{
	"id": "7683cf88-15a2-41ac-be7b-1fd7775cb623",
	"created_at": "2026-04-06T00:08:54.457645Z",
	"updated_at": "2026-04-10T03:35:58.915935Z",
	"deleted_at": null,
	"sha1_hash": "2c9321d90b7ad0c450f6f4ff08e87b53d06374bc",
	"title": "WINNTI GROUP: Insights From the Past",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 860151,
	"plain_text": "WINNTI GROUP: Insights From the Past\r\nBy Allison Ebel\r\nPublished: 2020-04-20 · Archived: 2026-04-05 19:37:15 UTC\r\nNewly uncovered DNS tunnelling technique, and new campaign against South Korean gaming company\r\nFigure 1: Timeline of attacks located in Germany and attributed to Winnti\r\nTable 1 – Winnti sample\r\nHashes | Compilation timestamp | Filename\r\nMD5: c893a12ff72698f09f89f778e4c9cd2b; SHA1: 06256946a69409cd18859bfa429184a282374d76; SHA256: df6af36626d375c5e8aff45c64bfc1975d753b109e126a6cb30ee0523550329c | 2015-08-06 01:52:51 | TmPfwRVS.dll\r\nhttps://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/\r\nPage 1 of 11\n\nTable 2 – Additional artifacts contained by bfa8948f72061eded548ef683830de068e438a6eaf2da44e0398a37ac3e26860\r\nHashes | Compilation timestamp | Filename\r\nMD5: c893a12ff72698f09f89f778e4c9cd2b; SHA1: 06256946a69409cd18859bfa429184a282374d76; SHA256: df6af36626d375c5e8aff45c64bfc1975d753b109e126a6cb30ee0523550329c | 2015-08-06 01:52:51 | TmPfwRVS.dll\r\nMD5: cf140dc4cad9e8216545593a4c08c7be; SHA1: 2b319b44451abb0596b9187e06f1fb7b4ace969d; SHA256: bfa8948f72061eded548ef683830de068e438a6eaf2da44e0398a37ac3e26860 | 2015-08-05 12:08:00 | driver1.sys\r\nMD5: cc95391d75ce2443740f60114fe30ae9; SHA1: 30d1dd1dd4f0ace7a4f2c24e31fb6a0ee33e8a3a; SHA256: 8ddc6dd9fc3640cd786dfbc72212cd001d9369817aa69e0a2fa25e29560badcf | 2015-05-05 11:31:13 | driver2.sys\r\nMD5: b4e66b445b39d0368bbe4b91a3cd98ff; SHA1: 2bc358ddc72f59ba0373b8635ab08ad747c12180; SHA256: 1865013aaca0f12679e35f06c4dad4e00d6372415ee8390b17b4f910fee1f7a2 | 2014-12-15 16:06:41 | dsefix.exe\r\nMD5: eaea9ccb40c82af8f3867cd0f4dd5e9d; SHA1: 7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c; SHA256: cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986 | 2008-May-31 02:18:53 UTC | vboxdrv.sys\r\nAnalysis of dsefix.exe\r\nThis is essentially Windows x64 Driver Signature 
Enforcement Overrider (DSEFix), used to temporarily disable driver signature enforcement on Windows systems by means of an included old, legitimately signed and exploitable VirtualBox driver. By running dsefix.exe, the malware can bypass driver verification and install its own drivers. We identified the following two drivers embedded in the main artifact described earlier. Note that this technique does not work on modern Windows (e.g. Windows 10) – yet another piece of evidence that this malware was designed and used multiple years ago.\r\nAnalysis of vboxdriver\r\nThis is the vulnerable, correctly signed VirtualBox driver that is used for exploitation. It is used regularly by various threat actors, and by the previously highlighted dsefix.exe. The driver can also be used to perform the Turla Driver Loader (TDL) exploitation technique, which is similar to DSEFix.\r\nAnalysis of driver1.sys\r\nIn late 2019, ExaTrack released their analysis of a signed Winnti rootkit previously observed in the wild, which we confirm is essentially the same rootkit driver. The sample is capable of injecting raw packets into the network and receiving specially formatted packets. In comparison, our variant has the exact same number of bytes, and large parts match exactly.\r\nAnalysis of driver2.sys\r\nThis rootkit driver seems to be largely the same as driver1.sys, with the same characteristics including structure, I/O control, and device strings. However, this driver supports different versions of Windows. 
