{
	"id": "2a07b2ed-2a2a-41f0-be67-4aa131d54a09",
	"created_at": "2026-04-06T00:18:08.567773Z",
	"updated_at": "2026-04-10T03:36:06.728023Z",
	"deleted_at": null,
	"sha1_hash": "cc14bd469329cc64656b001ac5cced227d829cc7",
	"title": "Shadows with a chance of BlackNix",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8457955,
	"plain_text": "Shadows with a chance of BlackNix\r\nBy asuna amawaka\r\nPublished: 2020-05-06 · Archived: 2026-04-05 14:02:26 UTC\r\nIn the last post, I did an analysis of a set of BBSRAT samples that are characterized by unique mutexes (cc5d64b344700e403e2sse, cc5d6b4700e403e2sse, cc5d6b4700032eSS) and call back to a known Winnti Group C2 (bot[.]googlerenewals[.]net). In this post, I’m going to continue the analysis with samples related to the above-mentioned mutexes.\r\nWhen I started on this analysis journey, I was hoping to find more BBSRAT samples. However, the results I arrived at deviated from expectations, and instead I found a set of dropper malware that used the same mutexes as those found in the BBSRAT samples I analyzed. The final payload dropped by these droppers is the BlackNix RAT. Pivoting from the C2 called by this BlackNix RAT, more BlackNix RATs were found on VirusTotal. I was unable to find any technical blogs on the BlackNix RAT, and hence, here I am.\r\nThe following diagram is a sort of a “signpost” for this writing.\r\nLet’s dip into the first dropper!\r\nProject1.exe\r\nhttps://medium.com/insomniacs/shadows-with-a-chance-of-blacknix-badc0f2f41cb\r\nPage 1 of 28\n\nThe following files are likely from the same source code:\r\ndaaa061c88b197fa92d9648306e79875e3a24f392550dacaabd22e5fdba53ebf\r\n75dc821013fe92ef93cefa47d3fe83ad5ce90658e8ef01fcdb0b11652397abec\r\nJudging from the executables’ icon, it looks like the samples are written with Borland Delphi 7, and sadly the executables’ compilation timestamps are 1992–06–19 22:22:17 (a well-known bug in Delphi 4–2006). I didn’t really look into which versions are affected by the compilation time bug, because that’s beside the point. The samples’ compilation time can still be deduced from the timestamp within the executables’ resources (thanks to Adam’s old post on this[1]).\r\nThis dropper drops two files, system.exe and systemm.exe, into %USERPROFILE%\\Pictures, executes them, and writes a diskshadow.exe to C:\\ProgramData\\Microsoft\\DeviceSync\\.\r\nsystem.exe, systemm.exe\r\nSHA256: AEB61477C3F4F2D76AF0DC97B19B01F73C8ADA1FCE91D66E8B0E489E2E807430\r\nExecuting system.exe creates a service that runs the same executable within the service’s context:\r\nC:\\Windows\\System32\\sc.exe create SESSRV binpath= \"cmd /c \\\"C:\\Users\\asuna\\Pictures\\system.exe\\\"\"\r\nC:\\Windows\\System32\\net.exe start SESSRV\r\nThe mutexes are set during the execution of system.exe and systemm.exe.\r\nsystemm.exe attempts to copy diskshadow.exe to a network location, \\\\TSCLIENT\\%userprofile%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\. The sample also attempts to locate and copy a 1.jpg.lnk within the same directory as diskshadow.exe, but this file was not created by the previous dropper.\r\nIn short, the sample’s job is to copy the payload diskshadow.exe to a host that is connected to the current victim via RDP and set it to persist at startup. This is possibly a tool meant for lateral movement within the victim network. The same technique is also found in the execution of the BBSRAT samples analyzed previously. 
