{
	"id": "fb94605f-e011-4c8f-aac9-f3622a9790f8",
	"created_at": "2026-04-06T00:17:38.253721Z",
	"updated_at": "2026-04-10T03:37:36.941805Z",
	"deleted_at": null,
	"sha1_hash": "c8b43c78906df829ffa707e4fc4e3a0cfb0462de",
	"title": "APT34 Event Analysis Report - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1641920,
	"plain_text": "APT34 Event Analysis Report - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.\r\nBy NSFOCUS\r\nPublished: 2019-11-09 · Archived: 2026-04-05 18:47:01 UTC\r\n1 Overview\r\nOn April 18, 2019, a hacker or hacking group, using the alias Lab Dookhtegan, sold a toolkit of the APT34 group on a Telegram channel. The group also posted screenshots of the tool’s backend panels, where victim data had been collected. In mid-March 2019, the same hacker or hacking group had already released and sold this toolkit on the Internet. Interestingly, the CEO of a security company in Kuwait took to Twitter to stress in particular the authenticity of this post.\r\nhttps://nsfocusglobal.com/apt34-event-analysis-report/\r\nPage 1 of 29\n\nTools included in the leaked toolkit are listed as follows:\r\nGlimpse: a new trojan based on PowerShell, dubbed BondUpdater by Palo Alto Networks\r\nPoisonFrog: an old version of BondUpdater\r\nHyperShell\r\nHighShell: dubbed TwoFace by Palo Alto Networks\r\nMinionProject: Fox management interface with the HighShell module loaded\r\nWebmask: HTTP proxy hijacking tool, the main tool behind DNSpionage, used for DNS tunneling\r\nNSFOCUS Security Labs and the NSFOCUS M01N Security Research Team jointly analyzed this toolkit and found that the tools it contains differ from the APT34 group’s previously disclosed attack tools. In this report, we present a detailed analysis of the leaked tools from the perspective of tactics, techniques and procedures (TTPs).\r\n1.1 Distribution of Attack Targets by Industry\r\nIn addition to countries in the Middle East, APT34 has also hit China Mainland, China Taiwan, Turkey, Albania, and other countries and regions. 
China Mainland and China Taiwan both received a large proportion of attacks.\r\nThrough analysis, we found 12 malicious WebShell files used to target China Energy Conservation and Environmental Protection Group, China Railway Construction Corporation, and Western Securities Co., Ltd., among other Chinese companies, as well as six such files used against companies in Hong Kong, Macao, and Taiwan.\r\nThe released toolkit also contains a large number of passwords, packaged and released in different archives according to their information sources.\r\nFrom the above figure, we can see that the archive names contain airport names and oil company names. More than 12,000 weak passwords were disclosed this time.\r\n1.2 About APT34\r\nThe APT34 group, named by FireEye, uses tools and attack approaches that bear a high resemblance to those of the OilRig group, an organization active in the Middle East and tracked by Palo Alto Networks. The APT34 group started to carry out malicious activities as early as 2014, targeting governments and the financial, energy, chemical, and telecom sectors. This group, though most often seen in the Middle East, also hits China, as indicated in the files leaked this time.\r\nOn November 4, 2017, FireEye discovered that this group exploited the vulnerability CVE-2017-11882 to launch attacks by leveraging tools similar to those leaked this time.\r\n2 TTPs\r\nDuring the functional analysis of APT34’s leaked sample, we ascertained the attack tactics and techniques used by this hacking group via reverse deduction from its attack procedures. 
Overall, four phases of the kill chain are involved: privilege escalation, collection, exfiltration, and command and control.\r\nPrivilege Escalation\r\nThis leaked sample uses multiple WebShell backdoor programs like HighShell, HyperShell, and MinionProject, each of which is a .NET program. Some of these programs encrypt their communications in order to evade defense measures. By reference to the tool use record documents included in the leaked files and the list of websites compromised by APT34, we can see that this hacking group mainly uses these WebShell programs, placed in /owa/auth/, to target the Outlook email system of the Exchange server. This sample’s attack targets are found all around the world, including 14 enterprises in the energy and securities sectors in the Chinese mainland. By the time this report is released, some of those WebShell backdoor programs are still active.\r\nThe following figure shows WebShell backdoors targeting companies in China:\r\nThe following table lists URLs of active WebShells:\r\nCollection\r\nOur Webmask analysis of this leaked sample mainly focuses on attacks against Outlook. Through the analysis, we found that such attacks used the email connection and man-in-the-browser (MITB) technologies. 
