{
	"id": "13b4becf-1e48-4500-aa5f-960338296859",
	"created_at": "2026-04-06T00:06:17.386313Z",
	"updated_at": "2026-04-10T03:37:54.50919Z",
	"deleted_at": null,
	"sha1_hash": "d80f86c66aa249e18316d38215c3a92671ebcc15",
	"title": "The Evolution of APT15’s Codebase 2020",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 408115,
	"plain_text": "The Evolution of APT15’s Codebase 2020\r\nBy Paul Litvak\r\nPublished: 2020-05-21 · Archived: 2026-04-05 13:12:21 UTC\r\nThe Ke3chang group, also known as APT15, is an alleged Chinese government-backed cluster of teams known to target various high-profile entities spanning multiple continents. Examples include attacks on European ministries, Indian embassies, and British military contractors. The group’s activities have been traced back to 2010 and it is known to boast a large number of custom tools, most often tailored to their specific target.\r\nIn mid-May, we identified three recently uploaded samples from VirusTotal that share code with older APT15 implants. We named this new family of samples “Ketrum”, due to the merger of features from the documented backdoor families “Ketrican” and “Okrum”.\r\nWe believe the operation was conducted very recently. Below we present a technical analysis of these samples and explain the evolution of APT15’s codebase over the last year.\r\nOVERVIEW\r\nThe three samples we discovered seem to be a mix of the Ketrican and Okrum backdoors documented by researchers at ESET in 2019. Features have been merged from these two malware families to create a different RAT class for the group. We’ve decided to call this umbrella of malware “Ketrum.”\r\nThe new samples we found continue the Ke3chang group’s strategy of using a basic backdoor to gain control over the victim’s device, so that an operator can then connect to it and run commands manually to conduct further operations.\r\nBefore beginning our technical analysis, we were able to connect these binaries to Ke3chang using Intezer Analyze:\r\nGenetic Analysis\r\nAll three samples contacted the same C2 server and appear to have been used in two different time periods, judging by the PE timestamps and VirusTotal upload dates:\r\nhttps://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/\r\nPage 1 of 6\r\nSHA256 | Name | VirusTotal Date | PE Timestamp | C2 | Family\r\na142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b | RavAudio64.exe | 2019-12-03 | 7 Jan 2010 | menu.thehuguardian[.]com | Ketrum1\r\n271384a078f2a2f58e14d7703febae8a28c6e2d7ddb00a3c8d3eead4ea87a0c0 | – | 2020-05-16 | 13 May 2020 | www.thehuguardian[.]com | Ketrum2\r\naacaf0d4729dd6fda2e452be763d209f92d107ecf24d8a341947c545de9b7311 | – | 2020-05-17 | 13 May 2020 | www.thehuguardian[.]com | Ketrum2\r\nTable 1\r\nThe C2 was registered towards the end of 2019, which makes us believe the first PE timestamp was tampered with, and that the latter two timestamps are at least close to the real compilation date.\r\nIt’s also important to note the C2 was registered in China and ceased operating in mid-May.\r\nTHE BEST OF TWO WORLDS\r\nWe documented several interesting differences between the backdoors:\r\nFeature | Ketrican | Okrum | Ketrum1 | Ketrum2\r\nIdentify installed proxy servers and use them for HTTP requests | ❌ | ✅ | ✅ | ✅\r\nSpecial folder retrieval using registry key [HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders] | ✅ | ❌ | ✅ | ✅\r\nThe response from the server is an HTTP page with backdoor commands and arguments included in the HTML fields | ✅ | ❌ | ❌ | ✅\r\nBackdoor commands are determined by a hash value received from the C2 | ❌ | ✅ | ❌ | ❌\r\nCommunication with the C&C server is hidden in the Cookie and Set-Cookie headers of HTTP requests | ❌ | ✅ | ✅ | ❌\r\nImpersonate a logged-in user’s security context | ❌ | ✅ | ✅ | ❌\r\nCreate a copy of cmd.exe in the working directory and use it to interpret backdoor commands | ✅ | ❌ | ✅ | ❌\r\nUsual Ke3chang backdoor functionalities – download, upload, execute files/shell commands and configure sleep time | ✅ | ✅ | ✅ | ✅\r\nScreenshot-grabbing functionality | ❌ | ❌ | ✅ | ❌\r\nTable 2\r\nKETRUM 1\r\nThe Ketrum 1 sample was uploaded to VirusTotal in December 2019. This version registers itself as a “WMI Provider Host” service if it is able to obtain SeDebugPrivilege; otherwise it creates an entry in the startup directory.\r\nThis sample incorporates many features from Okrum, as can be seen in the table above; however, it abandons more advanced Okrum features such as offering reflective injection via an export and the use of hashes to receive command IDs.