{
	"id": "6446ba3d-5140-412a-bc58-c3dcc176cb69",
	"created_at": "2026-04-06T00:13:31.411151Z",
	"updated_at": "2026-04-10T03:36:06.730744Z",
	"deleted_at": null,
	"sha1_hash": "0f276d28e67ebfc180c8bc9536f13afd5696a876",
	"title": "LevelBlue - Open Threat Exchange",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 255979,
	"plain_text": "LevelBlue - Open Threat Exchange\r\nBy mohdrennis\r\nArchived: 2026-04-02 10:50:12 UTC\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:HTTPBROWSER\r\nPage 1 of 8\r\n\r\nTokyoX: DLL side-loading an unknown artifact (Part 2)\r\nFileHash-MD5: 1 | FileHash-SHA1: 1 | FileHash-SHA256: 3 | URL: 1\r\nA security researcher has identified a threat that is being used to infect a computer and send it to the command and control server (C2) in Mexico, where the attacker is based.\r\n354 Subscribers\r\n\r\nThreat Research | FireEye Inc\r\nFind out more about FireEye.com, the world's leading cyber security company, which provides security services to more than 1.5 million customers across the globe, and offers a wide range of products and services.\r\n17 Subscribers\r\n88 Subscribers\r\n\r\nThreat Group-3390 | HttpBrowser Malware\r\nThe full list of partners has been announced by the US-based company, Secure.com, which aims to bring together more than 1,000 companies across the world to develop a range of security solutions.\r\n354 Subscribers\r\n\r\nAPT group leveraging HT exploits to target a Financial Services\r\nCVE: 1 | Hostname: 1\r\nAs predicted following the leak of Hacking Team exploit codes covered here, the Zscaler security research team has recently started seeing a Chinese cyber espionage group weaponizing malware payloads using the 0-day exploits found in the leaked Hacking Team archives. As such, this new attack represents a dangerous new hybrid combining the work of a notorious cyber criminal gang with a Chinese cyber espionage group to attack a financial services firm. Zscaler's cloud sandboxes recently detected a Remote Access Trojan (RAT) being delivered by a well-known Chinese cyber espionage group using the Hacking Team’s 0-day exploits. This attack was specifically targeting a well-known financial services firm. The exploit files involved were identical to the Hacking Team's leaked exploit HTML, JavaScript, and ShockWave Flash 0-day files. The end payload that was installed is the HttpBrowser RAT, known to be used by the Chinese group in previous targeted attacks against governments.\r\n373,184 Subscribers\r\n\r\nThreat Group-3390 Targets Organizations for Cyberespionage\r\nCVE: 2 | FileHash-MD5: 102 | FileHash-SHA256: 37 | YARA: 8 | Domain: 4 | Hostname: 61\r\nDell SecureWorks Counter Threat Unit(TM) (CTU) researchers investigated activities associated with Threat Group-3390[1] (TG-3390). Analysis of TG-3390's operations, targeting, and tools led CTU researchers to assess with moderate confidence the group is located in the People's Republic of China. The threat actors target a wide range of organizations: CTU researchers have observed TG-3390 actors obtaining confidential data on defense manufacturing projects, but also targeting other industry verticals and attacking organizations involved in international relations. The group extensively uses long-running strategic web compromises[2] (SWCs), and relies on whitelists to deliver payloads to select victims. In comparison to other threat groups, TG-3390 is notable for its tendency to compromise Microsoft Exchange servers using a custom backdoor and credential logger.\r\n373,184 Subscribers\r\n\r\nAn analysis of exploit supply chains and digital quartermasters\r\nCVE: 2 | FileHash-MD5: 81 | URL: 39 | Domain: 3 | Hostname: 34\r\nOn July 5, 2015 an unknown hacker publicly announced on Twitter that he had breached the internal network of Hacking Team – an Italian pentesting company known to purchase 0-day exploits and produce their own trojans. The hacker proceeded to leak archives of internal Hacking Team tools and communications. A number of tools and previously unknown exploits were discovered in the trove of data posted online. In the attached paper we will focus on two exploits which at the time of discovery in the Hacking Team archives were unpatched. The two 0-days in question targeted Adobe Flash and were subsequently labeled CVE-2015-5119 and CVE-2015-5122.