{
	"id": "a3d6bfef-626d-4ebd-8446-7e91ae40daaa",
	"created_at": "2026-04-06T00:18:15.430997Z",
	"updated_at": "2026-04-10T13:13:07.391167Z",
	"deleted_at": null,
	"sha1_hash": "1e5f071cd183b27c3a9c813f6e6690a2f57872b1",
	"title": "奇安信威胁情报中心",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1879440,
	"plain_text": "奇安信威胁情报中心\r\nArchived: 2026-04-05 15:59:09 UTC\r\nBackground\r\nPatchwork, also known as Patchwork, White Elephant, Hangover, Dropping Elephant, and internally tracked as\r\nAPT-Q-36 by QiAnXin, is an group widely believed to have a South Asian origin. Its earliest known cyber-attacks\r\ncan be traced back to November 2009, and it has remained active for over a decade. The group primarily conducts\r\ncyber espionage activities targeting countries in the Asian region, focusing on government, military, power,\r\nindustrial, research and education, diplomatic, and economic groups.\r\nOverview\r\nRecently, during routine sample tracking and analysis, the Threat Intelligence Center at QiAnXin identified a\r\nbatch of malicious samples linked to Patchwork. Surprisingly, the backdoor used by the attackers was not the\r\ntypical Trojan previously associated with the Patchwork group. Coincidentally, foreign security researchers also\r\ndiscovered a few of these samples [1] and named the backdoor \"Spyder\" based on information found in the\r\ncommand-and-control (C2) server login interface. They also noted similarities between the samples and the\r\nWarHawk backdoor. The latter was revealed in a report published by Zscaler in October of the previous year [2],\r\nand it is considered to be an offensive weapon used by another South Asian APT group, Sidewinder.\r\nhttps://ti.qianxin.com/blog/articles/Patchwork-Group-Utilizing-WarHawk-Backdoor-Variant-Spyder-for-Espionage-against-Multiple-Countries-EN/\r\nPage 1 of 21\n\nBased on the digital signatures used in early Spyder samples and their association with Remcos RAT samples, we\r\nare inclined to believe that the Patchwork group is behind these attacks. 
Furthermore, we discovered another\r\nlightweight C#-based backdoor used by the attackers through an IP address.\r\nDetailed Analysis\r\nThe captured Spyder samples have the following basic information:\r\nMD5 | Creation Time | Digital Signature | File Name\r\neb9068161baa5842b40d5565130526b9 | 2023-04-09 19:36:29 UTC | Yes | LIST OF SIGNAL ADDRESSES, CALL SIGN 10 Apr 2023.exe\r\n87d94635372b874f18acb3af7c340357 | 2023-04-13 09:20:42 UTC | Yes | PN SHIP OVERSEAS DEPLOYMENT PLAN TO FAR EAST CHINA.exe\r\n1fa3f364bcd02433bc0f4d3113714f16 | 2023-04-30 17:34:16 UTC | Yes | Rocket Launch System THE UPDT LIST OF MLRS PROB-.exe\r\n1f599f9ab4ce3da3c2b47b76d9f88850 | 2023-06-07 07:24:01 UTC | No | Read-Me New Naxal VPN Configration Settings.exe\r\n53b3a018d1a4d935ea7dd7431374caf1 | 2023-06-13 09:22:05 UTC | No | Read-Me New Naxal VPN Configration Settings.exe\r\n1f4b225813616fbb087ae211e9805baf | 2023-06-13 09:22:05 UTC | Yes | BAF Operations Report CamScannerDocument.exe\r\nThe above samples are disguised with Word, Excel, PDF, and other document icons. Based on sample size, creation\r\ntime, and code similarity, they can be classified into two categories: the original version (April samples) and the\r\nnew version (June samples) with some code modifications. Considering the sample names, the location of\r\nVirusTotal uploads, and configuration information within the samples, the targets of the Spyder backdoor include\r\nChina, Pakistan, the Nepal Police Department, and the Bangladesh Air Force.\r\nSpyder New Version\r\nThe June attack samples are almost identical, including the C2 information, with only some differences in the\r\nconfiguration data. 
