Deobfuscating APT28's HTA Trojan: A Deep Dive into VBE Techniques & Multi-Layer Obfuscation

Published 04/04/2025 11:47 · Modified 04/04/2025 17:32

Essential information

Published
04/04/2025 11:47
Modified
04/04/2025 17:32
Tags
2025-04-04 central asia cyber espionage hta trojan kazakhstan multi-layer obfuscation vbe techniques windows script encoder x32dbg debugging
Related entities
1 intrusion sets (apt), 6 techniques (mitre), 1 malware, 2 others

Description

This analysis delves into APT28's campaign targeting and diplomatic relations, focusing on their . The malware employs advanced obfuscation techniques, including VBE (VBScript Encoded) and . The investigation uses to decode the obfuscated code, revealing a custom map algorithm for character deobfuscation. The process involves decoding strings using embedded characters from Windows vbscript.dll. The analysis identifies the use of Microsoft's (screnc.exe) to create VBE files. By employing various deobfuscation techniques, including a Python script, the final malware sample is extracted and analyzed, showcasing APT28's evolving tactics in .

External references