This section analyzes the malware discovered in the actor's VMware dump and the spear-phishing and infrastructure operations identified in the VPS dump. Notably, the rootkit and backdoor found in the tomcat20220420_rootkit and tomcat20250414_rootkit_linux234 directories are linked to a past incident at a South Korean financial institution investigated by our team.

1.1. tomcat20220420_rootkit

1.1.1. Backdoor

The backdoor source code is located in the work/home/user/Desktop/tomcat20220420_rootkit/tomcat20220420_rootkit/work directory. The backdoor's primary functions are to execute malicious commands or to act as a proxy for relaying network traffic. It is always executed by the rootkit and does not run as a standalone process.

The backdoor's execution arguments are described in the table below.

| First Argument | Argument Count: 1 | Argument Count: 2 |
| --- | --- | --- |
| cb | Uses hardcoded IP address and port. | Uses hardcoded IP and the second argument as the port. |
| proxy | Activates the proxy flag. | Not applicable. |
| Any other value | Uses the first argument as the port. | Not applicable

caption - Command-line options

When the proxy flag is enabled, the command-handling logic is bypassed, and the backdoor waits to receive an AES-256-CBC encrypted "__step2__".

caption - Data validation logic in master.c

The AES key and IV are as follows:

• AES key: 603deb15153a715e2b73aef3857d758b1f552c573e6158d72d9811a33914defe

• IV: 603deb15153a715e2b73aef3857d758b1f552c573e6158d72d9811a33914defe

To masquerade its traffic, the backdoor can wrap its socket communication in one of the following protocols, as defined in install_common.h:

• HTTP

• HTTPS

• SSL

• TCP

• SMTP

caption - Protocol definition in install_common.h

All data, including command codes, is encrypted and decrypted using a multi-byte XOR operation with the key "1101link". The implementation of this logic results in an operation equivalent to a single-byte XOR with the value 1.

caption - EncodeDecode function in encrypt.c

The supported commands are listed below.

| Command Name | Command Code | Description | Response Name | Response Code |
| --- | --- | --- | --- | --- |
| CMD_LOGIN | 0x11 | Responds to the client to confirm connection. | CMD_LOGIN_YES | 0x12 |
| CMD_FILE_UP | 0x15 | Receives and saves a file from the client. | CMD_UP_YES | 0x16 |
| CMD_FILE_DOWN | 0x18 | Sends a specified file to the client. | CMD_DOWN_YES | 0x19 |
| CMD_SHELL | 0x1b | Executes a given shell command and sends the result to the client. | CMD_SHELL_YES | 0x1c |
| CMD_TRANSFER | 0x1f | Receives connection details for a new backdoor instance from the client. It sends a password to the new backdoor to trigger the termination of the current instance, then acts as a proxy, forwarding packets from the client to the new backdoor. | CMD_TRANSFER_YES | 0x20 |
| CMD_PROXY_TRANSFER | 0x21 | Receives connection details for a new backdoor instance. It sends an AES-encrypted password, __step2__, and __step3__ to the new backdoor to configure it as a proxy. It then acts as a proxy, forwarding subsequent packets from the client to the new backdoor. | CMD_PROXY_TRANSFER_YES | 0x22 |
| CMD_SOCKS_PROXY_TRANSFER | 0x23 | Functions similarly to CMD_PROXY_TRANSFER but establishes a SOCKS5 proxy connection. | CMD_SOCKS_PROXY_TRANSFER_YES | 0x24 |
| CMD_BACK | 0x13 | Responds to the client to confirm the back command. | CMD_BACK_YES | 0x14 |
| CMD_SINGLE_CMD | 0x25 | Executes a single shell command, returns the result, and terminates the backdoor process. | CMD_SINGLE_CMD_YES | 0x26 |
| CMD_IN_SINGLE_CMD | 0x27 | Executes a single shell command and returns the result without terminating. | CMD_IN_SINGLE_CMD_YES | 0x28 |
| CMD_D_SINGLE_CMD | 0x2b | Executes a shell command in a detached process. | CMD_D_SINGLE_CMD_YES | 0x2c |
| CMD_D_OUT_SINGLE_CMD | 0x2d | Executes a shell command in a detached process and then terminates the backdoor process. | CMD_D_OUT_SINGLE_CMD_YES | 0x2e

caption - Backdoor command descriptions

1.1.2. syslogk rootkit

The file work/home/user/Desktop/tomcat20220420_rootkit/tomcat20220420_rootkit/main.c contains the source code for the syslogk rootkit. This rootkit hides the directory containing the backdoor and related malware to evade detection. It also ensures the backdoor only runs when triggered by a specific magic packet from the actor.

The rootkit hooks three functions to hide processes, ports, and directories.

| Hooked Function | Hooking Function | Action |
| --- | --- | --- |
| proc_roo_readdir | hk_proc_readdir | Hides processes |
| tcp4_seq_show | hk_t4_seq_show | Hides open ports |
| readdir | hk_root_readdir | Hides directories

caption - Function hooks

The hooked functions use strstr to compare target entries against predefined strings (process names, paths, ports) and remove any matches before returning the results.

The rootkit then uses nf_register_hook to register callback functions at two Netfilter hook points:

• NF_INET_LOCAL_IN: Intercepts packets just before they are delivered to a local process.

• NF_INET_LOCAL_OUT: Intercepts packets just before they are sent from a local process.

caption - Netfilter hook registration logic in hkcap.c

This allows the rootkit to monitor all traffic and execute malicious actions upon receiving a magic packet.

The NF_INET_LOCAL_IN callback function inspects incoming TCP packets, decrypts the payload, and checks if it matches specific conditions. The decryption keys are listed below.

| Type | Value |
| --- | --- |
| AES key | 603deb15153a715e2b73aef3857d758b1f552c573e6158d72d9811a33914defe |
| IV | 12a3bb47535ec0d53953a6fbad43f573 |
| XOR key | 1101link

caption - Decryption keys

The conditions and corresponding actions are detailed below.

| Condition | Action | Callback Function |
| --- | --- | --- |
| 1. The first 4 bytes of the XOR-decrypted payload are 0x44332211.-n2. The next 8 bytes are ssecuremw. | Executes a shell command via /bin/sh -c. | nfinpro |
| 1. The packet is a SYN packet.-n2. The packet's window value is 1022, and its ID and sequence numbers are in predefined lists (id_list, seq_list). | Executes the backdoor via /bin/sh -c and forwards the packet payload. | nfin, nfinpro |
| 1. The packet is from the C&C IP.-n2. The payload is ssecuremw. | Terminates the currently running backdoor process. | nfin, nfinpro |
| 1. The packet is from the C&C IP.-n2. The payload is not ssecuremw. | Changes the packet's destination port to the backdoor's listening port. | nfin, nfinpro |
| 1. The first 4 bytes are 0x0000002c.-n2. The data at offset 10 contains the AES-encrypted password (ssecuremw). | Executes the backdoor with the proxy argument via /bin/sh -c. | nfinpro |
| The data begins with the AES-encrypted password (ssecuremw). | Executes the backdoor with the proxy argument via /bin/sh -c. | nfinpro |
| The data begins with the AES-encrypted string __step3__. | Updates the C&C IP to the source IP of the current packet. | nfinpro

caption - Conditions and actions

At the NF_INET_LOCAL_OUT hook point, the callback function changes the source port of packets originating from the backdoor to a non-listening port.

