DRBControl APT Resurfaces With Enhanced Backdoor, Mofu Loader Variants, and Stealthier Persistence

DRBControl is an advanced persistent threat (APT) group focused on cyber-espionage. The group was publicly analyzed in a 2020 report titled “Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations.” Based on similarities in malware architecture, code patterns, and execution flow, researchers have assessed that DRBControl may be associated with APT41 and APT27.

This article describes a recently observed malware sample attributed to this activity cluster, with a focus on its execution flow and the technical differences compared to previously documented variants.

Shellcode Loader

The investigation began with the analysis of a suspicious DLL named wlbsctrl.dll, which was uploaded to VirusTotal from Taiwan. The filename closely mimics a legitimate Windows component, indicating that the DLL is intended to be executed through DLL side-loading.

When the exported function WlbsCancelConnectionNotify is invoked, the DLL reads shellcode stored in C:\ProgramData\ntuser.ini. The loader then injects this shellcode into the winlogon.exe process using CreateRemoteThread (or a similar injection mechanism) and executes it within the context of that process.

A search on VirusTotal revealed that ntuser.ini was also uploaded from Taiwan. Notably, the loader DLL was uploaded in late November 2025, while the shellcode file appeared in early June 2025. This discrepancy suggests that the two components may have been reused across different attack campaigns. Furthermore, the compile timestamp of the loader (2024-02-23 09:07:46 UTC) differs from that of the RAT executed by the shellcode (2023-07-11 02:27:55 UTC), indicating that the malware described here may not necessarily have been actively used in attacks during 2025.

Shellcode (Mofu Loader)

Once executed, the shellcode dynamically resolves Windows API functions such as GetProcAddress, LoadLibraryA, VirtualAlloc, memcpy, and RtlDecompressBuffer. This is achieved using API hashing based on a ROR11 algorithm.
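To show how an analyst works back from the ROR-based hashes carried by a loader like this to the API names it resolves, here is an added example (not code from the article or from the malware) that precomputes a hash table for candidate exports and looks extracted values up in it. The exact hash form (rotate-right-then-add over the ASCII name), the shift of 11, and the NUL handling are assumptions, since the page only states that a ROR11 scheme is used.

```python
# Added example (not from the original article): build a ROR-style API hash
# table so hashes pulled from a shellcode can be mapped back to export names.
# Assumed hash form: h = ror32(h, 11) + byte, over the ASCII name; real samples
# vary (case folding, seed, trailing NUL), so shift and NUL handling are options.
MASK32 = 0xFFFFFFFF

def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` positions."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32

def api_hash(name: str, shift: int = 11, include_nul: bool = False) -> int:
    """Hash an export name with the assumed ROR-add scheme."""
    data = name.encode("ascii") + (b"\x00" if include_nul else b"")
    h = 0
    for byte in data:
        h = (ror32(h, shift) + byte) & MASK32
    return h

def build_table(names, shift: int = 11, include_nul: bool = False) -> dict:
    """Precompute hash -> name for every candidate export."""
    return {api_hash(n, shift, include_nul): n for n in names}

def resolve(hashes, table: dict) -> dict:
    """Map extracted hashes to names; unknown hashes map to None."""
    return {h: table.get(h) for h in hashes}

# APIs the article says the shellcode resolves, plus a few common extras.
CANDIDATE_APIS = ["GetProcAddress", "LoadLibraryA", "VirtualAlloc", "memcpy",
                  "RtlDecompressBuffer", "CreateRemoteThread", "VirtualProtect"]

if __name__ == "__main__":
    table = build_table(CANDIDATE_APIS)
    # Constructed sample: values as they might appear in the shellcode's hash list.
    extracted = [api_hash("VirtualAlloc"), api_hash("RtlDecompressBuffer"), 0xDEADBEEF]
    for h, name in resolve(extracted, table).items():
        print(f"{h:08x} -> {name or 'unresolved'}")
```

When the sample's variant differs (the article notes the implementation "differs slightly"), regenerate the table with other `shift` or `include_nul` settings until known-good hashes match.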

The embedded data within the shellcode is then decrypted using a custom routine that combines subtraction, XOR, and addition operations. After decryption, the data is decompressed using the LZNT1 algorithm via RtlDecompressBuffer. The resulting payload is a DLL backdoor (Type 1 Backdoor) with the PE header magic number intentionally removed. The shellcode restores execution by directly invoking the DLL’s entry point.

Based on multiple shared characteristics—including identical XOR decryption logic, use of the same Windows APIs, and removal of the PE magic number—the shellcode is highly likely to be a variant of Mofu Loader. While the API hashing implementation differs slightly, the overall execution flow closely matches previously documented Mofu Loader samples. This loader has historically been used by multiple APT groups to deploy malware such as micDown and RatelS, and its use as a second-stage loader aligns with known attack chains.

Type 1 Backdoor

The final payload is a sophisticated C++-based RAT. Compared to earlier variants, this sample introduces several notable changes.

First, persistence is achieved through the startup folder rather than registry Run keys. The malware copies existing shortcut files such as C:\ProgramData\Microsoft\chrome.lnk into user startup directories, including AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. It also copies files such as C:\ProgramData\Microsoft\NTUSER.DAT and C:\ProgramData\ntuser.ini into ProgramData and user directories. These shortcuts likely trigger DLL side-loading of wlbsctrl.dll when users log on.

Second, configuration data is no longer embedded directly in the binary. Instead, the malware enables promiscuous network mode and passively monitors TCP packets that meet specific conditions: the destination IP matches the infected host, the payload length is 29 bytes, and the first four bytes contain the magic value 0x12349876. These packets provide the communication method, C2 address, ports, and optional proxy information. This design prevents analysts from identifying C2 infrastructure through static analysis or VirusTotal uploads.
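The trigger conditions above double as a network detection: as an added example (not the article's or the malware's code), the following parses raw IPv4/TCP frames and flags segments that satisfy them. The link-layer-free frame format, the constructed test addresses, and accepting the magic in either byte order are assumptions, since the page does not state the endianness of the first four bytes.

```python
# Added example (not from the original article): flag the out-of-band
# configuration trigger described above in raw IPv4/TCP frames. Assumptions:
# frames have no link-layer header, and the magic 0x12349876 is accepted in
# either byte order because the article does not state its endianness.
import ipaddress
import struct

MAGIC = 0x12349876
MAGIC_PATTERNS = (struct.pack("<I", MAGIC), struct.pack(">I", MAGIC))
TRIGGER_PAYLOAD_LEN = 29  # payload length the backdoor waits for

def parse_ipv4_tcp(frame: bytes):
    """Return (src_ip, dst_ip, dst_port, tcp_payload), or None if not IPv4/TCP."""
    if len(frame) < 20 or frame[0] >> 4 != 4 or frame[9] != 6:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    tcp = frame[ihl:total_len]
    if len(tcp) < 20:
        return None
    src = str(ipaddress.IPv4Address(frame[12:16]))
    dst = str(ipaddress.IPv4Address(frame[16:20]))
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4
    return src, dst, dst_port, tcp[data_off:]

def is_config_trigger(frame: bytes, host_ip: str) -> bool:
    """True if the frame matches the backdoor's config-delivery conditions."""
    parsed = parse_ipv4_tcp(frame)
    if parsed is None:
        return False
    _, dst, _, payload = parsed
    return (dst == host_ip and len(payload) == TRIGGER_PAYLOAD_LEN
            and payload[:4] in MAGIC_PATTERNS)

def build_frame(src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Constructed minimal IPv4/TCP frame (checksums zeroed) for testing."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4, 0x18, 0, 0, 0)
    return ip_hdr + tcp_hdr + payload

if __name__ == "__main__":
    host = "192.0.2.10"  # constructed address of the monitored host
    hit = build_frame("203.0.113.5", host, MAGIC_PATTERNS[0] + b"\x00" * 25)
    miss = build_frame("203.0.113.5", host, b"GET / HTTP/1.1\r\n")
    print("trigger:", is_config_trigger(hit, host), "| benign:", is_config_trigger(miss, host))
```

Because the backdoor accepts the trigger on any port and the segment carries the C2 address itself, a hit is worth capturing in full rather than only alerting on.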

The malware also includes an unused function capable of retrieving configuration data from legitimate services such as social.msdn.microsoft.com, a technique previously observed in APT41 and ShadowPad malware. Although the service is no longer available as of December 2025, its presence suggests reuse from earlier campaigns.

Class analysis using RTTI shows that several previously observed components (CHPAvi, CHPProcess, CHPRegedit, CHPService) have been removed. New classes such as CHPPipe and CHPOnline have been introduced, supporting named-pipe communication, enhanced screen capture, and UDP tunneling. The modular design suggests attackers can selectively build plugins based on operational needs.

Finally, the keylogger and clipboard monitor now store data under disguised filenames within NTUSER.DAT, using proprietary encoding. Decoded logs contain timestamps, usernames, application paths, window titles, and captured keystrokes.

Conclusion

These findings indicate that DRBControl has likely continued its development beyond its initial exposure in 2020. The updated Type 1 backdoor demonstrates increased stealth, modularity, and resistance to analysis. Continued monitoring is essential, as this malware may be reused in future campaigns.


Appendix: Indicators of Compromise (IoCs)

SHA256                                                           | Description
9320b3f31c5a57fe7978741ea42f3a20c19564556218a88d3b71cf8af589d9a2 | wlbsctrl.dll (loader)
2b3e7bf360fb89df77fec3e8dd034319ac37d40d19bb80db80c2b20b252c506a | ntuser.ini (shellcode)