{
	"id": "330e0ece-69eb-4956-8a0d-0cf0c502a497",
	"created_at": "2026-04-06T00:09:52.060658Z",
	"updated_at": "2026-04-10T03:37:40.856127Z",
	"deleted_at": null,
	"sha1_hash": "d746f8042d226356162af400966cdf25d4832ec7",
	"title": "APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 836695,
	"plain_text": "APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT\r\nPublished: 2020-03-15 · Archived: 2026-04-05 14:11:25 UTC\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 1 of 93\r\n\r\nSince the coronavirus became a worldwide health issue, the desire for more information and guidance from government and health authorities has reached a fever pitch. This is a golden opportunity for threat actors to capitalize on fear, spread misinformation, and generate mass hysteria—all while compromising victims with scams or malware campaigns.\r\n\r\nProfiting from global health concerns, natural disasters, and other extreme weather events is nothing new for cybercriminals. Scams related to SARS, H1N1 (swine flu), and avian flu have circulated online for more than a decade. According to reports from ZDNet, many state-sponsored threat actors have already started to distribute coronavirus lures, including:\r\n\r\nChinese APTs: Vicious Panda, Mustang Panda\r\nNorth Korean APTs: Kimsuky\r\nRussian APTs: Hades group (believed to have ties with APT28), TA542 (Emotet)\r\nOther APTs: Sweed (Lokibot)\r\n\r\nRecently, the Red Drip team reported that APT36 was using a decoy health advisory document to spread a Remote Administration Tool (RAT).\r\n\r\nAPT36 is believed to be a Pakistani state-sponsored threat actor mainly targeting the defense, embassies, and the government of India. APT36 performs cyber-espionage operations with the intent of collecting sensitive information from India that supports Pakistani military and diplomatic interests. This group, active since 2016, is also known as Transparent Tribe, ProjectM, Mythic Leopard, and TEMP.Lapis.\r\n\r\nAPT36 spreads fake coronavirus health advisory\r\n\r\nAPT36 mainly relies on both spear phishing and watering hole attacks to gain its foothold on victims. The phishing email is either a malicious macro document or an RTF file exploiting vulnerabilities, such as CVE-2017-0199.\r\n\r\nIn the coronavirus-themed attack, APT36 used a spear phishing email with a link to a malicious document (Figure 1) masquerading as the government of India (email.gov.in.maildrive[.]email/?att=1579160420).\r\n\r\nWe looked at the previous phishing campaigns related to this APT and can confirm this is a new phishing pattern from this group. The names used for directories and functions are likely Urdu names.\r\n\r\nThe malicious document has two hidden macros that drop a RAT variant called Crimson RAT. The malicious macro (Figure 2) first creates two directories with the names “Edlacar” and “Uahaiws” and then checks the OS type.\r\n\r\nBased on the OS type, the macro picks either a 32-bit or 64-bit version of its RAT payload in zip format that is stored in one of the two textboxes in UserForm1 (Figure 3).\r\n\r\nThen it drops the zip payload into the Uahaiws directory and unzips its content using the “UnAldizip” function, dropping the RAT payload into the Edlacar directory. Finally, it calls the Shell function to execute the payload.\r\n\r\nCrimson RAT\r\n\r\nThe Crimson RAT has been written in .NET (Figure 4) and its capabilities include:\r\n\r\nStealing credentials from the victim’s browser\r\nListing running processes, drives, and directories on the victim’s machine\r\nRetrieving files from its C\u0026C server\r\nUsing a custom TCP protocol for its C\u0026C communications\r\nCollecting information about antivirus software\r\nCapturing screenshots\r\n\r\nUpon running the payload, Crimson RAT connects to its hardcoded C\u0026C IP addresses and sends collected information about the victim back to the server, including a list of running processes and their IDs, the machine hostname, and its username (Figure 5).\r\n\r\nOngoing use of RATs\r\n\r\nAPT36 has used many different malware families in the past, but has mostly deployed RATs, such as BreachRAT, DarkComet, Luminosity RAT, and njRAT.\r\n\r\nIn past campaigns, they were able to compromise Indian military and government databases to steal sensitive data, including army strategy and training documents, tactical documents, and other official letters. They were also able to steal personal data, such as passport scans and personal identification documents, text messages, and contact details.\r\n\r\nProtection against RATs\r\n\r\nWhile most general users needn’t worry about nation-state attacks, organizations wanting to protect against this threat should consider using an endpoint protection system or endpoint detection and response with exploit blocking and real-time malware detection.