{
	"id": "a2dfded0-6789-4a82-9730-5941aa6bc392",
	"created_at": "2026-04-06T01:31:57.048247Z",
	"updated_at": "2026-04-10T03:33:18.499514Z",
	"deleted_at": null,
	"sha1_hash": "cbfa634c4e30da58581aa4879f925ef57079e628",
	"title": "Chinese New Backdoor Deployed For Cyberespionage - Security Investigation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 496612,
	"plain_text": "Chinese New Backdoor Deployed For Cyberespionage - Security Investigation\r\nBy BalaGanesh\r\nPublished: 2022-08-09 · Archived: 2026-04-06 01:24:38 UTC\r\nKaspersky ICS CERT experts detected a wave of targeted attacks on military-industrial complex enterprises and public institutions in several Eastern European countries and Afghanistan.\r\nThe attackers were able to penetrate dozens of enterprises and even hijack the IT infrastructure of some, taking control of systems used to manage security solutions.\r\nAn analysis of information obtained during the Kaspersky investigation indicates that cyber espionage was the goal of this series of attacks.\r\nAttack Summary\r\nThe attack starts with a phishing email that contains Microsoft Word documents with embedded malicious code that exploits the CVE-2017-11882 vulnerability. The text in such documents is crafted using specific details on the organization’s operation, some of which may not be publicly available.\r\nThe CVE-2017-11882 vulnerability exists in outdated versions of the Microsoft Equation Editor (a Microsoft Office component). It enables an attacker to use a specially crafted byte sequence masked as an equation, which, when processed, will result in arbitrary code being executed on behalf of the user.\r\nhttps://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/\r\nPage 1 of 7\r\nThe vulnerability enables the malware to gain control of an infected system without any additional user activity. For example, there is no need for the user to enable macros, which is required by most attacks.\r\nTo achieve their goal, the Chinese cyberspies used spear phishing emails containing confidential information about the targeted organizations and malicious code exploiting the CVE-2017-11882 Microsoft Office vulnerability to deploy PortDoor malware.\r\nFragment of malicious document contents (Kaspersky)\r\nThe malicious code embedded in the document drops PortDoor malware. According to the Cybereason blog post, the malware has earlier been used by the TA428 APT.\r\nThe PortDoor executable is first extracted to the %AppData%\\Local\\Temp directory with the name 8.t, after which it is moved to the Microsoft Word startup directory, %AppData%\\Roaming\\Microsoft\\Word\\STARTUP, with a name that is specific to each attack, such as strsrv.wll.
\r\nIn the following stages of the attack, the group installed additional malware linked to TA428 in the past (i.e., nccTrojan, Logtu, Cotx, and DNSep), as well as a never-before-seen malware strain named CotSam.\r\nCollecting Information on the Enterprise’s Infrastructure\r\nThe attackers mostly scanned the network using the NBTscan console utility, which was delivered to victim computers as a .cab archive named ace.cab and unpacked using the expand system utility:\r\nexpand.exe ace.cab ace.exe\r\nace -n 172.22.0.0/16\r\nRDP Information Collected\r\nThe attackers also collected information on users working on the system and their network connections. Specifically, they were interested in RDP connections:\r\nquery user\r\nnet user\r\nnet group\r\nipconfig /all\r\nnetstat -no\r\nnetstat -no | findstr 3389\r\nnetstat -ano | findstr 2589\r\nMalware Distribution\r\nInstallation of nccTrojan malware (Kaspersky)\r\nThe attackers were able to move laterally by infecting one system after another, gaining access to these systems using network scanning results and user credentials stolen earlier. They used the net use and xcopy utilities to establish network connections with remote systems and copy malware to those systems:\r\nnet use \\\\[IP address]\\IPC$ \"[password]\" /u:\"[user name]\"\r\nxcopy.exe /s \\\\[IP address]\\c$\\windows\\web\\* $windir\\Web\\ /y /e /i /q\r\nIn some cases, the malware was launched using an open-source VBS script named wmic.vbs, which the attackers also downloaded to remote systems:\r\ncscript.exe //nologo wmic.vbs /cmd [IP address] [user name] [password] $appdata\\ABBYY\\Install.exe\r\nIn other cases, the attackers created a task in Windows Task Scheduler to ensure that the malware started automatically:\r\nschtasks /create /tn CacheTasks /tr \"$appdata\\ABBYY\\FineReader\\WINWORD.EXE\" /sc minute /mo 50 /ru \"\" /f\r\nTo reach closed networks (i.e., networks that are not directly connected to the internet), the attackers turned intermediate systems (systems available from closed networks and at the same time connected to the internet) into proxy servers:\r\nnetsh interface portproxy add v4tov4 2589 \u003cIP address\u003e 443\r\nDomain Hijacking\r\nAfter gaining access to the domain controller, the attackers stole the entire database of Active Directory user password hashes.
