{
	"id": "d3494cf2-809e-4c17-9b89-e9c93cf8fd93",
	"created_at": "2026-04-06T00:17:02.875034Z",
	"updated_at": "2026-04-10T03:33:03.180611Z",
	"deleted_at": null,
	"sha1_hash": "3b7af17385d3cd84c68ffdfa9e2e1ccb37dab2fc",
	"title": "Donot Team Leverages New Framework | NETSCOUT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1235874,
	"plain_text": "Donot Team Leverages New Framework | NETSCOUT\r\nArchived: 2026-04-05 17:03:58 UTC\r\nAuthors: Dennis Schwarz and Jill Sopko\r\nSpecial thanks to Richard Hummel and Hardik Modi for their contributions on this post.\r\nhttps://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia\r\nPage 1 of 30\r\n\r\nFigure 1: Pakistan themed decoy document\r\nKey Findings\r\nASERT discovered a new modular malware framework, we call yty, that focuses on file collection, screenshots, and keylogging.\r\nWe believe the threat actors, Donot Team, who created EHDevel, also created the yty framework.\r\nWith medium confidence, ASERT believes this new malware framework will pick up where EHDevel left off and continue to focus on targets in South Asia.\r\nOverview\r\nIn late January 2018, ASERT discovered a new modular malware framework we call \"yty\". The framework shares a striking resemblance to the EHDevel framework. We believe with medium confidence that a team we internally call \"Donot Team\" is responsible for the new malware and will resume targeting of South Asia.\r\nIn a likely effort to disguise the malware and its operations, the authors coded several references into the malware for football—it is unclear whether they mean American football or soccer. The theme may allow the network traffic to fly under the radar.\r\nWhile we believe this framework and its components are new, it shares many Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) with the EHDevel malware framework. In September 2017, Bitdefender released a white paper describing EHDevel and some of the campaigns that used it. Some of the highlights of it included the following:\r\nLabeled as an APT (advanced persistent threat) and active since at least 2016.\r\nModular architecture with malware functionality spread over multiple components.\r\nComponents used a variety of programming languages (C++, .NET, Python, VBS, and AutoIt).\r\nFunctionality included: file collection, screenshots, key logging, and gathering system information.\r\nCommand and control (C2) hosts stored in a document hosted on Google Docs.\r\nDecoy documents, timestamp analysis, and C2 server log analysis showed a focus on Pakistan.\r\nWe assess with medium confidence that the yty framework is a replacement for the EHDevel framework and that the Donot Team may start using it in campaigns in a similar manner as EHDevel. The evolution from EHDevel to yty shows the threat actors are continually improving and modifying their malware framework, adding to their sophistication.\r\nCampaign Analysis\r\nDonot Team campaigns use multiple methods to mimic legitimate applications, organizations, and services like Adobe, Gmail or news outlets. They also include seemingly benign domains that likely raise minimal suspicion to a human observer. The following domains are a few examples:\r\nabodeupdater[.]com – Adobe update services\r\nqmails[.]org – Gmail webmail service\r\nserviceupports[.]com – Generic services domains\r\nsundayobserver[.]net – Mimics weekly English-language newspaper in Sri Lanka\r\nthebangladeshtoday[.]net – English version of the national daily newspaper in Bangladesh\r\nThe actors use false personas to register their domains instead of opting for privacy protection services. Depending on the registrar service chosen, this could be seen as another cost control measure. The actors often used typo-squatting to slightly alter a legitimate domain name. In contrast, the registration information used accurate spelling, possibly indicating the domain naming was intentional, typos included. Each unique registrant usually registered only a few domains, but mistakenly reused phone numbers or the registration data