{
	"id": "38909476-6b91-407b-9e11-126fccb3fb50",
	"created_at": "2026-04-06T00:20:05.076909Z",
	"updated_at": "2026-04-10T03:37:01.117839Z",
	"deleted_at": null,
	"sha1_hash": "2489f8f62792aa98af58ad2b907412db60a2fc2c",
	"title": "Operation Tainted Love | Chinese APTs Target Telcos in New Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2248080,
	"plain_text": "Operation Tainted Love | Chinese APTs Target Telcos in New\r\nAttacks\r\nBy Aleksandar Milenkoski\r\nPublished: 2023-03-23 · Archived: 2026-04-05 17:39:01 UTC\r\nBy Aleksandar Milenkoski, Juan Andres Guerrero-Saade, and Joey Chen, in collaboration with QGroup\r\nExecutive Summary\r\nIn Q1 of 2023, SentinelLABS observed initial phases of attacks against telecommunication providers in the\r\nMiddle East.\r\nWe assess that this activity represents an evolution of tooling associated with Operation Soft Cell.\r\nWhile it is highly likely that the threat actor is a Chinese cyberespionage group in the nexus of Gallium and\r\nAPT41, the exact grouping remains unclear.\r\nSentinelLABS observed the use of a well-maintained, versioned credential theft capability and a new\r\ndropper mechanism indicative of an ongoing development effort by a highly-motivated threat actor with\r\nspecific tasking requirements.\r\nOverview\r\nIn collaboration with QGroup GmbH, SentinelLABS recently observed initial threat activities targeting the\r\ntelecommunication sector. We assess it is highly likely that these attacks were conducted by a Chinese\r\ncyberespionage actor related to the Operation Soft Cell campaign.\r\nThe initial attack phase involves infiltrating Internet-facing Microsoft Exchange servers to deploy webshells used\r\nfor command execution. Once a foothold is established, the attackers conduct a variety of reconnaissance,\r\ncredential theft, lateral movement, and data exfiltration activities.\r\nThe deployment of custom credential theft malware is central to this new campaign. The malware implemented a\r\nseries of Mimikatz modifications on closed-source tooling. This post details the multi-component architecture and\r\nfunctionality of a sample, referred to as mim221.\r\nWe assess that mim221 is a recent version of an actively maintained credential theft capability upgraded with new\r\nanti-detection features. 
The use of special-purpose modules that implement a range of advanced techniques shows\r\nthe threat actors’ dedication to advancing their toolset towards maximum stealth. These techniques include\r\nin-memory mapping of malicious images to evade EDR API hooks and file-based detections;\r\nsurgically terminating Event Log threads instead of the host process to inhibit logging without raising\r\nsuspicions; and\r\nstaging a credential theft capability in the LSASS process itself by abusing native Windows capabilities.\r\nhttps://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/\r\nPage 1 of 12\n\nVersion numbers and build timestamps indicate a maintained software project by designated developers. Closer\r\nanalysis reveals an element of pragmatism in that the threat actors use modified publicly available code to achieve\r\ntheir goals.\r\nIn terms of attribution, the tooling suggests an immediate link to the ‘Operation Soft Cell’ campaign but remains\r\nslightly vague on the specific threat actor. That campaign has been publicly associated with Gallium and possible\r\nconnections to APT41 have been suggested by the use of a common code signing certificate and tooling that\r\nshares code similarities. APT41 is also known to target telecommunication providers.\r\nGiven previous target and TTP overlaps, and an evident familiarity with victim environments, we assess with\r\nmedium confidence that Gallium is involved. 
However, we also recognize the possibility of closed-source tool-sharing between Chinese state-sponsored threat actors, and the possibility of a shared vendor or digital\r\nquartermaster.\r\nRegardless of clustering specifics, this finding highlights the increased operational tempo of Chinese\r\ncyberespionage actors and their consistent investment in advancing their malware arsenal to evade detection.\r\nInfection Vector and Initial TTPs\r\nAs initial attack indicators, we observed command execution through webshells on compromised Microsoft\r\nExchange server deployments. The threat actors used C:\\MS_DATA as their main working directory for storing\r\nmalware and staging data for exfiltration. Noting that the Microsoft TroubleShootingScript toolset (TSSv2) uses\r\nC:\\MS_DATA for storing log files, we suspect that its use as a working directory is an attempt to make malicious\r\nfile system activities look legitimate.\r\nAfter establishing an initial foothold, the threat actor conducts reconnaissance like querying user and network\r\ninformation using a variety of tools. For example, the attackers used dsquery and query to obtain information\r\nabout Active Directory objects, including user information, and Remote Desktop user sessions. 
