{
	"id": "2279ed2c-7fff-4a3c-b95c-e0e28ea31628",
	"created_at": "2026-04-06T00:19:44.852474Z",
	"updated_at": "2026-04-10T13:13:05.227143Z",
	"deleted_at": null,
	"sha1_hash": "cff6c9dd04d4b28bcbce95f397aea245420cb7f9",
	"title": "The Icefog APT Hits US Targets With Java Backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 155136,
	"plain_text": "The Icefog APT Hits US Targets With Java Backdoor\r\nBy Vitaly Kamluk\r\nPublished: 2014-01-14 · Archived: 2026-04-05 14:54:19 UTC\r\nIn September 2013, we published our extensive analysis of Icefog, an APT campaign that focused on the supply chain – targeting government institutions, military contractors, maritime and ship-building groups.\r\nIcefog, also known as “Dagger Panda” in Crowdstrike’s naming convention, infected targets mainly in South Korea and Japan. You can find our Icefog APT analysis and detailed report here.\r\nSince the publication of our report, the Icefog attackers went completely dark, shutting down all known command-and-control servers. Nevertheless, we continued to monitor the operation by sinkholing domains and analysing victim connections. During this monitoring, we observed an interesting type of connection which seemed to indicate a Java version of Icefog, referred to from here on as “Javafog”.\r\nMeet “Lingdona”\r\nThe Icefog operation has been operational since at least 2011, with many different variants released during this time. For Microsoft Windows PCs, we identified at least 6 different generations:\r\nThe “old” 2011 Icefog – sends stolen data by e-mail; this version was used against the Japanese House of Representatives and the House of Councillors in 2011.\r\nType “1” “normal” Icefog – interacts with command-and-control servers via a set of “.aspx” scripts.\r\nType “2” Icefog – interacts with a script-based proxy server that redirects commands from the attackers to another machine.\r\nType “3” Icefog – a variant that uses a certain type of C\u0026C server with scripts named “view.asp” and “update.asp”.\r\nType “4” Icefog – a variant that uses a certain type of C\u0026C server with scripts named “upfile.asp”.\r\nIcefog-NG – communicates by direct TCP connection to port 5600.\r\nIn addition to these, we also identified “Macfog”, a native Mac OS X implementation of Icefog that infected several hundred victims worldwide.\r\nBy correlating registration information for the different domains used by the malware samples, we were able to identify 72 different command-and-control servers, of which we managed to sinkhole 27.\r\nOne interesting domain in particular was “lingdona[dot]com”, which expired in September 2013 and which we took over in October 2013. Here’s what the original contact information looked like:\r\nDomain Name: LINGDONA.COM\r\nRegistrant Contact:\r\nlin ming hua\r\nlin ming kevistin@qq.com\r\ntelephone: +86.031185878412\r\nfax: +86.031185878412\r\nfuzhoushi Fuzhou Shi Fujian Sheng 412141\r\nCN\r\nThe domain was originally hosted in Hong Kong, at IP 206.161.216.214 and 103.20.195.140, and appeared suspicious because of the registration data, which seemed to match other known Icefog domains. As soon as we sinkholed it, we observed a number of suspicious connections, almost every 10 seconds:\r\n69.59.x.x www.lingdona.com - [26/Oct/2013:23:59:39 +0000] \"POST /news/latestnews.aspx?title=2.0_1593925273 HTTP/1.1\" 404 345 \"-\" \"Java/1.7.0_25\"\r\n69.59.x.x www.lingdona.com - [26/Oct/2013:23:59:45 +0000] \"POST /news/latestnews.aspx?title=2.0_1593925273 HTTP/1.1\" 404 345 \"-\" \"Java/1.7.0_25\"\r\n38.100.x.x www.lingdona.com - [26/Oct/2013:23:59:48 +0000] \"GET /news/latestnews.aspx?title=1.1_1254592001 HTTP/1.1\" 404 345 \"-\" \"Java/1.7.0_40\"\r\n38.100.x.x www.lingdona.com - [26/Oct/2013:23:59:58 +0000] \"GET /news/latestnews.aspx?title=1.1_1254592001 HTTP/1.1\" 404 345 \"-\" \"Java/1.7.0_40\"\r\nInterestingly, the User-Agent string indicated that the client could be a Java application; this was unusual because all other Icefog variants used regular IE User-Agent strings.\r\nFinding the sample\r\nWhile we suspected there was a malware sample in the wild connecting to the domain “lingdona[dot]com”, we didn’t have a copy of that particular Icefog trojan.\r\nLuck seemed to strike when we came by a JSUNPACK submission that appeared quite interesting.\r\nIn November 2012, someone submitted an interesting URL to the public JSUNPACK service which was hosted on the “sejonng[dot]org” server, a known Icefog domain. It also appeared to reference “starwars123[dot]net”, another known Icefog domain.\r\nMost interestingly, the HTML page references a Java applet “policyapplet.jar” with a long hexadecimal string parameter named “jar”. Unfortunately, we were not able to recover the “policyapplet.jar” file, which was most likely a Java exploit. Decoding the hexadecimal string, we found another Java applet with the following information:\r\nSize: 8697 bytes\r\nMD5: d26af487534c1d575e747ff240ee6357\r\nLater, we discovered the extracted applet was also uploaded to a virus scanning service around the same time.\r\nThe Javafog\r\nThe “jar” applet caught our attention, so we analysed it to determine how it works.\r\nThe JAR format uses ZIP compression to store the data in compact form. The ZIP header uses timestamps to track when files were added to the archive. This helps in understanding when the JAR file could have been created. Here is the ZIP directory information from the applet:\r\nDate Time Attr Size Compressed Name\r\n---------- --- ------ ------ ------------\r\n2012-10-30 16:47:50 ..... 