{
	"id": "24eadcb9-f7ce-4cf3-8bd9-e4c6c362944e",
	"created_at": "2026-04-06T00:08:11.185276Z",
	"updated_at": "2026-04-10T03:32:39.906511Z",
	"deleted_at": null,
	"sha1_hash": "b85fd69d4b454f5ea1d9eed04e555a279a3f4cb7",
	"title": "China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 590293,
	"plain_text": "China-based Cyber Threat Group Uses Dropbox for Malware\r\nCommunications and Targets Hong Kong Media Outlets |\r\nMandiant\r\nBy Mandiant\r\nPublished: 2015-12-01 · Archived: 2026-04-05 13:56:16 UTC\r\nWritten by: FireEye Threat Intelligence\r\nFireEye Intelligence Center\r\nFireEye Threat Intelligence analysts identified a spear phishing campaign carried out\r\nin August 2015 targeting Hong Kong-based media organizations. A China-based cyber threat group, which\r\nFireEye tracks as an uncategorized advanced persistent threat (APT) group and other researchers refer to as\r\n“admin@338,” may have conducted the activity.[1] The email messages contained malicious documents with a\r\nmalware payload called LOWBALL. LOWBALL abuses the Dropbox cloud storage service for command and\r\ncontrol (CnC). We collaborated with Dropbox to investigate the threat, and our cooperation revealed what may be\r\na second, similar operation. The attack is part of a trend where threat groups hide malicious activity by\r\ncommunicating with legitimate web services such as social networking and cloud storage sites to foil detection\r\nefforts.[2][3]\r\nA Cyber Campaign Likely Intended to Monitor Hong Kong Media During a Period of Crisis\r\nThe threat group has previously used newsworthy events as lures to deliver malware.[4] They have largely\r\ntargeted organizations involved in financial, economic and trade policy, typically using publicly available RATs\r\nsuch as Poison Ivy, as well as some non-public backdoors.[5]\r\nThe group started targeting Hong Kong media companies, probably in response to political and economic\r\nchallenges in Hong Kong and China. 
The threat group’s latest activity coincided with the announcement of\r\ncriminal charges against democracy activists.[6] During the past 12 months, Chinese authorities have faced\r\nseveral challenges, including large-scale protests in Hong Kong in late 2014, the precipitous decline in the stock\r\nmarket in mid-2015, and the massive industrial explosion in Tianjin in August 2015. In Hong Kong, the pro-democracy movement persists, and the government recently denied a professor a post because of his links to a\r\npro-democracy leader.[7]\r\nMultiple China-based cyber threat groups have targeted international media organizations in the past. The\r\ntargeting has often focused on Hong Kong-based media, particularly those that publish pro-democracy material.\r\nThe media organizations targeted with the threat group’s well-crafted Chinese language lure documents are\r\nprecisely those whose networks Beijing would seek to monitor. Cyber threat groups’ access to the media\r\norganizations’ networks could potentially provide the government advance warning on upcoming protests,\r\ninformation on pro-democracy group leaders, and insights needed to disrupt activity on the Internet, such as what\r\noccurred in mid-2014 when several websites were brought down in denial of service attacks.[8]\r\nhttps://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html\r\nPage 1 of 6\n\nThreat Actors Use Spear Phishing Written in Traditional Chinese Script in Attempted Intrusions\r\nIn August 2015, the threat actors sent spear phishing emails to a number of Hong Kong-based media\r\norganizations, including newspapers, radio, and television. The first email references the creation of a Christian\r\ncivil society organization to coincide with the anniversary of the 2014 protests in Hong Kong known as the\r\nUmbrella Movement. 
The second email references a Hong Kong University alumni organization that fears votes\r\nin a referendum to appoint a Vice-Chancellor will be co-opted by pro-Beijing interests.[9]\r\nThe group’s previous activities against financial and policy organizations have largely focused on spear phishing\r\nemails written in English, destined for Western audiences. This campaign, however, is clearly designed for those\r\nwho read the traditional Chinese script commonly used in Hong Kong.\r\nLOWBALL Malware Analysis\r\nThe spear phishing emails contained three attachments in total, each of which exploited an older vulnerability in\r\nMicrosoft Office (CVE-2012-0158):\r\nMD5 Filename\r\nb9208a5b0504cb2283b1144fc455eaaa 使命公民運動 我們的異象.doc\r\nec19ed7cddf92984906325da59f75351 新聞稿及公佈.doc\r\n6495b384748188188d09e9d5a0c401a4 (代發)[采訪通知]港大校友關注組遞信行動.doc\r\nIn all three cases, the payload was the same:\r\nMD5 Filename\r\nd76261ba3b624933a6ebb5dd73758db4 time.exe\r\nThis backdoor, known as LOWBALL, uses the legitimate Dropbox cloud-storage\r\nservice to act as the CnC server. It uses the Dropbox API with a hardcoded bearer access token and has the ability\r\nto download, upload, and execute files. The communication occurs via HTTPS over port 443.\r\nAfter execution, the malware will use the Dropbox API to make an HTTP GET request using HTTPS over TCP\r\nport 443 for the files:\r\nMD5 Filename\r\nd76261ba3b624933a6ebb5dd73758db4 WmiApCom\r\n79b68cdd0044edd4fbf8067b22878644 WmiApCom.bat\r\nThe “WmiApCom.bat” file is simply used to start “WmiApCom”, which happens to be the exact same file as the\r\none dropped by the malicious Word documents. However, this is most likely meant to be a mechanism to update\r\nthe compromised host with a new version of the LOWBALL malware.\r\nThe threat group monitors its Dropbox account for responses from compromised computers. 
