{ "id": "dfb26e5a-fd1f-49bf-9c6a-152344c89172", "created_at": "2026-04-06T00:06:33.370786Z", "updated_at": "2026-04-10T03:33:20.161095Z", "deleted_at": null, "sha1_hash": "43aeb55296e8cd21ff13ec65ba4677154af6a9be", "title": "TA413 Uses Malicious Browser to Target Tibetan Organizations | Proofpoint US", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2837434, "plain_text": "TA413 Uses Malicious Browser to Target Tibetan Organizations |\r\nProofpoint US\r\nBy February 25, 2021 Michael Raggi and the Proofpoint Threat Research Team\r\nPublished: 2021-02-25 · Archived: 2026-04-05 13:16:13 UTC\r\nSince March 2020, Proofpoint Threat Research has tracked low volume phishing campaigns targeting Tibetan organizations\r\nglobally. In January and February 2021, we observed a continuation of these campaigns where threat actors aligned with the\r\nChinese Communist Party’s state interests delivered a customized malicious Mozilla Firefox browser extension that\r\nfacilitated access and control of users’ Gmail accounts. Proofpoint has named this malicious browser extension “FriarFox”.\r\nWe attribute this activity to TA413, who in addition to the FriarFox browser extension, was also observed delivering\r\nboth Scanbox and Sepulcher malware to Tibetan organizations in early 2021. Proofpoint has previously reported on\r\nSepulcher malware and its links to the Lucky Cat and Exile Rat malware campaigns that targeted Tibetan organizations. This\r\nactor is believed to be an APT group aligned with the Chinese state with strategic objectives associated with espionage and\r\ncivil dissident surveillance that includes the Tibetan Diaspora. This blog provides a detailed analysis of the JavaScript-based FriarFox browser extension, identifies TA413’s use of the Scanbox framework dating back to June 2020, and\r\nestablishes links to watering hole attacks that targeted Tibetan organizations in 2019. \r\nDelivery and Exploitation  \r\nIn late January 2021 a phishing email was detected which targeted several Tibetan organizations. The email impersonated\r\nthe “Tibetan Women's Association” in the From field and utilized the email subject “Inside Tibet and from the Tibetan exile\r\ncommunity”. Further the email was delivered from a known TA413 Gmail account that has been in use for several years,\r\nwhich impersonates the Bureau of His Holiness the Dalai Lama in India. The email contained the following malicious URL\r\nthat impersonated YouTube:  \r\nhxxps://you-tube[.]tv/  \r\nThis URL once clicked led to a fake “Adobe Flash Player Update” themed landing page which executes several JavaScript\r\n(“JS”) files which profile the user’s system. These scripts determine whether to deliver the malicious FireFox Browser\r\nextension (“.XPI” file) that Proofpoint has named “FriarFox”. XPI files are compressed installation archives used by various\r\nMozilla applications and contain the contents of a FireFox browser extension. The use of landing pages for JS redirection is\r\na technique commonly used in watering hole attacks. In this case, the domain is controlled by the threat actors, and the\r\nredirection is obtained via a malicious URL contained within a phishing email.  \r\n The installation and delivery of the FriarFox browser extension depends on several conditions of the user’s browsing state.\r\nThreat actors appear to be targeting users that are utilizing a Firefox Browser and are utilizing Gmail in that browser. The\r\nuser must access the URL from a FireFox browser to receive the browser extension. Additionally, it appeared that the user\r\nmust be actively logged in to a Gmail account with that browser to successfully install the malicious XPI file. Not all\r\ndetected FriarFox campaigns required an active Gmail session for the successful installation of the browser extension.\r\nAdditionally, Proofpoint analysts could not isolate the functionality that requires an active Gmail login session. Therefore,\r\nanalysts could not definitively determine if a Gmail login was an intended pre-condition of TA413 browser extension\r\ninstallation or if the resulting corrupt file installation error was attributable to another cause. The following three user states\r\nwere tested during Proofpoint’s research of the FriarFox extension. They account for use of varying browsers and Gmail\r\nlogin states tested when accessing the domain, you-tube[.]tv.  \r\nUser accesses the you-tube[.]tv URL with a non-FireFox browser and no Gmail Session  \r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global\r\nPage 1 of 12\n\nThe user is temporarily displayed the Adobe Flash Player landing page at you-tube[.]tv before being redirected to a\r\nlegitimate youtube[.]com login page that attempts to access an active domain cookie in use on the site. Actors may be\r\nattempting to leverage this domain cookie to access the user’s Gmail account in the instance that a GSuite federated login\r\nsession is used to log in to the user’s YouTube account. This user is not served the FriarFox browser extension.   \r\n Figure 01: YouTube redirect attempting to access domain cookie \r\nUser Accesses the you-tube[.]tv URL with a FireFox browser, but is not logged in to Gmail  \r\nThe user is displayed the Adobe Flash Player landing page and prompted to allow the installation of software from the site.\r\nIf the user clicks “Allow”, the browser indicates that the “add-on downloaded from you-tube[.]tv could not be installed\r\nbecause it appears to be corrupt.” The browser extension is served to the user but is not successfully installed. No redirect\r\noccurs. \r\nURL Request for FriarFox Browser Extension  \r\nhxxps://you-tube[.]tv/download.php  \r\n Figure 02: You-tube[.]tv landing page unsuccessful installation of FriarFox browser extension.  \r\nUser Accesses the you-tube[.]tv URL with a FireFox browser and is logged in to Gmail  \r\nThe user is served the FriarFox extension from hxxps://you-tube[.]tv/download.php. They are then prompted to allow the\r\ndownload of software from the site, and they are prompted to “Add” the browser extension named “Flash update\r\ncomponents” by approving the extension’s permissions. If the user clicks “Add” the browser redirects to the benign webpage\r\nhxxps://Tibet[.]net and the message “Flash update components has been added to Firefox.” Will appear in the upper right\r\ncorner of the browser.   \r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global\r\nPage 2 of 12\n\nFigure 03: Mozilla Firefox prompt to add malicious FriarFox browser extension. \r\n Figure 04: Browser redirect to Tibet[.]net and installation confirmation for FriarFox browser extension.  \r\nAfter the installation of the FriarFox browser extension, threat actors gain the following access to the user’s Gmail account\r\nand FireFox browser data included below. Additionally, FriarFox contacts a threat actor command and control server to\r\nretrieve the PHP and JS-based payload Scanbox. Here are the Gmail account functionality and FireFox browser\r\nattributes FriarFox attempts to collect:  \r\nGmail Access  \r\nSearch emails  \r\nArchive emails  \r\nReceive Gmail notifications  \r\nRead emails  \r\nAlter FireFox browser audio and visual alert features for the FriarFox extension  \r\nLabel emails  \r\nMarks emails as spam  \r\nDelete messages  \r\nRefresh inbox  \r\nForward emails  \r\nPerform function searches  \r\nDelete messages from Gmail trash  \r\nSend mail from compromised account  \r\nFireFox Browser Access – (Based on Granted browser permissions)  \r\nAccess user data for all websites.  \r\nDisplay notifications  \r\nRead and modify privacy settings  \r\nAccess browser tabs.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global\r\nPage 3 of 12\n\nFigure 05: FriarFox browser extension required permissions. \r\nAnalysis of the FriarFox Browser Extension \r\nThe FriarFox browser extension appears to be largely based on an open source tool named “Gmail Notifier (restartless)”.