{"id":48317,"date":"2022-09-06T20:44:34","date_gmt":"2022-09-06T20:44:34","guid":{"rendered":"https:\/\/www.darkreading.com\/attacks-breaches\/mysterious-worok-spy-obfuscated-code-private-tools"},"modified":"2022-09-06T20:44:34","modified_gmt":"2022-09-06T20:44:34","slug":"mysterious-worok-group-launches-spy-effort-with-obfuscated-code-private-tools","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/mysterious-worok-group-launches-spy-effort-with-obfuscated-code-private-tools\/","title":{"rendered":"Mysterious &#8216;Worok&#8217; Group Launches Spy Effort With Obfuscated Code, Private Tools"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt674c704980c68d24\/62eadab823241d5e0cb4f0b7\/identity_cybersecurity_Stu_Gray_ALamy.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>A relatively new cyber-espionage group is using an intriguing custom arsenal of tools and techniques to compromise companies and governments in Southeast Asia, the Middle East, and southern Africa, with attacks aimed at collecting intelligence from targeted organizations.<\/p>\n<p>According to an analysis published on Tuesday by cybersecurity firm ESET, the hallmark of the group, which is&nbsp;dubbed Worok,&nbsp;is its use of custom tools not seen in other attacks, a focus on targets in Southeast Asia, and operational similarities to the China-linked TA428 group.<\/p>\n<p>In 2020, the group attacked telecommunications companies, government agencies, and maritime firms in the region before taking a months-long break. 
It restarted operations at the beginning of 2022.<\/p>\n<p>ESET <a href=\"https:\/\/www.welivesecurity.com\/2022\/09\/06\/worok-big-picture\/\" target=\"_blank\" rel=\"noopener\">issued the advisory<\/a> on the group because the company&#8217;s researchers have not seen many of the tools used by any other group, says Thibaut Passilly, a malware researcher with ESET and author of the analysis.<\/p>\n<p>&#8220;Worok is a group that uses exclusive and new tools to steal data \u2014 their targets are worldwide and include private companies, public entities, as well as governmental institutions,&#8221; he says. &#8220;Their usage of various obfuscation techniques, especially steganography, makes them really unique.&#8221;<\/p>\n<h2 class=\"regular-text\">Worok&#8217;s Custom Toolset<\/h2>\n<p>Worok bucks the more recent trend of attackers using cybercriminal services and commodity attack tools as these offerings have blossomed on the Dark Web. The proxy-as-a-service offering EvilProxy, for example, <a href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/evilproxy-commodifies-reverse-proxy-tactic-phishing-bypassing-2fa\" target=\"_blank\" rel=\"noopener\">allows phishing attacks to bypass two-factor authentication methods<\/a> by capturing and modifying content on the fly. Other groups have specialized in specific services such as <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/raspberry-robin-malware-russian-evil-corp\" target=\"_blank\" rel=\"noopener\">initial access brokers<\/a>, which allow state-sponsored groups and cybercriminals to deliver payloads to already-compromised systems.<\/p>\n<p>Worok&#8217;s toolset instead consists of an in-house kit. 
It includes the CLRLoad C++ loader; the PowHeartBeat PowerShell backdoor; and a second-stage C# loader, PNGLoad, that hides code in image files using steganography (although researchers have not yet captured an encoded image).<\/p>\n<p>For command and control, PowHeartBeat currently uses ICMP packets to issue commands to compromised systems, including running commands, saving files, and uploading data.<\/p>\n<p>While the targeting of the malware and the use of some common exploits \u2014 such as <a href=\"https:\/\/www.darkreading.com\/attacks-breaches\/cisa-warns-of-ongoing-attacks-targeting-proxyshell-vulnerabilities\" target=\"_blank\" rel=\"noopener\">the ProxyShell exploit<\/a>, which has been actively used for more than a year \u2014 are similar to existing groups, other aspects of the attack are unique, Passilly says.<\/p>\n<p>&#8220;We have not seen any code similarity with already known malware for now,&#8221; he says. &#8220;This means they have exclusivity over malicious software, either because they make it themselves or they buy it from a closed source; hence, they have the ability to change and improve their tools. Considering their appetite for stealthiness and their targeting, their activity must be tracked.&#8221;<\/p>\n<h2 class=\"regular-text\">Few Links to Other Groups<\/h2>\n<p>While the Worok group has aspects that resemble <a href=\"https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/chinese-apt-operation-lagtime-it-targets-government-information-technology\" target=\"_blank\" rel=\"noopener\">TA428, a Chinese group<\/a> that has run cyber-operations against nations in the Asia-Pacific region, the evidence is not strong enough to attribute the attacks to the same group, ESET says. 
The two groups may share tools and have common goals, but they are distinct enough that their operators are likely different, Passilly says.<\/p>\n<p>&#8220;[W]e have observed a few common points with TA428, especially the <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/shadowpad-malware-platform-proves-a-threat-to-watch\" target=\"_blank\" rel=\"noopener\">usage of ShadowPad<\/a>, similarities in the targeting, and their activity times,&#8221; he says. &#8220;These similarities are not that significant; therefore we link the two groups with low confidence.&#8221;<\/p>\n<p>For companies, the advisory is a warning that attackers continue to innovate, Passilly says. Companies should track the behavior of cyber-espionage groups to understand when their industry might be targeted by attackers.<\/p>\n<p>&#8220;The first and most important rule to protect against cyberattacks is to keep software updated in order to reduce the attack surface, and use multiple layers of protections to prevent intrusions,&#8221; Passilly says.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The threat actor \u2014 whose techniques and procedures do not match known groups \u2014 has created custom attack tools, including a program that hides scripts in .PNG images.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[151],"tags":[],"class_list":["post-48317","post","type-post","status-publish","format-standard","hentry","category-darkreading-ti"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - 
https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->"}