{
	"id": "c131e2a0-aee4-42ac-9161-acc54b5ac9a8",
	"created_at": "2026-04-06T00:15:39.188166Z",
	"updated_at": "2026-04-10T13:11:21.074328Z",
	"deleted_at": null,
	"sha1_hash": "22b8f619c48453c3bfb43cbe2690c7ef43a0737e",
	"title": "Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today's Adversaries",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2305937,
	"plain_text": "Top Tier Target | What It Takes to Defend a Cybersecurity\r\nCompany from Today's Adversaries\r\nBy Tom Hegel, Aleksandar Milenkoski \u0026 Jim Walter\r\nPublished: 2025-04-28 · Archived: 2026-04-05 14:09:18 UTC\r\nExecutive Summary\r\nIn recent months, SentinelOne has observed and defended against a spectrum of attacks from financially\r\nmotivated crimeware to tailored campaigns by advanced nation-state actors.\r\nThese incidents were real intrusion attempts against a U.S.-based cybersecurity company by adversaries,\r\nbut incidents such as these are neither new nor unique to SentinelOne.\r\nRecent adversaries have included:\r\nDPRK IT workers posing as job applicants\r\nransomware operators probing for ways to access/abuse our platform\r\nChinese state-sponsored actors targeting organizations aligned with our business and customer base\r\nThis report highlights a rarely-discussed but crucially important attack surface: security vendors\r\nthemselves.\r\nOverview\r\nAt SentinelOne, defending against real-world threats isn’t just part of the job, it’s the reality of operating as a\r\ncybersecurity company in today’s landscape. We don’t just study attacks, we experience them firsthand, levied\r\nagainst us. Our teams face the same threats we help others prepare for, and that proximity to the front lines shapes\r\nhow we think, and how we operate. Real-world attacks against our own environment serve as constant pressure\r\ntests, reinforcing what works, revealing what doesn’t, and driving continuous improvement across our products\r\nand operations. When you’re a high-value target for some of the most capable and persistent adversaries out there,\r\nnothing less will do.\r\nTalking about being targeted is uncomfortable for any organization. For cybersecurity vendors, it’s practically\r\ntaboo. 
But the truth is security vendors sit at an interesting cross-section of access, responsibility, and attacker ire\r\nthat makes us prime targets for a variety of threat actors, and the stakes couldn’t be higher. When adversaries\r\ncompromise a security company, they don’t just breach a single environment—they potentially gain insight into\r\nhow thousands of environments and millions of endpoints are protected.\r\nIn the past several months alone, we’ve observed and defended against a spectrum of attacks ranging from\r\nfinancially motivated crimeware to tailored campaigns by advanced nation-state actors. They were real intrusion\r\nattempts targeting a U.S.-based cybersecurity company — launched by adversaries actively looking for an\r\nadvantage, access, or leverage. Adversaries included DPRK IT workers posing as job applicants, ransomware\r\noperators probing for ways to access/abuse our platform, and Chinese state-sponsored actors targeting\r\norganizations aligned with our business and customer base.\r\nhttps://www.sentinelone.com/labs/top-tier-target-what-it-takes-to-defend-a-cybersecurity-company-from-todays-adversaries/\r\nPage 1 of 12\n\nWe are certainly not the only ones facing these threats. In the spirit of furthering collective defenses and\r\nencouraging further collaboration, we’re pulling back the curtain to share some of what we’ve seen, why it\r\nmatters, and what it tells us about the evolving threat landscape—not just for us, but for every company building\r\nand relying on modern security technology.\r\nDPRK IT Workers Seeking Inside Jobs\r\nOne of the more prolific and persistent adversary campaigns we’ve tracked in recent years involves widespread\r\ncampaigns by DPRK-affiliated IT Workers attempting to secure remote employment within Western tech\r\ncompanies, including SentinelOne. 
