{
	"id": "fbddc36d-3c21-4cb3-9d85-b1a632768ccb",
	"created_at": "2026-04-06T00:17:39.860216Z",
	"updated_at": "2026-04-10T03:34:57.551132Z",
	"deleted_at": null,
	"sha1_hash": "e3a45a80568e2b9dffa06eb20b89edc60a33713e",
	"title": "The Trail of BlackTech’s Cyber Espionage Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 249134,
	"plain_text": "The Trail of BlackTech’s Cyber Espionage Campaigns\r\nBy Lenart Bermejo, Razor Huang, CH Lei ( words)\r\nPublished: 2017-06-22 · Archived: 2026-04-05 21:15:19 UTC\r\nBlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally Japan and Hong Kong. Based on the mutexes and domain names of some of their C\u0026C servers, BlackTech’s campaigns are likely designed to steal their targets’ technology.\r\nFollowing their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns: PLEAD, Shrouded Crossbow, and of late, Waterbear.\r\nOver the course of their campaigns, we analyzed their modus operandi and dissected their tools of the trade—and uncovered common denominators indicating that PLEAD, Shrouded Crossbow, and Waterbear may actually be operated by the same group.\r\nPLEAD\r\nPLEAD is an information theft campaign with a penchant for confidential documents. Active since 2012, it has so far targeted Taiwanese government agencies and private organizations. PLEAD’s toolset includes the self-named PLEAD backdoor and the DRIGO exfiltration tool. PLEAD uses spear-phishing emails to deliver and install their backdoor, either as an attachment or through links to cloud storage services. Some of the cloud storage accounts used to deliver PLEAD are also used as drop-off points for exfiltrated documents stolen by DRIGO.\r\nPLEAD’s installers are disguised as documents using the right-to-left-override (RTLO) technique to obfuscate the malware’s filename. They are mostly accompanied by decoy documents to further trick users. We’ve also seen PLEAD use exploits for these vulnerabilities:\r\nCVE-2015-5119, patched by Adobe in July 2015\r\nCVE-2012-0158, patched by Microsoft in April 2012\r\nCVE-2014-6352, patched by Microsoft in October 2014\r\nCVE-2017-0199, patched by Microsoft in April 2017\r\nPLEAD also dabbled with a short-lived, fileless version of their malware when it obtained an exploit for a Flash vulnerability (CVE-2015-5119) that was leaked during the Hacking Team breach.\r\nhttps://www.trendmicro.com/en_us/research/16/c/threat-actors-behind-shrouded-crossbow-creates-bifrose-for-unix.html\r\nPage 1 of 6\r\nFigure 1: How PLEAD utilizes compromised routers\r\nPLEAD actors use a router scanner tool to scan for vulnerable routers, after which the attackers enable the router’s VPN feature and register a machine as a virtual server. This virtual server is then used either as a C\u0026C server or as an HTTP server that delivers PLEAD malware to their targets.\r\nPLEAD also uses CVE-2017-7269, a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) 6.0, to compromise the victim’s server. This is another way for them to establish a new C\u0026C or HTTP server.\r\nFigure 2: One of the methods PLEAD operators use to distribute their malware\r\nPLEAD’s backdoor can:\r\nHarvest saved credentials from browsers and email clients like Outlook\r\nList drives, processes, open windows, and files\r\nOpen a remote shell\r\nUpload a target file\r\nExecute applications via the ShellExecute API\r\nDelete a target file\r\nPLEAD also uses the document-targeting exfiltration tool DRIGO, which mainly searches the infected machine for documents. Each copy of DRIGO contains a refresh token tied to specific Gmail accounts used by the attackers, which are in turn linked to a Google Drive account. The stolen files are uploaded to these Google Drives, where the attackers can harvest them.\r\nShrouded Crossbow\r\nThis campaign, first observed in 2010, is believed to be operated by a well-funded group given how it appeared to have purchased the source code of the BIFROST backdoor, which the operators enhanced and created other tools from. Shrouded Crossbow targeted privatized agencies and government contractors as well as enterprises in the consumer electronics, computer, healthcare, and financial industries.