{
	"id": "19b1620f-56f4-4ab6-b13f-81bc898b3c0b",
	"created_at": "2026-04-06T00:10:09.602824Z",
	"updated_at": "2026-04-10T03:37:19.182576Z",
	"deleted_at": null,
	"sha1_hash": "3eb2e17232845da9783c2f52793a462846f2e7e3",
	"title": "Persistent Attempts at Cyberespionage Against Southeast Asian Government Target Have Links to Alloy Taurus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 948308,
	"plain_text": "Persistent Attempts at Cyberespionage Against Southeast Asian\r\nGovernment Target Have Links to Alloy Taurus\r\nBy Lior Rochberger, Tom Fakterman, Robert Falcone\r\nPublished: 2023-09-22 · Archived: 2026-04-02 11:01:42 UTC\r\nExecutive Summary\r\nWe observed a series of intrusions directed at a Southeast Asian government target, a cluster of activity that we\r\nattribute with a moderate level of confidence to Alloy Taurus, a group believed to be operating on behalf of\r\nChinese state interests. The multiwave intrusions, which started in early 2022 and persisted throughout 2023,\r\ncapitalized on vulnerabilities in Exchange Servers to deploy a large number of web shells.\r\nThese web shells served as gateways for the introduction of additional tools and malware, some specially crafted\r\nfor the target environments. These incursions were consistent with techniques used for long-term espionage\r\noperations and appeared to be attempts to establish a resilient foothold within the compromised networks.\r\nWe found this activity as part of an investigation into compromised environments within a Southeast Asian\r\ngovernment. We identified this cluster of activity as CL-STA-0045.\r\nDrawing upon available telemetry and threat intelligence, we attribute this cluster of activity with a moderate level\r\nof confidence to the Alloy Taurus group, also known as GALLIUM. 
This group is widely believed to operate on\r\nbehalf of Chinese state interests and has been observed in multiple espionage campaigns targeting\r\ntelecommunication companies and government entities across Southeast Asia, Europe and Africa.\r\nOur description of this cluster of activity provides deep technical insights into the tools and approaches used by\r\nthe APT and a timeline of activity, providing a rich set of indicators for use by defenders.\r\nPalo Alto Networks customers receive protections against the threats discussed in this article through Advanced\r\nWildFire, Advanced URL Filtering, DNS Security, Cortex XDR and Cortex XSIAM, as detailed in the conclusion.\r\nOrganizations can engage the Unit 42 Incident Response team for specific assistance with this threat and others.\r\nRelated Unit 42 Topics Government, APTs\r\nAlloy Taurus akas GALLIUM, Softcell\r\nCL-STA-0045 Details\r\nFrom Web Shell to Interactive Attack\r\nEach wave of CL-STA-0045 activity started after the attackers gained access to the network and installed several\r\nweb shells, including China Chopper, on several internet-facing web servers. Using the web shells, the attackers\r\nhttps://unit42.paloaltonetworks.com/alloy-taurus-targets-se-asian-government/\r\nPage 1 of 13\n\nwere able to perform an interactive attack that included running reconnaissance commands and tools (e.g.,\r\nwhoami, ipconfig, dir, arp and net, NBTScan) and creating several administrative accounts (named Admin$,\r\nBack$, infoma$ and testuser).\r\nThe attackers used these accounts to perform additional activities, as shown in Figure 2.\r\nFigure 2. Suspicious administrative actions alert.\r\nThe attackers also used two scanners. The first was Fscan, which is an open-source internal network scanner\r\nwritten by a Mandarin speaker called “shadow1ng.” Various research organizations have reported multiple\r\nChinese APT groups using this tool. 