After registering the Netfilter callbacks, the rootkit removes itself from the system's module list to evade detection by tools like lsmod.

caption - hide_module function

The hidden rootkit can be made visible again by writing the value of MAGIC_DRBIN (defined in install.h) to a specific file controlled by the rootkit.

caption - proc_write function logic

1.1.3. Backdoor Client

The file work/home/user/Desktop/tomcat20220420_rootkit/tomcat20220420_rootkit/work/tcat.c contains the source code for the backdoor client. This tool was likely run by the actor on their C&C server.

The client accepts several command-line options, which are detailed below.

| Long Option | Short Option | Description |
| --- | --- | --- |
| HOST | H | Backdoor address. |
| PORT | P | Backdoor port. |
| password | p | Password for backdoor connection (default: ssecuremw). |
| callback | c | Enable callback mode. |
| single_command | s | Send a single command for execution. |
| daemon_command | d | Send a command to be executed in a new process (background execution). |
| proxy | x | Use a proxy server. |
| socks_proxy | y | Use a SOCKS5 proxy server. |
| socks_aim_hostname | i | Address of the SOCKS5 proxy server. |
| socks_aim_port | o | Port of the SOCKS5 proxy server. |
| socks_username | u | Username for the SOCKS5 proxy server. |
| socks_password | a | Password for the SOCKS5 proxy server. |
| knock_protocol | k | Protocol for the initial connection attempt (0: TCP, 1: HTTP, 2: SSH). |
| ethernet_interface | e | Ethernet interface to use. |
| cookie | 5 | Cookie value for HTTP/HTTPS communication. |
| host | 6 | Custom host header value for HTTP/HTTPS communication. |
| main_protocol | m | Protocol for backdoor communication (0: TCP, 1: HTTP, 99: old HTTP). |
| kc | 1 | Send a command to be executed by the kernel module without output

caption - Command-line options

Commands can be delivered to the backdoor in four ways:

• single cmd: Sends a single command to the backdoor for execution.

• single daemon cmd: Sends a command to be executed in a new process on the backdoor host.

• input loop: Enters an interactive loop, accepting commands until exit is entered.

• kernel cmd: Sends a command to be executed by the kernel module without returning output.

Except for the input loop, the client terminates after sending the command. The commands available in the input loop are listed below.

| Command | Description |
| --- | --- |
| shell | Forwards shell commands to the backdoor until exit is entered. |
| trans | Uses the current backdoor as a proxy to connect to a new backdoor instance. Sends the CMD_TRANSFER command. |
| upload | Uploads a single file to the backdoor. |
| download | Downloads a single file from the backdoor. |
| back | Terminates the current connection and reconnects to the previous backdoor in a proxy chain. |
| exit | Terminates the client process. |
| proxy_trans | Uses the current backdoor as a proxy to connect to a new backdoor instance. Sends the CMD_PROXY_TRANSFER command. |
| socks_trans | Uses the current backdoor as a SOCKS5 proxy to connect to a new backdoor instance. Sends the CMD_SOCKS_PROXY_TRANSFER command. |
| old_trans | Same as trans but does not set a communication protocol. |
| old_proxy_trans | Same as proxy_trans but does not set a communication protocol. |
| old_socks_trans | Same as socks_trans but does not set a communication protocol. |
| sh | Sends a single command to the backdoor for execution. |
| dsh | Sends a command to be executed in a new process on the backdoor host (background execution). |
| cookie | Sets or displays the current cookie value for HTTP communication. |
| host | Displays information about the currently connected backdoor

caption - Backdoor client command descriptions

All communication is encrypted with the XOR key "1101link". For each message, the client computes a SHA512 hash of the password combined with the GENERAL_MODULE and GENERAL_PROTOCOL values defined in common.h. This hash is prepended to the message before transmission. Communication with the backdoor can be configured to use one of the following protocols:

• TCP

• HTTP

• OLD HTTP (A variant of HTTP that does not use cookies)

1.2. tomcat20250414_rootkit_linux234

1.2.1. Backdoor

The directory work/mnt/hgfs/Desktop/tomcat20250414_rootkit_linux234/tomcat20250414_rootkit_linux2345/work contains the source code for the 2025 version of the backdoor. This is an upgraded version of the 2022 backdoor, with new features such as password verification for delayed callbacks, configurable callback timers, and rate-limiting for file transfers. Its command-line options are listed below.

| Long Option | Short Option | Description |
| --- | --- | --- |
| module | m | Set callback mode. |
| protocol | p | Set communication protocol. |
| port | P | Set port. |
| HOST | H | Set address for the callback proxy. |
| ft | f | Set initial delay time for callbacks. |
| tt | t | Set subsequent delay time for callbacks. |
| LL | L | Set log file path

caption - Command-line options

In addition to the existing password, this version introduces a master password. When a client connects, the backdoor computes a SHA512 hash of the master password and connection settings. The master password, !@nf4@#fndskgadnsewngaldfkl, is defined in common.h. While the hash is stored in a global variable and checked during SSL communications, it is not actively used. The client's provided password is then hashed in the same manner and verified.

caption - passcheck_check function in encrypt.c

The password is Miu2jACgXeDsxd. Configuration settings, including the password, can be modified in config.sh and are applied at build time.

caption - Default settings in config.sh

The communication protocols are the same as the 2022 version:

• HTTP

• HTTPS

• SSL

• TCP

• SMTP

While the original XOR key is still present, five new XOR keys and corresponding encryption/decryption functions have been added.

caption - All XOR keys found in encrypt.c

This version adds several new commands and modifies the behavior of commands with "TRANSFER" in their names. The newly added command codes are:

• CMD_NEW_UPLOAD

• CMD_NEW_DOWNLOAD

• CMD_LISTEN_PROXY_TRANS

• CMD_TRANSFER

• CMD_PROXY_TRANSFER

• CMD_SOCKS_PROXY_TRANSFER

• CMD_SOCKS_PROXY

• CMD_NEW_SINGLE_CMD

The command behaviors are detailed in the table below. (new or significantly modified commands are grouped with an asterisk).

| Command Name | Command Code | Description | Response Name | Response Code |
| --- | --- | --- | --- | --- |
| CMD_LOGIN | 0x11 | Responds to the client to confirm connection. | CMD_LOGIN_YES | 0x12 |
| CMD_FILE_UP | 0x15 | Receives and saves a file from the client. | CMD_UP_YES | 0x16 |
| CMD_FILE_DOWN | 0x18 | Sends a specified file to the client. | CMD_DOWN_YES | 0x19 |
| *CMD_NEW_UPLOAD* | *0xb3* | *Receives and saves a file from the client.* | *CMD_NEW_UPLOAD_YES* | *0xb4* |
| *CMD_NEW_DOWNLOAD* | *0xb1* | *Sends a specified file to the client according to specified options (e.g., transfer speed, chunk size).* | *CMD_NEW_DOWNLOAD_YES* | *0xb2* |
| CMD_SHELL | 0x1b | Executes a given shell command and sends the result to the client. | CMD_SHELL_YES | 0x1c |
| *CMD_LISTEN_PROXY_TRANS* | *0x3f* | *Acts as a callback proxy server.* | *CMD_LISTEN_PROXY_TRANS_YES* | *0x40* |
| *CMD_LISTEN_TRANS* | *0x3d* | *Acts as a callback server.* | *CMD_LISTEN_TRANS_YES* | *0x3e* |
| *CMD_TRANSFER* | *0x1f* | *Receives connection details for a new backdoor instance, sends a password to activate it, and then acts as a proxy, forwarding packets from the client to the new backdoor.* | *CMD_TRANSFER_YES* | *0x20* |
| *CMD_PROXY_TRANSFER* | *0x21* | *Receives connection details for a new backdoor instance, sends a SHA512 hash of the password and connection settings, and then acts as a proxy. The first 9 bytes of the packet are set to 0000002c061e00000020.* | *CMD_PROXY_TRANSFER_YES* | *0x22* |
| *CMD_SOCKS_PROXY_TRANSFER* | *0x23* | *Functions similarly to CMD_PROXY_TRANSFER but establishes a SOCKS5 proxy server. The first 9 bytes of the packet are set to 0000002c061e00000020.* | *CMD_SOCKS_PROXY_TRANSFER_YES* | *0x24* |
| CMD_BACK | 0x13 | Responds to the client to confirm the back command. | CMD_BACK_YES | 0x14 |
| *CMD_SOCKS_PROXY* | *0x29* | *Uses the client as a proxy.* | *CMD_SOCKS_PROXY_YES* | *0x30* |
| CMD_SINGLE_CMD | 0x25 | Executes a single shell command, returns the result, and terminates the backdoor process. | CMD_SINGLE_CMD_YES | 0x26 |
| CMD_IN_SINGLE_CMD | 0x27 | Executes a single shell command and returns the result without terminating. | CMD_IN_SINGLE_CMD_YES | 0x28 |
| CMD_D_SINGLE_CMD | 0x2b | Executes a shell command in a detached process. | CMD_D_SINGLE_CMD_YES | 0x2c |
| CMD_D_OUT_SINGLE_CMD | 0x2d | Executes a shell command in a detached process and then terminates the backdoor process. | CMD_D_OUT_SINGLE_CMD_YES | 0x2e |
| *CMD_NEW_SINGLE_CMD* | *0x2f* | *Executes a given command and returns the result to the client.* | *CMD_NEW_SINGLE_CMD_YES* | *0x30

caption - Backdoor command descriptions

1.2.2. syslogk rootkit

The file at work/mnt/hgfs/Desktop/tomcat20250414_rootkit_linux234/tomcat20250414_rootkit_linux2345/main.c is the 2025 version of the rootkit. Like its predecessor, it registers callbacks at Netfilter hook points, but it features significant changes to its function hooking, module hiding, and Netfilter implementation.

While the 2022 rootkit used the udis86 library for function hooking, the 2025 version uses the khook library.

caption - Left: 2022 rootkit (udis86). Right: 2025 rootkit (khook).

This version hooks a total of five functions, up from three in the 2022 version.

| Hooked Function | Hooking Function | Action |
| --- | --- | --- |
| tcp4_seq_show | khook_tcp4_seq_show | Hides open ports |
| proc_filldir | khook_proc_filldir | Hides processes |
| filldir | khook_filldir | Hides directories |
| filldir64 | khook_filldir64 | Hides directories |
| proc_root_readdir | khook_proc_root_readdir | Hides directories

caption - Function hooks

The number of Netfilter hooks has increased from two to four.

• NF_INET_LOCAL_IN: Before a packet is delivered to a local process.

• NF_INET_LOCAL_OUT: Before a packet is sent from a local process.

• NF_INET_PRE_ROUTING: Immediately after a packet enters the network stack.

• NF_INET_POST_ROUTING: Just before a packet is placed on the wire, after routing.

caption - Netfilter hook registration logic in hkcap.c

The NF_INET_PRE_ROUTING callback performs two main actions. First, it checks for a magic packet to execute the backdoor, similar to the NF_INET_LOCAL_IN hook in the 2022 version. However, the condition is simpler: it only checks for a TCP SYN packet where the ID and sequence number are present in the id_list and seq_list.

If the condition is met, the packet's window value is used to determine which masquerade protocol to use when launching the backdoor.

| Magic Packet window Value | Masquerade Protocol |
| --- | --- |
| 1022 | TCP |
| 2025 | HTTP |
| 29201 | HTTPS |
| 1130 | SSL |
| 2101 | SMTP

caption - Masquerade protocols

The method for executing the backdoor has also changed significantly. Instead of /bin/sh -c, this version uses call_usermodehelper to launch the backdoor on a random port between 3000 and 8000.

caption - kernel_run function in hkcap.c

The second action of the

PRE_ROUTING

hook is to change the destination port of any packet from the C&C IP to the randomly generated backdoor port. This allows the actor to communicate with the backdoor without knowing the randomly assigned port in advance.

caption - Code to change packet destination in hkcap.cThe NF_INET_LOCAL_IN callback function then changes the packet's destination port again, from the random port to the actual port the backdoor is listening on. This two-step redirection appears designed to obscure the backdoor's true listening port.

caption - Code to change packet destination to the backdoor port in hkcap.c

The NF_INET_LOCAL_OUT callback changes the source port of outgoing backdoor packets from the listening port to an arbitrary port.

