{
	"id": "82fec0c9-bb83-437b-8bc6-864996b3c3a0",
	"created_at": "2026-04-06T00:17:34.300801Z",
	"updated_at": "2026-04-10T13:11:34.325954Z",
	"deleted_at": null,
	"sha1_hash": "b1c475fc1375b007a6bc93982d2c1e5f7d8cab5b",
	"title": "An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2103416,
	"plain_text": "An Offer You Can Refuse: UNC2970 Backdoor Deployment Using\r\nTrojanized PDF Reader\r\nBy Mandiant\r\nPublished: 2024-09-17 · Archived: 2026-04-05 22:52:05 UTC\r\nWritten by: Marco Galli, Diana Ion, Yash Gupta, Adrian Hernandez, Ana Martinez Gomez, Jon Daniels,\r\nChristopher Gardner\r\nIntroduction\r\nIn June 2024, Mandiant Managed Defense identified a cyber espionage group suspected to have a North Korea\r\nnexus, tracked by Mandiant under UNC2970. Later that month, Mandiant discovered additional phishing lures\r\nmasquerading as an energy company and as an entity in the aerospace industry to target victims in these verticals.\r\nUNC2970 targets victims under the guise of job openings, masquerading as a recruiter for prominent companies.\r\nMandiant has observed UNC2970 copy and tailor job descriptions to fit their respective targets.\r\nUNC2970 engaged with the victim over email and WhatsApp and ultimately shared a malicious archive that is\r\npurported to contain the job description in PDF file format. The PDF file has been encrypted and can only be\r\nopened with the included trojanized version of SumatraPDF to ultimately deliver MISTPEN backdoor via\r\nBURNBOOK launcher. \r\nMandiant observed UNC2970 modify the open source code of an older SumatraPDF version as part of this\r\ncampaign. This is not a compromise of SumatraPDF, nor is there any inherent vulnerability in SumatraPDF. Upon\r\ndiscovery, Mandiant alerted SumatraPDF of this campaign for general awareness.\r\nOverview\r\nUNC2970 relies on legitimate job description content to target victims employed in U.S. critical infrastructure\r\nverticals. The job description is delivered to the victim in a password-protected ZIP archive containing an\r\nencrypted PDF file and a modified version of an open-source PDF viewer application.  
\r\nMandiant noted slight modifications between the delivered job descriptions and their originals, including the\r\nrequired qualifications, experience and skills, likely to better align with the victim's profile. Moreover, the chosen\r\njob descriptions target senior-/manager-level employees. This suggests the threat actor aims to gain access to\r\nsensitive and confidential information that is typically restricted to higher-level employees.\r\nTo illustrate this, Mandiant analyzed the differences between the original job description and UNC2970's job\r\ndescription included in the ZIP archive.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc2970-backdoor-trojanized-pdf-reader\r\nPage 1 of 15\n\nFigure 1: Page 1 of PDF lure\r\nFor example, under the \"Required Education, Experience, \u0026 Skills\" section, the original post mentions \"United\r\nStates Air Force or highly comparable experience,\" while the malicious PDF omits this line. Another omitted line\r\nis under the \"Preferred Education, Experience, \u0026 Skills\" section, where the original job description includes\r\n\"Preferred location McLean, Virginia.\"\r\nFigure 2: Original vs. modified\r\nAdditionally, Mandiant discovered a similar ZIP archive that was uploaded to VirusTotal, having an identical\r\nstructure, but containing a different job description. The PDF content is consistent with a legitimate job\r\ndescription from the nuclear energy sector.\r\nThe Infection Chain Explained\r\nMandiant Managed Defense discovered that the victim downloaded and opened a password-protected ZIP archive\r\nreceived through WhatsApp chat, expecting to see a document containing a job description. 
Upon analysis, the\r\nZIP archive contains several files, briefly described in Table 1 (file (MD5): description):\r\nBAE_Vice President of Business Development.pdf (MD5: 28a75771ebdb96d9b49c9369918ca581): An encrypted file containing both the PDF lure displayed to the user and the MISTPEN backdoor.\r\nlibmupdf.dll (MD5: 57e8a7ef21e7586d008d4116d70062a6): A trojanized dynamic-link library (DLL) file required by SumatraPDF.exe, tracked as BURNBOOK. This file is a dropper for an embedded DLL, \"wtsapi32.dll\", which is tracked as TEARPAGE and used to execute the MISTPEN backdoor after the system is rebooted.\r\nPdfFilter.dll (MD5: cefc7b6e95f5a985b7319021441ae4e7): A legitimate DLL file required by SumatraPDF.exe.\r\nPdfPreview.dll (MD5: 2505610c490d24a98da730100175f262): A legitimate DLL file required by SumatraPDF.exe.\r\nSumatraPDF.exe (MD5: 91841e006225ac500de7630740a21d91): A legitimate open-source PDF viewer application component, version 3.3.3.\r\nTable 1: Files in ZIP archive received through WhatsApp chat\r\nBased on the surrounding context, the user was likely instructed to open the PDF file with the enclosed trojanized\r\nPDF viewer program based on the open-source project SumatraPDF. As previously stated, this technique did not\r\nemploy a vulnerability in the original SumatraPDF source code.\r\nSumatraPDF is an open-source document viewing application that is capable of viewing multiple document file\r\nformats such as PDF, XPS, and CHM, along with many more. Its source code is publicly available.\r\nWhen accessed this way, the DLL files are loaded by the SumatraPDF.exe executable, including the trojanized\r\nlibmupdf.dll file representing the first stage of the infection chain. 
This file is responsible for decrypting the\r\ncontents of BAE_Vice President of Business Development.pdf, thus allowing the job description document to\r\nbe displayed as well as loading into memory the payload named MISTPEN. Mandiant found that later versions\r\n(after 3.4.3) of SumatraPDF implement countermeasures to prevent modified versions of this DLL from being\r\nloaded.\r\nMISTPEN is a trojanized version of a legitimate Notepad++ plugin, binhex.dll, which contains a backdoor.\r\nlibmupdf.dll also writes the encrypted backdoor to disk into a new file named Thumbs.ini and creates a\r\nscheduled task named Sumatra Launcher to execute the backdoor daily using the legitimate Windows binary\r\nBdeUISrv.exe, which loads the wtsapi32.dll file through DLL search-order hijacking.\r\nFigure 3: Infection lifecycle diagram\r\nAnalysis of BURNBOOK (libmupdf.dll)\r\nBURNBOOK is a launcher written in C/C++ that is capable of executing an encrypted payload stored in a file and\r\nwriting it to disk.\r\nThis file is a modified version of a legitimate DLL file used by the SumatraPDF.exe binary. 
The DLL contains\r\nmalicious code that is triggered when the user opens the PDF lure (BAE_Vice President of Business\r\nDevelopment.pdf) using the provided SumatraPDF.exe file.\r\nBAE_Vice President of Business Development.pdf has the following structure and contents (file offset: description):\r\n0x0 - 0x7: Offset used to determine the end of the encrypted PDF file\r\n0x8 - 0x27: ChaCha20 key\r\n0x28 - 0x33: ChaCha20 nonce\r\n0x34 - [PDF Offset]: Encrypted PDF file (in this sample the PDF offset is 0x4DF1D)\r\n0x4DF1D - 0x4DF24: Size of the encrypted DLL\r\n0x4DF25 - EOF: Encrypted DLL\r\nTable 2: PDF lure structure and contents\r\nPhase 1: Initial Setup and Decryption\r\nThe sample commences by reading the first 8 bytes of the PDF file, storing this value as a marker to determine the\r\nend of the embedded encrypted PDF file. The next 32 bytes (key) and 12 bytes (nonce) are read from the file and\r\nused to initialize a ChaCha20 cipher. The cipher's initial state is stored in memory.\r\nFigure 4: The ChaCha20 cipher is initialized\r\nThe remaining bytes (starting from offset 0x34 and looping until the PDF offset is reached) are decrypted in\r\nchunks of 0x1000 (4096) bytes using the ChaCha20 cipher. The decrypted data, representing a PDF file, is written\r\nto the system's temporary folder and will be displayed by the PDF viewer if the sample passes a network\r\nconnectivity check to google[.]com.\r\nFigure 5: The embedded PDF file is decrypted using the cipher\r\nPhase 2: Backdoor Extraction and Execution\r\nUpon reaching the offset retrieved in the first phase, the function reads 8 bytes signifying the size of the encrypted\r\nbackdoor DLL, which is subsequently read from the file. 
The same ChaCha20 cipher (without resetting) is used to\r\ndecrypt the backdoor DLL, which is then reflectively loaded into the memory space of SumatraPDF.exe and\r\nexecuted.\r\nFigure 6: The backdoor DLL (MISTPEN) is decrypted\r\nPhase 3: Persistence and Re-Encryption\r\nThe sample extracts wtsapi32.dll from its resource section and copies BdeUISrv.exe from the System32\r\ndirectory, placing both files in the %APPDATA%\\Microsoft\\BDE UI Launcher directory for persistence. Following\r\nthis, the ChaCha20 cipher is reset, with the original key and nonce being reused to re-encrypt the in-memory DLL\r\ncontaining the backdoor code. The re-encrypted data, along with the key and nonce, are written to\r\n%APPDATA%\\Thumbs.ini. These steps ensure that Thumbs.ini and the PDF file both contain the same encrypted\r\nDLL under the same key and nonce but with different ciphertexts (the copy in the lure was encrypted at the keystream position reached after the PDF, while the Thumbs.ini copy starts from the reset state).\r\nFinally, the sample creates a scheduled task named Sumatra Launcher, which executes\r\n%APPDATA%\\Microsoft\\BDE UI Launcher\\BdeUISrv.exe daily when the user logs in. 
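The container handling described in Phases 1 to 3 above, together with the TEARPAGE read-back of Thumbs.ini covered later in the post, as an added Python example that is neither Mandiant's code nor the malware's: it implements streaming ChaCha20 (RFC 7539 layout, 32-byte key, 12-byte nonce), walks the Table 2 layout, keeps the keystream running from the PDF into the DLL, then writes and reads back a Table 3 style Thumbs.ini (key, nonce, ciphertext) from a reset cipher. Assumptions the report does not state: both 8-byte fields are little-endian, the first one is an absolute file offset, and the block counter starts at 0. The sample PDF and DLL bytes are constructed stand-ins, not the real artifacts.

```python
import struct

MASK32 = 0xffffffff
HEADER_LEN = 0x34   # 8-byte end-of-PDF offset + 32-byte key + 12-byte nonce (Table 2)
CHUNK = 0x1000      # BURNBOOK decrypts the embedded PDF in 4096-byte chunks

def rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))

def quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 7)

class ChaCha20:
    # Streaming ChaCha20, RFC 7539 layout (32-byte key, 12-byte nonce, 32-bit block counter).
    # The object keeps its keystream position, so one instance can decrypt the PDF and then
    # carry straight on into the DLL, which is the without-resetting behaviour of Phase 2.
    # Assumption: the counter starts at 0; the report does not say what the malware uses.
    def __init__(self, key, nonce, counter=0):
        if len(key) != 32 or len(nonce) != 12:
            raise ValueError('ChaCha20 needs a 32-byte key and a 12-byte nonce')
        # The 16-byte constant is the expand 32-byte k marker the YARA $chacha_marker patterns match.
        raw = b'expand 32-byte k' + key + struct.pack('<I', counter) + nonce
        self.state = list(struct.unpack('<16I', raw))
        self.pending = b''                       # keystream bytes generated but not yet used

    def block(self):
        x = self.state[:]
        for _ in range(10):                      # 20 rounds = 10 column/diagonal double rounds
            quarter_round(x, 0, 4, 8, 12); quarter_round(x, 1, 5, 9, 13)
            quarter_round(x, 2, 6, 10, 14); quarter_round(x, 3, 7, 11, 15)
            quarter_round(x, 0, 5, 10, 15); quarter_round(x, 1, 6, 11, 12)
            quarter_round(x, 2, 7, 8, 13); quarter_round(x, 3, 4, 9, 14)
        out = struct.pack('<16I', *[(x[i] + self.state[i]) & MASK32 for i in range(16)])
        self.state[12] = (self.state[12] + 1) & MASK32   # advance the block counter
        return out

    def crypt(self, data):
        while len(self.pending) < len(data):
            self.pending += self.block()
        ks, self.pending = self.pending[:len(data)], self.pending[len(data):]
        return bytes(a ^ b for a, b in zip(data, ks))

def parse_lure(blob):
    # BURNBOOK Phases 1 and 2 over a Table 2 style container; returns (pdf, dll).
    # Assumption: both 8-byte fields are little-endian and the first is an absolute file offset.
    pdf_end = struct.unpack_from('<Q', blob, 0)[0]
    if pdf_end < HEADER_LEN or pdf_end + 8 > len(blob):
        raise ValueError('end-of-PDF offset points outside the file')
    cipher = ChaCha20(blob[8:0x28], blob[0x28:HEADER_LEN])
    pdf = b''
    for off in range(HEADER_LEN, pdf_end, CHUNK):            # Phase 1: 0x1000-byte chunks
        pdf += cipher.crypt(blob[off:min(off + CHUNK, pdf_end)])
    dll_len = struct.unpack_from('<Q', blob, pdf_end)[0]     # Phase 2: 8-byte size, then the DLL
    if pdf_end + 8 + dll_len > len(blob):
        raise ValueError('DLL size runs past the end of the file')
    dll = cipher.crypt(blob[pdf_end + 8:pdf_end + 8 + dll_len])   # same cipher: keystream continues
    return pdf, dll

def build_lure(pdf, dll, key, nonce):
    # Inverse of parse_lure; used here only to construct a sample container.
    cipher = ChaCha20(key, nonce)
    enc_pdf, enc_dll = cipher.crypt(pdf), cipher.crypt(dll)
    return (struct.pack('<Q', HEADER_LEN + len(enc_pdf)) + key + nonce + enc_pdf
            + struct.pack('<Q', len(enc_dll)) + enc_dll)

def write_thumbs_ini(dll, key, nonce):
    # Phase 3: cipher reset with the original key and nonce, so the DLL is re-encrypted from
    # keystream position 0 and the bytes differ from the copy inside the lure.
    return key + nonce + ChaCha20(key, nonce).crypt(dll)

def read_thumbs_ini(blob):
    # TEARPAGE side (Table 3): key at 0x0, nonce at 0x20, encrypted DLL from 0x2C to EOF.
    if len(blob) < 0x2C:
        raise ValueError('Thumbs.ini too short')
    return ChaCha20(blob[:0x20], blob[0x20:0x2C]).crypt(blob[0x2C:])

def known_answer_ok():
    # RFC 7539 keystream for all-zero key, nonce and counter; catches a broken round.
    return ChaCha20(bytes(32), bytes(12)).crypt(bytes(16)).hex() == '76b8e0ada0f13d90405d6ae55386bd28'

def demo():
    # Constructed stand-ins, not the real artifacts: a fake PDF longer than one chunk, a fake DLL.
    pdf = b'%PDF-1.7 constructed sample page ' * 200     # 6600 bytes, so Phase 1 runs two chunks
    dll = b'MZ constructed sample payload ' * 100
    key, nonce = bytes(range(32)), bytes(range(12))
    lure = build_lure(pdf, dll, key, nonce)
    got_pdf, got_dll = parse_lure(lure)
    thumbs = write_thumbs_ini(got_dll, key, nonce)
    enc_dll_in_lure = lure[HEADER_LEN + len(pdf) + 8:]
    return {
        'pdf_ok': got_pdf == pdf,
        'dll_ok': got_dll == dll,
        'thumbs_ok': read_thumbs_ini(thumbs) == dll,
        # a fresh cipher cannot decrypt the lure copy: its keystream was already advanced by the PDF
        'fresh_cipher_decrypts_dll': ChaCha20(key, nonce).crypt(enc_dll_in_lure) == dll,
        # same plaintext DLL, two different ciphertexts (lure versus Thumbs.ini)
        'ciphertexts_differ': enc_dll_in_lure != thumbs[0x2C:],
    }

if __name__ == '__main__':
    print(known_answer_ok(), demo())
```

Run it directly to see the known-answer check and the demo results. Before pointing parse_lure at real container bytes, confirm the endianness of the two 8-byte fields and the initial counter against the sample in a disassembler: a stream cipher with the wrong counter start silently yields garbage rather than an error, and the only tell is a decrypted PDF that does not begin with %PDF.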
The scheduled task and the wtsapi32.dll sideload are further discussed\r\nunder the analysis of TEARPAGE.\r\nAnalysis of MISTPEN\r\nMISTPEN is a lightweight backdoor written in C whose main functionality is to download and execute Portable\r\nExecutable (PE) files.\r\nThe backdoor is a modification of the open-source Notepad++ binhex plugin v2.0.0.1 where the creation of a\r\nthread that executes the malicious code has been added to the DllMain function.\r\nMISTPEN decrypts a token using AES with the key EF 0D 4E A6 D8 B8 E8 73 DF 17 5C 0B 51 F6 3B 33,\r\nwhich is then used to access a Microsoft API endpoint in the following request:\r\nRequest type: POST\r\nRequest URI: https://login.microsoftonline.com/common/oauth2/v2.0/token\r\nBody: grant_type=refresh_token\u0026refresh_token=0.AScAuGeUx8-5OkufugCaUtVEuwXupyYCVnZNp7rq6Le2eUEnAME.AgABAwEAAADnfolhJpSnRYB1SVj-Hgd8AgDs_wUA9P_z3EI-It1YbdHPtZaMoegHpfKNHgO9rjjC9plVmHfYhva9utOdkzbpo-p4m5uoLzuQu9kJmCqXpdDteicUF5Fd7XfcVBpe5Vu1TOhxQoP-k1HJmiLRgGcdzWMa3aYVzdfnNsAlV8n-061gnUDKNxHYL4xTz1jymmhRGzZ1KOOiJLs7ej0A8fMNSqvTwp_UF7upYw5yI81UTRsBN9hbpGpLnMb_WIOMvX-Bcm3CtCHjfLzij1n... \u003cREDACTED\u003e\r\nThis MISTPEN sample communicates over HTTPS with the following Microsoft identity and Graph URLs:\r\nhxxps://login.microsoftonline[.]com/common/oauth2/v2.0/token\r\nhxxps://graph.microsoft[.]com/v1.0/me/drive/root:/path/upload/hello/\nhxxps://graph.microsoft[.]com/v1.0/me/drive/root:/path/upload/world/\nhxxps://graph.microsoft[.]com/v1.0/me/drive/items/\nThe backdoor reads configuration data from the file setup.bin if it exists within the same directory. The\nconfiguration data includes the sleep time and an ID. The backdoor sleeps for the configured time and sends the\nmessage \"Hi,I m just woke up!
\" to its command-and-control (C2 or C\u0026C) server.\nOtherwise, the backdoor generates a random hexadecimal ID and sends the time and timezone to its C2. If the\nbackdoor fails to get the time information, the backdoor sends the message \" Hi,I am New \" to its C2 instead.\nOn the infected host, Mandiant observed a suspicious network connection from the SumatraPDF.exe process\ntowards a compromised SharePoint domain belonging to a university. As this connection occurred after MISTPEN\nexecution, Mandiant assesses that the SharePoint URL was part of the in-memory execution of payloads sent to\nthe backdoor after establishing communication with the C2, leaving no other traces on disk.\nThe backdoor includes code to support more than one token, selecting randomly the one to use.\nBackdoor Commands\nThe backdoor supports the following commands:\nd : The backdoor parses, loads into memory, and executes the received PE payload. The backdoor sends a\nmessage to its C2 that contains the result from the executed code or the string: \" Loaded at\n\n\" where\n\nis a hexadecimal address.\ne : The backdoor sends the message \" DEAD\" to its C2 and terminates the process.\nf : The backdoor sends the message \" Sleep Success \" to its C2, sleeps for the specified time, and sends\nthe message \" Hi,I m just woke up! \" to its C2.\ng : The backdoor sends the message \" Hiber Success \" to its C2 , updates the sleep time in the\nconfiguration with the received time, writes its configuration to setup.bin , and sleeps for the configured\ntime.\nAnalysis of TEARPAGE (wtsapi32.dll)\nTEARPAGE, a loader embedded within the resource section of BURNBOOK, is loaded through DLL search order\nhijacking by the legitimate BdeUISrv.exe binary copied by the malware from its original location to the directory\ncontaining the loader. 
TEARPAGE decrypts an encrypted blob contained in the file %APPDATA%\\Thumbs.ini.\nTable 3 describes the structure of this file (file offset: description):\r\n0x0 - 0x1F: ChaCha20 key\r\n0x20 - 0x2B: ChaCha20 nonce\r\n0x2C - EOF: Encrypted backdoor DLL\r\nTable 3: %APPDATA%\\Thumbs.ini structure\r\nThe sample retrieves the initial 32 bytes and the subsequent 12 bytes from %APPDATA%\\Thumbs.ini, utilizing these\r\nvalues as the key and nonce respectively for the initialization of a ChaCha20 cipher. This cipher is then employed\r\nto decrypt the remaining contents of the file.\r\nThe resulting decrypted output is the MISTPEN backdoor, which is subsequently reflectively loaded into the\r\nmemory space of BdeUISrv.exe and executed.\r\nFigure 7: A pseudocode representation of the malicious code in wtsapi32.dll\r\nSample Comparison\r\nThrough open-source investigation, Mandiant identified a similar malicious archive containing the same\r\nSumatraPDF.exe binary; however, there are a few key differences in the BURNBOOK and MISTPEN samples as\r\ncompared to specimens analyzed earlier in the post. Moreover, this second archive was created prior to the one\r\ndiscussed throughout this blog post. By highlighting the noticeable differences, we can clearly see an evolution in\r\nmalware capabilities and stealthiness.\r\nMissing Internet Connectivity Check in BURNBOOK\r\nThe BURNBOOK sample we analyzed includes a network connectivity check that prevents the trojanized reader\r\nfrom displaying the decrypted PDF lure if it cannot reach google[.]com. 
This feature is not present in the earlier\r\nsample.\r\nFigure 8: BURNBOOK earlier version\r\nFigure 9: BURNBOOK later version with connection check\r\nMissing Command g in MISTPEN\r\nThe MISTPEN sample we analyzed supports the g command, which instructs the backdoor to save its\r\nconfiguration to a file named setup.bin. This file is also read by the backdoor when it first executes and thus\r\nallows MISTPEN to make its configuration persistent on the host. The earlier sample does not support this\r\ncommand, does not reference setup.bin, and does not save its configuration to disk.\r\nDifferent C2 Infrastructure\r\nThe MISTPEN sample delivered by the earlier malicious archive does not communicate using Microsoft Graph\r\nand instead employs a set of HTTPS URLs consisting of compromised WordPress websites belonging to small\r\nbusinesses from across the world:\r\nhxxps://bmtpakistan[.]com/solution/wp-content/plugins/one-click-demo-import/assets/asset.php\r\n— Construction company in Karachi, Pakistan\r\nhxxps://cmasedu[.]com/wp-content/plugins/kirki/inc/script.php — Education service company\r\nbased in Riyadh, Saudi Arabia\r\nhxxps://dstvdtt.co[.]za/wp-content/plugins/social-pug/assets/lib.php — Television installation\r\ncompany in South Africa\r\nFurthermore, the d function in the earlier MISTPEN sample has a different implementation that uses an additional\r\nHTTP request in order to receive and parse PE files from the C2 server.\r\nThe usage of the AES encryption is also different in the two samples observed. 
The earlier sample uses AES to\r\ndecrypt HTTPS URLs, while the later sample uses it to decrypt the token used to access the Microsoft Graph API.\r\nBased on the differences we have highlighted, the threat actor has improved their malware over time by\r\nimplementing new features and adding a network connectivity check to hinder the analysis of the samples.\r\nThreat Actor Spotlight: UNC2970\r\nIn June 2024, Mandiant Managed Defense responded to an intrusion leveraging a job-themed phishing email to\r\nsocial engineer a victim to download a malicious archive from WhatsApp. The archive contained both the job\r\ndescription specifics and the implant components targeting a multinational energy company.\r\nMandiant Managed Defense has reported similar activity in 2022 attributed to UNC4034, which was later merged\r\ninto UNC2970.\r\nUNC2970 is a cyber espionage group tracked by Mandiant since 2021 suspected to have a North Korea nexus.\r\nThis threat actor's activities overlap with those of TEMP.Hermit, a threat actor conducting collections of strategic\r\nintelligence aligned with North Korean interests that has been active since at least 2013.\r\nMandiant has observed UNC2970 targeting victims located in the United States, United Kingdom, The\r\nNetherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, and Australia.\r\nAcknowledgements\r\nMartin Co, Muhammad Umer Khan, Mike Stokkel\r\nDetection Opportunities\r\nA Google Threat Intelligence Collection featuring indicators of compromise (IOCs) related to the activity\r\ndescribed in this post is now available for registered users.\r\nYARA Rules\r\nrule M_Launcher_BURNBOOK_1 {\r\n  meta:\r\n    author = \"Mandiant\"\r\n    date_created = \"2024-08-12\"\r\n    date_modified = \"2024-08-12\"\r\n    md5 = \"8c2302c2d43ebe5dda18b8d943436580\"\r\n    rev = 1\r\n  strings:\r\n    $pk_magic = { 50 4B 03 04 }\r\n    $cd_magic = { 50 4B 01 
02 }\r\n    $n1 = \"libmupdf.dll\"\r\n    $n2 = \".pdf\"\r\n    $n3 = \"PdfFilter.dll\"\r\n    $n4 = \"PdfPreview.dll\"\r\n    $n5 = \"SumatraPDF.exe\"\r\n  condition:\r\n    uint32(0) == 0x04034b50 and\r\n    for any i in (2 .. #pk_magic) : ( ($n1 in (@pk_magic[i] + 30 .. @pk_magic[i] + 30 + uint16(@pk_magic[i] + 26))) and ($n1 in (@cd_magic[i] + 46 .. @cd_magic[i] + 46 + uint16(@cd_magic[i] + 28))) ) and\r\n    for any i in (2 .. #pk_magic) : ( ($n2 in (@pk_magic[i] + 30 .. @pk_magic[i] + 30 + uint16(@pk_magic[i] + 26))) and ($n2 in (@cd_magic[i] + 46 .. @cd_magic[i] + 46 + uint16(@cd_magic[i] + 28))) ) and\r\n    for any i in (2 .. #pk_magic) : ( ($n3 in (@pk_magic[i] + 30 .. @pk_magic[i] + 30 + uint16(@pk_magic[i] + 26))) and ($n3 in (@cd_magic[i] + 46 .. @cd_magic[i] + 46 + uint16(@cd_magic[i] + 28))) ) and\r\n    for any i in (2 .. #pk_magic) : ( ($n4 in (@pk_magic[i] + 30 .. @pk_magic[i] + 30 + uint16(@pk_magic[i] + 26))) and ($n4 in (@cd_magic[i] + 46 .. @cd_magic[i] + 46 + uint16(@cd_magic[i] + 28))) ) and\r\n    for any i in (2 .. #pk_magic) : ( ($n5 in (@pk_magic[i] + 30 .. @pk_magic[i] + 30 + uint16(@pk_magic[i] + 26))) and ($n5 in (@cd_magic[i] + 46 .. @cd_magic[i] + 46 + uint16(@cd_magic[i] + 28))) )\r\n}\r\nrule M_Launcher_BURNBOOK_2 {\r\n  meta:\r\n    author = \"Mandiant\"\r\n    date_created = \"2024-08-12\"\r\n    date_modified = \"2024-08-12\"\r\n    md5 = \"57e8a7ef21e7586d008d4116d70062a6\"\r\n    rev = 1\r\n  strings:\r\n    $parse_decoy_document = { FF 15 [4-32] 41 B8 08 00 00 00 [4-32] FF 15 [4] 85 C0 0F 8? [4-32] 48 83 ?? 08 48 3B ?? 0F 8? [4-32] 41 B8 20 00 00 00 [4-32] FF 15 [4] 85 C0 0F 8? [4-32] 41 B8 0C 00 00 00 [4-32] FF 15 [4] 85 C0 0F 8? 
}\r\n    $chacha_marker = { 65 78 70 61 [0-12] 6E 64 20 33 [0-12] 32 2D 62 79 [0-12] 74 65 20 6B }\r\n  condition:\r\n    all of them\r\n}\r\nrule M_APT_Backdoor_MISTPEN_2 {\r\n  meta:\r\n    author = \"Mandiant\"\r\n    date_created = \"2024-08-13\"\r\n    date_modified = \"2024-08-13\"\r\n    md5 = \"eca8eb8871c7d8f0c6b9c3ce581416ed\"\r\n    rev = 1\r\n  strings:\r\n    $s1 = \"Cookie: _PHPSESSIONID=\"\r\n    $s2 = \"%d_%s_%d\"\r\n    $s3 = \"DEAD\" fullword\r\n    $s4_sleep_success = { 53 6C 65 65 [1-16] 70 20 53 75 [1-16] 63 63 65 73 [1-16] 73 00 }\r\n    $s5_hiber_success = { 48 69 62 65 [1-16] 72 20 53 75 [1-16] 63 63 65 73 [1-16] 73 00 }\r\n    $s6 = \"Loaded at %p\"\r\n    $s7 = \"setup.bin\" wide\r\n    $send_DEAD_signal = { 8B 05 [4] 48 C7 ?? FF FF FF FF 89 45 ?? 0F B6 05 [4] 88 45 ?? 4? 8D [2-64] B9 40 00 00 00 FF 15 [4-8] 8? ?? 01 [1-32] 48 8D 48 08 E8 }\r\n    $const_marker = { 83 E3 09 81 C3 11 27 00 00 }\r\n  condition:\r\n    (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and (6 of them or ($s1 and $s2 and $s3 and $s6))\r\n}\r\nrule M_APT_Launcher_TEARPAGE_1 {\r\n  meta:\r\n    author = \"Mandiant\"\r\n    date_created = \"2024-08-13\"\r\n    date_modified = \"2024-08-13\"\r\n    md5 = \"006cbff5d248ab4a1d756bce989830b9\"\r\n    rev = 1\r\n  strings:\r\n    $load_encrypted_payload = { FF 15 [4-8] 83 F8 2C 0F 8? [4-32] 41 B8 20 00 00 00 [4-12] FF 15 [4] 85 C0 0F 8? [4-32] 41 B8 0C 00 00 00 [4-12] FF 15 [4] 85 C0 0F 8? [4-32] 83 C6 D4 B9 40 00 00 00 [2-16] FF 15 }\r\n    $chacha_marker = { 65 78 70 61 [0-12] 6E 64 20 33 [0-12] 32 2D 62 79 [0-12] 74 65 20 6B }\r\n    $load_pe = { 81 3C [1-3] 50 45 00 00 [1-8] 8B [1-3] 50 [4-32] B9 FF FF 1F 00 [2-16] FF 15 [4-64] C7 44 24 [1-8] 40 00 00 00 C7 44 24 [1-8] 00 30 00 00 41 FF D? 85 C0 0F 8? 
}\r\n  condition:\r\n    all of them\r\n}\r\nYARA-L Rules\r\nMandiant has made the relevant rules available in the Google SecOps Mandiant Intel Emerging Threats curated\r\ndetections rule set. The activity discussed in the blog post is detected under the rule names:\r\nBURNBOOK Related Files Dropping Activity\r\nBURNBOOK C2 Callout Activity\r\nBURNBOOK Payload Dropping Activity\r\nIndicators of Compromise\r\nHost-Based IOCs (IOC | MD5 | Associated Malware Family)\r\nBAE_Vice President of Business Development.pdf | 28a75771ebdb96d9b49c9369918ca581 | Encrypted PDF containing MISTPEN payload\r\nlibmupdf.dll | 57e8a7ef21e7586d008d4116d70062a6, f3baee9c48a2f744a16af30220de5066 | BURNBOOK\r\n%APPDATA%\\Microsoft\\BDE UI Launcher\\wtsapi32.dll | 006cbff5d248ab4a1d756bce989830b9 | TEARPAGE\r\n%APPDATA%\\Thumbs.ini | 0b77dcee18660bdccaf67550d2e00b00, b707f8e3be12694b4470255e2ee58c81 | MISTPEN\r\nbinhex.dll | cd6dbf51da042c34c6e7ff7b1641837d, eca8eb8871c7d8f0c6b9c3ce581416ed | MISTPEN\r\nNetwork-Based IOCs (URL)\r\nhxxps://graph.microsoft[.]com/v1.0/me/drive/root:/path/upload/world/266A25710006EF92\r\nheropersonas[.]com\r\nhxxps://dstvdtt.co[.]za/wp-content/plugins/social-pug/assets/lib.php\r\nhxxps://cmasedu[.]com/wp-content/plugins/kirki/inc/script.php\r\nhxxps://bmtpakistan[.]com/solution/wp-content/plugins/one-click-demo-import/assets/asset.php\r\nhxxps://verisoftsystems[.]com/wp-content/plugins/optinmonster/views/upgrade-link-style.php\r\nhxxps://www.clinicabaru[.]co/wp-content/plugins/caldera-forms/ui/viewer-two/viewer-2.php\r\nPosted in\r\nThreat Intelligence\r\nSource: 
https://cloud.google.com/blog/topics/threat-intelligence/unc2970-backdoor-trojanized-pdf-reader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/unc2970-backdoor-trojanized-pdf-reader"
	],
	"report_names": [
		"unc2970-backdoor-trojanized-pdf-reader"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c1eadfd8-6e9c-4024-902d-555c9530fcea",
			"created_at": "2023-01-06T13:46:38.645834Z",
			"updated_at": "2026-04-10T02:00:03.04985Z",
			"deleted_at": null,
			"main_name": "TEMP.Hermit",
			"aliases": [],
			"source_name": "MISPGALAXY:TEMP.Hermit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7a2dd0e8-beea-415c-b90d-4df9da8358ae",
			"created_at": "2024-09-20T02:00:04.575485Z",
			"updated_at": "2026-04-10T02:00:03.695726Z",
			"deleted_at": null,
			"main_name": "UNC2970",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2970",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434654,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b1c475fc1375b007a6bc93982d2c1e5f7d8cab5b.pdf",
		"text": "https://archive.orkl.eu/b1c475fc1375b007a6bc93982d2c1e5f7d8cab5b.txt",
		"img": "https://archive.orkl.eu/b1c475fc1375b007a6bc93982d2c1e5f7d8cab5b.jpg"
	}
}