Early reports drew attention to these efforts and our own analysis revealed\r\nfurther logistical infrastructure to launder illicit funds via Chinese intermediary organizations. However, neither\r\ngave a sense of the staggering volume of ongoing infiltration attempts. This vector far outpaces any other insider\r\nthreat vector we monitor.\r\nThese actors are not just applying blindly — they are refining their process, leveraging stolen or fabricated\r\npersonas, and adapting their outreach tactics to mirror legitimate job seekers in increasingly convincing ways. Our\r\nteam has tracked roughly 360 fake personas and over 1,000 job applications linked to DPRK IT worker operations\r\napplying for roles at SentinelOne — even including brazen attempts to secure positions on the SentinelLabs\r\nintelligence engineering team itself.\r\nPublic reporting of DPRK IT workers applying to threat intelligence positions\r\nEngagement and Adversary Interaction\r\nInstead of staying passive, we made a deliberate choice towards intelligence-driven engagement. In coordination\r\nwith our talent acquisition teams, we developed workflows to identify and interact with suspected DPRK\r\napplicants during the early phases of their outreach. This collaboration was key. 
By embedding lightweight vetting\r\nsignals and monitoring directly into recruiting processes — without overburdening hiring teams — we were able\r\nto surface anomalous patterns tied to DPRK-affiliated personas, which were piped directly into our Vertex Synapse intelligence\r\nplatform for analyst review.\r\nOur attempted interactions offered rare insights into the craftiness and persistence of these infiltration campaigns\r\n— particularly the ways in which adversaries adapt to the friction they encounter.\r\nInbound DPRK referral request to strategic employees\r\nThe attackers are honing their craft beyond the job application and recruitment process. An operation of this scale\r\nand nature requires a different kind of backend infrastructure, such as a sprawling network of front companies to\r\nenable further laundering and logistics.\r\nDPRK IT Worker Front Company Network (November 2024)\r\nHelping Hiring Teams Help Us\r\nA key takeaway in working on this investigation was the value of intentionally creating inroads and sharing threat\r\ncontext with different teams not normally keyed into investigations. Rather than cluelessness, we encountered an\r\nintuitive understanding of the situation as recruiters had already been filtering out and reporting ‘fake applicants’\r\nwithin their own processes.\r\nWe brought campaign-level understanding that was combined with tactical insights from our talent team. The\r\npayoff was immediate. Recruiters began spotting patterns on their own, driving an increase in early-stage\r\nescalation of suspicious profiles. They became an active partner that continues to flag new sightings from the\r\nfrontlines. 
In turn, we are codifying these insights into automated systems that flag, filter, enrich, and proactively\r\nblock these campaigns to lower the burden on our recruiters and hiring managers, and reduce the risk of\r\ninfiltration.\r\nMake cross-functional collaboration standard operating procedure: equip frontline business units—from recruiting\r\nto sales—with shared threat context and clear escalation paths so they can surface anomalies early without\r\nslowing the business. Codifying insights with automation will consistently bring bi-directional benefits.\r\nThe DPRK IT worker threat is a uniquely complex challenge — one where meaningful progress depends on\r\ncollaboration between the security research community and public sector partners.\r\nRansomware Group Capability Development\r\nFinancially motivated threat actors frequently target enterprise security platforms—products designed to keep\r\nthem from making money—for direct access. SentinelOne, like our peers, is no exception. While uncomfortable,\r\nthis is a reality the industry faces continually and should handle with both transparency and urgency.\r\nForum post offering security product access\r\nPrivileged access to administrative interfaces or agent installers for endpoint security products provides tangible\r\nadvantages for adversaries seeking to advance their operations. Console access can be used to disable protections,\r\nmanipulate configurations, or suppress detections. Direct, unmonitored access to the endpoint agent offers\r\nopportunities to test malware efficacy, explore bypass or tampering techniques, and suppress forensic visibility\r\ncritical for investigations. In the wrong hands, these capabilities represent a significant threat to both the integrity\r\nof security products and the environments they protect.\r\nThis isn’t a new tactic. 
