{
	"id": "5125d894-ec5d-490a-b972-e493e50224fb",
	"created_at": "2026-04-06T02:10:43.069156Z",
	"updated_at": "2026-04-10T03:28:33.902683Z",
	"deleted_at": null,
	"sha1_hash": "d3d8d8e3ce1208d0125316ee3bfa245f31e18f7a",
	"title": "Musical Chairs Playing Tetris",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 361320,
	"plain_text": "Musical Chairs Playing Tetris\r\nBy ASERT team\r\nPublished: 2018-02-15 · Archived: 2026-04-06 01:36:44 UTC\r\nFebruary 20, 2018: This blog has been amended since it was originally published on February 15, 2018.\r\nThis version removes the association with the APT group responsible for the Night Dragon campaign that\r\nwe had incorrectly made. We thank the research team at Palo Alto Networks for graciously bringing this to\r\nour attention.\r\nIntroduction\r\nASERT has discovered new command-and-control infrastructure controlled by the actors behind the Musical\r\nChairs campaign. The actors are known for the longevity of their C2 domains, reusing them long after they have\r\nbeen identified, and for making use of a popular open-source RAT called Gh0st. Uniquely in our observation,\r\nthey have even embedded a fully functional version of the game Tetris that will launch only when a special\r\ncondition is met.\r\nKey Findings\r\nASERT has discovered a new domain associated with the actors behind the Musical Chairs campaign.\r\nThis long-standing actor is known for maintaining static command-and-control infrastructure such as\r\ndomains for long periods of time, even when they have been discovered and widely publicized in the\r\ncommunity.\r\nWith moderate confidence, ASERT expects this domain to be used in new intrusions.\r\nMultiple articles have been written about Gh0st over the years, including this one discussing the Musical Chairs\r\ncampaign's use of this RAT. 
Using details from that report, ASERT has identified a new sample and, more\r\ninterestingly, a new domain that we have associated with the corresponding actor.\r\nhttps://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/\r\nPage 1 of 7\n\nThe sample appears to be delivered via an email according to artifacts provided by malware-traffic-analysis,\r\nwhich is consistent with documented tactics for this group.\r\nGh0st variants are prolific, as they can be found in a popular open-source code repository; this blog\r\nprovides the basis for our association with the actor.\r\nAnalysis\r\nMalware\r\nExample of this Gh0st's init/login packet (notice 'aaaaabbbbb', which can be used to identify this variant):\r\nSome other behavior of interest observed while reviewing this actor's specimen is that they appear to be moving away\r\nfrom BAT and JS files as part of the infection process[i] to using DLL side loading. This is just one sample\r\nthough, so take this for what it is. As part of the DLL side-loading, they make use of a signed executable to load\r\na DLL which in turn is used to launch the actual Gh0st DLL. They are not the only malware authors who use this\r\ntrick.\r\nThe observed functionality in this sample maps directly to public documentation for Gh0st, so this blog will not\r\nrehash that.\r\nAssociation No. 1\r\nStarting with the known C2 servers for this group, we can check to see if the new domain has any ties to them.\r\nTwo of their C2s were registered back in 2013 and the campaign has been around even longer than that per\r\nKnown Domains\r\nyourbroiler[.]com\r\nmeitanjiaoyiwang[.]com\r\nNew Domain\r\netybh[.]com\r\nLooking at DomainTools, we learn that all three share the same IP, 45.34.148.126, and the same registrar, Jiangsu\r\nBangning Science \u0026 Technology Co. LTD.\r\nThe newest domain, etybh[.]com, was registered in December of 2017. 
