{
	"id": "42afe6c6-813c-4787-b8ff-affd535c108d",
	"created_at": "2026-04-06T00:16:29.655054Z",
	"updated_at": "2026-04-10T03:37:08.902244Z",
	"deleted_at": null,
	"sha1_hash": "dbd4ec4ef832aca953c71c0c9167c7d85677a673",
	"title": "New Ursnif Variant Targets Japan Packed with New Features",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2414673,
	"plain_text": "New Ursnif Variant Targets Japan Packed with New Features\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 17:28:22 UTC\r\nResearch by: Assaf Dahan\r\nThe Ursnif trojan (also known as Gozi ISFB) is one of the most prolific information stealing trojans in the cybercrime landscape. Since its reappearance in early 2013, it has been constantly evolving. In 2015, its source code was leaked and made publicly available on Github, which led to further development of the code by different threat actors who improved it and added new features.\r\nOver the past few years, Japan has been among the top countries targeted by Ursnif’s operators. In 2018, Cybereason as well as other security companies reported attacks where Ursnif (mainly the Dreambot variant) and Bebloh (also known as URLZone and Shiotob) were operating in conjunction. In these joint campaigns, Bebloh is used as a downloader that runs a series of tests to evaluate whether it is running in a hostile environment (for example, it checks whether it is running on a research VM). Once the coast is clear, it downloads Ursnif, which carries out its core information stealing functions.\r\nThe newly discovered Ursnif variant comes with enhanced stealing modules focused on stealing data from mail clients and email credentials stored in browsers. The revamping and introduction of new mail stealer modules put an emphasis on the risk that trojans pose to enterprises if corporate accounts are compromised. With more and more banking customers shifting to mobile banking and the continuous hardening of financial systems, it is not surprising that trojans are focusing more than ever on harvesting other types of data that can also be monetized and exploited by the threat actors, including mail user accounts, contents of email inboxes and digital wallets.\r\nContents of this Research:\r\n1. OLD-NEW TRICKS, NEW VARIANT\r\n2. 
STAGE ONE: PHISHING VIA OFFICE DOCUMENTS\r\nMODIFIED VBA MACRO TARGETS JAPANESE USERS\r\nOLD VBA COUNTRY CHECK\r\nNEW VBA COUNTRY CHECKS\r\n3. STAGE TWO: PARANOID POWERSHELL DOWNLOADER\r\nNEW LANGUAGE SETTING TEST\r\nGEO-IP LOCATION CHECK\r\nUSAGE OF STEGANOGRAPHY TO HIDE THE PAYLOAD IN PLAIN SIGHT\r\nPOWERSPLOIT REFLECTIVELY LOADS BEBLOH\r\n4. STAGE THREE: URSNIF'S LOADER\r\n5. STAGE FOUR: URSNIF CORE PAYLOAD CLIENT.DLL\r\nhttps://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features\r\nPage 1 of 29\n\n6. NOTABLE CHANGES IN CORE FUNCTIONALITY\r\nNEW STEALTHY PERSISTENCE MECHANISM\r\nDETAILED PERSISTENCE CREATION LOGIC\r\nDETAILED PERSISTENCE REMOVAL LOGIC\r\nCHANGES IN THE INFORMATION STEALING MODULES\r\nCHANGES IN THE MAIL STEALER FUNCTIONS\r\nCRYPTOCURRENCY AND ENCRYPTED DRIVES STEALER\r\n7. THWARTING SECURITY PRODUCTS MODULES\r\nANTI-PHISHWALL MODULE\r\nANTI-RAPPORT MODULE\r\n8. CONCLUSION\r\n9. INDICATORS OF COMPROMISE\r\nOld-New Tricks, New Variant\r\nSince the beginning of 2019, Cybereason researchers have observed a campaign that specifically targets Japanese users across multiple customer environments. This campaign introduced a new Ursnif variant as well as improved targeted delivery methods through Bebloh.\r\nThe main changes in Ursnif’s new variant:\r\n1. A new, stealthy persistence mechanism (“last minute persistence”).\r\n2. New, revamped stealing modules (“#IESTEALER#”, “#OLSTEALER#”, “#TBSTEALER#”).\r\n3. A cryptocurrency and disk encryption software module (e.g. Bitcoin, TrueCrypt).\r\n4. An Anti-PhishWall module to counteract PhishWall, a Japanese security product.\r\nEnhanced country-targeted delivery methods to ensure the delivery of Bebloh include:\r\n1. Modified VBA code that specifically checks for Japanese settings on the infected machine.\r\n2. PowerShell that compiles a .NET DLL to check language settings (Japanese).\r\n3. 
