{
	"id": "c8d2f592-a986-4d6d-ae5a-eee1e28f0686",
	"created_at": "2026-04-06T00:11:50.403628Z",
	"updated_at": "2026-04-10T03:37:36.869949Z",
	"deleted_at": null,
	"sha1_hash": "e6d7f268478f9271e344ffc68f861b17b17969da",
	"title": "Please Confirm You Received Our APT | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 403850,
	"plain_text": "Please Confirm You Received Our APT | FortiGuard Labs\r\nBy Fred Gutierrez\r\nPublished: 2022-05-11 · Archived: 2026-04-05 21:27:48 UTC\r\nBecause we are constantly monitoring the threat landscape, FortiGuard Labs has the opportunity to see many unique and\r\nnovel attacks. Recently, one of our sample collectors was able to find one such incident. It began with a spearphishing email\r\nto a diplomat in Jordan. Like many of these attacks, the email contained a malicious attachment. However, the attached\r\nthreat was not garden-variety malware. Instead, it had the capabilities and techniques usually associated with advanced\r\npersistent threats (APTs). Based on the techniques used in this attack, it appears to be another campaign launched by APT34.\r\nThe rest of this blog will analyze the attack chain associated with this email and the traits that set it apart from average\r\nmalware, such as DNS tunneling and stateful programming.\r\nAffected Platforms: Microsoft Windows\r\nImpacted Users: Targeted Windows users\r\nImpact: Collects sensitive information from the compromised machine\r\nSeverity Level: Medium\r\nSpearphishing Email\r\nThis spearphishing attack targeted a Jordanian diplomat, with the sender pretending to be a colleague from the IT\r\ndepartment of the same governmental organization.\r\nFigure 1. Spearphishing email\r\nLooking at the headers of the email, we can determine that the email originated from outside the organization. But while it\r\ncame from an external email address, it used the first and last name of an employee in the IT department. The alert diplomat\r\nhttps://www.fortinet.com/blog/threat-research/please-confirm-you-received-our-apt\r\nPage 1 of 16\n\ndecided to forward this to the real employee. This may have been done to verify the authenticity of the original email or,\r\nmore likely, for further analysis within the IT department. 
As suggested in the email body, the attached Excel file contained a\r\nconfirmation form for the targeted diplomat to fill out.\r\nFor those technically inclined, the next few sections break down the “how” and “what happened” of this malware. Other\r\nreaders should feel free to skip to the “C2 Servers” section for details on how to protect your organization.\r\nMalicious Excel File\r\nThe attached Excel file contains a malicious VBA (Visual Basic for Applications) macro as opposed to the Excel 4.0 macro sheets\r\nthat other malware such as Emotet and QBot typically use. In many cases, a malicious macro may install some sort of stager,\r\nsuch as those deployed by Cobalt Strike or Metasploit. In other cases, the macro may use living-off-the-land techniques to\r\ndownload and execute a second-stage binary. Another option a macro may use is to simply drop and run a malicious binary.\r\nIn this attack, the macro uses the latter option. This, however, is where the similarities to other phishing attacks end.\r\nFigure 2. Macro opening\r\nOne of the unique techniques seen in this macro is the toggling of sheet visibility. In most attacks involving Excel, no hidden\r\nsheets are used. And in those cases where hidden sheets are used, the hidden sheet typically holds the malicious code. In this\r\nattack, however, the visibility of two sheets is quickly switched as soon as the workbook is opened. One possible reason for\r\nthis may be as an anti-emulation technique. Emulators (such as the freely available ViperMonkey) may or may not support\r\nall Excel functionality, such as the hiding of sheets.\r\nIncidentally, lines 16 and 17 are commented out. Perhaps these lines were used for testing purposes or were part of a\r\ndifferent lure, one in which TeamViewer (remote access and control software used for device maintenance) was used.\r\nThe astute observer may have also noticed line 25 in the previous image. 
