Pulse Detail-

Campaign on the Government of Thailand Delivers Bookworm Trojan

概要

Threat actors have delivered Bookworm as a payload in attacks on targets in Thailand. Readers who are interested in this campaign should start with our first blog that lays out the overall functionality of the malware and introduces its many components. Unit 42 does not have detailed targeting information for all known Bookworm samples, but we are aware of attempted attacks on at least two branches of government in Thailand. We speculate that other attacks delivering Bookworm were also targeting organizations in Thailand based on the contents of the associated decoys documents, as well as several of the dynamic DNS domain names used to host C2 servers that contain the words “Thai” or “Thailand”. Analysis of compromised systems seen communicating with Bookworm C2 servers also confirms our speculation on targeting with a majority of systems existing within Thailand.

Created: 2026-02-23

Indicators

類似Pulses

Bookworm Trojan: A Model of Modular Architecture (score: 0.70)
KingKong.dll - Recent PoisonIvy and PlugX variants targeting South East Asia (score: 0.69)
Chinese Actors attacks on US Government and EU Media (score: 0.67)
Malware domain Thailand (score: 0.67)
Defending the White Elephant (score: 0.65)

このPulseに関連する脅威アクター (事実ベース)

Volt Typhoon

Score: 30.23

Matched TTPs:

T1148 - HISTCONTROL
T1553.002 - Code Signing
T1049 - System Network Connections Discovery
T1552.008 - Chat Messages
T1102.003 - One-Way Communication
T1584.002 - DNS Server
T1546.016 - Installer Packages
T1574.002 - DLL Side-Loading

MITREへのリンク →

Ember Bear

Score: 9.47

Matched TTPs:

T1564.008 - Email Hiding Rules
T1005 - Data from Local System
T1218.010 - Regsvr32

MITREへのリンク →

Sandworm Team

Score: 40.07

Matched TTPs:

T1564.008 - Email Hiding Rules
T1091 - Replication Through Removable Media
T1005 - Data from Local System
T1098.007 - Additional Local or Domain Groups
T1193 - Spearphishing Attachment
T1049 - System Network Connections Discovery
T1122 - Component Object Model Hijacking
T1102.003 - One-Way Communication
T1187 - Forced Authentication
T1547.002 - Authentication Package
T1218.010 - Regsvr32
T1546.016 - Installer Packages
T1111 - Multi-Factor Authentication Interception

MITREへのリンク →

Andariel

Score: 10.95

Matched TTPs:

T1171 - LLMNR/NBT-NS Poisoning and Relay
T1187 - Forced Authentication
T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI

MITREへのリンク →

Magic Hound

Score: 31.04

Matched TTPs:

T1171 - LLMNR/NBT-NS Poisoning and Relay
T1070.003 - Clear Command History
T1098.007 - Additional Local or Domain Groups
T1588.001 - Malware
T1608.005 - Link Target
T1187 - Forced Authentication
T1547.002 - Authentication Package
T1578.002 - Create Cloud Instance
T1059.012 - Hypervisor CLI
T1547.008 - LSASS Driver
T1053.002 - At

MITREへのリンク →

HAFNIUM

Score: 20.61

Matched TTPs:

T1171 - LLMNR/NBT-NS Poisoning and Relay
T1059 - Command and Scripting Interpreter
T1049 - System Network Connections Discovery
T1608.005 - Link Target
T1552.008 - Chat Messages
T1122 - Component Object Model Hijacking

MITREへのリンク →

APT41

Score: 19.27

Matched TTPs:

T1539 - Steal Web Session Cookie
T1588.001 - Malware
T1218.010 - Regsvr32
T1002 - Data Compressed
T1574.002 - DLL Side-Loading
T1008 - Fallback Channels

MITREへのリンク →

TA551

Score: 6.88

Matched TTPs:

T1539 - Steal Web Session Cookie
T1027.014 - Polymorphic Code

MITREへのリンク →

Sea Turtle

Score: 9.60

Matched TTPs:

T1499.003 - Application Exhaustion Flood
T1098.007 - Additional Local or Domain Groups
T1122 - Component Object Model Hijacking
T1218.010 - Regsvr32

MITREへのリンク →

Axiom

Score: 15.26

Matched TTPs:

T1499.003 - Application Exhaustion Flood
T1049 - System Network Connections Discovery
T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI
T1160 - Launch Daemon

MITREへのリンク →

HEXANE

Score: 9.73

Matched TTPs:

