{
	"id": "596d0fba-eab3-49f0-9355-75a6bb255f99",
	"created_at": "2026-04-06T00:10:25.759636Z",
	"updated_at": "2026-04-10T13:11:24.432708Z",
	"deleted_at": null,
	"sha1_hash": "f07d39801e0bd9c870b3d0b58002c004ee8306a6",
	"title": "The slow Tick-ing time bomb: Tick APT group compromise of a DLP software developer in East Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1393623,
	"plain_text": "The slow Tick-ing time bomb: Tick APT group compromise of a DLP\r\nsoftware developer in East Asia\r\nBy Facundo Muñoz\r\nArchived: 2026-04-05 13:40:05 UTC\r\nESET researchers discovered a campaign that we attribute with high confidence to the APT group Tick. The incident took\r\nplace in the network of an East Asian company that develops data-loss prevention (DLP) software.\r\nThe attackers compromised the DLP company’s internal update servers to deliver malware inside the software developer’s\r\nnetwork, and trojanized installers of legitimate tools used by the company, which eventually resulted in the execution of\r\nmalware on the computers of the company’s customers.\r\nIn this blogpost, we provide technical details about the malware detected in the networks of the compromised company and\r\nof its customers. During the intrusion, the attackers deployed a previously undocumented downloader named ShadowPy, and\r\nthey also deployed the Netboy backdoor (aka Invader) and Ghostdown downloader.\r\nBased on Tick’s profile, and the compromised company’s high-value customer portfolio, the objective of the attack was\r\nmost likely cyberespionage. How the data-loss prevention company was initially compromised is unknown.\r\nKey points in this blogpost:\r\nESET researchers uncovered an attack occurring in the network of an East Asian data-loss prevention company with\r\na customer portfolio that includes government and military entities.\r\nESET researchers attribute this attack with high confidence to the Tick APT group.\r\nThe attackers deployed at least three malware families and compromised update servers and tools used by the\r\ncompany. 
As a result, two of their customers were compromised.\r\nThe investigation revealed a previously undocumented downloader named ShadowPy.\r\nTick overview\r\nTick (also known as BRONZE BUTLER or REDBALDKNIGHT) is an APT group, suspected of being active since at least\r\n2006, targeting mainly countries in the APAC region. This group is of interest for its cyberespionage operations, which focus\r\non stealing classified information and intellectual property.\r\nTick employs an exclusive custom malware toolset designed for persistent access to compromised machines,\r\nreconnaissance, data exfiltration, and download of tools. Our latest report into Tick’s activity found it exploiting the\r\nProxyLogon vulnerability to compromise a South Korean IT company, as one of the groups with access to that remote code\r\nexecution exploit before the vulnerability was publicly disclosed. While still a zero-day, the group used the exploit to install\r\na webshell to deploy a backdoor on a webserver.\r\nAttack overview\r\nIn March 2021, through unknown means, attackers gained access to the network of an East Asian software developer\r\ncompany.\r\nThe attackers deployed persistent malware and replaced installers of a legitimate application known as Q-dir with trojanized\r\ncopies that, when executed, dropped an open-source VBScript backdoor named ReVBShell, as well as a copy of the\r\nlegitimate Q-Dir application. This led to the execution of malicious code in networks of two of the compromised company's\r\ncustomers when the trojanized installers were transferred via remote support software – our hypothesis is that this occurred\r\nwhile the DLP company provided technical support to their customers.\r\nThe attackers also compromised update servers, which delivered malicious updates on two occasions to machines inside the\r\nnetwork of the DLP company. 
Using ESET telemetry, we didn’t detect any other cases of malicious updates outside the DLP\r\ncompany’s network.\r\nhttps://www.welivesecurity.com/2023/03/14/slow-ticking-time-bomb-tick-apt-group-dlp-software-developer-east-asia/\r\nPage 1 of 12\n\nThe customer portfolio of the DLP company includes government and military entities, making the compromised company\r\nan especially attractive target for an APT group such as Tick.\r\nTimeline\r\nAccording to ESET telemetry, in March 2021 the attackers deployed malware to several machines of the software developer\r\ncompany. The malware included variants of the Netboy and Ghostdown families, and a previously undocumented\r\ndownloader named ShadowPy.\r\nIn April, the attackers began to introduce trojanized copies of the Q-dir installers in the network of the compromised\r\ncompany.\r\nIn June and September 2021, in the network of the compromised company, the component that performs updates for the\r\nsoftware developed by the compromised company downloaded a package that contained a malicious executable.\r\nIn February and June 2022, the trojanized Q-dir installers were transferred via remote support tools to customers of the\r\ncompromised company.\r\nFigure 1. Timeline of the attack and related incidents.\r\nCompromised update servers\r\nThe first incident in which an update containing malware was registered occurred in June 2021, and a second in September 2021. In\r\nboth cases the update was delivered to machines inside the DLP company’s network.\r\nThe update came in the form of a ZIP archive that contained a malicious executable file. It was deployed and executed by a\r\nlegitimate update agent from software developed by the compromised company. The chain of compromise is illustrated in\r\nFigure 2.\r\nFigure 2. 
