{
	"id": "14504048-4674-4dc0-9277-c1d77a4f80c9",
	"created_at": "2026-04-06T01:32:11.82248Z",
	"updated_at": "2026-04-10T03:33:45.86119Z",
	"deleted_at": null,
	"sha1_hash": "c6fb58d464d1dc9dc89982cf216aecf5c7ab6b77",
	"title": "Uncovering New Activity By APT10 | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1753314,
	"plain_text": "Uncovering New Activity By APT10 | FortiGuard Labs\r\nBy Ben Hunter\r\nPublished: 2019-10-15 · Archived: 2026-04-06 00:43:43 UTC\r\nFortiGuard Labs Threat Analysis Report: This blog originally appeared on the enSilo website and is republished\r\nhere for threat research purposes. enSilo was acquired by Fortinet in October 2019.\r\nSummary\r\nIn April 2019, we detected what we believe to be new activity by the Chinese cyber espionage group APT10. The\r\ndiscovered variants are previously unknown and deploy malware that is unique to the threat actor. These malware\r\nfamilies have a rich history of being used in numerous targeted attacks against government and private\r\norganizations. The activity surfaced in Southeast Asia, a region where APT10 frequently operates.\r\nOverview\r\nTowards the end of April 2019, we tracked down what we believe to be new activity by APT10, a Chinese cyber\r\nespionage group. Both of the loader’s variants, as well as the various payloads that we analyzed share similar\r\nTactics, Techniques, and Procedures (TTPs) and code associated with APT10.\r\nAlthough they deliver different payloads to a victim's machine, both variants drop the following files beforehand:\r\njjs.exe - legitimate executable\r\njli.dll - malicious DLL\r\nmsvcrt100.dll - legitimate Microsoft C Runtime DLL\r\nsvchost.bin - binary file\r\njjs.exe is a JVM-based implementation of a javascript engine that is part of the Java platform developed by Oracle,\r\nbut in this case it served as a loader for the malware.\r\nAmong the payloads we found were PlugX and Quasar RATs. The former is well known to be developed in-house\r\nby the group with a rich history of being used in many targeted attacks against different government and private\r\norganizations. 
PlugX is modular malware with many different operational plugins, such as\r\ncommunication compression and encryption, network enumeration, file interaction, remote shell operations, and\r\nmore.\r\nThe samples we analyzed originated from the Philippines. APT10 frequently targets the Southeast Asia region.\r\nIn this article we examine both versions of the loader along with their payloads, TTPs, and Command and Control\r\n(C\u0026C) server information.\r\nLoader\r\nhttps://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-Page 1 of 11\n\nAbusing a Legitimate Executable\r\nThe loader starts out by running a legitimate executable, which is abused to load a malicious DLL instead of the\r\nlegitimate one on which it depends. The method is known as DLL Side-Loading.\r\nIn both variants, the abused executable is jjs.exe, which loads jli.dll. The DLL exports the following functions:\r\nJLI_CmdToArgs\r\nJLI_GetStdArgs\r\nJLI_GetStdArgc\r\nJLI_MemAlloc\r\nJLI_Launch\r\nThe first function called by jjs.exe is JLI_CmdToArgs, which is implemented by the malware author and behaves\r\ndifferently in each variant.\r\nRunning The Payload\r\nThe malicious DLL maps the data file, svchost.bin, to memory and decrypts it. 
The decrypted content is\r\nshellcode that is injected into svchost.exe and contains the actual malicious payload.\r\nThe decryption process resembles previous versions used by the group in PlugX\\RedLeaves.\r\nFigure 1: Decryption of the binary file\r\nThe injection flow is rather simple and is done by creating a process in a suspended state, allocating memory\r\nwith VirtualAllocEx, writing the shellcode with WriteProcessMemory, and running it using CreateRemoteThread.\r\nThe complete execution flow is visualized in Figure 2, below.\r\nFigure 2: Loader’s execution flow\r\nVariant 1\r\nThe first variant uses a service as its persistence method. It installs itself (jjs.exe) as a service and starts it. When\r\nrunning in the context of the service, it performs the decryption and injection described above.\r\nWe have observed the variant delivering both Quasar and PlugX, which we’ll discuss later on.\r\nAmong the different samples we tested, we encountered the following service names being registered:\r\nWxUpdateServiceInfo\r\nHxUpdateServiceInfo\r\nWinDefendSec\r\nWeb_Client\r\nclr_optimization_v4.0.30319_31\r\nclr_optimization_v4.0.30319_37\r\nVariant 2\r\nUnlike the first variant, this variant uses the Run registry key for the current user under the name “Windows\r\nUpdata” to ensure its persistence, rather than installing a service. 
