Darkhotel

DarkHotel is an advanced persistent threat group publicly disclosed in 2014, with reported activity dating back to at least 2010 and some reporting stating activity since at least 2007. It is also tracked as Tapaoux and has aliases including APT-C-06, APT-C-60, Dark Hotel, Dark_Hotel, Dubnium, Egobot, Fallout Team, Nemim, Paladin, Purple Pygmy, Shadow Crane, Tapaoux, Templar, Tieonjoe, and Zigzag Hail. The group is assessed in the provided content as having a Korean Peninsula government background. DarkHotel originally became known for targeting business executives and state dignitaries staying in luxury hotels, including through compromises of hotel Wi-Fi networks that delivered fake Adobe updates to selected guests. The content states that the group uploaded malware to hotel servers before a target arrived and deleted it after the victim departed. Reported targeting spans China, North Korea, Japan, Myanmar, India, several European countries, and in other reporting includes executives, government agencies, NGOs, research institutions, foreign trade, military industries, and the U.S. defense industrial base. The group has used spearphishing emails with malicious attachments, including RAR and LNK files, to lure victims into execution. Reported malware behaviors include searching for files with specific patterns; collecting IP address, network adapter information, hostname, OS version, service pack version, processor architecture, and running process lists; and disguising malware as a Secure Shell tool. DarkHotel has established persistence via Windows Run Registry keys and has dropped an mspaint.lnk shortcut that launches a shell script to download and execute a file. The content attributes to DarkHotel repeated use of obfuscation and encryption, including RC4, XOR, and RSA, as well as just-in-time string decryption to evade sandbox detection. It also notes use of forged or stolen code-signing certificates to sign malware, backdoors, and downloaders. A recent intrusion described in the content was attributed to DarkHotel with high confidence by Knownsec 404. In that activity, Microsoft-signed system binaries were used to side-load malicious DLLs, which decrypted and loaded additional components. Knownsec assessed the framework as an upgraded version of the 2023 InitPlugins framework based on shared XOR-based encryption, similar decryption-and-loading architecture, and identical loaded components. The campaign used MFC localization resource-loading abuse to load a malicious LOC.dll, modular loading, disguised encrypted module files including .pem files timestamped to match kernel32.dll, local RPC for component execution, and separate scheduled tasks for persistence. The malware supported multiple loading modes including shellcode execution via thread creation, reflective loading, injection execution, and LoadLibraryW-based loading. The attack also used dual-stage process injection and separated the remote-control component, identified as Meterpreter, from functional modules including keylogging, screen capture, and USB theft.