{
	"id": "ccc70662-8d38-4df7-bf54-01028ebf44ba",
	"created_at": "2026-04-06T00:14:01.692452Z",
	"updated_at": "2026-04-10T03:36:06.797723Z",
	"deleted_at": null,
	"sha1_hash": "e2f9503e43f3bb1947bbbe9bf4729f62f8434e1d",
	"title": "Carderbee: APT Group use Legit Software in Supply Chain Attack Targeting Orgs in Hong Kong",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59607,
	"plain_text": "Carderbee: APT Group use Legit Software in Supply Chain Attack\r\nTargeting Orgs in Hong Kong\r\nArchived: 2026-04-05 17:02:07 UTC\r\n 12.20pm BST, 22 August 2023: Updated with additional IoCs\r\nA previously unknown advanced persistent threat (APT) group used the legitimate Cobra DocGuard software to\r\ncarry out a supply chain attack with the goal of deploying the Korplug backdoor (aka PlugX) onto victim\r\ncomputers.\r\nIn the course of this attack, the attackers used malware signed with a legitimate Microsoft certificate. Most of the\r\nvictims in this campaign are based in Hong Kong, with some victims based in other regions of Asia.\r\nKorplug is known to be used by multiple APT groups, but we could not link this activity to a known threat actor\r\nso we have given the actor behind this activity a new name — Carderbee. \r\nCobra DocGuard and Previous Activity\r\nCobra DocGuard Client is software produced by a China-based company called EsafeNet and appears to\r\nlegitimately be used to protect, encrypt, and decrypt software. EsafeNet is owned by Chinese information security\r\nfirm NSFOCUS.\r\nAccording to a report from ESET, in September 2022, a malicious update to this software was used to compromise\r\na gambling company in Hong Kong. The same gambling company had been compromised in September 2021\r\nusing the same technique by Budworm (aka LuckyMouse, APT27), which led ESET to attribute this September\r\n2022 attack to Budworm too. In that attack, a new variant of the Korplug malware was also found. In that\r\ninstance, it used the magic header “ESET”, indicating that it may have been modified to try to bypass ESET\r\nproducts.\r\nA signed version of Korplug was also used in the activity investigated by the Symantec Threat Hunter Team, part\r\nof Broadcom. This activity began in April 2023. However, we did not find any other evidence to indicate that this\r\nattack was carried out by Budworm. 
Korplug is a backdoor that is known to be used by multiple APTs, including\r\nAPT41 and Budworm. We do not have any indication of the industry sectors of the companies targeted in this\r\nrecent activity, just their geographic location.\r\nAccordingly, it was not possible to link this activity definitively to a known group, which is why we attributed it to\r\na new group, Carderbee.\r\nMalicious activity was seen on about 100 computers in impacted organizations; however, the Cobra DocGuard\r\nsoftware was installed on around 2,000 computers, indicating that the attacker may be selectively pushing\r\npayloads to specific victims.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse\r\nPage 1 of 4\n\nThe malicious software was delivered to the following location on infected computers, which is what indicates\r\nthat a supply chain attack or malicious configuration involving Cobra DocGuard is how the attackers\r\ncompromised affected computers:\r\n\"csidl_system_drive\\program files\\esafenet\\cobra docguard client\\update\"\r\nOver a period of a few months in 2023, multiple distinct malware families were observed being deployed via this\r\nmethod. In one interesting case, a downloader deployed by the attackers had a digitally signed certificate from\r\nMicrosoft, called Microsoft Windows Hardware Compatibility Publisher. This downloader was used to install the\r\nKorplug backdoor on targeted systems. The downloader attempted to download a file named update.zip from the\r\nfollowing location: http://cdn.stream-amazon[.]com/update.zip.\r\nThe update.zip file is a zlib compressed archive file. It decompresses and executes a file named content.dll. This\r\nfile is not saved on disk. It acts as a dropper and contains x64 and x86 drivers, which are dropped depending on\r\nthe system environment. The dropper creates services and registry entries. 
The dropped drivers read encrypted\r\ndata from the registry, decrypt it, and inject it into svchost.exe. The injected payload is the Korplug backdoor. \r\nThe Korplug sample downloaded here is able to:\r\nExecute commands via cmd\r\nEnumerate files\r\nCheck running processes\r\nDownload files \r\nOpen firewall ports\r\nAct as a keylogger\r\nMicrosoft Certificate Abuse\r\nUse of Microsoft-signed malware is a known problem. In December 2022, Mandiant noted a POORTRY driver\r\nsample signed with a Microsoft Windows Hardware Compatibility Authenticode signature. Most recently, in July\r\n2023, Trend said that it had found a Microsoft-signed rootkit that appeared to have passed through the Windows\r\nHardware Quality Labs (WHQL) process for getting a valid signature. Microsoft acknowledged the issue and said\r\nthat drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP) were being used\r\nmaliciously in post-exploitation activity. \r\nThe company said it had investigated the issue and “determined that the activity was limited to the abuse of\r\nseveral developer program accounts and that no Microsoft account compromise has been identified.” Malware\r\nsigned with what appears to be a legitimate certificate can make it much harder for security software to detect.\r\nSupply Chain Attack and Certificate Abuse\r\nIt seems clear that the attackers behind this activity are patient and skilled actors. They leverage both a supply\r\nchain attack and signed malware to carry out their activity in an attempt to stay under the radar. The fact that they\r\nappear to only deploy their payload on a handful of the computers they gain access to also points to a certain\r\namount of planning and reconnaissance on behalf of the attackers behind this activity. 
