{
	"id": "1d5fa54e-32aa-413d-a0cb-214273ea8c5f",
	"created_at": "2026-04-06T00:16:55.137258Z",
	"updated_at": "2026-04-10T03:37:01.040815Z",
	"deleted_at": null,
	"sha1_hash": "28f271617373ab20f6c2a4d4b3f82008f2378701",
	"title": "Daggerfly: APT Actor Targets Telecoms Company in Africa",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66367,
	"plain_text": "Daggerfly: APT Actor Targets Telecoms Company in Africa\r\nArchived: 2026-04-02 10:43:08 UTC\r\nA telecommunications organization in Africa appears to be among the latest targets for the Daggerfly (aka Evasive Panda, Bronze Highland) advanced persistent threat (APT) group, with the group’s most recent campaign using previously unseen plugins from the MgBot malware framework.\r\nThe first indications of malicious activity on this victim’s network were seen in November 2022, but there are indications the activity is likely still ongoing. Researchers from the Threat Hunter Team at Symantec, by Broadcom Software, found multiple unique plugins associated with the MgBot modular malware framework on the victim’s network. The attackers were also seen using a PlugX loader and abusing the legitimate AnyDesk remote desktop software. Use of the MgBot modular malware framework and PlugX loader has been associated in the past with China-linked APTs.\r\nAssociation between this activity and Daggerfly is based in part on details in a 2020 blog about activity that Malwarebytes attributed to Evasive Panda. Crossovers in the activity included:\r\nOne of the MgBot samples found appears in both sets of activity\r\nBoth sets of activity include a renamed Rundll32.exe file named \"dbengin.exe\" in the ProgramData\\Microsoft\\PlayReady directory\r\nThe loader DLL \"pMsrvd.dll\" in the csidl_common_appdata\\microsoft\\playready\\mdie942.tmp directory appears in both sets of activity\r\nThe folders and file names used in this recent activity, as well as the use of DLL side-loading, also support the attribution. The activity documented by Malwarebytes occurred in 2020, and Daggerfly is believed to have been active since at least 2014.\r\nAttack Chain\r\nSuspicious AnyDesk connections spotted on a Microsoft Exchange mail server in November 2022 were among the first signs of suspicious activity on the victim network targeted in this recent Daggerfly activity. AnyDesk is legitimate remote desktop software, but it is commonly abused by threat actors for remote access and other purposes.\r\nThe WannaMine crypto-mining malware was also seen on the same Exchange server, though it appears likely that this activity was not linked to the Daggerfly group. The presence of WannaMine, however, does indicate that the server it was found on may have been unpatched and vulnerable to the EternalBlue exploit, as well as more recent exploits targeting this web server.\r\nThe legitimate, free Rising antivirus software was also used to side-load the PlugX loader onto victim machines.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt-attacks-telecoms-africa-mgbot\r\nPage 1 of 6\n\nWe will go through the attack chain in further detail below.\r\nFile downloads\r\nThreat actors used the living-off-the-land tools BITSAdmin and PowerShell to download files onto victim systems. The attackers downloaded the legitimate AnyDesk executable and the GetCredManCreds tool in this way.\r\nCredential dumping\r\nThe attackers used the previously downloaded GetCredManCreds script to retrieve the usernames and passwords of web services stored in the credential manager using PowerShell.\r\nThey also dumped the SAM (Security Account Manager), System, and Security hives of the Windows registry using the reg.exe tool. This allowed the adversaries to extract credentials from the SAM database.\r\nPersistence with local account\r\nDaggerfly also created a local account to maintain access to victim systems with the following command line:\r\nMgBot modular malware framework\r\nMgBot is a well-designed modular framework that is actively maintained. The components of the framework are the following:\r\nMgBot EXE dropper\r\nMgBot DLL Loader\r\nMgBot Plugins\r\nThe MgBot plugins that were deployed in this activity have numerous capabilities that can provide the attackers with a significant amount of information about compromised machines. Among the unique plugins that were deployed during this activity were:\r\nNetwork scanner – innocence.dll\r\nCapabilities include: ARP scan, HTTP scan, determining the type of server (e.g. SQL, WebLogic, Redis, etc.) it is running on.\r\nA Chrome and Firefox infostealer that can gather information such as bookmarks and browsing history – bkmk.dll\r\nLogging module – famdowm.dll\r\nBased on the open-source easylogging++, which can carry out basic logging, track performance and more.\r\nQQ messages infostealer – qmsdp.dll\r\nBased on this blog, which details how a chat tool message database was cracked by hackers.\r\nActive Directory enumeration – ceeeb.dll\r\nCollects the following information from Active Directory:\r\nMembers info\r\nComputers\r\nLocal Admins\r\nRemote Desktop Users\r\nDcom Users\r\nPassword dumper – cpfwplgx.dll\r\nDrops a file to call the MiniDumpWriteDump API to dump a process memory.\r\nQQ Keylogger – kstrcs.dll\r\nKeylogger that targets QQEdit.exe and QQ.exe processes.\r\nScreen and clipboard grabber – cbmrpa.dll\r\nCaptures clipboard and drag and drop data and saves it to a file.\r\nOutlook and Foxmail credentials stealer – maillfpassword.dll\r\nAudio capture – prsm.dll\r\nCaptures audio from the infected system.\r\nUses COM objects IMMDeviceEnumerator, IAudioCaptureClient.