{
	"id": "d1254afb-f594-447e-b273-d12c233c883f",
	"created_at": "2026-04-06T00:06:38.622919Z",
	"updated_at": "2026-04-10T13:12:01.226083Z",
	"deleted_at": null,
	"sha1_hash": "48db23b2a718e0c5a1a9e603bcf0423c5a3c8dea",
	"title": "Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1072648,
	"plain_text": "Burning Umbrella: An Intelligence Report on the Winnti Umbrella\r\nand Associated State-Sponsored Attackers\r\nPublished: 2018-05-03 · Archived: 2026-04-05 23:08:16 UTC\r\nNote: Indicators can be found in the PDF version of this report and our GitHub Detection IOC repository.\r\nKey Judgements\r\nWe assess with high confidence that the Winnti umbrella is associated with the Chinese state intelligence\r\napparatus, with at least some elements located in the Xicheng District of Beijing.\r\nA number of Chinese state intelligence operations from 2009 to 2018 that were previously unconnected\r\npublicly are in fact linked to the Winnti umbrella.\r\nWe assess with high confidence that multiple publicly reported threat actors operate with some shared\r\ngoals and resources as part of the Chinese state intelligence apparatus.\r\nInitial attack targets are commonly software and gaming organizations in the United States, Japan, South\r\nKorea, and China. Later stage high profile targets tend to be politically motivated or high value technology\r\norganizations.\r\nThe Winnti umbrella continues to operate highly successfully in 2018. Their tactics, techniques, and\r\nprocedures (TTPs) remain consistent, though they experiment with new tooling and attack methodologies\r\noften.\r\nOperational security mistakes during attacks have allowed us to acquire metrics on the success of some\r\nWinnti umbrella spear phishing campaigns and identify attacker location with high confidence.\r\nThe theft of code signing certificates is a primary objective of the Winnti umbrella’s initial attacks, with\r\npotential secondary objectives based around financial gain.\r\nReport Summary\r\nThe purpose of this report is to make public previously unreported links that exist between a number of Chinese\r\nstate intelligence operations. 
These operations and the groups that perform them are all linked to the Winnti\r\numbrella and operate under the Chinese state intelligence apparatus. Contained in this report are details about\r\npreviously unknown attacks against organizations and how these attacks are linked to the evolution of the Chinese\r\nintelligence apparatus over the past decade. Based on our findings, attacks against smaller organizations operate\r\nwith the objective of finding and exfiltrating code signing certificates to sign malware for use in attacks against\r\nhigher value targets. Our primary telemetry consists of months to years of full fidelity network traffic captures.\r\nhttps://401trg.com/burning-umbrella/\r\nPage 1 of 11\n\nThis dataset allowed us to investigate active compromises at multiple organizations and run detections against the\r\nhistorical dataset, allowing us to perform a large amount of external infrastructure analysis.\r\nBackground\r\nThe Winnti umbrella and closely associated entities have been active since at least 2009, with some reports of\r\npossible activity as early as 2007. The term \"umbrella\" is used in this report because current intelligence indicates\r\nthat the overarching entity consists of multiple teams/actors whose tactics, techniques, and procedures align, and\r\nwhose infrastructure and operations overlap. We assess that the different stages of associated attacks are operated\r\nby separate teams/actors; however, in this report we will show that the lines between them are blurred and that they\r\nare all associated with the same greater entity. The Winnti and Axiom group names were created by Kaspersky\r\nLab and Symantec, respectively, for their 2013/2014 reports on the original group. The name “Winnti” is now\r\nprimarily used to refer to a custom backdoor used by groups under the umbrella. Multiple sources of public and\r\nprivate threat intelligence have their own names for individual teams. 
For example, LEAD is a common alias for\r\nthe group targeting online gaming, telecom, and high tech organizations. Other aliases for related groups include\r\nBARIUM, Wicked Panda, GREF, PassCV, and others. This report details how these groups are linked together and\r\nserve a broader attacker mission. The many names associated with actors in the greater intelligence mission exist\r\nbecause each intelligence provider builds its naming on its own telemetry, which is typically unique and dependent\r\non its specific dataset. This report focuses heavily on networking related telemetry.\r\nWe assess with high confidence that the attackers discussed here are associated with the Chinese state intelligence\r\napparatus. This assessment is based on attacker TTPs, observed attack infrastructure, and links to previously\r\npublished intelligence. Their operations against gaming and technology organizations are believed to be\r\neconomically motivated in nature. However, based on the findings shared in this report we assess with high\r\nconfidence that the actor’s primary long-term mission is politically focused. It’s important to note that not all\r\npublicly reported operations related to Chinese intelligence are tracked or linked to this group of actors. However,\r\nTTPs, infrastructure, and tooling show some overlap with other Chinese-speaking threat actors, suggesting that the\r\nChinese intelligence community shares human and technological resources across organizations. We assess with\r\nmedium to high confidence that the various operations described in this report are the work of individual teams,\r\nincluding contractors external to the Chinese government, with varying levels of expertise, cooperating on a\r\nspecific agenda.\r\nIn 2015 the People’s Liberation Army of China (PLA) began a major reorganization which included the creation\r\nof the Strategic Support Force (SSF / PLASSF). SSF is responsible for space, cyber, and electronic warfare\r\nmissions. 
Some of the overlap we observed from groups could potentially be related to this reorganization.\r\nNotably, key incident details below include attacker mistakes that likely reveal the true location of some attackers\r\nas the Xicheng District of Beijing.\r\nTactics, Techniques, and Procedures (TTPs):\r\nThough the TTPs of the attacking teams vary depending on the operation, their use of overlapping resources\r\npresents a common actor profile. Key interests during attacks often include the theft of code signing certificates,\r\nsource code, and internal technology documentation. They also may attempt to manipulate virtual economies for\r\nfinancial gain. While unconfirmed, the financial secondary objective may be related to personal interests of the\r\nindividuals behind the attacks.\r\nInitial attack methods include phishing to gain entry into target organization networks. The group then follows\r\nwith custom malware or publicly available offensive tooling (Metasploit/Cobalt Strike), and may use a number of\r\nmethods to minimize their risk of being detected. Such techniques include a particular focus on “living off the\r\nland” by using a victim's own software products, approved remote access systems, or system administration tools\r\nfor spreading and maintaining unauthorized access to the network.\r\nWe have observed incidents where the attacker used other victim organizations as a proxy for unauthorized remote\r\naccess. In these cases, organization 1 had been compromised for a long period of time, and the attacker accessed\r\nvictim organization 2 via the organization 1 network.\r\nDelivery and C2 domains routinely have subdomains which resemble target organizations. Additionally, their C2\r\ndomains are used across many targets, while subdomains tend to be created and removed quickly and are unique\r\nto a particular target or campaign. 
Also noteworthy is that the actors set their domains to resolve to 127.0.0.1 when\r\nnot in use, similar to what was originally reported on by Kaspersky Lab (see below).\r\nThe actor often uses TLS encryption for varying aspects of C2 and malware delivery. As noted in the\r\n“Infrastructure Analysis” section of this report, the actor primarily abuses Let’s Encrypt to sign SSL certificates.\r\nWe also observed many cases in which self-signed certificates were used in attacks.\r\nOverall, the Winnti umbrella and linked groups are lacking when it comes to operational security. However, some\r\nactivities linked to these groups follow better operational security and infrastructure management approaches. This\r\nmay be a clue to the division of responsibilities by team and skill level within the broader organization.\r\nTargets:\r\nThe Winnti umbrella and linked groups’ initial targets are gaming studios and high tech businesses. They primarily\r\nseek code signing certificates and software manipulation, with potential financially motivated secondary\r\nobjectives. These targets have been identified in the United States, Japan, South Korea, and China.\r\nBased on the infrastructure, links to previous reporting, and recently observed attacks, the broader organization’s\r\nmain targets are political. 
Historically this has included Tibetan and Chinese journalists, Uyghur and Tibetan\r\nactivists, the government of Thailand, and prominent international technology organizations.\r\nOne example of a politically focused lure by the Winnti umbrella and linked groups is an end of 2017 document\r\ntitled “Resolution 2375 (2017) Strengthening Sanctions on DPR of KOREA” which is a malicious file associated\r\nwith the C2 infrastructure described here - see MD5: 3b58e122d9e17121416b146daab4db9d.\r\nSome Key Public Reports:\r\n2013:\r\nKaspersky Lab publicly reported on the original Winnti group, technical details around the Winnti samples, and\r\nvarious honeypot analysis methods. Most noteworthy is the Winnti umbrella’s targeting of gaming organizations\r\nin search of code signing certificates, virtual currencies, and updating mechanisms which could potentially be\r\nused to attack victims’ clients. Interestingly, this was the first identified trojan for the 64-bit Microsoft Windows\r\noperating system with a valid digital signature as noted by the author. The abuse of signed applications is a very\r\neffective attack approach that the entity continues to use.\r\n2014:\r\nNovetta released an outstanding report detailing “Operation SMN,” in which they collaborated with a number of\r\nprivate organizations on a large scale malware eradication operation which is linked to the original Winnti group\r\nby the malware being delivered. In the report, the actor is named Axiom. Novetta reported links to publications\r\nfrom as far back as 2009 that also link the group to the Chinese state intelligence apparatus with high confidence.\r\nLinks exist to various known attacks and actor groups, such as “Operation Aurora,” Elderwood Group’s successful\r\n2010 attack against Google and many other organizations. 
Another link exists to the successful compromise of the\r\nsecurity organization Bit9 in 2013, where their own product was used to sign and spread malware to their\r\ncustomers. In addition, FireEye’s “Operation DeputyDog” detailed attacks on Japanese targets from the same\r\nattacker infrastructure. Many other incidents are detailed in the Operation SMN report. Following all of these\r\ndetails back in time, we can see an overlap in TTPs and targets from the APT1 report by Mandiant, which serves\r\nas a great historical example of Chinese intelligence cyber operations in their most basic form.\r\n2016:\r\nCylance released a blog post reporting on digitally signed malware used in targeted attacks against gaming\r\norganizations in China, Taiwan, South Korea, Europe, Russia, and the United States. Cylance refers to the\r\nattacking entity as “PassCV” in their reporting. Cylance successfully identified a large quantity of malware\r\nbinaries which were signed with valid certificates stolen from a number of gaming studios in East Asia. In\r\naddition to detailing the individual certificates and signed malware, they identified a significant amount of\r\nnetwork infrastructure which contains various interesting links to our own findings.\r\n2017 - March/April:\r\nTrend Micro reported on attacks that abused GitHub for use in malware command and control, which they\r\nattributed to the original Winnti group. Amusingly, Trend Micro later reported on an individual linked to the group\r\nand the attacks who happens to be a fan of pigs.\r\n2017 - July 5th:\r\nCitizen Lab reported on attacks against journalists by an actor mimicking China-focused news organizations\r\nHK01, Epoch Times, Mingjing News, and Bowen Press. As Citizen Lab noted, these news organizations are\r\nblocked in China for their political views. 
The report notes that malware used in these attacks was linked to a\r\nstolen code signing certificate mentioned in the Cylance PassCV post. That overlap, in addition to infrastructure\r\nlinks from a Palo Alto Unit 42 blog post, strongly links this attack to the previously mentioned reports as well as\r\nto our own. As Unit 42 reports, the attacks against entities in the government of Thailand used the “bookworm”\r\ntrojan.\r\n2017 - July/October:\r\nProtectWise 401TRG published our own findings and an update on LEAD using open source and public tooling in\r\nattacks against Japanese gaming organizations. These attacks are linked with high confidence to ongoing\r\noperations in the United States and East Asia.\r\nOther Noteworthy Events:\r\nIn 2017, multiple supply-chain attacks occurred which had some similarities to the Winnti umbrella and associated\r\nentities. For example, Kaspersky reported on ShadowPad, a large-scale compromise of NetSarang, which\r\nresembles the Winnti and PlugX malware. 
In addition, Kaspersky and Intezer identified notable code similarities\r\nto the Winnti umbrella and APT17 in the compromise of Piriform, which allowed attackers to sign and spread\r\naltered versions of the CCleaner software to a large customer base.\r\nAnalysis of Attacks on Initial Targets\r\nThroughout 2017 and 2018, ProtectWise 401TRG was involved in a number of detection and incident response\r\nengagements with our customers that linked back to the Winnti umbrella and other closely associated entities.\r\nThrough the analysis of public and private intelligence, we have successfully identified similar attacks, which\r\nallow us to assess with high confidence that the details below follow a global attack trend as the Chinese\r\nintelligence operations have evolved over time.\r\n2017 Operations:\r\nOne of the most common tactics used by the Winnti umbrella and related entities is phishing users whose\r\ncredentials may provide elevated access to a target network. We have observed spear-phishing campaigns that\r\ntarget human resources and hiring managers, IT staff, and internal information security staff, which are generally\r\nvery effective.\r\nIn 2017 the entity focused most of its efforts around technical job applicant email submissions to software\r\nengineering, IT, and recruiting staff, which we originally reported on at our 401trg.com blog. The phishing lures\r\nused multiple languages, including Japanese as in the below example:\r\nThe approximate translation is as follows:\r\nI saw your job posting. My main languages are Object-C, JAVA, and Swift, and I have 7 years\r\nexperience with Ruby and 6 years experience with PHP. I have 5 years experience developing iOS apps,\r\nas well as Android apps, AWS, Jenkins, Microsoft Azure, ZendFramework, and smartphone application\r\npayment processing. 
I also have 5 years experience with MSSQL, Mysql, Oracle, and PostgreSQL.\r\nPlease see here: [malicious link]\r\nThe process that followed a target clicking the malicious link evolved as the attacker progressed through the\r\ncampaigns. The links consistently sent the victim to a fake resume, but the exact format of that resume changed\r\nover time; we have observed resumes being delivered as DOC, XLS, PDF, and HTML files. Once opened, the\r\nfake resumes performed various actions in an effort to download malware onto the victim host. During the same\r\ntime period, we also observed the actor using the Browser Exploitation Framework (BeEF) to compromise victim\r\nhosts and download Cobalt Strike. In this campaign, the attackers experimented with publicly available tooling for\r\nattack operations. During this infection process, the actor was known to check the target operating system and\r\ndeliver malware, signed by a previously stolen key, for the appropriate host environment. In some cases, valid\r\nApple certificates stolen from victims were used in this process, which linked the attack to additional victim\r\norganizations.\r\nPost-compromise actions by the attacker followed a common pattern. First they attempted to spread laterally in the\r\nnetwork using stolen credentials and various reconnaissance efforts, such as manually examining shares and local\r\nfiles. The primary goal of these attacks was likely to find code-signing certificates for signing future malware. The\r\nsecondary goals of the attackers depended on the type of victim organization, but were often financial. For\r\nexample, gaming organizations tended to fall victim to manipulation or theft of in-game virtual currencies. 
Non-gaming victims may have experienced theft of intellectual property such as user or technology data.\r\n2018 Operations:\r\nMore recently, various attack campaigns from the Winnti umbrella and associated groups have been very\r\nsuccessful without the use of any exploits or malware. Phishing remains the initial infection vector but the\r\ncampaign themes have matured. In 2018, the campaigns have largely been focused on common services such as\r\nOffice 365 and Gmail.\r\nIt is important to note that attackers likely have additional information on their target organizations' preferred\r\nemail solutions based on previous incidents or open source intelligence.\r\nIn more recent phishing campaigns conducted by the Winnti umbrella and associated groups, URL shortening\r\nservices have been used. For example, Google’s URL shortening service goo.gl was used over the past weeks,\r\nallowing us to gain insight into the scale of this campaign using publicly available analytics.\r\nAs you can see from the above screenshot, this particular phishing campaign ran from March 20th to March 28th,\r\n2018. Notably, the link was created on February 23rd, 2018, indicating roughly three weeks of preparation for the\r\nattacks. These metrics allow us to gain insight into who clicked the link in a phishing email and was directed to a\r\nphishing or malware delivery landing page. According to Google analytics, there were a total of 56 clicks. 29 were\r\nfrom Japan, 15 from the United States, 2 from India, and 1 from Russia. 33 of the clicks were from Google\r\nChrome, and 23 were from Safari. 
30 were from Windows OS hosts, and 26 were from macOS hosts.\r\nIn general, the attackers phish for credentials to a user’s cloud storage, and would be expected to later attempt\r\nmalware delivery in the cases of a failed credential phish or valueless cloud storage.\r\nIn cases where the victim uses O365 and/or G-suite for enterprise file storage, the attackers manually review the\r\ncontents for data of value. If code signing certificates are stored here, the primary mission has been accomplished,\r\nas they may be easily downloaded. In other cases, the attackers attempt to use other files and documentation in the\r\ncloud storage to help them traverse or gain privileges on the network. The targets in 2018 include IT staff, and\r\ncommonly sought out files include internal network documentation and tooling such as corporate remote access\r\nsoftware.\r\nOnce the attackers gain remote access to the network via malware or stolen remote access tooling and credentials,\r\nthe operation continues as we’ve seen, though their post-compromise actions have become more efficient and\r\nautomated. Internal reconnaissance is performed by scanning the internal network for open ports 80, 139, 445,\r\n6379, 8080, 10022, and 30304. The choice of ports by the attacker indicates a strong interest in internal web and\r\nfile storage services. An interesting addition is the use of 30304, which is the peer discovery port for Ethereum\r\nclients.\r\nIn the attackers’ ideal situation, all remote access occurs through their own C2 infrastructure, which acts as a\r\nproxy and obscures their true location. However, we have observed a few cases of the attackers mistakenly\r\naccessing victim machines without a proxy, potentially identifying the true location of the individual running the\r\nsession. 
In all of these cases, the net block was 221.216.0.0/13, the China Unicom Beijing Network, Xicheng\r\nDistrict.\r\nVisualizing Attacker Infrastructure\r\nBased on the various incidents we have been involved in, in addition to past public reporting and open-source\r\nintelligence, we can construct a map representing the infrastructure most closely associated with the Winnti\r\numbrella and closely related entities. For the sake of producing an accurate representation of the infrastructure, we\r\nare excluding any shared infrastructure (such as hosting provider IPs used for many unrelated domains) and low\r\nconfidence indicators. Please note this is not an exhaustive list of all active infrastructure in use by the group.\r\nAs detailed below, this infrastructure spans at least eight years of activity by the Winnti umbrella and related\r\ngroups. Please note, as this section heavily references the “Some Key Public Reports” section, above, we\r\nrecommend reading that first. Indicators are provided in Appendix A of PDF (see top of page).\r\n1. The area of the map labeled #1 is the phishing, malware delivery, fake resume, and C2 infrastructure. This\r\nincludes domains, IPs, malware hashes, SSL certificates, and WHOIS information. In this section of the\r\ninfrastructure, we primarily observe the network and file indicators which would be used against targets valued for\r\ncode signing certificates, software manipulation, and potential financial manipulation. The indicators detailed in\r\nthe 2017 \u0026 2018 Initial Target section of this report are located in #1. Infrastructure in this area is currently in use\r\nand not entirely historical.\r\n2. This area is a network that we assess is associated with the umbrella with low confidence. The most interesting\r\nfindings here are the large number of Let’s Encrypt SSL certificates in use and the overlap with attacker exclusive\r\ninfrastructure. 
This proposed relationship is generated by infrastructure links alone, as no malicious activity has\r\nbeen confirmed to or from region #2. Infrastructure in this area is currently in use and not historical.\r\n3. Area #3 is linked to the initial attack infrastructure (#1) by domain WHOIS details, likely from operational\r\nsecurity mistakes. We assess with high confidence that these infrastructures are linked. Based on the lax structure\r\nand naming of this section, it is highly probable that it is used for attacker experimentation and development. Some\r\nexamples include domains such as “nobody.will.know.whoami[.]la”, “secret.whoami[.]la”, and\r\n“no.ip.detect.if.using.ipv6[.]la”. Infrastructure in this area is currently in use and not historical.\r\n4. This area has various links to #3 in which an individual software developer is identified. We assess this\r\nconnection with low to medium confidence and will refrain from publicly sharing details in this report. This area\r\ncontains many personally operated domains and SSL certificates. Infrastructure in this area is currently in use and\r\nnot historical.\r\n5. Area #5 of the map is part of what Novetta reported on as Operation SMN in 2014. Infrastructure in this area is\r\npurely historical and based on Novetta’s reporting, which we can link to area #1 via known umbrella\r\ninfrastructure. The vast majority of indicators in this area are the many associated hashes, combined with their C2\r\ndestination domains and IPs.\r\n6. This area of the map is what Cylance reported on as PassCV in 2016. The vast majority of infrastructure and\r\nindicators here are stolen code signing certificates, malware signed with the certificates, and C2 domains. This\r\narea contains information on many victims of campaigns related to area #1. Infrastructure in this area is historical.\r\nWe assess that this area is linked to the Winnti umbrella with high confidence.\r\n7. 
This section represents infrastructure identified by Citizen Lab in their July 5th 2017 reporting on attacks\r\nagainst journalists. As they originally identified, one of the NetWire binaries was signed with a stolen certificate\r\nlinked to #6, the Cylance PassCV report. We were able to further expand this section by pivoting off of additional\r\ndomain WHOIS information.\r\n8. Lastly is area #8, which links back with high confidence to #7 (Citizen Lab reporting) and #6 (PassCV). This\r\narea consists of domains, IPs, MD5 file hashes, and further WHOIS operational security mistakes. This area is\r\nsimilar in functionality to #1 and #3, serving as infrastructure for both high-value politically focused attacks and\r\ndeveloper personal use. This section links to the online identities of an individual we assess to be associated with\r\nthe Winnti umbrella or a closely related group with medium to high confidence. Infrastructure in this area is\r\ncurrently in use and not historical. One example of malicious activity in this area was the document detailing the\r\nstrengthening of sanctions against North Korea, above. These activities are similar to the type of politically\r\nmotivated targeted attacks Citizen Lab reported on. Some infrastructure in this area is currently in use and is not\r\ncompletely historical.\r\nInvestigative Findings\r\nBased on incident response engagements, research into the associated attacker infrastructure, and previously\r\nreported research, we can summarize our findings as follows:\r\n1. The Chinese intelligence apparatus has been reported on under many names, including Winnti, PassCV, APT17,\r\nAxiom, LEAD, BARIUM, Wicked Panda, and GREF.\r\n2. The overlap of TTPs and infrastructure between the Winnti umbrella and other groups indicates the use of\r\nshared human and technology resources working towards an overarching goal. 
Operational security mistakes\r\nallow the linking of attacks on lower value targets to higher value campaigns. Reuse of older attack infrastructure,\r\nlinks to personal networks, and observed TTPs play a role in this overlap.\r\n3. The attackers behind observed activity in 2018 operate from the Xicheng District of Beijing via the net block\r\n221.216.0.0/13.\r\n4. Initial attack targets are commonly software organizations in the United States, Japan, South Korea, and China.\r\nLater stage high profile targets tend to be political organizations or high-value technology companies.\r\n5. The attackers grow and learn to evade detection when possible, but lack operational security when it comes to\r\nthe reuse of some tooling. Living off the land and adaptability to individual target networks allow them to operate\r\nwith high rates of success.\r\nConclusion\r\nWe hope the information we’ve shared in this report will help potential targets and known victims in addition to\r\nthe greater information security community. Though they have at times been sloppy, the Winnti umbrella and its\r\nassociated entities remain an advanced and potent threat. We hope that the information contained within this report\r\nwill help defenders thwart this group in the future.\r\nWe’d like to extend a special thank you to all the victims, targets, researchers, and security vendors who have\r\nshared their own findings over the years.\r\nIndicators\r\nIndicators can be found in the PDF version of this report and our GitHub Detection IOC repository. 
Enjoy!\r\nSource: https://401trg.com/burning-umbrella/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://401trg.com/burning-umbrella/ "
	],
	"report_names": [
		" "
	],
	"threat_actors": [
		{
			"id": "cea5ceec-0f14-4e34-bd0e-4074bc1a707d",
			"created_at": "2022-10-25T15:50:23.629983Z",
			"updated_at": "2026-04-10T02:00:05.362084Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"Group 72"
			],
			"source_name": "MITRE:Axiom",
			"tools": [
				"ZxShell",
				"gh0st RAT",
				"Zox",
				"PlugX",
				"Hikit",
				"PoisonIvy",
				"Derusbi",
				"Hydraq"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5",
			"created_at": "2022-10-25T15:50:23.269339Z",
			"updated_at": "2026-04-10T02:00:05.402835Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"APT17",
				"Deputy Dog"
			],
			"source_name": "MITRE:APT17",
			"tools": [
				"BLACKCOFFEE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4b076dcb-516e-42fb-9c8f-f153902cd5e9",
			"created_at": "2022-10-25T16:07:23.708745Z",
			"updated_at": "2026-04-10T02:00:04.720108Z",
			"deleted_at": null,
			"main_name": "Hidden Lynx",
			"aliases": [
				"Aurora Panda",
				"Group 8",
				"Heart Typhoon",
				"Hidden Lynx",
				"Operation SMN"
			],
			"source_name": "ETDA:Hidden Lynx",
			"tools": [
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"BlackCoffee",
				"HiKit",
				"MCRAT.A",
				"Mdmbot.E",
				"Moudoor",
				"Naid",
				"PNGRAT",
				"Trojan.Naid",
				"ZoxPNG",
				"gresim"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "27b56f48-7905-4da8-8d87-cea10adb1c6b",
			"created_at": "2022-10-25T16:07:24.044105Z",
			"updated_at": "2026-04-10T02:00:04.848898Z",
			"deleted_at": null,
			"main_name": "PassCV",
			"aliases": [],
			"source_name": "ETDA:PassCV",
			"tools": [
				"Agentemis",
				"AngryRebel",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Excalibur",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kitkiot",
				"Moudour",
				"Mydoor",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"PCRat",
				"RbDoor",
				"Recam",
				"RibDoor",
				"Sabresac",
				"Sensocode",
				"Winnti",
				"ZXShell",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a339e456-3f5a-40e9-b293-233281105e85",
			"created_at": "2022-10-25T15:50:23.260847Z",
			"updated_at": "2026-04-10T02:00:05.248583Z",
			"deleted_at": null,
			"main_name": "Elderwood",
			"aliases": [
				"Elderwood",
				"Elderwood Gang",
				"Beijing Group",
				"Sneaky Panda"
			],
			"source_name": "MITRE:Elderwood",
			"tools": [
				"PoisonIvy",
				"Naid",
				"Briba",
				"Hydraq",
				"Linfo",
				"Nerex",
				"Vasport",
				"Wiarp",
				"Pasam"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "adfbe698-24b2-41fc-a701-781fef330b16",
			"created_at": "2024-01-09T02:00:04.17648Z",
			"updated_at": "2026-04-10T02:00:03.504826Z",
			"deleted_at": null,
			"main_name": "GREF",
			"aliases": [],
			"source_name": "MISPGALAXY:GREF",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dda68b4f-a74a-42a0-b883-69c1dc1229a8",
			"created_at": "2023-01-06T13:46:38.528227Z",
			"updated_at": "2026-04-10T02:00:03.013713Z",
			"deleted_at": null,
			"main_name": "PassCV",
			"aliases": [],
			"source_name": "MISPGALAXY:PassCV",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5c74936a-79d1-41b8-81eb-01d03c90a26b",
			"created_at": "2022-10-25T16:07:23.371052Z",
			"updated_at": "2026-04-10T02:00:04.570621Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"G0001",
				"Group 72",
				"Operation SMN"
			],
			"source_name": "ETDA:Axiom",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"BleDoor",
				"Chymine",
				"Darkmoon",
				"DeputyDog",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"Poison Ivy",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Roarur",
				"SPIVY",
				"Sensocode",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"ZXShell",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "57d2c58d-0445-441f-b94f-99d217b9e3c4",
			"created_at": "2023-01-06T13:46:38.327743Z",
			"updated_at": "2026-04-10T02:00:02.930027Z",
			"deleted_at": null,
			"main_name": "Beijing Group",
			"aliases": [
				"Elderwood",
				"Elderwood Gang",
				"SIG22",
				"G0066",
				"SNEAKY PANDA"
			],
			"source_name": "MISPGALAXY:Beijing Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8386d4af-5cca-40bb-91d7-aca5d1a0ec99",
			"created_at": "2022-10-25T16:07:23.414558Z",
			"updated_at": "2026-04-10T02:00:04.588816Z",
			"deleted_at": null,
			"main_name": "Bookworm",
			"aliases": [],
			"source_name": "ETDA:Bookworm",
			"tools": [
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Scieron",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"ffrat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86fd71d3-06dc-4b73-b038-cedea7b83bac",
			"created_at": "2022-10-25T16:07:23.330793Z",
			"updated_at": "2026-04-10T02:00:04.545236Z",
			"deleted_at": null,
			"main_name": "APT 17",
			"aliases": [
				"APT 17",
				"ATK 2",
				"Beijing Group",
				"Bronze Keystone",
				"Deputy Dog",
				"Elderwood",
				"Elderwood Gang",
				"G0025",
				"G0066",
				"Operation Aurora",
				"Operation DeputyDog",
				"Operation Ephemeral Hydra",
				"Operation RAT Cook",
				"SIG22",
				"Sneaky Panda",
				"TEMP.Avengers",
				"TG-8153",
				"Tailgater Team"
			],
			"source_name": "ETDA:APT 17",
			"tools": [
				"9002 RAT",
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"Briba",
				"Chymine",
				"Comfoo",
				"Comfoo RAT",
				"Darkmoon",
				"DeputyDog",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Jumpall",
				"Kaba",
				"Korplug",
				"Linfo",
				"MCRAT.A",
				"McRAT",
				"MdmBot",
				"Mdmbot.E",
				"Moudour",
				"Mydoor",
				"Naid",
				"Nerex",
				"PCRat",
				"PNGRAT",
				"Pasam",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Naid",
				"Vasport",
				"Wiarp",
				"Xamtrav",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433998,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/48db23b2a718e0c5a1a9e603bcf0423c5a3c8dea.pdf",
		"text": "https://archive.orkl.eu/48db23b2a718e0c5a1a9e603bcf0423c5a3c8dea.txt",
		"img": "https://archive.orkl.eu/48db23b2a718e0c5a1a9e603bcf0423c5a3c8dea.jpg"
	}
}
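The records above list the same cluster of actors under several vendor names (MITRE, ETDA, MISP Galaxy, Secureworks), with overlapping alias and tool lists that differ in spelling and casing. The script below is an added example, not part of this page or of ORKL's own code: it parses a threat-actor array of this shape, merges records that share a normalized alias with a union-find, and unions their tool lists. The records embedded in it are a constructed subset copied from the entries on this page (the field names main_name, aliases, source_name, tools and deleted_at are the page's own; the trailing spaces in the Secureworks aliases are reproduced as they appear above). The `ignore` parameter is the practitioner's caveat: "GREF" is listed on this page both as an APT41/BRONZE ATLAS alias and as a Ke3chang alias, so naive transitive merging chains those groups together; excluding known-ambiguous aliases keeps the clusters honest.

```python
"""Alias resolution across vendor threat-actor records (added example)."""
from __future__ import annotations

import json
import re
from collections import defaultdict

# Constructed subset of the threat-actor entries on this page.
SAMPLE_JSON = r'''
[
  {"main_name": "APT41", "source_name": "MITRE:APT41", "deleted_at": null,
   "aliases": ["APT41", "Wicked Panda", "Brass Typhoon", "BARIUM"],
   "tools": ["PlugX", "Cobalt Strike", "ShadowPad", "Winnti for Linux"]},
  {"main_name": "Barium", "source_name": "ETDA:Barium", "deleted_at": null,
   "aliases": ["Brass Typhoon", "Pigfish", "Starchy Taurus"],
   "tools": ["Cobalt Strike", "CobaltStrike", "PlugX", "Winnti", "cobeacon"]},
  {"main_name": "BRONZE ATLAS", "source_name": "Secureworks:BRONZE ATLAS", "deleted_at": null,
   "aliases": ["APT41 ", "BARIUM ", "GREF", "Wicked Panda ", "Winnti"],
   "tools": ["Cobalt Strike", "ChinaChopper", "DUSTPAN"]},
  {"main_name": "Axiom", "source_name": "ETDA:Axiom", "deleted_at": null,
   "aliases": ["G0001", "Group 72", "Operation SMN"],
   "tools": ["HiKit", "Derusbi", "Gh0st RAT", "Ghost RAT", "PlugX"]},
  {"main_name": "Ke3chang", "source_name": "MITRE:Ke3chang", "deleted_at": null,
   "aliases": ["Ke3chang", "APT15", "Vixen Panda", "GREF"],
   "tools": ["Okrum", "Mimikatz", "MirageFox"]}
]
'''


def normalize(name: str) -> str:
    """Canonical key for an actor or tool name: case-folded, with whitespace,
    hyphens and underscores removed, so "Cobalt Strike", "CobaltStrike" and
    "APT41 " (trailing space) collide with their clean spellings."""
    return re.sub(r"[\s\-_]+", "", name.casefold())


def load_actors(text: str) -> list[dict]:
    """Parse either a bare threat-actor array or a document that carries one
    as some top-level list of objects with main_name (the key name is not
    assumed). Soft-deleted records (deleted_at set) are dropped."""
    data = json.loads(text)
    if isinstance(data, dict):
        for value in data.values():
            if isinstance(value, list) and value and isinstance(value[0], dict) \
                    and "main_name" in value[0]:
                data = value
                break
        else:
            raise ValueError("no threat-actor array found")
    return [r for r in data if r.get("deleted_at") is None]


def cluster_actors(records: list[dict], ignore=frozenset()) -> list[list[str]]:
    """Group records that share any alias (main_name counts), transitively.
    Names in `ignore` are never used as links: pass aliases that vendors apply
    to different groups so they cannot chain unrelated clusters together.
    Returns one list of source_name values per cluster."""
    skip = {normalize(n) for n in ignore}
    parent = list(range(len(records)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    def union(a: int, b: int) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    owner: dict[str, int] = {}  # normalized alias -> first record using it
    for idx, rec in enumerate(records):
        for name in [rec["main_name"], *rec.get("aliases", [])]:
            key = normalize(name)
            if not key or key in skip:
                continue
            if key in owner:
                union(owner[key], idx)
            else:
                owner[key] = idx

    groups: dict[int, list[int]] = defaultdict(list)
    for idx in range(len(records)):
        groups[find(idx)].append(idx)
    return [[records[i]["source_name"] for i in members] for members in groups.values()]


def cluster_tools(records: list[dict], cluster) -> list[str]:
    """Deduplicated tool list for the records whose source_name is in cluster.
    Spellings are merged by normalize(), keeping the first one seen."""
    seen: dict[str, str] = {}
    for rec in records:
        if rec["source_name"] in cluster:
            for tool in rec.get("tools", []):
                seen.setdefault(normalize(tool), tool)
    return sorted(seen.values(), key=str.casefold)


ACTORS = load_actors(SAMPLE_JSON)


def main() -> None:
    for ignore in (frozenset(), frozenset({"GREF"})):
        print(f"ignore={sorted(ignore)}")
        for cluster in cluster_actors(ACTORS, ignore):
            print("  ", cluster)
            print("     tools:", cluster_tools(ACTORS, cluster))


if __name__ == "__main__":
    main()
```

Run as-is it prints two clusterings: without an ignore list Ke3chang is pulled into the APT41/Barium/BRONZE ATLAS cluster through the shared "GREF" alias, with "GREF" ignored it stays separate, and Axiom stays separate either way because none of its aliases in this subset overlap. `normalize()` only catches casing, spacing and punctuation, so "Gh0st RAT" and "Ghost RAT" survive as two tools; leetspeak and transliteration variants need an explicit synonym table on top of this.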