Caught in the Act: How Our Decoy Intercepted a Sophisticated APT Attack Targeting India’s Financial Sector
On the evening of May 7, 2025, at 20:48 IST, Treacle Tech’s Octopus Decoy — deployed within the infrastructure of a major Indian financial institution — intercepted a live malware delivery attempt. The attack arrived not through a phishing email or a compromised webpage, but through an exposed MySQL service on port 3306, originating from an IP address geolocated to Jiangsu, China.
What followed was a textbook example of how advanced persistent threat (APT) groups probe, exploit, and establish footholds in critical financial infrastructure — and how proactive cyber deception can catch them before any damage is done.
This post walks through the anatomy of the attack, the clever obfuscation techniques employed by the adversary, and what it means for India’s BFSI sector.
The Attack: SQL Queries as a Weapon
The adversary’s approach was methodical. Rather than brute-forcing credentials or exploiting a known CVE, they targeted MySQL’s own functionality — specifically its ability to load dynamic libraries and execute system commands.
The attack unfolded in five distinct stages:
Stage 1 — Reconnaissance. The attacker issued a version query to fingerprint the database engine, a standard first step to tailor subsequent payloads to the target environment.
Stage 2 — Function Creation & DLL Injection. Multiple CREATE FUNCTION commands were fired in rapid succession, attempting to load malicious DLLs — including udf.dll and lib_mysqludf_sys.dll — into the MySQL environment. These user-defined functions give an attacker the ability to execute arbitrary system commands directly from within SQL.
Stage 3 — Payload Download. With the UDF functions in place, the attacker used a custom downloader function to fetch a 33 MB executable (Server.exe) from a remote file server that, at the time of analysis, was still live.
Stage 4 — Execution Attempt. The attacker attempted to launch the downloaded payload via a cmdshell function call. This is where the Octopus Decoy’s design proved decisive — because it emulates a Windows MySQL server environment on a Linux host, the execution step failed silently. The malware was captured intact, but never ran.
Stage 5 — Cleanup. In the final phase, the attacker dropped all created functions and exited the session — a disciplined attempt to erase forensic evidence.
Notably, the attacker’s remote file server was still live at the time of analysis, hosting a range of additional tools — Linux agents, VPN installers, and other executables — suggesting an established operational toolkit.
The Clever Disguise: Chinese Text Hiding Windows Commands
One of the most striking findings emerged during the analysis of a dropped batch file, Install.bat. When opened in a standard text editor, the file appeared to contain garbled Chinese characters:
When the Chinese text was run through Google Translate, it produced innocuous sentences about the 2020 Beijing International Airport and the 1984 World Cup — clearly nonsensical decoy text designed to confuse analysts and bypass automated inspection tools.
But when the same file was examined in a hex editor, an entirely different picture emerged. Hidden beneath the Chinese characters were fully functional Windows batch commands — suppressing output, launching a hidden command prompt, silently installing malware, wiping evidence, and self-deleting.
This is a classic example of polyglot obfuscation — a file that appears legitimate under one interpretation while carrying a completely different payload under another. It is a technique that can slip past signature-based detection tools and casual manual review alike.
What the Malware Actually Does
The primary payload, Server.exe, is a 33 MB PE32 executable compiled with Visual Studio 2013, packed using 7-Zip SFX, and carrying a Chinese-Simplified language identifier. Upon execution in our controlled sandbox and cloud VM environment, it exhibited a wide range of capabilities:
Persistence
The malware establishes multiple persistence mechanisms — creating scheduled tasks (DCAgentUpdater.job), registering itself as a Windows service (DesktopCentral), and copying files to system directories. It abuses legitimate ManageEngine UEMS Agent binaries to blend into enterprise environments where ManageEngine products are commonly deployed.
Privilege Escalation
Through DLL side-loading (targeting apphelp.dll, version.dll, and others) and process injection into trusted processes like Windows Explorer, the malware escalates its privileges while evading process-based defenses.
Defense Evasion
The malware employs XOR encryption, software packing, guard page creation to thwart debuggers, and — critically — sandbox and VM detection. It queries WMI for network adapter, memory, and processor details to determine if it is running in an analysis environment, and alters its behavior accordingly. Our initial sandbox analysis yielded only partial results for this exact reason.
Command and Control
The malware communicates with a C2 server at star.zcnet.net (IP: 114.234.239.89, Jiangsu, China) over non-standard port 8383 using TLS. It also contacts sectigo.com and crl.sectigo.com — legitimate certificate authorities — likely to validate or install certificates that help its encrypted C2 traffic appear trustworthy.
Credential Theft
Using DirectInput via DDRAW.DLL, the malware implements keystroke logging to capture credentials — a direct threat to banking operations.
An Evolving Adversary
This was not the first time we intercepted this threat actor. A closely related malware sample was captured on April 18, 2025. The two variants share nearly identical post-exploitation behavior — the same dropped files, the same C2 infrastructure, the same MITRE ATT&CK technique profile.
The key difference? The delivery mechanism evolved. The April variant dropped files directly into the user’s AppData temp directory. The May variant switched to using HaoZip (a Chinese archiving tool) to extract files into C:\PerfLogs\ — a less-monitored directory that is more likely to bypass endpoint detection rules. This tactical shift is a clear indicator of an adversary that is actively iterating on their tradecraft in response to detection.
