{
	"id": "906d20cc-d1bf-40aa-847e-48026f27405f",
	"created_at": "2026-04-06T00:10:43.31993Z",
	"updated_at": "2026-04-10T03:37:36.879004Z",
	"deleted_at": null,
	"sha1_hash": "e25a45e0e48b7830ca93f7b582bae693f7841cca",
	"title": "APT34 Unleashes New Wave of Phishing Attack with Variant of SideTwist Trojan - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 519445,
	"plain_text": "APT34 Unleashes New Wave of Phishing Attack with Variant of SideTwist Trojan - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.\r\nBy NSFOCUS\r\nPublished: 2023-08-30 · Archived: 2026-04-05 14:52:02 UTC\r\nRecently, NSFOCUS Security Labs captured a new APT34 phishing attack. During the campaign, APT34 attackers, disguised as a marketing services company called GGMS, launched attacks against enterprise targets and released a variant of the SideTwist Trojan to achieve long-term control of the victim host.\r\nIntroduction to APT34\r\nAPT34, also known as OilRig or Helix Kitten, is an APT group suspected of originating from Iran. The group has been active since 2014, conducting cyber espionage and cyber sabotage operations against countries in the Middle East. Its main targets include multiple industries such as finance, government, energy, the chemical industry and telecommunications.\r\nAPT34 has a high level of attack technology, can design different intrusion methods for different types of targets, and has supply chain attack capability. After the group’s main attack tools were disclosed in a leak in 2019, it began to develop new attack tools, including RDAT, SideTwist and Saitama.\r\nRelated links:\r\nAnalysis of File Disclosure by APT34\r\nAPT34 Event Analysis Report\r\nDecoy Information\r\nhttps://nsfocusglobal.com/apt34-unleashes-new-wave-of-phishing-attack-with-variant-of-sidetwist-trojan/\r\nPage 1 of 8\r\nThe decoy file used by APT34 this time is called “GGMS Overview.doc”, and the document’s body shows an introduction to a so-called “Ganjavi Global Marketing Services” company, as shown in the figure below.\r\nFigure 1 Decoy document used by APT34 in this attack\r\nThe introduction claimed that the company was able to provide worldwide marketing services. Apparently, it targets enterprises.\r\nThere are two upload records, both located in the United States, indicating that APT34 was actually targeting United States businesses.\r\nAttack Process\r\nIn this event, APT34 followed an attack process that has been in use since 2021, but with some variations in details. The key steps of this attack process are illustrated in the following figure.\r\nFigure 2 Attack process used by APT34 in this attack\r\nDuring this attack, the malicious macro code hidden in the decoy file handles environment deployment. The macro code extracts the Trojan SystemFailureReporter.exe, stored in base64 format in the document, writes it to the %LOCALAPPDATA%\\SystemFailureReporter\\ directory, and creates a text file named update.xml in the same directory, which acts as the start switch of the Trojan program, as shown in the figure below.\r\nFigure 3 Malicious files released from decoy document\r\nThe malicious macro then creates a scheduled task called SystemFailureReporter that launches the Trojan every 5 minutes, through which it runs repeatedly.\r\nFigure 4 Trigger information of scheduled task set by decoy document\r\nFigure 5 Action information of scheduled tasks set by decoy document\r\nThe launched Trojan program SystemFailureReporter.exe is a variant of SideTwist, the main Trojan tool used by APT34 in recent operations. Its CnC address is 11.0.188.38:443, but it uses HTTP for communication.\r\nTrojan Analysis\r\nThe variant Trojan presented in this campaign is similar to the SideTwist Trojan used by APT34 in previous campaigns, with the main difference that it is compiled using GCC.\r\nThe main function of the SideTwist Trojan is to communicate with the CnC, execute commands or program files issued by the CnC terminal, and upload local files to the CnC.\r\nAfter the Trojan runs, it first checks whether there is a file named update.xml in the same directory. If not, it outputs a line of prompt text through the debugging port and exits. This is a typical anti-sandbox operation.\r\nFigure 6 Environment detection operation of SideTwist Trojan\r\nThe Trojan then collects the user name, computer name and local domain name of the victim’s host, assembles them and calculates a 4-byte hash as the unique ID of the victim.\r\nFigure 7 Host information collection of SideTwist Trojan\r\nThe Trojan then attempts to establish communication with the CnC and obtain return information using the generated victim ID.