T1499.003 - Application Exhaustion Flood
T1091 - Replication Through Removable Media
T1098.007 - Additional Local or Domain Groups
T1547.002 - Authentication Package

MITREへのリンク →

Salt Typhoon

Score: 3.84

Matched TTPs:

T1553.002 - Code Signing

MITREへのリンク →

FIN13

Score: 5.94

Matched TTPs:

T1553.002 - Code Signing
T1588.001 - Malware

MITREへのリンク →

BlackByte

Score: 9.73

Matched TTPs:

T1070.003 - Clear Command History
T1091 - Replication Through Removable Media
T1102.002 - Bidirectional Communication

MITREへのリンク →

TA2541

Score: 8.25

Matched TTPs:

T1091 - Replication Through Removable Media
T1098.007 - Additional Local or Domain Groups
T1608.005 - Link Target
T1128 - Netsh Helper DLL

MITREへのリンク →

Earth Lusca

Score: 13.72

Matched TTPs:

T1091 - Replication Through Removable Media
T1098.007 - Additional Local or Domain Groups
T1608.005 - Link Target
T1218.001 - Compiled HTML File
T1059.012 - Hypervisor CLI
T1546.016 - Installer Packages

MITREへのリンク →

Mustang Panda

Score: 18.95

Matched TTPs:

T1091 - Replication Through Removable Media
T1098.007 - Additional Local or Domain Groups
T1608.005 - Link Target
T1102.003 - One-Way Communication
T1169 - Sudo
T1218.010 - Regsvr32
T1055.005 - Thread Local Storage

MITREへのリンク →

Kimsuky

Score: 22.60

Matched TTPs:

T1091 - Replication Through Removable Media
T1098.007 - Additional Local or Domain Groups
T1588.001 - Malware
T1608.005 - Link Target
T1102.003 - One-Way Communication
T1027.014 - Polymorphic Code
T1547.002 - Authentication Package
T1008 - Fallback Channels
T1053.002 - At

MITREへのリンク →

Mustard Tempest

Score: 7.02

Matched TTPs:

T1091 - Replication Through Removable Media
T1059.012 - Hypervisor CLI
T1053.002 - At

MITREへのリンク →

OilRig

Score: 14.10

Matched TTPs:

T1091 - Replication Through Removable Media
T1005 - Data from Local System
T1098.007 - Additional Local or Domain Groups
T1218.010 - Regsvr32
T1128 - Netsh Helper DLL
T1547.008 - LSASS Driver

MITREへのリンク →

TeamTNT

Score: 3.49

Matched TTPs:

T1091 - Replication Through Removable Media
T1098.007 - Additional Local or Domain Groups

MITREへのリンク →

LazyScripter

Score: 5.50

Matched TTPs:

T1091 - Replication Through Removable Media
T1098.007 - Additional Local or Domain Groups
T1608.005 - Link Target

MITREへのリンク →

Gamaredon Group

Score: 15.18

Matched TTPs:

T1091 - Replication Through Removable Media
T1098.007 - Additional Local or Domain Groups
T1608.005 - Link Target
T1554 - Compromise Host Software Binary
T1547.002 - Authentication Package
T1200 - Hardware Additions

MITREへのリンク →

Star Blizzard

Score: 6.78

Matched TTPs:

T1091 - Replication Through Removable Media
T1098.007 - Additional Local or Domain Groups
T1102.003 - One-Way Communication

MITREへのリンク →

Threat Group-3390

Score: 9.50

Matched TTPs:

T1091 - Replication Through Removable Media
T1098.007 - Additional Local or Domain Groups
T1122 - Component Object Model Hijacking
T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI

MITREへのリンク →

SideCopy

Score: 9.39

Matched TTPs:

T1091 - Replication Through Removable Media
T1584.002 - DNS Server
T1053.002 - At

MITREへのリンク →

TA505

Score: 3.49

Matched TTPs:

T1091 - Replication Through Removable Media
T1098.007 - Additional Local or Domain Groups

MITREへのリンク →

BITTER

Score: 7.08

Matched TTPs:

T1091 - Replication Through Removable Media
T1098.007 - Additional Local or Domain Groups
T1588.001 - Malware
T1218.010 - Regsvr32

MITREへのリンク →

APT32

Score: 13.60

Matched TTPs:

T1091 - Replication Through Removable Media
T1098.007 - Additional Local or Domain Groups
T1588.001 - Malware
T1608.005 - Link Target
T1027.014 - Polymorphic Code
T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI

MITREへのリンク →

Saint Bear

Score: 5.48

Matched TTPs:

T1091 - Replication Through Removable Media
T1608.005 - Link Target
T1218.010 - Regsvr32

MITREへのリンク →

Moonstone Sleet

Score: 6.01

Matched TTPs:

T1091 - Replication Through Removable Media
T1098.007 - Additional Local or Domain Groups
T1547.008 - LSASS Driver

MITREへのリンク →

Contagious Interview

Score: 15.44

Matched TTPs:

T1091 - Replication Through Removable Media
T1098.007 - Additional Local or Domain Groups
T1021.006 - Windows Remote Management
T1608.005 - Link Target
T1102.003 - One-Way Communication
T1547.008 - LSASS Driver

MITREへのリンク →

FIN7

Score: 10.00

Matched TTPs:

T1091 - Replication Through Removable Media
T1098.007 - Additional Local or Domain Groups
T1588.001 - Malware
T1608.005 - Link Target
T1547.002 - Authentication Package

MITREへのリンク →

EXOTIC LILY

Score: 7.51

Matched TTPs:

T1091 - Replication Through Removable Media
T1098.007 - Additional Local or Domain Groups
T1218.010 - Regsvr32
T1547.008 - LSASS Driver

MITREへのリンク →

APT42

Score: 6.24

Matched TTPs:

T1091 - Replication Through Removable Media
T1098.007 - Additional Local or Domain Groups
T1128 - Netsh Helper DLL

MITREへのリンク →

APT28

Score: 24.16

Matched TTPs:

T1098.007 - Additional Local or Domain Groups
T1608.005 - Link Target
T1122 - Component Object Model Hijacking
T1548.004 - Elevated Execution with Prompt
T1547.002 - Authentication Package
T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI
T1146 - Clear Command History
T1200 - Hardware Additions

MITREへのリンク →

Storm-1811

Score: 12.20

Matched TTPs:

T1098.007 - Additional Local or Domain Groups
T1567.003 - Exfiltration to Text Storage Sites
T1578.002 - Create Cloud Instance
T1547.008 - LSASS Driver

MITREへのリンク →

APT1

Score: 4.80

Matched TTPs:

T1098.007 - Additional Local or Domain Groups
T1053.002 - At

MITREへのリンク →

IndigoZebra

Score: 3.53

Matched TTPs:

T1098.007 - Additional Local or Domain Groups
T1608.005 - Link Target

MITREへのリンク →

Leviathan

Score: 14.49

Matched TTPs:

T1098.007 - Additional Local or Domain Groups
T1554 - Compromise Host Software Binary
T1027.014 - Polymorphic Code
T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI
T1546.016 - Installer Packages

MITREへのリンク →

Scattered Spider

Score: 5.65

Matched TTPs:

T1098.007 - Additional Local or Domain Groups
T1557.002 - ARP Cache Poisoning

MITREへのリンク →

Dragonfly

Score: 18.23

Matched TTPs:

T1098.007 - Additional Local or Domain Groups
T1193 - Spearphishing Attachment
T1218.010 - Regsvr32
T1578.002 - Create Cloud Instance
T1059.012 - Hypervisor CLI
T1200 - Hardware Additions
T1546.016 - Installer Packages

MITREへのリンク →

Transparent Tribe

Score: 8.06

Matched TTPs:

T1098.007 - Additional Local or Domain Groups
T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI
T1053.002 - At

MITREへのリンク →

ZIRCONIUM

Score: 8.02

Matched TTPs:

T1098.007 - Additional Local or Domain Groups
T1588.001 - Malware
T1608.005 - Link Target
T1547.002 - Authentication Package

MITREへのリンク →

RedEcho

Score: 4.26

Matched TTPs:

T1098.007 - Additional Local or Domain Groups
T1128 - Netsh Helper DLL

MITREへのリンク →

Lazarus Group

Score: 28.93

Matched TTPs:

T1098.007 - Additional Local or Domain Groups
T1588.001 - Malware
T1608.005 - Link Target
T1069.001 - Local Groups
T1547.002 - Authentication Package
T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI
T1546.016 - Installer Packages
T1055.005 - Thread Local Storage
T1547.008 - LSASS Driver
T1216 - System Script Proxy Execution

MITREへのリンク →

APT38

Score: 6.90

Matched TTPs:

T1098.007 - Additional Local or Domain Groups
T1059.012 - Hypervisor CLI
T1216 - System Script Proxy Execution

MITREへのリンク →

Winter Vivern

Score: 9.00

Matched TTPs:

T1098.007 - Additional Local or Domain Groups
T1588.001 - Malware
T1218.001 - Compiled HTML File
T1059.012 - Hypervisor CLI

MITREへのリンク →

CURIUM

Score: 9.43

Matched TTPs:

T1098.007 - Additional Local or Domain Groups
T1218.001 - Compiled HTML File
T1059.012 - Hypervisor CLI
T1547.008 - LSASS Driver

MITREへのリンク →

menuPass

Score: 4.26

Matched TTPs:

T1098.007 - Additional Local or Domain Groups
T1122 - Component Object Model Hijacking

MITREへのリンク →

MoustachedBouncer

Score: 4.54

Matched TTPs:

T1055.003 - Thread Execution Hijacking

MITREへのリンク →

UNC3886

Score: 7.72

Matched TTPs:

T1021.006 - Windows Remote Management
T1588.001 - Malware
T1218.010 - Regsvr32

MITREへのリンク →

LAPSUS$

Score: 10.72

Matched TTPs:

T1193 - Spearphishing Attachment
T1122 - Component Object Model Hijacking
T1557.002 - ARP Cache Poisoning

MITREへのリンク →

Carbanak

Score: 4.49

Matched TTPs:

T1588.001 - Malware
T1547.002 - Authentication Package

MITREへのリンク →

FIN6

Score: 7.36

Matched TTPs:

T1588.001 - Malware
T1128 - Netsh Helper DLL
T1547.008 - LSASS Driver

MITREへのリンク →

PROMETHIUM

Score: 3.86

Matched TTPs:

T1588.001 - Malware
T1059.012 - Hypervisor CLI

MITREへのリンク →

Higaisa

Score: 3.59

Matched TTPs:

T1588.001 - Malware
T1218.010 - Regsvr32

MITREへのリンク →

Storm-0501

Score: 8.46

Matched TTPs:

T1588.001 - Malware
T1027.014 - Polymorphic Code
T1102.002 - Bidirectional Communication

MITREへのリンク →

Medusa Group

Score: 8.38

Matched TTPs:

T1608.005 - Link Target
T1128 - Netsh Helper DLL
T1216 - System Script Proxy Execution

MITREへのリンク →

Turla

Score: 12.63

Matched TTPs:

T1608.005 - Link Target
T1218.001 - Compiled HTML File
T1547.002 - Authentication Package
T1059.012 - Hypervisor CLI
T1546.016 - Installer Packages

MITREへのリンク →

MuddyWater

Score: 5.90

Matched TTPs:

T1608.005 - Link Target
T1547.002 - Authentication Package
T1218.010 - Regsvr32

MITREへのリンク →

APT29

Score: 13.31

Matched TTPs:

T1608.005 - Link Target
T1122 - Component Object Model Hijacking
T1218.010 - Regsvr32
T1218.009 - Regsvcs/Regasm
T1547.008 - LSASS Driver

MITREへのリンク →

Confucius

Score: 6.66

Matched TTPs:

T1608.005 - Link Target
T1218.010 - Regsvr32
T1200 - Hardware Additions

MITREへのリンク →

POLONIUM

Score: 7.16

Matched TTPs:

T1608.005 - Link Target
T1122 - Component Object Model Hijacking
T1547.002 - Authentication Package

MITREへのリンク →

Indrik Spider

Score: 6.68

Matched TTPs:

T1552.008 - Chat Messages
T1546.016 - Installer Packages

MITREへのリンク →

RedCurl

Score: 5.49

Matched TTPs:

T1122 - Component Object Model Hijacking
T1128 - Netsh Helper DLL

MITREへのリンク →

Cobalt Group

Score: 6.99

Matched TTPs:

T1027.014 - Polymorphic Code
T1218.010 - Regsvr32
T1128 - Netsh Helper DLL

MITREへのリンク →

Inception

Score: 7.39

Matched TTPs:

T1027.014 - Polymorphic Code
T1218.010 - Regsvr32
T1200 - Hardware Additions

MITREへのリンク →

APT19

Score: 4.51

Matched TTPs:

T1027.014 - Polymorphic Code
T1059.012 - Hypervisor CLI

MITREへのリンク →

APT37

Score: 9.28

Matched TTPs:

T1547.002 - Authentication Package
T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI
T1216 - System Script Proxy Execution

MITREへのリンク →

APT12

Score: 3.89

Matched TTPs:

T1547.002 - Authentication Package
T1218.010 - Regsvr32

MITREへのリンク →

Patchwork

Score: 6.54

Matched TTPs:

