WIP19 Espionage | New Chinese APT Targets IT Service Providers and Telcos With Signed Malware

WIP19 is a Chinese-speaking threat cluster targeting telecommunications and IT service providers in the Middle East and Asia, using a stolen DEEPSoft certificate to sign multiple malware components. The operation features mature tooling (including SQLMaggie and ScreenCap) and shows links to WinEggDrop and Operation Shadow Force, while keeping a narrow, targeted footprint rather than proliferating widely. Hashtags: #WIP19 #SQLMaggie #ScreenCap #WinEggDrop #DEEPSoft #OperationShadowForce

Key points

  • WIP19 targets telecommunications and IT service providers in the Middle East and Asia, indicating espionage intent.
  • The activity is linked to a Chinese-speaking threat ecosystem and overlaps with known tooling and actors (WinEggDrop) as well as Operation Shadow Force.
  • The group signs malware with a legitimate, stolen certificate (DEEPSoft), boosting stealth and trust in the payloads.
  • SQLMaggie is a backdoor for MSSQL servers, used to conduct internal reconnaissance via extended stored procedures.
  • Credential dumping and data theft tooling (a loader and a dumper) is signed with the DEEPSoft certificate and deployed through interactive, hands-on-keyboard operations.
  • ScreenCap combines keylogging and screen recording using DLL hijacking and targeted drop locations, with hardcoded victim identifiers in some samples.

MITRE Techniques

  • [T1218] Signed Binary Proxy Execution – The actors sign malware with a stolen certificate to evade defenses. Quote: “WIP19 has been observed signing malware with a valid digital certificate issued for DEEPSoft Co., Ltd.”
  • [T1003.001] LSASS Credential Dumping – The credential dumper loads an SSP into LSASS and dumps the process. Quote: “load an SSP to LSASS and then dump the process.”
  • [T1574.001] DLL Search Order Hijacking – ScreenCap and related components are loaded via DLL search order hijacking in explorer.exe. Quote: “DLL search order hijacking of explorer.exe to load a keylogging and screen recording component internally named ScreenCapDll_x64.”
  • [T1056.001] Keylogging – The malware logs keystrokes from targeted browsers into .ax files. Quote: “The keylogging functionality mainly focuses on the user’s browser. … logs all keystrokes to .ax files stored in its current working directory.”
  • [T1113] Screen Capture – The screen recording feature saves output as .avi files after capturing the display. Quote: “the malware will record the screen for 1,296,000 milliseconds at a time, 30 times, and store the output as .avi files.”
  • [T1059] Command and Scripting Interpreter – SQLMaggie exposes commands (SysInfo, FileAccess, ls, Exec, RShell, Type, Download) to interact with target hosts. Quote: “The following commands appear in all versions of SQLMaggie… SysInfo… Download.”
  • [T1105] Ingress Tool Transfer – The SQLMaggie backdoor supports downloading additional payloads/files (Download command). Quote: “Download” (as a command).
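The DLL search order hijacking and stolen-certificate techniques above suggest a simple host triage check. The following PowerShell is an added example written for this summary, not code from the SentinelOne report or from WIP19: it enumerates the modules loaded into explorer.exe, flags any that live outside %SystemRoot% or that carry one of the ScreenCap file names listed on this page, and prints each flagged module's Authenticode status and signer so an unexpected publisher stands out. Everything else in it (variable names, the "outside SystemRoot" heuristic) is an assumption of the example.

```powershell
# Added example, not from the original report. Triage the modules loaded into
# explorer.exe, the process WIP19 abuses via DLL search order hijacking.
# Run in the logged-on user's session (explorer.exe runs there); Windows PowerShell 5.1+.

$windowsRoot  = $env:SystemRoot
# File names taken from the indicators listed on this page.
$suspectNames = @('ScreenCapDll_x64.dll', 'ScreenCapDll.dll')

$findings = foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
    foreach ($module in $proc.Modules) {
        $path = $module.FileName
        if (-not $path) { continue }

        # Heuristic (assumption of this example): legitimate shell components normally
        # load from under %SystemRoot%; anything else deserves a look.
        $outsideWindows = -not $path.StartsWith($windowsRoot, [System.StringComparison]::OrdinalIgnoreCase)
        $nameMatch      = $suspectNames -contains $module.ModuleName
        if (-not ($outsideWindows -or $nameMatch)) { continue }

        if ($nameMatch) { $reason = 'file name listed as WIP19 indicator' }
        else            { $reason = 'loaded from outside SystemRoot' }

        # Signature status and signer subject: a valid signature is not proof of
        # legitimacy here, since WIP19 signs with a stolen DEEPSoft certificate.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        else                        { $signer = '(unsigned)' }

        [pscustomobject]@{
            PID       = $proc.Id
            Module    = $module.ModuleName
            Path      = $path
            Reason    = $reason
            SigStatus = $sig.Status
            Signer    = $signer
        }
    }
}

$findings | Format-Table -AutoSize
```

Expect noise from legitimate shell extensions under Program Files; the value of the output is the combination of load path, file name and signer, which is what makes a signed ScreenCap DLL sitting beside explorer.exe stand out from a vendor extension loaded from its own install directory.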

Indicators of Compromise

  • [SHA1] SQLMaggie – 4AABB34B447758A2C676D8AD49338C9E0F74A330, 5796068CFD79FBA65394114BA0EDC8CC93EAE151
  • [File Name] sqlmaggieAntivirus_32.dll, sqlmaggieVS2008new_64.dll
  • [SHA1] ScreenCap – c6cb7ec82ee55ccb56a4cc8b91c64e9b4f4e14da, 19f2a546a76458dda6eab6e2fae07d0942759b84
  • [File Name] ScreenCapDll_x64.dll, ScreenCapDll.dll
  • [SHA1] Hacking Tool – da876cd6e3528f95aafb158713d3b21db5fc780b, 1121324a15e6714e4313dfa18c8b03a6da381ba1
  • [File Name] dwmgr.exe

Read more: https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/