{
	"id": "ff27f777-f6bf-4a31-84ff-bc8454e9e6b0",
	"created_at": "2026-04-06T00:13:56.726795Z",
	"updated_at": "2026-04-10T13:11:27.463285Z",
	"deleted_at": null,
	"sha1_hash": "4bbbe2065d649f4d8f1841a88e9d1b2e244f426c",
	"title": "DADJOKE (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 29446,
	"plain_text": "DADJOKE (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 18:22:10 UTC\r\nDADJOKE was discovered as being distributed via email, targeting a South-East Asian Ministry of Defense. It is\r\ndelivered as an embedded EXE file in a Word document using remote templates and a unique macro using\r\nmultiple GET requests. The payload is deployed using load-order hijacking with a benign Windows Defender\r\nexecutable. Stage 1 has only beacon+download functionality, made to look like a PNG file. Additional analysis by\r\nKaspersky found 8 campaigns over 2019 and no activity prior to January 2019. DADJOKE is attributed with\r\nmedium confidence to APT40.\r\n[TLP:WHITE] win_dadjoke_auto (20251219 | Detects win.dadjoke.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.dadjoke\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.dadjoke\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.dadjoke"
	],
	"report_names": [
		"win.dadjoke"
	],
	"threat_actors": [
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434436,
	"ts_updated_at": 1775826687,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4bbbe2065d649f4d8f1841a88e9d1b2e244f426c.pdf",
		"text": "https://archive.orkl.eu/4bbbe2065d649f4d8f1841a88e9d1b2e244f426c.txt",
		"img": "https://archive.orkl.eu/4bbbe2065d649f4d8f1841a88e9d1b2e244f426c.jpg"
	}
}