{
	"id": "a61d477e-aa1c-4c6a-9874-dc64f1325b57",
	"created_at": "2026-04-06T00:10:28.369279Z",
	"updated_at": "2026-04-10T03:26:56.232613Z",
	"deleted_at": null,
	"sha1_hash": "e04331c243053b02f2919759edc0d5079cb554d4",
	"title": "The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3254288,
	"plain_text": "The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks\r\nBy Adrian McCabe\r\nPublished: 2020-01-23 · Archived: 2026-04-05 16:53:24 UTC\r\nExecutive Summary\r\nBetween July and October 2019, Unit 42 observed several malware families typically associated with the Konni Group (see the Attribution section below for more details) used primarily to target a US government agency, using the ongoing and heightened geopolitical relations issues surrounding North Korea to lure targets into opening malicious email attachments. The malware families used in this campaign consisted mainly of malicious documents featuring CARROTBAT downloaders with SYSCON payloads, but also included a new malware downloader Unit 42 has dubbed CARROTBALL.\r\nCARROTBALL, initially discovered in an attack during October 2019, is a simple FTP downloader utility which facilitates the installation of SYSCON, a full-featured Remote Access Trojan (RAT) which leverages FTP for Command and Control (C2). It was found embedded in a malicious Word document sent as a phishing lure to a US government agency and two non-US foreign nationals professionally associated with North Korea.\r\nThroughout the course of the campaign, Unit 42 ultimately observed a total of six unique malicious document lures being sent as attachments from four unique Russian email addresses to 10 unique targets. The subject matter of the lures featured articles written in Russian pertaining to ongoing geopolitical relations issues surrounding North Korea. Of those malicious documents, five contained CARROTBAT downloaders, and one contained a CARROTBALL downloader. All malicious second stage payloads were SYSCON.\r\nWhile this campaign does demonstrate some evolution in the actor’s tactics, techniques and procedures (TTPs) with the use of a new downloader family and new malicious code in the form of Word document macros, the majority of its attributes bear a strong resemblance to the Fractured Block campaign previously reported by Unit 42 in November 2018. As such, Unit 42 has dubbed this campaign Fractured Statue. The Adversary Playbook for the activity described in this blog can be found here.\r\nFigure 1. Fractured Statue Campaign Timeline\r\nOpening Wave of Attacks\r\nBetween July 15th, 2019 and July 17th, 2019, spear phishing emails were sent to a total of five individuals at a US government agency from the email addresses 0tdelkorei@mail[.]ru and kargarnova@mail[.]ru. The spear phishing emails utilized three different email subjects with malicious macro documents attached with the same name; all file names were written in Russian. Further, all of the malicious documents contained articles written in Russian pertaining to ongoing geopolitical relations issues surrounding North Korea. The documents themselves were rather generic and had no embedded image enticements to enable macros. They did, however, leverage second-stage downloader components consistent with known CARROTBAT samples, and almost all of them featured SYSCON payloads. The first pages of each of these documents are shown below:\r\nhttps://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/\r\nPage 1 of 12\r\nFigure 2. First page of initial malicious document observed in the campaign. Associated with CARROTBAT.\r\nSHA256: 4c201f9949804e90f94fe91882cb8aad3e7daf496a7f4e792b9c7fed95ab0726\r\nSubject: О ситуации на Корейском полуострове и перспективах диалога между США и КНДР\r\nSender: 0tdelkorei@mail[.]ru\r\nTranslated subject: On the situation on the Korean Peninsula and the prospects for dialogue between the USA and the PDR\r\nFile name: О ситуации на Корейском\r\nTranslated file name: A si in\r\nTable 1. First phishing attempt details.\r\nFigure 3. First page of second malicious document observed in the campaign. Associated with CARROTBAT.