ETDA: Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Worok

Names: Worok (ESET)
Country: China
Motivation: Information theft and espionage
First seen: 2020
Description: (ESET) ESET researchers recently found targeted attacks that used undocumented tools against various high-profile companies and local governments mostly in Asia. These attacks were conducted by a previously unknown espionage group that we have named Worok and that has been active since at least 2020. Worok’s toolset includes a C++ loader CLRLoad, a PowerShell backdoor PowHeartBeat, and a C# loader PNGLoad that uses steganography to extract hidden malicious payloads from PNG files.

Activity times and toolset indicate possible ties with TA428, but we make this assessment with low confidence.
Observed sectors: Energy, Financial, Government, Telecommunications.
Observed countries: Botswana, Cambodia, China, Indonesia, Iran, Iraq, Japan, Kazakhstan, Kyrgyzstan, Laos, Lebanon, Malaysia, Mongolia, Myanmar, Namibia, North Korea, Oman, Philippines, Saudi Arabia, Singapore, South Africa, South Korea, Syria, Tajikistan, Thailand, Turkey, Turkmenistan, UAE, Uzbekistan, Vietnam, Yemen.
Tools used: CLRLoad, EarthWorm, Mimikatz, nbtscan, PNGLoad, PowHeartBeat, reGeorg.

Last change to this card: 13 September 2022


Digital Service Security Center