The following screen captures reference one of the BBSRAT trinity files, lockdown.dll (MD5: 166D28FF69019D9991EECBD26DC1E266):\r\nCopy file to network location. Left: system.exe; Right: lockdown.dll\r\nThe mutexes are used in the same way as in the BBSRAT samples.\r\nOne of the places where the mutex is set. Left: system.exe; Right: lockdown.dll\r\nGiven that even the sleep counter is identical, I would suspect that the two executables might share the same “base code” (or perhaps were copied from the same “reference code”). The proximity of their compilation times also suggests that perhaps the same author is behind both executables.\r\nSystem.exe: 13 May 2018 19:34:27\r\nLockdown.dll: 6 May 2018 17:59:24\r\nSame sleep counter. Left: system.exe; Right: lockdown.dll\r\nEnough of the dropper, let’s look at the actual evil payload now.\r\nDiskshadow.exe\r\nUPX section names\r\nWith just one look at it, we’d know it’s UPX-packed. So let’s unpack it quickly.\r\nAfter unpacking:\r\nMD5: 40835ED7C92F33F7F377D4472228CB65\r\nSHA1: 033E97D4AC3AE3CEC00A206F2AD5CCC922DBD326\r\nSHA256: C5BAB78FCA3DB0CE5FFFF5838A5A4A93D930E715DED1CBD8A5B3CAF0CDCE803C\r\nWith the assistance of Procmon, we can see that the binary drops two files, intel.exe and inte.exe, into the C:\\intel directory. I located the code responsible for creating the files (refer to the screen capture below). The binary also sets up two persistence mechanisms. Note the presence of Simplified Chinese words within the name of the registry key — 更新计划程序 (translates to “Update Schedule Program”). This is not the only place where Simplified Chinese words are observed.\r\nregsetval sz HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run \"intel更新计划程序\" \"c:\\intel\\inte.exe\"',0\r\nshortcut \"c:\\intel\\inte.exe\" \"~$folder.startup$\" \"Windows Calculator\"\r\nSet persistence\r\nThe two files dropped are:\r\nintel.exe\r\nSHA256: 12459A5E9AFDB2DBFF685C8C4E916BB15B34745D56EF5F778DF99416D2749261\r\nThis is the NirCmd executable from NirSoft. NirCmd is a small command-line utility that allows you to do some useful tasks without displaying any user interface.\r\ninte.exe\r\nSHA256: F46520C2284E20C42AFA6E9B90E380735BFDF29817828369D5F1270A887E6979\r\nThis is the actual BlackNix RAT, which is the meat that we want to analyze.\r\nBoth diskshadow.exe and inte.exe are written in Borland Delphi and their compilation datetime stamps are as follows:\r\nFile: C:\\ProgramData\\Microsoft\\DeviceSync\\diskshadow.exe\r\nPE Comp.: 1992–06–19 22:22:17 2A425E19, 708992537\r\n.rsrc comp.: 2018–10–22 22:50:06 4D56B643, 1297528387\r\nFile: C:\\Intel\\inte.exe\r\nPE Comp.: 1992–06–19 22:22:17 2A425E19, 708992537\r\n.rsrc comp.: 2018–10–22 22:49:20 4D56B62A, 1297528362\r\nJudging from the compilation datetimes, they might be the output of a generator. Here, I could also make a guess at the order in which the files were prepared.\r\ninte.exe\r\nAs with my usual style, I will start with a quick look at strings to try to guess the behaviour of the sample, before diving into dynamic and static analysis. Fortunately, the sample contains many helpful and descriptive strings that can help us deduce the features that this RAT provides, including Keylogger, FileManager, ProcessManager etc. Pretty typical RAT stuff.\r\nA YARA rule hit\r\nThe sample happened to match James_inthe_box’s YARA rule[2] on BlackNix RAT:\r\nrule BlacknixRAT_bin {\r\n    meta:\r\n        description = \"BlacknixRAT\"\r\n        author = \"James_inthe_box\"\r\n        reference = \"https://app.any.run/tasks/e3d845db-09b5-462d-8290-cbb4bb4a505f/\"\r\n        date = \"2019/02\"\r\n        maltype = \"RAT\"\r\n    strings:\r\n        $string1 = \"[Random-Number-Here]\"\r\n        $string2 = \"ScreenCapture\"\r\n        $string3 = \"TScreenSpy\"\r\n        $string4 = \"KeyLogger\"\r\n        $string5 = \"RemoteShell\"\r\n    condition:\r\n        uint16(0) == 0x5A4D and all of ($string*) and filesize \u003c 2000KB\r\n}\r\nBased on the strings seen above, the strings that matched the YARA rule did not look unique enough to confirm that this is indeed a BlackNix RAT. James_inthe_box also provided a snort rule:\r\nalert tcp any any -\u003e any 80 (msg:\"Blacknix RAT Detected\"; flow:established,to_server; content:\"|32|\"; depth:1; content:\"|7c 78 01 6d 8e|\"; within:10; reference:url,https://app.any.run/tasks/e3d845db-09b5-462d-8290-cbb4bb4a505f/; classtype:trojan-activity; sid:20166298; rev:1; metadata:created_at 2019_07_18;)\r\nLet’s see what we have in the network data.