\r\nSHA256: 63c3817a5e9984aaf59e8a61ddd54793ffed11ac5becef438528447f6b2823af\r\nSubject: Продлится ли мирная пауза на Корейском полуострове до 2024 года\r\nSender: 0tdelkorei@mail[.]ru\r\nTranslated subject: Will there be a peaceful pause on the Korean Peninsula until 2024?\r\nFile name: Продлится ли мирная пауз\r\nTranslated file name: Wil pea bre last\r\nTable 2. Second phishing attempt details.\r\nFigure 4. First page of third malicious document observed in the campaign. Associated with CARROTBAT.\r\nSHA256: 9dfe3afccada40a05b8b34901cb6a63686d209e2b92630596646dba8ee619225\r\nSubject: Россия – КНДР – РК – торгово-экономические связи – инвестиции.\r\nSender: kargarnova@mail[.]ru\r\nTranslated subject: “Russia - DPRK - RK - trade and economic ties and - investments.”\r\nFile name: Россия – КНДР – РК – тор\r\nTable 3. Third phishing attempt details.\r\nSecond Wave\r\nRoughly one month later, beginning on August 15, 2019 and ending on September 14, 2019, the second wave of CARROTBAT attacks occurred against three additional email addresses at the same government agency. One attack featured the same sender and malicious document but had a different subject and filename. The other two emails contained a previously unseen malicious document and featured a mix of Russian and English in both the document lures and the email correspondence.\r\nSHA256: 9dfe3afccada40a05b8b34901cb6a63686d209e2b92630596646dba8ee619225\r\nSubject: Russia – North Korea – Republic of Korea – trade and economic relations – investments.\r\nSender: kargarnova@mail[.]ru\r\nFile name: Russia – North Korea – Republic of Korea\r\nInitial C2 Domain: handicap.eu5[.]o\r\nTable 4. Fourth phishing attempt details.\r\nFigure 5. First page of fourth malicious document observed in the campaign. Associated with CARROTBAT.\r\nSHA256: ed63e84985e1af9c4764e6b6ca513ec1c16840fb2534b86f95e31801468be67a\r\nSubject: Republic of Korea, the Russian Federation and the DPRK\r\nSender: rusrnirasaf@yandex[.]ru\r\nFile name: Republic of Korea, the Russian Federation and the DPRK.doc\r\nInitial C2 Domain: panda2019.eu\r\nTable 5. Fifth phishing attempt details.\r\nFigure 6. First page of the fifth malicious document observed in the campaign. Associated with CARROTBAT.\r\nSHA256: a4f858c6b54683d3b7455c9adcf2bb6b7ddc1f4d35d0f8f38a0f131c60d1790f\r\nSubject: Корейский полуостров в глобальных и региональных измерениях. Безопасность и возможности взаимодействия\r\nSender: kargarnova@mail[.]ru\r\nTranslated subject: The Korea Peninsula global and regional dimension Security a Interopera\r\nTable 6. Sixth phishing attempt details.\r\nFinal Attempt\r\nOn October 29, 2019, one of the same individuals targeted in the second wave of attacks was targeted again with a malicious document, though in this attack the sender was different and the document lure did not feature CARROTBAT. Also of note is that the lure in this attack did feature a more traditional “enable macro” cover page, but was then followed by additional pages in Russian that thematically matched the documents found in the rest of the campaign.\r\nFigure 7. First page of sixth malicious document observed in the campaign. Associated with CARROTBALL.\r\nSHA256: c1a9b923fc1f81d69bd0494d296c75887e4a0f9abfc1cdfbfa9c0f4ab6c95db7\r\nSubject: Инвестиционный климат Северной Кореи.\r\nSender: pryakhin20l0@mail[.]ru\r\nTranslated subject: “The investment climate of North Korea.”\r\nFile name: Инвест климат\r\nTable 7. Seventh phishing attempt details.\r\nAlso interesting to note is that the sender added multiple recipients to their email; one was an individual at a US government agency, and the other two individuals were non-US foreign nationals professionally associated with ongoing activities in North Korea.\r\nTechnical Analysis\r\nWith the exception of the October 2019 attack, all of the malicious documents found in this campaign featured the following macro code snippet of interest:\r\nFigure 8. Macro from malicious documents associated with CARROTBAT.\r\nWhen executed, this code will:\r\n* Determine whether the victim’s host machine is running Windows with an x86 or x64 architecture.