CUCKOO SPEAR Part 1: Analyzing NOOPDOOR from an IR Perspective

![](https://www.cybereason.com/hubfs/dam/images/images-web/featured-images/cuckoo-spear-part-1-analysis-blog-analysis-featured.png)

Written by: Cybereason Security Services Team

This Threat Analysis Report delves into a newly discovered nation-state level threat campaign tracked by Cybereason as Cuckoo Spear. It outlines how the associated Threat Actor persists stealthily on their victims' networks for years, highlights strategies used across Cuckoo Spear, and shows how defenders can detect and prevent these attacks.

In this report, Cybereason confirms the ties between Cuckoo Spear and the APT10 Intrusion Set by tying multiple incidents together and disclosing new information about this group's new arsenal and techniques.

This is the first of three parts on the Cuckoo Spear threat campaign. It introduces the Threat Actor, the related campaign and their arsenal, and details the TTPs observed during the various incidents. The next two parts will cover the reverse engineering of their arsenal (NOOPLDR/NOOPDOOR in particular) and how to fight against this Threat Actor.

**We have published Indicators of Compromise, YARA rules and Python scripts related to this report; they are available in the following public GitHub repository: https://github.com/Cybereason-Open-Source/CuckooSpear/**

KEY POINTS
----------

* **Nation-state Threat Actor targeting Japanese companies:** Cybereason observed similar Tactics, Techniques and Procedures (TTPs) of the threat campaign targeting different Japanese companies. The attack, focused on the manufacturing, politics and industrial sectors, is assessed to be part of a cyber espionage effort.
* **Stealthy and advanced malware use:** Cuckoo Spear uses the same malware across victims, a new version of the malware previously called LODEINFO, part of APT10's arsenal.
* **NOOPLDR and NOOPDOOR:** Cybereason identified similarities with LODEINFO, but the malware identified across multiple cases unraveled two new discoveries:
  * **NOOPLDR** (using two very different methods: a C# loader that also handles persistence, and a DLL file)
  * **NOOPDOOR** (DGA-based C2 malware with C2 local network relaying capabilities)
* **Persistent:** Cybereason identified that some of the victims had the associated Threat Actor present in their network for a period of between 2 and 3 years.
* **Luring techniques:** A variety of techniques were used to lure in potential victims, but the Threat Actors mainly rely on phishing as the initial access vector.

### What is Cuckoo Spear?

For the past several years, since December 2019, the cybersecurity landscape has been continuously challenged by the emergence and evolution of the **LODEINFO** malware. Recent investigations suggest the involvement of a Chinese state-backed Advanced Persistent Threat (APT) group, likely APT10, in orchestrating these attacks. A recent development identified ties between the Threat Actor utilizing LODEINFO and a new malware family called **NOOPDOOR**.
Cybereason named this threat campaign "Cuckoo Spear". In this report, the Cybereason team examines several key aspects of Cuckoo Spear:

* **Techniques employed by the APT10 group to load the highly sophisticated malware**: We explore the sophisticated functionalities and tactics that define the most recent iteration of the **NOOPDOOR** and **NOOPLDR** malware and its surrounding capabilities.
* **A deep dive into the Threat Actor's arsenal**: During recent incident response activities, our team uncovered and meticulously analyzed the newest arsenal deployed by the Threat Actor. This analysis, fueled by advanced reverse engineering techniques, revealed a sophisticated set of tools designed for stealthy infiltration, data exfiltration, and persistent access.
* **Strategies for Threat Hunting and Defense**: Leveraging open-source intelligence, Cybereason provides actionable insights on how organizations can effectively hunt and defend against these persistent threats.

### Attribution

| Category | Field | Details |
|---|---|---|
| Victimology | Country | Japan, India, Taiwan |
| Victimology | Industries | Academic, Government, Manufacturing |
| TTPs | Initial Infection Vectors | Spear-phishing; exploitation of public-facing applications (e.g. Array AG, FortiOS/FortiProxy and Proself) |
| TTPs | Techniques | DLL Side-Loading; [MSBuild](https://attack.mitre.org/techniques/T1127/001/); Exploitation for Client Execution (e.g. CVE-2013-3900) |
| Malware | Downloader / Malware Loader | DOWNIISA, NOOPLDR |
| Malware | Backdoor | LODEINFO, NOOPDOOR |
| Malware | Infostealer | MirrorStealer, MSRAStealer |
| Tools | | Cobalt Strike |

*Intrusion Set Table of Threat Actors Behind NOOPDOOR*

***Note***: *Cybereason began writing this article at the beginning of January 2024 after encountering multiple cases of compromise from the same Threat Actor. The adversary was using weaponized tools that were not public at the time. In the week of 22 January 2024, threat intelligence reports from Trend Micro and ESET were published highlighting similar findings.*

Trend Micro and ESET published their research findings at [JSAC2024](https://jsac.jpcert.or.jp/archive/2024/timetable.html) regarding Threat Actors leveraging **LODEINFO** and the new backdoor dubbed **NOOPDOOR**. From the intrusion sets observed in multiple campaigns, both companies attributed the Threat Actors behind this campaign to a group related to APT10; specifically, Trend Micro attributed the Threat Actors to 'Earth Kasha'. The Threat Actors behind NOOPDOOR consisted of the Intrusion Sets represented in the table above during the campaign observed by Cybereason, ESET, and Trend Micro.

The actors behind NOOPDOOR not only utilized LODEINFO during the campaign, but also utilized the new backdoor to exfiltrate data from compromised enterprise networks. The intention behind this behavior is likely espionage, as the Threat Actors targeted critical infrastructure sectors and academic institutions, which are often intelligence gathering targets.

### APT10

APT10 is a sophisticated Chinese state-sponsored cyber espionage group that has been active since as early as 2006, according to the [Department of Defense](https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion). The information security community widely believes the group's focus is to support Chinese national security goals by gathering intelligence against the relevant targets. APT10 often targets various [critical infrastructure sectors](https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors) such as communications, manufacturing and various public sectors.

### Cuckoo Spear

Cybereason documented the campaign as 'Cuckoo Spear'. Cuckoo Spear is related to the APT10 Intrusion Set because of the links made between various incidents from the Threat Actors 'Earth Kasha' and 'MirrorFace', involving both APT10's old arsenal (LODEINFO) and the new arsenal presented in this report.

This attribution is based on four main aspects:

* The arsenal used, mainly **NOOPLDR** and **NOOPDOOR**, which first became known to the public in January 2024 but had already remained on compromised networks for as long as two to three years
* The **LODEINFO** malware was identified during an incident that also involved **NOOPLDR/NOOPDOOR**, linking them together
* The domains used as C2 infrastructure, showing many similarities with other APT10 campaigns
* The similarity in techniques employed by the Threat Actor to carry out their attacks

### Arsenal

This section describes the arsenal related to Cuckoo Spear observed in the different incidents Cybereason worked on and the links that tie them together.

| Backdoor | Incidents in which it was observed (of A, B, C, D) |
|---|---|
| Cobalt Strike (loaded by GOSICLOADER) | 1 |
| LODEINFO | 1 |
| NOOPLDR-DLL | 2 |
| NOOPLDR-C# | 3 |
| DOWNJPIT | 1 |

Incident start dates: Incident A, April 2021; Incident B, May 2021; Incident C, November 2021; Incident D, October 2023.

### Terminology

Cybereason re-used the naming convention established by Trend Micro and ESET, naming the loader **NOOPLDR** in reference to the **NOOPDOOR** backdoor that is loaded afterwards.
The names used in this report are the following:

* **Campaign:** Cuckoo Spear
* **Intrusion Set:** APT10
* **Threat Actor:** Earth Kasha / MirrorFace
* **LODEINFO:** initial malware identified in one case where NOOPLDR and NOOPDOOR were discovered
* **NOOPLDR-C#:** C# loader which loads NOOPDOOR
* **NOOPLDR-DLL:** DLL loader which loads NOOPDOOR
* **NOOPDOOR:** loaded shellcode that acts as a Command and Control beacon

### LODEINFO

![noopdoor-blog-1](https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/noopdoor-blog-1.png?width=1174&height=617&name=noopdoor-blog-1.png)
*LODEINFO Execution Flow*

LODEINFO, named by JPCERT in their [blog](https://blogs.jpcert.or.jp/en/2020/02/malware-lodeinfo-targeting-japan.html), is a backdoor known to be active since 2019. Threat Actors often deploy LODEINFO by utilizing [DLL Side-loading](https://attack.mitre.org/techniques/T1574/002/), which loads the LODEINFO loader DLL into legitimate executables. This execution flow attempts to load the LODEINFO shellcode and execute the backdoor in memory. The currently known LODEINFO version is v0.7.3, first observed in the wild in October 2023.

The interesting aspect of LODEINFO is that the developers change the C2 command functionality with each version update, often removing previously supported commands. For example, the developers removed the C2 command to remove files (*rm*) between v0.6.3 and v0.6.6, but this functionality came back after v0.6.8. The comparative graph of backdoor commands provided by [ITOCHU Cyber & Intelligence Inc](https://blog-en.itochuci.co.jp/entry/2024/01/24/134100) gives detailed information on the backdoor commands as well as the changes across versions v0.6.5, v0.7.1, and v0.7.2/v0.7.3.

### GOSICLoader

GOSICLoader is a Golang-based malware loader responsible for loading Cobalt Strike. The loader abuses DLL Side-Loading, which loads GOSICLoader into the legitimate process *jcef_helper.exe*, a JetBrains plugin process.

![noopdoor-blog-2](https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/noopdoor-blog-2.png?width=624&height=166&name=noopdoor-blog-2.png)
*GOSICLoader Execution Flow*

### DOWNJPIT

DOWNJPIT is a fileless downloader dubbed by [Kaspersky](https://hitcon.org/2021/agenda/6d88317b-4d90-4249-ba87-d81c80a21382/APT10%20HUNTER%20RISE%20ver3.0%20Repel%20new%20malware%20LODEINFO%20DOWNJPIT%20and%20LilimRAT.pdf). DOWNJPIT is responsible for downloading, decrypting and executing LODEINFO.

![noopdoor-blog-3](https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/noopdoor-blog-3.png?width=1062&height=388&name=noopdoor-blog-3.png)
*DOWNJPIT Execution Flow Presented By Kaspersky at* [*HITCON 2021*](https://hitcon.org/2021/agenda/6d88317b-4d90-4249-ba87-d81c80a21382/APT10%20HUNTER%20RISE%20ver3.0%20Repel%20new%20malware%20LODEINFO%20DOWNJPIT%20and%20LilimRAT.pdf)

DOWNJPIT was spotted in one of the incidents related to Cuckoo Spear.

### NOOPLDR / NOOPDOOR

![noopdoor-blog-4](https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/noopdoor-blog-4.png?width=931&height=440&name=noopdoor-blog-4.png)
*NOOPLDR/NOOPDOOR Execution Flow*

In this report, Cybereason exhibits a new backdoor utilized by the Threat Actors called NOOPDOOR, as dubbed by ESET and Trend Micro. NOOPDOOR is a 64-bit modular backdoor which utilizes [DGA](https://attack.mitre.org/techniques/T1637/001/)-based C2 communication.
The backdoor is loaded by a loader called NOOPLDR, which appears to have two different variants:

* C#: variant which relies on an MSBuild task
* DLL: variant which relies on the [DLL side-loading technique](https://www.cybereason.com/blog/threat-analysis-report-dll-side-loading-widely-abused)

NOOPLDR is responsible for decrypting and executing NOOPDOOR, which utilizes DGA to actively communicate with the C2 server.

Cybereason observed LODEINFO and NOOPDOOR together in one case. As mentioned in other reports, the Threat Actors started to incorporate NOOPDOOR in their new campaigns. Based on the analysis of LODEINFO as well as on the observation of these campaigns, LODEINFO appears to be utilized as the primary backdoor while NOOPDOOR acts as a secondary backdoor, keeping persistence within the corporate network.

### Observed Behaviors / TTPs

In this section, Cybereason outlines all the behaviors observed during incidents associated with the Cuckoo Spear campaign.

### Initial Access

Other reports documenting this Threat Actor mention the following vulnerabilities used as initial access vectors:

* [**CVE-2023-27997**](https://nvd.nist.gov/vuln/detail/CVE-2023-27997): buffer overflow vulnerability in FortiOS and FortiProxy, which allows attackers to execute arbitrary commands.
* [**CVE-2023-28461**](https://nvd.nist.gov/vuln/detail/CVE-2023-28461): remote code execution (RCE) vulnerability in the Array Networks Array AG series and vxAG.
* [**CVE-2023-45727**](https://nvd.nist.gov/vuln/detail/CVE-2023-45727): unauthenticated XML External Entity (XXE) vulnerability in Proself Enterprise/Standard Edition, Proself Gateway Edition, and Proself Mail Sanitize Edition, which allows attackers to gain unauthorized access to the environment.

In the Cuckoo Spear campaign, two of those three vulnerabilities were identified as initial access vector leads.

Spear-phishing is the common initial access technique observed from Threat Actors utilizing LODEINFO; however, the malicious actors have started to shift their tactics to exploiting vulnerabilities.

### Persistence

NOOPDOOR must first be loaded on the victim machines, which is done through persistence mechanisms; Cybereason observed three different methods:

* **Scheduled Tasks**
* **WMI Event Consumers**
* **Windows Services** ([**Service DLL**](https://www.ired.team/offensive-security/persistence/persisting-in-svchost.exe-with-a-service-dll-servicemain))

### Scheduled Task

The Threat Actors maintain persistence within the environment by abusing Scheduled Tasks. The scheduled task consists of the execution of MSBuild, which loads malicious XML files and compiles the NOOPDOOR loader at runtime.

![noopdoor-blog-5](https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/noopdoor-blog-5.png?width=1029&height=221&name=noopdoor-blog-5.png)
*MSBuild Execution Via Scheduled Task*

### WMI Event Consumers

The Threat Actors leverage a WMI event consumer, which executes the main action when it gets triggered by a filter. The Threat Actor then utilizes ActiveScript, which appears to execute in the JScript engine.
For the consumer action in this WMI event, the Threat Actor leverages MSBuild execution of the NOOPDOOR loader, similar to the scheduled task, which also leverages MSBuild. Utilizing [WMI event consumers](https://attack.mitre.org/techniques/T1546/003/) is an alternate method to persist within the environment.

![noopdoor-blog-6](https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/noopdoor-blog-6.png?width=998&height=392&name=noopdoor-blog-6.png)
*WMI Event Consumers For NOOPDOOR*

The process responsible for hosting WMI event consumers for scripting, such as ActiveScript, is *scrcons.exe*, which then spawns the processes declared in its scripts.

![noopdoor-blog-7](https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/noopdoor-blog-7.png?width=1124&height=650&name=noopdoor-blog-7.png)
*NOOPLDR/NOOPDOOR Attack Tree*

### Windows Services

The Threat Actors also maintain persistence within the environment by creating malicious services that load unsigned DLL files. In this case, unsigned DLL files are written to the `C:\Windows\System32\` folder. An entry in the registry indicates that this DLL is loaded into an *svchost.exe* process through a Service DLL.

![noopdoor-blog-8](https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/noopdoor-blog-8.png?width=864&height=142&name=noopdoor-blog-8.png)
*Extract From Velociraptor IR Tool*

The screenshot above shows a registry key for a service named *DssSvc* with a ServiceDll configured as `C:\Windows\System32\pgodb100.dll`, which is in fact NOOPLDR (DLL version).

To summarize how Service DLLs are used for persistence, one technique involves creating a new Windows service hosted by svchost.exe. Here is an overview of the process:

* **Threat Actor drops the NOOPLDR (DLL version) file on disk**: the DLL (for instance, *pgodb100.dll*) containing the code to execute on system reboot is placed in `C:\Windows\System32\`.
* **Create a new service**: establish a new service (for instance, *DssSvc*) with binPath set to *svchost.exe*.
* **Add the ServiceDll value**: add the ServiceDll value to the *DssSvc* service, pointing to the DLL dropped in step 1.
* **Modify the registry**: adjust `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost` to specify the service's loading group.
* **Start the service**: start the *DssSvc* service.
* **Execution**: *DssSvc* is launched and its service DLL (pgodb100.dll, in our example) is loaded into an *svchost.exe* process.

This method leverages the Windows service infrastructure to achieve persistence by loading a custom DLL into *svchost.exe*, ensuring execution of the specified code on system restarts.

From a detection perspective, defenders can look for the loading of unsigned DLLs under the following process:

* **svchost.exe -k netsvcs**

### Command & Control

#### Domain Generation Algorithm (DGA)

Cybereason observed several domains created by the DGA and details these aspects in the following sections.

![noopdoor-blog-9](https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/noopdoor-blog-9.png?width=973&height=474&name=noopdoor-blog-9.png)
*DGA Sample*

#### Connection To Internal Pivot

Aside from the C2 domains that resolve to external IP addresses, Cybereason also observed internal C2 communications amongst the infected machines. Cybereason identified processes injected with NOOPDOOR listening on the following TCP ports:

* 5984
* 47000
* 8532

This allows the Threat Actor to connect to internal machines in case the external C2 is unavailable, funnelling C2 connections through an internal server that is the sole point of communication with the Internet.

![noopdoor-blog-10](https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/noopdoor-blog-10.png?width=858&height=249&name=noopdoor-blog-10.png)
![](https://lh7-rt.googleusercontent.com/docsz/AD_4nXe3RUyjP_dYHGUu9TgLD2IhtIvKraTGnEz1oshlK1G0wgsDWt4GTGof8sZhEfP-wJ8PA6Usl2ZIVvf6TWPbkpoH1pY0PLtXNEJonn4yjXPSaMqDoOVNytc6EnYgQucqKMoXe-gTfYX78MU2LWoJCPmSBAw?key=wLywKVNeOtfT5AfhaUM8Dg)
*Internal Communication To NOOPDOOR On Port 5984*

This also gives the Threat Actor the capability to remotely control a machine that is not connected to the Internet or has limited outbound network capability.

#### C2 Servers & Domains

In the different cases Cybereason observed, the following Domain Generation Algorithm (DGA) patterns were used:

* `www.[DGA][.]com`, with [DGA] being the generated domain based on parameters such as the current date and a C2 URL hardcoded in LODEINFO
* `www.[DGA][.]net`, with [DGA] as above
* `[DGA].[C2 domain].com`

![noopdoor-blog-12c](https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/noopdoor-blog-12c.png?width=344&height=64&name=noopdoor-blog-12c.png)
![noopdoor-blog-13c](https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/noopdoor-blog-13c.png?width=343&height=133&name=noopdoor-blog-13c.png)

#### Use of NO-IP Services

Threat Actors often use [dynamic DNS](https://attack.mitre.org/techniques/T1568/) services like No-IP to manage their command and control (C2) infrastructure. Since the IP address of a C2 server can change frequently, using a dynamic DNS service helps maintain consistent communication with malware or compromised systems.

Due to their nature, it is more difficult for security systems to track and blacklist IP addresses associated with dynamic DNS services, as the IP addresses change on a regular basis by design. This dynamic aspect helps Threat Actors avoid detection by security tools that rely on IP blacklists.
Threat Actors can also create redundant systems, ensuring that if one domain is taken down or blocked, others are still operational.

Cybereason identified the Threat Actor behind these attacks using the following domains through a service similar to NO-IP:

* *3utilities[.]com*
* *onthewifi[.]com*
* *redirectme[.]net*
* *serveblog[.]net*
* *zapto[.]org*
* *hopto[.]org*

#### Use of Specific Domains

In addition to these NO-IP domains, Cybereason also witnessed additional domains being used. These domains were mainly registered through registrars such as [NAMECHEAP](https://www.namecheap.com/) or [Tucows](https://www.tucows.com/).

#### Infrastructure IP Addresses

In the screenshot below, Cybereason lists the IP addresses related to the domains that were resolved during the observation period of each incident:

![noopdoor-blog-14](https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/noopdoor-blog-14.png?width=892&height=863&name=noopdoor-blog-14.png)
*Resolved Cuckoo Spear IPs (VirusTotal)*

Those IP addresses are mostly hosted in Japan under hosting services such as Akamai or AS-CHOOPA. The other countries are:

* US (Cloudflare)
* DE
* NL
* VN

### Lateral Movement

#### Scheduled Task

In one Cuckoo Spear instance, the Threat Actor utilized scheduled tasks to conduct lateral movement within the environment. They create the scheduled task by abusing *schtasks.exe*, which creates, on the remote machine, the scheduled task responsible for executing the C# loader via MSBuild at startup.

![noopdoor-blog-15](https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/noopdoor-blog-15.png?width=896&height=234&name=noopdoor-blog-15.png)
*Scheduled Task Creation On Remote Machine*

Once the scheduled task creation is complete, another instance of *schtasks.exe* immediately executes the created task on the remote machine.

### Defense Evasion

The Threat Actor deployed several defense evasion techniques in both NOOPDOOR and NOOPLDR. Aside from the attacker tools, the Threat Actor also deleted event logs on target systems.

### Discovery Activity

The Threat Actor also displayed post-exploitation behavior, discovering the Active Directory through *net.exe* commands and the local network through the *ping.exe* and *nslookup.exe* tools:

* **Msbuild.exe**: resulting from the persistence mechanism, this command is responsible for injecting NOOPLDR into *pcwrun.exe* after spawning that process
* **Pcwrun.exe**, or another arbitrary executable present in `C:\Windows\System32\`: this process is created by the code loaded by *msbuild.exe*. As stated earlier, the process name varies depending on the C2 configuration
* **net user Administrator /domain**: Active Directory discovery related to the domain administrator account
* **nslookup**: used to discover existing machines on the network and their internal IP addresses
* **ping -n 1 [redacted]**: used to check connectivity to the specified IP of the internal machines being searched for by the Threat Actor
* **tasklist /v**: this verbose tasklist.exe command line indicates that detailed information about running processes is being gathered, potentially for reconnaissance or to find processes to inject into or terminate
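The persistence steps (Service DLL under `svchost.exe -k netsvcs`, MSBuild launched from a scheduled task or the WMI `scrcons.exe` host), the remote `schtasks /create` lateral movement and the discovery commands listed above translate directly into hunting rules over endpoint telemetry. The following is an added example written for this page, not a script from Cybereason or from the CuckooSpear GitHub repository. It runs over a small set of constructed sensor records (the `Event` record layout, host names such as `HOST02` and the task file name `task-example.xml` are assumptions; `pgodb100.dll`, `DssSvc` and `pcwrun.exe` are the values the report gives):

```python
"""Hunting rules over constructed endpoint telemetry for the Cuckoo Spear TTPs in this report."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One sensor record (constructed layout for this example); kind is 'process' or 'image_load'."""
    kind: str
    process: str          # image name of the acting process
    parent: str = ""      # parent process image name (process events)
    cmdline: str = ""     # full command line of the acting process
    image: str = ""       # full path of the acting process (process events)
    module: str = ""      # path of the loaded DLL (image_load events)
    signed: bool = True   # Authenticode verdict reported by the sensor (image_load events)


# Processes that host scheduled tasks and WMI ActiveScript consumers (report: svchost.exe, scrcons.exe)
TASK_HOSTS = {"svchost.exe", "taskeng.exe", "scrcons.exe"}
SYSTEM32 = re.compile(r"^c:\\windows\\system32\\", re.I)
CMD_PREFIX = re.compile(r"^(?:\S*\\)?cmd(?:\.exe)?\s+/c\s+", re.I)
# Discovery commands from the report; patterns are anchored on the tool name
DISCOVERY = [
    (r"^net1?(?:\.exe)?\s+user\s+.*\s/domain", "AD account discovery (net user /domain)"),
    (r"^net1?(?:\.exe)?\s+group\s+.*domain controllers.*\s/domain", "domain controller discovery (net group)"),
    (r"^nslookup(?:\.exe)?\s+\S", "host name/IP discovery (nslookup)"),
    (r"^ping(?:\.exe)?\s+-n\s+1\s", "single-probe reachability check (ping -n 1)"),
    (r"^tasklist(?:\.exe)?\s+/v", "verbose process listing (tasklist /v)"),
]


def hunt(events):
    """Return (rule, detail) pairs for every event matching one of the report's TTPs."""
    hits = []
    for ev in events:
        cl = ev.cmdline.lower()
        proc = ev.process.lower()
        if ev.kind == "image_load":
            # Service DLL persistence: svchost.exe -k netsvcs loading an unsigned DLL from System32
            if proc == "svchost.exe" and "-k netsvcs" in cl and not ev.signed and SYSTEM32.match(ev.module):
                hits.append(("unsigned_service_dll", ev.module))
            continue
        # MSBuild compiling an XML project when launched by a task/WMI host (NOOPLDR-C# persistence)
        if proc == "msbuild.exe" and ".xml" in cl and ev.parent.lower() in TASK_HOSTS:
            hits.append(("msbuild_from_task_host", ev.cmdline))
        # A System32 binary spawned by MSBuild: the injection target (pcwrun.exe in the report)
        if ev.parent.lower() == "msbuild.exe" and SYSTEM32.match(ev.image):
            hits.append(("msbuild_spawned_system32_child", ev.image))
        # schtasks creating a task whose action is MSBuild; "/s <host>" marks the remote (lateral) variant
        if proc == "schtasks.exe" and "/create" in cl and "msbuild.exe" in cl:
            tag = "remote_msbuild_task" if re.search(r"\s/s\s", cl) else "local_msbuild_task"
            hits.append((tag, ev.cmdline))
        # Security event log copied or deleted (log tampering seen in the CMD history)
        if proc == "cmd.exe" and "security.evtx" in cl and re.search(r"\b(?:del|copy)\b", cl):
            hits.append(("security_log_tampering", ev.cmdline))
        body = CMD_PREFIX.sub("", cl)  # strip a leading "cmd.exe /c " so the patterns anchor on the tool
        for pattern, label in DISCOVERY:
            if re.search(pattern, body):
                hits.append(("discovery", label))
    return hits


# Constructed telemetry: one compromised host plus a benign developer build (last event) for contrast
SAMPLE_EVENTS = [
    Event("process", "msbuild.exe", parent="svchost.exe",
          cmdline=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\system32\task-example.xml"),
    Event("process", "pcwrun.exe", parent="msbuild.exe", cmdline="pcwrun.exe",
          image=r"C:\Windows\System32\pcwrun.exe"),
    Event("image_load", "svchost.exe", cmdline="svchost.exe -k netsvcs -p -s DssSvc",
          module=r"C:\Windows\System32\pgodb100.dll", signed=False),
    Event("image_load", "svchost.exe", cmdline="svchost.exe -k netsvcs -p",
          module=r"C:\Windows\System32\wuaueng.dll", signed=True),
    Event("process", "schtasks.exe", parent="cmd.exe",
          cmdline=r'schtasks /create /s HOST02 /sc onstart /tn "Microsoft\Windows\Windows Defender\Windows Defender Maintenance" '
                  r'/tr "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\system32\task-example.xml" /ru System /f'),
    Event("process", "cmd.exe", parent="pcwrun.exe", cmdline="cmd.exe /c del security.evtx"),
    Event("process", "net.exe", parent="cmd.exe", cmdline="net user Administrator /domain"),
    Event("process", "tasklist.exe", parent="cmd.exe", cmdline="tasklist /v"),
    Event("process", "ping.exe", parent="cmd.exe", cmdline="ping -n 1 10.0.0.5"),
    Event("process", "msbuild.exe", parent="devenv.exe",
          cmdline=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\src\app\app.csproj"),
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:32} {detail}")
```

The benign `devenv.exe`-launched build and the signed `wuaueng.dll` load produce no hits, which is the point of keying the MSBuild rule on the parent process and the Service DLL rule on the signature verdict rather than on the image names alone. In a real deployment the `signed` field would come from the EDR's own Authenticode check, and the `TASK_HOSTS` set should be reviewed against the task and WMI hosts present in the environment.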
![noopdoor-blog-16](https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/noopdoor-blog-16.png?width=851&height=734&name=noopdoor-blog-16.png)
*Post-Exploitation Behavior Attack Tree*

In one incident, the Threat Actors utilized the following CMD commands as part of the post-exploitation:

```
/c copy \\[REDACTED]\C$\Windows\System32\Winevt\Logs\security.evtx
/c del C:\Users\[REDACTED]\AppData\Local\Temp\Cookie\* /f /q
/c del \\[REDACTED]\C$\Windows\System32\RegSSHelper.exe
/c del security.evtx
/c net group 'domain controllers' /domain
/c net use * /del /y
/c net use \\[REDACTED]\ipc$ [REDACTED] /user:[REDACTED]
/c net use \\[REDACTED]\netlogon [REDACTED] /user:[REDACTED]
/c net user [REDACTED] /domain
/c net user [REDACTED] /domain
/c net user [REDACTED] /domain
/c net user [REDACTED] /domain
/c nslookup [REDACTED]
/c schtasks /create /s [REDACTED] /sc onstart /tn 'Microsoft\Windows\Windows Defender\Windows Defender Maintenance' /tr 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\system32\[REDACTED].xml' /ru System /u:'[REDACTED]' /p:'[REDACTED]' /f
/c schtasks /run /s [REDACTED] /tn 'Microsoft\Windows\Windows Defender\Windows Defender Maintenance' /u:'[REDACTED]' /p:'[REDACTED]'
```

These findings are very similar to those published by [JPCERT](https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_6_minakawa-saika-kubokawa_en.pdf) back in 2023:

![noopdoor-blog-17](https://www.cybereason.com/hs-fs/hubfs/dam/images/images-web/blog-images/noopdoor-blog-17.png?width=624&height=265&name=noopdoor-blog-17.png)
*Source: JPCERT (JSAC2023)*

Keep an eye out for part 2 of our Cuckoo Spear analysis in the [research category](/blog/category/research).
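The Command & Control section above gives three things a defender can hunt for without knowing the DGA itself: the `www.[DGA][.]com` / `www.[DGA][.]net` and `[DGA].[C2 domain].com` naming shapes, the dynamic-DNS parent domains the Threat Actor used, and the internal pivot listeners on TCP 5984, 47000 and 8532. The following is an added example written for this page, not code from Cybereason or from the CuckooSpear repository. The `looks_generated` scorer is a generic entropy/character-shape heuristic of ours, not NOOPDOOR's real algorithm, so it only surfaces candidates for review; the DNS log line format, the host names and the query names are constructed, and `example-c2.com` is a placeholder for an unknown C2 domain:

```python
"""Hunting over constructed DNS and listening-socket telemetry for the C2 patterns in this report."""
import math
import re
from collections import Counter

# Dynamic-DNS parent domains the report lists for this Threat Actor
DYNDNS_PARENTS = {"3utilities.com", "onthewifi.com", "redirectme.net",
                  "serveblog.net", "zapto.org", "hopto.org"}
# TCP ports on which NOOPDOOR-injected processes were seen listening (internal C2 relay)
PIVOT_PORTS = {5984, 47000, 8532}

# Constructed log format: "<timestamp> <client host> query <qname> <qtype>"
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_generated(label):
    """Heuristic of ours, not NOOPDOOR's DGA: long label that carries digits or few vowels and is high-entropy."""
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    odd_shape = any(ch.isdigit() for ch in label) or vowel_ratio < 0.25
    return odd_shape and shannon_entropy(label) >= 3.0


def dns_hits(lines):
    """Return (host, qname, reason) for queries matching the C2 naming patterns in the report."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        qname = m["qname"].lower().rstrip(".")
        labels = qname.split(".")
        if len(labels) < 2:
            continue
        if ".".join(labels[-2:]) in DYNDNS_PARENTS:
            hits.append((m["host"], qname, "dynamic-dns parent"))
        if len(labels) == 3 and labels[0] == "www" and labels[2] in ("com", "net"):
            # www.[DGA].com / www.[DGA].net pattern
            if looks_generated(labels[1]):
                hits.append((m["host"], qname, "dga-like label under www"))
        elif len(labels) >= 3 and looks_generated(labels[0]):
            # [DGA].[C2 domain].com pattern: the generated part is the leftmost label
            hits.append((m["host"], qname, "dga-like subdomain"))
    return hits


def listener_hits(sockets, allow=frozenset()):
    """sockets: (host, process, port) listening-socket records; allow: process names known to own a port."""
    return [(host, proc, port) for host, proc, port in sockets
            if port in PIVOT_PORTS and proc.lower() not in allow]


# Constructed sample input: three suspicious queries, two benign ones, one malformed line
SAMPLE_DNS = [
    "2024-01-22T09:00:01Z host01 query www.x7kq3hd8sj2lqp.com A",
    "2024-01-22T09:00:02Z host01 query www.microsoft.com A",
    "2024-01-22T09:00:03Z host02 query updates.3utilities.com A",
    "2024-01-22T09:00:04Z host02 query www.stackoverflow.com A",
    "2024-01-22T09:00:05Z host03 query www.q9s2ml7xfh3r.net A",
    "2024-01-22T09:00:06Z host03 query k2p9d4mz7wq1.example-c2.com A",
    "this line is not a dns record",
]
# Constructed listening-socket inventory (e.g. from netstat -ano or an EDR socket table)
SAMPLE_SOCKETS = [
    ("host01", "pcwrun.exe", 5984),
    ("host01", "svchost.exe", 135),
    ("host04", "pcwrun.exe", 47000),
    ("host05", "lsass.exe", 8532),
]

if __name__ == "__main__":
    for hit in dns_hits(SAMPLE_DNS):
        print("DNS      ", *hit)
    for hit in listener_hits(SAMPLE_SOCKETS):
        print("LISTENER ", *hit)
```

The `allow` parameter exists because the three port numbers alone are a weak signal: a service that legitimately owns one of them on a given host should be allowlisted by process name, while a non-server binary such as `pcwrun.exe` listening on any of them is the anomaly the report describes. The DGA heuristic will flag some legitimate CDN or tracking hostnames; treat its output as a triage queue to be joined with the process that issued the query, not as a block list.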

Related tags: CVE-2023-45727; BRONZE RIVERSIDE; NAICS 921 (Executive, Legislative, Other General Government Support); NAICS 61 (Educational Services); NAICS 611 (Educational Services); NAICS 54 (Professional, Scientific, Technical Services); NAICS 541 (Professional, Scientific, Technical Services); NAICS 92 (Public Administration); NAICS 922 (Justice, Public Order, Safety Activities)