{
	"id": "ec17fd39-82b8-4a27-8923-b38632e188dc",
	"created_at": "2026-04-06T00:11:42.523542Z",
	"updated_at": "2026-04-10T13:11:35.791231Z",
	"deleted_at": null,
	"sha1_hash": "0dbf6231490c24f493afe7cdf6770892a36df9d1",
	"title": "Bitter APT adds Bangladesh to their targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1984610,
	"plain_text": "Bitter APT adds Bangladesh to their targets\r\nBy Chetan Raghuprasad\r\nPublished: 2022-05-11 · Archived: 2026-04-05 16:31:27 UTC\r\nCisco Talos has observed an ongoing malicious campaign since August 2021 from the Bitter APT group\r\nthat appears to target users in Bangladesh, a change from the attackers' usual victims.\r\nAs part of this, there's a new trojan based on Apost Talos is calling \"ZxxZ,\" that, among other features,\r\nincludes remote file execution capability.\r\nBased on the similarities between the C2 server in this campaign and that of Bitter's previous campaign,\r\nwe assess with moderate confidence that this campaign is operated by the Bitter APT group.\r\nExecutive Summary\r\nCisco Talos discovered an ongoing campaign operated by what we believe is the Bitter APT group since August\r\n2021. This campaign is a typical example of the actor targeting South Asian government entities.\r\nThis campaign targets an elite unit of the Bangladeshi government with a themed lure document purporting to relate\r\nto the regular operational tasks in the victim's organization. The lure document arrives in a spear-phishing email sent to\r\nhigh-ranking officers of the Rapid Action Battalion Unit of the Bangladesh police (RAB). The emails contain\r\neither a malicious RTF document or a Microsoft Excel spreadsheet weaponized to exploit known vulnerabilities.\r\nOnce the victim opens the maldoc, the Equation Editor application is automatically launched to run the embedded\r\nobjects containing the shellcode to exploit known vulnerabilities described by CVE-2017-11882, CVE-2018-0798\r\nand CVE-2018-0802 — all in Microsoft Office — then downloads the trojan from the hosting server and runs it\r\non the victim's machine. The trojan masquerades as a Windows Security update service and allows the malicious\r\nactor to perform remote code execution, opening the door to other activities by installing other tools. 
In this\r\ncampaign, the trojan runs itself but the actor has other RATs and downloaders in their arsenal.\r\nSuch surveillance campaigns could allow the threat actors to access the organization's confidential information\r\nand give their handlers an advantage over their competitors, regardless of whether they're state-sponsored.\r\nBitter threat actor\r\nBitter, also known as T-APT-17, is a suspected South Asian threat actor. They have been active since 2013,\r\ntargeting energy, engineering and government sectors in China, Pakistan and Saudi Arabia. In their latest\r\ncampaign, they have extended their targeting to Bangladeshi government entities.\r\nBitter is mainly motivated by espionage. The adversary typically downloads malware onto compromised\r\nendpoints from their hosting server via HTTP and uses DNS to establish contact with the command and control.\r\nBitter is known for exploiting known vulnerabilities in victims' environments. For example, in 2021, security\r\nresearchers discovered that the adversary was exploiting the zero-day vulnerability CVE-2021-28310, a security\r\nhttps://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html\r\nPage 1 of 19\n\nflaw in Microsoft's Desktop Manager. Bitter is known to target both mobile and desktop platforms. Their arsenal\r\nmainly contains Bitter RAT, Artra downloader, SlideRAT and AndroRAT.\r\nInfrastructure\r\nThe actor's infrastructure consists of the C2 server (helpdesk[.]autodefragapp[.]com) and several domains that host\r\nthe adversary's malware, which are outlined below.\r\nDomains hosting Bitter APT malware.\r\nThe SSL thumbprints are unique for each domain's certificate. We compiled a list of these SSL thumbprints in the\r\nIOCs section of the report. 
