Water Orthrus New Campaigns Deliver Rootkit and Phishing Modules<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html\"><br \/>\n<meta property=\"og:title\" content=\"Water Orthrus New Campaigns Deliver Rootkit and Phishing Modules\"><br \/>\n<meta property=\"og:description\" content=\"Water Orthrus has been active recently with two new campaigns. CopperStealth uses a rootkit to install malware on infected systems, while CopperPhish steals credit card information. This blog will provide the structure of the campaign and how they work.\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/Water-Orthrus-New-Campaigns-Delivers-Rootkit-and-Phishing-Modules-976.png\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Water Orthrus New Campaigns Deliver Rootkit and Phishing Modules\"><br \/>\n<meta name=\"twitter:description\" content=\"Water Orthrus has been active recently with two new campaigns. CopperStealth uses a rootkit to install malware on infected systems, while CopperPhish steals credit card information. This blog will provide the structure of the campaign and how they work.\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/Water-Orthrus-New-Campaigns-Delivers-Rootkit-and-Phishing-Modules-976.png\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.167509970832\">  <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a>  <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"102307274\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"9.2983490566038\">\n<div class=\"article-details\" role=\"heading\" readability=\"38.172169811321\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Endpoints<\/p>\n<p class=\"article-details__description\">Water Orthrus has been active recently with two new campaigns. CopperStealth uses a rootkit to install malware on infected systems, while CopperPhish steals credit card information. This blog will provide the structure of the campaign and how they work.<\/p>\n<p class=\"article-details__author-by\">By: Jaromir Horejsi, Joseph C Chen <time class=\"article-details__date\">May 15, 2023<\/time> <span>Read time: <\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"28\">\n<div readability=\"12\">\n<p>Since 2021, we have been tracking the activities of a threat actor we called Water Orthrus, which distributed CopperStealer malware via pay-per-install (PPI) networks. The threat actor has upgraded and modified the malware multiple times for different purposes, such as <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/c\/websites-hosting-cracks-spread-malware-adware.html\">injecting network advertisements<\/a>, <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/f\/websites-hosting-fake-cracks-spread-updated-copperstealer.html\">acquiring personal information<\/a>, and <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/h\/copperstealer-distributes-malicious-chromium-browser-extension-steal-cryptocurrencies.html\">stealing cryptocurrency<\/a>. We believe that they are associated with the threat campaign reported as \u201c<a href=\"https:\/\/download.bitdefender.com\/resources\/files\/News\/CaseStudies\/study\/253\/Bitdefender-Whitepaper-RootKit-CREAT3432-en-EN.pdf\" target=\"_blank\" rel=\"noopener\">Scranos<\/a>\u201d in 2019.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules\/Fig1.png\" alt=\"CopperStealth infection chain\"><figcaption>Figure 1. CopperStealth infection chain<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>In March 2023, we observed two campaigns delivering new malware that we named CopperStealth and CopperPhish. Both malware have characteristics that are similar to those of CopperStealer and are likely developed by the same author, leading us to believe that these campaigns are likely Water Orthrus\u2019 new activities.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules\/Fig2.png\" alt=\"CopperPhish infection chain\"><figcaption>Figure 2. CopperPhish infection chain<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"43.412960609911\">\n<div readability=\"32.559720457433\">\n<p>This blog post discusses our analysis of CopperStealth\u2019s and CopperPhish\u2019s infection chains, and how they are similar to Water Orthrus.<\/p>\n<p><b><span class=\"body-subhead-title\">CopperStealth campaign<\/span><\/b><\/p>\n<p>The first campaign distributed CopperStealth on March 8, 2023, delivering the malware via installers provided on a popular Chinese software sharing website. It disguised the malware as free software and targeted the country\u2019s users.<\/p>\n<p>CopperStealth\u2019s infection chain involves dropping and loading a rootkit, which later injects its payload into explorer.exe and another system process. These payloads are responsible for downloading and running additional tasks. The rootkit also blocks access to blocklisted registry keys and prevents certain executables and drivers from running.