Expand Up @@ -609,6 +609,25 @@ struct Header {
- Once verified, the bot sends a `MsgType=0` body carrying the operator-defined **group string** (e.g. `android-postboot-rt`). If the group is enabled, the C2 responds with `MsgType=2 (confirm)`, after which tasking (MsgType 5–12) begins.
- Supported verbs include SOCKS-style TCP/UDP proxying (residential proxy monetization), reverse shell / single command exec, file read/write, and **Mirai-compatible DDoSBody** payloads (same `AtkType`, `Duration`, `Targets[]`, `Flags[]` layout).

### Screen-resolution + companion-file guardrails (Diaoyu loader)
- Some loaders gate execution on *both* host attributes and packaging integrity to defeat automated sandboxes. Diaoyu checks for a horizontal resolution >= 1440 **and** verifies a zero-byte `pic1.png` sits beside the EXE; without it, the sample quits cleanly before payload staging.
- Dynamic analysis tip: recreate the original archive layout (drop `pic1.png` next to the loader) and set a matching resolution, otherwise the detonation path (security product probing + next-stage download) will never execute.

### Payload staging from public code hosting
- After the guardrails, Diaoyu fetched three blobs from GitHub raw URLs masquerading as images (`admin-bar-sprite.png`, `Linux.jpg`, `Windows.jpg`) under a fake `wp-includes/images/` path and transformed them locally into a Cobalt Strike implant.
- Treat sequential `raw.githubusercontent.com/.../wp-includes/images/*.png|jpg` pulls as potential staged payloads; archive the downloaded content and attempt decoding/decryption to recover the beacon even if the repository vanishes.

### eBPF kernel rootkit process/file hiding (ShadowGuard)
- eBPF backdoors execute inside the kernel BPF VM (no LKM artifact) and can intercept syscalls/tracepoints before userland sees them. ShadowGuard verifies root, eBPF, and tracepoint support, then hides operator-selected processes (up to 32 PIDs) and any path containing `swsecret` (shown as `.` in `ls` output).
- Operator controls for allow-listing the hide filter use custom kill signals:
```bash
# keep a PID visible / exclude it from hiding
kill -900 <pid>
# remove from allow list so hiding can apply again
kill -901 <pid>
```
- DFIR tips: inspect active programs/maps (`bpftool prog show`, `bpftool map dump`) for unsigned eBPF hooks, hunt for repeated `kill -900/-901` usage, and enumerate directories via raw inodes/debugfs when `swsecret*` artifacts disappear from normal listings.

## References

- [Unit42 – Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/)
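Review bot: the ShadowGuard bullet should explain why `kill -900` / `kill -901` work as operator controls, because that is also what makes them a clean hunting indicator: 900 and 901 are far above the valid signal range, so the `kill(2)` syscall itself fails with `EINVAL` and no signal is ever delivered; the only thing that observes the call is the rootkit's tracepoint hook on the kill syscall. The DFIR tip in this hunk ("hunt for repeated `kill -900/-901` usage") would be more actionable if it said where such calls surface, e.g. audit rules on the `kill` syscall filtered on out-of-range signal numbers, since an invalid-signal kill from a non-root shell is otherwise almost never seen on a production host. Separately, the fenced `bash` block sits inside a list item without indentation; in mdBook (which this page targets, given the `{{#include ...}}` line) an unindented fence terminates the list, so indent the fence and its body to align with the bullet text, consistent with the rest of the file.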
Expand All @@ -628,5 +647,6 @@ struct Header {
- Kimwolf Android TV Botnet: ENS-Based C2 Evasion, TLS+ECDSA C2 Protocol, and Large-Scale Proxy/DDoS Operations – [blog.xlab.qianxin.com](https://blog.xlab.qianxin.com/kimwolf-botnet-en/)
- [Check Point Research – GachiLoader: Defeating Node.js Malware with API Tracing](https://research.checkpoint.com/2025/gachiloader-node-js-malware-with-api-tracing/)
- [Nodejs-Tracer – GitHub](https://github.com/CheckPointSW/Nodejs-Tracer)
- [Unit42 – The Shadow Campaigns: Uncovering Global Espionage](https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/)

{{#include ../../banners/hacktricks-training.md}}
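Review bot: the added Unit42 "Shadow Campaigns" reference follows the existing `[Source – Title](url)` convention, but it lands after the Check Point entries rather than next to the other Unit42 entry, and the neighbouring Kimwolf line uses a different shape (`Title – [domain](url)`). Since this hunk already touches the reference list, normalise the Kimwolf entry to `[blog.xlab.qianxin.com – Kimwolf Android TV Botnet: ...](https://blog.xlab.qianxin.com/kimwolf-botnet-en/)` and group the two Unit42 links together so the list stays consistent.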