The second scanner was WebScan, a browser-based network IP scanner and local IP detector.\r\nUndocumented .NET Backdoors\r\nFollowing the creation of the users and the reconnaissance activity, the attackers attempted to execute a previously\r\nundocumented .NET backdoor, which they named windows.exe. We named this threat Reshell based on its\r\nprogram database (PDB) path.\r\nThe attackers configured the backdoor, which is relatively straightforward and simple, to communicate with the IP\r\n23.106.122[.]46. This gave the attackers an easy way to execute arbitrary commands remotely.\r\nFigure 3. Embedded C2 in the Reshell binary.\r\nAfter Cortex XDR prevented execution of the Reshell backdoor, the attackers likely suspected something was not\r\nright and tried to check for the connection using the netstat command. They searched for IP addresses in the range\r\nof 23.106* and they made a connectivity check, as shown in Figure 4.\r\nFigure 4. Reshell execution and connectivity check.\r\nThe attackers tried to execute another undocumented .NET backdoor, which we call Zapoa. This backdoor opens\r\nan HTTP listener, specifically looking for inbound requests to the server that match the following UrlPrefix, which\r\ncontains a wildcard to match all hostnames within the URL: https://*:443/256509101/.\r\nThis backdoor uses the string P88smzTpVBDjwiUv within the HTTP POST data to authenticate its C2. It\r\nprovides the operator a wide range of capabilities, including:\r\nExtracting system information\r\nRunning the supplied shell code in a new thread\r\nRunning processes\r\nManipulating the file system\r\nTimestamping files with a supplied date\r\nLoading additional .NET assembly to enhance its capabilities\r\nPreparing the Ground\r\nThe attackers continued to perform additional activities to maintain a foothold in the environment. 
To prepare the\r\nground, bypass security mitigation efforts and hide from the security team, the attackers installed SoftEther VPN\r\nsoftware.\r\nThe attacker renamed the SoftEther VPN file to Taskllst.exe, as shown in Figure 5. In other instances, they\r\nrenamed it to fonts.exe and vmtools.exe.\r\nUsing this software, the attackers connected to different hosts inside and outside the network such as GitHub (as\r\nobserved in Figure 5). They also downloaded additional tools such as Kerbrute, LsassUnhooker and\r\nGoDumpLsass, which they used in the next phase of the attack.\r\nFigure 5. Connection to GitHub by SoftEther VPN - taskllst.exe.\r\nStealing Credentials\r\nSince the attackers had already gained a local administrator account, the next step was to gain domain credentials\r\nto move laterally inside the network. To do so, the attackers tried different techniques and tools.\r\nBrute Forcing Credentials: As shown in Figure 6, the attackers tried to brute force different usernames\r\nand passwords using Kerbrute. They used this tool to quickly brute force and enumerate valid Active\r\nDirectory accounts through Kerberos pre-authentication.\r\nFigure 6. Detection and prevention of Kerbrute and GoDumpLsass execution.\r\nSave SAM Key Hive: The attackers created a scheduled task named updatevmtoolss, which they set to run\r\na .bat file that executes a command to steal credentials from the Security Account Manager (SAM) registry\r\nkey hive. Figure 7 shows the execution for this activity.\r\nLocally Stored Passwords: The attackers tried to steal stored passwords. To do so, they ran the cmdkey /l\r\ncommand that lists the stored usernames and passwords. 
They then tried to access the login data folders of\r\nChrome and searched within configuration files for password=.\r\nDumping Lsass: The attackers tried to dump the Lsass process using the procdump tool.\r\nThe attackers also tried other tools to dump the Lsass process, including the following:\r\nLsassUnhooker\r\nTaskManager\r\nGoDumpLsass (named 123.exe)\r\nMimikatz: The attackers tried using the credential harvesting tool Mimikatz.\r\nLaZagne: The attackers tried using the open source local password extractor tool named LaZagne.\r\nNTLM Downgrade Attack: Finally, the attackers tried a less common method of stealing credentials,\r\nwhich was to downgrade the Windows New Technology LAN Manager (NTLM) version to extract the\r\nNTLM hashes. To do so, the attackers used the tool InternalMonologue.exe and changed related registry\r\nvalues, as shown in Figure 7.\r\nFigure 7. Detection and prevention of NTLM downgrade attack and credential theft.\r\nTargeting Critical Assets\r\nAfter obtaining credentials, the attackers attempted to move laterally inside the network, aiming specifically at\r\nweb servers and domain controllers.\r\nThe attackers first tried using the SoftEther VPN, attempting to create connections to the targets on SMB (port\r\n445). Later in the attack, the attackers changed their tactic and moved laterally by abusing the remote\r\nadministration tool AnyDesk. 
