SysUpdate
SysUpdate, also referred to as Soldier, FOCUSFJORD, and HyperSSL, is a malware family first publicly described in 2018; later versions (v1.2 to v1.3) have since been observed. It has been associated with UNC215 and Earth Lusca activity and has been used in intrusions that exploited the Microsoft SharePoint vulnerability CVE-2019-0604 to install web shells and FOCUSFJORD payloads. Sources cited on this page also mention a separate .NET implant named Soldier, used since 2022 by a subgroup for persistence and for downloading additional tools; that implant is distinct from the family described here, which is SysUpdate/Soldier/FOCUSFJORD/HyperSSL.
SysUpdate supports multiple persistence and execution mechanisms. It can create a Windows service for persistence; Earth Lusca specifically created a service named SysUpdate configured to auto-start. It can load DLLs through vulnerable legitimate executables (DLL sideloading), execute through WMI, and has been signed with stolen digital certificates. Samples have also been packed with VMProtect.
The malware includes host discovery and collection capabilities. It can collect the username from a compromised host, enumerate services on the victim machine, and capture screenshots. It can set file attributes to hidden for concealment. SysUpdate can store its encoded configuration in the Windows Registry under Software\Classes\scConfig in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER.
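The two host artifacts just described (an auto-start service named SysUpdate, and an encoded configuration stored under Software\Classes\scConfig in HKLM or HKCU) are concrete enough to check for directly. The following PowerShell hunting script is an added example, not code from this page or from any vendor report; it assumes only the service name and registry path reported above and is meant to be run in an elevated PowerShell session on a host under investigation.

```powershell
# Added example (not from the page or any vendor): hunt a Windows host for the
# two SysUpdate artifacts reported above. Run from an elevated PowerShell.
$findings = @()

# 1. Service named "SysUpdate" (the Earth Lusca naming reported on the page).
#    Win32_Service exposes StartMode, which Get-Service alone does not.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SysUpdate'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += [pscustomobject]@{
        Artifact = 'Service'
        Location = $svc.Name
        Detail   = "StartMode=$($svc.StartMode) State=$($svc.State) Path=$($svc.PathName)"
    }
}

# 2. Encoded configuration key in either hive. Every value under the key is
#    listed with its size, since the family stores an encoded blob here.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Classes\scConfig"
    if (Test-Path -LiteralPath $key) {
        $props  = Get-ItemProperty -LiteralPath $key
        $values = $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |   # drop provider metadata (PSPath etc.)
            ForEach-Object {
                $len = if ($_.Value -is [byte[]]) { $_.Value.Length } else { "$($_.Value)".Length }
                "$($_.Name) ($len bytes)"
            }
        $detail = if ($values) { $values -join ', ' } else { 'key present, no values' }
        $findings += [pscustomobject]@{
            Artifact = 'Registry'
            Location = $key
            Detail   = $detail
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No SysUpdate service or scConfig registry artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on either check is a strong lead rather than a verdict: the service's PathName should be followed to the binary it launches (the page notes samples are loaded through DLL sideloading and packed with VMProtect), and the scConfig value should be preserved for decoding before any remediation.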
For command and control, SysUpdate has used Base64-encoded C2 traffic, can exfiltrate data over its C2 channel, and can contact a Google-operated DNS server as part of C2 establishment. A newly reported Linux variant was discovered during a DFIR engagement: it is a packed ELF64 executable with no section header, disguised as a legitimate system service, implemented in C++, and performs reconnaissance by running the GNU/Linux id command before establishing encrypted C2 communications across multiple protocols. Researchers attributed this Linux sample to a new SysUpdate version with high confidence through dynamic analysis, endpoint detection metrics, and reverse engineering. The Linux variant uses complex cryptographic routines that hinder network analysis, and researchers developed Unicorn Engine-based emulation tooling to reproduce key generation and decrypt intercepted SysUpdate C2 traffic.
Vulnerabilities exploited
5 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
"The attackers also attempted to install their own version of SysUpdate..." | Previously, ESET reported that about five APT groups have been exploiting the four Exchange vulnerabilities - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 ... Security firm Volexity spotted hackers targeting Exchange servers on Jan. 3, when it saw CVE-2021-26855 being exploited.
These intrusions exploited the Microsoft SharePoint vulnerability CVE-2019-0604 to install web shells and FOCUSFJORD payloads... UNC215 often uses FOCUSFJORD for the initial stages of an intrusion, and then later deploys HYPERBRO... | "These intrusions exploited the Microsoft SharePoint vulnerability CVE-2019-0604 to install web shells and FOCUSFJORD payloads at targets in the Middle East and Central Asia."
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
In December 2020, we found a sample that we identified as one belonging to the SysUpdate malware family, also named Soldier, FOCUSFJORD, and HyperSSL. SysUpdate was first described by the NCC Group in 2018.
"Further, since 2022, the subgroup has started using two custom .NET implants (dubbed Drokbk and Soldier) to achieve persistence on victim machines and download additional tools."
These intrusions exploited the Microsoft SharePoint vulnerability CVE-2019-0604 to install web shells and FOCUSFJORD payloads... UNC215 often uses FOCUSFJORD for the initial stages of an intrusion, and then later deploys HYPERBRO...
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (4 techniques)
Public reporting repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
Multiple features that are expected of an espionage backdoor are present in the sample. These include... command execution.
The communication is made via a named pipe (in our case, it’s “\\.\pipe\testPipe”).
In the past, SysUpdate was loaded in memory by a known method involving three files: One legitimate executable, sometimes signed, and vulnerable to dynamic-link library (DLL) sideloading; One malicious DLL loaded by the legitimate file; One binary file usually containing obfuscated code, unpacked in memory by the malicious DLL.
Persistence (3 techniques)
Public reporting repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution. | Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry.
During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.
Public reporting repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Privilege Escalation (3 techniques)
Lastly, the launcher starts a suspended process with the command line "C:\Windows\system32\svchost.exe -k LocalServices," and injects the appropriate shellcode into it (either 32- or 64-bit).
During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.
Public reporting repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Stealth (9 techniques)
Public reporting repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Examples include: “ComRAT has encrypted and stored its orchestrator code in the Registry…”, “ShadowPad maintains a configuration block and virtual file system in the Registry.”, and “QakBot can store its configuration information…under HKCU\Software\Microsoft.”
Examples throughout the sources include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
The launcher starts by instantiating the CLoadInfo object... Directory to copy all files %PROGRAMDATA%\Test\ ... Name of the legitimate executable dlpumgr32.exe ... Lastly, the launcher starts a suspended process with the command line "C:\Windows\system32\svchost.exe -k LocalServices," and injects the appropriate shellcode into it.
Lastly, the launcher starts a suspended process with the command line "C:\Windows\system32\svchost.exe -k LocalServices," and injects the appropriate shellcode into it (either 32- or 64-bit).
Public reporting repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
Public reporting repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.
Agent Tesla has created hidden folders. AppleJeus has added a leading . to plist filenames, unlisting them from the Finder app and default Terminal directory listings. APT28 has saved files with hidden file attributes. FIN13 has created hidden files and folders within a compromised Linux system /tmp directory and also used attrib.exe to hide gathered local host information.
In the past, SysUpdate was loaded in memory by a known method involving three files: One legitimate executable, sometimes signed, and vulnerable to dynamic-link library (DLL) sideloading; One malicious DLL loaded by the legitimate file; One binary file usually containing obfuscated code, unpacked in memory by the malicious DLL.
Defense Impairment (2 techniques)
Public reporting repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution. | Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry.
Public reporting repeatedly describes threat actors and malware using valid, stolen, forged, self-signed, or abused code-signing certificates to sign malware and appear legitimate, including examples such as AppleJeus using a valid digital signature from Sectigo, APT41 leveraging code-signing certificates, FIN7 signing Carbanak payloads, and SUNBURST being digitally signed by SolarWinds.
Discovery (6 techniques)
Multiple features that are expected of an espionage backdoor are present in the sample. These include... process and services management...
Public reporting repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
Public reporting repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
Public reporting repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
Public reporting repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Public reporting repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Collection (2 techniques)
Command and Control (2 techniques)
Exfiltration (1 technique)
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
33 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
37 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Linux-targeting malware/backdoor that disguises itself as a legitimate system service, performs host reconnaissance (e.g., runs the GNU/Linux id command), and establishes encrypted C2 communications across multiple protocols using complex cryptographic routines.
SysUpdate (v1.2→v1.3)
Custom .NET implant used to maintain persistence on victim systems and download additional tooling.