{
	"id": "b41ff1df-5ceb-448d-a3cc-337db10b2003",
	"created_at": "2026-04-06T00:16:56.457815Z",
	"updated_at": "2026-04-10T03:38:20.281435Z",
	"deleted_at": null,
	"sha1_hash": "32b9eb688143c2276ecbf88aac04e4ccd252db0f",
	"title": "Stately Taurus Activity in Southeast Asia Links to Bookworm Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 204752,
	"plain_text": "Stately Taurus Activity in Southeast Asia Links to Bookworm Malware\r\nBy Robert Falcone\r\nPublished: 2025-02-20 · Archived: 2026-04-05 19:24:13 UTC\r\nExecutive Summary\r\nWhile analyzing infrastructure related to Stately Taurus activity targeting organizations in countries affiliated with the\r\nAssociation of Southeast Asian Nations (ASEAN), Unit 42 researchers observed overlaps with infrastructure used by a\r\nvariant of the Bookworm malware. We also found open-source intelligence that revealed additional Stately Taurus activity in\r\nthe region during the same timeframe, including a January 2024 CSIRT CTI post detailing attacks in Myanmar.\r\nThe earlier Stately Taurus attacks delivered the PubLoad malware and used the DLL sideloading technique to execute the\r\nmalware. Stately Taurus commonly uses DLL sideloading as a technique to execute its payloads and Unit 42 believes that\r\nthe PubLoad malware family is unique to this threat group as well.\r\nBefore discovering these overlaps with known Stately Taurus infrastructure, we hadn't associated any threat actor with\r\nBookworm, which we first published about in 2015. After nearly a decade, we can now confidently state that Stately Taurus\r\nuses this malware.\r\nPalo Alto Networks customers are better protected through the following products and services:\r\nCortex XDR and XSIAM\r\nCloud-Delivered Security Services for the Next-Generation Firewall, including Advanced WildFire, Advanced Threat\r\nPrevention, Advanced URL Filtering and Advanced DNS Security\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.\r\nStately Taurus Ties, Years in the Making\r\nThe Stately Taurus activity impacting Myanmar used a legitimate executable signed by an automation organization to load a\r\nmalicious payload with a filename of BrMod104.dll\r\n(2a00d95b658e11ca71a8de532999dd33ddee7f80432653427eaa885b611ddd87). 
This malicious payload is a variant of\r\nPubLoad, which is stager malware that communicates with its command and control (C2) server to obtain a second\r\nshellcode-based payload.\r\nThis particular PubLoad payload communicates with its C2 server by directly connecting to the IP address 123.253.32[.]15.\r\nThe payload then issues an HTTP request that looks like that shown in Figure 1.\r\nFigure 1. HTTP POST request sent from PubLoad to its C2.\r\nThe HTTP request includes www.asia.microsoft.com within the host field as an attempt to masquerade as a legitimate\r\nrequest associated with the Windows operating system. Also, the URL pattern seen in these HTTP requests appears to be an\r\nattempt to mimic legitimate URLs accessed by Windows Update, one of which looks like the following:\r\nhttp://download.microsoft[.]com/v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab\r\nWe compared the legitimate URL to that used by PubLoad. PubLoad’s URL uses v6-winsp1-wuredir, which differs\r\nfrom v6-win7sp1-wuredir used by the legitimate Windows Update URL.\r\nWe used this anomaly along with the rest of the URL structure to pivot to several archive files, described in more detail in\r\nthe Indicators of Compromise section. These files were likely used in the delivery phase of the threat actor’s operations.\r\nLab52 discussed these archives within their article discussing Mustang Panda’s targeting of Australia in 2023, which\r\nprovided another linkage between the stated activity and the Stately Taurus actor.\r\nIn addition to these archives, we found three older payloads that had not been previously discussed publicly, shown in Table\r\n1. These files communicated with their C2 servers using the same URL structure.\r\nhttps://unit42.paloaltonetworks.com/stately-taurus-uses-bookworm-malware/\r\nPage 1 of 6\n\nCompiled | SHA256 | Filename | Debug Symbol Path\r\nDec. 23, 2021 | cf61b7a9bdde2a39156d88f309f230a7d44e9feaf0359947e1f96e069eca4e86 | anhlab.exe | C:\\Users\\hack\\Desktop\\uuid\\uu\\Release\\u\r\nNov. 9, 2022 | 5064b2a8fcfc58c18f53773411f41824b7f6c2675c1d531ffa109dc4f842119b | ltdis13n.dll | E:\\WhiteFile\\LTDIS13n\\Release\\LTDIS13\r\nOct. 26, 2022 | fbc67446daaa0a0264ed7a252ab42413d6a43c2e5ab43437c2b3272daec85e81 | ltdis13n.dll | C:\\Users\\hack\\Documents\\WhiteFile\\LTD\r\nTable 1. Payloads seen using the same URL pattern for C2 communications as Stately Taurus.\r\nThe payloads shown in Table 1 are loaders that contain embedded shellcode formatted and ultimately executed in an\r\ninteresting way by following these steps:\r\n1. Using ASCII or decoded Base64 strings that represent UUID strings\r\n2. Calling UuidFromStringA to convert the decoded UUIDs to binary data, each of which represents 16 bytes of shellcode\r\n3. Creating a buffer on the heap using HeapCreate and HeapAlloc\r\n4. Copying the shellcode to the buffer on the heap\r\n5. Using a callback function of a legitimate API function, such as EnumChildWindows or EnumSystemLanguageGroupsA, to execute the shellcode on the heap\r\nWhile the process to load and run shellcode seems quite unique, the NCC group thoroughly documented it in their January\r\n2021 analysis of a macro-enabled document the Lazarus group used in Operation In(ter)ception. We do not believe Stately\r\nTaurus is related to Operation In(ter)ception. However, the NCC group included source code of the shellcode loading\r\nprocess written in C within their article. We believe Stately Taurus developers used this as a basis to create the three samples\r\nin Table 1 above.\r\nThe decoded shellcode decrypts and loads dynamic-link libraries (DLLs) that comprise the Bookworm malware, which we\r\nwill discuss further in the next section. 
The Bookworm module responsible for communicating with its C2 server will issue\r\nHTTP POST requests to either www.fjke5oe[.]com or update.fjke5oe[.]com with the URL path previously seen in the\r\nPubLoad sample, as shown in Figure 2.\r\nFigure 2. HTTP POST to Bookworm C2 from\r\nfbc67446daaa0a0264ed7a252ab42413d6a43c2e5ab43437c2b3272daec85e81.\r\nOverlaps Between Bookworm and ToneShell\r\nWhile analyzing the Bookworm samples, we found a variant of the ToneShell backdoor\r\n(b382cc85eee95a620fc11370309ff76de9a3bcaefb645790434d8251a3b9fce1) that had the same debug symbol path as the\r\nBookworm loader. Its developers compiled the two samples 8 weeks apart.\r\nThe ToneShell variant was compiled Sep. 1, 2022, and the Bookworm sample was compiled on Oct. 26, 2022. The close\r\nproximity in compile times and the shared debug path between the two samples suggests that the same developer could have\r\ncreated samples of the two malware families. The debug path seen in both the ToneShell and Bookworm variants was\r\nC:\\Users\\hack\\Documents\\WhiteFile\\LTDIS13n\\Release\\LTDIS13n.pdb.\r\nIn addition to this debug symbol overlap, we also observed an infrastructure overlap. This overlap included the Bookworm\r\nsamples shown in Table 1 and the ToneShell variant used in the targeted attack on the government organizations in Southeast\r\nAsia that we discussed in our August 2023 article.\r\nThe Bookworm payloads in Table 1 communicate with either www.fjke5oe[.]com or update.fjke5oe[.]com, both of which\r\nresolved to 103.27.202[.]80. The latter URL switched to 103.27.202[.]68 in December 2022.\r\nEarlier in January 2022, the IP address 103.27.202[.]68 resolved to the domain www.uvfr4ep[.]com. 
