{
	"id": "a6cbf16a-1855-47d2-8983-0476694ac785",
	"created_at": "2026-04-06T00:06:35.305004Z",
	"updated_at": "2026-04-10T03:20:00.030042Z",
	"deleted_at": null,
	"sha1_hash": "d273a24e29e8dc3a4f38454feca434c4f70cbd49",
	"title": "New Malware with Ties to SunOrcal Discovered",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 528566,
	"plain_text": "New Malware with Ties to SunOrcal Discovered\r\nBy Josh Grunzweig, Jen Miller-Osborn\r\nPublished: 2017-11-10 · Archived: 2026-04-02 12:23:06 UTC\r\nSummary\r\nUnit 42 has discovered a new malware family we’ve named “Reaver” with ties to attackers who use SunOrcal\r\nmalware. SunOrcal activity has been documented to at least 2013, and based on metadata surrounding some of the\r\nC2s, may have been active as early as 2010. The new family appears to have been in the wild since late 2016 and\r\nto date we have only identified 10 unique samples, indicating it may be sparingly used. Reaver is also somewhat\r\nunique in the fact that its final payload is in the form of a Control panel item, or CPL file. To date, only 0.006% of\r\nall malware seen by Palo Alto Networks employs this technique, indicating that it is in fact fairly rare.\r\nWhile we don’t have information on the intended targets in this case, previous reports on this activity have\r\nidentified targeting primarily among the “Five Poisons” which are movements the Chinese government perceives\r\nas dangerous. They are:\r\nUyghurs, particularly those supporting East Turkestan independence\r\nTibetans, particularly those supportive of Tibetan independence\r\nFalun Gong practitioners\r\nSupporters of Taiwan independence\r\nSupporters of Chinese democracy\r\nThe attackers used both families concurrently from late last year through November 2017 and there is some C2\r\ninfrastructure overlap between the two families, as well as links to historical reporting.  We explore those ties and\r\nprovide an in-depth analysis of the new malware below.\r\nReaver Malware Analysis\r\nTo date, Palo Alto Networks Unit 42 has identified 10 unique samples and three distinct variants of a new malware\r\nfamily we have named “Reaver”. 
As such, we identify each variant as Reaver.v1, Reaver.v2, and Reaver.v3.\r\nReaver.v1 has been observed delivering a payload that uses HTTP for network communication, while versions 2\r\nand 3 use a payload that uses raw TCP connections for this communication.\r\nhttps://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/\r\nPage 1 of 10\n\nThe flow for Reaver is as shown:\r\nFigure 1 Reaver execution flow diagram\r\nReaver.v1\r\nThe earliest variant of Reaver begins by attempting to enable the SeDebugPrivilege privilege for the running\r\nprocess. In the event this is successful, the malware will use the following path to store any dropped files:\r\n%COMMONPROGRAMFILES%\\services\\\r\nIn the event it is not successful, this alternative path will be used instead:\r\n%APPDATA%\\microsoft\\mmc\\\r\nIt proceeds to load and decrypt an embedded bitmap resource file. This decrypted data is written to the following\r\nlocation:\r\n%TEMP%\\WUpdate.~tmp\r\nThis ‘WUpdate.~tmp’ file is then copied to a filename of ‘Applet.cpl’, which is placed in the previously identified\r\nfile path.\r\nThe malware proceeds to identify the file path of either the common startup folder, or the user’s startup folder,\r\ndepending on whether the SeDebugPrivilege privilege was obtained. In the event this privilege was obtained, the\r\ncommon startup folder is queried by reading the following registry key:\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup\r\nAlternatively, if the privilege could not be obtained, Reaver.v2 will obtain the user’s startup folder by\r\nquerying the following registry key:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup\r\nReaver proceeds to write a shortcut file to ‘%TEMP%\\~WUpdate.lnk’. 
