{
	"id": "eb1e2b58-aba4-4579-a2f7-73a6356c04b5",
	"created_at": "2026-04-06T00:07:35.488539Z",
	"updated_at": "2026-04-10T03:37:19.242527Z",
	"deleted_at": null,
	"sha1_hash": "5007fb82a883c1ba9b478e5e613d028a4538c5b0",
	"title": "[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by Chi En Shen (Ashley) Oleg Bondarenko",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 126405,
	"plain_text": "[CB19] Cyber Threat Landscape in Japan – Revealing Threat in\r\nthe Shadow by Chi En Shen (Ashley) Oleg Bondarenko\r\nArchived: 2026-04-02 11:55:41 UTC\r\n1.\r\n2.\r\n©2019 FireEye©2019 FireEye OlegBondarenko • Director of International Threat Research at FireEye. •\r\nSupervises international collection and research capabilities with a goal of delivering raw threat data from\r\nnumerous sources from across the globe—including human intelligence, open sources, active community\r\nengagement, threat underground and criminal marketplaces, and real-time data collected from a variety of\r\ntechnical sources. • Previously served as Chief Researcher at iSIGHT Partners with a focus on building the firm’s\r\nglobal research capabilities in multiple languages and locations globally. • Actively participates in\r\ncommunications and collaboration within international communities. He is a co-organizer of UISGCON, a major\r\ninformation security conference in Ukraine. 2 Chi En (Ashley) Shen • Senior researcher at FireEye • Focuses on\r\nthreat intelligence research, threat hunting, malware analysis, reverse engineering, and targeted attack. •\r\nCofounder of “HITCON GIRLS” – the first security community for women in Taiwan. • Serves as a review board\r\nmember of Black Hat Asia, Blue Hat Shanghai and Hack in the Box conferences.\r\n3.\r\n©2019 FireEye©2019 FireEye §Recent Cyber Threat Trends § The Advance Persistent Threats § Underground\r\nThreats § Conclusion Agenda 3\r\n4.\r\n©2019 FireEye©2019 FireEye §Recent Cyber Threat Trends § The Advance Persistent Threats § Underground\r\nThreats § Conclusion Agenda 4\r\n5.\r\n©2019 FireEye |Private \u0026 Confidential Top 10 Malware Families Affecting National Governments (Q3 2019) 5\r\n6.\r\n©2019 FireEye |Private \u0026 Confidential Top 10 Malware Families. 2018-2019 Comparison. 
6 Europe 2018 World\r\n2018 World 2019 1 Pony Lokibot Emotet Emotet is modular credential theft Trojan 2 Emotet Emotet Lokibot\r\nLokibot is a credential stealer 3 Lokibot Pony Nanocore NanoCore is a publicly available RAT available for\r\npurchase 4 Formbook Chanitor Formbook FormBook is a data stealer/form grabber - keylogger 5 Chanitor\r\nFormbook Pony Pony is a credential stealer. Chanitor is a downloader malware that has been observed loading\r\nPony, Send-Safe spambot, Vawtrak, or Nymaim malware 6 NanoCore Ursnif Remcos Remcos is a configurable\r\nRAT program written in the C++ language that has a large number of implemented features, including: file\r\nmanagement, screen capture, access to clipboard data, command shell, arbitrary file access, mouse control, and\r\nhttps://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko\r\nPage 1 of 11\n\nmore 7 Zeus Nanocore Azorult AZORULT is a credential stealer. 8 Adwind Remcos Netwire NetWire is a RAT\r\ncapable of stealing a large number of account details, keylogged data, system information, screen captures, remote\r\nshell, downloads, reverse proxy and more 9 Ursnif Zeus Ursnif Ursnif (aka Gozi and, now, Gozi-ISFB) is a\r\nmodified modular banking malware with backdoor capabilities 10 Remcos Hawkeye Adwind Adwind is a Java-based, cross-platform RAT\r\n7.\r\n©2019 FireEye |Private \u0026 Confidential 7 Top 10 Malware Families. Emotet. ▶ Emotet is a modular credential\r\ntheft Trojan that primarily collects usernames and passwords for accounts at financial institutions. The malware\r\ndownloads and executes various modules from hard-coded C\u0026C servers. The modules are not written to disk but\r\nloaded directly from memory and include web browser and email client credential harvesters, an email scraper for\r\nMicrosoft Outlook, and a spam engine. 
