{
	"id": "a93bd170-5dcb-4ace-9333-de62a7211a9f",
	"created_at": "2026-04-06T00:19:23.718368Z",
	"updated_at": "2026-04-10T13:12:57.449361Z",
	"deleted_at": null,
	"sha1_hash": "561b12f0c2eb64af399fe5680385422a3fa099fd",
	"title": "Cyber Soft Power | China's Continental Takeover",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5715704,
	"plain_text": "Cyber Soft Power | China's Continental Takeover\r\nBy Tom Hegel\r\nPublished: 2023-09-21 · Archived: 2026-04-05 17:30:29 UTC\r\nExecutive Summary\r\nSentinelLABS has observed sustained tasking towards strategic intrusions by Chinese threat actors in\r\nAfrica, designed to extend influence throughout the continent.\r\nNew attacks include those against telecommunication, finance and government, attributed to the\r\nBackdoorDiplomacy APT and the threat group orchestrating Operation Tainted Love.\r\nChina’s engagement in soft power diplomacy has a lengthy history, yet the use of strategic cyber intrusions\r\nhighlights recent objectives and potential lasting impact in Africa.\r\nTo better manage the challenge of tracking state-aligned cyber activities in less monitored areas like Africa\r\nand Latin America, we are announcing the formation of the ‘Undermonitored Regions Working Group’.\r\nLaunched today at LABScon, this effort calls upon established security researchers to join analytic\r\ncapabilities, combine telemetry, resources, and local expertise, and promote a unified approach to\r\nanalyzing cyber operations used to support soft power agendas in Africa and Latin America.\r\nIntroduction\r\nIn the evolving cyber threat landscape, it’s always important to constantly challenge our biases. There are large\r\npockets of important threat activity occurring in regions around the world less commonly addressed in Western\r\nthreat research. While much attention has rightfully been drawn to Chinese threat actors targeting the West, the\r\nbroader set of global activity supporting and promoting similar interests remains opaque. 
At a time of pervasive\r\nforeign activities towards cornering natural resources and co-opting the governance of less represented countries,\r\nwe have to ask: what is happening across the vast African continent?\r\nAs we contemplate where China might stand in the global arena in the next 5 to 10 years, it’s evident that there\r\nexists a considerable gap in the realm of cyber threat intelligence with regard to Africa as a whole, and more\r\nspecifically how it ties into the long-term agenda of the People’s Republic of China (PRC). Africa, with its highly\r\ncomplex and dynamic environment, poses a unique challenge for accurately characterizing its cyber threat\r\nlandscape.\r\nIn the threat intelligence industry, we have a habit of overlooking regions where our immediate financial interests\r\ndon’t appear to be at stake. Yet, it is precisely in places like Africa and Latin America that we witness these threat\r\nactors subtly shifting the balance of negotiations and playing pivotal roles in larger geopolitical strategies. There’s\r\nan urgent need to acknowledge the importance of these frequently overlooked regions in the global threat\r\nlandscape and take radical steps to close the gap in our situational awareness. These regions are shaping up to be\r\nthe battlegrounds of the future.\r\nhttps://www.sentinelone.com/labs/cyber-soft-power-chinas-continental-takeover/\r\nPage 1 of 9\n\nOur focus is on incentivizing strategic intelligence on the state of cyber operations targeting Africa. We recognize\r\nthat these operations need to be placed in the greater context of multidimensional campaigns that include more\r\ntraditional forms of espionage, market maneuvers, and influence. This is vital in understanding the PRC’s\r\ngeostrategic ambitions and technological investments, and is fundamental in forging a forward-thinking and\r\nholistic defense approach. We’ll highlight key examples including the targeting from Chinese state-sponsored\r\nAPTs, such as Op. 
