{
	"id": "31464ef6-b65f-4df6-ba35-bf4c4931dc0d",
	"created_at": "2026-04-06T00:08:40.915688Z",
	"updated_at": "2026-04-10T03:26:37.628012Z",
	"deleted_at": null,
	"sha1_hash": "f329de3cb364c34022cb04b9fdb5dac3538645c2",
	"title": "New Indicators of Compromise for APT Group Nitro Uncovered",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 90955,
	"plain_text": "New Indicators of Compromise for APT Group Nitro Uncovered\r\nBy Jen Miller-Osborn\r\nPublished: 2014-10-03 · Archived: 2026-04-05 15:50:06 UTC\r\nIn mid-July of this year, we noticed yet another legitimate website had been compromised by APT actors and was\r\nserving malware. In this case, it was a group commonly referred to as “Nitro,” a name coined by Symantec in\r\nits 2011 whitepaper.\r\nAs we dug deeper, we found additional compromised legitimate websites and malware from the same group back\r\nthrough March of this year. In most instances, the malware is one commonly referred to as “Spindest,” though we\r\nalso found “PCClient” and “Farfli” variants in use by the group. We don’t have enough data to say for certain that\r\nall of the malware in this blog was delivered via compromised legitimate websites.\r\nHistorically, Nitro is known for targeted spear-phishing campaigns and using Poison Ivy malware, which was not\r\nseen in these attacks. Since at least 2013, Nitro appears to have somewhat modified their malware and delivery\r\nmethods to include Spindest and legitimate compromised websites, as reported by Cyber Squared’s TCIRT. Our\r\nfindings indicate they are continuing to evolve with the addition of PCClient and Farfli variants. 
The Maltego\r\nscreenshot below shows the activity we describe in this blog.\r\nThese events impacted at least the following industries, across four waves:\r\nA US-based IT solutions provider;\r\nThe European office of a major, US-based commercial vendor of space imagery and geospatial content;\r\nA European leader in power technologies and automation for utilities and industry;\r\nA US-based provider of medical and dental imaging systems and IT solutions.\r\nIn July, Nitro compromised a South Korean clothing and accessories manufacturer’s website to serve malware\r\ncommonly referred to as “Spindest.” Of all the samples noted in this blog that we’ve tied to this activity so far, this is\r\nthe only one configured to connect directly to an IP address for Command and Control (C2). This IP address has\r\nbeen in use by this group for some time, which is interesting since they have evolved other components of their\r\nkill chain over time to ensure malware delivery, but oddly not altered their C2 infrastructure. It is simple for\r\ncompanies to block any outbound traffic to this IP, which would negate the effort Nitro put into successfully\r\ndelivering the malware.\r\nhttps://unit42.paloaltonetworks.com/new-indicators-compromise-apt-group-nitro-uncovered/\r\nPage 1 of 5\n\n37 AV vendors within VirusTotal properly identify it, and the PE timestamp shows the day before we saw it. 
In\r\naddition, the following three samples were found roughly a week apart from each other, possibly indicating the\r\ntiming of the waves of activity.\r\nTable 1\r\nSHA256 0a1103bc90725d4665b932f88e81d39eafa5823b0de3ab146e2d4548b7da79a0\r\nMD5 7915aabb2e66ff14841e4ef0fbff7486\r\nFile Name update.exe\r\nFile Size 106496\r\nFirst Seen 2014-07-24 11:54:02\r\nC2 IP 223.25.233.248\r\nThe next sample we found is commonly known as PCClient, which is not malware previously tied to this group.\r\nWe discovered this, and many of the following samples, through historic IP resolution overlap between the same\r\ndomains alternately resolving to either 223.25.233.248 or 196.45.144.12. The second IP has also not been\r\nreported as tied to this group before. However, this shifting of IP resolutions back and forth indicates Nitro is in\r\ncontrol of these domains. It also makes it fairly easy for any Infosec team to reach the same conclusion we did,\r\nwhich again negates their use both of a previously unreported domain and IP for C2, as well as a new family of\r\nmalware. 25 AV vendors within VirusTotal properly classify this sample as malware. Its PE timestamp was 8 July,\r\nalmost a week prior to when we first saw it.\r\nTable 2\r\nSHA256 8aef92a986568ba31729269efa31a2488f35920d136ab41cb6fce55fd8e0b4b7\r\nMD5 7522baef20df95eeeeafdf4efe3aac3c\r\nFile Name lsm.exe\r\nFile Size 65536\r\nFirst Seen 2014-07-15 11:48:33\r\nC2 URL xenserver.ddns[.]net\r\nResolution 196.45.144.12\r\nThe next sample was another Spindest variant and had the same timestamp as the aforementioned PCClient\r\nsample. In addition, Nitro chose to use the same C2 for this sample, making it easy to both find and tie to the\r\ngroup. 
