{
	"id": "eba77069-aa28-4c5a-816b-572e2dc102f4",
	"created_at": "2026-04-06T00:18:05.89118Z",
	"updated_at": "2026-04-10T03:25:40.473686Z",
	"deleted_at": null,
	"sha1_hash": "ff7099ddf46b406e4f02d169c31771acbf80b7a2",
	"title": "WIP19 Espionage | New Chinese APT Targets IT Service Providers and Telcos With Signed Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3161530,
	"plain_text": "WIP19 Espionage | New Chinese APT Targets IT Service Providers\r\nand Telcos With Signed Malware\r\nBy Joey Chen\r\nPublished: 2022-10-12 · Archived: 2026-04-05 13:10:20 UTC\r\nBy Joey Chen and Amitai Ben Shushan Ehrlich, with additional insights from QGroup\r\nExecutive Summary\r\nA new threat cluster we track as WIP19 has been targeting telecommunications and IT service providers in\r\nthe Middle East and Asia.\r\nWe assess it is highly likely this activity is espionage-related and that WIP19 is a Chinese-speaking threat\r\ngroup.\r\nThe threat cluster has some overlap with Operation Shadow Force but utilizes new malware and\r\ntechniques.\r\nWIP19 utilizes a legitimate, stolen certificate to sign novel malware, including SQLMaggie, ScreenCap\r\nand a credential dumper.\r\nOverview\r\nSentinelLABS has been monitoring a threat cluster we track as WIP19, a group characterized by the usage of a\r\nlegitimate, stolen digital certificate issued by a company called “DEEPSoft”. Based on our investigations, WIP19\r\nhas been targeting telecommunications and IT service providers in the Middle East and Asia.\r\nThroughout this activity, the threat actor abused the certificate to sign several malicious components. Almost all\r\noperations performed by the threat actor were completed in a “hands-on keyboard” fashion, during an interactive\r\nsession with compromised machines. This meant the attacker gave up on a stable C2 channel in exchange for\r\nstealth.\r\nOur analysis of the backdoors utilized, in conjunction with pivoting on the certificate, suggest portions of the\r\ncomponents used by WIP19 were authored by WinEggDrop, a well-known Chinese-speaking malware author who\r\nhas created tools for a variety of groups and has been active since 2014.\r\nThe use of WinEggDrop-authored malware, stolen certificates and correlating TTPs indicate possible links to\r\nOperation Shadow Force, as reported by TrendMicro and AhnLab. 
As the toolset itself appears to be shared among\r\nseveral actors, it is unclear whether this is a new iteration of operation “Shadow Force” or simply a different actor\r\nutilizing similar TTPs. The activity we observed, however, represents a more mature actor, utilizing new malware\r\nand techniques.\r\nWe linked an implant dubbed “SQLMaggie”, recently described by DCSO CyTec, to this set of activity.\r\nSQLMaggie appears to be actively maintained and provides insights into the development timeline with\r\nhardcoded version names. In addition, we identified a number of other pieces of malware utilized by this threat\r\nactor.\r\nThis report focuses on detailing the set of activity we track as WIP19 and provides further context around the\r\nusage of these new tools.\r\nRelationship between the malware, certificates, and creators\r\nAbusing Valid Digital Certificates\r\nWIP19 has been observed signing malware with a valid digital certificate issued for DEEPSoft Co., Ltd., a Korean\r\ncompany specializing in messaging solutions. The threat actor used the certificate to sign several malware\r\ncomponents, some of which were tailor-made for specific targets. We assess that it is highly likely the certificate\r\nwas stolen, as it was also used to sign legitimate software used by DEEPSoft in the past.\r\nDEEPSoft digital certificate\r\nActivity involving toolsets authored by WinEggDrop and signed with both legitimate and fake certificates has\r\nbeen previously reported on by AhnLab. 
