{
	"id": "84deb991-fdad-4b58-9069-edd563d4dfe8",
	"created_at": "2026-04-06T00:11:16.936362Z",
	"updated_at": "2026-04-10T03:37:21.720983Z",
	"deleted_at": null,
	"sha1_hash": "0d6e2cd5a8c62b5a04344af2b6a6999932c5ab2c",
	"title": "Operation StealthyTrident: corporate software under attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1169149,
	"plain_text": "Operation StealthyTrident: corporate software under attack\r\nBy Mathieu Tartare\r\nArchived: 2026-04-05 14:16:28 UTC\r\nUPDATE (December 14, 2020): We have no reason to believe that Able Desktop updates or trojanized installers\r\nare still being used to distribute malware. The last instance we saw occurred in July 2020 as described in our\r\nblogpost. \r\nOn December 11th, Able Soft stated in an email to us that the trojanized installers and Able Desktop’s\r\nupdates have not been used since the incident was reported to them. They also stated that, as a precaution against\r\nfurther attacks, Able Soft halted the Able Desktop updates, and that the last occurrence they observed of such\r\nattacks was in July 2020. \r\nESET has no information that allows us to corroborate or dispute these statements. \r\nESET researchers discovered that chat software called Able Desktop, part of a business management suite popular\r\nin Mongolia and used by 430 government agencies in Mongolia (according to Able), was used to\r\ndeliver the HyperBro backdoor (commonly used by LuckyMouse), the Korplug RAT (also known as PlugX), and\r\na RAT called Tmanger (which was first documented by NTT Security and was used during Operation Lagtime IT\r\ncampaigns attributed to TA428 by Proofpoint). A connection with the ShadowPad backdoor, which is now used\r\nby at least five different threat actors, was also found. \r\nTwo different trojanized installers, as well as a likely compromised update system, were used to deliver the\r\npayloads. The Able update system has been compromised since at least 2020 and trojanized installers have been delivered since at least May\r\n2018. \r\nAdditionally, yesterday, Avast published a blogpost documenting a campaign targeting government agencies and a\r\nnational data center in Mongolia. 
During that campaign, the attackers compromised an unknown company that\r\nwas providing government institutions in East Asia and leveraged that compromise to deliver HyperBro by\r\nemail. We believe that compromised company was Able, as the filename used in\r\nthat malicious email attachment is probably AbleTimeAccess_Update.exe, and we observed such a file being used\r\nto drop the same HyperBro sample as described in Avast's blogpost. \r\nA diagram summarizing the connections between LuckyMouse, TA428 and the ShadowPad backdoor C\u0026C\r\ninfrastructure is shown in Figure 1.\r\nhttps://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/\r\nPage 1 of 12\n\nFigure 1. Summary of the connections between LuckyMouse, TA428 and the ShadowPad backdoor\r\nRegarding the attribution of Operation StealthyTrident, considering that HyperBro is commonly attributed to\r\nLuckyMouse, that Tmanger was attributed to TA428 and that it uses one of the ShadowPad C\u0026C servers, multiple\r\ncompeting hypotheses exist: \r\nLuckyMouse has access to Tmanger and ShadowPad. \r\nLuckyMouse shares its access to the compromised Able Desktop update server with the TA428 group\r\nor some other group having access to Tmanger. \r\nHyperBro is now shared with TA428 or some other group having access to Tmanger and ShadowPad. \r\nLuckyMouse and TA428 are subgroups of the same threat actor. \r\nAlthough originally only known to be used by the Winnti Group, it should also be noted here that since at least\r\nOctober 2019, ShadowPad has been shared amongst multiple threat actors including the Winnti\r\nGroup, CactusPete, TICK, IceFog and KeyBoy. \r\nAdditional elements regarding the connection between Tmanger and TA428 will be published in a second\r\nblogpost documenting another campaign where the attackers used both Tmanger and ShadowPad. 
\r\nWe called this campaign Operation StealthyTrident because the attackers make extensive use of a three-pronged “trident” side-loading technique. \r\nCompromised Able Desktop  \r\nAble Desktop is chat software included as part of the Able business management suite used in Mongolia. It is\r\na Chromium-based JavaScript app making use of the NodeJS library. According to Able, their software suite is\r\nused by 430 government agencies in Mongolia. \r\nIn mid-2018, we observed a first occurrence of the legitimate Able Desktop application being used to\r\ndownload and execute HyperBro. HyperBro is a backdoor commonly attributed to LuckyMouse (also known as\r\nEmissary Panda or APT27). Able Desktop was also used to download and execute Tmanger; in that case,\r\nthe Able Desktop software itself was not trojanized (i.e. it did not contain malicious code). The most likely\r\nhypothesis is that the Able Desktop update system was compromised. \r\nIn addition to legitimate Able Desktop applications used to drop and execute HyperBro, likely using its update\r\nsystem, we also found two Able Desktop installers that were actually trojanized and contained the HyperBro\r\nbackdoor and the Korplug RAT. The first occurrence of this trojanized Able Desktop installer dates\r\nback to December 2017. A timeline of these events is shown in Figure 2. \r\nFigure 2. Timeline of the various implants used with either a trojanized Able Desktop installer or likely delivered\r\nthrough Able Desktop update\r\nWe notified Able about these compromises. \r\nAble Desktop update mechanism \r\nTo update itself, Able Desktop downloads the update installer through HTTPS. The code responsible for the\r\nupdate is shown in Figure 3. \r\nFigure 3. 
JavaScript code responsible for Able Desktop updates\r\nThe downloaded update installer is saved to %USERPROFILE%\\Documents\\Able\\Able Desktop.exe. Once\r\ndownloaded, the installer is executed. In the case of a legitimate update installer, a new version of Able\r\nDesktop will be installed. We observed, however, that starting in mid-2018, the executable downloaded wasn’t a\r\nlegitimate installer, but rather the HyperBro backdoor. Since, in that case, the executable is not an Able Desktop\r\ninstaller but plain malware, no update installation takes place and HyperBro is executed instead, and Able\r\nDesktop is not updated anymore. \r\nMultiple elements support the hypothesis of a compromise of the update server: \r\nThe filename and the path used to download HyperBro are the filename and path used by the update\r\nsystem. \r\nThe update is downloaded through HTTPS, so a man-in-the-middle attack is unlikely. \r\nHyperBro was dropped on all computers using Able Desktop during the same timeframe as previous\r\nlegitimate updates. \r\nThe malicious Able Desktop.exe is dropped by the real Able Desktop software and not malware\r\nmasquerading as Able Desktop. \r\nNo legitimate updates have been installed since the beginning of the campaign. \r\nWe believe this is enough to state that the update mechanism was compromised. It should be noted that Able\r\nDesktop has multiple update servers, some of them hosted at customer organizations. Since we have no\r\ninformation on which update server was used by these victims, we don’t know whether Able was compromised, or\r\none of their customers' update servers.  \r\nThe list of update servers used by Able Desktop is shown in Figure 4. 
We can see from that list that Able Desktop\r\nis indeed used by several government entities such as the Mineral Resource Authority of Mongolia, the Ministry\r\nof Justice and Foreign Affairs, the Ministry of Construction and Urban Development, the Development Bank of\r\nMongolia or the Mongolian State University of Education.\r\nvar urls = [\r\n'https://able[.]mn:8989',\r\n'https://www.able[.]mn:8989',\r\n'https://develop.able[.]mn:8989',\r\n'https://release.able[.]mn:8989',\r\n'https://mail.able[.]mn:8989',\r\n'http://eoffice.police[.]gov:8000',\r\n'http://e-office.dbm[.]mn:8000',\r\n'http://192.168.10[.]37:8000', // Development Bank\r\n'http://172.16.200[.]16:8000', // Transport Development Bank\r\n'http://192.168.10[.]62:8000', // My local\r\n'https://eoffice.president[.]mn:8000',\r\n'https://intranet.gov[.]mn:8000',\r\n'https://intranet.mrpam.gov[.]mn:8080', // Mineral resources\r\n'https://able.audit[.]mn:8989', // Audit\r\n'https://intranet.mojha.gov[.]mn:8989', // Ministry of Justice\r\n'https://office.msue.edu[.]mn:8989',\r\n'https://mcud.able[.]mn:8989', // Ministry of Construction and Urban Development\r\n'https://able.tog[.]mn:8989' // Ulaanbaatar Electricity Distribution Network JSC\r\n];\r\nThen, in July 2020, we saw a shift from HyperBro being delivered by the update system to a backdoor attributed\r\nto TA428 and called Tmanger. \r\nTrojanized Able Desktop \r\nIn addition to HyperBro and Tmanger being downloaded by legitimate Able Desktop software, we also found two\r\ndifferent trojanized installers. It is unknown to us whether these installers were downloadable from the Able\r\nwebsite or from another source.  \r\nAble Desktop installers, both legitimate and trojanized, are 7-Zip SFX installers and are not signed. In the case of\r\ntrojanized installers, the legitimate Able Desktop software is bundled with either HyperBro or Korplug. 