FireEye iSIGHT Intelligence researchers have recently identified newer\r\nvariants of the Emotet malware that contain a self-propagation module and other notable host- and network-based\r\nindicator changes.\r\n8.\r\n©2019 FireEye |Private \u0026 Confidential 8 Top 10 Malware Families. Emotet. ▶ collects usernames and passwords\r\nfor accounts at financial institutions; ▶ downloads and executes various modules from hard-coded C2s; ▶ loaded\r\ndirectly from memory; ▶ include Web browser and email client credential harvesters, an email scraper for\r\nMicrosoft Outlook, and a spam engine; ▶ Secondary Payloads in 2018 - Trickbot, IcedID, and ZeusPanda;\r\n9.\r\n©2019 FireEye |Private \u0026 Confidential 9 Top 10 Malware Families. Emotet.\r\n10.\r\n©2019 FireEye |Private \u0026 Confidential 10 Top 10 Malware Families. Lokibot. ▶ LokiBot is a .NET launcher that\r\nexecutes an embedded credential stealer. It can download and then drop, load, or execute other binaries to the\r\nsystem. It is also designed to steal private data from infected machines, and then submit that information to a C\u0026C\r\nhost via HTTP POST. The compromised data includes stored passwords, login credential information from web\r\nbrowsers, FTP/SSH, email, poker clients, and a variety of cryptocurrency wallets. It is designed to work on\r\nWindows XP, Vista, 7, 8, and has a Linux option.\r\n11.\r\n©2019 FireEye |Private \u0026 Confidential 11 Top 10 Malware Families. LokiBot.\r\n12.\r\n©2019 FireEye |Private \u0026 Confidential 12 Top 10 Malware Families. LokiBot.\r\n13.\r\nhttps://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko\r\nPage 2 of 11\n\n©2019 FireEye |Private \u0026 Confidential 13 Top 10 Malware Families. FormBook. ▶ FormBook is a data\r\nstealer/form grabber that has been advertised on HackForums by its developer \"Ng. Coder\" since early 2016. 
The\r\nmalware injects itself into various processes and installs function hooks to log keystrokes, steal clipboard contents,\r\nand extract data from HTTP sessions. The malware can also execute commands from a C\u0026C server. The\r\ncommands include instructing the malware to download and execute files, start processes, shut down and reboot\r\nthe system, and steal cookies and local passwords. It also features a persistence method that randomly changes the\r\npath, filename, file extension, and the registry key used for persistence.\r\n14.\r\n©2019 FireEye |Private \u0026 Confidential 14 Top 10 Malware Families. FormBook. ▶ Coded in C and Assembly;\r\n▶ Lagos Island method; ▶ Persistence; ▶ Exe as a service; ▶ Ng.Coder\r\n15.\r\n©2019 FireEye |Private \u0026 Confidential 15 Top 10 Malware Families. FormBook.\r\n16.\r\n©2019 FireEye |Private \u0026 Confidential 16 Top 10 Malware Families. FormBook.\r\n17.\r\n©2019 FireEye |Private \u0026 Confidential Better Detection, More Evasion 17\r\n18.\r\n©2019 FireEye |Private \u0026 Confidential Multi-stage Sample Delivery \u0026 Hit and Run 18 § Increasing number of\r\nmulti-stage delivery. – Payload removed after compromised (sometimes in 2 days) – Increase the difficulty to do\r\nattribution. – Increase the difficulty to track. 
– Increase the difficulty of detection on the final payload.\r\nPayloadExploit DocumentsSpear-phishing Emails Script Downloader PE Downloader\r\n19.\r\n©2019 FireEye |Private \u0026 Confidential Old is the New Fashion – Macro +Script 19 Exploit Count Macro / Macro\r\n+ Script 43 CVE 2017-11882 27 Fake document EXE 21 CVE 2018-20250 4 CVE 2015-2545 3 HWP exploit 3\r\nCVE-2017-8291 2 LNK 2 CVE 2017-0199 1 CVE 2017-0261 1 CVE-2017-12824 1 CVE-2017-15399 1 Exploit\r\nCount Macro / Macro + Script 50 CVE 2017-11882 44 Fake document EXE 19 CVE 2017-0199 9 HWP exploit 8\r\nLNK + Script 5 CVE 2017-8570 5 CVE 2017-8291 4 Powershell 3 CVE 2012-0158 2 CVE 2015-1641 2 CVE\r\n2018-0802 2 2018 Jan – Oct (10 months) 2018 Nov – 2019 May ◆More MACRO documents than exploit ▶\r\nNeedless to embed the payload into document. (avoid detection) ▶ Encryption bypass static detection. ▶ Low\r\nsophisticated but still effective. ◆Frequently employ with Powershell script ▶ Because it is “POWER” shell ▶\r\nExecute directly in memory, leaving fewer trace for analysis (most org don’t enable logging) ▶ Mainly as\r\ndownloader to download 2nd stage payload\r\n20.\r\nhttps://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko\r\nPage 3 of 11\n\n©2019 FireEye |Private \u0026 Confidential Automobile 1% Cryptocurrency 6% Defense 3% Dissident/defect or 2%\r\nEducation 3% Energy 9% Finance 6% Gov 50% Healthcare 1% Media 1%NGO 1% Professional Service 1%\r\nResearch Institute 2% Telecommunicati on 3% Information Technology 10% TOTAL Increasing Targeted Attack\r\non IT, Cryptocurrency and Energy 20 Aerospace 1% Crytocurrency 1% Defense 1% Dissidents 1% Education 4%\r\nEnergy 2% Financial 8% Gov 60% Healthcare 1% Human Right 1% Media 3% NGO 1% Professional Service 1%\r\nSocial Enterprise 1% Technology 6% Telecom 6% Think Tank 2% Automobile 1% 2018 Jan – 2018 Oct 2018\r\nNov – 2019 May\r\n21.\r\n©2019 FireEye©2019 FireEye 
