Airbreak

Malware updated 4 months ago (2024-05-04T21:18:19.550Z)
Airbreak is malware used by the Advanced Persistent Threat group APT40, known for its sophisticated cyber-espionage campaigns. It is a JavaScript-based backdoor that retrieves its commands from hidden strings in compromised webpages and from actor-controlled profiles on legitimate services. It is often deployed alongside other custom credential-theft utilities, such as HOMEFRY, a 64-bit Windows password dumper/cracker, and BADFLICK, a backdoor capable of modifying the file system, generating a reverse shell, and altering its command-and-control configuration. Airbreak is used not only during the Establish Foothold phase of an intrusion but also throughout the Maintain Presence phase.

The activities of APT40, including the use of Airbreak, overlap significantly with those of TEMP.Jumper and TEMP.Periscope, groups also associated with Chinese cyber-espionage operations. These groups share a large library of malware tools, among them Airbreak, which is also reported as "Orz". In its recent spike in activity, TEMP.Periscope has leveraged this shared arsenal to carry out its operations, indicating a high degree of coordination and resource sharing among these groups.

First-stage backdoors such as AIRBREAK, FRESHAIR, and BEACON are typically deployed before additional payloads are downloaded. These tools establish an initial foothold on the targeted system, allowing the attackers to gain control and further exploit it. Their use, together with tools like PHOTO (also reported as Derusbi) and MURKYTOP, a command-line reconnaissance tool, underscores the multi-faceted and layered approach these threat actors employ to infiltrate target systems, maintain presence, and achieve their objectives.
Description last updated: 2024-05-04T20:46:05.545Z
Aliases: We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Analyst Notes & Discussion
Source Document References
Information about the Airbreak malware was read from the documents in the corpus below. This display is limited to 20 results.

Source: MITRE (created 2 years ago)
Title: Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries | Mandiant

Source: MITRE (created 2 years ago)
Title: APT40: Examining a China-Nexus Espionage Actor | Mandiant