{
	"id": "72f38c18-eb09-4e15-b143-efbec460b836",
	"created_at": "2026-04-06T00:07:05.073123Z",
	"updated_at": "2026-04-10T03:33:35.74071Z",
	"deleted_at": null,
	"sha1_hash": "d6f61566e19a308db87f5b9447dacfb947213c90",
	"title": "Operation TunnelSnake - RedPacket Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 178672,
	"plain_text": "Operation TunnelSnake - RedPacket Security\r\nBy March 22, 2026\r\nPublished: 2021-05-07 · Archived: 2026-04-05 15:52:50 UTC\r\nWindows rootkits, especially those operating in kernel space, are pieces of malware infamous for their near\r\nabsolute power in the operating system. Usually deployed as drivers, such implants have high privileges in the\r\nsystem, allowing them to intercept and potentially tamper with core I/O operations conducted by the underlying\r\nOS, like reading or writing to files or processing incoming and outgoing network packets. The capability to blend\r\ninto the fabric of the operating system itself, much like security products do, is the quality that earns rootkits their\r\nnotoriety for stealth and evasion.\r\nHaving said that, the successful deployment and execution of a rootkit component in Windows has become a\r\ndifficult task over the years. With Microsoft’s introduction of Driver Signature Enforcement, it has become harder\r\n(though not impossible) to load and run new code in kernel space. Even then, other mechanisms such as Kernel\r\nPatch Protection (also known as PatchGuard) make it hard to tamper with the system, with every change in a core\r\nsystem structure potentially invoking the infamous Blue Screen of Death.\r\nConsequently, the number of Windows rootkits in the wild has decreased dramatically, with the bulk of those still\r\nactive often being leveraged in high profile APT attacks. One such example came to our attention during an\r\ninvestigation last year, in which we uncovered a formerly unknown Windows rootkit and its underlying cluster of\r\nactivity. 
We observed this rootkit and other tools by the threat actor behind it being used as part of a campaign we\r\ndubbed ‘TunnelSnake’, conducted against several prominent organizations in Asia and Africa.\r\nIn this blog post we will focus on the following key findings that came up in our investigation:\r\nA newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors\r\non public facing servers, facilitating the creation of a covert C\u0026C communication channel through which\r\nthey can be silently controlled;\r\nhttps://www.redpacketsecurity.com/operation-tunnelsnake/\r\nPage 1 of 26\n\nThe rootkit was found on networks of regional diplomatic organizations in Asia and Africa, detected on\r\nseveral instances dating back to October 2019 and May 2020, where the infection persisted in the targeted\r\nnetworks for several months after each deployment of the malware;\r\nWe observed an additional victim in South Asia, where the threat actor deployed a broad toolset for lateral\r\nmovement along with the rootkit, including a tool that was formerly used by APT1. Based on the detection\r\ntimestamps of that toolset, we assess that the attacker had a foothold in the network from as early as 2018;\r\nA couple of other tools that have significant code overlaps with Moriya were found as well. These contain\r\na user mode version of the malware and another driver-based utility used to defeat AV software.\r\nWe provided information about this operation in our threat intelligence portal in August 2020. More details and\r\nanalysis are available to customers of our private APT reporting service. For more details contact:\r\nintelreports@kaspersky.com.\r\nWhat is the Moriya rootkit and how does it work?\r\nOur investigation into the TunnelSnake campaign started from a set of alerts from our product on a detection of a\r\nunique rootkit within the targeted networks. 