The following sample will be analyzed as an example:\r\nMD5 1f599f9ab4ce3da3c2b47b76d9f88850\r\nFile Size 380928 bytes (372.00 KB)\r\nFile Type PE32 EXE\r\nTo start, the backdoor retrieves data from the \"TRUETYPE\" category under the \"FONTS\" file resource. It uses\r\n\"ROUND9\" as the XOR decryption key to decrypt a series of configuration data.\r\nThe decrypted data includes the backdoor agent code (the first 4 bytes in the configuration data, with a value of\r\n\"3\"), the mutex name, and the C2 communication URL.\r\nIn addition to obtaining key strings from the configuration data, the backdoor commonly uses XOR to\r\ndecrypt other required strings.\r\nAfter creating a mutex using CreateMutexA, the backdoor begins collecting information related to the infected\r\ndevice. 
The collected information, as well as the methods used to obtain it, are as follows:\r\nInformation Type | Method of Retrieval\r\nMachine GUID | Query HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid in the registry\r\nHostname | Call GetComputerNameExW\r\nUsername | Call GetUserNameW\r\nSystem Version | Query ProductName under HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion in the registry\r\nSystem Architecture | Call GetNativeSystemInfo\r\nAntivirus Information | WMI query in root\\SecurityCenter2\r\nProfile | Read from the decrypted configuration data in the resource section\r\nMail | Read from the decrypted configuration data in the resource section\r\nEach of the above items is encoded separately using the Y64 variant of Base64 encoding.\r\nThe backdoor sends a POST request to the C2 communication URL (\"hxxp://plainboardssixty.com/drive/bottom.php\");\r\nthe transmitted information includes the Machine GUID and the email address from the configuration data. 
If\r\nthe response is \"1,\" the backdoor enters a sleep state directly.\r\nThe backdoor copies itself as the \"DllHostcache\" file under the directory \"C:\\Users\\[user_name]\\AppData\\Roaming\" and\r\ncreates a series of scheduled tasks that run at a specified time on the next day.\r\nIt then returns the information collected earlier, using the following fields:\r\nField Name | Meaning\r\nhwid | Machine GUID\r\nusername | Username\r\ncompname | Hostname\r\nosname | System Version\r\narch | System Architecture\r\nav | Antivirus Information\r\nagent | Backdoor agent code in the configuration data (with a value of \"3\")\r\nprofile | Profile information in the configuration data\r\nmail | Email address in the configuration data\r\nThe backdoor then enters a while loop. In each iteration, it first downloads a file from another URL in the configuration data,\r\n\"hxxp://plainboardssixty.com/drive/chilli.php,\" and saves it in the Startup directory. If the download is successful,\r\nit runs the file.\r\nAfter that, there are multiple interactions with C2 to download and execute subsequent payloads. The interaction\r\nprocess is as follows.\r\n(1) Retrieve instructions\r\nSend \"hwid=%s\u0026deploy=1\" to C2 to receive the returned instructions. 
The backdoor provides three types of\r\ninstructions: \"1,\" \"2,\" and \"3.\" All three instructions are used to obtain and execute subsequent payloads.\r\n(2) Obtain the name and extraction password of the compressed package containing the subsequent payload\r\nAfter selecting a specific instruction, send \"hwid=%s\u0026deploy=%d\u0026bakmout=1\" to C2. The \"hwid\" field is still\r\nthe encoded Machine GUID, and the \"deploy\" field corresponds to the selected instruction number.\r\nThe response message is a JSON string that contains the \"name\" and \"pass\" fields, which correspond to the\r\ncompressed package name and extraction password, respectively.\r\n(3) Download and extract the compressed package\r\nDownload the compressed package from the URL \"hxxp://plainboardssixty.com/drive/[name].zip\" and extract it using the\r\npassword stored in the \"pass\" field. The downloaded compressed package and the extracted files are saved in the\r\n\"C:\\Users\\[user_name]\\AppData\\Local\" directory. Then, run the extracted file.\r\n(4) Notify C2 of the completion of the operation\r\nSend \"hwid=%s\u0026deploy=0\" to C2 to indicate that the downloaded payload has been executed. 
