{
	"id": "86351f4e-f3ed-43f8-b901-555c5c2c0ba8",
	"created_at": "2026-04-06T00:16:23.401237Z",
	"updated_at": "2026-04-10T03:23:51.502223Z",
	"deleted_at": null,
	"sha1_hash": "d6b7e71330ec60ae4c997b67dd3e6295aa041d66",
	"title": "New Backdoor Targeting Taiwan Employs Stealthy Communications",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43437,
	"plain_text": "New Backdoor Targeting Taiwan Employs Stealthy\r\nCommunications\r\nBy Threat Hunter Team\r\nArchived: 2026-04-05 14:59:07 UTC\r\nA previously unseen backdoor (Backdoor.Msupedge) utilizing an infrequently seen technique was deployed in an\r\nattack against a university in Taiwan.\r\nThe most notable feature of this backdoor is that it communicates with a command-and-control (C\u0026C) server via\r\nDNS traffic. While the technique is known and has been used by multiple threat actors, it is nevertheless\r\nsomething that is not often seen.\r\nMsupedge analysis\r\nMsupedge is a backdoor in the form of a dynamic link library (DLL). It has been found installed in the following\r\nfile paths:\r\ncsidl_drive_fixed\\xampp\\wuplog.dll\r\ncsidl_system\\wbem\\wmiclnt.dll\r\nWhile wuplog.dll is loaded by Apache (httpd.exe), the parent process for wmiclnt.dll is unknown.\r\nMsupedge uses DNS tunneling for communication with the C\u0026C server. The code for the DNS tunneling tool is\r\nbased on the publicly available dnscat2 tool. It receives commands by performing name resolution. The host\r\nnames that are resolved are structured as follows:\r\nFigure 1. Host name for initial name resolution.\r\nFigure 2. Host name used once computer name is sent.\r\nError notifications include the success or failure of the following:\r\nMemory allocation\r\nDecompression of received commands\r\nExecution of received commands\r\nThe backdoor also appears to encode the result of the command execution as a fifth-level domain and send it.\r\nMsupedge not only receives commands via DNS traffic but also uses the resolved IP address of the C\u0026C server\r\n(ctl.msedeapi[.]net) as a command. The third octet of the resolved IP address is a switch case. The behavior of the\r\nbackdoor will change based on the value of the third octet of the resolved IP address minus seven. For example, if\r\nthe third octet is 145, this translates to 138 (expressed in hexadecimal as 0x8a).\r\nFigure 3. Retrieving the resolved IP address.\r\nFigure 4. The behavior of the backdoor changes based on the values of the third octet of the\r\nresolved IP address minus seven.\r\nMsupedge supports the following commands:\r\nCase 0x8a: Create process. The command is received via DNS TXT record.\r\nCase 0x75: Download file. The download URL is received via DNS TXT record.\r\nCase 0x24: Sleep (ip_4 * 86400 * 1000 ms).\r\nCase 0x66: Sleep (ip_4 * 3600 * 1000 ms).\r\nCase 0x38: Create %temp%\\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp. The purpose of this file is\r\nunknown.\r\nCase 0x3c: Remove %temp%\\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp.\r\nInfection vector\r\nThe initial intrusion was likely through the exploit of a recently patched PHP vulnerability (CVE-2024-4577). The\r\nvulnerability is a CGI argument injection flaw affecting all versions of PHP installed on the Windows operating\r\nsystem. Successful exploitation of the vulnerability can lead to remote code execution.\r\nSymantec has seen multiple threat actors scanning for vulnerable systems in recent weeks. To date, we have found\r\nno evidence allowing us to attribute this threat and the motive behind the attack remains unknown.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.\r\ne08dc1c3987d17451a3e86c04ed322a9424582e2f2cb6352c892b7e0645eda43 – Backdoor.Msupedge\r\nf5937d38353ed431dc8a5eb32c119ab575114a10c24567f0c864cb2ef47f9f36 – Backdoor.Msupedge\r\na89ebe7d1af3513d146a831b6fa4a465c8edeafea5d7980eb5448a94a4e34480 – Web shell\r\nThreat Hunter Team\r\nSymantec and Carbon Black\r\nSource: https://symantec-enterprise-blogs.security.com/threat-intelligence/taiwan-malware-dns",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/threat-intelligence/taiwan-malware-dns"
	],
	"report_names": [
		"taiwan-malware-dns"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434583,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d6b7e71330ec60ae4c997b67dd3e6295aa041d66.pdf",
		"text": "https://archive.orkl.eu/d6b7e71330ec60ae4c997b67dd3e6295aa041d66.txt",
		"img": "https://archive.orkl.eu/d6b7e71330ec60ae4c997b67dd3e6295aa041d66.jpg"
	}
}