{
	"id": "244c2a4a-e66c-4399-8d8c-fd2c8572c3d4",
	"created_at": "2026-04-06T00:17:45.43132Z",
	"updated_at": "2026-04-10T13:11:46.700544Z",
	"deleted_at": null,
	"sha1_hash": "d9868cea48675bc539618753e8d6292ab75d65e9",
	"title": "New version of chinoxy backdoor using COVID19 alerts document lure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 739515,
	"plain_text": "New version of chinoxy backdoor using COVID19 alerts document\r\nlure\r\nBy Sebdraven\r\nPublished: 2020-03-20 · Archived: 2026-04-05 16:20:22 UTC\r\nLast year I’ve analyzed a chinoxy backdoor dropped by an royal road RTF targeting Vietnam.\r\nhttps://medium.com/@Sebdraven/winnti-uses-the-rtf-exploit-8-t-too-targets-vietnam-13300d432272\r\nThe 17 march 2019, a campaign using royal road RTF targetted the Kirghistan with a lure document COVID19\r\nabout financial consideration of the world Bank.\r\n5 years of Chinoxy implemention\r\nThis backdoor is very similar with it used for the Vietnam.\r\nWe have the same protocole HTTPs custom.\r\nPress enter or click to view image in full size\r\nThe state machine of the backoors are similare.\r\nhttps://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746\r\nPage 1 of 6\n\nPress enter or click to view image in full size\r\nBut in the new version, we found a functionality coming for the 2014 version.\r\nA keylogger is implemented\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746\r\nPage 2 of 6\n\nThe big difference with another versions, the configuration of the backdoor is in the resource named “NNKK”.\r\nThe malware reads the resource (Fun_10005c50) and decode the configuration. (FUN_10005bf0)\r\npHVar1 =FindResourceW(param_2,u_NNKK_100159fc,u_TYPELIB_1001a290);\r\nif (pHVar1 != (HRSRC)0x0) {\r\nhModule = LoadLibraryW(u_kernel32.dll_10019720);\r\nlocal_b = 0x65;\r\nlocal_5 = 0x65;\r\nlocal_10 = ‘L’;\r\nlocal_f = 0x6f;\r\nlocal_e = 0x61;\r\nlocal_d = 100;\r\nlocal_c = 0x52;\r\nlocal_a = 0x73;\r\nlocal_9 = 0x6f;\r\nlocal_8 = 0x75;\r\nlocal_7 = 0x72;\r\nlocal_6 = 99;\r\nlocal_4 = (undefined4 *)((uint)local_4 \u0026 0xffffff00);\r\npFVar2 = GetProcAddress(hModule,\u0026local_10);\r\nhResData = (HGLOBAL)(*pFVar2)(param_2,pHVar1);\r\nFreeLibrary(hModule);\r\nif (hResData != (HGLOBAL)0x0) {\r\npuVar4 = (undefined4 *)LockResource(hResData);\r\niVar3 = 0x4c0;\r\npuVar5 = local_4;\r\nwhile (iVar3 != 0) {\r\niVar3 = iVar3 + -1;\r\n*puVar5 = *puVar4;\r\npuVar4 = puVar4 + 1;\r\npuVar5 = puVar5 + 1;\r\n}\r\ndecode_resource((int)local_4,0x1300);\r\nIn decode_resource the algorithm is very simple:\r\nIn the DATA section there are two keys to decode the configuration:“ 22135987565” and “36969856569”\r\nDAT_1001a278 XREF[1]: decode_ressource:10005c14(R)\r\n1001a278 32 undefined1 32h\r\ns_2135987565_1001a279 XREF[1]: decode_ressource:10005c14(R)\r\n1001a279 32 31 33 ds “2135987565”\r\nhttps://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746\r\nPage 3 of 6\n\n35 39 38\r\n37 35 36\r\nDAT_1001a284 XREF[1]: decode_ressource:10005c0e(R)\r\n1001a284 33 undefined1 33h\r\ns_6969856569_1001a285 XREF[1]: decode_ressource:10005c0e(R)\r\n1001a285 36 39 36 ds “6969856569”\r\n39 38 35\r\n36 35 36\r\nEach bytes of this keys are xored, a mask is applied with \u0026 0x27 and there is a new xor with DAT_1001a284\r\nThis result is xored with each byte of the resource NNK.\r\n(byte *)(uVar1 + param_1) =\r\n*(byte *)(uVar1 + param_1) ^\r\n((\u0026DAT_1001a278)[uVar3] ^ (\u0026DAT_1001a284)[uVar2]) \u0026 0x27 ^ (\u0026DAT_1001a284)[uVar2];\r\nthe result is the config of the c2 in base64\r\nPress enter or click to view image in full size\r\nThe backdoor check it if the configuration is not stored in the registry in function FUN_10010e10.