This file is then copied to a filename of\r\n‘Windows Update.lnk’, which is placed in the startup path previously identified. This shortcut file points to the\r\npath of the previously written ‘Applet.cpl’ file. Finally, Reaver.v1 will execute the ‘~WUpdate.lnk’ file in a new\r\nprocess, thus loading the recently dropped malicious CPL file.\r\nReaver.v2\r\nReaver.v2 begins by attempting to enable the SeDebugPrivilege privilege for the running process. In the event this\r\nis successful, the malware will use the following path to store any dropped files:\r\n%COMMONPROGRAMFILES%\\services\\\r\nIn the event it is not successful, this alternative path will be used instead:\r\n%APPDATA%\\microsoft\\mmc\\\r\nReaver.v2 proceeds to decrypt an embedded file using a simple XOR obfuscation routine. This file is written to\r\nthe following file path:\r\n%TEMP%\\Update.~tmp\r\nAfter the file is written, it is then copied to a filename of ‘winhelp.cpl’ in the directory that was initially chosen.\r\nAfter this file is copied, the original ‘Update.~tmp’ file is deleted. At this stage the malware will identify the\r\ncorrect startup path using the same technique witnessed in earlier variants.\r\nA shortcut file is generated in the following path:\r\n%TEMP%\\~Update.lnk\r\nThis ‘~Update.lnk’ file is then copied to a filename of ‘Windows help.lnk’, which is placed in the startup path\r\npreviously identified. This shortcut file points to the path of the previously written ‘winhelp.cpl’ file. It will\r\nspecifically load this CPL file via a call to the built-in Microsoft Windows ‘control.exe’ utility. 
Finally, Reaver.v2\r\nwill execute the ‘~Update.lnk’ file in a new process, thus loading the recently dropped malicious CPL file.\r\nReaver.v3\r\nLike Reaver.v2, Reaver.v3 begins by attempting to enable the SeDebugPrivilege privilege for the running process.\r\nIn the event this is successful, the malware will use the following path to store any dropped files:\r\n%COMMONPROGRAMFILES%\\services\\\r\nIn the event it is not successful, this alternative path will be used instead:\r\n%APPDATA%\\microsoft\\credentials\\\r\nReaver.v3 proceeds to write an embedded Microsoft Cabinet (CAB) file to the following location:\r\n%TEMP%\\winhelp.dat\r\nThis cabinet file is then extracted to the previously identified file path. The contents of this cabinet file consist of a\r\nMicrosoft Control Panel item with a filename of ‘winhelp.cpl’.\r\nMuch like the previous version of Reaver, Reaver.v3 will query the necessary registry keys to determine the\r\ncorrect startup path to use. Again, a shortcut file is written to the %TEMP% path with a name of ‘~Update.lnk’,\r\nwhich is in turn copied to the identified startup path with a filename of ‘Windows help.lnk’. This shortcut file calls\r\nthe built-in ‘control.exe’ utility to in turn load the previously dropped malicious CPL file of ‘winhelp.cpl’.\r\nFinally, the malware calls the ‘winhelp.cpl’ file in a new process via the following command:\r\ncontrol [path_previously_identified]\\winhelp.cpl\r\nReaver HTTP Payload\r\nThe malicious CPL payload of Reaver has the following two exported functions:\r\nCPlApplet\r\nDllEntryPoint\r\nWhen the CPlApplet function is loaded, Reaver will initially determine whether the SeDebugPrivilege privilege can\r\nbe obtained. The malware proceeds to decrypt an embedded configuration of 128 bytes using a simple XOR\r\nroutine. 
