3.Use Tools for Investigation and Handling

Based on the fact that the attackers used variants of the Gh0st remote control Trojan family in this attack, users can download and use the “Visco” special investigation tool and the Antiy System Security Kernel Analysis Tool on the Antiy Vertical Response Platform (https://vs2.antiy.cn) to investigate and remove the Gh0st remote control Trojan.

The “SwimSnake” special inspection tool can be used to inspect the loaders dropped by the “SwimSnake” cybercriminal group in its attack activities and the remote control Trojans loaded into the memory (including the Gh0st remote control Trojan family).

Antiy System Security Kernel Analysis Tool (ATool for short) is a deep analysis tool for Windows systems for threat detection and threat analysts. It can effectively detect potential malicious programs such as secret-stealing Trojans, backdoors and hacker tools in the operating system and assist professionals in manual disposal. It has the functions of effective detection of known threats, timely discovery of unknown threats, and one-click disposal of stubborn infections.

3.1 Use the “SwimSnake” Special Troubleshooting Tool to Detect the Gh0st Remote Control Trojan

In order to more accurately and comprehensively remove threats existing in the victim host, customers can contact Antiy’s emergency response team (cert@antiy.cn) after using special troubleshooting tools to detect threats.

3.2  Use Antiy System Security Kernel Analysis Tool to Remove Gh0st Remote Control Trojan

After discovering the Gh0st remote control Trojan, users can download and use ATool on the Antiy Vertical Response Platform to remove the Trojan. For example, in the “Process Management” page of ATool, right-click the malicious process “Shine.exe ” : first click “Locate in Windows File Manager” to locate the path where “Shine.exe ” is located, then click “Terminate” to end the “Shine.exe ” process, and finally delete the malicious files in the path where the “Shine.exe” program is located .

In the “Startup Items” page of ATool, use the “Find” function to search for malicious process names, find and delete malicious startup items.

In addition, ATool supports reputation query of four object dimensions for executable objects, namely “Publisher Reputation”, “Content Reputation”, “Behavior Reputation” and “Path Reputation (Location Reputation)”. Clicking the “Reputation Analysis” button above the tool can perform a cloud reputation query on the current inventory object, thus helping users discover potential threats in the system.

4. Terminal Security Protection

After testing, Antiy Intelligent Endpoint Protection System product series (hereinafter referred to as “IEP”) can effectively detect and defend against the virus samples discovered this time by relying on Antiy’s self-developed threat detection engine and kernel-level active defense capabilities.

IEP can monitor local disks in real time and automatically detect viruses on newly added files. In response to this threat, when the virus file libcef.dll is found locally, IEP will immediately detect and kill the virus file and send an alert to the user, effectively preventing the virus from starting.

In addition, IEP has a driver-level active defense module that can monitor process behavior in real time. When a process is found to have risky behavior, it can be immediately intercepted to effectively prevent the execution of attack behavior. In this incident, when the attacker used Shine.exe to load the malicious file libcef.dll, IEP would capture the loading behavior of the malicious program through the memory protection module and immediately intercept it.

IEP also provides users with a unified management platform, through which administrators can centrally view the details of threat events within the network and handle them in batches, thereby improving the efficiency of terminal security operation and maintenance.

5.ttack Payload Executor Life Cycle and Security Product Key Capabilities Mapping Matrix

Through threat event analysis, we can obtain the attack process of running objects and running actions in the entire life cycle of the attack payload execution body, and further evaluate the key capability mapping matrix of anti-virus engine and active defense that the security protection software deployed on the terminal side should have. The key capabilities of detection and defense of this series of attack activities are described in the following table:

