{
	"id": "d0d5abc6-f6ec-4fd8-916b-e8a1e9dfc26d",
	"created_at": "2026-04-06T00:20:54.941129Z",
	"updated_at": "2026-04-10T13:12:41.669712Z",
	"deleted_at": null,
	"sha1_hash": "3a252430bcb61f4ad5e4065f398046be8d4a0171",
	"title": "Two Birds, One STONE PANDA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8179448,
	"plain_text": "Two Birds, One STONE PANDA\r\nBy kozy\r\nArchived: 2026-04-05 13:25:40 UTC\r\nIntroduction\r\nIn April 2017, a previously unknown group calling itself IntrusionTruth began releasing blog posts detailing individuals\r\nbelieved to be associated with major Chinese intrusion campaigns. Although the group’s exact motives remain unclear, its\r\ninitial tranche of information exposed individuals connected to long-running GOTHIC PANDA (APT3) operations,\r\nculminating in a connection to the Chinese firm Boyusec (博御信息) and, ultimately, Chinese Ministry of State Security\r\n(MSS) entities in Guangzhou. Recently, in July and August 2018, IntrusionTruth has returned with new reporting regarding\r\nactors with ties to historic STONE PANDA (APT10) activity and has ultimately associated them with the MSS Tianjin\r\nBureau (天津市国家安全局). Though CrowdStrike® Falcon Intelligence™ is currently unable to confirm all of the details\r\nprovided in these most recent posts with a high degree of confidence, several key pieces of information can be verified.\r\nSeveral of the named individuals have been active registering domains as recently as June 2018, and they responded\r\nto the IntrusionTruth blog posts by scrubbing their social media or by following IntrusionTruth’s Twitter account.\r\nNamed individuals ZHANG Shilong and GAO Qiang have significant connections to known Chinese hacking\r\nforums, and they have sourced tools currently in use by China-based cyber adversaries.\r\nZHANG has registered several sites with overlapping registrant details that show both his affiliation with several\r\nphysical technology firm addresses as well as his residence in Tianjin.\r\nNamed firm Huaying Haitai has been connected to a Chinese Ministry of Industry and Information Technology\r\n(MIIT) sponsored attack and defense competition; this is similar to GOTHIC PANDA’s ties to an active defense lab\r\nsponsored by China Information Technology Evaluation Center (CNITSEC).\r\nHuaying 
Haitai has previously hired Chinese students with Japanese language skills; this is significant, as STONE\r\nPANDA has engaged in several campaigns targeting Japanese firms.\r\nThe MSS Tianjin Bureau is confirmed to be located at the described address, not far from many of the registrant\r\naddresses listed by ZHANG as well as the firms GAO was likely recruiting for.\r\nMore details that may further illuminate these findings and provide higher confidence in connecting STONE PANDA to\r\nthe MSS Tianjin Bureau are likely to emerge.\r\nBackground\r\nThroughout May 2017, using a variety of historical information and open-source intelligence (OSINT), IntrusionTruth\r\nreleased several blog posts identifying a number of individuals connected to Boyusec. Though CrowdStrike's Threat Intelligence\r\nteam had suspected GOTHIC PANDA was an MSS contractor for several years, the IntrusionTruth posts and subsequent\r\nresearch by Recorded Future into MSS ties to the China Information Technology Evaluation Center (CNITSEC/中国信息安全测评中心) corroborated additional details from various sources and provided a higher degree of confidence. Confidence\r\nin these findings was further boosted when the U.S. Department of Justice named Boyusec and several of the described\r\nindividuals in an indictment, and described GOTHIC PANDA tactics, techniques, and procedures (TTPs) in detail.\r\nCrowdStrike Falcon® Intelligence was able to independently verify the majority of this information and concluded that not\r\nonly is CNITSEC associated with the MSS, but its former director WU Shizhong (吴世忠) was simultaneously dual-hatted\r\nas the director of the MSS Technology/13th Bureau (国家安全部科技局局长)1 2 3, implying that the MSS plays a crucial\r\nrole in China’s code review of foreign products and is now able to cherry-pick high-value vulnerabilities from its own\r\ncapable domestic bug hunting teams. 
