{
	"id": "1717721f-4f60-4443-94c8-f36433420c0a",
	"created_at": "2026-04-06T00:21:26.434707Z",
	"updated_at": "2026-04-10T03:36:01.161456Z",
	"deleted_at": null,
	"sha1_hash": "a711650195e0752091a02b20835c2d8c8465e3f6",
	"title": "Digital Quartermaster Scenario Demonstrated in Attacks Against the Mongolian Government",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3653108,
	"plain_text": "Digital Quartermaster Scenario Demonstrated in Attacks Against\r\nthe Mongolian Government\r\nBy Josh Grunzweig, Robert Falcone, Bryan Lee\r\nPublished: 2016-03-14 · Archived: 2026-04-05 14:53:54 UTC\r\nUnit 42 has collected multiple spear phishing emails, weaponized document files, and payloads that targeted\r\nvarious offices of the Mongolian government between August 2015 and February 2016. The\r\nphishing emails and document files leveraged a variety of geopolitically sensitive subject matters as attractive\r\nlures, such as events in Beijing, the Dalai Lama, North Korea relations, the Zika virus, and various\r\nlegitimate-appearing announcements. As we began to analyze and tear down the various samples we collected, we found\r\nsignificant overlaps with previously reported and documented adversary groups, attack campaigns, and their\r\ntoolsets, exemplifying the concept of the Digital Quartermaster.\r\nThe concept of the Digital Quartermaster is not a particularly new one; it is the idea that there is a group, or\r\ngroups, whose mission is to supply and maintain malicious tools in support of cyber espionage operations. The\r\nexistence of a Digital Quartermaster has been discussed within the intelligence community for some time, but it is\r\nnot often that sufficient overlaps exist between what appear to be separate toolsets to confidently claim this idea is\r\nindeed in use. The data Unit 42 has collected and analyzed, however, does strongly point to the possibility that\r\nwhile there may be multiple operations groups, a Digital Quartermaster may be the one supplying and maintaining\r\nthe tools used.\r\nAttack Analysis\r\nWhile investigating new BBSRAT instances discovered using the AutoFocus tool, Unit 42 was able to collect\r\nadditional samples, weaponized documents, and phishing emails uploaded to VirusTotal between August 2015\r\nand February 2016. 
Each of the samples collected via WildFire and VirusTotal contained significant overlaps\r\nin the tactics used, the tools used, and the infrastructure for command and control channels. In addition, a large\r\nmajority of the samples gathered from VirusTotal were uploaded from a single entity in Mongolia.\r\nThe attacks themselves followed a consistent playbook throughout the observed timeframe: using weaponized\r\nMicrosoft Word documents initially containing an exploit for only CVE-2012-0158, appearing to use the highly\r\npopular ‘Tran Duy Linh’ toolkit, then adding in an additional exploit for CVE-2014-1761 in the three newest\r\nsamples we collected. The newer documents containing exploits for both vulnerabilities appeared to use a\r\npublicly available PoC authored by ‘HCL’, with little to no modifications made. All of the weaponized\r\ndocuments except two executed the Cmstar loader or a lightly modified variant of Cmstar on the victim host\r\nwhile displaying a decoy document or a legitimate-appearing document that is generated and presented to the user\r\nto make it appear that the weaponized document that had been executed was indeed legitimate. Once Cmstar was\r\nloaded onto the victim hosts, it would attempt to retrieve a final payload. Unfortunately, at the time of analysis, we\r\nwere unable to retrieve the majority of the payloads the Cmstar loaders were attempting to download, but those\r\nhttps://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/\r\nPage 1 of 26\n\nthat were available were variants of BBSRAT. 