It’s commonly understood that malware created by WinEggDrop is\r\nshared among several threat clusters, making it possible that these associated toolsets could also be in use by the\r\nWIP19 threat actor.\r\nDumper Analysis\r\nLike many components utilized by WIP19, all their credential harvesting tools – consisting mainly of password\r\ndumpers – were signed using the DEEPSoft certificate. The main dumper used by the threat actor utilized open\r\nsource projects to load an SSP into LSASS and then dump the process.\r\nWIP19’s password dumper consists of two components, one used as a loader, and the other as a dumper. On many\r\nof the instances observed, the dumper was executed using WMIEXEC.\r\nLoader Analysis\r\nThe dumper loader component is a signed EXE file, internally dubbed ssp_rpc_loader, as indicated from the\r\nPDB path embedded within the file. As the name suggests, the loader uses RPC to load a malicious DLL file as an\r\nSSP (Security Support Provider), given as an argument. The loader appears to be taken from an open source\r\nproject available on GitHub.\r\nD:\\source\\dump_lsass-main\\ssp_rpc_loader\\x64\\Release\\ssp_rpc_loader.pdb\r\nSSP Analysis\r\nThe actual SSP loaded is NanoDump, which is loaded into LSASS and creates a minidump of the process.\r\nLoading NanoDump as an SSP is a built-in function embedded within NanoDump. This is done utilizing the\r\nMiniDumpWriteDump API. 
The dump will be created in the following path:\r\nC:\\\\windows\\\\temp\\\\1.bin\r\nMuch like the loader, the threat actor did not bother to remove the PDB path for the DLL dumper.\r\nD:\\source\\dump_lsass-main\\dll1\\x64\\release\\dll1.pdb\r\nCombining both components, a full execution of the dumper will look like this:\r\nC:\\attacker\\loader.exe c:\\attacker\\ssp.dll\r\nKeylogger \u0026 Screen Recording (ScreenCap)\r\nLoading Mechanism\r\nWIP19 has been observed utilizing a less-common (although documented) DLL search order hijacking of\r\nexplorer.exe to load a keylogging and screen recording component internally named ScreenCapDll_x64.\r\nThe keylogging and screen recording components\r\nThe threat actor dropped the malicious, signed DLL in the path c:\\windows\\linkinfo.dll. Dropping the file in\r\nthis specific path triggers the loading of the DLL into explorer.exe the next time it is executed. The threat actor\r\nmay manually kill and restart the explorer.exe process to initiate the screen recording and keylogging\r\nfunctionality.\r\nThe ScreenCap malware performs checks involving the victim’s machine name, indicating it is specially crafted\r\nfor each deployment. This does not prevent the actor from re-signing each of the payloads with the DEEPSoft\r\ncertificate, proving the actors have direct access to the stolen certificate.\r\nAfter verifying it is executed on the correct machine, the ScreenCap malware drops a RAR CLI binary in one of\r\nthe following paths, according to the target’s operating system:\r\nC:\\Documents and Settings\\All Users\\Application Data\\dwmgr.exe\r\nC:\\Users\\Public\\AppData\\MsTemp\\dwmgr.exe\r\nRAR executable drop file path\r\nKeylogging\r\nThe keylogging functionality mainly focuses on the user’s browser. 
The malware detects the user’s browser and\r\nlogs all keystrokes to .ax files stored in its current working directory. By default, it will keylog Internet Explorer\r\nactivity, but it also supports keylogging of other popular browsers including Chrome and Opera.\r\nKeylogger drop file path and the browser it targets\r\nScreen Recording\r\nA relatively unique TTP observed in this activity is the recording of the user’s screen. Much like keylogging, this\r\nhelps the actor harvest credentials and access sensitive information. The malware will record the screen for\r\n1,296,000 milliseconds at a time, 30 times, and store the output as .avi files in its current working directory.\r\nUsing Windows Multimedia (vfw.h) to record the user’s screen\r\nDuring our analysis of the ScreenCap malware, we identified a number of samples that contained hardcoded\r\nvictim IDs. This indicates that some of the intrusions are well researched and highly targeted.\r\nHardcoded victim host identity number “DESKTOP-xxxxxxx”\r\nExtendedProcedure SQL (SQLMaggie)\r\nWhilst we did not observe the initial infection vector in this intrusion, the SQLMaggie malware dropped on victim\r\nnetworks targets Windows systems and has to be executed in an MSSQL server. This provided us a foundation\r\nfrom which to investigate further.\r\nWe found that SQLMaggie masquerades as a legitimate DLL containing extended stored procedure functions for\r\nan MSSQL Server. The executed methodology uses the sp_addextendedproc function to register an external\r\nDLL in an MSSQL server. After registering the DLL into the MSSQL server, the threat actor is able to fully control\r\nthe server machine and use this backdoor to conduct reconnaissance in the internal network. 
