{
	"id": "03cdda3f-23b1-4853-9f66-44d2290494dd",
	"created_at": "2026-04-06T00:22:30.119588Z",
	"updated_at": "2026-04-10T03:37:26.400655Z",
	"deleted_at": null,
	"sha1_hash": "27826d1d5dadda30005ee99013eed4c483f62cb3",
	"title": "Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64600,
	"plain_text": "Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak\r\nBy Mandiant\r\nPublished: 2015-07-13 · Archived: 2026-04-05 17:22:12 UTC\r\nWritten by: FireEye Threat Intelligence\r\nThe FireEye as a Service team detected independent phishing campaigns conducted by two Chinese advanced\r\npersistent threat (APT) groups that we track, APT3 and APT18. Each threat group quickly took advantage of a\r\nzero-day vulnerability (CVE-2015-5119), which was leaked in the disclosure of Hacking Team’s internal data.\r\nAdobe released a patch for the vulnerability on July 8, 2015. Before that patch was released, the groups launched\r\nphishing campaigns against multiple companies in the aerospace and defense, construction and engineering,\r\neducation, energy, health and biotechnology, high tech, non-profit, telecommunications, and transportation\r\nindustries.\r\nAs of publication, we have no reason to believe APT3 and APT18 are working together. Their opportunism\r\ndemonstrates each group’s flexibility, organization, and awareness of developments in the information security\r\ncommunity.\r\nAPT3’s Campaign\r\nAPT3 actors targeted at least 10 organizations in the following industries:\r\nAerospace and Defense\r\nConstruction and Engineering\r\nEnergy\r\nHigh Tech\r\nNon-Profit\r\nTelecommunications\r\nTransportation\r\nAn example of an APT3 phishing email is below in Figure 1:\r\nFROM: \"\u003cfirst.last\u003e\" \u003cfirst.last\u003e@perrydale.com\r\nSUBJECT:  \u003cTarget\u003e Analysis report- 2015\r\nURLs:\r\nhxxp://report.perrydale[.]com/ema/RR201507[.]pdf\r\nhxxp://vic.perrydale[.]com/logo2.jpg\r\nhttps://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html\r\nPage 1 of 4\n\nhxxp://rpt.perrydale[.]com/en/rep201507101[.]pdf\r\nFigure 1: An example of APT3 phishing email using CVE-2015-5119\r\nAs of July 8, all three domains observed in the URLs resolved to 194.44.130.179. 
Similar to APT3’s activity in\r\nOperation Clandestine Wolf, the URLs redirect to JavaScript profilers and a malicious Adobe Flash file. The Flash\r\nfile downloads an obfuscated GIF, which contains a SHOTPUT payload compiled the day APT3 sent the phishing\r\nemails. SHOTPUT is a DLL backdoor that communicates over HTTP and may be capable of uploading or\r\ndownloading files, managing processes, executing system commands, and collecting system information.\r\nSHOTPUT may also be detected as Backdoor.APT.CookieCutter. The SHOTPUT backdoor communicates to the\r\nfollowing command and control (CnC) addresses, which are hardcoded into the malware:\r\npsa.perrydale[.]com\r\nlink.angellroofing[.]com\r\n107.20.255.57\r\n23.99.20.198\r\nThis is the third time since mid-2014 that we have observed APT3 using a zero-day, which attests to its ability to\r\ncapitalize on new exploits.\r\nAPT18’s Campaign\r\nAPT18 actors targeted at least 13 organizations in the following industries:\r\nAerospace and Defense\r\nConstruction and Engineering\r\nEducation\r\nHealth and Biotechnology\r\nHigh Tech\r\nTelecommunications\r\nTransportation\r\nAn example of an APT18 phishing email is shown in Figure 2:\r\nFROM:  \u003cvarious\u003e @duwrt.com\r\nSUBJECT: Important:Flash Update\r\nBody:\r\nDear,\r\nIf you already have Flash installed on your computer, you'll be asked to download and install update. Once the\r\nnew update is installed, Flash should function normally. Update Outlook Many Flash problems can be solved by\r\nupdating your client software to the latest version. Please verify that you have all the latest updates available for\r\nyour version of Adobe flash software. 
Here's how:\r\n1. Download update hxxp://get[.]adobe[.]com/ (masked URL: hxxp://137.175.4[.]132/index.htm)\r\n2. Click Check for Updates.\r\n3. Restart your computer after you have verified that all updates are installed. You must have administrative\r\nprivileges on your computer to install any Flash. Please contact your desktop support staff if you need assistance.\r\nFigure 2: An example of APT18 phishing email using CVE-2015-5119\r\nOnce the victim clicks the URL, the system downloads a malicious Adobe Flash (.swf) file with the properties\r\nshown in Figure 3.\r\nFilename: movie.swf\r\nMD5: 079a440bee0f86d8a59ebc5c4b523a07\r\nFilesize: 214976\r\nFigure 3: APT18 Malicious SWF Properties\r\nUpon exploitation, a GH0ST RAT variant is delivered to the victims’ system, which calls out to a previously\r\nknown APT18 CnC address 223.25.233.248. GH0ST RAT is a backdoor derived from public source code. It may\r\nalso be detected as Backdoor.APT.Gh0stRat. The compiled source code provides attackers with many ways to\r\ncontrol a victim’s system, including the ability to create, manipulate, delete, launch, or transfer files; perform\r\nscreen or audio capture; enable a webcam; list or kill processes; open a command shell; and wipe event logs.\r\nHowever, since the source code is public, threat groups may tailor the code by removing or adding functionality.\r\nComparing the Campaigns\r\nAPT3 and APT18 took a slightly different approach in employing the exploit, which demonstrates they likely\r\nwork independently. As usual, APT3 used compromised infrastructure, while APT18 relied on procured\r\ninfrastructure. 