§Recent Cyber Threat Trends § The Advance Persistent Threats § Underground\r\nThreats § Conclusion / Takeaway Agenda 21\r\n22.\r\n23.\r\n©2019 FireEye |Private \u0026 Confidential Temp.Overboard (aka BlackTech) Group 23 ◆ Temp.Overboard’s target\r\nactive since at least 2016, main focus was Taiwan and Hong Kong before 2017. ◆ Starting from 2017 the group\r\nwas observed expanding target scale to include Japan and Europe. ◆ We also observed samples suspected target\r\nChinese financial institute. ◆ Targeted industry: ▶ Education/Academia/Research Institutions ▶\r\nMedia/Entertainment/Publishing ▶ Aerospace \u0026 Defense ▶ Governments ▶ Media ▶ Think tank ▶\r\nGovernment ▶ Telecommunication ▶ Conglomerate (Transportation)\r\n24.\r\n©2019 FireEye |Private \u0026 Confidential Malware Observed in Temp.Overboard’s Recent Campaigns 24 FIREEYE\r\nNaming JPCERT Naming Malware Type Description FRONTSHELL TSCOOKIE loader Launcher\r\nFRONTSHELL is a loader decrypts and loads the payload and inject into memory. TSCOOKIE TSCOOKIE\r\nDownloader TSCOOKIE is an MFC-based downloader with persistence capability. WORKMATE\r\nTSCOOKIERAT (overlap code) Backdoor WORKMATE is a backdoor which provides many commands\r\nincluding remote shell, command execution, file transfer, file searching, process enumeration and termination,\r\nwindow enumeration and closing, screen capture, and time stamp manipulation DRAWDOWN PLEAD\r\n(downloader) Downloader DRAWDOWN is a downloader that makes an HTTP request and decrypts and\r\ndecompresses the response. The results is expected to be a PE file that is manually loaded and executed.\r\nGOODTIMES PLEAD module Backdoor GOODTIMES will attempt to send a variety of information about the\r\ninfected host back to the C\u0026C . 
It has the ability to upload, download, execute and delete files, execute\r\ncommands, and gather system information CAVEMAN N/A Downloader CAVEMAN is a downloader that has the\r\nability to download and execute malware from a hardcoded C\u0026C server. TINYSHELL (public) Backdoor\r\nTINYSHELL is an open source unix backdoor. we observed a Tinyshell linux sample activity connecting to\r\nTEMP.Overboard infrastructure. ◆ Temp.Overboard’s most frequently used backdoor and downloader tools in\r\nrecent years.\r\n25.\r\nhttps://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko\r\nPage 4 of 11\n\n©2019 FireEye |Private \u0026 Confidential FRONTSHELL v.s. TSCOOKIE ? 25 Launcher Payload Injector\r\nFRONTSHELL. standalone Downloader Backdoor FRONTSHELL.fused Shellcode + DLL RC4 Encrypted File\r\nLoads FRONTSHELL. Injector (MyNewInjector_Atla ntis_[Mark].dll) TSCOOKIE (FrontShell_[Mark].dl l)\r\n(FrontShell_Avria.dll) WORKMATE Loads Downloads DLL DLLShellcode +\r\n26.\r\n27.\r\n28.\r\n©2019 FireEye |Private \u0026 Confidential Case 2: Thread Hijacking Email Target Japanese Conglomerate (April\r\n2019) 28 Targeted Company A Affiliate Company B ◆In April 2019, FireEye detected a spear-phishing email sent\r\nto Japanese conglomerate oversea office. ◆Based on the email content and targeted department, the actor is\r\npotentially interested in railway system. Actor XLSM Malicious macro encrypted with default password\r\n“VelvetSweatshop” TSCOOKIE\r\n29.\r\n©2019 FireEye |Private \u0026 Confidential 29 Embedded PE Extracted as OneDrive.exe Stolen certificate ◆Binary\r\nsigned with stolen certificate. 
(previous stolen certificate used by this group included D-link and Changin)\r\n◆C\u0026C: ▶ http://185.227.153.186/t3445851474.aspx ▶\r\nhttp://www.microsoftonline.com.organiccrap.com/t167918 7984.aspx\r\n30.\r\n©2019 FireEye |Private \u0026 Confidential Case 3: Sample Compiled in March 2019 linked to Old Campaign (2017)\r\n30 FRONTSHELL asiainfo.hpcloudnews.com 122.115.49.247 c2452dea557e3d6fc8ac61b8126f8ea2 ntt.capital-db.com acer.microsoftmse.com adc.microsoftmse.com chtd.microsoftmse.com dlink.microsoftmse.com\r\nhtctrans.microsoftmse.com hk.microsoftmse.com kr.microsoftmse.com sonet.microsoftmse.com Potential Target\r\nCountry NTT Japan Acer Taiwan Acer eDC Taiwan Chunghwa Telecom Co Taiwan D-link Taiwan HTC Taiwan\r\nHong Kong South Korea Sony Network Communications Inc. Japan, Taiwan\r\n31.\r\n32.\r\n©2019 FireEye |Private \u0026 Confidential SWEETCANDLE Downloader 32 ◆Also called ABK downloader\r\nbecause of the pdb string. ◆The downloader search for Trend Micro AV (PccNT.exe) and terminate it before\r\nrunning. ◆The downloader sends beacons includes CPU model information to C\u0026C server. 
