{
	"id": "4a312dae-7b0e-4d78-8f4f-9b2138f19077",
	"created_at": "2026-04-06T00:11:19.814456Z",
	"updated_at": "2026-04-10T03:24:39.727467Z",
	"deleted_at": null,
	"sha1_hash": "fc5dae82afa532fc1ff3b6b83e3b5c3dea242dab",
	"title": "Holy water: ongoing targeted water-holing attack in Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1201579,
	"plain_text": "Holy water: ongoing targeted water-holing attack in Asia\r\nBy Ivan Kwiatkowski\r\nPublished: 2020-03-31 · Archived: 2026-04-05 16:43:08 UTC\r\nOn December 4, 2019, we discovered watering hole websites that were compromised to selectively trigger a drive-by download attack with fake Adobe Flash update warnings. This campaign has been active since at least May 2019, and targets an Asian religious and ethnic group.\r\nThe threat actor’s unsophisticated but creative toolset has been evolving a lot since the inception date, may still be in development, and leverages Sojson obfuscation, NSIS installer, Python, open-source code, GitHub distribution, Go language, as well as Google Drive-based C2 channels.\r\nThe threat actor’s operational target is not clear because, unfortunately, we haven’t been able to observe many live operations, and we couldn’t identify any overlap with known intrusion sets.\r\nThou shalt update plugins: attack synopsis\r\nThe watering holes have been set up on websites that belong to personalities, public bodies, charities and organizations of the targeted group. At the time of writing, some of these websites (all hosted on the same server) are still compromised, and continue to direct selected visitors to malicious payloads:\r\nDomain Description\r\n*****corps.org Voluntary service program\r\n*****ct.org Religious personality’s charity\r\n*****policy.net Policy institute\r\n*****che.com Religious personality\r\n*****parliament.org Public body\r\n*****ialwork.org Charity\r\n*****nature.net Environmental conservation network\r\n*****airtrade.com Fair trade organization\r\nUpon visiting one of the watering hole websites, a previously compromised but legitimately embedded resource will load a malicious JavaScript. It’s hosted by one of the water-holed websites, and gathers information on the visitor. An external server (see Fig. 
1) then ascertains whether the visitor is a target.\r\nhttps://securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/\r\nPage 1 of 9\n\nFig. 1. Target validation service request.\r\nIf the visitor is validated as a target, the first JavaScript stage will load a second one, which in turn will trigger the drive-by download attack, showing a fake update pop-up (see Fig. 2).\r\nFig. 2. Warning generated by the second payload.\r\nThe visitor is then expected to fall into the update trap, and download a malicious installer package that will set up a backdoor.\r\n1st JavaScript stage\r\nThe first JavaScript stage is named (script|jquery)-css.js, and is obfuscated with the Chinese-language web service Sojson, version 4 (see Fig. 3).\r\nFig. 3. Sojson v4 JavaScript obfuscated one-liner.\r\nThe payload leverages the RTCPeerConnection API and ipify service to fingerprint visitors. The gathered data is sent to loginwebmailnic.dynssl[.]com through HTTP GET requests, in order to validate the visitor as a target:\r\nhttps://loginwebmailnic.dynssl[.]com/all/content.php?jsoncallback=\u0026lanip=\u0026wanip=\u0026urlpath=\u0026_=\r\nThe JSON-formatted response, whose only key is “result”, can either be “t” or “f” (true or false). If the value is “f”, then nothing happens, while “t” will trigger the second JavaScript stage (see Fig. 4).\r\nFig. 4. First stage deobfuscated validation logic.\r\nIn a previous version of this first JavaScript script, an additional JavaScript payload was unconditionally loaded during the first stage, and proceeded with another branch of visitor validation and the second stage.\r\nThis other branch loaded scripts from root20system20macosxdriver.serveusers[.]com, and leveraged the https://loginwebmailnic.dynssl[.]com/part/mac/contentmc.php URL to validate targets. 
