{
	"id": "46d47a8f-aec3-412e-a0f1-abb8dcc904f9",
	"created_at": "2026-04-06T00:18:11.194553Z",
	"updated_at": "2026-04-10T03:36:33.393228Z",
	"deleted_at": null,
	"sha1_hash": "2b7585da9f910b26ab3e6bdd77c6551c01f7952b",
	"title": "LuminousMoth APT: Sweeping attacks for the chosen few",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 696750,
	"plain_text": "LuminousMoth APT: Sweeping attacks for the chosen few\r\nBy Mark Lechtik\r\nPublished: 2021-07-14 · Archived: 2026-04-05 14:19:59 UTC\r\nAPT actors are known for the frequently targeted nature of their attacks. Typically, they will handpick a set of\r\ntargets that in turn are handled with almost surgical precision, with infection vectors, malicious implants and\r\npayloads being tailored to the victims’ identities or environment. It’s not often we observe a large-scale attack\r\nconducted by actors fitting this profile, usually due to such attacks being noisy, and thus putting the underlying\r\noperation at risk of being compromised by security products or researchers.\r\nWe recently came across unusual APT activity that exhibits the latter trait – it was detected in high volumes, albeit\r\nmost likely aimed at a few targets of interest. This large-scale and highly active campaign was observed in South\r\nEast Asia and dates back to at least October 2020, with the most recent attacks seen around the time of writing. Most\r\nof the early sightings were in Myanmar, but it now appears the attackers are much more active in the Philippines,\r\nwhere there are more than 10 times as many known targets.\r\nFurther analysis revealed that the underlying actor, which we dubbed LuminousMoth, shows an affinity to the\r\nHoneyMyte group, otherwise known as Mustang Panda. This is evident in both network infrastructure connections,\r\nand the usage of similar TTPs to deploy the Cobalt Strike Beacon as a payload. In fact, our colleagues at ESET and\r\nAvast recently assessed that HoneyMyte was active in the same region. The proximity in time and common\r\noccurrence in Myanmar of both campaigns could suggest that various TTPs of HoneyMyte may have been borrowed\r\nfor the activity of LuminousMoth.\r\nMost notably though, we observed the capability of the culprit to spread to other hosts through the use of USB\r\ndrives. 
In some cases, this was followed by deployment of a signed, but fake version of the popular application\r\nZoom, which was in fact malware enabling the attackers to exfiltrate files from the compromised systems. The sheer\r\nvolume of the attacks raises the question of whether this is caused by a rapid replication through removable devices\r\nor by an unknown infection vector, such as a watering hole or a supply chain attack.\r\nIn this publication we aim to profile LuminousMoth as a separate entity, outlining the infection chain and unique\r\ntoolset it leverages, the scale and targeting in its campaigns as well as its connections to HoneyMyte through\r\ncommon TTPs and shared resources.\r\nWhat were the origins of the infections?\r\nWe identified two infection vectors used by LuminousMoth: the first one provides the attackers with initial access to\r\na system. It consists of sending a spear-phishing email to the victim containing a Dropbox download link. The link\r\nleads to a RAR archive that masquerades as a Word document by setting the “file_subpath” parameter to point to a\r\nfilename with a .DOCX extension.\r\nhxxps://www.dropbox[.]com/s/esh1ywo9irbexvd/COVID-19%20Case%2012-11-2020.rar?dl=0\u0026file_subpath=%2FCOVID-19+Case+12-11-2020%2FCOVID-19+Case+12-11-2020(2).docx\r\nhttps://securelist.com/apt-luminousmoth/103332/\r\nPage 1 of 13\r\nThe archive contains two malicious DLL libraries as well as two legitimate executables that sideload the DLL files.\r\nWe found multiple archives like this with file names of government entities in Myanmar, for example “COVID-19\r\nCase 12-11-2020(MOTC).rar” or “DACU Projects.r01” (MOTC is Myanmar’s Ministry of Transport and\r\nCommunications, and DACU refers to the Development Assistance Coordination Unit of the Foreign Economic\r\nRelations Department (FERD) in Myanmar).\r\nInfection chain\r\nThe second infection vector comes into play after the first one has successfully finished, whereby the malware tries\r\nto 
