{
	"id": "f8ea3bfe-9914-4dd7-8c87-1f7e9361b05e",
	"created_at": "2026-04-06T00:18:52.596508Z",
	"updated_at": "2026-04-10T03:36:33.545786Z",
	"deleted_at": null,
	"sha1_hash": "e24d02dfaf13e182bb7dc401b307dda5c5cdd0ce",
	"title": "Farseer: Previously Unknown Malware Family bolsters the Chinese armoury",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6748257,
	"plain_text": "Farseer: Previously Unknown Malware Family bolsters the Chinese armoury\r\nBy Alex Hinchliffe, Mike Harbison\r\nPublished: 2019-02-26 · Archived: 2026-04-05 12:47:02 UTC\r\nLast year, Unit 42 wrote about a newly discovered espionage Android malware family, HenBox, which had countless features for spying on its victims – primarily the Uyghur population – including interaction with Xiaomi IoT devices and the Chinese consumer electronics manufacturer’s smart phones.\r\nThrough investigations into infrastructure used by HenBox malware, Unit 42 has discovered another malware family, built for the more frequently targeted Microsoft Windows operating system, which we named ‘Farseer’. As with HenBox, Farseer also has infrastructure ties to other malware, such as Poison Ivy and Zupdax.\r\nWe named this malware Farseer due to a string found in the PDB path embedded within the executable files. For example:\r\ne:\\WorkSpace\\A1\\coding\\Farseer\\RemoteShellsRemote\\Release\\RemoteShellsRemote.pdb\r\nTracking back, we’ve seen over 30 unique samples throughout the past two and a half years, with the majority in 2017 and a handful in 2018, the most recent of which were seen, at least from our visibility, during the last two months, indicating a relatively low-volume yet steady flow of Farseer samples. Figure 1 below shows the trend of malicious sessions for these samples according to AutoFocus.\r\nFigure 1 AutoFocus session trends for Farseer samples over time\r\nTies to HenBox Android Malware et al\r\nAs previously mentioned, there are ties between Farseer, HenBox, PlugX, Zupdax, 9002, and Poison Ivy malware families. The infrastructure used by the combination of malware families is pretty vast, with plenty of overlaps; however, in this blog we focus only on some of the core ties captured in the green rectangle, as shown in Figure 2 below.
\r\nhttps://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/\r\nPage 1 of 12\n\nFigure 2 Maltego chart showing overlaps between Farseer and related threats\r\nFigure 2 shows a high-level representation of file hashes, IP addresses, and domain names used by some of the various malware families already mentioned, together with their overlaps. Farseer has the largest number of samples in Figure 2, but that’s skewed given the focus of this blog.\r\nThe green rectangle shows some of the core overlaps between the aforementioned families, which we will discuss in more detail now.\r\nThe most recent (at the point of publishing) Farseer sample (SHA256: 271E29FE… detailed in Table 2 below) introduced a new C2 domain – tcpdo[.]net – into the Farseer set, as shown in Figure 3 below.\r\nFigure 3 Maltego diagram showing tcpdo[.]net and other Farseer / PoisonIvy overlaps.\r\nFigure 3 shows how this new (to Farseer) domain relates both directly to said Farseer sample and indirectly, through third-level domains and IP addresses, to other Farseer samples; a handful of Poison Ivy samples have also used this domain as their C2, mostly before this Farseer sample – as early as mid-2015 – but also more recently, one month after, on December 17th, 2018, indicating it’s a domain in fairly active use. Third-level domains of tcpdo[.]net, together with all other indicators, are listed at the end of this blog.\r\nThe overlaps between Farseer and Poison Ivy don’t end with tcpdo[.]net. Much like with HenBox, other infrastructure ties exist: directly through sony36[.]com and md.son36[.]com; indirectly through third-level domains of tcpdo[.]net and IP addresses 45.32.251[.]7 and 45.32.53[.]250.