The timeline below shows the various domains based on their certificate creation date.\r\nThe C2 host is helpdesk[.]autodefragapp[.]com. Its WhoIs record indicates that the domain autodefragapp[.]com\r\nwas registered in November 2020 and later updated on Nov. 3, 2021. We have seen the actor use this C2 in\r\nprevious campaigns.\r\nThe C2 domain resolved to 99[.]83[.]154[.]118 during the period of the campaign. This is a legitimate IP address\r\nfor the AWS Global Accelerator networking service. Usually, the AWS Global Accelerator provides static IPs to\r\nthe registrant, which allows the user to redirect traffic to their application or host for improved performance. In\r\nthis case, we believe that the actor is using the AWS Global Accelerator to redirect traffic to their actual C2 host,\r\nwhich is parked behind the legitimate AWS service. We believe that the actor has employed this technique to\r\nconceal their identity.\r\nAttribution\r\nWe assess with moderate confidence that this campaign is operated by Bitter based on the use of the same C2 IP\r\naddress from previous campaigns and similarities in the decrypted strings of the payload, such as module names,\r\npayload executable name, paths and the constants.\r\nThe 99[.]83[.]154[.]118 IP also hosts mswsceventlog[.]net, according to Cisco Umbrella, a domain that was\r\npreviously reported as Bitter's C2 server in a campaign against Pakistani government organizations.\r\nThe campaign\r\nCisco Talos observed an ongoing campaign operated by the Bitter APT group since August 2021 targeting\r\nBangladeshi government personnel with spear-phishing emails. The email contains a maldoc attachment and\r\nmasquerades as a legitimate email. 
The sender asks the target to review or verify the attached maldoc, which is\r\neither a call data record (CDR), a list of phone numbers, or a list of registered cases. We have seen the actor use\r\nthese themes in phishing emails in the past.\r\nThe maldocs are an RTF document and Microsoft Excel spreadsheets. Examples of the specific subjects of the\r\nphishing emails are below.\r\nSubject: CDR\r\nSubject: Application for CDR\r\nSubject: List of Numbers to be verified\r\nSubject: List of registered cases\r\nThe maldocs' file names are consistent with the phishing emails' themes, as seen in the list of file names below:\r\nPassport Fee Dues.xlsx\r\nList of Numbers to be verified.xlsx\r\nASP AVIJIT DAS.doc\r\nAddl SP Hafizur Rahman.doc\r\nAddl SP Hafizur Rahman.xlsx\r\nRegistered Cases List.xlsx\r\nBelow are two spear-phishing email samples of this campaign.\r\nPhishing email sample 1\r\nPhishing email sample 2\r\nThe actor is using JavaMail with the Zimbra web client version 8.8.15_GA_4101 to send the emails. Zimbra is a\r\ncollaborative software suite that includes an email server and a web client for messaging.\r\nPhishing email header information.\r\nThe originating IP address and header information indicate the emails were sent from mail servers based in\r\nPakistan and the actor spoofed the sender details to make the email appear as though it was sent from Pakistani\r\ngovernment organizations. The actor exploited a possible vulnerability in the Zimbra mail server. By modifying\r\nthe Zimbra mail server configuration file, a user can send emails from a non-existing email account/domain. 
We\r\nhave compiled a list of fake sender email addresses from this campaign:\r\ncdrrab13bd@gmail[.]com\r\narc@desto[.]gov[.]pk\r\nso.dc@pc[.]gov[.]pk\r\nmem_psd@pc[.]gov[.]pk\r\nchief_pia@pc[.]gov[.]pk\r\nrab3tikatuly@gmail[.]com\r\nddscm2@pof[.]gov[.]pk\r\nThe infection chain\r\nThe infection chain begins with the spear-phishing email and either a malicious RTF document or an Excel\r\nspreadsheet attachment. When the victim opens the attachment, it launches the Microsoft Equation Editor\r\napplication to execute the equations in the form of OLE objects and connects to the hosting server to download\r\nand run the payload.\r\nMalicious RTF infection chain summary.\r\nIn the case of a malicious Excel spreadsheet, when the victim opens the file, it launches the Microsoft Equation\r\nEditor application to execute the embedded equation object and launches the task scheduler to configure two\r\nscheduled tasks. One of the scheduled tasks downloads the trojan \"ZxxZ\" into the public user's account space,\r\nwhile the other task runs \"ZxxZ\".\r\nMalicious Excel infection chain summary.\r\nThe payload runs as a Windows security update service on the victim's machine and establishes communication\r\nwith the C2 to remotely download and execute files in the victim's environment.\r\nRTF document\r\nThe malicious RTF document is weaponized to exploit the stack overflow vulnerability CVE-2017-11882, which\r\nenables arbitrary code execution on victims' machines running vulnerable versions of Microsoft Office. 
