LightSpy: APT41 Deploys Advanced DeepData Framework In Targeted Southern Asia Espionage Campaign

Figure 6: DeepData’s supported Windows versions.

Plugins

Figure 7. DeepData plugins overview (Click to enlarge).

The plugin files all have a similar export functionality. All plugins contain exports for their version, name, command ID, and command execution.

Figure 8: DeepData plugin exports.

Appdata Plugin

(*The Chinese characters in the PDB Path shown above roughly translate as “secret.”)

The appdata plugin contains multiple binaries in its resource section which are used for collecting data from instant messaging clients. The plugin attempts to access applications such as:

• WxWorks – A real-time operating system (RTOS) used by developers, designed for use in embedded systems.
• FeiShu – An enterprise collaboration platform developed by ByteDance, a Chinese internet technology company.
• Signal – An open-source, encrypted messaging service for instant messaging, voice calls, and video calls, based in the U.S.
• WhatsApp – An instant messaging and voice-over-IP (VoIP) service owned by U.S.-based technology conglomerate Meta.

This application technically copies the functionality of the ChatIndexedDb.dll plugin in many ways. The difference is that it tries to access more applications. Perhaps the threat actor, having extended the functionality of this plugin appdata.dll, decided to use it in an attempt to access more applications, since ChatIndexedDb.dll targets only two apps.

We are basing this hypothesis on the fact that ChatIndexedDb.dll was compiled in October 2023, while appdata.dll was built in early January 2024.

The appdata.dll plugin contains two executable libraries: WhatsApp.dll, and Signal.dll. These libraries will be launched when the plugin is running. WhatsApp.dll is essentially a copy of the library included in ChatIndexedDb.dll.

Figure 9: Code that unloads data from different messengers.

Appdata also contains X509 certificates for Windows Phone.

Figure 10: X509 Certificates in appdata.dll.

SystemInfo Plugin

This plugin (SystemInfo.dll) is designed to collect information on the user’s system. It can collect the following information about a user and then send it back to a server that is controlled by the threat actor:

• Information about the processes running on the system, including paths to the executable files running in the system.
• Data about user accounts in the system.
• Network connection information including active port numbers.
• Information about running services on the system.
• List of drivers installed on the system, including their version and developer name.

wifiList Plugin

This plugin (wifiList.dll) is designed to collect information about wireless networks to which the user’s device is connected, and save it in the file WifiList.json. It also collects the list of keys to connect to wireless networks to which the user’s device is connected, and saves them in the file wifiKey.json. The plugin also collects the list of available networks for the victim’s device.

After collecting all of this information, the plugin sends these two files to the threat actor’s server.

WebBrowser Plugin

This plugin (WebBrowser.dll) collects sensitive user information such as cookies, browsing history, passwords, and autocomplete data from popular browsers (Chrome, Firefox, Edge, Opera). It interacts with local browser databases, retrieving data via SQL queries and standard file paths, and processes it by applying cryptographic algorithms for decoding and hashing. At the same time, the plugin also contains error-handling modules to ensure stable operation.

Pass Plugin

This plugin (Pass.dll) attempts to collect account information as well as passwords from the following applications:

• BaiduNetDisk – A cloud storage service provided by Baidu, Inc., headquartered in Beijing.
• QQ – An instant messaging software service and web portal developed by the Chinese technology company Tencent.
• FoxMail –A freeware email client also developed by Tencent.
• MailMaster – An AI-powered email assistant.
• OneDrive – A file-hosting service operated by Microsoft.

This plugin also contains libraries of the “KeeFarce” project, which allows the unauthorized extraction of KeePass 2.x password database information from memory. The libraries are:

• KeeFarce.dll
• Bootstrap.dll
  

Using these libraries, the plugin attempts to extract passwords and other information from the KeePass application installed on the victim’s device. The plugin then sends all collected data to a remote server controlled by the threat actor.

