{
	"id": "b6e16562-15da-4772-a4b2-391e6da71153",
	"created_at": "2026-04-06T00:15:37.815798Z",
	"updated_at": "2026-04-10T13:12:49.296429Z",
	"deleted_at": null,
	"sha1_hash": "04d462641c3db5730e12904d07829ec064027122",
	"title": "CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2367433,
	"plain_text": "CL-STA-0048: An Espionage Operation Against High-Value\r\nTargets in South Asia\r\nBy Lior Rochberger, Yoav Zemah\r\nPublished: 2025-01-29 · Archived: 2026-04-05 14:10:22 UTC\r\nExecutive Summary\r\nWe identified a cluster of activity that we track as CL-STA-0048. This cluster targeted high-value targets in South\r\nAsia, including a telecommunications organization.\r\nThis activity cluster used rare tools and techniques including the technique we call Hex Staging, in which the\r\nattackers deliver payloads in chunks. Their activity also includes exfiltration over DNS using ping, and abusing\r\nthe SQLcmd utility for data theft.\r\nBased on an analysis of the tactics, techniques and procedures (TTPs), as well as the tools used, the infrastructure\r\nand the victimology, we assess with moderate-high confidence that this activity originates in China.\r\nThe campaign primarily aimed to obtain the personal information of government employees and steal sensitive\r\ndata from targeted organizations. These objectives bear the hallmarks of a nation-state advanced persistent threat\r\n(APT) espionage operation.\r\nThe threat actor behind this campaign demonstrated a methodical approach to network penetration to establish a\r\nfoothold. 
We observed systematic attempts to exploit known vulnerabilities on public-facing servers, specifically\r\ntargeting the following services:\r\nIIS\r\nApache Tomcat\r\nMSSQL services\r\nOrganizations that protect sensitive information should focus on patching commonly exploited vulnerabilities.\r\nThey should also follow best practices for IT hygiene, as APTs frequently attempt to gain access using methods\r\nthat have proven successful in the past.\r\nWe are sharing our analysis to provide defenders with means to detect and protect themselves against such\r\nadvanced attacks.\r\nPalo Alto Networks customers are better protected from the threats discussed in this article through Cortex XDR\r\nand XSIAM.\r\nCustomers are also better protected through the following products and services:\r\nhttps://unit42.paloaltonetworks.com/espionage-campaign-targets-south-asian-entities/\r\nPage 1 of 16\n\nCloud-Delivered Security Services for the Next-Generation Firewall, including Advanced WildFire,\r\nAdvanced URL Filtering and Advanced DNS Security.\r\nCortex Xpanse provides proactive detection of potential adversary entry points\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nTimeline of Activity\r\nThroughout our investigation, we observed a distinct sequence of events that characterized the threat actor's\r\nactivities. Figure 1 illustrates this timeline, showcasing the key stages and progression of the attack.\r\nFigure 1. 
Activity timeline of CL-STA-0048.\r\nExploiting Multiple Entry Points\r\nWe observed the threat actor attempting to exploit three critical services, one after the other:\r\nIIS\r\nApache Tomcat\r\nMSSQL Services\r\nWith each failure, the threat actor adapted, targeting the next vulnerable asset in this list.\r\nThe Initial Target: Attempting to Exploit IIS Servers\r\nOn the first attempt, the threat actor tried to exploit vulnerabilities on multiple IIS servers in the environment,\r\ntrying to deliver and deploy several web shells. These attempts were blocked by Cortex XDR.\r\nAnti-Webshell and Anti-Exploitation Modules\r\nThe attackers’ attempts to deploy a web shell were also prevented by Cortex XDR.\r\nThe Attackers Shift to Apache Tomcat\r\nAfter failing to exploit the IIS servers, the threat actor targeted an internet-facing Apache server, deploying a\r\nColdFusion web shell as shown in Figure 2. This was again blocked by Cortex XDR.\r\nFigure 2. ColdFusion web shell used in the attack.\r\nOne Final Attempt: An MSSQL Server\r\nOn the third attempt, the threat actor was able to compromise an unpatched internet-facing MSSQL server. The\r\nfollowing section details the malicious activity that we observed from the compromised server.\r\nReconnaissance and a Rarely Seen Exfiltration Technique\r\nThe threat actor leveraged PowerShell to download multiple batch scripts from a remote server. These scripts\r\nexecuted commands such as tasklist to enumerate running processes on compromised machines and dir to list the\r\ncontents of directories.\r\nThe scripts exfiltrated command outputs by formatting each line as a string constructed of a series of subdomains\r\nand sending ping requests to these subdomains. 
