{
	"id": "c2ddbf99-0198-438b-9632-b2af42ee7ec2",
	"created_at": "2026-04-06T00:09:48.024168Z",
	"updated_at": "2026-04-10T03:31:17.761834Z",
	"deleted_at": null,
	"sha1_hash": "b4bd7473cdb7cbf6551df0d4222f7a3331579d64",
	"title": "Registers as",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 115787,
	"plain_text": "Registers as\r\nBy ESET Research\r\nArchived: 2026-04-05 17:15:51 UTC\r\nDePriMon is a malicious downloader, with several stages and using many non-traditional techniques. To achieve\r\npersistence, the malware registers a new local port monitor - a trick falling under the “Port Monitors” technique in\r\nthe MITRE ATT\u0026CK knowledgebase. For that, the malware uses the “Windows Default Print Monitor” name;\r\nthat’s why we have named it DePriMon. Due to its complexity and modular architecture, we consider it to be a\r\nframework.\r\nAccording to our telemetry, DePriMon has been active since at least March 2017. DePriMon was detected in a\r\nprivate company, based in Central Europe, and at dozens of computers in the Middle East.\r\nSome of the domain names used as C\u0026C servers contain Arabic words, which gives an indication of a\r\nregion‑specific campaign. However, DePriMon deserves attention beyond its targets’ geographical distribution: it is\r\ncarefully written malware, with lots of encryption that is used properly.\r\nTo help defenders stay safe from this threat, we’ve thoroughly analyzed this newly discovered malware, focusing on\r\nthe downloader itself. Because we’re missing initial stage(s), which we will refer to here as \"the first stage\", we\r\ndon't know the initial distribution and compromise vector. What kind of final payload is used in the attacks is\r\nanother question that remains to be answered.\r\nHowever, it should be noted that, in a few cases, DePriMon was detected with ColoredLambert malware on the\r\nsame computers within a short time frame. ColoredLambert is used by the Lamberts (aka Longhorn)\r\ncyberespionage group and linked to the Vault 7 leak of CIA capabilities. Our colleagues from Symantec and\r\nKaspersky published their analyses in April 2017.\r\nTechnical analysis\r\nStage two\r\nBoth DePriMon’s second and third stages are delivered to the victim’s disk in the first stage. The second stage\r\ninstalls itself and loads the third stage using an encrypted, hardcoded path. One of the possible explanations is that it\r\nwas configured after the first stage of the attack occurred.\r\nThe described installation technique is unique. In principle, it is described in the MITRE ATT\u0026CK taxonomy as\r\n“Port Monitors”, under both Persistence and Privilege Escalation tactics. We believe DePriMon is the first example\r\nof malware using this technique ever publicly described.\r\nThe second stage registers the third-stage DLL as a port monitor by creating the following registry key and value:\r\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Windows Default Print Monitor\r\nDriver = %PathToThirdStageDLL%\r\nhttps://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader/\r\nPage 1 of 8\n\nAdministrator rights are required for creating this registry key.\r\nAt system startup, the registered DLL will be loaded by spoolsv.exe with SYSTEM privileges, which, combined\r\nwith the uniqueness of this method, makes this technique very effective for attackers.\r\nThe second stage checks regularly whether there is a file in the %system32% folder with the same name as the third\r\nstage DLL file but without the “.dll” extension. This file serves as an uninstallation trigger – should DePriMon find\r\nit, it removes both this file and its own components in a secure way by overwriting the binaries and then deleting\r\nthem.