\r\nThis is a free tool available on Github, the Mozilla Firefox Browser ADD-ONS store, and the QQ App store among other\r\nlocations. It allows users to receive notifications and perform certain Gmail actions on up to five Gmail accounts that are\r\nactively logged in simultaneously. There are also versions of this tool that exist for Google Chrome and Opera, but\r\ncurrently FriarFox has been the only browser instance identified targeting FireFox browsers as an XPI file. In recent\r\ncampaigns identified in February 2021, browser extension delivery domains have prompted users to “Switch to the Firefox\r\nBrowser” when accessing malicious domains using the Google Chrome Browser. Further details on the tool’s capabilities\r\ncan be found below: \r\n \r\nFigure 06: Open Source Gmail Notifier (restartless) tool in Firefox Browser ADD-ONS \r\nhttps://addons.mozilla.org/en-US/firefox/addon/gmail-notifier-restartless/ \r\n(Gmail Notifier Demo Video) https://www.youtube.com/watch?v=5Z2huN_GNkA \r\nTA413 threat actors altered several sections of the open source browser extension Gmail Notifier to enhance its malicious\r\nfunctionality, conceal browser alerts to victims, and disguise the extension as an Adobe Flash related tool. The threat actors\r\nconceal FriarFox’s existence and their usage of the tool by altering the following:  \r\nThe PNG file icon appears as an Adobe Flash icon in the browser extension menu, replacing the Gmail icon from the\r\nstandard Gmail Notifier tool.    \r\nThe extension metadata description supports its appearance as a Flash update providing the description displayed in\r\nthe browser extension menu.    \r\nAll audio and visual browser alerts are set not to alert active users after the time of installation. This\r\nconceals FriarFox’s existence and threat actors’ usage from the affected victims.   \r\nThe legitimate Gmail Notifier browser extension consists of approximately 17 independent JS files and additional\r\nconfiguration files that enable functionality for viewing emails, archiving, marking emails as spam, labelling, deleting, and\r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global\r\nPage 4 of 12\n\nvisiting a user’s inbox for up to five accounts at a time. The FriarFox Browser Extension keeps the core functionality of this\r\ntool continuing to leverage many of these scripts in their original form, but also expands the functionality by adding three\r\nmalicious JavaScripts and expanding the maximum number of accounts that can be monitored.  \r\n \r\nFigure 07: FriarFox (modified Gmail Notifier) browser extension XPI directory with actor modifications \r\nTA413 actors added the malicious JS file “tabletView.js” to the existing Gmail Notifier tool. The goal of TA413 in adding\r\nthis file is likely to leverage an active domain cookie value to gain access to an affiliated Gmail account while also causing\r\ninfected users to contact an active Scanbox command-and-control server. This malicious file is responsible for redirecting\r\nusers to the YouTube account login page. This redirect may be an attempt by the threat actors to retrieve the domain cookie\r\nfrom an active YouTube login session that was achieved via a federated G-Suite login. The following URLs were generated\r\nby the script in tabletView.js:   \r\nhxxp://accounts.youtube[.]comhttps://accounts.youtube[.]com/_/AccountsDomainCookiesCheckConnectionHttp/jserror?\r\nscript=hxxps%3A%2F%2Findiatrustdalailama[.]com%2Ffile%2Fi%2F%3F5\u0026error=Permission%20denied%20to%20get%20property%20%22hre\r\norigin%20object\u0026line=61  \r\nAs part of this redirect script, an additional URL is visible. It contains the command-and-control domain information for the\r\nactor-controlled server indiatrustdalailama[.]com which delivers an encoded JavaScript payload Scanbox. Further analysis\r\nof the tabletView.js script indicates that this file is an altered version of a browser extension file created with the copyright\r\nbelonging to “Jason Savard”. Open source research indicates that this individual has created several browser extensions and\r\nplug-ins including a tool called Checker Plus for Gmail. This tool contains similar functionality to the Gmail Notifier tool\r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global\r\nPage 5 of 12\n\ndiscussed above. The presence of this unrelated copyright in the FriarFox browser extension files may indicate that actors\r\nhave historically experimented with similar tools before modifying the Gmail Notifier tool set.  \r\nIn addition to the redirection JavaScript that attempts to access cookies and communicate with Scanbox servers, threat actors\r\naltered an existing Gmail Notifier browser extension script to display the decoy domain hxxps://tibet[.]net in the browser\r\nupon initial FriarFox installation. This redirection was described earlier in the delivery section of this blog. The use of the\r\nlegitimate Tibet[.]net as a decoy domain further reinforces that the targets of this campaign were narrow and likely selected\r\nbased on their involvement with Tibetan organizations and the Tibetan exile community.   \r\n Lastly, actors also included an additional script entitled default.js that appears to add supplemental malicious capabilities to\r\nthe FriarFox extension that were not included in the initial open source Gmail Notifier tool. While the initial tool includes\r\nthe ability to check settings, access inbox, archive, mark as spam, delete messages, refresh inbox and mark as read, it does\r\nnot include features related to sending or responding to mail. The default.js script adds features like forwarding mail,\r\nperforming function searches, deleting mail, deleting Gmail trash, and sending mail from the compromised account. \r\n Figure 08: Default.js script detail “SendMail” Function \r\n \r\nFigure 09: Default.js script detail “FWmailandDelete” Function \r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global\r\nPage 6 of 12\n\nFigure 10: Default.js script detail “DeleteMail” Function \r\nAnalysis of ScanBox Malware \r\nAfter the FriarFox browser extension is installed, the JS file TabletView tabletView.js contacts an actor-controlled server to\r\nretrieve the Scanbox framework. Scanbox is a PHP and JavaScript-based reconnaissance framework that dates to 2014. Its\r\nusage of PHP and JS enables a file-less malware approach when targeting victims’ hosts. Scanbox is primarily used by\r\nChinese APT’s and shared across multiple groups. To a lesser degree, Scanbox has been reportedly used by OceanLotus, an\r\nAPT actor who supports the national interests of Vietnam but has no relevance to this analysis. Scanbox has been used in\r\nnumerous campaigns since 2014 to target the Tibetan Diaspora along with other ethnic minorities often targeted by groups\r\naligned with the Chinese state interests. The tool is capable of tracking visitors to specific websites, performing keylogging,\r\nand collecting user data that can be leveraged in future intrusion attempts. \r\nIn this campaign TabletView.js initiates a request to the actor-controlled domain indiatrustdalailama[.]com via port 443: \r\nhxxps://indiatrustdalailama[.]com:443/file/i?5 \r\nThe request specified in the URI path a project id (“/file/i?5”) which corresponds to the specific Scanbox project code. As a\r\nresult of this request encoded Scanbox JavaScript containing the Scanbox payload is returned in an HTTP response.\r\nFollowing the execution of the Scanbox JavaScript, the below “basicposturl” response can be observed which represents\r\nvictim information being posted to threat actor’s command and control server. This URL was first reported publicly in June\r\nof 2020 on VirusTotal by a user in India which suggests that this actor likely has been leveraging Scanbox against Tibetan\r\nrelated entities in the region since at least mid-2020: \r\nhxxps://indiatrustdalailama[.]com/file/i/recv.php \r\nIn addition to the “basicposturl”, traffic was observed which was identified as the Scanbox “basicliveurl” or the framework’s\r\nheartbeat indicating a live infection and connection with the actor command-and-control server. The Scanbox heartbeat URI\r\n“/file/i/s.php?” is followed by numerical Base64 encoded seed and “alivetime” values that are included in the URI. A\r\nsimulated example of this has been included below:  \r\n hxxps://indiatrustdalailama[.]com/file/i/s.php?