It checks for ranges of Windows NT build numbers and returns early.\r\nC2 DNS Tunneling\r\nBy analyzing the malware, it is possible to find two network indicators within its code:\r\nFigure 3 – observed network IoCs in Winnti sample\r\nThe hardcoded 208.67.222.222 is a legitimate OpenDNS DNS server (resolver1.opendns.com). This IP is pushed into a list that is generated by the malware at runtime. Likely, the initialization routine also populates the list with the system’s DNS server, and the OpenDNS server is only used as a fallback to ensure the C2 domain gets resolved.\r\nThe dick[.]mooo[.]com FQDN is offered by FreeDNS, a free dynamic DNS service. Notably, in recent years multiple researchers have reported Winnti/PlugX C2 hostnames hosted in the mooo[.]com zone. In the code we observed that a dot (.) is enforced before the FQDN. Additional analysis revealed that the malware generates subdomains with base128 encoding and appends them to the FQDN.\r\nCode 1 – Hostname length restriction\r\nFurther, dots are inserted every 57 characters, potentially as a hostname length restriction, suggesting the expectation of long hostnames. We confirm the buffer can support FQDNs of up to 2000 characters.\r\nUpon further investigation we found that the malware includes the open source iodine source code, software that enables the tunneling of IPv4 data through a DNS server. Interestingly, we are not aware of any earlier documentation highlighting Winnti specifically leveraging iodine for DNS tunneling. 
However, researchers at the Ruhr University Bochum, while hunting for DNS tunnels, observed the APT32 and Wekby APT groups using NULL and TXT records as a C2 communication channel, and also mentioned the mooo[.]com domain in their findings.\r\nThe implementation of iodine used in the Winnti sample is integrated and uses a custom wrapper, as evidenced by the matching functions we discuss in further detail in the following section.\r\nUse of Iodine for C2 DNS Tunneling\r\nThe iodine DNS tunneling solution is embedded in the DLL that is initially loaded and executed in memory, and includes at least the following 15 matching functions:\r\nTable 3 – Malware DLL Functions\r\nFor instance, the 64-bit executable contains the build_hostname function (Code 2), which corresponds with the older 32-bit version (compiled with debug symbols) of iodine 0.6.0 (Code 3):\r\nCode 2 – iodine_0-6-0_build_hostname\r\nCode 3 – iodine_0-6-0_build_hostname\r\nBased on the presence of the functions base128_blksize_enc and base128_blksize_raw, we determined that the version used, while not exactly known, is from before May 2017, when a patch removed those functions. Further, comparative analysis indicates that for the implementation of iodine in this Winnti attack operation there is no perfect match with either of the two versions that have 64-bit pre-compiled binaries. 
This indicates iodine was compiled from source, and it is reasonable to conclude it is being used as a library rather than in its normal distribution format of a standalone executable.\r\nThe DNS tunneling technique adopted by the malware through the use of iodine is detailed in the figure below.\r\nFigure 4 – C2 channel over DNS\r\nThe NULL DNS record type\r\nThe implementation of NULL type tunneling can be observed in the following excerpt taken while reversing the malware:\r\nThe third argument when calling dns_encode shall be of the type “struct query” from iodine’s dns.c.\r\nAccording to common.h, “struct query” is defined as:\r\nSince QUERY_NAME_SIZE equals 512 (4 * 128; integers are 4 bytes), the query[128] access obtained from the reversing activity indeed refers to the DNS query type field.\r\nAs noted, the reversing activity showed the query[128] value to be 0xa. From iodine’s windows.h, T_NULL is DNS_TYPE_NULL.\r\nFinally, from Windows’s documentation, DNS_TYPE_NULL is a Windows constant equal to 0xa.\r\nWinnti Signed Code With Digital Certificate from IQ Technology\r\nDuring our analysis of the Winnti sample configured to target the German chemical company, our comparative analysis of other Winnti related drivers revealed a digital certificate issued to IQ Technology, a Taiwanese company producing natural language processing (NLP) and artificial intelligence (AI) software. The rootkit driver aligns with the already known driver1.sys. 