This domain hosted the\r\nC2 server for a ToneShell sample (a08e0d1839b86d0d56a52d07123719211a3c3d43a6aa05aa34531a72ed1207dc) installed\r\nby Stately Taurus at the Southeast Asian government compromise discussed in our previous post.\r\nThis reinforces the link between the two malware families and their use by Stately Taurus. Further strengthening this\r\nconnection, the ToneShell C2 domain www.uvfr4ep[.]com also resolved to 103.27.202[.]87, an IP address linked to the\r\nknown Bookworm C2 domain www.hbsanews[.]com.\r\nWe also found a recent ToneShell sample compiled on Jan. 24, 2024, that used the UUID format to represent its shellcode.\r\nThis sample also used the same publicly available source code created by the NCC group as the Bookworm samples\r\nmentioned in the previous section.\r\nThe main difference between the ToneShell loader using UUIDs and the Bookworm samples is the legitimate API\r\nfunctions whose callback functions they used to execute the shellcode. The Bookworm samples used either\r\nEnumSystemLanguageGroupsA or EnumChildWindows to run their shellcode from the API function’s callback function,\r\nwhile the ToneShell sample used the legitimate API EnumSystemLocalesA instead.\r\nTable 2 shows the ToneShell and Bookworm samples that used the UUID technique to represent their respective shellcode,\r\nalong with the API function they use to run the shellcode. This technique is not unique to this actor as the source code of the\r\ntechnique is publicly available. We include it in our analysis to increase our confidence in the relationship between\r\nBookworm and ToneShell. 
It’s believed that only Stately Taurus uses ToneShell.\r\nSHA256 | Family | Callback Function Called By | UUID Format\r\nab9d8f1021f2a99c74aa66f8ddb52996ac2337da9de2676d090b87e19ce93033 | ToneShell | EnumSystemLocalesA | ASCII\r\ncf61b7a9bdde2a39156d88f309f230a7d44e9feaf0359947e1f96e069eca4e86 | Bookworm | EnumSystemLanguageGroupsA | ASCII\r\n5064b2a8fcfc58c18f53773411f41824b7f6c2675c1d531ffa109dc4f842119b | Bookworm | EnumChildWindows | Base64\r\nfbc67446daaa0a0264ed7a252ab42413d6a43c2e5ab43437c2b3272daec85e81 | Bookworm | EnumChildWindows | Base64\r\nTable 2. ToneShell and Bookworm samples using UUID to represent their shellcode and the API functions used to run the\r\nshellcode.\r\nUpdates to Bookworm\r\nIn our first public post on Bookworm, we did a thorough analysis of the malware family and its unique modular design. We\r\nwill reference this analysis in this section, and we suggest referencing the previous post for additional context.\r\nAt a high level, the Bookworm malware has had minimal changes from the original samples analyzed in 2015 and those\r\nmentioned in the previous section. Its developers compiled these samples in late 2021 and in the fall of 2022.\r\nIn our original analysis, the Bookworm family used DLL sideloading to load an actor-developed DLL called Loader.dll to\r\ndecrypt and run shellcode within a file named readme.txt. In contemporary Bookworm samples, the malware no longer uses\r\nthe Loader.dll and readme.txt files. Rather, the Bookworm shellcode within readme.txt is now the shellcode represented as\r\nUUID parameters as discussed in the previous sections of this post.\r\nThe reuse of the shellcode in a different form factor shows the flexibility of Bookworm. This flexibility allows the actor to\r\ncontinue using this malware family years after public exposure.\r\nThe Bookworm malware family consists of multiple modules, each of which supports the main Leader.dll module by\r\nproviding additional functionality. 