The host and validation page names suggest this other branch may have been specifically targeting MacOS users, but we were unable to confirm this hypothesis.\r\n2nd JavaScript stage\r\nThe second JavaScript stage is named (script|jquery)-file.js, and is obfuscated with Sojson version 5 (see Fig. 5).\r\nFig. 5. Nerve-breaking one-line obfuscation.\r\nThe payload leverages jquery.fileDownload to show a modal pop-up to the target. It offers visitors an update to Flash Player. No technical vulnerabilities are exploited: the threat actor relies on the target’s willingness to keep their system up to date. The deobfuscated JavaScript payload (see Fig. 6) reveals that the malicious update is hosted on GitHub.\r\nFig. 6. Malicious update source in second JavaScript payload.\r\nGitHub FlashUpdate repository\r\nThe pop-up links to a PE executable hosted on github[.]com/AdobeFlash32/FlashUpdate. GitHub disabled this repository on February 14 after we reported it to them. However, the repository has been online for more than nine months, and thanks to GitHub’s commit history (see Fig. 7), we gained a unique insight into the attacker’s activity and tools.\r\nFig. 7. 
GitHub’s AdobeFlash32 commit history.\r\nFour executables were hosted in AdobeFlash32/FlashUpdate on the last day it was still available:\r\nAn installer package, embedding a decoy legitimate Flash update and a stager.\r\nGodlike12, a Go backdoor that implements a Google Drive-based C2 channel.\r\nTwo versions of the open-source Stitch Python backdoor that the threat actor modified to add functionalities (persistence, auto-update, decoy download and execution).\r\nDigging into the repository for older commits, we also discovered a previous fake update toolset: a C installer bundling the legitimate Flash installer and a vanilla Stitch backdoor, as well as a C++ infostealer that collects information about host computers (OS version, IP address, hostname) and sends it over HTTP/S.\r\nInstaller package\r\nMD5 9A819F2CE060058745FF5374221ADA7C\r\nCompilation date 2017-Jul-24 06:35:22\r\nFile type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive\r\nFile size 4420 KB\r\nFile names flashplayer32ppi_xa_install.exe\r\nThis malicious update package is an NSIS installer version 3 that will drop and execute two other binaries:\r\nFlashUpdate.exe, D59B35489CB88619415D175953CA5400, a legitimate Windows Flash Player installer from January 15 that is used as a decoy to trick the user into believing they actually set up a Flash update. As modern Adobe Flash installers ‘phone home’ to check for their own validity, this one will fail nowadays with a message stating that the installer is outdated or renamed, and will direct the user to the Adobe website.\r\nIntelsyc.exe, the malicious payload (described below).\r\nThe installer is detected by Kaspersky endpoint protection heuristics as HEUR:Trojan.Win32.Tasker.gen.\r\nIntelsyc Go stager\r\nMD5 6DC5F8282DF76F4045F75FEA3277DF41\r\nCompilation date 1970-Jan-01 
00:00:00\r\nFile type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows\r\nFile size 5976 KB\r\nFile names flashplayer32ppi_xa_install.exe\r\nC2 server adobeflash31_install.ddns[.]info\r\nUser Agent Go-http-client/1.1\r\nThe Go-programmed Intelsyc implant is aimed at staging itself, downloading the Godlike12 backdoor (described below), and setting up persistence.\r\nIt will first retrieve /flash/sys.txt with HTTP GET on adobeflash31_install.ddns[.]info. The file contents may be used as a killswitch to stop any further deployment. If the content is “1” though, the implant will:\r\ncopy itself to C:/ProgramData/Intel/Intelsyc.exe;\r\nestablish persistence through schtasks [T1053] with a logon task named Intelsyc, run as system, and pointing to a previously created self copy;\r\ndownload Godlike12 from github[.]com/AdobeFlash32/FlashUpdate, as C:\\ProgramData\\Adobe\\flashdriver.exe;\r\nestablish Godlike12 persistence through a registry run key [T1060] named flashdriver in HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run, and pointing to a previously downloaded backdoor.\r\nThe stager is detected by Kaspersky endpoint protection heuristics as UDS:DangerousObject.Multi.Generic, and may be misidentified as the GoRansom Go ransomware proof of concept by other endpoint protection products.\r\nSource file paths in the code suggest this backdoor may have been developed on a Windows system.\r\nGodlike12 Go backdoor\r\nMD5 BEC4482890A89F0184B463C727709D53\r\nCompilation date 1970-Jan-01 00:00:00\r\nFile type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows\r\nFile size 4436 KB\r\nFile names flashdriver.exe\r\nC2 server Google Drive\r\nThis implant is written in Go language, and its C2 channel relies on file exchanges with a Google Drive space, through Google Drive’s HTTPS API v3. 
