A cyberespionage campaign by Worok has been found targeting governments and high-profile organizations based in Central Asia, Southern Asia, Africa, and the Middle East since 2020. The threat group is using custom and existing malicious tools for its attacks.

About Worok and its campaign

Researchers from ESET tracked the threat group and believe that the group is looking for information from government entities.
  • The threat group has been associated with attacks aimed at telecommunications, maritime, banking, energy, military, government, and public sectors over a period of time.
  • In late 2020, it targeted a telecommunications firm in East Asia, a bank in Central Asia, a maritime industry in Southeast Asia, a government in the Middle East, and a private firm in Southern Africa.
  • In February 2022, researchers once again associated the group with new attacks on energy firms in Central Asia and a public sector firm in Southeast Asia.

The time of their activities and used toolset reveal a possible connection with TA428, an assessment with low confidence.

Tools and tactics 

The group used ProxyShell exploits for initial access, however, the access vector remains unknown for most attacks.
  • Once access was gained, the attackers deployed publicly available tools for reconnaissance such as Mimikatz, ReGeorg, EarthWorm, NBTscan, PowerShell, HTTP, ICMP, and WinRAR.
  • In addition, Worok's malicious toolset includes two loaders - a C++ loader named CLRLoad and a C# loader named PNGLoad. These loaders allow the attackers to hide malware payloads in PNG images using steganography.
  • For persistence, web shells are uploaded after abusing the vulnerabilities inside the victim's network.

A new backdoor in use

  • In addition to the above tools, a new PowerShell backdoor PowHeartBeat was used by Worok, which replaced CLRLoad in attacks observed from February. It was used to launch PNGLoad.
  • PowHeartBeat has several capabilities, such as file manipulation and process or command execution, along with downloading or uploading files to and from victims' systems.


Worok is developing its own tools, along with using existing tools to target its victims across multiple sectors. Thus, organizations are suggested to protect their sensitive information with multiple layers of security, such as firewalls, adequate encryption, and multi-factor authentication.
Cyware Publisher