Report

A technical analysis of the APT28 backdoor called OCEANMAP

This technical analysis explains OCEANMAP, a backdoor attributed to the Russian threat group APT28 (Sofacy/Fancy Bear) and originally discovered by CERT-UA. The malware establishes persistence by creating an Internet shortcut named "EdgeContext.url" in the Windows Startup folder, checks for and terminates duplicate instances of itself, and can rename itself when executed as "_tmp.exe". It connects to two hard-coded IMAP mail servers (likely compromised) using embedded credentials, pulls Base64-encoded commands from specific emails in the Drafts folder, executes them via cmd.exe, and exfiltrates the command output by appending emails to the Inbox folder. It supports commands that update the sleep interval and can switch to new credentials and servers, and the paper lists key IOCs including the SHA256 hash, mail servers, s