Hellsing APT

This group targets government and diplomatic organizations in the APAC region, particularly organizations located in nations along the South China Sea. Most targets are from Malaysia, the Philippines, Indonesia, and India. Hellsing malware samples were primarily compiled in either UTC+6 or UTC+8. Typically, it infects targets through spear phishing emails containing password protected RAR, ZIP, and 7ZIP archives. The passwords are sent in the emails to the target. Locking the archives bypasses some security features such as Gmail scans. Hellsing APT was discovered when Kaspersky Lab was investigating the Naikon group and found that Hellsing had responded to a 2014 spear phishing email from Naikon with a custom backdoor. It is not clear whether Naikon intentionally targeted Hellsing or if Hellsing actually managed to infect Naikon; however, it is clear that Hellsing took the attempt as an attack and responded with an escalated attack. Hellsing responded to the spear phishing request for information with a series of inquisitive exchanges, pressing Naikon’s assumed identity (as an employee of the secretariat division of the government of the assumed target nation) and fake credentials. The conversation demonstrates that the Hellsing members are more proficient in English than the Naikon group. Finally, Hellsing emailed back a “confidential” locked RAR and the accompanying password. The archive contained two PDFs and a malicious SCR file. The latter file was a backdoor specifically customized to target the Naikon group.

The backdoor can upload and download files, update itself, and uninstall itself. Each instance of the backdoor has a command and control server, a version number, and a campaign or victim identifier. The same Hellsing backdoor has been seen in attacks against ASEAN related entities in the South China Sea region. Some of the APT infrastructure overlaps with an APT group tracked internally by Kaspersky, dubbed PlayfulDragon/ GREF, while other portions of the infrastructure coincide with the Mirage APT group and the Vixen Panda group.

After this APT establishes a variant of its backdoor, it deploys information-gathering tools. One tool, test.exe, gathers system information and tests available proxies. Another tool, xkat.exe, operates from the Dbgv.sys driver to delete files and kill processes. Kaspersky Lab claims to have seen the tool used to remove malware from competitor groups from this APT victim systems.

Status: believed inactive

Other Names: Goblin Panda/ Cycldek

Active Since/Discovered: July 2012 – July 2013

Last Report: Oct. 2013


  • Vietnam, Southeast Asia, any country involved in South China Sea (U.S., Japan, Malaysia, Philippines, India, etc.)

Target Sectors: government and diplomatic organizations in nations near the South China Sea; Aerospace, Defense, Energy, Government, Shipping, Technology


  • ZeGhost
    • information gathering tools
    • upload files, download files, update the malware, and uninstall the malware
    • test.exe- gathers system info and tests proxies
    • xkat.exe – deletes and kills processes
  • PlugX

Preferred Attack Vector:  

  • Spear phishing emails containing password protected RAR, ZIP, and 7ZIP archives
    • password included in email
    • archives compressed and locked to avoid detection