▶ Examples: –\r\nhttp://\u003cserver\u003e//shop//img//marks_escrow//index.php?uid=\u003cDWORD_1 (ascii hex)\u003e\u003cDWORD_2 (ascii hex)\u003e\r\n◆If receive an ascii “y” from C\u0026C, it download a file (usually a fake picture) from C\u0026C to %TEMP% folder.\r\n◆Files observed downloaded by SWEETCANDLE downloader: ▶ Reconnaissance tool ▶ Benign Notepad.exe\r\nwith language zh-cn ▶ POISONPLUG\r\n33.\r\n©2019 FireEye |Private \u0026 Confidential Case1: Spear-phishing Email targeted Manufacturing and Financial\r\nIndustries in JP 33 Spear-phishing email Attachment 中国_投資概況.zip Password protected archive Contains\r\nhttps://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko\r\nPage 5 of 11\n\nPPSX 中国投資概況.ppsx CVE 2017-8759 Compromised C\u0026C Connects Download Malicious script forged as\r\nPNG Drops SWEETCANDLE Downloader Compromised C\u0026C Connect Download Reconnaissance Tool\r\n34.\r\n©2019 FireEye |Private \u0026 Confidential Reconnaissance Tool Downloaded by SWEETCANDLE 34 Also checks\r\nfor the Trend Micro OfficeScan antivirus process “PCCNTMon.exe” and terminates “PccNT.exe”. 
Using dir\r\ncommands to collect directory information Send result.txt to C\u0026C with HTTP Compromised server\r\nMD5:680f481a477a709b2ef4ddf66c25cdc0 PDB: c:usersxfdocumentsvisual studio\r\n2010Projects123Release123.pdb\r\n35.\r\n©2019 FireEye |Private \u0026 Confidential 35 PPSX 中国投資概況.ppsx CVE 2017-8759 Compromised C\u0026C\r\nConnects Download Malicious script forged as PNG Drops IRONHALO Downloader Variant Another Sample\r\nDownload a New Variant of IRONHALO Downloader Sample using same exploit, sharing same decoy File and\r\nfile name with SWEETCANDLE sample 0987a57e2da9294d7bb9bd798999efd2 www.114pr.co.kr\r\n36.\r\n©2019 FireEye |Private \u0026 Confidential 36 IRONHALO Downloader Variant IRONHALO in 2018:\r\na8ccb2fc5fec1b89f778d93096f8dd65 IRONHALO Variant: 0987a57e2da9294d7bb9bd798999efd2 Sample string\r\ncopy routine for different EXE file name IRONHALO Variant IRONHALO 2018 IRONHALO\r\nVariantIRONHALO 2018 Sample constant value for the size to read from C\u0026C Same decode routine, different\r\nB64 table IRONHALO Variant IRONHALO 2018 Both check MZ header before run Different User Agent\r\nIRONHALO 2018 IRONHALO Variant\r\n37.\r\n©2019 FireEye |Private \u0026 Confidential TTP Similar with TEMP.TICK Group 37 ◆Use compromised server as\r\n1st stage C\u0026C. ◆Enlarge malware binary to bypass detection. ◆Same targeted region (Japan). ◆Similar\r\ninterests in economic, banks, manufacturing, foreign affairs specially between US and China. ▶ Example lure\r\ntheme: – 中国投資概況 – 2019年昇給率参考資料 ◆Embedded 2nd stage malware in image files (JPG, IMG,\r\nPNG). ◆SWEETCANDLE potentially downloaded SPACEPANTS (aka Dapter)\r\n38.\r\n©2019 FireEye |Private \u0026 Confidential Case 2: Spear-phishing Email Targets Japanese Conglomerate 38 ◆In\r\nFebruary 2019, FireEye devices detected and blocked a malicious archive file sent via spear-phishing email to a\r\nJapanese conglomerate. ◆Sample leverage US-China Trade Friction-themed lure. 
