{
	"id": "ebf30b77-c7ad-49dd-81ef-25386920f557",
	"created_at": "2026-04-06T00:22:21.792961Z",
	"updated_at": "2026-04-10T03:32:20.82895Z",
	"deleted_at": null,
	"sha1_hash": "f4b7cc2a5430c5bb3ff4a7ea54363945dc1c574a",
	"title": "Study of the Spyder modular backdoor for targeted attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 285378,
	"plain_text": "Study of the Spyder modular backdoor for targeted attacks\r\nPublished: 2021-03-04 · Archived: 2026-04-05 19:54:50 UTC\r\nMarch 4, 2021\r\nIn December 2020, the Doctor Web virus laboratory was contacted by a telecommunications company\r\nbased in Central Asia after its employees discovered suspicious files on their corporate network. During the\r\nexamination, our analysts extracted and studied a malicious sample, which turned out to be one of the\r\nbackdoors used by the hacker group known as Winnti.\r\nWe had already come across the malware Winnti uses when we studied the ShadowPad backdoor samples we\r\nfound in the compromised network of a state institution in Kyrgyzstan. In addition, earlier in the same network,\r\nwe found another specialized backdoor called PlugX, which has many intersections with ShadowPad in its code\r\nand network infrastructure. A separate article was devoted to the comparative analysis of the two families.\r\nIn this study, we analyze the uncovered malicious module, explore its algorithms and features, and define its\r\nconnection with other well-known tools of the Winnti APT group.\r\nMain features\r\nOn the infected device, the malicious module was located in the system directory C:\\Windows\\System32 as\r\noci.dll. Thus, the module was prepared for launch by the MSDTC (Microsoft Distributed Transaction Coordinator)\r\nsystem service using the DLL Hijacking method. According to our data, the file got to the computers in May 2020,\r\nbut the method of initial infection remains unknown. 
The Event Log contained records of the creation of services\r\ndesigned to start and stop MSDTC, as well as for executing the backdoor.\r\nLog Name: System\r\nSource: Service Control Manager\r\nDate: 23.11.2020 5:45:17\r\nEvent ID: 7045\r\nTask Category: None\r\nLevel: Information\r\nKeywords: Classic\r\nUser: \u003credacted\u003e\r\nComputer: \u003credacted\u003e\r\nDescription:\r\nA service was installed in the system.\r\n \r\nService Name: IIJVXRUMDIKZTTLAMONQ\r\nService File Name: net start msdtc\r\nService Type: user mode service\r\nService Start Type: demand start\r\nService Account: LocalSystem\r\nLog Name: System\r\nSource: Service Control Manager\r\nDate: 23.11.2020 5:42:20\r\nEvent ID: 7045\r\nTask Category: None\r\nLevel: Information\r\nKeywords: Classic\r\nUser: \u003credacted\u003e\r\nComputer: \u003credacted\u003e\r\nDescription:\r\nA service was installed in the system.\r\n \r\nService Name: AVNUXWSHUNXUGGAUXBRE\r\nService File Name: net stop msdtc\r\nService Type: user mode service\r\nService Start Type: demand start\r\nService Account: LocalSystem\r\nhttps://news.drweb.com/show/?i=14154\u0026lng=en\r\nPage 1 of 4\n\nWe also found traces of other services running that had random names. Their files were located in directories like\r\nC:\\Windows\\Temp\\\u003crandom1\u003e\\\u003crandom2\u003e, where random1 and random2 are strings of random length made up of\r\nrandom Latin characters. At the time of the study, these services’ executable files were missing.\r\nAn interesting find was a service indicating the use of the smbexec.py utility from the Impacket toolkit for remote\r\ncode execution. The attackers used this tool to establish remote access to the command shell in a semi-interactive\r\nmode.\r\nThe studied malicious sample was added to the Dr.Web virus database as BackDoor.Spyder.1. In one of the\r\ndiscovered Spyder samples, the debug logging functions and messages remained. 
Messages used when\r\ncommunicating with the C\u0026C server contained the string \"Spyder\".\r\nThe backdoor is notable for a number of interesting features. First, oci.dll contains the main PE module, but with\r\nmissing file signatures. The header signatures were presumably erased to hinder detection of the backdoor in\r\nthe device's memory. Second, the payload itself does not carry malicious functionality, but serves to load and\r\ncoordinate additional plug-ins received from the C\u0026C server. With these plug-ins, the backdoor performs its main\r\ntasks. Therefore, this family has a modular structure, just like the other backdoor families used by Winnti — the\r\npreviously mentioned ShadowPad and PlugX.\r\nAnalysis of Spyder's network infrastructure revealed a link to other Winnti attacks. In particular, the infrastructure\r\nused by the Crosswalk and ShadowPad backdoors described in the Positive Technologies study overlaps with that of\r\nsome of the Spyder samples. The graph below clearly shows the identified intersections.\r\nFor a detailed description of BackDoor.Spyder.1 and how it works, see the PDF version of the study or the Doctor\r\nWeb Virus Library.\r\nConclusion\r\nThe analyzed sample of BackDoor.Spyder.1 is notable primarily because its code does not perform direct\r\nmalicious functions. Its main tasks are to operate covertly within the infected system, establish communication\r\nwith the control server, and then wait for operator commands. 
At the same time, it has a modular structure that\r\nallows the operator to scale its capabilities, providing any functionality depending on the needs of the attackers.\r\nThe plug-ins make the considered sample similar to ShadowPad and PlugX, which, together with the\r\nintersections in their network infrastructures, allows us to conclude that it is used by Winnti.\r\nIndicators of compromise.\r\nSource: https://news.drweb.com/show/?i=14154\u0026lng=en",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://news.drweb.com/show/?i=14154\u0026lng=en"
	],
	"report_names": [
		"?i=14154\u0026lng=en"
	],
	"threat_actors": [
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41",
				"BARIUM",
				"Blackfly",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku",
				"GREF",
				"Group 72",
				"Red Kelpie",
				"TA415",
				"TG-2633",
				"Wicked Panda",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434941,
	"ts_updated_at": 1775791940,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f4b7cc2a5430c5bb3ff4a7ea54363945dc1c574a.pdf",
		"text": "https://archive.orkl.eu/f4b7cc2a5430c5bb3ff4a7ea54363945dc1c574a.txt",
		"img": "https://archive.orkl.eu/f4b7cc2a5430c5bb3ff4a7ea54363945dc1c574a.jpg"
	}
}