COMpfun successor Reductor: compromise TLS traffic
In April 2019, we discovered new malware that compromises encrypted web communications in an impressive way. Analysis of the malware allowed us to confirm that the operators have some control over the target’s network channel and could replace legitimate installers with infected ones on the fly. That places the actor in a very exclusive club, with capabilities that few other actors in the world have.

We called these new modules ‘Reductor’ after a .pdb path left in some samples. Besides typical RAT functions such as uploading, downloading and executing files, Reductor’s authors put a lot of effort into manipulating digital certificates and marking outbound TLS traffic with unique host-related identifiers.

The Kaspersky Attribution Engine shows strong code similarities between this family and the COMpfun Trojan. Moreover, further research showed that the original COMpfun Trojan most probably is used as a downloader in one of the distribution schemes. Based on these similarities, we’re quite sure the new malware was developed by the COMpfun authors.

The COMpfun malware was initially documented by G-DATA in 2014. Although G-DATA didn’t identify which actor was using this malware, Kaspersky tentatively linked it to the Turla APT, based on the victimology. Our telemetry indicates that the current campaign using Reductor started at the end of April 2019 and remained active at the time of writing (August 2019). We identified targets in Russia and Belarus.

We registered two initial infection schemes: Reductor spreads by either infecting popular software distributions (Internet Downloader Manager, WinRAR, etc. and, for at least one victim, through a popular warez website over HTTP); or its decryptor/dropper is spread using COMpfun’s ability to download files on already infected hosts.
AI Analysis
Technical Summary
Reductor is a successor to the COMpfun Trojan, discovered by Kaspersky in April 2019. Its defining capability is compromising TLS web traffic from inside the victim host rather than by attacking the protocol, and two pieces work together to achieve that. First, the operators have some control over the target's network channel, enough to replace a legitimate installer with an infected one on the fly while the victim downloads it. Second, the implant installs its own digital certificates into the victim's certificate store (the fingerprints in the IOC section carry CA-style subjects such as GeoTrust Rsa CA and VeriSign, Inc.) and marks outbound TLS traffic with unique host-related identifiers. According to the Securelist report linked in the IOC section, the marking is done by patching the pseudo-random number generator routines of Chrome and Firefox in process memory so that the ClientHello random field carries values derived from the host. An observer on the network path can therefore pick a given victim's TLS sessions out of bulk traffic without decrypting anything, and a trusted attacker certificate removes the browser warning that interception on that path would otherwise trigger. Beyond this, Reductor has ordinary RAT functions: uploading, downloading and executing files, plus a kill command that removes its certificates, cookies and the registry values behind its persistence, which the command list identifies as either a COM CLSID hijack or an LSA notification package. Kaspersky's Attribution Engine shows strong code similarities with COMpfun, first documented by G-DATA in 2014 and tentatively linked by Kaspersky to the Turla APT on the basis of victimology; COMpfun itself is most probably the downloader in one of the two distribution schemes. Those schemes are trojanized installers of popular software (Internet Download Manager, WinRAR and others; at least one victim fetched one from a popular warez site over plain HTTP, where on-path replacement needs no certificate at all because nothing authenticates the download) and delivery of Reductor's decryptor/dropper through an existing COMpfun infection. The campaign started at the end of April 2019 and was still active in August 2019, with identified targets in Russia and Belarus.
Compromising TLS this way undermines the confidentiality and integrity that users assume from an encrypted connection without touching the cryptography itself: the endpoint is subverted before the handshake starts. Reductor exploits no software vulnerability, so there is nothing to patch; it arrives through trojanized installers and an existing COMpfun foothold, which is why defence centres on installer integrity, certificate-store auditing and detection of the implant and its C2 traffic. Overall, Reductor combines supply-chain-style delivery, on-path network manipulation and a conventional RAT to maintain persistence and collect data from high-value targets.
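As an added illustration of what "marking outbound TLS traffic" means for a detector (this is not code from the Securelist report or from this page's source), the script below parses the ClientHello from captured TLS records and flags any source host whose randoms share an identical leading segment across several sessions. It assumes, and the page does not say this, that the marker is constant per host and occupies a fixed leading segment of the 32-byte random; the prefix length, the session threshold, the sample traffic and the marker value are all constructed for the demonstration.

```python
"""Heuristic detector for host-marked TLS ClientHello randoms.

Added example, not code from the Securelist report or this page's source.
Reductor marks outbound TLS traffic with host-related identifiers; this check
assumes (author's assumption, not stated on the page) that the marker is constant
per host and occupies a fixed leading segment of the 32-byte ClientHello random,
which an unmodified TLS stack fills with fresh CSPRNG output on every handshake.
"""
import os
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

RECORD_HDR = 5      # content_type(1) version(2) length(2)
HANDSHAKE_HDR = 4   # msg_type(1) length(3)
RANDOM_OFFSET = RECORD_HDR + HANDSHAKE_HDR + 2   # + client_version(2)


def client_random(record: bytes) -> Optional[bytes]:
    """Return the 32-byte random of a TLS ClientHello record, or None if it is not one."""
    if len(record) < RANDOM_OFFSET + 32:
        return None
    if record[0] != 0x16 or record[RECORD_HDR] != 0x01:   # handshake record carrying ClientHello
        return None
    return record[RANDOM_OFFSET:RANDOM_OFFSET + 32]


def build_client_hello(random32: bytes) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello (one cipher suite, no extensions) for the demo."""
    if len(random32) != 32:
        raise ValueError("ClientHello random must be 32 bytes")
    body = (b"\x03\x03" + random32 + b"\x00"        # client_version, random, empty session_id
            + b"\x00\x02\xc0\x2f"                   # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
            + b"\x01\x00"                           # compression_methods: null only
            + b"\x00\x00")                          # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def find_marked_hosts(sessions: Iterable[Tuple[str, bytes]],
                      prefix_len: int = 8, min_sessions: int = 3) -> Dict[str, str]:
    """Map source -> hex prefix for sources whose ClientHello randoms all share one prefix."""
    prefixes: Dict[str, List[bytes]] = defaultdict(list)
    for src, record in sessions:
        rnd = client_random(record)
        if rnd is not None:
            prefixes[src].append(rnd[:prefix_len])
    return {src: seen[0].hex()
            for src, seen in prefixes.items()
            if len(seen) >= min_sessions and len(set(seen)) == 1}


def demo_sessions() -> List[Tuple[str, bytes]]:
    """Constructed traffic: one host with a fixed 8-byte marker, one with proper randoms."""
    marker = bytes.fromhex("0011223344556677")   # constructed value, not a real Reductor marker
    marked = [("10.0.0.5", build_client_hello(marker + os.urandom(24))) for _ in range(3)]
    clean = [("10.0.0.6", build_client_hello(os.urandom(32))) for _ in range(3)]
    return marked + clean


if __name__ == "__main__":
    for src, prefix in find_marked_hosts(demo_sessions()).items():
        print(f"[!] {src}: ClientHello randoms share prefix {prefix}")
```

A genuine TLS stack draws the whole random from a CSPRNG on every handshake, so identical prefixes across three sessions have no benign explanation (the TLS 1.2 gmt_unix_time convention that some legacy stacks still follow changes from second to second and will not match either). If the marker is transformed per session, for example mixed with the surrounding random bytes, this prefix check will miss it; treat it as a hunting lead, not a signature.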
Potential Impact
For European organizations the primary risk is to the confidentiality and integrity of communications that rely on TLS. With an attacker certificate trusted on the endpoint and the victim's sessions marked for identification on the wire, the operator can intercept traffic without triggering certificate warnings and maintain long-term surveillance; this matters most for government, defense, critical infrastructure and any sector handling sensitive intellectual property or personal data. The infection vectors translate directly into exposure: anyone who installs Internet Download Manager, WinRAR or similar tools from a source the actor can influence, and in particular anyone downloading pirated software from warez sites over plain HTTP, can receive a trojanized installer. The association with Turla, which has a long record of targeting governmental and diplomatic entities, suggests that European ministries, diplomatic missions and strategically relevant enterprises are plausible targets, with exposure of diplomatic correspondence, internal strategy and confidential negotiations as the likely outcome. Note the evidence base, however: Kaspersky's telemetry identified targets only in Russia and Belarus, so the European exposure described here is an assessment of what the capability allows, not an observed campaign.
Mitigation Recommendations
1. Supply chain security: Verify the integrity and authenticity of installers before deployment. For IDM, WinRAR and similar tools this means checking the Authenticode signature of the downloaded file, comparing its hash against the vendor's published value, and obtaining installers only over HTTPS from the vendor; an installer swapped on the wire fails at least one of these checks.
2. Network traffic monitoring: Alert on HTTP POST requests to /query.php on the C2 domains and IP address listed in the IOC section, and look for TLS ClientHello randoms that repeat across sessions from the same host, since a correctly functioning TLS stack never reuses them. Implement TLS inspection only where legally and operationally feasible.
3. Endpoint detection and response: Hunt for the persistence mechanisms Reductor's own kill command cleans up (LSA notification packages under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages and per-user COM CLSID overrides under HKCU\Software\Classes\CLSID), for unexpected certificate installations, and for RAT-like behaviour such as file upload/download and process creation from unknown binaries.
4. User awareness and policy enforcement: Explain the risk of software from untrusted sources, including warez and pirated-software sites, and enforce a policy against unauthorized software; application allow-listing turns that policy from advice into a control.
5. Incident response preparedness: Maintain playbooks for supply chain compromise and TLS interception, including how to revoke trust in an injected certificate fleet-wide.
6. Network segmentation: Limit lateral movement by isolating systems that handle sensitive communications.
7. Certificate management: Audit the Trusted Root and intermediate CA stores on endpoints regularly and alert on certificates matching the SHA-1 fingerprints in the IOC section or on any root certificate not deployed by policy.
8. Collaboration with vendors: Engage software vendors on the security of their distribution channels and subscribe to their compromise notifications.
These measures target Reductor's specific infection vectors and capabilities: installer integrity, certificate-store and TLS-traffic analysis, and user behaviour controls.
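The following script is an added example (not code from Kaspersky or from this page's source) of the host-side half of items 1 and 7 above: it hashes a downloaded installer against the file hashes listed in the IOC section and sweeps the Windows certificate stores exposed by Python's ssl.enum_certificates for the four certificate fingerprints. The store names checked, the choice to hash an in-memory buffer rather than a path, and the report format are the author's; nothing else is assumed beyond the IOC values.

```python
"""IOC sweep for Reductor on a Windows endpoint.

Added example (not code from Kaspersky or from this page's source). The hash
values and certificate fingerprints come from the IOC section of this page;
the store names checked and the reporting format are the author's choices.
"""
import hashlib
import ssl
from typing import Dict, Iterable, List, Tuple

# File hashes from the IOC list, grouped by algorithm (the hex length gives the type).
REDUCTOR_FILE_HASHES: Dict[str, set] = {
    "md5": {
        "27ce434ad1e240075c48a51722f8e87f", "4e02b1b1d32e23975f496d1d1e0eb7a6",
        "518ab503808e747c5d0dde6bfb54b95a", "7911f8d717dc9d7a78d99e687a12d7ad",
        "9c7e50e7ce36c1b7d8ca2af2082f4cd5", "a0387665fe7e006b5233c66f6bd5bb9d",
        "f6caa1bfcca872f0cbe2e7346b006ab4", "3e93f8b7c46a32236c225926d9f063f2",
        "5a5de7165faa9ad0ed3b2094ee6cff89",
    },
    "sha1": {"e49666f7882f299c2845c7e31e3d842a387ef10d"},
    "sha256": {"4e2d038e9d72ee4d660755ba973a31471dda167d1a51bfdfe60abb2b3de78ba1"},
}

# SHA-1 fingerprints of the certificates Reductor installs, with the labels from the IOC list.
REDUCTOR_CERT_FINGERPRINTS: Dict[str, str] = {
    "119b2be9c17d8c7c5ab0fa1a17aaf69082bab21d": "ie-paypal",
    "546f7a565920aeb0021a1d05525ff0b3df51d020": "GeoTrust Rsa CA",
    "959eb6c7f45b7c5c761d5b758e65d9ef7ea20cf3": "GeoTrust Rsa CA",
    "992bace0bc815e43626d59d790cef50907c6ea9b": "VeriSign, Inc.",
}


def sha1_fingerprint(der: bytes) -> str:
    """The X.509 SHA-1 fingerprint is SHA-1 over the DER-encoded certificate."""
    return hashlib.sha1(der).hexdigest()


def check_file_bytes(data: bytes, iocs: Dict[str, set] = REDUCTOR_FILE_HASHES) -> List[str]:
    """Hash an installer (as bytes) with every IOC algorithm; return the algorithms that matched."""
    return [alg for alg, known in iocs.items()
            if hashlib.new(alg, data).hexdigest() in known]


def match_fingerprints(certs: Iterable[Tuple[str, bytes]],
                       iocs: Dict[str, str] = REDUCTOR_CERT_FINGERPRINTS) -> List[Tuple[str, str, str]]:
    """Return (store, fingerprint, label) for every DER certificate whose fingerprint is an IOC."""
    hits = []
    for store, der in certs:
        fp = sha1_fingerprint(der)
        if fp in iocs:
            hits.append((store, fp, iocs[fp]))
    return hits


def enumerate_windows_stores(stores: Tuple[str, ...] = ("ROOT", "CA", "MY")) -> List[Tuple[str, bytes]]:
    """Collect DER certificates from the Windows system stores via ssl.enum_certificates.

    ssl.enum_certificates exists only on Windows; elsewhere this returns [] so the
    pure matching logic above can still be exercised offline. It covers only the
    stores that call opens; cross-check other stores with `certutil -store`.
    """
    if not hasattr(ssl, "enum_certificates"):
        return []
    found = []
    for store in stores:
        for der, encoding, _trust in ssl.enum_certificates(store):
            if encoding == "x509_asn":   # skip PKCS#7 blobs
                found.append((store, der))
    return found


def sweep_host() -> List[Tuple[str, str, str]]:
    """Full certificate sweep of this host (empty list on non-Windows or on a clean host)."""
    return match_fingerprints(enumerate_windows_stores())


if __name__ == "__main__":
    for store, fp, label in sweep_host():
        print(f"[!] Reductor certificate in {store}: {fp} ({label})")
```

Run it on the endpoint as an administrator so the machine stores are readable; a clean host prints nothing. The hash check is split out as a pure function so the same list can be applied to files quarantined by a proxy or mail gateway, not only to the local installer cache.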
Affected Countries
Russia, Belarus (targets identified in Kaspersky's telemetry); Germany, France, United Kingdom, Poland, Ukraine (listed by this page as potentially exposed; not named as targets in the source report)
Indicators of Compromise
- link: https://securelist.com/compfun-successor-reductor/93633/
- hash: 27ce434ad1e240075c48a51722f8e87f (MD5)
- hash: 4e02b1b1d32e23975f496d1d1e0eb7a6 (MD5)
- hash: 518ab503808e747c5d0dde6bfb54b95a (MD5)
- hash: 7911f8d717dc9d7a78d99e687a12d7ad (MD5)
- hash: 9c7e50e7ce36c1b7d8ca2af2082f4cd5 (MD5)
- hash: a0387665fe7e006b5233c66f6bd5bb9d (MD5)
- hash: f6caa1bfcca872f0cbe2e7346b006ab4 (MD5)
- domain: adstat.pw
- domain: bill-tat.pw
- ip: 200.63.45.192
- hash: 3e93f8b7c46a32236c225926d9f063f2 (MD5)
- hash: 5a5de7165faa9ad0ed3b2094ee6cff89 (MD5)
- hash: e49666f7882f299c2845c7e31e3d842a387ef10d (SHA-1)
- hash: 4e2d038e9d72ee4d660755ba973a31471dda167d1a51bfdfe60abb2b3de78ba1 (SHA-256)
  - VirusTotal report: https://www.virustotal.com/file/4e2d038e9d72ee4d660755ba973a31471dda167d1a51bfdfe60abb2b3de78ba1/analysis/1558284075/
  - Detection ratio 26/68 at the time of that scan (2019-05-19 16:41:15 UTC, the epoch 1558284075 in the report URL)
Certificates installed by Reductor (from the x509 attributes: SHA-1 fingerprint, subject or label as given, and the attached date, which at 2031-11-17 is consistent with a not-after validity date):

SHA-1 fingerprint | Subject / label | Date (as listed)
---|---|---
119b2be9c17d8c7c5ab0fa1a17aaf69082bab21d | ie-paypal | 2031-11-17T00:00:00-08:00
546f7a565920aeb0021a1d05525ff0b3df51d020 | GeoTrust Rsa CA | 2031-11-17T00:00:00-08:00
959eb6c7f45b7c5c761d5b758e65d9ef7ea20cf3 | GeoTrust Rsa CA | 2031-11-17T00:00:00-08:00
992bace0bc815e43626d59d790cef50907c6ea9b | VeriSign, Inc. | 2031-11-17T00:00:00-08:00
- text: All C2 communications are handled in a standalone malware thread. Reductor sends HTTP POST queries to the /query.php scripts on the C2s listed in its configuration. The POST query contains the target’s unique hardware ID encrypted with AES-128. The C2 returns one of the following encrypted commands.
- text: Network
- text: Bundled

C2 commands (reconstructed from the flattened command/description pairs that followed the text above):

Command | Description
---|---
hostinfo | Get the host name
gettimeout | Get the timeout value from the corresponding registry value
options | Parse strings and set corresponding values in the system registry. So far only one option is supported: timeout
domainlist | Transmit the current C2 domains used by the target
downfile | Download the file of interest
upfile | Upload the file of interest
execfile | Create a process that executes the mentioned file
nop | Do nothing. Possibly used to check the connection with the host
kill | Delete installed digital certificates, files, cookies and system registry values, including those related to COM CLSID or LSA notification package persistence
deletefile | Delete the file at a specified path
certlist | Renew the digital certificates installed on the target
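The C2 description above gives a concrete network pattern: HTTP POST to /query.php on the configured C2 hosts. The script below is an added example (not from the Securelist report or from this page's source) that applies that pattern to web-proxy logs, taking the C2 hosts and path from the IOC list. The log line format, the sample lines and the confidence labels are constructed by the author; the low-confidence rule for POSTs to /query.php on unlisted hosts is the author's assumption, since a sample's configuration may carry C2s that never made it onto this list.

```python
"""Flag Reductor-style C2 beacons in web-proxy logs.

Added example, not from the Securelist report or this page's source. The C2
hosts and the /query.php path come from this page's IOC list; the log line
format, the sample lines and the confidence labels are constructed by the
author for the demonstration.
"""
import re
from typing import Iterable, List, NamedTuple, Optional
from urllib.parse import urlsplit

C2_HOSTS = {"adstat.pw", "bill-tat.pw", "200.63.45.192"}   # from the IOC list
C2_PATH = "/query.php"                                     # from the C2 description

# Constructed proxy-log format: "<ts> <client> <method> <url> <status> <bytes>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$")


class Alert(NamedTuple):
    timestamp: str
    client: str
    host: str
    confidence: str   # "high": known C2 host; "low": C2 URI pattern on an unknown host


def classify(line: str) -> Optional[Alert]:
    """Return an Alert for a line that matches the C2 pattern, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None          # malformed line: skip it rather than abort the sweep
    url = urlsplit(m["url"])
    host = url.hostname or ""
    if host in C2_HOSTS:
        # Any contact with a listed C2 is worth a ticket, whatever the method or path.
        return Alert(m["ts"], m["client"], host, "high")
    if m["method"] == "POST" and url.path == C2_PATH:
        # Author's assumption: a POST to /query.php on an unlisted host is a hunting lead.
        return Alert(m["ts"], m["client"], host, "low")
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run classify() over a log and keep the hits, preserving log order."""
    return [a for a in map(classify, lines) if a is not None]


# Constructed sample log: two beacons to listed C2s, one suspicious POST elsewhere,
# a GET to the C2 IP, ordinary traffic, and a malformed line.
SAMPLE_LOG = """\
2019-05-20T10:00:01Z 10.0.0.5 POST http://adstat.pw/query.php 200 312
2019-05-20T10:00:02Z 10.0.0.5 GET http://www.example.com/ 200 5120
2019-05-20T10:05:01Z 10.0.0.5 POST http://bill-tat.pw/query.php 200 298
2019-05-20T10:07:44Z 10.0.0.9 POST http://cdn.example.org/query.php 404 0
2019-05-20T10:09:10Z 10.0.0.7 GET http://200.63.45.192/ 200 77
this line is not a log entry
""".splitlines()


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.confidence.upper():4} {alert.timestamp} {alert.client} -> {alert.host}")
```

Adapt LOG_RE to the proxy's real format; the classification logic does not depend on it. Because the POST body is an AES-encrypted hardware ID, there is no plaintext content to match on, which is why the rule keys on the destination and the URI rather than on the payload.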
Technical Details
- Threat Level: 3
- Analysis: 0
- UUID: 5d95e39a-712c-41b6-b17b-459d950d210f
- Original Timestamp: 1570686944 (2019-10-10 05:55:44 UTC)
Threat ID: 6834b40a290ffd83a4ebaa0f
Added to database: 5/26/2025, 6:33:46 PM
Last enriched: 6/25/2025, 6:58:13 PM
Last updated: 7/25/2025, 9:24:39 PM