{
	"id": "c45146ca-2f44-4c65-bd60-f78af2525b7b",
	"created_at": "2026-04-06T00:07:46.821279Z",
	"updated_at": "2026-04-10T03:36:33.847834Z",
	"deleted_at": null,
	"sha1_hash": "593ca46381c0802486e51d32f10b1726af4abab5",
	"title": "FIN7/Carbanak threat actor unleashes Bateleur JScript backdoor | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1399110,
	"plain_text": "FIN7/Carbanak threat actor unleashes Bateleur JScript backdoor | Proofpoint US\r\nBy Matthew Mesa, Darien Huss, July 31, 2017\r\nPublished: 2017-07-31 · Archived: 2026-04-05 14:46:09 UTC\r\nOverview\r\nProofpoint researchers have uncovered that the threat actor commonly referred to as FIN7 has added a new JScript backdoor called Bateleur and updated macros to its toolkit. We have observed these new tools being used to target U.S.-based chain restaurants, although FIN7 has previously targeted hospitality organizations, retailers, merchant services, suppliers and others. The new macros and Bateleur backdoor use sophisticated anti-analysis and sandbox evasion techniques as they attempt to cloak their activities and expand their victim pool.\r\nSpecifically, the first FIN7 change we observed was in the obfuscation technique found in their usual document attachments delivering the GGLDR script [1], initially described by researchers at FireEye [2]. In addition, starting in early June, we observed this threat actor using macro documents to drop a previously undocumented JScript backdoor, which we have named “Bateleur”, instead of dropping their customary GGLDR payload. Since its initial sighting, there have been multiple updates to Bateleur and the attachment macros.\r\nIn this blog we take a deep dive into Bateleur and the email messages and documents delivering it.\r\nDelivery\r\nThe example message (Fig. 1) uses a very simple lure to target a restaurant chain. It purports to be information on a previously discussed check. The email is sent from an Outlook.com account, and the attachment document lure also matches that information by claiming “This document is encrypted by Outlook Protect Service”. In other cases, when the message was sent from a Gmail account, the lure document instead claims “This document is encrypted by Google Documents Protect Service” (Fig. 2).\r\nhttps://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor\r\nPage 1 of 11\r\nFigure 1: Phishing email containing JScript document dropper\r\nFigure 2: Malicious “Outlook” document lure (left) and “Google” lure (right)\r\nAnalysis\r\nThe email contains a macro-laden Word document. The macro accesses the malicious payload via a caption: UserForm1.Label1.Caption (Fig. 3). The caption contains a “|*|”-delimited obfuscated JScript payload (Fig. 4).\r\nThe macro first extracts the JScript from the caption, then saves the content to debug.txt in the current user’s temporary folder (%TMP%). Next, the macro executes the following commands, which are stored in an obfuscated manner by reversing the character order:\r\n1. schtasks /create /f /tn \"\"GoogleUpdateTaskMachineCorefh5evfbce5bhfd37\"\" /tr \"\"wscript.exe //b /e:jscript %TMP%\\debug.txt \"\" /sc ONCE /st \"\"05:00\"\" /sd \"\"12/12/1990\"\"\r\n2. Sleep for 3 seconds\r\n3. schtasks /Run /I /TN \"\"GoogleUpdateTaskMachineCorefh5evfbce5bhfd37\"\"\r\n4. Sleep for 10 seconds\r\n5. schtasks /Delete /F /TN \"\"GoogleUpdateTaskMachineCorefh5evfbce5bhfd37\"\"\r\nIn the first step, the macro creates a scheduled task whose purpose is to execute debug.txt as a JScript. The macro then sleeps for 3 seconds, after which it runs the scheduled task. Finally, the macro sleeps for 10 seconds, then deletes the malicious scheduled task. The combined effect of these commands is to run Bateleur on the infected system in a roundabout manner in an attempt to evade detection.\r\nFigure 3: Macro from c91642c0a5a8781fff9fd400bff85b6715c96d8e17e2d2390c1771c683c7ead9\r\nFigure 4: Caption containing malicious obfuscated JScript\r\nThe malicious JScript has robust capabilities that include anti-sandbox functionality, anti-analysis (obfuscation), retrieval of infected system information, listing of running processes, execution of custom commands and PowerShell scripts, loading of EXEs and DLLs, taking screenshots, uninstalling and updating itself, and possibly the ability to exfiltrate passwords, although the latter requires an additional module from the command and control server (C\u0026C).