{
	"id": "a0e0465f-a327-45db-b508-61b20cadb3d3",
	"created_at": "2026-04-06T00:17:47.666252Z",
	"updated_at": "2026-04-10T13:11:45.356193Z",
	"deleted_at": null,
	"sha1_hash": "2872378333867bab6b83ad0fd2094406c87b3198",
	"title": "PeckBirdy: A Versatile Script Framework for LOLBins Exploitation Used by China-aligned Threat Groups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 896443,
	"plain_text": "PeckBirdy: A Versatile Script Framework for LOLBins\r\nExploitation Used by China-aligned Threat Groups\r\nBy By: Ted Lee, Joseph C Chen Jan 26, 2026 Read time: 10 min (2756 words)\r\nPublished: 2026-01-26 · Archived: 2026-04-05 13:10:49 UTC\r\nKey takeaways\r\nPeckBirdy is a JScript-based command-and-control (C\u0026C) framework used by China-aligned APT actors\r\nsince 2023, designed to execute across multiple environments, enabling flexible deployment.\r\nTwo modular backdoors, HOLODONUT and MKDOOR, extend PeckBirdy’s attack capabilities beyond its\r\ncore functionality.\r\nMeanwhile, the SHADOW-VOID-044 and SHADOW-EARTH-045 campaigns demonstrate coordinated\r\nChina-aligned threat group activity that use PeckBirdy across multiple attack vectors.\r\n One of campaigns leverage stolen code-signing certificates Cobalt Strike payloads, and exploits (CVE-2020-16040) hosted across multiple C\u0026C domains and IP addresses to maintain persistent access.\r\nTrendAI Vision One™ detects and blocks the indicators of compromise (IOCs) outlined in this blog, and\r\nprovides customers with tailored threat hunting queries, threat insights, and intelligence reports.\r\nIntroduction\r\nSince 2023, we have been observing threat campaigns employing a previously unseen script-based command-and-control (C\u0026C) framework which we named PeckBirdy, being used against Chinese gambling industries, as well as\r\nmalicious activities targeting Asian government entities and private organizations. While tracking this framework,\r\nwe identified at least two campaigns using PeckBirdy, which we were able to link to several China-aligned\r\nadvanced persistent threat (APT) actors. 
Note that we’ve previously discussed these campaigns during the HitCon\r\nconference in August 2025, and are now publishing this entry to share our findings with a wider audience.\r\nPeckBirdy is a script-based framework which, while possessing advanced capabilities, is implemented using\r\nJScript, an old script language. This is to ensure that the framework can be launched across different execution\r\nenvironments via LOLBins (living-off-the-land binaries). This flexibility allowed us to observe PeckBirdy in\r\nvarious kill chain stages, including being used as a watering-hole control server during the initial attack phase, as\r\na reverse shell server during the lateral movement phase, and as a C\u0026C server during the backdoor phase.\r\nIn this entry, we will provide our detailed analysis of PeckBirdy, its attack campaigns, and a pair of new\r\nbackdoors, “HOLODONUT” and “MKDOOR”, which we found being used in related operations. In addition, we\r\nwill discuss the attribution of the corresponding campaigns.\r\nIn-the-wild activities\r\nhttps://www.trendmicro.com/en_us/research/26/a/peckbirdy-script-framework.html\r\nPage 1 of 11\n\nBeginning in 2023, we noticed multiple Chinese gambling websites being injected with malicious scripts with\r\nlinks to remote servers. Further investigation into the injections and servers led us to discover the PeckBirdy script\r\nframework. When victims visit these gambling websites, the injected scripts download and execute the main script\r\nof the PeckBirdy routine, allowing attackers to remotely deliver and execute JavaScript.\r\nThe primary goal of this routine is to display fake software update webpages for Google Chrome to entice victims\r\ninto downloading and executing malicious update files, which are backdoors prepared by the attackers. This\r\nconstitutes the first campaign we identified, which we are tracking under the name SHADOW-VOID-044.\r\nFigure 1. 