Line 25 calls a function that contacts the C2 server.\r\nFigure 3. C2 contact\r\nUnlike most malicious macros, this one uses WMI (Windows Management Instrumentation) to ping the C2 server instead of\r\na more commonly used tool, such as PowerShell or CMD. Furthermore, this function is called multiple times during macro\r\nexecution. It basically works as a state monitor to keep track of what’s happening during the attack. The tMsg variable\r\nchanged during different stages of the attack, allowing the attackers to view their network logs to see the state of their\r\nmacro. The rds variable is a random four-digit number, with the same four digits used consistently throughout the macro\r\nstate check-in process.\r\nC2 Macro State\r\nqwzbabz[four-digits].joexpediagroup[.]com Macro start\r\nqwzbbbz[four-digits].joexpediagroup[.]com Connected successfully to task scheduler\r\nqwzbaez[four-digits].joexpediagroup[.]com Successfully created malicious PE file\r\nqwzbbez[four-digits].joexpediagroup[.]com Successfully created XML config file\r\nqwzbcez[four-digits].joexpediagroup[.]com Successfully created signed Microsoft PE file\r\nqwzbdez[four-digits].joexpediagroup[.]com Double-check malicious PE file was created\r\nqwzbeez[four-digits].joexpediagroup[.]com Successful manual execution of malicious PE file\r\nqwzafzz[four-digits].joexpediagroup[.]com Begin task scheduler configuration for persistence\r\nqwzbbfz[four-digits].joexpediagroup[.]com Successfully created scheduled task\r\nFigure 4. Table of states\r\nAs alluded to in the table above, the macro has the capability to create three files. A malicious PE file was created\r\nas %LocalAppData%\\MicrosoftUpdate\\update.exe. A configuration file was created\r\nas %LocalAppData%\\MicrosoftUpdate\\update.exe.config. 
And the third\r\nfile, %LocalAppData%\\MicrosoftUpdate\\Microsoft.Exchange.WebServices.dll, was signed and clean.\r\nWhile the malware authors decided to store these three files inside the Excel file, they again chose to do so in a way that is\r\nnot commonly seen.\r\nFigure 5. Form caption\r\nThree user forms are stored inside the Excel file. Each user form has a label, and each label has a caption. As seen in the\r\nimage above, the caption contains base64 encoded data. Form1 contains the malicious update.exe file. Form2 contains the\r\nconfiguration file. And Form3 contains the clean Microsoft file. We will explore these files further later in this blog.\r\nThe malware authors also used the Excel macro to create a persistence method for their update.exe file. They accomplished\r\nthis by setting a scheduled task. \r\nFigure 6. Scheduled task\r\nThe task is named MicrosoftUpdate and repeats every 4 hours. The macro also uses deprecated IdleSettings properties, such\r\nas Duration (which starts the task only if the computer has been idle for ten minutes) and WaitTimeout (which determines\r\nhow long to wait for an idle condition). This task was set to allow 20 days to complete. Taking into account the date of the\r\nemail and assuming the task ran immediately, the task would run until at least May 16, 2022.\r\nIn addition to the visibility switch technique described earlier, a second technique was also seen in this macro to possibly\r\navoid automated analysis. This macro does this by checking for the existence of a mouse. If a mouse is not connected, the\r\nmacro does not create any of the three files. There are a couple of instances where a mouse would not be attached to a\r\ncomputer. First, a mouse is not necessarily needed if the computer is controlled remotely. The only mouse needed would be\r\ninstalled on the controlling computer. 
