{
	"id": "a6c14b2c-3fb8-4876-a1d5-92a8fffeb1c0",
	"created_at": "2026-04-06T00:06:31.041207Z",
	"updated_at": "2026-04-10T03:34:57.062517Z",
	"deleted_at": null,
	"sha1_hash": "00882a67f6527bd086f4ae07e055266cde33ca96",
	"title": "Graphican (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 28713,
	"plain_text": "Graphican (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 15:26:35 UTC\r\nAccording to Symantec, Graphican is an evolution of the known APT15 backdoor Ketrican, which itself was\r\nbased on a previous malware - BS2005 - also used by APT15. Graphican has the same basic functionality as\r\nKetrican, with the difference between them being Graphican’s use of the Microsoft Graph API and OneDrive to\r\nobtain its command-and-control (C\u0026C) infrastructure.\r\n[TLP:WHITE] win_graphican_auto (20251219 | Detects win.graphican.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.graphican\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.graphican\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.graphican"
	],
	"report_names": [
		"win.graphican"
	],
	"threat_actors": [
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433991,
	"ts_updated_at": 1775792097,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/00882a67f6527bd086f4ae07e055266cde33ca96.pdf",
		"text": "https://archive.orkl.eu/00882a67f6527bd086f4ae07e055266cde33ca96.txt",
		"img": "https://archive.orkl.eu/00882a67f6527bd086f4ae07e055266cde33ca96.jpg"
	}
}