{
	"id": "26314c05-a28b-4ca7-a515-b2048f2caa91",
	"created_at": "2026-04-06T00:08:31.529694Z",
	"updated_at": "2026-04-10T03:36:22.052597Z",
	"deleted_at": null,
	"sha1_hash": "1d3bddbca4e2ddebe4bf39cec1a21c9cba1cfeb9",
	"title": "Storm Cloud Unleashed: Tibetan Focus of Highly Targeted Fake Flash Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1442964,
	"plain_text": "Storm Cloud Unleashed: Tibetan Focus of Highly Targeted Fake\r\nFlash Campaign\r\nBy mindgrub\r\nPublished: 2020-03-31 · Archived: 2026-04-02 12:03:47 UTC\r\nBeginning in May 2019, Volexity started tracking a new series of strategic web compromises that have been used\r\nin highly targeted attacks against Tibetan individuals and organizations by a Chinese advanced persistent threat\r\n(APT) actor it tracks as Storm Cloud. While this threat activity appears to have started in mid-2019, Storm Cloud\r\nhas been observed targeting Tibetan organizations since at least 2018. The attacks were launched at a very limited\r\nsubset of visitors to over two dozen different Tibetan websites that Storm Cloud had managed to compromise.\r\nKaspersky has noted they uncovered similar targeted attacks dating back to mid-2019.\r\nUnlike strategic web compromises of the past, this attack activity did not rely on or use exploits. Instead, the\r\nattackers relied on enticing targeted users to install an “update to Adobe Flash” by way of a JavaScript overlay on\r\ntop of the legitimate compromised websites. While there is no relation between the activities and those of\r\nOceanLotus, this type of attack is similar to how OceanLotus was observed launching targeted attacks.\r\nDelivery Overview\r\nhttps://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/\r\nPage 1 of 13\n\nFor the attack to begin, an unsuspecting user must first visit one of the compromised sites that has been put into\r\noperation by Storm Cloud. These attacks involve adding a new piece of JavaScript to the infected sites with an\r\ninnocuous looking name, for example “jquery-min.js”. The filename used varied between different compromised\r\nsites.\r\nThis sample of code is obfuscated using a library called “sojson.v4” which is also used by legitimate developers to\r\nprotect their intellectual property; you can find the obfuscator here. 
This initial obfuscated code is recognizable\r\ndue to its opening text:\r\nFigure 1. An example of the initial JavaScript loaded on compromised pages.\r\nThe purpose of this first script in the chain is to determine whether the user in question should receive the second piece of\r\nJavaScript. The internal IP address is retrieved based on the well-documented WebRTC trick, while the external IP\r\naddress is retrieved using api.ipify.org. This information is then sent to an attacker-owned server used solely for\r\nthis purpose, which will respond with success or failure. A helper script to de-obfuscate these scripts is provided in\r\nAppendix B.\r\nSuccess is denoted by a response of “t” from the server. If this response is given, then a secondary piece of\r\nJavaScript is loaded. The logic described above is shown in Figure 2.\r\nFigure 2. A beautified version of the initial script shows the logic that decides whether to load the next JavaScript\r\nfile.\r\nConvincing Users to Install the Payload\r\nThe next sample of JavaScript uses sojson.v5, this time using the v5 encryption mechanism, identifiable by\r\nappearance as shown in Figure 3.\r\nFigure 3. The secondary JavaScript which delivers the payload is encrypted with sojson.v5.\r\nSojson.v5 RC4-encrypts strings using a unique key for each string. These strings can be decoded on a per-script\r\nbasis in a programmatic way to understand the overall workflow of the code. Since this campaign does not use\r\nany exploits, the purpose of the second-stage code is to convince users to install the malware by altering the web\r\npage to show a popup or otherwise manipulating the visited page to alert the user to update Adobe Flash Player. 