\r\nYup, I see a 7C 78 01, but that’s not an exact match with the pattern in the snort rule. Hang on a second... 78 01 looks like the zlib magic header. There we go!\r\nI noticed some weird characters, which could be indicative of Unicode (maybe Chinese…?). Let’s try.\r\nIndeed! 初始 is translated to mean Initial Start, and “2核2808” might mean 2 Cores (probably referring to the CPU cores). I’ll step through the code that forms this data in a bit. Now, let us try to confirm whether this callback belongs to the BlackNix family.\r\nThe YARA and snort rules mentioned above referenced a sample (SHA256: A4DA694DED531EC60CA5A242C554B6A7062E12FF633D34656C4CA9DF86E42DD5). Let’s sidetrack and see what this sample does.\r\nThis sample is packed with VMProtect, so to save time, I’m just going to execute it and see what happens. Upon execution, a new file phpalpha.exe is created in C:\\Intel\\ExtremeGraphics\\CUI\\Resource. Turns out the file has the same hash as the parent binary.\r\nThe network callback looks like this:\r\nWe already know that’s a zlib header, so let’s use CyberChef to view the inflated data:\r\nInteresting. The data structure and keywords are identical. Now I can say that the sample (SHA256: A4DA694DED531EC60CA5A242C554B6A7062E12FF633D34656C4CA9DF86E42DD5) and our sample (inte.exe, SHA256: F46520C2284E20C42AFA6E9B90E380735BFDF29817828369D5F1270A887E6979) belong to the same family. Is it really BlackNix though?\r\nWith the C2, everything is easier\r\nWith some help from Google search, I found a copy of a BlackNix C2 component :D\r\nThe C2 executable comes with the ability to generate the “server” component. This naming convention is common in RATs, where the malware client is typically referred to as the “server”, and the C2 is the “client”.\r\nThe following is one of the default profiles loaded with the C2:\r\nFor the ease of testing, I changed some of the values when generating our test binary. The generator even comes with the option of UPX-packing the generated binary if the user wishes.\r\nInspecting the strings within the generated binary, we can quickly identify some familiar keywords.\r\nI’ve written a quick script to read the strings from the default settings. This will come in useful later, when comparing these strings across different samples.\r\nHere’s the output of running the script:\r\nIt appears that these SETTINGS strings have nothing to do with the configuration set when generating the binary. The default connection password within the C2 is “admin”, and notice that even if I changed the password when generating the binary, the new password does not get inserted into this SETTINGS data. These may be part of a “stub” that comes with the C2 executable and is inserted into every generated binary. I think this may be a helpful piece of information when trying to identify if a set of BlackNix RATs is communicating with the same C2 executable (or at least the same version).\r\nTake a look at the network communications.\r\nThe first thing that I noticed was the difference in the way the “Processor” information is being formatted. Remember there were some Chinese words (2核2808) that I thought referred to Processor Cores? In the data sent from this test binary, the processor information was simply a “2808” (referring to 2808 MHz, which is indeed the setup of my VM).\r\nConnected victim on C2 dashboard\r\nLet’s get back to the sample we have at hand.\r\nI did an in-depth analysis of how the first beacon’s data structure is formed within inte.exe.\r\nEarlier I mentioned some SETTINGS strings. These are the strings that are populated into a data structure, and some of these values are later copied into the first beacon data.\r\nReading strings from SETTINGS\r\nLet’s compare the default SETTINGS strings found in the generated BlackNix binary and inte.exe.\r\nThe following code is responsible for building the structure to be sent in the first beacon:\r\nThe following is the deduced first beacon’s data structure sent from inte.exe to its C2.