\r\nFarseer also overlaps with HenBox and PlugX samples through multiple C2 domains and IP address resolutions:\r\nouthmail[.]com (and third-levels of this domain)\r\ncdncool[.]com (and third-levels of this domain)\r\nwww3.mefound[.]com\r\nw3.changeip[.]org\r\nwww5.zyns[.]com\r\n45.32.53[.]250\r\n45.32.44[.]52\r\n45.32.45[.]77\r\n59.188.196[.]162\r\n59.188.196[.]172\r\nDomain outhmail[.]com was documented as part of research into a 9002 Trojan delivered through Google Drive back in 2016, further expanding the capabilities of this group and its tools.\r\nGhost Dragon Overlaps\r\nBefore we detail the Farseer malware itself, it’s worth noting another overlap we encountered during this research. Third-level domain 3w.tcpdo[.]net, as shown towards the bottom of Figure 4 below, resolved to IP 175.45.192[.]234 in 2015. This IP address relates to domains and custom Gh0st RAT malware samples, some of which are documented in this Ghost Dragon campaign report. Considering the time that’s passed since this publication, it’s harder to investigate how strong the ties are; however, the two domains used by Poison Ivy (md5c[.]net) and Farseer (3w.tcpdo[.]net) have resolved to that IP address more recently than documented in the Ghost Dragon report. Specifically, June 2015, and between July and August 2015, respectively for Poison Ivy and Farseer; these two domains and five others - adminloader[.]com, csip6[.]biz, cdncool[.]com, linkdatax[.]com and adminsysteminfo[.]com - have a common registrant, 46313@QQ[.]COM, but no such commonality exists within the set of known Ghost Dragon domains.\r\nIt’s possible the infrastructure relates to the same group, or multiple groups, conducting various attacks against different operating systems using the various malware families described in this, and related, reports. The possible ties require further investigation.
\r\nFigure 4 Maltego chart showing overlaps to Ghost Dragon campaign\r\nC2 Server Structure\r\nAs previously mentioned in the first HenBox blog, a common registrant registered seven known domains, four of which had malicious activity related to Poison Ivy and Zupdax malware families. Interestingly, all of the domains share at least one third-level domain in common, perhaps indicating a template being used for the infrastructure setup or based on the requirements of the malware’s C2 communication. Table 1 below lists the commonalities, aside from other domains such as www, mail and dns.\r\nDomain / Third-level Domain  info.  re.  update.  up.\r\ntcpdo[.]net\r\nadminsysteminfo[.]com\r\nmd5c[.]net\r\nlinkdatax[.]com\r\ncsip6[.]biz\r\nadminloader[.]com\r\ncdncool[.]com\r\nnewfacebk[.]com\r\nTable 1 Common third-level domain names\r\nFarseer Malware\r\nNow that we have introduced Farseer, and how it relates to other known malware families, let’s dive into how the malware works. This section aims to provide a description of the general behavior for this malware based on a small subset of the total set of samples; a more detailed description exists in the technical appendix.\r\nFigure 5, below, describes at a high level the post-installation execution flow of a typical Farseer sample.\r\nFigure 5 Farseer Execution Flow\r\nFarseer employs the known technique of DLL sideloading - the use of trusted binaries to load malicious code – to load its payload, see Figure 5. To achieve this, the malware begins by dropping known, legitimate, signed binaries to the host.
These binaries, signed by Microsoft or other vendors, are typically trusted applications when checked by antivirus software or the operating system and thus do not raise any suspicious alerts. Figure 6 below shows the import library list for both the benign PE files, highlighting how the nested imports work to ultimately load sys.dll – the malicious payload.\r\nFigure 6 bscmake.exe importing mspdb80.dll importing Farseer's sys.dll\r\nThe payload on disk is an encrypted and compressed file that most antivirus software will not flag as malicious since the underlying code is hidden. More information about how the decompression and decryption work can be found in the appendix.\r\nOnce sys.dll is running, it locates a file named stub.bin located in the same folder, and in turn loads the Farseer config file, sys.dat, on disk. The config relates to C2 communications, amongst other things.\r\nThe following two code excerpts show the obfuscated and deobfuscated versions of this variant’s configuration file. The obfuscation routine used in this case – and many others – is simply ASCII encoding, where characters are replaced with their ASCII value; other variants have used stronger, custom encryption algorithms to hide configuration data.
