{
	"id": "ea91acc6-f4d8-45e8-bd93-1e1f34b19b43",
	"created_at": "2026-04-06T00:11:11.353328Z",
	"updated_at": "2026-04-10T13:11:21.487221Z",
	"deleted_at": null,
	"sha1_hash": "12669999d61a6f37c95c79ffe7c041e87480c03d",
	"title": "Dark Pink APT Group Strikes Government Entities in South Asian Countries",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5111780,
	"plain_text": "Dark Pink APT Group Strikes Government Entities in South Asian Countries\r\nArchived: 2026-04-05 23:38:17 UTC\r\nExecutive Summary\r\nIn February 2023, EclecticIQ researchers identified multiple KamiKakaBot malware samples that are very likely used to target government entities in ASEAN (Association of Southeast Asian Nations) countries.\r\nThe latest attacks, which took place in February 2023, were almost identical to previous attacks reported by Group-IB on January 11, 2023 (1). In January 2023, the threat actors used ISO images to deliver KamiKakaBot, which was executed using a DLL side-loading technique. The main difference in the February campaign is that the malware's obfuscation routine has improved to better evade anti-malware measures. Multiple overlaps in this new campaign aided EclecticIQ analysts in attributing it very likely to the Dark Pink APT group.\r\nDark Pink is an Advanced Persistent Threat (APT) group active in the ASEAN region. Group-IB originally named this group \"Dark Pink\", and it has also been referred to as \"Saaiwc\" by Chinese cybersecurity researchers (1,2). According to Group-IB, Dark Pink is thought to have started operations as early as mid-2021, with increasing activity in 2022.\r\nKamiKakaBot's primary function is to steal data stored in web browsers such as Chrome, Edge, and Firefox. This includes saved credentials, browsing history, and cookies. Additionally, the threat actors can use their initial access on infected devices to execute remote code.\r\nhttps://blog.eclecticiq.com/dark-pink-apt-group-strikes-government-entities-in-south-asian-countries\r\nPage 1 of 20\r\nDevelopers of KamiKakaBot employ various evasion techniques to remain undetected while executing malicious actions on infected devices. For example, they use Living-off-the-Land binaries (LOLBINs), such as MsBuild.exe, to run the KamiKakaBot malware on victims' devices (7).\r\nAttribution\r\nThere are multiple overlaps between the adversary techniques and tactics used in this campaign and the previous campaign. For this reason, EclecticIQ analysts assess that the February 2023 campaign is very likely attributable to Dark Pink, though they acknowledge there is a chance this activity could be the work of a group with similar TTPs.\r\n- According to EclecticIQ researchers, KamiKakaBot and its loader are a generic malware type, and they are currently only used by the Dark Pink APT group.\r\n- The same command and control infrastructure was used in the February activity as in the January 2023 activity (1).\r\n- Malware delivery and execution techniques, such as DLL side-loading with Winword.exe, are identical to previous cyber-attacks carried out by the Dark Pink group (1).\r\nKey Judgments\r\n- Advanced Persistent Threat (APT) groups are almost certainly a significant cyber threat to ASEAN countries. APT groups like Dark Pink often target military and government organizations to steal sensitive information, including confidential data and intellectual property.\r\n- The increasing digitization of economies and the relationships between Europe and the ASEAN region have very likely increased the risk of cyberattacks and the need for effective cyber defense measures (8).\r\n- In this new campaign, the relationship between Europe and ASEAN countries is very likely being exploited in the form of social engineering lures against military and government entities in Southeast Asian nations.\r\n- EclecticIQ researchers observed overlaps in malware delivery and adversary techniques between the Earth Yako and Dark Pink threat groups, such as the use of Winword.exe for DLL hijacking (2,3). Although researchers lack the conclusive proof needed to attribute the nationality of this group, the objectives of the attackers and some of the patterns suggest that the Dark Pink group could possibly be a Chinese APT group.\r\nMalware Execution Flow\r\nKamiKakaBot is delivered via phishing emails that contain a malicious ISO file as an attachment. The malicious ISO file contains a WinWord.exe that is legitimately signed by Microsoft and is abused for the DLL side-loading technique. When a user clicks on WinWord.exe, the KamiKakaBot loader (MSVCR100.dll), located in the same folder as the WinWord file, is automatically loaded and executed in the memory of WinWord.exe.