{
	"id": "c8e45063-7149-4cd5-a3fd-5f13cedb7692",
	"created_at": "2026-04-06T03:36:31.903677Z",
	"updated_at": "2026-04-10T03:36:13.654513Z",
	"deleted_at": null,
	"sha1_hash": "ff3abea8ee94249613450550178aaac104c10b0a",
	"title": "Additional Activities of the Tick Group That Attacks with a Modified Q-Dir and Their Ties with Operation Triple Tiang",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1640601,
	"plain_text": "Additional Activities of the Tick Group That Attacks with a\r\nModified Q-Dir and Their Ties with Operation Triple Tiang\r\nBy ATCP\r\nPublished: 2023-04-09 · Archived: 2026-04-06 03:14:29 UTC\r\nIn March 2023, Eset analyzed malware found at an East Asian DLP manufacturer and attributed it to the Tick group. The Tick group has been active mainly in Korea and Japan since 2014, targeting sectors such as aerospace, military, defense industries, heavy industries, electronics, telecommunications, government agencies, and diplomacy. AhnLab Security Emergency response Center (ASEC) has confirmed additional activities from this group and discloses them here.\r\n* Modified Q-Dir Variants\r\nBetween January 2021 and August 2022, ASEC discovered three additional malware samples disguised as Q-Dir in Korea. Two of the confirmed variants drop a ReVBSHell backdoor, while the variant discovered in August 2022 (md5: 00b170970d46c9212b6d75ce7afc0870) creates an FTP server file instead.\r\n* ShadowPY Variant\r\nEset also published details of the ShadowPY malware used in the attack. On verification, it was found to be similar to malware reported to AhnLab by a Korean client in September 2021. The program used as the loader at the time was Avira's avshadow.exe, and the malicious DLL was likewise named vssapi.dll. Both details match the information disclosed by Eset, and the code was also found to be similar.\r\nvssapi.dll file comparison\r\n* Ties with Operation Triple Tiang\r\nEset noted that Operation Triple Tiang, which AhnLab reported on, may be related to the Tick group. Operation Triple Tiang is a cyber attack campaign that has been targeting the political and diplomatic sectors of Korea.
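The loader/DLL pairing the report describes under ShadowPY Variant (Avira's avshadow.exe started with a malicious vssapi.dll) is the DLL search-order side-loading pattern: a legitimate vendor executable is placed next to a DLL that carries the name of a Windows system library, so the loader resolves the malicious copy before the real one in System32. The following is an added example, not code from the report or from AhnLab or Eset, of a hunting heuristic over ImageLoad-style telemetry. The record shape mimics Sysmon Event ID 7 (Image is the process binary, ImageLoaded the DLL mapped into it); the sample events, the abused DLL names other than vssapi.dll, and the severity rule are assumptions constructed for the example.

```python
# Side-load hunting over ImageLoad-style telemetry.
# Added example, not code from the report or from AhnLab/Eset.
# Record shape mimics Sysmon Event ID 7; the sample events are constructed.

# DLL names that normally live in System32 and are commonly abused for
# search-order side-loading. vssapi.dll is the one the report names; the
# others are added here as well-known examples (assumption).
SYSTEM_DLLS = {'vssapi.dll', 'version.dll', 'dwmapi.dll', 'uxtheme.dll'}

# Directories from which a copy of these DLLs is expected.
SYSTEM_DIRS = {'c:/windows/system32', 'c:/windows/syswow64'}

BACKSLASH = chr(92)  # the backslash character


def normalize(path):
    # Lower-case and fold backslashes to '/' so paths from different
    # collectors compare equal.
    return path.replace(BACKSLASH, '/').lower()


def split_path(path):
    # (directory, basename) of a normalized path; no os.path so that
    # Windows paths are handled identically on any analysis host.
    p = normalize(path)
    if '/' not in p:
        return '', p
    directory, name = p.rsplit('/', 1)
    return directory, name


def classify(event):
    # Return None for benign loads, or a finding for a DLL whose name
    # belongs to System32 but which resolved somewhere else.
    proc_dir, proc_name = split_path(event['Image'])
    dll_dir, dll_name = split_path(event['ImageLoaded'])
    if dll_name not in SYSTEM_DLLS or dll_dir in SYSTEM_DIRS:
        return None
    # Same directory as the EXE is the textbook search-order hijack:
    # the loader looks beside the executable before System32.
    severity = 'high' if dll_dir == proc_dir else 'medium'
    return {'process': proc_name, 'dll': dll_name,
            'loaded_from': dll_dir, 'severity': severity}


def find_sideloads(events):
    findings = []
    for event in events:
        finding = classify(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real logs). The first event mirrors
# the loader/DLL pairing the report names: avshadow.exe picking up a
# vssapi.dll that sits next to it instead of in System32.
SAMPLE_EVENTS = [
    {'Image': 'C:/Users/user/AppData/Local/Temp/avshadow.exe',
     'ImageLoaded': 'C:/Users/user/AppData/Local/Temp/vssapi.dll'},
    {'Image': 'C:/Program Files/Avira/avshadow.exe',
     'ImageLoaded': 'C:/Windows/SysWOW64/vssapi.dll'},
    {'Image': 'C:/Windows/System32/svchost.exe',
     'ImageLoaded': 'C:/Windows/System32/vssapi.dll'},
    {'Image': 'C:/Program Files/Tool/tool.exe',
     'ImageLoaded': 'C:/Program Files/Tool/tool_helper.dll'},
    {'Image': 'C:/Program Files/Tool/tool.exe',
     'ImageLoaded': 'C:/ProgramData/cache/version.dll'},
]

if __name__ == '__main__':
    for finding in find_sideloads(SAMPLE_EVENTS):
        print(finding)
```

Run against real Sysmon or EDR image-load events, the heuristic flags the first and fifth sample events and stays quiet on the legitimate System32 and SysWOW64 loads. Vendor redistributables do sometimes ship their own copies of these DLL names, so before alerting, check the signature fields of the event (Sysmon carries Signed and Signature) and whether the DLL's directory is user-writable; an unsigned system-named DLL loaded from a Temp or AppData path next to a signed vendor EXE is the combination worth escalating.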
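The Temp-folder file-count check described under Ties with Operation Triple Tiang is a cheap sandbox-evasion heuristic: a freshly provisioned analysis VM usually has an almost empty Temp folder, so a dropper that refuses to write its payload until the folder holds more than 10 or 18 files never detonates there. The following is an added example, not code from the report or from the droppers themselves, that reproduces the gate for both thresholds and shows the sandbox-side countermeasure of seeding decoy files. That the droppers count only regular files, only at the top level, and compare with strictly greater-than are assumptions made here; the report only says the number must exceed the threshold.

```python
import os
import tempfile

# Thresholds the report attributes to the two dropper variants (it does
# not say which variant uses which). Added example, not dropper code.
VARIANT_THRESHOLDS = (10, 18)


def count_files(directory):
    # Regular files directly inside the directory, no recursion.
    # Assumption: the droppers count files only, at the top level.
    return sum(1 for name in os.listdir(directory)
               if os.path.isfile(os.path.join(directory, name)))


def gate_passes(directory, threshold):
    # The dropper writes its payload only when the count exceeds the
    # threshold. Strict greater-than is an assumption; the report just
    # says the number must exceed a certain amount.
    return count_files(directory) > threshold


def evaluate_sandbox(directory):
    # For each known threshold: would a dropper proceed in this folder?
    return {t: gate_passes(directory, t) for t in VARIANT_THRESHOLDS}


def seed_decoy_files(directory, wanted):
    # Sandbox-side countermeasure: top the folder up to at least
    # 'wanted' files so the gate opens and the payload can be observed.
    existing = count_files(directory)
    for i in range(existing, wanted):
        with open(os.path.join(directory, 'decoy_%03d.tmp' % i), 'w') as fh:
            fh.write('decoy')
    return count_files(directory)


def demo():
    # Evaluate an empty folder, then after 11 and 19 files, so that one
    # threshold opens before the other. Returns the three evaluations.
    with tempfile.TemporaryDirectory() as temp_dir:
        fresh = evaluate_sandbox(temp_dir)
        seed_decoy_files(temp_dir, 11)
        partial = evaluate_sandbox(temp_dir)
        seed_decoy_files(temp_dir, 19)
        seeded = evaluate_sandbox(temp_dir)
    return fresh, partial, seeded


if __name__ == '__main__':
    print(demo())
    # Inside a sandbox guest, point it at the real Temp folder instead:
    # evaluate_sandbox(os.environ.get('TEMP', tempfile.gettempdir()))
```

In a detonation environment the practical use is the last line: run evaluate_sandbox against the guest's Temp folder as part of image preparation, and seed it (with files that look like ordinary application leftovers rather than uniformly named decoys) when either threshold fails. When a sample of this family exits quietly without writing anything, an empty Temp folder is one of the first things to rule out.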
A clear culprit behind this campaign had not been identified when the report was released in 2022. ASEC has confirmed that the ReVBSHell dropper used in Operation Triple Tiang and the ReVBSHell dropper variant used in the attack against the DLP manufacturer use the same technique: both droppers check the number of files in the Temp folder when executed, and only create the malware file when that number exceeds a certain amount (10 or 18, depending on the variant). A check of this kind is typically used to avoid running in a freshly provisioned analysis sandbox, whose Temp folder tends to be nearly empty.\r\nComparison of the operation that checks the number of files inside Temp\r\nConsidering that both use the same ReVBSHell and their droppers share similar code, there is a high possibility that the Tick group is behind Operation Triple Tiang.\r\n* Conclusion\r\nThe Tick group has been targeting government agencies, the military, and various industries in Korea and Japan for over a decade. There is a high possibility that they are still active covertly, and AhnLab plans to continue tracking their activities.\r\n* Special thanks to Facundo Muñoz from Eset for providing the samples and information.\r\n[File Detection]\r\nBackdoor/VBS.Agent (2023.03.29.02)\r\nDropper/Win.Revbshell (2023.03.28.03)\r\nDownloader/Win.Agent (2022.03.15.00)\r\nTrojan/VBS.Obfus (2023.04.06.00)\r\nTrojan/Win.ShadowPY (2023.04.05.03)\r\nMD5\r\n00b170970d46c9212b6d75ce7afc0870\r\n19d0edc452b32b0d3da407459a1a9c56\r\n2db7b0e8b0a3b7f142c4246d8c8bf892\r\n31329cce9d0517233053b5363f06f5af\r\n574df15b8bc888750ca28dd4f4f11fae\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/51340/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/51340/"
	],
	"report_names": [
		"51340"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006",
				"Daserf",
				"Stalker Panda",
				"Swirl Typhoon",
				"Tick"
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446591,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff3abea8ee94249613450550178aaac104c10b0a.pdf",
		"text": "https://archive.orkl.eu/ff3abea8ee94249613450550178aaac104c10b0a.txt",
		"img": "https://archive.orkl.eu/ff3abea8ee94249613450550178aaac104c10b0a.jpg"
	}
}