OutlookX32 Plugin

This plugin (OutlookX32.dll) is designed to steal information from the user’s Microsoft’s Outlook application. The plugin attempts to access the following information:

• User emails
• Mail folders in the Outlook client
• User’s contact list

ProductList Plugin

This plugin is designed to collect information about installed applications on the system. It can collect the applications’ names and installation paths and transmit them to a server controlled by the threat actor.

SocialSoft Plugin

This plugin (SocialSoft.dll) is designed to allow unauthorized access to the following applications:

• WeChat – A Chinese instant messaging, social media, and mobile payment app developed by Tencent.
• DingDing – One of the largest mobile enterprise communication and collaboration apps in China, with over 100 million users.
• Telegram – A cloud-based, cross-platform, social media and instant messaging service.
• Feishu – An enterprise collaboration platform developed by ByteDance, a Chinese internet technology company.
• QQ – An instant messaging software service and web portal developed by the Chinese technology company Tencent.
• Skype – An IP-based videotelephony, videoconferencing and voice call service developed by Microsoft.

The plugin attempts to access messages and data stored in application directories. If message theft succeeds, the plugin packages the messages and sends them to a server controlled by the threat actor.

Audio Plugin

This plugin (Audio.dll) is designed to record the audio environment with a microphone on the target system device. At runtime, the plugin extracts another executable library (audio.core.dll) from its body that is packaged by the UPX packer.

Unpacked sample audio.core.dll:

This plugin uses open-source libraries called FFmpeg 4.3.5 to record audio. The plugin records audio in Advanced Audio Encoding (.aac) format and saves the recording to a %temp% folder.  AAC is an audio coding standard for lossy digital audio compression. It achieves higher sound quality than MP3 at the same bit rate.

Along with the command to record audio, the plugin will receive the audio recording duration in seconds. After the recording is complete, the audio file will be transferred to a server controlled by the threat actor.

Figure 11: The code of the plugin that starts the sound recording.

ChatIndexedDb Plugin

This plugin is used by a threat actor to monitor the WhatsApp and Zalo apps installed on Windows. Zalo is a mobile messaging app that is most popular in Vietnam, with an 82% usage rate in 2024, and 77.6 million monthly active users. The plugin will attempt to copy all application data from these apps. It also monitors the data shared by the user in private chats with their other contacts.

It additionally contains the WhatsApp.dll library in its body, which is specially designed to steal data and messages from the WhatsApp application. If the data theft is successful, the plugin packs the data and sends it to a server controlled by the threat actor.

WhatsApp.dll Library

Figure 12: A plugin that uploads WhatsApp data.

Tdm Plugin

This plugin downloads a library called Telegram.dll and injects it into the address space of the “Telegram for Windows” application. This plugin attempts to copy all the information in the user’s chats, including contacts, messages, images, audio, and video. If the copying is successful, the plugin sends the data to a server controlled by the threat actor.

Figure 13: The code that injects the Telegram.dll library into the Telegram for Widows process.

Network Infrastructure

The front-end application programming interface (API) of APT41’s LightSpy implant has an endpoint called cmd_list at the uri /ujmfanncy76211/front_api/cmd_list. This dumps a json blob containing all of the supported commands for a given C2 deployment.

Below is a list of all commands with Windows in the supported operating system (OS) values. It is noteworthy that “Windows Keylogger” is new as of the middle of October 2024.

Researchers at Hunt.io published a great writeup on tracking LightSpy and WyrmSpy C2. Internet intelligence-based threat hunting platform Censys even implemented resource identifiers for both LightSpy and WyrmSpy.

A new SSL certificate is being used on some of the C2 servers: C=CN, ST=BJ, L=BJ, O=Company, emailAddress=admin[at]zb[.]com.

