{
	"id": "c2613ef5-6ce3-4a6e-9c2c-cdebc1ee3e57",
	"created_at": "2026-04-06T00:15:59.556155Z",
	"updated_at": "2026-04-10T03:32:09.366965Z",
	"deleted_at": null,
	"sha1_hash": "f4bdbbe370f56e03edfab1e83985016508bfe76e",
	"title": "IconDown – Downloader Used by BlackTech - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1889246,
	"plain_text": "IconDown – Downloader Used by BlackTech - JPCERT/CC Eyes\r\nBy JPCERT/CC\r\nPublished: 2019-11-20 · Archived: 2026-04-02 11:47:10 UTC\r\nBlackTech\r\nIn past articles, we have introduced TSCookie and PLEAD, malware used by the attack group BlackTech.\r\nWe have confirmed that this group also uses another type of malware called “IconDown”. According to ESET’s blog[1], the malware is distributed through the update function of ASUS WebStorage.\r\nThis article describes the details of IconDown found in Japanese organisations.\r\nIconDown’s behaviour\r\nThe malware downloads a file from a specific site. This is an example of the HTTP GET requests sent by IconDown.\r\nGET /logo.png HTTP/1.1\r\nHost: update.panasocin.com\r\nCache-Control: no-cache\r\nThen, it searches the downloaded file from its beginning for the following HEX values, which serve as a signature of the embedded data.\r\n91 00 13 87 33 00 90 06 19\r\nIf the signature is found, the following 256 bytes are parsed as an RC4 key. It is used to decrypt the data embedded in the downloaded file. (See Table 1 in Appendix A for details.)\r\nhttps://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\r\nPage 1 of 7\r\nFigure 1: RC4 key and encrypted data\r\nThe RC4-encrypted data is expected to contain a configuration value and a PE file. The following figure shows the decrypted data.\r\nFigure 2: Example of decrypted data\r\nIconDown creates a PE file from the decrypted data and saves it to the filesystem. Based on the configuration value, it chooses the path to save the file from the following:\r\nFile name contained in the configuration of the downloaded file\r\n%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\slui.exe\r\n%TEMP%\\F{random 8-digit hexadecimal string}.TMP\r\nThen, the saved PE file is executed as specified in the configuration value. (See Table 3 in Appendix B for details of the configuration.)\r\nIn Closing\r\nBlackTech has carried out attacks against Japanese organisations by using various types of malware. As the same activity is likely to continue, we will keep an eye on the situation. The hash values of the samples are listed in Appendix C, and the C\u0026C server in Appendix D. Please make sure that none of your devices is communicating with the host.\r\nShintaro Tanaka\r\n(Translated by Yukako Uchida)\r\nReference\r\n[1] ESET: Plead malware distributed via MitM attacks at router level, misusing ASUS WebStorage\r\nhttps://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/\r\nAppendix A: Format of data downloaded by IconDown\r\nTable 1: Format of data downloaded by IconDown\r\nOffset Length Contents\r\n0x000 9 91 00 13 87 33 00 90 06 19 (HEX value)\r\n0x009 256 RC4 key\r\n0x209 - RC4-encrypted data (See Table 2 for details.)\r\nTable 2: Format of the encrypted data\r\nOffset Length Contents\r\n0x000 4 Fixed value (between 0 and 5, see Table 3 for details)\r\n0x010 - File name (%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\slui.exe if not configured)\r\n0x114 - PE file\r\nAppendix B: Method of creating/executing PE files\r\nTable 3: Methods of creating/executing PE files\r\nValue Contents\r\n0x00000000 Create a file named [File name in Table 2]\r\n0x00000001 Create a file named [File name in Table 2] and execute cmd.exe /c [File name in Table 2]\r\n0x00000002 Terminate itself\r\n0x00000003 Create a file named [File name in Table 2] and terminate itself\r\n0x00000004 Create a file named [File name in Table 2], execute cmd.exe /c [File name in Table 2] and terminate itself\r\n0x00000005 Create a file named [File name in Table 2] and %TEMP%\\F{random 8-digit hexadecimal string}, execute cmd.exe /c %TEMP%\\F{random 8-digit hexadecimal string} and terminate itself\r\nAppendix C: Hash value of the samples\r\nIconDown\r\n634839b452e43f28561188a476af462c301b47bddd0468dd8c4f452ae80ea0af\r\n6bf301b26a919f86655e4ccb20237cc3b6b6888f258d96aac4d62df7980e51a5\r\n2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4\r\nA sample file downloaded by IconDown\r\nf6494698448cdaf6ec0ed7b3555521e75fac5189fa3c89ba7b2ad492188005b4\r\nAppendix D: C\u0026C server\r\nupdate.panasocin.com\r\nSource: https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html"
	],
	"report_names": [
		"icondown-downloader-used-by-blacktech.html"
	],
	"threat_actors": [
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434559,
	"ts_updated_at": 1775791929,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f4bdbbe370f56e03edfab1e83985016508bfe76e.pdf",
		"text": "https://archive.orkl.eu/f4bdbbe370f56e03edfab1e83985016508bfe76e.txt",
		"img": "https://archive.orkl.eu/f4bdbbe370f56e03edfab1e83985016508bfe76e.jpg"
	}
}