\r\nThe following figure shows the sample HTTP communication content of this Trojan; suWW in the URI path is the victim ID:\r\nFigure 8 First communication content of SideTwist Trojan\r\nIf the CnC path is online, the Trojan extracts specific contents from the HTML code returned by the CnC and parses them into CnC instructions. These specific contents are hidden between \u003cscript\u003e/* and */\u003cscript\u003e tags of the HTML code.\r\nIn this variant Trojan, the CnC instruction is stored base64-encoded and is decrypted with a multi-byte XOR using the key string “notmersenne”.\r\nThe decrypted CnC instruction is divided into three segments, namely the CnC number, the CnC instruction code and the operating parameters, separated by the symbol “|”, as shown below.\r\n[CnC number] | [CnC instruction code] | [operation parameter 1] | [operation parameter 2]\r\nThe CnC number is only used as an index during CnC communication; only when this value is “-1” can the Trojan be instructed to terminate subsequent CnC communication.\r\nThe CnC instruction code controls which of several behaviors the Trojan performs; the correspondence between instruction code number and function is shown in the following table.\r\nTable 1 CnC Instruction Code\r\nCnC Instruction Code | Function\r\n101 | Run the shell command issued by CnC; the command line is specified by operation parameter 1.\r\n102 | Download the specified file from the CnC server; the file save path and remote file name are specified by operation parameters 1 and 2 respectively.\r\n103 | Upload a local file to the CnC server; the file path is specified by operation parameter 1.\r\n104 | Execute the shell command issued by CnC; the command line is specified by operation parameter 1 (the same as instruction code 101).\r\nIt should be noted that the 102 instruction code of this Trojan triggers a subsequent CnC communication. The Trojan program initiates an HTTP GET request according to the remote file name in the CnC instruction parameters, and obtains and decrypts the file at the remote location “/getFile/[file name]”. The decryption method is again base64 transcoding and multi-byte XOR, as shown below.\r\nFigure 9 Communication logic in SideTwist Trojan 102 instruction code\r\nAfter all the above CnC instructions are completed, the Trojan replies with an HTTP POST request to the CnC to report the instruction execution result. The POST request body contains information in the following format:\r\n{“[CnC number]”}:{“[CnC instruction execution result]”}\r\nUnlike common Trojan programs, this Trojan does not have a loop or sleep mechanism and automatically exits after one CnC communication, waiting for the scheduled task to invoke the Trojan again 5 minutes later.\r\nIoC Analysis\r\nWhat is special about this APT34 attack event is that the SideTwist Trojan used IP address 11.0.188.38 as the CnC.\r\nIt was found that port 443 of this IP address does not currently provide service, and the nature of its CnC server cannot be confirmed through the content returned by the IP address.\r\nQuerying the IP address assignment revealed that 11.0.188.38 is assigned to segment 11.0.188.0/22, owned by the United States Department of Defense Network Information Center and located in Columbus, Ohio, United States, matching the agency’s geographic location.\r\nConclusion\r\nThe APT34 attack discovered this time not only shows its commonly used attack method, but also introduces a GCC-based variant of the SideTwist Trojan and a sensitive IP address as the CnC address of the Trojan.\r\nWe believe that the specificity of this CnC IP suggests that the APT34 attacker probably used this activity as a test and did not enable the real CnC address. This is an operation to protect attack resources and a tactic that may be used by APT groups, which means that APT groups will enable the real CnC address to launch attacks only after completing debugging and ensuring the concealment of the attack process.\r\nIoC\r\n056378877c488af7894c8f6559550708\r\n5e0b8bf38ad0d8c91310c7d6d8d7ad64\r\nhttp[:]//11.0.188[.]38:443/\r\nSource: https://nsfocusglobal.com/apt34-unleashes-new-wave-of-phishing-attack-with-variant-of-sidetwist-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://nsfocusglobal.com/apt34-unleashes-new-wave-of-phishing-attack-with-variant-of-sidetwist-trojan/"
	],
	"report_names": [
		"apt34-unleashes-new-wave-of-phishing-attack-with-variant-of-sidetwist-trojan"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434243,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e25a45e0e48b7830ca93f7b582bae693f7841cca.pdf",
		"text": "https://archive.orkl.eu/e25a45e0e48b7830ca93f7b582bae693f7841cca.txt",
		"img": "https://archive.orkl.eu/e25a45e0e48b7830ca93f7b582bae693f7841cca.jpg"
	}
}