Ketrum and Backdoor Recycling by Ke3chang APT

The Ke3chang hacking group has developed a new malware - Ketrum - by combining source codes and features from their older Okrum and Ketrican backdoors.

Evolutionary history

  • The samples discovered were a combination of Okrum and Ketrican backdoors, which was found in 2019.  
  • Two new samples were detected in 2019, one of which was similar to the 2018 Ketrican backdoor, and the other one evolved from it.
  • The Ketrican samples found in 2018 were the most evolved Ketrican backdoors, with an option to load DLL to the conventional set of supported commands.


The threat actor

Ke3chang is an APT group, also known as Royal APT, Vixen Panda, APT15, and Playful Dragon, that has been operating since 2010. The group targets a vast range of sectors, including the oil and military sectors, along with European diplomatic organizations and government contractors.

What the experts are saying

  • The tools used by Ke3chang, such as Ketrican, Okrum, Mirage, Ketrum, and TidePool, serve the same purpose, with the exception of a few attributes.
  • The group morphs its code and switches basic functionalities across their several backdoors.

Worth noting

  • The IOCs related to the new backdoor can be found here.
  • Ke3chang-attributed malware is developed by various teams and the developers of Ketrum are believed to be different from the developers of Ketrican and Okrum, even though they are related.

In essence

This is the golden age for cyber espionage due to the prevalence of malware focused on stealing sensitive information and providing backdoor capabilities. The Ke3chang group's tools have not been modified much since it was initially discovered. Besides making minor changes to create new malware variants, Ke3chang has not shown any signs of deviating from their usual TTPs.