Also, we dissected the sample’s source code and instructions and discovered that this tool could steal users’ email account passwords and cookies for Outlook authentication, as well as inject code into traffic for further information collection.\r\nExfiltration\r\nIn this phase, the Exfiltration Over Command and Control Channel technique is applied. The attacker sends sensitive data to the controlled server over the DNS protocol through the command and control channel, in a way that evades common data loss prevention techniques.\r\nCommand and Control\r\nThe leaked sample used two remote access Trojans (RATs), poisonfrog.ps1 (old version) and Glimpse (dns_main.ps1) (new version), for remote control of the target server, using the DNS protocol for communication.\r\nAfter a sample analysis, we found that both versions of the RAT use PowerShell as an agent for code execution. Prior to that, the RATs need to hijack the victim’s DNS server for DNS redirection in order to resolve the domain name suffix designated by the attacker. By generating a subdomain with a specific algorithm, the victim’s machine performs a DNS query requesting an A or TXT record of the subdomain from the DNS server (C2 server) and obtains the IP address provided by the C2 server for communications. In addition, the attacker creates a scheduled task to execute the PowerShell script regularly, so that it obtains information from the C2 server before executing commands. The C2 server mainly provides command execution and file upload and download functions.\r\nThe C2 server of the old version already implements proxy detection and can download files from the remote server for web proxy configuration. 
The old version only supports queries for DNS A records and generates subdomain names that contain part of the UUID (Universally Unique Identifier) value of the victim’s system.\r\nThe C2 server of the new version does not involve proxy configuration and assumes that the DNS hijacking is already completed. It can parse DNS TXT records and generates subdomain names that do not contain the UUID value of the victim’s system.\r\n3 Trojan and WebShell Analysis\r\nThe following figures show the directory structure of each tool used by this leaked sample:\r\nGlimpse:\r\nPoisonFrog:\r\nWebmask:\r\nWebshells_and_Panel:\r\nWhen sorting out the files and trying to reproduce the sample, we found that the remote control tools have incomplete logic, which makes one-click deployment impossible. These tools can run properly only after analysis and reconfiguration are completed. MinionProject cannot execute directly at all, because files are missing.\r\nTo sum up, we believe that the leaked toolkit is incomplete, which should be kept in mind during analysis of the toolkit. So far, no backdoor left by the leaker has been discovered.\r\n3.1 Glimpse\r\nGlimpse is a remote control tool that uses DNS tunneling. 
It consists of an agent, a panel, and a server.\r\n3.1.1 Agent\r\nThe agent is the program at the controlled end.\r\nMajor Functions\r\nThe startup script is runner_.vbs, which is used to start the main PowerShell script.\r\nThe main script is dns_main.ps1, used for communications with the server.\r\nFile-related Operations\r\nThe program generates the directory PUBLIC\\Libraries\\guid\\ (hereinafter referred to as the agent directory, in which guid is generated by dns_main.ps1) and creates folders in this directory like receivebox, sendbox, and done to communicate with the server by reading or writing files in these folders.\r\nCommunication Process\r\n1. The agent can communicate with the server through the ping mode (DNS A mode) or text mode (DNS TXT mode). Commands received by the agent from the server are saved as files with RCVD as the file name prefix in the \\receivebox\\ directory of the agent.\r\n2. Check the commands from the server and perform the related behavior.\r\nThe following table lists commands from the server.\r\nTrailing Byte of the Command File Name | Meaning | Operation\r\n0 | Executing commands issued by the server | Reads contents from the command file, executes them as CMD commands, and saves the command output as a file with proc as the file name prefix in the agent directory \\sendbox.\r\n1 | Uploading a file | Places the file designated in the body of the command file in the agent directory \\sendbox and sends this file to the C\u0026C server.\r\nOthers | Downloading a file | Places the command file in the agent directory \\done.\r\n3. 
