Crosswalk

Threat Actor Profile Updated 3 months ago
Crosswalk, profiled here as a threat actor, has been identified as using FakeTLS in its network traffic, which raises significant security concerns. Crosswalk is a modular backdoor implemented in shellcode, with the main payload being the Crosswalk backdoor itself. The malicious files associated with this threat are self-contained PL shellcode loaders, and the payload is specifically Crosswalk version 2.0. An investigation into the network infrastructure and monitoring of new Crosswalk samples led to the discovery of other malicious objects carrying Crosswalk shellcode as their payload. In a separate, unrelated sense of the word, AI has been used to produce a crosswalk analysis between the cybersecurity frameworks of two different countries in mere minutes, demonstrating its potential to significantly improve work efficiency; this was done through the HIPAA/NIST CSF Crosswalk Guide and the AI RMF Crosswalk. During the investigation, two Crosswalk C2 servers were found, 103.248.21[.]134 and 103.248.21[.]179, on which an SSL certificate with the SHA-1 value b1d749a8883ac9860c45986e2ffe370feb3d9ab6 was found. There is evidence of a connection between the Crosswalk and ShadowPad network infrastructures. Other tools discovered during the investigation include Crosswalk and Metasploit injectors, the juicy-potato utility, and samples of FunnySwitch and ShadowPad. Notably, the Crosswalk and FunnySwitch shellcode is stored "as-is" in the data sections, whereas the samples carrying Metasploit show additional XOR encryption with the key "jj1". This highlights the complexity and sophistication of the Crosswalk threat actor's methods.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
APT41 | 1 | APT41, also known as Winnti, Wicked Panda, and Wicked Spider, is a sophisticated threat actor attributed to China. This group has been active since at least 2012, targeting organizations across 14 countries. The group is known for its extensive use of various code families and tools, with at least 4
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Shellcode
Backdoor
Payload
School
Encryption
Malware
Signal
Associated Malware
ID | Type | Votes | Profile Description
Meterpreter | Unspecified | 1 | Meterpreter, a type of malware, is an attack payload of Metasploit that serves as an interactive shell, enabling threat actors to control and execute code on a system. Advanced Persistent Threat (APT) actors have created and used a variant of Metasploit (Meterpreter) on the ServiceDesk system, liste
Axiomaticasymptote | Unspecified | 1 | Axiomaticasymptote is a type of malware, a malicious software designed to infiltrate and damage computer systems without the user's knowledge. It typically operates in conjunction with other malware such as Cobalt Strike, Meterpreter, PlugX, Mythic, Metasploit, XtremeRAT, and CROSSWALK. These harmfu
PlugX | Unspecified | 1 | PlugX is a notorious malware, typically associated with Chinese threat actors, that has been used in various cyberattacks. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. It
ShadowPad | Unspecified | 1 | ShadowPad is a modular backdoor malware that has been utilized by several Chinese threat groups since at least 2017. Notably, it was used as the payload in supply chain attacks targeting South Asian governments, as reported in the VB2023 paper. ShadowPad provides near-administrative capabilities in
Associated Threat Actors
ID | Type | Votes | Profile Description
Winnti | Unspecified | 1 | Winnti is a sophisticated threat actor group, first identified by Kaspersky in 2013, with activities dating back to at least 2007. The group has been associated with the Chinese nation-state and is part of a collective known as APT41, which also includes subgroups like Wicked Panda, Suckfly, and Bar
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Crosswalk Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
BankInfoSecurity | 5 months ago | New Guides Aim to Help Health Sector Beef Up Cyber, Privacy
Trend Micro | 5 months ago | Global Security Trends: AI, Politics & Zero Trust
CERT-EU | a year ago | Artificial Intelligence Has a NIST Framework for Cybersecurity Risk
CERT-EU | a year ago | Higaisa or Winnti? APT41 backdoors, old and new
CERT-EU | a year ago | Artificial Intelligence Has a NIST Framework for Cybersecurity Risk | Polsinelli | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware – National Cyber Security Consulting
Recorded Future | a year ago | 2022 Adversary Infrastructure Report
CERT-EU | a year ago | Back to School Safety from the Dover Police Department – City of Dover Police Department | #schoolsaftey | National Cyber Security Consulting