<\/p>\n<p>A sample of the installer (SHA-256: <i>8a21eae144a23fffd35f8714964ff316caaa37fe464e8bbc143f4485119b5575<\/i>) was distributed via a popular Chinese software download website. It was previously <a href=\"https:\/\/www.secrss.com\/articles\/14659\" target=\"_blank\" rel=\"noopener\">reported<\/a> to provide malicious installers for infecting malware. The installer contains numerous encoded URLs; when the installer is run these URLs will be decoded and the files located at the said URLs will be downloaded and run on the affected system. One of these files was a dropper that we identified as CopperStealth.<\/p>\n<p>CopperStealth (after decrypting the custom crypter) contains an export function called \u201cHelloWorld,\u201d which has been around since earlier versions of <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/f\/websites-hosting-fake-cracks-spread-updated-copperstealer.html\">CopperStealer<\/a>. The dropper then checks if the system architecture is 32-bit or 64-bit, which it uses as a basis to read the corresponding driver from its resources.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules\/Fig3.png\" alt=\"CopperStealth\u2019s code for selecting 32-bit or 64-bit drivers\"><figcaption>Figure 3. CopperStealth\u2019s code for selecting 32-bit or 64-bit drivers<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules\/Fig4.png\" alt=\"CopperStealth\u2019s resources contain two versions of the driver\"><figcaption>Figure 4. CopperStealth\u2019s resources contain two versions of the driver<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"26.311764705882\">\n<div readability=\"6.6823529411765\">\n<p>It then creates and starts a new <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/winsvc\/nf-winsvc-createservicea\" target=\"_blank\" rel=\"noopener\">driver service<\/a>, which begins when the system starts.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules\/Fig5.png\" alt=\"The new driver service created by CopperStealth\"><figcaption>Figure 5. The new driver service created by CopperStealth<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"44.58\">\n<div readability=\"39.626666666667\">\n<p><b>Rootkit<\/b><\/p>\n<p>The rootkit is registered as a file system filter driver. In the main entry point (<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/wdf\/driverentry-for-kmdf-drivers\" target=\"_blank\" rel=\"noopener\">DriverEntry<\/a> function), the driver has specific handlers for <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/kernel\/irp-mj-create\" target=\"_blank\" rel=\"noopener\">IRP_MJ_CREATE<\/a>, <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/kernel\/irp-mj-read\" target=\"_blank\" rel=\"noopener\">IRP_MJ_READ<\/a>, and <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/kernel\/irp-mj-shutdown\" target=\"_blank\" rel=\"noopener\">IRP_MJ_SHUTDOWN<\/a>.<\/p>\n<p>When a shutdown request is received, the rootkit driver copies itself to a newly generated random driver. This is done with a few registry modifications, such as changing the driver name in the <i>HKLM\\SYSTEM\\CurrentControlSet\\Services<\/i> registry and inserting a \u201cPendingFileRenameOperations\u201d registry value in <i>HKLM\\SYSTEM\\CurrentControlSet\\Control\\SessionManager<\/i> to automatically <a href=\"https:\/\/qtechbabble.wordpress.com\/2020\/06\/26\/use-pendingfilerenameoperations-registry-key-to-automatically-delete-a-file-on-reboot\/\" target=\"_blank\" rel=\"noopener\">move the file upon reboot<\/a>.<\/p>\n<p>As for IRP_MJ_READ, this monitors any attempts to read the files on filesystem. If any attempt to read the current rootkit\u2019s SYS file or executable file in <i>\\windows\\temp <\/i>folder by one of the blocklisted processes (such as <i>\\360saf\\<\/i>, <i>\\kingsoft antivirus\\<\/i>, <i>\\360SD\\<\/i>, <i>\\Windows Defender\\<\/i>) is detected, the driver will result in a STATUS_ACCESS_DENIED error message, preventing access to those files.<\/p>\n<p>The rootkit then registers a <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/ddi\/wdm\/nf-wdm-cmregistercallback\" target=\"_blank\" rel=\"noopener\">registry callback routine<\/a>, which is called every time a thread performs an operation in the registry. In this case, the routine monitors attempts to access rootkit\u2019s registry path in <i>HKLM\\SYSTEM\\CurrentControlSet\\Services\\<drivername<\/i>>. Any attempt to delete the registry key (such as <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/ddi\/wdm\/ns-wdm-_reg_delete_key_information\" target=\"_blank\" rel=\"noopener\">RegNtDeleteKey<\/a> OR <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/ddi\/wdm\/ns-wdm-_reg_delete_value_key_information\" target=\"_blank\" rel=\"noopener\">RegNtDeleteValueKey<\/a>) will result in STATUS_ACCESS_DENIED, blocking the operation.