{
	"id": "a8aac620-890b-4aa8-8119-2fee62af16e9",
	"created_at": "2026-04-06T00:13:40.602611Z",
	"updated_at": "2026-04-10T03:36:33.698628Z",
	"deleted_at": null,
	"sha1_hash": "0581ca5035847437db82691c8ad3b4f8bfe04325",
	"title": "Separating the bee from the panda: CeranaKeeper making a beeline for Thailand",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 314137,
	"plain_text": "Separating the bee from the panda: CeranaKeeper making a\r\nbeeline for Thailand\r\nBy Romain Dumont\r\nArchived: 2026-04-05 14:46:31 UTC\r\nESET researchers observed several campaigns targeting governmental institutions in Thailand, starting in 2023.\r\nThese attacks leveraged revamped versions of components previously attributed by other researchers to the China-aligned advanced persistent threat (APT) group Mustang Panda, and later, a new set of tools that abuse service\r\nproviders such as Pastebin, Dropbox, OneDrive, and GitHub to execute commands on compromised computers\r\nand exfiltrate sensitive documents.\r\nBased on our findings, we decided to track this activity cluster as the work of a separate threat actor. The\r\nnumerous occurrences of the string [Bb]ectrl in the code of the group’s tools inspired us to name it CeranaKeeper;\r\nit is a wordplay between the words beekeeper and the bee species Apis Cerana, or the Asian honey bee.\r\nKey points of this blogpost:\r\nESET researchers discovered a new China-aligned threat actor, CeranaKeeper, targeting\r\ngovernmental institutions in Thailand. Some of its tools were previously attributed to Mustang\r\nPanda by other researchers.\r\nThe group constantly updates its backdoor to evade detection and diversifies its methods to aid\r\nmassive data exfiltration.\r\nCeranaKeeper abuses popular, legitimate cloud and file-sharing services such as Dropbox and\r\nOneDrive to implement custom backdoors and extraction tools.\r\nThe group uses GitHub’s pull request and issue comment features to create a stealthy reverse\r\nshell, leveraging GitHub, a popular online platform for sharing and collaborating on code, as a\r\nC\u0026C server.\r\nCeranaKeeper has been active since at least the beginning of 2022, mainly targeting governmental entities in\r\nAsian countries such as Thailand, Myanmar, the Philippines, Japan, and Taiwan; we believe it is aligned with\r\nChina’s interests. 
The group’s relentless hunt for data is remarkable, with its attackers deploying a wide array of\r\ntools aimed at extracting as much information as possible from compromised networks. In the operation we\r\nanalyzed, the group turned compromised machines into update servers, devised a novel technique using GitHub’s\r\npull request and issue comment features to create a stealthy reverse shell, and deployed single-use harvesting\r\ncomponents when collecting entire file trees.\r\nWe briefly introduced CeranaKeeper in the ESET APT Activity Report Q4 2023–Q1 2024, which was released in\r\nMay 2024. In this blogpost, we describe these previously undocumented, custom tools deployed by CeranaKeeper\r\nand share more of our findings about the operations of this threat actor.\r\nhttps://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/\r\nPage 1 of 10\n\nWe presented some of our findings about CeranaKeeper and the compromise in Thailand at the Virus Bulletin\r\nconference on October 2nd, 2024, and in our white paper, which you can read in full here. This month, Virus\r\nBulletin will also publish our white paper about this topic on its website.\r\nAttribution\r\nWhile some of CeranaKeeper’s activities had previously been attributed to Mustang Panda (aka Earth Preta or\r\nStately Taurus) by Talos, Trend Micro, and Palo Alto Networks Unit 42, we have decided to track this activity\r\ncluster as the work of CeranaKeeper. We believe CeranaKeeper uses the publicly documented toolset called\r\nbespoke stagers (or TONESHELL), heavily relies on the side-loading technique, and uses a specific sequence of\r\ncommands to exfiltrate files from a compromised network. Furthermore, we consider the use of political lures and\r\nPlugX components to be the work of Mustang Panda. 
