ACCE Release Notes v2.9.20250508

This release consists of the following:

• APT29 malware WineLoader and GrapeLoader
  • WineLoader: 943d896645d1e6b6706c7bbb6966f0e5
  • GrapeLoader: e025fa8354968f298af3f6ef2f22d7d3
• APT41 malware MoonWalk and DodgeBox
• DslogdRAT: 8cc9178466ef91c7c0fb795c5ab58c21
• MasonRAT, a derivative work of XWorm:
  • 74fd34ea47e881219cfd18503eae5a7b
  • 5955a92acd6b1de720a05f2534a4f464
  • 07dd36f569b35ddee9584ee558400568
• PE32 ransomware:
  • 9f4f86bb8487f35c2197cccc0b46c0b5
  • 631639d8873fd06f9266b3c59353612b
• Pupkin Stealer: 30308f77c997e1e06bf42b62665eff9b
• rutserv AutoHotkey implant
• DodgeBox and MoonWalk malware
  • DodgeBox + MoonWalk: 294cc02db5a122e3a1bc4f07997956da
  • DodgeBox Side-Loader: 393065ef9754e3f39b24b2d1051eab61
• Aurotun Stealer
• MonsterCrypt Loader (named based on PDB path), observed loading Aurotun Stealer
• Storybook malware (Loader and Downloader: 2c2b781866d5a38fca0aeb8dc34de1aa) and malware observed being loaded by Storybook, including:
  • Berserk Stealer
    • Storybook + Berserk: 1d19112b64c20319270a29785f518c10
  • Mallard Downloader
    • Storybook + Mallard: 99c22a535e93c3c36b5c9820990792ad
  • Supper Backdoor
    • Storybook + Supper: b58c5dc360969aff658f1eb2e7ca4a3c
  • PortStarter Implant
    • Storybook + PortStarter: a18db4d2e464befcf2ed0727212455b0
  • Plus Keylogger (CT-named malware)
    • Storybook + Plus: c5e583edaa38d42ac6d84868b0792eee

rutserv

While analyzing the malware described by Ontinue and ReliaQuest, we identified that the sideloaded DLL TV.dll (SHA256 782e997382734a4c80b6f2c6aef51a55c9434457f5ee125a3cf5938ec7a72f55) is a loader for an AutoHotkey script stored in its RT_RCDATA\\1 resource. During research, we identified two additional samples on VirusTotal, and all three samples referred to themselves as “rutserv”.

Each sample is configured with a URL in 5.252.153.0/24 and has the following capabilities:

• Downloads Components
• Keylogging
• System information logging
• Browser information stealing

Samples:

• 2982bcd3bf0dfbffdc2a5220bd0c4e29
• f8e30e9b1c730de986ac7e07460395d7
• 5f6a23e268f2a4c09084b5f168d95339

MonsterCrypt / Aurotun

When adding a module Aurotun malware, we observed that the configuration data blob was structured as follows:

Offset	Size (in bytes)	Description
0	32	Seed for deriving XChaCha20-Poly1305 parameters
32	8	Size of following data
40	<VARIABLE>	Encrypted data and Message authenticator (last 16-bytes of data)

Using the information in the table above, the configuration data is decrypted using the following methodology:

• The key and nonce for the XChaCha20-Poly1305 algorithm are derived using the BLAKE2b hashing algorithm against the seed
• The encrypted buffer is XChaCha20-Poly1305 decrypted
• The decrypted data is zlib decompressed
• The result is a JSON formatted dictionary containing an “ip”, “port”, “build_name”, varying flags, and Base64 encoded private keys

When analyzing the list of samples from the X post, we observed that some samples were contained in a loader with a PDB path descripting “MegaCrypt” and “MonsterCrypt”. When seeking additional samples on VirusTotal, we observed two variants of the loader that we are calling “MonsterCrypt”, one which stores the embedded component in plaintext, and a second which zlib decompresses the component.

• MonsterCrypt (Plaintext) + Aurotun: 00a56aaa09fa3cecd5558e76ffc8a1d4
• MonsterCrypt (zlib) + Aurotun: 28fbc58c841bd60c01204166b2cee3b6