{
	"id": "5e30660b-65dd-4691-962b-776277dc95b3",
	"created_at": "2026-04-06T00:17:00.266025Z",
	"updated_at": "2026-04-10T03:36:33.895832Z",
	"deleted_at": null,
	"sha1_hash": "327deb10163f5e4a72b0839e976e8761e9080d96",
	"title": "NSPX30: A sophisticated AitM-enabled implant evolving since 2005",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 861008,
	"plain_text": "NSPX30: A sophisticated AitM-enabled implant evolving since 2005\r\nBy Facundo Muñoz\r\nArchived: 2026-04-02 10:59:13 UTC\r\nESET researchers provide an analysis of an attack carried out by a previously undisclosed China-aligned threat actor we have named Blackwood, and that we believe has been operating since at least 2018. The attackers deliver a sophisticated implant, which we named NSPX30, through adversary-in-the-middle (AitM) attacks hijacking update requests from legitimate software.\r\nKey points in this blogpost:\r\nWe discovered the NSPX30 implant being deployed via the update mechanisms of legitimate software such as Tencent QQ, WPS Office, and Sogou Pinyin.\r\nWe have detected the implant in targeted attacks against Chinese and Japanese companies, as well as against individuals located in China, Japan, and the United Kingdom.\r\nOur research traced the evolution of NSPX30 back to a small backdoor from 2005 that we have named Project Wood, designed to collect data from its victims.\r\nNSPX30 is a multistage implant that includes several components such as a dropper, an installer, loaders, an orchestrator, and a backdoor. Both of the latter two have their own sets of plugins.\r\nThe implant was designed around the attackers’ capability to conduct packet interception, enabling NSPX30 operators to hide their infrastructure.\r\nNSPX30 is also capable of allowlisting itself in several Chinese antimalware solutions.\r\nWe attribute this activity to a new APT group that we have named Blackwood.\r\nBlackwood Profile\r\nBlackwood is a China-aligned APT group active since at least 2018, engaging in cyberespionage operations against Chinese and Japanese individuals and companies. 
Blackwood has capabilities to conduct adversary-in-the-middle attacks to deliver the implant we named NSPX30 through updates of legitimate software, and to hide the location of its command and control servers by intercepting traffic generated by the implant.\r\nCampaign overview\r\nIn 2020, a surge of malicious activity was detected on a targeted system located in China. The machine had become what we commonly refer to as a “threat magnet”, as we detected attempts by attackers to use malware toolkits associated with different APT groups: Evasive Panda, LuoYu, and a third threat actor we track as LittleBear.\r\nOn that system we also detected suspicious files that did not belong to the toolkits of those three groups. This led us to start an investigation into an implant we named NSPX30; we were able to trace its evolution all the way back to 2005.\r\nAccording to ESET telemetry, the implant was detected on a small number of systems. The victims include:\r\nunidentified individuals located in China and Japan,\r\nan unidentified Chinese-speaking individual connected to the network of a high-profile public research university in the United Kingdom,\r\na large manufacturing and trading company in China, and\r\nthe office in China of a Japanese corporation in the engineering and manufacturing vertical.\r\nWe have also observed that the attackers attempt to re-compromise systems if access is lost.\r\nFigure 1 is a geographical distribution of Blackwood’s targets, according to ESET telemetry.\r\nhttps://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/\r\nPage 1 of 17\n\nFigure 1. Geographical distribution of Blackwood victims\r\nNSPX30 evolution\r\nDuring our research into the NSPX30 implant, we mapped its evolution back to an early ancestor – a simple backdoor we’ve named Project Wood. 
The oldest sample of Project Wood we could find was compiled in 2005, and it seems to have been used as the codebase to create several implants. One such implant, from which NSPX30 evolved, was named DCM by its authors in 2008.\r\nFigure 2 illustrates a timeline of these developments, based on our analysis of samples in our collection and ESET telemetry, as well as public documentation. However, the events and data documented here are still an incomplete picture of almost two decades of development and malicious activity by an unknown number of threat actors.\r\nFigure 2. Timeline of major variants of Project Wood, DCM, and NSPX30\r\nIn the following sections we describe some of our findings regarding Project Wood, DCM, and NSPX30.\r\nProject Wood\r\nThe starting point in the evolution of these implants is a small backdoor compiled on January 9th, 2005, according to the timestamps present in the PE header of its two components – the loader and the backdoor. The latter has capabilities to collect system and network information, as well as to record keystrokes and take screenshots.\r\nWe named the backdoor Project Wood, based on a recurring mutex name, as shown in Figure 3.\r\nFigure 3. Project Wood code with a recurring theme in most samples\r\nCompilation timestamps are unreliable indicators, as they can be tampered with by attackers; therefore, in this specific case, we considered additional data points. First, the timestamps from the PE header of the loader and backdoor samples; see Table 1. There is only a difference of 17 seconds in the compilation time of the two components.\r\nTable 1. 
PE compilation timestamps in components from the 2005 sample\r\nSHA-1 | Filename | PE compilation timestamp | Description\r\n9A1B575BCA0DC969B1344651F16514660D1B78A6 | MainFuncOften.dll | 2005-01-09 08:21:22 | Project Wood backdoor. The timestamp from the Export Table matches the PE compilation timestamp.\r\n834EAB42383E171DD6A42F29A9BA1AD8A44731F0 | N/A | 2005-01-09 08:21:39 | The Project Wood loader contains the backdoor embedded as a resource.\r\nThe second data point comes from the dropper sample that was compressed using UPX. This tool inserts its version (Figure 4) into the resulting compressed file – in this case, UPX version 1.24, which was released in 2003, prior to the compilation date of the sample.\r\nFigure 4. UPX string with tool version in the dropper sample\r\nThe third data point is the valid metadata from the PE Rich Headers (Figure 5), which indicate that the sample was compiled using Visual Studio 6.0, released in 1998, prior to the sample’s compilation date.\r\nFigure 5. PE Rich Headers from the dropper sample\r\nWe assess that it is unlikely that the timestamps, Rich Headers metadata, and UPX version were all manipulated by the attackers.\r\nPublic documentation\r\nAccording to a technical paper published by the SANS Institute in September 2011, an unnamed and unattributed backdoor (Project Wood) was used to target a political figure from Hong Kong via spearphishing emails.\r\nIn October 2014, G DATA published a report of a campaign it named Operation TooHash, which has since been attributed to the Gelsemium APT group. The rootkit G DATA named DirectsX loads a variant of the Project Wood backdoor (see Figure 6) with some features seen in DCM and later in NSPX30, such as allowlisting itself in cybersecurity products (detailed later, in Table 4).\r\nFigure 6. 
The recurring theme is present also in samples from Operation TooHash\r\nDCM aka Dark Specter\r\nThe early Project Wood served as a codebase for several projects; one of them is an implant called DCM (see Figure 7) by its authors.\r\nFigure 7. Code using a new mutex name in the DCM implant\r\nThe report from Tencent in 2016 describes a more developed DCM variant that relies on the AitM capabilities of the attackers to compromise its victims by delivering the DCM installer as a software update, and to exfiltrate data via DNS requests to legitimate servers. The last time that we observed DCM used in an attack was in 2018.\r\nPublic documentation\r\nDCM was first documented by the Chinese company Jiangmin in 2012, although it was left unnamed at that point, and was later named Dark Specter by Tencent in 2016.\r\nNSPX30\r\nThe oldest sample of NSPX30 that we have found was compiled on June 6th, 2018. NSPX30 has a different component configuration than DCM because its operation has been divided into two stages, relying fully on the attacker’s AitM capability. 
DCM’s code was split into smaller components.\r\nWe named the implant after PDB paths found in plugin samples:\r\nZ:\\Workspace\\mm\\32\\NSPX30\\Plugins\\plugin\\b001.pdb\r\nZ:\\Workspace\\Code\\MM\\X30Pro\\trunk\\MM\\Plugins\\hookdll\\Release\\hookdll.pdb\r\nWe believe that NSP refers to its persistence technique: the persistent loader DLL, which on disk is named msnsp.dll, is internally named mynsp.dll (according to the Export Table data), probably because it is installed as a Winsock namespace provider (NSP).\r\nFinally, to the best of our knowledge, NSPX30 has not been publicly documented prior to this publication.\r\nTechnical analysis\r\nUsing ESET telemetry, we determined that machines are compromised when legitimate software attempts to download updates from legitimate servers using the (unencrypted) HTTP protocol. Hijacked software updates include those for popular Chinese software such as Tencent QQ, Sogou Pinyin, and WPS Office.\r\nAn illustration of the chain of execution as seen in ESET telemetry is shown in Figure 8.\r\nFigure 8. Illustration of the observed chain of execution\r\nIn Table 2, we provide an example of a URL and the IP address to which the domain was resolved on the user’s system at the time the download occurred.\r\nTable 2. 
An observed URL, server IP address, and process name of a legitimate downloader component\r\nURL | First seen | IP address | ASN | Downloader\r\nhttp://dl_dir.qq[.]com/invc/qq/minibrowser.zip | 2021‑10‑17 | 183.134.93[.]171 | AS58461 (CHINANET) | Tencentdl.exe\r\nAccording to ESET telemetry and passive DNS information, the IP addresses observed in other cases are associated with domains of legitimate software companies; we have registered up to millions of connections to some of them, and we have seen legitimate software components being downloaded from those IP addresses.\r\nNetwork implant hypothesis\r\nHow exactly the attackers are able to deliver NSPX30 as malicious updates remains unknown to us, as we have yet to discover the tool that enables the attackers to compromise their targets initially.\r\nBased on our own experience with China-aligned threat actors that exhibit these capabilities (Evasive Panda and TheWizards), as well as recent research on router implants attributed to BlackTech and Camaro Dragon (aka Mustang Panda), we speculate that the attackers are deploying a network implant in the networks of the victims, possibly on vulnerable network appliances such as routers or gateways.\r\nThe fact that we found no indications of traffic redirection via DNS might indicate that when the hypothesized network implant intercepts unencrypted HTTP traffic related to updates, it replies with the NSPX30 implant’s dropper in the form of a DLL, an executable file, or a ZIP archive containing the DLL.\r\nPreviously, we mentioned that the NSPX30 implant uses the attackers’ packet interception capability to anonymize its C\u0026C infrastructure. 
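One defensive check the delivery vector described under "Network implant hypothesis" suggests, as an added example that is not part of ESET's article or tooling: compare what an update client asked for with what actually came back over plaintext HTTP. The hijacked response arrives as a DLL, an EXE, or a ZIP carrying a DLL, so a body that is a PE image when a ZIP was requested, or a ZIP whose PE members are not the ones the client expects, is worth blocking and alerting on. Only the URL from Table 2 comes from the article; the response bodies, the member list used as an allowlist, and the manifest idea behind it are constructed for the example (the real updater's manifest format is not known), and the sample member name minibrowser_shell.dll is the dropper filename from the IOC section.

```python
import io
import zipfile
from urllib.parse import urlparse

PE_MAGIC = b'MZ'
ZIP_MAGIC = b'PK' + bytes([3, 4])   # local-file-header signature at offset 0 of a ZIP archive

# Classify a response body by its magic bytes rather than by the Content-Type the server claims.
def classify_body(body):
    if body.startswith(PE_MAGIC):
        return 'pe'
    if body.startswith(ZIP_MAGIC):
        return 'zip'
    return 'other'

# Names of archive members whose content is a PE image, whatever their extension says.
def pe_members(body):
    hits = []
    with zipfile.ZipFile(io.BytesIO(body)) as archive:
        for info in archive.infolist():
            if archive.read(info).startswith(PE_MAGIC):
                hits.append(info.filename)
    return hits

# Findings for one update download.  expected_members is the set of PE members a
# (hypothetical) signed manifest allows for this URL; any other PE in the archive is suspect.
def check_update_response(url, body, expected_members):
    findings = []
    parsed = urlparse(url)
    if parsed.scheme == 'http':
        findings.append('update fetched over plaintext HTTP; an on-path device can rewrite it')
    wanted_zip = parsed.path.lower().endswith('.zip')
    kind = classify_body(body)
    if wanted_zip and kind == 'pe':
        findings.append('requested a ZIP but the body is a PE image')
    elif wanted_zip and kind == 'other':
        findings.append('requested a ZIP but the body is neither ZIP nor PE')
    elif kind == 'zip':
        for name in pe_members(body):
            if name not in expected_members:
                findings.append('unexpected PE member in archive: ' + name)
    return findings

# Constructed helper: build an in-memory ZIP from {member name: content}.
def build_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()

# Constructed sample traffic.  The URL is the one from Table 2 (brackets removed);
# the bodies are synthetic stand-ins, not real update files or malware.
FAKE_PE = PE_MAGIC + bytes(62)
MANIFEST = {'minibrowser/minibrowser.exe'}
URL = 'http://dl_dir.qq.com/invc/qq/minibrowser.zip'
SAMPLES = {
    'clean_update': build_zip({'minibrowser/readme.txt': b'ok', 'minibrowser/minibrowser.exe': FAKE_PE}),
    'zip_with_dropper_dll': build_zip({'minibrowser/readme.txt': b'ok', 'minibrowser_shell.dll': FAKE_PE}),
    'raw_pe_instead_of_zip': FAKE_PE,
}

def scan_samples():
    return {name: check_update_response(URL, body, MANIFEST) for name, body in SAMPLES.items()}

if __name__ == '__main__':
    for name, findings in scan_samples().items():
        print(name, '->', findings or ['no findings'])
```

The plaintext-transport finding fires even for the clean archive, which is the point: with the transport unauthenticated, content validation (signature or at least an allowlist of expected members) is the only thing standing between the updater and an on-path implant.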
The following subsections describe how the implant uses that interception capability to hide its C\u0026C infrastructure.\r\nHTTP interception\r\nTo download the backdoor, the orchestrator performs an HTTP request (Figure 9) to Baidu’s website – a legitimate Chinese search engine and software provider – with a peculiar User-Agent masquerading as Internet Explorer on Windows 98. The response from the server is saved to a file from which the backdoor component is extracted and loaded into memory.\r\nFigure 9. HTTP request sent by the orchestrator\r\nThe Request-URI is custom and includes information from the orchestrator and the compromised system. In non-intercepted requests, issuing such a request to the legitimate server returns a 404 error code. A similar procedure is used by the backdoor to download plugins, using a slightly different Request-URI.\r\nThe network implant would simply need to look for HTTP GET requests to www.baidu.com with that particular old User-Agent and analyze the Request-URI to determine what payload must be sent.\r\nUDP interception\r\nDuring its initialization, the backdoor creates a passive UDP listening socket and lets the operating system assign the port.\r\nThere can be complications for attackers using passive backdoors: for instance, if firewalls or routers using NAT prevent incoming communication from outside of the network. Additionally, the controller of the implant needs to know the exact IP address and port of the compromised machine to contact the backdoor.\r\nWe believe that the attackers solved the latter problem by using the same port on which the backdoor listens for commands to also exfiltrate the collected data, so the network implant will know exactly where to forward the packets. The data exfiltration procedure, by default, begins after the socket has been created, and it consists of DNS queries for the microsoft.com domain; the collected data is appended to the DNS packet. 
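The two traffic fingerprints described in the HTTP interception section above and in this UDP interception section (whose filter values, the 180.76.76.0/24 destination, UDP ports 53, 4499 and 8000, transaction ID 0xFEAD, the microsoft.com name and data appended after the question, are listed further down) can be turned around and used by a defender. The classifier below is an added example and not ESET's code: it parses an HTTP/1.x request and flags a GET to www.baidu.com whose User-Agent claims Internet Explorer on Windows 98 with a non-trivial Request-URI, and it parses a UDP payload as a DNS query and flags it when all five exfiltration values line up. The article does not print the exact User-Agent or Request-URI, so the substring match and the sample URI are assumptions, and the appended data format in the sample packet is a placeholder; all requests and packets are constructed for the example.

```python
import ipaddress
import struct

CRLF = bytes([13, 10])
BAIDU_HOST = 'www.baidu.com'
EXFIL_NET = ipaddress.ip_network('180.76.76.0/24')
EXFIL_PORTS = {53, 4499, 8000}
EXFIL_TXID = 0xFEAD
EXFIL_DOMAIN = 'microsoft.com'

# Minimal HTTP/1.x request parser: returns (method, request-uri, {lowercased header: value}).
def parse_http_request(raw):
    head = raw.split(CRLF + CRLF, 1)[0].decode('latin-1')
    lines = head.split(CRLF.decode())
    method, uri, _version = lines[0].split(' ', 2)
    headers = {}
    for line in lines[1:]:
        if ':' in line:
            key, value = line.split(':', 1)
            headers[key.strip().lower()] = value.strip()
    return method, uri, headers

# Orchestrator/backdoor download pattern: GET to www.baidu.com, a User-Agent claiming IE on
# Windows 98, and a Request-URI that is not a plain page fetch.  The UA substrings are an
# assumption; the article only shows the request as an image (Figure 9).
def http_fingerprint(raw):
    method, uri, headers = parse_http_request(raw)
    ua = headers.get('user-agent', '')
    return (method == 'GET'
            and headers.get('host', '').lower() == BAIDU_HOST
            and 'Windows 98' in ua and 'MSIE' in ua
            and uri not in ('/', '/index.html'))

# Parse the header and the single question of a DNS query: (txid, qname, bytes consumed).
# In a one-question query, anything after the consumed bytes is extraneous (the appended data).
def parse_dns_question(payload):
    if len(payload) < 12:
        raise ValueError('short DNS header')
    txid, flags, qdcount = struct.unpack('!HHH', payload[:6])
    if qdcount != 1 or flags & 0x8000:         # exactly one question and QR=0 (a query)
        raise ValueError('not a single-question query')
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError('unterminated name')
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(payload):
            raise ValueError('bad label')
        labels.append(payload[pos:pos + length].decode('ascii'))
        pos += length
    pos += 4                                    # QTYPE + QCLASS
    if pos > len(payload):
        raise ValueError('truncated question')
    return txid, '.'.join(labels), pos

# All five values the article lists must line up: destination /24, port, txid, name, trailing bytes.
def dns_fingerprint(dst_ip, dst_port, payload):
    try:
        txid, qname, consumed = parse_dns_question(payload)
    except ValueError:
        return False
    return (ipaddress.ip_address(dst_ip) in EXFIL_NET
            and dst_port in EXFIL_PORTS
            and txid == EXFIL_TXID
            and qname.lower() == EXFIL_DOMAIN
            and len(payload) > consumed)

# Constructed helper: an A query for `name` with `extra` appended after the question section.
def build_dns_query(txid, name, extra=b''):
    qname = b''.join(bytes([len(label)]) + label.encode('ascii') for label in name.split('.')) + bytes([0])
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0)   # RD set, one question, no answers
    return header + qname + struct.pack('!HH', 1, 1) + extra

# Constructed samples; the real Request-URI and exfil encoding are not public, so these are placeholders.
EXFIL_PKT = build_dns_query(EXFIL_TXID, EXFIL_DOMAIN, b'HOSTNAME=victim;USER=alice')
NORMAL_PKT = build_dns_query(0x1234, EXFIL_DOMAIN)
IMPLANT_GET = CRLF.join([b'GET /s?id=0123;os=6.1 HTTP/1.1', b'Host: www.baidu.com',
                         b'User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)']) + CRLF + CRLF
BROWSER_GET = CRLF.join([b'GET / HTTP/1.1', b'Host: www.baidu.com',
                         b'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)']) + CRLF + CRLF

def demo():
    return {
        'implant_get': http_fingerprint(IMPLANT_GET),
        'browser_get': http_fingerprint(BROWSER_GET),
        'exfil_to_11': dns_fingerprint('180.76.76.11', 53, EXFIL_PKT),
        'exfil_to_12_port_4499': dns_fingerprint('180.76.76.12', 4499, EXFIL_PKT),
        'normal_query_to_baidu_dns': dns_fingerprint('180.76.76.76', 53, NORMAL_PKT),
        'exfil_wrong_net': dns_fingerprint('8.8.8.8', 53, EXFIL_PKT),
    }

if __name__ == '__main__':
    for name, flagged in demo().items():
        print(name, flagged)
```

Requiring all five DNS values keeps a legitimate lookup of microsoft.com sent to Baidu's resolver at 180.76.76.76 from firing; the trailing-bytes check is the one that no ordinary resolver client trips, since a well-formed single-question query ends exactly at QCLASS.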
Figure 10 shows a capture of the first DNS query sent by the backdoor.\r\nFigure 10. DNS query sent by the backdoor; collected information is appended in plaintext\r\nThe first DNS query is sent to 180.76.76[.]11:53 (a server that, at the time of writing, does not expose any DNS service) and for each of the following queries, the destination IP address is changed to the succeeding address, as shown in Figure 11.\r\nFigure 11. DNS messages sent by the backdoor; notice that the IP address increases by one with each request\r\nThe 180.76.76.0/24 network is owned by Baidu, and interestingly, some of the servers at these IP addresses do expose DNS services, such as 180.76.76.76, which is Baidu’s public DNS service.\r\nWe believe that when the DNS query packets are intercepted, the network implant forwards them to the attackers’ server. The implant can easily filter the packets by combining several values to create a fingerprint, for instance:\r\ndestination IP address,\r\nUDP port (we observed 53, 4499, and 8000),\r\ntransaction ID of the DNS query matching 0xFEAD,\r\ndomain name, and\r\nDNS query with extraneous data appended.\r\nFinal thoughts\r\nUsing the attackers’ AitM capability to intercept packets is a clever way to hide the location of their C\u0026C infrastructure. We have observed victims located outside of China – that is, in Japan and the United Kingdom – against whom the orchestrator was able to deploy the backdoor. The attackers then sent commands to the backdoor to download plugins; for example, the victim from the UK received two plugins designed to collect information and chats from Tencent QQ. 
Therefore, we know that the AitM system was in place and working, and we must assume that the exfiltration mechanism was as well.\r\nSome of the servers – for instance, in the 180.76.76.0/24 network – seem to be anycasted, meaning that there might be multiple servers geolocated around the world to reply to (legitimate) incoming requests. This suggests network interception is likely performed closer to the targets rather than closer to Baidu’s network. Interception from a Chinese ISP is also unlikely because Baidu has part of its network infrastructure outside of China, so victims outside China may not go through any Chinese ISPs to reach Baidu services.\r\nNSPX30\r\nIn the following sections we will describe the major stages of execution of the malware.\r\nStage 1\r\nFigure 12 illustrates the execution chain when the legitimate component loads a malicious dropper DLL that creates several files on disk.\r\nFigure 12. Execution chain initiated by the dropper DLL\r\nThe dropper executes RsStub.exe, a legitimate software component of the Chinese antimalware product Rising Antivirus, which is abused to side-load the malicious comx3.dll.\r\nFigure 13 illustrates the major steps taken during the execution of this component.\r\nFigure 13. Loading chain initiated when RsStub.exe loads the malicious comx3.dll\r\nWhen RsStub.exe calls ExitProcess, the loader function from the shellcode is executed instead of the legitimate API function code.\r\nThe loader decrypts the installer DLL from the file comx3.dll.txt; the shellcode then loads the installer DLL in memory and calls its entry point.\r\nInstaller DLL\r\nThe installer uses UAC bypass techniques taken from open-source implementations to create a new elevated process. Which one it uses depends on several conditions, as seen in Table 3.\r\nTable 3. 
Main condition and respective sub-conditions that must be met in order to apply a UAC bypass technique\r\nThe conditions verify the presence of two processes: we believe that avp.exe is a component of Kaspersky’s antimalware software, and rstray.exe a component of Rising Antivirus.\r\nThe installer attempts to disable the submission of samples by Windows Defender, and adds an exclusion rule for the loader DLL msnsp.dll. It does this by executing two PowerShell commands through cmd.exe:\r\ncmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -SubmitSamplesConsent 0\r\ncmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\msnsp.dll\"\r\nThe installer then drops the persistent loader DLL to C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\msnsp.dll and establishes persistence for it using the API WSCInstallNameSpace to install the DLL as a Winsock namespace provider named msnsp, as shown in Figure 14.\r\nFigure 14. Code that installs a malicious Winsock namespace provider\r\nAs a result, the DLL is loaded automatically into processes that use Winsock (in practice, whenever a process performs name resolution through it), without any registry Run key or service of its own.\r\nFinally, the installer drops the loader DLL mshlp.dll and the encrypted orchestrator DLL WIN.cfg to C:\\ProgramData\\Windows.\r\nStage 2\r\nThis stage begins with the execution of msnsp.dll. Figure 15 illustrates the loading chain in Stage 2.\r\nFigure 15. 
Loading chain initiated when the system loads the malicious Winsock namespace provider\r\nOrchestrator\r\nFigure 16 illustrates the major tasks carried out by the orchestrator, which include obtaining the backdoor and loading plugins.\r\nFigure 16. Execution chain of the orchestrator components and its main tasks\r\nWhen loaded, the orchestrator creates two threads to perform its tasks.\r\nOrchestrator thread 1\r\nThe orchestrator deletes the original dropper file from disk, and tries to load the backdoor from msfmtkl.dat. If the file does not exist or fails to open, the orchestrator uses Windows Internet APIs to open a connection to the legitimate website of the Chinese company Baidu as explained previously.\r\nThe response from the server is saved to a temporary file subject to a validation procedure; if all conditions are met, the encrypted payload that is inside the file is written to a new file and renamed as msfmtkl.dat.\r\nAfter the new file is created with the encrypted payload, the orchestrator reads its contents and decrypts the payload using RC4. The resulting PE is loaded into memory and its entry point is executed.\r\nOrchestrator thread 2\r\nDepending on the name of the current process, the orchestrator performs several actions, including the loading of plugins, and the addition of exclusions to allowlist the loader DLLs in the local databases of antimalware products from three Chinese vendors.\r\nTable 4 describes the actions taken when the process name matches that of a security software suite in which the orchestrator can allowlist its loaders.\r\nTable 4. 
Orchestrator actions when executing in a process with the name of specific security software\r\nProcess name | Targeted software | Action\r\nqqpcmgr.exe, qqpctray.exe, qqpcrtp.exe | Tencent PC Manager | Attempts to load the legitimate DLL \u003cCURRENT_DIRECTORY\u003e\\TAVinterface.dll to use the exported function CreateTaveInstance to obtain an interface. When calling a second function from the interface, it passes a file path as a parameter.\r\n360safe.exe, 360tray.exe | 360 Safeguard (aka 360Safe) | Attempts to load the legitimate DLL \u003cCURRENT_DIRECTORY\u003e\\deepscan\\cloudcom2.dll to use the exported functions XDOpen, XDAddRecordsEx, and XDClose; with them it adds a new entry in the SQL database file speedmem2.hg.\r\n360sd.exe | 360 Antivirus | Attempts to open the file \u003cCURRENT_DIRECTORY\u003e\\sl2.db to add a base64-encoded binary structure that contains the path to the loader DLL.\r\nkxescore.exe, kxetray.exe | Kingsoft AntiVirus | Attempts to load the legitimate DLL \u003cCURRENT_DIRECTORY\u003e\\security\\kxescan\\khistory.dll to use the exported function KSDllGetClassObject to obtain an interface. When it calls one of the functions from the vtable, it passes a file path as a parameter.\r\nTable 5 describes the actions taken when the process name matches that of selected instant-messaging software. In these cases, the orchestrator loads plugins from disk.\r\nTable 5. Orchestrator actions when executing in a process with the name of specific instant-messaging software\r\nProcess name | Targeted software | Action\r\nqq.exe | Tencent QQ | Attempts to create a mutex named GET QQ MESSAGE LOCK \u003cPROCESS_ID\u003e. 
If the mutex does not already exist, it loads the plugins c001.dat, c002.dat, and c003.dat from disk.\r\nwechat.exe | WeChat | Loads plugin c006.dat.\r\ntelegram.exe | Telegram | Loads plugin c007.dat.\r\nskype.exe | Skype | Loads plugin c003.dat.\r\ncc.exe | Unknown; possibly CloudChat | Loads plugin c003.dat.\r\nraidcall.exe | RaidCall | Loads plugin c003.dat.\r\nyy.exe | Unknown; possibly an application from the YY social network | Loads plugin c003.dat.\r\naliim.exe | AliWangWang | Loads plugin c005.dat.\r\nAfter completing the corresponding actions, the thread returns.\r\nPlugins group “c”\r\nFrom our analysis of the orchestrator code, we understand that at least six plugins of the “c” group might exist, of which only three are known to us at this time.\r\nTable 6 describes the basic functionality of the identified plugins.\r\nTable 6. Description of the plugins from group “c”\r\nPlugin name | Description\r\nc001.dat | Steals information from QQ databases, including credentials, chat logs, contact lists, and more.\r\nc002.dat | Hooks several functions from Tencent QQ’s KernelUtil.dll and Common.dll in the memory of the QQ.exe process, enabling interception of direct and group messages, and of SQL queries to databases.\r\nc003.dat | Hooks several APIs (CoCreateInstance, waveInOpen, waveInClose, waveInAddBuffer, waveOutOpen, waveOutWrite, waveOutClose), which enables the plugin to intercept audio conversations in several processes.\r\nBackdoor\r\nWe have already shared several details on the basic purpose of the backdoor: to communicate with its controller and exfiltrate collected data. Communication with the controller is mostly based around writing plugin configuration data into an unencrypted file named license.dat, and invoking functionality from loaded plugins. Table 7 describes the most relevant commands handled by the backdoor.\r\nTable 7. 
Description of some of the commands handled by the backdoor\r\nCommand ID | Description\r\n0x04 | Creates or closes a reverse shell and handles its input and output.\r\n0x17 | Moves a file between paths provided by the controller.\r\n0x1C | Uninstalls the implant.\r\n0x1E | Collects file information from a specified directory, or collects drive information.\r\n0x28 | Terminates a process with a PID given by the controller.\r\nPlugin groups “a” and “b”\r\nThe backdoor component contains its own embedded plugin DLLs (see Table 8) that are written to disk and give the backdoor its basic spying and information-collecting capabilities.\r\nTable 8. Descriptions of plugin groups “a” and “b” embedded in the backdoor\r\nPlugin name | Description\r\na010.dat | Collects installed software information from the registry.\r\nb010.dat | Takes screenshots.\r\nb011.dat | Basic keylogger.\r\nConclusion\r\nWe have analyzed attacks and capabilities from a threat actor that we have named Blackwood, which has carried out cyberespionage operations against individuals and companies from China, Japan, and the United Kingdom. We mapped the evolution of NSPX30, the custom implant deployed by Blackwood, all the way back to 2005 to a small backdoor we’ve named Project Wood.\r\nInterestingly, the Project Wood implant from 2005 appears to be the work of developers with experience in malware development, given the techniques implemented, leading us to believe that we are yet to discover more about the history of the primordial backdoor.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit the ESET Threat Intelligence page.\r\nIOCs\r\nFiles\r\nSHA-1 | Filename | ESET detection name | Description\r\n625BEF5BD68F75624887D732538B7B01E3507234 | minibrowser_shell.dll | Win32/Agent.AFYI | NSPX30 initial dropper.\r\n43622B9573413E17985B3A95CBE18CFE01FADF42 | comx3.dll | Win32/Agent.AFYH | Loader for the installer.\r\n240055AA125BD31BF5BA23D6C30133C5121147A5 | msnsp.dll | Win32/Agent.AFYH | Persistent loader.\r\n308616371B9FF5830DFFC740318FD6BA4260D032 | mshlp.dll | Win32/Agent.AFYH | Loader for the orchestrator.\r\n796D05F299F11F1D78FBBB3F6E1F497BC3325164 | comx3.dll.txt | Win32/TrojanDropper.Agent.SWR | Decrypted installer.\r\n82295E138E89F37DD0E51B1723775CBE33D26475 | WIN.cfg | Win32/Agent.AFYI | Decrypted orchestrator.\r\n44F50A81DEBF68F4183EAEBC08A2A4CD6033DD91 | msfmtkl.dat | Win32/Agent.VKT | Decrypted backdoor.\r\nDB6AEC90367203CAAC9D9321FDE2A7F2FE2A0FB6 | c001.dat | Win32/Agent.AFYI | Credentials and data s\r\n9D74FE1862AABAE67F9F2127E32B6EFA1BC592E9 | c002.dat | Win32/Agent.AFYI | Tencent QQ message \r\n8296A8E41272767D80DF694152B9C26B607D26EE | c003.dat | Win32/Agent.AFYI | Audio capture plugin.\r\n8936BD9A615DD859E868448CABCD2C6A72888952 | a010.dat | Win32/Agent.VKT | Information collector\r\nAF85D79BC16B691F842964938C9619FFD1810C30 | b011.dat | Win32/Agent.VKT | Keylogger plugin.\r\nACD6CD486A260F84584C9FF7409331C65D4A2F4A | b010.dat | Win32/Agent.VKT | Screen capture plugin\r\nNetwork\r\nIP | Domain | Hosting provider | First seen | Details\r\n104.193.88[.]123 | www.baidu[.]com | Beijing Baidu Netcom Science and Technology Co., Ltd. | 2017‑08‑04 | Legitimate website contacted by the orchestrator and backdoor components to download payloads. 
The HTTP GET request is intercepted by AitM.\r\n183.134.93[.]171 | dl_dir.qq[.]com | IRT‑CHINANET‑ZJ | 2021‑10‑17 | Part of the URL from where the dropper was downloaded by legitimate software.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 14 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1587.001 | Develop Capabilities: Malware | Blackwood used a custom implant called NSPX30.\r\nInitial Access | T1195 | Supply Chain Compromise | NSPX30’s dropper component is delivered when legitimate software update requests are intercepted via AitM.\r\nExecution | T1059.001 | Command and Scripting Interpreter: PowerShell | NSPX30’s installer component uses PowerShell to disable Windows Defender’s sample submission, and adds an exclusion for a loader component.\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | NSPX30’s installer can use cmd.exe when attempting to bypass UAC. NSPX30’s backdoor can create a reverse shell.\r\nExecution | T1059.005 | Command and Scripting Interpreter: Visual Basic | NSPX30’s installer can use VBScript when attempting to bypass UAC.\r\nExecution | T1106 | Native API | NSPX30’s installer and backdoor use the CreateProcessA/W APIs to execute components.\r\nPersistence | T1574 | Hijack Execution Flow | NSPX30’s loader is automatically loaded into a process when Winsock is started.\r\nPrivilege Escalation | T1546 | Event Triggered Execution | NSPX30’s installer modifies the registry to change a media button key value (APPCOMMAND_LAUNCH_APP2) to point to its loader executable.\r\nPrivilege Escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | NSPX30’s installer uses three techniques to attempt UAC bypasses.\r\nDefense Evasion | 
T1140 | Deobfuscate/Decode Files or Information | NSPX30’s installer, orchestrator, backdoor, and configuration files are decrypted with RC4, or with combinations of bitwise and arithmetic instructions.\r\nDefense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | NSPX30’s installer disables Windows Defender’s sample submission, and adds an exclusion for a loader component. NSPX30’s orchestrator can alter the databases of security software to allowlist its loader components. Targeted software includes Tencent PC Manager, 360 Safeguard, 360 Antivirus, and Kingsoft AntiVirus.\r\nDefense Evasion | T1070.004 | Indicator Removal: File Deletion | NSPX30 can remove its files.\r\nDefense Evasion | T1070.009 | Indicator Removal: Clear Persistence | NSPX30 can remove its persistence.\r\nDefense Evasion | T1202 | Indirect Command Execution | NSPX30’s installer executes PowerShell through the Windows Command Shell.\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | NSPX30’s components are stored in the legitimate folder %PROGRAMDATA%\\Intel.\r\nDefense Evasion | T1112 | Modify Registry | NSPX30’s installer can modify the registry when attempting to bypass UAC.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | NSPX30’s components are stored encrypted on disk.\r\nDefense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads | NSPX30’s dropper contains embedded components. NSPX30’s loader contains embedded shellcode.\r\nDefense Evasion | T1218.011 | System Binary Proxy Execution: Rundll32 | NSPX30’s installer can be loaded through rundll32.exe.\r\nCredential Access | T1557 | Adversary-in-the-Middle | The NSPX30 implant is delivered to victims through AitM attacks.\r\nCredential Access | T1555 | Credentials from Password Stores | NSPX30 plugin c001.dat can steal credentials from Tencent QQ databases.\r\nDiscovery | T1083 | File and 
Directory\r\nDiscovery\r\nNSPX30’s backdoor and plugins can list files.\r\nT1012 Query Registry\r\nNSPX30 a010.dat plugin collects various information\r\nof installed software from the registry.\r\nT1518 Software Discovery\r\nNSPX30 a010.dat plugin collects information from the\r\nregistry.\r\nT1082\r\nSystem Information\r\nDiscovery\r\nNSPX30’s backdoor collects system information.\r\nT1016\r\nSystem Network\r\nConfiguration Discovery\r\nNSPX30’s backdoor collects various network adapter\r\ninformation.\r\nT1049\r\nSystem Network\r\nConnections Discovery\r\nNSPX30’s backdoor collects network adapter\r\ninformation.\r\nT1033\r\nSystem Owner/User\r\nDiscovery\r\nNSPX30’s backdoor collects system and user\r\ninformation.\r\nCollection T1056.001 Input Capture: Keylogging NSPX30 plugin b011.dat is a basic keylogger.\r\nT1560.002\r\nArchive Collected Data:\r\nArchive via Library\r\nNSPX30 plugins compress collected information using\r\nzlib.\r\nT1123 Audio Capture\r\nNSPX30 plugin c003.dat records input and output\r\naudio streams.\r\nT1119 Automated Collection\r\nNSPX30’s orchestrator and backdoor automatically\r\nlaunch plugins to collect information.\r\nhttps://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/\r\nPage 15 of 17\n\nTactic ID Name Description\r\nT1074.001\r\nData Staged: Local Data\r\nStaging\r\nNSPX30’s plugins store data in local files before\r\nexfiltration.\r\nT1113 Screen Capture NSPX30 plugin b010.dat takes screenshots.\r\nCommand\r\nand Control\r\nT1071.001\r\nApplication Layer\r\nProtocol: Web Protocols\r\nNSPX30’s orchestrator and backdoor components\r\ndownload payloads using HTTP.\r\nT1071.004\r\nApplication Layer\r\nProtocol: DNS\r\nNSPX30’s backdoor exfiltrates the collected\r\ninformation using DNS.\r\nT1132.001\r\nData Encoding: Standard\r\nEncoding\r\nCollected data for exfiltration is compressed with zlib.\r\nT1001 Data Obfuscation\r\nNSPX30’s backdoor encrypts its 
C\u0026C\r\ncommunications.\r\nT1095\r\nNon-Application Layer\r\nProtocol\r\nNSPX30’s backdoor uses UDP for its C\u0026C\r\ncommunications.\r\nT1090 Proxy\r\nNSPX30’s communications with its C\u0026C server are\r\nproxied by an unidentified component.\r\nExfiltration\r\nT1020 Automated Exfiltration When available, NSPX30’s backdoor automatically\r\nexfiltrates any collected information.\r\nT1030 Data Transfer Size Limits\r\nNSPX30’s backdoor exfiltrates collected data via DNS\r\nqueries with a fixed packet size.\r\nT1048.003\r\nExfiltration Over\r\nAlternative Protocol:\r\nExfiltration Over\r\nUnencrypted Non-C2\r\nProtocol\r\nNSPX30’s backdoor exfiltrates the collected\r\ninformation using DNS.\r\nhttps://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/\r\nPage 16 of 17\n\nSource: https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/\r\nhttps://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/\r\nPage 17 of 17",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/"
	],
	"report_names": [
		"nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005"
	],
	"threat_actors": [
		{
			"id": "2d4d2356-8f9e-464d-afc6-2403ce8cf424",
			"created_at": "2023-01-06T13:46:39.290101Z",
			"updated_at": "2026-04-10T02:00:03.275981Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"狼毒草"
			],
			"source_name": "MISPGALAXY:Gelsemium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77874718-7ad2-4d15-9831-10935ab9bcbe",
			"created_at": "2022-10-25T15:50:23.619911Z",
			"updated_at": "2026-04-10T02:00:05.349462Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Gelsemium"
			],
			"source_name": "MITRE:Gelsemium",
			"tools": [
				"Gelsemium",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c13153a4-8dda-4cc5-ac31-c9ca25f3563c",
			"created_at": "2024-02-01T02:00:04.227755Z",
			"updated_at": "2026-04-10T02:00:03.522787Z",
			"deleted_at": null,
			"main_name": "Blackwood",
			"aliases": [],
			"source_name": "MISPGALAXY:Blackwood",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86adb59b-9acc-4dac-b7f1-7ac9214c4b97",
			"created_at": "2025-06-29T02:01:57.19934Z",
			"updated_at": "2026-04-10T02:00:04.936171Z",
			"deleted_at": null,
			"main_name": "TheWizards",
			"aliases": [],
			"source_name": "ETDA:TheWizards",
			"tools": [
				"Spellbinder",
				"WizardNet"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0770ba43-efad-4f73-a5e4-21621a5ac86e",
			"created_at": "2024-03-08T02:02:14.61239Z",
			"updated_at": "2026-04-10T02:00:04.585473Z",
			"deleted_at": null,
			"main_name": "Blackwood",
			"aliases": [],
			"source_name": "ETDA:Blackwood",
			"tools": [
				"NSPX30"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b72c2616-cc7c-4c47-a83d-6b7866b94746",
			"created_at": "2023-01-06T13:46:39.425297Z",
			"updated_at": "2026-04-10T02:00:03.323082Z",
			"deleted_at": null,
			"main_name": "Red Nue",
			"aliases": [
				"LuoYu"
			],
			"source_name": "MISPGALAXY:Red Nue",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fad89cb7-83e8-4d8c-8cf8-dce2c6e54479",
			"created_at": "2023-10-27T02:00:07.764261Z",
			"updated_at": "2026-04-10T02:00:03.378226Z",
			"deleted_at": null,
			"main_name": "Camaro Dragon",
			"aliases": [],
			"source_name": "MISPGALAXY:Camaro Dragon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "06f59286-7fc1-4cae-8088-a26543643247",
			"created_at": "2025-11-07T02:00:03.494055Z",
			"updated_at": "2026-04-10T02:00:03.893442Z",
			"deleted_at": null,
			"main_name": "TheWizards",
			"aliases": [],
			"source_name": "MISPGALAXY:TheWizards",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434620,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/327deb10163f5e4a72b0839e976e8761e9080d96.pdf",
		"text": "https://archive.orkl.eu/327deb10163f5e4a72b0839e976e8761e9080d96.txt",
		"img": "https://archive.orkl.eu/327deb10163f5e4a72b0839e976e8761e9080d96.jpg"
	}
}