{
	"id": "7027b453-387c-4ca3-9aea-4d8c16f0e515",
	"created_at": "2026-04-06T00:06:48.971544Z",
	"updated_at": "2026-04-10T03:29:18.730325Z",
	"deleted_at": null,
	"sha1_hash": "eeeedaf4e10e34453a6f5fdafa74474578a7e517",
	"title": "POLONIUM targets Israel with Creepy malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1586095,
	"plain_text": "POLONIUM targets Israel with Creepy malware\r\nBy Matías Porolli\r\nArchived: 2026-04-05 17:28:06 UTC\r\nESET researchers reveal their findings about POLONIUM, an advanced persistent threat (APT) group about which little\r\ninformation is publicly available and its initial compromise vector is unknown. POLONIUM is a cyberespionage group first\r\ndocumented by Microsoft Threat Intelligence Center (MSTIC) in June 2022. MSTIC’s assessment is that POLONIUM is an\r\noperational group based in Lebanon, coordinating its activities with other actors affiliated with Iran’s Ministry of\r\nIntelligence and Security (MOIS).\r\nAccording to ESET telemetry, POLONIUM has targeted more than a dozen organizations in Israel since at least September\r\n2021, with the group’s most recent actions being observed in September 2022. Verticals targeted by this group include\r\nengineering, information technology, law, communications, branding and marketing, media, insurance, and social services.\r\nOur findings describing the tactics of this group, including details about a number of previously undocumented backdoors,\r\nwere presented in late September at the Virus Bulletin 2022 conference.\r\nKey points of this blogpost:\r\nFocused only on Israeli targets, POLONIUM attacked more than a dozen organizations in various verticals such as\r\nengineering, information technology, law, communications, branding and marketing, media, insurance, and social\r\nservices.\r\nESET Research’s POLONIUM findings were revealed at the Virus Bulletin 2022 conference in late September.\r\nAccording to ESET telemetry, the group has used at least seven different custom backdoors since September 2021,\r\nand it is currently active at the time of writing.\r\nThe group has developed custom tools for taking screenshots, logging keystrokes, spying via the webcam, opening\r\nreverse shells, exfiltrating files, and more.\r\nFor C\u0026C communication, POLONIUM abuses common cloud services such as 
Dropbox, OneDrive, and Mega.\r\nThe numerous versions and changes POLONIUM introduced into its custom tools show a continuous and long-term effort to\r\nspy on the group’s targets. While we haven’t observed what commands were executed by operators on compromised\r\nmachines, we can infer from their toolset that they are interested in collecting confidential data from their targets. The group\r\ndoesn’t seem to engage in any sabotage or ransomware actions.\r\nAs shown in Figure 1, POLONIUM’s toolset consists of seven custom backdoors: CreepyDrive, which abuses OneDrive and\r\nDropbox cloud services for C\u0026C; CreepySnail, which executes commands received from the attackers’ own infrastructure;\r\nDeepCreep and MegaCreep, which make use of Dropbox and Mega file storage services respectively; and FlipCreep,\r\nTechnoCreep, and PapaCreep, which receive commands from attacker’s servers. The group has also used several custom\r\nmodules to spy on its targets.\r\nhttps://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/\r\nPage 1 of 18\n\nFigure 1. Timeline of observed backdoors deployed by POLONIUM\r\nInitial access\r\nWhile we don’t know how the group gained initial access to the targeted systems, some of the victims’ Fortinet VPN account\r\ncredentials were leaked in September 2021 and were made available online. As such, it is possible that the attackers gained\r\naccess to the victims’ internal networks by abusing those leaked VPN credentials.\r\nPOLONIUM is an active group that constantly introduces modifications to its custom tools. We have seen more than 10\r\ndifferent malicious modules since we started tracking the group, most of them with various versions or with minor changes\r\nfor a given version. 