spread by infecting removable USB drives. This is made possible through the use of two components: the first is\r\na malicious library called “version.dll” that gets sideloaded by “igfxem.exe”, a Microsoft Silverlight executable\r\noriginally named “sllauncher.exe”. The second is “wwlib.dll”, another malicious library sideloaded by the legitimate\r\nbinary of “winword.exe”. The purpose of “version.dll” is to spread to removable devices, while the purpose of\r\n“wwlib.dll” is to download a Cobalt Strike beacon.\r\nThe first malicious library “version.dll” has three execution branches, chosen depending on the provided arguments,\r\nwhich are: “assist”, “system” or no argument. If the provided argument is “assist”, the malware creates an event\r\ncalled “nfvlqfnlqwnlf” to avoid multiple executions and runs “winword.exe” in order to sideload the next stage\r\n(“wwlib.dll”). Afterwards, it modifies the registry by adding an “Opera Browser Assistant” entry as a run key, thus\r\nachieving persistence and executing the malware with the “assist” parameter upon system startup.\r\nRegistry value to run the malware at system startup\r\nThen, the malware checks if there are any removable drives connected to the infected system. If any are found, it\r\nenumerates the files stored on the drive and saves the list to a file called “udisk.log”. Lastly, the malware is executed\r\nonce again with the “system” parameter.\r\nIf the provided argument is “system”, a different event named “qjlfqwle21ljl” is created. The purpose of this\r\nexecution branch is to deploy the malware on all connected removable devices, such as USB sticks or external\r\ndrives. If a drive is found, the malware creates hidden directories carrying non-ASCII characters on the drive and\r\nmoves all the victim’s files there, in addition to the two malicious libraries and legitimate executables. 
The malware\r\nthen renames the file “igfxem.exe” to “USB Driver.exe” and places it at the root of the drive along with\r\n“version.dll”. As a result, the victims are no longer able to view their own drive files and are left with only “USB\r\nDriver.exe”, meaning they will likely execute the malware to regain access to the hidden files.\r\nCopying the payload and creating a hidden directory on the removable drive\r\nIf no argument is provided, the malware executes the third execution branch. This branch is only launched in the\r\ncontext of a compromised removable drive by double-clicking “USB Driver.exe”. The malware first copies the four\r\nLuminousMoth samples stored in the hidden directory on the drive to “C:\\Users\\Public\\Documents\\Shared Virtual\r\nMachines\\”. Secondly, the malware executes “igfxem.exe” with the “assist” argument. Finally, “explorer.exe” gets\r\nexecuted to display the hidden files that were located on the drive before the compromise, and the user is able to\r\nview them.\r\nThe second library, “wwlib.dll”, is a loader. It gets sideloaded by “winword.exe” and emerged two months prior to\r\n“version.dll”, suggesting that earlier instances of the attack did not rely on replication through removable drives but\r\nwere probably distributed using other methods such as the spear-phishing emails we observed.\r\n“Wwlib.dll” fetches a payload by sending a GET request to the C2 address at “103.15.28[.]195”. The payload is a\r\nCobalt Strike beacon that uses the Gmail malleable profile to blend with benign traffic.\r\nDownloading a Cobalt Strike beacon from 103.15.28[.]195\r\nOlder spreading mechanism\r\nWe discovered an older version of the LuminousMoth infection chain that was used briefly before the introduction\r\nof “version.dll”. 
Instead of the usual combination of “version.dll” and “wwlib.dll”, a different library, also named\r\n“wwlib.dll”, is the first loader in this variant and is in charge of spreading to removable drives, while a second\r\n“DkAr.dll” library is in charge of downloading a Cobalt Strike beacon from the C2 server. This variant’s “wwlib.dll”\r\noffers two execution branches: one triggered by the argument “Assistant” and a second one with no arguments\r\ngiven. When this library is sideloaded by “winword.exe”, it creates an event called “fjsakljflwqlqewq”, adds a\r\nregistry value for persistence, and runs “PrvDisk.exe” that then sideloads “DkAr.dll”.\r\nThe final step taken by “wwlib.dll” is to copy itself to any removable USB device. To do so, the malware checks if\r\nthere are any files carrying a .DOC or .DOCX extension stored on the connected devices. If such a document is\r\nfound, the malware replaces it with the “winword.exe” binary, keeping the document’s file name but appending\r\n“.exe” to the end. The original document is then moved to a hidden directory. The “wwlib.dll” library is copied to\r\nthe same directory containing the fake document and the four samples (two legitimate PE files, two DLL libraries)\r\nare copied to “[USB_Drive letter]:\\System Volume Information\\en-AU\\Qantas”.\r\nIf the malware gets executed without the “Assistant” argument, this means the execution was started from a\r\ncompromised USB drive by double-clicking on the executable. In this case, the malware first executes\r\n“explorer.exe” to show the hidden directory with the original documents of the victim, and proceeds to copy the four\r\nLuminousMoth samples to “C:\\Users\\Public\\Documents\\Shared Virtual Machines\\”. 
