{ "id": "a0e580d6-3a83-41b8-b7d8-bb6fa421d063", "created_at": "2026-04-06T00:08:30.765442Z", "updated_at": "2026-04-10T03:27:46.364721Z", "deleted_at": null, "sha1_hash": "d49fd733e342db8043f42f42f56742ddd3ed950d", "title": "Water Orthrus New Campaigns Deliver Rootkit and Phishing Modules", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 633794, "plain_text": "Water Orthrus New Campaigns Deliver Rootkit and Phishing\r\nModules\r\nBy By: Jaromir Horejsi, Joseph C Chen May 15, 2023 Read time: 9 min (2419 words)\r\nPublished: 2023-05-15 · Archived: 2026-04-05 14:44:04 UTC\r\nMalware\r\nWater Orthrus has been active recently with two new campaigns. CopperStealth uses a rootkit to install malware\r\non infected systems, while CopperPhish steals credit card information. This blog will provide the structure of the\r\ncampaign and how they work.\r\nSince 2021, we have been tracking the activities of a threat actor we called Water Orthrus, which distributed\r\nCopperStealer malware via pay-per-install (PPI) networks. The threat actor has upgraded and modified the\r\nmalware multiple times for different purposes, such as injecting network advertisements, acquiring personal\r\ninformation, and stealing cryptocurrency. We believe that they are associated with the threat campaign reported as\r\n“Scranosopen on a new tab” in 2019.\r\nhttps://www.trendmicro.com/en_us/research/23/e/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html\r\nPage 1 of 14\n\nFigure 1. CopperStealth infection chain\r\nIn March 2023, we observed two campaigns delivering new malware that we named CopperStealth and\r\nCopperPhish. Both malware have characteristics that are similar to those of CopperStealer and are likely\r\ndeveloped by the same author, leading us to believe that these campaigns are likely Water Orthrus’ new activities.\r\nhttps://www.trendmicro.com/en_us/research/23/e/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html\r\nPage 2 of 14\n\nFigure 2. CopperPhish infection chain\r\nThis blog post discusses our analysis of CopperStealth’s and CopperPhish’s infection chains, and how they are\r\nsimilar to Water Orthrus.\r\nCopperStealth campaign\r\nThe first campaign distributed CopperStealth on March 8, 2023, delivering the malware via installers provided on\r\na popular Chinese software sharing website. It disguised the malware as free software and targeted the country’s\r\nusers.\r\nCopperStealth’s infection chain involves dropping and loading a rootkit, which later injects its payload into\r\nexplorer.exe and another system process. These payloads are responsible for downloading and running additional\r\ntasks. The rootkit also blocks access to blocklisted registry keys and prevents certain executables and drivers from\r\nrunning.\r\nA sample of the installer (SHA-256: 8a21eae144a23fffd35f8714964ff316caaa37fe464e8bbc143f4485119b5575)\r\nwas distributed via a popular Chinese software download website. It was previously reportedopen on a new tab to\r\nhttps://www.trendmicro.com/en_us/research/23/e/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html\r\nPage 3 of 14\n\nprovide malicious installers for infecting malware.  The installer contains numerous encoded URLs; when the\r\ninstaller is run these URLs will be decoded and the files located at the said URLs will be downloaded and run on\r\nthe affected system. One of these files was a dropper that we identified as CopperStealth.\r\nCopperStealth (after decrypting the custom crypter) contains an export function called “HelloWorld,” which has\r\nbeen around since earlier versions of CopperStealer. The dropper then checks if the system architecture is 32-bit or\r\n64-bit, which it uses as a basis to read the corresponding driver from its resources.\r\nFigure 3. CopperStealth’s code for selecting 32-bit or 64-bit drivers\r\nFigure 4. CopperStealth’s resources contain two versions of the driver\r\nFigure 5. The new driver service created by CopperStealth\r\nRootkit\r\nThe rootkit is registered as a file system filter driver. In the main entry point (DriverEntryopen on a new tab\r\nfunction), the driver has specific handlers for IRP_MJ_CREATEopen on a new tab, IRP_MJ_READopen on a\r\nnew tab, and IRP_MJ_SHUTDOWNopen on a new tab.\r\nWhen a shutdown request is received, the rootkit driver copies itself to a newly generated random driver. This is\r\ndone with a few registry modifications, such as changing the driver name in the\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services registry and inserting a “PendingFileRenameOperations” registry\r\nhttps://www.trendmicro.com/en_us/research/23/e/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html\r\nPage 4 of 14\n\nvalue in HKLM\\SYSTEM\\CurrentControlSet\\Control\\SessionManager to automatically move the file upon\r\nrebootopen on a new tab.\r\nAs for IRP_MJ_READ, this monitors any attempts to read the files on filesystem. If any attempt to read the\r\ncurrent rootkit’s SYS file or executable file in \\windows\\temp folder by one of the blocklisted processes (such as\r\n\\360saf\\, \\kingsoft antivirus\\, \\360SD\\, \\Windows Defender\\) is detected, the driver will result in a\r\nSTATUS_ACCESS_DENIED error message, preventing access to those files.