CNITSEC’s role in code review for foreign entities has led to its access to Microsoft’s\r\nsource code dating back to 2003 and the use by KRYPTONITE PANDA of a high-value vulnerability (CVE-2018-0802),\r\ndiscovered by Chinese firm Qihoo 360, a month before it was publicly revealed.\r\nhttps://www.crowdstrike.com/blog/two-birds-one-stone-panda/\r\nPage 1 of 7\n\nWU Shizhong\r\nPresenting on the “Digital Silk Road” at the Second Wuzhen World Internet Conference in 2015\r\nAs research into the IntrusionTruth leads on STONE PANDA continues, Falcon Intelligence has already observed some\r\nconsistencies with known MSS operations.\r\nSinking Like a STONE\r\nGAO Qiang (高/郜 强)\r\nMany of the personal details for GAO were scrubbed shortly after IntrusionTruth’s post introducing him went live, including\r\nhis Tencent QQ account. The blog connects him to the moniker fisherxp via an initial spear-phishing campaign from 2010 previously attributed to STONE PANDA. Multiple sites with profile pictures appear to show\r\nthe owner of the fisherxp accounts, though this has yet to be independently confirmed as GAO. Fisherxp’s QQ shows his\r\nalternate username as 肥猪 or “big porker”. IntrusionTruth later links GAO to several documented Uber rides to the MSS\r\nTianjin Bureau’s office address where both his first name, Qiang/强, and 猪 are used by the app to identify him and tie him\r\nto the QQ number 420192. CrowdStrike cannot confirm the validity of these Uber receipts at this time. 
However, fisherxp’s\r\naccount on popular Chinese technology forum 51CTO is still active and shows that he has downloaded not only the DarkComet RAT and numerous password cracking tools, but more importantly, several favorite tools used by a\r\nplethora of known Chinese cyber adversaries including Gh0st RAT 3.6, zxarps (an ARP-spoofing tool by legacy hacker\r\nLZX), and lcx.exe (a port-forwarding tool by legacy hacker LCX)4.\r\nZHANG Shilong (张世龙)\r\nZHANG was originally introduced by IntrusionTruth as a reciprocal follower of fisherxp’s Twitter account via his own\r\n@baobeilong account. Baobeilong (宝贝龙/”Baby Dragon”) also maintained a GitHub account that had forked both the\r\nQuasar and Trochilus RATs, two open-source tools historically used by STONE PANDA, but\r\nthe account has since been scrubbed. This information was verified by CrowdStrike before it was removed completely.\r\nFalcon Intelligence recently and independently conducted detailed analysis of the RedLeaves malware used to target numerous\r\nJapanese defense groups and found it was directly sourced from Trochilus code, but it has undergone several evolutions and\r\ncontains prefixes suggesting it could also be used to target Russia and the DPRK. There is no conclusive evidence at this\r\ntime that RedLeaves is solely attributable to STONE PANDA. Baobeilong did maintain a Flickr account with numerous\r\npictures that proved key in identifying his location later, similar to how cpyy’s photos helped identify his affiliation with the\r\nPeople’s Liberation Army (PLA) in CrowdStrike’s PUTTER PANDA report. IntrusionTruth then drew connections from\r\nbaobeilong’s other online accounts to registrant details for xiaohong\u003c.\u003eorg, which dated back to 2007 and revealed\r\nZHANG’s full name—ZHANG Shilong. 
