{ "id": "43ee71bc-3636-4bda-b8d9-0539129a53b3", "created_at": "2026-04-06T00:19:32.336278Z", "updated_at": "2026-04-10T03:36:25.307054Z", "deleted_at": null, "sha1_hash": "4c67eff734757d5fa6e94edab87b7fc3da4cd4a9", "title": "CyberThreatIntel/China/APT/Chimera/Analysis.md at master · StrangerealIntel/CyberThreatIntel", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1442254, "plain_text": "CyberThreatIntel/China/APT/Chimera/Analysis.md at master ·\r\nStrangerealIntel/CyberThreatIntel\r\nBy StrangerealIntel\r\nArchived: 2026-04-02 11:14:30 UTC\r\nChimera, APT19 under the radar ?\r\nInitital approach\r\nAt the beginning I studied a suspicious DLL uploaded on Anyrun, this one have been tagged as\r\n\"Malformatted PE header\". By the fact that some Threat Actor let theirs DLL with an invalid header for\r\navoiding to correctly run in sandbox or in AV sandbox and modify it for run by a loader (side-loading with\r\nmultiples files [Header + DLL], script for rebuilding the header...).\r\nAs the first look, we can see the anomaly on the PE header based on redirection to a part of malware.\r\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md\r\nPage 1 of 23\n\nThe timestamp is valid if we compare to the other sections (proving that doesn't modified), the internal\r\nname in the import section and the exported functions are the same that used by Meterpreter as reflective\r\nloader method.\r\nOn seeing the assembly code of the header, we can see the multiples operation for parse by the stack pointer\r\nfor load the export section which content the Meterpreter shellcode.\r\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md\r\nPage 2 of 23\n\nWe can note the characteristic entrypoint of Cobalt Strike with the three accepts calls and one close socket.\r\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md\r\nPage 3 of 23\n\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md\r\nPage 4 of 23\n\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md\r\nPage 5 of 23\n\nWe can observe the SMB pipe used as pivoting method for the implant to run.\r\n0x18000a7be lea r8, [rbx + 8]\r\n0x18000a7c2 lea r9, str.s__pipe___s ; 0x180023a08\r\n0x18000a7c9 lea rdx, [rbx + 9]\r\n0x18000a7cd mov rcx, rax\r\n0x18000a7d0 mov qword [rsp + 0x28], r14\r\n0x18000a7d5 mov qword [rsi], rax\r\n0x18000a7d8 mov qword [rsp + 0x20], r15\r\n0x18000a7dd call fcn.180015054\r\n0x18000a7e2 mov rcx, qword [rsi + 8]\r\n0x18000a7e6 mov ebx, 0x57 ; 'W' ; 87\r\n0x18000a7eb lea rax, [rcx - 1]\r\n0x18000a7ef cmp rax, 0xfffffffffffffffd\r\n0x18000a7f3 ja 0x18000a812\r\n0x18000a7f5 lea rdx, [rsp + 0x450]\r\n0x18000a7fd xor r9d, r9d\r\n0x18000a800 xor r8d, r8d\r\n0x18000a803 mov dword [rsp + 0x450], edi\r\n0x18000a80a call qword [SetNamedPipeHandleState] ; 0x1800233f8 ; BOOL SetNamedPipeHandleState(HANDLE\r\n0x18000a810 jmp 0x18000a84b\r\nThis collects the system informations and format for send it the previous node.\r\n0x180007ff7 lea rcx, [rsp + 0x40]\r\n0x180007ffc mov edx, 0x104 ; 260\r\n0x180008001 call qword [GetSystemDirectoryW] ; 0x1800232a0 ; UINT GetSystemDirectoryW(LPWSTR lpBuffe\r\n0x180008007 test eax, eax\r\n0x180008009 je 0x1800080ba\r\n0x18000800f lea edx, [rsi + 0x5c]\r\n0x180008012 lea rcx, [rsp + 0x40]\r\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md\r\nPage 6 of 23\n\n0x180008017 mov dword [rsp + 0x480], 0x104 ; 260\r\n0x180008022 call fcn.180015078\r\n0x180008027 mov dword [rsp + 0x38], esi\r\n0x18000802b mov qword [rsp + 0x30], rsi\r\n0x180008030 lea r9, [rsp + 0x488]\r\n0x180008038 lea rcx, [rsp + 0x40]\r\n0x18000803d xor r8d, r8d\r\n0x180008040 xor edx, edx\r\n0x180008042 mov qword [rsp + 0x28], rsi\r\n0x180008047 mov word [rax + 2], si\r\n0x18000804b mov qword [rsp + 0x20], rsi\r\n0x180008050 call qword [GetVolumeInformationW] ; 0x1800232b0 ; BOOL GetVolumeInformationW(LPCWSTR lpR\r\n0x180008056 lea rdx, [rsp + 0x480]\r\n0x18000805e lea rcx, [rsp + 0x250]\r\n0x180008066 call qword [GetComputerNameW] ; 0x1800232b8 ; BOOL GetComputerNameW(LPWSTR lpBuffer, LPDW\r\n0x18000806c mov ecx, dword [rsp + 0x488]\r\n0x180008073 lea r8, [rsp + 0x250]\r\n0x18000807b movzx eax, cx\r\n0x18000807e mov qword [rsp + 0x30], r8\r\n0x180008083 shr ecx, 0x10\r\n0x180008086 mov edx, 0x104 ; 260\r\n0x18000808b mov dword [rsp + 0x28], eax\r\n0x18000808f mov dword [rsp + 0x20], ecx\r\n0x180008093 lea rcx, [rsp + 0x40]\r\n0x180008098 lea r9, str.04x__04x:_s ; 0x180023940 ; Format the data\r\n0x18000809f lea r8d, [rdx - 1]\r\nLooking at the TTPs and the anomaly on the PE header, I make the parallel with the APT chimera report, a\r\ngroup that targeted the semi-conductor sector in Taiwan. I had written the Yara rule with the full part of\r\nthe anomaly and posted on Twitter.\r\nHunting\r\nFew times after release a compact analysis, I think to use my Yara rule for hunting additionals samples with\r\ndifferents levels on condition, for detect if by example, a new variant reuse a part of the indicators (which\r\ncan be the oldest or more recent). By the way of improving this specter of results and reduce the load on the\r\nYara rule, I have removed a part of the anomaly just before the manipulation of the RSP (stack pointer).\r\nDue to the numbers of results, I had only got last month of hits on Virustotal but quickly some different\r\ntypes of Cobalt Strike are identified in two major famillies :\r\nWith the standard ReflectiveLoader reference in export table.\r\nHave not the reference but use custom way by ordinal or execute function.\r\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md\r\nPage 7 of 23\n\nThe last one has been splited between recent (2019-2020) and old (2017-2018) for links to the period of\r\nsamples analyzed on the chimera report (maybe a variant not analysed).\r\nThe first result in the compiled the informations on the samples in the different groups, show that multiple\r\npairs of samples can observed with the same VHash, date of compilation of the DLL and size of the files.\r\nVHash being based on imports, exports and the header for the PE, this insensitive unlike a simple\r\nmodification of an IP address of a payload and allow to confirm that reuse the code.\r\nNow, this the time that each analyst hate, the time to found the samples (Ask to Virustotal theirs prices for\r\nget the samples and cry). Fortunately, almost a sample of each pair could be found on the public sandbox\r\n(36 samples on 74).\r\nAt the first sample analysed, the sample content the same combo Cobalt Strike and Meterpreter but have a\r\npersistence method by .NET client by local IP, localhost (in the infrastructure) or with an external IP or\r\ndomain (initial compromisation point).\r\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md\r\nPage 8 of 23\n\nIn searching in the archives that match with the TTPs and the strings, I found the Yara rule of APT19 that\r\nuse a combo Cobalt Strike + Meterpreter as implant for pivoting the infrastructure of the victim.\r\nThis uses an well-known fileless UAC bypass using Event Viewer technique and maintain the persistence in\r\nthe key, this spawn a Meterpreter instance in loading the DLL inside the beacon, we can recognize the part\r\nfor initiating the communication in getting the system informations.