Some of the most interesting characteristics of the group’s toolset are:\r\nAbundance of tools: We have seen seven different custom backdoors used by the group since September 2021, and\r\nalso saw many other malicious modules for logging keystrokes, taking screenshots, executing commands, taking\r\nphotos with the webcam, or exfiltrating files.\r\nCustom tools: In various attacks carried out by this group over a short period of time, we detected the same\r\ncomponent containing minor changes. In some other cases, we have seen a module, coded from scratch, that followed\r\nthe same logic as some previous components. Only in a few cases have we seen the group use publicly available tools\r\nor code. All of this indicates to us that POLONIUM builds and maintains its own tools.\r\nCloud services: The group abuses common cloud services such as Dropbox, OneDrive, and Mega for C\u0026C\r\ncommunications (receive commands and exfiltrate data).\r\nSmall components: Most of the group’s malicious modules are small, with limited functionality. In one case the\r\nattackers used one module for taking screenshots and another for uploading them to the C\u0026C server. On a similar\r\nnote, they like to divide the code in their backdoors, distributing malicious functionality into various small DLLs,\r\nperhaps expecting that defenders or researchers will not observe the complete attack chain.\r\nCreepyDrive\r\nCreepyDrive is a PowerShell backdoor that reads and executes commands from a text file stored on OneDrive or Dropbox.\r\nIt can upload or download files from attacker-controlled accounts in these cloud services, and execute supplied PowerShell\r\ncode. Figure 2 shows part of the code that downloads files and executes commands. Note that this backdoor was\r\ndocumented in Microsoft’s report in June 2022.\r\nFigure 2. 
Code used by CreepyDrive to download files or execute commands\r\nCreepyDrive uses the OneDrive HTTP API (and the Dropbox HTTP API) to access the cloud storage. In both cases it uses a\r\nrefresh token, client ID, and client secret (all hardcoded) to generate an access token that authenticates the user and grants\r\naccess to the accounts.\r\nWhile we didn’t observe commands being executed by the attackers on compromised systems, we spotted a log file\r\ndocumenting the execution of a command on a victimized computer. The contents of the log file (decoded) are shown in\r\nFigure 3.\r\nFigure 3. Execution log of a command and its output\r\nCreepySnail\r\nCreepySnail is another PowerShell backdoor that sends HTTP requests to a C\u0026C server and receives and executes\r\nPowerShell commands. We saw various versions of this backdoor in the wild, though the differences between them were\r\nminimal. Figure 4 shows one version that can run any executable specified by the C\u0026C server (as long as it’s in the malware\r\nfolder). We won’t go into more details about this backdoor as it has already been described by Microsoft in their report.\r\nFigure 4. Code used by CreepySnail to execute commands\r\nDeepCreep\r\nDeepCreep is a previously undocumented backdoor written in C# that reads commands from a text file stored in Dropbox\r\naccounts and can upload or download files to and from those accounts. Some versions of DeepCreep have obfuscated\r\nstrings, some separate the code into DLLs, and some have more or less commands. We will focus on the most prevalent\r\nversion for this analysis, although interesting features of other versions will be mentioned.\r\nA command to be executed by the backdoor is read from the file cd.txt on the server-side root folder of the victim; once\r\nread, the file is deleted from the cloud. 
DeepCreep runs this process in an infinite loop, which means that a new cd.txt file\r\nhas to be placed in the cloud storage for every command to execute. If the file is not found, the backdoor sleeps then tries\r\nagain. A list of the commands that DeepCreep can process is shown in Table 1.\r\nTable 1. List of commands supported by DeepCreep\r\nCommand Description\r\nGetNoThing Deletes cd.txt.\r\nupload \"\u003clocal_file_path\u003e\" \"\u003cfile_name_on_dropbox\u003e\"\r\nUploads a file on the victim’s computer to a subfolder 2 in Dropbox. Multiple upload lines can be included in cd.txt to execute more than one upload at once.\r\ndownload \"\u003cfile_name_on_dropbox\u003e\" \"\u003clocal_file_path\u003e\" \u003cbool_abs_p\u003e\r\nDownloads a file from the root folder in Dropbox to the victim’s computer. If \u003cbool_abs_p\u003e is 0, the file is downloaded into %TEMP%\\\u003clocal_file_path\u003e (relative path). If it’s 1, the file is downloaded into \u003clocal_file_path\u003e (absolute path).\r\ndelay \u003cvalue\u003e Sets the delay for all sleep operations, where 1000 is 1 minute.\r\nzip \"\u003clocal_file_folder_path\u003e\" \"\u003coutput_path\u003e\" \"\u003csize_mb\u003e\"\r\nCreates a ZIP file with the specified file or folder and saves it in the specified path on the victim’s computer. The archive is split in chunks of the specified size, in megabytes.\r\nExecute with cmd.exe\r\nWhen none of the previous commands are found in the first line of cd.txt, then all of the lines are taken as commands to be executed with cmd.exe. The output produced by the commands is uploaded to a text file in Dropbox. 
