Security Affairs
Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Chinese APT17 exploits Microsoft’s TechNet Portal to Host C&C IPs

The Chinese threat actor known as APT17 and DeputyDog has been using profile pages and forum threads on Microsoft’s TechNet web portal to host IP addresses for command and control (C&C) servers. Security experts at FireEye and the colleagues at Microsoft Threat Intelligence Center have published a report on the activities of the Chinese group […]

Chinese APT17 exploits Microsoft’s TechNet Portal to Host C&C IPs

The Chinese threat actor known as APT17 and DeputyDog has been using profile pages and forum threads on Microsoft’s TechNet web portal to host IP addresses for command and control (C&C) servers.

Security experts at FireEye and the colleagues at Microsoft Threat Intelligence Center have published a report on the activities of the Chinese group dubbed APT17. The experts found interesting the C&C obfuscation techniques adopted by the threat actors.

Hackers belonging to the APT17 are using the legitimate Microsoft’s TechNet web portal to host IP addresses for command and control (C&C) servers. The IP addresses for C&C servers are encoded by attackers, the encoded string is found in profiles and posts limited with the “@MICROSOFT” and “CORPORATION” tags.

The Chinese APT17 has been targeting United States government organizations, the military, NGOs, defense contractors, law firms, IT firms, and mining companies. One of the tools leveraged by the group is BLACKCOFFEE, a backdoor that can be used to upload and download files, create a reverse shell on the infected system, enumerate files and processes, manipulate files, and terminate processes.

The technique implemented by the attackers allows them to delay detection of malicious activities and the discovery of the C&C server’s IP address.

“After discovering the BLACKCOFFEE activity, the FireEye-Microsoft team encoded a sinkhole IP address into the profile pages and forum threads and locked the accounts to prevent the threat actors from making any changes,” states the report. 

The researchers involved in the investigation who analyzed the hacking tools used by the threat actors noticed the use of the BLACKCOFFEE backdoor, which could be used by attackers to perform several operations on the victim’s machine such as upload/download files, create a reverse shell, manipulate files, and kill processes.

The malware has been used since 2013 by the APT17 and researchers noticed that the C&C servers corresponding to the IP addresses on the Microsoft’s TechNet web portal are now controlling the malicious code.

APT17

The strain of BLACKCOFFEE backdoor detected by FireEye contains URLs that point to TechNet forum threads or biography sections in profiles created by the threat actors.

Once the malicious agent obtains the IP address of the C&C is obtained, the malware starts communicating with the server to receive commands and send back the exfiltrated data. The technique allows APT17 operators to improve resilience of the botnet to attacks of law enforcement, even if the C&C changes it is sufficient that malware load the new C&C list hosted on the Microsoft portal.

“If the C2 server is discovered or shut down, the threat actors can update the encoded IP address on TechNet to maintain control of the victims’ machines,” the companies explained in the report.

FireEye has published the Indicators of compromise on Github.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – APT17, cyber espionage)

[adrotate banner=”13″]