\r\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md\r\nPage 9 of 23\n\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md\r\nPage 10 of 23\n\nBut now this beginning to become interesting, in comparing the both PE, we can observe a lot of differences\r\non the structures of the payload due to the comparison is between each byte on the sequence order but the\r\nstructure have common bytes in the anomaly in the header path.\r\nWe can see the differences on the implementation of the stack pointer in using destination index for copy\r\nthe data of the instructions for load the shellcode of the Meterpreter DLL.\r\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md\r\nPage 11 of 23\n\nAfter this I have created a little script for extract each first part of PE header (4D 5A to 00 00 00 0E), get all\r\nunique the signature, attribute an ID to the signature an this time, attribute all the ID generated to the\r\nsamples that have the same signature for display pairs of samples with the same modifications. On the\r\nresults, we note all the samples have splited in two sections in having the same similarities in the header of\r\nthe PE (here on the samples with content the ReflectiveLoader reference).\r\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md\r\nPage 12 of 23\n\nBy seeing the comparison between several samples of the same pair, we can note a code reuse at 98%\r\nbetween each sample, only the 2% which remains are due to the declaration or not of the IP address or\r\ndomain for the pivot. This explains by the fact of the sample as compiled at the same time or use the same\r\ntemplate like Cobalt Strike is a template that can be edited for use a custom DLL to load. Here on a pair of\r\nthe Chimera samples :\r\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md\r\nPage 13 of 23\n\nSame result on a pair of the APT19 samples :\r\nLiking said previously only the configuration change but the rest is the same due to this build on a template.\r\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md\r\nPage 14 of 23\n\nFew times after the report of APT19, the group have deleted the export reference in using ordinal way used\r\nfor allow to use the beacon of Cobalt Strike with a custom DLL. This has by example rename as \"execute\".\r\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md\r\nPage 15 of 23\n\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md\r\nPage 16 of 23\n\nThe group use this way only for changing the static reference in the export table but kept the Meterpreter\r\nDLL as implant to run.\r\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md\r\nPage 17 of 23\n\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md\r\nPage 18 of 23\n\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md\r\nPage 19 of 23\n\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md\r\nPage 20 of 23\n\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md\r\nPage 21 of 23\n\nSome samples tagged as APT 19 have the EICAR-TEST string to suggest a detection of a test software for\r\nthe SOC managers of the targeted companies.We must not forget that if now this technique can be trival\r\nand should be notified to fight against distraction measures towards the detection of the tool, in 2016 - 2017,\r\nit isn't so well known and was very effective during the pentests so for APT, I'll let you guess.\r\nThe most recent samples on the same family of APT 19 hide theirs references to the ReflectiveLoader\r\nreference in going to the Ordinal way for the custom DLL few time after have been reported by Threat\r\nIntelligences companies on theirs reports.The most recent Chimera samples have done the same\r\nmodification since 1st August 2020 in using External domain or IP, Internal IP or localhost for have an\r\nelevated session like on Active Directory machines.