At the time of writing, four of the 10 systems online using this certificate are LightSpy C2s. Many of these C2s have a login page at the uri /qazxswedcvfr/login. Both LightSpy and WyrmSpy C2s have been seen hosting this certificate and login page. The favicon indicates use of the open-source Vue JavaScript framework, which is in line with previous web interfaces created for or by this developer.

Figure 14. Page to login to the C2 control panel.

DeepData is hosted on C2 utilizing this certificate on port 28992 for the plugin server, and port 28993 for command-and-control.

Figure 15: Network locations from DeepData’s config.json.

Another new SSL certificate is shared by a single WyrmSpy C2:

Subject: O=https Project, CN=httpsServer
Issuer: O=https Project Certificate Authority

This certificate is only utilized by three servers also hosted on the same ASN as many of the LightSpy and WyrmSpy C2s.

Threat Actor Analysis: LightSpy Timeline Context

Pre-2022

• Initial development of LightSpy malware
• Early targeting and deployment phases
• Establishment of basic infrastructure

2022

August 19, 2022

• Compilation of wifiList.dll plugin
• Initial development of network reconnaissance capabilities

2023

July 2023

• July 8: Compilation of Audio.dll (7:43:13 UTC)
• July 8: Compilation of audio.core.dll with FFmpeg 4.3.5 integration (8:51:34 UTC)

October 2023

• October 13: Compilation of SocialSoft.dll (11:35:41 UTC)
  • Introduction of social media monitoring capabilities
  • Unauthorized infiltration of WeChat, DingDing, Telegram, Feishu, QQ, and Skype
• October 20: Compilation of ProductList.dll (13:24:30 UTC)
  • Application enumeration functionality added
• October 23: Initial WhatsApp.dll compilation (03:14:00 UTC)
• October 26: Multiple component updates
  • SystemInfo.dll compilation (11:37:28 UTC)
  • ChatIndexedDb.dll compilation (10:23:30 UTC)
  • Enhanced messaging platform surveillance capabilities
• October 27: Compilation of Pass.dll (08:55:22 UTC)
  • Integration of password stealing capabilities
  • Implementation of KeePass targeting functionality

November 2023

• November 16: Compilation of WebBrowser.dll (09:03:55 UTC)
  • Browser credential theft capabilities added

December 2023

• December 5: Compilation of Tdm.dll (06:58:05 UTC)
  • Telegram-specific monitoring capabilities introduced

2024

January 2024

• January 4: Compilation of Signal.dll (02:49:18 UTC)
  • Signal messenger monitoring capability added
• January 6: Updated WhatsApp.dll compilation (07:52:25 UTC)
• January 15: Compilation of appdata.dll (11:26:12 UTC)
  • Enhanced data collection capabilities
  • Integration with multiple messaging platforms

February 2024

• February 27: Multiple significant updates
  • Compilation of Frame.exe (02:04:24 UTC)
  • Compilation of OutlookX32.dll (02:04:24 UTC)
  • Implementation of email surveillance capabilities

March 2024

• March 19: Compilation of Data.dll (03:47:44 UTC)
  • Core component of DeepData framework

April 2024

• Mid-October: Introduction of new “Windows Keylogger” functionality
  • Identification of new SSL certificates in use
  • Discovery of expanded C2 infrastructure

Infrastructure Evolution

Current Active C2 Infrastructure

• 22 identified C2 servers across multiple ASNs
• Implementation of new SSL certificates:
  • Certificate with admin[at]zb[.]com
  • Certificate from “https Project”
  • Deployment of Vue Javascript-based control panel
  • Implementation of specialized login pages at /qazxswedcvfr/login

Key Observations

Development Acceleration

• Intense development period from October 2023 to April 2024
• Significant expansion of capabilities and modules
• Regular updates and improvements to core components

Capability Evolution

• Progressive addition of new messaging platform support
• Enhanced data collection capabilities
• Improved stealth and persistence mechanisms

Infrastructure Development

• Continuous expansion of C2 infrastructure
• Implementation of new security certificates
• Enhanced operational security measures

Operational Sophistication

• Module-based development approach
• Regular updates to core components
• Strategic timing of capability rollouts

Conclusions

Our latest findings indicate that the threat actor behind DeepData has a clear focus on long-term intelligence gathering. Since their initial development of the LightSpy spyware implant in 2022, the attacker has been persistently and methodically working on the strategic targeting of communication platforms, with the emphasis on stealth and persistent access.