The output encoding for the console is set to Windows-1255, which handles Hebrew characters.\r\nDeepCreep persists by creating a LNK file in %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup and by\r\ncreating a scheduled task. A PowerShell command is used to create the LNK file, as shown in Figure 5.\r\nFigure 5. Part of the code that DeepCreep uses to establish persistence\r\nAuthentication with the cloud is done by using OAuth 2.0 tokens, which are hardcoded in the binaries. DeepCreep needs a\r\nlegitimate DLL with Dropbox SDK to be able to communicate with the cloud.\r\nWe saw some cases where a separate loader – WindowsTool.exe – was used to implement persistence and execute\r\nDeepCreep with InstallUtil, a legitimate tool from the .NET Framework. This version of the backdoor has its malicious code\r\nprovided in an uninstallation routine and is executed with the /u (uninstall) option of InstallUtil.exe, perhaps to mislead\r\ndefenders. Figure 6 shows part of the code of the loader.\r\nFigure 6. Part of the code of the loader that executes DeepCreep\r\nIn terms of string obfuscation, we have seen two variations: ROT13 and AsStrongAsFuck obfuscator. The latest version of\r\nDeepCreep that we have seen uses AES encryption and has the same key commands as the MegaCreep backdoor, which we\r\nwill describe in the next section.\r\nMegaCreep\r\nMegaCreep is a previously undocumented backdoor based on DeepCreep, with added functionalities. It reads and executes\r\ncommands from a text file stored in Mega cloud storage. While MegaCreep is arguably just a newer version of DeepCreep,\r\nand in fact reuses code from DeepCreep, it seems the attackers consider both backdoors as separate projects.\r\nMegaCreep processes the same commands that we described for DeepCreep, but they are stored in AES-encrypted form in\r\nthe file cd.txt. 
It has additional commands, both related to the key used for decryption, which are described in Table 2.\r\nTable 2. List of new commands added to MegaCreep\r\nCommand Description\r\nNewASKey \u003ckey\u003e\r\nReceives the decryption key \u003ckey\u003e that is stored locally in Cert.dll (only if the file doesn’t already exist).\r\nUPKY \u003cold_key\u003e \u003cnew_key\u003e\r\nUpdates the decryption key from \u003cold_key\u003e to \u003cnew_key\u003e. The process is successful only if \u003cold_key\u003e is the same as the key that the backdoor is currently using. In this case, \u003cnew_key\u003e is stored locally in Cert.dll.\r\nMegaCreep checks for these commands first, which are stored unencrypted in cd.txt. If none of these commands are found,\r\nthen the contents of cd.txt are decrypted using the key that is in Cert.dll. After decryption, all the same commands that we\r\ndescribed for DeepCreep can be executed by MegaCreep.\r\nMegaCreep uses the MegaApiClient C# library to communicate with Mega cloud storage. Authentication is done with a\r\nusername and password, which are stored encrypted in a local file, Sess.dll. Figure 7 shows the code that loads the username\r\nand password from Sess.dll.\r\nFigure 7. Code used in MegaCreep to load username and password\r\nThis backdoor is a good example of the preference that POLONIUM has for using separate DLLs with specific\r\nfunctionality, as shown in Figure 8. In the example, two methods from PRLib.dll are called: CHP, which kills running\r\nprocesses with the same name as the backdoor’s executable (i.e., previous executions of the backdoor that are still running),\r\nand XVDFv, which implements persistence (in the same way we described for DeepCreep).\r\nFigure 8. 
