{
	"id": "43361147-39b4-4e95-8838-3de2988e9fb8",
	"created_at": "2026-04-06T00:11:58.789445Z",
	"updated_at": "2026-04-10T13:13:06.541571Z",
	"deleted_at": null,
	"sha1_hash": "56e81b475c654f9aa7ba6b4cf6ddb92797fa8305",
	"title": "Hidden Lynx – Professional Hackers for Hire",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1154475,
	"plain_text": "Hidden Lynx – Professional Hackers for Hire\r\nArchived: 2026-04-05 12:51:25 UTC\r\nFor the past few years, reports have continued to emerge detailing the activities of actors behind various targeted attacks or Advanced Persistent Threats (APTs). Here at Symantec Security Response, we’ve been keeping our eyes on a group that we believe is among the best of breed. We’ve given them the name of Hidden Lynx—after a string that was found in the command and control server communications. This group has a hunger and drive that surpass other well-known groups such as APT1/Comment Crew. Key characteristics of this group are:\r\ntechnical prowess\r\nagility\r\norganized\r\nsheer resourcefulness\r\npatience\r\nThese attributes are shown by the relentless campaigns waged against multiple concurrent targets over a sustained period of time. They are the pioneers of the “watering hole” technique used to ambush targets, they have early access to zero-day vulnerabilities, and they have the tenacity and patience of an intelligent hunter to compromise the supply chain to get at the true target. These supply chain attacks are carried out by infecting computers at a supplier of an intended target and then waiting for the infected computers to be installed and call home; clearly these are cool, calculated actions rather than the impulsive forays of amateurs.\r\nThis group doesn’t just limit itself to a handful of targets; instead it targets hundreds of different organizations in many different regions, even concurrently. Given the breadth and number of targets and regions involved, we infer that this group is most likely a professional hacker-for-hire operation that is contracted by clients to provide information. They steal on demand, whatever their clients are interested in, hence the wide variety and range of targets.\r\nWe also believe that to carry out attacks of this scale, the group must have considerable hacking expertise at its disposal; perhaps 50 to 100 operatives are employed, organized into at least two distinct teams, each tasked with carrying out different activities using different tools and techniques. These types of attacks require time and effort to carry out; some of the campaigns require research and intelligence gathering before any successful attacks can be mounted.\r\nAt the front line of this group is a team that uses disposable tools along with basic but effective techniques to attack many different targets. They may also act as intelligence collectors. This team we call Team Moudoor after the name of the Trojan that they use. Moudoor is a back door Trojan that the team uses liberally without worry about discovery by security firms. The other team acts like a special operations unit, elite personnel used to crack the most valuable or toughest targets. The elite team uses a Trojan named Naid and is therefore referred to as Team Naid. Unlike Moudoor, the Naid Trojan is used sparingly and with care to avoid detection and capture, like a secret weapon that is only used when failure is not an option.\r\nhttps://web.archive.org/web/20130920000343/https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire\r\nPage 1 of 4\r\nSince 2011, we have observed at least six significant campaigns by this group. The most notable of these campaigns is the VOHO attack campaign of June 2012. What was particularly interesting about this attack was the use of the watering hole attack technique and the compromise of Bit9’s trusted file signing infrastructure. The VOHO campaign was ultimately targeting US defense contractors whose systems were protected by Bit9’s trust-based protection software, but when the Hidden Lynx attackers’ progress was blocked by this obstacle, they reconsidered their options and found that the best way around the protection was to compromise the heart of the protection system itself and subvert it for their own purpose. This is exactly what they did when they diverted their attention to Bit9 and breached their systems. Once breached, the attackers quickly found their way into the file signing infrastructure that was the foundation of the Bit9 protection model; they then used this system to sign a number of malware files, and these files were used in turn to compromise the true intended targets.\r\nFor those interested in more in-depth information, we have published a whitepaper that describes the group and the attack campaigns carried out by them.\r\nWe have also put together an infographic that summarizes the key information about this prolific Hidden Lynx group.\r\nSource: https://web.archive.org/web/20130920000343/https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20130920000343/https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire"
	],
	"report_names": [
		"hidden-lynx-professional-hackers-hire"
	],
	"threat_actors": [
		{
			"id": "4b076dcb-516e-42fb-9c8f-f153902cd5e9",
			"created_at": "2022-10-25T16:07:23.708745Z",
			"updated_at": "2026-04-10T02:00:04.720108Z",
			"deleted_at": null,
			"main_name": "Hidden Lynx",
			"aliases": [
				"Aurora Panda",
				"Group 8",
				"Heart Typhoon",
				"Hidden Lynx",
				"Operation SMN"
			],
			"source_name": "ETDA:Hidden Lynx",
			"tools": [
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"BlackCoffee",
				"HiKit",
				"MCRAT.A",
				"Mdmbot.E",
				"Moudoor",
				"Naid",
				"PNGRAT",
				"Trojan.Naid",
				"ZoxPNG",
				"gresim"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434318,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/56e81b475c654f9aa7ba6b4cf6ddb92797fa8305.pdf",
		"text": "https://archive.orkl.eu/56e81b475c654f9aa7ba6b4cf6ddb92797fa8305.txt",
		"img": "https://archive.orkl.eu/56e81b475c654f9aa7ba6b4cf6ddb92797fa8305.jpg"
	}
}