{
	"id": "a25a8d5f-f1b0-428f-8114-86afdab5ada5",
	"created_at": "2026-04-06T00:22:24.650688Z",
	"updated_at": "2026-04-10T13:13:06.757715Z",
	"deleted_at": null,
	"sha1_hash": "2f216e48c38ecae2666eff49ba1caa808e3bc4ef",
	"title": "IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 674572,
	"plain_text": "IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders\r\nBy Mandiant\r\nPublished: 2024-05-22 · Archived: 2026-04-05 18:02:02 UTC\r\nWritten by: Michael Raggi\r\nMandiant Intelligence is tracking a growing trend among China-nexus cyber espionage operations where advanced persistent threat (APT) actors utilize proxy networks known as “ORB networks” (operational relay box networks) to gain an advantage when conducting espionage operations. ORB networks are akin to botnets and are made up of virtual private servers (VPS), as well as compromised Internet of Things (IoT) devices, smart devices, and routers that are often end of life or unsupported by their manufacturers. Building networks of compromised devices allows ORB network administrators to easily grow the size of their ORB network with little effort and create a constantly evolving mesh network that can be used to conceal espionage operations.\r\nBy using these mesh networks to conduct espionage operations, actors can disguise external traffic between command and control (C2) infrastructure and victim environments, including vulnerable edge devices that are being exploited via zero-day vulnerabilities.\r\nThese networks often combine rented VPS nodes with malware designed to target routers so they can grow the number of devices capable of relaying traffic within compromised networks.
\r\nMandiant assesses with moderate confidence that this is an effort to raise the cost of defending an enterprise’s network and shift the advantage toward espionage operators by evading detection and complicating attribution. Mandiant believes that if network defenders can shift the current enterprise defense paradigm away from treating adversary infrastructure like indicators of compromise (IOCs) and instead toward tracking ORB networks like evolving entities akin to APT groups, enterprises can contend with the rising challenge of ORB networks in the threat landscape.\r\nFor even more on ORB networks, listen to our latest The Defender's Advantage podcast.\r\nIOC Extinction and the Rise of ORB Networks\r\nThe cybersecurity industry has reported on the APT practice of ORB network usage in the past as well as on the functional implementation of these networks. Less discussed are the implications of broad ORB network usage by a multitude of China-nexus espionage actors, which has become more common over recent years. The following are three key points and paradigm-shifting implications about ORB networks that require enterprise network defenders to adapt the way they think about China-nexus espionage actors:\r\nORB networks undermine the idea of “Actor-Controlled Infrastructure”: ORB networks are infrastructure networks administered by independent entities, contractors, or administrators within the People's Republic of China (PRC). They are not controlled by a single APT actor. ORB networks create a network interface, administer a network of compromised nodes, and contract access to those networks to multiple APT actors that will use the ORB networks to carry out their own distinct espionage and reconnaissance.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks\r\nPage 1 of 10\r\n
These networks are not controlled by the APT actors using them, but rather are temporarily used by these APT actors, often to deploy custom tooling more conventionally attributable to known China-nexus adversaries.\r\nORB network infrastructure has a short lifespan and IOC extinction is accelerating: Based on Mandiant’s regular tracking of ORB networks, an IPv4 address associated with an ORB node can remain part of an ORB network for as few as 31 days. Each ORB network has different practices for cycling the infrastructure that makes up the network. However, a competitive differentiator among ORB network contractors in China appears to be their ability to cycle significant percentages of their compromised or leased infrastructure on a monthly basis. Therefore, simply blocking infrastructure observed in association with ORB network behavior is not as effective as blocking C2 infrastructure would have been in the period between 2005 and 2016. As a result, IOC extinction is accelerating and the shelf life of network indicators is decreasing.\r\nAttributing espionage operations cannot rely on network infrastructure alone: From a defender’s perspective, the egress IP address observed in relation to an APT attack has for years been a key artifact used to research an intrusion's attribution. In the case of China-nexus attacks, attribution is growing both more challenging and less specific. Infrastructure or the compromised router device communicating with a victim environment may now be identifiable to a particular ORB network, while the actor using that ORB network to carry out the attack may be unclear and require investigation of the complex tools and tactics observed as part of an intrusion.
