{
	"id": "4c6ccb54-6ee5-436e-8e33-9b6e47417c6c",
	"created_at": "2026-04-06T00:15:29.105251Z",
	"updated_at": "2026-04-10T13:11:48.792906Z",
	"deleted_at": null,
	"sha1_hash": "a71c570af6db8647e80124dd48287030e9adb0ea",
	"title": "AgentVX and Taurus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 406906,
	"plain_text": "AgentVX and Taurus\r\nBy Zachary Reichert\r\nPublished: 2023-02-03 · Archived: 2026-04-05 16:43:47 UTC\r\nFebruary 03, 2023 5 Minute Read\r\nIn 2021, Stroz Friedberg Incident Response Services team (Stroz Friedberg) encountered a new payload associated\r\nwith the Taurus loader. Stroz Friedberg provides additional threat intelligence on the AgentVX payload and has\r\nreleased a script to assist with the automated decoding of the Taurus loader.\r\nIn an investigation occurring in 2021, Stroz Friedberg Incident Response Services team (Stroz Friedberg)\r\nencountered a new payload associated with the Taurus loader. Typically, the information security community sees\r\nthis loader associated with the Taurus Stealer malware. The Taurus Stealer has the ability to collect information\r\nfrom various web browsers, including passwords, cookies, autofill forms and history. However, in this instance,\r\nStroz Friedberg identified a new payload named \"AgentVX\". This payload contains several functions outlined\r\nbelow. On September 19th, 2022, NSFOCUS Security Labs released an article attributing AgentVX to the group\r\n\"Evilnum.\" Since 2021, Stroz Friedberg has not seen publicly available information relating this loader and\r\npayload. We are releasing this blog post to provide additional threat intelligence on the AgentVX payload and\r\nrelease a script to assist with the automated decoding of the Taurus loader.\r\nTaurus Loader\r\nIn this investigation, the Taurus loader matched publicly available analysis and Minerva Labs posted analysis on it\r\nearlier in 2021. The execution chain begins with a self-extracting archive. 
This archive drops the following files to\r\n%AppData%\\BueedgFYHdzEt\\:\r\nFile - Description\r\nAndate.xlm - Corrupt PE, used to build \"Sapro.exe.com\"\r\nCalpestare.pptm - Unused\r\nPoi.xltx - Obfuscated AutoIT loader, renamed to \"x\" and executed\r\nSapro.exe.com - AutoIT executable used for injection of the payload\r\nSeguente.mpg - Obfuscated batch file used to control the execution flow\r\nSta.xll - Encrypted \"AgentVX\" payload that is injected into \"Sapro.exe.com\"\r\nUpon execution, the malware executes \"Seguente.mpg,\" which conducts multiple kill-switch checks that are\r\nconsistent with the Taurus loader, including:\r\n- Attempts to connect to the non-existent domain QYLBUtMSCcIS.QYLBUtMSCcIS\r\n- Checks for the existence of a file called C:\\aaa_TouchMeNot_.txt\r\n- Checks to see if the system name is DESKTOP-QO5QU33. The information security community has\r\nwritten about the name of this system multiple times.\r\nhttps://www.aon.com/cyber-solutions/aon_cyber_labs/agentvx-and-taurus/\r\nPage 1 of 6\n\nWhen the checks pass, the malware continues execution by running the obfuscated AutoIT script, \"Poi.xlxt.\" The\r\nAutoIT script conducts additional checks like the above, including checking for the same system name of\r\nDESKTOP-QO5QU33. If these checks pass, the malware injects a decrypted version of \"Sta.xll\" (AgentVX) into\r\nthe newly created \"Sapro.exe.com\" process.\r\nThe Taurus AutoIT loader, \"Poi.xlxt,\" obfuscates its strings by storing each character as an integer: decoding subtracts a fixed\r\noffset from each integer and converts the result to its ASCII character. Below is an example of an encoded string that uses\r\nan offset value of 2:\r\nEncoded String - Decoded String\r\n\"74\u003e89\u003e112\u003e102\u003e42\u003e51\u003e56\u003e56\u003e43\",2 - HWnd(166)\r\nPerforming the decoding manually for a sample is a very lengthy and cumbersome process. Stroz Friedberg has\r\nreleased code to assist with automatic extraction and decoding of the Taurus AutoIT loader strings. 
Decoding of\r\nthe strings allows for quicker analysis of the Taurus loader, allowing an analyst to see de-obfuscated function calls\r\nto kernel32 and commands to be run by the script. The Python function below de-obfuscates a single encoded AutoIT\r\nstring:\r\ndef decodeTaurus(string, integer, delim):\r\n    # Split the encoded string on the delimiter (\"\u003e\" in the sample above),\r\n    # subtract the offset from each integer and map the result to its ASCII character.\r\n    res = ''\r\n    tab = string.split(delim)\r\n    for character in tab:\r\n        res = res + chr(int(character) - int(integer))\r\n    return res\r\nThe execution chain of the self-extracting archive to AgentVX is described in the figure below, followed by a\r\nshort description of each step in the chain:\r\nFigure 1: Execution chain of self-extracting archive to final AgentVX payload.\r\nA Execution of self-extracting archive\r\nB Start of execution of extracting routine\r\nC Execution of obfuscated batch script\r\nD Identification of start of encrypted payload\r\nE Execution of Taurus AutoIT loader, which is renamed from \"Poi.xlxt\" to \"x\"\r\nF Execution of AgentVX via injection into \"Sapro.exe.com\"\r\nAgentVX\r\nOnce the loading steps complete, the malware attempts to establish a connection to the Command and Control\r\n(C2) server with the following details:\r\nType - IOC\r\nDomain - cdn.nvbcloud[.]com\r\nURI - /timeout/voip.aspx\r\nUser-Agent - Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/57.0.2987.133 Safari/537.36\r\nAgentVX begins by dynamically resolving functions. The malware will gather fingerprint information to send to\r\nthe C2 server, including:\r\n- Java Runtime Environment (JRE) version\r\n- .NET version\r\n- Directory listing for the \"Program Files\" and \"Program Files (x86)\" directories\r\n- Drive letters\r\n- OS version\r\nOnce the malware establishes C2 connectivity, it beacons out to the C2 every 6 seconds using the same details\r\nabove. It waits to receive a \"task list\" from the server. 