They also used the\r\nLocal Group (LG) tool to enumerate all local groups and members in a domain.\r\n\"cmd\" /c cd /d C:\\MS_DATA\\\u0026dsquery * -limit 0 -filter\r\n\"cmd\" /c cd /d C:\\MS_DATA\\\u0026dsquery * -limit 0 -filter \"\u0026(objectClass=User)(objectCategory=Person\r\n\"cmd\" /c cd /d c:\\windows\\system32\\inetsrv\\\u0026query user\u0026cd\r\n\"cmd\" /c cd /d C:\\MS_DATA\\\u0026lg.exe \\\\[IP ADDRESS] -lu \u003e169.txt\u0026cd\r\nThe attackers then check connectivity with both the Internet and specific local machines of interest.\r\n\"cmd\" /c cd /d c:\\windows\\system32\\inetsrv\\\u0026ping 8.8.8.8 -n 1\u0026cd\r\n\"cmd\" /c cd /d c:\\windows\\system32\\inetsrv\\\u0026ping -n 1 [IP ADDRESS/HOSTNAME]\u0026cd\r\nThey also retrieve networking information, like network adapters, specific machines, and network services like\r\nRemote Desktop Protocol (RDP).\r\n\"cmd\" /c cd /d C:\\MS_DATA\\\u0026ipconfig /all\u0026cd\r\n\"cmd\" /c cd /d c:\\windows\\system32\\inetsrv\\\u0026net use\u0026cd\r\n\"cmd\" /c cd /d c:\\windows\\system32\\inetsrv\\\u0026netstat.exe -nob\r\n\"cmd\" /c cd /d c:\\windows\\system32\\inetsrv\\\u0026netstat -aon |find \"3389\"\u0026cd\r\n\"cmd\" /c cd /d C:\\MS_DATA\\\u0026netstat -aon |find \"[IP ADDRESS]\"\u0026cd\r\nThe threat actor made use of the native makecab tool to compress information gathered for exfiltration.\r\n\"cmd\" /c cd /d C:\\MS_DATA\\\u0026makecab da.back d.zip \u003e1.txt\u0026cd\r\nFor lateral movement, the attackers made use of the PsExec tool and the net use command for accessing shared\r\nresources on remote machines.\r\n\"cmd\" /c cd /d C:\\MS_DATA\\\u0026net use \\\\[IP ADDRESS] [PASSWORD] /u:[DOMAIN]\\[USERNAME]\r\nA Penchant for Credential Theft\r\nIn order to steal credentials, the attackers employ custom modified versions of Mimikatz, including an executable\r\nnamed pc.exe.\r\nMimikatz publicly available code (top); strings from a Mimikatz modification (bottom)\r\nThe pc.exe executable stages the execution of three other components that ultimately result in stealing\r\ncredentials from the Local Security Authority Subsystem Service (LSASS) process.\r\nWe refer to the four-component chain as ‘mim221’ based on the version number that the tool displays (2.2.1).\r\nWe observed the threat actors deploying individual chunks of pc.exe in the working directory and merging these\r\ninto pc.exe using the type command.\r\npc.exe file chunks\r\nWe noticed that the attackers ceased their activities after stealing credentials. This could indicate a multi-phase\r\nattack strategy, where the deployment of backdoors and further persistence mechanisms is carried out separately\r\nafter credential theft has ensured continued access. The intrusions were detected and interrupted before the\r\nattackers could carry out further phases, such as deploying backdoors.\r\nmim221\r\nThe architecture of mim221 consists of four components: the pc.exe Windows executable, and the\r\nAddSecurityPackage64.dll , pc.dll , and getHashFlsa64.dll DLLs contained therein.\r\nmim221 execution overview\r\nmim221 Component | Size | Compilation timestamp\r\npc.exe | 502 KB | Thu Jun 09 08:02:12 2022 (UTC)\r\nAddSecurityPackage64.dll | 119 KB | Thu Jun 09 08:01:46 2022 (UTC)\r\npc.dll | 297 KB | Tue Jun 07 16:55:05 2022 (UTC)\r\ngetHashFlsa64.dll | 216 KB | Fri May 27 20:56:26 2022 (UTC)\r\npc.exe\r\nThe main binary executed by the threat actor is pc.exe . 
