{
	"id": "f2893b3b-f718-4bf0-9e97-b1d563f937ad",
	"created_at": "2026-04-06T00:10:57.369271Z",
	"updated_at": "2026-04-10T03:35:10.784276Z",
	"deleted_at": null,
	"sha1_hash": "ebfda0e6fa14e173ec63d10b7d616d453cf18bb0",
	"title": "New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 194080,
	"plain_text": "New APT Group Earth Berberoka Targets Gambling Websites\r\nWith Old and New Malware\r\nBy By: Daniel Lunghi, Jaromir Horejsi Apr 27, 2022 Read time: 10 min (2664 words)\r\nPublished: 2022-04-27 · Archived: 2026-04-05 17:55:24 UTC\r\nWe recently found a new advanced persistent threat (APT) group that we have dubbed Earth Berberoka (aka\r\nGamblingPuppet). This APT group targets gambling websites on Windows, macOS, and Linux platforms using\r\nold and new malware families.\r\n \r\nWe recently discovered a new advanced persistent threat (APT) group that we have dubbed Earth Berberoka (aka\r\nGamblingPuppet). Based on our analysis, this group targets gambling websites. Our investigation has also\r\nuncovered that Earth Berberoka targets the Windows, Linux, and macOS platforms, and uses malware families\r\nthat have been historically attributed to Chinese-speaking individuals.\r\nIn this blog entry, we provide an overview of the Windows malware families used by Earth Berberoka in its\r\ncampaign. This malware lineup includes tried-and-tested malware families that have been upgraded, such as\r\nPlugX and Gh0st RAT, and a brand-new multistage malware family that we have dubbed PuppetLoader.\r\nWe discuss the full technical details of Earth Berberoka’s malware families aimed at Linux and macOS as well as\r\nWindows, infection vectors, targets, and possible connections with other APT groups in our research paper\r\n“Operation Earth Berberoka: An Analysis of a Multivector and Multiplatform APT Campaign Targeting Online\r\nGambling Sites.”\r\nTechnical analysis\r\nPuppetLoader\r\nWe discovered a new malware family that we have dubbed PuppetLoader. 
It is a complex, five-stage malware\r\nfamily that uses some interesting techniques, including hijacking loaded modules to launch malicious code and\r\nhiding malicious payloads and modules in modified bitmap image (BMP) files.\r\nStage 1: Obfuscator and loader\r\nIncorrect RC4 implementation\r\nIn this stage, a blob of payload data is decrypted using a hard-coded key (2726c6aea9970bb95211304705b5f595)\r\nand what appears to be an RC4 (Rivest Cipher 4) algorithm. However, the cipher’s “swap” operation in the\r\npseudorandom generation part of the cipher code was improperly implemented. This resulted in the proper\r\nencryption of only the headers and the first few sections of the payload, while the latter sections were left almost\r\nentirely in clear text.\r\nhttps://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html\r\nPage 1 of 11\n\nIt seems that this hard-coded key and flawed RC4 implementation were also used in a malware family named\r\nTigerPlug, probably so called because it spreads the PlugX malware. We found no public reporting of its behavior and\r\nfeatures.\r\nHijacking loaded module\r\nAfter the payload is decrypted, it is loaded in the machine’s memory and is executed using a stealthy method:\r\nPuppetLoader starts by loading a legitimate DLL from the Windows\\System32 directory. The loading process is\r\nthen hijacked to replace the legitimate library with a malicious one. This is done by hooking NTDLL APIs such as\r\nNtQueryAttributesFile, NtOpenFile, NtCreateSection, NtMapViewOfSection, NtQuerySection, and ZwClose. 