Our\r\nprevious blog outlines how this particular exploit works in the victim's environment.\r\nMalicious RTF document sample.\r\nThe RTF document is embedded with an OLE object with the class name \"Equation 3.0.\" It contains the shellcode\r\nas an equation formula created using Microsoft Equation Editor.\r\nEmbedded Microsoft Equation object.\r\nWhen the victim opens the RTF file with Microsoft Word, it invokes the Equation Editor application and executes\r\nthe equation formula containing the Return-Oriented Programming (ROP) gadgets. The ROP chain loads and executes\r\nthe shellcode located at the end of the maldoc in an encrypted format, which connects to the malicious host\r\nolmajhnservice[.]com and downloads the payload from the URL hxxp[:]//olmajhnservice[.]/nxl/nx. The payload is\r\ndownloaded into the folder \"C:\\$Utf\" created by the shellcode and runs as a process on the victim's machine.\r\nDownload URL captured during runtime of the maldoc.\r\nExcel spreadsheet\r\nThe malicious Excel spreadsheet is weaponized to exploit the Microsoft Office memory corruption vulnerabilities\r\nCVE-2018-0798 and CVE-2018-0802.\r\nWhen the victim opens the Excel spreadsheet, it launches the Microsoft Equation Editor application to execute the\r\nembedded Microsoft Equation 3.0 objects.\r\nMalicious Excel spreadsheet.\r\nOnce the Microsoft Equation Editor service executes the embedded objects, it invokes the scheduled task service\r\nto configure the task scheduler with the commands shown below:\r\nTask 1: Rdx\r\nTask 2: RdxFac\r\nThe actor creates the folder \"RdxFact\" in the Windows tasks folder and schedules two tasks with the task names\r\n\"Rdx\" and \"RdxFac\" to 
run every five minutes. When the first task runs, the victim's machine attempts to connect\r\nto the hosting server through the URL and, using the cURL utility, downloads \"RdxFactory.exe\" into the\r\npublic user profile's music folder. RdxFactory.exe is the trojan downloader.\r\nFive minutes after the first task, \"Rdx,\" has run, the second task, \"RdxFac,\" runs to start the payload.\r\nBased on other related samples we discovered, the actor also uses different folder names, task names and dropper\r\nfile names in their campaigns.\r\nWe noticed that the actor is using the cURL command-line utility to download the payload in the Windows\r\nenvironment. Systems running Windows 10 and later ship with the cURL utility, which the actor abuses in this\r\ncampaign.\r\nThe payload\r\nThe payload is a 32-bit Windows executable compiled in Visual C++ with a timestamp of Sept. 10, 2021. We\r\nnamed the trojan \"ZxxZ\" based on the name of a separator that the payload uses while sending information to the\r\nC2. This trojan is a downloader that downloads and executes a remote file. The executables were seen with the\r\nfilenames \"Update.exe\", \"ntfsc.exe\" or \"nx\" in this campaign. 
They are either downloaded or dropped into the\r\nvictim's \"local application data\" folder and run as a Windows Security update with medium integrity to elevate the\r\nprivileges of a standard user.\r\nThe actor uses common encoding techniques to obfuscate strings in the WinMain function to hide its behavior\r\nfrom static analysis tools.\r\nWinMain function snippet.\r\nThe decryption function receives the encrypted strings, decrypts each character with an XOR operation and\r\nstores the result in an array that is returned to the calling function.\r\nDecryption function.\r\nThe malware searches for the Windows Defender and Kaspersky antivirus processes on the victim's machine by\r\ncreating a snapshot of running processes using CreateToolhelp32Snapshot and iterating through each process\r\nusing the APIs Process32First and Process32Next.\r\nWinMain() snippet showing antivirus process detection.\r\nThe information-gathering function gathers the victim's hostname, operating system product name, and the\r\nvictim's username and writes them into a memory buffer.\r\nInformation-gathering function.\r\nThe C2 communication function at offset 401C50 is called from two other request-making functions to send\r\nthe victim's information with the decrypted strings \"xnb/dxagt5avbb2.php?txt=\" and \"data1.php?id=\" to the C2 and\r\nreceive the response.\r\nThe received response is a remote file saved into the \"debug\" folder and executed with the API \"ShellExecuteA\".\r\nIn our research debugging environment, the remote file is similar to the trojan.\r\nRequest-making function 1 at offset 00401E00.\r\nRequest-making function 2 at offset 00402130.\r\nC2 communication\r\nFor C2 communication, the trojan first sends the victim's computer name, user name, a separator \"ZxxZ\" and the\r\nWindows version pulled from the registry. The server responds with data in the format \u003cid\u003e\u003cuser\u003e:\"\u003cProgram name\"\u003e.\r\nNext, the malware requests the program data. The server sends back the data of the Portable Executable,\r\neffectively matching the pattern \u003czero or more bytes\u003eZxxZ\u003cPE data minus the MZ\u003e. It then saves the file to\r\n%LOCALAPPDATA%\\Debug\\\u003cprogram name\u003e.exe and tries to execute it.\r\nRequest sent to C2.\r\nIf the download is successful, the server sends back a response with the opcode DN-S and, in case of a failure, the\r\nopcode RN_E. Based on our analysis, the opcode DN-S means \"download successful\" and RN_E\r\nstands for run error. If it fails, the malware attempts to download the program data 225 times, and after that, it will\r\nlaunch itself and exit.\r\nConclusion\r\nOrganizations should be vigilant about the highly motivated threat actors who are known to conduct targeted\r\nattacks in their region. 