Attack Executor Lifecycle		Object	Action	Threat Detection Engine Key Capabilities	Active Defense Capability Key Capabilities
Pre-set and drop	Drop	Phishing Websites	Impersonating the WPS Office download site, tricking users into downloading a backdoored installer. The program is larger than 200M .	Phishing Domain Detection	1. (Host firewall) monitors application access to C2 server request packets, obtains accessed IP, domain name and URL, and detects the delivery engine to intercept threat C2 server access request packets 2. (Host firewall) Set record/alert/block rules for application request IP, Domain and URL for untrusted addresses
Load Execution	Execute	Installer bundled with backdoor	Release the file: %temp%\WPS_Setup.exe (white file) C:\Program Data \Shine.exe (white file) C:\Program Data \libcef.dll C:\Program Data \ 1.txt	1. Installation package type identification 2. Installer derivative files disassemble and recursively detect 3. Identification of redundant and false data anomalies in large files	1. (File defense) Monitor disk file creation/modification, delivery engine detection, and delete threat files 2. (File defense) Set up full file monitoring
		Load and decrypt; 1. White plus black loading : Shine.exe (white file) 2. Decryption: libcef.dll	Shine.exe (white file) load: libcef.dll libcef.dll decryption: 1.txt Solved: Install.dll (executable file)	1. Offline digital signature verification 2. PE format and compiler type identification 3. PE real entry point malicious instruction detection	(Process defense) Monitors process module loading, disassembles the full path of the process and the full path of the loaded module, and then detects the delivery engine, intercepts the loading of threat modules, and deletes the threat modules.
		Memory Loading: Install.dll	Gh0st Remote Control Trojan	Gh0st remote control trojan embedded malicious command detection	1. (Memory Defense) Monitor memory loading behavior 2. (Memory Defense) Set to prohibit loading memory containing certain shellcode content
	Persistence	Add a registry startup item: libcef.dll	Add a registry startup item: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Value: String: “Management” : ” C:\Program Data\Shine.exe”	Registry key detection	(Registry defense) Monitors the creation/modification of registry startup items, disassembles the file path, startup item name and content of the registry modification process, and then delivers engine detection and deletes threat startup items
Effective Application	Process effectiveness	Remote control Trojan ( Gh0st ): Install.dll	1. Collect system information and send online packets back to C2 2. Wait for receiving and execute remote control commands	Remote control C2 domain name detection	1. (Host firewall) monitors application access to C2 server request packets, obtains accessed IP, domain name and URL, and detects the delivery engine to intercept threat C2 server access request packets 2. (Host firewall) Set record/alert/block rules for application request IP, Domain and URL for untrusted addresses

6. IoCs

IoCs

9232FBCCF8B566B0C0A6D986B65BBC98

A9710294489B6893F59120C5DF76A60C

444F87D1D78B9C1162963D6F775FB60E

h xx ps://wpsice [ . ] com

h xx ps://cn-wps-oss-1.cdn-yun [ . ] cloud/WPS_Setup.exe

45.207.12 [ . ] 71:1803

7.List of Historical Reports on the Threat of “SwimSnake” By Antiy

• [1] Analysis of the Attack Activity of Launching Remote Control Trojans Through Forged Chinese Version of Telegram Website [R/OL].(2022-10-24)

https://www.antiy.cn/research/notice&report/research_report/20221024.html

• [2] Analysis of Attack Activities Using Cloud Note Platform to Deliver Remote Control Trojans [R/OL].(2023-03-24)

https://www.antiy.cn/research/notice&report/research_report/20230324.html

• [3] Analysis of the Cybercriminal Group That Uses the Cloud Note Platform to Deliver Remote Control Trojans [R/OL].(2023-03-30)

https://www.antiy.cn/research/notice&report/research_report/20230330.html

• [4] Analysis of the Large-Scale Attack Activities Launched by the “Swimsnake” Cybercriminal Group Against Domestic Users [R/OL].(2023-05-18)

https://www.antiy.cn/research/notice&report/research_report/20230518.html

• [5] Analysis of Recent Phishing Attacks by the “Swimsnake” Cybercriminal Group [R/OL].(2023-07-11)

https://www.antiy.cn/research/notice&report/research_report/TrojanControl_Analysis.html

• [6] Analysis of the Activities of the “Swimsnake” Cybercriminal Group Using Wechat to Spread Malicious Code [R/OL].(2023-08-22)

https://www.antiy.cn/research/notice&report/research_report/SnakeTrojans_Analysis.html

• [7] Special Analysis Report on the “swimsnake” Cybercriminal Group [R/OL].(2023-10-12)

https://www.antiy.cn/research/notice&report/research_report/SwimSnakeTrojans_Analysis.html

• [8] Analysis of the New Round of Attacks by the “Swimsnake” Cybercriminal Group Against Financial Personnel and E-Commerce Customer Service [R/OL].(2023-11-11)

https://www.antiy.cn/research/notice&report/research_report/SwimSnake_Analysis.html