This tool was already present in the compromised environment.\r\nThe attackers set the password for AnyDesk to be J9kzQ2Y0qO, which is the same password reported multiple\r\ntimes as being used in Conti ransomware attacks.\r\nWe observed no attempt to execute ransomware.\r\nInstalling Additional Tools\r\nIn addition to the already installed tools mentioned above, the attackers attempted to install other tools and\r\nmalware to help perform malicious activities and maintain a foothold in the environment. Among these tools were\r\nthe following:\r\nCobalt Strike\r\nPuTTY's Plink\r\nHTran\r\nQuasar remote access Trojan (RAT)\r\nCobalt Strike\r\nThe attackers attempted to create a connection to the domain images.cdn-sina[.]tw to download a file named\r\nscvhost.txt. This file was a Cobalt Strike beacon, which Figure 8 shows Cortex XDR prevented from executing.\r\nFigure 8. Blocked execution of payloads from images.cdn-sina[.]tw.\r\nIn another attempt to execute Cobalt Strike, the attackers created services to run the beacon (Reset.cpl, help.exe) using the\r\nliving-off-the-land binaries and scripts (LOLBAS) method of abusing the Windows Shell Common DLL (Shell32.dll), as highlighted in the below code snippet and shown in full in Figure 9.\r\nFigure 9. Blocked execution of Cobalt Strike by abusing the Windows Shell Common DLL.\r\nReverse SSH Tunneling\r\nAttackers established a reverse Secure Shell (SSH) tunnel that allowed direct Remote Desktop Protocol (RDP)\r\nconnection to the compromised host so they could interact with AnyDesk remotely. 
To do this, the attackers tried\r\nto use HTran (lcx.111) to tunnel RDP connections to its C2 (154.55.128[.]129, as shown in Figure 10).\r\nIn an attempt to overcome the mitigation efforts, the attackers also tried using another tool to perform this SSH\r\ntunneling called PuTTY. The attackers downloaded a file named result.txt from the same domain mentioned above\r\n(images.cdn-sina[.]tw), which is the PuTTY binary.\r\nUsing the PuTTY binary in one compromised environment, the attackers attempted to create an SSH tunnel to\r\n159.223.85[.]37. In another compromised environment, the attackers tried to tunnel to both that IP and\r\n156.251.162[.]29.\r\nThe attackers kept using those tools, sometimes with the same naming convention and the same infrastructure,\r\nacross multiple victims in the government sector in the Southeast Asian country.\r\nFigure 10. Detection and prevention of HTran and Plink execution.\r\nDownloading Additional Tools via PowerShell\r\nIn addition to Cobalt Strike and PuTTY, which the attackers downloaded from images.cdn-sina[.]tw, they also\r\nused another subdomain (Shell.cdn-sina[.]tw, resolved to 78.142.246[.]117). Attackers used it to store additional\r\ntools including victim-specific scripts.\r\nTo access those tools, the attackers used Windows Management Instrumentation (WMI) and PowerShell with the\r\nfollowing command line.\r\nAttackers tried to bypass some antivirus detection of download string operations (i.e., searching for certain\r\nkeywords, such as DownloadString).\r\nThe attackers also downloaded PowerCat (the PowerShell version of the networking utility netcat) from the same\r\ndomain, using the IP this time. They then ran this utility with the same IP previously used by the attackers as a\r\nparameter for Plink.\r\nQuasar RAT\r\nAnother type of malware that the attackers attempted to use is Quasar RAT. 