\r\nWhen Bateleur first executes it creates a scheduled task “GoogleUpdateTaskMachineSystem” for persistence using the following command pattern:\r\nschtasks /Create /f /tn \"GoogleUpdateTaskMachineSystem\" /tr \"wscript.exe //b /e:jscript C:\\Users\\[user account]\\AppData\\Local\\Temp\\{[hex]-[hex]-[hex]-[hex]-[hex]}\\debug.txt\" /sc minute /mo 5\r\nBateleur has anti-sandbox features, but they do not appear to be used at this time. These include detection of VirtualBox, VMware, or Parallels via SMBIOSBIOSVersion and any of the following strings in DeviceID:\r\nvmware\r\nPCI\\\\VEN_80EE\u0026DEV_CAFE\r\nVMWVMCIHOSTDEV\r\nThe backdoor also contains a process name blacklist including:\r\nautoit3.exe\r\ndumpcap.exe\r\ntshark.exe\r\nprl_cc.exe\r\nBateleur also checks its own script name and compares it to a blacklist of names which could indicate that the script is being analyzed by an analyst or a sandbox:\r\nmalware\r\nsample\r\nmlwr\r\nDesktop\r\nThe following table describes the commands available in the backdoor.\r\nCommand | Description\r\nget_information | Return various information about the infected machine, such as computer and domain name, OS, screen size, and net view\r\nget_process_list | Return running process list (name + id)\r\nkill_process | Kill process using taskkill\r\nuninstall | Delete installation file and path and remove scheduled task GoogleUpdateTaskMachineSystem\r\nupdate | Overwrite JScript file with response content\r\nexe | Perform a “load_exe” request to the C\u0026C to retrieve an EXE, save it as debug.backup in the install_path, write a cmd.exe command to a file named debug.cmd and then execute debug.cmd with cmd.exe\r\nwexe | Perform a “load_exe” request to the C\u0026C to retrieve an EXE, save it as debug.log and then execute the EXE via WMI\r\ndll | Perform a “load_dll” request to the C\u0026C to retrieve a DLL, save it as debug.backup in the install_path, write a regsvr32 command to a file named debug.cmd and then execute debug.cmd with cmd.exe\r\ncmd | Perform a “load_cmd” request to the C\u0026C to retrieve a command to execute, create a temp file named log_[date].cmd containing the command to execute, execute the command and sleep for 55 seconds. Send file output to the C\u0026C via a POST request and remove the temporary command file\r\npowershell | Perform a “load_powershell” request to the C\u0026C to retrieve a command to execute, create a temp file named log_[date].log containing a PowerShell command to execute, execute the command, and sleep for 55 seconds. Send file output to the C\u0026C via a POST request and remove the temporary command file\r\napowershell | Same as powershell command but instead executes a PowerShell command directly with powershell.exe\r\nwpowershell | Same as powershell command but instead executes a PowerShell command via WMI\r\nget_screen | Take a screenshot and save it as screenshot.png in the install_path\r\nget_passwords | Perform a “load_pass” request to the C\u0026C to retrieve a PowerShell command containing a payload capable of retrieving user account credentials\r\ntimeout | Do nothing\r\nTable 1: List of commands available in the Bateleur backdoor\r\nThe Bateleur C\u0026C protocol occurs over HTTPS and is fairly straightforward, with no additional encoding or obfuscation. Bateleur uses HTTP POST requests with a URI of “/?page=wait” while the backdoor is waiting for instructions. Once an instruction is received from the controller (Fig. 5), the backdoor will perform a new request related to the received command (Fig. 6).\r\nFigure 5: Bateleur HTTP POST “wait” request\r\nFigure 6: Bateleur HTTP POST receiving command from C\u0026C\r\nAfter each command the backdoor will typically respond with either an OK (for many commands) or send the results back to the C\u0026C with a final POST request.\r\nAlthough Bateleur has a much smaller footprint than GGLDR/HALFBAKED, lacks basic features such as encoding in the C\u0026C protocol, and does not have backup C\u0026C servers, we expect the Bateleur developer(s) may add those features in the near future. In less than one month, we have observed Bateleur jump from version 1.0 to 1.0.4.1; the newer version of the backdoor adds several new commands, including wexe, apowershell, and wpowershell (Table 1), that did not exist in version 1.0.\r\nAttribution\r\nProofpoint researchers have determined with a high degree of certainty that this backdoor is being used by the same group that is referred to as FIN7 by FireEye [3] and as Carbanak by TrustWave [4] and others. In this section we will discuss each datapoint that connects this backdoor with previous FIN7 activity.