nao-sec.org
By nao_sec
Published: 2024-10-16 · Archived: 2026-04-05 16:46:22 UTC
IcePeony with the '996' work culture
2024-10-16
This blog post is based on “IcePeony with the ‘996’ work culture” that we presented at VB2024. We are grateful
to Virus Bulletin for giving us the opportunity to present.
https://www.virusbulletin.com/conference/vb2024/abstracts/icepeony-996-work-culture/
tl;dr
We have discovered a previously unknown China-nexus APT group, which we have named “IcePeony”. Due to
operational mistakes, they exposed their resources, allowing us to uncover details of their attacks.
IcePeony is a China-nexus APT group that has been active since at least 2023. They have targeted
government agencies, academic institutions, and political organizations in countries such as India,
Mauritius, and Vietnam.
Their attacks typically start with SQL Injection, followed by compromise via webshells and backdoors.
Interestingly, they use a custom IIS malware called “IceCache”.
https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html
Page 1 of 19

Through extensive analysis, we strongly believe that IcePeony is a China-nexus APT group, operating
under harsh work conditions.
IcePeony
IcePeony is an unknown attack group. Our research shows that they have been active since at least 2023. They
mainly target Asian countries, such as India and Vietnam. In the log files we analyzed, there were over 200
attempts to attack various government websites in India.
They use SQL injection attacks on public web servers. If they find a vulnerability, they install a webshell or
malware. Ultimately, their goal is to steal credentials.
We believe IcePeony works for China’s national interests. It is possible that they prioritize China’s maritime
strategy.
Our research found that IcePeony targeted government and academic institutions in India, political parties in
Vietnam, and government institutions in Mauritius. Recently, they may have also attacked Brazil. It is likely that
they will expand their targets in the future.
OPSEC fail
In July, we identified a host that was publicly exposing various attack tools, including CobaltStrike and sqlmap,
via an open directory. What made this discovery even more compelling was the presence of a zsh_history file.
https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html
Page 2 of 19

One of the most interesting findings was the zsh_history file. Similar to bash_history, the zsh_history file records
command history. However, zsh_history also logs timestamps, allowing us to pinpoint the exact time each
command was executed. This enabled us to construct a highly detailed timeline of the attack.
Unlike a typical timeline created by an IR or SOC analyst, this one offers insight from the attacker’s perspective.
We could observe their trial-and-error process and how they executed the intrusion.
The zsh_history was not the only interesting file. There were many others.
For example, IcePeony had configured several helper commands in their alias file, including shortcuts to simplify
lengthy commands and commands to quickly access help information.
Here is an example with Mimikatz. By typing “hPass,” the attacker could display basic tutorials for Mimikatz.
This improved their effectiveness during attacks.
https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html
Page 3 of 19

Intrusion Timeline
We obtained two weeks’ worth of command history from the zsh_history. Let’s go through the events of each day.
On day-1, the attacker attempted SQL injections on several government websites. When the exploit succeeded,
they installed a webshell or IceCache, establishing a foothold for the attack. On day-2, they reviewed the domain
information of compromised hosts and created accounts for further exploitation. On day three, which was a
Sunday, no actions were taken. On day-3, which was a Sunday, they did not perform any actions. It seems the
attacker does not work on Sundays. On day-4, they used IceCache to configure proxy rules. We will explain this in
more detail later. On day-5, the attacker expanded their reach by attempting more SQL injections on other
government websites. On day-6, they used various tools, including IcePeony’s custom tool called StaX and a
rootkit called Diamorphine. On day-7, they continued to attack other hosts using tools like URLFinder and
sqlmap.
https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html
Page 4 of 19

On day-8, they used IceCache to steal information from the compromised environment, especially focusing on
domain users. On day-9, they were quiet and only performed connection checks. On day-10, they did nothing
since it was a Sunday. On day-11, they used tools like craXcel and WmiExec. They used craXcel, an open-source
tool, to unlock password-protected Microsoft Office files. On day-12, they used IceCache to add proxy rules and
set persistence with scheduled tasks. On day-13 and day-14, they explored other hosts for further exploitation.
Over the course of two weeks, the attacker utilized a variety of tools and commands to compromise government
websites and exfiltrate information.
IcePeony uses a wide range of tools, with a particular preference for open-source ones. Here, we will highlight
only the most distinctive tools they use.
StaX
StaX is a customized variant of the open-source tool Stowaway, a high-performance proxy tool. The attacker
enhanced Stowaway with custom processing. Based on development strings, we called this version StaX.
https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html
Page 5 of 19

