Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

New SkinnyBoy Malware Used By Russian Hackers to Breach Sensitive Orgs

New SkinnyBoy Malware Used By Russian Hackers to Breach Sensitive Orgs

Security researchers have discovered a new piece of malware called SkinnyBoy that was used in spear-phishing campaigns attributed to Russian-speaking hacking group APT28.

The threat actor, also known as Fancy Bear, Sednit, Sofacy, Strontium, or PwnStorm, used SkinnyBoy in attacks targeting military and government institutions earlier this year.

Classic tactics, new tool

SkinnyBoy is intended for an intermediary stage of the attack, to collect information about the victim and to retrieve the next payload from the command and control (C2) server.

According to Cluster25 threat research company, APT28 likely started this campaign at the beginning of March, focusing on ministries of foreign affairs, embassies, defense industry, and the military sector.

Multiple victims are in the European Union but the researchers told BleepingComputer that the activity may have impacted organizations in the United States, too.

SkinnyBoy is delivered through a Microsoft Word document laced with a macro that extracts a DLL file acting as a malware downloader.

The lure is a message with a spoofed invitation to an international scientific event held in Spain at the end of July.

Opening the invitation triggers the infection chain, which starts with extracting a DLL that retrieves the SkinnyBoy dropper (tpd1.exe), a malicious file that downloads the main payload.

Also Read: 3 Reasons Why You Must Take a PDPA Singapore Course

Once on the system, the dropper establishes persistence and moves to extract the next payload, which is encoded in Base64 format and appended as an overlay of the executable file.

This payload deletes itself after extracting two files on the compromised system:

  • C:\Users\%username%\AppData\Local\devtmrn.exe (2a652721243f29e82bdf57b565208c59937bbb6af4ab51e7b6ba7ed270ea6bce)
  • C:\Users\%username%\AppData\Local\Microsoft\TerminalServerClient\TermSrvClt.dll (ae0bc3358fef0ca2a103e694aa556f55a3fed4e98ba57d16f5ae7ad4ad583698)

To keep a low profile, the malware executes these files at a later stage, after creating a persistence mechanism via a LNK file under Windows Startup folder, Cluster25 says in a report shared with BleepingComputer.

The LNK file is triggered at the next reboot of the infected machine and looks for the main payload, SkinnyBoy (TermSrvClt.dll), by checking the SHA256 hashes of all the files under C:\Users\%username%\AppData\Local.

SkinnyBoy’s purpose is to exfiltrate information about the infected system, download, and launch the final payload of the attack, which remains unknown at the moment.

Collecting the data is done by using the systeminfo.exe and tasklist.Exe tools already present in Windows, which allow it to extract file names in specific locations:

  • C:\Users\%username%\Desktop
  • C:\Program Files – C:\Program Files (x86)
  •  C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
  • C:\Users\%username%\AppData\Roaming
  • C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Templates
  • C:\Windows – C:\Users\user\AppData\Local\Temp

All the information extracted this way is delivered to the C2 server in an organized fashion and encoded in base64 format.

Cluster25 says that the attacker used commercial VPN services to purchase elements for their infrastructure, a tactic that adversaries typicall use to better lose their tracks.

Also Read: The Difference Between GDPR and PDPA Under 10 Key Issues

After observing the tactics, techniques, and procedures, Cluster25 believes that the SkinnyBoy implant is a new tool from the Russian threat group known as APT28. The company has mid-to-high confidence in its attribution.

In the report today, Cluster25 provides YARA rules for all the tools examined by its researchers (SkinnyBoy dropper, launcher, and the payload itself) as well as a list of observed indicators of compromise that can help organizations detect the presence of the new malware.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us