APT3 used customized phishing emails that sometimes contained the names of the targeted\r\norganizations, whereas APT18’s emails were nonspecific and likely crafted to be used on multiple targets.\r\nQuick Turnaround Time Demonstrates Adaptability and Opportunism\r\nThe groups demonstrated their adaptability and skill by quickly employing Hacking Team’s leaked zero-day\r\nbefore the vulnerability was patched. Both groups likely monitor information from security research to learn what\r\nexploits are available and how network defenders are reacting to them. We have previously observed APT3\r\nmonitoring and quickly changing tactics based on public research. After we exposed details about Operation\r\nClandestine Wolf, APT3 changed its phishing emails, modified filenames, and updated its backdoor.\r\nIn the past, APT3 and APT18 have frequently developed or adapted zero-day exploits for operations, which were\r\nlikely planned in advance. Using data from the Hacking Team leak demonstrates how they can shift resources—\r\nselecting targets, preparing infrastructure, crafting messages, and updating tools—to take advantage of unexpected\r\nopportunities like newly exposed exploits.\r\nRecommendations\r\nFireEye maintains endpoint and network detection for CVE-2015-5119, the backdoors used in these campaigns,\r\nand other tools used by these groups. Additionally, we highly recommend:\r\nApplying Adobe’s patch for Flash immediately,\r\nQuerying for additional activity by source addresses or email indicators,\r\nBlocking CnC addresses via outbound communications, and\r\nScoping the environment to prepare for incident response.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html"
	],
	"report_names": [
		"demonstrating_hustle.html"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c8aefee7-fb57-409b-857e-23e986cb4a56",
			"created_at": "2023-01-06T13:46:38.285223Z",
			"updated_at": "2026-04-10T02:00:02.910756Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"SCANDIUM",
				"PLA Navy",
				"Wekby",
				"G0026",
				"Satin Typhoon",
				"DYNAMITE PANDA",
				"TG-0416"
			],
			"source_name": "MISPGALAXY:APT18",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2669aa86-663f-4e72-9362-9e61ff3599f4",
			"created_at": "2022-10-25T15:50:23.344796Z",
			"updated_at": "2026-04-10T02:00:05.38663Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"APT18",
				"TG-0416",
				"Dynamite Panda",
				"Threat Group-0416"
			],
			"source_name": "MITRE:APT18",
			"tools": [
				"hcdLoader",
				"gh0st RAT",
				"cmd",
				"Pisloader",
				"HTTPBrowser"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "13354d3f-3f40-44ec-b42a-3cda18809005",
			"created_at": "2022-10-25T15:50:23.275272Z",
			"updated_at": "2026-04-10T02:00:05.36519Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"APT3",
				"Gothic Panda",
				"Pirpi",
				"UPS Team",
				"Buckeye",
				"Threat Group-0110",
				"TG-0110"
			],
			"source_name": "MITRE:APT3",
			"tools": [
				"OSInfo",
				"schtasks",
				"PlugX",
				"LaZagne",
				"SHOTPUT",
				"RemoteCMD"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c",
			"created_at": "2025-08-07T02:03:24.631402Z",
			"updated_at": "2026-04-10T02:00:03.608938Z",
			"deleted_at": null,
			"main_name": "BRONZE MAYFAIR",
			"aliases": [
				"APT3 ",
				"Gothic Panda ",
				"Pirpi",
				"TG-0110 ",
				"UPSTeam"
			],
			"source_name": "Secureworks:BRONZE MAYFAIR",
			"tools": [
				"Cookiecutter",
				"HUC Proxy Malware (Htran)",
				"Pirpi",
				"PlugX",
				"SplitVPN",
				"UPS",
				"ctt",
				"ctx"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "06f622cb-3a78-49cf-9a4c-a6007a69325f",
			"created_at": "2022-10-25T16:07:23.315239Z",
			"updated_at": "2026-04-10T02:00:04.537826Z",
			"deleted_at": null,
			"main_name": "APT 3",
			"aliases": [
				"APT 3",
				"Boron",
				"Brocade Typhoon",
				"Bronze Mayfair",
				"Buckeye",
				"G0022",
				"Gothic Panda",
				"Group 6",
				"Operation Clandestine Fox",
				"Operation Clandestine Fox, Part Deux",
				"Operation Clandestine Wolf",
				"Operation Double Tap",
				"Red Sylvan",
				"TG-0110",
				"UPS Team"
			],
			"source_name": "ETDA:APT 3",
			"tools": [
				"APT3 Keylogger",
				"Agent.dhwf",
				"BKDR_HUPIGON",
				"Backdoor.APT.CookieCutter",
				"Badey",
				"Bemstour",
				"CookieCutter",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EXL",
				"EternalBlue",
				"HTran",
				"HUC Packet Transmit Tool",
				"Hupigon",
				"Hupigon RAT",
				"Kaba",
				"Korplug",
				"LaZagne",
				"MFC Huner",
				"OSInfo",
				"Pirpi",
				"PlugX",
				"RedDelta",
				"RemoteCMD",
				"SHOTPUT",
				"Sogu",
				"TIGERPLUG",
				"TTCalc",
				"TVT",
				"Thoper",
				"Xamtrav",
				"remotecmd",
				"shareip",
				"w32times"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434950,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/27826d1d5dadda30005ee99013eed4c483f62cb3.pdf",
		"text": "https://archive.orkl.eu/27826d1d5dadda30005ee99013eed4c483f62cb3.txt",
		"img": "https://archive.orkl.eu/27826d1d5dadda30005ee99013eed4c483f62cb3.jpg"
	}
}