{
	"id": "2a5aa04d-78fa-43b8-8e9e-41b9f7dfa604",
	"created_at": "2026-04-06T00:16:17.543564Z",
	"updated_at": "2026-04-10T13:11:44.221185Z",
	"deleted_at": null,
	"sha1_hash": "ca099d18524bd774b7c704a90ddcfbdfce22099f",
	"title": "Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63551,
	"plain_text": "Antlion: Chinese APT Uses Custom Backdoor to Target Financial\r\nInstitutions in Taiwan\r\nBy About the Author\r\nArchived: 2026-04-05 13:29:37 UTC\r\nChinese state-backed advanced persistent threat (APT) group Antlion has been targeting financial institutions in Taiwan in a\r\npersistent campaign over the course of at least 18 months.\r\nThe attackers deployed a custom backdoor we have called xPack on compromised systems, which gave them extensive\r\naccess to victim machines. \r\nThe backdoor allowed the attackers to run WMI commands remotely, while there is also evidence that they leveraged\r\nEternalBlue exploits in the backdoor. The attackers appeared to have the ability to interact with SMB shares, and it's\r\npossible that they used mounted shares over SMB to transfer files from attacker-controlled infrastructure. There is also\r\nevidence that the attackers were able to browse the web through the backdoor, likely using it as a proxy to mask their IP\r\naddress.\r\nThe goal of this campaign appears to have been espionage, as we saw the attackers exfiltrating data and staging data for\r\nexfiltration from infected networks.\r\nTechnical details\r\nAs well as the attack on the financial institution outlined in the case study below, Antlion compromised the networks of at\r\nleast two other organizations in Taiwan, including another financial organization and a manufacturing company. The activity\r\nthe group carried out on those networks was largely similar to the activity that is detailed in the case study, with the xPack\r\nbackdoor frequently deployed and a lot of evidence of credential dumping. 
In the manufacturing target we also saw the attackers attempting to download malicious files via SMB shares.\r\nThe attackers also spent a significant amount of time on both these targeted networks, spending close to 250 days on the financial organization and around 175 days on the manufacturing organization.\r\nSymantec, a division of Broadcom, cannot state with certainty what the initial infection vector used by the attackers in this campaign was, though in one instance they were seen utilizing the MSSQL service to execute system commands, which indicates that the most likely infection vector was exploitation of a web application or service. However, Antlion is also known to have previously used malicious emails to gain initial access to victim networks.\r\nThe main custom backdoor used by Antlion in this campaign was the xPack backdoor, which is a custom .NET loader that decrypts (AES), loads, and executes accompanying .bin files. Its decryption password is provided as a command-line argument (Base64 encoded string), and xPack is intended to be run as a standalone application or as a service (xPackSvc variant). The xPack malware and its associated payload seem to be used for initial access; it appears that xPack was predominantly used to execute system commands, drop subsequent malware and tools, and stage data for exfiltration. The attackers also used a custom keylogger and three custom loaders:\r\nEHAGBPSL loader - custom loader written in C++ - loaded by JpgRun loader\r\nJpgRun loader - custom loader written in C++ - similar to xPack, reads the decryption key and filename from the command line - decodes the file and executes it\r\nCheckID - custom loader written in C++ - based on loader used by BlackHole RAT\r\nThe attackers also used a custom SMB session enumeration tool (NetSessionEnum), a custom bind/reverse file transfer tool named ENCODE MMC, and a Kerberos golden ticket tool based on Mimikatz.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks\r\nPage 1 of 7\n\nThe attackers also used a variety of off-the-shelf tools, as well as leveraging living-off-the-land tools such as PowerShell, WMIC, ProcDump, LSASS, and PsExec. The legitimate AnyDesk tool was also abused by the attackers for remote access in one of the victim organizations. The attackers were also observed leveraging exploits such as CVE-2019-1458 for privilege escalation and remote scheduled tasks to execute their backdoor. CVE-2019-1458 is an elevation-of-privilege vulnerability that occurs in Windows when the Win32k component fails to properly handle objects in memory.