This report provides an analysis of the MsnMM campaign, which is believed to be the earliest known Naikon APT campaign. The report discusses the shared exploit generation kit, strings, functionality, targets, and infrastructure across the campaigns. It also examines the backdoors and lateral movement toolset used by the campaign, including SslMM, WinMM, and INJECTv1/INJECTRESOURCE. The report also explores the links between Naikon and APT30, and the use of the xsPlus/nokian backdoor and keylogger. The report concludes with a discussion of Sys10, which is believed to be related to the campaign.
