Home > List all groups > List all tools > List all groups using tool GLASSES

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: GLASSES

Description(Citizen Lab) The dropped executable connects to a website and downloads a single HTML page. The site appears to be part of a legitimate website for an eyeglasses company, suggesting that it has been compromised.

The accessed page contains an anchor with an encoded command in it. The malware looks for the string in the anchor tag with the target NewRef, and then decodes it to a command. The link itself is empty, so that there is nothing to click on and it is invisible on the page. Another page on the same site, aboutus.htm, contains a different command although the URL is not apparently used by this binary.

Looking through the malware code, it is evident that this is a simple downloader with only two commands.

Last change to this tool card: 19 April 2020

Download this tool card in JSON format

Previous: GlanceLove
Next: GlitchPOS

All groups using tool GLASSES


APT groups

 Comment Crew, APT 1China2006-May 2018X

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
PGP Download PGP key