129 115 META-INF/MANIFEST.MF\r\n2012-10-30 16:47:50 ..... 259 206 META-INF/B8228E45.SF\r\n2012-10-30 16:47:50 ..... 5365 3610 META-INF/B8228E45.RSA\r\n2010-10-29 22:44:06 ..... 7726 4226 JavaTool.class\r\nThis means that the JAR file was most likely created on 30th November 2012, while the main class JavaTool.class was compiled two years before that, on 29th November 2010.\r\nUpon startup, it tries to register itself as a startup entry to achieve persistence. The module writes a registry value to ensure it is automatically started by Windows:\r\n[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\run]\r\nJavaUpdate=%TEMP%\\update.jar\r\nIt is worth noting that the module does not copy itself to that location. It is possible that the missing file “policyapplet.jar” contains the parts of the installation routine.\r\nNext, it enters a loop where it keeps calling its main C\u0026C function, with a delay of 1000ms. The main loop contacts the well known Icefog C\u0026C server – “www.lingdona[dot]com/news” – and interacts with it.\r\nFirst of all, it sends the full system information profile, which the attackers can use to determine if the victim is “interesting” or has any real value. Here’s a PCAP of the conversation:\r\nIn the screenshot above, “title=2.0_1651809722” indicates a unique victim ID that is computed by hashing the hostname. This can be used by the operators to uniquely identify the victim and send commands to it.\r\nAs a reply to the uploaded system information, the backdoor expects an “order”, which can have different values:\r\nCommand – Description\r\nupload_* – Upload a local file specified after the command to the C\u0026C server by URL “%C\u0026C server URL%/uploads/%file name%”. Uploaded data is encrypted with a simple XOR operation with key 0x99.\r\ncmd_UpdateDomain – Migrate to a new C\u0026C server URL specified after the command. The new URL is also written to the file “%TEMP%\\update.dat”.\r\ncmd_* – Execute the string specified after the command using “cmd.exe /c”. The results are uploaded to the C\u0026C server by URL “%C\u0026C server URL%/newsdetail.aspx?title=2.0_%host name%”.\r\nBesides the above, the backdoor doesn’t do much else. It allows the attackers to control the infected system and download files from it. Simple, yet very effective.\r\nGeography of victims\r\nOne might wonder what the purpose of something like the Javafog backdoor is. The truth is that even at the time of writing, detection for Javafog is extremely poor (3/47 on VirusTotal). Java malware is definitely not as popular as Windows PE malware, and can be harder to spot.\r\nDuring the sinkholing operation for the “lingdona[dot]com” domain, we observed 8 IPs for three unique victims of Javafog, all of them in the United States. Interestingly, during the observation period, two of the victims updated the Java version from “Java/1.7.0_25” to “Java/1.7.0_45”.\r\nBased on the IP address, one of the victims was identified as a very large American independent Oil and Gas corporation, with operations in many other countries.\r\nAs of today, all victims have been notified about the infections. Two of the victims have removed it already.\r\nConclusions\r\nWith Javafog, we are turning yet another page in the Icefog story by discovering another generation of backdoors used by the attackers.\r\nIn one particular case, we observed the attack commencing by exploiting a Microsoft Office vulnerability, followed by the attackers attempting to deploy and run Javafog, with a different C\u0026C. We can assume that, based on their experience, the attackers found the Java backdoor to be more stealthy and harder to notice, making it more attractive for long term operations. (Most Icefog operations are very short – the “hit and run” type.)\r\nThe focus on the US targets associated with the only known Javafog C\u0026C could indicate a US-specific operation run by the Icefog attackers; one that was planned to take longer than usual, such as, for instance, long term collection of intelligence on the target. This brings another dimension to the Icefog gang’s operations, which appear to be more diverse than initially thought.\r\nSource: https://securelist.com/the-icefog-apt-hits-us-targets-with-java-backdoor/58209/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/the-icefog-apt-hits-us-targets-with-java-backdoor/58209/"
	],
	"report_names": [
		"58209"
	],
	"threat_actors": [
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5d9dfc61-6138-497a-b9da-33885539f19c",
			"created_at": "2022-10-25T16:07:23.720008Z",
			"updated_at": "2026-04-10T02:00:04.726002Z",
			"deleted_at": null,
			"main_name": "Icefog",
			"aliases": [
				"ATK 23",
				"Dagger Panda",
				"Icefog",
				"Red Wendigo"
			],
			"source_name": "ETDA:Icefog",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Dagger Three",
				"Fucobha",
				"Icefog",
				"Javafog",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434784,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cff6c9dd04d4b28bcbce95f397aea245420cb7f9.pdf",
		"text": "https://archive.orkl.eu/cff6c9dd04d4b28bcbce95f397aea245420cb7f9.txt",
		"img": "https://archive.orkl.eu/cff6c9dd04d4b28bcbce95f397aea245420cb7f9.jpg"
	}
}