IndigoZebra APT continues to attack Central Asia with evolving tools

July 1, 2021


Check Point research recently discovered an ongoing spear-phishing campaign targeting the Afghan government. Further investigation revealed this campaign was a part of a long-running activity targeting other Central-Asia countries, including Kyrgyzstan and Uzbekistan, since at least 2014.

The actor suspected of this cyber-espionage operation is an APT group dubbedIndigoZebra“, previously attributed by researchers to China. The technical details of the operation were not publicly disclosed before.

In this article, we will discuss the tools, TTPs and infrastructure used by the attacker during the years of its activity. We will also provide technical analysis of the two different strains of the previously publicly undescribed backdoor xCaon, including its latest version we dubbed BoxCaon which uses the legitimate cloud-storage service Dropbox to act as its Command and Control server.

Infection Chain

Our investigation started with the emails sent from an employee of the Administrative Office of the President in Afghanistan to the employees of the Afghanistan National Security Council (NSC). The email asked the recipient to review the modifications in the document related to the upcoming press conference of the NSC.

Fig 1: Malicious email sent to the Afghan government employees


The email contains a password-protected RAR archive named NSC Press conference.rar. Extracting the archive with the password provided in the email requires user interaction and therefore provides a challenge for some sandbox security solutions.

Fig 2: The infection chain


The extracted file, NSC Press conference.exe, acts as a dropper. The content of the lure email suggests that the attached file is the document, hence, to reduce the suspicion of the victim running the executable, the attackers use the simple trick – the first document on the victim’s desktop is opened for the user upon the dropper execution.

Whether the dropper found a document to open or not, it will proceed to the next stage – drop the backdoor to C:\users\public\spools.exe and execute it.


BoxCaon Backdoor Analysis

The backdoor contain narrow capabilities: download and upload files, run commands and send the attackers the results. However short the list, they allow the attackers to upload and execute additional tools for further reconnaissance and lateral movement.

To hide malicious functionality – persistence and C&C communication – from static detections, the malware uses a common obfuscation technique known as “stackstrings” to build wide char strings.


Dropbox as a C&C Server

The backdoor utilizes Dropbox as a C&C server, by sending and receiving commands written to a specific folder in a specially created Dropbox account, prepared by the attacker before the operation. By using the legitimate Dropbox service for C&C communications, instead of regular dedicated server infrastructure, aids in masking the malicious traffic in the target’s network, as no communication to abnormal websites is taking place. The backdoor uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files.

In the initialization stage, the backdoor creates a unique folder for the victim in an attacker-controlled Dropbox account. The folder is named by the victim’s MAC address which is obtained using GetAdaptersInfo API.

Fig 3: Creation of a folder in Dropbox by the backdoor and stackstrings obfuscation


Locally, the backdoor creates a working folder at C:\users\public\<d> (where <d> is a random integer). It then proceeds by uploading two files to the server:

  • m-<date>.txt – containing the backdoor execution path
  • d-<date>.txt – containing the local working folder path.

Fig 4: File upload to Dropbox by the backdoor


When the attackers need to send a file or command to the victim machine, they place them to the folder named d in the victim’s Dropbox folder. The malware retrieves this folder and downloads all its contents to the working folder. Finally, if the file named c.txt – that contains the attacker command, exists in this working folder, the backdoor executes it using the ComSpec environment variable, which normally points to the command line interpreter (like cmd.exe), and uploads the results back to the Dropbox drive while deleting the command from the server.



The backdoor establishes persistence by setting the HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load registry key to point to its executable. This method is less common than Run or RunOnce keys but achieves its ultimate goal: the program listed in the Load registry value runs when any user logs on.



Once the C&C communication is established, the threat actor starts by executing fingerprinting and reconnaissance commands on the machine. In this attack, some of the actions we spotted included:

  • Download and execution of ntbscan (SHA-1: 90da10004c8f6fafdaa2cf18922670a745564f45) – NetBIOS scanner tool widely used by multiple APT actor including the prolific Chinese group APT10
  • Execution of Windows built-in networking utility tools
  • Access to the victim’s files, especially documents located on the Desktop


Searching for related samples in the wild yielded almost 30 executables, each of them bear varying degrees of similarity with the spools.exe BoxCaon backdoor.

One of the common similarities is a very specific implementation of the command execution: first constructing the ComSpec string on stack, using the same path naming convention for the output file, and deleting it right after the execution:

Fig 5: Code similarities between BoxCaon (left) and Investigating China’s Crimes against Humanity.exe (sha1:3557d162828baab78f2a7af36651a3f46d16c1cb)


The earliest of the found samples is dated back to 2014. Even though some of the executables claim to be compiled in 2004 or 2008, based on the C&C servers registration time and the activity, we believe the compilation date was probably modified by the actor.

While we were collecting additional information about this long-lasting operation, we noticed a reference to the Kaspersky 2017 APT trends report where one of the samples is referred to as xCaon malware, used by the Chinese-speaking APT actor “IndigoZebra“. The other samples in our set appear to be the different variants of xCaon, including packed ones, or the PoisonIvy malware which was also reported as a part of the actor’s arsenal.

Based on the code and functionality similarities we can attribute the BoxCaon backdoor to the updated variant of the same xCaon family (hence the name). It is the only xCaon version that communicates over Dropbox API in clear text commands, whereas all the other samples use HTTP protocol with Base64+XOR encryption to communicate with their C&C servers. Although the xCaon malware family is used in the wild for several years, there was no technical analysis publicly available until now. In the next section, we will summarize the technical details of all the versions we’ve encountered.


xCaon HTTP variant analysis

As mentioned earlier, we found an approximate of 30 different samples of the xCaon HTTP variant with slightly different functionality. Below we will cover the most note-worthy features of the backdoor, highlighting samples with unique functionality.



