Connect with us

Hi, what are you looking for?



Security Companies Hit Hikit Backdoor Used by APT Group

A coordinated effort by security companies has struck a blow against malware tools used by a cyber-espionage group known as Hidden Lynx.

A coordinated effort by security companies has struck a blow against malware tools used by a cyber-espionage group known as Hidden Lynx.

Hidden Lynx is believed to be based in China and has been tied to attacks against U.S. defense contractors and other organizations around the world. In a collaboration dubbed ‘Operation SMN’, researchers from a number of companies joined forces to target the Hikit backdoor and other malware used by the group.

The effort was coordinated by security firm Novetta as part of Microsoft’s new Coordinated Malware Eradication program, and also involved Symantec, Cisco Systems, FireEye, F-Secure, iSight Partners, ThreatConnect, Tenable, Microsoft, ThreatTrack Security and Volexity. A report with technical details about the effort is set to be released Oct. 28.

“We felt it was important to take action proactively in coordination with our coalition security industry partners,” said Novetta CEO Peter B. LaMontagne, in a statement. “The cumulative effect of such coordinated approaches could prove quite disruptive to the adversaries in question and mitigate some of the threat activity that plagues the joint customer base of this coalition.”

Through the operation those involved were able to develop knowledge about the malware family and associated tool chain, and have begun shipping signatures and recommendations on remediation to industry partners.

Advertisement. Scroll to continue reading.

“This is akin to an ‘open source software’ approach for cyber threat mitigation—the adversaries share and retool their malware,” said LaMontagne. “We need to do the same on the defensive side.” 

According to Symantec’s Security Response Team, the Hikit backdoor has been used in cyberespionage attacks against a range of targets in the US, Japan, Taiwan, South Korea, and other regions. Those targets included organizations in the government, technology, research, defense and aerospace sectors.

According to researchers with Symantec, Hikit is a stealthy remote access Trojan (RAT) that has been used in attacks going back to 2011. Hikit comes in 32-bit and 64-bit versions, which are deployed depending on the target’s infrastructure. The malware has been used by at least two China-based advanced persistent threat (APT) groups to launch cyber attacks, Hidden Lynx and Pupa (Deep Panda).

“Hidden Lynx used Hikit during its compromise of Bit9’s trusted file-signing infrastructure in 2012,” Symantec noted. “This attack was then leveraged to mount the VOHO campaign in July 2012 using Bit9-signed malware. The ultimate target of this campaign was US companies whose computers were protected by Bit9. Hikit once again played a key role in this attack campaign.”

“Since then, Hidden Lynx has continued to use Hikit in its attacks against organizations predominantly in Taiwan, the US, Japan, and South Korea,” Symantec continued. “In 2013, Hidden Lynx underwent a significant re-tooling effort, introducing two new malware tools, Backdoor.Fexel and Backdoor.Gresim, which it continues to use in conjunction with Hikit. Backdoor.Gresim was undiscovered prior to this collaboration effort.”

“Together as a coalition, we plan to release a comprehensive technical report by October 28, 2014 that will include a high level overview of the threat actor group, some of the targeted industries they attacked, an overview of malware families they used and their capabilities,” blogged Stephen Ward of iSight Partners. “This report will also include an in-depth review of the tactics, techniques and procedures (TTPs) of this group and who we believe they could be based on this larger narrative.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...