Peppy

Malware Profile Updated 2 months ago
Peppy is a Python-based Remote Access Trojan (RAT) attributed to ProjectM. It was identified during an analysis of the registration information of several Trojan command and control (C2) domains used by ProjectM for its Andromeda, Crimson, and Peppy payloads. Like other malware of this kind, it can reach a system through suspicious downloads, emails, or websites and, once installed, can steal personal information, disrupt operations, or hold data hostage for ransom. Andromeda samples were observed delivering Peppy Trojans via undisguised domains, and those Trojans used the previously observed ProjectM domain bbmdroid[.]com as a C2 server. Unit 42 observed the same domain hosting several ProjectM tools, including identical Andromeda and Peppy samples that had previously used bbmdroid[.]com as a C2; these samples were hosted at "/est/estma.exe" and "/est/controller.exe" respectively. The group primarily targets military organizations, typically compromising them with Office documents carrying malicious VBA macros and open-source malware such as Peppy RAT and CrimsonRAT. The Operation Transparent Tribe report by Darien Huss of Proofpoint provides a comprehensive analysis of the tools used by this group, including Crimson and Peppy and their associated infrastructure. The actors have access to a sizeable toolset of Trojans, including the custom-developed Crimson and Peppy, along with off-the-shelf remote administration tools (RATs) and downloaders such as DarkComet and Bozok. Over the years they have also been observed using other custom .NET malware, including a .NET RAT known as Crimson RAT.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Crimson (1 vote): Crimson is a type of malware that has been used in various cyber-espionage campaigns, notably by ProjectM. The malware was first observed in 2013 and has been continuously employed in attacks alongside other payloads like Capra RAT and Oblique RAT. ProjectM used multiple domains to control the Crims
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Trojan
Rat
Malware
Associated Malware
DarkComet (type unspecified, 1 vote): DarkComet is a Remote Access Trojan (RAT) that opens a backdoor on infected computers, allowing unauthorized access and data theft. This malware has been classified among the top five Command and Control (C2) families, indicating its widespread usage by cybercriminals. DarkComet, along with other es

Peppy Trojan (type unspecified, 1 vote): no profile description.

ANDROMEDA (type unspecified, 1 vote): Andromeda is a type of malware, or malicious software, designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data ho

Crimson Rat (type unspecified, 1 vote): Crimson RAT is a malicious software, or malware, primarily used by the threat actor known as APT36 or Transparent Tribe. This custom .NET Remote Access Trojan (RAT) has been observed in multiple instances of cyber-attacks, mainly targeting India and Afghanistan. Over time, alongside Crimson RAT, Tra
Associated Threat Actors
ProjectM (type unspecified, 1 vote): ProjectM, also known as Transparent Tribe, APT36, Copper Fieldstone, and Mythic Leopard, is a threat actor group originating from Pakistan that has been active since 2013. The group has targeted Indian governmental, military, and research organizations, along with their employees, using a variety of

APT36 (type unspecified, 1 vote): APT36, also known as Transparent Tribe and Earth Karkaddan, is a notorious threat actor believed to be based in Pakistan. The group has been involved in cyberespionage activities primarily targeting India, with a focus on government, military, defense, aerospace, and education sectors. Their campaig

Transparent Tribe (type unspecified, 1 vote): Transparent Tribe is a threat actor known for conducting malicious campaigns against organizations in South Asia. The group has been linked to the ObliqueRAT malware and CrimsonRAT through its infrastructure, which includes the domains vebhost[.]com, zainhosting[.]net/com, and others. The group has
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Peppy malware was read from the documents corpus below.
MITRE (a year ago): APT trends report Q1 2020

MITRE (a year ago): ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe

MITRE (a year ago): Transparent Tribe: Evolution analysis, part 1 | Securelist