{
	"id": "d737a7fa-91a2-4de1-ac53-d280c4805f02",
	"created_at": "2026-04-06T00:06:20.22244Z",
	"updated_at": "2026-04-10T03:38:09.959373Z",
	"deleted_at": null,
	"sha1_hash": "12b0c9320af90e2d3e2b497a11156e41b3310523",
	"title": "PLA Unit 61486",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 155441,
	"plain_text": "PLA Unit 61486\r\nBy Contributors to Wikimedia projects\r\nPublished: 2014-06-10 · Archived: 2026-04-05 22:05:13 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nUnit 61486\r\nCountry  China\r\nAllegiance Chinese Communist Party[1]\r\nBranch People's Liberation Army Cyberspace Force\r\nType Cyber force\r\nRole\r\nCyber warfare\r\nElectronic warfare\r\nPart of  People's Liberation Army\r\nNickname Putter Panda\r\nPLA Unit 61486 (also known as Putter Panda or APT2) is a People's Liberation Army unit dedicated to\r\nexecuting cyberattacks on American, Japanese, and European corporations focused on satellite and\r\ncommunications technology. It is a unit that takes part in China's campaign to steal trade and military secrets from\r\nforeign targets.[2][3][4][5]\r\nIn 2014, they were exposed to the public by a report made by CrowdStrike, a digital security firm. One member of\r\nUnit 61486 has been identified as Chen Ping, with the online alias of \"cpyy\". Unit 61486 has also been nicknamed\r\n\"Putter Panda\" by the security firm Crowdstrike, in reference to its Chinese origins (\"panda\") and its penchant for\r\ntargeting golf players (\"putter\").[2]\r\nIts exposure came after another PLA unit, PLA Unit 61398, was exposed for similar activity, the previous year, as\r\nwell as the indictment of five members of Unit 61398 by the United States the previous month.[2] Meanwhile,\r\nEdward Snowden's release of information on America's surveillance program would also become a focal point in\r\nChina's response to the accusations of spying, using it as evidence the United States was hypocritical in their\r\naccusations of espionage.[6]\r\nUnit 61486 is a bureau within the Operations arm of the Third Department of the General Staff Department. 
Its\r\nname, Unit 61486, is a Military Unit Cover Designator (MUCD); these are used to hide the unit's true identity.[7]\r\nThe earliest signs of the unit's existence come from 2007.[8] Unit 61486 is the 12th Bureau within the Third\r\nDepartment. The majority of their cyber attacks have been focused on targeting American, European, and Japanese\r\nindustries that worked in aerospace and satellites. They are believed to be focused on space technology.[7][8]\r\nThey primarily have done their work through a technique known as spear-phishing, also known as Remote Access\r\nTools (RAT), targeting members of the industries noted above, specifically members that had played golf as major\r\ntargets in their operations.[2] They would use emails that had PDF and Word documents that detailed information\r\nrelated to conferences; from there the Remote Access Tool would be installed, allowing the victim's computer to\r\nbe accessed.[5] An example of this operation can be seen when an email brochure that appeared to be for a yoga\r\nstudio in Toulouse would steal the personal information of the person who opened the email.[2] In its\r\nreport, Crowdstrike claims that Unit 61486 used Adobe Reader and Microsoft Office as the vessels for\r\nthe malware.[6] According to Crowdstrike, the attack on the Canadian National Research Council in 2014 could\r\nalso be attributed to Unit 61486. Crowdstrike's Chief Technology Officer Dmitri Alperovitch would say that the\r\nattack was similar to ones that had been conducted by Unit 61486 in the past, claiming \"It certainly looks like one\r\nof the actors we track out of China that we’ve seen going after aircraft manufacturers in the past,\".[9] However,\r\nCanada has only stated the attack was done by state actors working for China, saying \"a highly sophisticated\r\nChinese state-sponsored actor\" had been responsible for the attack. 