The NF_INET_POST_ROUTING callback then changes the source port from the arbitrary port to the actual C&C port.

caption - Code to change packet destination to the actor's port in hkcap.c

The rootkit's hiding mechanism has been enhanced to remove the module from sysfs in addition to the standard module list.

caption - Module hiding code in hkmod.c

The sysfs-related functions are taken directly from the kv_hide_mod function of the KoviD rootkit.

caption - kv_hide_mod function in the KoviD rootkit

While writing a specific string to the rootkit still unhides it, this version adds the ability to dynamically configure the ports used by the Netfilter hooks by writing other specific strings.

caption - Port configuration code in hkcap.c

All strings written to the rootkit, except for the unhide command, are first decrypted with AES-256-CBC. The key and IV are as follows:

• AES key: d03deb92153a71458973aef3857d75b27e552cc63e6158a8339811873994de47

• IV: efa3c987532cc0bdac533845ad8df5ea

The actions triggered by writing to the rootkit are listed below.

| String Name | String | Action |
| --- | --- | --- |
| ModuleDecodeKey | mrdyZwIh2Bh | Unhides the rootkit module. |
| PROC_CMD_TRANSREG | h9WJZ1 | Sets the C&C IP/port and backdoor port to the values provided after the string. |
| PROC_CMD_TRANSCLR | 64OWE2 | Deletes C&C session information corresponding to the backdoor port provided after the string. |
| PROC_CMD_CONNSET | C8lnS3 | Modifies C&C session information for a given backdoor port to the IP and port values provided after the string

caption - Strings and triggered actions

1.2.3. Backdoor Client

The file

work/mnt/hgfs/Desktop/tomcat20250414_rootkit_linux234/tomcat20250414_rootkit_linux2345/work/tcat.c contains the source code for the 2025 backdoor client. Compared to the 2022 version, the primary change is the removal of the kernel command (kc) option. A new LLL option for specifying a log file path has been added. The full list of options is below.

| Long Option | Short Option | Description |
| --- | --- | --- |
| HOST | H | Backdoor address. |
| PORT | P | Backdoor port. |
| password | p | Password for backdoor connection (default: ssecuremw). |
| callback | c | Enable callback mode. |
| single_command | s | Send a single command for execution. |
| daemon_command | d | Send a command to be executed in a new process (background execution). |
| proxy | x | Use a proxy server. |
| socks_proxy | y | Use a SOCKS5 proxy server. |
| socks_aim_hostname | i | Address of the SOCKS5 proxy server. |
| socks_aim_port | o | Port of the SOCKS5 proxy server. |
| socks_username | u | Username for the SOCKS5 proxy server. |
| socks_password | a | Password for the SOCKS5 proxy server. |
| knock_protocol | k | Protocol for the initial connection attempt (0: TCP, 1: HTTP, 2: SSL, 3: HTTPS, 4: SMTP). |
| ethernet_interface | e | Ethernet interface to use. |
| cookie | 5 | Cookie value for HTTP/HTTPS communication. |
| host | 6 | Custom host header value for HTTP/HTTPS communication. |
| main_protocol | m | Protocol for backdoor communication (0: TCP, 1: HTTP, 2: SSL, 3: HTTPS, 4: SMTP). |
| LLL | L | Log file path

caption - Command-line options

With the removal of the kernel command feature, commands are delivered in three ways:

• single cmd: Sends a single command to the backdoor for execution.

• single daemon cmd: Sends a command to be executed in a new process on the backdoor host.

• input loop: Enters an interactive loop, accepting commands until exit is entered.

While the 2022 client only accepted simple commands, the 2025 client allows options to be specified for each command, enabling more precise control. The number of top-level commands has decreased, but their functionality is more sophisticated. The commands available in the input loop are listed below.

| Command | Description |
| --- | --- |
| shell | Forwards shell commands to the backdoor. |
| inc | Displays connection information for all currently connected backdoors. |
| trans | Uses the current backdoor as a proxy server to connect to a new backdoor. |
| socks5 | Uses the current backdoor as a SOCKS5 proxy server to connect to a new backdoor. |
| upload | Uploads a single file to the backdoor. |
| download | Downloads a single file from the backdoor. |
| nup | Uploads a file to the backdoor with specified options. |
| ndown | Downloads a file from the backdoor with specified options. |
| back | Terminates the current connection and reconnects to the previous backdoor in a proxy chain. |
| exit | Terminates the client process. |
| cookie | Sets or displays the current cookie value. |
| host | Displays information about the currently connected backdoor

caption - Backdoor client command descriptions

A full analysis of the new features was not possible, as key functions for the new commands (e.g., tcat_new_send_file, tcat_new_recv_file) were not defined in the provided source code.

Unlike the 2022 client, which sent a SHA512 hash of the password with every communication, the 2025 client sends it only once during the initial connection.

All communication is still encrypted with the XOR key "1101link". However, the available communication protocols have changed. The "OLD HTTP" option has been removed, and HTTPS and SMTP have been added. The supported protocols are:

• TCP

• HTTP

• HTTPS

• SMTP

1.3. Cobalt Strike

1.3.1. Cobalt Strike Loader

A Rust-based loader designed to decrypt and execute embedded shellcode was found at the following paths:

• work/mnt/hgfs/Desktop/New folder (2)/DboRrmSS.exe

• work/mnt/hgfs/Desktop/New folder (2)/m01QzOfI.exe

• work/mnt/hgfs/Desktop/New folder (2)/voS9AyMZ.tar.gz

• work/home/user/.cache/vmware/drag_and_drop/0pkbW4/3Powwovv.exe

• work/home/user/.cache/vmware/drag_and_drop/gWMDML/GnAN3FhY.exe

• work/home/user/.cache/vmware/drag_and_drop/QqiN9h/DboRrmSS.exe

• work/home/user/.cache/vmware/drag_and_drop/rM0FG0/m01QzOfI.exe

The loader dynamically resolves Windows APIs using djb2 hashing. It then decrypts the shellcode with AES-256-CBC and executes it in memory.

caption - API hashing function

The AES keys and IVs for each loader instance are listed below.

