{
	"id": "f8f7dda2-a878-4174-a340-4ed699c442cf",
	"created_at": "2026-04-06T00:10:19.272947Z",
	"updated_at": "2026-04-10T03:32:27.393291Z",
	"deleted_at": null,
	"sha1_hash": "ea7f8a913769deef17dc6f6fecb583a4abd994b9",
	"title": "Endpoint Protection - Symantec Enterprise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 285633,
	"plain_text": "Endpoint Protection - Symantec Enterprise\r\nArchived: 2026-04-05 15:35:10 UTC\r\nIn March 2016, Symantec published a blog on Suckfly, an advanced cyberespionage group that conducted attacks\r\nagainst a number of South Korean organizations to steal digital certificates. Since then we have identified a\r\nnumber of attacks over a two-year period, beginning in April 2014, which we attribute to Suckfly. The attacks\r\ntargeted high-profile targets, including government and commercial organizations. These attacks occurred in\r\nseveral different countries, but our investigation revealed that the primary targets were individuals and\r\norganizations located in India.\r\nWhile there have been several Suckfly campaigns that infected organizations with the group’s custom malware\r\nBackdoor.Nidiran, the Indian targets show a greater amount of post-infection activity than targets in other regions.\r\nThis suggests that these attacks were part of a planned operation against specific targets in India.\r\nCampaign activity in India\r\nThe first known Suckfly campaign began in April of 2014. During our investigation of the campaign, we\r\nidentified a number of global targets across several industries who were attacked in 2015. Many of the targets we\r\nidentified were well-known commercial organizations located in India. 
These organizations included:\r\nOne of India's largest financial organizations\r\nA large e-commerce company\r\nThe e-commerce company's primary shipping vendor\r\nOne of India's top five IT firms\r\nA United States healthcare provider's Indian business unit\r\nTwo government organizations\r\nhttps://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7a60af1f-7786-446c-976b-7c71a16e9d3b\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments\r\nPage 1 of 7\n\nSuckfly spent more time attacking the government networks compared to all but one of the commercial targets.\r\nAdditionally, one of the two government organizations had the highest infection rate of the Indian targets. Figure 1\r\nshows the infection rate for each of the targets.\r\nFigure 1. Infection rates of Indian targets\r\nIndian government org #2 is responsible for implementing network software for different ministries and\r\ndepartments within India's central government. The high infection rate for this target is likely because of its access\r\nto technology and information related to other Indian government organizations.\r\nSuckfly's attacks on government organizations that provide information technology services to other government\r\nbranches are not limited to India. It has conducted attacks on similar organizations in Saudi Arabia, likely because\r\nof the access that those organizations have.\r\nSuckfly's targets are displayed in Figure 2 by their industry, which provides a clearer view of the group’s\r\noperations. Most of the group's attacks are focused on government or technology-related companies and\r\norganizations.\r\nFigure 2. 
Suckfly victims, by industry\r\nSuckfly attack lifecycle\r\nOne of the attacks we investigated provided detailed insight into how Suckfly conducts its operations. In 2015,\r\nSuckfly conducted a multistage attack between April 22 and May 4 against an e-commerce organization based in\r\nIndia. Similar to its other attacks, Suckfly used the Nidiran back door along with a number of hacktools to infect\r\nthe victim's internal hosts. The tools and malware used in this breach were also signed with stolen digital\r\ncertificates. During this time the following events took place:\r\nFigure 3. Suckfly attack lifecycle\r\n1. Suckfly's first step was to identify a user to target so the attackers could attempt their initial breach into the\r\ne-commerce company's internal network. We don't have hard evidence of how Suckfly obtained\r\ninformation on the targeted user, but we did find a large open-source presence on the initial target. The\r\ntarget's job function, corporate email address, information on work related projects, and publicly accessible\r\npersonal blog could all be freely found online.\r\n \r\n2. On April 22, 2015, Suckfly exploited a vulnerability on the targeted employee's operating system\r\n(Windows) that allowed the attackers to bypass the User Account Control and install the Nidiran back door\r\nto provide access for their attack. While we know the attackers used a custom dropper to install the back\r\ndoor, we do not know the delivery vector. Based on the amount of open-source information available on\r\nthe target, it is feasible that a spear-phishing email may have been used.\r\n \r\n3. 
