June 9, 2023, 3:11 p.m. | MalBot

Malware Analysis, News and Indicators - Latest topics malware.news

Key takeaways

  • The REF2754 intrusion set leverages multiple PE loaders, backdoors, and PowerShell runners

  • SPECTRALVIPER is a heavily obfuscated, previously undisclosed, x64 backdoor that brings PE loading and injection, file upload and download, file and directory manipulation, and token impersonation capabilities

  • We are attributing REF2754 to a Vietnamese-based intrusion set and aligning with the Canvas Cyclone/APT32/OceanLotus threat actor

The unsigned DLL (dbg.config) contained DONUTLOADER shellcode which it attempted to inject into sessionmsg.exe, the Microsoft Remote Session Message …