StaX included encryption for communication targets specified in active mode using Custom Base64 and AES.
ProxyChains
ProxyChains is an open-source proxy tool. The attacker used ProxyChains to run script files on victim hosts.
info.sh is a script that collects system information from the compromised environment. It gathers environment
information, user information, installed tool versions, network settings, SSH configuration files, and command
history.
linux_back.sh is a script for backdoors and persistence. It downloads and runs a backdoor shell script from the
server and creates backdoor users.
Interestingly, they installed a rootkit called Diamorphine, which is available on GitHub.
https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html
Page 6 of 19

Malware
The IcePeony server contained malware targeting IIS, which we named IceCache. They used IceCache to attack
the attack surface server. Additionally, during the investigation, we discovered another related malware, which we
called IceEvent. Although no logs of using IceEvent were found. We believe it was used to compromise another
computer that was not connected to the internet.
IceCache
IceCache is an ELF64 binary developed in Go language. It is customized based on the open-source software
reGeorge.
https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html
Page 7 of 19

To facilitate their intrusion operations, they added file transmission commands and command execution
functionality.
https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html
Page 8 of 19

IceCache module is installed and run on IIS servers. The number of commands change, but they are classified into
two types based on authentication tokens. We found files with remaining PDB information. These files were
developed by a user named “power” in a project called “cachsess”
PDB Path
C:\Users\power\documents\visual studio 2017\Projects\cachsess\x64\Release\cachsess.pdb
C:\Users\power\Documents\Visual Studio 2017\Projects\cachsess\Release\cachsess32.pdb
The number of commands changes over time, but it includes command execution functions, SOCKS proxy
functions, and file transmission functions.
TYPE-A Description
EXEC / EXEC_PRO Command to the execution of a process
SOCKS_HELLO Command to SOCKS protocol initial handshake message
SOCKS_CONNECT Command to indicate a connection request with the SOCKS protocol
SOCKS_DISCONNECT Command to indicate disconnection with SOCKS protocol
SOCKS_READ Command to reading of data in SOCKS protocol
SOCKS_FORWARD Command to instruct data transfer via SOCKS protocol
PROXY_ADD Command to add a proxy
PROXY_LIST Command to list a proxy
PROXY_DEL Command to del a proxy
PROXY_CLEAR Command to clear all proxy settings
PROXY_SET_JS Set the JavaScript
PROXY_GET_JS Get set the JavaScript
PROXY_ALLOW_PC Allowed PC settings
PROXY_CACHE_CLEAR Command to clear the proxy cache
PROXY_CACHE_TIME Command to set proxy cache time
FILE_UPLOAD Upload Files
FILE_DOWNLOAD Download Files
https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html
Page 9 of 19

TYPE-B Description
EXEC / EXEC_PRO Command that directs the execution of a process
SOCKS_HELLO SOCKS protocol initial handshake message
SOCKS_CONNECT
Command to indicate a connection request with the SOCKS
protocol
SOCKS_DISCONNECT Command to indicate disconnection with SOCKS protocol
SOCKS_READ Command that directs reading of data in SOCKS protocol
SOCKS_FORWARD Command to instruct data transfer via SOCKS protocol
PROXY_ADD Command to add a proxy
PROXY_LIST Command to list a proxy
PROXY_DEL Command to del a proxy
PROXY_CLEAR Command to clear all proxy settings
FILE_UPLOAD / FILE_UPLOAD_PRO Upload Files
FILE_DOWNLOAD /
FILE_DOWNLOAD_PRO
Download Files
IIS_VERSION Show IIS version
These are the IceCache modules found so far. The first sample we are aware of was compiled in August 2023 and
submitted to VirusTotal in October. Since there is no discrepancy between the compille time and the first
submission, we believe the dates are reliable.
Many new samples have also been found since 2024. Most of the submitters are from India, which matches the
victim information we have gathered from OpenDir data.
The number of commands has change over time. It is show that the malware’s developers have made
improvements while continuing their intrusion operations.
sha256[:8]
Compile
Time
First
Submission
Submitter
Cmd
Num
X-Token TYPE
5b16d153
2024-07-17
09:11:14
2024-08-03
04:58:20
c8d0b2b9
(ID)
20 tn7rM2851XVvOFbc B
484e2740
2024-06-21
03:05:15
2024-08-07
09:25:53
39d4d6d2 -
email
20 tn7rM2851XVvOFbc B
https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html
Page 10 of 19