\r\nStage three\r\nThe third stage, responsible for downloading the main payload(s) from DePriMon’s operators, also implements\r\nsome interesting techniques.\r\nFor C\u0026C communication, it uses the Microsoft implementation of SSL/TLS, Secure Channel, instead of common\r\nAPIs like WinHTTP or WinInet. Its configuration is very complex, as is the way the malware handles it. Finally, the\r\nauthors have put significant effort into encryption, making the DePriMon malware more difficult to analyze.\r\nC\u0026C communication\r\nDePriMon communicates securely over TLS, however, not on a high level as is a typical scenario in malware. The\r\nconnection is initialized with a Windows socket and can continue with initialization of an authenticated Security\r\nSupport Provider Interface (SSPI) session with the Negotiate / NTLM SSP. After that, DePriMon uses Schannel.\r\nSSPI is used/not used according to a particular flag in the configuration file and can utilize the local proxy settings\r\nof the machine. The implementation is similar to this example provided by Microsoft.\r\nThe malware’s implementation of TLS via Schannel is similar to this example by Coast Research \u0026 Development.\r\nIt includes creating credentials, performing the client handshake and verifying the server certificate.\r\nFigure 1. Part of the SSPI implementation as output by the Hex-Rays decompiler\r\nAfter the communication is established, the third stage encrypts and decrypts messages manually each time.\r\nConfiguration\r\nThe configuration data for DePriMon’s third stage has 27 members, which is an unusually large number for a\r\ndownloader. It is encrypted with AES-256 and embedded in the binary.\r\nDuring the first run, DePriMon’s third stage (the downloader itself) decrypts the configuration data with Key 2 (see\r\nthe IoCs section), encrypts it with Key 3 and stores the encrypted configuration file in a temporary folder. The\r\nfilename for the configuration file is created via the following process: Starting with the second byte, the value of\r\nKey 2 is transformed into a number in base 36 but encoded using custom alphabet “abc…xyz012…789”. The\r\nextension of the configuration file is “.tmp”.\r\nAn example of a configuration file path: %temp%\\rb1us0wm99sslpa1vx.tmp.\r\nDuring the second run, the downloader reads the configuration data from the file, not from itself – this way, the\r\nattacker can easily update the configuration.\r\nThanks to its secure design, the configuration is not left in memory in unencrypted form. Every time the\r\ndownloader needs to use some element of the configuration file, it decrypts the configuration file, retrieves the\r\nmember and encrypts the file again.\r\nThis design protects the malware’s primary function – C\u0026C communication - against memory forensics.\r\nFigure 2. Part of the code as seen by the Hex-Rays decompiler, which illustrates how the DePriMon malware\r\ndecrypts the configuration file, saves a few members to local variables and encrypts it again\r\nOf interest in the configuration file are:\r\nTwo entries for usernames and two members for passwords – for the proxy server if it is set on the machine.\r\nIt means attackers are preparing to further their attack via a proxy with credentials. However, we haven’t\r\nseen functionality for stealing these details, so it appears that it is done in another phase of the attack.\r\nThree entries for three C\u0026C servers – each of them used on a different occasion.\r\nThree entries for three ports – each of them used on a different occasion.