After the attackers successfully exploited the employee’s system, they gained access to the e-commerce\r\ncompany's internal network. We found evidence that Suckfly used hacktools to move laterally and escalate\r\nprivileges. To do this the attackers used a signed credential-dumping tool to obtain the victim's account\r\ncredentials. With the account credentials, the attackers were able to access the victim's account and\r\nnavigate the internal corporate network as though they were the employee.\r\n \r\n4. On April 27, the attackers scanned the corporate internal network for hosts with ports 8080, 5900, and 40\r\nopen. Ports 8080 and 5900 are common ports used with legitimate protocols, but can be abused by\r\nattackers when they are not secured. It isn't clear why the attackers scanned for hosts with port 40 open\r\nbecause there isn't a common protocol assigned to this port. Based on Suckfly scanning for common ports,\r\nit’s clear that the group was looking to expand its foothold on the e-commerce company's internal network.\r\n \r\n5. The attackers’ final step was to exfiltrate data off the victim’s network and onto Suckfly’s infrastructure.\r\nWhile we know that the attackers used the Nidiran back door to steal information about the compromised\r\norganization, we do not know if Suckfly was successful in stealing other information.\r\nThese steps were taken over a 13-day period, but only on specific days. While tracking what days of the week\r\nSuckfly used its hacktools, we discovered that the group was only active Monday through Friday. There was no\r\nactivity from the group on weekends. 
We were able to determine this because the attackers’ hacktools are\r\ncommand line driven and can provide insight into when the operators are behind keyboards actively working.\r\nFigure 4 shows the attackers’ activity levels throughout the week.\r\nFigure 4. Signed hacktools in use against targets, by day\r\nThis activity supports our theory, mentioned in the previous Suckfly blog, that this is a professional organized\r\ngroup.\r\nSuckfly's command and control infrastructure\r\nSuckfly made its malware difficult to analyze to prevent their operations from being detected. However, we were\r\nable to successfully analyze Suckfly malware samples and extract some of the communications between the\r\nNidiran back door and the Suckfly command and control (C\u0026C) domains.\r\nWe analyzed the dropper, which is an executable that contains the following three files:\r\n1. dllhost.exe: The main host for the .dll file\r\n2. iviewers.dll: Used to load encrypted payloads and then decrypt them\r\n3. msfled: The encrypted payload\r\nAll three files are required for the malware to run correctly. Once the malware has been executed, it checks to see\r\nif it has a connection to the internet before running. If the connection test is successful, the malware runs and\r\nattempts to communicate with the C\u0026C domain over ports 443 and 8443. In the samples we analyzed we found\r\nthe port and C\u0026C information encrypted and hardcoded into the Nidiran malware itself. 
The Nidiran back door\r\nmade the following initial communication request to the Suckfly C\u0026C domain:\r\nGET /gte_ok0/logon.php HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR\r\n1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152;\r\n.NET CLR 3.5.30729)\r\nHost: REDACTED\r\nConnection: Keep-Alive\r\nCookie:\r\ndfe6=OIAXUNXWn9CBmFBqtwEEPLzwRGmbMoNR7C0nLcHYa+C1tb4fp7ydcZSmVZ1c4akergWcQQ==\r\nThe interesting information being transmitted to the C\u0026C server in the initial request is located in the cookie\r\nwhich is comprised of the following:\r\n[COOKIE NAME]=[RC4 ENCRYPTED + B64 ENCODED DATA FROM VICTIM]\r\nThe key for the RC4 encryption in this sample is the hardcoded string “h0le”. Once the cookie data is decoded,\r\nSuckfly has the network name, hostname, IP address, and the victim's operating system information.\r\nInformation about the C\u0026C infrastructure identified in our analysis of Suckfly activity can be seen in Table 1.\r\nDomain Registration IP address Registration date\r\naux.robertstockdill[.]com kumar.pari@yandex[.]com Unknown April 1, 2014\r\nssl.2upgrades[.]com kumar.pari@yandex[.]com 176.58.96.234 July 5, 2014\r\nbss.pvtcdn[.]com registrar@mail.zgsj[.]com 106.184.1.38 May 19, 2015\r\nssl.microsoft-security-center[.]com Whoisguard Unknown July 20, 2015\r\nusv0503.iqservs-jp[.]com Domain@quicca[.]com 133.242.134.121 August 18, 2014\r\nfli.fedora-dns-update[.]com Whoisguard Unknown Unknown\r\nTable 1. 
