{
	"id": "c423801c-93c6-4c26-b655-64bf41c3df40",
	"created_at": "2026-04-06T00:12:56.551527Z",
	"updated_at": "2026-04-10T03:37:16.521964Z",
	"deleted_at": null,
	"sha1_hash": "e5a8daf6e541dbd4e352e212ae403c148c94d6dd",
	"title": "Beyond appearances: unknown actor using APT29’s TTP against Chinese users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1255481,
	"plain_text": "Beyond appearances: unknown actor using APT29’s TTP against Chinese users\r\nPublished: 2023-07-07 · Archived: 2026-04-05 18:49:27 UTC\r\nIntroduction\r\nLab52 has detected several maldoc samples belonging to a potential malicious campaign. Initial access is through a Chinese-language phishing message. The maldoc appears to be part of a campaign against Chinese-speaking users, as its content is written in Chinese. The social engineering lure used in the maldoc is a Curriculum Vitae of a 28-year-old finance professional who specializes in software development for banking systems and NCR.\r\nThe infection chain is similar to that of the threat actor APT29; however, significant differences from APT29’s typical infection chain have been identified, which suggest that this is not that threat actor.\r\nThe sample is a compressed file whose name, in Chinese characters, refers to “Sun Jichao – Peking University – Master”. The archive contains a file with extension “.pdf” and a hidden directory “_MACOSX/.DOCX”, which holds a .bat file, two .tmp files (also hidden) and another .pdf file.\r\nThe following image capture shows the content of the .pdf maldoc:\r\nhttps://lab52.io/blog/beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users/\r\nPage 1 of 9\r\nAnalysis\r\nStage 0\r\nThe infection starts with the file “孙继超-北京大学-硕士.pdf”, which is actually a “.lnk” file that executes the binary “aaa.bat” using the following command: %windir%\\system32\\cmd.exe /c “__MACOSX\\.DOCX\\aaa.bat”. It is also interesting to note the comment “chang the world google”.\r\nWhen analyzing the “.bat” binary, we observe that it is obfuscated with special characters. Searching for part of this string in Google, we found that it is obfuscated using a specific “.bat” file encryption technique. Fortunately, there is a tool called Batch Encryption DeCoder that decrypts the content automatically.\r\nAnalyzing the “.bat” file, it can be seen that it performs the following actions:\r\n1. First, it copies the files “wda.tmp” and “mbp.tmp” to the folder “C:\\ProgramData”.\r\n2. Then it changes the attributes of the files to unhide them.\r\n3. It renames “wda.tmp” to “OfficeUpdate.exe” and “mbp.tmp” to “appvisvsubsystems64.dll”.\r\n4. It opens the “.pdf” file, showing the decoy (a resume).\r\n5. It executes “OfficeUpdate.exe” to continue with stage 1.\r\n6. Finally, it deletes the stage 0 files “wda.tmp”, “mbp.tmp”, “aaa.bat” and the “.lnk”, so that only what is in C:\\ProgramData\\ persists.\r\nStage 1\r\nExecution continues with the two files located in “C:\\ProgramData”: “OfficeUpdate” and “appvisvsubsystems64.dll”. The first is the legitimate “WinWord” binary, and “appvisvsubsystems64.dll” is a malicious library that “WinWord” loads via DLL side-loading.\r\nThese names and techniques are reminiscent of those used by APT29 in its campaigns in recent months, which we discussed in this Lab52 post.\r\nLooking at the DLL “appvisvsubsystems64.dll” statically, we find that its compilation date is quite recent (July 4th) and that it is packed with the open source packer “UPX”. The binary is also written in Go.