Looking at PassiveTotal, all three\r\ndomains appear to have switched from 98.126.223.218 to 45.34.148.146 sometime in the middle of January\r\n2018. This is our first clue that they are related.\r\nAssociation No. 2\r\nThis one comes from looking at behavior when the file is attached to a debugger.\r\nFirst, let us back up a step. Observing behaviors of our suspected Musical Chairs Gh0st sample via a sandbox, we\r\nsee that it creates a folder called \"Win32Tetris\". Let's see if there are any other Gh0st samples that do this as\r\nwell. Taking a look through ASERT's malware corpus, we find this sample,\r\n11fe12bbb479b4562c1f21a74e09b233ed41c41b7c4c0cad73692ff4672fb86a, which also creates that folder. Using\r\nclues left by another researcher[ii], we can confirm that this more recent sample is from the Musical Chairs group\r\ndue to the C2 and some other characteristics we'll go over. The most promising correlation is that this sample's C2\r\nis www.yourbroiler[.]com, which is a known C2 for this actor. Next, we find similarities in a different dropped\r\nfile called C:\\microsoft\\lib\\ki\\vv.js, whose content reads as such:\r\nThe content is similar to samples identified back in 2015[iii], which also used rundll32 to call a mystart method.\r\nAnd, finally, this sample makes use of the same mutex tied to this actor's Gh0st variant: dafewewrw. To\r\nsummarize the pivot sample:\r\nProperty: Value\r\nLoad: the DLL via a script file called C:\\microsoft\\lib\\ki\\vv.js\r\nDomain: www.yourbroiler[.]com\r\nMutex: dafewewrw\r\nNow that we have confirmed that this sample appears to be a Musical Chairs actor Gh0st variant, let's work the\r\npivot (we are going to refer to this sample as the \"pivot\" sample). 
The pivot sample, when attached to a debugger, will\r\nlaunch what appears to be a fully functional Tetris game (very friendly of them to provide us reverse engineers\r\nwith a short break):\r\nThe latest sample (the one tied to the new domain, etybh[.]com) also exhibits this same behavior when attached to\r\nthe debugger. To play the game, make sure not to hide the PEB. For what it is worth, after checking out one of the\r\nprior samples from 2015[iv], it exhibited similar behavior, just not a Tetris game.\r\nAssociation No. 3\r\nThe final observation is the fact that the payload dropped on the file system as RasTls.dat is in fact an obfuscated\r\nDLL file. When looking at the DLL properties, the mystart function is exported. Again, mystart is the exported\r\nDLL function which the samples back in 2015 called.\r\nConclusion\r\nWhile it should not surprise us when a long-standing actor switches things up, this specific actor is known for not\r\nreally changing much. The use of a different Gh0st variant in addition to the new domain may be indicative of\r\nadditional changes coming, or the actor may just be keeping up with the times. 
Given previously observed\r\nbehavior, it is likely that this indicator will be used in the campaign for the foreseeable future, and ASERT is\r\nmaking it available to enable visibility for the broader security research community.\r\n[i] https://researchcenter.paloaltonetworks.com/2015/09/musical-chairs-mult…\r\n[ii] https://researchcenter.paloaltonetworks.com/2015/09/musical-chairs-mult…\r\n[iii] https://researchcenter.paloaltonetworks.com/2015/09/musical-chairs-mult…\r\n[iv] Hash: 50f08f0b23fe1123b298cb5158c1ad5a8244ce272ea463a1e4858d12719b337f\r\nSource: https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/"
	],
	"report_names": [
		"musical-chairs-playing-tetris"
	],
	"threat_actors": [
		{
			"id": "ea844ee6-eb12-42c0-8426-11395fe81e6f",
			"created_at": "2022-10-25T15:50:23.300796Z",
			"updated_at": "2026-04-10T02:00:05.32389Z",
			"deleted_at": null,
			"main_name": "Night Dragon",
			"aliases": [
				"Night Dragon"
			],
			"source_name": "MITRE:Night Dragon",
			"tools": [
				"at",
				"gsecdump",
				"zwShell",
				"PsExec",
				"ASPXSpy",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "09a8f8fe-e907-47b4-8709-a97717dde3cc",
			"created_at": "2022-10-25T16:07:23.90252Z",
			"updated_at": "2026-04-10T02:00:04.783553Z",
			"deleted_at": null,
			"main_name": "Night Dragon",
			"aliases": [
				"G0014"
			],
			"source_name": "ETDA:Night Dragon",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Cain \u0026 Abel",
				"gsecdump",
				"zwShell"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "020794ec-7315-47de-818c-2032c362fd15",
			"created_at": "2023-01-06T13:46:38.306576Z",
			"updated_at": "2026-04-10T02:00:02.920647Z",
			"deleted_at": null,
			"main_name": "Night Dragon",
			"aliases": [
				"G0014"
			],
			"source_name": "MISPGALAXY:Night Dragon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775441443,
	"ts_updated_at": 1775791713,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d3d8d8e3ce1208d0125316ee3bfa245f31e18f7a.pdf",
		"text": "https://archive.orkl.eu/d3d8d8e3ce1208d0125316ee3bfa245f31e18f7a.txt",
		"img": "https://archive.orkl.eu/d3d8d8e3ce1208d0125316ee3bfa245f31e18f7a.jpg"
	}
}