From there, a trail of overlapping registrant details reveals ZHANG’s hanzi\r\ncharacters for his name (张世龙), likely one of his personal home addresses, potential work addresses and several email\r\naddresses:\r\nlong@xiaohong\u003c.\u003eorg\r\nbaobei@xiaohong\u003c.\u003eorg\r\natreexp@yahoo\u003c.\u003ecom.cn\r\nrobin4700@foxmail\u003c.\u003ecom\r\neshilong@vip.qq\u003c.\u003ecom\r\nSpecifically tracing registrant details from atreexp → robin4700 → eshilong shows that ZHANG was active registering sites\r\nas recently as June 5, 2018, including a personal blog where his picture and name feature prominently along with several\r\ntechnology-related blog posts.\r\nA picture from baobeilong’s Flickr account shows a fire at the Tianjin Medical Center 120\r\nLaoying Baichen Instruments\r\nThe original blog post on GAO lists his contact information in recruitment postings for two separate companies, one of\r\nwhich is Laoying Baichen Instruments (characters unknown at the time of this writing). No records could be found for such\r\na firm; however, IntrusionTruth lists the address associated with it as Room 1102, Guanfu Mansion, 46 Xinkai Road,\r\nHedong District, Tianjin (天津市河东区新开路46号冠福大厦1102). During the course of investigating Laoying and the\r\nGuanfu Mansion, Falcon Intelligence noticed that the Guanfu Mansion is also the registered address of a firm called Tianjin\r\nHenglide Technology Co., Ltd. (恒利德天津科技有限公司), which is listed as one of only a few “review centers” certified\r\nby CNITSEC in Tianjin5. Laoying and Henglide are listed as being on different floors; however, having a CNITSEC review\r\ncenter in the same building is noteworthy given CNITSEC’s connection to the MSS and previous linkage to Boyusec/GOTHIC\r\nPANDA.\r\nZhang is believed to have taken the photo of the fire from the Wanchan Meizhuan Mansion. 
This is relatively close to both\r\nthe Yuyang Complex (one of Zhang’s listed registrant addresses) and the Guanfu Mansion, Laoying Baichen’s listed address.\r\nTianjin Huaying Haitai Science and Technology Development Company\r\nThe other firm GAO appears to have been recruiting for is Huaying Haitai (天津华盈海泰科技发展有限公司). As the\r\nIntrusionTruth blog post mentions, it is a registered firm with two listed representatives, Fang Ting (方亭) and Sun Lei (孙杰), and a listed address of 1906 Fuyu Mansion (天津市河西区解放南路中段西侧富裕大厦1-1906). Searches for more\r\ninformation on Huaying Haitai turned up two interesting government documents. One is a recruitment Excel sheet detailing\r\nrecent graduates, their majors and their new employers and addresses. Huaying Haitai is listed as having hired a recently\r\ngraduated female student from Nankai University in 2013 who majored in Japanese. This is interesting considering STONE\r\nPANDA’s extensive targeting of Japanese defense firms after this time period, but it is by no means conclusive evidence that\r\nthe firm is connected to STONE PANDA.\r\nThe second government document lists Huaying Haitai as the co-organizer of a Network Security Attack and Defense\r\ncompetition with the Ministry of Industry and Information Technology’s (MIIT) national training entity, NSACE6. It was\r\nopen to all students of Henan Province. NSACE appears to be a national education body that teaches network information\r\nsecurity, including offensive activity7. 
This information is particularly interesting given Boyusec’s previous work at\r\nCNITSEC’s Guangdong subsidiary setting up a joint active defense lab8.\r\nIt suggests that these technology firms act as both shell companies and recruitment grounds for potential MSS use in cyber\r\noperations.\r\nMSS Tianjin Bureau\r\nThe most recent IntrusionTruth post assesses that GAO’s Uber rides frequently took him from Huaying’s address at the Fuyu\r\nMansion to 85 Zhujiang Road (珠江道85号).\r\nWhen observed closely, the compound is a striking one, complete with towers, a fenced perimeter with surveillance cameras,\r\nguarded entrances, and a building with a significant number of satellite dishes.\r\nThere are no markers on the building and no government-listed address; locals apparently also find it difficult to\r\ndetermine where the Tianjin Bureau is located. There are several Baidu questions asking what transportation\r\nroutes are best to get to that specific address. Three separate ones specifically mention the 85 Zhujiang Road address as the\r\nheadquarters of the MSS’s Tianjin Bureau and the difficulty in finding its location9 10 11.\r\nSatellite arrays are often indicative of installations with significant signals\r\nintelligence (SIGINT) capabilities. 