While it is a known TTP that Winnti-attributed attacks have involved stolen digital certificates for code signing their malware components, the use of this certificate is not publicly discussed, except for a brief report from a security researcher apparently associated with a Vietnamese security company. Although the report is no longer online, the discussed sample contains a compilation timestamp of August 2015, which is the earliest one observed in the wild that we identified using this digital certificate. At the time of analysis, the digital certificate was already revoked.\r\nThe sample’s structure, debug symbols, and explanatory debug messages included within suggest it is highly likely to be a development version. Additionally, the compilation timestamp indicates the sample was created 20 minutes prior to driver1.sys. Both samples are highly related, and their contents combined with the date of analysis and reporting essentially solidify that it existed in 2015; however, this does not necessarily corroborate an attack timeframe.\r\nSample Targeting South Korean Gaming Company\r\nTable 3 – observed network IoCs in Winnti sample\r\nHashes | Compilation timestamp\r\nMD5: 00961922e22e6a5d30b1d6fbd667d3c4; SHA1: 0fd54c26b593bd9e9218492d50d8873521c0ec0d; SHA256: 4209b457f3b42dd2e1e119f2c9dd5b5fb1d063a77b49c7acbae89bbe4e284fb9 | 2016-03-07 09:44:01\r\nOn 21 February, we detected the new submission of a 64-bit Winnti executable to a public online malware scanning service. 
As multiple researchers have reported, Winnti operators embed the name of their target directly into the malware, but in an obfuscated manner.\r\nBinary Analysis\r\nThe sample resembles the Winnti dropper Install.exe described by ESET, since it is a command line executable used to drop and load an additional encrypted payload:\r\nUnfortunately, we were not able to find the payload meant to be decrypted by this dropper.\r\nHowever, we were able to extract the malware’s configuration file and identify the intended target. In this case, the following string was included within the extracted configuration:\r\nBased on previous knowledge and targeting of the Winnti Group, we assess that this sample was likely used to target Gravity Co., Ltd., a South Korean video game company. The company is known for its massively multiplayer online role-playing game (MMORPG) Ragnarok Online, which is also offered as a mobile application. As we have also reported in the past, the video game industry is one of the preferred targets of the Winnti Group, especially companies operating in South Korea and Taiwan. Interestingly, ESET researchers, while reporting on multiple Winnti Group campaigns targeting the video game industry, listed in their report a C2 server with the Campaign ID GRA KR 0629.\r\nAt this time, we do not have any further evidence supporting a potential link between the sample we analysed and the C2 detailed by ESET, but the coincidence between ESET’s C2 Campaign ID/Location and the Campaign ID we extracted from the Winnti dropper is worth noting.\r\nConclusion\r\nThe Winnti Group has exhibited its ability to breach different organizations and conduct sophisticated attack operations, typically motivated by espionage and financial gain, with various TTPs and malware toolkits. 