\r\nThe DLL has several exports, but the malicious code is in the section called “test”. With IDA you can see how it creates a thread to execute this function.\r\nAnalyzing the operation of the library, it can be seen that it is a CobaltStrike beacon that the actor will use as a post-exploitation framework.\r\nInfection Chain\r\nComparison with APT29\r\nAs discussed above, the group uses a number of TTPs and artifacts that have been linked to APT29 in previous campaigns. Examples include:\r\n- The use of DLL side-loading with the “appvisvsubsystems64.dll” library and the legitimate “WinWord.exe” binary.\r\n- Developing the DLL in the Go language (something that has also been seen in APT29).\r\n- Deploying a CobaltStrike beacon at the end of the infection.\r\nHowever, several features suggest that the attack was not perpetrated by the Russian group:\r\n- The infection chain is different, employing an encrypted “.bat”.\r\n- Chinese characters are found in all the files and the decoy is addressed to Beijing.\r\n- It saves the files in the %ProgramData% folder, unlike APT29, which did so in %AppData%.\r\nIOCs\r\nCampaign: Sun Jichao – Peking University – Master\r\nFile | Hash\r\n孙继超-北京大学-硕士.pdf.lnk | D5A8B6635240CC190BC869A2A41BC437A48BFBFCCE0D218B879D9768D85D1D6F\r\naaa.bat | F1F6BB1BDF41217D26EC33E00E1E52FBC479E636B5D43671736905210FC4D734\r\naaa.bat (DECIPHERED) | A5A0BEE3304C77BDB5B6DCC4EDAFBFC941CDC0B5153E3D82E2689150E83B1329\r\nmbp.tmp (appvisvsubsystems64.dll) | 6B13519A3AEA8747400932191048D5DAB7DACCB3FD45A3F5E0FFD34C32AED35D\r\nappvisvsubsystems64.dll (UNPACKED) | D465F6DA893F2F76CDFB7089C3B9292D09A201E7D0FAEFB0F88A8B8BA5FD3FBA\r\nwda.tmp (OfficeUpdate.exe) [Legit] | DD657A7A3688D039F0A208F39B1128EC447689EE664C6695D5C7E384DCDC1014\r\n孙继超-北京大学-硕士.pdf (Decoy) | E15EE2E8ED2C3F37C1B47BF67E81AA2E89B0CE7B3159918A32DA2E30420E6819\r\nC2: info.gtjas.site\r\nCampaign: 2023 Medical Examination Program\r\nFile | Hash\r\n2023年体检项目.exe [Legit] | DD657A7A3688D039F0A208F39B1128EC447689EE664C6695D5C7E384DCDC1014\r\nappvisvsubsystems64.dll | FC6847A8B62AF02C2D1EFF1D77F7D8B90CBD34654AFF38C671D86194D351CD6E\r\nappvisvsubsystems64.dll (UNPACKED) | 4C750B8471BFEC0ED2DCF1A856163601FC140EB892710B8415D505A9088BD7F3\r\nC2: hxxp://123.60.168.]69:443/jquery-3.3.2.slim.min.js\r\nCampaign: Beijing Municipal Communications Commission Year-end Summary Report – Template 1\r\nFile | Hash\r\n北京市交通委年终总结报告-模版1.pdf | D5A8B6635240CC190BC869A2A41BC437A48BFBFCCE0D218B879D9768D85D1D6F\r\naaa.bat | F7CC627464981B8918347487BDC73C2026B645FD31A1FBAB4D5FCC03CBE88901\r\naaa.bat (DECIPHERED) | 256357877AE60DB9AD247AEF686AA3AAECB7DE0FDB84ED35EA91B28BE9725E36\r\n北京市交通委年终总结报告-模版1.pdf (Decoy) | 7EE465B6132819063B741D7F60246A539A1624E0667098BB162E22DE0D06CF2E\r\nSource: https://lab52.io/blog/beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://lab52.io/blog/beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users/"
	],
	"report_names": [
		"beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434376,
	"ts_updated_at": 1775792236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e5a8daf6e541dbd4e352e212ae403c148c94d6dd.pdf",
		"text": "https://archive.orkl.eu/e5a8daf6e541dbd4e352e212ae403c148c94d6dd.txt",
		"img": "https://archive.orkl.eu/e5a8daf6e541dbd4e352e212ae403c148c94d6dd.jpg"
	}
}