{
	"id": "f02f4fe7-cf47-4916-8f75-a2ff72d3fcd4",
	"created_at": "2026-04-06T03:35:39.833144Z",
	"updated_at": "2026-04-10T03:29:58.023366Z",
	"deleted_at": null,
	"sha1_hash": "e78745a86e78dc7e5bd92e9cd41bf16f390a05b7",
	"title": "New DarkHotel APT attack chain identified | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3149173,
	"plain_text": "New DarkHotel APT attack chain identified | Zscaler\r\nBy Sahil Antil, Sudeep Singh\r\nPublished: 2021-12-16 · Archived: 2026-04-06 03:25:13 UTC\r\nSummary\r\nIn November 2021, ThreatLabz identified a previously undocumented variant of an attack chain used by the South Korea-based Dark Hotel APT group. We also discovered new activity on the command-and-control (C2) infrastructure previously associated with this APT group. The new activity on their infrastructure aligns with the type of targets chosen by this threat actor in the past.\r\nIn this blog, we describe our new findings in detail, including technical analysis of the attack chain and its components as well as the C2 infrastructure analysis.\r\nThreat attribution\r\nDarkHotel is an advanced persistent threat (APT) group based out of South Korea that has been active since at least 2007. They are known to target senior business executives by uploading malicious code to their computers through infiltrated hotel WiFi networks, as well as through spear-phishing and P2P attacks.\r\nWe attribute this attack chain to the Dark Hotel APT group with a high level of confidence for the following reasons:\r\n1. The multi-layer malicious document which drops a scriptlet post-exploitation.\r\n2. The filename of dropped file system artifacts such as the scriptlet file googleofficechk.sct.\r\n3. The command-and-control (C2) commands are the same as in earlier payloads used by Dark Hotel.\r\n4. Timestamps of the dropped payloads fall in the same timeframe in which previously documented Dark Hotel APT activity was observed.\r\nAttack flow\r\nFigure 1 below illustrates the full attack chain.\r\nhttps://www.zscaler.com/blogs/security-research/new-darkhotel-apt-attack-chain-identified\r\nPage 1 of 12\r\nFigure 1: Attack chain\r\nTechnical analysis\r\nFor the purpose of technical analysis we will consider the document with MD5 hash: 89ec1f32e1bbf794c41fa5f5bc6869c0\r\n[+] Stage 1: Malicious document\r\nThe first stage of this attack is a multi-layered malicious document which defines an AltChunk element to load an embedded DOCX file. The embedded DOCX file defines another AltChunk element which loads an embedded malicious RTF file. Figure 2 below shows one of the defined AltChunk elements and its corresponding relationship.\r\nFigure 2: AltChunk element and its corresponding relationship\r\nThe malicious RTF file contains three OLE objects as shown in Figure 3.\r\nFigure 3: OLE objects present inside malicious RTF\r\nWhen the RTF file is loaded, the three OLE objects are dropped in the %temp% directory with the names “p”, “b” and “googleofficechk.sct”. Out of these three dropped files, the scriptlet file (googleofficechk.sct) is executed; it is described in detail in the next section.\r\n[+] Stage 2: Scriptlet file\r\nSimilar to what has been described previously by Antiy Labs, the first operation performed by the scriptlet file is to send a Base64 encoded list of running processes to the configured C2 server. It sends a POST request to the URL “http://signing-config[.]com/cta/key.php” with DATA “L=G641giQQOWUiXE\u0026q={Base64 encoded list of running processes}”.\r\nThe subsequent operations performed by this scriptlet file differ from what has been observed in past attacks. The scriptlet file in our case performs the following operations:\r\n1. Checks if the directory “%LOCALAPPDATA%\\PeerDistRepub\\” exists, else creates it.\r\n2. Checks for the presence of the file “%LOCALAPPDATA%\\PeerDistRepub\\msrvcd32.exe”. If the file exists, it performs no further operations.\r\nNote: This file check is likely performed to detect if the machine is already infected, which also indicates that the threat actor used multiple variations while performing the attack.