The Tianjin Bureau appears to have the potential for such capabilities, housing several\r\nlarge arrays that appear to have existed since at least January 2004.\r\nBarely visible satellite dishes from the street view of 85 Zhujiang Road outside the compound\r\nConclusion\r\nThere are still significant intelligence gaps that prevent Falcon Intelligence from making an assessment about STONE\r\nPANDA’s potential connections to the MSS Tianjin Bureau with a high degree of confidence. However, additional\r\ninformation is likely to materialize either directly from IntrusionTruth or from other firms in the infosec community who are\r\nundoubtedly looking at this material as well and may have unique insight of their own. Ultimately, IntrusionTruth’s prior\r\nreleases on GOTHIC PANDA proved accurate and led to a U.S. Department of Justice indictment resulting in the\r\ndismantling of Boyusec. From their latest post, which contains GAO’s Uber receipts, it is clear the group’s information\r\nlikely goes beyond merely available OSINT data. It cannot be ignored that there are striking similarities between the entities\r\nassociated with GOTHIC PANDA and the actors and firms mentioned in the blogs about STONE PANDA. In addition,\r\nFalcon Intelligence notes that following the brief late-2015 Sino-U.S. cyber detente, much of the responsibility for western\r\ncyber intrusion operations was handed to the MSS as the PLA underwent an extensive reform that is still\r\nunderway and which is consolidating its military cyber forces under the Strategic Support Force. Though the detente saw an\r\ninitial drop in Chinese intrusion activity, it has steadily been increasing over the past several years, with a majority of the\r\nintrusions into western firms being conducted by suspected contractors. 
These adversaries are tracked by CrowdStrike as\r\nGOTHIC PANDA, STONE PANDA, WICKED PANDA, JUDGMENT PANDA, and KRYPTONITE PANDA. Many of\r\nthese adversaries have begun targeting supply chain and upstream providers to establish a potential platform for future\r\noperations and enable the collection of larger sets of data. While the APT1, PUTTER PANDA, and Operation CameraShy\r\nreports all exposed PLA units at a time when Chinese military hacking against western firms was rampant, the attention has\r\nnow swung toward identifying MSS contractors. The exposure of STONE PANDA as an MSS contractor would be another\r\nblow to China’s current cyber operations given STONE PANDA’s prolific targeting of a variety of sectors, and may prompt\r\nan additional U.S. investigation at a tenuous time for Sino-U.S. relations during an ongoing trade war. However, it is\r\nimportant to note that such public revelations often force these actors to cease operations, improve their operational security\r\n(OPSEC), and then return stronger than before. As such, CrowdStrike Falcon® Intelligence assesses that although Boyusec\r\nmay have shuttered, elements of GOTHIC PANDA are likely to still be active. The same is likely to be true for STONE\r\nPANDA following a period of silence.\r\nThe activities of STONE PANDA impact entities in the Aerospace \u0026 Defense, Government,\r\nHealthcare, Technology, Telecommunications Services of several nations. For more information on how to incorporate\r\nintelligence on threat actors like STONE PANDA into your security strategy, please visit the Falcon Intelligence product\r\npage.\r\nFootnotes\r\n1. http://kjbz.mca.gov\u003c.\u003ecn/article/mzbzhzcwj/201106/20110600157934.shtml\r\n2. http://bjgwql\u003c.\u003ecom/a/hezuojiaoliu/2011/0422/288.htm\r\n3. http://alumni.ecnu.edu\u003c.\u003ecn/s/328/t/528/3b/02/info80642.htm\r\n4. http://down.51cto\u003c.\u003ecom/424761/down/1/\r\n5. 