After executing commands issued by the server, the agent sends the file saved in the agent directory \\sendbox to the server.\r\n3.1.2 Panel\r\nThe panel is the graphical panel of Glimpse, used to manage the communications between the agent and the server.\r\n3.1.3 Server\r\nThe server issues commands to the agent, instructing it what to do next.\r\nMajor Functions\r\nThe server uses a DNS tunneling protocol for communications, issuing commands to the agent or receiving files uploaded by the agent via the DNS tunnel of the A or TXT type.\r\nFile-related Operations\r\nThe program generates the directory ALLUSERSPROFILE/Glimpse/dns/aid/ (hereinafter referred to as the server directory, in which aid indicates the guid ID received from the agent) and then creates folders like wait, receive, done, sended, and sending in this directory to communicate with the agent by reading or writing files in those folders.\r\nCommunication Process\r\n1. Receives false DNS requests from the agent.\r\n2. Parses information received from the agent by using local rules.\r\nFor a false DNS request, the contents are in the format data.mainData.mainData2.mainData3, each part of which contains different contents.\r\nData (offset | field):\r\n0–14 | 15–n | n+1 | n+2 | n+3 | n+4\r\ndataRand | Unknown | C | reqNoIndex | actionIndex | T\r\nIf the data contains the trailing string CxxT (x indicates arbitrary characters), the server determines that the data is based on the tunneling protocol.\r\nIf the data contains a trailing string in a format other than CxxT, the server forwards the data.\r\ndatarand: records the action and aid. 
The data location is variable and determined by both reqNoIndex and actionIndex.\r\naid: ID of the packet, based on which the server directory is generated on the server.\r\naction: action of the agent.\r\nValue of the action Field | Operation\r\nM | The agent checks the mode folder in the specific directory and handles ping information.\r\nW | The server, in the DNS TXT manner, merges the contents in the wait folder in the server directory and sends them.\r\nD | The server sends the contents in the wait folder in the server directory as fragments in the DNS TXT manner.\r\n0 | The server disguises the names of files in the wait folder as IP strings and sends them to the agent.\r\n1 | The server sends files in the wait folder as fragments to the agent in the DNS A manner.\r\n2 | The server receives files by fragment from the agent in the DNS A manner and saves them in the part folder.\r\nmainData: saves the body of the command file.\r\nmainData2: saves the command file name.\r\nmainData3: saves the domain name of the C\u0026C server.\r\nTunnel Format\r\nThe server is a forged DNS server which responds to the agent’s DNS requests by returning designated IP strings. Different IP strings have different meanings, as shown in the following table.\r\nIP String | Meaning\r\n99.250.250.199 | The server responds to a new agent and creates a session.\r\n199.250.250.99 | The server responds to the ping information of the agent.\r\n3.2.1.0 | The server has files to be sent.\r\n24.125.a.b | A file named a+b waits to be sent by the server.\r\n11.24.237.110 | There are files to be sent by the server.\r\na.b.c.d | The server sends fragments as DNS A records. In this IP string, a.b.c indicates the data contents and d indicates the data index.\r\n1.2.3.0 | Fragments are sent by the server.\r\na.2.3.b | The server is receiving fragments from the agent. 
In this IP string, a indicates the agent ID and b indicates the fragment ID.\r\n253.25.42.87 | The server has received fragments from the agent.\r\n3.2 PoisonFrog\r\nMajor Functions\r\nPoisonFrog is a remote control tool that can steal information from the controlled server and execute CMD commands issued by the C\u0026C server.\r\nOperation Process\r\n1. The ps1 script executes to drop the hUpdater.ps1 and dUpdater.ps1 scripts and the UpdateTask.vbs script, and sets Windows scheduled tasks.\r\n2. The ps1 script accesses the C\u0026C domain and uploads and downloads files as instructed by commands issued via the domain.\r\n3. The ps1 script identifies the trailing character of the name of the file downloaded from the C\u0026C server as the command and operates on files in the specified directory as instructed by this command.\r\n4. As a scheduled task, the vbs script is set to execute every 10 minutes.\r\nThe following figure shows part of the contents of the poisonfrog.ps1 script.\r\nComponent Analysis\r\nhUpdater.ps1\r\nThis script is mainly used to send data to the C\u0026C server and receive commands and files from this server.\r\nWhen cfg.ini exists, the hUpdater.ps1 script reads this file to extract the proxy settings and communicates with the C\u0026C server in proxy mode.\r\nAs for command format parsing, the hUpdater.ps1 script obtains strings from the C\u0026C server and splits them on angle brackets into four or more array elements. SSA[0]\u003c\u003eSSA[1]\u003c\u003eSSA[2]\u003c\u003eSSA[3]\u003c\u003eSSA[4]\u003c\u003eSSA[5] is such an example. In the string, each array element corresponds to a different response function. For instance, when SSA[2] has a value other than not, it downloads files to a specified directory. 