portrayed a similar pattern across domains. Looking at shared IP infrastructure, it was easy to see the registration patterns and expand the network used by the attackers. The Donot Team relies heavily on subdomains. Nearly every domain discovered through the course of this investigation had multiple, unique subdomains and every malware sample analyzed communicated to subdomains. In at least two instances, the domain never resolved to an IP address. Instead, the malware used subdomains, which led to active infrastructure. Many of the sub-domains only navigated to the third level, but other samples used overly complex subdomain structures down to the sixth or seventh level.\r\nupdate.\u003cdomain\u003e[.]com\r\nservice.\u003cdomain\u003e[.]org\r\nmail-live.outlook-com.332dhgka93t-veri9fjg3j-2s33gl.system.thebangladeshtoday[.]net\r\nLooking at registration patterns and passive DNS, many of these domains resolve for as little as three days before going offline. It is possible the attackers use these small windows to test their malware operations. Although we did not observe the original distribution of the core binary, we believe the group specifically targeted Pakistani individuals based on the decoy documents observed. They appeared to be official Government of Pakistan memos, see Figure 1, above.\r\nAttribution\r\nDonot Team’s TTPs, infrastructure, and the malware code are strikingly similar to the EHDevel malware reported by Bitdefender and it is likely the same group of operators. Bitdefender noted that the EHDevel malware appeared similar to malware analyzed by Blue Coat Labs in their report “Snake in the Grass”. The “Snake in the Grass” report also showed malware similarities and infrastructure overlap with Operation Hangover (also known as the Patchwork Group). While Arbor agrees that there are suspicious similarities between the Donot Team and Patchwork, we did not uncover definitive evidence to link the two groups. Additionally, a malicious document associated with yty was tagged by Hybrid Analysis as “Viceroy Tiger”, but there hasn’t been much recent public information on this group that we could find to corroborate.\r\nyty Malware Framework Analysis\r\nOne of the TTPs associated with the Donot Team is the use of modular/plugin-based malware frameworks. We call the new malware framework “yty” (based on debugging strings in its components). The components of the framework are shown in Figure 2:\r\nFigure 2: yty malware components.\r\nCircular.xls Analysis\r\nThe first piece of the framework is a malicious Excel document named “Circular.xls” (9ce56e1403469fc74c8ff61dde4e83ad72597c66ce07bbae12fa70183687b32d). The content of the spreadsheet is an executable that is extracted and executed by macros, Figure 3.\r\nFigure 3: Circular.xls macro script\r\nThe delivery mechanism for the XLS file is unknown, but evidence suggests it could be a test document as seen in Figure 4:\r\nFigure 4: XLS document properties\r\n.exe (Downloader 1) Analysis\r\nSHA256: 8d7eb0b7251bc4a40ebc9142a59ed8af16fb11cf8168e76dca48a78d6d7e4595\r\nCompilation Date: 2018-02-05 09:06:13\r\nPDB Path: C:\\Users\\donot\\Documents\\Visual Studio 2010\\Projects\\downloader\\Debug\\downloader.pdb\r\nDue to a bug in the macro code, the extracted executable is saved as “.exe”. This is a stripped down C++ program that, as its PDB path string indicates, downloads and executes another executable, then removes itself. The downloader attempts to retrieve and execute the following file (not active at the time of research):\r\nhttp://conf.serviceupdateres[.]com/Setup.exe\r\nThis host is a direct overlap with the EHDevel malware framework as it was also seen distributing payloads in Bitdefender’s analysis.\r\nSetup.exe (Downloader 2) Analysis\r\nSHA256: 6bbd10ac20782542f40f78471c30c52f0619b91639840e60831dd665f9396365\r\nCompilation Date: 2018-01-04 09:43:28\r\nPDB Path: C:\\Users\\803\\Desktop\\ytyboth\\yty 2.0\\Release\\Setup.pdb\r\nSetup.exe is another downloader written in C++ but contains more functionality than the “.exe” downloader. First, it checks/creates a mutex named “toptwo” so that only one copy of itself is running on the victim.