\r\nFlags indicating whether the downloader initializes a connection through Security Support Provider Interface\r\n(SSPI) with a possible proxy or only with a socket (described later).\r\nIt should be noted that besides C\u0026C servers extracted from malware samples, we identified additional domains and\r\nservers likely related to this malware.\r\nEncryption\r\nThe malware uses the AES encryption algorithm with three different 256-bit keys for different purposes (these keys\r\nare listed in the IoCs section).\r\nKey 1: For decryption of various sensitive strings in the malware.\r\nKey 2: For encryption and decryption of the configuration data in memory (as described earlier). This key is\r\nalso used to generate the third key.\r\nKey 3: For encryption and decryption of the configuration file on disk.\r\nThis key is not hardcoded but derived using a 32-byte array which is then encrypted. The array is generated as\r\nfollows: the first 4 bytes are the volume serial number of the system drive, and the remaining 28 bytes contain the\r\nvalues 5 – 32. This array is encrypted with Key 2, resulting in Key 3.\r\nConclusion\r\nDePriMon is an unusually advanced downloader whose developers have put extra effort into setting up the\r\narchitecture and crafting the critical components.\r\nDePriMon is downloaded to memory and executed directly from there as a DLL using the reflective DLL loading\r\ntechnique. It is never stored on disk. It has a surprisingly extensive configuration file with several interesting\r\nelements, its encryption is properly implemented and protects the C\u0026C communication effectively.\r\nAs a result, DePriMon is a powerful, flexible and persistent tool designed to download a payload and execute it, and\r\nto collect some basic information about the system and its user along the way.\r\nIndicators of Compromise (IoCs)\r\nESET detection names\r\nWin32/DePriMon\r\nWin64/DePriMon\r\nSHA-1 hashes\r\n02B38F6E8B54885FA967851A5580F61C14A0AAB6\r\n03E047DD4CECB16F513C44599BF9B8BA82D0B7CB\r\n0996C280AB704E95C9043C5A250CCE077DF9C8B2\r\n15EBE328A501B1D603E66762FBB4583D73E109F7\r\n1911F6E8B05E38A3C994048C759C5EA2B95CE5F7\r\n2B30BE3F39DEF1F404264D8858B89769E6C032D9\r\n2D80B235CDF41E09D055DD1B01FD690E13BE0AC7\r\n6DB79671A3F31F7A9BB870151792A56276619DC1\r\n6FAB7AA0479D41700981983A39F962F28CCFBE29\r\n7D0B08654B47329AD6AE44B8FF158105EA736BC3\r\n7E8A7273C5A0D49DFE6DA04FEF963E30D5258814\r\n8B4F3A06BA41F859E4CC394985BB788D5F76C85C\r\n94C0BE25077D9A76F14A63CBF7A774A96E8006B8\r\n968B52550062848A717027C512AFEDED19254F58\r\n9C4BADE47865E8111DD3EEE6C5C4BC83F2489F5B\r\nAA59CB6715CFFF545579861E5E77308F6CAEAC36\r\nC2388C2B2ED6063EACBA8A4021CE32EB0929FAD2\r\nCA34050771678C65040065822729F44B35C87B0C\r\nD38045B42C7E87C199993AB929AD92ADE4F82398\r\nE272FDA0E9BA1A1B8EF444FF5F2E8EE419746384\r\nE2D39E290201010F49652EE6116FD9B35C9AD882\r\nF413EEE3CFD85A60D7AFC4D4ECC4445BB1F0B8BC\r\nDomains\r\nDomain IP address\r\nimg.dealscienters[.]net 138.59.32.72\r\nteknikgorus[.]com 88.119.179.17\r\nwnupdnew[.]com 190.0.226.147\r\nbabmaftuh[.]com 185.56.89.196\r\nalwatantrade[.]com 188.241.60.109\r\nshayalyawm[.]com 5.226.168.124\r\nelehenishing[.]com 185.225.17.77\r\nalmawaddrial[.]com 46.151.212.202\r\nmdeastserv[.]com 46.151.212.201\r\nKeys - example\r\nKey 1: C097CF17DC3303BC8155534350464E50176ACA63842B0973831D8C6C8F136817\r\nKey 2: 8D35913F80A23E820C23B3125ABF57901BC9A7B83283FB2B240193ABDEDE52B9\r\nKey 3: Derived as described earlier.