An added IP geolocation check to determine whether the infected machine is in Japan.\r\nThe following chart demonstrates the infection chain observed in the latest campaign:\r\nInfection chain as seen in the Cybereason Defense Platform.\r\nStage One: Phishing via Office Documents\r\nThe first stage of the attack starts with a weaponized Microsoft Office document attached to a phishing email:\r\nWhen the user opens the document, the Japanese text instructs the unsuspecting user to click on the Enable Content button. The user expects to see a preview of the document, but instead it executes the embedded macro code:\r\nWeaponized Excel document that encourages the user to click on Enable Content.\r\nModified VBA Macro Targets Japanese Users\r\nThe macro code is obfuscated and results in the execution of several PowerShell commands. However, before the PowerShell commands are decrypted and executed, the VBA macro checks if the victim machine has Japanese country settings. This technique was previously seen in 2018, but the attackers modified the code in this version to make it less obvious and harder to detect.\r\nOld VBA Country Check\r\nThe previous check, documented by Nao_Sec, consisted of comparing the country setting to the value of ‘81’ for Japan, using xlCountrySetting. 
If the machine doesn’t have Japanese settings, the macro code exits.\r\nNew VBA Country Checks\r\nThe new country check function in this variant makes it less obvious which country is being targeted; however, it can still be easily inferred with a bit of basic arithmetic. The new code reads the country setting, adds ‘960’ to it, and stores the result in a variable. In this case, the variable is opa (81 + 960 = 1041):\r\nThe SensitiveLine() function checks if the value of “opa” is greater than ‘1039.93’, in which case the macro code will continue. If not, the code will exit. The threshold is calculated as follows:\r\nThe value of xlBinsTypeBinSize (‘3’) * 347 - 1.07 = 1,039.93\r\nNote: Similar techniques were implemented in a campaign that targeted Italian users, which delivered a different Ursnif variant.\r\nStage Two: Paranoid PowerShell Downloader\r\nThe malicious cmd.exe spawned from an Excel process and seen executing two child processes, depicted within the Cybereason Defense Platform.\r\nOnce the macro code ensures that the machine is Japanese, it decrypts the PowerShell payload, sets it as environment variables, and executes the code:\r\nPowerShell code hidden in environment variables.\r\nSnipped PowerShell code.\r\nThe code is heavily obfuscated and contains a set of additional tests to ensure that the targeted machine not only has Japanese settings, but is also physically located in Japan, prior to downloading Bebloh’s payload.\r\nNew Language Setting Test\r\nThe malicious PowerShell process is identified within the Cybereason Defense Platform with parent and child processes. 
\r\nBefore downloading the payload, the PowerShell code runs a final language check to ensure the target is indeed Japanese. It matches the result of the Omk() function against ‘j’, for Japanese:\r\nThe compiled .NET file is dropped in the %temp% folder:\r\nThe decompiled code shows the Omk() function that checks the CultureInfo.CurrentCulture property:\r\nGeo-IP Location Check\r\nThe downloader’s last test is a geolocation test using the ipinfo.io API to verify that the IP address is Japanese:\r\nDetecting country by IP geolocation.\r\nUsage of Steganography to Hide the Payload in Plain Sight\r\nOnce all the checks are done, the PowerShell code downloads an image file hosted on an image sharing website such as Imgur or postimage.cc: hxxps://i.imgur[.]com/96vV0YR[.]png\r\nEven the images have a Japanese theme. 