sha256[:8]
Compile
Time
First
Submission
Submitter
Cmd
Num
X-Token TYPE
11e90e24
2024-06-05
03:52:48
2024-06-18
12:21:50
d9cb313c
(ID)
20 tn7rM2851XVvOFbc B
b8d030ed
2024-06-05
03:52:41
2024-06-18
10:47:18
408f1927
(ID)
20 tn7rM2851XVvOFbc B
ceb47274
2024-04-25
09:53:26
2024-08-02
21:50:50
06ac9f47
(BR)
20 tn7rM2851XVvOFbc B
d1955169
2024-04-21
11:29:25
2024-06-18
12:24:39
d9cb313c
(ID)
18 tn7rM2851XVvOFbc B
de8f58f0
2024-04-21
11:29:10
2024-06-18
10:49:53
408f1927
(ID)
18 tn7rM2851XVvOFbc B
53558af
2024-03-27
05:08:50
2024-04-19
07:57:19
c2440bbf
(ID)
18 tn7rM2851XVvOFbc B
0b8b10a2
2024-03-27
05:08:57
2024-04-18
13:54:16
c2440bbf
(ID)
18 tn7rM2851XVvOFbc B
a66627cc
2024-02-20
09:36:12
2024-03-12
15:17:55
a6412166
(VN)
16 cbFOvVX1582Mr7nt A
e5f520d9
2024-02-01
09:32:21
2024-07-17
09:30:54
24761b38
(SG)
24 cbFOvVX1582Mr7nt A
3eb56218
2023-12-07
03:04:16
2024-02-20
13:54:02
0f09a1ae
(ID)
24 cbFOvVX1582Mr7nt A
5fd5e99f
2023-09-27
00:50:46
2024-03-24
08:59:02
Ca43fb0f
(ID)
24 cbFOvVX1582Mr7nt A
0eb60e4c
2023-08-23
09:11:24
2023-10-18
10:11:00
0e8f2a34
(VN)
18 cbFOvVX1582Mr7nt A
IceEvent
IceEvent is a simple passive-mode backdoor that installed as a service.
PDB Path
C:\Users\power\Documents\Visual Studio 2017\Projects\WinService\x64\Release\WinService.pdb
https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html
Page 11 of 19

Two types have been identified based on the command format. Both types only have the minimum necessary
commands. The older type was discovered in September 2023, and several new types were found in April of this
year. All of these were submitted from India.
TYPE-A Description
FILE: Command to Reading files via sockets
CMD: Command to the execution of a process
TYPE-B Description
UPFILE Upload Files
DOWNFILE Download Files
CMD Command to the execution of a process
sha256[:8] Compile Time First Submission Submitter Cmd Num TYPE
80e83118 2024-04-25 09:50:58 2024-07-25 05:43:08 INDIA (99003aca) 3 B
9aba997b 2024-04-30 04:48:48 2024-06-14 05:46:49 INDIA (060734bd) 3 B
9a0b0439 2024-04-25 09:50:58 2024-06-14 05:00:08 INDIA (060734bd) 3 B
bc94da1a 2023-08-23 08:52:46 2023-09-05 03:03:57 INDIA (81f8b666) 2 A
Similarities
We believe that IceEvent was developed because a simple passive backdoor was needed during intrusions, based
on code similarities with IceCache. Both IceCache and IceEvent use the same key for XOR to encode
communication data. And PDB information shows that the same developer created both malware.
This is the XOR-based data encoding process used for communication data, which is equal to both malware.
https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html
Page 12 of 19

This is the command execution process equal to both malware. Since the function calls and branching processes
are exactly the same, we believe they were compiled from the same source code. Other commands also match
perfectly.
The communication data of IceCache and IceEvent is only encoded using the XOR process mentioned earlier,
making it easy to decode. Here is an example of decoding the data during command execution.
https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html
Page 13 of 19

Attribution
We investigated the attacker’s activity times based on the timestamp information in the zsh_history file. As a
result, we found that the attacker is likely operating in the UTC+8 time zone. Surprisingly, the attacker works
from 8 a.m. to 10 p.m., which is a 14-hour workday. They are remarkably diligent workers.
Similarly, we investigated the changes in activity based on the day of the week. It seems that the attackers work
six days a week. While they are less active on Fridays and Saturdays, their only full day off appears to be Sunday.
This investigation suggests that the attackers are not conducting these attacks as personal activities, but are instead
engaging in them as part of organized, professional operations.
https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html
Page 14 of 19

By the way, have you heard of the term “996 working hour system”? This term originated in China’s IT industry.
In China’s IT industry, long working hours see as a problem. It refers to working from 9 a.m. to 9 p.m.,six days a
week. Such hard work conditions are called the “996 working hour system”. IcePeony might be working under the
996 working hour system.
https://en.wikipedia.org/wiki/996_working_hour_system
Next, There is a very simple example to consider when discussing attribution. IcePeony sometimes includes
Simplified Chinese comments in the tools they use. Here, we provide an example of a wrapper script for the
IceCache Client. From this, we can conclude that IcePeony is a threat actor from a region where Simplified
Chinese is commonly used.
https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html
Page 15 of 19