The implant probably leverages the gdrive Go source from GitHub, as it shares several identical code source paths with it.\r\nGodlike12 is the name the threat actor gave to the Google Drive space connections from this implant. Source file paths in the code suggest this backdoor may have been developed on a GNU/Linux system. The not-so-common (less than 100 results in a popular search engine) /root/gowork GOPATH that some of this backdoor’s modules have been compiled from seems popular in Chinese-speaking communities, and may originate from a Chinese-authored tutorial on Go language.\r\nGodlike12 first proceeds with host fingerprinting upon startup (hostname, IP address, MAC address, Windows version, current time). The result is encrypted, base64-encoded, stored in a text file at %TEMP%/[ID]-lk.txt, and uploaded to the remote Google Drive. The implant then regularly checks for a remote [ID]-cs.txt, which contains encrypted commands to execute, and stores encrypted command results in %TEMP%/[ID]-rf.txt to later upload them to the same Google Drive space. ID is the MD5 hash of the base64-encoded MAC address of the first connected network adapter, while TripleDES in ECB mode is used as the encryption algorithm. It is worth mentioning that once again, the encryption function seems to have been inspired by existing open-source code, which mainly appears popular in Chinese-language forums.\r\nGodlike12 does not implement a persistence mechanism, as it is provided by the previous installer package. 
It is detected by Kaspersky endpoint protection heuristics as HEUR:Trojan.Win32.Generic.\r\nWith this implant being a month old at the time of writing (while being in use since at least October 2019), and other malicious update implants having been used before, it is possible that Godlike12-based operations were still a work in progress when we investigated them.\r\nModified Stitch Python backdoor\r\nMD5 EC993FF561CBC175953502452BFA554A\r\nCompilation date 2008-Nov-10 09:40:35\r\nFile type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nFile size 7259 KB\r\nFile names flashplayer32_xa_pp_install.exe, flashplayer32pp_xa_install.exe\r\nC2 server system0_update04driver_roots.dynamic-dns[.]net:443\r\nThis implant is a modified version of the open-source Python backdoor called Stitch, packed as a standalone PE executable with Py2exe.\r\nThreat actors wrapped Stitch with custom Python code to perform additional operations:\r\nIt downloads a legitimate Adobe Flash installation program from the C2 server at startup;\r\nIt auto-updates the backdoor from ubntrooters.serveuser[.]com at startup;\r\nIt ensures persistence through schtasks [T1053] with a logon task named AdobeUpdater pointing to C:\\ProgramData\\package\\AdobeService.exe.\r\nUnder the hood, Stitch is a remote shell program that provides classic backdoor functionalities by establishing a direct socket connection, to exchange AES-encrypted data with the remote server.\r\nConclusion\r\nWith almost 10 compromised websites and dozens of implanted hosts (that we know of), the attackers have set up a sizable yet very targeted water-holing attack. 