Various high-profile criminal groups have long specialized in social engineering campaigns\r\nto gain access to core security tools and infrastructure—ranging from EDR platforms (including SentinelOne and\r\nMicrosoft Defender) to IAM and VPN providers such as Okta. Their goal: expand footholds, disable defenses, and\r\nobstruct detection long enough to profit.\r\nRecent leaks related to Black Basta further underscore this trend. The group’s operators were observed testing\r\nacross multiple endpoint security platforms—including SentinelOne, CrowdStrike, Carbon Black, and Palo Alto\r\nNetworks—before launching attacks, suggesting a systematic effort to evaluate and evade security tools prior to\r\ndeployment.\r\nBlack Basta leak excerpts\r\nEconomy/Ecosystem\r\nThere is an increasingly mature and active underground economy built around the buying, selling, and renting of\r\naccess to enterprise security tools. For the right price, aspiring threat actors continually attempt to obtain time-bound or persistent access to our EDR platform and administrative consoles. Well-known cybercrime forums are\r\nfilled with vendors openly advertising such access—and just as many buyers actively seeking it. This includes\r\nlong-established forums like XSS[.]is, Exploit[.]in, and RAMP.\r\nThat said, more of this activity has been moving to confidential messaging platforms as well (Telegram, Discord,\r\nSignal). For example, Telegram bots are used to automate trading this access, and Signal is often used by threat\r\nactors to discuss nuance, targeting, and initial access operations.\r\nThis supply-and-demand dynamic is not only robust but also accelerating. 
Entire service offerings have emerged\r\naround this ecosystem, including “EDR Testing-as-a-Service,” where actors can discreetly evaluate malware\r\nagainst various endpoint protection platforms.\r\nProposed Private EDR testing service\r\nWhile these testing services may not grant direct access to full-featured EDR consoles or agents, they do provide\r\nattackers with semi-private environments to fine-tune malicious payloads without the threat of exposure—\r\ndramatically improving the odds of success in real-world attacks.\r\nProspective buyer for EDR installs\r\nAccess isn’t always bought, however. Threat actors frequently harvest legitimate credentials from infostealer logs\r\n—a common and low-cost method of acquiring privileged access to enterprise environments. In cases where\r\nexisting customers reuse credentials, this can translate into a threat actor also gaining access to security tools. In\r\nmore targeted operations, actors have also turned to bribery, offering significant sums to employees willing to sell\r\nout their account access.\r\nThese insider threats are not hypothetical. For instance, some groups have been observed offering upwards of\r\n$20,000 to employees at targeted companies in exchange for insider assistance—an approach openly discussed in\r\nthe same dark web forums where compromised credentials and access are routinely traded.\r\nOn the defensive side, this requires constant monitoring and maintenance. Situational awareness has to be\r\nprioritized in order to maintain platform integrity and protect our legitimate customers. Our research teams are\r\nconstantly monitoring for this style of abuse and access ‘leakage’, focusing on anomalous console access and site-token usage, and taking necessary actions to revoke these access vectors. 
This prevents threat actors from fully\r\ninteracting with the wider platform, and essentially orphans leaked agent installs, limiting the use of the agent in\r\nthe hands of the threat actor.\r\nNitrogen — Threat Operators ‘Leveling Up’\r\nSome ransomware operations are now bypassing the underground market altogether—opting instead for more\r\ntailored, concentrated-effort impersonation campaigns to gain access to security tools. This approach is epitomized\r\nby the Nitrogen ransomware group.\r\nNitrogen is believed to be operated by a well-funded Russian national with ties to earlier groups like Maze and\r\nSnatch. Rather than purchasing illicit access, Nitrogen impersonates real companies—spinning up lookalike\r\ndomains, spoofed email addresses, and cloned infrastructure to convincingly pose as legitimate businesses.\r\nNitrogen then purchases official licenses for EDR and other security products under these false pretenses.\r\nThis kind of social engineering is executed with precision. Nitrogen typically targets small, lightly vetted resellers\r\n—keeping interactions minimal and relying on resellers’ inconsistent KYC (Know Your Customer) practices to\r\nslip through the cracks.\r\nThese impersonation tactics introduce a new layer of complexity for defenders. If a threat actor successfully\r\nacquires legitimate licenses from a real vendor, they can weaponize the product to test, evade, and potentially\r\ndisable protections—without ever having to engage with criminal markets.\r\nThis highlights a growing challenge for the security industry: reseller diligence and KYC enforcement are clearly\r\npart of the threat surface. 
