BS2005
BS2005 is a backdoor malware family associated with the China-linked espionage group APT15, also tracked as Ke3chang and Flea. Public reporting describes BS2005 as an older APT15 backdoor that later evolved into Ketrican and then Graphican; BS2005, Ketrican and Graphican are treated as one family with minor functional differences between members. BS2005 has traditionally been used by APT15 and has been observed alongside the group's additional backdoors RoyalCli and RoyalDNS. In a May 2017 intrusion investigated by NCC Group at a UK government services provider, BS2005 was present together with RoyalCli as part of an operation that stole sensitive documents relating to UK government departments and military technology. BS2005 communicates with its command-and-control infrastructure over HTTP, carrying Base64-encoded data in the message body of HTTP requests. The malware issues these requests through Internet Explorer via the IWebBrowser2 COM interface, which causes the IE process to cache C2 data on disk and allowed responders to recover attacker commands from the cache. Reported BS2005 C2 domains include Run.linodepower[.]com, Singa.linodepower[.]com, and log.autocount[.]org. BS2005 activity has also been reported for the period 1 March to 22 March 2012.
Groups observed using it
1 distinct threat actor attributed by public researchers.
BS2005/Ketrican/Graphican (one family with minor differences in functionality between members)... This matches the capabilities of the BS2005 malware family used by the Ke3chang actor.
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique): APT15 developed its own malware, allowing it to persist within victim networks (T1587.001).
Persistence (1 technique)
Privilege Escalation (1 technique)
Command and Control (3 techniques): BS2005 uses Base64 encoding for communication in the message body of an HTTP request... Helminth encodes data with base64 and sends it via the "Cookie" field of HTTP requests. For C2 over DNS, Helminth converts ASCII characters into their hexadecimal values... RDAT can communicate with the C2 via base32-encoded subdomains.
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
IOCs tracked for this family
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
11 sources tracked across advisories, community write-ups, and news.
BS2005 is a backdoor malware family used by APT15 for remote access and control of compromised systems, enabling espionage operations.
Backdoor malware family associated with APT15/Ke3chang, with minor functional variants across family members.
Earlier malware family used by Flea and forming the lineage behind Ketrican and Graphican.
APT15-associated backdoor that communicates with attacker C2 via Internet Explorer using the IWebBrowser2 COM interface, causing C2 data to be cached to disk by the IE process. Uses batch scripts and a Windows Run key for persistence installation.