Illustration of the chain of compromise\r\nThe first detected case occurred in June 2021, and the update was downloaded from an internal server and deployed. The\r\nsecond case occurred in September 2021, from a public-facing server.\r\nThe malicious executable issues an HTTP GET request to http://103.127.124[.]117/index.html to obtain the key to decrypt\r\nthe embedded payload, which is encrypted with the RC6 algorithm. The payload is dropped to the %TEMP% directory with\r\na random name and a .vbe extension, and is then executed.\r\nAlthough we have not obtained the dropped sample from the compromised machine, based on the detection\r\n(VBS/Agent.DL), we have high confidence that the detected script was the open-source backdoor ReVBShell.\r\nUsing ESET telemetry, we didn’t identify any customers of the DLP company who had received any malicious files through\r\nthe software developed by that company. Our hypothesis is that the attackers compromised the update servers to move\r\nlaterally on the network, not to perform a supply-chain attack against external customers.\r\nTrojanized Q-Dir installers\r\nQ-Dir is a legitimate application developed by SoftwareOK that allows its user to navigate four folders at the same time\r\nwithin the same window, as shown in Figure 3. We believe that the legitimate application is part of a toolkit used by\r\nemployees of the compromised company, based on where the detections originated inside the network.\r\nFigure 3. 
Screenshot of the Q-Dir application\r\nAccording to ESET telemetry, starting in April 2021, two months before the detection of the malicious updates, the attackers\r\nbegan to introduce 32- and 64-bit trojanized installers of the application into the compromised company’s network.\r\nWe found two cases, in February and June 2022, where the trojanized installers were transferred by the remote support tools\r\nhelpU and ANYSUPPORT, to computers of two companies located in East Asia, one in the engineering vertical, and the\r\nother in the manufacturing industry.\r\nThese computers had software from the compromised company installed on them, and the trojanized Q-dir installer was\r\nreceived minutes after the support software was installed by the users.\r\nOur hypothesis is that the customers of the compromised DLP company were receiving technical support from that\r\ncompany, via one of those remote support applications, and the malicious installer was used unknowingly to service the\r\ncustomers of the DLP company; it is unlikely that the attackers installed support tools to transfer the trojanized installers\r\nthemselves.\r\n32-bit installer\r\nThe technique used to trojanize the installer involves injecting shellcode into a cavity at the end of the Section Headers table\r\n– the application was compiled using 0x1000 for FileAlignment and SectionAlignment, leaving a cavity of 0xD18 bytes –\r\nlarge enough to accommodate the malicious, position-independent shellcode. The entry point code of the application is\r\npatched with a JMP instruction that points to the shellcode, and is located right after the call to WinMain (Figure 4);\r\ntherefore the malicious code is only executed after the application’s legitimate code finishes its execution.\r\nFigure 4. The assembly code shows the JMP instruction that diverts execution flow to the shellcode. 
The hexadecimal dump\r\nshows the shellcode at the end of the PE’s section headers.\r\nThe shellcode, shown in Figure 5, downloads an unencrypted payload from http://softsrobot[.]com/index.html to\r\n%TEMP%\\ChromeUp.exe by default; if the file cannot be created, it gets a new name using the GetTempFileNameA API.\r\nFigure 5. Decompiled code of the function that orchestrates downloading the binary file and writing it to disk\r\n64-bit installer\r\nWhile only one malicious 32-bit installer was found, the 64-bit installers were detected in several places throughout the DLP\r\ncompany’s network. The installer contains the Q-Dir application and an encoded (VBE) ReVBShell backdoor that was\r\ncustomized by the attackers; both of them were compressed with LZO and encrypted with RC6. The files are dropped in the\r\n%TEMP% directory and executed.\r\nReVBShell\r\nReVBShell is an open-source backdoor with very basic capabilities. The backdoor code is written in VBScript and the\r\ncontroller code is written in Python. 
