{
	"id": "949a8b4e-7963-441e-bd60-27975f9362ce",
	"created_at": "2026-04-06T03:36:11.098534Z",
	"updated_at": "2026-04-10T13:11:18.370057Z",
	"deleted_at": null,
	"sha1_hash": "40b21146d8883a66532a724f0e847cb1cc39e3d5",
	"title": "Operation RestyLink: APT campaign targeting Japanese companies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2172208,
	"plain_text": "Operation RestyLink: APT campaign targeting Japanese companies\r\nBy NTTセキュリティ・ジャパン株式会社\r\nPublished: 2022-05-13 · Archived: 2026-04-06 02:58:45 UTC\r\nBy Ryu Hiyoshi\r\nPublished May 13, 2022 | Japanese\r\nThis article is a translation of \"Operation RestyLink: 日本企業を狙った標的型攻撃キャンペーン\".\r\n---\r\nToday’s article is authored by our SOC analyst, Rintaro Koike.\r\n---\r\nOur SOC observed an APT campaign targeting Japanese companies starting in mid-April 2022. We think that this campaign had already started in March 2022 and that a related attack might have been carried out around October 2021. This implies that the campaign is neither temporary nor a short, intensive burst, and it could continue from here forward.\r\nIn this article, we report our detailed analysis of this campaign and discuss the attributes of the attacking group.\r\nAttack Overview\r\nThe attack that we observed in mid-April 2022 was as follows:\r\nhttps://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies\r\nPage 1 of 10\r\nOnce a user accessed the URL in the spear-phishing email, a ZIP file was downloaded from a server operated by the attacker. As soon as the LNK file included in the ZIP file was executed, a DOT file was downloaded from the server using a Windows command and placed in the Microsoft Word Startup folder. During this phase, a decoy PDF file was displayed to hold the user's attention.\r\nWhenever the user opens a Word file, the DOT file placed in the Startup folder is loaded and its embedded macro is executed. The macro then downloads another DOT file from the server and executes it. However, we could not download this second DOT file at the time of our research.\r\nDetailed Analysis\r\nLNK file\r\nThe icon of the LNK file was that of a PDF file, but the file used ScriptRunner.exe to execute the following tasks:\r\n1. Display a decoy PDF file.\r\n2. Download a DOT file and place it in the Microsoft Word Startup folder.\r\nThere were two decoy PDF files, both of which were about relations between Japan and South Korea. The redacted parts contain real personal names.\r\nDOT file\r\nWhenever a user opens a Word file, the DOT file placed in the Startup folder is loaded. The macro embedded in the DOT file was as follows:\r\nThe macro downloads another DOT file and executes it. The attacker already has information about the user environment at this stage, because the username is included in the name of the requested file. We could not download this DOT file during our research.\r\nRelated Attacks and Events\r\nAttack Case in Late April 2022\r\nIn late April 2022, we confirmed that an ISO file could be downloaded from the same infrastructure as discussed in the previous section. The attack vector was as follows.\r\nThe ISO file included a legitimate Microsoft Word EXE file and a malicious DLL file in addition to a decoy file. The DLL file is sideloaded and executed when the EXE file is run.\r\nThe DLL file was a UPX-packed Golang downloader. It downloaded a Cobalt Strike stager from the server and executed it. The attacker then investigated the environment using various commands provided by Cobalt Strike.\r\nThe configuration used by the executed Cobalt Strike stager was as follows:\r\nRelated Events in Early April 2022\r\nIn early April 2022, we observed outbound access to the infrastructure (IP address) used in the campaign under discussion. The details are unknown, but we suspect that this access was part of the same campaign, considering the target, the period and the infrastructure.\r\nRelated Events in March 2022\r\nAn interesting LNK file with characteristics similar to the LNK file used in this campaign was uploaded to VirusTotal from Japan in March 2022.