Finally, it executes\r\n“winword.exe” with the “Assistant” argument to infect the new host to which the USB drive was connected.\r\nSince this variant relies on replacing Word documents with an executable, it is possible that the attackers chose the\r\n“winword.exe” binary for sideloading the malicious DLL due to its icon, which raises less suspicion about the\r\noriginal documents being tampered with. However, this means that the infection was limited only to USB drives that\r\nhave Word documents stored on them, and might explain the quick move to a more pervasive approach that infects\r\ndrives regardless of their content.\r\nPost exploitation tool: Fake Zoom application\r\nThe attackers deployed an additional malicious tool on some of the infected systems in Myanmar. Its purpose is to\r\nscan the infected systems for files with predefined extensions and exfiltrate them to a C2 server. Interestingly, this\r\nstealer impersonates the popular Zoom video telephony software. One measure to make it seem benign is a valid\r\ndigital signature provided with the binary along with a certificate that is owned by Founder Technology, a subsidiary\r\nof Peking University’s Founder Group, located in Shanghai.\r\nValid certificate of the fake Zoom application\r\nTo facilitate the exfiltration of data, the stealer parses a configuration file called “zVideoUpdate.ini”. While it is\r\nunclear how the malware is written to disk by the attackers, it is vital that the .ini file is dropped alongside it and\r\nplaced in the same directory in order to work. 
The configuration parameters that comprise this file are as follows (parameter name, then purpose):\r\nmeeting: Undetermined integer value that defaults to 60.\r\nssb_sdk: Undetermined integer value that defaults to 60.\r\nzAutoUpdate: URL of the C2 server which the stolen data will be uploaded to.\r\nXmppDll: Path to the utility used to archive exfiltrated files.\r\nzKBCrypto: List of exfiltrated file extensions that are searched in target directories. The extensions of\r\ninterest are delimited with the ‘;’ character.\r\nzCrashReport: Suffix string appended to the name of the staging directory used to host exfiltrated files\r\nbefore they are archived.\r\nzWebService: Path prefix for the exfiltration staging directory.\r\nzzhost: Path to the file that will hold a list of hashes corresponding to the files collected for\r\nexfiltration.\r\nArgName: AES key for configuration string encryption.\r\nVersion: AES IV for configuration string encryption.\r\nzDocConverter: Path #1 to a directory to look for files with the extensions intended for exfiltration.\r\nzTscoder: Path #2 to a directory to look for files with the extensions intended for exfiltration.\r\nzOutLookIMutil: Path #3 to a directory to look for files with the extensions intended for exfiltration.\r\nEach field in the configuration file (with the exception of Version, ArgName and zCrashReport) is encoded with\r\nBase64. While the authors incorporated logic and parameters that allow the decryption of some of the fields\r\nspecified above with the AES algorithm, it remains unused.\r\nThe stealer uses the parameters in order to scan the three specified directories (along with root paths of fixed and\r\nremovable drives) and search for files with the extensions given in the zKBCrypto parameter. 
Matching files will\r\nthen be copied to a staging directory created by the malware in a path constructed with the following structure:\r\n“\u003czWebService\u003e\\%Y-%m-%d %H-%M-%S\u003czCrashReport\u003e”. The string format in the directory’s name represents\r\nthe time and date of the malware’s execution.\r\nIn addition, the malware collects the metadata of the stolen files. One piece of this metadata is a list of the original\r\npaths of the exfiltrated files, which is written to a file named ‘VideoCoingLog.txt’. This file resides in\r\nthe aforementioned staging directory. Likewise, a second file is used to hold the list of hashes corresponding to the\r\nexfiltrated files and placed in the path specified in the zzhost parameter.\r\nAfter collection of the targeted files and their metadata, the malware executes an external utility in order to archive\r\nthe staging directory into a .rar file that will be placed in the path specified in the zWebService parameter. The\r\nmalware assumes the existence of the utility in a path specified under the XmppDll parameter, suggesting the\r\nattackers have prior knowledge of the infected system and its pre-installed applications.\r\nFinally, the malware seeks all files with a .rar extension within the zWebService directory that should be transmitted\r\nto the C2. The method used to send the archive makes use of a statically linked CURL library, which sets the\r\nparameters specified below when conducting the transaction to the server. The address of the C2 is taken from the\r\nzAutoUpdate parameter.\r\nCURL logic used to issue the archive of exfiltrated files to the C\u0026C\r\nPost exploitation tool: Chrome Cookies Stealer\r\nThe attackers deployed another tool on some infected systems that steals cookies from the Chrome browser. 