Their statement did not directly attribute it to\r\nUnit 61486.[7][9]\r\nIn response to these allegations, the Ministry of Foreign Affairs of the People's Republic of China would demand that\r\nCanada stop making these claims. Foreign ministry spokesman Qin Gang said that they did not have any evidence\r\nto back this claim and that this accusation was unjustified provocation.[9]\r\nExposing of Operations\r\nZhabei District from Pearl Tower, where Unit 61486's headquarters is believed to be located\r\nOn the 9th of June 2014, the security firm Crowdstrike released a report detailing the actions of Unit 61486, as\r\nwell as a potential member of the unit.[8] Crowdstrike states the reason for releasing this report publicly was\r\nChina's statement following the United States indictment of 5 members of Unit 61398. China\r\nresponded to the indictment claiming these were lies, and that the information used was fabricated.[8][6] The CEO\r\nof Crowdstrike, George Kurtz, states they publicly released the report to provide irrefutable evidence of China's\r\ninvolvement with cyber espionage, as a means to counter the claims made by the Chinese government:[5]\r\n\"This report is part of our extensive intelligence library and was made available to our intelligence\r\nsubscribers in April 2014, prior to the US Government’s criminal indictment and China’s subsequent\r\nrefusal to engage in a constructive dialog ... We believe the U.S. Government indictments and global\r\nacknowledgment and awareness are important steps in the right direction. 
In support of these efforts, we\r\nare making this report available to the public to continue the dialog around this ever-present threat.\"[8]\r\nAnother aim of releasing the report was to show the international community that the indictment of 5 individuals\r\nfor cyber espionage was not the limit of China's cyber espionage program, nor was this program limited to targeting\r\nonly the United States. Rather it was just \"the tip of the iceberg\" as George Kurtz wrote, with campaigns taking\r\nplace across the world.[8]\r\nThe investigation revealed a potential member of the unit under the alias \"cpyy\". Several emails that used this\r\nalias were registered to a person named Chen Ping. A personal blog on 163.com lists this person's\r\nemployment as either military or police; it also lists his birth date as 25 May 1979. The same page also had posts\r\nin an IT category, whilst a separate, related blog linked to Chen Ping indicated he had either studied or worked on\r\nnetworking or programming from 2002 to 2003. The report also pointed to several images on his personal\r\nsina.com blog that said he had attended Shanghai Jiao Tong University, a university that allegedly is targeted for\r\nrecruitment into the PLA. In addition, several other posts suggested he was a member of the PLA, based on photos\r\nwith PLA uniforms in the background.[10][8] In a personal blog Chen Ping listed his work as military, whilst in a\r\ndifferent blog, a post said \"Soldier’s duty is to defend the country, as long as our country is safe, our military is\r\nexcellent.\", suggesting that Chen held nationalistic ideals that would encourage one to join the armed forces. This\r\nblog also states that Chen Ping lived in Shanghai from 2005 to 2007. 
However, this page was last updated in 2007\r\nbefore being taken down following the release of Crowdstrike's report.[8]\r\nBased on previous IP addresses and photos from Chen Ping's multiple personal blogs, Crowdstrike states that the\r\nheadquarters for the unit is within the Zhabei District of Shanghai. Furthermore, several of the website domains\r\nregistered by Chen Ping led to an address that was close to a building he took a photo of, and posted under the\r\ncaption of \"office\". Additionally, these personal photos showed large satellite dish installations. From\r\nits investigations, Crowdstrike believed that Unit 61486 was involved in space surveillance and also the\r\ntargeting of western companies that manufactured or researched satellites; thus the satellite dishes were related to\r\nthis activity. A webpage published by a Chinese government entity that details theatrical performances involving\r\nmembers of the PLA listed an address that also corresponds to an area that has the buildings in Chen Ping's\r\nphotos. With the address from this site as well as the personal photos from Chen Ping's blogs, Crowdstrike states\r\nthat they believe that this building is the headquarters for Unit 61486.[10][8]\r\nThis report also suggested that Unit 61486 works alongside Unit 61398, another unit within the Third Department.\r\nSeveral domains registered to alleged members of 61486 have the same IP address as ones from Unit 61398. In\r\naddition to the allegations of cooperation with Unit 61398, another unit, Vixen Panda, is mentioned to have a\r\nconnection to Unit 61486, as an IP address that had been used by Vixen Panda for one of their sites had also been\r\nassociated with a domain that Unit 61486 had used. Furthermore, \"cpyy\" (Chen Ping) was also found to interact\r\nwith an individual listed as \"linxder\", on cpyy.org, cpyy's site. 