The sophisticated modular architecture, comprehensive surveillance capabilities, and robust infrastructure detailed in this report suggest a well-resourced and technically proficient threat actor with strategic objectives.

Organizations of all sizes, particularly those in targeted regions, should treat this threat as a high priority and implement comprehensive defensive measures. The continued evolution of tools like DeepData indicates a persistent threat that will likely expand in both capability and scope as time goes on.

Victimology

Based on the victims that the threat actor hiding behind LightSpy has targeted in the past, and also based on the applications DeepData attempts to access, we believe that the intended targets are located in Southeast Asia, and, with a medium degree of probability, can be associated with political activists, politicians and journalists.

Countermeasures

Arctic Wolf® customers are protected against the DeepData Indicators of Compromise (IOCs) listed in this blog post by endpoint protection solutions such as Arctic Wolf® Aurora™ Endpoint Defense. Aurora™ Endpoint Defense leverages advanced AI to detect threats before they cause damage, minimizing business disruptions and the costs incurred during a ransomware attack.

Recommendations for Defenders

1. Block identified command-and-control (C2) infrastructure.
2. Monitor network and devices for unauthorized audio recording activities.
3. Use secure communications platforms for business sensitive data.
4. Deploy detection rules for DeepData components.
5. Review logs for indicators of compromise.
6. Assess exposure of sensitive communication channels.

APPENDIX

Indicators of Compromise

Applied Countermeasures

YARA Rule 

rule DeepData_Spy_tool {

meta:
    description = "Rule to detect LightSpy-DeepData Windows files"
    author = "The Arctic Wolf Labs team"
    last_modified = "2024-11-12"
    version = "1.0"

strings:
    $a1 = {78 6d 68 5f 6d 69 71 75 5f 6b 65 79 5c 78 6d 68 5c e5 af 86} // \xmh_miqu_key\xmh\密
    $a2 = "CodeS\\compile\\tg471\\desktop" ascii wide
    $a3 = "zyx\\dll\\ProductList\\Debug" ascii wide
    $a4 = "Users\\GT1\\source\\repos\\Audio_miqu" ascii wide
    $a5 = "\\Code\\OtherWork\\DeepDataH\\" ascii wide
    $a6 = "\\tmpWork\\deepdata-v2\\deepdata" ascii wide
    $a7 = "\\Code\\project\\MiQuH\\MiQuH" ascii wide
    $b1 = "WiFi Tool ExecuteCommand without" ascii wide
    $b2 = "\\zyx\\dll\\Dll1\\Debug" ascii wide

condition:
    uint16(0) == 0x5a4d and (filesize < 25000KB) and ((any of ($a*)) or (all of ($b*)))}

Suricata Rules

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Arctic Wolf Labs - APT41 DeepData qweasdzxc api request"; flow:established,to_server; content:"qweasdzxc/api/"; http_uri; classtype:command-and-control; sid:1; rev:1; metadata:created_at 2024_11_11;)