◆The SWEETCANDLE\r\ndownloader was observed to download and execute a POISONPLUG variant SWEETCANDLE Downloader\r\nSpear-phishing email Fake document EXE Sender Email: shao.**@**-inc.co.jp POISONPLUG backdoor\r\n114.118.21.146 Attacker’s C\u0026C Attachment Contain Drops Connects Compromised C\u0026C Download\r\nwww.86coding.com (compromised server)%TEMP%taskmor.exe %APPDATA%MicrosoftInternet\r\nExplorerUserDatamscoree.dll\r\nhttps://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko\r\nPage 6 of 11\n\n39.\r\n©2019 FireEye |Private \u0026 Confidential Decoy dropped by fake PDF 39\r\n40.\r\n©2019 FireEye |Private \u0026 Confidential POISONPLUG Backdoor Variant 40 ◆POISONPLUG is a highly\r\nobfuscated modular backdoor with plug- in capabilities. The backdoor has been observed leveraged in APT41’s\r\ncampaign. ◆This variant of POISONPLUG has been recharacterized and many of the internal details have\r\nchanged, likely rendering existing signatures ineffective. Suspected attribution: China Overview: APT41 is a\r\nprolific cyber threat group that carries out Chinese state- sponsored espionage activity in addition to financially\r\nmotivated activity potentially outside of state control. ID Name Role 100 Root Loads / initializes plugins,\r\nexecutes Install plugin 101 Plugins Handles creation, removal, updating, and removal of plugins 102 Config\r\nCapable of reading, updating, and deleting config 103 Install Handles installation and removal of malware 104\r\nOnline Creates a C\u0026C thread capable of sending a host survey and random number between 0 and 31 201 HTTP\r\nPerforms C\u0026C communication\r\n41.\r\n©2019 FireEye |Private \u0026 Confidential C\u0026C Server Certificate Linked to Potentially APT41 41 ◆114.118.21.146\r\nused two self-signed SSL certificates serials. 
◆The two SSL certificates combined were associated to 4 servers\r\nattributed to APT41, connected by malware POISONPLUG. ◆1 was reported by Avast as being related to\r\nSHADOWPAD. 146.118.21.146 MyServer MyCA 117.16.142.35 POISONPLUG Backdoor attributed to APT41\r\n85.204.74.94 85.204.74.108 89.32.40.199\r\n42.\r\n©2019 FireEye |Private \u0026 Confidential PDB Found in This Case 42 Fake PDF Dropper\r\nC:UsersFrankDesktopABKReleasePretender.pdb SWEETCANDLE Downloader C:UsersFrankDesktopABK-oldReleaseABK.pdb POISONPLUG Dropper C:UsersFrankDocumentsVisual Studio\r\n2010ProjectsRunCasperReleaseRunCasper.pdb PDB Found in Other SWEETCANDLE Samples Dropper\r\nC:UsersFrankDesktopdoc_dllReleaseDocDll.pdb C:UsersFrankDesktopABKReleaseHidder.pdb\r\nSWEETCANDLE Downloader C:UsersXFDocumentsVisual Studio 2010ProjectsABKDLLReleaseABKDLL.pdb\r\nC:UsersXFDocumentsVisual Studio 2010ProjectsABKReleaseABK.pdb C:UsersFrankDesktopABK-oldReleaseABK.pdb C:UsersFrankDesktopABKReleaseABK.pdb C:UsersFrankDocumentsVisual Studio\r\n2010ProjectsavengerReleaseavenger.pdb Reconnaissance tool download by SWEETCANDLE\r\nc:usersxfdocumentsvisual studio 2010Projects123Release123.pdb\r\n43.\r\n©2019 FireEye |Private \u0026 Confidential Attribution? 43 ◆Connection to APT41: ▶ Same malware family ▶\r\nSimilar delivery method ▶ Overlapping infrastructure ◆Connection to Temp.TICK: ▶ Similar TTP ▶ Similar\r\ncode ▶ Potential connection with SPACEPANTS (aka Dapter) ◆Theories: A. TEMP.TICK also applied\r\nPOISONPLUG in their attack B. APT41 conducted all the SWEETCANDLE campaigns with similar TTP with\r\nTemp.TICK. C. 
SWEETCANDLE is a shared tool among Chinese APT group\r\nhttps://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko\r\nPage 7 of 11\n\n44.\r\n45.\r\n©2019 FireEye |Private \u0026 Confidential SOURCANDLE Downloader 45 ◆This sample is is a downloader that\r\nexecutes the decoded payload via a call to CreateProcess(). Also try to terminate Trend Micro Office Scan Client\r\nhttp://\u003cserver\u003e/phpcms/modules/block/block_modules.php?UID=\u003cencoded value\u003e\u0026ws=\u003cBase64 value\u003e\r\nHostname + MAC address XOR 0x01, 0x02, 0x03, 0x04, 0x05 Base64 encode Get system OS version Base64\r\nencoded\r\n46.\r\n©2019 FireEye |Private \u0026 Confidential SOURCANDLE Campaign Attack Vector 46 SOURCANDLE\r\nDownloader Spear-phishing email Attachment Connects Actor’s C\u0026C Exploit CVE 2017-11882 Document\r\nDropper SOURCANDLE Downloader Compromised C\u0026C ConnectsDropDrop RTLO TRICK Binary\r\nSOURCANDLE Downloader \u003cFile name\u003e\u003c202E\u003excod.scr Delivery Exploitation Social Engineering\r\n47.\r\n©2019 FireEye |Private \u0026 Confidential Leverage Chemical, 5G and Electronic as Lure 47 ◆Lure: ▶ カード管\r\n理体制TCL様.doc ▶ 亚洲化学工业现状研究.scr ▶ 各国の化学大手の5G材料分野における構築 ◆Target:\r\n▶ Japanese Chemical company ▶ Japanese Conglomerate\r\n48.\r\n©2019 FireEye |Private \u0026 Confidential SOURCANDLE Downloader 48 Block.css %TEMP%/Temp1.dat decode\r\nXOR 0x A9 decode %TEMP%/Temp2.dat offset Date type Data 0x00 int name_flag 0x04 int filesize 0x08\r\nwchar[0x8 0] filename 0x88 var len data, PE file expected Temp2.dat data structure The dropped files Value\r\nOperation 0x00 Write PE to %TEMP%temp3.dat, and then copied to %TEMP%\u003cattacker filename\u003e. Other Write\r\nPE to %TEMP%\u003cattacker filename\u003e • All Dat deleted after file write to the final destination. 
