{
	"id": "40ed1b7e-8fe8-43ea-8822-b7f6ca443143",
	"created_at": "2026-04-06T00:12:12.357584Z",
	"updated_at": "2026-04-10T13:12:16.50835Z",
	"deleted_at": null,
	"sha1_hash": "1d9b1a3eb8c513e274c6a63038d98e1216c92ae1",
	"title": "Chinese PlugX Malware Hidden in Your USB Devices?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 952311,
	"plain_text": "Chinese PlugX Malware Hidden in Your USB Devices?\r\nBy Mike Harbison, Jen Miller-Osborn\r\nPublished: 2023-01-26 · Archived: 2026-04-05 16:11:50 UTC\r\nExecutive Summary\r\nRecently, our Unit 42 incident response team was engaged in a Black Basta breach response that uncovered\r\nseveral tools and malware samples on the victim's machines, including GootLoader malware, Brute Ratel C4 red-teaming tool and an older PlugX malware sample. The PlugX malware stood out to us as this variant infects any\r\nattached removable USB media devices such as floppy, thumb or flash drives and any additional systems the USB\r\nis later plugged into.\r\nThis PlugX malware also hides actor files in a USB device using a novel technique that works even on the most\r\nrecent Windows operating systems (OS) at the time of writing this post. This means the malicious files can only be\r\nviewed on a Unix-like (*nix) OS or by mounting the USB device in a forensic tool.\r\nWe also discovered a similar variant of PlugX in VirusTotal that infects USB devices and copies all Adobe PDF\r\nand Microsoft Word files from the host. It places these copies in a hidden folder on the USB device that is created\r\nby the malware.\r\nPlugX is a second-stage implant used not only by multiple groups with a Chinese nexus but also by several\r\ncybercrime groups. It has been around for over a decade and has been observed in some high-profile cyberattacks,\r\nincluding the U.S. Government Office of Personnel Management (OPM) breach in 2015. It is a modular malware\r\nframework, supporting an evolving set of capabilities throughout the years.\r\nPalo Alto Networks customers receive protections against the types of threats discussed in this blog by products\r\nincluding Cortex XDR and WildFire.\r\nIntroduction\r\nIt's not uncommon for multiple malware samples to be discovered during an investigation, as occurred in this\r\nsituation with GootLoader, Brute Ratel C4 and PlugX. 
Numerous threat actors compromise targets and can coexist\r\nsimultaneously on the affected machine.\r\nBecause we can’t conclusively say whether these malware samples were left by one group or several, we can't\r\nattribute these tools to the Black Basta ransomware group. However, the version of Brute Ratel C4 used in this\r\ncase is the same one reported by Trend Micro, which also involved the Black Basta ransomware group.\r\nPlugX Malware Infection\r\nHistorically, a PlugX infection begins by hijacking a known and trusted, digitally signed software application to\r\nload an actor-created encrypted payload. This technique has been used since 2010 and is listed in the MITRE\r\nhttps://unit42.paloaltonetworks.com/plugx-variants-in-usbs/\r\nPage 1 of 12\n\nATT\u0026CK techniques as Hijack execution flow DLL-Side loading ID: T1574.002 Sub-technique T1574.\r\nIn this case, the threat actors decided to hijack a popular and free open source debugging tool for Windows called\r\nx64dbg, which is used by the malware analysis/reverse engineering community. X64dbg applications are digitally\r\nsigned by \"Open Source Developer Duncan Ogilvie.\"\r\nThe developers of this tool offer two types of debugger applications: x64 for 64-bit applications and x32 for 32-bit\r\napplications. In this case, the actors used x32dbg.exe, which is the 32-bit debugger of x64dbg.\r\nUpon execution of x32dbg.exe, Microsoft Windows will attempt to resolve any dependency files necessary to run\r\nthe application. That search starts locally (i.e., in the current working directory). If found, the necessary files are\r\nloaded and executed.\r\nX32bridge.dll is a Windows Dynamic Link Library (DLL) dependency file of x32dbg.exe. A legitimate\r\nx32bridge.dll also carries the same digital signature. 