The\r\npayload and its side-loading host are packaged in a data1.dat file which is a 7-Zip SFX archive while Able\r\nDesktop is packaged in a data.dat file which is an Advanced Installer. The content of the trojanized installer is\r\nsummarized in Figure 5. The same IntgStat.exe side-loading host and pcalocalresloader.dll are used in both the\r\nroot of the Able Desktop.exe archive and the data1.dat archive. \r\nFigure 5. Trojanized Able Desktop installer content\r\nThe 7-Zip SFX installer first executes IntgStat.exe, a legitimate Symantec executable, which is a DLL side-loading host used to load pcalocalresloader.dll. This DLL is used to decrypt and load the XOR-encoded payload\r\nstored in thumb.db. This payload, XOR encoded with 0x04, once mapped into memory by the payload loader, will\r\ndecompress and execute an embedded, LZNT1-compressed PE executable that is used to rename data.dat (the\r\nlegitimate installer) and data1.dat (the malicious payload) as Able\r\nDesktop.exe and data1.exe respectively, and then execute them. \r\nOnce executed, the newly renamed data1.exe 7-Zip SFX archive will extract its contents and execute the\r\nsecond IntgStat.exe side-loading host, which then loads pcalocalresloader.dll. Again, pcalocalresloader.dll is used\r\nto load the XOR-encoded payload stored in the thumb.db file. As before, this payload will decompress and\r\nexecute an embedded LZNT1-compressed PE executable, which is actually HyperBro.  \r\nNote that, in the case of the Able Desktop installer trojanized with Korplug, the same side-loading host and DLL\r\nare used to execute data1.dat, while the side-loading host used to execute Korplug itself is\r\nnot IntgStat.exe, but siteadv.exe – a legitimate executable from McAfee – and the loader DLL is\r\ncalled siteadv.dll. 
Apart from this change of side-loading host, the payload delivery mechanism is the same. \r\nHyperBro \r\nThe HyperBro backdoor is LuckyMouse’s custom backdoor used since at least 2013 and in continuous\r\ndevelopment. The variant being used here is similar to the variant described by Palo Alto\r\nNetworks and Kaspersky. HyperBro was delivered to victims by both the legitimate Able Desktop software and\r\na trojanized Able Desktop installer. \r\nSimilar to the version used with the trojanized Able Desktop installer, in the case of the HyperBro implant\r\ndownloaded by the legitimate Able Desktop, its first stage consists of a 7-Zip SFX containing: \r\nthinprobe.exe, a legitimate Symantec executable used for DLL side-loading \r\nthinprobe.dll, a HyperBro loader \r\nthumbs.db, the XOR-encoded payload \r\nHyperBro’s loader DLL, thinprobe.dll, is executed by DLL side-loading using the thinprobe.exe executable, which\r\nis a legitimate, signed Symantec executable. While the side-loading host used with the downloaded HyperBro is\r\ndifferent, the DLL used to decode and execute the thumbs.db payload is exactly the same. \r\nThis technique is very similar to the three-pronged trident attack reported by a Kaspersky\r\nresearcher. Both thinprobe.exe and IntgStat.exe side-loading hosts were previously used by LuckyMouse to load\r\nHyperBro. \r\nNote, however, that contrary to previously documented HyperBro droppers employing such a trident, the\r\npayload here is not Shikata Ga Nai encoded but XOR encoded with the value 0x04. 