And second, a mouse is not needed if an analysis machine is simply processing and\r\nemulating Office files. A script can be created to automatically perform all the actions necessary without a mouse.\r\nAs far as malicious macros go, this one contains several techniques not normally seen in most attacks. This suggests that\r\nmore time and care have been given to developing this portion of the attack. In the next section, we will look at the files that\r\nwere created by this macro.\r\nDropped Files\r\nAs explained earlier, this malicious Excel macro includes the ability to create three files. In this section, we will look at them\r\nindividually, starting with the two benign files.\r\nA signed file was embedded inside the Excel file and dropped to the following\r\nlocation: %LocalAppData%\\MicrosoftUpdate\\Microsoft.Exchange.WebServices.dll. Another innocuous file was dropped\r\nas %LocalAppData%\\MicrosoftUpdate\\update.exe.config. Its contents are to be used as configuration data. Here are the\r\ncontents after decoding:\r\nFigure 7. Config data\r\nThe third file is the actual malware. It was created in the same location as the two previously dropped files,\r\nas %LocalAppData%\\MicrosoftUpdate\\update.exe. It was a .NET binary and contained the main payload.\r\nThis malware binary was certainly developed by the same group that created the Excel macro, as there are similarities\r\nbetween the two. One similarity deals with the idea of states and the tracking of what was happening at any given point in\r\ntime within the execution flow. Since .NET is a far more capable programming platform than VBA scripting, the\r\nmalware binary has a much easier way of keeping state. \r\nFigure 8. Dictionary of states\r\nThe figure above shows a partial state dictionary defined by the malware. 
Depending on the execution flow and what state\r\nthe malware lands in, certain delays are introduced.\r\nFigure 9. Delay times in milliseconds\r\nThese delays are executed by calling the Sleep() function. In .NET, Sleep() accepts values in milliseconds. In certain cases,\r\nfor example, from DelayMinAlive to DelayMaxAlive, the malware can sleep anywhere from 6 to 8 hours!\r\nWhile this malware sleeps in certain program states, other program states require it to contact the C2 server. Like the Excel\r\nmacro, it contacts seemingly random subdomains. However, in actuality, it uses a domain generation algorithm (DGA) to\r\ncalculate a subdomain.\r\nFigure 10. DGA\r\nThe malware constructs the DGA by first randomly assigning a value to _AgentID. This value is then fed as a seed into\r\nthe RandomMersenneTwister function, highlighted above. It then performs further calculations using the haruto string as\r\nwell as the strings found in the CharsDomain and CharsCounter variables. Once a subdomain string is generated, the\r\nmalware randomly chooses one of three domains to concatenate with (joexpediagroup[.]com, asiaworldremit[.]com,\r\nor uber-asia[.]com).\r\nOnce the URL is generated, the next step the malware takes is to check for the C2 server’s DNS data.\r\nFigure 11. DNS\r\nWhen DNS is queried for a domain, a DNS server returns an IP address that points to the requested domain. The malware\r\nthen checks the first octet of the IP address to ensure the value is at least 128 to be considered valid. Perhaps this is a way for\r\nthe malware to avoid internal IP addresses, such as the 127[.]0[.]0[.]1 local loopback address or the 10[.]0[.]0[.]0 internal\r\nsubnet. 
Lines 260-261 are used to define the byte array DnsClass._ReceiveData with a size defined by the remaining octets.\r\nFor example, a DNS test server is set up to return the IP address 192[.]5[.]4[.]3 for any DNS requests. That means the byte\r\narray has a size of 0x050403. Later in the malware’s execution flow, this data from the DNS request is used to\r\ndefine TaskClass properties. \r\nFigure 12. DNS tunneling\r\nSpecifically on line 245, TaskClass.ListData is set to the received data from the DNS request. In the end, this basically\r\nmeans that this malware is receiving tasks inside a DNS response. Apparently, this malware uses DNS tunneling to\r\ncommunicate with its C2. APT34 has historically used DNS for communications as well.\r\nSeveral types of tasks are defined for this malware.\r\nFigure 13. Task types\r\nThis malware has the ability to take a DNS response and create an arbitrary file on the infected machine if that was the task\r\nthe malware authors wanted to perform. File and CompressedFile are task types used to create a file. The remaining task\r\ntypes are used to send backdoor commands to the malware. These backdoor commands are meant to be executed through\r\nPowerShell or through the Windows CMD interpreter. 