This variant delivered the same PlugX DLL as\r\nthe first loader.\r\nPayloads\r\nModified Quasar RAT\r\nThe injected shellcode reflectively loads into memory an executable that it reconstructs from data bundled with it.\r\nThe reflective loading code is obfuscated, as function calls are made by dynamically resolving their addresses\r\naccording to hashed values.\r\nThe executable tries to run conhost.exe from C:\\Users\\Public\\Documents, and in case it doesn’t exist, it turns\r\nto ffca[.]caibi379[.]com to download it. The code that sends the HTTP request seems to be buggy.\r\nWhile wininet!InternetOpenW (the Unicode version of the function) is used, an ASCII value is provided as the User-Agent, so instead of “RookIE/1.0”, the request headers will include inconsistent and meaningless values, as can be\r\nseen in Figure 3.\r\nFigure 3: .NET downloader’s HTTP request\r\nIn our analysis, the conhost.exe that was downloaded is itself another downloader written in .NET and disguised\r\nas a legitimate system executable.\r\nThis extremely simplified downloader only has the ability to download and execute a base64-encoded executable\r\nfrom the hardcoded address using a simple System.Net.WebClient HTTP\r\nrequest: ffca[.]caibi379[.]com/rwjh/qtinfo.txt.\r\nThe downloaded payload is a modified Quasar RAT. 
This version contains the addition of SharpSploit to extract\r\npasswords from a victim’s machine using the framework’s built-in mimikatz capabilities.\r\nFigure 4: Quasar Assembly information\r\nFigure 5: Embedded SharpSploit code\r\nExamining the sample’s configuration, we found the following:\r\nC\u0026C server: cahe.microsofts.org:443\r\nMutex name: “QSR_MUTEX_rSifQNOVTwHrsBs2nd”\r\nA self-signed certificate issued to “MSGQ Server CA” (as seen in Figure 6)\r\nFigure 6: Quasar's embedded certificate\r\nPlugX\r\nFollowing the injection into svchost.exe by the loader, the shellcode decrypts another part of itself and uses the\r\nRtlDecompressBuffer API to further unpack the PlugX DLL. The DOS and NT headers’ magic values, MZ and\r\nPE respectively, were replaced with VX, a typical behavior for PlugX payloads. This is meant to prevent security\r\nproducts and automated tools from identifying the executable headers when performing memory scans.\r\nLike previous versions of PlugX, it collects information about the infected machine, such as the computer name,\r\nusername, OS version, RAM usage, network interfaces, and resources.\r\nIn an attempt to generate noise around the malware’s allocation and release of memory, the authors wrapped those\r\ncalls with dummy calls to the GetForegroundWindow API function, as can be seen in Figure 7.\r\nFigure 7: Dummy calls to GetForegroundWindow\r\nThis sample shares some similarities with the Paranoid PlugX variant. For example, it goes a long way to\r\ncompletely remove any sign of McAfee’s email proxy service from the infected machine. 
Besides killing the\r\nprocess, it also makes sure to delete any related keys in the registry, and recursively deletes any related files and\r\ndirectories on the machine. The same behavior was observed in the Paranoid variant as part of a VBScript that\r\nthe dropper runs.\r\nTypically, APT10 tends to employ a typosquatting scheme in their domains that aims to confuse the observer by\r\nposing as a legitimate domain. In the configuration bundled with the samples we found the following:\r\nThe sample in the first loader communicates with update[.]microsofts[.]org with DNS over TCP.\r\nThe sample in the second loader communicates with update[.]kaspresksy[.]com over HTTPS.\r\nThreat Intelligence\r\nWhen examining the first loader variant’s domain (ffca[.]caibi379[.]com), we discovered that it resolved to the\r\nfollowing IP addresses according to VirusTotal:\r\nDate Resolved IP\r\n2019-04-24 27.102.128.157\r\n2019-03-23 27.102.127.80\r\n2019-01-30 27.102.127.75\r\nWhile all the IP address ranges are listed under the name of an organization located in South Korea, the domain\r\nitself was registered in Hong Kong.\r\nReverse lookup on the IP addresses shows that some of them used to resolve from another domain, *\r\n[.]microsofts[.]org. 