These networks allow actors to egress from devices that have geographic proximity to targeted enterprises, which allows traffic to blend in or otherwise not appear anomalous when being reviewed by analysts or operational personnel making risk-based access decisions. One such example would be traffic from a residential ISP in the same geographic location as the target that is regularly used by employees and would be less likely to get picked up for manual review. The weaponization phase of the cyber kill chain now appears to be administered by third-party providers, complicating the definitive attribution of cyberattacks using network indicators and increasing the difficulty of detecting anomalous traffic.\r\nThe Anatomy of an ORB Network\r\nORB networks are always made up of network infrastructure nodes. These nodes can be compromised routers, leased VPS devices, or often a mixture of both. While earlier commercial incarnations of ORB networks date back to 2016, the modern incarnation of networks like ORB1 / ORBWEAVER can be tracked back to at least 2020. The nodes in any given ORB network are usually distributed globally and are not geographically specific to any one location. ORB network administrators rely on ASN providers in different parts of the world to reduce exposure or dependence on any one nation’s internet infrastructure. An example of the global distribution of an ORB network can be seen in what Mandiant tracks as ORB3 or SPACEHOP, a very active network leveraged by multiple China-nexus threat actors. The high volume of APT-related traffic through globally distributed nodes indicates that this network is utilized to target a wide array of geographic targets colocated in the geographies of observed exit nodes. Notably, this network maintains a robust volume of nodes in Europe, the Middle East, and the United States.
These geographies have been observed as targets of APT15 and UNC2630 (a cluster of activity with suspected links to APT5), both of which have previously been observed using this network. This network also diversifies its nodes by registering VPS-based devices with multiple commercially available Autonomous System providers.\r\nFigure 1: Country heatmap of ORB3 / SPACEHOP nodes 2023\r\nAutonomous System | Percent of Observed SPACEHOP Nodes\r\nShenzhen Tencent Computer Systems Company Limited (CN) | 7.73%\r\nHangzhou Alibaba Advertising Co.,Ltd. (CN) | 4.55%\r\nTencent Building, Kejizhongyi Avenue (CN) | 4.24%\r\nOVH SAS (FR) | 4.02%\r\nStark Industries Solutions Ltd (UK) | 2.95%\r\nBrainStorm Network, Inc (CA) | 2.50%\r\nTWC (US) | 2.42%\r\nGreen Floid LLC (PL) | 2.12%\r\nKaopu Cloud HK Limited (HK) | 2.12%\r\nAS-CHOOPA (US) | 1.82%\r\nTable 1: Top 10 Autonomous System providers and percent composition of ORB3 / SPACEHOP network\r\nORB Network Classifications\r\nMandiant classifies ORB networks into two fundamental types. Networks can be provisioned networks, which are made up of commercially leased VPS space managed by ORB network administrators, or they can be non-provisioned networks, which are often made up of compromised and end-of-life router and IoT devices. It is also possible for an ORB network to be a hybrid network combining both leased VPS devices and compromised devices. Mandiant notes that it has observed a wide diversity of China-nexus threat actors using each kind of ORB network.
The type of threat actor organization does not appear to limit which type of network threat actors utilize, despite historic indications that military-related entities have preferred procured networks in the past. Conversely, threat actors with a civilian intelligence background have proven more likely to utilize non-provisioned networks consisting of routers compromised by custom malware.\r\nProvisioned Networks | Non-Provisioned Networks\r\nLeased VPS devices via commercial services | Compromised routers and IoT devices\r\nActor administration of nodes | Actor augmentation of network through custom router-based payloads\r\nProvisioned networks require actors to manage virtual images or operating systems on leased devices. | Many non-provisioned networks will use leased VPS devices as adversary-controlled operations servers (“ACOS nodes”)\r\nTable 2: Characteristics of provisioned and non-provisioned ORB networks\r\nORB Network Universal Anatomy\r\nAfter continuous analysis of numerous ORB networks spanning years, Mandiant has designed a universal anatomy for analyzing and labeling ORB network components. This anatomy is intended to serve as a guide for enterprise defenders when identifying malicious ORB network node infrastructure. All networks that are identified will have a universal set of identifiable components. While the configuration of these components may differ between networks and the traversal path through an ORB network may appear different on a case-by-case basis, the following components are essential for an ORB network to function:\r\nAdversary Controlled Operations Server (“ACOS”): This is an adversary-controlled server used to administer nodes within an ORB network.\r\nRelay Node: This is most commonly a leased VPS node at a major China or Hong Kong-based cloud provider.