Example of MegaCreep calling methods from separate DLLs\r\nAnother feature that was added to MegaCreep is that the output from commands executed by cmd.exe is encrypted before it\r\nis uploaded to the cloud. The key used for encryption is the same as the one used to decrypt commands.\r\nWe saw one case where MegaCreep was deployed using a loader, WLAN-AutoConfig.exe. The main code for the backdoor\r\nwas placed in a DLL file, MainZero.dll, and other routines that communicate with Mega were placed in another DLL,\r\nMagLibrary.dll. Figure 9 shows the code in the loader that calls MainZero.\r\nFigure 9. Code for MegaCreep's loader\r\nFlipCreep\r\nFlipCreep is another previously undocumented backdoor written in C# that has a very similar flow of execution to the other\r\nbackdoors that we have described: it reads commands from orders.txt – a text file stored on an FTP server operated by\r\nPOLONIUM – and can upload or download files from the server. The commands that FlipCreep can process are the same as\r\nthe other backdoors, with the following considerations:\r\nThe commands upload and download do the opposite of what’s expected. We don’t know if this was a mistake, but\r\nupload actually downloads files from the FTP server to the victim, and download uploads files. Both take two\r\narguments, as was the case in MegaCreep. Figure 10 shows part of the code that uploads files; we can see that it\r\nlooks for the string download.\r\nThere is a command ftpversion that uploads the version of the backdoor (hardcoded) to a file ver.txt on the FTP\r\nserver, in the root folder for the target.\r\nFigure 10. 
Part of the FlipCreep code to upload files\r\nFlipCreep creates a folder with the username of the target on the FTP server, along with these subfolders:\r\nFiles: stores files uploaded from the victims\r\norders: stores output from commands executed with cmd.exe\r\nPersistence is achieved in the same way as was described for DeepCreep. As for string obfuscation, we’ve seen one sample\r\nwith ROT13 obfuscation.\r\nTechnoCreep\r\nTechnoCreep is a previously undocumented C# backdoor that communicates with a C\u0026C server via TCP sockets. In this\r\ncase, commands are not read from a file, but received in an exchange of messages. The first message is sent by the backdoor\r\nand contains initial information about the victim, in the format \u003cPC_NAME\u003e#\u003cUSERNAME\u003e#\u003cLIST_IP\u003e#\u003cLIST_OTHER\u003e#\u003cOS\u003e\r\n\u003cLIST_IP\u003e is a list of IP addresses that are resolved for the hostname of the victim, separated by /. The list is obtained by\r\ncalling Dns.GetHostByName and applying a regular expression for IP addresses. All the other elements that don’t match the\r\nregular expression are sent as \u003cLIST_OTHER\u003e to the C\u0026C server; note that in the most common scenario this list will be\r\nempty.\r\nTechnoCreep receives commands in an infinite loop. The list of commands is shown in Table 3.\r\nTable 3. List of commands supported by TechnoCreep\r\nCommand Description\r\nupload\r\nUploads a file on the victim’s computer to the C\u0026C server. The path of the file to upload is received in a separate message. If the file exists, the backdoor sends Exist, to which the server replies start or stop. If start is received, the size of the file is sent. Finally, the file is sent to the server as raw bytes. If the message is stop, nothing is done. 
