{
	"id": "9dc102ab-9ea6-4c93-b2d6-6ef76c78e80d",
	"created_at": "2026-04-06T00:10:36.32975Z",
	"updated_at": "2026-04-10T03:36:33.724392Z",
	"deleted_at": null,
	"sha1_hash": "2a016643f1a539e03bc88fc5a4500904d83f32ac",
	"title": "Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3628845,
	"plain_text": "Operation Diplomatic Specter: An Active Chinese Cyberespionage\r\nCampaign Leverages Rare Tool Set to Target Governmental\r\nEntities in the Middle East, Africa and Asia\r\nBy Lior Rochberger, Daniel Frank\r\nPublished: 2024-05-23 · Archived: 2026-04-02 10:47:45 UTC\r\nExecutive Summary\r\nA Chinese advanced persistent threat (APT) group has been conducting an ongoing campaign, which we call\r\nOperation Diplomatic Specter. This campaign has been targeting political entities in the Middle East, Africa and\r\nAsia since at least late 2022.\r\nAn analysis of this threat actor’s activity reveals long-term espionage operations against at least seven\r\ngovernmental entities. The threat actor performed intelligence collection efforts at a large scale, leveraging rare\r\nemail exfiltration techniques against compromised servers.\r\nThis collection effort includes attempts to obtain sensitive and classified information about the following entities,\r\nfocusing on current geopolitical affairs:\r\nDiplomatic and economic missions\r\nEmbassies\r\nMilitary operations\r\nPolitical meetings\r\nMinistries of the targeted countries\r\nHigh-ranking officials\r\nAs part of its espionage activities, the group makes use of a previously undocumented family of backdoors,\r\nincluding those that we have named TunnelSpecter and SweetSpecter.\r\nThe threat actor appears to closely monitor contemporary geopolitical developments, attempting to exfiltrate\r\ninformation daily. The threat actor’s modus operandi in cases we observed was to infiltrate targets’ mail servers\r\nand to search them for information. We observed multiple efforts to maintain persistence, including repeated\r\nattempts to adapt and regain access when the actor’s activities were disrupted. 
They also appear to return to the\r\nwell to search for relevant information when new geopolitical events occur.\r\nWe assess with high confidence that a single threat actor orchestrates Operation Diplomatic Specter, operating on\r\nbehalf of Chinese state-aligned interests. The tactics observed as part of this campaign show the extent to which\r\nChinese state-aligned threat actors attempt to gather information about affairs beyond the Asian region, even\r\nextending into the Middle East and Africa.\r\nhttps://unit42.paloaltonetworks.com/operation-diplomatic-specter/\r\nPage 1 of 20\n\nIt is unclear exactly how threat actors are using the intelligence collected as part of this campaign. However, the\r\ntopics the threat actors searched for reveal information about many key players in these regions and their\r\nconnections to China and other parts of the world. The topics they searched for provide researchers a window into\r\nthe possible priorities of Chinese state-aligned threat actors.\r\nIn addition, the threat actor’s repeated use of Exchange server exploits (ProxyLogon CVE-2021-26855 and\r\nProxyShell CVE-2021-34473) for initial access further emphasizes the importance for organizations to harden and\r\npatch sensitive internet-facing assets. This is especially true for known and prominent vulnerabilities, to reduce\r\nthe attack surface and maximize protection efforts.\r\nOrganizations that safeguard sensitive information should pay particular attention to commonly exploited\r\nvulnerabilities. 
They should also adhere to best practices when it comes to IT hygiene, as APTs often seek to gain\r\naccess through methods they know have been effective in the past.\r\nLastly, we are sharing our analysis to provide defenders with means to detect and protect themselves against such\r\nadvanced attacks.\r\nPalo Alto Networks customers are better protected against Operation Diplomatic Specter through the following:\r\nNetwork Security: Delivered through a Next-Generation Firewall (NGFW) configured with machine\r\nlearning enabled and cloud-delivered security services. This includes Advanced Threat Prevention,\r\nAdvanced URL Filtering, Advanced DNS Security and WildFire, a malware protection engine capable of\r\nidentifying and blocking malicious samples and infrastructure.\r\nSecurity Automation: Delivered through a Cortex XSOAR or XSIAM solution capable of providing SOC\r\nanalysts with a comprehensive understanding of the threat derived by stitching together data obtained from\r\nendpoints, network, cloud and identity systems.\r\nAnti-Exploit protection: Delivered through Cortex XSIAM and provides protection against exploitation of\r\ndifferent vulnerabilities including ProxyShell and ProxyLogon.\r\nCloud Security: Prisma Cloud Compute and WildFire integration can help detect and prevent malicious\r\nexecution of the Specter backdoor within Windows-based VM, container and serverless cloud\r\ninfrastructure.\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nOperation Diplomatic Specter Motivation and Victimology\r\nThe threat actor behind Operation Diplomatic Specter searches for information on politicians, military operations\r\nand personnel, as well as governmental ministries, with a particular focus on foreign affairs ministries and\r\nembassies. 
Figure 1 shows the regions where the threat actor targets organizations in the Middle East, Africa and\r\nAsia.\r\nFigure 1. Regions targeted in Operation Diplomatic Specter.\r\nMoreover, the threat actor appears to closely monitor contemporary geopolitical developments, demonstrating an\r\nintent to acquire information associated with ongoing events. The campaign has been operating since at least late\r\n2022, with automatic exfiltration attempts occurring daily, in addition to periodic efforts involving more hands-on-keyboard attention from the threat actor.\r\nThese events encompass a wide range of subjects, including the following:\r\nMilitary operations\r\nMeetings\r\nSummits\r\nConflicts\r\nOther pertinent aspects of current geopolitical affairs\r\nIn some cases, the threat actor searched for particular keywords and exfiltrated anything they could find related to\r\nthem, such as entire archived inboxes belonging to particular diplomatic missions or individuals. The threat actor\r\nalso exfiltrated files related to topics they were searching for.\r\nIn other cases, the threat actor’s exfiltration appeared more targeted and focused on the results of more\r\nspecific searches. 
Searches observed related to the following topics:\r\nChina-related geopolitical and economic information (meetings, summits, relationship with other countries,\r\ninformation related to President Xi)\r\nOPEC and energy industry\r\nMinistry of Foreign Affairs and embassies worldwide\r\nMinistry of Defense\r\nMilitary (operations, drills, code words, military units and personnel)\r\nThe relationship of the targeted countries with the Biden administration\r\nLocal and international political figures\r\nGeopolitical and economic information\r\nTelecommunications technology used by the targeted entities\r\nFigure 2 shows an example of the automated mailbox harvesting of one of the affected countries’ embassies and\r\ndiplomatic missions.\r\nFigure 2. Example of embassies’ email boxes targeted by the threat actor.\r\nFigures 3 and 4 show examples of the threat actor targeting mailboxes of the ministry of foreign affairs, ministry of\r\ndefense, as well as military organizations including the navy, air force and specific task forces of the targeted\r\ncountry.\r\nFigure 3. Example of ministry and military mailboxes targeted by the threat actor.\r\nFigure 4. Example of ministry and military mailboxes targeted by the threat actor.\r\nInvestigating the Actor Behind Operation Diplomatic Specter\r\nOperation Diplomatic Specter is the name we’ve given to the espionage campaign described above. The details\r\nwe’re sharing about this campaign are part of our ongoing investigation into an apparent Chinese state-aligned\r\nAPT group.\r\nSince late 2022, we have been tracking an activity cluster targeting governmental entities in the Middle East,\r\nAfrica and Asia. 
In earlier stages of our tracking, we referred to the cluster as “CL-STA-0043,” indicating a cluster\r\nof activity that we suspect is associated with state-backed motivation (as described in “It’s All in the Name: How\r\nUnit 42 Defines and Tracks Threat Adversaries”).\r\nWe published on CL-STA-0043 in June 2023 in “Through the Cortex XDR Lens: Uncovering a New Activity\r\nGroup Targeting Governments in the Middle East and Africa.”\r\nIn December 2023, Unit 42 published additional information related to CL-STA-0043 in “New Tool Set Found\r\nUsed Against Organizations in the Middle East, Africa and the US.”\r\nThe tactics, techniques and procedures (TTPs) associated with the threat actor behind this cluster are distinctive\r\nand rare. Some of these TTPs had not been reported as being used in the wild before, and some had been\r\nreported only a handful of times. For in-depth details of the TTPs observed in association with Operation\r\nDiplomatic Specter, please see Appendix A.\r\nThe threat actor demonstrated adaptability in attempting to thwart various mitigation efforts. They also sought to\r\nmaintain a persistent presence in compromised environments through the use of two novel and previously\r\nundocumented malware strains – SweetSpecter and TunnelSpecter.\r\nWe will cover the key details of these backdoors in the following section, Meet the Specter Family. For a deeper\r\ndive, please see Appendix B.\r\nAfter meticulously monitoring the threat actor's activities, evolution and changes over a year, we graduated the\r\nactivity cluster CL-STA-0043 to a temporary actor group (TGR-STA-0043) according to Unit 42’s cluster\r\nmaturation process. 
Essentially, the graduation indicates our confidence that a single actor is behind the activity\r\nobserved, and that we’ve established “several correlation points over time and across activity clusters.”\r\nIn relation to this process, we note that the threat actor appears to be aligned with Chinese state interests and bears\r\nthe hallmarks of Chinese APTs. For more details of this attribution, please read the section on Connection to the\r\nChinese Nexus. For more in-depth details, please see Appendix C.\r\nMeet the Specter Family – Cousins of Gh0st RAT\r\nOne of the TTPs that most characterizes TGR-STA-0043 (and Operation Diplomatic Specter) is the use of custom-built backdoors that were not publicly observed before. During our investigation, we uncovered a pair of unique\r\nand stealthy backdoors that we call the Specter family, including TunnelSpecter and SweetSpecter.\r\nWe named the pair the Specter family to acknowledge a similarity to Gh0st RAT (described below).\r\nTunnelSpecter’s name refers to its DNS tunneling functionality and SweetSpecter’s name references similarities to\r\nthe SugarGh0st RAT specifically.\r\nThe attackers used these backdoors to maintain stealthy access to their targets’ networks. The backdoors also\r\nprovided them with the ability to execute arbitrary commands, exfiltrate data, and deploy further malware and\r\ntools on the infected hosts.\r\nAccording to our analysis, we believe with a high level of confidence that these two distinct backdoors borrowed\r\nsmall portions of code from the Gh0st RAT source code that was leaked in 2008. 
However, these new backdoors\r\nappear to differ from other known Gh0st RAT variants.\r\nTunnelSpecter Key Features\r\nCustom-tailored for a specific target: it created a rogue user that we found on that target\r\nIt implemented data encryption and exfiltration over DNS tunneling for increased stealth\r\nIt executed arbitrary commands and stored its configuration data in a rarely seen registry key\r\nSweetSpecter Key Features\r\nIt communicated with the C2 using encrypted zlib packets transmitted over a raw TCP stream, in typical\r\nGh0st RAT fashion\r\nIts compilation time correlated with a unique campaign ID format, using a month and year as a\r\ncampaign identifier\r\nIt used unique registry keys to store other configuration data\r\nIt is noteworthy that we found a sample of Gh0st RAT in the same location as the Specter backdoors, further\r\nstrengthening the connection. On top of that, all of these backdoors communicated with the same embedded\r\ninfrastructure – subdomains of microsoft-ns1[.]com, as shown in Figure 5.\r\nFigure 5. The Gh0st RAT sample and Specter malware family used in Operation Diplomatic\r\nSpecter.\r\nFor an in-depth analysis of TunnelSpecter and SweetSpecter, please refer to Appendix B.\r\nA Gh0st RAT Variant Blasts From the Past\r\nOne of the types of malware used during the attacks associated with Operation Diplomatic Specter is the infamous\r\nGh0st RAT malware family. We observed that the threat actor attempted to use it to maintain a foothold in the\r\ncompromised environments.\r\nThe first Gh0st RAT binary that we encountered during the attacks was a large file (approximately 280 MB) by the\r\nname Tpwinprn.dll. 
The web shell dropped this file under the SysWOW64 folder, and it was executed using a\r\nrenamed rundll32.exe process.\r\nWhen investigating this binary, we found that it has a notable string in memory: Game Over Good Luck By Wind.\r\nFigure 6 shows that this string was also observed in the Gh0st RAT variant used in Operation Iron Tiger [PDF]\r\nback in 2015. Iron Taurus, aka APT27, carried out this operation.\r\nFigure 6. Game Over Good Luck By Wind mentioned in Operation Iron Tiger. Source: “Operation Iron\r\nTiger: Exploring Chinese Cyber-Espionage Attacks on United States Defense Contractors” [PDF]\r\n(p. 29).\r\nConnection to the Chinese Nexus\r\nOur investigation revealed strong connections and overlaps that tie the group behind Operation Diplomatic\r\nSpecter to the Chinese nexus of espionage-focused threat actors. These connections and overlaps, covered in\r\ngreater detail in Appendix C, consist of the following facets:\r\nInfrastructure: The activity in Operation Diplomatic Specter originated from a shared Chinese APT\r\noperational infrastructure, exclusively used by Chinese nation-state threat actors, such as Iron Taurus (aka\r\nAPT27), Starchy Taurus (aka Winnti) and Stately Taurus (aka Mustang Panda).\r\nActivity time frame: A statistical breakdown of the threat actor’s hands-on-keyboard interactive activity\r\ncorresponds to 09:00-17:00 working hours in UTC+8. This matches business hours in several Asian\r\ncountries, including China. 
Historically, many Chinese nation-state threat actors have been observed\r\noperating in this time frame.\r\nLinguistic artifacts: Several tools and files dropped by the threat actor included numerous comments and\r\ndebug strings in Mandarin, suggesting that the scripts’ creators may be Mandarin-speaking individuals.\r\nTools and malware commonly used by Chinese APTs: Aside from the unique tools and malware, the\r\nthreat actor also extensively used tools that are popular among Chinese threat actors, such as:\r\nCustomized Gh0st RAT samples\r\nPlugX\r\nHtran\r\nChina Chopper\r\nWhile any threat actor can use these tools, they are mostly observed being used (especially together) in attacks\r\ninvolving Chinese threat actors.\r\nUse of Chinese VPS: The attackers used Chinese VPS providers, such as Cloudie Limited and Zenlayer,\r\nfor several of their C2 servers.\r\nConclusion\r\nThe exfiltration techniques observed as part of Operation Diplomatic Specter provide a distinct window into the\r\npossible strategic objectives of the threat actor behind the attacks. The threat actor searched for highly sensitive\r\ninformation, encompassing details about military operations, diplomatic missions and embassies and foreign\r\naffairs ministries.\r\nOur research spanned more than a year of close monitoring of this activity, revealing that the threat actor (which we\r\ntrack as TGR-STA-0043) has a motivation and modus operandi aligned with Chinese APT groups.\r\nBesides using a rare set of tools, TGR-STA-0043 stands out for its persistence and adaptability. The threat actor\r\nunabashedly resumes operations even after exposure, displaying a brazen streak.\r\nNotably, TGR-STA-0043 continues to leverage known vulnerabilities in internet-facing servers. 
This underscores\r\nthe need for heightened vigilance and fortified cybersecurity measures across global governments and\r\norganizations.\r\nA resilient defense mechanism is not only essential for thwarting evolving cyberthreats but also for preserving the\r\nconfidentiality, integrity and availability of critical information. In cultivating a strong security posture, nations\r\ncan better safeguard their interests, protect against potential vulnerabilities and ensure the overall resilience of\r\ntheir cybersecurity frameworks.\r\nProtections and Mitigations\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this\r\ngroup:\r\nWildFire cloud-delivered malware analysis service accurately identifies the known samples as malicious.\r\nAdvanced URL Filtering and Advanced DNS Security identify domains associated with this group as\r\nmalicious.\r\nCortex XDR and XSIAM are designed to:\r\nPrevent the execution of known malicious malware, and also prevent the execution of unknown\r\nmalware using Behavioral Threat Protection and machine learning based on the Local Analysis\r\nmodule.\r\nProtect against credential gathering tools and techniques using the new Credential Gathering\r\nProtection available from Cortex XDR 3.4.\r\nProtect from threat actors dropping and executing commands from web shells using Anti-Webshell\r\nProtection, newly released in Cortex XDR 3.4.\r\nProtect against exploitation of different vulnerabilities including ProxyShell and ProxyLogon using\r\nthe Anti-Exploitation modules as well as Behavioral Threat Protection.\r\nDetect post-exploit activity, including credential-based attacks, with behavioral analytics, through\r\nCortex XDR Pro.\r\nPrisma Cloud Compute and WildFire integration can help detect and prevent malicious execution of the\r\nSpecter backdoor within Windows-based VM, container and serverless cloud infrastructure.\r\nIf you think you might have been impacted or have an urgent 
matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to\r\ntheir customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nMalware\r\nTunnelSpecter\r\nLoader:\r\n0e0b5c5c5d569e2ac8b70ace920c9f483f8d25aae7769583a721b202bcc0778f\r\nEncrypted payload:\r\n62dec3fd2cdbc1374ec102d027f09423aa2affe1fb40ca05bf742f249ad7eb51\r\nDecrypted payload:\r\n22d556db39bde212e6dbaa154e9bcf57527e7f51fa2f8f7a60f6d7109b94048e\r\nMutex:\r\n“blogs.bing.com”\r\nSweetSpecter\r\nLoader:\r\n0b980e7a5dd5df0d6f07aabd6e7e9fc2e3c9e156ef8c0a62a0e20cd23c333373\r\nEncrypted payload:\r\n8198c8b5eaf43b726594df62127bcb1a4e0e46cf5cb9fa170b8d4ac2a4dad179\r\nDecrypted payload:\r\n0f72e9eb5201b984d8926887694111ed09f28c87261df7aab663f5dc493e215f\r\nGh0st RAT\r\nd5a44380e4f7c1096b1dddb6366713aa8ecb76ef36f19079087fc76567588977\r\nInfrastructure\r\nDomains\r\nhome.microsoft-ns1[.]com\r\ncloud.microsoft-ns1[.]com\r\nstatic.microsoft-ns1[.]com\r\napi.microsoft-ns1[.]com\r\nupdate.microsoft-ns1[.]com\r\nlabour.govu[.]ml\r\ngovm[.]tk\r\nIPs\r\n103.108.192[.]238\r\n103.149.90[.]235\r\n192.225.226[.]217\r\n194.14.217[.]34\r\n103.108.67[.]153\r\nAdditional Resources\r\nThrough the Cortex XDR Lens: Uncovering a New Activity Group Targeting Governments in the Middle\r\nEast and Africa\r\nSpace Pirates: analyzing the tools and connections of a new hacker group\r\nOperation Iron Tiger: Exploring Chinese 
Cyber-Espionage Attacks on United States Defense Contractors\r\n[PDF]\r\nUncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations [PDF]\r\nOperation Earth Berberoka: An Analysis of a Multivector and Multiplatform APT Campaign Targeting\r\nOnline Gambling Sites [PDF]\r\nStorm Cloud Unleashed: Tibetan Focus of Highly Targeted Fake Flash Campaign\r\nHoly water: ongoing targeted water-holing attack in Asia\r\nOperation Exorcist: 7 years of targeted attacks against the Roman catholic church [PDF]\r\nNew Tool Set Found Used Against Organizations in the Middle East, Africa and the US\r\nAppendix A: Main TTPs Observed in Operation Diplomatic Specter\r\nFigure 7. TGR-STA-0043’s characteristics broken down by the attack lifecycle observed as part of\r\nOperation Diplomatic Specter.\r\nAs part of our observations of Operation Diplomatic Specter, we saw a distinctive set of TTPs. These TTPs\r\nindicate a high level of coordination, technical skill and determination – characteristics often associated with a\r\nnation-state threat actor. We previously wrote a deep technical analysis of the flow of the attack and the main\r\nTTPs.\r\nOverview of TGR-STA-0043’s Tools and Malware\r\nTable 1. TGR-STA-0043’s tools and malware.\r\nA review of the main TTPs follows:\r\nTargeted Data Exfiltration From Exchange Servers\r\nIn the context of targeted data exfiltration, TGR-STA-0043 exhibited a meticulous approach, particularly when\r\nabusing the Exchange Management Shell to steal hundreds of emails and adding PowerShell snap-ins\r\n(PSSnapins) to steal emails through a script. The threat actor strategically used those techniques to steal sensitive\r\nemails by employing specific keywords for data identification. 
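The following Python is an added example, not code from the Unit 42 report or from the actor’s tooling. It triages process telemetry for the pattern described above: an Exchange management snap-in being loaded and a mailbox search or export cmdlet run from under an IIS worker process (where a web shell executes), and it pulls out the search keywords so an analyst can see what the operator was collecting. The sample events, the cmdlet list and the scoring weights are constructed for this example; the report does not name the cmdlets the actor used.

```python
import re

# Constructed sample telemetry (parent process and command line) written for this
# example; it is not data from the report. Events 1 and 2 imitate a web shell under
# the Exchange IIS worker loading the management snap-in and pulling mail by keyword.
SAMPLE_EVENTS = [
    {'parent': 'w3wp.exe',
     'cmdline': 'powershell.exe -nop -c Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; '
                'Search-Mailbox -Identity mission-geneva -SearchQuery subject:OPEC '
                '-TargetMailbox staging -TargetFolder out'},
    {'parent': 'w3wp.exe',
     'cmdline': 'powershell.exe -nop -c Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; '
                'New-MailboxExportRequest -Mailbox mfa-protocol '
                '-ContentFilter {Subject -like *summit*} -Name ex1'},
    {'parent': 'explorer.exe', 'cmdline': 'powershell.exe Get-Date'},
    {'parent': 'services.exe', 'cmdline': 'w3wp.exe -ap MSExchangeOWAAppPool'},
]

# Exchange 2013+ management snap-in and cmdlets that read or export mailbox content.
# The report says the actor loaded a PSSnapin and searched by keyword but does not
# name the cmdlets; this list is our assumption of the likely candidates.
EXCHANGE_SNAPIN = 'microsoft.exchange.management.powershell'
MAILBOX_CMDLETS = ('search-mailbox', 'new-mailboxexportrequest', 'new-compliancesearch')
# IIS worker processes host the Exchange front end, so a web shell runs as w3wp.exe.
WEBSHELL_PARENTS = ('w3wp.exe',)
# Capture the argument of -SearchQuery/-ContentFilter: either a {...} script block
# or a single token. The sample lines carry no quoted strings, so quoting is not parsed.
FILTER_PARAMS = re.compile(r'-(SearchQuery|ContentFilter)[ ]+([{][^}]*[}]|[^ ]+)', re.IGNORECASE)
# Property names and operators that belong to the filter syntax, not to the intent.
OPERATORS = {'subject', 'body', 'from', 'to', 'like', 'and', 'or', 'not', 'received', 'sent'}


def extract_terms(cmdline):
    '''Return the search keywords from any -SearchQuery/-ContentFilter argument.
    These terms are what reveal the collection priorities of the operator.'''
    terms = []
    for _param, value in FILTER_PARAMS.findall(cmdline):
        for word in re.findall(r'[A-Za-z0-9]+', value):
            if len(word) >= 3 and word.lower() not in OPERATORS:
                terms.append(word)
    return terms


def score_event(event):
    '''Additive score: snap-in load (1) + mailbox cmdlet (2) + IIS parent (2).'''
    cmd = event['cmdline'].lower()
    score, reasons = 0, []
    if EXCHANGE_SNAPIN in cmd:
        score += 1
        reasons.append('exchange snap-in loaded')
    if any(c in cmd for c in MAILBOX_CMDLETS):
        score += 2
        reasons.append('mailbox search/export cmdlet')
    if event['parent'].lower() in WEBSHELL_PARENTS and 'powershell' in cmd:
        score += 2
        reasons.append('powershell spawned by IIS worker')
    return score, reasons


def triage(events, threshold=3):
    '''Return the events at or above the threshold, with reasons and extracted terms.'''
    findings = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            findings.append({'cmdline': event['cmdline'], 'score': score,
                             'reasons': reasons, 'terms': extract_terms(event['cmdline'])})
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_EVENTS):
        print(finding['score'], finding['reasons'], finding['terms'])
```

Run as a script it prints the two hits with their reasons and the terms OPEC and summit. In production the same logic would run over process-creation records (Sysmon event 1) or PowerShell script block logs (event 4104); the extracted terms are worth retaining as intelligence in their own right, since, as the report notes, they show what the collector was after.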
Those keywords served as critical indicators\r\nenabling us, as researchers, to gain a precise understanding of the information targeted by TGR-STA-0043.\r\nCredential Theft Using Network Providers\r\nTGR-STA-0043 used a variety of credential theft methods. While\r\ndeploying well-known techniques such as Mimikatz and dumping the SAM registry hive, the threat actor also introduced an\r\nuncommon credential theft tactic.\r\nThis novel approach involved the execution of a PowerShell script to register a new network provider, a method\r\nrecognized as a proof of concept (PoC) named NPPSpy, and alternatively known as Ntospy by Unit 42. This\r\ntechnique is rare and has been reported only a handful of times in the past.\r\nIn-Memory VBS Implant\r\nTo infiltrate the network, TGR-STA-0043 strategically focused on exploiting vulnerabilities within Microsoft\r\nExchange servers and public-facing web servers. The threat actor successfully gained access to specific targeted\r\nenvironments through the deployment of in-memory VBScript implants. This tactic not only underscored TGR-STA-0043's technical proficiency but also highlighted their ability to execute web shells in a clandestine manner\r\non-the-fly, while attempting to bypass security mitigations.\r\nDebut of the Yasso Penetration Tool Set\r\nThe emergence of a relatively new penetration testing tool set, Yasso, marked a shift in the tactics employed by\r\nTGR-STA-0043. This tool set encompassed a range of functionalities, including the following:\r\nScanning\r\nBrute forcing\r\nRemote interactive shell capabilities\r\nArbitrary command execution\r\nWhat set Yasso apart was its unique feature set, incorporating powerful SQL penetration functions and database\r\ncapabilities. 
At the time of writing, Yasso had not been publicly reported as being used in the wild by another\r\nthreat actor.\r\nAppendix B: Additional Technical Details on the Backdoors\r\nTunnelSpecter\r\nTunnelSpecter is a previously undocumented custom backdoor that the malware authors specifically customized for\r\nthe target. Figure 8 shows that the authors hard-coded this backdoor with a unique username,\r\nSUPPORT_388945c0. Notably, this username is a deliberate attempt to mimic the default account\r\nSUPPORT_388945a0, commonly associated with the Windows Remote Assistance feature.\r\nAn indication of the tailored nature of this malware is the preemptive creation of the same account\r\n(SUPPORT_388945c0). The threat actor created this account using a web shell within the compromised\r\nenvironment several weeks prior to the deployment of TunnelSpecter. TunnelSpecter also creates the user itself, as a\r\nfallback in case the web shell attempt failed. The actor then added the user (newly or\r\npreviously created) to the Administrators group.\r\nFigure 8. Embedded username and password in TunnelSpecter.\r\nThe main functionality of TunnelSpecter includes:\r\nFingerprinting the infected machine and creating a unique identifier for each infected host, based on the\r\nCRC32 hash of the machine's cpuid value.\r\nExecuting arbitrary commands by implementing a remote command-line interface. The supported\r\ncommands can gather different information about the infected machine, such as the operating system\r\nversion or host details.\r\nDNS tunneling for C2 communication, with the data hex-encoded and then obfuscated with a hard-coded Caesar\r\ncipher. When transmitting data, TunnelSpecter prepends the unique machine identifier\r\nfollowed by a predetermined flag (b, c, d or z) and then the stolen data content. 
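As an added example (not TunnelSpecter’s own code), the following Python reconstructs the message layout just described and pairs it with a decoder and a detection heuristic. The report gives the building blocks, a CRC32-of-cpuid host identifier, hex encoding under a hard-coded Caesar cipher, and the id, flag and data ordering, but not the shift value, the DNS label chunking or the query domain; the shift of 3, the leading sequence-number label and the c2.example placeholder domain are assumptions made here (the campaign itself used subdomains of microsoft-ns1[.]com).

```python
import zlib  # zlib.crc32 provides the CRC32 used for the host identifier

HEX = '0123456789abcdef'
SHIFT = 3                      # assumed: the report only says the shift is hard-coded
FLAGS = ('b', 'c', 'd', 'z')   # the four message flags named in the report
C2_DOMAIN = 'c2.example'       # placeholder standing in for the actor-controlled zone
MAX_LABEL = 63                 # RFC 1035 maximum DNS label length
MIN_SUSPECT_LABEL = 32         # detection threshold chosen for this example


def host_id(cpuid_bytes):
    '''Per-host identifier: CRC32 of the raw cpuid value, rendered as 8 hex digits.'''
    return format(zlib.crc32(cpuid_bytes) & 0xffffffff, '08x')


def caesar(hex_text, shift):
    '''Caesar shift over the 16-symbol hex alphabet. Because the alphabet is closed
    under the shift, the output still looks like hex; the detector below relies on that.'''
    return ''.join(HEX[(HEX.index(ch) + shift) % 16] for ch in hex_text)


def encode_message(hid, flag, payload):
    '''Layout from the report: host id, then flag, then Caesar(hex(payload)).'''
    if flag not in FLAGS:
        raise ValueError('unknown flag ' + flag)
    return hid + flag + caesar(payload.hex(), SHIFT)


def to_queries(message, domain=C2_DOMAIN):
    '''Split a message into 63-character labels, one query name per chunk. The
    leading sequence-number label is our assumption; the report does not
    describe the chunking.'''
    chunks = [message[i:i + MAX_LABEL] for i in range(0, len(message), MAX_LABEL)]
    return [f'{seq}.{chunk}.{domain}' for seq, chunk in enumerate(chunks)]


def decode_queries(names, domain=C2_DOMAIN):
    '''Server side: reassemble the chunks addressed to the C2 zone and unwrap them.'''
    suffix = '.' + domain
    parts = []
    for name in names:
        if name.endswith(suffix):
            seq, chunk = name.split('.')[:2]
            parts.append((int(seq), chunk))
    message = ''.join(chunk for _, chunk in sorted(parts))
    if len(message) < 9:
        raise ValueError('message too short')
    hid, flag, body = message[:8], message[8], message[9:]
    return hid, flag, bytes.fromhex(caesar(body, -SHIFT))


def suspicious_names(names):
    '''Cipher-agnostic detection: flag query names containing a long label that is
    almost entirely hex digits. The 0.9 ratio tolerates the non-hex z flag.'''
    hits = []
    for name in names:
        for label in name.split('.'):
            hexish = sum(ch in HEX for ch in label)
            if len(label) >= MIN_SUSPECT_LABEL and hexish >= 0.9 * len(label):
                hits.append(name)
                break
    return hits


if __name__ == '__main__':
    hid = host_id(b'GenuineIntel 0x906ea')  # constructed cpuid value
    queries = to_queries(encode_message(hid, 'c', b'ministry of defense memo'))
    print(queries)
    print(decode_queries(queries))
    print(suspicious_names(queries + ['www.example.com']))
```

The point the detector makes: a Caesar shift over the hex alphabet maps hex digits to hex digits, so the resulting labels still look like long hex strings and a plain hex-label heuristic catches them whether or not the shift is known. Pair it with per-zone volume counts, since the report describes automated exfiltration attempts occurring daily.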
Figure 9 below shows this\r\ncommunication.\r\nFigure 9. DNS tunneling communication implemented in TunnelSpecter.\r\nAs shown in Figure 10, Cortex XDR prevented TunnelSpecter, recognizing it as a suspicious DLL.\r\nFigure 10. Prevention alert for TunnelSpecter, raised by Cortex XDR.\r\nAlthough we could not see a clear similarity between TunnelSpecter and Gh0st RAT, TunnelSpecter does share\r\nsimilarities with the second backdoor we discovered, SweetSpecter (described below).\r\nSweetSpecter\r\nBased on our analysis of the SweetSpecter malware, we believe it was written by the same author as\r\nTunnelSpecter. We found that it shares code similarities with TunnelSpecter and SugarGh0st RAT. This RAT is a\r\nrelatively new variant of Gh0st RAT that emerged in November 2023 and that researchers at Talos observed\r\ntargeting governments in Asia.\r\nSweetSpecter implements Gh0st RAT’s known TCP communication scheme by sending a zlib-compressed TCP\r\npacket to the command and control server. SweetSpecter also performs add and XOR operations with the value 0x5f\r\non the compressed data to add an encryption layer and thwart network-based signatures.\r\nThe “Gh0st” header is absent in this variant; it is replaced by a random value seeded from the\r\nGetTickCount return value. Figure 11 below shows an example of the transmitted data:\r\n1. The aforementioned random value.\r\n2. The random value from (1) XORed with 0x2341, another value hard-coded in SweetSpecter.\r\n3. The length of the compressed buffer including the preliminary 12 header bytes.\r\n4. The length of the decompressed buffer.\r\n5. The zlib magic bytes 0x789c, which, like the rest of the compressed data, have been encoded by adding 0x5f and XORing with 0x5f.\r\nFigure 11. 
The content of the zlib compressed and encrypted TCP packet.\r\nSimilarities with SugarGh0st RAT include:\r\nUsing the HKLM\\SOFTWARE\\WOW6432Node\\ODBC registry key\r\nUsing the GPINFO registry key and default value as a second campaign identifier\r\nCampaign ID format, using a string representing a month and a year (e.g., 2023.03) as shown in Figure 12\r\nFigure 12. Campaign ID string similarity between SweetSpecter and SugarGh0st RAT.\r\nFinally, similarities with TunnelSpecter include:\r\nUsing the HKLM\\SOFTWARE\\WOW6432Node\\ODBC registry key\r\nGenerating the same host identifier from the cpuid instruction\r\nGenerating a mutex containing a domain name\r\nSimilar initial system profiling and data sent to the C2\r\nAs shown in Figure 13, Cortex XDR prevented SweetSpecter, recognizing it as a suspicious DLL.\r\nFigure 13. Prevention alert for SweetSpecter, raised by Cortex XDR.\r\nAppendix C: Additional Details on the Attribution to the Chinese Nexus\r\nInfrastructure\r\nOver the span of a year, we have been tracking and monitoring the infrastructure related to TGR-STA-0043, including the changes the threat actor made to its C2 servers over time.\r\nIn addition, we were able to uncover additional servers that are part of this complex operational infrastructure by\r\npivoting on strategic data points, based on the already established knowledge of the infrastructure.\r\nOur investigation revealed indications that the threat actor employed a substantial portion of the correlated\r\ninfrastructure, either presently or historically, as C2 servers for two prominent pieces of malware: PlugX and\r\nTrochilus RAT. 
These two pieces of malware (especially PlugX) are largely associated with Chinese threat actors.\r\nHowever, other threat actors can access and use them as well.\r\nAs depicted in Figure 14 below, we found multiple IP addresses related to the infrastructure, as well as domains\r\nand subdomains. Notably, the threat actor deliberately impersonated both legitimate Microsoft servers (e.g., *.microsoft-ns1[.]com) and\r\ngovernmental entities. For example, *.govu[.]ml masquerades as a Malian government domain. (The threat actor’s\r\nimpersonation does not imply any issues with the legitimate servers or governmental entities.)\r\nFigure 14. Maltego graph of the pivoting on the infrastructure used in Operation Diplomatic\r\nSpecter.\r\nOverlaps\r\nAs shown in the Maltego graph above, there are multiple overlaps between the infrastructure leveraged in\r\nOperation Diplomatic Specter and different operations, all associated with Chinese APTs.\r\nIP Address Overlaps\r\nThe first overlap observed involves the IP address 192.225.226[.]217, used as one of the main C2 servers for the\r\nthreat actor to communicate with at least one target. This IP was also observed in three different operations:\r\nSpace Pirates, which was not formally attributed to any specific group, but was attributed to Chinese\r\nthreat actors generally\r\nOperation Iron Tiger [PDF], which was attributed to Iron Taurus\r\nOperation Exorcist [PDF], which was not formally attributed to a specific Chinese APT, though the authors\r\nof that report found overlaps with Stately Taurus (aka Mustang Panda)\r\nSSL/TLS Certificate Overlaps/Pivoting\r\nThe other overlaps observed are related to the use of the same SSL certificate (SHA256:\r\n3d74df40e3d2730941ff64f275217ae6d46b20d7fbbd04123bc156daf8f6e85c). 
This certificate was observed in\r\nmultiple servers, some of which were overlapping with different activities, all associated with Chinese APTs.\r\nThe certificate pivoting led to the following IP addresses overlaps:\r\nThe IP address 27.255.79[.]17 resolves to the domain poer.whoamis[.]info. It was mentioned in the context\r\nof Operation Earth Berberoka [PDF], which was attributed to Iron Taurus. It was also mentioned in\r\nconnection to Starchy Taurus (aka Winnti).\r\nhttps://unit42.paloaltonetworks.com/operation-diplomatic-specter/\r\nPage 17 of 20\n\nThe IP address 108.61.178[.]125 that resolves to airjaldinet[.]ml, was mentioned in two operations: Storm\r\nCloud and Holy water. These two operations were linked to Chinese APTs with different confidence levels,\r\nbut they were not attributed to any specific group. In addition, the IP address 192.225.226[.]196, resolves\r\nto safer.ddns[.]us. It was also mentioned in the analysis of Operation Exorcist [PDF] mentioned above.\r\nActivity Time Frame\r\nDuring our analysis of compromised assets, we successfully traced the time frame of the threat actor's interactive\r\nsessions, focusing on hands-on-keyboard commands received from web shells and backdoors. Extensive mapping\r\nof the activity's working hours over several months revealed a notable and consistent pattern.\r\nFigure 15 below shows our findings indicate a strong alignment with a standard 9-to-5 workday within the UTC+8\r\ntime zone. This time frame notably corresponds to the working hours of several Asian countries, including but not\r\nlimited to China.\r\nFigure 15. TGR-STA-0043 hourly breakdown of activity.\r\nLinguistic Artifacts\r\nDuring our investigation, we acquired several scripts and files that prominently feature numerous comments and\r\ndebug strings in Mandarin, suggesting that the scripts’ creators are Mandarin-speaking individuals. 
One of those\r\nfiles is a web shell found on one compromised environment.\r\nFurther inspection of the code revealed a subtle resemblance between the code in the web shell we obtained and a\r\nGitHub repository of a penetration testing PoC tool. This tool is named GetShell, and was created three years ago.\r\nIt is possible that the web shell used by the threat actor borrowed code from this existing repository. However, the\r\nthreat actor appears to tailor the code to suit specific targets, modifying it based on the nature of the targeted data.\r\nIn particular, we identified a customized version of this web shell deployed on the Exchange servers of one of the\r\ntargets. This modified version, named ManagementMailboxPicker.aspx, demonstrated functionalities focused on\r\nfile uploads and not limited to images, as shown in Figure 16.\r\nhttps://unit42.paloaltonetworks.com/operation-diplomatic-specter/\r\nPage 18 of 20\n\nOur analysis suggests that the threat actor leveraged this web shell to manage the upload of files, potentially .pst\r\nand archive files containing email data. The nomenclature ManagementMailboxPicker.aspx further implies its role\r\nin the manipulation of mailbox-related activities.\r\nFigure 16. Mandarin strings observed in the sample.\r\nTools and Malware Commonly Used by Chinese APTs\r\nAnother facet of strengthening the connection to a Chinese threat actor lies in the tools and malware employed\r\nduring the operation. We observed multiple tools and malware commonly associated with a diverse range of\r\nChinese threat actors, including:\r\nGh0st RAT\r\nPlugX\r\nChina Chopper\r\nHtran\r\nWhile many Chinese threat actors seem to favor these tools, it's crucial to emphasize that the mere presence of\r\nthese tools and malware does not singularly establish a link or attribution to Chinese threat actors. 
While these\r\ntools are prevalent among such actors, they are not exclusive to this context and are accessible for use by other\r\nthreat actors as well.\r\nUse of Chinese VPS\r\nThe attackers used Chinese VPS providers, such as Cloudie Limited and Zenlayer, for several of their C2 servers.\r\nIt is interesting to note that some of those VPS services are offered in Yuan only. The fact that the service is\r\noffered only in Yuan can strengthen the connection to Chinese operators, but of course it’s not limited to them.\r\nhttps://unit42.paloaltonetworks.com/operation-diplomatic-specter/\r\nPage 19 of 20\n\nSource: https://unit42.paloaltonetworks.com/operation-diplomatic-specter/\r\nhttps://unit42.paloaltonetworks.com/operation-diplomatic-specter/\r\nPage 20 of 20",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/operation-diplomatic-specter/"
	],
	"report_names": [
		"operation-diplomatic-specter"
	],
	"threat_actors": [
		{
			"id": "536ca49a-2666-4005-8a50-e552fc7e16ef",
			"created_at": "2023-11-21T02:00:07.375813Z",
			"updated_at": "2026-04-10T02:00:03.471967Z",
			"deleted_at": null,
			"main_name": "Webworm",
			"aliases": [
				"Space Pirates"
			],
			"source_name": "MISPGALAXY:Webworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ffc66b49-9396-46af-966f-9376c4315f32",
			"created_at": "2023-11-21T02:00:07.339061Z",
			"updated_at": "2026-04-10T02:00:03.462317Z",
			"deleted_at": null,
			"main_name": "CL-STA-0043",
			"aliases": [
				"TGR-STA-0043"
			],
			"source_name": "MISPGALAXY:CL-STA-0043",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "452d2d74-e812-45d6-b0fe-b8a6cc4ebd01",
			"created_at": "2022-10-25T16:07:23.562676Z",
			"updated_at": "2026-04-10T02:00:04.662064Z",
			"deleted_at": null,
			"main_name": "Earth Berberoka",
			"aliases": [
				"GamblingPuppet"
			],
			"source_name": "ETDA:Earth Berberoka",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"AsyncRAT",
				"CinaRAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"PuppetLoader",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav",
				"Yggdrasil",
				"oRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "33eef76c-a6fa-4855-a77e-9a1e92fe8474",
			"created_at": "2023-11-21T02:00:07.393519Z",
			"updated_at": "2026-04-10T02:00:03.477407Z",
			"deleted_at": null,
			"main_name": "Storm Cloud",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm Cloud",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8e385d36-06a2-4294-b3d3-01fe8e9d95f4",
			"created_at": "2022-10-25T16:07:24.219051Z",
			"updated_at": "2026-04-10T02:00:04.902017Z",
			"deleted_at": null,
			"main_name": "Space Pirates",
			"aliases": [
				"Erudite Mogwai",
				"Webworm"
			],
			"source_name": "ETDA:Space Pirates",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"BH_A006",
				"Chymine",
				"Darkmoon",
				"Deed RAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"MyKLoadClient",
				"Mydoor",
				"PCRat",
				"PCShare",
				"POISONPLUG.SHADOW",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SnappyBee",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2664d6f5-f918-4978-87f8-f6afad7402c6",
			"created_at": "2023-01-06T13:46:39.393669Z",
			"updated_at": "2026-04-10T02:00:03.312065Z",
			"deleted_at": null,
			"main_name": "Earth Berberoka",
			"aliases": [
				"GamblingPuppet"
			],
			"source_name": "MISPGALAXY:Earth Berberoka",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cff2cedd-a198-4e79-ae67-19048084ae7f",
			"created_at": "2024-06-20T02:02:09.945126Z",
			"updated_at": "2026-04-10T02:00:04.79991Z",
			"deleted_at": null,
			"main_name": "Operation Diplomatic Specter",
			"aliases": [
				"CL-STA-0043",
				"TGR-STA-0043"
			],
			"source_name": "ETDA:Operation Diplomatic Specter",
			"tools": [
				"Agent Racoon",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"JuicyPotatoNG",
				"Kaba",
				"Korplug",
				"LadonGo",
				"Mimikatz",
				"Mimilite",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"Ntospy",
				"PCRat",
				"PlugX",
				"RedDelta",
				"SharpEfsPotato",
				"SinoChopper",
				"Sogu",
				"SweetSpecter",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TunnelSpecter",
				"Xamtrav",
				"Yasso",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434236,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2a016643f1a539e03bc88fc5a4500904d83f32ac.pdf",
		"text": "https://archive.orkl.eu/2a016643f1a539e03bc88fc5a4500904d83f32ac.txt",
		"img": "https://archive.orkl.eu/2a016643f1a539e03bc88fc5a4500904d83f32ac.jpg"
	}
}