Older Bookworm modules had an exported function named ProgramStartup that the\r\nLeader module would call to obtain a data structure that acted as a list of available functions within the module.\r\nThe Leader.dll module would use this data structure to call specific functions within the supporting modules to carry out\r\nspecific functionality. Contemporary Bookworm modules no longer have the ProgramStartup exported function. Instead,\r\neach module’s DllEntryPoint function returns a pointer to a function that is identical to the ProgramStartup function, which\r\nthe Leader module will call to obtain the data structure with the module’s functions.\r\nFigure 3 shows a comparison of the original ProgramStartup function for the AES.dll module on the right. The function\r\nreturned by the DllEntryPoint of the contemporary AES.dll module is on the left.\r\nFigure 3. Code comparison between the original AES.dll ProgramStartup function and its contemporary counterpart.\r\nBesides the lack of a ProgramStartup exported function, the Bookworm modules themselves are very similar from a\r\nfunctionality perspective. The module identifier numbers used by Bookworm’s loader line up exactly between the original\r\nBookworm modules and their contemporary counterparts. However, the malware authors changed all but two of the DLL\r\nnames extracted from the module’s export address table (EAT) between old and new Bookworm modules.\r\nFor instance, while the Leader.dll and Coder.dll module names remained the same from old to new Bookworm, the\r\ndevelopers changed from legible module names like Resolver.dll to illegible names like dafdsafdsaa3. The developer also\r\nremoved the timestamps from the EAT to make it difficult to determine when they created the module.\r\nHowever, a notable exception involves the Coder.dll module that had a timestamp of 2017-08-04 05:24:49. 
This suggests\r\nthat the contemporary Bookworm modules are using a module created in August 2017.\r\nTable 3 shows the modules within contemporary Bookworm samples with their module identifier, module name and the\r\noriginal name of the module compared to those of older Bookworm samples.\r\nSHA256 | Current Module Name | Related Bookworm Module | Current Module ID\r\nf7b024196ac50bd0f7ed362a532e83edf154bb60fcf24d0ab5297d0c6beaca0f | Leader.dll | Leader.dll | 0x0\r\nbbf12ee2cd71dbcf2948adf64f354ad7c69d6b6ff0b78ea76b3df2d02b08ed0f | dafdsafdsaa3 | Resolver.dll | 0x1\r\nfa739724a4b6f7a766a2d7695d7da7b33a6ac834672c1b544dd555c93600a637 | fjdasljguafa | KBLogger.dll | 0x5\r\nd7dbfb2b755418842fea4fca5628f0b36bbd128a71ddcd858b4b3c67ba78f516 | Coder.dll | Coder.dll | 0xA\r\n6804b10aefe8fdb2b33ecf3bc5a93f49413ef66001b561e6fc121990d703d780 | 999999.000 | Digest.dll | 0xB\r\n72aa72a4a4bdb09146c587304c6639eae65900cb2ea26911540a77d1f9b7acf6 | AES.dll | AES.dll | 0xC\r\nfb25a69ffc18b79ee664462e0717cf5e70820948d5d2ca4c192fac8b1ede91c2 | yyrtytr.565 | Network.dll | 0xE\r\ndcc349a1b624f6b949f181a7dd859a82715b4d3b6c37c7e5be1b729cd8e6f01f | feareade | HTTP.dll | 0x13\r\n51bf329ba04a042789bad3b395092488a3d89130dc72818985cde11fb85f8389 | fdafgravfdrafra | WinINetwork.dll | 0x17\r\nTable 3. Contemporary Bookworm modules, their names and the modules they relate to in original Bookworm samples.\r\nTable 3 shows that none of the more recent Bookworm samples have the Mover.dll module, which our previous post\r\ndescribed as being responsible for moving Bookworm files to a new location upon initial installation. While this module is\r\nno longer included as part of the installation, the main module (Leader.dll) in contemporary Bookworm samples contains\r\nartifacts that suggest it still supports use of a Mover.dll module. 