The HTTP variant checks if Kaspersky is installed on the victim’s machine by searching for the existence of files in the Kaspersky installation folder.

Fig 6: Backdoor searches for files in the installation directory of Kaspersky AV

If Kaspersky AV is not installed on the system, persistence via registry is installed. First, the backdoor makes sure that a copy of the executable exists in the specific path of the TEMP folder, and then the path is written to the HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load key, causing the malware to run each time any user logs in.

Fig 7: Backdoor establishes persistence via Load registry if Kaspersky is not installed


Command Execution

The backdoor receives commands from the attacker and runs them in an interactive CMD shell using pipes. The commands may differ between the samples, the full list of the commands is provided in [Appendix B].

Fig 8: Interactive CMD shell using pipes


Victim Fingerprinting

The backdoor collects the victim’s MAC address using the GetAdaptersInfo API. Some of the versions generate a user ID and save it in a temporary file. These IDs are then passed to the C&C server as one of the POST body parameters (MAC address is sent encrypted as discussed later).

Fig 9: Generate a user ID and save it in a temp file


C&C Communication Protocol

The communication between the malware and the server is based on the HTTP protocol and slightly varies between the samples. Every few seconds the backdoor sends a POST request to the C&C URL. In the response (which looks like an HTML page), the malware searches for a specific pattern: it takes the string between <!—|# and #|-> , decodes it, and executes the command. The result is encrypted and sent back to another URL on the server as the parameter of a POST request.

Fig 10: C&C communication



The HTTP variant used an interesting and unique method of encryption for both configuration and communication. It uses a predefined key, which we found to be one of the following two (depends on the malware variant):


"GetMessagePos SendMessage GetExitCodeProces CreateProcess GetTickCount GetDCEx CopyImage DrawText CloseHandle SendMessageTimeout"



The decryption process is based on splitting the “fake” base64-like string into two strings, XORing the first part with the predefined key, base64-decoding the second part, and finally, XOR both the results.



Fig 11: Targeted region


While we saw the Dropbox variant (BoxCaon) targeting Afghan government officials, the HTTP variants are focused on political entities in two particular Central Asian countries – Kyrgyzstan and Uzbekistan.

This very specific victimology is based upon the following overlapping indicators:

  • Check Point products’ telemetry
  • C&C domains impersonating known Uzbek and Kyrgyz domains (post[.]mfa-uz[.]com – Uzbekistan Ministry of Foreign Affairs; ousync[.]kginfocom[.]com – Kyrgyz state enterprise “Infocom”)
  • – malware names of the samples were written in Kyrgyz and Russian (Министрге сунуштама.exeRecommendation to the Minister.exe in Kyrgyz; материалы к массовому беспорядку.exematerials to riots.exe in non-native Russian)
  • VT submitters’ countries for multiple samples from this campaign are Uzbekistan and Kyrgyzstan.



As the Dropbox variant uses Dropbox API for communication, the only information we were able to gather from it is the Dropbox account information [Appendix C].

However, when we analyzed the infrastructure of the HTTP variants, we saw that the samples have a common infrastructure for over 6 years since the first sample was in the wild.

Fig 12: HTTP Variant Infrastructure Graph


To get a clearer picture of how the attackers operated their infrastructure throughout the years, we have plotted the various malicious domains according to the ASN they were hosted on. The results are presented in the figure below:

Fig 13: Correlation between domains and ASNs over time

Few observations:

  • Most of the domains are relatively short-lived. This can be explained by the precision targeting of the whole operation: the lookalike domains were most likely created to mislead a specific entity and were not reused anymore.
  • Since 2019, all of the new infrastructure has been concentrated on ASN 20473 (CHOOPA). This observation does not come as a surprise: Vultr, a subsidiary of CHOOPA, is considered an “attractive platform for criminals” by the research community and widely used for malicious purposes by multiple groups including, for example, Chinese-based APT group ViciousPanda whose recent C&C servers are also all hosted on Vultr servers.



In this publication we unveiled the latest activity and tools of the long-running IndigoZebra operation, previously attributed to a Chinese-speaking threat actor.

In this case, we observed a cyber-espionage operation focusing on governmental agencies in Central Asia, being targeted with the Poison Ivy and xCaon backdoors, along with the newly discovered BoxCaon backdoor variant – whose C&C communication capability was updated to utilize the Dropbox service itself as the C&C infrastructure of the operation.

While the IndigoZebra actor was initially observed targeting former Soviet republics such as Uzbekistan and Kyrgyzstan, we have now witnessed that its campaigns do not dial down, but on the contrary – they expand to the new targets in the region, with a new toolset.

Check Point products block this attack from the very first step.

Appendix A: Indicators of Compromise










C&C servers








































Appendix B: HTTP variant commands list




Create BAT file on the victim’s machine


Upload file to the victim’s machine


Download a file to the victim’s machine from a URL and execute it


Start interactive shell


Exit the process (uninstall)


Sleep for X seconds


Execute a file


Download a file to the victim’s machine from a URL



Appendix C: Dropbox account information


Appendix D: MITRE ATT&CK Matrix



Technique name

Initial Access


Phishing: Spearphishing Attachment



User Execution: Malicious File



Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Defense Evasion


Obfuscated Files or Information



Software Discovery: Security Software Discovery

Command and Control


Application Layer Protocol: Web Protocols



Web Service: Bidirectional Communication



Data encoding



Exfiltration Over Web Service: Exfiltration to Cloud Storage