{
	"id": "b75ae1b9-db60-4eac-ba96-2355dd772733",
	"created_at": "2026-04-06T00:13:07.297894Z",
	"updated_at": "2026-04-10T03:26:40.102218Z",
	"deleted_at": null,
	"sha1_hash": "ec678f5c5424f6c69573031d4c515e940af65663",
	"title": "MSUpdater Trojan And Link To Targeted Attacks | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 147314,
	"plain_text": "MSUpdater Trojan And Link To Targeted Attacks | Zscaler\r\nBy ThreatLabz\r\nPublished: 2012-01-31 · Archived: 2026-04-05 17:11:31 UTC\r\nThis blog post is based on a joint report by Zscaler and Seculert. Researchers from both companies separately identified attacks which used a remote access tool (RAT) malware that apparently targeted defense-related organizations. With joined forces, we analyzed the incidents that we observed and those published in open sources to identify attack patterns and incidents from early 2009 to present.\r\nFigure 1: Screenshot of Report Heading\r\nThe threat arrives in phishing emails with a PDF attachment, possibly related to conferences for the particular targeted industry. The PDF exploits a vulnerability within Adobe software (for example, a 0-day exploit was used against CVE-2010-2883), which then drops a series of files to begin communicating with the command and control (C\u0026C).\r\nFigure 2: Screenshot of Example Conference PDF \"Lure\"\r\nThe malware dropped and launched from the PDF exploit has been seen to be virtual machine (VM) aware in order to prevent analysis within a sandbox. The Trojan functionality is decrypted at run-time and includes expected functionality such as downloading, uploading, and executing files driven by commands from the C\u0026C. Communication with the C\u0026C is over HTTP but is encoded to evade detection. The Trojan file name (e.g., \"msupdate.exe\") and the HTTP paths used in the C\u0026C (e.g., \"/microsoftupdate/getupdate/default.aspx\") are used to stay under the radar by appearing to be related to Microsoft Windows Update - hence the name given to this Trojan.\r\nCorrelating this information with open-source intelligence (OSINT), we were able to find other reports of this Trojan within past targeted incidents, as well as a link to other incidents and compromise indicators. Further details of this information can be read within our joint report. The mission of this report is to inform organizations and security executives about these threats, and assist them in detection and mitigation.\r\nSource: https://www.zscaler.com/blogs/research/msupdater-trojan-and-link-targeted-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/msupdater-trojan-and-link-targeted-attacks"
	],
	"report_names": [
		"msupdater-trojan-and-link-targeted-attacks"
	],
	"threat_actors": [
		{
			"id": "abd17060-62f6-4743-95e8-3f23c82cc229",
			"created_at": "2022-10-25T15:50:23.428772Z",
			"updated_at": "2026-04-10T02:00:05.365894Z",
			"deleted_at": null,
			"main_name": "Putter Panda",
			"aliases": [
				"Putter Panda",
				"APT2",
				"MSUpdater"
			],
			"source_name": "MITRE:Putter Panda",
			"tools": [
				"pngdowner",
				"3PARA RAT",
				"4H RAT",
				"httpclient"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "468b7acd-895c-4c93-b572-b42f4035b4d4",
			"created_at": "2023-01-06T13:46:38.265636Z",
			"updated_at": "2026-04-10T02:00:02.902436Z",
			"deleted_at": null,
			"main_name": "APT2",
			"aliases": [
				"MSUpdater",
				"4HCrew",
				"SearchFire",
				"TG-6952",
				"G0024",
				"PLA Unit 61486",
				"PUTTER PANDA"
			],
			"source_name": "MISPGALAXY:APT2",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434387,
	"ts_updated_at": 1775791600,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ec678f5c5424f6c69573031d4c515e940af65663.pdf",
		"text": "https://archive.orkl.eu/ec678f5c5424f6c69573031d4c515e940af65663.txt",
		"img": "https://archive.orkl.eu/ec678f5c5424f6c69573031d4c515e940af65663.jpg"
	}
}