Linxder is the handle of someone who is\r\npart of Comment Panda, another hacking group believed to be in Shanghai.[8]\r\nFollowing the exposing of Chen Ping or \"cpyy\", his information was all taken down the day after the report was\r\nreleased. Additionally, Crowdstrike believes that Chen Ping has been moved from Shanghai to\r\nKunming in Yunnan province. According to the Project 2049 Institute, Unit 61486 has a facility in the region.[citation needed]\r\nThis report had been available to subscribers of Crowdstrike since April 2014. However, only following the public\r\nrelease of the report would there be responses made by the United States as well as the Chinese Foreign Ministry.[10]\r\nOfficial Response by the Chinese Foreign Ministry\r\nIn the previous year, the security firm Mandiant had exposed Unit 61398 for doing similar activity to Unit 61486.\r\nThe month before the report on Unit 61486 was released, the United States had indicted 5 people they believed to\r\nbe members of Unit 61398 for cyber espionage, marking the first time this charge was levelled at state actors.[5]\r\nThe exposing of Unit 61486 raised tensions between the two nations higher. This led to the Foreign Ministry\r\nthreatening to start a trade war with the United States, as well as more inspections and regulations of US\r\ntechnologies coming into the country.[2] Additionally, China would pull out of several meetings with the United\r\nStates over the issue of hacking. Additionally, a spokeswoman for China's foreign ministry, upon hearing the\r\nallegations over Unit 61486 listed by Crowdstrike's report, scorned it as giving her \"déjà vu\", in reference to the\r\nreport made by Mandiant the year before.[6]\r\nEdward Snowden had exposed the United States spying programs conducted by the CIA and NSA the year before\r\nUnit 61486 was revealed by the Crowdstrike report. 
This was brought up by Foreign Ministry spokeswoman Hua\r\nChunying, as an example of the United States being hypocritical in their accusations of China stealing information\r\nfrom Western corporations. Spokeswoman Hua Chunying would state that the United States had no right to accuse\r\nothers of hacking, as they had been caught doing so. She stated that the United States is a \"Hacker empire\".[2][6]\r\nIn a press conference, Foreign Ministry spokeswoman Hua Chunying states \"The United States cannot\r\npretend that it is the victim. They are a hacker empire. I think everyone in the world knows this.\"[6]\r\nIn addition, earlier in the year it was revealed by The New York Times and Der Spiegel that the NSA had also\r\nhacked Huawei's servers. This was done to see if there was any relationship between the PLA and Huawei;\r\nhowever, it quickly expanded to developing exploits that would allow the NSA to access their networks to conduct\r\nsurveillance and \"offensive operations\". This operation, known as \"Shotgiant\", was conducted despite a House\r\nIntelligence Committee report in 2012 stating that there was no connection between the PLA and Huawei, along\r\nwith another entity known as ZTE. This also was brought up by the Foreign Ministry as another case of American\r\nhypocrisy in spying allegations.[11] The Foreign Ministry Spokesperson further iterated that the report could not\r\nbe correct, saying it was ridiculous that someone that would do this sort of work would be open about being a\r\nhacker.\r\nIn a news brief, Foreign Ministry spokeswoman Hua Chunying states: \"I think this is both curious and\r\npuzzling. Have you ever seen a thief in the street who advertises on his chest that he is a thief? Honestly\r\nspeaking, I think what the U.S. 
has done here cannot be accepted as correct.\"[6]\r\nIn addition to these allegations, the week before the report was released, the Chinese government criticised the\r\nUnited States Department of Defense for releasing a report that said they believed China's actual military spending\r\nwas an estimated US$145 billion. The report additionally warned that China was speeding up its military\r\nmodernisation program. However, even though tensions and relations between the two nations were already poor,\r\nand increasing from these events and allegations, China would still accept an invitation to participate in RIMPAC,\r\nwhich was to occur within the month. This would mark the first time China would participate in an American-led\r\nnaval drill, though they had previously participated in 1998 as observers. They would send 4 ships in total: a\r\ndestroyer, a frigate, a supply ship and a hospital ship.[6][12]\r\nPLA Unit 61398\r\nChinese information operations and information warfare\r\n1. \"The PLA Oath\" (PDF). Defense Technical Information Center. February 2009. Archived (PDF) from the\r\noriginal on September 24, 2015. Retrieved October 30, 2015. “I am a member of the People's Liberation\r\nArmy. I promise that I will follow the leadership of the Communist Party of China...”\r\n2. Perlroth, Nicole (9 June 2014). \"2nd China Army Unit Implicated in Online\r\nSpying\". The New York Times. Archived from the original on 10 June 2014. Retrieved 9 June 2014.\r\n3. \"Second China unit accused of cyber crime\". Financial Times. 10 June 2014. Archived from the original\r\non 30 April 2024. Retrieved 10 June 2014.\r\n4. \"Cyber Spies Targeting U.S. Defense, Tech Firms Linked to China's PLA: Report\". SecurityWeek.com.\r\nArchived from the original on 28 December 2017. Retrieved 18 December 2017.\r\n5. 