\r\nThe rootkit then registers a registry callback routineopen on a new tab, which is called every time a thread\r\nperforms an operation in the registry. In this case, the routine monitors attempts to access rootkit’s registry path in\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\\u003cdrivername\u003e. Any attempt to delete the registry key (such as\r\nRegNtDeleteKeyopen on a new tab OR RegNtDeleteValueKeyopen on a new tab) will result in\r\nSTATUS_ACCESS_DENIED, blocking the operation.\r\nAn attempt to query the registry key (RegNtQueryKeyopen on a new tab OR RegNtQueryValueKeyopen on a new\r\ntab) while any of the blocklisted processes (360safe.exe, 360sd.exe, QQPCTray.exe, and kxetray.exe) is running\r\nwill also result in a STATUS_ACCESS_DENIED message.\r\nFigure 6. Rootkit’s code to block querying it’s (rootkit’s) own registry key, if any of the blocklisted\r\nprocesses is running\r\nThe rootkit also sets an image load notification routineopen on a new tab, which is called whenever a new image\r\n(i.e., an executable/binary file, like .EXE, .DLL, and .SYS files) is loaded into memory. If an “image” name\r\ncorresponds to the hardcoded filename (\\Fix\\fixMBR.exe), then a DLL library (embedded inside the driver) is\r\nmapped and run into the newly created process. The 64-bit version of the rootkit contains a 32-bit and a 64-bit\r\nversion of the DLL library.\r\nFigure 7. Rootkit’s code that terminates newly executed processes by injected DLL\r\nhttps://www.trendmicro.com/en_us/research/23/e/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html\r\nPage 5 of 14\n\nFigure 8. Termination DLL exits process\r\nIf the newly loaded process is a driver, then the rootkit searches for a few blocklisted byte sequences. If any of\r\nthose are found, then the driver’s entry point is patched to return STATUS_ACCESS_DENIED.\r\nFigure 9. Rootkit replaces blocklisted drivers‘ entrypoints to return error code\r\nThe blocklisted drivers contain one of the following byte sequences:\r\nBeijing Huorong Network Technology Co., Ltd.\r\nBeijing Kingsoft Security Software Co., Ltd.\r\nBeijing Qihu Technology Co., Ltd.\r\nHuoRongBoRui (Beijing) Technology Co., Ltd.\r\nQihoo 360 Software (Beijing) Co., Ltd.\r\nLastly, the rootkit starts a payload injection thread. In the samples we analyzed, we saw two types of payloads:\r\nstatistics module and task module. This thread enumerates all running processes (SystemProcessInformationopen\r\non a new tab) and looks for explorer.exe and another process with SYSTEM integrity having “assign primary\r\ntoken privilegeopen on a new tab” and “increase quota privilegeopen on a new tab.” It also increments the\r\nHKLM\\SOFTWARE\\Microsoft\\recount registry value, which holds the number of system restarts since the\r\nmachine became infected. If the restart recount value is greater than three, the rootkit decrypts (AES cipher) and\r\nunpacks (7-Zip) embedded statistics in the DLL module, then it patches its statistics URL address inside the binary\r\n(placeholder starting with “cnzz_url”), and finally injects the patched module into explorer.exe.\r\nFigure 10. Placeholder inside the statistics module, which the rootkit replaces with its statistics URL\r\nhttps://www.trendmicro.com/en_us/research/23/e/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html\r\nPage 6 of 14\n\nAfter successful injection into explorer.exe, it makes a GET request to the task URL to get the task command to be\r\nperformed. Once the GET request is done by the driver, then the response to the GET request is then inserted (a\r\nplace holder starting with “searching_magic_url”) into the task module, which, like the statistics module, is\r\nembedded in rootkit. It must be AES-encrypted, and then 7-Zip unpacked.And then the task module is injected\r\ninto the previously found process with system integrity.\r\nFigure 11. Placeholder inside the task module, which the rootkit replaces with a response to the task\r\nURL\r\nStatistics module\r\nThe statistics module is called cnzzopen on a new tab (the largest Chinese internet statistics analysis service),\r\nthough it has nothing to do with this organization. Each time it is run it increases the counter in\r\nHKCU\\Software\\Microsoft\\count_a0b1c2d3. It checks the internet connection by trying to access\r\nhxxp://www.msftconnecttest.com/connecttest.txt, and once verified it will get the computer’s unique machine ID\r\nand report the statistics to hxxp://cnzz_url\u0026m=\u003cmachine ID\u003e then exits the module.\r\nIn some cases, cnzz_url contains keyword “tongji” (tǒng jì, 統open on a new tab計open on a new tab), which\r\ntranslates to “statistics.”