In this case, the file is not signed.\r\nOnce loaded, the malware searches locally for an actor-created encrypted payload file: x32bridge.dat (SHA256:\r\ne72e49dc1d95efabc2c12c46df373173f2e20dab715caf58b1be9ca41ec0e172).\r\nX32bridge.dat was first submitted to VirusTotal on Jan. 22, 2021. As of Dec. 15, 2022, it has a detection score of\r\neight out of 61 engines. None of the engines identify the file as PlugX malware.\r\nOnce loaded and decrypted in memory, the malware infects the host and any removable USB devices attached\r\nwith the PlugX malware. Figure 1 below illustrates PlugX DLL side loading using x64dbg DLL hijacking.\r\nFigure 1. PlugX DLL sideloading using x64dbg.\r\nBoth the hijacking of x64dbg and the association of this behavior with the PlugX malware were reported by\r\nSophos back in November 2020. Their blog refers to this malware as KilllSomeOne, based on a Program Database\r\n(PDB) string found in one of the binaries.\r\nSophos performed an excellent analysis of the samples and touched on the USB infection. We confirmed that our\r\nsample matched the behaviors described in their report. From there, we wanted to expand our research by focusing\r\non the USB infection, other USB variants in the wild and links to the PlugX malware.\r\nPlugX Malware USB Overview\r\nThe technique used by the PlugX malware to hide files in a USB device involves using a certain Unicode\r\ncharacter. This hinders Windows Explorer and the command shell (cmd.exe) from displaying the USB directory\r\nstructure and any files, concealing them from the victim.\r\nThe Unicode character used by this PlugX malware for the directories is 00A0 (a whitespace character called a no-break space). 
The whitespace character prevents the Windows Operating System from rendering the directory\r\nname, concealing it rather than leaving a nameless folder in Explorer.\r\nTo achieve code execution of the malware from the hidden directory, a Windows shortcut (.lnk) file is created on\r\nthe root folder of the USB device. The shortcut path to the malware contains the Unicode whitespace character,\r\nwhich is a space that does not cause a line break, but this is not visible when viewed via Windows Explorer, as\r\nshown below in Figure 2.\r\nFigure 2. Windows shortcut properties for accessing the hidden directory.\r\nWhen the shortcut file is viewed in a hex editor, the hex representation of these characters is shown as highlighted\r\nbelow in Figure 3.\r\nFigure 3. Windows shortcut properties shown in a hex editor display.\r\nThe PlugX malware uses the Component Object Model (COM) interface to create the .lnk files and includes the\r\nUnicode character 00A0. It does this by creating an instance of a shell desktop to create the associated Windows\r\nshortcut files. The ShellLink SetArguments method is used to set the command line arguments, which include the\r\nwhite space no break Unicode character, as shown in Figure 4 below.\r\nFigure 4. COM ShellLink::SetArguments.\r\nFinally, the ShellLink::Save method saves the shortcut file with all the changes.\r\nPlugX Malware USB Infection\r\nThe PlugX malware x32bridge.dll loads x32bridge.dat, which is responsible for implanting the host with malware\r\nand infecting any attached removable media USB devices such as floppy, thumb or flash drives. If a removable\r\nmedia device is found, the following steps are performed:\r\n1. It creates the following directory structure:\r\n\u003cusb volume\u003e:\\u00A0\\u00A0\\RECYCLER.BIN\\files. Example: F:\\ \\ \\RECYCLER.BIN\\files.\r\n2. 
It creates a hidden file named desktop.ini in each folder, which specifies the icon for the folder. This file\r\ncontains the following data:\r\n[.ShellClassInfo]\r\nIconResource=%systemroot%\\system32\\SHELL32.dll,7\r\nThe Windows OS uses a single file to retrieve icon images that are displayed on the desktop as shortcuts or from\r\nWindows Explorer files and folders. The Shell32.dll file contains a list of icons and a unique number. In this case,\r\nthe drive icon and the number 7 are used, as shown below in Figure 5.\r\nFigure 5. Drive icon number 7.\r\nThe use of this drive icon makes the directories appear as drives within Windows Explorer when viewed with\r\nhidden files enabled. If deleted, the directories appear as folders.\r\n3. In the second directory, it creates a subfolder named RECYLER.BIN. This directory acts as a recycle bin.\r\nIn that directory is a subdirectory named files and a hidden desktop.ini file. This desktop.ini file contains\r\nthe following data:\r\n[.ShellClassInfo]\r\nCLSID = {645FF040-5081-101B-9F08-00AA002F954E}\r\nThis CLSID instructs Windows Explorer to display the created RECYCLER.BIN folder as a recycle bin directory\r\nby giving it the recycle bin icon. This is shown in Figure 11 as an example.\r\n4. The files subfolder contains copies of the PlugX malware x32dbg.exe, any encrypted actor .dat files and\r\nthe actor’s malicious DLL. An example of this is shown in Figure 6 below.\r\nFigure 6. Infected USB removable device displayed via WinHex.\r\nIt should be noted that pre-infection of the USB device, existing files or directories on the root of the removable\r\ndevice are moved to the second hidden folder on the USB device, as shown below in Figure 7.\r\nFigure 7. Side-by-side comparison of the root directories of a non-infected versus infected USB\r\ndevice.\r\n5. 