<\/p>\n<p>An attempt to query the registry key (<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/ddi\/wdm\/ns-wdm-_reg_query_key_information\" target=\"_blank\" rel=\"noopener\">RegNtQueryKey<\/a> OR <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/ddi\/wdm\/ns-wdm-_reg_query_value_key_information\" target=\"_blank\" rel=\"noopener\">RegNtQueryValueKey<\/a>) while any of the blocklisted processes (<i>360safe.exe<\/i>, <i>360sd.exe<\/i>, <i>QQPCTray.exe<\/i>, and <i>kxetray.exe<\/i>) is running will also result in a STATUS_ACCESS_DENIED message.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules\/Fig6.png\" alt=\"Rootkit\u2019s code to block querying it\u2019s (rootkit\u2019s) own registry key, if any of the blocklisted processes is running\"><figcaption>Figure 6. Rootkit\u2019s code to block querying it\u2019s (rootkit\u2019s) own registry key, if any of the blocklisted processes is running<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.081318681319\">\n<div readability=\"14.90989010989\">\n<p>The rootkit also sets an <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/ddi\/ntddk\/nf-ntddk-pssetloadimagenotifyroutine\" target=\"_blank\" rel=\"noopener\">image load notification routine<\/a>, which is called whenever a new image (i.e., an executable\/binary file, like .EXE, .DLL, and .SYS files) is loaded into memory. If an \u201cimage\u201d name corresponds to the hardcoded filename <i>(\\Fix\\fixMBR.exe<\/i>), then a DLL library (embedded inside the driver) is mapped and run into the newly created process. The 64-bit version of the rootkit contains a 32-bit and a 64-bit version of the DLL library.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules\/Fig7.png\" alt=\"Rootkit\u2019s code that terminates newly executed processes by injected DLL\"><figcaption>Figure 7. Rootkit\u2019s code that terminates newly executed processes by injected DLL<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"27.857142857143\">\n<div readability=\"8.5714285714286\">\n<p>In either version, the injected DLL library calls <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/processthreadsapi\/nf-processthreadsapi-exitprocess\" target=\"_blank\" rel=\"noopener\">ExitProcess<\/a> after <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/dlls\/dllmain\" target=\"_blank\" rel=\"noopener\">attaching<\/a> to the newly created process, which immediately terminates it.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules\/Fig8.png\" alt=\"Termination DLL exits process\"><figcaption>Figure 8. Termination DLL exits process<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>If the newly loaded process is a driver, then the rootkit searches for a few blocklisted byte sequences. If any of those are found, then the driver\u2019s entry point is patched to return STATUS_ACCESS_DENIED.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules\/Fig9.png\" alt=\"Rootkit replaces blocklisted drivers\u2018 entrypoints to return error code\"><figcaption>Figure 9. Rootkit replaces blocklisted drivers\u2018 entrypoints to return error code<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.911818181818\">\n<div readability=\"16.723636363636\">\n<p>The blocklisted drivers contain one of the following byte sequences:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Beijing Huorong Network Technology Co., Ltd.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Beijing Kingsoft Security Software Co., Ltd.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Beijing Qihu Technology Co., Ltd.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">HuoRongBoRui (Beijing) Technology Co., Ltd.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Qihoo 360 Software (Beijing) Co., Ltd.<\/span><\/li>\n<\/ul>\n<p>Lastly, the rootkit starts a payload injection thread. In the samples we analyzed, we saw two types of payloads: statistics module and task module. This thread enumerates all running processes (<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/winternl\/nf-winternl-ntquerysysteminformation\" target=\"_blank\" rel=\"noopener\">SystemProcessInformation<\/a>) and looks for <i>explorer.exe<\/i> and another process with SYSTEM integrity having \u201c<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/threat-protection\/security-policy-settings\/replace-a-process-level-token\" target=\"_blank\" rel=\"noopener\">assign primary token privilege<\/a>\u201d and \u201c<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/threat-protection\/security-policy-settings\/adjust-memory-quotas-for-a-process\" target=\"_blank\" rel=\"noopener\">increase quota privilege<\/a>.