Details are in the appendix.\r\n[StudentInfo]\r\np1=117,112,46,111,117,116,104,109,97,105,108,46,99,111,109,\r\np2=56,48,\r\np4=116,101,115,116,45,48,52,45,49,49,\r\np5=67,58,92,85,115,101,114,115,92,65,68,77,73,78,73,126,49,46,87,73,78,92,65,112,112,68,97,116,97,92,76,111,99,97,108,92,84,101,109,112,92,1\r\np1=up.outhmail[.]com\r\np2=80\r\np4=test-04-11\r\np5=C:\\Users\\[username]\\AppData\\Local\\Temp\\main.exe\r\nThe line items in the second code excerpt above are represented as follows:\r\np1 relates to the C2 FQDN;\r\np2 is the TCP port used for C2 – many variants use non-standard TCP ports;\r\np3 is missing;\r\np4 appears to be a version string of some sort, which is sent as part of the C2 communication – other variants have used strings such as “mark”;\r\np5 is the full file path from where the malware was launched.\r\nFarseer config files share some similarities with those of HenBox, as documented here and shown in Figure 7 below for convenience.\r\nFigure 7 Screenshot of HenBox configuration file, setting.txt\r\nBoth are text files, read and parsed at run-time; more often than not, the ASCII data is obfuscated using encoding methods of varying sophistication. Perhaps the most notable similarity is the notation of the content, which in both malware families:\r\nis delimited by an ‘=’ equals character;\r\nuses a single character followed by a single digit starting from 1 to begin each line;\r\nhas the C2 host/FQDN on the first line;\r\nhas the TCP port to use to connect to the C2 on the second line.\r\nFor persistence on the host, the Farseer malware creates a registry entry named sys under:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nThe entry runs the VBS script slmgr.vbs shown below, which executes bscmake.exe, and thus Farseer, each time a user logs on to their PC.
\r\ncreateobject(\"wscript.shell\").run \"C:\\Users\\[username]\\AppData\\Roaming\\windows\\bscmake.exe\"\r\nOne of the earliest Farseer samples Unit 42 analysed also used a decoy PDF document during execution. The PDF content included a copied news article from a Myanmar website that reports on news in the Southeast Asia region. The file properties of said PDF, as shown below, describe the language setting of the application that created it, together with the creation date – eight days prior to the Farseer sample that used the document.\r\nLanguage     : zh-CN\r\nAuthor       : Administrator\r\nCreator      : Microsoft® Word 2013\r\nCreate Date  : 2016:04:11 11:06:30+08:00\r\nModify Date  : 2016:04:11 11:06:30+08:00\r\nMore information about this variant of Farseer, and the decoy PDF, can be found in the appendix section.\r\nTargeting\r\nIn this case, we do not have great visibility into the targets of the Farseer malware. However, given our existing knowledge based on previous research, and around malware with closely related infrastructure, together with certain targeting themes seen in some Farseer samples, it is highly likely that victims lie in and around the South East Asia region.\r\nATT\u0026CK Techniques Observed\r\nID  Technique\r\nT1140  Deobfuscate / Decode Files or Information\r\nT1071  Standard Application Layer Protocol\r\nT1060  Registry Run Keys / Startup Folder\r\nT1045  Software Packing\r\nT1073  DLL Side-Loading\r\nT1065  Uncommonly Used Port\r\nT1043  Commonly Used Port\r\nT1328  Buy domain name\r\nT1319  Obfuscate or encrypt code\r\nConclusion\r\nThe threat actors behind Farseer, and related malware including HenBox, continue to grow their armoury with the addition of this previously unknown malware family.
The overlapping infrastructure, shared TTPs and similarities in malicious code and configurations highlight the web of threats used to target victims in and around the South East Asia region and perhaps beyond.\r\nFarseer payloads are backdoors that beacon to pre-configured C2 servers for instructions. The malware uses various techniques to evade detection and inhibit analysis. For example, DLL sideloading using trusted, signed executables allows the malware to execute rather seamlessly; some payloads are encrypted on disk, preventing analysis, especially as decompression and decryption occurs at runtime, in-memory, where code is further altered to thwart forensic analysis.\r\nWhereas HenBox posed a threat for devices running Android, Farseer is built to target Windows, which appears to be more typical given previous threats seen from the group or groups behind this, and related, malware.\r\nPalo Alto Networks customers are already protected via:\r\nAll samples in this report have a malicious verdict in WildFire.\r\nTraps advanced endpoint protection detects Farseer malware.\r\nDomains have been classified as malicious.\r\nAutoFocus tags are available for additional context: Farseer.\r\nUpdate 18th September 2019: This blog has changed to remove two references to PKPLUG as a malware family.\r\nAppendix\r\nThe technical analysis of Farseer malware is described in this section. Table 2 below lists the samples we have chosen for our investigation. The list includes a couple of recent samples and the first Farseer sample seen, according to our data, to highlight key differences in the threat’s evolution.
