BUBBLEWRAP
BUBBLEWRAP, also known as Backdoor.APT.FakeWinHTTPHelper, is a full-featured second-stage backdoor observed in a spear-phishing campaign targeting readers of traditional Chinese, the script commonly used in Hong Kong. In the reported intrusion chain, malicious Microsoft Word attachments exploiting CVE-2012-0158 installed the LOWBALL backdoor, which abused Dropbox as command-and-control infrastructure. After initial reconnaissance and target validation, the operators uploaded BUBBLEWRAP to Dropbox for delivery to selected victims; one observed staging command renamed %temp%\upload to audiodg.exe and executed it.

BUBBLEWRAP is configured to run at system boot, giving the operators persistent remote access. It communicates with command-and-control infrastructure over HTTP or HTTPS and can also communicate using SOCKS. One observed sample connected to the domain accounts.serveftp[.]com, which resolved to 59.188.0.197. FireEye had previously observed the admin@338 threat group using BUBBLEWRAP.

High-confidence indicators and related artifacts reported for this family include the alias Backdoor.APT.FakeWinHTTPHelper, the C2 domain accounts.serveftp[.]com, the C2 IP 59.188.0.197, and the staging filename audiodg.exe.
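The indicators above are the concrete hooks a defender has for this family: a C2 domain, the IP it resolved to, and a staging step that drops a file named after the legitimate Windows audio service binary. The script below is an added example, not Mallory's or FireEye's tooling, of how to sweep those indicators across two kinds of telemetry: DNS/proxy records (matched on the domain, its subdomains, or the IP, regardless of whether the session is HTTP, HTTPS or SOCKS) and process-creation events (an audiodg.exe image outside System32, or a command line that renames %temp%\upload to audiodg.exe). The log formats, the sample records, and the rule that treats any audiodg.exe outside C:\Windows\System32 as suspect are constructed assumptions for the example; the indicator values themselves come from the page, with the de-fanged domain re-fanged for matching.

```python
"""Hunt BUBBLEWRAP indicators (from the page) in constructed DNS/proxy and
process-creation telemetry. Added example code, not vendor tooling."""
import ipaddress
import re
from dataclasses import dataclass

# Indicators named on the page. The domain is de-fanged there; re-fang for matching.
C2_DOMAIN = "accounts.serveftp[.]com".replace("[.]", ".")
C2_IP = ipaddress.ip_address("59.188.0.197")
STAGING_NAME = "audiodg.exe"  # legitimate Windows binary name reused for staging

# Assumption: the genuine audiodg.exe lives only in System32, so any other
# location is worth a look. Also match a rename/move of "upload" to audiodg.exe.
LEGIT_DIR_SUFFIX = "\\windows\\system32"
RENAME_RE = re.compile(r"\b(ren|rename|move)\b.*\bupload\b.*\baudiodg\.exe",
                       re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    source: str   # "network" or "process"
    rule: str     # which indicator fired
    record: str   # the raw record that matched


def hunt_network(lines):
    """Constructed record format: '<timestamp> <client_ip> <dest_host_or_ip> <port>'.
    Flags a destination equal to the C2 IP, the C2 domain, or a subdomain of it."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        dest = parts[2].lower().rstrip(".")
        try:
            if ipaddress.ip_address(dest) == C2_IP:
                hits.append(Hit("network", "c2_ip", line))
            continue  # a parseable IP that is not the C2 IP is not a domain match
        except ValueError:
            pass  # not an IP literal, so compare as a hostname
        if dest == C2_DOMAIN or dest.endswith("." + C2_DOMAIN):
            hits.append(Hit("network", "c2_domain", line))
    return hits


def hunt_process(events):
    """Constructed event shape: {'image': <full path>, 'cmdline': <command line>}."""
    hits = []
    for ev in events:
        image = ev.get("image", "")
        cmdline = ev.get("cmdline", "")
        folder, _, name = image.rpartition("\\")
        if name.lower() == STAGING_NAME and not folder.lower().endswith(LEGIT_DIR_SUFFIX):
            hits.append(Hit("process", "audiodg_outside_system32", image))
        if RENAME_RE.search(cmdline):
            hits.append(Hit("process", "upload_renamed_to_audiodg", cmdline))
    return hits


# Constructed sample telemetry: one benign and two suspicious records per source.
NETWORK_LOG = [
    "T+00:00 10.0.0.15 www.example.com 443",
    "T+00:07 10.0.0.15 accounts.serveftp.com 443",
    "T+01:09 10.0.0.22 59.188.0.197 80",
    "T+02:00 10.0.0.22 dropbox.com 443",
]
PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\audiodg.exe",
     "cmdline": r"C:\Windows\System32\audiodg.exe 0x2c8"},          # normal service
    {"image": r"C:\Users\victim\AppData\Local\Temp\audiodg.exe",
     "cmdline": r"C:\Users\victim\AppData\Local\Temp\audiodg.exe"},  # staged copy
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ren "%temp%\upload" audiodg.exe'},      # staging command
]


def hunt(network_lines=NETWORK_LOG, process_events=PROCESS_EVENTS):
    """Run both sweeps and return all hits in one list."""
    return hunt_network(network_lines) + hunt_process(process_events)


if __name__ == "__main__":
    for hit in hunt():
        print(f"[{hit.source}] {hit.rule}: {hit.record}")
```

The network sweep keys on destination identity rather than protocol because the page lists HTTP, HTTPS and SOCKS as possible channels; a hunt that only inspected HTTP headers would miss two of the three. The process rules are the weaker signal (a resolved IP ages, and a filename is trivially changed), so treat them as pivots for triage rather than as alerts in their own right.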
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The spear phishing emails contained three attachments in total, each of which exploited an older vulnerability in Microsoft Office (CVE-2012-0158)
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
We observed the threat group upload a second stage malware, known as BUBBLEWRAP (also known as Backdoor.APT.FakeWinHTTPHelper) to their Dropbox account...
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Discovery
1 technique
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Command and Control
3 techniques
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
"An APT3 downloader establishes SOCKS5 connections for its initial C2." / "Gamaredon Group has used SOCKS5 over port 9050 for C2 communication." / "BUBBLEWRAP can communicate using SOCKS."
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Malware that can use HTTP/HTTPS for communications (including C2).
Malware capable of communicating over HTTP or HTTPS.
Malware/tool that can communicate via SOCKS.