\u201d It also increments the <i>HKLM\\SOFTWARE\\Microsoft\\recount<\/i> registry value, which holds the number of system restarts since the machine became infected. If the restart recount value is greater than three, the rootkit decrypts (AES cipher) and unpacks (7-Zip) embedded statistics in the DLL module, then it patches its statistics URL address inside the binary (placeholder starting with \u201ccnzz_url\u201d), and finally injects the patched module into <i>explorer.exe<\/i>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules\/Fig10.png\" alt=\"Placeholder inside the statistics module, which the rootkit replaces with its statistics URL\"><figcaption>Figure 10. Placeholder inside the statistics module, which the rootkit replaces with its statistics URL<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p>After successful injection into <i>explorer.exe<\/i>, it makes a GET request to the task URL to get the task command to be performed. Once the GET request is done by the driver, then the response to the GET request is then inserted (a place holder starting with \u201csearching_magic_url\u201d) into the task module, which, like the statistics module, is embedded in rootkit. It must be AES-encrypted, and then 7-Zip unpacked.And then the task module is injected into the previously found process with system integrity.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules\/Fig11.png\" alt=\"Placeholder inside the task module, which the rootkit replaces with a response to the task URL\"><figcaption>Figure 11. Placeholder inside the task module, which the rootkit replaces with a response to the task URL<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"40.962203023758\">\n<div class=\"responsive-table-wrap\" readability=\"27.637149028078\">\n<p><b>Statistics module<\/b><\/p>\n<p>The statistics module is called <a href=\"https:\/\/www.crunchbase.com\/organization\/cnzz\" target=\"_blank\" rel=\"noopener\">cnzz<\/a> (the largest Chinese internet statistics analysis service), though it has nothing to do with this organization. Each time it is run it increases the counter in <i>HKCU\\Software\\Microsoft\\count_a0b1c2d3<\/i>. It checks the internet connection by trying to access <i>hxxp:\/\/www.msftconnecttest.com\/connecttest.txt<\/i>, and once verified it will get the computer\u2019s unique machine ID and report the statistics to <i>hxxp:\/\/cnzz_url&m=<machine ID><\/i> then exits the module.<\/p>\n<p>In some cases, cnzz_url contains keyword \u201ctongji\u201d (t\u01d2ng j\u00ec, <a href=\"https:\/\/chinese.yabla.com\/chinese-english-pinyin-dictionary.php?define=%E7%B5%B1\" target=\"_blank\" rel=\"noopener\">\u7d71<\/a><a href=\"https:\/\/chinese.yabla.com\/chinese-english-pinyin-dictionary.php?define=%E8%A8%88\" target=\"_blank\" rel=\"noopener\">\u8a08<\/a>), which translates to \u201cstatistics.\u201d<\/p>\n<p><b>Task module<\/b><\/p>\n<p>The task module is called curl, even though it has nothing to do with <a href=\"https:\/\/curl.se\/\" target=\"_blank\" rel=\"noopener\">curl<\/a> (command line tool for transferring data with URLs). The module then proceeds with base64 decoding and DES decrypting (key=\u201dtaskhost\u201d, IV=\u201dwinlogon\u201d, which is the same encryption as described in previous blog posts) of the task command. The decrypted task is in <a href=\"https:\/\/en.wikipedia.org\/wiki\/JSON\" target=\"_blank\" rel=\"noopener\">JSON<\/a> format and has the following keys:<\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"100%\">\n<tbody readability=\"4\">\n<tr>\n<td>Name<\/td>\n<td>Type<\/td>\n<td>Explanation<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>name<\/td>\n<td>string<\/td>\n<td>File name created in TEMP directory<\/td>\n<\/tr>\n<tr>\n<td>onlyone<\/td>\n<td>bool<\/td>\n<td>Run only once<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>exclude360<\/td>\n<td>bool<\/td>\n<td>Exclude machines where 360tray is running<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>reboot_count<\/td>\n<td>int<\/td>\n<td>The task should be run every n-th reboot of the system<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>url<\/td>\n<td>string<\/td>\n<td>URL with the file to download and execute<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Table 1. List of implemented key names and value types in task query response (in JSON format)<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"40\">\n<div readability=\"25\">\n<p>If payload is expected to run only once (with onlyone [sic] key has value = true), then the hash of the URL is stored in <i>HKLM\\Software\\Microsoft\\<hash><\/i><span>. The actual count of runs is taken from <\/span><i>HKEY_USERS\\<SID>\\Software\\Microsoft\\count_a0b1c2d3<\/i><span>, which is set by the statistics module.<\/span><\/p>\n<p><b><span class=\"body-subhead-title\">CopperPhish campaign<\/span><\/b><\/p>\n<p>In April 2023, we noticed another campaign distributing CopperPhish. This campaign was not geofenced and delivered the malware via PPI networks behind free anonymous file sharing websites. CopperPhish is an interesting phishing kit, which uses two different processes for persistence: credential verification and confirmation code to ensure that valid credentials are phished before the phishing kits considers its job successful and exits.