\r\n#  SHA256  First Seen (Pacific Time)  Key Indicator / Domain\r\n1  271E29FE8E23901184377AB5D0D12B40D485F8C404AEF0BDCC4A4148CCBB1A1A  11/17/2018 10:11:16 pm  tcpdo[.]net:158\r\n2  4AB41A025624F342DEB85D798C6D6264A9FB88B8B3D9037CF8D5248A9F730339  04/02/2018 7:18:07 pm  honor2020[.]ga:993\r\n3  9E08EFC73DC9145358898D2735C5F31D45A2571663C7F4963ABD217AE979C7CA  04/19/2016 6:26:15 pm  outhmail[.]com:80\r\nTable 2 Samples discussed in this blog\r\nFarseer employs the known technique of DLL sideloading - the use of trusted binaries to load malicious code – to load its payload, see Figure 5. To achieve this, the malware begins by dropping known, legitimate, signed binaries to the host. These binaries, signed by Microsoft or other vendors, are typically trusted applications when checked by antivirus software or the operating system and thus do not raise any suspicious alerts. This technique takes advantage of the Windows search order for loading dependencies when a program launches. By default, the Windows loader will first look for any dependency files of the executable in its current working directory. If found, the executable will then load them into memory. With this in mind, the actors place their malicious DLLs in the same directory as the signed executable that was dropped on disk. By naming them as dependency files of that executable, the malicious code will run whenever the executable is started.\r\nNow that the actor has found a way to execute malicious code on the host, they use it to load their final payload, which contains the core functionality of the Farseer malware. The payload on disk is an encrypted and compressed file that most antivirus software will not flag as malicious since the underlying code is hidden.
To avoid detection from users and blend with the Windows file system, the payload files themselves have innocuous or common Windows file names and extensions.\r\nDecompression and decryption of the payload occurs only at runtime, in-memory, and the in-memory code is altered to thwart forensic analysis. This is achieved by deconstructing the import address table (IAT) and resolving necessary API calls manually versus relying on the Windows loader. In addition, it further avoids IAT reconstruction by using what is known as the stolen code technique, wherein some of the instructions at the beginning of an API subroutine are emulated somewhere else in an allocated memory region. This can cause unexpected results during memory analysis as the IAT APIs cannot be resolved. We determined that the in-memory payloads are backdoors that beacon to a pre-configured command and control server (C2) for instructions.\r\nFirst, bscmake.exe runs and imports mspdb80.dll, one of its dependency files. Bscmake.exe is an older Microsoft executable that is part of Visual Studio. When mspdb80.dll is loaded, it will import its dependency files, one of which is sys.dll. It should be stated that both bscmake.exe and mspdb80.dll are known, trusted files signed by Microsoft Corporation and have not been modified. Sys.dll, however, is the Farseer malware and is responsible for loading the encrypted stub.bin file in-memory and beginning code execution.\r\nFigure 8 Sys.dll loading stub.bin\r\nFigure 8 illustrates the connection between sys.dll and stub.bin. When sys.dll is loaded it will look for stub.bin in the current working directory.\r\nC2\r\nThe most recent Farseer sample (#1, as per Table 2 above) communicates with update.tcpdo[.]net over TCP port 158.
The contents of the network communications are encoded, unlike the earlier Farseer samples that used no encoding, highlighting one of many changes in the evolution of this malware. Figure 10 below highlights some of the key differences between the three samples used in the analysis for this appendix section.\r\nFigure 9 Timeline for 3 Farseer samples in analysis; comparing notable differences\r\nSample #2 (SHA256: 4AB41A025...) behaves almost identically to the others but with the following differences:\r\nPersistent VBS script renamed to common.vbs\r\nEncoded network communications\r\nConfiguration file renamed to base.dat\r\nEncrypted and compressed configuration file\r\nDoes not employ the use of any decoy documents\r\nThis sample, seen in early April 2018, communicates with honor2020[.]ga, which started resolving to 199.247.25[.]110 in August 2018, according to PassiveTotal.\r\nDomain honor2020[.]ga bucks the trend when compared to others’ third-level domains, as per Table 1, above. From what we can tell, it has no such subdomains.\r\nOther Farseer samples fall into the same bucket as honor2020[.]ga. That is, they have no third-level domains, or don’t match the pattern of others, and they share no overlaps with existing infrastructure, whether used by Farseer or other malware families. Examples include windowsnetwork[.]org and newfacebk[.]com. The latter does share one third-level domain with the others in Table 1, but that’s where the commonality ends.\r\nReviewing the dozen or so domains resolving to 199.247.25[.]110, most also make use of free ccTLDs from Freenom, including .tk and .ml, as per the .ga in honor2020[.]ga. At this point, these domains and others resolving to this IP appear unrelated to Farseer, except for honor2020[.]ga, which is connected to Farseer sample 4AB41A025....
