{
	"id": "e38458e5-c33b-4391-a145-0cd64a5f4b73",
	"created_at": "2026-04-06T00:12:47.63922Z",
	"updated_at": "2026-04-10T03:24:29.11327Z",
	"deleted_at": null,
	"sha1_hash": "dd3c03359ef87f6bd0e5119aa66bc02dd86f36d9",
	"title": "Opachki, from (and to) Russia with love - SANS ISC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58369,
	"plain_text": "Opachki, from (and to) Russia with love - SANS ISC\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 19:01:54 UTC\r\nOpachki is a pretty interesting link-hijacking trojan that has been spreading quite a bit in the last couple of weeks. I\r\nstarted analyzing it a couple of days ago and noticed that in the meantime Joe Stewart of SecureWorks had posted his\r\nanalysis as well (available here).\r\nThere are some very interesting things about Opachki, so let me start at the beginning. The trojan is distributed\r\nwith a dropper which, when infecting the system, drops a DLL file. Both the dropper and the DLL file are packed\r\nwith a packer called \"Mystic Compressor\". Besides this, the trojan never actually decrypts all strings in memory\r\nbut calls a function to decrypt only what it needs and immediately deletes the data once it is no longer needed. Finally,\r\nthe packer destroys the PE header data in memory to make dumping more difficult.\r\nBesides dropping the DLL, the dropper also does one very nasty thing: it completely deletes the SafeBoot\r\nregistry key by calling reg.exe, as shown in the screenshot below:\r\nThis prevents the system from booting in Safe Mode. The attackers did this to make it more difficult to remove\r\nthe trojan. This goes well with what I've always been saying: do not try to clean an infected machine, always\r\nreimage it.\r\nAs Opachki's main goal is to hijack links, it hooks the send and recv API calls in the following programs:\r\nFIREFOX.EXE, IEXPLORE.EXE, OPERA.EXE and QIP.EXE. While the first three are well known, I had to\r\ninvestigate the last one. It turned out that QIP.EXE is an ICQ client that is very popular in Russia, so the trojan has\r\na component that directly targets Russian users.\r\nThe trojan monitors the web traffic (requests and responses) that the above-mentioned applications make and\r\ninjects a malicious script tag into every response. 
The injected script tag can actually be seen in the browser (by\r\nselecting the view source option), as in the image below:\r\nThis causes the browser to request a script from the site shown (google-analystisks.us), which is still live at the time of writing\r\nthis diary. The site serves back a JavaScript file which modifies all links in the currently displayed web page so they\r\nare redirected to a third site (http://thefeedwater.com/?do=rphp\u0026sub=241\u0026b= when I posted the diary). The PHP\r\nscript at the google-analystisk.us web site is interesting as well: if you try to retrieve it directly you'll get an error\r\nback, so you have to supply a Referer header. It also checks whether you came from a search engine (e.g. Google) and\r\nreturns a different JavaScript file in that case, so it steals search queries as well.\r\nFinally, Opachki performs another interesting action: it checks whether the system is already infected with ZEUS\r\nand will remove ZEUS' files (rename them to C:\\ntldrs). It checks for all four ZEUS versions by verifying the\r\npresence of the following files: C:\\WINDOWS\\system32\\ntos.exe, C:\\WINDOWS\\system32\\oembios.exe,\r\nC:\\WINDOWS\\system32\\twext.exe and C:\\WINDOWS\\system32\\sdra64.exe. I don't know why they do this; it could\r\nbe that they are hijacking ZEUS, simply competing for the same machines, or using the same attack vectors as the\r\nZEUS crew.\r\nThe whole story about Opachki shows that the bad guys are prepared to invest a lot of effort into building\r\nmalware. Removing such a trojan is not simple and I would recommend reimaging the machine, as the trojan puts\r\na lot of effort into making removal difficult. 
As the trojan is specifically attacking Russian users (among\r\nothers), it is probably safe to assume that it originates from Russia as well.\r\nFinally, this shows that the bad guys are (probably) making good money just by hijacking links and clicks.\r\n--\r\nBojan\r\nINFIGO IS\r\nSource: https://isc.sans.edu/diary/Opachki%2C+from+%28and+to%29+Russia+with+love/7519",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/diary/Opachki%2C+from+%28and+to%29+Russia+with+love/7519"
	],
	"report_names": [
		"7519"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434367,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dd3c03359ef87f6bd0e5119aa66bc02dd86f36d9.pdf",
		"text": "https://archive.orkl.eu/dd3c03359ef87f6bd0e5119aa66bc02dd86f36d9.txt",
		"img": "https://archive.orkl.eu/dd3c03359ef87f6bd0e5119aa66bc02dd86f36d9.jpg"
	}
}
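Added example, appended after the record above; it is not code from the ISC diary, from SecureWorks or from the trojan's authors. It turns the indicators the diary quotes (the injected script host google-analystisks.us, the four ZeuS file names, the C:\ntldrs rename target and the SafeBoot registry key) into offline triage checks. Because Opachki injects its tag by hooking send/recv in the browser rather than by compromising a web site, the same foreign script host shows up in responses from unrelated sites, and that recurrence is what the network-side check keys on. All inputs (response bodies, a file listing, a registry key listing) are constructed here; the spelling of the script host follows the diary, and the parent-key name for SafeBoot is an assumption about the key the dropper removes.

```python
"""Offline triage for the Opachki indicators quoted in the ISC diary.

Added example, not code from the diary or from the malware's authors. All
inputs below are constructed so the checks run without access to a host.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hostname of the injected <script> tag as quoted in the diary (spelled two ways there).
OPACHKI_SCRIPT_HOSTS = {"google-analystisks.us", "google-analystisk.us"}

# ZeuS files the trojan looks for, and the name it renames them to, from the diary.
ZEUS_FILES = {
    r"c:\windows\system32\ntos.exe",
    r"c:\windows\system32\oembios.exe",
    r"c:\windows\system32\twext.exe",
    r"c:\windows\system32\sdra64.exe",
}
ZEUS_RENAME_TARGET = r"c:\ntldrs"
# Assumed full path of the key the dropper deletes with reg.exe; without it Safe Mode fails.
SAFEBOOT_KEY = r"hklm\system\currentcontrolset\control\safeboot"


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag in a response body."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def external_script_hosts(body, page_url):
    """Hosts of <script src> tags that do not point back at the page's own host."""
    page_host = urlsplit(page_url).hostname.lower()
    parser = _ScriptSrcCollector()
    parser.feed(body)
    hosts = set()
    for src in parser.srcs:
        host = urlsplit(src.strip()).hostname  # None for relative srcs, i.e. same origin
        if host and host.lower() != page_host:
            hosts.add(host.lower())
    return hosts


def client_side_injection_suspects(responses, min_sites=2):
    """Script hosts that recur on pages from at least min_sites unrelated sites.

    A compromised site carries a foreign script on that site only; a hook in the
    browser's send/recv, as Opachki installs, stamps the same tag on every site.
    Returns {script_host: {page hosts it was seen on}}.
    """
    seen = {}
    for page_url, body in responses:
        page_host = urlsplit(page_url).hostname.lower()
        for host in external_script_hosts(body, page_url):
            seen.setdefault(host, set()).add(page_host)
    return {h: s for h, s in seen.items() if len(s) >= min_sites}


def known_opachki_hosts(responses):
    """Subset of the suspects matching the hostname quoted in the diary."""
    return set(client_side_injection_suspects(responses)) & OPACHKI_SCRIPT_HOSTS


def host_indicators(file_paths, registry_keys):
    """Check a file listing and a registry key listing for the diary's host artifacts."""
    files = {p.lower() for p in file_paths}
    keys = {k.lower() for k in registry_keys}
    return {
        "zeus_files": sorted(files & ZEUS_FILES),
        "zeus_renamed": ZEUS_RENAME_TARGET in files,
        "safeboot_missing": SAFEBOOT_KEY not in keys,
    }


# Constructed samples: two unrelated sites carrying the same foreign tag, plus one clean page.
SAMPLE_RESPONSES = [
    ("http://www.example.com/",
     "<html><body><a href='/x'>x</a>"
     "<script src='http://google-analystisks.us/ga.php'></script></body></html>"),
    ("http://news.example.org/story?id=1",
     "<html><body><script src='/js/site.js'></script>"
     '<script src="//google-analystisks.us/ga.php"></script></body></html>'),
    ("http://www.example.com/clean",
     "<html><body><script src='/js/app.js'></script></body></html>"),
]
# Constructed host listings: one ZeuS file, the rename target present, SafeBoot key absent.
SAMPLE_FILES = [r"C:\WINDOWS\system32\oembios.exe", r"C:\ntldrs", r"C:\WINDOWS\explorer.exe"]
SAMPLE_KEYS = [r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"]

if __name__ == "__main__":
    print(client_side_injection_suspects(SAMPLE_RESPONSES))
    print(known_opachki_hosts(SAMPLE_RESPONSES))
    print(host_indicators(SAMPLE_FILES, SAMPLE_KEYS))
```

The network check works on any captured set of (page URL, response body) pairs, for example from a proxy log; a host that recurs across unrelated sites is worth investigating even when it is not on the known-indicator list, since the injected hostname is trivially changed by the operators. The host check is a post-mortem aid for a disk image or exported registry hive, not a cleaning tool; the diary's advice to reimage still stands.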