{
	"id": "7c397e6b-afc5-4874-898d-2f55ab83ac7a",
	"created_at": "2026-04-06T00:21:47.282028Z",
	"updated_at": "2026-04-10T13:11:25.011717Z",
	"deleted_at": null,
	"sha1_hash": "1254633150a1efca21fb7c286b7c3885df459ae6",
	"title": "Threat Analysis: Active C2 Discovery Using Protocol Emulation Part3 (ShadowPad)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1142586,
	"plain_text": "Threat Analysis: Active C2 Discovery Using Protocol Emulation\r\nPart3 (ShadowPad)\r\nBy Takahiro Haruyama\r\nPublished: 2022-10-27 · Archived: 2026-04-05 20:19:42 UTC\r\nShadowPad is a modular malware platform privately shared with multiple PRC-linked threat actors since 2015. According to SentinelOne, ShadowPad is highly likely the successor to PlugX. Due to its prevalence in the cyber espionage field, the VMware Threat Analysis Unit (TAU) was motivated to analyze the command and control (C2) protocol to discover active ShadowPad C2s on the Internet.\r\nShadowPad supports six C2 protocols: TCP, SSL, HTTP, HTTPS, UDP, and DNS. In this research, TAU focuses on the TCP/HTTP(S)/UDP protocols, as the others (SSL and DNS) are not likely to be used by recent ShadowPad samples.\r\nThe packet format and the encoding algorithm differ between TCP and HTTP(S)/UDP.\r\nTable 1: Difference in packet format\r\n                                             | TCP        | HTTP(S)/UDP\r\nKey size (bytes)                             | 4          | 2\r\nHeader size (bytes)                          | 0x14       | 8\r\nPayload size in the initial handshake packet | up to 0x3F | HTTP(S): up to 0x1F, UDP: 0x10\r\nThe key for the encoding is included in the header. Every integer value in the header is big endian. Randomly-sized data is appended as the payload to the initial handshake packet in both cases.\r\nThe immediate values used by the encoding algorithms differ per variant (probably per ShadowPad builder version). Analysis was performed on three ShadowPad variants, which TAU was able to collect in August 2021, as displayed in Table 2. 
The SHA256 hash values are included in the Indicators of Compromise section below.\r\nTable 2: Analyzed ShadowPad variants\r\nVariant name              | C2 protocol | Config size | Attribution | Source\r\nVariant1 (aka ScatterBee) | TCP/UDP     | 0x896       | APT41       | Positive Technologies\r\nVariant2                  | HTTP(S)     | 0x85C       | Tonto Team  | ESET\r\nVariant3                  | HTTP(S)     | 0x85C       | unknown     | Positive Technologies\r\nhttps://blogs.vmware.com/security/2022/10/threat-analysis-active-c2-discovery-using-protocol-emulation-part3-shadowpad.html\r\nPage 1 of 13\n\nTCP Protocol\r\nAnalysis was performed to fully detail the C2 protocol. The TCP protocol header format is displayed as follows.\r\nstruct struc_common_header\r\n{\r\n    __int32 session_key;\r\n    __int32 plugin_and_cmd_id; // plugin_id (0x68) \u003c\u003c 16 + cmd_id (0x51)\r\n    __int32 module_code; // 0\r\n    __int32 payload_size_compressed;\r\n    __int32 payload_size_original;\r\n};\r\nThe header format has been the same since it was first analyzed in 2015. The session_key is randomly generated and then used for encoding both the header and the payload. The plugin_id and cmd_id values included in the plugin_and_cmd_id field have changed across variants, some of which are covered in this paper. The values in the initial packet created by Variant1 should be 0x68 (Online plugin) and 0x51 (check-in). The module_code of the initial packet generated by the sender is always 0 (zero).\r\nIf any payload data exists, it is compressed with the QuickLZ algorithm. QuickLZ is an older, publicly available compression routine that is not commonly seen. The client generates randomly-sized null bytes (up to 0x3F bytes) for the initial packet payload.\r\nVariant1’s encoding algorithm for the TCP packet in Python is displayed in Figure 1. 
Based on the protocol analysis results of Variant2 and Variant3, other variants of this malware are expected to use unique immediate values instead of 0x22F4B1BA for the TCP packet encoding.\r\nFigure 1: TCP packet encoding by Variant1\r\nAfter the initial handshake, Variant1 executes the commands of the plugins specified by the C2 server. For more details, review the Dr.WEB white paper explaining the individual command IDs and payload formats. The variant analyzed in that paper is older than Variant1, but the formats should be similar.\r\nHTTP(S) and UDP Protocols\r\nThe header format for the HTTP(S) and UDP protocols is listed below. In HTTP(S), the data is sent through the POST method.\r\nstruct struc_proto_header\r\n{\r\n    __int16 session_key;\r\n    __int16 type; // 0 in HTTP, req=0x1001/res=(0x2002|0x5005) in UDP\r\n    __int16 session_src_id; // random 2 bytes, generated by both client/server\r\n    __int16 session_dst_id; // req=0, res=client’s session_src_id\r\n};\r\nThe session_key has the same role as the TCP session_key, though the key size is different. The second field, type, is always 0 (zero) in the HTTP initial packet, while the UDP client and server send 0x1001/0x2002/0x5005. The session_src_id field is randomly generated by both client and server. The value sent by the client is set in the session_dst_id field on the server side.\r\nThe initial packet payload data are randomly generated based on QueryPerformanceCounter and other APIs. The HTTP payload size is also random, with a length of up to 31 (0x1F) bytes, while the UDP one is fixed at 16 (0x10) bytes.\r\nEach of the three variant encoding algorithms in Python is shown below. 
The immediate values in the code are different, but the algorithm itself is identical.\r\nFigure 2: UDP packet encoding by Variant1\r\nFigure 3: HTTP(S) packet encoding by Variant2\r\nFigure 4: HTTP(S) packet encoding by Variant3\r\nAfter the initial handshake, the payload contains the same data structure as the TCP packet (struc_common_header and its QuickLZ-compressed payload) explained in the previous section, while the type field value in the struc_proto_header is incremented.\r\nScanner Implementation\r\nTAU decided on the following target protocols/ports based on the configurations extracted from recent ShadowPad samples. As explained earlier, a scanner per variant had to be implemented due to the difference in the immediate values used in the encoding.\r\nTable 3: Target protocols/ports\r\nScanning start period | Target protocol/port/variant\r\nSeptember 2021        | HTTP/443 (Variant2 \u0026 Variant3)\r\nOctober 2021          | TCP/443 \u0026 UDP/53 (Variant1)\r\nJune 2022             | UDP/443 (Variant1), HTTP/80 (Variant3)\r\nThe following flow chart shows how the ShadowPad C2 servers are detected by the scanners.\r\nFigure 5: ShadowPad C2 detection flow\r\nSimilar to our Winnti 4.0 C2 scanning research, first the list of hosts open on the targeted ports is created by ZMap. Then the scanner sends the ShadowPad-formatted packets to all IP addresses on the list. Next, the scanner checks that the response packet size is larger than the header size and that the session_key differs from the one it sent, to exclude honeypots. If the size and key look valid, the scanner decodes the response packet. 
In the TCP protocol, the scanner validates the payload size fields (payload_size_compressed and payload_size_original). In the HTTP(S) and UDP protocols, the code verifies that the type field value is correct and that the response’s session_dst_id matches the session_src_id created by the scanner.\r\nThe following output log shows that eight Variant1 TCP servers were discovered by scanning the list of TCP/443 open hosts generated by ZMap. The command_id 0x53 from the C2s is a request to send system information of the infected host.\r\n2022/06/xx xx:00:02,log file opened: scan_results/sp_scan_auto_202206xx_xxxxxx.csv\r\n2022/06/xx xx:00:05,malware options: family = ShadowPad; targeted protocol = tcp (version = Variant1)\r\n2022/06/xx xx:00:09,ShadowPad specific options: version = Variant1; key size = 4; key endian = big; header size = 0x14; Online plugin ID = 0x68; CMD ID = 0x51; module code = 0x0\r\n2022/06/xx xx:00:16,51576779 open hosts read from corpus/2022-xx-xx_zmap22000ppsVPN_tcp_443.saddr\r\n2022/06/xx xx:43:46,45.137.10.3,active,compressed payload size matched (plugin_id=0x68, command_id=0x53, payload=None)\r\n2022/06/xx xx:40:28,45.32.248.92,active,compressed payload size matched (plugin_id=0x68, command_id=0x53, payload=None)\r\n..[SKIPPED]..\r\n2022/06/xx xx:01:05,43.129.188.223,active,compressed payload size matched (plugin_id=0x68, command_id=0x53, payload=None)\r\n2022/06/xx xx:48:35,51576779 scanned in 1 day, 17:48:32.497550\r\n2022/06/xx xx:48:35,8 suspicious/active servers found (DB new=4 update=4)\r\nIn order to detect the Variant2/Variant3 C2 servers, TAU uses only the HTTP protocol scanner, not the HTTPS one, because the ShadowPad C2s can accept multiple protocol requests at a single port. 
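The header layouts and the acceptance checks of the detection flow above, as an added example that is not part of the original post or of TAU’s scanner: it packs and parses struc_common_header and struc_proto_header with the standard struct module and runs the scanner’s checks (response larger than the header, session_key not echoed back, payload_size_compressed matching the bytes received for TCP, expected type and session_dst_id equal to our session_src_id for HTTP(S)/UDP) over constructed responses. Assumptions: the per-variant encoding of Figures 1-4 and the QuickLZ compression are not reproduced, so every packet here is plaintext; the sample responses are constructed, not captured traffic; and the function and constant names are the example’s own.

```python
import secrets
import struct

# struc_common_header (TCP handshake; also nested inside HTTP(S)/UDP payloads after
# the handshake): five big-endian int32 fields, 0x14 bytes.
COMMON_HDR_FMT = '>IIIII'
COMMON_HDR_SIZE = struct.calcsize(COMMON_HDR_FMT)   # 0x14
# struc_proto_header (HTTP(S)/UDP handshake): four big-endian int16 fields, 8 bytes.
PROTO_HDR_FMT = '>HHHH'
PROTO_HDR_SIZE = struct.calcsize(PROTO_HDR_FMT)     # 0x8

ONLINE_PLUGIN_ID = 0x68      # plugin_id of the Variant1 check-in
CMD_CHECKIN = 0x51           # cmd_id the client sends
CMD_SEND_SYSINFO = 0x53      # cmd_id the live C2s answered with in the scan log
UDP_TYPE_REQ = 0x1001
# type values accepted in a handshake response, per protocol
EXPECTED_RESPONSE_TYPES = {'http': (0x0,), 'https': (0x0,), 'udp': (0x2002, 0x5005)}


def build_checkin_tcp(session_key=None):
    # Client check-in: plugin 0x68 / cmd 0x51, module_code 0, then 0..0x3F null bytes.
    # Assumption: payload left uncompressed and packet unencoded (the real client
    # QuickLZ-compresses it and applies the Figure 1 encoding, not reproduced here).
    key = secrets.randbits(32) if session_key is None else session_key
    payload = bytes(secrets.randbelow(0x40))
    hdr = struct.pack(COMMON_HDR_FMT, key, (ONLINE_PLUGIN_ID << 16) | CMD_CHECKIN,
                      0, len(payload), len(payload))
    return key, hdr + payload


def parse_common_header(data):
    key, plugin_and_cmd, module_code, size_c, size_o = struct.unpack_from(COMMON_HDR_FMT, data)
    return {'session_key': key, 'plugin_id': plugin_and_cmd >> 16,
            'cmd_id': plugin_and_cmd & 0xFFFF, 'module_code': module_code,
            'payload_size_compressed': size_c, 'payload_size_original': size_o}


def check_tcp_response(sent_key, response):
    # Acceptance steps of the detection flow for an already decoded TCP response.
    if len(response) <= COMMON_HDR_SIZE:
        return 'ignored', 'response not larger than the 0x14-byte header'
    hdr = parse_common_header(response)
    if hdr['session_key'] == sent_key:
        return 'ignored', 'our session_key was echoed back (honeypot or reflector)'
    if hdr['payload_size_compressed'] != len(response) - COMMON_HDR_SIZE:
        return 'ignored', 'payload_size_compressed does not match the bytes received'
    pid, cid = hdr['plugin_id'], hdr['cmd_id']
    return 'active', f'compressed payload size matched (plugin_id=0x{pid:x}, command_id=0x{cid:x})'


def build_checkin_proto(proto, session_key=None, src_id=None):
    # HTTP(S)/UDP check-in: type 0 (HTTP) or 0x1001 (UDP), our random session_src_id,
    # session_dst_id 0, then up to 0x1F random bytes (HTTP) or exactly 0x10 (UDP).
    # Assumption: secrets-module randomness stands in for the QueryPerformanceCounter-
    # derived data, and the Figure 2-4 encodings are not applied.
    key = secrets.randbits(16) if session_key is None else session_key
    src = secrets.randbits(16) if src_id is None else src_id
    typ = UDP_TYPE_REQ if proto == 'udp' else 0x0
    payload = secrets.token_bytes(0x10 if proto == 'udp' else secrets.randbelow(0x20))
    return key, src, struct.pack(PROTO_HDR_FMT, key, typ, src, 0) + payload


def parse_proto_header(data):
    key, typ, src, dst = struct.unpack_from(PROTO_HDR_FMT, data)
    return {'session_key': key, 'type': typ, 'session_src_id': src, 'session_dst_id': dst}


def check_proto_response(proto, sent_key, sent_src_id, response):
    # Acceptance steps for an already decoded HTTP(S)/UDP response.
    if len(response) <= PROTO_HDR_SIZE:
        return 'ignored', 'response not larger than the 8-byte header'
    hdr = parse_proto_header(response)
    if hdr['session_key'] == sent_key:
        return 'ignored', 'our session_key was echoed back (honeypot or reflector)'
    typ = hdr['type']
    if typ not in EXPECTED_RESPONSE_TYPES[proto]:
        return 'ignored', f'unexpected type 0x{typ:x} for {proto}'
    if hdr['session_dst_id'] != sent_src_id:
        return 'ignored', 'session_dst_id does not carry our session_src_id'
    return 'active', f'client session ID matched (type=0x{typ:x})'


def run_samples():
    # Constructed responses (not captured traffic) exercising each branch of the flow.
    sent_key, _ = build_checkin_tcp(0x11223344)
    body = bytes(range(6))
    reply = (ONLINE_PLUGIN_ID << 16) | CMD_SEND_SYSINFO
    c2 = struct.pack(COMMON_HDR_FMT, 0x55667788, reply, 0, len(body), 0x20) + body
    echo = struct.pack(COMMON_HDR_FMT, sent_key, reply, 0, len(body), 0x20) + body
    hkey, hsrc, _ = build_checkin_proto('http', 0x1234, 0xD2DA)
    http_ok = struct.pack(PROTO_HDR_FMT, 0x9ABC, 0x0, 0x4242, hsrc) + bytes(4)
    http_bad_dst = struct.pack(PROTO_HDR_FMT, 0x9ABC, 0x0, 0x4242, 0x0001) + bytes(4)
    ukey, usrc, _ = build_checkin_proto('udp', 0x2345, 0x0CA2)
    udp_ok = struct.pack(PROTO_HDR_FMT, 0x8765, 0x5005, 0x1111, usrc) + bytes(0x10)
    udp_req_type = struct.pack(PROTO_HDR_FMT, 0x8765, UDP_TYPE_REQ, 0x1111, usrc) + bytes(0x10)
    return {
        'tcp_c2': check_tcp_response(sent_key, c2),
        'tcp_echo': check_tcp_response(sent_key, echo),
        'tcp_bad_len': check_tcp_response(sent_key, c2[:-2]),   # size field vs wire length
        'tcp_short': check_tcp_response(sent_key, c2[:COMMON_HDR_SIZE]),
        'http_ok': check_proto_response('http', hkey, hsrc, http_ok),
        'http_bad_dst': check_proto_response('http', hkey, hsrc, http_bad_dst),
        'udp_ok': check_proto_response('udp', ukey, usrc, udp_ok),
        'udp_req_type': check_proto_response('udp', ukey, usrc, udp_req_type),
    }


if __name__ == '__main__':
    for name, (verdict, why) in run_samples().items():
        print(f'{name:14} {verdict:8} {why}')
```

Run it directly to print the verdict for each constructed response. A real scanner would apply the variant’s decoding routine to the received bytes before handing them to the check_* functions; the session_key comparison is what keeps honeypots that simply reflect the probe out of the results.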
TAU noticed this feature while extracting the C2 server configurations from the sample (SHA256: d011130defd8b988ab78043b30a9f7e0cada5751064b3975a19f4de92d2c0025).\r\n[*] config size = 0x85c\r\n..\r\n[+] C2 Entry 0 (offset 0xbc): ‘HTTPS://wwa1we.wbew.amazon-corp.wikaba.com:443’\r\n[+] C2 Entry 1 (offset 0xed): ‘HTTP://wwa1we.wbew.amazon-corp.wikaba.com:443’\r\n..\r\nThe hostnames and ports in the entries matched exactly, but the protocols were different. In fact, TAU could verify that another active ShadowPad C2 accepts both protocols at the same port.\r\n$ ./c2fs.py -d -l corpus/query.txt -p 443 -f sp http Variant2\r\n..\r\n[*] malware options: family = ShadowPad; targeted protocol = http (version = Variant2)\r\n[*] ShadowPad specific options: version = Variant2; key size = 2; key endian = big; header size = 0x8; header type = 0x0; client session ID = 53978\r\n[D] POST: http://137.220.185.203:443/ (proxy={}, stream=True, timeout=30)\r\n[+] 137.220.185.203,active,client session ID matched (type=0x0)\r\n..\r\n$ ./c2fs.py -d -l corpus/query.txt -p 443 -f sp https Variant2\r\n..\r\n[*] malware options: family = ShadowPad; targeted protocol = https (version = Variant2)\r\n[*] ShadowPad specific options: version = Variant2; key size = 2; key endian = big; header size = 0x8; header type = 0x0; client session ID = 52256\r\n[D] POST: https://137.220.185.203:443/ (proxy={}, stream=True, timeout=30)\r\n[+] 137.220.185.203,active,client session ID matched (type=0x0)\r\n..\r\nThe same behavior may be seen in other protocol combinations such as TCP/SSL and UDP/DNS. 
However, it is impossible to test, because TAU has not yet obtained any samples of the variants with multiple C2 protocol plugins.\r\nResult\r\nBetween September 2021 and September 2022, TAU identified 83 ShadowPad C2 servers (75 unique IPs) on the Internet. The percentage of each variant is shown in Figure 6. During the tracking period, we observed that Variant1 had become more active.\r\nFigure 6: ShadowPad population by variant\r\nThe change in the number of active ShadowPad C2s is shown in Figure 7.\r\nFigure 7: Change in the number of active ShadowPad C2s\r\nCompared with 2021, the number of active C2s in 2022 has been on a declining trend, though the sharp drop in February 2022 was due to a system issue. The scanner may have missed a new variant lately, as ShadowPad changes the immediate values used in the packet encoding per variant. TAU will continuously improve the scanner as it obtains new variant samples.\r\nMalware Samples Sharing C2 IPs\r\nTAU identified three samples communicating with the ShadowPad C2 IP addresses on VirusTotal. 
The sample information is listed in Table 4.\r\nTable 4: Samples communicating with the ShadowPad C2 IPs\r\nSample malware family | C2 IP address   | C2 protocol/port used by sample | Sample submission date | C2 first-seen date by scanner | C2 last-seen date by scanner\r\nSpyder                | 156.240.104.149 | TLS/443                         | 2021/10/26             | 2021/10/16                    | 2021/10/16\r\nReverseWindow         | 43.129.188.223  | TCP/10333                       | 2022/02/27             | 2021/10/17                    | 2022/10/04\r\nShadowPad             | 213.59.118.124  | UDP/443                         | 2022/03/20             | 2022/03/06                    | 2022/09/27\r\nSpyder and ReverseWindow are APT malware utilized by PRC-linked cyber espionage threat actors (APT41 and LuoYu, respectively). All C2s were discovered by the TCP/443 Variant1 scanner, but the samples communicated with a different protocol or port. Except for the Spyder case, the C2s were accepting multiple protocols/ports at that time. The scanning system caught the C2s prior to the sample submissions in all cases.\r\nSpyder Code Similarity with Winnti 4.0\r\nIncidentally, it should be noted that the above-referenced Spyder sample contains code handling the same C2 command data structure as Winnti 4.0 Worker, which TAU reported three years ago in 2019.\r\nFigure 8: Code handling C2 commands\r\nThe command IDs used by the malware families are shown in Table 5. The commands are decided based on a combination of two numbers. Dr.WEB defined the numbers as tag and id in the Spyder report, while TAU defined them as cmd_ID and dispatch_ID in the Winnti 4.0 Worker analysis. 
Both have almost the same C2 command functions.\r\nTable 5: Spyder and Winnti 4.0 command IDs\r\nCommand                                                                          | Spyder tag | Spyder id | Winnti 4.0 Worker cmd_ID | Winnti 4.0 Worker dispatch_ID\r\nVerify the client                                                                | 1  | 1 | 1              | 1\r\nSend victim information                                                          | 5  | 3 | 5              | 1\r\nSend plugins information                                                         | 6  | 1 | 6              | 9 or 13\r\nSave plugin parameters                                                           | 6  | 2 | 6              | 2\r\nSave plugin data                                                                 | 6  | 3 | 6              | 3\r\nLoad and run plugin entrypoint and export function #1                            | 6  | 4 | 6              | 6\r\nRun plugin export function #4 and unload the plugin                              | 6  | 5 | 6              | 7\r\nHeartbeat                                                                        | 6  | 6 | 6              | 8\r\nRun plugin export function #2                                                    | 6  | 7 | 6              | 10\r\nRun plugin export function #3                                                    | 6  | 8 | 6              | 11\r\nSend current connection information                                              | 7  | 2 | – (no command) | –\r\nRun function pointer of the 2nd parameter obtained by running export function #1 | 11 | – | 11             | –\r\nOn the other hand, the total code similarity between them is just 37% when analyzed with the BinDiff utility. Other data structures, like the configuration block and the C2 protocol header, are much different. Based on the comparison displayed in Table 5, TAU hypothesizes that Spyder is a lightweight version of Winnti 4.0 Worker.\r\nTable 6: Comparison of Spyder and Winnti 4.0 Worker\r\n                              | Spyder           | Winnti 4.0\r\nPayload encoding / encryption | single-byte XOR  | AES in CTR mode (key given as a cmdline argument)\r\nC2 protocol                   | TLS              | TCP/TLS/HTTP(S)/UDP\r\nServer-mode support           | No               | Yes\r\n3rd-party library             | uthash, Mbed TLS | uthash\r\nReported year                 | 2020             | 2019\r\nEndpoint Detection\r\nLast year, observed use of a previously discovered C2 IP (107.155.50.198) triggered an incident response. 
The advanced and sophisticated attack had bypassed many methods of detection but was ultimately alerted upon simply because of the pre-identified C2 IP.\r\nFigure 9: Alert based on the ShadowPad C2\r\nConclusion\r\nBy emulating the ShadowPad C2 protocols and then scanning for the C2 servers on the Internet, TAU has discovered over 80 C2 servers. The IOCs have been published on the GitHub page with discovered date ranges, which are more helpful than IP address information alone, since the C2s are typically found on hosted servers. Roughly 10 C2s were active at any given time. TAU sees little possibility of false positives because the C2 protocol formats and encoding algorithms are fairly unique.\r\nScanning for APT malware C2s on the Internet is sometimes like finding a needle in a haystack. However, once the C2 scanning works, it can become a game changer as one of the most proactive threat detection approaches.\r\nAcknowledgment\r\nTAU appreciates Leon Chang’s expertise and advice regarding ShadowPad. 
Chang shared his knowledge to give a more complete, bigger picture of the variants.\r\nIndicators of Compromise (IOC)\r\nIndicator                                                        | Type   | Context\r\n03b7b511716c074e9f6ef37318638337fd7449897be999505d4a3219572829b4 | SHA256 | ShadowPad Variant1\r\naef610b66b9efd1fa916a38f8ffea8b988c20c5deebf4db83b6be63f7ada2cc0 | SHA256 | ShadowPad Variant2\r\nd011130defd8b988ab78043b30a9f7e0cada5751064b3975a19f4de92d2c0025 | SHA256 | ShadowPad Variant3\r\n1ded9878f8680e1d91354cbb5ad8a6960efd6ddca2da157eb4c1ef0f0430fd5f | SHA256 | Spyder communicating with the ShadowPad C2 (156.240.104.149)\r\n536def339fefa0c259cf34f809393322cdece06fc4f2b37f06136375b073dff3 | SHA256 | ReverseWindow communicating with the ShadowPad C2 (43.129.188.223)\r\n9447b75af497e5a7f99f1ded1c1d87c53b5b59fce224a325932ad55eef9e0e4a | SHA256 | ShadowPad Variant1 communicating with the ShadowPad C2 (213.59.118.124)\r\nSource: https://blogs.vmware.com/security/2022/10/threat-analysis-active-c2-discovery-using-protocol-emulation-part3-shadowpad.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.vmware.com/security/2022/10/threat-analysis-active-c2-discovery-using-protocol-emulation-part3-shadowpad.html"
	],
	"report_names": [
		"threat-analysis-active-c2-discovery-using-protocol-emulation-part3-shadowpad.html"
	],
	"threat_actors": [
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b72c2616-cc7c-4c47-a83d-6b7866b94746",
			"created_at": "2023-01-06T13:46:39.425297Z",
			"updated_at": "2026-04-10T02:00:03.323082Z",
			"deleted_at": null,
			"main_name": "Red Nue",
			"aliases": [
				"LuoYu"
			],
			"source_name": "MISPGALAXY:Red Nue",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434907,
	"ts_updated_at": 1775826685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1254633150a1efca21fb7c286b7c3885df459ae6.pdf",
		"text": "https://archive.orkl.eu/1254633150a1efca21fb7c286b7c3885df459ae6.txt",
		"img": "https://archive.orkl.eu/1254633150a1efca21fb7c286b7c3885df459ae6.jpg"
	}
}