^_^\r\nThe embedded content is decrypted by the following PowerShell code, which is based on the Invoke-PSImage steganography project:\r\nPowerSploit Reflectively Loads Bebloh\r\nThe decrypted PowerShell code embedded in the image is based on the PowerSploit framework and uses its reflective PE injection module, Invoke-ReflectivePEInjection, to load and execute Bebloh’s code in memory:\r\nExcerpt from decrypted content hidden in the downloaded image.\r\nThe unpacked payload dumped from the injected explorer.exe indicates that the payload is in fact Bebloh:\r\nOnce Bebloh is injected into explorer.exe, it downloads Ursnif’s loader payload from the C2 server:\r\nBebloh drops Ursnif, depicted through a malicious PowerShell process and child processes shown in the Cybereason Defense Platform.\r\nStage Three: Ursnif’s Loader\r\nThe malicious gyehtuegg.exe (Ursnif Loader) spawns an instance of explorer.exe, depicted in the Cybereason Defense Platform.\r\nUrsnif’s loader unpacks the main payload (client.dll / client64.dll), which is embedded in the loader’s PE resource section (RT_RCDATA):\r\n32-bit and 64-bit versions of client.dll.\r\nPrior to its decryption, the loader conducts a series of tests to determine whether it is running in a hostile environment, namely, whether it is being debugged or run in a sandbox or virtual machine. 
For example, Bebloh runs the following checks:\r\nA Xeon CPU check to determine whether it is running on a server, laptop, or PC.\r\nA virtualization vendor check to determine whether it is running in vbox, qemu, vmware or on a virtual HD.\r\nA timing check (RDTSC with CPUID to force a VM exit and to thwart debuggers and sandboxes).\r\nThe following is an example of virtualization checks using the SetupDiGetClassDevsA() and SetupDiGetDeviceRegistryPropertyA() APIs to query hardware information stored in the Windows registry:\r\nIf any of the above tests returns positive, the loader displays an error message and terminates the process:\r\nError message displayed upon VM detection.\r\nIf all the tests check out, it proceeds to inject Ursnif’s core DLL into the main explorer.exe process.\r\nStage Four: Ursnif Core Payload client.dll\r\nThe injected DLL payload includes an interesting PDB path of client64.dll, suggesting that it is Gozi ISFB version 3:\r\nPDB path: c:\\isfb3\\x64\\Release\\client.pdb\r\nIts build number (version number) extracted from memory indicates that its version is “300035”:\r\nThe compilation date is 22/02/2019, which also suggests that it was compiled recently:\r\nWe have found an earlier sample of the same variant in the wild with a compilation timestamp that dates to July 2018, suggesting that the variant first emerged in 2018:\r\nNotable Changes in Core Functionality\r\nThroughout the years, Ursnif’s original code has changed to introduce different strains and new features. 
For a detailed analysis of Ursnif’s previous versions and functionality, please see the following write-ups by Vitali Kremez, Mamoru Saito and Maciej Kotowicz.\r\nBased on our code analysis, the newly observed variant bears great resemblance to the Dreambot variant. However, it lacks some commonly observed built-in features like the Tor client and VNC module. The new variant exhibits several new or revamped features, such as:\r\nA new persistence mechanism (last minute persistence that resembles Dridex’s persistence).\r\nRevamped and new stealer modules (IE Stealer, Outlook Stealer, Thunderbird Stealer).\r\nA cryptocurrency and disk encryption software module.\r\nAn Anti-PhishWall module to counteract PhishWall, a Japanese security product.\r\nNew Stealthy Persistence Mechanism\r\nOne of the most noticeable changes observed in this new variant is the implementation of a new persistence mechanism designed to evade detection.\r\nThe newly observed persistence mechanism is based on the \"last minute persistence\" model. This model creates its persistence at the very last moment before the system shuts down. Once the system is rebooted and the loader injects the core DLL into explorer.exe, it immediately deletes its registry autorun key along with the files stored in %appdata%. Similar implementations have been used by the Dridex and Bebloh banking trojans in the past.\r\nIt is interesting to note that the above-mentioned persistence is different from the fileless persistence mechanism reported by Cisco and other researchers between December 2018 and February 2019. The previous technique relied on a PowerShell script stored in the registry. Upon boot, it dynamically loads and injects the core DLL into explorer.exe using the QueueUserAPC injection technique. 