Each ping command triggered a DNS request, transmitting the\r\nexfiltrated data to the attackers via DNS.\r\nThe threat actor used dnslog.pw, a Chinese DNS logging tool for pen testers, to capture the output. Figure 3 below\r\nillustrates this data exfiltration technique.\r\nFigure 3. Process tree of the data exfiltration using the ping command.\r\nIn addition, the threat actor attempted to save the output of the dir command into text files and then uploaded the\r\noutput file to their command and control (C2) server using PowerShell. Figure 4 below shows the command they\r\nused.\r\nFigure 4. Exfiltration command.\r\nPreparing the Ground: The “Hex Staging” Method and Delivering Malware\r\nPlugX as the Attacker's Main Backdoor\r\nThe initial and primary backdoor the threat actor used in this attack was the PlugX backdoor. PlugX is a well-known remote access tool (RAT) with modular plugins and customizable settings that has been popular for over a\r\ndecade, primarily among Chinese-speaking threat groups.\r\nThe threat actor abused certutil to download the PlugX component from a remote domain under the following\r\nURL path:\r\nhttps://h5.nasa6[.]com/shell/\r\nThe attackers dropped and executed the following payloads:\r\nAcrobat.exe - A legitimate Adobe Acrobat binary\r\nAcrobat.dxe - An encrypted PlugX payload\r\nAcrobat.dll - A PlugX loader\r\nThe payloads were saved under the path C:\\ProgramData\\DSSM\\\r\nThe threat actor then used the DLL sideloading technique and exploited vulnerable legitimate binaries\r\n(Acrobat.exe) to initiate the PlugX loader Acrobat.dll. This technique was detected by Cortex XDR.\r\nWhen the legitimate binary successfully sideloaded the PlugX loader, it searched for the payload Acrobat.dxe in\r\nthe system. 
Once it found the payload, the PlugX loader proceeded to load, decrypt and then inject it into a\r\nlegitimate instance of svchost.exe.\r\nThe PlugX payload then connected to the C2 server mail.tttseo[.]com, executing in memory as a detection evasion\r\nattempt.\r\nTalos mentioned similar TTPs including the same file names, several hashes and the C2 address in their\r\nSeptember 2024 blog about a Chinese threat actor called DragonRank. Figure 5 shows how Cortex XDR captured\r\nthe PlugX execution flow.\r\nFigure 5. Detection of PlugX execution flow, as shown in Cortex XDR.\r\nHex Staging: Another Rarely Seen Technique Used by the Threat Actor\r\nOnce the threat actor gained a foothold inside the network, they attempted to upload additional tools. They\r\nemployed a stealthy and uncommon technique to do this, in which the attackers deliver payloads in chunks\r\n(T1027: Obfuscated Files or Information). We call this technique Hex Staging.\r\nIn Hex Staging, an attacker incrementally writes hex-encoded data into a temporary file piece by piece, using\r\ncommands passed to cmd.exe. This method avoids detection systems that scan for direct file writes.\r\nOnce the file is assembled in hex format, the attacker uses a tool like certutil to decode the hex data back into\r\nASCII. This content could be either binary executables or scripts. This method bypasses conventional security\r\ndetection by using native Windows utilities to covertly deliver and execute malicious code.\r\nFigure 6 shows an example of the Hex Staging commands used by the threat actor.\r\nFigure 6. Hex Staging commands.\r\nThe threat actor attempted to deliver multiple files using this method. 
This included binary files such as Cobalt\r\nStrike loaders and implants, as well as a .sql script, which we will describe later in this post.\r\nA PowerShell script that loaded Cobalt Strike (shown in Figure 7) was among the payloads they wrote using that\r\ntechnique. It was detected and prevented by Cortex XDR.\r\nFigure 7. Alert for the malicious PowerShell script, as shown in Cortex XDR.\r\nPrivilege Escalation Tools\r\nSspiUacBypass\r\nAfter the threat actor established a foothold in the environment, we observed them attempting to bypass User Account\r\nControl (UAC), leveraging the SspiUacBypass tool. This technique exploits the Windows Security Support\r\nProvider Interface (SSPI) to sidestep UAC prompts, allowing the actor to run high-privileged processes without\r\nuser consent.\r\nThe Potato Suite\r\nTo successfully execute certain tools, the threat actors needed to run their tools and commands with adequate\r\nprivileges, such as Admin or SYSTEM. To do so, they used different tools from the popular Potato Suite, a\r\ncollection of various native Windows privilege escalation tools.\r\nThe main tools that we observed during the investigation were:\r\nBadPotato: A local privilege escalation tool that elevates user privileges to SYSTEM for command\r\nexecution\r\nRasmanPotato: This tool exploits the Windows Remote Access Connection Manager (RASMAN) service\r\nto gain system-level access, allowing high-privilege operations without user interaction\r\nCommand-and-Control Tools\r\nSoftEther VPN\r\nAnother tool that we observed the threat actor using is a renamed version of the open-source SoftEther VPN. This\r\nsoftware is flexible and has multi-protocol support. 