Based on string artefacts within the malware’s binaries, we named\r\nthis rootkit Moriya. This tool is a passive backdoor which allows attackers to inspect all incoming traffic to the\r\ninfected machine, filter out packets that are marked as designated for the malware and respond to them. This\r\nforms a covert channel over which attackers are able to issue shell commands and receive back their outputs.\r\nThe rootkit has two traits that make it particularly evasive. First, the packet inspection happens in kernel mode with the\r\nuse of a Windows driver, allowing attackers to drop the packets of interest before they are processed by the\r\nnetwork stack, thus ensuring they are not detected by security solutions. Secondly, the fact that the rootkit waits\r\nfor incoming traffic rather than initiating a connection to a server itself avoids the need to incorporate a C\u0026C\r\naddress in the malware’s binary or to maintain a steady C\u0026C infrastructure. This hinders analysis and makes it\r\ndifficult to trace the attacker’s footprints.\r\nThe figure below illustrates the structure of the rootkit’s components. They consist of a kernel mode driver and a\r\nuser mode agent that deploys and controls it. In the following sections we will break down each of these\r\ncomponents and describe how they operate to achieve the goal of tapping into the target’s network communication\r\nand blending in its traffic.\r\nFig. 1. The architecture of the Moriya rootkit\r\nUser mode agent analysis\r\nThe user mode component of the Moriya rootkit has two purposes. One is to deploy the kernel mode component\r\nof the malware on the machine and the other is to leverage the covert communication channel created by it to read\r\nshell commands sent from the C\u0026C server to the compromised machine and to respond to them. 
Since Moriya is a\r\npassive backdoor intended to be deployed on a server accessible from the internet, it contains no hardcoded C\u0026C\r\naddress and relies solely on the driver to provide it with packets filtered from the machine’s overall incoming\r\ntraffic.\r\nThe first order of business for the attacker when using Moriya is to gain persistence on the targeted computer. For\r\nthis purpose, the user mode agent’s DLL contains an export function named Install, which is intended to create a\r\nservice named ZzNetSvc with the description ‘Network Services Manager’ and start it. In turn, the path to the user\r\nmode agent’s image is set to the registry key\r\nHKLM\\System\\CurrentControlSet\\Services\\ZzNetSvc\\Parameters\\ServiceDll so that it will be invoked from its\r\nServiceMain export each time the service is initiated.\r\nNext, after the service is started, the agent will attempt to load the rootkit’s driver into the system. Its binary is\r\nbundled as two driver images within the DLL’s resource section, corresponding to 32- and 64-bit architectures,\r\nwhile in reality only one of them is written to disk. In the cases we analyzed, the agent DLLs were compiled for\r\n64-bit systems, dropping a 64-bit driver to the drivers directory in the system path, under the name\r\nMoriyaStreamWatchmen.sys, hence the rootkit’s name.\r\nFig. 2. Code that writes the Moriya driver to disk\r\nThe agent uses a known technique whereby the VirtualBox driver (VBoxDrv.sys) is leveraged to bypass the Driver\r\nSignature Enforcement mechanism in Windows and load Moriya’s unsigned driver. DSE is an integrity\r\nmechanism mandating that drivers are properly signed with digital signatures in order for them to be loaded,\r\nwhich was introduced for all versions of Windows starting from Vista 64-bit. 
The technique used to bypass it was\r\nseen in use by other threat actors like Turla, Lamberts and Equation.\r\nMoriya’s user mode agent bypasses this protection with the use of open-source code[1] named DSEFIX v1.0.\r\nThe user agent dumps an embedded VBoxDrv.sys image of version 1.6.2 to disk and loads it, which is then used\r\nby the aforementioned code to map Moriya’s unsigned driver to kernel memory space and execute it from its entry\r\npoint. These actions are made possible through IOCTLs implemented in VBoxDrv.sys that allow writing to kernel\r\naddress space and executing code from it. Throughout this process, the bypass code is used to locate and modify a\r\nflag in kernel space named g_CiOptions, which controls the mode of enforcement.\r\nAfter the unsigned driver is loaded, the agent registers a special keyword that is used as a magic value, which will\r\nbe sought in the first bytes of every incoming packet passed on the covert channel. This allows the rootkit to filter\r\nmarked packets and block them for any application on the system other than the user mode agent. The registration\r\nof the value is done through a special IOCTL with the code 0x222004 sent to the driver, where a typical magic\r\nstring is pass12.\r\nFig. 3. Registration of the packet magic value using a designated IOCTL\r\nIn addition to its covert channel communication feature, Moriya is capable of establishing a reverse shell session\r\nusing an overt channel. For this purpose, it waits for a special packet that consists of a message with the structure\r\nconnect \u003cc2_address\u003e \u003cc2_port\u003e. The address and port are parsed and used by the agent to start a new connection\r\nto the given server, while creating a new cmd.exe process and redirecting its I/O to the connection’s socket. 