\r\nShrouded Crossbow employs three BIFROST-derived backdoors: BIFROSE, KIVARS, and XBOW. Like PLEAD, Shrouded Crossbow uses spear-phishing emails with backdoor-laden attachments that utilize the RTLO technique and are accompanied by decoy documents.\r\nBIFROSE, known for evading detection by communicating with its C\u0026C servers via the Tor protocol, also has a version targeting UNIX-based operating systems, which are usually used in servers, workstations, and mobile devices. KIVARS has less functionality than BIFROSE, but its modular structure made it easier to maintain. KIVARS enabled attackers to download and execute files, list drives, uninstall the malware service, take screenshots, activate/deactivate a keylogger, show/hide active windows, and trigger mouse clicks and keyboard inputs. A 64-bit version of KIVARS also emerged to keep pace with the popularity of 64-bit systems. XBOW’s capabilities are derived from BIFROSE and KIVARS; Shrouded Crossbow gets its name from its unique mutex format.\r\nWaterbear\r\nWaterbear has actually been operating for a long time. The campaign’s name is based on its malware’s capability to equip additional functions remotely.\r\nWaterbear similarly employs a modular approach to its malware. A loader component executable connects to the C\u0026C server to download the main backdoor and load it in memory. A later version of this malware appeared and used patched server applications as its loader component, while the main backdoor is either loaded from an encrypted file or downloaded from the C\u0026C server.\r\nThe tactic it later adopted required prior knowledge of the targets’ environment. It’s possible attackers used Waterbear as a secondary payload to help maintain presence after gaining some level of access to the targets’ systems.\r\nAll Roads Lead to BlackTech\r\nBased on the use of the same C\u0026C servers, the campaigns’ coordinated efforts, and similarities in tools, techniques, and objectives, we can conclude that they are operated by the same group. It is not uncommon, for instance, for a group—especially a well-funded one—to split into teams and run multiple campaigns. While most of the campaigns’ attacks are conducted separately, we’ve seen apparently joint operations conducted in phases that entail the work of different teams at each point in the infection chain.\r\nUse of the Same C\u0026C Servers. In several instances, we found the campaigns’ malware communicating with the same C\u0026C servers. In targeted attacks, C\u0026C servers are typically not shared with other groups. Here are some of the C\u0026C servers we found that are shared by the campaigns:\r\nC\u0026C Server | PLEAD | Shrouded Crossbow | Waterbear\r\nitaiwans[.]com | Yes | No | Yes\r\nmicrosoftmse[.]com | Yes | Yes | No\r\n211[.]72[.]242[.]120 | Yes | Yes | No\r\nTable 1: C\u0026C servers shared by PLEAD, Shrouded Crossbow, and Waterbear\r\nAdditionally, the IP 211[.]72[.]242[.]120 is one of the hosts for the domain microsoftmse[.]com, which has been used by several KIVARS variants.\r\nJoint Operations. We also found incidents where the backdoors were used on the same targets. While it’s possible for separate groups to attack at the same time, we can construe that they are at least working together:\r\n | PLEAD | Shrouded Crossbow\r\nSamples from different groups using the same filename | Loader component named after its target, i.e. {target name}.exe | Loader component named after its target, i.e. {target name}.exe or {target name}64.exe\r\nBackdoors using the same C\u0026C servers | Connected to 211[.]72[.]242[.]120:53 | Connected to 211[.]72[.]242[.]120:443\r\nTimeline indicating arrival order | Arrived two days after initial infection by SC | Established presence two years prior, but re-infected at a recent time\r\nTable 2: Incident where PLEAD and KIVARS attack the same target\r\n | PLEAD | Shrouded Crossbow | Waterbear\r\nSamples found in same machine | vmdks.exe | cfbcjtqx.dll | tpauto.dll\r\nTimeline of infection | 3/16/2017 | 2/23/2017 | 3/8/2017\r\nTable 3: Incidents where PLEAD, KIVARS, and Waterbear were used on the same target\r\nSimilarities between tools and techniques. PLEAD and KIVARS, for instance, share the use of RTLO techniques to disguise their installers as documents. Both also use decoy documents to make the RTLO attack more convincing. Another similarity is the use of a small loader component to load encrypted backdoors into memory.