\r\nhttps://112.213.98.44:8443/yolZSbt0qhZjjGKOPOXInwsGAF4fh-ug_DJWthkcIw248sAYaksYdEMF9AfLWAxNLZeL0cqpKH90RWpcWyun\r\ntcp://192.168.233.129:4444\r\ntcp://hash-37257.portmap.io:37257\r\nDifficult to say if the both groups are the same but a lot of commons behaviour and TTPs can be observed. I\r\nestimated that more 200 samples have been detected by the Thor rule as Chimera in the last six months can\r\nbe also linked to APT19 samples that detected by the common part of the anomaly on the header. On\r\ncompiling all the data, we can see the common part and the little variant code but also that match with the\r\nVHash and pairs that we have detected at the beginning of the analysis.\r\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md\r\nPage 22 of 23\n\nA list of data that can be queried is available here\r\nIt should be remembered that the way groups linked to government work are sporadic groups linked only\r\nto a project like small teams. With this in mind, it is easy to recognize similarities because they are probably\r\nthe same people and as soon as there is a different news, this classed as a new APT group but nobody\r\nremembers Thrip, Calypso ... that use lot similatires with APT10 or APT3 but have just a RAT or a small\r\nmodification of a PE ?\r\nReferences\r\nMeterpreter - Memory Indicators, Detection \u0026 Tooling\r\nRef Yara APT19\r\nPrivileges and Credentials: Phished at the Request of Counsel\r\nCustom DLL injection with Cobalt Strike's Beacon Object Files\r\nSource: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md\r\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md\r\nPage 23 of 23\n\n https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md \nFew times after the report of APT19, the group have deleted the export reference in using ordinal way used\nfor allow to use the beacon of Cobalt Strike with a custom DLL. This has by example rename as \"execute\".\n Page 15 of 23", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md" ], "report_names": [ "Analysis.md" ], "threat_actors": [ { "id": "1f3cf3d1-4764-4158-a216-dd6352e671bb", "created_at": "2022-10-25T15:50:23.837615Z", "updated_at": "2026-04-10T02:00:05.322197Z", "deleted_at": null, "main_name": "APT19", "aliases": [ "APT19", "Codoso", "C0d0so0", "Codoso Team", "Sunshop Group" ], "source_name": "MITRE:APT19", "tools": [ "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "ec14074c-8517-40e1-b4d7-3897f1254487", "created_at": "2023-01-06T13:46:38.300905Z", "updated_at": "2026-04-10T02:00:02.918468Z", "deleted_at": null, "main_name": "APT10", "aliases": [ "Red Apollo", "HOGFISH", "BRONZE RIVERSIDE", "G0045", "TA429", "Purple Typhoon", "STONE PANDA", "Menupass Team", "happyyongzi", "CVNX", "Cloud Hopper", "ATK41", "Granite Taurus", "POTASSIUM" ], "source_name": "MISPGALAXY:APT10", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c4bc6ac9-d3e5-43f1-9adf-e77ac5386788", "created_at": "2022-10-25T15:50:23.722608Z", "updated_at": "2026-04-10T02:00:05.397432Z", "deleted_at": null, "main_name": "Thrip", "aliases": [ "Thrip" ], "source_name": "MITRE:Thrip", "tools": [ "PsExec", "Mimikatz", "Catchamas" ], "source_id": "MITRE", "reports": null }, { "id": "f88b16bc-df4b-48e7-ae35-f4117240ff24", "created_at": "2022-10-25T15:50:23.556699Z", "updated_at": "2026-04-10T02:00:05.312313Z", "deleted_at": null, "main_name": "Chimera", "aliases": [ "Chimera" ], "source_name": "MITRE:Chimera", "tools": [ "PsExec", "esentutl", "Mimikatz", "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "13354d3f-3f40-44ec-b42a-3cda18809005", "created_at": "2022-10-25T15:50:23.275272Z", "updated_at": "2026-04-10T02:00:05.36519Z", "deleted_at": null, "main_name": "APT3", "aliases": [ "APT3", "Gothic Panda", "Pirpi", "UPS Team", "Buckeye", "Threat Group-0110", "TG-0110" ], "source_name": "MITRE:APT3", "tools": [ "OSInfo", "schtasks", "PlugX", "LaZagne", "SHOTPUT", "RemoteCMD" ], "source_id": "MITRE", "reports": null }, { "id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98", "created_at": "2022-10-25T15:50:23.538608Z", "updated_at": "2026-04-10T02:00:05.378092Z", "deleted_at": null, "main_name": "Lotus Blossom", "aliases": [ "Lotus Blossom", "DRAGONFISH", "Spring Dragon", "RADIUM", "Raspberry Typhoon", "Bilbug", "Thrip" ], "source_name": "MITRE:Lotus Blossom", "tools": [ "AdFind", "Impacket", "Elise", "Hannotog", "NBTscan", "Sagerunex", "certutil" ], "source_id": "MITRE", "reports": null }, { "id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4", "created_at": "2023-01-06T13:46:38.269054Z", "updated_at": "2026-04-10T02:00:02.90356Z", "deleted_at": null, "main_name": "APT3", "aliases": [ "GOTHIC PANDA", "TG-0110", "Buckeye", "Group 6", "Boyusec", "BORON", "BRONZE MAYFAIR", "Red Sylvan", "Brocade Typhoon" ], "source_name": "MISPGALAXY:APT3", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f", "created_at": "2022-10-25T16:07:23.335869Z", "updated_at": "2026-04-10T02:00:04.547702Z", "deleted_at": null, "main_name": "APT 19", "aliases": [ "APT 19", "Bronze Firestone", "C0d0so0", "Checkered Typhoon", "Codoso", "Deep Panda", "G0009", "G0073", "Operation Kingslayer", "Red Pegasus", "Sunshop Group", "TG-3551" ], "source_name": "ETDA:APT 19", "tools": [ "Agentemis", "C0d0so0", "Cobalt Strike", "CobaltStrike", "Derusbi", "EmPyre", "EmpireProject", "Fire Chili", "PowerShell Empire", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "a0548d4e-edc2-40c1-a4e2-c1d6103012eb", "created_at": "2023-01-06T13:46:38.793461Z", "updated_at": "2026-04-10T02:00:03.102807Z", "deleted_at": null, "main_name": "Thrip", "aliases": [ "G0076", "ATK78" ], "source_name": "MISPGALAXY:Thrip", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ba9fa308-a29a-4928-9c06-73aafec7624c", "created_at": "2024-05-01T02:03:07.981061Z", "updated_at": "2026-04-10T02:00:03.750803Z", "deleted_at": null, "main_name": "BRONZE RIVERSIDE", "aliases": [ "APT10 ", "CTG-5938 ", "CVNX ", "Hogfish ", "MenuPass ", "MirrorFace ", "POTASSIUM ", "Purple Typhoon ", "Red Apollo ", "Stone Panda " ], "source_name": "Secureworks:BRONZE RIVERSIDE", "tools": [ "ANEL", "AsyncRAT", "ChChes", "Cobalt Strike", "HiddenFace", "LODEINFO", "PlugX", "PoisonIvy", "QuasarRAT", "QuasarRAT Loader", "RedLeaves" ], "source_id": "Secureworks", "reports": null }, { "id": "46a151bd-e4c2-46f9-aee9-ee6942b01098", "created_at": "2023-01-06T13:46:38.288168Z", "updated_at": "2026-04-10T02:00:02.911919Z", "deleted_at": null, "main_name": "APT19", "aliases": [ "DEEP PANDA", "Codoso", "KungFu Kittens", "Group 13", "G0009", "G0073", "Checkered Typhoon", "Black Vine", "TEMP.Avengers", "PinkPanther", "Shell Crew", "BRONZE FIRESTONE", "Sunshop Group" ], "source_name": "MISPGALAXY:APT19", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c", "created_at": "2025-08-07T02:03:24.631402Z", "updated_at": "2026-04-10T02:00:03.608938Z", "deleted_at": null, "main_name": "BRONZE MAYFAIR", "aliases": [ "APT3 ", "Gothic Panda ", "Pirpi", "TG-0110 ", "UPSTeam" ], "source_name": "Secureworks:BRONZE MAYFAIR", "tools": [ "Cookiecutter", "HUC Proxy Malware (Htran)", "Pirpi", "PlugX", "SplitVPN", "UPS", "ctt", "ctx" ], "source_id": "Secureworks", "reports": null }, { "id": "3c5b0e7e-2388-4b63-9b97-6b027bec4bf7", "created_at": "2023-01-06T13:46:39.068694Z", "updated_at": "2026-04-10T02:00:03.202867Z", "deleted_at": null, "main_name": "Calypso", "aliases": [ "BRONZE MEDLEY" ], "source_name": "MISPGALAXY:Calypso", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d", "created_at": "2025-08-07T02:03:24.595597Z", "updated_at": "2026-04-10T02:00:03.740023Z", "deleted_at": null, "main_name": "BRONZE