Trusted Design

Tracking Elirks Variants in Japan: Similarities to Previous Attacks

Overview

Elirks, less widely known than PlugX, is a basic backdoor Trojan, first discovered in 2010, that is primarily used to steal information from compromised systems. We mostly observe attacks using Elirks occurring in East Asia. One of the unique features of the malware is that it retrieves its C2 address by accessing a pre-determined microblog service or SNS. Attackers create accounts on those services and post encoded IP addresses or the domain names of real C2 servers in advance of distributing the backdoor. We have seen multiple Elirks variants using Japanese blog services for the last couple of years. Figure 1 shows the embedded URL in an Elirks sample found in early 2016.

Created: 2026-02-23

Indicators

Similar Pulses

Threat actors related to this pulse (fact-based)

Ember Bear

Score: 5.63
Matched TTPs:
  • T1564.008 - Email Hiding Rules
  • T1218.010 - Regsvr32

Sandworm Team

Score: 21.10
Matched TTPs:
  • T1564.008 - Email Hiding Rules
  • T1566.002 - Spearphishing Link
  • T1091 - Replication Through Removable Media
  • T1134.002 - Create Process with Token
  • T1102.003 - One-Way Communication
  • T1547.002 - Authentication Package
  • T1218.010 - Regsvr32
  • T1546.016 - Installer Packages

APT41

Score: 14.29
Matched TTPs:
  • T1560.003 - Archive via Custom Method
  • T1588.001 - Malware
  • T1218.010 - Regsvr32
  • T1002 - Data Compressed
  • T1008 - Fallback Channels

Scattered Spider

Score: 13.43
Matched TTPs:
  • T1560.003 - Archive via Custom Method
  • T1566.002 - Spearphishing Link
  • T1144 - Gatekeeper Bypass
  • T1498 - Network Denial of Service

TA505

Score: 5.26
Matched TTPs:
  • T1560.003 - Archive via Custom Method
  • T1091 - Replication Through Removable Media

Volt Typhoon

Score: 11.93
Matched TTPs:
  • T1560.003 - Archive via Custom Method
  • T1134.002 - Create Process with Token
  • T1102.003 - One-Way Communication
  • T1546.016 - Installer Packages

APT3

Score: 11.15
Matched TTPs:
  • T1560.003 - Archive via Custom Method
  • T1547.011 - Plist Modification
  • T1218.010 - Regsvr32
  • T1578.002 - Create Cloud Instance

FIN13

Score: 9.23
Matched TTPs:
  • T1560.003 - Archive via Custom Method
  • T1144 - Gatekeeper Bypass
  • T1588.001 - Malware

Sidewinder

Score: 3.95
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1218.010 - Regsvr32

Mustang Panda

Score: 21.03
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1091 - Replication Through Removable Media
  • T1612 - Build Image on Host
  • T1608.005 - Link Target
  • T1102.003 - One-Way Communication
  • T1218.010 - Regsvr32
  • T1526 - Cloud Service Discovery
  • T1055.005 - Thread Local Storage

Silent Librarian

Score: 4.98
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1134.002 - Create Process with Token

ZIRCONIUM

Score: 8.96
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1588.001 - Malware
  • T1608.005 - Link Target
  • T1547.002 - Authentication Package

APT32

Score: 23.36
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1091 - Replication Through Removable Media
  • T1134.002 - Create Process with Token
  • T1592.004 - Client Configurations
  • T1588.001 - Malware
  • T1612 - Build Image on Host
  • T1608.005 - Link Target
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI
  • T1490 - Inhibit System Recovery

Kimsuky

Score: 29.13
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1091 - Replication Through Removable Media
  • T1134.002 - Create Process with Token
  • T1588.001 - Malware
  • T1608.005 - Link Target
  • T1102.003 - One-Way Communication
  • T1547.002 - Authentication Package
  • T1526 - Cloud Service Discovery
  • T1008 - Fallback Channels
  • T1053.002 - At
  • T1490 - Inhibit System Recovery

Magic Hound

Score: 20.16
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1134.002 - Create Process with Token
  • T1588.001 - Malware
  • T1608.005 - Link Target
  • T1547.002 - Authentication Package
  • T1578.002 - Create Cloud Instance
  • T1059.012 - Hypervisor CLI
  • T1053.002 - At

APT28

Score: 21.95
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1547.011 - Plist Modification
  • T1608.005 - Link Target
  • T1547.002 - Authentication Package
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI
  • T1146 - Clear Command History
  • T1546.007 - Netsh Helper DLL

