{
	"id": "6154e90e-d95c-42e9-ac1d-e19ec4c3acff",
	"created_at": "2026-04-06T00:13:52.751293Z",
	"updated_at": "2026-04-10T13:13:02.366356Z",
	"deleted_at": null,
	"sha1_hash": "5a68bd822c2d30873ab0d93e2f0f27a652758001",
	"title": "Tracking the Progression of Earth Hundun's Cyberespionage Campaign in 2024",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1614415,
	"plain_text": "Tracking the Progression of Earth Hundun's Cyberespionage Campaign in 2024\r\nBy: Pierre Lee, Cyris Tseng May 16, 2024 Read time: 10 min (2665 words)\r\nPublished: 2024-05-16 · Archived: 2026-04-05 13:13:55 UTC\r\nSummary\r\nEarth Hundun is known for targeting the Asia-Pacific and now employs updated tactics for infection spread and communication.\r\nThis report details how Waterbear and Deuterbear operate, including the stages of infection, command and control (C\u0026C) interaction, and malware component behavior.\r\nDeuterbear, while similar to Waterbear in many ways, shows advancements in capabilities such as support for shellcode plugins, avoiding handshakes for RAT operation, and using HTTPS for C\u0026C communication.\r\nComparing the two malware variants, Deuterbear uses a shellcode format, possesses anti-memory scanning, and shares a traffic key with its downloader, unlike Waterbear.\r\nThe evolution of Waterbear into Deuterbear indicates the development of tools for anti-analysis and detection evasion in Earth Hundun's toolbox.\r\nIntroduction\r\nIn our previous report, we introduced the sophisticated cyberespionage campaign orchestrated by Earth Hundun, a threat actor known for targeting the Asia-Pacific region using the Waterbear malware and its latest iteration, Deuterbear. We first observed Deuterbear being used by Earth Hundun in October 2022, and it has since been part of the group’s subsequent campaigns.\r\nFigure 1. The industry distribution of endpoints infected by Waterbear and Deuterbear since 2022.\r\nhttps://www.trendmicro.com/en_us/research/24/e/earth-hundun-2.html\r\nPage 1 of 14\r\nOur analysis provided insights into the intricate workings of the downloader, detailing its infection flow, traffic behavior, anti-analysis techniques, and evolutionary trajectory.\r\nIn this entry, we examine the behavior of the final Remote Access Trojan (RAT) that we recently managed to download from a C\u0026C server, based on an Earth Hundun campaign from 2024.\r\nIn our first entry, we focused on the Waterbear downloader (the first stage) and examined its network behavior. This report uses a case study to describe how the threat actor uses the Waterbear RAT and plugin during the second stage and how Waterbear downloaders are spread to other machines, making it more difficult to detect and track.\r\nFurthermore, we examine the major updates to Deuterbear, including the ability to accept plugins in shellcode format and the ability to function even without handshakes during RAT operation.\r\nFinally, we share our findings about the interaction between Earth Hundun and its victims through the Waterbear and Deuterbear malware, showcasing the sophisticated tactics employed by this threat actor.\r\nWaterbear case study\r\nThe following flow chart from a previous campaign illustrates how Waterbear operates in the victim's environment and then spreads more Waterbear downloaders across the internal network.\r\nFigure 2. One of the Waterbear campaign attack chains\r\nFirst stage\r\nWaterbear usually employs a group of three files for downloading purposes during the first stage of an attack (as mentioned in the previous report). These include the patched legitimate executable, the loader, and the encrypted downloader.\r\nSecond stage\r\n1. After connecting to the C\u0026C server, we downloaded the Waterbear RAT (A) in memory, which contains several command codes (see Table 1 for the list of RAT commands). In this case, the Waterbear RAT (A) was only used to download the Waterbear plugin via RAT command 1010 and activate the first export function, “Start”, in the plugin to inject the chosen process.\r\n2. The Waterbear plugin contains Waterbear downloader versions 0.27 and 0.28, both unencrypted, varying based on the process's bit version. If the process is 32-bit, version 0.27 of the Waterbear downloader will run. Otherwise, version 0.28 will execute to facilitate further downloads in the 64-bit process. Waterbear downloader versions 0.27 and 0.28 are the latest that we know of. Their behaviors are the same as the versions before 2020.