\r\nThe loader uses undocumented NTDLL APIs, such as RtlPushFrame, RtlPopFrame, and RtlGetFrame, to avoid\r\nrecursive hooking, which happens when a hooked function indirectly calls itself.\r\nTo properly load the malicious payload, a frame tagged as “LDFM” is allocated and filled with the necessary\r\nparameters, such as the memory addresses of file names and the handles or addresses of allocated buffers that contain the\r\nmalicious payload. After their values are identified, some parameters are set immediately, while others are set at a\r\nlater time.\r\nFigure 1. LDFM loading frame\r\nLdrLoadDll is then called to load the legitimate asycfilt.dll library. Afterward, the previously hooked API functions are\r\ncalled, resulting in the loaded DLL name being replaced with lz32.dll, which is also a legitimate DLL. The content of\r\nthis legitimate DLL is then replaced with the malicious payload inside the hooked NtMapViewOfSection\r\nfunction.\r\nThen, the LdrLoadDll function rebases the newly loaded malicious image and loads all of the needed\r\ndependencies. The malware no longer needs the frame once the handle is returned from the LdrLoadDll function,\r\nwhich is why it pops the frame by calling RtlPopFrame, unhooks the previously hooked functions, and verifies\r\nwhether the loading was successful by calling GetModuleHandleW (asycfilt.dll).\r\nThe malware then dynamically resolves the export function called Install and sets the parameter value to\r\n“11BF29E1371C0D83C530BD1BF346”, which decrypts to a function called OneTime. 
For its command-line\r\nparameters, PuppetLoader uses the same flawed RC4 implementation with the password “whk0q9ogev6ofg8d”.\r\nThese hijacking steps result in the following:\r\nThe loaded asycfilt.dll module can be seen by parsing the PEB_LDR_DATA structure that contains all\r\nloaded modules in the current process.\r\nFigure 2. asycfilt.dll shown among loaded module names\r\nAccording to process monitoring tools, lz32.dll is opened.\r\nFigure 3. lz32.dll shown among opened files\r\nOnly PuppetLoader’s dropper payload is loaded, and none of the previously mentioned libraries is actually\r\nloaded.\r\nStage 2: Dropper\r\nThe dropper creates and drops several files on an infected machine.\r\nFile | Function\r\nCPuppetProcessFileSharer | Used for sharing data during the different infection stages\r\nConfig.ini | Saves the execution reason and the globally unique identifier (GUID) value based on ComputerName\r\nMSVCPX00.dll | DLL file of BasicLoader\r\nverisign.bmp | BMP file with encrypted Core\r\nbitmap.bmp | BMP file with encrypted Client.MainConsole\r\nTable 1. The files created and dropped by the dropper\r\nThe hard-coded GUID ({78106D5F-CD1A-A8C4-A625-6863092B4BBA}) is inserted into\r\nCPuppetProcessFileSharer (C:\\Users\\Public\\Pictures\\Desktop.inf). 
We believe that it serves as a marker that\r\nstage 2 has been completed.\r\nConfig.ini (C:\\Users\\Public\\Videos\\Config.ini) contains the GUID and the reason, which is the hard-coded value\r\n“StartupBasicLoader” encrypted using a key (whk0q9ogev6ofg8d).\r\nsvchost.exe is started in suspended mode with this command-line parameter:\r\n“-cmd -NoModuleLoadDLL -DisplayName=KeepAuthority.Client.MainConsole.x64.Release -InvokeMethodName=Run -InokeMethodParam=NULL”\r\nThis is also encrypted with the previously mentioned key, and a new thread is created within svchost.exe to make\r\nit load the BasicLoader payload, MSVCPX00.dll. It is interesting to note that there is a typographical error in\r\n“-InokeMethodParam.”\r\nStage 3: BasicLoader\r\nThe BasicLoader stage starts by adding a hard-coded GUID ({78106D5F-CD1A-A8C4-A625-6863092B4BBA})\r\ninto CPuppetProcessFileSharer. As with stage 2, we believe that this is likely a marker that stage 3 has started\r\nrunning.\r\nBasicLoader searches for BMP files across directories in Users\\Public (Desktop, Documents, Downloads, Music,\r\nPictures, and Videos). It checks each directory for BMP files that match the required structure. For the BMP\r\nfiles that do, the payload appended to the BMP file is decrypted, loaded into memory, and executed. The BMP file\r\nis made up of only 33 x 11 pixels and 338 bytes, and the data appended to it is the payload, encrypted with\r\nthe same flawed RC4 implementation.\r\nFigure 4. A small BMP file, to which encrypted payloads are appended\r\nStage 4: Core\r\nThis stage begins when a hard-coded GUID ({7D8DA9DC-1F3B-2E5C-AA59-9418E652E4AA}) is added to\r\nCPuppetProcessFileSharer. 
Similar to the other stages, this is likely a marker that stage 4 has started running.\r\nAfter this, the malware starts a system logger thread, where the logged information is received via a pipe and is\r\nsaved to a file with a hard-coded name. The logged information can come from other modules or processes. Based\r\non our analysis, each log file entry is separated by a separator (0xAABBCCDD), followed by a custom RC4\r\npassword and the message length.\r\nThe decrypted log can include the following information:\r\nThe module that was run\r\nThe parameters with which this module was run\r\nAt which stage (GUID from CPuppetProcessFileSharer) the action was performed\r\nFigure 5. Decrypted log from Core\r\nThe following command-line arguments are also implemented during this stage:\r\n-DisplayName\r\n-InokeMethodParam (sic)\r\n-InvokeMethodName\r\n-NoModuleLoadDLL\r\n-LoadShellcode\r\nWhile the other arguments are mostly self-explanatory, we highlight two arguments worth noting:\r\n-NoModuleLoadDLL uses the same technique as the stage 1 loader, and -LoadShellcode allocates a memory block,\r\ncopies shellcode into it, and executes it.\r\nStage 5: Client.MainConsole\r\nThis is the main client binary, written in C++, which is the last stage of PuppetLoader’s infection chain.\r\nThe code is structured in several classes that handle different tasks, such as managing the interactive shell,\r\nuploading and downloading files, installing new modules, monitoring victim behavior, and executing callback\r\nfunctions when conditions are met.\r\nCPipeCmdManager – interactive shell manager\r\nArguments:\r\n-flushusersession\r\n-createcmd\r\n-destorycmd (sic)\r\n-excutecmd\r\n-cmdkeepalive\r\nCommonLib::CcmdMulArgDecoder – command-line argument decoder, additional module related to\r\ncommand-line 
arguments\r\nArguments:\r\n-ModuleLog\r\n-LogText\r\n-ModuleID\r\n-ModuleVersion\r\n-MountStatus\r\n-Path\r\n-IsDelete\r\n-ModuleKeepAlive\r\n-UploadFile\r\nThe client then establishes communication with a command-and-control (C\u0026C) server via UDP (User Datagram\r\nProtocol) and recognizes different types of custom UDP packets:\r\nUDP packet | Description\r\nRemoteModuleCommandPacket | Command to be executed by the interactive shell\r\nRemoteModuleCommandResultPacket | Result of running a shell command\r\nFileTransferContent_Packet | Determines whether to upload or download a file\r\nUploadFilePacket | Uploaded file content\r\nFileManage_FolderContent_Packet | Folder content\r\nVecProcessPacket | Vector object with running processes\r\nInstallModulePacket | BMP with encrypted module to be installed\r\nRemoteClientSystemInfoPacket | Sent by the login callback every time a new user logs in\r\nModuleKeepAlivePacket | Tells the C\u0026C server that the connection is still alive\r\nTable 2. The custom UDP packets recognized by the client\r\nThe backdoor functions implemented in the main client are:\r\nInteractive shell\r\nUpload file\r\nDownload file\r\nList files\r\nTerminate process\r\nList processes\r\nInstall module\r\nLogin callback\r\nEnumerate RDP sessions\r\nThe communication protocol via UDP uses the same RC4 encryption. A sent and/or received packet contains a 16-byte RC4 key and the length of an RC4-encrypted payload, followed by another packet with the encrypted\r\npayload itself.\r\noRAT\r\nAnother malware family that we obtained both Windows and macOS samples of during our investigation was\r\noRAT. 
Interestingly, this was the first time that we had analyzed samples of this malware family written in the Go\r\nlanguage.\r\nThe oRAT droppers that we found in our analysis were a MiMi chat application built using the Electron JS\r\nframework and a DMG (disk image) file. We discuss the full details of both in our research paper.\r\nBoth the Windows and macOS samples are flagged as version 0.5.1, and have the same features and\r\nconfigurations.\r\nThe configuration file and the AES decryption key are appended in an encrypted form to the PE (Portable\r\nExecutable) file overlay.\r\nFigure 6. The decrypted oRAT configuration\r\nThe configuration is decrypted using the AES-GCM (AES with Galois/Counter Mode) algorithm. The malware\r\nthen parses it and enables the gateway or traffic forwarder mode if it is specified in the configuration settings.\r\nFor the malware operator to directly connect to an infected machine and execute commands via GET or POST\r\nrequests, the malware starts local servers on the infected machine that listen on the ports specified in the\r\nconfiguration settings for control commands.\r\nThe network communications can be in plain text or encrypted, depending on the configuration file:\r\n“tcp” for plain text\r\n“stcp” for encrypted TCP communications using the golang-tls library\r\n“sudp” for encrypted UDP traffic using the Quic-go library\r\nThe control server is implemented by registering routes. This simple mechanism translates GET/POST\r\nrequests directly into internal Go commands. 
Requesting a URL therefore results in executing the corresponding\r\ncode on an infected system.\r\nWe obtained oRAT samples that register these routes:\r\nGET /agent/info\r\nGET /agent/ping\r\nPOST /agent/upload\r\nGET /agent/download\r\nGET /agent/screenshot\r\nGET /agent/zip\r\nGET /agent/unzip\r\nGET /agent/kill-self\r\nGET /agent/portscan\r\nGET /agent/proxy\r\nGET /agent/ssh\r\nGET /agent/net\r\nPuppetDownloaders (C++ downloaders)\r\nDuring our investigation, we also saw malicious websites that distribute fake Adobe Flash Player updates that\r\nwere actually delivering C++ downloaders.\r\nThe infection starts with an executable written in C++ that connects through the Winsock API to a domain or IP\r\naddress on a specific port. The downloaded content is saved as SMTemp.dat, and using the executable’s file name\r\nand a hard-coded XOR key, a file named Loader.dll is decrypted and copied to disk. If the executable is\r\nrenamed for whatever reason, the DLL decryption fails and the malware’s second stage does not run.\r\nIf the SMTemp.dat file exists, the Loader.dll file executes it. After that, the loader decrypts a legitimate Adobe\r\nFlash Player installer and executes it, in order to deceive the victim into thinking that the executable is a legitimate\r\ninstaller.\r\nDuring our investigation, we noted that the server hosting the second stage of the PuppetDownloaders malware\r\npayload was offline. It is also interesting to note that the string decryption routine of this malware is a simple\r\nXOR with the string “2020-05-24 13:00:29” as its key. The first 13 bytes of the password that is used to decode\r\nthe string are the same as the last 13 bytes.\r\nFigure 7. 
XOR decryption routine\r\nWe dubbed these downloaders PuppetDownloaders since they are connected to the PuppetLoader malware family,\r\nas evidenced by our observations:\r\nThis malware and PuppetLoader both use the same string decryption routine with the same key.\r\nThis malware and PuppetLoader both use the same XOR key (2726c6aea9970bb95211304705b5f595) to\r\ndecrypt the embedded Loader.dll file.\r\nThe decrypted Loader.dlls of this malware and PuppetLoader share similar strings such as “[-] UnExist\r\npwszModuleFunName:”. This suggests that a common framework was used to compile both DLLs.\r\nMFC socket downloaders\r\nWe also saw WinRAR self-extracting (SFX) files dropping downloaders written using the Microsoft Foundation\r\nClass Library (MFC) framework. These MFC socket downloaders have an identical structure: One function\r\ncreates a socket, connects to a domain or IP address, sends a short string, and then calls “recv” twice.\r\nThe code flow is redirected through a call to EnumDesktopsA or EnumWindows, whose callback function\r\npointers point to the downloaded content.\r\nThe downloaders attempt to access ports 8080, 29527, and 8885. They also send the strings “feiji”, “@5436”, and\r\n“fhfgj@jfggdsg” to the sockets. We found multiple additional samples of the same malware family that have the\r\nsame structure and send the same strings. However, it is possible that multiple groups might be covertly sharing\r\nthe source code for this malware.\r\nPlugX\r\nPlugX is a remote access tool (RAT) that has been used as a malicious tool for espionage for more than a decade.\r\nWe found that Earth Berberoka uses PlugX to target 32-bit and 64-bit architectures, based on the samples we\r\nobtained and analyzed.\r\nThis malware family sends a DWORD, a 32-bit unsigned integer, in the HELLO packet. 
