{
	"id": "869e3b19-e268-41fa-a523-d4bbe3e92aaa",
	"created_at": "2026-04-06T00:18:05.473082Z",
	"updated_at": "2026-04-10T03:26:46.31748Z",
	"deleted_at": null,
	"sha1_hash": "e79ae483f0b8148d3e0094490a2765c845d0ed99",
	"title": "Recent Watering Hole Attacks Attributed to APT Group “th3bug” Using Poison Ivy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 190822,
	"plain_text": "Recent Watering Hole Attacks Attributed to APT Group “th3bug” Using Poison Ivy\r\nBy Jen Miller-Osborn, Ryan Olson\r\nPublished: 2014-09-19 · Archived: 2026-04-05 18:29:51 UTC\r\nWe’ve uncovered some new data and likely attribution regarding a series of APT watering hole attacks this past summer. Watering hole attacks are an increasingly popular component of APT campaigns, as many people are more aware of spear phishing and are less likely to open documents or click on links in unsolicited emails. Watering hole attacks offer a much better chance of success because they involve compromising legitimate websites and installing malware intended to compromise website visitors. These are often popular websites frequented by people who work in specific industries or have political sympathies to which the actors want to gain access.\r\nThe attacks discussed in this blog are related to an APT campaign commonly referred to as “th3bug”, named for the password the actors often use with their Poison Ivy malware. Of note, only the older of the samples we cover in this blog used that password. We don’t know the reason the actors changed this, but it could possibly be in reaction to information widely published on the Internet about their activities, which use that password as a key component to tie the activity together. FireEye in particular published a paper describing several APT campaigns whose activity they correlate using Poison Ivy passwords.\r\nIn contrast to many other APT campaigns, which tend to rely heavily on spear phishing to gain victims, “th3bug” is known for compromising legitimate websites their intended visitors are likely to frequent. Over the summer they compromised several sites, including a well-known Uyghur website written in that native language.\r\nWhile we were unable to recover the initial vulnerability used, it is possibly the same CVE-2014-0515 Adobe Flash exploit first reported by Cisco TRAC in late July. We cannot confirm the initial compromised sites, but we noted traffic to several known redirect sites and the malware was configured to use the same command and control (C2) server.\r\nIn addition, the download dates of many of our files pre-date those noted by Cisco by only a few days. All of the malware samples were variants of the Poison Ivy Remote Administration Tool (RAT) and were properly identified as such by our WildFire platform. The targets of the attack were:\r\nUyghur sympathizers\r\nAn East Asian office for a major US-based computer manufacturer\r\nA major US university\r\nAn international wholesale and retail telecom provider\r\nWe saw the first sample on July 14, 2014. This sample had an interesting PDB string, C:\\Users\\sophie\\documents\\visual studio 2010\\Projects\\init\\Release\\init.pdb, with a time date string that exactly matched the PE timestamp of 11 July, 2014.\r\nhttps://unit42.paloaltonetworks.com/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/\r\nPage 1 of 5\r\nTable 1\r\nSHA256 ba509a1d752f3165dc2821e0b1c6543c15988fd7abd4e56c6155de09d1640ce9\r\nMD5 18ad696f3459bf47f97734f2f14506e3\r\nFile Name diff.exe\r\nFile Size 97280\r\nFirst Seen 2014-07-14 13:55:36\r\nDownload URL www.npec.com .tw/flash/diff.exe\r\nResolution 203.69.42.22\r\nC2 Domain diff.qohub.info\r\nResolution 115.23.172.151\r\nThe next day we collected several copies of the same malware intended for the same industry. They were downloaded from one of the download URLs in the table below, but all had the same MD5 and C2 domain.\r\nTable 2\r\nSHA256 9d149baceaaff2a67161fec9b8978abc22f0a73a1c8ce87edf6e2fb673ac7374\r\nMD5 1ea41812a0114e5c6ae76330e7b4af69\r\nFile Name diff.exe\r\nFile Size 126976\r\nFirst Seen 2014-07-15 18:22:25\r\nDownload URLs www.aanon.com .tw/flash/diff.exe\r\nwww.npec.com .tw/flash/diff.exe\r\nuyghurweb .net/player/gmuweb.exe\r\nResolution 203.69.42.22\r\nC2 Domain diff.qohub.info\r\nResolution 115.23.172.151\r\nOn July 16 WildFire picked up a malicious executable hosted on uyghurweb.net, a legitimate Uyghur website that was compromised to infect users. The file was named “PYvBte.jar” but was actually a Windows executable. The file has the characteristics listed in Table 3, and appears to be a stand-alone executable version of the Metasploit Meterpreter shell. When this file runs, it downloads a payload from uyghurweb.net/player/gmuweb.exe and executes it. This file is the same Poison Ivy RAT described in Table 2.\r\nThe Meterpreter payload masquerades as a copy of the ApacheBench tool made by the Apache Software Foundation.