{
	"id": "b1cd1910-0310-4e53-8a8d-f652ab9fb15f",
	"created_at": "2026-04-06T00:10:42.44776Z",
	"updated_at": "2026-04-10T13:11:55.736377Z",
	"deleted_at": null,
	"sha1_hash": "36901f0ed88b230bb7dd330fe05fb1d160902292",
	"title": "Symantec Exposes Crackerjack Cybercriminal Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 97419,
	"plain_text": "Symantec Exposes Crackerjack Cybercriminal Group\r\nBy admin-ectnews\r\nPublished: 2013-09-17 · Archived: 2026-04-05 19:07:48 UTC\r\nSymantec on Tuesday disclosed the existence of a group of 50 to 100 top-rate hackers.\r\nNamed “Hidden Lynx” after a string of code Symantec found in its command-and-control server communications,\r\nthe group is an advanced persistent threat that has skills well ahead of similar organizations in the region, such as\r\nAPT1, Symantec said.\r\n“The Hidden Lynx group is methodical in its approach and leverages zero days quickly, most recently affecting\r\nInternet Explorer and Java, and have used three zero-day vulnerabilities since 2011,” Vikram Thakur, a researcher\r\nat Symantec Security Response, told TechNewsWorld.\r\nHowever, Symantec’s claim that Hidden Lynx has skills superior to those of APT1 — which cybersecurity firm\r\nMandiant has depicted as a unit of the People’s Liberation Army — is suspect, said Taia Global CEO Jeffrey Carr.\r\n“If Symantec’s claim is true, it means we should be more concerned about a team of 50 Chinese hackers than the\r\nPLA,” he pointed out, “but I think most analysts would suspect that the reverse is true.”\r\nWhat Hidden Lynx Apparently Did\r\nHidden Lynx’s most notable attack was VOHO, Symantec said. That attack reportedly used watering hole tactics\r\nto infect nearly 1,000 businesses, government agencies and nonprofit organizations. The cybercriminals identified\r\nwebsites their intended victims visited regularly, seeded those sites with code redirecting them to poisoned servers\r\nthat infected their computers, and then pounced on the information in the computers.\r\n“The Hidden Lynx group continued to attack the defense industry post-VOHO,” Thakur pointed out. 
“In another\r\ncampaign, named SCADEF, manufacturers and suppliers of military-grade computers were observed installing a\r\nTrojanized Intel driver application.”\r\nHidden Lynx steals intellectual property for a fee, Thakur said.\r\nThe Power of the Lynx\r\nHidden Lynx is divided into two teams Symantec has named after the malware they use, Thakur said.\r\nhttps://www.technewsworld.com/story/78982.html\r\nPage 1 of 3\n\nTeam Moudoor launches large-scale campaigns by distributing the backdoor Trojan Moudoor across several\r\nindustries. Team Naid uses the backdoor Trojan Naid, and is reserved for more limited attacks against high-value\r\ntargets.\r\nBoth Moudoor and Naid are reasonably well known Trojans but like other well-known malware, they are still in\r\nuse because they remain effective, thanks to poor patching practices and outdated security software, said NSS\r\nLabs Research Director Randy Abrams.\r\n“The most widespread threats are not necessarily the newest,” he told TechNewsWorld.\r\nThe Moudoor team uses that Trojan liberally without fear of being discovered because it lets the attackers grab\r\nsome information swiftly — and, more importantly, serves as a smokescreen for the Naid attack, Symantec’s\r\nThakur said.\r\nDeconstructing the Lynx\r\nThe Hidden Lynx group pioneered the watering hole attack, according to Symantec.\r\n“No, no, no — they ripped that off from adware and the advertising industry,” NSS Labs’ Abrams maintained.\r\n“Get ’em at the watering hole has been the strategy of advertising since before there were computers.”\r\nThe group’s command-and-control servers are hosted in China, “but we cannot confirm who is actually behind\r\n[it],” Symantec’s Thakur said.\r\nIt’s possible that cybercriminals from other countries have leased C\u0026C servers in China.\r\nPointing to China could be simple misdirection. 
“Given the revelations of the NSA’s collusion with big players, it\r\nis not beyond the realm of believability that attribution to the Chinese serves a [U.S.] governmental purpose,”\r\nsuggested NSS Labs’ Abrams.\r\nAs for Symantec’s report, “it’s a marketing piece rather than a serious research report,” Carr stated. “The authors\r\ndon’t provide any evidence to support their conjecture regarding the number of teams involved or who they are.”\r\nProtecting Against the Lynx\r\nMultiple layers of security have to be used to protect against a targeted attack “and sometimes the defenses will\r\nstill fail,” NSS Labs’ Abrams said.\r\n“You need multiple levels of protection mechanisms — data loss prevention, encryption, network and endpoint\r\nsecurity solutions are a few,” Symantec’s Thakur said.\r\n“Security is a lot like a windshield,” Abrams remarked. “One small pit can spiderweb out and cause irreparable\r\ndamage.”\r\nSource: https://www.technewsworld.com/story/78982.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.technewsworld.com/story/78982.html"
	],
	"report_names": [
		"78982.html"
	],
	"threat_actors": [
		{
			"id": "4b076dcb-516e-42fb-9c8f-f153902cd5e9",
			"created_at": "2022-10-25T16:07:23.708745Z",
			"updated_at": "2026-04-10T02:00:04.720108Z",
			"deleted_at": null,
			"main_name": "Hidden Lynx",
			"aliases": [
				"Aurora Panda",
				"Group 8",
				"Heart Typhoon",
				"Hidden Lynx",
				"Operation SMN"
			],
			"source_name": "ETDA:Hidden Lynx",
			"tools": [
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"BlackCoffee",
				"HiKit",
				"MCRAT.A",
				"Mdmbot.E",
				"Moudoor",
				"Naid",
				"PNGRAT",
				"Trojan.Naid",
				"ZoxPNG",
				"gresim"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434242,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/36901f0ed88b230bb7dd330fe05fb1d160902292.pdf",
		"text": "https://archive.orkl.eu/36901f0ed88b230bb7dd330fe05fb1d160902292.txt",
		"img": "https://archive.orkl.eu/36901f0ed88b230bb7dd330fe05fb1d160902292.jpg"
	}
}