\r\n* Parse the contents of a corresponding textbox within the document and convert it to a command line argument specific to the Windows architecture on the victim’s machine.\r\n* Execute the command.\r\n* Clear the contents of the textboxes and save the document.\r\nAs previously mentioned, all samples featuring the macros above also featured CARROTBAT as a second stage downloader. The October 2019 attack, however, differed significantly from the previous ones. Instead of reading from the contents of the document itself, the macros leveraged an embedded Windows executable in the form of hex bytes delimited via the ‘|’ character that ultimately acted as a dropper. When the macro was executed, the hex bytes were split, converted to binary, and dropped onto disk as an executable. The first few lines of this functionality are shown below:\r\nFigure 9. Macro from malicious documents associated with CARROTBALL.\r\nIn this case, the dropped binary was a new type of downloader we have dubbed CARROTBALL. Its sole purpose was to serve as the main mechanism to facilitate the download and installation of the SYSCON backdoor. This is very similar to the CARROTBAT samples observed earlier in this campaign and in the previous Fractured Block campaign (see technical analysis here). Additionally, of novel interest in this attack was the use of two separate FTP credential pairs to conduct active C2 operations. One credential pair was hardcoded in the dropped CARROTBALL binary and used to connect to the domain downplease.c1[.]biz to retrieve a CAB file renamed with a generic .dat extension.\r\nFigure 10. Observed CARROTBALL FTP interaction.\r\nWhen extracted, the .cab file was found to contain two malicious batch files, two malicious DLLs (one of which contained a custom base64 alphabet), and a second domain (lookplease.c1[.]biz) with a set of FTP login credentials encoded in the custom base64 alphabet. The contents of the CAB file are as follows:\r\nFigure 11. Converted CAB file contents extracted from observed CARROTBALL FTP interaction.\r\nSHA256: 42e874d96cb9046cd4113d04c1c5463b1d43a4e828ca872de11c08cd314e650f\r\nFile name: alive.bat\r\nFunctionality: Install and establish persistence for core SYSCON backdoor component.\r\nSHA256: a761b47ab25dc2aa66b2f8ad4ab9636e40ebbcaf67f8a34f3524456c09f47d76\r\nFile name: bpu.dll\r\nFunctionality: UPX-packed system process injection mechanism to gain execution of alive.bat. Reserved for use against non-admin users.\r\nSHA256: c3ac29e4b0c5e1a991d703769b94c0790fbf81fd38cf6acdb240c5246c2517ca\r\nFile name: mama.bat\r\nFunctionality: Batch file to delete assorted host based artifacts of malware. Deletes bpu.dll if running as Admin. Runs bpu.dll if not Admin.\r\nSHA256: ad63b8677c95792106f5af0b99af04e623146c6206125c93cf1ec9fbfeafaac9\r\nFile name: syssec.bin\r\nFunctionality: Custom base64 encoded FTP credentials and C2 domain.\r\nSHA256: bdd90ed7e40c8324894efe9600f2b26fd18b22dcbf3c72548fee647a81d3c099\r\nFile name: syssec.dll\r\nFunctionality: Core SYSCON backdoor component.\r\nTable 8. CAB file contents.\r\nWhile observing the malware’s interaction with the second domain, lookplease.c1[.]biz, two text files were subsequently identified containing text encoded with the same custom base64 alphabet used previously. When decoded, these files were found to contain additional commands to be executed on the infected host.\r\nSHA256: f3d3fa4c76adfabd239accb453512af33ae8667bf261758f402fff22d9df1f67\r\nFile name: GeiAll(0).txt\r\nRaw file contents: Fg37eqye0ee2eqse0e3SeY8evg3Geqhecy3-eqAexf32eUAe\r\nDecoded contents: cm sys\r\nSHA256: 4b8790e9cb2f58293c28e695bec0a35e2ebd2da8e151c7e8c4513a1508c8bc94\r\nFile name: GeiAll(1).txt\r\nRaw file contents: Fg37eqye0ee2eqse0e3GeqOevg31eqge/y3SeYyeZfeD\r\nDecoded contents: cm tas\r\nTable 9. SYSCON C2 file attributes.\r\nAt the time of the activity, both downplease.c1[.]biz and lookplease.c1[.]biz resolved to the IP address 185.176.43[.]94.\r\nAttribution\r\nKonni: Malware or Actor?