Mallory
Malware, used by 2 actors

Deuterbear

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

BlackTech

"In 2022, Earth Hundun began using the latest version of Waterbear — also known as Deuterbear — ... we consider it a different malware entity from the original Waterbear."

via Trend Micro Research (trendmicro.com)
Earth Hundun

"In 2022, Earth Hundun began using the latest version of Waterbear — also known as Deuterbear — ... we consider it a different malware entity from the original Waterbear."

via Trend Micro Research (trendmicro.com)
MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

2 techniques
T1106 Native API (Evidence: 1)
Tactic: Execution

“Dynamically loads the APIs through the shellcode”

T1129 Shared Modules (Evidence: 1)
Tactic: Execution

“Dynamically loads the DLLs through the shellcode”

Persistence

1 technique
T1547.012 Print Processors (Evidence: 1)
Tactic: Persistence

“Abuses print processors to run malicious DLLs during system”

Stealth

4 techniques
T1140 Deobfuscate/Decode Files or Information (Evidence: 1)
Tactic: Stealth

“uses the same custom salted RC4 decryption… to decrypt the downloader… [and] uses the CryptUnprotectData API.”

T1480 Execution Guardrails (Evidence: 1)
Tactic: Stealth

“Targets specific path/registry in the victim’s environment” and “Note that the CLSID value is unique and defined during malware installation.”

T1497.003 Time Based Checks (Evidence: 1)
Tactic: Stealth

“Checking sandbox environment by API, Sleep… Checking execution in specific time, like 9~10 o’clock”

T1622 Debugger Evasion (Evidence: 1)
Tactic: Stealth

“checks the debugger mode” and “Checking debugger mode by process time”

Discovery

4 techniques
T1012 Query Registry (Evidence: 1)
Tactic: Discovery

“Query password from registry… Query path of encrypted downloader from registry… [then] Downloader decryption…”

T1016.001 Internet Connection Discovery (Evidence: 1)
Tactic: Discovery

“Downloaders check for internet connectivity on compromised systems.”

T1497.003 Time Based Checks (Evidence: 1)
Tactic: Discovery

“Checking sandbox environment by API, Sleep… Checking execution in specific time, like 9~10 o’clock”

T1622 Debugger Evasion (Evidence: 1)
Tactic: Discovery

“checks the debugger mode” and “Checking debugger mode by process time”

Command and Control

3 techniques
T1071.001 Web Protocols (Evidence: 1)
Tactic: Command and Control

“Downloaders communicate with C&C by HTTP/HTTPS” and “Deuterbear downloader enables HTTPS tunnel”

T1132.002 Non-Standard Encoding (Evidence: 1)
Tactic: Command and Control

“Encodes traffic with a non-standard RC4 to make the content of traffic more difficult to detect”

T1573 Encrypted Channel (Evidence: 1)
Tactic: Command and Control

“Employs a RC4/RSA to conceal command and control traffic” and “The downloader… generate an RSA… [then] RC4_KEY_1 and RC4_KEY_2… encrypted by RSA”

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (Evidence: 1)
Tactic: Exfiltration

“Sends collected data to C&C”

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (2)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (13)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.