PeckBirdy launched via different vectors\r\nDuring July 2024, we observed another campaign primarily targeting Asian government entities and private\r\norganizations, which we tracked under the campaign name SHADOW-EARTH-045. We discovered that this\r\ncampaign injects PeckBirdy links into government websites, likely to deliver scripts for credential harvesting on\r\nthe website.\r\nIn one case, the injection was on the login page of a government system, while in another incident, we noticed the\r\nattacker using MSHTA to execute PeckBirdy as a remote access channel for lateral movement in a private\r\norganization. The threat actor behind the attacks also developed a .NET executable to launch PeckBirdy with\r\nScriptControl. These findings demonstrate the versatility of PeckBirdy’s design, which enables it to serve multiple\r\npurposes.\r\nAnalysis of the PeckBirdy framework\r\nPeckBirdy can be executed in various environments, including browsers, MSHTA, WScript, Classic ASP, Node\r\nJS, and .NET (ScriptControl). Depending on the environment, PeckBirdy’s capabilities and purpose can vary.\r\nFor example, in a browser environment, PeckBirdy can only operate within the scope of the webpage due to\r\nsandboxing mechanisms. However, in other environments such as MSHTA, PeckBirdy can execute more actions\r\ndirectly on the local machine. The PeckBirdy server has defined APIs, which allow clients to obtain landing scripts\r\nfrom the server via a simple HTTP(S) query. The following table shows the PeckBirdy server APIs that we\r\nobserved.\r\nAPI Description\r\nhttps://{domain}/{ATTACK_ID} Downloads the main PeckBirdy script\r\nhttps://{domain}/{ATTACK_ID}/hta Downloads the landing script for MSHTA\r\nhttps://{domain}/{ATTACK_ID}/html Downloads the landing script for HTML\r\nhttps://{domain}/{ATTACK_ID}/wscript Downloads the landing script for WScript\r\nTable 1. 
The PeckBirdy server APIs to obtain landing scripts\r\nDepending on the ATTACK_ID value attached in the query, each generated PeckBirdy script contains an\r\nembedded configuration (with the ATTACK_ID being a predefined value composed of a random string of 32\r\ncharacters). The configured values are used for controlling the behavior of PeckBirdy during execution, which\r\nincludes the following items.\r\nConfiguration Description\r\n$HOST The PeckBirdy server domain\r\n$PORT The port numbers connected by supported protocols\r\n$ATTACK_ID A 32-character random string produced by the framework\r\n$RETRY The waiting time between retries\r\n$RETRY_TIME The number of retry attempts\r\n$HEARTBEAT The waiting time between heartbeats\r\nTable 2. The configuration embedded in the PeckBirdy script\r\nFigure 2. The configuration of the PeckBirdy script\r\nTo extend PeckBirdy’s capability, its developer implemented it using an old script language known as JScript\r\n(which follows ECMAScript 3), and designed it to support multiple communication protocols to ensure\r\ncompatibility in various environments. The built-in functions defined in ECMAScript 5, such as JSON, are also\r\nused when a newer environment is detected. Otherwise, PeckBirdy uses its own versions of these functions, implemented\r\nby the framework itself in JScript.\r\nUpon initial execution, PeckBirdy searches for unique objects that exist only in specific environments to\r\ndetermine the current execution context. It checks for the window object in browser environments, the process\r\nobject in the NodeJS environment, the response object in the ASP environment, and the presence of the APPLICATION\r\ntag within the HTML in HTA environments.\r\nFigure 3. Detecting execution context\r\nAfter determining the current environment, PeckBirdy generates a victim ID using different approaches based on\r\nthe environment. 
In a local host environment such as HTA, it attempts to retrieve hardware information from the\r\nmotherboard and hard drive on the victim’s machine. It then hashes this information with MD5 to generate a\r\nhash value which serves as the victim ID. If this step fails, or if it occurs in other environments that are unable to\r\nretrieve hardware information, it directly generates a 32-character random string as the victim ID instead.\r\nTo preserve the victim ID in browser environments, PeckBirdy adds the prefix Hm_lvt_ (a known cookie prefix used\r\nby a legitimate service) to the victim ID string and writes it into a browser cookie. In other cases, it writes the\r\nvictim ID string to a file called ___unique_id___, which is placed in the Windows temporary folder. This\r\nallows PeckBirdy to retrieve the victim ID on subsequent executions.\r\nFigure 4. The script to write the victim ID into the “___unique_id___” file\r\nAfter initialization, PeckBirdy detects the communication methods supported in the environment. The default\r\nmethod uses the WebSocket protocol to communicate with the PeckBirdy server. If WebSocket is not supported, it\r\nattempts to detect the presence of Adobe Flash, after which it will create a Flash ActiveX object to establish TCP\r\nsocket communication (for compatibility in older environments, despite Flash itself being discontinued in 2020).\r\nIf neither of these methods is supported, PeckBirdy can use the Comet and LocalComet methods, which are\r\nbased on HTTP(S) and AJAX. While Comet has lower efficiency, it offers broad compatibility across\r\nenvironments.\r\nFigure 5. The script for determining communication protocols\r\nUsing WebSocket in a browser as an example, PeckBirdy initially sends an init request to the remote server to\r\ninitiate communication. 