For instance, current Leader.dll modules still attempt to\r\nresolve an exported function named iar, which is the exported function name within the original Mover.dll modules that\r\ncarries out its functionality.\r\nConclusion\r\nStately Taurus remains highly active in targeting organizations associated with ASEAN. Based on overlaps sourced from\r\nthis recent activity to the Bookworm malware family, Unit 42 has associated previously unattributed attacks on government\r\norganizations in Southeast Asia from nine years ago.\r\nDevelopers appear to have created these related Bookworm samples in 2021 and 2022, which show only slight changes from\r\nthe core components from the Bookworm samples analyzed in 2015. Bookworm’s use of shellcode to load additional\r\nmodules allows the actors to package it in different form factors, which were the main difference seen between samples from\r\n2015 and 2021-2022.\r\nThe Bookworm malware has proven to be very versatile and a threat actor can repackage it to meet their operational\r\nrequirements. This versatility suggests Bookworm will show up again in future attacks, which reiterates the same parting\r\nwords from the conclusion from the Bookworm Trojan: A Model of Modular Architecture article from 2015. However this\r\ntime we can reference the threat actor by name:\r\n“We believe that it is likely that Stately Taurus will continue developing Bookworm and will continue to use it for the\r\nforeseeable future.”\r\nPalo Alto Networks customers are better protected from the threats discussed above through the following products:\r\nAdvanced WildFire cloud-delivered malware analysis service accurately identifies the known samples as malicious.\r\nAdvanced URL Filtering and Advanced DNS Security identify known URLs and domains associated with this\r\nactivity as malicious.\r\nNext-Generation Firewall with the Advanced Threat Prevention security subscription can help block the attacks with\r\nbest practices. 
Advanced Threat Prevention has an inbuilt machine learning-based detection that can detect exploits in\r\nreal time.\r\nCortex XDR and XSIAM are designed to:\r\nPrevent the execution of known malicious malware, and also prevent the execution of unknown malware\r\nusing Behavioral Threat Protection and machine learning based on the Local Analysis module.\r\nProtect against credential gathering tools and techniques using the new Credential Gathering Protection\r\navailable from Cortex XDR 3.4.\r\nProtect from threat actors dropping and executing commands from web shells using Anti-Webshell Protection,\r\nnewly released in Cortex XDR 3.4.\r\nProtect against exploitation of different vulnerabilities including ProxyShell and ProxyLogon using the Anti-Exploitation modules as well as Behavioral Threat Protection.\r\nDetect post-exploit activity, including credential-based attacks, with behavioral analytics, through Cortex\r\nXDR Pro.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response\r\nteam or call:\r\nNorth America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)\r\nUK: +44.20.3743.3660\r\nEurope and Middle East: +31.20.299.3130\r\nAsia: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nAustralia: +61.2.4062.7950\r\nIndia: 00080005045107\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use\r\nthis intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. 
