{
	"id": "14e94650-82fc-4712-add2-a97d3f043961",
	"created_at": "2026-04-06T00:11:14.448352Z",
	"updated_at": "2026-04-10T03:37:20.216974Z",
	"deleted_at": null,
	"sha1_hash": "017b7e7f77b4d401877a17d140da737346d2acb9",
	"title": "What’s with the shared VBA code between Transparent Tribe and other threat actors?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3259673,
	"plain_text": "What’s with the shared VBA code between Transparent Tribe and other threat actors?\r\nBy Vanja Svajcer\r\nPublished: 2022-02-09 · Archived: 2026-04-05 20:38:58 UTC\r\nRecently, we've been researching several threat actors operating in South Asia, such as Transparent Tribe and SideCopy, that deploy a range of remote access trojans (RATs). After a hunting session in our malware sample repositories and VirusTotal while looking into these actors, we gathered a small collection of VBA code samples that eventually allowed us to connect certain IOCs to individual threat actors based on the final payload, victimology and submission locations. For example, if the final payload was a CrimsonRAT or ObliqueRAT sample, we would attribute the VBA code to the Transparent Tribe group.\r\nWe then created specific rules to hunt for earlier Transparent Tribe-related malicious documents and found several samples attributed to the group. Interestingly, we also found a smaller subset of samples that could not be immediately attributed to Transparent Tribe. We decided to dig a bit deeper into the anomaly and conducted additional analysis of the VBA code and payload, which could not be easily attributed to any known group.\r\nInitial assertions on the origins of the samples we were researching.\r\nWhen these samples were first discovered, security researchers attributed them to either the Sidewinder or Donot groups. Now, considering that Transparent Tribe focuses on targets in India, while Sidewinder and Donot have been reported to focus their activities on targets in Pakistan, it was particularly interesting to find out that the VBA code of potentially opposing groups reuses portions of the same code.\r\nhttps://blog.talosintelligence.com/2022/02/whats-with-shared-vba-code.html\r\nPage 1 of 17\r\nHistorical Transparent Tribe VBA code\r\nTransparent Tribe (APT36) is a group that has operated in South Asia for more than five years. The lures they use in their malicious documents indicate that their targets are Indian government and military organizations. The main payloads employed by Transparent Tribe in most of their associated campaigns are variants of the Crimson and Oblique RATs, which indicates that the objective of their activity is obtaining a foothold and persistent remote access.\r\nTheir initial infection vector is usually email, purporting to come from official sources and containing a lure, which can be a Word document or, more often, an Excel spreadsheet. For the purposes of this post, we're focusing on Excel VBA code and its evolution over time. Here, we see an early example of the VBA code employed by Transparent Tribe in May 2019.\r\nThe code establishes a hardcoded destination path for one or more payload files and then uses a text field of a user-defined form to get the content of the payload to be dropped to disk. The payload is stored as an ASCII-encoded string of hexadecimal byte values separated by a specific separator. The string needs to be converted into a binary byte array before it is written to disk as a ZIP compressed file. The conversion is executed in a for-each loop iterating over the content of the string and converting every two characters into a binary byte with the help of the CByte conversion function.\r\nMay 2019 Transparent Tribe VBA code.\r\nThere are at least three fairly unique elements of the code we can use to hunt for additional similar samples: the unique destination folder path, the user-defined form containing the payload in an executable or a ZIP format, and the for-each loop iterating over the content of the form's text field. We used those elements to retroactively hunt for similar samples and found samples that were attributed to other groups.\r\nLater Transparent Tribe example from April 2021.\r\nHistorical Donot team VBA code\r\nThe Donot threat actor (aka APT-C-35) has operated in South Asia for more than five years. Although some of their TTPs are similar to Transparent Tribe, they focus their operations on Pakistani government and military organizations. They also use email, but are known to be focused on installing malicious Android apps. Several samples containing the remote code execution exploit for CVE-2017-11882 have also been attributed to the group. Here, we are looking at the VBA code of the malicious spreadsheets used to install custom-made remote access trojans, keylogging and exfiltration tools.\r\nWe found a few examples of Donot VBA code, specifically from 2018 and September 2021. The similarities in the code are immediately visible, as are similarities to the Transparent Tribe code. Our records indicate that the Donot VBA code predates the Transparent Tribe code, although our confidence in that is low.\r\nEarly 2018 Donot VBA code example.