{
	"id": "a9da4d65-9da3-488b-bce3-7b19705a79bf",
	"created_at": "2026-04-20T02:21:42.094803Z",
	"updated_at": "2026-04-20T02:22:27.777453Z",
	"deleted_at": null,
	"sha1_hash": "b65133d28b018cc7f748cf12570e365207ba94da",
	"title": "IndigoZebra APT continues to attack Central Asia with evolving tools",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 100839,
	"plain_text": "IndigoZebra APT continues to attack Central Asia with evolving tools\r\nBy alexandrag\r\nPublished: 2021-07-01 · Archived: 2026-04-20 02:01:33 UTC\r\nIntroduction\r\nCheck Point Research recently discovered an ongoing spear-phishing campaign targeting the Afghan government. Further investigation revealed that this campaign is part of a long-running activity targeting other Central Asian countries, including Kyrgyzstan and Uzbekistan, since at least 2014. The actor suspected of this cyber-espionage operation is an APT group dubbed “IndigoZebra”, previously attributed by researchers to China. The technical details of the operation had not been publicly disclosed before. In this article, we discuss the tools, TTPs and infrastructure used by the attacker over the years of its activity. We also provide a technical analysis of two different strains of the previously undescribed backdoor xCaon, including its latest version, which we dubbed BoxCaon and which uses the legitimate cloud-storage service Dropbox as its Command and Control server.\r\nInfection Chain\r\nOur investigation started with emails sent from an employee of the Administrative Office of the President in Afghanistan to employees of the Afghanistan National Security Council (NSC). The email asked the recipient to review the modifications in the document related to the upcoming press conference of the NSC.\r\nFig 1: Malicious email sent to the Afghan government employees\r\nThe email contains a password-protected RAR archive named NSC Press conference.rar. Extracting the archive with the password provided in the email requires user interaction and therefore presents a challenge for some sandbox security solutions.\r\nFig 2: The infection chain\r\nThe extracted file, NSC Press conference.exe, acts as a dropper. 
The lure email presents the attachment as a document, so to reduce the victim's suspicion at running an executable instead, the attackers use a simple trick: upon execution, the dropper opens the first document it finds on the victim's desktop. Whether or not it found a document to open, the dropper proceeds to the next stage: it drops the backdoor to C:\\users\\public\\spools.exe and executes it.\r\nhttps://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/\r\nPage 1 of 9\r\nBoxCaon Backdoor Analysis\r\nThe backdoor has a narrow set of capabilities: download and upload files, run commands and send the results to the attackers. Short as this list is, it lets the attackers upload and execute additional tools for further reconnaissance and lateral movement. To hide the malicious functionality (persistence and C\u0026C communication) from static detection, the malware uses a common obfuscation technique known as “stackstrings” to build wide-character strings: rather than storing a string in the binary's data section, the code assembles it on the stack at runtime from small immediate values, so no contiguous copy of the string exists in the file for a signature to match.\r\nDropbox as a C\u0026C Server\r\nThe backdoor uses Dropbox as its C\u0026C server: commands are written to, and results read from, a specific folder in a Dropbox account the attacker prepared before the operation. Using the legitimate Dropbox service for C\u0026C communication instead of dedicated server infrastructure helps mask the malicious traffic in the target's network, as no communication with unusual websites takes place; for defenders, Dropbox API traffic from hosts or processes with no business use of Dropbox is therefore the main network-level signal. The backdoor uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload and execute files. In the initialization stage, the backdoor creates a unique folder for the victim in the attacker-controlled Dropbox account. 
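The stackstrings technique mentioned above is easiest to understand from the analyst's side: the strings are rebuilt by reading the stack stores back out of the disassembly. The following Python is an added example written for this page, not code from the article or from any IndigoZebra sample; the disassembly listing it parses is constructed, and the Intel-syntax input format (as exported by a typical disassembler) is an assumption.

```python
# Added example (editor's illustration, not code from the article or from any
# IndigoZebra sample): rebuild wide-character stackstrings from an Intel-syntax
# disassembly listing. Every listing line below is constructed.

SAMPLE_DISASM = [
    'push ebp',
    'mov ebp, esp',
    'sub esp, 0x40',
    'mov dword ptr [ebp-0x2c], 0x2e0063',  # two UTF-16 code units at once: c .
    'mov dword ptr [ebp-0x28], 0x780074',  # t x
    'xor eax, eax',                        # unrelated instruction in between
    'mov word ptr [ebp-0x24], 0x74',       # t
    'mov word ptr [ebp-0x22], 0',          # NUL terminator
    'mov word ptr [ebp-0x18], 0x4c',       # L
    'mov word ptr [ebp-0x16], 0x6f',       # o
    'mov word ptr [ebp-0x14], 0x61',       # a
    'mov word ptr [ebp-0x12], 0x64',       # d
    'mov word ptr [ebp-0x10], 0',          # NUL terminator
    'mov dword ptr [ebp-0x4], eax',        # register source, ignored
    'mov byte ptr [ebp-0x1], 1',           # lone byte, too short to report
    'lea ecx, [ebp-0x2c]',
    'push ecx',
    'call sub_401000',
]


def _parse_mem(dst):
    # 'word ptr [ebp-0x20]' -> (width in bytes, base register, signed offset)
    size_name, _, rest = dst.partition(' ptr ')
    width = {'byte': 1, 'word': 2, 'dword': 4}.get(size_name)
    if width is None or not rest.startswith('[') or not rest.endswith(']'):
        return None
    expr = rest[1:-1]
    for sign in ('-', '+'):
        if sign in expr:
            base, _, off = expr.partition(sign)
            return width, base, int(off, 0) * (-1 if sign == '-' else 1)
    return width, expr, 0


def collect_stack_bytes(lines):
    # Map (base register, stack offset) -> byte for every immediate stored to the stack.
    stores = {}
    for line in lines:
        text = line.split(';')[0].strip().lower()
        if not text.startswith('mov '):
            continue
        dst, sep, src = text[4:].partition(',')
        if not sep:
            continue
        mem = _parse_mem(dst.strip())
        if mem is None:
            continue
        try:
            value = int(src.strip(), 0)
        except ValueError:
            continue  # source is a register, not an immediate
        width, base, offset = mem
        for i, b in enumerate(value.to_bytes(width, 'little')):
            stores[(base, offset + i)] = b
    return stores


def _decode_run(buf, min_len):
    # Decode one contiguous stack region as UTF-16LE and split on NUL terminators.
    if len(buf) % 2:
        buf = buf[:-1]
    text = buf.decode('utf-16-le', errors='replace')
    return [s for s in text.split(chr(0)) if len(s) >= min_len and s.isprintable()]


def recover_wide_strings(lines, min_len=3):
    # Group the stored bytes into contiguous runs per base register and decode each run.
    stores = collect_stack_bytes(lines)
    results = []
    for base in sorted({b for b, _ in stores}):
        offsets = sorted(o for b, o in stores if b == base)
        run = []
        for off in offsets:
            if run and off != run[-1] + 1:
                results.extend(_decode_run(bytes(stores[(base, o)] for o in run), min_len))
                run = []
            run.append(off)
        if run:
            results.extend(_decode_run(bytes(stores[(base, o)] for o in run), min_len))
    return results


if __name__ == '__main__':
    print(recover_wide_strings(SAMPLE_DISASM))
```

Run it and the two constructed strings come back in stack order, lowest offset first. On a real sample the same approach is applied to the listing around the function that builds the Dropbox request, which is where Fig 3 shows the obfuscation; compilers also emit legitimate stack initializers, so short recovered runs need the minimum-length and printability filter used here. Returning to BoxCaon's initialization: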
The folder is named after the victim's MAC address, obtained with the GetAdaptersInfo API.\r\nFig 3: Creation of a folder in Dropbox by the backdoor and stackstrings obfuscation\r\nLocally, the backdoor creates a working folder at C:\\users\\public\\\u003cd\u003e (where \u003cd\u003e is a random integer). It then uploads two files to the server:\r\nm-\u003cdate\u003e.txt – containing the backdoor's execution path\r\nd-\u003cdate\u003e.txt – containing the local working folder path\r\nFig 4: File upload to Dropbox by the backdoor\r\nWhen the attackers need to send a file or command to the victim machine, they place it in the folder named d inside the victim's Dropbox folder. The malware retrieves this folder and downloads all of its contents to the working folder. Finally, if a file named c.txt, which carries the attacker's command, exists in the working folder, the backdoor executes it through the interpreter named by the ComSpec environment variable (normally cmd.exe), uploads the results back to Dropbox and deletes the command from the server.\r\nPersistence\r\nThe backdoor establishes persistence by setting the HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load registry value to point to its executable. This method is less common than the Run or RunOnce keys but achieves the same goal: the program listed in the Load value runs each time that user logs on. (Because the value lives under HKEY_CURRENT_USER, it affects only the user whose hive it was written to, not every user of the machine.)\r\nPost-infection\r\nOnce C\u0026C communication is established, the threat actor starts by executing fingerprinting and reconnaissance commands on the machine. 
In this attack, some of the actions we spotted included:\r\nDownload and execution of ntbscan (SHA-1: 90da10004c8f6fafdaa2cf18922670a745564f45), a NetBIOS scanner tool widely used by multiple APT actors, including the prolific Chinese group APT10\r\nExecution of Windows built-in networking utilities\r\nAccess to the victim's files, especially documents located on the Desktop\r\nAttribution\r\nSearching for related samples in the wild yielded almost 30 executables, each bearing a varying degree of similarity to the spools.exe BoxCaon backdoor. One of the common traits is a very specific implementation of command execution: the ComSpec string is first constructed on the stack, the same path naming convention is used for the output file, and the output file is deleted right after execution:\r\nFig 5: Code similarities between BoxCaon (left) and Investigating China’s Crimes against Humanity.exe (sha1: 3557d162828baab78f2a7af36651a3f46d16c1cb)\r\nThe earliest of the samples found dates back to 2014. Even though some of the executables claim to have been compiled in 2004 or 2008, based on the registration times of the C\u0026C servers and the observed activity we believe the compilation timestamps were modified by the actor. While collecting additional information about this long-lasting operation, we noticed a reference in the Kaspersky 2017 APT trends report where one of the samples is referred to as xCaon malware, used by the Chinese-speaking APT actor “IndigoZebra”. The other samples in our set appear to be different variants of xCaon, including packed ones, or the PoisonIvy malware, which was also reported as part of the actor's arsenal. Based on the code and functionality similarities, we attribute the BoxCaon backdoor to the same xCaon family as an updated variant (hence the name). 
It is the only xCaon version that communicates over the Dropbox API with cleartext commands; all the other samples use HTTP with Base64+XOR encryption to communicate with their C\u0026C servers. Although the xCaon malware family has been used in the wild for several years, no technical analysis was publicly available until now. In the next section, we summarize the technical details of all the versions we have encountered.\r\nxCaon HTTP variant analysis\r\nAs mentioned earlier, we found approximately 30 different samples of the xCaon HTTP variant with slightly different functionality. Below we cover the most noteworthy features of the backdoor, highlighting samples with unique functionality.\r\nAnti-AV\r\nThe HTTP variant checks whether Kaspersky is installed on the victim's machine by looking for files in the Kaspersky installation folder.\r\nFig 6: Backdoor searches for files in the installation directory of Kaspersky AV\r\nIf Kaspersky AV is not installed on the system, persistence via the registry is established. First, the backdoor makes sure that a copy of the executable exists at a specific path in the TEMP folder, then writes that path to the HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load value, causing the malware to run each time that user logs on. The reverse case matters for detection: on a host where Kaspersky is present, this variant leaves no registry persistence behind, so the absence of the Load value does not rule out an infection.\r\nFig 7: Backdoor establishes persistence via the Load registry value if Kaspersky is not installed\r\nCommand Execution\r\nThe backdoor receives commands from the attacker and runs them in an interactive CMD shell using pipes. 
The commands differ between samples; the full list is provided in [Appendix B].\r\nFig 8: Interactive CMD shell using pipes\r\nVictim Fingerprinting\r\nThe backdoor collects the victim's MAC address using the GetAdaptersInfo API. Some versions generate a user ID and save it in a temporary file. These IDs are then passed to the C\u0026C server as one of the POST body parameters (the MAC address is sent encrypted, as discussed below).\r\nFig 9: Generate a user ID and save it in a temp file\r\nC\u0026C Communication Protocol\r\nThe communication between the malware and the server is based on HTTP and varies slightly between samples. Every few seconds the backdoor sends a POST request to the C\u0026C URL. In the response (which looks like an HTML page), the malware searches for a specific pattern: it takes the string between \u003c!—|# and #|-\u003e, decodes it, and executes the command. The result is encrypted and sent back to another URL on the server as a parameter of a POST request.\r\nFig 10: C\u0026C communication\r\nEncryption\r\nThe HTTP variant uses an interesting and unique method of encryption for both its configuration and its communication. It uses a predefined key, which we found to be one of the following two (depending on the malware variant): 1. 
\"GetMessagePos SendMessage GetExitCodeProces CreateProcess GetTickCount GetDCEx CopyImage DrawText CloseHandle SendMessageTimeout\"\r\n2. \"\\x32\\xE2\\x5C\\x48\\xEC\\x0E\\xC3\\x7F\\x5F\\x7A\\xED\\x11\\xCB\\xE5\\x0A\\x87\\x0F\\xFA\\x7D\\xFC\\xF9\\xA7\\x39\\x38\\x3D\\xE3\\x6B\\x6F\\xBF\\x9B\\x84\\x1F\\xE7\\xB (the second key is cut off in the archived copy)\r\nThe decryption process splits the “fake” base64-like string into two parts, XORs the first part with the predefined key, base64-decodes the second part, and finally XORs the two results together.\r\nTargets\r\nFig 11: Targeted region\r\nWhile we saw the Dropbox variant (BoxCaon) targeting Afghan government officials, the HTTP variants focus on political entities in two particular Central Asian countries: Kyrgyzstan and Uzbekistan. This very specific victimology is based on the following overlapping indicators:\r\nCheck Point products’ telemetry\r\nC\u0026C domains impersonating known Uzbek and Kyrgyz domains (post[.]mfa-uz[.]com – Uzbekistan Ministry of Foreign Affairs; ousync[.]kginfocom[.]com – Kyrgyz state enterprise “Infocom”)\r\nMalware file names written in Kyrgyz and Russian (Министрге сунуштама.exe – “Recommendation to the Minister.exe” in Kyrgyz; материалы к массовому беспорядку.exe – “materials for the mass riot.exe” in non-native Russian)\r\nVT submitter countries for multiple samples from this campaign are Uzbekistan and Kyrgyzstan\r\nInfrastructure\r\nAs the Dropbox variant uses the Dropbox API for communication, the only information we were able to gather from it is the Dropbox account information [Appendix C]. 
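To make the HTTP variant's C&C handling concrete, here is an added Python example written for this page (not code from the article or from the malware) that carves the command out of a beacon response using the markers from the C&C Communication Protocol section above and applies the decoding steps from the Encryption section. It assumes a cyclic key schedule and takes the split point as a parameter, because the article states neither; the markers are used exactly as the article renders them, and the HTML response it parses is constructed.

```python
# Added example by the editor, not code from the article or from any xCaon
# sample: carve the command out of an xCaon-style HTTP response and apply the
# decoding steps the article describes (split, XOR with key, base64, XOR).
import base64

# Key 1 exactly as printed in the article ('GetExitCodeProces' is kept as printed).
KEY_1 = b'GetMessagePos SendMessage GetExitCodeProces CreateProcess GetTickCount GetDCEx CopyImage DrawText CloseHandle SendMessageTimeout'

# Markers as rendered in the article text; confirm the exact bytes against a sample.
OPEN_MARK = '<!—|#'.encode('utf-8')
CLOSE_MARK = b'#|->'


def xor_bytes(data, key):
    # Cyclic XOR. Assumption: the article does not state how the key is scheduled.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_payload(body):
    # Return the bytes between the markers, or None when the response carries
    # no command (an idle beacon reply looks like a plain HTML page).
    start = body.find(OPEN_MARK)
    if start < 0:
        return None
    start += len(OPEN_MARK)
    end = body.find(CLOSE_MARK, start)
    if end < 0:
        return None
    return body[start:end]


def decode_command(payload, key, part1_len):
    # part1_len is an assumption: the article says the blob is split in two but
    # not where; recover the rule from the sample before using this on real data.
    part1, part2 = payload[:part1_len], payload[part1_len:]
    keyed = xor_bytes(part1, key)
    pad = base64.b64decode(part2, validate=True)  # raises ValueError on a bad split
    if len(keyed) != len(pad):
        raise ValueError('split point does not fit: %d vs %d bytes' % (len(keyed), len(pad)))
    return xor_bytes(keyed, pad)


def handle_response(body, key, part1_len):
    # One beacon cycle on the implant side: no marker means nothing to run.
    payload = extract_payload(body)
    if payload is None:
        return None
    return decode_command(payload, key, part1_len)


def encode_command(command, key, pad):
    # Inverse of decode_command, used only to build the constructed sample below.
    if len(pad) != len(command):
        raise ValueError('pad must be as long as the command')
    part1 = xor_bytes(xor_bytes(command, pad), key)
    return part1 + base64.b64encode(pad)


# Constructed sample traffic (not a real capture): an HTML page with a command embedded.
SAMPLE_COMMAND = b'ipconfig /all'
SAMPLE_PAD = bytes(range(0x10, 0x10 + len(SAMPLE_COMMAND)))
SAMPLE_RESPONSE = (b'<html><body><p>Welcome</p>' + OPEN_MARK
                   + encode_command(SAMPLE_COMMAND, KEY_1, SAMPLE_PAD)
                   + CLOSE_MARK + b'</body></html>')
IDLE_RESPONSE = b'<html><body><p>Welcome</p></body></html>'

if __name__ == '__main__':
    print(handle_response(SAMPLE_RESPONSE, KEY_1, len(SAMPLE_COMMAND)))
    print(handle_response(IDLE_RESPONSE, KEY_1, len(SAMPLE_COMMAND)))
```

The encode_command helper exists only to build that sample; on a real case the decoder is pointed at the body of the server's reply as captured at the proxy, after the split rule and marker bytes have been confirmed in the binary. Fed with captured replies, the same handle_response loop is a quick way to tell whether a suspected C&C page is actually serving commands or only idle HTML.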
However, when we analyzed the infrastructure of the HTTP variants, we saw that the samples have shared common infrastructure for over 6 years, since the first sample appeared in the wild.\r\nFig 12: HTTP Variant Infrastructure Graph\r\nTo get a clearer picture of how the attackers operated their infrastructure over the years, we plotted the malicious domains according to the ASN they were hosted on. The results are presented in the figure below:\r\nFig 13: Correlation between domains and ASNs over time\r\nA few observations:\r\nMost of the domains are relatively short-lived. This can be explained by the precision targeting of the whole operation: the lookalike domains were most likely created to mislead a specific entity and were not reused afterwards.\r\nSince 2019, all of the new infrastructure has been concentrated on ASN 20473 (CHOOPA). This does not come as a surprise: Vultr, a subsidiary of CHOOPA, is considered an “attractive platform for criminals” by the research community and is widely used for malicious purposes by multiple groups, including, for example, the China-based APT group ViciousPanda, whose recent C\u0026C servers are also all hosted on Vultr.\r\nConclusion\r\nIn this publication we unveiled the latest activity and tools of the long-running IndigoZebra operation, previously attributed to a Chinese-speaking threat actor. In this case, we observed a cyber-espionage operation focused on governmental agencies in Central Asia, targeted with the Poison Ivy and xCaon backdoors along with the newly discovered BoxCaon backdoor variant, whose C\u0026C communication was updated to use the Dropbox service itself as the C\u0026C infrastructure of the operation. 
While the IndigoZebra actor was initially observed targeting former Soviet republics such as Uzbekistan and Kyrgyzstan, we have now seen that its campaigns are not winding down; on the contrary, they are expanding to new targets in the region with a new toolset.\r\nCheck Point products block this attack from the very first step.\r\nAppendix A: Indicators of Compromise\r\nBoxCaon (MD5)\r\nb9973b6f9f15e6b20ba1c923540a3c9b\r\n974201f7895967bff0b018b95d5f5f4b\r\nxCaon (MD5)\r\n3ecfc67294923acdf6bd018a73f6c590\r\n35caae29c47dfb570773f6d5fd37e625\r\n3562bf97997c54d74f58d4c1ad84fcea\r\nc00f6268075e3af85176bf0b00c66c13\r\n85ea346e74c120c83db7a89531f9d9a1\r\n5a8783783472be67c09926cc139d5b27\r\nb3d11e570da4a66f4b8520bc6107283b\r\nfdcae752f64245c159ab0f4d585c5bf8\r\nbb521918d08a4480699e673554d7072c\r\nc5406e7e161c758e863eb63001861bb1\r\n4d6e93d2416898ea3a4f419aa3a438e3\r\n6dfd06f91060e421320b6ebd63c957f0\r\n0b10ac9bf6d2d31cbce06b09f9b0ae75\r\nb831a48e96e2f033d09d7ad5edd1dc67\r\na875112c66da104c35d0eb43385d7094\r\n1a28c673b2b481ba53e31f77a27669e7\r\nef3383809fdf5a895b42e02bf06f5aa3\r\naa107be86814d9c86911a2a7874d38a0\r\n45d8cfe3450562564a1eb00a1aa0db83\r\ncdd7bfa36c6e47730fad94113aba7070\r\n06d72a4d99fcd76a3502432657f3c999\r\n5a91ccabd2b12ac56ba5170cf9ff8343\r\n33f42e9678ee91369d11ef344bbd5a0d\r\n84575619a690d3ef1209b7e3a7e79935\r\n16e61624827d7785740b17c771a052e6\r\nccc7f88b72c286fd756e76309022e9f8\r\ne98031cf43bfed73db0bce43918a608c\r\n5ea42089cf91464b9c0c42292c18ba4c\r\ncff6d9f5d214e3366d6b4ae31c413adc\r\nPoisonIvy (MD5)\r\nc74711de8aa68e7d97f501eda328d032\r\nC\u0026C servers (domain, followed by the URL paths observed on it)\r\ninfodocs[.]kginfocom[.]com\r\n  infodocs[.]kginfocom[.]com/gin/kw.asp\r\n  infodocs[.]kginfocom[.]com/gin/tab.asp\r\nousync[.]kginfocom[.]com\r\n  ousync[.]kginfocom[.]com/sync/kw.asp\r\nuslugi[.]mahallafond[.]com\r\n  uslugi[.]mahallafond[.]com/hall/kw.asp\r\n6z98os[.]id597[.]link 
\r\n  6z98os[.]id597[.]link/css/art.asp\r\nhwyigd[.]laccessal[.]org\r\n  hwyigd[.]laccessal[.]org/news/art.asp\r\n  hwyigd[.]laccessal[.]org/news/js.asp\r\nhelp[.]2019mfa[.]com\r\n  help[.]2019mfa[.]com/help/art.asp\r\nm[.]usascd[.]com\r\n  m[.]usascd[.]com/uss/word.asp\r\nns01-mfa[.]ungov[.]org\r\n  ns01-mfa[.]ungov[.]org/un/art.asp\r\ndcc[.]ungov[.]org\r\n  dcc[.]ungov[.]org/crss/art.asp\r\nindex[.]google-upgrade[.]com\r\n  index[.]google-upgrade[.]com/upgrade/art.asp\r\nmofa[.]ungov[.]org\r\n  mofa[.]ungov[.]org/momo/art.asp\r\nupdate[.]ictdp[.]com\r\n  update[.]ictdp[.]com/new/art.asp\r\npost[.]mfa-uz[.]com\r\n  post[.]mfa-uz[.]com/post/art.asp\r\ncdn[.]muincxoil[.]com\r\n  cdn[.]muincxoil[.]com/cdn/js.asp\r\n  cdn[.]muincxoil[.]com/cdn/art.asp\r\ntm[.]2019mfa[.]com\r\n  tm[.]2019mfa[.]com/css/p_d.asp\r\nAppendix B: HTTP variant commands list (command: action)\r\nx-\u003c#B#\u003e: Create a BAT file on the victim's machine\r\nx-\u003c#U#\u003e: Upload a file to the victim's machine\r\nx-Down: Download a file to the victim's machine from a URL and execute it\r\nx-StartIM: Start an interactive shell\r\nx-Unis: Exit the process (uninstall)\r\nx-Delay: Sleep for X seconds\r\nx-Exec: Execute a file\r\nx-DownOnly: Download a file to the victim's machine from a URL\r\nAppendix C: Dropbox account information (not reproduced in the archived text)\r\nAppendix D: MITRE ATT\u0026CK Matrix (tactic: technique ID, technique name)\r\nInitial Access: T1566.001 Phishing: Spearphishing Attachment\r\nExecution: T1204.002 User Execution: Malicious File\r\nPersistence: T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nDefense Evasion: T1027 Obfuscated Files or Information\r\nDiscovery: T1518.001 Software Discovery: Security Software Discovery\r\nCommand and Control: T1071.001 Application Layer Protocol: Web Protocols\r\nCommand and Control: T1102.002 Web Service: Bidirectional Communication\r\nCommand and Control: T1132 Data Encoding\r\nExfiltration: T1567.002 Exfiltration Over Web Service: 
Exfiltration to Cloud Storage\r\nSource: https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/"
	],
	"report_names": [
		"indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools"
	],
	"threat_actors": [],
	"ts_created_at": 1776651702,
	"ts_updated_at": 1776651747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b65133d28b018cc7f748cf12570e365207ba94da.pdf",
		"text": "https://archive.orkl.eu/b65133d28b018cc7f748cf12570e365207ba94da.txt",
		"img": "https://archive.orkl.eu/b65133d28b018cc7f748cf12570e365207ba94da.jpg"
	}
}