Different threat actors around the\r\nworld use this off-the-shelf tool. The malware provides its operator with a wide set of capabilities, including the\r\nfollowing:\r\nCapturing screenshots\r\nRecording the victim’s webcam\r\nKeylogging\r\nStealing passwords\r\nAs observed in Figure 11, the actor put the Quasar RAT dropper (l.exe) in the C:/Recovery folder, which dropped\r\nthe Quasar RAT loader (loader.any) and tried to execute it.\r\nFigure 11. Prevention of Quasar RAT execution.\r\nHDoor\r\nThe attacker also used a customized version of the Chinese backdoor HDoor. HDoor has been publicly available\r\nin Chinese forums since at least 2008. Various research organizations have reported that multiple Chinese APT\r\ngroups have used this threat, such as Growing Taurus (aka Naikon) and Parched Taurus (aka Goblin Panda).\r\nHDoor is equipped with full backdoor capabilities, allowing the operator to perform a variety of tasks, including\r\nthe following:\r\nKeylogging\r\nFile and process manipulation\r\nScanning\r\nActing as a proxy client\r\nConnecting to other endpoints in the network\r\nStealing credentials in various methods\r\nExfiltrating data\r\nHDoor was executed using the following command line arguments:\r\nGh0stCringe RAT\r\nAnother piece of malware that the attackers tried to use is Gh0stCringe, which is based on the source code of\r\nGh0st RAT. The attackers tried to execute this tool twice, with a gap of over 10 days between executions.\r\nIn the first execution, the attackers attempted to execute the malware dropper, which was named Cssrs.exe. This\r\ndropped the Gh0stCringe binary, named moon.exe, and executed it. Figure 12 shows this activity.\r\nFigure 12. 
Gh0stCringe process tree.\r\nThe second time, the attackers tried to execute Gh0stCringe by the name conhost.exe as shown in Figure 13. They\r\ncreated the malware under the ESET folder C:\\ProgramData\\ESET\\RemoteAdministrator\\Agent\\conhost.exe.\r\nAlthough this folder is legitimate and contains ESET-related files that were legitimately installed in the victim’s\r\nenvironment, the use of this folder to store malicious payloads is not common.\r\nHowever, we note that in the same environment, we saw the threat actors behind a different cluster, CL-STA-0044\r\nabusing ERAAgent.exe to execute the ToneShell malware.\r\nFigure 13. Executing Gh0stCringe from the ESET folder.\r\nA Variant of the Winnti Malware\r\nIn January 2023, we observed the actors attempting to install a variant of the Winnti malware family. According to\r\nan April 11, 2013, blog written by Kaspersky, Winnti is a prominent malware family used by multiple Chinese\r\nthreat groups since at least 2011.\r\nTo install this particular variant of Winnti, the actor saved two files (rs.exe and s.dll) to the system within the\r\nfolder D:\\HPEOneView\\\u003credacted\u003e\\admin\\.!\\.dump. The rs.exe executable is a loader that copies the s.dll payload\r\nto the location %SYSTEM%\\lscsrv.dll and creates a service named Lscsrv with it.\r\nThis beacon leads us to believe this is a variant of the Winnti malware. 
This beacon has several overlaps compared\r\nto the beacon created by the Winnti malware discussed in Kaspersky’s blog:\r\nThe first four bytes within the beacon data are hard-coded as 0xDF1F1ED3.\r\nThe beacon data is 1,360 bytes in length before compression.\r\nThe beacon data is compressed using zlib with a compression level of 8.\r\nThe packet structure is the same including:\r\nthe compressed data length\r\na hard-coded null value\r\na random byte\r\nthe compressed data\r\nThe structure of the beacon data itself is identical, with the field types at the same offsets\r\nAt a high level, this Winnti variant has the following capabilities available for the actor to use:\r\nFile system modifications\r\nRegistry modifications\r\nService modifications\r\nUploading and downloading of files\r\nCreating and acting as a proxy\r\nReverse shell\r\nKeylogging\r\nScreen control functionality, including key typing and mouse movement\r\nEnumerating network resources and file shares\r\nAttribution\r\nWe identified CL-STA-0045 activity on multiple entities of the same government in Southeast Asia around the\r\nsame time frame. 
