{ "id": "8a4fd625-ca48-46c3-99af-a2766883091a", "created_at": "2026-04-06T00:09:22.165068Z", "updated_at": "2026-04-10T03:38:01.680598Z", "deleted_at": null, "sha1_hash": "5448bd180ebda2a99555318853cc81f1bdd50f83", "title": "CHINACHOPPER (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 185959, "plain_text": "CHINACHOPPER (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 18:40:39 UTC\r\nCHINACHOPPER\r\nActor(s): APT41, EMISSARY PANDA, GALLIUM, HAFNIUM, Hurricane Panda, Leviathan\r\na simple code injection webshell that executes Microsoft .NET code within HTTP POST commands. This allows\r\nthe shell to upload and download files, execute applications with web server account permissions, list directory\r\ncontents, access Active Directory, access databases, and any other action allowed by the .NET runtime.\r\nReferences\r\n2025-03-24 ⋅ SYGNIA ⋅\r\nWeaver Ant, the Web Shell Whisperer: Tracking a Live China-nexus Operation\r\nCHINACHOPPER reGeorg\r\n2024-05-23 ⋅ Palo Alto Networks Unit 42 ⋅ Daniel Frank, Lior Rochberger\r\nOperation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to\r\nTarget Governmental Entities in the Middle East, Africa and Asia\r\nAgent Racoon CHINACHOPPER Ghost RAT JuicyPotato MimiKatz Ntospy PlugX SweetSpecter\r\nTunnelSpecter CL-STA-0043\r\n2024-04-19 ⋅ ⋅ Spiegel Online ⋅ Christoph Giesen, Hakan Tanriverdi, Simon Hage\r\nVW-Konzern wurde jahrelang ausspioniert – von China?\r\nCHINACHOPPER PlugX\r\n2023-06-16 ⋅ Palo Alto Networks: Cortex Threat Research ⋅ Lior Rochberger\r\nThrough the Cortex XDR Lens: Uncovering a New Activity Group Targeting Governments in the Middle East\r\nand Africa\r\nCHINACHOPPER Ladon Yasso CL-STA-0043\r\n2023-02-13 ⋅ AhnLab ⋅ kingkimgim\r\nDalbit (m00nlight): Chinese Hacker Group’s APT Attack Campaign\r\nGodzilla Webshell ASPXSpy BlueShell CHINACHOPPER Cobalt Strike Ladon MimiKatz Dalbit\r\n2022-12-24 ⋅ Medium (@DCSO_CyTec) ⋅ Denis Szadkowski, Hendrik Baecker, Jiro Minier, Johann Aydinbas\r\nAPT41 — The spy who failed to encrypt me\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper\r\nPage 1 of 8\n\nCHINACHOPPER\r\n2022-09-29 ⋅ Symantec ⋅ Threat Hunter Team\r\nWitchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East\r\nCHINACHOPPER Lookback MimiKatz Witchetty\r\n2022-07-26 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team\r\nMalicious IIS extensions quietly open persistent backdoors into servers\r\nCHINACHOPPER MimiKatz\r\n2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42\r\nIron Taurus\r\nCHINACHOPPER Ghost RAT Wonknu ZXShell APT27\r\n2022-06-15 ⋅ Security Joes ⋅ Charles Lomboni, Felipe Duarte, Venkat Rajgor\r\nBackdoor via XFF: Mysterious Threat Actor Under Radar\r\nCHINACHOPPER\r\n2022-01-27 ⋅ JSAC 2021 ⋅ Hajime Yanagishita, Kiyotaka Tamada, Suguru Ishimaru, You Nakatsuru\r\nWhat We Can Do against the Chaotic A41APT Campaign\r\nCHINACHOPPER Cobalt Strike HUI Loader SodaMaster\r\n2021-11-03 ⋅ Cisco Talos ⋅ Caitlin Huey, Chetan Raghuprasad, Vanja Svajcer\r\nMicrosoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk\r\nBabuk CHINACHOPPER\r\n2021-09-03 ⋅ FireEye ⋅ Adrian Sanchez Hernandez, Alex Pennino, Andrew Rector, Brendan McKeague, Govand Sinjari, Harris\r\nAnsari, John Wolfram, Joshua Goddard, Yash Gupta\r\nPST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers\r\nCHINACHOPPER HTran\r\n2021-08-03 ⋅ Cybereason ⋅ Assaf Dahan, Daniel Frank, Lior Rochberger, Tom Fakterman\r\nDeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos\r\nCHINACHOPPER Cobalt Strike MimiKatz Nebulae\r\n2021-07-20 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nOngoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran\r\nCHINACHOPPER MimiKatz RGDoor\r\n2021-06-10 ⋅ ESET Research ⋅ Adam Burgher\r\nBackdoorDiplomacy: Upgrading from Quarian to Turian\r\nCHINACHOPPER DoublePulsar EternalRocks turian BackdoorDiplomacy\r\n2021-05-07 ⋅ SophosLabs Uncut ⋅ Rajesh Nataraj\r\nNew Lemon Duck variants exploiting Microsoft Exchange Server\r\nCHINACHOPPER Cobalt Strike Lemon Duck\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper\r\nPage 2 of 8\n\n2021-05-07 ⋅ Cisco Talos ⋅ Andrew Windsor, Caitlin Huey, Edmund Brumaghin\r\nLemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs\r\nCHINACHOPPER Cobalt Strike Lemon Duck\r\n2021-05-06 ⋅ Trend Micro ⋅ Arianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre\r\nProxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party\r\nBlackKingdom Ransomware CHINACHOPPER Lemon Duck Prometei\r\n2021-05-05 ⋅ Symantec ⋅ Threat Hunter Team\r\nMulti-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques\r\nCHINACHOPPER\r\n2021-04-27 ⋅ Trend Micro ⋅ Janus Agcaoili\r\nHello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability\r\nCHINACHOPPER Cobalt Strike\r\n2021-04-16 ⋅ Trend Micro ⋅ Nitesh Surana\r\nCould the Microsoft Exchange breach be stopped?