Star Blizzard

Score: 7.72
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1091 - Replication Through Removable Media
  • T1102.003 - One-Way Communication

Moonstone Sleet

Score: 6.95
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1091 - Replication Through Removable Media
  • T1134.002 - Create Process with Token

CURIUM

Score: 7.85
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1218.001 - Compiled HTML File
  • T1059.012 - Hypervisor CLI

Dragonfly

Score: 12.17
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1218.010 - Regsvr32
  • T1578.002 - Create Cloud Instance
  • T1059.012 - Hypervisor CLI
  • T1546.016 - Installer Packages

Patchwork

Score: 9.00
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI
  • T1008 - Fallback Channels

TA2541

Score: 6.73
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1608.005 - Link Target
  • T1128 - Netsh Helper DLL

Earth Lusca

Score: 12.21
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1608.005 - Link Target
  • T1218.001 - Compiled HTML File
  • T1059.012 - Hypervisor CLI
  • T1546.016 - Installer Packages

Mustard Tempest

Score: 7.02
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1059.012 - Hypervisor CLI
  • T1053.002 - At

OilRig

Score: 13.90
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1218.010 - Regsvr32
  • T1592.002 - Software
  • T1128 - Netsh Helper DLL
  • T1526 - Cloud Service Discovery

TeamTNT

Score: 4.50
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1612 - Build Image on Host

LazyScripter

Score: 6.51
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1612 - Build Image on Host
  • T1608.005 - Link Target

Gamaredon Group

Score: 16.88
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1612 - Build Image on Host
  • T1608.005 - Link Target
  • T1606.001 - Web Cookies
  • T1554 - Compromise Host Software Binary
  • T1547.002 - Authentication Package

Threat Group-3390

Score: 8.38
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI
  • T1526 - Cloud Service Discovery

SideCopy

Score: 5.26
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1053.002 - At

BlackByte

Score: 5.82
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1606.001 - Web Cookies

BITTER

Score: 5.56
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1588.001 - Malware
  • T1218.010 - Regsvr32

HEXANE

Score: 6.89
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1134.002 - Create Process with Token
  • T1547.002 - Authentication Package

Saint Bear

Score: 8.00
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1134.002 - Create Process with Token
  • T1608.005 - Link Target
  • T1218.010 - Regsvr32

Contagious Interview

Score: 11.81
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1608.005 - Link Target
  • T1102.003 - One-Way Communication
  • T1221 - Template Injection

FIN7

Score: 11.14
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1588.001 - Malware
  • T1608.005 - Link Target
  • T1547.002 - Authentication Package
  • T1490 - Inhibit System Recovery

EXOTIC LILY

Score: 8.51
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1134.002 - Create Process with Token
  • T1612 - Build Image on Host
  • T1218.010 - Regsvr32

APT42

Score: 7.24
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1612 - Build Image on Host
  • T1128 - Netsh Helper DLL

MoustachedBouncer

Score: 4.54
Matched TTPs:
  • T1055.003 - Thread Execution Hijacking

APT39

Score: 5.14
Matched TTPs:
  • T1547.011 - Plist Modification
  • T1547.002 - Authentication Package

Tonto Team

Score: 4.24
Matched TTPs:
  • T1547.011 - Plist Modification
  • T1218.010 - Regsvr32

Lazarus Group

Score: 29.47
Matched TTPs:
  • T1547.011 - Plist Modification
  • T1134.002 - Create Process with Token
  • T1588.001 - Malware
  • T1608.005 - Link Target
  • T1606.001 - Web Cookies
  • T1547.002 - Authentication Package
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI
  • T1546.016 - Installer Packages
  • T1055.005 - Thread Local Storage
  • T1216 - System Script Proxy Execution

APT29

Score: 12.76
Matched TTPs:
  • T1547.011 - Plist Modification
  • T1592.004 - Client Configurations
  • T1608.005 - Link Target
  • T1218.010 - Regsvr32
  • T1490 - Inhibit System Recovery

MuddyWater

Score: 8.65
Matched TTPs:
  • T1547.011 - Plist Modification
  • T1608.005 - Link Target
  • T1547.002 - Authentication Package
  • T1218.010 - Regsvr32

Winter Vivern

Score: 12.02
Matched TTPs:
  • T1548 - Abuse Elevation Control Mechanism
  • T1588.001 - Malware
  • T1218.001 - Compiled HTML File
  • T1059.012 - Hypervisor CLI