The clustering of the activity was based on the use of the same tools, malware, similar\r\ntechniques and tactics, and in some cases shared infrastructure.\r\nAnalysis of activity of the threat actor behind CL-STA-0045, in combination with third-party reporting, presents\r\nnoteworthy overlaps with the reported modus operandi of Alloy Taurus (aka GALLIUM).\r\nThe threat actor used a combination of tools and malware during its operation that, when grouped together in a\r\nsingle operation, presents a rather unique playbook.\r\nAs part of this cluster of activity, some of the main tools used together include the following:\r\nThe renamed SoftEther VPN using a similar naming convention with files and/or folders\r\nChina Chopper web shell being installed after web server exploitation\r\nHTran being used for RDP tunneling\r\nNBTScan\r\nA Gh0st RAT variant being used to establish a foothold\r\nThe combination of these tools in a single operation has only been previously reported as part of Alloy Taurus\r\noperations.\r\nIn addition, our analysis of the activity showed a repetitive style of attack, in which the threat actor attacked in\r\nwaves. Each wave started with web server exploitation as well as installation of web shells and reconnaissance.\r\nThis was then followed by the deployment of additional tools. This manner of operation, with the tools listed\r\nabove, overlaps with the behavior reported in Operation SoftCell.\r\nFurthermore, the Unit 42 internal telemetry we’ve presented included an infrastructure overlap with the activity\r\ndescribed in CL-STA-0045, and it was observed on one of the compromised entities belonging to the same\r\ngovernment. 
The threat actor behind this cluster used a renamed SoftEther VPN to hide their connection to its C2\r\nserver.\r\nIn one instance of this activity cluster, the communication we observed was to an infrastructure that overlaps with\r\nthe IP address 196.216.136[.]139 that we mentioned in our post Chinese Alloy Taurus Updates PingPull Malware.\r\nOur telemetry also suggests that Alloy Taurus was active in the same environment in Q3 and Q4 of 2022, which\r\naligns with CL-STA-0045 activity from a timeline perspective.\r\nWe observed the activity specifically associated with CL-STA-0045 targeting the government sector in Southeast\r\nAsia. Alloy Taurus was previously reported to target the government sector in that region.\r\nThe combination of tools used in CL-STA-0045, the analysis of the threat actor’s modus operandi, the victimology\r\nof this cluster and overlaps with Unit 42 internal telemetry led us to estimate with a moderate level of confidence\r\nthat the threat actor behind CL-STA-0045 is likely the Alloy Taurus APT group.\r\nConclusion\r\nCL-STA-0045 activity represents a significant threat to government entities in South East Asia. The threat actor\r\nbehind this cluster employed a mature approach, utilizing multiwave intrusions and exploiting vulnerabilities in\r\nExchange Servers as their main penetration vector. We estimate that the main goal behind the activity was to\r\nfacilitate long-term espionage operations.\r\nBased on the available telemetry, we attribute this cluster of activity with a moderate level of confidence to the\r\nAlloy Taurus group. This threat actor poses a significant threat to regional security and warrants heightened\r\nattention from affected organizations and governments in the region.\r\nThe findings of this investigation underscore the urgent need for enhanced security measures, vigilant monitoring\r\nand proactive threat intelligence sharing among government entities and affected industries in Southeast Asia. 
By\r\nadopting a multilayered defense approach and staying informed about emerging threats, organizations can better\r\nprotect themselves against the persistent and evolving tactics employed by threat actors such as Alloy Taurus.\r\nProtections and Mitigations\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with the\r\nthreats described above:\r\nWildFire cloud-delivered malware analysis service accurately identifies the known samples as malicious.\r\nAdvanced URL Filtering and DNS Security identify domains associated with this group as malicious.\r\nCortex XDR and XSIAM\r\nPrevents the execution of known malicious malware, and also prevents the execution of unknown\r\nmalware using Behavioral Threat Protection and machine learning based on the Local Analysis\r\nmodule.\r\nProtects against credential gathering tools and techniques using the new Credential Gathering\r\nProtection available from Cortex XDR 3.4.\r\nProtects from threat actors dropping and executing commands from web shells using Anti-Webshell\r\nProtection, newly released in Cortex XDR 3.4.\r\nProtects against exploitation of different vulnerabilities including ProxyShell and ProxyLogon using\r\nthe Anti-Exploitation modules as well as Behavioral Threat Protection.\r\nCortex XDR Pro detects post exploit activity, including credential-based attacks, with behavioral\r\nanalytics.\r\nIf you think you may have been impacted or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance (CTA) members. 
