{
	"id": "b9bf2b21-cf36-4642-950a-b522fc0300d8",
	"created_at": "2026-04-06T00:17:56.675559Z",
	"updated_at": "2026-04-10T03:33:57.359521Z",
	"deleted_at": null,
	"sha1_hash": "e47eb5c8abf3821f6326471737c7e239b8a120d6",
	"title": "Blackgear Cyberespionage Campaign Resurfaces",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 84402,
	"plain_text": "Blackgear Cyberespionage Campaign Resurfaces\r\nBy: Joey Chen Jul 17, 2018 Read time: 6 min (1675 words)\r\nPublished: 2018-07-17 · Archived: 2026-04-05 15:26:43 UTC\r\nBlackgear (also known as Topgear and Comnie) is a cyberespionage campaign dating back to 2008, at least based on the Protux backdoor used by its operators. It targets organizations in Japan, South Korea, and Taiwan, leveling its attacks on public sector agencies and telecommunications and other high-technology industries. In 2016, for instance, we found their campaigns attacking Japanese organizations with various malware tools, notably the Elirks backdoor. Blackgear’s operators are well-organized, developing their own tools, which we observed to have been recently fine-tuned, based on their latest attacks.\r\nA notable characteristic of Blackgear is the lengths to which its attacks go to evade detection, abusing blogging, microblogging, and social media services to hide its command-and-control (C\u0026C) configuration. Compared to when C\u0026C information is embedded within the malware, where it’s preset and can thus be easily blocked, this tactic lets Blackgear’s operators quickly change C\u0026C servers as needed. It can, in turn, prolong the campaign’s foothold in the system and enable attackers to carry out further lateral movement.\r\nAnalyzing the Marade downloader (detected by Trend Micro as TSPY_MARADE.ZTBC) and the version of Protux (BKDR_PROTUX.ZTBC) employed by Blackgear’s latest campaigns, we found their encrypted configurations on blog and social media posts (see Figure 1). This can be an indication that these malware tools were developed by the same group.\r\nFigure 1. Marade’s encrypted configuration on a Facebook post\r\nFigure 2. Infection chain of Blackgear’s attack\r\nAttack chain\r\nTo paint a bigger picture of Blackgear’s attacks, we correlated the tools and tactics they used against their targets. Here’s a summary of Blackgear’s latest campaign:\r\n1. Use a decoy document or fake installer file, sent via spam email, to lure a potential victim into clicking it.\r\n2. The decoy document will extract the Marade downloader. It drops itself in the machine’s Temp folder and increases its file size to over 50MB in order to bypass traditional sandbox solutions.\r\n3. Marade will check if the infected host can connect to the internet and if it is installed with anti-virus (AV) software.\r\n4. If the affected system can connect online and doesn’t have AV software, Marade will connect to a Blackgear-controlled public blog or social media post to retrieve an encrypted C\u0026C configuration. Otherwise, Marade will use the C\u0026C information embedded in its code.\r\n5. The encrypted strings will pose as a magnet link to keep its malicious traffic from being detected by AV software. Marade will then decrypt the encrypted strings and retrieve the C\u0026C server information.\r\n6. The C\u0026C server will send Protux to the victim’s host and execute it. Protux, a known backdoor, is executed by abusing the rundll32 dynamic-link library (DLL). It tests the host’s network, retrieves the C\u0026C server from another blog, and uses the RSA algorithm to generate the session key and send information to the C\u0026C server.\r\nBlackgear’s malware tools are delivered to targets using RAR self-extracting executable (SFX) files or Office Visual Basic Script (VBScript) to create a decoy document. Below is a screenshot of the SFX files and document used by the latest campaigns:\r\nFigure 3. Contents of malicious SFX file used by Blackgear, posing as a Flash Player installer\r\nFigure 4. Malicious document used by Blackgear (top) and how VBScript is used to execute Marade (bottom)\r\nFigure 5. Encrypted configurations of Protux (top) and Marade (bottom) in the same blog post\r\nCorrelating Marade and Protux\r\nThe encrypted configurations of Marade and Protux can both be found on a single blog post. As shown in Figure 5, the strings highlighted in red function as a search tag to identify the location of the configuration information; those highlighted in orange pertain to the encrypted configuration that Protux will retrieve.