{
	"id": "5397056f-c570-49b3-8f9e-801a5e695edb",
	"created_at": "2026-04-06T00:15:20.306435Z",
	"updated_at": "2026-04-10T13:12:31.143444Z",
	"deleted_at": null,
	"sha1_hash": "b01d9fa5107aa3da8105991dd0b7f9c7a4e85d3d",
	"title": "Check Point response to MysterySnail vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37080,
	"plain_text": "Check Point response to MysterySnail vulnerability\r\nArchived: 2026-04-05 14:42:30 UTC\r\nProductAnti-Bot, Anti-Virus, Harmony Endpoint, IPS, Threat Emulation\r\nVersionAll\r\nLast Modified2021-10-20\r\nSolution\r\nOn October 13, 2021, details of an exploitation of a vulnerability in Microsoft Windows named \"MysterySnail\"\r\nbecame publicly known. Microsoft patched the vulnerability in its October 2021 Patch Tuesday.\r\nThe CVE assigned to the vulnerability is CVE-2021-40449.  \r\n\"MysterySnail\" is a remote shell access Trojan installed on compromised Windows servers. \"MysterySnail\" has\r\nprivilege escalation, advanced persistence, and data-stealing capabilities. It was recently found at the end of an\r\nexploit chain attack campaign by Chinese APT “IronHusky”.\r\nCheck Point provides security coverage from the vulnerability with these Threat Prevention protections:\r\nIPS\r\nMicrosoft Win32k Elevation of Privilege (CVE-2021-40449)\r\nAnti-Bot\r\nMysterySnail.TC.[X]\r\nAnti-Virus\r\nRAT.Win32.MysterySnail.TC.[X]\r\nThreat Emulation\r\nKAV-Trojan.Win64.Agentb.[X]\r\nRAT.Wins.MysterySnail.A \r\nHarmony Endpoint\r\nRAT.Win.MysterySnail.B\r\nRAT.Win.MysterySnail.C\r\nArticle Properties\r\nhttps://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=\u0026solutionid=sk175885\r\nPage 1 of 2\n\nAccess LevelGeneral\r\nStatusApproved\r\nDate Created2021-10-14\r\nLast Modified2021-10-20\r\nSource: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=\u0026solutionid=sk175885\r\nhttps://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=\u0026solutionid=sk175885\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=\u0026solutionid=sk175885"
	],
	"report_names": [
		"portal?eventSubmit_doGoviewsolutiondetails=\u0026solutionid=sk175885"
	],
	"threat_actors": [
		{
			"id": "d06cd44b-3efe-47dc-bb7c-a7b091c02938",
			"created_at": "2023-11-08T02:00:07.135638Z",
			"updated_at": "2026-04-10T02:00:03.42332Z",
			"deleted_at": null,
			"main_name": "IronHusky",
			"aliases": [],
			"source_name": "MISPGALAXY:IronHusky",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2caf4672-1812-4bb9-9576-6011e56102d2",
			"created_at": "2022-10-25T16:07:23.742765Z",
			"updated_at": "2026-04-10T02:00:04.733853Z",
			"deleted_at": null,
			"main_name": "IronHusky",
			"aliases": [
				"BBCY-TA1",
				"Operation MysterySnail"
			],
			"source_name": "ETDA:IronHusky",
			"tools": [
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"MysterySnail",
				"MysterySnail RAT",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434520,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b01d9fa5107aa3da8105991dd0b7f9c7a4e85d3d.pdf",
		"text": "https://archive.orkl.eu/b01d9fa5107aa3da8105991dd0b7f9c7a4e85d3d.txt",
		"img": "https://archive.orkl.eu/b01d9fa5107aa3da8105991dd0b7f9c7a4e85d3d.jpg"
	}
}