CTA members use this intelligence to rapidly deploy protections to\r\ntheir customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nSource: https://unit42.paloaltonetworks.com/alloy-taurus-targets-se-asian-government/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/alloy-taurus-targets-se-asian-government/"
	],
	"report_names": [
		"alloy-taurus-targets-se-asian-government"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7bf3ffe5-09ba-4378-8ea4-a6d748a494fd",
			"created_at": "2022-10-25T15:50:23.264584Z",
			"updated_at": "2026-04-10T02:00:05.334294Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"GALLIUM",
				"Granite Typhoon"
			],
			"source_name": "MITRE:GALLIUM",
			"tools": [
				"ipconfig",
				"cmd",
				"China Chopper",
				"PoisonIvy",
				"at",
				"PlugX",
				"PingPull",
				"BlackMould",
				"Mimikatz",
				"PsExec",
				"HTRAN",
				"NBTscan",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32",
			"created_at": "2023-04-20T02:01:50.979595Z",
			"updated_at": "2026-04-10T02:00:02.913011Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"BRONZE STERLING",
				"G0013",
				"PLA Unit 78020",
				"OVERRIDE PANDA",
				"Camerashy",
				"BRONZE GENEVA",
				"G0019",
				"Naikon"
			],
			"source_name": "MISPGALAXY:Naikon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf",
			"created_at": "2022-10-25T15:50:23.31611Z",
			"updated_at": "2026-04-10T02:00:05.370146Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"Naikon"
			],
			"source_name": "MITRE:Naikon",
			"tools": [
				"ftp",
				"netsh",
				"WinMM",
				"Systeminfo",
				"RainyDay",
				"RARSTONE",
				"HDoor",
				"Sys10",
				"SslMM",
				"PsExec",
				"Tasklist",
				"Aria-body"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62",
			"created_at": "2025-08-07T02:03:24.604463Z",
			"updated_at": "2026-04-10T02:00:03.798481Z",
			"deleted_at": null,
			"main_name": "BRONZE GENEVA",
			"aliases": [
				"APT30 ",
				"BRONZE STERLING ",
				"CTG-5326 ",
				"Naikon ",
				"Override Panda ",
				"RADIUM ",
				"Raspberry Typhoon"
			],
			"source_name": "Secureworks:BRONZE GENEVA",
			"tools": [
				"Lecna Downloader",
				"Nebulae",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9faf32b7-0221-46ac-a716-c330c1f10c95",
			"created_at": "2022-10-25T16:07:23.652281Z",
			"updated_at": "2026-04-10T02:00:04.702108Z",
			"deleted_at": null,
			"main_name": "Gallium",
			"aliases": [
				"Alloy Taurus",
				"G0093",
				"Granite Typhoon",
				"Phantom Panda"
			],
			"source_name": "ETDA:Gallium",
			"tools": [
				"Agentemis",
				"BlackMould",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"Gh0stCringe RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"LaZagne",
				"Mimikatz",
				"NBTscan",
				"PingPull",
				"Plink",
				"Poison Ivy",
				"PsExec",
				"PuTTY Link",
				"QuarkBandit",
				"Quasar RAT",
				"QuasarRAT",
				"Reshell",
				"SPIVY",
				"SinoChopper",
				"SoftEther VPN",
				"Sword2033",
				"WCE",
				"WinRAR",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Yggdrasil",
				"cobeacon",
				"nbtscan",
				"netcat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c87ee2df-e528-4fa0-bed6-6ed29e390688",
			"created_at": "2023-01-06T13:46:39.150432Z",
			"updated_at": "2026-04-10T02:00:03.231072Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"Red Dev 4",
				"Alloy Taurus",
				"Granite Typhoon",
				"PHANTOM PANDA"
			],
			"source_name": "MISPGALAXY:GALLIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434209,
	"ts_updated_at": 1775792239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3eb2e17232845da9783c2f52793a462846f2e7e3.pdf",
		"text": "https://archive.orkl.eu/3eb2e17232845da9783c2f52793a462846f2e7e3.txt",
		"img": "https://archive.orkl.eu/3eb2e17232845da9783c2f52793a462846f2e7e3.jpg"
	}
}