• File run with\r\nCreateProcess()\r\n49.\r\nLeverage the ExploitCVE-2017-11882 Document Template Shared among Other Groups Shellcode decode\r\nroutine Open Document Encoded (0xFC) Dropper (8.t) Drops into %temp% Shellcode decode \u0026 execute Malware\r\nCan be hunted by the RTF Object Dropper MD5: ac845ad6a5ac75842ead069f5daf29a1 MD5:\r\ned6c250309b7d60d03023ecce69f546a (8.t) C:UsersabcDocumentsVisual Studio\r\n2010Projects0103Release0103.pdb SOURCANDLE MD5: 5d105cd33be63400c9e36a9d74d1c564 Compromised\r\nC\u0026C\r\n50.\r\n©2019 FireEye |Private \u0026 Confidential The Shared Exploit Builder • Actually, shared among at least 3 different\r\ngroups. (APT40, Conimes team aka Goblin Panda, ICEFOG Operators) Threat Group Hash Malware Create Date\r\nAuthor Targeted Region APT40 d5a7dd7441dc2b05464a 21dd0c0871ff BEACON 2017-12-07 08:17:00 Windows\r\nUser USA Temp.CONIMES f223e4175649fa2e34271d b8c968db12 TEMPFUN 2018-01-15 14:47:00 Windows\r\nhttps://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko\r\nPage 8 of 11\n\nUser LAO Temp.CONIMES 07544892999b91ae2c928 0d8ee3c663a TEMPFUN 2018-01-17 09:04:00 Windows\r\nUser VNM Temp.CONIMES 45a94b3b13101c932a72d 89ff5eb715a TEMPFUN 2018-01-31 11:24:00 Windows\r\nUser VNM ICEFOG Operator 46d91a91ecdf9c0abc7355 c4e7cf08fc ICEFOG 2018-02-22 20:07:00 T TUR\r\nICEFOG Operator 80883df4e89d5632fa72a 85057773538 ICEFOG 2018-02-22 20:07:00 T KZ, RU\r\nSOURCANDLE Operator ac845ad6a5ac75842ead0 69f5daf29a1 SOURCANDL E 2019-01-24 13:24:00\r\nWindows [ U [ JP\r\n51.\r\n52.\r\n©2019 FireEye |Private \u0026 Confidential Case: Spear-phishing Campaign Targeted Japanese Conglomerate\r\nInvolved Energy Sector 52 Data Type Information Campaign timeframe June 2018 - November 2018 Associated\r\nActor APT33 Targeted Sectors Energy Utilities Insurance Manufacturing Higher education Chemical\r\nTelecommunication Targeted Country/Region Middle East US Japan South 
Korea. Delivery Method Spear-phishing + malicious link Malware Discovered METERPRETER, POSHC2, PUPYRAT, PowerShell Empire\r\nSuspected attribution: Iran Overview: APT33 has targeted organizations, spanning multiple industries,\r\nheadquartered in the U.S., Saudi Arabia and South Korea. APT33 has shown particular interest in organizations in\r\nthe aviation sector involved in both military and commercial capacities, as well as organizations in the energy\r\nsector with ties to petrochemical production.\r\n53.\r\n©2019 FireEye |Private \u0026 Confidential Case: Spear-phishing Campaign Targeted Japanese Conglomerate\r\nInvolved Energy Sector 53 Spear-phishing email Subject: Job Opening Sender Email: careers@[REDACTED].ga\r\njobs@[REDACTED].ga Malicious link HTA HTA Script\r\nhttp://[REDACTED]..ddns.net:880/SIPCHEMJobOpenning.hta Decoded PowerShell Download POSHC2\r\nPUPYRAT PowerShell Empire Create task to download payloads at different time\r\n54.\r\n55.\r\n©2019 FireEye |Private \u0026 Confidential Other APT Activities 55 Group Recent Activity Timeframe Recent\r\nActivity APT28 Nov 2018 – Jan 2019 Leverage TRICKSHOW samples to target suspected Japan Military.\r\nFALLOUT (aka Darkhotel) Feb, 2018 Targeted Japanese media industry with SANNY sample APT32 April, 2019\r\nLeverage METALJACK and ASEAN related decoy to target suspected Japan. APT10 N/A Since the indictment,\r\nmonitoring of numerous attack surfaces, sensitive-source feeds, public repositories, and open-source reporting has\r\nnot resulted in the detection of new APT10 activity. North Korea nexus July, 2019 Actor leveraged LEADLIFT\r\n(aka Dtrack) backdoor targeted Japanese manufacturing company. 
