RANCOR  (Back to overview)

aka: G0075, Rancor, Rancor Group, Rancor Taurus, Rancor group

The Rancor group’s attacks use two primary malware families which are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be new addition to these attackers’ toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to Singapore and Cambodia.

Associated Families
win.8t_dropper win.ddkong win.plaintee

2023-04-05Medium IlanduIlan Duhin
PortDoor - APT Backdoor analysis
ACBackdoor 8.t Dropper PortDoor
2023-03-07Check Point ResearchCheck Point Research
Pandas with a Soul: Chinese Espionage Attacks Against Southeast Asian Government Entities
5.t Downloader 8.t Dropper Soul
The Approach of TA413 for Tibetan Targets
8.t Dropper LOWZERO
2022-09-22Recorded FutureInsikt Group®
Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets
8.t Dropper LOWZERO
2022-07-18Palo Alto Networks Unit 42Unit 42
Rancor Taurus
2022-07-07Sentinel LABSTom Hegel
Targets of Interest - Russian Organizations Increasingly Under Attack By Chinese APTs
8.t Dropper Korlia Tonto Team
2021-10-26KasperskyKaspersky Lab ICS CERT
APT attacks on industrial organizations in H1 2021
8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy
2021-02-28PWC UKPWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-01-13AlienVaultTom Hegel
A Global Perspective of the SideWinder APT
8.t Dropper Koadic SideWinder
2021-01-04nao_sec blognao_sec
Royal Road! Re:Dive
8.t Dropper Chinoxy FlowCloud FunnyDream Lookback
2020-09-16RiskIQJon Gross
RiskIQ: Adventures in Cookie Land - Part 2
8.t Dropper Chinoxy Poison Ivy
2020-08-19NTT SecurityFumio Ozawa, Rintaro Koike, Shogo Hayashi
Operation LagTime IT: Colorful Panda Footprint
8.t Dropper Cotx RAT Poison Ivy TA428
2020-08-19RiskIQCory Kennedy, Jon Gross
RiskIQ Adventures in Cookie Land - Part 1
8.t Dropper Chinoxy
2020-06-03Kaspersky LabsGiampaolo Dedola, GReAT, Mark Lechtik
Cycldek: Bridging the (air) gap
8.t Dropper NewCore RAT PlugX USBCulprit GOBLIN PANDA Hellsing
2020-03-21MalwareLab.plMaciej Kotowicz
On the Royal Road
8.t Dropper
2020-03-20Medium SebdravenSébastien Larinier
New version of chinoxy backdoor using COVID19 alerts document lure
8.t Dropper Chinoxy
2020-03-12Check PointCheck Point Research
Vicious Panda: The COVID Campaign
8.t Dropper BYEBY Enfal Korlia Poison Ivy
2020-03-12Check Point ResearchCheck Point
Vicious Panda: The COVID Campaign
8.t Dropper Vicious Panda
2020-03-11Virus BulletinGhareeb Saad, Michael Raggi
Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers
8.t Dropper
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-01-29nao_sec blognao_sec
An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
Aveo DDKONG IsSpace PLAINTEE PlugX Rambo DragonOK
2019-12-17Palo Alto Networks Unit 42Jen Miller-Osborn, Mike Harbison
Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia
2019-09-22Check Point ResearchCheck Point Research
Rancor: The Year of The Phish
8.t Dropper Cobalt Strike
2019-07-23ProofpointDennis Schwarz, Michael Raggi, Proofpoint Threat Insight Team
Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
8.t Dropper Cotx RAT Poison Ivy TA428
MUDCARP's Focus on Submarine Technologies
8.t Dropper APT40
Another malicious document with CVE-2017–11882
8.t Dropper
2019-01-01Council on Foreign RelationsCyber Operations Tracker
Group description: Rancor
Là 1937CN hay OceanLotus hay Lazarus …
8.t Dropper
2018-07-31Medium SebdravenSébastien Larinier
Malicious document targets Vietnamese officials
8.t Dropper PlugX 1937CN
2018-07-31Medium SebdravenSébastien Larinier
Malicious document targets Vietnamese officials
8.t Dropper
2018-06-26Palo Alto Networks Unit 42Brittany Ash, Josh Grunzweig, Tom Lancaster
RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families
2018-06-26Palo Alto Networks Unit 42Brittany Ash, Josh Grunzweig, Tom Lancaster
RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families

Credits: MISP Project