The two samples not using Cmstar simply had BBSRAT embedded\r\ndirectly into the weaponized document.\r\nFurthermore, examining the data from August indicates that this campaign had started earlier and the adversary\r\nmay have already achieved initial footholds, due to the use of what appears to be compromised legitimate email\r\naccounts from within the Mongolian government.\r\nAttack Timeline\r\nAttack Details\r\nSHA256 5beb50d95c1e720143ca0004f5172cb8881d75f6c9f434ceaff59f34fa1fe378\r\nDate 8/12/2015\r\nFilename Ялалтын баярын ар дахь улс төр.doc (Victory in the back of the government)\r\nVulnerability Targeted CVE-2012-0158\r\nTools Used Cmstar\r\nDescription\r\nTwo spear-phishing emails originating from the likely compromised account\r\n'altangadas@energy.gov.mn' target multiple other Mongolian government officials. The\r\nsubject and file attachment are titled 'Ялалтын баярын ар дахь улс төр' (Victory in the\r\nback of the government). CVE-2012-0158 exploit used, dropping a new variant of Cmstar.\r\nThe dropped decoy document talks about a Russian festival known as 'Victory Day' and\r\nMongolia's participation in this event.\r\nSHA256 10090692ff40758a08bd66f806e0f2c831b4b9742bbf3d19c250e778de638f57\r\nDate 8/28/2015\r\nFilename Бээжин хотод цэргийн ёслолын жагсаал.doc (Military ceremonial parade in Beijing)\r\nVulnerability Targeted CVE-2012-0158\r\nTools Used Cmstar\r\nDescription\r\nSpear-phishing email originating from 'ganbat_g@bpo.gov.mn'. 
A single target is discovered\r\nin the collected sample. Subject and filename are titled 'Бээжин хотод цэргийн ёслолын\r\nжагсаал' (Military ceremonial parade in Beijing). CVE-2012-0158 exploit used, dropping a\r\nnew variant of Cmstar. The decoy document contains a flight itinerary from Ulaanbaatar,\r\nMongolia to Beijing, China.\r\nSHA256 44dbf05bc81d17542a656525772e0f0973b603704f213278036d8ffc999bb79a\r\nDate 9/15/2015\r\nFilename Путины урилга.doc (Putin's Invitation)\r\nVulnerability Targeted CVE-2012-0158\r\nTools Used Cmstar\r\nDescription\r\nWeaponized Microsoft Word document found titled 'Путины урилга.doc' (Putin's\r\nInvitation). CVE-2012-0158 exploit used, dropping a new variant of Cmstar. The following\r\ndecoy image, embedded within a Word document, is displayed to the victim upon opening\r\nthe malicious file.\r\nSHA256 91ffe6fab7b33ff47b184b59356408951176c670cad3afcde79aa8464374acd3\r\nDate 9/16/2015\r\nFilename 1.doc\r\nVulnerability Targeted CVE-2012-0158\r\nTools Used Cmstar\r\nDescription\r\nWeaponized Microsoft Word document with unknown title found. Likely delivered via\r\nspear-phishing. CVE-2012-0158 exploit used, dropping a new variant of Cmstar. 
The decoy\r\ndocument, which is 13 pages in length, talks about the interference of the United States in\r\nother countries across the globe.\r\nSHA256 6f3d4fb64de9ae61776fd19a8eba3d1d828e7e26bb89ace00c7843a57c5f6e8a\r\nDate 9/29/2015\r\nFilename Далай ламыг эмч нар амрахыг зөвлөжээ.doc\r\nVulnerability Targeted CVE-2012-0158\r\nTools Used Cmstar\r\nDescription\r\nSpear-phishing email originating from 'bilguun@masm.gov.mn'. Nearly two thousand\r\nrecipients found to be targeted, all within the Mongolian government. Email subject and\r\nfilenames titled 'Далай ламыг эмч нар амрахыг зөвлөжээ' (Dalai Lama doctors advised\r\nrest). CVE-2012-0158 exploit used, dropping a new variant of Cmstar. The decoy document\r\ndiscusses the latest health of the Dalai Lama, as well as a number of US-based trips he made\r\nin late 2015.\r\nSHA256 e88ea5eb642eaf832f8399d0337ba9eb1563862ddee68c26a74409a7384b9bb9\r\nDate 10/2/2015\r\nFilename Sudalgaa avah zagvar.doc\r\nVulnerability Targeted CVE-2012-0158\r\nTools Used Cmstar\r\nDescription\r\nSpear-phishing email originating from 'davaa_ayush@yahoo.com'.\r\n'davaa_ayush@mod.gov.mn' was a target in the August 12, 2015 attack, indicating the user\r\nmay have had their personal email account compromised as well. Single target found. Email\r\nsubject is 'Fw:_Fwd:_@_БХЯ-наас' (Defense Ministry). Filename is titled 'Sudalgaa avah\r\nzagvar.doc', a possible Romanization of Mongolian. CVE-2012-0158 exploit used, dropping\r\na new variant of Cmstar. 