\r\nOne interesting aspect of the Donot VBA code is that it often contains a fake error message which is displayed to the user before or after the payload is dropped and executed. The fake message is shown below as part of a September 2021 PowerPoint sample discovered in December 2021.\r\nFake PowerPoint message displayed by the Donot VBA code.\r\nSeptember 2021 Donot VBA code sample.\r\nHangover VBA code\r\nOperation Hangover may be another alias for the Donot group, but it is sometimes referred to as a separate group on its own. Since the operations of Donot and Operation Hangover are sometimes tracked as separate attacks, we cannot be certain they are the same group, though based on code similarities we can assume they're closely related.\r\nEarly July 2019 Operation Hangover example.\r\nSduser code\r\nIn June 2021, while hunting for Transparent Tribe samples, we discovered the malicious Excel spreadsheet \"Exports promotion highlits may 2021.xls\" that attempted to drop a previously unknown RAT. This was followed in July by the discovery of the closely related spreadsheet \"List of Nomination of the Candidates1.xltm\". We decided to call these samples internally \"SDuser\" samples, based on the specific PDB string left in the binary payload.\r\nAt the time, we quickly realized there are similarities between the VBA code of these samples and Transparent Tribe VBA code. However, we can see that the similarity between SDuser VBA code and Donot VBA code is also strong, with all the well-known elements:\r\nSetting of the path to the folder for the payload.\r\nUsing VBA forms to store the payload with a specific separator character.\r\nUsing CByte to convert the hexadecimal strings into a binary byte array.\r\nDisplaying a fake Excel error message.\r\nSDUser (Donot?) VBA dropper June 2021.\r\nSDUser (Donot?) VBA dropper July 2021.\r\nNot only was this interesting because it was similar code, but because it was shared between APT groups that had completely opposing targets. While Transparent Tribe is focusing on organizations in India, Donot is focusing on organizations in Pakistan and China.\r\nSduser binary payloads\r\nAlthough the majority of this post is dedicated to similarities in the VBA code of the opposing APT groups, we feel it is important to document the binary payloads discovered in the same period, as they can shed some light on the objectives of the actors behind the SDuser campaigns.\r\nThe samples were found on VirusTotal based on the PDB path \"C:\\Users\\SDUSER\\source\\repos\", which was left by the developers in the payload. Overall, there were almost 30 samples uploaded to VirusTotal, belonging to seven different projects:\r\nMal – January 2021\r\nTest – January 2021\r\n12324 – January 2021\r\nEvading____ – February 2021\r\nConsoleApplication4 – March 2021\r\nObfuscating shellcode – March 2021\r\nWindowsSecurity – June 2021\r\nThe functionality of the payloads was quite similar. From the upload of the first sample in January, there were three main areas where the group experimented:\r\nCommand and control protocol\r\nAnti-sandboxing techniques\r\nReverse shell mechanism\r\nThe majority of samples uploaded to VirusTotal were part of the WindowsSecurity project and contained parts of the functionality developed by the earlier projects.\r\nAnti-sandboxing checks in the Main function of the WindowsSecurity project.\r\nThe WindowsSecurity payload starts with the following anti-sandboxing checks:\r\nThere are two or more processor cores in the system.\r\nThere is more than 2GB of RAM installed on the system.\r\nThe mouse cursor has moved sufficiently far between two position checks.\r\nThere are more than 50 processes running on the infected system.\r\nConsoleApplication4, anti-sandboxing checks in the most recent payload.\r\nIn the most recent payload, the ConsoleApplication4 project, the attackers added anti-sandboxing checks for sufficient hard drive capacity on the infected system as well as for the presence of VirtualBox artefacts.\r\nThe payload also checks the registry for the history of USB devices added to the system. If no USB devices are detected, the payload will simply exit without connecting to the C2 server. A similar check runs for the recently opened files. The malware will continue with execution only if there are at least two recently opened files.\r\nThe objective of most of the fully functioning payloads is to launch a reverse shell to connect to an attacker-controlled C2 server. The attackers are experimenting with Metasploit payloads, but in the payloads dropped by the Sduser malicious documents a simple redirection of cmd.exe standard input and output to a socket connected to an attacker-controlled host is used.\r\nSome payloads also employ the Telegram API and may use it to communicate with the attackers.\r\nSetting C2 channels and launching the reverse shell in the Main function of WindowsSecurity.\r\nFinding similarity with computer algorithms\r\nAlthough it is very easy for a human to spot similar patterns in code, this process is not so simple and obvious for computer programs. A lot of work has been done on code and text similarity in the fields of malicious code analysis and plagiarism detection to find the closest similarities.\r\nFor the purpose of this research, we chose a few algorithms that were relatively easy to implement in Python, focusing on the Normalized Compression Distance, the Jaccard index, the Winnowing algorithm for fingerprinting documents and the Python standard difflib comparison library.