\r\nCHINACHOPPER\r\n2021-04-15 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone\r\nActor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials\r\nCHINACHOPPER\r\n2021-03-26 ⋅ Imperva ⋅ Daniel Johnston\r\nImperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures\r\nCHINACHOPPER\r\n2021-03-25 ⋅ Microsoft ⋅ Tom McElroy\r\nWeb Shell Threat Hunting with Azure Sentinel\r\nCHINACHOPPER\r\n2021-03-25 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team\r\nAnalyzing attacks taking advantage of the Exchange Server vulnerabilities\r\nCHINACHOPPER\r\n2021-03-21 ⋅ Twitter (@CyberRaiju) ⋅ Jai Minton\r\nTwitter Thread with analysis of .NET China Chopper\r\nCHINACHOPPER\r\n2021-03-19 ⋅ Bundesamt für Sicherheit in der Informationstechnik ⋅ CERT-Bund\r\nMicrosoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)\r\nCHINACHOPPER MimiKatz\r\n2021-03-15 ⋅ Trustwave ⋅ Joshua Deacon\r\nHAFNIUM, China Chopper and ASP.NET Runtime\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper\r\nPage 3 of 8\n\nCHINACHOPPER\r\n2021-03-11 ⋅ DEVO ⋅ Fran Gomez\r\nDetection and Investigation Using Devo: HAFNIUM 0-day Exploits on Microsoft Exchange Service\r\nCHINACHOPPER MimiKatz\r\n2021-03-11 ⋅ Cyborg Security ⋅ Josh Campbell\r\nYou Don't Know the HAFNIUM of it...\r\nCHINACHOPPER Cobalt Strike PowerCat\r\n2021-03-11 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42\r\nMicrosoft Exchange Server Attack Timeline\r\nCHINACHOPPER\r\n2021-03-10 ⋅ DomainTools ⋅ Joe Slowik\r\nExamining Exchange Exploitation and its Lessons for Defenders\r\nCHINACHOPPER\r\n2021-03-10 ⋅ PICUS Security ⋅ Süleyman Özarslan\r\nTactics, Techniques, and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers\r\nCHINACHOPPER\r\n2021-03-10 ⋅ Lemon's InfoSec Ramblings ⋅ Josh Lemon\r\nMicrosoft Exchange \u0026 the HAFNIUM Threat Actor\r\nCHINACHOPPER\r\n2021-03-09 ⋅ YouTube (John Hammond) ⋅ John Hammond\r\nHAFNIUM - Post-Exploitation Analysis from Microsoft Exchange\r\nCHINACHOPPER\r\n2021-03-09 ⋅ Red Canary ⋅ Brian Donohue, Katie Nickels, Tony Lambert\r\nMicrosoft Exchange server exploitation: how to detect, mitigate, and stay calm\r\nCHINACHOPPER\r\n2021-03-09 ⋅ PRAETORIAN ⋅ Anthony Weems, Dallas Kaman, Michael Weber\r\nReproducing the Microsoft Exchange Proxylogon Exploit Chain\r\nCHINACHOPPER\r\n2021-03-09 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42\r\nRemediation Steps for the Microsoft Exchange Server Vulnerabilities\r\nCHINACHOPPER\r\n2021-03-08 ⋅ Palo Alto Networks Unit 42 ⋅ Jeff White\r\nAnalyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells\r\nCHINACHOPPER\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper\r\nPage 4 of 8\n\n2021-03-08 ⋅ Symantec ⋅ Threat Hunter Team\r\nHow Symantec Stops Microsoft Exchange Server Attacks\r\nCHINACHOPPER MimiKatz\r\n2021-03-07 ⋅ TRUESEC ⋅ Rasmus Grönlund\r\nTracking Microsoft Exchange Zero-Day ProxyLogon and HAFNIUM\r\nCHINACHOPPER\r\n2021-03-05 ⋅ Huntress Labs ⋅ Huntress Labs\r\nOperation Exchange Marauder\r\nCHINACHOPPER\r\n2021-03-05 ⋅ Wired ⋅ Andy Greenberg\r\nChinese Hacking Spree Hit an ‘Astronomical’ Number of Victims\r\nCHINACHOPPER\r\n2021-03-04 ⋅ Huntress Labs ⋅ Huntress Labs\r\nOperation Exchange Marauder\r\nCHINACHOPPER\r\n2021-03-04 ⋅ FireEye ⋅ Andrew Thompson, Chris DiGiamo, Matt Bromiley, Robert Wallace\r\nDetection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities\r\nCHINACHOPPER HAFNIUM\r\n2021-03-04 ⋅ CrowdStrike ⋅ The Falcon Complete Team\r\nFalcon Complete Stops Microsoft Exchange Server Zero-Day Exploits\r\nCHINACHOPPER HAFNIUM\r\n2021-03-03 ⋅ MITRE ⋅ MITRE ATT\u0026CK\r\nHAFNIUM\r\nCHINACHOPPER HAFNIUM\r\n2021-03-03 ⋅ Huntress Labs ⋅ Huntress Labs\r\nMass exploitation of on-prem Exchange servers :(\r\nCHINACHOPPER HAFNIUM\r\n2021-03-03 ⋅ Huntress Labs ⋅ John Hammond\r\nRapid Response: Mass Exploitation of On-Prem Exchange Servers\r\nCHINACHOPPER HAFNIUM\r\n2021-03-02 ⋅ Twitter (@ESETresearch) ⋅ ESET Research\r\nTweet on Exchange RCE\r\nCHINACHOPPER HAFNIUM\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper\r\nPage 5 of 8\n\n2021-03-02 ⋅ Rapid7 Labs ⋅ Andrew Christian\r\nRapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day\r\nCHINACHOPPER HAFNIUM\r\n2021-03-02 ⋅ Volexity ⋅ Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster\r\nOperation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities\r\nCHINACHOPPER HAFNIUM\r\n2021-03-02 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft 365 Security, Microsoft Threat Intelligence\r\nCenter (MSTIC)\r\nHAFNIUM targeting Exchange Servers with 0-day exploits\r\nCHINACHOPPER HAFNIUM\r\n2021-01-29 ⋅ Trend Micro ⋅ Trend Micro\r\nChopper ASPX web shell used in targeted attack\r\nCHINACHOPPER MimiKatz\r\n2021-01-01 ⋅ DomainTools ⋅ Joe Slowik\r\nConceptualizing a Continuum of Cyber Threat Attribution\r\nCHINACHOPPER SUNBURST\r\n2020-11-27 ⋅ PTSecurity ⋅ Alexey Vishnyakov, Denis Goydenko\r\nInvestigation with a twist: an accidental APT attack and averted data