{ "id": "fce90d00-cbf3-4c4f-b783-ce3734e7b59e", "created_at": "2026-04-06T00:15:37.854865Z", "updated_at": "2026-04-10T03:33:45.994009Z", "deleted_at": null, "sha1_hash": "27fe2f01f15c917d48e37dc831f2f0b5e39dcbab", "title": "FlowCloud (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49097, "plain_text": "FlowCloud (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 17:10:13 UTC\r\nThere is no description at this point.\r\n2024-06-05 ⋅ ⋅ Sekoia ⋅ Charles Meslay\r\nThe reverse engineering of malicious code in the ITC - Analysis of the evolution of a chain of infection (Slides)\r\nFlowCloud 2024-06-05 ⋅ ⋅ Sekoia ⋅ Charles Meslay\r\nReverse engineering of malicious code in CTI - Analysis of the evolution of an infection chain (Paper)\r\nFlowCloud 2024-06-05 ⋅ ⋅ SSTIC ⋅ Charles Meslay\r\nReverse engineering of malicious code in CTI - Analysis of the evolution of an infection chain (Video)\r\nFlowCloud 2023-04-23 ⋅ ESET Research ⋅ Alexandre Côté Cyr, Matthieu Faou\r\nTA410: APT10’s distant cousin\r\nFlowCloud Lookback PlugX Quasar RAT Tendyron Witchetty 2022-04-27 ⋅ ESET Research ⋅ Alexandre Côté Cyr, Matthieu\r\nFaou\r\nA lookback under the TA410 umbrella: Its cyberespionage TTPs and activity\r\nFlowCloud Lookback Witchetty 2021-04-26 ⋅ Dragos ⋅ Dragos\r\nNew ICS Threat Activity Group: TALONITE\r\nFlowCloud Lookback 2021-01-04 ⋅ nao_sec blog ⋅ nao_sec\r\nRoyal Road! Re:Dive\r\n8.t Dropper Chinoxy FlowCloud FunnyDream Lookback 2020-12-24 ⋅ IronNet ⋅ Adam Hlavek\r\nChina cyber attacks: the current threat landscape\r\nPLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti 2020-06-10 ⋅ Proofpoint ⋅ Dennis Schwarz\r\nFlowCloud Version 4.1.3 Malware Analysis\r\nFlowCloud 2020-06-08 ⋅ Proofpoint ⋅ Dennis Schwarz, Georgi Mladenov, Michael Raggi, Proofpoint Threat Research Team\r\nTA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware\r\nFlowCloud Lookback APT10 TA410\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.flowcloud\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.flowcloud\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flowcloud" ], "report_names": [ "win.flowcloud" ], "threat_actors": [ { "id": "ec14074c-8517-40e1-b4d7-3897f1254487", "created_at": "2023-01-06T13:46:38.300905Z", "updated_at": "2026-04-10T02:00:02.918468Z", "deleted_at": null, "main_name": "APT10", "aliases": [ "Red Apollo", "HOGFISH", "BRONZE RIVERSIDE", "G0045", "TA429", "Purple Typhoon", "STONE PANDA", "Menupass Team", "happyyongzi", "CVNX", "Cloud Hopper", "ATK41", "Granite Taurus", "POTASSIUM" ], "source_name": "MISPGALAXY:APT10", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3", "created_at": "2022-10-25T16:07:23.80111Z", "updated_at": "2026-04-10T02:00:04.753677Z", "deleted_at": null, "main_name": "LookBack", "aliases": [ "FlowingFrog", "LookBack", "LookingFrog", "TA410", "Witchetty" ], "source_name": "ETDA:LookBack", "tools": [ "FlowCloud", "GUP Proxy Tool", "SodomMain", "SodomMain RAT", "SodomNormal" ], "source_id": "ETDA", "reports": null }, { "id": "9ffcbb0c-7a0f-419f-a174-f18a02ce47f1", "created_at": "2023-01-06T13:46:39.059774Z", "updated_at": "2026-04-10T02:00:03.199867Z", "deleted_at": null, "main_name": "TA410", "aliases": [], "source_name": "MISPGALAXY:TA410", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3e8f802c-efba-45ff-8844-5ea4e4a5297d", "created_at": "2023-11-07T02:00:07.092751Z", "updated_at": "2026-04-10T02:00:03.404589Z", "deleted_at": null, "main_name": "Witchetty", "aliases": [ "LookingFrog" ], "source_name": "MISPGALAXY:Witchetty", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b98eb1ec-dc8b-4aea-b112-9e485408dd14", "created_at": "2022-10-25T16:07:23.649308Z", "updated_at": "2026-04-10T02:00:04.701157Z", "deleted_at": null, "main_name": "FunnyDream", "aliases": [ "Bronze Edgewood", "Red Hariasa", "TAG-16" ], "source_name": "ETDA:FunnyDream", "tools": [ "Chinoxy", "Filepak", "FilepakMonitor", "FunnyDream", "Keyrecord", "LOLBAS", "LOLBins", "Living off the Land", "Md_client", "PCShare", "ScreenCap", "TcpBridge", "Tcp_transfer", "ccf32" ], "source_id": "ETDA", "reports": null }, { "id": "ba9fa308-a29a-4928-9c06-73aafec7624c", "created_at": "2024-05-01T02:03:07.981061Z", "updated_at": "2026-04-10T02:00:03.750803Z", "deleted_at": null, "main_name": "BRONZE RIVERSIDE", "aliases": [ "APT10 ", "CTG-5938 ", "CVNX ", "Hogfish ", "MenuPass ", "MirrorFace ", "POTASSIUM ", "Purple Typhoon ", "Red Apollo ", "Stone Panda " ], "source_name": "Secureworks:BRONZE RIVERSIDE", "tools": [ "ANEL", "AsyncRAT", "ChChes", "Cobalt Strike", "HiddenFace", "LODEINFO", "PlugX", "PoisonIvy", "QuasarRAT", "QuasarRAT Loader", "RedLeaves" ], "source_id": "Secureworks", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a", "created_at": "2022-10-25T15:50:23.298889Z", "updated_at": "2026-04-10T02:00:05.316886Z", "deleted_at": null, "main_name": "menuPass", "aliases": [ "menuPass", "POTASSIUM", "Stone Panda", "APT10", "Red Apollo", "CVNX", "HOGFISH", "BRONZE RIVERSIDE" ], "source_name": "MITRE:menuPass", "tools": [ "certutil", "FYAnti", "UPPERCUT", "SNUGRIDE", "P8RAT", "RedLeaves", "SodaMaster", "pwdump", "Mimikatz", "PlugX", "PowerSploit", "ChChes", "cmd", "QuasarRAT", "AdFind", "Cobalt Strike", "PoisonIvy", "EvilGrab", "esentutl", "Impacket", "Ecipekac", "PsExec", "HUI Loader" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434537, "ts_updated_at": 1775792025, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/27fe2f01f15c917d48e37dc831f2f0b5e39dcbab.pdf", "text": "https://archive.orkl.eu/27fe2f01f15c917d48e37dc831f2f0b5e39dcbab.txt", "img": "https://archive.orkl.eu/27fe2f01f15c917d48e37dc831f2f0b5e39dcbab.jpg" } }