The\r\nhandles for the newly created process and its main thread are destroyed to avoid detection.\r\nIn any other case, the agent attempts to read the incoming TCP payload from the driver, which will be retrieved as\r\nsoon as a designated packet with a magic number and shell command is received. An attempt is made to read the\r\ndata with a plain ReadFile API function as a blocking operation, i.e., reading is accomplished only once the buffer\r\nin kernel mode is populated with data from a Moriya-related packet.\r\nUpon an incoming packet event, the agent creates a new cmd.exe process and redirects its I/O using named pipes.\r\nOne pipe is used to read the retrieved shell command from the covert channel and the other is used to write the\r\nshell’s output (obtained from the stdout and stderr streams) back to it after execution. To write any data back, the\r\nagent uses the WriteFile API function with the driver’s handle.\r\nAll traffic passed on the channel is encoded with a simple encryption scheme. Every byte of the sent payload\r\nfollowing the magic string is XORed with the value 0x05 and then negated. Following the same logic, to decode the\r\nincoming traffic’s payload, every byte of it should be first negated and then XORed with 0x05.\r\nFig. 4. Code used for packet encoding\r\nKernel mode driver analysis\r\nThe Moriya rootkit’s driver component makes use of the Windows Filtering Platform (WFP) to facilitate the\r\ncovert channel between the compromised host and the C\u0026C server. 
WFP provides a kernel space API that allows\r\ndriver code to intercept packets in transit and intervene in their processing by the Windows TCP/IP network stack.\r\nThis makes it possible to write a driver that can filter out distinct packet streams, based on developer-chosen\r\ncriteria, and designate them for consumption by a specific user mode application, as is the case in Moriya.\r\nThe driver fetches the distinct Moriya-related traffic using a filtering engine. This is the kernel mode mechanism\r\nused to inspect traffic according to rules that can be applied on various fields across several layers of a packet\r\n(namely data link, IP and transport), making it possible to handle matching packets with unique handlers. Such\r\nhandlers are referred to as callout functions.\r\nIn the case of Moriya, the filtering engine is configured to intercept TCP packets, sent over IPv4 from a remote\r\naddress. Each packet with these criteria will be inspected by a callout function that checks if its first six bytes\r\ncorrespond to the previously registered magic value, and if so, copies the packet contents into a special buffer that\r\ncan be later read by the user mode agent. The matching packet will then be blocked in order to hide its presence\r\nfrom the system, while any other packet is permitted to be processed as intended by the network stack.\r\nTo allow the crafting of a response back to the server, the callout function saves a special value in a global variable\r\nthat identifies the received TCP stream. This value is called a flowHandle, and is taken from the packet’s\r\ncorresponding FWPS_INCOMING_METADATA_VALUES0 struct. 
When the user issues a response to the server\r\nvia the driver, the latter crafts a new packet using the FwpsAllocateNetBufferAndNetBufferList0 function,\r\nfills it with the response data and injects it into the TCP stream identified by the saved flowHandle, using the function\r\nFwpsStreamInjectAsync0.\r\nFig. 5. Code that creates a new packet, designates it for the flow of the corresponding incoming TCP packet\r\nand injects data written from user space into it\r\nAs formerly mentioned, the driver registers several functions that are exposed to the user mode agent in order to\r\ninteract with it:\r\nIRP_MJ_READ: used to allow the user mode agent to read the body of a Moriya TCP packet from a\r\nspecial buffer to which it is copied upon receipt. The function itself waits on an event that gets signaled\r\nonce such a packet is obtained, thus turning the ReadFile function called by the user mode agent into a\r\nblocking operation that will wait until the packet is picked up by the driver.\r\nIRP_MJ_WRITE: injects user-crafted data into a newly created TCP packet that is sent as a response to\r\nan incoming Moriya packet from the server.\r\nIRP_MJ_DEVICE_CONTROL: used to register the keyword to check the beginning of every incoming\r\nTCP packet in order to identify Moriya-related traffic. The passed magic is anticipated to be six characters\r\nlong.\r\nFig. 6. Code used for registering the packet magic value from the driver side\r\nHow were targeted servers initially infected?\r\nInspecting the systems targeted by the rootkit, we tried to understand how they got infected in the first place. 
