RoyalCLI and RoyalDNS Backdoors

The Chinese Advanced Persistent Threat group APT15 has been found responsible for compromising a UK government contractor using two new backdoors, RoyalCLI and RoyalDNS, during 2016/17.

RoyalCLI establishes communication with Command and Control (C2) servers using the IWebBrowser2 Command Object Model interface in Internet Explorer. RoyalDNS uses text records in the Domain Name System for C2 instead.

When C2 is established the group then conducts network enumeration and reconnaissance activities, as well as lateral movement through the network. This usually involves manual remote execution of built-in Windows utilities including task list, ping, netstat, net, system info, ipconfig _and _bcp.


The RoyalCli backdoor was attempting to communicate to the following domains:

  • News.memozilla[.]org
  • video.memozilla[.]org

The BS2005 backdoor utilised the following domains for C2:

  • Run.linodepower[.]com
  • Singa.linodepower[.]com
  • log.autocount[.]org

RoyalDNS backdoor was seen communicating to the domain:

  • andspurs[.]com

Possible linked APT15 domains include:

  • Micakiz.wikaba[.]org
  • cavanic9[.]net
  • ridingduck[.]com
  • zipcodeterm[.]com
  • dnsapp[.]info

Affected platforms 

Microsoft Windows – All versions

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: