{
	"id": "a360fca4-a1e7-48a5-9dda-ace924ab9e1b",
	"created_at": "2026-04-06T00:09:48.751985Z",
	"updated_at": "2026-04-10T03:38:01.725573Z",
	"deleted_at": null,
	"sha1_hash": "1729fb83b35e14e874d718d7a23a58ef058613f9",
	"title": "Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 84657,
	"plain_text": "Tactics, Techniques, and Procedures of Indicted APT40 Actors\r\nAssociated with China’s MSS Hainan State Security Department |\r\nCISA\r\nPublished: 2021-07-20 · Archived: 2026-04-05 12:36:14 UTC\r\nThis Joint Cybersecurity Advisory was written by the Federal Bureau of Investigation (FBI) and the Cybersecurity\r\nand Infrastructure Security Agency (CISA) to provide information on a Chinese Advanced Persistent Threat\r\n(APT) group known in open-source reporting as APT40. This advisory provides APT40’s tactics, techniques, and\r\nprocedures (TTPs) and indicators of compromise (IOCs) to help cybersecurity practitioners identify and remediate\r\nAPT40 intrusions and established footholds.\r\nAPT40—aka BRONZE MOHAWK, FEVERDREAM, G0065, Gadolinium, GreenCrash, Hellsing, Kryptonite\r\nPanda, Leviathan, MUDCARP, Periscope, Temp.Periscope, and Temp.Jumper—is located in Haikou, Hainan\r\nProvince, People’s Republic of China (PRC), and has been active since at least 2009. APT40 has targeted\r\ngovernmental organizations, companies, and universities in a wide range of industries—including biomedical,\r\nrobotics, and maritime research—across the United States, Canada, Europe, the Middle East, and the South China\r\nSea area, as well as industries included in China’s Belt and Road Initiative.\r\nOn July 19, 2021, the U.S. Department of Justice (DOJ) unsealed an indictment against four APT40 cyber actors\r\nfor their illicit computer network exploitation (CNE) activities via front company Hainan Xiandun Technology\r\nDevelopment Company (Hainan Xiandun). Hainan Xiandun employee Wu Shurong cooperated with and carried\r\nout orders from PRC Ministry of State Security (MSS) Hainan State Security Department (HSSD) intelligence\r\nofficers Ding Xiaoyang, Zhu Yunmin, and Cheng Qingmin to conduct CNE. 
Wu’s CNE activities resulted in the\r\ntheft of trade secrets, intellectual property, and other high-value information from companies and organizations in\r\nthe United States and abroad, as well as from multiple foreign governments. These MSS-affiliated actors targeted\r\nvictims in the following industries: academia, aerospace/aviation, biomedical, defense industrial base, education,\r\ngovernment, healthcare, manufacturing, maritime, research institutes, and transportation (rail and shipping).\r\nClick here for indicators of compromise (IOCs) in STIX format. Note: to uncover malicious activity, incident\r\nresponders search for IOCs in network- and host-based artifacts and assess the results—eliminating false positives\r\nduring the assessment. For example, some MD5 IOCs in the STIX file identify legitimate tools—such as Putty,\r\ncmd.exe, svchost.exe, etc.—as indicators of compromise. Although the tools themselves are not malicious, APT40\r\nattackers placed and used them from non-standard folders on victim systems during computer intrusion activity. If\r\na legitimate tool is identified by an incident responder, then the location of the tool should be assessed to eliminate\r\nfalse positives or to uncover malicious activity. See Technical Approaches to Uncovering and Remediating\r\nMalicious Activity for more incident handling guidance.\r\nThis Joint Cybersecurity Advisory uses the MITRE ATT\u0026CK® framework, version 9. See the ATT\u0026CK for\r\nEnterprise framework for all referenced threat actor tactics and techniques.\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-200a\r\nPage 1 of 20\n\nAPT40 [G0065 ] has used a variety of tactics and techniques and a large library of custom and open-source\r\nmalware—much of which is shared with multiple other suspected Chinese groups—to establish initial access via\r\nuser and administrator credentials, enable lateral movement once inside the network, and locate high value assets\r\nin order to exfiltrate data. 
Table 1 provides details on these tactics and techniques. Note: see the appendix for a list\r\nof the domains, file names, and malware MD5 hash values used to facilitate this activity.\r\nProper network defense-in-depth and adherence to information security best practices can assist in mitigating the\r\nthreat and reducing the risk. The following guidance may assist organizations in developing network defense\r\nprocedures.\r\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact\r\nyour local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855)\r\n292-3937 or by email at CyWatch@fbi.gov . When available, please include the following information regarding\r\nthe incident: date, time, and location of the incident; type of activity; number of people affected; type of\r\nequipment used for the activity; the name of the submitting company or organization; and a designated point of\r\ncontact. To request incident response resources or technical assistance related to these threats, contact CISA at\r\nCentral@cisa.dhs.gov .\r\nSource: https://us-cert.cisa.gov/ncas/alerts/aa21-200a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/aa21-200a"
	],
	"report_names": [
		"aa21-200a"
	],
	"threat_actors": [
		{
			"id": "78090a48-ca66-4cd8-a454-04d947e9c887",
			"created_at": "2023-01-06T13:46:38.303662Z",
			"updated_at": "2026-04-10T02:00:02.919567Z",
			"deleted_at": null,
			"main_name": "Hellsing",
			"aliases": [],
			"source_name": "MISPGALAXY:Hellsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434188,
	"ts_updated_at": 1775792281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1729fb83b35e14e874d718d7a23a58ef058613f9.pdf",
		"text": "https://archive.orkl.eu/1729fb83b35e14e874d718d7a23a58ef058613f9.txt",
		"img": "https://archive.orkl.eu/1729fb83b35e14e874d718d7a23a58ef058613f9.jpg"
	}
}