Whenever the shortcut file from the infected USB device is clicked, the PlugX malware launches Windows\r\nExplorer and passes the directory path as a parameter. This then displays the files on the USB device from\r\nwithin the hidden directories and also infects the host with the PlugX malware. The victim sees their files\r\nand assumes all is working as expected.\r\nFigure 8 below illustrates how an infected USB thumb drive would appear to a victim in Windows Explorer using\r\ndefault settings (i.e., not displaying hidden files).\r\nFigure 8. Windows Explorer showing infected USB Removable Device. (Show hidden files not\r\nenabled.)\r\nAn infected PlugX USB device has no files or directories in the root folder and contains only a .lnk file.\r\nFigure 9 shows that the shortcut file is TESTDRIVE, which matches the USB device name. The shortcut file is\r\nresponsible for infecting the host and navigating to the hidden directory on the USB device each time it is clicked.\r\nFor example, the shortcut file referenced in Figure 9 contains the following data:\r\n%comspec% /q /c \" \\ \\RECYCLER.BIN\\files\\x32dbg.exe\"\r\nOnce the target clicks the shortcut, x32dbg.exe is launched via cmd.exe from the hidden files directory on the\r\nUSB device. The host the USB is attached to is now infected with the PlugX malware.\r\nWhen viewing the contents of the infected USB device with Windows Explorer and hidden items enabled, a\r\nvictim would see the following images:\r\nFigure 9. Windows Explorer showing infected USB Removable Device (root folder).\r\nThey would then see the following, as shown in Figure 10, within the first hidden directory:\r\nFigure 10. Windows Explorer showing an infected USB removable device (hidden directory number\r\none).\r\nAs shown in Figure 11, Windows Explorer displays another hidden directory along with a shortcut file. 
The\r\nshortcut file has the same properties to launch x32dbg.exe and will infect the host with the USB device attached.\r\nWhen viewing the contents of the next hidden folder, Windows Explorer shows the following directory structure:\r\nFigure 11. Windows Explorer showing infected USB Removable Device (hidden directory number\r\ntwo).\r\nThis directory contains a RECYLER.BIN folder that masquerades as a Windows recycle bin, along with any files\r\nor directories that existed in the root folder of the USB device at the time of infection. When viewing the contents\r\nof the RECYLER.BIN with Windows Explorer, a victim will see what’s shown in Figure 12:\r\nFigure 12. Windows Explorer showing infected USB Removable Device (RECYLER.BIN folder).\r\nSince the default setting for Windows Explorer is not to show hidden items, the only item visible to the victim is\r\nthe shortcut file, as shown in Figure 8. Even with hidden files enabled, Windows Explorer or cmd.exe cannot\r\nshow the malware files that reside in the files subdirectory.\r\nThe malware files can only be viewed on a *nix OS or by mounting the USB device in a forensic tool. Figure 13\r\nshows how the USB device looks once it’s mounted in Ubuntu, browsing to it via File Explorer.\r\nFigure 13. Ubuntu File Explorer viewing an infected USB device.\r\nPlugX Malware Post USB Infection\r\nWhen a host is infected with this variant of the PlugX malware, the malware continuously monitors for USB\r\nremovable devices. Once a USB device is discovered and infected, any new files written to the USB device root\r\nfolder post-infection are moved to the hidden folder within the USB device. 
