{
	"id": "eb11941f-df84-45cc-a034-4d37a1800e0a",
	"created_at": "2026-04-06T01:32:12.548508Z",
	"updated_at": "2026-04-10T03:32:24.130009Z",
	"deleted_at": null,
	"sha1_hash": "f4887377e8b0eb2d20f2034c66d50f59af967524",
	"title": "“Filesnfer” Tool (C#, Python) – One Night in Norfolk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 443090,
	"plain_text": "“Filesnfer” Tool (C#, Python) – One Night in Norfolk\r\nPublished: 2019-05-07 · Archived: 2026-04-06 01:21:08 UTC\r\nOn 6 May 2019, Symantec published reporting on a series of tools possibly used by APT3 (or a broader China-based espionage apparatus), including a previously publicly unreported backdoor dubbed “Filesnfer.”* Several\r\nhashes were made available for this malware, including one for a variant written in C++, one for a variant written\r\nin Python (compiled via Py2Exe), and one purportedly written in PowerShell.\r\nThe hash for the PowerShell file is unavailable on VirusTotal; however, analysis of the Python code can be used to\r\nidentify a different file uploaded to the Hybrid Analysis platform that is delivered via a PowerShell loader, written\r\nin C#, and contains significant code-level and unique-string overlaps with the Python variant. This file was also\r\nnot made available for download on the platform, but the strings for the loaded C# code in this sandbox run are\r\nenough to find an additional sample of the entire decompiled code on VirusTotal.\r\nThis blog contains a brief technical overview of each of these variants, and the pivoting method described. If\r\nyou’re just here for the C# (“PowerShell”) hash: 8de3b2eac3fa25e2cf9042d1b952f0d9. For analysis of these files,\r\nkeep reading.\r\n* (Symantec notes that the connection between this backdoor and APT3 was provided to them through\r\ncollaboration with another vendor).\r\nPy2Exe Filesnfer\r\nMD5: a3932533efc04ac3fe89fb5b3d60128a\r\nSHA1: 2a01d103b2bb66cba2cdb201f09933fee2055db3\r\nSHA256: 3dbe8700ecd27b3dc39643b95b187ccfd44318fc88c5e6ee6acf3a07cdaf377e\r\nAs Symantec notes, this file is a compiled Python executable built using Py2Exe. 
The python-exe-unpacker\r\navailable on GitHub can be used to partially decompile the code, although it did encounter an error during this\r\nanalysis that prevented a full dump from being created:\r\nDecompilation error of the Py2Exe-compiled file\r\nhttps://norfolkinfosec.com/filesnfer-tool-c-python/\r\nPage 1 of 7\n\nDespite this limitation, it’s still possible to infer some of the functionality and, as described above, identify a\r\ncomplete dump of the C# version through additional pivoting. The Python code defines several classes including:\r\n– DirItem\r\n– TransArgs\r\n– LoadCert\r\n– Monitor\r\n– Timer\r\nIn addition, the following functions are defined:\r\n– print_log(xtype, pstr, btime=True)\r\n– Recv(sock, size, timeout=3, bLoop=True)\r\n– SendPacket(sock, buf)\r\n– RecvPacket(sock, size=0)\r\n– GenFileName(strFile)\r\n– UnitConv(fSize)\r\n– PutFileData(pSocket, sourceFile, Length, types=0, lLen=0, Speeds=10485760, bZip=True)\r\n– GetFileData(gSocket, destFile, Length, types, lLen, bZip=True)\r\n– SendDirList(sock, filepath)\r\n– ServerLoopPro\r\n– ServerX(host, port)\r\n– handler(signum, frame)\r\nOf these, ServerLoopPro failed to decompile. The rest of the available code can be used to determine the intent\r\nand functionality of this section, however. On execution, the “main” block of the code defines variables that call\r\nthe Monitor, Timer, and LoadCert classes, which set a backconnect Boolean to “True,” initiate a “timer” interval,\r\nand define a certificate and key respectively.\r\n“Main” initiating the Monitor and Timer classes\r\nThe malware then performs a series of checks on any supplied parameters to make sure that they are properly\r\nformatted. The code then calls the “ServerX” function if a host and port have been specified.\r\nServerX and ServerLoopPro\r\nThe ServerX function operates as the second “parent” routine within the decompiled code. 