\r\nGet Sebdraven’s stories in your inbox\r\nJoin Medium for free to get updates from this writer.\r\nRemember me for faster sign in\r\nIn fact the first version of chinoxy stored the configuration in the registration at the installation:\r\nadd_key((HKEY)\u0026DAT_0042d708,\u0026DStack12,\r\n(LPDWORD)0x0,u_SYSTEM\\CurrentControlSet\\Service_00416214,\r\nu_Group_004170c8);\r\nDStack12 = 0x50;\r\nadd_key((HKEY)\u0026DAT_0042d758,\u0026DStack12,\r\n(LPDWORD)0x0,u_SYSTEM\\CurrentControlSet\\Service_00416214,\r\nhttps://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746\r\nPage 4 of 6\n\nu_Remark_004161e8);\r\nDStack12 = 0x50;\r\nadd_key((HKEY)\u0026DAT_0042d6b8,\u0026DStack12,\r\n(LPDWORD)0x0,u_SYSTEM\\CurrentControlSet\\Service_00416214,\r\nu_PassWord_00417158);\r\nDStack12 = 0x80;\r\nadd_key((HKEY)\u0026DAT_0042d7a8,\u0026DStack12,\r\n(LPDWORD)0x0,u_SYSTEM\\CurrentControlSet\\Service_00416214,\r\nu_Version_00417148);\r\nWe found the same the same keywords of the backdoor of vietnam in k.ini file\r\nGroup,Remark,Version,UID.\r\nand in the new version:\r\nu_Group_1001a754 XREF[2]: 1001135e(*), 1001214b(*)\r\n1001a754 47 00 72 unicode u”Group”\r\n00 6f 00\r\n75 00 70\r\nu_Remark_1001a760 XREF[2]: 100114ae(*), 100120e5(*)\r\n1001a760 52 00 65 unicode u”Remark”\r\n00 6d 00\r\n61 00 72\r\n1001a76e 00 ?? 00h\r\n1001a76f 00 ?? 00h\r\nu_System_1001a770 XREF[1]: 1001152c(*)\r\n1001a770 53 00 79 unicode u”System”\r\n00 73 00\r\n74 00 65\r\n1001a77e 00 ?? 00h\r\n1001a77f 00 ?? 00h\r\nThe config in bas64 of the backdoor is decoded in FUN_100074c0.\r\nThis function calls many time FUN_100074a0 to decode the string encoded.\r\nint __cdecl FUN_100074a0(uint param_1)\r\n{\r\nint iVar1;\r\niVar1 = 0;\r\ndo {\r\nif ((param_1 \u0026 0xffff) == (int)s_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef_1001a440[iVar1]) {\r\nreturn iVar1;\r\nhttps://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746\r\nPage 5 of 6\n\n}\r\niVar1 = iVar1 + 1;\r\n} while (iVar1 \u003c 0x40);\r\nreturn 0;\r\n}\r\nThe result of this decoding function is:\r\n018DDA4C 018DF780 L”brands.newst.dnsabr.com:3010|brands.newst.dnsabr.com:3010|ru.mst.dns-cloud.net:3010|”\r\nso two domains.\r\nThe configuration is encoded, and split with ‘|’ with the same technics of the backdoor used in Vietnam.\r\nAnd to communicate with the C2, the malware uses raw socket and ws32_dll.\r\nThreat Intelligence Consideration\r\nRoyal Road is massively used by Chinese Threat Actors. The backdoor chinoxy is used by too by this group.\r\nSo with a good confidence, this attack is driven by China againt Kirghistan.\r\nIOCs:\r\nRoyal Road RTF:\r\n1527f7b9bdea7752f72ffcd8b0a97e9f05092fed2cb9909a463e5775e12bd2d6\r\nbackdoor: 30115717d20e469e7c4bf45489f6c6d8810f32b1b68b6aa4b0ffcb21764ea99c\r\nbackdoor 2014:\r\n46876d952e152573069fa15b70caf825e4bf97ffb90c00f80d26890a9d92f05b\r\nDomains:\r\nbrands.newst.dnsabr.com:3010\r\nru.mst.dns-cloud.net:3010\r\nIPs:\r\n45.76.218.232\r\nSource: https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746\r\nhttps://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746"
	],
	"report_names": [
		"new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746"
	],
	"threat_actors": [
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434665,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d9868cea48675bc539618753e8d6292ab75d65e9.pdf",
		"text": "https://archive.orkl.eu/d9868cea48675bc539618753e8d6292ab75d65e9.txt",
		"img": "https://archive.orkl.eu/d9868cea48675bc539618753e8d6292ab75d65e9.jpg"
	}
}