HAFNIUM

Score: 7.20
Matched TTPs:
  • T1134.002 - Create Process with Token
  • T1608.005 - Link Target
  • T1490 - Inhibit System Recovery

Aquatic Panda

Score: 5.94
Matched TTPs:
  • T1144 - Gatekeeper Bypass
  • T1588.001 - Malware

BRONZE BUTLER

Score: 10.39
Matched TTPs:
  • T1592.004 - Client Configurations
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI
  • T1008 - Fallback Channels

Carbanak

Score: 4.49
Matched TTPs:
  • T1588.001 - Malware
  • T1547.002 - Authentication Package

Wizard Spider

Score: 5.25
Matched TTPs:
  • T1588.001 - Malware
  • T1526 - Cloud Service Discovery

FIN6

Score: 7.36
Matched TTPs:
  • T1588.001 - Malware
  • T1612 - Build Image on Host
  • T1128 - Netsh Helper DLL

Fox Kitten

Score: 4.62
Matched TTPs:
  • T1588.001 - Malware
  • T1612 - Build Image on Host

PROMETHIUM

Score: 6.53
Matched TTPs:
  • T1588.001 - Malware
  • T1059.012 - Hypervisor CLI
  • T1490 - Inhibit System Recovery

UNC3886

Score: 3.59
Matched TTPs:
  • T1588.001 - Malware
  • T1218.010 - Regsvr32

Higaisa

Score: 3.59
Matched TTPs:
  • T1588.001 - Malware
  • T1218.010 - Regsvr32

RedCurl

Score: 5.27
Matched TTPs:
  • T1612 - Build Image on Host
  • T1128 - Netsh Helper DLL

Inception

Score: 4.02
Matched TTPs:
  • T1612 - Build Image on Host
  • T1218.010 - Regsvr32

Rocke

Score: 5.81
Matched TTPs:
  • T1612 - Build Image on Host
  • T1008 - Fallback Channels

FIN8

Score: 8.42
Matched TTPs:
  • T1612 - Build Image on Host
  • T1128 - Netsh Helper DLL
  • T1526 - Cloud Service Discovery

Turla

Score: 17.82
Matched TTPs:
  • T1612 - Build Image on Host
  • T1608.005 - Link Target
  • T1218.001 - Compiled HTML File
  • T1547.002 - Authentication Package
  • T1059.012 - Hypervisor CLI
  • T1546.016 - Installer Packages
  • T1490 - Inhibit System Recovery

Medusa Group

Score: 8.38
Matched TTPs:
  • T1608.005 - Link Target
  • T1128 - Netsh Helper DLL
  • T1216 - System Script Proxy Execution

Confucius

Score: 3.51
Matched TTPs:
  • T1608.005 - Link Target
  • T1218.010 - Regsvr32

POLONIUM

Score: 4.41
Matched TTPs:
  • T1608.005 - Link Target
  • T1547.002 - Authentication Package

Leviathan

Score: 10.22
Matched TTPs:
  • T1554 - Compromise Host Software Binary
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI
  • T1546.016 - Installer Packages

APT37

Score: 9.28
Matched TTPs:
  • T1547.002 - Authentication Package
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI
  • T1216 - System Script Proxy Execution

APT12

Score: 3.89
Matched TTPs:
  • T1547.002 - Authentication Package
  • T1218.010 - Regsvr32

Andariel

Score: 3.26
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI

BlackTech

Score: 4.65
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1526 - Cloud Service Discovery

Axiom

Score: 7.80
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI
  • T1160 - Launch Daemon

Cobalt Group

Score: 4.24
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1128 - Netsh Helper DLL

Sea Turtle

Score: 4.16
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1490 - Inhibit System Recovery

Transparent Tribe

Score: 6.54
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI
  • T1053.002 - At

Tropic Trooper

Score: 6.91
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1128 - Netsh Helper DLL
  • T1490 - Inhibit System Recovery

Elderwood

Score: 3.26
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI

Darkhotel

Score: 3.26
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI

Volatile Cedar

Score: 4.13
Matched TTPs:
  • T1002 - Data Compressed

Storm-1811

Score: 8.16
Matched TTPs:
  • T1567.003 - Exfiltration to Text Storage Sites
  • T1578.002 - Create Cloud Instance

Velvet Ant

Score: 5.41
Matched TTPs:
  • T1128 - Netsh Helper DLL
  • T1490 - Inhibit System Recovery