destruction\r\nTwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz\r\n2020-10-01 ⋅ US-CERT ⋅ US-CERT\r\nAlert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions\r\nCHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy\r\n2020-09-15 ⋅ US-CERT ⋅ US-CERT\r\nAlert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities\r\nCHINACHOPPER Fox Kitten\r\n2020-09-15 ⋅ US-CERT ⋅ US-CERT\r\nMalware Analysis Report (AR20-259A): Iranian Web Shells\r\nCHINACHOPPER\r\n2020-07-21 ⋅ Department of Justice ⋅ Department of Justice\r\nTwo Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion\r\nCampaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19\r\nResearch\r\nCHINACHOPPER BRONZE SPRING\r\n2020-02-21 ⋅ ADEO DFIR ⋅ ADEO DFIR\r\nAPT10 Threat Analysis Report\r\nCHINACHOPPER HTran MimiKatz PlugX Quasar RAT\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper\r\nPage 6 of 8\n\n2020-01-01 ⋅ FireEye ⋅ Mandiant, Mitchell Clarke, Tom Hall\r\nMandiant IR Grab Bag of Attacker Activity\r\nTwoFace CHINACHOPPER HyperBro HyperSSL\r\n2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nBRONZE UNION\r\n9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell\r\nAPT27\r\n2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nBRONZE ATLAS\r\nSpeculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz\r\nPlugX Winnti APT41\r\n2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nBRONZE PRESIDENT\r\nCHINACHOPPER Cobalt Strike PlugX MUSTANG PANDA\r\n2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nBRONZE MOHAWK\r\nAIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll\r\nAPT40\r\n2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nBRONZE EXPRESS\r\n9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT26\r\n2019-12-12 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center\r\nGALLIUM: Targeting global telecom\r\nCHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM\r\n2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser\r\nAchievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions\r\nMESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost\r\nRAT HIGHNOON HTran MimiKatz NetWire RC POISONPLUG Poison Ivy pupy Quasar RAT ZXShell\r\n2019-09-23 ⋅ MITRE ⋅ MITRE ATT\u0026CK\r\nAPT41\r\nDerusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi\r\nEmpire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41\r\n2019-08-27 ⋅ Cisco Talos ⋅ Paul Rascagnères, Vanja Svajcer\r\nChina Chopper still active 9 years later\r\nCHINACHOPPER\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper\r\nPage 7 of 8\n\n2019-08-19 ⋅ FireEye ⋅ Alex Pennino, Matt Bromiley\r\nGAME OVER: Detecting and Stopping an APT41 Operation\r\nACEHASH CHINACHOPPER HIGHNOON\r\n2019-06-25 ⋅ Cybereason ⋅ Cybereason Nocturnus\r\nOPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS\r\nPROVIDERS\r\nCHINACHOPPER HTran MimiKatz Poison Ivy Operation Soft Cell\r\n2019-05-28 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Tom Lancaster\r\nEmissary Panda Attacks Middle East Government Sharepoint Servers\r\nCHINACHOPPER HyperSSL\r\n2019-01-01 ⋅ MITRE ⋅ MITRE ATT\u0026CK\r\nTool description: China Chopper\r\nCHINACHOPPER\r\n2018-03-16 ⋅ FireEye ⋅ FireEye\r\nSuspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime\r\nIndustries\r\nbadflick BLACKCOFFEE CHINACHOPPER homefry murkytop SeDll APT40\r\n2017-12-20 ⋅ CrowdStrike ⋅ Adam Kozy\r\nAn End to “Smash-and-Grab” and a Move to More Targeted Approaches\r\nCHINACHOPPER\r\n2013-08-07 ⋅ FireEye ⋅ Dennis Hanzlik, Ian Ahl, Tony Lee\r\nBreaking Down the China Chopper Web Shell - Part I\r\nCHINACHOPPER\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper" ], "report_names": [ "win.chinachopper" ], "threat_actors": [ { "id": "709ceea7-db99-405e-b5a7-a159e6c307e0", "created_at": "2022-10-25T16:07:23.373699Z", "updated_at": "2026-04-10T02:00:04.571971Z", "deleted_at": null, "main_name": "BackdoorDiplomacy", "aliases": [], "source_name": "ETDA:BackdoorDiplomacy", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "ec14074c-8517-40e1-b4d7-3897f1254487", "created_at": "2023-01-06T13:46:38.300905Z", "updated_at": "2026-04-10T02:00:02.918468Z", "deleted_at": null, "main_name": "APT10", "aliases": [ "Red Apollo", "HOGFISH", "BRONZE RIVERSIDE", "G0045", "TA429", "Purple Typhoon", "STONE PANDA", "Menupass Team", "happyyongzi", "CVNX", "Cloud Hopper", "ATK41", "Granite Taurus", "POTASSIUM" ], "source_name": "MISPGALAXY:APT10", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3b56d733-88da-4394-b150-d87680ce67e4", "created_at": "2023-01-06T13:46:39.287189Z", "updated_at": "2026-04-10T02:00:03.274816Z", "deleted_at": null, "main_name": "BackdoorDiplomacy", "aliases": [ "BackDip", "CloudComputating", "Quarian" ], "source_name": "MISPGALAXY:BackdoorDiplomacy", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4636526b-b3f7-4e75-8ad9-fb7ef0261b76", "created_at": "2023-01-06T13:46:38.295889Z", "updated_at": "2026-04-10T02:00:02.91629Z", "deleted_at": null, "main_name": "HURRICANE