\r\nThe C\u0026C URL of the HyperBro implant used with the trojanized Able Desktop installer\r\nis https://developer.firefoxapi[.]com/ajax, while the C\u0026C URL used by the one downloaded by the legitimate Able\r\nDesktop is https://139.180.208[.]225/ajax.\r\nConsidering HyperBro’s compilation timestamps, the version used with the trojanized installer was compiled Fri\r\nDec 08 05:22:23 2017 while the version downloaded by Able Desktop was compiled Mon Mar 11 03:23:54 2019.\r\nThis suggests that the trojanized installer was used before the version downloaded by the Able Desktop\r\nupdater. The trojanized installer was first seen in our telemetry in May 2018, while the version downloaded by\r\nAble Desktop was first seen in June 2020 (see the timeline in Figure 2). \r\nKorplug \r\nThe Korplug RAT (also known as PlugX) is used by multiple different threat groups. In this case, it was only\r\ndelivered via the trojanized Able Desktop installer and we have seen no occurrence of Korplug being downloaded\r\nby legitimate Able Desktop software. \r\nAs mentioned previously, and similar to installers trojanized with HyperBro, Korplug is bundled in the installer\r\nwith the legitimate Able Desktop and executed twice via the trident model by DLL side-loading,\r\nusing IntgStat.exe as host executable and then siteadv.exe. The same DLL is used to decode and execute\r\nthe thumbs.db XOR-encoded payload as the one used with the installer trojanized with HyperBro, providing a\r\nstrong link between these two trojanized installers. \r\nThe C\u0026C address used by Korplug is 45.77.173[.]124:443. Interestingly, this address was also used by\r\na CobaltStrike implant targeting a school in Mongolia during the same timeframe. 
\r\nIts compilation timestamp (Sun Dec 08 06:22:34 2019) as well as the compilation timestamp of the installer (Wed\r\nSep 04 16:52:04 2019) suggest that it was used after the Able Desktop installer trojanized with HyperBro and\r\nbefore HyperBro was downloaded by legitimate Able Desktop software. See the timeline in Figure 2. \r\nTmanger \r\nTmanger is a RAT that was first documented by NTT Security and that was used in Operation Lagtime IT, which\r\nwas attributed to TA428 by Proofpoint. It is called Tmanger because that is apparently the name given by\r\nits developer, as can be seen from a PDB path, for example: \r\nc:\\users\\waston\\desktop\\20190403_tmanger\\20191118 tm_new 1.0\\release\\mloaddll.pdb \r\nIn the variant we observed during Operation StealthyTrident, no PDB path was present, but it is still very\r\nsimilar to the one documented by NTT Security in their blogpost. As an example of the similarity between the two\r\nsamples, the connection procedure used by one of the Tmanger samples documented by\r\nNTT Security (14140782A68FF20000C7E9F58336620A65D4D168) and the one dropped by Able Desktop are\r\nshown side-by-side in Figure 6.\r\nFigure 6. Comparison of the connection routine in the Tmanger sample dropped by legitimate Able Desktop (left) and\r\none of the samples documented by NTT Security\r\nOne notable difference is that in the case of the Able Desktop\r\nvariant, Tmanger is packaged in one single executable, while the variant described by NTT Security consists of\r\nthree DLLs.\r\nESET telemetry shows the first download of this Tmanger variant by the legitimate Able Desktop software in July\r\n2020. Tmanger replaced HyperBro on that system and HyperBro was not seen downloaded to it after that. 
\r\nThe C\u0026C addresses used by this Tmanger implant, downloaded by Able Desktop, are stored in an RC4-encrypted\r\nconfiguration and are the following: \r\n45.77.55[.]145:80 \r\n45.77.55[.]145:443 \r\n45.77.55[.]145:8080 \r\nThe communication protocol is TCP and the messages are RC4 encrypted. \r\nInterestingly, the first address is part of the ShadowPad network infrastructure and, to the best of our\r\nknowledge, none of these addresses overlap with LuckyMouse infrastructure. \r\nConclusion \r\nESET Research discovered a campaign targeting Mongolian organizations that relied on compromised Able\r\nDesktop installers and a compromise of the Able update system to deliver the HyperBro, Korplug and\r\nTmanger malware. \r\nThis campaign shows a connection with the ShadowPad backdoor, as we observed network infrastructure\r\noverlaps between the ShadowPad C\u0026C network infrastructure and one of the Tmanger C\u0026C addresses. \r\nApart from the use of HyperBro, developed and commonly used by LuckyMouse, we found no significant overlap\r\nwith the LuckyMouse toolset or network infrastructure. Does this mean that LuckyMouse has access to\r\nShadowPad and Tmanger, or did LuckyMouse share their access to a compromised Able Desktop update\r\nserver with the TA428 group? Another hypothesis could be that, similarly to\r\nShadowPad, HyperBro is now shared with other threat actors. Finally, one last hypothesis could be that\r\nLuckyMouse and TA428 are closely related threat actors or are actually the same. \r\nIndicators of Compromise can also be found on GitHub. For any inquiries, or to make sample submissions related\r\nto the subject, contact us at: threatintel@eset.com. \r\nAcknowledgment \r\nThe author would like to thank Matthieu Faou, who contributed to this research. 
