Rule Digest: APT Groups, Malware Campaigns and Windows Telemetry

This week our Rule Digest covers more content than usual. It compiles rules for detecting recent attacks of state-sponsored actors, malware campaigns conducted by cybercriminals, and abusing Windows telemetry.


Mustang Panda is the China-based threat group that has demonstrated an ability to rapidly assimilate new tools and tactics into its operations. This APT group targets non-governmental organizations in general, and the adversaries often use shared malware like Poison Ivy or PlugX in their campaigns. They may use series of redirections and fileless, malicious implementations of legitimate tools to gain access to the targeted systems and reuse previously-observed legitimate domains to host files. 

The rule by Ariel Millahuel uncovers the Threat Actor activities related to the utilization of the DLL-Sideload technique (with a legitimate binary) and the PlugX Trojan deploy.

Possible New Mustang Panda activity (via PlugX Trojan)

More rules to detect PlugX Trojan on Threat Detection Marketplace


The Lookback malware was first used in a spear-phishing campaign targeted at US companies in the utility sector. After exposure, instead of stopping the campaign, the LookBack trojan operators changed the text of the phishing emails and continued to attack organizations. At first, these attacks were linked to the Chinese cyber-espionage unit, but further observation of the campaigns allowed researchers to suggest that the similarity in TTPs could be used by attackers as a false flag to complicate the attribution. At the same time as the LookBack campaigns, Proofpoint researchers identified a new, additional malware family named FlowCloud that was also being delivered to U.S. utilities providers. The malware gives threat actor complete control over an infected machine. Its functionality includes the ability to access installed applications, the keyboard, mouse, screen, files, services, and processes with the ability to exfiltrate information via command and control. The community rule by Den Iuzvik detects characteristics of the TA410 Group in LookBack and FlowCloud malware campaigns.

TA410 LookBack and FlowCloud malware campaigns (Sysmon Behavior)


Charming Kitten is an Iranian cyber-espionage unit that has been active since approximately 2014 targeting organizations involved in government, defense technology, military, and diplomacy sectors. Most of their targets were located in Iran, the United States, Israel, and the United Kingdom. Charming Kitten usually tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. During attacks, the APT group often uses DownPaper backdoor Trojan, whose main function is to download and run a next stage malware. This week Lee Archinal released a series of rules to detect DownPaper backdoor:

Charming Kitten Downpaper File Creation (Sysmon Behavior)

Charming Kitten Downpaper Process Executed (Command Line) (Sysmon Behavior)

Charming Kitten Downpaper Process Executed (Powershell) (Sysmon Behavior)

Charming Kitten Downpaper Registry Modification (Sysmon Behavior)


Further in our digest a couple of rules that detect abuse of Windows telemetry for persistence which affects Windows machines from 2008R2/Windows 7 through 2019/Windows 10. The community rules were submitted by Den Iuzvik and can be used to uncover the abusing of CompatTelRunner.exe for persistence. They also can help to detect actions of advanced threat actor who has already penetrated the system and is trying to elevate privileges to the System level.

Abusing Windows telemetry CompatTelRunner.exe(Sysmon Behavior)

Abusing Windows telemetry CompatTelRunner.exe(Audit Rule)

We will also release a community rule by Sreeman Shanker that also discovers this way to achieve persistence 


Valak is a sophisticated malware that was first observed in late 2019. It can be used independently as an information stealer to target individuals and enterprises. The recent versions of Valak target Microsoft Exchange servers to steal enterprise mailing information and passwords along with the enterprise certificate. It can hijack email replies and embed malicious URLs or attachments to infect devices with fileless scripts. Discovered campaigns were specifically targeted at enterprises in the United States and Germany. The new rule by Osman Demir is aimed to spot this threat in the enterprise network.

Valak Malware and the Connection to Gozi Loader ConfCrew



The rules have translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio, 

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint



Tactics: Initial Access, Defense Evasion, Execution, Persistence, Privilege Escalation, Command And Control 

Techniques: Spearphishing Attachment (T1193), DLL Side-Loading (T1073), Registry Run Keys / Startup Folder (T1060), Scheduled Task (T1053), Modify Registry (T1112), Command-Line Interface (T1059), PowerShell (T1086), Scripting (T1064), Commonly Used Port (T1043), Timestomp (T1099)


Wait for the next digest in a week, and don’t forget to register to Weekly Talks on Breaking News in Cybersecurity:

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts

Blog, Latest Threats — 6 min read
Execution Tactic | TA0002
Daryna Olyniychuk
Blog, Latest Threats — 2 min read
PyVil RAT by Evilnum Group
Eugene Tkachenko
Blog, Latest Threats — 2 min read
Eugene Tkachenko