Tainted Love and BackdoorDiplomacy, and how they blend into PRC’s soft power agenda\r\nacross Africa.\r\nBackground on Soft Power Engagement\r\nWhile cyber capabilities are important, they are just one of the more recent tools used in implementing broad\r\nnational soft power strategies. Spanning several decades, China’s involvement in the continent has adapted to\r\nembrace economic, political, and cultural dimensions that represent both comprehensive and strategic\r\nopportunities. The establishment of Confucius Institutes and expanding media investments have been a tool in\r\ncrafting narratives that underline the positive aspects of its engagement in Africa.\r\nChina has engaged in significant strategic investments in Africa, considered ‘debt-trap diplomacy’. This refers to a\r\nscenario where a creditor country extends excessive credit to a debtor country with the presumed intention of\r\nextracting economic or political concessions when the debtor country cannot meet its repayment terms.\r\nSpecifically in Africa, China has financed large critical infrastructure projects in many African countries.\r\nCountries pursuing economic and infrastructure development have found China a willing and eager investor over\r\nthe last decade. Future adverse effects are easily brushed aside by the immediate perceived benefits of these\r\ninvestments.\r\nOffensive Cyber Operations as a Support Tool of Soft Power Agendas\r\nIn recent years, we have tracked targeted intrusions against key industrial sectors in various African nations. These\r\nattacks conspicuously align with China’s broader soft power and technological agenda in the region, focusing on\r\ncritical areas such as the telecommunication sector, financial institutions, and governmental bodies. 
Three\r\nsignificant sets of activity best exemplify this dynamic across the larger set of China-aligned activity in Africa.\r\nOperation Tainted Love\r\nIn March 2023, we shared details of Operation Tainted Love, a case centered on targeted attacks against\r\ntelecommunications providers predominantly located in the Greater Middle East region. This discovery marked an\r\nevolution of the toolkit involved in Operation Soft Cell, forging immediate connections to previous China-attributed activities.\r\nFrom Operation Tainted Love, we highlighted the use of a rigorously maintained and version-controlled system\r\nfor credential theft, accompanied by a novel dropper mechanism. The overall findings are suggestive of a\r\nconcerted development effort undertaken by a threat actor, or a threat actor’s support structure, driven by specific\r\nobjectives.\r\nOperation Tainted Love\r\nUnnoted in our initial report, we identified the compromise of a telecommunications entity based in North Africa\r\nby the same threat actor. The timing of this activity aligned closely with Chinese telecommunication soft power\r\ninterests in Africa, as the organization was in private negotiations for further regional expansion. Strategic\r\nobjectives in such intrusions highlight interest from China in internal business knowledge on negotiations,\r\nproviding competitive advantage, or prepositioning for retained technical access for intelligence collection.\r\nBackdoor Diplomacy\r\nFor several years, another APT primarily referred to as BackdoorDiplomacy has operated across Africa. Recently,\r\nfresh revelations emerged spotlighting the group’s sustained three-year endeavor targeting governmental\r\norganizations in Kenya. 
Delving into prior public technical reports by ESET, Unit42, and BitDefender unveils a\r\ntargeting paradigm bearing resemblance to those employed in Operation Tainted Love.\r\nBackdoorDiplomacy seemingly concentrates efforts on government entities, along with high-priority\r\ntelecommunications and finance organizations. The group has orchestrated a series of notable espionage\r\ncampaigns across Africa in recent years. Through analysis of infrastructure tied to this actor, we assess multiple\r\nAfrican countries have experienced targeting over the last few years, including at least South Africa, Kenya,\r\nSenegal, and Ethiopia. As noted by previous reporting, the threat actor does maintain operations throughout the\r\nMiddle East, and can be found in other regions of particular PRC interest.\r\nOur current perspective suggests a close relationship between BackdoorDiplomacy and another Chinese state-sponsored\r\nthreat actor, APT15.\r\nThreat Actor Ambiguity\r\nA broader set of China-aligned campaigns has been active across Africa, as emphasized by recent reports on\r\nFamousSparrow and Earth Estries. Pinpointing precise clustering for these groups remains challenging due to a\r\nprevalence of shared technical resources. However, TTPs and targeting objectives are somewhat related to the\r\nAPT41 umbrella.\r\nIn a separate case, Chinese espionage efforts against the African Union (AU) were allegedly discovered in 2017.\r\nAccording to initial reports, for a period of five years, from 2012 to 2017, the Chinese government maintained\r\nbackdoor access into servers for the African Union’s headquarters in Ethiopia. The $200 million\r\nheadquarters was funded and built by China between 2009 and 2012. 