\r\nThe ISO file also contains a decoy Word document that has an XOR-encrypted section. The KamiKakaBot loader decrypts the XOR-encrypted content of the decoy file, writes the decrypted XML KamiKakaBot payload to disk (C:\\Windows\\temp), and executes it via a living-off-the-land binary called MsBuild.exe (7).\r\nBefore the execution of the decrypted XML payload, the KamiKakaBot loader writes to the registry key HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell to abuse features of Winlogon (a Windows component) for establishing persistent access (5).\r\nKamiKakaBot can extract sensitive information from the Chrome, MS Edge, and Firefox web browsers. The stolen browser data is then sent to the attackers' Telegram bot channel as a compressed ZIP file. After the initial infection, the attacker can update the malware or perform remote code execution on the targeted device, enabling them to carry out further post-exploitation activities. All of the command and control communication takes place via a Telegram bot controlled by the threat actor.\r\nFigure 1 - Execution flow of KamiKakaBot.\r\nAnalysis of the ISO Image\r\nThreat actors used different lures in each decoy Word document to trick their victims into opening the malicious attachment, as shown in figure 2. The executable file named \"Concept Note Strategic Dialog Version 30.1\" is originally a Microsoft-signed legitimate WinWord.exe.\r\nFigure 2 - Content of the ISO image.\r\nThe metadata in the delivered ISO image contains the file creation date and time (2023-02-01), which helps researchers determine the time of the campaign. This file was uploaded to VirusTotal on 2023-02-01 from Indonesia (5).\r\nFigure 3 - Metadata of ISO file.\r\nEclecticIQ researchers identified multiple ISO images that contained different decoy documents using phishing lures related to military or diplomacy in the ASEAN countries. Analysts assess that the content of the decoy documents is designed to target government entities in ASEAN countries. Figure 4 illustrates the attempt by threat actors to leverage ASEAN-Europe relationships in their phishing lures (more examples of their attempts are listed in Appendix B).\r\nFigure 4 - Decoy Document File Name: \"Concept paper Strategic Dialogue DEU-IDN\" (the lure plays off the relationship between Europe and ASEAN countries).\r\nThe KamiKakaBot loader is designed to load the KamiKakaBot malware as stealthily as possible by performing the DLL side-loading technique and incorporating other anti-malware evasion tactics, such as payload encryption and the use of living-off-the-land binaries.\r\nDLL Side-Loading by Winword.exe\r\nIn this latest KamiKakaBot campaign, threat actors used the DLL side-loading technique to bypass anti-malware detection by loading the malware into the memory of Winword.exe (the legitimate Microsoft Office binary used for opening Word documents).\r\nFigure 8 - KamiKakaBot loader loaded into the memory of WinWord.exe (MSVCR100.dll).\r\nDLL side-loading is not a new technique, as the search-order hijacking vulnerability in Windows has existed since Windows XP. Due to the default search order built into Windows, threat actors can abuse legitimate and signed binaries to load a malicious DLL.\r\nDecryption of KamiKakaBot XML Payload Inside Decoy Word Document\r\nDuring the initial infection, the KamiKakaBot loader is executed in the memory of the WinWord.exe binary and then reads data from an XOR-encrypted section inside the decoy Word document. Figure 9 shows the XOR-encrypted section inside the decoy Word document.\r\nFigure 9 - XOR-encrypted section inside decoy Word document.\r\nXOR decryption routine of the KamiKakaBot loader in the disassembler:\r\n1. Use the Windows API ReadFile() to read the .doc file that contains a tilde (~) symbol inside the ISO image.\r\nFigure 10 - The decoy Word document inside the ISO image is highlighted in yellow.\r\n2. Decrypt the XOR-encrypted data using the static key 0xCA and write it to disk.\r\nFigure 11 - XOR decryption.\r\nGaining Persistent Access on Victim Device by Abusing Winlogon Helper DLL\r\nAfter the initial infection, the loader uses a widely used persistence technique that abuses the Winlogon helper.\r\nWinlogon.exe is a Windows component responsible for actions at logon/logoff. Registry entries in HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon are used to manage additional helper programs and functionalities that support Winlogon.\r\nMalicious modifications to these registry keys may cause Winlogon to load and execute malicious DLLs and/or executables every time a user logs on to the device.