Despite some similarities in their activities (similar side-loading targets, archive format), we observed distinct organizational and technical differences between the two\r\ngroups, such as differences in their toolsets, infrastructure, operational practices, and campaigns. We also noted\r\ndifferences in the way the two groups accomplish similar tasks.\r\nIn its operations, CeranaKeeper deploys components known as TONEINS, TONESHELL, and PUBLOAD, which\r\nare unique to the group. The group stands out for its creativity and adaptability in its attacks, such as using\r\nrevamped versions of the aforementioned components and new tools that abuse services such as Pastebin,\r\nDropbox, OneDrive, and GitHub. We describe these tools in the Toolset aiding massive exfiltration section.\r\nFurthermore, the group left some metadata in its code that provided us with insights into its development process,\r\nfurther solidifying our separation of the two groups and our attribution to CeranaKeeper. Both threat actors may\r\nrely on the same third party, such as a supplier of tools used in the deployment phase, which is not uncommon\r\namong China-aligned groups, or have some level of information sharing, which would explain the links that we\r\nhave observed. In our opinion, this is a more likely explanation than a single threat actor maintaining two\r\ncompletely separate sets of tools, infrastructure, operational practices, and campaigns.\r\nCompromising machines in the same network\r\nThe compromise vectors that CeranaKeeper used in the case we analyzed have yet to be found. 
When the group\r\nobtained a foothold in the network of a Thai governmental institution, in the middle of 2023, a compromised\r\nmachine conducted brute-force attacks against a domain controller server in the local area network.\r\nAfter gaining privileged access, the attackers installed the TONESHELL backdoor, deployed a tool to dump\r\ncredentials, and used a legitimate Avast driver and a custom application to disable security products on the\r\nmachine. From this compromised server, they used a remote administration console to deploy and execute their\r\nbackdoor on other computers in the network. Additionally, CeranaKeeper used the compromised server to store\r\nupdates for TONESHELL, turning it into an update server.\r\nThe group deployed a new BAT script across the network, extending its reach to other machines in the same\r\ndomain by exploiting the domain controller to gain domain admin privileges. This enabled CeranaKeeper to move\r\nto the next phase of its operation and achieve the final goal: massive data harvesting.\r\nAfter deploying their TONESHELL backdoor and performing a few lateral movements, it appears that the\r\nattackers found and selected a few compromised computers of sufficient interest to deploy previously\r\nundocumented, custom tools. These support tools were used not only to facilitate the exfiltration of documents to\r\npublic storage services but also to act as alternative backdoors. The backdoors and exfiltration tools we describe\r\nwere deployed to highly targeted machines only.\r\nWavyExfiller: A Python uploader abusing Dropbox and PixelDrain\r\nThe first of a series of unknown components we discovered in June 2023 is WavyExfiller, a Python package\r\nbundled into an executable using PyInstaller and a direct Python implementation of the exfiltration method\r\ndescribed by Unit 42. 
We named this component WavyExfiller due to the .wav extension of a local file that\r\ncontains search masks for identifying and compressing documents ready for export. The PyInstaller-bundled\r\nexecutable is named SearchApp.exe (SHA-256:\r\nE7B6164B6EC7B7552C93713403507B531F625A8C64D36B60D660D66E82646696).\r\nThe module has three main functions: to retrieve an encrypted Dropbox token from a Pastebin page (an online\r\nservice for storing and sharing plain text data), to create password-protected archives of documents found in users’\r\ndirectories, and to upload these archives to Dropbox.\r\nIn October 2023, we observed a variant (SHA-256:\r\n451EE465675E674CEBE3C42ED41356AE2C972703E1DC7800A187426A6B34EFDC) stored under the name\r\noneDrive.exe. Despite its name, this version uses the file-sharing service PixelDrain to exfiltrate the archived files.\r\nJust like SearchApp.exe mentioned above, this variant checks the C drive, which typically contains the operating\r\nsystem, installed programs, and local users’ documents. Additionally, oneDrive.exe attempts to collect files from\r\nmapped drives, if any, ranging from letter D to N (except L) as illustrated in Figure 1, which may represent\r\nconnected external storage devices like USBs and hard drives, networked drives in an office environment, or\r\nvirtual drives created by specific software. This shows that CeranaKeeper stepped up its level of greediness and\r\ntried reaching other potential or known sources of information. However, it’s unclear whether the exfiltration\r\noperation was successful, as checking uploaded files on PixelDrain is not possible via the exposed API.\r\nFigure 1. Traversing and collecting files from a list of drives\r\nDropboxFlop: A Python backdoor abusing Dropbox\r\nIn October 2023, around the same time that we found the PixelDrain variant, we discovered a new PyInstaller\r\nbundled executable with SHA-256 hash\r\nDAFAD19900FFF383C2790E017C958A1E92E84F7BB159A2A7136923B715A4C94F. 