The task list contains one or multiple tasks to complete and\r\noptions for those tasks. The tasks within the task list can be any of the following:\r\nDownload and Execute\r\nThis receives a payload from a server provided in the task options. The options allow the operator to save the\r\npayload to disk and execute it, or to inject it into another process's memory using calls to NtMapViewOfSection,\r\nVirtualProtectEx, WriteProcessMemory, and ResumeThread. If the operator chooses process injection, they can\r\nspecify whether they wish the payload to be injected into one of the following:\r\n%SystemRoot%\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe\r\n%SystemRoot%\\Syswow64\\nslookup.exe\r\nIf this task fails, the malware prints a debug string of \"Download and execute failed.\"\r\nExecute\r\nThis receives a base64 encoded payload from the task options. If the payload is an executable, it writes the\r\nexecutable to disk, names it with a random number from 6 to 12 and appends \".exe\" to the end. If the payload is a\r\nDLL, it allows the operator to choose one of the following to inject the payload into:\r\n%SystemRoot%\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe\r\n%SystemRoot%\\Syswow64\\nslookup.exe\r\n%SystemRoot%\\System32\\nslookup.exe\r\nExecute and Set Up Persistence\r\nThis allows the operator to provide three base64 encoded payloads, at least one of which must be an executable.\r\nThe malware downloads and writes the executable to disk. The executable is named with a random number\r\nbetween 6 and 12 and is given the \".exe\" extension (e.g. \"6.exe\"). 
It will set this executable up with persistence by\r\nadding the following registry key:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n=\r\nThe other two payloads use hardcoded file names:\r\nDbghelp.dll\r\nPic.png\r\nCleanup Persistence\r\nThis option removes the registry run key persistence set by the \"Execute and setup persistence\" option.\r\nSetup New Module\r\nThis function receives a base64 encoded DLL which the malware parses for the following exports:\r\nAgentVXModuleInitializer\r\nOnLoad\r\nOnUnLoad\r\nIsPersistent\r\nGetModuleName\r\nGetMinimumVersion\r\nReadCommunication\r\nThe malware checks its version and if the version is less than \"1.6d.1,\" it prints the debug string: \"Bot version is\r\ntoo low to install.\"\r\nGet Running Modules\r\nThis gets the list of running modules specific to the malware.\r\nExecute Function\r\nThis allows the operator to specify another function of the malware to execute. In total, there are 156 functions\r\nthat the malware can execute. Below are examples of the capabilities that four of these functions provide:\r\nManipulation of clipboard data\r\nCollection of browser data from Firefox or Chrome. Only one of the browsers is targeted at a time. Stroz\r\nFriedberg suspects this is a bug in the malware. During this process, the malware creates the folder:\r\n%AppData%\\XProfiles\r\nFile and directory upload and download\r\nCollection of screenshots\r\nThreat Intelligence\r\nStroz Friedberg captured an image of the threat actor's malware administration panel for AgentVX. The panel\r\nshows the title of \"AgentVX from Cerberus\" in the top left corner. 
Additionally, Stroz Friedberg observed the\r\nfollowing similarities during our analysis of the malware:\r\nThe BotID length and alphanumeric pattern matches what we observed in the threat actor's control panel.\r\nThe malware shows the error message \"Download and Execute failed\" while the threat actor's control panel\r\ndisplays a task named \"Download and Execute.\"\r\nThe malware can execute various procedures which it refers to as \"tasks.\" The threat actor's control panel\r\nshows that \"tasks\" for bots can be updated.\r\nIn the malware, one particular task can have options such as EXE, MEMORY and NATIVE associated with\r\nit while the threat actor's control panel shows that a task has options of EXE, MEMORY and DISK.\r\nIndicators of Compromise\r\nStroz Friedberg recommends alerting and blacklisting (where possible) the following indicators to help prevent\r\nand detect the AgentVX malware:\r\nThe content provided herein is for general informational purposes only and should not be construed as legal,\r\nregulatory, compliance, or cybersecurity advice. Organizations should consult their own legal, compliance, or\r\ncybersecurity professionals regarding specific obligations and risk management strategies. While LevelBlue’s\r\nManaged Threat Detection and Response solutions are designed to support threat detection and response at the\r\nendpoint level, they are not a substitute for comprehensive network monitoring, vulnerability management, or a\r\nfull cybersecurity program.\r\nSource: https://www.aon.com/cyber-solutions/aon_cyber_labs/agentvx-and-taurus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.aon.com/cyber-solutions/aon_cyber_labs/agentvx-and-taurus/"
	],
	"report_names": [
		"agentvx-and-taurus"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434529,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a71c570af6db8647e80124dd48287030e9adb0ea.pdf",
		"text": "https://archive.orkl.eu/a71c570af6db8647e80124dd48287030e9adb0ea.txt",
		"img": "https://archive.orkl.eu/a71c570af6db8647e80124dd48287030e9adb0ea.jpg"
	}
}