It’s possible honor2020[.]ga was simply chosen during testing for this more recent Farseer sample, but whatever the reason, it’s a change from the typically used .com, .net and .org TLDs used by other samples.\r\nThe final sample to discuss (9E08EFC73…), as per Table 2 above, is the oldest sample we have record of in AutoFocus, seen on April 19th, 2016. In this case, a decoy PDF file is dropped and executed from the victim’s %TEMP% folder as the malware continues to execute – a behavior not seen again in other Farseer samples. The PDF has filename “Dateline Irrawaddy “Corruption Is Still Rampant Despite The Anti-Corruption Law.pdf” and file properties as shown below, describing the language setting of the application that created it, together with the creation date – eight days prior to us seeing the sample.\r\nLanguage     : zh-CN\r\nAuthor       : Administrator\r\nCreator      : Microsoft® Word 2013\r\nCreate Date  : 2016:04:11 11:06:30+08:00\r\nModify Date  : 2016:04:11 11:06:30+08:00\r\nThe content of the benign PDF (shown in Figure 10 below) appears to be a direct copy / paste from old content once posted on the Irrawaddy[.]com news website; their mission is “to cover the news in Burma/Myanmar and Southeast Asia accurately and impartially.” From what we can tell, the article shown in the PDF was published on the news website sometime in early April 2016, and was used as a timely and potentially very topical social engineering theme for the attack.\r\nFigure 10 Decoy PDF dropped by earliest version of Farseer malware\r\nWhilst the decoy PDF is shown to the victim, Farseer continues with the execution process by first creating a Windows sub-folder within the victim’s C:\\Users\\[username]\\AppData\\Roaming folder and drops into it the files listed in Table 3 below.
\r\nFilename  Size in bytes  File Type / Comment\r\nbscmake.exe  77,312  Application signed by Microsoft; used in DLL sideloading technique\r\nmspdb80.dll  193,024  Microsoft-signed file imported by bscmake.exe\r\nslmgr.vbs  260  Shell-executes bscmake.exe\r\nstub.bin  71,767  Encrypted in-memory payload\r\nsys.dat  297  Config file read by stub.bin\r\nsys.dll  85,504  Malicious DLL loaded by benign mspdb80.dll file.\r\nTable 3 Farseer dropped files\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit cyberthreatalliance.org.\r\nIndicators of Compromise:\r\nSamples:
\r\nC2s:
\r\nFarseer Decoy Docs\r\n06C091BB0630539DEC0D26EB6BFBF9108152E4C5AF27FF649CE84238CD88F81E - Dateline Irrawaddy “Corruption Is Still Rampant Despite The Anti-Corruption Law.pdf\r\n7F091DA89C4412D71AE583481F91A471751A3C0E8DB0037CF31FFD00F4245B5B – New Microsoft Word 文档.doc",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/"
	],
	"report_names": [
		"farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "926dcfeb-19dd-4786-b601-3c0c4c477b43",
			"created_at": "2023-01-06T13:46:38.787762Z",
			"updated_at": "2026-04-10T02:00:03.10053Z",
			"deleted_at": null,
			"main_name": "HenBox",
			"aliases": [],
			"source_name": "MISPGALAXY:HenBox",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434732,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e24d02dfaf13e182bb7dc401b307dda5c5cdd0ce.pdf",
		"text": "https://archive.orkl.eu/e24d02dfaf13e182bb7dc401b307dda5c5cdd0ce.txt",
		"img": "https://archive.orkl.eu/e24d02dfaf13e182bb7dc401b307dda5c5cdd0ce.jpg"
	}
}