{
	"id": "b9e3aa15-ab54-4122-94b6-ac45ff130df4",
	"created_at": "2026-04-06T01:32:25.461812Z",
	"updated_at": "2026-04-10T03:38:09.666527Z",
	"deleted_at": null,
	"sha1_hash": "1abc6cebd82e7a25ea9c60294009e15bce071e98",
	"title": "Mandiant APT1 samples categorized by malware families",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 154977,
	"plain_text": "Mandiant APT1 samples categorized by malware families\r\nArchived: 2026-04-06 00:52:29 UTC\r\nUpdate: May 19, 2018\r\nAPT 1 resources\r\nThreat Actor aliases:\r\nComment Crew, Comment Panda, PLA Unit 61398, TG-8223, APT 1, BrownFox, Group 3, GIF89a, ShadyRAT,\r\nShanghai Group, Byzantine Candor\r\nhttp://apt.threattracking.com\r\n2010_11_Fireeye_VinSelf - A new backdoor in town! « VinSelf - A new backdoor in town! _ FireEye Inc.pdf\r\n2010_12_Guardian_WikiLeaks cables reveal fears over Chinese cyber warfare _ US news _ The Guardian.pdf\r\n2011_08_Ira Winkler_ Shady Rat Case Shows Vendors As Big a Problem As APT Itself _ CIO.pdf\r\n2011_08_Kaspersky's Thoughts on Operation Shady Rat _ Nota Bene_ Eugene Kaspersky's Official Blog.pdf\r\n2011_10_SANS_detailed-analysis-advanced-persistent-threat-malware-33814.pdf\r\n2011_Mcafee-operation-shady-rat1.pdf\r\n2012_06_Bloomberg_Hackers Linked to China’s Army Seen From EU to D.C. - Bloomberg.pdf\r\n2013_02_NYTimes_China’s Army Is Seen as Tied to Hacking Against U.S.pdf\r\n2013_03_Fireeye_TABMSGSQL and 44 WEBC2-YAHOO_The Dingo and the Baby « The Dingo and the Baby _\r\nFireEye Inc.pdf\r\n2013_05_Fireeye_APT1 Three Months Later.pdf\r\n2013_05_Mandiant-APT1_Exposing One of China’s Cyber Espionage Units.pdf\r\n2014_05_Fireeye_The PLA and the 8_00am-5_00pm Work Day_ FireEye Confirms DOJ's Findings on APT1\r\nIntrusion Activity « The PLA and the 8_00am-5_00pm Work Day_ FireEye Confirms DOJ's Findings on APT1\r\nIntrusion Activity _ FireEye Inc.pdf\r\n2014_06_Crowdstrike_Hat-tribution to PLA Unit 61486 ».pdf\r\n2014_12_Vinself now with steganography - Airbus CyberSecurity.pdf\r\n2016_BANGAT_malware-signatures_bangat.yara at master · citizenlab_malware-signatures.pdf\r\nGIF89a_Vinselfdecoder_malwaretracker.com_ Command and Control Decoder - Vinself Trojan.pdf\r\nPLA Unit 61398 _ Council on Foreign Relations Interactives.pdf\r\nThese are the samples described in the Mandiant Report APT1, in the Indicators of 
Compromise\r\n(IOCs). Each file is named according to the malware family, so you can run your own detection and signature tools to see\r\nhow your naming convention corresponds to the one used by Mandiant.\r\nYou can use these binaries to develop signatures, compare to your samples, or study the behavior and evolution of APT1.\r\nI added Contagio samples in several families as well.\r\nThe list of binaries and their names, as well as malware family descriptions, are provided below for your convenience.\r\nDownload\r\nSample list and information\r\nThe descriptions below are from the Mandiant IOC http://intelreport.mandiant.com/Mandiant_APT1_Report_Appendix.zip\r\nhttp://contagiodump.blogspot.com/2013/03/mandiant-apt1-samples-categorized-by.html\r\nPage 1 of 12\n\n1. AURIGA\r\nThe AURIGA malware family shares a large amount of functionality with the BANGAT backdoor.  The malware family\r\ncontains functionality for keystroke logging, creating and killing processes, performing file system and registry\r\nmodifications, spawning interactive command shells, performing process injection, logging off the current user or shutting\r\ndown the local machine.  The AURIGA malware contains a driver component which is used to inject the malware DLL into\r\nother processes.  This driver can also perform process and IP connection hiding.  The malware family will create a copy of\r\ncmd.exe to perform its C2 activity, and replace the \"Microsoft corp\" strings in the cmd.exe binary with different values.  The\r\nmalware family typically maintains persistence through installing itself as a service.\r\nAURIGA_sample_6B31344B40E2AF9C9EE3BA707558C14E\r\nAURIGA_sample_CDCD3A09EE99CFF9A58EFEA5CCBE2BED\r\n2. BANGAT\r\nThe BANGAT malware family shares a large amount of functionality with the AURIGA backdoor.  
The malware family\r\ncontains functionality for keylogging, creating and killing processes, performing filesystem and registry modifications,\r\nspawning interactive command shells, performing process injection, logging off the current user or shutting down the local\r\nmachine.  In addition, the malware also implements a custom VNC-like protocol which sends screenshots of the desktop to\r\nthe C2 server and accepts keyboard and mouse input.  The malware communicates to its C2 servers using SSL, with self-signed\r\nSSL certificates.  The malware family will create a copy of cmd.exe to perform its C2 activity, and replace the\r\n\"Microsoft corp\" strings in the cmd.exe binary with different values.  The malware family typically maintains persistence\r\nthrough installing itself as a service.\r\nBANGAT_sample_4C6BDDCCA2695D6202DF38708E14FC7E\r\nBANGAT_sample_8E8622C393D7E832D39E620EAD5D3B49\r\nBANGAT_sample_468FF2C12CFFC7E5B2FE0EE6BB3B239E\r\nBANGAT_sample_727A6800991EEAD454E53E8AF164A99C\r\nBANGAT_sample_BD8B082B7711BC980252F988BB0CA936\r\nBANGAT_sample_DB05DF0498B59B42A8E493CF3C10C578\r\nBANGAT_sample_E1B6940985A23E5639450F8391820655\r\nBANGAT_sample_EF8E0FB20E7228C7492CCDC59D87C690\r\nContagio samples for Bangat\r\nCirca 2009-2010\r\n995B44EF8460836D9091A8B361FDE489_rasauto32.dll\r\nF10D145684BA6C71CA2D2F7EB0D89343_rasauto32.dll\r\n43CE605B2584C27064FEBB0474A787A4_irmon32.dll\r\n1966B265272E1660E6F340B19A7E5567_irmon32.dll\r\n423A30C077B12354A4A5C31D4DE99689_irmon32.dll\r\n80CA8B948409138BE40FFBC5D6D95EF1_rasauto16.dll\r\n15138604260B1D27F92BF1EC6468B326_rasauto16.dll\r\n616B0F00DE54D7501CEEE18823F72103_rasauto16.dll\r\nC75D351D86DE26718A3881F62FDDDE99_irmon32.dll\r\nE66DD357A6DFA6EBD15358E565E8F00F_irmon32.dll\r\n0F77AF7FA673F5B3D36B926576002A1C_winhlp32.exe\r\n3. BISCUIT\r\nBISCUIT provides attackers with full access to an infected host.  
BISCUIT capabilities include launching an interactive\r\ncommand shell, enumerating servers on a Windows network, enumerating and manipulating processes, and transferring files.\r\nBISCUIT communicates using a custom protocol, which is then encrypted using SSL.  Once installed, BISCUIT will\r\nattempt to beacon to its command/control servers approximately every 10 or 30 minutes.  It will beacon its primary server\r\nfirst, followed by a secondary server. All communication is encrypted with SSL (OpenSSL 0.9.8i).\r\nBISCUIT_sample_5A728CB9CE56763DCCB32B5298D0F050\r\nBISCUIT_sample_5D8129BE965FAB8115ECA34FC84BD7F0\r\nBISCUIT_sample_7CB055AC3ACBF53E07E20B65EC9126A1\r\nBISCUIT_sample_12F25CE81596AEB19E75CC7EF08F3A38\r\nBISCUIT_sample_43B844C35E1A933E9214588BE81CE772\r\nBISCUIT_sample_70A55FDC712C6E31E013E6B5D412B0D6\r\nBISCUIT_sample_268EEF019BF65B2987E945AFAF29643F\r\nBISCUIT_sample_15901DDBCCC5E9E0579FC5B42F754FE8\r\nBISCUIT_sample_034374DB2D35CF9DA6558F54CEC8A455\r\nBISCUIT_sample_DA383CC098A5EA8FBB87643611E4BFB6\r\nContagio samples for  \r\n03B3CCEB253FD782590CF0EFAFD49D5F_AcroRD32.exe\r\n8AA320A3D34CF89EF63BF801DD497490_qmqrproxy.dll\r\n4. BOUNCER\r\nBOUNCER will load an extracted DLL into memory, and then will call the DLL's dump export.  The dump export is called\r\nwith the parameters passed via the command line to the BOUNCER executable.  It requires at least two arguments, the IP\r\nand port to send the password dump information.  It can accept at most five arguments, including a proxy IP, port and an\r\nx.509 key for SSL authentication.  
The DLL backdoor has the capability to execute arbitrary commands, collect database\r\nand server information, brute force SQL login credentials, launch arbitrary programs, create processes and threads, delete\r\nfiles, and redirect network traffic.\r\nBOUNCER_sample_6EBD05A02459D3B22A9D4A79B8626BF1\r\nBOUNCER_sample_57353ECBAECE29ECAF8025231EB930E3\r\nBOUNCER_sample_CF038194F0FE222F31EC24CB80941BB1\r\nBOUNCER_sample_D2F1BE7E10ED39AA8BC0F7F671D824D2\r\nBOUNCER_sample_F90DA15F862BB8452FC51D3F0DBB3373\r\n5. CALENDAR\r\nThis family of malware uses Google Calendar to retrieve commands and send results. It retrieves event feeds associated with\r\nGoogle Calendar, where each event contains commands from the attacker for the malware to perform. Results are posted\r\nback to the event feed. The malware authenticates with Google using the hard-coded email address and passwords. The\r\nmalware uses the deprecated ClientLogin authentication API from Google. The malware is registered as a service dll as a\r\npersistence mechanism. Artifacts of this may be found in the registry.\r\nGCAL_sample_72d4be67abeaa6ab3827784317b1b7e9\r\n6. COMBOS\r\nThe COMBOS malware family is an HTTP based backdoor.  The backdoor is capable of file upload, file download,\r\nspawning an interactive reverse shell, and terminating its own process.  The backdoor may decrypt stored Internet Explorer\r\ncredentials from the local system and transmit the credentials to the C2 server.  
The COMBOS malware family does not\r\nhave any persistence mechanisms built into itself.\r\nCOMBOS_sample_1E3719BBF854417384A3768E4326584B\r\nCOMBOS_sample_EC1E62EF73D844C6C845ACDD4C1F9CE7\r\nCOMBOS_sample_FA14D823A5D1854131DB0DC9EEF27022\r\nThis family of malware is a backdoor capable of file upload and download as well as providing remote interactive shell access\r\nto the compromised machine.\r\nCommunication with the Command \u0026 Control (C2) servers uses a combination of single-byte XOR and Base64 encoded\r\ndata in the Cookie and Set-Cookie HTTP header fields. Communication with the C2 servers is over port 80. Some variants\r\ninstall a registry key as a persistence mechanism. The hardcoded strings cited include a string of a command in\r\ncommon with several other APT1 families.\r\nCOOKIEBAG_sample_0C28AD34F90950BC784339EC9F50D288\r\nCOOKIEBAG_sample_321D75C9990408DB812E5A248A74F8C8\r\nCOOKIEBAG_sample_543E03CC5872E9ED870B2D64363F518B\r\nCOOKIEBAG_sample_989B797C2A63FBFC8E1C6E8A8CCD6204\r\nCOOKIEBAG_sample_57326CD78A56D26E349BBD4BCC5B9FA2\r\nCOOKIEBAG_sample_DB2580F5675F04716481B24BB7AF468E\r\nCOOKIEBAG_sample_F3611C5C793F521F7FF2A69C22D4174E\r\n7. DAIRY\r\nMembers of this malware family are backdoors that provide file downloading, process listing, process killing, and reverse\r\nshell capabilities.  This malware may also add itself to the Authorized Applications list for the Windows Firewall.\r\nDAIRY_sample_995442F722CC037885335340FC297EA0\r\n8. GETMAIL\r\nMembers of this family of malware are utilities designed to extract email messages and attachments from Outlook PST files.\r\nOne part of this utility set is an executable, one is a dll. The malware may create a registry artifact related to the executable.\r\nGETMAIL_sample_909BEF6DB8D33854E983EBCCDD71419F\r\nGETMAIL_sample_E81DB0198D2A63C4CCFC33F58FCB821E\r\nGETMAIL_sample_E212AAF642D73A2E4A885F12EEA86C58\r\n9. 
GDOCUPLOAD\r\nThis family of malware is a utility designed to upload files to Google Docs. Nearly all communications with\r\ndocs.google.com are SSL encrypted. The malware does not use Google's published API to interact with their services. The\r\nmalware does not currently work with Google Docs. It does not detect HTTP 302 redirections and will get caught in an\r\ninfinite loop attempting to parse results from Google that are not present.\r\nGDOCUPLOAD-sample_232d1be2d8cbbd1cf57494a934628504\r\n10. GLOOXMAIL - aka TROJAN.GTALK http://www.cyberengineeringservices.com/trojan-gtalk/\r\nGLOOXMAIL communicates with Google's Jabber/XMPP servers and authenticates with a hard-coded username and\r\npassword.  The malware can accept commands over XMPP that include file upload and download, providing a remote shell,\r\nsending process listings, and terminating specified processes.  The malware makes extensive use of the open source gloox\r\nlibrary (http://camaya.net/gloox/, version 0.9.9.12) to communicate using the Jabber/XMPP protocol.  All communications\r\nwith the Google XMPP server are encrypted.\r\nGLOOXMAIL_sample_3DE1BD0F2107198931177B2B23877DF4\r\nGLOOXMAIL_sample_15A33F8FE11B94BDD38BFF651F6A5CD1\r\n11. GOGGLES\r\nA family of downloader malware that retrieves an encoded payload from a fixed location, usually in the form of a file with\r\nthe .jpg extension. Some variants have just an .exe that acts as a downloader, others have an .exe launcher that runs as a\r\nservice and then loads an associated .dll of the same name that acts as the downloader. This IOC is targeted at the\r\ndownloaders only. After downloading the file, the malware decodes the downloaded payload into an .exe file and launches\r\nit. 
The malware usually stages the files it uses in the %TEMP% directory or the %WINDIR%\\Temp directory.\r\nGOGGLES_sample_09D372E4259980AC95FDADF1846578D9\r\nGOGGLES_sample_57F98D16AC439A11012860F88DB21831\r\nGOGGLES_sample_51326BF40DA5A5357A143DD9A6E6A11C\r\nGOGGLES_sample_A5B581C0600815B1112CA2FED578928B\r\nGOGGLES_sample_BCB087F69792B69494A3EDAD51A842BB\r\nGOGGLES_sample_BF80DBF969B73790253F683CD723FD71\r\nGOGGLES_sample_DB50416D9E67F4982E89E0FFB0ADE6F3\r\n12. GREENCAT\r\nMembers of this family are full featured backdoors that communicate with a Web-based Command \u0026 Control (C2) server\r\nover SSL. Features include interactive shell, gathering system info, uploading and downloading files, and creating and\r\nkilling processes. Malware in this family usually communicates with a hard-coded domain using SSL on port 443. Some\r\nmembers of this family rely on launchers to establish a persistence mechanism for them. Others contain functionality that\r\nallows them to install themselves, replacing an existing Windows service, and to uninstall themselves. 
Several variants use\r\n%SystemRoot%\\Tasks or %WinDir%\\Tasks as working directories; additional malware artifacts may be found there.\r\nGREENCAT_sample_0C5E9F564115BFCBEE66377A829DE55F\r\nGREENCAT_sample_1F92FF8711716CA795FBD81C477E45F5\r\nGREENCAT_sample_3E6ED3EE47BCE9946E2541332CB34C69\r\nGREENCAT_sample_3E69945E5865CCC861F69B24BC1166B6\r\nGREENCAT_sample_5AEAA53340A281074FCB539967438E3F\r\nGREENCAT_sample_6D2320AF561B2315C1241E3EFD86067F\r\nGREENCAT_sample_30E78D186B27D2023A2A7319BB679C3F\r\nGREENCAT_sample_36C0D3F109AEDE4D76B05431F8A64F9E\r\nGREENCAT_sample_55FB1409170C91740359D1D96364F17B\r\nGREENCAT_sample_57E79F7DF13C0CB01910D0C688FCD296\r\nGREENCAT_sample_120C2E085992FF59A21BA401EC29FEC9_different\r\nGREENCAT_sample_390D1F2A620912104F53C034C8AEF14B\r\nGREENCAT_sample_871CC547FEB9DBEC0285321068E392B8\r\nGREENCAT_sample_7388D67561D0A7989202AD4D37EFF24F\r\nGREENCAT_sample_A99E06E2F90DB4E506EF1347A8774DD5\r\nGREENCAT_sample_A565682D8A13A5719977223E0D9C7AA4\r\nGREENCAT_sample_AB208F0B517BA9850F1551C9555B5313\r\nGREENCAT_sample_B3BC979D8DE3BE09728C5DE1A0297C4B\r\nGREENCAT_sample_B5E9CE72771217680EFAEECFAFE3DA3F\r\nGREENCAT_sample_B8F61242E28F2EDF6CB1BE8781438491\r\nGREENCAT_sample_BA0C4D3DBF07D407211B5828405A9B91\r\nGREENCAT_sample_C044715C2626AB515F6C85A21C47C7DD\r\nGREENCAT_sample_E54CE5F0112C9FDFE86DB17E85A5E2C5\r\nGREENCAT_sample_E83F60FB0E0396EA309FAF0AED64E53F\r\nGREENCAT_sample_F4ED3B7A8A58453052DB4B5BE3707342\r\nGREENCAT_sample_FAB6B0B33D59F393E142000F128A9652\r\n13. HACKFASE\r\nThis family of malware is a backdoor that provides reverse shell, process creation, system statistics collection, process\r\nenumeration, and process termination capabilities.\r\nThis family is designed to be a service DLL and does not contain an installation mechanism.\r\nIt usually communicates over port 443. 
Some variants use their own encryption, others use SSL.\r\nHACKFASE_sample_0D0240672A314A7547D328F824642DA8\r\nHACKFASE_sample_1A0C7E61BCC50D57B7BCF9D9AF691DE5\r\nHACKFASE_sample_9E860622FEE66074DFE81DCFCC40C4E2\r\nHACKFASE_sample_17199DDAC616938F383A0339F416C890\r\nHACKFASE_sample_BCBDEF1678049378BE04719ED29078D2\r\n14. HELAUTO\r\nThis family of malware is designed to operate as a service and provides remote command execution and file transfer\r\ncapabilities to a fixed IP address or domain name. All communication with the C2 server happens over port 443 using SSL.\r\nThis family can be installed as a service DLL. Some variants allow for uninstallation.\r\nHELAUTO_sample_47E7F92419EB4B98FF4124C3CA11B738\r\nHELAUTO_sample_DA6B0EE7EC735029D1FF4FA863A71DE8\r\n15. KURTON\r\nThis family of malware is a backdoor that tunnels its connection through a preconfigured proxy. The malware communicates\r\nwith a remote command and control server over HTTPS via the proxy. The malware installs itself as a Windows service with\r\na service name supplied by the attacker but defaults to IPRIP if no service name is provided during install.\r\nNo Mandiant samples available.\r\nThese are Contagio samples dated 2009\r\n57C69FECFECDCB5288687DF2AC96E44F_iprinp.dll\r\n7C136A9E8D94BF117288D9B5388019D6_iprinp.dll\r\n82C39E6979022E57B93B719793B39A30_iprinp.dll\r\nA327B9D97CA479B89297F438F87816A0_iprinp.dll\r\nA6C1595BD7B1A85C42FBD674460DC35D_iprinp.dll\r\n15. LIGHTBOLT\r\nLIGHTBOLT is a utility with the ability to perform HTTP GET requests for a list of user-specified URLs. The responses of\r\nthe HTTP requests are then saved as MHTML files, which are added to encrypted RAR files. 
LIGHTBOLT has the ability to\r\nuse software certificates for authentication.\r\nLIGHTBOLT_sample_2E86A9862257A0CF723CEEF3868A1A12\r\n16. LIGHTDART\r\nLIGHTDART is a tool used to access a pre-configured web page that hosts an interface to query a database or data set. The\r\ntool then downloads the results of a query against that web page to an encrypted RAR file. This RAR file (1.rar) is renamed\r\nand uploaded to an attacker controlled FTP server, or uploaded via an HTTP POST with a .jpg extension. The malware will\r\nexecute this search once a day. The target webpage usually contains information useful to the attacker, which is updated on a\r\nregular basis. Examples of targeted information include weather information or ship coordinates.\r\nNo samples\r\n17. LONGRUN\r\nLONGRUN is a backdoor designed to communicate with a hard-coded IP address and provide the attackers with a custom\r\ninteractive shell.  It supports file uploads and downloads, and executing arbitrary commands on the compromised machine.\r\nWhen LONGRUN executes, it first loads configuration data stored as an obfuscated string inside the PE resource section.\r\nThe distinctive string thequickbrownfxjmpsvalzydg is used as part of the input to the decoding algorithm.  When the\r\nconfiguration data string is decoded it is parsed and treated as an IP and port number.  The malware then connects to the host\r\nand begins interacting with it over a custom protocol.\r\nNo samples\r\n18. MANITSME\r\nThis family of malware will beacon out at random intervals to the remote attacker. The attacker can run programs, execute\r\narbitrary commands, and easily upload and download files. This IOC looks for both the dropper file and the backdoor.\r\nMANITSME_sample_e97ebb5b2050b86999c55797c2348ba7\r\n19. MAPIGET\r\nThis malware utility is a set of two files that operate in conjunction to extract email messages and attachments from an\r\nExchange server. 
In order to operate successfully, these programs require authentication credentials for a user on the\r\nExchange server, and must be run from a machine joined to the domain that has Microsoft Outlook installed (or equivalent\r\nsoftware that provides the Microsoft 'Messaging API' (MAPI) service).\r\nMAPIGET_sample_C627E595C9EC6DC2199447AEAB59AC03\r\nMAPIGET_sample_F3C6C797EF80787E6CBEEAA77496A3CB\r\nContagio samples for MAPIGET\r\n09E25BB934D8523FCCD27B86FBF4F8CE_m.exe\r\nC57902ACE7FF4173AE41F1292EA85E2A_MAPI.exe\r\n20. MINIASP\r\nThis family of malware consists of backdoors that attempt to fetch encoded commands over HTTP. The malware is capable\r\nof downloading a file, downloading and executing a file, executing arbitrary shell commands, or sleeping a specified\r\ninterval.\r\nMINIASP_77FBFED235D6062212A3E43211A5706E\r\nMINIASP_81B03CBCFC4B9D090CD8F5E5DA816895\r\nMINIASP_E476E4A24F8B4FF4C8A0B260AA35FC9F\r\n21. NEWSREELS\r\nThe NEWSREELS malware family is an HTTP based backdoor.  When first started, NEWSREELS decodes two strings\r\nfrom its resources section. These strings are both used as C2 channels, one URL is used as a beacon URL (transmitting) and\r\nthe second URL is used to get commands (receiving).  
The NEWSREELS malware family is capable of performing file\r\nuploads, downloads, creating processes or creating an interactive reverse shell.\r\nNEWSREELS_sample_02C65973B6018F5D473D701B3E7508B2\r\nNEWSREELS_sample_2C49F47C98203B110799AB622265F4EF\r\nNEWSREELS_sample_270D42F292105951EE81E4085EA45054\r\nNEWSREELS_sample_0496E3B17CF40C45F495188A368C203A\r\nNEWSREELS_sample_523F56515221161579EE6090C962E5B1\r\nNEWSREELS_sample_933B11BC4799F8D9F65466FB2E3EA659\r\nNEWSREELS_sample_A2CD1189860B9BA214421AAB86ECBC8A\r\nNEWSREELS_sample_A639F598D4C0B9AA7A4691D05F27D977\r\nNEWSREELS_sample_AF2F7B070245C90BD2A0A0845314173A\r\nNEWSREELS_sample_B8277CCE81E0A372BC35D33A0C9483C2\r\nNEWSREELS_sample_BAABD9B76BFF84ED27FD432CFC6DF241\r\nNEWSREELS_sample_D4C7F1F80883412F9796F1270ACCFF50\r\nNEWSREELS_sample_D271AE0F4E9230AF3B61EAFE7F671FDE\r\nNEWSREELS_sample_EF6C375E3E6930E2B50E1E97FE6FBCC9\r\n22. SEASALT\r\nThe SEASALT malware family communicates via a custom binary protocol.  It is capable of gathering some basic system\r\ninformation, file system manipulation, file upload and download, process creation and termination, and spawning an\r\ninteractive reverse shell.  The malware maintains persistence by installing itself as a service.\r\nSEASALT_sample_5E0DF5B28A349D46AC8CC7D9E5E61A96\r\nSEASALT_sample_F0726AADCF5D66DAF528F79BA8507113\r\n23. STARSYPOUND\r\nSTARSYPOUND provides an interactive remote shell over an obfuscated communications channel.  When it is first run, it\r\nloads a string (from the executable PE resource section) containing the beacon IP address and port.  The malware sends the\r\nbeacon string \"*(SY)# \u003cHOSTNAME\u003e\" to the remote system, where \u003cHOSTNAME\u003e is the hostname of the victim system.\r\n The remote host responds with a packet that also begins with the string \"*(SY)# cmd\". This causes the malware to launch a\r\nnew cmd.exe child process. Further communications are forwarded to the cmd.exe child process to execute. 
The commands\r\nsent to the shell and their responses are obfuscated when sent over the network.\r\nSTARSYPOUND_sample_2BA0D0083976A5C1E3315413CDCFFCD2\r\nSTARSYPOUND_sample_2DD892986B2249B5214639ECC8AC0223\r\nSTAR\r\n24. SWORD\r\nThis family of malware provides a backdoor over the network to the attackers. It is configured to connect to a single host\r\nand offers file download over HTTP, program execution, and arbitrary execution of commands through a cmd.exe instance.\r\nSWORD_sample_052F5DA1734464A985DCD669BFF62F93\r\n25. TABMSGSQL\r\nThis malware family is a full-featured backdoor capable of file uploading and downloading, arbitrary execution of programs,\r\nand providing a remote interactive command shell.\r\nAll communications with the C2 server are sent over HTTP to a static URL, appending various URL parameters to the\r\nrequest. Some variants use a slightly different URL.\r\nTABMSGSQL_sample_001DD76872D80801692FF942308C64E6\r\nTABMSGSQL_sample_2F930D92DC5EBC9D53AD2A2B451EBF65\r\nTABMSGSQL_sample_3E87051B1DC3463F378C7E1FE398DC7D\r\nTABMSGSQL_sample_8A86DF3D382BFD1E4C4165F4CACFDFF8\r\nTABMSGSQL_sample_052EC04866E4A67F31845D656531830D\r\nTABMSGSQL_sample_002325A0A67FDED0381B5648D7FE9B8E\r\nTABMSGSQL_sample_55886D571C2A57984EA9659B57E1C63A\r\nContagio sample for TABMSGSQL - LETSGO\r\nDC1286AAC46B0EAD7B27F045E5B09EFF Conference Materials.zip (dropper)\r\n26. TARSIP-ECLIPSE\r\nThe TARSIP malware family is a backdoor which communicates over encoded information in HTTPS headers.  Typical\r\nTARSIP malware samples will only beacon out to their C2 servers if the C2 DNS address resolves to a specific address.  The\r\ncapability of TARSIP backdoors includes file uploading, file downloading, interactive command shells, process\r\nenumeration, process creation, process termination. 
The TARSIP-ECLIPSE family is distinguished by the presence of\r\n'eclipse' in .pdb debug strings present in the malware samples. It does not provide a built in mechanism to maintain\r\npersistence.\r\nTARSIP-ECLIPSE_sample_0B506C6DDE8D07F9EEB82FD01A6F97D4\r\nTARSIP-ECLIPSE_sample_4A54D7878D4170C3D4E3C3606365C42C\r\nTARSIP-ECLIPSE_sample_4F763B07A7B8A80F1F9408E590F79532\r\nTARSIP-ECLIPSE_sample_3107DE21E480AB1F2D67725F419B28D0\r\nTARSIP-ECLIPSE_sample_8934AEED5D213FE29E858EEE616A6EC7\r\nTARSIP-ECLIPSE_sample_123505024F9E5FF74CB6AA67D7FCC392\r\nTARSIP-ECLIPSE_sample_CA327BC83FBE38B3689CD1A5505DFC33\r\n27. TARSIP-MOON\r\nThe TARSIP malware family is a backdoor which communicates over encoded information in HTTPS headers.  Typical\r\nTARSIP malware samples will only beacon out to their C2 servers if the C2 DNS address resolves to a specific address.  The\r\ncapability of TARSIP backdoors includes file uploading, file downloading, interactive command shells, process\r\nenumeration, process creation, process termination. The TARSIP-MOON family is distinguished by the presence of 'moon'\r\nin .pdb debug strings present in the malware samples.  It does not provide a built in mechanism to maintain persistence.\r\nTARSIP-MOON_sample_2BD02B41817D227058522CCA40ACD390\r\nTARSIP-MOON_sample_95F25D3AFC5370F5D9FD8E65C17D3599\r\nTARSIP-MOON_sample_0908D8B3E459551039BADE50930E4C1B\r\nTARSIP-MOON_sample_6808EC6DBB23F0FA7637C108F44C5C80\r\nTARSIP-MOON_sample_A5D4EBC0285F0213E0C29D23BC410889\r\nTARSIP-MOON_sample_C91EACAB7655870764D13BA741AA9A73\r\n28. WARP\r\nThe WARP malware family is an HTTP based backdoor written in C++, and the majority of its code base is borrowed from\r\nsource code available in the public domain.  Network communications are implemented using the same WWW client library\r\n(w3c.cpp) available from www.dankrusi.com/file_69653F3336383837.html.  The malware has system survey functionality\r\n(collects hostname, current user, system uptime, CPU speed, etc.) 
taken directly from the BO2K backdoor available from\r\nwww.bo2k.com.  It also contains the hard disk identification code found at www.winsim.com/diskid32/diskid32.cpp.  When\r\nWARP executes remote commands, the malware creates a copy of the '%SYSTEMROOT%\\system32\\cmd.exe' file as\r\n'%USERPROFILE%\\Temp\\~ISUN32.EXE'.  The version signature information of the duplicate executable is zeroed out.\r\nSome WARP variants maintain persistence through the use of DLL search order hijacking.\r\nno sample\r\n29. WEBC2-ADSPACE\r\nA WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain\r\nspecial HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware\r\nis capable of downloading and executing a file. All variants represented here are the same file with different MD5\r\nsignatures. This malware attempts to contact its C2 once a week (Thursday at 10:00 AM). It looks for commands inside a set\r\nof HTML tags, part of which are in the File Strings indicator term below.\r\nWEBC2-ADSPACE_sample_AB00B38179851C8AA3F9BC80ED7BAA23\r\n30. WEBC2-AUSOV\r\nA WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain\r\nspecial HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This malware family is\r\nonly a downloader which operates over the HTTP protocol with a hard-coded URL. 
If directed, it has the capability to\r\ndownload, decompress, and execute compressed binaries.\r\nWEBC2-AUSOV_sample_6E442C5EF460BEE4C9457C6BF7A132D6\r\nWEBC2-AUSOV_sample_097B5ABB53A3D84FA9EABDA02FEF9E91\r\nWEBC2-AUSOV_sample_A40E20FF8B991308F508239625F275D8\r\nWEBC2-AUSOV_sample_D262CB8267BEB0E218F6D11D6AF9052E\r\n31. WEBC2-BOLID\r\nA WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain\r\nspecial HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware is\r\na backdoor capable of downloading files and updating its configuration.\r\nCommunication with the command and control (C2) server uses a combination of single-byte XOR and Base64 encoded\r\ndata wrapped in standard HTML tags. The malware family installs a registry key as a persistence mechanism.\r\nWEBC2-BOLID_sample_1EA61A0945BDE3C6F41E12BC01928D37\r\nWEBC2-BOLID_sample_5FF3269FACA4A67D1A4C537154AAAD4B\r\nWEBC2-BOLID_sample_53B263DD41838AA178A5CED338A207F3\r\nWEBC2-BOLID_sample_9675827A495F4BA6A4EFD4DD70932B7C\r\nWEBC2-BOLID_sample_D8238E950608E5ABA3D3E9E83E9EE2CC\r\n32. WEBC2-CLOVER\r\nA WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain\r\nspecial HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The family of malware\r\nprovides the attacker with an interactive command shell, the ability to upload and download files, execute commands on the\r\nsystem, list processes and DLLs, kill processes, and ping hosts on the local network. Responses to these commands are\r\nencrypted and compressed before being POSTed to the server. Some variants copy cmd.exe to Updatasched.exe in a\r\ntemporary directory, and then may launch that in a process if an interactive shell is called. 
On initial invocation, the malware\r\nalso attempts to delete previous copies of the Updatasched.exe file.\r\nWEBC2-CLOVER_sample_2FCCAA39533DE02490B1C6395878DD79\r\nWEBC2-CLOVER_sample_29C691978AF80DC23C4DF96B5F6076BB\r\nWEBC2-CLOVER_sample_065E63AFDFA539727F63AF7530B22D2F\r\n33. WEBC2-CSON\r\nA WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain\r\nspecial HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Members of this family\r\nof malware act only as downloaders and droppers for other malware. They communicate with a hard-coded C2 server,\r\nreading commands embedded in HTML comment fields. Some variants are executables which act upon execution, others are\r\nDLLs which can be attached to services or loaded through search order hijacking.\r\nWEBC2-CSON_sample_7D3140BD028F70F1FA865364B69C5999\r\nWEBC2-CSON_sample_50F35B7C86AEDE891A72FCB85F06B0B7\r\nWEBC2-CSON_sample_73D125F84503BD87F8142CF2BA8AB05E\r\nWEBC2-CSON_sample_575836EBB1B8849F04E994E9160370E4\r\nWEBC2-CSON_sample_4192479B055B2B21CB7E6C803B765D34\r\nWEBC2-CSON_sample_277964807A66AEEB6BD81DBFCAA3E4E6\r\nWEBC2-CSON_sample_A38A367D6696BA90B2E778A5A4BF98FD\r\nWEBC2-CSON_sample_D22863C5E6F098A4B52688B021BEEF0A\r\nWEBC2-CSON_sample_F1E5D9BF7705B4DC5BE0B8A90B73A863\r\nWEBC2-CSON_sample_F802B6E448C054C9C16B97FF85646825\r\n34. WEBC2-DIV \r\nThe WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to\r\ncontain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands.  The WEBC2-\r\nDIV variant searches for the strings \"div safe:\" and \" balance\" to delimit encoded C2 information. If the decoded string\r\nbegins with the letter \"J\" the malware will parse additional arguments in the decoded string to specify the sleep interval to\r\nuse.  
WEBC2-DIV is capable of downloading a file, downloading and executing a file, or sleeping for a specified interval.\r\nWEBC2-DIV_sample_1E5EC6C06E4F6BB958DCBB9FC636009D\r\n35. WEBC2-GREENCAT\r\nA WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain\r\nspecial HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This malware is a variant\r\nof the GREENCAT family, using a fixed web C2. This family is a full-featured backdoor that provides remote command\r\nexecution, file transfer, process and service enumeration and manipulation. It installs itself persistently through the current\r\nuser's registry Run key.\r\nWEBC2-GREENCAT_sample_1CE4605E771A04E375E0D1083F183E8E\r\nWEBC2-GREENCAT_sample_36C0D3F109AEDE4D76B05431F8A64F9E\r\nWEBC2-GREENCAT_sample_55FB1409170C91740359D1D96364F17B\r\nWEBC2-GREENCAT_sample_BA0C4D3DBF07D407211B5828405A9B91\r\nWEBC2-GREENCAT_sample_E54CE5F0112C9FDFE86DB17E85A5E2C5\r\nWEBC2-GREENCAT_sample_E83F60FB0E0396EA309FAF0AED64E53F\r\n36. WEBC2-HEAD\r\nThe WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to\r\ncontain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-HEAD\r\nvariant communicates over HTTPS, using the system's SSL implementation to encrypt all communications with the\r\nC2 server. 
WEBC2-HEAD first issues an HTTP GET to the host, sending a Base64-encoded string containing the name of\r\nthe compromised machine running the malware.\r\nWEBC2-HEAD_sample_7B42B35832855AB4FF37AE9B8FA9E571\r\nWEBC2-HEAD_sample_88C7C50CD4130561D57A1D3B82C5B953\r\nWEBC2-HEAD_sample_165EF79E7CAA806F13F82CC2BBF3DEDD\r\nWEBC2-HEAD_sample_649D54BC9EEF5A60A4B9D8B889FEE139\r\nWEBC2-HEAD_sample_973F4A238D6D19BDC7B42977B07B9CEF\r\nWEBC2-HEAD_sample_B74022A7B9B63FDC541AE0848B28A962\r\nWEBC2-HEAD_sample_C4C638750526E28F68D6D71FD1266BDF\r\nWEBC2-HEAD_sample_C9172B3E83C782BC930C06B628F31FA5\r\nWEBC2-HEAD_sample_EC8C89AA5E521572C74E2DD02A4DAF78\r\nWEBC2-HEAD_sample_F627990BBE2EC5C48C180F724490C332\r\n37. WEBC2-KT3\r\nThe WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to\r\ncontain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-KT3\r\nvariant searches for commands in a specific comment tag. Network traffic starting with *!Kt3+v| may indicate\r\nWEBC2-KT3 activity.\r\nWEBC2-KT3_sample_EC3A2197CA6B63EE1454D99A6AE145AB\r\n38. WEBC2-QBP\r\nThe WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to\r\ncontain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-QBP\r\nvariant searches for two strings in an HTML comment: \"2010QBP \" followed by \" 2010QBP//--\".\r\nBetween these two strings is a DES-encrypted string.\r\nWEBC2-QBP_sample_929802A27737CEBC59D19DA724FDF30A\r\nWEBC2-QBP_sample_C04C796EF126AD7429BE7D55720FE392\r\nWEBC2-QBP_sample_CF9C2D5A8FBDD1C5ADC20CFC5E663C21\r\n39. WEBC2-RAVE\r\nA WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain\r\nspecial HTML tags; the backdoor will attempt to interpret the data between the tags as commands. 
This family of malware\r\nsets itself up as a service, connects out to a hardcoded web page, and reads a modified Base64 string from that page.\r\nLater versions of this malware support three commands (earlier ones are just downloaders or reverse shells). The first\r\ncommand sleeps the malware for N hours. The second downloads a binary from the encoded\r\nHTML comment and executes it on the infected host. The third spawns an encoded reverse shell to an attacker-specified\r\nhost and port.\r\nWEBC2-RAVE_sample_5BCAA2F4BC7567F6FFD5507A161E221A\r\nWEBC2-RAVE_sample_9F11BC08AF048C5C3A110E567082FE0B\r\nWEBC2-RAVE_sample_438983192903F3FECF77500A39459EE6\r\nWEBC2-RAVE_sample_A2534E9B7E4146368EA3245381830EB0\r\nWEBC2-RAVE_sample_BDD2AD4C0E1E5667D117810AE9E36C4B\r\nWEBC2-RAVE_sample_BF0EE4367EA32F8E3B911C304258E439\r\n40. WEBC2-TABLE\r\nThe WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to\r\ncontain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-TABLE\r\nvariant looks for 'background', 'align', and 'bgcolor' tags in the requested Web\r\npage. If the data in these tags is formatted correctly, the malware will decode a second URL and a filename. This URL is\r\nthen retrieved, written to the decoded filename, and executed.\r\nWEBC2-TABLE_sample_7A7A46E8FBC25A624D58E897DEE04FFA\r\n41. WEBC2-TOCK\r\nThe WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to\r\ncontain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-TOCK\r\nvariant looks for tags that include the name of the system as a parameter. 
If those tags are formed\r\ncorrectly, the malware will decode the payload URL from the web page, then download and execute the payload.\r\n(no samples)\r\n42. WEBC2-UGX\r\nA WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain\r\nspecial HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Members of this family\r\nof malware provide remote command shell and remote file download and execution capabilities.\r\nThe malware downloads a web page containing a crafted HTML comment that in turn contains an encoded command.\r\nThe contents of this command tell the malware whether to download and execute a program, launch a reverse shell to a\r\nspecific host and port number, or sleep for a period of time.\r\nWEBC2-UGX_sample_4B19A2A6D40A5825E868C6EF25AE445E\r\nWEBC2-UGX_sample_54D5D171A482278CC8EACF08D9175FD7\r\nWEBC2-UGX_sample_56DE2854EF64D869B5DF7AF5E4EFFE3E\r\nWEBC2-UGX_sample_75DAD1CCABAE8ADEB5BAE899D0C630F8\r\nWEBC2-UGX_sample_8462A62F13F92C34E4B89A7D13A185AD\r\n43. WEBC2-Y21K\r\nA WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain\r\nspecial HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Members of this family\r\nof backdoor malware talk to specific Web-based Command \u0026 Control (C2) servers. The backdoor has a limited command\r\nset, depending on version. It is primarily a downloader, but it is classified as a backdoor because it can accept a limited\r\ncommand set, including changing local directories, downloading and executing additional files, sleeping, and connecting to\r\na specific IP \u0026 port not initially included in the instruction set for the malware. Each version of the malware has at least one\r\nhardcoded URL to which it connects to receive its initial commands. 
This family of malware installs itself as a service, with\r\nthe malware being either the executable run by the service or the service DLL loaded by a legitimate service. The same core\r\ncode is seen recompiled on different dates or under different names, but with the same functionality. Key signatures include a\r\nspecific set of functions (some of which can be used with the OS-provided rundll32.exe tool to install the malware as a\r\nservice), and hardcoded strings used in communication with C2 servers to issue commands to the implant.\r\nWEBC2-Y21K_sample_4CABFAEF26FD8E5AEC01D0C4B90A32F3\r\nWEBC2-Y21K_sample_225E33508861984DD2A774760BFDFC52\r\nWEBC2-Y21K_sample_2479A9A50308CB72FCD5E4E18EF06468\r\n44. WEBC2-YAHOO\r\nThe WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to\r\ncontain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-YAHOO\r\nvariant enters a loop in which, every ten minutes, it attempts to download a web page that may contain an encoded\r\nURL. 
The encoded URL is found in the returned page inside an attribute named 'sb' or 'ex' within a tag named 'yahoo'.\r\nThe embedded link can direct the malware to download and execute files.\r\nWEBC2-YAHOO_sample_2B659D71AE168E774FAAF38DB30F4A84\r\nWEBC2-YAHOO_sample_4C9C9DBF388A8D81D8CFB4D3FC05F8E4\r\nWEBC2-YAHOO_sample_7A670D13D4D014169C4080328B8FEB86\r\nWEBC2-YAHOO_sample_36D5C8FC4B14559F73B6136D85B94198\r\nWEBC2-YAHOO_sample_37DDD3D72EAD03C7518F5D47650C8572\r\nWEBC2-YAHOO_sample_0149B7BD7218AAB4E257D28469FDDB0D\r\nWEBC2-YAHOO_sample_1415EB8519D13328091CC5C76A624E3D\r\nWEBC2-YAHOO_sample_A8F259BB36E00D124963CFA9B86F502E\r\nWEBC2-YAHOO_sample_AA4F1ECC4D25B33395196B5D51A06790\r\nWEBC2-YAHOO_sample_CC3A9A7B026BFE0E55FF219FD6AA7D94\r\nWEBC2-YAHOO_sample_F7F85D7F628CE62D1D8F7B39D8940472\r\nSource: http://contagiodump.blogspot.com/2013/03/mandiant-apt1-samples-categorized-by.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"http://contagiodump.blogspot.com/2013/03/mandiant-apt1-samples-categorized-by.html"
	],
	"report_names": [
		"mandiant-apt1-samples-categorized-by.html"
	],
	"threat_actors": [
		{
			"id": "b7aa23d0-65c8-49f4-8052-837ce6251b63",
			"created_at": "2022-10-25T16:07:24.006105Z",
			"updated_at": "2026-04-10T02:00:04.831292Z",
			"deleted_at": null,
			"main_name": "Operation Shady RAT",
			"aliases": [],
			"source_name": "ETDA:Operation Shady RAT",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "468b7acd-895c-4c93-b572-b42f4035b4d4",
			"created_at": "2023-01-06T13:46:38.265636Z",
			"updated_at": "2026-04-10T02:00:02.902436Z",
			"deleted_at": null,
			"main_name": "APT2",
			"aliases": [
				"MSUpdater",
				"4HCrew",
				"SearchFire",
				"TG-6952",
				"G0024",
				"PLA Unit 61486",
				"PUTTER PANDA"
			],
			"source_name": "MISPGALAXY:APT2",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439145,
	"ts_updated_at": 1775792289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1abc6cebd82e7a25ea9c60294009e15bce071e98.pdf",
		"text": "https://archive.orkl.eu/1abc6cebd82e7a25ea9c60294009e15bce071e98.txt",
		"img": "https://archive.orkl.eu/1abc6cebd82e7a25ea9c60294009e15bce071e98.jpg"
	}
}
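Added example, appended after the archived record and not part of the contagiodump page, the Mandiant report, or the ORKL export: a small Python hunting helper that walks a retrieved HTML page for the WEBC2 tasking markers the family descriptions above document ('div safe:' and ' balance' for WEBC2-DIV, '2010QBP ' and ' 2010QBP//--' inside an HTML comment for WEBC2-QBP, the 'sb' or 'ex' attribute of a 'yahoo' tag for WEBC2-YAHOO, and the '*!Kt3+v|' traffic prefix for WEBC2-KT3) and recovers a Base64 plus single-byte XOR payload of the kind the WEBC2-BOLID entry describes by brute-forcing the key. The sample page, the example.invalid URLs, the XOR key and the printable-ratio scoring are all constructed for this demo; treating the DIV and YAHOO values as XOR/Base64 is an assumption (the page does not state those families' encodings), and the QBP value is only extracted, not decrypted, because the page says it is DES-encrypted and no key is published.

```python
import base64
import re
import string

KT3_MARKER = b"*!Kt3+v|"  # traffic prefix the page associates with WEBC2-KT3


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def encode_task(plaintext: str, key: int) -> str:
    """Used only to build the constructed samples: single-byte XOR, then Base64."""
    return base64.b64encode(xor_bytes(plaintext.encode(), key)).decode()


def between(text: str, start: str, end: str):
    """Substring between the first `start` and the next `end`, or None."""
    i = text.find(start)
    if i < 0:
        return None
    i += len(start)
    j = text.find(end, i)
    return None if j < 0 else text[i:j]


def extract_markers(page: str) -> dict:
    """Pull the documented delimiters out of a page; values are still encoded."""
    found = {}
    div = between(page, "div safe:", " balance")            # WEBC2-DIV delimiters
    if div is not None:
        found["WEBC2-DIV"] = div.strip()
    # Keep the closing '-->' in each comment: the '--' of ' 2010QBP//--' is the
    # comment terminator itself, so the end marker would otherwise never match.
    for comment in re.findall(r"<!--(.*?-->)", page, re.S):
        qbp = between(comment, "2010QBP ", " 2010QBP//--")  # WEBC2-QBP, in a comment
        if qbp is not None:
            found["WEBC2-QBP"] = qbp.strip()
    m = re.search(r"<yahoo\b[^>]*\b(?:sb|ex)=['\"]([^'\"]+)['\"]", page, re.I)
    if m:                                                   # WEBC2-YAHOO attribute
        found["WEBC2-YAHOO"] = m.group(1)
    return found


def printable_ratio(data: bytes) -> float:
    ok = set(string.printable.encode()) - set(b"\x0b\x0c")
    return sum(b in ok for b in data) / max(len(data), 1)


def recover_xor_base64(blob: str, hint: bytes = b"http"):
    """Brute-force the single-byte XOR key of a Base64-wrapped payload.
    Scoring by printable ratio plus a hint substring is this example's own
    heuristic, not something the page documents."""
    raw = base64.b64decode(blob)
    best = (-1.0, None, b"")
    for key in range(256):
        cand = xor_bytes(raw, key)
        score = printable_ratio(cand) + (1.0 if hint in cand else 0.0)
        if score > best[0]:
            best = (score, key, cand)
    return best[1], best[2].decode("latin-1")


def interpret_div(decoded: str) -> dict:
    """Per the page, a DIV string starting with 'J' carries sleep arguments;
    the layout of those arguments is not on the page, so they are kept raw."""
    if decoded.startswith("J"):
        return {"command": "sleep", "args": decoded[1:].strip()}
    return {"command": "download", "url": decoded}


def looks_like_kt3(payload: bytes) -> bool:
    return payload.startswith(KT3_MARKER)


# Constructed sample page (hypothetical URLs, no real C2 content). The QBP
# value is a placeholder token, not real DES ciphertext.
KEY = 0x5A
SAMPLE_PAGE = (
    "<html><body>\n"
    "<!-- 2010QBP Rk9PQkFSQkFa 2010QBP//-->\n"
    "<p>div safe:" + encode_task("http://example.invalid/u.exe", KEY) + " balance</p>\n"
    "<yahoo sb='" + encode_task("http://example.invalid/y.bin", KEY) + "'></yahoo>\n"
    "</body></html>"
)


def hunt(page: str = SAMPLE_PAGE) -> dict:
    """Extract every marker, then decode the ones whose encoding we assumed."""
    out = {"markers": extract_markers(page)}
    if "WEBC2-DIV" in out["markers"]:
        key, text = recover_xor_base64(out["markers"]["WEBC2-DIV"])
        out["div"] = {"key": key, **interpret_div(text)}
    if "WEBC2-YAHOO" in out["markers"]:
        key, text = recover_xor_base64(out["markers"]["WEBC2-YAHOO"])
        out["yahoo"] = {"key": key, "url": text}
    return out


if __name__ == "__main__":
    print(hunt())
    print(looks_like_kt3(b"*!Kt3+v|..."), looks_like_kt3(b"GET / HTTP/1.1"))
```

Run it as a script to see the recovered tasking. In a real hunt the page body would come from a proxy log or sandbox capture rather than SAMPLE_PAGE, and a hit on any one marker is a triage lead rather than proof of WEBC2, since strings such as 'bgcolor' or 'div safe' can occur in benign content; the sample hashes listed above remain the authoritative indicators.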