T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI
T1008 - Fallback Channels

MITREへのリンク →

APT3

Score: 5.12

Matched TTPs:

T1218.010 - Regsvr32
T1578.002 - Create Cloud Instance

MITREへのリンク →

BRONZE BUTLER

Score: 6.54

Matched TTPs:

T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI
T1008 - Fallback Channels

MITREへのリンク →

Tropic Trooper

Score: 7.39

Matched TTPs:

T1218.010 - Regsvr32
T1128 - Netsh Helper DLL
T1200 - Hardware Additions

MITREへのリンク →

Elderwood

Score: 3.26

Matched TTPs:

T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI

MITREへのリンク →

Darkhotel

Score: 3.26

Matched TTPs:

T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI

MITREへのリンク →

Volatile Cedar

Score: 4.13

Matched TTPs:

T1002 - Data Compressed

MITREへのリンク →

Ke3chang

Score: 3.62

Matched TTPs:

T1102.002 - Bidirectional Communication

MITREへのリンク →

Malteiro

Score: 3.62

Matched TTPs:

T1102.002 - Bidirectional Communication

MITREへのリンク →

DarkVishnya

Score: 4.54

Matched TTPs:

T1213.003 - Code Repositories

MITREへのリンク →

RTM

Score: 5.05

Matched TTPs:

T1059.012 - Hypervisor CLI
T1008 - Fallback Channels

MITREへのリンク →

Windshift

Score: 4.29

Matched TTPs:

T1059.012 - Hypervisor CLI
T1547.008 - LSASS Driver

MITREへのリンク →

Dark Caracal

Score: 4.29

Matched TTPs:

T1059.012 - Hypervisor CLI
T1547.008 - LSASS Driver

MITREへのリンク →

Daggerfly

Score: 4.60

Matched TTPs:

T1059.012 - Hypervisor CLI
T1546.016 - Installer Packages

MITREへのリンク →

DarkHydrus

Score: 3.15

Matched TTPs:

T1200 - Hardware Additions

MITREへのリンク →

Rocke

Score: 3.29

Matched TTPs:

T1008 - Fallback Channels

MITREへのリンク →

このPulseに関連する脅威アクター (推論ベース)

Sandworm Team

Score: 0.83

Matched TTPs:

T1005 - Data from Local System
T1193 - Spearphishing Attachment
T1187 - Forced Authentication
T1122 - Component Object Model Hijacking
T1091 - Replication Through Removable Media
T1098.007 - Additional Local or Domain Groups
T1218.010 - Regsvr32
T1102.003 - One-Way Communication
T1546.016 - Installer Packages
T1111 - Multi-Factor Authentication Interception
T1547.002 - Authentication Package
T1564.008 - Email Hiding Rules
T1049 - System Network Connections Discovery

MITREへのリンク →

Magic Hound

Score: 0.66

Matched TTPs:

T1608.005 - Link Target
T1059.012 - Hypervisor CLI
T1588.001 - Malware
T1187 - Forced Authentication
T1098.007 - Additional Local or Domain Groups
T1547.008 - LSASS Driver
T1053.002 - At
T1070.003 - Clear Command History
T1578.002 - Create Cloud Instance
T1547.002 - Authentication Package
T1171 - LLMNR/NBT-NS Poisoning and Relay

MITREへのリンク →

Volt Typhoon

Score: 0.65

Matched TTPs:

T1584.002 - DNS Server
T1148 - HISTCONTROL
T1552.008 - Chat Messages
T1102.003 - One-Way Communication
T1546.016 - Installer Packages
T1553.002 - Code Signing
T1049 - System Network Connections Discovery
T1574.002 - DLL Side-Loading

MITREへのリンク →

Lazarus Group

Score: 0.62

Matched TTPs:

T1608.005 - Link Target
T1059.012 - Hypervisor CLI
T1588.001 - Malware
T1055.005 - Thread Local Storage
T1098.007 - Additional Local or Domain Groups
T1547.008 - LSASS Driver
T1218.010 - Regsvr32
T1546.016 - Installer Packages
T1547.002 - Authentication Package
T1069.001 - Local Groups
T1216 - System Script Proxy Execution

MITREへのリンク →

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクターグラフ

← Pulse一覧に戻る

Campaign on the Government of Thailand Delivers Bookworm Trojan

概要

Indicators

類似Pulses

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

Pulse – 脅威アクター グラフ

Pulse – 脅威アクターグラフ