The decoy table provides information about the rank, class, date of\r\nbirth, and experience of individuals in the Mongolian armed forces.\r\nSHA256 68f97bf3d03b1733944c25ff4933e4e03d973ccdd73d9528f4d68806b826735e\r\nDate 10/22/2015\r\nFilename албанушаалтнуудын сарын цалингийнхаа 30 хувийг хасах.doc\r\nVulnerability Targeted CVE-2012-0158\r\nTools Used Cmstar\r\nDescription\r\nWeaponized Microsoft Word document found titled 'Ерөнхий сайд албанушаалтнуудын\r\nсарын цалингийнхаа 30 хувийг хасах.doc' (Prime Minister albanushaaltnuudyn monthly\r\nsalary minus 30%.doc). Likely delivered via spear-phishing. CVE-2012-0158 exploit used,\r\ndropping a new variant of Cmstar. The document discusses changes made to the salaries of\r\ngovernment officials within the Mongolian government.\r\nSHA256 00ddae5bbc2ddf29954749519ecfb3978a68db6237ebea8e646a898c353053ce\r\nDate 10/22/2015\r\nFilename Улс төрийн www.politik.mn сайт нээгдлээ.doc\r\nVulnerability Targeted CVE-2012-0158\r\nTools Used Cmstar\r\nDescription\r\nWeaponized Microsoft Word document found titled 'Улс төрийн www.politik.mn сайт\r\nнээгдлээ.doc' (States opens state www.politik.mn site.doc). Likely delivered via spear-phishing. CVE-2012-0158 exploit used, dropping a new variant of Cmstar. 
The decoy\r\ndocument dropped by the malicious file discusses a new website being launched by the\r\nMongolian government.\r\nSHA256 c2ebaf4366835e16f34cc7f0b56f8eaf80a9818375c98672bc678bb4107b4d8c\r\nDate 10/28/2015\r\nFilename Unknown\r\nVulnerability Targeted CVE-2012-0158\r\nTools Used Cmstar\r\nDescription\r\nWeaponized Microsoft Word document with unknown title found. Likely delivered via\r\nspear-phishing. CVE-2012-0158 exploit used, dropping a new variant of Cmstar. The decoy\r\ndocument talks about a 2016 budget discussion in the Mongolian Parliament.\r\nSHA256 aa86f4587423c2ff677aebae604614030f9f4d38280409501662ab4e4fe20c2a\r\nDate 12/23/2015\r\nFilename СОНОРДУУЛГА.doc\r\nVulnerability Targeted CVE-2012-0158\r\nTools Used BBSRAT\r\nDescription\r\nWeaponized Microsoft Word document found titled 'СОНОРДУУЛГА.doc'\r\n(Announcement). Likely delivered via spear-phishing. CVE-2012-0158 exploit used, with\r\nBBSRAT embedded. The document translates to an announcement of a loan agreement\r\nsigned with foreign banks and financial institutions on October 16th, 2015.\r\nSHA256 fc21814a5f9ed2f6bef9e15b113d00f9291a6553c1e02cc0b4c185c6030eca45\r\nDate 1/4/2016\r\nFilename Өвлийн өвгөнийн үг.doc\r\nVulnerability Targeted CVE-2012-0158\r\nTools Used BBSRAT\r\nDescription\r\nWeaponized Microsoft Word document found titled 'Өвлийн өвгөнийн үг.doc' (Santa's\r\nword). Likely delivered via spear-phishing. CVE-2012-0158 exploit used, with BBSRAT\r\nembedded. 