http://www.djbh\u003c.\u003enet/webdev/web/LevelTestOrgAction.do?p=nlbdLv3\u0026id=402885cb35d11a540135d168e41e000c\r\n6. http://rjzyjsxy.zzia.edu\u003c.\u003ecn/picture/article/25/27/01/6c8b24a143f9959a85301d4527f0/801f81cf-8f30-4aa4-8428-7f9d4e778e76.doc\r\n7. http://www.yingjiesheng\u003c.\u003ecom/job-001-607-536.html\r\n8. https://www.recordedfuture.com/chinese-mss-behind-apt3/\r\n9. https://zhidao.baidu\u003c.\u003ecom/question/1046720364336588899.html?fr=iks\u0026word=%CC%EC%BD%F2%CA%D0%D6%E9%BD%AD%B5%C085%BA%C5%CA%C7%CA%B2%C3%B4%B5%A5%CE%BB\r\n10. https://zhidao.baidu\u003c.\u003ecom/question/146035392.html?fr=iks\u0026word=%CC%EC%BD%F2%CA%D0%D6%E9%BD%AD%B5%C085%BA%C5%CA%C7%CA%B2%C3%B4%B5%A5%CE%BB\r\n11. https://zhidao.baidu\u003c.\u003ecom/question/223614321.html?fr=iks\u0026word=%CC%EC%BD%F2%CA%D0%D6%E9%BD%AD%B5%C085%BA%C5%CA%C7%CA%B2%C3%B4%B5%A5%CE%BB\r\nSource: https://www.crowdstrike.com/blog/two-birds-one-stone-panda/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/two-birds-one-stone-panda/"
	],
	"report_names": [
		"two-birds-one-stone-panda"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abd17060-62f6-4743-95e8-3f23c82cc229",
			"created_at": "2022-10-25T15:50:23.428772Z",
			"updated_at": "2026-04-10T02:00:05.365894Z",
			"deleted_at": null,
			"main_name": "Putter Panda",
			"aliases": [
				"Putter Panda",
				"APT2",
				"MSUpdater"
			],
			"source_name": "MITRE:Putter Panda",
			"tools": [
				"pngdowner",
				"3PARA RAT",
				"4H RAT",
				"httpclient"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "468b7acd-895c-4c93-b572-b42f4035b4d4",
			"created_at": "2023-01-06T13:46:38.265636Z",
			"updated_at": "2026-04-10T02:00:02.902436Z",
			"deleted_at": null,
			"main_name": "APT2",
			"aliases": [
				"MSUpdater",
				"4HCrew",
				"SearchFire",
				"TG-6952",
				"G0024",
				"PLA Unit 61486",
				"PUTTER PANDA"
			],
			"source_name": "MISPGALAXY:APT2",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "13354d3f-3f40-44ec-b42a-3cda18809005",
			"created_at": "2022-10-25T15:50:23.275272Z",
			"updated_at": "2026-04-10T02:00:05.36519Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"APT3",
				"Gothic Panda",
				"Pirpi",
				"UPS Team",
				"Buckeye",
				"Threat Group-0110",
				"TG-0110"
			],
			"source_name": "MITRE:APT3",
			"tools": [
				"OSInfo",
				"schtasks",
				"PlugX",
				"LaZagne",
				"SHOTPUT",
				"RemoteCMD"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32",
			"created_at": "2023-04-20T02:01:50.979595Z",
			"updated_at": "2026-04-10T02:00:02.913011Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"BRONZE STERLING",
				"G0013",
				"PLA Unit 78020",
				"OVERRIDE PANDA",
				"Camerashy",
				"BRONZE GENEVA",
				"G0019",
				"Naikon"
			],
			"source_name": "MISPGALAXY:Naikon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4b066585-3591-4ddd-b3cc-f4e19e0e00ef",
			"created_at": "2022-10-25T16:07:24.086915Z",
			"updated_at": "2026-04-10T02:00:04.862463Z",
