Type: Likely Nation-State (based on targets)

APT16 Status: Believed Active

APT16 Other Names: OpTaiwan

Active Since/Discovered: June 2015

Last Report: January 1, 2016

Targets: Japanese organizations and Taiwanese Media and Entertainment

Target Sectors: financial services, high-tech, media, and government


  • ELMER Backdoor (Backdoor.APT.Suroot)
    • Non-persistent proxy-aware HTTP backdoor written in Delphi
    • Capable of performing file uploads and downloads, file execution, and process and directory listings
    • Sends HTTP GET requests to a hard-coded CnC server to receive commands
      • Parses the HTTP response packets received from the CnC server for an integer string corresponding to the command that needs to be executed
    • Downloader that uses the HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control (CnC) server and uniform resource locator (URL) path
    • Persists by copying itself to the current user’s Startup folder
    • Encoded payload is written to a temporary file, decoded and executed in a hidden window

Preferred Attack Vector:  Spear phishing attack and Exploits


  • Malicious Microsoft Word document exploiting EPS (Encapsulated PostScript) embedded image file in Office (CVE-2015-2545 and CVE-2015-2546) document designed to bypass memory protections on Windows systems to abuse “dict and copy operators”
  • The attacker gains access to memory by forging a string via EPS
  • Used Windows local privilege escalation vulnerability CVE-2015-1701 to obtain SYSTEM level access to compromised machines
  • Afterward, exploit shellcode deployed either the IRONHALO downloader or the ELMER backdoor


  • Attacks against Taiwan corresponded with their January 16, 2016 elections
  • attacks may have been attempt to gain intel on politicians, anticipate election outcome, etc