This\r\ntool requires the local username as an argument, as it is needed to access two files containing the data to be stolen:\r\nC:\\Users\\[USERNAME]\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies\r\nC:\\Users\\[USERNAME]\\AppData\\Local\\Google\\Chrome\\User Data\\Local State\r\nThe stealer starts by extracting the encrypted_key value stored in the “Local State” file. This key is base64 encoded\r\nand used to decode the cookies stored in the “Cookies” file. The stealer uses the CryptUnprotectData API function\r\nto decrypt the cookies and looks for eight specific cookie values: SID, OSID, HSID, SSID, LSID, APISID,\r\nSAPISID and ACCOUNT_CHOOSER:\r\nCookie values the stealer looks for\r\nOnce found, the malware simply displays the values of those cookies in the terminal. The Google policy available\r\nhere explains that these cookies are used to authenticate users:\r\nGoogle policy explaining the purpose of the cookies\r\nDuring our test, we set up a Gmail account and were able to duplicate our Gmail session by using the stolen cookies.\r\nWe can therefore conclude this post exploitation tool is dedicated to hijacking and impersonating the Gmail sessions\r\nof the targets.\r\nCommand and Control\r\nFor C2 communication, some of the LuminousMoth samples contacted IP addresses directly, whereas others\r\ncommunicated with the domain “updatecatalogs.com”.\r\n103.15.28[.]195\r\n202.59.10[.]253\r\nInfrastructure ties from those C2 servers helped reveal additional domains related to this attack that impersonate\r\nknown news outlets in Myanmar, such as MMTimes, 7Day News and The Irrawaddy. 
Another domain “mopfi-ferd[.]com” also impersonated the Foreign Economic Relations Department (FERD) of the Ministry of Planning,\r\nFinance and Industry (MOPFI) in Myanmar.\r\nmmtimes[.]net\r\nmmtimes[.]org\r\n7daydai1y[.]com\r\nirrawddy[.]com\r\nmopfi-ferd[.]com\r\n“Mopfi-ferd[.]com” resolved to an IP address that was associated with a domain masquerading as the Zoom API.\r\nSince we have seen the attackers deploying a fake Zoom application, it is possible this look-alike domain was used\r\nto hide malicious Zoom traffic, although we have no evidence of this.\r\nPotentially related Zoom look-alike domains\r\nWho were the targets?\r\nWe were able to identify a large number of targets infected by LuminousMoth, almost all of which are from the\r\nPhilippines and Myanmar. We came across approximately 100 victims in Myanmar, whereas in the Philippines the\r\nnumber was much higher, counting nearly 1,400 victims. It seems however that the actual targets were only a subset\r\nof these that included high-profile organizations, namely government entities located both within those countries\r\nand abroad.\r\nIt is likely that the high rate of infections is due to the nature of the LuminousMoth attack and its spreading\r\nmechanism, as the malware propagates by copying itself to removable drives connected to the system. Nevertheless,\r\nthe noticeable disparity between the extent of this activity in both countries might hint at an additional and unknown\r\ninfection vector being used solely in the Philippines. It could, however, simply be that the attackers are more\r\ninterested in going after targets from this region.\r\nConnections to HoneyMyte\r\nOver the course of our analysis, we noticed that LuminousMoth shares multiple similarities with the HoneyMyte\r\nthreat group. 
