{
	"id": "ac4fdcc5-12ac-46b5-a252-a2ed7a74d68b",
	"created_at": "2026-04-06T00:17:52.847349Z",
	"updated_at": "2026-04-10T03:35:47.169901Z",
	"deleted_at": null,
	"sha1_hash": "fc6c438a8be2a3f8e89c7dfcab4c0cc7165a9306",
	"title": "The Naikon APT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 416715,
	"plain_text": "The Naikon APT\r\nBy Kurt Baumgartner\r\nPublished: 2015-05-14 · Archived: 2026-04-05 12:56:04 UTC\r\nOur recent report, “The Chronicles of the Hellsing APT: the Empire Strikes Back” began with an introduction to\r\nthe Naikon APT, describing it as “One of the most active APTs in Asia, especially around the South China Sea”.\r\nNaikon was mentioned because of its role in what turned out to be a unique and surprising story about payback. It\r\nwas a Naikon attack on a Hellsing-related organization that first introduced us to the Hellsing APT.  Considering\r\nthe volume of Naikon activity observed and its relentless, repeated attack attempts, such a confrontation was\r\nworth looking into, so we did.\r\nThe #NaikonAPT group was spear-phished by an actor we now call “Hellsing”\r\nTweet\r\nThe Naikon APT aligns with the actor our colleagues at FireEye recently revealed to be APT30, but we haven’t\r\ndiscovered any exact matches. It is hardly surprising that there is an element of overlap, considering both actors\r\nhave for years mined victims in the South China Sea area, apparently in search of geo-political intelligence.\r\nThe #NaikonAPT group has for 5 years mined victims, apparently in search of geo-political intelligence\r\nTweet\r\nThis Naikon report will be complemented by a follow-on report that will examine the Naikon TTP and the\r\nincredible volume of attack activity around the South China Sea that has been going on since at least 2010.\r\nNoteworthy operational and logistical characteristics of this APT include:\r\nAt least five years of high volume, high profile,  geo-political attack activity\r\nGeographical  focus – per-country, individual operator assignment and proxy presence\r\nDynamic, well organized infrastructure\r\nReliance on an externally developed, consistent set of tools comprising a full-featured backdoor, a builder,\r\nand an exploit builder\r\nHigh success rate in infiltrating national organisations in ASEAN 
countries\r\nHighly Focused and Effective Around the South China Sea\r\nIn the spring of 2014, we noticed an increase in the volume of attack activity by the Naikon APT. The attackers\r\nappeared to be Chinese-speaking and targeted mainly top-level government agencies and civil and military\r\norganizations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore,\r\nNepal, Thailand, Laos and China.\r\nhttps://securelist.com/the-naikon-apt/69953/\r\nPage 1 of 11\n\nDecoy\r\nAn attack typically starts with an email carrying an attachment that contains information of interest to the potential\r\nvictim. The document may be based on information from open sources or on proprietary information stolen from\r\nother compromised systems.\r\nThis bait “document”, or email attachment, appears to be a standard Word document, but is in fact a CVE-2012-0158\r\nexploit, an executable with a double extension, or an executable with an RTLO filename, so it can execute\r\ncode without the user’s knowledge or consent. When the executable is launched, spyware is installed on the victim\r\ncomputer at the same time as a decoy document is displayed to the user, fooling them into thinking they have\r\nsimply opened a document.\r\nConfiguration\r\nThe Naikon tool of choice generates a special, small, encrypted file which is 8,000 bytes in size, containing code\r\nto be injected into the browser along with configuration data. 
