{
	"id": "d1ec0245-a726-4267-a2cd-5ac0e45c6e8a",
	"created_at": "2026-04-06T00:17:34.719157Z",
	"updated_at": "2026-04-10T03:33:36.943928Z",
	"deleted_at": null,
	"sha1_hash": "da50697f1b61fc0d0d4fa6d1313b54563d11532d",
	"title": "Space Pirates: a look into the group's unconventional techniques, new attack vectors, and tools",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2776339,
	"plain_text": "Space Pirates: a look into the group's unconventional techniques, new\r\nattack vectors, and tools\r\nBy Positive Technologies\r\nPublished: 2024-08-19 · Archived: 2026-04-05 20:13:53 UTC\r\nIntroduction\r\nAt the end of 2019, the team at the Positive Technologies Expert Security Center (PT ESC) discovered a new cybercrime\r\ngroup, which they dubbed Space Pirates. It had been active since at least 2017. The first-ever comprehensive research paper\r\ndescribing the group saw light in early 2022. The Space Pirates group have since stepped up attacks on Russian companies:\r\nwe have come across the group frequently while investigating cyberattacks in the past year. They have hardly changed their\r\ntactics, but they have developed new tools and improved their old ones.\r\nThe cybercriminals’ main goals are still espionage and theft of confidential information, but the group has expanded its\r\ninterests and the geography of its attacks. Over the year, at least 16 organizations have been attacked in Russia and one\r\nin Serbia. Some of the new victims that we identified are Russian and Serbian government and educational institutions,\r\nprivate security companies, aerospace manufacturers, agricultural producers, defense, energy, and infosec companies.\r\n1. Investigating the network infrastructure\r\nWe found an Acunetix installation on one of the Space Pirates command-and-control (C\u0026C) servers, which suggested that\r\nthe group exploited vulnerabilities—an attack vector we had not seen it use earlier.\r\nFigure 1. 
Evidence of Acunetix being installed on a Space Pirates C\u0026C server\r\nDuring our investigation, we noticed that the group was interested in PST email archives (among other targets).\r\nA configuration error on a Space Pirates C\u0026C server allowed us to scan its contents, discovering two email archives\r\nbelonging to a Serbian ministry.\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-a-look-into-the-group-s-unconventional-techniques-new-attack-vectors-and-tools/#id4\r\nPage 1 of 40\n\nFigure 2. C\u0026C server with web shells and stolen data\r\nWe alerted the ministry via Serbia’s National CERT. Other contents of the server included a Godzilla web shell and\r\nan obfuscated Neo-reGeorg tunnel.\r\nThe Space Pirates network infrastructure continues to use a small number of IP addresses, as the DDNS\r\ndomains indicate. The malicious actors often reuse old domains by nesting them as subdomains of themselves, such\r\nas ruclient.dns04.com.ruclient.dns04.com.\r\nThe group had also begun using the ShadowPad malware, something we discovered as we were tracking changes in the\r\nhacker infrastructure using our internal ScanDat automated system. An alert we received pointed to a chain of SSL\r\ncertificates characteristic of ShadowPad. That chain was covered in one of our previous reports. As we continued\r\nto investigate the incident in question, we found a copy of ShadowPad used by the Space Pirates group in the client’s\r\nsystems.\r\nFigure 3. Chain of SSL certificates characteristic of ShadowPad\r\n2. Analysis of the malware and tools\r\n2.1. Deed RAT\r\nVirtually every investigation we conducted found that the group was using Deed RAT. As far as we can tell, the Space\r\nPirates group is moving away from other backdoors. Code similarities between Deed RAT and ShadowPad, noted by our\r\npeers, suggest that the backdoor is an evolution of ShadowPad. 
ShadowPad is in turn believed to be an evolution of PlugX.\r\nUnlike ShadowPad and PlugX, though, Deed RAT has so far been seen only in the hands of the Space Pirates group.\r\nThe backdoor is still under active development. We found a 64-bit version of Deed RAT on an infected device while\r\ninvestigating the incident. The structure of the main module and plugin headers is all but identical to the 32-bit version.\r\nBelow is what it looks like:\r\n \r\nstruct SectionHeader {\r\n DWORD VirtualSize;\r\n DWORD SizeOfRawData;\r\n};\r\nstruct ModuleHeader {\r\n DWORD Signature; // 0xDEED4554\r\n DWORD ModuleId;\r\n DWORD EntryPoint;\r\n QWORD OriginalBase;\r\n DWORD AbsoluteOffset;\r\n SectionHeader Sections[3];\r\n DWORD RelocationsVirtualSize;\r\n};\r\n \r\nThe string encryption algorithm in recent versions is somewhat different: the string length is no longer stored, and strings are\r\nnull-terminated instead.\r\nFigure 4. Original encryption algorithm, with string length explicitly stated\r\nFigure 5. Updated decryption algorithm for null-terminated strings\r\nWe found computers infected with Deed RAT to contain two plugins, retrieved dynamically from the C\u0026C server. The first\r\none is named Disk, has the identifier 0x250, and is used as a disk tool. Essentially a Windows API wrapper, Disk supports\r\nthe 10 network commands described below.\r\nIdentifier Description\r\n0x250 List disks\r\n0x251 List files inside folder\r\n0x252 List files inside folder recursively. The response returns the fields of the WIN32_FIND_DATAW structure, such as timestamp, size, attributes, and name\r\n0x253 Call the SHFileOperation function with the specified operation code and the flags FOF_NOERRORUI | FOF_NOCONFIRMMKDIR | FOF_NOCONFIRMATION | FOF_SILENT | FOF_MULTIDESTFILES\r\n0x254 Execute command via CreateProcess\r\n0x255 Get file attributes and content\r\n0x257 Write file to specified path with attributes\r\n0x259 Create folder\r\n0x25A List network resources\r\n0x25B Connect network drive. The command sends a NETRESOURCEW structure\r\nThe other plugin is named Portmap and has the identifier 0x290. The hackers likely based it on the ZXPortMap utility often\r\nused by Asian cybercrime groups. The plugin is used for port forwarding and supports three network commands, each\r\ncorresponding to an operating mode.\r\nIdentifier Description\r\n0x290 Proxy one request\r\n0x292 Start simple proxy on specified port\r\n0x294 Start SOCKS5 proxy without authentication on specified port\r\nAdditionally, the main module code contains a reference to a module with the identifier 0xC0, which we did not come\r\nacross. 
Apparently, it was a built-in module that executed some actions before the backdoor started.\r\nThe configuration header in recent versions looks as follows:\r\n \r\nstruct DeedRATConfigHeader {\r\n DWORD Signature; // 0xC88CDB32\r\n BYTE UnusedFlag1;\r\n WORD pInitialKey;\r\n BYTE PairReplacableFlag1;\r\n WORD pInstallationPath;\r\n WORD pSideLoadingDllName;\r\n WORD pShellcodeName;\r\n WORD pServiceName;\r\n WORD pDisplayedServiceName;\r\n WORD pServiceDescription;\r\n WORD pPersistentRegistryKey;\r\n WORD pPersistentRegistryValue;\r\n BYTE PairReplacableFlag2;\r\n WORD pTargetProcessForInject1;\r\n WORD pTargetProcessForInject2;\r\n WORD pTargetProcessForInject3;\r\n WORD pTargetProcessForInject4;\r\n WORD pBotID;\r\n BYTE UnusedFlag2;\r\n WORD pMutexName;\r\n BYTE Unknown1[58];\r\n BYTE DayOfWeek1;\r\n BYTE StartHour1;\r\n BYTE EndHour1;\r\n BYTE DayOfWeek2;\r\n BYTE StartHour2;\r\n BYTE EndHour2;\r\n BYTE DayOfWeek3;\r\n BYTE StartHour3;\r\n BYTE EndHour3;\r\n BYTE DayOfWeek4;\r\n BYTE StartHour4;\r\n BYTE EndHour4;\r\n BYTE DnsFlag;\r\n DWORD DnsIP1;\r\n DWORD DnsIP2;\r\n DWORD DnsIP3;\r\n DWORD DnsIP4;\r\n BYTE DohFlag;\r\n WORD pDohAddress1;\r\n WORD pDohAddress2;\r\n WORD pDohAddress3;\r\n WORD pDohAddress4;\r\n BYTE Unknown2[34];\r\n WORD pC2Url1;\r\n WORD pC2Url2;\r\n WORD pC2Url3;\r\n WORD pC2Url4;\r\n BYTE UnusedFlag3;\r\n WORD pProxyUrl1;\r\n WORD pProxyUrl2;\r\n WORD pProxyUrl3;\r\n WORD pProxyUrl4;\r\n BYTE Unknown3[3];\r\n};\r\n \r\nThe rest of the configuration consists of encrypted strings referenced in the header.\r\nThe DNS list in the configuration remains unchanged: 8.8.8.8 (Google Public DNS), 1.1.1.1 (Cloudflare DNS),\r\n9.9.9.9 (Quad9 DNS), 222.222.67[.]208. The last address is most likely a mis-encoding of 208.67.222.222 (Cisco OpenDNS). 
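The ModuleHeader and DeedRATConfigHeader listings above can be handled by a small parser, and the DnsIP4 byte-order mix-up can be reproduced and turned into a network check. The Python below is an added example, not code from this report or from the malware. It assumes the 64-bit ModuleHeader is stored packed (no padding before the QWORD) and little-endian, that the implant copies a DnsIP field verbatim into the socket address, and that the builder wrote 208.67.222.222 as a host-order DWORD; the header bytes and the flow records are constructed test data.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

MODULE_SIGNATURE = 0xDEED4554          # ModuleHeader.Signature in the listing above

# 64-bit ModuleHeader laid out as listed, assumed packed and little-endian:
# Signature, ModuleId, EntryPoint (DWORD), OriginalBase (QWORD), AbsoluteOffset,
# three SectionHeader pairs (VirtualSize, SizeOfRawData), RelocationsVirtualSize.
MODULE_HEADER_FMT = '<IIIQI6II'
MODULE_HEADER_SIZE = struct.calcsize(MODULE_HEADER_FMT)   # 52 bytes


@dataclass
class ModuleHeader:
    module_id: int
    entry_point: int
    original_base: int
    absolute_offset: int
    sections: List[Tuple[int, int]]     # (VirtualSize, SizeOfRawData) x 3
    relocations_virtual_size: int


def parse_module_header(blob: bytes) -> ModuleHeader:
    '''Validate the signature and unpack a decrypted module header.'''
    if len(blob) < MODULE_HEADER_SIZE:
        raise ValueError('buffer shorter than a module header')
    f = struct.unpack_from(MODULE_HEADER_FMT, blob, 0)
    if f[0] != MODULE_SIGNATURE:
        raise ValueError('bad module signature 0x%08X' % f[0])
    sections = [(f[5 + 2 * i], f[6 + 2 * i]) for i in range(3)]
    return ModuleHeader(f[1], f[2], f[3], f[4], sections, f[11])


def sample_module_header() -> bytes:
    '''Constructed test vector: a header for the Disk plugin (id 0x250).'''
    return struct.pack(MODULE_HEADER_FMT, MODULE_SIGNATURE, 0x250, 0x1000, 0x180000000, 0,
                       0x2000, 0x1e00, 0x800, 0x600, 0x400, 0x200, 0x100)


def dns_field_addresses(raw4: bytes) -> Tuple[str, str]:
    '''Read a 4-byte DnsIP field two ways: as the implant uses it (bytes copied
    verbatim into the socket address, i.e. network order) and as the builder
    apparently meant it (a host-order DWORD written little-endian).'''
    used = str(ipaddress.IPv4Address(bytes(raw4)))
    intended = str(ipaddress.IPv4Address(bytes(raw4[::-1])))
    return used, intended


def byte_order_confusions(resolvers: List[str]) -> Dict[str, str]:
    '''Map each resolver to the address actually queried if its DWORD was stored
    little-endian. Palindromic addresses such as 8.8.8.8 are unaffected.'''
    out = {}
    for ip in resolvers:
        stored = struct.pack('<I', int(ipaddress.IPv4Address(ip)))
        used, _ = dns_field_addresses(stored)
        if used != ip:
            out[ip] = used
    return out


CONFIG_RESOLVERS = ['8.8.8.8', '1.1.1.1', '9.9.9.9', '208.67.222.222']


def flag_dns_flows(flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int]]:
    '''Return the (src, dst, dport) flows whose destination is the byte-reversed
    form of a real resolver on port 53: a likely Deed RAT resolution attempt.'''
    bogus = set(byte_order_confusions(CONFIG_RESOLVERS).values())
    return [flow for flow in flows if flow[2] == 53 and flow[1] in bogus]


if __name__ == '__main__':
    print(parse_module_header(sample_module_header()))
    print(byte_order_confusions(CONFIG_RESOLVERS))
    # Constructed flow records: (src, dst, dport)
    flows = [('10.0.0.5', '8.8.8.8', 53), ('10.0.0.5', '222.222.67.208', 53),
             ('10.0.0.7', '222.222.67.208', 443)]
    print(flag_dns_flows(flows))
```

Run as a script it prints the parsed header, the only resolver that changes under byte reversal, and the one flow that hits the bogus address. The check generalizes to any resolver list: feed it into byte_order_confusions and alert on port-53 traffic to the values it returns, which are addresses no host has a reason to query.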
The config appears to store the address as a little-endian DWORD rather than in network byte order. The error has likely\r\ngone unnoticed so far because this address is the last one on the list and seldom sees use, while the other three\r\n(8.8.8.8, 1.1.1.1, and 9.9.9.9) read the same in either byte order.\r\nNever once did we see a DNS service hosted at 222.222.67[.]208. We have seen similar attempts to resolve domain names\r\nusing non-existent DNS servers (see figure below).\r\nFigure 6. Traffic containing requests to a non-existent DNS server\r\nQueries like these are a likely sign of Deed RAT infection.\r\nUnlike the sample described above, the backdoor contains the environment pseudovariable %AUTOPATH%, used in the\r\nconfiguration field InstallationPath and, depending on backdoor permissions and system bitness, resolved as follows:\r\n%AppData% if the backdoor lacks administrator permissions\r\n%ProgramFiles(x86)% if the backdoor has administrator permissions and the system is 64-bit Windows\r\n%ProgramFiles% if the backdoor has administrator permissions and the system is 32-bit Windows\r\nWe have seen a similar implementation in PlugX, which used the variable %AUTO%.\r\nIt seems interesting in light of the group’s presumed Chinese origins that the number four is a regular feature of the code:\r\nfour days on which the backdoor cannot run, four C\u0026C URLs, four proxy URLs, four processes to inject the\r\nmalware into, four DNS servers, four DoH addresses. The pronunciation of the Chinese character 四 (four) differs from 死\r\n(death) only in tone, thus the number four is considered unlucky.\r\n2.2. Voidoor\r\nDuring an investigation, we obtained a sample of unknown, functionally different malware. The timeline of the sample\r\nappearing on the infected computer suggested that it was delivered via the Deed RAT already installed on the machine\r\nand belonged to the Space Pirates group. We were later proved right. 
We named the malware Voidoor, after the C\u0026C\r\nserver (the voidtools forum) and the malware type (backdoor).\r\nFigure 7. Voidoor (ConsoleApplication1.exe) appearing on the infected ALEX-PC computer\r\nCompiled at the end of 2022, Voidoor is a 32-bit EXE file containing the PDB path \"C:\\_\\Project1\\Release\\Project1.pdb\".\r\nFigure 8. Information from the DIE analysis tool\r\nMost of the strings inside are XOR-encoded with the key 0x22.\r\nFigure 9. Obfuscated stack strings\r\nThe Voidoor life cycle can be broken down into the following phases:\r\n1. Preparation\r\n2. Talking to GitHub repositories\r\n3. Gaining persistence\r\n4. Talking to the voidtools forum\r\n5. Talking to GitHub\r\n2.2.1. Preparatory phase\r\nThe sample starts by trying to open port 27015. If that fails, the process exits, so that only one instance is left\r\nrunning at any given time. This is followed by decrypting the bulk of the strings. These can be broken down into the\r\nfollowing groups:\r\n1. Talking to GitHub: access token, HTTP headers, user name, user repositories, names of files to be downloaded and\r\nrun\r\n2. Talking to the voidtools forum: URI with parameters\r\n3. Talking to both GitHub and voidtools: User-Agent header: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\nAppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36. In the network requests this header name\r\nis written in lowercase, unlike the other fields\r\n4. Local activity: name of the scheduler task, paths of files created by Voidoor\r\nThe above strings are decrypted inside one function and can be regarded as the file's configuration. In addition to that,\r\nas the malware runs, it decrypts locally used strings.\r\nThis phase also sees Voidoor use the victim identifier, stored in the file %TEMP%/ids. 
If the file is not present, it is created, with\r\nthree concatenated random numbers used as the ID.\r\nFigure 10. Generating a victim ID\r\n2.2.2. Talking to GitHub repositories\r\nA personal access token hard-coded in the sample tells us a few things about the owner and their repositories:\r\n \r\nToken issuer: hasdhuahd\r\nToken issuer url: https://api.github.com/users/hasdhuahd\r\nUser created at: 2022-11-23T01:08:24Z\r\nUser updated at: 2023-03-20T07:47:54Z\r\nProject: hasdhuahd/919A1C3FD38A41D89ED53F1967AF443D\r\nCreated at: 2022-11-23T03:44:21Z\r\nVisibility: private\r\nProject: hasdhuahd/myprivaterepo-1\r\nCreated at: 2022-11-23T03:44:32Z\r\nVisibility: private\r\nProject: hasdhuahd/13F20E32BDBA46229631517AB130A7E7\r\nCreated at: 2022-11-24T04:39:35Z\r\nVisibility: public\r\nProject: hasdhuahd/al-khaser\r\nCreated at: 2022-12-07T08:16:58Z\r\nVisibility: public\r\n \r\nhasdhuahd/919A... acts as the C\u0026C center.\r\nhasdhuahd/myprivaterepo-1 holds the tools used by the malware.\r\nhasdhuahd/13F2... contains the only file that has a UUID. Its function is unknown.\r\nhasdhuahd/al-khaser is a fork of a public antivirus benchmarking utility.\r\nThe sample assembles the paths to the repositories it will use.\r\nFigure 11. Building the paths to a repository\r\nNetwork communication is handled by libcurl.\r\nVoidoor’s first task is to tell the operators about the new victim. To do this, it builds the link\r\nhttps://api.github.com/repos/hasdhuahd/919A.../git/trees/main?recursive=1 and downloads the file\r\n1A11878899834F1591DFADC277B2132E. 
If the network is unavailable, the program keeps trying until it can download the\r\nfile. The file maintains a victim list of several dozen strings, each consisting of a computer name and a pre-generated identifier.\r\nFigure 12. Part of the victim list. The plus sign is used as a delimiter\r\nThe JSON file returned by GitHub is parsed by chopping it into substrings.\r\nFigure 13. Every developer had this phase\r\nIf the above list does not contain the identifier generated for the victim, Voidoor sends an HTTP PUT request\r\nto api.github.com. GitHub supports adding and modifying files with PUT requests as detailed here:\r\ndocs.github.com/en/rest/repos/contents#create-or-update-file-contents. Remarkably, this phase includes the decryption\r\nof a string in the malware code that will be modified later:\r\n \r\n{\"message\": \"commit message\", \"content\": \"dGhpcyBpcyBkb25l\", \"sha\": \"164adc449d458c4b0819bb348db9b07ca2fc367d\"\r\n \r\nThe sequence dGhpcyBpcyBkb25l decodes from Base64 to \"this is done\". This string is replaced with the ID to be added, and the resulting\r\nbody is sent with 164adc449d458c4b0819bb348db9b07ca2fc367d as the SHA of the file blob being replaced. The sample then calls the repository\r\nmyprivaterepo-1, downloading a shellcode file XOR-encrypted with the key 0x22 to %TEMP%\\myfile.bin.\r\nIt is worth noting that the developer has implemented integrity control by appending a SHA-256 checksum to the end of the\r\nfile names; the checksum is recomputed over the downloaded file and compared.\r\nFigure 14. Verifying the checksum of a downloaded file\r\nJudging by the corrupted shellcode files in the repository history, this desperate measure was intended as an extra guarantee\r\nthat the file is valid. Interestingly enough, at some point, the developer began to additionally encode binary files in Base64\r\nto avoid byte interpretation issues when storing these in Git.\r\nThen, the sample terminates every process with the name ConsoleApplication1.exe, downloads a file with that name from\r\nthe tooling repository, and saves it to the folder with the shellcode.\r\n2.2.3. Gaining persistence\r\nVoidoor creates a scheduler task as follows:\r\nschtasks /create /tn MyApp /tr \u003cFile path\u003e /sc minute /mo 1 /f \u0026\u0026 schtasks /create /tn MyApp /tr \u003cFile path\u003e /sc minute /mo 1 /ru system /f\r\nThis task runs the malware every minute, with SYSTEM permissions if possible. Clashes that may be caused by this\r\noutrageous frequency are avoided by checking port 27015. Notable is the method of gaining persistence: the malware uses\r\nthe previously downloaded file ConsoleApplication1.exe, which is also used to run the shellcode. The process then writes\r\na task into the file orderFile.txt, formatting its contents in a way that resembles the output of certutil -encode (see figure\r\nbelow).\r\nFigure 15. Decrypting stack strings related to certutil\r\nA Base64-encoded command is placed between the BEGIN CERTIFICATE and END CERTIFICATE strings. The program runs\r\nthe file ConsoleApplication1, which decrypts the shellcode (using the operation XOR 0x22) and runs it. 
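Putting the GitHub side of 2.2.2 together with the XOR 0x22 decoding mentioned just above, the Python below is an added example, not code from this report or from the malware. It assumes the victim list holds one COMPUTERNAME+ID entry per line, that registration appends an entry and re-uploads the whole list, that the sha field of the PUT body is the Git blob hash of the file being replaced, and that the SHA-256 suffix is computed over the stored bytes after the optional Base64 layer is removed; the repository listing, the file name loader<sha256> and the shellcode bytes are constructed.

```python
import base64
import hashlib
import json
from typing import Dict, List, Optional, Tuple

XOR_KEY = 0x22        # key used for the strings and for the shellcode file
DELIMITER = '+'       # separates computer name and victim ID in the victim list
NEWLINE = chr(10)
HEX = set('0123456789abcdefABCDEF')


def parse_victim_list(text: str) -> List[Tuple[str, str]]:
    '''Parse the victim list file: one COMPUTERNAME+ID entry per line.'''
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if DELIMITER in line:
            name, _, victim_id = line.rpartition(DELIMITER)
            entries.append((name, victim_id))
    return entries


def is_registered(text: str, victim_id: str) -> bool:
    '''The check the sample makes before announcing a new victim.'''
    return any(vid == victim_id for _, vid in parse_victim_list(text))


def git_blob_sha1(data: bytes) -> str:
    '''Git blob hash; the contents API expects it in the sha field of an update.'''
    header = b'blob %d' % len(data) + bytes([0])
    return hashlib.sha1(header + data).hexdigest()


def contents_put_body(new_content: bytes, previous_blob: bytes) -> Dict[str, str]:
    '''Body for PUT /repos/{owner}/{repo}/contents/{path}: the template string shown
    above with the Base64 content and the hash of the replaced blob filled in.'''
    return {'message': 'commit message',
            'content': base64.b64encode(new_content).decode('ascii'),
            'sha': git_blob_sha1(previous_blob)}


def register_victim_body(current_list: bytes, computer: str, victim_id: str) -> Dict[str, str]:
    '''Assumption: the new entry is appended and the whole list re-uploaded, which
    matches the insertions-only commits in the repository history.'''
    entry = (computer + DELIMITER + victim_id + NEWLINE).encode('ascii')
    return contents_put_body(current_list + entry, current_list)


def split_checksum_name(name: str) -> Tuple[str, Optional[str]]:
    '''Split a repository file name into base name and 64-hex SHA-256 suffix, if any.'''
    if len(name) > 64 and set(name[-64:]) <= HEX:
        return name[:-64], name[-64:].lower()
    return name, None


def xor22(data: bytes) -> bytes:
    return bytes(b ^ XOR_KEY for b in data)


def fetch_tool(repo: Dict[str, bytes], base_name: str, base64_wrapped: bool = False) -> bytes:
    '''Find base_name<sha256> in a listing (path -> stored bytes), undo the optional
    Base64 layer, verify the checksum and return the XOR-decoded payload.
    Assumption: the checksum covers the stored bytes after Base64 decoding.'''
    for name, stored in repo.items():
        base, digest = split_checksum_name(name)
        if base != base_name or digest is None:
            continue
        raw = base64.b64decode(stored) if base64_wrapped else stored
        if hashlib.sha256(raw).hexdigest() != digest:
            raise ValueError('checksum mismatch for ' + name)
        return xor22(raw)
    raise FileNotFoundError(base_name)


def build_sample_repo(corrupt: bool = False) -> Dict[str, bytes]:
    '''Constructed listing: a Base64-wrapped, XOR-encoded loader blob with its checksum
    in the (hypothetical) name. corrupt=True flips one byte after the name was fixed,
    like the broken files seen in the repository history.'''
    encoded = xor22(b'constructed shellcode bytes')
    name = 'loader' + hashlib.sha256(encoded).hexdigest()
    if corrupt:
        encoded = encoded[:-1] + bytes([encoded[-1] ^ 1])
    return {name: base64.b64encode(encoded), 'ConsoleApplication1.exe': b'MZ...'}


if __name__ == '__main__':
    # An entry in the victim-list form (the value comes from the communication log in 2.2.5)
    victims = 'DESKTOP-94KT1VQ+200882088117246' + NEWLINE
    print(is_registered(victims, '200882088117246'), is_registered(victims, '1'))
    print(json.dumps(register_victim_body(victims.encode('ascii'), 'NEW-PC', '123456789')))
    print(fetch_tool(build_sample_repo(), 'loader', base64_wrapped=True))
```

The corrupt=True listing reproduces the failure mode the checksum guards against: the name still carries the hash of the intact file, so fetch_tool refuses the blob instead of handing garbage to the loader. For hunting, the split_checksum_name test (a 64-hex suffix on an otherwise ordinary file name) is a cheap way to spot repositories laid out like this one.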
The file logic\r\nis as follows:\r\n \r\ncmd /c certutil -decode C:\\Users\\Public\\Downloads\\orderFile.txt C:\\Users\\Public\\Downloads\\silentBase.bat \u0026\u0026 ec\r\ncmd /c type C:\\Users\\Public\\Downloads\\silentBase.bat\u003eC:\\Users\\Public\\Downloads\\Basesilent.txt \u0026\u0026 copy C:\\Users\r\n1\u003eC:\\Users\\Public\\Downloads\\checkString || echo 1\u003eC:\\Users\\Public\\Downloads\\checkString\r\ncmd /c C:\\Users\\Public\\Downloads\\silentBase.bat \u0026\u0026echo 1\u003eC:\\Users\\Public\\Downloads\\interResultFile.txt \u0026\u0026 echo\r\nRemoval of API files via Windows C:\\Users\\Public\\Downloads\\houston, C:\\Users\\Public\\Downloads\\interResultFile\r\n \r\nIt can be simplified as follows:\r\n \r\n# Decode orderFile.txt to silentBase.bat\r\ncd C:\\Users\\Public\\Downloads\r\ncertutil -decode orderFile.txt silentBase.bat\r\n# Use type and copy commands to complicate automated tracking of links between processes and artifacts\r\ntype silentBase.bat\u003eBasesilent.txt\r\ncopy Basesilent.txt silentBase.bat\r\ndel Basesilent.txt\r\n# Execute the script—in this case, the main file persistence logic\r\nsilentBase.bat\r\n# Clean up temporary files\r\n \r\n2.2.4. Talking to the voidtools forum\r\nTo support further operation, the program creates an invisible window with two threads.\r\nFigure 16. Creating two threads\r\nThe second thread serves the simple purpose of standing by for ten hours, then setting the termination flag for the first\r\none.\r\nFigure 17. Body of the termination control thread\r\nThe flag is checked in the main loop of the first thread.\r\nFigure 18. Main loop of the first thread with the exit condition\r\nThe checks relating to the forum part must be passed to proceed to the next phase.\r\nFirst, the thread decrypts the strings https://www.voidtools.com, /forum/ucp.php, and ?i=ucp_pm\u0026mode=options. \"UCP\"\r\nmeans \"User Control Panel\" in the context of this website. Interestingly, the sample adds \"asdasdasd\" to the Cookie request\r\nheader, but we could not determine the purpose of that.\r\nThe process concatenates the strings and sends a request to the resulting address. If there is a connection, the request will\r\nbe redirected to the login page.\r\nFigure 19. Forum login form\r\nThe sample will then send a POST request to log in to the forum using the hard-coded login and password, and if successful,\r\nstore the values of the phpbb3_h6rei_u, phpbb3_h6rei_k, and phpbb3_h6rei_sid cookies, which are required for the session.\r\nThe forum has a personal messaging system that supports custom rules.\r\nFigure 20. Message rules from several malware samples\r\nThe sample will try to define a new rule even if this rule already exists:\r\ncheck_option=1\u0026rule_option=1\u0026rule_string=^\u003cvictim ID\u003e^\u0026rule_user_id=0\u0026rule_group_id=0\u0026cond_option=text\u0026action_option=1|0\u0026add_rule=Add rule\u0026foldername=\u0026rename_folder_id=8\u0026new_folder_name=\u0026remove_folder_id=8\u0026remove_action=1\u0026move_to=0\u0026full_move_to=0\u0026full_action=3\u0026\u003cdevice timestamp\u003e\u0026form_token=\u003cparsed token from the page\u003e\r\nFigure 21. Warning message when trying to create a duplicate rule\r\nThe malware will download the page with the list of rules again. This time, though, it is looking for a folder whose name\r\nfeatures the victim ID.\r\nFigure 22. List of directories and folders\r\nThe folder must be created by the operators on the C\u0026C side, or else the sample will get stuck in a loop for ten hours repeatedly adding the\r\nnew rule. Multiple folders cannot be created, as the sample will take the first entry for comparison. We suspect this means\r\nthat the C\u0026C server can communicate with only one sample via GitHub at any given time.\r\nThe forum is powered by the phpBB engine; it proved to be a treasure trove of useful information.\r\nFigure 23. Account registration date\r\nFigure 24. Address created by a temporary email service\r\nFigure 25. The time zone is Antarctic\r\nThe forum notably requires some activity from users before allowing them to send messages.\r\nFigure 26. Restriction on messaging for newcomers\r\nThe so-called \"Remember me\" login keys were a real catch. This function helps to manage active sessions whose tokens are\r\nstored client-side. If the device is stolen, the user can block it by removing the key from the list. The device will lose access\r\nto the profile, and the forum will ask for a user name and password to log in again. This is a legacy feature based on a use\r\ncase that was described in a 2004 post we found on the phpBB community forum. We consider that functionality\r\nto be dangerous.\r\nFigure 27. Top of the active session list\r\nWe found more than 3,500 login events associated with 73 unique IP addresses, and we were able to attribute Voidoor to the\r\nAPT group after discovering a series of logins from Space Pirates IP addresses that occurred within days of registering the account. 
By correlating these events with activities in the GitHub repository, we established that these logins took place\r\nduring the malware development and testing phases.\r\nFigure 28. Addresses related to the Space Pirates C\u0026C server\r\nThe hackers have targeted universities, healthcare centers, energy companies, private security providers and government\r\norganizations in Russia and Serbia.\r\n2.2.5. GitHub-based C\u0026C server\r\nThe sample switches to the communication mode based on GitHub commands. It searches the repository 919A... for a file\r\nwhose name consists of two parts: a 32-character hexadecimal string of the same kind as the return value types below, and the victim identifier.\r\nCommunication takes place as follows:\r\n1. The malware receives a command in the specified file. The command consists of three strings: the command\r\nidentifier, the return value type, and the command body. We are aware of the following two return value types:\r\nD737C9A763E941BDAA69C6EE83553014: download the file from the victim’s computer and upload\r\nit to GitHub\r\n139445A83B5B4ED79FAF4439FC7FFE69: execute the command\r\n2. The sample runs the above task and uses a PUT request to upload an object with the name formatted as \u003ccommand\r\ntype\u003e + \u003cvictim identifier\u003e to the repository.\r\n3. The process loops to the start: the sample returns to standby mode, waiting to get a command with an identifier\r\ndifferent from the previous one.\r\nExample of this kind of communication:\r\n \r\ndatetime: 2022-11-24 12:40:59+08:00\r\nmessage: commit message\r\n1A11878899834F1591DFADC277B2132E 2 insertions, 0 deletions, 2 lines (file with the new infected victim added)\r\n\u003e\u003e\u003e\r\n\\n\r\nDESKTOP-94KT1VQ+200882088117246\r\n\u003c\u003c\u003c\r\ndatetime: 2022-11-24 12:42:05+08:00\r\nmessage: commit message\r\nD7B3FDC2EABE453BB39FA73557FC77F3200882088117246 4 insertions, 0 deletions, 4 lines\r\n\u003e\u003e\u003e\r\nuuid: 8b0e4a01-b242-45a4-a86d-25ab54a3308a\r\nmd5: 139445A83B5B4ED79FAF4439FC7FFE69\r\ncmd: hostname\r\n\u003c\u003c\u003c\r\ndatetime: 2022-11-24 12:46:30+08:00\r\nmessage: commit message\r\nA2EE1A74A32344FEA87A42D395013499200882088117246 5 insertions, 0 deletions, 5 lines\r\n\u003e\u003e\u003e GB18030 (simplified_chinese):\r\nC:\\mylittletrojan\\shellcodeloader\\thumb_drive-main\\thumb_drive_copy_real_time\\7z2200-src\\CPP\\7zip\\UI\\Client7z\u003e\r\nDESKTOP-94KT1VQ\r\n\u003c\u003c\u003c\r\n \r\nUnfortunately, our copy of the sample lacks working command handling: the name of the file it looks for embeds a hard-coded\r\nidentifier with an unknown return value type, D7B3FDC2EABE453BB39FA73557FC77F3171542571331346. The string\r\nprevents the code from executing correctly, causing the sample to loop for ten hours, until the termination flag that the loop\r\nchecks is set by the second thread. As the string is XOR-encrypted in its entirety inside the file, the function can\r\nbe considered deactivated but not removed.\r\n2.2.6. Some facts about the developer of the tool\r\nBy analyzing the GitHub repositories, we can easily identify the testing and operation phases of the malware. We know that\r\nthe name of the hacker’s device is desktop-94kt1vq. An online search for it returns a blog on the Chinese Software Developer Network (CSDN).\r\nFigure 29. Web search results\r\nFigure 30. Developer profile\r\nThe user posts a lot, with a total of 177 original entries, and importantly for us, his name in the system (\"X\") matches the\r\nname used by the C\u0026C server.\r\nFigure 31. The user name \"X\" and the default project name \"ConsoleApplication\"\r\nSome of the user's other noteworthy blog posts deal with storing files on GitHub, using IDA Pro and reverse engineering\r\nin general, and kernel programming.\r\nFigure 32. Post on storing files on GitHub\r\nThe profile description caught our eye too.\r\nFigure 33. Description of the first account\r\nThis mentions another account, abandoned in March 2021.\r\nFigure 34. Second account\r\nThis other blog focuses mostly on pentesting, vulnerability analysis, and descriptions of internal Windows mechanics.\r\nBy comparing these pieces of information (matching computer names, user names, and relevant skills), we can assume with\r\nsome confidence that this person is one of the developers of the malware in question, if not the only one.\r\n2.3. Other tools\r\nBesides the backdoors described above, the hackers have made use of the following publicly available tools:\r\nStowaway\r\nMimikatz\r\nfscan\r\nprocdump\r\nPortQry version 2.0 Gold\r\nNetSess\r\nNBTscan\r\nPsExec\r\nKrbRelayUp\r\nSharpRoast\r\nnmap\r\nImpacket\r\nCHAOS\r\nreGeorg\r\nNeo-reGeorg\r\nGodzilla (web shell)\r\nxcmdsvc\r\nThe group often uses tools written in Golang and obfuscated with Garble. We also found a homebrew utility that is not\r\navailable publicly and has likely been developed by the Space Pirates group. It monitors connected drives, collecting files\r\nfrom every newly appearing device and creating a new database record. The utility uses the 7z.dll library to pack files into\r\nan archive with a name formatted as hh.mm.ss, where hh is the current hour, mm is the current minute, and ss is the current\r\nsecond. All archives are saved to C:\\Users\\Public\\Downloads\\dest.\r\nThe utility uses two database files: 1.db in place of mutexes and 2.db for logging connected devices. Information about the\r\nlatest changes to the removable drive contents is stored here as well, so the utility can check if it needs to copy any new\r\nfiles. The program masquerades as the 7-Zip file archiver.\r\nFigure 35. Properties of the removable-drive monitoring utility\r\nConclusion\r\nThe Space Pirates group is relentlessly stepping up activity targeting Russian companies: the number of attacks has\r\nincreased many times over. The hackers are working on new malware that implements unconventional techniques, such as Voidoor,\r\nand modifying their existing malware. 
In addition, we have seen a drastic reduction in the use of other backdoors characteristic of the group and an increase in attacks that employ Deed RAT.\r\nThe Space Pirates group uses a large number of publicly available tools for navigating networks. The hackers also use Acunetix to reconnoiter the infrastructures they target. Meanwhile, the group’s tactics have hardly changed.\r\nThe cybercriminals’ main goals are still espionage and theft of confidential information, but the group has expanded its interests and the geography of its attacks.\r\nThe PT ESC team continues to monitor and respond to threats, including those associated with the Space Pirates group.\r\nAuthors: Denis Kuvshinov, Stanislav Rakovsky, Stanislav Pyzhov\r\nApplications\r\nVerdicts by Positive Technologies products\r\nNetwork rules\r\n10007678 SUSPICIOUS [PTsecurity] TLS Server Certificate (Some-Company Some-State)\r\n10007870 SUSPICIOUS [PTsecurity] Multiple attempting to connect to an external non-http/smtp server\r\n10007917 SUSPICIOUS [PTsecurity] Multiple POST request\r\n10008972 SUSPICIOUS [PTsecurity] GET request in TCP\r\n10008973 SUSPICIOUS [PTsecurity] POST request in TCP\r\nYARA rules\r\napt_mem_CN_SpacePirates__Backdoor__DeedRAT____EncryptionArtifacts__R1\r\napt_win86_CN_SpacePirates__Backdoor__Github__And__Voidtools__Backdoor\r\napt_win86_CN_SpacePirates__Shellcode__From__Github\r\napt_win_CN_SpacePirates__Trojan__DllLoader\r\ncrime_linux_ZZ_Chaos__Backdoor\r\ntool_multi_ZZ_NBTscan__HackTool\r\ntool_multi_ZZ_Stowaway__HackTool\r\ntool_multi_ZZ_fscan__HackTool\r\ntool_win_CN_ShadowPad__Backdoor__NewDecrypt\r\ntool_win_ZZ_GhostPack__HackTool__SharpRoast\r\ntool_win_ZZ_GodzillaShell__Backdoor\r\ntool_win_ZZ_GolangObfuscation__RiskTool__Garble\r\ntool_win_ZZ_KrbRelay__HackTool__Strings\r\ntool_win_ZZ_Mimikatz__HackTool__Generic\r\ntool_win_ZZ_ProcDump__Hacktool\r\ntool_win_ZZ_PsExec__Hacktool\r\ntool_win_ZZ_reGeorg__Backdoor__WebShell\r\nBehavioral rules\r\nTrojan.Win32.Generic.a\r\nTrojan.Win32.Evasion.a\r\nTrojan.Script.Impacket.a\r\nBackdoor.Elf.Chaos.a\r\nTrojan.MachineLearning.Generic.a\r\nCreate.Process.ProcDump.CredentialDumping\r\nCreate.Process.PortQry.NetworkConnectionsDiscovery\r\nCreate.Process.NBTscan.NetworkSniffing\r\n
MITRE\r\nID | Name | Description\r\nReconnaissance\r\nT1595.002 | Active Scanning: Vulnerability Scanning | The Space Pirates group uses Acunetix to search for vulnerabilities in victim infrastructures\r\nInitial Access\r\nT1566.001 | Phishing: Spearphishing Attachment | Space Pirates uses phishing emails with malicious attachments\r\nT1566.002 | Phishing: Spearphishing Link | Space Pirates uses phishing emails with links to malware\r\nExecution\r\nT1059.003 | Command and Scripting Interpreter: Windows Command Shell | Space Pirates malware features remote command shell functionality\r\nT1059.005 | Command and Scripting Interpreter: Visual Basic | Space Pirates uses VBS scripts, including ReVBShell\r\nT1106 | Native API | Space Pirates malware uses WinAPI functions to run new processes and implement shellcode\r\nT1053.002 | Scheduled Task/Job: At (Windows) | Space Pirates uses atexec.py to run commands on a remote host\r\nT1053.005 | Scheduled Task/Job: Scheduled Task | Space Pirates uses system tasks\r\nT1569.002 | System Services: Service Execution | Space Pirates creates malicious services\r\nPersistence\r\nT1053.005 | Scheduled Task/Job: Scheduled Task | Space Pirates creates system tasks for persistence on the host\r\nT1543.003 | Create or Modify System Process: Windows Service | Space Pirates creates malicious services for persistence on the host\r\nT1546.015 | Event Triggered Execution: Component Object Model Hijacking | RtlShare malware persists in the system through substitution of the MruPidlList COM object\r\nT1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | For persistence on the host, Space Pirates can place a shortcut in the autorun folder and use the Run and RunOnce registry keys\r\nPrivilege Escalation\r\nT1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Space Pirates malware contains various techniques for bypassing UAC\r\nT1068 | Exploitation for Privilege Escalation | Space Pirates can exploit the CVE-2017-0213 vulnerability for privilege escalation\r\n
Defense Evasion\r\nT1027.001 | Obfuscated Files or Information: Binary Padding | The RtlShare dropper adds random bytes to the extracted payload\r\nT1027.002 | Obfuscated Files or Information: Software Packing | One of the stages of the BH_A006 malware is obfuscated using an unknown protector\r\nT1036.004 | Masquerading: Masquerade Task or Service | Space Pirates uses legitimate-looking names when creating services\r\nT1036.005 | Masquerading: Match Legitimate Name or Location | Space Pirates masks its malware as legitimate software\r\nT1055 | Process Injection | Space Pirates malware can inject shellcode into other processes\r\nT1055.001 | Process Injection: Dynamic-link Library Injection | Space Pirates malware can inject DLLs with payload into other processes\r\nT1078.002 | Valid Accounts: Domain Accounts | Space Pirates uses compromised privileged credentials\r\nT1112 | Modify Registry | Deed RAT stores all its data in the registry, including configuration and plugins\r\nT1140 | Deobfuscate/Decode Files or Information | Space Pirates malware uses various algorithms to encrypt configuration data and payload\r\nT1197 | BITS Jobs | Space Pirates uses BITS jobs to download malware\r\nT1218.011 | Signed Binary Proxy Execution: Rundll32 | Space Pirates can use rundll32.exe to run DLLs\r\nT1553.002 | Subvert Trust Controls: Code Signing | Space Pirates uses stolen certificates to sign some Zupdax instances\r\nT1564.001 | Hide Artifacts: Hidden Files and Directories | Space Pirates can store its malware in hidden folders at C:\\ProgramData\r\nT1574.002 | Hijack Execution Flow: DLL Side-Loading | Space Pirates uses legitimate applications vulnerable to DLL side-loading\r\nT1620 | Reflective Code Loading | Space Pirates malware uses reflective loading to run payloads in memory\r\nCredential Access\r\nT1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Space Pirates uses the Chromepass tool to retrieve passwords from Chrome browser storage\r\nT1003.001 | OS Credential Dumping: LSASS Memory | Space Pirates gets LSASS process dumps for further credential dumping\r\nT1040 | Network Sniffing | Deed RAT collects information about in-use proxies through network sniffing\r\n
Discovery\r\nT1087.001 | Account Discovery: Local Account | Space Pirates collects information about users through the query user command\r\nT1087.002 | Account Discovery: Domain Account | Space Pirates collects information about users in the domain through the legitimate CSVDE tool\r\nT1082 | System Information Discovery | Space Pirates malware collects system information, including OS version, CPU, memory, and disk information\r\nT1614.001 | System Location Discovery: System Language Discovery | Deed RAT gets the language code identifier (LCID) during system information collection\r\nT1016 | System Network Configuration Discovery | Space Pirates collects information about the network settings of the infected machine\r\nT1069.002 | Permission Groups Discovery: Domain Groups | Space Pirates collects information about groups in the domain through the legitimate CSVDE tool\r\nT1083 | File and Directory Discovery | Space Pirates collects information about .doc and .pdf files in the system\r\nT1033 | System Owner/User Discovery | Space Pirates collects information about users of compromised computers\r\nT1057 | Process Discovery | Space Pirates uses the tasklist.exe tool to retrieve process information\r\nLateral Movement\r\nT1021.002 | Remote Services: SMB/Windows Admin Shares | Space Pirates uses the atexec.py and psexec.rb tools to move through the network\r\nCollection\r\nT1119 | Automated Collection | Space Pirates searches for and copies files with the masks *.doc and *.pdf\r\nT1560.001 | Archive Collected Data: Archive via Utility | Space Pirates zips stolen documents into password-protected archives using 7-Zip\r\nT1056.001 | Input Capture: Keylogging | Space Pirates malware can capture user input\r\n
Command and Control\r\nT1071.001 | Application Layer Protocol: Web Protocols | Deed RAT can encapsulate its protocol in HTTP and HTTPS\r\nT1071.004 | Application Layer Protocol: DNS | Deed RAT can encapsulate its protocol in DNS\r\nT1132.001 | Data Encoding: Standard Encoding | Space Pirates malware can compress network messages using the LZNT1 and LZW algorithms\r\nT1573.001 | Encrypted Channel: Symmetric Cryptography | Space Pirates malware can encrypt network messages using symmetric algorithms\r\nT1008 | Fallback Channels | Space Pirates malware supports multiple C2s and can update the C2 list through web pages\r\nT1095 | Non-Application Layer Protocol | Space Pirates malware uses its own protocols to communicate with the C2 server\r\nT1102.002 | Web Service: Bidirectional Communication | Space Pirates malware uses a combination of the voidtools forum and GitHub as the C\u0026C server\r\nT1105 | Ingress Tool Transfer | Space Pirates downloads additional utilities from the C2 server using the certutil tool\r\nT1571 | Non-Standard Port | Space Pirates uses non-standard ports, such as 8081, 5351, 63514, etc., to communicate with the C2 server\r\nT1572 | Protocol Tunneling | The Space Pirates group uses the dog-tunnel utility for traffic tunneling\r\nT1090.001 | Proxy: Internal Proxy | Deed RAT can discover and use proxies to connect to its C\u0026C\r\n
IOCs\r\nFile indicators\r\nDeed RAT\r\nVoidoor\r\nPlugX\r\nUSB stealer\r\nStowaway\r\nCHAOS\r\nNetwork indicators\r\nSource: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-a-look-into-the-group-s-unconventional-techniques-new-attack-vectors-and-tools/#id4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-a-look-into-the-group-s-unconventional-techniques-new-attack-vectors-and-tools/#id4"
	],
	"report_names": [
		"#id4"
	],
	"threat_actors": [
		{
			"id": "536ca49a-2666-4005-8a50-e552fc7e16ef",
			"created_at": "2023-11-21T02:00:07.375813Z",
			"updated_at": "2026-04-10T02:00:03.471967Z",
			"deleted_at": null,
			"main_name": "Webworm",
			"aliases": [
				"Space Pirates"
			],
			"source_name": "MISPGALAXY:Webworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8e385d36-06a2-4294-b3d3-01fe8e9d95f4",
			"created_at": "2022-10-25T16:07:24.219051Z",
			"updated_at": "2026-04-10T02:00:04.902017Z",
			"deleted_at": null,
			"main_name": "Space Pirates",
			"aliases": [
				"Erudite Mogwai",
				"Webworm"
			],
			"source_name": "ETDA:Space Pirates",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"BH_A006",
				"Chymine",
				"Darkmoon",
				"Deed RAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"MyKLoadClient",
				"Mydoor",
				"PCRat",
				"PCShare",
				"POISONPLUG.SHADOW",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SnappyBee",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434654,
	"ts_updated_at": 1775792016,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/da50697f1b61fc0d0d4fa6d1313b54563d11532d.pdf",
		"text": "https://archive.orkl.eu/da50697f1b61fc0d0d4fa6d1313b54563d11532d.txt",
		"img": "https://archive.orkl.eu/da50697f1b61fc0d0d4fa6d1313b54563d11532d.jpg"
	}
}