As\r\npreviously mentioned, Moriya was seen deployed mostly on public-facing servers within the victim organizations.\r\nIn one case, we saw the attacker infect an organizational mail server with the China Chopper webshell, using it to\r\nmap the victim’s network and then deploy other tools in it. Moriya’s user mode agent was explicitly installed using a command line\r\nexecuted on the targeted server this way. This command and examples of others run on the victim machine via the\r\nwebshell can be seen below.\r\n\"cmd\" /c cd /d C:\\inetpub\\wwwroot\u0026ipconfig -all\r\n\"cmd\" /c cd /d C:\\inetpub\\wwwroot\u0026reg query HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\r\n\"cmd\" /c cd /d C:\\inetpub\\wwwroot\u0026$public\\acmsetup.exe\r\n\"cmd\" /c cd /d C:\\inetpub\\wwwroot\u0026query user\r\n\"cmd\" /c cd /d C:\\inetpub\\wwwroot\u0026ipconfig/all\r\n\"cmd\" /c cd /d C:\\inetpub\\wwwroot\u0026ping google.com\r\n\"cmd\" /c cd /d C:\\inetpub\\wwwroot\u0026netstat -anp tcp\r\n\"cmd\" /c cd /d C:\\inetpub\\wwwroot\u0026tasklist /v\r\n\"cmd\" /c cd /d C:\\inetpub\\wwwroot\u0026whoami\r\n\"cmd\" /c cd /d C:\\inetpub\\wwwroot\u0026cd $windir\\web\r\n\"cmd\" /c cd /d $windir\\Web\u0026rundll32 MoriyaServiceX64.dll, Install\r\n\"cmd\" /c cd /d C:\\inetpub\\wwwroot\u0026ipconfig/all\r\n\"cmd\" /c cd /d C:\\inetpub\\wwwroot\u0026time /t\r\n...\r\nIn general, we assess that the group’s modus operandi involves infiltrating organizations\r\nthrough vulnerable web servers in their networks. For example, an older variant of Moriya named IISSpy\r\n(described below) targets IIS web servers. 
Our telemetry shows that it was likely deployed by exploiting CVE-2017-7269 to let the attackers gain an initial foothold on a server prior to running the malware.\r\nPost exploitation toolset\r\nDuring our investigation we found a target in South Asia that enabled us to get a glimpse into some of the other\r\ntools that we assess were in use by the same attacker. The toolset includes programs used to scan hosts in the local\r\nnetwork, find new targets, perform lateral movement to spread to them and exfiltrate files. While most of the tools\r\nseem custom made and tailored for the attackers’ activities, we could also observe some open-source malware\r\nfrequently leveraged by Chinese-speaking actors. Following is an outline of these tools based on their purpose in\r\nthe infection chain.\r\nNetwork Discovery: custom built programs used to scan the internal network and detect vulnerable\r\nservices.\r\nHTTP scanner: command-line tool, found under the name ‘8.tmp’, which discovers web servers\r\nthrough banner grabbing. This is done by issuing a malformed HTTP packet to a given address,\r\nwhere no headers are included and the request is followed by multiple null bytes.\r\nFig. 7. Malformed packet generated by HTTP scanner\r\nIf the server responds, the output will be displayed in the console, as shown below.\r\nFig. 8. Console output with a server response displayed upon discovery of a new server in the\r\nnetwork\r\nDCOM Scanner: another command-line utility that attempts to connect to a remote host on TCP\r\nport 135 (RPC), and use the DCOM IOxidResolver interface to resolve addresses assigned to all\r\nnetwork interfaces available on the remote system.\r\nFig. 9. 