This request includes the current website’s domain and URL, as well as the previously\r\nmentioned victim ID and the ATTACK ID, along with a newly generated session ID value (also a 32-character random\r\nstring).\r\nThe server responds with the second-stage script of PeckBirdy, which includes the script execution procedures and\r\nAES encryption and decryption routines. The subsequent communication is encrypted using AES and then\r\nencoded with Base64, with the AES encryption key being the ATTACK ID value from the configuration.\r\nUnfortunately, we could not collect many of the scripts delivered directly through PeckBirdy’s communications with\r\nits server. The only one we received was a short script for stealing the cookie values of injected websites in\r\nbrowsers.\r\nFigure 6. The initial C\u0026C message sent to the PeckBirdy server\r\nFigure 7. WebSocket communication for PeckBirdy\r\nFigure 8. The script delivered from a C\u0026C server for stealing website cookies\r\nWe also discovered additional script files hosted on one of PeckBirdy’s servers (belonging to SHADOW-VOID-044) which appear to be delivered and executed through PeckBirdy. 
These provided insight into how the threat\r\nactors use PeckBirdy to carry out their attacks.\r\nThe scripts we found included:\r\nThe exploitation script for the CVE-2020-16040 vulnerability affecting Google Chrome\r\nScripts for social engineering pop-ups designed to deceive victims into downloading and executing\r\nmalicious files\r\nScripts for delivering additional backdoors that are executed via Electron JS\r\nScripts to establish reverse shells via TCP sockets\r\nBackdoor analysis\r\nBased on the infrastructure owned by the threat actors, we identified two distinct modular backdoors,\r\nHOLODONUT and MKDOOR, linked to SHADOW-VOID-044.\r\nHOLODONUT\r\nHOLODONUT is a .NET-based modular backdoor we found within the threat actor’s infrastructure. To execute\r\nHOLODONUT, the threat actors deployed a customized simple downloader, which we track as NEXLOAD, to retrieve the payload from the\r\nremote server. The noteworthy feature of NEXLOAD is that it will\r\nsend a string in a specific format, “{string}#{string}”, during the first connection. Next, the retrieved payload is\r\ndecrypted via the XOR algorithm and executed by using the callback function “EnumWindows()”.\r\nFor defense evasion, the payload uses multiple techniques, including disabling AMSI and EtwEvent, as well as\r\nthe use of Donut, an open-source tool used to stealthily execute .NET assemblies. As a result, HOLODONUT can\r\nbe executed in process memory with less visibility.\r\nFigure 9. The HOLODONUT packet types\r\nBased on the code, we can summarize the supported packet types and built-in commands as follows:\r\nThe first packet type is related to the plugin handler, which is used to receive, execute, or unload plugins from\r\nC\u0026C servers. In addition to plugin-related packets, the program provides built-in commands for information\r\ncollection, sleep, and exit. 
\r\nPacket type Plugin objects (assembly name, assembly bytes, Methodinfo, type, ClientID)\r\n“plugin” Add and load the received plugin (.NET assembly)\r\n“execplugin” Execute the received plugin (.NET assembly)\r\n“Unloadplugin”\r\nRemove the received plugin (.NET assembly) based on the specific “ClientID”\r\nand “Assembly name”\r\n“UnloadClientIDplugin” Remove the installed plugin based on the “ClientID”\r\nTable 3. Supported HOLODONUT packet types\r\nMKDOOR\r\nDuring our long-term monitoring of SHADOW-VOID-044, we found a phishing webpage used to lure users into\r\ndownloading a fake Google Chrome updater. After downloading and analyzing the file, we identified another\r\nmodular backdoor, MKDOOR, which is composed of two different modules: the downloader and the\r\nbackdoor. During the first initiation, the downloader will connect to the C\u0026C server and download the backdoor\r\nmodule. For defense evasion, it will try to bypass Microsoft Defender by adding itself to the exclusion list, and it\r\nmakes the URL it contacts look like a Microsoft support page.\r\nhttps://{C\u0026C address}/en-us/howtotell/default[.]aspx\r\nAfter the backdoor module is initiated, it will retrieve the network configuration embedded in the downloader\r\nmodule and launch another connection to the C\u0026C server. The URL path used by the backdoor module is\r\nsimilarly disguised as being related to Windows activation.\r\nhttps://{C\u0026C address}/en-us/windows/activate-windows-c39005d4-95ee-b91e-b399-2820fda32227\r\nAs a modular backdoor, the capabilities of MKDOOR depend on the modules received from the C\u0026C server.\r\nUnfortunately, we were unable to collect the module from the server during our investigation. 
