{
	"id": "5e5dcb56-6db5-4faf-834f-ab044f042f4b",
	"created_at": "2026-04-06T00:18:43.799408Z",
	"updated_at": "2026-04-10T03:21:07.893618Z",
	"deleted_at": null,
	"sha1_hash": "e617eda7b04abf7a606d91262df4684fc047e188",
	"title": "New Malware 'Rover' Targets Indian Ambassador to Afghanistan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1458952,
	"plain_text": "New Malware 'Rover' Targets Indian Ambassador to Afghanistan\r\nBy Vicky Ray, Kaoru Hayashi\r\nPublished: 2016-02-29 · Archived: 2026-04-05 15:53:35 UTC\r\nOn December 24, 2015, Unit 42 identified a targeted attack, delivered via email, on a high-profile Indian diplomat, the Ambassador to Afghanistan. The body and content of the email suggest it was crafted and spoofed to look as if it had been sent by the current Defence Minister of India, Mr. Manohar Parrikar, commending the Ambassador on his contributions and success.\r\nIndia has been a key nation in building and funding Afghanistan’s infrastructure and economic development, which includes setting up iron ore mines, steel plants, power plants and transportation systems, helping reconstruct the Salma Dam and constructing a new Parliament Complex for the Afghan Government.\r\nGiven India’s significant contributions to the development of Afghanistan, there are likely groups or nations interested in tracking and spying on the key individuals who officially represent India in Afghanistan.\r\nOverview of Rover infection\r\nFigure 1 gives an overview of the exploitation, infection and C2 communications of the 'Rover' Trojan campaign targeting a victim running Windows XP.\r\nFigure 1: Overview of the infection flow and C2 communications\r\nRover Trojan Infection Steps:\r\n1. The RTF file exploits CVE-2010-3333 and downloads an executable from newsumbrella[.]net.\r\n2. The executable downloaded from newsumbrella[.]net is executed on the victim machine.\r\n3. The executable 'file.exe' is a downloader that calls out to a server at IP 46.166.165.254 and downloads the main Rover malware along with the plugins it uses.\r\n4. 
Rover malware and plugins are downloaded and installed on the victim machine.\r\nhttp://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/\r\nPage 1 of 11\n\n5. Data is exfiltrated from the victim machine.\r\nTargeting and Infection\r\nFigure 2 shows the email sent to the Ambassador of India. It appears to commend the contributions the Ambassador has made to the development and success of projects of national interest, and attaches a letter of appreciation with the file name “Appreciation_letter.doc”.\r\nThe attachment is an RTF file which exploits a specific vulnerability in Microsoft Word, CVE-2010-3333.\r\nFigure 2: Spear phishing email sent to the Indian Ambassador to Afghanistan\r\nIf the recipient of the e-mail opened the attachment in a vulnerable version of Word, the exploit code would download and execute a file from the domain newsumbrella[.]net, as shown in Figure 3 below.\r\nFigure 3: Hexdump showing the domain and the executable downloaded\r\nMalware Analysis\r\nAt the time of analysis the executable file systemupdateAPI.exe was no longer being hosted on the newsumbrella[.]net domain. However, we have seen the same domain host another executable in the past, within the same parent directory and with a similar folder naming scheme, as shown below:\r\nnewsumbrella[.]net/ne3s/lat3st/w0rld/systemupdateAPI[.]exe\r\nnewsumbrella[.]net/ne3s/file[.]exe – hosted earlier\r\nWe believe that the executables hosted under the parent directory ‘ne3s’ are variants of the same downloader Trojan, which was used to download the Rover Trojan. 
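The lure is an RTF document delivered under a .doc name. A mail gateway or triage script can catch exactly that mismatch, and the pFragments shape property that CVE-2010-3333 exploits, before Word ever opens the file. The following Python is an added example and not code from the Unit 42 report; the three attachments it checks are constructed here, and the pFragments test is a heuristic: it flags the property the public exploits use, not the overflow itself, so a rare legitimate RTF that sets it would also be held.

```python
'''Triage a mail attachment the way the Rover lure could have been caught at
the gateway: a file named *.doc that is really RTF, carrying the pFragments
shape property that CVE-2010-3333 exploits. Added example; not Unit 42 code.'''

BS = bytes([0x5C])                               # a single backslash, spelled out as 0x5C
RTF_MAGIC = b'{' + BS + b'rtf'                   # every RTF file opens with this
OLE_MAGIC = bytes.fromhex('d0cf11e0a1b11ae1')    # binary .doc/.xls/.ppt (CFB) header
ZIP_MAGIC = b'PK' + bytes([0x03, 0x04])          # .docx/.xlsx/.pptx (OOXML) header

# Shape property name used by the public CVE-2010-3333 exploits (its sv value
# is oversized). Ordinary documents almost never set it, so presence is a flag.
PFRAGMENTS = b'pFragments'


def sniff_type(data: bytes) -> str:
    '''Classify by content, ignoring leading whitespace some mailers add.'''
    head = data.lstrip()[:8]
    if head.startswith(RTF_MAGIC):
        return 'rtf'
    if head.startswith(OLE_MAGIC):
        return 'ole'
    if head.startswith(ZIP_MAGIC):
        return 'ooxml'
    return 'unknown'


def expected_type(filename: str) -> str:
    '''What the extension claims the container should be.'''
    ext = filename.rsplit('.', 1)[-1].lower() if '.' in filename else ''
    if ext in ('doc', 'xls', 'ppt'):
        return 'ole'
    if ext in ('docx', 'xlsx', 'pptx'):
        return 'ooxml'
    if ext == 'rtf':
        return 'rtf'
    return 'unknown'


def triage_attachment(filename: str, data: bytes) -> dict:
    '''Return the detected type, the reasons to distrust the file, and a verdict.'''
    actual, claimed = sniff_type(data), expected_type(filename)
    flags = []
    if 'unknown' not in (actual, claimed) and actual != claimed:
        flags.append(f'extension claims {claimed} but content is {actual}')
    if actual == 'rtf' and PFRAGMENTS in data:
        flags.append('RTF sets the pFragments shape property (CVE-2010-3333 vector)')
    return {'file': filename, 'detected': actual, 'flags': flags,
            'verdict': 'block' if flags else 'allow'}


# Constructed samples (not the real attachments): a pFragments lure named like
# the one sent to the Ambassador, a clean binary .doc and a clean RTF.
LURE_RTF = (RTF_MAGIC + b'1{' + BS + b'shp{' + BS + b'sp{' + BS + b'sn pFragments}{'
            + BS + b'sv 1;4;' + b'41' * 4096 + b'}}}}')
BENIGN_DOC = OLE_MAGIC + bytes(504)
BENIGN_RTF = RTF_MAGIC + b'1' + BS + b'ansi Quarterly report}'

if __name__ == '__main__':
    for name, blob in (('Appreciation_letter.doc', LURE_RTF),
                       ('Appreciation_letter.doc', BENIGN_DOC),
                       ('notes.rtf', BENIGN_RTF)):
        print(triage_attachment(name, blob))
```

The magic-number check alone is worth keeping even where the pFragments heuristic is too noisy: Word happily opens RTF under a .doc name, which is what made the lure work, and nothing legitimate needs that mismatch.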
The file, file.exe, contains the following debug information, which indicates that the file was originally named systemupdateAPI.exe.\r\nFigure 4: Debug information of downloader program\r\nBy analyzing file.exe, we can see that it is a downloader which creates the ‘c:\\system’ directory and, depending on the OS version in use, downloads the main Rover payload along with multiple DLL modules from 46.166.165.254.\r\nFigure 5: Code snippet showing the OS version check and the subsequent download from 46.166.165.254\r\nIf the infected system is running an OS version prior to Windows Vista, the downloader retrieves the following files from 46.166.165.254:\r\nWindowsSecurityService2.exe ('Rover' main module)\r\nOpenal32.dll\r\nCxcore210.dll (OpenCV)\r\nHighgui210.dll (OpenCV)\r\nlibsndfile-1.dll\r\nIf the OS version is Windows Vista or later, it retrieves the following files from 46.166.165.254:\r\nWindowsSecurityService3.exe ('Rover' main module)\r\nOpenAL32.dll\r\nopencv_world300.dll\r\nmsvcp100.dll\r\nmsvcp110.dll\r\nmsvcp120.dll\r\nmsvcr100.dll\r\nmsvcr110.dll\r\nmsvcr120.dll\r\nAfter retrieving these files, the downloader Trojan executes the main module. Even though the two main modules are linked against different library versions, the functionality of the backdoors is identical.\r\nBy analyzing the files downloaded to the victim machine, we can see that the executable WindowsSecurityService2.exe imports the four DLL files that were downloaded to the same directory. 
The four DLLs are cxcore210.dll, highgui210.dll, OpenAL32.dll and libsndfile-1.dll, as shown in Figure 6.\r\nFigure 6: Executable and DLLs downloaded to the victim machine\r\nAttributes of the Rover variant\r\n##############################################\r\nFile: WindowsSecurityService2.exe\r\n##############################################\r\nMeta-data\r\n===============================================\r\nSize          : 337920 bytes\r\nType          : PE32 executable (console) Intel 80386, for MS Windows\r\nArchitecture  : 32 Bits binary\r\nMD5           : 76429f8515768f9f5def697e71071f51\r\nSHA1          : d04ce934561934f758d77dfa944bd6743dd82cff\r\nSHA256        : 7757517ae6b4d513a57826f9ab65bd070d99d25ac526cfae3e9955c3c7cd457a\r\nssdeep        : 6144:JabBRNUKgZ9SN0jzoFBB9hcrpXwg9xXYOGl93XO2rQLfbTpLuO7bIWjRO5gjPNq:JarSKu6yzoF8rpAqXYv3XOgQLfnpL\r\nimphash       : b5aa366f452feb9f4dff3c72157ca1f9\r\nDate          : 0x5637227B [Mon Nov 2 08:44:43 2015 UTC]\r\nLanguage      : ENGLISH\r\nCRC           : (Claimed) 0x59736, (Actual) 0x59736\r\nEntry Point   : 0x43e3c8 .text 0/5\r\n===============================================\r\nImports\r\n===============================================\r\n[1] ADVAPI32.dll\r\n[2] WS2_32.dll\r\n[3] WLDAP32.dll\r\n[4] cxcore210.dll (OpenCV module)\r\n[5] highgui210.dll (OpenCV module)\r\n[6] OpenAL32.dll\r\n[7] libsndfile-1.dll\r\n[8] GDI32.dll\r\n[9] KERNEL32.dll\r\n[10] USER32.dll\r\n[11] MSVCP90.dll\r\n[12] RPCRT4.dll\r\n[13] MSVCR90.dll\r\nThe author of 'Rover' used the following open source projects to implement the main functionality of this custom malware:\r\nOpenCV – Taking photos with the web cam\r\nOpenAL – Recording audio\r\nLibsndfile – C library for reading and writing audio files\r\nLibCurl – All network communications\r\nOpenCV and OpenAL\r\nBoth versions of Rover use OpenCV and 
OpenAL for some of their main functions.\r\nOpenCV is a library of functions written primarily for building real-time computer vision, image processing and machine learning applications. It has seen wide adoption in security systems, medical image analysis, unmanned vehicles, visual surveillance, object tracking, artificial intelligence and many other fields.\r\nOpenAL is a cross-platform audio API for rendering multichannel three-dimensional positional audio (that is, a means of generating audio in a three-dimensional space). Earlier versions of the OpenAL reference implementation were open source, but later versions (since v1.1) have been proprietary.\r\nOnce executed, Rover creates the following registry entry so that it runs again when the computer reboots:\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\"System Application\" = c:\\system\\WindowsSecurityService[2 or 3].exe\r\nThe malware then creates six threads, each with a different job:\r\nHeartbeat\r\nScreenshot\r\nStealing files from HDD\r\nKeylogger\r\nSearching files on USB\r\nBackdoor\r\nFigure 7: Threads created by the malware\r\n1. Heartbeat:\r\nSends a heartbeat signal over HTTP to the C2 server at 46.166.165.254 every five seconds and checks whether the C2 server is up.\r\n2. Screenshot:\r\nSaves a screenshot as c:\\system\\screenshot.bmp and sends it to the C2 server at 46.166.165.254 every 60 minutes.\r\nFigure 8: Screenshots sent to C2 server at 46.166.165.254\r\n3. Finding specific file types on removable drives:\r\nEvery 5 seconds, searches removable drives for files with the following extensions and copies them to ‘c:\\system’:\r\npdf\r\ndoc\r\ndocx\r\nppt\r\npptx\r\nxls\r\nxlsx\r\n4. 
Keylogger:\r\nLogs keystrokes to ‘c:\\system\\log.txt’ and sends the captured data to the C2 every 10 seconds.\r\n5. Stealing specific file types from the hard drive:\r\nEvery 60 minutes, searches fixed drives for files with the following extensions and sends them to the C2:\r\npdf\r\ndoc\r\ndocx\r\nppt\r\npptx\r\nxls\r\nxlsx\r\nFigure 9: Document file being sent to C2\r\n6. Backdoor:\r\nObtains backdoor commands from the C2 every 10 seconds and executes them. The backdoor commands are listed below:\r\nCommand – Description\r\nCAMERA – Take a photo with the system webcam, store it as c:\\system\\camera.jpg and send it to the C2.\r\nAUDIO – Record audio from the default audio input to c:\\system\\audio.ogg and send it to the C2.\r\nSCREEN – Take a screenshot, save it as c:\\system\\screenshot.bmp and send it to the C2.\r\nKILL – Remove the persistence registry entry and terminate.\r\nThough 'Rover' is unsophisticated and lacks many modern features common to advanced malware, its detection rate is extremely low. At the time of this writing, two out of three samples on VirusTotal were not detected by any antivirus product.\r\nFigure 10: No detection by any AV product on VirusTotal\r\nFigure 11: Low detection rate\r\nSummary\r\nOpenCV has been extensively used by organizations, government bodies and research groups for real-time capture, image manipulation, object detection and many other uses in new forms of human-computer interaction, security systems and driverless cars, among many others. OpenCV was also used by the Mars Rovers to send captured data back to Earth.\r\nIt is interesting to see the very code used in such significant projects also being used to track and spy on targeted individuals, while remaining undetected by traditional security systems. 
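The thread schedule described above is also the network signature: a 5-second heartbeat and a 10-second command poll to a single IP are periodic in a way human browsing never is, so the malware that AV misses is visible in proxy logs. The following Python is an added example and not part of the Unit 42 report. It flags both the known Rover infrastructure and any other low-jitter beacon; the log line format and the three hosts’ traffic are constructed here, and 203.0.113.7 and 198.51.100.20 are documentation addresses, not indicators.

```python
'''Spot Rover's C2 cadence in web-proxy logs. The main module sends an HTTP
heartbeat to 46.166.165.254 every 5 s and polls for backdoor commands every
10 s, so an infected host shows up as a low-jitter beacon to one destination.
Added example, not part of the Unit 42 report; the log format is constructed.'''
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median, pstdev

KNOWN_C2 = {'46.166.165.254'}          # C2 address from the report
KNOWN_HOSTS = {'newsumbrella.net'}     # first-stage hosting domain, refanged


def parse_line(line: str):
    '''Constructed format: <ISO timestamp> <src ip> <dst ip> <method> <url>.'''
    ts, src, dst, method, url = line.split(maxsplit=4)
    host = url.split('/')[2].split(':')[0].lower()
    return datetime.fromisoformat(ts), src, dst, method, host


def beacon_score(times):
    '''(median gap in seconds, jitter as stdev/median) for sorted timestamps.'''
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 4:
        return None
    m = median(gaps)
    return m, (pstdev(gaps) / m if m else float('inf'))


def detect(lines, max_jitter=0.15, min_hits=5):
    '''Map (src, dst) -> sorted reasons; pairs with no reason are omitted.'''
    seen = defaultdict(list)
    reasons = defaultdict(set)
    for line in lines:
        ts, src, dst, _method, host = parse_line(line)
        seen[(src, dst)].append(ts)
        if dst in KNOWN_C2 or host in KNOWN_HOSTS:
            reasons[(src, dst)].add('known Rover infrastructure')
    for pair, times in seen.items():
        if len(times) < min_hits:
            continue          # the 60-minute screenshot upload needs a longer window
        score = beacon_score(sorted(times))
        if score and score[1] <= max_jitter:
            reasons[pair].add(f'periodic beacon, ~{round(score[0])}s interval')
    return {pair: sorted(r) for pair, r in reasons.items()}


def _traffic(src, dst, host, gaps, start=datetime(2015, 12, 24, 9, 0, 0)):
    '''Build constructed log lines; gaps are seconds between consecutive requests.'''
    t, out = start, []
    for g in gaps:
        t += timedelta(seconds=g)
        out.append(f'{t.isoformat()} {src} {dst} GET http://{host}/')
    return out


# Constructed sample: one Rover heartbeat, one unknown beacon with the same
# shape (203.0.113.7 is a documentation address), and one person browsing.
SAMPLE_LOG = (
    _traffic('10.1.2.3', '46.166.165.254', '46.166.165.254',
             [0, 5.1, 4.9, 5.0, 5.2, 4.8, 5.0, 5.1, 4.9, 5.0])
    + _traffic('10.1.2.9', '203.0.113.7', '203.0.113.7',
               [0, 10.0, 9.8, 10.3, 9.9, 10.1, 10.0])
    + _traffic('10.1.2.5', '198.51.100.20', 'www.example.com',
               [0, 1.2, 37.0, 3.4, 120.5, 0.8, 15.0, 2.2])
)

if __name__ == '__main__':
    for (src, dst), why in sorted(detect(SAMPLE_LOG).items()):
        joined = '; '.join(why)
        print(f'{src} -> {dst}: {joined}')
```

The jitter threshold is the tuning knob: Rover uses fixed sleeps, so its interval barely moves, but software that randomises its sleep needs a looser bound and a longer window. The indicator match stays exact because the report gives a single IP and domain.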
Though 'Rover' is an unsophisticated malware lacking modern malware features, it seems to have succeeded in bypassing traditional security systems and fulfilling the threat actor’s objective of exfiltrating information from the targeted victim. It is important to understand the techniques and tools used by such threat actors in order to better defend and protect organizations from such threats.\r\nPalo Alto Networks AutoFocus users can identify this threat using the Rover tag.\r\nIOCs:\r\nC2:\r\n46.166.165.254\r\nDownloader hosting links:\r\nnewsumbrella[.]net/ne3s/lat3st/w0rld/systemupdateAPI[.]exe\r\nnewsumbrella[.]net/ne3s/file[.]exe\r\nnewsumbrella[.]net/bla3k/extra7/systemupdateAPI[.]exe\r\nFilename | File Type | SHA256\r\nAppreciation_letter.doc | RTF | 6c9862a65741b56b849928300aff310d60b815ee5f5f9f133469e3b035e7e936\r\nQuestionnaire.doc | RTF | 5f656cf07a1d5e7c439aad40235dc78e47bac719c62e03728cc40267383880bd\r\nTerrorism.doc;India \u0026 | RTF | 6096ff941af95638944f2fcdf4a5046aa028b803b010b1a2d000028b1a4967bc\r\nAppreciation_letter.doc | RTF | 7bf3a425be41ad9cc713e48216e061c788f36e2727de5d0b6b6ac4f435fe1c06\r\n(no filename) | RTF | 06b12649dba7f61cb581f97797bdfba3a7f057a36b448d4c91a3a7d89fff8d54\r\nWindowsSecurityService3.exe | PE | 61a2935fcb0a385f9e67855ef6f95bda5f09fdb7c1435f215ce18b7b61993daa\r\nfile.exe 
| PE | a5e5571cda838e97a6beb1a65acdfbaaf80027f60417aadb0d34292f19c0f3b3\r\nWindowsSecurityService2.exe | PE | 7757517ae6b4d513a57826f9ab65bd070d99d25ac526cfae3e9955c3c7cd457a\r\nWindowsSecurityService3.exe | PE | 3dc709a3bcaa82220d6a76ea47374bd864c37817c7041c7e9f4ee8ba42847f34\r\nReferences\r\nhttps://en.wikipedia.org/wiki/Afghanistan%E2%80%93India_relations\r\nhttp://docs.opencv.org/3.1.0/#gsc.tab=0\r\nhttp://docs.opencv.org/2.4/modules/highgui/doc/highgui.html\r\nhttps://en.wikipedia.org/wiki/OpenAL\r\nhttp://www.cs.uml.edu/~holly/teaching/91450/spring2013/bschroeder_vision_robotics1.pdf\r\nhttps://ti.arc.nasa.gov/m/pub-archive/422h/0422%20(Pedersen).pdf\r\nSource: http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/"
	],
	"report_names": [
		"new-malware-rover-targets-indian-ambassador-to-afghanistan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434723,
	"ts_updated_at": 1775791267,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e617eda7b04abf7a606d91262df4684fc047e188.pdf",
		"text": "https://archive.orkl.eu/e617eda7b04abf7a606d91262df4684fc047e188.txt",
		"img": "https://archive.orkl.eu/e617eda7b04abf7a606d91262df4684fc047e188.jpg"
	}
}