With the help of a start-up module, this whole file is\r\ninjected into the browser memory and decrypts the configuration block containing the following:\r\nC\u0026C server\r\nPorts and path to the server\r\nUser-agent string\r\nFilenames and paths to its components\r\nHash sums of the user API functions\r\nThe same code then downloads its main body from the C\u0026C server using the SSL protocol, loads it independently\r\nfrom the operating system functions and, without saving it to the hard drive, hands over control to the XS02\r\nfunction. All functionality is handled in memory.\r\nPayload\r\nThe main module is a remote administration utility. Using SSL, the module establishes a reverse connection to the\r\nC\u0026C server as follows: it sets up an outgoing connection to the C\u0026C server and checks if there is a command that\r\nit should execute. If there is, it executes the command and returns the result to the C\u0026C. There are 48 commands\r\nin the module’s repertoire, which a remote operator can use to effectively control the victim computer. 
This\r\nincludes taking a complete inventory, downloading and uploading data, installing add-on modules, or working\r\nwith the command line.\r\nHere is the complete list of commands:\r\n0 CMD_MAIN_INFO\r\n1 CMD_PROCESS_REFRESH\r\n2 CMD_PROCESS_NAME\r\n3 CMD_PROCESS_KILL\r\n4 CMD_PROCESS_MODULE\r\n5 CMD_DRIVE_REFRESH\r\n6 CMD_DIRECTORY\r\n7 CMD_DIRECTORY_CREATE\r\n8 CMD_DIRECTORY_CREATE_HIDDEN\r\n9 CMD_DIRECTORY_DELETE\r\n10 CMD_DIRECTORY_RENAME\r\n11 CMD_DIRECOTRY_DOWNLOAD\r\n12 CMD_FILE_REFRESH\r\n13 CMD_FILE_DELETE\r\n14 CMD_FILE_RENAME\r\n15 CMD_FILE_EXECUTE_NORMAL\r\n16 CMD_FILE_EXECUTE_HIDDEN\r\n17 CMD_FILE_EXECUTE_NORMAL_CMD\r\n18 CMD_FILE_EXECUTE_HIDDEN_CMD\r\n19 CMD_FILE_UPLOAD\r\n20 CMD_FILE_DOWNLOAD\r\n21 CMD_WINDOWS_INFO\r\n22 CMD_WINDOWS_MESSAGE\r\n23 CMD_SHELL_OPEN\r\n24 CMD_SHELL_CLOSE\r\n25 CMD_SHELL_WRITE\r\n26 CMD_SERVICE_REFRESH\r\n27 CMD_SERVICE_CONTROL\r\n28 CMD_PROGRAM_INFO\r\n29 CMD_UNINSTALL_PROGRAM\r\n30 CMD_REGESTRY_INFO\r\n31 CMD_ADD_AUTO_START\r\n32 CMD_MY_PLUGIN\r\n33 CMD_3RD_PLUGIN\r\n34 CMD_REG_CREATEKEY\r\n35 CMD_REG_DELETEKEY\r\n36 CMD_REG_SETVALUE\r\n37 CMD_REG_DELETEVALUE\r\n38 CMD_SELF_KILL\r\n39 CMD_SELF_RESTART\r\n40 CMD_SELF_CONFIG\r\n41 CMD_SELF_UPDATE\r\n42 CMD_SERVER_INFO\r\n43 CMD_INSTALL_SERVICE\r\n44 CMD_FILE_DOWNLOAD2\r\n45 CMD_RESET\r\n46 CMD_CONNECTION_TABLE\r\n50 CMD_HEART_BEAT\r\nSeveral modifications of the main module exist. 
