{
	"id": "f1563e44-82f7-4f3b-89aa-840cce936402",
	"created_at": "2026-04-06T00:10:02.585735Z",
	"updated_at": "2026-04-10T03:32:39.09138Z",
	"deleted_at": null,
	"sha1_hash": "42b6d108211778e973a6ec2ee98a2e20ce0a7b96",
	"title": "MirrorFace Attack against Japanese Organisations - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1013348,
	"plain_text": "MirrorFace Attack against Japanese Organisations - JPCERT/CC Eyes\r\nBy 朝長 秀誠 (Shusei Tomonaga)\r\nPublished: 2024-07-15 · Archived: 2026-04-05 13:32:50 UTC\r\nJPCERT/CC has been observing attack activities by MirrorFace using the LODEINFO and NOOPDOOR malware since 2022. The actor's targets were initially media, political organisations, think tanks and universities, but since 2023 it has shifted to manufacturers and research institutions. As for TTPs, the actor used to infiltrate target networks with spear-phishing emails, but it now also exploits vulnerabilities in internet-facing assets. Figure 1 shows how the actor's activity has changed over time.\r\nFigure 1: MirrorFace attack activities timeline (based on incident reports submitted to JPCERT/CC and publications by other vendors [1] [2])\r\nJPCERT/CC published a security alert (Japanese) on attack activities exploiting these vulnerabilities in November 2023. We have confirmed that this actor has exploited vulnerabilities in Array AG and FortiGate. Proself may also have been exploited, but the cases discussed in this post are those involving Array AG and FortiGate.\r\nThis post describes the NOOPDOOR malware and details the TTPs and tools the actor used inside victim networks.\r\nNOOPDOOR\r\nNOOPDOOR execution flow\r\nNOOPDOOR is shellcode that injects itself into a legitimate application. It is launched either from an XML file (Type1) or from a DLL file (Type2). The execution flow of each type is illustrated in Figures 2 and 3.\r\nhttps://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html\r\nPage 1 of 12\n\nFigure 2: NOOPDOOR launched by an XML file (Type1)\r\nType1 carries obfuscated C# code inside an XML file that is passed to MSBuild; MSBuild compiles and executes that code, which is NOOPDOOR's loader (hereafter 'NOOPLDR'). 
Once running, NOOPLDR reads a specific data file or registry value, decrypts the loaded data with AES (CBC mode) using a key derived from the host's unique MachineId and ComputerName, and injects the resulting code into a legitimate application. Because the key depends on these host-specific values, the stored payload cannot be decrypted on an analysis machine unless both values are collected from the infected host together with the encrypted data.\r\nFigure 3: NOOPDOOR launched by a DLL file (Type2)\r\nType2 is started by a Windows scheduled task that launches a legitimate application, into which NOOPLDR is loaded by DLL side-loading. As in Type1, the loader reads the encrypted payload from the registry, decrypts it and injects it into a legitimate application. In both types, once NOOPDOOR has executed, the code is re-encrypted and stored in a preset registry location so that it can be loaded again on the next run.\r\nTypes of NOOPLDR\r\nSeveral NOOPLDR variants exist, differing in the process they inject into and in their functions, as summarised in Table 1.\r\nTable 1: Features in NOOPLDR samples (How it runs | Injection process | Service registration | Storage registry)\r\nXML | lsass.exe | - | HKLM\\Software\\License\\{HEX}, HKCU\\Software\\License\\{HEX}\r\nXML | tabcal.exe | - | HKLM\\Software\\License\\{HEX}, HKCU\\Software\\License\\{HEX}\r\nXML | rdrleakdiag.exe | - | HKLM\\Software\\License\\{HEX}, HKCU\\Software\\License\\{HEX}\r\nXML | svchost.exe | - | HKLM\\Software\\License\\{HEX}, HKCU\\Software\\License\\{HEX}\r\nXML | wuauclt.exe | - | HKLM\\Software\\License\\{HEX}, HKCU\\Software\\License\\{HEX}\r\nXML | vdsldr.exe | - | HKLM\\Software\\License\\{HEX}, HKCU\\Software\\License\\{HEX}\r\nXML | prevhost.exe | - | HKLM\\Software\\License\\{HEX}, HKCU\\Software\\License\\{HEX}\r\nDLL | wuauclt.exe | Yes | HKCU\\Software\\Microsoft\\COM3\\{HEX}\r\nDLL | None | - | HKCU\\Software\\Licenses\\{HEX}\r\nDLL | svchost.exe | - | HKCU\\Software\\Licenses\\{HEX}\r\nSome Type2 samples with service-registration capability can hide the service by running the following command. The sc sdset ACEs deny (D) Interactive Users (IU) and Service Users (SU) the rights to change the service's configuration (DC), query its status (LC), stop it (WP), pause or continue it (DT) and delete it (SD); because status queries are denied, the service is not shown by the Services console or by sc query. The command as recovered is truncated.\r\nsc start [SERVICE_NAME] \u0026\u0026 sc sdset [SERVICE_NAME] 
D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLC\r\nNOOPLDR obfuscation\r\nNOOPLDR (Type2) uses the Control Flow Flattening (CFF) technique, as shown in Figure 4 (left). The code can be partially recovered with D810 [3] and other CFF deobfuscators, but it cannot be fully deobfuscated that way because it is also padded with many meaningless Windows API calls. To ease this work, JPCERT/CC developed a helper tool; applying it first and then D810 or another CFF deobfuscator yields the result in Figure 4 (right).\r\nFigure 4: CFF obfuscated function (left) and deobfuscated function (right)\r\nJPCERT/CC's NOOPLDR deobfuscation helper is available in the following GitHub repository:\r\nGitHub: JPCERTCC/aa-tools/Deob_NOOPLDR.py\r\nhttps://github.com/JPCERTCC/aa-tools/blob/master/Deob_NOOPLDR.py\r\nNOOPDOOR functions\r\nNOOPDOOR's functions include communicating over port 443 with destinations generated by a DGA seeded from the system time, and receiving commands on TCP port 47000. 
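\r\nThe artifacts described so far (the Table 1 registry locations, the sc sdset service hiding and the TCP 47000 command port) can be checked on a suspect host in one pass. The PowerShell below is an added example for this post, not JPCERT/CC's code. The registry paths, the SDDL deny pattern and the port come from the text above; the hex-name heuristic for registry subkeys, the path heuristic for side-loading scheduled tasks and the use of the Services registry hive to find hidden services are the example's own assumptions.\r\n
```powershell\r\n
# Added example (not JPCERT/CC code): triage a host for the NOOPLDR/NOOPDOOR\r\n
# persistence artifacts named in this post. Run in an elevated PowerShell.\r\n
\r\n
# 1. Registry storage locations from Table 1. Report every value, and any\r\n
#    subkey whose name is a bare hex string (the {HEX} placeholder; heuristic).\r\n
#    HKCU: is the current user only; walk HKU: for other profiles.\r\n
$storeKeys = 'HKLM:\\SOFTWARE\\License', 'HKCU:\\SOFTWARE\\License',\r\n
             'HKCU:\\SOFTWARE\\Licenses', 'HKCU:\\SOFTWARE\\Microsoft\\COM3'\r\n
function Get-SuspectRegistryStore {\r\n
    foreach ($key in $storeKeys) {\r\n
        if (-not (Test-Path $key)) { continue }\r\n
        $item = Get-Item $key\r\n
        foreach ($name in $item.GetValueNames()) {\r\n
            $data = $item.GetValue($name)\r\n
            $size = if ($data -is [byte[]]) { $data.Length } else { ([string]$data).Length }\r\n
            [pscustomobject]@{ Key = $key; Name = $name; Size = $size }\r\n
        }\r\n
        Get-ChildItem $key | Where-Object { $_.PSChildName -match '^[0-9A-Fa-f]{8,}$' } |\r\n
            ForEach-Object { [pscustomobject]@{ Key = $_.Name; Name = '(subkey)'; Size = $null } }\r\n
    }\r\n
}\r\n
\r\n
# 2. Scheduled tasks: MSBuild with an .xml project (Type1), or an executable\r\n
#    started from outside Windows/Program Files, the usual shape of a\r\n
#    side-loading host (Type2; the post does not name the host binary).\r\n
function Get-SuspectScheduledTask {\r\n
    foreach ($task in Get-ScheduledTask) {\r\n
        foreach ($a in $task.Actions) {\r\n
            if (-not $a.Execute) { continue }\r\n
            $cmd = ($a.Execute + ' ' + $a.Arguments).Trim()\r\n
            $exe = $a.Execute.Trim('\"')\r\n
            $msbuild = $cmd -match 'msbuild(\\.exe)?\\s.*\\.xml'\r\n
            $oddPath = $exe -match '^[A-Za-z]:\\\\' -and\r\n
                       $exe -notmatch '^[A-Za-z]:\\\\(Windows|Program Files( \\(x86\\))?)\\\\'\r\n
            if ($msbuild -or $oddPath) {\r\n
                [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; Command = $cmd }\r\n
            }\r\n
        }\r\n
    }\r\n
}\r\n
\r\n
# 3. Services hidden with sc sdset: the SCM will not enumerate them, but the\r\n
#    key under HKLM\\SYSTEM\\CurrentControlSet\\Services remains. Diff the two\r\n
#    and read the SDDL of the gap (READ_CONTROL is not in the denied set, so\r\n
#    sc sdshow still works).\r\n
function Get-HiddenService {\r\n
    $visible = (Get-Service).Name\r\n
    foreach ($k in Get-ChildItem 'HKLM:\\SYSTEM\\CurrentControlSet\\Services') {\r\n
        $p = Get-ItemProperty $k.PSPath\r\n
        # Type 0x10/0x20 = Win32 services; drivers (0x1/0x2) and per-user\r\n
        # service templates (0x40 flag) are skipped\r\n
        if (($p.Type -band 0x30) -eq 0 -or ($p.Type -band 0x40) -ne 0) { continue }\r\n
        if ($k.PSChildName -in $visible) { continue }\r\n
        $sddl = ((sc.exe sdshow $k.PSChildName) -join '').Trim()\r\n
        [pscustomobject]@{\r\n
            Service    = $k.PSChildName\r\n
            ImagePath  = $p.ImagePath\r\n
            DeniesIUSU = $sddl -match '\\(D;[^)]*;;;(IU|SU)\\)'\r\n
            SDDL       = $sddl\r\n
        }\r\n
    }\r\n
}\r\n
\r\n
# 4. Inbound allow rules for TCP 47000 and anything currently listening on it.\r\n
function Get-Port47000Exposure {\r\n
    $rules = Get-NetFirewallPortFilter |\r\n
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '47000' } |\r\n
        Get-NetFirewallRule |\r\n
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |\r\n
        Select-Object DisplayName, Enabled, Profile\r\n
    $listen = Get-NetTCPConnection -State Listen -LocalPort 47000 -ErrorAction SilentlyContinue |\r\n
        Select-Object LocalAddress, OwningProcess\r\n
    [pscustomobject]@{ AllowRules = $rules; Listeners = $listen }\r\n
}\r\n
\r\n
Get-SuspectRegistryStore | Format-Table -AutoSize\r\n
Get-SuspectScheduledTask | Format-Table -AutoSize\r\n
Get-HiddenService        | Format-List\r\n
Get-Port47000Exposure    | Format-List\r\n
```\r\n
A registry hit alone is not proof: collect the value together with the host's MachineId and ComputerName so the AES-CBC payload can be decrypted off-host. A service that exists in the registry, is missing from Get-Service and has DeniesIUSU set to True matches the hiding technique exactly.\r\n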
On top of basic backdoor functions such as uploading and downloading files and executing additional commands, it also has commands to alter file timestamps, which can mislead forensic timeline analysis.\r\nFor more details on the NOOPDOOR command structure and behaviour, see the JSAC2024 presentation by Dominik Breitenbacher [4].\r\nThreat actor activity on the network\r\nThe following sections explain the commands, tools and defense evasion techniques used by the attackers.\r\nAccess credentials\r\nThe attackers attempt to obtain Windows network credentials in several ways.\r\n(1) From an LSASS memory dump\r\nThey use a tool to dump the memory of the running LSASS process and extract credentials from the dump. In an environment with Microsoft Defender, this access can be detected in the Microsoft-Windows-Windows Defender/Operational event log (Event ID 1011, detection name Trojan:Win32/LsassDump).\r\n(2) From NTDS.dit\r\nThey extract credentials from the domain controller database file (NTDS.dit), obtaining a copy of it with the vssadmin command or similar means. Access to NTDS.dit is recorded in the event logs; see JPCERT/CC's Tool Analysis Result Sheet entries for ntdsutil and vssadmin [5] [6].\r\n(3) From registry hives\r\nThey also access the SYSTEM, SAM and SECURITY registry hives to retrieve credentials from the SAM database. Whether these activities are detected depends on the EDR product in use.\r\nLateral Movement\r\nThe attackers access a wide range of clients and servers using Windows network administrator privileges. It is especially recommended to carefully check servers that are managed by privileged users, such as file servers, Active Directory domain controllers and anti-virus management servers. 
The attackers carry out lateral movement by copying the malware to the target host over SMB and registering it as a scheduled task with the schtasks command.\r\nThis sequence can be recorded and monitored with Windows event logs. Creation of a new scheduled task is recorded in the Security log as Event ID 4698 (this requires the \"Audit Other Object Access Events\" subcategory). Additionally, if \"Audit Detailed File Share\" is enabled, the copy over SMB is recorded in the Security log as Event ID 5145 (see Appendix D for how to enable it). Note that a single file copy produces several 5145 events with different access masks, and that 5145 is high-volume on busy file servers, so filter on the administrative shares (C$, ADMIN$) and on the target file name.\r\nBelow is a sample event recorded when an attacker copied a file (Event ID 5145).\r\nA network share object was checked to see whether client can be granted desired access\r\nSubject:\r\n  Security ID: [ID]\r\n  Account Name: [User name]\r\n  Account Domain: [Domain name]\r\n  Logon ID: [Logon ID]\r\nNetwork Information:\r\n  Object Type: File\r\n  Source Address: [IP address]\r\n  Source Port: [Port]\r\nShare Information:\r\n  Share Name: \\\\*\\C$\r\n  Share Path: \\??\\C:\\\r\n  Relative Target Name: WINDOWS\\SYSTEM32\\UIANIMATION.XML\r\nAccess Request Information:\r\n  Access Mask: 0x120089\r\n  Accesses: READ_CONTROL\r\n            SYNCHRONIZE\r\n            ReadData (or ListDirectory)\r\n            ReadEA\r\n            ReadAttributes\r\nThe file in this sample was placed under WINDOWS\\SYSTEM32 with a legitimate-looking name (UIANIMATION.XML); the same path appears in the deletion command in the Defense Evasion section.\r\nReconnaissance commands\r\nAfter the intrusion, the attackers carried out reconnaissance using the Windows commands listed below. 
The list includes commands that ordinary users rarely run (for example dsregcmd, ntfrsutl, setspn, qwinsta, vssadmin and wevtutil); their appearance in process-creation telemetry can be a clue to malicious activity.\r\nat\r\nauditpol\r\nbitsadmin\r\ndel\r\ndir\r\ndfsutil\r\ndsregcmd\r\nhostname\r\nipconfig\r\nnbtstat\r\nnet\r\nnetstat\r\nntfrsutl\r\nnslookup\r\nmountvol\r\nping\r\npowercfg\r\nqprocess\r\nquser\r\nqwinsta\r\nreg\r\nsc\r\nsetspn\r\nschtasks\r\nsysteminfo\r\ntasklist\r\nvdsldr\r\nver\r\nvssadmin\r\nwevtutil\r\nwhoami\r\nwmic\r\nInformation exfiltration\r\nAside from NOOPDOOR, the attackers used the following tools to exfiltrate information:\r\nWinRAR\r\nSFTP\r\nThe attackers review file contents before exfiltrating them. We have confirmed that they ran dir /s to list the files on a file server and stored the output in a RAR archive. They also used the following commands to list files, including the OneDrive, Teams and IIS folders (the user name in these paths is redacted).\r\ncmd.exe /c dir c:\\\r\ncmd.exe /c dir c:\\users\\\r\ncmd.exe /c dir c:\\users\\\\Desktop\r\ncmd.exe /c dir c:\\users\\\\Documents\r\ncmd.exe /c dir \"c:\\users\\\\OneDrive\" /s /a\r\ncmd.exe /c dir \"c:\\users\\\\OneDrive\\Microsoft Teams\\\"\r\ncmd.exe /c dir \"c:\\users\\\\OneDrive\\Microsoft Teams チャット ファイル\\[redacted].docx\"\r\ncmd.exe /c dir \"c:\\Program Files\\\"\r\ncmd.exe /c dir \"c:\\Program Files (x86)\"\r\ncmd.exe /c dir c:\\Intel\r\ncmd.exe /c dir c:\\inetpub\r\ncmd.exe /c dir c:\\inetpub\\wwwroot\r\n(\"Microsoft Teams チャット ファイル\" is the Japanese-locale name of the \"Microsoft Teams Chat Files\" folder in OneDrive.)\r\nOther tools\r\nThe attackers also use tools other than LODEINFO and NOOPDOOR. In some cases we confirmed that GO Simple Tunnel (GOST), an HTTP/SOCKS5 proxy tool, was used.\r\nGitHub: ginuerzh/gost\r\nhttps://github.com/ginuerzh/gost\r\nWe also saw cases where GOST was running on Linux servers. 
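\r\nReturning to the reconnaissance command list above, it can be turned into a detection by scoring process-creation command lines per host and account, weighting the commands ordinary users rarely run more heavily and flagging recursive dir listings of the kind used to stage exfiltration. The PowerShell below is an added example for this post, not JPCERT/CC's code; the command names are the post's, while the weights, the threshold and the use of Security Event ID 4688 as the live data source are the example's assumptions, and the sample events are constructed, not real telemetry.\r\n
```powershell\r\n
# Added example (not JPCERT/CC code): score reconnaissance command lines per\r\n
# host/account. Weights and threshold are tuning assumptions.\r\n
\r\n
# Commands from the post's list that ordinary users rarely run (weight 2) and\r\n
# everyday ones that only matter in bulk (weight 1).\r\n
$rare   = 'at','auditpol','bitsadmin','dfsutil','dsregcmd','nbtstat','ntfrsutl','mountvol',\r\n
          'powercfg','qprocess','quser','qwinsta','setspn','schtasks','vdsldr','vssadmin',\r\n
          'wevtutil','wmic'\r\n
$common = 'del','dir','hostname','ipconfig','net','netstat','nslookup','ping','reg','sc',\r\n
          'systeminfo','tasklist','ver','whoami'\r\n
\r\n
function Get-ReconCommand {\r\n
    # Map one command line to (command, weight); nothing if it is not on the list\r\n
    param([Parameter(Mandatory)][string]$CommandLine)\r\n
    # Drop a leading cmd.exe /c wrapper, then take the first token\r\n
    $body = ($CommandLine -replace '^\\s*\"?[^\"\\s]*cmd(\\.exe)?\"?\\s+/c\\s+', '').Trim()\r\n
    $tok  = ($body -split '\\s+', 2)[0].Trim('\"')\r\n
    $name = [IO.Path]::GetFileName($tok).ToLower() -replace '\\.exe$', ''\r\n
    $w = 0\r\n
    if ($name -in $rare) { $w = 2 } elseif ($name -in $common) { $w = 1 }\r\n
    if ($w -eq 0) { return }\r\n
    [pscustomobject]@{ Command = $name; Weight = $w; Line = $CommandLine }\r\n
}\r\n
\r\n
function Get-ReconScore {\r\n
    # Events need Computer, User and CommandLine properties. One whoami is noise;\r\n
    # a burst of dsregcmd, setspn, ntfrsutl and vssadmin in one session is not.\r\n
    param([Parameter(Mandatory)][object[]]$Events, [int]$Threshold = 6)\r\n
    $hits = foreach ($e in $Events) {\r\n
        $h = Get-ReconCommand -CommandLine $e.CommandLine\r\n
        if ($h) { $h | Add-Member -NotePropertyName Key -NotePropertyValue ($e.Computer + '\\' + $e.User) -PassThru }\r\n
    }\r\n
    foreach ($g in ($hits | Group-Object Key)) {\r\n
        $score = ($g.Group | Measure-Object Weight -Sum).Sum\r\n
        # dir ... /s: recursive listing of a share, the exfiltration staging step\r\n
        $recursive = @($g.Group | Where-Object { $_.Command -eq 'dir' -and $_.Line -match '\\s/s(\\s|$)' }).Count\r\n
        [pscustomobject]@{\r\n
            Key          = $g.Name\r\n
            Score        = $score\r\n
            Commands     = ($g.Group.Command | Sort-Object -Unique) -join ','\r\n
            RecursiveDir = $recursive\r\n
            Suspicious   = ($score -ge $Threshold) -or ($recursive -gt 0)\r\n
        }\r\n
    }\r\n
}\r\n
\r\n
function Get-ProcessCreationEvent {\r\n
    # Live source (assumption): Security 4688 with command-line auditing enabled\r\n
    param([string]$Computer = $env:COMPUTERNAME, [int]$Days = 7)\r\n
    Get-WinEvent -ComputerName $Computer -FilterHashtable @{\r\n
        LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) } |\r\n
    ForEach-Object {\r\n
        $d = @{}\r\n
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }\r\n
        [pscustomobject]@{ Computer = $_.MachineName; User = $d.SubjectUserName; CommandLine = $d.CommandLine }\r\n
    }\r\n
}\r\n
\r\n
# Constructed sample (not real telemetry); host and account names are made up.\r\n
$sample = @(\r\n
    @{ Computer='FS01'; User='svc_backup'; CommandLine='cmd.exe /c whoami' },\r\n
    @{ Computer='FS01'; User='svc_backup'; CommandLine='cmd.exe /c dsregcmd /status' },\r\n
    @{ Computer='FS01'; User='svc_backup'; CommandLine='cmd.exe /c setspn -L FS01' },\r\n
    @{ Computer='FS01'; User='svc_backup'; CommandLine='cmd.exe /c ntfrsutl ds' },\r\n
    @{ Computer='FS01'; User='svc_backup'; CommandLine='cmd.exe /c dir \"c:\\users\\jdoe\\OneDrive\" /s /a' },\r\n
    @{ Computer='WS22'; User='jdoe';       CommandLine='cmd.exe /c ipconfig /all' },\r\n
    @{ Computer='WS22'; User='jdoe';       CommandLine='C:\\Windows\\System32\\PING.EXE dc01' }\r\n
) | ForEach-Object { [pscustomobject]$_ }\r\n
\r\n
Get-ReconScore -Events $sample | Format-Table -AutoSize\r\n
# For live data: Get-ReconScore -Events (Get-ProcessCreationEvent -Computer FS01)\r\n
```\r\n
With the constructed sample, the svc_backup session on FS01 accumulates four rarely-used commands plus a recursive dir of a user's OneDrive and is flagged, while the workstation session with ipconfig and ping is not. Per-session grouping matters more than the individual weights: the actor's recon is a burst of these commands from one account on one host.\r\n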
Linux servers may also be infected with TinyShell-based malware.\r\nDefense Evasion\r\nThe attackers used various defense evasion techniques, including the following (see Appendix C for the ATT\u0026CK mapping).\r\n(1) Leverage MSBuild\r\nExecute a malicious XML file (NOOPLDR) with the legitimate MSBuild.exe.\r\n(2) Store malicious data in the registry\r\nLoad the encrypted malware file, store its data in the registry and delete the original file, so that no payload remains on disk.\r\n(3) Alter timestamps\r\nSet the creation dates of the malware and tools to a time earlier than the actual intrusion so that they do not stand out in a timeline.\r\n(4) Add a firewall rule\r\nAdd a rule allowing communication on the specific ports NOOPDOOR uses. Rule creation is recorded in the Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log as Event ID 2004.\r\n(5) Hide registered services\r\nSet the service's security descriptor (the sc sdset command shown above) so that the registered service is not displayed.\r\n(6) Delete Windows event logs\r\nClear the event logs. Clearing the Security log is itself recorded as Event ID 1102 together with the account that cleared it (clearing other logs is recorded in the System log as Event ID 104), so a Security log whose oldest entry is 1102 is a strong indicator.\r\n(7) Disable Windows Defender\r\nRecorded in Microsoft-Windows-Windows Defender/Operational as Event ID 5001 (real-time protection disabled).\r\n(8) Delete files\r\nDelete the malware file.\r\nAfter completing their reconnaissance, the attackers deleted the malware and killed its processes, presumably to cover their tracks and preserve long-term access. For example:\r\ncmd.exe /c del c:\\Windows\\system32\\UIAnimation.xml /f /q\r\ntaskkill.exe\r\nIn closing\r\nMirrorFace has been attacking Japanese organisations for a long time. Activity by this actor is expected to continue, and we advise continuously following information about it. Appendix A lists the IoCs.\r\nIn some cases, early detection based on IoCs may be difficult. 
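\r\nWhen IoCs are unavailable or already rotated, the event sources named in this post can still be swept for the actor's TTPs. The PowerShell below is an added example (not JPCERT/CC's code) that queries each of them over a recent window: Defender 1011 with the LsassDump detection name and 5001, firewall 2004, and Security 4698, 5145 against administrative shares and 1102, with a preflight check that \"Audit Detailed File Share\" is on so that a silent 5145 result is not mistaken for a clean one. Channel and field names are standard Windows ones; matching 5145 on .xml/.dll targets under an admin share is the example's own heuristic derived from the UIANIMATION.XML sample above.\r\n
```powershell\r\n
# Added example (not JPCERT/CC code): sweep the event sources this post names\r\n
# for MirrorFace TTP evidence without relying on IoCs.\r\n
\r\n
function Get-EventData {\r\n
    # Flatten the named EventData fields of a record into a hashtable\r\n
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)\r\n
    $d = @{}\r\n
    $xml = [xml]$Event.ToXml()\r\n
    foreach ($n in @($xml.Event.EventData.Data)) { if ($n.Name) { $d[$n.Name] = $n.'#text' } }\r\n
    $d\r\n
}\r\n
\r\n
function Test-DetailedFileShareAudit {\r\n
    # 5145 is only generated when \"Audit Detailed File Share\" is enabled\r\n
    # (Appendix D). English auditpol output is assumed for the string match.\r\n
    $out = auditpol /get /subcategory:\"Detailed File Share\"\r\n
    ($out -join ' ') -match 'Success'\r\n
}\r\n
\r\n
# One entry per source: channel, ID, meaning, a Keep filter over the flattened\r\n
# data (and the raw record), and the detail to report.\r\n
$checks = @(\r\n
    @{ Log='Microsoft-Windows-Windows Defender/Operational'; Id=1011; Why='Defender detection Trojan:Win32/LsassDump'\r\n
       Keep={ param($d,$e) $d['Threat Name'] -like 'Trojan:Win32/LsassDump*' }\r\n
       Show={ param($d,$e) $d['Threat Name'] + ' ' + $d['Path'] } },\r\n
    @{ Log='Microsoft-Windows-Windows Defender/Operational'; Id=5001; Why='Defender real-time protection disabled'\r\n
       Keep={ $true }; Show={ param($d,$e) '' } },\r\n
    @{ Log='Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'; Id=2004; Why='Firewall rule added'\r\n
       Keep={ $true }\r\n
       Show={ param($d,$e) 'rule=' + $d['RuleName'] + ' ports=' + $d['LocalPorts'] + ' app=' + $d['ApplicationPath'] + ' by=' + $d['ModifyingApplication'] } },\r\n
    @{ Log='Security'; Id=4698; Why='Scheduled task created'\r\n
       Keep={ $true }\r\n
       Show={ param($d,$e) $d['TaskName'] + ' by ' + $d['SubjectUserName'] + $(if ($d['TaskContent'] -match 'msbuild|\\.xml') { ' (MSBuild/XML action)' }) } },\r\n
    @{ Log='Security'; Id=5145; Why='File access on admin share (.xml/.dll)'\r\n
       Keep={ param($d,$e) $d['ShareName'] -match '\\\\(C|ADMIN)\\$$' -and $d['RelativeTargetName'] -match '\\.(xml|dll)$' }\r\n
       Show={ param($d,$e) $d['IpAddress'] + ' ' + $d['SubjectUserName'] + ' to ' + $d['ShareName'] + '\\' + $d['RelativeTargetName'] + ' mask=' + $d['AccessMask'] } },\r\n
    @{ Log='Security'; Id=1102; Why='Security log cleared'\r\n
       Keep={ $true }\r\n
       Show={ param($d,$e) 'by ' + ([xml]$e.ToXml()).Event.UserData.LogFileCleared.SubjectUserName } }\r\n
)\r\n
\r\n
function Find-MirrorFaceEvents {\r\n
    param([string]$Computer = $env:COMPUTERNAME, [int]$Days = 30)\r\n
    $since = (Get-Date).AddDays(-$Days)\r\n
    foreach ($c in $checks) {\r\n
        $events = Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{\r\n
            LogName = $c.Log; Id = $c.Id; StartTime = $since }\r\n
        foreach ($e in $events) {\r\n
            $d = Get-EventData $e\r\n
            if (-not (\u0026 $c.Keep $d $e)) { continue }\r\n
            [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Why = $c.Why; Detail = (\u0026 $c.Show $d $e) }\r\n
        }\r\n
    }\r\n
}\r\n
\r\n
if (-not (Test-DetailedFileShareAudit)) {\r\n
    Write-Warning 'Audit Detailed File Share is off: no 5145 events will exist (see Appendix D)'\r\n
}\r\n
Find-MirrorFaceEvents | Sort-Object Time | Format-Table -AutoSize -Wrap\r\n
```\r\n
Run it against file servers, domain controllers and anti-virus management servers first, as the post recommends. A 1102 whose time is close to a 2004 or a 4698 on the same host is the sequence to look for: the actor adds its firewall rule and task, then clears the log that recorded them.\r\n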
To detect such incidents at an early stage with security products and services, we believe it is crucial that security vendors share information about malware and TTPs to a reasonable extent. JPCERT/CC is committed to continuing to work with partner organisations and security vendors on timely information sharing about such attack activities.\r\nAcknowledgement\r\nJPCERT/CC would like to thank the organisations that supported this publication.\r\nSecurity vendors who supported this publication:\r\nITOCHU Cyber \u0026 Intelligence Inc.\r\nMacnica, Inc.\r\nSecureworks, Inc.\r\nWe also referred to reports from the following companies:\r\nLAC Co., Ltd.\r\nTrend Micro Incorporated\r\nYuma Masubuchi, Kota Kino, Shusei Tomonaga\r\n(Translated by Yukako Uchida)\r\nReferences\r\n[1] JSAC2024: Spot the Difference: An Analysis of the New LODEINFO Campaign by Earth Kasha\r\nhttps://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_2_7_hara_shoji_higashi_vickie-su_nick-dai_en.pdf\r\n[2] ITOCHU Cyber \u0026 Intelligence Inc.: The never-ending battle between analysts and attackers over anti-analysis: from the analysis of LODEINFO v0.6.6 - v0.7.3 (Japanese; original title: 分析官と攻撃者の解析回避を巡る終わりなき戦い: LODEINFO v0.6.6 - v0.7.3 の解析から)\r\nhttps://blog.itochuci.co.jp/entry/2024/01/24/134047\r\n[3] GitHub: D-810\r\nhttps://github.com/joydo/d810\r\n[4] JSAC2024: Unmasking HiddenFace: MirrorFace's most complex backdoor yet\r\nhttps://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_2_8_Breitenbacher_en.pdf\r\n[5] JPCERT/CC: Tool Analysis Result Sheet: ntdsutil\r\nhttps://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm\r\n[6] JPCERT/CC: Tool Analysis Result Sheet: vssadmin\r\nhttps://jpcertcc.github.io/ToolAnalysisResultSheet/details/vssadmin.htm\r\nAppendix A: IoC\r\n45.66.217.106\r\n89.233.109.69\r\n45.77.12.212\r\n108.160.130.45\r\n207.148.97.235\r\n95.85.91.15\r\n64.176.214.51\r\n168.100.8.103\r\n45.76.222.130\r\n45.77.183.161\r\n207.148.90.45\r\n207.148.103.42\r\n2a12:a300:3600::31b5:2e02\r\n2001:19f0:7001:2ae2:5400:4ff:fe0a:5566\r\n2400:8902::f03c:93ff:fe8a:5327\r\n2a12:a300:3700::5d9f:b451\r\nAppendix B: Malware hash values (SHA-256)\r\nNOOPLDR Type1\r\n93af6afb47f4c42bc0da3eedc6ecb9054134f4a47ef0add0d285404984011072\r\nbcd34d436cbac235b56ee5b7273baed62bf385ee13721c7fdcfc00af9ed63997\r\n43349c97b59d8ba8e1147f911797220b1b7b87609fe4aaa7f1dbacc2c27b361d\r\n4f932d6e21fdd0072aba61203c7319693e490adbd9e93a49b0fe870d4d0aed71\r\n0d59734bdb0e6f4fe6a44312a2d55145e98b00f75a148394b2e4b86436c32f4c\r\n9590646b32fec3aafd6c648f69ca9857fb4be2adfabf3bcaf321c8cd25ba7b83\r\n572f6b98cc133b2d0c8a4fd8ff9d14ae36cdaa119086a5d56079354e49d2a7ce\r\nNOOPLDR Type2\r\n7a7e7e0d817042e54129697947dfb423b607692f4457163b5c62ffea69a8108d\r\n5e7cd0461817b390cf05a7c874e017e9f44eef41e053da99b479a4dfa3a04512\r\nb07c7dfb3617cd40edc1ab309a68489a3aa4aa1e8fd486d047c155c952dc509e\r\nAppendix C: MITRE ATT\u0026CK\r\nTable C-1: MirrorFace ATT\u0026CK mapping (Tactic | ID | Name | Description)\r\nInitial Access | T1133 | External Remote Services | Exploit a VPN product vulnerability to access the network\r\nExecution | T1053.005 | Scheduled Task/Job: Scheduled Task | Execute NOOPLDR from a scheduled task\r\nPersistence | T1053.005 | Scheduled Task/Job: Scheduled Task | Set a scheduled task to execute the malware automatically\r\nPersistence | T1543.003 | Create or Modify System Process: Windows Service | Register a service to execute the malware automatically\r\nPrivilege Escalation | T1134.002 | Access Token Manipulation: Create Process with Token | Manipulate access tokens to create a process\r\nDefense Evasion | T1055 | Process Injection | Inject NOOPDOOR into a legitimate EXE under C:\\Windows\\System32 and execute it there\r\nDefense Evasion | T1070.001 | Indicator Removal: Clear Windows Event Logs | Delete event logs\r\nDefense Evasion | T1070.004 | Indicator Removal: File Deletion | Delete malware and tools\r\nDefense Evasion | T1070.006 | Indicator Removal: Timestomp | Change file creation dates\r\nDefense Evasion | T1112 | Modify Registry | Store NOOPDOOR in the registry\r\nDefense Evasion | T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild | Use the legitimate MSBuild.exe to run a malicious XML file\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | Decrypt NOOPDOOR and execute it in the injected process\r\nDefense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Disable Windows Defender\r\nDefense Evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | Add a rule allowing communication on the ports NOOPDOOR uses\r\nDefense Evasion | T1564 | Hide Artifacts | Restrict access so that the services that autorun NOOPDOOR are not visible\r\nCredential Access | T1003 | OS Credential Dumping | Dump credentials from LSASS and NTDS.dit\r\nDiscovery | T1087 | Account Discovery | Collect account information\r\nDiscovery | T1083 | File and Directory Discovery | Collect file information\r\nLateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | Spread malware to other systems via SMB\r\nCollection | T1560.001 | Archive Collected Data: Archive via Utility | Compress data with WinRAR\r\nCollection | T1039 | Data from Network Shared Drive | Collect data stored on network shares\r\nCommand and Control | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | Change the C2 destination based on a DGA\r\nAppendix D: Enable \"Audit Detailed File Share\"\r\nThe audit policy on Windows can be configured in the Group Policy Editor (gpedit.msc locally, or the equivalent domain GPO). Enable it under Computer Configuration \u003e\u003e Windows Settings \u003e\u003e Security Settings \u003e\u003e Advanced Audit Policy Configuration \u003e\u003e System Audit Policies \u003e\u003e Object Access \u003e\u003e \"Audit Detailed File Share\" (Success). Because this subcategory logs one event per file access over SMB, expect a substantial increase in Security log volume on file servers and size the log accordingly.\r\nFigure 5: Group Policy Editor configuration\r\nSource: https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html"
	],
	"report_names": [
		"mirrorface-attack-against-japanese-organisations.html"
	],
	"threat_actors": [
		{
			"id": "e47e5bc6-9823-48b4-b4c8-44d213853a3d",
			"created_at": "2023-11-17T02:00:07.588367Z",
			"updated_at": "2026-04-10T02:00:03.453612Z",
			"deleted_at": null,
			"main_name": "MirrorFace",
			"aliases": [
				"Earth Kasha"
			],
			"source_name": "MISPGALAXY:MirrorFace",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af2a195b-fed2-4e2c-9443-13e9b08a02ae",
			"created_at": "2022-12-27T17:02:23.458269Z",
			"updated_at": "2026-04-10T02:00:04.813897Z",
			"deleted_at": null,
			"main_name": "Operation LiberalFace",
			"aliases": [
				"MirrorFace",
				"Operation AkaiRyū",
				"Operation LiberalFace"
			],
			"source_name": "ETDA:Operation LiberalFace",
			"tools": [
				"Anel",
				"AsyncRAT",
				"LODEINFO",
				"MirrorStealer",
				"UpperCut",
				"lena"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434202,
	"ts_updated_at": 1775791959,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/42b6d108211778e973a6ec2ee98a2e20ce0a7b96.pdf",
		"text": "https://archive.orkl.eu/42b6d108211778e973a6ec2ee98a2e20ce0a7b96.txt",
		"img": "https://archive.orkl.eu/42b6d108211778e973a6ec2ee98a2e20ce0a7b96.jpg"
	}
}