• IIT Kanpur
  • contact@treacletech.com
  • Treacle Technologies
Treacle Technologies
?php echo get_bloginfo( 'name' ); ?>
  • About Us
  • Products
    • AI-Based i-Mirage Proactive Defense System
    • Dynamic and Machine Learning-Based Honeypots
    • Deception-Based Early Warning i-Mirage
  • Resources
    • Blog
    • News & Articles
    • Case Studies
    • Data
  • Partners
  • Team
  • Contact Us
  • Request for Demo
Treacle Technologies

Caught in the Act: How Our Decoy Intercepted a Sophisticated APT Attack Targeting India’s Financial Sector

  • Home
  • Blog
  • Caught in the Act: How Our Decoy Intercepted a Sophisticated APT Attack Targeting India’s Financial Sector
  • July 16, 2026
  • contact@treacletech.com
  • 16 Views

Caught in the Act: How Our Decoy Intercepted a Sophisticated APT Attack Targeting India’s Financial Sector

On the evening of May 7, 2025, at 20:48 IST, Treacle Tech’s Octopus Decoy — deployed within the infrastructure of a major Indian financial institution — intercepted a live malware delivery attempt. The attack arrived not through a phishing email or a compromised webpage, but through an exposed MySQL service on port 3306, originating from an IP address geolocated to Jiangsu, China.

What followed was a textbook example of how advanced persistent threat (APT) groups probe, exploit, and establish footholds in critical financial infrastructure — and how proactive cyber deception can catch them before any damage is done.

This post walks through the anatomy of the attack, the clever obfuscation techniques employed by the adversary, and what it means for India’s BFSI sector.

The Attack: SQL Queries as a Weapon

The adversary’s approach was methodical. Rather than brute-forcing credentials or exploiting a known CVE, they targeted MySQL’s own functionality — specifically its ability to load dynamic libraries and execute system commands.

The attack unfolded in five distinct stages:

Stage 1 — Reconnaissance. The attacker issued a version query to fingerprint the database engine, a standard first step to tailor subsequent payloads to the target environment.

Stage 2 — Function Creation & DLL Injection. Multiple CREATE FUNCTION commands were fired in rapid succession, attempting to load malicious DLLs — including udf.dll and lib_mysqludf_sys.dll — into the MySQL environment. These user-defined functions give an attacker the ability to execute arbitrary system commands directly from within SQL.

Fig: Attacker's repeated attempts to create malicious functions in the MySQL environment

Stage 3 — Payload Download. With the UDF functions in place, the attacker used a custom downloader function to fetch a 33 MB executable (Server.exe) from a remote file server that, at the time of analysis, was still live.

Stage 4 — Execution Attempt. The attacker attempted to launch the downloaded payload via a cmdshell function call. This is where the Octopus Decoy’s design proved decisive — because it emulates a Windows MySQL server environment on a Linux host, the execution step failed silently. The malware was captured intact, but never ran.

Fig: The attacker downloads Server.exe from the C2 server and attempts execution via cmdshell

Stage 5 — Cleanup. In the final phase, the attacker dropped all created functions and exited the session — a disciplined attempt to erase forensic evidence.

Notably, the attacker’s remote file server was still live at the time of analysis, hosting a range of additional tools — Linux agents, VPN installers, and other executables — suggesting an established operational toolkit.

Fig: The attacker's file server, still live at the time of analysis, hosting a range of offensive tools

The Clever Disguise: Chinese Text Hiding Windows Commands

One of the most striking findings emerged during the analysis of a dropped batch file, Install.bat. When opened in a standard text editor, the file appeared to contain garbled Chinese characters:

Fig: Install.bat and Server_Agent.exe dropped using the bundled HaoZip archiving tool (original and translated views)

When the Chinese text was run through Google Translate, it produced innocuous sentences about the 2020 Beijing International Airport and the 1984 World Cup — clearly nonsensical decoy text designed to confuse analysts and bypass automated inspection tools.

Fig: Google Translate produces misleading, innocuous text — a deliberate decoy by the threat actor

But when the same file was examined in a hex editor, an entirely different picture emerged. Hidden beneath the Chinese characters were fully functional Windows batch commands — suppressing output, launching a hidden command prompt, silently installing malware, wiping evidence, and self-deleting.

Fig: Hex analysis reveals hidden Windows batch commands — silent execution, payload installation, evidence cleanup, and self-deletion

This is a classic example of polyglot obfuscation — a file that appears legitimate under one interpretation while carrying a completely different payload under another. It is a technique that can slip past signature-based detection tools and casual manual review alike.

