The group employs the BIFROSE/ Bifrost, KIVARS, and XBOW backdoors in their attacks. As an indicator of resources available to the group, Trend Micro notes that BIFROSE backdoor has sold for more than $10,000 on underground sites. BIFROSE backdoor has been around for about a decade and has been used in spam campaigns against NATO and United States government agencies. BIFROSE is a remote access Trojan (RAT) which establishes a persistent presence and then deploys tools to capture keystrokes, screenshots, and confidential information. Trend Micro actually believes that the group purchased the source code of BIFROSE, and then developed a new installer, created unique loader-backdoor pairs, and simplified the backdoor capabilities, thereby resulting in KIVARS. KIVARS is also available as a 64-bit variant. The group developed XBOW on their own, based on BIFROSE back door and KIVARS back door. The malware is delivered via spear phishing emails containing malicious .RAR files or .EXE. The email topics are generally breaking news, resumes, government data, or meeting requests. The malware corresponds to a C&C network of about 100 servers registered to free dynamic DNS or discrete IP addresses. The C&C servers appear to be organized according to the actor’s use. IP address changes and renewal of domains happen according to an organized schedule. Trend Micro suspects that in addition to the 10-member development team, the malware group may employ separate teams to design and deploy the malicious emails and to maintain the C&C infrastructure.