It seems that\r\nCeranaKeeper created it based on a publicly available project called Dropflop, which is a reverse shell with upload\r\nand download capabilities. The compiled Python file is called dropboxflop.pyc. The backdoor retrieves an\r\nencrypted Dropbox token and depends on files present in the remote Dropbox repository to execute commands on\r\nthe machine. It creates a unique folder locally and generates a “heartbeat” by updating the remote file called\r\nlasttime every 15 seconds. It also checks for a file named tasks that, if found, is downloaded and parsed as a JSON\r\nfile. There are two types of tasks implemented: command execution and file upload. Once completed, the\r\nbackdoor sends the results by updating the content of the file output.\r\nOneDoor: A C++ backdoor abusing OneDrive\r\nA few days after deploying the Python backdoor DropboxFlop, CeranaKeeper returned with a statically linked\r\nC/C++ backdoor abusing OneDrive that we have named OneDoor. The sample (SHA-256:\r\n3F81D1E70D9EE39C83B582AC3BCC1CDFE038F5DA31331CDBCD4FF1A2D15BB7C8) is named\r\nOneDrive.exe. The file mimics the legitimate executable from Microsoft, as shown in the properties view in\r\nFigure 2.\r\nFigure 2. OneDoor file properties\r\nOneDoor behaves in a similar fashion to the DropboxFlop backdoor, but uses the OneDrive REST API of the\r\nMicrosoft Graph API to receive commands and exfiltrate files.\r\nOneDoor creates a log file and attempts to access a file named config.ini. If it’s not present, OneDoor uses a\r\nhardcoded buffer. The file or buffer starts with a key and an initialization vector, which are used to decrypt the rest\r\nof the data using AES-128 in CBC mode. The plaintext contains a URL, which the malware uses in an HTTP GET\r\nrequest. 
The response contains a OneDrive token, which is used in subsequent requests to Microsoft OneDrive.\r\nOneDoor also retrieves the ID of a folder called approot, which is used to store application data.\r\nSimilar to the config.ini file, the malware attempts to access a file named errors.log. If the file doesn’t exist, it uses\r\na hardcoded buffer. The content of the file or buffer is decrypted; the plaintext data contains a 1024-bit RSA\r\npublic key. A key-IV pair is generated, encrypted with RSA, and uploaded to the remote approot folder. This pair\r\nis used for encrypting and decrypting data.\r\nFinally, the malware retrieves lists of files from two folders located on OneDrive, E and F. A thread is started for\r\neach list, which downloads and decrypts the files. The files stored under the E folder contain commands to be\r\nexecuted, while the ones stored under the F folder contain a list of files to be uploaded. The results of these\r\noperations are encrypted and stored in a third OneDrive folder, D. The original files are then deleted from\r\nOneDrive.\r\nBingoShell: A Python backdoor abusing GitHub\r\nWe observed the latest specimen of the group’s exfiltration toolset in February 2024 and named it BingoShell\r\nbecause of the string bingo# used in the title of a GitHub pull request (PR) it creates. The analyzed sample (SHA-256: 24E12B8B1255DF4E6619ED1A6AE1C75B17341EEF7418450E661B74B144570017) is a file named\r\nUpdate.exe that uses a Microsoft Office logo as its icon, as observed in Figure 3. According to its PE compilation\r\ntimestamp, it was apparently built in late January 2024.\r\nFigure 3. BingoShell backdoor mimics Microsoft Office application\r\nBingoShell is a backdoor written in Python that uses GitHub to control compromised machines. Once run, it uses\r\na hardcoded token to access a private GitHub repository. 