| File Path | Key | IV |
| --- | --- | --- |
| work/mnt/hgfs/Desktop/New folder (2)/DboRrmSS.exe | 0e9cae6dc34ae064b71604c221bca933f1ffcb63df4af7e6806fa94849d66924 | 33081eba056e1ad1c8e5618829b84030 |
| work/mnt/hgfs/Desktop/New folder (2)/m01QzOfI.exe | b5976580954f47b49a33a5c580610aeb77e8c2ef66e0ab337ddfb2d1851e7998 | 545644526a2a08dff2dd4e3a812be126 |
| work/mnt/hgfs/Desktop/New folder (2)/voS9AyMZ.tar.gz | ae49597d8c87d5cf23f485fa0fc138d06c13aa743405e3c9c44b3097ba008dcf | a61080d5ee883489ee8ce40f84569fc3 |
| work/home/user/.cache/vmware/drag_and_drop/0pkbW4/3Powwovv.exe | 6f627869fe1f05add75dc039fce970fce9bb4531d5601f894877aab3bc9dfe89 | 5fb9604da0d50bce37e53c194ab074b0 |
| work/home/user/.cache/vmware/drag_and_drop/gWMDML/GnAN3FhY.exe | 62609005b9ace1387a1065e6a72b7f796e12fd7c3b34b30a94af5d9112287b3c | 5990b37f9e73a20c2d5605cba72399cc |
| work/home/user/.cache/vmware/drag_and_drop/QqiN9h/DboRrmSS.exe | 0e9cae6dc34ae064b71604c221bca933f1ffcb63df4af7e6806fa94849d66924 | 33081eba056e1ad1c8e5618829b84030 |
| work/home/user/.cache/vmware/drag_and_drop/rM0FG0/m01QzOfI.exe | b5976580954f47b49a33a5c580610aeb77e8c2ef66e0ab337ddfb2d1851e7998 | 545644526a2a08dff2dd4e3a812be126

caption - Cobalt Strike Loader AES keys and IVs

1.3.2. Shellcode

The shellcode executed by the Cobalt Strike Loader decrypts and runs the final Cobalt Strike Beacon payload in memory. This shellcode was also found as standalone files at the following paths:

• work/home/user/.cache/vmware/drag_and_drop/5wdgDr/payload.bin

• work/home/user/.cache/vmware/drag_and_drop/6bX9mm/Black.x64.exe

• work/home/user/.cache/vmware/drag_and_drop/NDBu65/payload.bin

• work/home/user/.cache/vmware/drag_and_drop/yf91yD/payload.bin

• work/home/user/.cache/vmware/drag_and_drop/zlLWeR/payload.bin

The file work/home/user/.cache/vmware/drag_and_drop/6bX9mm/Black.x64.exe is a compiled executable but is functionally identical to the other shellcode files.

caption - DIE result for Black.x64.exe

Like the loader, the shellcode dynamically resolves Windows APIs using djb2 hashing. The embedded Cobalt Strike Beacon is decrypted using RC4 and executed in memory.

caption - RC4 ksa function

The RC4 keys used by each file are listed below.

| File Path | RC4 Key |
| --- | --- |
| work/mnt/hgfs/Desktop/New folder (2)/DboRrmSS.exe | QGWYqgYFSXgkEvmll |
| work/mnt/hgfs/Desktop/New folder (2)/m01QzOfI.exe | bVeuvyKwejaykgTg |
| work/mnt/hgfs/Desktop/New folder (2)/voS9AyMZ.tar.gz | YPJngQShuxKNEcPw |
| work/home/user/.cache/vmware/drag_and_drop/0pkbW4/3Powwovv.exe | xYHuKSOLEkSzrxVq |
| work/home/user/.cache/vmware/drag_and_drop/gWMDML/GnAN3FhY.exe | xYHuKSOLEkSzrxVq |
| work/home/user/.cache/vmware/drag_and_drop/QqiN9h/DboRrmSS.exe | QGWYqgYFSXgkEvmll |
| work/home/user/.cache/vmware/drag_and_drop/rM0FG0/m01QzOfI.exe | bVeuvyKwejaykgTg |
| work/home/user/.cache/vmware/drag_and_drop/5wdgDr/payload.bin | xYHuKSOLEkSzrxVq |
| work/home/user/.cache/vmware/drag_and_drop/6bX9mm/Black.x64.exe | xYHuKSOLEkSzrxVq |
| work/home/user/.cache/vmware/drag_and_drop/NDBu65/payload.bin | xYHuKSOLEkSzrxVq |
| work/home/user/.cache/vmware/drag_and_drop/yf91yD/payload.bin | bVeuvyKwejaykgTg |
| work/home/user/.cache/vmware/drag_and_drop/zlLWeR/payload.bin | xYHuKSOLEkSzrxVq

caption - Shellcode RC4 keys

Notably, the Cobalt Strike Beacons deployed via this shellcode patch ETW and AMSI functions to evade detection. The encrypted beacon configuration was truncated, preventing a full analysis of its contents.

1.3.3. Cobalt Strike Beacon

The source code for a Cobalt Strike Beacon was found under work/mnt/hgfs/Desktop/111/beacon. Upon execution, it decrypts its configuration using a single-byte XOR key (0x2e). A portion of the decrypted configuration, as parsed by CobaltStrikeParser, is shown below.

caption - CobaltStrikeParser output

Although the configuration contains a C&C server address and endpoint, the beacon ignores these and uses hardcoded values instead.

caption - send_Metadata function in comm.cpp

After parsing the configuration, the beacon generates metadata to send to the C&C server. Key values are listed below.

| Variable Name | Description |
| --- | --- |
| beacon_key | Random 16-byte session key |
| codepage | 65001 (hardcoded) |
| oem | 65001 (hardcoded) |
| beacon_id | Random 4-byte agent identifier |
| MajorVersion | Major version (from uname output) |
| dwBuildNumber | Minor version (from uname output) |
| build | Patch version (from uname output) |
| machine | 2 for x86_64, 0 otherwise |
| hostinfo | IP address |
| ComputerName | Hostname |
| UserName | Username |
| ProcessName | Basename of the program

caption - Metadata fields

After sending the initial metadata, it begins polling for commands from the C&C server via HTTP GET requests every 5 seconds and sends the results back via HTTP POST. The supported command ids are listed below.

| id | Function Name | Status | Description |
| --- | --- | --- | --- |
| 5 | cd | Functional | Changes the current directory |
| 10 | upload | Disabled | File upload-related code is commented out |
| 11 | download | Disabled | File download-related code is commented out |
| 12 | execute | Unimplemented | The main function BeaconExecuteCommand is undefined, related code is commented out |
| 14 | proxy_connect | Unimplemented | Call to undefined function is commented out |
| 15 | proxy_write | Unimplemented | Call to undefined function is commented out |
| 16 | proxy_close | Disabled | Code to set the global gBeaconRportfwd.state = 0 is commented out |
| 17 | proxy_listen | Unimplemented | Call to undefined function is commented out |
| 39 | pwd | Functional | Returns the current directory |
| 53 | ls | Functional | Lists the files in the current directory |
| 100 | bof | Unimplemented | Call to undefined function is commented out

caption - Cobalt Strike Beacon commands

The majority of commands are either unimplemented or disabled, suggesting this is an incomplete version of the beacon.

