Briba
Briba is a malware family observed in targeted APT activity and associated with the Sunshop Campaign and the broader set of operations linked to the Sunshop Digital Quartermaster. FireEye collected one Briba sample among 110 malware binaries tied to 11 linked APT campaigns; that malware set was detected primarily as Trojan.APT.9002, PoisonIvy, Gh0st, Kaba, and Briba. In the Sunshop Campaign, a Briba sample with MD5 6fe0f6e68cd9cc6ed7e100e7b3626665 connected to command-and-control infrastructure at IP address 58.64.205.53 via the domain nameserver1.zapto.org. The same campaign used strategic web compromises and exploit delivery, including CVE-2013-1347, CVE-2013-2423, and CVE-2013-1493, to deploy malware families including 9002 RAT, Poison Ivy, and Briba. The Sunshop Group had also used Briba in earlier campaigns, including a related attack that exploited a Flash zero-day. On infected Windows hosts, Briba executes malicious DLLs through rundll32 launched from Registry Run keys or Startup Folder entries, a persistence and execution mechanism based on malicious DLL loading. Briba also downloads files onto infected hosts. FireEye detects Briba as Backdoor.APT.IndexASP. High-confidence indicators named in the sources are the MD5 6fe0f6e68cd9cc6ed7e100e7b3626665, the C2 domain nameserver1.zapto.org, and the associated IP address 58.64.205.53.
Groups observed using it
1 distinct threat actor attributed by public researchers.
After further research into 58.64.205.53 with our friends at Mandiant we uncovered a Briba sample with the MD5 6fe0f6e68cd9cc6ed7e100e7b3626665 that connected to this IP address.
Techniques & procedures
5 distinct techniques are documented for this family, organized by ATT&CK tactic.
Persistence
3 techniques
Across the cited sources, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.
“Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer… replaced the ImagePath registry value of a Windows service with a new backdoor binary… [multiple groups/malware] creating a service / installing as a service / modifying service configurations for persistence.”
The cited sources repeatedly describe malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
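The autostart locations named above are also the places to audit when hunting for Briba-style DLL execution on a Windows host. The following PowerShell script is an added example written for this page, not code from the page's sources or from any vendor: it enumerates the HKCU and HKLM Run and RunOnce keys plus the per-user and all-users Startup folders, resolves .lnk shortcuts to their real target and arguments, and reports every entry that invokes rundll32. The regular expression, the column names, and the choice to skip the provider's PS* metadata properties are the example's own assumptions.

```powershell
# Added example, not from the page: audit the autostart locations the page names
# (HKCU/HKLM Run and RunOnce keys, and the per-user and all-users Startup folders)
# and report entries that invoke rundll32, the DLL-execution pattern attributed to Briba.
# Run in an elevated PowerShell session so the HKLM keys are readable.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed pattern: rundll32 with or without the .exe suffix, case-insensitive
$rundll32Pattern = '(?i)\brundll32(\.exe)?\b'

$findings = New-Object System.Collections.Generic.List[object]

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata the registry provider adds to every item
        if ($prop.Name -like 'PS*') { continue }
        $command = [string]$prop.Value
        if ($command -match $rundll32Pattern) {
            $findings.Add([pscustomobject]@{
                Location = $key
                Entry    = $prop.Name
                Command  = $command
            })
        }
    }
}

# Startup folders: .lnk shortcuts are resolved through the WScript.Shell COM object
# so the actual target and arguments are inspected, not just the shortcut's file name.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$shell = New-Object -ComObject WScript.Shell

foreach ($dir in $startupDirs) {
    if (-not (Test-Path -Path $dir)) { continue }
    foreach ($file in Get-ChildItem -Path $dir -File -Force) {
        $target = $file.FullName
        if ($file.Extension -eq '.lnk') {
            $lnk = $shell.CreateShortcut($file.FullName)
            $target = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
        }
        if ($target -match $rundll32Pattern) {
            $findings.Add([pscustomobject]@{
                Location = $dir
                Entry    = $file.Name
                Command  = $target
            })
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No rundll32-based autostart entries found.'
} else {
    # Triage note: rundll32 loading a DLL from a user-writable path (AppData, Temp, ProgramData)
    # is the case worth escalating; vendor entries under Program Files usually are benign.
    $findings | Format-Table -AutoSize
}
```

A rundll32 entry in these locations is not malicious on its own, since some legitimate software registers itself the same way; the value of the script is that it surfaces the full command line, so the DLL path and export being invoked can be checked against known-good installs and against the hash and C2 indicators listed for this family.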
Privilege Escalation
2 techniques
“Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer… replaced the ImagePath registry value of a Windows service with a new backdoor binary… [multiple groups/malware] creating a service / installing as a service / modifying service configurations for persistence.”
The cited sources repeatedly describe malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Stealth
1 technique
Defense Impairment
1 technique
Command and Control
1 technique
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Briba is a backdoor used in APT campaigns for remote access and control, often delivered via zero-day exploits and strategic web compromises.
Malware that downloads files onto infected hosts.
Malware that uses rundll32 via Registry Run keys/Startup Folder for DLL execution and persistence.
Malware that uses rundll32 via Registry Run keys/Startup Folder for DLL execution.