Notably, the network infrastructure and\r\nservices were reportedly Huawei technology since the initial construction.\r\nAfrican Union Headquarters, Addis Ababa\r\nMore recently in 2020, Japan’s CERT notified AU IT staff of an intrusion they attributed to the Bronze President\r\nAPT, a separately tracked Chinese threat actor. In this intrusion, Bronze President was observed exfiltrating\r\nsurveillance footage from the AU headquarters facility. This case may highlight how much of a real priority\r\nintelligence inside the AU is to Beijing, ultimately forcing their hand on moving away from backdoored\r\nequipment to performing actual intrusions through well-tracked APTs.\r\nIn both the 2017 and 2020 cases, African Union and Chinese officials denied any sort of intrusion. As quoted by\r\nReuters, a former AU official told them, “Attacking the Chinese, for us, it’s a very bad idea.” A review of specifics\r\naround China’s technological soft power in Africa highlights some reasons why the official may have said that.\r\nTechnological Soft Power, Reliance, and Abuse Opportunities\r\nThe digital landscape of Africa has undergone a seismic transformation, largely facilitated through Chinese tech\r\ngiants deploying extensive resources to meet the continent’s critical technological needs.\r\nChina has taken a lead role in Africa’s telecommunication, finance, and surveillance technology sectors. This\r\ninitiative ties into China’s Digital Silk Road project, announced in 2015.\r\nTelecommunication Networks\r\nAt the forefront of technology investment in Africa are Huawei and ZTE, powerhouses steering efforts to bridge\r\nthe connectivity divide separating urban and rural landscapes of the continent. 
These corporations have brought\r\nthe boon of digital connectivity to the remotest corners of Africa.\r\nIn the two decades since Huawei began expanding into Africa, it has grown to become the leading\r\ntelecommunication technology and service provider across much of the continent.\r\nYet, underneath the altruistic veneer may lie a strategy anchored on fostering an overwhelming dependence on\r\nChinese technology. Through a sweeping range of initiatives that span from mobile networks to broadband\r\ninfrastructure, the strategy envisions a society deeply tied to China’s digital ecosystem, guiding future socio-political paths and holding significant sway over personal freedoms.\r\nThis rise isn’t merely a route to economic enrichment; it empowers China to shape policies and narratives aligned\r\nwith its geostrategic ambitions, establishing itself as a pivotal and defining force in Africa’s digital\r\nevolution. Targeted intrusions by the BackdoorDiplomacy APT and the threat group orchestrating Operation\r\nTainted Love indicate a level of intention directed at supporting such agendas.\r\nInstances of infringement on internet rights and the misuse of technology are already evident in countries such as\r\nSudan, Ethiopia, Zimbabwe, Gabon, and the Democratic Republic of Congo. In some of these nations, the\r\ngovernments have resorted to shutting down social media and internet services as a strategy to suppress civil\r\nunrest, or even to spying on the network communications of their citizens.\r\nChina has also ventured to enhance its command over the underwater fiber networks connected to the African\r\ncontinent. 
Leveraging significant investments in projects such as the PEACE cable initiative, China has been\r\nlaying cables that aim to rejuvenate Africa’s digital connectivity, ostensibly offering the continent much needed\r\ninformation accessibility.\r\nPeace Cable Map, TeleGeography\r\nThese underwater pathways hold enormous significance in dictating the flow of information between continents.\r\nIn taking ownership of them, China stands in a position to potentially orchestrate and steer digital dialogues on the\r\nAfrican continent, forging a narrative that aligns seamlessly with its geopolitical objectives.\r\nControlling these undersea networks gives China the capacity to monitor the data flowing through them, raising\r\nserious concerns regarding data privacy and national sovereignty. To gauge the potential for misuse, we only need\r\nto examine how China manages its own domestic networks, offering a window into the possible ramifications of\r\ngranting them such control.\r\nMobile Payment Platforms\r\nIn recent years, digital mobile banking platforms like M-Pesa have revolutionized Africa’s financial landscape,\r\npromoting unprecedented financial inclusion especially in areas underserved by traditional banks. With 51 million\r\nusers processing over $314 billion in transactions annually, its footprint is substantial.\r\nM-Pesa has since been migrated to Huawei’s Mobile Money Platform. 
