{
	"id": "b43565a4-a979-439a-9b9e-7d916e164b49",
	"created_at": "2026-04-06T00:19:07.691456Z",
	"updated_at": "2026-04-10T13:12:01.600732Z",
	"deleted_at": null,
	"sha1_hash": "d8c67aa392aae1b1569afd51362dee28500638b8",
	"title": "Threat Actor Targeting Hong Kong Pro-Democracy Figures – Red Alert",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1686171,
	"plain_text": "Threat Actor Targeting Hong Kong Pro-Democracy Figures – Red Alert\r\nArchived: 2026-04-05 22:57:31 UTC\r\nAt the end of October, a person deeply involved in the pro-democracy side of the Hong Kong protests received a spear phishing email from someone claiming to be a law student at a top foreign university, requesting feedback on his supposed thesis, which included recommendations on how to end the Hong Kong unrest. The email contained a link to a ZIP file hosted on Google Drive.\r\nThe contents of FYI.zip downloaded from the Google Drive link\r\nThe ZIP archive contained three files: an August 2019 policy brief downloaded from Freedom House on the democratic crisis in Hong Kong, a September 2019 Hong Kong report downloaded from Human Rights First, and a supposed RTF file from the Nikkei Asian Review.\r\nhttps://threatrecon.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists/\r\nPage 1 of 10\n\nThe third file, masquerading as a Nikkei Asian Review document, is actually an LNK shortcut file with a double extension. When LNK files are viewed through archiving software, the double extension “.rtf.lnk” is shown correctly. If the file is extracted and viewed in Windows Explorer, however, the operating system hides the .lnk extension by default.\r\nAnalysis of the LNK file shows that running it will execute msiexec.exe to download and run a remote MSI file\r\nThe LNK file is actually a shortcut to the Windows utility msiexec.exe, which can be used as a LOLBin to download and run remote MSI files, even ones given a PNG extension. In this case, the MSI file is downloaded from a GitHub repository and account created on October 10.\r\nA snapshot of the GitHub repository on October 29\r\nThe MSI file, “siHost64.png”, was created using a registered or cracked EXEMSI program. Running it drops and runs “siHost64.exe” in the %APPDATA% folder. This executable is a PyInstaller executable with over a thousand files inside it, but the important one is the compiled Python script “siHost64”.\r\nUnpacking the PyInstaller executable shows the real files, some of which cannot be seen when performing dynamic analysis\r\nBy restoring the first eight bytes missing from “siHost64”, as is typically required for such PyInstaller files, we were able to decompile the compiled Python script and analyze the functionality of this malware:\r\nUse the Python requests library to call the Dropbox API, connecting to Dropbox and using it as an HTTPS C2 server\r\nUse the system proxy for communications, if one is configured\r\nAdd itself to the registry AutoRun location HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run with the registry value name “siHost64”. On October 31, the new version of the malware changed the registry name used to “Dropbox Update Setup”.\r\nPerform AES encryption in CBC mode on uploaded files with the key “ApmcJue1570368JnxBdGetr*^#ajLsOw” and a random salt\r\nCheck in to the C2 server by creating an encrypted file containing the operating system version and architecture, date, computer name, and logged-in user\r\nCheck for files from the C2 server containing encrypted arbitrary commands to be run, execute each command, and create a new encrypted file containing the results of the executed command\r\nExample of the malware using the Dropbox API to check in\r\nBased on the check-in information from infected machines, it appears that, besides the target described at the start, there is a single other infected Hong Kong victim of interest to this threat actor connecting to the Dropbox app. The files exfiltrated from this victim appeared to be personal documents related to the victim traveling to the United States, business forms, and Christian hymns.\r\nBesides those exfiltrated documents, the C2 server also appeared to host the actor's next-stage malware, such as two files named “GetCurrentRollback.exe” and “GetCurrentDeploy.dll”. “GetCurrentRollback.exe” is a signed Microsoft executable which seems to be for upgrading a previous Windows operating system version to Windows 10, and “GetCurrentDeploy.dll” is likely the name of the DLL that it side-loads. The earliest version of “GetCurrentRollback.exe” we could find dates from 2016 and the latest from November 2019, which at first glance means all versions might be exploitable by DLL side-loading.\r\nA version of GetCurrentRollback.exe signed on November 13, 2019 is still vulnerable to DLL side-loading\r\nBased on the victim profile and the exfiltrated files, it appears one of the intelligence requirements of the threat actor is to monitor people with relations to the Hong Kong protests, targeting either them or the people around them. There are multiple possible reasons for this requirement, the most likely being to understand the inner thinking of the pro-democracy movement, or to support or undermine the movement behind the scenes.\r\nUsing Dropbox and other legitimate services such as Google Drive and GitHub throughout the attack life cycle is not a new concept for threat actors; it allows them to easily bypass network detection. To counter this threat, enterprises or teams within enterprises nowadays block or detect such shadow IT services if they are not in official use, but individual or non-enterprise users who may be targeted by state-sponsored threat actors rarely have this luxury.\r\nThe full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact service@nshc.net.\r\nThe following is a list of MITRE ATT\u0026CK techniques we have observed based on our analysis of these and other related malware.\r\nInitial Access\r\nT1192 Spearphishing Link\r\nExecution\r\nT1204 User Execution\r\nT1218 Signed Binary Proxy Execution\r\nT1064 Scripting\r\nPersistence\r\nT1060 Registry Run Keys / Startup Folder\r\nDefense Evasion\r\nT1140 Deobfuscate/Decode Files or Information\r\nT1036 Masquerading\r\nT1112 Modify Registry\r\nT1027 Obfuscated Files or Information\r\nT1218 Signed Binary Proxy Execution\r\nT1102 Web Service\r\nDiscovery\r\nT1083 File and Directory Discovery\r\nT1082 System Information Discovery\r\nT1033 System Owner/User Discovery\r\nT1124 System Time Discovery\r\nCollection\r\nT1005 Data from Local System\r\nCommand and Control\r\nT1043 Commonly Used Port\r\nT1132 Data Encoding\r\nT1071 Standard Application Layer Protocol\r\nT1032 Standard Cryptographic Protocol\r\nT1102 Web Service\r\nExfiltration\r\nT1022 Data Encrypted\r\nT1041 Exfiltration Over Command and Control Channel\r\nSource: https://threatrecon.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatrecon.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists/"
	],
	"report_names": [
		"threat-actor-targeting-hong-kong-activists"
	],
	"threat_actors": [],
	"ts_created_at": 1775434747,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8c67aa392aae1b1569afd51362dee28500638b8.pdf",
		"text": "https://archive.orkl.eu/d8c67aa392aae1b1569afd51362dee28500638b8.txt",
		"img": "https://archive.orkl.eu/d8c67aa392aae1b1569afd51362dee28500638b8.jpg"
	}
}