It decrypts AddSecurityPackage64.dll and pc.dll ,\r\nstores pc.dll on the file system, and then loads and executes AddSecurityPackage64.dll by invoking its\r\nexported function, pathAddPackage .\r\nThe execution of pc.exe requires a password supplied by the operator (in this case, P2sSW0rd1234!@#$C ),\r\nwhich the operator provides through the key command-line parameter.\r\npc.exe decrypts AddSecurityPackage64.dll and pc.dll using the AES encryption algorithm, providing the\r\noperator-provided execution password as an initialization vector.\r\npc.exe loads and executes the decrypted AddSecurityPackage64.dll using reflective image loading. This\r\ntechnique involves first mapping a Windows PE image in memory and then executing the image’s main entry\r\npoint or an export function.\r\nAmong other activities, the image mapping process includes allocating memory for the image, storing the image\r\nheaders and sections in the memory, populating the images’ import and delay import tables, adding exception\r\nhandlers, and executing TLS callback and export routines. The Phant0m tool provides a complete implementation\r\nof this process.\r\nWhile reflective image loading is a known technique at this time, its use was first observed in the DoublePulsar\r\nand subsequently the SlingShot frameworks in 2017 and 2018, respectively. This technique enables the fully\r\nfileless loading and execution of a malicious image without invoking the standard Windows API, such as\r\nLoadLibrary . This eliminates detection based on API hooking and file artifacts.\r\nWhen it is finished executing, pc.exe displays a message indicating a version number and build timestamp:\r\nVersion 2.2.1 - build on Jun 9 2022 16:02:12 .\r\nAddSecurityPackage64.dll\r\nAddSecurityPackage64.dll , which is the original filename of this mim221 component, is responsible for:\r\nObtaining the SeDebugPrivilege and SYSTEM privilege by access token impersonation. 
This allows\r\nmim221 to inspect and extract credentials from the LSASS process.\r\nDisabling Windows event logging in an attempt to evade detection; and\r\nInjecting pc.dll into LSASS as a Security Package. Security Packages are used to extend the Windows\r\nauthentication mechanism and can be abused to execute malicious code in the context of LSASS.\r\nIn an attempt to remain undetected, AddSecurityPackage64.dll disables Windows event logging by killing\r\nthreads of the Windows Event Log service without stopping the execution of the service itself. This is achieved\r\nby locating the process that hosts the Event Log , enumerating the process’s threads, identifying the threads\r\nassigned to the service by their service tag ( eventlog ), and terminating them.\r\nQuerying service tag information\r\nAddSecurityPackage64.dll injects pc.dll into LSASS by deploying pc.dll as a Security Package. To this\r\nend, AddSecurityPackage64.dll issues an RPC call to LSASS – to the ncalrpc:[lsasspirpc] RPC endpoint,\r\nproviding the file path to pc.dll to LSASS. This call instructs LSASS to load and execute pc.dll , which then\r\nstages the getHashFlsa64.dll credential theft component.\r\ngetHashFlsa64.dll conducts credential theft in the context of LSASS\r\npc.dll and getHashFlsa64.dll\r\nIn the context of LSASS, pc.dll decrypts, reflectively loads, and executes the credential theft component\r\ngetHashFlsa64.dll in a manner similar to pc.exe . pc.dll and getHashFlsa64.dll share the same original\r\nfilename: getHashFlsa64.dll .\r\npc.dll is implemented such that its main routine returns FALSE, making LSASS execute pc.dll and then\r\nunload it. This is a detection evasion technique making LSASS load pc.dll while avoiding appearing as an\r\nadded (registered) Security Package. 
LSASS normally creates registry entries when adding Security Packages and\r\ndoes not unload them once loaded. This provides an opportunity for defenders to detect the loading of malicious\r\nSecurity Packages. Previous research provides more detail on this topic.\r\ngetHashFlsa64.dll accesses the memory of its host LSASS process and stores stolen credentials in a Mimikatz\r\nlog file named pc.log for later exfiltration.\r\nExample pc.log content\r\ngetHashFlsa64.dll exports a function named GetMyVersion , which displays a version number and build\r\ntimestamp ( Version 2.2.0 - build on May 28 2022 04:56:23 ), in a format consistent with the output from\r\npc.exe . The credential theft functionality of getHashFlsa64.dll is implemented in its export function\r\nGetLogonInfo .\r\nThe GetMyVersion function\r\nAdditional Information\r\nError Messages and Public Code Reuse\r\nThe mim221 components implement error logging. The error messages follow a consistent output format.\r\nExample error messages\r\nIt is important to note that we observed code segments that seem to be modified versions of publicly available\r\ncode. For example, the implementation of AddSecurityPackage64.dll looks like an adaptation of public code\r\nthat demonstrates injection of a Security Package into LSASS using RPC calls.\r\nSimilarity between publicly available code (top) and AddSecurityPackage64.dll (bottom)\r\nTimestamp Information\r\nThe mim221 components that reflectively load other executables, pc.exe and pc.dll , patch a\r\nstring in the executable they load before loading it, which provides further timestamp information: ====A!B@C#0-2022-05-23\r\n16:33:03S . 