Since the Windows shortcut file\r\nresembles that of a USB device and the malware displays the victim's files, they unwittingly continue to spread the\r\nPlugX malware.\r\nPlugX Malware USB Variant Two\r\nArmed with this knowledge, we wondered if other similar PlugX USB infection malware existed in the wild. File\r\nSHA256: 5b496972a86cea66aeecaac6e3f67a92e22f35cd5d2a98d54a2f1218fcd5dfc5 in VirusTotal matches the\r\nbehaviors of x32bridge.dat, specifically the creation of the Windows Scheduled Task and PDB string referenced in\r\nthe Sophos blog.\r\nThis file is a Windows x86 PE file (DLL), the in-memory equivalent of x32bridge.dat. Our analysis shows the\r\nruntime behavior is identical to the x32bridge.dat USB infection detailed earlier, but it has an added capability. It\r\ncopies documents from the host machine to a new hidden USB subfolder named da520e5.\r\nThe malware specifically copies all Adobe PDF and Microsoft Word documents from the host to this directory.\r\nFigure 14 below shows an example of the directory and files copied from our host.\r\nFigure 14. PlugX malware variant with two exfil files.\r\nThis PlugX USB malware variant was designed to exfiltrate specific files from its target that could be retrieved\r\nlater, as this directory and files are not used by the malware or displayed to the victim.\r\nAssociation With PlugX Malware\r\nIn addition to USB infection, both x32bridge.dat and the second PlugX malware variant discovered in VirusTotal\r\ncheck the target for specific running processes. If found, it terminates them and deletes the directories from which\r\nthey were executed.\r\nX32bridge.dat seeks out process names starting with AAM and, if found, terminates the process and deletes\r\nspecific directories associated with the process. The Sophos blog speculated that this behavior likely removed\r\nolder PlugX malware variants. 
Previous variants attributed to PlugX started with AAM file names (i.e., AAM\r\nUpdates.exe).\r\nThe second variant we discovered in VirusTotal also performs this check, including one for the specific process\r\nfile name AAM Updates.exe. Additionally, if AAM Updates.exe is found, it deletes the directory AAM\r\nUpdatesikB, which is a folder that has also been associated with the PlugX malware family.\r\nSince both x32bridge.dat and the second PlugX malware variant discovered in VirusTotal share the same USB\r\ninfection method along with other runtime behaviors, we can conclusively state that it is indeed associated with\r\nPlugX.\r\nConclusion\r\nPlugX malware has been used for over a decade and was historically extensively associated with Chinese nation-state APT groups. Over the years, it has been adopted and used by other threat groups, from nation-states to\r\nransomware actors.\r\nThe typical tradecraft of PlugX uses benign files to achieve code execution, also known as DLL side loading, that\r\nmany security vendors now detect and prevent. This might be part of why the actors added the capability to infect\r\nany attached removable media USB devices such as floppy, thumb or flash drives as well as any additional\r\nsystems the USB is later plugged into.\r\nAny host infected with this variant of the PlugX malware will continuously monitor for new USB removable\r\ndevices to infect. This PlugX malware also hides attacker files in a USB device with a novel technique, which\r\nmakes the malicious files only viewable on a *nix OS or by mounting the USB device in a forensic tool. 
Because\r\nof this ability to evade detection, the PlugX malware can continue to spread and potentially jump to air-gapped\r\nnetworks.\r\nAdditionally, we discovered a similar variant of PlugX in VirusTotal with the added capability of copying all\r\nAdobe PDF and Microsoft Word documents from the infected host to the USB device's hidden folder created by\r\nthe PlugX malware. The discovery of these samples indicates PlugX development is still alive and well among at\r\nleast some technically skilled attackers, and it remains an active threat.\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this\r\ncampaign:\r\nCortex XDR customers receive protection at the endpoints from the malware techniques described in this\r\nblog.\r\nWildFire cloud-based threat analysis service accurately identifies the malware described in this blog as\r\nmalicious.