\"Cyber conflict escalates: Second Chinese PLA hacking group accused\". Defense\r\nSystems. Archived from the original on 28 December 2017. Retrieved 18 December 2017.\r\n6. Menn, Joseph (10 June 2014). \"Private U.S. report accuses another Chinese\r\nmilitary unit of hacking\". Reuters. Archived from the original on 17 October 2020. Retrieved 15 October\r\n2020.\r\n7. Cheng, Dean (14 November 2016). Cyber Dragon: Inside China's Information Warfare\r\nand Cyber Operations. ABC-CLIO, LLC, 2017. ISBN 978-1440835643.\r\n8. \"Crowdstrike Intelligence Report: Putter Panda\" (PDF). CrowdStrike.\r\nArchived (PDF) from the original on 11 November 2020. Retrieved 2 November 2020.\r\n9. Sharp, Alastaire; Ljunggren, David (1 August 2014). \"Hacking attack in Canada bears\r\nsigns of Chinese army unit: expert\". Reuters. Archived from the original on 16 May 2021. Retrieved 2\r\nNovember 2020.\r\n10. Frizell, Sam. \"How to Hunt a Chinese Hacker\". Time Magazine. Archived from the\r\noriginal on 2021-01-22. Retrieved 2020-11-02.\r\n11. Perlroth, Nicole; Sanger, David (22 March 2014). \"N.S.A. Breached Chinese Servers Seen as Security\r\nThreat\". The New York Times. Archived from the original on 18 February 2017.\r\nRetrieved 2 November 2020.\r\n12. \"China confirms attendance at U.S.-hosted naval exercises in June\". Reuters. 9 June 2014. Archived from\r\nthe original on 8 March 2020. 
Retrieved 2 November 2020.\r\nSource: https://en.wikipedia.org/wiki/PLA_Unit_61486",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://en.wikipedia.org/wiki/PLA_Unit_61486"
	],
	"report_names": [
		"PLA_Unit_61486"
	],
	"threat_actors": [
		{
			"id": "abd17060-62f6-4743-95e8-3f23c82cc229",
			"created_at": "2022-10-25T15:50:23.428772Z",
			"updated_at": "2026-04-10T02:00:05.365894Z",
			"deleted_at": null,
			"main_name": "Putter Panda",
			"aliases": [
				"Putter Panda",
				"APT2",
				"MSUpdater"
			],
			"source_name": "MITRE:Putter Panda",
			"tools": [
				"pngdowner",
				"3PARA RAT",
				"4H RAT",
				"httpclient"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "468b7acd-895c-4c93-b572-b42f4035b4d4",
			"created_at": "2023-01-06T13:46:38.265636Z",
			"updated_at": "2026-04-10T02:00:02.902436Z",
			"deleted_at": null,
			"main_name": "APT2",
			"aliases": [
				"MSUpdater",
				"4HCrew",
				"SearchFire",
				"TG-6952",
				"G0024",
				"PLA Unit 61486",
				"PUTTER PANDA"
			],
			"source_name": "MISPGALAXY:APT2",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4b066585-3591-4ddd-b3cc-f4e19e0e00ef",
			"created_at": "2022-10-25T16:07:24.086915Z",
			"updated_at": "2026-04-10T02:00:04.862463Z",
			"deleted_at": null,
			"main_name": "Putter Panda",
			"aliases": [
				"4HCrew",
				"APT 2",
				"G0024",
				"Group 36",
				"Putter Panda",
				"SearchFire",
				"TG-6952"
			],
			"source_name": "ETDA:Putter Panda",
			"tools": [
				"3PARA RAT",
				"4H RAT",
				"4h_rat",
				"MSUpdater",
				"httpclient",
				"pngdowner"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433980,
	"ts_updated_at": 1775792289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/12b0c9320af90e2d3e2b497a11156e41b3310523.pdf",
		"text": "https://archive.orkl.eu/12b0c9320af90e2d3e2b497a11156e41b3310523.txt",
		"img": "https://archive.orkl.eu/12b0c9320af90e2d3e2b497a11156e41b3310523.jpg"
	}
}