In\r\norder to create these popups, Storm Cloud installed SweetAlerts on each of the web servers they compromised.\r\nSince the first time Volexity observed this chain in May 2019, the code that creates this download dialogue has\r\nevolved from iteration to iteration. In the earliest versions, the attackers had a fairly basic way of displaying and\r\nshowing the message. Over time, this code evolved to support multiple browsers, including mobile devices, with\r\ncustomized messages according to the browser used. Despite the support of mobile devices in the code, Volexity\r\nhas only identified delivery of Windows payloads for this particular aspect of the campaign. A comparison of\r\nearlier and later versions of the splash screens presented is given in Figure 4.\r\nFigure 4. Examples of splash screens presented to users visiting compromised sites in order to convince them to\r\ndownload and install malware.\r\nFor most of the campaign, the attackers used GitHub to host the malicious Flash installer. Specifically, Volexity\r\nhas observed the following repositories used to host binaries:\r\ngithub.com/AdobeFlash32/ (this repository has since been removed from GitHub)\r\ngithub.com/AlexanderHilton/\r\nIt’s unclear what the rationale for using GitHub was; however, for a user who isn’t familiar with GitHub, a quick\r\nsearch for “GitHub” may help convince them that the download is authentic. 
After the main GitHub account was\r\nin use, the attackers switched to hosting their payloads on various Dynamic DNS hosts from changeip.com\r\n(these are given in Appendix A).\r\nIn addition to hosting payloads for this campaign, the AlexanderHilton repository also contains a certificate\r\nrelated to Indian telecommunications company BSNL; Volexity does not have any further insight as to the use or\r\norigin of this certificate.\r\nPayloads\r\nOver time, Volexity was able to observe a wide variety of payloads distributed using the mechanism described\r\nabove, with the attackers frequently changing the malware they used.\r\nBelow are some of the payloads seen from the live campaigns, and the frequency with which they have been\r\nobserved:\r\nSIMPLE DOWNLOADERS\r\n# Samples: 7\r\nFirst Seen: 2019-05-05\r\nLast Seen: 2020-01-20\r\nExample Hash: b658a0b0b5cce77ce073d857498a474044657daec50c3c246f661f3790a28b13\r\nOn a number of occasions, the attackers employed simple downloaders compiled as NSIS scripts, written in\r\nGoLang or compiled with Py2Exe. The sole objective of these downloaders is to download and execute a further\r\npayload from a remote C2. As such, they are not worth describing in detail. In some cases, the payload\r\ndownloaded was GOSLU, which is described later.\r\nPLUGDAT\r\n# Samples: 1\r\nFirst Seen: 2019-06-19\r\nLast Seen: 2019-06-19\r\nExample Hash: ec377ad3defd360c7c7f9c4f4d94188739bdb8ad82b2ea7d94725c68dc2838d9\r\nThis is a plugin-based backdoor written in C++.\r\nThe malware performs an initial check to see if the machine is already infected (based on the mutex\r\n‘Fourhdsjfhakj’). 
The malware also performs initial checks to determine if the infected system is a client, a\r\nWindows server that is not a domain controller, or a Windows server that is a domain controller. In addition to the\r\nsystem type, the system’s hostname and exact Windows version, including the build number, are also collected.\r\nIt connects to a pre-configured C2 to download a plugin which it expects to return an encoded PE file which is\r\ndecoded by the malware. The decoded PE file should be a DLL file with exports matching the following names:\r\nregistPlugin\r\nRecvData\r\nGetPluginID\r\nVersion\r\nAssuming this is the case, the malware will then call the “registPlugin” export on the downloaded PE file. The\r\ndownloaded file will never be saved to disk and may exist only in memory (assuming the plugin itself does not\r\nsave itself to disk).\r\nVolexity has not been able to recover any plugins at present.\r\nSTITCH\r\n# Samples: 7\r\nFirst Seen: 2019-06-24\r\nLast Seen: 2019-11-06\r\nExample Hash: 2e8a34aa4e887ba413735d3ece7863921eaabdc5a494ff6354fb551f26dc561b\r\nStitch is a Python-based malware which is available on GitHub. The attackers likely use this as a “throwaway”\r\nbackdoor which they replace with something custom after identifying a victim of interest. Despite its availability\r\non GitHub, this malware is not frequently used in the wild, and most of the samples available on VirusTotal appear\r\nto relate to this campaign based on infrastructure analysis.\r\nGOSLU\r\n# Samples: 2\r\nFirst Seen: 2020-01-19\r\nLast Seen: 2020-01-19\r\nExample Hash: 6501f16cfda78112c02fd6cc467b65adc0ef1415977e9a90c3ae3ab34f30cc29\r\nGOSLU is a malware family written in GoLang which uses Google Drive for command and control, and it\r\nsupports a number of commands. 