1.3.4. C# Loader

The directory work/home/user/Desktop/0128.zip contained a C# loader (ok.dll), its source code (ok.cs), and a runner script (ok.sct) designed to inject a Cobalt Strike Beacon into another process.

The frequent use of the word "test" in function names and arguments suggests this tool was experimental.

ok.hta

The ok.hta file is an HTML Application that downloads a script from hxxp://192.168[.]123.200/ok.sct and calls its Fuk method.

caption - ok.hta content

The downloaded script is presumed to be the ok.sct file found in the same archive.

ok.sct

This script deserializes an embedded byte array into a C# object and invokes its Work method. This object is presumed to be the ok.dll loader.

caption - deserialization code in C# Loader

The C# loader injects a Cobalt Strike Beacon into a conhost.exe process. The beacon payload is stored as a zlib-compressed and Base64-encoded string.

caption - Cobalt Strike Beacon decode function

Below is a portion of the beacon's configuration, extracted using CobaltStrikeParser.

caption - CobaltStrikeParser output

1.4. Ivanti Connect Secure

1.4.1. BRUSHFIRE

The zip file at work/mnt/hgfs/Desktop/ivanti-new-exp-20241220.zip contains Python scripts that leverage an Ivanti Connect Secure RCE exploit to deploy a backdoor.

The script crafts a clientCapabilities value to trigger CVE-2025-0282 and achieve RCE.

caption - exploit in exp*.py

CVE-2025-0282 has been exploited by UNC5221, a suspected China-nexus threat actor.

Multiple versions of these scripts were found, all functionally equivalent with minor variations in function offsets and service endpoints. The command-line arguments accepted by the scripts are listed below.

| Long Option | Short Option | Description |
| --- | --- | --- |
| ip | i | Target IP address |
| port | p | Target port |
| leak |  | Leak memory info |
| detect_version |  | Check if the server is vulnerable |
| install |  | Install backdoor |
| check |  | Check config |
| check_path |  | Check if the exploit works |
| delay |  | Set the timeout |
| check_backdoor |  | Check for backdoor |
| cmd |  | Execute command as root |
| python |  | Execute Python script using perl-static |
| perl |  | Execute Perl script using perl-static |
| lcmd |  | Execute command |
| version |  | Read /home/ssl-vpn-VERSION |
| config |  | Execute dsls -B -R -S / |
| local_path |  | Path to upload |
| upload |  | Upload file |
| download |  | Download file |
| clear_log |  | Clear logs |
| clean |  | Clear tracks and uninstall |
| verbose | v | Unused

caption - Command-line options

The script establishes a random 3-byte magic value and a random 4-byte key for each host. It uses the RCE exploit to execute plugins/install, which overwrites the legitimate ssl_read function with the backdoor from plugins/ssl_read. During communication, when the backdoor receives a payload starting with themagic value, it XOR-decrypts the rest of the payload with the key and executes it as shellcode.

caption - shellcode execution code in ssl_read

The script generates and uploads different shellcode payloads to the target server based on the provided options. It uses the replace method to patch the shellcode, adapting hardcoded placeholder values for the target environment. The table below details the options that deploy shellcode from the plugins directory and the purpose of each payload.

| Option | Shellcode Name | Description |
| --- | --- | --- |
| install | install | Overwrites ssl_read with the ssl_read backdoor shellcode |
| install | leak_info | Leaks function addresses needed for the inject shellcode |
| install | inject | Overwrites ssl_read using the leaked addresses |
| install | patch | The strncpy function used during ssl_read injection |
| version, download | read_file_asm | Reads a file, encrypts it with the key, and sends it |
| python, perl, upload | write_file_asm | Receives data, decrypts it with the key, and saves it to a file |
| upload, lcmd, cmd, config | cmd_asm | Executes a command, encrypts the output with the key, and sends it

caption - Options and corresponding shellcode

The plugins/ssl_read backdoor and its associated file paths match the description of the BRUSHFIRE malware used by UNC5221, as detailed in this report.

1.4.2. SPAWN Family Client

The zip file at work/mnt/hgfs/Desktop/New folder/203.234.192.200_client.zip was found to contain a tunneling script, an SSH client, and an SSH private key. The included readme.txt file contains instructions for using client.py and controller.py to connect to 203.234[.]192.200, an IP address belonging to the South Korean news organization Hankyoreh.

caption - content of readme.txt

client.py uses a SOCKS5 proxy to tunnel network traffic and accepts the following options:

| Option | Description | Default |
| --- | --- | --- |
| -h | local socks5 bind address, default: 127.0.0.1 | 127.0.0.1 |
| -p | local socks5 bind port, default: 1080 | 1080 |
| -H | Pulse Connect Secure address/hostname | raddr |
| -P | Pulse Connect Secure port, default: 443 | 443 |
| -v | enable verbose logging |  |
| --ca | CA certificate, default: use embeded CA |  |
| --cert | client certificate, default: ./client.crt |  |
| --key | client private key, default: ./client.key |  |

caption - Option descriptions

client.py initializes values for client_hello and client_key_exchange packets, which are used as follows:

• client_hello: Before transmission, random data is written to client_hello[15:43], the CRC32 checksum of this data is written to client_hello[11:15], and a random 32-byte sessionid is included in the message.

• client_key_exchange: Before transmission, a random 256-byte value is written to the premaster field, and a random 32-byte value is written to the enc_handshake_msg field.

The initial hardcoded value of client_hello is identical to the magic packet in the SPAWNMOLE sample detailed in this UNC5221 report. The runtime modification—writing random data and its CRC32 checksum—is consistent with the behavior of the SPAWNCHIMERA sample described in JPCert's report.

Like SPAWNMOLE, SPAWNCHIMERA was deployed by UNC5221 using CVE-2025-0282 as an initial access vector.

controller.py is an SSH client that uses the SOCKS5 proxy established by client.py for communication.

caption - SSH client code in controller.py

SPAWNMOLE was discovered alongside SPAWNSNAIL, which is capable of running an SSH server. SPAWNCHIMERA also includes SSH server functionality. Therefore, controller.py is likely a client for the SSH server component of either SPAWNSNAIL or SPAWNCHIMERA.