<\/p>\n<p>CopperPhish\u2019s infection chain starts with downloaders like PrivateLoader (SHA-256: 48211c6f957c2ad024441be3fc32aecd7c317dfc92523b0a675c0cfec86ffdd9). Visitors will be redirected to a download page designed by the PPI network after clicking on its advertisements, which pretended to be a download link. The downloaded file is PrivateLoader, which downloads and runs many different malware.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules\/Fig12.png\" alt=\"The download page of the pay-per-install network redirected from file sharing websites.\"><figcaption>Figure 12. The download page of the pay-per-install network redirected from file sharing websites.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>The downloader downloads and starts a new dropper we identified as CopperPhish. It decrypts and loads the second stage. This stage is responsible for dropping and starting the main payload. The main payload is again obfuscated with the same crypter used by CopperStealer, and then the second stage of the main payload drops a few files (PNG image with logo, PNG image with QR code, and HTML page with phishing URL) into <i>%APPDATA%\\Roaming\\Microsoft<\/i>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules\/Fig13.png\" alt=\"Dropped phishing files by CopperPhish\"><figcaption>Figure 13. Dropped phishing files by CopperPhish<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>These files are stored in the main payload\u2019s second stage\u2019s resources. These HTML pages are localized to fifty different languages. Each language has its own HTML file, but since PNG images do not contain any text, they remain the same for all language versions.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules\/Fig14.png\" alt=\"Phishing webpages in different language variants, stored in resources\"><figcaption>Figure 14. Phishing webpages in different language variants, stored in resources<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>The main malware then starts the two threads \u2014 the persistence thread is responsible for starting a rundll32 process and injecting a simple program with a browser window (written in Visual Basic) in it.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules\/Fig15.png\" alt=\"The thread responsible for starting processes with a web browser window\"><figcaption>Figure 15. The thread responsible for starting processes with a web browser window<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>The exit message thread connects to a named pipe and waits for a message containing a magic string to be received. If the message is received, then the main program uninstalls itself (and deletes all the dropped phishing files) and exits. This indicates that the confirmation code (more on this code later) entered by the victim was correct, which means that the phishing was successful and it can uninstall itself.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules\/Fig16.png\" alt=\"Opened pipe that waits for a message to close and uninstall CopperPhish\"><figcaption>Figure 16. Opened pipe that waits for a message to close and uninstall CopperPhish<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules\/Fig17.png\" alt=\"Code that uninstalls the phishing tool after receiving magic values\"><figcaption>Figure 17. Code that uninstalls the phishing tool after receiving magic values<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"29.716836734694\">\n<div readability=\"9.905612244898\">\n<p>The web browser program loads an instance of an <a href=\"https:\/\/learn.microsoft.com\/en-us\/previous-versions\/windows\/internet-explorer\/ie-developer\/platform-apis\/aa752084(v=vs.85)\" target=\"_blank\" rel=\"noopener\">Internet Explorer object<\/a> and uses the web browser control class (SHDocVwCtl) to control the behavior of the web browser object. It <a href=\"https:\/\/www.w3schools.com\/jsref\/met_document_getelementbyid.asp\" target=\"_blank\" rel=\"noopener\">reads the value<\/a> written by the victim of the input text field called \u201ccheckcode\u201d (which will be explained later). If correct, it then sends the exit message to the main payload via the pipes mentioned earlier.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules\/Fig18.png\" alt=\"Exit message sent to the main payload via pipe\"><figcaption>Figure 18. Exit message sent to the main payload via pipe<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>The phishing webpage displayed by the web browser shows the content of the dropped page with the Microsoft logo and QR code. The window has no controls that can be used to minimize or close it. The victim could close the browser\u2019s process in Task Manager or Process Explorer, but they would also need to terminate the main payload process, otherwise the browser process will happen again due to the persistence thread. Thus, to proceed, a confirmation code will be asked (which was stated after Figure 15), and this code will act as proof that the victim provided the correct details.