{
	"id": "25312466-0db6-4122-a6fb-bc88ebf24994",
	"created_at": "2026-04-06T00:07:48.699741Z",
	"updated_at": "2026-04-10T13:11:20.028226Z",
	"deleted_at": null,
	"sha1_hash": "ef5ef546368b8746397d6be2f18a242619ff56da",
	"title": "New APT Group Actor240524: A Closer Look at Its Cyber Tactics Against Azerbaijan and Israel - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 683943,
	"plain_text": "New APT Group Actor240524: A Closer Look at Its Cyber Tactics\r\nAgainst Azerbaijan and Israel - NSFOCUS, Inc., a global network\r\nand cyber security leader, protects enterprises and carriers from\r\nadvanced cyber attacks.\r\nBy NSFOCUS\r\nPublished: 2024-08-08 · Archived: 2026-04-05 18:55:18 UTC\r\nOverview\r\nLeveraging NSFOCUS’s Global Threat Hunting System, NSFOCUS Security Labs (NSL) captured an attack\r\ncampaign targeting Azerbaijan and Israel on July 1, 2024. By analyzing the tactics, attack vectors, weapons, and\r\ninfrastructure of the attack in this incident, it was found that the exposed attack characteristics have no direct\r\nconnection with known APT groups. Therefore, NSL attributes the attackers of this campaign to a new APT group,\r\nmarking the group as Actor240524 and naming the new type of Trojan program used by the group as ABCloader\r\nand ABCsync.\r\nIn this attack incident, Actor240524 attackers used spear-phishing emails to launch attacks on Azerbaijani and\r\nIsraeli diplomats, intending to steal sensitive data through new weapons.\r\nIntroduction to Actor240524\r\nhttps://nsfocusglobal.com/new-apt-group-actor240524-a-closer-look-at-its-cyber-tactics-against-azerbaijan-and-israel/\r\nPage 1 of 11\n\nFigure 2.1 Introduction to Actor240524\r\nActor240524 possesses the ability to steal secrets and modify file data, using a variety of countermeasures to\r\navoid overexposure of attack tactics and techniques.\r\nActivity Description\r\nIn this incident, the attackers used a Word document embedded with malicious macro code as bait, with the file\r\nname “iden.doc”. 
The content consists of three blurry images, as shown below:\r\nAn official document issued by government websites or news organizations.\r\nAn official page of Azerbaijan, displaying the national emblem, name, and some links of Azerbaijan.\r\nAn official page of Azerbaijan, displaying the cabinet building and a list of administrative personnel.\r\nNSL found that the bait document first appeared in the Israeli region, and all the languages in the above bait\r\nimages are Azerbaijani.\r\nAzerbaijan and Israel are allied countries with close economic and political exchanges. Actor240524’s operation\r\nthis time is likely aimed at the cooperative relationship between the two countries, targeting phishing attacks on\r\ndiplomatic personnel of both countries.\r\nFigure 3.1 Decoy Document Used by Actor240524\r\nAttack Process\r\nThe attacker lured the target into clicking “Enable Content” through the malicious document containing blurry\r\nimages, which upon execution, reads encrypted data from within itself, releases three executable files, and\r\nexecutes ABCsync. The attack process of this incident is summarized as follows:\r\n1. After opening the document, the user is prompted to click “Enable Content.” Upon clicking, the macro\r\ncode is executed, utilizing the embedded VBA program in the doc to decode and store the malicious\r\npayload to a specified path and execute ABCloader.\r\n2. Execute “MicrosoftWordUpdater.log” (ABCloader) to decrypt and release three executable files and load\r\nthe subsequent “synchronize.dll” (ABCsync).\r\n3. 
ABCsync connects to the C2 server, receives remote commands, and performs the corresponding functions\r\nof the commands.\r\nFigure 4.1 Attack Process of APT Group Actor240524\r\nThe VBA script executed after the victim runs the phishing document functions as follows: It decodes the\r\nmalicious payload stored within itself to a specified path\r\n“C:\\Users\\Public\\Documents\\MicrosoftWordUpdater.log” (this file is an .exe file, and the attacker has changed its\r\nextension to .log to confuse the user), then executes the command to run the program, with the code as shown\r\nbelow:\r\nFigure 4.2 Malicious Macro Code\r\n“MicrosoftWordUpdater.log” (ABCloader) is a loader. Its main function is to determine the running environment,\r\ndecrypt the program, and load the subsequent DLL (ABCsync).\r\nAfter the program runs, it initializes, executes the decryption function, and dynamically obtains the function\r\naddress, storing it in a global structure array for subsequent use.\r\nFigure 4.3 Initialization Execution\r\nIt then performs various anti-sandbox and anti-analysis techniques for environmental detection. 