\r\nThe following chart demonstrates the “last minute persistence” creation and removal logic on an infected machine:\r\nDetailed Persistence Creation Logic\r\nThe malware creates an invisible window used for internal communication between the trojan’s different components:\r\nUrsnif uses this window, among other things, to catch the WM_QUERYENDSESSION message. This message is typically sent when the system is about to shut down, thus alerting the malware of an imminent shutdown:\r\nOnce Ursnif is made aware of the shutdown message, it creates an autorun registry key along with files in the %appdata% folder, based on information found in the Install key at HKCU\\Software\\AppDataLow\\Software\\Microsoft\\{GUID}\\Install\r\nBooting the machine in Safe Mode can reveal the created persistence, as it prevents any program from running automatically when the user logs on:\r\n.lnk and .exe files in %appdata% created before the system shuts down.\r\nRegistry autorun key created before the system shuts down.\r\nDetailed Persistence Removal Logic\r\nOnce the system boots and the user is logged on, the loader runs and injects the core DLL into explorer.exe. 
Once the trojan’s code runs:\r\nIt checks for the existence of the “ProgMan” window, indicating that the explorer.exe process is running:\r\nIt checks whether the malware code is running from the same process (explorer.exe), likely as an anti-debugging measure:\r\nIt deletes the registry keys and the %appdata% folder where the .lnk and .exe files exist, based on the Install key in HKCU\\Software\\AppDataLow\\Software\\Microsoft\\{GUID}.\r\nChanges in the Information Stealing Modules\r\nThe new variant (V3) exhibits changes in the code of its stealer modules in comparison with:\r\nDreambot (unpacked client.dll - 2bcb80182ed4ca4701ab0bcd750d5aacac83d77)\r\nGozi ISFB 2.16 / 2.17 (unpacked client.dll - 74e7453b33119de1862294e03bf86cc7623d558b)\r\nChanges in the Mail Stealer Functions\r\nThe new variant’s mail stealing functionality seems to have undergone a major update that includes enhancements and some new functionality, like a Microsoft Outlook stealer, an Internet Explorer stealer, and a Mozilla Thunderbird stealer.\r\nExcerpt of the mail stealer’s main function.\r\nThe following comparative chart demonstrates the changes to the main mail stealing functions between recent variants:\r\n#OLSTEALER# - the Revamped Outlook Stealer\r\nThe new OLSTEALER module enumerates stored Microsoft Outlook accounts on the infected machine:\r\nThis new variant adds support for multiple Microsoft Outlook versions, as opposed to previous versions that typically supported one or two versions:\r\nIn addition, it adds the capability to locate Microsoft Outlook’s .PST and .OST files:\r\n#TBSTEALER# - Mozilla Thunderbird 
Stealer\r\nThis variant adds the capability to steal data from the Mozilla Thunderbird mail client, stored in:\r\nThunderbird stored credentials (logins.json)\r\nThunderbird personal address book (abook.mab)\r\nExtracting Thunderbird user credentials.\r\n#IESTEALER# - Internet Explorer Stealer\r\nThe newly added, built-in module steals data stored in Internet Explorer, such as:\r\nHKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs (AutoComplete typed URLs)\r\nHKCU\\Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2 (AutoComplete data, including stored credentials)\r\nCLSID_CUrlHistory (browsing history)\r\nCryptocurrency and Encrypted Drives Stealer\r\nThe new variant seems to add the ability to steal data from cryptocurrency wallets as well as disk encryption software:\r\nDigital currency wallets:\r\nElectrum Bitcoin wallet, Bitcoin wallet, Multibit-hd (a deprecated Bitcoin wallet), Bither Bitcoin wallet, mSigna Bitcoin wallet, Jaxx multi-currency digital wallet, and Bitcoin Armory wallet.\r\nDisk encryption tools:\r\nVeraCrypt disk encryption software, TrueCrypt disk encryption utility (a discontinued utility)\r\nThwarting Security Products Modules\r\nAnti-PhishWall Module\r\nThe new variant adds a built-in anti-PhishWall module to its capabilities. PhishWall is an anti-phishing and anti-MITB (Man-in-the-Browser) product created by the Japanese cybersecurity company SecureBrain. The product is quite popular in Japan and is even recommended by several banks and financial institutions as a protection against banking trojans, and more specifically, Gozi. 