Communication with the server is over HTTP with GET and POST requests.\r\nThe backdoor supports several commands, including:\r\nGetting computer name, operating system name, architecture, and language version of the operating system\r\nGetting username and domain name\r\nGetting network adapter information\r\nListing running processes\r\nExecuting shell commands and sending back output\r\nChanging current directory\r\nDownloading a file from a given URL\r\nUploading a requested file\r\nWe believe that the attackers used ReVBShell version 1.0, based on the main branch commit history on GitHub.\r\nMore about the DLP company compromise\r\nIn this section, we provide more details about tools and malware families that Tick deployed in the compromised software\r\ncompany’s network.\r\nTo maintain persistent access, the attackers deployed malicious loader DLLs along with legitimate signed applications\r\nvulnerable to DLL search-order hijacking. The purpose of these DLLs is to decode and inject a payload into a designated\r\nprocess (in all cases of this incident, all loaders were configured to inject into svchost.exe).\r\nThe payload in each loader is one of three malware families: ShadowPy, Ghostdown, or Netboy. Figure 6 illustrates the\r\nloading process.\r\nFigure 6. High-level overview of the Tick malware loading process\r\nIn this report we will focus on analyzing the ShadowPy downloader and Netboy backdoor.\r\nShadowPy\r\nShadowPy is a downloader developed in Python and converted into a Windows executable using a customized version of\r\npy2exe. The downloader contacts its C\u0026C to obtain Python scripts to execute.\r\nBased on our findings, we believe the malware was developed at least two years before the compromise of the DLP\r\ncompany in 2021. 
We have not observed any other incidents where ShadowPy was deployed.\r\nCustom py2exe loader\r\nAs previously described, the malicious DLL loader is launched via DLL side-loading; in the case of ShadowPy we observed\r\nvssapi.dll being side-loaded by avshadow.exe, a legitimate software component from the Avira security software suite.\r\nThe malicious DLL contains, encrypted in its overlay, three major components: the py2exe custom loader, the Python engine\r\nand the PYC code. First, the DLL loader code locates the custom py2exe loader in its overlay and decrypts it using a NULL-preserving XOR using 0x56 as the key, then it loads it in memory and injects it in a new svchost.exe process that it creates.\r\nThen the entry point of the custom py2exe loader is executed in the remote process. The difference between the original\r\npy2exe loader code and the customized version used by Tick is that the custom loader reads the contents of the malicious\r\nvssapi.dll from disk and searches for the Python engine and the PYC code in the overlay, whereas the original locates the\r\nengine and the PYC code in the resource section.\r\nThe loading chain is illustrated in Figure 7.\r\nFigure 7. High-level overview of the steps taken to execute the PYC payload\r\nPython downloader\r\nThe PYC code is a simple downloader whose purpose is to retrieve a Python script and execute it in a new thread. 
This\r\ndownloader randomly picks a URL from a list (although for the samples we analyzed only one URL was present) and derives\r\na unique ID for the compromised machine from a string composed of the following data:\r\nMachine local IP address\r\nMAC address\r\nUsername (as returned by the %username% environment variable)\r\nDomain and username (results of the whoami command)\r\nNetwork computer name (as returned by Python’s platform.node function)\r\nOperating system information (as returned by Python’s platform.platform function)\r\nArchitecture information (as returned by Python’s platform.architecture function)\r\nFinally, it uses abs(zlib.crc32(\u003cSTRING\u003e)) to generate the value that will serve as an ID. The ID is inserted in the middle of\r\na string composed of random characters and is further obfuscated, then it is appended to the URL as shown in Figure 8.\r\nFigure 8. Decompiled Python code that prepares the URL, appending the obfuscated unique user ID\r\nIt issues an HTTP GET request to travelasist[.]com to receive a new payload that is XOR-decrypted with a fixed, single-byte\r\nkey, 0xC3, then base64-decoded; the result is decrypted using the AES algorithm in CFB mode with a 128-bit key and IV\r\nprovided with the payload. Lastly it is decompressed using zlib and executed in a new thread.\r\nNetboy\r\nNetboy (aka Invader) is a backdoor programmed in Delphi; it supports 34 commands that allow the attackers to capture the\r\nscreen, perform mouse and keyboard events on the compromised machine, manipulate files and services, and obtain system\r\nand network information, among other capabilities.\r\nNetwork protocol\r\nNetboy communicates with its C\u0026C server over TCP. The packet format used to exchange information between the\r\nbackdoor and its C\u0026C is described in Figure 9.\r\nFigure 9. 