According to the initial commit of the main branch, the\r\nrepository was probably created on January 24th, 2024. BingoShell creates a new branch in the repository and a\r\ncorresponding pull request. The backdoor reads comments on the newly created PR to receive commands to\r\nexecute on the compromised machine, as illustrated in Figure 4.\r\nFigure 4. Code retrieving commands stored in issue comments\r\nThis demonstrates a new covert technique to leverage GitHub as a command and control (C\u0026C) server, showing\r\nthe sophistication of the attackers, who cleaned up after themselves by closing pull requests and removing\r\ncomments from the repository.\r\nEach new branch created by BingoShell on the private GitHub repository should represent an access to a\r\ncompromised machine. Because we discovered 25 closed pull requests (shown in Figure 5), we could infer that\r\nCeranaKeeper had access, via BingoShell, to 25 compromised machines.\r\nFigure 5. Enumerating the pull requests\r\nConclusion\r\nThe threat actor behind the attacks on the Thai government, CeranaKeeper, seems particularly relentless, as\r\nthe plethora of tools and techniques the group uses keeps evolving at a rapid rate. The operators write and rewrite\r\ntheir toolset as needed by their operations and react rather quickly to keep avoiding detection. This group’s goal is\r\nto harvest as many files as possible and it develops specific components to that end. CeranaKeeper uses cloud and\r\nfile-sharing services for exfiltration and probably relies on the fact that traffic to these popular services would\r\nmostly seem legitimate and be harder to block when it is identified.\r\nThroughout our research, we were able to establish strong connections between the previously documented and\r\nnew toolsets and one common threat actor. 
The review of the tactics, techniques and procedures (TTPs), code, and\r\ninfrastructure discrepancies leads us to believe that tracking CeranaKeeper and Mustang Panda as two separate\r\nentities is necessary. However, both China-aligned groups could be sharing information and a subset of tools in a\r\ncommon interest or through the same third party.\r\nThe targeted campaign we investigated gave us insights into CeranaKeeper’s operations and future campaigns will\r\nlikely reveal more, as the group’s quest for sensitive data continues.\r\nFor a more detailed analysis of the tools deployed by CeranaKeeper, you can access the full ESET Research white\r\npaper here.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at\r\nthreatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this\r\nservice, visit the ESET Threat Intelligence page.\r\nIoCs\r\nA comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.\r\nFiles\r\nSHA-256 | Filename | Detection | Description\r\nB25C79BA507A256C9CA12A9BD34DEF6A33F9C087578C03D083D7863C708ECA21 | EACore.dll | Win32/Agent.VJO | YK0130 reverse shell.\r\nE7B6164B6EC7B7552C93713403507B531F625A8C64D36B60D660D66E82646696 | SearchApp.exe | Python/Agent.AGT | WavyExfiller.\r\n3F81D1E70D9EE39C83B582AC3BCC1CDFE038F5DA31331CDBCD4FF1A2D15BB7C8 | OneDrive.exe | Win32/Agent.VKV | OneDoor.\r\nDAFAD19900FFF383C2790E017C958A1E92E84F7BB159A2A7136923B715A4C94F | dropbox.exe | Python/Agent.AQN | PyInstaller DropFlop.\r\n24E12B8B1255DF4E6619ED1A6AE1C75B17341EEF7418450E661B74B144570017 | Update.exe | Python/Agent.AJJ | BingoShell.\r\n451EE465675E674CEBE3C42ED41356AE2C972703E1DC7800A187426A6B34EFDC | oneDrive.exe | Python/Agent.AGP | WavyExfiller PixelDrain variant.\r\nE6AB24B826C034A6D9E152673B91159201577A3A9D626776F95222F01B7C21DB | MsOcrRes.orp | Win32/Agent.AFWW | TONESHELL type B.\r\n6655C5686B9B0292CF5121FC6346341BB888704B421A85A15011456A9A2C192A | avk.dll | Win32/Agent.VJQ | TONESHELL variant.\r\nB15BA83681C4D2C2716602615288B7E64A1D4A9F4805779CEBDF5E6C2399AFB5 | TurboActivate.dll | Win32/Agent.AFWX | TONESHELL loader.\r\nNetwork\r\nIP | Domain | Hosting provider | First seen | Details\r\n104.21.81[.]233, 172.67.165[.]197 | www.toptipvideo[.]com | CLOUDFLARENET (AS13335) | 2023-08-14 | C\u0026C server for the YK0130 reverse shell.\r\n103.245.165[.]237 | dljmp2p[.]com, inly5sf[.]com | Bangmod Enterprise administrator (AS58955) | 2023-04-21 | C\u0026C servers for TONESHELL variants.