This node allows users of an ORB network to authenticate to the network and relay traffic through the larger traversal pool of ORB nodes.\r\nTraversal Nodes: These are the primary volume of nodes that make up an ORB network. These can be either provisioned or non-provisioned nodes and are used to relay traffic across an ORB network, obfuscating the origin of network traffic. Some networks may utilize multiple types of traversal nodes or include multiple traversal layers.\r\nExit/Staging Nodes: These are actor-controlled nodes, often exhibiting the same characteristics as traversal nodes, that are used to egress from an ORB network into a victim environment.\r\nVictim Server: The targeted victim’s infrastructure communicating with the ORB network node.\r\nFigure 2: Diagram of the Universal Anatomy of an ORB network\r\nMandiant notes that the ACOS servers and relay nodes are most commonly hosted in PRC-affiliated and Hong Kong-based IP space. Analysts believe that by placing these critical servers behind the Great Firewall, ORB network administrators may limit their exposure to both legal and disruptive actions of targeted entities.\r\nExamples of Active ORB Networks in the Wild\r\nORB3 / SPACEHOP - Provisioned Network\r\nA primary example of a provisioned ORB network leveraged in the wild by numerous APTs is a network tracked by Mandiant as ORB3 / SPACEHOP. This network consists of servers provisioned by a single entity operating in China. The network has facilitated network reconnaissance scanning and vulnerability exploitation conducted by China-nexus threat actors, including APT5 and APT15.\r\nThe infrastructure present in the ORB3 network represents a threat to entities that have historically been targeted by APT15 and APT5, including entities in North America, Europe, and the Middle East.
Active since at least 2019, UNC2630 (with suspected links to APT5) used a known SPACEHOP node to exploit CVE-2022-27518 in late December 2022. The National Security Agency (NSA) linked exploitation of CVE-2022-27518 within the same time frame to APT5.\r\nThis ORB network’s topography is rather flat when compared to more complex ORB networks. It leverages a relay server hosted in either Hong Kong or China by cloud providers and installs a C2 framework available on GitHub for the administration of downstream relay nodes. The relay nodes are often cloned Linux-based images, which are used to proxy malicious network traffic through the network to an exit node that communicates with targeted victim environments.\r\nFigure 3: ORB3 / SPACEHOP network diagram\r\nORB2 / FLORAHOX - Non-Provisioned Network\r\nFLORAHOX is an example of both a non-provisioned and a hybrid ORB network. It is composed of an ACOS node, compromised network router and IoT devices, and leased VPS servers that interface with a customized Tor relay network layer. The network is used to proxy traffic from a source and relay it through a Tor network and several compromised router nodes to obfuscate the source of the traffic. It is believed to be used in cyber espionage campaigns by a diverse set of China-nexus threat actors.\r\nThe network appears to contain several subnetworks composed of compromised devices recruited by the router implant FLOWERWATER as well as other router-based payloads. Subnetworks are capable of being used in an overlapping manner to relay malicious traffic through the network segments.
FLORAHOX appears to be multi-tenanted, with several distinct router compromise payloads being used for the augmentation of the network and several APT threat actors leveraging the network. While it appears several actors may utilize the FLORAHOX network, China-nexus threat actors including clusters of activity publicly tracked as APT31 and Zirconium have been reported by multiple trusted third-party sources to utilize the network.\r\nAn additional tool determined to be a MIPS router tunneler payload (PETALTOWER), and related controller Bash scripts that provide command-line inputs to the PETALTOWER payload (SHIMMERPICK), were identified in January 2023. The purpose of these tools appears to be providing a configuration for the traversal of the network and traversing the network of pre-existing FLORAHOX nodes based on command-line inputs.\r\nORB2 represents a more complicated design, including the relay of traffic through Tor nodes, provisioned VPS servers, and different types of compromised routers including Cisco, ASUS, and DrayTek end-of-life devices. The network embodies years of continual augmentation and several generations of distinct router-based payloads used simultaneously to recruit vulnerable devices into the FLORAHOX traversal node pool.\r\nFigure 4: ORB2 / FLORAHOX network diagram\r\nThe Defender’s Dilemma\r\nThe widespread adoption of ORB networks by China-nexus espionage actors introduces a new layer of complexity to defending enterprise environments from malicious infrastructure.
Rather than earlier practices allowing for the outright blocking of adversary infrastructure, defenders must now consider:\r\nTemporality: What infrastructure is part of the ORB network right now?\r\nMultiplicity of Adversaries: Which adversaries are using this ORB network, and am I seeing one of them targeting my network?\r\nEphemerality: How long is this infrastructure part of the ORB network being defended against, and are changing characteristics of infrastructure indicative of new tactics?\r\nMandiant asserts that the best way to rise to the challenge posed by ORB networks is to stop tracking espionage C2 infrastructure as an inert indicator of compromise and start tracking it as an entity with distinct TTPs. We no longer operate in the world of “block and move on” where IPs are part of an APT’s weaponization and C2 kill chain phases. Instead, infrastructure is a living artifact of an ORB network that is a distinct and evolving entity, where the characteristics of IP infrastructure itself, including ports, services, and registration/hosting data, can be tracked as evolving behavior by the adversary administrator responsible for that ORB network.\r\nBy shifting awareness and our enterprise defender paradigm toward treating ORB networks like APTs instead of IOCs, defenders can begin to turn their dilemma into a defender’s advantage.\r\nConclusion\r\nUse of ORB networks to proxy traffic in a compromised network is not a new tactic, nor is it unique to China-nexus cyber espionage actors. However, the ubiquity it has reached over the past four years now requires defenders to meet this challenge head on to keep pace with adversaries in the cyber espionage landscape. We have tracked China-nexus cyber espionage using these tactics as part of a broader evolution toward more purposeful, stealthy, and effective operations.