\r\n373,184 Subscribers\r\n\r\nEVASIVE MANEUVERS BY THE WEKBY GROUP\r\nFileHash-MD5: 3 | URL: 2 | Hostname: 4\r\nThreatStream Labs recently became aware of a campaign beginning on 30 June 2015 by the omnipresent Wekby threat actors (a/k/a TG-0416, APT-18, Dynamite Panda). The Wekby actors have recently been observed compromising organizations in the Manufacturing, Technology and Utilities verticals, but have had a long standing interest in the HealthCare industry. This campaign uses obfuscated variants of the HTTPBrowser tool that use DNS as a control channel.\r\n373,184 Subscribers\r\n\r\nChinese APT activity\r\nThreatConnect identifies Chinese targeting of two companies. Economic espionage or military intelligence?\r\n474 Subscribers\r\n\r\nEvasive Maneuvers by Wekby with Rop-packing, DNS Covert Channels\r\nThreatStream Labs recently became aware of a campaign beginning on 30 June 2015 by the omnipresent Wekby threat actors (a/k/a TG-0416, APT-18, Dynamite Panda). The Wekby actors have recently been observed compromising organizations in the Manufacturing, Technology and Utilities verticals, but have had a long standing interest in the HealthCare industry. This campaign uses obfuscated variants of the HTTPBrowser tool that use DNS as a control channel. This recent campaign exhibits many of the group's key characteristics to deliver a more technically advanced version of their toolkit than has previously been found. The Wekby group is keen on using phishes that purport to be from the IT helpdesk, often with links or attachments claiming to be vpn or citrix upgrades. This specific instance used a “cisco” vpnclient theme.\r\n86 Subscribers\r\n267 Subscribers\r\n86 Subscribers\r\n\r\nWe've found 97 indicators\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:HTTPBROWSER",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://otx.alienvault.com/browse/pulses?q=tag:HTTPBROWSER"
	],
	"report_names": [
		"pulses?q=tag:HTTPBROWSER"
	],
	"threat_actors": [
		{
			"id": "17b92337-ca5f-48bb-926b-c93b5e5678a4",
			"created_at": "2022-10-25T16:07:23.333316Z",
			"updated_at": "2026-04-10T02:00:04.546474Z",
			"deleted_at": null,
			"main_name": "APT 18",
			"aliases": [
				"APT 18",
				"Dynamite Panda",
				"G0026",
				"Red Wraith",
				"SILVERVIPER",
				"Satin Typhoon",
				"Scandium",
				"TG-0416",
				"Wekby"
			],
			"source_name": "ETDA:APT 18",
			"tools": [
				"AngryRebel",
				"AtNow",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HttpBrowser RAT",
				"HttpDump",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Pisloader",
				"QUICKBALL",
				"Roseam",
				"StickyFingers",
				"Token Control",
				"TokenControl",
				"hcdLoader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c8aefee7-fb57-409b-857e-23e986cb4a56",
			"created_at": "2023-01-06T13:46:38.285223Z",
			"updated_at": "2026-04-10T02:00:02.910756Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"SCANDIUM",
				"PLA Navy",
				"Wekby",
				"G0026",
				"Satin Typhoon",
				"DYNAMITE PANDA",
				"TG-0416"
			],
			"source_name": "MISPGALAXY:APT18",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2669aa86-663f-4e72-9362-9e61ff3599f4",
			"created_at": "2022-10-25T15:50:23.344796Z",
			"updated_at": "2026-04-10T02:00:05.38663Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"APT18",
				"TG-0416",
				"Dynamite Panda",
				"Threat Group-0416"
			],
			"source_name": "MITRE:APT18",
			"tools": [
				"hcdLoader",
				"gh0st RAT",
				"cmd",
				"Pisloader",
				"HTTPBrowser"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434411,
	"ts_updated_at": 1775792166,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0f276d28e67ebfc180c8bc9536f13afd5696a876.pdf",
		"text": "https://archive.orkl.eu/0f276d28e67ebfc180c8bc9536f13afd5696a876.txt",
		"img": "https://archive.orkl.eu/0f276d28e67ebfc180c8bc9536f13afd5696a876.jpg"
	}
}