Based on the check-in information from infected machines, there appears to be only one other infected Hong Kong victim of interest to this threat actor connecting to the Dropbox app, besides the target we described at the start. The files exfiltrated from this victim appeared to be personal documents: paperwork related to the victim travelling to the United States, business forms, and Christian hymns.

Besides those exfiltrated documents, the C2 server also appeared to host the actor's next-stage malware, including two files named “GetCurrentRollback.exe” and “GetCurrentDeploy.dll”. “GetCurrentRollback.exe” is a signed Microsoft executable that appears to be part of the tooling for upgrading an earlier Windows version to Windows 10, and “GetCurrentDeploy.dll” is most likely the name of the DLL it side-loads from its own directory. The earliest version of “GetCurrentRollback.exe” we could find dates from 2016 and the latest from November 2019, so at first glance every version appears to be usable for DLL side-loading.
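The pairing above (a Microsoft-signed executable dropped into a user-writable directory next to an attacker-supplied DLL of the expected name) is the classic DLL side-loading pattern, and it leaves a clear trace in Sysmon Event ID 7 (ImageLoaded). The following is an added detection example written for this page, not code from the original post or from the actor's tooling. It assumes the Sysmon field names Image, ImageLoaded, Signed and Signature; since Event ID 7 reports the signer of the loaded DLL only, the signer of the host process is assumed to come from a separate lookup and is supplied directly on each record. The sample events are constructed; only the GetCurrentRollback.exe / GetCurrentDeploy.dll pairing comes from the text, and the other file names are placeholders.

```python
"""Heuristic DLL side-loading detection over Sysmon Event ID 7 (ImageLoaded) records.

A hit is a Microsoft-signed host executable mapping a DLL from its own directory,
outside the Windows system directories, where that DLL is not itself Microsoft-signed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Directories where a Microsoft exe loading a DLL beside itself is normal.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")

# Host/DLL pairing taken from the blog post. Extend with an analyst watch list.
KNOWN_PAIRS = {"getcurrentrollback.exe": "getcurrentdeploy.dll"}


@dataclass
class ImageLoad:
    image: str           # Sysmon "Image": the host process executable
    image_loaded: str    # Sysmon "ImageLoaded": the DLL that was mapped
    dll_signed: bool     # Sysmon "Signed" for ImageLoaded
    dll_signature: str   # Sysmon "Signature" (signer CN) for ImageLoaded, "" if none
    host_signature: str  # ASSUMPTION: signer of Image, obtained by a separate lookup


def _parent(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _in_system_dir(path: str) -> bool:
    p = _parent(path)
    return any(p == d or p.startswith(d + "\\") for d in SYSTEM_DIRS)


def is_microsoft(signer: str) -> bool:
    return signer.lower().startswith("microsoft")


def classify(ev: ImageLoad) -> Optional[str]:
    """Return None if the load looks benign, else 'known-pair' or 'suspicious'."""
    exe, dll = PureWindowsPath(ev.image), PureWindowsPath(ev.image_loaded)
    if dll.suffix.lower() != ".dll":
        return None
    if not is_microsoft(ev.host_signature):
        return None  # side-loading abuses trust in a Microsoft-signed host
    if _parent(ev.image) != _parent(ev.image_loaded):
        return None  # DLL did not come from the host's own directory
    if _in_system_dir(ev.image_loaded):
        return None  # Microsoft binaries legitimately live beside each other here
    if ev.dll_signed and is_microsoft(ev.dll_signature):
        return None  # a Microsoft DLL next to a Microsoft exe is expected
    if KNOWN_PAIRS.get(exe.name.lower()) == dll.name.lower():
        return "known-pair"
    return "suspicious"


def scan(events: List[ImageLoad]) -> List[Tuple[str, str, str]]:
    """Return (verdict, host exe name, dll name) for every event that is not benign."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict is not None:
            hits.append((verdict, PureWindowsPath(ev.image).name,
                         PureWindowsPath(ev.image_loaded).name))
    return hits


# Constructed sample events (not real telemetry). Only the first pairing is from the post.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\GetCurrentRollback.exe",
              r"C:\Users\victim\AppData\Local\Temp\GetCurrentDeploy.dll",
              False, "", "Microsoft Windows"),
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\GetCurrentRollback.exe",
              r"C:\Windows\System32\kernel32.dll",
              True, "Microsoft Windows", "Microsoft Windows"),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",           # placeholder third-party app
              r"C:\Program Files\Vendor\helper.dll",
              True, "Vendor Inc", "Vendor Inc"),
    ImageLoad(r"C:\Users\victim\Downloads\msbin.exe",        # placeholder Microsoft-signed exe
              r"C:\Users\victim\Downloads\version.dll",
              False, "", "Microsoft Corporation"),
]

if __name__ == "__main__":
    for verdict, host, dll in scan(SAMPLE_EVENTS):
        print(f"{verdict:10s} {host} -> {dll}")
```

The third sample is deliberately left unflagged: a vendor-signed application loading its own vendor-signed DLL is ordinary behaviour, and alerting on every same-directory load would bury the real signal. The rule fires only when the trust being borrowed is Microsoft's, which is exactly what makes the GetCurrentRollback.exe case worth chasing.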