Backdoor.Oldrea
Havex, also known as Backdoor.Oldrea, is a remote access trojan associated with the Russia-attributed Energetic Bear / Dragonfly activity cluster, also referred to in the content as Crouching Yeti. It was publicly reported in 2013 and is notable as ICS-tailored malware used in campaigns against critical infrastructure and industrial environments.
The malware was used in Operation Dragonfly and related campaigns to establish a foothold, perform reconnaissance, and provide command-and-control access for follow-on activity. Reported initial access vectors included spear-phishing, watering-hole attacks, and supply-chain compromise of ICS vendor websites and software downloads. The content states that compromised vendors included MESA Imaging, eWON/Talk2M, and MB Connect Line, and that watering-hole delivery used the LightsOut and Hello exploit kits exploiting Java and browser vulnerabilities.
Havex includes a RAT component and a PHP-based C2 server, and multiple samples/variants are described. Some Backdoor.Oldrea samples use Base64 plus bzip2, while others use Base64 plus reverse XOR plus RSA-2048 to decrypt data received from C2 servers. The malware collects host information including OS and computer name, writes collected data to temporary files in encrypted form before exfiltration, and some samples contain a publicly available web browser password recovery tool. It can inject itself into explorer.exe and can use rundll32 for execution on compromised hosts.
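The two decoding schemes above (Base64 plus bzip2, and Base64 plus XOR plus RSA-2048) are what an analyst meets when pulling a C2 response out of a capture. The following Python helper is an added example, not code from the page or from Mallory: it peels the Base64 layer, checks for the bzip2 stream signature before decompressing, and otherwise reports that the inner data is opaque, which is what the RSA-wrapped variant looks like without the key. The sample blobs are constructed here by encoding a made-up string; they are not real Havex traffic, and the page does not describe the XOR/RSA layer in enough detail to decode it.

```python
import base64
import binascii
import bz2

# Constructed sample: a made-up plaintext encoded the way the page describes
# (bzip2, then Base64). Not captured Havex traffic.
SAMPLE_PLAINTEXT = b"cmd=collect;host=WS-ENG-01;os=Windows 7"
SAMPLE_B64_BZ2 = base64.b64encode(bz2.compress(SAMPLE_PLAINTEXT)).decode()

# Constructed stand-in for the RSA-wrapped variant: valid Base64 around bytes
# that carry no bzip2 header, so the inner layer cannot be opened offline.
SAMPLE_B64_OPAQUE = base64.b64encode(b"\x7f\x11\x90\x02" * 16).decode()

# Constructed truncated stream: has the bzip2 signature but no valid body.
SAMPLE_B64_CORRUPT = base64.b64encode(b"BZh9garbage").decode()


def strip_base64(blob):
    """Return the Base64-decoded bytes, or None if the blob is not valid Base64.

    validate=True makes b64decode reject characters outside the alphabet
    instead of silently dropping them, so arbitrary text is not 'decoded'.
    """
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_c2_payload(blob):
    """Identify which of the two encodings described on the page a blob uses.

    Returns a (label, plaintext) tuple:
      ("base64+bzip2", bytes)       - fully recoverable layer stack
      ("base64+corrupt-bzip2", None)- bzip2 signature present, stream invalid
      ("base64+opaque", None)       - Base64 peeled, inner data not bzip2
                                      (consistent with the XOR/RSA variant)
      ("not-base64", None)          - matches neither scheme
    """
    inner = strip_base64(blob)
    if inner is None:
        return ("not-base64", None)
    # bzip2 streams start with 'BZh' followed by the block-size digit; check
    # the signature first so garbage is not handed to the decompressor blindly.
    if inner.startswith(b"BZh") and len(inner) > 4 and inner[3:4].isdigit():
        try:
            return ("base64+bzip2", bz2.decompress(inner))
        except (OSError, ValueError):
            return ("base64+corrupt-bzip2", None)
    return ("base64+opaque", None)


if __name__ == "__main__":
    for name, blob in [("bz2", SAMPLE_B64_BZ2), ("opaque", SAMPLE_B64_OPAQUE),
                       ("corrupt", SAMPLE_B64_CORRUPT), ("junk", "not base64!")]:
        label, data = classify_c2_payload(blob)
        print(f"{name}: {label} {data!r}")
```

The label, rather than only the decoded bytes, is the useful output during triage: a sample whose responses classify as opaque is a hint that it belongs to the RSA-2048 variant and that key material must be recovered from the binary before the traffic can be read.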
A key distinguishing capability is industrial reconnaissance. Backdoor.Oldrea can enumerate and map ICS-specific systems in victim environments and use a network scanning module to identify ICS-related ports. The content states its OPC scanning module searches for industrial devices and scans for TCP ports 44818, 105, and 502. Havex abused the older DCOM-based OPC standard to enumerate OPC servers and interrogate their capabilities and tags, making it the first publicly reported malware observed actively scanning OPC servers used in SCADA environments. FireEye analyzed a Havex variant referred to as Fertger or PEACEPIPE that recursively enumerated accessible servers, checked for OPC-related COM interfaces, queried fields such as server state, tag name, type, access, and ID, and stored results in temporary files before encrypting them for likely exfiltration.
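The scanning behaviour described above is visible in flow data: a single host that contacts many distinct devices on ICS ports in a short window looks nothing like an HMI or OPC client, which talks to a small, stable set of devices. The following Python detector is an added example, not code from the page or from Mallory. It buckets flows per source and time window and reports sources that reach a threshold of distinct destinations on the ports the page lists (44818, 105, 502); the port set is a parameter, because the protocols present differ per plant. The flow records are constructed inline and are not captured traffic.

```python
from collections import defaultdict

# Ports the page says the OPC scanning module probes. Extend this set with the
# ports of whatever ICS protocols your own segments actually carry.
ICS_PORTS = {44818, 105, 502}

# Constructed flow records (epoch seconds, src, dst, dport) standing in for
# NetFlow or Zeek conn.log output; not real telemetry.
#   10.0.5.23 sweeps 40 hosts on two ICS ports within 40 seconds,
#   10.0.5.10 is an HMI polling one PLC all day,
#   10.0.1.7 does unrelated HTTPS traffic.
SAMPLE_FLOWS = (
    [(1000 + i, "10.0.5.23", f"10.0.5.{100 + i}", 502) for i in range(40)]
    + [(1000 + i, "10.0.5.23", f"10.0.5.{100 + i}", 44818) for i in range(40)]
    + [(i * 100, "10.0.5.10", "10.0.5.101", 502) for i in range(500)]
    + [(i * 60, "10.0.1.7", "93.184.216.34", 443) for i in range(30)]
)


def ics_sweep_candidates(flows, ics_ports=ICS_PORTS, min_targets=10,
                         window=300, allowlist=frozenset()):
    """Return sorted (src, window_start, distinct_targets, ports) tuples for
    sources that reached at least `min_targets` distinct hosts on ICS ports
    inside one `window`-second bucket.

    Breadth (distinct destinations), not volume, is the signal: a polling HMI
    generates far more packets than a sweep but to a handful of hosts.
    """
    targets = defaultdict(set)   # (src, bucket) -> distinct ICS destinations
    ports = defaultdict(set)     # (src, bucket) -> ICS ports touched
    for ts, src, dst, dport in flows:
        if dport in ics_ports and src not in allowlist:
            key = (src, ts // window)
            targets[key].add(dst)
            ports[key].add(dport)
    hits = []
    for (src, bucket), dsts in targets.items():
        if len(dsts) >= min_targets:
            hits.append((src, bucket * window, len(dsts), sorted(ports[(src, bucket)])))
    return sorted(hits)


if __name__ == "__main__":
    for src, start, n, ps in ics_sweep_candidates(SAMPLE_FLOWS):
        print(f"{src} at t={start}: {n} distinct ICS hosts on ports {ps}")
```

The allowlist exists for known engineering workstations and asset-inventory scanners that legitimately touch many devices; keep it short and reviewed, since a compromised engineering host is exactly where this scanning module would run.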
The campaign primarily targeted the energy sector, but also aviation, pharmaceutical, defense, petrochemical, manufacturing, water, and electric utility environments, with victims mainly in the United States and Europe. The content notes Havex has been cited alongside other OT/ICS malware such as BlackEnergy, CrashOverride/Industroyer, Trisis, and Incontroller as malware tailored for use against OT and critical infrastructure. Havex was also reportedly used to deliver the Karagany payload, which can steal credentials, take screenshots, and transfer files.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
"Berserk Bear is a Russian state-sponsored cyber espionage group linked to the FSB. They have been active since at least 2010 under many names (Dragonfly, Energetic Bear, Havex, Crouching Yeti, Koala, TeamSpy, etc.) and specialize in penetrating critical infrastructure."
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
It used a watering hole campaign to circumvent the normal practice of users accessing vendor resources.
Sometimes threat actors will plan a multi-pronged attack. For example, an intruder may decide to use a targeted spear-phishing attack to infiltrate the corporate network and use it as a vector into the control system architecture.
Persistence
2 techniques
Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Privilege Escalation
2 techniques
The content repeatedly describes malware and threat actors injecting shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, cmd.exe, lsass.exe, and browser processes.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Stealth
4 techniques
"ADVSTORESHELL encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration."; "Agent Tesla can encrypt data with 3DES..."; "APT32's backdoor has used...RC4 encryption before exfiltration."; "Epic encrypts collected data using a public key framework..."; "Some variants encrypt...with AES and encode it with base64..."; "Prikormka...encrypts it with Blowfish."; "VERMIN encrypts the collected files using 3-DES."; "Zebrocy...RC4...as well as AES...and hexadecimal for encoding"
The content repeatedly describes malware and threat actors injecting shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, cmd.exe, lsass.exe, and browser processes.
Examples throughout the content include deleting tools, logs, malware-related files, staged archives, screenshots, temporary files, and exfiltrated data 'to cover their tracks,' 'reduce their footprint,' 'remove traces of activity,' or as part of 'post-intrusion cleanup.'
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
Defense Impairment
1 technique
Credential Access
1 technique
The content repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.
Discovery
8 techniques
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
Through recursive calls to WNetOpenEnum and WNetEnumResources, the scanner builds a list of all servers that are globally accessible through Windows networking.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
The content repeatedly describes threat actors and malware performing network scanning, port scanning, service enumeration, OS fingerprinting, and identifying open ports/services across victim environments.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
“3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory… admin@338 actors used… dir c:\ >> %temp%\download … APT28 has used Forfiles to locate PDF, Excel, and Word documents…”
The HAVEX malware leveraged legitimate functionality in the OPC protocol to map out the industrial equipment and devices on an ICS network.
Lateral Movement
1 technique
The next stage in the intrusion involves the enumeration of the asset owners’ OPC servers, specifically targeting a vulnerability in the OPC Classic protocol.
Collection
2 techniques
When executing PE.dll, all of the OPC server data output is first saved as %TEMP%\[random].tmp.dat. The results of a capability scan of an OPC server are stored in %TEMP%\OPCServer[random].txt.
"AppleSeed has compressed collected data before exfiltration."; "APT28 used a publicly available tool to gather and compress multiple documents..."; "Aria-body has used ZIP to compress data..."; "Cadelspy...compress stolen data into a .cab file."; "Daserf hides collected data in password-protected .rar archives."; "FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration."; "Lazarus Group has compressed exfiltrated data with RAR...archive specified directories in .zip format"; "XCSSET will compress entire ~/Desktop folders..."
Command and Control
3 techniques
Some Backdoor.Oldrea samples use standard Base64 + bzip2... gh0st RAT has used Zlib to compress C2 communications data before encrypting it... HOPLIGHT has utilized Zlib compression to obfuscate the communications payload.
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
It employed the “Havex” Remote Access Trojan (RAT) within targeted spear-phishing campaigns against industry asset owners...
Exfiltration
1 technique
While we don’t have a particular case study to prove the attacker’s next steps, it is likely after these files are created and saved, they will be exfiltrated to a command and control server for further processing.
Impact
1 technique
Once the scanning completes, the log is deleted and the contents are encrypted and stored into a file named %TEMP%\[random].tmp.yls.
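The host-side artifacts named on this page fall into two groups: the Run/RunOnce values and Startup-folder drops described under Persistence, and the OPC scan output files (%TEMP%\[random].tmp.dat, %TEMP%\OPCServer[random].txt and the encrypted %TEMP%\[random].tmp.yls) described under Collection and here. The following Python triage routine is an added example, not code from the page or from Mallory: it runs over Sysmon-style events (EventID 13 for a registry value set, EventID 11 for a file create) and reports each event that matches one of those artifact classes. The events are constructed inline as dicts so it runs offline; they are not real telemetry, and the file names and image paths in them are made up.

```python
import re

# Constructed Sysmon-style events: EventID 13 = registry value set,
# EventID 11 = file create. Written as dicts rather than EVTX/XML so the
# example runs offline; not real telemetry, all names are made up.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\svchelper"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vendor\DisplayName"},
    {"EventID": 11, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetFilename": r"C:\Users\eng\AppData\Local\Temp\OPCServer7a1c.txt"},
    {"EventID": 11, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetFilename": r"C:\Users\eng\AppData\Local\Temp\b2e4.tmp.yls"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\eng\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\eng\AppData\Local\Temp\notes.txt"},
]

# A value written directly under ...\CurrentVersion\Run or \RunOnce.
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
# A file dropped into a user's or the common Startup folder.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)
# The OPC scan output names the page gives: OPCServer<random>.txt,
# <random>.tmp.dat, <random>.tmp.yls, all under a Temp directory.
OPC_ARTIFACT = re.compile(
    r"\\Temp\\(OPCServer[^\\]*\.txt|[^\\]*\.tmp\.(dat|yls))$", re.IGNORECASE)


def triage_events(events):
    """Return a list of (rule, image, path) findings.

    Registry events are checked against the Run-key rule; file-create events
    against the Startup-folder and OPC-artifact rules. An event can match more
    than one rule and then yields one finding per rule.
    """
    findings = []
    for ev in events:
        image = ev.get("Image")
        if ev.get("EventID") == 13:
            target = ev.get("TargetObject", "")
            if RUN_KEY.search(target):
                findings.append(("run_key_persistence", image, target))
        elif ev.get("EventID") == 11:
            path = ev.get("TargetFilename", "")
            if STARTUP_DIR.search(path):
                findings.append(("startup_folder_persistence", image, path))
            if OPC_ARTIFACT.search(path):
                findings.append(("opc_scan_artifact", image, path))
    return findings


if __name__ == "__main__":
    for rule, image, path in triage_events(SAMPLE_EVENTS):
        print(f"{rule:28} {image}  ->  {path}")
```

The OPC artifact rule is the one worth wiring to an alert on engineering workstations and OPC hosts: the page notes the scan log is deleted after being encrypted into the .tmp.yls file, so a file-create event may be the only record that the scan ran, and the writing process (rundll32.exe in the constructed sample) is the pivot for the rest of the investigation.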
Recent activity
51 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
ICS-targeting malware cited as demonstrating the ability to disrupt operations, cause outages, and inflict physical damage.
ICS-focused malware/RAT referenced as affecting industrial processes and critical infrastructure environments.
Malware/tooling associated with a Russia-linked ICS-focused threat cluster targeting power/energy environments; described in the context of destructive attacks and custom malware/wiper capability across IT/OT.
Havex is a known espionage backdoor/RAT historically associated with the Berserk Bear/Dragonfly activity set, used to gain remote access and support intrusion operations against critical infrastructure environments.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.