{
	"id": "3fc0b735-f233-4e10-a4cc-bdac899509f7",
	"created_at": "2026-04-06T00:22:00.391689Z",
	"updated_at": "2026-04-10T03:22:00.374001Z",
	"deleted_at": null,
	"sha1_hash": "f8fa113fa21415b52d7372adb6bb5734737942bb",
	"title": "MILE TEA: Cyber Espionage Campaign Targets Asia Pacific Businesses and Government Agencies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1233065,
	"plain_text": "MILE TEA: Cyber Espionage Campaign Targets Asia Pacific\r\nBusinesses and Government Agencies\r\nBy Kaoru Hayashi\r\nPublished: 2016-09-15 · Archived: 2026-04-05 14:31:28 UTC\r\nIn June 2016, Unit 42 published the blog post “Tracking Elirks Variants in Japan: Similarities to Previous\r\nAttacks”, in which we described the resemblance of attacks using the Elirks malware family in Japan and Taiwan.\r\nSince then, we continued tracking this threat using Palo Alto Networks AutoFocus and discovered more details of\r\nthe attacks, including target information. We’ve seen examples of this attack campaign, which we’ve named\r\n“MILE TEA” (MIcrass Logedrut Elirks TEA), appearing as early as 2011, and that it has since expanded the scope\r\nof targets. It involves multiple malware families and often tricks targets by sending purported flight e-tickets in\r\nemail attachments. The identified targets include three separate Japanese trading companies, a Japanese petroleum\r\ncompany, a mobile phone organization based in Japan, the Beijing office of a public organization of Japan, and a\r\ngovernment agency in Taiwan.\r\nAttack Overview\r\nFigure 1 shows the number of attacks considered as a part of the MILE TEA campaign since 2011. As we can see,\r\nthe volume of the threats is small in total.\r\nFigure 1 Number of threats used in the attack campaign\r\nIn the first three years, most of the reported attacks were from Taiwan. saw infections in a few other countries in\r\nAsia, but the number was miniscule. In mid-2013, the target base shifted to Japan. Since 2015, most of the\r\nreported attacks are from Japan.\r\nhttps://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/\r\nPage 1 of 18\n\nFigure 2 Reports by countries\r\nThe primary infection vector is a spear phishing email with a malicious attachment. 
Although we collected several\r\ndocument-based exploit files (RTF, XLS, and PDF) in this attack campaign, most of the attachments were\r\nexecutable files that, interestingly, suggest a custom malware installer. Attackers often use self-extracting\r\nexecutable files or existing installer packages to reduce development costs when they need to drop multiple files.\r\nHowever, in this campaign, the attacker group created its own installer program with the following features:\r\nWindows executable with a folder icon\r\nCreates a directory with a pre-determined name in the same path as the installer\r\nCopies decoy files into the created directory\r\nInstalls a batch file and malware in the Temp directory\r\nExecutes a batch script to delete the installer\r\nFigure 3 shows examples of the custom installer and its different folder icons.\r\nFigure 3 Custom installers with the folder icon\r\nThe use of e-flight tickets as phishing lures has been seen repeatedly for a number of years. The following is the\r\nlist of malicious attachment samples that use this technique. 
It is the most prevalent lure used by this threat actor\r\nto entice targets for this campaign.\r\nTarget Year SHA256\r\nJapan 2016 71d5bc9404aa2aa40d79cb16837246a31fa3f12b195330a091e3867aa85f1bc6\r\nTaiwan 2015 7b1509051ccacc4676bf491f63c8a8c7c3b42ffd6cbf3d8bb1dd0269424df985\r\nJapan 2014 8c338446764db7478384700df811937dabc3c6747f54fd6325629e22e02de2cc\r\nTaiwan 2014 b393b9774c32de68b35bffd43ace22f9e9d695545de02d8b1d29c8ae38db3488\r\nTaiwan 2014 4607aa975fd9b5aaebe684b26fa31d8ef0840682b148dbcf7f57e9c35d107eb6\r\nTaiwan 2013 f23ab2ee9726c4061b2e0e7f6b9491e384de8103e410871c34b603326b7672da\r\nTaiwan 2013 5de5346613be67e3e3bdf82c215312e30bf5ab07aafd0da0e6967897752e0c1d\r\nTaiwan 2013 1ed808c7909bde7164d81a8c752a62ced116e03cfb6c7502019d84340f04b76a\r\nTaiwan 2012 b6034a3fc6e01729166a4870593e66d9daf0cdff8726c42231662c06358632a7\r\nTaiwan 2012 f18ddcacfe4a98fb3dd9eaffd0feee5385ffc7f81deac100fdbbabf64233dc68\r\nTable 1 Samples of malicious attachments masquerading as E-Ticket\r\nMalware\r\nIn this MILE TEA campaign, the actor uses the following three malware families as the initial infection delivered by the\r\ncustom installer. 
