{
	"id": "7cc7f796-c559-4e31-85e7-4e9c19fcc684",
	"created_at": "2026-04-06T00:17:39.284211Z",
	"updated_at": "2026-04-10T13:12:06.450576Z",
	"deleted_at": null,
	"sha1_hash": "521d7400db91c347b875768b5f1bbfd9c17ba1df",
	"title": "In search of the Triangulation: triangle_check utility",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 362405,
	"plain_text": "In search of the Triangulation: triangle_check utility\r\nBy Igor Kuznetsov\r\nPublished: 2023-06-02 · Archived: 2026-04-05 16:40:07 UTC\r\nSoftware\r\nSoftware\r\n02 Jun 2023\r\n 2 minute read\r\nhttps://securelist.com/find-the-triangulation-utility/109867/\r\nPage 1 of 6\n\nUPD 23.04.2025: MITRE created a page for Operation Triangulation as part of its ATT\u0026CK framework.\r\nIn our initial blogpost about “Operation Triangulation”, we published a comprehensive guide on how to manually\r\ncheck iOS device backups for possible indicators of compromise using MVT. This process takes time and requires\r\nmanual search for several types of indicators. To automate this process, we developed a dedicated utility to scan\r\nthe backups and run all the checks. For Windows and Linux, this tool can be downloaded as a binary build, and\r\nfor MacOS it can be simply installed as a Python package.\r\nHow to back up your device\r\nWindows\r\nOn Windows, the easiest way to do a backup is via iTunes:\r\n1. 1 Connect your device to a computer that has iTunes installed. Unlock your device and, if needed, confirm\r\nthat you trust your computer.\r\nWindow asking to trust the computer\r\nhttps://securelist.com/find-the-triangulation-utility/109867/\r\nPage 2 of 6\n\n2. 2 Your device should now be displayed in iTunes. Right click on it and press “Back Up”.\r\n3. 3 The created backup will be saved to the %appdata%\\Apple Computer\\MobileSync\\Backup directory.\r\nmacOS\r\nIf your macOS version is lower than Catalina (10.15), you can create a backup using iTunes, using instructions for\r\nWindows. Starting from Catalina, backups can be created through Finder:\r\nConnect your device to the computer and, if needed, confirm that you trust the computer.\r\nYour device should now be displayed in Finder. 
Select it and then click “Create a backup”.\r\nThe created backup will be saved to the ~/Library/Application Support/MobileSync/Backup/ directory.\r\nLinux\r\nTo create a backup on Linux, you will need to install the libimobiledevice library. In order to create backups of\r\ndevices with the latest versions of iOS installed, you will need to compile this library from source code (you can\r\nfind the build instructions in the Installation/Getting Started section).\r\nAfter you install the library and connect your device to the computer, you can create a backup using the\r\nidevicebackup2 backup --full command.\r\nDuring the backup process, you may need to enter your device passcode multiple times.\r\nHow to use our triangle_check utility\r\nAfter you do a backup of your device using the instructions above, you will need to install and launch our\r\ntriangle_check utility.\r\nThe triangle_check Python package\r\nNo matter what operating system you have, you can install the triangle_check Python package that we have\r\npublished to the Python Package Index (PyPI). To do that, you need to have internet access and have the pip\r\nutility installed.\r\nYou can install the utility using two methods:\r\nFrom PyPI (recommended):\r\nRun the python -m pip install triangle_check command.\r\nBuilding from GitHub:\r\nRun the following commands:\r\ngit clone https://github.com/KasperskyLab/triangle_check\r\ncd triangle_check\r\npython -m build\r\npython -m pip install dist/triangle_check-1.0-py3-none-any.whl\r\nAfter installing, you can launch the utility with the following command:\r\npython -m triangle_check \u003cpath to the created backup\u003e\r\nBinary builds\r\nIf you have Windows or Linux, you can also use the binary builds of the triangle_check utility that we have\r\npublished on GitHub. Follow the instructions below to use them:\r\nWindows\r\n1. 
Download the triangle_check_win.zip archive from the GitHub releases page and unpack it.\r\n2. Launch the command prompt (cmd.exe) or PowerShell.\r\n3. Change your directory to the one with the unpacked archive (e.g. cd %userprofile%\\Downloads\\triangle_check_win).\r\n4. Launch triangle_check.exe, specifying the path to the backup as an argument (e.g. triangle_check.exe \"%appdata%\\Apple Computer\\MobileSync\\Backup\\00008101-000824411441001E-20230530-143718\").\r\nLinux\r\n1. Download the triangle_check_win.zip archive from the GitHub releases page and unpack it.\r\n2. Launch the terminal.\r\n3. Change your directory to the one with the unpacked archive (e.g. cd ~/Downloads/triangle_check_linux).\r\n4. Allow the utility to be executed with the chmod +x triangle_check command.\r\n5. Launch the utility, specifying the path to the backup as an argument (e.g. ./triangle_check ~/Desktop/my_backup/00008101-000824411441001E-20230530-143718).\r\nInterpreting the results\r\nThe utility outputs “DETECTED” when it locates specific indicators of compromise, which would mean that the\r\ndevice was infected.\r\nIt may also print out “SUSPICION”, which would mean that a combination of less specific indicators points to a\r\nlikely infection. 
Finally, if the message displayed is “No traces of compromise were identified”, then the utility did\r\nnot find any signs of ‘Operation Triangulation’ compromise.\r\nSource: https://securelist.com/find-the-triangulation-utility/109867/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/find-the-triangulation-utility/109867/"
	],
	"report_names": [
		"109867"
	],
	"threat_actors": [
		{
			"id": "ad08bd3d-e65c-4cfd-874a-9944380573fd",
			"created_at": "2023-06-23T02:04:34.517668Z",
			"updated_at": "2026-04-10T02:00:04.842233Z",
			"deleted_at": null,
			"main_name": "Operation Triangulation",
			"aliases": [],
			"source_name": "ETDA:Operation Triangulation",
			"tools": [
				"TriangleDB"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "113b8930-4626-4fa0-9a3a-bcf3ef86f595",
			"created_at": "2024-02-06T02:00:04.14393Z",
			"updated_at": "2026-04-10T02:00:03.578394Z",
			"deleted_at": null,
			"main_name": "Operation Triangulation",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Triangulation",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434659,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/521d7400db91c347b875768b5f1bbfd9c17ba1df.pdf",
		"text": "https://archive.orkl.eu/521d7400db91c347b875768b5f1bbfd9c17ba1df.txt",
		"img": "https://archive.orkl.eu/521d7400db91c347b875768b5f1bbfd9c17ba1df.jpg"
	}
}