\r\n\r\nShoring up vulnerabilities by keeping all software (including Microsoft Excel and Word) up to date shields against exploit attacks. In addition, training employees and users to avoid opening coronavirus resources from unvetted sources can protect against this and other social engineering attacks from threat actors.\r\n\r\nMalwarebytes users are protected against this attack. We block the malicious macro execution as well as its payload with our application behavior protection layer and real-time malware detection.\r\n\r\nIndicators of Compromise\r\n\r\nDecoy URLs\r\nemail.gov.in.maildrive[.]email/?att=1579160420\r\nemail.gov.in.maildrive[.]email/?att=1581914657\r\n\r\nDecoy documents\r\n876939aa0aa157aa2581b74ddfc4cf03893cede542ade22a2d9ac70e2fef1656\r\n20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a\r\n\r\nCrimson RAT\r\n0ee399769a6e6e6d444a819ff0ca564ae584760baba93eff766926b1effe0010\r\nb67d764c981a298fa2bb14ca7faffc68ec30\r\n\r\nC2s\r\n107.175.64[.]209\r\n64.188.25[.]205\r\n\r\nMITRE ATT\u0026CK\r\nhttps://attack.mitre.org/software/S0115/\r\n
According to reports from ZDnet, many state-sponsored threat actors have already started to distribute\r\ncoronavirus lures, including:\r\nChinese APTs: Vicious Panda, Mustang Panda\r\nNorth Korean APTs: Kimsuky\r\nRussian APTs: Hades group (believed to have ties with APT28), TA542 (Emotet)\r\nOther APTs: Sweed (Lokibot)\r\nRecently, the Red Drip team reported that APT36 was using a decoy health advisory document to spread a Remote\r\nAdministration Tool (RAT).\r\nAPT36 is believed to be a Pakistani state-sponsored threat actor mainly targeting the defense, embassies, and the\r\ngovernment of India. APT36 performs cyber-espionage operations with the intent of collecting sensitive\r\ninformation from India that supports Pakistani military and diplomatic interests. This group, active since 2016, is\r\nalso known as Transparent Tribe, ProjectM, Mythic Leopard, and TEMP.Lapis.\r\nAPT36 spreads fake coronavirus health advisory\r\nAPT36 mainly relies on both spear phishing and watering hole attacks to gain its foothold on victims. The\r\nphishing email is either a malicious macro document or an rtf file exploiting vulnerabilities, such as CVE-2017-\r\n0199.\r\nIn the coronavirus-themed attack, APT36 used a spear phishing email with a link to a malicious document (Figure\r\n1) masquerading as the government of India (email.gov.in.maildrive[.]email/?att=1579160420).\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 33 of 93\n\nWe looked at the previous phishing campaigns related to this APT and can confirm this is a new phishing pattern\r\nfrom this group. The names used for directories and functions are likely Urdu names.\r\nThe malicious document has two hidden macros that drop a RAT variant called Crimson RAT. 
The malicious\r\nmacro (Figure 2) first creates two directories with the names “Edlacar” and “Uahaiws” and then checks the OS\r\ntype.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 34 of 93\n\nBased on the OS type, the macro picks either a 32bit or 64bit version of its RAT payload in zip format that is\r\nstored in one of the two textboxes in UserForm1 (Figure 3).\r\nThen it drops the zip payload into the Uahaiws directory and unzips its content using the “UnAldizip” function,\r\ndropping the RAT payload into the Edlacar directory. Finally, it calls the Shell function to execute the payload.\r\nCrimson RAT\r\nThe Crimson RAT has been written in .Net (Figure 4) and its capabilities include:\r\nStealing credentials from the victim’s browser\r\nListing running processes, drives, and directories on the victim’s machine\r\nRetrieving files from its C\u0026C server\r\nUsing custom TCP protocol for its C\u0026C communications\r\nCollecting information about antivirus software\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 35 of 93\n\nCapturing screenshots\r\nUpon running the payload, Crimson RAT connects to its hardcoded C\u0026C IP addresses and sends collected\r\ninformation about the victim back to the server, including a list of running processes and their IDs, the machine\r\nhostname, and its username (Figure 5).\r\nOngoing use of RATs\r\nAPT36 has used many different malware families in the past, but has mostly deployed RATs, such as BreachRAT,\r\nDarkComet, Luminosity RAT, and njRAT.\r\nIn past campaigns, they were able to compromise Indian military and government databases to steal sensitive data,\r\nincluding army strategy and training documents, tactical documents, and other official letters. 