When those controls are weak or absent, adversaries like Nitrogen gain powerful new\r\nways to elevate their campaigns—often at a lower cost and lower risk than the black market.\r\nLessons Learned and Internal Collaboration\r\nOne of the most impactful lessons from tracking adversaries targeting our platform has been the value of deep,\r\nearly collaboration across internal teams — particularly those not traditionally pulled into threat response efforts.\r\nFor example, by proactively engaging with our reseller operations and customer success teams, we can surface\r\nvaluable signals on questionable license requests, reseller behavior anomalies, and business inconsistencies that\r\ncould have otherwise gone unnoticed.\r\nBy creating shared playbooks, embedding lightweight threat context, and establishing clear escalation paths,\r\nreactive processes turn into proactive signal sources. Now, suspicious licensing activity—especially when paired\r\nwith evasive behaviors or mismatched domain metadata—can surface much earlier in the workflow.\r\nTo scale this effort, we increasingly lean into automation. By codifying threat patterns—such as domain\r\nregistration heuristics, behavioral metadata mismatches, and reseller inconsistencies—organizations can automate\r\nenrichment and risk-scoring for incoming licensing requests. This can then be used to dynamically filter, flag, and\r\nin some cases, auto-block high-risk activity before it reaches onboarding.\r\nThe growing trend of adversaries exploiting sales processes—whether through impersonation, social engineering,\r\nor brute-force credential use—means security vendors must treat every access vector, including commercial and\r\noperational pipelines, as part of the attack surface. 
Making cross-functional threat awareness standard operating\r\nprocedure and integrating detection logic at the edge of business systems is essential.\r\nWe’re continuing to improve this work in quiet ways. And while we won’t share every piece of detection logic here (for\r\nobvious reasons), we encourage others in the industry to pursue similar internal partnerships. Sales and support\r\nteams may already be seeing signs of abuse—security teams just need to give them the lens to recognize it.\r\nChinese State-Sponsored Adversaries\r\nOne notable set of activity, occurring over the previous months, involved reconnaissance attempts against\r\nSentinelOne’s infrastructure and specific high-value organizations we defend. We first became aware of this threat\r\ncluster during a 2024 intrusion conducted against an organization previously providing hardware logistics services\r\nfor SentinelOne employees. We refer to this cluster of activity as PurpleHaze, with technical overlaps to multiple\r\npublicly reported Chinese APTs.\r\nThe PurpleHaze Activity Cluster\r\nOver the course of months, SentinelLABS observed the threat actor conduct many intrusions, including into a\r\nSouth Asian government-supporting entity that provides IT solutions and infrastructure across multiple sectors. This\r\nactivity involved extensive infrastructure, some of which we associate with an operational relay box (ORB)\r\nnetwork, and a Windows backdoor that we track as GoReShell. The backdoor is implemented in the Go\r\nprogramming language and uses functionalities from the open-source reverse_ssh tool to establish reverse SSH\r\nconnections to attacker-controlled endpoints.\r\nSentinelLABS collectively tracks these activities under the PurpleHaze moniker. We assess with high confidence\r\nthat PurpleHaze is a China-nexus actor, loosely linking it to APT15 (also known as Nylon Typhoon, among various\r\nother outdated aliases). 
This adversary is known for its global targeting of critical infrastructure sectors, such as\r\ntelecommunications, information technology, and government organizations – victimology that aligns with our\r\nmultiple encounters with PurpleHaze.\r\nWe track the ORB network infrastructure observed in the attack against the South Asian government organization\r\nas being operated from China and actively used by several suspected Chinese cyberespionage actors, including\r\nAPT15. The use of ORB networks is a growing trend among these threat groups, since they can be rapidly\r\nexpanded to create a dynamic and evolving infrastructure that makes tracking cyberespionage operations and their\r\nattribution challenging. Additionally, GoReShell malware and its variations, including the deployment mechanism\r\non compromised machines and obfuscation techniques, have been exclusively observed in intrusions that we\r\nattribute with high confidence to China-nexus actors.\r\nShadowPad Intrusions\r\nIn June 2024, approximately four months prior to PurpleHaze targeting SentinelOne, SentinelLABS observed\r\nthreat actor activity targeting the same South Asian government entity that was also targeted in October 2024.\r\nAmong the retrieved artifacts, we identified samples of ShadowPad, a modular backdoor platform used by\r\nmultiple suspected China-nexus threat actors to conduct cyberespionage. Recent ShadowPad activity has also\r\nincluded the deployment of ransomware, though the motive remains unclear — whether for financial gain or as a\r\nmeans of distraction, misattribution, or removal of evidence.\r\nThe ShadowPad samples we retrieved were obfuscated using ScatterBrain, an evolution of the ScatterBee\r\nobfuscation mechanism. 