While attribution is not concrete due to the complexity of the group, there are links that can be drawn between operations which suggest the threat actors perpetrating the attacks are likely operating within the Winnti Group, or at least sharing resources.\r\nThe detection of this unreported Winnti variant uploaded to VirusTotal and targeting a German chemical company aligns with our prior observations and research from previous intelligence reporting highlighting the Winnti Group’s interest in German DAX companies. As a result, organizations of all sizes, but especially small to medium sized companies, including Germany’s hidden champions, should prepare against such threats, as they are vital to the economic ecosystem and the continuous development of niche markets. Government oversight (local, regional, and across the EU) should ensure susceptible organizations such as these are following regulation and implementing security best practices to protect against future attacks.\r\nAppendix\r\nIndicators of Compromise\r\n4209b457f3b42dd2e1e119f2c9dd5b5fb1d063a77b49c7acbae89bbe4e284fb9\r\ncf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986\r\n1865013aaca0f12679e35f06c4dad4e00d6372415ee8390b17b4f910fee1f7a2\r\n8ddc6dd9fc3640cd786dfbc72212cd001d9369817aa69e0a2fa25e29560badcf\r\nbfa8948f72061eded548ef683830de068e438a6eaf2da44e0398a37ac3e26860\r\ndf6af36626d375c5e8aff45c64bfc1975d753b109e126a6cb30ee0523550329c\r\n*.dick[.]mooo[.]com\r\n208[.]67[.]222[.]222\r\n45[.]248[.]85[.]200\r\nMITRE ATT\u0026CK\r\nTactic | Technique | Recommended Course of Action\r\nPersistence / Privilege Escalation | T1215 Kernel Modules and Extensions; T1068 Exploitation for Privilege Escalation | Antivirus software and advanced endpoint solutions can drastically reduce the risk of both techniques.\r\nDefense Evasion | T1009 Binary Padding; T1014 Rootkit; T1116 Code Signing | Many of the samples analysed were signed with expired or revoked certificates. Enforce signature validation for executables via Group Policies.\r\nExfiltration | T1022 Data Encrypted; T1048 Exfiltration Over Alternative Protocol | – For DNS tunnels, ensure that DNS logs are collected and reviewed. – DNS telemetry data should also be collected in order to spot frequent and heavily loaded DNS communication that is definitely not related to a usual DNS query. – FreeDNS and DynDNS servers should be blacklisted/sinkholed if not strictly required. – DNS NULL type queries should be avoided; only the required record types should be allowed.\r\nSource: https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/"
	],
	"report_names": [
		"winnti-group-insights-from-the-past"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "17b92337-ca5f-48bb-926b-c93b5e5678a4",
			"created_at": "2022-10-25T16:07:23.333316Z",
			"updated_at": "2026-04-10T02:00:04.546474Z",
			"deleted_at": null,
			"main_name": "APT 18",
			"aliases": [
				"APT 18",
				"Dynamite Panda",
				"G0026",
				"Red Wraith",
				"SILVERVIPER",
				"Satin Typhoon",
				"Scandium",
				"TG-0416",
				"Wekby"
			],
			"source_name": "ETDA:APT 18",
			"tools": [
				"AngryRebel",
				"AtNow",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HttpBrowser RAT",
				"HttpDump",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Pisloader",
				"QUICKBALL",
				"Roseam",
				"StickyFingers",
				"Token Control",
				"TokenControl",
				"hcdLoader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8aefee7-fb57-409b-857e-23e986cb4a56",
			"created_at": "2023-01-06T13:46:38.285223Z",
			"updated_at": "2026-04-10T02:00:02.910756Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"SCANDIUM",
				"PLA Navy",
				"Wekby",
				"G0026",
				"Satin Typhoon",
				"DYNAMITE PANDA",
				"TG-0416"
			],
			"source_name": "MISPGALAXY:APT18",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434134,
	"ts_updated_at": 1775792158,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2c9321d90b7ad0c450f6f4ff08e87b53d06374bc.pdf",
		"text": "https://archive.orkl.eu/2c9321d90b7ad0c450f6f4ff08e87b53d06374bc.txt",
		"img": "https://archive.orkl.eu/2c9321d90b7ad0c450f6f4ff08e87b53d06374bc.jpg"
	}
}