{
	"id": "7805d605-d0c9-4185-bb78-865e02bed2a3",
	"created_at": "2026-04-06T00:19:07.983518Z",
	"updated_at": "2026-04-10T03:37:54.358946Z",
	"deleted_at": null,
	"sha1_hash": "259282de423fa65b39e9c6894ab98ec0a85e15a7",
	"title": "The Chronicles of the Hellsing APT: the Empire Strikes Back",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2581029,
	"plain_text": "The Chronicles of the Hellsing APT: the Empire Strikes Back\r\nBy Costin Raiu\r\nPublished: 2015-04-15 · Archived: 2026-04-02 11:36:09 UTC\r\nhttps://www.youtube.com/watch?v=gvAUfp4iDw4\r\nIntroduction\r\nOne of the most active APT groups in Asia, and especially around the South China Sea area is “Naikon”. Naikon\r\nplays a key part in our story, but the focus of this report is on another threat actor entirely; one who came to our\r\nattention when they hit back at a Naikon attack.\r\nNaikon is known for its custom backdoor, called RARSTONE, which our colleagues at Trend Micro have\r\ndescribed in detail. The name Naikon comes from a custom user agent string, “NOKIAN95/WEB”, located within\r\nthe backdoor:\r\nNOKIAN string in Naikon backdoor\r\nThe Naikon group is mostly active in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam,\r\nMyanmar, Singapore, and Nepal, hitting a variety of targets in a very opportunistic way. What was perhaps one of\r\nthe biggest operations of the Naikon group was launched in March 2014, in the wake of the MH370 tragedy that\r\ntook place on March 8th. By March 11th, the Naikon group was actively hitting most of the nations involved in\r\nthe search for MH370. 
The targets were extremely wide-ranging but included institutions with access to\r\ninformation related to the disappearance of MH370, such as:\r\nOffice of the President\r\nArmed Forces\r\nOffice of the Cabinet Secretary\r\nNational Security Council(s)\r\nhttps://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/\r\nPage 1 of 12\n\nOffice of the Solicitor General\r\nNational Intelligence Coordinating Agency\r\nCivil Aviation Authority\r\nDepartment of Justice\r\nNational Police\r\nPresidential Management Staff\r\nThe Naikon group used mostly spear-phished documents for the attacks, with CVE-2012-0158 exploits that\r\ndropped the group’s signature backdoor.\r\nWhile many of these attacks were successful, at least one of the targets didn’t seem to like being hit, and\r\ninstead of opening the documents, decided on a very different course of action.\r\nThe empire strikes back\r\nHere’s a question – what should you do when you receive a suspicious document from somebody you don’t\r\nknow, or know very little? Choose one:\r\n1. Open the document\r\n2. Don’t open the document\r\n3. Open the document on a Mac (everybody knows Macs don’t get viruses)\r\n4. Open the document in a virtual machine with Linux\r\nBased on our experience, most people would say 2, 3 or 4. Very few would open the document and even fewer\r\nwould actually decide to test the attacker and verify its story.\r\nBut this is exactly what happened when one of the Naikon spear-phishing targets received a suspicious email.\r\nInstead of opening the document or choosing to open it on an exotic platform, they decided to check the story with\r\nthe sender:\r\nNaikon target asks for confirmation of the email\r\nIn the email above, we can see the target questioning the authenticity of the Naikon spear-phishing. 
They ask the\r\nsender if it was their intention to email this document.\r\nThe attacker was, of course, not confused in the slightest, and being very familiar with the internal structure of the\r\ntarget’s government agency, replied claiming that they work for the secretariat division and were instructed to send\r\nit by the organization’s management:\r\nNaikon attacker replies to the target\r\nThe reply is written in poor English and indicates that the attacker is probably not as proficient in the language as\r\nthe intended victim. Seeing the reply, the target obviously decided not to open the document. Moreover, they\r\ndecided to go a bit further and try to learn more about the attacker.\r\nNot long after the first exchange, the following email was sent to the attacker by the target:\r\nThe attachment is a password-protected RAR archive, which lets it bypass the malware scanners of the free email\r\nservice used by the attackers, since a scanner cannot inspect the encrypted contents. Inside the archive we find two\r\ndecoy PDF files and one SCR file:\r\nMuch to our surprise, the “SCR” file turned out to be a backdoor prepared especially for the Naikon fraudsters.\r\nThe file “Directory of … Mar 31, 2014.scr” (md5: 198fc1af5cd278091f36645a77c18ffa) drops a blank\r\ndocument containing the error message and a backdoor module (md5: 588f41b1f34b29529bc117346355113f).\r\nThe backdoor connects to the command server located at philippinenews[.]mooo[.]com.\r\nThe backdoor can perform the following actions:\r\ndownload files\r\nupload files\r\nupdate itself\r\nuninstall itself\r\nWe were amazed to see this course of action and decided to investigate the “Empire Strikes Back”-door further;\r\nnaming the actor “Hellsing” (explained later).\r\nThe malware used by the intended victim appears to have the following geographical distribution, according to\r\nKSN data:\r\nMalaysia – government 
networks\r\nPhilippines – government networks\r\nIndonesia – government networks\r\nUSA – diplomatic agencies\r\nIndia (old versions of malware)\r\nIn addition, we’ve observed the targeting of ASEAN-related entities.\r\nVictims of Hellsing attacks\r\nThe actor targets its intended victims using spear-phishing emails with archives containing malware, similar to the\r\none it used against the Naikon group. Some of the attachment names we observed include:\r\n2013 Mid-Year IAG Meeting Admin Circular FINAL.7z\r\nHSG FOLG ITEMS FOR USE OF NEWLY PROMOTED YNC FEDERICO P AMORADA 798085 PN CLN.zip\r\nHome Office Directory as of May 2012.Please find attached here the latest DFA directory and key position officials for your referenece.scr\r\nLOI Nr 135-12 re 2nd Quarter.Scr\r\nLetter from Paquito Ochoa to Albert Del Rosario,the Current Secretary of Foreign Affairs of the Philippines.7z\r\nLetter to SND_Office Call and Visit to Commander, United States Pacific Command (USPACOM) VER 4.0.zip\r\nPAF-ACES Fellowship Program.scr\r\nRAND Analytic Architecture for Capabilities Based Planning, Mission System Analysis, and Transformation.scr\r\nUpdate Attachments_Interaction of Military Personnel with the President _2012_06_28.rar\r\nUpdate SND Meeting with the President re Hasahasa Shoal Incident.scr\r\nWashington DC Directory November 2012-EMBASSY OF THE PHILIPPINES.zip\r\nZPE-791-2012\u0026ZPE-792-2012.rar\r\nzpe-791-2012.PDF.scr\r\nNote that .scr files are ordinary Windows PE executables (screensavers) and run on double-click like any .exe;\r\nnames such as zpe-791-2012.PDF.scr count on the final extension being hidden or overlooked.\r\nWe’ve observed RAR, ZIP and 7ZIP archives in the attacks – the 7ZIP archives with passwords were probably\r\nintroduced as a way to bypass the recent security features on Gmail, which block password-protected archives\r\nwith executables inside.\r\nEach backdoor has a command and control server inside as well as a version 
number and a campaign or victim\r\nidentifier. Some examples include:\r\nMD5 | Date | C\u0026C | Campaign identifier\r\n2682a1246199a18967c98cb32191230c | Mar 31 2014 | freebsd.extrimtur[.]com | 1.6.1_MOTAC\r\n31b3cc60dbecb653ae972db9e57e14ec | Mar 31 2014 | freebsd.extrimtur[.]com | 1.6.1_MOTAC\r\n4dbfd37fd851daebdae7f009adec3cbd | Nov 08 2013 | articles.whynotad[.]com | 1.5_articles.whynotad.com-nsc\r\n015915bbfcda1b2b884db87262970a11 | Feb 19 2014 | guaranteed9.strangled[.]net | 1.5_guaranteed9-nsc\r\n3a40e0deb14f821516eadaed24301335 | Mar 31 2014 | hosts.mysaol[.]com | 1.6.1_imi;simple\r\n73396bacd33cde4c8cb699bcf11d9f56 | Nov 08 2013 | web01.crabdance[.]com | 1.5_op_laptop\r\n7c0be4e6aee5bc5960baa57c6a93f420 | Nov 08 2013 | hosts.mysaol[.]com | 1.5_MMEA\r\nbff9c356e20a49bbcb12547c8d483352 | Apr 02 2014 | imgs09.homenet[.]org | 1.6.1_It\r\nc0e85b34697c8561452a149a0b123435 | Apr 02 2014 | imgs09.homenet[.]org | 1.6.1_It\r\nf13deac7d2c1a971f98c9365b071db92 | Nov 08 2013 | hosts.mysaol[.]com | 1.5_MMEA\r\nf74ccb013edd82b25fd1726b17b670e5 | May 12 2014 | second.photo-frame[.]com | 1.6.2s_Ab\r\nThe campaign identifiers could be related to the organizations targeted by the specific builds of this APT. 
Some\r\npossible descriptions for these initials could be:\r\nMOTAC – Ministry of Tourism and Culture, Malaysia – http://www.motac.gov.my/en/\r\nNSC – National Security Council, Malaysia – http://www.nsc.gov.my/\r\nMMEA – Malaysian Maritime Enforcement Agency – http://www.mmea.gov.my\r\nArtifacts and overlap with other APTs\r\nInterestingly, some of the infrastructure used by the attackers appears to overlap (although around a year apart)\r\nwith a group tracked internally at Kaspersky Lab as PlayfullDragon (also known as “GREF”); while other aspects\r\nof the infrastructure overlap with a group known as Mirage or Vixen Panda.\r\nFor instance, one of the PlayfullDragon’s Xslcmd backdoors described by our colleagues from FireEye (md5:\r\n6c3be96b65a7db4662ccaae34d6e72cc) beams to cdi.indiadigest[.]in:53. One of the Hellsing samples we\r\nanalysed (md5: 0cbefd8cd4b9a36c791d926f84f10b7b) connects to the C\u0026C server at webmm.indiadigest[.]in.\r\nAlthough the hostname is not the same, the shared parent domain indiadigest[.]in suggests some kind of connection\r\nbetween the groups. Several other C\u0026C subdomains on “indiadigest[.]in” include:\r\naac.indiadigest[.]in\r\nld.indiadigest[.]in\r\nlongc.indiadigest[.]in\r\nAnother overlap we observed is with an APT known as Cycldek or Goblin Panda. Some of the Hellsing samples\r\nwe analysed in this operation (e.g. md5: a91c9a2b1bc4020514c6c49c5ff84298) communicate with the server\r\nwebb[.]huntingtomingalls[.]com, using a protocol specific to the Cycldek backdoors\r\n(binup.asp/textup.asp/online.asp).\r\nIt appears that the Hellsing developer started from the Cycldek sources and worked together with the operators\r\nfrom other APT groups. Nevertheless, it is sufficiently different to warrant classification as a stand-alone\r\noperation.\r\nSo, where does the Hellsing name come from? One of the samples we analysed (md5:\r\n036e021e1b7f61cddfd294f791de7ea2) appears to have been compiled in a rush and the attacker forgot to remove\r\nthe debug information. 
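How such a leftover debug record is found in a sample, as an added example that is not part of the report and not Kaspersky tooling: the Microsoft linker stores the PDB path in a CodeView RSDS record (the four-byte signature, a 16-byte PDB GUID, a 4-byte age, then the NUL-terminated path), so a raw scan for that layout recovers the path plus the GUID/age pair that names the exact PDB, with no PE header parsing. The paths are the ones the report lists further below; the GUIDs, the filler bytes and the decoy record are constructed here so the scanner has something to run on.

```python
import struct
import uuid

NUL = bytes(1)
MAX_PATH = 260

# Debug paths from the report's list, wrapped below in constructed RSDS
# records. The GUIDs and surrounding bytes are this example's own, not
# bytes from a Hellsing binary.
PDB_PATHS = [
    'e:\\Hellsing\\release\\clare.pdb',
    'd:\\hellsing\\sys\\xkat\\objchk_win7_x86\\i386\\xKat.pdb',
    'd:\\Hellsing\\release\\msger\\msger_server.pdb',
    'D:\\Hellsing\\release\\exe\\exe\\test.pdb',
]

def rsds_record(path, age=1):
    '''Lay out a CodeView RSDS record as the linker emits it: signature,
    16-byte PDB GUID in little-endian field order, 4-byte age, then the
    NUL-terminated path. The GUID is derived from the path for repeatability.'''
    guid = uuid.uuid5(uuid.NAMESPACE_DNS, path).bytes_le
    return b'RSDS' + guid + struct.pack('<I', age) + path.encode('ascii') + NUL

# Constructed sample: filler, four real records, then a decoy 'RSDS' with
# nothing printable behind it, which the scanner must reject.
SAMPLE = b''.join(bytes(32) + rsds_record(p) + b' filler ' for p in PDB_PATHS)
SAMPLE += b'RSDS' + bytes(20) + bytes([200] * 8) + NUL

def extract_codeview(blob):
    '''Scan raw bytes for RSDS records and return the recoverable fields.
    A raw scan is deliberate: it still works on memory dumps, unpacked
    regions and truncated files where the PE debug directory is gone.'''
    found = []
    pos = blob.find(b'RSDS')
    while pos >= 0:
        start = pos + 4 + 16 + 4
        end = blob.find(NUL, start)
        path = blob[start:end] if end >= 0 else b''
        # Reject junk: empty, longer than MAX_PATH, or not printable ASCII.
        if 0 < len(path) <= MAX_PATH and all(32 <= b < 127 for b in path):
            found.append({
                'offset': pos,
                'guid': str(uuid.UUID(bytes_le=blob[pos + 4:pos + 20])),
                'age': struct.unpack('<I', blob[pos + 20:pos + 24])[0],
                'path': path.decode('ascii'),
            })
        pos = blob.find(b'RSDS', pos + 4)
    return found

def project_root(path):
    '''First directory under the drive letter (Hellsing for
    e:\\Hellsing\\release\\clare.pdb), the handle the report pivots on.'''
    parts = [p for p in path.replace('\\', '/').split('/') if p]
    if len(parts) > 1 and parts[0].endswith(':'):
        return parts[1]
    return parts[0]

def project_counts(records):
    '''Case-insensitive tally of project roots across a set of records, so
    e:\\Hellsing and d:\\hellsing count as one project.'''
    counts = {}
    for r in records:
        key = project_root(r['path']).lower()
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == '__main__':
    records = extract_codeview(SAMPLE)
    for rec in records:
        print(rec['offset'], rec['guid'], rec['age'], rec['path'])
    print(project_counts(records))
```

The GUID and age are worth keeping alongside the path: together they identify one specific PDB file (the age is bumped on each relink against the same PDB), so two samples that share a GUID were linked on the same build machine against the same project, which is a tighter link than a matching path string alone.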
One can see the project name is Hellsing and the malware is called “msger”:\r\nOf course, Hellsing can have many different meanings, including the famous doctor from Bram Stoker’s Dracula.\r\nHowever, according to Wikipedia, “Hellsing (ヘルシング Herushingu) is also a Japanese manga series written\r\nand illustrated by Kouta Hirano. It first premiered in Young King Ours in 1997 and ended in September 2008”.\r\nThe Hellsing series chronicles the efforts of the mysterious and secret Hellsing Organization, as it combats\r\nvampires, ghouls, and other supernatural foes; which makes it perhaps an appropriate name for our group.\r\nIn addition to the Hellsing/msger malware, we’ve identified a second generation of Trojan samples which appear\r\nto be called “xweber” by the attackers:\r\n“Xweber” seems to be the more recent Trojan, taking into account compilation timestamps. All the “msger”\r\nsamples we have seen appear to have been compiled in 2012. The “Xweber” samples are from 2013 and from\r\n2014, indicating that at some point during 2013 the “msger” malware project was renamed and/or integrated into\r\n“Xweber”.\r\nDuring our investigation we’ve observed the Hellsing APT using both the “Xweber” and “msger” backdoors in\r\ntheir attacks, as well as other tools named “xrat”, “clare”, “irene” and “xKat”.\r\nOnce the Hellsing attackers compromise a computer, they deploy other tools which can be used for gathering\r\nfurther information about the victim or doing lateral movement. One such tool is “test.exe”:\r\nName test.exe\r\nSize 45,568 bytes\r\nMD5 14309b52f5a3df8cb0eb5b6dae9ce4da\r\nType Win32 PE i386 executable\r\nThis tool is used to gather information and test available proxies. 
Interestingly, it also contains the Hellsing debug\r\npath:\r\nAnother attack tool deployed in a victim’s environment was a file system driver, named “diskfilter.sys”, although\r\ninternally it claims to be named “xrat.sys”. The driver is unsigned and compiled for 32-bit Windows. It was used\r\nbriefly in 2013, before being abandoned by the attackers, possibly because of kernel-mode code signing enforcement:\r\n64-bit Windows Vista and later (Windows 7 included) refuse to load unsigned drivers, so an unsigned driver like this\r\none can only be loaded on 32-bit installations:\r\nAnother tool used by the attackers is called “xKat”:\r\nName xkat.exe\r\nSize 78,848 bytes\r\nMD5 621e4c293313e8638fb8f725c0ae9d0f\r\nType Win32 PE i386 executable\r\nThis is a powerful file deletion and process killer which uses a driver (Dbgv.sys) to perform the operations. We’ve\r\nseen it being used by the attackers to kill and delete malware belonging to their competitors.\r\nSome of the debug paths found in the binaries include:\r\ne:\\Hellsing\\release\\clare.pdb\r\ne:\\Hellsing\\release\\irene\\irene.pdb\r\nd:\\hellsing\\sys\\irene\\objchk_win7_x86\\i386\\irene.pdb\r\nd:\\hellsing\\sys\\xkat\\objchk_win7_x86\\i386\\xKat.pdb\r\nd:\\Hellsing\\release\\msger\\msger_install.pdb\r\nd:\\Hellsing\\release\\msger\\msger_server.pdb\r\nd:\\hellsing\\sys\\xrat\\objchk_win7_x86\\i386\\xrat.pdb\r\nD:\\Hellsing\\release\\exe\\exe\\test.pdb\r\nAttribution\r\nIn general, the attribution of APTs is a very tricky task which is why we prefer to publish technical details and\r\nallow others to draw their own conclusions.\r\nThe Hellsing-related samples appear to have been compiled around the following times:\r\nAssuming a working day of roughly 9/10 am to 6/7 pm, the compilation times cluster in the GMT+8 or GMT+9\r\ntime zone.\r\nConclusions\r\nThe Hellsing APT group is currently active in the APAC region, hitting 
targets mainly in the South China Sea\r\narea, with a focus on Malaysia, the Philippines and Indonesia. The group has a relatively small footprint compared\r\nto massive operations such as “Equation”. Smaller groups can have the advantage of being able to stay under the\r\nradar for longer periods of time, which is what happened here.\r\nThe targeting of the Naikon group by the Hellsing APT is perhaps the most interesting part. In the past, we’ve\r\nseen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing\r\neveryone on each of these lists. But, considering the timing and origin of the attack, the current case seems more\r\nlikely to be an APT-on-APT attack.\r\nTo protect against a Hellsing attack, we recommend that organisations follow basic security best practices:\r\nDon’t open attachments from people you don’t know\r\nBeware of password-protected archives which contain SCR or other executable files inside\r\nIf you are unsure about the attachment, try to open it in a sandbox\r\nMake sure you have a modern operating system with all patches installed\r\nUpdate all third party applications such as Microsoft Office, Java, Adobe Flash Player and Adobe Reader\r\nKaspersky Lab products detect the backdoors used by the Hellsing attacker as: HEUR:Trojan.Win32.Generic,\r\nTrojan-Dropper.Win32.Agent.kbuj, Trojan-Dropper.Win32.Agent.kzqq.\r\nAppendix:\r\nHellsing Indicators of Compromise\r\nSource: https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/"
	],
	"report_names": [
		"69567"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "78090a48-ca66-4cd8-a454-04d947e9c887",
			"created_at": "2023-01-06T13:46:38.303662Z",
			"updated_at": "2026-04-10T02:00:02.919567Z",
			"deleted_at": null,
			"main_name": "Hellsing",
			"aliases": [],
			"source_name": "MISPGALAXY:Hellsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32",
			"created_at": "2023-04-20T02:01:50.979595Z",
			"updated_at": "2026-04-10T02:00:02.913011Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"BRONZE STERLING",
				"G0013",
				"PLA Unit 78020",
				"OVERRIDE PANDA",
				"Camerashy",
				"BRONZE GENEVA",
				"G0019",
				"Naikon"
			],
			"source_name": "MISPGALAXY:Naikon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "adfbe698-24b2-41fc-a701-781fef330b16",
			"created_at": "2024-01-09T02:00:04.17648Z",
			"updated_at": "2026-04-10T02:00:03.504826Z",
			"deleted_at": null,
			"main_name": "GREF",
			"aliases": [],
			"source_name": "MISPGALAXY:GREF",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf",
			"created_at": "2022-10-25T15:50:23.31611Z",
			"updated_at": "2026-04-10T02:00:05.370146Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"Naikon"
			],
			"source_name": "MITRE:Naikon",
			"tools": [
				"ftp",
				"netsh",
				"WinMM",
				"Systeminfo",
				"RainyDay",
				"RARSTONE",
				"HDoor",
				"Sys10",
				"SslMM",
				"PsExec",
				"Tasklist",
				"Aria-body"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62",
			"created_at": "2025-08-07T02:03:24.604463Z",
			"updated_at": "2026-04-10T02:00:03.798481Z",
			"deleted_at": null,
			"main_name": "BRONZE GENEVA",
			"aliases": [
				"APT30 ",
				"BRONZE STERLING ",
				"CTG-5326 ",
				"Naikon ",
				"Override Panda ",
				"RADIUM ",
				"Raspberry Typhoon"
			],
			"source_name": "Secureworks:BRONZE GENEVA",
			"tools": [
				"Lecna Downloader",
				"Nebulae",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434747,
	"ts_updated_at": 1775792274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/259282de423fa65b39e9c6894ab98ec0a85e15a7.pdf",
		"text": "https://archive.orkl.eu/259282de423fa65b39e9c6894ab98ec0a85e15a7.txt",
		"img": "https://archive.orkl.eu/259282de423fa65b39e9c6894ab98ec0a85e15a7.jpg"
	}
}