The following table describes the functions of these array elements.\r\nCommand | Description\r\nSSA[0] | When SSA[0] has a value other than not, upload the file named SSA[0] to the URI /fil/domain name/SSA[0] and then delete the original file.\r\nSSA[1] | When SSA[1] has a value other than not, it uploads strings to a specified URL. The SSA[1] code has been commented out.\r\nSSA[2] | When SSA[0] has a value other than not, download the file under /fil/SSA[3] to the local directory C:/…./SSA[0]/SSA[2].\r\nSSA[4] | When SSA[4] has a value other than not, upload the SSA[4] file to /fil/domain name/SSA[0].\r\nSSA[5] | When the array length is 2, continue to perform operations within the loop.\r\ndUpdater.ps1\r\nThe dUpdater.ps1 script parses, as a command, the trailing character of the name of the first file found during traversal of the receivebox folder. The following table describes the mapping between commands and the script’s functions.\r\nCommand | Description\r\n0 | The dUpdater.ps1 script parses the contents of the ZZA[0] file in the receivebox folder and writes the contents into the ZZA[0] file in the sendbox directory. If the ZZA[0] file exists in the receivebox folder, this script deletes it.\r\n1 | If the contents of the ZZA[0] file in the receivebox folder parse as a file path, the dUpdater.ps1 script copies this file to the sendbox directory and then deletes the ZZA[0] file in the receivebox folder.\r\n2 | The dUpdater.ps1 script moves the ZZA[0] file in the receivebox folder to the done/ directory, writes 200\u003c\u003e plus the path of the done/ directory as the content of this file, and then deletes the ZZA[0] file in the receivebox folder.\r\nServer-Side Scripts\r\nThe scripts are used to assemble commands (e.g. SSA[0]\u003c\u003eSSA[1]\u003c\u003eSSA[2]\u003c\u003eSSA[3]\u003c\u003eSSA[4]\u003c\u003eSSA[5]) and store data. 
Each script has its own function.\r\nFunction | Description\r\nPanel | Serves as a control panel.\r\nNotFount | Notifies the log-in user of the login failure.\r\nPosted | Issues commands from the agent panel to upload and download files.\r\nDeletecommand | Deletes commands from the database.\r\nDeleteagent | Deletes the agent and its related files.\r\nDescriptionposted | Describes information returned by the server.\r\nFileposted | Sends files to the receive folder on the server.\r\nAgent | Creates the receive, send, and wait folders in each agentID folder, stores files that contain commands in such folders, and writes commands into the database.\r\n3.3 WebMask\r\nThis tool is used by the APT34 group as a DNS proxy and for HTTP hijacking.\r\nMajor Functions\r\nThis tool consists of three parts:\r\nShell script sh: used for installation\r\npy: used to steal passwords and for hijacking\r\npy, dnsd.js, and config.json: used to configure the local DNS proxy\r\nComponent Analysis\r\nDNSd Module\r\nThis module starts the local DNS proxy. The configuration file and the IP address of the proxy server are specified with startup parameters. By default, the script only does DNS forwarding.\r\nThe DNSd module can be started using the Python script (dnsd.py) or the JavaScript version (dnsd.js).\r\nguide.txt explains two ways to use the DNSd tool.\r\n1. py is used as a transparent proxy.\r\n2. The native-dns module is used as a DNS proxy. As shown in the following figure, 195.229.237.52 is the IP address of a DNS server in the United Arab Emirates and 185.162.235.106 is a bot IP address used as an example.\r\nIcap Module\r\nThis module is a tool written with PyICAP. PyICAP is a Python 3 framework for writing ICAP servers. 
