{ "type": "bundle", "id": "bundle--8a9e02ab-a1b0-4600-86a5-45d2cde92c9b", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--0477fe22-5e88-4b44-8d73-c5e43c65d520", "created": "2023-03-08T12:51:45.70432Z", "modified": "2023-03-08T12:51:45.704399Z", "name": "Stairwell", "identity_class": "organization" }, { "type": "file", "spec_version": "2.1", "id": "file--7bc44ede-79e8-4460-b0b5-f605bb0272d2", "hashes": { "SHA-256": "485246b411ef5ea9e903397a5490d106946a8323aaf79e6041bdf94763a0c028" } }, { "type": "url", "spec_version": "2.1", "id": "url--fcee3688-9227-4b77-8248-d17eae92598e", "value": "https://1drv.ms/u/s!Ar9zfrwxWWEoas5XiW9Me14ia" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d59e6ee8-55d8-4719-bfda-82def2fef84b", "created": "2026-06-24T22:23:05.960188Z", "modified": "2026-06-24T22:23:05.960188Z", "name": "YARA Rule", "pattern": "rule NK_GOLDBACKDOOR_Main\r\n{\r\nmeta:\r\nauthor= \"Silas Cutler\"\r\ndescription = \"Detection for Main component of GOLDBACKDOOR\"\r\nversion = \"0.1\"\r\nstrings:\r\n$str1 = \"could not exec bash command.\" wide\r\n$str2 = \"%userprofile%\\\\AppData\" wide\r\n$str3 = \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/90.0.3112.113 Safari/537.36\" wide\r\n$str4 = \"tickount: %d\"\r\n$str5 = \"Service-0x\" wide\r\n$str6 = \"Main Returned\"\r\n$b64_1 = \"TwBuAGUARAByAHYAVQBwAGQAYQB0AGUAAAA=\"\r\n$b64_2 = \"aGFnZW50dHJheQ==\"\r\n$b64_3 = \"YXBwbGljYXRpb24vdm5kLmdvb2dsZS1hcHBzLmZvbGRlcg==\"\r\n$pdb = \"D:\\\\Development\\\\GOLD-BACKDOOR\\\\\"\r\ncondition:\r\n4 of them or ( $pdb and 1 of them )\r\n}", "pattern_type": "yara", "valid_from": "2022-04-21T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--dd6ad9f8-576e-430f-9167-fa8db66161c3", "created": "2026-06-24T22:23:05.961073Z", "modified": "2026-06-24T22:23:05.961073Z", "name": "YARA Rule", "pattern": "rule NK_GOLDBACKDOOR_generic_shellcode\r\n{\r\nmeta:\r\nauthor= \"Silas Cutler (silas@Stairwell.com)\"\r\ndescription = \"Generic detection for shellcode used to drop GOLDBACKDOOR\"\r\nversion = \"0.1\"\r\nstrings:\r\n$ = { B9 8E 8A DD 8D 8B F0 E8 ?? ?? ?? ?? FF D0 }\r\n$ = { B9 8E AB 6F 40 [1-10] 50 [1-10] E8 ?? ?? ?? ?? FF D0 }\r\ncondition:\r\nall of them\r\n}", "pattern_type": "yara", "valid_from": "2022-04-21T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ebe8aa22-501c-4a52-9ddb-e060d40f725e", "created": "2026-06-24T22:23:05.961822Z", "modified": "2026-06-24T22:23:05.961822Z", "name": "YARA Rule", "pattern": "rule NK_GOLDBACKDOOR_injected_shellcode\r\n{\r\nmeta:\r\nauthor= \"Silas Cutler (silas@Stairwell.com)\"\r\ndescription = \"Detection for injected shellcode that decodes GOLDBACKDOOR\"\r\nversion = \"0.1\"\r\nstrings:\r\n$dec_routine = { 8A 19 57 8B FA 8B 51 01 83 C1 05 85 D2 74 0E 56 8B C1 8B F2 30 18 40 83\r\nEE 01 75 F8 5E 57 }\r\n$rtlfillmemory_load = {B9 4B 17 CD 5B 55 56 33 ED 55 6A 10 50 E8 86 00 00 00 FF D0}\r\n$ = \"StartModule\"\r\n$log_file_name = {C7 44 24 3C 25 6C 6F 63 50 8D 44 24 40 C7 44 24 44 61 6C 61 70 50 B9 BD\r\n88 17 75 C7 44 24 4C 70 64 61\r\n74 C7 44 24 50 61 25 5C 6C C7 44 24 54 6F 67 5F 67 C7 44 24 58 6F 6C 64 32 C7 44 24\r\n5C 2E 74 78 74}\r\n\r\n13\r\n\r\n04/2022\r\n\r\n\f\r\nThe ink-stained trail of GOLDBACKDOOR\r\nThreat report\r\n\r\n$ = { B9 8E 8A DD 8D 8B F0 E8 E9 FB FF FF FF D0 }\r\ncondition:\r\n3 of them\r\n}", "pattern_type": "yara", "valid_from": "2022-04-21T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--20707e95-dbcb-40a7-a649-dded06083030", "created": "2026-06-24T22:23:05.962452Z", "modified": "2026-06-24T22:23:05.962452Z", "name": "YARA Rule", "pattern": "rule NK_GOLDBACKDOOR_inital_shellcode\r\n{\r\nmeta:\r\nauthor= \"Silas Cutler (silas@Stairwell.com)\"\r\ndescription = \"Detection for initial shellcode loader used to deploy GOLDBACDOOR\"\r\nversion = \"0.1\"\r\nstrings:\r\n//seg000:07600058 8D 85 70 FE FF FF\r\nlea\r\neax, [ebp+var_190]\r\n//seg000:0760005E C7 45 C4 25 6C 6F 63\r\nmov\r\ndword ptr [ebp+var_3C],\r\n'col%'\r\n//seg000:07600065 50\r\npush\r\neax\r\n//...\r\n//seg000:0760008F C7 45 D8 6F 6C 64 2E\r\nmov\r\ndword ptr\r\n[ebp+var_3C+14h], '.dlo'\r\n//seg000:07600096 C7 45 DC 74 78 74 00\r\nmov\r\ndword ptr\r\n[ebp+var_3C+18h], 'txt'\r\n$ = { C7 45 C4 25 6C 6F 63 50 8D 45 C4 C7 45 C8 61 6C 61 70 8B F9 C7 45\r\nCC 70 64 61 74 50 B9 BD 88 17 75 C7 45 D0 61 25 5C 6C 8B DA C7 45 D4 6F\r\n67 5F 67 C7 45 D8 6F 6C 64 2E C7 45 DC 74 78 74 00 }\r\n// Import loaders\r\n$ = { 51 50 57 56 B9 E6 8E 85 35 E8 ?? ?? ?? ?? FF D0 }\r\n$ = { 6A 40 68 00 10 00 00 52 6A 00 FF 75 E0 B9 E3 18 90 72 E8 ?? ?? ?? ?? FF D0}\r\ncondition:\r\nall of them\r\n}", "pattern_type": "yara", "valid_from": "2022-04-21T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--32723383-f22a-45b4-a0c8-203c3d32f1ea", "created": "2026-06-24T22:23:05.963162Z", "modified": "2026-06-24T22:23:05.963162Z", "name": "YARA Rule", "pattern": "rule NK_GOLDBACKDOOR_obf_payload\r\n{\r\nmeta:\r\nauthor= \"Silas Cutler (silas@Stairwell.com)\"\r\ndescription = \"Detection for encoded shellcode payload downloaded by LNK file that drops\r\nGOLDBACKDOOR\"\r\nversion = \"0.1\"\r\nstrings:\r\n$init = { e6b3 6d0a 6502 1e67 0aee e7e6 e66b eac2 }\r\ncondition:\r\n\r\n12\r\n\r\n04/2022\r\n\r\n\f\r\nThe ink-stained trail of GOLDBACKDOOR\r\nThreat report\r\n\r\n$init at 0\r\n}", "pattern_type": "yara", "valid_from": "2022-04-21T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5472578a-cfc1-44ed-ac86-2dc7d10732c8", "created": "2026-06-24T22:23:05.963792Z", "modified": "2026-06-24T22:23:05.963792Z", "name": "YARA Rule", "pattern": "rule NK_GOLDBACKDOOR_LNK_payload\r\n{\r\nmeta:\r\nauthor= \"Silas Cutler (silas@Stairwell.com)\"\r\ndescription = \"Detection for obfuscated Powershell contained in LNK file that deploys\r\nGOLDBACKDOOR\"\r\nversion = \"0.1\"\r\nstrings:\r\n$ = \"WriteByte($x0, $h-1, ($xmpw4[$h] -bxor $xmpw4[0]\" ascii wide nocase\r\ncondition:\r\nall of them\r\n}", "pattern_type": "yara", "valid_from": "2022-04-21T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2ef52674-17cc-4e54-9f0c-04e530328d09", "created": "2026-06-24T22:23:05.964566Z", "modified": "2026-06-24T22:23:05.964566Z", "name": "YARA Rule", "pattern": "rule NK_GOLDBACKDOOR_LNK\r\n{\r\nmeta:\r\nauthor= \"Silas Cutler (silas@Stairwell.com)\"\r\ndescription = \"Detection for LNK file used to deploy GOLDBACKDOOR\"\r\nversion = \"0.1\"\r\nstrings:\r\n$ = \"WINWORD.exe\" wide nocase\r\n$ = \"$won11 =\\\"$temple=\" wide\r\n$ = \"dirPath -Match 'System32' -or $dirPath -Match 'Program Files'\" wide\r\ncondition:\r\n2 of them and uint16(0) == 