{
	"id": "d2bc58d7-3b1f-478f-9427-1d785c6b33f3",
	"created_at": "2026-04-06T00:07:22.111729Z",
	"updated_at": "2026-04-10T03:35:46.075234Z",
	"deleted_at": null,
	"sha1_hash": "40215446a0d90842d74625f3e6ab444efc3f8bbd",
	"title": "The Importance of Patching: An Analysis of the Exploitation of N-Day Vulnerabilities | Fortinet Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 142510,
	"plain_text": "The Importance of Patching: An Analysis of the Exploitation of N-Day\r\nVulnerabilities | Fortinet Blog\r\nPublished: 2024-02-07 · Archived: 2026-04-02 10:58:54 UTC\r\nAffected Platforms: FortiGate\r\nImpacted Users: Government, service provider, consultancy, manufacturing, and large critical infrastructure organizations\r\nImpact: Data loss and OS and file corruption\r\nSeverity Level: High\r\nExecutive Summary\r\nThe following supplementary research provides an analysis of the exploitation of resolved N-Day Fortinet vulnerabilities.\r\n\"N-Day vulnerabilities\" refer to known vulnerabilities for which a patch or fix is available but for which organizations have\r\nnot yet resolved via patching.\r\nFortinet continues to monitor ongoing activity by threat actors targeting known, unpatched vulnerabilities, specifically:\r\nDecember 2022 - FG-IR-22-398 / CVE-2022-42475\r\nJune 2023 - FG-IR-23-097 / CVE-2023-27997\r\nFortinet continues to urge all customers to take immediate action to review the guidance, assess whether affected, and if\r\nappropriate, upgrade their FortiGate devices as advised, and follow Fortinet’s public advisories.\r\nFortinet diligently balances our commitment to the security of our customers and our culture of researcher collaboration and\r\ntransparency.\r\nIn our ongoing communications and work with our customers and third-party public and private partners, we have been able\r\nto collect malware samples and, in some cases, related network traffic specific to these vulnerabilities and collaborate with\r\nthese organizations to share our analysis and advised recommended actions with our customers and the global cyber\r\necosystem.  
\r\nWe are sharing this analysis to help customers make informed risk-based decisions and for other threat research and security\r\norganizations to help the industry collaborate on identifying this actor's (or actors') activity and aid in detecting and preventing\r\nfurther activity.\r\nThis report was timed to coincide with the report on Volt Typhoon activity from CISA.\r\nN-Day Abuse\r\nThe term “zero-day vulnerability” refers to a software vulnerability exploited by attackers before the software vendor\r\nbecomes aware of it and releases a fix or patch. In contrast, and specific to this analysis, \"N-Day vulnerabilities\" refer to\r\nknown vulnerabilities for which a patch or fix is available but for which organizations have not yet taken appropriate\r\nmeasures to apply the patch, leaving their systems exposed to potential exploitation.\r\nFortinet diligently monitors the abuse of N-Day vulnerabilities where patches have been released, but organizations have not\r\nyet upgraded.\r\nFortiOS - heap-based buffer overflow in sslvpnd\r\nDecember 2022 - FG-IR-22-398 / CVE-2022-42475\r\nFortiOS \u0026 FortiProxy - Heap buffer overflow in sslvpn pre-authentication\r\nJune 2023 - FG-IR-23-097 / CVE-2023-27997\r\nThe best defense against any N-Day vulnerability is following good cyber hygiene, including remediation guidance and\r\ntimely patching. As previously detailed, these vulnerabilities are not trivial to exploit. The complexity of the exploit suggests\r\nan advanced actor, and the fact that the attacks are highly targeted at governmental or strategic targets such as critical national\r\ninfrastructure, manufacturing, and service providers in government-adjacent industries suggests nation-state capability.\r\nhttps://www.fortinet.com/blog/psirt-blogs/importance-of-patching-an-analysis-of-the-exploitation-of-n-day-vulnerabilities\r\nPage 1 of 24\n\nIn this write-up, we analyze recently observed malicious N-Day activity. 
The following research details our investigations\r\ninto the malware and IoCs being observed, which may be useful for organizations tracking adversary activity.\r\nIncident Analysis\r\nFortinet diligently balances our commitment to the security of our customers and our culture of researcher collaboration and\r\ntransparency. We are sharing this information to support impacted organizations, and threat researchers and security\r\norganizations tracing these actors' activity.\r\nThe malware used in these incidents is commonly a variant of a Linux implant customized for FortiOS. The following\r\ninformation was gathered during our forensic filesystem and binary analysis of compromised appliances. However, not all\r\nincidents are identical, so we have broken them down into clusters.\r\nCluster 1\r\nTarget Industries: manufacturing, consulting, local government\r\nld.so.preload:\r\nIn this cluster, /etc/ld.so.preload contained the string /data2/libcrashpad.so. Files listed within ld.so.preload will be preloaded\r\nby any other binary on the system, which results in all FortiOS processes loading and executing the /data2/libcrashpad.so\r\nshared object file on start. Typically, malware will leverage this preloading mechanism to maintain persistence should a\r\nprocess be killed.\r\nFile Path /data2/libcrashpad.so\r\nFile Type: ASCII Text\r\nlibcrashpad.so:\r\nlibcrashpad.so executes /data2/tftpd under the following conditions:\r\n1. /tmp/tftpd.lock is not present\r\n2. 
The current process’s command name is ‘ripd’\r\n/tmp/tftpd.lock will be created if libcrashpad.so executes /data2/tftpd.\r\nFile Path /data2/libcrashpad.so\r\nFile Type: ELF 64-bit LSB shared object, x86-64, dynamically linked\r\ntftpd:\r\nThis is the primary executable responsible for dropping additional malware files and other malicious features. The tftpd\r\nbinary performs the following actions:\r\n1. Establish malware persistence for /data2/libcrashpad.so by creating the file /data/etc/ld.so.preload containing a file\r\npath to libcrashpad.so.\r\n2. Perform timestomping on files to evade detection and as an anti-forensics technique:\r\na. For files /bin/smit, /bin/toybox, /data/etc/ld.so.preload, /data2/libcrashpad.so, and /data2/tftpd - their access\r\ntime and modification time are set based on the corresponding values of /bin/init.\r\nb. For file /lib/libaprhelper.so – its access time and modification time are set based on the corresponding values\r\nof /lib/libc.so.6.\r\n3. Enumerate all running processes and check for the presence of the sslvpnd process. 
Once identified, it drops\r\n/lib/libaprhelper.so and injects it into the sslvpnd process. tftpd receives data from the sslvpnd process via the file\r\nsystem socket /tmp/clientsDownload.sock. It may attempt to retrieve data, such as the address of the peer connected\r\nto the socket, from sslvpnd connections via the hooked accept and accept4 syscalls.\r\n4. Drop the /bin/smit binary. It then deletes the existing FortiOS symbolic link /bin/smit, which originally pointed to the\r\n/bin/init file.\r\n5. Drop the /bin/toybox binary. Following this, it deletes the existing FortiOS symbolic link /bin/sh, which originally\r\npointed to the /bin/sysctl file. It then copies the binary /bin/toybox to be the new /bin/sh. It sometimes creates a new\r\nfolder, /usr/bin.\r\n6. Additional routines are present that may allow stored credentials to be decrypted from the configuration (see the\r\nMitigations section for more details).\r\nFile Path /data2/tftpd\r\nFile Type: ELF 64-bit LSB executable x86-64, version 1 (SYSV) dynamically linked, stripped\r\nLibaprhelper.so:\r\nLibaprhelper.so is dropped by tftpd and injected into the sslvpnd process. Libaprhelper.so hooks the system calls accept and\r\naccept4 in the process’ Procedure Linkage Table. The accept hook function first calls the true accept syscall. It then receives\r\n48 bytes from the newly accepted socket. Eight bytes located at offset 15 from the received data are compared\r\nwith the byte sequence DA F3 64 13 C2 8D 63 C3. 
If the pattern matches, the socket may be shared with the tftpd process\r\nvia the file system socket /tmp/clientsDownload.sock.\r\nFile Path /lib/libaprhelper.so\r\nFile Type: ELF 64-bit LSB shared object x86-64, version 1 (SYSV) dynamically linked, stripped\r\nsmit:\r\nOn a clean FortiOS system, /bin/smit is a symbolic link to /bin/init. The standalone malicious smit binary retains the normal\r\nFortiOS function to hide its presence by forking a child process to execute /bin/init with the arguments provided to /bin/smit.\r\nIt performs the following malicious actions after the child process terminates:\r\n1. Establish malware persistence for /data2/libcrashpad.so by creating the file /data/etc/ld.so.preload containing a file\r\npath to libcrashpad.so\r\n2. Perform timestomping on /data/etc/ld.so.preload. 
The access time and modification time are set based on the\r\ncorresponding values of /bin/init.\r\nFile Path /bin/smit\r\nFile Type: ELF 64-bit LSB shared object x86-64, version 1 (SYSV) dynamically linked, stripped\r\ntoybox:\r\nA toybox binary was dropped by tftpd. tftpd then created a new symbolic link, linking /bin/sh to /bin/toybox.\r\nToybox is a static binary package containing functions such as insmod, iotop, lsmod, lsusb, makedev, mkdir, mkfifo, nc,\r\nnetcat, pivot_root, route, wget, ftpget, shred, and other utilities. These binaries can modify system and network settings,\r\nwhich can help accomplish further actions, such as exfiltration, pivoting to other devices, and getting more system\r\ninformation. This toybox might provide convenience to the attacker for their lateral movement.\r\nFile Path /bin/toybox\r\nHashes: MD5: d0a31975a436d0fe3b4f990c5003ca59 SHA256:\r\nFile Type: ELF 64-bit LSB executable x86-64, version 1 (SYSV) statically linked, stripped\r\nCluster 2\r\nTarget Industries: Internet Service Provider\r\n/data/etc/ld.so.preload:\r\nFiles listed within ld.so.preload will be preloaded by any other binary on the system. 
In these cases, /data/etc/ld.so.preload\r\ncontains the string /data2/flatkc_info, which results in flatkc_info being executed whenever other binaries are run.\r\nFile Path /data/etc/ld.so.preload\r\nHashes:\r\nMD5: 2495159a80aafcdb80bcf8d913d4db80 SHA256:\r\nMD5: b62871b520bd304086da76c729fa5cf7 SHA256:\r\nFile Type: ASCII Text\r\n/data2/flatkc_info:\r\nExecutes /data2/new_alert_info.\r\nFile Path /data2/flatkc_info\r\nHashes:\r\nMD5: 5d898fdbe0080f5c4437d834e8c23498 SHA256:\r\n1029ff063f739ebbf8add74313f2cc454f5d14655327d1a1c190b115549173ed\r\nFile Type: ELF 64-bit LSB shared object executable x86-64, version 1 (SYSV) dynamically linked, stripped\r\n/data2/new_alert_info:\r\nNew_alert_info creates and executes the files /bin/smit, /bin/httpsclid, and /bin/httpsng. Upon rebooting, these three files in\r\nthe bin directory will not persist. New_alert_info, however, provides a persistence mechanism for smit, httpsclid, and\r\nhttpsng. The files are embedded within new_alert_info and not downloaded from an external source.\r\nNew_alert_info also reinforces persistence for flatkc_info by creating the file /data/etc/ld.so.preload and adding the string\r\n/data/etc/flatkc_info to it.\r\nThis malware bears similarities to Rekoobe Malware, which is commonly used by APT31.\r\nFile Path /data2/new_alert_info\r\nFile Type: ELF 64-bit LSB executable x86-64, version 1 (SYSV) statically linked, stripped\r\nhttpsclid:\r\nHttpsclid contains an embedded ELF file. 
It writes the file to the device as /tmp/busybox.\r\nA local socket /tmp/ClientSessionData is created for inter-process communication. Httpsclid can perform various actions\r\nbased on what is transmitted through the socket: 1. Exit program, 2. Data exfiltration, 3. Download/write files, 4. Remote\r\nshell. This file also has the additional capability to query AD Servers via LDAP to identify all active user accounts and query\r\nVMWare NSX SecurityTag APIs to mirror switch traffic.\r\nFile Path /bin/httpsclid\r\nFile Type: ELF 64-bit LSB executable x86-64 version 1 (SYSV) statically linked, stripped\r\nThis malware also bears similarities to Rekoobe Malware, commonly used by APT31.\r\n/bin/httpsng:\r\nHttpsng masquerades itself by running with the process name [ata/0]. It may introduce additional malware to the system.\r\n/bin/httpsng contains code to use \"/tmp/busybox tar -xvf\" to unpack /tmp/tarlog.tar. However, the origin of /tmp/tarlog.tar is\r\nunknown and it was not found on any system.\r\nHttpsng receives an IP address via an ICMP request and establishes a connection back to that IP address. It can perform\r\nvarious actions based on what is transmitted through the connection: 1. Exit program, 2. Data exfiltration, 3.\r\nDownload/write files, 4. 
Remote shell\r\nFile Path /bin/httpsng\r\nHashes:\r\nMD5: 7454bb4b3dfe4f4386980b63f119c208 SHA256:\r\n1b7af533f32a1c0bb62420be787d9e02c8a71bca77f2b0857dd20599f8833853\r\nMD5: f5caae23ace1ee0b48d02427b08f0bad SHA256:\r\n534632ae386cf4d2190ef03be08a96f25fb3a9537d1c380141d36d797b983705\r\nFile Type: ELF 64-bit LSB executable x86-64 version 1 (SYSV) statically linked, stripped\r\n/bin/smit:\r\nEstablishes persistence for /data2/flatkc_info by creating the file /data/etc/ld.so.preload containing the file path to\r\nflatkc_info.\r\nFile Path /bin/smit\r\nFile Type: ELF 64-bit LSB executable x86-64, version 1 (SYSV) dynamically linked, stripped\r\nbusybox:\r\nA legitimate busybox binary.\r\nFile Path /tmp/busybox \u0026 httpsng\r\nHashes:\r\nMD5: ebce43017d2cb316ea45e08374de7315 SHA256:\r\n6e123e7f3202a8c1e9b1f94d8941580a25135382b99e8d3e34fb858bba311348\r\nFile Type: ELF 64-bit LSB executable x86-64, version 1 (SYSV) statically linked, stripped\r\nCluster 3\r\nTarget Industries: manufacturing, consulting\r\nld.so.preload:\r\nFiles listed within ld.so.preload will be preloaded by any other binary on the system. 
In these cases, /data/etc/ld.so.preload\r\ncontains the string /data2/libunwind.1.so, which results in libunwind.1.so being executed whenever other binaries are run.\r\nFile Path /tmp/busybox \u0026 httpsng\r\nHashes: MD5: 8644b8b1cec97b2f43c89526c3b8aaae SHA256:\r\nFile Type: ASCII Text\r\nlibunwind.1.so:\r\nLibunwind.1.so executes /data2/httpdng under the following conditions:\r\n1. /tmp/httpdng.lock is not present\r\n2. The current process’ command name is ‘ripd’\r\n/tmp/httpdng.lock will be created if libunwind.1.so executes /data2/httpdng.\r\nFile Path /data2/libunwind.1.so\r\nHashes:\r\nMD5: e9c2a3efaa97462168790b2fe234a7ba SHA256:\r\n5700a8d9f00ebeb52536d16701522ecf6a07deb660e442cd67acdfb768e17c39\r\nFile Type: ELF 64-bit LSB shared object x86-64, version 1 (SYSV) dynamically linked, stripped\r\nhttpdng:\r\nHttpdng establishes persistence for /data2/libunwind.1.so by leveraging the file /data/etc/ld.so.preload. It is also responsible\r\nfor dropping files in non-persistent directories (directories in which added files are deleted on reboot). /bin/toybox,\r\n/bin/smit, /data2/libunwind.1.so, /tmp/.ptyagent, and /data/etc/ld.so.preload are created by httpdng. Apart from\r\n/tmp/.ptyagent, the access and modify timestamps of these files are changed to match those of /bin/init.\r\nHttpdng may create the file /lib/libaprsd.so. Its access and modification timestamps are modified to match those of /lib/libc.so.6. The\r\nmalware may attempt to load this shared object into the sslvpnd process. Httpdng receives data from the process that has\r\nloaded /lib/libaprsd.so via a file system socket, /tmp/clientsDownload.sock. 
It may attempt to retrieve data from connections\r\nvia the hooked accept and accept4 syscalls.\r\nFile Path /data2/httpdng\r\nFile Type: ELF 64-bit LSB executable x86-64, version 1 (SYSV) dynamically linked, stripped\r\nlibaprsd.so:\r\nLibaprsd.so hooks the system calls accept and accept4 in the process’ Procedure Linkage Table. The accept hook function\r\nfirst calls the true accept syscall. It then receives 48 bytes from the newly accepted socket. Eight bytes located\r\nat offset 15 from the received data are compared with the byte sequence DA F3 64 13 C3 84 C2 80. If the pattern matches,\r\nthe socket may be shared with the httpdng process via the file system socket /tmp/clientsDownload.sock.\r\nFile Path /lib/libaprsd.so\r\nFile Type: ELF 64-bit LSB shared object x86-64, version 1 (SYSV) dynamically linked, stripped\r\nsmit:\r\nSmit will establish malware persistence by creating the file /data/etc/ld.so.preload containing the string\r\n/data2/libunwind.1.so. This ensures /data2/libunwind.1.so will be executed regularly. 
The timestamps of\r\n/data/etc/ld.so.preload are modified by smit to mask its presence.\r\nFile Path /bin/smit\r\nHashes:\r\nMD5: bc1bd24e32fb6a778c1e79840e8ec78f SHA256:\r\n51d0d5d83735a3a63a2405b4f9909676fc572827693f34b80799b0786a5f1677\r\nFile Type: ELF 64-bit LSB executable ARM aarch64, version 1 (SYSV) dynamically linked, stripped\r\ntoybox:\r\nToybox binary dropped by httpdng. Toybox is a collection of Linux command line utilities.\r\nFile Path /bin/toybox\r\nHashes: MD5: d0a31975a436d0fe3b4f990c5003ca59 SHA256:\r\nFile Type: ELF 64-bit LSB executable x86-64, version 1 (SYSV) statically linked, stripped\r\nptyagent:\r\nPtyagent may serve as a remote shell. It can create and listen on a network socket. It will also execute /bin/bash or /bin/sh,\r\ndepending on what is present on the system.\r\nFile Path /tmp/.ptyagent\r\nHashes:\r\nMD5: 2d88911f67a2cce7fa97cdf0ae59a027 SHA256:\r\n910e7fc043560fbc2757304503de38a8824238765b2d91d87b974fefa253e311\r\nFile Type: ELF 32-bit LSB executable Intel 80386 version 1 (SYSV) statically linked, stripped\r\nCluster 4\r\nlibpe.so:\r\nThis is a file unpacker that unpacks an encoded file into multiple files. This file has the typical hallmark of malware by\r\nbeing able to delay startup by a random amount of time to avoid detection.\r\nFile Path\r\nHashes:\r\nMD5: 90235445d07be98cd0f820b5 SHA256:\r\n50451bb5b6d68115695a6cb277839a6dd2bad8f70bdb8b79670b18dcde188965\r\nFile Type: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped\r\nsmartctl:\r\nThis file name is the same as the legitimate file /bin/smartctl. 
However, the purpose of this file is to execute shell commands\r\nfrom the FortiGate command line as it redirects its input to /bin/sh.\r\nFile Path /bin/smartctl\r\nHashes: MD5: 205a8c6049061930490b2482855babcd SHA256:\r\nFile Type: ELF 32-bit LSB executable Intel 80386 version 1 (SYSV) statically linked, stripped\r\nauthd:\r\nThis binary provides a process injection feature into a running process and has an API hooking mechanism. We have seen\r\nmalicious binaries that provide similar process injection capabilities. However, this binary seems a little more advanced as it\r\nincludes a built-in API hooking mechanism.\r\nFile Path /bin/authd\r\nHashes:\r\nMD5: 9124ce75319514561156d2013fc9d3be SHA256:\r\nf40c04fb9e2d4157a0bc753925dbc5f757feb77cdd22f90fedf3cc5e095143bc\r\nFile Type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-x86-64.so.2\r\nhttpsd:\r\nThis binary has C2 communication capability and can read and write to a configuration.\r\nFile Path /bin/httpsd\r\nHashes:\r\nMD5: 218a3525ab8e46f7afe252d050a86907 SHA256:\r\n3ed99aad5922744b6a75ea90ea6ece81ba0d8eb9935aec38b897e44ac3b36c35\r\nFile Type: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, stripped\r\nThis sample contained an interesting string that led one of our CERT partners to name this cluster COATHANGER:\r\n“She took his coat and hung it up.”\r\nThis string is taken from the book Lamb to the Slaughter by Roald Dahl. A search for this string in VirusTotal resulted in a\r\nsingle link to an innocuous PDF file containing the same string.\r\nhttps://www.virustotal.com/gui/search/21ce19be794adbcff49c90cfff9eba5189ae0131ac69396ea5544822882b440b%255C/files\r\nThis was not overly unusual, given that the file appears to be a PDF copy of the book. 
However, the date of the upload was\r\nsuspiciously recent for such an old book. Out of an abundance of caution, we analyzed the file, but it was found not to be\r\nmalicious.\r\nnewcli:\r\nIt uses the “authd” binary to inject the /lib/preload.so file and replaces the reboot function with a malicious function.\r\nFile Path /bin/newcli\r\nHashes:\r\nMD5: ab89139e3d47fbaba2da33040da95200 SHA256:\r\n2acc6a2a931db63fe3a875780f00192a60955c9794df68fe0ace0012d309b04f\r\nFile Type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked\r\nWe have observed in other clusters an injector binary being used to inject into a process with pid=1.\r\npreload.so:\r\nProvides persistence and system functions. It can copy malicious files to memory and write them back to disk when the\r\nsystem reboots. It also provides a malicious function called newreboot.\r\nThis is somewhat similar to previous clusters due to the presence of a “reboot” export function/API hooking, but other\r\nfeatures have not previously been observed.\r\nFile Path preload.so\r\nHashes:\r\nMD5: a62377c01935f366761846b5ceed5a49 SHA256:\r\n1c437dc9e929669e5a65a1c70afb3107fba471afb9ad35e3848334c9332f2b59\r\nFile Type: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked\r\nsh:\r\nThis non-malicious busybox binary provides multiple tools, as seen in other campaigns.\r\nFile Path /bin/sh\r\nHashes:\r\nMD5: 991461b86aebecfd096dc11ff2a04b4b SHA256:\r\ndcd9a5af1c6297ed1a66c851efa305000335d8ade068ba515125a6612f1d5300\r\nFile Type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped\r\nliblog.so:\r\nThis hook intercepts read APIs targeting /dev/fgtlog to disable reading from /dev/fgtlog. 
We have not seen malware targeting\r\n/dev/fgtlog in previous clusters.\r\nFile Path /lib/liblog.so\r\nHashes:\r\nMD5: e24d14d3e6c6de0ed3db050dd5c935f0 SHA256:\r\na79f80158ebbf9e34f6a7ec86b564de2fbee783fe6c1e20eefe2832226e2f827\r\nFile Type: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped\r\npackfile:\r\nThis is a container file with malicious files in it that are unpacked as needed. This is unlike previous clusters.\r\nFile Path packfile\r\nHashes:\r\nMD5: 201ee76e996846d5ea3fc03bac3273dd SHA256:\r\n4591b4fb1c93c27203b36c773597fd3f885338ad7641dcebf8ed2395acdf4a5f\r\nFile Type: ELF 32-bit LSB executable Intel 80386 version 1 (SYSV) statically linked, stripped\r\nStandalone Instances\r\nInstance 1\r\nTarget industry: consultancy\r\nld.so.preload:\r\nFiles listed within ld.so.preload will be preloaded by any binary on the system. On this system, /data/etc/ld.so.preload\r\ncontains the string /data2/lib/liblpmonitor.so, which results in liblpmonitor.so being loaded whenever other binaries are run.\r\nHowever, the file /data2/lib/liblpmonitor.so was not found on the disk at the time of our investigation.\r\nFile Path /data/etc/ld.so.preload\r\nHashes: MD5: 0ef308bacbbc932fa24f10ae2b83a984 SHA256:\r\nFile Type: ASCII Text\r\nptyagent:\r\nThis file is based on Chisel, an open-source traffic tunneling tool that can tunnel TCP and UDP connections over HTTP and\r\nestablish a reverse shell. 
This tooling has been observed to be used by multiple APTs, including the Lorenz Ransomware\r\ngroup and UNC757.\r\nFile Path /tmp/.ptyagent\r\nHashes:\r\nMD5: ca5184d43691ee8d8619377e600fa117 SHA256:\r\n70372f95fa5cf917639007ae25a67a53d0297b67792b00bbea63ce0b170f95b8\r\nFile Type: Known malware - Linux/Chisel.D!tr\r\nInstance 2\r\nTarget industry: service provider\r\nld.so.preload:\r\nFiles listed within ld.so.preload will be preloaded by any other binary on the system. On this system, /data/etc/ld.so.preload\r\ncontains the string /data2/liblink.so.1, which results in all the FortiOS processes loading and executing liblink.so.1.\r\nld.so.preload also acts as a persistence mechanism.\r\nFile Path /data/etc/ld.so.preload\r\nHashes: MD5: ee50b080c6209e63a85c60cd3cee52b4 SHA256:\r\nFile Type: ASCII Text\r\nliblink.so.1:\r\nliblink.so.1 performs a check to determine if the file /tmp/fortlinkd.lock exists. If the file is present, it proceeds. It also\r\nensures that only one instance of liblink.so.1 performs malicious activities by verifying it is running under the ripd process.\r\nThis check allows it to prevent multiple instances from engaging in malicious actions. Next, it executes the /data2/fortlinkd\r\nbinary and creates the file /tmp/fortlinkd.lock to prevent further executions of /data2/fortlinkd.\r\nFile Path /data2/liblink.so.1\r\nHashes:\r\nMD5: 031e21168d7e783d26998e63217a365c SHA256:\r\ndfafeb3efaba2c8e5d80ec7a37c00805895df1a47333515082da54e49a388a59\r\nFile Type: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped\r\nfortlinkd:\r\nThe fortlinkd process attaches itself to the /bin/init process (pid=1) and reads the memory of /bin/init into a virtual address\r\nspace. 
It continues this process until it locates the string /bin/smit and potentially attempts to modify the memory of the\r\n/bin/init process. It then deletes the original /bin/smit binary and replaces it with a new malicious binary as /bin/smit.\r\nTo provide full permissions, fortlinkd employs chmod on the malicious /bin/smit. If the /bin/fgfm file exists, it is removed,\r\nand a new malware file is dropped in its place as /bin/fgfm. The /data2/fortlinkd then executes the newly dropped fgfm\r\nbinary, followed by the creation of the /data2/liblink.so.1 and /data/etc/ld.so.preload files.\r\nFile Path /data2/fortlinkd\r\nHashes:\r\nMD5: d97bae365bd4c3fbf2eb834d678dbd11 SHA256:\r\nbfc20c8e21fa4674492576961baedae90f7794a8534d2ad3ef4e230de2fb38ab\r\nFile Type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped\r\nsmit:\r\nsmit checks for the presence of the /data/etc/ld.so.preload file, which is used as a persistence mechanism. It creates a child\r\nprocess that executes /bin/init with smit as its argument.\r\nFile Path /bin/smit\r\nHashes: MD5: 823ae2645869e4fc9ebcb046aa760440 SHA256:\r\nFile Type: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked\r\nfgfm:\r\nThe fgfm binary masquerades itself by running with the process name [ata/0]. The malware may be able to download additional\r\npayloads, including the file /tmp/tmplog.tar. The file gets unpacked using /tmp/busybox tar -xvf. Fgfm can delete files on the\r\nsystem, establish a connection, and perform various actions based on what is transmitted through the connection:\r\n1. Exit program\r\n2. Data exfiltration\r\n3. Download/write files\r\n4. 
Remote shell\r\nFile Path /bin/fgfm\r\nHashes: MD5: 83d5c75bf1d2090a6cceaf2a80d906da SHA256:\r\nFile Type: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked\r\nInstance 3\r\nTarget industry: service provider\r\nld.so.preload:\r\nFiles listed within ld.so.preload are loaded into every dynamically linked binary on the system. On this FortiGate, /data/etc/ld.so.preload contains the string “/data/lib/libav.so”, which results in /data/lib/libav.so being loaded whenever other binaries are executed.\r\nFile Path /data/etc/ld.so.preload\r\nHashes: MD5: 0d4b4c13a6ef8266ed5ef464c6883bf1 SHA256:\r\nFile Type: ASCII Text\r\nlibav.so:\r\nlibav.so executes /data2/.vile/ketg only when both of the following conditions hold:\r\nThe current process’ command line contains ‘usbmuxd’\r\nThe file /tmp/logx is not present\r\nThe file /tmp/logx is created if it does not exist; it is an empty file used as a marker that the execution has happened, so ketg runs once rather than from every process the library is preloaded into. libav.so also attempts to find the kernel symbol “fos_process_appraise” by iterating all kernel symbols in /proc/kallsyms and appears to change a few bytes of the device’s physical memory through the /dev/mem file, apparently to modify or bypass security features.\r\nFile Path /data/lib/libav.so.new/libav.so\r\nHashes:\r\nMD5: 30009c9052e588b93fb12e918bbcecfb\r\nSHA256: 6584f614fb0ef864cd5aa5b6ec1b42299f2b639a23e4b1e853caf3b2f2254b14\r\nFile Type:\r\nELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped\r\nketg:\r\nThis is the primary executable for dropping additional malware files and providing other important malicious features. The ketg binary has the following capabilities:\r\n1. Establish persistence: It checks for the existence of the file /data2/.vile/ldzvg and copies it as a persistence file /data/etc/ld.so.preload that contains the path to /data/lib/libav.so. 
It also changes the file permission and sets it to “r-xr-xr-x.”\r\n2. File creation:\r\n1. It checks for the existence of the file /data2/.vile/libsef.so and copies this shared object as /data/lib/libav.so.new. It also changes the file permission and sets it to “r-xr-xr-x.”\r\n2. It checks for the existence of the file /data2/.vile/569851 and copies this shared object as /SYSV64564856.\r\n3. It checks for the existence of the file /data2/.vile/libsef.so and copies this shared object again in place of the legitimate AV Engine file /data/lib/libav.so. It also changes the file permission and sets it to “r-xr-xr-x.”\r\n3. Process injection: It executes the binary /data2/.vile/ith with arguments to inject the shared object file /SYSV64564856 into the /bin/init process (pid=1). After successful injection, it deletes /SYSV64564856.\r\nFile Path /data2/.vile/ketg\r\nHashes:\r\nMD5: e9ae2188d7a46fdac30b192b7405cba2 SHA256:\r\n8f380a844011daa8854798bf31981b660bf752e95c2e41ae50c0306275b5c0ed\r\nFile Type:\r\nELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped\r\nSYSV64564856:\r\nThe shared object /SYSV64564856 is injected into the main /bin/init process with the help of the malicious /data2/.vile/ith binary. This shared object has API hooking ability and tries to hook the reboot function of FortiOS to execute the /data2/.vile/ketg binary before calling the original reboot function, so the persistence files are re-staged immediately before each reboot. The file name also helps it hide: because the file is deleted after injection, the mapping appears in /proc/1/maps as /SYSV64564856 (deleted), which is exactly how genuine System V shared-memory segments are listed, so the injected object blends in with legitimate mappings.\r\nFile Path /SYSV64564856\r\nHashes: MD5: 8771305a111e1b38ada954513af4507c SHA256:\r\nFile Type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped\r\nith:\r\nThis executable enables injecting a shared object into a running process. This binary performs process injection using Linux’s ptrace function. 
We observed that ith is executed by the ketg process using execve(“/data2/.vile/ith”, [1 -p 1 /SYSV64564856], [TERMINFO=/tmp/terminfo, TERM=vt220, PWD=/, TZ=GMT]), thereby injecting the malicious shared object into pid=1, which is the /bin/init process. While the injection is in progress, /proc/1/status reports a non-zero TracerPid, and the new mapping remains visible in /proc/1/maps afterwards.\r\nFile Path /data2/.vile/ith\r\nHashes:\r\nMD5: 8d4c9b498da847c3690260bb28f046f9 SHA256:\r\n75ce32c1e3ba902f7dcbf5bce63347448a94537682cebdde6d93efb2ede3f81c\r\nFile Type:\r\nELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped\r\n/data2/.vile/dnpfmn:\r\nThis binary checks for the existence of the file /data2/.vile/lmcdle and executes the fmteld binary (which is very similar to the legitimate busybox binary), causing it to wait for 900 seconds and then kill all processes with the name lmcdle.\r\nFile Path /data2/.vile/dnpfmn\r\nHashes:\r\nMD5: 3977f8b8f5ec13604819f45282fd9b71 SHA256:\r\nadb1b6fc93a0225a203ec64a48470072b5d5c43d8f15860ee03f24673d9d97fe\r\nFile Type:\r\nELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped\r\nlmcdle:\r\nThis binary retrieves and stores kernel information and can communicate with the IP 146.185.214.63 on port 443, an IP in a cloud provider in Australia. This IP does not appear in any blocklist. After a connection is established, it sends some encoded data to this IP and can also receive responses from the server. 
At the time of investigation, the remote server did not respond with meaningful information.\r\nFile Path /data2/.vile/lmcdle\r\nHashes:\r\nMD5: 3fba828577e745c8a51d657cc393f461 SHA256:\r\n20de58db0cfb04ce0abde662ca84b00ca7135bb546e2d32865046c3e4acc1b92\r\nFile Type:\r\nELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped\r\nfmteld and /data2/brodel:\r\nfmteld and brodel appear to be legitimate busybox binaries with no additional extensions.\r\nFile Path /data2/.vile/fmteld\r\nHashes: MD5: 46c59ceb4ded468d692a92e34df75988 SHA256:\r\nFile Type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped\r\nFile Path /data2/brodel\r\nHashes: MD5: 96e74f0f463eadeded69db5d0efde628 SHA256:\r\nFile Type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped\r\nMalware Summary \u0026 Attribution\r\nClusters 1, 2, and 3\r\nAll three of the primary activity clusters contain similarities in techniques:\r\nIn all cluster cases, persistence was achieved using /bin/smit and /data/etc/ld.so.preload.\r\nClusters 1 and 3 use toybox as a multipurpose binary (cluster 2 uses busybox).\r\nClusters 1 and 3 target similar industries, unlike cluster 2.\r\nClusters 2 and 3 use similar naming conventions for very different binaries (httpsng \u0026 httpdng).\r\nCluster 3 httpdng contains functionality similar to cluster 2 libcrashpad. 
It may be a different version of the malware.\r\nUse of /bin/smit and /data/etc/ld.so.preload appears in all the clusters, and this method was also used in some single cases not listed in this document.\r\nOne file, /bin/smit, appeared to have been built from the same code and shared between clusters 1 and 2.\r\nCluster 2 malware bore many similarities to the Rekoobe malware commonly used by APT31.\r\nDue to the targeting of critical infrastructure organizations, the use of living-off-the-land (LOTL) binaries, and the similarity of techniques employed, we believe Clusters 1 and 3 are from the same threat actor or group of actors and are related to Volt Typhoon (G1017). While it uses similar exploitation methods and the previously seen Rekoobe malware, the techniques and targets of Cluster 2 are different enough to hypothesize that this could be a separate but coordinating APT group.\r\nCluster 4\r\nThis cluster was only seen twice and does not have enough data points to make a clear attribution. There is an overlap in techniques similar to Clusters 1 and 3. Still, there are enough differences and regional targeting to assume this is a different APT, potentially sharing tactics with a related actor. The techniques bear hallmarks similar to previously observed activities by APT15.\r\nInstance 1\r\nThis individual instance does not show the hallmarks of the other cases. The use of bash scripts and off-the-shelf Chisel malware indicates a different actor, possibly UNC757, as described by CISA.\r\nInstance 2\r\nThis individual instance bears the hallmarks of the actor responsible for Clusters 1 and 3, based on atomic indicators. However, the evidence is weak.\r\nConclusion\r\nFortinet’s culture of proactive, transparent, and responsible PSIRT disclosure is one of many ways we show up as a responsible member of a larger cybersecurity ecosystem and demonstrate our commitment to helping customers make informed risk-based decisions. 
Fortinet is sharing this follow-on research and related details to help the industry collaborate on identifying the activity of this actor or actors and to aid in detecting and preventing further activity.\r\nThese attacks demonstrate the use of already resolved N-day vulnerabilities and subsequent LOTL techniques, which are highly indicative of the behavior employed by the cyber actor or group of actors known as Volt Typhoon, which has been using these methods to target critical infrastructure and potentially other adjacent actors. This report also further highlights the need for organizations to have a robust patch management program in place and to follow best practices to ensure a secure infrastructure.\r\nRecommended actions\r\nCISA has today provided additional guidance for securing your network against this activity in their white paper, Identifying and Mitigating Living Off the Land Techniques joint guidance.\r\nThis blog further highlights the need for organizations to follow good cyber hygiene, including industry guidance offered by the Network Resilience Coalition, of which Fortinet is a founding member. 
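Before a suspected device is reinstalled, a responder usually wants to confirm the compromise from a forensic copy. The following Python triage script is an added example written for this page; it is not Fortinet's code and not a tool the page describes. It applies the indicators from Instances 2 and 3 above to an offline snapshot: any entry in /data/etc/ld.so.preload, the [ata/0] kernel-thread masquerade used by fgfm, the deleted /SYSV64564856 object injected into pid 1, the drop locations under /data2 and /tmp, and the SHA256 values from the IOC table. The sample snapshot, the path pattern, the severity labels and the device-major heuristic for telling an injected file from a real System V shared-memory segment are this example's assumptions; on a real image, replace the sample data with the file contents and /proc entries collected from the device.

```python
# Added triage helper for the indicators on this page; not code from the Fortinet blog.
# It works on an offline snapshot (ld.so.preload text, file bytes, /proc/<pid>/maps
# text and per-process /proc fields), here filled with constructed sample data.
import hashlib
import re

# SHA256 values copied from the IOC table on this page.
PAGE_IOC_SHA256 = {
    '70372f95fa5cf917639007ae25a67a53d0297b67792b00bbea63ce0b170f95b8',  # /tmp/.ptyagent
    'dfafeb3efaba2c8e5d80ec7a37c00805895df1a47333515082da54e49a388a59',  # /data2/liblink.so.1
    'bfc20c8e21fa4674492576961baedae90f7794a8534d2ad3ef4e230de2fb38ab',  # /data2/fortlinkd
    '6584f614fb0ef864cd5aa5b6ec1b42299f2b639a23e4b1e853caf3b2f2254b14',  # /data/lib/libav.so
    '8f380a844011daa8854798bf31981b660bf752e95c2e41ae50c0306275b5c0ed',  # /data2/.vile/ketg
}
# Drop locations reported on the page; the pattern itself is this example's assumption.
SUSPICIOUS_PATH_RE = re.compile(
    r'^(/data2/|/SYSV[0-9]+$|/tmp/.ptyagent$|/tmp/busybox$|/data/lib/libav.so.new/)')


def audit_preload(preload_text):
    '''Every non-empty line of ld.so.preload is forced into each dynamically linked
    process, so on an appliance any entry deserves review; writable partitions rank high.'''
    findings = []
    for line in preload_text.splitlines():
        lib = line.strip()
        if lib:
            severity = 'high' if lib.startswith(('/data', '/tmp', '/SYSV')) else 'review'
            findings.append((lib, severity))
    return findings


def hash_hits(files, ioc_sha256=PAGE_IOC_SHA256):
    '''files: {path: bytes}. A hash match is definitive; a path match still matters,
    since rebuilt samples change hash far more often than they change location.'''
    hits = {}
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in ioc_sha256:
            hits[path] = 'sha256 match ' + digest
        elif SUSPICIOUS_PATH_RE.match(path):
            hits[path] = 'suspicious path'
    return hits


def masquerading_processes(procs):
    '''procs: dicts with pid, ppid, comm, cmdline and exe read from /proc/<pid>/.
    Real kernel threads are children of kthreadd (pid 2) with an empty cmdline and
    no exe link; ps prints them as [name]. fgfm copies only the bracketed name.'''
    flagged = []
    for p in procs:
        if p['pid'] == 2:
            continue                               # kthreadd itself has ppid 0
        shown = p['cmdline'] or '[' + p['comm'] + ']'
        if shown.startswith('[') and shown.endswith(']'):
            if p['cmdline'] or p['ppid'] != 2 or p['exe']:
                flagged.append(p['pid'])
    return flagged


def foreign_mappings(maps_text):
    '''Lines of /proc/1/maps. A genuine System V shm segment also shows as
    /SYSV<hex> (deleted), but it lives on an unnamed pseudo-filesystem (device
    major 0); an object injected from disk keeps its real block device number.'''
    found = []
    for line in maps_text.splitlines():
        parts = line.split()                       # addr perms offset dev inode path
        if len(parts) >= 6:
            dev, path = parts[3], parts[5]
            if path.startswith('/SYSV') and int(dev.split(':')[0], 16) == 0:
                continue                           # real shm segment, not a file
            if SUSPICIOUS_PATH_RE.match(path) and path not in found:
                found.append(path)
    return found


# Constructed sample snapshot (not from a real device), shaped after Instances 2 and 3.
SAMPLE_PRELOAD = '/data/lib/libav.so'
SAMPLE_MAPS = '''
7f1000000000-7f1000020000 r-xp 00000000 08:01 1234 /lib/libc.so.6
7f1100000000-7f1100001000 rw-s 00000000 00:05 98304 /SYSV0000a1b2 (deleted)
7f2000000000-7f2000005000 r-xp 00000000 08:01 5678 /SYSV64564856 (deleted)
7f3000000000-7f3000004000 r-xp 00000000 08:01 9012 /data2/liblink.so.1
7f4000000000-7f4000021000 rw-p 00000000 00:00 0
'''
SAMPLE_PROCS = [
    {'pid': 1, 'ppid': 0, 'comm': 'init', 'cmdline': '/bin/init', 'exe': '/bin/init'},
    {'pid': 2, 'ppid': 0, 'comm': 'kthreadd', 'cmdline': '', 'exe': None},
    {'pid': 15, 'ppid': 2, 'comm': 'ata/0', 'cmdline': '', 'exe': None},
    {'pid': 4210, 'ppid': 1, 'comm': '[ata/0]', 'cmdline': '[ata/0]', 'exe': '/bin/fgfm'},
]
SAMPLE_FILES = {
    '/bin/init': b'placeholder bytes for a clean binary',
    '/data2/.vile/ketg': b'placeholder bytes: hash unknown, path known',
    '/tmp/.ptyagent': b'placeholder bytes standing in for a chisel build',
}


def run_demo():
    '''Runs every check; one constructed hash is added so the hash-match branch fires.'''
    iocs = PAGE_IOC_SHA256 | {hashlib.sha256(SAMPLE_FILES['/tmp/.ptyagent']).hexdigest()}
    return {'preload': audit_preload(SAMPLE_PRELOAD),
            'files': hash_hits(SAMPLE_FILES, iocs),
            'procs': masquerading_processes(SAMPLE_PROCS),
            'maps': foreign_mappings(SAMPLE_MAPS)}
```

The four checks are independent: the preload and hash checks can be run against a mounted image, while the process and maps checks need data captured from the live system or parsed out of a memory image into the same fields; run_demo() ties them together on the constructed snapshot. A hit from audit_preload or foreign_mappings is worth acting on even when no hash matches, since the page's own clusters show the same locations reused across differently built samples.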
Fortinet strongly recommends the following activities:\r\nMonitor Fortinet Security Advisories and immediately patch affected systems.\r\nIf you suspect your device may have been compromised, please follow the recommended advice by performing a clean install of the latest patch version and auditing your configuration for any unauthorized changes.\r\nFortinet has implemented additional measures to prevent the exploitation of unpatched systems in the wild.\r\nFortinet has implemented hardware-based firmware and filesystem integrity checking, including virtual patching of the local management interface and real-time file system integrity checking, and continues to encourage customers to upgrade to the latest firmware version(s) to take advantage of these features.\r\nFollow hardening recommendations, e.g., the FortiOS 7.2.0 Hardening Guide.\r\nMinimize the attack surface by disabling unused features and managing devices via an out-of-band method wherever possible.\r\nMaintain good cyber hygiene and follow vendor patching recommendations.\r\nIOCs\r\nAs this is a post-compromise forensic static analysis of the malware samples, only file sample IoCs are included and not IP IoCs. Note that the ld.so.preload samples are one-line text files whose hash changes with any change to the path they contain, so hunting for the presence of any entry in /data/etc/ld.so.preload is more robust than matching their hashes.\r\nFile Hash Detection\r\nlamb_to_the_slaughter_story.pdf\r\nMD5: a9fcd43714f33da1711dfb651fae5b17\r\nSHA1: 34326088f095580209a74832fd68f8d1a91e7cc5\r\nSHA256: 21ce19be794adbcff49c90cfff9eba5189ae0131ac69396ea5544822882b440b\r\nN/A\r\nld.preeload\r\nMD5: 2495159a80aafcdb80bcf8d913d4db80\r\nMD5: b62871b520bd304086da76c729fa5cf7\r\nMD5: e3bb54fb78b70d50746082d077cfccba\r\nMD5: 1f7c614bbb75fec9b94efb58404bdeca\r\nMD5: d590aa857efe4623c221a398e953c764\r\nMD5: 5fe8e0625b272cf2bb75023c1ded7b44\r\nMD5: 8644b8b1cec97b2f43c89526c3b8aaae\r\nMD5: 0ef308bacbbc932fa24f10ae2b83a984\r\nMD5: 0d4b4c13a6ef8266ed5ef464c6883bf1\r\nMD5: 
ee50b080c6209e63a85c60cd3cee52b4\r\nN/A\r\n/data2/flatkc_info MD5: 5d898fdbe0080f5c4437d834e8c23498 ELF/Agent\r\ndata2/new_alert_info\r\nMD5: 210fcaa8bf95c3c861ee49cca59a7a3d ELF/Agent\r\nMD5: a5d4b0228beca0f5360049490882683f ELF/Agent\r\nMD5: a1192fca2299c57b122e1ffbadecef37 ELF/Agent\r\n/bin/httpsclid MD5: 944a31cf9936920a3fb947cb29171631\r\nSHA256: 7ff5e0c2ecd6397dcbc013d4c343007f9ebb4099aabda9a7745ab1dd1b215c91\r\nELF/Agent\r\n MD5: 60057a831f3498751e37413c45c29c4a TBC\r\nMD5: d84a95d19f19eeee2415f41c2c181db8\r\nSHA256: 5089f545aa94d273d18150102dc65c3a08b4335d6f171d9b3f655599d8589b0e\r\nELF/Agent\r\nMD5: 4c375c7ac9ee2f8a04c920381683e811\r\nSHA256: 7edd6af205e748d13641bf3d3209bc69ab062b71db06700277b337f3b026700e\r\nELF/Agent\r\n/bin/httpsng\r\nMD5: 7454bb4b3dfe4f4386980b63f119c208\r\nSHA256: 1b7af533f32a1c0bb62420be787d9e02c8a71bca77f2b0857dd20599f8833853\r\nELF/Agent\r\nMD5: f5caae23ace1ee0b48d02427b08f0bad\r\nSHA256: 534632ae386cf4d2190ef03be08a96f25fb3a9537d1c380141d36d797b983705\r\nELF/Agent\r\n/bin/smit\r\nMD5: fc78c1800fbe25e57a7333ca51e183b6\r\nSHA256: b8bd746e4713e101266d74bbe8cfbf064b5979adb8df68076d295df9e0a215d0\r\nELF/Agent\r\nMD5: 247139079d8a1c2534ef0d2b726d8ebb\r\nSHA256: 4860b98219177aacb786b1a2d5c68e999c0c8cf6c6400c7fe773fb18f44c78be\r\nELF/Agent\r\nMD5: 2fc1aa1ab1ecde77eb6724f7385d5749\r\nSHA256: 46ac81f19c996d9a2e257ef584455a721aad15f1cdeb597e8f853e288b3e9070\r\nELF/Agent\r\nMD5: cf49feb43667819b880422efbe89fd01\r\nSHA256: 6a92e750eb4e84be875158e6ecb11ac3e4716c04ff32d29206bf7b1a4ec46edc\r\nELF/Agent\r\nMD5: 08039b1cbdf880a3d86f8646bb286709\r\nSHA256: 2b1aa340384b5e889008839bc961fcb438379cc2de8be880664ae41fd9e77084\r\nELF/Agent\r\nMD5: bc1bd24e32fb6a778c1e79840e8ec78f\r\nSHA256: 
51d0d5d83735a3a63a2405b4f9909676fc572827693f34b80799b0786a5f1677\r\nELF/Agent\r\nMD5: 823ae2645869e4fc9ebcb046aa760440 TBC\r\n/tmp/busybox MD5: ebce43017d2cb316ea45e08374de7315 N/A\r\n/data2/libcrashpad.so MD5: e9f64481280c964a6a5dbf551e9cf6f0\r\nSHA256: 7075c5595ac2b34c8f5cf99aeeae0a99b10df100cfb5362f9a2a033ce4451a0e\r\nELF/Agent\r\nMD5: 9db3c6c29b4028ccd63ee38b62620df7\r\nSHA256: 9af6b6b1ce11ab62a95f3990cdf9b0f3d4bc722f662d80116bcdabdd302f4aee\r\nELF/Agent\r\nMD5: 5b2882b0a4de3210e1bfa5db1ed63713\r\nSHA256: ef7f71ea1c7f35c8a28fc2e98fa9e59b8e2d0f0bea84a527cf2c20ccc4f8b816\r\nELF/Agent\r\nMD5: aa53393374e3ec355c0071adeba535eb\r\nSHA256: \r\nELF/Agent\r\nMD5: dbe0d8d612ad89229cd6175e37157f3c TBC\r\nMD5: 604d909d4d8d69c07e3474ceaf379f20\r\nSHA256: ddc68e6647f9abcf23206d2fbcbccb4459d7f545abfc9b2e12ebba2e5a29bcd1\r\nELF/Agent\r\nMD5: 78310bad651eff14e5ecefe674630e75\r\nSHA256: 1103c2cd47fd62d2c9353edb5c2dce23173c15770594237b84e01635723b0eec\r\nELF/Agent\r\n/data2/tftpd\r\nMD5: cf3e6cb8ada288aa2d1bc39d1ce2ad54\r\nSHA256: a322034e610aa07632ade4323d37d55c5c613b155ef51b05ab83de4159c231b2\r\nELF/Agent\r\nMD5: 0909a8ee77fbd40ab461df20600ddae0\r\nSHA256: ba0b6b0c6b628dffcf0f34fa78fb61acb6c1b457f7b5addadbe4dba575bac5bd\r\nELF/Agent\r\nMD5: 953813bb2137e351709d98a91336eb25\r\nSHA256: 65a9314fc3fac8cc238534d81c12e2080820f86a58299113c164aea4cd18f11c\r\nELF/Agent\r\nMD5: b11faf42afeca35920a248001b90e997 N/A\r\n/lib/libaprhelper.so\r\nMD5: 9e898f389003f9141831856f021fda3a\r\nSHA256: 80d03d5d35a7b9bde7e5e60f0df3baa0c51cbbd9214d875cd1967f589b9df183\r\nELF/Agent\r\nMD5: 9d2bc4e59357b56199b709a599600fa7\r\nMD5: 176220a8ac6f344aaf620efab5c6f276\r\nSHA256: 7a86b793612a6b6a3f27d7c24eec4c75202915c7c2c36b786c39ef95628b1286\r\nELF/Agent\r\nMD5: 2349d1d1acb69e91aea5be7767254f81\r\nSHA256: 
1209b5ff4755e689e260e680caf33b52ecd3fa8a1bb20ff06d7770828490baee\r\nELF/Agent\r\nMD5: 9d7b6fc9a0702381062726f634d0df0f\r\nSHA256: 43c1905b2078a8de9d0fa42e16465692066825e3dcb42a17cbf40b77736527c2\r\nELF/Agent\r\nMD5: b32ad75ce0494586a8b278c0413c0406 N/A\r\nMD5: e7ab34f7df83ce3ed6bf287332f7ce73\r\nSHA256: 80d03d5d35a7b9bde7e5e60f0df3baa0c51cbbd9214d875cd1967f589b9df183\r\nELF/Agent\r\nMD5: 8b2c08f4e558626f34494b171e21f644\r\nSHA256: a667edc691e9950ec0bc92e9f2cdcb7e99a086286063864040435f26537f9d9b\r\n/data2/libunwind.1.so\r\nMD5: e9c2a3efaa97462168790b2fe234a7ba\r\nSHA256: 5700a8d9f00ebeb52536d16701522ecf6a07deb660e442cd67acdfb768e17c39\r\nELF/Agent\r\n/data2/httpdng\r\nMD5: f84a5eff50af2a7bfae49345b3b3ce1e\r\nSHA256: 662dd91647c45df0625c011565a60f18e0de47b9e57653763868205f4026593f\r\nELF/Agent\r\nMD5: e1aff3203fd38fc4790157d908ef742a\r\nMD5: f66c0c328d40cffdb0d8dfa0444fe923\r\nMD5: 7aaaf17e4e3638d2f93b1cf5a1579ac6\r\nSHA256: 0088cfd5b4b7195edab836236ba0c6a0c2aded3e4b8a842f11ee4e9c5e4ae3c1\r\nELF/Agent\r\n/lib/libaprsd.so\r\nMD5: dc95090cca508d1196b972c385dc3405\r\nSHA256: 89e049fd0df33da453fe04d9b2f9619b46dac0fceb7a8156560cce08fce3d8b7 ELF/Agent\r\nMD5: 834e542076e7c37e848fb68b3671f7a1\r\nMD5: 62ef5ec4adbd655adcc418d7ba2262ac\r\nMD5: 9d7a1a536eef0ff1e87ee1d78ac7bc69\r\nSHA256: 1748035e9cb1932bbe6c3aa93c2ae044296e0f0774d0aa0d3eb688cdd2c0b2f2\r\nELF/Agent\r\n/bin/toybox MD5: d0a31975a436d0fe3b4f990c5003ca59 Clean\r\n/tmp/.ptyagent\r\nMD5: 2d88911f67a2cce7fa97cdf0ae59a027\r\nSHA256: 910e7fc043560fbc2757304503de38a8824238765b2d91d87b974fefa253e311\r\nELF/Agent\r\nMD5: ca5184d43691ee8d8619377e600fa117\r\nSHA256: 70372f95fa5cf917639007ae25a67a53d0297b67792b00bbea63ce0b170f95b8\r\nLinux/Chisel.D!tr\r\n/data/lib/libav.so.new/libav.so MD5: 30009c9052e588b93fb12e918bbcecfb\r\nSHA256: 
6584f614fb0ef864cd5aa5b6ec1b42299f2b639a23e4b1e853caf3b2f2254b14\r\nELF/Agent\r\n/data2/.vile/ketg\r\nMD5: e9ae2188d7a46fdac30b192b7405cba2\r\nSHA256: 8f380a844011daa8854798bf31981b660bf752e95c2e41ae50c0306275b5c0ed\r\nAgent.CBA\r\n/SYSV64564856\r\nMD5: 8771305a111e1b38ada954513af4507c\r\nSHA256: a25a7a7e3bcdc66545db1d62d3b09339ea7abef2a9731707f521a10338b5f563\r\nELF/Agent\r\n/data2/.vile/ith\r\nMD5: 8d4c9b498da847c3690260bb28f046f9\r\nSHA256: 75ce32c1e3ba902f7dcbf5bce63347448a94537682cebdde6d93efb2ede3f81c\r\nELF/Agent\r\n/data2/.vile/dnpfmn\r\nMD5: 3977f8b8f5ec13604819f45282fd9b71\r\nSHA256: adb1b6fc93a0225a203ec64a48470072b5d5c43d8f15860ee03f24673d9d97fe\r\nELF/Agent\r\n/data2/.vile/lmcdle\r\nMD5: 3fba828577e745c8a51d657cc393f461\r\nSHA256: 20de58db0cfb04ce0abde662ca84b00ca7135bb546e2d32865046c3e4acc1b92\r\nELF/Agent\r\n/data2/.vile/fmteld MD5: 46c59ceb4ded468d692a92e34df75988\r\n/data2/brodel MD5: 96e74f0f463eadeded69db5d0efde628\r\n/data2/liblink.so.1\r\nMD5: 031e21168d7e783d26998e63217a365c\r\nSHA256: dfafeb3efaba2c8e5d80ec7a37c00805895df1a47333515082da54e49a388a59\r\nELF/Agent\r\n/data2/fortlinkd\r\nMD5: d97bae365bd4c3fbf2eb834d678dbd11\r\nSHA256: bfc20c8e21fa4674492576961baedae90f7794a8534d2ad3ef4e230de2fb38ab\r\nELF/Agent\r\n/bin/fgfm MD5: 83d5c75bf1d2090a6cceaf2a80d906da\r\n/data2/lib/* (Bash Scripts)\r\nMD5: 33423931a013dfc4a41beb3c5faee2a8\r\nMD5: 559b728ba316528a21b80e87447c2f47\r\nMD5: 2d973c9863e70cd41578a4046990501a\r\nMD5: 93104b1c37cb4478df45b5ba8ea0ff62\r\nN/A\r\nAuthd\r\nMD5: 9124ce75319514561156d2013fc9d3be\r\nSHA256: f40c04fb9e2d4157a0bc753925dbc5f757feb77cdd22f90fedf3cc5e095143bc\r\nELF/Agent\r\nHttpsd\r\nMD5: 218a3525ab8e46f7afe252d050a86907\r\nSHA256: 3ed99aad5922744b6a75ea90ea6ece81ba0d8eb9935aec38b897e44ac3b36c35\r\nELF/Agent\r\nLiblog.so\r\nMD5: e24d14d3e6c6de0ed3db050dd5c935f0\r\nSHA256: 
a79f80158ebbf9e34f6a7ec86b564de2fbee783fe6c1e20eefe2832226e2f827\r\nELF/Agent\r\nLibpe.so\r\nMD5: 6c0adca790235445d07be98cd0f820b5\r\nSHA256: 50451bb5b6d68115695a6cb277839a6dd2bad8f70bdb8b79670b18dcde188965\r\nELF/Agent\r\nNewcli\r\nMD5: ab89139e3d47fbaba2da33040da95200\r\nSHA256: 2acc6a2a931db63fe3a875780f00192a60955c9794df68fe0ace0012d309b04f\r\nELF/Agent\r\nPackfile\r\nMD5: 201ee76e996846d5ea3fc03bac3273dd\r\nSHA256: 4591b4fb1c93c27203b36c773597fd3f885338ad7641dcebf8ed2395acdf4a5f\r\nData/Agen\r\nPreload.so\r\nMD5: a62377c01935f366761846b5ceed5a49\r\nSHA256: 1c437dc9e929669e5a65a1c70afb3107fba471afb9ad35e3848334c9332f2b59\r\nELF/Agent\r\nSh\r\nMD5: 991461b86aebecfd096dc11ff2a04b4b\r\nSHA256: dcd9a5af1c6297ed1a66c851efa305000335d8ade068ba515125a6612f1d5300\r\nNA\r\nSmartctl\r\nMD5: 205a8c6049061930490b2482855babcd\r\nSHA256: 4519baebba73827e2b33f36f835d6cb704755abf1312d8d197be635f4d9ffade\r\nNA\r\nFor details of the Fortinet PSIRT Policy and to report a vulnerability: https://www.fortiguard.com/psirt_policy.\r\nSource: https://www.fortinet.com/blog/psirt-blogs/importance-of-patching-an-analysis-of-the-exploitation-of-n-day-vulnerabilities",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.fortinet.com/blog/psirt-blogs/importance-of-patching-an-analysis-of-the-exploitation-of-n-day-vulnerabilities"
	],
	"report_names": [
		"importance-of-patching-an-analysis-of-the-exploitation-of-n-day-vulnerabilities"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2c348851-5036-406b-b2d1-1ca47cfc7523",
			"created_at": "2022-10-25T16:07:24.039861Z",
			"updated_at": "2026-04-10T02:00:04.847961Z",
			"deleted_at": null,
			"main_name": "Parisite",
			"aliases": [
				"Cobalt Foxglove",
				"Fox Kitten",
				"G0117",
				"Lemon Sandstorm",
				"Parisite",
				"Pioneer Kitten",
				"Rubidium",
				"UNC757"
			],
			"source_name": "ETDA:Parisite",
			"tools": [
				"Cobalt",
				"FRP",
				"Fast Reverse Proxy",
				"Invoke the Hash",
				"JuicyPotato",
				"Ngrok",
				"POWSSHNET",
				"Pay2Key",
				"Plink",
				"Port.exe",
				"PuTTY Link",
				"SSHMinion",
				"STSRCheck",
				"Serveo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6e3ba400-aee3-4ef3-8fbc-ec07fdbee46c",
			"created_at": "2025-08-07T02:03:24.731268Z",
			"updated_at": "2026-04-10T02:00:03.651425Z",
			"deleted_at": null,
			"main_name": "COBALT FOXGLOVE",
			"aliases": [
				"Fox Kitten ",
				"Lemon Sandstorm ",
				"Parisite ",
				"Pioneer Kitten ",
				"RUBIDIUM ",
				"UNC757 "
			],
			"source_name": "Secureworks:COBALT FOXGLOVE",
			"tools": [
				"Chisel",
				"FRP (Fast Reverse Proxy)",
				"Mimikatz",
				"Ngrok",
				"POWSSHNET",
				"STSRCheck",
				"Servo",
				"n3tw0rm ransomware",
				"pay2key ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "871acc40-6cbf-4c81-8b40-7f783616afbc",
			"created_at": "2023-01-06T13:46:39.156237Z",
			"updated_at": "2026-04-10T02:00:03.232876Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"UNC757",
				"Lemon Sandstorm",
				"RUBIDIUM",
				"PIONEER KITTEN",
				"PARISITE"
			],
			"source_name": "MISPGALAXY:Fox Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d070e12b-e1ce-4d8d-b5e3-bc71960cc0cb",
			"created_at": "2022-10-25T15:50:23.676504Z",
			"updated_at": "2026-04-10T02:00:05.260839Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"Fox Kitten",
				"UNC757",
				"Parisite",
				"Pioneer Kitten",
				"RUBIDIUM",
				"Lemon Sandstorm"
			],
			"source_name": "MITRE:Fox Kitten",
			"tools": [
				"China Chopper",
				"Pay2Key",
				"ngrok",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434042,
	"ts_updated_at": 1775792146,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/40215446a0d90842d74625f3e6ab444efc3f8bbd.pdf",
		"text": "https://archive.orkl.eu/40215446a0d90842d74625f3e6ab444efc3f8bbd.txt",
		"img": "https://archive.orkl.eu/40215446a0d90842d74625f3e6ab444efc3f8bbd.jpg"
	}
}