Hence, we can only\r\nprovide the malware’s supported commands, which are shown in the following table:\r\nCommands Description\r\nINSTALL Install the received module\r\nUNINSTALL Uninstall the received module\r\nEXECUTE Execute the received module\r\nSHOW Status feedback\r\nSLEEP Sleep (sleeping time depends on the time received from the attacker)\r\nEXIT Exit\r\nUNDATE No function defined (in this case)\r\nTable 4. The supported commands of MKDOOR\r\nFigure 10. MKDOOR adds itself to the exclusion list to bypass Microsoft Defender\r\nFigure 11. The main function of the MKDOOR downloader\r\nCampaign attribution\r\nWe discovered two threat campaigns that used PeckBirdy in their operations. Based on victimology and the tools,\r\ntactics, and procedures (TTPs) used in the respective campaigns, we attributed them under two temporary\r\nintrusion sets: SHADOW-VOID-044 and SHADOW-EARTH-045. Our investigation revealed that these two\r\ncampaigns could be linked to different China-aligned APT actors.\r\nIn the case of SHADOW-VOID-044, we noticed the GRAYRABBIT backdoor (previously reported to be utilized\r\nby UNC3569) was hosted on a server (47[.]238[.]219[.]111) operated by this campaign. The GRAYRABBIT\r\nsample we observed was slightly different, using a DLL sideloading technique combined with the\r\nUuidFromStringA function of PowerShell to read, decode, and execute the backdoor payload. Despite the\r\ndifferent execution methods, the C\u0026C server center[.]myrnicrosoft[.]com was the same as the C\u0026C domain used\r\nby UNC3569. 
In addition, both SHADOW-VOID-044 and UNC3569 targeted the Chinese gambling industry.\r\nThese findings give us a moderate to high level of confidence in attributing this campaign to UNC3569.\r\nWe also discovered that SHADOW-VOID-044 used the HOLODONUT backdoor, which is likely linked to\r\nanother backdoor, WizardNet, previously reported as being used by an APT group called TheWizard. Interestingly,\r\nsome of the HOLODONUT samples used by SHADOW-VOID-044 connected to the same C\u0026C server\r\n(mkdmcdn[.]com) that is used by TheWizard. While we didn’t see any additional connections between\r\nCampaign Alpha and TheWizard, it’s worth noting that TheWizard also used the DarkNimbus backdoor, which\r\nwas developed by the Earth Minotaur threat actor we discussed in a previous blog entry.\r\nAnother discovery during our research was a Cobalt Strike sample (SHA256:\r\n162cc325ab7b6e70edb6f4d0bc0e52130c56903f) hosted on the SHADOW-VOID-044 server oss-cdn[.]com. We\r\ndiscovered that this sample was signed using a certificate (thumbprint, SHA1:\r\nbbd2b9b87f968ed88210d4261a1fe30711e8365b) stolen from a South Korean gaming company. This certificate\r\nwas also used in the BIOPASS RAT campaign that we previously reported on.\r\nBased on our findings, both BIOPASS RAT and MKDOOR employ the same technique: opening a listening HTTP server\r\non a high-numbered port on the local host. This allows a watering hole attack script to scan for the\r\npresence of the port on the local host and determine whether the victim has already been infected with the backdoor. The\r\nBIOPASS RAT campaign is linked to another threat actor, Earth Lusca.\r\nFor SHADOW-EARTH-045, we observed malicious activities targeting a Philippine educational institution in July\r\n2024. The threat actor executed an MSHTA command connecting to github[.]githubassets[.]net to launch\r\nPeckBirdy on a compromised Internet Information Services (IIS) server. 