They also were able\r\nto steal personal data, such as passport scans and personal identification documents, text messages, and contact\r\ndetails.\r\nProtection against RATs\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 36 of 93\n\nWhile most general users needn’t worry about nation-state attacks, organizations wanting to protect against this\r\nthreat should consider using an endpoint protection system or endpoint detection and response with exploit\r\nblocking and real-time malware detection.\r\nShoring up vulnerabilities by keeping all software (including Microsoft Excel and Word) up-to-date shields\r\nagainst exploit attacks. In addition, training employees and users to avoid opening coronavirus resources from\r\nunvetted sources can protect against this and other social engineering attacks from threat actors.\r\nMalwarebytes users are protected against this attack. We block the malicious macro execution as well as its\r\npayload with our application behavior protection layer and real-time malware detection.\r\nIndicators of Compromise\r\nDecoy URLs\r\nemail.gov.in.maildrive[.]email/?att=1579160420\r\nemail.gov.in.maildrive[.]email/?att=1581914657\r\nDecoy documents\r\n876939aa0aa157aa2581b74ddfc4cf03893cede542ade22a2d9ac70e2fef1656\r\n20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a\r\nCrimson RAT\r\n0ee399769a6e6e6d444a819ff0ca564ae584760baba93eff766926b1effe0010 b67d764c981a298fa2bb14ca7faffc68ec30\r\nC2s\r\n107.175.64[.]209 64.188.25[.]205\r\nMITRE ATT\u0026CK\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 37 of 93\n\nhttps://attack.mitre.org/software/S0115/\r\nThen it drops the zip payload into the Uahaiws directory and unzips its content using the “UnAldizip” function,\r\ndropping the RAT payload into the Edlacar directory. 
Finally, it calls the Shell function to execute the payload.\r\nCrimson RAT\r\nThe Crimson RAT has been written in .Net (Figure 4) and its capabilities include:\r\nStealing credentials from the victim’s browser\r\nListing running processes, drives, and directories on the victim’s machine\r\nRetrieving files from its C\u0026C server\r\nUsing custom TCP protocol for its C\u0026C communications\r\nCollecting information about antivirus software\r\nCapturing screenshots\r\nUpon running the payload, Crimson RAT connects to its hardcoded C\u0026C IP addresses and sends collected\r\ninformation about the victim back to the server, including a list of running processes and their IDs, the machine\r\nhostname, and its username (Figure 5).\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 38 of 93\n\nOngoing use of RATs\r\nAPT36 has used many different malware families in the past, but has mostly deployed RATs, such as BreachRAT,\r\nDarkComet, Luminosity RAT, and njRAT.\r\nIn past campaigns, they were able to compromise Indian military and government databases to steal sensitive data,\r\nincluding army strategy and training documents, tactical documents, and other official letters. They also were able\r\nto steal personal data, such as passport scans and personal identification documents, text messages, and contact\r\ndetails.\r\nProtection against RATs\r\nWhile most general users needn’t worry about nation-state attacks, organizations wanting to protect against this\r\nthreat should consider using an endpoint protection system or endpoint detection and response with exploit\r\nblocking and real-time malware detection.\r\nShoring up vulnerabilities by keeping all software (including Microsoft Excel and Word) up-to-date shields\r\nagainst exploit attacks. 
In addition, training employees and users to avoid opening coronavirus resources from\r\nunvetted sources can protect against this and other social engineering attacks from threat actors.\r\nMalwarebytes users are protected against this attack. We block the malicious macro execution as well as its\r\npayload with our application behavior protection layer and real-time malware detection.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 39 of 93\n\nIndicators of Compromise\r\nDecoy URLs\r\nemail.gov.in.maildrive[.]email/?att=1579160420\r\nemail.gov.in.maildrive[.]email/?att=1581914657\r\nDecoy documents\r\n876939aa0aa157aa2581b74ddfc4cf03893cede542ade22a2d9ac70e2fef1656\r\n20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a\r\nCrimson RAT\r\n0ee399769a6e6e6d444a819ff0ca564ae584760baba93eff766926b1effe0010 b67d764c981a298fa2bb14ca7faffc68ec30\r\nC2s\r\n107.175.64[.]209 64.188.25[.]205\r\nMITRE ATT\u0026CK\r\nhttps://attack.mitre.org/software/S0115/\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 40 of 93\n\nWe looked at the previous phishing campaigns related to this APT and can confirm this is a new phishing pattern\r\nfrom this group. The names used for directories and functions are likely Urdu names.\r\nThe malicious document has two hidden macros that drop a RAT variant called Crimson RAT. The malicious\r\nmacro (Figure 2) first creates two directories with the names “Edlacar” and “Uahaiws” and then checks the OS\r\ntype.\r\nBased on the OS type, the macro picks either a 32bit or 64bit version of its RAT payload in zip format that is\r\nstored in one of the two textboxes in UserForm1 (Figure 3).\r\nThen it drops the zip payload into the Uahaiws directory and unzips its content using the “UnAldizip” function,\r\ndropping the RAT payload into the Edlacar directory. 
