{
	"id": "a9fc6a6b-a7ac-4b8e-a32c-0815098cc068",
	"created_at": "2026-04-06T00:13:02.62929Z",
	"updated_at": "2026-04-10T03:33:40.897639Z",
	"deleted_at": null,
	"sha1_hash": "bc631f050b58ddc7a5901be93f7ad482ffffb852",
	"title": "APT40 goes from Template Injections to OLE-Linkings for payload delivery",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 645417,
	"plain_text": "APT40 goes from Template Injections to OLE-Linkings for\r\npayload delivery\r\nBy asuna amawaka\r\nPublished: 2020-03-15 · Archived: 2026-04-05 22:47:47 UTC\r\nMar 10, 2020\r\nI came across a maldoc on VirusTotal that is named to phish and the timing when this maldoc appeared was also\r\npretty “coincidental” with the recent political situation in Malaysia. I’m curious enough to look into this maldoc\r\nfurther.\r\nhttps://medium.com/insomniacs/apt40-goes-from-template-injections-to-ole-linkings-for-payload-delivery-99eb43170a97\r\nPage 1 of 5\r\nAccording to MyCERT’s post[1] in Feb 2020, a set of malware had been found to be targeting Malaysian\r\nGovernment officials, and these were attributed to APT40. Extensive analysis of these files had been done by\r\nvarious researchers and we know the malware families involved are DADJOKE[2] and DADSTACHE[3]. On 27\r\nFeb 2020, this new maldoc surfaced on VirusTotal and delivered a variant of DADSTACHE. This new maldoc is\r\ninteresting, because it employed a different technique of fetching the final payload.\r\nI’ve compiled the following information regarding the different malicious documents used by APT40 against\r\nMalaysia:\r\nIn the latest document (below, MD5 571EFE3A29ED1F6C1F98576CB57DB8A5), it employed a very different\r\nmethod in fetching the final payload. It goes through 3 “fetching layers” of OLE-linkings to finally arrive at\r\nDADSTACHE execution. At the last layer, the RTF document makes use of CVE-2017-0199 to execute the\r\nVBScript within an HTA file. The actual target of this maldoc is unknown, though the file was uploaded to\r\nVirusTotal by a user in Malaysia.\r\nI think one reason for incorporating so many “fetching layers” is to allow layers to change dynamically — at any\r\npoint in time, “Report.docx”, “out.rtf”, “M.png” and “dbgeng.dll” can be altered at the attackers’ side to fetch\r\ndifferent files or to connect to different URLs. Previously, the payloads were already embedded into the malicious\r\ndocument and thus difficult to change after deployment.\r\nDADSTACHE was first observed to be delivered through the maldoc (MD5:\r\nA827D521181462A45A7077AE3C20C9B5). Also notice how this maldoc’s embedded objects’ names look\r\ndifferent from the ones in the previous maldocs in the list.\r\nI’ll do an analysis walkthrough of the DADSTACHE payload in the next post ;)\r\nReferences:\r\n[1] https://www.mycert.org.my/portal/advisory?id=MA-770.022020\r\n[2] https://malpedia.caad.fkie.fraunhofer.de/details/win.dadjoke\r\n[3] https://malpedia.caad.fkie.fraunhofer.de/details/win.dadstache\r\n~~\r\nDrop me a DM if you would like to share findings or samples ;)",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/insomniacs/apt40-goes-from-template-injections-to-ole-linkings-for-payload-delivery-99eb43170a97"
	],
	"report_names": [
		"apt40-goes-from-template-injections-to-ole-linkings-for-payload-delivery-99eb43170a97"
	],
	"threat_actors": [
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434382,
	"ts_updated_at": 1775792020,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc631f050b58ddc7a5901be93f7ad482ffffb852.pdf",
		"text": "https://archive.orkl.eu/bc631f050b58ddc7a5901be93f7ad482ffffb852.txt",
		"img": "https://archive.orkl.eu/bc631f050b58ddc7a5901be93f7ad482ffffb852.jpg"
	}
}