\r\nFor demonstration, we chose a small subset of all samples and compared them using various similarity/distance metrics.\r\nNormalized Compression Distance\r\nNormalized compression distance (NCD) is derived from the information distance, a concept that is related to Kolmogorov complexity. The absolute information distance between two binary strings can be expressed as the length of a minimal program which can be created to convert one string into the other.\r\nFor the purpose of comparing two strings, the distance should be normalized to values from 0 to 1, with smaller values indicating stronger similarity between the strings we are comparing.\r\nUnfortunately, calculating the information distance as well as the normalized information distance has been proven to be not computable, due to the undecidability of the halting problem. Luckily, it has been found that the normalized compression distance can be a good approximation of the normalized information distance.\r\nNCD can be expressed as a ratio of lengths of strings compressed with a compression function. The compression function can be any well-known compression algorithm such as deflate or bzip2, although in practice, for shorter strings, better results are obtained by using lzma.\r\nNCD works well for any binary string and it can also successfully be applied to unpacked PE executables. However, in our testing, for all comparison methods, we decided to first extract the VBA code from the generated olevba JSON output.\r\nAs the compression algorithm we used lzma and expressed NCD in Python code as a normalized ratio of the length of the compressed concatenated strings and the lengths of the standalone compressed strings.\r\nNCD expressed in Python code.\r\nJaccard distance\r\nThe Jaccard index is a metric which is often used in clustering algorithms and is a measure of the number of common elements in two sets. It is defined as the size of the intersection of two sets divided by the size of their union. It's a measure of similarity for the two sets of data, with a range from 0% to 100%. The higher the percentage, the more similar the two populations. Although it's easy to interpret, it is extremely sensitive to small sample sizes and may give erroneous results, especially with very small samples or data sets with missing observations.\r\nThe Jaccard distance is simply the complement of the Jaccard index. In our research we simply split the code into words and use the words as the elements of the sets we are comparing. NLTK, Python's framework for natural language processing, contains a function that calculates the Jaccard distance.\r\nWinnowing fingerprinting\r\nThe Winnowing algorithm is often used to detect code similarity and plagiarism in students' work at universities, but it can also be used for general code similarity.\r\nThe advantage of the algorithm is that it can scale by significantly reducing the number of comparisons of n-gram fingerprints compared to a naive comparison of hashes generated for each n-gram in the document.\r\nIn our case, we can limit the size of the window for fingerprint generation to create a larger number of fingerprints for comparison, as the number of files in our test is small. In addition to that, a lexer is used to tokenize the code so that simple substitution of variable and function names is easily detected.\r\nFor our test we used the Python copydetect module, which can be used to visualize the similarity matrix from the Winnowing comparison and highlight detected similarities in the code, which cannot be done with the NCD and Jaccard similarity algorithms we used.\r\nCopydetect uses the Pygments syntax-highlighting module for lexing, which is convenient, as it supports over 300 languages. Specifically, we used lexers for vb.net and vbscript and obtained similar results.\r\nSimilarities between the sduser1 and tt2 samples as detected by copydetect.\r\nPython difflib\r\nDifflib does not perform and scale as well as Winnowing, but it is still acceptable for the purpose of comparing a small number of code snippets. The module is based on a string comparison algorithm published in the late 1980s by Ratcliff and Obershelp, and it also has the ability to display similarities detected between the two compared documents.\r\nSimilarity algorithm comparison\r\nWe ran all algorithms over the small subset of seven VBA code samples (from the IOC section) and compared their results to estimate their success in detecting similarities in the code of the opposing APT groups.\r\nComparison of similarity algorithms on a small sample subset.\r\nThe findings show that the algorithm results are comparable and that they indicate code reuse between the following samples:\r\nSignificant overlap between sduser1 and the tt1 and tt2 code.\r\nSignificant overlap between sduser1 and sduser2 code.\r\nSignificant overlap between donot2 and hang1 code.\r\nSmaller overlap between hang1 and sduser1 code.\r\nIn tests, multiple algorithms can be used to improve the reliability of the results.