\r\nEmail Message/Campaign Similarity\r\nIn June we observed similar messages separately delivering GGLDR and Bateleur to the same target, with some even sharing very similar or identical attachment names, subject lines, and/or sender addresses. The timing and similarity between these campaigns suggest that they were sent by the same actor.\r\nTinymet\r\nA small Meterpreter downloader script, called Tinymet by the actor(s) (possibly inspired by [5]), has repeatedly been observed being utilized by this group at least as far back as 2016 [6] as a Stage 2 payload. In at least one instance, we observed Bateleur downloading the same Tinymet Meterpreter downloader (Fig. 7).\r\nFigure 7: Beginning snippet from Tinymet downloaded by Bateleur\r\nMoreover, the GGLDR/HALFBAKED backdoor was recently equipped with a new command, tinymet (Fig. 8), which was used on at least one occasion (Fig. 9) to download a JScript version of the Tinymet Meterpreter downloader (Fig. 10).\r\nFigure 8: GGLDR is updated with a Tinymet command\r\nFigure 9: GGLDR receiving Tinymet command from C\u0026C (after decoding base64 with custom alphabet)\r\nFigure 10: Snippet from Tinymet downloaded by GGLDR tinymet command\r\nWe have also observed Tinymet delivered via the runps1 (Fig. 11) and runvbs (Fig. 12) commands, resulting in the same version of Tinymet downloaded by Bateleur (Fig. 13). All observed instances of Tinymet have utilized the same XOR key of 0x50.\r\nFigure 11: GGLDR receiving Tinymet via runps1 command\r\nFigure 12: GGLDR receiving Tinymet via runvbs command\r\nFigure 13: Snippet from decoded Tinymet downloaded by GGLDR runps1 and runvbs commands\r\nPassword Grabber\r\nDuring our analysis we observed that the PowerShell password grabber utilized by Bateleur contained an identical DLL (stealer_component_refl.dll - 8c00afd815355a00c55036e5d18482f730d5e71a9f83fe23c7a1c0d9007ced5a) to the one we found embedded in a PowerShell script contained in recent GGLDR samples. This further demonstrates the payload re-use between instances using the two different backdoors.\r\nConclusion\r\nWe continue to see regular changes to the tactics and tools used by FIN7 in their attempt to infect more targets and evade detection. The Bateleur JScript backdoor and new macro-laden documents appear to be the latest in the group’s expanding toolset, providing new means of infection, additional ways of hiding their activity, and growing capabilities for stealing information and executing commands directly on victim machines.\r\nReferences\r\n[1] https://blogs.forcepoint.com/security-labs/carbanak-group-uses-google-malware-command-and-control\r\n[2] https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html\r\n[3] https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html\r\n[4] https://www.trustwave.com/Resources/SpiderLabs-Blog/Carbanak-Continues-To-Evolve--Quietly-Creeping-into-Remote-Hosts/\r\n[5] https://github.com/SherifEldeeb/TinyMet\r\n[6] https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Carbanak-/-Anunak-Attack-Methodology/\r\n[7] https://www.trustwave.com/Resources/SpiderLabs-Blog/Operation-Grand-Mars--a-comprehensive-profile-of-Carbanak-activity-in-2016/17/\r\nIndicators of Compromise (IOCs)\r\nBateleur Document Droppers\r\ncf86c7a92451dca1ebb76ebd3e469f3fa0d9b376487ee6d07ae57ab1b65a86f8\r\nc91642c0a5a8781fff9fd400bff85b6715c96d8e17e2d2390c1771c683c7ead9\r\nFIN7 Password Stealer Module\r\n8c00afd815355a00c55036e5d18482f730d5e71a9f83fe23c7a1c0d9007ced5a\r\nBateleur C\u0026C\r\n195.133.48[.]65:443\r\n195.133.49[.]73:443\r\n185.154.53[.]65:443\r\n188.120.241[.]27:443\r\n176.53.25[.]12:443\r\n5.200.53[.]61:443\r\nTinymet C\u0026C\r\n185.25.48[.]186:53\r\n46.166.168[.]213:443\r\n188.165.44[.]190:53\r\nET and ETPRO Suricata/Snort Coverage\r\n2825129,ETPRO TROJAN Carbanak VBS/GGLDR v2 Checkin\r\n2825130,ETPRO TROJAN Carbanak VBS/GGLDR v2 CnC Beacon\r\n2826201,ETPRO TROJAN Carbanak VBS/GGLDR v2 CnC Beacon 2\r\n2826592,ETPRO TROJAN Carbanak VBS/GGLDR v3 CnC Beacon\r\n2826631,ETPRO TROJAN Carbanak/FIN7 Bateleur SSL Certificate Detected\r\n2826167,ETPRO TROJAN Carbanak/FIN7 Tinymet Downloader Receiving Payload\r\n2826674,ETPRO TROJAN Carbanak/FIN7 Bateleur CnC Beacon\r\nSource: https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor"
	],
	"report_names": [
		"fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434066,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/593ca46381c0802486e51d32f10b1726af4abab5.pdf",
		"text": "https://archive.orkl.eu/593ca46381c0802486e51d32f10b1726af4abab5.txt",
		"img": "https://archive.orkl.eu/593ca46381c0802486e51d32f10b1726af4abab5.jpg"
	}
}