Finally, it calls the Shell function to execute the payload.\r\nCrimson RAT\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 41 of 93\n\nThe Crimson RAT has been written in .Net (Figure 4) and its capabilities include:\r\nStealing credentials from the victim’s browser\r\nListing running processes, drives, and directories on the victim’s machine\r\nRetrieving files from its C\u0026C server\r\nUsing custom TCP protocol for its C\u0026C communications\r\nCollecting information about antivirus software\r\nCapturing screenshots\r\nUpon running the payload, Crimson RAT connects to its hardcoded C\u0026C IP addresses and sends collected\r\ninformation about the victim back to the server, including a list of running processes and their IDs, the machine\r\nhostname, and its username (Figure 5).\r\nOngoing use of RATs\r\nAPT36 has used many different malware families in the past, but has mostly deployed RATs, such as BreachRAT,\r\nDarkComet, Luminosity RAT, and njRAT.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 42 of 93\n\nIn past campaigns, they were able to compromise Indian military and government databases to steal sensitive data,\r\nincluding army strategy and training documents, tactical documents, and other official letters. They also were able\r\nto steal personal data, such as passport scans and personal identification documents, text messages, and contact\r\ndetails.\r\nProtection against RATs\r\nWhile most general users needn’t worry about nation-state attacks, organizations wanting to protect against this\r\nthreat should consider using an endpoint protection system or endpoint detection and response with exploit\r\nblocking and real-time malware detection.\r\nShoring up vulnerabilities by keeping all software (including Microsoft Excel and Word) up-to-date shields\r\nagainst exploit attacks. 
In addition, training employees and users to avoid opening coronavirus resources from\r\nunvetted sources can protect against this and other social engineering attacks from threat actors.\r\nMalwarebytes users are protected against this attack. We block the malicious macro execution as well as its\r\npayload with our application behavior protection layer and real-time malware detection.\r\nIndicators of Compromise\r\nDecoy URLs\r\nemail.gov.in.maildrive[.]email/?att=1579160420\r\nemail.gov.in.maildrive[.]email/?att=1581914657\r\nDecoy documents\r\n876939aa0aa157aa2581b74ddfc4cf03893cede542ade22a2d9ac70e2fef1656\r\n20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a\r\nCrimson RAT\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 43 of 93\n\n0ee399769a6e6e6d444a819ff0ca564ae584760baba93eff766926b1effe0010 b67d764c981a298fa2bb14ca7faffc68ec30\r\nC2s\r\n107.175.64[.]209 64.188.25[.]205\r\nMITRE ATT\u0026CK\r\nhttps://attack.mitre.org/software/S0115/\r\nSince the coronavirus became a worldwide health issue, the desire for more information and guidance from\r\ngovernment and health authorities has reached a fever pitch. This is a golden opportunity for threat actors to\r\ncapitalize on fear, spread misinformation, and generate mass hysteria—all while compromising victims with\r\nscams or malware campaigns.\r\nProfiting from global health concerns, natural disasters, and other extreme weather events is nothing new for\r\ncybercriminals. Scams related to SARS, H1N1 (swine flu), and avian flu have circulated online for more than a\r\ndecade. 
According to reports from ZDnet, many state-sponsored threat actors have already started to distribute\r\ncoronavirus lures, including:\r\nChinese APTs: Vicious Panda, Mustang Panda\r\nNorth Korean APTs: Kimsuky\r\nRussian APTs: Hades group (believed to have ties with APT28), TA542 (Emotet)\r\nOther APTs: Sweed (Lokibot)\r\nRecently, the Red Drip team reported that APT36 was using a decoy health advisory document to spread a Remote\r\nAdministration Tool (RAT).\r\nAPT36 is believed to be a Pakistani state-sponsored threat actor mainly targeting the defense, embassies, and the\r\ngovernment of India. APT36 performs cyber-espionage operations with the intent of collecting sensitive\r\ninformation from India that supports Pakistani military and diplomatic interests. This group, active since 2016, is\r\nalso known as Transparent Tribe, ProjectM, Mythic Leopard, and TEMP.Lapis.\r\nAPT36 spreads fake coronavirus health advisory\r\nAPT36 mainly relies on both spear phishing and watering hole attacks to gain its foothold on victims. The\r\nphishing email is either a malicious macro document or an rtf file exploiting vulnerabilities, such as CVE-2017-\r\n0199.\r\nIn the coronavirus-themed attack, APT36 used a spear phishing email with a link to a malicious document (Figure\r\n1) masquerading as the government of India (email.gov.in.maildrive[.]email/?att=1579160420).\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 44 of 93\n\nWe looked at the previous phishing campaigns related to this APT and can confirm this is a new phishing pattern\r\nfrom this group. The names used for directories and functions are likely Urdu names.\r\nThe malicious document has two hidden macros that drop a RAT variant called Crimson RAT. 