Threat actors, particularly those in Chinese groups, frequently\r\nabuse it for stealthy communications and bypassing network restrictions.\r\nFigure 8 shows the command the threat actors used to download the client and configuration file.\r\nFigure 8. The command used to download the SoftEther VPN client and configuration file.\r\nWinos4.0-Based Downloader\r\nThe threat actor also attempted to use a downloader built using the advanced malicious framework Winos4.0. The\r\ndownloader, placed under drivers\\etc masquerading as hosts.exe, attempted to connect to the IP address\r\n154.201.68[.]57.\r\nAfter a successful connection, it downloads the payload and saves it into the registry key\r\nd33f351a4aeea5e608853d1a56661059. It then executes the payload. Fortinet observed similar behavior as part of\r\nthe execution of another malware called ValleyRAT, which we believe the threat actor built using the same\r\nframework.\r\nThe downloader variant we discovered also leverages the KCP Protocol. This is a fast and reliable automatic\r\nrepeat-request (ARQ) protocol that provides low-latency and faster communications.\r\nChinese threat actors were the main users of this protocol [PDF] in the past, including the infamous APT41. This\r\ncorresponds with the fact that the main GitHub page is written in Mandarin, suggesting it mainly addresses\r\nMandarin-speaking hackers.\r\nCobalt Strike Execution\r\nThe threat actor deployed Cobalt Strike to execute additional malicious activities within the compromised\r\nenvironment. Using the Hex Staging technique mentioned earlier, the loader was dropped onto the SQL server.\r\nUpon execution, it injected the Cobalt Strike beacon into winlogon.exe, initiating communication with the\r\nconfigured C2 server sentinelones[.]com.\r\nOne of their initial objectives was dumping the LSASS process. 
This attempt was detected and successfully\r\nblocked by Cortex XDR, preventing the harvesting of credentials.\r\nThe threat actor also used the Cobalt Strike implant to deliver additional payloads. Those payloads were two sets\r\nof legitimate binaries and DLLs:\r\nThe first pair was a legitimate ecmd.exe and the malicious DLL msvcp140.dll\r\nThe second pair was the AppLaunch.exe application and the malicious DLL mscoree.dll\r\nThe threat actor sideloaded the malicious DLLs to the legitimate binaries to load Stowaway, a multi-hop proxy tool,\r\nshown in Figure 9 below. The threat actor used this tool to create a connection back to one of its main C2 servers:\r\n43.247.135[.]106.\r\nAfter failing to load the malicious DLLs, the threat actor tried to use another tool for the same purpose: iox, a port\r\nforward and intranet proxy tool.\r\nFinally, the actor attempted to create a new database user through the Cobalt Strike beacon. We will explore this\r\nstep and its implications in detail in the following section.\r\nFigure 9. Execution flow of Cobalt Strike, as shown in Cortex XDR.\r\nAiming Toward the Database: Stealing Table Data\r\nCreating a Privileged Database User\r\nOnce the threat actor established their presence in the network, they attempted to exfiltrate sensitive data from\r\nSQL servers.\r\nThe threat actor initially attempted to create a database user with the username webuseraa and password\r\nteasd$%!FFr. They granted the user System Administrator privileges on the main database using the command\r\nshown in Figure 10.\r\nFigure 10. Creation of database user.\r\nDeploying a Malicious SQL Script\r\nThe attacker also created an SQL script named 1.sql.tmp using the Hex Staging technique mentioned earlier in this\r\npost. They first decoded the hex file into ASCII using certutil and saved the file as 1.sql (shown in Figure 11).\r\nFigure 11. 
