June 3, 2023

The Malicious activities of Moshen Dragon came into the limelight targeting telecommunication service providers in Central Asia. There persisted few similarities between this new threat organization and RedFoxtrot and Nomad Panda.

Sentinel Labs says Moshen Dragon is a proficient hacking gang capable of modifying its approach based on the protections they’re up against. The hackers spend a lot of time attempting to sideload malicious Windows DLLs into antivirus programs, steal passwords to move laterally, and exfiltrate data from affected PCs.


Since the infection vector is unclear, Sentinel Lab focuses on antivirus misuse, which includes TrendMicro, Bitdefender, McAfee, Symantec, and Kaspersky products.

In general, antivirus programs operate with elevated capabilities on Windows, sideloading a malicious DLL onto their processes allows hackers to run malware on the computer with minimal constraints and perhaps avoid detection.

Impacket, a Python package designed to permit lateral movement and remote code execution via WMI, is deployed in this way by Moshen Dragon. Impacket also aids credential theft by adding an open-source program that logs the details of password change events on a domain in the “C:\Windows\Temp\Filter.log” file.

The threat group installs a passive loader that verifies that it is on the correct machine before activating by comparing the hostname to a hardcoded value. The threat actor creates a new DLL for the devices it targets, demonstrating its skill and diligence.

The loader intercepts incoming data with the WinDivert packet sniffer until it finds the string necessary for self-decryption, then unpacks and launches the payload (SNAC.log or bdch.tmp). The payloads contain PlugX and ShadowPad versions, two backdoors that several Chinese APTs have employed in recent times. The threat actor’s ultimate purpose is to steal data from as many systems as feasible.


The loader evaluated by Sentinel Labs this time was detected in a US government system by Avast researchers in December 2021. This might indicate that Moshen Dragon has many targets or has switched its focus, or simply that multiple Chinese APTs use the loader.

Indicators of Compromise

Hijacked DLLs

  • ef3e558ecb313a74eeafca3f99b7d4e038e11516
  • 3c6a51961aa328ba507796153234309a5e83bee3
  • fae572ad1beab78e293f756fd53cf71963fdb1bd
  • 308ed56dc1fbc98b574f937d4b005190c878416f
  • 55e89f458b5f5642300dd7c50b444232e37c3fa7


  • e9e8c2e720f5179ff1c0ac30ce017224ac0b2f1b
  • b6c6c292cbd35298a5f055448177bcfd5d0b23bf
  • 2294ecbbb065c517bd0e01f3f01aabd0a0402f5a
  • 7021a62b68751b7a3a2984b2996139aca8d19fec

Password Filter

  • c4f1177f68676b770934b142f9c3e2c4eff7f164


  • bb68816f324f2ac4f0d4756b66af67d01c8b6e4e
  • 4025e14a7f8928753ba06ad155944624069497dc
  • f5b8ab4a7d9c723c2b3b842b49f66da2e1697ce0


  • freewula.strangled[.]net
  • szuunet.strangled[.]net
  • final.staticd.dynamic-dns[.]net
  • dhsg123.jkub[.]com
  • greenhugeman.dns04[.]com
  • gfsg.chickenkiller[.]com
  • pic.farisrezky[.]com

Leave a Reply

%d bloggers like this: