Actor behind Operation LagTime targets Russia

2 min read · Nov 25, 2020

The file f5a78a155a219582db8959c3a96a1d91ed891801663b1cce0c599779773bc3f5 is a version 7 RoyalRoad document.

This file drops a new backdoor in memory by rewriting the EQNEDT32.EXE process.

The document refers to the ceasefire between Armenia and Azerbaijan and appears to be sent by the Mongolian authorities.
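The backdoor lives inside the rewritten EQNEDT32.EXE process and, as the analysis below notes, connects out to its C2. Equation Editor has no reason to open network connections, which gives a simple detection hook. The following script is an added example, not code from the original post: it correlates process-creation and network-connection events and flags EQNEDT32.EXE when it is launched from an Office application and then connects out. The log lines are constructed for the example and only loosely follow Sysmon field names; they are not telemetry from this incident.

```python
"""Added detection example (not code from the original post): correlate
process-creation and network-connection events and flag EQNEDT32.EXE, the
process the document's backdoor rewrites, when it is launched from an Office
application and then makes an outbound connection. The log lines are
constructed for the example and only loosely follow Sysmon's field names."""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
EQNEDT = "eqnedt32.exe"

# Constructed sample events: "EventID|Image|ParentImage|ProcessId|DestinationIp"
# EventID 1 = process create, EventID 3 = network connection (Sysmon numbering).
SAMPLE_LOGS = [
    "1|C:\\Windows\\System32\\notepad.exe|C:\\Windows\\explorer.exe|1001|",
    "1|C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"
    "|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|2044|",
    "3|C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE||2044|203.0.113.10",
    "1|C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"
    "|C:\\Windows\\explorer.exe|3100|",
    "3|C:\\Windows\\System32\\svchost.exe||900|198.51.100.5",
]


def parse_event(line):
    """Split one pipe-delimited event into a dict (five fields, some empty)."""
    event_id, image, parent, pid, dst = line.split("|")
    return {"event_id": event_id, "image": image, "parent": parent,
            "pid": pid, "dst": dst}


def basename(path):
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_eqnedt32_beacons(lines):
    """Return one alert per network connection made by an EQNEDT32.EXE process.

    Any connection from Equation Editor is suspicious; it is rated 'high' when
    the process was spawned by an Office application (the document-exploitation
    chain) and 'medium' otherwise (parent unknown or not an Office binary)."""
    parent_by_pid = {}
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if basename(ev["image"]) != EQNEDT:
            continue
        if ev["event_id"] == "1":
            parent_by_pid[ev["pid"]] = basename(ev["parent"])
        elif ev["event_id"] == "3":
            parent = parent_by_pid.get(ev["pid"], "unknown")
            alerts.append({
                "pid": ev["pid"],
                "parent": parent,
                "dst": ev["dst"],
                "severity": "high" if parent in OFFICE_PARENTS else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_eqnedt32_beacons(SAMPLE_LOGS):
        print(alert)
```

Only the EQNEDT32.EXE instance spawned by WINWORD.EXE that then connects to 203.0.113.10 produces an alert; the copy started from explorer.exe never connects and stays silent, which keeps the rule quiet on ordinary Equation Editor use.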

Analysis of the backdoor in memory

This backdoor is a state machine that launches different threads (function 00401640).

The backdoor enumerates the computer's disks, the running processes, the Windows version and the user's privileges.

The malware attempts several connections to the C2 from different functions.

The C2 domain is stored in clear text in the malware.

This backdoor is very simple to analyze: there is no packing and no code obfuscation.
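Because the backdoor is unpacked and keeps its C2 domain in clear text, a strings pass over the in-memory image already yields the network indicator and the recon APIs behind the disk, process, version and privilege checks described above. The script below is an added triage example, not code from the original post: it extracts printable strings from a dump, separates domains and IPv4 addresses from library names, and maps imported API names to the reconnaissance category they serve. The dump bytes are constructed for the example, and the API-to-purpose table lists Windows APIs typically used for those checks; it is an assumption, not a list taken from the sample.

```python
"""Added triage example (not code from the original post): pull printable
strings out of a memory dump of the unpacked backdoor and flag a clear-text
C2 domain or IP address plus imported API names matching the recon the
backdoor performs. SAMPLE_DUMP is constructed; RECON_APIS is an assumed
mapping of common Windows APIs, not a list taken from the sample."""
import re

# Constructed stand-in for a memory-dumped, unpacked PE: NUL-separated ASCII
# strings as they would sit in the import table and data section.
SAMPLE_DUMP = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"kernel32.dll\x00GetLogicalDrives\x00CreateToolhelp32Snapshot\x00"
    + b"GetVersionExW\x00advapi32.dll\x00OpenProcessToken\x00GetTokenInformation\x00"
    + b"update.c2-placeholder.invalid\x00/api/check\x00"
    + b"\x7f\x00\x00\x00Mozilla/4.0\x00203.0.113.10\x00"
)

# Assumed mapping of common Windows APIs to the recon category they serve.
RECON_APIS = {
    "GetLogicalDrives": "disk enumeration",
    "GetDiskFreeSpaceExW": "disk enumeration",
    "CreateToolhelp32Snapshot": "running processes",
    "Process32FirstW": "running processes",
    "GetVersionExW": "Windows version",
    "RtlGetVersion": "Windows version",
    "OpenProcessToken": "user privileges",
    "GetTokenInformation": "user privileges",
}

DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# Library names such as kernel32.dll look like domains; drop known file suffixes.
FILE_SUFFIXES = {"dll", "exe", "sys", "dat", "tmp", "ini", "txt", "log"}


def ascii_strings(data, min_len=4):
    """Return runs of printable ASCII at least min_len long, like `strings`."""
    pattern = rb"[\x20-\x7e]{" + str(min_len).encode() + b",}"
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def is_ipv4(s):
    """Dotted quad with every octet in 0..255."""
    return bool(IPV4_RE.match(s)) and all(0 <= int(o) <= 255 for o in s.split("."))


def is_domain(s):
    """Hostname-shaped string whose last label is not a file extension."""
    return bool(DOMAIN_RE.match(s)) and s.rsplit(".", 1)[-1].lower() not in FILE_SUFFIXES


def triage(data):
    """Return clear-text network indicators and recon APIs found in the dump."""
    strings = ascii_strings(data)
    return {
        "domains": list(dict.fromkeys(s for s in strings if is_domain(s))),
        "ips": list(dict.fromkeys(s for s in strings if is_ipv4(s))),
        "recon_apis": {s: RECON_APIS[s] for s in strings if s in RECON_APIS},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(key, value)
```

On the constructed dump the script reports one domain, one IPv4 address and five recon APIs covering all four categories the post lists; on a packed sample the same pass would return almost nothing, which is itself a useful signal that the binary differs from this one.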


According to Intezer, the similarity with the file 4c22eb33aa1d10511eaf8d13098e2687e44eaebc5af8112473e28acedac34be is high.

That malware was used in Operation LagTime.

The C2 IP address also appears in Operation LagTime.

So the campaign against Russia is driven by the same threat actor as Operation LagTime IT.

The configuration of the backdoor's C2, which is hosted in Malaysia, changed in July 2020. This date seems to mark the beginning of the operation.


RTF file

Malwarist, Threat Huntist and pythonist / core dev of #yeti / member of @ProjectHoneynet / co-organizer #BotConf / researcher