			"deleted_at": null,
			"main_name": "Putter Panda",
			"aliases": [
				"4HCrew",
				"APT 2",
				"G0024",
				"Group 36",
				"Putter Panda",
				"SearchFire",
				"TG-6952"
			],
			"source_name": "ETDA:Putter Panda",
			"tools": [
				"3PARA RAT",
				"4H RAT",
				"4h_rat",
				"MSUpdater",
				"httpclient",
				"pngdowner"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c",
			"created_at": "2025-08-07T02:03:24.631402Z",
			"updated_at": "2026-04-10T02:00:03.608938Z",
			"deleted_at": null,
			"main_name": "BRONZE MAYFAIR",
			"aliases": [
				"APT3 ",
				"Gothic Panda ",
				"Pirpi",
				"TG-0110 ",
				"UPSTeam"
			],
			"source_name": "Secureworks:BRONZE MAYFAIR",
			"tools": [
				"Cookiecutter",
				"HUC Proxy Malware (Htran)",
				"Pirpi",
				"PlugX",
				"SplitVPN",
				"UPS",
				"ctt",
				"ctx"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dc7ee503-9494-4fb6-a678-440c68fd31d8",
			"created_at": "2022-10-25T16:07:23.349177Z",
			"updated_at": "2026-04-10T02:00:04.552639Z",
			"deleted_at": null,
			"main_name": "APT 31",
			"aliases": [
				"APT 31",
				"Bronze Vinewood",
				"G0128",
				"Judgment Panda",
				"Red Keres",
				"RedBravo",
				"TA412",
				"Violet Typhoon",
				"Zirconium"
			],
			"source_name": "ETDA:APT 31",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"GrewApacha",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Roarur",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "06f622cb-3a78-49cf-9a4c-a6007a69325f",
			"created_at": "2022-10-25T16:07:23.315239Z",
			"updated_at": "2026-04-10T02:00:04.537826Z",
			"deleted_at": null,
			"main_name": "APT 3",
			"aliases": [
				"APT 3",
				"Boron",
				"Brocade Typhoon",
				"Bronze Mayfair",
				"Buckeye",
				"G0022",
				"Gothic Panda",
				"Group 6",
				"Operation Clandestine Fox",
				"Operation Clandestine Fox, Part Deux",
				"Operation Clandestine Wolf",
				"Operation Double Tap",
				"Red Sylvan",
				"TG-0110",
				"UPS Team"
			],
			"source_name": "ETDA:APT 3",
			"tools": [
				"APT3 Keylogger",
				"Agent.dhwf",
				"BKDR_HUPIGON",
				"Backdoor.APT.CookieCutter",
				"Badey",
				"Bemstour",
				"CookieCutter",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EXL",
				"EternalBlue",
				"HTran",
				"HUC Packet Transmit Tool",
				"Hupigon",
				"Hupigon RAT",
				"Kaba",
				"Korplug",
				"LaZagne",
				"MFC Huner",
				"OSInfo",
				"Pirpi",
				"PlugX",
				"RedDelta",
				"RemoteCMD",
				"SHOTPUT",
				"Sogu",
				"TIGERPLUG",
				"TTCalc",
				"TVT",
				"Thoper",
				"Xamtrav",
				"remotecmd",
				"shareip",
				"w32times"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434854,
	"ts_updated_at": 1775826761,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a252430bcb61f4ad5e4065f398046be8d4a0171.pdf",
		"text": "https://archive.orkl.eu/3a252430bcb61f4ad5e4065f398046be8d4a0171.txt",
		"img": "https://archive.orkl.eu/3a252430bcb61f4ad5e4065f398046be8d4a0171.jpg"
	}
}