The malicious SQL script.\r\nThen they executed the script and saved the output into the text file shown in Figure 12 below.\r\nFigure 12. Execution of the malicious SQL script.\r\nThis script identifies and exfiltrates sensitive contact information stored across multiple databases by searching for\r\ncolumns that could contain phone-related data, such as those named “phone,” “Mobile” or “TEL.” The script then\r\naggregates results across databases, generating a list with the database name, schema, table, column names and\r\ntotal row count for each match.\r\nFigure 13 shows the execution flow of the SQL script.\r\nFigure 13. Execution flow of the SQL script, as shown in Cortex XDR.\r\nAfter executing the script, the threat actor attempted to exfiltrate the output text file containing the results to their\r\nC2 server, as shown in Figure 14. They then deleted the script from the server.\r\nFigure 14. Exfiltration command.\r\nThe Abuse of Sqlcmd.exe for Data Exfiltration\r\nBy leveraging the sqlcmd utility, the attacker connected to the local SQL server instance (127.0.0[.]1) on port\r\n1434 and executed a dynamic SQL query. Such a query creates a temporary table to store metadata about all tables\r\nacross accessible databases.\r\nThe script dynamically generates SQL commands to iterate through all user databases (excluding system\r\ndatabases) and retrieves details like database name, schema name and table name. Figure 15 below shows the\r\ndatabase harvesting command.\r\nFigure 15. DB harvesting command-line execution.\r\nThe results are then sorted and written into an output file (C:\\users\\public\\123.txt), which the threat actors tried to\r\nexfiltrate later, as shown in Figure 16 below. 
After that, the threat actor deleted the temporary table.\r\nFigure 16. Exfiltration command.\r\nFinally, the threat actor attempted to extract personally identifiable information (PII) and sensitive client data from\r\none of the databases, specifically targeting details such as:\r\nClient names\r\nMobile numbers\r\nGender\r\nBirth dates\r\nEmail IDs\r\nResidential addresses\r\nThe command groups this data by mobile number and saves the output as a .zip file, as shown in Figure 17.\r\nFigure 17. Database theft command-line execution.\r\nConnection to the Chinese Nexus\r\nOverlaps with DragonRank\r\nThe threat actor behind this cluster of activity employed PlugX as one of its primary backdoors. They used\r\nspecific components (notably the loader and payload), exhibiting an overlap with those used by DragonRank, a\r\nrecently identified Chinese threat group.\r\nWe lack sufficient data on DragonRank to definitively link it to CL-STA-0048. However, we acknowledge the\r\nsimilarities between the two while keeping CL-STA-0048 as a distinct cluster for tracking purposes. This allows\r\nus to monitor for potential connections without making premature conclusions.\r\nActivity Time Frame\r\nDuring our investigation, we successfully traced the time frame of the threat actor's interactive sessions. We\r\nfocused on hands-on-keyboard commands executed on the compromised SQL server, as well as commands sent to\r\nthe different active backdoors. A thorough review of the activity's time over several months revealed a notable and\r\nconsistent pattern.\r\nOur findings, as illustrated in Figure 18 below, demonstrate a correlation with typical 9-to-5 working hours in the\r\nUTC+8 time zone. This time period notably aligns with the business hours of various Asian nations, with China\r\nbeing a prominent example.\r\nFigure 18. 
Comparison of activity time frame between UTC and UTC+8.\r\nDNS Logging Service\r\nFigure 19 shows that the threat actor used a DNS logging service primarily designed for a Chinese-speaking\r\naudience to exfiltrate command output, as we mentioned earlier in this article. Although this service is globally\r\naccessible, its usage patterns and associated tool ecosystems suggest a predominant adoption within Chinese\r\ncybersecurity circles, where it closely aligns with local security testing practices.\r\nFigure 19. DNSlog System web description.\r\nKCP Protocol\r\nThe threat actor’s use of a Winos4.0-based Downloader leveraging the KCP Protocol could suggest a Chinese\r\norigin. The protocol has been historically associated with Chinese threat actors like APT41 and is documented\r\nprimarily in Mandarin, indicating its intended audience is Chinese-speaking developers. This linguistic and\r\noperational context points to a likely connection to the Chinese cyberthreat ecosystem.\r\nSupershell Panel\r\nDuring our investigation, we observed the attackers downloading several files from the IP address 206.237.0[.]49.\r\nElastic disclosed this IP address in January 2024 as part of the Supershell C2 platform. While Supershell is openly\r\navailable on GitHub, its interface and documentation are primarily tailored to a Mandarin-speaking audience,\r\nfurther solidifying the connection to the Chinese nexus.\r\nConclusion\r\nThe CL-STA-0048 campaign represents a significant threat, targeting government and telecom entities in South\r\nAsia with a clear focus on espionage. The threat actor behind it leverages tactics to evade detection, bypass\r\nsecurity measures and exfiltrate sensitive data from high-value targets.\r\nCL-STA-0048 exploits unpatched vulnerabilities in widely used services such as IIS, Apache Tomcat and\r\nMSSQL. 