\r\nIf you think you may have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their\r\ncustomers and to systematically disrupt malicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nUnit 42 Managed Threat Hunting Queries\r\n// Detecting potential DLL side loading\r\nconfig case_sensitive = false timeframe = 30d\r\n| dataset = xdr_data\r\n| filter event_type = ENUM.LOAD_IMAGE and action_module_signature_status = 3 and\r\n((action_module_path contains \"mpsvc.dll\" and actor_process_image_name = \"aug.exe\") or\r\n(action_module_path contains \"dismcore.dll\" and actor_process_image_name = \"aug.exe\" ) or\r\n(action_module_path contains \"\\hex.dll\" and actor_process_image_name = \"SafeGuard.exe\") or\r\n(action_module_path contains \"x32bridge.dll\" and actor_process_image_name = \"x32dbg.exe\") or\r\n(action_module_path contains \"x32bridge.dll\" and actor_process_image_name = \"Mediae.exe\"))\r\n| comp count() as counter by actor_process_image_path , action_module_path , action_module_sha256\r\n// Adding registry persistence\r\nconfig case_sensitive = false timeframe = 30d\r\n| dataset = xdr_data\r\n| filter event_type = ENUM.REGISTRY and event_sub_type = ENUM.REGISTRY_SET_VALUE and\r\naction_registry_key_name contains \"Microsoft\\Windows\\CurrentVersion\\Run\" and (action_registry_data\r\ncontains \"x32dbg.exe\" or action_registry_data contains \"aug.exe\" or action_registry_data contains\r\n\"SafeGuard.exe\")\r\n| fields action_registry_data , action_registry_file_path , action_registry_key_name ,\r\nactor_process_command_line , agent_hostname\r\n// Payload execution with rundll32.exe\r\nconfig case_sensitive = false timeframe = 30d\r\n| dataset = xdr_data\r\n| filter event_type = ENUM.PROCESS and action_process_image_path contains \"rundll32\" and\r\n(action_process_image_command_line contains \"\\akm.dat\" or action_process_image_command_line\r\ncontains \"\\precious.dat\")\r\n| fields action_process_image_command_line , actor_process_image_command_line , agent_hostname\r\nIndicators of Compromise\r\nKnown PlugX 
Samples:\r\n8ec37dac2beaa494dcefec62f0bf4ae30a6ce44b27a588169d8f0476bbc94115\r\ne72e49dc1d95efabc2c12c46df373173f2e20dab715caf58b1be9ca41ec0e172\r\n0e9071714a4af0be1f96cffc3b0e58520b827d9e58297cb0e02d97551eca3799\r\n39280139735145ba6f0918b684ab664a3de7f93b1e3ebcdd071a5300486b8d20\r\n41a0407371124bcad7cab56227078ccd635ba6e6b4374b973754af96b7f58119\r\n02aa5b52137410de7cc26747f26e07b65c936d019ee2e1afae268a00e78a1f7f\r\n2a07877cb53404888e1b6f81bb07a35bc804daa1439317bccde9c498a521644c\r\n5d98d1193fcbb2479668a24697023829fc9dc1f7d31833c3c42b8380ef859ff1\r\nKnown File Directories\r\nC:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\user\\Desktop\\\r\nC:\\Users\\Public\\Public Mediae\\\r\n\u003cusb volume\u003e:\\u00A0\\u00A0\\RECYCLER.BIN\\files\r\n\u003cusb volume\u003e:\\u00A0\\u00A0\\RECYCLER.BIN\\files\\da520e5\r\nKnown Windows Mutex Names\r\nLKU_Test_0.1\r\nLKU_Test_0.2\r\nTCP_0.1\r\nKnown PlugX Encrypted Payload File Names\r\nakm.dat\r\nprecious.dat\r\nx32bridge.dat\r\nGroza_1.dat\r\nKnown Windows Scheduled Task Names\r\nLKUFORYOU_1\r\nPRECIOUS_0.1\r\nKnown Windows Process Names (Observed Abused Benign Files)\r\nx32dbg.exe\r\nx32dbge.exe\r\nMediae.exe\r\nAug.exe\r\nPrecious.exe\r\nSafeGuard.exe\r\nDism.exe\r\nMITRE ATT\u0026CK Techniques\r\nATOM PlugX Malware\r\nAdditional Resources\r\nTHOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by\r\nPKPLUG Group\r\nBrute Ratel C4 Red Teaming Tool Being Abused by Malicious Actors\r\nNJCCIC Alert Gootloader Malware Platform Uses Sophisticated Techniques to Deliver Malware\r\nA new APT uses DLL side-loads to “KilllSomeOne” – Sophos News\r\nBlack Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike\r\n(trendmicro.com)\r\nInside the OPM Hack, The Cyberattack that Shocked the US Government | WIRED\r\nASCII 
Codes\r\nASCII Table\r\nSource: https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/"
	],
	"report_names": [
		"plugx-variants-in-usbs"
	],
	"threat_actors": [
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434332,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1d9b1a3eb8c513e274c6a63038d98e1216c92ae1.pdf",
		"text": "https://archive.orkl.eu/1d9b1a3eb8c513e274c6a63038d98e1216c92ae1.txt",
		"img": "https://archive.orkl.eu/1d9b1a3eb8c513e274c6a63038d98e1216c92ae1.jpg"
	}
}