The decoy document, which had spacing removed for an unknown reason,\r\nprovides a series of children's holiday season songs and poems.\r\nSHA256 7e031a04e570cddda907d0b4b7af19ce60dc481394dfb3813796ce0e6d079305\r\nDate 2/17/2016\r\nFilename Хойд Солонгост хориг арга хэмжээ авна.doc\r\nVulnerability Targeted CVE-2012-0158 and CVE-2014-1761\r\nTools Used Cmstar and BBSRAT\r\nDescription\r\nWeaponized Microsoft Word document found titled 'Хойд Солонгост хориг арга хэмжээ\r\nавна.doc' (North Korea sanctions). Exploits for both CVE-2012-0158 and CVE-2014-1761\r\nused, dropping a separate, newer variant of Cmstar which downloaded BBSRAT as its final\r\npayload. The decoy document talks about a recent speech made by the South Korean\r\nPresident regarding sanctions made against North Korea.\r\nSHA256 5c7e3cde4d286909154e9a5ee5a5d061a1f0efaa9875fb50c9073e1e8b6cfaef\r\nDate 2/19/2016\r\nFilename Зика Монголд ойртсоор.doc\r\nVulnerability Targeted CVE-2012-0158 and CVE-2014-1761\r\nTools Used Cmstar and BBSRAT\r\nDescription\r\nWeaponized Microsoft Word document found titled 'Зика Монголд ойртсоор' (Zika closer\r\nto Mongolia). Exploits for both CVE-2012-0158 and CVE-2014-1761 used, dropping a\r\nseparate, newer variant of Cmstar which downloaded BBSRAT as its final payload. 
The\r\ntranslated Mongolian text found within the decoy document discusses how the Zika virus\r\nhas been witnessed in both China and Russia, as well as other countries across the globe.\r\nSHA256 0b0e6b40a63710b4f7e6d00d7a4a86e6db2df720fef48640ab6d9d88352a4890\r\nDate 2/19/2016\r\nFilename Хятадад “Зика” вирусын хоёр дахь тохиолдол илэрчээ.doc\r\nVulnerability Targeted CVE-2012-0158 and CVE-2014-1761\r\nTools Used Cmstar and BBSRAT\r\nDescription\r\nWeaponized Microsoft Word document found titled 'Хятадад “Зика” вирусын хоёр дахь\r\nтохиолдол илэрчээ' (China \"Zika\" viruses in two cases). Exploits for both CVE-2012-0158\r\nand CVE-2014-1761 used, dropping a separate, newer variant of Cmstar which downloaded\r\nBBSRAT as its final payload. The dropped decoy document contains a press release dated\r\nFebruary 16th, 2016. The press release discusses changes made to the coal industry in\r\nInner Mongolia, the G-20 meeting in China, a five-year plan for economic and social\r\ndevelopment, and two cases of the Zika virus.\r\nThe Digital Quartermaster: Tool Overlap\r\nThe tools we observed being used in this attack campaign remained consistent throughout the six months of data\r\nwe were able to collect and analyze. Yet, prior to the findings in this report, none of the tools used in this\r\ncampaign had been observed being used in conjunction with each other. In their 2013 report, Kaspersky theorized\r\nthat NetTraveler may have had connections to the Lurid/Enfal adversaries due to some similarities in command\r\nand control infrastructure and targeting of minority groups in China, but no strong evidence has been discovered since\r\nthen. 
CMStar is a variant of Lurid discovered by us in May 2015, with targeting similar to that previously observed with\r\nNetTraveler, but again, with no strong connections. BBSRAT is a relatively new Trojan we had discovered and\r\npublicized in December 2015 and had attributed to a campaign dubbed ‘Roaming Tiger’ by ESET in 2014,\r\nwhich specifically appeared to target Russia and Russian-speaking nation states. None of these tools have been\r\npublicly observed in use together, in a single campaign, until now:\r\nThe initial dropper embedded in the weaponized document files was obfuscated using a subtraction cipher\r\npreviously used to obfuscate strings in the NetTraveler malware family.\r\nA BinDiff comparison of the newer Cmstar variant with a previously reported NetTraveler sample\r\nshows an 80% code similarity.\r\nThe first stage loader used in the attacks was Cmstar, or lightly modified variants. Cmstar is closely related\r\nto Lurid, which is associated with the Enfal trojan.\r\nThe final payload for the newest weaponized documents retrieved was BBSRAT, which was previously\r\nassociated with an attack campaign called \"Roaming Tiger\", targeting Russia and other Russian-speaking\r\nnations.\r\nThe one commonality that does appear amongst these seemingly different tools used by different operators is their\r\ngeolocational nexus: China. In 2011, TrendMicro strongly attributed Lurid/Enfal to operators based out of China,\r\nalthough they stopped just short of claiming it. In Kaspersky’s 2013 report on NetTraveler, another strong\r\nattribution was made to a China-based operator. 
