{
	"id": "c3269854-356b-4344-a0d8-decf6f73b2c8",
	"created_at": "2026-04-06T00:21:31.729314Z",
	"updated_at": "2026-04-10T03:34:27.6547Z",
	"deleted_at": null,
	"sha1_hash": "f4036e666095678b4051549ce5091f442df8fe2e",
	"title": "Deep Malware and Phishing Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1668867,
	"plain_text": "Deep Malware and Phishing Analysis\r\nBy Joe Security LLC\r\nArchived: 2026-04-05 13:21:56 UTC\r\nRecently we came across an interesting sample which seems to be related to Elise Malware. Elise is tied to\r\nthe Dragon Fish and Lotus Blossom APT groups, which primarily target governments and defense contractors.\r\nElise is known to infect victims by using the latest exploits available and is often packed with interesting sandbox\r\nevasion techniques.\r\nIn this blog post, we will dissect the latest version of Elise.\r\nThe sample under investigation is distributed as an Office document lure, to be more precise in Rich Text Format.\r\nhttps://www.joesecurity.org/blog/8409877569366580427\r\nPage 1 of 11\r\nCVE-2018-0802\r\nWe start the analysis by having a look at the behavior graph and acknowledge that the process EQNEDT32.EXE\r\nwas started alongside Winword.exe:\r\nThis process is the Microsoft Office Equation Editor. In November 2017 the security company Embedi detected\r\nan exploit in EQNEDT32.EXE which was later assigned the identifier CVE-2017-11882. Microsoft patched the flaw in\r\nNovember.\r\nSo, is Elise using this exploit? To answer this question we had a detailed look at the exploit itself. The outcome:\r\nno, it is not CVE-2017-11882 but rather CVE-2018-0802. CVE-2018-0802? This is a second exploit also included\r\nin EQNEDT32.EXE which was detected later, in December.\r\nWe extracted the trampoline and shellcode:\r\nThe code renames and loads the PE file (named a.b) previously dropped by Word. The newly loaded code is then\r\ninjected into IExplorer.exe where the main payload is executed:\r\nSandbox Evasions\r\nElise performs a variety of sandbox checks in IExplorer:\r\nVMware backdoor check\r\nDisk Name Check\r\nCheck for various Analysis Tools\r\nProcess Check\r\nMac Address Check\r\nPayloads\r\nAfter passing all the sandbox checks Elise creates an autostart key:\r\nAdd a Proxy to Internet Explorer\r\nAdd a Proxy to Firefox\r\nFinally, in functions 514D05, 5159AF and 515486 we find the download, upload and command execution handlers.\r\nElise can collect and upload the following data:\r\nCPU Usage\r\nRam (size/free)\r\nDisk space (size/free)\r\nWindows Version\r\nUsername\r\nLocale\r\nTimezone\r\nSID\r\nList of tasks\r\nList of network adapters\r\nList of files on Desktop\r\nFinal Words\r\nElise is a very advanced piece of malware using for its distribution only the latest exploits. Before the main\r\npayload is executed many different sandbox evasions are performed. The payload and the communication code are\r\ninjected into IExplorer, likely bypassing PFW and HIPS.\r\nSource: https://www.joesecurity.org/blog/8409877569366580427",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.joesecurity.org/blog/8409877569366580427"
	],
	"report_names": [
		"8409877569366580427"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98",
			"created_at": "2022-10-25T15:50:23.538608Z",
			"updated_at": "2026-04-10T02:00:05.378092Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"Lotus Blossom",
				"DRAGONFISH",
				"Spring Dragon",
				"RADIUM",
				"Raspberry Typhoon",
				"Bilbug",
				"Thrip"
			],
			"source_name": "MITRE:Lotus Blossom",
			"tools": [
				"AdFind",
				"Impacket",
				"Elise",
				"Hannotog",
				"NBTscan",
				"Sagerunex",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c21da9ce-944f-4a37-8ce3-71a0f738af80",
			"created_at": "2025-08-07T02:03:24.586257Z",
			"updated_at": "2026-04-10T02:00:03.804264Z",
			"deleted_at": null,
			"main_name": "BRONZE ELGIN",
			"aliases": [
				"CTG-8171 ",
				"Lotus Blossom ",
				"Lotus Panda ",
				"Lstudio",
				"Spring Dragon "
			],
			"source_name": "Secureworks:BRONZE ELGIN",
			"tools": [
				"Chrysalis",
				"Cobalt Strike",
				"Elise",
				"Emissary Trojan",
				"Lzari",
				"Meterpreter"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "87a20b72-ab72-402f-9013-c746c8458b0b",
			"created_at": "2023-01-06T13:46:38.293223Z",
			"updated_at": "2026-04-10T02:00:02.915184Z",
			"deleted_at": null,
			"main_name": "LOTUS PANDA",
			"aliases": [
				"Red Salamander",
				"Lotus BLossom",
				"Billbug",
				"Spring Dragon",
				"ST Group",
				"BRONZE ELGIN",
				"ATK1",
				"G0030",
				"Lotus Blossom",
				"DRAGONFISH"
			],
			"source_name": "MISPGALAXY:LOTUS PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eaa8168f-3fab-4831-aa60-5956f673e6b3",
			"created_at": "2022-10-25T16:07:23.805824Z",
			"updated_at": "2026-04-10T02:00:04.754761Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"ATK 1",
				"ATK 78",
				"Billbug",
				"Bronze Elgin",
				"CTG-8171",
				"Dragonfish",
				"G0030",
				"G0076",
				"Lotus Blossom",
				"Operation Lotus Blossom",
				"Red Salamander",
				"Spring Dragon",
				"Thrip"
			],
			"source_name": "ETDA:Lotus Blossom",
			"tools": [
				"BKDR_ESILE",
				"Catchamas",
				"EVILNEST",
				"Elise",
				"Group Policy Results Tool",
				"Hannotog",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PsExec",
				"Rikamanu",
				"Sagerunex",
				"Spedear",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie",
				"gpresult"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434891,
	"ts_updated_at": 1775792067,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f4036e666095678b4051549ce5091f442df8fe2e.pdf",
		"text": "https://archive.orkl.eu/f4036e666095678b4051549ce5091f442df8fe2e.txt",
		"img": "https://archive.orkl.eu/f4036e666095678b4051549ce5091f442df8fe2e.jpg"
	}
}