0x4c\r\n}", "pattern_type": "yara", "valid_from": "2022-04-21T00:00:00Z" }, { "type": "file", "spec_version": "2.1", "id": "file--49eca9e2-6326-4fa9-8584-c226dc68386c", "hashes": { "SHA-256": "9eddd99db6f5a7791f7e446792f04b301d29f6b0596920e8b39647cc7585185d" } }, { "type": "file", "spec_version": "2.1", "id": "file--677f4a39-5e9d-4d9c-b0b0-1e4b6ef9bfc5", "hashes": { "SHA-256": "18c9fd4f781789cd15cee4fcb18fa983897fc9876422d662a2243ff7499f5948" } }, { "type": "file", "spec_version": "2.1", "id": "file--8cc2b1b6-eada-4135-8d82-ce82a4687794", "hashes": { "SHA-256": "94ca32c0a3002574d7ea1bef094146a9d3b2ad0018b3e3d3f4ffca8689b89e5a" } }, { "type": "file", "spec_version": "2.1", "id": "file--b7498dbd-f5d5-4ab4-8023-c78ca939b144", "hashes": { "SHA-256": "c5369c2ce7f33d6cd209cd61226a0637adc809b864deb73a98d78bfed0883163" } }, { "type": "file", "spec_version": "2.1", "id": "file--81ea079f-822d-48c5-a369-265bfec25ad6", "hashes": { "SHA-256": "120ca851663ef0ebef585d716c9e2ba67bd4870865160fec3b853156be1159c5" } }, { "type": "url", "spec_version": "2.1", "id": "url--dc48f087-9c2c-43bc-a931-28a4f2c26f5e", "value": "https://api.onedrive.com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBcjl6ZnJ3eFdXRW9hczVYaV" }, { "type": "url", "spec_version": "2.1", "id": "url--687f2563-c4a0-43f4-9652-30bba63f7d43", "value": "https://main.dailynk.us/regex?id=oTks2&file=Kang" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--c793af3a-509a-42c3-9b39-c6ea64d6f0f5", "value": "main.dailynk.us" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--7a13473b-3a92-4546-90df-c5419e546800", "value": "142.93.201.77" }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--3be555f5-1f0d-5001-b84a-c6c910760fd0", "created": "2026-06-24T22:23:05.974897Z", "modified": "2026-06-24T22:23:05.974897Z", "name": "APT37" }, { "type": "report", "spec_version": "2.1", "id": "report--8214e43e-e815-4bb9-a074-59074d866134", "created_by_ref": "identity--0477fe22-5e88-4b44-8d73-c5e43c65d520", "created": "2026-06-24T22:23:05.977782Z", "modified": "2026-06-24T22:23:05.977782Z", "name": "The ink-stained trail of GOLDBACKDOOR", "published": "2022-04-21T00:00:00Z", "object_refs": [ "identity--0477fe22-5e88-4b44-8d73-c5e43c65d520", "file--7bc44ede-79e8-4460-b0b5-f605bb0272d2", "url--fcee3688-9227-4b77-8248-d17eae92598e", "indicator--d59e6ee8-55d8-4719-bfda-82def2fef84b", "indicator--dd6ad9f8-576e-430f-9167-fa8db66161c3", "indicator--ebe8aa22-501c-4a52-9ddb-e060d40f725e", "indicator--20707e95-dbcb-40a7-a649-dded06083030", "indicator--32723383-f22a-45b4-a0c8-203c3d32f1ea", "indicator--5472578a-cfc1-44ed-ac86-2dc7d10732c8", "indicator--2ef52674-17cc-4e54-9f0c-04e530328d09", "file--49eca9e2-6326-4fa9-8584-c226dc68386c", "file--677f4a39-5e9d-4d9c-b0b0-1e4b6ef9bfc5", "file--8cc2b1b6-eada-4135-8d82-ce82a4687794", "file--b7498dbd-f5d5-4ab4-8023-c78ca939b144", "file--81ea079f-822d-48c5-a369-265bfec25ad6", "url--dc48f087-9c2c-43bc-a931-28a4f2c26f5e", "url--687f2563-c4a0-43f4-9652-30bba63f7d43", "domain-name--c793af3a-509a-42c3-9b39-c6ea64d6f0f5", "ipv4-addr--7a13473b-3a92-4546-90df-c5419e546800", "threat-actor--3be555f5-1f0d-5001-b84a-c6c910760fd0" ], "external_references": [ { "source_name": "source", "url": "https://assets.stairwell.com/hubfs/Marketing-Assets/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf" } ] } ] }