Output of the DCOM scanner utility\r\nLateral Movement: tools used to spread to other hosts in the targeted networks.\r\nBOUNCER: malware that was first described by Mandiant in their 2013[2] report on APT1. This\r\ntool is another passive backdoor that waits for incoming connections on a specific port and provides\r\ndifferent features, as outlined below, that can be used to control a remote host and facilitate lateral\r\nmovement from it.\r\n0x01: Proxy Init Connection\r\n0x02: Proxy Send Packet\r\n0x03: Proxy Close Connection\r\n0x07: Execute Shellcode\r\n0x0A: Kill Bot\r\n0x0C: Reverse Shell CMD\r\n0x0D: Delete File\r\n0x0E: Execute local program\r\n0x0F: Enumerate Servers In Domain and save output in gw.dat\r\n0x10: Enumerate SQL Servers and save output in sql.dat\r\n0x12: Reverse Shell CreateProcess\r\n0x16: Upload File - Write Data\r\n0x17: Download File - Finish\r\n0x1E: Download File - Start\r\n0x1F: Upload File - Start\r\n0x2D: Enumerate Servers\r\n0x2E: Enumerate SQL Server\r\n0x2F: Enumerate Servers Verbose\r\n0x30: Enumerate Users\r\n0x32: Do nothing\r\nThe BOUNCER sample that we observed contained a string that indicates which command-line\r\narguments it anticipates:\r\nusage:%s IP port [proxip] [port] [key]\r\nHowever, the backdoor is configured to accept only the port number on which it will listen.\r\nWe saw two versions of this backdoor, initiated by two different launchers. The first one is an\r\nexecutable file named nw.tmp that decrypts an embedded payload using the RC4 algorithm and\r\ninjects it into a newly spawned svchost.exe process. The injected payload is similar to one described\r\nby Mandiant in 2013, which is yet another intermediate loader that decrypts and loads an embedded\r\nBOUNCER DLL. 
The last stage is started by invoking the DLL’s dump export with the arguments\r\npassed via the command line.\r\nThe other version was stored with the name rasauto.dll in the system directory, impersonating the\r\nWindows Remote Access Auto Connection Manager library. Like the other version, it decrypts an\r\nembedded DLL using RC4, but this time uses no intermediate stage, instead directly calling the\r\nDLL’s dump export without arguments. The decrypted library is a slightly modified BOUNCER\r\nvariant that always listens on the hardcoded port 1437.\r\nFig. 10. Code from the second BOUNCER variant that uses the hardcoded port 1437 to listen\r\nfor new packets\r\nBased on compilation timestamps of all BOUNCER-related executables, as shown below, we assess\r\nthat the attacker reused old samples of the malware rather than compiled new versions of it:\r\nnw.tmp – stage 0 – launcher – 08-03-2017 03:56:24\r\nnw.tmp – stage 1 – embedded loader – 26-08-2014 04:49:58\r\nnw.tmp – stage 2 – embedded BOUNCER backdoor – 28-05-2012 13:44:37\r\nrasauto.dll – stage 0 – loader – 26-08-2013 09:37:08\r\nrasauto.dll – stage 1 – embedded BOUNCER backdoor – 26-08-2013 09:36:27\r\nCustom PSExec: the attacker deployed a tool to execute commands remotely on compromised\r\nmachines. Like the original PSExec tool, this one consists of two components – a client named pc.tmp\r\nand a service named pv.tmp. In order to use the tool, the attacker has to execute it via a command\r\nline with the parameters specified below.\r\nUsage: psexec \u003chostname\u003e \u003cpsserve_path\u003e \u003cexefilename\u003e \u003cServerName\u003e [option]\r\nThe service component is a tiny program that uses the CreateProcessA API to start a program\r\nspecified as an argument. The client component uses the Service Control Manager (SCM) API to\r\ncreate a service on the target machine. 
If the ServerName argument is not specified, the service will\r\nbe named Server%c%c where %c is a random lower case character. The exefilename argument is\r\nthen passed to the StartServiceA function in order to initiate the command execution.\r\nFig. 11. Code used to create and start the service on targeted host\r\nIt is worth noting that the program has some limitations. Compared with the original PSExec, it is\r\nnot able to copy the service binary (i.e., pv.tmp, which has its path specified in the psserve_path\r\nargument) to a remote machine, but rather assumes it is already present on it. Besides, it cannot\r\nhandle network credentials, limiting the ability to execute commands as other users, nor does it\r\nsupport pipes, which means it does not receive the output of the commands it issues.\r\nExfiltration: multi-platform utilities commonly used to establish connections with remote hosts and\r\nconduct file system operations on them, including file upload and download.\r\nEarthworm and Termite: well-known command-line utilities developed to facilitate intrusion into\r\nintranet networks. These programs are multiplatform and can be deployed on various architectures.\r\nEarthworm is used to create tunnels between compromised hosts and transfer data.\r\nFig. 12. Earthworm help message\r\nTermite provides additional features to download and upload files between the compromised hosts,\r\nas well as a way to spawn a remote shell to control the targeted machine.\r\nFig. 13. Termite help message\r\nTRAN: another tool that we detected under the filename tran.tmp that was used to transfer data between\r\ncompromised hosts. The binary we saw operated as a loader that embodies a tiny web server\r\nencrypted with the RC4 algorithm within it. 