\r\nOnConnect|Default 初始|Username|Username|Computer Name|IP Address|Hardcoded Space|Locale|Is Machine Idle?|Locale|Language|Account Privilege|Processor|Memory|Foreground Window Text|OS|Default False|Default False|%Root%|%Desktop%|%MyDocuments%|%AppData%|Locale|Server authentication password|ProdID, InstallDate|\r\nNow we can play spot-the-differences. We can guess what each of these fields means by looking at what can be seen on the dashboard, without reverse engineering the binary.\r\nThe following is the deduced first beacon’s data structure sent from the test BlackNix binary.\r\nOnConnect|Assigned Group|Assigned Name|Username|Computer Name|IP Address|Webcam Installed?|C2 Version|?|Locale|Language|Account Privilege|Processor|Memory|OS|True/False?|True/False?|%Root%|%Desktop%|%MyDocuments%|%AppData%|Locale|Server authentication password|?|\r\nComparison of fields within data structure sent to C2\r\nYes! inte.exe is a BlackNix RAT, but has a different/modified C2 component?\r\nWhat I did above proved that the inte.exe sample is indeed a BlackNix RAT, judging from the highly similar data structure within the initial beacon and the similarities found within the executables. However, since some fields in the communicated data are interpreted differently, I’m guessing there is a customised C2 that the adversary is using. I am not even able to tell the version number of the C2 from the sample; perhaps it is not important for the adversary. However, the SETTINGS strings found within the samples could be a way for us to differentiate variants.\r\nSo far, I’ve walked through the analysis of this set of files:\r\n· 1st level droppers (Project1.exe)\r\ndaaa061c88b197fa92d9648306e79875e3a24f392550dacaabd22e5fdba53ebf\r\n75dc821013fe92ef93cefa47d3fe83ad5ce90658e8ef01fcdb0b11652397abec\r\n· 2nd level droppers (diskshadow.exe)\r\nf0311ede2dd5e752411bf181626e3cdb36737affe67ddeb8af028d0c44355886\r\nc5bab78fca3db0ce5ffff5838a5a4a93d930e715ded1cbd8a5b3caf0cdce803c\r\n· BlackNix RAT (inte.exe)\r\nf46520c2284e20c42afa6e9b90e380735bfdf29817828369d5f1270a887e6979\r\nI’ve verified that the sample inte.exe is indeed a BlackNix RAT and communicates with a custom BlackNix C2 at IP address 112.213.107[.]134.\r\nRelated to this IP address, other possible BlackNix RAT samples were found on VirusTotal:\r\nIn addition, one other BlackNix RAT sample was mentioned by james_inthe_box[2]. Based on SSDEEP similarity, another sample was found.\r\nNext, we shall see if all these samples send data in the same structure as what we have analyzed previously. If they do, then perhaps these are all related in some way and are not “wild” BlackNix RATs.\r\nSet 1 binaries\r\nExecution of these binaries will result in errors. Upon closer look, the errors happen because some part of the binary seems to be corrupted. Whether this is a deliberate “disarm” attempt or due to a bug, I can’t tell.\r\nCause of error at address 0x4CDE53\r\nCause of error at address 0x4CE084\r\nJust patch the areas with the corresponding bytes from inte.exe to fix the problems. The following screenshots show the highlighted areas after patching.\r\nPatch to solve error at 0x4CDE53\r\nPatch to solve error at 0x4CE084\r\nFrom the network packet, it looks like the data structures are identical to what we saw in inte.exe. This is verified with a comparison of the function that is responsible for building the structure. This is not surprising, as they all call back to the same IP address.\r\nSet 2 binaries\r\nThese binaries are different, because they are VMProtect-packed, which means that I cannot simply throw them into IDA Pro and hope to do function comparisons.\r\nThese binaries require administrator privileges to execute, as they will spawn a svchost.exe process for injection. Knowing this behaviour, we can dump the unpacked executable from memory at the moment the injection happens. A breakpoint on ntdll.dll’s NtWriteVirtualMemory will do the trick.\r\nNtWriteVirtualMemory(\r\n    IN HANDLE ProcessHandle,\r\n    IN PVOID BaseAddress,\r\n    IN PVOID Buffer,\r\n    IN ULONG NumberOfBytesToWrite,\r\n    OUT PULONG NumberOfBytesWritten OPTIONAL );\r\nThe idea is to watch for a call to NtWriteVirtualMemory with a handle to svchost.exe, and let it run till all the sections have been copied. We would know it’s done when NtResumeThread is called.