{
	"id": "d1c16f10-ccd1-4280-bcd4-aeae21e778de",
	"created_at": "2026-04-06T00:20:02.514221Z",
	"updated_at": "2026-04-10T03:33:35.708441Z",
	"deleted_at": null,
	"sha1_hash": "d2f135f80aca002dbff0cc7c65482bf15928a99e",
	"title": "COMpfun authors spoof visa application with HTTP status-based Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 307647,
	"plain_text": "COMpfun authors spoof visa application with HTTP status-based Trojan\r\nBy GReAT\r\nPublished: 2020-05-14 · Archived: 2026-04-05 14:48:44 UTC\r\nYou may remember that in autumn 2019 we published a story about how a COMpfun successor known as Reductor infected files on the fly to compromise TLS traffic. If you’re wondering whether the actor behind the malware is still developing new features, the answer is yes. Later in November 2019 our Attribution Engine revealed a new Trojan with strong code similarities. Further research showed that it was obviously using the same code base as COMPFun.\r\nWhat’s of interest inside\r\nThe campaign operators retained their focus on diplomatic entities, this time in Europe, and spread the initial dropper as a spoofed visa application. It is not clear to us exactly how the malicious code is being delivered to a target. The legitimate application was kept encrypted inside the dropper, along with the 32- and 64-bit next stage malware.\r\nOverall infection chain. Interestingly, C2 commands are rare HTTP status codes\r\nhttps://securelist.com/compfun-http-status-based-trojan/96874/\r\nPage 1 of 8\n\nWe observed an interesting C2 communication protocol utilizing rare HTTP/HTTPS status codes (see IETF RFC 7231, 6585, 4918). Several HTTP status codes (422-429) from the Client Error class let the Trojan know what the operators want to do. After the control server sends the status “Payment Required” (402), all these previously received commands are executed.\r\nThe authors keep the RSA public key and unique HTTP ETag in encrypted configuration data. Created for web content caching reasons, this marker could also be used to filter unwanted requests to the C2, e.g., those that are from network scanners rather than targets. 
Besides the aforementioned RSA public key to communicate with the C2, the malware also uses a self-generated AES-128 key.\r\nWho is the author?\r\nWe should mention here once again that the COMPfun malware was initially documented by G-DATA in 2014, although the company did not identify which APT was using the malware. Based mostly on victimology, we were able to associate it with the Turla APT with medium-to-low confidence.\r\nWhat the Trojan is able to do\r\nIts functions include acquiring the target’s geolocation, gathering host- and network-related data, keylogging and taking screenshots. In other words, it’s a normal full-fledged Trojan that is also capable of propagating itself to removable devices.\r\nAs in previous malware from the same authors, all the necessary function addresses resolve dynamically to complicate analysis. To exfiltrate the target’s data to the C2 over HTTP/HTTPS, the malware uses RSA encryption. To hide data locally, the Trojan implements LZNT1 compression and one-byte XOR encryption.\r\nEncrypted data | Algorithm | Key source\r\nExfiltrated keystrokes, screenshots, etc. | RSA | Public key from configuration data\r\nConfiguration data in .rsrc section | XOR (plus LZNT1 compression) | Hardcoded one-byte key\r\nParameters inside the HTTP GET/POST requests | AES-128 (plus ETag from config) | Generated by Trojan and shared in beacon\r\nCommands and arguments from C2 for HTTP status 427 (dir, upl, usb, net) | AES-128 | Generated by Trojan and shared in beacon\r\nEncryption and compression used by the Trojan for various tasks\r\nInitial dropper\r\nThe first stage dropper was downloaded from the LAN shared directory. The file name related to the visa application process perfectly corresponds with the targeted diplomatic entities. 
As with all modules with a similar code base, the dropper begins by dynamically resolving all the required Windows API function addresses and puts them into structures. It then decrypts the next stage malware from its resource (.rsrc) section. The algorithm used to decrypt the next stage is a one-byte XOR using the key “0x55”, followed by LZNT1 decompression.\r\nThe following files are dropped to the disk in addition to the original application that the malware tries to mimic:\r\nMD5 hash | File name | Features\r\n1BB03CBAD293CA9EE3DDCE6F054FC325 | ieframe.dll.mui | 64-bit Trojan version\r\nA6AFA05CBD04E9AF256D278E5B5AD050 | ExplorerFrame.dll.mui | 32-bit Trojan version\r\nThe dropper urges users to run the file as administrator (using messages such as “need to run as admin”), then drops the version corresponding to the host’s architecture and sets the file system timestamp to 2013.12.20 22:31.\r\nInterestingly, the dropper’s abilities aren’t limited to PE lures; as an alternative, this stage is also able to use .doc and .pdf files. In such cases, the dropper will open the files using the “open” shell command instead of running the legitimate spoofed executable application.\r\nMain module – HTTP status-based Trojan\r\nSHA256: 710b0fafe5fd7b3d817cf5c22002e46e2a22470cf3894eb619f805d43759b5a3\r\nMD5: a6afa05cbd04e9af256d278e5b5ad050\r\nCompiled: 2015.06.26 09:42:27 (GMT)\r\nType: I386 Windows GUI DLL\r\nSize: 593408\r\nInternal name: ExplorerFrame.dll.mui\r\nThe analysis below is based on the 32-bit sample from the table above. 
The legitimate ExplorerFrame.dll.mui is a language resource for the ExplorerFrame.dll file used by Windows Explorer.\r\nMulti-threaded Trojan features such as monitoring USB devices to spread further and receiving commands as HTTP status codes\r\nInitialization\r\nAs usual in this malware family’s code, a huge number of short standalone functions return all the readable strings. This is done to complicate analysis: the strings are not visible at a glance to researchers.\r\nThe module’s preparation stage dynamically resolves all required Windows API function addresses into corresponding custom structures. Afterwards the malware uses indirect function calls only.\r\nThe module obtains the processor architecture (32- or 64-bit) and Windows OS version. It includes a number of anti-analysis checks for virtual machine-related devices (VEN_VMWARE, VBOX_HARDDISK, Virtual_DVD_ROM, etc.) to avoid controlled execution. It also notes which security products are running on the host (Symantec, Kaspersky, Dr.Web, Avast).\r\nBefore every communication with the C2, the malware checks whether debuggers (WinDbg, OllyDbg, Visual Studio), host monitoring tools (Process Explorer, Process Monitor, etc.) or network monitoring tools (Wireshark, TCPView, etc.) are running. It also checks for internet connectivity and does not attempt to communicate if the checks fail.\r\nThe DLL also checks for potentially available launch processes that it can inject itself into. In the case of 402 Payment Required, these could be system, security product or browser processes. Then the malware forms the corresponding code to drop files, delete files, etc.\r\nThe last step in the initialization procedure is to decrypt and decompress the configuration file. 
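Both stages described on this page unpack their embedded data the same way: a one-byte XOR (key 0x55 for the next stage kept in the dropper’s .rsrc section, 0xAA for the module’s configuration) followed by LZNT1 decompression. The Python below is an added example, not code from the report or from the malware, that performs that unpacking. Its LZNT1 codec follows the MS-XCA format description; the greedy compressor exists only to build input for the demonstration; and the sample configuration string is constructed here from values the page shows, so the blob built from it is not real COMpfun data.

```python
# Added example; not code from the report or from the malware. It unpacks a
# blob the way the page describes for both stages: one-byte XOR (0x55 for the
# dropper's .rsrc payload, 0xAA for the module's configuration), then LZNT1.
# The LZNT1 codec follows the MS-XCA format description; the compressor is a
# plain greedy matcher used only to build input for the demonstration.

def xor_bytes(blob, key):
    return bytes(b ^ key for b in blob)

def lznt1_decompress(data):
    out = bytearray()
    i = 0
    while i + 2 <= len(data):
        header = int.from_bytes(data[i:i + 2], 'little')
        i += 2
        if header == 0:          # a zero header terminates the stream
            break
        size = (header & 0xFFF) + 1
        chunk = data[i:i + size]
        i += size
        if not header & 0x8000:  # bit 15 clear: chunk is stored uncompressed
            out += chunk
            continue
        chunk_out = bytearray()
        pos = 0
        while pos < len(chunk):
            flags = chunk[pos]   # one flag bit per token, LSB first
            pos += 1
            for bit in range(8):
                if pos >= len(chunk):
                    break
                if not flags & (1 << bit):
                    chunk_out.append(chunk[pos])
                    pos += 1
                    continue
                token = int.from_bytes(chunk[pos:pos + 2], 'little')
                pos += 2
                # the displacement field widens with the output position p:
                # at least 4 bits, enough to hold p - 1; the rest encodes length
                p = len(chunk_out)
                disp_bits = max(4, (p - 1).bit_length())
                length = (token & ((1 << (16 - disp_bits)) - 1)) + 3
                offset = (token >> (16 - disp_bits)) + 1
                if offset > p:
                    raise ValueError('back-reference reaches before chunk start')
                for _ in range(length):   # byte-wise copy so overlap works
                    chunk_out.append(chunk_out[-offset])
        out += chunk_out
    return bytes(out)

def lznt1_compress(data):
    out = bytearray()
    for start in range(0, len(data), 4096):
        chunk = data[start:start + 4096]
        body = bytearray()
        p = 0
        while p < len(chunk):
            flags = 0
            group = bytearray()
            for bit in range(8):
                if p >= len(chunk):
                    break
                disp_bits = max(4, (p - 1).bit_length())
                len_bits = 16 - disp_bits
                max_len = (1 << len_bits) + 2
                best_len, best_off = 0, 0
                for off in range(1, min(p, 1 << disp_bits) + 1):
                    n = 0
                    while n < max_len and p + n < len(chunk) and chunk[p + n] == chunk[p + n - off]:
                        n += 1
                    if n > best_len:
                        best_len, best_off = n, off
                if best_len >= 3:
                    flags |= 1 << bit
                    token = ((best_off - 1) << len_bits) | (best_len - 3)
                    group += token.to_bytes(2, 'little')
                    p += best_len
                else:
                    group.append(chunk[p])
                    p += 1
            body.append(flags)
            body += group
        # 0xB000: compressed flag (bit 15) plus the fixed signature 3 in bits 12-14
        out += (0xB000 | (len(body) - 1)).to_bytes(2, 'little') + body
    return bytes(out)

def decode_blob(blob, key):
    # what the dropper (key 0x55) and the main module (key 0xAA) do with their blobs
    return lznt1_decompress(xor_bytes(blob, key))

# hand-assembled chunk: header 0xB005, flags 0x08, literals A B C, then a
# token copying 9 bytes from 3 bytes back
KNOWN_VECTOR = bytes([0x05, 0xB0, 0x08, 0x41, 0x42, 0x43, 0x06, 0x20])

# constructed stand-in for the configuration, built from values shown on the page
SAMPLE_CONFIG = b'ETag=C8E9CEAD2E084F58A94AEDC14D423E1A;C2=95.183.49.10;C2=95.183.49.29;C2=200.63.45.35;'
SAMPLE_BLOB = xor_bytes(lznt1_compress(SAMPLE_CONFIG), 0xAA)

if __name__ == '__main__':
    print(lznt1_decompress(KNOWN_VECTOR))
    print(decode_blob(SAMPLE_BLOB, 0xAA))
```

On a real sample, pass the raw bytes of the resource or of the configuration blob together with the matching key to decode_blob. A back-reference that reaches before the start of a chunk, which the decoder refuses, is one usual symptom of decoding with the wrong XOR key.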
Decryption is done via a one-byte XOR using the 0xAA key, followed by decompression using the LZNT1 algorithm. From the configuration, the malware parses the RSA public key, ETag and IP addresses to communicate with its control servers.\r\nDecrypted configuration data contains an RSA public key to encrypt exfiltrated data, C2 IPs and unique ETag to communicate with them\r\nHTTP status-based communication module\r\nFirstly, the module generates the following:\r\n- AES-128 encryption key used in HTTP GET/POST parameters and HTTP status code 427 (request new command);\r\n- 4-byte unique hardware ID (HWID) based on the host network adapters, CPU and first fixed logical drive serial number.\r\nThe module then chooses a process to inject the code into, in order of decreasing priority, starting from Windows (cmd.exe, smss.exe), security-related applications (Symantec’s nis.exe, Dr.Web’s spideragent.exe) and browsers (IE, Opera, Firefox, Yandex browser, Chrome).\r\nThe main thread checks if the C2 supports TLS in its configuration. If it does, communication will be over HTTPS and port 443; otherwise, the HTTP protocol and port 80 are used.\r\nConfig parameter | Value\r\nEncryption key | RSA public key on the image above\r\nETag | C8E9CEAD2E084F58A94AEDC14D423E1A\r\nC2 IPs | 95.183.49[.]10, 95.183.49[.]29, 200.63.45[.]35\r\nDecrypted configuration content inside the analyzed sample\r\nThe first GET request sent contains an ETag “If-Match” header that is built using data from its decrypted configuration. ETags are normally used by web servers for caching purposes in order to be more efficient and save bandwidth by not resending redundant information if an ETag value matches. 
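The exchange described on this page, modelled in Python as an added example (not code from the report or from the malware): the bot beacons with the configured ETag in an If-Match header, the server gates on that value and answers with a status code instead of a body, the bot stores statuses 422-429 as bits of one flag word and runs the queued commands when 402 arrives, and 200 triggers the upload of collected data. The find_status_sequences function at the end turns the same observation into a detection over constructed proxy log lines. Handler names, the request and log line shapes and the server’s answer to a client that lacks the ETag are assumptions made for the demonstration.

```python
# Added example modelling the C2 protocol on this page; not code from the
# report or from the malware. Handler names, message shapes, the log format
# and the scripted responses are assumptions made for the demonstration.

ETAG = 'C8E9CEAD2E084F58A94AEDC14D423E1A'   # ETag from the decrypted configuration

# status codes the page maps to commands; 200 and 402 are handled separately
COMMANDS = {
    422: 'uninstall',      # Unprocessable Entity: remove COM-hijacking persistence
    423: 'install',        # Locked: create COM-hijacking persistence
    424: 'fingerprint',    # Failed Dependency: host, network and geolocation data
    427: 'fetch_command',  # undefined status: read the appended command (dir, upl, ...)
    428: 'spread_usb',     # Precondition Required
    429: 'enum_network',   # Too Many Requests
}

class StatusBot:
    # client side: 422-429 are queued as bits of one flag word, 402 runs the queue
    def __init__(self, etag):
        self.etag = etag
        self.pending = 0
        self.executed = []

    def beacon(self):
        return {'method': 'GET', 'headers': {'If-Match': self.etag}}

    def handle(self, status):
        ran = []
        if status == 200:
            ran.append('send_collected_data')
        elif status in COMMANDS:
            self.pending |= 1 << (status - 422)
        elif status == 402:
            for code in sorted(COMMANDS):
                if self.pending & (1 << (code - 422)):
                    ran.append(COMMANDS[code])
            self.pending = 0
        self.executed.extend(ran)
        return ran

class StatusC2:
    # server side: only beacons carrying the expected ETag get scripted answers
    def __init__(self, etag, script):
        self.etag = etag
        self.script = list(script)

    def respond(self, request):
        if request['headers'].get('If-Match') != self.etag:
            return 404   # assumption: a scanner without the ETag gets a generic answer
        return self.script.pop(0) if self.script else 200

def run_session(bot, c2, rounds):
    # transcript entries are (status sent by the C2, commands the bot ran on it)
    transcript = []
    for _ in range(rounds):
        status = c2.respond(bot.beacon())
        transcript.append((status, bot.handle(status)))
    return transcript

# constructed proxy log lines: time, client, server, method, status, If-Match value
SAMPLE_LOG = [
    '2020-05-14T10:00:01Z 10.0.0.5 95.183.49.10 GET 423 ' + ETAG,
    '2020-05-14T10:00:03Z 10.0.0.5 95.183.49.10 GET 424 ' + ETAG,
    '2020-05-14T10:00:07Z 10.0.0.5 95.183.49.10 GET 402 ' + ETAG,
    '2020-05-14T10:00:09Z 10.0.0.7 203.0.113.8 GET 429 -',
    '2020-05-14T10:00:11Z 10.0.0.9 95.183.49.29 GET 200 -',
]

def find_status_sequences(lines):
    # flag a client/server pair when one or more 422-429 answers are later
    # followed by 402, and flag any 427, a status no RFC defines
    queued = {}
    hits = []
    for line in lines:
        ts, src, dst, method, status, if_match = line.split()
        status = int(status)
        key = (src, dst)
        if status == 427:
            hits.append((src, dst, 'undefined status 427'))
        if 422 <= status <= 429:
            queued.setdefault(key, []).append(status)
        elif status == 402 and queued.get(key):
            codes = ','.join(str(code) for code in queued.pop(key))
            hits.append((src, dst, '402 after ' + codes))
    return hits

if __name__ == '__main__':
    bot = StatusBot(ETAG)
    for status, ran in run_session(bot, StatusC2(ETAG, [423, 424, 402, 200]), 4):
        print(status, ran)
    print(find_status_sequences(SAMPLE_LOG))
```

The detection keys on the order of the codes rather than on any single one: a lone 429 from a rate-limiting server is ordinary, a 42x run that ends in 402 from a host that never asked for payment is not.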
The implementation of ETags means the C2 may ignore all requests that are not sent from its intended targets if they don’t have the required ETag value.\r\nHTTP status | RFC status meaning | Corresponding command functionality\r\n200 | OK | Send collected target data to C2 with current tickcount\r\n402 | Payment Required | This status is the signal to process received (and stored in binary flag) HTTP statuses as commands\r\n422 | Unprocessable Entity (WebDAV) | Uninstall. Delete COM-hijacking persistence and corresponding files on disk\r\n423 | Locked (WebDAV) | Install. Create COM-hijacking persistence and drop corresponding files to disk\r\n424 | Failed Dependency (WebDAV) | Fingerprint target. Send host, network and geolocation data\r\n427 | Undefined HTTP status | Get new command into IEA94E3.tmp file in %TEMP%, decrypt and execute appended command\r\n428 | Precondition Required | Propagate self to USB devices on target\r\n429 | Too Many Requests | Enumerate network resources on target\r\nC2 HTTP status code descriptions, including installation, USB propagation, fingerprinting, etc.\r\nHTTP 427 can receive any of the following appended commands:\r\nCommand | Command functionality\r\ndir | Send directory content to C2 encrypted with RSA public key from config\r\nupl | Send file to C2 encrypted with RSA public key from config\r\nusb | Not implemented yet. Possibly same function planned as for HTTP status 428\r\nnet | Not implemented yet. Possibly same function planned as for HTTP status 429\r\nRemovable device propagation module\r\nIf initialization is successful, the malware starts one more thread for dispatching Windows messages, looking for removable devices related to a WM_DEVICECHANGE event. 
The module runs its own handlers in the event of a USB device being plugged into or unplugged from the host.\r\nOther spying modules: keylogger, screenshot tool and more\r\nThe user’s activity is monitored using several hooks. All of them gather the target’s data independently of any C2 command. Keystrokes are encrypted using the RSA public key stored in the configuration data and sent once every two seconds, or when more than 512 bytes are recorded. These 512 characters also include left mouse button clicks (written as the “MSLBTN” string) and Windows title bar texts. For clipboard content, the module calculates an MD5 hash and if it changes, encrypts the clipboard content with the same RSA public key and then sends it.\r\nIn a separate thread, the Trojan takes a bitmap screenshot using the GDIPlus library, compresses it with the LZNT1 algorithm, encrypts it using the key from the configuration data and sends it to the control server. A screenshot will be taken of the target and sent anyway, independently of any C2 command.\r\nLast but not least\r\nThere are several choices – albeit not major additional technical ones – that the malware author made which we consider to be noteworthy.\r\nThe COM-hijacking-based persistence method injects its corresponding code and structure as a parameter into a legitimate process’s memory. The malware geolocates victims using legitimate web services: geoplugin.net/json.gp, ip-api.com/json and telize.com/geoip.\r\nThe unusual thread synchronization timeout calculation in the HTTP status thread is peculiar. Mathematically, the partial sum of the series is precisely:\r\nThis series, in the case of a full sum, is just a representation of the exponential function. 
The developers probably used the exponential function to make timeouts in the communication thread more unpredictable and grow at a fast rate, and the compiler produced this form of the calculation.\r\nSo what did the COMPFun authors achieve?\r\nWe saw innovative approaches from the COMpfun developers twice in 2019. First, they bypassed TLS encrypted traffic via PRNG system function patching, and then we observed a unique implementation of C2 communications using uncommon HTTP status codes.\r\nThe malware operators retained their focus on diplomatic entities and the choice of a visa-related application – stored on a directory shared within the local network – as the initial infection vector worked in their favor. The combination of a tailored approach to their targets and the ability to generate and execute their ideas certainly makes the developers behind COMPFun a strong offensive team.\r\nIndicators of compromise\r\nFile MD5 Hashes\r\nTrojan 32-bit: A6AFA05CBD04E9AF256D278E5B5AD050\r\nTrojan 64-bit: 1BB03CBAD293CA9EE3DDCE6F054FC325\r\nIPs\r\n95.183.49.10\r\n95.183.49.29\r\n200.63.45.35\r\nSource: https://securelist.com/compfun-http-status-based-trojan/96874/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/compfun-http-status-based-trojan/96874/"
	],
	"report_names": [
		"96874"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"ITG12",
				"KRYPTON",
				"MAKERSMARK",
				"Pensive Ursa",
				"Secret Blizzard",
				"Turla",
				"UAC-0003",
				"UAC-0024",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434802,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d2f135f80aca002dbff0cc7c65482bf15928a99e.pdf",
		"text": "https://archive.orkl.eu/d2f135f80aca002dbff0cc7c65482bf15928a99e.txt",
		"img": "https://archive.orkl.eu/d2f135f80aca002dbff0cc7c65482bf15928a99e.jpg"
	}
}