The following table lists supported commands.\r\nCommand Interpreter Payload\r\n1 PS Get-NetIPAddress -AddressFamily IPv4 | Select-Object IPAddress\r\n2 PS Get-NetNeighbor -AddressFamily IPv4 | Select-Object \"IPADDress\"\r\n3 CMD whoami\r\n4 PS [System.Environment]::OSVersion.VersionString\r\n5 CMD net user\r\n7 PS Get-ChildItem -Path \"C:\\Program Files\" | Select-Object Name\r\n8 PS Get-ChildItem -Path 'C:\\Program Files (x86)' | Select-Object Name\r\n9 PS Get-ChildItem -Path 'C:' | Select-Object Name\r\n10 CMD hostname\r\n11 PS Get-NetTCPConnection | Where-Object {$_.State -eq \"Established\"} | Select-Object \"LocalAddress\", \"LocalPort\", \"RemoteAddress\", \"RemotePort\"\r\n12 PS $(ping -n 1 10.65.4.50 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.4.51 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.65.65 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.53.53 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.21.200 | findstr /i ttl) -eq $null\r\n13 PS nslookup ise-posture.mofagov.gover.local | findstr /i Address;nslookup webmail.gov.jo | findstr /i Address\r\n14 PS $(ping -n 1 10.10.21.201 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.19.201 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.19.202 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.24.200 | findstr /i ttl) -eq $null\r\n15 PS $(ping -n 1 10.10.10.4 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.50.10 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.22.50 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.45.19 | findstr /i ttl) -eq $null\r\n16 PS $(ping -n 1 10.65.51.11 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.6.1 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.52.200 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.6.3 | findstr /i ttl) -eq $null\r\n17 PS $(ping -n 1 10.65.45.18 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.28.41 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.36.13 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.51.10 | findstr /i ttl) -eq $null\r\n18 PS $(ping -n 1 10.10.22.42 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.23.200 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.45.19 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.19.50 | findstr /i ttl) -eq $null\r\n19 PS $(ping -n 1 10.65.45.3 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.4.52 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.31.155 | findstr /i ttl) -eq $null;$(ping -n 1 ise-posture.mofagov.gover.local | findstr /i ttl) -eq $null\r\n20 PS Get-NetIPConfiguration | Foreach IPv4DefaultGateway | Select-Object NextHop\r\n21 PS Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object SERVERAddresses\r\n22 CMD systeminfo | findstr /i \\\"Domain\\\"\r\nFigure 14. Table of backdoor commands\r\nCommand 6 is actually missing from this malware. Whether a file is uploaded or a backdoor command is executed, there\r\nis some sort of output. This output is then formatted and compressed using .NET’s compression mode. After the result is\r\nencoded with base32, this new result is then incorporated into the DGA. Base32 is also the same encoding scheme that\r\nAPT34 has used.\r\nFigure 15. DNS exfiltration\r\nThis is how the malware exfiltrated the data. It may look like a simple DNS request in a network log, but the exfiltrated data\r\nis actually built into the DNS request.\r\nWith the amount of work put into developing this malware, it does not appear to be the type to execute once and then delete\r\nitself, like other stealthy infostealers. Perhaps to avoid triggering any behavioral detections, this malware also does not\r\ncreate any persistence methods. 
