Skip to content

Hide Navigation Hide TOC

TONERJAM (540b3e66-edbf-40ee-ae05-474b27c1ff40)

TONERJAM is a launcher that decrypts and executes a shellcode payload, in this case PHANTOMNET, stored as an encrypted local file and decrypts it using an AES key derived from a SHA hash of the final 16 bytes of the encrypted payload. TONERJAM maintains persistence via the Run registry key or by hijacking COM objects depending on the permissions granted to it upon execution.

Cluster A Galaxy A Cluster B Galaxy B Level
UNC5330 (c5ea778c-df2f-4c63-b401-dded9cb2419c) Threat Actor TONERJAM (540b3e66-edbf-40ee-ae05-474b27c1ff40) Tool 1
TONERJAM (540b3e66-edbf-40ee-ae05-474b27c1ff40) Tool PHANTOMNET (f97ea150-a727-4d47-823a-41de07a43ea9) Backdoor 1
UNC5330 (c5ea778c-df2f-4c63-b401-dded9cb2419c) Threat Actor GOST (c9f26173-ba82-4ed2-adbd-e2e07f582f31) Tool 2
UNC5330 (c5ea778c-df2f-4c63-b401-dded9cb2419c) Threat Actor PHANTOMNET (f97ea150-a727-4d47-823a-41de07a43ea9) Backdoor 2