An example decrypted configuration is shown below:\r\n00000000: 77 77 77 2E 74 61 73 68  64 71 64 78 70 2E 63 6F  www.tashdqdxp.co\r\n00000010: 6D 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  m...............\r\n00000020: 38 30 00 00 00 00 00 00  00 00 00 00 00 00 00 00  80..............\r\n00000030: 33 30 00 00 00 00 00 00  00 00 00 00 00 00 00 00  30..............\r\n00000040: 57 69 6E 64 6F 77 73 20  55 70 64 61 74 65 00 00  Windows Update..\r\n00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................\r\n00000060: 41 70 70 6C 65 74 00 00  00 00 00 00 00 00 00 00  Applet..........\r\n00000070: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................\r\nAs we can see, the following information is present within this configuration:\r\nRemote Command and Control (C2) server\r\nRemote port\r\nSleep timer\r\nReaver continues to collect various information from the victim machine, including the following:\r\nCPU speed\r\nComputer name\r\nUsername\r\nIP Address\r\nMicrosoft Windows version\r\nPhysical and virtual memory information\r\nThe malware proceeds to communicate with the remote server via HTTP GET and POST requests. Data that is\r\nsent is compressed and then base64-encoded before being included in the requests.\r\nWe have observed the following capabilities of this payload:\r\nGet drive information\r\nRead files\r\nWrite files\r\nDelete files\r\nMove files\r\nSpawn processes\r\nCreate directories\r\nReaver TCP Payload\r\nThe malicious CPL payload of Reaver has the following three exported functions:\r\nServiceMain\r\nCPlApplet\r\nDllEntryPoint\r\nWhen the malware is initially loaded, DllEntryPoint will be called, which in turn will call a function that is\r\nresponsible for decompressing a blob of data. 
The decompressed data consists of various key/value pairings that\r\nrepresent important strings used by Reaver. An example of this decompressed data can be seen below:\r\nRA@10001=ole32.dll\r\nRA@10002=CoCreateGuid\r\nRA@10003=Shlwapi.dll\r\nRA@10004=SHDeleteKeyA\r\nRA@10005=wininet.dll\r\nRA@10006=InternetOpenA\r\n[TRUNCATED]\r\nRA@10288=%s\\%s\r\nRA@10289=CMD.EXE\r\nRA@10290=%s=\r\nRA@10311=\\%sctr.dll\r\nRA@10312=\\uc.dat\r\nRA@10313=ChangeServiceConfig2A\r\nRA@10314=QueryServiceConfig2A\r\nWhen the malware wishes to retrieve one of these decoded strings, it will simply call a function with an integer\r\nargument that is responsible for providing it. For example, calling this function with an argument of ‘10001’\r\nwould retrieve a string of ‘ole32.dll’.\r\nThe DllEntryPoint function proceeds to attempt to obtain the SeDebugPrivilege privilege, and also calls\r\nWSAStartup for future network activity.\r\nWhen the CPlApplet function is loaded, it will begin by decompressing an embedded configuration using the\r\nsame compression algorithm used previously. An example of this decompressed configuration may be seen below:\r\nFigure 2 Decompressed Reaver configuration\r\nThis configuration contains multiple pieces of information, including the following:\r\nNetwork port\r\nSleep timer between network requests\r\nRemote Command and Control (C2)\r\nService Name\r\nService Description\r\nService Display Name\r\nHardcoded String. This may be either a campaign identifier, or perhaps a malware versioning string.\r\nThe malware proceeds to check to see if the original dropped malware file exists. In the event it does, Reaver will\r\nmove this file to ‘%TEMP%\\~FJIOW.tmp’ and delete this new file. 