If the specified file doesn’t exist, NotE is sent to the server.\r\ndownload\r\nDownloads a file from the C\u0026C server. The path where the file will be saved on the victim’s computer is received in a separate message. If NotE is received instead, the process stops. If the path is an absolute path, and the parent folder doesn’t exist, then the backdoor sends NOT. Otherwise, it sends Exists, to which the server replies by sending the size of the file. Then the backdoor sends ok, sleeps for 1 second, and then receives the file as raw bytes.\r\nExecute with cmd.exe\r\nWhen neither of the previous commands is received, the message is taken as a command to be executed with cmd.exe. The output is sent to the server.\r\nTechnoCreep persists by copying its executable to the Startup folder, as shown in Figure 11. Identical code can also be found\r\nin some versions of DeepCreep. Note that no LNK files are used in this method.\r\nFigure 11. TechnoCreep code establishing persistence\r\nPapaCreep\r\nPapaCreep is a previously undocumented custom backdoor written in C++ that can receive and execute commands from a\r\nremote server via TCP sockets. First seen in September 2022, this is the first backdoor used by POLONIUM that was not\r\nwritten in C# or PowerShell.\r\nPapaCreep is a modular backdoor; its code has been divided in various components, some of them with minimal\r\nfunctionalities. We can summarize the main components as:\r\nExecutive: looks for a file with commands and executes them with cmd.exe. The output is saved to a file.\r\nMailman: communicates with a C\u0026C server to receive commands and writes them to a file. 
It also sends the file with\r\noutput from commands to the C\u0026C server.\r\nCreepyUp: uploads any file to the C\u0026C server.\r\nCreepyDown: downloads any file from the C\u0026C server.\r\nThe Executive and Mailman components run independently from each other and are even persisted with separate scheduled\r\ntasks in a compromised system. Communication with the remote server uses raw TCP sockets, but the information that is\r\nsent and received by the backdoor is contained in HTML code (with a fake HTTP header). Figure 12 shows that the header\r\nis hardcoded in the backdoor, and Content-length is always 1024. Note that Content-Type is text/-html, which is not a\r\nnormal value.\r\nFigure 12. Hardcoded HTTP header used by the PapaCreep backdoor\r\nThe Mailman component initiates communication with the C\u0026C server by sending \u003cPC_NAME\u003e-\u003cUSERNAME\u003e (base64\r\nencoded). It then starts two threads: one of them receives commands from the server and the other one sends any available\r\noutput from the execution of commands. Delimiters are used for both sending and receiving: code#s and code#f are used to\r\nmark the start and end of the data. An example of a message sent to the server with the output of a dir command is shown in\r\nFigure 13.\r\nFigure 13. Example of a message sent to the C\u0026C server, and the decoded content\r\nIf the content is bigger than 1024 bytes, more than one message will be transmitted. In that case, the first message will have\r\nthe start delimiter and the final message will have the end delimiter. The IP address and port of the C\u0026C server are read from\r\na text file, yetty.dll, with the format \u003cIP_address\u003e::\u003cport\u003e (base64 encoded).\r\nThe CreepyUp and CreepyDown modules are not part of the main flow of execution of the backdoor and can be executed on\r\ndemand. 
They are standalone command line tools that take two arguments, a local and a remote file. Curiously,\r\nCreepyDown’s filename in compromised computers is UCLN.exe and CreepyUp is DCLN.exe. This is similar to the\r\ncommands upload and download in the FlipCreep backdoor that do the opposite of what is expected. Both CreepyUp and\r\nCreepyDown read the server information from the yetty.dll text file.\r\nOther modules\r\nTo spy on their victims, POLONIUM uses several other modules on top of their backdoors, including reverse shell modules\r\nand a module for creating a tunnel. ESET researchers have observed many variants of the modules that the group uses for\r\ntaking screenshots. As for keyloggers, POLONIUM has used both custom and open-source ones. The group’s custom\r\nkeylogger monitors keystrokes and clipboard contents and supports both Hebrew and Arabic keyboards. POLONIUM has\r\nalso used a simple module that uses AForge.NET to take a snapshot from the webcam and save it in the TEMP folder.\r\nNetwork infrastructure\r\nPOLONIUM didn’t use domain names in any of the samples that we analyzed, only IP addresses. Most of the servers are\r\ndedicated VPS, likely purchased rather than compromised, hosted at HostGW. There is one special case: IP address\r\n45.80.149[.]154 hosts erichmocanu.tv, which seems to be a legitimate website. It is likely that POLONIUM used this server\r\nbefore it was assigned to its current owner.\r\nConclusion\r\nPOLONIUM is a very active threat actor with a vast arsenal of malware tools and is constantly modifying them and\r\ndeveloping new ones. 