ESET’s “Roaming Tiger” reporting did not attribute the attack to\r\nany specific nation-state, but examining the command and control infrastructure and WHOIS data again suggested\r\na China-based operator.\r\nThese facts lead us to the following possible conclusions: the previous attack campaigns associated with\r\ntheir specific tools were all actually conducted by one large, all-encompassing operations unit; the previous attack\r\ncampaigns were conducted by separate but related operations units with access to a common Digital Quartermaster\r\nfor tools; or some combination of the two scenarios.\r\nTechnical Analysis of Tools Used\r\nAll of the Microsoft Word documents leveraged in these attacks used the CVE-2012-0158 and CVE-2014-1761\r\nexploits. All of the exploit documents, in addition to targeting the same organizations and relying upon the same\r\nexploit techniques, ultimately dropped a version of BBSRAT. A large number of the encountered samples used\r\na new version of the Cmstar downloader to accomplish this, while some documents dropped and executed\r\nBBSRAT directly. Upon successful exploitation, the exploit documents would drop and execute a payload using\r\none of the following techniques:\r\n1. The exploit document drops and executes a file with a path of %TEMP%\\xpsfiltsvcs.tmp. This file contains\r\nan original Cmstar downloader that was discussed in a previous blog post.\r\n2. The 'MSOProtect.acl', 'offcln.log', and 'offcln.pip' files are dropped in the %APPDATA%\\Microsoft\\Office\\\r\ndirectory. The MSOProtect.acl file contains a new variant of the Cmstar malware family. The offcln.pip is a\r\nDLL that is responsible for opening a legitimate Microsoft Word decoy document. The offcln.log file\r\ncontains a command that will open this decoy document. 
The offcln.log file is used by offcln.pip in order\r\nto accomplish this.\r\n3. The %APPDATA%\\comctl32.dll file is dropped and subsequently loaded. This file contains either a new\r\ninstance of the Cmstar downloader, or a copy of the BBSRAT malware family, which was discussed by\r\nPalo Alto Networks in December 2015.\r\nNew Cmstar Downloader\r\nThe majority of the spear-phishing attachments leveraged variants of the previously discussed downloader named\r\n'Cmstar'. Much of the functionality remained consistent in the newest variants, which were compiled in July and\r\nAugust of 2015. For reference, the original Cmstar downloader malware samples were compiled in February\r\n2015.\r\nThe new samples appear to have minimal changes made, and in fact many of the debugging statements\r\nnoted in the original samples are seen in a number of the newest variants. The obfuscated routine that is\r\nresponsible for downloading the payload has increased in size from 779 bytes to 943 bytes. This increase in size is\r\ndue to additional error controls put into place. This routine is still encrypted using a single-byte XOR operation.\r\nHowever, the newest Cmstar variants use a different routine to obfuscate important strings within the binary. The\r\nfollowing code, represented in Python, accomplishes this:\r\ndef decode(data):\r\n  # Each byte is decoded by subtracting its position in the string plus a constant of 10\r\n  out = \"\"\r\n  c = 0\r\n  for d in data:\r\n    out += chr(ord(d) - c - 10)\r\n    c += 1\r\n  return out\r\nMalware analysts may recognize this routine, as it's identical to the one witnessed in previously discussed\r\nNetTraveler samples that were found to be targeting an individual working for the Foreign Ministry of Uzbekistan\r\nin China. 
