Splm

Malware Profile Updated 3 months ago
SPLM, also known as XAgent or CHOPSTICK, is a sophisticated malware variant deployed by the Sofacy group. The group, notorious for its cyber espionage campaigns, expanded its arsenal in 2013, adding SPLM among other backdoors and tools such as CORESHELL, JHUHUGIT, AZZY, and more. These campaigns have evolved into subsets of activity involving different types of malware, including GAMEFISH, Zebrocy, and SPLM. Notably, SPLM's deployment has been primarily focused on Central Asia, with some instances targeting entities with potential ties to NATO.

The evolution of SPLM has been marked by significant changes and improvements over time. By May, the 64-bit modules of SPLM had already reached version 4. This latest revision showed distinct differences from earlier versions, with certain aspects not matching previous reports on SPLM/XAgent, while maintaining other similarities. The second stage of the SPLM backdoor saw refined changes, making the code reliably modular. This demonstrated the group's ability to innovate while maintaining familiar SPLM functionality, showing a pragmatic and systematic approach towards producing undetected or difficult-to-detect malware.

The deployment of SPLM has varied over time, with an emphasis on stealth and evasion. Earlier SPLM activities involved deploying 32-bit modules over unencrypted HTTP and sometimes SMTP sessions. However, more recent deployments have been more targeted, focusing mostly on Central Asian targets with possible NATO connections. One outlier target profile within our visibility was an audit and consulting firm in Bosnia and Herzegovina. Overall, the consistent infrastructure and light deployment of SPLM in Central Asia underscore the strategic nature of these cyber attacks.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Carberp | 1 | Carberp is a notable malware that has been widely used and modified by various threat actors. Its source code, which was leaked in 2013, has become the basis for a multitude of other malicious software due to its sophisticated design and capabilities. The malware can infiltrate systems through dubio
Xagent | 1 | XAgent is a sophisticated malware developed by the Sofacy group, also known as APT28 or Fancy Bear. This malicious software was added to the group's arsenal in 2013, alongside other backdoors and tools such as CORESHELL, SPLM (also known as Xagent or CHOPSTICK), JHUHUGIT, AZZY, and others. XAgent is
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Associated Malware
ID | Type | Votes | Profile Description
Zebrocy | Unspecified | 1 | Zebrocy is a well-documented Trojan malware that infiltrates systems to gather specific system information. Once installed, it sends the collected data to its Command and Control (C2) server via an HTTP POST request. The Zebrocy variant also captures a screenshot of the victim's host and transmits i
CORESHELL | Unspecified | 1 | Coreshell is a variant of Sofacy malware used by threat actors to compromise systems and steal sensitive information. Malware, like Coreshell, can infect computer systems through suspicious downloads, emails, or websites. Once inside, it can disrupt operations, steal personal information, or hold da
ADVSTORESHELL | Unspecified | 1 | None
Azzy | Unspecified | 1 | Azzy is a malware implant developed by the Sofacy group, known for its malicious activities aimed at exploiting and damaging computer systems. Earlier this year, we identified a new release of the Azzy implant that was largely undetected by anti-malware products at the time. This version first appea
Associated Threat Actors
ID | Type | Votes | Profile Description
APT28 | Unspecified | 1 | APT28, also known as Fancy Bear, is a threat actor linked to Russia and has been involved in numerous cyber espionage campaigns. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the
Sofacy | Unspecified | 1 | Sofacy is a threat actor group that has been observed using multiple languages to create variants of the Zebrocy Trojan and Cannon. In one campaign, they relied heavily on filenames to lure victims into launching weaponized documents. The group packed only Delphi variants in an attempt to increase e
Sofacy Group | Unspecified | 1 | The Sofacy Group, also known as APT28, Fancy Bear, Pawn Storm, Sednit, BlueDelta, and STRONTIUM, is a significant threat actor in the global cybersecurity landscape. Active since at least 2007, this group has targeted governments, militaries, and security organizations worldwide. The group's activit
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Splm malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | Sofacy APT hits high profile targets with updated toolset
MITRE | a year ago | A Slice of 2017 Sofacy Activity