If a sandbox\r\nenvironment or analysis behavior is detected, it will jump to the exit function and execute this function to\r\nterminate the current process.\r\nFigure 4.4 Exiting the Process After Detecting Analysis Behavior\r\nAfter passing the anti-analysis detection, it decrypts the encrypted data stored in the current program and writes\r\nthe decrypted data to a specified location (C:\\Users\\AppData\\Local\\Microsoft\\Edge\\User Data\\Synchronize).\r\nDepending on whether the value at the memory location 0x7ffe0260 is less than 0x4E20, it decrypts either\r\n“vcruntime220.dll” or “vcruntime190.dll,” and then decrypts two files fixedly, “synchronize.dll” and\r\n“synchronize.exe.” Finally, it loads the “synchronize.dll” dynamic link library (ABCsync).\r\nFigure 4.5 Loading the “synchronize.dll” Dynamic Link Library\r\nAdversarial Technique Analysis\r\nThe ABCloader and the malicious payload ABCsync employ similar adversarial analysis detection methods. 
The\r\nfollowing is a detailed description of the adversarial techniques of the Trojan.\r\nAPI Encryption\r\nImportant strings within the program (file paths, file names, keys, error messages, C2 addresses) and key API\r\nfunctions are encrypted to counteract sandbox detection and static analysis.\r\nFigure 5.1 String Encryption\r\nPEB Detection\r\nThe BeingDebugged field and the NtGlobalFlag flag are checked to determine if the process is being debugged.\r\nThe BeingDebugged field in the PEB, if set to 1, indicates that the process is being debugged.\r\nFigure 5.2 Anti-Debugging with PEB\r\nBy calling the NtQueryInformationProcess function, it checks for the presence of a debugger, using\r\nProcessDebugPort(0x7) and ProcessDebugObjectHandle(0x1E) to determine if the process is in a debugging state.\r\nFigure 5.3 Detects the Program State by Calling the NtQueryInformationProcess Function\r\nHardware Breakpoint Detection\r\nIt determines the presence of debugging behavior by checking whether hardware breakpoints have been set.\r\nFigure 5.4 Detecting Hardware Breakpoints for Anti-Debugging\r\nScreen Resolution Detection\r\nIt checks the screen resolution to determine whether the environment is a virtual machine or sandbox: by\r\ndetermining if the display uses standard resolutions (1920, 2560, 1440, 1080, 1200, 1600, 900) to judge whether\r\nthe process is running in a sandbox or virtual machine environment.\r\nFigure 5.5 Enumerating All Monitors in the System\r\nProcess Count Detection\r\nIt determines if the number of processes running in the system is less than 200, and if so, it exits the process.\r\nFigure 5.6 Determining the Number of Running Processes in the Current System\r\nSpecific Permission Detection\r\nIt checks whether the current process’s access token has specific permissions (built-in domain and administrator group),\r\ndetermining the running environment by checking for these special permissions.\r\nFigure 5.7 Checking if the Current Process Token Belongs to a Specific SID Group\r\nAttack Payload Analysis\r\n“ABCsync” is the attack payload of the attack process, with its main functions being to execute remote shells,\r\nmodify user data, steal user files, etc.\r\n“ABCsync” uses the same adversarial techniques as “ABCloader” for encrypted communication. Multiple\r\ncommunication commands combine to complete a function, suggesting that the program is still in the testing\r\nphase.\r\nFirst, “ABCloader” will load “ABCsync,” then use the same adversarial techniques for anti-debugging. It then\r\ninitializes strings and the AES encryption key, creates registry entries and values to achieve COM component\r\nhijacking. Finally, it connects to the C2 to receive commands and execute them.\r\nCommunication\r\nAfter decrypting the C2 address “185.23.253.143,” it connects and sends a fixed data packet. After sending the\r\ndata packet, the server automatically sends the command “aaaa” (after decryption). It executes the function to\r\nobtain basic computer information. 
It continuously receives commands and sends online packages until the next\r\ncommand is updated.\r\nThe program uses the UDP protocol for communication, and during the communication process, it uses the\r\nencryption algorithm AES-256 (with the encryption mode ChainingModeCBC) to encrypt the communication\r\ndata.\r\nFigure 6.1 Initializing AES Encryption Function\r\nFunctionality\r\nThe main functions of the Trojan program are to execute remote shells, modify user data, and steal user files\r\nthrough pipe communication. The C2 end issues command functions in steps, and the client will return error\r\ninformation. Therefore, it is speculated that this program is still in the testing phase. Because the commands are\r\ndetailed and each step is well-ordered, it is speculated that this Trojan program has a very complex control end,\r\ncapable of combining functions for more diverse operations.\r\nTo execute a remote shell, the server first issues the command “aaaaaa aaaaa-” as needed, establishing pipe\r\ncommunication between CMD and the current process. Then, by sending “aaaa aaaaaaa” plus “CMD”, the desired\r\ncommand is sent to the client to execute the remote shell command.\r\nFigure 6.2 Establishing an Anonymous Pipe\r\nTo obtain file data, the server first sends “bbbbbbbb-,” the client creates a file to get the handle and obtain the size\r\nof the file. The file location is identified through the parameters following the command. 