Delete the\r\ndownloaded compressed package, sleep for 2 seconds, and proceed to the next iteration of the loop.\r\nThe detailed explanations of the backdoor instructions are as follows:\r\nInstruction | Description\r\n\"1\" | The downloaded compressed package is saved locally as \"slr.zip.\" The \"1.bin\" file in the package is extracted and saved as \"slb.dll,\" and the exported function \"CreateInterface\" of the DLL is run using rundll32.\r\n\"2\" | The downloaded compressed package is saved locally as \"slr_2.zip.\" The \"2.bin\" file in the package is extracted and saved as \"sihost.exe,\" and the EXE file is run.\r\n\"3\" | The downloaded compressed package is saved locally as \"slr_3.zip.\" The \"3.bin\" file in the package is extracted and saved as \"secd.exe,\" and the EXE file is run.\r\nOther | No operation.\r\nThe two additional June samples are almost identical to the previous sample, with the following differences:\r\n(1) The names of the mutex, profile, and email in the configuration data are different.\r\n(2) The file downloaded from \"hxxp://plainboardssixty.com/drive/chilli.php\" at the beginning\r\nof the loop is saved as \"gameinput.exe.\"\r\n(3) The file release names for instructions \"2\" and \"3\" are \"Microsoft.Web.PageInspector.exe\" and\r\n\"DocumentFormat.OpenXml.exe,\" respectively, and they are saved in the \"Microsoft.Web\" subdirectory under\r\n\"AppData\\Local.\"\r\nSpyder Original Version\r\nThe original version from April differs only slightly from the updated version in June, as outlined\r\nbelow:\r\n(1) The critical strings used in the configuration are XOR decrypted in the initialization function, rather than\r\nbeing decrypted from the resource area as in the updated version.\r\n(2) 
There is no interaction with C2, and no decision about whether to enter a sleep state, before creating\r\nscheduled tasks and returning collected information.\r\n(3) The loop for communication with C2 does not involve downloading and executing payloads from an\r\nadditional URL.\r\n(4) Although both versions have a consistent format for returning information, the profile in the original version is\r\njust a code, and the mail field does not contain an email name, unlike the updated version where they have clear\r\nreferences.\r\nThe configuration data for the April samples is as follows:\r\nMD5 eb9068161baa5842b40d5565130526b9\r\nC2 (Communication) hxxp://gclouddrives.com/spyder/smile.php\r\nC2 (Download URL) hxxp://gclouddrives.com/spyder/[name].zip\r\nprofile TS-001\r\nmail N\r\nMD5 87d94635372b874f18acb3af7c340357\r\nC2 (Communication) hxxp://alibababackupcloud.com/spyder/smile.php\r\nC2 (Download URL) hxxp://alibababackupcloud.com/spyder/[name].zip\r\nprofile TS-002\r\nmail N\r\nMD5 1fa3f364bcd02433bc0f4d3113714f16\r\nC2 (Communication) hxxp://cloudplatfromservice.one/cpidr/balloon.php\r\nC2 (Download URL) hxxp://cloudplatfromservice.one/cpidr/[name].zip\r\nprofile TS-004\r\nmail N\r\nIt is worth noting that the C2 path in the early samples also contains the string \"spyder,\" and the profiles in the\r\nsamples follow the \"TS-\" format. 
The missing codes in between suggest that the April attack likely had other\r\nvictims as well.\r\nComparison With WarHawk\r\nThe Spyder backdoor shares some similarities with the WarHawk backdoor disclosed by Zscaler [2], but there are\r\nsignificant differences in the operations corresponding to the backdoor instructions.\r\n1. Similarities\r\n(1) Both backdoors use similar functions to send POST requests to C2, and they use the same User-Agent.\r\n(2) The collected device information is similar, and both backdoors use the hwid (Machine GUID) as the victim\r\nidentifier in C2 communication.\r\n(3) The C2 instructions for both backdoors use numeric characters to distinguish operations, and the\r\nissued C2 instructions are in JSON format.\r\n2. Differences\r\nThe differences between the two backdoors lie in the distribution and specific functionality of the backdoor\r\ninstructions. The WarHawk backdoor calls functions to implement each instruction in a sequential manner. Each\r\nfunction first queries the C2 server to determine whether to perform the operation and then executes or skips it\r\nbased on the server's response. The following code snippet illustrates the relevant code for the WarHawk\r\nbackdoor.\r\nThe WarHawk backdoor supports functionalities such as downloading and executing subsequent payloads,\r\ncommand execution, collecting and returning file information, and file downloading. 
