Dark River. You can't see them, but they're there
2023-09-27 • Ptsecurity
An investigation at a Russian industrial enterprise found a previously unseen modular backdoor, MataDoor, running with filenames chosen to mimic legitimate software and, in some cases, valid Sectigo signatures and Themida packing. The suspected initial access was a phishing DOCX tailored to defense-industry targets that exploited CVE-2021-40444 after the user enabled editing, with similar HTML-encoded payload URLs also seen in 2021 attacks against Russian defense organizations. MataDoor uses a loader service for persistence, encrypted configuration, an orchestrator-and-plugin architecture, and C2-driven functional and transport modules for long-term covert access. Kaspersky had associated the related MATAv5 backdoor with Lazarus activity, but the authors of this investigation state they could not definitively identify the tool’s operator and track the campaign as Dark River.
Indicators of Compromise