\r\nTable 3\r\nSHA256 ccfe61a28f35161c19340541dfd839075e31cd3b661f0936a4c667d805a65136\r\nMD5 7b0cb4d14d3d8b6ccc7453f7ddb33997\r\nFile Name PYvBte.jar\r\nFile Size 73802\r\nFirst Seen 2014-07-16 01:42:24\r\nDownload URL uyghurweb .net/player/PYvBte.jar\r\nOn 21 July, we detected another sample that was noted in the Cisco TRAC blog. The initial download URL and IP resolution were different from the previous samples, but the C2 domain and resolution matched. This file is also a Poison Ivy variant.\r\nTable 4\r\nSHA256 7f39e5b9d46386dd8142ef40ae526343274bdd5f27e38c07b457d290a277e807\r\nMD5 efad656db0f9cc92b1e15dc9c540e407\r\nFile Name setup.exe\r\nFile Size 126976\r\nFirst Seen 2014-07-21 05:09:56\r\nDownload URL www.ep66.com .tw/setup.exe\r\nResolution 203.69.42.23\r\nC2 Domain app.qohub.info\r\nResolution 115.23.172.151\r\nBased on historical IP resolution overlaps between the above C2 domains and other domains that have also resolved to the same IPs, we found an additional sample from the beginning of this year.\r\nInterestingly, the first sample was not logged in VirusTotal prior to our submission, despite the sample having been in use in the wild for at least seven months. In addition, it is the only sample tied to this activity we found that used the Poison Ivy password “th3bug”. AVAST wrote a blog related to the activity we describe here and tied a file with the same name, but the sample we found doesn’t match any other details of the file they documented. Also of note, the IP resolution for this C2 domain was changed to match the IP resolution of the C2 domains used in the July activity only a few days after these samples were seen. Additionally, the file’s PE timestamp was January 21, the day before we detected the sample. Targeted industries for this series are listed below.\r\nAnother international wholesale and retail telecom provider\r\nA major visual computing company headquartered in the US\r\nA state-owned East Asian financial services company\r\nTable 5\r\nSHA256 e3d02e5f69d3c2092657d64c39aa0aea2a16ce804a47f3b5cf44774cde3166fe\r\nMD5 0cabd6aec2555e64bdf39320f338e027\r\nFile Name AppletLow.jar\r\nFile Size 53248\r\nFirst Seen 2014-01-22 18:47:03\r\nDownload URL 140.112.158 .132/phpmyadmin/test/AppletLow.jar\r\nC2 Domain 2014year.qpoe .com\r\nResolution 192.168.1.3\r\nWatering hole attacks will continue to be popular with APT campaigns, as they are much harder to defend against than spear phishing attacks. There is no way for people browsing to these websites to know in advance that the normally trusted website has been compromised and will serve them malware when they visit it.\r\nEnsuring web browsers and operating system software are fully patched and up-to-date is the best way to defend against this type of threat. However, to increase success rates APT campaigns can use zero-day exploits, so even a properly patched system can be compromised. Palo Alto Networks users should use our firewall’s ability to block executable downloads unless the user specifically authorizes it. If you want to allow executables through but prefer that they be analyzed for malicious activity, use our WildFire platform, which correctly identified all of the files listed in this blog as malware and provides users with a full report on the sample’s host- and network-based activities.\r\nSource: https://unit42.paloaltonetworks.com/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/"
	],
	"report_names": [
		"recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy"
	],
	"threat_actors": [
		{
			"id": "5d512e7c-f6a7-47b5-b440-4968c299deaf",
			"created_at": "2023-01-06T13:46:38.344772Z",
			"updated_at": "2026-04-10T02:00:02.9359Z",
			"deleted_at": null,
			"main_name": "APT20",
			"aliases": [
				"VIOLIN PANDA",
				"TH3Bug",
				"Crawling Taurus"
			],
			"source_name": "MISPGALAXY:APT20",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dd583696-3de6-4c23-bfb6-e675a38a7000",
			"created_at": "2022-10-25T16:07:23.338398Z",
			"updated_at": "2026-04-10T02:00:04.548798Z",
			"deleted_at": null,
			"main_name": "APT 20",
			"aliases": [
				"APT 20",
				"APT 8",
				"Crawling Taurus",
				"Operation Wocao",
				"TH3Bug",
				"Violin Panda"
			],
			"source_name": "ETDA:APT 20",
			"tools": [
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Filesnfer",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"KeeThief",
				"Kerberoast",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PlugX",
				"Poison Ivy",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SMBExec",
				"SPIVY",
				"SharpHound",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WinRAR",
				"XServer",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434685,
	"ts_updated_at": 1775791606,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e79ae483f0b8148d3e0094490a2765c845d0ed99.pdf",
		"text": "https://archive.orkl.eu/e79ae483f0b8148d3e0094490a2765c845d0ed99.txt",
		"img": "https://archive.orkl.eu/e79ae483f0b8148d3e0094490a2765c845d0ed99.jpg"
	}
}