{
	"id": "9c942bbf-968a-475e-8547-6a3ca9dcb318",
	"created_at": "2026-04-06T00:22:29.26567Z",
	"updated_at": "2026-04-10T03:36:00.017868Z",
	"deleted_at": null,
	"sha1_hash": "0216959614e185c6a6fff8933983768369f5d052",
	"title": "Evasive Panda APT group delivers malware via updates for popular Chinese software",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 424225,
	"plain_text": "Evasive Panda APT group delivers malware via updates for popular\r\nChinese software\r\nBy Facundo Muñoz\r\nArchived: 2026-04-05 14:13:16 UTC\r\nESET researchers have discovered a campaign that we attribute to the APT group known as Evasive Panda, where update\r\nchannels of legitimate applications were mysteriously hijacked to deliver the installer for the MgBot malware, Evasive\r\nPanda’s flagship backdoor.\r\nKey points of the report:\r\nUsers in mainland China were targeted with malware delivered through updates for software developed by Chinese\r\ncompanies.\r\nWe analyze the competing hypotheses of how the malware could have been delivered to targeted users.\r\nWith high confidence we attribute this activity to the Evasive Panda APT group.\r\nWe provide an overview of Evasive Panda’s signature backdoor MgBot and its toolkit of plugin modules.\r\nEvasive Panda profile\r\nEvasive Panda (also known as BRONZE HIGHLAND and Daggerfly) is a Chinese-speaking APT group, active since at\r\nleast 2012. ESET Research has observed the group conducting cyberespionage against individuals in mainland China, Hong\r\nKong, Macao, and Nigeria. Government entities were targeted in China, Macao, and Southeast and East Asian countries,\r\nspecifically Myanmar, the Philippines, Taiwan, and Vietnam, while other organizations in China and Hong Kong were also\r\ntargeted. According to public reports, the group has also targeted unknown entities in Hong Kong, India, and Malaysia.\r\nThe group implements its own custom malware framework with a modular architecture that allows its backdoor, known as\r\nMgBot, to receive modules to spy on its victims and enhance its capabilities.\r\nCampaign overview\r\nIn January 2022, we discovered that while performing updates, a legitimate Chinese application had received an installer for\r\nthe Evasive Panda MgBot backdoor. 
During our investigation, we discovered that the malicious activity went back to 2020.\r\nChinese users were the focus of this malicious activity, which ESET telemetry shows starting in 2020 and continuing\r\nthroughout 2021. The targeted users were located in the Gansu, Guangdong, and Jiangsu provinces, as shown in Figure 1.\r\nhttps://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/\r\nPage 1 of 8\n\nFigure 1. Map of China showing where users were targeted\r\nThe majority of the Chinese victims are members of an international NGO that operates in two of the previously mentioned\r\nprovinces.\r\nOne additional victim was also discovered to be located in the country of Nigeria.\r\nAttribution\r\nEvasive Panda uses a custom backdoor known as MgBot, which was publicly documented in 2014 and has seen little\r\nevolution since then; to the best of our knowledge, the backdoor has not been used by any other group. In this cluster of\r\nmalicious activity, only the MgBot malware was observed deployed on victimized machines, along with its toolkit of\r\nplugins. Therefore, with high confidence we attribute this activity to Evasive Panda.\r\nTechnical analysis\r\nDuring our investigation, we discovered that when performing automated updates, a legitimate application software\r\ncomponent downloaded MgBot backdoor installers from legitimate URLs and IP addresses.\r\nIn Table 1, we provide the URL from where the download originated, according to ESET telemetry data, including the IP\r\naddresses of the servers, as resolved at the time by the user’s system. According to passive DNS records, all of these IP\r\naddresses match the observed domains; therefore, we believe that these IP addresses are legitimate.\r\nTable 1. 
