Trusted Design

Campaign on the Government of Thailand Delivers Bookworm Trojan

概要

Threat actors have delivered Bookworm as a payload in attacks on targets in Thailand. Readers who are interested in this campaign should start with our first blog that lays out the overall functionality of the malware and introduces its many components. Unit 42 does not have detailed targeting information for all known Bookworm samples, but we are aware of attempted attacks on at least two branches of government in Thailand. We speculate that other attacks delivering Bookworm were also targeting organizations in Thailand based on the contents of the associated decoys documents, as well as several of the dynamic DNS domain names used to host C2 servers that contain the words “Thai” or “Thailand”. Analysis of compromised systems seen communicating with Bookworm C2 servers also confirms our speculation on targeting with a majority of systems existing within Thailand.

Created: 2026-02-23

Indicators

• hostname - news.nhknews.hk -
• hostname - wmail.gotdns.com -
• hostname - tree.crabdance.com -
• hostname - news.nowpublic.us -
• hostname - education.suroot.com -
• hostname - anhei.gotdns.com -
• hostname - weather.webhop.me -
• hostname - pcal2.dwy.cc -
• hostname - web.vancouversun.us -
• hostname - will-smith.dtdns.net -
• hostname - web.voanews.hk -
• hostname - www.vxea.com -
• hostname - flashcard.gotdns.com -
• hostname - back.rooter.tk -
• hostname - www.ifilmone.com -
• hostname - www.tibetonline.info -
• hostname - welcometohome.strangled.net -
• hostname - breaknews.mefound.com -
• hostname - webupdate.strangled.net -
• hostname - supercat.strangled.net -
• hostname - server.organiccrap.com -
• hostname - hope.jumpingcrab.com -
• hostname - ftpseck.ftp21.net -
• hostname - happy.tftpd.net -
• hostname - romadc.homelinux.com -
• hostname - bugatti.from-wa.com -
• hostname - news.voanews.hk -
• hostname - systeminfothai.gotdns.ch -
• hostname - www.chinabztech.com -
• hostname - ahcase.gotdns.com -
• hostname - web12.nhknews.hk -
• hostname - blog.nhknews.hk -
• hostname - wuzhiting.3322.org -
• hostname - sysnc.sytes.net -
• hostname - 3389temp.dyndns.org -
• hostname - flashgame.gotdns.com -
• hostname - xcase.gotdns.com -
• hostname - thailandbbs.ddns.net -
• hostname - durant.dumb1.com -
• hostname - kcase.gotdns.com -
• hostname - nine.alltosec.com -
• domain - windowsupdating.net -
• hostname - welcome.dnsd.info -
• hostname - pricetag.deaftone.com -
• hostname - bkmail.blogdns.com -
• hostname - williamsblog.dtdns.net -
• hostname - ns1.vancouversun.us -
• hostname - products.alltosec.com -
• hostname - office.alltosec.com -
• URL - http://bdimg.s.dwy.cc -
• hostname - 3389.homeunix.org -
• hostname - www.rooter.tk -
• hostname - app.rooter.tk -
• hostname - kr-update.homelinux.com -
• hostname - ns3.yomiuri.us -
• hostname - zz.alltosec.com -
• hostname - apple.dynamic-dns.net -
• hostname - sswwmail.gotdns.com -
• hostname - qemail.gotdns.com -
• domain - googleupdating.com -
• hostname - luotuozhizhu.blog.163.com -
• hostname - debain.servehttp.com -
• hostname - xxcase.gotdns.com -
• hostname - succ.gotdns.com -
• hostname - 3h01.dwy.cc -
• hostname - hkemail.f3322.org -
• hostname - linuxdns.sytes.net -
• hostname - imail.gotdns.com -
• hostname - ubuntudns.sytes.net -
• hostname - wucy08.eicp.net -
• hostname - pcal2.yahoolive.us -
• hostname - 3389pi.servegame.org -
• hostname - sswmail.gotdns.com -
• hostname - n5579a.voanews.hk -

類似Pulses

• Bookworm Trojan: A Model of Modular Architecture (score: 0.70)
• KingKong.dll - Recent PoisonIvy and PlugX variants targeting South East Asia (score: 0.69)
• Chinese Actors attacks on US Government and EU Media (score: 0.67)
• Malware domain Thailand (score: 0.67)
• Defending the White Elephant (score: 0.65)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る