Software supply chain\r\nattacks remain a major issue for organizations in all sectors, with multiple high-profile supply chain attacks\r\noccurring in the last 12 months, including the MOVEit, X_Trader, and 3CX attacks.\r\nSome unanswered questions remain about the activity of Carderbee, such as what sectors the group was targeting\r\nwith this activity, and whether there are any links between Carderbee and other actors such as Budworm. \r\nSymantec researchers will continue to track this activity, and we share indicators of compromise below so our\r\ncolleagues in the security community can do so as well.\r\nProtection\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.\r\nSHA256 file hashes:\r\n96170614bbd02223dc79cec12afb6b11004c8edb8f3de91f78a6fc54d0844622\r\n19a6a404605be964ab87905d59402e2890460709a1d9038c66b3fbeedc1a2343\r\n1ff7b55dde007b7909f43dd47692f7c171caa2897d663eb9db01001062b1fe9d\r\n2400d8e66c652f4f8a13c99a5ffb67cb5c0510144b30e93122b1809b58614936\r\n2f714aaf9e3e3e03e8168fe5e22ba6d8c1b04cbfa3d37ff389e9f1568a80cad4\r\n47b660bbaacb2a602640b5e2c589a3adc620a0bfc9f0ecfb8d813a803d7b75e2\r\n5467e163621698b38c2ba82372bac110cea4121d7c1cec096958a4d9eaa44be7\r\n7e6d0f14302662f52e4379eb5b69a3749d8597e8f61266aeda74611258972a3d\r\n85fc7628c5c7190f25da7a2c7ee16fc2ad581e1b0b07ba4ac33cff4c6e94c8af\r\n8bd40da84c8fa5f6f8e058ae7e36e1023aca1b9a9c8379704934a077080da76f\r\n8ca135b2f4df6a714b56c1a47ac5baa80a11c6a4fcc1d84a047d77da1628f53f\r\n9e96f70ce312f2638a99cfbd3820e85798c0103c7dc06fe0182523e3bf1e2805\r\n9fc49d9f4b922112c2bafe3f1181de6540d94f901b823e11c008f6d1b2de218c\r\nb5159f8ae16deda7aa5d55100a0eac6e5dacd1f6502689b543513a742353d1ea\r\nb7b8ea25786f8e82aabe4a4385c6142d9afe03f090d1433d0dc6d4d6ccc27510\r\nb84f68ab098ce43f9cb363d0a20a2267e7130078d3d2d8408bfb32bbca95ca37\r\nf64267decaa982c63185d92e028f52c31c036e85b2731a6e0bccdb8f7b646e97\r\nRemote IP addresses:\r\n45.76.179[.]209\r\n104.238.151[.]104\r\nURLs:\r\nhttp://111.231.100[.]228:8888/CDGServer3/UpgradeService2\r\nhttp://103.151.28[.]11:8090/CDGServer3/UpgradeService2\r\nDomains:\r\ncdn.stream-amazon[.]com\r\ncdn.ofo[.]ac\r\ngobay[.]info\r\ntjj.active-microsoft[.]com\r\ngithubassets.akamaixed[.]net\r\nms-g9-sites-prod-cdn.akamaixed[.]net\r\nms-f7-sites-prod-cdn.akamaixed[.]net\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse"
	],
	"report_names": [
		"carderbee-software-supply-chain-certificate-abuse"
	],
	"threat_actors": [
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e737c474-a1f2-4e18-9d78-1c00f0887fa0",
			"created_at": "2023-11-05T02:00:08.085728Z",
			"updated_at": "2026-04-10T02:00:03.401539Z",
			"deleted_at": null,
			"main_name": "Carderbee",
			"aliases": [],
			"source_name": "MISPGALAXY:Carderbee",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17cfc7a6-c8f2-4806-b77f-ba23fb772e70",
			"created_at": "2023-09-07T02:02:47.182792Z",
			"updated_at": "2026-04-10T02:00:04.604605Z",
			"deleted_at": null,
			"main_name": "Carderbee",
			"aliases": [],
			"source_name": "ETDA:Carderbee",
			"tools": [
				"Agent.dhwf",
				"Cobra DocGuard",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434441,
	"ts_updated_at": 1775792166,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e2f9503e43f3bb1947bbbe9bf4729f62f8434e1d.pdf",
		"text": "https://archive.orkl.eu/e2f9503e43f3bb1947bbbe9bf4729f62f8434e1d.txt",
		"img": "https://archive.orkl.eu/e2f9503e43f3bb1947bbbe9bf4729f62f8434e1d.jpg"
	}
}