As shown in the following diagram, the new Cmstar downloader’s obfuscation routine has a 100%\r\ncode match to the NetTraveler downloader previously encountered:\r\nFigure 1 Code Overlap Between Cmstar and NetTraveler Downloaders\r\nThe following URLs were identified to be used by these Cmstar samples:\r\nhttp://thbaw.ofhloe[.]com/cgl-bin/conime.cgi\r\nhttp://dolimy.celeinkec[.]com/cgl-bin/upl.cgi\r\nhttp://question.eboregi[.]com\r\nhttp://pplime.savecarrots[.]com/cgl-bin/upsd.cgi\r\nhttp://dolimy.celeinkec[.]com/bin/r0206/update.tmp\r\nThe majority of these URLs were not responsive at the time of analysis, with the exception of the last one. The\r\nreturned file is an encoded executable that contains a dropper, which in turn loads BBSRAT.\r\nBBSRAT\r\nMuch of BBSRAT's functionality has remained consistent in the newest variants. Like previous versions, the\r\nmalware will build an Import Address Table at runtime and uses the following mutex to ensure a single copy of\r\nBBSRAT is running at a given time:\r\nGlobal\\\\GlobalAcProtectMutex\r\nAdditionally, the network structure, URL pattern, and other characteristics of the malware remain consistent.\r\nBBSRAT will ensure persistence by setting the following registry key:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\comctl32 - rundll32.exe %APPDATA%\\comctl32.dll,Enter\r\nThe largest modification has been the addition of four commands to the command and control handler. These\r\ncommands are still being researched and their full functionality has yet to be determined. 
We have identified\r\nthe following BBSRAT command and control servers:\r\ncocolco[.]com\r\nofhloe[.]com\r\nhousejjk[.]com\r\nInfrastructure Analysis\r\nMapping out the first stage command and control infrastructure for the analyzed Cmstar samples revealed an\r\ninfrastructure that was most likely deployed specifically for this attack campaign:\r\nFigure 2 Cmstar Command and Control Infrastructure\r\nA single domain, question.erobegi[.]com, was found to be reused. This domain had previously been identified as a\r\nfirst stage command and control in May 2015 when we initially discovered CMStar. However, the payload was\r\nnot identified at the time. The WHOIS data revealed heavy usage of resellers by the adversary, likely as an evasion\r\ntechnique. Analyzing the historical WHOIS data, however, revealed that one of the 'clean' personas used by the\r\nadversary as a registrant, 'HELENEHELEN@EXCITE.CO.JP', was used to register one of the command and\r\ncontrol domains for CMStar, celeinkec[.]com, as well as one of the primary command and control domains for\r\nBBSRAT, housejjk[.]com, further supporting the links between CMStar and BBSRAT.\r\nThe BBSRAT command and control infrastructure remained exactly the same as previously reported in December\r\n2015:\r\nFigure 3 BBSRAT Command and Control Infrastructure\r\nUnfortunately, we were unable to retrieve all of the final payloads from every sample at the time of analysis. 
One interesting fact to note is the use of the primary domain ofhloe[.]com; BBSRAT uses pagbine.ofhloe[.]com as\r\na primary command and control, while we also observed Cmstar using thbaw.ofhloe[.]com as a first stage command and\r\ncontrol, likely to retrieve BBSRAT.\r\nConclusion\r\nUnit 42 often speaks of sharing threat intelligence, tools, and procedures amongst the security industry, often\r\npointing to the fact that the adversaries we are up against on an everyday basis are doing the exact same.\r\nStill, as a community, when we do publicize adversary groups or campaigns, there is a tendency to encapsulate\r\neach and place them in their own isolated bubbles, directly contradicting the message of sharing amongst the\r\nadversary. The reasoning behind this is not meant to be hypocritical – it is simply more straightforward for\r\nidentification and ingestion purposes to be able to silo each group or campaign rather than come to the conclusion\r\nthat every group or campaign is somehow related due to the sharing nature of the adversaries. We must\r\nacknowledge the fact, however, that in general many attacks are related, even if they do appear significantly\r\ndifferent or do not share the same TTPs as observed previously.\r\nThe collection of data we have analyzed strongly points to the fact that a Digital Quartermaster may exist amongst\r\nthe adversary. 