To do this, they first saved a copy of the system registry hives with a special cmd command:\r\nreg save HKLM\\SAM sam.save\r\nreg save HKLM\\SECURITY security.save\r\nNext, they copied the file ntds.dit, which contains the Active Directory database, including user password hashes. Curiously, the file ntds.dit is continuously used by the system and cannot be copied using standard tools. An example of a command launching the utility the attackers used for this (sc64.exe) is shown below:\r\nc:\\programdata\\microsoft\\sc64.exe c:\\windows\\ntds\\ntds.dit c:\\programdata\\microsoft\\ntds.dit\r\nUsing the contents of the system registry and the file ntds.dit, the attackers were able to get logins and password hashes for all users of the domain. Next, the attackers used hash cracking to gain authentication credentials for most users from the attacked organization’s domain.\r\nIn cases where an attacked organization’s IT infrastructure includes several domains, the attackers analyzed trust relationships between the domains to identify accounts allowing them to move laterally:\r\nnltest /domain_trusts\r\nThe authors of the research mentioned above attribute the attacks they describe to the activity of Chinese-speaking APT groups, pointing to TA428 as one of the most likely perpetrators.\r\nIndicators of compromise
Domain Names and IP addresses\r\nDetection \u0026 Response\r\nSplunk:\r\nsource=\"WinEventLog:*\" AND (((TargetFilename=\"*8.t\" OR TargetFilename=\"*.t\" OR TargetFilename=\"*strsrv.wll\") AN\r\nQradar:\r\nSELECT UTF8(payload) from events where (LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' an\r\nElastic Query:\r\n((file.path.text:(*8.t OR *.t OR *strsrv.wll) AND file.path.text:(*\\\\Users\\*\\\\Downloads\\* OR *\\\\Users\\*\\\\Conten\r\nCarbonBlack:\r\n((filemod_name:(*8.t OR *.t OR *strsrv.wll) AND filemod_name:(*\\\\Users\\*\\\\Downloads\\* OR *\\\\Users\\*\\\\Content.Ou\r\nGrayLog:\r\n((TargetFilename.keyword:(*8.t *.t *strsrv.wll) AND TargetFilename.keyword:(*\\\\Users\\*\\\\Downloads\\* *\\\\Users\\*\\\r\nLogpoint:\r\n((TargetFilename IN [\"*8.t\", \"*.t\", \"*strsrv.wll\"] TargetFilename IN [\"*\\\\Users\\*\\\\Downloads\\*\", \"*\\\\Users\\*\\\\C\r\nMicrosoft Defender:\r\nDeviceFileEvents | where (((FolderPath endswith \"8.t\" or FolderPath endswith \".t\" or FolderPath endswith \"strsr\r\nMicrosoft Sentinel:\r\nSecurityEvent | where EventID == 11 | where (((TargetFilename endswith '8.t' or TargetFilename endswith '.t' o\r\nSumoLogic:\r\n(_sourceCategory=*windows* AND ((((\"8.t\" OR \".t\" OR \"strsrv.wll\") AND ((\"\\Users\\\" AND \"\\Downloads\\\") OR (\"\\User\r\nRSA Netwitness:\r\n(((TargetFilename contains '8\\.t', '.t', 'strsrv\\.wll') \u0026\u0026 (TargetFilename contains '\\Roaming\\\\Microsoft\\\\Word\\\r\nSource/References: ics-cert.kaspersky.com/publications/reports/2022/08/08/targeted-attack-on-industrial-enterprises-and-public-institutions/#lkyvqfi875ftflu9\r\nSource: https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/"
	],
	"report_names": [
		"chinese-new-backdoor-deployed-for-cyberespionage"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1",
			"created_at": "2023-01-06T13:46:39.042499Z",
			"updated_at": "2026-04-10T02:00:03.194713Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"BRONZE DUDLEY",
				"Colourful Panda"
			],
			"source_name": "MISPGALAXY:TA428",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439117,
	"ts_updated_at": 1775791998,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cbfa634c4e30da58581aa4879f925ef57079e628.pdf",
		"text": "https://archive.orkl.eu/cbfa634c4e30da58581aa4879f925ef57079e628.txt",
		"img": "https://archive.orkl.eu/cbfa634c4e30da58581aa4879f925ef57079e628.jpg"
	}
}