In addition to wanting to be stealthy, actors want to increase the cost and analytical burden on defenders of enterprise environments. The rise of the ORB network industry in China points to long-term investments in equipping China-nexus cyber operators with more sophisticated tactics and tools that facilitate enterprise exploitation to achieve higher success rates in gaining and maintaining access to high-value networks. Whether defenders will rise to this challenge depends on enterprises applying the same deep tactical focus to tracking ORB networks as has been done for APTs over the last 15 years. Mandiant is equipped to provide enterprise defenders with the capability to meet this challenge and scale to overcome it.\r\nPosted in\r\nThreat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks"
	],
	"report_names": [
		"china-nexus-espionage-orb-networks"
	],
	"threat_actors": [
		{
			"id": "7e75ee53-c4d3-4260-8106-ed7b61d35f02",
			"created_at": "2023-12-08T02:00:05.765868Z",
			"updated_at": "2026-04-10T02:00:03.497413Z",
			"deleted_at": null,
			"main_name": "UNC2630",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2630",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "13bedce4-3115-4563-afd5-068e3930e68e",
			"created_at": "2023-01-06T13:46:38.623775Z",
			"updated_at": "2026-04-10T02:00:03.042652Z",
			"deleted_at": null,
			"main_name": "APT5",
			"aliases": [
				"KEYHOLE PANDA",
				"BRONZE FLEETWOOD",
				"TEMP.Bottle",
				"Mulberry Typhoon",
				"Poisoned Flight"
			],
			"source_name": "MISPGALAXY:APT5",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6d69ef1b-b6f3-47e1-be5a-87ac0fd5ff55",
			"created_at": "2024-04-24T02:00:49.599348Z",
			"updated_at": "2026-04-10T02:00:05.303948Z",
			"deleted_at": null,
			"main_name": "APT5",
			"aliases": [
				"APT5",
				"Mulberry Typhoon",
				"BRONZE FLEETWOOD",
				"Keyhole Panda",
				"UNC2630"
			],
			"source_name": "MITRE:APT5",
			"tools": [
				"Tasklist",
				"PoisonIvy",
				"RAPIDPULSE",
				"PcShare",
				"Mimikatz",
				"SLOWPULSE",
				"SLIGHTPULSE",
				"Skeleton Key",
				"gh0st RAT",
				"PULSECHECK",
				"netstat"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "47a8f6c7-5b29-4892-8f47-1d46be71714f",
			"created_at": "2025-08-07T02:03:24.599925Z",
			"updated_at": "2026-04-10T02:00:03.720795Z",
			"deleted_at": null,
			"main_name": "BRONZE FLEETWOOD",
			"aliases": [
				"APT5 ",
				"DPD ",
				"Keyhole Panda ",
				"Mulberry Typhoon ",
				"Poisoned Flight ",
				"TG-2754 "
			],
			"source_name": "Secureworks:BRONZE FLEETWOOD",
			"tools": [
				"Binanen",
				"Comfoo",
				"Gh0st RAT",
				"Isastart",
				"Leouncia",
				"Marade",
				"OrcaRAT",
				"PCShare",
				"Protux",
				"Skeleton Key",
				"SlyPidgin",
				"VinSelf"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dc7ee503-9494-4fb6-a678-440c68fd31d8",
			"created_at": "2022-10-25T16:07:23.349177Z",
			"updated_at": "2026-04-10T02:00:04.552639Z",
			"deleted_at": null,
			"main_name": "APT 31",
			"aliases": [
				"APT 31",
				"Bronze Vinewood",
				"G0128",
				"Judgment Panda",
				"Red Keres",
				"RedBravo",
				"TA412",
				"Violet Typhoon",
				"Zirconium"
			],
			"source_name": "ETDA:APT 31",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"GrewApacha",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Roarur",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434944,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f216e48c38ecae2666eff49ba1caa808e3bc4ef.pdf",
		"text": "https://archive.orkl.eu/2f216e48c38ecae2666eff49ba1caa808e3bc4ef.txt",
		"img": "https://archive.orkl.eu/2f216e48c38ecae2666eff49ba1caa808e3bc4ef.jpg"
	}
}