Instead, it relies on the Excel macro to create persistence by way of a scheduled task. Since\r\nExcel is a signed binary, maintaining persistence in this way may be missed by some behavioral detection engines. The\r\nproblem with using a scheduled task as a persistence mechanism, however, is that it runs the risk of having multiple copies\r\nof itself running concurrently. To avoid this problem, the malware creates a mutex. A mutex (mutual exclusion object) is a\r\nprogram object that is created so multiple program threads can take turns sharing the same resource. In its most basic\r\ndefinition, it is simply a locking mechanism. If a mutex with a value of 726a06ad-475b-4bc6-8466-f08960595f1e already\r\nexists on the system, it means there is already a previous instance of the malware running on the infected computer. As a\r\nresult, if a scheduled task starts another copy of the malware, the malware detects the mutex, and it is terminated\r\nimmediately.\r\nC2 Servers\r\nThis malware has the ability to contact three domains (joexpediagroup[.]com, asiaworldremit[.]com, uber-asia[.]com).\r\nSimilarly, the Excel macro is able to contact the joexpediagroup[.]com domain.\r\nUber-asia[.]com\r\nThis domain, which may be imitating Uber rideshare for Asia, was registered slightly more than two months ago, on\r\nFebruary 27, 2022. According to passive DNS records, this domain resolves to 127[.]0[.]0[.]1. Interestingly enough,\r\nVirusTotal was able to record a DNS entry.\r\nFigure 16. Virustotal DNS results\r\nThis certainly fits the format used by the malware. The subdomain appears to be a DGA. The first octet of the IP address is\r\ngreater than 128, and the remaining octets define the size of the command to be executed. Unfortunately, the rest of the DNS\r\ndata is not available. 
This suggests that the malware operators are closely monitoring this C2 server and only activate it\r\nwhen necessary.\r\nJoexpediagroup[.]com\r\nThis domain, which may be imitating Expedia travel for Jordan, was created earlier this year, on January 20, 2022.\r\nSometime after April 20, 2022, this domain also started resolving to 127[.]0[.]0[.]1, most likely for the same reason as\r\nabove. Prior to that, however, the domain resolved to 45[.]11[.]19[.]47. The server also had SSH port 22 open. Our own\r\nFortinet telemetry detected someone connecting to this IP address from the country of Jordan.\r\nAsiaworldremit[.]com\r\nThis domain, which may be imitating WorldRemit for Asia, was created on the same day as the first C2 server, on February\r\n27, 2022. Around April 19, 2022, this domain also resolved to 127[.]0[.]0[.]1. Prior to that, however, it resolved to\r\n193[.]239[.]84[.]207. In the past, this IP address has been used by the NSO group with their Pegasus spyware. According to\r\nour telemetry, this IP address has also been used by APT34/OilRig/Helix Kitten and Gozi ISFB. It has also been used as a\r\nVPN address. Passive DNS records indicate the IP address is currently hosting several suspiciously-named domains, some\r\nof which are listed below.\r\nRegistered Domain Attempting to masquerade as\r\nastrazeneeca[.]com AstraZeneca\r\nastrazencea[.]com AstraZeneca\r\nhsbcbkcn[.]com HSBC Bank China\r\nvaltronics-ae[.]com Valtronics AE\r\nntu-sg-edu[.]com Nanyang Technological University Singapore\r\ntheworldbank[.]uk World Bank Group\r\ncoinbasedeutschland[.]com Coinbase for Germany\r\ncisco0[.]com Cisco\r\nFigure 17. 
Fake domains\r\nThe three C2 domains used by this malware seem to have a similar naming convention as the other domains found on this IP\r\naddress.\r\nConclusion\r\nThe amount of effort put into developing this attack is much higher than the average run-of-the-mill phishing/spam\r\ncampaign, putting it on the level of an APT attack. From the start, the attackers posed as a valid user and kept the email short\r\nwithout any grammatical errors. They then proceeded to use an Excel macro with advanced techniques, including possible\r\nanti-analysis techniques with the mouse check and the sheet visibility switch.\r\nFurthermore, while state programming is rarely used in malware, in this attack, both the Excel macro and the malware make\r\nuse of it. After checking in, the malware sleeps for 6-8 hours. One likely reason might be that the threat actors expected the\r\ndiplomat to open the spearphishing email in the morning and then leave at the end of the day. At that point, the attackers\r\nwould be free to operate.\r\nWhile using DNS tunneling for C2 communications is nothing new, it is rarely seen in practice. Their backdoor also\r\nsupports a long list of very specific commands. From the looks of things, the threat actors did their homework since their\r\nbackdoor commands clearly demonstrate they already had prior knowledge of their target’s internal network infrastructure.\r\nThis indicates that the threat actors most likely gained limited access somewhere else before this spearphishing attempt was\r\nmade.\r\nLooking at their C2 servers, two out of the three seem to be tightly controlled. They were only brought up at specific times.\r\nThe third C2 server has been lumped in with various other domains to further complicate proper attribution. Given all the\r\nbreadcrumbs, this campaign looks to be another one launched by APT34. 