What the Malware Actually Does

The primary payload, Server.exe, is a 33 MB PE32 executable compiled with Visual Studio 2013, packed using 7-Zip SFX, and carrying a Chinese-Simplified language identifier. Upon execution in our controlled sandbox and cloud VM environment, it exhibited a wide range of capabilities:

Persistence

The malware establishes multiple persistence mechanisms — creating scheduled tasks (DCAgentUpdater.job), registering itself as a Windows service (DesktopCentral), and copying files to system directories. It abuses legitimate ManageEngine UEMS Agent binaries to blend into enterprise environments where ManageEngine products are commonly deployed.

Privilege Escalation

Through DLL side-loading (targeting apphelp.dll, version.dll, and others) and process injection into trusted processes like Windows Explorer, the malware escalates its privileges while evading process-based defenses.

Defense Evasion

The malware employs XOR encryption, software packing, guard page creation to thwart debuggers, and — critically — sandbox and VM detection. It queries WMI for network adapter, memory, and processor details to determine if it is running in an analysis environment, and alters its behavior accordingly. Our initial sandbox analysis yielded only partial results for this exact reason.

Command and Control

The malware communicates with a C2 server at star.zcnet.net (IP: 114.234.239.89, Jiangsu, China) over non-standard port 8383 using TLS. It also contacts sectigo.com and crl.sectigo.com — legitimate certificate authorities — likely to validate or install certificates that help its encrypted C2 traffic appear trustworthy.

 

Fig: Network traffic analysis showing DNS resolution of star.zcnet.net and TLS connection to the C2 server in Jiangsu, China

Credential Theft

Using DirectInput via DDRAW.DLL, the malware implements keystroke logging to capture credentials — a direct threat to banking operations.

An Evolving Adversary

This was not the first time we intercepted this threat actor. A closely related malware sample was captured on April 18, 2025. The two variants share nearly identical post-exploitation behavior — the same dropped files, the same C2 infrastructure, the same MITRE ATT&CK technique profile.

The key difference? The delivery mechanism evolved. The April variant dropped files directly into the user’s AppData temp directory. The May variant switched to using HaoZip (a Chinese archiving tool) to extract files into C:\PerfLogs\ — a less-monitored directory that is more likely to bypass endpoint detection rules. This tactical shift is a clear indicator of an adversary that is actively iterating on their tradecraft in response to detection.

MITRE ATT&CK Mapping

The malware maps to techniques across nine MITRE ATT&CK tactics, demonstrating a comprehensive attack capability that is not typical of commodity malware:

 

Tactic

Key Techniques

Initial Access

Replication Through Removable Media (T1064)

Execution

WMI (T1047), Command Interpreter (T1059), Scheduled Task (T1053)

Persistence

DLL Side-Loading (T1574.002), Windows Service (T1543.003), Scripting (T1064)

Privilege Escalation

Process Injection (T1055), DLL Side-Loading (T1574.002)

Defense Evasion

Obfuscated Files (T1027), Sandbox Evasion (T1497), Masquerading (T1036), File Deletion (T1070.004)

Credential Access

Input Capture / Keystroke Logging (T1056)

Discovery

System Info (T1082), Process Discovery (T1057), Security Software Discovery (T1518.001)

Collection

Keystroke Logging (T1056)

Command & Control

Non-Standard Port (T1571), Application Layer Protocol (T1071)

Attribution: Who Is Behind This?

Based on the TTP mapping, C2 infrastructure geolocation, tooling characteristics (Chinese-language artifacts, HaoZip usage, UDF-based MySQL exploitation), and targeting pattern (financial sector in India), the observed behavior aligns with three known APT groups:

APT41 (Double Dragon) — A Chinese state-affiliated group known for blending cyber espionage with financially motivated operations. Their use of DLL side-loading, process injection, and non-standard C2 ports closely mirrors what we observed. APT41 has a documented history of targeting the financial and telecommunications sectors across Asia.

APT32 (OceanLotus) — A Vietnamese state-linked group with expanding operations against financial targets in Asia. Their reliance on DLL side-loading and WMI for persistence aligns with several techniques in this attack chain.

Lazarus Group (APT38) — The North Korean group infamous for targeting banks and financial infrastructure globally. Their use of Windows services, scheduled tasks, and covert C2 protocols is consistent with what we found.

While definitive attribution requires intelligence beyond the scope of malware analysis alone, the convergence of technical indicators strongly suggests a state-sponsored or state-affiliated actor with specific interest in India’s financial infrastructure.

What This Means for Indian BFSI

This attack was intercepted before it could cause harm — but not every organization has deception technology deployed at the right choke points. The adversary’s approach — targeting MySQL services, abusing ManageEngine agents, and communicating with C2 servers in China — exploits the exact combination of legacy infrastructure and legitimate enterprise tooling that is common across Indian banks and financial institutions.

Key recommendations for defenders:

  1. Block known C2 infrastructure. Add *.zcnet.net and the 114.234.239.0/24 subnet to your firewall and proxy blocklists immediately.
  2. Audit ManageEngine deployments. Verify the integrity of all ManageEngine UEMS Agent binaries. Check hashes of dcagentregister.exe, dcstatusutil.exe, and dcconfig.exe against known-good versions.
  3. Deploy IoC-based detection rules. Add the file hashes listed at the end of this post to your EDR/SIEM solutions.
  4. Monitor non-standard port traffic. Set up alerts for outbound connections on port 8383 and DNS queries to star.zcnet.net.
  5. Restrict execution from high-risk directories. Implement application control policies to block binaries executing from C:\PerfLogs\, Temp folders, AppData, and removable drives.
  6. Remove persistence artifacts. Hunt for scheduled tasks named DCAgentUpdater.job, services named DesktopCentral under non-standard registry paths, and related registry modifications.

Why Cyber Deception Works

This incident reinforces a fundamental truth about modern cyber defense: you cannot stop what you cannot see.

Traditional perimeter defenses — firewalls, antivirus, even EDR — are reactive. They rely on knowing what an attack looks like before it arrives. The adversary in this case used sandbox evasion, VM detection, polyglot obfuscation, and legitimate tool abuse specifically to bypass these defenses.

Cyber deception flips the equation. By deploying realistic decoys — database services, file shares, application servers — inside the network, defenders create an environment where any interaction is inherently suspicious. There is no legitimate reason for anyone to connect to a decoy MySQL instance. The moment the attacker engaged, the game was already over.

Treacle Tech’s Octopus Decoy captured this malware sample in its entirety, with full bitstream logs of every SQL query, every function creation, and every download attempt. The malware was preserved for analysis without ever executing in the production environment — zero risk, full intelligence.

This is the promise of cyber deception: early detection, zero false positives, and complete threat intelligence capture.

Indicators of Compromise (IoCs)

 

Indicator

Value

MD5 (Server.exe)

a914ad6423a307cf0cf4e7f82d1d22d6

SHA256 (Server.exe)

c2efb1e0e93c97b201cc85710874d8f03615ce9353d02bab6e8c7660836c609e

SHA256 (Install.bat)

39547511ed9e35d635555ce18cdd0e1ebad6d2903b301a8de5b3bea84a56b589

SHA256 (Server_Agent.exe)

09fc4c71577f1ddafc1528ebeae7fd88aaddeff857254513cd1041dbf399cd25

C2 Domain

star.zcnet.net

C2 IP Address

114.234.239.89 (ASN 4134, Jiangsu, China)

Source IP Address

114.234.239.88 (ASN 4134, Jiangsu, China)

C2 Port

8383 (TCP/TLS)

Contacted Domains

crl.sectigo.com, sectigo.com, EndpointCentral.local

Attack Protocol

MySQL (port 3306)

Dropped Paths

C:\PerfLogs\Install.bat, C:\PerfLogs\Server_Agent.exe

Persistence

DCAgentUpdater.job, DesktopCentral service

 

  About Treacle Technologies

 

Treacle Technologies is an IIT Kanpur-incubated cybersecurity startup specializing in AI-powered cyber deception. Our flagship platform, i-Mirage, deploys intelligent decoys across enterprise networks to detect, deceive, and deflect advanced threats in real time.

Website: www.treacletech.com  |  Email: contact@treacletech.com  |  Phone: +91-8420407686 

                                                                                                                                                Contributed by Raj Kumar

Previous Post
207 Days

Comments are closed

Recent Post

  • July 16, 2026
    Caught in the Act: How Our Decoy Intercepted a Sophisticated APT Attack Targeting India’s Financial Sector
  • June 16, 2025
    207 Days to Spot a Hack? How Treacle i-Mirage System Slashes Detection to Hours!
  • June 5, 2025
    Beyond Firewalls: How Deception Technology is Becoming Cybersecurity’s Silent Hunter

Our Company

  • About Us
  • Blog
  • News & Articles
  • Case Studies
  • Partners
  • Privacy Policy
  • Terms and Conditions

Our Products

  • AI-Based i-Mirage Proactive Defense System
  • Dynamic and Machine Learning-Based Honeypots
  • Deception-Based Early Warning i-Mirage

Contact Us

Headquarters-

Technopark IIT Kanpur, Phase-1 Facility, Opposite Ncc Office, IIT Kanpur, Kanpur-208016

Office Address-

Office No. 704, 7th Floor, Palm Court M.g.road, Gurgaon-122007

+91-8420407686

Treacle Technologies

Camouflage, Deceive, Entrap, Defend

Follow us on
Facebook X-twitter Linkedin
© Copyright 2024. All Rights Reserved by Treacle Tech.
Designed and Developed by Treacle Technologies
↑