The malicious\r\nmacro (Figure 2) first creates two directories with the names “Edlacar” and “Uahaiws” and then checks the OS\r\ntype.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 45 of 93\n\nBased on the OS type, the macro picks either a 32bit or 64bit version of its RAT payload in zip format that is\r\nstored in one of the two textboxes in UserForm1 (Figure 3).\r\nThen it drops the zip payload into the Uahaiws directory and unzips its content using the “UnAldizip” function,\r\ndropping the RAT payload into the Edlacar directory. Finally, it calls the Shell function to execute the payload.\r\nCrimson RAT\r\nThe Crimson RAT has been written in .Net (Figure 4) and its capabilities include:\r\nStealing credentials from the victim’s browser\r\nListing running processes, drives, and directories on the victim’s machine\r\nRetrieving files from its C\u0026C server\r\nUsing custom TCP protocol for its C\u0026C communications\r\nCollecting information about antivirus software\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 46 of 93\n\nCapturing screenshots\r\nUpon running the payload, Crimson RAT connects to its hardcoded C\u0026C IP addresses and sends collected\r\ninformation about the victim back to the server, including a list of running processes and their IDs, the machine\r\nhostname, and its username (Figure 5).\r\nOngoing use of RATs\r\nAPT36 has used many different malware families in the past, but has mostly deployed RATs, such as BreachRAT,\r\nDarkComet, Luminosity RAT, and njRAT.\r\nIn past campaigns, they were able to compromise Indian military and government databases to steal sensitive data,\r\nincluding army strategy and training documents, tactical documents, and other official letters. 
They also were able\r\nto steal personal data, such as passport scans and personal identification documents, text messages, and contact\r\ndetails.\r\nProtection against RATs\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 47 of 93\n\nWhile most general users needn’t worry about nation-state attacks, organizations wanting to protect against this\r\nthreat should consider using an endpoint protection system or endpoint detection and response with exploit\r\nblocking and real-time malware detection.\r\nShoring up vulnerabilities by keeping all software (including Microsoft Excel and Word) up-to-date shields\r\nagainst exploit attacks. In addition, training employees and users to avoid opening coronavirus resources from\r\nunvetted sources can protect against this and other social engineering attacks from threat actors.\r\nMalwarebytes users are protected against this attack. We block the malicious macro execution as well as its\r\npayload with our application behavior protection layer and real-time malware detection.\r\nIndicators of Compromise\r\nDecoy URLs\r\nemail.gov.in.maildrive[.]email/?att=1579160420\r\nemail.gov.in.maildrive[.]email/?att=1581914657\r\nDecoy documents\r\n876939aa0aa157aa2581b74ddfc4cf03893cede542ade22a2d9ac70e2fef1656\r\n20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a\r\nCrimson RAT\r\n0ee399769a6e6e6d444a819ff0ca564ae584760baba93eff766926b1effe0010 b67d764c981a298fa2bb14ca7faffc68ec30\r\nC2s\r\n107.175.64[.]209 64.188.25[.]205\r\nMITRE ATT\u0026CK\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 48 of 93\n\nhttps://attack.mitre.org/software/S0115/\r\nBased on the OS type, the macro picks either a 32bit or 64bit version of its RAT payload in zip format that is\r\nstored in one of the two textboxes in UserForm1 (Figure 3).\r\nThen it drops the zip payload into the Uahaiws 
directory and unzips its content using the “UnAldizip” function,\r\ndropping the RAT payload into the Edlacar directory. Finally, it calls the Shell function to execute the payload.\r\nCrimson RAT\r\nThe Crimson RAT has been written in .Net (Figure 4) and its capabilities include:\r\nStealing credentials from the victim’s browser\r\nListing running processes, drives, and directories on the victim’s machine\r\nRetrieving files from its C\u0026C server\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 49 of 93\n\nUsing custom TCP protocol for its C\u0026C communications\r\nCollecting information about antivirus software\r\nCapturing screenshots\r\nUpon running the payload, Crimson RAT connects to its hardcoded C\u0026C IP addresses and sends collected\r\ninformation about the victim back to the server, including a list of running processes and their IDs, the machine\r\nhostname, and its username (Figure 5).\r\nOngoing use of RATs\r\nAPT36 has used many different malware families in the past, but has mostly deployed RATs, such as BreachRAT,\r\nDarkComet, Luminosity RAT, and njRAT.\r\nIn past campaigns, they were able to compromise Indian military and government databases to steal sensitive data,\r\nincluding army strategy and training documents, tactical documents, and other official letters. 