Illustration of the C\u0026C packet format implemented by Netboy\r\nIn order to fingerprint its packets, it generates two random numbers (first two fields in the header) that are XORed together\r\n(as shown in Figure 10) to form a third value that is used to validate the packet.\r\nFigure 10. Decompiled code that generates two random numbers and combines them to generate a packet fingerprint value\r\nPacket validation is shown in Figure 11, when the backdoor receives a new command from its controller.\r\nFigure 11. Decompiled code that performs validation of a newly received packet\r\nThe packet header also contains the size of the encrypted compressed data, and the size of the uncompressed data plus the\r\nsize (DWORD) of another field containing a random number (not used for validation) that is prepended to the data before it\r\nis compressed, as shown in Figure 12.\r\nFigure 12. Decompiled code that creates a new packet to be sent to the controller\r\nFor compression, Netboy uses a variant of the LZRW family of compression algorithms and for encryption it uses the RC4\r\nalgorithm with a 256-bit key made up of ASCII characters.\r\nBackdoor commands\r\nNetboy supports 34 commands; however, in Table 1 we describe only 25 of the most prominent ones giving the attackers\r\ncertain capabilities on the compromised systems.\r\nTable 1. 
Most interesting Netboy backdoor commands\r\nCommand ID Description\r\n0x05 Create new TCP socket and store received data from its controller to a new file.\r\n0x06 Create new TCP socket and read file; send contents to the controller.\r\n0x08\r\nGets local host name, memory information, system directory path, and configured operating hours\r\nrange for the backdoor (for example, between 14-18).\r\n0x0A List network resources that are servers.\r\n0x0B List files in a given directory.\r\n0x0C List drives.\r\n0x0E Execute program with ShellExecute Windows API.\r\n0x0F Delete file.\r\n0x10 List processes.\r\n0x11 Enumerate modules in a process.\r\n0x12 Terminate process.\r\n0x13 Execute program and get output.\r\n0x16 Download a new file from the server and execute with ShellExecute Windows API.\r\n0x1D Create reverse shell.\r\n0x1E Terminate shell process.\r\n0x1F Get TCP and UDP connections information using the WinSNMP API.\r\n0x23 List services.\r\n0x24 Start service specified by the controller.\r\n0x25 Stop service specified by the controller.\r\n0x26\r\nCreate a new service. 
Details such as service name, description, and path are received from the\r\ncontroller.\r\n0x27 Delete service specified by the controller.\r\n0x28 Set TCP connection state.\r\n0x29 Start screen capture and send to the controller every 10 milliseconds.\r\n0x2A Stop screen capture.\r\n0x2B Perform mouse and keyboard events requested by the controller.\r\nAttribution\r\nWe attribute this attack to Tick with high confidence based on the malware found, which has previously been attributed to Tick\r\nand, to the best of our knowledge, has not been shared with other APT groups, and on the code similarities between ShadowPy\r\nand the loader used by Netboy.\r\nAdditionally, domains used by the attackers to contact their C\u0026C servers were previously attributed to Tick in past cases:\r\nwaterglue[.]org in 2015, and softsrobot[.]com in 2020.\r\nIn May 2022, AhnLab researchers published a report about an unidentified threat actor targeting entities and individuals\r\nfrom South Korea with CHM files that deploy a legitimate executable and a malicious DLL for side-loading. The purpose of\r\nthe DLL is to decompress, decrypt, drop, and execute a VBE script in the %TEMP% folder. The decoded script reveals a\r\nReVBShell backdoor once again.\r\nWe believe that campaign is likely to be related to the attack described in this report, as the custom ReVBShell backdoor of\r\nboth attacks is the same, and there are multiple code similarities between the malicious 64-bit installer (SHA-1:\r\nB9675D0EFBC4AE92E02B3BFC8CA04B01F8877DB6) and the quartz.dll sample (SHA-1:\r\nECC352A7AB3F97B942A6BDC4877D9AFCE19DFE55) described by AhnLab.\r\nConclusion\r\nESET researchers uncovered a compromise of an East Asian data loss prevention company. 
