{ "id": "40f9dc3b-be8c-4ea8-a77e-85b0af896f14", "created_at": "2026-04-06T00:09:30.209273Z", "updated_at": "2026-04-10T03:35:34.417042Z", "deleted_at": null, "sha1_hash": "b9dd268748ac02f9bca810d3f8fbfea7c8414d13", "title": "PLATINUM Hackers Hijack Windows Hotpatching to Stay Hidden", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 487035, "plain_text": "PLATINUM Hackers Hijack Windows Hotpatching to Stay\r\nHidden\r\nBy The Hacker News\r\nPublished: 2016-04-28 · Archived: 2026-04-05 22:51:55 UTC\r\nIn Brief\r\nThe Microsoft’s Windows Defender Advanced Threat Hunting team detected that a cyber espionage group of\r\nhackers, known as PLATINUM, has found a way to turn the Windows's Hotpatching technique (a way of updating\r\nthe operating system without requiring a restart) to hide its malware from Antivirus products.\r\nPLATINUM group has been active since 2009 and launching large-scale attacks against governmental\r\norganizations, intelligence agencies, defense institutes and telecommunication providers in South and Southeast\r\nAsia.\r\nPractically speaking, the most important thing for a sophisticated APT hacker and a cyber-espionage group is to\r\nremain undetected for the longest possible period.\r\nWell, that's exactly what an APT (Advanced Persistent Threat) group has achieved.\r\nThe Microsoft’s Windows Defender Advanced Threat Hunting team has discovered that an APT group, dubbed\r\nPlatinum, has been spying on high-profile targets by abusing a \"novel\" technique called Hotpatching.\r\nhttps://thehackernews.com/2016/04/windows-hotpatching-malware.html\r\nPage 1 of 3\n\nIntroduced in Windows Server 2003, the Hotpatching feature allows Microsoft to upgrade applications or the\r\noperating system in the running system without having to reboot the computer by inserting the new, updated code\r\ninto a server.\r\nThe Platinum hacking group has often used the spear-phishing technique to penetrate initially the targeted\r\nnetworks, used numerous zero-day vulnerabilities in attacks, and has taken many efforts to hide its attacks.\r\nThe latest report released by Microsoft said the Platinum group abused the Windows’ hotpatching feature,\r\nallowing it to inject malicious code into running processes without having to reboot the server and then later hide\r\nbackdoors and other malware from installed antivirus solution.\r\n\"If the tool fails to inject code using hot patching, it reverts to attempting the other more common code\r\ninjection techniques into common Windows processes, primarily targeting winlogon.exe, lsass.exe, and\r\nsvchost.exe,\" Microsoft said in its report.\r\nThe hotpatching technique works against Windows Server 2003 Service Pack 1, Windows Server 2008, Windows\r\nServer 2008 R2, Windows Vista, and Windows 7. Platinum abused the technique in real-world attacks to hide its\r\nefforts from analysis.\r\nThe group has been using the Hotpatching technique to install the Dipsing, Adbupd and JPIN backdoors on\r\nnetworks belonging to governmental organizations, including defense organizations, intelligence agencies,\r\ndiplomats and Internet Service Providers (ISPs) and then to steal sensitive data.\r\nThe goal of the attacks doesn’t appear to have been immediate financial gain; rather the Platinum APT group is up\r\nto a broader economic espionage campaign using stolen information.\r\nThe group has been targeting countries in South and Southeast Asia since at least 2009, with Malaysia being its\r\nbiggest victim, following Indonesia, China, and India.\r\nThough the Platinum group is still active, there is still a way for organizations and companies to avoid infection.\r\nMicrosoft's security experts explain that the hotpatching technique requires admin-level permissions, so the threat\r\nactors are sending spear-phishing emails that come with boobytrapped Office documents to infect each target.\r\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content\r\nwe post.\r\nhttps://thehackernews.com/2016/04/windows-hotpatching-malware.html\r\nPage 2 of 3\n\nSource: https://thehackernews.com/2016/04/windows-hotpatching-malware.html\r\nhttps://thehackernews.com/2016/04/windows-hotpatching-malware.html\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://thehackernews.com/2016/04/windows-hotpatching-malware.html" ], "report_names": [ "windows-hotpatching-malware.html" ], "threat_actors": [ { "id": "7d8ef10e-1d7b-49a0-ab6e-f1dae465a1a4", "created_at": "2023-01-06T13:46:38.595679Z", "updated_at": "2026-04-10T02:00:03.033762Z", "deleted_at": null, "main_name": "PLATINUM", "aliases": [ "TwoForOne", "G0068", "ATK33" ], "source_name": "MISPGALAXY:PLATINUM", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e61c46f7-88a1-421a-9fed-0cfe2eeb820a", "created_at": "2022-10-25T16:07:24.061767Z", "updated_at": "2026-04-10T02:00:04.854503Z", "deleted_at": null, "main_name": "Platinum", "aliases": [ "ATK 33", "G0068", "Operation EasternRoppels", "TwoForOne" ], "source_name": "ETDA:Platinum", "tools": [ "AMTsol", "Adupib", "Adupihan", "Dipsind", "DvDupdate.dll", "JPIN", "LOLBAS", "LOLBins", "Living off the Land", "RedPepper", "RedSalt", "Titanium", "adbupd", "psinstrc.ps1" ], "source_id": "ETDA", "reports": null }, { "id": "33f527a5-a5da-496a-a48c-7807cc858c3e", "created_at": "2022-10-25T15:50:23.803657Z", "updated_at": "2026-04-10T02:00:05.333523Z", "deleted_at": null, "main_name": "PLATINUM", "aliases": [ "PLATINUM" ], "source_name": "MITRE:PLATINUM", "tools": [ "JPIN", "Dipsind", "adbupd" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434170, "ts_updated_at": 1775792134, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b9dd268748ac02f9bca810d3f8fbfea7c8414d13.pdf", "text": "https://archive.orkl.eu/b9dd268748ac02f9bca810d3f8fbfea7c8414d13.txt", "img": "https://archive.orkl.eu/b9dd268748ac02f9bca810d3f8fbfea7c8414d13.jpg" } }