In contrast, the Spyder\r\nbackdoor primarily focuses on downloading and executing subsequent payloads.\r\nSource Attribution\r\nOwnership\r\nThe early sample of the Spyder backdoor (MD5: eb9068161baa5842b40d5565130526b9) carries a digital\r\nsignature of \"Integrated Plotting Solutions Limited,\" which has also been used by other samples associated with\r\nthe Mokha Grass threat actor.\r\nAdditionally, another sample of the Spyder backdoor (MD5: 87d94635372b874f18acb3af7c340357) is associated\r\nwith a Remcos trojan sample based on the digital signature \"HILLFOOT DEVELOPMENTS (UK) LTD.\"\r\nFile Name smss.exe\r\nMD5 acbae6919c9ce41f45ce0d1a3f3fedd4\r\nCreation Time 2023-04-17 15:47:39 UTC\r\nDigital Signature Time 2023-04-18 07:24:00 UTC\r\nFile Size 1026840 bytes (1002.77 KB)\r\nThis sample initially creates a series of scheduled tasks, similar to the behavior observed in the Spyder backdoor.\r\nIt then decrypts the PE file data of the Remcos trojan and loads it into memory for execution.\r\nThe Mokha Grass group has also been known to use the Remcos trojan in its previous attack campaigns.\r\nConsidering these pieces of evidence, we believe that the group behind the Spyder backdoor attack activities is\r\nlikely the Mokha Grass group.\r\nOther Associated Samples\r\nThe C2 for the aforementioned Remcos trojan sample is 192[.]169.7.142:80.\r\nAnother sample is associated with communication to the same IP and is a lightweight backdoor written in C#.\r\nFile Name -\r\nMD5 
e3b37459489a863351d855e594df93bf\r\nCreation Time 2075-03-07 02:18:38 UTC\r\nVT Upload Time 2023-05-26 20:26:23 UTC\r\nFile Size 17408 bytes (17.00 KB)\r\nThe configuration data is as follows, and the URL format for communication with the C2 server is\r\n\"hxxps://192.169.7.142:4546/search?q=search[\u003chost_name\u003e\".\r\nThe Main_Load function calls the Fetch and Reply methods to implement the basic backdoor functionality.\r\nThe Fetch method retrieves instruction data from the C2 server through a GET request, and then processes the\r\nretrieved data, including reversing the order, GZ decompression, and removing the string\r\n\"XXPADDINGXXPADDINGXXPADDINGXX\". It creates a cmd.exe process with the code page set to 437 and\r\nexecutes the processed instruction data.\r\nThe Reply method processes the result of the cmd.exe process execution and sends it back to the C2 server\r\nthrough a POST request. 
The processing includes adding the string\r\n\"XXPADDINGXXPADDINGXXPADDINGXX\", GZ compression, and reversing the order.\r\nThis lightweight backdoor has extremely simple functionality and is likely used in conjunction with other malware\r\nduring the attack process.\r\nFurthermore, we have discovered other samples of this C# backdoor uploaded to VT, with slight\r\nvariations in the implementation code.\r\nFile Name not_default_config.exe\r\nMD5 4a25a52244f3360b0fffd0d752833bf1\r\nCreation Time 2098-11-29 07:58:55 UTC\r\nVT Upload Time 2023-05-09 10:01:52 UTC\r\nFile Size 56320 bytes (55.00 KB)\r\nThe C2 server in the configuration data is an internal IP, indicating that this sample may be a test version.\r\nSummary\r\nThere are intricate connections among several APT groups in the South Asia region, and the Spyder backdoor,\r\nwhich targeted multiple countries in this attack, is an example. It shares many similarities with the previously\r\ndisclosed WarHawk backdoor associated with the Rattlesnake group. Based on the digital certificates found in\r\nearly samples and the associated Remcos trojan samples, it is more likely that the Spyder backdoor originates\r\nfrom the Mokha Grass group. 
