{
	"id": "252c5f4b-ae9c-4565-869d-a5067c680f0b",
	"created_at": "2026-04-06T00:08:19.342216Z",
	"updated_at": "2026-04-10T13:12:07.067934Z",
	"deleted_at": null,
	"sha1_hash": "c8213a40e71e8447106d010c417e6ca62ab4032c",
	"title": "New WhiteShadow downloader uses Microsoft SQL to retrieve malware | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 853940,
	"plain_text": "New WhiteShadow downloader uses Microsoft SQL to retrieve malware | Proofpoint US\r\nBy Bryan Campbell and Jeremy Hedges with the Proofpoint Threat Insight Team\r\nPublished: 2019-09-26 · Archived: 2026-04-05 22:38:37 UTC\r\nOverview\r\nWhile not a new development, the use of Microsoft SQL queries to retrieve next-stage payloads has been relatively rare as a form of malware distribution. In August 2019, however, Proofpoint researchers encountered new Microsoft Office macros, which collectively act as a staged downloader that we dubbed “WhiteShadow.”\r\nSince the first observed occurrence of WhiteShadow in a small campaign leading to infection with an instance of Crimson RAT, we have observed the introduction of detection evasion techniques. These changes include reordering of various lines of code as well as certain basic obfuscation attempts.\r\nIn August 2019, the macros that make up WhiteShadow appeared in English-language cleartext. The only observed obfuscation technique was the simple case altering of strings such as “Full_fILE” or “rUN_pATH.” In early September, we observed slight misspellings of certain variables such as “ShellAppzz.Namespace(Unzz).” Mid-September brought another change in macro code using reversed strings such as “StrReverse(\"piz.Updates\\stnemucoD\\\")”. The most recently observed versions of the WhiteShadow macros contain long randomized text strings such as “skjfhskfhksfhksfhksjfh1223sfsdf.eDrAerTerAererer”. Overall, the macro code still remains mostly human readable, with the same functionality as previously observed.\r\nWhen recipients open malicious document attachments in these campaigns and activate macros, WhiteShadow operates by executing SQL queries against attacker-controlled Microsoft SQL Server databases. The malware is stored as long strings that are ASCII-encoded within the database. Once retrieved, the macro decodes the string and writes it to disk as a PKZip archive of a Windows executable. Once extracted by the macro, the executable is run on the system to start installing malware, which is determined by the actor based on the script configuration stored in the malicious Microsoft Office attachments.\r\nEarly campaigns delivered Crimson malware, which has historically been linked to specific actor activity. However, Proofpoint researchers currently have no evidence tying this current round of malware distribution to previous Crimson campaigns [1].\r\nCampaigns\r\nIn August 2019, Proofpoint researchers began observing a series of malicious email campaigns distributing Microsoft Word and Microsoft Excel attachments containing the WhiteShadow downloader Visual Basic macro (Figure 1).\r\nhttps://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware\r\nPage 1 of 16\r\nFigure 1: A malicious email from a threat actor containing Microsoft Word attachments that, when opened, will execute Visual Basic macros that collectively comprise the WhiteShadow downloader. WhiteShadow then installs additional malware.\r\nIt appears that WhiteShadow is one component of a malware delivery service, which includes a rented instance of Microsoft SQL Server to host payloads retrieved by the downloader.\r\nThe following chart is a chronology of campaigns, relative message volume, and payload summary since we first observed WhiteShadow in the wild.\r\nDate | Relative Volume | Geo/Language | Attachment Type | Payload\r\n8/26/2019 | Low | AU/English | Excel Document | Crimson\r\n8/29/2019 | Low | AU/English | Excel Document | Crimson\r\n9/2-9/4/2019 | Low | AU, UK, China/English | Word and Excel Documents | Nanocore, njRAT, AgentTesla, Crimson\r\n9/9/2019 | Low | Chinese | Word Document | Crimson\r\n9/12/2019 | Low | UK/English | Word Document | Crimson\r\n9/16-9/18/2019 | Medium | US/English | Excel Document | AZORult\r\n9/16-9/17/2019 | Low | English | Excel Document | Formbook\r\n9/17-9/18/2019 | Low | US/English | Excel Document | Nanocore\r\n9/20/2019 | Low | English | Excel Document | Nanocore\r\n9/20/2019 | Low | English | Excel Document | Crimson\r\n9/24/2019 | Low | US/English | Word Document | Crimson\r\nTable 1: Chronology and relative volume of August and September 2019 WhiteShadow campaigns.