It adapts to new defenses and deploys rarely seen techniques, adjusting its methods to overcome\r\ndefenses and achieve its objectives.\r\nOur analysis indicates a strong link between this group and the Chinese nexus based on the observed tools,\r\ntechniques and victimology.\r\nThese findings emphasize the critical need for organizations to prioritize proactive cybersecurity measures.\r\nAddressing known vulnerabilities, maintaining robust IT hygiene and employing vigilant threat monitoring are\r\nessential to counter adversaries like CL-STA-0048. Organizations can better protect sensitive data and defend\r\nagainst advanced and persistent threats by strengthening security measures and staying informed about emerging\r\nthreats.\r\nProtections and Mitigations\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this\r\nactivity cluster:\r\nAdvanced WildFire cloud-delivered malware analysis service accurately identifies the PlugX and\r\nCobaltStrike samples mentioned in this article as malicious.\r\nAdvanced URL Filtering and Advanced DNS Security identify domains associated with this group as\r\nmalicious.\r\nCortex XDR and XSIAM are designed to:\r\nPrevent the execution of known malicious malware and also prevent the execution of unknown\r\nmalware using Behavioral Threat Protection and machine learning based on the Local Analysis\r\nmodule.\r\nProtect against exploitation of different vulnerabilities using the Anti-Exploitation modules as well\r\nas Behavioral Threat Protection.\r\nDetect post-exploit activity, including credential-based attacks, with behavioral analytics through\r\nCortex XDR Pro and XSIAM.\r\nDetect user and credential-based threats by analyzing anomalous user activity from multiple data\r\nsources.\r\nProtect from threat actors dropping and executing commands from web shells using 
Anti-Webshell\r\nProtection.\r\nCortex Xpanse is able to detect internet-exposed Microsoft IIS, Apache Tomcat and MSSQL Servers,\r\namong hundreds of other types of enterprise applications.\r\nIf you think you might have been impacted or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)\r\nUK: +44.20.3743.3660\r\nEurope and Middle East: +31.20.299.3130\r\nAsia: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nAustralia: +61.2.4062.7950\r\nIndia: 00080005045107\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to\r\ntheir customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nAdditional Resources\r\nDragonRank, a Chinese-speaking SEO manipulator service provider – Talos\r\nUnmasking a Financial Services Intrusion: REF0657 – Elastic Security Labs\r\nA Deep Dive into a New ValleyRAT Campaign Targeting Chinese Speakers – FortiGuard Labs, Fortinet\r\nBehind the Great Wall: Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 C\u0026C\r\nFramework – Trend Micro\r\nSource: https://unit42.paloaltonetworks.com/espionage-campaign-targets-south-asian-entities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/espionage-campaign-targets-south-asian-entities/"
	],
	"report_names": [
		"espionage-campaign-targets-south-asian-entities"
	],
	"threat_actors": [
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0e62ad61-c51d-460e-a587-b11d17bb2fb3",
			"created_at": "2024-10-04T02:00:04.754794Z",
			"updated_at": "2026-04-10T02:00:03.712878Z",
			"deleted_at": null,
			"main_name": "DragonRank",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonRank",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8f68387a-aced-4c99-b2a6-aa85071a0ca3",
			"created_at": "2024-06-25T02:00:05.030976Z",
			"updated_at": "2026-04-10T02:00:03.656871Z",
			"deleted_at": null,
			"main_name": "Void Arachne",
			"aliases": [
				"Silver Fox"
			],
			"source_name": "MISPGALAXY:Void Arachne",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7805d1a-b8d0-4a42-ae86-1d8711e0b2b9",
			"created_at": "2024-08-28T02:02:09.729503Z",
			"updated_at": "2026-04-10T02:00:04.967533Z",
			"deleted_at": null,
			"main_name": "Void Arachne",
			"aliases": [
				"Silver Fox"
			],
			"source_name": "ETDA:Void Arachne",
			"tools": [
				"Gh0stBins",
				"Gh0stCringe",
				"HoldingHands RAT",
				"Winos"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1820b6d5-4c68-4c37-bd25-034fd77cf1bf",
			"created_at": "2026-01-17T02:00:03.195495Z",
			"updated_at": "2026-04-10T02:00:03.89438Z",
			"deleted_at": null,
			"main_name": "CL-STA-0048",
			"aliases": [
				"CL STA 0048"
			],
			"source_name": "MISPGALAXY:CL-STA-0048",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434537,
	"ts_updated_at": 1775826769,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04d462641c3db5730e12904d07829ec064027122.pdf",
		"text": "https://archive.orkl.eu/04d462641c3db5730e12904d07829ec064027122.txt",
		"img": "https://archive.orkl.eu/04d462641c3db5730e12904d07829ec064027122.jpg"
	}
}