06T13:46:38.285223Z",
			"updated_at": "2026-04-10T02:00:02.910756Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"SCANDIUM",
				"PLA Navy",
				"Wekby",
				"G0026",
				"Satin Typhoon",
				"DYNAMITE PANDA",
				"TG-0416"
			],
			"source_name": "MISPGALAXY:APT18",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2669aa86-663f-4e72-9362-9e61ff3599f4",
			"created_at": "2022-10-25T15:50:23.344796Z",
			"updated_at": "2026-04-10T02:00:05.38663Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"APT18",
				"TG-0416",
				"Dynamite Panda",
				"Threat Group-0416"
			],
			"source_name": "MITRE:APT18",
			"tools": [
				"hcdLoader",
				"gh0st RAT",
				"cmd",
				"Pisloader",
				"HTTPBrowser"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434796,
	"ts_updated_at": 1775791521,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a5e0660e3db5b2807e635ff4ff0b0ec5826fc1c7.pdf",
		"text": "https://archive.orkl.eu/a5e0660e3db5b2807e635ff4ff0b0ec5826fc1c7.txt",
		"img": "https://archive.orkl.eu/a5e0660e3db5b2807e635ff4ff0b0ec5826fc1c7.jpg"
	}
}