RESEARCH REPORT
Image Description
Common Information
Type Value
UUID 14d54657-f2bb-45fa-8eee-c4048c52e8e7
Fingerprint 02239b10e1bd20684ac491617821040a4cb60d4c773181bf493a2e4a62ef5ffe
Analysis status DONE
Considered CTI value 2
Text language
Published Feb. 3, 2021, 5:32 p.m.
Added to db March 9, 2024, 11:23 p.m.
Last updated Aug. 30, 2024, 10:13 p.m.
Headline RESEARCH REPORT
Title RESEARCH REPORT
Detected Hints/Tags/Attributes 141/4/232
Attributes
Details Type #Events CTI Value
Details CVE 269
cve-2017-0199
Details CVE 43
cve-2020-0674
Details CVE 14
cve-2019-17026
Details CVE 28
cve-2019-2215
Details CVE 13
cve-2017-0261
Details CVE 10
cve-2020-16875
Details CVE 2
cve-2020-17085
Details CVE 1
cve-2020-17084
Details CVE 4
cve-2020-17083
Details CVE 2
cve-2020-17143
Details CVE 3
cve-2020-17141
Details CVE 5
cve-2020-17117
Details CVE 2
cve-2020-7115
Details CVE 11
cve-2020-6418
Details CVE 8
cve-2020-8467
Details CVE 10
cve-2020-8468
Details CVE 7
cve-2020-6819
Details CVE 8
cve-2020-6820
Details CVE 13
cve-2020-1020
Details CVE 14
cve-2020-0938
Details CVE 10
cve-2020-1027
Details CVE 22
cve-2020-1380
Details CVE 14
cve-2020-0986
Details CVE 11
cve-2020-15999
Details CVE 9
cve-2020-17087
Details CVE 9
cve-2020-16009
Details CVE 7
cve-2020-16010
Details CVE 6
cve-2020-27930
Details CVE 6
cve-2020-27950
Details CVE 7
cve-2020-27932
Details CVE 5
cve-2020-16013
Details CVE 5
cve-2020-16017
Details CVE 17
cve-2020-4006
Details Domain 2
anf.gov.pk
Details Domain 208
mp.weixin.qq.com
Details Domain 20
blogs.360.cn
Details Domain 259
www.welivesecurity.com
Details Domain 35
blackhat.com
Details Domain 67
360.cn
Details Domain 70
blogs.jpcert.or.jp
Details Domain 43
www.solarwinds.com
Details Domain 184
www.fireeye.com
Details Domain 605
www.trendmicro.com
Details Domain 403
securelist.com
Details Domain 58
www.clearskysec.com
Details Domain 171
www.crowdstrike.com
Details Domain 84
www.forbes.com
Details Domain 12
www.who.int
Details Domain 151
www.bbc.com
Details Domain 16
www.anquanke.com
Details Domain 1
www.cert.org.cn
Details Domain 154
us-cert.cisa.gov
Details Domain 1
sindh.gov.pk
Details Domain 1
kashmirexclusive.in
Details Domain 3
threatbook.cn
Details Domain 37
blog.alyac.co.kr
Details Domain 546
www.recordedfuture.com
Details Domain 261
blog.talosintelligence.com
Details Domain 84
www.zscaler.com
Details Domain 139
www.securityweek.com
Details Domain 1
www.businessinsider.in
Details Domain 7
cryptome.org
Details Domain 7
www.telsy.com
Details Domain 78
securityaffairs.co
Details Domain 362
attack.mitre.org
Details Domain 112
docs.google.com
Details Domain 67
citizenlab.ca
Details Domain 17
www.xinhuanet.com
Details Domain 26
weibo.com
Details Domain 14
www.tc260.org.cn
Details Domain 124
www.reuters.com
Details Domain 8
www.timesofisrael.com
Details File 268
msiexec.exe
Details File 1
via eqnedt32.exe
Details File 1
国家社科基金项目.exe
Details File 1
中国南亚语种学会2020年会邀请函.exe
Details File 1
but the backdoor program used is mostly rekeywiz.exe
Details File 1
rekeywize.exe
Details File 1
loads duser.dll
Details File 1
since the framework's core components are mainly thinmon.dll
Details File 28
wlbsctrl.dll
Details File 1
thinmon.dll
Details File 12
msfte.dll
Details File 1
clickonce.exe
Details File 1
along with clickonce.exe
Details File 1
banner_m.jpg
Details File 1
the main program of a domestic (Chinese) office suite, wps.exe
Details File 1
the benign (whitelisted) file wps.exe
Details File 1
after launch, it loads krpt.dll from the same directory
Details File 4
v3medic.exe
Details File 1
ptlauncher.exe
Details File 1
lbtwiz.exe
Details File 2
steamerrorreporter.exe
Details File 48
applaunch.exe