MITRE ATT&CK Mapping
The malware maps to techniques across nine MITRE ATT&CK tactics, demonstrating a comprehensive attack capability that is not typical of commodity malware:
|
Tactic |
Key Techniques |
|
Initial Access |
Replication Through Removable Media (T1064) |
|
Execution |
WMI (T1047), Command Interpreter (T1059), Scheduled Task (T1053) |
|
Persistence |
DLL Side-Loading (T1574.002), Windows Service (T1543.003), Scripting (T1064) |
|
Privilege Escalation |
Process Injection (T1055), DLL Side-Loading (T1574.002) |
|
Defense Evasion |
Obfuscated Files (T1027), Sandbox Evasion (T1497), Masquerading (T1036), File Deletion (T1070.004) |
|
Credential Access |
Input Capture / Keystroke Logging (T1056) |
|
Discovery |
System Info (T1082), Process Discovery (T1057), Security Software Discovery (T1518.001) |
|
Collection |
Keystroke Logging (T1056) |
|
Command & Control |
Non-Standard Port (T1571), Application Layer Protocol (T1071) |
Attribution: Who Is Behind This?
Based on the TTP mapping, C2 infrastructure geolocation, tooling characteristics (Chinese-language artifacts, HaoZip usage, UDF-based MySQL exploitation), and targeting pattern (financial sector in India), the observed behavior aligns with three known APT groups:
APT41 (Double Dragon) — A Chinese state-affiliated group known for blending cyber espionage with financially motivated operations. Their use of DLL side-loading, process injection, and non-standard C2 ports closely mirrors what we observed. APT41 has a documented history of targeting the financial and telecommunications sectors across Asia.
APT32 (OceanLotus) — A Vietnamese state-linked group with expanding operations against financial targets in Asia. Their reliance on DLL side-loading and WMI for persistence aligns with several techniques in this attack chain.
Lazarus Group (APT38) — The North Korean group infamous for targeting banks and financial infrastructure globally. Their use of Windows services, scheduled tasks, and covert C2 protocols is consistent with what we found.
While definitive attribution requires intelligence beyond the scope of malware analysis alone, the convergence of technical indicators strongly suggests a state-sponsored or state-affiliated actor with specific interest in India’s financial infrastructure.
What This Means for Indian BFSI
This attack was intercepted before it could cause harm — but not every organization has deception technology deployed at the right choke points. The adversary’s approach — targeting MySQL services, abusing ManageEngine agents, and communicating with C2 servers in China — exploits the exact combination of legacy infrastructure and legitimate enterprise tooling that is common across Indian banks and financial institutions.
Key recommendations for defenders:
- Block known C2 infrastructure. Add *.zcnet.net and the 114.234.239.0/24 subnet to your firewall and proxy blocklists immediately.
- Audit ManageEngine deployments. Verify the integrity of all ManageEngine UEMS Agent binaries. Check hashes of dcagentregister.exe, dcstatusutil.exe, and dcconfig.exe against known-good versions.
- Deploy IoC-based detection rules. Add the file hashes listed at the end of this post to your EDR/SIEM solutions.
- Monitor non-standard port traffic. Set up alerts for outbound connections on port 8383 and DNS queries to star.zcnet.net.
- Restrict execution from high-risk directories. Implement application control policies to block binaries executing from C:\PerfLogs\, Temp folders, AppData, and removable drives.
- Remove persistence artifacts. Hunt for scheduled tasks named DCAgentUpdater.job, services named DesktopCentral under non-standard registry paths, and related registry modifications.
Why Cyber Deception Works
This incident reinforces a fundamental truth about modern cyber defense: you cannot stop what you cannot see.
Traditional perimeter defenses — firewalls, antivirus, even EDR — are reactive. They rely on knowing what an attack looks like before it arrives. The adversary in this case used sandbox evasion, VM detection, polyglot obfuscation, and legitimate tool abuse specifically to bypass these defenses.
Cyber deception flips the equation. By deploying realistic decoys — database services, file shares, application servers — inside the network, defenders create an environment where any interaction is inherently suspicious. There is no legitimate reason for anyone to connect to a decoy MySQL instance. The moment the attacker engaged, the game was already over.
Treacle Tech’s Octopus Decoy captured this malware sample in its entirety, with full bitstream logs of every SQL query, every function creation, and every download attempt. The malware was preserved for analysis without ever executing in the production environment — zero risk, full intelligence.
This is the promise of cyber deception: early detection, zero false positives, and complete threat intelligence capture.
Indicators of Compromise (IoCs)
|
Indicator |
Value |
|
MD5 (Server.exe) |
a914ad6423a307cf0cf4e7f82d1d22d6 |
|
SHA256 (Server.exe) |
c2efb1e0e93c97b201cc85710874d8f03615ce9353d02bab6e8c7660836c609e |
|
SHA256 (Install.bat) |
39547511ed9e35d635555ce18cdd0e1ebad6d2903b301a8de5b3bea84a56b589 |
|
SHA256 (Server_Agent.exe) |
09fc4c71577f1ddafc1528ebeae7fd88aaddeff857254513cd1041dbf399cd25 |
|
C2 Domain |
star.zcnet.net |
|
C2 IP Address |
114.234.239.89 (ASN 4134, Jiangsu, China) |
|
Source IP Address |
114.234.239.88 (ASN 4134, Jiangsu, China) |
|
C2 Port |
8383 (TCP/TLS) |
|
Contacted Domains |
crl.sectigo.com, sectigo.com, EndpointCentral.local |
|
Attack Protocol |
MySQL (port 3306) |
|
Dropped Paths |
C:\PerfLogs\Install.bat, C:\PerfLogs\Server_Agent.exe |
|
Persistence |
DCAgentUpdater.job, DesktopCentral service |
About Treacle Technologies
Treacle Technologies is an IIT Kanpur-incubated cybersecurity startup specializing in AI-powered cyber deception. Our flagship platform, i-Mirage, deploys intelligent decoys across enterprise networks to detect, deceive, and deflect advanced threats in real time.
Website: www.treacletech.com | Email: contact@treacletech.com | Phone: +91-8420407686
Contributed by Raj Kumar

Comments are closed