{
	"id": "135695ab-451a-4c5b-8f73-5762402e1104",
	"created_at": "2026-04-06T00:13:20.572391Z",
	"updated_at": "2026-04-10T03:37:17.456343Z",
	"deleted_at": null,
	"sha1_hash": "b3a8de0d2773536bd0fc6306c641fdff800b1bab",
	"title": "DarkUniverse - the mysterious APT framework #27",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68661,
	"plain_text": "DarkUniverse - the mysterious APT framework #27\r\nBy Andrey Dolgushev\r\nPublished: 2019-11-05 · Archived: 2026-04-05 17:37:02 UTC\r\nIn April 2017, ShadowBrokers published their well-known ‘Lost in Translation’ leak, which, among other things,\r\ncontained an interesting script that checked for traces of other APTs in the compromised system.\r\nIn 2018, we found an APT described as the 27th function of this script, which we call ‘DarkUniverse’. This APT\r\nwas active for at least eight years, from 2009 until 2017. We assess with medium confidence that DarkUniverse is\r\na part of the ItaDuke set of activities due to unique code overlaps. ItaDuke is an actor known since 2013. It used\r\nPDF exploits for dropping malware and Twitter accounts to store C2 server urls.\r\nTechnical details\r\nInfection vector\r\nSpear phishing was used to spread the malware. A letter was prepared separately for each victim to grab their\r\nattention and prompt them to open an attached malicious Microsoft Office document.\r\nEach malware sample was compiled immediately before being sent and included the latest available version of the\r\nmalware executable. Since the framework evolved from 2009 to 2017, the last releases are totally different from\r\nthe first ones, so the current report details only the latest available version of the malware used until 2017.\r\nThe executable file embedded in the documents extracts two malicious files from itself, updater.mod and\r\nglue30.dll, and saves them in the working directory of the malware –\r\n%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Reorder.\r\nAfter that, it copies the legitimate rundll32.exe executable into the same directory and uses it to run the\r\nupdater.mod library.\r\nThe updater.mod module\r\nThis module is implemented as a dynamic-link library with only one exported function, called callme@16. 
This\r\nmodule is responsible for such tasks as providing communication with the C2 server, providing the malware\r\nintegrity and persistence mechanism and managing other malware modules.\r\nhttps://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/\r\nPage 1 of 6\n\nThe persistence mechanism is provided by a link file, which is placed by updater.mod into the startup folder,\r\nensuring malware execution after a reboot. If the link file becomes corrupted, the updater.mod module restores it.\r\nCommunication with C2\r\nIn this campaign the C2 servers were mostly based on cloud storage at mydrive.ch. For every victim, the operators\r\ncreated a new account there and uploaded additional malware modules and a configuration file with commands to\r\nexecute it. Once executed, the updater.mod module connected to the C2 and performed the following actions:\r\ndownloaded the command file to the working directory;\r\nuploaded files collected and prepared by additional malicious modules (if any) to the C2. These files were\r\nlocated in a directory called ‘queue’ or ‘ntfsrecover’ in the working directory. Files in this directory could\r\nhave one of two extensions: .d or .upd depending on whether they had already been uploaded to the server\r\nor not.\r\ndownloaded additional malware modules:\r\ndfrgntfs5.sqt – a module for executing commands from the C2;\r\nmsvcrt58.sqt – a module for stealing mail credentials and emails;\r\nzl4vq.sqt – legitimate zlib library used by dfrgntfs5;\r\n%victim_ID%.upe – optional plug-in for dfrgntfs5. Unfortunately, we were unable to obtain this\r\nfile.\r\nAll malware modules are encrypted with a custom algorithm:\r\nThe credentials for the C2 account are stored in the configuration that is placed in the registry, but the updater.mod\r\nmodule also stores a copy as an encrypted string in the executable file. 