\r\nOriginally, the name “Konni” was used to refer to a Remote Access Trojan utilized in targeted campaigns with strong links to North Korean interests. However, as additional campaigns began to appear with strongly overlapping TTPs yet did not feature the Konni RAT specifically, some industry researchers simply began to adopt the “Konni” moniker to refer to the actors behind the aggregated set of activity. Unit 42 has followed this trend, and now refers to the “Konni Group” as such.\r\nKonni’s Ties to Fractured Statue\r\nAs prominently documented by Cisco Talos, the first Konni Group activity was a sustained information stealing/RAT distribution campaign spanning between 2014 and 2017. Throughout 2018, Unit 42 released several blogs on Konni Group activity, and subsequently identified two new malware families the group was using in the attacks, dubbed NOKKI and CARROTBAT, respectively. Now, in 2019, Unit 42’s continued observation of targeted CARROTBAT activity (in addition to the new malware CARROTBALL being used during the same campaign) could indicate that both are still in use by the Konni Group, as thematically linked elements of Konni Group TTPs include:\r\n* Targeting individuals/organizations who have interest in, are directly linked to, or conduct business in North Korea (corroborated by previous research by Unit 42).\r\n* Utilizing malicious document phishing lures containing subject matter pertaining to North Korea (corroborated by previous research by Unit 42).\r\n* Iteratively increasing the type and complexity of their payload delivery mechanisms (from their initial use of simple Base64 strings as reported by Trend Micro, then later leveraging CARROTBAT, and now leveraging CARROTBALL).\r\nHowever, there are non-trivial obstacles to obtaining a high-confidence attribution to the Konni Group, namely the fact that previous blogs produced by Unit 42 and other researchers contain a great deal of technical detail about the group’s operations, and copycat actors may attempt to emulate previously observed TTPs to hinder attribution efforts or perform false-flag operations.\r\nIn light of these factors, Unit 42 assesses with moderate confidence that this activity is related to the Konni Group.\r\nConclusion\r\nOverall, the Fractured Statue campaign provides clear evidence that the TTPs discovered in Fractured Block are still relevant, and that the group behind the attacks still appears to be active. Additionally, development and use of the new downloader, CARROTBALL, alongside the more commonly observed malware delivery mechanism, CARROTBAT, may indicate that the previous methods employed by the group to successfully infect their targets are becoming less effective.\r\nThe Adversary Playbook for the activity described in this blog can be found here.\r\nPalo Alto Networks customers are protected from this threat in the following ways:\r\n* AutoFocus customers can track these samples with the FracturedStatue, SYSCON, KONNI, CARROTBAT and CARROTBALL tags.\r\n* WildFire detects all files mentioned in this report with malicious verdicts.\r\n* Cortex XDR blocks all of the files currently associated with the Fractured Block campaign.\r\nIOCS:\r\nMalicious Documents with CARROTBAT:\r\nMalicious Document with CARROTBALL:\r\nCARROTBALL Downloader:\r\nSYSCON Samples:\r\nAssociated SYSCON C2 Files:\r\nInfrastructure:\r\nDomain: handicap[.]eu5[.]org\r\nIP Resolution: 69.197.143[.]12\r\nDomain: panda2019[.]eu5[.]org\r\nIP Resolution: 162.253.155[.]226\r\nDomain: downplease[.]c1[.]biz\r\nIP Resolution: 185.176.43[.]94\r\nDomain: lookplease[.]c1[.]biz\r\nIP Resolution: 185.176.43[.]94\r\nAdditional CARROTBALL Samples Identified on VirusTotal:\r\nSource: https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/"
	],
	"report_names": [
		"the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks"
	],
	"threat_actors": [
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM",
				"Opal Sleet"
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434228,
	"ts_updated_at": 1775791616,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e04331c243053b02f2919759edc0d5079cb554d4.pdf",
		"text": "https://archive.orkl.eu/e04331c243053b02f2919759edc0d5079cb554d4.txt",
		"img": "https://archive.orkl.eu/e04331c243053b02f2919759edc0d5079cb554d4.jpg"
	}
}