\r\n3. In this case, the Waterbear plugin injects into a 64-bit process, which results in version 0.28 of the Waterbear downloader trying to connect to the new C\u0026C IP address (assigned by Waterbear RAT (A)) and download Waterbear RAT (B), which is almost the same as the previous one, just with a different RSA key inside.\r\n4. Waterbear RAT (B) is used to collect information from the infected machine, including the list of drives and files, and then further spread the Waterbear downloader to other machines. Interestingly, Earth Hundun replaces the C\u0026C string with an internal IP address after downloading the new stage of the RAT or downloader. This is to erase activity traces or connect to other C\u0026C servers in the victim's environment, showing that the threat actor can arbitrarily choose its connection targets.\r\nWaterbear RAT command\r\nSince discussing Waterbear’s functions in our previous blog entry, more have been implemented; the latest version is shown in the following table:\r\nCommand group | Command code (Hex) | Command code (Dec) | Capability\r\nFile management | 2 | 2 | Enumerate disk drives\r\n | 3 | 3 | List files\r\n | 4 | 4 | Upload file to C\u0026C server\r\n | 5 | 5 | Download file from C\u0026C server\r\n | 6 | 6 | Rename file\r\n | 7 | 7 | Create folder\r\n | 8 | 8 | Delete file\r\n | A | 10 | Execute file\r\n | B | 11 | Move file\r\n | C | 12 | Disguise file metadata\r\n | D | 13 | File operation\r\nOther | 326 | 806 | Get system language, system time, and Windows installation date\r\nWindow management | 327 | 807 | Enumerate windows\r\n | 329 | 809 | Hide window\r\n | 32A | 810 | Show window\r\n | 32B | 811 | Close window\r\n | 32C | 812 | Minimize window\r\n | 32D | 813 | Maximize window\r\n | 32F | 815 | Take a screenshot\r\n | 330 | 816 | Set screenshot event signaled\r\n | 331 | 817 | Remote desktop\r\nProcess management | 332 | 818 | Enumerate process\r\n | 333 | 819 | Terminate process\r\n | 335 | 821 | Suspend process with PID\r\n | 336 | 822 | Resume process with PID\r\n | 337 | 823 | Retrieve process module information\r\n | 338 | 824 | Retrieve process module information (for files or objects using the authenticode policy provider)\r\nNetwork management | 339 | 825 | Get extended TCP table\r\n | 33A | 826 | SetTcpEntry: set state of the TCP connection with MIB_TCP_STATE_DELETE_TCB\r\nService management | 33B | 827 | Enumerate services\r\n | 33C~340 | 828~832 | Manipulate service\r\nConfiguration management | 341 | 833 | Get C\u0026C in downloader configuration\r\n | 342 | 834 | Set C\u0026C in downloader configuration\r\nRemote shell management | 3EE | 1006 | Start remote shell\r\n | 3EF | 1007 | Exit remote shell\r\n | 3F0 | 1008 | Get remote shell PID\r\n | 3F2 | 1010 | Download plugin and execute the export function “Start”\r\nUnknown | 514 | 1300 | Unknown\r\nRegistry management | 7DB | 2011 | Enumerate registry\r\n | 7DC | 2012 | Enumerate registry value\r\n | 7DD | 2013 | Create registry key\r\n | 7DE | 2014 | Set registry value\r\n | 7DF | 2015 | Delete registry key\r\n | 7E0 | 2016 | Delete registry value\r\nBasic control | 1F41 | 8001 | Get current window\r\n | 1F44 | 8004 | Set the infection mark in registry HKCU\\Console\\Quick\\Edit\r\n | 1F45 | 8005 | Terminate connection and RAT process\r\nProxy | 2332 | 9010 | Update C\u0026C IP address\r\n | 2333 | 9011 | Proxy data to the connected server\r\n | 2334 | 9012 | Shutdown all connections\r\n | 2335 | 9013 | Shutdown the given connection\r\n | 2336 | 9014 | Listen port\r\n | 2337 | 9015 | Proxy data via the specified socket handle\r\n | 2338 | 9016 | Close the specified socket handle\r\n | 2339 | 9017 | Shutdown both sending and receiving of a specific socket handle\r\n | 233A | 9018 | Proxy the data from the socket back to the C\u0026C server\r\nTable 1. List of Waterbear RAT commands\r\nBefore receiving the backdoor command, the RAT sends the victim’s information to the C\u0026C server via command code 8002:\r\nData offset | Data size | Data content\r\n0x00 | 0x01 | IsUserAnAdmin\r\n0x01 | 0x9C | GetVersionExA\r\n0x9D | 0x10 | gethostbyname\r\n0xAD | 0x44 | gethostname\r\n0xF1 | 0x18 | GetUserNameA\r\n0x109 | 0x04 | GetLastInputInfo\r\n0x10D | 0x50 | GetWindowTextA\r\n0x15D | 0x12 | GetAdaptersInfo\r\n0x16F | 0x10 | Downloader version\r\n0x17F | 0x30 | Drive information of current process\r\n0x1AF | 0x04 | Infection mark in HKCU\\Control Panel\\Colors\r\n0x1B3 | 0x04 | GetCurrentProcessId\r\n0x1B7 | 0x01 | RAT version\r\nTable 2. The structure of victim information that Waterbear sends to the C\u0026C server\r\nThis section will explain Earth Hundun's use of Deuterbear and provide a comprehensive analysis of the Deuterbear RAT.