REF3864 is an intrusion set tracked by Elastic Security Labs that targets Chinese-speaking regions and users with trojanized installers masquerading as legitimate software, including Telegram and Opera GX. Elastic observed the activity in samples uploaded to VirusTotal in November and extracted configurations indicating related operations have likely been ongoing since at least December 2023. Elastic did not attribute the activity or determine the operators’ ultimate motivation. The activity spans Windows, Linux, and Android, with the documented Windows infection chain using a custom loader named SADBRIDGE to deploy GOSAR, a Golang reimplementation of the QUASAR RAT. Delivery commonly uses ZIP archives containing trojanized MSI installers with low detection rates. The MSI packages abuse legitimate applications such as x64dbg.exe for DLL side-loading, launching a patched x64bridge.dll that in turn launches a renamed MonitoringHost.exe as DevQueryBroker.exe to side-load another malicious DLL, HealthServiceRuntime.dll. SADBRIDGE stores an encrypted configuration under C:\Users\Public\Documents<hostname_hash>\edbtmp.log using hidden, system, and read-only attributes. It uses subtraction-by-0x1 for configuration obfuscation and XOR plus LZNT1 decompression for encrypted stage files with .log extensions. On Windows, SADBRIDGE establishes persistence through Windows service creation and registry modifications, silently elevates privileges via a UAC bypass abusing the ICMLuaUtil COM interface, and also uses Windows Task Scheduler and the IElevatedFactorySever COM object to execute payloads with SYSTEM privileges. It employs PoolParty, APC queues, and token manipulation for process injection, patches AmsiScanBuffer and AmsiOpenSession in amsi.dll and EtwEventWrite in ntdll.dll to disable AMSI and ETW, and uses long Sleep API calls for sandbox evasion. Elastic assessed that both the operators and intended victims are likely Chinese-speaking based on extensive Chinese-language logging, checks for Chinese AV-related artifacts such as 360tray.exe, and Chinese firewall-rule names and descriptions. The final GOSAR payload is injected into svchost.exe for logged-in sessions and dllhost.exe for service sessions or sessions without a logged-in user. GOSAR is a multi-functional remote access trojan for Windows and Linux. Elastic described it as a newly identified Golang rewrite of QUASAR and its first observed QUASAR rewrite in Golang. GOSAR supports system information collection, command execution, screenshots, keylogging, clipboard logging, plugin execution, and hidden VNC. It communicates over TCP with TLS, sends expanded host profiling data to C2, retains compatibility with the original .NET QUASAR communication protocol, and keeps the default listening port 1080. Additional observed behavior includes creating an inbound firewall rule for ports 51756 through 51776 under a Chinese name translated as Distributed Transaction Coordinator (LAN), modifying the hosts file with 127.0.0.1 micrornetworks.com, and running an HTTP listener on the first available port in that range. Known alias from the provided content: REF3864. Known malware and components associated with this intrusion set include SADBRIDGE and GOSAR.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
11 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A separate intrusion set mentioned for comparison, associated with malicious installers targeting Chinese-speaking regions and linked to SADBRIDGE and GOSAR activity.
An intrusion set conducting organized malware campaigns against Chinese-speaking victims using trojanized installers masquerading as legitimate software such as Telegram and Opera GX. The activity uses the SADBRIDGE loader to deploy the Golang-based QUASAR variant GOSAR across Windows, with broader multi-platform malware delivery also noted for Linux and Android.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.