IcePeony uses an original malware called IceCache. As previously mentioned, IceCache is based on reGeorge.
More specifically, IceCache contains a string referring to a project named reGeorgGo.
Upon investigating reGeorgGo, We found that it was developed by a Chinese security engineer. There is no other
information about this project on the internet, aside from the developer’s blog. It was a not well-known tool.
However, the publicly available reGeorgGo is a tool with only three arguments, where as IceCache has more
commands added to it.
https://github.com/zz1gg/secdemo/tree/main/proxy/reGeorgGo
Let’s examine attribution from another side. In this attack campaign, IcePeony targeted India, Mauritius, and
Vietnam. While attacks on India and Vietnam are generally not uncommon. What about Mauritius?
https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html
Page 16 of 19

Mauritius is a small country located in the Indian Ocean. Interestingly, Mauritius has recently formed a
cooperation with India. They are wary of China’s expansion into the Indian Ocean and have begun various forms
of collaboration to counter this influence.
https://www.mea.gov.in/newsdetail1.htm?12042/
We summarize the attribution information using the Diamond Model.
IcePeony consists of Simplified Chinese speakers who show interest in the governments of Indian Ocean countries
and work under the 996 working hour system.
https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html
Page 17 of 19

They prefer open-source software developed in Chinese-speaking regions and use their original malware,
IceCache and IceEvent. In attacks on the Indian government, they used VPSs located in the Indian region.
Additionally, the governments and education sectors in Mauritius and Vietnam were also targeted.
Wrap-Up
In this blog post, we introduced IcePeony. IcePeony is a newly emerging attack group. Our investigation shows
that they have been active since at least 2023. Their primary targets are countries in Asia, such as India and
Vietnam.
The log files we analyzed recorded attempts to attack over 200 different Indian government websites. IcePeony
typically attempts SQL Injection attacks on publicly accessible web servers. If vulnerabilities are found, they
install web shells or execute malware. Ultimately, they aim to steal credentials.
We suspect that IcePeony operates as a group of individuals conducting cyberattacks in support of China’s
national interests, possibly in connection with China’s maritime strategy. They remain active, and we must
continue monitoring their activities closely moving forward.
IoCs
IP
165[.]22.211.62
64[.]227.133.248
173[.]208.156.19
173[.]208.156.144
154[.]213.17.225
103[.]150.186.219
63[.]141.255.16
204[.]12.205.10
https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html
Page 18 of 19

107[.]148.37.63
103[.]99.60.119
154[.]213.17.237
45[.]195.205.88
154[.]213.17.244
103[.]99.60.93
149[.]115.231.17
149[.]115.231.39
103[.]99.60.108
Domain
d45qomwkl[.]online
k9ccin[.]com
k8ccyn[.]com
88k8cc[.]com
googlesvn[.]com
IceCache
484e274077ab6f9354bf71164a8edee4dc4672fcfbf05355958785824fe0468f
5b16d1533754c9e625340c4fc2c1f76b11f37eb801166ccfb96d2aa02875a811
ceb47274f4b6293df8904c917f423c2f07f1f31416b79f3b42b6d64e65dcfe1b
e5f520d95cbad6ac38eb6badbe0ad225f133e0e410af4e6df5a36b06813e451b
d1955169cd8195ecedfb85a3234e4e6b191f596e493904ebca5f44e176f3f950
11e90e2458a97957064a3d3f508fa6dadae19f632b45ff9523b7def50ebacb63
de8f58f008ddaa60b5cf1b729ca03f276d2267e0a80b584f2f0723e0fac9f76c
b8d030ed55bfb6bc4fdc9fe34349ef502561519a79166344194052f165d69681
535586af127e85c5561199a9a1a3254d554a6cb97200ee139c5ce23e68a932bd
0b8b10a2ff68cb2aa3451eedac4a8af4bd147ef9ddc6eb84fc5b01a65fca68fd
5fd5e99fc503831b71f4072a335f662d1188d7bc8ca2340706344fb974c7fe46
3eb56218a80582a79f8f4959b8360ada1b5e471d723812423e9d68354b6e008c
a66627cc13f827064b7fcea643ab31b34a7cea444d85acc4e146d9f2b2851cf6
0eb60e4c5dc7b06b719e9dbd880eb5b7514272dc0d11e4760354f8bb44841f77
IceEvent
80e831180237b819e14c36e4af70304bc66744d26726310e3c0dd95f1740ee58
9a0b0439e6fd2403f764acf0527f2365a4b9a98e9643cd5d03ccccf3825a732e
9aba997bbf2f38f68ad8cc3474ef68eedd0b99e8f7ce39045f1d770e2af24fea
bc94da1a066cbb9bdee7a03145609d0f9202b426a52aca19cc8d145b4175603b
Source: https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html
https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html
Page 19 of 19