The threat actor also simultaneously\r\ndownloaded files from 47[.]238[.]184[.]9, an IP address that has been previously linked to Earth Baxia. Note that the\r\nattribution linking SHADOW-EARTH-045 to Earth Baxia remains low confidence for now. However, it’s worth\r\nnoting that the same PeckBirdy domain and IP address were also mentioned in another report on attacks\r\nagainst an African government IT organization.\r\nConclusion\r\nThis report outlines two campaigns that highlight the growing sophistication and adaptability of current China-aligned threat actors. These campaigns make use of a dynamic JavaScript framework, PeckBirdy, to abuse living-off-the-land binaries and deliver modular backdoors such as MKDOOR and HOLODONUT. Detecting malicious\r\nJavaScript frameworks remains a significant challenge due to their use of dynamically generated, runtime-injected\r\ncode and the absence of persistent file artifacts, enabling them to evade traditional endpoint security controls. In\r\nthis environment, adaptability and continuous refinement of defensive strategies are no longer optional, but\r\nfundamental to maintaining operational integrity in an increasingly hostile digital landscape.\r\nProactive security with TrendAI Vision One™\r\nTrendAI Vision One™ is the industry-leading AI cybersecurity platform that centralizes cyber risk\r\nexposure management, security operations, and robust layered protection.\r\nTrendAI Vision One™ Threat Intelligence Hub provides the latest insights on emerging threats and threat\r\nactors, exclusive strategic reports from TrendAI™ Research, and TrendAI Vision One™ Threat Intelligence Feed\r\nin the TrendAI Vision One™ platform.\r\nEmerging Threats:\r\nPeckBirdy: A Versatile Script Framework for LOLBins Exploitation Used by China-aligned Threat Groups\r\n
Threat actor profiles:\r\nSHADOW-VOID-044\r\nSHADOW-EARTH-045\r\nEarth Baxia\r\nEarth Minotaur\r\nEarth Lusca\r\nHunting Queries\r\nmalName: (*MKDOOR* OR *HOLODONUT* OR *GRAYRABBIT* OR *PECKBIRDY*) AND eventName:\r\nMALWARE_DETECTION\r\nTrendAI Vision One™ customers can use the Search App to match or hunt the malicious indicators mentioned in\r\nthis blog post with data in their environment.\r\nMore hunting queries are available for TrendAI Vision One™ with Threat Intelligence Hub entitlement enabled.\r\nIndicators of Compromise (IoCs)\r\nThe indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/26/a/peckbirdy-script-framework.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/26/a/peckbirdy-script-framework.html"
	],
	"report_names": [
		"peckbirdy-script-framework.html"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f45af9e4-5037-4a5a-82c1-4627845eea49",
			"created_at": "2024-09-26T02:00:04.286721Z",
			"updated_at": "2026-04-10T02:00:03.707415Z",
			"deleted_at": null,
			"main_name": "Earth Baxia",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Baxia",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dc813ffb-16bd-46f7-9d8f-8e93089f00c1",
			"created_at": "2024-12-28T02:01:54.748213Z",
			"updated_at": "2026-04-10T02:00:04.669444Z",
			"deleted_at": null,
			"main_name": "Earth Minotaur",
			"aliases": [],
			"source_name": "ETDA:Earth Minotaur",
			"tools": [
				"DarkNimbus",
				"MOONSHINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4b7f4f69-7c56-4691-9071-9365884a7f30",
			"created_at": "2024-10-25T02:02:07.672671Z",
			"updated_at": "2026-04-10T02:00:04.660715Z",
			"deleted_at": null,
			"main_name": "Earth Baxia",
			"aliases": [],
			"source_name": "ETDA:Earth Baxia",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"EAGLEDOOR",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d24c2548-d163-4a73-865f-0d4cb917fee7",
			"created_at": "2024-04-20T02:00:03.580316Z",
			"updated_at": "2026-04-10T02:00:03.628323Z",
			"deleted_at": null,
			"main_name": "UNC3569",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC3569",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434667,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2872378333867bab6b83ad0fd2094406c87b3198.pdf",
		"text": "https://archive.orkl.eu/2872378333867bab6b83ad0fd2094406c87b3198.txt",
		"img": "https://archive.orkl.eu/2872378333867bab6b83ad0fd2094406c87b3198.jpg"
	}
}