They also were able\r\nto steal personal data, such as passport scans and personal identification documents, text messages, and contact\r\ndetails.\r\nProtection against RATs\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 50 of 93\n\nWhile most general users needn’t worry about nation-state attacks, organizations wanting to protect against this\r\nthreat should consider using an endpoint protection system or endpoint detection and response with exploit\r\nblocking and real-time malware detection.\r\nShoring up vulnerabilities by keeping all software (including Microsoft Excel and Word) up-to-date shields\r\nagainst exploit attacks. In addition, training employees and users to avoid opening coronavirus resources from\r\nunvetted sources can protect against this and other social engineering attacks from threat actors.\r\nMalwarebytes users are protected against this attack. We block the malicious macro execution as well as its\r\npayload with our application behavior protection layer and real-time malware detection.\r\nIndicators of Compromise\r\nDecoy URLs\r\nemail.gov.in.maildrive[.]email/?att=1579160420\r\nemail.gov.in.maildrive[.]email/?att=1581914657\r\nDecoy documents\r\n876939aa0aa157aa2581b74ddfc4cf03893cede542ade22a2d9ac70e2fef1656\r\n20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a\r\nCrimson RAT\r\n0ee399769a6e6e6d444a819ff0ca564ae584760baba93eff766926b1effe0010 b67d764c981a298fa2bb14ca7faffc68ec30\r\nC2s\r\n107.175.64[.]209 64.188.25[.]205\r\nMITRE ATT\u0026CK\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 51 of 93\n\nhttps://attack.mitre.org/software/S0115/\r\nWe looked at the previous phishing campaigns related to this APT and can confirm this is a new phishing pattern\r\nfrom this group. 
The names used for directories and functions are likely Urdu names.\r\nThe malicious document has two hidden macros that drop a RAT variant called Crimson RAT. The malicious\r\nmacro (Figure 2) first creates two directories with the names “Edlacar” and “Uahaiws” and then checks the OS\r\ntype.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 52 of 93\n\nBased on the OS type, the macro picks either a 32bit or 64bit version of its RAT payload in zip format that is\r\nstored in one of the two textboxes in UserForm1 (Figure 3).\r\nThen it drops the zip payload into the Uahaiws directory and unzips its content using the “UnAldizip” function,\r\ndropping the RAT payload into the Edlacar directory. Finally, it calls the Shell function to execute the payload.\r\nCrimson RAT\r\nThe Crimson RAT has been written in .Net (Figure 4) and its capabilities include:\r\nStealing credentials from the victim’s browser\r\nListing running processes, drives, and directories on the victim’s machine\r\nRetrieving files from its C\u0026C server\r\nUsing custom TCP protocol for its C\u0026C communications\r\nCollecting information about antivirus software\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 53 of 93\n\nCapturing screenshots\r\nUpon running the payload, Crimson RAT connects to its hardcoded C\u0026C IP addresses and sends collected\r\ninformation about the victim back to the server, including a list of running processes and their IDs, the machine\r\nhostname, and its username (Figure 5).\r\nOngoing use of RATs\r\nAPT36 has used many different malware families in the past, but has mostly deployed RATs, such as BreachRAT,\r\nDarkComet, Luminosity RAT, and njRAT.\r\nIn past campaigns, they were able to compromise Indian military and government databases to steal sensitive data,\r\nincluding army strategy and training documents, 
tactical documents, and other official letters. They also were able\r\nto steal personal data, such as passport scans and personal identification documents, text messages, and contact\r\ndetails.\r\nProtection against RATs\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 54 of 93\n\nWhile most general users needn’t worry about nation-state attacks, organizations wanting to protect against this\r\nthreat should consider using an endpoint protection system or endpoint detection and response with exploit\r\nblocking and real-time malware detection.\r\nShoring up vulnerabilities by keeping all software (including Microsoft Excel and Word) up-to-date shields\r\nagainst exploit attacks. In addition, training employees and users to avoid opening coronavirus resources from\r\nunvetted sources can protect against this and other social engineering attacks from threat actors.\r\nMalwarebytes users are protected against this attack. We block the malicious macro execution as well as its\r\npayload with our application behavior protection layer and real-time malware detection.\r\nIndicators of Compromise\r\nDecoy URLs\r\nemail.gov.in.maildrive[.]email/?att=1579160420\r\nemail.gov.in.maildrive[.]email/?att=1581914657\r\nDecoy documents\r\n876939aa0aa157aa2581b74ddfc4cf03893cede542ade22a2d9ac70e2fef1656\r\n20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a\r\nCrimson RAT\r\n0ee399769a6e6e6d444a819ff0ca564ae584760baba93eff766926b1effe0010 b67d764c981a298fa2bb14ca7faffc68ec30\r\nC2s\r\n107.175.64[.]209 64.188.25[.]205\r\nMITRE ATT\u0026CK\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 55 of 93\n\nhttps://attack.mitre.org/software/S0115/\r\nSince the coronavirus became a worldwide health issue, the desire for more information and guidance from\r\ngovernment and health authorities has reached a fever pitch. 