RTM

Score: 5.05
Matched TTPs:
  • T1059.012 - Hypervisor CLI
  • T1008 - Fallback Channels

APT38

Score: 5.39
Matched TTPs:
  • T1059.012 - Hypervisor CLI
  • T1216 - System Script Proxy Execution

Daggerfly

Score: 4.60
Matched TTPs:
  • T1059.012 - Hypervisor CLI
  • T1546.016 - Installer Packages

Equation

Score: 4.13
Matched TTPs:
  • T1130 - Install Root Certificate

Strider

Score: 4.13
Matched TTPs:
  • T1130 - Install Root Certificate

Indrik Spider

Score: 6.68
Matched TTPs:
  • T1498 - Network Denial of Service
  • T1546.016 - Installer Packages

Salt Typhoon

Score: 3.84
Matched TTPs:
  • T1498 - Network Denial of Service

APT1

Score: 3.29
Matched TTPs:
  • T1053.002 - At

Threat actors related to this pulse (inference-based)

Lazarus Group

Score: 0.81
Matched TTPs:
  • T1547.011 - Plist Modification
  • T1134.002 - Create Process with Token
  • T1055.005 - Thread Local Storage
  • T1216 - System Script Proxy Execution
  • T1546.016 - Installer Packages
  • T1606.001 - Web Cookies
  • T1059.012 - Hypervisor CLI
  • T1588.001 - Malware
  • T1218.010 - Regsvr32
  • T1608.005 - Link Target
  • T1547.002 - Authentication Package

Kimsuky

Score: 0.81
Matched TTPs:
  • T1526 - Cloud Service Discovery
  • T1490 - Inhibit System Recovery
  • T1008 - Fallback Channels
  • T1053.002 - At
  • T1134.002 - Create Process with Token
  • T1091 - Replication Through Removable Media
  • T1588.001 - Malware
  • T1608.005 - Link Target
  • T1102.003 - One-Way Communication
  • T1547.002 - Authentication Package
  • T1566.002 - Spearphishing Link

APT32

Score: 0.67
Matched TTPs:
  • T1592.004 - Client Configurations
  • T1490 - Inhibit System Recovery
  • T1134.002 - Create Process with Token
  • T1612 - Build Image on Host
  • T1091 - Replication Through Removable Media
  • T1059.012 - Hypervisor CLI
  • T1588.001 - Malware
  • T1218.010 - Regsvr32
  • T1608.005 - Link Target
  • T1566.002 - Spearphishing Link

APT28

Score: 0.63
Matched TTPs:
  • T1547.011 - Plist Modification
  • T1059.012 - Hypervisor CLI
  • T1146 - Clear Command History
  • T1546.007 - Netsh Helper DLL
  • T1218.010 - Regsvr32
  • T1608.005 - Link Target
  • T1547.002 - Authentication Package
  • T1566.002 - Spearphishing Link

Mustang Panda

Score: 0.61
Matched TTPs:
  • T1526 - Cloud Service Discovery
  • T1612 - Build Image on Host
  • T1055.005 - Thread Local Storage
  • T1091 - Replication Through Removable Media
  • T1218.010 - Regsvr32
  • T1608.005 - Link Target
  • T1102.003 - One-Way Communication
  • T1566.002 - Spearphishing Link

Sandworm Team

Score: 0.61
Matched TTPs:
  • T1564.008 - Email Hiding Rules
  • T1134.002 - Create Process with Token
  • T1091 - Replication Through Removable Media
  • T1546.016 - Installer Packages
  • T1218.010 - Regsvr32
  • T1102.003 - One-Way Communication
  • T1547.002 - Authentication Package
  • T1566.002 - Spearphishing Link

Magic Hound

Score: 0.57
Matched TTPs:
  • T1578.002 - Create Cloud Instance
  • T1053.002 - At
  • T1134.002 - Create Process with Token
  • T1059.012 - Hypervisor CLI
  • T1588.001 - Malware
  • T1608.005 - Link Target
  • T1547.002 - Authentication Package
  • T1566.002 - Spearphishing Link

Turla

Score: 0.56
Matched TTPs:
  • T1490 - Inhibit System Recovery
  • T1612 - Build Image on Host
  • T1546.016 - Installer Packages
  • T1059.012 - Hypervisor CLI
  • T1608.005 - Link Target
  • T1218.001 - Compiled HTML File
  • T1547.002 - Authentication Package

Related CVEs

No CVEs were found in this pulse.
