{
	"id": "fe36a8cb-e77a-4a34-8fd4-617cc26434a7",
	"created_at": "2026-04-06T00:21:04.867197Z",
	"updated_at": "2026-04-10T03:36:13.636133Z",
	"deleted_at": null,
	"sha1_hash": "c2959c9fb12228fb1182df2d595f372b7966cac3",
	"title": "Tracking Tick Through Recent Campaigns Targeting East Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 745939,
	"plain_text": "Tracking Tick Through Recent Campaigns Targeting East Asia\r\nBy Ashlee Benge\r\nPublished: 2018-10-18 · Archived: 2026-04-05 23:20:53 UTC\r\nSummary\r\nSince 2016, an advanced threat group that Cisco Talos is tracking has carried out cyberattacks against South Korea\r\nand Japan. This group is known by several different names: Tick, Redbaldknight and Bronze Butler.\r\nAlthough each campaign employed custom tools, Talos has observed recurring patterns in the actor's use of\r\ninfrastructure, from overlaps in hijacked command and control (C2) domains to differing campaign C2s resolving\r\nto the same IP. These infrastructure patterns indicate similarities between the Datper, xxmm backdoor, and Emdivi\r\nmalware families. In this post, we will dive into these parallels and examine the methods used by this actor.\r\nIntroduction\r\nThe APT threat actor known as \"Tick,\" \"Bronze Butler,\" and \"Redbaldknight\" has conducted\r\nespionage campaigns since 2016 against East Asian countries such as Japan and South Korea [1].\r\nTalos analyzed a recent campaign in which compromised websites located in South Korea and\r\nJapan were used as C2 servers for samples belonging to the malware family known as \"Datper,\"\r\nwhich has the ability to execute shell commands on the victim machine and obtain hostnames and\r\ndrive information. Talos found potential links in shared infrastructure between the malware\r\nfamilies Datper, xxmm backdoor, and Emdivi, each of which has been attributed to this threat\r\nactor under one of the above three aliases.\r\nWe obtained this Datper variant through VirusTotal. The sample, written in Delphi code, was submitted toward the\r\nend of July 2018. 
Although the exact attack vector is unclear, the threat actor appears to have selected a legitimate-but-vulnerable Korean laundry service website to host their C2, shown below.\r\nhttps://blog.talosintelligence.com/2018/10/tracking-tick-through-recent-campaigns.html\r\nPage 1 of 7\n\nLegitimate Korean laundry site used as Datper C2 host. The website, located at whitepia[.]co.kr, does not use SSL\r\nencryption or certificates. The specific URL used for C2 communication is:\r\nhxxp://whitepia[.]co[.]kr/bbs/include/JavaScript.php\r\nOnce executed, the Datper variant creates a mutex object called \"gyusbaihysezhrj\" and retrieves several pieces of\r\ninformation from the victim machine, including system information and keyboard layout. Afterward, the sample\r\nattempts to issue an HTTP GET request to the above C2 server, which, at the time of this writing, resolved to the IP\r\n111[.]92[.]189[.]19.\r\nAn example of this request is:\r\nGET /bbs/include/JavaScript.php?ycmt=de4fd712fa7e104f1apvdogtw HTTP/1.1\r\nAccept: */*\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nHost: whitepia[.]co.kr\r\nCache-Control: no-cache\r\nUnfortunately, at the time of this investigation, the C2 server was unavailable, preventing Talos from investigating\r\nC2 communications in greater detail. However, Talos was able to analyze a previous campaign from 2017, which\r\nemployed a similar sample from this family and used a slightly different mutex, \"d4fy3ykdk2ddssr.\" All samples\r\nin the diagram below, associated with the 2017 campaign, implemented mutex object \"d4fy3ykdk2ddssr,\" likely to\r\nprevent access from other processes during execution.\r\nStructure of C2 communications from the 2017 campaign. 
The actor behind this campaign deployed and managed\r\ntheir C2 infrastructure mainly in South Korea and Japan. We confirmed that the actor periodically changed their\r\nC2 infrastructure and appears to have a history of identifying and penetrating vulnerable websites located in these\r\ncountries. In addition to whitepia[.]co[.]kr, we identified other instances of compromised websites used as C2\r\nservers. It is possible the malware samples are being delivered using web-based attacks, such as drive-by\r\ndownloads or watering hole attacks. Additionally, Talos identified hosts used as C2 servers that may not be\r\nconnected to a compromised website. This indicates the possibility that the threat actor may have initially\r\ndeployed their C2 server infrastructure on legitimately obtained (and potentially purchased) hosts.\r\nOverlaps in the compromised websites used as C2 domains suggest links to another malware family known as\r\n\"xxmm backdoor\" (or alternatively, \"Murim\" or \"Wrim\"), a malware family that allows an attacker to install\r\nadditional malware. 
