Iron Tiger, a threat actor group, has upgraded its toolkit with an updated SysUpdate malware variant. Recently, research from Trend Micro shed light on one of the group’s tools that hides files at the kernel level. This new malware variant is now using more files in its infection routine, with some updated tactics. 

What has happened?

Between 2020 and 2021, security service firm Talent-Jump identified new samples for malware families linked to the Iron Tiger APT group, otherwise known as EmissaryPanda, APT27, and LuckyMouse.
  • In a recent sample of SysUpdate malware, the threat actor is using two new files data[.]res and config[.]res, in addition to the current three files dlpumgr32[.]exe, DLPPREM32[.]DLL, and DLPPREM32[.]bin.
  • The recent sample has many new and unique classes that feature a distinct naming convention, which is probably the result of a framework developed by the threat actor.
  • The sample included multiple features mostly observed in espionage backdoors, such as screenshot feature, command execution, process and services management, and file management functions.

A bit of history

In December 2020, a sample was found belonging to the SysUpdate malware family, known as Soldier, FOCUSFJORD, and HyperSSL. It was first reported by the NCC Group in 2018.
  • In March and October 2020, a kernel rootkit had been deployed with a similar working mechanism as the NDISProxy driver and remote access trojan. The kernel rootkit was dropping a backdoor named Pandora.
  • In December, an updated version of the HyperBro malware family was believed to be used by this APT group. In addition, the APT group used the FRP tool on a Linux host similar to Avast’s findings in a report.
  • In some instances, the threat group exploited the Microsoft Exchange vulnerability (CVE-2020-0688).


Over time, Iron Tiger has devised new methods for launching its malware. In addition, it has adopted a new rootkit used for hiding backdoors, which means tracking and detecting these changes will be very difficult. Therefore, to stay safe from such threats, organizations should adapt their existing defense with ongoing trends in the threat landscape.
Cyware Publisher