Type: Likely Nation-State (based on targets)

APT16 Status: Believed Active

APT16 Other Names: OpTaiwan

Active Since/Discovered: June 2015

Last Report: January 1, 2016

Targets: Japanese organizations and Taiwanese Media and Entertainment

Target Sectors: financial services, high-tech, media, and government


  • ELMER Backdoor (Backdoor.APT.Suroot)
    • Non-persistent proxy-aware HTTP backdoor written in Delphi
    • Capable of performing file uploads and downloads, file execution, and process and directory listings
    • Sends HTTP GET requests to a hard-coded CnC server to receive commands
      • Parses the HTTP response packets received from the CnC server for an integer string corresponding to the command that needs to be executed
    • Downloader that uses the HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control (CnC) server and uniform resource locator (URL) path
    • Persists by copying itself to the current user’s Startup folder
    • Encoded payload is written to a temporary file, decoded and executed in a hidden window

Preferred Attack Vector:  Spear phishing attack and Exploits


  • Malicious Microsoft Word document exploiting EPS (Encapsulated PostScript) embedded image file in Office (CVE-2015-2545 and CVE-2015-2546) document designed to bypass memory protections on Windows systems to abuse “dict and copy operators”
  • The attacker gains access to memory by forging a string via EPS
  • Used Windows local privilege escalation vulnerability CVE-2015-1701 to obtain SYSTEM level access to compromised machines
  • Afterward, exploit shellcode deployed either the IRONHALO downloader or the ELMER backdoor


  • Attacks against Taiwan corresponded with their January 16, 2016 elections
  • attacks may have been attempt to gain intel on politicians, anticipate election outcome, etc
Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Consent to display content from Youtube
Consent to display content from Vimeo
Google Maps
Consent to display content from Google