As mentioned before, cahe.microsofts.org is the command and control server for the Quasar\r\npayload, and update.microsofts.org is used for the PlugX payload delivered by the first loader variant.\r\nThe PlugX domains resolve to the following addresses:\r\nDate Resolved IP\r\n2019-04-27 27.102.66.67\r\n2019-02-19 27.102.115.249\r\n2019-03-15 27.102.127.80\r\nWhile looking at the other subdomains of kaspresksy[.]com we discovered that:\r\ndownload[.]kaspresksy[.]com resolves to 27.102.113.118\r\napi[.]kaspresksy[.]com resolves to 27.102.114.246\r\n27.102.114.246 previously resolved from the following domains:\r\nsmsapi[.]tencentchat[.]net\r\nonedrive[.]miscrosofts[.]com\r\nWe noticed a password-protected zip named “Chrome_Updata” being associated with\r\nthe download[.]kaspresksy[.]com domain. The zip contained a sample of the Poison Ivy malware, which is also\r\nknown to be used by APT10. The same executable was also seen communicating with 27.102.115.249, which also\r\nappeared to be mapped to update[.]kaspresksy[.]com.\r\nAll of the overlaps in the network infrastructure make it very reasonable to assume that the same group is\r\noperating both variants.\r\nConclusion\r\nBoth variants of the loader implement the same decryption and injection mechanism.\r\nLooking at the history of APT10, one can notice major similarities in the details we highlighted in this post:\r\nA bundle of legitimate executables is used to sideload a custom DLL, along with storing the payload in a\r\nseparate, encrypted file.\r\nUse of typosquatting domain names similar to real, legitimate tech companies.\r\nUnique malware families both developed by, and associated with, the group.\r\nUsing C\u0026C servers located in South Korea.\r\nSome of the mentioned domain mappings were recently updated. 
Also, the certificate embedded in the Quasar\r\nsample was issued on 22.12.2018, which correlates with the file’s compilation date. This may indicate that these\r\nsamples are a part of a testing environment or a short-lived attack that is already finished. Either way, it’s safe to\r\nsay that the threat actor behind APT10 is still active and that we have yet to see the last of the group.\r\nIOCs\r\nLoader v1:\r\n41542d11abf5bf4a18332e9c4f2c8d1eb5c7e5d4298749b610d86caaa1acb62c (conhost.exe downloader jli.dll)\r\n29b0454db88b634656a3fc7c36f318b126a83ae8fb7f73fe9ff349a8f8536c7b (conhost.exe downloader svchost.bin)\r\n02b95ef7a33a87cc2b3b6fd47db03e711045974e1ecf631d3ba9e076e1e374e9 (PlugX jli.dll)\r\ne0f91da52fdc61757f6a3f276ae77b01d2d1cc4b3743629c5acbd0341e5de80e (PlugX svchost.bin)\r\nLoader v2:\r\nf13536685206a94a8d3938266f100bb2dffa740a202283c7ea35c58e6dbbb839 (PlugX jli.dll)\r\nc8d86e9f486d23285b744279812ef9047a0908e39656c2ea4cdf3e182f80e11d (PlugX svchost.bin)\r\n.NET Downloader (conhost.exe):\r\n96649c5428c874f2228c77c96526ff3f472bc2425476ad1d882a8b55faa40bf5\r\nQuasar RAT:\r\n0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded\r\nSolutions\r\nThe FortiEDR platform is capable of detecting this threat both pre-execution and post-execution.\r\nThe Web Filtering service categorized all the network IOCs as malicious.\r\nLearn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and\r\nServices portfolio. Sign up for the weekly Threat Brief from FortiGuard Labs. 
\r\nLearn more about Fortinet’s free cybersecurity training initiative or about the Fortinet Network Security Expert\r\nprogram, Network Security Academy program, and FortiVet program.\r\nSource: https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-"
	],
	"report_names": [
		"uncovering-new-activity-by-apt-"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439131,
	"ts_updated_at": 1775792025,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c6fb58d464d1dc9dc89982cf216aecf5c7ab6b77.pdf",
		"text": "https://archive.orkl.eu/c6fb58d464d1dc9dc89982cf216aecf5c7ab6b77.txt",
		"img": "https://archive.orkl.eu/c6fb58d464d1dc9dc89982cf216aecf5c7ab6b77.jpg"
	}
}