The toolset that’s being used seems low-budget and not fully developed, but has been modified several times in a few months to leverage interesting features like Google Drive C2, and would be characteristic of a small, agile team.\r\nWe were unable to observe any live operations, but some tracks indicate that the Godlike12 backdoor is not widespread, and is probably used to conduct reconnaissance and data-exfiltration operations.\r\nWe were unable to correlate these attacks to any known APT groups.\r\nFor more details and the latest information on this threat actor, please contact intelreports@kaspersky.com\r\nAppendix – IOCs\r\nInfrastructure\r\nDomain IP address Description\r\nroot20system20macosxdriver.serveusers[.]com 45.32.154[.]111 Watering hole targets validator server\r\nloginwebmailnic.dynssl[.]com 207.148.117[.]159 Watering hole targets validator server\r\nubntrooters.serveuser[.]com 45.76.43[.]153 Stitch auto-update server\r\nsystem0_update04driver_roots.dynamic-dns[.]net 95.179.171[.]173 Stitch C2\r\nsys_andriod20_designer.dynamic-dns[.]net 45.63.114[.]152 Stitch C2\r\nadobeflash31_install.ddns[.]info 95.179.171[.]173 Installer package C2\r\nairjaldinet[.]ml 108.61.178[.]125 Older C++ validator C2\r\nURLs\r\nhttps://loginwebmailnic.dynssl[.]com/part/mac/contentmc.php\r\nhttps://loginwebmailnic.dynssl[.]com/all/content.php\r\nhttps://loginwebmailnic.dynssl[.]com/lh/content.php\r\nhttps://root20system20macosxdriver.serveusers[.]com/yW6jOyQM16rj.html\r\nhttps://root20system20macosxdriver.serveusers[.]com/itV6E1uKYiOo.html\r\nhttp://ubntrooters.serveuser[.]com/wuservice.exe\r\nhttp://ubntrooters.serveuser[.]com/upgrade.exe\r\nhttp://ubntrooters.serveuser[.]com/flashplayer_update.exe\r\nhttp://adobeflash31_install.ddns[.]info/flash/sys.txt\r\nhttps://github[.]com/AdobeFlash32/FlashUpdate/\r\nhttps://airjaldinet[.]ml/\r\nHashes 
(MD5)\r\n0C6025A2C68E1C702A3022F1A6AE9169\r\n1076A0EE924F198A7BD58A2DE1F060A0\r\n10B4D3A667E06DC4B06AA542173D052C\r\n11294E27491B496E36CA7DB9F363ADCD\r\n11A16E109DBAF2FD080D8490328DE5A1\r\n2E1862BC23085402EE11C88E540533C0\r\n3989AC9EFB6A725918BD1810765D30B3\r\n481DD1A37C86FDA68BCED0ECB2F47597\r\n5287045D15FF60618F426AFC03BBB331\r\n53CB974CAF909EEDCD86D2F80E75AD0A\r\n5F19BB1688CA836B9207248F9096B9D2\r\n6DF39D2CE9FCA27B78CC5CA0BED89703\r\n7EB0C103AE21189AD9AD4A9804293B22\r\n8623FA35226AC92CF6F02447AC80AFB0\r\n9E69DDE252038B4A38EF0BFF6CE7FCD7\r\nAD7A4333BC364DF3D4FA00B13CBBBEB4\r\nB02ABA86409BE2AB263B1A476C1A1417\r\nB21AF331B1752A70360B5D8DC9013F3F\r\nB21BD93F15916A9A4AC76350D8FDBE10\r\nBE3E563E95DEDCA0CEC9792194FFF2AC\r\nDE2D8AF2EFED0C145690B2F13CD063B3\r\nEC993FF561CBC175953502452BFA554A\r\nED081A869D30BB90B76552C83BD784C8\r\nBEC4482890A89F0184B463C727709D53\r\n9A819F2CE060058745FF5374221ADA7C\r\n6DC5F8282DF76F4045F75FEA3277DF41\r\nSource: https://securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/"
	],
	"report_names": [
		"96311"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434279,
	"ts_updated_at": 1775791479,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc5dae82afa532fc1ff3b6b83e3b5c3dea242dab.pdf",
		"text": "https://archive.orkl.eu/fc5dae82afa532fc1ff3b6b83e3b5c3dea242dab.txt",
		"img": "https://archive.orkl.eu/fc5dae82afa532fc1ff3b6b83e3b5c3dea242dab.jpg"
	}
}