Also, the configuration specifies how often\r\nupdater.mod polls the C2, supporting both an active mode and a partly active mode.\r\nMalware configuration in the registry\r\nThe malware configuration is stored in the registry in the SOFTWARE\\AppDataLow\\GUI\\LegacyP entry.\r\nDifferent values are detailed in the following table:\r\nValue name Description\r\nC1 C2 domain.\r\nC2 C2 domain path.\r\nC3 C2 credential username.\r\nC4 C2 credential password.\r\ninstall 1 if malware is installed.\r\nTL1 DESACTIVAR | HABILITAR – specifies whether msvcrt58 and glue libraries are active.\r\nTL2, TL3 If TL1 is not NULL, it specifies time bounds when TL1 option is applied.\r\n“kl” If 1, updater.mod should download msvcrt58.sqt from C2 again.\r\n“re” If 1, updater.mod should download dfrgntfs5.sqt from C2 again.\r\n“de” If not 0, framework should uninstall itself.\r\n“cafe” REDBULL | SLOWCOW specifies how often updater.mod polls C2.\r\n“path” Path to the folder from which files are being sent to C2.\r\nModules glue30.dll and msvcrt58.sqt\r\nThe glue30.dll malware module provides keylogging functionality. The updater.mod module uses the Win API\r\nfunction SetWindowsHookExW to install hooks for the keyboard and to inject glue30.dll into processes that get\r\nkeyboard input. After that, glue30.dll loads and begins intercepting input in the context of each hooked process.\r\nThe msvcrt58.sqt module intercepts unencrypted POP3 traffic to collect email conversations and victims’\r\ncredentials. This module looks for traffic from the following processes:\r\noutlook.exe;\r\nwinmail.exe;\r\nmsimn.exe;\r\nnlnotes.exe;\r\neudora.exe;\r\nthunderbird.exe;\r\nthunde~1.exe;\r\nmsmsgs.exe;\r\nmsnmsgr.exe.\r\nThe malware parses intercepted POP3 traffic and sends the result to the main module (updater.mod) for uploading\r\nto the C2. 
This is done by hooking the following network-related Win API functions:\r\nws2_32.connect;\r\nws2_32.send;\r\nws2_32.recv;\r\nws2_32.WSARecv;\r\nws2_32.closesocket.\r\nThe dfrgntfs5.sqt module\r\nThis is the most functional component of the DarkUniverse framework. It processes an impressive list of\r\ncommands from the C2, which are listed in the following table.\r\nCommand Description\r\nVER Sends malware version to server.\r\nDESINSTALAR Uninstalls itself.\r\nPANTALLA Takes screenshot of the full screen and saves it to the \\queue folder.\r\nCAN_TCP, CAN_HTTP,\r\nCAN_HTTPS\r\nInjects a shellcode into IE that establishes a direct connection with the C2,\r\ndownloads additional code, sends info about the download results to the C2 and\r\nexecutes the downloaded code.\r\nMET_TCP, MET_HTTPS\r\nAlso injects a shellcode into IE. The only difference with the previous\r\ncommand set is that in this case the shellcode doesn’t send any additional info\r\nto the C2 – it only establishes the connection, downloads additional code and\r\nexecutes it.\r\nCAN_HTTP_LSASS\r\nInjects the same shellcode as in the case of CAN_HTTP into the LSASS.exe\r\nprocess.\r\nSCAN/STOPSCAN\r\nStarts/stops network scan. 
Collects lots of different info about the local\r\nnetwork.\r\nCREDSCAN Brute-forces IP range with specified username and password.\r\nACTUALIZAR Updates dfrgntfs5.sqt.\r\nACTUALIZARK Updates msvcrt58.sqt.\r\nSYSINFO Collects full system info.\r\nREDBULL Sets cafe flag to 1 – active.\r\nSLOWCOW Sets cafe flag to 0 – slow mode.\r\nX\r\nRuns specified process and logs its output, then prepares this output log for\r\nuploading to the C2.\r\nT Obtains list of files from a specific directory.\r\nTAUTH Obtains list of files of remote server if specified credentials are valid.\r\nG Sends a file to the C2.\r\nGAUTH\r\nDownloads a particular file from a shared resource if specified credentials are\r\nvalid.\r\nSPLIT Splits file into 400 KB parts and uploads them to the C2.\r\nFLUSH Sends file with the data collected by all components that day and deletes it.\r\nC1 – C4 Sets the C2 in its configuration in the registry (C1-C4).\r\nTL1 – TL3 Sets the active state in its configuration in the registry (T1-T3).\r\nONSTART Sets process to be started every malware startup.\r\nCLEARONSTART Undoes previous ONSTART command.\r\nARP\r\nRuns unavailable ARP module (uncparse.dll – unavailable). 
