📃Title: PLATINUM Targeted attacks in South and Southeast Asia
📅Date: 2016-04-29
🔗References:

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer Microsoft
  • threat-actor PLATINUM
  • target-information=“China”
  • target-information=“India”
  • target-information=“Indonesia”
  • target-information=“Malaysia”
  • target-information=“Singapore”
  • target-information=“Thailand”
  • sector=“Academia - University”
  • sector=“Diplomacy”
  • sector=“Government, Administration”
  • sector=“IT - ISP”
  • malpedia=“REDSALT”
  • mitre-attack-pattern=[]

MISP event uuid: 592acc60-42a9-42e2-ad37-c100dca752e9

Indicators of Compromise (IoCs)


Full IOCs available in Rectifyq's MISP