
Researchers have discovered a new malware campaign targeting an East Asian company that develops data-loss prevention (DLP) software for government and military entities; the campaign has been attributed to the APT group known as Tick.
The threat actor breached the company's internal update servers to deliver malware within its network. It then trojanized installers of a legitimate tool used by the firm, which led to malware being executed on two of its customers' computers.
During the intrusion, the attackers deployed a downloader named ShadowPy, along with the Netboy backdoor and the Ghostdown downloader.
Active since 2006, Tick employs a unique custom malware toolset built for persistent access to compromised machines, reconnaissance, data exfiltration and the download of additional tools.
The latest report on Tick activity found the group exploiting the ProxyLogon vulnerability to compromise a South Korean IT company, making it one of the groups with access to that remote code execution exploit before the vulnerability was publicly disclosed.
Attack duration.
- The attack was spotted in March 2021. The hackers are believed to have deployed malware that month and, weeks later, began introducing trojanized copies of the Q-Dir installers.
- The APT group then compromised the targeted company's network again in June and September 2021, and transferred the trojanized Q-Dir installers to customers of the compromised company in February and June 2022.

This research was documented by researchers from ESET.
Indicators of Compromise
Hashes
- 72BDDEAD9B508597B75C1EE8BE970A7CA8EB85DC
- 8BC1F41A4DDF5CFF599570ED6645B706881BEEED
- 4300938A4FD4190A47EDD0D333E26C8FE2C7451E
- B9675D0EFBC4AE92E02B3BFC8CA04B01F8877DB6
- F54F91D143399B3C9E9F7ABF0C90D60B42BF25C9
- FE011D3BDF085B23E6723E8F84DD46BA63B2C700
- 02937E4A804F2944B065B843A31390FF958E2415
C&C Servers
- 115.144.69[.]108
- 110.10.16[.]56
- 103.127.124[.]117
- 103.127.124[.]119
- 103.127.124[.]76
- 58.230.118[.]78
- 192.185.89[.]178
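As an added detection example, not part of the original report or of ESET's tooling: the script below loads the hashes and C&C addresses listed above, refangs the `[.]` notation, and matches them against firewall/proxy log lines and file digests. The log lines and file samples are constructed for illustration; the script also assumes the listed 40-character hashes are SHA-1 digests (their length is consistent with SHA-1, but the page does not state the algorithm).

```python
"""Match the Tick campaign indicators listed above against sample data.

Added example, not ESET's code. Hash and IP values are copied from the
indicator list above; the log lines and file samples scanned here are
constructed for illustration only.
"""
from __future__ import annotations

import hashlib
import re
from typing import Iterable, Optional

# Hashes copied from the indicator list above (assumed SHA-1: 40 hex chars).
IOC_HASHES = {
    "72BDDEAD9B508597B75C1EE8BE970A7CA8EB85DC",
    "8BC1F41A4DDF5CFF599570ED6645B706881BEEED",
    "4300938A4FD4190A47EDD0D333E26C8FE2C7451E",
    "B9675D0EFBC4AE92E02B3BFC8CA04B01F8877DB6",
    "F54F91D143399B3C9E9F7ABF0C90D60B42BF25C9",
    "FE011D3BDF085B23E6723E8F84DD46BA63B2C700",
    "02937E4A804F2944B065B843A31390FF958E2415",
}

# C&C addresses copied as published (defanged with "[.]") and refanged below.
IOC_C2_DEFANGED = [
    "115.144.69[.]108",
    "110.10.16[.]56",
    "103.127.124[.]117",
    "103.127.124[.]119",
    "103.127.124[.]76",
    "58.230.118[.]78",
    "192.185.89[.]178",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (1.2.3[.]4, hxxp://) back into the form seen in raw logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_C2 = {refang(ip) for ip in IOC_C2_DEFANGED}

# Extract whole dotted quads only, so 103.127.124.76 does not fire on 103.127.124.768.
_IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def match_hashes(observed: Iterable[str]) -> set[str]:
    """Return the observed digests that appear in the IoC set (case-insensitive)."""
    return {h.upper() for h in observed if h.upper() in IOC_HASHES}


def check_file_bytes(data: bytes) -> Optional[str]:
    """Hash a file's contents (SHA-1 assumed) and return the matching IoC, if any."""
    digest = hashlib.sha1(data).hexdigest().upper()
    return digest if digest in IOC_HASHES else None


def match_c2_in_logs(lines: Iterable[str]) -> list[tuple[int, str]]:
    """Return (line_number, ip) for every log line that references a listed C&C address."""
    hits: list[tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        for ip in _IP_RE.findall(line):
            if ip in IOC_C2:
                hits.append((n, ip))
    return hits


# Constructed sample data (not from the report): a firewall/proxy log excerpt and file digests.
SAMPLE_LOG = [
    "2022-06-14T09:12:03Z fw allow src=10.0.8.21 dst=103.127.124.119 dport=443",
    "2022-06-14T09:12:09Z fw allow src=10.0.8.21 dst=142.250.74.100 dport=443",
    "2022-06-14T09:13:44Z proxy GET http://58.230.118.78/update/q-dir.exe by 10.0.8.33",
    # Near-miss: a naive substring search for 103.127.124.76 would fire here; the regex does not.
    "2022-06-14T09:14:01Z fw allow src=10.0.8.40 dst=103.127.124.768 dport=80",
]
SAMPLE_DIGESTS = [
    "4300938a4fd4190a47edd0d333e26c8fe2c7451e",  # listed hash, lowercase as a hashing tool prints it
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",  # SHA-1 of an empty file, not an indicator
]

if __name__ == "__main__":
    for n, ip in match_c2_in_logs(SAMPLE_LOG):
        print(f"line {n}: connection to listed C&C {ip}")
    for h in match_hashes(SAMPLE_DIGESTS):
        print(f"digest {h} matches a listed indicator")
```

The regex extracts whole dotted quads and then checks set membership, which avoids the false positives a plain substring search produces when a listed address is a prefix of a longer one; hashes are normalised to upper case before comparison because hashing tools differ in the case they print.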