{
	"id": "37a28dc1-4eda-4f80-b79f-19ac7ff19819",
	"created_at": "2026-04-06T00:08:34.706897Z",
	"updated_at": "2026-04-10T13:11:28.842521Z",
	"deleted_at": null,
	"sha1_hash": "2e693dd56de6fab128e7ae72fd075a3a0e4f51ce",
	"title": "You never walk alone: The SideWalk backdoor gets a Linux variant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2964532,
	"plain_text": "You never walk alone: The SideWalk backdoor gets a Linux variant\r\nBy Vladislav Hrčka, Thibaut Passilly, Mathieu Tartare\r\nArchived: 2026-04-05 14:06:13 UTC\r\nESET researchers have discovered a Linux variant of the SideWalk backdoor, one of the multiple custom implants used\r\nby the SparklingGoblin APT group. This variant was deployed against a Hong Kong university in February 2021, the\r\nsame university that had already been targeted by SparklingGoblin during the student protests in May 2020. We\r\noriginally named this backdoor StageClient, but now refer to it simply as SideWalk Linux. We also discovered that a\r\npreviously known Linux backdoor – the Specter RAT, first documented by 360 Netlab – is also actually a SideWalk\r\nLinux variant, having multiple commonalities with the samples we identified.\r\nSparklingGoblin is an APT group whose tactics, techniques, and procedures (TTPs) partially overlap with APT41 and\r\nBARIUM. It makes use of Motnug and ChaCha20-based loaders, the CROSSWALK and SideWalk backdoors, along\r\nwith Korplug (aka PlugX) and Cobalt Strike. While the group targets mostly East and Southeast Asia, we have also seen\r\nSparklingGoblin targeting a broad range of organizations and verticals around the world, with a particular focus on the\r\nacademic sector. SparklingGoblin is one of the groups with access to the ShadowPad backdoor.\r\nThis blogpost documents SideWalk Linux, its victimology, and its numerous similarities with the originally discovered\r\nSideWalk backdoor.\r\nAttribution\r\nThe SideWalk backdoor is exclusive to SparklingGoblin. 
In addition to the multiple code similarities between the Linux\r\nvariants of SideWalk and various SparklingGoblin tools, one of the SideWalk Linux samples uses a C\u0026C address\r\n(66.42.103[.]222) that was previously used by SparklingGoblin.\r\nConsidering all of these factors, we attribute with high confidence SideWalk Linux to the SparklingGoblin APT group.\r\nVictimology\r\nEven though there are various SideWalk Linux samples, as we now know them, on VirusTotal, in our telemetry we have\r\nfound only one victim compromised with this SideWalk variant: a Hong Kong university that, amidst student protests,\r\nhad previously been targeted by both SparklingGoblin (using the Motnug loader and the CROSSWALK backdoor) and\r\nFishmonger (using the ShadowPad and Spyder backdoors). Note that at that time we put those two different clusters of\r\nactivity under the broader Winnti Group denomination.\r\nSparklingGoblin first compromised this particular university in May 2020, and we first detected the Linux variant of\r\nSideWalk in that university’s network in February 2021. The group continuously targeted this organization over a long\r\nperiod of time, successfully compromising multiple key servers, including a print server, an email server, and a server\r\nused to manage student schedules and course registrations.\r\nThe road to SideWalk Linux\r\nhttps://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/\r\nPage 1 of 12\n\nSideWalk, which we first described in its Windows form in our blogpost on August 24th, 2021, is a multipurpose\r\nbackdoor that can load additional modules sent from the C\u0026C server. It makes use of Google Docs as a dead-drop\r\nresolver, and Cloudflare workers as its C\u0026C server. It can properly handle communication behind a proxy.\r\nThe compromise chain is currently unknown, but we think that the initial attack vector could have been exploitation. 
This\r\nhypothesis is based on the 360 Netlab article describing the Specter botnet targeting IP cameras, and NVR and DVR\r\ndevices, and the fact that the Hong Kong victim used a vulnerable WordPress server, since there were many attempts to\r\ninstall various webshells.\r\nWe first documented the Linux variant of SideWalk as StageClient on July 2nd, 2021, without making the connection at\r\nthat time to SparklingGoblin and its custom SideWalk backdoor. The original name was used because of the repeated\r\nappearances of the string StageClient in the code.\r\nWhile researching StageClient further, we found a blogpost about the Specter botnet described by 360 Netlab. That\r\nblogpost describes a modular Linux backdoor with flexible configuration that uses a ChaCha20 encryption variant –\r\nbasically a subset of StageClient’s functionality. Further inspection confirmed this hypothesis; we additionally found a\r\nhuge overlap in functionality, infrastructure, and symbols present in all the binaries.\r\nWe compared the StageClient sample E5E6E100876E652189E7D25FFCF06DE959093433 with the Specter sample\r\n7DF0BE2774B17F672B96860D013A933E97862E6C and found numerous similarities, some of which we list below.\r\nFirst, there is an overlap in C\u0026C commands. Next, the samples have the same structure of configuration and encryption\r\nmethod (see Figure 1 and Figure 2).\r\nFigure 1. StageClient’s configuration with modified symbols\r\nFigure 2. Specter’s configuration with modified symbols\r\nAdditionally, the samples’ modules are managed in almost the same way, and the majority of the interfaces are identical;\r\nmodules of StageClient only need to implement one additional handler, which is for closing the module. 
Three out of the\r\nfive known modules are almost identical.\r\nLastly, we could see striking overlaps in the network protocols of the compared samples. A variant of ChaCha20 is used\r\ntwice for encryption with LZ4 compression in the very same way. Both StageClient and Specter create a number of\r\nthreads (see Figure 3 and Figure 4) to manage sending and receiving asynchronous messages along with heartbeats.\r\nFigure 3. A part of StageClient’s StageClient::StartNetwork function\r\nFigure 4. A part of Specter’s StartNetwork function\r\nDespite all these striking similarities, there are several changes. The most notable ones are the following:\r\nThe authors switched from the C language to C++. The reason is unknown, but it should be easier to implement\r\nsuch modular architecture in C++ due to its polymorphism support.\r\nAn option to exchange messages over HTTP was added (see Figure 5 and Figure 6).\r\nFigure 5. Sending a message in StageClient\r\nFigure 6. Sending a message in Specter\r\nDownloadable plugins were replaced with precompiled modules that fulfill the same purpose; a number of new\r\ncommands and two new modules were added.\r\nAdded the module TaskSchedulerMod, which operates as a built-in cron utility. Its cron table is stored in memory;\r\nthe jobs are received over the network and executed as shell commands.\r\nAdded the module SysInfoMgr, which provides information about the underlying system such as the list of\r\ninstalled packages and hardware details.\r\nThese similarities convince us that Specter and StageClient are from the same malware family. 
However, considering the\r\nnumerous code overlaps between the StageClient variant used against the Hong Kong university in February 2021 and\r\nSideWalk for Windows, as described in the next section, we now believe that Specter and StageClient are both Linux\r\nvariants of SideWalk, so we have decided to refer to them as SideWalk Linux.\r\nSimilarities with the Windows variant\r\nSideWalk Windows and SideWalk Linux share too many similarities to describe within the confines of this blogpost, so\r\nhere we only cover the most striking ones.\r\nChaCha20\r\nAn obvious similarity is noticeable in the implementations of ChaCha20 encryption: both variants use a counter with an\r\ninitial value of 0x0B, which was previously mentioned in our blogpost as a specificity of SideWalk’s ChaCha20\r\nimplementation.\r\nSoftware architecture\r\nOne SideWalk particularity is the use of multiple threads to execute one specific task. We noticed that in both variants\r\nthere are exactly five threads executed simultaneously, each of them having a specific task. The following list describes\r\nthe function of each; the thread names are from the code:\r\nStageClient::ThreadNetworkReverse\r\nIf a connection to the C\u0026C server is not already established, this thread periodically attempts to retrieve the local\r\nproxy configuration and the C\u0026C server location from the dead-drop resolver. 
If the previous step was successful,\r\nit attempts to initiate a connection to the C\u0026C server.\r\nStageClient::ThreadHeartDetect\r\nIf the backdoor did not receive a command in the specified amount of time, this thread can terminate the\r\nconnection with the C\u0026C server or switch to a “nap” mode that introduces minor changes to the behavior.\r\nStageClient::ThreadPollingDriven\r\nIf there is no other queued data to send, this thread periodically sends a heartbeat command to the C\u0026C server that\r\ncan additionally contain the current time.\r\nStageClient::ThreadBizMsgSend\r\nThis thread periodically checks whether there is data to be sent in the message queues used by all the other threads\r\nand, if so, processes it.\r\nStageClient::ThreadBizMsgHandler\r\nThis thread periodically checks whether there are any pending messages received from the C\u0026C server and, if so,\r\nhandles them.\r\nConfiguration\r\nAs in SideWalk Windows, the configuration is decrypted using ChaCha20.\r\nChecksum\r\nFirst, before decrypting, there is a data integrity check. This check is similar in both implementations of SideWalk (see\r\nFigure 7 and Figure 8): an MD5 hash is computed on the ChaCha20 nonce concatenated to the encrypted configuration\r\ndata. This hash is then checked against a predefined value, and if not equal, SideWalk exits.\r\nFigure 7. SideWalk Linux: Configuration integrity check\r\nFigure 8. SideWalk Windows: Configuration integrity check\r\nLayout\r\nFigure 9 presents excerpts of decrypted configurations from the samples that we analyzed.\r\nFigure 9. Configuration parts from E5E6E100876E652189E7D25FFCF06DE959093433 (left) and\r\nFA6A40D3FC5CD4D975A01E298179A0B36AA02D4E (right)\r\nThe SideWalk Linux config contains less information than the SideWalk Windows one. 
This makes sense because the\r\nmajority of the configuration artifacts in SideWalk Windows are used as cryptography and network parameters, whereas\r\nmost of these are internal in SideWalk Linux.\r\nDecryption using ChaCha20\r\nAs previously mentioned, SideWalk uses a main global structure to store its configuration. This configuration is first\r\ndecrypted using the modified implementation of ChaCha20, as seen in Figure 10.\r\nFigure 10. ChaCha20 decryption call in SideWalk Windows (left) and in SideWalk Linux (right)\r\nNote that the ChaCha20 key is exactly the same in both variants, strengthening the connection between the two.\r\nDead-drop resolver\r\nThe dead-drop resolver payload is identical in both samples. As a reminder from our blogpost on SideWalk, Figure 11\r\ndepicts the format of the payload that is fetched from the dead-drop resolver.\r\nFigure 11. Format of the string hosted in the Google Docs document\r\nFor the first delimiter, we notice that the PublicKey: part of the string is ignored; the string AE68[…]3EFF is directly\r\nsearched, as shown in Figure 12.\r\nFigure 12. SideWalk Linux’s first delimiter routine (left), end delimiter and middle delimiter routines (right)\r\nThe delimiters are identical, as well as the whole decoding algorithm.\r\nVictim fingerprinting\r\nIn order to fingerprint the victim, different artifacts are gathered on the victim’s machine. We noticed that the fetched\r\ninformation is exactly the same, to the extent of it even being fetched in the same order.\r\nAs the boot time in either case is a Windows-compliant time format, we can hypothesize that the operators’ controller\r\nruns under Windows, and that the controller is the same for both Linux and Windows victims. 
Another argument\r\nsupporting this hypothesis is that the ChaCha20 keys used in both implementations of SideWalk are the same.\r\nCommunication protocol\r\nData serialization\r\nThe communication protocol between the infected machine and the C\u0026C is HTTP or HTTPS, depending on the\r\nconfiguration, but in both cases, the data is serialized in the same manner. Not only is the implementation very similar,\r\nbut the identical encryption key is used in both implementations, which, again, accentuates the similarity between the two\r\nvariants.\r\nPOST requests\r\nIn the POST requests used by SideWalk to fetch commands and payloads from the C\u0026C server, one noticeable point is\r\nthe use of the two parameters gtsid and gtuvid, as seen in Figure 13. Identical parameters are used in the Linux variant.\r\nPOST /M26RcKtVr5WniDVZ/5CDpKo5zmAYbTmFl HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: close\r\nPragma: no-cache\r\nUser-Agent: Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36\r\ngtsid: zn3isN2C6bWsqYvO\r\ngtuvid: 7651E459979F931D39EDC12D68384C21249A8DE265F3A925F6E289A2467BC47D\r\nContent-Length: 120\r\nHost: update.facebookint.workers[.]dev\r\nFigure 13. Example of a POST request used by SideWalk Windows\r\nAnother interesting point is that the Windows variant runs as fully position-independent shellcode, whereas the Linux\r\nvariant is a shared library. However, we think the malware’s authors could have just taken an extra step, using a tool such\r\nas sRDI to convert a compiled SideWalk PE to shellcode instead of manually writing the shellcode.\r\nCommands\r\nOnly four commands are not implemented or implemented differently in the Linux variant, as listed in Table 1. All the\r\nother commands are present – even with the same IDs.\r\nTable 1. 
Commands with different or missing implementation in the Linux version of SideWalk\r\nCommand ID (from C\u0026C) | Windows variants | Linux variants\r\n0x7C | Load a plugin sent by the C\u0026C server. | Not implemented in SideWalk Linux.\r\n0x82 | Collect domain information about running processes, and owners (owner SID, account name, process name, domain information). | Do nothing.\r\n0x8C | Data serialization function. | Commands that are not handled, but fall in the default case, which is broadcasting a message to all the loaded modules.\r\n0x8E | Write the received data to the file located at %AllUsersProfile%\\UTXP\\nat\\\u003cfilename\u003e, where \u003cfilename\u003e is a hash of the value returned by VirtualAlloc at each execution of the malware. | Same as 0x8C: not handled, falls in the default case (broadcast to all loaded modules).\r\nVersioning\r\nIn the Linux variant, we observed a specificity that was not found in the Windows variant: a version number is computed\r\n(see Figure 14).\r\nFigure 14. Versioning function in SideWalk Linux\r\nThe hardcoded date could be the beginning or end of development of this version of SideWalk Linux. The final\r\ncomputation is made out of the year, day, and month, from the value Oct 26 2020. In this case, the result is\r\n1171798691840.\r\nPlugins\r\nIn SideWalk Linux variants, modules are built in; they cannot be fetched from the C\u0026C server. That is a notable\r\ndifference from the Windows variant. Some of those built-in functionalities, like gathering system information\r\n(SysInfoMgr, for example) such as network configuration, are done directly by dedicated functions in the Windows\r\nvariant. 
In the Windows variant, some plugins can be added through C\u0026C communication.\r\nDefense evasion\r\nThe Windows variant of SideWalk goes to great lengths to conceal the objectives of its code. It trimmed out all data and\r\ncode that was unnecessary for its execution and encrypted the rest. On the other hand, the Linux variants contain symbols\r\nand leave some unique authentication keys and other artifacts unencrypted, which makes the detection and analysis\r\nsignificantly easier.\r\nAdditionally, the much higher number of inlined functions in the Windows variant suggests that its code was compiled\r\nwith a higher level of compiler optimizations.\r\nConclusion\r\nThe backdoor that was used to attack a Hong Kong university in February 2021 is the same malware family as the\r\nSideWalk backdoor, and actually is a Linux variant of the backdoor. This Linux version exhibits several similarities with\r\nits Windows counterpart along with various novelties.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research now also offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit\r\nthe ESET Threat Intelligence page.\r\nIoCs\r\nA comprehensive list of Indicators of Compromise and samples can be found in our GitHub repository.\r\nSHA-1 | Filename | ESET detection name | Description\r\nFA6A40D3FC5CD4D975A01E298179A0B36AA02D4E | ssh_tunnel1_0 | Linux/SideWalk.L | SideWalk Linux (StageClient variant)\r\n7DF0BE2774B17F672B96860D013A933E97862E6C | hw_ex_watchdog.exe | Linux/SideWalk.B | SideWalk Linux (Specter variant)\r\nNetwork\r\nDomain | IP | First seen | Notes\r\nrec.micosoft[.]ga | 172.67.8[.]59 | 2021-06-15 | SideWalk C\u0026C server (StageClient variant)\r\n- | 66.42.103[.]222 | 2020-09-25 | SideWalk C\u0026C server (Specter variant from 360 Netlab’s blogpost)\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 11 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1587.001 | Develop Capabilities: Malware | SparklingGoblin uses its own malware arsenal.\r\nDiscovery | T1016 | System Network Configuration Discovery | SideWalk Linux has the ability to find the network configuration of the compromised machine, including the proxy configuration.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | SideWalk Linux communicates via HTTPS with the C\u0026C server.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | SideWalk Linux uses ChaCha20 to encrypt communication data.\r\nSource: https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/"
	],
	"report_names": [
		"you-never-walk-alone-sidewalk-backdoor-linux-variant"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8b57a00-18f4-4e49-9954-849de5e97506",
			"created_at": "2023-11-05T02:00:08.065073Z",
			"updated_at": "2026-04-10T02:00:03.395154Z",
			"deleted_at": null,
			"main_name": "SparklingGoblin",
			"aliases": [],
			"source_name": "MISPGALAXY:SparklingGoblin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434114,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2e693dd56de6fab128e7ae72fd075a3a0e4f51ce.pdf",
		"text": "https://archive.orkl.eu/2e693dd56de6fab128e7ae72fd075a3a0e4f51ce.txt",
		"img": "https://archive.orkl.eu/2e693dd56de6fab128e7ae72fd075a3a0e4f51ce.jpg"
	}
}