\r\n3. Releases the IP addresses bound to all DHCP-enabled network adapters.\r\n4. Copies the executable from “%temp%\\p” to “%LOCALAPPDATA%\\PeerDistRepub\\qq3104.exe”.\r\n5. Copies the executable from “%temp%\\b” to “%LOCALAPPDATA%\\PeerDistRepub\\qq2688.exe”.\r\n6. Creates a Zone.Identifier ADS (Alternate Data Stream) for each of the files copied above with the following content:\r\nZoneTransfer\r\nZoneId=1\r\nNote: ZoneId=1 is written to create the false evidence that the file was downloaded from the Intranet.\r\n7. Executes the binary “qq3104.exe”, whose functionality is described in detail in the next section.\r\n8. Renews the IPv4 address for the network adapters.\r\nFigure 4 below shows the relevant scriptlet code.\r\nFigure 4: Scriptlet code\r\n[+] Stage 3: Dropped binaries\r\n# qq3104.exe\r\nAs mentioned in the previous section, the binary qq3104.exe gets executed as part of the operations performed by the scriptlet file. This binary mainly performs three operations:\r\n1. Spoofs the process related information in the PEB structure to pretend to be explorer.exe.\r\nFigure 5: Code snippet responsible for PEB modification\r\n2. Performs a UAC bypass using the elevation moniker against the vulnerable COM interfaces {3E5FC7F9-9A51-4367-9063-A120244FBEC7} and {D2E7041B-2927-42fb-8E9F-7CE93B6DC937}.\r\n3. Executes the binary qq2688.exe.\r\n# qq2688.exe\r\nThis binary on execution checks if there is any running process with the name “360Tray.exe” or “QQPCTray.exe” and does some firewall checks. These process names correspond to security software popularly used in China.\r\nThe main operation performed by the binary is to register a Windows service which also serves as a persistence mechanism.\r\nTo register the Windows service, the binary creates the registry key “HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\X” and populates the service related registry values. Along with the service related registry values, two additional registry values are defined with the names “s” and “x” under the same registry key.\r\nBased on the service registry values, it is an auto start service which executes VBScript code using mshta.exe.\r\nFigure 6: Code snippet responsible for registering the Windows service\r\nThe VBScript code in turn executes an encoded PowerShell command which is shown in Figure 7 below.\r\nFigure 7: Decoded PowerShell command executed by VBScript code\r\n[+] Stage 4: PowerShell scripts\r\nThe PowerShell command which is executed as part of the service execution reads, decodes and executes the data stored under the registry value “HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\X\\s”.\r\nThe decoded data is a PowerShell script which executes another PowerShell command. The command is shown in Figure 8 below.\r\nFigure 8: Decoded PowerShell command executed by PowerShell script\r\nSimilar to the first PowerShell command, it also reads, decodes and executes the data stored under the registry value “HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\X\\x”.\r\nThe decoded data is an obfuscated PowerShell script which embeds an encoded .NET DLL. The .NET DLL is loaded and executed in memory from within the PowerShell script.\r\n[+] Stage 5: .NET DLL\r\nThe .NET DLL on analysis turns out to be the same downloader which is described in the Antiy blog. The only changes are in the configured C2 servers and the parameters which are used as part of network requests.\r\nInformation about the C2 servers is provided in the Indicators of compromise section, while the format for network requests is described below:\r\nRequest format for data exfiltration:\r\n{C2 server URL}?im={MAC address}\u0026mk=u\u0026ltc={victim information}\r\nOR\r\n{C2 server URL}?xt={MAC address}\u0026mk=u\u0026ltc={victim information}\r\nRequest format for payload download:\r\n{C2 server URL}?im={MAC address}\u0026mk=d\r\nOR\r\n{C2 server URL}?xt={MAC address}\u0026mk=d\r\n[+] C2 infrastructure analysis\r\nWe analyzed the C2 infrastructure related to the IP address of the server hosting the domain signing-config[.]com. This domain was configured in the stage-2 scriptlet file and used to exfiltrate system information to the C2 server.