PANDA", "aliases": [], "source_name": "MISPGALAXY:HURRICANE PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3", "created_at": "2022-10-25T16:07:23.80111Z", "updated_at": "2026-04-10T02:00:04.753677Z", "deleted_at": null, "main_name": "LookBack", "aliases": [ "FlowingFrog", "LookBack", "LookingFrog", "TA410", "Witchetty" ], "source_name": "ETDA:LookBack", "tools": [ "FlowCloud", "GUP Proxy Tool", "SodomMain", "SodomMain RAT", "SodomNormal" ], "source_id": "ETDA", "reports": null }, { "id": "7c969685-459b-4c93-a788-74108eab6f47", "created_at": "2023-01-06T13:46:39.189751Z", "updated_at": "2026-04-10T02:00:03.241102Z", "deleted_at": null, "main_name": "HAFNIUM", "aliases": [ "Red Dev 13", "Silk Typhoon", "MURKY PANDA", "ATK233", "G0125", "Operation Exchange Marauder" ], "source_name": "MISPGALAXY:HAFNIUM", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ffc66b49-9396-46af-966f-9376c4315f32", "created_at": "2023-11-21T02:00:07.339061Z", "updated_at": "2026-04-10T02:00:03.462317Z", "deleted_at": null, "main_name": "CL-STA-0043", "aliases": [ "TGR-STA-0043" ], "source_name": "MISPGALAXY:CL-STA-0043", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8210e297-e5a7-4830-b7a3-1c8abc8e862f", "created_at": "2023-01-06T13:46:39.407579Z", "updated_at": "2026-04-10T02:00:03.316455Z", "deleted_at": null, "main_name": "BRONZE SPRING", "aliases": [ "UNC302" ], "source_name": "MISPGALAXY:BRONZE SPRING", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3e8f802c-efba-45ff-8844-5ea4e4a5297d", "created_at": "2023-11-07T02:00:07.092751Z", "updated_at": "2026-04-10T02:00:03.404589Z", "deleted_at": null, "main_name": "Witchetty", "aliases": [ "LookingFrog" ], "source_name": "MISPGALAXY:Witchetty", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bcf899bb-34bb-43e1-929d-02bc91974f2a", "created_at": "2023-02-18T02:04:24.050644Z", "updated_at": "2026-04-10T02:00:04.639142Z", "deleted_at": null, "main_name": "Dalbit", "aliases": [], "source_name": "ETDA:Dalbit", "tools": [ "ASPXSpy", "ASPXTool", "Agentemis", "AntSword", "BadPotato", "BlueShell", "CHINACHOPPER", "China Chopper", "Cobalt Strike", "CobaltStrike", "EFSPotato", "FRP", "Fast Reverse Proxy", "Godzilla", "Godzilla Loader", "HTran", "HUC Packet Transmit Tool", "JuicyPotato", "LadonGo", "Metasploit", "Mimikatz", "NPS", "ProcDump", "PsExec", "Remcom", "RemoteCommandExecution", "RottenPotato", "SinoChopper", "SweetPotato", "cobeacon", "reGeorg" ], "source_id": "ETDA", "reports": null }, { "id": "2c348851-5036-406b-b2d1-1ca47cfc7523", "created_at": "2022-10-25T16:07:24.039861Z", "updated_at": "2026-04-10T02:00:04.847961Z", "deleted_at": null, "main_name": "Parisite", "aliases": [ "Cobalt Foxglove", "Fox Kitten", "G0117", "Lemon Sandstorm", "Parisite", "Pioneer Kitten", "Rubidium", "UNC757" ], "source_name": "ETDA:Parisite", "tools": [ "Cobalt", "FRP", "Fast Reverse Proxy", "Invoke the Hash", "JuicyPotato", "Ngrok", "POWSSHNET", "Pay2Key", "Plink", "Port.exe", "PuTTY Link", "SSHMinion", "STSRCheck", "Serveo" ], "source_id": "ETDA", "reports": null }, { "id": "3fad11c6-4336-4b28-a606-f510eca5452e", "created_at": "2022-10-25T16:07:24.346573Z", "updated_at": "2026-04-10T02:00:04.948823Z", "deleted_at": null, "main_name": "Turbine Panda", "aliases": [ "APT 26", "Black Vine", "Bronze Express", "Group 13", "JerseyMikes", "KungFu Kittens", "PinkPanther", "Shell Crew", "Taffeta Typhoon", "Turbine Panda", "WebMasters" ], "source_name": "ETDA:Turbine Panda", "tools": [ "Agent.dhwf", "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "Derusbi", "Destroy RAT", "DestroyRAT", "FF-RAT", "FormerFirstRAT", "Hurix", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mivast", "PlugX", "RbDoor", "RedDelta", "RibDoor", "Sakula", "Sakula RAT", "Sakurel", "Sogu", "StreamEx", "TIGERPLUG", "TVT", "Thoper", "Winnti", "Xamtrav", "cobeacon", "ffrat" ], "source_id": "ETDA", "reports": null }, { "id": "a080173e-7141-4d46-831d-a5f15ebef31a", "created_at": "2023-01-06T13:46:38.629955Z", "updated_at": "2026-04-10T02:00:03.044597Z", "deleted_at": null, "main_name": "APT26", "aliases": [ "JerseyMikes", "TURBINE PANDA", "BRONZE EXPRESS", "TECHNETIUM", "Taffeta Typhoon" ], "source_name": "MISPGALAXY:APT26", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea", "created_at": "2023-01-06T13:46:38.745572Z", "updated_at": "2026-04-10T02:00:03.086207Z", "deleted_at": null, "main_name": "APT40", "aliases": [ "ATK29", "Red Ladon", "MUDCARP", "ISLANDDREAMS", "TEMP.Periscope", "KRYPTONITE PANDA", "G0065", "TA423", "ITG09", "Gingham Typhoon", "TEMP.Jumper", "BRONZE MOHAWK", "GADOLINIUM" ], "source_name": "MISPGALAXY:APT40", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7bf3ffe5-09ba-4378-8ea4-a6d748a494fd", "created_at": "2022-10-25T15:50:23.264584Z", "updated_at": "2026-04-10T02:00:05.334294Z", "deleted_at": null, "main_name": "GALLIUM", "aliases": [ "GALLIUM", "Granite Typhoon" ], "source_name": "MITRE:GALLIUM", "tools": [ "ipconfig", "cmd", "China Chopper", "PoisonIvy", "at", "PlugX", "PingPull", "BlackMould", "Mimikatz", "PsExec", "HTRAN", "NBTscan", "Windows Credential Editor" ], "source_id": "MITRE", "reports": null }, { "id": "2704d770-43b4-4bc4-8a5a-05df87416848", "created_at": "2022-10-25T15:50:23.306305Z", "updated_at": "2026-04-10T02:00:05.296581Z", "deleted_at": null, "main_name": "HAFNIUM", "aliases": [ "HAFNIUM", "Operation Exchange Marauder", "Silk Typhoon" ], "source_name": "MITRE:HAFNIUM", "tools": [ "Tarrask", "ASPXSpy", "Impacket", "PsExec", "China Chopper" ], "source_id": "MITRE", "reports": null }, { "id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c", "created_at": "2022-10-25T15:50:23.819113Z", "updated_at": "2026-04-10T02:00:05.354598Z", "deleted_at": null, "main_name": "Threat Group-3390", "aliases": [ "Threat Group-3390", "Earth Smilodon", "TG-3390", "Emissary Panda", "BRONZE UNION", "APT27", "Iron Tiger", "LuckyMouse", "Linen Typhoon" ], "source_name": "MITRE:Threat Group-3390", "tools": [ "Systeminfo", "gsecdump", "PlugX", "ASPXSpy", "Cobalt Strike", "Mimikatz", "Impacket", "gh0st RAT", "certutil", "China Chopper", "HTTPBrowser", "Tasklist", "netstat", "SysUpdate", "HyperBro", "ZxShell", "RCSession", "ipconfig", "Clambling", "pwdump", "NBTscan", "Pandora", "Windows Credential Editor" ], "source_id": "MITRE", "reports": null }, { "id": "ba9fa308-a29a-4928-9c06-73aafec7624c", "created_at": "2024-05-01T02:03:07.981061Z", "updated_at": "2026-04-10T02:00:03.750803Z", "deleted_at": null, "main_name": "BRONZE RIVERSIDE", "aliases": [ "APT10 ", "CTG-5938 ", "CVNX ", "Hogfish ", "MenuPass ", "MirrorFace ", "POTASSIUM ", "Purple Typhoon ", "Red Apollo ", "Stone Panda " ], "source_name": "Secureworks:BRONZE RIVERSIDE", "tools": [ "ANEL", "AsyncRAT", "ChChes", "Cobalt Strike", "HiddenFace", "LODEINFO", "PlugX", "PoisonIvy", "QuasarRAT", "QuasarRAT Loader", "RedLeaves" ], "source_id": "Secureworks", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c7d9878a-e691-4c6f-81ae-84fb115a1345", "created_at": "2022-10-25T16:07:23.359506Z", "updated_at": "2026-04-10T02:00:04.556639Z", "deleted_at": null, "main_name": "APT 41", "aliases": [ "BrazenBamboo", "Bronze Atlas", "Double Dragon", "Earth Baku", "G0096", "Grayfly", "Operation ColunmTK", "Operation CuckooBees", "Operation ShadowHammer", "Red Kelpie", "SparklingGoblin", "TA415", "TG-2633" ], "source_name": "ETDA:APT 41", "tools": [ "9002 RAT", "ADORE.XSEC", "ASPXSpy", "ASPXTool", "AceHash", "Agent.dhwf", "Agentemis", "AndroidControl", "AngryRebel", "AntSword", "BLUEBEAM", "Barlaiy", "BlackCoffee", "Bladabindi", "BleDoor", "CCleaner Backdoor", "CHINACHOPPER", "COLDJAVA", "China Chopper", "ChyNode", "Cobalt Strike", "CobaltStrike", "Crackshot", "CrossWalk", "CurveLast", "CurveLoad", "DAYJOB", "DBoxAgent", "DEADEYE", "DEADEYE.APPEND", "DEADEYE.EMBED", "DEPLOYLOG", "DIRTCLEANER", "DUSTTRAP", "Derusbi", "Destroy RAT", "DestroyRAT", "DodgeBox", "DragonEgg", "ELFSHELF", "EasyNight", "Farfli", "FunnySwitch", "Gh0st RAT", "Ghost RAT", "HDD Rootkit", "HDRoot", "HKDOOR", "HOMEUNIX", "HUI Loader", "HidraQ", "HighNoon", "HighNote", "Homux", "Hydraq", "Jorik", "Jumpall", "KEYPLUG", "Kaba", "Korplug", "LATELUNCH", "LOLBAS", "LOLBins", "LightSpy", "Living off the Land", "Lowkey", "McRAT", "MdmBot", "MessageTap", "Meterpreter", "Mimikatz", "MoonBounce", "MoonWalk", "Motnug", "Moudour", "Mydoor", "NTDSDump", "PACMAN", "PCRat", "PINEGROVE", "PNGRAT", "POISONPLUG", "POISONPLUG.SHADOW", "POTROAST", "PRIVATELOG", "PipeMon", "PlugX", "PortReuse", "ProxIP", "ROCKBOOT", "RbDoor", "RedDelta", "RedXOR", "RibDoor", "Roarur", "RouterGod", "SAGEHIRE", "SPARKLOG", "SQLULDR2", "STASHLOG", "SWEETCANDLE", "ScrambleCross", "Sensocode", "SerialVlogger", "ShadowHammer", "ShadowPad Winnti", "SinoChopper", "Skip-2.0", "SneakCross", "Sogu", "Speculoos", "Spyder", "StealthReacher", "StealthVector", "TERA", "TIDYELF", "TIGERPLUG", "TOMMYGUN", "TVT", "Thoper", "Voldemort", "WIDETONE", "WINNKIT", "WINTERLOVE", "Winnti", "WyrmSpy", "X-Door", "XDOOR", "XMRig", "XShellGhost", "Xamtrav", "ZXShell", "ZoxPNG", "certutil", "certutil.exe", "cobeacon", "gresim", "njRAT", "pwdump", "xDll" ], "source_id": "ETDA", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "6e3ba400-aee3-4ef3-8fbc-ec07fdbee46c", "created_at": "2025-08-07T02:03:24.731268Z", "updated_at": "2026-04-10T02:00:03.651425Z", "deleted_at": null, "main_name": "COBALT FOXGLOVE", "aliases": [ "Fox Kitten ", "Lemon Sandstorm ", "Parisite ", "Pioneer Kitten ", "RUBIDIUM ", "UNC757 " ], "source_name": "Secureworks:COBALT FOXGLOVE", "tools": [ "Chisel", "FRP (Fast Reverse Proxy)", "Mimikatz", "Ngrok", "POWSSHNET", "STSRCheck", "Servo", "n3tw0rm ransomware", "pay2key ransomware" ], "source_id": "Secureworks", "reports": null }, { "id": "7cf4ec85-806f-4fd7-855a-6669ed381bf5", "created_at": "2023-11-08T02:00:07.176033Z", "updated_at": "2026-04-10T02:00:03.435082Z", "deleted_at": null, "main_name": "Dalbit", "aliases": [], "source_name": "MISPGALAXY:Dalbit", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "401a2035-ed5a-4795-8e37-8b7465484751", "created_at": "2022-10-25T15:50:23.616232Z", "updated_at": "2026-04-10T02:00:05.304705Z", "deleted_at": null, "main_name": "BackdoorDiplomacy", "aliases": [ "BackdoorDiplomacy" ], "source_name": "MITRE:BackdoorDiplomacy", "tools": [ "Turian", "China Chopper", "Mimikatz", "NBTscan", "QuasarRAT" ], "source_id": "MITRE", "reports": null }, { "id": "83025f5e-302e-46b0-baf6-650a4d313dfc", "created_at": "2024-05-01T02:03:07.971863Z", "updated_at": "2026-04-10T02:00:03.743131Z", "deleted_at": null, "main_name": "BRONZE MOHAWK", "aliases": [ "APT40 ", "GADOLINIUM ", "Gingham Typhoon ", "Kryptonite Panda ", "Leviathan ", "Nanhaishu ", "Pickleworm ", "Red Ladon ", "TA423 ", "Temp.Jumper ", "Temp.Periscope " ], "source_name": "Secureworks:BRONZE MOHAWK", "tools": [ "AIRBREAK", "BlackCoffee", "China Chopper", "Cobalt Strike", "DadJoke", "Donut", "FUSIONBLAZE", "GreenCrash", "Meterpreter", "Nanhaishu", "Orz", "SeDll" ], "source_id": "Secureworks", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "9d5075e3-9fa3-40f8-9c2b-9cd1fc7a6ffe", "created_at": "2025-08-07T02:03:24.670367Z", "updated_at": "2026-04-10T02:00:03.801961Z", "deleted_at": null, "main_name": "BRONZE SPRING", "aliases": [ "UNC302" ], "source_name": "Secureworks:BRONZE SPRING", "tools": [ "China Chopper", "Mimikatz", "OwaAuth" ], "source_id": "Secureworks", "reports": null }, { "id": "04b07437-41bb-4126-bcbb-def16f19d7c6", "created_at": "2022-10-25T16:07:24.232628Z", "updated_at": "2026-04-10T02:00:04.906097Z", "deleted_at": null, "main_name": "Stone Panda", "aliases": [ "APT 10", "ATK 41", "Bronze Riverside", "CTG-5938", "CVNX", "Cuckoo Spear", "Earth Kasha", "G0045", "G0093", "Granite Taurus", "Happyyongzi", "Hogfish", "ITG01", "Operation A41APT", "Operation Cache Panda", "Operation ChessMaster", "Operation Cloud Hopper", "Operation Cuckoo Spear", "Operation New Battle", "Operation Soft Cell", "Operation TradeSecret", "Potassium", "Purple Typhoon", "Red Apollo", "Stone Panda", "TA429", "menuPass", "menuPass Team" ], "source_name": "ETDA:Stone Panda", "tools": [ "Agent.dhwf", "Agentemis", "Anel", "AngryRebel", "BKDR_EVILOGE", "BKDR_HGDER", "BKDR_NVICM", "BUGJUICE", "CHINACHOPPER", "ChChes", "China Chopper", "Chymine", "CinaRAT", "Cobalt Strike", "CobaltStrike", "DARKTOWN", "DESLoader", "DILLJUICE", "DILLWEED", "Darkmoon", "DelfsCake", "Derusbi", "Destroy RAT", "DestroyRAT", "Ecipekac", "Emdivi", "EvilGrab", "EvilGrab RAT", "FYAnti", "Farfli", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "GreetCake", "HAYMAKER", "HEAVYHAND", "HEAVYPOT", "HTran", "HUC Packet Transmit Tool", "Ham Backdoor", "HiddenFace", "Impacket", "Invoke the Hash", "KABOB", "Kaba", "Korplug", "LODEINFO", "LOLBAS", "LOLBins", "Living off the Land", "MiS-Type", "Mimikatz", "Moudour", "Mydoor", "NBTscan", "NOOPDOOR", "Newsripper", "P8RAT", "PCRat", "PlugX", "Poison Ivy", "Poldat", "PowerSploit", "PowerView", "PsExec", "PsList", "Quarks PwDump", "Quasar RAT", "QuasarRAT", "RedDelta", "RedLeaves", "Rubeus", "SNUGRIDE", "SPIVY", "SharpSploit", "SigLoader", "SinoChopper", "SodaMaster", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trochilus RAT", "UpperCut", "Vidgrab", "WinRAR", "WmiExec", "Wmonder", "Xamtrav", "Yggdrasil", "Zlib", "certutil", "certutil.exe", "cobeacon", "dfls", "lena", "nbtscan", "pivy", "poisonivy", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "c63ab035-f9f2-4723-959b-97a7b98b5942", "created_at": "2023-01-06T13:46:38.298354Z", "updated_at": "2026-04-10T02:00:02.917311Z", "deleted_at": null, "main_name": "APT27", "aliases": [ "BRONZE UNION", "Circle Typhoon", "Linen Typhoon", "TEMP.Hippo", "Budworm", "Lucky Mouse", "G0027", "GreedyTaotie", "Red Phoenix", "Iron Tiger", "Iron Taurus", "Earth Smilodon", "TG-3390", "EMISSARY PANDA", "Group 35", "ZipToken" ], "source_name": "MISPGALAXY:APT27", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3b8b4ed7-e8cc-4a3a-b14d-c8ebf87c0f9c", "created_at": "2023-01-06T13:46:39.062729Z", "updated_at": "2026-04-10T02:00:03.200784Z", "deleted_at": null, "main_name": "Operation Soft Cell", "aliases": [], "source_name": "MISPGALAXY:Operation Soft Cell", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "871acc40-6cbf-4c81-8b40-7f783616afbc", "created_at": "2023-01-06T13:46:39.156237Z", "updated_at": "2026-04-10T02:00:03.232876Z", "deleted_at": null, "main_name": "Fox Kitten", "aliases": [ "UNC757", "Lemon Sandstorm", "RUBIDIUM", "PIONEER KITTEN", "PARISITE" ], "source_name": "MISPGALAXY:Fox Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d070e12b-e1ce-4d8d-b5e3-bc71960cc0cb", "created_at": "2022-10-25T15:50:23.676504Z", "updated_at": "2026-04-10T02:00:05.260839Z", "deleted_at": null, "main_name": "Fox