A common characteristic of several of the group’s tools is the abuse of cloud services such as\r\nDropbox, Mega and OneDrive for C\u0026C communications.\r\nIntelligence and public reports about POLONIUM are very scarce and limited, likely because the group’s attacks are highly\r\ntargeted, and the initial compromise vector is not known. ESET Research will continue to track its activities and document\r\nits attacks.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research also offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the\r\nESET Threat Intelligence page.\r\nIoCs\r\nA comprehensive list of Indicators of Compromise and samples can be found in our GitHub repository.\r\n
SHA-1 Filename ESET detection name Description\r\n3F4E3C5301752D39DAF97384CCA47564DA1C3314 dnw.exe PowerShell/Agent.GJ CreepyDrive\r\nCC820ED9A23084104807941B76A2679243BA357C Request.exe PowerShell/Agent.HF CreepySnail\r\n03A35A0167684E6CCCA641296969972E49B88D60 DropBox.exe MSIL/Agent.DPT DeepCreep\r\n4E7DBFF20995E97190536B284D7E5CC65922FD55 Mega.exe MSIL/Agent.DPT MegaCreep\r\n994EAD7666A67E33C57A51EF98076D41AABB7FB7 Regestries.exe MSIL/Tiny.DG FlipCreep\r\n79DE0AF2F10F8D39A93EED911D4048D87E3C8A1C WinUpdate.dll MSIL/Agent.DYU TechnoCreep\r\n2B9444B0E1747EB4F482D29C9DE27D07CCE55A76 WindowsSartup22.exe Win64/HackTool.NetHacker.G PapaCreep\r\nF26F43AD2E2980B96497242A3F30CA003E5CF54C WinSc.exe MSIL/Tiny.DG Screenshot module\r\nF41E27C4C863821DE6CAD91CA7E77CD6CA6CE5D3 4kyro3fs.dll MSIL/Spy.Keylogger.FGC Keylogger module\r\n94E75BA7C4476AFDACF4B39E403379C5ECD1BED6 Device.exe MSIL/Spy.Tiny.CZ Webcam module\r\nB87CC5269A5DF5CF093F8D28DF78952F662162B6 OnDrive.exe MSIL/Agent.DTP Reverse shell module\r\n809048A40274350BD0C453E49D8C1F7D32397164 Rehost.exe MSIL/Spy.Tiny.DA Exfiltration module\r\n43E3C3752A15D0BDE7135E1B52F1DE397B5314B5 Microsoft Malware Protection.exe MSIL/Agent.DYV Tunnels module\r\n
Network\r\nIP First seen Details\r\n37.120.233[.]89 2022-09-12 PapaCreep C\u0026C\r\n45.80.148[.]119:8080 2022-05-21 Reverse shell server\r\n45.80.148[.]167:21, 45.80.148[.]167:5055 2021-11-27 Exfiltration\r\n45.80.148[.]186:8080 2022-01-08 Reverse shell server\r\n45.80.149[.]22:8080 2022-05-13 CreepySnail C\u0026C\r\n45.80.149[.]108:8080 2022-02-11 CreepySnail C\u0026C\r\n45.80.149[.]68:63047 2022-03-01 CreepySnail C\u0026C\r\n45.80.149[.]71:80 2022-03-11 CreepySnail C\u0026C\r\n185.244.129[.]79:63047 2022-03-01 CreepySnail C\u0026C\r\n45.80.149[.]154:1302, 45.80.149[.]154:21 2021-09-23 TechnoCreep C\u0026C, Exfiltration\r\n185.244.129[.]216:5055 2021-11-24 Exfiltration\r\n146.70.86[.]6:1433 2022-05-26 Exfiltration\r\n195.166.100[.]23:5055 2022-01-05 Exfiltration\r\n45.137.148[.]7:2121 2021-10-29 FlipCreep C\u0026C\r\n185.203.119[.]99:8080 2022-02-12 Reverse Shell\r\n212.73.150[.]174 2022-02-24 Tunneling\r\n94.156.189[.]103 2022-04-20 Tunneling\r\n51.83.246[.]73 2022-03-12 Tunneling\r\n
