Splm

Malware updated 4 months ago (2024-05-04T20:18:23.767Z)
SPLM, also known as XAgent or CHOPSTICK, is a sophisticated malware variant deployed by the Sofacy group. The group, notorious for its cyber espionage campaigns, expanded its arsenal in 2013, adding SPLM among other backdoors and tools such as CORESHELL, JHUHUGIT, AZZY, and more. These campaigns have evolved into subsets of activity involving different types of malware, including GAMEFISH, Zebrocy, and SPLM. Notably, SPLM's deployment has been primarily focused on Central Asia, with some instances targeting entities with potential ties to NATO.

The evolution of SPLM has been marked by significant changes and improvements over time. By May, the 64-bit modules of SPLM had already reached version 4. This latest revision showed distinct differences from earlier versions, with certain aspects not matching previous reports on SPLM/XAgent, while maintaining other similarities. The second stage of the SPLM backdoor saw refined changes, making the code reliably modular. This demonstrated the group's ability to innovate while maintaining familiar SPLM functionality, showing a pragmatic and systematic approach towards producing undetected or difficult-to-detect malware.

The deployment of SPLM has varied over time, with an emphasis on stealth and evasion. Earlier SPLM activities involved deploying 32-bit modules over unencrypted HTTP and sometimes SMTP sessions. However, more recent deployments have been more targeted, focusing mostly on Central Asian targets with possible NATO connections. One outlier target profile within our visibility was an audit and consulting firm in Bosnia and Herzegovina. Overall, the consistent infrastructure and light deployment of SPLM in Central Asia underscore the strategic nature of these cyber attacks.
Description last updated: 2024-05-04T19:18:03.228Z
Aliases: We are not currently tracking any aliases
Source Document References
Information about the Splm malware was read from the documents corpus below. This display is limited to 20 results.

Source | Created | Title
MITRE | 2 years ago | Sofacy APT hits high profile targets with updated toolset
MITRE | 2 years ago | A Slice of 2017 Sofacy Activity