Skip to main content
Creating a new NHS England: Health Education England, NHS Digital and NHS England have merged. More about the merger.

BLINDINGCAN Remote Access Trojan

First seen in early August, BLINDINGCAN is an advanced remote access trojan developed by the HIDDEN COBRA APT group. It is able to edit or download files and act as a dropper for secondary payloads.

Report a cyber attack: call 0300 303 5222 or email [email protected]


First seen in early August, BLINDINGCAN is an advanced remote access trojan developed by the HIDDEN COBRA APT group. It is able to edit or download files and act as a dropper for secondary payloads.

Affected platforms

The following platforms are known to be affected:

Threat details


BLINDINGCAN is a newly observed remote access trojan created by the HIDDEN COBRA advanced persistent threat group for use in attacks against defence, engineering, and government organisations in Western Europe and the USA.


As with a number of other HIDDEN COBRA developed tools, BLINDINGCAN is initially delivered via Microsoft Office attachments distributed in sophisticated spear-phishing campaigns. These attachments contain a number of XML directory files which, when the file is opened, connect to a delivery URL to download a preliminary DLL file.

This DLL file then unpacks and decodes an embedded secondary DLL file using a hard-coded XOR key, before executing it. Upon execution, the secondary DLL decrypts two further embedded DLL files, containing BLINDINGCAN proper, using a hard-coded AES key before decoding and executing them.


Once installed, BLINDINGCAN will collect user and system information before sending it to a command and control server using HTTP POST requests. By default, BLINDINGCAN is able to:

  • enumerate connected drives
  • create and terminate processes
  • search, edit, execute, or transfer files
  • alter file and directory timestamps

BLINDINGCAN is also able to remove all indicators or artifacts associated with it's operation from an infected system.

Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Indicators of compromise

Network indicators

IP addresses

  • 192.99.20[.]39
  • 199.79.63[.]24
  • 51.68.152[.]96
  • 54.241.91[.]49


  • agarwalpropertyconsultants[.]com
  • anca-aste[.]it
  • curiofirenze[.]com
Host indicators


  • iconcache.db

SHA256 hashes

  • 0fc12e03ee93d19003b2dd7117a66a3da03bd6177ac6eb396ed52a40be913db6
  • 158ddb85611b4784b6f5ca7181936b86eb0ec9a3c67562b1d57badd7b7ec2d17
  • 58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d
  • 586d012540ed1244572906e3733a0cb4bba90a320da82f853e5dfac82c5c663e
  • 6a3446b8a47f0ab4f536015218b22653fff8b18c595fbc5b0c09d857eba7c7a1
  • 7933716892e0d6053057f5f2df0ccadf5b06dc739fea79ee533dd0cec98ca971
  • 7d507281e2e21476ff1af492ad9f574b14cbf77eb4cda9b67e4256318c7c6bbd
  • 8b53b519623b56ab746fdaf14d3eb402e6fa515cde2113a07f5a3b4050e98050
  • b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9
  • bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1
  • d40ad4cd39350d718e189adf45703eb3a3935a7cf8062c20c663bc14d28f78c9
  • d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5

Last edited: 20 August 2020 3:27 pm