Details File 2
googletoolbarnotifier.exe
Details File 1258
explorer.exe
Details File 8
dbgview.exe
Details File 2
ldvpreg.exe
Details File 1
sharemgr.exe
Details File 8
wps.exe
Details File 2
qmbsrv.exe
Details File 1
qbclient.exe
Details File 1
cloudmusic.exe
Details File 2
ptusersessionwrapper.exe
Details File 1
qyupdate.exe
Details File 1
xunjiepdfeditor.exe
Details File 1
360kantu.exe
Details File 1
kugou.exe
Details File 2
comti.dll
Details File 2
kltgtr.dll
Details File 1
ingwyztn.dll
Details File 41
wtsapi32.dll
Details File 2
scpctr.dll
Details File 2
whtnwfc.dll
Details File 1
xxxud.exe
Details File 1
xxxudc.exe
Details File 1014
rundll32.exe
Details File 2
ogg.bin
Details File 29
orion.core
Details File 26
businesslayer.dll
Details File 2
apt-c-06_0day.html
Details File 1
youre-in-when-appref-ms-abuse-is-operating-as-intended.pdf
Details File 8
malware-wellmes-9b78.html
Details File 1
campaign-targets-ukraine-government.html
Details File 1
group.html
Details File 1
campaign.pdf
Details File 1
apt-c-23_target_at_middle_east.html
Details File 1
apt-c-50.html
Details File 142
www.cer
Details File 1
20150914152821158428128_.html
Details File 1
advisory23-1-20.pdf
Details File 1
sophisticated_cyberespionage_actor_returns.pdf
Details File 1
access-of-fireeye-red-team-tools.html
Details File 1
poetrat-covid-19-lures.html
Details File 1
nsa-aurora-gold-intercept-14-1203.pdf
Details File 1
deadlykiss_taar.pdf
Details File 1
hijacks-internet-traffic.html
Details File 1
c_1126693293.htm
Details File 5
postdetail.html
Details Mandiant Uncategorized Groups 97
UNC2452
Details MITRE ATT&CK Techniques 52
T1195
Details MITRE ATT&CK Techniques 694
T1059
Details MITRE ATT&CK Techniques 122
T1543
Details MITRE ATT&CK Techniques 164
T1574
Details MITRE ATT&CK Techniques 439
T1055
Details MITRE ATT&CK Techniques 287
T1003
Details MITRE ATT&CK Techniques 185
T1518
Details MITRE ATT&CK Techniques 159
T1021
Details MITRE ATT&CK Techniques 94
T1572
Details MITRE ATT&CK Techniques 422
T1041
Details Threat Actor Identifier - APT-C 5
APT-C-41
Details Threat Actor Identifier - APT-C 3
APT-C-47
Details Threat Actor Identifier - APT-C 2
APT-C-42
Details Threat Actor Identifier - APT-C 44
APT-C-00
Details Threat Actor Identifier - APT-C 24
APT-C-06
Details Threat Actor Identifier - APT-C 22
APT-C-08
Details Threat Actor Identifier - APT-C 19
APT-C-01
Details Threat Actor Identifier - APT-C 7
APT-C-24
Details Threat Actor Identifier - APT-C 2
APT-C-30
Details Threat Actor Identifier - APT-C 30
APT-C-26
Details Threat Actor Identifier - APT-C 7
APT-C-48
Details Threat Actor Identifier - APT-C 11
APT-C-12
Details Threat Actor Identifier - APT-C 9
APT-C-20
Details Threat Actor Identifier - APT-C 102
APT-C-35
Details Threat Actor Identifier - APT-C 15
APT-C-28
Details Threat Actor Identifier - APT-C 79
APT-C-23
Details Threat Actor Identifier - APT-C 10
APT-C-50
Details Threat Actor Identifier - APT-C 2
APT-C-54
Details Threat Actor Identifier - APT-C 2
APT-C-43
Details Threat Actor Identifier - APT-C 3
APT-C-44
Details Threat Actor Identifier - APT-C 7
APT-C-52
Details Threat Actor Identifier - APT-C 3
APT-C-51
Details Threat Actor Identifier - APT-C 16
APT-C-09
Details Threat Actor Identifier - APT 783
APT28
Details Threat Actor Identifier - APT 277
APT37
Details Url 2
https://mp.weixin.qq.com/s/lh7y_khuxag_-pcfbc7d0q
Details Url 1
https://mp.weixin.qq.com/s/kseyd0hpkmcuzbbcyadpaa
Details Url 1
https://blogs.360.cn/post/apt-c-06_0day.html
Details Url 1
https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-
Details Url 1
https://mp.weixin.qq.com/s/zv0fl1mzvvgw-fny9wdbog
Details Url 1
https://mp.weixin.qq.com/s/h_mujfa3qgm9sqt_kzcdhq
Details Url 1
https://i.blackhat.com/usa-19/wednesday/us-19-burke-clickonce-and-
Details Url 1
https://mp.weixin.qq.com/s/5no0tr4ecvpp_xv4joxebg
Details Url 1
https://b.360.cn/about/news/article5f15869528566f0055ff2524
Details Url 8
https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html
Details Url 6
https://www.solarwinds.com/securityadvisory
Details Url 2
https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-
Details Url 1
https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-
Details Url 1
https://www.trendmicro.com/en_us/research/20/a/first-active-attack-
Details Url 2
https://securelist.com/transparent-tribe-part-1/98127
Details Url 1
https://www.clearskysec.com/wp-content/uploads/2020/08/dream-job-
Details Url 2
https://www.crowdstrike.com/blog/who-is-pioneer-kitten
Details Url 1
https://www.forbes.com/sites/zakdoffman/2020/02/16/terrorist-android-
Details Url 1
https://blogs.360.cn/post/apt-c-23_target_at_middle_east.html
Details Url 1
https://blogs.360.cn/post/apt-c-50.html
Details Url 1
https://b.360.cn/about/news/article5f6ff23e46a3f50057643944
Details Url 1
https://mp.weixin.qq.com/s/gwoirnplvqx761lw8x-s5g
Details Url 1
https://www.who.int/news/item/23-04-2020-who-reports-fivefold-
Details Url 1
https://www.bbc.com/russian/features-49050982
Details Url 1
https://www.anquanke.com/vul/id/2049794
Details Url 1
https://www.cert.org.cn/publish/main/12/2015/20150914152821158428128
Details Url 1
https://www.anquanke.com/post/id/86657
Details Url 6
https://securelist.com/operation-shadowhammer/89992
Details Url 1
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b
Details Url 1
https://mp.weixin.qq.com/s/ks9iw8eosgvi_1lhsq2g3w
Details Url 1
https://sindh.gov.pk/notifications/january2020/advisory23-1-20.pdf
Details Url 1
https://kashmirexclusive.in/2020/05/01/intel-agencies-caution-armed-
Details Url 1
https://securelist.com/files/2015/06/the_mystery_of_duqu_2_0_a_
Details Url 1
https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-
Details Url 1
https://m.threatbook.cn/detail/2371
Details Url 1
https://blog.alyac.co.kr/2896
Details Url 2
https://securelist.com/deathstalker-mercenary-triumvirate/98177
Details Url 1
https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-
Details Url 1
https://www.recordedfuture.com/pupyrat-malware-analysis
Details Url 1
https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html
Details Url 1
https://www.zscaler.com/blogs/security-research/targeted-attacks-oil-
Details Url 2
https://www.securityweek.com/ransomware-operators-demand-14-
Details Url 1
https://www.businessinsider.in/tech/news/mumbais-massive-power-cut-
Details Url 1
https://cryptome.org/2014/12/nsa-aurora-gold-intercept-14-1203.pdf
Details Url 1
https://mp.weixin.qq.com/s/nn_irvwa6yohfs9z3a0rba
Details Url 1
https://www.telsy.com/wp-content/uploads/deadlykiss_taar.pdf
Details Url 1
https://securityaffairs.co/wordpress/101134/security/rostelecom-telco-
Details Url 58
https://attack.mitre.org
Details Url 1
https://docs.google.com/spreadsheets/d/1lknj0uqwbec1ztrrxdtuplcil7
Details Url 1
https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-
Details Url 1
http://www.xinhuanet.com/politics/2020-11/03/c_1126693293.htm
Details Url 1
https://weibo.com/7454177482/jxq2v8ay5?type=comment
Details Url 1
https://www.tc260.org.cn/front/postdetail.html?id=20200313141548
Details Url 1
https://mp.weixin.qq.com/s/wvlhs6luioseyugve8jtkg
Details Url 1
https://www.reuters.com/article/us-ukraine-cyber-attacks-iduskbn19i1ij
Details Url 3
https://securelist.com/lazarus-on-the-hunt-for-big-game/97757
Details Url 1
https://www.timesofisrael.com/iran-linked-group-claims-to-hack-israeli-