Django Debugging Dump From DeepData API Endpoint

qweasdzxc/api/ ^user/$ [name='user-list']
qweasdzxc/api/ ^user/change_password/$ [name='user-change-password']
qweasdzxc/api/ ^user/clear/$ [name='user-clear']
qweasdzxc/api/ ^user/group_permission/$ [name='user-group-permission']
qweasdzxc/api/ ^user/info/$ [name='user-info']
qweasdzxc/api/ ^user/load_all/$ [name='user-load-all']
qweasdzxc/api/ ^user/update_state/$ [name='user-update-state']
qweasdzxc/api/ ^user/(?P<pk>[^/.]+)/$ [name='user-detail']
qweasdzxc/api/ ^sys_log/$ [name='syslog-list']
qweasdzxc/api/ ^sys_log/clear/$ [name='syslog-clear']
qweasdzxc/api/ ^sys_log/load_all/$ [name='syslog-load-all']
qweasdzxc/api/ ^sys_log/(?P<pk>[^/.]+)/$ [name='syslog-detail']
qweasdzxc/api/ ^log/$ [name='log-list']
qweasdzxc/api/ ^log/clear/$ [name='log-clear']
qweasdzxc/api/ ^log/load_all/$ [name='log-load-all']
qweasdzxc/api/ ^log/serial_del/$ [name='log-serial-del']
qweasdzxc/api/ ^log/(?P<pk>[^/.]+)/$ [name='log-detail']
qweasdzxc/api/ ^file/$ [name='file-list']
qweasdzxc/api/ ^file/add_upsert_file/$ [name='file-add-upsert-file']
qweasdzxc/api/ ^file/celery_start_file/$ [name='file-celery-start-file']
qweasdzxc/api/ ^file/celery_status/$ [name='file-celery-status']
qweasdzxc/api/ ^file/clear/$
[name='file-clear']
qweasdzxc/api/ ^file/count/$ [name='file-count']
qweasdzxc/api/ ^file/download/$ [name='file-download']
qweasdzxc/api/ ^file/load_all/$ [name='file-load-all']
qweasdzxc/api/ ^file/serial_del/$ [name='file-serial-del']
qweasdzxc/api/ ^file/update_priority/$ [name='file-update-priority']
qweasdzxc/api/ ^file/upload/$ [name='file-upload']
qweasdzxc/api/ ^file/(?P<pk>[^/.]+)/$ [name='file-detail']
qweasdzxc/api/ ^setting/$ [name='settings-list']
qweasdzxc/api/ ^setting/clear/$ [name='settings-clear']
qweasdzxc/api/ ^setting/clear_mem/$ [name='settings-clear-mem']
qweasdzxc/api/ ^setting/clear_redis_key/$ [name='settings-clear-redis-key']
qweasdzxc/api/ ^setting/info/$ [name='settings-info']
qweasdzxc/api/ ^setting/load_all/$ [name='settings-load-all']
qweasdzxc/api/ ^setting/(?P<pk>[^/.]+)/$ [name='settings-detail']
qweasdzxc/api/ ^group/$ [name='group-list']
qweasdzxc/api/ ^group/clear/$ [name='group-clear']
qweasdzxc/api/ ^group/load_all/$ [name='group-load-all']
qweasdzxc/api/ ^group/(?P<pk>[^/.]+)/$ [name='group-detail']
qweasdzxc/api/ ^terminal/$ [name='terminal-list']
qweasdzxc/api/ ^terminal/clear/$ [name='terminal-clear']
qweasdzxc/api/ ^terminal/data_count/$ [name='terminal-data-count']
qweasdzxc/api/ ^terminal/load_all/$ [name='terminal-load-all']
qweasdzxc/api/ ^terminal/load_serial/$ [name='terminal-load-serial']
qweasdzxc/api/ ^terminal/serial_del/$ [name='terminal-serial-del']
qweasdzxc/api/ ^terminal/(?P<client>[^/.]+)/$ [name='terminal-detail']
qweasdzxc/api/ ^client/$ [name='client-list']
qweasdzxc/api/ ^client/clear/$ [name='client-clear']
qweasdzxc/api/ ^client/load_all/$ [name='client-load-all']
qweasdzxc/api/ ^client/(?P<pk>[^/.]+)/$ [name='client-detail']