Our industry partner, Google Threat Intelligence Group (GTIG), has also observed the\r\nuse of ScatterBrain-obfuscated ShadowPad samples since 2022 and attributes them to clusters associated with the\r\nsuspected Chinese APT actor, APT41.\r\nGTIG APT41 Use of ScatterBrain\r\nInvestigations continue in determining the specific actor overlap between the June 2024 ShadowPad intrusions and\r\nthe later PurpleHaze activity. We do not rule out the involvement of the same threat cluster, particularly given the\r\nextensive sharing of malware, infrastructure, and operational practices among Chinese threat groups, as well as the\r\npossibility of access transfer between different actors.\r\nBased on private telemetry, we identified a large collection of victim organizations compromised using\r\nScatterBrain-obfuscated ShadowPad. Between July 2024 and March 2025, this malware was used in intrusions at\r\nover 70 organizations across various regions globally, spanning sectors such as manufacturing, government,\r\nfinance, telecommunications, and research. We assess that the threat actor primarily gained an initial foothold in the\r\nmajority of these organizations by exploiting an n-day vulnerability in CheckPoint gateway devices, which aligns\r\nwith previous research on ShadowPad intrusions involving the deployment of ransomware.\r\nAmong the victims, we identified the previously mentioned IT services and logistics organization that was at the\r\ntime responsible for managing hardware logistics for SentinelOne employees. Victim organizations were promptly\r\ninformed of intrusion specifics, which were swiftly investigated. At this point, it remains unclear whether the\r\nperpetrators’ focus was solely on the compromised organization or if they intended to extend their reach to client\r\norganizations as well.\r\nA detailed investigation into SentinelOne’s infrastructure, software, and hardware assets found no evidence of\r\nsecondary compromise. 
Nevertheless, this case underscores the fragility of the larger supplier ecosystem that\r\norganizations depend upon and the persistent threat posed by suspected Chinese threat actors, who continuously\r\nseek to establish strategic footholds to potentially compromise downstream entities.\r\nSentinelLABS will share a detailed public release on this topic in due course, providing further technical\r\ninformation on these activities, including observed TTPs, malware, and infrastructure.\r\nLessons Learned While Hardening Our Operational Ecosystem\r\nOur analysis of the PurpleHaze cluster, and more specifically the potential indirect risk introduced via\r\ncompromised third-party service providers, has reinforced several key insights around operational security and\r\nsupply chain monitoring. Even when our own infrastructure remained untouched, the targeting of an external\r\nservice provider previously associated with business logistics surfaced important considerations.\r\nOne immediate reminder is the necessity of maintaining real-time awareness not only over internal assets but also\r\nover adjacent service providers—particularly those with past or current access to sensitive employee devices or\r\nlogistical information. 