Threat actors usually emerge with smart techniques to accomplish their adversarial\r\nobjectives and we have seen such an attempt in this campaign with the addition of a new variant to their arsenal.\r\nIn this current campaign, upon compromising the victim's machine and implanting the trojan ZxxZ - which has\r\nremote file execution capability - the adversary can deploy and run other tools from their arsenal to achieve their\r\nmalicious objective.\r\nOrganizations should have a layered defense strategy with the implementation of the latest detection rules and\r\nbehavioral protections in their endpoint defense solutions - not only with technical controls, but the organizations\r\nshould also have mature incident response plans and a streamlined security posture to protect\r\ntheir environment against the latest threats.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. 
You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically\r\nand alerts users of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nThe following ClamAV signatures have been released to detect this threat:\r\nOle2.Exploit.ZxxZDownloader-9944376-0\r\nWin.Downloader.ZxxZ-9944378-0\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nSnort SIDs for this threat are 59736 and 300132.\r\nIOC\r\nDomains\r\nolmajhnservice[.]com\r\nlevarisnetqlsvc[.]net\r\nurocakpmpanel[.]com\r\ntomcruefrshsvc[.]com\r\nautodefragapp[.]com\r\nhelpdesk[.]autodefragapp[.]com\r\nSource: https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html"
	],
	"report_names": [
		"bitter-apt-adds-bangladesh-to-their.html"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "acd789fa-d488-47f3-b9cc-fdb18b1fa375",
			"created_at": "2023-01-06T13:46:39.332092Z",
			"updated_at": "2026-04-10T02:00:03.290017Z",
			"deleted_at": null,
			"main_name": "HAZY TIGER",
			"aliases": [
				"T-APT-17",
				"APT-C-08",
				"Orange Yali",
				"TA397"
			],
			"source_name": "MISPGALAXY:HAZY TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86fd71d3-06dc-4b73-b038-cedea7b83bac",
			"created_at": "2022-10-25T16:07:23.330793Z",
			"updated_at": "2026-04-10T02:00:04.545236Z",
			"deleted_at": null,
			"main_name": "APT 17",
			"aliases": [
				"APT 17",
				"ATK 2",
				"Beijing Group",
				"Bronze Keystone",
				"Deputy Dog",
				"Elderwood",
				"Elderwood Gang",
				"G0025",
				"G0066",
				"Operation Aurora",
				"Operation DeputyDog",
				"Operation Ephemeral Hydra",
				"Operation RAT Cook",
				"SIG22",
				"Sneaky Panda",
				"TEMP.Avengers",
				"TG-8153",
				"Tailgater Team"
			],
			"source_name": "ETDA:APT 17",
			"tools": [
				"9002 RAT",
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"Briba",
				"Chymine",
				"Comfoo",
				"Comfoo RAT",
				"Darkmoon",
				"DeputyDog",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Jumpall",
				"Kaba",
				"Korplug",
				"Linfo",
				"MCRAT.A",
				"McRAT",
				"MdmBot",
				"Mdmbot.E",
				"Moudour",
				"Mydoor",
				"Naid",
				"Nerex",
				"PCRat",
				"PNGRAT",
				"Pasam",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Naid",
				"Vasport",
				"Wiarp",
				"Xamtrav",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434302,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0dbf6231490c24f493afe7cdf6770892a36df9d1.pdf",
		"text": "https://archive.orkl.eu/0dbf6231490c24f493afe7cdf6770892a36df9d1.txt",
		"img": "https://archive.orkl.eu/0dbf6231490c24f493afe7cdf6770892a36df9d1.jpg"
	}
}