ACCE Release Notes v2.5.20240220

Release Notes

This release consists of the following:

  • ToneShell Backdoor and Dropper
  • XPhase Clipper
  • Coin Dropper, Installer, and Downloader (CT named malware associated with XPhase Clipper)
  • TakeOut Powershell dropper and loader
  • DiceLoader malware
  • RustDoor backdoor
  • IceNova (IBM name), aka Latrodectus
  • TinyTurla-NG malware
  • Pikabot Injector and Core variants
  • JKwerlo Ransomware
  • HodeRAT implant (CT named malware)


Following a post from Any.RUN on X, including an article from Cyble, we added support for the ToneShell dropper and backdoor components associated with Mustang Panda activity. Given the numerous variants of ToneShell, there are multiple parser components for ACCE ToneShell support to extract the C2 socket addresses or C2 addresses.


Cyble recently published research about XPhase Clipper, which is configured with numerous CryptoCurrency addresses for the purposes of monitoring and modifying addresses observed on the infected machines clipboard. While researching XPhase, we identified Nukita compiled Python versions, sharing not only the unique regex patterns, but also multiple CryptoCurrency addresses with the Cyble reported samples.

The VBScript dropper, downloader, and installer components reported by Cyble were unnamed, and we dubbed them “Coin” in order to add ACCE modules for them.


Sekoia published research about a FIN7 intrusion set downloader called DiceLoader, which is loaded into memory using a PowerShell loader known as TakeOut.

The TakeOut PowerShell loader is highly obfuscated, using multiple methods to construct, shuffle, and ultimately concatenate a Base64-encoded payload. Payloads have been observed to include DiceLoader, CARBANAK Backdoor, and CobaltStrike BEACON.

ACCE modules were added for the TakeOut Dropper and Loader, as well as DiceLoader.


We continuously monitor an array of sources for new variants of malware that ACCE supports, and recently came across reported Pikabot samples on Malware Bazaar that we did not recognize. As we analyzed the reported sample (and other related samples) we identified a few major changes from previous Pikabot injectors:

  • Previous Pikabot injectors used steganography to store chunks of the encrypted component in PE resources. The new version stores the chunks of the encrypted component in Base64 encoded global buffers.
  • In previous versions, each chunk was XOR decrypted and, after concatenating all of the buffers, either RC4 or AES-CBC decrypted. In the new version, each buffer is Base64 decoded and RC4 decrypted, and the concatenated results are LZNT1 decompressed.

A marked change was also observed in the configuration for the resulting Pikabot Core components. While the C2 configuration was previously AES-CBC decrypted following string decryption, in the latest version all of the configuration data is in plaintext. Additionally, the configuration data consists of multiple fields, including interval values, a mission id, a registry value, a user-agent string, HTTP headers, and C2 socket addresses and URL paths.

  • Pikabot: f5cea7d74d36624df4e136c6c74b30f0


When we conducted research on Donut Shellcode in October, we observed a fully functional RAT containing RC4 encrypted configuration, including at least 100 C2 socket addresses, a kill date (ranging from 2023-06-04 to 2023-08-26), and optional SSL certificate hashes (fingerprints). We have not observed samples compiled since 2023-08-11, and have finalized support in ACCE for the RAT, dubbing it HodeRAT.

All IOCs associated with HodeRAT can be found on our GitHub, with example ACCE support found below.

  • HodeRAT: 13ac24fc44c7794fb4470d7afee2ca4b
Posted in Uncategorized and tagged , .