The patching involves replacing the string with configuration information, such as the mim221\r\nexecution password and a path to the log file for storing stolen credentials.\r\nPatched timestamp string\r\nAttribution Analysis\r\nWe assess it is highly likely the initial attack phases we observed were conducted by Chinese threat actors with\r\ncyberespionage motivations. Telecommunication providers are frequent targets of espionage activity due to the\r\nsensitive data they hold. Our analysis identified indicators that point to the Operation Soft Cell actors.\r\nOperation Soft Cell has been associated with the Gallium group based on TTPs and some of the domains the\r\ngroup has been using.\r\nActive since at least 2012, Gallium is likely a Chinese state-sponsored group that is targeting telecommunication,\r\nfinancial, and government entities in Southeast Asia, Europe, Africa, and the Middle East. While the group’s\r\noriginal focus has been on telecommunication providers, recent reports suggest that Gallium has\r\nexpanded targeting across other sectors.\r\nThe initial intrusion vector and the majority of the TTPs we observed closely match those conducted by, or\r\nassociated with, the Soft Cell actors. This includes deploying webshells at Microsoft Exchange servers for\r\nestablishing an initial foothold, following the same file naming conventions, using the LG tool and the net , query ,\r\nand tasklist Windows built-in tools for gathering user and process information, and the PsExec Windows\r\nSysinternals tool and net for lateral movement and exploration, respectively.\r\nIt is worth noting that the attackers’ activities at one of the targets suggested previous knowledge of the\r\nenvironment. 
We had observed activity at the same target a few months prior, which we attributed to Gallium\r\nprimarily based on the use of the group’s PingPull backdoor and TTPs.\r\nBy pivoting on the original filename of mim221’s getHashFlsa64.dll , we observed another sample that steals\r\ncredentials from LSASS. This sample has the PDB path of\r\ne:\\vs_proj\\mimkTools\\getHashFlsa\\getHashFlsa\\x64\\release\\getHashFlsa64.pdb and was first submitted\r\nto VirusTotal from Vietnam on January 04, 2023.\r\nThe path partially overlaps with the PDB path of a Mimikatz Soft Cell executable\r\n( E:\\vs_proj\\simplify_modify\\Win32\\simplify.pdb ) and another Mimikatz executable of a Chinese threat actor\r\nthought to be part of the Soft Cell activity group arsenal\r\n( E:\\vs_proj\\mimkTools\\dcsync_new\\x64\\dcsync64.pdb ). This indicates that mim221 and these binaries may\r\noriginate from the same source.\r\nCloser analysis confirms that the sample we pivoted to is a previous, less-advanced version of mim221 – Version\r\n2.2.0 – that does not include some mim221 components, such as AddSecurityPackage64.dll and pc.dll . We\r\nrefer to this sample as mim220.\r\nOutput from mim220 (top) and mim221 (bottom)\r\nPrevious research indicates possible connections between the Soft Cell actors and APT41, which is known to\r\nconduct Chinese state-sponsored espionage activity as well as financially motivated activity targeting multiple\r\nsectors with a broad geographical coverage, including telecommunication providers.\r\nThe connection between the Soft Cell actors and APT41 that most relates to the activities that we observed is\r\nbased on the Whizzimo, LLC certificate of the Soft Cell binary with a PDB path\r\nE:\\vs_proj\\simplify_modify\\Win32\\simplify.pdb , a binary that possibly originates from the same source as\r\nmim221. 