Similarly, China-backed entities OPay and\r\nPalmPay have seized a considerable market share, facilitating a large portion of the continent’s financial\r\ntransactions.\r\nThis should raise apprehensions around the nature of China’s influence, with potential avenues for financial\r\nmonopolies and the control it gives to Chinese stakeholders in the dictation of economic trajectories across the\r\nAfrican continent.\r\nThe intensive data mining, user surveillance, and user disruption that are characteristic of Chinese tech giants\r\npresent a significant risk of exploitation, infringing upon the privacy rights of individuals and potentially\r\nundermining the sovereignty of African nations. The depth and breadth of data these platforms can amass and\r\ncontrol raise serious concerns about how it might be utilized, perhaps to shape consumer behavior, influence\r\npublic opinion, or even foster dependencies that go beyond financial transactions.\r\nWhile services offered by these platforms are undeniably bringing about a financial revolution, they are creating a\r\nscenario where a foreign power has an overwhelming influence over the financial stability, habits, and preferences\r\nof a significant portion of the African populace. Financial inclusion and potential manipulation hang in a\r\nprecarious balance, necessitating a critical appraisal of the long-term implications of this growing influence.\r\nSurveillance\r\nHuawei’s Smart City venture is also emerging as a central pillar in China’s escalating soft power influence in\r\nAfrica. This initiative pivots on a suite of surveillance services including facial recognition, artificial intelligence,\r\ndata analytics, and 5G network deployments, all claimed to enhance urban management, augment\r\npublic safety, and spur economic development. 
Yet, the flipside of this technological investment is the possibility\r\nof a surveillance era of unparalleled scope, exploiting a diverse array of data from daily life to cultivate a society\r\nwhere personal privacy could soon become obsolete.\r\nAcross Africa, nations like Kenya, Mauritius, Uganda, and Zambia have embraced Huawei, infusing surveillance\r\ntechnology into the heartbeat of their urban landscapes. In Kenya, the Safe City project — powered by Huawei’s\r\nsystem encompassing CCTV and facial recognition technologies — monitors Nairobi and other primary cities. In\r\nUganda, one such case of surveillance reportedly led to the regime seeking to silence political opponent Bobi\r\nWine, accomplished through the help of Huawei staff and services. These same capabilities can be found in many\r\nother countries throughout Africa.\r\nBobi Wine, source: Bloomberg\r\nOther noteworthy activity includes the Chinese business CloudWalk Technology providing facial recognition\r\nsurveillance technology to Zimbabwe. CloudWalk has been accused of being involved in human rights violations\r\nand transgressions perpetrated during China’s campaign targeting Uighurs, ethnic Kazakhs, and other Muslim\r\nminority groups in the Xinjiang Uighur Autonomous Region. This campaign is characterized by widespread\r\nrepression, indiscriminate detentions, enforced labor, and intensive high-tech surveillance.\r\nOnce these smart cities come to fruition, they will operate fundamentally on Chinese technology, often granting\r\nBeijing real-time insights into these nations, with little regard for personal privacy or national safeguarding\r\nmeasures. 
Moreover, these nations steer towards further reliance on Chinese expertise and technical resources for\r\nthe use and administration of these systems into the future.\r\nA Force for Good\r\nAfrican nations face the delicate task of leveraging Chinese tech innovations while preserving their autonomy and\r\ndigital rights, a tightrope walk exacerbated by limited alternatives. Concurrently, it’s imperative for the\r\ncybersecurity community to deepen our understanding of China’s cyber activities in Africa to prevent unwanted\r\nencroachment.\r\nDue to escalating cyber threats in overlooked areas such as Africa and Latin America, we are launching the\r\nUndermonitored Regions Working Group (URWG). This initiative is focused on addressing the unique\r\ncybersecurity hurdles faced in these regions, frequently sidelined in mainstream global cyber discussions.\r\nOur mission transcends geographical boundaries as we track state-sponsored threats emerging globally from\r\nnations, be it China, Russia, or Egypt. We are determined to cultivate a technical research collaboration, harnessing\r\nour collective expertise to identify new threats, and devise effective countermeasures against them.\r\nSentinelLABS embodies our commitment to sharing openly – providing tools, context, and insights to strengthen\r\nour collective mission of a safer digital life for all. We are seeking out security researchers, intelligence analysts,\r\nand those passionate about understanding and improving the cyber threat narrative to grow these efforts through\r\nunconventional means. 