This is a golden opportunity for threat actors to capitalize on fear, spread misinformation, and generate mass hysteria—all while compromising victims with scams or malware campaigns.\r\nProfiting from global health concerns, natural disasters, and other extreme weather events is nothing new for cybercriminals. Scams related to SARS, H1N1 (swine flu), and avian flu have circulated online for more than a decade. According to reports from ZDNet, many state-sponsored threat actors have already started to distribute coronavirus lures, including:\r\nChinese APTs: Vicious Panda, Mustang Panda\r\nNorth Korean APTs: Kimsuky\r\nRussian APTs: Hades group (believed to have ties with APT28), TA542 (Emotet)\r\nOther APTs: Sweed (Lokibot)\r\nRecently, the Red Drip team reported that APT36 was using a decoy health advisory document to spread a Remote Administration Tool (RAT).\r\nAPT36 is believed to be a Pakistani state-sponsored threat actor mainly targeting the defense sector, embassies, and the government of India. APT36 performs cyber-espionage operations with the intent of collecting sensitive information from India that supports Pakistani military and diplomatic interests. This group, active since 2016, is also known as Transparent Tribe, ProjectM, Mythic Leopard, and TEMP.Lapis.\r\nAPT36 spreads fake coronavirus health advisory\r\nAPT36 mainly relies on both spear phishing and watering hole attacks to gain its foothold on victims. The phishing email carries either a malicious macro document or an RTF file exploiting vulnerabilities such as CVE-2017-0199.\r\nIn the coronavirus-themed attack, APT36 used a spear phishing email with a link to a malicious document (Figure 1) masquerading as the government of India (email.gov.in.maildrive[.]email/?att=1579160420).\r\nWe looked at the previous phishing campaigns related to this APT and can confirm this is a new phishing pattern from this group. The names used for directories and functions are likely Urdu names.\r\nThe malicious document has two hidden macros that drop a RAT variant called Crimson RAT. The malicious macro (Figure 2) first creates two directories with the names “Edlacar” and “Uahaiws” and then checks the OS type.\r\nBased on the OS type, the macro picks either a 32-bit or 64-bit version of its RAT payload in zip format, which is stored in one of the two textboxes in UserForm1 (Figure 3).\r\nThen it drops the zip payload into the Uahaiws directory and unzips its content using the “UnAldizip” function, dropping the RAT payload into the Edlacar directory. Finally, it calls the Shell function to execute the payload.\r\nCrimson RAT\r\nThe Crimson RAT is written in .NET (Figure 4) and its capabilities include:\r\nStealing credentials from the victim’s browser\r\nListing running processes, drives, and directories on the victim’s machine\r\nRetrieving files from its C\u0026C server\r\nUsing a custom TCP protocol for its C\u0026C communications\r\nCollecting information about antivirus software\r\nCapturing screenshots\r\nUpon running the payload, Crimson RAT connects to its hardcoded C\u0026C IP addresses and sends collected information about the victim back to the server, including a list of running processes and their IDs, the machine hostname, and its username (Figure 5).\r\nOngoing use of RATs\r\nAPT36 has used many different malware families in the past, but has mostly deployed RATs, such as BreachRAT, DarkComet, Luminosity RAT, and njRAT.\r\nIn past campaigns, they were able to compromise Indian military and government databases to steal sensitive data, including army strategy and training documents, tactical documents, and other official letters. They were also able to steal personal data, such as passport scans and personal identification documents, text messages, and contact details.\r\nProtection against RATs\r\nWhile most general users needn’t worry about nation-state attacks, organizations wanting to protect against this threat should consider using an endpoint protection system or endpoint detection and response with exploit blocking and real-time malware detection.\r\nShoring up vulnerabilities by keeping all software (including Microsoft Excel and Word) up to date shields against exploit attacks. In addition, training employees and users to avoid opening coronavirus resources from unvetted sources can protect against this and other social engineering attacks from threat actors.