Volexity has observed versions for both Windows and Linux, but only Windows\r\nversions were observed as being dropped by the web compromises. The Linux variant has been observed in\r\nconjunction with implants dropped on servers by Storm Cloud post-compromise.\r\nThe backdoor starts with an initialization routine that gets the OS version info (“ver” on Windows, “uname -a” on\r\nLinux) and the MAC address. The MAC address is base64-encoded and then the MD5 hash is taken of that value.\r\nThis MD5 is used as the base name of a series of files the backdoor uses. The files are written to the appropriate\r\ntemporary directory on the system (typically /tmp or C:\\WINDOWS\\Temp). The three files created are:\r\n\u003chash\u003e-lk.txt — host info\r\n\u003chash\u003e-cs.txt — commands\r\n\u003chash\u003e-rf.txt — results\r\nThe content within these files is the base64-encoded output of 3DES-ECB-encrypted data using a key stored in the backdoor.\r\nThe encrypted data in the host info file is the hostname, IP address, MAC address, OS version info, and a\r\ntimestamp of the last time this was updated. The core of the C2 used by GOSLU is wrapped around Google Drive\r\nusing the Go Google Drive library at https://github.com/gdrive-org/gdrive. Some information the backdoor needs\r\nto authenticate to GDrive is hard-coded in the file, including the refresh-token, client_id, and client_secret.\r\nAfter initialization, GOSLU enters a loop. At a high level, during every pass, this loop does the following:\r\nUpload its info (lk.txt) file (main_upload_info) as a form of C2 check-in\r\nCheck for a command (main_command_check) by searching for a cs.txt file\r\nUpload the results of any commands (main_upload_result) in an rf.txt file\r\nSleep\r\nIn main_upload_info, the data in the lk.txt file is updated and uploaded to GDrive.
\r\nThen, main_command_check will look for a cs.txt file and download it. When checking for files on GDrive, it will\r\nexecute a GDrive API query like “name contains ‘\u003chash\u003e.cs.txt’”.\r\nIn main_upload_result, it will first read in the cs.txt file, then look for what command was given. Some\r\ncommands observed include:\r\nget – download a file from GDrive\r\nput – upload a file to GDrive\r\ngettime/settime – get or set the main loop sleep interval\r\ncd – change directory\r\ngdos – execute a GDrive command; there is a main_gdrive_handle function that corresponds to the GDrive\r\ncommands available at https://github.com/gdrive-org/gdrive/blob/master/gdrive.go\r\ndos – execute a system command\r\ndosnw – execute a system command without waiting\r\ndownexec – download a file and execute it\r\nAs an example, an encrypted cs.txt file might contain the command:\r\ndos taskkill /im process.exe /f\r\nAnd the subsequent rf.txt file would decrypt to:\r\nSUCCESS: The process “process.exe” with PID 12346 has been terminated.\r\nVolexity has observed this malware in use in other incidents and currently suspects this tool is specific to Storm\r\nCloud.\r\nBRAINDAMAGE\r\n# Samples: 1\r\nFirst Seen: 2020-03-11\r\nLast Seen: 2020-03-11\r\nExample Hash: c0af38f02e845866ce14f28b894a866ba1d02b5faaef2b310eeb9b84b8b2846e\r\nBrainDamage is another Python-based malware family which is available on GitHub. It supports a wide range of\r\nfunctionality natively but, in the same vein as STITCH, is used as a throwaway backdoor.\r\nIn addition to these families, there are others which appear to be related based on infrastructure analysis. 
For\r\nbrevity, and since Volexity has not observed these as being delivered in this way, they have not been included in\r\nthis write-up.\r\nPossible Related APK Campaign\r\nWhile investigating related attack infrastructure, Volexity identified some files which indicate that some aspect of\r\nthis campaign, or at least the same attackers, has supported the delivery and installation of malware on Android\r\noperating systems.\r\nSpecifically, three files submitted to VirusTotal indicate this may be the case. The relationship between these and\r\nthe wider infrastructure is briefly shown in Figure 5:\r\nFigure 5. APKs that appear related to the delivery of Windows malware.\r\nAll three APKs appear to be variants of the paid-for Android RAT known as ‘SpyNote’:\r\nSHA256 App name\r\n657ca139a76e46b88fa86b4b4160de0abe0278342c83d11b10108cb1ba5c130d Media Player\r\nece28cae02345069e6b6c2346aaac0eeafa308b3840420f669070ef01b591ae7 –\r\na3dadf5414471cb8e0395b81889af5e660a0c151d65fa078a5bf80373aa81b8f TibTermAssistant\r\nWhile the timings do not exactly overlap with the related Windows malware using the same IP address for C2, the\r\nnature of the third application in the table (which imitates the Tibetan Dictionary app “TibTerm”) indicates that\r\nthese are likely also related to this campaign.\r\nConclusion\r\nThe Tibetan community, both within and outside of China, is under constant digital surveillance as they seek to\r\ngain an upper hand against those seeking the formation of an independent Tibet. This issue has been highlighted\r\nby CitizenLab on multiple occasions. The nature of this campaign may seem basic, but the resources to\r\ncontinuously update infrastructure, write new malware, and maintain these attacks across more than one platform\r\nshould not be understated. 