\r\nTask module\r\nThe task module is called curl, even though it has nothing to do with curlopen on a new tab (command line tool\r\nfor transferring data with URLs). The module then proceeds with base64 decoding and DES decrypting\r\n(key=”taskhost”, IV=”winlogon”, which is the same encryption as described in previous blog posts) of the task\r\ncommand. The decrypted task is in JSONopen on a new tab format and has the following keys:\r\nName Type Explanation\r\nname string File name created in TEMP directory\r\nonlyone bool Run only once\r\nexclude360 bool Exclude machines where 360tray is running\r\nreboot_count int The task should be run every n-th reboot of the system\r\nhttps://www.trendmicro.com/en_us/research/23/e/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html\r\nPage 7 of 14\n\nurl string URL with the file to download and execute\r\nTable 1. List of implemented key names and value types in task query response (in JSON format)\r\nIf payload is expected to run only once (with onlyone [sic] key has value = true), then the hash of the URL is\r\nstored in HKLM\\Software\\Microsoft\\\u003chash\u003e. The actual count of runs is taken from HKEY_USERS\\\r\n\u003cSID\u003e\\Software\\Microsoft\\count_a0b1c2d3, which is set by the statistics module.\r\nCopperPhish campaign\r\nIn April 2023, we noticed another campaign distributing CopperPhish. This campaign was not geofenced and\r\ndelivered the malware via PPI networks behind free anonymous file sharing websites. CopperPhish is an\r\ninteresting phishing kit, which uses two different processes for persistence: credential verification and\r\nconfirmation code to ensure that valid credentials are phished before the phishing kits considers its job successful\r\nand exits.\r\nCopperPhish’s infection chain starts with downloaders like PrivateLoader (SHA-256:\r\n48211c6f957c2ad024441be3fc32aecd7c317dfc92523b0a675c0cfec86ffdd9). Visitors will be redirected to a\r\ndownload page designed by the PPI network after clicking on its advertisements, which pretended to be a\r\ndownload link. The downloaded file is PrivateLoader, which downloads and runs many different malware.\r\nFigure 12. The download page of the pay-per-install network redirected from file sharing websites.\r\nThe downloader downloads and starts a new dropper we identified as CopperPhish. It decrypts and loads the\r\nsecond stage. This stage is responsible for dropping and starting the main payload. The main payload is again\r\nobfuscated with the same crypter used by CopperStealer, and then the second stage of the main payload drops a\r\nfew files (PNG image with logo, PNG image with QR code, and HTML page with phishing URL) into\r\n%APPDATA%\\Roaming\\Microsoft.\r\nhttps://www.trendmicro.com/en_us/research/23/e/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html\r\nPage 8 of 14\n\nFigure 13. Dropped phishing files by CopperPhish\r\nThese files are stored in the main payload’s second stage’s resources. These HTML pages are localized to fifty\r\ndifferent languages. Each language has its own HTML file, but since PNG images do not contain any text, they\r\nremain the same for all language versions.\r\nFigure 14. Phishing webpages in different language variants, stored in resources\r\nThe main malware then starts the two threads — the persistence thread is responsible for starting a rundll32\r\nprocess and injecting a simple program with a browser window (written in Visual Basic) in it.\r\nFigure 15. The thread responsible for starting processes with a web browser window\r\nhttps://www.trendmicro.com/en_us/research/23/e/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html\r\nPage 9 of 14\n\nThe exit message thread connects to a named pipe and waits for a message containing a magic string to be\r\nreceived. If the message is received, then the main program uninstalls itself (and deletes all the dropped phishing\r\nfiles) and exits. This indicates that the confirmation code (more on this code later) entered by the victim was\r\ncorrect, which means that the phishing was successful and it can uninstall itself.\r\nFigure 16. Opened pipe that waits for a message to close and uninstall CopperPhish\r\nFigure 17. Code that uninstalls the phishing tool after receiving magic values\r\nThe web browser program loads an instance of an Internet Explorer objectopen on a new tab and uses the web\r\nbrowser control class (SHDocVwCtl) to control the behavior of the web browser object. It reads the valueopen on\r\na new tab written by the victim of the input text field called “checkcode” (which will be explained later). If\r\ncorrect, it then sends the exit message to the main payload via the pipes mentioned earlier.\r\nFigure 18. Exit message sent to the main payload via pipe\r\nThe phishing webpage displayed by the web browser shows the content of the dropped page with the Microsoft\r\nlogo and QR code. The window has no controls that can be used to minimize or close it. The victim could close\r\nthe browser’s process in Task Manager or Process Explorer, but they would also need to terminate the main\r\npayload process, otherwise the browser process will happen again due to the persistence thread. Thus, to proceed,\r\na confirmation code will be asked (which was stated after Figure 15), and this code will act as proof that the\r\nvictim provided the correct details.\r\nhttps://www.trendmicro.com/en_us/research/23/e/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html\r\nPage 10 of 14\n\nFigure 19. Initial phishing webpage displayed by CopperPhish\r\nAfter scanning and opening the phishing URL, the victim is presented with a webpage asking to confirm the\r\nidentity.