\r\nseed=NlAxMFZ3NET3NjIxMCc2OEA=\u0026alivetime=MTYxNUd2NjF1MQ==\u0026r=0.6520957992508899 \r\nA partially decoded portion of the delivered Scanbox JavaScript has been included below. The\r\nstandard Scanbox configuration values first observed in a 2014 watering hole attack are available in open source and have\r\nbeen included on the right of Figure 11 for comparison. Note that the “basicpluginurl” and “basicposturlkeylogs” keys\r\nvisible in the configuration were not observed during Proofpoint analysis. \r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global\r\nPage 7 of 12\n\nFigure 11: Decoded Scanbox configuration comparison to standard Scanbox instance \r\nThe Scanbox code which is JavaScript delivered as part of an HTTP response is heavily encoded in its initial state. De-obfuscation of the JavaScript has proven to be a time intensive endeavor requiring an iterative process. The actors rely on\r\nthree primary layers of obfuscation for the JavaScript:   \r\n Firstly, the threat actors have converted the integer values of the Scanbox code to Base36 which designates these values as\r\nstrings using symbols “0-9” and “A-Z”. By reverting the integer values from their Base36 form we were able to de-obfuscate the decoding function present in the Scanbox JavaScript which details the second layer of obfuscation it uses. The\r\ndecoding function indicates that actors took an array of integers and generated ASCII character codes from each of them by\r\nsubtracting charset value 398 and then concatenating the resulting characters together. By performing the equivalent of the\r\ndecoding function on the integer array values analysts were able to de-obfuscate them. So finally, because of this de-obfuscation we were able to replace references to the array integer values with the corresponding decoded strings. Many of\r\nwhich were function values. This revealed a mostly decoded Scanbox code base.  \r\n In addition to these methods Proofpoint analysts were able to draw parallels between the encoded JavaScript and open\r\nsource examples of Scanbox code. This combination of separate efforts allowed for partial decoding of\r\nthe Scanbox JavaScript. \r\nFigure 12: Encoded Scanbox JavaScript with sections mapped to open source Scanbox code \r\n Figure 13: Scanbox decoding function with strings reverted from Base36 \r\n \r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global\r\nPage 8 of 12\n\nFigure 14: Decoded Scanbox Integer Array \r\nThe encoding used in this Scanbox code appears to be consistent with a historic instance of Scanbox used to target Pakistani\r\nand Tibetan government websites in March 2019. This campaign reported by Recorded Future detailed watering hole attacks\r\nthat delivered Scanbox after redirecting users from the domain tibct[.]net. That domain replicated the legitimate content\r\npresent on Tibet[.]net to entice victims who would be redirected to a Scanbox delivery domain. The FriarFox campaign also\r\nleveraged Tibet[.]net as a decoy redirection prior to delivering Scanbox via the malicious browser extension. While the\r\nvictimology, use of the Scanbox tool, and encoding are shared between these campaigns it is important to note again\r\nthat Scanbox is a shared tool in use since 2014. Proofpoint cannot definitively attribute the 2019 campaign reported by\r\nRecorded Future to TA413 at this time, but analysts note similar tactics have been used against the Tibetan Diaspora in the\r\nrecent past. \r\nLinks to Previous TA413 Campaigns \r\nIn addition to the observation of a known sender email address that has been used by TA413 in the Exile Rat campaign\r\ndating back several years, an examination of the FriarFox manifest.json file contained within the XPI archive indicated\r\nfurther ties to known TA413 activity. The manifest.json file included an update URL for the FriarFox browser extension.\r\nThe URL address hxxps://nagnsihistory[.]vip/update.json was included. The domain nangsihistory[.]vip had previously been\r\nobserved by Proofpoint in TA413 phishing campaigns targeting Tibetan organizations on January 12, 2021 and January 15,\r\n2021. The emails used the domain in the following URLs which delivered malicious RTF files that ultimately installed\r\nSepulcher malware.  \r\nhxxp://www.nangsihistory[.]vip/doc/Protect%20yourself%20and%20others%20from%20COVID-19(Masks).doc \r\nhxxp://www.nangsihistory[.]vip/doc/Self%20Immolations%20inside%20Tibet.doc \r\n  \r\nFigure 15: FriarFox Manifest.json update URL \r\nThe malicious RTF files utilized COVID-19 and self-immolation themed social engineering lures while also containing\r\nmalicious embedded objects that installed subsequent stage malware. The files appeared to be built by the well-known\r\nshared Chinese APT tool referred to as “Royal Road” in open source publications. Specifically, the embedded objects within\r\nthe Royal Road RTF’s in this campaign once extracted were found to be the Microsoft Word Add-In file “winor.wll”. This\r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global\r\nPage 9 of 12\n\nfile name has previously been observed as the embedded object file within Royal Road RTF attachments that are then\r\nexecuted by being saved to the Microsoft Word startup directory. Notably in March 2020 TA413 was observed using Royal\r\nRoad RTF attachments to deliver Sepulcher malware.  \r\n Figure 16: COVID-19 Themed TA413 Malicious RTF File \r\n Figure 17: Self Immolation Themed TA413 Malicious RTF File \r\nConclusion \r\nThe introduction of the FriarFox browser extension in TA413’s arsenal further diversifies a varied, albeit technically limited\r\nrepertoire of tooling. The use of browser extensions to target the private Gmail accounts of users combined with the delivery\r\nof Scanbox malware demonstrates the malleability of TA413 when targeting dissident communities. These communities\r\nhave a traditionally low barrier for compromise by threat actor groups and TA413 appears to be modulating their tools and\r\ntechniques while continuing to rely on proven social engineering techniques. Their degrees of success may vary among\r\nmore sophisticated targets, however, the limited resources afforded to dissident organizations globally may allow for success\r\nwith the patchwork of tooling and techniques TA413 displays. While not conventionally sophisticated when compared to\r\nother active APT groups, TA413 combines modified open source tools, dated shared reconnaissance frameworks, a variety\r\nof delivery vectors, and very targeted social engineering tactics. The result is that this group finds mileage from previously\r\ndisclosed tools like Scanbox and Royal Road by varying the method of their introduction to the victim environment. Apart\r\nfrom the custom toolsets observed in Exile Rat, Sepulcher, and other now dated implants, TA413 appears to be pivoting to\r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global\r\nPage 10 of 12\n\nmodified open source tooling to compromise the global dissident organizations they have been tasked with surveilling.\r\nUnlike many APT groups, the public disclosure of campaigns, tools, and infrastructure has not led to significant TA413\r\noperational changes. Accordingly, we anticipate continued use of a similar modus operandi targeting members of the Tibetan\r\nDiaspora in the future.   \r\nIndicators of Compromise \r\nIOC \r\nhxxps://you-tube[.]tv \r\nhxxps://you-tube[.]tv/download.php \r\nhxxps://vaccine-icmr[.]org/ \r\nhxxps://vaccine-icmr[.]net/ \r\nhxxp://accounts.youtube[.]comhxxps://accounts.youtube[.]com/_/AccountsDomainCookiesCheckConnectionHttp/jserror?\r\nscript=hxxps%3A%2F%2Findiatrustdalailama[.]com%2Ffile%2Fi%2F%3F5\u0026error=Permission%20denied%20to%20get%20property%20%22href%22\r\norigin%20object\u0026line=61 \r\nhxxps://indiatrustdalailama[.]com:443/file/i?5 \r\nhxxps://indiatrustdalailama[.]com/file/i/recv.php \r\nhxxps://indiatrustdalailama[.]com/file/i/s.php?seed=\u003cvalue\u003e=\u0026alivetime=\u003cvaue\u003e==\u0026r=\u003cvalue\u003e \r\nhxxp://www.nangsihistory[.]vip/doc/Protect%20yourself%20and%20others%20from%20COVID-19(Masks).doc \r\nhxxp://www.nangsihistory[.]vip/doc/Self%20Immolations%20inside%20Tibet.doc \r\nhxxps://167.179.99[.]136/Fw9f \r\nyou-tube[.]tv \r\nvaccine-icmr[.]org \r\nvaccine-icmr[.]net \r\nindiatrustdalailama[.]com \r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global\r\nPage 11 of 12\n\nwww.nangsihistory[.]vip \r\n115.126.6[.]47 \r\n118.99.9[.]47 \r\n167.179.99[.]136 \r\nd4bca797b5d40618dcf72ff471b325860bd1830cbd74012e9d643512f93c5778 \r\nb918318506cffe468bbe8bf57aacbe035fe1242dafc14696682c42656ffb2582 \r\n5adce130e28cfac30253f0532ffff0f80280af2f236234825a5954267e2fdc06 \r\n555ec25f872108af2daab488d8ec62c4e6a8c43c43a92cb572b0d2a7dc891bd1  \r\ne1501a0297a3d7fc326d3923fdc8f9156ed954602ba34e6b435158d39956dce4 \r\n91d19b7b44d4e286a40bd28e269e4d172b642ea792c018551bcc5ca8efceb54c \r\n0469df3f6a8d3e05927f0739e8af9c84e995e3813ad78e18c78a333cf086ef08  \r\n00099b0c4b664ed872ad4db5d28f2a0a1875a86c756f497562be825a7074757d \r\nET Signatures  \r\n2019094 ET EXPLOIT_KIT ScanBox Framework used in WateringHole Attacks Initial (POST) \r\n2019096 ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks KeepAlive\r\nSID: 2021542 ET EXPLOIT_KIT ScanBox Jun 06 2015 M1 T1\r\nSID: 2021543 ET EXPLOIT_KIT ScanBox Jun 06 2015 M2 T1\r\nSID: 2021544 ET EXPLOIT_KIT ScanBox Jun 06 2015 M3 T1\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global\r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global\r\nPage 12 of 12", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA", "MISPGALAXY", "Malpedia" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global" ], "report_names": [ "ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global" ], "threat_actors": [ { "id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4", "created_at": "2025-08-07T02:03:25.123407Z", "updated_at": "2026-04-10T02:00:03.668131Z", "deleted_at": null, "main_name": "ZINC EMERSON", "aliases": [ "Confucius ", "Dropping Elephant ", "EHDevel ", "Manul ", "Monsoon ", "Operation Hangover ", "Patchwork ", "TG-4410 ", "Viceroy Tiger " ], "source_name": "Secureworks:ZINC EMERSON", "tools": [ "Enlighten Infostealer", "Hanove", "Mac OS X KitM Spyware", "Proyecto2", "YTY Backdoor" ], "source_id": "Secureworks", "reports": null }, { "id": "7ea1e0de-53b9-4059-802f-485884180701", "created_at": "2022-10-25T16:07:24.04846Z", "updated_at": "2026-04-10T02:00:04.84985Z", "deleted_at": null, "main_name": "Patchwork", "aliases": [ "APT-C-09", "ATK 11", "Capricorn Organisation", "Chinastrats", "Dropping Elephant", "G0040", "Maha Grass", "Quilted Tiger", "TG-4410", "Thirsty Gemini", "Zinc Emerson" ], "source_name": "ETDA:Patchwork", "tools": [ "AndroRAT", "Artra Downloader", "ArtraDownloader", "AutoIt backdoor", "BADNEWS", "BIRDDOG", "Bahamut", "Bozok", "Bozok RAT", "Brute Ratel", "Brute Ratel C4", "CinaRAT", "Crypta", "ForeIT", "JakyllHyde", "Loki", "Loki.Rat", "LokiBot", "LokiPWS", "NDiskMonitor", "Nadrac", "PGoShell", "PowerSploit", "PubFantacy", "Quasar RAT", "QuasarRAT", "Ragnatela", "Ragnatela RAT", "SocksBot", "TINYTYPHON", "Unknown Logger", "WSCSPL", "Yggdrasil" ], "source_id": "ETDA", "reports": null }, { "id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6", "created_at": "2022-10-25T15:50:23.285448Z", "updated_at": "2026-04-10T02:00:05.282202Z", "deleted_at": null, "main_name": "Patchwork", "aliases": [ "Hangover Group", "Dropping Elephant", "Chinastrats", "Operation Hangover" ], "source_name": "MITRE:Patchwork", "tools": [ "NDiskMonitor", "QuasarRAT", "BackConfig", "TINYTYPHON", "AutoIt backdoor", "PowerSploit", "BADNEWS", "Unknown Logger" ], "source_id": "MITRE", "reports": null }, { "id": "3b1367ff-99dc-41f0-986f-4a1dcb41bbbf", "created_at": "2022-10-25T16:07:24.273478Z", "updated_at": "2026-04-10T02:00:04.918037Z", "deleted_at": null, "main_name": "TA413", "aliases": [ "White Dev 9" ], "source_name": "ETDA:TA413", "tools": [ "Exile RAT", "ExileRAT", "Sepulcher" ], "source_id": "ETDA", "reports": null }, { "id": "9792e41f-4165-474b-99fa-e74ec332bd87", "created_at": "2023-01-06T13:46:38.986789Z", "updated_at": "2026-04-10T02:00:03.172308Z", "deleted_at": null, "main_name": "Lucky Cat", "aliases": [ "TA413", "White Dev 9" ], "source_name": "MISPGALAXY:Lucky Cat", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "86182dd7-646c-49c5-91a6-4b62fd2119a7", "created_at": "2025-08-07T02:03:24.617638Z", "updated_at": "2026-04-10T02:00:03.738499Z", "deleted_at": null, "main_name": "BRONZE HOBART", "aliases": [ "APT23", "Earth Centaur ", "KeyBoy ", "Pirate Panda ", "Red Orthrus ", "TA413 ", "Tropic Trooper " ], "source_name": "Secureworks:BRONZE HOBART", "tools": [ "Crowdoor", "DSNGInstaller", "KeyBoy", "LOWZERO", "Mofu", "Pfine", "Sepulcher", "Xiangoop Loader", "Yahaoyah" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775433993, "ts_updated_at": 1775792000, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/43aeb55296e8cd21ff13ec65ba4677154af6a9be.pdf", "text": "https://archive.orkl.eu/43aeb55296e8cd21ff13ec65ba4677154af6a9be.txt", "img": "https://archive.orkl.eu/43aeb55296e8cd21ff13ec65ba4677154af6a9be.jpg" } }