{
	"id": "f8bc6779-a76d-4573-9221-d29445bf5f26",
	"created_at": "2026-04-06T00:15:58.494472Z",
	"updated_at": "2026-04-10T03:37:21.655278Z",
	"deleted_at": null,
	"sha1_hash": "d6fdc69202fef1c0f4e171e9fcae238e25ab4bcf",
	"title": "Budworm: APT Group Uses Updated Custom Tool in Attacks on Government and Telecoms Org",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44200,
	"plain_text": "Budworm: APT Group Uses Updated Custom Tool in Attacks on Government and Telecoms Org\r\nArchived: 2026-04-05 14:14:18 UTC\r\nThe Budworm advanced persistent threat (APT) group continues to actively develop its toolset. Most recently, the Threat Hunter Team in Symantec, part of Broadcom, discovered Budworm using an updated version of one of its key tools to target a Middle Eastern telecommunications organization and an Asian government.\r\nBoth attacks occurred in August 2023. Budworm (aka LuckyMouse, Emissary Panda, APT27) deployed a previously unseen variant of its SysUpdate backdoor (SysUpdate DLL inicore_v2.3.30.dll). SysUpdate is exclusively used by Budworm.\r\nAs well as its custom malware, Budworm also used a variety of living-off-the-land and publicly available tools in these attacks. It appears the activity by the group may have been stopped early in the attack chain, as the only malicious activity seen on infected machines is credential harvesting.\r\nTools Used\r\nBudworm executes SysUpdate on victim networks by DLL sideloading the payload using the legitimate INISafeWebSSO application. This technique has been used by the group for some time, with reports of INISafeWebSSO being leveraged dating as far back as 2018. DLL sideloading attacks use the DLL search order mechanism in Windows to plant and then invoke a legitimate application that executes a malicious payload. It can help attackers evade detection.\r\nSysUpdate is a feature-rich backdoor that has multiple capabilities, including:\r\nList, start, stop, and delete services\r\nTake screenshots\r\nBrowse and terminate processes\r\nDrive information retrieval\r\nFile management (finds, deletes, renames, uploads, downloads files, and browses a directory)\r\nCommand execution\r\nTrend Micro reported in March 2023 that Budworm had developed a Linux version of SysUpdate with similar capabilities to the Windows version. SysUpdate has been in use by Budworm since at least 2020, and the attackers appear to continually develop the tool to improve its capabilities and avoid detection.\r\nAs well as SysUpdate, the attackers used a number of legitimate or publicly available tools to map the network and dump credentials. Tools used by the attackers in this campaign included:\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-tool-update-telecoms-govt\r\nPage 1 of 3\r\nAdFind: A publicly available tool that is used to query Active Directory. It has legitimate uses but is widely used by attackers to help map a network.\r\nCurl: An open-source command-line tool for transferring data using various network protocols.\r\nSecretsDump: A publicly available tool that can perform various techniques to dump secrets from the remote machine without executing any agent. Techniques include reading SAM and LSA secrets from registries, dumping NTLM hashes, plaintext credentials, and Kerberos keys, as well as dumping the NTDS.dit Active Directory database.\r\nPasswordDumper: A password-dumping tool.\r\nBudworm Background\r\nBudworm is a long-running APT group that is believed to have been active since at least 2013. The attackers are known for their targeting of high-value victims, often focusing on organizations in the government, technology, and defense sectors. Budworm has targeted victims in many countries in Southeast Asia and the Middle East, among other locations, including the U.S. Symantec’s Threat Hunter Team published a blog in October 2022 detailing how Budworm activity was seen on the network of a U.S. state legislature. In that campaign, the attackers also targeted the government of a Middle Eastern country, a multinational electronics manufacturer, and a hospital in Southeast Asia. The attackers also leveraged DLL sideloading in that campaign to load their HyperBro malware.\r\nThe victims in this campaign — a government in Asia and a telecommunications company in the Middle East — do align with the kinds of victims we often see Budworm targeting. The targeting of a telecommunications company and government also points to the motivation behind the campaign being intelligence gathering, which is the motivation that generally drives Budworm activity.\r\nThat Budworm continues to use a known malware (SysUpdate), alongside techniques it is known to favor, such as DLL sideloading using an application it has used for this purpose before, indicates that the group isn’t too concerned about having this activity associated with it if it is discovered.\r\nThe use of a previously unseen version of the SysUpdate tool also demonstrates that the group is continuing to actively develop its toolset. The fact that this activity occurred as recently as August 2023 suggests that the group is currently active, and that those organizations that may be of interest to Budworm should be aware of this activity and the group’s current toolset.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.\r\nSHA256 file hashes\r\nc501203ff3335fbfc258b2729a72e82638719f60f7e6361fc1ca3c8560365a0e — Legitimate INISafeWebSSO application\r\nc4f7ec0c03bcacaaa8864b715eb617d5a86b5b3ca6ee1e69ac766773c4eb00e6 — SysUpdate backdoor\r\n551397b680da0573a85423fbb0bd10dac017f061a73f2b8ebc11084c1b364466 — Password dumper\r\ndf571c233c3c10462f4d88469bababe4c57c21a52cca80f2b1e1af848a2b4d23 — Hacktool\r\nc3405d9c9d593d75d773c0615254e69d0362954384058ee970a3ec0944519c37 — SecretsDump\r\nf157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e — AdFind\r\nee9dfcea61282b4c662085418c7ad63a0cbbeb3a057b6c9f794bb32455c3a79e — Curl\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-tool-update-telecoms-govt",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-tool-update-telecoms-govt"
	],
	"report_names": [
		"budworm-tool-update-telecoms-govt"
	],
	"threat_actors": [
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434558,
	"ts_updated_at": 1775792241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d6fdc69202fef1c0f4e171e9fcae238e25ab4bcf.pdf",
		"text": "https://archive.orkl.eu/d6fdc69202fef1c0f4e171e9fcae238e25ab4bcf.txt",
		"img": "https://archive.orkl.eu/d6fdc69202fef1c0f4e171e9fcae238e25ab4bcf.jpg"
	}
}