type: entity
confidence: medium
created: 2026-05-30
updated: 2026-06-15
tags: malware-family, loader, pe, compiler, obfuscation, evasion, signing, c2, anti-debug

sunwukong

Overview

Windows x64 loader / dropper family characterized by a heavily masqueraded Authenticode identity ("Erdman Group"), a 500+ entry export table filled with semantically obfuscated jargon, and no static imports (empty IAT). Runtime API resolution is performed by walking the PEB module list and resolving exports by hash. A parent-process / sandbox / debugger gate at entry compares hardcoded hash constants against results of NtQuerySystemInformation-equivalent calls. Not to be confused with the sunwukong label applied as a filename-themed tag on the separate menomoushop Go infostealer cluster.

Build Stack

  • Language / Toolchain: MSVC 14.50 (Visual Studio 2022), pure C, x64 Release ^[sample fa16b64a/rabin2-info.txt]
  • Arch: PE32+ x86-64, Windows GUI subsystem ^[sample fa16b64a/file.txt]
  • IAT: Empty (IMAGE_DIRECTORY_ENTRY_IMPORT VirtualAddress = 0) ^[sample fa16b64a/pefile.txt:223-224]
  • API resolution: PEB-walking, hash lookup (DJB2 or custom) ^[/intel/analyses/fa16b64ae95d6492be2074e65a0d6eae3ddb8adb9706f41f1fb0ad71c50aa7ce.html]
  • Signing: Authenticode PKCS#7, leaf CN Erdman Group (GB, "Maraport LLC Ltd"), government CA fabrication, DigiCert cross-signed root ^[sample fa16b64a/binwalk.txt:10-14]
  • Masquerade: Version info claims "1080p protocol Business Suite" by Erdman Group, OriginalFilename 1080pprotocol_1695.exe ^[sample fa16b64a/exiftool.json:36-44]
  • Obfuscation: Semantic export obfuscation (~500 ML/networking/game-dev names mapping to ~21 stub RVAs) ^[/intel/analyses/fa16b64ae95d6492be2074e65a0d6eae3ddb8adb9706f41f1fb0ad71c50aa7ce.html]
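A static triage check for two of the indicators listed above (empty import directory, and an export table whose many names collapse onto a handful of thunk RVAs). This is an added example, not code from the referenced analysis: the PE32+ fixture it builds is constructed test data, and the suspicion thresholds are assumed heuristics rather than values taken from the sample.

```python
import struct
def _rva_to_off(sections, rva):
    """Map an RVA to a file offset via the section table."""
    for vaddr, size, rawptr in sections:
        if vaddr <= rva < vaddr + size:
            return rawptr + rva - vaddr
    raise ValueError(f"RVA {rva:#x} not backed by any section")

def triage_pe(data: bytes) -> dict:
    """Empty-IAT check plus export-name-to-unique-thunk ratio for a PE32/PE32+ file."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                        # e_lfanew
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                       # IMAGE_OPTIONAL_HEADER
    dd = opt + (112 if struct.unpack_from("<H", data, opt)[0] == 0x20B else 96)  # DataDirectory[0]
    export_rva, _, import_rva = struct.unpack_from("<III", data, dd)    # EXPORT rva/size, then IMPORT rva
    sections = []
    for i in range(nsec):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))
    names, thunks = set(), set()
    if export_rva:
        ed = _rva_to_off(sections, export_rva)
        n, f_rva, n_rva, o_rva = struct.unpack_from("<IIII", data, ed + 24)  # NumberOfNames, AddressOf{Functions,Names,NameOrdinals}
        funcs, nptrs, ords = (_rva_to_off(sections, r) for r in (f_rva, n_rva, o_rva))
        for i in range(n):
            noff = _rva_to_off(sections, struct.unpack_from("<I", data, nptrs + 4 * i)[0])
            names.add(data[noff:data.index(b"\0", noff)])
            ordinal = struct.unpack_from("<H", data, ords + 2 * i)[0]   # index into AddressOfFunctions
            thunks.add(struct.unpack_from("<I", data, funcs + 4 * ordinal)[0])
    # Assumed triage heuristic (>=100 names, at most 1 thunk per 10 names), not a value from the sample.
    flag = import_rva == 0 and len(names) >= 100 and 10 * len(thunks) <= len(names)
    return {"empty_iat": import_rva == 0, "export_names": len(names), "unique_thunks": len(thunks), "suspicious": flag}

def build_sample(names, thunk_rvas):
    """Constructed PE32+ fixture (test data only): no import directory, named exports -> given RVAs."""
    sec_rva, raw, n = 0x1000, 0x200, len(names)
    img = bytearray(raw + 0x1000)
    img[:2], img[0x3C:0x44] = b"MZ", struct.pack("<I4s", 0x40, b"PE\0\0")  # e_lfanew = 0x40, NT signature
    struct.pack_into("<HHIIIHHH", img, 0x44, 0x8664, 1, 0, 0, 0, 240, 0, 0x20B)  # AMD64, 1 section, PE32+ magic
    struct.pack_into("<II", img, 0x58 + 112, sec_rva, 0x1000)           # DataDirectory[EXPORT]; IMPORT left zero
    struct.pack_into("<8sIIII", img, 0x148, b".rdata", 0x1000, sec_rva, 0x1000, raw)  # section header
    funcs, nptrs, ords, cur = 40, 40 + 4 * n, 40 + 8 * n, 40 + 10 * n   # layout inside the export directory
    struct.pack_into("<IIIII", img, raw + 20, n, n, sec_rva + funcs, sec_rva + nptrs, sec_rva + ords)
    for i, (nm, rva) in enumerate(zip(names, thunk_rvas)):
        struct.pack_into("<I", img, raw + funcs + 4 * i, rva)
        struct.pack_into("<I", img, raw + nptrs + 4 * i, sec_rva + cur)
        struct.pack_into("<H", img, raw + ords + 2 * i, i)
        img[raw + cur:raw + cur + len(nm)], cur = nm.encode(), cur + len(nm) + 1  # NUL-terminated name
    return bytes(img)
```

On a real file, pass the contents of the PE to triage_pe; the sample described on this page would report empty_iat true with several hundred export names and about twenty unique thunks.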

Capabilities

  • authenticode-fake-identity
  • empty-iat-runtime-api-resolution
  • peb-walking-hash-lookup
  • semantic-jargon-export-obfuscation
  • parent-process-sandbox-gate
  • debugger-detection-system-information
  • version-info-masquerade
  • encrypted-data-section-high-entropy

Deploy / TTPs

Technique                        | ID        | Evidence
Obfuscated Files or Information  | T1027     | Semantic export obfuscation: 503 names → <21 unique thunks ^[sample fa16b64a/pefile.txt:338-500]
Masquerading                     | T1036.002 | "1080p protocol Business Suite" by Erdman Group ^[sample fa16b64a/exiftool.json:36-44]
Native API                       | T1106     | PEB-walking export hash resolution, NtQuerySystemInformation equivalent ^[/intel/analyses/fa16b64ae95d6492be2074e65a0d6eae3ddb8adb9706f41f1fb0ad71c50aa7ce.html]
Evade Detection                  | T1497     | Debugger / sandbox gate via process enumeration and hardcoded hash checks ^[/intel/analyses/fa16b64ae95d6492be2074e65a0d6eae3ddb8adb9706f41f1fb0ad71c50aa7ce.html]
Code Signing                     | T1553.002 | Authenticode with fabricated Erdman Group certificate ^[sample fa16b64a/binwalk.txt:10-14]

Variants / Aliases

  • sunwukong — OpenCTI / MalwareBazaar filename label
  • hippamsascom — same core build cluster under different masquerade identity (Emard LLC / "JBOD monitor" and Hane Group / "redundant alarm"). Confirmed shared techniques: zero IAT, semantic export obfuscation, fabricated intermediate CA, PEB-walking API resolution, self-loading encrypted payload. See hippamsascom.
  • 1080p protocol — internal masquerade name

Notable Analyses

  • /intel/analyses/fa16b64ae95d6492be2074e65a0d6eae3ddb8adb9706f41f1fb0ad71c50aa7ce.html — fa16b64a, MSVC x64, signed Erdman Group, semantic export obfuscation, static-only

Related