Both groups have been covered extensively in our private reports, and further details and analysis of\r\ntheir activity are available to customers of our private APT reporting service. For more information, contact:\r\nintelreports@kaspersky.com.\r\nLuminousMoth and HoneyMyte have similar targeting and TTPs, such as the usage of DLL side-loading and Cobalt\r\nStrike loaders, and a similar component to LuminousMoth’s Chrome cookie stealer was also seen in previous\r\nHoneyMyte activity. Lastly, we found infrastructure overlaps between the C2 servers used in the LuminousMoth\r\ncampaign and an older one that has been attributed to HoneyMyte.\r\nSome of LuminousMoth’s malicious artifacts communicate with “updatecatalogs[.]com”, which resolves to the\r\nsame IP address behind “webmail.mmtimes[.]net”. This domain was observed in a campaign that dates back to early\r\n2020, and was even found on some of the systems that were later infected with LuminousMoth. In this campaign, a\r\nlegitimate binary (“FmtOptions.exe”) sideloads a malicious DLL called “FmtOptions.dll”, which then decodes and\r\nexecutes the contents of the file “work.dat”. This infection flow also involves a service called “yerodns.dll” that\r\nimplements the same functionality as “FmtOptions.dll”.\r\nThe domain “webmail.mmtimes[.]net” previously resolved to the IP “45.204.9[.]70”. This address is associated with\r\nanother MMTimes look-alike domain used in a HoneyMyte campaign during 2020: “mmtimes[.]org”. In this case,\r\nthe legitimate executable “mcf.exe” loads “mcutil.dll”. The purpose of “mcutil.dll” is to decode and execute\r\n“mfc.ep”, a PlugX backdoor that communicates with “mmtimes[.]org”. 
Parts of this campaign were also covered in\r\none of our private reports discussing HoneyMyte’s usage of a watering hole to infect its victims.\r\nTherefore, based on the above findings, we can assess with medium to high confidence that the LuminousMoth\r\nactivity is indeed connected to HoneyMyte.\r\nConnection between HoneyMyte and LuminousMoth C2s\r\nConclusions\r\nLuminousMoth represents a formerly unknown cluster of activity that is affiliated with a Chinese-speaking actor. As\r\ndescribed in this report, there are multiple overlaps between resources used by LuminousMoth and those sighted in\r\nprevious activity of HoneyMyte. Both groups, whether related or not, have conducted activity of the same nature –\r\nlarge-scale attacks that affect a wide perimeter of targets with the aim of hitting a few that are of interest.\r\nOn the same note, this group’s activity and the apparent connections may hint at a wider phenomenon observed\r\nduring 2021 among Chinese-speaking actors, whereby many are re-tooling and producing new and unknown\r\nmalware implants. This allows them to obscure any ties to their former activities and blur their attribution to known\r\ngroups. 
With this challenge in mind, we continue to track the activity described in this publication with an eye to\r\nunderstanding its evolution and connection to previous attacks.\r\nIndicators of Compromise\r\nDomains and IPs\r\n103.15.28[.]195\r\n202.59.10[.]253\r\nupdatecatalogs[.]com\r\nmopfi-ferd[.]com\r\nmmtimes[.]net\r\nmmtimes[.]org\r\n7daydai1y[.]com\r\nirrawddy[.]com\r\nSource: https://securelist.com/apt-luminousmoth/103332/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://securelist.com/apt-luminousmoth/103332/"
	],
	"report_names": [
		"103332"
	],
	"threat_actors": [
		{
			"id": "7c00086d-9535-4552-8201-1dd725e41b12",
			"created_at": "2023-04-26T02:03:03.128736Z",
			"updated_at": "2026-04-10T02:00:05.239152Z",
			"deleted_at": null,
			"main_name": "LuminousMoth",
			"aliases": [
				"LuminousMoth"
			],
			"source_name": "MITRE:LuminousMoth",
			"tools": [
				"PlugX",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "92049df8-7902-48e8-ad17-97398b923698",
			"created_at": "2022-10-25T16:07:23.81315Z",
			"updated_at": "2026-04-10T02:00:04.757082Z",
			"deleted_at": null,
			"main_name": "LuminousMoth",
			"aliases": [],
			"source_name": "ETDA:LuminousMoth",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434691,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b7585da9f910b26ab3e6bdd77c6551c01f7952b.pdf",
		"text": "https://archive.orkl.eu/2b7585da9f910b26ab3e6bdd77c6551c01f7952b.txt",
		"img": "https://archive.orkl.eu/2b7585da9f910b26ab3e6bdd77c6551c01f7952b.jpg"
	}
}