\r\nDownloader Analysis\r\nWhiteShadow uses a SQLOLEDB connector to connect to a remote Microsoft SQL Server instance, execute a query, and save the results to a file in the form of a zipped executable.\r\nThe SQLOLEDB connector is an installable database connector from Microsoft but is included by default in many (if not all) installations of Microsoft Office. Once the connector is installed on the system, it can be used by various parts of the Windows subsystem and by Visual Basic scripts, including macros in Microsoft Office documents. We have observed several malware strains downloaded in this manner by WhiteShadow:\r\nAgent Tesla\r\nAZORult\r\nCrimson\r\nNanocore\r\nnjRat\r\nOrion Logger\r\nRemcos\r\nFormbook\r\nThe malware infection occurs in the following sequence:\r\nA user enables macros in a document or spreadsheet\r\nThe macro reaches out to a Microsoft SQL server and pulls an ASCII string from the ‘Byte_data’ column in the database table specified by a hardcoded ‘Id_No’ in the macro\r\nThe macro ‘decodes’ the ASCII string and writes the data to a file in binary mode\r\n    Pseudo format: \u003cbyte\u003e\u003cseparator\u003e\u003cbyte\u003e\u003cseparator\u003e\u003cbyte\u003e....\r\n    See Figures 3 and 4 for examples of the macro code that splits the data into an array before writing it to disk\r\nThe file type of the decoded files has always been a ZIP to date, with a single executable inside\r\nThe macro will then extract the executable from the ZIP and run it. The executable will be one of the malware payloads documented above\r\nThe sequence is illustrated in Figure 2:\r\nFigure 2. Illustration of WhiteShadow downloader and malware infection sequence.\r\nFigure 3. Sample code from WhiteShadow script with data decoding routine for array splitting using separator value of ‘!’.\r\nFigure 4. Sample code from WhiteShadow script with data decoding routine for array splitting using separator value of ‘,’.\r\nFigure 5: ASCII representation of the ‘encoded’ PKZIP file before being written to disk, line breaks added for comparison to Figure 6.\r\nFigure 6: Hex editor representation of the ‘decoded’ PKZIP file as written to disk.\r\nWe have observed multiple databases all hosted on a subdomain of mssql.somee[.]com:\r\nantinio.mssql.somee[.]com\r\nbytesdata.mssql.somee[.]com\r\nfabancho.mssql.somee[.]com\r\nIn each of the databases, the data that was being accessed by WhiteShadow was stored in a table called ‘Data,’ which always contained three columns:\r\n1. Id_No: a primary key ‘int’ identifier for the payload\r\n2. Byte_data: an encoded ASCII representation of the payload data\r\n3. Net_ver: likely a ‘customer’ identifier or versioning string for the payload\r\nProofpoint researchers have observed rows being added, removed, and in rare cases, updated in these databases. Proofpoint researchers also noticed similarities in some cases between the data in the ‘Net_ver’ column and affiliate/group structures in some of the malware that was being dropped relative to a specific ‘Id_No’. Examples:\r\nDB Subdomain | DB ‘Id_No’ | DB ‘Net_ver’ | Malware Config Affiliate | Malware Family\r\nantinio | 7 | Del ec | DEL AEC V2 | Crimson\r\nbytesdata | 4 | jay2 | JAY_V2 | Crimson\r\nbytesdata | 9 | oncode | oncode_Ver:1 | Crimson\r\nfabancho | 2 | oncode | Oncode-2 | Crimson\r\nTable 2: Illustration of how the Net_ver identifier column corresponds with the associated configured malware identifier.\r\nIt should be noted that bytesdata’s Id_No ‘4’ was first identified as Nanocore, but was updated two days later to be Crimson, where the Net_ver was updated from ‘jay’ to ‘jay2’.\r\nWe also observed similarities between multiple MSSQL hosts, suggesting they are likely managed by the same actor:\r\nbytesdata.mssql.somee[.]com -\u003e Id_No: 9; Net_Ver: oncode\r\nfabancho.mssql.somee[.]com -\u003e Id_No: 2; Net_Ver: oncode\r\nfabancho.mssql.somee[.]com -\u003e Id_No: 2; Net_Ver: nano oncode\r\nIn addition to the Net_ver similarities (likely customer similarities, or perhaps repeat customers), it is clear that there is table schema reuse between the multiple databases, which indicates that the underlying architecture for these databases is in fact related.