This certificate has been reported to be used by APT41. Pivoting on this certificate reveals further\r\nMimikatz modifications, some with filenames very similar to those we observed.\r\nConclusions\r\nChinese cyberespionage threat actors are known to have a strategic interest in the Middle East. This is evident\r\nfrom their consistent targeted attacks on various entities including government, finance, entertainment, and\r\ntelecommunication organizations. The recent activities targeting the telecommunication sector this post discusses\r\nare some of the latest such attacks.\r\nOur analysis of mim221 highlights the continuous maintenance and further development of the Chinese espionage\r\nmalware arsenal. These threat actors will almost certainly continue exploring and upgrading their tools with new\r\ntechniques for evading detection, including integrating and modifying publicly available code.\r\nSentinelLABS continues to monitor espionage activities and hopes that defenders will leverage the findings\r\npresented in this post to bolster their defenses.\r\nIndicators of Compromise\r\nSHA1 | Note\r\nf54a41145b732d47d4a2b0a1c6e811ddcba48558 | pc.exe\r\n1c405ba0dd99d9333173a8b44a98c6d029db8178 | AddSecurityPackage64.dll (unpatched)\r\ndf4bd177b40dd66f3efb8d6ea39459648ffd5c0e | AddSecurityPackage64.dll (patched)\r\n814f980877649bc67107d9e27e36fba677cad4e3 | pc.dll\r\n508408edda49359247edc7008762079c5ba725d9 | getHashFlsa64.dll (unpatched)\r\n97a7f1a36294e5525310f121e1b98e364a22e64d | getHashFlsa64.dll (patched)\r\nSource: https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/"
	],
	"report_names": [
		"operation-tainted-love-chinese-apts-target-telcos-in-new-attacks"
	],
	"threat_actors": [
		{
			"id": "72aaa00d-4dcb-4f50-934c-326c84ca46e3",
			"created_at": "2023-01-06T13:46:38.995743Z",
			"updated_at": "2026-04-10T02:00:03.175285Z",
			"deleted_at": null,
			"main_name": "Slingshot",
			"aliases": [],
			"source_name": "MISPGALAXY:Slingshot",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f55c7778-a41c-4fc6-a2e7-fa970c5295f2",
			"created_at": "2022-10-25T16:07:24.198891Z",
			"updated_at": "2026-04-10T02:00:04.897342Z",
			"deleted_at": null,
			"main_name": "Slingshot",
			"aliases": [],
			"source_name": "ETDA:Slingshot",
			"tools": [
				"Cahnadr",
				"GollumApp",
				"NDriver"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7bf3ffe5-09ba-4378-8ea4-a6d748a494fd",
			"created_at": "2022-10-25T15:50:23.264584Z",
			"updated_at": "2026-04-10T02:00:05.334294Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"GALLIUM",
				"Granite Typhoon"
			],
			"source_name": "MITRE:GALLIUM",
			"tools": [
				"ipconfig",
				"cmd",
				"China Chopper",
				"PoisonIvy",
				"at",
				"PlugX",
				"PingPull",
				"BlackMould",
				"Mimikatz",
				"PsExec",
				"HTRAN",
				"NBTscan",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aea3239c-a222-4b7f-8ac0-349222078817",
			"created_at": "2024-12-28T02:01:54.867096Z",
			"updated_at": "2026-04-10T02:00:04.840444Z",
			"deleted_at": null,
			"main_name": "Operation Tainted Love",
			"aliases": [],
			"source_name": "ETDA:Operation Tainted Love",
			"tools": [
				"Mimikatz",
				"mim221"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3b8b4ed7-e8cc-4a3a-b14d-c8ebf87c0f9c",
			"created_at": "2023-01-06T13:46:39.062729Z",
			"updated_at": "2026-04-10T02:00:03.200784Z",
			"deleted_at": null,
			"main_name": "Operation Soft Cell",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Soft Cell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9faf32b7-0221-46ac-a716-c330c1f10c95",
			"created_at": "2022-10-25T16:07:23.652281Z",
			"updated_at": "2026-04-10T02:00:04.702108Z",
			"deleted_at": null,
			"main_name": "Gallium",
			"aliases": [
				"Alloy Taurus",
				"G0093",
				"Granite Typhoon",
				"Phantom Panda"
			],
			"source_name": "ETDA:Gallium",
			"tools": [
				"Agentemis",
				"BlackMould",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"Gh0stCringe RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"LaZagne",
				"Mimikatz",
				"NBTscan",
				"PingPull",
				"Plink",
				"Poison Ivy",
				"PsExec",
				"PuTTY Link",
				"QuarkBandit",
				"Quasar RAT",
				"QuasarRAT",
				"Reshell",
				"SPIVY",
				"SinoChopper",
				"SoftEther VPN",
				"Sword2033",
				"WCE",
				"WinRAR",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Yggdrasil",
				"cobeacon",
				"nbtscan",
				"netcat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c87ee2df-e528-4fa0-bed6-6ed29e390688",
			"created_at": "2023-01-06T13:46:39.150432Z",
			"updated_at": "2026-04-10T02:00:03.231072Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"Red Dev 4",
				"Alloy Taurus",
				"Granite Typhoon",
				"PHANTOM PANDA"
			],
			"source_name": "MISPGALAXY:GALLIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434805,
	"ts_updated_at": 1775792221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2489f8f62792aa98af58ad2b907412db60a2fc2c.pdf",
		"text": "https://archive.orkl.eu/2489f8f62792aa98af58ad2b907412db60a2fc2c.txt",
		"img": "https://archive.orkl.eu/2489f8f62792aa98af58ad2b907412db60a2fc2c.jpg"
	}
}