APT-C-00 HailianhuaAPT-C-00 (Hailianhua) is a government-backed foreign hacker organization that primarily targets enterprises and government departments in East Asian countries. The 360 Advanced Threat Research Institute has been continuously monitoring the latest attacks from the Hailianhua organization.
I. Overview
Recently, the 360 Advanced Threat Research Institute captured a suspicious Trojan loader during routine threat hunting. Analysis revealed that its development environment and execution process are quite similar to those of the Hailianhua organization. It currently maintains an excellent evasion effect with zero detections.

II. Sample Analysis
| MD5 |
64062595582c36d0aed322e98108ff4b |
|
File Type |
DLL Dynamic Link Library |
|
File Size |
824,320 Bytes |
The sample entry dynamically retrieves the required API functions using hash algorithms.

The exported function MPI_Init creates a mutex “Global\MicrosoftMPI” to ensure single instance execution. Command line parameter validation is used to evade conventional automation processes. Once the parameter check passes, the command line is added to the registry startup item “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftMPI” for persistence, and finally, the function that executes the Shellcode is set as a VEH exception handler callback function, waiting for the right moment to be called.


It calls the exported function located at 0x1800760F0 to load the system file certmgr.dll, using a module hollowing technique to replace the code in the certmgr module’s .text section with Shellcode.

Shellcode is used to reflectively load the Havoc RAT[1].

III. Correlation Analysis
The sample is a DLL file, and most of the exported functions point to the same function address, suggesting that the sample itself is loaded using a white exploitation method, consistent with the common tactics and techniques of the Hailianhua organization.

The sample was developed using Mingw-w64, consistent with the development environment of the Hailianhua organization in recent years.

This captured sample uses the same algorithm as previously known phishing samples to dynamically retrieve API addresses during the initialization phase.

The Hailianhua organization’s loader typically involves creating mutexes, checking command lines, and persistence during the initialization steps. For persistence, previous loaders have directly written to the registry and decrypted Shellcode to write registry startup items. Additionally, the bait document release step may involve the loader opening a bait document from a phishing archive or embedding it within the loader itself. Each attack round varies slightly but is generally similar.


IV. ATT&CK
|
Persistence (TA0003) |
Defense Evasion (TA0005) |
|
Registry Startup Items/Startup Folder (T1547.001) |
DLL Side-Loading (T1574.002) |
|
Process Hollowing Execution Code (T1055.012) |
SummaryBe cautious of unknown links and attachments: Do not click on links in emails or messages, especially those from unfamiliar or suspicious sources. Even messages from familiar contacts should be carefully verified.Employee security awareness training: Regularly conduct cybersecurity training for employees, simulating phishing attacks to help them recognize phishing emails and other online threats.Network segmentation and isolation: Separate critical business systems, data storage, and employee networks, using firewalls and access control lists to restrict access between segments, preventing attackers from moving laterally after an intrusion.Regularly review and patch vulnerabilities: Conduct regular security audits and penetration testing to promptly identify and fix vulnerabilities, reducing the likelihood of exploitation.Appendix IOC
MD5
64062595582c36d0aed322e98108ff4b
2ca07512ba04df5d2d22a2c97d83cd5f
860c9bc3c291de45856218c2059e1117
ca1376132df84cb3be08d43114ad32d7
2da7798e8f7fbeafefbd297e3be5b21b
6725c332b0fe684fbc94df399ab726bc
963448d96d81138413f192dd80558d76
C&C
144.202.46.221[:]443
46.37.124.147[:]80References
[1]https://github.com/HavocFramework/Havoc
Team IntroductionTEAM INTRODUCTION360Advanced Threat Research InstituteThe 360 Advanced Threat Research Institute is the core capability support department of the 360 Enterprise Security Group, composed of senior security experts from 360, focusing on the discovery, defense, handling, and research of advanced threats. It has been the first to capture several well-known 0-day attacks globally, such as Double Kill, Double Star, and Nightmare Formula, and has exclusively disclosed advanced actions of multiple national-level APT organizations, gaining widespread recognition both inside and outside the industry, providing strong support for 360 in safeguarding national cybersecurity.