{
	"id": "fe4d1bed-19a4-4f8f-a9e6-f8a01bbee0a3",
	"created_at": "2026-04-06T00:21:15.615045Z",
	"updated_at": "2026-04-10T03:26:57.490462Z",
	"deleted_at": null,
	"sha1_hash": "f184a9dd9fdac7a582161e9b015e1d38a3037f60",
	"title": "NAPLISTENER: more bad dreams from developers of SIESTAGRAPH",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 724184,
	"plain_text": "NAPLISTENER: more bad dreams from developers of SIESTAGRAPH\r\nBy Remco Sprooten\r\nPublished: 2023-06-27 · Archived: 2026-04-05 15:16:46 UTC\r\nIntroduction\r\nWhile continuing to monitor the REF2924 activity group, Elastic Security Labs observed that the attacker shifted priorities from data theft to persistent access using several mechanisms. On January 20, 2023, a new executable, Wmdtc.exe, was created and installed as a Windows service using a naming convention similar to the legitimate binary used by the Microsoft Distributed Transaction Coordinator service (Msdtc.exe).\r\nWmdtc.exe is an HTTP listener written in C#, which we refer to as NAPLISTENER. Consistent with SIESTAGRAPH and other malware families developed or used by this threat, NAPLISTENER appears designed to evade network-based forms of detection. Notably, network- and log-based detection methods are common in the regions where this threat is primarily active (South and Southeast Asia).\r\nAnalysis\r\nThis unique malware sample contains a C# class called MsEXGHealthd that consists of three methods: Main, SetRespHeader, and Listener. This class establishes an HTTP request listener that can process incoming requests from the Internet and respond accordingly, filtering out malware commands while transparently passing along legitimate web traffic. This class is depicted in the following image:\r\nNAPLISTENER MsEXGHealthd class\r\nhttps://www.elastic.co/de/security-labs/naplistener-more-bad-dreams-from-the-developers-of-siestagraph\r\nPage 1 of 6\n\nMalware analysis\r\nThe Main method is invoked when the program runs and creates a thread object, which will be used by the Listener method. The thread is then put to sleep for 0 milliseconds, and then started. 
Implementing a sleep capability is consistent with SIESTAGRAPH, NAPLISTENER, and other malware developed or used by this group.\r\nThe SetRespHeader method sets the headers for the HTTP response. It takes an HttpListenerResponse object as a parameter and defines headers such as Server, Content-Type, and X-Powered-By. In one aggressively targeted victim environment, the IIS web server returns a 404 response with a Server header containing Microsoft-IIS/10.0 (shown in a capture not reproduced in this text extraction), unless specific parameters are present.\r\nHowever, the 404 returned when requesting the listener URI adds Content-Type: text/html; charset=utf-8 as an extra header, and once NAPLISTENER is installed the string Microsoft-HTTPAPI/2.0 is appended to the Server header. This difference makes the listener detectable from the network side, even though the 404 is not one that IIS itself generated. It is likely this filtering methodology was chosen to avoid discovery by web scanners and similar technologies.\r\nDefenders may instinctively search for these errors in IIS web server logs, but the NAPLISTENER implant functions inline: the Windows HTTP server API (http.sys) routes requests for the registered URL prefix to the registered application, so those errors never reach the web server logs where analysts might see them. Security tools that ingest web server logs therefore never get an opportunity to identify this behavior either.\r\nThe Listener method is where most of the work happens for NAPLISTENER. First, this method creates an HttpListener object to handle incoming requests. If HttpListener is supported on the platform being used (which it should be), it adds a prefix to the listener and starts it.\r\nOnce running, it waits for incoming requests. When a request comes in, it reads any data that was submitted (stored in a Form field), decodes it from Base64 format, and creates a new HttpRequest object with the decoded data. 
It creates an HttpResponse object and an HttpContext object, using these two objects as parameters. If the submitted Form field contains sdafwe3rwe23, it will try to create an assembly object from that data and execute it using the Run method.\r\nThis means that any web request to /ews/MsExgHealthCheckd/ that contains a Base64-encoded .NET assembly in the sdafwe3rwe23 parameter will be loaded and executed in memory. It is worth noting that the assembly runs in a separate process (the listener service itself) and is not associated with the running IIS server directly.\r\nIf that fails for some reason (e.g., invalid or missing data), then a 404 Not Found response is sent with an empty body instead. After either response has been sent, the stream is flushed and the connection closed before looping back to wait for more incoming requests.\r\nProof-of-concept prerequisites\r\nAttention: Please remember that this is meant as a proof of concept to illustrate how NAPLISTENER must be prepared for a target environment: it should not be deployed in production environments for any reason.\r\nIn order to properly run NAPLISTENER, an SSL certificate must be generated and the application registered to use it on a target endpoint. 
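The registration step described here is also what a defender can hunt on. Because the implant owns a URL prefix in http.sys rather than a site in IIS, IIS logs stay silent, but `netsh http show servicestate view=requestq` lists every request queue, the process IDs attached to it, and the URL prefixes it has registered. The Python script below is an added example written for this page, not code from the Elastic article or from NAPLISTENER; the netsh output it parses and the PID-to-image map are constructed samples in the shape of that command's output and of a tasklist listing (the PIDs, the DefaultAppPool queue name and the Wmdtc.exe prefix under /ews/ are assumptions chosen to mirror the case described above).

```python
# Added hunting example for this page (not code from the Elastic article or
# from NAPLISTENER). http.sys owns the URL namespace on Windows, so a prefix
# registered through HttpListener never shows up in IIS logs; enumerating the
# http.sys request queues and mapping attached PIDs to process images does.
# SAMPLE_SERVICESTATE is a CONSTRUCTED excerpt in the shape of
# `netsh http show servicestate view=requestq`; PIDs, the DefaultAppPool queue
# and the Wmdtc.exe prefix are assumptions mirroring the case in the article.
SAMPLE_SERVICESTATE = '''
Snapshot of HTTP service state (Request Queue View):
-----------------------------------------------------

Request queue name: DefaultAppPool
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        4204
    URL groups:
    URL group ID: FD00000040000001
        State: Active
        Request queue name: DefaultAppPool
        Properties:
            Number of registered URLs: 2
            Registered URLs:
                HTTPS://+:443/
                HTTP://+:80/

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        6120
    URL groups:
    URL group ID: FD00000040000002
        State: Active
        Request queue name: Request queue is unnamed.
        Properties:
            Number of registered URLs: 1
            Registered URLs:
                HTTPS://+:443/EWS/MSEXGHEALTHCHECKD/
'''

# Constructed PID-to-image map standing in for tasklist / Get-Process output.
SAMPLE_PROCESSES = {4: 'System', 4204: 'w3wp.exe', 6120: 'Wmdtc.exe'}

# Processes that legitimately own http.sys prefixes on an IIS host. Extend
# per environment (e.g. the svchost.exe hosting WinRM on 5985/5986).
EXPECTED_OWNERS = {'w3wp.exe', 'system'}


def parse_request_queues(text):
    '''Return [{name, pids, urls}, ...], one entry per top-level request queue.'''
    queues = []
    current = None
    mode = None
    for raw in text.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        # An unindented queue header starts a new record; the same label also
        # appears indented inside each URL group, hence the indent check.
        if indent == 0 and line.startswith('Request queue name:'):
            current = {'name': line.split(':', 1)[1].strip(), 'pids': [], 'urls': []}
            queues.append(current)
            mode = None
            continue
        if current is None:
            continue
        if line == 'Process IDs:':
            mode = 'pids'
            continue
        if line == 'Registered URLs:':
            mode = 'urls'
            continue
        if mode == 'pids':
            if line.isdigit():
                current['pids'].append(int(line))
                continue
            mode = None            # first non-PID line ends the PID list
        if mode == 'urls':
            if line.upper().startswith('HTTP'):
                current['urls'].append(line)
                continue
            mode = None            # first non-URL line ends the URL list
    return queues


def suspicious_registrations(text, processes, expected_owners=EXPECTED_OWNERS):
    '''List (image, pid, url) for prefixes attached to unexpected processes.'''
    findings = []
    for queue in parse_request_queues(text):
        for pid in queue['pids']:
            image = processes.get(pid, '<unknown pid>')
            if image.lower() in expected_owners:
                continue
            for url in queue['urls']:
                findings.append((image, pid, url))
    return findings


if __name__ == '__main__':
    for image, pid, url in suspicious_registrations(SAMPLE_SERVICESTATE, SAMPLE_PROCESSES):
        print(f'{image} (pid {pid}) owns {url}')
```

On a live host, feed the real netsh output to parse_request_queues and build the process map from tasklist or Get-Process. Any prefix owned by something other than the IIS worker (w3wp.exe) or a kernel-owned reservation deserves a look, and one nested under a path the local web server already serves (as /ews/ is on an Exchange server) is exactly the shape NAPLISTENER took.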
A general example of generating a self-signed certificate resembles the following commands (not reproduced in this text extraction):\r\nThe adversary then needs to import the certificate.pfx object into the Windows certificate store, as depicted in the following image:\r\nEach certificate contains a thumbprint, and the following screen capture depicts an example certificate:\r\nThe thumbprint value is necessary to register the application, as seen in the following command (not reproduced in this text extraction):\r\nThe adversary needs to replace the certhash value with the thumbprint from their certificate. The appid is the GUID of the sample application ID. Once the environment is properly configured, the sample can be run from any privileged terminal.\r\nThe following Python script created by Elastic Security Labs demonstrates one method that can then be used to trigger NAPLISTENER. The payload in this example is truncated for readability, and may be released at a later time when the industry has better ability to detect this methodology.\r\nIn our PoC, running the Python script results in a harmless instance of calc.exe.\r\nResources\r\nElastic Security Labs has published a NAPLISTENER signature to the open protections artifact repository here.\r\nSources\r\nCode similarity analyses are an important part of our process. During our investigation of NAPLISTENER, we identified a public GitHub repository that contains a similar project. 
Similar logic and identical debugging strings are present in both pieces of code, and we assess that SharpMemshell may have inspired the threat responsible for NAPLISTENER.\r\nKey takeaways\r\n- The attacker has shifted their focus from data theft to establishing persistent access using new malware including NAPLISTENER, an HTTP listener written in C#\r\n- NAPLISTENER creates an HTTP request listener that can process incoming requests from the Internet, reads any data that was submitted, decodes it from Base64 format, and executes it in memory\r\n- NAPLISTENER is designed to evade network-based detection methods by behaving similarly to web servers\r\n- The attacker relies on code present in public repositories for a variety of purposes, and may be developing additional prototypes and production-quality code from open sources\r\nSource: https://www.elastic.co/de/security-labs/naplistener-more-bad-dreams-from-the-developers-of-siestagraph",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/de/security-labs/naplistener-more-bad-dreams-from-the-developers-of-siestagraph"
	],
	"report_names": [
		"naplistener-more-bad-dreams-from-the-developers-of-siestagraph"
	],
	"threat_actors": [
		{
			"id": "dbee5a02-e2d6-49d2-9bb5-5a9e93fd1de9",
			"created_at": "2023-11-07T02:00:07.108976Z",
			"updated_at": "2026-04-10T02:00:03.411448Z",
			"deleted_at": null,
			"main_name": "REF2924",
			"aliases": [],
			"source_name": "MISPGALAXY:REF2924",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434875,
	"ts_updated_at": 1775791617,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f184a9dd9fdac7a582161e9b015e1d38a3037f60.pdf",
		"text": "https://archive.orkl.eu/f184a9dd9fdac7a582161e9b015e1d38a3037f60.txt",
		"img": "https://archive.orkl.eu/f184a9dd9fdac7a582161e9b015e1d38a3037f60.jpg"
	}
}