{
	"id": "4b933497-b4a4-4585-9906-fb0f0dc1b822",
	"created_at": "2026-04-06T00:20:51.895936Z",
	"updated_at": "2026-04-10T13:11:40.358874Z",
	"deleted_at": null,
	"sha1_hash": "b3a184923b1f56374141c53be2b1655f893bfa0c",
	"title": "Weaponizing Open Source Software for Targeted Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61265,
	"plain_text": "Weaponizing Open Source Software for Targeted Attacks\r\nPublished: 2020-11-20 · Archived: 2026-04-05 18:25:36 UTC\r\nThe notepad.exe file was dropped through ntoskrnl.exe, short for Windows NT operating system kernel executable. This was done by either exploiting ntoskrnl.exe or via network shares. Based on the telemetry data we obtained, it’s most probably the latter. Performing Root Cause Analysis (RCA) shows that this malicious notepad.exe file performed suspicious actions by calling the following tools:\r\nExecutable file | Function\r\nipconfig.exe | gets Windows IP configuration\r\nnet.exe | enumerates local and global groups in the domain; lists the settings of the server and workstation services; identifies all the shares on the local machine and in the domain; names local and domain user accounts\r\nreg.exe | dumps/imports registry keys/entries to a file\r\nsysteminfo.exe | gathers operating system configuration information for a local or remote machine, including service pack levels\r\ntasklist.exe | gets a list of currently running processes on either a local or remote machine\r\nTable 1. Executable file names and functions\r\nThe notepad.exe file’s link to these processes and their functions indicates that the file is a typical backdoor that gets commands from a malicious remote user. However, something caught our attention. The details listed in the file properties of notepad.exe show this:\r\nThe file description, product name, and original filename mention Notepad++, an open-source software used as a source code editor. It can also be observed that some of the file’s details are dubious. For example, Notepad++ files are usually named “notepad++.exe” and not “notepad.exe” as seen in this sample. The version (v7.8.6, released in April) is also old; as of writing, the latest version is v7.9.1, released in early November.\r\nExecuting the file in question shows this:\r\nThe user interface of the file looks and functions convincingly like a typical legitimate Notepad++ file. An initial look reveals nothing suspicious. But in terms of behavior, we discovered that the sample does something that a non-malicious Notepad++ won’t do: it searches for a file named config.dat located in the c:\\windows\\debug folder. This behavior is notable as the said file figures in the analysis of the sample’s code.\r\nCode analysis\r\nDecompiling the code of this malicious Notepad++ file shows the following code:\r\nThe code snippet taken from a typical non-malicious Notepad++ file is shown below:\r\nThese code snippets bear many similarities. However, the malicious Notepad++ file has additional code that loads an encrypted blob file (config.dat), decrypts the code it contains, and executes it in memory so it can perform its backdoor routines. This reminds us of some older malware types like PLUGX.\r\nWe observed two instances using the same loader but delivering different payloads. One of the payloads is detected as TrojanSpy.Win32.LAZAGNE.B, while the other is detected as Ransom.Win32.EXX.YAAK-B (Defray ransomware). Further investigation also revealed other blob files with the same loader that lead to different payloads.\r\nWe suspect that the file in this incident got into the organization through a targeted watering hole attack. After the initial machine was infected, propagating the malicious notepad++ and config.dat via admin shares would be easy.\r\nhttps://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html\r\nPage 1 of 3\r\nThe notepad.exe file that we investigated came from malicious sources and is not associated with the official distribution sites of Notepad and Notepad++.\r\nWeaponizing open-source software\r\nDue to its uncanny resemblance to a legitimate Notepad++ file, the analyzed sample can easily be mistaken for a non-malicious file, especially by employees with limited technical know-how. Threat actors achieved this disguise by trojanizing open-source software. Notepad++’s source code is publicly available; thus, anyone (including malware authors) can access it.\r\nThreat actors can look for the open source code of widely used software and trojanize it by adding malicious code that performs functions like loading an encrypted blob file. This means that most of the resulting file’s binary code is outright non-malicious, and the malicious code simply loads a file, an activity that does not seem too suspicious. Additionally, encrypted blob files don’t have file headers. This makes it difficult for antimalware solutions, including AI/ML-based ones and those that only focus on a single protection layer, to detect. To block these types of threats, solutions that grant visibility across layers would be helpful, as security teams can use them to correlate data and behavior within the environment.\r\nRecommendations\r\nUsers should only download files, applications, and software (such as open-source software) from trusted and legitimate sources to avoid these types of threats. For example, Notepad++ users can download relevant files from its official website. Enterprises can create and disseminate a list of approved download sites to their employees. As a further security measure, companies can also require the approval of IT teams before employees can install any software on office devices. For security and IT teams, it is also strongly recommended to validate the downloaded binary with checksums, as good open source projects maintain checksums of their official released binaries.\r\nWe also recommend Trend Micro™ XDR products, which collect and correlate data across endpoints, emails, cloud workloads, and networks, providing better context and enabling investigation in one place. This, in turn, allows teams to detect advanced and targeted threats earlier.\r\nIndicators of Compromise\r\nFile name | SHA-256 | Trend Micro Pattern Detection | Trend Micro Machine Learning Detection\r\nnotepad.exe (malicious, non-legitimate file named as such) | bacc02fd23c4f95da0fbc5c490b1278d327fea0878734ea9a55f108ef9f4312e | Trojan.Win32.VATET.SM | BKDR.Win32.TRX\r\nconfig.dat | 64ba94000e2815898fb17e93deaa44ac0e1b4c55316af727b908dfe74c3b7ef6 | Trojan.Win32.VATET.ENC | N/A\r\nconfig.dat | 33234dc94d926f1fc2831f40e27080739b415d485aa457d14a83617a3996089b | Trojan.Win32.VATET.ENC | N/A\r\nrelease.exe | 09c99e37121722dd45a2c19ff248ecfe2b9f1e082381cc73446e0f4f82e0c468 | TrojanSpy.Win32.LAZAGNE.B | Troj.Win32.TRX.X\r\nvirus2.dll | 1c3331b87dc55a8cc491846f2609d6226f66eb372716df349567ed619dd1b731 | Ransom.Win32.EXX.YAAK-B | Troj.Win32.TRX.X\r\nOther related hashes:\r\nSource: https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html"
	],
	"report_names": [
		"weaponizing-open-source-software-for-targeted-attacks.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434851,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3a184923b1f56374141c53be2b1655f893bfa0c.pdf",
		"text": "https://archive.orkl.eu/b3a184923b1f56374141c53be2b1655f893bfa0c.txt",
		"img": "https://archive.orkl.eu/b3a184923b1f56374141c53be2b1655f893bfa0c.jpg"
	}
}