The primary purpose of these families is to establish a bridgehead, collecting system information\r\nand downloading additional malware from a remote server.\r\nMalware Executable Type Cipher C2 address from Blog\r\nElirks PE, PE64, DLL TEA, AES Yes\r\nMicrass PE TEA No\r\nLogedrut PE, MSIL DES Yes\r\nTable 2 Malware characteristics\r\nWhile many security vendors classify these samples under different malware family names, they share functionality, code,\r\nand infrastructure, leading us to conclude that they in fact belong to the three malware families listed above.\r\nFunctionality – Blog Access\r\nAs described in the previous blog post, one of the unique features of Elirks is that it retrieves a command and\r\ncontrol (C2) address from a public-facing blog service. When configured to do so, the malware accesses a predetermined\r\nblog page, discovers a specific string, decodes it from Base64 and decrypts it using the Tiny\r\nEncryption Algorithm (TEA) cipher. The same functionality is found in Logedrut; however, instead of the\r\nTEA cipher, it uses DES.\r\nA sample of Logedrut (afe57a51c5b0e37df32282c41da1fdfa416bbd9f32fa94b8229d6f2cc2216486) accesses a\r\nfree blog service hosted in Japan and reads the following article posted by the threat actor.\r\nFigure 4 Encoded C2 address posted by attacker\r\nThe routine called GetAddressByBlog() in Logedrut looks for text between two pre-defined strings. In this\r\nparticular case, the malware sample looks for text between \"doctor fish\" and \"sech yamatala\". The malware\r\ndetermines that the encoded text is “pKuBzxxnCEeN2CWLAu8tj3r9WJKqblE+” and proceeds to handle it using the\r\nfollowing function.\r\nFigure 5 Code finding encoded C2 address from blog\r\nThis code decodes the string from Base64 and decrypts it with DES. 
So far all Logedrut samples use exactly the same key,\r\n1q2w3e4r, for decryption. The following Python code can be used to decode the C2 address.\r\nimport base64\r\nfrom Crypto.Cipher import DES  # pycryptodome\r\n\r\n# Base64 text found between the two marker strings on the blog page (Figure 4)\r\nencoded_string = \"pKuBzxxnCEeN2CWLAu8tj3r9WJKqblE+\"\r\n# Logedrut uses the same static value as both the DES key and the CBC IV\r\niv = key = b\"1q2w3e4r\"\r\n# 32 Base64 characters decode to 24 bytes, i.e. three full DES blocks\r\ndecoded_string = base64.b64decode(encoded_string)\r\ndes = DES.new(key, DES.MODE_CBC, iv=iv)\r\ndecrypted_string = des.decrypt(decoded_string)\r\nprint(decrypted_string)\r\nCode - TEA with XOR\r\nElirks and Micrass employ exactly the same TEA cipher. TEA is a block cipher that encrypts and decrypts 64 bits (8\r\nbytes) of data at a time. The author of the code added an extra cipher operation, XORing the data, for a final\r\nblock shorter than 64 bits. For example, if the encrypted data length is 248 bits (31\r\nbytes), the code in both malware samples decrypts the first three blocks (64 x 3 = 192 bits) with TEA. The final\r\nblock is only 56 bits (248 - 192 = 56), so the code uses a simple XOR operation against the remaining data. This\r\nsupplement to TEA has not been widely used, and all Elirks and Micrass samples have the same static key (2D 4E\r\n51 67 D5 52 3B 75) for the XOR operation. Given these similarities, we can conclude that the author of both\r\nfamilies may be the same, or may have access to the same source code.\r\nFigure 6 TEA with XOR Cipher in Elirks and Micrass\r\nInfrastructure - C2 Servers\r\nBased on our analysis, we see that only a handful of samples share the same infrastructure directly. 
The threat actors\r\ncarefully minimize reusing C2 domains and IP addresses among their malware samples, and yet they prefer using\r\nservers located in Hong Kong no matter where the target resides.\r\nFigure 7 Location of C2 servers\r\nTarget Analysis\r\nIdentifying targets from spear-phishing emails\r\nWe found a spear phishing email sent to a government agency in Taiwan in March 2015. The email sender\r\nmasquerades as an airline company, and the RAR archive attachment contains the custom installer named\r\nTicket.exe that drops Ticket.doc and Micrass malware.\r\nFigure 8 Spear-phishing email sent to an agency in Taiwan\r\nDuring the analysis of the email, we came across an article in a Taiwan newspaper from February 2014 that\r\nalerted the public about a similar email message being widely distributed that contained a malicious attachment.\r\nThe only difference between the email messages in Figure 8 and in the news article was the date. The adversary\r\nreused an email message from more than a year earlier.\r\nIdentifying targets from decoy files\r\nThe most interesting part of this attack campaign is that the threat actor has been using stolen documents from\r\npreviously compromised organizations to perform additional attacks since early 2015. These documents are not\r\npublicly available, nor do they look to have been created from scratch by the attacker. Because they contain sensitive data\r\ntied to a specific business, it is unlikely that a third party would be able to craft them.\r\nThe following figure shows the decoy file installed by a sample identified in early April 2015. 