This server is later injected into a newly created\r\nlegitimate schtask.exe process and usually listens on port 49158. It is used for managing files\r\nuploaded by the attacker into an in-memory virtual file system maintained by the malware. By\r\ndefault the file system includes a tiny program named client.exe, which can be downloaded by any\r\nhost using a standard HTTP GET request to the path /client.exe. This file is a command-line utility\r\nthat can be used to control the virtual file system managed by the server, through one of several\r\navailable commands outlined below.\r\nFig. 14. Client.exe help message\r\nIISSpy: tracing Moriya back to a user-mode rootkit\r\nIISSpy is an older user-mode version of the Moriya rootkit that we were able to pinpoint in our telemetry. It is\r\nused to target IIS servers for establishing a backdoor in their underlying websites. It was detected on a machine in\r\n2018, unrelated to any of the attacks in the current operation. This suggests the threat actor has been active since at\r\nleast that year.\r\nThe malware, which comes as a DLL, achieves its goals by enumerating running IIS processes on the server (i.e.,\r\nthose that are executed from the image w3wp.exe), and injecting the malware’s DLL into them to alter their\r\nbehavior. The executed code in the IIS processes will then set inline hooks for several functions, most notably\r\nCreateFileW.\r\nThe corresponding CreateFileW hook function checks if the filename argument contains the directory ‘MORIYA’\r\nor ‘moriya’ in its path, and if so, infers that the attacker has sent a specially crafted HTTP request to the web\r\nserver. In this request, the Moriya path in the URL is followed by an encoded command. 
After the command is\r\ndecoded and processed, it is passed via a mailslot (\\\\.\\mailslot\\slot) to a separate thread, while signaling an event\r\ncalled GlobalCommandEvent.\r\nFig. 15. Code of the CreateFileW hook function that looks for the ‘MORIYA’ or ‘moriya’ directory in a\r\nrequest path\r\nShould the currently handled file contain the Moriya path, the very same hook function will generate a special file\r\non the web server to which command execution output will be written. This file’s path is created by finding the\r\nposition of the ‘MORIYA’ or ‘moriya’ strings in the inspected filename argument, and replacing it with the string\r\n‘IISINFO.HTM’. This will then be appended to the command data passed on the mailslot, following a ‘ \u003e ‘\r\ncharacter.\r\nThe other thread waiting on the command event mentioned above is in charge of processing attacker data fetched\r\nfrom the mailslot. Any such command will be read and parsed to find the ‘ \u003e ‘ character and the file path that\r\nfollows it, in this case the one corresponding to ‘IISINFO.HTML’. After executing the command via cmd.exe, the\r\noutput will be written to the file in this path, allowing the attacker to read it by issuing a corresponding HTTP\r\nrequest where the URL path leads to this file on the server.\r\nOther functions that are hooked in the IIS process are CreateProcessAsUserW and CreateProcessW. These are\r\nused to detect if the current process spawns a new server instance, which will in turn be injected with the\r\nmalware’s DLL. Apart from this, IISSpy will also create a monitoring thread that will periodically look for newly\r\ncreated httpd.exe processes, corresponding to the Apache server. 
