New APT-Q-27 sample spotted
A new campaign has been identified utilizing a valid digital signature from a Chinese technology company that remains unrevoked. The attack chain employs a dropper that retrieves an extension-based module list from command and control infrastructure. The malicious payloads exploit DLL Side-Loading techniques through a legitimate Tencent-signed executable to achieve code execution. The infrastructure includes Google Cloud Storage and a dedicated domain for command and control operations. Multiple components have been identified including an EXE dropper, DLL loader, DAT payload, and the legitimate Tencent executable used for side-loading purposes.
Indicators of Compromise
- domain: api.keensie.com
- hash: 8838df7298abf4d4312648e2ee80bdee
- hash: c0aca5dfbbfcb1c9796b3d974b1ee78b
- hash: 1d1808686dbf36138f3067c34566d627
- hash: 130fbe74fea31b30b59b071ccf22bf68
- url: http://api.keensie.com:5198/
Technical Details
- Author: AlienVault
- TLP: white
- References: https://x.com/askardyuss/status/2066859258130665974
- Adversary: APT-Q-27
- Pulse Id: 6a325eca53b232c21f5b84ff
- Threat Score: null
Threat ID: 6a32627a0b89be68880bd195
Added to database: 6/17/2026, 9:01:46 AM
Last updated: 6/17/2026, 9:02:01 AM