Furthermore, we have identified other backdoors through the infrastructure used by\r\nthe attackers, indicating the continuous expansion of their arsenal.\r\nProtection Recommendations\r\nQiAnXin Threat Intelligence Center reminds users to be cautious of phishing attacks, avoid opening links from\r\nunknown sources shared on social media, refrain from executing email attachments from unknown origins, avoid\r\nrunning unknown files with exaggerated titles, and avoid installing apps from unofficial sources. It is important to\r\nregularly back up important files and keep software up to date with the latest patches.\r\nIf it is necessary to run an application from an unknown source, it is recommended to first use the QiAnXin Threat\r\nIntelligence File Deep Analysis Platform (https://sandbox.ti.qianxin.com/sandbox/page) for verification. 
The\r\nplatform currently supports in-depth analysis of various file formats, including Windows and Android platforms.\r\nCurrently, all products based on QiAnXin Threat Intelligence Center's threat intelligence data, including QiAnXin\r\nThreat Intelligence Platform (TIP), TianQing, TianYan Advanced Threat Detection System, QiAnXin NGSOC,\r\nand QiAnXin Situational Awareness, support precise detection of such attacks.\r\nIOC\r\nMD5\r\n(Spyder)\r\neb9068161baa5842b40d5565130526b9\r\n87d94635372b874f18acb3af7c340357\r\n1fa3f364bcd02433bc0f4d3113714f16\r\n1f599f9ab4ce3da3c2b47b76d9f88850\r\n53b3a018d1a4d935ea7dd7431374caf1\r\n1f4b225813616fbb087ae211e9805baf\r\n(Remcos)\r\nacbae6919c9ce41f45ce0d1a3f3fedd4\r\n(C# Backdoor)\r\ne3b37459489a863351d855e594df93bf\r\n4a25a52244f3360b0fffd0d752833bf1\r\nC\u0026C\r\nplainboardssixty.com\r\ngclouddrives.com\r\nalibababackupcloud.com\r\ncloudplatfromservice.one\r\n192[.]169.7.142:80\r\n192[.]169.7.142:4546\r\nURL\r\nhxxp://plainboardssixty.com/drive/\r\nhxxp://gclouddrives.com/spyder/\r\nhxxp://alibababackupcloud.com/spyder/\r\nhxxp://cloudplatfromservice.one/cpidr/\r\nhxxps://192.169.7.142:4546/search?q=search[\u003chost_name\u003e\r\nReferences\r\n[1]. https://twitter.com/Axel_F5/status/1669794530592170001\r\n[2]. https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group-0\r\nSource: https://ti.qianxin.com/blog/articles/Patchwork-Group-Utilizing-WarHawk-Backdoor-Variant-Spyder-for-Espionage-against-Multiple-Countries-EN/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://ti.qianxin.com/blog/articles/Patchwork-Group-Utilizing-WarHawk-Backdoor-Variant-Spyder-for-Espionage-against-Multiple-Countries-EN/"
	],
	"report_names": [
		"Patchwork-Group-Utilizing-WarHawk-Backdoor-Variant-Spyder-for-Espionage-against-Multiple-Countries-EN"
	],
	"threat_actors": [
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2b29dd16-a06f-4830-81a1-365443bc54b8",
			"created_at": "2023-01-06T13:46:38.460047Z",
			"updated_at": "2026-04-10T02:00:02.983931Z",
			"deleted_at": null,
			"main_name": "QUILTED TIGER",
			"aliases": [
				"Chinastrats",
				"Sarit",
				"APT-C-09",
				"ZINC EMERSON",
				"ATK11",
				"G0040",
				"Orange Athos",
				"Thirsty Gemini",
				"Dropping Elephant"
			],
			"source_name": "MISPGALAXY:QUILTED TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434695,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e5f071cd183b27c3a9c813f6e6690a2f57872b1.pdf",
		"text": "https://archive.orkl.eu/1e5f071cd183b27c3a9c813f6e6690a2f57872b1.txt",
		"img": "https://archive.orkl.eu/1e5f071cd183b27c3a9c813f6e6690a2f57872b1.jpg"
	}
}