\r\nProcess Watchdog – ansecprocesskeep.dll\r\nRegistered as service AnsecProcessKeep.\r\nConfirmed to be a watchdog that keeps a process running.\r\nThe process name is found in an .ini file.\r\nAll of these capabilities would have allowed the attackers to collect a significant amount of information from victim machines. The capabilities of these plugins also show that the main goal of the attackers during this campaign was information-gathering.\r\nDaggerfly’s development of these previously unseen plugins demonstrates that the attack group is continuing to actively develop its malware and the tools it can use to target victim networks.\r\nContinuation of a Trend\r\nTelecoms companies will always be a key target in intelligence gathering campaigns due to the access they can potentially provide to the communications of end-users.\r\nSymantec’s Threat Hunter team also spotted some other recent activity targeting telecoms companies that was linked with moderate confidence to the threat actor Othorene (aka Gallium), in what appeared to be a continuation of an intelligence-gathering campaign first reported on by SentinelOne under the name Operation Tainted Love in March. SentinelOne reported that in that campaign Othorene was targeting telecoms companies in the Middle East.\r\nOthorene has been active since around 2014, and it is believed to be a relatively small group that has a strong focus on the surveillance of individuals. There are some indications that Othorene may have links with the APT41 (aka Blackfly, Grayfly) APT group also. Overlap of both personnel and tactics, techniques, and procedures (TTPs) among Chinese APT groups is not uncommon, and can mean that attributing activity to one group with high confidence is difficult.\r\nIn the activity Symantec saw, we found three additional victims of the same campaign that SentinelOne detailed, located in Asia and Africa. Two of the three were subsidiaries of the same Middle Eastern telecoms firm. The attackers had been active on victim networks since November 2022. Symantec saw attackers dumping credentials and scanning the network using NbtScan.\r\nThe main malware (pc.exe dubbed mim221) in this campaign was used to dump credentials, and it had the same password as the malware used in the activity documented by SentinelOne. The attackers also moved laterally across victims’ networks, used Scheduled Task for persistence, and dumped SAM and System hives from the registry.
There were indications that the attackers may have exported the Active Directory database on victim machines, and they were also able to gain access to domain controllers, giving them deep access to victim networks.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.\r\nFile Indicators – Daggerfly\r\nMgBot Dropper\r\nMgBot – aasrvd.dll, pmsrvd.dll\r\nMgBot Plugins\r\nPlugX Loader – proccom.dll, djcu.dll\r\nDumpCredStore – dumpcredstore.ps1, a.ps1\r\nAnyDesk – anydesk.exe\r\nFile Indicators – Othorene\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt-attacks-telecoms-africa-mgbot",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt-attacks-telecoms-africa-mgbot"
	],
	"report_names": [
		"apt-attacks-telecoms-africa-mgbot"
	],
	"threat_actors": [
		{
			"id": "7bf3ffe5-09ba-4378-8ea4-a6d748a494fd",
			"created_at": "2022-10-25T15:50:23.264584Z",
			"updated_at": "2026-04-10T02:00:05.334294Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"GALLIUM",
				"Granite Typhoon"
			],
			"source_name": "MITRE:GALLIUM",
			"tools": [
				"ipconfig",
				"cmd",
				"China Chopper",
				"PoisonIvy",
				"at",
				"PlugX",
				"PingPull",
				"BlackMould",
				"Mimikatz",
				"PsExec",
				"HTRAN",
				"NBTscan",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aea3239c-a222-4b7f-8ac0-349222078817",
			"created_at": "2024-12-28T02:01:54.867096Z",
			"updated_at": "2026-04-10T02:00:04.840444Z",
			"deleted_at": null,
			"main_name": "Operation Tainted Love",
			"aliases": [],
			"source_name": "ETDA:Operation Tainted Love",
			"tools": [
				"Mimikatz",
				"mim221"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9faf32b7-0221-46ac-a716-c330c1f10c95",
			"created_at": "2022-10-25T16:07:23.652281Z",
			"updated_at": "2026-04-10T02:00:04.702108Z",
			"deleted_at": null,
			"main_name": "Gallium",
			"aliases": [
				"Alloy Taurus",
				"G0093",
				"Granite Typhoon",
				"Phantom Panda"
			],
			"source_name": "ETDA:Gallium",
			"tools": [
				"Agentemis",
				"BlackMould",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"Gh0stCringe RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"LaZagne",
				"Mimikatz",
				"NBTscan",
				"PingPull",
				"Plink",
				"Poison Ivy",
				"PsExec",
				"PuTTY Link",
				"QuarkBandit",
				"Quasar RAT",
				"QuasarRAT",
				"Reshell",
				"SPIVY",
				"SinoChopper",
				"SoftEther VPN",
				"Sword2033",
				"WCE",
				"WinRAR",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Yggdrasil",
				"cobeacon",
				"nbtscan",
				"netcat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c87ee2df-e528-4fa0-bed6-6ed29e390688",
			"created_at": "2023-01-06T13:46:39.150432Z",
			"updated_at": "2026-04-10T02:00:03.231072Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"Red Dev 4",
				"Alloy Taurus",
				"Granite Typhoon",
				"PHANTOM PANDA"
			],
			"source_name": "MISPGALAXY:GALLIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434615,
	"ts_updated_at": 1775792221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/28f271617373ab20f6c2a4d4b3f82008f2378701.pdf",
		"text": "https://archive.orkl.eu/28f271617373ab20f6c2a4d4b3f82008f2378701.txt",
		"img": "https://archive.orkl.eu/28f271617373ab20f6c2a4d4b3f82008f2378701.jpg"
	}
}