Poison Ivy

The actors also appear to have access to legitimate servers that they use to host Bookworm and other related tools for attacks.

Considering all the malware related to PKPLUG that Unit 42 has analyzed, the use of such exploits appears to be less common than a spear-phishing technique making use of social engineering to lure victims into running their malware.

We determined that the infection vector observed in this campaign was spear phishing, with emails originating from both free email accounts and compromised user accounts. Spear phishing emails included malicious .doc attachments that were actually RTF files saved with .doc file extensions. | Proofpoint researchers initially identified email campaigns with malicious RTF document attachments targeting East Asian government agencies in March 2019.

Unit 42 published research that reported attacks using the 9002 Trojan delivered through Google Drive. The download originated with a spear-phishing email containing a shortened URL that redirected multiple times before downloading a ZIP file hosted on Google Drive.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

The spreadsheet contained a zero-day exploit that installs a backdoor... In the case of the RSA attack the assault involved a variant of the Poison Ivy Trojan.

The content of the website contained encoded VBScript that executed PowerShell commands ... as well as another encoded PowerShell script closely resembling PowerSploit ... that was responsible for decoding and launching a Poison Ivy payload.

During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.

The content of the website contained encoded VBScript that executed PowerShell commands to download a Microsoft Word document from the same GeoCities site

The malicious RTF attachments exploited vulnerabilities in the Microsoft Equation Editor, specifically CVE-2018-0798, before downloading subsequent payloads.

PlugX is usually distributed as a package of several files. These files are composed to exploit a phenomenon called DLL search order hijacking (also called sideloading)... The malware thus gets the unwitting help of a trusted executable to run.

GreyEnergy chooses a service, drops a DLL file, and writes it to that serviceDLL Registry key.

They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.

The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.

Spear phishing emails included malicious .doc attachments that were actually RTF files saved with .doc file extensions.

The contents of the file, assuming a victim clicked on the URL in the spear-phishing email, resembles the structure used in a technique known as AppLocker Bypass whereby trusted Windows executables can be used to execute malicious payloads.

PlugX is usually distributed as a package of several files. These files are composed to exploit a phenomenon called DLL search order hijacking (also called sideloading)... The malware thus gets the unwitting help of a trusted executable to run.

GreyEnergy chooses a service, drops a DLL file, and writes it to that serviceDLL Registry key.

They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

Ember Bear gathers victim system information such as enumerating the volume of a given device; Frankenstein used Empire to gather various local system information; many malware entries state they collect system information from compromised hosts.

攻撃者はEternal Blueを悪用して同一ネットワーク上のいくつかのホストに移動することに成功すると、そのうちの1つのホスト上で興味深いマルウェアを動かし始めました。

The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.

The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.

As part of the second stage, the group deploys customized Gh0st RAT and Poison Ivy malware payloads designed to evade detection... GALLIUM has modified the communication method used by the malware, likely to prevent detection through existing antimalware signatures.

The command and control structure of Cotx RAT is proxy aware. It utilizes wolfSSL for TLS encrypted communication.

Remote Access Trojans are programs that provide the capability to allow covert surveillance or the ability to gain unauthorized access to a victim PC... they provide the capability for an attacker to gain unauthorized remote access to the victim machine via specially configured communication protocols which are set up upon initial infection of the victim computer.

Use of large command and control (C2) infrastructure, which heavily favors dynamic DNS domains for C2 servers.

Use of a large number of Dynamic DNS (DDNS) domains which form part of overlapping infrastructure clusters