Malicious download locations according to ESET telemetry\r\nURL | First seen | Domain IP | ASN | Downloader\r\nhttp://update.browser.qq[.]com/qmbs/QQ/QQUrlMgr_QQ88_4296.exe | 2020‑11‑02 | 123.151.72[.]74; 183.232.96[.]107; 61.129.7[.]35 | AS58542; AS56040; AS4811 | QQUrlMgr.exe, QQ.exe, QQLive.exe, QQCall\u003cXX\u003e.exe\r\nHypotheses of compromise\r\nWhen we analyzed the likelihood of several methods that could explain how the attackers managed to deliver malware\r\nthrough legitimate updates, we were left with two scenarios: supply-chain compromise, and adversary-in-the-middle attacks.\r\nFor both scenarios we will also take into account antecedents of similar attacks by other Chinese-speaking APT groups.\r\nTencent QQ is a popular Chinese chat and social media service. In the next sections, we will use the Tencent QQ Windows\r\nclient software updater, QQUrlMgr.exe (listed in Table 1), for our examples, given that we have the highest number of\r\ndetections from downloads by this particular component.\r\nSupply-chain compromise scenario\r\nGiven the targeted nature of the attacks, we speculate that attackers would have needed to compromise the QQ update\r\nservers to introduce a mechanism to identify the targeted users to deliver them the malware, filtering out non-targeted users\r\nand delivering them legitimate updates – we registered cases where legitimate updates were downloaded through the same\r\nabused protocols.\r\nWhile not an Evasive Panda case, a prime example of this type of compromise is in our report Operation NightScout:\r\nSupply‑chain attack targets online gaming in Asia, where attackers compromised the update servers of a software developer\r\ncompany based in Hong Kong. According to our telemetry, more than 100,000 users had the BigNox software installed, but\r\nonly five had malware delivered through an update. 
We suspect that the attackers compromised the BigNox API on the\r\nupdate server to reply to the updater component on the machines of targeted users with a URL to a server where the\r\nattackers hosted their malware; non-targeted users were sent the legitimate update URL.\r\nBased on that antecedent, in Figure 2 we illustrate how the supply-chain compromise scenario could have unfolded\r\naccording to observations in our telemetry. Still, we must warn the reader that this is purely speculation and based on our\r\nstatic analysis, with very limited information, of QQUrlMgr.exe (SHA-1:\r\nDE4CD63FD7B1576E65E79D1D10839D676ED20C2B).\r\nFigure 2. Sequence diagram of the hypothesized supply-chain compromise\r\nIt is also worth noting that during our research we were never able to retrieve a sample of the XML “update” data – neither a\r\nlegitimate, nor a malicious, XML sample – from the server contacted by QQUrlMgr.exe. The “update check” URL is\r\nhardcoded, in obfuscated form, in the executable, as shown in Figure 3.\r\nFigure 3. Obfuscated URL in the legitimate QQUrlMgr.exe binary\r\nDeobfuscated, the complete update check URL is:\r\nhttp://c.gj.qq[.]com/fcgi-bin/busxml?busid=20\u0026supplyid=30088\u0026guid=CQEjCF9zN8Zdyzj5S6F1MC1RGUtw82B7yL+hpt9/gixzExnawV3y20xaEdtektfo\u0026dm=0\r\nThe server responds with XML-formatted data encoded with base64 and encrypted with an implementation of the TEA\r\nalgorithm using a 128-bit key. This data contains instructions to download and execute a file, along with other information.\r\nSince the decryption key is also hardcoded, as shown in Figure 4, it could be known to the attackers.\r\nFigure 4. 
Hardcoded key in the legitimate QQUrlMgr.exe binary\r\nQQUrlMgr.exe then downloads the indicated file, unencrypted, via HTTP and hashes its contents with the MD5 algorithm.\r\nThe result is checked against a hash present in the update check response XML data, as seen in Figure 5. If the hashes\r\nmatch, QQUrlMgr.exe executes the downloaded file. This reinforces our hypothesis that the attackers would need to control\r\nthe XML server-side mechanism in the update server to be able to provide the correct MD5 hash of the malware installer.\r\nFigure 5. QQUrlMgr.exe code that orchestrates the download of the update\r\nWe believe that this scenario would explain our observations; however, many questions are left unanswered. We reached out\r\nto Tencent’s Security Response Center to confirm the legitimacy of the full URL from where the malware was downloaded;\r\nupdate.browser.qq[.]com is – at the time of writing – unreachable, but Tencent could not confirm whether the full URL was\r\nlegitimate.\r\nAdversary-in-the-middle scenario\r\nOn 2022-06-02, Kaspersky published a research report about the capabilities of the Chinese-speaking LuoYu APT group and\r\ntheir WinDealer malware. 
Similar to what we observed in this cluster of Evasive Panda victims, their researchers found that,\r\nsince 2020, victims of LuoYu had received the WinDealer malware through updates via the legitimate application\r\nqgametool.exe from the PPTV software, also developed by a Chinese company.\r\nWinDealer has a puzzling capability: instead of carrying a list of established C\u0026C servers to contact in case of a successful\r\ncompromise, it generates random IP addresses in the 13.62.0.0/15 and 111.120.0.0/14 ranges from China Telecom AS4134.\r\nAlthough a small coincidence, we noticed that the IP addresses of the targeted Chinese users at the time of receiving the\r\nMgBot malware were in the AS4134 and AS4135 IP address ranges.\r\nPossible explanations for what makes such a C\u0026C scheme workable are that LuoYu either controls a large number of\r\ndevices with IP addresses in those ranges, or is able to perform adversary-in-the-middle (AitM) or attacker-on-the-side\r\ninterception on the infrastructure of that particular AS.\r\nAitM styles of interception would be possible if the attackers – either LuoYu or Evasive Panda – were able to compromise\r\nvulnerable devices such as routers or gateways. As an antecedent, in 2019 ESET researchers discovered that the Chinese\r\nAPT group known as BlackTech was performing AitM attacks through compromised ASUS routers and delivering the Plead\r\nmalware through ASUS WebStorage software updates.\r\nWith access to ISP backbone infrastructure – through legal or illegal means – Evasive Panda would be able to intercept and\r\nreply to the update requests performed via HTTP, or even modify packets on the fly. 
In April 2023, Symantec researchers\r\nreported on Evasive Panda targeting a telecommunications organization in Africa.\r\nWrap-up\r\nUltimately, without further evidence, we cannot prove or discard one hypothesis in favor of the other, given that such\r\ncapabilities are at hand for Chinese APT groups.\r\nToolset\r\nMgBot\r\nMgBot is the primary Windows backdoor used by Evasive Panda, which according to our findings has existed since at least\r\n2012 and, as mentioned in this blog post, was publicly documented at VirusBulletin in 2014. It was developed in C++ with\r\nan object-oriented design, and has the capabilities to communicate via TCP and UDP, and extend its functionality via plugin\r\nmodules.\r\nMgBot’s installer and backdoor, and their functionality, have not changed significantly since it was first documented. Its\r\nchain of execution is the same as described in this report by Malwarebytes from 2020.\r\nMgBot Plugins\r\nMgBot’s modular architecture allows it to extend its functionality by receiving and deploying modules on the compromised\r\nmachine. Table 2 lists the known plugins and their functionality. It is important to note that the plugins don’t have unique\r\ninternal identification numbers; therefore we are identifying them here by their DLL names on disk, which we have never\r\nseen change.\r\nTable 2. List of plugin DLL files\r\nPlugin DLL name Overview\r\nKstrcs.dll\r\nKeylogger.\r\n  It only actively logs keystrokes when the foreground window belongs to a process named\r\nQQ.exe and the window title matches QQEdit. 
Its likely target is the Tencent QQ chat\r\napplication.\r\nsebasek.dll\r\nFile stealer.\r\n  Has a configuration file that enables the collection of files from different sources: HDDs, USB\r\nthumb drives, and CD-ROMs; as well as criteria based on the file properties: filename must\r\ncontain a keyword from a predefined list, file size must be between a defined minimum and\r\nmaximum size.\r\nCbmrpa.dll Captures text copied to the clipboard and logs information from the USBSTOR registry key.\r\npRsm.dll Captures input and output audio streams.\r\nmailLFPassword.dll\r\nCredential stealer.\r\n  Steals credentials from Outlook and Foxmail email client software.\r\nagentpwd.dll\r\nCredential stealer.\r\n  Steals credentials from Chrome, Opera, Firefox, Foxmail, QQBrowser, FileZilla, and WinSCP,\r\namong others.\r\nqmsdp.dll\r\nA complex plugin designed to steal the content from the Tencent QQ database that stores the\r\nuser’s message history. This is achieved by in-memory patching of the software component\r\nKernelUtils.dll and dropping a fake userenv.dll DLL.\r\nwcdbcrk.dll Information stealer for Tencent WeChat.\r\nGmck.dll Cookie stealer for Firefox, Chrome, and Edge.\r\nThe majority of the plugins are designed to steal information from highly popular Chinese applications such as QQ, WeChat,\r\nQQBrowser, and Foxmail – all of them applications developed by Tencent.\r\nConclusion\r\nWe discovered a campaign that we attribute to the Evasive Panda APT group, targeting users in mainland China, delivering\r\ntheir MgBot backdoor through update protocols of applications from well-known Chinese companies. 
We also analyzed the\r\nplugins of the MgBot backdoor and found the majority of them are designed to spy on users of Chinese software by stealing\r\ncredentials and information.\r\nIoCs\r\nFiles\r\nSHA-1 Filename Detection Description\r\n10FB52E4A3D5D6BDA0D22BB7C962BDE95B8DA3DD wcdbcrk.dll Win32/Agent.VFT MgBot information st\r\nE5214AB93B3A1FC3993EF2B4AD04DFCC5400D5E2 sebasek.dll Win32/Agent.VFT MgBot file stealer plu\r\nD60EE17418CC4202BB57909BEC69A76BD318EEB4 kstrcs.dll Win32/Agent.VFT MgBot keylogger plug\r\n2AC41FFCDE6C8409153DF22872D46CD259766903 gmck.dll Win32/Agent.VFT MgBot cookie stealer\r\n0781A2B6EB656D110A3A8F60E8BCE9D407E4C4FF qmsdp.dll Win32/Agent.VFT MgBot information st\r\n9D1ECBBE8637FED0D89FCA1AF35EA821277AD2E8 pRsm.dll Win32/Agent.VFT MgBot audio capture\r\n22532A8C8594CD8A3294E68CEB56ACCF37A613B3 cbmrpa.dll Win32/Agent.ABUJ MgBot clipboard text \r\n970BABE49945B98EFADA72B2314B25A008F75843 agentpwd.dll Win32/Agent.VFT MgBot credential stea\r\n8A98A023164B50DEC5126EDA270D394E06A144FF maillfpassword.dll Win32/Agent.VFT MgBot credential stea\r\n65B03630E186D9B6ADC663C313B44CA122CA2079 QQUrlMgr_QQ88_4296.exe Win32/Kryptik.HRRI MgBot installer.\r\nNetwork\r\nIP Provider First seen Details\r\n122.10.88[.]226 AS55933 Cloudie Limited 2020-07-09 MgBot C\u0026C server.\r\n122.10.90[.]12 AS55933 Cloudie Limited 2020-09-14 MgBot C\u0026C server.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 12 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1583.004 | Acquire Infrastructure: Server | Evasive Panda acquired servers to be used for C\u0026C infrastructure.\r\nResource Development | T1587.001 | Develop Capabilities: Malware | Evasive Panda develops its custom MgBot backdoor and plugins, including obfuscated loaders.\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | MgBot’s installer launches the service from BAT files with the command net start AppMgmt.\r\nExecution | T1106 | Native API | MgBot’s installer uses the CreateProcessInternalW API to execute rundll32.exe to load the backdoor DLL.\r\nExecution | T1569.002 | System Services: Service Execution | MgBot is executed as a Windows service.\r\nPersistence | T1543.003 | Create or Modify System Process: Windows Service | MgBot replaces the path of the existing Application Management service DLL with its own.\r\nPrivilege Escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | MgBot performs UAC Bypass.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | MgBot's installer decrypts an embedded CAB file that contains the backdoor DLL.\r\nDefense Evasion | T1112 | Modify Registry | MgBot modifies the registry for persistence.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | MgBot’s installer contains embedded malware files and encrypted strings. MgBot contains encrypted strings. 