\r\nIn the past, APT15 has used the IWebBrowser2 COM interface to manage its network communications. This time, the Ketrum developer abandoned this technique and used simple HTTP APIs:\r\nInterestingly, this sample also incorporates a screenshot-grabbing command.\r\nKETRUM 2\r\nKetrum 2 seems to have been built for minimalism. As can be seen in Table 2, many functionalities have been dropped.\r\nUnlike the Ketrican variant, Ketrum implants no longer try to weaken the system’s security configuration. In previous implants, PowerShell was used to this end. Interestingly, a string still remains in Ketrum 2 which refers to this deleted feature, perhaps an unintentional left-over from copy-pasting:\r\nSeveral other interesting unused file names are included in the binary, such as “%sadult.sft” and “%sMessage”.\r\nThe malware first collects basic system information to track the infected endpoint and then sends it to the C2 server together with a hash of the system info:\r\nAll incoming and outgoing payloads are fed through RC4 encryption and base64 encoding. The RC4 encryption uses an unusual key:\r\nThese are actually constants used in the MD5 and SHA1 algorithms. The Ketrum developer most likely intended to confuse researchers reversing this function.\r\nA command is then extracted from the HTML in the response:\r\nThis backdoor only supports a limited number of commands, which is typical of Okrum and Ketrican backdoors. Unlike Ketrum 1, Ketrum 2 does not support screenshot grabbing. This is the list of possible backdoor commands:\r\nCommand ID | Description\r\n1 | Adjust sleep time\r\n2 | Execute a shell command\r\n3 | Upload a file\r\n4 | Download a file\r\n5 | Execute a file\r\n7 (there is no 6) | Execute a shell command with adjusted sleep time\r\n8 | Adjust execute-shell sleep time\r\n9 | Download “Notice” file to working directory – it is unclear how this is used\r\nTable 3\r\nCODE REUSE\r\nBoth Ketrum samples share a similar layout with previous Ke3chang tools, apart from the low-level implementation and use of system APIs. Even between the two Ketrum samples, there are differences in the low-level APIs used to achieve the same functionality. For example, the file upload feature is implemented using different APIs throughout the families, mostly using a constant value of 0x20000 when reading files:\r\nFigure: file upload implementations in Ketrum 1, Ketrum 2, Ketrican 2018 and Okrum\r\nAs reported by FireEye and ESET, it’s likely the Ke3chang cluster of malware is developed by multiple teams and that the developers of Ketrican/Okrum belong to a different, albeit related, team than the developers of Ketrum. This could explain the high-level and flow similarities as well as the low-level differences.\r\nCONCLUSION\r\nKe3chang’s numerous tools such as Okrum, Ketrican, TidePool, Mirage, Ketrum, and others all serve the same purpose, give or take a few techniques or functionalities tailored for specific targets. We can regard these tools under the same umbrella of BS2005 malware, distributed as different versions per operation. However, the distinction created by naming them differently is useful for tracking the group’s operations and different development cycles.\r\nThe Ke3chang group’s tools have not deviated much from the tools reported in FireEye’s first Ke3chang report. The group continues to morph its code and switch basic functionalities in its various backdoors. This strategy has been working for the group for years and there is no indication yet that it will deviate from this modus operandi.\r\nThe information security field has seen many improvements since the group’s inception; surprisingly, this is not reflected in the group’s persistent use of the same old TTPs in its tools.\r\nIOCs\r\n271384a078f2a2f58e14d7703febae8a28c6e2d7ddb00a3c8d3eead4ea87a0c0\r\naacaf0d4729dd6fda2e452be763d209f92d107ecf24d8a341947c545de9b7311\r\na142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\r\nthehuguardian[.]com\r\n45.56.84[.]25\r\nSource: https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/"
	],
	"report_names": [
		"the-evolution-of-apt15s-codebase-2020"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433977,
	"ts_updated_at": 1775792274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d80f86c66aa249e18316d38215c3a92671ebcc15.pdf",
		"text": "https://archive.orkl.eu/d80f86c66aa249e18316d38215c3a92671ebcc15.txt",
		"img": "https://archive.orkl.eu/d80f86c66aa249e18316d38215c3a92671ebcc15.jpg"
	}
}