\r\nLegitimate versions of WinRAR appear to have been used by the attackers for data exfiltration, while there is also evidence of data exfiltration via PowerShell, specifically using the BitsTransfer module to initiate an upload to attacker-controlled infrastructure. There is also evidence that the attackers likely automated the data collection process via batch scripts, and evidence of instances where data was likely staged for further exfiltration, though it was not actually observed being exfiltrated from the network. In these instances, it appears the attackers were interested in collecting information from software pertaining to business contacts, investments, and smart card readers.\r\nCase study: Attack on a financial organization\r\nThe attackers spent a significant amount of time on victims’ networks, and deployed both custom and off-the-shelf malware. In one financial sector victim in Taiwan the attackers spent almost nine months on the victim network.\r\nThe first suspicious activity on this victim network occurred in December 2020 when WMIC was used to execute two commands:\r\nwmic process get CSName,Description,ExecutablePath,ProcessId /format:\"CSIDL_SYSTEM\\wbem\\zh-tw\\htable.xsl\"\r\nwmic os get name,version,InstallDate,LastBootUpTime,LocalDateTime,Manufacturer,RegisteredUser,ServicePackMajorVersion,SystemDire /format:\"CSIDL_SYSTEM\\wbem\\zh-tw\\htable.xsl\"\r\nThe first command was used to list the computer name, description of processes, executable path, and process ID. The output was written to a suspicious file named htable.xsl under the wbem directory. The second command was used to collect information about the system, which was written out to the same file (htable.xsl). Information collected included:\r\nVersion of the operating system (OS)\r\nThe installation date\r\nThe last time the system was booted\r\nThe local date and time of the system\r\nThe manufacturer\r\nThe registered user\r\nService pack information - this can be used to determine what patches are installed\r\nSystem directory path\r\nFive minutes after those commands were issued, WMIC was used to dump credentials:\r\nreg save HKLM\\SAM CSIDL_COMMON_DOCUMENTS\\sam.hiv\r\nreg save HKLM\\SYSTEM CSIDL_COMMON_DOCUMENTS\\sys.hiv\r\nreg save hklm\\security CSIDL_COMMON_DOCUMENTS\\security.hiv\r\nThe commands listed above were all executed via Antlion’s custom xPack backdoor.\r\nSeveral days later, during the Christmas holiday period, the attackers returned over a period of a few days and executed the xPack backdoor again. They also executed an unknown VBS script via PsExec multiple times:\r\n\"cscript.exe\" CSIDL_SYSTEM_DRIVE\\update.vbs\r\nOn December 28, the attackers used xPack to launch a command prompt to dump credentials from several machines within the compromised organization with the following commands:\r\nupload.exe -accepteula -ma lsass.exe 16.dmp (a renamed version of Sysinternals procdump64.exe)\r\nreg save hklm\\sam CSIDL_PROFILE\\publicsam.hive\r\nreg save hklm\\system CSIDL_PROFILE\\public\\system.hive\r\nreg save hklm\\security CSIDL_PROFILE\\public\\security.hive\r\nOver the following couple of weeks, the attackers continued to return intermittently to launch the xPack backdoor or to dump credentials via the registry. Then, following a few weeks of inactivity, they became active on the infected network once again.\r\nThe attackers used the xPack backdoor to launch a command prompt to execute the following commands:\r\n\"cmd\" /K CHCP 950\r\nCHCP 950\r\nquery user\r\n\"CSIDL_SYSTEM\\quser.exe\"\r\ntasklist /v\r\nfindstr explorer\r\ncmd /c dir \"CSIDL_PROFILE\\desktop\"\r\nCSIDL_SYSTEM\\cmd.exe /c cmd /c dir \\users /b\r\ncmd /c dir \"CSIDL_PROFILE\\desktop\"\r\ncmd /c dir \\users /b\r\nreg save hklm\\security CSIDL_COMMON_DOCUMENTS\\security.hiv\r\nrar a -r -hp1qaz@WSX3edc!