FIRESTONE", "aliases": [ "APT19 ", "C0d0s0", "Checkered Typhoon ", "Chlorine ", "Deep Panda ", "Pupa ", "TG-3551 " ], "source_name": "Secureworks:BRONZE FIRESTONE", "tools": [ "9002", "Alice's Rabbit Hole", "Cobalt Strike", "Derusbi", "PlugX", "PoisonIvy", "PowerShell Empire", "Trojan Briba", "Zuguo" ], "source_id": "Secureworks", "reports": null }, { "id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a", "created_at": "2022-10-25T15:50:23.298889Z", "updated_at": "2026-04-10T02:00:05.316886Z", "deleted_at": null, "main_name": "menuPass", "aliases": [ "menuPass", "POTASSIUM", "Stone Panda", "APT10", "Red Apollo", "CVNX", "HOGFISH", "BRONZE RIVERSIDE" ], "source_name": "MITRE:menuPass", "tools": [ "certutil", "FYAnti", "UPPERCUT", "SNUGRIDE", "P8RAT", "RedLeaves", "SodaMaster", "pwdump", "Mimikatz", "PlugX", "PowerSploit", "ChChes", "cmd", "QuasarRAT", "AdFind", "Cobalt Strike", "PoisonIvy", "EvilGrab", "esentutl", "Impacket", "Ecipekac", "PsExec", "HUI Loader" ], "source_id": "MITRE", "reports": null }, { "id": "eaa8168f-3fab-4831-aa60-5956f673e6b3", "created_at": "2022-10-25T16:07:23.805824Z", "updated_at": "2026-04-10T02:00:04.754761Z", "deleted_at": null, "main_name": "Lotus Blossom", "aliases": [ "ATK 1", "ATK 78", "Billbug", "Bronze Elgin", "CTG-8171", "Dragonfish", "G0030", "G0076", "Lotus Blossom", "Operation Lotus Blossom", "Red Salamander", "Spring Dragon", "Thrip" ], "source_name": "ETDA:Lotus Blossom", "tools": [ "BKDR_ESILE", "Catchamas", "EVILNEST", "Elise", "Group Policy Results Tool", "Hannotog", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "PsExec", "Rikamanu", "Sagerunex", "Spedear", "Syndicasec", "WMI Ghost", "Wimmie", "gpresult" ], "source_id": "ETDA", "reports": null }, { "id": "13d9c5fc-af82-4474-90dd-188c4e40a399", "created_at": "2022-10-25T16:07:23.435079Z", "updated_at": "2026-04-10T02:00:04.601572Z", "deleted_at": null, "main_name": "Calypso", "aliases": [ "Bronze Medley" ], "source_name": "ETDA:Calypso", "tools": [ "Agent.dhwf", "Byeby", "Calypso RAT", "DCSync", "Destroy RAT", "DestroyRAT", "DoublePulsar", "EternalBlue", "EternalRomance", "FlyingDutchman", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "NBTscan", "OS_Check_445", "PlugX", "Quarks PwDump", "RedDelta", "SAMRID", "Sogu", "SysInternals", "TCP Port Scanner", "TIGERPLUG", "TVT", "Thoper", "Whitebird", "Xamtrav", "ZXPortMap", "nbtscan", "netcat" ], "source_id": "ETDA", "reports": null }, { "id": "3da47784-d268-47eb-9a0d-ce25fdc605c0", "created_at": "2025-08-07T02:03:24.692797Z", "updated_at": "2026-04-10T02:00:03.72967Z", "deleted_at": null, "main_name": "BRONZE VAPOR", "aliases": [ "Chimera ", "DEV-0039 ", "Thorium ", "Tumbleweed Typhoon " ], "source_name": "Secureworks:BRONZE VAPOR", "tools": [ "Acehash", "CloudDrop", "Cobalt Strike", "Mimikatz", "STOCKPIPE", "Sharphound", "Watercycle" ], "source_id": "Secureworks", "reports": null }, { "id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef", "created_at": "2022-10-25T16:07:23.455744Z", "updated_at": "2026-04-10T02:00:04.61281Z", "deleted_at": null, "main_name": "Chimera", "aliases": [ "Bronze Vapor", "G0114", "Nuclear Taurus", "Operation Skeleton Key", "Red Charon", "THORIUM", "Tumbleweed Typhoon" ], "source_name": "ETDA:Chimera", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "SkeletonKeyInjector", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434772, "ts_updated_at": 1775792185, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/4c67eff734757d5fa6e94edab87b7fc3da4cd4a9.pdf", "text": "https://archive.orkl.eu/4c67eff734757d5fa6e94edab87b7fc3da4cd4a9.txt", "img": "https://archive.orkl.eu/4c67eff734757d5fa6e94edab87b7fc3da4cd4a9.jpg" } }