\r\nFigure 12 shows the KamiKakaBot loader using Windows environment variables to perform command line obfuscation in order to execute KamiKakaBot every time the infected device is started.\r\nFigure 12 - Shell registry key modified by loader.\r\nBelow are a few of the new environment variables that KamiKakaBot writes into the infected system (these values can change between campaigns):\r\nName of the environment variable | Command line argument\r\n%PSS% | powershell\r\n$env:MS | C:\\Windows\\Microsoft.NET\\Framework64\\\u003cversion-number\u003e\\MSBuild.exe\r\n$env:TMPT | C:\\Windows\\TEMP\\wct\u003crandom-number-and-words\u003e.tmp\r\nFigure 13 shows that the environment variables are stored encrypted inside the data section of the loader, and a static XOR decryption key (0xA7) is used to decrypt them at execution time.\r\nFigure 13 - Content of the environment variables and command line arguments stored XOR-encrypted inside the data section.\r\nThe decryption key can be used to decrypt the data and examine the environment variables used by the loader without executing the malware during analysis (as shown in figure 14).\r\nFigure 14 - Decrypted environment variables used by KamiKakaBot loader.\r\nExecution of Decrypted KamiKakaBot by Living-off-the-Land Binary\r\nExecution of the KamiKakaBot malware happens after the persistence stage. The detailed execution flow is described below:\r\n- The decrypted XML payload, which was dropped to disk, still contains some XOR-encrypted data obfuscated with Base64. It is decrypted at execution time via PowerShell.\r\nFigure 15 - Decrypted KamiKakaBot in XML format.\r\n- Execution of the XML payload via MSBuild.exe shows the loaded malware named svchost.\r\nFigure 16 - KamiKakaBot loaded into MSBuild.exe.\r\nTechnical Analysis of KamiKakaBot\r\nCapabilities of KamiKakaBot\r\nEclecticIQ researchers identified and analyzed new samples of .NET-written malware in the February 2023 campaign. The capabilities of KamiKakaBot are as follows:\r\n- Stealing web credentials and cookies from web browsers.\r\nFigure 17 - KamiKakaBot reading web browser data inside victim device.\r\n- Performing remote code execution over cmd.exe.\r\nFigure 18 - Disassembled KamiKakaBot has a run_command() function to execute remote commands on the victim device and return the command output to the attackers.\r\n- Storing the Telegram API key and URL in an encrypted format. The new version of KamiKakaBot uses an open-source .NET obfuscation engine to hide itself from anti-malware solutions (7).\r\nFigure 19 - Decrypted Telegram URL used by malware.\r\n- After a successful infection, threat actors can update the malware itself. Figure 20 shows features of the malware, including details about the delay time and the commands \"COLLECTBRW\", \"UPDATENEWXML\" and \"UPDATENEWTOKEN\", which the malware very likely waits to receive from the attackers' C2 server.\r\nFigure 20 - Static variables used as a config file inside the malware.\r\nCommand and Control Connection by Telegram Services\r\nWhen a victim device is infected with KamiKakaBot, it starts by uploading stolen web browser data to a Telegram bot in ZIP format, naming the ZIP files with the hostname of the infected device to categorize the victim.\r\nFigure 21 - Stolen browser data sent to Telegram bot.\r\nFigure 22 shows the decompiled KamiKakaBot function named sendFile(), which performs the feature described in figure 21.\r\nFigure 22 - Decompiled sendFile() function.\r\nAfter uploading browser data from Chrome, Edge and Firefox, KamiKakaBot beacons (sends signals) to the Telegram bot to show that the infected device is online and available to receive remote commands.\r\nFigure 23 - Sending beaconing signals to Telegram bot C2 channel.\r\nEclecticIQ researchers obtained examples of stolen web browser data from a Telegram bot controlled by the threat actors:\r\nFigure 24 - Example of stolen web browser data.\r\nThreat Actor Using VPN Services to Hide Their Identities\r\nEclecticIQ researchers used the Telegram C2 channel to send decoy URLs containing Canary Tokens (9) instead of real victim data; when the threat actor opened the decoy URL, the researchers could obtain IP addresses very likely used by the threat actor.\r\nFigure 25 - Command and control traffic of KamiKakaBot manipulated by the researchers to send a decoy Canary Token URL.\r\nFigure 26 shows that the decoy URL was received by the Telegram C2 channel and then clicked by the threat actor, which ended up exposing their IP address after a short period of time. EclecticIQ researchers identified that one of the IP addresses (206[.]123[.]151[.]133) is associated with a VPN service called PureVPN, which is very likely used by the threat actor to hide their real IP address.