\r\nIoCs \r\nESET detection names \r\nWin32/HyperBro.AD \r\nWin32/LuckyMouse.BL \r\nWin32/Korplug.ND \r\nWin32/Korplug.QD\r\nWin64/Spy.Tmanger.A\r\nTrojanized Able Desktop \r\n0B0CF4ADA30797B0488857F9A3B1429F44335FB6\r\nB51835A5D8DA77A49E3266494A8AE96764C4C152 \r\nPayload loader \r\n23A227DD9B77913D15735A25EFB0882420B1DE81\r\n2A630E25D0C1006B6DBD7277F8E52A3574BEFFEC \r\nHyperBro \r\n8FFF5C6EB4DAEE2052B3578B73789EB15711FEEE\r\n0550AAE6E3CEABCEF2A3F926339E68817112059A \r\nKorplug \r\n5D066113534A9E31F49BEFDA560CF8F8890496D0 \r\nTmanger \r\nED6CECFDAAEB7F41A824757862640C874EF3F7AE \r\nC\u0026C domains \r\ndeveloper.firefoxapi[.]com \r\nC\u0026C IP addresses \r\n45.77.173[.]124\r\n45.77.55[.]145\r\n139.180.208[.]225 \r\nC\u0026C URLs \r\nhttps://developer.firefoxapi[.]com/ajax\r\nhttps://139.180.208[.]225/ajax \r\nMITRE ATT\u0026CK techniques \r\nNote: This table was built using version 8 of the MITRE ATT\u0026CK framework. \r\nTactic | ID | Name | Description\r\nInitial Access | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | One of the Able update servers was likely compromised in order to deploy HyperBro and Tmanger.\r\nExecution | T1204.002 | User Execution: Malicious File | Able Desktop trojanized installer is executed by the user.\r\nPersistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading | HyperBro, Korplug and Tmanger are executed via DLL side-loading.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | HyperBro and Korplug payloads are XOR encoded.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | Tmanger configuration is RC4 encrypted.\r\n
Defense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading | HyperBro and Korplug side-loading hosts are legitimate, signed executables from trusted security vendors.\r\nCollection | T1056.001 | Input Capture: Keylogging | Tmanger supports keylogging.\r\nCollection | T1113 | Screen Capture | Tmanger supports screen capture.\r\nCommand And Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | Tmanger messages are RC4 encrypted.\r\nCommand And Control | T1008 | Fallback Channels | Tmanger can fall back to a secondary C\u0026C.\r\nCommand And Control | T1095 | Non-Application Layer Protocol | Tmanger communicates using raw TCP.\r\nCommand And Control | T1071.001 | Application Layer Protocol: Web Protocols | HyperBro communication protocol is HTTP.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | Tmanger can exfiltrate files via a dedicated command.\r\nSource: https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/"
	],
	"report_names": [
		"luckymouse-ta428-compromise-able-desktop"
	],
	"threat_actors": [
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5d9dfc61-6138-497a-b9da-33885539f19c",
			"created_at": "2022-10-25T16:07:23.720008Z",
			"updated_at": "2026-04-10T02:00:04.726002Z",
			"deleted_at": null,
			"main_name": "Icefog",
			"aliases": [
				"ATK 23",
				"Dagger Panda",
				"Icefog",
				"Red Wendigo"
			],
			"source_name": "ETDA:Icefog",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Dagger Three",
				"Fucobha",
				"Icefog",
				"Javafog",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1",
			"created_at": "2023-01-06T13:46:39.042499Z",
			"updated_at": "2026-04-10T02:00:03.194713Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"BRONZE DUDLEY",
				"Colourful Panda"
			],
			"source_name": "MISPGALAXY:TA428",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434276,
	"ts_updated_at": 1775792241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0d6e2cd5a8c62b5a04344af2b6a6999932c5ab2c.pdf",
		"text": "https://archive.orkl.eu/0d6e2cd5a8c62b5a04344af2b6a6999932c5ab2c.txt",
		"img": "https://archive.orkl.eu/0d6e2cd5a8c62b5a04344af2b6a6999932c5ab2c.jpg"
	}
}