\r\nIP address = 23.111.184[.]119\r\nLeveraging passive DNS data, we identified several domains hosted on the server with the above IP address and noticed a pattern in the domain names. A lot of domains were created to spoof the names of organizations in China related to the government, education, and political think tanks.\r\nBelow are a few examples summarized in a table:\r\nDomain name | Target spoofed\r\nwww.onlinesurvey.register.moe.edu.cn[.]serviceneteasse.com | Ministry of Education, China\r\nwww.preview.maiil.caict.ac.cn.coremailxt[.]serviceneteasse.com | Political think tanks of China\r\nwww.prevwdoc.mofcom.gov.cn.loginwebbauthh[.]serviceneteasse.com | Beihang University in China\r\nwww.compliance.maill.buaa.edu.cn.coremailxt[.]serviceneteasse.com | Ministry of Commerce, China\r\nwww.compliance.maill.hit.edu.cn[.]coremailxt.serviceneteasse.com | Harbin Institute of Technology\r\nsecureattch.nudt.edu.cn[.]coremailxt.serviceneteasse.com | National University of Defence and Technology\r\nIn addition to this, we also identified several newly registered domains on this server which are used to spoof cryptocurrency projects popularly used in China, such as the Deeper network.\r\nThe domain deepersbot[.]network was registered by the threat actor to spoof the legitimate domain deeper[.]network.\r\nFigure 9: Phishing website\r\nThe fake domain asks users to validate their wallet on the main page and presents them an option to choose from a wide variety of popularly used cryptocurrency wallets.\r\nFigure 10: Wallet options provided on the phishing website\r\nOnce the user chooses the wallet type, they are redirected to a page which prompts them to share their private key.\r\nFigure 11: Page asking for user private key information\r\nIt uses one of the following three ways:\r\nPhrase: A 12 or 24 word recovery phrase which can be used to restore the private key and steal the funds.\r\nJSON file: A password-protected JSON file which stores the encrypted private key.\r\nPrivate key: The private key itself.\r\nThe table below summarizes the list of registered domains which use social engineering to steal the private keys of users' cryptocurrency wallets:\r\nDate registered | Domain name\r\n13th Nov 2021 | dappconnectmainbott[.]org\r\n13th Nov 2021 | deepersbot[.]network\r\n5th Nov 2021 | www.walletauthenticatorbot[.]net\r\n2nd Nov 2021 | dapp-connect[.]org\r\nZscaler Cloud Sandbox report\r\nFigure 12: Zscaler Cloud Sandbox detection\r\nIndicators of compromise\r\n[+] Hashes\r\nMD5 | Description\r\n89ec1f32e1bbf794c41fa5f5bc6869c0 | Document\r\n[+] C2 Domains\r\nsigning-config[.]com\r\nsvcstat[.]com\r\nrelay-server[.]com\r\n[+] C2 URLs\r\nComponent | URL\r\nScriptlet file | http://signing-config[.]com/cta/key.php\r\n.NET backdoor | http://svcstat[.]com/policy/v2.php?im=\r\n.NET backdoor | http://relay-server[.]com/mint/mvv.php?xt=\r\n[+] File system artifacts\r\n# Dropped binaries\r\n%LOCALAPPDATA%\\PeerDistRepub\\qq3104.exe\r\n%LOCALAPPDATA%\\PeerDistRepub\\qq2688.exe\r\n%TEMP%\\p\r\n%TEMP%\\b\r\n# Scriptlet file\r\n%TEMP%\\googleofficechk.sct\r\n[+] Registry artifacts\r\nRegistry Key: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\X\r\nRegistry Values:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\X\\s\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\X\\x\r\nSource: https://www.zscaler.com/blogs/security-research/new-darkhotel-apt-attack-chain-identified",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/new-darkhotel-apt-attack-chain-identified"
	],
	"report_names": [
		"new-darkhotel-apt-attack-chain-identified"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446539,
	"ts_updated_at": 1775791798,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e78745a86e78dc7e5bd92e9cd41bf16f390a05b7.pdf",
		"text": "https://archive.orkl.eu/e78745a86e78dc7e5bd92e9cd41bf16f390a05b7.txt",
		"img": "https://archive.orkl.eu/e78745a86e78dc7e5bd92e9cd41bf16f390a05b7.jpg"
	}
}