{
	"id": "88d04307-9fbd-4020-87e1-4048652343b6",
	"created_at": "2026-04-06T01:31:22.933573Z",
	"updated_at": "2026-04-10T13:12:31.66464Z",
	"deleted_at": null,
	"sha1_hash": "f2a5e4513007b5ab01a805e078256f5e8d10dbc2",
	"title": "the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2256422,
	"plain_text": "the adversary playbook for the long-standing espionage activity of a\r\nChinese nation-state adversary\r\nArchived: 2026-04-06 00:19:10 UTC\r\nAlex Hinchliffe\r\nUnit 42, Palo Alto Networks, UK\r\nAbstract\r\nThe discovery of two malware families – HenBox for Android and, recently, Farseer for Windows – with significant,\r\nmostly infrastructure-based overlaps with previously seen malware, such as 9002, PlugX, Poison Ivy and FHAPPI,\r\nhas led us towards what appears to be an undocumented nation-state group, or groups, in China that we refer to as\r\nPKPLUG. The malware families, infrastructure, and campaign delivery used by PKPLUG highlight broad targeting\r\nof multiple sectors and victims in and around the Southeast Asia region and beyond. This research will detail some of\r\nthe PKPLUG campaigns, describing the tooling used and, with MITRE’s ATT\u0026CK framework and other models that\r\nunderpin Unit 42’s adversary playbooks, highlight PKPLUG’s behaviour with some overlapping TTPs.\r\nIntroduction\r\nPKPLUG\r\nUnit 42 uses the moniker ‘PKPLUG’ in reference to a threat actor group, or groups, that we have been tracking for a\r\nfew years. The name comes from the adversary’s use of PlugX malware, which we noted in their early campaigns,\r\nand from the use of ZIP archive files to deliver the malware; the ZIP file format contains the ASCII magic bytes\r\n‘PK’.\r\nOver the years, Unit 42 has investigated PKPLUG and has discovered further malware families being used, including\r\nother custom malware for Android and Windows that will be described later in this report. 
Other malware families\r\nthat have been seen relating to PKPLUG include ‘usual suspects’ Poison Ivy, Zupdax and 9002.\r\nBased on targeting, the content in some of the malware, and ties to infrastructure documented publicly as being\r\nlinked to Chinese nation-state adversaries, Unit 42 believes with high confidence that PKPLUG has similar origins.\r\nTargeting\r\nBased on our observations of PKPLUG’s campaigns and what we’ve learned from sharing with industry, we believe\r\nthat its victims lie mainly in and around the Southeast Asia region. This report will provide further details, but to be\r\nmore specific, considering the methods used for malware delivery, the social engineering topics of decoy applications\r\nhttps://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/\r\nPage 1 of 30\n\nand documents used, and the command‑and-control (C2) infrastructure themes, target countries include (with higher\r\nconfidence): Xinjiang, Mongolia, Myanmar and Taiwan; and (with lower confidence): Tibet, Vietnam and Indonesia.\r\nThree of these countries are ASEAN members [1], contributing towards intergovernmental cooperation, and another\r\nthree are autonomous regions (AR) [2] of China that tend to be classified by China’s ethnic minorities, granted the\r\nability to govern themselves but ultimately answering to the People’s Republic of China (PRC). Of the five\r\nautonomous regions, Tibet and Xinjiang are the only ones in which the ethnic group maintains a majority over other\r\npopulations.\r\nMost, if not all seven target countries are involved in some way with Beijing’s Belt and Road Initiative (BRI) [3],\r\ndesigned to connect 71 countries across Southeast Asia to Eastern Europe and Africa. 
The path through Xinjiang is\r\nespecially important [4] to the BRI’s success but is more often heard about due to conflicts [5] between the\r\nGovernment and the ethnic Uyghur population [6]. News of the BRI is peppered with stories of success and failure;\r\nof countries opposed to it, or buying into or pulling out of BRI projects.\r\nFurther tensions in the region are attributed to disputes over ownership of the South China Sea, including disputes\r\nover fishing quotas and the yet unproven oil and gas reserves [7]. At least three of the target countries mentioned\r\nabove have laid claim to parts of these waters, and some use the area for the vast majority of their trade; foreign\r\nmilitaries are also involved, attempting to keep the area open.\r\nTaiwan (a.k.a. Republic of China), which isn’t an AR, and which doesn’t appear to be actively involved with the\r\nBRI, has its own long-standing history with the PRC; a recent $2BN+ arms sale with the US [8] may exacerbate\r\nmatters.\r\nThe ultimate objective of PKPLUG is not entirely clear, but the backdoors and espionage malware used indicate that\r\ntracking victims and gathering information is key.\r\nXiaomi\r\nHenBox malware, described later in this report, references Xiaomi, hence this section.\r\nXiaomi is a firm that designs, develops and sells smartphones, mobile apps, laptops and related consumer electronics.\r\nThe firm released its first smartphone in August 2011 and rapidly gained market share in China where it became the\r\nlargest smartphone company in 2014. In 2017, Xiaomi became the world’s fifth largest smartphone company and\r\novertook Samsung to become the number one smartphone brand in India. Now in fourth place in worldwide\r\nsmartphone manufacturers behind Apple, Huawei and Samsung, the firm has yet to enter the US smartphone market\r\nspace.\r\nFigure 1 shows Xiaomi’s performance against other manufacturers. 
According to the International Data Corporation\r\n(IDC), Asia Pacific (excluding Japan) remains Xiaomi’s most important region, with China, India and Indonesia\r\naccounting for the majority volume [9].\r\nFigure 1: Xiaomi's performance against other manufacturers.\r\nOver the years Xiaomi has also expanded into the smart home and IoT device ecosystem, producing many devices for\r\nthe smart home, managed by the MiHome app for smartphones.\r\nAdversary playbooks\r\nUnit 42 [10] is the threat intelligence team at Palo Alto Networks that analyses available data to identify adversaries,\r\ntheir motivations, resources and tactics in order to better understand the threats our customers face. Adversary\r\nplaybooks provide a threat intelligence package in STIX 2.0 for ingestion by machines for research or protection\r\npurposes. These packages also include structured details about attack campaigns and adversary behaviours – their\r\ntactics, techniques, and procedures (TTPs) – as well as the expected indicators of compromise (IOCs). Unit 42 aims to\r\nrelease adversary playbooks alongside research published.\r\nThe concept of adversary playbooks is straightforward: just as sports teams create offensive and defensive playbooks\r\nto win matches, adversaries also have offensive playbooks they employ during cyber attacks in an attempt to\r\ncompromise organizations.\r\nNetwork defenders, threat researchers and others can create adversary playbooks through observation of live or past\r\nattacks; by sharing data; and through intelligence analysis. Those playbooks can then be used to better defend\r\nnetworks and describe threat actor groups. 
Combining multiple playbooks, and thus others’ visibility and data sets for\r\nthe same attack or adversary, will ultimately provide a much better picture of the opposition we face.\r\nIn order to be successful and useful for many different use-cases, adversary playbooks must use a structured format\r\nthat can be shared. We decided not to develop a proprietary format that would potentially make it exclusive to Palo\r\nAlto Networks, and instead we make use of MITRE ATT\u0026CK [11], Attack Lifecycle or Cyber Kill Chain(™) [12] and\r\nSTIX [13].\r\nMalware used by the PKPLUG adversary\r\nWe know that the attacks carried out by the PKPLUG actor used multiple malware families, all of which provide\r\nbackdoor, remote access and spying capabilities. The following sections describe only the newly discovered malware\r\n– HenBox and Farseer – in more detail.\r\nHenBox for Android\r\nIn early 2018, Unit 42 discovered [14, 15] a new Android malware family that we named ‘HenBox’ based on\r\nmetadata, such as app package names and developer signer information, found in most of the malicious apps\r\nanalysed. At the time of writing, Unit 42 is tracking over 400 HenBox samples dating back as far as late 2015, and\r\ncontinuing to the present day.\r\nHenBox often masquerades as legitimate Android apps, such as virtual private network (VPN) apps, Android system\r\napps and so on. Occasionally, HenBox will install legitimate versions of these apps as well as itself, tricking users\r\ninto thinking they have installed the desired app. 
Whilst some of the legitimate apps HenBox uses for such decoys\r\ncan be found on the official Google Play app store, HenBox apps themselves have only been found on third-party\r\n(non-Google Play) app stores.\r\nHenBox appears primarily to target the Uyghurs – a minority Turkic ethnic group that is primarily Muslim and lives\r\nmainly in the Xinjiang Uyghur autonomous region in Northwest China. It also targets devices made by Chinese\r\nmanufacturer Xiaomi and those running MIUI, an operating system based on Google Android made by Xiaomi.\r\nSmartphones are the dominant form of Internet access in the region [16], and Xinjiang was recently found to have a\r\nhigher number of Internet users than the national average in China [17]. The result is a large online population that\r\nhas been the subject of numerous cyber-attacks in the past [18, 19, 20, 21].\r\nOnce installed, HenBox steals information from the device from a myriad of sources, including many mainstream\r\nchat, communication and social media apps. The stolen information includes personal and device information. Of\r\nnote, in addition to tracking the location of the compromised device, HenBox also harvests all outgoing phone\r\nnumbers with a ‘+86’ prefix, which is the country code for the People’s Republic of China (PRC). It can also access\r\nthe phone’s microphone and cameras.\r\nDelivery via third-party app store\r\nOf the 400+ samples Unit 42 has seen, the vast majority, if used in attacks, have no associated delivery method. It is\r\nbelieved that such apps, as with many other malicious Android apps, would be delivered to victims via websites or\r\nfile-sharing forums, possibly from links shared in phishing emails or SMS messages. 
Social media platforms and\r\nmessaging – which support the larger file sizes often needed for Android package (APK) files – could also be used.\r\nThe large file size is the reason phishing emails with HenBox attachments are unlikely to be the delivery mechanism.\r\nIn May 2016, a HenBox app – an APK file – was downloaded from the uyghurapps[.]net website. The domain name,\r\nlanguage of the site and app content hosted on the site suggest that this is a third-party app store for which the\r\nintended users are the Uyghurs. Third-party app stores are so called because they are not officially supported by\r\nAndroid, and they are not provided by Google, unlike the Play Store. Third-party app stores are ubiquitous in China\r\nfor a number of reasons, including increasingly powerful Chinese original equipment manufacturers (OEMs), a lack\r\nof an official Chinese Google Play app store, and a growing smartphone market.\r\nAt the time of analysis, the uyghurapps[.]net website hosted a number of secure communication, VPN and social\r\nmedia apps. Given what we know from the media about the region, it’s clear that such apps are critical for the\r\npopulation to protect themselves and communicate with others.\r\nThe HenBox app downloaded from uyghurapps[.]net was masquerading as another app, DroidVPN. At the time of\r\nanalysis, the content served on uyghurapps[.]net at the URL from which HenBox was downloaded was a legitimate\r\nversion of DroidVPN. The app page, where users can download the app and learn more about it, is shown in Figure\r\n2. 
It’s highly likely that the page looked the same during the time HenBox was available, and that the APK file for\r\nDroidVPN was simply replaced with a copy of HenBox.\r\nFigure 2: The uyghurapps[.]net app store showing the current DroidVPN app.\r\nVPNs allow connections to remote private networks, increasing the security and privacy of the user’s\r\ncommunications. According to the DroidVPN app description, it ‘helps bypass regional Internet restrictions, web\r\nfiltering and firewalls, by tunnelling traffic over ICMP’. Some features may require devices to be rooted in order to\r\nfunction and, according to some third-party app stores, unconditional rooting is required, which has additional\r\nsecurity implications for the target device.\r\nUnit 42 has not been able to ascertain how the malicious HenBox app, referenced in Table 1, got onto the app store.\r\nHowever, some open-source intelligence indicates that the server was running an outdated version of Apache Web\r\nServer on a Windows 32-bit operating system. 
In light of this, we believe that exploitation of unpatched vulnerabilities,\r\nor a brute-force login attack, are reasonable conjectures as to how the server was compromised, ultimately leading to\r\nthe DroidVPN APK file being overwritten with the malicious HenBox APK.\r\nAPK SHA256 | Size (bytes) | First seen | App package name | App name\r\n0589bed1e3b3d6234c30061be3be1cc6685d786ab3a892a8d4dae8e2d7ed92f7 | 2,740,860 | May 2016 | com.android.henbox | DroidVPN\r\nTable 1: Details of the HenBox DroidVPN app on the uyghurapps[.]net app store.\r\nAs can be seen in Table 1 and Figure 3, despite the unique ‘com.android.henbox’ package name, the HenBox\r\nmalware copied the legitimate app’s name, ‘DroidVPN’, as well as its icon to further trick victims into believing they\r\nhad installed DroidVPN and not something totally different.\r\nFigure 3: HenBox app installed, purporting to be DroidVPN.\r\nIn addition to the look and feel of DroidVPN, the HenBox variant also contained a copy of the original, legitimate\r\nDroidVPN app as an asset within its APK package. Assets can be compared to resource items within a Windows\r\nPortable Executable (PE) file. Once the HenBox app is installed and run, it executes code that causes the Android\r\noperating system (OS) to launch the install process for the embedded app. HenBox probably does this for two\r\nreasons. First, to act as a decoy to detract from other malicious behaviours occurring in the background, and\r\nsecondly, to satisfy the victim that they are installing the app they wanted. 
Whether or not the user is suspicious of\r\nthe first app installation is unknown to us, but based on the names used in other HenBox variants, such as ‘Backup’\r\nand ‘Settings’, it’s highly likely that the app could be passed off in some instances as a benign activity to backup data\r\npre-install, or to change settings prior to install.\r\nAt the time of our research, the version of DroidVPN available for download from uyghurapps[.]net matched that of\r\nthe embedded DroidVPN app inside HenBox. It’s worth noting that newer versions of the DroidVPN app were\r\navailable on Google Play at the time, as well as in some other third-party app stores, which could indicate that\r\nuyghurapps[.]net is not very well maintained or up to date with the latest app versions available.\r\nThe right app at the right time\r\nThe HenBox-with-embedded-DroidVPN app combination is one example of the attackers choosing to mimic a\r\nlegitimate app in order to compromise their victims. Further combinations included apps that, in their standalone\r\nform, were available on Google Play, as well as many third-party app stores. 
Table 2 lists just three further example\r\napps together with their and HenBox’s respective metadata.\r\n# | Parent APK SHA256 | First seen | Package names (HenBox parent APK) [embedded APK] | APK app names (HenBox parent APK) [embedded APK]\r\n1 | fa5a76e86abb26e48af0b312f056d24000bc969835c40b3f98e5ca7e301b5bee | April 2016 | (com.android.henbox) [com.ziipin.software] | (Uyghurche Kirguzguch) [Emojicon]\r\n2 | 1749df47cf37c09a92b6a56b64b136f15ec59c4f55ec835b1e569c88e1c6e684 | May 2017 | (cn.android.setting) [com.apps.amaq] | (设置 (Backup)) [Amaq Agency]\r\n3 | 4d437d1ac29b1762cc47f8094a05ab73141d03f9ce0256d200fc691c41d1b6e7 | June 2017 | (cn.android.setting) [com.example.ourplayer] | (islamawazi) [islamawazi]\r\nTable 2: Three example apps with their and HenBox’s respective metadata.\r\nThe app icons that would be seen and used to launch the app on an Android device are shown in Table 3.\r\n# | App description\r\n1 | First HenBox sample seen with a legitimate app embedded within. The app was a Uyghur language keyboard app targeted at native speakers.\r\n2 | Masquerades as Android’s Settings app, and has a similar package name. App used the green Bugdroid image for its logo; app name 设置 (‘Backup’). Interestingly, the embedded app was ‘Amaq Agency’, which reports on ISIS-related news.\r\n3 | The names for both the parent HenBox and the embedded (media player for news) app were identical - Islamawazi. Islamawazi (a.k.a. Turkestan Islamic Party or ‘TIP’ [22]) is an organization formerly known as the East Turkestan Islamic Party, purported to be an Islamic extremist separatist organization founded by Uyghur jihadists.\r\nTable 3: The app icons that would be seen and used to launch the app on an Android device.\r\nThese examples, together with the HenBox app placed on a very specific third-party app store, point clearly to at\r\nleast some of the intended targets of these malicious apps being Uyghurs, specifically those with a potential interest\r\nin, or association with, terrorist groups. The threat actors behind HenBox appear to be choosing the right apps (those\r\nthat could be popular with locals in the region) at the right time (while tensions grow in this region of China) to\r\nensure a high probability of installing their malware.\r\nHenBox capabilities\r\nHenBox has certainly evolved over the past four years but the structure of the over 400 samples has largely stayed\r\nthe same. This structure includes multiple component files and native libraries used to achieve the goal of data\r\ncollection and spying on the victim. Most components are obfuscated in some way, whether it be by simple XOR\r\nwith a single-byte key, compressing using ZIP or Zlib compression, or encryption using RC4. These components are\r\nresponsible for a myriad of functions and features including handling decryption, network communications, gaining\r\nsuper-user privileges, monitoring system logs, loading additional Dalvik code files, tracking the device location and\r\nmore.\r\nThe remainder of this section describes at a high level what HenBox is capable of, and how it operates. 
The\r\ndescription is based on analysis of the sample described in the table below, which was of interest given that its C2\r\ndomain, mefound[.]com, overlapped with the PlugX, Zupdax and Poison Ivy malware families discussed in more\r\ndetail later.\r\nSHA256 | Package name | App name\r\na6c7351b09a733a1b3ff8a0901c5bdefdc3b566bfcedcdf5a338c3a97c9f249b | com.android.henbox | 备份 (Backup)\r\nTable 4: HenBox variant used in analysis.\r\nExecution flow\r\nOnce this variant of HenBox is installed on the victim’s device, the app can be executed in two different ways.\r\nThe first method, as depicted in Figure 4, is automatic based on the operating system generating one of a handful of\r\nevent broadcasts that HenBox registered its intent to process during the app installation process. Examples include\r\nevents like device reboots, when an app is newly installed, or when a network connection is changed.\r\nFigure 4: Automatic HenBox execution.\r\nAll the intents registered statically via this HenBox variant’s AndroidManifest.xml file are listed and described in\r\nTable 5; HenBox also registers further intents at runtime.\r\nReceiver | Intent name | Description\r\nBootReceiver | android.intent.action.BOOT_COMPLETED | System notification that the device has finished booting.\r\nBootReceiver | android.intent.action.restart | A legacy intent used to indicate a system restart.\r\nBootReceiver | android.intent.action.SIM_STATE_CHANGED | System notification that the SIM card has changed or been removed.\r\nBootReceiver | android.intent.action.PACKAGE_INSTALL | System notification that the download and eventual installation of an app package is happening (this is deprecated).\r\nBootReceiver | android.intent.action.PACKAGE_ADDED | System notification that a new app package has been installed on the device, including the name of said package.\r\nBootReceiver | com.xiaomi.smarthome.receive_alarm | Receives notifications from Xiaomi’s smart home IoT devices.\r\nTimeReceiver | android.intent.action.ACTION_TIME_CHANGED | System notification that the time was set.\r\nTimeReceiver | android.intent.action.CONNECTIVITY_CHANGE | System notification that a change in network connectivity has occurred (has either been lost or established). Since Android 7 (Nougat), apps targeting that release no longer receive this broadcast through a manifest-declared receiver and must register for it at runtime, perhaps suggesting that the devices used by potential victims run older versions of Android.\r\nTable 5: HenBox variant’s intents and receivers defined statically.\r\nMost of the intents listed in Table 5 and shown in Figure 4 are commonly found in malicious Android apps and are\r\nthe equivalent of setting registry run keys in Windows to autostart applications at reboot. One intent stands out and is\r\nmuch less common: com.xiaomi.smarthome.receive_alarm.\r\nGiven the nature of connected devices in smart homes, it’s highly likely they will communicate via alerts and\r\nnotifications with controller apps, such as Xiaomi’s MiHome. Because HenBox registers the same intent, it too can\r\nprocess alerts destined for MiHome and use them as a trigger to execute code. Essentially, this allows for external IoT\r\ndevices to act as a trigger to execute the malicious HenBox app’s code.\r\nTriggered intents result in execution of code that is present in either the BootReceiver class or the TimeReceiver\r\nclass, both of which ultimately lead to a new instance of the DaemonServer service being created and started (this\r\nservice is discussed in more detail later). 
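The static registrations in Table 5 are exactly what a triage script can pull out of a decoded manifest. The added example below is my own code, not HenBox’s or Unit 42’s: it parses a manifest, lists the actions each receiver registers for, and flags the autostart triggers as well as any non-Android action (such as the Xiaomi smart-home alarm) that lets an external component start the app. The manifest it parses is constructed to mirror the receivers described above, and decoding the binary AndroidManifest.xml out of the APK (for example with apktool) is assumed to have been done already.

```python
# Added example (not from the Unit 42 paper): static triage of the broadcast
# receivers an APK declares in AndroidManifest.xml. The manifest below is
# constructed for this example; it is not taken from a real HenBox sample.

import xml.etree.ElementTree as ET

ANDROID_NS = '{http://schemas.android.com/apk/res/android}'

# Actions that amount to autostart (the Windows run-key equivalent).
AUTOSTART_ACTIONS = {
    'android.intent.action.BOOT_COMPLETED',
    'android.intent.action.PACKAGE_ADDED',
    'android.intent.action.CONNECTIVITY_CHANGE',
    'android.intent.action.SIM_STATE_CHANGED',
    'android.intent.action.ACTION_TIME_CHANGED',
}

SAMPLE_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android' package='com.android.henbox'>
  <application>
    <receiver android:name='.BootReceiver'>
      <intent-filter>
        <action android:name='android.intent.action.BOOT_COMPLETED'/>
        <action android:name='com.xiaomi.smarthome.receive_alarm'/>
      </intent-filter>
    </receiver>
    <receiver android:name='.TimeReceiver'>
      <intent-filter>
        <action android:name='android.intent.action.CONNECTIVITY_CHANGE'/>
      </intent-filter>
    </receiver>
    <service android:name='.DaemonServer'/>
  </application>
</manifest>'''

def receiver_actions(manifest_xml: str) -> dict:
    # receiver class name -> list of actions it registers for statically
    root = ET.fromstring(manifest_xml)
    out = {}
    for recv in root.iter('receiver'):
        name = recv.get(ANDROID_NS + 'name')
        out[name] = [a.get(ANDROID_NS + 'name') for a in recv.iter('action')]
    return out

def triage(manifest_xml: str) -> list:
    # one (receiver, action, reason) finding per suspicious registration
    findings = []
    for recv, actions in receiver_actions(manifest_xml).items():
        for action in actions:
            if action in AUTOSTART_ACTIONS:
                findings.append((recv, action, 'autostart trigger'))
            elif not action.startswith('android.'):
                # a vendor or app-specific action: an external component
                # (here a Xiaomi smart-home device) can start this app
                findings.append((recv, action, 'third-party trigger'))
    return findings

if __name__ == '__main__':
    for finding in triage(SAMPLE_MANIFEST):
        print(finding)
```

Run against a real decoded manifest, the third-party trigger rule is the one worth tuning: legitimate apps register vendor actions too, so the finding is a pivot for analysis rather than a verdict.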
In addition, BootReceiver changes the device ringer mode to a value of 2 (AudioManager.RINGER_MODE_NORMAL),\r\nwhich results in ringtones being audible and the vibrate mode being switched on. This may have been done in an\r\nattempt to get nearby people to interact with the (now noisy) device such that the information stolen may be richer in\r\ncontent.\r\nThe alternative method for executing HenBox is for the user to launch the malicious app (named ‘Backup’ in this\r\ninstance) from the launcher view on their device, as shown in Figure 5.\r\nFigure 5: HenBox app installed and visible on Android’s launcher view.\r\nBehaviour\r\nUpon manual launch, the HenBox code executes and performs the steps highlighted in Figure 6.\r\nFigure 6: Manual HenBox execution.\r\nFirst, checks are made to determine whether the device manufacturer is Xiaomi, or whether the firmware is MIUI\r\n(Xiaomi’s fork of Android). The intention here seems to be one of targeting Xiaomi and exiting prematurely if the\r\nchecks fail. However, poorly written code results in the code being executed in perhaps more environments than the\r\nadversary intended. Anti-emulation and anti-debug checks try to ascertain whether HenBox is being analysed.\r\nInterestingly, the adversaries concealed their code for these additional checks inside a class called AlarmService,\r\nwhich appears to be a direct copy from online developer tutorials for creating alarm apps. 
If these checks pass,\r\nHenBox continues to execute by next loading the ELF library libloc4d.so.\r\nUsing Android’s shared preferences feature to persist XML key value pair data, HenBox checks whether this\r\nexecution is its first. If it is, and if the app’s path does not contain ‘/system/app’ (i.e. HenBox is not running as a\r\nsystem app, which provides elevated privileges), one of two embedded ‘su?’ ELF libraries is XOR-decoded. A Java\r\nNative Interface (JNI) call is then issued to libloc4d.so to execute the ‘su?’ (henceforth sux) binary.\r\nThe two files, ‘suy’ and ‘sux’, are essentially the same: ‘sux’ is used if the Android version on the victim’s device is\r\n4.1 (a.k.a. ‘Jelly Bean’) or newer; ‘suy’ will be used for older versions.\r\nFinally, an instance of the DaemonServer service starts and, if a decoy app is embedded inside HenBox, as per the\r\nDroidVPN example, the installation process for the decoy also starts.\r\nFigure 7 illustrates the typical behaviour of the DaemonServer service, starting with hiding the HenBox app from the\r\nlauncher view and from the app drawer/tray. This behaviour is common amongst Android malware and, while the app\r\nremains installed with its services running, it is harder for the victim to discover it.\r\nFigure 7: DaemonServer service behaviour.\r\nThe non-obfuscated ELF file ‘daemon’ is loaded next, to gather environmental information about the device by\r\naccessing system and radio log files, and by querying running processes.\r\nA Baidu library is loaded next, and used to gather device geo-location information.\r\nThe DaemonServer class then registers a runtime intent to intercept outgoing phone calls, allowing the checking of\r\nnumbers dialled. 
In particular, HenBox filters numbers based on prefixes matching ‘+86’ – the country code for the\r\nPeople’s Republic of China.\r\nFurther assets are then deployed and decoded, including a.zip and setting.txt – the config file for HenBox. Code is\r\nalso present in this variant to deploy additional assets named ‘plugin’ and ‘AppVoice’ – they are not present in this\r\nparticular sample, but are a likely indication of evolving development and the use of yet further components.\r\nHenBox’s config file, setting.txt, is decoded using XOR with a single-byte key, 0x88; filenames and XOR keys differ\r\noccasionally between variants. The config file is shown in the Farseer section later.\r\nFinally, DaemonServer launches a worker thread to perform further execution tasks. One of the key components used\r\nis the ELF file named b.dat, which in turn interacts with a.zip. The archive a.zip contains two further files:\r\nlibkernel.so (another ELF file) and lib.dat, which is actually a Dalvik DEX file containing further Java code and\r\nmalicious functionality beyond the app’s default (and mandatory) classes.dex file. Some of the key data-harvesting\r\nbehaviour of HenBox stems from these files – b.dat and the contents of a.zip, all four of which are RC4-encrypted,\r\nforming the most heavily obfuscated components within HenBox.\r\nOnce unpacked and available for use, the new DEX file is executed from within the DaemonServer class to\r\nenumerate all running applications and kill those that have the permission to receive SMS messages, before\r\nregistering its own runtime intent to process them instead, thus intercepting the victim’s messages.\r\nThe method continues by loading the libkernel.so library file, also unpacked from the a.zip archive. This ELF file has\r\nnumerous capabilities, many of which come from BusyBox – a package containing various stripped-down Unix tools\r\nthat are useful for system administration. 
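Decoding an asset obfuscated the way setting.txt is (single-byte XOR, key 0x88 in this sample) is mechanical once the key is known, and the key is cheap to recover when it is not. The added example below is my own code, not HenBox’s or Unit 42’s: it tries every candidate key, prefers a key that exposes a known file header (PK for ZIP, the ELF magic, or the dex magic of a Dalvik file) and otherwise the key that yields the most text-like output, then classifies the decoded asset. The encoded blob it runs on is constructed inside the script, and the scoring weights and the sample config content are assumptions rather than details from the paper.

```python
# Added example (not from the Unit 42 paper): recover a single-byte XOR key of
# the kind HenBox uses for its config, then identify the decoded asset by its
# magic bytes. SAMPLE_CONFIG below is constructed; it is not a real config.

MAGICS = {
    'zip': bytes.fromhex('504b0304'),   # 'PK..' local file header, e.g. a.zip
    'elf': bytes.fromhex('7f454c46'),   # ELF, e.g. libkernel.so or b.dat
    'dex': b'dex' + bytes([0x0a]),      # Dalvik DEX, e.g. lib.dat
}

def xor_single(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def identify(blob: bytes) -> str:
    # classify by file header, falling back to 'text' for all-printable data
    for name, magic in MAGICS.items():
        if blob.startswith(magic):
            return name
    if blob and all(32 <= b < 127 or b in (9, 10, 13) for b in blob):
        return 'text'
    return 'unknown'

def text_score(blob: bytes) -> float:
    # alphanumerics and space count fully, other printables half, the rest
    # count against the candidate; config files are ASCII key=value data
    score = 0.0
    for b in blob:
        if 48 <= b <= 57 or 65 <= b <= 90 or 97 <= b <= 122 or b == 32:
            score += 1.0
        elif 32 < b < 127 or b in (9, 10, 13):
            score += 0.5
        else:
            score -= 1.0
    return score / len(blob) if blob else 0.0

def recover_key(blob: bytes) -> int:
    # a recognised magic beats any text score (text_score never exceeds 1.0)
    best_key, best_score = 0, -2.0
    for key in range(256):
        out = xor_single(blob, key)
        score = 2.0 if identify(out) in MAGICS else text_score(out)
        if score > best_score:
            best_key, best_score = key, score
    return best_key

def decode_asset(blob: bytes) -> tuple:
    key = recover_key(blob)
    plain = xor_single(blob, key)
    return key, identify(plain), plain

# Constructed stand-in for a config file, then encoded with key 0x88.
CRLF = bytes([0x0d, 0x0a])
SAMPLE_CONFIG = b'host=www3.example.invalid' + CRLF + b'port=8080' + CRLF
SAMPLE_ENCODED = xor_single(SAMPLE_CONFIG, 0x88)

if __name__ == '__main__':
    key, kind, plain = decode_asset(SAMPLE_ENCODED)
    print(hex(key), kind)
    print(plain.decode('ascii'))
```

The same routine is a first pass for the other XOR-decoded pieces (the embedded ‘su?’ binaries decode to ELF); the RC4-encrypted components need the key from the code, not a scan.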
This executable interacts with the aforementioned sux executable and,\r\namongst other things, temporarily disables the noise made by the device when photos are taken. This behaviour is\r\nachieved by moving the audio file ‘/system/media/audio/ui/camera_click.ogg’ elsewhere, then moving it back again\r\nonce picture-taking is complete.\r\nThe variant of HenBox analysed and described in the previous section specifically checked the compromised device\r\nfor two apps listed in Table 6 below. If the apps are present, HenBox harvests information from them about contacts,\r\nnumbers and conversations.\r\nPackage name | App name\r\ncom.rebelvox.voxer | Voxer Walkie Talkie Messenger\r\ncom.tencent.mm | Tencent’s WeChat\r\nTable 6: Targeted messaging apps in August 2017.\r\nThese types of apps tend to use databases to store their data, which for Voxer is located in\r\n‘/data/data/com.rebelvox.voxer/databases/rv.db’ on the device. HenBox runs SQL queries against the database to\r\ngather their stored information.\r\nA little over four months after this variant of HenBox was seen, newer versions were available with significant\r\nchanges to the number of targeted apps, as shown in Table 7.\r\nPackage name | App name\r\ncom.whatsapp | WhatsApp Messenger\r\ncom.pugna.magiccall | n/a\r\norg.telegram.messenger | Telegram\r\ncom.facebook.katana | Facebook\r\ncom.twitter.android | Twitter\r\njp.naver.line.android | LINE: Free Calls \u0026 Messages\r\ncom.instanza.cocovoice | Coco\r\ncom.beetalk | BeeTalk\r\ncom.gtomato.talkbox | TalkBox Voice Messenger – PTT\r\ncom.viber.voip | Viber Messenger\r\ncom.immomo.momo | MOMO陌陌\r\ncom.facebook.orca | Messenger – Text and Video Chat for Free\r\ncom.skype.rover | Skype; 3rd party stores only\r\nTable 7: Targeted messaging apps in January 2018.\r\nMost of these apps are well established and 
available on Google Play; however, com.skype.rover and\r\ncom.pugna.magiccall appear to be available only on third-party app stores.\r\nHenBox’s capabilities are clearly comprehensive: it is both a complex, fairly sophisticated Android app and a very\r\neffective spying tool.\r\nInfrastructure and related overlaps\r\nWhile investigating HenBox, Unit 42 discovered infrastructure ties to other malware families associated with\r\ntargeted attacks against Windows users, with notable overlaps including PlugX, Zupdax, 9002 and Poison Ivy. Figure\r\n8 paints a picture of an adversary with at least five malware families in its toolbox, dating back to at least 2015.\r\nFigure 8: HenBox and related malware.\r\nThe overlap between the HenBox and 9002 malware families involves three C2s shared between several samples:\r\n47.90.81[.]23\r\n222.139.212[.]16\r\nlala513.gicp[.]net\r\nThe overlaps between the HenBox, PlugX, Zupdax and Poison Ivy malware families involve a web of shared C2s\r\nand IP resolutions centred around the following:\r\n59.188.196[.]172\r\ncdncool[.]com (and third levels of this domain)\r\nwww3.mefound[.]com\r\nwww5.zyns[.]com\r\nw3.changeip[.]org\r\nNote that gicp[.]net, mefound[.]com, zyns[.]com and changeip[.]org are dynamic DNS providers, so the overlap there is\r\non the specific hostnames shown, not on the parent domains, which are shared with unrelated users.\r\nTies to previous activity\r\nThe registrant of cdncool[.]com also registered six other domains. 
To date, we have seen four of the seven (the first\r\nthree in the list below, along with cdncool[.]com) used in malicious activity, and it is reasonable to assume that the\r\nremaining three are, or were, intended to serve the same purpose.\r\ntcpdo[.]net\r\nadminsysteminfo[.]com\r\nmd5c[.]net\r\nlinkdatax[.]com\r\ncsip6[.]biz\r\nadminloader[.]com\r\nUnit 42 published a blog [23] in July 2016 about 9002 malware being delivered using a combination of shortened\r\nlinks and a file hosted on Google Drive. The spear-phishing emails had Myanmar political-themed lures and, if the\r\n9002 C2 server responded, the trojan sent system-specific information along with the string ‘jackhex’. ‘Jackhex’ has\r\nalso been part of a C2 for what is probably related Poison Ivy activity (detailed below), along with additional\r\ninfrastructure ties.\r\nThe C2 for the aforementioned 9002 sample was logitechwkgame[.]com, which resolved to the IP address\r\n222.239.91[.]30. At the same time, the domain admin.nslookupdns[.]com also resolved to the same IP address,\r\nsuggesting that these two domains are associated with the same threat actor (a shared resolution is weak evidence on\r\nits own, since the address could be shared hosting, but it is reinforced by the further ties below). In addition,\r\nadmin.nslookupdns[.]com was a C2 for Poison Ivy samples associated with attacks on Myanmar and other Asian\r\ncountries and discussed in a blog post [24] published by Arbor Networks in April 2016. 
Another tie between the activities is the C2\r\njackhex.md5c[.]net, which was also used as a Poison Ivy C2 by the samples discussed in the Arbor Networks blog.\r\nFinally, since publishing the 9002 blog, Unit 42 has also seen the aforementioned 9002 C2 being used as a Poison\r\nIvy C2 with a Myanmar political-themed lure.\r\nIn our 9002 blog we noted some additional infrastructure used either as C2s for related Poison Ivy samples, or as\r\ndomain registrant overlap with those C2 domains. When we published that blog we hadn’t seen any of the three\r\nregistrant-overlap domains used in malicious activity. Since then, we have seen Poison Ivy samples using third\r\nlevels of querlyurl[.]com, lending further credence to the idea that the remaining two domains,\r\ngooledriveservice[.]com and appupdatemoremagic[.]com, are, or were, intended for malicious use. While we do not\r\nhave complete targeting information associated with these Poison Ivy samples, several of the decoy files were in\r\nChinese and appear to be part of a 2016 campaign targeting organizations in Taiwan with political-themed lures.\r\nFarseer for Windows\r\nThrough further investigations into infrastructure used by the HenBox malware, Unit 42 discovered [25] another,\r\npreviously unknown, malware family designed to run on Windows.\r\nFarseer – named after a string found in the PDB path embedded within the executable files (see example below) –\r\nis a backdoor trojan that we can trace back in our data to 2016 and that we continue to see in 2019, albeit in small\r\nnumbers.\r\ne:\\WorkSpace\\A1\\coding\\Farseer\\RemoteShellsRemote\\Release\\RemoteShellsRemote.pdb\r\nTies to HenBox\r\nThe infrastructure used by the combination of malware families discussed so far is vast, with numerous overlaps;\r\nhowever, the remainder of this report will focus only on some core ties between the Farseer and HenBox, PlugX,\r\nZupdax, 9002 and Poison Ivy malware families.\r\nFigure 9 shows a high-level representation 
of file hashes, IP addresses and domain names used by some of the\r\nmalware families mentioned, together with their overlaps highlighted by the green rectangle.\r\nFigure 9: Maltego chart showing overlaps between Farseer and related threats.\r\nDespite the image suggesting that Farseer has the largest number of malware samples (red dots), this is not the case\r\nacross the entire sample set; it merely appears this way because of the focus of this section of the report.\r\nOne of the most recent Farseer samples (SHA256:\r\n271e29fe8e23901184377ab5d0d12b40d485f8c404aef0bdcc4a4148ccbb1a1a) introduced a new C2 domain –\r\ntcpdo[.]net – into the Farseer set, as shown in Figure 10.\r\nFigure 10: Tcpdo[.]net ties between Farseer and Poison Ivy samples.\r\nThis sample communicates directly with tcpdo[.]net for its C2, whereas other Farseer samples communicate\r\nindirectly, through third-level domains and IP addresses. A handful of Poison Ivy samples have also used this domain\r\nas their C2, most of them prior to this Farseer sample (as early as mid-2015) but also more recently, on 17 December\r\n2018, indicating a fairly active domain.\r\nThe overlaps between Farseer and Poison Ivy don’t end with tcpdo[.]net. 
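The pivot that produces the overlaps listed above, and those listed in the rest of this subsection, can be scripted. The following is an added example and not code from the paper: each indicator is collapsed to the thing worth pivoting on (an IP address, or a registered domain standing in for its third-level names, the way the paper groups ‘cdncool[.]com and third levels of this domain’), and the keys shared by two or more families are then reported, together with which families the data actually chains together. The per-family indicator sets are constructed here for illustration from indicators the paper lists and are not the paper’s full per-family map; the dynamic-DNS list is this example’s own assumption.

```python
# Added example (not from the paper): pivot on shared command-and-control
# infrastructure to see which malware families an indicator set ties
# together, the analysis behind Figures 8 to 10. Standard library only.
from itertools import combinations

# Dynamic-DNS providers among the paper's indicators (assumption: this list
# is the example's own). Collapsing www3.mefound[.]com to mefound.com would
# link every customer of that service, so these hosts are kept whole.
DYNAMIC_DNS = {'mefound.com', 'zyns.com', 'changeip.org', 'gicp.net', 'ezua.com'}

def refang(ioc):
    # Turn the defanged form used in reports back into a real indicator.
    return ioc.strip().lower().replace('[.]', '.').replace('hxxp', 'http')

def is_ipv4(value):
    parts = value.split('.')
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)

def pivot_key(ioc):
    # IPs pivot on themselves. Domains pivot on the registered parent, since
    # the paper treats third-level names (up., info., ...) as one C2 family,
    # except dynamic-DNS hosts. Naive: no public-suffix list, so a name
    # under co.uk or similar would collapse too far.
    value = refang(ioc)
    if is_ipv4(value):
        return value
    parent = '.'.join(value.split('.')[-2:])
    return value if parent in DYNAMIC_DNS else parent

def shared_infrastructure(families):
    # pivot key -> families using it, keeping only keys shared by >= 2
    owners = {}
    for family, iocs in families.items():
        for ioc in iocs:
            owners.setdefault(pivot_key(ioc), set()).add(family)
    return {key: fams for key, fams in owners.items() if len(fams) > 1}

def family_links(families):
    # (family, family) -> number of shared pivot keys
    links = {}
    for fams in shared_infrastructure(families).values():
        for pair in combinations(sorted(fams), 2):
            links[pair] = links.get(pair, 0) + 1
    return links

def clusters(families):
    # Connected components of the family graph: which families the data
    # chains together directly or through an intermediary (union-find).
    parent = {f: f for f in families}
    def find(f):
        while parent[f] != f:
            f = parent[f]
        return f
    for a, b in family_links(families):
        parent[find(a)] = find(b)
    groups = {}
    for f in families:
        groups.setdefault(find(f), set()).add(f)
    return sorted(sorted(g) for g in groups.values())

# Constructed illustration using indicators the paper lists; the assignment
# of indicators to families is simplified and not the paper's full data.
SAMPLE_FAMILIES = {
    'HenBox': {'47.90.81[.]23', 'lala513.gicp[.]net', 'up.cdncool[.]com', 'www3.mefound[.]com', '59.188.196[.]172'},
    '9002': {'47.90.81[.]23', '222.139.212[.]16', 'lala513.gicp[.]net', 'logitechwkgame[.]com'},
    'PlugX': {'info.cdncool[.]com', 'www3.mefound[.]com', '59.188.196[.]172'},
    'Poison Ivy': {'jackhex.md5c[.]net', 'admin.nslookupdns[.]com', 'tcpdo[.]net'},
    'Farseer': {'up.tcpdo[.]net', 'up.outhmail[.]com', '45.32.53[.]250'},
}

if __name__ == '__main__':
    for key, fams in sorted(shared_infrastructure(SAMPLE_FAMILIES).items()):
        print(key, '->', ', '.join(sorted(fams)))
    print(family_links(SAMPLE_FAMILIES))
    print(clusters(SAMPLE_FAMILIES))
```

With only this reduced indicator set the graph splits into two components, HenBox/9002/PlugX and Poison Ivy/Farseer; it is the additional ties the paper lists (tcpdo[.]net third-level names, jackhex.md5c[.]net, the 59.188.196[.]x and 45.32.x.x addresses) that join them into one cluster, which is the point of recording every overlap rather than a single headline C2.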
Much as with HenBox, other infrastructure\r\nties exist: directly through sony36[.]com and md.son36[.]com; indirectly through third-level domains of tcpdo[.]net\r\nand the IP addresses 45.32.251[.]7 and 45.32.53[.]250.\r\nFarseer also overlaps with HenBox and PlugX samples through multiple C2 domains and IP address resolutions:\r\nouthmail[.]com (and third levels of this domain)\r\ncdncool[.]com (and third levels of this domain)\r\nwww3.mefound[.]com\r\nw3.changeip[.]org\r\nwww5.zyns[.]com\r\n45.32.53[.]250\r\n45.32.44[.]52\r\n45.32.45[.]77\r\n59.188.196[.]162\r\n59.188.196[.]172\r\nC2 server structure\r\nAs previously mentioned, a common registrant registered seven known domains related to the malware discussed.\r\nInterestingly, all of the domains have at least one third-level domain in common, perhaps indicating a template being\r\nused for the infrastructure setup. Table 8 lists the commonalities, aside from other more common sub-domains such\r\nas www, mail and dns; each column is one third-level label (info., re., update., up.) and a dot marks the domains on\r\nwhich it was seen.\r\nDomain / third-level domain info. re. update. up.\r\ntcpdo[.]net •   • •\r\nadminsysteminfo[.]com • • •  \r\nmd5c[.]net        \r\nlinkdatax[.]com • • •  \r\ncsip6[.]biz • • •  \r\nadminloader[.]com   • •  \r\ncdncool[.]com • • • •\r\nnewfacebk[.]com     •  \r\nTable 8: Common third-level domain names set up on C2 servers.\r\nMalware execution flow\r\nThis section aims to provide a description of the general behaviour of the Farseer malware. 
Figure 11 describes at a\r\nhigh level the post-installation execution flow of a typical sample.\r\nFigure 11: Execution flow of Farseer malware.\r\nFor persistence on the host, Farseer creates a registry entry named sys under:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nThis runs the VBS script slmgr.vbs, which contains:\r\ncreateobject(\"wscript.shell\").run \"C:\\Users\\[username]\\AppData\\Roaming\\windows\\bscmake.exe\"\r\nThis is step 1 (in Figure 11), which starts the Farseer execution when a user logs onto their PC.\r\nSteps 2 and 3 involve a DLL-sideloading technique using a signed Microsoft file, bscmake.exe, which is part of\r\nVisual Studio. This executable in turn imports several DLL files, including mspdb80.dll, which in turn imports sys.dll\r\n– the malicious loader. Two things in this chain are worth a detection rule on their own: a signed Visual Studio binary\r\nrunning from a user-writable path under AppData, and wscript.exe launching a .vbs referenced from a Run key.\r\nThe payload, stub.bin, is encrypted and compressed on disk but is decrypted by sys.dll as it is loaded into memory.\r\nFarseer’s config file, sys.dat, is also loaded during this fourth step in the flow. Much like the HenBox config file,\r\nsys.dat is obfuscated simply using ASCII encoding. 
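Before looking at the decoded layout in Table 9, here is how an analyst would recover such a config from disk. The following is an added example, not code from the paper or from either malware family: it brute-forces the single-byte XOR key used on HenBox’s setting.txt (0x88 in the paper) by scoring each candidate on how many well-formed ‘letter, digit, =’ lines it yields, then parses the ‘=’-delimited lines that both families’ configs share. The scoring heuristic, the constructed sample config and the field names assigned to Farseer’s p1/p2/p4/p5 are this example’s own assumptions; the sample keeps the indicators defanged as the paper prints them.

```python
# Added example (not code from the paper or from either malware family):
# recover the single-byte XOR key of a key=value config such as HenBox's
# setting.txt (0x88 in the paper), then parse the '<letter><digit>=value'
# lines that both HenBox and Farseer configs use. The sample config below is
# constructed here and keeps the indicators defanged as the paper prints them.
import re

LINE_RE = re.compile('^[a-z][0-9]+=')            # e.g. 'a1=', 'p2=', 'b4='
TEXT_BYTES = set(range(0x20, 0x7f)) | {0x09, 0x0a, 0x0d}

def xor_bytes(data, key):
    # Single-byte XOR is its own inverse, so this both encodes and decodes.
    return bytes(b ^ key for b in data)

def score_candidate(decoded):
    # -1 if any byte is not printable text (a wrong key nearly always yields
    # one); otherwise the number of lines shaped like a config entry.
    if any(b not in TEXT_BYTES for b in decoded):
        return -1
    return sum(1 for line in decoded.decode('ascii').splitlines() if LINE_RE.match(line))

def recover_key(blob):
    # Try all 256 keys; the right one maximises well-formed config lines.
    return max(range(256), key=lambda k: score_candidate(xor_bytes(blob, k)))

def parse_config(text):
    # One key=value per line; split on the first '=' only, since values
    # such as URLs may themselves contain '='. Empty values (a7=) are kept.
    fields = {}
    for line in text.splitlines():
        if '=' in line:
            key, value = line.split('=', 1)
            fields[key.strip()] = value.strip()
    return fields

def decode_config(blob, key=None):
    # Decode with the given key, or recover it first; returns (key, fields).
    if key is None:
        key = recover_key(blob)
    return key, parse_config(xor_bytes(blob, key).decode('ascii'))

# Field meanings the paper gives for Farseer; HenBox's a*/b* fields are only
# partly understood, so parse_config leaves them as raw key/value pairs.
FARSEER_FIELDS = {'p1': 'c2_host', 'p2': 'c2_port', 'p4': 'version', 'p5': 'launch_path'}

def describe_farseer(fields):
    return {FARSEER_FIELDS.get(k, k): v for k, v in fields.items()}

# Constructed sample in HenBox notation (values taken from Table 9), XOR-
# encoded with 0x88 as setting.txt is. Built with chr(10) to avoid escapes.
SAMPLE_PLAINTEXT = chr(10).join([
    'a1=wd.w3.ezua[.]com',
    'a2=80',
    'b3=1',
    'b4=http://www3.mefound[.]com/aa.txt',
]).encode('ascii')
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, 0x88)

if __name__ == '__main__':
    key, fields = decode_config(SAMPLE_BLOB)
    print('recovered key: 0x%02x' % key)
    for name, value in fields.items():
        print(name, '=', value)
```

The printability gate is what makes the brute force decisive: a wrong key turns at least one byte of a real config into a control character, so only the true key (and occasionally a key differing in the low bits, which then fails the line-shape test) survives. The same routine applies to a Farseer sys.dat once its encoding is known, since the layout rules the paper lists for both families are exactly what parse_config relies on.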
Once decoded, the config is structured as per the Farseer example in Table 9, which shows a HenBox config\r\nalongside it for comparison.\r\nFarseer config:\r\np1=up.outhmail[.]com\r\np2=80\r\np4=test-04-11\r\np5=C:\\Users\\[username]\\AppData\\Local\\Temp\\main.exe\r\nHenBox config:\r\na1=wd.w3.ezua[.]com\r\na2=80\r\na3=crash_report@21cn[.]com\r\na4=smtp.21cn[.]com\r\na5=crash_report\r\na6=lxy.cn@163[.]com\r\na7=\r\na8=0914D1D428914B09A5372866B39524B9\r\na9=\r\nb1=0\r\nb2=0\r\nb3=1\r\nb4=http://www3.mefound[.]com/aa.txt\r\nTable 9: Similarities between the Farseer and HenBox config files.\r\nIn the Farseer config file:\r\np1 is the C2 FQDN\r\np2 is the TCP port used (many variants use non-standard ports)\r\np3 is missing\r\np4 is a version string sent to the C2, perhaps a campaign identifier of some sort\r\np5 is the full file path from which the malware was launched.\r\nAt present, we do not know what all the HenBox options refer to.\r\nThe two malware config files have some similarities, which strengthens the idea of them being related to a common\r\nadversary. Both are text files, read and parsed at runtime; more often than not, the data is encoded simply. Perhaps\r\nthe most notable similarities in notation are as follows:\r\nKey/value pairs are ‘=’-delimited\r\nEach line uses a single character followed by a single digit starting at 1\r\nBoth have the C2 host on line 1\r\nBoth have the TCP port on line 2.\r\nTargeting\r\nOne of the earliest Farseer samples we analysed also contained a decoy PDF document that was opened during\r\nexecution. The PDF content included a copy of an article from a Myanmar news website that reports on the\r\nSoutheast Asia region. 
The PDF file properties indicate that it was created on a Chinese-language system, and its\r\ncreation date was eight days before the Farseer sample that used it.\r\nAfter publishing information on Farseer, an industry partner told us that their product telemetry showed a Farseer\r\nsample running on a Windows system located in, or communicating through an ISP in, Ulaanbaatar, Mongolia. This\r\nadditional context, along with the decoy document used, helps to confirm our suspected target countries.\r\nConstructing an adversary playbook\r\nThis section introduces the public frameworks and tools underpinning adversary playbooks, and describes the\r\nPKPLUG edition.\r\nATT\u0026CK\r\nMITRE’s Adversarial Tactics, Techniques and Common Knowledge (ATT\u0026CK™) is a curated knowledgebase and\r\nmodel for cyber adversary behaviour, reflecting the various phases of an adversary’s lifecycle and the platforms they\r\nare known to target.\r\nSTIX\r\nStructured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber\r\nthreat intelligence (CTI).\r\nSpecifically, the latest iteration of the STIX format at the time of writing, version 2.0, simplifies the creation of\r\ndocuments and uses JSON rather than XML (STIX 2.1 has since superseded it; the object types used in this paper\r\ncarry over). This version also provides a list of objects to represent types of information typically generated for\r\nCTI. For instance, STIX includes objects for intrusion sets, malware and indicators, amongst others. The information\r\nand attributes stored within STIX objects, and the relationships between the various object types, adhere to standards,\r\nwhich allows this intelligence to be shared and consumed without the need for complex parsing tools.\r\nAttack lifecycle\r\nAn adversary must complete a linear, phase-based process to successfully execute an attack. 
Humans can better\r\ncomprehend an attack by breaking it down into smaller, phase-based pieces, and work to break the lifecycle at\r\nvarious points in order to prevent successful attacks.\r\nThe attack lifecycle is a customized Cyber Kill Chain(™) from Lockheed Martin, and is described in Figure 12.\r\nFigure 12: Attack lifecycle.\r\nTo meld these three frameworks together, we looked at how ATT\u0026CK data mapped to STIX 2.0 and then chose\r\nappropriate objects for additional adversary playbook components, as Table 10 describes.\r\nSTIX 2.0 object – Adversary playbook component\r\nIntrusion Set – Adversary\r\nReport – Playbook\r\nReport – Play\r\nCampaign – Campaign\r\nKill-Chain-Phase – ATT\u0026CK Tactic\r\nAttack-Pattern – ATT\u0026CK Technique\r\nIndicator – Indicator\r\nMalware – Adversary Malware\r\nTool – Adversary Tool\r\nTable 10: STIX 2.0 to adversary playbook object mapping.\r\nWith these definitions complete, we began mapping the activities of particular adversaries to the ATT\u0026CK\r\nframework, and stored the respective data and related IOCs as STIX in JSON format.\r\nPlaybook Viewer\r\nAs previously mentioned, adversary playbooks are JSON-formatted STIX CTI packages describing threat actors,\r\ntheir campaigns (each one an instance of the attack lifecycle), their behaviours (using ATT\u0026CK) and, finally, the\r\nIOCs for each campaign. Consumers can ingest the STIX as they always have done; however, many systems (at the\r\ntime of launch) did not handle STIX 2.0 content, and certainly none existed that would display an entire adversary\r\nplaybook for humans to better understand and visualize the information.\r\nUnit 42 released a simple tool to enable the playbook to be viewed through a web interface. 
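Before the viewer, the data it displays. As an added example that is not Unit 42’s playbook tooling, the Table 10 mapping applied by hand: one HenBox play as a STIX 2.0 bundle built with only the standard library, followed by the checks a consumer should run before ingesting such a bundle (dangling references and the labels that STIX 2.0 makes mandatory on indicator, malware and report objects). The timestamp, object names, the ATT\u0026CK kill-chain phase (Mobile ATT\u0026CK files T1474 under initial-access, where the paper’s own lifecycle says Delivery) and the refanged indicator values are this example’s assumptions; the IOCs themselves are those in Table 11.

```python
# Added example (not Unit 42's playbook tooling): one HenBox play as a STIX
# 2.0 bundle, built by hand with the object mapping of Table 10, plus the
# checks a consumer should run before ingesting such a bundle.
import json
import uuid

CREATED = '2019-10-01T00:00:00.000Z'   # fixed timestamp; an assumption

def stix_id(obj_type):
    # STIX 2.0 identifiers are '<type>--<UUIDv4>'
    return obj_type + '--' + str(uuid.uuid4())

def sdo(obj_type, **props):
    # Common properties every STIX 2.0 domain object carries, plus its own.
    obj = {'type': obj_type, 'id': stix_id(obj_type), 'created': CREATED, 'modified': CREATED}
    obj.update(props)
    return obj

def relationship(source, rel_type, target):
    return sdo('relationship', relationship_type=rel_type,
               source_ref=source['id'], target_ref=target['id'])

def refang(value):
    # Indicators in a STIX pattern must be the real values, not 'x[.]y'.
    return value.replace('[.]', '.')

def henbox_play():
    # Table 10: adversary -> intrusion-set, campaign -> campaign, ATT&CK
    # technique -> attack-pattern with its tactic as a kill-chain phase,
    # malware -> malware, IOC -> indicator, play -> report.
    actor = sdo('intrusion-set', name='PKPLUG')
    campaign = sdo('campaign', name='HenBox delivered via the Uyghur app store')
    henbox = sdo('malware', name='HenBox', labels=['spyware'])
    # Mobile ATT&CK files T1474 under initial-access; the paper's own
    # lifecycle calls this phase Delivery.
    technique = sdo('attack-pattern', name='Supply Chain Compromise',
                    external_references=[{'source_name': 'mitre-mobile-attack', 'external_id': 'T1474'}],
                    kill_chain_phases=[{'kill_chain_name': 'mitre-mobile-attack', 'phase_name': 'initial-access'}])
    url_ioc = sdo('indicator', name='HenBox APK download URL', labels=['malicious-activity'], valid_from=CREATED,
                  pattern=refang('''[url:value = 'uyghurapps[.]net/mobile/downAction.action?appId=40']'''))
    apk_ioc = sdo('indicator', name='HenBox APK posing as DroidVPN', labels=['malicious-activity'], valid_from=CREATED,
                  pattern='''[file:hashes.'SHA-256' = '0589bed1e3b3d6234c30061be3be1cc6685d786ab3a892a8d4dae8e2d7ed92f7']''')
    objects = [actor, campaign, henbox, technique, url_ioc, apk_ioc,
               relationship(campaign, 'attributed-to', actor),
               relationship(campaign, 'uses', henbox),
               relationship(campaign, 'uses', technique),
               relationship(url_ioc, 'indicates', henbox),
               relationship(apk_ioc, 'indicates', henbox)]
    play = sdo('report', name='PKPLUG play: HenBox on the Uyghur app store',
               labels=['threat-report'], published=CREATED,
               object_refs=[o['id'] for o in objects])
    # In 2.0 the bundle, not each object, carries spec_version.
    return {'type': 'bundle', 'id': stix_id('bundle'), 'spec_version': '2.0', 'objects': objects + [play]}

LABELS_REQUIRED = {'indicator', 'malware', 'report', 'tool', 'threat-actor'}

def check_bundle(bundle):
    # Problems a consumer should reject: dangling references and missing
    # labels (required on these object types in 2.0). Empty list means OK.
    ids = {o['id'] for o in bundle['objects']}
    problems = []
    for o in bundle['objects']:
        if o['type'] in LABELS_REQUIRED and not o.get('labels'):
            problems.append(o['id'] + ': labels are required in STIX 2.0')
        for ref_key in ('source_ref', 'target_ref'):
            if ref_key in o and o[ref_key] not in ids:
                problems.append(o['id'] + ': dangling ' + ref_key)
        for ref in o.get('object_refs', []):
            if ref not in ids:
                problems.append(o['id'] + ': dangling object_ref ' + ref)
    return problems

def to_json(bundle):
    return json.dumps(bundle, indent=2, sort_keys=True)

if __name__ == '__main__':
    bundle = henbox_play()
    print(to_json(bundle))
    print('problems:', check_bundle(bundle))
```

The report object is what makes this a ‘play’ rather than a loose set of IOCs: its object_refs bind the campaign, the technique, the malware and the indicators together, so a consumer merging playbooks from several sources can tell which indicators belong to which campaign without guessing.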
A screenshot of the\r\nPlaybook Viewer [26] is shown in Figure 13; a live version can be accessed on GitHub.\r\nFigure 13: Example Rancor adversary playbook viewed through Playbook Viewer.\r\nPlaybook Viewer allows a user to choose an adversary from the list shown. This provides a description and another\r\nlist of their campaigns (at least the ones we know about, and those we’ve converted to STIX). Selecting a campaign\r\nshows lists of the adversary’s TTPs (using ATT\u0026CK notation) laid out in columns as per the attack lifecycle phases.\r\nOf course, the level of detail described in each playbook is limited to the visibility one has of a given campaign, thus\r\nthe sharing, merging and enriching of these is critical to build a more holistic view of a given adversary.\r\nDefence analysis\r\nBeyond ingesting IOCs and visualizing adversary playbooks, another use-case exists around improving defences.\r\nUnderstanding the common TTPs used by malware and adversaries that persistently attack your organization should\r\nhelp to prioritize defence efforts. These are not limited to deploying security products: they also include designing\r\npolicies and processes that reduce risk for the organization, and enforcing them, wherever possible, using technology.\r\nPKPLUG adversary playbook\r\nSome of the malware families used by the PKPLUG adversary have been described in detail in this report. It is those\r\n(HenBox and Farseer) that are described here, in playbook form.\r\nHenBox\r\nTable 11 describes the single ‘play’ (a.k.a. campaign) related to the variant of HenBox discovered on the Uyghur app\r\nstore. Other plays, each an instance of an attack lifecycle, exist for many more samples and may have some TTPs\r\nthat differ. 
A full list of plays, together with all the IOCs, is available on the Playbook Viewer. Note that the T12xx/T13xx\r\nidentifiers below are PRE-ATT\u0026CK IDs; MITRE retired PRE-ATT\u0026CK in 2020 and folded those tactics into Enterprise\r\nATT\u0026CK as Reconnaissance and Resource Development, so they will not resolve in current versions of the framework.\r\nPhase / TTP – Description, STIX \u0026 IOCs\r\nReconnaissance\r\nT1249: Conduct social engineering – Creation of decoy documents; spoofing legitimate mobile apps; setting up\r\ndomains with copycat names using relevant and interesting themes.\r\nT1264: Identify technology usage patterns – Targeting of Xiaomi devices, Android users and the Uyghur app store infers\r\nunderstanding of the victims’ MO.\r\nT1265: Identify supply chains – Using the Uyghur app store to deliver HenBox would first require identification\r\nof the delivery mechanism.\r\nT1295: Analyse social and business relationships, interests, and affiliations – Knowledge of the Uyghur ethnicity and\r\nreligious beliefs to use in social engineering lures (e.g. Islam-related apps); knowledge, or suspected use, of\r\nvarious social network, secure messaging and communications apps by the victims.\r\nWeaponization\r\nT1307: Acquire and/or use third-party infrastructure services – Use of the Uyghur app store to deliver HenBox.\r\nT1312: Compromise third-party infrastructure to support delivery – How the app store was compromised is not known,\r\nbut an existing app was overwritten with HenBox.\r\nT1345: Create custom payloads – HenBox and Farseer are custom malware; others used, such as PlugX, were\r\ncustom when discovered but are now believed to be used by many groups.\r\nDelivery\r\nT1474: Supply chain compromise (mobile) – Third-party app store APK URL:\r\n[url:value = 'uyghurapps[.]net/mobile/downAction.action?appId=40']\r\nHash of the HenBox APK purporting to be the DroidVPN app on the third-party app store:\r\n[file:hashes.'SHA-256' = '0589bed1e3b3d6234c30061be3be1cc6685d786ab3a892a8d4dae8e2d7ed92f7']\r\nT1476: Deliver malicious app via other means (mobile) – Delivery of HenBox through the compromised third-party app\r\nstore; other methods assumed, including phishing/smishing, file-sharing websites, forums, etc. These are common\r\nwith Android malware delivery.\r\nExploitation\r\n– No exploits against vulnerabilities used, to our knowledge; requires user interaction.\r\nInstallation\r\nT1027: Obfuscated files or information; T1406: Obfuscated files or information (mobile) – Mixture of compression,\r\nobfuscation and encryption used for components of HenBox malware, including config files and further payloads.\r\nT1204: User execution – HenBox requires installation by the victim, through social engineering.\r\nT1402: App auto-start at device boot (mobile) – HenBox monitors for system event broadcasts and executes accordingly.\r\nThis includes device reboots, SIM card and network changes, new apps installed, and so on.\r\nT1418: Application discovery (mobile) – HenBox monitors installed apps to steal information from target apps.\r\nCommand \u0026 control\r\nT1065: Uncommonly used port – This variant of HenBox used TCP port 888.\r\nT1071: Standard application layer protocol – HenBox used HTTP to communicate with the C2.\r\nActions on objectives\r\nT1412: Capture SMS messages (mobile) – Intercepts SMS messages.\r\nT1413: Access sensitive data in device logs (mobile) – Gathers system and device logs.\r\nT1416: Android intent hijacking (mobile) – HenBox registered for Xiaomi events likely to originate from IoT devices.\r\nT1418: Application discovery (mobile) – Enumeration of existing and monitoring of newly installed apps.\r\nT1421: System network connections discovery (mobile) – Enumerates cellular and Wi-Fi networks; monitors for network\r\nchanges (e.g. switching from one to another).\r\nT1422: System network configuration discovery (mobile) – HenBox gathers IMEI and similar device and system identifiers.\r\nT1426: System information discovery (mobile) – Gathers system version information.\r\nT1429: Microphone or camera recordings (mobile) – Records information using device sensors.\r\nT1430: Location tracking (mobile) – Tracks device location.\r\nT1432: Access contact list (mobile) – Gathers information from the device contacts database, as well as contacts stored\r\nby certain target messaging apps.\r\nT1433: Access call log (mobile) – Gathers call log information and sets a filter for calls to the +86 country code\r\n(China) to steal the phone numbers involved.\r\nTable 11: The single ‘play’ (a.k.a. campaign) related to the variant of HenBox discovered on the Uyghur app store.\r\nFarseer\r\nTable 12 describes the single ‘play’ (a.k.a. campaign) related to some of the latest variants of Farseer.\r\nPhase / TTP – Description, STIX \u0026 IOCs\r\nPre-ATT\u0026CK\r\nAdversary opsec\r\nT1319: Obfuscate or encrypt code – Mixture of compression, obfuscation and encryption used for components of\r\nFarseer malware, including config files and further payloads.\r\nEstablish \u0026 maintain infrastructure\r\nT1328: Buy domain name – Buying and registering domains for command \u0026 control use.\r\nATT\u0026CK\r\nPersistence\r\nT1060: Registry run keys / startup folder – Sets a registry run key to launch.\r\nDefence evasion\r\nT1140: Deobfuscate / decode files or information; T1045: Software packing; T1073: DLL side-loading – Mixture of\r\ncompression, obfuscation and encryption used for components of Farseer malware, including config files and further\r\npayloads; the malicious DLL is side-loaded by the signed bscmake.exe.\r\nCommand \u0026 control\r\nT1071: Standard application layer protocol – Farseer used HTTP to communicate with the C2.\r\nT1065: Uncommonly used port – Farseer has used TCP ports 158, 993 and others.\r\nT1043: Commonly used port – Farseer has also used TCP port 80.\r\nTable 12: The single ‘play’ (a.k.a. campaign) related to some of the latest variants of Farseer.\r\nConclusions\r\nPKPLUG is a fairly long-standing, active and formidable adversary operating against targets in the Southeast Asia\r\nregion for what could be various reasons, but it is clearly interested in information‑gathering, tracking and espionage.\r\nSharing threat intelligence data is very important if others are to learn about targeted cyber attacks and data breaches.\r\nFurthermore, sharing not only the IOCs of a given attack but also the TTPs of how the adversary breached and\r\nmoved throughout the network to fulfil its goals is critical. Sharing TTPs is more difficult, but the use of adversary\r\nplaybooks – building on solid foundational frameworks – is a great start in providing the necessary structure to do so.\r\nUnit 42 continues to track PKPLUG and the tools used by this adversary; updates to research, IOCs and the\r\nPKPLUG adversary playbook will be released periodically.\r\nReferences\r\n[1] ASEAN Member States. https://asean.org/asean/asean-member-states/.\r\n[2] What Are the Autonomous Regions of China? https://www.sporcle.com/blog/2019/04/what-are-the-autonomous-regions-of-china/.\r\n[3] What is China’s Belt and Road Initiative? https://www.theguardian.com/cities/ng-interactive/2018/jul/30/what-china-belt-road-initiative-silk-road-explainer.\r\n[4] China and Xinjiang: The Fate of BRI. https://thegeopolitics.com/china-and-xinjiang-the-fate-of-bri/.\r\n[5] China’s Crackdown on Uighurs in Xinjiang. https://www.cfr.org/backgrounder/chinas-crackdown-uighurs-xinjiang.\r\n[6] This map shows a trillion-dollar reason why China is oppressing more than a million Muslims. https://www.businessinsider.com/map-explains-china-crackdown-on-uighur-muslims-in-xinjiang-2019-2.\r\n[7] The Battle for the South China Sea. https://edition.cnn.com/interactive/2018/08/asia/south-china-sea/.\r\n[8] China Demands US Cancel Arms Sale to Taiwan. https://www.military.com/daily-news/2019/07/10/china-demands-us-cancel-arms-sale-taiwan.html.\r\n[9] Smartphone Shipments Experience Deeper Decline in Q1 2019 with a Clear Shakeup Among the Market Leaders, According to IDC. https://www.idc.com/getdoc.jsp?containerId=prUS45042319.\r\n[10] Unit 42. https://unit42.paloaltonetworks.com/.\r\n[11] MITRE ATT\u0026CK. https://attack.mitre.org/.\r\n[12] The Cyber Kill Chain(™). https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html.\r\n[13] Structured Threat Information Expression (STIX™). https://oasis-open.github.io/cti-documentation/stix/intro.\r\n[14] HenBox: The Chickens Come Home to Roost. https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/.\r\n[15] HenBox: Inside the Coop. https://unit42.paloaltonetworks.com/unit42-henbox-inside-coop/.\r\n[16] Welcome to the Uighur Web. https://foreignpolicy.com/2014/04/21/welcome-to-the-uighur-web/.\r\n[17] Internet popularity in Xinjiang higher than China’s national average. http://www.chinadaily.com.cn/business/tech/2017-07/08/content_30041010.htm.\r\n[18] Hackers Target Uyghur Groups. https://www.rfa.org/english/news/uyghur/hackers-09062012153043.html.\r\n[19] Study Finds Unrelenting Cyber Attacks Against China’s Uyghurs. https://securityledger.com/2014/08/study-finds-unrelenting-cyber-attacks-against-chinas-uyghurs/.\r\n[20] Cyber Attacks Against Uyghur Mac OS X Users Intensify. https://securelist.com/cyber-attacks-against-uyghur-mac-os-x-users-intensify/64259/.\r\n[21] Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/.\r\n[22] Turkistan Islamic Party. https://en.wikipedia.org/wiki/Turkistan_Islamic_Party.\r\n[23] Attack Delivers ‘9002’ Trojan Through Google Drive. https://unit42.paloaltonetworks.com/unit-42-attack-delivers-9002-trojan-through-google-drive/.\r\n[24] New Poison Ivy Activity Targeting Myanmar, Asian Countries. https://web.archive.org/web/20160618095613/https://www.arbornetworks.com/blog/asert/recent-poison-iv/.\r\n[25] Farseer: Previously Unknown Malware Family bolsters the Chinese armoury. https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/.\r\n[26] Unit 42 Adversary Playbook Viewer. https://pan-unit42.github.io/playbook_viewer/.\r\nSource: https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/"
	],
	"report_names": [
		"vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary"
	],
	"threat_actors": [
		{
			"id": "8c5c318c-0e71-4184-92bb-d1c28f68a411",
			"created_at": "2022-10-25T15:50:23.692481Z",
			"updated_at": "2026-04-10T02:00:05.409574Z",
			"deleted_at": null,
			"main_name": "Scarlet Mimic",
			"aliases": [
				"Scarlet Mimic"
			],
			"source_name": "MITRE:Scarlet Mimic",
			"tools": [
				"Psylo",
				"MobileOrder",
				"CallMe",
				"FakeM"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cac03bbf-0c42-470d-951e-0e92656be6cb",
			"created_at": "2023-01-06T13:46:38.463275Z",
			"updated_at": "2026-04-10T02:00:02.985402Z",
			"deleted_at": null,
			"main_name": "Scarlet Mimic",
			"aliases": [
				"Golfing Taurus",
				"G0029"
			],
			"source_name": "MISPGALAXY:Scarlet Mimic",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e8aee970-e31e-489f-81c2-c23cd52e255c",
			"created_at": "2023-01-06T13:46:38.763687Z",
			"updated_at": "2026-04-10T02:00:03.092181Z",
			"deleted_at": null,
			"main_name": "RANCOR",
			"aliases": [
				"Rancor Group",
				"G0075",
				"Rancor Taurus",
				"Rancor group",
				"Rancor"
			],
			"source_name": "MISPGALAXY:RANCOR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "926dcfeb-19dd-4786-b601-3c0c4c477b43",
			"created_at": "2023-01-06T13:46:38.787762Z",
			"updated_at": "2026-04-10T02:00:03.10053Z",
			"deleted_at": null,
			"main_name": "HenBox",
			"aliases": [],
			"source_name": "MISPGALAXY:HenBox",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d11e45c-4e31-4997-88f5-295b2564cfc6",
			"created_at": "2022-10-25T15:50:23.794721Z",
			"updated_at": "2026-04-10T02:00:05.358892Z",
			"deleted_at": null,
			"main_name": "Rancor",
			"aliases": [
				"Rancor"
			],
			"source_name": "MITRE:Rancor",
			"tools": [
				"DDKONG",
				"PLAINTEE",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9fc2aed1-c838-41e9-b469-922e7bab6f94",
			"created_at": "2022-10-25T16:07:24.162936Z",
			"updated_at": "2026-04-10T02:00:04.886029Z",
			"deleted_at": null,
			"main_name": "Scarlet Mimic",
			"aliases": [
				"G0029",
				"Golfing Taurus"
			],
			"source_name": "ETDA:Scarlet Mimic",
			"tools": [
				"BrutishCommand",
				"CallMe",
				"CrypticConvo",
				"Elirks",
				"FakeFish",
				"FakeHighFive",
				"FakeM",
				"FakeM RAT",
				"FullThrottle",
				"HTran",
				"HUC Packet Transmit Tool",
				"MobileOrder",
				"Psylo",
				"RaidBase",
				"SkiBoot",
				"SubtractThis",
				"Terminator RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "416f8374-2b06-47e4-ba91-929b3f85d9bf",
			"created_at": "2022-10-25T16:07:24.093951Z",
			"updated_at": "2026-04-10T02:00:04.864244Z",
			"deleted_at": null,
			"main_name": "Rancor",
			"aliases": [
				"G0075",
				"Rancor Group",
				"Rancor Taurus"
			],
			"source_name": "ETDA:Rancor",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DDKONG",
				"Derusbi",
				"Dudell",
				"ExDudell",
				"KHRAT",
				"PLAINTEE",
				"RoyalRoad",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439082,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f2a5e4513007b5ab01a805e078256f5e8d10dbc2.pdf",
		"text": "https://archive.orkl.eu/f2a5e4513007b5ab01a805e078256f5e8d10dbc2.txt",
		"img": "https://archive.orkl.eu/f2a5e4513007b5ab01a805e078256f5e8d10dbc2.jpg"
	}
}