{ "id": "cb4dd251-c612-4156-beb8-453749e69767", "created_at": "2026-04-06T00:12:08.654901Z", "updated_at": "2026-04-10T03:38:18.952977Z", "deleted_at": null, "sha1_hash": "bb19b8ab52e8922bb6779ba27f5a5ee270d1dc38", "title": "Analysis of THREATNEEDLE C\u0026C Communication (feat. Google TAG Warning to Researchers)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 73926, "plain_text": "Analysis of THREATNEEDLE C\u0026C Communication (feat. Google\r\nTAG Warning to Researchers)\r\nBy S2W\r\nPublished: 2021-01-29 · Archived: 2026-04-05 21:26:39 UTC\r\n4 min read\r\nJan 27, 2021\r\nAuthor:\r\n(Sojun Ryu)\r\nModified History\r\n- 01/28/2021 IoC Updated\r\n- 01/28/2021 Report Updated\r\nMalware mentioned in “North Korean hackers have targeted security researchers via social media report”\r\npublished by Google Threat Analysis Group (TAG) is considered to be a ThreatNeedle which is dubbed by\r\nKaspersky. We already disclosed the deep analysis regarding C2 communication of ThreatNeedle at DCC 2019\r\nand Kaspersky SAS Lightning Talk 2019.\r\nIn addition, the malware and C2 communication have in common with Operation MalBus.\r\nAdditional Reference for Operation MalBus\r\n\u003e MalBus Actor Changed Market from Google Play to ONE Store\r\nWe briefly delivers only the essential fact in Medium, and for other details, please refer to the attached PDF file\r\nwhich is presented at DCC and Kaspersky SAS.\r\nBelow is tweet from Seongsu Park of Kaspersky GReAT team stating that this malware is ThreatNeedle.\r\nThreatNeedle is already known that it has been used by the Lazarus group along with Manuscrypt from the past.\r\nMost of them operate through HTTP communication, and C\u0026C servers are written in languages such as ASP and\r\nJSP. ThreatNeedle downloaded during the infection process receives commands from the C\u0026C server and\r\nperforms malicious actions, and the overall process is as follows.\r\nThe definition of each term is as below.\r\nhttps://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74\r\nPage 1 of 3\n\nTroy → ThreatNeedle malware installed on Victim\r\nProxy → Control Page of C\u0026C Server (.ASP, .JSP)\r\nfavicon.icon → Store IDs of Infected devices (only Troy’s ID)\r\nbuild.xnl → Store Time, IP, ID of all authenticated connections (Troy and Manager)\r\ndesktops.inf → Store URL of MID server\r\n[TroyID] → Identification value for each infected devices randomly generated when infected with ThreatNeedle\r\n[TroyID].jpg → Store Victim who has [TroyID] information or command result\r\n[TroyID].bmp → Store Attacker’s command\r\nTroy(ThreatNeedle) → Proxy(C\u0026C Page)\r\nThe infected device information is transmitted to Proxy server and waits until specific command is received.\r\nCommunication with the proxy is possible only when a specific type of parameter is transmitted, and Troy’s\r\nconnection is processed by the proxy’s handleTroy function. The action for each commands are as follows.\r\nGet S2W’s stories in your inbox\r\nJoin Medium for free to get updates from this writer.\r\nRemember me for faster sign in\r\nQuery Structure: [Field 1]=[Cmd]\u0026[Field 2]=?\u0026[Field 3]=[TroyID]\u0026[Field 4]=[Packet ID]\u0026[Field 5]=[Buffer\r\nSize]\u0026[Field 6]=[Buffer]\r\nCmd, TroyID, Buffer Size and Buffer are actually used, but the 2nd and 4th field are not in use.\r\nProxy initially receives the command 71 from Troy and saves the information of infected devices as [TroyID].jpg\r\nfile on the Proxy server. After checking the connection with the MID by using the command 81, the ID of the\r\ninfected device, that is, Troy ID, is saved in favicon.icon*. After that, if there is a command file called\r\n[TroyID].bmp, it is read and transmitted to Troy. After the initial authentication is completed, the attacker’s\r\nremote control command is stored in [TroyID].bmp encoded with base64^0xA4, and the result of executing the\r\ncommand is stored in the same encoding method in [TroyID].jpg. Files used in this process are immediately\r\ndeleted.\r\n*favicon.icon → store IDs of Infected devices\r\nProxy → MID\r\nWhen ‘Troy’ connects to the ‘Proxy’, and the command 81 is executed, Proxy sends its information to MID. An\r\n‘attacker’ is capable of identifying the logs stored on MID server in order to identify the ‘Proxy’ servers that are\r\nconnected with ‘Troy.’ In order to communicate with ‘MID’, specific command value and Proxy ID authentication\r\nfrom [Figure 1] should be executed. Commands are sent and received only when the MID server is active.\r\nQuery Structure: id=[CMD]\u0026field=[0 or ProxyURL]\u0026buffer=[ProxyID]\u0026iframe=[1 or 0]\u0026frame=[0 or 1]\r\n[\u0026uframe=3]\r\nhttps://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74\r\nPage 2 of 3\n\nThere are 111 and 112 for CMD. 111 is used to update MID server and 112 is used when Troy is\r\nconnected.\r\nManager → Proxy\r\nThe attacker sends commands to ‘Troy’ through the ‘Manager’. Adversary is capable of handling C\u0026C\r\ninfrastructure such as collecting the stored log file on Proxy server and updating MID server.\r\nQuery Structure: [Field 1]=[Cmd]\u0026[Field 2]=[Target TroyID]\u0026[Field 3]=[TroyID]\u0026[Field 4]=[Additional\r\nInformation]\u0026[Field 5]=[Buffer Size]\u0026[Field 6]=[Buffer]\r\nCmd, TroyID, Buffer Size and Buffer are always used, but the 2nd/4th fields are used only for the certain\r\ncommand.\r\nSource: https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74\r\nhttps://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74" ], "report_names": [ "analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74" ], "threat_actors": [ { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "75108fc1-7f6a-450e-b024-10284f3f62bb", "created_at": "2024-11-01T02:00:52.756877Z", "updated_at": "2026-04-10T02:00:05.273746Z", "deleted_at": null, "main_name": "Play", "aliases": null, "source_name": "MITRE:Play", "tools": [ "Nltest", "AdFind", "PsExec", "Wevtutil", "Cobalt Strike", "Playcrypt", "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434328, "ts_updated_at": 1775792298, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/bb19b8ab52e8922bb6779ba27f5a5ee270d1dc38.pdf", "text": "https://archive.orkl.eu/bb19b8ab52e8922bb6779ba27f5a5ee270d1dc38.txt", "img": "https://archive.orkl.eu/bb19b8ab52e8922bb6779ba27f5a5ee270d1dc38.jpg" } }