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules\/Fig19.png\" alt=\"Initial phishing webpage displayed by CopperPhish\"><figcaption>Figure 19. Initial phishing webpage displayed by CopperPhish<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>After scanning and opening the phishing URL, the victim is presented with a webpage asking to confirm the identity.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules\/Fig20.png\" alt=\"Phishing webpage asking to confirm the user\u2019s identity\"><figcaption>Figure 20. Phishing webpage asking to confirm the user\u2019s identity<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>A follow-up webpage asks for various sensitive details, such as the user\u2019s credit card number, its expiration date, and the CVV code.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules\/Fig21.png\" alt=\"Phishing website asking for sensitive banking details\"><figcaption>Figure 21. Phishing website asking for sensitive banking details<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>And after entering the sensitive details and passing checks (such as a credit card number validity check), the phishing kit displays a success message and shows the confirmation code, which closes the browser and uninstalls the phishing kit from the system. This is the \u201ccheckcode\u201d mentioned previously.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules\/Fig22.png\" alt=\"Confirmation code displayed after credentials were successfully phished\"><figcaption>Figure 22. Confirmation code displayed after credentials were successfully phished<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules\/Fig23.png\" alt=\"Code in the phishing webpage to validate the user\u2019s credit card number, expiration date, and CVV\"><figcaption>Figure 23. Code in the phishing webpage to validate the user\u2019s credit card number, expiration date, and CVV<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"49.999230473259\">\n<div readability=\"46.077722200846\">\n<p>This is a simple but interesting approach. If the phishing page is displayed in a standard browser window or tab, the user can simply close the window or tab and continue working. In this case, two processes are used \u2014 one for persistence, and another for displaying the phishing window. This sort of persistence, though simple and easy to remove, can remain and display longer, which could annoy victims enough to force them to enter the credentials just to get rid of the phishing window.<\/p>\n<p>The credential verification and confirmation code are two useful features that make this phishing kit more successful, as the victim cannot simply close the window or enter fake information just to get rid of the window.<\/p>\n<p><b><span class=\"body-subhead-title\">Attribution<\/span><\/b><\/p>\n<p>We classify both previously mentioned campaigns to be related to previously analyzed campaigns because of the following similarities:<\/p>\n<ol>\n<li>The use of the same crypter, which encrypts the dropper stage (described in our previous blog posts).<\/li>\n<li>The use of Data Encryption Standard (DES) with the same key (\u201ctaskhost\u201d) and initialization vector (\u201cwinlogon\u201d).<\/li>\n<li>The use of the same name of the DLL export function (for later versions of CopperStealer).<\/li>\n<li>The use of similar mutex naming conventions (previously: exist_sign_cps, exist_sign_task_Hello001, exist_sign__install_r3 now: exist_sign_redns, dl_exist_sign_cnzz, dl_exist_sign_sys).<\/li>\n<\/ol>\n<p><b><span class=\"body-subhead-title\">Conclusion<\/span><\/b><\/p>\n<p>We uncovered two new campaigns conducted by the Water Orthrus threat actor. The actor has not only refined their malware but has also tailored their attacks for different targets. The CopperStealth campaign, distributed to machines in China, focuses in installing the rootkit, which later delivers additional malware. Meanwhile, CopperPhish aims to phish credit card information and is distributed globally. It is likely that the actor has multiple objectives at the same time. Our findings also highlight the shift of Water Orthrus\u2019s interests, from personal information to cryptocurrency, and now targeting credit card information.