The strong overlaps within the tactics used in the toolsets as well as links in infrastructure indicate it\r\nis likely that a singular entity is responsible for deployment and maintenance of the tools used, in conjunction with\r\na separate operator group responsible for the actual execution of the cyber espionage operations.\r\nPalo Alto Networks customers are protected through our next-generation security platform:\r\nWildFire successfully detects BBSRAT, Cmstar, and the weaponized documents as malicious\r\nAutoFocus identifies the tools used under the Cmstar and BBSRAT tags\r\nTraps actively detects and prevents exploitation of both CVE-2012-0158 and CVE-2014-1761\r\nThe C2 domains and files mentioned in this report are blocked through Threat Prevention\r\nIndicators of Compromise\r\nExploit Document SHA256 Hashes (listed per sample in the Attack Details section above)\r\nBBSRAT SHA256 
Hashes\r\n567a5b54d6c153cdd2ddd2b084f1f66fc87587dd691cd2ba8e30d689328a673f\r\ncd3b8e4f3a6379dc36fedf96041e292b4195d03f27221167bce7302678fb2540\r\nBBSRAT C2 Servers\r\njowwln.cocolco[.]com\r\npagbine.ofhloe[.]com\r\ncdaklle.housejjk[.]com\r\nCmstar SHA256 Hashes\r\nCmstar C2 Servers\r\nhttp://thbaw.ofhloe[.]com/cgl-bin/conime.cgi\r\nhttp://dolimy.celeinkec[.]com/cgl-bin/upl.cgi\r\nhttp://question.eboregi[.]com\r\nhttp://pplime.savecarrots[.]com/cgl-bin/upsd.cgi\r\nhttp://dolimy.celeinkec[.]com/bin/r0206/update.tmp\r\nSource: https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/"
	],
	"report_names": [
		"digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government"
	],
	"threat_actors": [
		{
			"id": "808d8d52-ca06-4a5f-a2c1-e7b1ce986680",
			"created_at": "2022-10-25T16:07:23.899157Z",
			"updated_at": "2026-04-10T02:00:04.782542Z",
			"deleted_at": null,
			"main_name": "NetTraveler",
			"aliases": [
				"APT 21",
				"Hammer Panda",
				"NetTraveler",
				"TEMP.Zhenbao"
			],
			"source_name": "ETDA:NetTraveler",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"NetTraveler",
				"Netfile",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TravNet",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "866c0c21-8de3-4ad5-9887-cecd44feb788",
			"created_at": "2022-10-25T16:07:24.130298Z",
			"updated_at": "2026-04-10T02:00:04.875929Z",
			"deleted_at": null,
			"main_name": "Roaming Tiger",
			"aliases": [
				"Bronze Woodland",
				"CTG-7273",
				"Rotten Tomato"
			],
			"source_name": "ETDA:Roaming Tiger",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"BBSRAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "254f2fab-5834-4d90-9205-d80e63d6d867",
			"created_at": "2023-01-06T13:46:38.31544Z",
			"updated_at": "2026-04-10T02:00:02.924166Z",
			"deleted_at": null,
			"main_name": "APT21",
			"aliases": [
				"HAMMER PANDA",
				"TEMP.Zhenbao",
				"NetTraveler"
			],
			"source_name": "MISPGALAXY:APT21",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5afe7b81-e99a-4c24-8fcc-250fb0cf40a3",
			"created_at": "2023-01-06T13:46:38.324616Z",
			"updated_at": "2026-04-10T02:00:02.928697Z",
			"deleted_at": null,
			"main_name": "Roaming Tiger",
			"aliases": [
				"BRONZE WOODLAND",
				"Rotten Tomato"
			],
			"source_name": "MISPGALAXY:Roaming Tiger",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee9a20b1-c6d6-42da-909d-66e7699723d1",
			"created_at": "2025-08-07T02:03:24.704306Z",
			"updated_at": "2026-04-10T02:00:03.722506Z",
			"deleted_at": null,
			"main_name": "BRONZE WOODLAND",
			"aliases": [
				"CTG-7273 ",
				"Roaming Tiger ",
				"Rotten Tomato "
			],
			"source_name": "Secureworks:BRONZE WOODLAND",
			"tools": [
				"Appat",
				"BbsRAT",
				"PlugX",
				"Zbot"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434886,
	"ts_updated_at": 1775792161,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a711650195e0752091a02b20835c2d8c8465e3f6.pdf",
		"text": "https://archive.orkl.eu/a711650195e0752091a02b20835c2d8c8465e3f6.txt",
		"img": "https://archive.orkl.eu/a711650195e0752091a02b20835c2d8c8465e3f6.jpg"
	}
}