\r\nFilenames\r\ndpnvmrs.dll\r\nhp3mlnv.dll\r\nhp4mlnv.dll\r\nhp5nhd.dll\r\nhp6nhd.dll\r\nhpjdnb64.dll\r\nhpmdnel3b.dll\r\nifssvc.dll\r\nifssvcmgr.dll\r\nmsprtmon64.dll\r\nmsptromn.dll\r\nplamgr.dll\r\nppcrlchk.dll\r\nppcrlupd.dll\r\nprntapt.dll\r\nprntqdl64.dll\r\npscript6f.dll\r\npscript6s.dll\r\nshprn64.dll\r\nstprn32.dll\r\nwinmnprt.dll\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Description\r\nPersistence T1013 Port Monitors\r\nDePriMon installs one of its components as a port monitor\r\nfor achieving persistence.\r\nDefense\r\nEvasion\r\nT1036 Masquerading\r\nDePriMon places its components into the System32 folder\r\nwith names mimicking common system DLLs.\r\nT1107 File Deletion\r\nDePriMon can delete itself securely by overwriting its files\r\nwith random data and then deleting them.\r\nT1112 Modify Registry\r\nDePriMon adds registry entry in\r\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\r\nto achieve persistence.\r\nT1134\r\nAccess Token\r\nManipulation\r\nDePriMon obtains a user token for obtaining information\r\nabout the proxy settings on the machine.\r\nT1140\r\nDeobfuscate/Decode\r\nFiles or Information\r\nDePriMon encrypts some of its strings and its configuration\r\nfile using AES-256.\r\nDiscovery\r\nT1007\r\nSystem Service\r\nDiscovery\r\nDePriMon can list registered services on the system.\r\nT1057 Process Discovery DePriMon can list running processes on the system.\r\nT1082\r\nSystem Information\r\nDiscovery\r\nDePriMon collects various information about the system.\r\nT1124\r\nSystem Time\r\nDiscovery\r\nDePriMon regularly checks system time and performs\r\nvarious actions based on it, such as uninstallation.\r\nCommand\r\nAnd\r\nControl\r\nT1043\r\nCommonly Used\r\nPort\r\nDePriMon uses ports 443 and 8080 for C\u0026C\r\ncommunication.\r\nT1071\r\nStandard\r\nApplication\r\nLayer\r\nProtocol\r\nDePriMon uses\r\nHTTP for C\u0026C\r\ncommunication.\r\nT1090\r\nConnection\r\nProxy\r\nDePriMon uses\r\nlocal proxy settings\r\nto make its\r\ncommunication less\r\nsuspicious.\r\nSource: https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader/"
	],
	"report_names": [
		"deprimon-default-print-monitor-malicious-downloader"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e993faab-f941-4561-bd87-7c33d609a4fc",
			"created_at": "2022-10-25T16:07:23.460301Z",
			"updated_at": "2026-04-10T02:00:04.617715Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"APT-C-39",
				"Platinum Terminal",
				"The Lamberts"
			],
			"source_name": "ETDA:Longhorn",
			"tools": [
				"Black Lambert",
				"Blue Lambert",
				"Corentry",
				"Cyan Lambert",
				"Fluxwire",
				"Gray Lambert",
				"Green Lambert",
				"Magenta Lambert",
				"Pink Lambert",
				"Plexor",
				"Purple Lambert",
				"Silver Lambert",
				"Violet Lambert",
				"White Lambert"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70db80bd-31b7-4581-accb-914cd8252913",
			"created_at": "2023-01-06T13:46:38.57727Z",
			"updated_at": "2026-04-10T02:00:03.028845Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"the Lamberts",
				"APT-C-39",
				"PLATINUM TERMINAL"
			],
			"source_name": "MISPGALAXY:Longhorn",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1",
			"created_at": "2024-05-01T02:03:08.146025Z",
			"updated_at": "2026-04-10T02:00:03.67072Z",
			"deleted_at": null,
			"main_name": "PLATINUM TERMINAL",
			"aliases": [
				"APT-C-39 ",
				"Longhorn ",
				"The Lamberts ",
				"Vault7 "
			],
			"source_name": "Secureworks:PLATINUM TERMINAL",
			"tools": [
				"AfterMidnight",
				"Assassin",
				"Marble Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434188,
	"ts_updated_at": 1775791877,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b4bd7473cdb7cbf6551df0d4222f7a3331579d64.pdf",
		"text": "https://archive.orkl.eu/b4bd7473cdb7cbf6551df0d4222f7a3331579d64.txt",
		"img": "https://archive.orkl.eu/b4bd7473cdb7cbf6551df0d4222f7a3331579d64.jpg"
	}
}