Unknown July, 2019 Leveraged “北朝鮮非核\r\n化の行方と制裁の課題” as lure with ZEROCHECKER downloader to target Japanese research institute.\r\n56.\r\n©2019 FireEye©2019 FireEye §Recent Cyber Threat Trends § The Advance Persistent Threats § Underground\r\nThreats § Conclusion Agenda 56\r\n57.\r\nhttps://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko\r\nPage 9 of 11\n\n58.\r\n©2019 FireEye©2019 FireEye Threattracking. Compromised databases. October 2018-March 2019 58 Advertised\r\ndatabases by country Advertised databases by industry\r\n59.\r\n60.\r\n61.\r\n©2019 FireEye©2019 FireEye 61 Accessto your infrastructure. Fxmsp – POS Terminals in Europe, MENA, and\r\nSouth Asia; – Government Establishment in UAE; – UAE-based lighting company; – Access to 3 AV companies;\r\nAntony Moricone/BigPetya: – Back after some time; – Access to UAE-based mining company; – Hotel in\r\nPhilippines; – Aircraft manufacturer;\r\n62.\r\n©2019 FireEye©2019 FireEye Actor Numberof Databases Advertised Between Oct. 2018 and March 2019\r\nForum/Language Reputation Gnosticplayers 37 Dream Market/English New Downloading 18 RAID/English New\r\nLenfoire 14 Dream Market/English Established the.joker 10 Jabber/English \"Trusted Seller\" NetFlow 6\r\nExploit.in/Russian Established KelvinSecurity 6 RAID and Facebook/Spanish and English Established DB ads\r\nposted by the most prolific actors 62\r\n63.\r\n64.\r\n©2019 FireEye©2019 FireEye 64 Accessto your infrastructure. PII leak ▶ Japanese PII on Chinese Underground\r\nback in 2017-2018; ▶ Extremely low price point - ¥1,000 CNY;\r\n65.\r\n66.\r\n©2019 FireEye©2019 FireEye 66 MobileMalware. Cerberus ▶ RAT, Android bot rental service that includes\r\nbanking Trojan capabilities. 
▶ Available for a larger audience since June 2019; ▶ Price: $2000-$12000; ▶\r\nTargets: – jp.coxxxxxk.android.html jp.co.rxxxxx_bank.rxxxxxxbank.html\r\n67.\r\n68.\r\n©2019 FireEye©2019 FireEye 68 ATMJackpotting Operations ▶ ATM jackpotting kit in August 2019: – Based\r\non Raspberry Pi; – RCE in Diebold Nixdorf ATMs; ▶ Actors are seeking for partnerships; ▶ Original software\r\nATM NCR and Wincor with a wired lifetime key; ▶ Known targeting across India, Taiwan and Japan;\r\n69.\r\n©2019 FireEye©2019 FireEye §Recent Cyber Threat Trends § The Advance Persistent Threats § Cyber Crime and\r\nUnderground Threats § Conclusion Agenda 69\r\nhttps://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko\r\nPage 10 of 11\n\n70.\r\n©2019 FireEye Conclusion 70 § Espionageactors from various countries still having a lot interests in targeting\r\nJapan. § With the improving dwell time, actor are devoting extra effort on bypassing detection products. §\r\nOrganizations should consider thread hijacking as a possible attack vector in their red/blue/purple team scenarios.\r\n§ We see actor shows increasing interests in chemical, 5G technology, manufacturing and energy sectors. §\r\nInternational events such as the 2019 Rugby World Cup and the 2020 Tokyo Olympics / Paralympics will continue\r\nto attract attack groups to Japan. § The threat hunting and monitoring should not overlook the underground forums\r\naspect.\r\n71.\r\nAlso Credit toour awesome collogues and friends! Thanks for your help Dominik Weber, Marcos Alvares Barbosa\r\nJunior, Cian Lynch, Nobuya Chida, Alex C. 