\r\nPayload Analysis\r\nWhile analyzing the various payloads hosted in the database, we discovered one family of malware in particular - Crimson - that had several updates since our last analysis of the malware [2]. Updated commands are listed below:\r\ncownar:\r\n    Adds an executable to Environment.SpecialFolder.CommonApplicationData\\\\%install_folder%\\\\updates\\\\ and executes it via Process.Start(exe_path);\r\ncscreen:\r\n    Captures a JPEG format screenshot of the infected machine and sends it to the C\u0026C using the C\u0026C response command:\r\n        capScreen\r\ngetavs:\r\n    This is similar to the previously documented 'procl' command; it creates a concatenated string of processes with a format similar to:\r\n        \u003e%process-id%\u003e%process_module_name%\u003e\u003c\r\n    for each process running on the system, enumerated via:\r\n        Process[] processes = Process.GetProcesses();\r\nputsrt:\r\n    The input to this function is a string, which it compares to the current running process executable path. If that path is different, it 'moves' the executable via:\r\n        File.WriteAllBytes(text, File.ReadAllBytes(executablePath));\r\n    It will then install the modified path into the common ‘CurrentVersion AutoRun’ registry key:\r\n        SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\r\nThe remaining non-Crimson samples appeared to be largely the same as those currently documented and observed in the current threat landscape.\r\nConclusion\r\nAlthough not a new development, the use of MSSQL queries to retrieve next-stage payloads is unusual in the wild. In late August 2019, Proofpoint researchers encountered a new staged downloader which uses this uncommon method and named it “WhiteShadow”. More importantly, this appears to be a new malware delivery service, allowing a range of threat actors to potentially incorporate the downloader and associated Microsoft SQL Server infrastructure into their attacks. We have observed actors using WhiteShadow to install RATs, downloaders, and keyloggers including Agent Tesla, AZORult, Crimson, and others. Organizations need to be cognizant both of the incoming malicious email and of outbound traffic on TCP port 1433, which should be blocked, or at least restricted, by modern firewall ACL configurations. Currently, these campaigns are relatively small, with message volumes ranging from hundreds to thousands of messages, but we will continue to monitor associated trends.\r\nReferences\r\n[1] https://unit42.paloaltonetworks.com/tag/subaat/\r\n[2] https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf\r\nIndicators of Compromise (IOCs)\r\nET and ETPRO Suricata/Snort Signatures\r\n2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433)\r\n2814263 ETPRO TROJAN MSIL/Crimson C\u0026C Server Command (info)\r\n2832108 ETPRO TROJAN MSIL/Crimson Client Command (info)\r\n2832107 ETPRO TROJAN MSIL/Crimson Receiving Command (getavs)\r\n2816280 ETPRO TROJAN MSIL/Crimson Receiving Command (ping)\r\n2815463 ETPRO TROJAN Win32/Megalodon/AgentTesla Conn Check\r\n2837782 ETPRO TROJAN Win32/Origin Logger SMTP Exfil\r\n2816766 ETPRO TROJAN NanoCore RAT C\u0026C 7\r\n2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1\r\n2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon\r\n2829000 ETPRO TROJAN FormBook C\u0026C Checkin (GET)\r\n2829004 ETPRO TROJAN FormBook C\u0026C Checkin (POST)\r\nSource: https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware"
	],
	"report_names": [
		"new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "18278778-fa63-4a9a-8988-4d266b8c5c1a",
			"created_at": "2023-01-06T13:46:38.769816Z",
			"updated_at": "2026-04-10T02:00:03.094179Z",
			"deleted_at": null,
			"main_name": "The Gorgon Group",
			"aliases": [
				"Gorgon Group",
				"Subaat",
				"ATK92",
				"G0078",
				"Pasty Gemini"
			],
			"source_name": "MISPGALAXY:The Gorgon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6c4e4b91-1f98-49e2-90e6-435cea8d3d53",
			"created_at": "2022-10-25T16:07:23.693797Z",
			"updated_at": "2026-04-10T02:00:04.711987Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"ATK 92",
				"G0078",
				"Pasty Draco",
				"Subaat",
				"TAG-CR5"
			],
			"source_name": "ETDA:Gorgon Group",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Atros2.CKPN",
				"Bladabindi",
				"CinaRAT",
				"Crimson RAT",
				"ForeIT",
				"Jorik",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"MSIL",
				"MSIL/Crimson",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Origin Logger",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"SEEDOOR",
				"Scarimson",
				"Socmer",
				"Yggdrasil",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434099,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c8213a40e71e8447106d010c417e6ca62ab4032c.pdf",
		"text": "https://archive.orkl.eu/c8213a40e71e8447106d010c417e6ca62ab4032c.txt",
		"img": "https://archive.orkl.eu/c8213a40e71e8447106d010c417e6ca62ab4032c.jpg"
	}
}