The file is a weekly\r\nreport created at the end of March 2015 by a salesperson at a Japanese trading company. The report includes\r\nvarious pieces of sensitive information specific to their business.\r\nFigure 9 Weekly report from a Japanese trading company\r\nThe properties identified within the document indicate that the company name matches the context, and the person\r\nwho last modified it is the same individual seen in the document itself. Because of this, the file appears legitimate\r\nand it’s very unlikely that this document would ever be made publicly available. The threat actor almost certainly\r\nstole this document soon after it was created, and reused it as the decoy for the next target within a week of the theft.\r\nFigure 10 Property of the decoy document\r\nAnother installer found in Japan in May 2015 also contained sensitive information. The decoy looks to be a draft\r\nversion of a legitimate contract addendum between the subsidiary of a Japanese petroleum company based in\r\nAustralia, and a China-based company. The document provides details of the deal, including price. It contains\r\nnumerous tracked changes by what appear to be two Japanese-speaking individuals. We have confirmed, from the official release of\r\npersonnel changes in 2013, that one of the individuals was a manager of an overseas project of the parent company in Japan. 
The file is also considered to have been stolen from a target organization and used as a decoy\r\nfor the next attack.\r\nFigure 11 Contract addendum decoy file\r\nIn addition to those examples, we found the following decoy files that are likely stolen from previously\r\ncompromised organizations.\r\nOrganization Type of document\r\nBeijing Office of a public organization of Japan Budget Report\r\nAnother Trading Company in Japan Internal investigation document\r\nMobile phone organization in Japan Inventory of new smartphones\r\nTable 3 Potential source of another decoy file\r\nWe cannot confirm whether those files were stolen as part of the MILE TEA campaign or not. Either way, it’s\r\ndifficult to imagine that the threat actor sent those internal documents to entirely different organizations or\r\nindustries. One plausible explanation would be that the threat actors target different persons or departments within the\r\nsame organization or industry.\r\nIdentifying targets from Malware\r\nSo far, we have described two trading companies in Japan that are possibly targeted. In addition to these two\r\ncompanies, there is another company in Japan that could be involved in the attack campaign as well. A sample of\r\nLogedrut was identified that is capable of communicating with its C2 through an internal proxy server in the\r\ncompromised organization. The sample contains an internal proxy address for a trading company in Japan, as seen\r\nin String7 in the image below. 
Thus, the sample is specially crafted for this specific enterprise.\r\nFigure 12 Internal proxy address in Logedrut\r\nConclusion\r\nMILE TEA is a five-year-long targeted attack campaign focused on businesses and government agencies in Asia\r\nPacific and Japan. The threat actor behind it maintains and uses multiple malware families, including a custom\r\ninstaller. The actor is interested in organizations that conduct business in multiple countries. The trading\r\ncompanies cover an immensely broad area, from commodity products to aviation around the world. Another\r\npossible target is a Japanese petroleum company that has multiple offices and subsidiary companies in overseas\r\ncountries. A public organization in Japan and a government agency in Taiwan were also targeted.\r\nPalo Alto Networks customers are protected from this threat in the following ways:\r\n1. WildFire accurately identifies all malware samples related to this operation as malicious.\r\n2. Domains used by this operation have been flagged as malicious in Threat Prevention.\r\n3. 
AutoFocus users can view malware related to this attack using the “Micrass”, \"Elirks\", and \"Logedrut\"\r\ntags.\r\nIndicators of Compromise\r\nNote: We omitted some hashes containing potentially stolen documents from the compromised organization.\r\nSource: https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/"
	],
	"report_names": [
		"mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies"
	],
	"threat_actors": [],
	"ts_created_at": 1775434920,
	"ts_updated_at": 1775791320,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f8fa113fa21415b52d7372adb6bb5734737942bb.pdf",
		"text": "https://archive.orkl.eu/f8fa113fa21415b52d7372adb6bb5734737942bb.txt",
		"img": "https://archive.orkl.eu/f8fa113fa21415b52d7372adb6bb5734737942bb.jpg"
	}
}