Deep Panda Exploits Log4Shell in VMware Horizon to Deploy Milestone Backdoor and Novel Kernel Rootkit

Researchers at Fortinet FortiEDR detected a campaign by Deep Panda — a Chinese APT group — exploiting the Log4Shell vulnerability (CVE-2021-44228) in VMware Horizon servers to deploy a custom backdoor dubbed Milestone and a novel kernel rootkit signed with a stolen digital certificate. Notably, the same stolen certificate was also used by another Chinese APT group, Winnti, to sign some of their tools — suggesting shared infrastructure or coordination between the two groups.

Opportunistic Log4Shell Exploitation Across Multiple Sectors

The campaign's targeting was opportunistic: multiple infections across several countries and sectors — financial, academic, cosmetics, and travel — occurred on the same dates, indicating the actors were scanning broadly for vulnerable VMware Horizon deployments rather than pursuing specific organizations. Log4Shell exploitation spawned a PowerShell process that downloaded and executed a chain of scripts, ultimately installing a malicious DLL as the final payload.

The attack chain proceeds in three stages: an encoded PowerShell command downloads a second-stage script (p.txt) that fetches three files — 1.bat, syn.exe, and 1.dll. The batch script executes syn.exe, which loads 1.dll via LoadLibrary, then deletes all three files from disk.

Milestone Backdoor: Gh0st RAT Evolved

The final payload — 1.dll — is the Milestone backdoor, based on leaked Gh0st RAT/Netbot Attacker source code and packed with Themida. Milestone copies itself to %APPDATA%\newdev.dll (mimicking the legitimate Microsoft newdev.dll while sharing only two of its exports plus a ServiceMain export) and registers persistence as a service named msupdate2 directly via registry. Key behavioral differences from base Gh0st RAT include uncompressed C2 communication (versus Gh0st's zlib compression), a command that sends active session information to the C2 server, and — in the MileStone2016 variant — the ability to create a new local administrator account with the username ANONYMOUS and password MileSt0ne2@16 before executing a second instance under that account via CreateProcessAsUser and immediately deleting the account. Two main versions exist: MileStone2016 (unpacked, XOR-encrypted comms) and MileStone2017 (Themida-packed, forged timestamps, used in all observed recent attacks).

Novel Rootkit Signed With Stolen Certificate

Beyond the backdoor, a dropper component delivers a kernel-mode rootkit (crtsys.sys) installed as a driver named FSFilter-Min, supporting both 32-bit and 64-bit architectures. Payloads are stored XOR-encrypted and LZMA-compressed within the dropper, with a per-sample hardcoded DWORD XOR key. The rootkit is signed with a stolen digital certificate — the same certificate observed on Winnti tools — creating an attribution link between the two Chinese APT groups and raising the possibility of shared tooling infrastructure or a common certificate theft source.

The dropper patches the Milestone loader's .data section with a configuration before writing it to disk, then executes syn.exe (a legitimately signed Synaptics binary) to sideload the malicious newdev.dll loader, which in turn decrypts and executes the embedded Milestone backdoor — a layered sideloading chain designed to abuse trusted binary signatures at multiple stages.
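The host-side indicators quoted in the sections above (the staged files p.txt, 1.bat, syn.exe and 1.dll; the newdev.dll copy under %APPDATA%; the msupdate2 and FSFilter-Min services; the ANONYMOUS account; crtsys.sys) can be turned into simple correlated detection rules. The Python below is an added example, not code from the Fortinet analysis or IntelFusions; the event schema, field names, file paths and sample records are constructed assumptions, not a real Sysmon or EVTX format.

```python
import re

# Indicators quoted in the write-up above; a rule fires only when every listed
# field matches (anchored, case-insensitive). Field names are this example's own
# simplified schema, not a Sysmon/EVTX schema.
RULES = {
    "encoded_powershell": {"type": r"^ProcessCreate$", "image": r"\\powershell\.exe$",
                           "cmdline": r"\s-(e|ec|enc|encodedcommand)\s"},
    "stage_files_dropped": {"type": r"^FileCreate$", "target": r"\\(p\.txt|1\.bat|1\.dll|syn\.exe)$"},
    "syn_exe_sideload": {"type": r"^ImageLoad$", "image": r"\\syn\.exe$",
                         "target": r"\\(1\.dll|AppData\\Roaming\\newdev\.dll)$"},
    # The legitimate newdev.dll lives under System32; Milestone's copy sits in %APPDATA%.
    "newdev_copy_in_appdata": {"type": r"^FileCreate$", "target": r"\\AppData\\Roaming\\newdev\.dll$"},
    "persistence_service": {"type": r"^ServiceInstall$", "name": r"^(msupdate2|FSFilter-Min)$"},
    "milestone2016_admin_account": {"type": r"^UserCreate$", "name": r"^ANONYMOUS$"},
    "rootkit_driver_dropped": {"type": r"^FileCreate$", "target": r"\\crtsys\.sys$"},
}

def match_event(event):
    """Names of the rules whose every field pattern matches this one event."""
    return [name for name, conds in RULES.items()
            if all(re.search(pat, event.get(field, ""), re.I) for field, pat in conds.items())]

def scan(events):
    """Map rule name -> ids of matching events, so hits can be correlated across the chain."""
    findings = {}
    for event in events:
        for name in match_event(event):
            findings.setdefault(name, []).append(event["id"])
    return findings

def chain_stages(findings):
    """Number of distinct stages seen; several stages on one host outweighs any single hit."""
    return len(findings)

# Constructed sample telemetry mirroring the chain described above (not real logs).
T = r"C:\Users\svc\AppData\Local\Temp"
SAMPLE = [
    {"id": 1, "type": "ProcessCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc UABMAEEAQwBFAEgATwBMAEQARQBSAA=="},  # placeholder blob
    {"id": 2, "type": "FileCreate", "target": T + r"\p.txt"},
    {"id": 3, "type": "FileCreate", "target": T + r"\1.dll"},
    {"id": 4, "type": "ImageLoad", "image": T + r"\syn.exe", "target": T + r"\1.dll"},
    {"id": 5, "type": "FileCreate", "target": r"C:\Users\svc\AppData\Roaming\newdev.dll"},
    {"id": 6, "type": "ServiceInstall", "name": "msupdate2"},
    {"id": 7, "type": "UserCreate", "name": "ANONYMOUS"},
    {"id": 8, "type": "FileCreate", "target": r"C:\Windows\System32\drivers\crtsys.sys"},
    # Benign control: the real newdev.dll loaded from System32 must not fire.
    {"id": 9, "type": "ImageLoad", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\newdev.dll"},
]

if __name__ == "__main__":
    for rule, ids in scan(SAMPLE).items():
        print(f"{rule}: events {ids}")
```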

Read the full analysis on IntelFusions