\r\nIn light of the product’s popularity in Japan, it is not surprising that the new Ursnif variant added an Anti-PhishWall module, as other trojans such as Shifu and Bebloh have done in the past.\r\nThis module runs extensive tests to detect and disable the PhishWall product and browser plugin:\r\n1. It checks the registry for the presence of the PhishWall key. If it is present, it locates the sbpwu.exe process and terminates it.\r\n2. It checks for a second process (“PhishWall5.1.exe”) and attempts to terminate it.\r\n3. It enumerates Firefox’s browser extensions for the PhishWall extension “\\extensions\\info.asia@securebrain.co.jp.xpi”. If it finds it, it will attempt to terminate Firefox.\r\n4. Lastly, it attempts to locate the following CLSIDs in the registry, which are associated with PhishWall:\r\n8CA7E745-EF75-4E7B-BB86-8065C0CE29CA\r\nBB62FFF4-41CB-4AFC-BB8C-2A4D4B42BBDC\r\nImportant note: The author of this article did not test the Anti-PhishWall code and cannot attest to its validity or quality.\r\nAnti-Rapport Module\r\nWhile Ursnif’s alleged Anti-Rapport module is not new, it is quite rare to see this module among the variants that have hit Japan recently. Rapport is an endpoint protection product by IBM’s Trusteer. Over the years, there have been several types of malware that claimed to bypass or disable Rapport.\r\nThis Ursnif variant comes with an Anti-Rapport module which seems heavily based on Carberp’s Anti-Rapport code. 
This code was leaked in 2013 and is publicly available on Github.\r\nExcerpt from the Anti-Rapport code found in the new variant:\r\nThe variant’s code shows great resemblance to Carberp’s code on Github:\r\nImportant note: The author of this article did not test the Anti-Rapport code and cannot attest to its validity or quality.\r\nConclusion\r\nUrsnif and Bebloh continue to be among the most common information stealing trojans that target Japanese users. The development cycle and the introduction of targeted delivery techniques and variants observed in Japan are quite frequent: tactics change every one to two months in an attempt to evade detection by traditional security products and some sandbox solutions.\r\nWhat stands out in these campaigns is the great effort made by threat actors to target Japanese users, using multiple checks to verify that the targeted users are Japanese. These multiple tests prove to be quite effective not only in targeting the right crowd, but also in evading security products such as sandboxes, since the malicious code will not run unless the country/language settings are properly configured. We assess that this new wave of country-based targeted delivery is likely to become more and more popular in future campaigns.\r\nLastly, our research demonstrates that the new variant seems to be quite unique and customized for Japan. It comes with robust information stealing features that focus on mail data, a new evasive persistence mechanism and a module to bypass a Japanese security product. Some of the new features of this variant seem to draw inspiration from other trojans that are popular in Japan, such as Bebloh and Shifu. 
According to Cybereason's telemetry, this variant has been spotted only in Japan so far. It will be interesting to see whether this new strain of Ursnif emerges in other geographical regions.\r\nWe have an on-demand webinar all about this research online. Check out our live webinar on the discovery.\r\nIndicators of Compromise\r\nExcel Document (Macro)\r\n.NET language checker\r\nEttivyph.dll - 14181A8F9ACF8B3C55076BEF21217EAF83062B5A\r\nUrsnif Loader (1st Stage):\r\nUnpacked Loader (dumped from memory)\r\n1BB1BDA50D3C7BAD92872C4FE334203FB706E7C3\r\nClient64.dll (dumped from memory)\r\n8F6536397DC5E0D7699A1B2FDE87220C5D364A20\r\nB6CB96E57951C123B9A5F5D6E75455AFF9648BCB\r\nClient.dll (dumped from memory)\r\n35F7AD2300690E0EB95F6F327ACA57354D8103FF\r\nDomains\r\nSteganography 
URLs\r\nhxxps://i.imgur[.]com/96vV0YR[.]png\r\nhxxp://oi65[.]tinypic[.]com/2z8thcz[.]jp\r\nSource: https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features"
	],
	"report_names": [
		"new-ursnif-variant-targets-japan-packed-with-new-features"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434589,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dbd4ec4ef832aca953c71c0c9167c7d85677a673.pdf",
		"text": "https://archive.orkl.eu/dbd4ec4ef832aca953c71c0c9167c7d85677a673.txt",
		"img": "https://archive.orkl.eu/dbd4ec4ef832aca953c71c0c9167c7d85677a673.jpg"
	}
}