{
	"id": "af6e8e52-2d5e-45a9-86ba-9557aeb602fb",
	"created_at": "2026-04-06T00:12:47.424858Z",
	"updated_at": "2026-04-10T13:12:01.212348Z",
	"deleted_at": null,
	"sha1_hash": "c67bbc0611eccc182de2c4dfa30134069e421480",
	"title": "Researchers Discover New variants of APT34 Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 860706,
	"plain_text": "Researchers Discover New variants of APT34 Malware\r\nArchived: 2026-04-05 23:11:33 UTC\r\nSource | Hash Value | C2 Domain | Details\r\nFireEye Report | C9F16F0BE8C77F0170B9B6CE876ED7FB | proxychecker[.]pro | Contains both POWRUNER and BONDUPDATER; communicates with C2 via proxychecker[.]pro/update_wapp.aspx; POWRUNER appears to not have the ability to save files\r\nATH Tool | 87FB0C1E0DE46177390DE3EE18608B21 | poison-frog[.]club | Contains both POWRUNER and BONDUPDATER; communicates with C2 via poison-frog[.]club/update_wapp.aspx; POWRUNER appears to not have the ability to save files\r\nATH Tool | A602A7B6DEADC3DFB6473A94D7EDC9E4 | poison-frog[.]club | Contains both POWRUNER and BONDUPDATER; communicates with C2 via poison-frog[.]club/update_wapp.aspx; POWRUNER appears to not have the ability to save files\r\nRetroHunt | 4EA656D10BEAC05D69252D270592 | poison-frog[.]club | Contains only POWRUNER; communicates with C2 via poison-frog[.]club/update_wapp.aspx; POWRUNER appears to not have the ability to save files; POWRUNER contains more Base64 obfuscation effort than other versions\r\nTable 1. Relationship between original binary and three discovered variants.\r\n
As you can see from Table 1 above, these files exhibit many similar characteristics and behaviors. Most of the differences appear to be cosmetic and do not affect the underlying functionality. Our analysts took a closer look at the C2 domain poison-frog[.]club, which is used in 3 of the 4 files, and found that it overlaps with the findings of the FireEye report. The domain resolved to 82.102.14.219 from at least August 2017 until December 2017. Additional domains that resolved to that IP during that time frame are dns-update[.]club, hpserver[.]online, and anyportals[.]com, all of which were mentioned in the FireEye report. The other C2 domain used, proxycheker[.]pro, resolved to 94.23.172.164 and 185.15.247.147, with 185.15.247.147 also hosting dns-update[.]club during that time frame. This newfound evidence, in combination with similar versions of POWRUNER and BONDUPDATER, the existence of the same debug strings in the code of each variant, and the overlapping infrastructure, indicates that these three new binaries are also associated with APT34 operations.\r\n
The domain generation algorithm (DGA) used in one version of the BONDUPDATER backdoor is broken down into two parts: send and receive. If data is being sent, then the following format is used (example query from the original figure, fields numbered 1 to 8): 000C20009204A601 7D A 56 7 6556666775466767667566765657661c79e4f73cd932f3f64ca161c45041 336662009e6a .poison-frog[.]club\r\n1. Unique ID, created by combining an ID generated from the MAC address (or an encoded version of whoami) with two other parameters, which are inserted at two different random offsets in the unique ID\r\n2. Random characters generated from: -join ((48 .. 57)+(65 .. 70) | Get-Random -Count (%{ Get-Random -InputObject (1 .. 7) }) | %{ [char]$_ })\r\n3. Hardcoded \"A\"\r\n4. The two random offset values referenced in #1\r\n5. Hardcoded \"7\"\r\n6. Data chunk being sent\r\n7. Encoded filename being sent\r\n8. Hardcoded domain \".poison-frog[.]club\"\r\n
