HenBox: The Chickens Come Home to Roost

<!doctype html> <html lang="en-US"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="profile" href="https://gmpg.org/xfn/11"> <link rel="preconnect" href="https://www.paloaltonetworks.com"> <link rel="preconnect" href="https://cdn.cookielaw.org"> <link rel="preconnect" href="https://fonts.googleapis.com"> <!-- Start: Scripts Migrated From Unit42-v5 --> <script type="text/javascript"> var main_site_url = 'https://www.paloaltonetworks.com'; var maindomain_lang = 'https://www.paloaltonetworks.com'; function getParameterByName(name, url) { if(url == null){ url = window.location.href; } name = name.replace(/[\[\]]/g, '\\$&'); var regex = new RegExp('[?&]' + name + '(=([^&#]*)|&|#|$)'), results = regex.exec(url); if (!results) return null; if (!results[2]) return ''; return decodeURIComponent(results[2].replace(/\+/g, ' ')); } var container_q = getParameterByName('container'); var d_lang = 'en'; if(container_q != '' && container_q != null){ sessionStorage.setItem('container',container_q); location.href = 'https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost'; } </script> <link rel="preload" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'"> <noscript><link rel="stylesheet" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.css"></noscript> <link rel="preload" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopProductNav.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'"> <noscript><link rel="stylesheet" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopProductNav.min.css"></noscript> <link rel="preload" 
href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/deferedProductNav.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'"> <noscript><link rel="stylesheet" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/deferedProductNav.min.css"></noscript> <meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' /> <link rel="alternate" hreflang="en" href="https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" /> <link rel="alternate" hreflang="ja" href="https://unit42.paloaltonetworks.jp/unit42-henbox-chickens-come-home-roost/" /> <link rel="alternate" hreflang="x-default" href="https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" /> <!-- This site is optimized with the Yoast SEO Premium plugin v23.7 (Yoast SEO v23.7) - https://yoast.com/wordpress/plugins/seo/ --> <title>HenBox: The Chickens Come Home to Roost</title> <meta name="description" content="Unit 42 discovers HenBox, an Android Malware family masquerading as legitimate apps on third-party app stores." /> <link rel="canonical" href="https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" /> <meta property="og:locale" content="en_US" /> <meta property="og:type" content="article" /> <meta property="og:title" content="HenBox: The Chickens Come Home to Roost" /> <meta property="og:description" content="Unit 42 discovers HenBox, an Android Malware family masquerading as legitimate apps on third-party app stores." 
/> <meta property="og:url" content="https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" /> <meta property="og:site_name" content="Unit 42" /> <meta property="article:published_time" content="2018-03-13T12:00:04+00:00" /> <meta property="article:modified_time" content="2019-01-18T21:13:10+00:00" /> <meta property="og:image" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/unit42-web-banner-650x300.jpg" /> <meta property="og:image:width" content="650" /> <meta property="og:image:height" content="300" /> <meta property="og:image:type" content="image/jpeg" /> <meta name="author" content="Alex Hinchliffe, Mike Harbison, Jen Miller-Osborn, Tom Lancaster" /> <meta name="twitter:card" content="summary_large_image" /> <!-- / Yoast SEO Premium plugin. --> <link rel="alternate" type="application/rss+xml" title="Unit 42 &raquo; Feed" href="https://unit42.paloaltonetworks.com/feed/" /> <link rel="alternate" type="application/rss+xml" title="Unit 42 &raquo; Comments Feed" href="https://unit42.paloaltonetworks.com/comments/feed/" /> <link rel="alternate" type="application/rss+xml" title="Unit 42 &raquo; HenBox: The Chickens Come Home to Roost Comments Feed" href="https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/feed/" /> <script type="text/javascript"> var globalConfig = {}; var webData = {}; webData.channel = "unit42"; webData.property = "unit42.paloaltonetworks.com"; webData.language = "en_us"; webData.pageType = "blogs"; webData.pageName = "unit42:unit42-henbox-chickens-come-home-roost"; webData.pageURL = "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost"; webData.article_title = "HenBox: The Chickens Come Home to Roost"; webData.author = "Alex Hinchliffe,Mike Harbison,Jen Miller-Osborn,Tom Lancaster"; webData.published_time = "2018-03-13T05:00:04-07:00"; webData.description = "Unit 42 discovers HenBox, an Android Malware family masquerading as legitimate apps on third-party app 
stores."; webData.keywords = "Malware,Threat Research,9002,Android,HenBox,PlugX,Poison Ivy,Zupdax"; webData.resourceAssetID = "95f50fb917a084f1e41fcd1a4c986140"; </script> <script type="text/javascript"> var globalConfig = {}; globalConfig.buildName = "UniqueResourceAssetsID_DEC022022"; </script> <meta property="og:likes" content="9"/> <meta property="og:readtime" content="18"/> <meta property="og:views" content="62,931"/> <meta property="og:date_created" content="March 13, 2018 at 5:00 AM"/> <meta property="og:post_length" content="8054"/> <meta property="og:category" content="Malware"/> <meta property="og:category" content="Threat Research"/> <meta property="og:category_link" content="https://unit42.paloaltonetworks.com/category/malware/"/> <meta property="og:category_link" content="https://unit42.paloaltonetworks.com/category/threat-research/"/> <meta property="og:author" content="Alex Hinchliffe"/> <meta property="og:author" content="Mike Harbison"/> <meta property="og:author" content="Jen Miller-Osborn"/> <meta property="og:author" content="Tom Lancaster"/> <meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/alex-hinchliffe/"/> <meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/mike-harbison/"/> <meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/jen-miller-osborn/"/> <meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/tom-lancaster/"/> <meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg"/> <meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg"/> <meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg"/> <meta property="og:author_image_link" 
content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg"/> <meta name="post_tags" content="9002,Android,HenBox,PlugX,Poison Ivy,Zupdax"/> <script type="application/ld+json">{"@context":"https:\/\/schema.org","@type":"BlogPosting","headline":"HenBox: The Chickens Come Home to Roost","name":"HenBox: The Chickens Come Home to Roost","description":"Unit 42 discovers HenBox, an Android Malware family masquerading as legitimate apps on third-party app stores.","url":"https:\/\/unit42.paloaltonetworks.com\/unit42-henbox-chickens-come-home-roost\/","mainEntityOfPage":"https:\/\/unit42.paloaltonetworks.com\/unit42-henbox-chickens-come-home-roost\/","datePublished":"March 13, 2018","articleBody":"Summary\r\n\r\nUnit 42 recently discovered a new Android malware family we named \u201cHenBox\u201d masquerading as a variety of legitimate Android apps.\u00a0 We chose the name \u201cHenBox\u201d based on metadata found in most of the malicious apps such as package names and signer detail. HenBox masquerades as apps such as VPN and Android system apps and often installs legitimate versions of these apps along with HenBox to trick users into thinking they downloaded the legitimate app. While some of the legitimate apps HenBox use as decoys can be found on Google Play, HenBox apps themselves have only been found on third-party (non-Google Play) app stores.\r\nHenBox appears to primarily target the Uyghurs \u2013 a minority Turkic ethnic group that is primarily Muslim and lives mainly in the Xinjiang Uyghur Autonomous Region in North West China. It also targets devices made by Chinese manufacturer Xiaomi and those running MIUI, an operating system based on Google Android made by Xiaomi. Smartphones are the dominant form of internet access in the region and Xinjiang was recently above the national average of internet users in China. 
The result is a large online population who have been the subject of numerous cyber-attacks in the past.\r\nOnce installed, HenBox steals information from the devices from a myriad of sources, including many mainstream chat, communication, and social media apps. The stolen information includes personal and device information. Of note, in addition to tracking the compromised device\u2019s location, HenBox also harvests all outgoing phone numbers with an \u201c86\u201d prefix, which is the country code for the People\u2019s Republic of China (PRC). It can also access the phone\u2019s cameras and microphone.\r\nHenBox has ties to infrastructure used in targeted attacks with a focus on politics in South East Asia. These attackers have used additional malware families in previous activity dating to at least 2015 that include PlugX, Zupdax, 9002, and Poison Ivy. This also aligns with HenBox\u2019s timeline, as in total we have identified almost 200 HenBox samples, with the oldest dating to 2015. Most of the samples we found date from the last half of 2017, fewer samples date from 2016, and a handful date back to 2015. In 2018, we have already observed a small but consistent number of samples. We believe this indicates a fairly sustained campaign that has gained momentum over recent months.\r\n\r\nHenBox Enters the Uyghur App Store\r\nIn May 2016, a HenBox app was downloaded from uyghurapps[.]net. Specifically, the app was an Android Package (APK) file that will be discussed in more detail shortly. The domain name, language of the site and app content hosted suggest this site is a third-party app store for whom the intended users are the Uyghurs. Such app stores are so-called because they are not officially supported by Android, nor are they provided by Google, unlike the Play Store. 
Third-party app stores are ubiquitous in China for a number of reasons including: evermore powerful Chinese Original Equipment Manufacturers (OEM), a lack of an official Chinese Google Play app store, and a growing smartphone market.\r\nThe HenBox app downloaded in May 2016 was masquerading as the DroidVPN app. At the time of writing, the content served at the given URL on uyghurapps[.]net, is now a legitimate version of the DroidVPN app, and looks as shown in Figure 1 below.\r\n\r\nFigure 1 Uyghurapps[.]net app store showing the current DroidVPN app\r\nVirtual Private Network (VPN) tools allow connections to remote private networks, increasing the security and privacy of the user\u2019s communications. According to the DroidVPN app description, it \u201chelps bypass regional internet restrictions, web filtering and firewalls by tunneling traffic over ICMP.\u201d Some features may require devices to be rooted to function and according to some 3rd party app stores, unconditional rooting is required, which has additional security implications for the device.\r\nWe have not been able to ascertain how the DroidVPN app on the uyghurapps[.]net app store was replaced with the malicious HenBox app; however, some indicators point to the server running an outdated version of Apache Web Server on a Windows 32-Bit operating system. 
In light of this, we believe an attack against unpatched vulnerabilities is a reasonable conjecture for how the server was compromised.\r\nThe HenBox app downloaded in May 2016, as described in Table 1 below, masquerades as a legitimate version of the DroidVPN app by using the same app name \u201cDroidVPN\u201d and the same iconography used when displaying the app in Android\u2019s launcher view, as highlighted in Figure 2 below Table 1.\r\n\r\n\r\n\r\nAPK SHA256\r\nSize (bytes)\r\nFirst Seen\r\nApp Package name\r\n\u00a0\r\nApp name\r\n\r\n\r\n0589bed1e3b3d6234c30061be3be1cc6685d786ab3a892a8d4dae8e2d7ed92f7\r\n2,740,860\r\nMay 2016\r\ncom.android.henbox\r\nDroidVPN\r\n\r\n\r\n\r\nTable 1 Details of the HenBox DroidVPN app on the uyghurapps[.]net app store\r\n\r\nFigure 2 HenBox app installed, purporting to be DroidVPN\r\nDepending on the language setting on the device, and for this particular variant of HenBox, the installed HenBox app may have the name \u201cBackup\u201d but uses the same DroidVPN logo. Other variants use other names and logos, as described later.\r\nGiven the DroidVPN look and feel being used by this variant of HenBox, it\u2019s highly likely the uyghurapps[.]net page for DroidVPN remained identical when serving either HenBox or DroidVPN apps, just that the legitimate APK file had been replaced with HenBox for an unknown period of time.\r\nIn addition to the look and feel of DroidVPN, this HenBox variant also contained a legitimate DroidVPN app within its APK package as an asset, which could be compared to a resource item within a Windows Portable Executable (PE) file. 
Once the HenBox app is installed and launched, it launches an install process for the embedded app as a decoy to other malicious behaviors occurring in the background, and to satisfy the victim with the app they were requesting, assuming they requested to download a particular app, such as DroidVPN.\r\nThe version of the legitimate DroidVPN embedded inside this HenBox variant is the same version of DroidVPN available for download from uyghurapps[.]net, at the time of writing. It\u2019s worth noting, newer versions of the DroidVPN app are available on Google Play, as well as in some other third-party app stores, which could indicate uyghurapps[.]net is not awfully well maintained or updated to the latest apps available.\r\nAt the time of writing, to our knowledge no other third-party app stores, nor the official Google Play store, were or are hosting this malicious HenBox variant masquerading as DroidVPN.\r\n\r\nThe Right App at the Right Time\r\nThe malicious HenBox and embedded DroidVPN app combination is one instance of the type of legitimate apps the attackers choose to mimic to compromise their victims. These threat actors frequently offer malicious apps purporting to be legitimate apps that are broadly used or important to a targeted population. It\u2019s worth noting however, about one-third of the HenBox apps contained embedded APK objects that did not refer to legitimate apps. Some were only 3 bytes long, containing strings such as \u201cddd\u201d and \u201c333\u201d, or were otherwise corrupted.\r\nBeyond the previously mentioned DroidVPN example, other viable embedded apps we found include apps currently available on Google Play, as well as many third-party app stores. 
Table 2 below lists some of these apps with their respective metadata.\r\n\r\n\r\n\r\n#\r\nParent APK SHA256\r\nFirst Seen\r\nPackage names\r\n(parent APK)\r\n[embedded APK]\r\nAPK App names\r\n(parent APK)\r\n[embedded APK]\r\n\r\n\r\n1\r\nfa5a76e86abb26e48af0b312f056d24000bc969835c40b3f98e5ca7e301b5bee\r\nApril 2016\r\n(com.android.henbox)\r\n[com.ziipin.software]\r\n(Uyghurche Kirguzguch)\r\n[Emojicon]\r\n\r\n\r\n2\r\n1749df47cf37c09a92b6a56b64b136f15ec59c4f55ec835b1e569c88e1c6e684\r\nMay 2017\r\n(cn.android.setting)\r\n[com.apps.amaq]\r\n(\u8bbe\u7f6e (Backup))\r\n[Amaq Agency]\r\n\r\n\r\n3\r\n4d437d1ac29b1762cc47f8094a05ab73141d03f9ce0256d200fc691c41d1b6e7\r\nJune 2017\r\n(cn.android.setting)\r\n[com.example.ourplayer]\r\n(islamawazi)\r\n[islamawazi]\r\n\r\n\r\n\r\nTable 2 Example HenBox variants containing embedded apps\r\nSample 1 marks the first HenBox sample we saw embedding a legitimate app within its assets to be dropped and installed on the victim device as a decoy. The legitimate app in question was a Uyghur language keyboard app targeted at native speakers of the Uyghur language and their smartphones.\r\nSample 2 has the package name cn.android.setting, masquerading as Android\u2019s Settings app, which has a similar package name (com.android.settings). This variant of HenBox also used the common green Android figure as the app logo and was named \u8bbe\u7f6e (\u201cBackup\u201d in English). This variant\u2019s app name, along with many others, is written in Chinese and describes the app as a backup tool. Please see the IOCs section for all app and package name combinations. Interestingly, the embedded app in sample 2 is not a version of the Android Settings app but instead the \u201cAmaq Agency\u201d app, which reports on ISIS-related news. 
Reports indicate fake versions of the Amaq app exist, likely in order to spy on those that use it.\r\nA month after observing sample 2, we obtained another which used the same package name as sample 2 (cn.android.setting). However, this time the app name for both HenBox and the embedded app were identical: Islamawazi. \u00a0Islamawazi is also known as the Turkistan Islamic Party or \u201cTIP\u201d. This organization was formerly known as the East Turkestan Islamic Party and is purported to be an Islamic extremist separatist organization founded by Uyghur jihadists. The embedded app appears to be a media player.\r\nThese examples, together with the HenBox app placed on a very specific third-party app store, point clearly to at least some of the intended targets of these malicious apps being Uyghurs, specifically those with interest in or association with terrorist groups. These threat actors appear to be choosing the right apps \u2013 those that could be popular with locals in the region, at the right time \u2013 while tensions grow in this region of China, to ensure a good victim install-base.\r\n\r\nHenBox Roosts\r\nHenBox has evolved over the past three years, and of the almost two hundred HenBox apps in AutoFocus, the vast majority contain several native libraries as well as other components in order to achieve their objective. Most components are obfuscated in some way, whether it be simple XOR with a single-byte key, or through the use of ZIP or Zlib compression wrapped with RC4 encryption. These components are responsible for a myriad of functions including handling decryption, network communications, gaining super-user privileges, monitoring system logs, loading additional Dalvik code files, tracking the device location and more.\r\nThe remainder of this section describes at a high-level what HenBox is capable of, and how it operates. 
The description is based on analysis of the sample described in Table 3 below, which was of interest given that its C2 domain mefound[.]com overlaps with the PlugX, Zupdax, and Poison Ivy malware families discussed in more detail later.\r\n\r\n\r\n\r\nSHA256\r\nPackage Name\r\nApp Name\r\n\r\n\r\na6c7351b09a733a1b3ff8a0901c5bdefdc3b566bfcedcdf5a338c3a97c9f249b\r\ncom.android.henbox\r\n\u5907\u4efd (Backup)\r\n\r\n\r\n\r\nTable 3 HenBox variant used in description\r\nOnce this variant of HenBox is installed on the victim\u2019s device, the app can be executed in two different ways:\r\nOne method for executing HenBox is for the victim to launch the malicious app (named \u201cBackup\u201d, in this instance) from the launcher view on their device, as shown in Figure 3 below. This runs code in the onCreate() method of the app\u2019s MainActivity class, which in effect is the program\u2019s entry point. This process is defined in the app\u2019s AndroidManifest.xml config file, as shown in the following snippet.\r\n&lt;activity android:excludeFromRecents=\"true\" android:label=\"@string\/app_name\" android:name=\"com.android.henbox.MainActivity\" android:theme=\"@android:style\/Theme.Translucent\"&gt;\r\n &lt;intent-filter&gt;\r\n &lt;action android:name=\"android.intent.action.MAIN\"\/&gt;\r\n &lt;category android:name=\"android.intent.category.LAUNCHER\"\/&gt;\r\n &lt;\/intent-filter&gt;\r\n &lt;\/activity&gt;\r\n\r\n\r\nFigure 3 HenBox app installed and visible on Android's Launcher view\r\nDoing so executes code checking if the device is manufactured by Xiaomi, or if Xiaomi\u2019s fork of Android is running on the device. Under these conditions, the app continues executing and the intent of targeting Xiaomi devices and users could be inferred; however, poorly written code results in execution in more environments than perhaps intended. Further checks are made to ascertain whether the app is running on an emulator, perhaps to evade researcher analysis environments. 
Assuming these checks pass, one of the main ELF libraries is loaded that orchestrates other components and provides functionality to the app\u2019s Dalvik code through the Java Native Interface (JNI).\r\nHenBox checks whether this execution is its first by using Android\u2019s shared preferences feature to persist XML key-value pair data. If it is the first execution, and if the app\u2019s path does not contain \u201c\/system\/app\u201d (i.e. HenBox is not running as a system app), another ELF library is loaded to aid with executing super-user commands.\r\nThe second method uses intents, broadcasts, and receivers to execute HenBox code. Providing the app has registered an intent to process particular events from the system, and one of said events occurs, HenBox is effectively brought to life through external stimulus from another app on the system broadcasting a request, or the system itself broadcasting a particular event has occurred. These intents are typically defined statically in the app\u2019s AndroidManifest.xml config file; some HenBox variants register further intents from their code at run-time. Once a matching intent is triggered, the respective Receiver code will be executed, leading to other HenBox behaviors being launched, which are described later. Table 4 below lists the intents that are statically registered in this HenBox variant\u2019s AndroidManifest.xml config file, together with a description of what that intent does, and when it would be used. 
Depending on the intent triggered, one of two Receivers would be called; in this instance they are called Boot or Time, but the name is somewhat immaterial.\r\n\r\n\r\n\r\nReceiver\r\nIntent Name\r\nDescription\r\n\r\n\r\nBootReceiver\r\nandroid.intent.action.BOOT_COMPLETED\r\nSystem notification that the device has finished booting.\r\n\r\n\r\nandroid.intent.action.restart\r\nA legacy intent used to indicate a system restart.\r\n\r\n\r\nandroid.intent.action.SIM_STATE_CHANGED\r\nSystem notification that the SIM card has changed or been removed.\r\n\r\n\r\nandroid.intent.action.PACKAGE_INSTALL\r\nSystem notification that the download and eventual installation of an app package is happening (this is deprecated)\r\n\r\n\r\nandroid.intent.action.PACKAGE_ADDED\r\nSystem notification that a new app package has been installed on the device, including the name of said package.\r\n\r\n\r\ncom.xiaomi.smarthome.receive_alarm\r\nReceived notifications from Xiaomi\u2019s smart home IoT devices.\r\n\r\n\r\nTimeReceiver\r\nandroid.intent.action.ACTION_TIME_CHANGED\r\nSystem notification that the time was set.\r\n\r\n\r\nandroid.intent.action.CONNECTIVITY_CHANGE\r\nSystem notification that a change in network connectivity has occurred, either lost or established. Since Android version 7 (Nougat) this information is gathered using other means, perhaps implying the devices used by potential victims run older versions of Android.\r\n\r\n\r\n\r\nTable 4 HenBox variant's Intents and Receivers\r\nMost of the intents registered in the AndroidManifest.xml file, or loaded during run-time, are commonly found in malicious Android apps. What\u2019s more interesting, and much less common, is the inclusion of the com.xiaomi.smarthome.receive_alarm intent filter. Xiaomi, a privately owned Chinese electronics and software company, is the 5th largest smart phone manufacturer in the world and also manufactures IoT devices for the home. 
Most devices can be controlled by Xiaomi\u2019s \u201cMiHome\u201d Android app, which is available on Google Play with between 1,000,000 and 5,000,000 downloads.\r\nGiven the nature of connected devices in smart homes, it\u2019s highly likely many of these devices, and indeed the controller app itself, communicate with one another sending status notifications, alerts and so on. Such notifications would be received by the MiHome app or any other, such as HenBox, so long as they register their intent to do so. This could essentially allow for external devices to act as a trigger to execute the malicious HenBox code, or perhaps afford additional data HenBox can collect and exfiltrate.\r\nEither method to load HenBox ultimately results in an instance of a service being launched. This service hides the app from plain sight and loads another ELF library to gather environmental information about the device, such as running processes and apps, and details about device hardware, primarily through parsing system logs and querying running processes. 
The service continues by loading an ELF, created by Baidu, which is capable of tracking the device location before setting up a monitor to harvest phone numbers associated with outgoing calls for those numbers with a country code \u201c+86\u201d prefix, which relates to the People\u2019s Republic of China.\r\nFurther assets are decrypted and deployed, including another Dalvik DEX code file, which has various capabilities including registering itself as the incoming SMS handler for the device to intercept SMS messages, loading another ELF library that includes a version of BusyBox \u2013 a package containing various stripped-down Unix tools useful for administering such systems \u2013 and, interestingly, is capable of turning off the sound played when the device\u2019s cameras take pictures.\r\nThe Android permissions requested by HenBox, as defined in the apps\u2019 AndroidManifest.xml files, range from accessing location and network settings to messages, call, and contact data. HenBox can also access sensors such as the device camera(s) and the microphone.\r\nBeyond the Android app itself, other components such as the aforementioned ELF libraries have additional data-stealing capabilities. One ELF library, libloc4d.so, handles amongst other things the loading of the app-decoded ELF library file \u201csux\u201d, as well as handling connectivity to the C2.\r\nThe sux library appears to be a customized super user (su) tool that includes code from the com.koushikdutta.superuser app and carries the equivalent of a super user (su) binary in order to run privileged commands on the system. The primary goal of sux appears to be to steal messages and other data from popular messaging and social media apps specified within the HenBox sample. A similar tool, with the same filename, has been discussed in previous research but the SpyDealer malware appears unrelated to HenBox. 
More likely, this is a case of common attack tools being re-used between different threat actor groups.\r\nThis particular HenBox variant, as listed in Table 3 above, harvests data from two popular messaging and social media apps: Voxer Walkie Talkie Messenger (com.rebelvox.voxer) and Tencent\u2019s WeChat (com.tencent.mm). These types of apps tend to store their data in databases and, as an example, HenBox accesses Voxer\u2019s database from the file \u201c\/data\/data\/com.rebelvox.voxer\/databases\/rv.db\u201d. Once opened, HenBox runs the following query to gather message information.\r\nselect\r\nmessages.timestamp ,messages.sender,messages.body,profiles .first || profiles .last,profiles.profile_username\r\nfrom\r\nmessages,conversations left join profiles on messages.sender=profiles.username\r\nwhere\r\nmessages.thread_id=conversations .thread_id\r\n\r\nNot long after this variant became public, newer variants of HenBox were seen, and some had significant increases in the number of targeted apps. Table 5 describes the latest variant seen in AutoFocus.\r\n\r\n\r\n\r\nSHA256\r\nPackage Name\r\nApp Name\r\nFirst Seen\r\n\r\n\r\n07994c9f2eeeede199dd6b4e760fce371f03f3cc4307e6551c18d2fbd024a24f\r\ncom.android.henbox\r\n\u5907\u4efd (Backup)\r\nJanuary 3rd 2018\r\n\r\n\r\n\r\nTable 5 Recent HenBox variant with updated functionality\r\nTable 6 contains an updated list of targeted apps from which this newer variant of HenBox is capable of harvesting data. 
Interestingly, the two communication apps described above as being targeted by the HenBox variant listed in Table 3 do not appear in this updated list.\r\n\r\n\r\n\r\nPackage Name\r\nApp Name\r\n\r\n\r\ncom.whatsapp\r\nWhatsApp Messenger\r\n\r\n\r\ncom.pugna.magiccall\r\nn\/a\r\n\r\n\r\norg.telegram.messenger\r\nTelegram\r\n\r\n\r\ncom.facebook.katana\r\nFacebook\r\n\r\n\r\ncom.twitter.android\r\nTwitter\r\n\r\n\r\njp.naver.line.android\r\nLINE: Free Calls &amp; Messages\r\n\r\n\r\ncom.instanza.cocovoice\r\nCoco\r\n\r\n\r\ncom.beetalk\r\nBeeTalk\r\n\r\n\r\ncom.gtomato.talkbox\r\nTalkBox Voice Messenger - PTT\r\n\r\n\r\ncom.viber.voip\r\nViber Messenger\r\n\r\n\r\ncom.immomo.momo\r\nMOMO\u964c\u964c\r\n\r\n\r\ncom.facebook.orca\r\nMessenger \u2013 Text and Video Chat for Free\r\n\r\n\r\ncom.skype.rover\r\nSkype; 3rd party stores only\r\n\r\n\r\n\r\nTable 6 Targeted apps from a newer HenBox variant\r\nMost of these apps are well established and available on Google Play, however, com.skype.rover appears to be available only on third-party app stores. The same is likely to be the case for com.pugna.magiccall but this is unknown currently.\r\nIt\u2019s clear to see that the capabilities of HenBox are very comprehensive, both in terms of an Android app with its native libraries and given the amount of data it can glean from a victim. Such data includes contact and location information, phone and message activity, the ability to record from the microphone, camera, and other sensors as well as the capability to access data from many popular messaging and social media apps.\r\n\r\nInfrastructure\r\nWhile investigating HenBox we discovered infrastructure ties to other malware families associated with targeted attacks against Windows users \u2013 notable overlaps included PlugX, Zupdax, 9002, and Poison Ivy. 
The overall image of these ties is shown below in Figure 5 and paints a picture of an adversary with at least 5 malware families in their toolbox dating back to at least 2015.\r\n\r\nFigure 5. HenBox and related malware and C2s\r\nThe overlap between the HenBox and 9002 malware families Unit 42 has seen involves three shared C2s between several samples; the first IP below is used for more than half of the HenBox samples we have seen to date:\r\n\r\n \t47.90.81[.]23\r\n \t222.139.212[.]16\r\n \tlala513.gicp[.]net\r\n\r\nThe overlaps between the HenBox, PlugX, Zupdax, and Poison Ivy malware families involve a web of shared C2s and IP resolutions centered around the below:\r\n\r\n \t59.188.196[.]172\r\n \tcdncool[.]com (and third-levels of this domain)\r\n \twww3.mefound[.]com\r\n \twww5.zyns[.]com\r\n \tw3.changeip[.]org\r\n\r\nTies to previous activity\r\nThe registrant of cdncool[.]com also registered six other domains. To date, Unit 42 has seen four of the seven (the first three in the list below, along with cdncool[.]com) used in malicious activity and it is reasonable to assume the remaining three are or were intended to serve the same purpose.\r\n\r\n \ttcpdo[.]net\r\n \tadminsysteminfo[.]com\r\n \tmd5c[.]net\r\n \tlinkdatax[.]com\r\n \tcsip6[.]biz\r\n \tadminloader[.]com\r\n\r\nUnit 42 published a blog in July 2016 about 9002 malware being delivered using a combination of shortened links and a file hosted on Google Drive. The spear phishing emails had Myanmar political-themed lures and, if the 9002 C2 server responded, the Trojan sent system-specific information along with the string \u201cjackhex\u201d. \u201cjackhex\u201d has also been part of a C2 for what is likely related Poison Ivy activity detailed below, along with additional infrastructure ties.\r\nThe C2 for the aforementioned 9002 sample was logitechwkgame[.]com, which resolved to the IP address 222.239.91[.]30. 
At the same time, the domain admin.nslookupdns[.]com also resolved to the same IP address, suggesting that these two domains are associated with the same threat actors. In addition, admin.nslookupdns[.]com was a C2 for Poison Ivy samples associated with attacks on Myanmar and other Asian countries discussed in a\u00a0blog\u00a0published by Arbor Networks in April 2016. Another tie between the activity is the C2 jackhex.md5c[.]net, which was also used as a Poison Ivy C2 in the Arbor Networks blog. \u201cjackhex\u201d is not a common word or phrase and, as noted above, was also seen in the beacon activity with the previously discussed 9002 sample. Finally, since publishing the 9002 blog, Unit 42 has also seen the aforementioned 9002 C2 used as a Poison Ivy C2 with a Myanmar political-themed lure.\r\nIn our 9002 blog we noted some additional infrastructure used either as C2s for related Poison Ivy samples, or domain registrant overlap with those C2 domains. When we published that blog Unit 42 hadn\u2019t seen any of the three registrant-overlap domains used in malicious activity. Since then, we have seen Poison Ivy samples using third-levels of querlyurl[.]com [the IOC list below gives this domain as queryurl[.]com], lending further credence to the assessment that the remaining two domains, gooledriveservice[.]com and appupdatemoremagic[.]com, are or were intended for malicious use.\u00a0 While we do not have complete targeting information associated with these Poison Ivy samples, several of the decoy files were in Chinese and appear to be part of a 2016 campaign targeting organizations in Taiwan with political-themed lures.\r\n\r\nConclusion\r\nHenBox apps typically masquerade as legitimate Android system apps, sometimes embedding legitimate apps within them, and their primary goal appears to be to spy on those who install them. Because the apps use similar traits, such as copycat iconography and app or package names, victims are likely socially engineered into installing them, especially when they are available on so-called third-party (i.e. 
non-Google Play) app stores which often have fewer security and vetting procedures for the apps they host. It\u2019s possible, as with other Android malware, that some apps may also be available on forums, file-sharing sites or even sent to victims as email attachments, and we were only able to determine the delivery mechanism for a handful of the apps we have been able to find.\r\nThe hosting locations seen for some HenBox samples, together with the nature of some embedded apps, including those targeted at extremist groups, those who use VPN or other privacy-enabling apps, and those who speak the Uyghur language, highlight the victim profile the threat actors were seeking to attack. The targets and capabilities of HenBox, in addition to the ties to previous activity using four different Windows malware families with political-themed lures against several different South East Asian countries, indicate this activity likely represents an at least three-year-old espionage campaign.\r\n\r\nPalo Alto Networks customers are protected by:\r\nAutoFocus customers can investigate this activity using the following tags. To date we believe HenBox is not a shared tool; however, the remainder of the malware used by these attackers is shared amongst multiple groups:\r\n\r\n \tHenBox\r\n \tPoison Ivy\r\n \tZupdax\r\n \t9002\r\n \tPlugX\r\n\r\nAndroid Hygiene\r\nUpdate:\u00a0Keep installed apps updated. Much like patching operating system and application files on PCs, Android and apps developed for the platform also receive security updates from Google and app developers to remove vulnerabilities and improve features, including security.\r\nReview:\u00a0App permissions to see what the app is potentially capable of. This can be quite technical, but many permissions are named\u00a0intuitively, describing whether they intend to access contacts, messages, or sensors, such as the device microphone or camera. 
If\u00a0the permissions seem over the top compared to the described functionality, then don\u2019t install the app. Also read the app and developer reviews to evaluate their trustworthiness.\r\nAvoid:\u00a0Third-party app stores that may host pirated versions of paid apps from the Google Play app store; often such apps include unwanted extra features that can access\u00a0your\u00a0sensitive\u00a0data or perform malicious behaviors. Also avoid rooting devices, if possible, as apps could misuse this power.\r\n\r\nIOCs\r\nMost recent samples first:\r\n\r\n\r\n\r\nsha256\r\napk_package_name\r\napk_app_name\r\napk_app_name_en\r\n\r\n\r\n446734590904c5c44978e4646bbbc629d98236c16e29940b32100c1400aebc88\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\nea0786bfe145d8c763684a2fdf2eb878da29c1b6ae5aacd1a428c9ffead4bad8\r\ncom.android.vivibox\r\n\u5907\u4efd\u670d\u52a1\r\nBackup service\r\n\r\n\r\n16bb6ff97999b838a40b66146ff4c39b9c95906f062c6fe1e3077e6e30171a4d\r\ncom.android.vivibox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n0fa384198ae9550e008e97fa38e8a56c4398fc91e12eddba713966bfed107130\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\ne835e4907c9ff07a3a8281530552eaed97d9dea5b182d24a8db56335bad5213d\r\ncom.android.cicibox\r\n\u5907\u4efd\u670d\u52a1\r\nBackup service\r\n\r\n\r\n9192602e5a3488c322025991ca7abcbdc8f916e08f279004a94cec8eb9f220b4\r\ncom.android.vivibox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n9b57ab06650a137a5962b85ca9ae719e9c3956d68938a6a2425dffe8d152941a\r\ncom.android.webbox\r\n\u5907\u4efd\u670d\u52a1\r\nBackup 
service\r\n\r\n\r\n7bf0e70fb4ffca19880fecdeb7e7e5d0fb4681064a98c71056cbb29c80ed6119\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n51cfc1a658e63624706a6bb2ed2baa63c588e7ce499bd116a3d5752743fefb54\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n3417899195780c8186356d49bc53b600b3b0e49aae83d9aeb27e518b6964be04\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\nf0fd8c5f4487df7592e5b7fa02f19f23d3ad43f5aaab84257cc560bf5ea76f1e\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\na6c1da9559d72563848802ed14a7421515009c2a0ffb85aab74c6e42584c222d\r\ncom.android.cicibox\r\n\u5907\u4efd\u670d\u52a1\r\nBackup service\r\n\r\n\r\nbf0ab0362ee39191587921b75ab92bf6da12e377dbfdf4f7a053c1217841bdfc\r\ncom.android.vivibox\r\n\u5907\u4efd\u670d\u52a1\r\nBackup service\r\n\r\n\r\nf5abd5e7e325f16df3e96ff55a19ebf524f40f9ade76003355eb1d68bc084006\r\ncom.android.vivibox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n201eca94a9e8023d021a2b4a1517c4e46cd01e3be323bc46660c1c6f42aa6abf\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n7b7887d4ad7cab0c53d6f8557bbdf616985f3434ba536a5683f6fba604151d04\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n4eb768b52b687de49c7da8845bbd7671e2e076fe64bf23596a409108ef3fbbbc\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\na7cfae9b12542b293d8265770a10946d422736d6f716af17f7b963603e422c51\r\ncom.jrzheng.supervpn.view\r\nSuperVPN\r\nSuperVPN\r\n\r\n\r\n3c2109adf469bfc6c320ac824355f97a2b0f5ff01891d1affcd1a5b017c97195\r\ncom.android.webbox\r\n\u5907\u4efd\u670d\u52a1\r\nBackup service\r\n\r\n\r\n2a7e456d2700ba13af48efdcf1f699bf51b6901a3ba5c80c009aaaca86235e5d\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n3d525435cbd88b4f1f97e32e2c6accf7855f4cc576ecbd87ad05a05ddd2d2f79\r\ncom.android.vivibox\r\n\u5907\u4efd\u670d\u52a1\r\nBackup service\r\n\r\n\r\n5a999904b2f03263a11bcc077ad179333b431fb9e6e8090f371d975ba188e55e\r\ncom.android.cicibox\r\n\u5907\u4efd\u670d\u52a1\r\nBackup 
service\r\n\r\n\r\n4d1e37e5840e8a4d5ae0f60cf33c593f595af200fbf998c3af809fd0c225c475\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n3cce965887d4677069cb9160d7c7c122087a5f434e095a9f0848c3e838bca9f5\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n8095cf4f6aec1983bd9f81ca85c1b27415e200b315f757613afb4f0334c99f0b\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\nb098be6fd1859ee70ef123c59d5e2a1db435f990c9378b41af0c005f76ba24f2\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n56c1e23b12e83573440019084b9ce39f8f5ddd9d6de51edaf1f83e020fc648a0\r\ncom.android.cicibox\r\n\u5907\u4efd\u670d\u52a1\r\nBackup service\r\n\r\n\r\n75fef2a0f05ae2ad971b01041fd3ed5ceacce306d78930bc2eba190c39799bc7\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\na3deca8203792d4b34242e8f5d0f7e2e3d054f08d74885ab7ff6f3a6f4b2578a\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n77b6e8cd1e6de9ee22bf0e9d735089ae24134ab955f0975d4febc9ed6b60af38\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n9f8909b1615aaa0fed38ad27162ccf3437e2eaa59cb0c990261c866f075c4113\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n7ffc1afd5749e7731f4161a6348205555e5892f1bd3446b6d0c5e7bbaa5917e3\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\na1644194faac76a1d49fd96b875a3f9026993e9f21f6dbc50dc59aeb5e7dac4b\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n2e4aa7777ba449071b90c0c13b803ddf6c6f10576eb9806acde6c3d1391db463\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\naf2d44e36cc28727e29b0d9aecb4b17534a195faacbf4192ce1483a9bde65edc\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n5010236b481d8d2ebc45ee95154f10ffbb317eced86401486f63276520049896\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n8de4e886b69046c2942e26d8b2f436695ca27060f6a74c797c620502f87887c9\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\nfed084773542120fe77b880fc136bd20979cddc286b75b651d01aa6e32234b2d\r\ncom.android.henbox\r\n\u5907\u4e
fd\r\nBackup\r\n\r\n\r\n43ce0c3e63de64f032ea7d4ca77c4b40b86d57e1d237f771b21c1f9c8f41eafb\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n6e1812f7bf313552bc60b6be5b46bdfd44582775e3cb19cf6a231a903aec508b\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n7774432c67f3d3688a1a1b21edc0a73d9d47990cc1f132663b0010ff4bbd6e87\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n59ca2754279d9cba40334c35907e2e1fc6fd2888b2c180e5b0b8d73accbb40f2\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n2c5934db000a2838d42cf705453e29d16f4d4bb462fa65e134ce78b4266cefee\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\ne326501a0fb15bf19ac135f501b84caa2587d1fb2cad9e034f1756898686dab4\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n14f715228acff7d8bad057e4bf996635d76ab41ae25ca8a3f90196caeb241446\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n2be931f008a9ea62aa35091eb9a5629824e81499ce7a5219101ccd39a02ecdec\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n51db059a833377666f92f64ae1e926b83da8821876c66949e320b55c1a929ff8\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\ndee79253deaaa57af0fddb2c8ec5d4cc0546dfe3c1d05c2916a44a37eef3d9f8\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\nec2e060ac633978b9b700aa95784255b9796f4fb51c188b1c79d5947df07bf98\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\na6c7351b09a733a1b3ff8a0901c5bdefdc3b566bfcedcdf5a338c3a97c9f249b\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\nae5598ccb3f2f31d2ec967808988a47d6ce4d1cd5e6808d1194ee93c6400039c\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n6f5e7f6ca2f25667d5fe55d7e8ec1b816d6db8b31cb28dff43b4f2f73d70ecdb\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n4cbb5a0d9b6f64dc9d8dd9aaac5651649e24b2cd7248eb9db32191102559ab9c\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\nc375aad52c292b4d5c4efb02a33e2325a27f27158bb13c048f533a2a9d0837fb\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n
\r\n\r\n779b09c61951818e5afb47c369fe9b5fa7b7f6139f589f14b3042b2ac96809d8\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n7ba216b88f84c9a0ce90ca5500ddc2e80100b23ef3784d133b69870768f1e3bc\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n077239b3bedaa850b82204fdd42e5e45fedc3dfc2f6da5aab04d768370e990fa\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\nbe548c26d0863b812948a16f982e96557319346fad897f67dc7873108203fdce\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n54366ee485b43cea10624d62247a48b12c1ce35c49295491f7fbb6323c68da7b\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n51714b8f34db94cbd8916374af4d8e63b56ef41fa819d2d697f1a3975a32960e\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n48f38b671847bfba3810b74d1d815c2bb4cc94392b98e1f59f95e748eb410465\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\nd0e58c3e9d881f875532d1bb8bee63e4ac8728458708361f754db97fba6be22e\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n8b78f469f3eda0cb02cfbf5598f0a7449cb63b7181d7fd5037ebb9cb8aff30a4\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n49556e972a35c9d592bf64ab37056f6da356b2061c1ce269d9c3af73978756d9\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n1d4dadae0c696fde2fef99eb99188509dc0d5fbac7ee07d4f0d5a92dcc922ad7\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n3c62d00a9740c49cf01fb7635260ff71e0ac44cf80da749ca4101869120f2233\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n993692d5540c40614f4da430cf4cea64a7e0e7f950452abae19bf608afdf20a6\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n3e026154767b6a101d3a852946e9eb3ed1c96662490afe9b601469a8459e325b\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n6a518d29232d3f68aa5c78df4a8d212f924e03379dc2be0a388b3118779fe583\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n70512a566f33c636ad071d18e82db89f9531a6133be89b7d3f18fc9f7730b078\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n53238af9
0efd8531686432245c516db04cd163584a811d6e5835a42fe738fbab\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n2f2277898f34a91a365f1a090d72678768c5e420c8350f340cc4b4602cd8a710\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\nb48edd2270b1aeb014291eb3ac2aaa1d4b7ee4694965d0de2c0978b2feae946d\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n45e7dc9c0e33d4754384365a60604c66d72356a994cbed8e8eab8796cf1579e2\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\na1e465d905434d5dae3bb7acb7c148ef8ed0d341a6d9121d09adbc126cc3a907\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n4d437d1ac29b1762cc47f8094a05ab73141d03f9ce0256d200fc691c41d1b6e7\r\ncn.android.setting\r\nislamawazi\r\nislamawazi\r\n\r\n\r\nd29646f2c665ef91c360e24242c634ee9051d4ab01cb8f87265088e47f41d690\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n2345a56d61e052af3265ee0fae47b22f1551ede4eee45bca30ad5fb9fac7a922\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n44388ec38ee36177d6804d778ee554b2d063db3b88d7480eca6587ff68a15982\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n286bd20f3ea944703c8c87e66708d6b32046a640863afba7f3c4c72dc28d37d1\r\ncn.android.seting\r\n\u8bbe\u7f6e\r\nSetup\r\n\r\n\r\n7f28caeaa484496f85c80580cd88671961149aae2295c8777becb2970455504c\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n89ef65813bccb8197da4af68ba8f9e8e123f3aad4ed41736f8039ad2c6817a25\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n1749df47cf37c09a92b6a56b64b136f15ec59c4f55ec835b1e569c88e1c6e684\r\ncn.android.setting\r\n\u8bbe\u7f6e\r\nSetup\r\n\r\n\r\n5f16c23f92a10de59efc9a081e0c79458faa3fabb24a1356dbfff7cea8611a3e\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n66eec9ffa2906e56656e649d5b632526e829d7142a75cd27a006bf82775e8c45\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\na728c653b9c7be4b058eff329afb826db755fdddc4e10ba67191816db7dbeac0\r\ncn.android.setting\r\n\u7231\u5947\u827a\r\nIQIYI\r\n\r\n\r\nc4ee98d58d38f6109d84
3955277f1a37bfb138a14113c6cb38bcb6eb857d4977\r\ncn.android.setting\r\n\u8bbe\u7f6e\r\nSetup\r\n\r\n\r\n577ed81e07b62d9c363c505271d1f2a81592a69e1a60a82fbe8fff16e7d3419d\r\ncn.android.setting\r\n\u8bbe\u7f6e\r\nSetup\r\n\r\n\r\nb8f785a6581bf438b1947e498b8f2255607440347d8f8b5cb31f3b98427330e6\r\ncn.android.setting\r\n\u8bbe\u7f6e\r\nSetup\r\n\r\n\r\n5a3c44a6e8c8e02e69caa430f41ec80b94740d099bbcfbf39cf08280fc6e16bb\r\ncom.android.henbox\r\nWJ VPN\r\nWJ VPN\r\n\r\n\r\n184e5cbebef4ee591351cfaa1130d57419f70eb95c6387cb8ec837bd2beb14d6\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\nefa3cd45e576ef8ab22d40fc9814456d06a6eeeaeada829c16122a39cb101dbf\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n9d85be32b54398a14abe988d98386a38ce2d35fff91caf1be367f7e4b510b054\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\na8ea1140a739b2aeeb838d7fe2c073cb834bce46db22071022bd181a59422af1\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n80a35bcbce326d05dd74ed05560db41a0f9471c4922fc9fe88d0b1a94c3cb1ae\r\ncn.android.setting\r\n\u8bbe\u7f6e\r\nSetup\r\n\r\n\r\n0e31575bf0001d818d87aa134e728f62e7f2d27ff9437897303eb8ae1962a865\r\ncn.android.setting\r\n\u8bbe\u7f6e\r\nSetup\r\n\r\n\r\nd3dd162e7dee6022826e7fef23cb84f17a948d2761013a09943f165f378197e0\r\ncn.android.setting\r\n\u8bbe\u7f6e\r\nSetup\r\n\r\n\r\n3b345ffe7fac9aef0c9e0be3f01e8f9e1f3e0442849cc0e3f979b9866465b6bc\r\ncn.android.setting\r\n\u8bbe\u7f6e\r\nSetup\r\n\r\n\r\n0a4f38a83abbbab3a039be95862df7848f28513baa1da52a74a9e6a31f63c9b7\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\na267176bdc1779b19fde2e38f5f062478e8cf173582e38a26538512d64d85ecd\r\ncn.android.setting\r\n\u8bbe\u7f6e\r\nSetup\r\n\r\n\r\n7603126f04e9e7cff828aabc060349d6dfbd76e795df7b0e798b3b0914ad13a0\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\n1da0e30b4b2ad2626a3f069f0f50f81d29b789d41385db26d7c84da3af02cd1c\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\nddea532ef46abb9bfa77acdbd38155d9a92381f777fe4c7979
67203578aa0966\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\na89bdb4fd54b9488fd6f2685a4dcfa1c106d4ac9f9fb8f8992e557e306184f1a\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\nb0bbcee232f27a1b366f8a7ed1d2c3056f9a67fa70e42c1fa7cfb7c778df8cb5\r\ncn.android.setting\r\n\u8bbe\u7f6e\r\nSetup\r\n\r\n\r\nbf16b9f012e1a0724f95a0e61a8748be3c9fc3fe3bb5a82bf3efd9b8211591fb\r\ncn.android.setting\r\n\u8bbe\u7f6e\r\nSetup\r\n\r\n\r\nad5a6b9ca0389c458dde73a456404634eec473cf5833914c7466af41e23b6ea9\r\ncn.android.setting\r\n\u8bbe\u7f6e\r\nSetup\r\n\r\n\r\na5d9efae12c9e5913156b5415581678748bdeed25a5767438afadc869d25e0d4\r\ncn.android.setting\r\n\u8bbe\u7f6e\r\nSetup\r\n\r\n\r\nb5598c4a26f3b4a143a413c46935f0506afd7e400ecf4c6ca05595e83d8dc2c7\r\ncn.android.setting\r\n\u8bbe\u7f6e\r\nSetup\r\n\r\n\r\n4f6173659e2c23835228f2e05daacecb618c099878d0028dd9a52b9682de2ac4\r\ncn.android.setting\r\n\u65e0\u79d8\r\nNo secret\r\n\r\n\r\n7d8a47cda9367ee31ebf58dd226afc583b34a73476ed5ff1b2b3f2460cd4c339\r\ncn.android.setting\r\nuyhl\r\nuyhl\r\n\r\n\r\nb34b09d7b4bee3125ea9b27c128c4239c78d3be95d9d5dff73c68e479353db5b\r\ncn.android.setting\r\n\u8bbe\u7f6e\r\nSetup\r\n\r\n\r\nb3413e09ceecc305187d08007ea86f654a451952807e37b8f2dcd14a8127042a\r\ncn.android.setting\r\n\u8bbe\u7f6e\r\nSetup\r\n\r\n\r\n718bab91ba29791a494c31783b64ce1fe3d78bcdd6a6f909588e198fbea3b3cf\r\ncn.android.setting\r\n\u8bbe\u7f6e\r\nSetup\r\n\r\n\r\nde9d1c68ef9df6dd72455f50d1cdffd76e24a501bbbaa3cacc4aedb74b2f743d\r\ncn.android.setting\r\n\u63a2\u63a2\r\nExplore\r\n\r\n\r\n55e65d1fba82a21b0ee52435be890279cf7ae747abba7f448a6547ba2ed9666e\r\ncn.android.setting\r\n\u8bbe\u7f6e\r\nSetup\r\n\r\n\r\n801d54f829668487c2ed28dc56beb6f156a6100a3be12805e1104fb9f68f6a00\r\ncn.android.setting\r\n\u8bbe\u7f6e\r\nSetup\r\n\r\n\r\n3ffa8ef36934420b08e4139385400da774f61cabe000557ff025af650f2964bb\r\ncn.android.setting\r\n\u8bbe\u7f6e\r\nSetup\r\n\r\n\r\n8b4e60160089b6af71e3c555c4bdaa9344b76a5f0dfd1ecc3a6e8c23f0940b2a\r\ncn.android.sett
ing\r\n\r\n0\r\n\r\n\r\nb779a7a05c226a14c2f4bad1f22c493a2a9de8b988b01602fbe60d1f6dc2ba8c\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\n4a8c5194183f2a5b593654a29213c6f705f083ddbbff10a0bb1e7695c66a0f89\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\n775c2dbf6dd7423bd098b216bd6dcf11104e885e451fa95ae64dc18fb54a34c7\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\n228d1c80a92641c6ba9c9d1e68146e9bb66f02605135c2603db3ace692cc05f2\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\n4ecf03a1eaa0255340a41e48728be1d50dab724b72f9096a1f537fa578e76d17\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\n8a28fed36cf0d8640c7086770614e33d3788200bc7b0b408873873cd17e31653\r\ncom.android.henbox\r\n\r\n0\r\n\r\n\r\n35b1f11a97dd5c05c87328e2ed4ae5776b84d3ce6cf4cdbc2faa1865dab2e09b\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\nbb91d7bbea783bacd57a92691ebcbb449d9606f2f3bbb77538ec751a8b01d8a9\r\ncom.android.henbox\r\n\r\n0\r\n\r\n\r\n011509bb9cde31c0b45c49747ff150abcfa66d283ff986f167bf564bacfded4d\r\ncom.android.henbox\r\n\r\n0\r\n\r\n\r\nda6d75e996b0bafad782d87c809269ef5ccfa62c938039790333f0f2b4ecafe3\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\neb31fc24f727bc6f25b7a90dc86c127099384398b7182ae52d3fe23950e9ed8c\r\ncom.android.henbox\r\n\r\n0\r\n\r\n\r\n6d441e6b75fa0ea1880937d7c94dbd1caaa210915d386dfb5a01ca22fd813d28\r\ncom.android.henbox\r\n\r\n0\r\n\r\n\r\nc153ed3b2ae96cb2ec55294f89180302f89e9dbca6a192eec7bd4f3591b8252e\r\ncn.android.seting\r\n\r\n0\r\n\r\n\r\n2510aa8736c5462e8784f1cf494716bb923f97645899c73c56ead1ff58b35499\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\n0bfbbca56718b5bae7e21613a9884ea80db53aa1eca9cacf5a793e52f6a724e7\r\ncom.android.henbox\r\n\r\n0\r\n\r\n\r\ne9da842ccf4a681226577c26e2becea079080a4b6838171c06bb358db132bc5e\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\n20fcff9826373d50abe813d3cb0272bf7b65617196cd4ac8d4646b8fd3256bea\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\n0387baebb2b0c678e46e7291325e91118c53a3206d73c1145c082b10cf6a65f1\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\n0efaf91842a7e45562e97bda369efa6e14f98bf9d63782ec9c3
23fa246da549a\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\ncdbd4b98625c4766cbf72f69ce951faf49a13394ea85e7a23188e70a209609be\r\ncn.android.seting\r\n\r\n0\r\n\r\n\r\nd4ef4bdea69a248f9792211c4d52882ad6262f7223fc1aa9f328abe50412669f\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\n3db36dc3b21dbd0a9037cda21606d37c1a1dd493346e00e36231a252a14446d6\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\n92c5fdf61b378e5252b0eb70a5cfd7af2d27c915aece48e32b9c2ba04a5fa5b3\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\n740a54e1f89cb321d13396987fd26d52c6c66c49894283c6d9889156e063ecb3\r\ncom.android.henbox\r\n\r\n0\r\n\r\n\r\n7f76f102ab233528ce3cb111ae3b026cf16b3233c6bf3002de8a0daea3ebc0d7\r\ncom.android.henbox\r\n\r\n0\r\n\r\n\r\n153794e424eceaba48e28e7f3333ab0c9c7addeda1c5de7835b191f5f25e4e34\r\ncom.android.henbox\r\n\u5907\u4efd\r\nBackup\r\n\r\n\r\na1bf2f3fcac9d1aae94eb7a6dc37be00185e102e504032f4ffa391ddbd4bd353\r\ncom.android.henbox\r\n\r\n0\r\n\r\n\r\n444e73bd1020d08dc2901a041d675db1060815914024855daeddbc201e3ad4ee\r\ncom.android.henbox\r\n\r\n0\r\n\r\n\r\nf88c84156d8e9fdec6f5c400135277ecd03e4b1d95e7d3b6f5b8c8a77eeb055f\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\n2782265ddd3a0d94d4f2622366b3401002dcfe1a9b99b7cbf6d5e824ff14d728\r\ncom.android.henbox\r\n\r\n0\r\n\r\n\r\nefff4243b6143c937509f52dbe7c4e40ceb2eb226f7cc1c96d8cf9f287668e37\r\ncn.android.setting\r\n\u8bbe\u7f6e\r\nSetup\r\n\r\n\r\n000473f7168ebda3de054a126352af81b61dd0be462ae9b3c7ccc0bc5cea7986\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\n6f0de72ee2df4206102c1ff93955fef07cee84a1ba280ef3eda3db9a7eafb22e\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\n2f7aa05b16d870d34feb1faa62bbfb9c5cffd4a52ea094c66657887b7c7046d4\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\n198ff17259ad377fae62ca49daaed0d9313831d5a12b16a79dd54045eb6909b8\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\n88c08e7084d4e0db14fc5fec6c906ff89e68b54df09096d49573b1906dd1ecd2\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\n5fff623781636b2af95327293f246e0d83b90012f067a8c9e6c2b5869e606465\r\ncn.android.setting\r\n\r\
n0\r\n\r\n\r\na26802ebe8ad4dc076becbc18b32a825cf057ff2059a0742ece86afe6fcb496c\r\ncom.android.henbox\r\n\r\n0\r\n\r\n\r\ne0427ca401d68c347ef14f65a94735f76238f59710d99c4097e51da23cbb2a6d\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\ncf36fb6f2d4029876f50d6a1eb9eafb13eb0bc6a57e179172ffe67a305f33c41\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\nd68070f75341ce070b11a4ecda28d80a85303fa102fb4cb84c3dcbf97863bcc5\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\n60adc526a1bfa8df150c25016d220544671a62820493b66a8467436181b8d224\r\ncn.android.setting\r\n\r\n0\r\n\r\n\r\n0589bed1e3b3d6234c30061be3be1cc6685d786ab3a892a8d4dae8e2d7ed92f7\r\ncom.android.henbox\r\nDroidVPN\r\nDroidVPN\r\n\r\n\r\nf28761f897e3a0e1dcdb0a993076a1cc48a1b17361d3f401aa917406332a79f1\r\n\r\n\r\n0\r\n\r\n\r\nfa5a76e86abb26e48af0b312f056d24000bc969835c40b3f98e5ca7e301b5bee\r\ncom.android.henbox\r\nUyghurche Kirguzguch\r\nUyghurche Kirguzguch\r\n\r\n\r\n5808df07cedf15451ab0984e9c60b077602de258319d48cf88b0cc4ca7bb57a0\r\n\r\n\r\n0\r\n\r\n\r\nb0e0d35649d6e5405d051580d0c2a7ca5d3eb58f38bd51d0b8b7b98813256ea1\r\n\r\n\r\n0\r\n\r\n\r\n2db13b0cdede04b1b050744114e6c849e5e527b37bcd22984b265dff874dd411\r\n\r\n\r\n0\r\n\r\n\r\nc6117397a54a1c2fda6efe40b1a209c14834f9ecb82136e06174c16644a59657\r\n\r\n\r\n0\r\n\r\n\r\ned35dab84aa4de72e782aef8cead90688d5c664de878207488828ed16902e828\r\n\r\n\r\n0\r\n\r\n\r\n2a7ab147d9e7c7f5349f5f929a2f955fb03b376d29d02d5a41d5e6da31d7cdcf\r\n\r\n\r\n0\r\n\r\n\r\nf3d04a7f77498acec86efc8d372c4d6eac591d8030f0a867ab856074e4da1fe6\r\n\r\n\r\n0\r\n\r\n\r\n\r\nPoison 
Ivy\r\nd3d5a43a2a4f054d41acf6d5f5c1d4d87c7027d880172c3167eaa19f99db43db\r\ndfcff48fb7ad43940c46430a4cd28d52564ea9b6e40a23ff4324da919a5fb783\r\n12759f7fd01ffdea97954be5404d7e43a3941a7388129e7b6ace85f56b500cd8\r\n26c0349af2b5ffebd01d86eff16a0158bb3ceba9ecb04a0c0bd442bc5736328d\r\nac8fc264c7ec3cf70836e1bb21f9a20174b04ad49731b8797d7d8bb95cb353e2\r\n3d714e1c02c4baf37008fb2537b02c0c1f524fa49263f3400f97f9ef12f2c907\r\n58246d040c79c2a75729511f09b09ae709fbfbaa0bad6e72751a586f7b37ec5e\r\nc9be192a5acfc3b416dbd3fa800fa63851b3440d4187961978b33cef21aeaaeb\r\n98f16b65b8acd4610077edd92dcb090e3d97f427dbb621827096071ed333b7b4\r\n7cdd37ef4a45afa1b85c87f2a778cf8a7482f7beeee5178856d2f4acfa841135\r\nc9be192a5acfc3b416dbd3fa800fa63851b3440d4187961978b33cef21aeaaeb\r\n14e2e6bbcc68650bfd7c1eb374401eb606c7417dfae7bebb4bf86909e2ff524d\r\n6a5998faa2be7d8b44f23cd5e02c9e3fa4a22bdba32e4663780aa035bddef239\r\nb45e4ac7a790a7c6364cd93e371e548756f621028380c850059954340c0f13dc\r\nb82785a6d488798c43f9dba0dd3f6cf8a4b03b308203452f641456dde09bedd8\u00a0\r\n\r\nPlugX\r\n45c64508382f41056bed1a6d95927225791fe8fcd8ee9a9a133968b93c19e39f\r\n\r\n9002\r\nb2966c2702285d2cad851bae72fe22136d7975a2a50b43a855447703146c63f0\r\n1b168603010e5179d001f78e47176296776938dde2351ca2250f2977eff043d0\r\nC11b963e2df167766e32b14fb05fd71409092092db93b310a953e1d0e9ec9bc3\r\n\r\nZupdax\r\nce0a078d12698cfca9c4a00dcb6cb2425956538f271e6a151a0e646677ed4ae9\r\nffc3f886d142c5df35b8eb1c2aee77e553a74657b6054e596e8347b4f0c0975e\r\n\r\nDomains and 
IPs\r\n60.191.57[.]35\r\n47.90.81[.]23\r\n222.139.212[.]16\r\n59.188.196[.]172\r\n222.239.91[.]30\r\nwork.andphocen[.]com\r\nandphocen[.]com\r\nw3.ezua[.]com\r\nlala513.gicp[.]net\r\nlogitechwkgame[.]com\r\nwww5.zyns[.]com\r\nwww3.mefound[.]com\r\nw3.changeip[.]org\r\nadmin.nslookupdns[.]com\r\ncdncool[.]com\r\ndns.cdncool[.]com\r\ntcpdo[.]net\r\n3w.tcpdo[.]net\r\nmd5c[.]net\r\njackhex.md5c[.]net\r\nup.outhmail[.]com\r\nouthmail[.]com\r\nqueryurl[.]com\r\nupdate.queryurl[.]com\r\nre.queryurl[.]com\r\nmail.queryurl[.]com\r\nadminsysteminfo[.]com\r\ninfo.adminsysteminfo[.]com","publisher":{"@type":"Organization","@id":"#panworg"},"image":{"@type":"ImageObject","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2016\/09\/unit42-web-banner-650x300-300x300.jpg","width":300,"height":300},"speakable":{"@type":"SpeakableSpecification","xPath":["\/html\/head\/title","\/html\/head\/meta[@name='description']\/@content"]},"author":[{"@type":"Person","name":"Alex Hinchliffe"},{"@type":"Person","name":"Mike Harbison"},{"@type":"Person","name":"Jen Miller-Osborn"},{"@type":"Person","name":"Tom Lancaster"}]}</script><link rel='stylesheet' id='crayon-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/crayon-syntax-highlighter/css/min/crayon.min.css?ver=_2.7.2_beta' media='all' /> <link rel='stylesheet' id='crayon-theme-classic-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/crayon-syntax-highlighter/themes/classic/classic.css?ver=_2.7.2_beta' media='all' /> <link rel='stylesheet' id='crayon-font-monaco-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/crayon-syntax-highlighter/fonts/monaco.css?ver=_2.7.2_beta' media='all' /> <style id='co-authors-plus-coauthors-style-inline-css'> .wp-block-co-authors-plus-coauthors.is-layout-flow [class*=wp-block-co-authors-plus]{display:inline} </style> <style id='co-authors-plus-avatar-style-inline-css'> .wp-block-co-authors-plus-avatar 
var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='post-views-counter-frontend-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/post-views-counter/css/frontend.min.css?ver=1.4.7' media='all' /> <link rel='stylesheet' id='wpml-legacy-post-translations-0-css' 
href='https://unit42.paloaltonetworks.com/wp-content/plugins/sitepress-multilingual-cms/templates/language-switchers/legacy-post-translations/style.min.css?ver=1' media='all' /> <link rel='stylesheet' id='unit42-v6-style-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/style.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='unit42-v6-head-styles-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/css/head-styles.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='unit42-v5-custom-styles-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/css/main.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='unit42-v6-plugin-styles-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/css/plugin.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='unit42-v6-custom-styles-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/css/main-redesign.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='like-dislike-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/css/ldc-lite.css?ver=1.0.0' media='all' /> <script src="https://unit42.paloaltonetworks.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1" id="jquery-core-js"></script> <script src="https://unit42.paloaltonetworks.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1" id="jquery-migrate-js"></script> <script id="crayon_js-js-extra"> var CrayonSyntaxSettings = {"version":"_2.7.2_beta","is_admin":"0","ajaxurl":"https:\/\/unit42.paloaltonetworks.com\/wp-admin\/admin-ajax.php","prefix":"crayon-","setting":"crayon-setting","selected":"crayon-setting-selected","changed":"crayon-setting-changed","special":"crayon-setting-special","orig_value":"data-orig-value","debug":""}; var CrayonSyntaxStrings = {"copy":"Press %s to Copy, %s to Paste","minimize":"Click To Expand Code"}; </script> <script 
src="https://unit42.paloaltonetworks.com/wp-content/plugins/crayon-syntax-highlighter/js/min/crayon.min.js?ver=_2.7.2_beta" id="crayon_js-js"></script> <script id="post-views-counter-frontend-js-before"> var pvcArgsFrontend = {"mode":"js","postID":66970,"requestURL":"https:\/\/unit42.paloaltonetworks.com\/wp-admin\/admin-ajax.php","nonce":"c1a02882bb","dataStorage":"cookies","multisite":false,"path":"\/","domain":""}; </script> <script src="https://unit42.paloaltonetworks.com/wp-content/plugins/post-views-counter/js/frontend.min.js?ver=1.4.7" id="post-views-counter-frontend-js"></script> <script id="wpml-xdomain-data-js-extra"> var wpml_xdomain_data = {"css_selector":"wpml-ls-item","ajax_url":"https:\/\/unit42.paloaltonetworks.com\/wp-admin\/admin-ajax.php","current_lang":"en","_nonce":"3e4986c795"}; </script> <script src="https://unit42.paloaltonetworks.com/wp-content/plugins/sitepress-multilingual-cms/res/js/xdomain-data.js?ver=4.6.13" id="wpml-xdomain-data-js" defer data-wp-strategy="defer"></script> <link rel="https://api.w.org/" href="https://unit42.paloaltonetworks.com/wp-json/" /><link rel="alternate" title="JSON" type="application/json" href="https://unit42.paloaltonetworks.com/wp-json/wp/v2/posts/66970" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://unit42.paloaltonetworks.com/xmlrpc.php?rsd" /> <meta name="generator" content="WordPress 6.6.2" /> <link rel='shortlink' href='https://unit42.paloaltonetworks.com/?p=66970' /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" href="https://unit42.paloaltonetworks.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Funit42.paloaltonetworks.com%2Funit42-henbox-chickens-come-home-roost%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://unit42.paloaltonetworks.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Funit42.paloaltonetworks.com%2Funit42-henbox-chickens-come-home-roost%2F&#038;format=xml" /> <meta name="generator" content="WPML 
ver:4.6.13 stt:1,28;" /> <meta name="google-site-verification" content="zHZtYOWm9hm4SZgsH7wqiYcOwmsAsxDUDU4UD1QxB40" /><style>#wpdevart_lb_overlay{background-color:#000000;} #wpdevart_lb_overlay.wpdevart_opacity{opacity:0.8 !important;} #wpdevart_lb_main_desc{ -webkit-transition: opacity 0.3s ease; -moz-transition: opacity 0.3s ease; -o-transition: opacity 0.3s ease; transition: opacity 0.3s ease;} #wpdevart_lb_information_content{ -webkit-transition: opacity 0.3s ease; -moz-transition: opacity 0.3s ease; -o-transition: opacity 0.3s ease; transition: opacity 0.3s ease;} #wpdevart_lb_information_content{ width:100%; padding-top:0px; padding-bottom:0px; } #wpdevart_info_counter_of_imgs{ display: inline-block; padding-left:15px; padding-right:4px; font-size:20px; color:#000000; } #wpdevart_info_caption{ display: inline-block; padding-left:15px; padding-right:4px; font-size:20px; color:#000000; } #wpdevart_info_title{ display: inline-block; padding-left:5px; padding-right:5px; font-size:15px; color:#000000; } @-webkit-keyframes rotate { to {-webkit-transform: rotate(360deg);} from {-webkit-transform: rotate(0deg);} } @keyframes rotate { to {transform: rotate(360deg);} from {transform: rotate(0deg);} } #wpdevart_lb_loading_img,#wpdevart_lb_loading_img_first{ -webkit-animation: rotate 2s linear infinite; animation: rotate 2s linear infinite; } </style> <link rel="pingback" href="https://unit42.paloaltonetworks.com/xmlrpc.php"><link rel="icon" href="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-Unit42-180x180-1.png" sizes="32x32" /> <link rel="icon" href="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-Unit42-180x180-1.png" sizes="192x192" /> <link rel="apple-touch-icon" href="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-Unit42-180x180-1.png" /> <meta name="msapplication-TileImage" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-Unit42-180x180-1.png" /> <script>var $ = 
jQuery;</script> <script type="text/javascript"> ;(function(win, doc, style, timeout) { var STYLE_ID = 'at-body-style'; function getParent() { return doc.getElementsByTagName('head')[0]; } function addStyle(parent, id, def) { if (!parent) { return; } var style = doc.createElement('style'); style.id = id; style.innerHTML = def; parent.appendChild(style); } function removeStyle(parent, id) { if (!parent) { return; } var style = doc.getElementById(id); if (!style) { return; } parent.removeChild(style); } addStyle(getParent(), STYLE_ID, style); setTimeout(function() { removeStyle(getParent(), STYLE_ID); }, timeout); }(window, document, "body {visibility:hidden !important}", 3000)); </script> <script src="https://assets.adobedtm.com/9273d4aedcd2/0d76ae0322d7/launch-425c423d843b.min.js" async></script> <script type="text/javascript" src="https://www.paloaltonetworks.com/content/dam/pan/en_US/includes/attribution.js"></script> <script type="text/javascript"> var isIE11 = !!navigator.userAgent.match(/Trident.*rv\:11\./); if(isIE11){ var polyfill = 'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/scripts/polyfill.min.js'; document.write('<script type="text/javascript" src="'+polyfill+'">\x3C/script>'); } /** * String.prototype.replaceAll() polyfill * https://gomakethings.com/how-to-replace-a-section-of-a-string-with-another-one-with-vanilla-js/ * @author Chris Ferdinandi * @license MIT */ if (!String.prototype.replaceAll) { String.prototype.replaceAll = function(str, newStr){ // If a regex pattern if (Object.prototype.toString.call(str).toLowerCase() === '[object regexp]') { return this.replace(str, newStr); } // If a string return this.replace(new RegExp(str, 'g'), newStr); }; } /*! 
lozad.js - v1.16.0 - 2020-09-06 */ !function(t,e){"object"==typeof exports&&"undefined"!=typeof module?module.exports=e():"function"==typeof define&&define.amd?define(e):t.lozad=e()}(this,function(){"use strict"; /** * Detect IE browser * @const {boolean} * @private */var g="undefined"!=typeof document&&document.documentMode,f={rootMargin:"0px",threshold:0,load:function(t){if("picture"===t.nodeName.toLowerCase()){var e=t.querySelector("img"),r=!1;null===e&&(e=document.createElement("img"),r=!0),g&&t.getAttribute("data-iesrc")&&(e.src=t.getAttribute("data-iesrc")),t.getAttribute("data-alt")&&(e.alt=t.getAttribute("data-alt")),r&&t.append(e)}if("video"===t.nodeName.toLowerCase()&&!t.getAttribute("data-src")&&t.children){for(var a=t.children,o=void 0,i=0;i<=a.length-1;i++)(o=a[i].getAttribute("data-src"))&&(a[i].src=o);t.load()}t.getAttribute("data-poster")&&(t.poster=t.getAttribute("data-poster")),t.getAttribute("data-src")&&(t.src=t.getAttribute("data-src")),t.getAttribute("data-srcset")&&t.setAttribute("srcset",t.getAttribute("data-srcset"));var n=",";if(t.getAttribute("data-background-delimiter")&&(n=t.getAttribute("data-background-delimiter")),t.getAttribute("data-background-image"))t.style.backgroundImage="url('"+t.getAttribute("data-background-image").split(n).join("'),url('")+"')";else if(t.getAttribute("data-background-image-set")){var d=t.getAttribute("data-background-image-set").split(n),u=d[0].substr(0,d[0].indexOf(" "))||d[0];// Substring before ... 
1x u=-1===u.indexOf("url(")?"url("+u+")":u,1===d.length?t.style.backgroundImage=u:t.setAttribute("style",(t.getAttribute("style")||"")+"background-image: "+u+"; background-image: -webkit-image-set("+d+"); background-image: image-set("+d+")")}t.getAttribute("data-toggle-class")&&t.classList.toggle(t.getAttribute("data-toggle-class"))},loaded:function(){}};function A(t){t.setAttribute("data-loaded",!0)}var m=function(t){return"true"===t.getAttribute("data-loaded")},v=function(t){var e=1<arguments.length&&void 0!==arguments[1]?arguments[1]:document;return t instanceof Element?[t]:t instanceof NodeList?t:e.querySelectorAll(t)};return function(){var r,a,o=0<arguments.length&&void 0!==arguments[0]?arguments[0]:".lozad",t=1<arguments.length&&void 0!==arguments[1]?arguments[1]:{},e=Object.assign({},f,t),i=e.root,n=e.rootMargin,d=e.threshold,u=e.load,g=e.loaded,s=void 0;"undefined"!=typeof window&&window.IntersectionObserver&&(s=new IntersectionObserver((r=u,a=g,function(t,e){t.forEach(function(t){(0<t.intersectionRatio||t.isIntersecting)&&(e.unobserve(t.target),m(t.target)||(r(t.target),A(t.target),a(t.target)))})}),{root:i,rootMargin:n,threshold:d}));for(var c,l=v(o,i),b=0;b<l.length;b++)(c=l[b]).getAttribute("data-placeholder-background")&&(c.style.background=c.getAttribute("data-placeholder-background"));return{observe:function(){for(var t=v(o,i),e=0;e<t.length;e++)m(t[e])||(s?s.observe(t[e]):(u(t[e]),A(t[e]),g(t[e])))},triggerLoad:function(t){m(t)||(u(t),A(t),g(t))},observer:s}}}); </script> <!-- <script src="https://www.google.com/recaptcha/api.js"></script> --> <!-- End: Scripts Migrated From Unit42-v5 --> </head> <body class="post-template-default single single-post postid-66970 single-format-standard no-sidebar"> <header class="haeder py-15 position-relative z-index-2" style="display: none;"> <div class="container px-sm-30 px-35"> <div class="row"> <div class="first-logo col-sm-auto col-6 mb-sm-0 mb-40 text-sm-center order-1"> <a 
href="https://www.paloaltonetworks.com/"> <img src="/wp-content/uploads/2021/07/PANW_Parent.png" width="140px" alt="Logo" /> </a> </div> <div class="col-sm-auto col-6 text-sm-center order-sm-2 order-4 second-logo-unit"> <a href="https://unit42.paloaltonetworks.com/"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/unit42-logo-white.svg" class="attachment-full size-full" alt="Unit42 Logo" width="150" height="35"/> </a> </div> <div class="col-auto d-sm-none ml-auto mb-40 order-2"> <button class="btn__search" data-toggle="collapse" data-target="#search" aria-label="search"><i class="ui ui-1"></i></button> </div> <div id="search" class="collapse d-sm-block col-sm-auto col-12 ml-auto order-3"> <div class="pt-sm-0 pt-20 pb-sm-0 pb-40 mt-sm-0 mt-n30"> <input type="search" placeholder="Search Unit 42" id="innerSearch" class="header__search" value="" required aria-label="Inner Search"> </div> </div> <div class="col-auto d-sm-none d-flex ml-auto align-items-center order-5"> <button class="btn__menu rounded" data-toggle="collapse" data-target="#navigation">Menu</button> </div> </div> </div> </header> <nav id="navigation" class="site-nav collapse d-sm-block pb-20 mt-sm-10" style="display: none!important;"> <div class="container px-sm-30"> <ul id="menu-primary-navigation" class="main-menu d-sm-flex font-weight-medium"><li id="menu-item-97290" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-97290"><a href="https://unit42.paloaltonetworks.com/tools/">Tools</a></li> <li id="menu-item-41" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-41"><a href="https://unit42.paloaltonetworks.com/atoms/">ATOMs</a></li> <li id="menu-item-119884" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-119884"><a target="_blank" rel="noopener" href="https://www.paloaltonetworks.com/unit42">Security Consulting</a></li> <li id="menu-item-81229" class="menu-item menu-item-type-post_type 
menu-item-object-page menu-item-81229"><a href="https://unit42.paloaltonetworks.com/about-unit-42/">About Us</a></li> <li id="menu-item-121229" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-121229"><a href="https://start.paloaltonetworks.com/contact-unit42.html"><b style="color:#C84727">Under Attack?</b></a></li> </ul> </div> </nav> <div class="panClean pan-template-home" id="main-nav-menu-cont" style="display:none;"> <div class="cleanHeader mainNavigationComp baseComponent parbase"> <div class="productNav2021Component dark default" id="PAN_2021_NAV_ASYNC"> </div> </div> <div class="cleanTopHtml htmlComp baseComponent parbase"><div class="base-component-spacer spacer-none "></div> </div> </div> <!-- Start: Scripts Migrated From Unit42-v5 --> <script type="text/javascript"> function getCookie(cname) { var name = cname + "="; var decodedCookie = decodeURIComponent(document.cookie); var ca = decodedCookie.split(';'); for(var i = 0; i <ca.length; i++) { var c = ca[i]; while (c.charAt(0) == ' ') { c = c.substring(1); } if (c.indexOf(name) == 0) { return c.substring(name.length, c.length); } } return ""; } var referer = "";//sessionStorage.container; var pcontainer = sessionStorage.getItem("container"); var searchResultsPagePath = ""; if(((pcontainer) && pcontainer.indexOf('Prisma')!=-1)){ referer = 'Prisma' ; } else if(((pcontainer) && pcontainer.indexOf('Cortex')!=-1)){ referer = 'Cortex' ; } else if(((pcontainer) && pcontainer.indexOf('Sase')!=-1)){ referer = 'Sase' ; } else if(((pcontainer) && pcontainer.indexOf('Unit')!=-1)){ referer = 'Unit' ; } else if(((pcontainer) && pcontainer.indexOf('Ngfw')!=-1)){ referer = 'Ngfw' ; } var fromRef = document.referrer; var nContainer = getCookie("navContainer"); if(nContainer){//If user is coming from main site, we need to reset the container if(fromRef && fromRef.indexOf("prismacloud.io")!=-1){ referer = 'Prisma' ; sessionStorage.setItem("container","Prisma"); } else 
if(fromRef.indexOf("paloaltonetworks.com")!=-1 || fromRef.indexOf("paloaltonetworks.jp")!=-1 ){ if(nContainer.indexOf('Prisma') != -1){ referer = 'Prisma' ; sessionStorage.setItem("container","Prisma"); } if(nContainer.indexOf('Cortex') != -1){ referer = 'Cortex' ; sessionStorage.setItem("container","Cortex"); } if(nContainer.indexOf('Sase') != -1){ referer = 'Sase' ; sessionStorage.setItem("container","Sase"); } if(nContainer.indexOf('Unit') != -1){ referer = 'Unit' ; sessionStorage.setItem("container","Unit"); } if(nContainer.indexOf('Ngfw') != -1){ referer = 'Ngfw' ; sessionStorage.setItem("container","Ngfw"); } document.cookie = 'navContainer=; path=/; domain=.paloaltonetworks.com; expires=' + new Date(0).toUTCString(); } } if(referer != "Prisma" && referer != "Cortex" && referer != "Sase" && referer != "Unit" && referer != "Ngfw") { referer = 'Unit' ; sessionStorage.setItem("container","Unit"); } function callMainSitePrismaNavHTML(){ var referrer_domain = 'https://www.paloaltonetworks.com'; sessionStorage.setItem("domain",referrer_domain); if(referer == 'Prisma'){ var menu_url = referrer_domain+'/_jcr_content/globals/cleanHeaderPrisma.prismaRenderer.html'; searchResultsPagePath = referrer_domain+"/search/prismasearch"; } if(referer == 'Cortex'){ var menu_url = referrer_domain+'/_jcr_content/globals/cleanHeaderCortex.cortexRenderer.html'; searchResultsPagePath = referrer_domain+"/search/cortexsearch"; } if(referer == 'Sase'){ var menu_url = referrer_domain+'/_jcr_content/globals/cleanHeaderSase.saseRenderer.html'; searchResultsPagePath = referrer_domain+"/search/sasesearch"; } if(referer == 'Unit'){ var menu_url = 'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/unit-nav-renderer.php'; searchResultsPagePath = referrer_domain+"/content/pan/en_US/search/unit42search"; } if(referer == 'Ngfw'){ var menu_url = 'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/ngfw-cdss-nav-renderer.php'; searchResultsPagePath = 
referrer_domain+"/search/ngfwcdsssearch"; } httpGet(menu_url,'menu_html'); document.getElementById('main-nav-menu-cont').removeAttribute("style"); } function addStyle(styles) { /* Create style document */ var css = document.createElement('style'); css.type = 'text/css'; if (css.styleSheet) css.styleSheet.cssText = styles; else css.appendChild(document.createTextNode(styles)); /* Append style to the tag name */ document.getElementsByTagName("head")[0].appendChild(css); } function httpGet(theUrl,req_type) { if (window.XMLHttpRequest) { // code for IE7+, Firefox, Chrome, Opera, Safari xmlhttp=new XMLHttpRequest(); } else {// code for IE6, IE5 xmlhttp=new ActiveXObject("Microsoft.XMLHTTP"); } xmlhttp.onreadystatechange=function() { if (xmlhttp.readyState==4 && xmlhttp.status==200) { if(req_type == 'menu_html'){ var nav_text = xmlhttp.responseText.replaceAll('https://static.cloud.coveo.com/searchui/v2.9159/js/CoveoJsSearch.Lazy.min.js', ''); nav_text = nav_text.replaceAll('src="/', 'src="'+maindomain_lang+'/'); nav_text = nav_text.replaceAll("'/content", "'"+maindomain_lang+"/content"); document.getElementById("PAN_2021_NAV_ASYNC").innerHTML = nav_text.replaceAll('href="/', 'href="'+maindomain_lang+'/'); var lozad_back = document.getElementsByClassName('lozad-background'); Array.prototype.forEach.call(lozad_back, function(el) { // Do stuff here var el_back_img_path = el.getAttribute('data-background-image'); var first_pos = el_back_img_path.indexOf("'"); var last_pos = el_back_img_path.indexOf("'",first_pos+1); el_back_img_path = el_back_img_path.substring(first_pos+1,last_pos); el.setAttribute("data-background-image",main_site_url+el_back_img_path); }); } if(req_type == 'head_inline_css'){ addStyle(xmlhttp.responseText); } } } xmlhttp.open("GET", theUrl, true ); xmlhttp.send(); } if(referer == 'Prisma' || referer == 'Cortex' || referer == 'Sase' || referer == 'Unit' || referer == 'Ngfw'){ const article = document.querySelector('#PAN_2021_NAV_ASYNC'); if(referer == 
'Prisma'){ article.dataset.type = 'prisma'; $('#PAN_2021_NAV_ASYNC').removeClass('default').addClass('defaultRedesigned'); } else if(referer == 'Cortex'){ article.dataset.type = 'cortex'; } else if(referer == 'Sase'){ article.dataset.type = 'sase'; } else if(referer == 'Unit'){ article.dataset.type = 'unit'; } else if(referer == 'Ngfw'){ article.dataset.type = 'ngfw'; } //set class to default if(referer == 'Unit' || referer == 'Ngfw'){ $('#PAN_2021_NAV_ASYNC').removeClass('default').addClass('defaultRedesigned'); } callMainSitePrismaNavHTML(); } </script> <!-- End: Scripts Migrated From Unit42-v5 --> <main class="main"> <section class="section section--article"> <div class="pa article-banner" style="background-image:url('https://unit42.paloaltonetworks.com/wp-content/uploads/2016/09/unit42-web-banner-650x300.jpg')"> <div class="l-container"> <div class="l-breadcrumbs"> <ul> <li> <a href="https://unit42.paloaltonetworks.com" role="link" title="Threat Research" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:hero:breadcrumb:Threat Research">Threat Research Center</a></li><li><a href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" title="Threat Research" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:hero:breadcrumb:Threat Research">Threat Research</a></li><li class="is-current"><a href="https://unit42.paloaltonetworks.com/category/malware/" role="link" title="Malware" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:hero:breadcrumb:Malware">Malware</a></li> </ul> </div> <div class="ab__title"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/malware/" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:hero:Malware"><span class="ab-title__pre">Malware</span></a> <h1>HenBox: The Chickens Come Home to Roost</h1> <div class="ab__video"> <span class="duration"> 
<img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-clock.svg" alt="Clock Icon"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 18</span> <span class="rt-label rt-postfix"></span></span> min read </span> </div> <div class="ab-lc__wrapper"> </div> </div> </div> <div class="ab__footer"> <div class="l-container"> <div class="ab__footer-wrapper"> <ul class="ab__features" role="list"> <li role="listitem"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-profile-grey.svg" alt="Profile Icon"> <div class="ab__text"><span>By:</span><ul class="ab__tags"><li><a data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:hero:Alex Hinchliffe" href="https://unit42.paloaltonetworks.com/author/alex-hinchliffe/">Alex Hinchliffe</a></li><li><a data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:hero:Mike Harbison" href="https://unit42.paloaltonetworks.com/author/mike-harbison/">Mike Harbison</a></li><li><a data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:hero:Jen Miller-Osborn" href="https://unit42.paloaltonetworks.com/author/jen-miller-osborn/">Jen Miller-Osborn</a></li><li><a data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:hero:Tom Lancaster" href="https://unit42.paloaltonetworks.com/author/tom-lancaster/">Tom Lancaster</a></li></ul></div></li> <li role="listitem"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-calendar-grey.svg" alt="Published Icon"> <div class="ab__text"><span>Published:</span>March 13, 2018</div></li> <li role="listitem"><img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-category.svg" alt="Tags Icon"><div class="ab__text"><span>Categories:</span><ul class="ab__tags"><li><a 
data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:hero:Malware" href="https://unit42.paloaltonetworks.com/category/malware/">Malware</a></li><li><a data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:hero:Threat Research" href="https://unit42.paloaltonetworks.com/category/threat-research/">Threat Research</a></li></ul></div> </li> <li role="listitem"><img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-tags-grey.svg" alt="Tags Icon"><div class="ab__text"><span>Tags:</span><ul class="ab__tags"><li><a data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:hero:9002" href="https://unit42.paloaltonetworks.com/tag/9002/">9002</a></li><li><a data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:hero:Android" href="https://unit42.paloaltonetworks.com/tag/android/">Android</a></li><li><a data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:hero:HenBox" href="https://unit42.paloaltonetworks.com/tag/henbox/">HenBox</a></li><li><a data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:hero:PlugX" href="https://unit42.paloaltonetworks.com/tag/plugx/">PlugX</a></li><li><a data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:hero:Poison Ivy" href="https://unit42.paloaltonetworks.com/tag/poison-ivy/">Poison Ivy</a></li><li><a data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:hero:Zupdax" href="https://unit42.paloaltonetworks.com/tag/zupdax/">Zupdax</a></li></ul></div> </li> </ul> </div> </div> </div> </div> </section> <section class="section blog-contents"> <div class="pa blog-editor"> <div class="l-container"> <div class="be__wrapper"> <div class="be__contents"> <div class="be__contents-wrapper"> <p class="wpml-ls-statics-post_translations wpml-ls">This post is also available in: <span class="wpml-ls-slot-post_translations wpml-ls-item wpml-ls-item-ja wpml-ls-first-item wpml-ls-last-item wpml-ls-item-legacy-post-translations"><a href="https://unit42.paloaltonetworks.jp/unit42-henbox-chickens-come-home-roost/" class="wpml-ls-link"><span class="wpml-ls-native" lang="ja">日本語</span><span class="wpml-ls-display"><span class="wpml-ls-bracket"> (</span>Japanese<span class="wpml-ls-bracket">)</span></span></a></span></p><p><span style="font-size: 18pt;">Summary</span><br /> <img class="alignleft wp-image-67336 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/03/henbox_1.png" alt="henbox_1" width="154" height="200" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/03/henbox_1.png 338w, https://unit42.paloaltonetworks.com/wp-content/uploads/2018/03/henbox_1-230x300.png 230w" sizes="(max-width: 154px) 100vw, 154px" /><br /> Unit 42 recently discovered a new Android malware family we named “HenBox” masquerading as a variety of legitimate Android apps.  We chose the name “HenBox” based on metadata found in most of the malicious apps such as package names and signer detail. 
HenBox masquerades as apps such as VPN and Android system apps and often installs legitimate versions of these apps along with HenBox to trick users into thinking they downloaded the legitimate app. While some of the legitimate apps HenBox uses as decoys can be found on Google Play, HenBox apps themselves have only been found on third-party (non-Google Play) app stores.<br /> HenBox appears to primarily target the <a href="https://en.wikipedia.org/wiki/Uyghurs">Uyghurs</a> – a minority <a href="https://en.wikipedia.org/wiki/Turkic_peoples">Turkic</a> ethnic group that is primarily Muslim and lives mainly in the <a href="https://en.wikipedia.org/wiki/Xinjiang">Xinjiang</a> Uyghur Autonomous Region in North West China. It also targets devices made by Chinese manufacturer <a href="https://en.wikipedia.org/wiki/Xiaomi">Xiaomi</a> and those running <a href="https://en.wikipedia.org/wiki/MIUI">MIUI</a>, an operating system based on Google Android made by Xiaomi. Smartphones are the dominant form of <a href="https://foreignpolicy.com/2014/04/21/welcome-to-the-uighur-web/">internet access</a> in the region and Xinjiang was recently above the <a href="https://www.chinadaily.com.cn/business/tech/2017-07/08/content_30041010.htm">national average</a> of internet users in China. The result is a large online population who have been the <a href="https://www.rfa.org/english/news/uyghur/hackers-09062012153043.html">subject</a> of <a href="https://securelist.com/cyber-attacks-against-uyghur-mac-os-x-users-intensify/64259/">numerous</a> <a href="https://securityledger.com/2014/08/study-finds-unrelenting-cyber-attacks-against-chinas-uyghurs/">cyber-attacks</a> in <a href="https://blog.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/">the past</a>.<br /> Once installed, HenBox steals information from a myriad of sources on the device, including many mainstream chat, communication, and social media apps. 
The stolen information includes personal and device information. Of note, in addition to tracking the compromised device’s location, HenBox also harvests the phone numbers of all outgoing calls that carry an “86” prefix, which is the country code for the People’s Republic of China (PRC). It can also access the phone’s cameras and microphone.<br /> HenBox has ties to infrastructure used in targeted attacks with a focus on politics in South East Asia. In previous activity dating to at least 2015, these attackers have used additional malware families, including PlugX, Zupdax, 9002, and Poison Ivy. This also aligns with HenBox’s timeline, as in total we have identified almost 200 HenBox samples, with the oldest dating to 2015. Most of the samples we found date from the last half of 2017, fewer samples date from 2016, and a handful date back to 2015. In 2018, we have already observed a small but consistent number of samples. We believe this indicates a fairly sustained campaign that has gained momentum over recent months.</p> <p><span style="font-size: 18pt;">HenBox Enters the Uyghur App Store</span><br /> In May 2016, a HenBox app was downloaded from uyghurapps[.]net. Specifically, the app was an Android Package (APK) file that will be discussed in more detail shortly. The domain name, language of the site and app content hosted suggest this site is a third-party app store whose intended users are the Uyghurs. Such app stores are so called because they are not officially supported by Android, nor are they provided by Google, unlike the Play Store. Third-party app stores are ubiquitous in China for a number of reasons including: ever more powerful Chinese Original Equipment Manufacturers (OEM), a lack of an official Chinese Google Play app store, and a growing smartphone market.<br /> The HenBox app downloaded in May 2016 was masquerading as the DroidVPN app. 
At the time of writing, the content served at the given URL on uyghurapps[.]net, is now a legitimate version of the DroidVPN app, and looks as shown in Figure 1 below.<br /> <a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/03/henbox_2.png" rel="wpdevart_lightbox"><img class="aligncenter wp-image-67375 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/03/henbox_2.png" alt="henbox_2" width="600" height="691" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/03/henbox_2.png 683w, https://unit42.paloaltonetworks.com/wp-content/uploads/2018/03/henbox_2-260x300.png 260w, https://unit42.paloaltonetworks.com/wp-content/uploads/2018/03/henbox_2-370x426.png 370w" sizes="(max-width: 600px) 100vw, 600px" /></a></p> <p style="text-align: center;"><em>Figure 1 Uyghurapps[.]net app store showing the current DroidVPN app</em></p> <p>Virtual Private Network (VPN) tools allow connections to remote private networks, increasing the security and privacy of the user’s communications. According to the DroidVPN app description, it “helps bypass regional internet restrictions, web filtering and firewalls by tunneling traffic over ICMP.” Some features may require devices to be rooted to function and according to some 3rd party app stores, unconditional rooting is required, which has additional security implications for the device.<br /> We have not been able to ascertain how the DroidVPN app on the uyghurapps[.]net app store was replaced with the malicious HenBox app; however, some indicators point to the server running an outdated version of Apache Web Server on a Windows 32-Bit operating system. 
In light of this, we believe an attack against unpatched vulnerabilities is a reasonable conjecture for how the server was compromised.<br /> The HenBox app downloaded in May 2016, as described in Table 1 below, masquerades as a legitimate version of the DroidVPN app by using the same app name “DroidVPN” and the same iconography used when displaying the app in Android’s launcher view, as highlighted in Figure 2 below Table 1.</p> <table align="center"> <tbody> <tr> <td width="193"><strong>APK SHA256</strong></td> <td width="63"><strong>Size (bytes)</strong></td> <td width="36"><strong>First Seen</strong></td> <td width="113"><strong>App Package name</strong><br /> <strong> </strong></td> <td width="63"><strong>App name</strong></td> </tr> <tr> <td width="193">0589bed1e3b3d6234c30061be3be1cc6685d786ab3a892a8d4dae8e2d7ed92f7</td> <td width="63">2,740,860</td> <td width="36">May 2016</td> <td width="113">com.android.henbox</td> <td width="63">DroidVPN</td> </tr> </tbody> </table> <p style="text-align: center;"><em>Table 1 Details of the HenBox DroidVPN app on the uyghurapps[.]net app store</em></p> <p style="text-align: left;"><img class="size-full wp-image-67414 aligncenter lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/03/henbox_3.png" alt="henbox_3" width="420" height="703" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/03/henbox_3.png 420w, https://unit42.paloaltonetworks.com/wp-content/uploads/2018/03/henbox_3-179x300.png 179w, https://unit42.paloaltonetworks.com/wp-content/uploads/2018/03/henbox_3-370x619.png 370w" sizes="(max-width: 420px) 100vw, 420px" /></p> <p style="text-align: center;"><em>Figure 2 HenBox app installed, purporting to be DroidVPN</em></p> <p>Depending on the language setting on the device, and for this particular variant of HenBox, the installed HenBox app may have the name “Backup” but uses the same DroidVPN logo. 
Other variants use other names and logos, as described later.<br /> Given the DroidVPN look and feel being used by this variant of HenBox, it’s highly likely the uyghurapps[.]net page for DroidVPN remained identical when serving either HenBox or DroidVPN apps, just that the legitimate APK file had been replaced with HenBox for an unknown period of time.<br /> In addition to the look and feel of DroidVPN, this HenBox variant also contained a legitimate DroidVPN app within its APK package as an asset, which could be compared to a resource item within a Windows Portable Executable (PE) file. Once the HenBox app is installed and launched, it launches an install process for the embedded app as a decoy to other malicious behaviors occurring in the background, and to satisfy the victim with the app they were requesting, assuming they requested to download a particular app, such as DroidVPN.<br /> The version of the legitimate DroidVPN embedded inside this HenBox variant is the same version of DroidVPN available for download from uyghurapps[.]net, at the time of writing. It’s worth noting, newer versions of the DroidVPN app are available on Google Play, as well as in some other third-party app stores, which could indicate uyghurapps[.]net is not awfully well maintained or updated to the latest apps available.<br /> At the time of writing, to our knowledge no other third-party app stores, nor the official Google Play store, were or are hosting this malicious HenBox variant masquerading as DroidVPN.</p> <p><span style="font-size: 18pt;">The Right App at the Right Time</span><br /> The malicious HenBox and embedded DroidVPN app combination is one instance of the type of legitimate apps the attackers choose to mimic to compromise their victims. These threat actors frequently offer malicious apps purporting to be legitimate apps that are broadly used or important to a targeted population. 
It’s worth noting however, about one-third of the HenBox apps contained embedded APK objects that did not refer to legitimate apps. Some were only 3 bytes long, containing strings such as “ddd” and “333”, or were otherwise corrupted.<br /> Beyond the previously mentioned DroidVPN example, other viable embedded apps we found include apps currently available on Google Play, as well as many third-party app stores. Table 2 below lists some of these apps with their respective metadata.</p> <table align="center"> <tbody> <tr> <td width="23"><strong>#</strong></td> <td width="120"><strong>Parent APK SHA256</strong></td> <td width="65"><strong>First Seen</strong></td> <td width="144"><strong>Package names</strong><br /> <strong>(parent APK)</strong><br /> <strong>[embedded APK]</strong></td> <td width="177"><strong>APK App names</strong><br /> <strong>(parent APK)</strong><br /> <strong>[embedded APK]</strong></td> </tr> <tr> <td width="23">1</td> <td width="120">fa5a76e86abb26e48a<br /> f0b312f056d24000bc<br /> 969835c40b3f98e5ca<br /> 7e301b5bee</td> <td width="65">April 2016</td> <td width="144">(com.android.henbox)<br /> [com.ziipin.software]</td> <td width="177">(Uyghurche Kirguzguch)<br /> [Emojicon]</td> </tr> <tr> <td width="23">2</td> <td width="120">1749df47cf37c09a92<br /> b6a56b64b136f15ec<br /> 59c4f55ec835b1e569<br /> c88e1c6e684</td> <td width="65">May 2017</td> <td width="144">(cn.android.setting)<br /> [com.apps.amaq]</td> <td width="177">(设置 (Backup))<br /> [Amaq Agency]</td> </tr> <tr> <td width="23">3</td> <td width="120">4d437d1ac29b1762c<br /> c47f8094a05ab73141<br /> d03f9ce0256d200fc6<br /> 91c41d1b6e7</td> <td width="65">June 2017</td> <td width="144">(cn.android.setting)<br /> [com.example.ourplayer]</td> <td width="177">(islamawazi)<br /> [islamawazi]</td> </tr> </tbody> </table> <p style="text-align: center;"><em>Table 2 Example HenBox variants containing embedded apps</em></p> <p>Sample 1 marks the first HenBox sample we saw embedding a 
legitimate app within its assets to be dropped and installed on the victim device as a decoy. The legitimate app in question was a Uyghur language keyboard app targeted at native speakers of the Uyghur language and their smartphones.<br /> Sample 2 has the package name cn.android.setting, masquerading as Android’s Settings app, which has a similar package name (com.android.settings). This variant of HenBox also used the common green Android figure as the app logo and was named 设置 (“Backup” in English). This variant’s app name, along with many others, is written in Chinese and describes the app as a backup tool. Please see the IOCs section for all app and package name combinations. Interestingly, the embedded app in sample 2 is not a version of the Android Settings app but instead the “Amaq Agency” app, which reports on ISIS-related news. <a href="https://www.ibtimes.co.uk/islamic-state-fake-version-isis-news-app-amaq-android-spying-its-supporters-1563313">Reports</a> indicate fake versions of the Amaq app exist, likely in order to spy on those that use it.<br /> A month after observing sample 2, we obtained another sample (sample 3 in Table 2), which used the same package name as sample 2 (cn.android.setting). However, this time the app names of HenBox and the embedded app were identical: Islamawazi.  Islamawazi is also known as the <a href="https://en.wikipedia.org/wiki/Turkistan_Islamic_Party">Turkistan Islamic Party or “TIP”</a>. This organization was formerly known as the East Turkestan Islamic Party and is purported to be an Islamic extremist separatist organization founded by Uyghur jihadists. The embedded app appears to be a media player.<br /> These examples, together with the HenBox app placed on a very specific third-party app store, point clearly to at least some of the intended targets of these malicious apps being Uyghurs, specifically those with interest in or association with terrorist groups. 
These threat actors appear to be choosing the right apps – those that could be popular with locals in the region, at the right time – while tensions grow in this region of China, to ensure a good victim install-base.</p> <p><span style="font-size: 18pt;">HenBox Roosts</span><br /> HenBox has evolved over the past three years, and of the almost two hundred HenBox apps in AutoFocus, the vast majority contain several native libraries as well as other components in order to achieve their objective. Most components are obfuscated in some way, whether it be simple XOR with a single-byte key, or through the use of ZIP or Zlib compression wrapped with RC4 encryption. These components are responsible for a myriad of functions including handling decryption, network communications, gaining super-user privileges, monitoring system logs, loading additional Dalvik code files, tracking the device location and more.<br /> The remainder of this section describes at a high-level what HenBox is capable of, and how it operates. 
The description is based on analysis of the sample described in Table 3 below, which was of interest given its C2 domain mefound[.]com overlaps with PlugX, Zupdax, and Poison Ivy malware families discussed in more detail later.</p> <table align="center"> <tbody> <tr> <td width="156"><strong>SHA256</strong></td> <td width="156"><strong>Package Name</strong></td> <td width="156"><strong>App Name</strong></td> </tr> <tr> <td width="156">a6c7351b09a733a1b3ff8a0901c5bde<br /> fdc3b566bfcedcdf5a338c3a97c9f249b</td> <td width="156">com.android.henbox</td> <td width="156">备份 (Backup)</td> </tr> </tbody> </table> <p style="text-align: center;"><em>Table 3 HenBox variant used in description</em></p> <p>Once this variant of HenBox is installed on the victim’s device, the app can be executed in two different ways:<br /> One method for executing HenBox is for the victim to launch the malicious app (named “Backup”, in this instance) from the launcher view on their device, as shown in Figure 3 below. This runs code in the onCreate() method of the app’s MainActivity class, which in effect is the program’s entry point. 
This process is defined in the app’s AndroidManifest.xml config file, as shown in the following snippet.</p><!-- Crayon Syntax Highlighter v_2.7.2_beta --> <div id="crayon-6743b07c6e3e2500669030" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover wrap" style=" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;"> <div class="crayon-plain-wrap"><textarea class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;">
&lt;activity android:excludeFromRecents="true" android:label="@string/app_name" android:name="com.android.henbox.MainActivity" android:theme="@android:style/Theme.Translucent"&gt;
    &lt;intent-filter&gt;
        &lt;action android:name="android.intent.action.MAIN"/&gt;
        &lt;category android:name="android.intent.category.LAUNCHER"/&gt;
    &lt;/intent-filter&gt;
&lt;/activity&gt;</textarea></div> 
</div> <!-- [Format Time: 0.0003 seconds] --> <p><img class="aligncenter wp-image-67453 size-full lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/03/henbox_4.png" alt="henbox_4" width="421" height="702" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/03/henbox_4.png 421w, https://unit42.paloaltonetworks.com/wp-content/uploads/2018/03/henbox_4-180x300.png 180w, https://unit42.paloaltonetworks.com/wp-content/uploads/2018/03/henbox_4-370x617.png 370w" sizes="(max-width: 421px) 100vw, 421px" /></p> <p style="text-align: center;"><em>Figure 3 HenBox app installed and visible on Android's Launcher view</em></p> <p>Launching the app this way executes code that checks whether the device is manufactured by Xiaomi, or whether Xiaomi’s fork of Android is running on the device. Under these conditions the app continues executing, from which an intent to target Xiaomi devices and users could be inferred; however, poorly written code results in execution in more environments than perhaps intended. Further checks are made to ascertain whether the app is running on an emulator, perhaps to evade researcher analysis environments. Assuming these checks pass, one of the main ELF libraries is loaded that orchestrates other components and provides functionality to the app’s Dalvik code through the Java Native Interface (JNI).<br /> HenBox checks whether this execution is its first by using Android’s shared preferences feature to persist XML key-value pair data. If it is the first execution, and if the app’s path does not contain “/system/app” (i.e. HenBox is not running as a system app), another ELF library is loaded to aid with executing super-user commands.<br /> The second method uses intents, broadcasts, and receivers to execute HenBox code. 
Providing the app has registered an intent to process particular events from the system, and one of said events occurs, HenBox is effectively brought to life through external stimulus from another app on the system broadcasting a request, or the system itself broadcasting a particular event has occurred. These intents are typically defined statically in the app’s AndroidManifest.xml config file; some HenBox variants register further intents from their code at run-time. Once a matching intent is triggered, the respective Receiver code will be executed, leading to other HenBox behaviors being launched, which are described later. Table 4 below lists the intents that are statically registered in this HenBox variant’s AndroidManifest.xml config file, together with a description of what that intent does, and when it would be used. Depending on the intent triggered, one of two Receivers would be called, in this instance they are called Boot or Time but the name is somewhat immaterial.</p> <table class=" aligncenter" style="width: 718px;" width="750" align="center"> <tbody> <tr> <td style="width: 138px;">Receiver</td> <td style="width: 359px;">Intent Name</td> <td style="width: 201px;">Description</td> </tr> <tr> <td style="width: 138px;" rowspan="6">BootReceiver</td> <td style="width: 359px;">android.intent.action.BOOT_COMPLETED</td> <td style="width: 201px;">System notification that the device has finished booting.</td> </tr> <tr> <td style="width: 359px;">android.intent.action.restart</td> <td style="width: 201px;">A legacy intent used to indicate a system restart.</td> </tr> <tr> <td style="width: 359px;">android.intent.action.SIM_STATE_CHANGED</td> <td style="width: 201px;">System notification that the SIM card has changed or been removed.</td> </tr> <tr> <td style="width: 359px;">android.intent.action.PACKAGE_INSTALL</td> <td style="width: 201px;">System notification that the download and eventual installation of an app package is happening (this is deprecated)</td> 
</tr> <tr> <td style="width: 359px;">android.intent.action.PACKAGE_ADDED</td> <td style="width: 201px;">System notification that a new app package has been installed on the device, including the name of said package.</td> </tr> <tr> <td style="width: 359px;">com.xiaomi.smarthome.receive_alarm</td> <td style="width: 201px;">Received notifications from Xiaomi’s smart home IoT devices.</td> </tr> <tr> <td style="width: 138px;" rowspan="2">TimeReceiver</td> <td style="width: 359px;">android.intent.action.ACTION_TIME_CHANGED</td> <td style="width: 201px;">System notification that the time was set.</td> </tr> <tr> <td style="width: 359px;">android.intent.action.CONNECTIVITY_CHANGE</td> <td style="width: 201px;">System notification that a change in network connectivity has occurred, either lost or established. Since Android version 7 (Nougat), this information is gathered using other means, which perhaps implies that the devices used by potential victims run older versions of Android.</td> </tr> </tbody> </table> <p style="text-align: center;"><em>Table 4 HenBox variant's Intents and Receivers</em></p> <p>Most of the intents registered in the AndroidManifest.xml file, or registered at run-time, are commonly found in malicious Android apps. What’s more interesting, and much less common, is the inclusion of the com.xiaomi.smarthome.receive_alarm intent filter. Xiaomi, a privately owned Chinese electronics and software company, is the 5<sup>th</sup> largest smart phone manufacturer in the world and also manufactures IoT devices for the home. Most devices can be controlled by Xiaomi’s “MiHome” Android app, which is available on Google Play with between 1,000,000 and 5,000,000 downloads.<br /> Given the nature of connected devices in smart homes, it’s highly likely many of these devices, and indeed the controller app itself, communicate with one another, sending status notifications, alerts and so on. 
Such notifications would be received by the MiHome app or any other, such as HenBox, so long as they register their intent to do so. This could essentially allow for external devices to act as a trigger to execute the malicious HenBox code, or perhaps afford additional data HenBox can collect and exfiltrate.<br /> Either method to load HenBox ultimately results in an instance of a service being launched. This service hides the app from plain sight and loads another ELF library to gather environmental information about the device, such as running processes and apps, and details about device hardware, primarily through parsing system logs and querying running processes. The service continues by loading an ELF, created by Baidu, which is capable of tracking the device location before setting up a monitor to harvest phone numbers associated with outgoing calls for those numbers with a country code “+86” prefix, which relates to the People’s Republic of China.<br /> Further assets are decrypted and deployed, including another Dalvik DEX code file, which has various capabilities including registering itself as the incoming SMS handler for the device to intercept SMS messages, loading another ELF library that includes a version of BusyBox - a package containing various stripped-down Unix tools useful for administering such systems – and, interestingly, is capable of turning off the sound played when the device’s cameras take pictures.<br /> The Android permissions requested by HenBox, as defined in the apps’ AndroidManifest.xml files, range from accessing location and network settings to messages, call, and contact data. HenBox can also access sensors such as the device camera(s) and the microphone.<br /> Beyond the Android app itself, other components such as the aforementioned ELF libraries have additional data-stealing capabilities. 
One ELF library, libloc4d.so, handles amongst other things the loading of the app-decoded ELF library file “sux”, as well as handling connectivity to the C2.<br /> The sux library appears to be a customized super user (su) tool that includes code from the com.koushikdutta.superuser app and carries the equivalent of a super user (su) binary in order to run privileged commands on the system. The primary goal of sux appears to be to steal messages and other data from popular messaging and social media apps specified within the HenBox sample. Elevated privileges matter here because Android’s application sandbox otherwise prevents one app from reading another app’s private data directory. A similar tool, with the same filename, has been discussed in <a href="https://blog.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/">previous research</a> but the SpyDealer malware appears unrelated to HenBox. More likely, this is a case of common attack tools being re-used between different threat actor groups.<br /> This particular HenBox variant, as listed in Table 3 above, harvests data from two popular messaging and social media apps: Voxer Walkie Talkie Messenger (com.rebelvox.voxer) and Tencent’s WeChat (com.tencent.mm). These types of apps tend to store their data in databases and, as an example, HenBox accesses Voxer’s database from the file “/data/data/com.rebelvox.voxer/databases/rv.db”. 
Once opened, HenBox runs the following query to gather message information.</p>
<pre><code>select
messages.timestamp ,messages.sender,messages.body,profiles .first || profiles .last,profiles.profile_username
from
messages,conversations left join profiles on messages.sender=profiles.username
where
messages.thread_id=conversations .thread_id</code></pre>
<p>Not long after this variant was public, newer variants of HenBox were seen, and some had significant increases in the number of targeted apps. 
Table 5 describes the latest variant seen in AutoFocus.</p> <table align="center"> <tbody> <tr> <td width="199"><strong>SHA256</strong></td> <td width="133"><strong>Package Name</strong></td> <td width="81"><strong>App Name</strong></td> <td width="85"><strong>First Seen</strong></td> </tr> <tr> <td width="199">07994c9f2eeeede199dd6b4e760fce3<br /> 71f03f3cc4307e6551c18d2fbd024a24f</td> <td width="133">com.android.henbox</td> <td width="81">备份 (Backup)</td> <td width="85">January 3<sup>rd</sup> 2018</td> </tr> </tbody> </table> <p style="text-align: center;"><em>Table 5 Recent HenBox variant with updated functionality</em></p> <p>Table 6 contains an updated list of targeted apps from which this newer variant of HenBox is capable of harvesting data. Interestingly, the two communication apps described above as being targeted by the HenBox variant listed in Table 3 do not appear in this updated list.</p> <table align="center"> <tbody> <tr> <td width="195"><strong>Package Name</strong></td> <td width="301"><strong>App Name</strong></td> </tr> <tr> <td width="195">com.whatsapp</td> <td width="301">WhatsApp Messenger</td> </tr> <tr> <td width="195">com.pugna.magiccall</td> <td width="301">n/a</td> </tr> <tr> <td width="195">org.telegram.messenger</td> <td width="301">Telegram</td> </tr> <tr> <td width="195">com.facebook.katana</td> <td width="301">Facebook</td> </tr> <tr> <td width="195">com.twitter.android</td> <td width="301">Twitter</td> </tr> <tr> <td width="195">jp.naver.line.android</td> <td width="301">LINE: Free Calls &amp; Messages</td> </tr> <tr> <td width="195">com.instanza.cocovoice</td> <td width="301">Coco</td> </tr> <tr> <td width="195">com.beetalk</td> <td width="301">BeeTalk</td> </tr> <tr> <td width="195">com.gtomato.talkbox</td> <td width="301">TalkBox Voice Messenger - PTT</td> </tr> <tr> <td width="195">com.viber.voip</td> <td width="301">Viber Messenger</td> </tr> <tr> <td width="195">com.immomo.momo</td> <td width="301">MOMO陌陌</td> </tr> <tr> <td 
width="195">com.facebook.orca</td> <td width="301">Messenger – Text and Video Chat for Free</td> </tr> <tr> <td width="195">com.skype.rover</td> <td width="301">Skype; 3rd party stores only</td> </tr> </tbody> </table> <p style="text-align: center;"><em>Table 6 Targeted apps from a newer HenBox variant</em></p> <p>Most of these apps are well established and available on Google Play, however, com.skype.rover appears to be available only on third-party app stores. The same is likely to be the case for com.pugna.magiccall but this is unknown currently.<br /> It’s clear to see that the capabilities of HenBox are very comprehensive, both in terms of an Android app with its native libraries and given the amount of data it can glean from a victim. Such data includes contact and location information, phone and message activity, the ability to record from the microphone, camera, and other sensors as well as the capability to access data from many popular messaging and social media apps.</p> <p><span style="font-size: 18pt;">Infrastructure</span><br /> While investigating HenBox we discovered infrastructure ties to other malware families associated with targeted attacks against Windows users – notable overlaps included PlugX, Zupdax, 9002, and Poison Ivy. 
The overall image of these ties is below in Figure 5 and paints a picture of an adversary with at least 5 malware families in their toolbox dating back to at least 2015.<br /> <a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/03/henbox_5.png" rel="wpdevart_lightbox"><img class="aligncenter wp-image-67492 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/03/henbox_5.png" alt="Diagram of HenBox, related malware families and their shared C2 infrastructure" width="600" height="294" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/03/henbox_5.png 973w, https://unit42.paloaltonetworks.com/wp-content/uploads/2018/03/henbox_5-900x441.png 900w, https://unit42.paloaltonetworks.com/wp-content/uploads/2018/03/henbox_5-300x147.png 300w, https://unit42.paloaltonetworks.com/wp-content/uploads/2018/03/henbox_5-768x377.png 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2018/03/henbox_5-370x181.png 370w" sizes="(max-width: 600px) 100vw, 600px" /></a></p> <p style="text-align: center;"><em>Figure 5. HenBox and related malware and C2s</em></p> <p>The overlap between the HenBox and 9002 malware families Unit 42 has seen involves three shared C2s between several samples; the first IP below is used for more than half of the HenBox samples we have seen to date:</p> <ul> <li>47.90.81[.]23</li> <li>222.139.212[.]16</li> <li>lala513.gicp[.]net</li> </ul> <p>The overlaps between the HenBox, PlugX, Zupdax, and Poison Ivy malware families involve a web of shared C2s and IP resolutions centered around the below:</p> <ul> <li>59.188.196[.]172</li> <li>cdncool[.]com (and third-levels of this domain)</li> <li>www3.mefound[.]com</li> <li>www5.zyns[.]com</li> <li>w3.changeip[.]org</li> </ul> <p><span style="font-size: 18pt;">Ties to previous activity</span><br /> The registrant of cdncool[.]com also registered six other domains. 
To date, Unit 42 has seen four of the seven (the first three in the list below, along with cdncool[.]com) used in malicious activity and it is reasonable to assume the remaining three are or were intended to serve the same purpose.</p> <ul> <li>tcpdo[.]net</li> <li>adminsysteminfo[.]com</li> <li>md5c[.]net</li> <li>linkdatax[.]com</li> <li>csip6[.]biz</li> <li>adminloader[.]com</li> </ul> <p>Unit 42 published a <a href="https://blog.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/">blog</a> in July 2016 about 9002 malware being delivered using a combination of shortened links and a file hosted on Google Drive. The spear phishing emails had Myanmar political-themed lures and, if the 9002 C2 server responded, the Trojan sent system specific information along with the string “jackhex”. “jackhex” has also been part of a C2 for what is likely related Poison Ivy activity detailed below, along with additional infrastructure ties.<br /> The C2 for the aforementioned 9002 sample was logitechwkgame[.]com, which resolved to the IP address 222.239.91[.]30. At the same time, the domain admin.nslookupdns[.]com also resolved to the same IP address, suggesting that these two domains are associated with the same threat actors. In addition, admin.nslookupdns[.]com was a C2 for Poison Ivy samples associated with attacks on Myanmar and other Asian countries discussed in a <a href="https://www.arbornetworks.com/blog/asert/recent-poison-iv/">blog</a> published by Arbor Networks in April 2016. Another tie between the activity is the C2 jackhex.md5c[.]net, which was also used as a Poison Ivy C2 in the Arbor Networks blog. “jackhex” is not a common word or phrase and, as noted above, was also seen in the beacon activity with the previously discussed 9002 sample. 
Finally, since publishing the 9002 blog, Unit 42 has also seen the aforementioned 9002 C2 used as a Poison Ivy C2 with a Myanmar political-themed lure.<br /> In our 9002 blog we noted some additional infrastructure used either as C2s for related Poison Ivy samples, or domain registrant overlap with those C2 domains. When we published that blog Unit 42 hadn’t seen any of the three registrant-overlap domains used in malicious activity. Since then, we have seen Poison Ivy samples using third-levels of querlyurl[.]com, lending further credence to the assessment that the remaining two domains, gooledriveservice[.]com and appupdatemoremagic[.]com, are or were intended for malicious use. While we do not have complete targeting information associated with these Poison Ivy samples, several of the decoy files were in Chinese and appear to be part of a 2016 campaign targeting organizations in Taiwan with political-themed lures.</p> <p><span style="font-size: 18pt;">Conclusion</span><br /> Typically masquerading as legitimate Android system apps, and sometimes embedding legitimate apps within them, the malicious HenBox apps appear to have the primary goal of spying on those who install them. Using similar traits, such as copycat iconography and app or package names, victims are likely socially engineered into installing the malicious apps, especially when available on so-called third-party (i.e. non-Google Play) app stores which often have fewer security and vetting procedures for the apps they host. 
It’s possible, as with other Android malware, that some apps may also be available on forums, file-sharing sites or even sent to victims as email attachments, and we were only able to determine the delivery mechanism for a handful of the apps we have been able to find.<br /> The hosting locations seen for some HenBox samples, together with the nature of some embedded apps including: those targeted at extremist groups, those who use VPN or other privacy-enabling apps, and those who speak the Uyghur language, highlights the victim profile the threat actors were seeking to attack. The targets and capabilities of HenBox, in addition to the ties to previous activity using four different Windows malware families with political-themed lures against several different South East Asian countries, indicates this activity likely represents an at least three-year-old espionage campaign.</p> <p><strong><span style="font-size: 12pt;">Palo Alto Networks customers are protected by:</span></strong><br /> AutoFocus customers can investigate this activity using the following tag. To date we believe HenBox is not a shared tool, however, the remainder of malware used by these attackers is shared amongst multiple groups:</p> <ul> <li><a href="https://autofocus.paloaltonetworks.com/#/tag/Unit42.HenBox">HenBox</a></li> <li><a href="https://autofocus.paloaltonetworks.com/#/tag/Unit42.PoisonIvy">Poison Ivy</a></li> <li><a href="https://autofocus.paloaltonetworks.com/#/tag/Unit42.Zupdax">Zupdax</a></li> <li><a href="https://autofocus.paloaltonetworks.com/#/tag/Unit42.9002">9002</a></li> <li><a href="https://autofocus.paloaltonetworks.com/#/tag/Unit42.PlugX">PlugX</a></li> </ul> <p><span style="font-size: 18pt;">Android Hygiene</span><br /> <strong>Update: </strong>Keep installed apps updated. 
Much like patching Operating System and application files on PCs, Android and apps developed for the platform also receive security updates from Google and app developers to remove vulnerabilities and improve features, including security.<br /> <strong>Review: </strong>App permissions to see what the app is potentially capable of. This can be quite technical, but many permissions are named intuitively, describing whether they intend to access contacts, messages, or sensors, such as the device microphone or camera. If the permissions seem over the top compared to the described functionality, then don’t install. Also read the app and developer reviews to evaluate their trustworthiness.<br /> <strong>Avoid: </strong>Third-party app stores that may host pirated versions of paid apps from the Google Play app store; often such apps include unwanted extra features that can access your sensitive data or perform malicious behaviors. Also avoid rooting devices, if possible, as apps could misuse this power.</p> <p><span style="font-size: 18pt;">IOCs</span><br /> Most recent samples first:</p> <table align="center"> <tbody> <tr> <td width="248"><strong>sha256</strong></td> <td width="93"><strong>apk_package_name</strong></td> <td width="58"><strong>apk_app_name</strong></td> <td width="69"><strong>apk_app_name_en</strong></td> </tr> <tr> <td width="248">446734590904c5c44978e4646bbbc629d98236c16e29940b32100c1400aebc88</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">ea0786bfe145d8c763684a2fdf2eb878da29c1b6ae5aacd1a428c9ffead4bad8</td> <td width="93">com.android.vivibox</td> <td width="58">备份服务</td> <td width="69">Backup service</td> </tr> <tr> <td width="248">16bb6ff97999b838a40b66146ff4c39b9c95906f062c6fe1e3077e6e30171a4d</td> <td width="93">com.android.vivibox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td 
width="248">0fa384198ae9550e008e97fa38e8a56c4398fc91e12eddba713966bfed107130</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">e835e4907c9ff07a3a8281530552eaed97d9dea5b182d24a8db56335bad5213d</td> <td width="93">com.android.cicibox</td> <td width="58">备份服务</td> <td width="69">Backup service</td> </tr> <tr> <td width="248">9192602e5a3488c322025991ca7abcbdc8f916e08f279004a94cec8eb9f220b4</td> <td width="93">com.android.vivibox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">9b57ab06650a137a5962b85ca9ae719e9c3956d68938a6a2425dffe8d152941a</td> <td width="93">com.android.webbox</td> <td width="58">备份服务</td> <td width="69">Backup service</td> </tr> <tr> <td width="248">7bf0e70fb4ffca19880fecdeb7e7e5d0fb4681064a98c71056cbb29c80ed6119</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">51cfc1a658e63624706a6bb2ed2baa63c588e7ce499bd116a3d5752743fefb54</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">3417899195780c8186356d49bc53b600b3b0e49aae83d9aeb27e518b6964be04</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">f0fd8c5f4487df7592e5b7fa02f19f23d3ad43f5aaab84257cc560bf5ea76f1e</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">a6c1da9559d72563848802ed14a7421515009c2a0ffb85aab74c6e42584c222d</td> <td width="93">com.android.cicibox</td> <td width="58">备份服务</td> <td width="69">Backup service</td> </tr> <tr> <td width="248">bf0ab0362ee39191587921b75ab92bf6da12e377dbfdf4f7a053c1217841bdfc</td> <td width="93">com.android.vivibox</td> <td width="58">备份服务</td> <td width="69">Backup service</td> </tr> <tr> <td width="248">f5abd5e7e325f16df3e96ff55a19ebf524f40f9ade76003355eb1d68bc084006</td> <td 
width="93">com.android.vivibox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">201eca94a9e8023d021a2b4a1517c4e46cd01e3be323bc46660c1c6f42aa6abf</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">7b7887d4ad7cab0c53d6f8557bbdf616985f3434ba536a5683f6fba604151d04</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">4eb768b52b687de49c7da8845bbd7671e2e076fe64bf23596a409108ef3fbbbc</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">a7cfae9b12542b293d8265770a10946d422736d6f716af17f7b963603e422c51</td> <td width="93">com.jrzheng.supervpn.view</td> <td width="58">SuperVPN</td> <td width="69">SuperVPN</td> </tr> <tr> <td width="248">3c2109adf469bfc6c320ac824355f97a2b0f5ff01891d1affcd1a5b017c97195</td> <td width="93">com.android.webbox</td> <td width="58">备份服务</td> <td width="69">Backup service</td> </tr> <tr> <td width="248">2a7e456d2700ba13af48efdcf1f699bf51b6901a3ba5c80c009aaaca86235e5d</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">3d525435cbd88b4f1f97e32e2c6accf7855f4cc576ecbd87ad05a05ddd2d2f79</td> <td width="93">com.android.vivibox</td> <td width="58">备份服务</td> <td width="69">Backup service</td> </tr> <tr> <td width="248">5a999904b2f03263a11bcc077ad179333b431fb9e6e8090f371d975ba188e55e</td> <td width="93">com.android.cicibox</td> <td width="58">备份服务</td> <td width="69">Backup service</td> </tr> <tr> <td width="248">4d1e37e5840e8a4d5ae0f60cf33c593f595af200fbf998c3af809fd0c225c475</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">3cce965887d4677069cb9160d7c7c122087a5f434e095a9f0848c3e838bca9f5</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> 
<tr> <td width="248">8095cf4f6aec1983bd9f81ca85c1b27415e200b315f757613afb4f0334c99f0b</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">b098be6fd1859ee70ef123c59d5e2a1db435f990c9378b41af0c005f76ba24f2</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">56c1e23b12e83573440019084b9ce39f8f5ddd9d6de51edaf1f83e020fc648a0</td> <td width="93">com.android.cicibox</td> <td width="58">备份服务</td> <td width="69">Backup service</td> </tr> <tr> <td width="248">75fef2a0f05ae2ad971b01041fd3ed5ceacce306d78930bc2eba190c39799bc7</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">a3deca8203792d4b34242e8f5d0f7e2e3d054f08d74885ab7ff6f3a6f4b2578a</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">77b6e8cd1e6de9ee22bf0e9d735089ae24134ab955f0975d4febc9ed6b60af38</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">9f8909b1615aaa0fed38ad27162ccf3437e2eaa59cb0c990261c866f075c4113</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">7ffc1afd5749e7731f4161a6348205555e5892f1bd3446b6d0c5e7bbaa5917e3</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">a1644194faac76a1d49fd96b875a3f9026993e9f21f6dbc50dc59aeb5e7dac4b</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">2e4aa7777ba449071b90c0c13b803ddf6c6f10576eb9806acde6c3d1391db463</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">af2d44e36cc28727e29b0d9aecb4b17534a195faacbf4192ce1483a9bde65edc</td> <td 
width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">5010236b481d8d2ebc45ee95154f10ffbb317eced86401486f63276520049896</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">8de4e886b69046c2942e26d8b2f436695ca27060f6a74c797c620502f87887c9</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">fed084773542120fe77b880fc136bd20979cddc286b75b651d01aa6e32234b2d</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">43ce0c3e63de64f032ea7d4ca77c4b40b86d57e1d237f771b21c1f9c8f41eafb</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">6e1812f7bf313552bc60b6be5b46bdfd44582775e3cb19cf6a231a903aec508b</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">7774432c67f3d3688a1a1b21edc0a73d9d47990cc1f132663b0010ff4bbd6e87</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">59ca2754279d9cba40334c35907e2e1fc6fd2888b2c180e5b0b8d73accbb40f2</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">2c5934db000a2838d42cf705453e29d16f4d4bb462fa65e134ce78b4266cefee</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">e326501a0fb15bf19ac135f501b84caa2587d1fb2cad9e034f1756898686dab4</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">14f715228acff7d8bad057e4bf996635d76ab41ae25ca8a3f90196caeb241446</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td 
width="248">2be931f008a9ea62aa35091eb9a5629824e81499ce7a5219101ccd39a02ecdec</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">51db059a833377666f92f64ae1e926b83da8821876c66949e320b55c1a929ff8</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">dee79253deaaa57af0fddb2c8ec5d4cc0546dfe3c1d05c2916a44a37eef3d9f8</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">ec2e060ac633978b9b700aa95784255b9796f4fb51c188b1c79d5947df07bf98</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">a6c7351b09a733a1b3ff8a0901c5bdefdc3b566bfcedcdf5a338c3a97c9f249b</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">ae5598ccb3f2f31d2ec967808988a47d6ce4d1cd5e6808d1194ee93c6400039c</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">6f5e7f6ca2f25667d5fe55d7e8ec1b816d6db8b31cb28dff43b4f2f73d70ecdb</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">4cbb5a0d9b6f64dc9d8dd9aaac5651649e24b2cd7248eb9db32191102559ab9c</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">c375aad52c292b4d5c4efb02a33e2325a27f27158bb13c048f533a2a9d0837fb</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">779b09c61951818e5afb47c369fe9b5fa7b7f6139f589f14b3042b2ac96809d8</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">7ba216b88f84c9a0ce90ca5500ddc2e80100b23ef3784d133b69870768f1e3bc</td> <td width="93">com.android.henbox</td> <td 
width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">077239b3bedaa850b82204fdd42e5e45fedc3dfc2f6da5aab04d768370e990fa</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">be548c26d0863b812948a16f982e96557319346fad897f67dc7873108203fdce</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">54366ee485b43cea10624d62247a48b12c1ce35c49295491f7fbb6323c68da7b</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">51714b8f34db94cbd8916374af4d8e63b56ef41fa819d2d697f1a3975a32960e</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">48f38b671847bfba3810b74d1d815c2bb4cc94392b98e1f59f95e748eb410465</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">d0e58c3e9d881f875532d1bb8bee63e4ac8728458708361f754db97fba6be22e</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">8b78f469f3eda0cb02cfbf5598f0a7449cb63b7181d7fd5037ebb9cb8aff30a4</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">49556e972a35c9d592bf64ab37056f6da356b2061c1ce269d9c3af73978756d9</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">1d4dadae0c696fde2fef99eb99188509dc0d5fbac7ee07d4f0d5a92dcc922ad7</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">3c62d00a9740c49cf01fb7635260ff71e0ac44cf80da749ca4101869120f2233</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td 
width="248">993692d5540c40614f4da430cf4cea64a7e0e7f950452abae19bf608afdf20a6</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">3e026154767b6a101d3a852946e9eb3ed1c96662490afe9b601469a8459e325b</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">6a518d29232d3f68aa5c78df4a8d212f924e03379dc2be0a388b3118779fe583</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">70512a566f33c636ad071d18e82db89f9531a6133be89b7d3f18fc9f7730b078</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">53238af90efd8531686432245c516db04cd163584a811d6e5835a42fe738fbab</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">2f2277898f34a91a365f1a090d72678768c5e420c8350f340cc4b4602cd8a710</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">b48edd2270b1aeb014291eb3ac2aaa1d4b7ee4694965d0de2c0978b2feae946d</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">45e7dc9c0e33d4754384365a60604c66d72356a994cbed8e8eab8796cf1579e2</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">a1e465d905434d5dae3bb7acb7c148ef8ed0d341a6d9121d09adbc126cc3a907</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">4d437d1ac29b1762cc47f8094a05ab73141d03f9ce0256d200fc691c41d1b6e7</td> <td width="93">cn.android.setting</td> <td width="58">islamawazi</td> <td width="69">islamawazi</td> </tr> <tr> <td width="248">d29646f2c665ef91c360e24242c634ee9051d4ab01cb8f87265088e47f41d690</td> <td width="93">com.android.henbox</td> <td 
width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">2345a56d61e052af3265ee0fae47b22f1551ede4eee45bca30ad5fb9fac7a922</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">44388ec38ee36177d6804d778ee554b2d063db3b88d7480eca6587ff68a15982</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">286bd20f3ea944703c8c87e66708d6b32046a640863afba7f3c4c72dc28d37d1</td> <td width="93">cn.android.seting</td> <td width="58">设置</td> <td width="69">Setup</td> </tr> <tr> <td width="248">7f28caeaa484496f85c80580cd88671961149aae2295c8777becb2970455504c</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">89ef65813bccb8197da4af68ba8f9e8e123f3aad4ed41736f8039ad2c6817a25</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">1749df47cf37c09a92b6a56b64b136f15ec59c4f55ec835b1e569c88e1c6e684</td> <td width="93">cn.android.setting</td> <td width="58">设置</td> <td width="69">Setup</td> </tr> <tr> <td width="248">5f16c23f92a10de59efc9a081e0c79458faa3fabb24a1356dbfff7cea8611a3e</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">66eec9ffa2906e56656e649d5b632526e829d7142a75cd27a006bf82775e8c45</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">a728c653b9c7be4b058eff329afb826db755fdddc4e10ba67191816db7dbeac0</td> <td width="93">cn.android.setting</td> <td width="58">爱奇艺</td> <td width="69">IQIYI</td> </tr> <tr> <td width="248">c4ee98d58d38f6109d843955277f1a37bfb138a14113c6cb38bcb6eb857d4977</td> <td width="93">cn.android.setting</td> <td width="58">设置</td> <td width="69">Setup</td> </tr> <tr> <td width="248">577ed81e07b62d9c363c505271d1f2a81592a69e1a60a82fbe8fff16e7d3419d</td> 
<td width="93">cn.android.setting</td> <td width="58">设置</td> <td width="69">Setup</td> </tr> <tr> <td width="248">b8f785a6581bf438b1947e498b8f2255607440347d8f8b5cb31f3b98427330e6</td> <td width="93">cn.android.setting</td> <td width="58">设置</td> <td width="69">Setup</td> </tr> <tr> <td width="248">5a3c44a6e8c8e02e69caa430f41ec80b94740d099bbcfbf39cf08280fc6e16bb</td> <td width="93">com.android.henbox</td> <td width="58">WJ VPN</td> <td width="69">WJ VPN</td> </tr> <tr> <td width="248">184e5cbebef4ee591351cfaa1130d57419f70eb95c6387cb8ec837bd2beb14d6</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">efa3cd45e576ef8ab22d40fc9814456d06a6eeeaeada829c16122a39cb101dbf</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">9d85be32b54398a14abe988d98386a38ce2d35fff91caf1be367f7e4b510b054</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">a8ea1140a739b2aeeb838d7fe2c073cb834bce46db22071022bd181a59422af1</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">80a35bcbce326d05dd74ed05560db41a0f9471c4922fc9fe88d0b1a94c3cb1ae</td> <td width="93">cn.android.setting</td> <td width="58">设置</td> <td width="69">Setup</td> </tr> <tr> <td width="248">0e31575bf0001d818d87aa134e728f62e7f2d27ff9437897303eb8ae1962a865</td> <td width="93">cn.android.setting</td> <td width="58">设置</td> <td width="69">Setup</td> </tr> <tr> <td width="248">d3dd162e7dee6022826e7fef23cb84f17a948d2761013a09943f165f378197e0</td> <td width="93">cn.android.setting</td> <td width="58">设置</td> <td width="69">Setup</td> </tr> <tr> <td width="248">3b345ffe7fac9aef0c9e0be3f01e8f9e1f3e0442849cc0e3f979b9866465b6bc</td> <td width="93">cn.android.setting</td> <td width="58">设置</td> <td width="69">Setup</td> </tr> <tr> <td 
width="248">0a4f38a83abbbab3a039be95862df7848f28513baa1da52a74a9e6a31f63c9b7</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">a267176bdc1779b19fde2e38f5f062478e8cf173582e38a26538512d64d85ecd</td> <td width="93">cn.android.setting</td> <td width="58">设置</td> <td width="69">Setup</td> </tr> <tr> <td width="248">7603126f04e9e7cff828aabc060349d6dfbd76e795df7b0e798b3b0914ad13a0</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">1da0e30b4b2ad2626a3f069f0f50f81d29b789d41385db26d7c84da3af02cd1c</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">ddea532ef46abb9bfa77acdbd38155d9a92381f777fe4c797967203578aa0966</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">a89bdb4fd54b9488fd6f2685a4dcfa1c106d4ac9f9fb8f8992e557e306184f1a</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">b0bbcee232f27a1b366f8a7ed1d2c3056f9a67fa70e42c1fa7cfb7c778df8cb5</td> <td width="93">cn.android.setting</td> <td width="58">设置</td> <td width="69">Setup</td> </tr> <tr> <td width="248">bf16b9f012e1a0724f95a0e61a8748be3c9fc3fe3bb5a82bf3efd9b8211591fb</td> <td width="93">cn.android.setting</td> <td width="58">设置</td> <td width="69">Setup</td> </tr> <tr> <td width="248">ad5a6b9ca0389c458dde73a456404634eec473cf5833914c7466af41e23b6ea9</td> <td width="93">cn.android.setting</td> <td width="58">设置</td> <td width="69">Setup</td> </tr> <tr> <td width="248">a5d9efae12c9e5913156b5415581678748bdeed25a5767438afadc869d25e0d4</td> <td width="93">cn.android.setting</td> <td width="58">设置</td> <td width="69">Setup</td> </tr> <tr> <td width="248">b5598c4a26f3b4a143a413c46935f0506afd7e400ecf4c6ca05595e83d8dc2c7</td> <td width="93">cn.android.setting</td> <td width="58">设置</td> 
<td width="69">Setup</td> </tr> <tr> <td width="248">4f6173659e2c23835228f2e05daacecb618c099878d0028dd9a52b9682de2ac4</td> <td width="93">cn.android.setting</td> <td width="58">无秘</td> <td width="69">No secret</td> </tr> <tr> <td width="248">7d8a47cda9367ee31ebf58dd226afc583b34a73476ed5ff1b2b3f2460cd4c339</td> <td width="93">cn.android.setting</td> <td width="58">uyhl</td> <td width="69">uyhl</td> </tr> <tr> <td width="248">b34b09d7b4bee3125ea9b27c128c4239c78d3be95d9d5dff73c68e479353db5b</td> <td width="93">cn.android.setting</td> <td width="58">设置</td> <td width="69">Setup</td> </tr> <tr> <td width="248">b3413e09ceecc305187d08007ea86f654a451952807e37b8f2dcd14a8127042a</td> <td width="93">cn.android.setting</td> <td width="58">设置</td> <td width="69">Setup</td> </tr> <tr> <td width="248">718bab91ba29791a494c31783b64ce1fe3d78bcdd6a6f909588e198fbea3b3cf</td> <td width="93">cn.android.setting</td> <td width="58">设置</td> <td width="69">Setup</td> </tr> <tr> <td width="248">de9d1c68ef9df6dd72455f50d1cdffd76e24a501bbbaa3cacc4aedb74b2f743d</td> <td width="93">cn.android.setting</td> <td width="58">探探</td> <td width="69">Explore</td> </tr> <tr> <td width="248">55e65d1fba82a21b0ee52435be890279cf7ae747abba7f448a6547ba2ed9666e</td> <td width="93">cn.android.setting</td> <td width="58">设置</td> <td width="69">Setup</td> </tr> <tr> <td width="248">801d54f829668487c2ed28dc56beb6f156a6100a3be12805e1104fb9f68f6a00</td> <td width="93">cn.android.setting</td> <td width="58">设置</td> <td width="69">Setup</td> </tr> <tr> <td width="248">3ffa8ef36934420b08e4139385400da774f61cabe000557ff025af650f2964bb</td> <td width="93">cn.android.setting</td> <td width="58">设置</td> <td width="69">Setup</td> </tr> <tr> <td width="248">8b4e60160089b6af71e3c555c4bdaa9344b76a5f0dfd1ecc3a6e8c23f0940b2a</td> <td width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">b779a7a05c226a14c2f4bad1f22c493a2a9de8b988b01602fbe60d1f6dc2ba8c</td> <td 
width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">4a8c5194183f2a5b593654a29213c6f705f083ddbbff10a0bb1e7695c66a0f89</td> <td width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">775c2dbf6dd7423bd098b216bd6dcf11104e885e451fa95ae64dc18fb54a34c7</td> <td width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">228d1c80a92641c6ba9c9d1e68146e9bb66f02605135c2603db3ace692cc05f2</td> <td width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">4ecf03a1eaa0255340a41e48728be1d50dab724b72f9096a1f537fa578e76d17</td> <td width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">8a28fed36cf0d8640c7086770614e33d3788200bc7b0b408873873cd17e31653</td> <td width="93">com.android.henbox</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">35b1f11a97dd5c05c87328e2ed4ae5776b84d3ce6cf4cdbc2faa1865dab2e09b</td> <td width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">bb91d7bbea783bacd57a92691ebcbb449d9606f2f3bbb77538ec751a8b01d8a9</td> <td width="93">com.android.henbox</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">011509bb9cde31c0b45c49747ff150abcfa66d283ff986f167bf564bacfded4d</td> <td width="93">com.android.henbox</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">da6d75e996b0bafad782d87c809269ef5ccfa62c938039790333f0f2b4ecafe3</td> <td width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">eb31fc24f727bc6f25b7a90dc86c127099384398b7182ae52d3fe23950e9ed8c</td> <td width="93">com.android.henbox</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">6d441e6b75fa0ea1880937d7c94dbd1caaa210915d386dfb5a01ca22fd813d28</td> <td 
width="93">com.android.henbox</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">c153ed3b2ae96cb2ec55294f89180302f89e9dbca6a192eec7bd4f3591b8252e</td> <td width="93">cn.android.seting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">2510aa8736c5462e8784f1cf494716bb923f97645899c73c56ead1ff58b35499</td> <td width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">0bfbbca56718b5bae7e21613a9884ea80db53aa1eca9cacf5a793e52f6a724e7</td> <td width="93">com.android.henbox</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">e9da842ccf4a681226577c26e2becea079080a4b6838171c06bb358db132bc5e</td> <td width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">20fcff9826373d50abe813d3cb0272bf7b65617196cd4ac8d4646b8fd3256bea</td> <td width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">0387baebb2b0c678e46e7291325e91118c53a3206d73c1145c082b10cf6a65f1</td> <td width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">0efaf91842a7e45562e97bda369efa6e14f98bf9d63782ec9c323fa246da549a</td> <td width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">cdbd4b98625c4766cbf72f69ce951faf49a13394ea85e7a23188e70a209609be</td> <td width="93">cn.android.seting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">d4ef4bdea69a248f9792211c4d52882ad6262f7223fc1aa9f328abe50412669f</td> <td width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">3db36dc3b21dbd0a9037cda21606d37c1a1dd493346e00e36231a252a14446d6</td> <td width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">92c5fdf61b378e5252b0eb70a5cfd7af2d27c915aece48e32b9c2ba04a5fa5b3</td> <td 
width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">740a54e1f89cb321d13396987fd26d52c6c66c49894283c6d9889156e063ecb3</td> <td width="93">com.android.henbox</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">7f76f102ab233528ce3cb111ae3b026cf16b3233c6bf3002de8a0daea3ebc0d7</td> <td width="93">com.android.henbox</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">153794e424eceaba48e28e7f3333ab0c9c7addeda1c5de7835b191f5f25e4e34</td> <td width="93">com.android.henbox</td> <td width="58">备份</td> <td width="69">Backup</td> </tr> <tr> <td width="248">a1bf2f3fcac9d1aae94eb7a6dc37be00185e102e504032f4ffa391ddbd4bd353</td> <td width="93">com.android.henbox</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">444e73bd1020d08dc2901a041d675db1060815914024855daeddbc201e3ad4ee</td> <td width="93">com.android.henbox</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">f88c84156d8e9fdec6f5c400135277ecd03e4b1d95e7d3b6f5b8c8a77eeb055f</td> <td width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">2782265ddd3a0d94d4f2622366b3401002dcfe1a9b99b7cbf6d5e824ff14d728</td> <td width="93">com.android.henbox</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">efff4243b6143c937509f52dbe7c4e40ceb2eb226f7cc1c96d8cf9f287668e37</td> <td width="93">cn.android.setting</td> <td width="58">设置</td> <td width="69">Setup</td> </tr> <tr> <td width="248">000473f7168ebda3de054a126352af81b61dd0be462ae9b3c7ccc0bc5cea7986</td> <td width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">6f0de72ee2df4206102c1ff93955fef07cee84a1ba280ef3eda3db9a7eafb22e</td> <td width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">2f7aa05b16d870d34feb1faa62bbfb9c5cffd4a52ea094c66657887b7c7046d4</td> <td 
width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">198ff17259ad377fae62ca49daaed0d9313831d5a12b16a79dd54045eb6909b8</td> <td width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">88c08e7084d4e0db14fc5fec6c906ff89e68b54df09096d49573b1906dd1ecd2</td> <td width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">5fff623781636b2af95327293f246e0d83b90012f067a8c9e6c2b5869e606465</td> <td width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">a26802ebe8ad4dc076becbc18b32a825cf057ff2059a0742ece86afe6fcb496c</td> <td width="93">com.android.henbox</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">e0427ca401d68c347ef14f65a94735f76238f59710d99c4097e51da23cbb2a6d</td> <td width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">cf36fb6f2d4029876f50d6a1eb9eafb13eb0bc6a57e179172ffe67a305f33c41</td> <td width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">d68070f75341ce070b11a4ecda28d80a85303fa102fb4cb84c3dcbf97863bcc5</td> <td width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">60adc526a1bfa8df150c25016d220544671a62820493b66a8467436181b8d224</td> <td width="93">cn.android.setting</td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">0589bed1e3b3d6234c30061be3be1cc6685d786ab3a892a8d4dae8e2d7ed92f7</td> <td width="93">com.android.henbox</td> <td width="58">DroidVPN</td> <td width="69">DroidVPN</td> </tr> <tr> <td width="248">f28761f897e3a0e1dcdb0a993076a1cc48a1b17361d3f401aa917406332a79f1</td> <td width="93"></td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">fa5a76e86abb26e48af0b312f056d24000bc969835c40b3f98e5ca7e301b5bee</td> <td 
width="93">com.android.henbox</td> <td width="58">Uyghurche Kirguzguch</td> <td width="69">Uyghurche Kirguzguch</td> </tr> <tr> <td width="248">5808df07cedf15451ab0984e9c60b077602de258319d48cf88b0cc4ca7bb57a0</td> <td width="93"></td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">b0e0d35649d6e5405d051580d0c2a7ca5d3eb58f38bd51d0b8b7b98813256ea1</td> <td width="93"></td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">2db13b0cdede04b1b050744114e6c849e5e527b37bcd22984b265dff874dd411</td> <td width="93"></td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">c6117397a54a1c2fda6efe40b1a209c14834f9ecb82136e06174c16644a59657</td> <td width="93"></td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">ed35dab84aa4de72e782aef8cead90688d5c664de878207488828ed16902e828</td> <td width="93"></td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">2a7ab147d9e7c7f5349f5f929a2f955fb03b376d29d02d5a41d5e6da31d7cdcf</td> <td width="93"></td> <td width="58"></td> <td width="69">0</td> </tr> <tr> <td width="248">f3d04a7f77498acec86efc8d372c4d6eac591d8030f0a867ab856074e4da1fe6</td> <td width="93"></td> <td width="58"></td> <td width="69">0</td> </tr> </tbody> </table> <p><strong>Poison Ivy</strong><br /> <span style="font-family: 'courier new', courier, monospace;">d3d5a43a2a4f054d41acf6d5f5c1d4d87c7027d880172c3167eaa19f99db43db</span><br /> <span style="font-family: 'courier new', courier, monospace;">dfcff48fb7ad43940c46430a4cd28d52564ea9b6e40a23ff4324da919a5fb783</span><br /> <span style="font-family: 'courier new', courier, monospace;">12759f7fd01ffdea97954be5404d7e43a3941a7388129e7b6ace85f56b500cd8</span><br /> <span style="font-family: 'courier new', courier, monospace;">26c0349af2b5ffebd01d86eff16a0158bb3ceba9ecb04a0c0bd442bc5736328d</span><br /> <span style="font-family: 'courier new', courier, 
monospace;">ac8fc264c7ec3cf70836e1bb21f9a20174b04ad49731b8797d7d8bb95cb353e2</span><br /> <span style="font-family: 'courier new', courier, monospace;">3d714e1c02c4baf37008fb2537b02c0c1f524fa49263f3400f97f9ef12f2c907</span><br /> <span style="font-family: 'courier new', courier, monospace;">58246d040c79c2a75729511f09b09ae709fbfbaa0bad6e72751a586f7b37ec5e</span><br /> <span style="font-family: 'courier new', courier, monospace;">c9be192a5acfc3b416dbd3fa800fa63851b3440d4187961978b33cef21aeaaeb</span><br /> <span style="font-family: 'courier new', courier, monospace;">98f16b65b8acd4610077edd92dcb090e3d97f427dbb621827096071ed333b7b4</span><br /> <span style="font-family: 'courier new', courier, monospace;">7cdd37ef4a45afa1b85c87f2a778cf8a7482f7beeee5178856d2f4acfa841135</span><br /> <span style="font-family: 'courier new', courier, monospace;">c9be192a5acfc3b416dbd3fa800fa63851b3440d4187961978b33cef21aeaaeb</span><br /> <span style="font-family: 'courier new', courier, monospace;">14e2e6bbcc68650bfd7c1eb374401eb606c7417dfae7bebb4bf86909e2ff524d</span><br /> <span style="font-family: 'courier new', courier, monospace;">6a5998faa2be7d8b44f23cd5e02c9e3fa4a22bdba32e4663780aa035bddef239</span><br /> <span style="font-family: 'courier new', courier, monospace;">b45e4ac7a790a7c6364cd93e371e548756f621028380c850059954340c0f13dc</span><br /> <span style="font-family: 'courier new', courier, monospace;">b82785a6d488798c43f9dba0dd3f6cf8a4b03b308203452f641456dde09bedd8<strong> </strong></span></p> <p><strong>PlugX</strong><br /> <span style="font-family: 'courier new', courier, monospace;">45c64508382f41056bed1a6d95927225791fe8fcd8ee9a9a133968b93c19e39f</span></p> <p><strong>9002</strong><br /> <span style="font-family: 'courier new', courier, monospace;">b2966c2702285d2cad851bae72fe22136d7975a2a50b43a855447703146c63f0</span><br /> <span style="font-family: 'courier new', courier, monospace;">1b168603010e5179d001f78e47176296776938dde2351ca2250f2977eff043d0</span><br /> <span 
style="font-family: 'courier new', courier, monospace;">c11b963e2df167766e32b14fb05fd71409092092db93b310a953e1d0e9ec9bc3</span></p> <p><strong>Zupdax</strong><br /> <span style="font-family: 'courier new', courier, monospace;">ce0a078d12698cfca9c4a00dcb6cb2425956538f271e6a151a0e646677ed4ae9</span><br /> <span style="font-family: 'courier new', courier, monospace;">ffc3f886d142c5df35b8eb1c2aee77e553a74657b6054e596e8347b4f0c0975e</span></p> <p><strong>Domains and IPs</strong><br /> <span style="font-family: 'courier new', courier, monospace;">60.191.57[.]35</span><br /> <span style="font-family: 'courier new', courier, monospace;">47.90.81[.]23</span><br /> <span style="font-family: 'courier new', courier, monospace;">222.139.212[.]16</span><br /> <span style="font-family: 'courier new', courier, monospace;">59.188.196[.]172</span><br /> <span style="font-family: 'courier new', courier, monospace;">222.239.91[.]30</span><br /> <span style="font-family: 'courier new', courier, monospace;">work.andphocen[.]com</span><br /> <span style="font-family: 'courier new', courier, monospace;">andphocen[.]com</span><br /> <span style="font-family: 'courier new', courier, monospace;">w3.ezua[.]com</span><br /> <span style="font-family: 'courier new', courier, monospace;">lala513.gicp[.]net</span><br /> <span style="font-family: 'courier new', courier, monospace;">logitechwkgame[.]com</span><br /> <span style="font-family: 'courier new', courier, monospace;">www5.zyns[.]com</span><br /> <span style="font-family: 'courier new', courier, monospace;">www3.mefound[.]com</span><br /> <span style="font-family: 'courier new', courier, monospace;">w3.changeip[.]org</span><br /> <span style="font-family: 'courier new', courier, monospace;">admin.nslookupdns[.]com</span><br /> <span style="font-family: 'courier new', courier, monospace;">cdncool[.]com</span><br /> <span style="font-family: 'courier new', courier, monospace;">dns.cdncool[.]com</span><br /> <span style="font-family: 'courier 
new', courier, monospace;">tcpdo[.]net</span><br /> <span style="font-family: 'courier new', courier, monospace;">3w.tcpdo[.]net</span><br /> <span style="font-family: 'courier new', courier, monospace;">md5c[.]net</span><br /> <span style="font-family: 'courier new', courier, monospace;">jackhex.md5c[.]net</span><br /> <span style="font-family: 'courier new', courier, monospace;">up.outhmail[.]com</span><br /> <span style="font-family: 'courier new', courier, monospace;">outhmail[.]com</span><br /> <span style="font-family: 'courier new', courier, monospace;">queryurl[.]com</span><br /> <span style="font-family: 'courier new', courier, monospace;">update.queryurl[.]com</span><br /> <span style="font-family: 'courier new', courier, monospace;">re.queryurl[.]com</span><br /> <span style="font-family: 'courier new', courier, monospace;">mail.queryurl[.]com</span><br /> <span style="font-family: 'courier new', courier, monospace;">adminsysteminfo[.]com</span><br /> <span style="font-family: 'courier new', courier, monospace;">info.adminsysteminfo[.]com</span></p> </div> <!--<span class="post__date">Updated 18 January, 2019 at 1:13 PM PST</span>-->
</li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/data-exfiltration/" title="data exfiltration" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:TA Phone Home: EDR Evasion Testing Reveals Extortion Actor&#039;s Toolkit:data exfiltration">Data exfiltration</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/" title="TA Phone Home: EDR Evasion Testing Reveals Extortion Actor&#039;s Toolkit" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:TA Phone Home: EDR Evasion Testing Reveals Extortion Actor&#039;s Toolkit:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/03_Nation-State-cyberattacks_1920x900-786x368.jpg" class="lozad" alt="Pictorial representation of a campaign like Contagious Interview. Digital graphic of a glowing globe with network connections and data streams, symbolizing global connectivity and technology advancements." 
decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/03_Nation-State-cyberattacks_1920x900-786x368.jpg 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/03_Nation-State-cyberattacks_1920x900-1493x700.jpg 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/03_Nation-State-cyberattacks_1920x900-768x360.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/03_Nation-State-cyberattacks_1920x900-1536x720.jpg 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/03_Nation-State-cyberattacks_1920x900.jpg 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware:Threat Research"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-threat-research.svg" alt=" category icon">Threat Research</span></a> <span class="post-pub-date"><time datetime="2024-10-09T10:00:54+00:00">October 9, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware"> <h4 class="post-title">Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a 
href="https://unit42.paloaltonetworks.com/tag/north-korea/" title="North Korea" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware:North Korea">North Korea</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/social-engineering/" title="social engineering" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware:social engineering">Social engineering</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/python/" title="Python" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware:Python">Python</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/" title="Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" 
data-card-link="https://unit42.paloaltonetworks.com/machine-learning-new-swiss-army-suite-tool/" data-video-cta-tracking="unit42-henbox-chickens-come-home-roost:related-resources:Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning:card:video-modal:Read the article" data-video-title="Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning"> <div class="card-media has-video" data-video="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Tutorial_Category_1505x922.jpg"> <figure> <img width="718" height="440" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Tutorial_Category_1505x922-718x440.jpg" class="lozad" alt="A pictorial representation of machine learning detecting vulnerability scanning. A Black man using a tablet with a background of illuminated city buildings at night." decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Tutorial_Category_1505x922-718x440.jpg 718w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Tutorial_Category_1505x922-1143x700.jpg 1143w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Tutorial_Category_1505x922-768x470.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Tutorial_Category_1505x922.jpg 1505w" sizes="(max-width: 718px) 100vw, 718px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning:Threat Research"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-threat-research.svg" alt=" category icon">Threat Research</span></a> <span 
class="post-pub-date"><time datetime="2024-10-01T10:00:05+00:00">October 1, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/machine-learning-new-swiss-army-suite-tool/" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning"> <h4 class="post-title">Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/machine-learning/" title="Machine Learning" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning:Machine Learning">Machine Learning</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/machine-learning-new-swiss-army-suite-tool/" title="Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/06_Malware_Category_1920x900-786x368.jpg" class="lozad" alt="Pictorial representation of keylogger malware like KLogEXE and FPSpy. 
Person working on a laptop with lines of code displayed on the screen, with a blurred effect indicating motion or activity, surrounded by a vivid blue and red lighting." decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/06_Malware_Category_1920x900-786x368.jpg 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/06_Malware_Category_1920x900-1493x700.jpg 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/06_Malware_Category_1920x900-768x360.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/06_Malware_Category_1920x900-1536x720.jpg 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/06_Malware_Category_1920x900.jpg 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-actor-groups/" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy:Threat Actor Groups"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/07/threat-actor-groups.svg" alt=" category icon">Threat Actor Groups</span></a> <span class="post-pub-date"><time datetime="2024-09-26T10:00:51+00:00">September 26, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy"> <h4 class="post-title">Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/mitre/" title="MITRE" role="link" data-page-track="true" 
data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy:MITRE">MITRE</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/keylogger/" title="Keylogger" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy:Keylogger">Keylogger</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/north-korea/" title="North Korea" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy:North Korea">North Korea</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/" title="Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Malware_Category_1920x900-786x368.jpg" class="lozad" alt="Pictorial representation of SnipBot. Digital abstract background featuring binary code and technology symbols with a blue glow in the shape of a skull." 
decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Malware_Category_1920x900-786x368.jpg 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Malware_Category_1920x900-1493x700.jpg 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Malware_Category_1920x900-768x360.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Malware_Category_1920x900-1536x720.jpg 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Malware_Category_1920x900.jpg 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Inside SnipBot: The Latest RomCom Malware Variant:Threat Research"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-threat-research.svg" alt=" category icon">Threat Research</span></a> <span class="post-pub-date"><time datetime="2024-09-23T21:00:55+00:00">September 23, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Inside SnipBot: The Latest RomCom Malware Variant"> <h4 class="post-title">Inside SnipBot: The Latest RomCom Malware Variant</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/backdoor/" title="backdoor" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Inside SnipBot: The Latest RomCom Malware Variant:backdoor">Backdoor</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/romcom/" title="RomCom" 
role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Inside SnipBot: The Latest RomCom Malware Variant:RomCom">RomCom</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/" title="Inside SnipBot: The Latest RomCom Malware Variant" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Inside SnipBot: The Latest RomCom Malware Variant:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/08_Security-Technology_Category_1920x900-786x368.jpg" class="lozad" alt="A pictorial representation of a red team tool like Splinter. A digital illustration showing a 3D brain model surrounded by rising data columns on a circuit board, representing advanced artificial intelligence technology." 
decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/08_Security-Technology_Category_1920x900-786x368.jpg 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/08_Security-Technology_Category_1920x900-1493x700.jpg 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/08_Security-Technology_Category_1920x900-768x360.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/08_Security-Technology_Category_1920x900-1536x720.jpg 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/08_Security-Technology_Category_1920x900.jpg 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool:Threat Research"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-threat-research.svg" alt=" category icon">Threat Research</span></a> <span class="post-pub-date"><time datetime="2024-09-19T10:00:43+00:00">September 19, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/analysis-pentest-tool-splinter/" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool"> <h4 class="post-title">Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/red-teaming-tool/" title="red teaming tool" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Discovering 
Splinter: A First Look at a New Post-Exploitation Red Team Tool:red teaming tool">Red teaming tool</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/pentest-tool/" title="pentest tool" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool:pentest tool">Pentest tool</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/analysis-pentest-tool-splinter/" title="Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/word-image-449925-135181-16-786x368.png" class="lozad" alt="Pictorial representation of APT groups from North Korea. The silhouette of two fish and the Pisces constellation inside an orange abstract planet, surrounded by two larger blue fish. Abstract, stylized cosmic setting with vibrant blue and purple shapes, representing space and distant planetary bodies." 
decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/word-image-449925-135181-16-786x368.png 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/word-image-449925-135181-16-1493x700.png 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/word-image-449925-135181-16-768x360.png 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/word-image-449925-135181-16-1536x720.png 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/word-image-449925-135181-16.png 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-actor-groups/" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors:Threat Actor Groups"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/07/threat-actor-groups.svg" alt=" category icon">Threat Actor Groups</span></a> <span class="post-pub-date"><time datetime="2024-09-18T21:00:59+00:00">September 18, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors"> <h4 class="post-title">Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/python/" title="Python" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Gleaming Pisces Poisoned 
Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors:Python">Python</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/cryptocurrency/" title="Cryptocurrency" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors:Cryptocurrency">Cryptocurrency</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/north-korea/" title="North Korea" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors:North Korea">North Korea</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/" title="Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/Pisces-NK-A-1920x900-1-786x368.png" class="lozad" alt="Illustrative image featuring two fish and the Pisces constellation superimposed on a stylized, abstract background with flowing purple waves and a starry night sky." 
decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/Pisces-NK-A-1920x900-1-786x368.png 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/Pisces-NK-A-1920x900-1-1493x700.png 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/Pisces-NK-A-1920x900-1-768x360.png 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/Pisces-NK-A-1920x900-1-1536x720.png 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/Pisces-NK-A-1920x900-1.png 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/top-cyberthreats/" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Threat Assessment: North Korean Threat Groups:High Profile Threats"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/07/top-threats.svg" alt=" category icon">High Profile Threats</span></a> <span class="post-pub-date"><time datetime="2024-09-09T22:00:58+00:00">September 9, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Threat Assessment: North Korean Threat Groups"> <h4 class="post-title">Threat Assessment: North Korean Threat Groups</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/north-korea/" title="North Korea" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Threat Assessment: North Korean Threat Groups:North Korea">North Korea</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/remote-access-trojan/" title="Remote 
Access Trojan" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Threat Assessment: North Korean Threat Groups:Remote Access Trojan">Remote Access Trojan</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/finance/" title="Finance" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Threat Assessment: North Korean Threat Groups:Finance">Finance</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/" title="Threat Assessment: North Korean Threat Groups" role="link" data-page-track="true" data-page-track-value="unit42-henbox-chickens-come-home-roost:related-resources:Threat Assessment: North Korean Threat Groups:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> </div> </div> <div class="l-container bs__controls"> <div class="bs__progress"><span></span></div> <div class="bs__navigation"> <ul> <li> <button id="prevButton"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/slider-arrow-left.svg" alt="Slider arrow"></button> </li> <li> <button id="nextButton"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/slider-arrow-left.svg" alt="Slider arrow"></button> </li> </ul> </div> </div> </div> <div class="be-enlarge-modal" id="enlargedModal"> <div class="be-enlarge-modal__wrapper"> <figure> <button class="close__modal" id="closeModal"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/close-modal.svg" alt="Close button"></button> <img class="be__enlarged-image" id="enlargedImage" src="" alt="Enlarged Image"> <figcaption> </figcaption> </figure> 
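</div> </div> </div> </section> </main>
<!-- Start: Footer subscription form -->
<!--
  Newsletter sign-up. The inline script below sends this form with $.ajax as a
  POST to the action URL. The hidden inputs and the reCAPTCHA site key are
  readable and editable by any client, so the receiving handler (not visible on
  this page) has to validate them and verify the captcha response itself.
-->
<div class="newsletter">
  <div class="l-container">
    <div class="newsletter__wrapper">
      <div class="image__wrapper">
        <picture>
          <source class="lozad" media="(max-width:400px)" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/newsletter-Image-mobile.webp">
          <source class="lozad" media="(max-width:949px)" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/newsletter-Image-tab.webp">
          <img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/Revitalized_newsletter-Image-desktop-copy-1.webp" alt="Newsletter">
        </picture>
      </div>
      <div class="content__wrapper">
        <span class="pre-title">
          <img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/palo-alto-logo-small.svg" alt="UNIT 42 Small Logo">
          Get updates from Unit 42
        </span>
        <h2>Peace of mind comes from staying ahead of threats. Contact us today.</h2>
        <form action="https://www.paloaltonetworks.com/apps/pan/public/formsubmithandler.submitform.json" method="post" novalidate class="subscribe-form" name="Unit42_Subscribe" id="unit42footerSubscription_form">
          <input type="hidden" name="emailFormMask" value="">
          <input type="hidden" value="1086" name="formid">
          <input type="hidden" value="531-OCS-018" name="munchkinId">
          <input type="hidden" value="2141" name="lpId">
          <input type="hidden" value="1203" name="programId">
          <input type="hidden" value="1086" name="formVid">
          <input type="hidden" name="mkto_optinunit42" value="true">
          <input type="hidden" name="mkto_opt-in" value="true">
          <div class="form-group">
            <label for="newsletter-email" id="newsletter-email-label">Your Email</label>
            <!-- type was misspelled "emal", which browsers treat as a plain text field -->
            <input type="email" placeholder="Your Email" name="Email" class="subscribe-field" id="newsletter-email" autocomplete="email" aria-labelledby="newsletter-email-label">
            <p class="error-mail mb-15 text-danger" style="color: #dc3545"></p>
            <p>Subscribe for email updates to all Unit 42 threat research.<br>By submitting this form, you agree to our <a title="Terms of Use" href="https://www.paloaltonetworks.com/legal-notices/terms-of-use" data-page-track="true" data-page-track-value="Get updates from Unit 42:Terms of Use">Terms of Use</a> and acknowledge our <a title="Privacy Statement" href="https://www.paloaltonetworks.com/legal-notices/privacy" data-page-track="true" data-page-track-value="Get updates from Unit 42:Privacy Statement">Privacy Statement</a>.</p>
            <div class="g-recaptcha" data-expired-callback="captchaExpires" data-callback="captchaComplete" data-sitekey="6Lc5EhgTAAAAAJa-DzE7EeWABasWg4LKv-R3ao6o"></div>
            <p class="error-recaptcha d-none mt-15 text-danger" style="color: #dc3545">Invalid captcha!</p>
            <!-- The two icons are decorative, so they carry empty alt text and the
                 button's accessible name stays "Subscribe". The arrow image had two
                 class attributes; the parser keeps only the first, so they are merged. -->
            <button type="submit" class="l-btn is-disabled" data-page-track="true" data-page-track-value="footer:Get updates from Unit 42:Subscribe" id="unit42footerSubscription_form_button">
              Subscribe
              <img class="lozad arrow" data-src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/right-arrow.svg" alt="">
              <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-loader.svg" alt="" class="loader">
            </button>
            <div class="form-success-message"></div>
          </div>
        </form>
      </div>
    </div>
  </div>
</div>
<script>
  (function($) {
    // Migrated from the unit42-v5 + Modifications
    //
    // Client-side behaviour of the footer subscription form: tracks whether the
    // reCAPTCHA widget has called back, validates the address as the user
    // types, and posts the serialized form with $.ajax.
    //
    // subscribeSuccess only records that the widget called back in this
    // browser. It is a usability gate, not a control: the form action accepts
    // a direct POST, so the handler behind it must verify the reCAPTCHA
    // response token server-side (that handler is not visible on this page).
    var subscribeSuccess = false;
    var email = document.getElementById('newsletter-email');
    var subscription_form = document.getElementById('unit42footerSubscription_form');
    var subscription_form_button = document.getElementById('unit42footerSubscription_form_button');

    // reCAPTCHA data-callback: the challenge was solved.
    window.captchaComplete = function() {
      subscribeSuccess = true;
      // Read the address through `email`. The original read `mail`, which is
      // declared only inside the submit handler, so this callback would throw
      // before enabling the button or restoring focus.
      var address = $(email).val();
      if (address != '' && isEmail(address)) {
        $(subscription_form_button).removeClass('is-disabled');
      }
      setTimeout(function() {
        $(email).focus();
        // Take the widget iframe out of the tab order once it has been solved.
        $('.g-recaptcha iframe').attr('tabindex', '-1');
      }, 100);
    };

    // reCAPTCHA data-expired-callback: the solved challenge timed out.
    window.captchaExpires = function() {
      subscribeSuccess = false;
      $(subscription_form_button).addClass('is-disabled');
    };

    // The button is greyed out with a CSS class, not the disabled attribute,
    // so a submit can still fire; both conditions are re-checked here.
    $(subscription_form).submit(function(e) {
      e.preventDefault();
      e.stopImmediatePropagation();
      updateEmailMask(); // defined outside this script block
      var success = true;
      var form = $(this);
      var mail = form.find('input[name="Email"]');

      if (mail.val() === '') {
        mail.addClass('has-error');
        showError(1);
        success = false;
      } else if (!isEmail(mail.val())) {
        showError(2);
        success = false;
      } else {
        mail.removeClass('has-error');
        $('.error-mail').addClass('d-none');
      }

      if (!subscribeSuccess) {
        $('.error-recaptcha').removeClass('d-none');
      } else {
        $('.error-recaptcha').addClass('d-none');
      }

      if (success && subscribeSuccess) {
        $.ajax({
          type: 'POST',
          url: form.attr('action'),
          // Includes the hidden fields and the reCAPTCHA widget's response
          // field, which the widget places inside this form.
          data: form.serialize(),
          beforeSend: function() {
            form.find('button').addClass('is-loading');
          },
          success: function(msg) {
            // Static markup only; response data is never written into the page.
            form.find('.form-success-message').html('<p class="success-message">You have been successfully subscribed</p>');
            form.find('button').removeClass('is-loading');
            $(email).val('');
            clearError();
          },
          error: function(jqXHR, textStatus, errorThrown) {
            $(subscription_form_button).addClass('is-disabled');
            form.find('button').removeClass('is-loading');
          }
        });
      }
      return false;
    });

    // Show the message for an empty (1) or malformed (2) address and grey out
    // the button. The submit handler adds d-none to .error-mail after a valid
    // address, so it is removed here to keep later messages visible.
    function showError(error_type) {
      var errorBox = $('.error-mail');
      if (error_type == 1) {
        errorBox.text("Please enter the email address.").removeClass('d-none').addClass('error-show');
        $(subscription_form_button).addClass('is-disabled');
      } else if (error_type == 2) {
        errorBox.text("Please provide a valid e-mail address.").removeClass('d-none').addClass('error-show');
        $(subscription_form_button).addClass('is-disabled');
      }
      $(subscription_form_button).removeClass('is-loading');
    }

    // Clear the address message and return the button to its idle, enabled look.
    function clearError() {
      $('.error-mail').text("").removeClass('error-show');
      $(subscription_form_button).removeClass('is-loading');
      $(subscription_form_button).removeClass('is-disabled');
    }

    // Re-validate on every keystroke; an empty field is not flagged until submit.
    $(email).on('input', function (event) {
      var typed = $(this).val();
      if (isEmail(typed) || typed == "") {
        clearError();
      } else {
        showError(2);
      }
    });

    function isEmail(email) { var re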
= /^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/; return re.test(String(email).toLowerCase()); } var captcha_loaded = false; if(!captcha_loaded){ // recaptcha on foucs call $(document).on('change paste keyup', '#newsletter-email', function () { if($('.g-recaptcha').hasClass('d-none')){ $('.g-recaptcha').removeClass('d-none'); } if(!captcha_loaded ){ captcha_loaded = true; // trigger loading api.js (recaptcha.js) script var head = document.getElementsByTagName('head')[0]; var script = document.createElement('script'); script.type = 'text/javascript'; script.src = 'https://www.google.com/recaptcha/api.js?hl=en_US'; head.appendChild(script); } }); } function updateEmailMask() { var email = $("#unit42footerSubscription_form input[name='Email']").val(); if (email && email.trim() != '') { var maskedEmail = maskEmailAddress(email); $("#unit42footerSubscription_form input[name='emailFormMask']").val(maskedEmail); } } function maskEmailAddress (emailAddress) { function mask(str) { var strLen = str.length; if (strLen > 4) { return str.substr(0, 1) + str.substr(1, strLen - 1).replace(/\w/g, '*') + str.substr(-1,1); } return str.replace(/\w/g, '*'); } return emailAddress.replace(/([\w.]+)@([\w.]+)(\.[\w.]+)/g, function (m, p1, p2, p3) { return mask(p1) + '@' + mask(p2) + p3; }); return emailAddress; } }(jQuery)); //# sourceMappingURL=main.js.map </script> <!-- End: Footer subscription form --> <footer class="footer"> <div class="footer-menu"> <div class="l-container"> <div class="footer-menu__wrapper"> <div class="footer-menu-nav__wrapper"> <h3 class="footer-menu-nav__title">Products and services</h3> <div class="nav-column__wrapper"> <div class="nav-column"> <nav> <ul class="footer-menu-nav__list"> <li class="footer-menu-nav__item nav-title"> <a href="https://www.paloaltonetworks.com/network-security" role="link" title="Network Security Platform" data-page-track="true" 
data-page-track-value="footer:Products and services:Network Security Platform">Network Security Platform</a> </li> <li class="footer-menu-nav__item nav-title"> <a href="https://www.paloaltonetworks.com/network-security/security-subscriptions" role="link" title="CLOUD DELIVERED SECURITY SERVICES" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES">CLOUD DELIVERED SECURITY SERVICES</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/network-security/advanced-threat-prevention" target=_blank role="link" title="Advanced Threat Prevention" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention">Advanced Threat Prevention</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/network-security/advanced-dns-security" role="link" title="DNS Security" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security">DNS Security</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/network-security/enterprise-data-loss-prevention" role="link" title="Data Loss Prevention" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention">Data Loss Prevention</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/network-security/enterprise-iot-security" role="link" title="IoT Security" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security">IoT Security</a> </li> </ul> 
</nav> <nav> <ul class="footer-menu-nav__list"> <li class="footer-menu-nav__item nav-title"> <a href="https://www.paloaltonetworks.com/network-security/next-generation-firewall" role="link" title="Next-Generation Firewalls" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security:Next-Generation Firewalls">Next-Generation Firewalls</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/network-security/next-generation-firewall-hardware" role="link" title="Hardware Firewalls" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security:Next-Generation Firewalls:Hardware Firewalls">Hardware Firewalls</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/network-security/strata-cloud-manager" role="link" title="Strata Cloud Manager" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security:Next-Generation Firewalls:Hardware Firewalls:Strata Cloud Manager">Strata Cloud Manager</a> </li> </ul> </nav> <nav> <ul class="footer-menu-nav__list"> <li class="footer-menu-nav__item nav-title"> <a href="https://www.paloaltonetworks.com/sase" role="link" title="SECURE ACCESS SERVICE EDGE" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security:Next-Generation Firewalls:Hardware Firewalls:Strata Cloud Manager:SECURE ACCESS SERVICE EDGE">SECURE ACCESS SERVICE EDGE</a> </li> <li class="footer-menu-nav__item "> <a 
href="https://www.paloaltonetworks.com/sase/access" role="link" title="Prisma Access" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security:Next-Generation Firewalls:Hardware Firewalls:Strata Cloud Manager:SECURE ACCESS SERVICE EDGE:Prisma Access">Prisma Access</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/sase/sd-wan" role="link" title="Prisma SD-WAN" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security:Next-Generation Firewalls:Hardware Firewalls:Strata Cloud Manager:SECURE ACCESS SERVICE EDGE:Prisma Access:Prisma SD-WAN">Prisma SD-WAN</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/sase/adem" role="link" title="Autonomous Digital Experience Management" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security:Next-Generation Firewalls:Hardware Firewalls:Strata Cloud Manager:SECURE ACCESS SERVICE EDGE:Prisma Access:Prisma SD-WAN:Autonomous Digital Experience Management">Autonomous Digital Experience Management</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/sase/next-gen-casb" role="link" title="Cloud Access Security Broker" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security:Next-Generation Firewalls:Hardware Firewalls:Strata Cloud Manager:SECURE ACCESS SERVICE EDGE:Prisma Access:Prisma SD-WAN:Autonomous Digital Experience 
Management:Cloud Access Security Broker">Cloud Access Security Broker</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/sase/ztna" role="link" title="Zero Trust Network Access" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security:Next-Generation Firewalls:Hardware Firewalls:Strata Cloud Manager:SECURE ACCESS SERVICE EDGE:Prisma Access:Prisma SD-WAN:Autonomous Digital Experience Management:Cloud Access Security Broker:Zero Trust Network Access">Zero Trust Network Access</a> </li> </ul> </nav> </div> <div class="nav-column"> <nav> <ul class="footer-menu-nav__list"> <li class="footer-menu-nav__item nav-title"> <a href="https://www.paloaltonetworks.com/prisma/whyprisma" role="link" title="Code to Cloud Platform" data-page-track="true" data-page-track-value="footer:Products and services:Code to Cloud Platform">Code to Cloud Platform</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/prisma/cloud" role="link" title="Prisma Cloud" data-page-track="true" data-page-track-value="footer:Products and services:Code to Cloud Platform:Prisma Cloud">Prisma Cloud</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/content/pan/en_US/prisma/cloud/cloud-native-application-protection-platform" role="link" title="Cloud-Native Application Protection Platform" data-page-track="true" data-page-track-value="footer:Products and services:Code to Cloud Platform:Prisma Cloud:Cloud-Native Application Protection Platform">Cloud-Native Application Protection Platform</a> </li> </ul> </nav> </div> <div class="nav-column"> <nav> <ul class="footer-menu-nav__list"> <li class="footer-menu-nav__item nav-title"> <a href="https://www.paloaltonetworks.com/cortex" target=_blank role="link" title="AI-Driven Security Operations Platform" 
data-page-track="true" data-page-track-value="footer:Products and services:AI-Driven Security Operations Platform">AI-Driven Security Operations Platform</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/cortex/cortex-xdr" role="link" title="Cortex XDR" data-page-track="true" data-page-track-value="footer:Products and services:AI-Driven Security Operations Platform:Cortex XDR">Cortex XDR</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/cortex/cortex-xsoar" role="link" title="Cortex XSOAR" data-page-track="true" data-page-track-value="footer:Products and services:AI-Driven Security Operations Platform:Cortex XDR:Cortex XSOAR">Cortex XSOAR</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/cortex/cortex-xpanse" role="link" title="Cortex Xpanse" data-page-track="true" data-page-track-value="footer:Products and services:AI-Driven Security Operations Platform:Cortex XDR:Cortex XSOAR:Cortex Xpanse">Cortex Xpanse</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/cortex/cortex-xsiam" role="link" title="Cortex XSIAM" data-page-track="true" data-page-track-value="footer:Products and services:AI-Driven Security Operations Platform:Cortex XDR:Cortex XSOAR:Cortex Xpanse:Cortex XSIAM">Cortex XSIAM</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/cortex/cortex-xpanse/attack-surface-management" role="link" title="External Attack Surface Protection" data-page-track="true" data-page-track-value="footer:Products and services:AI-Driven Security Operations Platform:Cortex XDR:Cortex XSOAR:Cortex Xpanse:Cortex XSIAM:External Attack Surface Protection">External Attack Surface Protection</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/cortex/security-operations-automation" role="link" title="Security Automation" data-page-track="true" 
data-page-track-value="footer:Products and services:AI-Driven Security Operations Platform:Cortex XDR:Cortex XSOAR:Cortex Xpanse:Cortex XSIAM:External Attack Surface Protection:Security Automation">Security Automation</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/cortex/detection-and-response" role="link" title="Threat Prevention, Detection &amp; Response" data-page-track="true" data-page-track-value="footer:Products and services:AI-Driven Security Operations Platform:Cortex XDR:Cortex XSOAR:Cortex Xpanse:Cortex XSIAM:External Attack Surface Protection:Security Automation:Threat Prevention, Detection &amp; Response">Threat Prevention, Detection &amp; Response</a> </li> </ul> </nav> </div> <div class="nav-column"> <nav> <ul class="footer-menu-nav__list"> <li class="footer-menu-nav__item nav-title"> <a href="https://www.paloaltonetworks.com/unit42" role="link" title="Threat Intel and Incident Response Services" data-page-track="true" data-page-track-value="footer:Products and services:Threat Intel and Incident Response Services">Threat Intel and Incident Response Services</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/unit42/assess" role="link" title="Proactive Assessments" data-page-track="true" data-page-track-value="footer:Products and services:Threat Intel and Incident Response Services:Proactive Assessments">Proactive Assessments</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/unit42/respond" role="link" title="Incident Response" data-page-track="true" data-page-track-value="footer:Products and services:Threat Intel and Incident Response Services:Proactive Assessments:Incident Response">Incident Response</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/unit42/transform" role="link" title="Transform Your Security Strategy" data-page-track="true" data-page-track-value="footer:Products and services:Threat 
Intel and Incident Response Services:Proactive Assessments:Incident Response:Transform Your Security Strategy">Transform Your Security Strategy</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/unit42/threat-intelligence-partners" role="link" title="Discover Threat Intelligence" data-page-track="true" data-page-track-value="footer:Products and services:Threat Intel and Incident Response Services:Proactive Assessments:Incident Response:Transform Your Security Strategy:Discover Threat Intelligence">Discover Threat Intelligence</a> </li> </ul> </nav> </div> </div> </div> <div class="footer-menu-nav__wrapper"> <h3 class="footer-menu-nav__title">Company</h3> <div class="nav-column__wrapper"> <div class="nav-column"> <nav> <ul class="footer-menu-nav__list"> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/about-us" role="link" title="About Us" data-page-track="true" data-page-track-value="footer:Company:About Us">About Us</a> </li> <li class="footer-menu-nav__item "> <a href="https://jobs.paloaltonetworks.com/en/" role="link" title="Careers" data-page-track="true" data-page-track-value="footer:Company:About Us:Careers">Careers</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/company/contact-sales" role="link" title="Contact Us" data-page-track="true" data-page-track-value="footer:Company:About Us:Careers:Contact Us">Contact Us</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/about-us/corporate-responsibility" role="link" title="Corporate Responsibility" data-page-track="true" data-page-track-value="footer:Company:About Us:Careers:Contact Us:Corporate Responsibility">Corporate Responsibility</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/customers" role="link" title="Customers" data-page-track="true" data-page-track-value="footer:Company:About Us:Careers:Contact Us:Corporate 
Responsibility:Customers">Customers</a> </li> <li class="footer-menu-nav__item "> <a href="https://investors.paloaltonetworks.com/" target=_blank role="link" title="Investor Relations" data-page-track="true" data-page-track-value="footer:Company:About Us:Careers:Contact Us:Corporate Responsibility:Customers:Investor Relations">Investor Relations</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/about-us/locations" role="link" title="Location" data-page-track="true" data-page-track-value="footer:Company:About Us:Careers:Contact Us:Corporate Responsibility:Customers:Investor Relations:Location">Location</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/company/newsroom" role="link" title="Newsroom" data-page-track="true" data-page-track-value="footer:Company:About Us:Careers:Contact Us:Corporate Responsibility:Customers:Investor Relations:Location:Newsroom">Newsroom</a> </li> </ul> </nav> </div> </div> </div> <div class="footer-menu-nav__wrapper"> <h3 class="footer-menu-nav__title">Popular links</h3> <div class="nav-column__wrapper"> <div class="nav-column"> <nav> <ul class="footer-menu-nav__list"> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/blog/" role="link" title="Blog" data-page-track="true" data-page-track-value="footer:Popular links:Blog">Blog</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/communities" role="link" title="Communities" data-page-track="true" data-page-track-value="footer:Popular links:Blog:Communities">Communities</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/resources" role="link" title="Content Library" data-page-track="true" data-page-track-value="footer:Popular links:Blog:Communities:Content Library">Content Library</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/cyberpedia" role="link" title="Cyberpedia" 
data-page-track="true" data-page-track-value="footer:Popular links:Blog:Communities:Content Library:Cyberpedia">Cyberpedia</a> </li> <li class="footer-menu-nav__item "> <a href="https://events.paloaltonetworks.com/" role="link" title="Event Center" data-page-track="true" data-page-track-value="footer:Popular links:Blog:Communities:Content Library:Cyberpedia:Event Center">Event Center</a> </li> <li class="footer-menu-nav__item "> <a href="https://start.paloaltonetworks.com/preference-center" role="link" title="Manage Email Preferences" data-page-track="true" data-page-track-value="footer:Popular links:Blog:Communities:Content Library:Cyberpedia:Event Center:Manage Email Preferences">Manage Email Preferences</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/products/products-a-z" role="link" title="Products A-Z" data-page-track="true" data-page-track-value="footer:Popular links:Blog:Communities:Content Library:Cyberpedia:Event Center:Manage Email Preferences:Products A-Z">Products A-Z</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/legal-notices/trust-center/tech-certs" role="link" title="Product Certifications" data-page-track="true" data-page-track-value="footer:Popular links:Blog:Communities:Content Library:Cyberpedia:Event Center:Manage Email Preferences:Products A-Z:Product Certifications">Product Certifications</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/security-disclosure" role="link" title="Report a Vulnerability" data-page-track="true" data-page-track-value="footer:Popular links:Blog:Communities:Content Library:Cyberpedia:Event Center:Manage Email Preferences:Products A-Z:Product Certifications:Report a Vulnerability">Report a Vulnerability</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/sitemap" role="link" title="Sitemap" data-page-track="true" data-page-track-value="footer:Popular 
links:Blog:Communities:Content Library:Cyberpedia:Event Center:Manage Email Preferences:Products A-Z:Product Certifications:Report a Vulnerability:Sitemap">Sitemap</a> </li> <li class="footer-menu-nav__item "> <a href="https://docs.paloaltonetworks.com/" role="link" title="Tech Docs" data-page-track="true" data-page-track-value="footer:Popular links:Blog:Communities:Content Library:Cyberpedia:Event Center:Manage Email Preferences:Products A-Z:Product Certifications:Report a Vulnerability:Sitemap:Tech Docs">Tech Docs</a> </li> <li class="footer-menu-nav__item "> <a href="https://unit42.paloaltonetworks.com/" role="link" title="Unit 42" data-page-track="true" data-page-track-value="footer:Popular links:Blog:Communities:Content Library:Cyberpedia:Event Center:Manage Email Preferences:Products A-Z:Product Certifications:Report a Vulnerability:Sitemap:Tech Docs:Unit 42">Unit 42</a> </li> <li class="footer-menu-nav__item "> <a href="https://panwedd.exterro.net/portal/dsar.htm?target=panwedd" target=_blank role="link" title="Do Not Sell or Share My Personal Information" data-page-track="true" data-page-track-value="footer:Popular links:Blog:Communities:Content Library:Cyberpedia:Event Center:Manage Email Preferences:Products A-Z:Product Certifications:Report a Vulnerability:Sitemap:Tech Docs:Unit 42:Do Not Sell or Share My Personal Information">Do Not Sell or Share My Personal Information</a> </li> </ul> </nav> </div> </div> </div> </div> </div> </div> <div class="footer-bottom"> <div class="l-container"> <div class="footer-logo"> <a href="https://www.paloaltonetworks.com/" role="link" title="Footer Nav" data-page-track="true" data-page-track-value="footer:logo:Palo Alto Networks"> <img width="245" height="46" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/palo-alto-footer-logo.svg" class="attachment-medium size-medium" alt="" decoding="async" loading="lazy" /> </a> </div> <div class="footer-bottom__wrapper"> <div class="footer-bottom-nav"> <nav> <ul 
class="footer-menu-nav__list"> <li> <a href="https://www.paloaltonetworks.com/legal-notices/privacy" role="link" title="Privacy" data-page-track="true" data-page-track-value="footer:bottom-menu:Privacy">Privacy</a> </li> <li> <a href="https://www.paloaltonetworks.com/legal-notices/trust-center" role="link" title="Trust Center" data-page-track="true" data-page-track-value="footer:bottom-menu:Trust Center">Trust Center</a> </li> <li> <a href="https://www.paloaltonetworks.com/legal-notices/terms-of-use" role="link" title="Terms of Use" data-page-track="true" data-page-track-value="footer:bottom-menu:Terms of Use">Terms of Use</a> </li> <li> <a href="https://www.paloaltonetworks.com/legal" role="link" title="Documents" data-page-track="true" data-page-track-value="footer:bottom-menu:Documents">Documents</a> </li> </ul> </nav> <br/><span class="copyright">Copyright © 2024 Palo Alto Networks. All Rights Reserved</span> </div> <div class="footer-bottom-social"> <ul> <li> <a href="https://www.youtube.com/user/paloaltonetworks" target="_blank" role="link" title="YouTube" data-page-track="true" data-page-track-value="footer:social:Youtube"> <img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/youtube-black.svg" alt="YouTube"> </a> </li> <li> <a href="https://twitter.com/Unit42_Intel" target="_blank" role="link" title="X" data-page-track="true" data-page-track-value="footer:social::Twitter"> <img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/x-icon-black.svg" alt="Twitter"> </a> </li> <li> <a href="https://www.facebook.com/PaloAltoNetworks/" target="_blank" role="link" title="Facebook" data-page-track="true" data-page-track-value="footer:social:Facebook"> <img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/Facebook_Icon.svg" alt="Facebook"> </a> </li> <li> <a 
href="https://www.linkedin.com/company/palo-alto-networks" target="_blank" role="link" title="LinkedIn" data-page-track="true" data-page-track-value="footer:social:LinkedIn"> <img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/LinkedIn_Icon.svg" alt="LinkedIn"> </a> </li> <li> <a href="https://unit42.paloaltonetworks.com/unit-42-threat-vector-podcast/" role="link" title="Podcast" data-page-track="true" data-page-track-value="footer:social:Podcast"> <img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/Podcast.svg" alt="Podcast"> </a> </li> </ul> <div class="pa language-dropdown"> <div class="language-dropdown__wrapper"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/globe-icon.svg" alt="Globe icon"> <span id="selectedLanguage">EN</span> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/down-arrow.svg" alt="Down arrow"><ul><li class="title">Select your language</li> <li class="selected" data-value="en"> <a data-page-track="true" data-page-track-value="footer:language-selector:en" href="https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/">USA (ENGLISH)</a> </li> <li class="non-active" data-value="en"> <a data-page-track="true" data-page-track-value="footer:language-selector:ja" href="https://unit42.paloaltonetworks.jp/unit42-henbox-chickens-come-home-roost/">JAPAN (日本語)</a> </li></ul> </div> </div> </div> </div> </footer> <div class="dd-overlay"> </div> <!-- Start: video modal --> <div class="modal video__modal" id="videoModal" tabindex="-1"> <div class="modal__video-wrapper"> <button class="modal__play-btn is-minimized is-paused" id="playPauseBtn"> <img class="play" src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/player-play-icon.svg" alt="Play"> <img class="pause" 