\r\nThis sample uses cmd.exe instead of ScriptRunner.exe, but the executed commands and the attack infrastructure are the same. It is highly probable that the attack using this LNK file was part of the same campaign.\r\nAt the time of our research, we could not obtain the first DOT file. The decoy PDF files were about Japanese diplomacy in East Asia.\r\nRelated Events in January 2022\r\nThe Golang downloader used in the late April 2022 attack downloaded the Cobalt Strike stager from \"/Events\" with an odd User-Agent. This User-Agent was that of Yandex Browser, which is uncommon in Japan. We found a sample with the same characteristics that was uploaded to VirusTotal from Japan in January 2022. Because there are similarities in their infrastructure, this event could also be related to the campaign.\r\nDuring the investigation of the IP addresses corresponding to other subdomains, we found traces of Covenant, an open-source C2 framework. The attacker might have used Covenant in addition to Cobalt Strike.\r\nRelated Events in November 2021\r\nThe domain differentfor[.]com, registered in November 2021, was related to the Cobalt Strike activity observed in January and late April 2022. Because its infrastructure, domain, file path, HTTP header and Cobalt Strike configuration are the same as those of the campaign under discussion, it could be related to the campaign.\r\nRelated Events in October 2021\r\nDuring our research on this campaign, we found that attacks using similar infrastructure might have been carried out in late October 2021.\r\nAt the time of our research, we could not obtain the files used in this attack. However, malicious files could have been downloaded from a web server impersonating SASAKAWA USA.\r\nAttribution\r\nThe following figure summarizes the characteristics that we found related to the campaign.\r\nThere are various characteristics, but what deserves attention is the fact that this campaign clearly targets Japan. The attacker selected target users carefully, prepared decoy files written in natural Japanese and leveraged Japanese IP addresses. It is apparent that Japan was not attacked by accident, and that the attacker was highly motivated to attack Japan. Access to the web server used in this campaign might have been restricted based on geolocation, which suggests the attacker's carefulness and slyness. Because only a few APT groups have the capability and motivation to attack Japan, the candidate APT groups are limited.\r\nBased on our research, we would like to name four APT groups that we think are related to this campaign. Taking into consideration other minor information not mentioned in this article, we think that DarkHotel is the strongest suspect at the time of writing. Because there is no convincing evidence, this assessment could change depending on future research.\r\nDarkHotel\r\nDarkHotel is an APT group said to be attributed to South Korea [1], and their attacks have been observed rather frequently in Japan [2][3][4][5][6]. They continuously attack Japanese media companies and think tanks. They perform spear-phishing attacks using Japanese emails and decoy files, and execute multistage downloaders and loaders using LNK files. Based on the similarity of these characteristics, we suspect that DarkHotel is related to this campaign.\r\nKimsuky\r\nKimsuky is an APT group said to be attributed to North Korea [7], and their attacks have sometimes been observed in Japan [8][9]. It is said that Kimsuky targets North Korean refugees and related organizations, but Japanese media companies have also been targeted in the past. It is reported that they used LNK files in their recent attacks [10]. These characteristics have several points in common with this campaign.\r\nAPT29\r\nAPT29 is an APT group said to be attributed to Russia [11], and their attacks have rarely been reported in Japan. However, the recent situation in Ukraine could motivate them to attack Japan. It has already been reported that APT29 used LNK [12] or ISO files [13] in their attacks. They are also known to leverage Cobalt Strike [14] and Golang malware [15]. These characteristics have some points in common with this campaign.