\r\n103.27.202[.]185 | www.dl6yfsl[.]com | Bangmod Enterprise administrator (AS58955) | 2023-08-10 | C\u0026C server for TONEINS variant.\r\n103.27.202[.]185 | www.uvfr4ep[.]com | Bangmod Enterprise administrator (AS58955) | 2023-09-22 | C\u0026C server for TONEINS variant.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 15 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1583.001 | Acquire Infrastructure: Domains | CeranaKeeper acquired domains for some of its C\u0026C servers.\r\nResource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server | CeranaKeeper acquired access to a VPS to serve as a C\u0026C server.\r\nResource Development | T1587.001 | Develop Capabilities: Malware | CeranaKeeper develops its own components.\r\nResource Development | T1585.003 | Establish Accounts: Cloud Accounts | CeranaKeeper acquired cloud accounts for exfiltration purposes.\r\nExecution | T1072 | Software Deployment Tools | CeranaKeeper abuses the ESET Remote Administration console to perform lateral movement.\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | The YK0130 reverse shell establishes persistence via the registry Run key.\r\nPersistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Most components come as side-loaded libraries along with the legitimate program.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | Configuration files used by the OneDrive backdoor are encrypted.\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | CeranaKeeper uses legitimate library names to blend in.\r\nCollection | T1560.001 | Archive Collected Data: Archive via Utility | WavyExfiller uses WinRAR to compress collected data.\r\nCollection | T1005 | Data from Local System | WavyExfiller collects data from the local drive (C:).\r\nCollection | T1039 | Data from Network Shared Drive | WavyExfiller collects data from network shares.\r\nCollection | T1074.001 | Data Staged: Local Data Staging | Collected data is archived in a special folder before being uploaded.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | The different backdoors communicate using HTTP/S.\r\nCommand and Control | T1132.002 | Data Encoding: Non-Standard Encoding | The network protocol used by the YK0130 reverse shell employs custom, XOR-based encoding.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | AES-128 in CBC mode is used by the OneDrive backdoor to encrypt network communication.\r\nCommand and Control | T1573.002 | Encrypted Channel: Asymmetric Cryptography | The generated key and IV for the OneDrive backdoor are encrypted via RSA.\r\nCommand and Control | T1090.001 | Proxy: Internal Proxy | One of the variants of the YK0130 reverse shell implements a reverse proxy.\r\nCommand and Control | T1102.002 | Web Service: Bidirectional Communication | OneDrive and Dropbox are used as C\u0026C servers.\r\nExfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Collected data are exfiltrated via cloud services.\r\nSource: https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MISPGALAXY"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/"
	],
	"report_names": [
		"separating-bee-panda-ceranakeeper-making-beeline-thailand"
	],
	"threat_actors": [
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7e75b11d-f74c-4721-958e-f5a831ae85dc",
			"created_at": "2024-10-25T02:02:07.623446Z",
			"updated_at": "2026-04-10T02:00:04.608517Z",
			"deleted_at": null,
			"main_name": "CeranaKeeper",
			"aliases": [],
			"source_name": "ETDA:CeranaKeeper",
			"tools": [
				"ClaimLoader",
				"PUBLOAD",
				"TONEINS",
				"TONESHELL"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta",
				"HoneyMyte",
				"Mustang Panda",
				"Red Delta",
				"Red Lich",
				"Stately Taurus",
				"TA416",
				"Temp.Hex",
				"Twill Typhoon"
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eeea8091-668c-4e89-9c67-e688fd599365",
			"created_at": "2024-10-08T02:00:04.464686Z",
			"updated_at": "2026-04-10T02:00:03.723141Z",
			"deleted_at": null,
			"main_name": "CeranaKeeper",
			"aliases": [],
			"source_name": "MISPGALAXY:CeranaKeeper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434420,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0581ca5035847437db82691c8ad3b4f8bfe04325.pdf",
		"text": "https://archive.orkl.eu/0581ca5035847437db82691c8ad3b4f8bfe04325.txt",
		"img": "https://archive.orkl.eu/0581ca5035847437db82691c8ad3b4f8bfe04325.jpg"
	}
}