ICAP is usually used to extend transparent proxy servers, implementing content filters in the transparent HTTP proxy cache and performing specific services (which can be specified by developers) on HTTP requests/responses.\r\nThe extract_login_password method is used to steal account passwords included in HTTP traffic and record them in a designated file. It extracts data from HTTP requests using regular expressions.\r\nMeanwhile, this tool records header information involved in HTTP interactions, including the user’s IP address, request time, requested content, and recorded cookies. When analyzing the tool code, we found hijacking code, i.e., the following JavaScript statement:\r\nWhen the hijacking code executes, the first img src leads the victim’s machine to access logo.jpg on the attacker’s server. During the process, NTLM authentication is conducted automatically, allowing the attacker to obtain the NetNTLMv2 hash, which can be used for man-in-the-middle (MITM) attacks.\r\nAssume that the attacker has taken control of the proxy. In this case, he can use his server to respond to DNS requests for WPAD, and then answer the image requests with what are actually PAC files.\r\n3.4 Webshells_and_Panel\r\nThe Webshells_and_Panel directory contains multiple WebShell tools written in C#:\r\nsimpleDownload.aspx: a simple tool with only the upload function.\r\nsimple.aspx: a relatively complicated tool that provides authentication and command execution functions besides the upload function.\r\nhighshell.aspx: a full-featured tool that seems to be the first version, providing functions like file upload, command execution, and database manipulation. 
This version of the tool was reported by Palo Alto Networks in 2017.\r\nThis tool implements login authentication as follows:\r\nThe following shows how login authentication is implemented, in pseudocode:\r\nBase64(sha256(bytes(cookies[\"p\"] + salt))) == pp\r\nBoth salt and pp are predefined values.\r\nThe configured cookie value can be used for authentication.\r\nIn addition, we have found multiple upgraded versions of HighShell (with minor differences between them) in the Hypershell directory. The following figure shows HighShell 8.6.2.\r\nThis version of the tool is rewritten with the Semantic UI framework and its backend has been split into several modules. Arguably, this version goes further in engineering than common versions. Like other versions, this version performs authentication based on cookies.\r\n4 YARA Rules\r\n/*\r\n    YARA Rule Set\r\n    Author: Florian Roth\r\n    Date: 2019-04-17\r\n    Identifier: Leaked APT34 / OilRig tools\r\n    Reference: https://twitter.com/0xffff0800/status/1118406371165126656\r\n*/\r\nrule APT_APT34_PS_Malware_Apr19_1 {\r\n    meta:\r\n        description = \"Detects APT34 PowerShell malware\"\r\n        author = \"Florian Roth\"\r\n        reference = \"https://twitter.com/0xffff0800/status/1118406371165126656\"\r\n        date = \"2019-04-17\"\r\n        hash1 = \"b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768\"\r\n    strings:\r\n        $x1 = \"= get-wmiobject Win32_ComputerSystemProduct  | Select-Object -ExpandProperty UUID\" ascii\r\n        $x2 = \"Write-Host \\\"excepton occured!\\\"\" ascii /* :) */\r\n        $s1 = \"Start-Sleep -s 1;\" fullword ascii\r\n        $s2 = \"Start-Sleep -m 100;\" fullword ascii\r\n    condition:\r\n        1 of ($x*) or 2 of them\r\n}\r\nrule APT_APT34_PS_Malware_Apr19_2 {\r\n    meta:\r\n        description = \"Detects APT34 PowerShell malware\"\r\n        author = \"Florian Roth\"\r\n        reference = \"https://twitter.com/0xffff0800/status/1118406371165126656\"\r\n        date = \"2019-04-17\"\r\n        hash1 = \"2943e69e6c34232dee3236ced38d41d378784a317eeaf6b90482014210fcd459\"\r\n    strings:\r\n        $x1 = \"= \\\"http://\\\" + [System.Net.Dns]::GetHostAddresses(\\\"\" ascii\r\n        $x2 = \"$t = get-wmiobject Win32_ComputerSystemProduct  | Select-Object -ExpandProperty UUID\" fullword ascii\r\n        $x3 = \"| Where { $_ -notmatch '^\\\\s+$' }\" ascii\r\n        $s1 = \"= new-object System.Net.WebProxy($u, $true);\" fullword ascii\r\n        $s2 = \" -eq \\\"dom\\\"){$\" ascii\r\n        $s3 = \" -eq \\\"srv\\\"){$\" ascii\r\n        $s4 = \"+\\\"\u003c\u003e\\\" | Set-Content\" ascii\r\n    