{
	"id": "2e010923-de3e-4eaf-a754-2f36a7c4d99c",
	"created_at": "2026-04-06T00:09:04.696517Z",
	"updated_at": "2026-04-10T03:36:06.729424Z",
	"deleted_at": null,
	"sha1_hash": "285a8a65c0986c6f084ca9b6c7b1ba98071957f3",
	"title": "Operation NightScout: Supply-chain attack targets online gaming in Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1704482,
	"plain_text": "Operation NightScout: Supply-chain attack targets online gaming\r\nin Asia\r\nBy Ignacio Sanmillan\r\nArchived: 2026-04-05 18:27:51 UTC\r\nUPDATE (February 3rd, 2021):\r\nFollowing the publication of our research, BigNox have contacted us to say that their initial denial of the\r\ncompromise was a misunderstanding on their part and that they have since taken these steps to improve security\r\nfor their users:\r\nuse only HTTPS to deliver software updates in order to minimize the risks of domain hijacking and Man-in-the-Middle (MitM) attacks\r\nimplement file integrity verification using MD5 hashing and file signature checks\r\nadopt additional measures, notably encryption of sensitive data, to avoid exposing users’ personal\r\ninformation\r\nBigNox have also stated that they have pushed the latest files to the update server for NoxPlayer and that, upon\r\nstartup, NoxPlayer will now run a check of the application files previously installed on the users’ machines.\r\nESET assumes no responsibility for the accuracy of the information provided by BigNox.\r\nDuring 2020, ESET research reported various supply-chain attacks, such as the case of WIZVERA VeraPort, used\r\nby government and banking websites in South Korea, Operation StealthyTrident compromising the Able Desktop\r\nchat software used by several Mongolian government agencies, and Operation SignSight, compromising the\r\ndistribution of signing software distributed by the Vietnamese government.\r\nIn January 2021, we discovered a new supply-chain attack compromising the update mechanism of NoxPlayer, an\r\nAndroid emulator for PCs and Macs, and part of BigNox's product range with over 150 million users worldwide.\r\nThis software is generally used by gamers in order to play mobile games from their PCs, making this incident\r\nsomewhat unusual.\r\nThree different malware families were spotted being distributed from tailored malicious updates to selected\r\nvictims, with no sign of leveraging any 
financial gain, but rather surveillance-related capabilities.\r\nWe spotted similarities in loaders we have been monitoring in the past with some of the ones used in this\r\noperation, such as instances we discovered in a Myanmar presidential office website supply-chain compromise in\r\n2018, and in early 2020 in an intrusion into a Hong Kong university.\r\nhttps://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/\r\nPage 1 of 16\n\nAbout BigNox\r\nBigNox is a company based in Hong Kong, which provides various products, primarily an Android emulator for\r\nPCs and Macs called NoxPlayer. The company’s official website claims that it has over 150 million users in more\r\nthan 150 countries speaking 20 different languages. However, it’s important to note that the BigNox follower base\r\nis predominantly in Asian countries.\r\nBigNox also wrote an extensive blogpost in 2019 on the use of VPNs in conjunction with NoxPlayer, showing the\r\ncompany’s concern for their users' privacy.\r\nWe have contacted BigNox about the intrusion, and they denied being affected. 
We have also offered our support\r\nto help them past the disclosure in case they decide to conduct an internal investigation.\r\nAm I compromised?\r\nWho is affected: NoxPlayer users.\r\nHow to determine if I received a malicious update or not: check if any ongoing process has an active\r\nnetwork connection with known active C\u0026C servers, or check whether any of the malware files named in this report\r\nis present at:\r\nC:\\ProgramData\\Sandboxie\\SbieIni.dat\r\nC:\\ProgramData\\Sandboxie\\SbieDll.dll\r\nC:\\ProgramData\\LoGiTech\\LBTServ.dll\r\nC:\\Program Files\\Internet Explorer\\ieproxysocket64.dll\r\nC:\\Program Files\\Internet Explorer\\ieproxysocket.dll\r\nor whether a file named %LOCALAPPDATA%\\Nox\\update\\UpdatePackageSilence.exe exists that is not digitally signed by\r\nBigNox.\r\nHow to stay safe:\r\nIn case of intrusion - standard reinstall from clean media.\r\nFor non-compromised users: do not download any updates until BigNox notifies that it has\r\nmitigated the threat.\r\nTimeline\r\nBased on ESET telemetry, we saw the first indicators of compromise in September 2020, and activity continued\r\nuntil we uncovered explicitly malicious activity on January 25th, 2021, at which point we reported the incident to\r\nBigNox.\r\nVictimology\r\nIn comparison to the overall number of active NoxPlayer users, there is a very small number of victims.\r\nAccording to ESET telemetry, more than 100,000 of our users have NoxPlayer installed on their machines. Among\r\nthem, only 5 users received a malicious update, showing that Operation NightScout is a highly targeted operation.\r\nThe victims are based in Taiwan, Hong Kong and Sri Lanka.\r\nFigure 1. Asia victimology map\r\nWe were unable to find correlations that would suggest any relationships among victims. 
However, based\r\non the compromised software in question and the delivered malware exhibiting surveillance capabilities, we\r\nbelieve this may indicate the intent of collecting intelligence on targets somehow involved in the gaming\r\ncommunity.\r\nIt is important to highlight that, in contrast with similar previous operations such as the Winnti Group activity\r\ntargeting the gaming industry in 2019, we haven’t found indicators that would suggest indiscriminate proliferation\r\nof malicious updates among a large number of NoxPlayer users, reinforcing our belief that this is a highly targeted\r\noperation.\r\nUpdate mechanism\r\nIn order to understand the dynamics of this supply-chain attack, it’s important to know what vector was used in\r\norder to deliver malware to NoxPlayer users. This vector was NoxPlayer’s update mechanism.\r\nOn launch, if NoxPlayer detects a newer version of the software, it will prompt the user with a message box\r\n(Figure 2) to offer the option to install it.\r\nFigure 2. NoxPlayer update prompt\r\nThis is done by querying the update server via the BigNox HTTP API (api.bignox.com) in order to retrieve\r\nspecific update information, as seen in Figure 3.\r\nFigure 3. NoxPlayer client update API request\r\nThe response to this query contains update-specific information such as the update binary URL, its size, MD5\r\nhash and other additional related information, as seen in Figure 4. Note that the API is queried over plain HTTP and\r\nthe MD5 travels in the same reply as the URL: the hash lets the client detect a corrupt download, but not a reply in\r\nwhich both the URL and the hash were chosen by whoever controls the API or the path to it.\r\nFigure 4. 
NoxPlayer server API reply\r\nUpon pressing the “Update now” button from Figure 2, the main NoxPlayer binary application Nox.exe will\r\nsupply the update parameters received to another binary in its toolbox, NoxPack.exe, which is in charge of\r\ndownloading the update itself, as can be seen in Figure 5.\r\nFigure 5. NoxPlayer execution chain on update\r\nAfter this is done, the progress bar in the message box will reflect the state of the download (Figure 6), and once\r\nthe download completes the update is applied.\r\nFigure 6. NoxPlayer update ongoing via NoxPack.exe\r\nSupply-chain compromise indicators\r\nWe have sufficient evidence to state that the BigNox infrastructure (res06.bignox.com) was compromised to host\r\nmalware, and also to suggest that their HTTP API infrastructure (api.bignox.com) could have been compromised.\r\nIn some cases, additional payloads were downloaded by the BigNox updater from attacker-controlled servers. This\r\nsuggests that the URL field, provided in the reply from the BigNox API, was tampered with by the attackers. The\r\nintrusion flow observed is depicted in Figure 7.\r\nFigure 7. Intrusion flow sequence diagram\r\nAn overview of what's shown in the sequence diagram above is the following:\r\n1. On launch, the primary NoxPlayer executable Nox.exe sends a request via the API to query update\r\ninformation.\r\n2. The BigNox API server responds to the client request with specific update information, including the URL\r\nto download the update from BigNox legitimate infrastructure.\r\n3. Nox.exe provides the appropriate parameters to NoxPack.exe to download the update.\r\n4. The legitimate update stored in BigNox infrastructure could have been replaced with malware, or it may be\r\na new filename/URL not used by legitimate updates.\r\n5. Malware is installed on the victim’s machine. 
Unlike legitimate BigNox updates, the malicious files\r\nare not digitally signed, strongly suggesting that the BigNox build system was not compromised, but just\r\nits systems that distribute updates.\r\n6. Some reconnaissance of the victim is performed and information sent to the malware operators.\r\n7. The perpetrators tailor malicious updates to specific victims of interest based on some unknown filtering\r\nscheme.\r\n8. Nox.exe will perform sporadic update requests.\r\n9. The BigNox API server responds to the client with update information, which states that the update is\r\nstored in the attacker-controlled infrastructure.\r\n10. Further malware gets delivered to selected victims.\r\nWith this information we can highlight several things:\r\nLegitimate BigNox infrastructure was delivering malware for specific updates. We observed that these\r\nmalicious updates were only taking place in September 2020.\r\nFurthermore, we observed that for specific victims, malicious updates were downloaded from attacker-controlled infrastructure subsequently and throughout the end of 2020 and early 2021.\r\nWe are highly confident that these additional updates were performed by Nox.exe supplying specific\r\nparameters to NoxPack.exe, suggesting that the BigNox API mechanism may have also been compromised\r\nto deliver tailored malicious updates.\r\nIt could also suggest the possibility that victims were subjected to a MitM attack, although we believe this\r\nhypothesis is unlikely since the victims we discovered are in different countries, and attackers already had\r\na foothold on the BigNox infrastructure.\r\nFurthermore, we were able to reproduce the download of the malware samples hosted on res06.bignox.com\r\nfrom a test machine and using https. 
This rules out a MitM attack as the explanation for the tampered\r\nupdate binary: the malicious file was served by the BigNox host itself, over TLS, to a clean machine.\r\nIt is also important to mention that malicious updates downloaded from the attacker-controlled infrastructure\r\nmimicked the path of legitimate updates:\r\nMalicious update from attacker-controlled infrastructure:\r\nhttp://cdn.cloudfronte[.]com/player/upgrade/ext/20201030/1/35e3797508c555d5f5e19f721cf94700.exe\r\nLegitimate NoxPlayer update:\r\nhttp://res06.bignox[.]com/player/upgrade/202012/1b31bced0a564bed9f60264f061dcdae.exe\r\nFurthermore, registered attacker-controlled domain names mimicked the BigNox CDN network domain name,\r\nthat being cloudfront.net.\r\nThese indicators suggest that attackers were trying to avoid detection so that they could remain under the radar\r\nand achieve long-term persistence.\r\nMalware\r\nA total of three different malicious update variants were observed, each of which dropped different malware.\r\nThese variants are the following:\r\nMalicious Update variant 1\r\nThis variant is one of the preliminary updates pointing to compromised BigNox infrastructure. Our analysis is\r\nbased on the sample with SHA-1 CA4276033A7CBDCCDE26105DEC911B215A1CE5CF.\r\nThe malware delivered does not seem to have been documented before. It is not extremely complex, but it has\r\nenough capabilities to monitor its victims. The initial RAR SFX archive drops two DLLs into C:\\Program Files\\Internet Explorer\\ and runs one of them, depending on architecture, via rundll32.exe. The names of these\r\nDLLs are the following:\r\nieproxysocket64.dll\r\nieproxysocket.dll\r\nIt also drops a text file named KB911911.LOG to disk, into which the original name of the SFX installer will be\r\nwritten. 
The DLL attempts to open and read this log file, and if not found will stop execution, therefore\r\nimplementing an execution guardrail.\r\nThe DLL will then check whether it has been loaded by any of the following processes; if it has, it will stop its\r\nown execution:\r\nsmss.exe\r\nwinlogon.exe\r\ncsrss.exe\r\nwininit.exe\r\nservices.exe\r\nexplorer.exe\r\nThe IP address of the machine will be checked to verify that it is neither 127.0.0.1 nor 0.0.0.0; if it is, it will be\r\nrechecked in an infinite loop until it changes. Otherwise, it will proceed to extract the UUID of the current\r\nmachine via a WMI object query. The returned UUID is hashed using MD5 to derive an identifier for the current victim.\r\nAccount name information will also be retrieved and saved.\r\nAn encrypted configuration will be retrieved from the DLL’s resource. This configuration is encrypted using a\r\ntwo-byte XOR with 0x5000. Since one of the two key bytes is 0x00, every second byte is stored in the clear, and the\r\nencrypted configuration is partially visible:\r\nFigure 8. Encrypted configuration in resources\r\nThe format of this configuration is the following (roughly):\r\nOffset | Size | Comment\r\n0x00 | 0x08 | Fake JPG header magic\r\n0x08 | 0x12C | Buffer holding tokenized C\u0026C information\r\n0x134 | 0x14 | Buffer holding port for C\u0026C communication\r\n0x148 | 0x14 | Sleep time\r\n0x15C | 0x14 | Operate flag; don’t operate with network monitoring tools deployed or if this flag is set\r\n0x170 | 0x14 | N/A\r\n0x184 | 0x14 | DNS flag; append a token at the end of the hostname buffer, either the string |UDP or the string |DNS, depending on the value of this field\r\n0x198 | 0x38 | Variable holding offset start of decoded configuration buffer\r\nAfter the configuration has been parsed, the backdoor will check several times for network monitoring processes\r\nbefore transferring execution to the C\u0026C loop. 
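The decoding just described, as an added example that is not ESET's code and was not taken from a sample: a Python decoder for the variant 1 configuration that applies the two-byte XOR key and slices the fields by the offsets in the table above. Assumptions, also labelled in the code: the key is applied to little-endian 16-bit words; port, sleep and the flags are ASCII decimal; the hostname buffer is NUL-terminated; a nonzero DNS flag selects the |DNS token. The encoded blob it decodes is constructed here with invented values.

```python
import struct

# Layout of the variant 1 configuration (offset, size, name), from the table above.
CONFIG_LAYOUT = [
    (0x000, 0x008, 'magic'),          # fake JPG header
    (0x008, 0x12C, 'c2'),             # tokenized C&C information
    (0x134, 0x014, 'port'),
    (0x148, 0x014, 'sleep'),
    (0x15C, 0x014, 'operate_flag'),   # set: do not operate
    (0x170, 0x014, 'unused'),
    (0x184, 0x014, 'dns_flag'),       # selects the |UDP or |DNS token
    (0x198, 0x038, 'config_offset'),  # offset of the decoded buffer (not interpreted here)
]
CONFIG_SIZE = 0x1D0
XOR_KEY = 0x5000                      # two-byte key from the report

def decode_config(data, key=XOR_KEY):
    # XOR each little-endian 16-bit word with the key; the word order is an assumption.
    # 0x5000 is stored as 00 50, so bytes at even offsets pass through unchanged.
    key_bytes = struct.pack('<H', key)
    return bytes(b ^ key_bytes[i % 2] for i, b in enumerate(data))

def cstr(buf):
    # Fixed-size string fields are treated as NUL-terminated ASCII (assumption).
    return buf.split(bytes([0]), 1)[0].decode('ascii', 'replace')

def cint(buf):
    # Numeric fields are treated as ASCII decimal, empty meaning 0 (assumption).
    return int(cstr(buf) or '0')

def parse_config(plain):
    # Slice a decoded configuration into its fields and interpret the flags.
    if len(plain) < CONFIG_SIZE:
        raise ValueError('configuration shorter than %#x bytes' % CONFIG_SIZE)
    f = {name: plain[off:off + size] for off, size, name in CONFIG_LAYOUT}
    transport = '|DNS' if cint(f['dns_flag']) else '|UDP'   # assumption: nonzero means DNS
    return {
        'magic': f['magic'],
        'c2': cstr(f['c2']) + transport,
        'port': cint(f['port']),
        'sleep': cint(f['sleep']),
        'operate': cint(f['operate_flag']) == 0,
    }

def visible_fragment(encoded, off, size):
    # Bytes of one field that the weak key leaves in the clear, readable without decoding.
    start = off if off % 2 == 0 else off + 1
    return bytes(encoded[start:off + size:2]).rstrip(bytes([0]))

def build_sample_config():
    # Constructed encoded blob for testing; the values are invented, not from a sample.
    cfg = bytearray(CONFIG_SIZE)

    def put(off, size, value):
        if len(value) > size:
            raise ValueError('value does not fit the field')
        cfg[off:off + len(value)] = value

    put(0x000, 0x008, bytes([0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 0x4A, 0x46]))
    put(0x008, 0x12C, b'c2.example.invalid')
    put(0x134, 0x014, b'443')
    put(0x148, 0x014, b'60')
    put(0x15C, 0x014, b'0')
    put(0x184, 0x014, b'1')
    return decode_config(bytes(cfg))   # XOR is its own inverse, so this encodes

if __name__ == '__main__':
    blob = build_sample_config()
    print(visible_fragment(blob, 0x008, 0x12C))
    print(parse_config(decode_config(blob)))
```

Because the low key byte is zero, visible_fragment recovers every second character of the hostname straight from the encoded resource; that is the effect seen in Figure 8, and a practical way to spot this configuration in a resource dump is the fake JPG magic followed by text in which every odd byte has been XORed with 0x50.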
Operation stops if the Operate flag is set or if either of the\r\nfollowing processes is running:\r\nnetman.exe\r\nwireshark.exe\r\nThe backdoor can use either a raw IP address or a domain name to communicate with the C\u0026C server. After\r\nsuccessful connection to the C\u0026C, the malware will be able to perform the following commands:\r\nCommand ID | Specification\r\ngetfilelist-delete | Delete specified files from the disk\r\ngetfilelist-run | Run a command via the WinExec API\r\ngetfilelist-upload | Upload a file via ScreenRDP.dll::ConnectRDServer\r\ngetfilelist-downfile1 | Download a specific file\r\ngetfilelist-downfile2 | Download a specific directory\r\ngetfilelist-downfile3 | Same as getfilelist-downfile2\r\n\u003cdefault\u003e | \\\\tsclient drive redirection of certain directories (iterating 0x1A drive letters starting at A:)\r\nFigure 9. Anatomy of malicious update variant 1\r\nMalicious Update variant 2\r\nThis malware variant was also spotted being downloaded from legitimate BigNox infrastructure. Our analysis is\r\nbased on the sample with SHA-1 E45A5D9B03CFBE7EB2E90181756FDF0DD690C00C.\r\nIt contains several files comprising what is known as a trident bundle, in which a signed executable is used to load\r\na malicious DLL, which will decrypt and load a shellcode, implementing a reflective loader for the final payload.\r\nThe theme for this trident bundle was to disguise the malware as Sandboxie components. 
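The trident layout just described, and the unsigned UpdatePackageSilence.exe check from the Am I compromised? section, reduce to the same on-disk question: does a PE carry an Authenticode certificate table, and is it sitting next to one that does not? The following Python is an added example written for this page, not ESET's or BigNox's code. It reads the PE data directory itself (entry 4, the Certificate Table) so it needs no Windows API; the system drive is assumed to be C:, the IoC paths are the ones listed in the report, and the PE images it tests against are constructed header-only stubs.

```python
import os
import struct
import tempfile
from pathlib import Path

# File names from the report, relative to the system drive (assumption: C:, written
# with forward slashes, which Windows accepts).
REPORT_IOC_FILES = [
    'ProgramData/Sandboxie/SbieIni.dat',
    'ProgramData/Sandboxie/SbieDll.dll',
    'ProgramData/LoGiTech/LBTServ.dll',
    'Program Files/Internet Explorer/ieproxysocket64.dll',
    'Program Files/Internet Explorer/ieproxysocket.dll',
]
PE_SIGNATURE = bytes([0x50, 0x45, 0x00, 0x00])   # the 4-byte PE signature

def security_directory(data):
    # Return (file offset, size) of the PE Certificate Table (data directory 4) or None.
    # Authenticode signatures live there; parsing it needs no Windows API.
    if len(data) < 0x40 or data[:2] != b'MZ':
        return None
    pe = struct.unpack_from('<I', data, 0x3C)[0]
    if data[pe:pe + 4] != PE_SIGNATURE:
        return None
    opt = pe + 24                    # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from('<H', data, opt)[0]
    if magic == 0x10B:               # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:             # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        return None
    if struct.unpack_from('<I', data, count_off)[0] < 5:
        return None
    off, size = struct.unpack_from('<II', data, dirs_off + 4 * 8)
    return (off, size) if off and size else None

def has_cert_table(path):
    # Presence of a certificate table is not signature validation (see the note below).
    return security_directory(Path(path).read_bytes()) is not None

def updater_status(path=None):
    # The report flags an UpdatePackageSilence.exe that is not signed by BigNox.
    target = Path(path or os.path.expandvars('%LOCALAPPDATA%/Nox/update/UpdatePackageSilence.exe'))
    if not target.exists():
        return 'absent'
    return 'has certificate table' if has_cert_table(target) else 'unsigned'

def find_sideload_candidates(root):
    # A directory holding a PE with a certificate table beside a PE without one is
    # what both trident bundles in the report look like on disk.
    hits = []
    for directory, _, files in os.walk(root):
        pes = [f for f in files if f.lower().endswith(('.exe', '.dll'))]
        signed = sorted(f for f in pes if has_cert_table(Path(directory) / f))
        unsigned = sorted(f for f in pes if f not in signed)
        if signed and unsigned:
            hits.append((directory, signed, unsigned))
    return hits

def find_report_iocs(root):
    return [p for p in REPORT_IOC_FILES if (Path(root) / p).exists()]

def build_fake_pe(with_cert):
    # Constructed header-only PE32 image for offline testing; it is not a real program.
    dos = bytearray(64)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 64)                     # e_lfanew
    coff = PE_SIGNATURE + struct.pack('<HHIIIHH', 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                       # 96 bytes + 16 directories
    struct.pack_into('<H', opt, 0, 0x10B)
    struct.pack_into('<I', opt, 92, 16)                        # NumberOfRvaAndSizes
    cert = bytes(16)                                           # stand-in WIN_CERTIFICATE blob
    if with_cert:
        struct.pack_into('<II', opt, 96 + 4 * 8, 64 + 24 + 224, len(cert))
    return bytes(dos) + coff + bytes(opt) + (cert if with_cert else bytes())

def demo():
    # Lay out a mock Sandboxie-themed bundle in a temporary tree and run both checks.
    root = Path(tempfile.mkdtemp())
    bundle = root / 'ProgramData' / 'Sandboxie'
    bundle.mkdir(parents=True)
    (bundle / 'SandboxieBITS.exe').write_bytes(build_fake_pe(True))
    (bundle / 'SbieDll.dll').write_bytes(build_fake_pe(False))
    (bundle / 'SbieIni.dat').write_bytes(bytes(32))
    return find_report_iocs(root), find_sideload_candidates(root)

if __name__ == '__main__':
    print(demo())
    print(updater_status())
```

On a suspect host, run find_report_iocs('C:/') and find_sideload_candidates('C:/ProgramData'). Anything flagged still needs real verification (signtool verify, or Get-AuthenticodeSignature in PowerShell): a certificate table can hold an expired, revoked or self-signed certificate, and a signature made with a stolen certificate passes this presence check too. Many Windows system binaries are catalog-signed and carry no embedded certificate table, so the side-loading heuristic is meant for ProgramData-style drop locations, not the Windows directory.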
The names of the\r\nbundled components are the following:\r\nFilename | Description\r\nC:\\ProgramData\\Sandboxie\\SandboxieBITS.exe | Signed Sandboxie COM Services (BITS)\r\nC:\\ProgramData\\Sandboxie\\SbieDll.dll | Malicious hijacked DLL\r\nC:\\ProgramData\\Sandboxie\\SbieIni.dat | Malicious encrypted payload; decrypts to a reflectively loaded instance of Gh0st RAT\r\nC:\\Users\\Administrator\\AppData\\Local\\Temp\\delself.bat | Script to self-delete the initial executable\r\nC:\\Windows\\System32\\wmkawe_3636071.data | Text file containing the sentence Stupid Japanese\r\nWe have encountered other instances of this same text file, dropped by a very similar loader in a supply-chain\r\ncompromise involving the Myanmar presidential office website in 2018, and in an intrusion into a Hong Kong\r\nuniversity in 2020.\r\nThe deployed final payload was a variant of Gh0st RAT with keylogger capabilities.\r\nFigure 10. Anatomy of malicious update variant 2\r\nMalicious Update variant 3\r\nThis update variant was only spotted in activity subsequent to initial malicious updates, downloaded from\r\nattacker-controlled infrastructure. Our analysis is based on the sample with SHA-1\r\nAA3D31A1A6FE6888E4B455DADDA4755A6D42BEEB.\r\nAs with the previous variant, this malicious update comes bundled in an MFC file, and extracts two\r\ncomponents: a benign signed file and a dependency of it. 
The components are:\r\nFilename | Description\r\nC:\\ProgramData\\LoGiTech\\LoGitech.exe | Signed Logitech binary\r\nC:\\ProgramData\\LoGiTech\\LBTServ.dll | Malicious DLL; decrypts and reflectively loads an instance of PoisonIvy\r\nOn the most recently discovered victims, the initial downloaded binary was written in Delphi, while for previous\r\nvictims the same attacker-controlled URL dropped a binary written in C++. These binaries are the initial\r\npreliminary loaders. Although the loaders were written in different programming languages, both versions\r\ndeployed the same final payload, that being an instance of the PoisonIvy RAT.\r\nFigure 11. Anatomy of malicious update variant 3\r\nConclusion\r\nWe have detected various supply-chain attacks in the last year, such as Operation SignSight or the compromise of\r\nAble Desktop among others. However, the supply-chain compromise involved in Operation NightScout is\r\nparticularly interesting due to the targeted vertical, as we rarely encounter cyberespionage operations\r\ntargeting online gamers.\r\nSupply-chain attacks will continue to be a common compromise vector leveraged by cyber-espionage groups, and\r\ntheir complexity may impact the discovery and mitigation of this type of incident.\r\nFor any inquiries, or to make sample submissions related to the subject, contact us at: threatintel@eset.com.\r\nAcknowledgement\r\nThe author would like to give special credit to Matthieu Faou for his support and feedback during the\r\ninvestigation.\r\nIndicators of Compromise (IoCs)\r\nFiles\r\nSHA-1 | ESET detection name | Description\r\nCA4276033A7CBDCCDE26105DEC911B215A1CE5CF | Win32/Agent.UOJ | Malicious Update variant 1\r\nE45A5D9B03CFBE7EB2E90181756FDF0DD690C00C | Win32/GenKryptik.ENAT | Malicious Update variant 2\r\nAA3D31A1A6FE6888E4B455DADDA4755A6D42BEEB | Win32/Kryptik.HHBQ | Malicious Update variant 3\r\n5732126743640525680C1F9460E52D361ACF6BB0 | Win32/Delf.UOD | Malicious Update variant 3\r\nC\u0026C servers\r\n210.209.72[.]180\r\n103.255.177[.]138\r\n185.239.226[.]172\r\n45.158.32[.]65\r\ncdn.cloudistcdn[.]com\r\nq.cloudistcdn[.]com\r\nupdate.boshiamys[.]com\r\nMalicious update URLs\r\nhttp://cdn.cloudfronter[.]com/player/upgrade/ext/20201030/1/35e3797508c555d5f5e19f721cf94700.exe\r\nhttp://cdn.cloudfronter[.]com/player/upgrade/ext/20201101/1/bf571cb46afc144cab53bf940da88fe2.exe\r\nhttp://cdn.cloudfronter[.]com/player/upgrade/ext/20201123/1/2ca0a5f57ada25657552b384cf33c5ec.exe\r\nhttp://cdn.cloudfronter[.]com/player/upgrade/ext/20201225/7c21bb4e5c767da80ab1271d84cc026d.exe\r\nhttp://cdn.cloudfronter[.]com/player/upgrade/ext/20210119/842497c20072fc9b92f2b18e1d690103.exe\r\nhttps://cdn.cloudfronte[.]com/player/upgrade/ext/20201020/1/c697ad8c21ce7aca0a98e6bbd1b81dff.exe\r\nhttp://cdn.cloudfronte[.]com/player/upgrade/ext/20201030/1/35e3797508c555d5f5e19f721cf94700.exe\r\nhttp://res06.bignox[.]com/player/upgrade/202009/6c99c19d6da741af943a35016bb05b35.exe\r\nhttp://res06.bignox[.]com/player/upgrade/202009/42af40f99512443cbee03d090658da64.exe\r\nMITRE ATT\u0026CK techniques\r\nNote: This table was built using version 8 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nInitial Access | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | Malware gets delivered via NoxPlayer updates.\r\nExecution | T1053.005 | Scheduled Task/Job: Scheduled Task | Malicious update variant 3 instances will be executed via scheduled task.\r\nExecution | T1569.002 | System Services: Service Execution | Malicious update variant 2 instances will be executed via service execution.\r\nPersistence | T1053.005 | Scheduled Task/Job: Scheduled Task | Malicious update variant 2 instances will create a scheduled task to establish persistence.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | Malicious update variants 2 and 3 will be contained in \"trident\" bundles for evasion purposes.\r\nDefense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Malicious updates shipped as \"trident\" bundles will perform DLL side-loading.\r\nCollection | T1056.001 | Input Capture: Keylogging | Some of the final payloads such as PoisonIvy and Gh0st RAT have keylogging capabilities.\r\nCommand and Control | T1090.001 | Proxy: Internal Proxy | The PoisonIvy final payload variant has capabilities to authenticate with proxies.\r\nCommand and Control | T1095 | Non-Application Layer Protocol | All malicious update instances communicate over raw TCP or UDP.\r\nCommand and Control | T1573 | Encrypted Channel | Both PoisonIvy and Gh0st RAT use encrypted TCP communication to avoid detection.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | Exfiltration in all malicious update instances is done over a Command and Control channel.\r\nSource: https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/"
	],
	"report_names": [
		"operation-nightscout-supply-chain-attack-online-gaming-asia"
	],
	"threat_actors": [
		{
			"id": "068b67c8-604c-4272-b808-350413fa9ee3",
			"created_at": "2022-10-25T16:07:23.975708Z",
			"updated_at": "2026-04-10T02:00:04.816253Z",
			"deleted_at": null,
			"main_name": "Operation NightScout",
			"aliases": [],
			"source_name": "ETDA:Operation NightScout",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbdb2d7d-4bf4-4100-a108-f4742cfd69ff",
			"created_at": "2022-10-25T16:07:24.01101Z",
			"updated_at": "2026-04-10T02:00:04.836112Z",
			"deleted_at": null,
			"main_name": "Operation SignSight",
			"aliases": [],
			"source_name": "ETDA:Operation SignSight",
			"tools": [
				"Mimikatz",
				"PhantomNet",
				"SManager"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434144,
	"ts_updated_at": 1775792166,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/285a8a65c0986c6f084ca9b6c7b1ba98071957f3.pdf",
		"text": "https://archive.orkl.eu/285a8a65c0986c6f084ca9b6c7b1ba98071957f3.txt",
		"img": "https://archive.orkl.eu/285a8a65c0986c6f084ca9b6c7b1ba98071957f3.jpg"
	}
}