{
	"id": "21b7e3ae-f7ec-4058-9925-4ba240c47c0e",
	"created_at": "2026-04-06T00:08:36.856967Z",
	"updated_at": "2026-04-10T03:32:49.854638Z",
	"deleted_at": null,
	"sha1_hash": "d9289eba2b070f6f1cc1f289df9e83eda46e80da",
	"title": "Full Disclosure of Havex Trojans",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 305757,
	"plain_text": "Full Disclosure of Havex Trojans\r\nBy Erik Hjelmvik\r\nPublished: 2014-10-27 · Archived: 2026-04-05 15:08:43 UTC\r\nMonday, 27 October 2014 11:11:00 (UTC/GMT)\r\nI did a talk on \"SCADA Network Forensics\" at the 4SICS conference last week, where I disclosed the results from\r\nmy analysis of the Havex RAT/backdoor.\r\nThe Havex backdoor is developed and used by a hacker group called Dragonfly, also known as \"Energetic\r\nBear\" and \"Crouching Yeti\". Dragonfly is an APT group that has been reported to specifically target\r\norganizations in the energy sector as well as companies in other ICS sectors such as industrial/machinery,\r\nmanufacturing and pharmaceutical.\r\nIn my 4SICS talk I disclosed a previously unpublished comprehensive view of ICS software that has been\r\ntrojanized with the Havex backdoor, complete with screenshots, version numbers and checksums.\r\nDale Peterson, founder of Digital Bond, expressed the following request regarding the lack of public information\r\nabout the software trojanized with Havex:\r\nIf the names of the vendors that unwittingly spread Havex were made public, the wide coverage would\r\nlikely reach most of the affected asset owners.\r\nFollowing Dale's request we decided to publish the information presented at 4SICS also in this blog post, in order\r\nto reach as many affected asset owners as possible. The information published here is based on our own sandbox\r\nexecutions of Havex malware samples, which we have obtained via CodeAndSec and malwr.com. 
In addition to\r\nwhat I presented at 4SICS, this blog post also includes new findings published by Joel \"scadahacker\" Langill in\r\nversion 2.0 of his Dragonfly white paper, which was released just a couple of hours after my talk.\r\nIn Symantec's blog post about Havex they write:\r\nThree different ICS equipment providers were targeted and malware was inserted into the software\r\nbundles\r\nTrojanized MESA Imaging driver\r\nThe first vendor known to have had its software trojanized by the Dragonfly group was the Swiss company MESA\r\nImaging, which manufactures industrial-grade cameras for range measurements.\r\nhttp://www.netresec.com/?page=Blog\u0026month=2014-10\u0026post=Full-Disclosure-of-Havex-Trojans\r\nPage 1 of 8\n\nImage: Screenshot of trojanized MESA Imaging driver installer from our sandbox execution\r\nCompany: MESA Imaging\r\nProduct: Swiss Ranger version 1.0.14.706 (libMesaSR)\r\nFilename: SwissrangerSetup1.0.14.706.exe\r\nExposure: Six weeks in June and July 2013 (source: Symantec)\r\nBackdoor: Sysmain RAT\r\nMD5: e027d4395d9ac9cc980d6a91122d2d83\r\nSHA256: 398a69b8be2ea2b4a6ed23a55459e0469f657e6c7703871f63da63fb04cefe90\r\neWON / Talk2M\r\nThe second vendor to have its software trojanized was the Belgian company eWON, which provides a remote\r\nmaintenance service for industrial control systems called “Talk2M”.\r\neWON published an incident report in January 2014 and then a follow-up report in July 2014 saying:\r\nBack in January 2014, the eWON commercial web site www.ewon.biz had been compromised. A\r\ncorrupted eCatcherSetup.exe file had been uploaded into the CMS (Content Management System) of\r\nwww.ewon.biz web site. eCatcher download hyperlinks were rerouted to this corrupted file. 
The\r\ncorrupted eCatcherSetup.exe contained malware which could, under restricted conditions,\r\ncompromise the Talk2M login of the infected user.\r\nImage: Screenshot of trojanized Talk2M eCatcher installer from our sandbox execution\r\nCompany: eWON\r\nProduct: Talk2M eCatcher version 4.0.0.13073\r\nFilename: eCatcherSetup.exe\r\nExposure: Ten days in January 2014, 250 copies downloaded (source: Symantec)\r\nBackdoor: Havex 038\r\nMD5: eb0dacdc8b346f44c8c370408bad4306\r\nSHA256: 70103c1078d6eb28b665a89ad0b3d11c1cbca61a05a18f87f6a16c79b501dfa9\r\nPrior to version 2.0 of Joel's Dragonfly report, eCatcher was the only product from eWON known to be infected\r\nwith the Havex backdoor. However, Joel's report also listed a product called “eGrabIt”, for which we managed to\r\nobtain a malware sample via malwr.com.\r\nImage: Screenshot of trojanized eGrabIt installer from our sandbox execution\r\nCompany: eWON\r\nProduct: eGrabIt 3.0.0.82 (version 3.0 Build 82)\r\nFilename: egrabitsetup.exe\r\nExposure: unknown\r\nBackdoor: Havex RAT 038\r\nMD5: 1080e27b83c37dfeaa0daaa619bdf478\r\nSHA256: 0007ccdddb12491e14c64317f314c15e0628c666b619b10aed199eefcfe09705\r\nMB Connect Line\r\nThe most recent company known to have had its software infected with the Havex backdoor was the German\r\ncompany MB Connect Line GmbH, known for its industrial router mbNET and VPN service\r\nmbCONNECT24.\r\nMB Connect Line published a report about the Dragonfly intrusion in September 2014, where they write:\r\nOn 16th of April 2014 our website www.mbconnectline.com has been attacked by hackers. 
The files\r\nmbCHECK (Europe), VCOM_LAN2 and mbCONFTOOL have been replaced with infected files.\r\nThese files were available from 16th of April 2014 to 23rd of April 2014 for download from our\r\nwebsite. All of these files were infected with the known Trojan Virus Havex Rat.\r\nImage: Screenshot of trojanized mbCONFTOOL installer from our sandbox execution\r\nCompany: MB Connect Line GmbH\r\nProduct: mbCONFTOOL V 1.0.1\r\nFilename: setup_1.0.1.exe\r\nExposure: April 16 to April 23, 2014 (source: MB Connect Line)\r\nBackdoor: Havex RAT 043\r\nMD5: 0a9ae7fdcd9a9fe0d8c5c106e8940701\r\nSHA256: c32277fba70c82b237a86e9b542eb11b2b49e4995817b7c2da3ef67f6a971d4a\r\nImage: Screenshot of trojanized mbCHECK application from our sandbox execution\r\nCompany: MB Connect Line GmbH\r\nProduct: mbCHECK (EUROPE) V 1.1.1\r\nFilename: mbCHECK.exe\r\nExposure: April 16 to April 23, 2014 (source: MB Connect Line)\r\nBackdoor: Havex RAT 043\r\nMD5: 1d6b11f85debdda27e873662e721289e\r\nSHA256: 0b74282d9c03affb25bbecf28d5155c582e246f0ce21be27b75504f1779707f5\r\nNote that only the mbCHECK version for users in Europe was trojanized; there has been no report of the USA/CAN\r\nversion of mbCHECK being infected with Havex.\r\nWe have not been able to get hold of a malware sample for the trojanized version of VCOM_LAN2. 
The\r\nscreenshot below is therefore from a clean version of this software.\r\nImage: Screenshot of VCOM_LAN2 installer\r\nCompany: MB Connect Line GmbH\r\nProduct: VCOM_LAN2\r\nFilename: setupvcom_lan2.exe\r\nExposure: April 16 to April 23, 2014 (source: MB Connect Line)\r\nBackdoor: unknown\r\nMD5: unknown\r\nSHA256: unknown\r\nConclusions on Havex Trojans\r\nThe vendors whose software was trojanized by Dragonfly are all European ICS companies\r\n(Switzerland, Belgium and Germany). Additionally, only the mbCHECK version for users in Europe was infected\r\nwith Havex, but not the one for US / Canada. These facts indicate that the Dragonfly / Energetic Bear threat actor\r\nappears to primarily target ICS companies in Europe.\r\nNext: Detecting Havex with NSM\r\nRead our follow-up blog post Observing the Havex RAT, which shows how to detect and analyze network traffic\r\nfrom ICS networks infected with Havex.\r\nPosted by Erik Hjelmvik on Monday, 27 October 2014 11:11:00 (UTC/GMT)\r\nTags: #Havex #ICS #SCADA #Trojan #4SICS\r\nSource: http://www.netresec.com/?page=Blog\u0026month=2014-10\u0026post=Full-Disclosure-of-Havex-Trojans",
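	"editor_example": "The post lists an MD5 and a SHA256 for each trojanized installer, and the VCOM_LAN2 entry shows why the filename alone is useless: the clean and the trojanized installer are both called setupvcom_lan2.exe, so only a hash tells them apart. The Python script below is an added example written for this corpus entry; it is not code from the original post or from Netresec. It parses Company/Filename/MD5/SHA256 blocks in the layout the post uses, hashes every file under a directory once for both digests, and reports files whose digest matches a listed sample. The digests in HAVEX_IOCS are the ones printed in the post; the sample file and the extra CONSTRUCTED entry that demo() builds are constructed for the demonstration and match nothing real.

```python
import hashlib
import os
import tempfile

# Indicator blocks copied from the post, in the post's own Key: value layout.
# VCOM_LAN2 is listed with unknown hashes, exactly as in the post.
HAVEX_IOCS = '''
Company: MESA Imaging
Filename: SwissrangerSetup1.0.14.706.exe
MD5: e027d4395d9ac9cc980d6a91122d2d83
SHA256: 398a69b8be2ea2b4a6ed23a55459e0469f657e6c7703871f63da63fb04cefe90

Company: eWON
Filename: eCatcherSetup.exe
MD5: eb0dacdc8b346f44c8c370408bad4306
SHA256: 70103c1078d6eb28b665a89ad0b3d11c1cbca61a05a18f87f6a16c79b501dfa9

Company: eWON
Filename: egrabitsetup.exe
MD5: 1080e27b83c37dfeaa0daaa619bdf478
SHA256: 0007ccdddb12491e14c64317f314c15e0628c666b619b10aed199eefcfe09705

Company: MB Connect Line GmbH
Filename: setup_1.0.1.exe
MD5: 0a9ae7fdcd9a9fe0d8c5c106e8940701
SHA256: c32277fba70c82b237a86e9b542eb11b2b49e4995817b7c2da3ef67f6a971d4a

Company: MB Connect Line GmbH
Filename: mbCHECK.exe
MD5: 1d6b11f85debdda27e873662e721289e
SHA256: 0b74282d9c03affb25bbecf28d5155c582e246f0ce21be27b75504f1779707f5

Company: MB Connect Line GmbH
Filename: setupvcom_lan2.exe
MD5: unknown
SHA256: unknown
'''
HEX = set('0123456789abcdef')

def is_hex(value, length):
    return len(value) == length and set(value.lower()) <= HEX

def parse_ioc_listing(text):
    '''Parse blank-line separated Key: value blocks; keep only entries with a
    real MD5 and SHA256, since a filename cannot tell clean from trojanized.'''
    entries, current = [], {}
    for line in text.splitlines() + ['']:
        key, sep, value = line.strip().partition(': ')
        if sep:
            current[key.lower()] = value.strip()
        elif not key and current:
            entries.append(current)
            current = {}
    return [e for e in entries if is_hex(e.get('md5', ''), 32) and is_hex(e.get('sha256', ''), 64)]

def hash_bytes(data):
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()

def hash_file(path, chunk_size=1 << 20):
    '''Stream the file once, feeding both digests, so big installers are read once.'''
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b''):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def match_hashes(md5, sha256, iocs):
    '''Entries whose SHA256 or MD5 equals the given digests (case-insensitive).
    MD5 collisions are practical, so treat an MD5-only hit as a lead, not proof.'''
    md5, sha256 = md5.lower(), sha256.lower()
    return [e for e in iocs if e['sha256'].lower() == sha256 or e['md5'].lower() == md5]

def scan_directory(root, iocs):
    '''Hash every file under root and return (path, entry) for each match.'''
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                md5, sha256 = hash_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            hits.extend((path, e) for e in match_hashes(md5, sha256, iocs))
    return hits

def demo():
    '''Constructed run: a fake installer plus a fake IOC entry built from its
    hashes, so the match path is exercised without any real Havex sample.'''
    sample = b'CONSTRUCTED fake installer bytes, not a real Havex sample'
    md5, sha256 = hash_bytes(sample)
    fake = {'company': 'CONSTRUCTED', 'filename': 'setupvcom_lan2.exe', 'md5': md5, 'sha256': sha256}
    iocs = parse_ioc_listing(HAVEX_IOCS) + [fake]
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, 'setupvcom_lan2.exe'), 'wb') as fh:
            fh.write(sample)
        with open(os.path.join(root, 'readme.txt'), 'wb') as fh:
            fh.write(b'benign file that must not match')
        hits = scan_directory(root, iocs)
    return [(os.path.basename(p), e['company']) for p, e in hits]

if __name__ == '__main__':
    for filename, company in demo():
        print(filename, 'matches a listed sample from', company)
```

To use it on a real download folder, call scan_directory with that path and parse_ioc_listing(HAVEX_IOCS); the parser drops the VCOM_LAN2 block because its digests are unknown, which is also why that installer cannot be confirmed clean by this method.",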
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"http://www.netresec.com/?page=Blog\u0026month=2014-10\u0026post=Full-Disclosure-of-Havex-Trojans"
	],
	"report_names": [
		"?page=Blog\u0026month=2014-10\u0026post=Full-Disclosure-of-Havex-Trojans"
	],
	"threat_actors": [
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434116,
	"ts_updated_at": 1775791969,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d9289eba2b070f6f1cc1f289df9e83eda46e80da.pdf",
		"text": "https://archive.orkl.eu/d9289eba2b070f6f1cc1f289df9e83eda46e80da.txt",
		"img": "https://archive.orkl.eu/d9289eba2b070f6f1cc1f289df9e83eda46e80da.jpg"
	}
}