\r\nFigure 26 - Triggered Canary Tokens.\r\nAlthough there is some metadata that suggests Dark Pink could be attributed to China, the lack of conclusive proof means this attribution assessment is at low confidence.\r\nEclecticIQ researchers followed the latest activities carried out by the Dark Pink APT group and identified how the group further honed its technical skills to bypass security controls, scale its TTPs, blend in with victim environments, and hinder detection across all aspects of its operations.\r\nEclecticIQ researchers assess that the Dark Pink APT group will likely continue to evolve its behavioral evasion techniques based on its ability to creatively employ TTPs and tools to gain persistent access to targets.\r\nOutlook\r\nEclecticIQ researchers analyzed the latest malware delivery campaign, very likely carried out by the Dark Pink APT group. The result of the analysis showed that the threat actors are still utilizing the same adversary tactics, techniques, and procedures (TTPs) to deliver and execute the KamiKakaBot malware, with only small changes made to the obfuscation routine to increase the infection rate and evade anti-malware solutions.\r\nTo learn more about how considering TTP applications can protect against future attacks, download our white paper \"Beyond the IOC\".\r\nThe use of legitimate web services, such as Telegram, as a Command and Control (C2) server remains the number one choice for different threat actors, ranging from regular cyber criminals to advanced persistent threat actors. According to EclecticIQ researchers, it is very likely that threat actors will continue to conduct command and control operations while hiding behind legitimate web services.\r\nBased on the TTPs used in this campaign, EclecticIQ researchers strongly believe that the Dark Pink APT group is very likely a cyber espionage-motivated threat actor that specifically exploited relations between ASEAN and European nations to create phishing lures during the February 2023 campaign.\r\nAdversary techniques like DLL side-loading and the use of living-off-the-land binaries are on the rise among different threat actors to avoid being detected during the infection chain (8).\r\nProtections and Mitigations\r\n- Use safe DLL search mode. By default, Windows searches for DLLs in the current directory before searching in other directories. This can be changed by enabling the SafeDllSearchMode feature, which will only search in the system directory and trusted directories.\r\n- Disable mounting ISO images via group policy (GPO). Adding a simple registry key called ProgrammaticAccessOnly under HKEY_CLASSES_ROOT\\Windows.IsoFile\\shell\\mount removes the context menu item shown when right-clicking an ISO and also removes the ability to auto-mount ISOs by double-clicking them.\r\n- Disable browser password saving via group policy (GPO). Set the following policies, then close the Group Policy Management Editor:\r\n  - Disable saving browser history: Enabled\r\n  - Enable AutoFill: Disabled\r\n  - Enable saving passwords to the password manager: Disabled\r\n  - Default cookies setting: Enabled: Keep cookies for the duration of the session\r\n- Always deploy the highest level of protection on your firewall and endpoints. In particular:\r\n  - Ensure the firewall has TLS 1.3 inspection, next-gen IPS, and streaming DPI with machine learning and sandboxing for protection from the latest threats.\r\n  - Ensure endpoints have modern next-gen protection capabilities to guard against downloading malicious files from untrusted sources.\r\nDetections\r\nWhen some of the above-mentioned protections and mitigations cannot be implemented, the detection ideas below could help to identify potential threats early on.\r\n- Monitor new file creations with double extensions ending in executable file extensions (.exe, .vbs, .bat, etc.).\r\n- Monitor modification and creation of Windows registry keys and sub-keys under the Winlogon registry locations (HKLM\\Software[\\Wow6432Node\\]\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\). Establishing a baseline for the values of often-abused registry key locations could also improve detection accuracy.\r\n- Establish command line baselines for common executables, such as powershell, cmd, and other LOLBINs (including MSBuild), to identify potential malicious usage of the built-in tools.