A series of attacks were detected in January, which used PortDoor to backdoor government and defense organizations. The attacks were aimed at different countries in Eastern Europe.

Attack and the targets

Kaspersky has associated the campaign with a Chinese APT group named TA428. It is known for information theft and espionage attacks, targeting organizations in Eastern Europe and Asia.
  • The attackers compromised the networks of dozens of targets. In some cases, they took control of the victim’s entire IT infrastructure by hijacking systems used for managing security solutions.
  • They used Windows-based malware known as PortDoor.
  • The attack targeted industrial plants, design bureaus, research institutes, government agencies, ministries, and departments in Ukraine, Belarus, Russia, and Afghanistan.

Further, the analysis of the incidents implies that the key focus of these attacks was cyberespionage.

PortDoor deployment

  • The attacker used spear phishing emails laden with confidential details regarding targeted organizations and abused the CVE-2017-11882 flaw to deploy PortDoor.
  • Same as the other malware families used in this campaign, the new PortDoor backdoor allows the attackers to gather and steal system details and files from the infected systems.
  • Additionally, the threat group had installed more malware in the past (nccTrojan, Logtu, Cotx, and DNSep), along with a never seen threat named CotSam.
  • To spread CotSam, the attackers added a flawed version of Word together with the payload. For example, Microsoft Word 2007 on 32-bit systems and Word 2010 on 64-bit systems.

The stealing

  • After moving laterally inside networks using tools such as Ladon hacking utility (mostly used by Chinese threat actors), the attackers gained domain privileges and collected confidential files.
  • The information is sent to C2 servers located in different countries in encrypted and ZIP archives. However, all stolen data is forwarded by C2 servers to a second-stage server with a Chinese IP address.


The attack wave from the TA428 group is part of a known campaign detailed by multiple security firms. Further, researchers suspect that such threat groups are not going to stop or slow down their activities in the near future. Thus, organizations are suggested to have in-depth multi-layered security to stay protected.
Cyware Publisher