APT36 – “Abaris” Deobfuscating VB Dropper


I recently discovered a sample attributed to the threat actor APT36 (“Transparent Tribe”) on MalwareBazaar.
APT36 (aka Transparent Tribe) is a Pakistan-aligned cyber-espionage group that has been active since at least 2013 and is primarily focused on intelligence collection against targets in South Asia (government, military, diplomatic and research organizations in India and Afghanistan).
The group is known for tailored phishing campaigns and diverse staging techniques (weaponized documents, malicious installers and platform-specific lures), and has a history of delivering custom backdoors and RAT families such as variants of Crimson/Eliza-style malware.
Recently observed activity shows the actor expanding its toolset and delivery methods (including Linux desktop-lures and cloud-hosted payloads), which underlines the need to treat seemingly innocuous artifacts (obfuscated scripts, shortcut files, or odd AppData/Temp files) as potentially dangerous.


The sample turned out to be a heavily obfuscated VBScript. In this post I will walk through the manual deobfuscation steps I performed.
The SHA256 hash of the file is “d35f88dce5dcd7a1a10c05c2feba1cf478bdb8a65144f788112542949c36dd87”

I first uploaded the file to VirusTotal. It was first uploaded there yesterday (18 October 2025).
Some AV systems already detect the file as malicious.

(note: I call this sample “Abaris” because the dropper decodes part of its payload and writes it into a file named Abaris.txt, which is later used for execution.)

If you want to download the sample or my cleaned copy, you can find them here: https://github.com/Mr128Bit/apt-malware-samples/tree/main/Pakistan/APT36/Abaris

Original filename: Pak_Afghan_War_Impact_on_Northern_Border_India.vbs. I made a copy and renamed it to ap3.vbs for analysis.

When opening the file, you immediately notice a lot of Danish-looking comments/words scattered through the source. These are pure noise: they are there to hinder analysis and evade signature detection. Underneath the noise, however, we can still find the Visual Basic constructs that we want to extract.


We can filter out those comment lines very easily.

grep -v "^'" apt33.vbs | sed '/^[[:space:]]*$/d' > apt33_clean.vbs

The output looks much cleaner now, clear VB structures are visible, although the script remains heavily obfuscated.

The next step is to remove additional noise by deleting variables or code blocks that are only used in initialization and never referenced later.

After cleanup, the following code remains:

This is already much tidier. We identified three functions of interest: Crocodilite, Subskribenten, and Cashoo. They are small and not deeply obfuscated, so we can determine their purpose fairly quickly. It’s often useful at this stage to rename obfuscated variables and functions to meaningful names.

Crocodilite

This function creates a text file and writes the passed string into it. In this sample it is used to write the content of the variable tendrilous into Abaris.txt.

' ORIGINAL
Sub Crocodilite(Tudemiklens, Fissuriform)

    Dim Sinh, Galactometer
    Set Sinh = CreateObject("Scripting.FileSystemObject")
    Set Galactometer = Sinh.CreateTextFile(Fissuriform, True)
    Galactometer.Write Tudemiklens
    Galactometer.Close

End Sub
' ADJUSTED
Sub write_to_file(text, path)
    Dim fileSysObj, file
    Set fileSysObj = CreateObject("Scripting.FileSystemObject")
    ' CreateTextFile(path, True) overwrites an existing file of the same name
    Set file = fileSysObj.CreateTextFile(path, True)
    file.Write text
    file.Close
End Sub

Subskribenten

This is a simple wrapper that executes a command via WScript.Shell. It’s used to invoke the payload that was written to disk.

' ORIGINAL
Set Plenicorn = CreateObject("WScript.Shell")
...
Function Subskribenten(Tautegorical)

    Call Plenicorn.Run(Tautegorical,0)

End Function

' ADJUSTED
Set shell = CreateObject("WScript.Shell")
...
' "Execute" is a reserved word in VBScript, so the wrapper is renamed ExecutePayload
Function ExecutePayload(payload)
    ' second argument 0 = SW_HIDE: the spawned window is not shown
    Call shell.Run(payload, 0)
End Function

Cashoo

A decoder routine. It extracts characters at fixed intervals from a masking string (i.e. it removes padding characters and reconstructs the hidden string). This is a classic technique to hide URLs, commands or other sensitive strings from static signature scanners.

' ORIGINAL
Function Cashoo(ByVal Microsphaeric)

    for i = 4 to len(Microsphaeric) Step 4
    ' Mid(string, start, length) extract a specified amount of characters from a string
    Cashoo = Cashoo & Mid(Microsphaeric,i,Alenlang) 

    Next


End Function

' ADJUSTED
Function ExtractEveryFourthChar(ByVal Text)
    Dim i
    ' Mid(string, start, length) extracts a specified number of characters from a string.
    ' Mid() is 1-based, so positions 4, 8, 12, ... are returned; trailing characters
    ' that do not complete a block of four are skipped.
    ' Alenlang in the original is the length argument; it is taken as 1 here (one
    ' character per step), which is what the every-fourth-character behaviour implies.
    For i = 4 To Len(Text) Step 4
        ExtractEveryFourthChar = ExtractEveryFourthChar & Mid(Text, i, 1)
    Next
End Function
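As an added example (not the author's script from the repository and not code from the sample), the following Python port of the Cashoo / ExtractEveryFourthChar routine shows the one detail that is easy to get wrong when translating it: VBScript's Mid() is 1-based, so VB position i is Python index i - 1. The `width` parameter stands in for the sample's Alenlang argument and is assumed to be 1; `mask_string` is a hypothetical inverse used only to build constructed input, and SAMPLE_MASKED is a constructed string, not one taken from the dropper.

```python
"""Python port of the dropper's Cashoo / ExtractEveryFourthChar routine (added example).

The VBScript loop is
    for i = 4 to len(Text) Step 4
        Cashoo = Cashoo & Mid(Text, i, Alenlang)
Mid() is 1-based, so VBScript position i maps to Python index i - 1.
"""


def extract_every_fourth_char(masked: str, width: int = 1) -> str:
    """Return the characters at 1-based positions 4, 8, 12, ... of `masked`.

    `width` stands in for the sample's Alenlang argument; one character per
    step is assumed (that is what the every-fourth-character behaviour implies).
    Trailing characters that do not complete a block of four are dropped,
    exactly as the VBScript loop drops them.
    """
    pieces = []
    for i in range(4, len(masked) + 1, 4):       # same bounds as the VB loop
        pieces.append(masked[i - 1 : i - 1 + width])
    return "".join(pieces)


def mask_string(plain: str, filler: str = "xyz") -> str:
    """Hypothetical inverse of the decoder, used only to build constructed input.

    Each real character is preceded by three filler characters so that it
    lands on a position that is a multiple of four.
    """
    if len(filler) != 3:
        raise ValueError("filler must be exactly three characters")
    return "".join(filler + ch for ch in plain)


def decode_lines(text: str) -> list[str]:
    """Decode one masked string per line, e.g. the contents of tendrilous.txt."""
    return [extract_every_fourth_char(line) for line in text.splitlines() if line.strip()]


# Constructed sample, not data from the real dropper: decodes to 'iex'.
SAMPLE_MASKED = "q1Wi8#Leppzx"


if __name__ == "__main__":
    print(extract_every_fourth_char(SAMPLE_MASKED))
    print(decode_lines(mask_string("gc") + "\n" + mask_string("$env:tmp")))
```

Feeding a file such as tendrilous.txt through `decode_lines` is enough to recover the masked strings one per line; the filler characters between the real ones can be anything, which is why simple signature matching on the masked text fails.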


I implemented a Python equivalent to decode the payload. After I finished the script I fed several encoded strings from the VB file through it.
Additionally, I loaded every string found for the variable “tendrilous” into a separate file “tendrilous.txt” for decoding purposes.
You can view the script here.

Result:

$Commonplacer=[char]34;
$Rasping=$env:tmp;
$Unbefringed=gc $Rasping\Abaris.txt -Delimiter $Commonplacer;
$Emydes=$Unbefringed.'substring'(4696-1,3);
.$Emydes $Unbefringed

The Python routine works as intended. The decoded PowerShell reads Abaris.txt, extracts a three-character command name from a fixed offset in that content, and invokes that command with the file content as its parameter, i.e. dynamic code execution.

I also implemented a Python equivalent for this routine; the script is available in the repository.

After running my script, the payload output looks like this:

At first glance the output looks nasty, but it can be disentangled. Don’t panic. I applied line breaks and indentation in the right places to make control flow and function calls visible.

To make the code more readable I used the following commands:

sed -i 's/;\$/;\n\$/g' "$1"
sed -i 's/;Cenogenesis/;\nCenogenesis/g' "$1"
sed -i 's/{/{\n/g' "$1"
sed -i 's/}/\n}\n/g' "$1"
sed -i 's/;function/;\nfunction/g' "$1"
sed -i 's/;while/;\nwhile/g' "$1"

The result now looks much more promising:

There is still some noise embedded in a few places. We also discovered repeated calls to the Roberts function with additional encoded strings. I wrote a Python helper to extract those strings from the file and decode them with the same Roberts / Cashoo logic.
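As an added example (not the author's helper from the repository), the following Python reproduces the reflow step from the sed commands above and the Roberts-call extraction described here in one pipeline: it applies the same six substitutions, pulls every string literal passed to Roberts out of the blob, decodes each with the every-fourth-character logic, and inlines the decoded literal in place of the call so the consolidated view can be read directly. The function names Roberts and Cenogenesis come from the post; the quoting style of the Roberts arguments and SAMPLE_BLOB itself are constructed assumptions, not data from the real dropper.

```python
"""Reflow + Roberts-call decoding pipeline (added example, not the author's helper)."""
import re

# The six sed substitutions from the post, applied in the same order.
REFLOW_RULES = [
    (";$", ";\n$"),
    (";Cenogenesis", ";\nCenogenesis"),
    ("{", "{\n"),
    ("}", "\n}\n"),
    (";function", ";\nfunction"),
    (";while", ";\nwhile"),
]

# Matches Roberts('...') or Roberts("...") and captures the masked literal.
# Single or double quoting is an assumption; the post does not show the call syntax.
ROBERTS_CALL = re.compile(r"""Roberts\(\s*(['"])(.*?)\1\s*\)""")


def extract_every_fourth_char(masked: str) -> str:
    """Cashoo / Roberts decoding logic: 1-based positions 4, 8, 12, ..."""
    return "".join(masked[i - 1] for i in range(4, len(masked) + 1, 4))


def reflow_powershell(blob: str) -> str:
    """Insert the same line breaks the sed commands insert."""
    for needle, replacement in REFLOW_RULES:
        blob = blob.replace(needle, replacement)
    return blob


def find_roberts_calls(blob: str) -> list[str]:
    """Return the masked string literals passed to Roberts, in order."""
    return [m.group(2) for m in ROBERTS_CALL.finditer(blob)]


def decode_roberts_calls(blob: str) -> list[str]:
    """Decode every Roberts argument found in the blob."""
    return [extract_every_fourth_char(s) for s in find_roberts_calls(blob)]


def inline_roberts_calls(blob: str) -> str:
    """Replace each Roberts('masked') call with the decoded PowerShell literal."""
    def _decoded_literal(m: re.Match) -> str:
        decoded = extract_every_fourth_char(m.group(2)).replace("'", "''")
        return "'" + decoded + "'"
    return ROBERTS_CALL.sub(_decoded_literal, blob)


def consolidate(blob: str) -> str:
    """Decoded literals inlined, then reflowed: the merged view described in the post."""
    return reflow_powershell(inline_roberts_calls(blob))


# Constructed one-line blob in the style of the dropper's output; the two
# masked literals decode to 'iex' and 'tmp'.
SAMPLE_BLOB = (
    "$c=Roberts('q1Wi8#Leppzx');function Cenogenesis{"
    "$d=Roberts('aa-tb!cmzzQp');while($true){.$c $d}}"
)


if __name__ == "__main__":
    print(decode_roberts_calls(SAMPLE_BLOB))
    print(consolidate(SAMPLE_BLOB))
```

Decoding the Roberts arguments before reflowing keeps the substitutions from splitting a masked literal that happens to contain a `;` or brace; the constructed sample decodes to `iex` and `tmp`, and the consolidated output places `function`, `while` and each brace on its own line.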

When we run that pipeline and merge the output under the previous deobfuscated view, we obtain the following consolidated result:

Final Script

This is the final deobfuscated dropper script. From it we can conclude the following:

  • The script repeatedly attempts to download a remote file from a suspicious URL and save it locally.
  • Once the file is available, it reads parts of it, Base64-decodes contained data, and reconstructs executable PowerShell code.
  • Finally, it executes that decoded code dynamically (via dot-sourcing / Invoke-Expression style execution).
    This is a classic loader / bootstrapper pattern for delivering secondary stages of malware.

There are some formatting glitches in the decompiled output that likely arose during processing, but the overall intent is clear.

The dropper notably points at hxxps[://]zohmailcloud[.]com//cloud/Assholes[.]psm as one of the remote payload locations. I could not retrieve the file, as the URL is no longer reachable, but I did find a Twitter post referencing the file with MD5 7a5fe1af036b6dba35695e6d4f5cc80f.

If I manage to acquire the remote artifact later, I will write a dedicated follow-up article with a full 2nd-stage analysis.


APT44 – Sandworm Team

APT44 (Sandworm Team) – Quick Facts

  • Type: Advanced Persistent Threat (APT)
  • Aliases: Sandworm, Sandworm Team, Seashell Blizzard, Iron Viking, Telebots, Voodoo Bear, Iridium, FrozenBarents
  • Origin: Russia, linked to Unit 74455, a cyberwarfare unit of the GRU, Russia’s military intelligence service
  • Active Since: 2004
  • Primary Targets: Western corporations, government organizations, defense contractors
  • Motivation: Cybersabotage, Data theft

Tactics & Techniques:
Initial Access
T1190 – Exploit Public-Facing Application.
T1203 – Exploitation for Client Execution.
T1199 / related: Spearphishing / Use of malicious files (spearphishing attachments / malicious files)
Execution
T1059 – Command and Scripting Interpreter.
T1059.001 – PowerShell.
T1059.003 – Windows Command Shell.
T1059.005 – Visual Basic (VBS).
Persistence
T1543 – Create or Modify System Process (service techniques), e.g. Windows service / systemd service modifications.
T1053.005 – Scheduled Task (Scheduled Task used via GPOs / scheduled jobs).
Privilege Escalation
– Various techniques observed in campaign artifacts; see Mandiant for low-level syscall / evasive behaviours.
Defense Evasion
T1140 – Deobfuscate/Decode Files or Information (Base64, TripleDES, GZip usage).
T1202 / Obfuscated Files or Information (software packing / obfuscation).
T1562 / Impair Defenses – e.g., Disable or Modify Tools; Disable Windows Event Logging.
Credential Access
T1555.003 – Credentials from Password Stores: Credentials from Web Browsers.
T1003 (OS Credential Dumping) – e.g., LSASS memory dumping observed historically.
T1056.001 – Input Capture: Keylogging (SetWindowsHookEx keylogger observed).
Discovery
T1087.002 – Account Discovery: Domain Account discovery via LDAP queries.
T1592.002 – Gather Victim Host Information: Software.
T1018 – Remote System Discovery.
T1046 / Network Service Scanning (Active Scanning / vulnerability scanning).
Lateral Movement
T1021.002 – Remote Services: SMB/Windows Admin Shares (use of ADMIN$, net use).
T1570 – Lateral Tool Transfer / Ingress Tool Transfer (copying payloads, using network shares).
Collection
T1213 – Data from Information Repositories (databases) – e.g., use of Adminer to exfiltrate DB data.
T1005 – Data from Local System (internal docs, files).
Exfiltration
T1041 – Exfiltration Over C2 Channel (HTTP C2 exfil observed).
Command and Control
T1071.001 – Application Layer Protocol: Web Protocols (HTTP used by BCS-server and other tools).
– Protocol Tunneling / non-standard channels have also been used in some campaigns.
Impact
T1486 – Data Encrypted for Impact (ransomware / Prestige used).
T1561.002 – Disk Wipe: Disk Structure Wipe (KillDisk/CaddyWiper usage).
T1484.001 – Domain or Tenant Policy Modification: Group Policy Modification (used to deploy wipers via GPO).
T1499 – Endpoint Denial of Service (observed in disruption campaigns).
T1491.002 – Defacement: External Defacement (mass website defacements).
Resource Development / Recon & Support (preparation)
T1583 – Acquire Infrastructure (domains, servers, covert leased infrastructure).
T1583.001 – Domains (register spoofing domains).
T1583.004 – Server (use of leased / reseller infrastructure).
T1595.002 – Active Scanning: Vulnerability Scanning (scanning target infrastructure).
Other observed behaviours / capabilities
– Use of custom destructive malware families (NotPetya, Industroyer variants, Olympic Destroyer, CaddyWiper, etc.).
– Use of third-party services for phishing campaigns and use of spoofed pages for credential harvesting.

  • Notable Campaigns:
    • Exfiltration of corporate data across multiple industries, including aerospace, energy, and technology
  • Attributed Tools & Malware:
    • BlackEnergy (BlackEnergy 3) – former backdoor/botnet framework used in attacks on Ukrainian energy suppliers (2015), among others.
    • KillDisk (various wiper variants) – Destructive component used to destroy hosts in multiple campaigns.
    • NotPetya / ExPetr (wiper masquerading as ransomware) – large-scale destruction/worm campaign in 2017.
    • Industroyer / Industroyer2 (CrashOverride) – specifically designed for industrial control systems (ICS); the Industroyer family has been observed in Ukrainian infrastructure operations.
    • Olympic Destroyer – Wiper/disruption malware used against the Pyeongchang Olympics; attribution was complicated, but often linked to Sandworm.
    • CaddyWiper / other GPO/AD wipers – modern wiper variants that have appeared in recent sabotage campaigns.
    • Infamous Chisel (Android components / Infamous Chisel family) – Persistent access/backdoor components for Android (2023 reports on Android targets).
    • SwiftSlicer / AD-viper / Active Directory wipers – local/AD-targeted wiper components that appear in attack reports in 2023–2024.
    • Custom C2/Beacon implementations & loaders (TeleBots / bespoke tooling) – Sandworm used its own C2 backdoors, beacon implementations, and droppers; TeleBots branding appears in connection with NotPetya.
    • Downloaders / droppers / Android wrappers / malicious app wrappers – previous campaigns showed downloader wrappers in Play Store apps and disguised Android apps to deliver additional components.
  • Malware Samples:

Description

APT44 (commonly tracked as Sandworm Team or GRU Unit 74455) is a state-sponsored Russian cyber-espionage and sabotage actor known for highly targeted, persistent operations against government, military, critical-infrastructure, and high-value private sector targets. The group blends sophisticated custom tooling with commodity malware and living-off-the-land techniques to gain access, escalate privileges, move laterally, and maintain stealthy persistence. Its campaigns range from long-term intelligence collection to disruptive, destructive actions, deploying modular router malware, destructive wipers, and ICS-focused toolsets when operational goals demand sabotage. Operators demonstrate strong operational security, anti-sandbox/anti-analysis measures, and careful timing to align cyber activity with geopolitical objectives.

APT1

APT1 (Comment Crew / Shanghai Group) – Quick Facts

  • Type: Advanced Persistent Threat (APT)
  • Aliases: Comment Crew, Comment Group, Comment Panda, Unit 61398.
  • Origin: China, linked to PLA Unit 61398
  • Active Since: Mid-2000s
  • Primary Targets: Western corporations, government organizations, defense contractors
  • Motivation: Cyber espionage, intellectual property theft
  • Tactics & Techniques:
    • Spear-phishing emails
    • Custom malware and remote access tools (RATs)
    • Long-term network infiltration for intelligence gathering
  • Notable Campaigns:
    • Exfiltration of corporate data across multiple industries, including aerospace, energy, and technology
  • Significance:
    • One of the first publicly documented APT groups
    • Exposed in Mandiant’s 2013 report, raising global awareness of state-sponsored cyber espionage
  • Attributed Tools & Malware:
    • Malware Samples & More Malware Samples
    • WEBC2 Family:
      • WEBC2-AUSOV
      • WEBC2-ADSPACE
      • WEBC2-BOLID
      • WEBC2-CLOVER
      • WEBC2-CSON
      • WEBC2-DIV
      • WEBC2-GREENCAT
      • WEBC2-HEAD
      • WEBC2-KT3
      • WEBC2-QBP
      • WEBC2-RAVE
      • WEBC2-TABLE
      • WEBC2-TOCK
      • WEBC2-UGX
      • WEBC2-YAHOO
      • WEBC2-Y21K
    • GOGGLES – Downloader used by the group (serves as a payload/secondary-stage downloader).
    • GLASSES – A variant or close relative of GOGGLES; identified in a Citizen Lab analysis and likely an earlier or related implementation.
    • AURIGA / BANGAT – Tools linked to a developer tracked as “SuperHard”; mentioned by Mandiant but not always named in the public report.
    • Email-exfiltration utilities: GETMAIL (used to extract PST files) and MAPIGET (used to read emails that haven’t been archived).
    • Public privilege-escalation tools: examples include cachedump, fgdump, and gsecdump, not unique to APT1 but observed in their operations.
    • HTRAN (HUC Packet Transmit Tool) – used as a hop/proxy relay to forward communications between victims and command-and-control servers, helping to obscure origin and routing.
  • MITRE ATT&CK: https://attack.mitre.org/groups/G0006/

Description

APT1, often called the Comment Crew or PLA Unit 61398, is one of the most infamous and well-documented cyber espionage groups linked to the Chinese government. First brought into the spotlight by Mandiant’s 2013 report, APT1 was among the first hacking units publicly tied to a specific branch of China’s military, the People’s Liberation Army, revealing the true scale of state-backed digital espionage for economic and strategic gain.

Active since at least 2006, APT1 ran one of the most disciplined and long-running hacking operations ever uncovered. Its members focused on stealing intellectual property and confidential business information from hundreds of organizations across industries like aerospace, defense, energy, telecom, and manufacturing – mostly in the United States, but also in Europe and Asia. Everything they took seemed to serve China’s national interests, whether by boosting its industries or informing military and political strategies.

Technically, APT1 was known for its methodical and repeatable playbook. The group broke in through targeted phishing emails and custom malware such as the WEBC2 family (with variants like WEBC2-AUSOV and WEBC2-GREENCAT). Once inside, they established persistence with credential-stealing tools (GETMAIL, MAPIGET, FGDump) and routed stolen data through a vast command-and-control network of more than 1,000 servers and 2,500 domains, often masked with tools like HTRAN to hide their tracks. Their infrastructure and coding style were remarkably consistent, the work of full-time engineers, not lone hackers.

What made APT1 stand out wasn’t just the scale of its operations, but the professionalism behind it. Investigators found evidence of shift-based work hours, organized infrastructure, and shared codebases, all pointing to a state-run, military-grade espionage unit based in Shanghai. The exposure of APT1 changed how the world viewed cyber conflict, proving that digital espionage could be conducted with the same structure and intent as any traditional military campaign.

In many ways, APT1 set the template for the modern nation-state hacking group: large, organized, patient, and focused on long-term strategic advantage rather than chaos or quick profit. Its legacy still shapes how governments and companies think about cybersecurity and geopolitical risk today.

References: