{
	"id": "d9bdc6e5-94be-42ab-9135-1df9c5e09674",
	"created_at": "2026-04-06T01:30:34.288925Z",
	"updated_at": "2026-04-10T03:32:09.278211Z",
	"deleted_at": null,
	"sha1_hash": "e73fd8b9d56f1a9d6fa037f3df40f5f8a25ad5c4",
	"title": "Bug in Malware “TSCookie” - Fails to Read Configuration - (Update) - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 568895,
	"plain_text": "Bug in Malware “TSCookie” - Fails to Read Configuration -\r\n(Update) - JPCERT/CC Eyes\r\nBy 朝長 秀誠 (Shusei Tomonaga)\r\nPublished: 2019-05-29 · Archived: 2026-04-06 00:31:49 UTC\r\nMay 30, 2019\r\nBlackTech\r\nOur past article has presented a bug in malware “TSCookie”, which is reportedly used by BlackTech attack group.\r\nThis article is to update the features of the malware.\r\nEven after we published the blog article in October 2018, the adversary had continued using the malware as it\r\nwas. Just in May 2019, we confirmed that the malware had its bug fixed and was used in some attack cases.\r\nDetails of the fix\r\nThe malware copies its configuration to the memory. In the previous version, the data size to be copied was\r\nincorrectly set, which resulted in the configuration not displayed properly (see the article for more details). In the\r\nupdated version, the data size is set to 0x1000 instead of 0x8D4.\r\nFig 1: Updates in TSCookie (Left: Code with the bug / Right: Updated code)\r\nThis update enables TSCookie to decode the configuration correctly. Fig 2 is the comparison of decoded\r\nconfiguration. This update has also fixed the issue where the malware fails to reconnect to a C\u0026C server for a few\r\ndays.\r\nhttps://blogs.jpcert.or.jp/en/2019/05/tscookie3.html\r\nPage 1 of 4\n\nFig 2: Decoded configurations of TSCookie (Left: Sample with the bug / Right: Updated sample)\r\nIn closing\r\nAs we pointed out before, it is likely that adversaries also follow publications and blogs from security vendors,\r\netc. We assume that the adversary recognised the bug on our blog and fixed the issue accordingly. If we see any\r\nupdates on the malware, we will introduce them here.\r\nHash values of the samples described in the article are listed in Appendix A, along with C\u0026C servers in Appendix\r\nB. 
Please make sure that none of your devices are accessing these hosts.\r\nThank you for reading.\r\nShusei Tomonaga\r\n(Translated by Yukako Uchida)\r\nAppendix A: Hash values (SHA-256) of the samples\r\nMalware with the bug\r\n96723797870a5531abec4e99fa84548837e9022e9f22074cf99973ab7df2a2e7\r\nUpdated malware\r\n1ec19677d1e48e4f6ff5f9fe7808b13964059e2ffd48ece19f7305d78e04ec4a\r\nc2c062ff84a18ad02e92dea0d6e12cafa66ff167ea8d02663fc9aae44de7f4e0\r\nAppendix B: List of C\u0026C servers\r\nwww.google.com.dns-report.com\r\nmicrosoft.com.appstore.dynamicdns.co.uk\r\ncartview.viamisoftware.com\r\n朝長 秀誠 (Shusei Tomonaga)\r\nSince December 2012, he has been engaged in malware analysis and forensics investigation, and is especially involved in analyzing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He has presented at CODE BLUE, BSidesLV, Black Hat USA Arsenal, Botconf, PacSec and the FIRST Conference. JSAC organizer.\r\nSource: https://blogs.jpcert.or.jp/en/2019/05/tscookie3.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2019/05/tscookie3.html"
	],
	"report_names": [
		"tscookie3.html"
	],
	"threat_actors": [
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439034,
	"ts_updated_at": 1775791929,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e73fd8b9d56f1a9d6fa037f3df40f5f8a25ad5c4.pdf",
		"text": "https://archive.orkl.eu/e73fd8b9d56f1a9d6fa037f3df40f5f8a25ad5c4.txt",
		"img": "https://archive.orkl.eu/e73fd8b9d56f1a9d6fa037f3df40f5f8a25ad5c4.jpg"
	}
}