1.4.3. ROOTROT Client

The script at work/mnt/hgfs/Desktop/ivanti_control/main.py functions as a client for a webshell. Depending on the options provided, it generates a Perl script fragment, Base64-encodes it, sets a cookie to the encoded value, and sends an HTTP GET request. The options and their corresponding scripts are listed below.

• download {file_path}

  my $s = "";
  my $path = "{file_path}";
  local *FH;open(*FH, "<". $path);
  while (<FH>) { $s.= "$_";}
  close(*FH);
  print  "<!-- ".MIME::Base64::encode_base64($s,"")."-->"
  
  

• {command}

  my $l ="";
  my $r = "";
  my $fd = popen(*PIPE,"{command}",\\\\'r\\\\') ;
  while (<PIPE>) {$l.= $_;};
  $r.= MIME::Base64::encode_base64($l,"");
  my $s = "<!-- ". pack("C*", unpack("C*", $r));$s.= "-->";
  print $s
  
  

Both Perl scripts Base64-encode their output and wrap it in HTML comments. The main.py client then extracts the content of the last comment in the HTTP response, Base64-decodes it, and prints the result.

caption - The function that sends the request and decodes the response

ROOTROT, as described in this UNC5221 report, is a Perl-based web shell that Base64-decodes a cookie value before executing it with eval. It then sends the Base64-encoded results back within HTML comments. This behavior confirms that main.py is the client for the ROOTROT web shell.

Like the other UNC5221 malware mentioned, ROOTROT has been found in attacks targeting Ivanti Connect Secure vulnerabilities.

1.5. Phishing Attacks

1.5.1. Naver AitM Attack

Files related to an Adversary-in-the-Middle (AitM) attack targeting Naver credentials were found in work/mnt/hgfs/Desktop/New folder/vps2/Cipherishing. The file work/mnt/hgfs/Desktop/New folder/readme.txt contains a configuration guide written in Chinese.

caption - content of readme.txt

Below is a machine translation of

readme.txt:

Bastion VPS Configuration
Configure wildcard domain certificate
apt install snapd
apt install certbot
For details, see <https://www.digitalocean.com/community/tutorials/how-to-acquire-a-let-s-encrypt-certificate-using-dns-validation-with-acme-dns-certbot-on-ubuntu-18-04>

certbot certonly  -d "*.nid-security.com" -d nid-security.com --manual --preferred-challenges dns-01  --server <https://acme-v02.api.letsencrypt.org/directory>
In forward.conf, replace `Require ip 27.255.80.170` with the phishing VPS address
In default-ssl.conf, replace `/etc/letsencrypt/live/nid-security.com/` with the path to your own generated certificate
Replace the IP in ProxyPass and ProxyPassReverse with the backend phishing VPS address
Place default-ssl.conf and forward.conf into the tomcat configuration folder sites-available
Replace /etc/apache2/ports.conf with ports.conf
a2enmod ssl
a2enmod headers
a2enmod proxy proxy_http proxy_connect
a2ensite forward.conf
systemctl restart apache2

Phishing VPS environment configuration
Install Python dependencies
apt install python3-pip
pip install -r requirements.txt
In the config folder, modify the `server` field in naverconfig.py to the actual phishing bare domain, for example `navertest.com`. The phishing subdomain is fixed as `nid.navertest.com`
Modify AUT_OK_302 to the actual redirect address
Run
python .\\\\

The script work/mnt/hgfs/Desktop/New folder/vps2/Cipherishing/cipherginx.py acts as a proxy between Naver and the victim. When the victim accesses Naver through this proxy, their headers, cookies, username, and password are saved to the cookies directory under the following filenames:

• {nid_id}.headers

• {nid_id}.cookie

• accounts.txt

caption - accounts.txt writer in cipherginx.py

The configuration file work/mnt/hgfs/Desktop/New folder/vps2/Cipherishing/naverconfig.py contains a malicious JavaScript payload. The proxy injects this payload into the Naver login page to capture and exfiltrate user credentials.

caption - Naver credential exfiltration code in naverconfig.py

Scripts using the exfiltrated credentials to steal the victim's email, contacts, account details, and other data were found at the following paths:

| File Path | Description |
| --- | --- |
| work/mnt/hgfs/Desktop/New folder/vps2/Cipherishing/downloader/download.py | Collects emails, contacts, and login history. |
| work/mnt/hgfs/Desktop/New folder/vps2/Cipherishing/downloader/gen_eml.py | Packages collected emails into EML files. |
| work/mnt/hgfs/Desktop/New folder/vps2/Cipherishing/downloader/manuel_download.py | Manually triggers email collection for a given nid. |
| work/mnt/hgfs/Desktop/New folder/vps2/Cipherishing/downloader/models.py | Logs exfiltrated credentials and mailSN to his.db to prevent duplicates

caption - File descriptions

1.5.2. Kakao Login Phishing Attack

The file vps/var/www/html/kakao-login.php is a phishing page that spoofs the Kakao login portal. The HTML template for this page is located at vps/var/www/html/templates/kakao.html.

On a GET request, kakao-login.php checks if a cookie named ft is set. If the cookie exists, it redirects the user to https://mail.daum.net.

caption - GET request handler

If the ft cookie is not set, the script displays the fake Kakao login page. When a user attempts to log in, the form submits the entered credentials via a POST request.

Upon receiving a POST request, the script saves the credentials to log/password_log.txt and sets the ft cookie to no.

caption - POST request handler

Although password_log.txt contains 14 entries, all but one appear to be test data (e.g., (123123, 1212121212), (ttttt222, 2323232323).

1.5.3. Email Phishing Attack

Web server code for generating phishing emails and managing victim logs was found under vps/var/www/html.

The web server scripts save logs, and all except generator.php use a common format.