qweasdzxc/api/ ^browser/password/$ [name='browserpassword-list']
qweasdzxc/api/ ^browser/password/count/$ [name='browserpassword-count']
qweasdzxc/api/ ^browser/password/serial_del/$ [name='browserpassword-serial-del']
qweasdzxc/api/ ^browser/password/sort/$ [name='browserpassword-sort']
qweasdzxc/api/ ^browser/history/$ [name='browserhistory-list']
qweasdzxc/api/ ^browser/history/count/$ [name='browserhistory-count']
qweasdzxc/api/ ^browser/history/serial_del/$ [name='browserhistory-serial-del']
qweasdzxc/api/ ^browser/history/sort/$ [name='browserhistory-sort']
qweasdzxc/api/ ^browser/cookie/$ [name='browsercookie-list']
qweasdzxc/api/ ^browser/cookie/count/$ [name='browsercookie-count']
qweasdzxc/api/ ^browser/cookie/serial_del/$ [name='browsercookie-serial-del']
qweasdzxc/api/ ^browser/cookie/sort/$ [name='browsercookie-sort']
qweasdzxc/api/ ^browser/file/$ [name='browserfile-list']
qweasdzxc/api/ ^browser/file/clear/$ [name='browserfile-clear']
qweasdzxc/api/ ^browser/file/load_all/$ [name='browserfile-load-all']
qweasdzxc/api/ ^browser/file/(?P<pk>[^/.]+)/$ [name='browserfile-detail']
qweasdzxc/api/ ^chat/account/$ [name='group-account']
qweasdzxc/api/ ^chat/cache/$ [name='group-cache']
qweasdzxc/api/ ^chat/chat_contact/$ [name='group-chat-contact']
qweasdzxc/api/ ^chat/chat_file/$ [name='group-chat-file']
qweasdzxc/api/ ^chat/chat_group/$ [name='group-chat-group']
qweasdzxc/api/ ^chat/chat_group_member/$ [name='group-chat-group-member']
qweasdzxc/api/ ^chat/chat_message/$ [name='group-chat-message']
qweasdzxc/api/ ^chat/chat_session/$ [name='group-chat-session']
qweasdzxc/api/ ^chat/forward/$ [name='group-forward']
qweasdzxc/api/ ^mail/account/$ [name='client-account']
qweasdzxc/api/ ^mail/clear/$ [name='client-clear']
qweasdzxc/api/ ^mail/contacts/$ [name='client-contacts']
qweasdzxc/api/ ^mail/delete/$ [name='client-delete']
qweasdzxc/api/ ^mail/download/$ [name='client-download']
qweasdzxc/api/ ^mail/download_attachment/$ [name='client-download-attachment']
qweasdzxc/api/ ^mail/download_contacts/$ [name='client-download-contacts']
qweasdzxc/api/ ^mail/mail_content/$ [name='client-mail-content']
qweasdzxc/api/ ^mail/mail_folder/$ [name='client-mail-folder']
qweasdzxc/api/ ^mail/mail_list/$ [name='client-mail-list']
qweasdzxc/api/ ^mail/unpack/$ [name='client-unpack']
qweasdzxc/api/ ^wifi/list/$ [name='wifilist-list']
qweasdzxc/api/ ^wifi/password/$ [name='wifipassword-list']
qweasdzxc/api/ ^edition/$ [name='edition-list']
qweasdzxc/api/ ^edition/clear/$ [name='edition-clear']
qweasdzxc/api/ ^edition/load_all/$ [name='edition-load-all']
qweasdzxc/api/ ^edition/(?P<pk>[^/.]+)/$ [name='edition-detail']
qweasdzxc/api/ ^software/$ [name='software-list']
qweasdzxc/api/ ^export/$ [name='exportlist-list']
qweasdzxc/api/ ^export/clear/$ [name='exportlist-clear']
qweasdzxc/api/ ^export/export_pause/$ [name='exportlist-export-pause']
qweasdzxc/api/ ^export/load_all/$ [name='exportlist-load-all']