Kitten", "aliases": [ "Fox Kitten", "UNC757", "Parisite", "Pioneer Kitten", "RUBIDIUM", "Lemon Sandstorm" ], "source_name": "MITRE:Fox Kitten", "tools": [ "China Chopper", "Pay2Key", "ngrok", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a", "created_at": "2022-10-25T15:50:23.481057Z", "updated_at": "2026-04-10T02:00:05.306469Z", "deleted_at": null, "main_name": "Leviathan", "aliases": [ "MUDCARP", "Kryptonite Panda", "Gadolinium", "BRONZE MOHAWK", "TEMP.Jumper", "APT40", "TEMP.Periscope", "Gingham Typhoon" ], "source_name": "MITRE:Leviathan", "tools": [ "Windows Credential Editor", "BITSAdmin", "HOMEFRY", "Derusbi", "at", "BLACKCOFFEE", "BADFLICK", "gh0st RAT", "PowerSploit", "MURKYTOP", "NanHaiShu", "Orz", "Cobalt Strike", "China Chopper" ], "source_id": "MITRE", "reports": null }, { "id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a", "created_at": "2022-10-25T15:50:23.298889Z", "updated_at": "2026-04-10T02:00:05.316886Z", "deleted_at": null, "main_name": "menuPass", "aliases": [ "menuPass", "POTASSIUM", "Stone Panda", "APT10", "Red Apollo", "CVNX", "HOGFISH", "BRONZE RIVERSIDE" ], "source_name": "MITRE:menuPass", "tools": [ "certutil", "FYAnti", "UPPERCUT", "SNUGRIDE", "P8RAT", "RedLeaves", "SodaMaster", "pwdump", "Mimikatz", "PlugX", "PowerSploit", "ChChes", "cmd", "QuasarRAT", "AdFind", "Cobalt Strike", "PoisonIvy", "EvilGrab", "esentutl", "Impacket", "Ecipekac", "PsExec", "HUI Loader" ], "source_id": "MITRE", "reports": null }, { "id": "722b693d-cfdc-489e-a540-78c7d52ac5a8", "created_at": "2022-10-25T16:07:23.713768Z", "updated_at": "2026-04-10T02:00:04.7232Z", "deleted_at": null, "main_name": "Hurricane Panda", "aliases": [ "Operation Poisoned Hurricane" ], "source_name": "ETDA:Hurricane Panda", "tools": [ "CHINACHOPPER", "China Chopper", "Mimikatz", "SinoChopper" ], "source_id": "ETDA", "reports": null }, { "id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43", "created_at": "2025-08-07T02:03:24.68371Z", "updated_at": "2026-04-10T02:00:03.64323Z", "deleted_at": null, "main_name": "BRONZE UNION", "aliases": [ "APT27 ", "Bowser", "Budworm ", "Circle Typhoon ", "Emissary Panda ", "Group35", "Iron Tiger ", "Linen Typhoon ", "Lucky Mouse ", "TG-3390 ", "Temp.Hippo " ], "source_name": "Secureworks:BRONZE UNION", "tools": [ "AbcShell", "China Chopper", "EAGERBEE", "Gh0st RAT", "OwaAuth", "PhantomNet", "PoisonIvy", "Sysupdate", "Wonknu", "Wrapikatz", "ZxShell", "reGeorg" ], "source_id": "Secureworks", "reports": null }, { "id": "cff2cedd-a198-4e79-ae67-19048084ae7f", "created_at": "2024-06-20T02:02:09.945126Z", "updated_at": "2026-04-10T02:00:04.79991Z", "deleted_at": null, "main_name": "Operation Diplomatic Specter", "aliases": [ "CL-STA-0043", "TGR-STA-0043" ], "source_name": "ETDA:Operation Diplomatic Specter", "tools": [ "Agent Racoon", "Agent.dhwf", "AngryRebel", "CHINACHOPPER", "China Chopper", "Destroy RAT", "DestroyRAT", "Farfli", "Gh0st RAT", "Ghost RAT", "HTran", "HUC Packet Transmit Tool", "JuicyPotatoNG", "Kaba", "Korplug", "LadonGo", "Mimikatz", "Mimilite", "Moudour", "Mydoor", "NBTscan", "Ntospy", "PCRat", "PlugX", "RedDelta", "SharpEfsPotato", "SinoChopper", "Sogu", "SweetSpecter", "TIGERPLUG", "TVT", "Thoper", "TunnelSpecter", "Xamtrav", "Yasso", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "74d9dada-0106-414a-8bb9-b0d527db7756", "created_at": "2025-08-07T02:03:24.69718Z", "updated_at": "2026-04-10T02:00:03.733346Z", "deleted_at": null, "main_name": "BRONZE VINEWOOD", "aliases": [ "APT31 ", "BRONZE EXPRESS ", "Judgment Panda ", "Red Keres", "TA412", "VINEWOOD ", "Violet Typhoon ", "ZIRCONIUM " ], "source_name": "Secureworks:BRONZE VINEWOOD", "tools": [ "DropboxAES RAT", "HanaLoader", "Metasploit", "Mimikatz", "Reverse ICMP shell", "Trochilus" ], "source_id": "Secureworks", "reports": null }, { "id": "529c1ae9-4579-4245-86a6-20f4563a695d", "created_at": "2022-10-25T16:07:23.702006Z", "updated_at": "2026-04-10T02:00:04.71708Z", "deleted_at": null, "main_name": "Hafnium", "aliases": [ "G0125", "Murky Panda", "Red Dev 13", "Silk Typhoon" ], "source_name": "ETDA:Hafnium", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "5c13338b-eaed-429a-9437-f5015aa98276", "created_at": "2022-10-25T16:07:23.582715Z", "updated_at": "2026-04-10T02:00:04.675765Z", "deleted_at": null, "main_name": "Emissary Panda", "aliases": [ "APT 27", "ATK 15", "Bronze Union", "Budworm", "Circle Typhoon", "Earth Smilodon", "Emissary Panda", "G0027", "Group 35", "Iron Taurus", "Iron Tiger", "Linen Typhoon", "LuckyMouse", "Operation DRBControl", "Operation Iron Tiger", "Operation PZChao", "Operation SpoiledLegacy", "Operation StealthyTrident", "Red Phoenix", "TEMP.Hippo", "TG-3390", "ZipToken" ], "source_name": "ETDA:Emissary Panda", "tools": [ "ASPXSpy", "ASPXTool", "Agent.dhwf", "AngryRebel", "Antak", "CHINACHOPPER", "China Chopper", "Destroy RAT", "DestroyRAT", "FOCUSFJORD", "Farfli", "Gh0st RAT", "Ghost RAT", "HTTPBrowser", "HTran", "HUC Packet Transmit Tool", "HighShell", "HttpBrowser RAT", "HttpDump", "HyperBro", "HyperSSL", "HyperShell", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "Moudour", "Mydoor", "Nishang", "OwaAuth", "PCRat", "PlugX", "ProcDump", "PsExec", "RedDelta", "SEASHARPEE", "Sensocode", "SinoChopper", "Sogu", "SysUpdate", "TIGERPLUG", "TVT", "Thoper", "Token Control", "TokenControl", "TwoFace", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "Xamtrav", "ZXShell", "gsecdump", "luckyowa" ], "source_id": "ETDA", "reports": null }, { "id": "9faf32b7-0221-46ac-a716-c330c1f10c95", "created_at": "2022-10-25T16:07:23.652281Z", "updated_at": "2026-04-10T02:00:04.702108Z", "deleted_at": null, "main_name": "Gallium", "aliases": [ "Alloy Taurus", "G0093", "Granite Typhoon", "Phantom Panda" ], "source_name": "ETDA:Gallium", "tools": [ "Agentemis", "BlackMould", "CHINACHOPPER", "China Chopper", "Chymine", "CinaRAT", "Cobalt Strike", "CobaltStrike", "Darkmoon", "Gen:Trojan.Heur.PT", "Gh0stCringe RAT", "HTran", "HUC Packet Transmit Tool", "LaZagne", "Mimikatz", "NBTscan", "PingPull", "Plink", "Poison Ivy", "PsExec", "PuTTY Link", "QuarkBandit", "Quasar RAT", "QuasarRAT", "Reshell", "SPIVY", "SinoChopper", "SoftEther VPN", "Sword2033", "WCE", "WinRAR", "Windows Credential Editor", "Windows Credentials Editor", "Yggdrasil", "cobeacon", "nbtscan", "netcat", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "c87ee2df-e528-4fa0-bed6-6ed29e390688", "created_at": "2023-01-06T13:46:39.150432Z", "updated_at": "2026-04-10T02:00:03.231072Z", "deleted_at": null, "main_name": "GALLIUM", "aliases": [ "Red Dev 4", "Alloy Taurus", "Granite Typhoon", "PHANTOM PANDA" ], "source_name": "MISPGALAXY:GALLIUM", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "236429ce-6355-43f6-9b58-e6803a1df3f4", "created_at": "2026-03-16T02:02:50.60344Z", "updated_at": "2026-04-10T02:00:03.641587Z", "deleted_at": null, "main_name": "Bronze Union", "aliases": [ "Circle Typhoon ", "Emissary Panda " ], "source_name": "Secureworks:Bronze Union", "tools": [ "China Chopper", "OwaAuth", "Sysupdate" ], "source_id": "Secureworks", "reports": null }, { "id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c", "created_at": "2022-10-25T16:07:23.750796Z", "updated_at": "2026-04-10T02:00:04.736762Z", "deleted_at": null, "main_name": "Ke3chang", "aliases": [ "APT 15", "BackdoorDiplomacy", "Bronze Davenport", "Bronze Idlewood", "Bronze Palace", "CTG-9246", "G0004", "G0135", "GREF", "Ke3chang", "Metushy", "Nylon Typhoon", "Operation Ke3chang", "Operation MirageFox", "Playful Dragon", "Playful Taurus", "PurpleHaze", "Red Vulture", "Royal APT", "Social Network Team", "Vixen Panda" ], "source_name": "ETDA:Ke3chang", "tools": [ "Agentemis", "Anserin", "BS2005", "BleDoor", "CarbonSteal", "Cobalt Strike", "CobaltStrike", "DarthPusher", "DoubleAgent", "EternalBlue", "GoldenEagle", "Graphican", "HenBox", "HighNoon", "IRAFAU", "Ketrican", "Ketrum", "LOLBAS", "LOLBins", "Living off the Land", "MS Exchange Tool", "Mebroot", "Mimikatz", "MirageFox", "NBTscan", "Okrum", "PluginPhantom", "PortQry", "ProcDump", "PsList", "Quarian", "RbDoor", "RibDoor", "Royal DNS", "RoyalCli", "RoyalDNS", "SAMRID", "SMBTouch", "SilkBean", "Sinowal", "SpyWaller", "Theola", "TidePool", "Torpig", "Turian", "Winnti", "XSLCmd", "cobeacon", "nbtscan", "netcat", "spwebmember" ], "source_id": "ETDA", "reports": null }, { "id": "b9806584-4d82-4f32-ae97-18a2583e8d11", "created_at": "2022-10-25T16:07:23.787833Z", "updated_at": "2026-04-10T02:00:04.749709Z", "deleted_at": null, "main_name": "Leviathan", "aliases": [ "APT 40", "ATK 29", "Bronze Mohawk", "G0065", "Gadolinium", "Gingham Typhoon", "ISLANDDREAMS", "ITG09", "Jumper Taurus", "Kryptonite Panda", "Mudcarp", "Red Ladon", "TA423", "TEMP.Jumper", "TEMP.Periscope" ], "source_name": "ETDA:Leviathan", "tools": [ "AIRBREAK", "Agent.dhwf", "Agentemis", "AngryRebel", "BADFLICK", "BlackCoffee", "CHINACHOPPER", "China Chopper", "Cobalt Strike", "CobaltStrike", "DADJOKE", "Dadstache", "Derusbi", "Destroy RAT", "DestroyRAT", "Farfli", "GRILLMARK", "Gh0st RAT", "Ghost RAT", "HOMEFRY", "Hellsing Backdoor", "Kaba", "Korplug", "LOLBAS", "LOLBins", "LUNCHMONEY", "Living off the Land", "MURKYTOP", "Moudour", "Mydoor", "NanHaiShu", "Orz", "PCRat", "PNGRAT", "PlugX", "RedDelta", "SeDLL", "Sensocode", "SinoChopper", "Sogu", "TIGERPLUG", "TVT", "Thoper", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "Xamtrav", "ZXShell", "ZoxPNG", "cobeacon", "gresim", "scanbox" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434162, "ts_updated_at": 1775792281, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5448bd180ebda2a99555318853cc81f1bdd50f83.pdf", "text": "https://archive.orkl.eu/5448bd180ebda2a99555318853cc81f1bdd50f83.txt", "img": "https://archive.orkl.eu/5448bd180ebda2a99555318853cc81f1bdd50f83.jpg" } }