There are no fundamental differences between modifications; it’s\r\njust that extra features get added to the latest versions, such as compression and encryption of transmitted data, or\r\nthe piecemeal download of large files.\r\nd085ba82824c1e61e93e113a705b8e9a 118272 Aug 23 18:46:57 2012\r\nb4a8dc9eb26e727eafb6c8477963829c 140800 May 20 11:56:38 2013\r\n172fd9cce78de38d8cbcad605e3d6675 118784 Jun 13 12:14:40 2013\r\nd74a7e7a4de0da503472f1f051b68745 190464 Aug 19 05:30:12 2013\r\n93e84075bef7a11832d9c5aa70135dc6 154624 Jan 07 04:39:43 2014\r\nCC-Proxy-Op\r\nC\u0026C server operations are characterized by the following:\r\nLow maintenance requirements\r\nOrganized geo-specific task assignments\r\nDifferent approaches to communication\r\nThe C\u0026C servers must have required only a few operators to manage the entire network. Each operator appears to\r\nhave focused on their own particular set of targets, because a correlation exists between C\u0026C and the location of\r\ntargets/victims.\r\nCommunication with victim systems changed depending on the target involved. In some cases, a direct connection\r\nwas established between the victim computer and the C\u0026C. In other cases, the connection was established via\r\ndedicated proxy servers installed on dedicated servers rented in third countries. 
In all likelihood, this additional\r\nsetup was a reaction to the network administrators in some targets limiting or monitoring outbound network\r\nconnections from their organizations.\r\nHere is a partial list of C\u0026C servers and victim locations, demonstrating the geo-specific correlation:\r\nXSControl – the Naikon APT’s “victim management software”\r\nIn the Naikon scheme, a C\u0026C server can be specialized XSControl software running on the host 
machine. It can\r\nbe used to manage an entire network of infected clients. In some cases, a proxy is used to tunnel victim traffic to\r\nthe XSControl server. A Naikon proxy server is a dedicated server that accepts incoming connections from victim\r\ncomputers and redirects them to the operator’s C\u0026C. An individual Naikon proxy server can be set up in any\r\ntarget country with traffic tunnelling from victim systems to the related C\u0026C servers\r\nXSControl is written in .NET with the use of DevExpress:\r\nIts main capabilities are:\r\nAccept initial connections from clients\r\nProvide clients with the main remote administration module\r\nEnable them to remotely administer infected computers with the help of a GUI\r\nKeep logs of client activity\r\nKeep logs of operator activity\r\nUpload logs and files to an FTP server\r\nThe operator’s activity logs contain the following:\r\nAn XML database of downloaded files, specifying the time of operation, the remote path and the local path\r\nA database of file names, the victim computer registry keys for the folders and requested sections\r\nA history of executed commands\r\nCountry X, Operator X\r\nNow let’s do an overview of one Naikon campaign, focusing on country “X”.\r\nAnalysis revealed that the cyber-espionage campaign against country X had been going on for many years.\r\nComputers infected with the remote control modules provided attackers with access to employees’ corporate email\r\nand internal resources, and access to personal and corporate email content hosted on external services.\r\nBelow is a partial list of organizations affected by Naikon’s “operator X’s” espionage campaign in country X.\r\nOffice of the President\r\nMilitary Forces\r\nOffice of the Cabinet Secretary\r\nNational Security Council\r\nOffice of the Solicitor General\r\nIntelligence Services\r\nCivil 
Aviation Authority\r\nDepartment of Justice\r\nFederal Police\r\nExecutive/Presidential Administration and Management Staff\r\nA few of these organizations were key targets and under continuous, real-time monitoring. It was during operator\r\nX’s network monitoring that the attackers placed Naikon proxies within the countries’ borders, to cloak and\r\nsupport real-time outbound connections and data exfiltration from high-profile victim organizations.\r\nIn order to obtain employees’ credentials, operator X sometimes used keyloggers. If necessary, operator X\r\ndelivered them via the remote control client. In addition to stealing keystrokes, this attacker also intercepted\r\nnetwork traffic. Lateral movements included copying over and remotely setting up winpcap across desktop\r\nsystems within sensitive office networks, then remotely setting up AT jobs to run these network sniffers. Some\r\nAPTs like Naikon distribute tools such as these across multiple systems in order to regain control if it is lost\r\naccidentally and to maintain persistence.\r\nOperator X also took advantage of cultural idiosyncrasies in its target countries, for example, the regular and\r\nwidely accepted use of personal Gmail accounts for work. So it was not difficult for the Naikon APT to register\r\nsimilar-looking email addresses and to spear-phish targets with attachments, links to sites serving malware, and\r\nlinks to google drive.\r\nThe empire strikes back\r\nEvery once in a while the Naikon group clashes with other APT groups that are also active in the region. In\r\nparticular, we noticed that the Naikon group was spear-phished by an actor we now call “Hellsing”. 