\r\nProtux’s configuration format has changed since Blackgear’s previous campaigns. For instance, Protux’s older iteration will look for the “++a++” tag, as shown in Figure 5. The format used by Protux’s latest version is now similar to Marade’s, as shown in Figure 6.\r\nFigure 6. Protux’s encrypted configuration on a public blog (note the six magnet URLs; the third is Protux’s latest configuration format)\r\nReverse analysis of Protux’s latest version also allowed us to determine how to decrypt the C\u0026C information, which is done in the Python code shown below. This can also be used by researchers, system administrators, and information security professionals when decrypting Protux’s latest version.\r\n#!/usr/bin/env python2\r\n# -*- coding: utf-8 -*-\r\nimport sys\r\nimport base64\r\n\r\n# The encrypted configuration is carried inside a fake magnet link, between this\r\n# prefix and the \"\u0026xl=\" parameter (HTML-escaped as \"\u0026amp;xl=\" on some pages)\r\nMAGNET_PREFIX = \"magnet:?xt=urn:bhih:\"\r\n\r\ndef decrypt():\r\n    if len(sys.argv) != 2:\r\n        print \"Usage : ./decrypt_protux_magnet.py \u003cFull magnet strings\u003e\"\r\n        sys.exit(0)\r\n    magnet = sys.argv[1]\r\n    head = magnet.find(MAGNET_PREFIX)\r\n    tail = magnet.find(\"\u0026xl=\")\r\n    if -1 == tail:\r\n        tail = magnet.find(\"\u0026amp;xl=\")\r\n    if -1 == head or -1 == tail:\r\n        print \"can't find delimiter\"\r\n        sys.exit()\r\n    # Base64 payload sits between the prefix and the xl parameter\r\n    b64_data = magnet[head + len(MAGNET_PREFIX):tail]\r\n    b64_decode = base64.b64decode(b64_data)\r\n    # Byte 2 of the decoded blob is the single-byte XOR key; the ciphertext starts at byte 4\r\n    key = ord(b64_decode[2])\r\n    data = b64_decode[4:]\r\n    output_file = open(\"C2_info\", \"wb\")\r\n    for single_byte in data:\r\n        output_file.write(chr(ord(single_byte) ^ key))\r\n    output_file.close()\r\n\r\nif __name__ == '__main__':\r\n    decrypt()\r\nA new remote controller tool\r\nWe were also able to source a sample of Protux’s remote controller tool. This provides a user interface (UI) that allows attackers to send instructions to and monitor any compromised endpoint host. This tool can also remotely control Marade in the affected system.\r\nFigure 7. The controller retrieving the Marade-related information (top) and collecting Protux-related information (bottom)\r\nBased on the controller’s behavior, we can posit that both Marade and Protux were authored by the same threat actors. Each serves a specific role once in the system. Marade acts as the first stage of attack, sending the compromised system’s information to the C\u0026C server and then awaiting commands from the controller. This allows threat actors to monitor and check whether the affected system is of interest to them. If so, the attack moves to the second stage by deploying Protux. The tool can also control the communication between the backdoor and attacker in real time. The following is a list of Protux’s notable components and their functions:\r\nFileManage - Lists all of the system’s drives and folders.\r\nProcManage - Lists all of the processes, modules, threads, and ports in the compromised host.\r\nServiceManage - Lists all of the services in the compromised host.\r\nRegManage - Lists all of the registry keys in the compromised host.\r\nScreenManage - Takes a screenshot.\r\nShellManage - Creates a shell.\r\nProtux: An old dog learning new tricks\r\nProtux is an old backdoor, with its first version developed in 2005. It uses DLL injection to execute its routines. Based on this behavior, we can map out a pattern, from the downloader to the decoy documents used. The trigger format is: %system32/rundll32.exe \u003cPROTUX file name\u003e \u003cexport name\u003e.\r\nWe saw two notable changes throughout Protux’s history: its export name and how it functions:\r\nExport name | Year | How C\u0026C information is retrieved\r\nTStartUp | 2005 – 2012 | Directly connect to the C\u0026C server and use a DNS server to retrieve the C\u0026C IP address.\r\nCRestart | 2009 – 2014 | Use a web DNS query to retrieve the C\u0026C IP address, e.g., ip138[.]com.\r\nCReset | 2013 – 2018 | Find the encrypted configuration through keywords on blog services.