Orz
AIRBREAK, also tracked as Orz, is a custom JavaScript backdoor associated with the China-linked espionage activity cluster tracked as APT40, Leviathan, MUDCARP, and TEMP.Periscope. It has been used in long-running cyber-espionage campaigns targeting defense contractors, government agencies, universities with military ties, legal organizations, maritime-related entities, and other organizations in the United States, Western Europe, and South China Sea-related contexts.
The malware is described as a first-stage backdoor used before downloading additional payloads. Reported delivery vectors include spearphishing emails with malicious attachments and URLs, including macro-enabled Microsoft Office files, malicious Microsoft Publisher documents, and exploits such as CVE-2017-0199 and CVE-2017-8759. In one documented chain, a larger JavaScript stage established persistence via a Startup shortcut and executed obfuscated PowerShell to download Cobalt Strike. Some infection chains used SeDll to decrypt and execute the final JavaScript backdoor.
Reported capabilities of Orz/AIRBREAK include system reconnaissance, gathering the victim's Internet Explorer version, proxy discovery, process listing, drive enumeration, registry operations and registry modification, file upload and download, command execution, JavaScript execution, shell command execution, and HTTP GET/POST communications. It has also been noted to overwrite registry settings to reduce visibility on the victim host.
Command-and-control has used attacker-controlled servers, compromised victim web servers, and legitimate web pages including Technet and Pastebin. An older variant reportedly used vitaminmain[.]info as a secondary C2 server. Some versions embed a DLL known as MockDll, which uses process hollowing and regsvr32 to execute another payload. Separate reporting also describes Orz being dropped by a Windows executable masquerading as a decryption tool and then executed with Wscript; related persistence used a Run key invoking rundll32.exe with zipfldr.dll RouteTheCall.
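As an added example (not code from the page's sources or from the Mallory platform), the following Python check looks for the two host-side artifacts of the chain just described: a Run-key value that launches rundll32.exe with zipfldr.dll,RouteTheCall, and wscript.exe executing a .js file from a temp directory. The pipe-delimited log format and the sample lines are constructed assumptions.

```python
"""Detection check for the Orz/AIRBREAK persistence and execution chain.

Assumed input: one event per line, "EventType|details", loosely modelled on
process-creation and registry-set telemetry. All sample lines are constructed.
"""
import re
from typing import List, Optional, Tuple

# Run or RunOnce autostart value under CurrentVersion (HKCU or HKLM).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# rundll32 loading the zipfldr.dll RouteTheCall export, as described for Orz persistence.
ROUTETHECALL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+.*zipfldr\.dll\s*,\s*RouteTheCall", re.IGNORECASE)
# wscript.exe executing a .js file from %TMP%/%TEMP% or the user's Local\Temp folder.
WSCRIPT_TMP_JS_RE = re.compile(
    r'wscript(?:\.exe)?\s+"?(?:%TMP%|%TEMP%|[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp)'
    r'\\[^\s"]+\.js', re.IGNORECASE)


def classify(line: str) -> Optional[str]:
    """Return a finding label for one log line, or None when nothing matches."""
    kind, _, detail = line.partition("|")
    kind = kind.strip()
    if kind == "RegistrySet" and RUN_KEY_RE.search(detail) and ROUTETHECALL_RE.search(detail):
        return "orz_persistence_runkey_routethecall"
    if kind == "ProcessCreate" and WSCRIPT_TMP_JS_RE.search(detail):
        return "orz_wscript_js_from_temp"
    return None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run classify() over a log and return (1-based line number, label) hits."""
    hits = []
    for number, line in enumerate(lines, 1):
        label = classify(line)
        if label:
            hits.append((number, label))
    return hits


# Constructed sample telemetry: two hits, two benign lines, one %TMP% variant.
SAMPLE_LOG = [
    r"RegistrySet|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update|C:\Windows\System32\rundll32.exe zipfldr.dll,RouteTheCall C:\Users\alice\AppData\Local\Temp\update.exe",
    r'ProcessCreate|C:\Windows\System32\wscript.exe "C:\Users\alice\AppData\Local\Temp\update.js"',
    r'ProcessCreate|C:\Windows\System32\wscript.exe "C:\Program Files\Vendor\install.js"',
    r"RegistrySet|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive|C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    r"ProcessCreate|wscript.exe %TMP%\svc.js",
]

if __name__ == "__main__":
    for number, label in scan(SAMPLE_LOG):
        print(f"line {number}: {label}")
```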
Known related infrastructure and indicators include ftp://185.106.120[.]206/pub/readme.txt, hxxp://185.106.120[.]206/favicon.ico, vitaminmain[.]info, chemscalere[.]com and its subdomains, candlelightparty[.]org, www.candlelightparty[.]org, and newapp.freshasianews[.]com, as well as the hashes cd195ee448a3657b5c2c2d13e9c7a2e2, b43ad826fe6928245d3c02b648296b43, 889a9b52566448231f112a5ce9b5dfaf, b8ec65dab97cdef3cd256cc4753f0c54, and 04d83cd3813698de28cfbba326d7647c.
Vulnerabilities exploited
4 CVEs Mallory has correlated with this family across public research and vendor advisories.
First-stage backdoors such as AIRBREAK, FRESHAIR, and BEACON are used before downloading other payloads.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Tools: Nanhaishu, Orz, SeDll, Cobalt Strike, GreenCrash, AIRBREAK, BlackCoffee, China Chopper, FUSIONBLAZE, HOMEFRY, MURKYTOP, Metasploit / Meterpreter, ScanBox, Derusbi Trojan, Derusbi, Metasploit
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (5 techniques)
This definition in turn downloads a VBScript favicon.ico file, which then creates and runs two JavaScript files in the %TMP% directory.
The actor continues to use scripting languages such as JavaScript, JavaScript Scriptlets, VBScript, and XML.
Persistence (1 technique)
Stealth (4 techniques)
The actor uses simple obfuscation such as base64, gzip compression, and insertion of garbage characters.
Defense Impairment (2 techniques)
Credential Access (1 technique)
Discovery (6 techniques)
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
Basic functionality includes: Information gathering (computer name, user name, serial number, proxy server)
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
"Bundlore has the ability to enumerate what browser is being used as well as version information"; "Orz can gather the victim's Internet Explorer version"; "SUGARDUMP can identify ... browsers, including version number"; "SideCopy has collected browser information"
"Bazar can query the Registry for installed applications." / "BRONZE BUTLER has used tools to enumerate software installed on an infected host." / "LightSpy ... enumerate the Applications folder to collect the bundle name, bundle identifier, and version information..." / "Volt Typhoon has queried the Registry on compromised systems for information on installed software."
Command and Control (4 techniques)
Its functionality includes: GET request to a URL; POST request to a URL.
IOCs tracked for this family
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Malware with an embedded DLL, MockDll, that uses Process Hollowing and regsvr32 to execute another payload.
A custom-built JavaScript backdoor associated with MUDCARP that is dropped by a Windows executable and executed using Wscript, with persistence established via rundll32 and zipfldr.dll RouteTheCall after reboot.
Backdoor that uses public web pages (TechNet, Pastebin) for command-and-control.
Malware that uses TechNet and Pastebin web pages for command and control.