APT438
May 18, 2026
Overview
APT438 was an endpoint forensics challenge built around a Windows triage dataset. The task was to answer 21 platform questions about initial compromise, malware activity, exfiltration, persistence, lateral-movement tooling, event log clearing, credential material, and a Windows Hello PIN.
All 21 questions were solved. Concrete checkpoint flags are redacted in this public version.
Dataset
The provided archive was extracted locally and analyzed as a mounted triage tree. The most useful artifact families were:
- Firefox history and downloads
- PowerShell history
- SRUM network/application usage data
- Windows Search index metadata
- Prefetch and MFT evidence
- Scheduled task XML
- Defender detection history
- Offline registry hives
- Windows Hello NGC and CNG key material
Final Answers
| Q | Answer |
|---|---|
| 1 | 2026-04-06 03:57:59 |
| 2 | adobe-dwonload-mirror |
| 3 | 2026-04-06 03:58:42 |
| 4 | f5dfafb759ef9dce7aac23eefaf5061b14c18820 |
| 5 | 2026-04-06 04:09:59 |
| 6 | 720002 |
| 7 | 454360 |
| 8 | 64.110.118.12:8080 |
| 9 | important_info.rtf |
| 10 | bigboss@mail.com |
| 11 | C:\Users\Public\Documents\Temp.ps1 |
| 12 | AutoUpdate |
| 13 | {E7F3E295-66C6-4A5D-BB04-92986BDC5431} |
| 14 | B85ACC36-9C0A-44C8-B5CB-1090C298715A |
| 15 | 2026-04-06 04:09:26 |
| 16 | powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Public\Documents\Temp.ps1 |
| 17 | 192.168.10.129 |
| 18 | https://raw.githubusercontent.com/fortra/impacket/master/examples/secretsdump.py |
| 19 | 2026-04-06 04:26:59 |
| 20 | c2bdd32cd948737221eb41bf41d7a010 |
| 21 | 1505 |
Checkpoint flags recovered during the solve are redacted:
[redacted APT438 checkpoint flag 1]
[redacted APT438 checkpoint flag 2]
Initial Compromise
Firefox history showed the initial download timestamp and S3 bucket name. The malicious source used the bucket adobe-dwonload-mirror, which intentionally looks like a typo-squatted Adobe mirror.
Execution and deletion indicators were then correlated through prefetch, MFT, and Defender artifacts. The malware binary hash was confirmed as:
f5dfafb759ef9dce7aac23eefaf5061b14c18820
Exfiltration And Attacker Commands
PowerShell history was the highest-signal artifact for attacker activity. It showed manual exfiltration to:
64.110.118.12:8080
SRUM provided high-confidence execution duration and byte counts. That made it useful for questions that needed numeric validation instead of just timeline inference.
Deleted Document Recovery
One question asked for an email address from a deleted document. The file itself was gone, but Windows Search metadata had indexed useful document properties inside Windows.edb.
The preserved summary string contained:
Name : Bigboss
Email: bigboss@mail.com
Persistence
The scheduled task at C:\Windows\System32\Tasks\AutoUpdate was stored as UTF-16LE XML. It revealed both the persistence mechanism and the command line:
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Public\Documents\Temp.ps1
MFT resident strings preserved the reverse shell script and callback host, which answered the internal callback question.
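Added example, not code from the original writeup: a small parser for a task file of the kind described above. It decodes the UTF-16LE XML, pulls the task URI and every Exec action, and flags argument fragments worth a second look. The embedded task XML is a constructed stand-in shaped like the AutoUpdate task, not the dataset's real file.

```python
import xml.etree.ElementTree as ET

# Namespace used by every task file under System32\Tasks.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample mirroring the AutoUpdate task in the writeup (not the real file).
SAMPLE_TASK_TEXT = (
    '<?xml version="1.0" encoding="UTF-16"?>\n'
    '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">\n'
    '  <RegistrationInfo><URI>\\AutoUpdate</URI></RegistrationInfo>\n'
    '  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>\n'
    '  <Actions Context="Author"><Exec>\n'
    '    <Command>powershell.exe</Command>\n'
    '    <Arguments>-ExecutionPolicy Bypass -WindowStyle Hidden '
    '-File C:\\Users\\Public\\Documents\\Temp.ps1</Arguments>\n'
    '  </Exec></Actions>\n'
    '</Task>\n'
)
# On disk the file is UTF-16LE with a BOM, so an ASCII grep for "powershell" misses it.
SAMPLE_TASK_BYTES = b"\xff\xfe" + SAMPLE_TASK_TEXT.encode("utf-16-le")

# Argument fragments that commonly accompany script-based persistence; triage hints, not proof.
INDICATORS = ("-ExecutionPolicy Bypass", "-WindowStyle Hidden", "-EncodedCommand", "C:\\Users\\Public\\")


def parse_task_xml(raw: bytes) -> dict:
    """Decode a UTF-16 task file and return its URI, task name and Exec actions."""
    text = raw.decode("utf-16")  # honours the BOM; raises on malformed input
    root = ET.fromstring(text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    actions = []
    for exec_node in root.findall("t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append({"command": command, "arguments": arguments,
                        "command_line": f"{command} {arguments}".strip()})
    return {"uri": uri, "task_name": uri.rsplit("\\", 1)[-1], "actions": actions}


def triage_indicators(action: dict) -> list:
    """Return the INDICATORS present in one action's command line (case-insensitive)."""
    command_line = action["command_line"].lower()
    return [ind for ind in INDICATORS if ind.lower() in command_line]


if __name__ == "__main__":
    task = parse_task_xml(SAMPLE_TASK_BYTES)
    print(task["task_name"])
    for action in task["actions"]:
        print(action["command_line"], triage_indicators(action))
```

Pointing `parse_task_xml` at every file under a mounted `Windows/System32/Tasks` tree gives a quick inventory of task names and command lines to compare against PowerShell history.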
Lateral Movement Tooling
Strings recovered from artifacts around the attacker's tooling exposed a public Impacket URL:
https://raw.githubusercontent.com/fortra/impacket/master/examples/secretsdump.py
This tied the later credential-focused activity to known tooling rather than only generic PowerShell execution.
Event Log Clearing
The event log clearing timestamp came from System log records (EventLog source) written around the clear operation. The validated UTC timestamp was:
2026-04-06 04:26:59
NT Hash And Windows Hello PIN
Offline parsing of the SAM and SYSTEM hives yielded the victim NT hash shown in the final answer table.
The Windows Hello PIN required correlating NGC and CNG key artifacts. The relevant protector GUID was:
{F729BA81-46A7-4FEE-A2FD-70012EF0539C}
An offline brute-force path against the Microsoft Software Key Storage Provider material recovered the PIN 1505.
Useful Artifact Paths
- C/Users/bello/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadline/ConsoleHost_history.txt
- C/ProgramData/Microsoft/search/data/applications/windows/Windows.edb
- C/Windows/System32/SRU/SRUDB.dat
- C/Windows/System32/Tasks/AutoUpdate
- C/$MFT
- C/Windows/System32/config/{SAM,SYSTEM,SECURITY}
- C/Windows/ServiceProfiles/LocalService/AppData/Local/Microsoft/Ngc/
- C/Windows/ServiceProfiles/LocalService/AppData/Roaming/Microsoft/Crypto/Keys/
Takeaways
The challenge rewarded cross-artifact correlation. Browser history established the intrusion start, PowerShell history explained attacker intent, SRUM validated quantitative answers, Windows Search preserved deleted-document metadata, and registry plus NGC/CNG artifacts closed the credential-recovery portion.