If detected, the malware will be injected to them\r\nas well.\r\nAlthough it is evident from both the functionality and use of the Moriya keyword by the malware that IISSpy and\r\nthe Moriya rootkit are related, further evidence in the code substantiates the connection:\r\nThe older variant is capable of creating a reverse shell transmitted through an overt channel in exactly the\r\nsame way as the more recent version of the malware, i.e., it identifies a connect request followed by a C\u0026C\r\nserver address and port, connects to it and redirects the I/O of a new exe process to the underlying socket.\r\nBoth variants use the same packet encoding and decoding algorithm, whereby each clear-text byte is\r\nXORed with 0x5 and negated, and vice-versa.\r\nFig. 16. Packet decoding loop that follows the same logic as that used in Moriya\r\nIn both cases the developers left a trail of unique debug messages, issued to the OutputDebugString API\r\nfunction. An example of such a string used in identical code in the two variants is shown below.\r\nFig. 17. Code used in both variants to spawn a new shell, while printing unique debug messages\r\nBoth implants are deployed by invoking an export function named Install that creates a service that allows\r\npersistent execution, with the malware’s logic residing in the ServiceMain export. Moreover, the Install functions\r\nare highly similar to one another.\r\nFig. 18. Comparison of Install export function CFGs between IISSpy and Moriya\r\nThe ProcessKiller rootkit vs. security products\r\nAnother interesting artefact found in our telemetry that could be tied to the developers of Moriya is a malware\r\nnamed ProcessKiller. 
As its name suggests, it is intended to eliminate execution of processes, with the use of a\r\nkernel mode driver. Ultimately, this tool is used to shut down and block initiation of AV processes from kernel\r\nspace, thus allowing other attack tools to run without being detected.\r\nThis malware operates through the following stages:\r\nAn attacker calls the malware’s DLL from an export named Kill, passing it a list of process names it would\r\nlike to shut down and block as a command-line argument.\r\nThe malware writes a driver that is embedded as a resource within it, impersonating a Kaspersky driver\r\nunder the path %SYSTEM%\\drivers\\kavp.sys.\r\nThere is an attempt to load the driver using the Service Control Manager. However, since it is not signed\r\nand loading is prone to fail on Windows versions above Vista 64-bit, the malware uses the same DSEFix\r\ncode to bypass Driver Signature Enforcement as witnessed in Moriya’s user mode agent.\r\nThe malware parses the process names passed as arguments and creates a vector of ‘blacklisted processes’\r\nout of them.\r\nFor each process in the list, the malware detects its PID and issues it through an IOCTL with code\r\n0x22200C to the driver which is in charge of shutting it down from kernel space. The shutdown is carried\r\nout by locating the process object with the function PsLookupProcessByProcessId and then terminating it\r\nwith ZwTerminateProcess.\r\nThe list of processes is then passed via another IOCTL with the code 0x222004 to the driver, which inserts\r\neach member of it to a linked list in kernel space. When the driver is bootstrapped, it registers a callback\r\nfor newly created processes through the PsSetCreateProcessNotifyRoutineEx function, which inspects the\r\nimage name of the created process and compares it against those found in the linked list. 
If a match is\r\nfound, the process creation status in the PPS_CREATE_NOTIFY_INFO structure will be set to\r\nSTATUS_UNSUCCESSFUL, signaling the user space API function that process creation failed.\r\nAt this point any other malware can theoretically operate without being detected.\r\nIf the attacker wishes to disable blacklisting, it can be done by issuing an IOCTL with the code 0x222008,\r\nwhich would destroy the linked list of blacklisted processes.\r\nOnce again, the connection to Moriya is based on several observations:\r\nDistinct debug error messages, such as the one presented below.\r\nFig. 19. Unique debug message that appears in ProcessKiller and Moriya\r\nFilenames of the same structure, i.e., Moriya’s agent is internally named ‘MoriyaServiceX64.dll’, and\r\nProcessKiller’s DLL is named ‘ProcessKillerX64.dll’\r\nUsage of the exact same DSEFix code to load an unsigned driver.\r\nWhat do we know about the threat actor?\r\nUnfortunately, we are not able to attribute the attack to any particular known actor, but based on the TTPs used\r\nthroughout the campaign, we suppose it is a Chinese-speaking one. We base this on the fact that the targeted\r\nentities were attacked in the past by Chinese-speaking actors, and are generally located in countries that are\r\nusually targeted by such an actor profile. 
Moreover, the tools leveraged by the attackers, such as China Chopper,\r\nBOUNCER, Termite and Earthworm, are an additional indicator supporting our hypothesis as they have\r\npreviously been used in campaigns attributed to well-known Chinese-speaking groups.\r\nWho were the targets?\r\nBased on our telemetry the attacks were highly targeted and delivered to less than 10 victims around the world.\r\nThe most prominent victims are two large regional diplomatic organizations in South-East Asia and Africa, while\r\nall the others were victims in South Asia.\r\nConclusion\r\nThe TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in\r\ndesigning an evasive toolset and infiltrating networks of high-profile organizations. By leveraging Windows\r\ndrivers, covert communications channels and proprietary malware, the group behind it maintains a considerable\r\nlevel of stealth. That said, some of its TTPs, like the usage of a commodity webshell and open-source legacy code\r\nfor loading unsigned drivers, may get detected and in fact were flagged by our product, giving us visibility into the\r\ngroup’s operation.\r\nStill, with activity dating back to at least 2018, the threat actor behind this campaign has shown that it is able to\r\nevolve and tailor its toolset to target environments. This indicates the group conducting these attacks may well still\r\nbe active and retooling for additional operations in the area of interest outlined in this publication, as well as other\r\nregions. 
With that in mind, we continue to track this attacker and look for signs of its reappearance in the wild.\r\nAny findings and updates will be made available to customers of our Threat Intelligence Portal.\r\nFor more information about operation TunnelSnake and the underlying threat actor, contact us at:\r\nintelreports@kaspersky.com.\r\nTo learn more on reverse engineering and malware analysis from Kaspersky GReAT experts, check out the\r\nwebsite http://xtraining.kaspersky.com.\r\nIOCs\r\n48307C22A930A2215F7601C78240A5EE Moriya Agent\r\nA2C4EE84E3A95C8731CA795F53F900D5 Moriya 64-bit Driver\r\n5F0F1B0A033587DBCD955EDB1CDC24A4 IISSpy\r\nC1159FE3193E8B5206006B4C9AFBFE62 ProcessKiller\r\nDA627AFEE096CDE0B680D39BD5081C41 ProcessKiller Driver – 32-bit\r\n07CF58ABD6CE92D96CFC5ABC5F6CBC9A ProcessKiller Driver – 64-bit\r\n9A8F39EBCC580AA56D6DDAF5804EAE61 pv.tmp (Custom PSExec Server)\r\n39C361ABB74F9A338EA42A083E6C7DF8 pc.tmp (Custom PsExec Client)\r\nDE3FB65461EE8A68A3C7D490CDAC296D tran.tmp (Exfiltration tool)\r\nEAC0E57A22936D4C777AA121F799FEE6 client.exe (Utility embedded in tran.tmp)\r\nD745174F5B0EB41D9F764B22A5ECD357 rasauto.dll (Bouncer Loader)\r\n595E43CDF0EDCAA31525D7AAD87B7BE4 8.tmp (HTTP Scanner)\r\n9D75B50727A8E732DB0ADE7E270A7395 ep.tmp (DCOM Scanner)\r\n3A4E1F3F7E1BAAB8B02F3A8EE20F98C9 nw.tmp (Bouncer Loader)\r\n47F2D06713DAD556F535E523B777C682 Termite\r\n45A5D9053BC90ED657FA90DE0B775E8F Earthworm\r\nSource: https://www.redpacketsecurity.com/operation-tunnelsnake/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.redpacketsecurity.com/operation-tunnelsnake/"
	],
	"report_names": [
		"operation-tunnelsnake"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c390b96-8206-4194-81d8-ebbabb9910ff",
			"created_at": "2023-12-03T02:00:05.147496Z",
			"updated_at": "2026-04-10T02:00:03.486417Z",
			"deleted_at": null,
			"main_name": "TunnelSnake",
			"aliases": [],
			"source_name": "MISPGALAXY:TunnelSnake",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4b48e4b6-09b0-4f4d-a78c-6b455d122e67",
			"created_at": "2022-10-25T16:07:24.020115Z",
			"updated_at": "2026-04-10T02:00:04.84333Z",
			"deleted_at": null,
			"main_name": "Operation TunnelSnake",
			"aliases": [],
			"source_name": "ETDA:Operation TunnelSnake",
			"tools": [
				"Moriya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434025,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d6f61566e19a308db87f5b9447dacfb947213c90.pdf",
		"text": "https://archive.orkl.eu/d6f61566e19a308db87f5b9447dacfb947213c90.txt",
		"img": "https://archive.orkl.eu/d6f61566e19a308db87f5b9447dacfb947213c90.jpg"
	}
}