It is a glimpse into the gap in resources between those seeking to identify and prevent\r\nthese attacks, and those conducting them.\r\nAppendix A – IOCs\r\nObserved Files\r\n1261f67286c3edc49e415c9e9773e876867dd0755fce8d3637fb343e11206e0c\r\nad505cbc942a0a0b71f2bc2508250464c648b436cf2c762899e385971c955519\r\n3a1bb3e88c4dfeccb02481f656802431fc387a6952911e19e030d6ccef6c181f\r\n3288208b5c3372a2f0ef20f54fd52378177bb29a036fcf0166e64327380448c4\r\n97e0589348f6dbcf9eb59d8011aaf87fe97fa735f372abfc225d168cb296376a\r\n5652e83af9a36c985139f4b35d8162a4764bdeb00c5af573fa9e736c7fb1f90a\r\n6df5ddf7d4bd5fb57ee8588447f8565a9591bdd7a113c638d52f7e767998c747\r\n56857be1565973640f14e8c0ad0358d80081c94761b92dab21eb212d619c7737\r\n263a01c7d5cde9c14865b707e78cfd87bac18251eeef0201df04d5d8f4329798\r\n3858e141537485aefd8bb563553c725f4bb9beba64c7ee81d87ec7e2cff9eddb\r\n11e5100db6b36d1c78f535bc75544640846834d019551f52c61d71629ce8eef6\r\n00012d71558fea9429a305e8dda7d0720deeaf84ae4d432dff6441befa64033f\r\n6fba0c7c74e6f9092f5ecc78064e6a158392df32a4134ef99ec399ea4e771f4b\r\nfab653516b446cfc5bbb8c5f44dd20006d43101b4afba27a8fc655ba6d2f48b1\r\n8ddeeba82364e2629264b1d71693d8a42006e0c7d012ab5d2256ff027b2f5f75\r\na6f6091d67c3f2434e523745384fc09c5b53b3265b8c8ddf3dd1390c95152e12\r\nf7540f46f5dc5f55793c3c7130024591bbd4d8cae679f8816b17b8b655c9b796\r\n0033c7c2b7542bad0fbce198bee704f6b97010a820b5e8cb86574e8e400f7d81\r\ne026cb5d1f6472ff56648cb3e48257ef449713d6331023ae1f3b29863a4680a4\r\nb658a0b0b5cce77ce073d857498a474044657daec50c3c246f661f3790a28b13\r\n215c79344c1b7c761edd2026914dfee10cbefed6271da35c64db1699a0212493\r\nfc9c8d1b051e5db41a44f77d597c3981c88de987b85b8bb258229eeb73cc0f43\r\nc5ddd77d147246d53684d9eb5bd5b6734af12e2f790847b73b7ed716dce407b4\r\n5862862ce64b0b396384786ca7340dbf30030ec6ee8d54af6b5f1af21b492b97\r\n1f8bac00e4f611d0feec7255eeb88038460000002a0a0fe7c4ac0ee9a1b9f79c\r\n61fbeedeed65e5e86948594dc26e44cb5163f543204e39b55010e9159082cf62\r\n2e8a34aa4e887ba413735d3ece7863921eaabdc5a494ff6354fb551f26dc561b\r\n9846498c53c4f528edc173da2f70938ea93de4b8615c97ee040f36d356a15eee\r\nf15d95bb81860bccb6676c91752cc2feae3d0cc6c8f7959684c30c8b2c1d0768\r\n1d9ca05b3d4eef1034991cc4f020852f563e25b541bf5cb40db11b01c49231d1\r\nc7dae984195717c76a9b221081b9c9a20de8d20b55b68add647ee34685b93fb9\r\n88f6af2559db239dc975212dd58b4eb633db5068a5d558126675c1058ffd25dd\r\nec377ad3defd360c7c7f9c4f4d94188739bdb8ad82b2ea7d94725c68dc2838d9\r\nf0e5e95e6bdc5b2f47ba20709a97244cdebd63117bcf82c15e613b5856e8e41d\r\nNetwork IOCs\r\n199.247.3.4\r\n95.179.171.173\r\n45.32.154.111\r\n45.63.114.152\r\n207.148.117.159\r\n45.32.118.198\r\nroot20system20macosxdriver.serveusers.com\r\nairjaldinet.ml\r\nubntrooters.serveuser.com\r\nsystem0_update04driver_roots.dynamic-dns.net\r\nsys_andriod20_designer.dynamic-dns.net\r\nloginwebmailnic.dynssl.com\r\nctmail.dns-dns.com\r\nadobeflash31_install.ddns.info\r\ngetadobeflashdownloader.proxydns.com\r\nwindows-report.com\r\nbrowserservice.zzux.com\r\nAppendix