When incidents occur near your supply chain, don’t wait for confirmation of compromise.\r\nProactively trigger internal reviews of asset inventories, procurement workflows, OS images and onboarding\r\ndeployment scripts, and segmentation policies to quickly identify any exposure pathways and reduce downstream\r\nrisk.\r\nThis leads to several defense recommendations:\r\nDistribute Threat Intelligence Across Operational Stakeholders\r\nOrganizations should proactively share campaign-level threat intelligence with business units beyond the\r\ntraditional security org—particularly those managing vendor relationships, logistics, and physical\r\noperations. Doing so enables faster detection of overlap with compromised third parties and supports early\r\nreassessment of exposure through external partners.\r\nIntegrate Threat Context Into Asset Attribution Workflows\r\nInfrastructure and IT teams should collaborate with threat intelligence functions to embed threat-aware\r\nmetadata into asset inventories. This enables more responsive scoping during incident response and\r\nenhances the ability to trace supply chain touchpoints that may be at risk.\r\nExpand Supply Chain Threat Modeling\r\nOrganizations should refine their threat modeling processes to explicitly account for upstream supply chain\r\nthreats, especially those posed by nation-state actors with a history of leveraging contractors, vendors, or\r\nlogistics partners as indirect access vectors. Tailoring models to include adversary-specific tradecraft\r\nenables earlier identification of unconventional intrusion pathways.\r\nWhile attribution continues to evolve and victim impact remains diverse, one thing is clear: well-resourced threat\r\nactors are increasingly leaning on indirect routes into enterprise environments. 
Investigations like this help us\r\nsharpen our defenses—not just around traditional digital perimeters but around the full operational footprint of our\r\norganization.\r\nThe Strategic Value of Cyber Threat Intelligence\r\nIn today’s threat landscape, threat intelligence has evolved from a niche function into an essential pillar of\r\nenterprise defense—particularly for private sector organizations operating in the security space. As threat actors\r\nincreasingly target security vendors for insider access, abuse of legitimate channels, and supply chain infiltration,\r\nthe role of CTI in anticipating and disrupting these tactics has become more critical than ever.\r\nOne of the most tangible examples of this value is in internal talent acquisition and insider threat defense.\r\nIntelligence has become a frontline asset in identifying attempts by North Korean IT workers and other state-backed operatives to embed themselves in organizations under false pretenses. By flagging suspicious applicant\r\npatterns, cross-referencing alias histories, and tracking known tradecraft, CTI teams help hiring managers and HR\r\navoid potential insider incidents before they start.\r\nOur CTI capabilities must also directly support sales and channel operations. As criminal groups increasingly\r\nimpersonate legitimate businesses to acquire security products through trusted resellers, intelligence plays a key\r\nrole in verifying customer legitimacy and identifying anomalous purchase behaviors. By integrating intelligence\r\ninsights into pre-sale vetting workflows, we add a crucial layer of protection that helps ensure adversaries cannot\r\nsimply “buy” their way into our technology stack.\r\nInternally, threat intelligence informs and enhances how we defend our own technology and supply chain against\r\nhighly targeted APT activity. 
From understanding how adversaries reverse-engineer our software to uncovering\r\nwhich parts of our technology stack they seek to compromise, CTI enables proactive hardening, smarter telemetry\r\nprioritization, and meaningful collaboration with product and engineering teams. In essence, intelligence acts as\r\nan early-warning system and a strategic guide—ensuring our defenses stay one step ahead of evolving threats.\r\nAcross every function—whether it’s HR, Sales, Engineering, or Security—cyber threat intelligence is no longer a\r\nbackroom function. It’s embedded in the fabric of how we defend, operate, and grow as a business.\r\nSource: https://www.sentinelone.com/labs/top-tier-target-what-it-takes-to-defend-a-cybersecurity-company-from-todays-adversaries/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/top-tier-target-what-it-takes-to-defend-a-cybersecurity-company-from-todays-adversaries/"
	],
	"report_names": [
		"top-tier-target-what-it-takes-to-defend-a-cybersecurity-company-from-todays-adversaries"
	],
	"threat_actors": [
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0ae281f0-886a-46ab-b413-e2db5c0f3142",
			"created_at": "2025-05-29T02:00:03.217545Z",
			"updated_at": "2026-04-10T02:00:03.869082Z",
			"deleted_at": null,
			"main_name": "PurpleHaze",
			"aliases": [],
			"source_name": "MISPGALAXY:PurpleHaze",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434539,
	"ts_updated_at": 1775826681,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/22b8f619c48453c3bfb43cbe2690c7ef43a0737e.pdf",
		"text": "https://archive.orkl.eu/22b8f619c48453c3bfb43cbe2690c7ef43a0737e.txt",
		"img": "https://archive.orkl.eu/22b8f619c48453c3bfb43cbe2690c7ef43a0737e.jpg"
	}
}