APT / THREAT GROUP

Unidentified 121

Aliases: 2
Last seen: Mar 17, 2026

Intelligence Profile

unidentified_121 acts as a downloader and reflective PE loader, employing a dual-mode execution strategy that depends on its privilege level. When executed without administrative rights, it attempts to bypass User Account Control (UAC) by first patching its own Process Environment Block (PEB) in memory to masquerade as explorer.exe, and then leveraging a specific COM object ({3E5FC7F9-9A51-4367-9063-A120244FBEC7}, instantiated through the Elevation:Administrator!new: moniker) to relaunch itself with elevated privileges. This initial stage focuses purely on achieving elevation; in the non-elevated state it performs no C2 communication and executes no payload itself.

Once running with administrative privileges (either initially or after successful elevation), the malware establishes persistence by creating a Scheduled Task named "BlaBlaAgu" via COM, configured to run with the highest privileges and to repeat every five minutes indefinitely. It actively evades defenses by running PowerShell commands (Add-MpPreference) that add Windows Defender exclusions for its own process and for the user's profile directory, and re-applies these exclusions every 60 seconds from a separate thread. Its primary function in this elevated state is to act as a downloader: it connects to its Command and Control (C2) server over TCP port 33334 using a custom protocol encrypted with an RC4-like cipher and the hardcoded key "ALB9SxZBzCqwPFnD". After a distinctive 20-byte client handshake (the RC4 key followed by the integer 444) and a 16-byte server response (the RC4 key) used for validation, it downloads further encrypted PE payloads and executes them reflectively in its own memory space.
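The handshake described above is distinctive enough to serve as a network signature, and the hardcoded key makes captured payload traffic tractable for triage. The following is an added example for analysts, not code from the profile's source or from the malware: it checks a captured TCP session for the client handshake, the server validation response and an RC4-decrypted payload that begins with a PE header. It assumes standard RC4 (the profile only says "RC4-like"), a little-endian encoding of the integer 444, and that the server sends the encrypted payload immediately after its 16-byte response; the sample session bytes are constructed inline.

```python
import struct

# Indicators from the profile
RC4_KEY = b"ALB9SxZBzCqwPFnD"
HANDSHAKE_MAGIC = 444
C2_PORT = 33334


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 keystream XOR; assumption: the malware's 'RC4-like'
    cipher is plain RC4. Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def expected_client_hello() -> bytes:
    """20-byte client handshake: 16-byte key + integer 444.
    Assumption: the integer is encoded little-endian."""
    return RC4_KEY + struct.pack("<I", HANDSHAKE_MAGIC)


def classify_session(dst_port: int, client_bytes: bytes, server_bytes: bytes) -> list:
    """Return the list of indicators matched by one captured TCP session
    (client-to-server bytes and server-to-client bytes, in order)."""
    findings = []
    if dst_port == C2_PORT:
        findings.append("dst port 33334")
    if client_bytes[:20] == expected_client_hello():
        findings.append("client handshake (key + 444)")
    if server_bytes[:16] == RC4_KEY:
        findings.append("server validation response (key)")
        # Assumption: encrypted payload follows the 16-byte response.
        payload = rc4(RC4_KEY, server_bytes[16:])
        if payload[:2] == b"MZ":
            findings.append("RC4-decrypted payload has PE (MZ) header")
    return findings


def build_sample_session() -> tuple:
    """Constructed sample traffic for testing; not a real capture."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 20
    client = expected_client_hello()
    server = RC4_KEY + rc4(RC4_KEY, fake_pe)
    return client, server


if __name__ == "__main__":
    c, s = build_sample_session()
    print(classify_session(33334, c, s))
    print(classify_session(443, b"\x16\x03\x01\x00\x10", b"\x16\x03\x03\x00\x10"))
```

Run against one reassembled TCP stream at a time; the port alone is a weak indicator, whereas the handshake bytes and a decrypted MZ header together are strong evidence of this loader's C2 protocol.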

Threat Analysis

Unidentified 121 is a threat actor of undetermined national origin engaged in cyber operations; its primary motivation cannot be established from the known activity patterns.


Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

win.unidentified_121
Unidentified 121

External Intelligence

Malpedia: win.unidentified_121


Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.