condition:\r\n        1 of ($x*) and 3 of them\r\n}\r\nrule APT_APT34_PS_Malware_Apr19_3 {\r\n    meta:\r\n        description = \"Detects APT34 PowerShell malware\"\r\n        author = \"Florian Roth\"\r\n        reference = \"https://twitter.com/0xffff0800/status/1118406371165126656\"\r\n        date = \"2019-04-17\"\r\n        hash1 = \"27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed\"\r\n    strings:\r\n        $x1 = \"Powershell.exe -exec bypass -file ${global:$address1}\"\r\n        $x2 = \"schtasks /create /F /ru SYSTEM /sc minute /mo 10 /tn\"\r\n        $x3 = \"\\\"\\\\UpdateTasks\\\\UpdateTaskHosts\\\"\"\r\n        $x4 = \"wscript /b \\\\`\\\"${global:$address1\" ascii\r\n        $x5 = \"::FromBase64String([string]${global:$http_ag}))\" ascii\r\n        $x6 = \".run command1, 0, false\\\" | Out-File \" fullword ascii\r\n        $x7 = \"\\\\UpdateTask.vbs\" fullword ascii\r\n        $x8 = \"hUpdater.ps1\" fullword ascii\r\n    condition:\r\n        1 of them\r\n}\r\nSource: https://github.com/Neo23x0/signature-base/blob/master/yara/apt_oilrig.yar\r\n5 Indicators of Compromise\r\nmyleftheart.com\r\nC:\\Users\\Public\\Public\\atag[0-9]{4}[A-Z]{2}\r\nC:\\Users\\Public\\Public\\dUpdater.ps1\r\nC:\\Users\\Public\\Public\\hUpdated.ps1\r\nC:\\Users\\Public\\Public\\UpdateTask.vbs\r\n6 Mitigations\r\n1. Be cautious with emails from unknown sources. 
Do not open emails from strangers, such as those containing links, so as to prevent information disclosure or computer viruses.\r\n2. Do not use weak passwords. Change passwords regularly and make sure sufficiently strong passwords are used.\r\n3. Fix vulnerabilities promptly, especially those in border devices. Enable automatic updates on infrequently used devices to keep the devices and their software up to date.\r\n4. Deploy border protection devices and an intelligence-based alerting system provided by security firms to nip security hazards in the bud.\r\n7 Detection Means\r\nNetwork layer:\r\nCheck whether there are abnormal DNS resolver (DNS server) addresses.\r\nCheck whether machines within the network send a large number of DNS requests at 50 ms intervals.\r\nCheck whether there are abnormal domain name requests.\r\nHost layer:\r\nCheck whether the following directories or files exist on hosts:\r\nC:\\Users\\Public\\Public\\atag[0-9]{4}[A-Z]{2}\r\nC:\\Users\\Public\\Public\\dUpdater.ps1\r\nC:\\Users\\Public\\Public\\hUpdated.ps1\r\nC:\\Users\\Public\\Public\\UpdateTask.vbs\r\nCheck whether DNS server addresses have been tampered with on hosts.\r\nCheck whether unknown files exist in the root directory of the HTTP server.\r\n8 References\r\nhttps://github.com/Neo23x0/signature-base/blob/master/yara/apt_oilrig.yar\r\nhttps://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html\r\nhttps://misterch0c.blogspot.com/2019/04/apt34-oilrig-leak.html\r\nhttps://raidforums.com/Thread-access-to-top-secret-information-and-hacking-tools-of-Iran-ministry-of-intelligence?pid=540189\r\nhttps://anonfile.com/8f8aL0S1mb/targets_txt\r\nSource: https://nsfocusglobal.com/apt34-event-analysis-report/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://nsfocusglobal.com/apt34-event-analysis-report/"
	],
	"report_names": [
		"apt34-event-analysis-report"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8d76e350-dfb5-4733-800d-876de41f690d",
			"created_at": "2023-01-06T13:46:38.841887Z",
			"updated_at": "2026-04-10T02:00:03.119083Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [
				"COBALT EDGEWATER"
			],
			"source_name": "MISPGALAXY:DNSpionage",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4632103e-8035-4a83-9ecb-c1e12e21288c",
			"created_at": "2022-10-25T16:07:23.542255Z",
			"updated_at": "2026-04-10T02:00:04.64888Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [],
			"source_name": "ETDA:DNSpionage",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"CACTUSPIPE",
				"DNSpionage",
				"DropperBackdoor",
				"Karkoff",
				"MailDropper",
				"OILYFACE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434658,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c8b43c78906df829ffa707e4fc4e3a0cfb0462de.pdf",
		"text": "https://archive.orkl.eu/c8b43c78906df829ffa707e4fc4e3a0cfb0462de.txt",
		"img": "https://archive.orkl.eu/c8b43c78906df829ffa707e4fc4e3a0cfb0462de.jpg"
	}
}