{
	"id": "9539a306-891d-4170-b950-aae608caf928",
	"created_at": "2026-04-06T00:14:02.876579Z",
	"updated_at": "2026-04-10T03:37:19.264768Z",
	"deleted_at": null,
	"sha1_hash": "39701c74a0b3d35c19f7b4088afeee9b5824cbfc",
	"title": "IT threat evolution Q2 2020",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2360369,
	"plain_text": "IT threat evolution Q2 2020\r\nBy David Emm\r\nPublished: 2020-09-03 · Archived: 2026-04-05 13:25:18 UTC\r\nIT threat evolution Q2 2020. PC statistics\r\nIT threat evolution Q2 2020. Mobile statistics\r\nTargeted attacks\r\nPhantomLance: hiding in plain sight\r\nIn April, we reported the results of our investigation into a mobile spyware campaign that we call\r\n‘PhantomLance’. The campaign involved a backdoor Trojan that the attackers distributed via dozens of apps in\r\nGoogle Play and elsewhere.\r\nDr Web first reported the malware in July 2019, but we decided to investigate because the Trojan was more\r\nsophisticated than most malware for stealing money or displaying ads. The spyware is able to gather geo-location\r\nhttps://securelist.com/it-threat-evolution-q2-2020/98230\r\nPage 1 of 18\n\ndata, call logs and contacts; and can monitor SMS activity. The malware can also collect information about the\r\ndevice and the apps installed on it.\r\nThe earliest registered PhantomLance domain we found dates back to December 2015. We found dozens of related\r\nsamples that had been appearing in the wild since 2016 and one of the latest samples was published in November\r\nlast year. We informed Google about the malware, and Google removed it soon after. We observed around 300\r\nattacks targeting specific Android devices, mainly in Southeast Asia.\r\nDuring our investigation, we discovered various overlaps with reported OceanLotus APT campaigns, including\r\ncode similarities with a previous Android campaign, as well as macOS backdoors, infrastructure overlaps with\r\nWindows backdoors and a few cross-platform characteristics.\r\nNaikon’s Aria\r\nThe Naikon APT is a well-established threat actor in the APAC region. Kaspersky first reported and then fully\r\ndescribed the group in 2015. 
Even when the group shut down much of its successful offensive activity, Naikon maintained several splinter campaigns.\r\nResearchers at Check Point recently published their write-up on Naikon resources and activities related to “Aria-Body”, which we detected in 2017 and reported in 2018. To supplement their research findings, we published a summary of our June 2018 report, “Naikon’s New AR Backdoor Deployment to Southeast Asia”, which aligns with the Check Point report.\r\nAR is a set of backdoors with compilation dates between January 2017 and February 2018. Much of this code operates in memory, injected by other loader components without touching disk, making it very difficult to detect. We trace portions of this codebase back to “xsFunction” EXE and DLL modules used in Naikon operations going back to 2012. It’s probable that the new backdoor, and related activity, is an extension of, or a merger with, the group’s “Paradir Operation”. In the past, the group targeted communications and sensitive information from executive and legislative offices, law enforcement, government administrative, military and intelligence organizations within Southeast Asia. In many cases we have seen that these systems had also previously been targeted with PlugX and other malware.\r\nThe group has evolved since 2015, although it continues to focus on the same targets. We identified at least half a dozen individual variants from 2017 and 2018.\r\nYou can read our report here.\r\nCOMpfun authors spoof visa application with HTTP status-based Trojan\r\nLast October, we observed malware that we call Reductor, with strong code similarities to COMpfun, which infected files on the fly to compromise TLS traffic. The attackers behind Reductor have continued to develop their code. 
More recently, the Kaspersky Threat Attribution Engine revealed a new Trojan with strong code similarities to COMpfun.\r\nThe new malware, like its predecessor, targeted diplomatic bodies in Europe. To lure their victims, the attackers used spoofed visa applications containing malware that acts as a first-stage dropper. This in turn downloads the main payload, which logs the target’s location, gathers host- and network-related data, performs keylogging and takes screenshots. The Trojan also monitors USB devices and can infect them in order to spread further, and receives commands from the C2 server in the form of HTTP status codes.\r\nIt’s not entirely clear which threat actor is behind COMpfun. However, based mostly on the victims targeted by the malware, we associate it, with medium-to-low confidence, with the Turla APT.\r\nMind the [air] gap\r\nIn June, we published our report on the latest tools and TTPs (Tactics, Techniques and Procedures) of Cycldek (aka Goblin Panda, APT 27 and Conimes), a threat actor that has targeted governments in Southeast Asia since 2013.\r\nMost of the attacks we have seen since 2018 start with phishing emails that contain politically themed, booby-trapped RTF documents that exploit known vulnerabilities. Once the target computer has been compromised, the attackers install malware called NewCore RAT. There are two variants. The first, BlueCore, appears to have been deployed against diplomatic and government targets in Vietnam; while the second, RedCore, was first deployed in Vietnam before being found in Laos.\r\nBoth variants download additional tools, including a custom backdoor, a tool for stealing cookies and a tool that steals passwords from Chromium-based browser databases. The most striking of these tools is USBCulprit, which relies on USB media to exfiltrate data from victims’ computers. 
This may suggest that Cycldek is trying to reach air-gapped networks in compromised environments or relies on a physical presence for the same purpose. The malware is implanted as a side-loaded DLL of legitimate, signed applications.\r\nLooking at big threats using code similarity\r\nIn June, we announced the release of KTAE (Kaspersky Threat Attribution Engine). KTAE was initially developed as an internal threat hunting tool by the Global Research and Analysis Team at Kaspersky and was instrumental in our investigations into the LightSpy, TajMahal, Dtrack, ShadowHammer and ShadowPad campaigns.\r\nHere’s how it works in a nutshell. We extract from a suspicious file something that we call ‘genotypes’ – short fragments of code selected using our proprietary algorithm – and compare them with more than 60,000 objects from targeted attacks in our database, using a wide range of characteristics. Based on the code similarities, KTAE calculates a reputational score and highlights the possible origin and author, with a short description and links to both private and public resources, outlining the previous campaigns.\r\nSubscribers to our APT intelligence reports can see a dedicated report on the TTPs used by the identified threat actor, as well as further response steps.\r\nKTAE is designed to be deployed on a customer’s network, with updates provided via USB, to ensure confidentiality. In addition to the threat intelligence available ‘out of the box’, customers can create their own database and fill it with malware samples found by in-house analysts. In this way, KTAE will learn to attribute malware analogous to those in the customer’s database while keeping this information confidential. 
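The fragment-comparison idea described above, as an added toy example that is not KTAE’s code and does not use its proprietary selection algorithm: here a ‘genotype’ is simply every 8-byte window of a sample, the three actor samples are constructed byte strings rather than real malware, and Jaccard similarity over the fragment sets stands in for the reputational score. The sample under analysis is an ActorA build into which twelve bytes of ActorB code have been planted, which is enough to make ActorB appear in the ranking; that is the false-flag problem the next paragraph warns about.

```python
# Added example (not KTAE or any Kaspersky code): fragment-based code similarity.
# Assumptions for illustration: a 'genotype' is every FRAGMENT_LEN-byte window of
# a sample, and the actor samples are constructed byte strings, not real malware.
FRAGMENT_LEN = 8

def genotypes(code, n=FRAGMENT_LEN):
    '''Set of distinct n-byte fragments found in the sample.'''
    return {code[i:i + n] for i in range(len(code) - n + 1)}

def jaccard(a, b):
    '''Share of fragments common to two fragment sets (0.0 to 1.0).'''
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def rank_by_similarity(sample, corpus, min_score=0.1):
    '''Compare `sample` with every known sample of every actor in `corpus` and
    return [(actor, best_score, shared_fragments)] sorted best first, dropping
    actors whose best score is below `min_score`.'''
    g = genotypes(sample)
    ranked = []
    for actor, known_samples in corpus.items():
        best, shared = 0.0, 0
        for known in known_samples:
            kg = genotypes(known)
            score = jaccard(g, kg)
            if score > best:
                best, shared = score, len(g & kg)
        if best >= min_score:
            ranked.append((actor, round(best, 3), shared))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked

# Constructed 'known' samples: short x86-style byte sequences standing in for
# real code, one per fictional actor.
ACTOR_A_LOADER = bytes.fromhex('5589e583ec10c745fc000000008b45fc83c0018945fc')
ACTOR_B_BACKDOOR = bytes.fromhex('4883ec28488d0d00000000e800000000b801000000c3')
ACTOR_C_DROPPER = bytes.fromhex('4d5a90000300000004000000ffff0000b800000000000000')
CORPUS = {
    'ActorA': [ACTOR_A_LOADER],
    'ActorB': [ACTOR_B_BACKDOOR],
    'ActorC': [ACTOR_C_DROPPER],
}

# The sample under analysis: an ActorA build with 12 bytes of ActorB code planted
# in it, the kind of false flag that makes a second actor show up in the ranking.
NEW_SAMPLE = ACTOR_A_LOADER + ACTOR_B_BACKDOOR[:12]

if __name__ == '__main__':
    for actor, score, shared in rank_by_similarity(NEW_SAMPLE, CORPUS):
        print(actor, score, shared)
```

ActorA ranks first (15 shared fragments), ActorB still appears on the strength of the five planted windows, and ActorC, which shares nothing, is dropped. A real engine has to do better than raw windows: library and compiler boilerplate would otherwise link unrelated samples, and a planted fragment is cheap for an adversary who wants a particular actor to show up.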
There’s also an API (application programming interface) to connect the engine to other systems, including a third-party SOC (security operations center).\r\nCode similarity can only provide pointers; and attackers can set false flags that can trick even the most advanced threat hunting tools – the ‘attribution hell’ surrounding Olympic Destroyer provided an object lesson in how this can happen. The purpose of tools such as KTAE is to point experts in the right direction and to test likely scenarios.\r\nYou can find out more about the development of KTAE in this post by Costin Raiu, Director of the Global Research and Analysis Team, and in this product demonstration.\r\nSixLittleMonkeys\r\nEarlier this year, we observed a Trojan injected into the spooler system process memory of a computer belonging to a diplomatic body. The malware is implemented like an API using an enterprise-grade programming style – something that is quite rare and is mostly used by advanced threat actors. We attribute this campaign to a threat actor called SixLittleMonkeys (aka Microcin) because of the re-use of C2 infrastructure, code similarities and focus on diplomatic targets in Central Asia.\r\nThis threat actor uses steganography to deliver malicious modules and configuration data from a legitimate public resource, in this case the public image hosting service cloudinary.com.\r\nYou can read our full report here.\r\nOther malware\r\nLoncom packer: from backdoors to Cobalt Strike\r\nIn March, we reported the distribution of Mokes and Buerak malware under the guise of a security certificate update. Following publication of that report, we conducted a detailed analysis of the malware associated with this campaign. 
All of the malware uses the legitimate NSIS (Nullsoft Scriptable Install System) installer framework for packing and loading shellcode, and the Microsoft Crypto API for decrypting the final payload.\r\nBesides Mokes and Buerak, which we mentioned in the previous article, we noticed packed specimens of DarkVNC and Sodin (aka REvil and Sodinokibi). The former is a backdoor used to control an infected machine via the VNC protocol; the latter is a ransomware family. However, the most striking find was the Cobalt Strike utility, which is used both by legitimate penetration testers and by various APT groups. The command center of the sample that contained Cobalt Strike had previously been seen distributing CactusTorch, a utility for running shellcode present in Cobalt Strike modules, and the same Cobalt Strike packed with a different packer.\r\nxHelper: the Trojan matryoshka\r\nThe xHelper Trojan remains as active as ever. The most notable feature of this Trojan is its persistence on an Android device: once it gets onto a phone, it’s able to survive even if it’s deleted or the device is restored to factory settings.\r\nThe architecture of the latest version resembles a Russian nesting doll (or ‘matryoshka’). The infection starts by tricking a victim into downloading a fake app – in the case of the version we analyzed, an app that masquerades as a popular cleaner and speed-up utility. Following installation, it is listed as an installed app in the system settings, but otherwise disappears from the victim’s view – there’s no icon and it doesn’t show up in search results. The payload, which is decrypted in the background, fingerprints the victim’s phone and sends the data to a remote server. It then unpacks a dropper-within-a-dropper-within-a-dropper (hence the matryoshka analogy). The malicious files are stored sequentially in the app’s data folder, to which other programs do not have access. 
This lets the malware authors cover their tracks and reuse malicious modules that security solutions already know, because other apps cannot inspect that folder.\r\nThe final downloader in the sequence, called Leech, is responsible for installing the Triada Trojan, whose chief feature is a set of exploits for obtaining root privileges on the victim’s device. This allows the Trojan to install malicious files directly in the system partition. Normally this is mounted at system startup and is read-only. However, once the Trojan has obtained root access, it remounts the system partition in write mode and modifies the system such that the user is unable to remove the malicious files, even after a factory reset.\r\nSimply deleting xHelper isn’t enough to clean the device. If you have ‘recovery’ mode set up on the device, you can try to extract the ‘libc.so’ file from the original firmware and replace the infected one with it, before removing all malware from the system partition. However, it’s simpler and more reliable to completely re-flash the phone. If the firmware of the device contains pre-installed malware capable of downloading and installing programs, even re-flashing will be pointless. In that case, it’s worth considering an alternative firmware for the device.\r\nSpike in RDP brute-force attacks\r\nThe huge increase in remote working due to the COVID-19 pandemic has had a direct impact on cybersecurity and the threat landscape. Alongside the higher volume of corporate traffic, the use of third-party services for data exchange and employees working on home computers, IT security teams also have to grapple with the increased use of remote access tools, including Microsoft RDP (Remote Desktop Protocol).\r\nRDP, used to connect remotely to someone else’s desktop, is used by telecommuters and IT support staff to troubleshoot problems. 
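What the brute-force attempts this section goes on to quantify look like from the defender’s side, as an added example that is not part of the original post: a small detector run over constructed Windows Security log failed-logon events (Event ID 4625). The CSV layout (timestamp, event ID, logon type, target user, source IP) is an assumed export format, the addresses and user names are made up, and the 60-second window and five-failure threshold are arbitrary starting values. Logon type 10 is RemoteInteractive (a classic RDP logon); with NLA enabled the failed pre-authentication is recorded with logon type 3 (Network) instead, so both are counted.

```python
# Added example (not from the original post): flag RDP password brute-forcing in
# Windows Security log failed-logon events (Event ID 4625). The CSV layout
# timestamp,event_id,logon_type,target_user,source_ip is an assumed export
# format and every line below is constructed. Logon type 10 = RemoteInteractive
# (RDP); with NLA enabled a failed pre-authentication is logged as type 3
# (Network), so both are treated as RDP-relevant.
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {'3', '10'}

SAMPLE_EVENTS = '''
2020-03-02T10:00:01,4625,10,Administrator,203.0.113.7
2020-03-02T10:00:04,4625,10,admin,203.0.113.7
2020-03-02T10:00:07,4625,3,backup,203.0.113.7
2020-03-02T10:00:11,4625,3,sysadmin,203.0.113.7
2020-03-02T10:00:15,4625,10,test,203.0.113.7
2020-03-02T10:00:20,4625,10,Administrator,203.0.113.7
2020-03-02T10:02:30,4625,10,jsmith,198.51.100.9
2020-03-02T10:02:45,4625,10,jsmith,198.51.100.9
2020-03-02T10:03:00,4625,2,jsmith,198.51.100.9
2020-03-02T10:05:00,4625,3,Administrator,192.0.2.50
2020-03-02T10:07:00,4625,3,Administrator,192.0.2.50
2020-03-02T10:09:00,4625,3,Administrator,192.0.2.50
2020-03-02T10:11:00,4625,3,Administrator,192.0.2.50
2020-03-02T10:13:00,4625,3,Administrator,192.0.2.50
'''

def parse_events(text):
    '''Keep only failed logons (4625) of the RDP-relevant logon types.
    Returns [(timestamp, user, source_ip)] with user names lower-cased.'''
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, user, ip = line.strip().split(',')
        if event_id == '4625' and logon_type in RDP_LOGON_TYPES:
            events.append((datetime.fromisoformat(ts), user.lower(), ip))
    return events

def detect_bruteforce(events, window_seconds=60, threshold=5):
    '''Per source IP, find the largest number of failures inside any sliding
    window of window_seconds. Returns {ip: (peak, sorted distinct users)} for
    sources whose peak reaches threshold.'''
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, rows in by_ip.items():
        start, peak = 0, 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = (peak, sorted({user for _, user in rows}))
    return alerts

if __name__ == '__main__':
    events = parse_events(SAMPLE_EVENTS)
    print(detect_bruteforce(events))                       # fast attacker only
    print(detect_bruteforce(events, window_seconds=900))   # also the slow one
```

With the defaults only 203.0.113.7 is flagged: six failures in 19 seconds against five different accounts, which is the spray-style pattern behind the numbers quoted below. The source that fails once every two minutes against Administrator never has five failures inside a 60-second window and is only caught with a 15-minute window, so a low-and-slow attacker needs a longer window (or per-account counting across sources) to show up; the console-logon failure (type 2) is excluded as not RDP-related.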
A successful RDP attack provides a cybercriminal with remote access to the target computer with the same permissions as the user who owns it.\r\nIn the two months prior to our report (i.e. March and April), we observed a huge increase in attempts to brute-force passwords for RDP accounts. The numbers rose from 100,000 to 150,000 per day in January and February to nearly a million per day at the beginning of March.\r\nGrowth in the number of attacks by the Bruteforce.Generic.RDP family, February–April 2020\r\nSince attacks on remote infrastructure will undoubtedly continue, it’s important for anyone using RDP to protect their systems. This includes the following.\r\nUse strong passwords.\r\nMake RDP available only through a corporate VPN.\r\nUse NLA (Network Level Authentication).\r\nEnable two-factor authentication.\r\nIf you don’t use RDP, disable it and close port 3389.\r\nUse a reliable security solution.\r\nEven if you use a different remote access protocol, you shouldn’t relax. At the end of last year, Kaspersky experts found 37 vulnerabilities in various clients that connect via the VNC protocol, which, like RDP, is used for remote access.\r\nGaming during the COVID-19 pandemic\r\nOnline gamers face various threats, including malware in pirated copies, mods and cheats, phishing and other scams when buying or exchanging in-game items, and dangers associated with buying accounts.\r\nThe COVID-19 pandemic has led to a marked increase in player activity. For one thing, the sales of games have increased:\r\nGrowth in game sales in the week of March 16-22. 
Source: gamesindustry.biz\r\nThe amount of time spent playing has also increased:\r\nGrowth in time spent playing games. Source: gamesindustry.biz\r\nThis hasn’t gone unnoticed by cybercriminals. With the connection of work computers to home networks, and, conversely, the entry of home devices into work networks that are often poorly prepared for this, attacks on players are becoming not only a way to get to an individual user’s wallet but also a way to access the corporate infrastructure. Cybercriminals are actively hunting for vulnerabilities that they can exploit to compromise systems. For example, in the first five months of this year alone, the number of vulnerabilities discovered in Steam exceeded those discovered in any of the previous years.\r\nVulnerabilities discovered in Steam. Source: cve.mitre.org\r\nOf course, cybercriminals also exploit human vulnerabilities – hence the increase in phishing scams:\r\nAn increase in the number of hits on Steam-related phishing topics relative to February 2020. Source: KSN\r\nAnd the increase in detections on sites with names exploiting the theme of games:\r\nThe number of web attacks using game subjects during the period from January to May 2020. Source: KSN\r\nData from KSN (Kaspersky Security Network) indicate that attackers focus most on Minecraft, followed by CS:GO and Witcher:\r\nThe number of attacks using the theme of an online game, January-May 2020. 
Source: KSN\r\nYou can read more about this in our full report.\r\nRovnix bootkit back in business\r\nIn mid-April, our threat monitoring systems detected an attempt by cybercriminals to exploit the COVID-19 pandemic to distribute the Rovnix bootkit. The infected file, which has an EXE or RAR extension, is called (in Russian) ‘on the new initiative of the World Bank in connection with the coronavirus pandemic’. The file is a self-extracting archive that contains ‘easymule.exe’ and ‘1211.doc’.\r\nThe file includes the Rovnix bootkit.\r\nRovnix is well known and its source code was published some time ago. And there’s nothing new about cybercriminals exploiting the current pandemic to distribute malware. However, Rovnix has been updated with a UAC (User Account Control) bypass tool, allowing the malware to escalate its privileges without displaying a UAC prompt. It also uses DLL hijacking to camouflage itself in the system.\r\nThis version also delivers a loader that is unusual for this malware. Once the malware is installed, the C2 can send commands to control the infected computer, including recording sound from the microphone and sending the audio file to the cybercriminals, and turning off or restarting the computer.\r\nOur analysis of this version makes it clear that even well-known threats like Rovnix can throw up surprises when the source code goes public. Freed from the need to develop their own protection-bypassing tools from scratch, cybercriminals can pay more attention to the capabilities of their own malware and add their own ‘goodies’ to the source code – in this case, UAC bypass.\r\nYou can read our full analysis here.\r\nWeb skimming with Google Analytics\r\nWeb skimming is a common method of stealing the data of online shoppers. Cybercriminals inject malicious code into a target website to harvest the data entered by consumers. 
They gain access to the compromised site by brute-forcing an administrator account password, exploiting vulnerabilities in the CMS (content management system) or one of its third-party plugins, or by injecting malicious code into an incorrectly coded input form.\r\nOne way to prevent this is to try to block the exfiltration of the harvested data using a Content Security Policy (CSP) – an HTTP response header in which the site lists the origins its pages may load resources from and send data to (the connect-src directive governs requests made by scripts). If the service used by the cybercriminals is not listed in the header, the browser refuses the request and they will not be able to withdraw any information they harvest.\r\nSome attackers are using Google Analytics to work around this. Most online providers today carefully monitor visitor statistics; and the most convenient tool for doing this is Google Analytics. The service, which allows data collection based on many parameters, is currently used by around 29 million sites. So, there’s a strong likelihood that data transfer to Google Analytics is allowed in the CSP header of an online store. To collect website statistics, all you have to do is configure tracking parameters and add a tracking code to your pages. As far as the service is concerned, if you are able to add this code, you are the legitimate owner of the site. 
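How that allow-listing plays out in a policy check, as an added example rather than code from the original post: a minimal evaluator for the connect-src and img-src directives (the two channels a script can use to send a beacon), run against a constructed shop policy that permits Google Analytics and against a stricter one that does not. The tracking ID UA-000000-1, the host names and the harvested form values are all made up; the Measurement Protocol parameter names (v, tid, cid, t, ec, ea, el) are the real ones for a Universal Analytics event hit.

```python
# Added example (not from the original post): does a skimmer's beacon pass the
# shop's Content-Security-Policy? Policies, hosts and the tracking ID below are
# constructed. The matcher is deliberately minimal: hosts and schemes only, no
# ports, paths, nonces, hashes or http-to-https upgrades.
from urllib.parse import urlencode, urlsplit

QUOTE = chr(39)                   # CSP keywords such as 'self' are single-quoted
SELF = QUOTE + 'self' + QUOTE

def parse_csp(header):
    '''Split a CSP header into {directive: [source expressions]}.'''
    policy = {}
    for part in header.split(';'):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(expr, page_host, req_scheme, req_host):
    '''Does one source expression permit a request to req_scheme://req_host?'''
    expr = expr.lower()
    if expr == '*':
        return True
    if expr == SELF:
        return req_host == page_host
    if expr.endswith(':'):                     # scheme-source such as https:
        return req_scheme == expr[:-1]
    host = expr
    if '://' in expr:                          # scheme plus host
        scheme, host = expr.split('://', 1)
        if scheme != req_scheme:
            return False
    host = host.split('/')[0].split(':')[0]    # drop any path or port
    if host.startswith('*.'):
        return req_host.endswith(host[1:])
    return req_host == host

def request_allowed(csp_header, page_host, url, directive='connect-src'):
    '''True if the policy lets a page on page_host send a request to url via the
    given directive (connect-src for fetch/XHR/sendBeacon, img-src for a pixel).
    Falls back to default-src, and to allow-all when neither is present.'''
    policy = parse_csp(csp_header)
    sources = policy.get(directive, policy.get('default-src'))
    if sources is None:
        return True
    target = urlsplit(url)
    return any(source_matches(e, page_host, target.scheme, target.hostname)
               for e in sources)

def measurement_protocol_beacon(tracking_id, harvested):
    '''URL a skimmer would request: the stolen form values ride in the event
    label of an ordinary Universal Analytics Measurement Protocol event hit,
    credited to whatever tracking ID the attacker supplies.'''
    params = {'v': '1', 'tid': tracking_id, 'cid': '555', 't': 'event',
              'ec': 'checkout', 'ea': 'submit', 'el': harvested}
    return 'https://www.google-analytics.com/collect?' + urlencode(params)

# A typical shop policy: analytics is allowed everywhere it is normally needed.
SHOP_CSP = ('default-src ' + SELF + '; '
            'script-src ' + SELF + ' https://www.google-analytics.com; '
            'connect-src ' + SELF + ' https://www.google-analytics.com; '
            'img-src ' + SELF + ' https://www.google-analytics.com')
# A policy that does not list the analytics endpoint at all.
STRICT_CSP = 'default-src ' + SELF + '; img-src ' + SELF + ' https://cdn.shop.example'

if __name__ == '__main__':
    beacon = measurement_protocol_beacon('UA-000000-1', 'card=4111111111111111;exp=12/24')
    print(beacon)
    for name, csp in (('shop', SHOP_CSP), ('strict', STRICT_CSP)):
        print(name, request_allowed(csp, 'shop.example', beacon),
              request_allowed(csp, 'shop.example', beacon, 'img-src'))
```

Under the shop policy the beacon is allowed on both channels while a request to an unlisted host is refused, which is exactly the check CSP is meant to provide; the evaluator has no way to tell the attacker’s tid from the shop’s own, so once www.google-analytics.com is listed the policy cannot stop this exfiltration path. The strict policy blocks it, at the price of breaking legitimate analytics.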
So, the malicious script injected by the attacker can collect user data and then, using a tracking ID from the attacker’s own account, send it through the Google Analytics Measurement Protocol directly to that account.\r\nTo prevent these issues, webmasters should do the following:\r\nAdopt a strict CMS access policy that restricts user rights to a minimum.\r\nInstall CMS components from trusted sources only.\r\nCreate strong passwords for all administrator accounts.\r\nApply updates to all software.\r\nFilter user-entered data and query parameters, to prevent third-party code injection.\r\nFor e-commerce sites, use PCI DSS-compliant payment gateways.\r\nConsumers should use a reliable security solution – one that detects malicious scripts on payment sites.\r\nYou can read more about this method here.\r\nThe Magnitude Exploit Kit\r\nExploit kits are not as widespread as they used to be. In the past, they sought to exploit vulnerabilities that had already been patched. However, newer and more secure web browsers with automatic updates simply prevent this. The decline in the use of Adobe Flash Player has also reduced the opportunities for cybercriminals. Adobe Flash Player is a browser plug-in: so even if the browser was up-to-date, there was a possibility that Adobe Flash was still vulnerable to known exploits. The end of life date for Adobe Flash is fast approaching. It is disabled by default in all web browsers and has pretty much been replaced with open standards such as HTML5, WebGL and WebAssembly.\r\nNevertheless, exploit kits have not disappeared completely. They have adapted and switched to target people running Internet Explorer who haven’t installed the latest security updates.\r\nAlthough Edge replaced Internet Explorer as the default web browser with the release of Windows 10, Internet Explorer is still installed for backward compatibility on machines running Windows 10; and has remained the default web browser for Windows 7, 8 and 8.1. 
The switch to Microsoft Edge development also meant that Internet Explorer would no longer be actively developed and would only receive vulnerability patches without general security improvements. Notwithstanding this, Internet Explorer remains a relatively popular web browser. According to NetMarketShare, as of April 2020, Internet Explorer is used on 5.45% of desktop computers (for comparison, Firefox accounts for 7.25%, Safari 3.94% and Edge 7.76%).\r\nInternet Explorer’s security is five years behind that of its modern counterparts, and on top of that it still supports a number of legacy script engines. CVE-2018-8174 is a vulnerability in the legacy VBScript engine that was originally discovered in the wild as an exploited zero-day. The majority of exploit kits quickly adopted it as their primary exploit. Since its discovery, a few more vulnerabilities for Internet Explorer have been discovered as in-the-wild zero-days – CVE-2018-8653, CVE-2019-1367, CVE-2019-1429 and CVE-2020-0674. All of them exploited another legacy component of Internet Explorer – the JScript engine. It felt like it was just a matter of time until exploit kits adopted these new exploits.\r\nExploit kits still play a role in today’s threat landscape and continue to evolve. We recently analyzed the evolution of one of the most sophisticated exploit kits out there – the Magnitude Exploit Kit – for a whole year. We discovered that this exploit kit continues to deliver ransomware to Asia Pacific (APAC) countries via malvertising. Study of the exploit kit’s activity over a period of 12 months showed that the Magnitude Exploit Kit is actively maintained and undergoes continuous development. In February this year, the exploit kit switched to an exploit for a more recent vulnerability in Internet Explorer – CVE-2019-1367 – originally discovered as an exploited zero-day in the wild. 
Magnitude Exploit Kit also uses a previously unknown elevation of privilege exploit for CVE-2018-8641, developed by a prolific exploit writer.\r\nYou can read more about our findings here.\r\nWhile the total volume of attacks performed using exploit kits has decreased, it’s clear that they still exist, remain active, and continue to pose a threat. Magnitude is not the only active exploit kit and we see other exploit kits that are also switching to newer exploits for Internet Explorer. We recommend that people install security updates, migrate to a supported operating system (and make sure you stay up-to-date with Windows 10 builds) and also replace Internet Explorer as their web browser.\r\nSource: https://securelist.com/it-threat-evolution-q2-2020/98230",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/it-threat-evolution-q2-2020/98230"
	],
	"report_names": [
		"98230"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3fad11c6-4336-4b28-a606-f510eca5452e",
			"created_at": "2022-10-25T16:07:24.346573Z",
			"updated_at": "2026-04-10T02:00:04.948823Z",
			"deleted_at": null,
			"main_name": "Turbine Panda",
			"aliases": [
				"APT 26",
				"Black Vine",
				"Bronze Express",
				"Group 13",
				"JerseyMikes",
				"KungFu Kittens",
				"PinkPanther",
				"Shell Crew",
				"Taffeta Typhoon",
				"Turbine Panda",
				"WebMasters"
			],
			"source_name": "ETDA:Turbine Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Hurix",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mivast",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"Sogu",
				"StreamEx",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon",
				"ffrat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32",
			"created_at": "2023-04-20T02:01:50.979595Z",
			"updated_at": "2026-04-10T02:00:02.913011Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"BRONZE STERLING",
				"G0013",
				"PLA Unit 78020",
				"OVERRIDE PANDA",
				"Camerashy",
				"BRONZE GENEVA",
				"G0019",
				"Naikon"
			],
			"source_name": "MISPGALAXY:Naikon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3c7097f4-849b-4bc0-a7e6-ba2b510722b6",
			"created_at": "2022-10-25T16:07:23.869951Z",
			"updated_at": "2026-04-10T02:00:04.766204Z",
			"deleted_at": null,
			"main_name": "Mikroceen",
			"aliases": [
				"SixLittleMonkeys"
			],
			"source_name": "ETDA:Mikroceen",
			"tools": [
				"AngryRebel",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Microcin",
				"Mikroceen",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"PCRat",
				"logon.dll",
				"logsupport.dll",
				"pcaudit.bat",
				"sqllauncher.dll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e79c98d-c678-4f28-b869-5723a78e71f4",
			"created_at": "2023-01-06T13:46:39.422441Z",
			"updated_at": "2026-04-10T02:00:03.322083Z",
			"deleted_at": null,
			"main_name": "Vicious Panda",
			"aliases": [
				"SixLittleMonkeys"
			],
			"source_name": "MISPGALAXY:Vicious Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf",
			"created_at": "2022-10-25T15:50:23.31611Z",
			"updated_at": "2026-04-10T02:00:05.370146Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"Naikon"
			],
			"source_name": "MITRE:Naikon",
			"tools": [
				"ftp",
				"netsh",
				"WinMM",
				"Systeminfo",
				"RainyDay",
				"RARSTONE",
				"HDoor",
				"Sys10",
				"SslMM",
				"PsExec",
				"Tasklist",
				"Aria-body"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62",
			"created_at": "2025-08-07T02:03:24.604463Z",
			"updated_at": "2026-04-10T02:00:03.798481Z",
			"deleted_at": null,
			"main_name": "BRONZE GENEVA",
			"aliases": [
				"APT30 ",
				"BRONZE STERLING ",
				"CTG-5326 ",
				"Naikon ",
				"Override Panda ",
				"RADIUM ",
				"Raspberry Typhoon"
			],
			"source_name": "Secureworks:BRONZE GENEVA",
			"tools": [
				"Lecna Downloader",
				"Nebulae",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434442,
	"ts_updated_at": 1775792239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/39701c74a0b3d35c19f7b4088afeee9b5824cbfc.pdf",
		"text": "https://archive.orkl.eu/39701c74a0b3d35c19f7b4088afeee9b5824cbfc.txt",
		"img": "https://archive.orkl.eu/39701c74a0b3d35c19f7b4088afeee9b5824cbfc.jpg"
	}
}