Then, the command\r\n“aaaa-aaaaa-” is sent to read the file data through the handle and send it to the server.\r\nFigure 6.3 Reading the File to be Sent\r\nTo rewrite the content of a specified file in the computer, the server first issues the command “aaaaaa-” to set the\r\nfile to be modified, and then uses the “aaaaaaaa-” command to set the data to be modified for the specific\r\nmodification operation. The specified file is modified through the API.\r\nSpecific function parameters are shown in Table 6.1. Parameters follow the command, forming a long string.\r\nTable 6.1 Function Parameters\r\nInstruction | Parameter | Function | Sent Value\r\naaaa | – | Send system information | Encrypted system information\r\naaa aaaaa- | – | Parse instruction | –\r\naaaaaa aaaaa- | – | Establish pipe communication between CMD and the current process (create a pipe for subsequent execution of cmd instructions) | Send bbbbbb on failure; send aaaaaaa on success\r\naaaa aaaaaaa | Command to execute | Write the CMD instruction to be executed | Send bbbbbb on failure; send aaaaaaa on success\r\naaaaa aaaaaa | – | Read the output information after executing the CMD instruction | Return –aaaaaa– on failure\r\naaaa aaaaa | – | Exit the process | –\r\naaaaaa- | Specified file path to retrieve | Get the handle of the specified file (open the file for subsequent writing) | Send bbbbbb on failure; send aaaaaaa on success\r\naaaaaaaa- | Data to write to the file | Write the specified content to the file obtained by the handle from the aaaaaa- instruction | –\r\nbbbbbbbb- | Specified file path to retrieve | Get the handle of the specified file and the file size (open the file and get the size for subsequent sending) | Send bbbbbb on failure\r\naaaa-aaaaa- | – | Send the file specified by the bbbbbbb- instruction | –\r\nccccc | – | Reconnect to the network | –\r\naa aaaaa | – | Execute synchronize.exe | –\r\nbbbbb | – | Interactive instruction | aaaaaaaaaa\r\n– | – | Receive data with a length of 0 | aaaaaaaaaa\r\nThere are also other behaviors in ABCsync, such as initializing program execution detection; if some initialization\r\nfails, a forged error message pops up to deceive the victim.\r\nFigure 6.4 Forged Error Message\r\nThe Trojan also determines the system version based on the value stored at the address 0x7ffe0260, confirming\r\nwhich COM component to hijack.\r\nFigure 6.5 System Registry Operations\r\nOther Component Functions\r\nsynchronize.exe\r\nsynchronize.exe is a loader with functions essentially identical to ABCloader, with the main difference being that\r\nsynchronize.exe removes the encrypted data used to decrypt the synchronize.exe program itself, meaning that the\r\nprogram will not decrypt itself repeatedly.\r\nFigure 7.1 Encryption Content Input Value Changed to 0\r\nvcruntime190.dll\r\nABCsync implements COM component hijacking, replacing the originally called\r\nLanguageComponentsInstaller.dll with the malicious vcruntime190.dll, achieving persistent residency capabilities.\r\nWhen the system calls LanguageComponentsInstaller.dll, it results in the execution of vcruntime190.dll, whose\r\nmain function is to create a thread to run synchronize.exe, thus achieving persistence (the normal component is\r\nlocated at C:\\Windows\\System32\\LanguageComponentsInstaller.dll).\r\nFigure 7.2 Execution of the program synchronize.exe\r\nvcruntime220.dll\r\nvcruntime220.dll has the same functionality as vcruntime190.dll. 
It replaces the originally called executable file\r\nwith a malicious DLL to achieve persistent residency capabilities. The difference lies in that vcruntime220.dll\r\nhijacks the COM component Windows.UI.FileExplorer.dll. Windows.UI.FileExplorer.dll is mainly used to support\r\ncertain features and interface elements of the File Explorer, and the normal component is located at\r\nC:\\Windows\\System32\\Windows.UI.FileExplorer.dll.\r\nIoC\r\nDecoy Document: iden.doc\r\nHASH: 1ee73b17111ab0ffb2f62690310f4ada\r\nC2: 185.23.253.143:36731\r\nSource: https://nsfocusglobal.com/new-apt-group-actor240524-a-closer-look-at-its-cyber-tactics-against-azerbaijan-and-israel/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://nsfocusglobal.com/new-apt-group-actor240524-a-closer-look-at-its-cyber-tactics-against-azerbaijan-and-israel/"
	],
	"report_names": [
		"new-apt-group-actor240524-a-closer-look-at-its-cyber-tactics-against-azerbaijan-and-israel"
	],
	"threat_actors": [
		{
			"id": "57202244-bc71-4bf5-820b-588f06be0fa1",
			"created_at": "2024-09-20T02:00:04.570865Z",
			"updated_at": "2026-04-10T02:00:03.692646Z",
			"deleted_at": null,
			"main_name": "Actor240524",
			"aliases": [],
			"source_name": "MISPGALAXY:Actor240524",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434068,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef5ef546368b8746397d6be2f18a242619ff56da.pdf",
		"text": "https://archive.orkl.eu/ef5ef546368b8746397d6be2f18a242619ff56da.txt",
		"img": "https://archive.orkl.eu/ef5ef546368b8746397d6be2f18a242619ff56da.jpg"
	}
}