For instance:\r\nsp_addextendedproc 'malicious', 'c:\\Program Files\\Microsoft SQL Server\\MSSQL13.0.MSSQLSERVER\\MSSQL\\Bi\r\nReproduced SQLMaggie backdoor command\r\nOur analysis showed that this backdoor was authored by WinEggDrop.\r\nFrom the timestamp of the sample, we can confirm the first version of this backdoor variant was developed in or\r\nbefore 2019. Available commands in each version vary according to the target environment. Unlike some of the\r\nother components which can be found on public, open-source repositories, neither the source code nor the\r\nexecutable for SQLMaggie appear to be publicly available. This suggests that the tool is either sold or used\r\nprivately, or is in exclusive use by WinEggDrop.\r\nThe author’s purported signature in SQLMaggie\r\nBelow we detail SQLMaggie backdoor commands and capabilities. The following commands appear in all\r\nversions of SQLMaggie.\r\nCommand Description\r\nSysInfo Show system information and detect whether it is running in a VM\r\nFileAccess Modify file permissions\r\nls List directory\r\nExec Create process\r\nRShell Reverse Shell\r\nType Open file and print the strings inside\r\nDownload Download files\r\nAdditionally, the following commands appear variously in different versions of SQLMaggie coded for specific\r\ntargets.\r\nCommand Description\r\nStopSocks5 Stop Socks5 tunnel\r\nStartHook Start WinSock socket hook\r\nStopHook Stop WinSock socket hook\r\nResetClientData Reset attacker input information\r\nViewClientData Show client data, attacker input information\r\nTS Check registry key for TermService and its port\r\nListIP Get host name, IP\r\nCheckPath Get data path\r\nStartSocks5 Create Socks5 tunnel\r\nSetClient 
Set client data, including the WinSock hook and allowed IP and port\r\nInstallTS Install TermService\r\nDelFile Delete file\r\nSetFile Set file attributes\r\nGetUser Use ROOT\\\\CIMV2 to get host accounts\r\nGetModule Print the executing module’s file path\r\nScanStatus Scan the victim’s environment machines\r\nStopScan Terminate all scan threads\r\nGetAdmin Get domain admin account\r\nSqlCheck Check whether SQL Server is running and list username \u0026 password\r\nSqlScan Create a thread to scan for SQL servers\r\nExploit Run Use exploit to execute process\r\nExploit AddUser Use exploit to add user\r\nExploit Clone Use exploit to clone user\r\nExploit TS Use exploit to install TermService on a machine\r\nStartHook Hook WinSock socket and show client data, attacker input information\r\nPort Check if port is open\r\nWriteAll MSSQLServer Write permission\r\nAccessAll MSSQLServer Access permission\r\nAttribution Analysis\r\nWe assess it is highly likely this activity is espionage-related and that WIP19 is a Chinese-speaking threat group.\r\nThe Work-In-Progress (WIPxx) designation is used for unattributed clusters of activity. A WIP may represent\r\nactivity that fits under the umbrella of an existing – but thus far unknown – actor or ultimately represent the\r\nactivity of a new threat actor.\r\nThe intrusions we have observed involved precision targeting and were low in volume. Specific user machines\r\nwere hardcoded as identifiers in the malware deployed, and the malware was not widely proliferated. Further, the\r\ntargeting of telecommunications and IT service providers in the Middle East and Asia suggests the motive behind\r\nthis activity is espionage-related. 