During the intrusion, the\r\nattackers deployed at least three malware families, and compromised update servers and tools used by the compromised\r\ncompany. As a result, two customers of the company were subsequently compromised.\r\nOur analysis of the malicious tools used during the attack revealed previously undocumented malware, which we named\r\nShadowPy. Based on similarities in the malware found during the investigation, we have attributed the attack with high\r\nconfidence to the Tick APT group, known for its cyberespionage operations targeting the APAC region.\r\nWe would like to thank Cha Minseok from AhnLab for sharing information and samples during our research.\r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET\r\nThreat Intelligence page.\r\nIoCs\r\nFiles\r\nSHA-1 Filename ESET detection name Description\r\n72BDDEAD9B508597B75C1EE8BE970A7CA8EB85DC dwmapi.dll Win32/Netboy.A Netboy backdoor.\r\n8BC1F41A4DDF5CFF599570ED6645B706881BEEED vssapi.dll Win64/ShadowPy.A ShadowPy downloader.\r\n4300938A4FD4190A47EDD0D333E26C8FE2C7451E N/A Win64/TrojanDropper.Agent.FU\r\nTrojanized Q‑dir installer\r\nDrops the customized Re\r\nversion A.\r\nB9675D0EFBC4AE92E02B3BFC8CA04B01F8877DB6 N/A Win64/TrojanDropper.Agent.FU\r\nTrojanized Q‑dir installer\r\nDrops the customized Re\r\nversion B.\r\nF54F91D143399B3C9E9F7ABF0C90D60B42BF25C9 N/A Win32/TrojanDownloader.Agent.GBY Trojanized Q-dir installer\r\nFE011D3BDF085B23E6723E8F84DD46BA63B2C700 N/A VBS/Agent.DL\r\nCustomized ReVBShell b\r\nversion A.\r\n02937E4A804F2944B065B843A31390FF958E2415 N/A VBS/Agent.DL\r\nCustomized ReVBShell b\r\nversion B.\r\nNetwork\r\nIP Provider First seen Details\r\n115.144.69[.]108 KINX 2021‑04‑14\r\ntravelasist[.]com\r\nShadowPY C\u0026C server\r\n110.10.16[.]56 SK Broadband Co Ltd 2020‑08‑19\r\nmssql.waterglue[.]org\r\nNetboy C\u0026C server\r\n103.127.124[.]117 MOACK.Co.LTD 2020‑10‑15\r\nServer contacted by the 
malicious update executable\r\nto retrieve a key for decryption.\r\n103.127.124[.]119 MOACK.Co.LTD 2021-04-28\r\nslientship[.]com\r\nReVBShell backdoor version A server.\r\n103.127.124[.]76 MOACK.Co.LTD 2020‑06‑26 ReVBShell backdoor version B server.\r\n58.230.118[.]78 SK Broadband Co Ltd 2022-01-25\r\noracle.eneygylakes[.]com\r\nGhostdown server.\r\n192.185.89[.]178 Network Solutions, LLC 2020-01-28\r\nServer contacted by the malicious 32-bit installer to\r\nretrieve a payload.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 12 of the MITRE ATT\u0026CK framework.\r\nTactic ID Name Description\r\nInitial Access\r\nT1195.002\r\nSupply Chain Compromise:\r\nCompromise Software\r\nSupply Chain\r\nTick compromised update servers to deliver malicious\r\nupdate packages via the software developed by the\r\ncompromised company.\r\nT1199 Trusted Relationship\r\nTick replaced legitimate applications used by\r\ntechnical support to compromise customers of the\r\ncompany.\r\nExecution\r\nT1059.005\r\nCommand and Scripting\r\nInterpreter: Visual Basic\r\nTick used a customized version of ReVBShell written\r\nin VBScript.\r\nT1059.006\r\nCommand and Scripting\r\nInterpreter: Python\r\nShadowPy malware uses a downloader written in\r\nPython.\r\nPersistence\r\nT1547.001\r\nBoot or Logon Autostart\r\nExecution: Registry Run\r\nKeys / Startup Folder\r\nNetboy and ShadowPy loaders persist via a Run key.\r\nT1543.003\r\nCreate or Modify System\r\nProcess: Windows Service\r\nNetboy and ShadowPy loaders persist by creating a\r\nservice.\r\nT1574.002\r\nHijack Execution Flow: DLL\r\nSide-Loading\r\nNetboy and ShadowPy loaders use legitimate service\r\nand description names when creating services.\r\nDefense\r\nEvasion\r\nT1036.004 Masquerading: Masquerade\r\nTask or Service\r\nNetboy and ShadowPy 