\r\nAfter dumping the executable from memory, we would have to fix the section headers’ raw addresses before we can use IDA Pro to look at it. I’ve mentioned how to do this with CFF Explorer in one of my earlier posts.\r\nA quick look at strings within this dumped file reveals the tell-tale BlackNix strings:\r\nThe SETTINGS strings look identical to what was seen in inte.exe, including the Chinese words 初始 and the server password ‘root’. The function that is responsible for reading the SETTINGS strings and building the callback data structure is identical to inte.exe’s as well (and hence the callback data structure is also the same). I am certain that we are looking at the same variant of BlackNix RAT here.\r\nSo, they are all the same BlackNix variant. Now what?\r\nThis journey started from some unique mutexes found in a piece of malware (one BBSRAT) that calls back to known Winnti Group infrastructure. The same set of mutexes, some overlaps in code logic (in the naming of files and lateral movement using RDP shared drives), as well as close time proximity in compilation timestamps, suggested a relationship between that one BBSRAT and the set of BlackNix RATs (Project1.exe).\r\nIn addition to the mutexes, I noticed other similarities between Project1.exe’s execution and the Trochilus RAT dropper csres.exe described in Trend Micro’s Uncovering DRBControl report[3], specifically in the names of the files and service created and the path to the malicious binary:\r\n- system.exe\r\n- SESSRV\r\n- c:\\ProgramData\\Microsoft\\DeviceSync\r\nI am reminded of my earlier speculation that system.exe is a generic tool used to deliver/spread the payload (be it BlackNix or Trochilus RAT). I’ll never know for sure till I get my hands on some more samples ;)\r\nLast Words\r\nIs Winnti Group also behind the set of BlackNix RATs that were under scrutiny in this post? There might be a good chance this is true. However, one other interesting finding that I came across was that the C2 domain msdnsoft[.]lang32[.]com as well as the corresponding binary (SHA256: 873dfa94f924d59ceff4efb277fef5a251d7b648605c5239fc2ac0885ba32bd5) were linked to an adversary group named “Lang32” by QiAnXin Technology[4]. This adversary group is said to target victims in Southeast Asia. Perhaps I should look into the tools used by this group as well…\r\nBut that’s a different long story for another time; that’s it for now!\r\nReferences:\r\n[1]: http://www.hexacorn.com/blog/2014/12/05/the-not-so-boring-land-of-borland-executables-part-1/\r\n[2]: https://twitter.com/james_inthe_box/status/1151972438692921344\r\n[3]: “Operation DRBControl: Uncovering a Cyberespionage Campaign Targeting Gambling Companies in Southeast Asia”, Trend Micro, 18 Feb 2020\r\n[4]: https://www.secrss.com/articles/12463\r\n~~\r\nDrop me a DM if you would like to share findings or samples ;)\r\nSource: https://medium.com/insomniacs/shadows-with-a-chance-of-blacknix-badc0f2f41cb",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/insomniacs/shadows-with-a-chance-of-blacknix-badc0f2f41cb"
	],
	"report_names": [
		"shadows-with-a-chance-of-blacknix-badc0f2f41cb"
	],
	"threat_actors": [
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e254cf33-e7f5-407b-a8a1-1a856a9f1c71",
			"created_at": "2025-01-21T02:00:03.599871Z",
			"updated_at": "2026-04-10T02:00:03.804511Z",
			"deleted_at": null,
			"main_name": "Operation DRBControl",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation DRBControl",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6d2910b0-9fea-46a2-84e6-a043b1e023e4",
			"created_at": "2022-10-25T16:07:23.946958Z",
			"updated_at": "2026-04-10T02:00:04.80291Z",
			"deleted_at": null,
			"main_name": "Operation DRBControl",
			"aliases": [],
			"source_name": "ETDA:Operation DRBControl",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434688,
	"ts_updated_at": 1775792166,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc14bd469329cc64656b001ac5cced227d829cc7.pdf",
		"text": "https://archive.orkl.eu/cc14bd469329cc64656b001ac5cced227d829cc7.txt",
		"img": "https://archive.orkl.eu/cc14bd469329cc64656b001ac5cced227d829cc7.jpg"
	}
}