Communications providers are frequent targets of espionage activity due to the\r\nkinds and amount of sensitive data they hold.\r\nThe overlap with Operation Shadow Force through a possible common developer in WinEggDrop, and the fact\r\ntheir tooling has been observed in other Chinese espionage-related activity, support the assessment that this\r\nactivity is likely being carried out by a thus far unidentified Chinese-speaking threat group. The hardcoding of\r\nmachine identifiers and the usage of malware to log keystrokes and screenshot specific user machines suggests\r\nthat WIP19 is after very specific information.\r\nConclusion\r\nWIP19 is an example of the greater breadth of Chinese espionage activity experienced in critical infrastructure\r\nindustries. The existence of reliable quartermasters and common developers enables a landscape of hard-to-identify threat groups that are using similar tooling, making threat clusters difficult to distinguish from the\r\ndefenders’ point of view. 
We hope this report helps move the needle forward in the effort to continue identifying\r\nthreat groups engaged in spying on industries critical to society.\r\nSentinelLABS continues to track this activity to provide further insight into their evolution and future activity.\r\nIndicators of Compromise\r\nSQLMaggie SHA1 Real File Name\r\n4AABB34B447758A2C676D8AD49338C9E0F74A330 sqlmaggieAntivirus_32.dll\r\n5796068CFD79FBA65394114BA0EDC8CC93EAE151 sqlmaggieVS2008new_64.dll\r\n13BA1CFD66197B69A0519686C23BDEF17955C52E sqlmaggieVS2008new_32.dll\r\nCA25FCBA11B3B42D9E637132B5753C9B708BE6F0 sqlmaggieVS2008new_64.dll\r\n26cbd3588b10cabc7c63492c82808104829e9ac0 sqlmaggieAntiVirus_64.dll\r\n5e0291928e29db46386fd0bd85f269e967758897 sqlmaggieVS2008new_64.dll\r\n96099015981559237a52a7d50a07143870728fd0 sqlmaggieAntiVirus_64.dll\r\n7eb6e7d4e5bd5a34c602879cad0a26b35a3ca4fb sqlmaggieVS2008new_32.dll\r\nfe2e7c663913e0744822d1469be0c3655d24178d sqlmaggieAntivirus_32.dll\r\nb15bae6a8379a951582fc7767fa8490722af6762 sqlmaggieAntiVirus_64.dll\r\nc81de9a27f7e8890d30bd9f7ec0f705029b74170 sql_epX64_MD.dll\r\n829df7b229220c56eedc5660e8f0e7f366fa271f sqlmaggieAntivirus_32.dll\r\nd02fce5d87ea1fe9fabe7ac52cae2439e8215121 sqlmaggieAntivirus_32.dll\r\n1c6d0e8920af9139a8a9fe3d60b15cf01fb85461 sqlmaggieAntiVirus_64.dll\r\n2cad0328863cb09a6b27414d5158075d69bfb387 sqlmaggieAntiVirus_64.dll\r\n26c0722a1d16641d85b97594deea2a65399daef7 sqlbackupAntiVirus_64.dll\r\n17ff9fc9ee72baaf8d66ef9b3ab6411c47384968 sqlmaggieAntiVirus_64.dll\r\n5be50453f6e941c5c1dd20e0ba53e9abb6d00b68 sqlmaggieVS2008new_32.dll\r\n56d326dfe7dcb1ce7cae2cb4c13819510fc9945c sqlmaggieAntiVirus_64.dll\r\n253e702ff8201eec6fdf9630a39f5a8c28b132ed xp_OAreateX64.dll\r\nb91ab391a4e26e4ff0717cd989ad5ce7f6af235c xp_OAreateX64.dll\r\n4d2eb6e03be068f364e8e3f3c9645e03e1052e66 