loaders use legitimate service\r\nand description names when creating services.\r\nT1036.005\r\nMasquerading: Match\r\nLegitimate Name or\r\nLocation\r\nNetboy and ShadowPy loaders use legitimate service\r\nand description names when creating services.\r\nT1027\r\nObfuscated Files or\r\nInformation\r\nNetboy, ShadowPy, and their loader use encrypted\r\npayloads, strings, and configuration. Loaders contain\r\ngarbage code.\r\nT1027.001\r\nObfuscated Files or\r\nInformation: Binary Padding\r\nNetboy and ShadowPy loader DLLs are padded to\r\nprevent security solutions from uploading samples.\r\nT1055.002\r\nProcess Injection: Portable\r\nExecutable Injection\r\nNetboy and ShadowPy loaders inject a PE into a\r\npreconfigured system process.\r\nT1055.003\r\nProcess Injection: Thread\r\nExecution Hijacking\r\nNetboy and ShadowPy loaders hijack the main thread\r\nof the system process to transfer execution to the\r\ninjected malware.\r\nDiscovery T1135 Network Share Discovery Netboy has network discovery capabilities.\r\nT1120 Peripheral Device Discovery Netboy enumerates all available drives.\r\nT1057 Process Discovery\r\nNetboy and ReVBShell have process enumeration\r\ncapabilities.\r\nT1082\r\nSystem Information\r\nDiscovery\r\nNetboy and ReVBShell gather system information.\r\nT1033\r\nSystem Owner/User\r\nDiscovery\r\nNetboy and ReVBShell gather user information.\r\nT1124 System Time Discovery\r\nNetboy uses system time to contact its C\u0026C only\r\nduring a certain time range.\r\nLateral\r\nMovement\r\nT1080 Taint Shared Content\r\nTick replaced legitimate applications used by\r\ntechnical support, which also resulted in malware\r\nexecution within the compromised network on\r\npreviously clean systems.\r\nCollection\r\nT1039\r\nData from Network Shared\r\nDrive\r\nNetboy and ReVBShell have capabilities 
to collect\r\nfiles.\r\nT1113 Screen Capture Netboy has screenshot capabilities.\r\nCommand\r\nand Control\r\nT1071.001\r\nApplication Layer Protocol:\r\nWeb Protocols\r\nShadowPy and ReVBShell communicate over HTTP\r\nwith their C\u0026C server.\r\nT1132.001\r\nData Encoding: Standard\r\nEncoding\r\nTick’s customized ReVBShell uses base64 to encode\r\ncommunication with their C\u0026C servers.\r\nT1573 Encrypted Channel Netboy uses RC4. ShadowPy uses AES.\r\nExfiltration\r\nT1041\r\nExfiltration Over C2\r\nChannel\r\nNetboy and ReVBShell have exfiltration capabilities.\r\nT1567.002\r\nExfiltration Over Web\r\nService: Exfiltration to\r\nCloud Storage\r\nTick deployed a custom tool to download and\r\nexfiltrate files via a web service.\r\nSource: https://www.welivesecurity.com/2023/03/14/slow-ticking-time-bomb-tick-apt-group-dlp-software-developer-east-asia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2023/03/14/slow-ticking-time-bomb-tick-apt-group-dlp-software-developer-east-asia/"
	],
	"report_names": [
		"slow-ticking-time-bomb-tick-apt-group-dlp-software-developer-east-asia"
	],
	"threat_actors": [
		{
			"id": "bbefc37d-475c-4d4d-b80b-7a55f896de82",
			"created_at": "2022-10-25T15:50:23.571783Z",
			"updated_at": "2026-04-10T02:00:05.302196Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"BRONZE BUTLER",
				"REDBALDKNIGHT"
			],
			"source_name": "MITRE:BRONZE BUTLER",
			"tools": [
				"Mimikatz",
				"build_downer",
				"cmd",
				"ABK",
				"at",
				"BBK",
				"schtasks",
				"down_new",
				"Daserf",
				"ShadowPad",
				"Windows Credential Editor",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434225,
	"ts_updated_at": 1775826684,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f07d39801e0bd9c870b3d0b58002c004ee8306a6.pdf",
		"text": "https://archive.orkl.eu/f07d39801e0bd9c870b3d0b58002c004ee8306a6.txt",
		"img": "https://archive.orkl.eu/f07d39801e0bd9c870b3d0b58002c004ee8306a6.jpg"
	}
}