ServerX will read a\r\nspecified host and port and attempt to open a socket connection to this location (using the certificate and key\r\ndefined earlier). From here, it creates a thread for the ServerLoopPro function.\r\nServerLoopPro did not properly decompile during this analysis, but the code provided offers insight into the\r\nfunctionality. The code references several “orders” that are compared to integer constants. If these conditions are\r\nnot met, the code jumps to a different location, often performing a similar comparison against a different value. In\r\naddition, there are several references to the functions defined above, such as PutFileData and GetFileData:\r\nReferences to “PutFileData” and “Order”\r\nA likely inference is that these functions are part of a command structure contained within the ServerLoopPro\r\nroutine. Thus, analyzing these functions lends insight into the likely commands available to the attackers.\r\nPutFileData and GetFileData read and write content to and from the infected device. SendDirList enumerates the\r\ncontents of a specified directory back to the attacker:\r\nSnippet of “SendDirList”\r\nPowerShell/C# Filesnfer\r\nMD5: 8de3b2eac3fa25e2cf9042d1b952f0d9\r\nSHA1: 23b1c6b81fd7d4d6ea0bc81109ce886a45967180\r\nSHA256: 6972ba198ed0d30de9f66be5777ecdba2d657078f138325ee6db225c20b29e6e\r\nAs noted above, the hash Symantec provided for the “PowerShell” version of this tool is not available on\r\nVirusTotal; however, searching for the unique function strings ServerLoopPro and ServerX leads to a Hybrid\r\nAnalysis sandbox report containing a likely variant.\r\nPivoting results from unique strings in Python file\r\nAlthough the file is not available for download, analysis of the strings in memory suggests an encrypted payload\r\ndelivered via a PowerShell file (that also opens a firewall exception). 
In addition, the malware launches “csc.exe,”\r\nthe legitimate Microsoft C# compiler, and appears to compile and run a file with this tool. Analysis of the C# code\r\nin the sandbox report reveals similar function names as well as the suspected “order” commands:\r\nEncrypted contents of the PowerShell file\r\nIdentical function names within the C# code as well as “order” references\r\nA VirusTotal content search on these unique strings reveals a nearly identical C# file\r\n(8de3b2eac3fa25e2cf9042d1b952f0d9). Much like the Python variant, the C# variant defines several similar\r\nstructures and classes at the start:\r\nClass and structure definitions within the C# variant of Filesnfer\r\nIn some cases, the code overlaps are almost identical:\r\nDirectory listing function in Python variant (left) compared to C# variant (right)\r\nAs a whole, the C# variant functions in largely the same fashion, with some slight differences. The “Main” routine\r\nonly requires a listening port (in this case, port 47000) to pass to ServerX (interestingly, the entire file is also held\r\nwithin a class named “xserver”). ServerX can allow the malware to act as a proxy in addition to calling\r\nServerLoopPro; in turn, ServerLoopPro can receive “orders” (just as inferred in the Python sample). 
Several of\r\nthese orders are commented by the malware author, and include the following (largely self-explanatory) options:\r\n– list\r\n– download\r\n– upload\r\n– del\r\n– exec\r\n– read interval\r\n– set interval\r\n– change dir\r\n– process list\r\nExample of command structure within the C# variant\r\nConcluding Thoughts\r\nSymantec’s article notes that the Filesnfer backdoor was observed by an undisclosed additional vendor, and that\r\ncorroborating analysis tying it to the APT3 threat actor is unavailable at this time; as such, this blog post is only\r\nintended to highlight the functionality of this backdoor (and identify a publicly available variant of the\r\nC#/PowerShell version). Regardless of the operator, the backdoor is capable of providing several basic but\r\nimportant capabilities, including file transfers, command execution, and basic reconnaissance.\r\nSource: https://norfolkinfosec.com/filesnfer-tool-c-python/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://norfolkinfosec.com/filesnfer-tool-c-python/"
	],
	"report_names": [
		"filesnfer-tool-c-python"
	],
	"threat_actors": [
		{
			"id": "13354d3f-3f40-44ec-b42a-3cda18809005",
			"created_at": "2022-10-25T15:50:23.275272Z",
			"updated_at": "2026-04-10T02:00:05.36519Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"APT3",
				"Gothic Panda",
				"Pirpi",
				"UPS Team",
				"Buckeye",
				"Threat Group-0110",
				"TG-0110"
			],
			"source_name": "MITRE:APT3",
			"tools": [
				"OSInfo",
				"schtasks",
				"PlugX",
				"LaZagne",
				"SHOTPUT",
				"RemoteCMD"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c",
			"created_at": "2025-08-07T02:03:24.631402Z",
			"updated_at": "2026-04-10T02:00:03.608938Z",
			"deleted_at": null,
			"main_name": "BRONZE MAYFAIR",
			"aliases": [
				"APT3 ",
				"Gothic Panda ",
				"Pirpi",
				"TG-0110 ",
				"UPSTeam"
			],
			"source_name": "Secureworks:BRONZE MAYFAIR",
			"tools": [
				"Cookiecutter",
				"HUC Proxy Malware (Htran)",
				"Pirpi",
				"PlugX",
				"SplitVPN",
				"UPS",
				"ctt",
				"ctx"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439132,
	"ts_updated_at": 1775791944,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f4887377e8b0eb2d20f2034c66d50f59af967524.pdf",
		"text": "https://archive.orkl.eu/f4887377e8b0eb2d20f2034c66d50f59af967524.txt",
		"img": "https://archive.orkl.eu/f4887377e8b0eb2d20f2034c66d50f59af967524.jpg"
	}
}