If data is being received, then the following format is used (example query from the original figure, fields numbered 1 to 6): 0800C0092904A601 02 A 51 7 .poison-frog[.]club\r\n1. Unique ID, created by combining an ID generated from the MAC address (or an encoded version of whoami) with two other parameters, which are inserted at two different random offsets in the unique ID\r\n2. Random characters generated from: -join ((48 .. 57)+(65 .. 70) | Get-Random -Count (%{ Get-Random -InputObject (1 .. 7) }) | %{ [char]$_ })\r\n3. Hardcoded \"A\"\r\n4. The two random offset values referenced in #1\r\n5. Hardcoded \"7\"\r\n6. Hardcoded domain \".poison-frog[.]club\"\r\nhttps://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html\r\nPage 1 of 6\n\nThe domain generation process differs from the one described in the FireEye report. However, it would still be detected by DarkLabs' custom DGA detection mechanism.\r\n
In early January 2018, ClearSky Cyber Security tweeted about two new malware samples attributed to OilRig/APT34. These samples were being deployed via a malicious .chm (Compiled HTML Help) file. ClearSky provides a link to a Google document they use for \"Raw Threat Intelligence\" which contained additional IOCs associated with this campaign. Two hashes provided in that document are for versions of POWRUNER (MD5: BED81E58EF8FF0B073E371D433A08855) and BONDUPDATER (MD5: 63D6B1933F7330358A8FBFAF77532133). These two backdoors contain a reference to another C2 domain, www.window5[.]win. Using the custom tool developed in DarkLabs, we were able to pivot from these samples and discover an additional sample each of POWRUNER and BONDUPDATER.\r\n
These two new samples exhibit similar behavior to the samples mentioned in the FireEye report. However, there are a few slight differences, namely the use of a new C2 domain and URI, www.window5[.]win/update.aspx. At the time of writing, that domain resolves to 185.181.8.246. Current research indicates that this IP does not host any other publicly available domains. Additionally, the %PUBLIC%\\Java location (e.g. C:\\Users\\Public\\Java) is used as a staging directory in this version of POWRUNER.\r\n
Source | Hash Value | C2 Domain | Details\r\nClearSky Cyber Security | BED81E58EF8FF0B073E371D433A08855 | window5[.]win | POWRUNER; communicates with C2 via www.window5[.]win/update.aspx\r\nClearSky Cyber Security | 63D6B1933F7330358A8FBFAF77532133 | window5[.]win | BONDUPDATER; communicates via DGA-based DNS to window5[.]win\r\nATH Tool | CBE2F69D9EF39093D8645D3C93FD7F21 | window5[.]win | POWRUNER; communicates with C2 via www.window5[.]win/update.aspx\r\nATH Tool | 277FF86501B98A4FF8C945AC4D4A7C53 | window5[.]win | BONDUPDATER; communicates via DGA-based DNS to window5[.]win\r\nTable 2. Relationship between original two samples and two discovered variants.\r\n
IOC - Network\r\nDomain/IP Address | Description\r\nproxycheker[.]pro | C2\r\npoison-frog[.]club | C2\r\nwindow5[.]win | C2\r\n82.102.14.219 | Has resolved poison-frog[.]club, dns-update[.]club, hpserver[.]online and anyportals[.]com\r\n94.23.172.164 | Has resolved proxycheker[.]pro\r\n185.15.247.147 | Has resolved proxycheker[.]pro and dns-update[.]club\r\n185.181.8.246 | Has resolved window5[.]win\r\n