More details\r\nabout the cloak and dagger games between Naikon and Hellsing can be found in our blogpost: “The Chronicles of\r\nthe Hellsing APT: The Empire Strikes Back“.\r\nRead more about how you can protect your company against the Naikon threat actor here\r\nSource: https://securelist.com/the-naikon-apt/69953/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://securelist.com/the-naikon-apt/69953/"
	],
	"report_names": [
		"69953"
	],
	"threat_actors": [
		{
			"id": "a9ee8219-1882-4b1b-bac8-641b1603787d",
			"created_at": "2022-10-25T15:50:23.78263Z",
			"updated_at": "2026-04-10T02:00:05.351155Z",
			"deleted_at": null,
			"main_name": "APT30",
			"aliases": [
				"APT30"
			],
			"source_name": "MITRE:APT30",
			"tools": [
				"SHIPSHAPE",
				"FLASHFLOOD",
				"NETEAGLE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "30ed778d-15b3-484e-a90b-e1e05b36a42f",
			"created_at": "2023-01-06T13:46:38.290626Z",
			"updated_at": "2026-04-10T02:00:02.91411Z",
			"deleted_at": null,
			"main_name": "APT30",
			"aliases": [
				"G0013"
			],
			"source_name": "MISPGALAXY:APT30",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "78090a48-ca66-4cd8-a454-04d947e9c887",
			"created_at": "2023-01-06T13:46:38.303662Z",
			"updated_at": "2026-04-10T02:00:02.919567Z",
			"deleted_at": null,
			"main_name": "Hellsing",
			"aliases": [],
			"source_name": "MISPGALAXY:Hellsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32",
			"created_at": "2023-04-20T02:01:50.979595Z",
			"updated_at": "2026-04-10T02:00:02.913011Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"BRONZE STERLING",
				"G0013",
				"PLA Unit 78020",
				"OVERRIDE PANDA",
				"Camerashy",
				"BRONZE GENEVA",
				"G0019",
				"Naikon"
			],
			"source_name": "MISPGALAXY:Naikon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf",
			"created_at": "2022-10-25T15:50:23.31611Z",
			"updated_at": "2026-04-10T02:00:05.370146Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"Naikon"
			],
			"source_name": "MITRE:Naikon",
			"tools": [
				"ftp",
				"netsh",
				"WinMM",
				"Systeminfo",
				"RainyDay",
				"RARSTONE",
				"HDoor",
				"Sys10",
				"SslMM",
				"PsExec",
				"Tasklist",
				"Aria-body"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62",
			"created_at": "2025-08-07T02:03:24.604463Z",
			"updated_at": "2026-04-10T02:00:03.798481Z",
			"deleted_at": null,
			"main_name": "BRONZE GENEVA",
			"aliases": [
				"APT30 ",
				"BRONZE STERLING ",
				"CTG-5326 ",
				"Naikon ",
				"Override Panda ",
				"RADIUM ",
				"Raspberry Typhoon"
			],
			"source_name": "Secureworks:BRONZE GENEVA",
			"tools": [
				"Lecna Downloader",
				"Nebulae",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434672,
	"ts_updated_at": 1775792147,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc6c438a8be2a3f8e89c7dfcab4c0cc7165a9306.pdf",
		"text": "https://archive.orkl.eu/fc6c438a8be2a3f8e89c7dfcab4c0cc7165a9306.txt",
		"img": "https://archive.orkl.eu/fc6c438a8be2a3f8e89c7dfcab4c0cc7165a9306.jpg"
	}
}