Once the LOWBALL\r\nmalware calls back to the Dropbox account, the attackers will create a file called\r\n“[COMPUTER_NAME]_upload.bat” which contains commands to be executed on the compromised computer.\r\nThis batch file is then executed on the target computer, with the results uploaded to the attackers’ Dropbox\r\naccount in a file named “[COMPUTER_NAME]_download”.\r\nWe observed the threat group issue the following commands:\r\n@echo off\r\ndir c:\\ \u003e\u003e %temp%\\download\r\nipconfig /all \u003e\u003e %temp%\\download\r\nnet user \u003e\u003e %temp%\\download\r\nnet user /domain \u003e\u003e %temp%\\download\r\nver \u003e\u003e %temp%\\download\r\ndel %0\r\n@echo off\r\ndir \"c:\\Documents and Settings\" \u003e\u003e %temp%\\download\r\ndir \"c:\\Program Files\\\" \u003e\u003e %temp%\\download\r\nnet start \u003e\u003e %temp%\\download\r\nnet localgroup administrator \u003e\u003e %temp%\\download\r\nnetstat -ano \u003e\u003e %temp%\\download\r\nThese commands allow the threat group to gain information about the compromised computer and the network to\r\nwhich it belongs. Using this information, they can decide to explore further or instruct the compromised computer\r\nto download additional malware.\r\nWe observed the threat group upload a second stage malware, known as BUBBLEWRAP (also known as\r\nBackdoor.APT.FakeWinHTTPHelper) to their Dropbox account along with the following commands:\r\n@echo off\r\nren \"%temp%\\upload\" audiodg.exe\r\nstart %temp%\\audiodg.exe\r\ndir d:\\ \u003e\u003e %temp%\\download\r\nsysteminfo \u003e\u003e %temp%\\download\r\ndel %0\r\nWe have previously observed the admin@338 group use BUBBLEWRAP. 
This particular sample connected to the\r\nCnC domain accounts.serveftp[.]com, which resolved to an IP address previously used by the threat group,\r\nalthough the IP had not been used for some time prior to this most recent activity:\r\nMD5 CnC domain IP address\r\n0beb957923df2c885d29a9c1743dd94b accounts.serveftp.com 59.188.0.197\r\nBUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using\r\nHTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system\r\nversion and hostname, and includes functionality to check, upload, and register plugins that can further enhance its\r\ncapabilities.\r\nA Second Operation\r\nFireEye works closely with security researchers and industry partners to mitigate cyber threats, and we\r\ncollaborated with Dropbox to respond to this activity. The Dropbox security team was able to identify this abuse\r\nand put countermeasures in place.\r\nOur cooperation uncovered what appears to be a second, ongoing operation, though we lack sufficient evidence to\r\nverify if admin@338 is behind it. The attack lifecycle followed the same pattern, though some of the filenames\r\nwere different, which indicates that there may be multiple versions of the malware. In addition, while the\r\noperation targeting Hong Kong-based media involved a smaller number of targets and a limited duration, we\r\nsuspect this second operation involves up to 50 targets. At this time, we are unable to identify the victims.\r\nIn this case, after the payload is delivered via an exploit the threat actor places files (named upload.bat, upload.rar,\r\nand period.txt, download.txt or silent.txt) in a directory on a Dropbox account. 
The malware beacons to this\r\ndirectory using the hardcoded API token and attempts to download these files (which are deleted from the\r\nDropbox account after the download):\r\nupload.bat, a batch script that the compromised machine will execute\r\nupload.rar, a RAR archive that contains at least two files: a batch script to execute, and often an executable\r\n(sometimes named rar.exe) which the batch script will run and almost always uploads the results of\r\ndownload.rar to the cloud storage account\r\nsilent.txt and period.txt, small files of 0-4 bytes in size that dictate the frequency to check in with the CnC\r\nThe threat actor then downloads the results and deletes the files from the cloud storage account.\r\nConclusion\r\nLOWBALL is an example of malware that abuses cloud storage services to mask its activity from network\r\ndefenders. The LOWBALL first stage malware allows the group to collect information from victims and then\r\ndeliver the BUBBLEWRAP second stage malware to their victims after verifying that they are indeed interesting\r\ntargets.\r\nA version of this article appeared first on the FireEye Intelligence Center. The FireEye Intelligence Center\r\nprovides access to strategic intelligence, analysis tools, intelligence sharing capabilities, and institutional\r\nknowledge based on over 10 years of FireEye and Mandiant experience detecting, responding to and tracking\r\nadvanced threats. FireEye uses a proprietary intelligence database, along with the expertise of our Threat\r\nIntelligence Analysts, to power the Intelligence Center.\r\n[1] FireEye currently tracks this activity as an “uncategorized” group, a cluster of related threat activity about\r\nwhich we lack information to classify with an advanced persistent threat number.\r\n[2] FireEye. Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic.\r\nhttps://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf\r\n[3] FireEye. 
HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group.\r\n[4] Moran, Ned and Alex Lanstein. FireEye. “Spear Phishing the News Cycle: APT Actors Leverage Interest in the\r\nDisappearance of Malaysian Flight MH 370.” 25 March 2014. https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html.\r\n[5] Moran, Ned and Thoufique Haq. FireEye. “Know Your Enemy: Tracking a Rapidly Evolving APT Actor.” 31\r\nOctober 2013; FireEye. Poison Ivy: Assessing Damage and Extracting Intelligence.\r\n[6] BBC News. “Hong Kong student leaders charged over ‘Umbrella Movement’.” 27 August 2015.\r\nhttp://www.bbc.com/news/world-asia-china-34070695.\r\n[7] Zhao, Shirley, Joyce Ng, and Gloria Chan. “University of Hong Kong’s council votes 12-8 to reject Johannes\r\nChan’s appointment as pro-vice-chancellor.” 30 September 2015. http://www.scmp.com/news/hong-kong/education-community/article/1862423/surprise-move-chair-university-hong-kong.\r\n[8] Wong, Alan. “Pro-Democracy Media Company’s\r\nWebsites Attacked.” New York Times. 18 June 2014. http://sinosphere.blogs.nytimes.com/2014/06/18/pro-democracy-media-companys-websites-attacked/.\r\n[9] “HKU concern group raises proxy fears in key vote.” EJ Insight. 31 August 2015.\r\nhttp://www.ejinsight.com/20150831-hku-concern-group-raises-proxy-fears-in-key-vote/.\r\nSource: https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html"
	],
	"report_names": [
		"china-based-threat.html"
	],
	"threat_actors": [
		{
			"id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5",
			"created_at": "2022-10-25T15:50:23.269339Z",
			"updated_at": "2026-04-10T02:00:05.402835Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"APT17",
				"Deputy Dog"
			],
			"source_name": "MITRE:APT17",
			"tools": [
				"BLACKCOFFEE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9d6f666e-3a9d-4a09-bcac-8aee96572827",
			"created_at": "2022-10-25T15:50:23.2832Z",
			"updated_at": "2026-04-10T02:00:05.268714Z",
			"deleted_at": null,
			"main_name": "admin@338",
			"aliases": [
				"admin@338"
			],
			"source_name": "MITRE:admin@338",
			"tools": [
				"BUBBLEWRAP",
				"LOWBALL",
				"Systeminfo",
				"PoisonIvy",
				"netstat",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1f29d13d-268d-4c26-ac4a-1ce8cebdbd3a",
			"created_at": "2023-01-06T13:46:38.351187Z",
			"updated_at": "2026-04-10T02:00:02.938577Z",
			"deleted_at": null,
			"main_name": "TEMPER PANDA",
			"aliases": [
				"Admin338",
				"Team338",
				"admin@338",
				"G0018"
			],
			"source_name": "MISPGALAXY:TEMPER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c23ca3e9-6b58-4f24-b4eb-ce3b24815ac4",
			"created_at": "2022-10-25T16:07:24.313367Z",
			"updated_at": "2026-04-10T02:00:04.932247Z",
			"deleted_at": null,
			"main_name": "Temper Panda",
			"aliases": [
				"G0018",
				"Team338",
				"Temper Panda",
				"admin@338"
			],
			"source_name": "ETDA:Temper Panda",
			"tools": [
				"BUBBLEWRAP",
				"Backdoor.APT.FakeWinHTTPHelper",
				"Bozok",
				"Bozok RAT",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"LOLBAS",
				"LOLBins",
				"LOWBALL",
				"Living off the Land",
				"Poison Ivy",
				"SPIVY",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434091,
	"ts_updated_at": 1775791959,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b85fd69d4b454f5ea1d9eed04e555a279a3f4cb7.pdf",
		"text": "https://archive.orkl.eu/b85fd69d4b454f5ea1d9eed04e555a279a3f4cb7.txt",
		"img": "https://archive.orkl.eu/b85fd69d4b454f5ea1d9eed04e555a279a3f4cb7.jpg"
	}
}