IOC - Endpoint\r\nFilename | Description | MD5 Hash (prefix)\r\ndupdatechecker.exe | Dropper of POWRUNER and BONDUPDATER | C9F16F0BE8C77F0170B9B\r\nexeruner_new.exe | Dropper of POWRUNER and BONDUPDATER | 87FB0C1E0DE46177390DE\r\nexeruner.exe | Dropper of POWRUNER and BONDUPDATER | A602A7B6DEADC3DFB647\r\nexeruner_new.exe | Dropper of POWRUNER | 4EA656D10BE1D6EAC05D\r\nGoogleUpdateschecker.vbs | Deploys POWRUNER | 6F2CA6D892CCA631C1912\r\nJavaUpdates | Scheduled Task to run VBS script | 0681F2459EDF28DCD99493\r\nrUpdateChecker.ps1 | Sets up scheduled task to deploy POWRUNER | EE93A172937D37D3152D69\r\nGoogleUpdateTasks.vbs | Deploys POWRUNER and BONDUPDATER | F0B278427C8841C5D1A79E\r\nJavaUpdatesTasksHosts | Scheduled Task to run VBS script | 52973212E6373585F55B4DD\r\nrUpdateChecker.ps1 | Sets up scheduled task to deploy POWRUNER and BONDUPDATER | 06D537AF8C43F65FC46778\r\nGoogleUpdateschecker.vbs | Deploys POWRUNER and BONDUPDATER | 33E86AB6621F3DB7CD7E3\r\nJavaUpdates | Scheduled Task to run VBS script | 517D1D51414019272849E7C\r\nrUpdateChecker.ps1 | Sets up scheduled task to deploy POWRUNER and BONDUPDATER | 614DDCCDCAF73172C121\r\nUpdateCheckers.ps1 | BONDUPDATER | 1DE8F76404EB799C780DA\r\ndUpdateCheckers.ps1 | BONDUPDATER | 27ACDFAB0A264B4EBD4D\r\nGoogleUpdates.vbs | Deploys POWRUNER and BONDUPDATER | D9BBB27B0C5249D681179\r\nJavaUpdatesTask | Scheduled Task to run VBS script | 347929555E8D7174D82356F\r\nrUpdateChecker.ps1 | Sets up scheduled task to deploy POWRUNER and BONDUPDATER | C3572009CA311F44A99C4F\r\nhxyz.ps1 | POWRUNER | BED81E58EF8FF0B073E37\r\ndxyz.ps1 | BONDUPDATER | 63D6B1933F7330358A8FBF\r\nunknown | POWRUNER | CBE2F69D9EF39093D8645D\r\nunknown | BONDUPDATER | 277FF86501B98A4FF8C945\r\n
Yara Signature for the dropper\r\n// Rule header added so the signature compiles; the rule name is assumed, not part of the original signature\r\nrule exeruner_dropper\r\n{\r\n    strings:\r\n        // PDB paths left in the dropper binaries (see Table 1)\r\n        $exeruner_string_1 = \"C:\\\\Users\\\\aaa\\\\documents\\\\visual studio 2015\\\\Projects\\\\exeruner\\\\exeruner\\\\obj\\\\Debug\\\\exeruner.pdb\"\r\n        $exeruner_string_2 = \"C:\\\\Users\\\\aaa\\\\Desktop\\\\test\\\\exeruner\\\\exeruner\\\\obj\\\\Debug\\\\exeruner_new.pdb\"\r\n    condition:\r\n        $exeruner_string_1 or $exeruner_string_2\r\n}\r\n
By diving deeper and pivoting on known indicators using techniques developed and honed by our experienced analysts, the indicator lifecycle can diversify discovery. In this case, analysts discovered additional unreported, yet campaign-associated, IOCs that can be used for further detection. Additionally, our analysts also developed YARA signatures for static detection, and TTP-based signatures to deploy to EDR tools or for hunting through endpoint telemetry data.\r\n
The Booz Allen DarkLabs Threat Hunt team recommends deploying detection to endpoints for the hashes listed above and performing a retroactive search for the domains and IPs in SIEM logs. We also recommend the use of telemetry data collected via EDR tools to continuously hunt for this behavior. Monitoring for the behavior or TTP is a critical step because although IOCs can be used for detection and discovery, they can in many cases be changed cheaply and easily. Our advanced Threat Hunt team always recommends a robust proactive approach to threat hunting with a focus on behavioral detection.\r\n
Please contact us if you would like to learn more about the DarkLabs Threat Hunt team or if you are interested in joining our team.\r\nSource: https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html"
	],
	"report_names": [
		"dark-labs-discovers-apt34-malware-variants.html"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434367,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c67bbc0611eccc182de2c4dfa30134069e421480.pdf",
		"text": "https://archive.orkl.eu/c67bbc0611eccc182de2c4dfa30134069e421480.txt",
		"img": "https://archive.orkl.eu/c67bbc0611eccc182de2c4dfa30134069e421480.jpg"
	}
}