\r\nMalwarebytes users are protected against this attack. We block the malicious macro execution as well as its payload with our application behavior protection layer and real-time malware detection.\r\nIndicators of Compromise\r\nDecoy URLs\r\nemail.gov.in.maildrive[.]email/?att=1579160420\r\nemail.gov.in.maildrive[.]email/?att=1581914657\r\nDecoy documents\r\n876939aa0aa157aa2581b74ddfc4cf03893cede542ade22a2d9ac70e2fef1656\r\n20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a\r\nCrimson RAT\r\n0ee399769a6e6e6d444a819ff0ca564ae584760baba93eff766926b1effe0010\r\nb67d764c981a298fa2bb14ca7faffc68ec30\r\nC2s\r\n107.175.64[.]209\r\n64.188.25[.]205\r\nMITRE ATT\u0026CK\r\nhttps://attack.mitre.org/software/S0115/\r\n
They also were able\r\nto steal personal data, such as passport scans and personal identification documents, text messages, and contact\r\ndetails.\r\nProtection against RATs\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 91 of 93\n\nWhile most general users needn’t worry about nation-state attacks, organizations wanting to protect against this\r\nthreat should consider using an endpoint protection system or endpoint detection and response with exploit\r\nblocking and real-time malware detection.\r\nShoring up vulnerabilities by keeping all software (including Microsoft Excel and Word) up-to-date shields\r\nagainst exploit attacks. In addition, training employees and users to avoid opening coronavirus resources from\r\nunvetted sources can protect against this and other social engineering attacks from threat actors.\r\nMalwarebytes users are protected against this attack. We block the malicious macro execution as well as its\r\npayload with our application behavior protection layer and real-time malware detection.\r\nIndicators of Compromise\r\nDecoy URLs\r\nemail.gov.in.maildrive[.]email/?att=1579160420\r\nemail.gov.in.maildrive[.]email/?att=1581914657\r\nDecoy documents\r\n876939aa0aa157aa2581b74ddfc4cf03893cede542ade22a2d9ac70e2fef1656\r\n20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a\r\nCrimson RAT\r\n0ee399769a6e6e6d444a819ff0ca564ae584760baba93eff766926b1effe0010 b67d764c981a298fa2bb14ca7faffc68ec30\r\nC2s\r\n107.175.64[.]209 64.188.25[.]205\r\nMITRE ATT\u0026CK\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 92 of 93\n\nhttps://attack.mitre.org/software/S0115/\r\nCategories\r\nRelated articles\r\nSource: 
https://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/\r\nPage 93 of 93",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/"
	],
	"report_names": [
		"apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fe3d8dee-3bee-42e6-8f16-b6628b6189ae",
			"created_at": "2023-01-06T13:46:39.039285Z",
			"updated_at": "2026-04-10T02:00:03.193589Z",
			"deleted_at": null,
			"main_name": "SWEED",
			"aliases": [],
			"source_name": "MISPGALAXY:SWEED",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f5c5d5d4-3969-4e34-9982-55144c3908eb",
			"created_at": "2022-10-25T16:07:24.37846Z",
			"updated_at": "2026-04-10T02:00:04.965506Z",
			"deleted_at": null,
			"main_name": "Vicious Panda",
			"aliases": [
				"Bronze Dudley"
			],
			"source_name": "ETDA:Vicious Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"BBSRAT",
				"Byeby",
				"Cmstar",
				"Enfal",
				"Lurid",
				"Pylot",
				"RoyalRoad",
				"Travle",
				"meciv"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f2c53785-fb8b-460d-ba73-7fbfba36f0f5",
			"created_at": "2022-10-25T16:07:24.247949Z",
			"updated_at": "2026-04-10T02:00:04.911034Z",
			"deleted_at": null,
			"main_name": "Sweed",
			"aliases": [],
			"source_name": "ETDA:Sweed",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"ForeIT",
				"Formbook",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"Negasteal",
				"Origin Logger",
				"RDP",
				"Remote Desktop Protocol",
				"ZPAQ",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e79c98d-c678-4f28-b869-5723a78e71f4",
			"created_at": "2023-01-06T13:46:39.422441Z",
			"updated_at": "2026-04-10T02:00:03.322083Z",
			"deleted_at": null,
			"main_name": "Vicious Panda",
			"aliases": [
				"SixLittleMonkeys"
			],
			"source_name": "MISPGALAXY:Vicious Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434192,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d746f8042d226356162af400966cdf25d4832ec7.pdf",
		"text": "https://archive.orkl.eu/d746f8042d226356162af400966cdf25d4832ec7.txt",
		"img": "https://archive.orkl.eu/d746f8042d226356162af400966cdf25d4832ec7.jpg"
	}
}