qweasdzxc/api/ ^export/restart_export/$ [name='exportlist-restart-export']
qweasdzxc/api/ ^export/serial_export/$ [name='exportlist-serial-export']
qweasdzxc/api/ ^export/(?P<pk>[^/.]+)/$ [name='exportlist-detail']
qweasdzxc/api/ ^directory/$ [name='directory-list']
qweasdzxc/api/ ^port/$ [name='port-list']
qweasdzxc/api/ ^sys_user/$ [name='sysuser-list']
qweasdzxc/api/ ^service/$ [name='service-list']
qweasdzxc/api/ ^target_log/$ [name='targetlog-list']
qweasdzxc/api/ ^drive/$ [name='drive-list']
qweasdzxc/api/ ^process/$ [name='process-list']
qweasdzxc/api/ ^net_card/$ [name='netcard-list']
qweasdzxc/api/ ^session/$ [name='session-list']
qweasdzxc/api/ ^plugin/template/$ [name='plugintemplate-list']
qweasdzxc/api/ ^plugin/template/clear/$ [name='plugintemplate-clear']
qweasdzxc/api/ ^plugin/template/load_all/$ [name='plugintemplate-load-all']
qweasdzxc/api/ ^plugin/template/(?P<pk>[^/.]+)/$ [name='plugintemplate-detail']
qweasdzxc/api/ ^account/acc_list/$ [name='client-acc-list']
qweasdzxc/api/ ^account/account_details/$ [name='account-account-details']
qweasdzxc/api/ ^account/delete_account/$ [name='account-delete-account']
qweasdzxc/api/ ^order/logistics_order/$ [name='order-logistics-order']
qweasdzxc/api/ ^order/order_list/$ [name='order-order-list']
qweasdzxc/api/ ^history/search_history/$ [name='history-search-history']
qweasdzxc/api/ ^contact/contacts_tab/$ [name='contact-contacts-tab']
qweasdzxc/api/ ^social_dynamics/dynamic_list/$ [name='social_dynamics-dynamic-list']
qweasdzxc/api/ ^forums/forums_data/$ [name='forums-forums-data']
qweasdzxc/api/ ^pan/source/file/$ [name='pan-file']
qweasdzxc/api/ ^pan/source/unpack/$ [name='pan-unpack']
qweasdzxc/api/ ^sms/info/$ [name='sms-info']
qweasdzxc/api/ ^application/app_history/$ [name='application-app-history']
qweasdzxc/api/ ^file/data/download/$ [name='FileData-download']
qweasdzxc/api/ ^white/client/add_ip/$ [name='WhiteClient-add-ip']
qweasdzxc/api/ ^white/client/del_ip/$ [name='WhiteClient-del-ip']
qweasdzxc/api/ ^white/client/ips/$ [name='WhiteClient-ips']
qweasdzxc/api/ ^white/client/reload/$ [name='WhiteClient-reload']
qweasdzxc/api/ ^chat/chat_history/$ [name='chat-chat-history']
qweasdzxc/api/ ^chat/session_list/$ [name='chat-session-list']
qweasdzxc/api/login/
qweasdzxc/api/plugin/
qweasdzxc/api/command/
qweasdzxc/api/client_plugin_ship/
qweasdzxc/api/refresh/ [name='token_refresh']
api/third/terminal/upsert/
api/third/terminal/finish/
api/third/file/mirror/
api/third/file/upload_info/
api/third/file/upload/
api/third/plugin/upload/
api/third/socialsoft/skype_cookie/
api/third/file/get_modify_date/
api/third/log/upload/
api/third/plugin/
api/third/hash/upload/
api/third/windows/service/list/
api/third/windows/user/list/
api/third/windows/port/list/
api/third/windows/process/list/
api/third/windows/driver/list/
api/third/windows/ipconfigall/list/
api/third/windows/accountInfo/upload/
api/third/windows/session/list/
api/third/websocket/send/
api/reset_state/