xp_OAreate.dll\r\n8941d889cb199a234d99c90ce78a96411b6dedb6 sqlmaggieAntivirus_32.dll\r\n5aa9a9299865b0cb81fcad5f42424d79c67c403b sqlmaggieVS2008new_64.dll\r\n5182e0a5f075317171ad0e01e52d32937ec2fa01 sqlmaggieVS2008new_64.dll\r\nbfccf57e173b8233d35928956022bae85fc5d722 sqlmaggieAntiVirus_64.dll\r\n18d3ac848955295381f769b923a86871e01bfa1c sqlmaggieVS2008new_64.dll\r\n2bf1b6163af5685824c2d7ecda4f3f65f3ca4723 sqlmaggieAntiVirus_64.dll\r\n9577a2c15494edc2f7f4a59ecfb3ee90dd1df9d7 sqlmaggieAntiVirus_64.dll\r\n32e96ef4754c8f357e2366078387750e7f6add43 sqlmaggieAntiVirus_64.dll\r\n11678237dfccc88f257acca2b66b578713deaca8 sqlmaggieVS2008new_64.dll\r\n327bedce44160ebccc7d465c673d3464e23292b9 sqlmaggieVS2008new_32.dll\r\n7d58e51aee7da91dc93025854712cee47ed03101 sqldoorVS2005_64.dll\r\n4a6cf3d5b005e97ef6f2be09f8ab19c2755cae39 sqlmaggieAntiVirus_64.dll\r\nf37d9ce547894ab5449e5632188a3a3bb9e91fed sqlbackupAntiVirus_64.dll\r\na347aaf152d8ddcd299d86d7839d4ffa369ef2ef sqlmaggieVS2008new_32.dll\r\nf2c64108cb670e82908e5f41c58f1aab97ee7786 sqlmaggieVS2008new_64.dll\r\na34bda87bd253eda794462c20074baed19e1c01c sqlmaggieAntiVirus_64.dll\r\ndf1a7c13a3ec612a10819353ba0d34348a404bc8 sqlmaggieAntiVirus_64.dll\r\nb3249b6f05eeeb2cf5f74931aa990fbc92027b54 sqlmaggieAntiVirus_64.dll\r\nd3eeb9db89f0b21dc945f5410be9a9532e0c951e sqlmaggieAntiVirus_64.dll\r\nScreenCap SHA1 Real File Name\r\nc6cb7ec82ee55ccb56a4cc8b91c64e9b4f4e14da ScreenCapDll_x64.dll\r\n19f2a546a76458dda6eab6e2fae07d0942759b84 ScreenCapDll_x64.dll\r\n693e4ed784279bc47a013dc56f87cbd103e1db2e x\r\nad72aa442ff2c357b48ae8b4f8ba9b04b63c698b ScreenCapDll.dll\r\nHacking Tool SHA1 Description\r\nda876cd6e3528f95aafb158713d3b21db5fc780b Browser credential 
stealer\r\n1121324a15e6714e4313dfa18c8b03a6da381ba1 Credential dumper loader\r\n9bedb5810536879fae95c70a918eb90ac628953e Network scanning tool\r\n539d87139de6d5136b6d45dbc33a1aae69926eee Credential dumper\r\nafe25455804a7afb7639cb4e356cb089105be82d Port relay tool\r\n37cca724227a8e77671ecde3d295f5b98531705b Credential dumper loader\r\n2eeb46d538c486f8591a78a65dde250b0bf62f89 Windows domain tool\r\nSource: https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/"
	],
	"report_names": [
		"wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware"
	],
	"threat_actors": [
		{
			"id": "1d4e09da-fc00-4b5b-ac1a-f08813e611d4",
			"created_at": "2023-01-06T13:46:39.125711Z",
			"updated_at": "2026-04-10T02:00:03.223339Z",
			"deleted_at": null,
			"main_name": "Operation Shadow Force",
			"aliases": [
				"TA-ShadowCricket",
				"Larva-24013"
			],
			"source_name": "MISPGALAXY:Operation Shadow Force",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0cf4cd05-46f5-41cc-82b2-2bb74edd0e8e",
			"created_at": "2023-12-08T02:00:05.743414Z",
			"updated_at": "2026-04-10T02:00:03.491999Z",
			"deleted_at": null,
			"main_name": "WIP19",
			"aliases": [],
			"source_name": "MISPGALAXY:WIP19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434685,
	"ts_updated_at": 1775791540,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff7099ddf46b406e4f02d169c31771acbf80b7a2.pdf",
		"text": "https://archive.orkl.eu/ff7099ddf46b406e4f02d169c31771acbf80b7a2.txt",
		"img": "https://archive.orkl.eu/ff7099ddf46b406e4f02d169c31771acbf80b7a2.jpg"
	}
}