MITRE ATT\u0026CK techniques\r\nThis table was built using version 11 of the MITRE ATT\u0026CK framework.\r\nTactic ID Name Description\r\nResource Development\r\nT1583.003 Acquire Infrastructure: Virtual Private Server\r\nPOLONIUM has acquired various servers for C\u0026C and also for storing exfiltrated files.\r\nT1587.001 Develop Capabilities: Malware\r\nPOLONIUM has developed at least six backdoors and several other malicious modules.\r\nT1588.001 Obtain Capabilities: Malware\r\nPOLONIUM has used a publicly available keylogger.\r\nExecution\r\nT1059.001 Command and Scripting Interpreter: PowerShell\r\nPOLONIUM has used the CreepySnail and CreepyDrive PowerShell backdoors in their attacks.\r\nT1059.003 Command and Scripting Interpreter: Windows Command Shell\r\nDeepCreep, MegaCreep, FlipCreep and TechnoCreep use cmd.exe to execute commands in a compromised computer.\r\nT1129 Shared Modules\r\nDeepCreep and MegaCreep have their code divided into small DLLs, which are loaded both statically and dynamically.\r\nPersistence\r\nT1547.009 Boot or Logon Autostart Execution: Shortcut Modification\r\nPOLONIUM’s backdoors persist by writing shortcuts to the Windows Startup folder.\r\nT1053.005 Scheduled Task/Job: Scheduled Task\r\nDeepCreep, MegaCreep and FlipCreep create scheduled tasks for persistence.\r\nDefense Evasion\r\nT1140 Deobfuscate/Decode Files or Information\r\nDeepCreep and MegaCreep use AES encryption to obfuscate commands and login credentials stored in local files on the victim’s computer.\r\nT1070.004 Indicator Removal on Host: File Deletion\r\nPOLONIUM’s exfiltration modules delete screenshot files or keystroke logs from a compromised host after they are exfiltrated.\r\nT1036.005 Masquerading: Match Legitimate Name or Location\r\nPOLONIUM has used filenames such as Mega.exe or DropBox.exe for its backdoors, to make them look like legitimate binaries.\r\nT1218.004 System Binary Proxy Execution: InstallUtil\r\nPOLONIUM has used InstallUtil.exe to execute DeepCreep.\r\n
Discovery\r\nT1083 File and Directory Discovery\r\nPOLONIUM’s custom exfiltrator module builds a listing of files for any given folder.\r\nT1057 Process Discovery\r\nDeepCreep, MegaCreep and FlipCreep look for running processes and kill other instances of themselves.\r\nT1082 System Information Discovery\r\nTechnoCreep and POLONIUM’s reverse shell module send information such as computer name, username, and operating system to a remote server, in order to identify their victims.\r\nT1016 System Network Configuration Discovery\r\nTechnoCreep sends a list of IP addresses associated with a victim’s computer.\r\nT1033 System Owner/User Discovery\r\nPOLONIUM has executed whoami.exe to identify the logged-on user.\r\nCollection\r\nT1560.002 Archive Collected Data: Archive via Library\r\nDeepCreep, MegaCreep and FlipCreep use .NET’s ZipFile class to archive collected data.\r\nT1115 Clipboard Data\r\nPOLONIUM’s custom keylogger retrieves clipboard data from compromised computers.\r\nT1005 Data from Local System\r\nPOLONIUM’s exfiltrator module collects files from a compromised system.\r\nT1056.001 Input Capture: Keylogging\r\nPOLONIUM has used custom and publicly available keyloggers.\r\nT1113 Screen Capture\r\nPOLONIUM has used custom modules for taking screenshots.\r\nT1125 Video Capture\r\nPOLONIUM has used a custom module to capture images using the compromised computer’s webcam.\r\n