\r\nSummary\r\nSimilarities of the VBA code between different groups in South Asia have been previously mentioned by Tencent, but here we discussed them in detail. The code reuse, which is easily visible to the human eye, is confirmed by objective code similarity detection methods.\r\nOne of the strengths of software engineering is the ability to share code, to build applications on top of libraries written by others, and to learn from the successes and failures of other software engineers. The same is true for threat actors. Two different threat actors may use code from the same source in their attacks, which means that their attacks would display similarities, despite being conducted by different groups.\r\nFalse flag operations are common in warfare, when one of the sides mimics the TTPs of their opponents in order to falsely attribute their activities and improve the chances of operational success. This is also commonly seen with cyber threat actors, with known examples such as the Olympic Destroyer campaign, and it is likely to continue in the future.\r\nCode sharing between threat actors is to be expected. Open-source tools are a useful source of functionality, and techniques adopted from successful attacks conducted by other groups are likely to be sources of misleading evidence leading to false attribution.\r\nWe can expect sophisticated threat actors to continue to take advantage of code reuse and false flags, to integrate evidence designed to fool analysts and lead to attribution of their attacks to other groups. Attribution is already difficult and it is unlikely to become easier.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nIOCs\r\nMaldocs\r\n9ce56e1403469fc74c8ff61dde4e83ad72597c66ce07bbae12fa70183687b32d - Feb 2018 Donot sample (label donot1)\r\n5efde4441e4184c36a0dec9e7da4b87769a574b891862acdb4c3321d18cbca69 - Sept 2021 Donot sample (label donot2)\r\n386ed7ba502e7bf0e60c546476c1c762cbc951eb2a2ba1f5b505be08d60310ef - May 2019 Transparent Tribe sample (label tt1)\r\ndbb9168502e819619e94d9dc211d5f4967d8083ac5f4f67742b926abb04e6676 - April 2021 Transparent Tribe sample (label tt2)\r\n56349cf3188a36429c207d425dd92d8d57553b1f43648914b44965de2bd63dd6 - July 2019 \"Operation Hangover\" sample (label hang1)\r\na3c020bf50d39a58f5345b671c43d790cba0e2a3f631c5182437976adf970633 - June 2021 SDuser sample (label sduser1)\r\n3bbae53fc00449166fd9255b3f3192deba0b81b41b6e173d454c398a857b5094 - July 2021 SDuser sample (label sduser2)\r\nSduser payloads\r\nHosts\r\nmicrosoft-updates.servehttp.com\r\nmicrosoft-patches.servehttp.com\r\nmicrosoft-docs.myftp.org\r\nIP address\r\n45.153.240.66 - possible connection with the Sidewinder group\r\n46.30.188.222\r\nSource: https://blog.talosintelligence.com/2022/02/whats-with-shared-vba-code.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2022/02/whats-with-shared-vba-code.html"
	],
	"report_names": [
		"whats-with-shared-vba-code.html"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2ac63ef4-a7b8-4a30-96ad-b30ccb2073fc",
			"created_at": "2022-10-25T16:07:23.546262Z",
			"updated_at": "2026-04-10T02:00:04.651083Z",
			"deleted_at": null,
			"main_name": "Donot Team",
			"aliases": [
				"APT-C-35",
				"Mint Tempest",
				"Origami Elephant",
				"SectorE02"
			],
			"source_name": "ETDA:Donot Team",
			"tools": [
				"BackConfig",
				"EHDevel",
				"Jaca",
				"yty"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "88854a9f-641a-4412-89db-449b4d5cbc51",
			"created_at": "2022-10-25T16:07:23.963599Z",
			"updated_at": "2026-04-10T02:00:04.810023Z",
			"deleted_at": null,
			"main_name": "Operation HangOver",
			"aliases": [
				"G0042",
				"Monsoon",
				"Operation HangOver",
				"Viceroy Tiger"
			],
			"source_name": "ETDA:Operation HangOver",
			"tools": [
				"AutoIt backdoor",
				"BADNEWS",
				"BackConfig",
				"JakyllHyde",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7b039cc0-33b6-495a-b4ca-649d096b993d",
			"created_at": "2023-01-06T13:46:38.482654Z",
			"updated_at": "2026-04-10T02:00:02.99265Z",
			"deleted_at": null,
			"main_name": "APT22",
			"aliases": [
				"G0039",
				"Suckfly",
				"BRONZE OLIVE",
				"Group 46"
			],
			"source_name": "MISPGALAXY:APT22",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1d63fba2-f042-41ca-8a72-64c6e737d295",
			"created_at": "2025-08-07T02:03:24.643647Z",
			"updated_at": "2026-04-10T02:00:03.719558Z",
			"deleted_at": null,
			"main_name": "BRONZE OLIVE",
			"aliases": [
				"APT22 ",
				"Barista",
				"Group 46 ",
				"Suckfly "
			],
			"source_name": "Secureworks:BRONZE OLIVE",
			"tools": [
				"Angryrebel",
				"DestroyRAT",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd350b-de30-4d29-bbee-28159f26c8c2",
			"created_at": "2023-01-06T13:46:38.433736Z",
			"updated_at": "2026-04-10T02:00:02.972971Z",
			"deleted_at": null,
			"main_name": "VICEROY TIGER",
			"aliases": [
				"OPERATION HANGOVER",
				"Donot Team",
				"APT-C-35",
				"SectorE02",
				"Orange Kala"
			],
			"source_name": "MISPGALAXY:VICEROY TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434274,
	"ts_updated_at": 1775792240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/017b7e7f77b4d401877a17d140da737346d2acb9.pdf",
		"text": "https://archive.orkl.eu/017b7e7f77b4d401877a17d140da737346d2acb9.txt",
		"img": "https://archive.orkl.eu/017b7e7f77b4d401877a17d140da737346d2acb9.jpg"
	}
}