A compromised system\r\nthen sends the HELLO packet, which looks like a date in the “yyyymmdd” format, to the C\u0026C server.\r\nWe found the following DWORDs in multiple samples we analyzed, which suggest that the versions we found\r\nwere developed within the last three years: 20190520, 20201106, and 20210804.\r\nAll of the samples we found are loaded in the same way: A legitimate and signed file that is vulnerable to DLL\r\nsideloading is placed alongside a malicious DLL, which decrypts and loads the third file containing the final\r\npayload.\r\nOne of these malicious DLL files has the PDB (program database) path\r\nC:\\Users\\Administrator\\Desktop\\Plug7.0(Logger)\\logexts\\x64\\Release\\logexts.pdb.\r\nGh0st RAT\r\nWe also saw at least three different variants of Gh0st RAT, another malware family that has been in the wild for\r\nmore than 10 years, being used in Earth Berberoka’s campaign. This malware family’s source code is public,\r\nwhich is why it has many variants.\r\nOne of the variants we analyzed had an interesting destructive feature: It replaces the master boot record (MBR) to\r\ndisplay an explicit message (“I am virus ! F*ck you :-)”). This particular message was also seen in a public report\r\nfrom a victim of this Gh0st RAT variant. 
A 2017 Industrial Control Systems Cyber Emergency Response Team\r\n(ICS-CERT) report also discussed how Gh0st RAT variants wiped the MBR and replaced it with messages that\r\nvaried across different samples.\r\nOther Known Malware Families\r\nWe also found other legitimate tools being abused by Earth Berberoka and a malware family being used by the\r\ngroup in its campaign:\r\nQuasar RAT – a Windows-based open-source RAT that has been used by APT groups for network\r\nexploitation\r\nAsyncRAT – an open-source RAT that can be used to remotely monitor and control devices via an\r\nencrypted connection\r\nTrochilus – a stealthy RAT that can evade sandbox analysis and can be used in cyberespionage campaigns\r\nSecurity recommendations\r\nOur analysis points to Earth Berberoka’s having multiple tools and a large infrastructure at its disposal to target\r\nthe Southeast Asian gambling market. To avoid falling victim to Earth Berberoka’s attacks, users and operators of\r\ngambling websites can adopt the following security recommendations:\r\nProperly vet emails, websites, and apps before clicking on links or downloading apps.\r\nDownload apps only from trusted sources.\r\nWatch out for malicious website flags, such as errors in grammar and spelling.\r\nBlock threats that arrive via email, such as malicious links, through hosted email security and antispam\r\nprotection.\r\nUse a multilayered security solution that helps with detecting, scanning, and blocking malicious URLs.\r\nThe full technical details of our investigation can be found in our research paper, which we will publish soon. We\r\nlist the indicators of compromise (IOCs) for Windows, Linux, and macOS in separate text files. We also\r\nprovide the domain list in a separate text file. 
\r\nSource: https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html"
	],
	"report_names": [
		"new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html"
	],
	"threat_actors": [
		{
			"id": "452d2d74-e812-45d6-b0fe-b8a6cc4ebd01",
			"created_at": "2022-10-25T16:07:23.562676Z",
			"updated_at": "2026-04-10T02:00:04.662064Z",
			"deleted_at": null,
			"main_name": "Earth Berberoka",
			"aliases": [
				"GamblingPuppet"
			],
			"source_name": "ETDA:Earth Berberoka",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"AsyncRAT",
				"CinaRAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"PuppetLoader",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav",
				"Yggdrasil",
				"oRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2664d6f5-f918-4978-87f8-f6afad7402c6",
			"created_at": "2023-01-06T13:46:39.393669Z",
			"updated_at": "2026-04-10T02:00:03.312065Z",
			"deleted_at": null,
			"main_name": "Earth Berberoka",
			"aliases": [
				"GamblingPuppet"
			],
			"source_name": "MISPGALAXY:Earth Berberoka",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434257,
	"ts_updated_at": 1775792110,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ebfda0e6fa14e173ec63d10b7d616d453cf18bb0.pdf",
		"text": "https://archive.orkl.eu/ebfda0e6fa14e173ec63d10b7d616d453cf18bb0.txt",
		"img": "https://archive.orkl.eu/ebfda0e6fa14e173ec63d10b7d616d453cf18bb0.jpg"
	}
}