Mallory
Malware | Used by 1 actor | Exploits 1 CVE

Sepulcher


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE
CVE-2017-11882: Microsoft Office Equation Editor Remote Code Execution

In March 2020, Proofpoint researchers observed a phishing campaign impersonating the World Health Organization’s (WHO) guidance on COVID-19 critical preparedness to deliver a new malware family that researchers have dubbed “Sepulcher”.

Source: Proofpoint (proofpoint.com)
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

TA413

Evidence: the March 2020 WHO-themed phishing campaign cited above under Exploited CVEs.

Source: Proofpoint (proofpoint.com)
MITRE ATT&CK

Techniques & procedures

16 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1566 Phishing (evidence: 1)

Evidence: the March 2020 WHO-themed phishing campaign cited above under Exploited CVEs.

T1566.001 Spearphishing Attachment (evidence: 1)

The emails contained a weaponized RTF attachment that impersonated the WHO’s “Critical preparedness, readiness and response actions for COVID-19, Interim guidance” document.

Execution

3 techniques
T1053.005 Scheduled Task (evidence: 1)

It then creates a scheduled task named “lemp” which uses rundll32.exe to run the Sepulcher payload and call the export function “GetObjectCount” on an hourly basis. This scheduled task serves as a persistence mechanism for Sepulcher malware.

T1059.003 Windows Command Shell (evidence: 1)

Sepulcher is a basic RAT payload that can gather intelligence on the resources of the infected system, spawn a reverse CMD shell, and read from and write to file.

T1203 Exploitation for Client Execution (evidence: 1)

When the malicious RTF attachment named “Covdi.rtf” is executed, it exploits a Microsoft Equation Editor vulnerability and installs an embedded malicious RTF object in the form of a Windows meta-file (WMF).

Persistence

2 techniques
T1053.005 Scheduled Task (evidence: 1)

Evidence: the hourly "lemp" scheduled task running rundll32.exe, as cited above under Execution.

T1112 Modify Registry (evidence: 1)

The Sepulcher configuration is stored in the registry under the Registry Key HKEY_CURRENT_USER\Software\Microsoft\WAB\Resources.

Privilege Escalation

1 technique
T1053.005 Scheduled Task (evidence: 1)

Evidence: the hourly "lemp" scheduled task running rundll32.exe, as cited above under Execution.

Stealth

1 technique
T1218.011 Rundll32 (evidence: 1)

schtasks /create /tr "rundll32.exe %APPDATA%\Identities\Credential.dll,GetObjectCount" /tn "lemp" /sc HOURLY
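As an added example (not code from the page or from Proofpoint's report), the following Python scans process-creation and registry log lines for the persistence chain documented above: a scheduled task that runs rundll32.exe against a DLL under %APPDATA% with a named export (the "lemp" task), rundll32 itself loading such a DLL, and writes to the HKEY_CURRENT_USER\Software\Microsoft\WAB\Resources configuration key. The pipe-separated log format and the sample lines are constructed assumptions.

```python
import re

# Constructed log lines (not from the source report): "event|process|command_line_or_key".
SAMPLE_LOGS = [
    "proc|schtasks.exe|schtasks /create /tr \"rundll32.exe %APPDATA%\\Identities\\Credential.dll,GetObjectCount\" /tn \"lemp\" /sc HOURLY",
    "proc|rundll32.exe|rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\Identities\\Credential.dll,GetObjectCount",
    "reg|rundll32.exe|HKEY_CURRENT_USER\\Software\\Microsoft\\WAB\\Resources",
    "proc|rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL",  # benign: system DLL
    "proc|schtasks.exe|schtasks /create /tr \"C:\\Program Files\\App\\update.exe\" /tn \"Updater\" /sc DAILY",  # benign
]

# rundll32 invoking a DLL under %APPDATA% (expanded or not) by export name.
RUNDLL32_APPDATA = re.compile(
    r"rundll32\.exe\s+(?:%APPDATA%|\S*AppData\\Roaming)\\[^,\s\"]+\.dll,(\w+)", re.I)
# The task name reported for Sepulcher persistence.
TASK_NAME_LEMP = re.compile(r"/tn\s+\"?lemp\"?", re.I)
# The registry key reported to hold the Sepulcher configuration.
CONFIG_KEY = re.compile(r"^HKEY_CURRENT_USER\\Software\\Microsoft\\WAB\\Resources$", re.I)


def analyze(line):
    """Return a list of (ATT&CK technique, reason) hits for one log line."""
    event, proc, detail = line.split("|", 2)
    hits = []
    if event == "proc":
        m = RUNDLL32_APPDATA.search(detail)
        if proc.lower() == "schtasks.exe" and "/create" in detail.lower() and m:
            reason = f"scheduled task runs rundll32 on %APPDATA% DLL, export {m.group(1)}"
            if TASK_NAME_LEMP.search(detail):
                reason += " (task name 'lemp')"
            hits.append(("T1053.005", reason))
        elif proc.lower() == "rundll32.exe" and m:
            hits.append(("T1218.011", f"rundll32 loads %APPDATA% DLL, export {m.group(1)}"))
    elif event == "reg" and CONFIG_KEY.match(detail):
        hits.append(("T1112", "write to Sepulcher config key WAB\\Resources"))
    return hits


def scan(lines):
    """Run analyze() over all lines; yields (line index, technique, reason)."""
    return [(i, t, r) for i, line in enumerate(lines) for t, r in analyze(line)]


if __name__ == "__main__":
    for idx, technique, reason in scan(SAMPLE_LOGS):
        print(f"line {idx}: {technique}: {reason}")
```

Only the three Sepulcher-like lines fire; the benign rundll32 and schtasks lines produce no hits.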

Defense Impairment

1 technique
T1112 Modify Registry (evidence: 1)

Evidence: the configuration stored under HKEY_CURRENT_USER\Software\Microsoft\WAB\Resources, as cited above under Persistence.

Discovery

4 techniques
T1007 System Service Discovery (evidence: 1)

Command 6019 (N/A): Get list of services.

T1057 Process Discovery (evidence: 1)

Command 6018 (N/A): Get list of running processes.

T1082 System Information Discovery (evidence: 1)

These commands include obtaining information about the drives, file information, directory statistics, directory paths, directory content, running processes, and services.

T1083 File and Directory Discovery (evidence: 1)

These commands include obtaining information about the drives, file information, directory statistics, directory paths, directory content...

Collection

1 technique
T1005 Data from Local System (evidence: 1)

Sepulcher malware has seven work modes that include conducting reconnaissance on an infected host, spawning a reverse command shell, reading from file, and writing to file.

Command and Control

3 techniques
T1071 Application Layer Protocol (evidence: 1)

The malware receives commands including various mode commands and sub-commands via the C2 addresses decrypted from the malware’s configuration.

T1105 Ingress Tool Transfer (evidence: 1)

When the PowerPoint attachment is executed, it calls out to the IP 118.99.13[.]4 to download a Sepulcher malware payload named “file.dll”.

T1573 Encrypted Channel (evidence: 1)

The initial communication is initiated by the client via a single byte XOR encrypted handshake packet and completed via a server-to-client packet that is not encrypted. The communication then continues with a single byte XOR encrypted client-to-server PACKET_HELLO.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

Finally, that result is exfiltrated to the C2 server using the above described PACKET_COMMAND method.

INDICATORS OF COMPROMISE

IOCs tracked for this family

11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 5 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes: 4 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other: 2 tracked

Other indicator types observed in public reporting.
