The Shrouded Crossbow group has been active since 2010, typically targeting companies that are closely tied to governments and key industries in Asia. Common targets include government contractors, privatized government agencies, and companies in consumer electronics, the computer industry, the healthcare sector, and the financial industry. The group is estimated to have about ten members and to be well resourced. Rather than developing its own attack kits and malware, the group uses those resources to purchase source code and tools from other authors, and its members then modify the code to suit their own requirements.
The group employs the BIFROSE/Bifrost, KIVARS, and XBOW backdoors in its attacks. As an indicator of the resources available to the group, Trend Micro notes that the BIFROSE backdoor has sold for more than $10,000 on underground sites. BIFROSE has been around for about a decade and has been used in spam campaigns against NATO and United States government agencies. It is a remote access Trojan (RAT) that establishes a persistent presence on the victim machine and then deploys tools to capture keystrokes, screenshots, and confidential information. Trend Micro believes that the group purchased the BIFROSE source code, then developed a new installer, created unique loader-backdoor pairs, and simplified the backdoor's capabilities, resulting in KIVARS. KIVARS is also available as a 64-bit variant.