@# W22-009-099.tmp \"CSIDL_COMMON_DOCUMENTS\\w22-009-099_file\"\r\nreg save hklm\\system CSIDL_COMMON_DOCUMENTS\\system.hiv\r\nreg save hklm\\sam CSIDL_COMMON_DOCUMENTS\\sam.hiv\r\nThe above commands were used to first change the code page to 950, which is the Windows code page for Traditional Chinese. The attackers then executed 'query user' to list any logged-in users on the system, as well as running 'tasklist' to get a list of all the running processes on the system. They also tried to discover what processes were running, before listing all contents of the Desktop directory and the Users directory. After this, the attackers dumped credentials again via the registry.\r\nThe attackers returned to the network a couple of weeks later and carried out largely the same activity. The attackers remained active on the network for March, April, and May 2021, intermittently returning to launch their xPack backdoor or dump credentials from the registry. Dumping credentials appears to be a main focus of the attackers, with them likely using these credentials to move laterally across the network to identify machines of interest from which they can exfiltrate data.\r\nThe last activity on this network, after a gap of three months, occurred in August 2021, when the attackers returned and listed all available shares. They then dumped credentials from the registry and proceeded to collect account, group, and workstation configuration information.\r\nThey then dumped credentials from the registry once again. This was the last activity seen on this network.\r\nExperienced actor stays active\r\nAntlion is believed to have been involved in espionage activities since at least 2011, and this recent activity shows that it is still an actor to be aware of more than 10 years after it first appeared.\r\nThe length of time that Antlion was able to spend on victim networks is notable, with the group able to spend several months on victim networks, affording plenty of time to seek out and exfiltrate potentially sensitive information from infected organizations. The targeting of Taiwan is perhaps unsurprising given we know Chinese state-backed groups tend to be interested in organizations in that region.\r\nProtection\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise (IOCs)\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.\r\nYara Rules\r\nrule xpack_loader\r\n{\r\n    meta:\r\n        author = \"Symantec, a division of Broadcom\"\r\n        hash = \"12425edb2c50eac79f06bf228cb2dd77bb1e847c4c4a2049c91e0c5b345df5f2\"\r\n    strings:\r\n        $s1 = \"Length or Hash destoryed\" wide fullword\r\n        $s2 = \"tag unmatched\" wide fullword\r\n        $s3 = \"File size mismatch\" wide fullword\r\n        $s4 = \"DESFile\" wide fullword\r\n        $p1 = \"fomsal.Properties.Resources.resources\" wide fullword\r\n        $p2 = \"xPack.Properties.Resources.resources\" wide fullword\r\n        $p3 = \"foslta.Properties.Resources.resources\" wide fullword\r\n    condition:\r\n        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (2 of ($s*) or any of ($p*))\r\n}\r\nrule xpack_service\r\n{\r\n    meta:\r\n        author = \"Symantec, a division of Broadcom\"\r\n        hash = \"390460900c318a9a5c9026208f9486af58b149d2ba98069007218973a6b0df66\"\r\n    strings:\r\n        $s1 = \"C:\\\\Windows\\\\inf\\\\wdnvsc.inf\" wide fullword\r\n        $s2 = \"PackService\" wide fullword\r\n        $s3 = \"xPackSvc\" wide fullword\r\n        $s4 = \"eG#!\u00265h8V$\" wide fullword\r\n    condition:\r\n        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 3 of them\r\n}\r\nrule EHAGBPSL_loader\r\n{\r\n    meta:\r\n        author = \"Symantec, a division of Broadcom\"\r\n        hash = \"e968e0d7e62fbc36ad95bc7b140cf7c32cd0f02fd6f4f914eeb7c7b87528cfe2\"\r\n        hash = \"2a541a06929dd7d18ddbae2cb23d5455d0666af7bdcdf45b498d1130a8434632\"\r\n    strings:\r\n        $s1 = {45 00 00 00 48 00 00 00 41 00 00 00 47 00 00 00 42 00 00 00 50 00 00 00 53 00 00 00 4C} // EHAGBPSL\r\n        $s2 = {74 00 00 00 61 00 00 00 72 00 00 00 57 00 00 00 6F 00 00 00 6B} // tarWok\r\n        $b1 = \"bnRtZ3M=\" fullword // ntmgs\r\n        $b2 = \"TmV0d29yayBNYW5hZ2VtZW50IFNlcnZpY2U=\" fullword // Network Management Service\r\n        $b3 = \"UHJvdmlkZXMgYWJpbGl0eSB0byBtYW5hZ2UgbmV0d29yayBvdmVyIHRoZSBuZXQgcHJvdG9jb2wu\" fullword // Provides ability to manage network over the net protocol.