B – Helper Script to decode sojson_v4 JavaScript\r\n# use this on a .js file with so_jsonv4 encoded content\r\nimport sys, re, subprocess, os\r\n# https://github.com/beautify-web/js-beautify\r\nimport jsbeautifier\r\n\r\ndef recursive_walk_directory(target_dir):\r\n    '''\r\n    input:\r\n    target_dir (str) : A path to the directory you want to walk\r\n    output:\r\n    files (list) : A list of files in that directory\r\n    '''\r\n    files = []\r\n    for d, s, file_list in os.walk(target_dir):\r\n        for f in file_list:\r\n            files.append(os.path.join(d, f))\r\n    return files\r\n\r\nif os.path.isfile(sys.argv[1]):\r\n    files = [sys.argv[1]]\r\nelse:\r\n    tmp_files = recursive_walk_directory(sys.argv[1])\r\n    files = []\r\n    for fil in tmp_files:\r\n        if fil.endswith('.js'):\r\n            files.append(fil)\r\nprint('Found {0} files with .js extensions to try and parse'.format(len(files)))\r\nfor f in files:\r\n    with open(f, 'r') as infile:\r\n        data = infile.read()\r\n    # the sojson.v4 loader call wraps the array of character codes between ](null, and ['\r\n    pattern = re.compile(r\"\\]\\(null,.*\\['\")\r\n    matches = pattern.findall(data)\r\n    if len(matches) \u003c 1:\r\n        print('File: {0} does not match delivery kit'.format(f))\r\n        continue\r\n    # only the last match is decoded; [8:-3] trims the match to the string of character codes we need to decode\r\n    match_data = matches[-1][8:-3]\r\n    # split the run of digits into individual character codes at each non-digit separator\r\n    char_code_array = []\r\n    this_element = ''\r\n    for char in match_data:\r\n        try:\r\n            int(char)\r\n            this_element += char\r\n        except ValueError:\r\n            if this_element:\r\n                char_code_array.append(this_element)\r\n            this_element = ''\r\n    out = f + '.decoded'\r\n    print('Writing output to: {0}'.format(out))\r\n    out_data = ''\r\n    print(len(char_code_array))\r\n    for cc in char_code_array:\r\n        out_data += chr(int(cc))\r\n    out_data = jsbeautifier.beautify(out_data)\r\n    with open(out, 'w') as outfile:\r\n        outfile.write(out_data)\r\nSource: https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/"
	],
	"report_names": [
		"storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "33eef76c-a6fa-4855-a77e-9a1e92fe8474",
			"created_at": "2023-11-21T02:00:07.393519Z",
			"updated_at": "2026-04-10T02:00:03.477407Z",
			"deleted_at": null,
			"main_name": "Storm Cloud",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm Cloud",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434111,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1d3bddbca4e2ddebe4bf39cec1a21c9cba1cfeb9.pdf",
		"text": "https://archive.orkl.eu/1d3bddbca4e2ddebe4bf39cec1a21c9cba1cfeb9.txt",
		"img": "https://archive.orkl.eu/1d3bddbca4e2ddebe4bf39cec1a21c9cba1cfeb9.jpg"
	}
}