{
	"id": "9a615d76-1ac1-49e4-9c2e-4003dabc1cb9",
	"created_at": "2026-04-06T00:17:37.803627Z",
	"updated_at": "2026-04-10T03:37:00.264323Z",
	"deleted_at": null,
	"sha1_hash": "1ad2e0d008a92f42a96ed089ae091ac971f52ba6",
	"title": "奇安信威胁情报中心",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1664923,
	"plain_text": "QiAnXin Threat Intelligence Center\r\nArchived: 2026-04-02 11:29:04 UTC\r\nOverview\r\nFor a long time, security vendors have had limited coverage in researching espionage incidents related to Linux systems. Many disclosed APT attacks focused on office machines (i.e. Windows platforms), resulting in data theft primarily involving non-sensitive internal documents. We believe that this type of espionage attack garners more attention than the actual harm it poses warrants. However, in the field of scientific research, Linux servers often host critical data, making their security of utmost importance. Therefore, strengthening security research and event monitoring for Linux systems is a crucial task in safeguarding the high-quality development of national science and technology.\r\nSince the initiation of “UTG” (Unknown Threat Group) numbering, QiAnXin Threat Intelligence Center has closely monitored attacks targeting server environments within government and enterprise sectors, and has discovered several threat actors such as UTG-Q-008 and UTG-Q-009, which have caused significant harm to government and enterprise entities. Among them, UTG-Q-008 is the only threat group exclusively targeting Linux platforms for its malicious activities. After a year-long intensive tracking effort, we have finally confirmed evidence of UTG-Q-008 utilizing the resources of a massive botnet for espionage activities against the domestic research and education sector. Up to 70% of the infrastructure consists of springboard servers, with a different batch of springboard servers being used for each new activity. The domain names controlled by the attackers have been active for at least a decade, displaying an adversarial strength far surpassing mainstream APT groups, which has deeply impressed upon us the notion that huge network resources are the best weapons. 
The attack flowchart is shown below:\r\nTarget\r\nhttps://ti.qianxin.com/blog/articles/Operation-Veles-Decade-Long-Espionage-Targeting-the-Global-Research-and-Education-Sector-EN/\r\nPage 1 of 17\n\nUTG-Q-008 has multiple attack lists for its domestic activities, and we have obtained one of them, which includes over five thousand domestic network segments:\r\nAfter deduplication, it contains over 17 million target IP addresses within China. Detailed comparisons have confirmed that the majority of these target IPs belong to CER (China Education and Research) network assets, displaying a high level of specificity. In addition to this, UTG-Q-008 has shown a strong interest in top-tier biological genetics and RNA immunotherapy research projects in both China and the United States. Threat groups with such interests in this field are rare, and similar attack activities are found in Operation HideBear [1].\r\nBotnet\r\nFrom the defender's perspective, attackers have virtually unlimited network resources. Each time a large-scale operation is launched, the domain names for payload requests and the IP addresses for shell bouncing on victim Linux servers are brand-new springboard servers. The attack activities typically occur between 0 and 4 a.m., and each shell lasts only 2-3 minutes. The short lifetime of these shells renders traditional IOC (indicators of compromise) intelligence ineffective in defending against them.\r\nScanning and Brute-forcing\r\nCurrently, many organizations no longer use the default SSH port on their Linux servers located at the network perimeter. Therefore, UTG-Q-008's first step is to utilize the massive network resources of the botnet to perform distributed SYN scans to identify open ports on the target networks. 
We calculated the SYN scan frequency for individual IP addresses, averaging 25-35 scans per second. Similarly, in the subsequent distributed brute-forcing activities, the number of brute-force attempts per second from a single IP does not exceed ten. Under this adversarial strategy, UTG-Q-008 has managed to keep a small brute-forcing footprint. Within a month, they successfully brute-forced the root passwords of nine servers, including six research servers and three perimeter devices (mainly firewalls, routers, and out-of-band management interfaces for hosts).\r\nIn our long-term engagement in tracking targeted attacks, this is the first time we have observed the direct involvement of a botnet in espionage. The scale and quality of the affected entities have exceeded our expectations. In previous APT cases, achieving such \"impressive results\" in the Linux server domain would not have been possible without a few 0-days.\r\nDistribution of Botnet Resources\r\nWe conducted a simple analysis of the quantity and geographical distribution of the source IP addresses used for SSH logins. The largest number of controlled nodes is in China, followed by the United States.\r\nThere is no significant uniform characteristic among the hundreds of controlled nodes. Only a few dozen nodes host web servers with Zabbix PowerMTA monitoring. During the rollback process in QiAnXin's botnet monitoring system, we discovered three nodes associated with the Perlbot botnet, three nodes associated with Outlaw, and one node linked to the Mirai botnet. The Nanobot released by the attackers during lateral movement is very similar to Perlbot. Since Perlbot itself is a simple script Trojan that anyone can use, we can only confirm that the botnet resources targeting domestic entities can be accessed by UTG-Q-008. 
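The per-source rates described under Scanning and Brute-forcing above are the detection problem in a nutshell: a threshold on failures per source IP never fires when hundreds of nodes each stay under it. The following Python example is added here and is not part of the original report or of any QiAnXin tooling. It builds a constructed sshd auth.log sample (40 TEST-NET sources, each trying root once every 30 seconds, far below the rates the report measured) and runs two rules over it: a classic per-source rule, which stays silent, and a per-account rule that counts distinct sources inside a window, which catches the spray. The hostname, addresses, thresholds and window sizes are illustrative choices.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_YEAR = 2024  # syslog lines carry no year; the constructed sample uses this one


def make_sample_log(sources=40, rounds=6, interval_s=30, start='2024-03-12 02:00:00'):
    # Constructed sshd auth.log lines, not real telemetry: `sources` distinct
    # TEST-NET addresses each fail once per `interval_s` seconds against root,
    # so no single source ever comes near a per-IP threshold.
    t0 = datetime.strptime(start, '%Y-%m-%d %H:%M:%S')
    lines = []
    pid = 4000
    for r in range(rounds):
        for i in range(sources):
            ts = t0 + timedelta(seconds=r * interval_s + i)
            stamp = ts.strftime('%b %d %H:%M:%S')
            src = f'203.0.113.{i + 1}' if i < 30 else f'198.51.100.{i - 29}'
            pid += 1
            lines.append(f'{stamp} edge sshd[{pid}]: Failed password for root '
                         f'from {src} port {40000 + pid} ssh2')
    # One benign operator typo from an internal address, for contrast.
    stamp = t0.strftime('%b %d %H:%M:%S')
    lines.append(f'{stamp} edge sshd[9999]: Failed password for alice '
                 'from 10.0.0.7 port 50000 ssh2')
    return lines


def parse_failed_login(line):
    # Returns (timestamp, account, source_ip) for an sshd failure line, else None.
    if 'Failed password for' not in line:
        return None
    parts = line.split()
    stamp = datetime.strptime(' '.join(parts[:3]), '%b %d %H:%M:%S')
    stamp = stamp.replace(year=LOG_YEAR)
    i = parts.index('for') + 1
    if parts[i] == 'invalid':  # 'Failed password for invalid user NAME from ...'
        i += 2
    return stamp, parts[i], parts[parts.index('from') + 1]


def per_source_alerts(events, threshold=10, window=timedelta(minutes=1)):
    # Classic rule: one source exceeding `threshold` failures inside `window`.
    alerts = set()
    recent = defaultdict(deque)
    for ts, _account, src in sorted(events):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            alerts.add(src)
    return alerts


def distributed_alerts(events, min_sources=20, window=timedelta(minutes=5)):
    # Aggregate by targeted account instead of by source: many distinct sources
    # failing against one account inside `window` is the botnet signature,
    # whatever each source's individual rate.
    alerts = {}
    recent = defaultdict(deque)
    for ts, account, src in sorted(events):
        q = recent[account]
        q.append((ts, src))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {s for _t, s in q}
        if len(distinct) >= min_sources:
            alerts[account] = max(len(distinct), alerts.get(account, 0))
    return alerts


def run(lines):
    # Parses the lines and returns (per-source alerts, distributed alerts).
    events = [e for e in map(parse_failed_login, lines) if e]
    return per_source_alerts(events), distributed_alerts(events)


if __name__ == '__main__':
    per_source, distributed = run(make_sample_log())
    print('per-source rule fired on:', sorted(per_source) or 'nothing')
    print('distributed rule fired on:', distributed)
```

On the sample, the per-source rule returns an empty set while the per-account rule reports 40 distinct sources against root within the window. The same aggregation works for any target-side key (destination host, account, or the pair), which is the practical answer to a spray that rotates sources and never trips an IOC list.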
We cannot attribute the Mirai node cluster to a specific entity, since overlap between nodes of two different botnets is considered normal.\r\nThe involvement of botnets in espionage activities is not uncommon. The key lies in the extent of their participation. For example, in 2024, the Moobot botnet provided network proxies to APT28 for spear-phishing email delivery [2]. In 2019, Lazarus utilized the TrickBot botnet to distribute exclusive malware for attack activities [3]. However, based on our year-long tracking of UTG-Q-008, we believe that the botnet behind this threat group is directly involved in espionage activities, because it is deeply engaged in every aspect from target reconnaissance, brute-forcing, vulnerability exploitation and Trojan component delivery to C\u0026C infrastructure. Now, how does it perform on the Windows platform?\r\nConnection Between UTG-Q-006 and UTG-Q-008\r\nUTG-Q-006 is a threat group that primarily targets Windows devices exposed on the public Internet. It also relies on a large botnet. Although we do not have the target list for UTG-Q-006, the attackers managed to brute-force the RDP (Remote Desktop Protocol) ports of critical entities within half a month; the cracked passwords were eight-character, non-weak passwords. During lateral movement, UTG-Q-006 demonstrated sophisticated LOLBin techniques, roaming within the internal network using legitimate tools such as AnyDesk, Chisel, and Advanced Port Scanner, ultimately infiltrating the MES (Manufacturing Execution System) server. This activity has potential implications for industrial production processes.\r\nWe compared the brute-forcing nodes of UTG-Q-006 with those of UTG-Q-008 and discovered several overlapping nodes. 
Furthermore, it is noteworthy that several hundred brute-forcing nodes controlled by UTG-Q-006 also exhibited activity related to dozens of Outlaw botnet nodes within the botnet monitoring system.\r\nDue to the complexity of botnets, we can only confirm the overlap between UTG-Q-008, UTG-Q-006, and the Outlaw network. We cannot determine whether they have an employer-employee relationship or a hierarchical relationship. The overlap of nodes from different attack groups is as follows:\r\nDuring our monitoring period of over a year, these botnet nodes targeting domestic entities never initiated any DDoS activity, which is highly unusual for traditional botnets.\r\nWeapon Components\r\nUTG-Q-008's weapons are usually packaged in tar format and stored on the springboard servers. This infrastructure does not overlap with the aforementioned botnet nodes. The services running on the compromised servers are mostly disorganized, with only the WordPress framework being identifiable. Additionally, most of the springboard servers have domain names, including a legitimate domain name in China that has been active for 14 years. Therefore, the attackers typically operate using the domains of springboard servers. The distribution of springboard servers by country is as follows:\r\nNanobot\r\nOnce the attackers gain control of a server, they typically download the Nanobot component from the springboard server using wget or curl. The startup process is as follows:\r\nThe attacker refers to the executed Run64 in the comments as Nanobot. 
After analyzing the ELF executable, we determined that it is a packaged Python program whose core logic is very similar to the open-source Perlbot.\r\nFrom the continuous network traffic, we can confirm that once Nanobot establishes a C2 (Command and Control) connection, the attacker chooses to initiate new reverse shells or SSH reverse tunnels to download subsequent plugins. These temporary shells connecting to the springboard server C2 do not overlap with the aforementioned botnet nodes or the springboard servers storing weapons. Furthermore, the shells only persist for 2-3 minutes, making it difficult to capture and analyze them. The springboard server IP types for the reverse shells include Ubiquiti routers, unknown smart home devices, exchange servers, etc.\r\nInternal Network Detection Component\r\nUTG-Q-008 possesses multiple types of internal network scanners, typically used to scan designated ports on machines within the B segment (/16) of the internal network.\r\nOnce the attacker has gathered the network segments within the internal network, they deploy the lateral movement components.\r\nLateral Movement Component\r\nThe process of deploying the lateral movement component is as follows:\r\nThe overall process consists of two stages. In the first stage, based on the results generated by the B-segment scanner, the attackers grab the SSH port banner of the target Linux servers. They compare the results in “banner.log” with the built-in “exclude.lst” file in the toolkit to exclude those Linux servers with specific SSH banners from the next steps. 
The attacker's brute-forcing program may be optimized for certain SSH versions.\r\nThe main function of the second stage is to use the “pfile” program to read the /etc/passwd file of the Linux servers, retrieve usernames, and generate additional password dictionaries by appending weak passwords to the usernames, for example \"root+1234\". The newly generated password dictionary is added to the built-in “pass” file in the toolkit.\r\nThe original “pass” file is a password dictionary specifically designed by UTG-Q-008 for targets in China, containing over 4,000 account-password combinations, the majority of them based on Chinese Pinyin. After a detailed analysis, we believe these account-password combinations are not randomly generated but were accumulated by the attacker over many years of attack activities in China. It is conservatively estimated that thousands of servers in China have been compromised in UTG-Q-008's historical activities. The “parse” program is then started to brute-force the internal network servers. First, an HTTP request is made to read data from the built-in springboard server URL to validate the parameters passed in the “lan” script. The brute-forcing process only proceeds after successful network validation.\r\nThe attacker may find the six ELF executables written in Golang in the toolkit too cumbersome, so they released a lightweight Python script during lateral movement on other machines. 
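To make the two-stage logic concrete, the following Python example reconstructs the described flow (banner exclusion, then username-derived candidates merged into a base dictionary) and adds a defender-side check that rejects exactly the passwords this stage would guess, which is the check worth wiring into a password policy on research servers. It is an added example, not the toolkit's own code: the banner.log, exclude.lst and /etc/passwd contents, the base dictionary entries and the list of weak suffixes are all constructed, since the report only cites the root+1234 pattern and does not publish the files.

```python
# Assumed weak suffixes; the report cites only the '1234' pattern (root+1234).
WEAK_SUFFIXES = ['', '123', '1234', '123456', '2024', '@123']

# Constructed inputs standing in for banner.log, exclude.lst, /etc/passwd and
# a few Pinyin-style entries of the base pass file. None of these are the
# toolkit's real contents.
BANNER_LOG = '''10.10.1.5 SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
10.10.1.6 SSH-2.0-OpenSSH_7.4
10.10.1.7 SSH-2.0-dropbear_2019.78
10.10.1.8 SSH-2.0-OpenSSH_9.6
'''
EXCLUDE_LST = '''SSH-2.0-dropbear
SSH-2.0-OpenSSH_9
'''
PASSWD = '''root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
hpcadmin:x:1000:1000:HPC admin:/home/hpcadmin:/bin/bash
zhangwei:x:1001:1001::/home/zhangwei:/bin/zsh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
'''
BASE_PASS = ['root:root1234', 'root:admin123', 'admin:zhangsan123']


def select_targets(banner_log, exclude_lst):
    # Stage one: drop hosts whose SSH banner contains any exclude.lst entry.
    excluded = [e.strip() for e in exclude_lst.splitlines() if e.strip()]
    targets = []
    for line in banner_log.splitlines():
        host, _, banner = line.partition(' ')
        if host and not any(ex in banner for ex in excluded):
            targets.append(host)
    return targets


def usernames_from_passwd(passwd_text, interactive_only=False):
    # Stage two, the pfile role: pull account names out of /etc/passwd. The
    # interactive_only filter (skip nologin/false shells) is an added refinement.
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(':')
        if len(fields) < 7 or line.startswith('#'):
            continue
        if interactive_only and fields[6].endswith(('nologin', 'false')):
            continue
        users.append(fields[0])
    return users


def derived_combos(users, suffixes=WEAK_SUFFIXES):
    # account:password pairs of the form user + weak suffix, e.g. root:root1234.
    return [f'{u}:{u}{s}' for u in users for s in suffixes]


def merge_dictionary(base_combos, generated):
    # Append generated pairs to the base pass file, keeping order, dropping duplicates.
    seen = set()
    merged = []
    for combo in list(base_combos) + list(generated):
        if combo not in seen:
            seen.add(combo)
            merged.append(combo)
    return merged


def is_username_derived(user, password, suffixes=WEAK_SUFFIXES):
    # Defender-side policy check: true for exactly the guesses this stage makes.
    return any(password == f'{user}{s}' for s in suffixes)


def reconstruct_flow(banner_log=BANNER_LOG, exclude_lst=EXCLUDE_LST,
                     passwd_text=PASSWD, base=BASE_PASS):
    # Returns (hosts left after banner exclusion, merged candidate dictionary).
    targets = select_targets(banner_log, exclude_lst)
    users = usernames_from_passwd(passwd_text)
    return targets, merge_dictionary(base, derived_combos(users))


if __name__ == '__main__':
    targets, dictionary = reconstruct_flow()
    print('hosts left after banner exclusion:', targets)
    print(len(dictionary), 'candidate pairs, e.g.', dictionary[:5])
    print('zhangwei123 rejected:', is_username_derived('zhangwei', 'zhangwei123'))
```

The point of the reconstruction is how little the second stage needs: read access to /etc/passwd on one compromised host yields every account name on similarly provisioned neighbours, so a rejection rule for username-plus-suffix passwords (the is_username_derived check, or the equivalent pam_pwquality usercheck setting) removes most of what this component can hit.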
This script abandons the SSH banner grabbing process and retains only the logic of the second stage.\r\nDue to the years of effort that UTG-Q-008 has put into China, this component has achieved remarkable results in lateral movement within Linux server networks.\r\nFRP Component\r\nWhen the attacker wants to access machines within the internal network, they generally start the FRP reverse proxy on the boundary server. The execution process is as follows:\r\nFRP also serves another purpose: when the lateral movement component within the internal network has limited effectiveness, FRP can be used to leverage the computing power of external botnets to brute-force critical machines within the internal network.\r\nEspionage Plugin\r\nAfter infiltrating the internal network to a certain extent, the attacker will choose to install an espionage plugin on important servers. When the ELF is executed, it runs an embedded bash script. The bash file contains numerous regular expressions used to collect sensitive information stored on Linux servers. The functionality of these regular expressions can be divided into several parts, each with around ten matching rules. We will introduce some selected rules.\r\n1. Parsing various history and hidden files on Linux to identify commands that may contain sensitive information, such as SSH and FTP commands.\r\n2. Searching for VNC credentials and downloading decryption plugins to decrypt them.\r\n3. Extracting credentials from sshpass, GitHub, and other types of credential files.\r\n4. 
Searching for multiple files that meet certain criteria and using corresponding regular expressions to extract sensitive information from them, for example searching for .gitconfig files in specific directories to extract email information.\r\n5. Analyzing system logs and code, such as searching for plaintext account-password combinations in files under the /usr/include/ directory.\r\nDuring the analysis, it was discovered that UTG-Q-008 has implemented independent filtering conditions for files under the \"postech\" directory with a size of less than 15k. Through further investigation, \"postech\" seems to refer to a research-oriented university in South Korea. It is unclear why this rule is present among activities targeting China's research system. It could be that the attackers forgot to remove it, or they wanted to obtain information on cooperative projects between \"postech\" and domestic entities.\r\nIn summary, this sophisticated espionage script brings significant benefits to the attackers. After obtaining git credentials, they directly pull source code from the internal code server and package it together with scientific research data from the server, transmitting it to the springboard server.\r\nxmrig\r\nNo attacker can resist installing a mining component on a Linux server equipped with five RTX 4090 or eight RTX 3090 graphics cards. Although our research team is not filled with geopolitical nationalists, this behavior makes us wonder whether the attackers intend to hinder the development of science and technology in our country. In practice, the presence of the xmrig component effectively conceals the true purpose of UTG-Q-008. 
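Returning to the espionage plugin described above: the most useful thing a defender can do with that rule list is to run the same classes of checks over their own hosts before the attacker does. The following Python example is added here and is not the plugin's bash script or any QiAnXin code; it re-expresses rule classes 1, 3, 4 and 5 (credentials on command lines in shell history, credential files such as .git-credentials, email addresses in .gitconfig, and plaintext password assignments in source files) as an audit over constructed in-memory file contents. The paths, file contents and the exact patterns are assumptions, and the VNC decryption step (class 2) is omitted.

```python
import re

QUOTES = chr(34) + chr(39)  # the double and single quote characters, for stripping values

# Each rule: (category, compiled pattern, capture group holding the sensitive value).
COMMAND_RULES = [
    ('sshpass', re.compile(r'sshpass[ ]+-p[ ]+([^ ]+)'), 1),
    ('cli-password-flag', re.compile(r'--password[= ]([^ ]+)'), 1),
    ('curl-basic-auth', re.compile(r'curl .*-u[ ]+[^ :]+:([^ ]+)'), 1),
]
URL_CRED_RULE = ('url-embedded-credential',
                 re.compile(r'(ftp|ftps|sftp|http|https|mysql|postgres)://[^ :/@]+:([^ @]+)@'), 2)
GITCONFIG_EMAIL = ('git-email', re.compile(r'email[ ]*=[ ]*([^ ]+)'), 1)
PLAINTEXT_PAIR = ('plaintext-password-assignment',
                  re.compile(r'(?i)(password|passwd|pwd)[ ]*[:=]?[ ]*([^ ;,]+)'), 2)

RULES_BY_CLASS = {
    'history': COMMAND_RULES + [URL_CRED_RULE],
    'gitconfig': [GITCONFIG_EMAIL],
    'credfile': [URL_CRED_RULE],
    'source': [PLAINTEXT_PAIR, URL_CRED_RULE],
}

# Constructed file contents standing in for a home directory and /usr/include.
FILES = {
    '/home/alice/.bash_history': '''ls -la
sshpass -p Hunter2! ssh alice@10.10.2.20
lftp ftp://deploy:ftpS3cret@10.10.2.30
mysql -u root --password=dbRoot2024 labdb
curl -u svc:Sv!cPass https://api.example.edu/v1/jobs
''',
    '/home/alice/.gitconfig': '''[user]
    name = Alice
    email = alice@example.edu
''',
    '/home/alice/.git-credentials': '''https://alice:ghp_exampletoken@github.com
''',
    '/usr/include/labconfig.h': '''#define DB_USER 'lab'
#define DB_PASSWORD 'lab2024!'
''',
}


def classify(path):
    # Chooses the rule set by file name, mirroring the per-file-type rule groups.
    name = path.rsplit('/', 1)[-1]
    if name.endswith('_history'):
        return 'history'
    if name == '.gitconfig':
        return 'gitconfig'
    if name == '.git-credentials':
        return 'credfile'
    return 'source'


def redact(secret):
    # Show only a two-character prefix so the audit report is not itself a credential dump.
    return secret[:2] + '*' * max(len(secret) - 2, 3)


def audit(files):
    # Returns (path, line number, category, shown value) for every match.
    findings = []
    for path, content in files.items():
        for category, rx, group in RULES_BY_CLASS[classify(path)]:
            for lineno, line in enumerate(content.splitlines(), 1):
                m = rx.search(line)
                if not m:
                    continue
                value = m.group(group).strip(QUOTES)
                shown = value if category == 'git-email' else redact(value)
                findings.append((path, lineno, category, shown))
    return findings


def summary(findings):
    # Count of findings per category, the figure to track over time per host.
    counts = {}
    for _path, _lineno, category, _value in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == '__main__':
    for finding in audit(FILES):
        print(finding)
    print(summary(audit(FILES)))
```

Running this against real home directories (read the files from disk instead of the FILES dict) gives the same inventory the plugin would exfiltrate; every hit is a credential to rotate and a habit to fix (sshpass on the command line, tokens in .git-credentials, passwords in headers), and the history-file class alone explains how a single compromised research node gives the attacker its neighbours.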
After all, the various components mentioned above typically remain on the compromised machines for at most five minutes during the actual attack, while the xmrig component keeps running until we arrive to collect digital forensic evidence.\r\nScope of Impact\r\nBased on QiAnXin's telemetry data, the number of affected IP addresses (specifically identifiable units) in the past three years has reached over 1,500. The highest proportion belongs to the Education Network (CER), aligning with the content of the UTG-Q-008 attack list.\r\nWe have also monitored some overseas affected IP addresses. However, due to the lack of sufficient localization methods, we can only identify important overseas units through reverse IP lookup:\r\nOverseas affected industries include educational contractors, universities, United Nations organizations, research institutes, information technology companies and so on.\r\nAttribution\r\nUTG-Q-008 follows standard working hours. In the UTC+8 time zone, the attackers generally work from 14:00 to 19:00. However, overtime frequently occurs late at night, predominantly between 22:00 and 04:00 the next morning. It is speculated that the attackers are located in Eastern Europe. 
We are more inclined to believe that the botnet is of an outsourced or cooperative nature, while the actual \"client\" with a demand for scientific research data and source code remains hidden in the shadows.\r\nDuring the expansion of the infrastructure, we discovered on a third-party platform that payloads from the Nishang framework had connected to some of the same springboard IPs.\r\nReviewing the internal reports of the past three years, we found that the usage of this framework in espionage activities targeting domestic entities is very rare. Only APT-Q-78 employed the Nishang framework in 0-day attacks targeting China's scientific research field during the period 2022-2023. This dual coincidence of target industry and weapon is intriguing, but it is not sufficient to be considered a highly reliable attribution.\r\nSummary\r\nCurrently, all products based on QiAnXin Threat Intelligence Center's threat intelligence data, including QiAnXin Threat Intelligence Platform (TIP), TianQing, TianYan Advanced Threat Detection System, QiAnXin NGSOC, and QiAnXin Situation Awareness, fully support accurate detection of such attacks.\r\nIOC\r\nFor commercial reports and victims related to UTG-Q-008, please contact QiAnXin Threat Intelligence Center (ti.qianxin.com).\r\nReference 
link\r\n[1]. https://ti.qianxin.com/blog/articles/The-Nightmare-of-EDR-Storm-0978-Utilizing-New-Kernel-Injection-Technique-Step-Bear-CN\r\n[2]. https://www.bleepingcomputer.com/news/security/fbi-disrupts-russian-moobot-botnet-infecting-ubiquiti-routers/\r\n[3]. https://www.sentinelone.com/press/sentinellabs-identifies-hidden-link-between-trickbot-anchor-purported-north-korea-lazarus-tool-deployment/\r\nSource: https://ti.qianxin.com/blog/articles/Operation-Veles-Decade-Long-Espionage-Targeting-the-Global-Research-and-Education-Sector-EN/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://ti.qianxin.com/blog/articles/Operation-Veles-Decade-Long-Espionage-Targeting-the-Global-Research-and-Education-Sector-EN/"
	],
	"report_names": [
		"Operation-Veles-Decade-Long-Espionage-Targeting-the-Global-Research-and-Education-Sector-EN"
	],
	"threat_actors": [
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9a881562-c4cd-4f9f-96eb-77b92c09050c",
			"created_at": "2024-06-19T02:00:04.367352Z",
			"updated_at": "2026-04-10T02:00:03.649859Z",
			"deleted_at": null,
			"main_name": "UTG-Q-008",
			"aliases": [],
			"source_name": "MISPGALAXY:UTG-Q-008",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434657,
	"ts_updated_at": 1775792220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1ad2e0d008a92f42a96ed089ae091ac971f52ba6.pdf",
		"text": "https://archive.orkl.eu/1ad2e0d008a92f42a96ed089ae091ac971f52ba6.txt",
		"img": "https://archive.orkl.eu/1ad2e0d008a92f42a96ed089ae091ac971f52ba6.jpg"
	}
}