\r\nTA416\r\nTA416 is an APT group said to be attributed to China [16], and their attacks have sometimes been observed in Japan. It is known that TA416 uses LNK files and Cobalt Strike [17][18]. These characteristics are similar to those of this campaign.\r\nConclusion\r\nAs of April 2022, an APT campaign targeting Japanese companies has been observed. Though we named several candidate APT groups that could be behind the campaign, there is no clear evidence of which one it is. Because similar attacks could have been carried out over several months, it is necessary to monitor the situation continuously.\r\nIoCs\r\nReferences\r\n[1] MITRE ATT&CK, \"Darkhotel\", https://attack.mitre.org/groups/G0012/\r\n[2] NTTセキュリティ・ジャパン, \"マルウエアが含まれたショートカットファイルをダウンロードさせる攻撃のさらにその先\", https://techblog.security.ntt/102fmlc\r\n[3] JPCERT/CC, \"Attack Convincing Users to Download a Malware-Containing Shortcut File\", https://blogs.jpcert.or.jp/en/2019/06/darkhotel-lnk.html\r\n[4] マクニカ, \"標的型攻撃の実態と対策アプローチ 第3版\", https://www.macnica.co.jp/business/security/manufacturers/files/mpressioncss_ta_report_2019_2_nopw.pdf\r\n[5] Macnica Networks Corp., \"APT Threat Landscape in Japan 2020\", https://www.macnica.co.jp/business/security/manufacturers/files/mpressioncss_ta_report_2020_5_en.pdf\r\n[6] IPA, \"サイバーレスキュー隊（J-CRAT） 活動状況 [2019 年度下半期]\", https://www.ipa.go.jp/files/000083013.pdf\r\n[7] Mandiant, \"Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations\", https://www.mandiant.com/resources/mapping-dprk-groups-to-government\r\n[8] IPA, \"サイバーレスキュー隊（J-CRAT） 活動状況 [2021 年度上半期]\", https://www.ipa.go.jp/files/000094548.pdf\r\n[9] Cybereason, \"Back to the Future: Inside the Kimsuky KGH Spyware Suite\", https://www.cybereason.com/blog/research/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite\r\n[10] Stairwell, \"The ink-stained trail of GOLDBACKDOOR\", https://stairwell.com/news/threat-research-the-ink-stained-trail-of-goldbackdoor/\r\n[11] MITRE ATT&CK, \"APT29\", https://attack.mitre.org/groups/G0016/\r\n[12] Volexity, \"Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns\", https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/\r\n[13] Microsoft, \"Breaking down NOBELIUM’s latest early-stage toolset\", https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/\r\n[14] Mandiant, \"Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign\", https://www.mandiant.com/resources/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign\r\n[15] JPCERT/CC, \"Malware “WellMess” Targeting Linux and Windows\", https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html\r\n[16] Proofpoint, \"The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates\", https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european\r\n[17] CrowdStrike, \"Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA\", https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/\r\n[18] Cisco, \"Mustang Panda deploys a new wave of malware targeting Europe\", https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html\r\nSource: https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies"
	],
	"report_names": [
		"operation-restylink-apt-campaign-targeting-japanese-companies"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "46818902-c96d-445c-afdb-075ef6b4afab",
			"created_at": "2023-02-18T02:04:24.443028Z",
			"updated_at": "2026-04-10T02:00:04.828275Z",
			"deleted_at": null,
			"main_name": "Operation RestyLink",
			"aliases": [
				"Earth Yako",
				"Operation Enelink"
			],
			"source_name": "ETDA:Operation RestyLink",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "65e1eee1-bc35-4093-9554-1a668e1bc30a",
			"created_at": "2024-02-08T02:00:04.320426Z",
			"updated_at": "2026-04-10T02:00:03.583546Z",
			"deleted_at": null,
			"main_name": "Earth Yako",
			"aliases": [
				"Operation RestyLink",
				"Enelink"
			],
			"source_name": "MISPGALAXY:Earth Yako",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446571,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/40b21146d8883a66532a724f0e847cb1cc39e3d5.pdf",
		"text": "https://archive.orkl.eu/40b21146d8883a66532a724f0e847cb1cc39e3d5.txt",
		"img": "https://archive.orkl.eu/40b21146d8883a66532a724f0e847cb1cc39e3d5.jpg"
	}
}