By pooling our knowledge and technical prowess, we strive to nurture a digital future in\r\nsupport of less monitored parts of the world.\r\nConclusion\r\nAs we have navigated through the complexities of Chinese influence in Africa, the role of offensive cyber actions,\r\nand the broader implications of tech dominance, it becomes evident that this intricate web of geopolitics and cyber\r\nthreats demands attention across the cybersecurity industry.\r\nRecognizing Africa’s centrality in the future of global cyber dynamics not only helps safeguard the\r\ncontinent’s digital freedoms but also fortifies the global ecosystem against sophisticated threat actors.\r\nThe story of Africa’s digital landscape today is, in essence, the precursor to the global narrative of tomorrow. We\r\nshould work in tandem to craft it as one of security, prosperity, and shared progress.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/cyber-soft-power-chinas-continental-takeover/"
	],
	"report_names": [
		"cyber-soft-power-chinas-continental-takeover"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "709ceea7-db99-405e-b5a7-a159e6c307e0",
			"created_at": "2022-10-25T16:07:23.373699Z",
			"updated_at": "2026-04-10T02:00:04.571971Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [],
			"source_name": "ETDA:BackdoorDiplomacy",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6",
			"created_at": "2022-10-25T16:07:23.605611Z",
			"updated_at": "2026-04-10T02:00:04.685162Z",
			"deleted_at": null,
			"main_name": "FamousSparrow",
			"aliases": [
				"Earth Estries"
			],
			"source_name": "ETDA:FamousSparrow",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3b56d733-88da-4394-b150-d87680ce67e4",
			"created_at": "2023-01-06T13:46:39.287189Z",
			"updated_at": "2026-04-10T02:00:03.274816Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [
				"BackDip",
				"CloudComputating",
				"Quarian"
			],
			"source_name": "MISPGALAXY:BackdoorDiplomacy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8",
			"created_at": "2022-10-25T16:07:23.482856Z",
			"updated_at": "2026-04-10T02:00:04.627414Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"G0142"
			],
			"source_name": "ETDA:Confucius",
			"tools": [
				"ApacheStealer",
				"ByeByeShell",
				"ChatSpy",
				"Confucius",
				"MY24",
				"Sneepy",
				"remote-access-c3",
				"sctrls",
				"sip_telephone",
				"swissknife2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a09ade2a-6b87-4f9a-b4f8-23cf14f63633",
			"created_at": "2023-11-04T02:00:07.676869Z",
			"updated_at": "2026-04-10T02:00:03.389898Z",
			"deleted_at": null,
			"main_name": "Earth Estries",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Estries",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aea3239c-a222-4b7f-8ac0-349222078817",
			"created_at": "2024-12-28T02:01:54.867096Z",
			"updated_at": "2026-04-10T02:00:04.840444Z",
			"deleted_at": null,
			"main_name": "Operation Tainted Love",
			"aliases": [],
			"source_name": "ETDA:Operation Tainted Love",
			"tools": [
				"Mimikatz",
				"mim221"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "401a2035-ed5a-4795-8e37-8b7465484751",
			"created_at": "2022-10-25T15:50:23.616232Z",
			"updated_at": "2026-04-10T02:00:05.304705Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [
				"BackdoorDiplomacy"
			],
			"source_name": "MITRE:BackdoorDiplomacy",
			"tools": [
				"Turian",
				"China Chopper",
				"Mimikatz",
				"NBTscan",
				"QuasarRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3b8b4ed7-e8cc-4a3a-b14d-c8ebf87c0f9c",
			"created_at": "2023-01-06T13:46:39.062729Z",
			"updated_at": "2026-04-10T02:00:03.200784Z",
			"deleted_at": null,
			"main_name": "Operation Soft Cell",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Soft Cell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c",
			"created_at": "2022-10-25T15:50:23.472432Z",
			"updated_at": "2026-04-10T02:00:05.352882Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"Confucius",
				"Confucius APT"
			],
			"source_name": "MITRE:Confucius",
			"tools": [
				"WarzoneRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434763,
	"ts_updated_at": 1775826777,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/561b12f0c2eb64af399fe5680385422a3fa099fd.pdf",
		"text": "https://archive.orkl.eu/561b12f0c2eb64af399fe5680385422a3fa099fd.txt",
		"img": "https://archive.orkl.eu/561b12f0c2eb64af399fe5680385422a3fa099fd.jpg"
	}
}