Chinotto Backdoor Technical Analysis of the APT Reaper’s Powerful Weapon

2023-03-28 Threat Mon

https://threatmon.io/wp-content/uploads/2023/03/Chinotto_Backdoor_Technical_Analysis_of_the_APT_Reapers_Powerful.pdf

Attachments

Chinotto_Backdoor_Technical_Analysis_of_the_APT_Reapers_Powerful.pdf (593 KB)

ThreatMon analyzes Chinotto, a C++ DLL backdoor linked in the report to North Korea-based APT37/Reaper activity. The sample creates the mutex IUAvx6CHOil92jqFiHCjiPhzDC, configures C2 communication to 172.93.193.158 over /Data/goldll/proc.php, and encodes host and user information by XORing it with the key PEXdRUSBACXX3DAD before Base64 encoding. Its command set supports shell execution through ShellExecute and cmd.exe, file retrieval and upload, log upload, copying itself to the common documents folder, registry RUN-key persistence, self-update, keylogging, screenshots, and data exfiltration. The report provides a YARA rule and representative indicators including the C2 URL and SHA-256 hash d0ec6d91cf9e7c64cf11accadf18f8b5a18a10efbecb28f797b3dbbf74ae846d.
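The summary above says the backdoor XORs host and user information with the key PEXdRUSBACXX3DAD and then Base64-encodes it before sending it to the C2 path. An analyst reviewing proxy logs for that path will want to reverse that encoding to see what was exfiltrated. The following Python is an added example written for this page, not code from ThreatMon or from the malware; the key and C2 path come from the report, while the repeating-key XOR, the `host|user` plaintext layout, the log-line format and the `body=` field are assumptions constructed for the demonstration.

```python
import base64
import binascii
import re
from itertools import cycle

# Key reported on the page. This example assumes the key repeats
# over the plaintext (classic repeating-key XOR); the report does not
# spell out the cycling rule.
XOR_KEY = b"PEXdRUSBACXX3DAD"
# C2 path reported on the page; used to pick candidate log lines.
C2_PATH = "/Data/goldll/proc.php"
# Base64-looking tokens of at least 16 characters, optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; the same function encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_beacon(plaintext: bytes, key: bytes = XOR_KEY) -> str:
    """Reproduce the reported XOR-then-Base64 encoding (used here only
    to build constructed test traffic)."""
    return base64.b64encode(xor_with_key(plaintext, key)).decode("ascii")


def decode_beacon(b64: str, key: bytes = XOR_KEY) -> bytes:
    """Reverse the encoding: Base64-decode, then XOR with the key.
    Raises binascii.Error on malformed Base64."""
    raw = base64.b64decode(b64, validate=True)
    return xor_with_key(raw, key)


def looks_like_beacon(b64: str, key: bytes = XOR_KEY) -> bool:
    """Heuristic check: the token decodes cleanly and the result is
    printable ASCII, which is what a host/user string would look like."""
    try:
        plaintext = decode_beacon(b64, key)
    except (ValueError, binascii.Error):
        return False
    return len(plaintext) > 0 and all(32 <= c < 127 for c in plaintext)


def triage_log_lines(lines, key: bytes = XOR_KEY):
    """Scan log lines for the C2 path and return (line, decoded) pairs
    for every Base64 token that decodes to a plausible beacon string."""
    hits = []
    for line in lines:
        if C2_PATH not in line:
            continue
        for token in B64_TOKEN.findall(line):
            if looks_like_beacon(token, key):
                hits.append((line, decode_beacon(token, key).decode("ascii")))
    return hits


# Constructed sample proxy log lines (not real traffic). The "host|user"
# layout and the body= field are assumptions made for this example.
SAMPLE_LOG = [
    "2023-03-16T10:02:11Z 10.0.0.5 -> 172.93.193.158 POST " + C2_PATH
    + " body=" + encode_beacon(b"WIN-ABC123|alice"),
    "2023-03-16T10:02:12Z 10.0.0.7 -> 93.184.216.34 GET /index.html body=",
    "2023-03-16T10:02:13Z 10.0.0.9 -> 172.93.193.158 POST " + C2_PATH
    + " body=" + encode_beacon(b"HOST-XYZ|bob"),
]

if __name__ == "__main__":
    for line, decoded in triage_log_lines(SAMPLE_LOG):
        print(f"{line}\n  -> decoded beacon: {decoded}")
```

The printable-ASCII heuristic keeps false positives down when other Base64 tokens appear in the same line, and the `validate=True` flag rejects tokens that merely resemble Base64. If the real sample turns out to pad or truncate the key differently, only `xor_with_key` needs to change.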

Indicators of Compromise

Type   Value                                   First Seen   Last Seen
YARA   Armageddon_Pteranodon                   2023-03-28   2023-03-28
HASH   d0ec6d91cf9e7c64cf11accadf18f8b…        2023-03-28   2023-03-28
IPv4   172.93.193.158                          2023-03-16   2023-03-28