\r\nEvasion Techniques\r\nTo confuse malware analysts, it mixes in junk code as seen in Figure 5.\r\nFigure 5: Junk code contained in binary.\r\nIt also has some basic anti-sandbox detection that tries to detect Virtual PC, Sandboxie, and VMware (example in Figure 6):\r\nFigure 6: VMWare check.\r\nDebugging Code\r\nSimilar to some components in the EHDevel framework, it creates logs for debugging purposes, though the messages are not as verbose as in EHDevel’s samples, Figure 7.\r\nFigure 7: Debugging log\r\nCommand \u0026 Control\r\nMuch like EHDevel, in order to get its C2 host, it downloads a file from Google Docs. The document in this case was located at:\r\nhttps://drive.google[.]com/uc?authuser=0\u0026id=1BUuYXU6bLdH_k_NWQIo7n5Uo_7…\r\nAt the time of research, the name of the document was “ip2.txt” and it contained the following IP address:\r\n5.135.199[.]0\r\nPer its metadata, the owner of the document is:\r\nAlfred Vilfi\r\nmasterplan00007@gmail.com\r\nAn example C2 beacon is shown in Figure 8:\r\nFigure 8: C2 beacon\r\nBased on the “/football/goal”, “score”, “ball”, and “loose” strings they are using a football theme to help disguise its traffic. The POST data contains:\r\nCPU information\r\nWindows version\r\nIs a virtual machine?\r\nComputer name\r\nUser name\r\nSerial number of main disk volume\r\nAt the time of analysis, we only elicited a “loose” response from the C2 server. Continued execution is reliant on eliciting a “win” response. If a “win” response does not occur, the malware continues beaconing until it receives the appropriate response. Once the correct response is seen, the malware downloads the next component from the same C2 using the following URL path:\r\n/football/download/2/boothelp\r\nPersistence Mechanism\r\nA secondary macro in circular.xls establishes persistence for the setup.exe download as seen in Figure 9.\r\nFigure 9: Persistence mechanism\r\nUnique Strings\r\nSetup.exe introduces three common names seen in the rest of the malware framework:\r\n“yty”, the name we use for the framework, from the PDB path string.\r\n“bigdata” from the schtasks /tn (taskname) parameter used in the persistence mechanism.\r\nA “bot id” consisting of computer name, user name, and volume serial number separated by dashes.\r\nboothelp.exe – Plugin Downloader\r\nSHA256: a2e9d9a00e7e75ab1d5e96dd327a89b55608a0319461f2866aadada5bd50e728\r\nCompilation Date: 2018-01-03 09:42:00\r\nPDB Path: C:\\Users\\803\\Desktop\\ytyboth\\yty 2.0\\Release\\boothelp.pdb\r\nAnother TTP used by the Donot Team is the transition from one programming language to another. We see this with boothelp.exe, which is written in .NET instead of C++ like the other components. boothelp.exe is a downloader responsible for retrieving modules/plugins that contain added functionality.\r\nThe plugin downloader uses the same C2 channels as setup.exe by downloading a Google Doc file which contains the C2 IP address. It then continues the football theme by beaconing to the “/football/flag” folder on the C2 server, Figure 10.\r\nFigure 10: C2 communications to retrieve modules\r\nUsing an HTML element labeled “pcinfo”—possibly displayed verbatim in the C2 panel—the malware beacon message contains various pieces of system information outlined below:\r\nUser name\r\nComputer name\r\nWindows version\r\nNumber of processors\r\nSystem directory\r\nDomain name\r\n.NET version\r\nInformation on drives\r\nCPU information\r\nThe response from the C2 is an odd string containing multiple pieces, delimited by various characters, but boils down to what plugins to download/run and their file sizes. The plugins for this framework were downloaded from the same URI path (“/football/download/2/”) where boothelp.exe was located. As of February 2018, we observed the following plugins:\r\nvstservice.exe – document listing plugin\r\nabode.exe – file exfiltration plugin\r\nmdriver.exe – key logger plugin\r\ndspcheck.exe – screenshot plugin\r\nmboard.exe – system information plugin\r\nThese modules share functionality with components of the EHDevel framework, creating further overlap between the two malware frameworks. boothelp.exe has an interesting but unused function that takes a list of benign URLs and opens connections to them. As noted previously, we believe the actors are still testing the malware framework and it’s possible these URLs will become an anti-analysis feature to hide C2 communication among benign traffic. Some of the interesting benign URLs are listed below:\r\nhttps://www.google[.]co.in/\r\nhttp://www.imdb[.]com/title/tt3501632/\r\nhttps://www.rottentomatoes[.]com/m/thor_ragnarok_2017\r\nvstservice.exe – File Listing Plugin\r\nSHA256: e3fb0ab2f3d11f12c11b3ee1e1781eaec5581def820afe7e01902f31ba9e1936\r\nCompilation Date: 2018-01-03 08:14:32\r\nPDB Path: C:\\Users\\803\\Desktop\\ytyboth\\yty 2.0\\Release\\vstservice.pdb\r\nThe vstservice.exe plugin is a .NET file responsible for sending a list of the file system to the C2. The malware retrieves the C2 from a Google Docs file like the previous binaries. The file was located at the following location:\r\nhttps://docs.google[.]com/uc?id=0B42CqDoBbigYM1lEamRDRjhFbGc\u0026export=dow…\r\nAt the time of research, the Google Doc was named “domain.txt” and contained the following C2 host:\r\nupload.cloudsekurity[.]online\r\nPer its metadata, it is owned by the same owner as the document above. The plugin sends two file listings. The first one focuses on files with the following extensions:\r\nppt\r\npdf\r\ndoc\r\nxls\r\ndocx\r\nxlsx\r\npptx\r\ndocm\r\nrtf\r\ninp\r\nxlsm\r\ncsv\r\nodt\r\npps\r\nvcf\r\nThe second one contains all other files. An example is shown in Figure 11.\r\nFigure 11: C2 file list name exfiltration\r\nThe URL path for this C2 references the “bigdata” string observed in the macro persistence mechanism. Some of the POST parameters are unclear, but contain the following items:\r\nstatus – hardcoded to “Found”\r\npath – hardcoded to “Unknown”\r\npc – bot ID\r\ntype – unclear\r\nfname – file name\r\ncnumber – a number representative of large files broken into chunks\r\norname – unclear\r\nofid – order ID for files broken into chunks\r\nSimilar to the plugin downloader, this plugin includes an unused function that connects to benign URLs. Some of the URLs are listed below:\r\nhttps://www.livechart[.]me/fall-2017/tv\r\nhttps://500px[.]com/editors\r\nhttps://paytm[.]com/metro-card-recharge\r\nabode.exe – File Exfiltration Plugin\r\nSHA256: 4d0114b1292714a13d43a4c0de3ea4498fa752354ad4f5b73a8ba441af6064ae\r\nCompilation Date: 2018-01-03 08:14:46\r\nPDB Path: C:\\Users\\803\\Desktop\\ytyboth\\yty 2.0\\Release\\abode.pdb\r\nabode.exe is a .NET file capable of file exfiltration. It uses the same Google Doc document and C2 as the vstservice.exe plugin. Two sets of files can be exfiltrated. The first set is a periodic sending of files generated by other plugins that do not include a C2 mechanism themselves. The second set of files is specified by the C2 as seen in Figure 12.\r\nFigure 12: C2 response specifying file for exfiltration\r\nThe “id” parameter is hardcoded and the “pc” parameter is the bot ID. The file is then sent to the C2 as seen in Figure 13.\r\nFigure 13: File exfiltration\r\nThis plugin also includes unused, benign URLs as seen below:\r\nhttps://www.gamespot[.]com/\r\nhttps://www.rottentomatoes[.]com/tv/mr_robot/s03\r\nmdriver.exe – Keylogger Plugin\r\nSHA256: 600e7cfeea0ef8bd23cf95602a6b873898aa51848909aad1a7e8d4c5403797af\r\nCompilation Date: 2018-01-03 08:14:19\r\nPDB Path: C:\\Users\\803\\Desktop\\ytyboth\\yty 2.0\\Release\\mdriver.pdb\r\nThis plugin is written in C++ and is a key logger. It checks/creates a mutex named “twotwo”, uses the Windows SetWindowsHookEx and SetWinEventHook APIs to perform its key logging, and then relies on abode.exe to exfiltrate the captured key strokes. Figure 14 shows an example of exfiltrated key log data.