\r\nFigure 20. Phishing webpage asking to confirm the user’s identity\r\nA follow-up webpage asks for various sensitive details, such as the user’s credit card number, its expiration date,\r\nand the CVV code.\r\nhttps://www.trendmicro.com/en_us/research/23/e/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html\r\nPage 11 of 14\n\nFigure 21. Phishing website asking for sensitive banking details\r\nAnd after entering the sensitive details and passing checks (such as a credit card number validity check), the\r\nphishing kit displays a success message and shows the confirmation code, which closes the browser and uninstalls\r\nthe phishing kit from the system. This is the “checkcode” mentioned previously.\r\nhttps://www.trendmicro.com/en_us/research/23/e/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html\r\nPage 12 of 14\n\nFigure 22. Confirmation code displayed after credentials were successfully phished\r\nFigure 23. Code in the phishing webpage to validate the user’s credit card number, expiration date,\r\nand CVV\r\nThis is a simple but interesting approach. If the phishing page is displayed in a standard browser window or tab,\r\nthe user can simply close the window or tab and continue working. In this case, two processes are used — one for\r\npersistence, and another for displaying the phishing window. This sort of persistence, though simple and easy to\r\nremove, can remain and display longer, which could annoy victims enough to force them to enter the credentials\r\njust to get rid of the phishing window.\r\nThe credential verification and confirmation code are two useful features that make this phishing kit more\r\nsuccessful, as the victim cannot simply close the window or enter fake information just to get rid of the window.\r\nAttribution\r\nWe classify both previously mentioned campaigns to be related to previously analyzed campaigns because of the\r\nfollowing similarities:\r\n1. The use of the same crypter, which encrypts the dropper stage (described in our previous blog posts).\r\n2. The use of Data Encryption Standard (DES) with the same key (“taskhost”) and initialization vector\r\n(“winlogon”).\r\n3. The use of the same name of the DLL export function (for later versions of CopperStealer).\r\n4. The use of similar mutex naming conventions (previously: exist_sign_cps, exist_sign_task_Hello001,\r\nexist_sign__install_r3 now: exist_sign_redns, dl_exist_sign_cnzz, dl_exist_sign_sys).\r\nConclusion\r\nWe uncovered two new campaigns conducted by the Water Orthrus threat actor. The actor has not only refined\r\ntheir malware but has also tailored their attacks for different targets. The CopperStealth campaign, distributed to\r\nmachines in China, focuses in installing the rootkit, which later delivers additional malware. Meanwhile,\r\nCopperPhish aims to phish credit card information and is distributed globally. It is likely that the actor has\r\nmultiple objectives at the same time. Our findings also highlight the shift of Water Orthrus’s interests, from\r\npersonal information to cryptocurrency, and now targeting credit card information.\r\nA proactive approach on security can help organizations protect their devices against these types of threats. Trend\r\nMicro Apex One™products employs a variety of threat detection capabilities, notably behavioral analysis that\r\nprotects against malicious scripts, injection, ransomware, and memory and browser attacks related to fileless\r\nthreats. Additionally, the Apex One Endpoint Sensorproducts provides context-aware endpoint detection and\r\nresponse (EDR) that monitors events and quickly examines what processes or events are triggering malicious\r\nactivity. \r\nIOCs\r\nhttps://www.trendmicro.com/en_us/research/23/e/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html\r\nPage 13 of 14\n\nThe full list of IOCs can be found here.\r\nTags\r\nSource: https://www.trendmicro.com/en_us/research/23/e/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html\r\nhttps://www.trendmicro.com/en_us/research/23/e/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html\r\nPage 14 of 14", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "references": [ "https://www.trendmicro.com/en_us/research/23/e/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html" ], "report_names": [ "water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html" ], "threat_actors": [ { "id": "dc1a1006-34fc-4491-b982-f0f0b5362ac2", "created_at": "2024-05-03T02:00:04.196123Z", "updated_at": "2026-04-10T02:00:03.638185Z", "deleted_at": null, "main_name": "Water Orthrus", "aliases": [], "source_name": "MISPGALAXY:Water Orthrus", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434110, "ts_updated_at": 1775791666, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d49fd733e342db8043f42f42f56742ddd3ed950d.pdf", "text": "https://archive.orkl.eu/d49fd733e342db8043f42f42f56742ddd3ed950d.txt", "img": "https://archive.orkl.eu/d49fd733e342db8043f42f42f56742ddd3ed950d.jpg" } }