MgBot plugins contain embedded DLL files.\r\nDefense Evasion | T1055.002 | Process Injection: Portable Executable Injection | MgBot can inject Portable Executable files to remote processes.\r\nCredential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | MgBot plugin module agentpwd.dll steals credentials from web browsers.\r\nCredential Access | T1539 | Steal Web Session Cookie | MgBot plugin module Gmck.dll steals cookies.\r\nDiscovery | T1082 | System Information Discovery | MgBot collects system information.\r\nDiscovery | T1016 | System Network Configuration Discovery | MgBot has the capability to recover network information.\r\nDiscovery | T1083 | File and Directory Discovery | MgBot has the capability of creating file listings.\r\nCollection | T1056.001 | Input Capture: Keylogging | MgBot plugin module kstrcs.dll is a keylogger.\r\nCollection | T1560.002 | Archive Collected Data: Archive via Library | MgBot’s plugin module sebasek.dll uses aPLib to compress files staged for exfiltration.\r\nCollection | T1123 | Audio Capture | MgBot’s plugin module pRsm.dll captures input and output audio streams.\r\nCollection | T1119 | Automated Collection | MgBot’s plugin modules capture data from various sources.\r\nCollection | T1115 | Clipboard Data | MgBot’s plugin module Cbmrpa.dll captures text copied to the clipboard.\r\nCollection | T1025 | Data from Removable Media | MgBot’s plugin module sebasek.dll collects files from removable media.\r\nCollection | T1074.001 | Data Staged: Local Data Staging | MgBot’s plugin modules stage data locally on disk.\r\nCollection | T1114.001 | Email Collection: Local Email Collection | MgBot’s plugin modules are designed to steal credentials and email information from several applications.\r\nCollection | T1113 | Screen Capture | MgBot can capture screenshots.\r\nCommand and Control | T1095 | Non-Application Layer Protocol | MgBot communicates with its C\u0026C through TCP and UDP protocols.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | MgBot performs exfiltration of collected data via C\u0026C.\r\nSource: https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/"
	],
	"report_names": [
		"evasive-panda-apt-group-malware-updates-popular-chinese-software"
	],
	"threat_actors": [
		{
			"id": "068b67c8-604c-4272-b808-350413fa9ee3",
			"created_at": "2022-10-25T16:07:23.975708Z",
			"updated_at": "2026-04-10T02:00:04.816253Z",
			"deleted_at": null,
			"main_name": "Operation NightScout",
			"aliases": [],
			"source_name": "ETDA:Operation NightScout",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b72c2616-cc7c-4c47-a83d-6b7866b94746",
			"created_at": "2023-01-06T13:46:39.425297Z",
			"updated_at": "2026-04-10T02:00:03.323082Z",
			"deleted_at": null,
			"main_name": "Red Nue",
			"aliases": [
				"LuoYu"
			],
			"source_name": "MISPGALAXY:Red Nue",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434949,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0216959614e185c6a6fff8933983768369f5d052.pdf",
		"text": "https://archive.orkl.eu/0216959614e185c6a6fff8933983768369f5d052.txt",
		"img": "https://archive.orkl.eu/0216959614e185c6a6fff8933983768369f5d052.jpg"
	}
}