\r\nFigure 14: Key log exfiltration\r\ndspcheck.exe – Screenshot Plugin\r\nSHA256: 7d893d4f077e8e76a44a7830c5c3806dc956a6ef1a06c9f2dc33477c70f8cc9b\r\nCompilation Date: 2018-01-09 08:33:36\r\nPDB Path: D:\\Soft\\DevelopedCode\\yty 2.0\\Release\\dspcheck.pdb\r\ndspcheck.exe is a screenshot plugin written in .NET. This plugin also shows evidence that the actors are continuing their testing efforts as seen in Figure 15.\r\nFigure 15: Screenshot code shows testing evidence\r\nIt has the beginnings of C2 functionality, but this sample still relies on abode.exe to send screenshots back to the C2, see Figure 16.\r\nFigure 16: Screenshot exfiltration\r\nmboard.exe – System Information Plugin\r\nPacked SHA256: 50281cdd1b22f2b85de5809bf69ebd10e399410f519e357c1cb941c5dc7c95e1\r\nThe last plugin seen in this framework was mboard.exe. It is written in Golang and is packed with UPX. The purpose of this plugin is to gather various system information such as the following:\r\nDrive information\r\nOutput of systeminfo command\r\nInstalled software\r\nOutput of ipconfig /all command\r\nOutput of net view command\r\nOutput of tasklist command\r\nThe collected data is saved into multiple files with a “qr” extension appended. They are then sent to the C2 via abode.exe. An example showing the running process list being sent to the C2 is shown in Figure 17.\r\nFigure 17: Running process list exfiltration\r\nAppendix A (IOCs):\r\nSHA256 Hashes\r\n9ce56e1403469fc74c8ff61dde4e83ad72597c66ce07bbae12fa70183687b32d\r\n8d7eb0b7251bc4a40ebc9142a59ed8af16fb11cf8168e76dca48a78d6d7e4595\r\n6bbd10ac20782542f40f78471c30c52f0619b91639840e60831dd665f9396365\r\na2e9d9a00e7e75ab1d5e96dd327a89b55608a0319461f2866aadada5bd50e728\r\ne3fb0ab2f3d11f12c11b3ee1e1781eaec5581def820afe7e01902f31ba9e1936\r\n4d0114b1292714a13d43a4c0de3ea4498fa752354ad4f5b73a8ba441af6064ae\r\n600e7cfeea0ef8bd23cf95602a6b873898aa51848909aad1a7e8d4c5403797af\r\n7d893d4f077e8e76a44a7830c5c3806dc956a6ef1a06c9f2dc33477c70f8cc9b\r\n50281cdd1b22f2b85de5809bf69ebd10e399410f519e357c1cb941c5dc7c95e1\r\nC2 Domains\r\nconf[.]serviceupdateres[.]com\r\nupload[.]cloudsekurity[.]online\r\nabodeupdater[.]com\r\nqmails[.]org\r\nserviceupports[.]com\r\nthebangladeshtoday[.]net\r\nsundayobserver[.]net\r\nC2 IP Addresses\r\n5[.]135[.]199[.]0\r\n89[.]33[.]246[.]99\r\nSource: https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia"
	],
	"report_names": [
		"donot-team-leverages-new-modular-malware-framework-south-asia"
	],
	"threat_actors": [
		{
			"id": "2ac63ef4-a7b8-4a30-96ad-b30ccb2073fc",
			"created_at": "2022-10-25T16:07:23.546262Z",
			"updated_at": "2026-04-10T02:00:04.651083Z",
			"deleted_at": null,
			"main_name": "Donot Team",
			"aliases": [
				"APT-C-35",
				"Mint Tempest",
				"Origami Elephant",
				"SectorE02"
			],
			"source_name": "ETDA:Donot Team",
			"tools": [
				"BackConfig",
				"EHDevel",
				"Jaca",
				"yty"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "88854a9f-641a-4412-89db-449b4d5cbc51",
			"created_at": "2022-10-25T16:07:23.963599Z",
			"updated_at": "2026-04-10T02:00:04.810023Z",
			"deleted_at": null,
			"main_name": "Operation HangOver",
			"aliases": [
				"G0042",
				"Monsoon",
				"Operation HangOver",
				"Viceroy Tiger"
			],
			"source_name": "ETDA:Operation HangOver",
			"tools": [
				"AutoIt backdoor",
				"BADNEWS",
				"BackConfig",
				"JakyllHyde",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cfdd350b-de30-4d29-bbee-28159f26c8c2",
			"created_at": "2023-01-06T13:46:38.433736Z",
			"updated_at": "2026-04-10T02:00:02.972971Z",
			"deleted_at": null,
			"main_name": "VICEROY TIGER",
			"aliases": [
				"OPERATION HANGOVER",
				"Donot Team",
				"APT-C-35",
				"SectorE02",
				"Orange Kala"
			],
			"source_name": "MISPGALAXY:VICEROY TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434622,
	"ts_updated_at": 1775791983,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b7af17385d3cd84c68ffdfa9e2e1ccb37dab2fc.pdf",
		"text": "https://archive.orkl.eu/3b7af17385d3cd84c68ffdfa9e2e1ccb37dab2fc.txt",
		"img": "https://archive.orkl.eu/3b7af17385d3cd84c68ffdfa9e2e1ccb37dab2fc.jpg"
	}
}