They have demonstrated they possess the\r\nresources necessary to infiltrate a government network and are no strangers to using more advanced techniques.\r\nFortinet Protections\r\nFortinet customers are protected from this malware by FortiGuard’s Web Filtering, AntiVirus, FortiMail, FortiClient,\r\nFortiEDR, and CDR (content disarm and reconstruction) services:\r\nThe FortiGuard Antivirus service detects and blocks the malicious Excel file as MSExcel/Agent.7CCA!tr and the malware\r\nbinary as MSIL/Agent.A52D!tr.\r\nThe malicious macros inside the Excel sample can be disarmed by the FortiGuard CDR (content disarm and reconstruction)\r\nservice.\r\nFortiEDR detects the Excel file and the malware binary as malicious based on their behavior.\r\nFortinet customers are protected from this malicious Excel file and malware binary by FortiGuard AntiVirus, which is\r\nincluded in FortiMail. It detects all malicious macro file types, including Excel 4.0 Macro samples.\r\nAll relevant URLs have been rated as \"Malicious Websites\" by the FortiGuard Web Filtering service.\r\nIOCs\r\nFiles\r\nIndicator SHA256\r\nConfirmation Receive Document.xls 82A0F2B93C5BCCF3EF920BAE425DD768371248CDA9948D5A8E70F3C34E9F7CCA\r\nMicrosoft.Exchange.WebServices.dll 7EBBEB2A25DA1B09A98E1A373C78486ED2C5A7F2A16EEC63E576C99EFE0C7A4\r\nupdate.exe.config C744DA99FE19917E09CD1ECC48B563F9525DAD3916E1902F61B79BDA35298D87\r\nupdate.exe E0872958B8D3824089E5E1CFAB03D9D98D22B9BCB294463818D721380075A52D\r\nOther\r\nIndicator Value\r\nMutex 726a06ad-475b-4bc6-8466-f08960595f1e\r\nC2 domain joexpediagroup[.]com\r\nC2 domain asiaworldremit[.]com\r\nC2 domain uber-asia[.]com\r\nMitre TTPs\r\nInitial Access\r\nT1566.001 Spearphishing\r\nExecution\r\nT1059.001 PowerShell\r\nT1059.003 Windows Command 
Shell\r\nT1053.005 Scheduled Task\r\nT1204.002 Malicious File\r\nT1047 Windows Management Instrumentation\r\nPersistence\r\nT1053.005 Scheduled Task\r\nDefense Evasion\r\nT1480 Execution Guardrails\r\nDiscovery\r\nT1087.001 Local Account\r\nT1083 File and Directory Discovery\r\nT1049 System Network Connections Discovery\r\nCommand and Control\r\nT1071.004 DNS\r\nT1132.002 Non-Standard Encoding\r\nT1568.002 Domain Generation Algorithms\r\nExfiltration\r\nT1041 Exfiltration Over C2 Channel\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security\r\nSubscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/please-confirm-you-received-our-apt",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/please-confirm-you-received-our-apt"
	],
	"report_names": [
		"please-confirm-you-received-our-apt"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434310,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e6d7f268478f9271e344ffc68f861b17b17969da.pdf",
		"text": "https://archive.orkl.eu/e6d7f268478f9271e344ffc68f861b17b17969da.txt",
		"img": "https://archive.orkl.eu/e6d7f268478f9271e344ffc68f861b17b17969da.jpg"
	}
}