Learn\r\nmore about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nBookworm Samples\r\nBookworm Modules\r\nSHA256 Module\r\nfa739724a4b6f7a766a2d7695d7da7b33a6ac834672c1b544dd555c93600a637 KBLogger.dll\r\nfb25a69ffc18b79ee664462e0717cf5e70820948d5d2ca4c192fac8b1ede91c2 Network.dll\r\nbbf12ee2cd71dbcf2948adf64f354ad7c69d6b6ff0b78ea76b3df2d02b08ed0f Resolver.dll\r\ndcc349a1b624f6b949f181a7dd859a82715b4d3b6c37c7e5be1b729cd8e6f01f HTTP.dll\r\n51bf329ba04a042789bad3b395092488a3d89130dc72818985cde11fb85f8389 WinINetwork.dll\r\nd7dbfb2b755418842fea4fca5628f0b36bbd128a71ddcd858b4b3c67ba78f516 Digest.dll\r\n6804b10aefe8fdb2b33ecf3bc5a93f49413ef66001b561e6fc121990d703d780 Digest.dll\r\n72aa72a4a4bdb09146c587304c6639eae65900cb2ea26911540a77d1f9b7acf6 
AES.dll\r\nf7b024196ac50bd0f7ed362a532e83edf154bb60fcf24d0ab5297d0c6beaca0f Leader.dll\r\nBookworm Infrastructure\r\nArchives Related to PubLoad Using V6-winsp1-wuredir\r\nSHA256 | Filename | C2\r\nb7e042d2accdf4a488c3cd46ccd95d6ad5b5a8be71b5d6d76b8046f17debaa18 | analysis of the third meeting of ndsc.zip | 123.253.32[.]15\r\n41276827827b95c9b5a9fbd198b7cff2aef6f90f2b2b3ea84fadb69c55efa171 | april 27 updated party list.zip | 123.253.35[.]231\r\n167a842b97d0434f20e0cd6cf73d07079255a743d26606b94fc785a0f3c6736e | notice re uec, (04-25-2023 day).zip | 123.253.35[.]231\r\n4fbfbf1cd2efaef1906f0bd2195281b77619b9948e829b4d53bf1f198ba81dc5 | biography of senator the hon don farrell.zip | 123.253.35[.]231\r\n4e8717c9812318f8775a94fc2bffcf050eacfbc30ea25d0d3dcfe61b37fe34bb | analysisofthethirdmeetingofndsc.zip | 123.253.32[.]15\r\n98d6db9b86d713485eb376e156d9da585f7ac369816c4c6adb866d845ac9edc7 | 0228-2023.zip | 123.253.35[.]231\r\na02766b3950dbb86a129384cf9060c11be551025a7f469e3811ea257a47907d5 | national security priority programs.zip | 123.253.35[.]231\r\n4b6f0ae4abc6b73a68d9ee5ad9c0293baa4e7e94539ea43c0973677c0ee7f8cb | nsd.zip | 123.253.32[.]15\r\neb176117650d6a2d38ff435238c5e2a6d0f0bb2a9e24efed438a33d8a2e7a1ea | SAC has some instructional requirements for the general election(2).zip | 123.253.35[.]231\r\nAdditional Resources\r\nStately Taurus Targets the Philippines As Tensions Flare in the South Pacific – Unit 42, Palo Alto Networks\r\nCyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda – Unit 42, Palo Alto Networks\r\nBookworm Trojan: A Model of Modular Architecture – Unit 42, Palo Alto Networks\r\nThreat Actor Groups Tracked by Palo Alto Networks Unit 42 – 
Unit 42, Palo Alto Networks\r\nHunting for Unsigned DLLs to Find APTs – Unit 42, Palo Alto Networks\r\nSource: https://unit42.paloaltonetworks.com/stately-taurus-uses-bookworm-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/stately-taurus-uses-bookworm-malware/"
	],
	"report_names": [
		"stately-taurus-uses-bookworm-malware"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8386d4af-5cca-40bb-91d7-aca5d1a0ec99",
			"created_at": "2022-10-25T16:07:23.414558Z",
			"updated_at": "2026-04-10T02:00:04.588816Z",
			"deleted_at": null,
			"main_name": "Bookworm",
			"aliases": [],
			"source_name": "ETDA:Bookworm",
			"tools": [
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Scieron",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"ffrat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434616,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/32b9eb688143c2276ecbf88aac04e4ccd252db0f.pdf",
		"text": "https://archive.orkl.eu/32b9eb688143c2276ecbf88aac04e4ccd252db0f.txt",
		"img": "https://archive.orkl.eu/32b9eb688143c2276ecbf88aac04e4ccd252db0f.jpg"
	}
}