The GET request URI paths of xxmm backdoor and Datper are similar, as seen below:\r\nxxmm backdoor: hxxp://www.amamihanahana.com/diary/archives/a_/2/index.php\r\nDatper: hxxp://www.amamihanahana.com/contact/contact_php/jcode/set.html\r\nBased on the findings above, both tools have used the same websites located in Japan in their C2 infrastructure\r\nsince 2016.\r\nThe xxmm sample, shown on the right-hand side of the diagram above, has the hash\r\n397a5e9dc469ff316c2942ba4b503ff9784f2e84e37ce5d234a87762e0077e25 [2].\r\nThe extracted PDB debug symbol paths from the sample are:\r\nC:\\Users\\123\\Documents\\Visual Studio 2010\\Projects\\shadowWalker\\Release\\BypassUacDll.pdb\r\nC:\\Users\\123\\Documents\\Visual Studio 2010\\Projects\\shadowWalker\\Release\\loadSetup.pdb\r\nC:\\Users\\123\\documents\\visual studio 2010\\Projects\\xxmm2\\Release\\test2.pdb\r\nC:\\Users\\123\\Desktop\\xxmm3\\x64\\Release\\ReflectivLoader.pdb\r\nIn addition to the links between Datper and xxmm backdoor, a recent Datper variant compiled in March 2018 used\r\na legitimate website as a C2, which resolved to the IP 211[.]13[.]196[.]164. This same IP was used as C2\r\ninfrastructure by the Emdivi malware family — a trojan that opens a backdoor on the compromised machine —\r\nand was attributed to the threat actor behind the campaign \"Blue termite\" [3].\r\nStructure of 2018 Datper and Emdivi campaigns. Our passive DNS lookup data of Resource Records (RR) for\r\ndomains used by Datper and Emdivi further suggest that this IP was used by both malware families.\r\nResource record for Datper.\r\nResource record for Emdivi.\r\nConclusion\r\nTalos' investigation into attacks conducted by this actor indicates commonalities between the\r\nDatper, xxmm backdoor, and Emdivi malware families. Specifically, these similarities are in the\r\nC2 infrastructure of attacks utilizing these malware families. 
Some C2 domains used in these\r\nattacks resolve to hijacked, legitimate South Korean and Japanese hosts and may have been\r\npurchased by the attacker. Successful attacks utilizing these malware families may result in shell\r\ncommands being run on victim machines, resulting in a potential leak of sensitive information.\r\nCisco security products protect our customers in a range of ways, detailed below.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on 
Snort.org.\r\nIOCs:\r\nHashes\r\nIPs used for C\u0026C communication\r\nC\u0026C servers resolving to malicious IPs\r\nSource: https://blog.talosintelligence.com/2018/10/tracking-tick-through-recent-campaigns.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2018/10/tracking-tick-through-recent-campaigns.html"
	],
	"report_names": [
		"tracking-tick-through-recent-campaigns.html"
	],
	"threat_actors": [
		{
			"id": "c92de6de-9538-43e5-9190-9da092194884",
			"created_at": "2022-10-25T16:07:23.411024Z",
			"updated_at": "2026-04-10T02:00:04.587683Z",
			"deleted_at": null,
			"main_name": "Blue Termite",
			"aliases": [
				"Blue Termite",
				"Cloudy Omega"
			],
			"source_name": "ETDA:Blue Termite",
			"tools": [
				"Emdivi",
				"Newsripper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbefc37d-475c-4d4d-b80b-7a55f896de82",
			"created_at": "2022-10-25T15:50:23.571783Z",
			"updated_at": "2026-04-10T02:00:05.302196Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"BRONZE BUTLER",
				"REDBALDKNIGHT"
			],
			"source_name": "MITRE:BRONZE BUTLER",
			"tools": [
				"Mimikatz",
				"build_downer",
				"cmd",
				"ABK",
				"at",
				"BBK",
				"schtasks",
				"down_new",
				"Daserf",
				"ShadowPad",
				"Windows Credential Editor",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "48782737-377b-47b4-aff0-87424208a643",
			"created_at": "2023-01-06T13:46:38.569144Z",
			"updated_at": "2026-04-10T02:00:03.02685Z",
			"deleted_at": null,
			"main_name": "Blue Termite",
			"aliases": [
				"Cloudy Omega",
				"Emdivi"
			],
			"source_name": "MISPGALAXY:Blue Termite",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434864,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c2959c9fb12228fb1182df2d595f372b7966cac3.pdf",
		"text": "https://archive.orkl.eu/c2959c9fb12228fb1182df2d595f372b7966cac3.txt",
		"img": "https://archive.orkl.eu/c2959c9fb12228fb1182df2d595f372b7966cac3.jpg"
	}
}