\r\nSimilar Objectives. The ulterior motive of these campaigns is to steal important documents from their victims; initial recipients of their attacks are not always their primary target. For instance, we saw several decoy documents stolen by the attackers that are then used against another target. This indicates that document theft is most likely the first phase of an attack chain against a victim with ties to the intended target. While PLEAD and KIVARS are most likely to be used in first-phase attacks, Waterbear can be seen as a secondary backdoor installed after attackers have gained a certain level of privilege.\r\nBased on the type of documents stolen by these campaigns, we can get a clearer view of who they’re targeting and compromising, the purpose of their campaigns, and when they take place. Below are some of the categories or labels of the stolen documents:\r\nAddress book\r\nBudget\r\nBusiness\r\nContract\r\nCulture\r\nDefense\r\nEducation\r\nEnergy\r\nForeign affairs\r\nFunding application\r\nHuman affairs\r\nInternal affairs\r\nLaws\r\nLivelihood economy\r\nMeeting\r\nOfficial letter\r\nPassword list\r\nPerformance appraisal\r\nPhysical culture\r\nPress release\r\nPublic security\r\nSchedule\r\nEnterprises Need to be Proactive\r\nPLEAD, Shrouded Crossbow, and Waterbear are still actively mounting their campaigns against their targets, which is why organizations must proactively secure their perimeter.\r\nIT/system administrators and information security professionals can consider making a checklist of what to look out for in the network for any signs of anomalies and suspicious behavior that can indicate intrusions. Adopting best practices and employing multilayered security mechanisms and strategies against targeted attacks are also recommended. Network traffic analysis, deployment of firewalls and intrusion detection and prevention systems, network segmentation, and data categorization are just some of them.\r\nTrend Micro Solutions\r\nTrend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats like the above-mentioned zero-day attacks even without any engine or pattern update.\r\nTrend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects endpoints from threats that abuse unpatched vulnerabilities. OfficeScan’s Vulnerability Protection shields endpoints from identified and unknown vulnerability exploits even before patches are deployed.\r\nTrend Micro™ Smart Protection with Maximum XGen™ security infuses high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across user activity and any endpoint—the broadest possible protection against advanced attacks. An overview and analysis of the various malware used by PLEAD, Shrouded Crossbow, and Waterbear, along with their Indicators of Compromise (hashes, C\u0026Cs), can be found in this technical brief.\r\nSource: https://www.trendmicro.com/en_us/research/16/c/threat-actors-behind-shrouded-crossbow-creates-bifrose-for-unix.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/16/c/threat-actors-behind-shrouded-crossbow-creates-bifrose-for-unix.html"
	],
	"report_names": [
		"threat-actors-behind-shrouded-crossbow-creates-bifrose-for-unix.html"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c93a7f58-3f75-487c-9bd6-e705b73fc07f",
			"created_at": "2023-01-06T13:46:38.330916Z",
			"updated_at": "2026-04-10T02:00:02.931171Z",
			"deleted_at": null,
			"main_name": "RADIO PANDA",
			"aliases": [
				"Shrouded Crossbow"
			],
			"source_name": "MISPGALAXY:RADIO PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434659,
	"ts_updated_at": 1775792097,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3a45a80568e2b9dffa06eb20b89edc60a33713e.pdf",
		"text": "https://archive.orkl.eu/e3a45a80568e2b9dffa06eb20b89edc60a33713e.txt",
		"img": "https://archive.orkl.eu/e3a45a80568e2b9dffa06eb20b89edc60a33713e.jpg"
	}
}