• [9] Analysis of Recent Attack Activities of the “swimsnake” Cybercriminal Group [R/OL].(2024-04-07)

https://www.antiy.cn/research/notice&report/research_report/SwimSnake_Analysis_202404.html

• [10] Analysis of the “Swimsnake” Cybercriminal Group Using Malicious Documents to Carry out Phishing Attacks [R/OL].(2024-06-21)

https://www.antiy.cn/research/notice&report/research_report/SwimSnake_Analysis_202406.html

• [11] Phishing Download Website Spreads “Swimsnake” Threat, Malicious Installer Hides Remote Control Trojan [R/OL].(2024-12-20)

https://www.antiy.cn/research/notice&report/research_report/SwimSnake_Analysis_202412.html

• [12] “Swimsnake” Cybercriminal Attacks Are Rampant, And Special Investigation and Disposal Should Be Launched Immediately [R/ OL ] . ( 2025-04-23 )

https://www.antiy.cn/research/notice&report/research_report/SwimSnake_Analysis_202504.html

Appendix 1: References

• [Identified] Fake WPS website [R/OL]. (2025-05-08)

https://bbs.kafan.cn/thread-2281325-1-1.html

Appendix 2: About Antiy

Antiy is committed to enhancing the network security defense capabilities of its customers and effectively responding to security threats. Through more than 20 years of independent research and development, Antiy has developed technological leadership in areas such as threat detection engines, advanced threat countermeasures, and large-scale threat automation analysis.

Antiy has developed IEP (Intelligent Endpoint Protection System) security product family for PC, server and other system environments, as well as UWP (Unified Workload Protect) security products for cloud hosts, container and other system environments, providing system security capabilities including endpoint antivirus, endpoint protection (EPP), endpoint detection and response (EDR), and Cloud Workload Protection Platform (CWPP) , etc. Antiy has established a closed-loop product system of threat countermeasures based on its threat intelligence and threat detection capabilities, achieving perception, retardation, blocking and presentation of the advanced threats through products such as the Persistent Threat Detection System (PTD), Persistent Threat Analysis System (PTA), Attack Capture System (ACS), and TDS. For web and business security scenarios, Antiy has launched the PTF Next-generation Web Application and API Protection System (WAAP) and SCS Code Security Detection System to help customers shift their security capabilities to the left in the DevOps process. At the same time, it has developed four major kinds of security service: network attack and defense logic deduction, in-depth threat hunting, security threat inspection, and regular security operations. Through the Threat Confrontation Operation Platform (XDR), multiple security products and services are integrated to effectively support the upgrade of comprehensive threat confrontation capabilities.

Antiy provides comprehensive security solutions for clients with high security requirements, including network and information authorities, military forces, ministries, confidential industries, and critical information infrastructure. Antiy has participated in the security work of major national political and social events since 2005 and has won honors such as the Outstanding Contribution Award and Advanced Security Group. Since 2015, Antiy’s products and services have provided security support for major spaceflight missions including manned spaceflight, lunar exploration, and space station docking, as well as significant missions such as the maiden flight of large aircraft, escort of main force ships, and Antarctic scientific research. We have received several thank-you letters from relevant departments.

Antiy is a core enabler of the global fundamental security supply chain. Nearly a hundred of the world’s leading security and IT enterprises have chosen Antiy as their partner of detection capability. At present, Antiy’s threat detection engine provides security detection capabilities for over 1.3 million network devices and over 3 billion smart terminal devices worldwide, which has become a “national-level” engine. As of now, Antiy has filed 1,877 patents in the field of cybersecurity and obtained 936 patents. It has been awarded the title of National Intellectual Property Advantage Enterprise and the 17th (2015) China Patent Excellence Award.

Antiy is an important enterprise node in China emergency response system and has provided early warning and comprehensive emergency response in major security threats and virus outbreaks such as “Code Red”, “Dvldr”, “Heartbleed”, “Bash Shellcode” and “WannaCry”. Antiy conducts continuous monitoring and in-depth analysis against dozens of advanced cyberspce threat actors (APT groups) such as “Equation”, “White Elephant”, “Lotus” and “Greenspot” and their attack actions, assisting customers to form effective protection when the enemy situation is accurately predicted.

Official Website www.antiy.cn

WeChat Subscription Antiylab