{
	"id": "36b47950-a2fc-4eb3-9491-7801c00fb91f",
	"created_at": "2026-04-06T00:08:23.818927Z",
	"updated_at": "2026-04-10T13:11:30.466905Z",
	"deleted_at": null,
	"sha1_hash": "db0ca0e06278a4f1d2c65935c2000518ee4376e8",
	"title": "Blackwood APT Group Has a New DLL Loader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 411544,
	"plain_text": "Blackwood APT Group Has a New DLL Loader\r\nPublished: 2024-01-29 · Archived: 2026-04-05 18:10:53 UTC\r\nOverview\r\nThis week, the SonicWall Capture Labs threat research team analyzed a sample tied to the Blackwood APT group. It is a DLL that, once loaded on a victim's computer, tries to escalate privileges and install a backdoor for monitoring and diverting communications. It has evasive capabilities and, as of this writing, is targeting companies and individuals in Japan and China.\r\nTechnical Overview\r\nThe sample is a 32-bit DLL (Figure 1) with no packer or protector. It has few strings and no obvious obfuscation or encryption.\r\nFigure 1: Sample detection\r\nThe strings include several API names of concern, GetCurrentProcessId, OpenProcess and VirtualAlloc among them, a combination commonly used to inject code into another process. Two file names are also present: ‘333333333333333.txt’ and ‘Update.ini’, as shown in Figure 2.\r\nhttps://blog.sonicwall.com/en-us/2024/01/blackwood-apt-group-has-a-new-dll-loader/\r\nPage 1 of 4\r\nFigure 2: Static string detection\r\nThe original file name is ‘agent.dll’ (Figure 3), and the DLL has a single anonymous export: it has no name in the export table, so every tool shows it only by ordinal.\r\nFigure 3: Original name and anonymous export\r\nDuring dynamic analysis, the sample's anti-analysis checks prevent most of its functionality from being observed.\r\n
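Added example (not code from the SonicWall post): a standard-library Python parser for the PE export directory that lists every export and flags those which carry an ordinal but no name, the kind of anonymous export described above for agent.dll. The DLL it parses is constructed in build_sample_dll(), a header skeleton with two exports (a nameless ordinal 1 at RVA 0x1A70 and a named ordinal 2); those RVAs, the export name DllRegisterServer and all helper names are assumptions made for illustration, not details from the sample.

```python
import struct

# Added example, not from the SonicWall post. Parses IMAGE_EXPORT_DIRECTORY by hand
# (no pefile dependency) so that nameless, ordinal-only exports can be reported.

SECTION_HDR = '<8sIIII'       # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
EXPORT_DIR = '<IIHHIIIIIII'   # IMAGE_EXPORT_DIRECTORY, 40 bytes


def _sections(pe, e_lfanew, count, size_opt):
    base = e_lfanew + 24 + size_opt          # section table follows the optional header
    out = []
    for i in range(count):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(SECTION_HDR, pe, base + 40 * i)
        out.append((name.rstrip(bytes(1)), va, max(vsize, rawsize), rawptr))
    return out


def _rva_to_off(sections, rva):
    for _name, va, size, rawptr in sections:
        if va <= rva < va + size:
            return rva - va + rawptr
    raise ValueError(f'RVA {rva:#x} is not backed by any section')


def _cstr(pe, off):
    return pe[off:pe.index(0, off)].decode('ascii', 'replace')


def parse_exports(pe):
    '''Return (dll_name, [{ordinal, rva, name}]) for a PE32 or PE32+ image; name is None when absent.'''
    if pe[:2] != b'MZ':
        raise ValueError('missing MZ header')
    e_lfanew = struct.unpack_from('<I', pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        raise ValueError('missing PE signature')
    nsec = struct.unpack_from('<H', pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from('<H', pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from('<H', pe, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)        # DataDirectory offset, PE32 vs PE32+
    exp_rva, _exp_size = struct.unpack_from('<II', pe, dd)
    if exp_rva == 0:
        return None, []
    secs = _sections(pe, e_lfanew, nsec, size_opt)
    (_c, _t, _maj, _min, name_rva, base, nfuncs, nnames,
     funcs_rva, names_rva, ords_rva) = struct.unpack_from(EXPORT_DIR, pe, _rva_to_off(secs, exp_rva))
    names = {}                                        # function index -> exported name
    for i in range(nnames):
        idx = struct.unpack_from('<H', pe, _rva_to_off(secs, ords_rva) + 2 * i)[0]
        nrva = struct.unpack_from('<I', pe, _rva_to_off(secs, names_rva) + 4 * i)[0]
        names[idx] = _cstr(pe, _rva_to_off(secs, nrva))
    exports = []
    for i in range(nfuncs):
        frva = struct.unpack_from('<I', pe, _rva_to_off(secs, funcs_rva) + 4 * i)[0]
        if frva == 0:                                 # unused slot in the ordinal table
            continue
        exports.append({'ordinal': base + i, 'rva': frva, 'name': names.get(i)})
    return _cstr(pe, _rva_to_off(secs, name_rva)), exports


def anonymous_exports(pe):
    '''Ordinals of exports with no name, which tools can only display as an ordinal.'''
    return [e['ordinal'] for e in parse_exports(pe)[1] if e['name'] is None]


def build_sample_dll():
    '''Constructed 32-bit DLL skeleton: one .rdata section at RVA 0x1000 (file offset 0x200)
    holding an export table with a nameless ordinal 1 and a named ordinal 2.'''
    rva, off = 0x1000, 0x200
    # Section body layout: 0x00 export dir, 0x28 functions, 0x30 names, 0x34 name ordinals,
    # 0x36 dll name, 0x40 export name.
    body = bytearray(0x100)
    struct.pack_into(EXPORT_DIR, body, 0, 0, 0, 0, 0, rva + 0x36, 1, 2, 1,
                     rva + 0x28, rva + 0x30, rva + 0x34)
    struct.pack_into('<II', body, 0x28, 0x1A70, 0x1200)   # ordinal 1 -> 0x1A70, ordinal 2 -> 0x1200
    struct.pack_into('<I', body, 0x30, rva + 0x40)        # one name entry, for function index 1
    struct.pack_into('<H', body, 0x34, 1)
    body[0x36:0x36 + 9] = b'agent.dll'
    body[0x40:0x40 + 17] = b'DllRegisterServer'
    dos = b'MZ' + bytes(58) + struct.pack('<I', 0x40)     # e_lfanew = 0x40
    filehdr = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, one section, DLL
    opthdr = bytearray(224)
    struct.pack_into('<H', opthdr, 0, 0x10B)              # PE32 magic
    struct.pack_into('<I', opthdr, 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into('<II', opthdr, 96, rva, 0x4C)        # export directory RVA and size
    sechdr = (struct.pack(SECTION_HDR, b'.rdata', len(body), rva, len(body), off)
              + bytes(12) + struct.pack('<I', 0x40000040))
    hdrs = dos + b'PE' + bytes(2) + filehdr + bytes(opthdr) + sechdr
    return bytes(hdrs.ljust(off, bytes(1))) + bytes(body)


if __name__ == '__main__':
    sample = build_sample_dll()
    print(parse_exports(sample), 'anonymous:', anonymous_exports(sample))
```

Run against a real file with parse_exports(open(path, 'rb').read()); an export whose name is None is exactly what the post describes, and a DLL whose only export is nameless is worth a closer look.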
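Added example (not code from the SonicWall post): the elevation moniker strings of the form Elevation:Administrator!new:{CLSID} that the sample builds for its UAC bypass are assembled at runtime, so they are best hunted in memory dumps rather than in the file. This Python scanner finds such monikers in ASCII and UTF-16LE byte buffers, reports the CLSIDs, and separates the two CLSIDs quoted in the post from any others; is_auto_elevating() additionally checks, on Windows only, whether a CLSID carries the Elevation/Enabled registry flag that auto-elevating COM classes have. The memory image in build_sample_dump(), the all-zero CLSID and the function names are constructed for this demo.

```python
import re
import sys

# Added example, not from the SonicWall post. Hunts COM elevation monikers in raw bytes.

GUID = '[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}'
MONIKER_RE = re.compile('Elevation:Administrator!new:[{](' + GUID + ')[}]')

# CLSIDs the post reports the sample building monikers for; nothing more is assumed about them.
REPORTED_CLSIDS = {
    'FCC74B77-EC3E-4DD8-A80B-008A702075A9',
    'F885120E-3789-4FD9-865E-DC9B4A6412D2',
}


def _views(buf):
    '''Yield (encoding, text) views of raw bytes: latin-1 for narrow strings and
    UTF-16LE at both byte alignments for wide strings.'''
    yield 'ascii', buf.decode('latin-1')
    for shift in (0, 1):
        yield 'utf-16le', buf[shift:].decode('utf-16-le', 'ignore')


def find_elevation_monikers(buf):
    '''Return a sorted list of (clsid, encoding) pairs found in buf.'''
    hits = set()
    for enc, text in _views(buf):
        for m in MONIKER_RE.finditer(text):
            hits.add((m.group(1).upper(), enc))
    return sorted(hits)


def triage(buf):
    '''Split findings into CLSIDs named in the report and any others.'''
    found = find_elevation_monikers(buf)
    clsids = {c for c, _ in found}
    return {'reported': sorted(clsids & REPORTED_CLSIDS),
            'other': sorted(clsids - REPORTED_CLSIDS),
            'hits': found}


def is_auto_elevating(clsid):
    '''On Windows, read HKCR CLSID {clsid} Elevation, value Enabled; None on other platforms.'''
    if sys.platform != 'win32':
        return None
    import winreg
    key = 'CLSID' + chr(92) + '{' + clsid + '}' + chr(92) + 'Elevation'   # chr(92) is a backslash
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, key) as k:
            return winreg.QueryValueEx(k, 'Enabled')[0] == 1
    except OSError:
        return False


def build_sample_dump():
    '''Constructed memory image: one narrow moniker, one UTF-16LE moniker starting at an
    odd byte offset, one moniker with a CLSID not in the report, and filler bytes.'''
    a = b'Elevation:Administrator!new:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}'
    w = 'Elevation:Administrator!new:{f885120e-3789-4fd9-865e-dc9b4a6412d2}'.encode('utf-16-le')
    o = b'Elevation:Administrator!new:{00000000-0000-0000-0000-000000000001}'
    return bytes(range(256)) + a + bytes(7) + w + bytes(3) + o + bytes(16)


if __name__ == '__main__':
    print(triage(build_sample_dump()))
```

Point it at a process dump with triage(open(path, 'rb').read()); any CLSID in the other list that is_auto_elevating() reports as True on the host is a new elevated COM target worth documenting.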
It will look for debuggers, processor features and security settings in the registry (Figure 4). There are also locale checks; if they fail, the process is killed.\r\nFigure 4: WMI registry keys being queried for security checks\r\nThe anonymous export at address 0x10001A70 calls sub_10001990, which launches ‘rundll32.exe’ as the target for process injection, as shown in Figure 5.\r\nFigure 5: Export address calls sub_10001990, which creates ‘rundll32.exe’\r\nForcing execution past the anti-analysis checks exposes a UAC bypass attempt: the DLL tries to escalate privileges through the CMSTPLUA interface by building the following elevation moniker strings at runtime, as shown in Figures 6 and 7:\r\nElevation:Administrator!new:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}\r\nElevation:Administrator!new:{F885120E-3789-4FD9-865E-DC9B4A6412D2}\r\nhttps://gist.github.com/hfiref0x/196af729106b780db1c73428b5a5d68d\r\nFigures 6 (top) and 7 (bottom): A function creates GUIDs for privilege escalation\r\nThe two file names found in the strings are also referenced at runtime (Figure 8), but despite multiple attempts at controlling execution, neither file was observed on the test systems.\r\nFigure 8: Update.ini is referenced but never created\r\nProtection\r\nTo ensure SonicWall customers are prepared for any exposure that may occur due to this malware, the following signature has been released:\r\nMalAgent.Blackwood\r\nIOCs\r\nSHA256: 72B81424D6235F17B3FC393958481E0316C63CA7AB9907914B5A737BA1AD2374\r\nSource: https://blog.sonicwall.com/en-us/2024/01/blackwood-apt-group-has-a-new-dll-loader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.sonicwall.com/en-us/2024/01/blackwood-apt-group-has-a-new-dll-loader/"
	],
	"report_names": [
		"blackwood-apt-group-has-a-new-dll-loader"
	],
	"threat_actors": [
		{
			"id": "c13153a4-8dda-4cc5-ac31-c9ca25f3563c",
			"created_at": "2024-02-01T02:00:04.227755Z",
			"updated_at": "2026-04-10T02:00:03.522787Z",
			"deleted_at": null,
			"main_name": "Blackwood",
			"aliases": [],
			"source_name": "MISPGALAXY:Blackwood",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0770ba43-efad-4f73-a5e4-21621a5ac86e",
			"created_at": "2024-03-08T02:02:14.61239Z",
			"updated_at": "2026-04-10T02:00:04.585473Z",
			"deleted_at": null,
			"main_name": "Blackwood",
			"aliases": [],
			"source_name": "ETDA:Blackwood",
			"tools": [
				"NSPX30"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434103,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db0ca0e06278a4f1d2c65935c2000518ee4376e8.pdf",
		"text": "https://archive.orkl.eu/db0ca0e06278a4f1d2c65935c2000518ee4376e8.txt",
		"img": "https://archive.orkl.eu/db0ca0e06278a4f1d2c65935c2000518ee4376e8.jpg"
	}
}