For parameters, only the xml parameter is treated specially, as detailed in the request.php section. Log files are saved with the format {name}.txt.{%Y%m%d}.

generator.php

vps/var/www/html/generator.php is a page for generating phishing emails. Its behavior depends on the value of the cookie HnoplYTfPX and the request method.

| Cookie HnoplYTfPX Exists | Request Method | Behavior |
| --- | --- | --- |
| No | POST | Compares the passwd parameter with "hkjOPQIBBgU". If it matches, sets the cookie HnoplYTfPX. |
| Yes | GET | Shows the phishing email generation form. |
| Yes | POST | Shows the generated phishing email content

caption - Execution logic

The phishing email generation form contains the following fields.

| Name | Label | HTML Tag | Default Value |
| --- | --- | --- | --- |
| to_email_address | to email_address | input type="text" |  |
| onlysniff | only sniff | input type="checkbox" |  |
| phishing_url | Phishing URL | input type="text" | https://nid.navermails.com/nidlogin.login?mode=form&url= |
| redirect_url | Redirect URL | input type="text" | https://bigfile.mail.naver.com/bigfileupload/download?fid=9leqBrJ4Wrdjb4kOM6kmK3Y/aAu/KIYZKAurKxUwFxgXKxbmKCYwFA2dFAg9axvlHruqMq0opx2wazUlMovlFzK/K4MlKqMlp6JoKx0CMq04 |
| content | html content %img% %link_url% | textarea |  |
| saveForm |  | input type="submit" | Submit

caption - Phishing email generation form fields

The generated phishing email components are displayed as follows.

| Title | Value |
| --- | --- |
| dot image url: | An img tag pointing to {base_url}/request.php?i={b64encode(to_email_address)}&dot.png. |
| redict url: | {base_url}/bigDataDownload/{b64encode(to_email_address)}. |
| link url: | {phishing_url}{urlencode(redirect_url)}&login_id={b64encode(to_email_address)}{"&f=yes" if onlysniff else ""}. |
| content: | The content field with %img% and %link_url% substituted with the values above

The value under content: is presumed to be the email body. Each generation is logged to log/generator_log.txt.{%Y%m%d} in the format below.

caption - Generated phishing email components

--------{%B %d, %Y, %I:%M %p}----------------
[to_emailaddress]_[b64encode(to_email_address)]
[link url]
[client ip]

If the victim's email client is configured to load external resources, the img tag triggers a request to request.php.

request.php

vps/var/www/html/request.php logs victim system information to log/request_log.txt.{%Y%m%d}.

If the request URI contains .png, the script returns a randomly colored image. Otherwise, it returns a page containing JavaScript to gather information about the victim's system and sends the results as URL parameters.

| Script Path | Collected Information |
| --- | --- |
| payload/adobe.js | Adobe Reader version (navigator.plugins/ActiveX) |
| payload/flash.js | Adobe Flash version |
| payload/java.js.bak | JRE versions |
| payload/plugin.js | Plugins and versions (navigator.plugins) |
| payload/xecure.js | XecureWeb version |
| payload/ie/drive.js.bak | Drive letters (via FilesystemObject, WMIC, etc.) |
| payload/ie/office.js | Microsoft Office version (via Word.Application COM/ActiveX) |
| payload/ie/pdf.js | Adobe Reader (via AcroPDF.PDF ActiveX) |
| payload/ie/xecure.js | XecureWeb ActiveX version |
| payload/ie/xmldom.js | Installed programs |
| payload/non-ie/webrtc.js.bak | Local and public IP addresses (via WebRTC)

caption - JavaScript files and collected information

The script then redirects to response.php?i={b64encode(email)}&{results}.

response.php The script at vps/var/www/html/response.php inspects the victim's IP address, user-agent, and locale. If these attributes meet specific criteria, the script Base64-decodes the i parameter and logs the result to log/response_log.txt.{%Y%m%d}. The conditions are as follows:

1. The locale is on a whitelist.

2. The IP address and user-agent are not on a blacklist.

The locale whitelist includes:

• us

• jp

• ja

• kr

• ko

The user-agent blacklist includes:

• bot

• spider

• crawl

• trend

• symantec

• virus

• spam

• secure

The IP blacklist is detailed below.

| IP range | Info | IP range | Info |
| --- | --- | --- | --- |
| 103.246.39.0/24 | bluecoat | 222.122.128.0/24 | Korea Telecom KORNET |
| 104.132.0.0/14 | Google | 222.122.185.0/24 | Korea Telecom KORNET |
| 121.156.79.0/24 | Korea Telecom KORNET | 23.192.0.0/11 | Akamai |
| 125.141.228.0/24 |  | 52.84.0.0/14 | Amazon |
| 15.211.153.0/24 | HP | 52.88.0.0/13 | Amazon |
| 150.70.0.0/16 | Trend Micro | 54.192.0.0/16 | Amazon |
| 182.162.206.103 | with symantec client v1 | 59.12.199.252 |  |
| 182.162.206.39 | with symantec client v2 | 59.18.85.26 |  |
| 183.99.48.26 | 20170124 fake chrome | 61.98.76.115 |  |
| 199.19.248.0/21 | bluecoat 199.19.248.0/21 | 61.111.0.0/18 | LG DACOM KIDC |
| 200.63.47.32/32 | AboveNet Engineering [ipeng@zayo.com](mailto:ipeng@zayo.com) | 66.102.0.0/20 | Google |
| 210.121.169.0/24 |  | 66.249.64.0/19 | Google |
| 211.115.119.0/24 | jnjedu | 72.13.86.0/24 | ??echosting |
| 211.233.80.0/ | Ahnlab | 83.223.96.0/19 | Gyron |
| 211.55.19.0/24 | KT CUSTOMER | 89.145.108.0/22 | Gyron |
| 216.104.0.0/19 | Trend Micro | 89.148.104.0/21 | DUNAWEB_89.148.104.0/21 |
| 218.153.8.0/24 |  | 115.90.74.131 |  |
| 221.141.3.0/24 | SK Broadband Co Ltd | 211.249.40.0/24 | naver |
| 221.252.42.0/24 | NRI SecureTechnologies | 211.56.96.0/24 | kakao |
| 222.99.190.104 | 20170124 chrome alike testing

caption - IP blacklist

A summary of the log files, their corresponding scripts, and activity statistics is provided below.

| Log Path | Script | Suspected Victims / Total Logs |
| --- | --- | --- |
| log/generator_log.txt | generator.php | 220 / 315 |
| log/password_log.txt | kakao-login.php | 1 / 14 |
| log/request_log.txt | redirect.php, request.php | 42 / 536 |
| log/response_log.txt | response.php | 4 / 33

caption - Summary of all logs and actual victim logs

1.6. Yonsei University Email Exfiltration Malware

The script at vps/var/www/html/js/chks.js is designed to exfiltrate emails from Yonsei University's webmail service (mail.yonsei.ac.kr).

The script first collects user information from the endpoint https://mail.yonsei.ac.kr/common/json/agent.do. It then adds cimoon185@daum.net to the account's list of forwarding addresses.

caption - Forward function in chks.js

After setting up the forwarding rule, it exfiltrates all emails dated since 2017-10-01 from the ent_{user} and TOTAL mailboxes. The emails are sent to https://service.navers.org/emuy.php?i={user} via POST requests. Notably, the script manually constructs the multipart/form-data request bodies instead of using the standard FormData API.