This simply acts as cleanup to ensure original\r\nfile artifacts no longer reside on the infected machine. Reaver will then install itself as a service in the event it is\r\nrunning with SeDebugPrivilege privileges.  The service is configured with a name, description, and display name\r\nthat is provided within the configuration.\r\nReaver continues to collect various information from the victim machine, including the following:\r\nComputer name\r\nVolume serial number\r\nMicrosoft Windows version\r\nCPU speed\r\nANSI code page\r\nOEM code page identifier for the operating system\r\nPhysical and virtual memory information\r\nReaver encrypts this data using an incremental XOR key and uploads it to the configured remote server on the\r\nport specified. The following example Python code shows how this encryption takes place:\r\nc = 0\r\nout = \"\"\r\nfor d in data:\r\n  out += chr((ord(d) ^ ((c % 256) + 92)) \u0026 0xFF)\r\n  c += 1\r\nAfter this data is exfiltrated, the malware expects 8 bytes of data that contains two DWORDs. These DWORDs\r\ncontain both a major command and a sub-command.\r\nThe following capabilities have been observed in this payload:\r\nGet drive information\r\nModify files\r\nModify directories\r\nModify registry\r\nSpawn process\r\nTerminate process\r\nModify services\r\nKill self\r\nTies to SunOrcal\r\nReaver was used concurrently with SunOrcal over the past year, to include two Reaver samples dropped from zip\r\nfiles hosted on a domain also being used as a SunOrcal C2 (www.fyoutside[.]com), and there is also passive DNS\r\noverlap amongst the C2s. Specifically, Reaver to date has used www.tashdqdxp[.]com for C2, which overlaps with\r\nwww.weryhstui[.]com, another C2 used by SunOrcal samples during the same timeframe. Both domains have\r\nresolved to 98.126.156[.]210. 
Several of those same SunOrcal samples were also using www.fyoutside[.]com as\r\nan additional C2.  This led to further C2 ties within SunOrcal samples, to include samples beaconing to\r\nwww.olinaodi[.]com; all of this is shown below in Figure 3. The latter has been previously reported in activity\r\ntargeting Hong Kong democracy activists and that activity is in turn tied to a report targeting Tibetan, Hong Kong,\r\nand Taiwanese activists, and another blog about targeting Taiwanese activists.\r\nFigure 3. Chart showing overlaps between Reaver and SunOrcal. All IOCs are in the appendix at the end of this\r\nblog.\r\nConclusion\r\nThe attackers behind SunOrcal, whose activity dates to at least 2013 and possibly 2010, remain active and are still\r\ndeveloping new custom malware to use against their targets. The new malware, Reaver, appears to have been in\r\nthe wild since late 2016 with less than a dozen known samples, among which there are three variants. It is also\r\nunique in the fact that its final payload is in a CPL file, a technique which Palo Alto Networks has seen with only\r\n0.006% of all malware samples we have analyzed. The attackers used both families concurrently from late last\r\nyear through November 2017 and there is some C2 infrastructure overlap between the two families, as well as\r\nlinks to historical reporting. 
We will continue to monitor these attackers for new activity and report as appropriate.\r\nPalo Alto Networks customers are protected by the following:\r\nWildfire and Traps identify both malware families as malicious.\r\nThe C2 domains are blocked via Threat Prevention.\r\nAutoFocus customers can monitor activity using this malware with the following tags:\r\nReaver\r\nSunOrcal\r\nAppendix\r\nSHA256 – Reaver.v1\r\nSHA256 – Reaver.v2\r\nSHA256 – Reaver.v3\r\nSHA256 – SunOrcal\r\nC2 domains and IP addresses\r\nwww.tashdqdxp[.]com\r\nwww.weryhstui[.]com\r\nwww.fyoutside[.]com\r\nwww.olinaodi[.]com\r\n104.148.70[.]217\r\n98.126.156[.]210\r\nSource: 
https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/"
	],
	"report_names": [
		"unit42-new-malware-with-ties-to-sunorcal-discovered"
	],
	"threat_actors": [],
	"ts_created_at": 1775433995,
	"ts_updated_at": 1775791200,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d273a24e29e8dc3a4f38454feca434c4f70cbd49.pdf",
		"text": "https://archive.orkl.eu/d273a24e29e8dc3a4f38454feca434c4f70cbd49.txt",
		"img": "https://archive.orkl.eu/d273a24e29e8dc3a4f38454feca434c4f70cbd49.jpg"
	}
}