Suckfly C\u0026C infrastructure information\r\nConclusion\r\nSuckfly targeted one of India’s largest e-commerce companies, a major Indian shipping company, one of India’s\r\nlargest financial organizations, and an IT firm that provides support for India’s largest stock exchange. All of these\r\ntargets are large corporations that play a major role in India’s economy. By targeting all of these organizations\r\ntogether, Suckfly could have had a much larger impact on India and its economy. While we don't know the\r\nmotivations behind the attacks, the targeted commercial organizations, along with the targeted government\r\norganizations, may point in this direction.\r\nSuckfly has the resources to develop malware, purchase infrastructure, and conduct targeted attacks for years\r\nwhile staying off the radar of security organizations. During this time they were able to steal digital certificates\r\nfrom South Korean companies and launch attacks against Indian and Saudi Arabian government organizations.\r\nThere is no evidence that Suckfly gained any benefits from attacking the government organizations, but someone\r\nelse may have benefited from these attacks.\r\nThe nature of the Suckfly attacks suggests that it is unlikely that the threat group orchestrated these attacks on\r\ntheir own. 
We believe that Suckfly will continue to target organizations in India and similar organizations in other\r\ncountries in order to provide economic insight to the organization behind Suckfly's operations.\r\nProtection\r\nSymantec has the following detections in place to protect against Suckfly’s malware:\r\nAntivirus\r\nBackdoor.Nidiran\r\nBackdoor.Nidiran!g1\r\nHacktool\r\nExp.CVE-2014-6332\r\nIntrusion prevention system\r\nWeb Attack: Microsoft OleAut32 RCE CVE-2014-6332\r\nWeb Attack: Microsoft OleAut32 RCE CVE-2014-6332 2\r\nWeb Attack: Microsoft OleAut32 RCE CVE-2014-6332 4\r\nWeb Attack: OLEAUT32 CVE-2014-6332 3\r\nSystem Infected: Trojan.Backdoor Activity 120\r\nSource: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7a60af1f-7786-446c-976b-7c71a16e9d3b\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7a60af1f-7786-446c-976b-7c71a16e9d3b\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"report_names": [
		"viewdocument?DocumentKey=7a60af1f-7786-446c-976b-7c71a16e9d3b\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"threat_actors": [
		{
			"id": "aada2650-7bef-45e4-8371-18c4318a7056",
			"created_at": "2022-10-25T15:50:23.422502Z",
			"updated_at": "2026-04-10T02:00:05.278662Z",
			"deleted_at": null,
			"main_name": "Suckfly",
			"aliases": [
				"Suckfly"
			],
			"source_name": "MITRE:Suckfly",
			"tools": [
				"Nidiran"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a4a3c2a4-992d-4ce6-8c97-e39b23da9a26",
			"created_at": "2022-10-25T16:07:24.242051Z",
			"updated_at": "2026-04-10T02:00:04.909353Z",
			"deleted_at": null,
			"main_name": "Suckfly",
			"aliases": [
				"G0039"
			],
			"source_name": "ETDA:Suckfly",
			"tools": [
				"Backdoor.Nidiran",
				"Nidiran",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"gsecdump",
				"smbscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7b039cc0-33b6-495a-b4ca-649d096b993d",
			"created_at": "2023-01-06T13:46:38.482654Z",
			"updated_at": "2026-04-10T02:00:02.99265Z",
			"deleted_at": null,
			"main_name": "APT22",
			"aliases": [
				"G0039",
				"Suckfly",
				"BRONZE OLIVE",
				"Group 46"
			],
			"source_name": "MISPGALAXY:APT22",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1d63fba2-f042-41ca-8a72-64c6e737d295",
			"created_at": "2025-08-07T02:03:24.643647Z",
			"updated_at": "2026-04-10T02:00:03.719558Z",
			"deleted_at": null,
			"main_name": "BRONZE OLIVE",
			"aliases": [
				"APT22 ",
				"Barista",
				"Group 46 ",
				"Suckfly "
			],
			"source_name": "Secureworks:BRONZE OLIVE",
			"tools": [
				"Angryrebel",
				"DestroyRAT",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434219,
	"ts_updated_at": 1775791947,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ea7f8a913769deef17dc6f6fecb583a4abd994b9.pdf",
		"text": "https://archive.orkl.eu/ea7f8a913769deef17dc6f6fecb583a4abd994b9.txt",
		"img": "https://archive.orkl.eu/ea7f8a913769deef17dc6f6fecb583a4abd994b9.jpg"
	}
}