\r\nMITRE ATT\u0026CK\r\nTactic: Technique | ATT\u0026CK Code\r\nExecution: User Execution: Malicious File | T1204\r\nExecution: PowerShell | T1059.001\r\nDefense Evasion: Deobfuscate/Decode Files or Information | T1140\r\nDefense Evasion: Masquerading: Double File Extension | T1036.007\r\nDefense Evasion: Trusted Developer Utilities Proxy Execution: MSBuild | T1127.001\r\nDefense Evasion: HTML Smuggling | T1027.006\r\nDefense Evasion: DLL Side-Loading | T1574.002\r\nCommand and Control: Bidirectional Communication | T1102.002\r\nInitial Access: Spearphishing Attachment | T1566.001\r\nPersistence: Winlogon Helper DLL | T1547.004\r\nCredential Access: Credentials from Web Browsers | T1555.003\r\nHunting Resources: YARA Rules\r\nAbout EclecticIQ Intelligence \u0026 Research Team\r\nEclecticIQ is a global provider of threat intelligence, hunting, and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence \u0026 Research Team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.\r\nWe would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.\r\nAppendix A\r\n1. https://www.group-ib.com/blog/dark-pink-apt/\r\n2. https://www.trendmicro.com/ja_jp/research/23/a/targeted-attack-campaign-earth-yako.html\r\n3. https://mp.weixin.qq.com/s/G3gUjg9WC96NW4cRPww6gw\r\n4. https://attack.mitre.org/techniques/T1547/004/\r\n5. https://www.virustotal.com/gui/file/205f6808ab05ff3932ee799f37c227a7a950e07ea97f51d206e0563c83592e60\r\n6. https://github.com/Charterino/AsStrongAsFuck\r\n7. https://lolbas-project.github.io/lolbas/Binaries/Msbuild/\r\n8. https://www.eeas.europa.eu/asean/european-union-and-asean_en\r\n9. https://canarytokens.org/generate\r\nAppendix B\r\n1. Figure 5 - File Name: Another lure, \"Invitation from Perwakins Norway\", plays off the Indonesia-Norway relationship.\r\n2. Figure 6 - File Name: Visit of Norwegian senior diplomats to Jakarta 6-9 February.\r\n3. Figure 7 - File Name: Concept note - A Sustainable Forum - Building the Research Capacity of the EAMF (ASEAN Maritime Forum) 16 Dec 2022.\r\nSource: https://blog.eclecticiq.com/dark-pink-apt-group-strikes-government-entities-in-south-asian-countries",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.eclecticiq.com/dark-pink-apt-group-strikes-government-entities-in-south-asian-countries"
	],
	"report_names": [
		"dark-pink-apt-group-strikes-government-entities-in-south-asian-countries"
	],
	"threat_actors": [
		{
			"id": "fd4c3ddd-11cc-4192-9c94-ff107d7f8492",
			"created_at": "2023-02-18T02:04:24.06294Z",
			"updated_at": "2026-04-10T02:00:04.644528Z",
			"deleted_at": null,
			"main_name": "Dark Pink",
			"aliases": [
				"Saaiwc Group"
			],
			"source_name": "ETDA:Dark Pink",
			"tools": [
				"Ctealer",
				"Cucky",
				"KamiKakaBot",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"PowerSploit",
				"TelePowerBot",
				"ZMsg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46818902-c96d-445c-afdb-075ef6b4afab",
			"created_at": "2023-02-18T02:04:24.443028Z",
			"updated_at": "2026-04-10T02:00:04.828275Z",
			"deleted_at": null,
			"main_name": "Operation RestyLink",
			"aliases": [
				"Earth Yako",
				"Operation Enelink"
			],
			"source_name": "ETDA:Operation RestyLink",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "65e1eee1-bc35-4093-9554-1a668e1bc30a",
			"created_at": "2024-02-08T02:00:04.320426Z",
			"updated_at": "2026-04-10T02:00:03.583546Z",
			"deleted_at": null,
			"main_name": "Earth Yako",
			"aliases": [
				"Operation RestyLink",
				"Enelink"
			],
			"source_name": "MISPGALAXY:Earth Yako",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4b066585-3591-4ddd-b3cc-f4e19e0e00ef",
			"created_at": "2022-10-25T16:07:24.086915Z",
			"updated_at": "2026-04-10T02:00:04.862463Z",
			"deleted_at": null,
			"main_name": "Putter Panda",
			"aliases": [
				"4HCrew",
				"APT 2",
				"G0024",
				"Group 36",
				"Putter Panda",
				"SearchFire",
				"TG-6952"
			],
			"source_name": "ETDA:Putter Panda",
			"tools": [
				"3PARA RAT",
				"4H RAT",
				"4h_rat",
				"MSUpdater",
				"httpclient",
				"pngdowner"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fbe45970-1e9e-4a82-bc06-46317a248479",
			"created_at": "2026-02-03T02:00:03.45132Z",
			"updated_at": "2026-04-10T02:00:03.947304Z",
			"deleted_at": null,
			"main_name": "DarkPink",
			"aliases": [
				"Saaiwc"
			],
			"source_name": "MISPGALAXY:DarkPink",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434271,
	"ts_updated_at": 1775826681,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/12669999d61a6f37c95c79ffe7c041e87480c03d.pdf",
		"text": "https://archive.orkl.eu/12669999d61a6f37c95c79ffe7c041e87480c03d.txt",
		"img": "https://archive.orkl.eu/12669999d61a6f37c95c79ffe7c041e87480c03d.jpg"
	}
}