This module stores\r\ndata in a file internally named arpSniff.pcap.\r\nAUTO Automatically looks for updates of predefined files.\r\nMANUAL\r\nFiles in the specified directory are searched using the * .upd pattern, all found\r\nfiles are deleted.\r\nREGDUMP Collects information from the registry.\r\nPWDDUMP\r\nCollects and decrypts credentials from Outlook Express, Outlook, Internet\r\nExplorer, Windows Mail and Windows Live Mail, Windows Live Messenger,\r\nand also Internet Cache;\r\nLOGHASH\r\nInjects process into lsass.exe and starts collecting password hashes in the file\r\nchecksums.bk.\r\nSENDLOGHASH Sends collected lsass.exe process password hashes to the C2.\r\nPROXYINFO Checks if credentials for proxy are valid.\r\nDHCP Sets DHCP settings for local machine.\r\nDNS Sets DNS settings for local machine.\r\nFAKESSL Provides basic MITM functionality.\r\nVictimology\r\nWe recorded around 20 victims geolocated in Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus\r\nand the United Arab Emirates. The victims included both civilian and military organizations. We believe the\r\nnumber of victims during the main period of activity between 2009 and 2017 was much greater.\r\nConclusions\r\nDarkUniverse is an interesting example of a full cyber-espionage framework used for at least eight years. The\r\nmalware contains all the necessary modules for collecting all kinds of information about the user and the infected\r\nsystem and appears to be fully developed from scratch. Due to unique code overlaps, we assume with medium\r\nconfidence that DarkUniverse’s creators were connected with the ItaDuke set of activities. The attackers were\r\nresourceful and kept updating their malware during the full lifecycle of their operations, so the observed samples\r\nfrom 2017 are totally different from the initial samples from 2009. 
The suspension of its operations may be related\r\nto the publishing of the ‘Lost in Translation’ leak, or the attackers may simply have decided to switch to more\r\nmodern approaches and start using more widely available artefacts for their operations.\r\nAppendix I – Indicators of Compromise\r\nMD5 Hashes\r\n1addee050504ba999eb9f9b1ee5b9f04\r\n4b71ec0b2d23204e560481f138833371\r\n4e24b26d76a37e493bb35b1a8c8be0f6\r\n405ef35506dc864301fada6f5f1d0711\r\n764a4582a02cc54eb1d5460d723ae3a5\r\nc2edda7e766553a04b87f2816a83f563\r\n71d36436fe26fe570b876ad3441ea73c\r\nA full set of IOCs, including YARA rules, is available to customers of the Kaspersky Intelligence Reporting\r\nservice. For more information, contact intelreports@kaspersky.com\r\nSource: https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/"
	],
	"report_names": [
		"94897"
	],
	"threat_actors": [
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9a58d7bb-dd32-41bc-804e-500ef7550cf8",
			"created_at": "2023-01-06T13:46:39.131811Z",
			"updated_at": "2026-04-10T02:00:03.2252Z",
			"deleted_at": null,
			"main_name": "ItaDuke",
			"aliases": [
				"DarkUniverse",
				"SIG27"
			],
			"source_name": "MISPGALAXY:ItaDuke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59ce37c7-ce10-4cc3-ab27-c784a8a0898a",
			"created_at": "2022-10-25T16:07:23.534403Z",
			"updated_at": "2026-04-10T02:00:04.645423Z",
			"deleted_at": null,
			"main_name": "DarkUniverse",
			"aliases": [],
			"source_name": "ETDA:DarkUniverse",
			"tools": [
				"dfrgntfs5.sqt",
				"glue30.dll",
				"msvcrt58.sqt",
				"updater.mod",
				"zl4vq.sqt"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434400,
	"ts_updated_at": 1775792237,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3a8de0d2773536bd0fc6306c641fdff800b1bab.pdf",
		"text": "https://archive.orkl.eu/b3a8de0d2773536bd0fc6306c641fdff800b1bab.txt",
		"img": "https://archive.orkl.eu/b3a8de0d2773536bd0fc6306c641fdff800b1bab.jpg"
	}
}