Command and Control\r\nT1071.001 Application Layer Protocol: Web Protocols\r\nCreepySnail and POLONIUM’s file exfiltrator modules use HTTP communication with the C\u0026C server.\r\nT1071.002 Application Layer Protocol: File Transfer Protocols\r\nFlipCreep and POLONIUM’s file exfiltrator modules use FTP communication with the C\u0026C server.\r\nT1132.001 Data Encoding: Standard Encoding\r\nCreepySnail, CreepyDrive and some of POLONIUM’s reverse shell modules use base64-encoded commands to communicate with the C\u0026C server.\r\nT1573.001 Encrypted Channel: Symmetric Cryptography\r\nDeepCreep and MegaCreep AES encrypt commands and their output.\r\nT1095 Non-Application Layer Protocol\r\nTechnoCreep and POLONIUM’s reverse shell module use TCP.\r\nT1571 Non-Standard Port\r\nPOLONIUM has used non-standard ports, such as 5055 or 63047, for HTTP.\r\nT1572 Protocol Tunneling\r\nPOLONIUM’s tunnels module uses the Plink utility to create SSH tunnels.\r\nT1102.002 Web Service: Bidirectional Communication\r\nPOLONIUM has used cloud platforms such as OneDrive, Dropbox, and Mega to send commands and store the output.\r\nExfiltration\r\nT1041 Exfiltration Over C2 Channel\r\nDeepCreep, MegaCreep, FlipCreep and TechnoCreep exfiltrate files over the C\u0026C channel via upload commands.\r\nT1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage\r\nPOLONIUM has used OneDrive, Dropbox, and Mega cloud storage to store stolen information.\r\nSource: https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/"
	],
	"report_names": [
		"polonium-targets-israel-creepy-malware"
	],
	"threat_actors": [
		{
			"id": "d866a181-c427-43df-9948-a8010a8fdad6",
			"created_at": "2022-10-27T08:27:13.080609Z",
			"updated_at": "2026-04-10T02:00:05.303153Z",
			"deleted_at": null,
			"main_name": "POLONIUM",
			"aliases": [
				"POLONIUM",
				"Plaid Rain"
			],
			"source_name": "MITRE:POLONIUM",
			"tools": [
				"CreepyDrive",
				"CreepySnail"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6cfeba14-c84e-4606-88b9-c7a7689c450f",
			"created_at": "2022-10-25T16:07:24.06766Z",
			"updated_at": "2026-04-10T02:00:04.857565Z",
			"deleted_at": null,
			"main_name": "Polonium",
			"aliases": [
				"G1005",
				"Incendiary Jackal",
				"Plaid Rain"
			],
			"source_name": "ETDA:Polonium",
			"tools": [
				"CreepyDrive",
				"CreepySnail",
				"DeepCreep",
				"FlipCreep",
				"MegaCreep",
				"PapaCreep",
				"TechnoCreep"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b7823339-891d-4ded-b01d-1f142a88bc64",
			"created_at": "2023-01-06T13:46:39.381591Z",
			"updated_at": "2026-04-10T02:00:03.308737Z",
			"deleted_at": null,
			"main_name": "POLONIUM",
			"aliases": [
				"GREATRIFT",
				"INCENDIARY JACKAL",
				"Plaid Rain",
				"UNC4453"
			],
			"source_name": "MISPGALAXY:POLONIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434008,
	"ts_updated_at": 1775791758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eeeedaf4e10e34453a6f5fdafa74474578a7e517.pdf",
		"text": "https://archive.orkl.eu/eeeedaf4e10e34453a6f5fdafa74474578a7e517.txt",
		"img": "https://archive.orkl.eu/eeeedaf4e10e34453a6f5fdafa74474578a7e517.jpg"
	}
}