\r\nOur research into and correlation of Protux led us to several samples that have version numbers embedded in them. The highlighted portions in Figure 8 show the backdoor’s version number and timestamp with the “with encrypt” strings. We also found that these versions encrypt the communication to its C\u0026C servers. Protux’s latest version, 3.7, uses the open-source compiler OpenCSP to generate a session key with the RSA algorithm.\r\nFigure 8. Different versions of Protux used by Blackgear\r\nFigure 9. Protux with the OpenCSP encryption function\r\nBuilding a proactive incident response strategy\r\nBlackgear has been targeting various industries since its emergence a decade ago. Its apparent staying power stems from the furtive ways in which its attacks evade traditional security solutions. For instance, Blackgear employs two stages of infection for each of its attacks. The potential victim may not be able to notice the intrusions as the first stage involves only profiling and reconnaissance. And once infection with a backdoor occurs, typical red flags may not be raised as it abuses microblogging and social media services to retrieve information needed for C\u0026C communication.\r\nIndeed, Blackgear’s attacks exemplify the need for organizations to develop and implement security strategies that can proactively respond to threats. A robust threat hunting strategy, for instance, helps validate indicators of attack to ascertain if the intrusions, threats, or suspicious system activities are one-off attacks or part of a larger campaign. This further visibility equips organizations with actionable threat intelligence, context, and insights that can be used to delve deeper into an attack — which security gaps are exploited, if the attack has multiple payloads, or if the malware has already spread within the network.\r\nOrganizations can also consider managed detection and response, which provides in-depth threat analysis and correlation — from networks to servers and endpoints — to obtain a complete picture of and further understand a targeted attack. Managed detection and response also helps make better sense of system- and network-level activities that an organization may not have the time or resources to do.\r\nA list of indicators of compromise (IoCs) related to Blackgear is in this appendix.\r\nTrend Micro solutions\r\nThe Trend Micro™ Deep Discovery™ solution provides detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack life cycle, allowing it to detect threats delivered by Blackgear even without any engine or pattern update.\r\nBlackgear’s campaigns also use email as an entry point, which is why it’s important to secure the email gateway. The Trend Micro™ Hosted Email Security no-maintenance cloud solution delivers continuously updated protection to stop spam, malware, spear phishing, and advanced targeted attacks before they reach the network. The Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security solutions prevent malware from ever reaching end users. At the endpoint level, the Trend Micro™ Smart Protection Suites deliver several capabilities that minimize the impact of attacks.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/"
	],
	"report_names": [
		"blackgear-espionage-campaign-evolves-adds-japan-target-list"
	],
	"threat_actors": [
		{
			"id": "ad59becc-29c2-4b7a-a958-d7f242d222ea",
			"created_at": "2023-01-06T13:46:38.956494Z",
			"updated_at": "2026-04-10T02:00:03.161471Z",
			"deleted_at": null,
			"main_name": "Blackgear",
			"aliases": [
				"BLACKGEAR",
				"Topgear",
				"Comnie"
			],
			"source_name": "MISPGALAXY:Blackgear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6750d709-9153-4e90-baa3-04883a9b762b",
			"created_at": "2022-10-25T16:07:23.397596Z",
			"updated_at": "2026-04-10T02:00:04.580074Z",
			"deleted_at": null,
			"main_name": "Blackgear",
			"aliases": [
				"Topgear"
			],
			"source_name": "ETDA:Blackgear",
			"tools": [
				"Comnie",
				"Elirks",
				"Protux"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434676,
	"ts_updated_at": 1775792037,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e47eb5c8abf3821f6326471737c7e239b8a120d6.pdf",
		"text": "https://archive.orkl.eu/e47eb5c8abf3821f6326471737c7e239b8a120d6.txt",
		"img": "https://archive.orkl.eu/e47eb5c8abf3821f6326471737c7e239b8a120d6.jpg"
	}
}