Lanstein, Jacob Christie Jakub Jozwiak,\r\n72.\r\nSource: https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-ol\r\neg-bondarenko\r\nhttps://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko\r\nPage 11 of 11\n\nThreats § Conclusion 5. Agenda 4    \n©2019 FireEye |Private \u0026 Confidential Top 10 Malware Families Affecting National Governments (Q3 2019) 5\n6.      \n©2019 FireEye |Private \u0026 Confidential Top 10 Malware Families. 2018-2019 Comparison. 6 Europe 2018 World\n2018 World 2019 1 Pony Lokibot Emotet Emotet is modular credential theft Trojan 2 Emotet Emotet Lokibot\nLokibot is a credential stealer 3 Lokibot Pony Nanocore NanoCore is a publicly available RAT available for\npurchase 4 Formbook Chanitor Formbook FormBook is a data stealer/form grabber-keylogger 5 Chanitor \nFormbook Pony Pony is a credential stealer. Chanitor is a downloader malware that has been observed loading\nPony, Send-Safe spambot, Vawtrak, or Nymaim malware 6 NanoCore Ursnif Remcos Remcos is a configurable \nRAT program written in the C++ language that has a large number of implemented features, including: file\nmanagement, screen capture, access to clipboard data, command shell, arbitrary file access, mouse control, and\n   Page 1 of 11",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko"
	],
	"report_names": [
		"cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33",
				"Elfin",
				"HOLMIUM",
				"MAGNALIUM",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451"
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1609af91-e258-4058-9caa-59e7d171aecb",
			"created_at": "2022-10-25T16:07:24.491691Z",
			"updated_at": "2026-04-10T02:00:05.008935Z",
			"deleted_at": null,
			"main_name": "Gnosticplayers",
			"aliases": [],
			"source_name": "ETDA:Gnosticplayers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ab5dc2a3-16dc-421e-af45-d60c8b4aafac",
			"created_at": "2023-01-06T13:46:39.012588Z",
			"updated_at": "2026-04-10T02:00:03.180595Z",
			"deleted_at": null,
			"main_name": "Fxmsp",
			"aliases": [],
			"source_name": "MISPGALAXY:Fxmsp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "56d15cc7-f9c1-451f-bdde-8c283e3cf15b",
			"created_at": "2023-01-06T13:46:39.015288Z",
			"updated_at": "2026-04-10T02:00:03.181411Z",
			"deleted_at": null,
			"main_name": "Gnosticplayers",
			"aliases": [],
			"source_name": "MISPGALAXY:Gnosticplayers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06",
				"ATK52",
				"CTG-1948",
				"DUBNIUM",
				"DarkHotel",
				"Fallout Team",
				"Shadow Crane",
				"Zigzag Hail"
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10",
				"CTG-5938",
				"CVNX",
				"Hogfish",
				"MenuPass",
				"MirrorFace",
				"POTASSIUM",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda"
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5d9dfc61-6138-497a-b9da-33885539f19c",
			"created_at": "2022-10-25T16:07:23.720008Z",
			"updated_at": "2026-04-10T02:00:04.726002Z",
			"deleted_at": null,
			"main_name": "Icefog",
			"aliases": [
				"ATK 23",
				"Dagger Panda",
				"Icefog",
				"Red Wendigo"
			],
			"source_name": "ETDA:Icefog",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Dagger Three",
				"Fucobha",
				"Icefog",
				"Javafog",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "63f532e6-4b4a-4f17-bbff-8517f0dd1868",
			"created_at": "2024-01-09T02:00:04.192588Z",
			"updated_at": "2026-04-10T02:00:03.507424Z",
			"deleted_at": null,
			"main_name": "KelvinSecurity",
			"aliases": [],
			"source_name": "MISPGALAXY:KelvinSecurity",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40",
				"GADOLINIUM",
				"Gingham Typhoon",
				"Kryptonite Panda",
				"Leviathan",
				"Nanhaishu",
				"Pickleworm",
				"Red Ladon",
				"TA423",
				"Temp.Jumper",
				"Temp.Periscope"
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006",
				"Daserf",
				"Stalker Panda",
				"Swirl Typhoon",
				"Tick"
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177",
				"Circuit Panda",
				"Earth Hundun",
				"Palmerworm",
				"Red Djinn",
				"Shrouded Crossbow"
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41",
				"BARIUM",
				"Blackfly",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku",
				"GREF",
				"Group 72",
				"Red Kelpie",
				"TA415",
				"TG-2633",
				"Wicked Panda"
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "312b7781-5501-4c1e-a9d5-9b75e9ad8455",
			"created_at": "2022-10-25T16:07:24.488292Z",
			"updated_at": "2026-04-10T02:00:05.006738Z",
			"deleted_at": null,
			"main_name": "Fxmsp",
			"aliases": [
				"ATK 134",
				"TAG-CR17"
			],
			"source_name": "ETDA:Fxmsp",
			"tools": [
				"RDP",
				"Remote Desktop Protocol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN"
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28",
				"ATK5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"GRAPHITE",
				"Group 74",
				"PawnStorm",
				"STRONTIUM",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"TA422",
				"TG-4127",
				"Tsar Team",
				"UAC-0001"
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434055,
	"ts_updated_at": 1775792239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5007fb82a883c1ba9b478e5e613d028a4538c5b0.pdf",
		"text": "https://archive.orkl.eu/5007fb82a883c1ba9b478e5e613d028a4538c5b0.txt",
		"img": "https://archive.orkl.eu/5007fb82a883c1ba9b478e5e613d028a4538c5b0.jpg"
	}
}