\r\n        $b4 = \"bnRtZ3MuZG\" // ntmgs.dll / ntmgs.dat\r\n        $b5 = \"aW1nMS5qcGc=\" fullword // img1.jpg\r\n        $c1 = \"Wscms.nls\" fullword\r\n        $c2 = \"Wscms.dat\" fullword\r\n        $c3 = \"Wscms.dll\" fullword\r\n        $c4 = \"Wscms.ini\" fullword\r\n        $c5 = \"Images01.jpg\" fullword\r\n        $e1 = \"StartWork\" fullword\r\n        $e2 = \"ServiceMain\" fullword\r\n        $h1 = {DD 9C BD 72} // CreateRemoteThread\r\n        $h2 = {C0 97 E2 EF} // OpenProcess\r\n        $h3 = {32 6D C7 D5} // RegisterServiceCtrlHandlerA\r\n        $h4 = {A1 6A 3D D8} // WriteProcessMemory\r\n    condition:\r\n        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of ($e*) and (all of ($s*) or any of ($b*) or 3 of ($c*) or all of ($h*))\r\n}\r\nrule keylogger\r\n{\r\n    meta:\r\n        author = \"Symantec, a division of Broadcom\"\r\n        hash = \"3db621cac1d026714356501f558b1847212c91169314c1d43bfc3a4798467d0d\"\r\n        hash = \"789f0ec8e60fbc8645641a47bc821b11a4486f28892b6ce14f867a40247954ed\"\r\n    strings:\r\n        $m1 = \"BKB_Test\" fullword\r\n        $m2 = \"KLG_sd76bxds1N\" fullword\r\n        $k1 = \"[%d/%02d/%02d %02d:%02d:%02d K-E-Y-L-O-G]\" fullword\r\n        $k2 = \"[%d/%02d/%02d %02d:%02d:%02d C-L-I-P-B-D]\" fullword\r\n        $k3 = \"\u003c Title--%s-- \u003e\" fullword\r\n        $k4 = \"ImpersonateLoggedOnUser Error(%d)\" fullword\r\n        $f1 = {55 73 65 72 ?? ?? ?? 00 00 00 ?? ?? ?? 6B 65 79 2E} // Userkey.\r\n        $f2 = {55 73 65 72 ?? ?? ?? 00 00 00 ?? ?? ?? 64 61 74 2E} // Userdat.\r\n    condition:\r\n        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (2 of ($k*) or (any of ($m*) and any of ($f*)))\r\n}\r\nrule checkid_loader\r\n{\r\n    meta:\r\n        author = \"Symantec, a division of Broadcom\"\r\n        description = \"BlackHole/BlackSwan / QuasarRAT/xClient loader\"\r\n        hash = \"29d7b82f9ae7fa0dbaf2d18c4d38d18028d652ed1ccc0846e8c781b4015b5f78\"\r\n    strings:\r\n        $s1 = \"Call %s.%s(\\\"%s\\\") =\u003e %d\" fullword wide\r\n        $s2 = \"Assembly::CreateInstance failed w/hr 0x%08lx\" fullword wide\r\n        $s3 = \"checkID\"\r\n        $s4 = \"NULL == checkID hMutex\" fullword\r\n        $s5 = \"checkID Mutex ERROR_ALREADY_EXISTS\" fullword\r\n        $s6 = \"dllmain mutex ERROR_ALREADY_EXISTS\" fullword\r\n        $x1 = \"xClient.Program\" fullword wide\r\n        $x2 = \"LoadPayload\" fullword\r\n        $m1 = \"SFZJ_Wh16gJGFKL\" ascii wide\r\n        $m2 = \"d5129799-e543-4b8b-bb1b-e0cba81bccf8\" ascii wide\r\n        $m3 = \"USA_HardBlack\" ascii wide\r\n        $b1 = \"BlackHole.Slave.Program\" fullword wide\r\n        $b2 = \"NuGet\\\\Config\" wide\r\n        $b3 = \"VisualStudio.cfi\" wide\r\n        $p = {E1 F6 3C AC AF AC AC AC A8 AC AC AC 53 53 AC AC 14}\r\n        $t = \"0s+Nksjd1czZ1drJktPO24aEjISMtsvLy5LJzNjdyNnL1dLY08uS39PRhoSMhIy2jYyPkomNko2IjJKEiIaEjISM\"\r\n    condition:\r\n        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 2 of ($s*) and (all of ($x*) or any of ($m*) or all of ($b*) or $p or $t)\r\n}\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks"
	],
	"report_names": [
		"china-apt-antlion-taiwan-financial-attacks"
	],
	"threat_actors": [
		{
			"id": "6360ea44-b90d-435c-b3cd-9724751b8294",
			"created_at": "2023-01-06T13:46:39.304451Z",
			"updated_at": "2026-04-10T02:00:03.281303Z",
			"deleted_at": null,
			"main_name": "Antlion",
			"aliases": [],
			"source_name": "MISPGALAXY:Antlion",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6ad5ab33-9a45-43d3-b0e4-70b7f9d836f8",
			"created_at": "2022-10-25T16:07:23.309518Z",
			"updated_at": "2026-04-10T02:00:04.535597Z",
			"deleted_at": null,
			"main_name": "Antlion",
			"aliases": [],
			"source_name": "ETDA:Antlion",
			"tools": [
				"CheckID",
				"EHAGBPSL",
				"EHAGBPSL Loader",
				"ENCODE MMC",
				"JpgRun",
				"JpgRun Loader",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NERAPACK",
				"NetSessionEnum",
				"ProcDump",
				"PsExec",
				"WinRAR",
				"xPack"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434577,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ca099d18524bd774b7c704a90ddcfbdfce22099f.pdf",
		"text": "https://archive.orkl.eu/ca099d18524bd774b7c704a90ddcfbdfce22099f.txt",
		"img": "https://archive.orkl.eu/ca099d18524bd774b7c704a90ddcfbdfce22099f.jpg"
	}
}