<\/p>\n<p>A proactive approach on security can help organizations protect their devices against these types of threats. <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection\/sps\/endpoint.html\">Trend Micro Apex One\u2122<\/a> employs a variety of threat detection capabilities, notably behavioral analysis that protects against malicious scripts, injection, ransomware, and memory and browser attacks related to fileless threats. Additionally, the <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection\/sps\/endpoint\/endpoint-sensor.html\">Apex One Endpoint Sensor<\/a> provides context-aware endpoint detection and response (EDR) that monitors events and quickly examines what processes or events are triggering malicious activity. <\/p>\n<p><span class=\"body-subhead-title\">IOCs<\/span><\/p>\n<p>The full list of IOCs can be found <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules\/waterorthrus_iocs.txt\">here<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p>   <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p>   <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Water Orthrus has been active recently with two new campaigns. CopperStealth uses a rootkit to install malware on infected systems, while CopperPhish steals credit card information. This blog will provide the structure of the campaign and how they work. Read More HERE…<\/p>\n","protected":false},"author":2,"featured_media":51909,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9513,9577,9509],"class_list":["post-51908","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-malware","tag-trend-micro-research-phishing","tag-trend-micro-research-research"],"yoast_head":"\n<title>Water Orthrus's New Campaigns Deliver Rootkit and Phishing Modules 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Water Orthrus's New Campaigns Deliver Rootkit and Phishing Modules 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-05-15T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/Water-Orthrus-New-Campaigns-Delivers-Rootkit-and-Phishing-Modules-976.png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Water Orthrus’s New Campaigns Deliver Rootkit and Phishing Modules\",\"datePublished\":\"2023-05-15T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\\\/\"},\"wordCount\":2611,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Phishing\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\\\/\",\"name\":\"Water Orthrus's New Campaigns Deliver Rootkit and Phishing Modules 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules.png\",\"datePublished\":\"2023-05-15T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules.png\",\"width\":1000,\"height\":1000},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Water Orthrus’s New Campaigns Deliver Rootkit and Phishing Modules\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n","yoast_head_json":{"title":"Water Orthrus's New Campaigns Deliver Rootkit and Phishing Modules 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\/","og_locale":"en_US","og_type":"article","og_title":"Water Orthrus's New Campaigns Deliver Rootkit and Phishing Modules 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-05-15T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/Water-Orthrus-New-Campaigns-Delivers-Rootkit-and-Phishing-Modules-976.png","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Water Orthrus’s New Campaigns Deliver Rootkit and Phishing Modules","datePublished":"2023-05-15T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\/"},"wordCount":2611,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/05\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Endpoints","Trend Micro Research : Malware","Trend Micro Research : Phishing","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\/","url":"https:\/\/www.threatshub.org\/blog\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\/","name":"Water Orthrus's New Campaigns Deliver Rootkit and Phishing Modules 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/05\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules.png","datePublished":"2023-05-15T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/05\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/05\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules.png","width":1000,"height":1000},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Water Orthrus’s New Campaigns Deliver Rootkit and Phishing Modules"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/51908","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=51908"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/51908\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/51909"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=51908"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=51908"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=51908"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":51908,"date":"2023-05-15T00:00:00","date_gmt":"2023-05-15T00:00:00","guid":{"rendered":"urn:uuid:4a39a7ba-a946-1799-4dfd-3cc17562c7eb"},"modified":"2023-05-15T00:00:00","modified_gmt":"2023-05-15T00:00:00","slug":"water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/water-orthruss-new-campaigns-deliver-rootkit-and-phishing-modules\/","title":{"rendered":"Water Orthrus’s New Campaigns Deliver Rootkit and Phishing Modules"},"content":{"rendered":"