41 AV vendors within VirusTotal properly classify this sample as malware.\r\nTable 3\r\nSHA256 995bc16a5c2c212b57ba00c2376ac57c8032c7f2b1d521f995a5e1d49066d64d\r\nMD5 6527ba8baab0f86b0ffb6178247772c4\r\nFile Name install_reader11_en_aaa_aih.exe\r\nFile Type PE\r\nFile Size 81920\r\nFirst Seen 2014-07-09 16:31:26\r\nC2 URL xenserver.ddns[.]net\r\nResolution 196.45.144.12\r\nThe next wave of activity we found took place in mid-May. Both samples were Spindest variants with the same\r\nPE timestamp of 15 May. While neither the MD5s nor the C2 match, the aforementioned link to a post by Cyber\r\nSquared’s TCIRT did document Nitro using Spindest variants with the same file name starting late December last\r\nyear. In that case they used the historic C2 IP we note in Table 1 in this blog. 34 AV vendors within VirusTotal\r\nproperly classify the first sample as malware, and 40 AV vendors the second sample.\r\nTable 4\r\nSHA256 e7f2af8c48f837da57000c068368d77bc9b06eba1e077edfab58df6aa2ea40ec\r\nMD5 271e6a4d45c2817f86148ca413f97604\r\nFile Name mdm.exe\r\nFile Size 118784\r\nFirst Seen 2014-05-20 08:43:15\r\nC2 URL zipoo.redirectme[.]net\r\nResolution 196.45.144.12\r\nTable 5\r\nSHA256 e601da16f923b33465dbafbff9d47195e8fc50099fd0581a16a1745bf890afb6\r\nMD5 be765cd5723e4366d35172aaf13fad44\r\nFile Name CitrixReceiverWeb.exe\r\nFile Size 135168\r\nFirst Seen 2014-05-15 16:34:10\r\nC2 URL zipoo.redirectme[.]net\r\nResolution 196.45.144.12\r\nThe malware dropped was configured to use good.myftp[.]org as the C2 URL, and the IP resolution was\r\n223.25.233.248. Both of these are known Nitro Indicators of Compromise (IOCs). In this case, the malware was a\r\nFarfli variant, again not a malware previously tied to this group. 39 AV vendors within VirusTotal properly\r\nidentify the file as malware. The PE timestamp on the file was 1 April, about two weeks before we saw the\r\nfile. 
Continuing the activity, we discovered the actors had compromised a legitimate website belonging to an\r\ninternational technology company that provides Software Configuration and Change Management (SCCM)\r\nsolutions in mid-May. (It is a well-regarded company and partners with large companies such as Microsoft.)\r\nTable 6\r\nSHA256 184c083e839451c2ab0de7a89aa801dc0458e2bd1fe79e60f35c26d92a0dbf6a\r\nMD5 ec519d709c0582346741fe0094208216\r\nFile Name update.exe\r\nFile Size 159744\r\nFirst Seen 2014-04-15 01:13:14\r\nC2 URL good.myftp[.]org\r\nResolution 223.25.233.248\r\nThe final sample, from mid-March, was also hosted on a compromised legitimate website, this time a small,\r\nUS-based IT company. The IP resolved by the C2 URL was changed two days after we saw this file to overlap with\r\ngood.myftp[.]org for a month before returning the below resolution. The filename matches that of the sample in\r\nTable 5, which had a very similar third-level C2 domain and the same IP resolution. This is also a Spindest variant\r\nwith a PE timestamp of the same day we saw it. 39 AV vendors within VirusTotal properly identify the file as\r\nmalware.\r\nTable 7\r\nSHA256 ffbddfb536e8e604c880ec977d06f804a500fc0396899bd2c195fb1f5b74207a\r\nMD5 a3b2e34973691ad320b70248bd67fbd2\r\nFile Name CitrixReceiverWeb.exe\r\nFile Size 192512\r\nFirst Seen 2014-03-12 06:58:22\r\nC2 URL zip.redirectme[.]net\r\nResolution 196.45.144.12\r\nAs this post and previously cited research show, APT groups such as Nitro will continue to evolve their techniques\r\nwithin the kill chain to avoid detection. 
However, they also demonstrate the value of tracking these threats over\r\ntime, as this allowed us to uncover and properly attribute the new IOCs because Nitro was still re-using old C2\r\ninfrastructure with their new malware.\r\nFor Palo Alto Networks customers, all of these files were properly identified by WildFire as malware and all of the\r\nC2 domains are labeled as threats in both Threat Prevention and URL Filtering systems.\r\nSource: https://unit42.paloaltonetworks.com/new-indicators-compromise-apt-group-nitro-uncovered/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/new-indicators-compromise-apt-group-nitro-uncovered/"
	],
	"report_names": [
		"new-indicators-compromise-apt-group-nitro-uncovered"
	],
	"threat_actors": [
		{
			"id": "9041c438-4bc0-4863-b89c-a32bba33903c",
			"created_at": "2023-01-06T13:46:38.232751Z",
			"updated_at": "2026-04-10T02:00:02.888195Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove"
			],
			"source_name": "MISPGALAXY:Nitro",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b44a04-a080-4465-973d-976ce53777de",
			"created_at": "2022-10-25T16:07:23.911791Z",
			"updated_at": "2026-04-10T02:00:04.786538Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove",
				"Nitro"
			],
			"source_name": "ETDA:Nitro",
			"tools": [
				"AngryRebel",
				"Backdoor.Apocalipto",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCClient",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Spindest",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434120,
	"ts_updated_at": 1775791597,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f329de3cb364c34022cb04b9fdb5dac3538645c2.pdf",
		"text": "https://archive.orkl.eu/f329de3cb364c34022cb04b9fdb5dac3538645c2.txt",
		"img": "https://archive.orkl.eu/f329de3cb364c34022cb04b9fdb5dac3538645c2.jpg"
	}
}