\r\nFigure 3. Installation pathway of Deuterbear\r\nThe installation pathway of Deuterbear is depicted in Figure 3. Note that it is similar to Waterbear, which implements two stages to install the backdoor.\r\nIn the first stage, the loader employs a basic XOR calculation to decrypt the downloader, facilitating the retrieval of the first stage RAT from the C\u0026C server. Subsequently, the threat actor applies the first stage RAT to survey the victim’s system and identify an appropriate folder for persistence. This is where the second-stage Deuterbear components will be installed, including the loader with CryptUnprotectData decryption, the encrypted downloader, and associated registries (the decryption flow was discussed in the previous blog entry).\r\nIn most of the infected systems, only the second stage Deuterbear is available. Our monitoring indicates that all components of the first stage Deuterbear are totally removed after the “persistence installation” is completed. It seems that Earth Hundun prefers to keep the loaders using CryptUnprotectData decryption, even in cases where the successful installation of Deuterbear is achieved during the first stage. This strategy effectively protects their tracks and prevents the malware from easily being analyzed by threat researchers, particularly in simulated environments rather than real victim systems.\r\nDeuterbear RAT\r\nThe Deuterbear RAT directly inherits several components from the downloader, including:\r\nAll anti-analysis techniques (please refer to our previous report for more details).\r\nHTTPS tunnel.\r\nRoutine to receive and send traffic.\r\nRC4 key to decrypt and encrypt traffic.\r\nRoutine to decrypt and encrypt the desired function.\r\nKey to decrypt and encrypt the desired function.\r\nDue to having the same HTTPS channel and RC4 traffic key, the Deuterbear RAT doesn't require a handshake with the C\u0026C server to update communication protocols. This enables the threat actor to seamlessly control the client, regardless of whether the process is in the downloader or RAT status. Prior to executing backdoor commands, the Deuterbear RAT transmits victim information to the C\u0026C server via RAT command 975 with a structure (Table 3) highly reminiscent of the Waterbear RAT (Table 2).\r\nData offset | Data size | Data content\r\n0x00 | 0x04 | Signature in configuration of downloader (00 00 01 00)\r\n0x04 | 0x01 | IsUserAnAdmin\r\n0x05 | 0x20 | GetUserNameA\r\n0x25 | 0x80 | OS version\r\n0xA5 | 0x04 | gethostbyname\r\n0xA9 | 0x46 | gethostname\r\n0xEF | 0x50 | GetWindowTextA\r\n0x13F | 0x04 | GetLastInputInfo\r\n0x143 | 0x26 | GetAdaptersInfo\r\n0x169 | 0x04 | GetCurrentProcessId\r\n0x16D | 0x01 | RAT version\r\n0x16E | 0x04 | Infection mark in HKCU\\Control Panel\\Colors\r\n0x172 | 0x08 | Last write time of temp folder in system folder\r\nTable 3. The structure of victim information that Deuterbear sends to the C\u0026C server\r\nDeuterbear RAT command\r\nComparing Deuterbear with Waterbear reveals several functionalities directly replicated from the Waterbear RAT, such as process management, file management, and remote shell capabilities.\r\nAlthough Deuterbear streamlines its capabilities, retaining only 20 RAT commands (Table 4) compared to over 60 for Waterbear (Table 1), the Deuterbear RAT accepts more plugins to enhance flexibility and accommodate additional functionalities, including two shellcodes and a portable executable (PE) DLL via RAT command 979.\r\nAfter installing the plugins, the threat actor sends the next traffic to determine which plugin is launched. There are three kinds of protocols:\r\nExecute the first shellcode and the first export function of PE (DLL)\r\nExecute the second shellcode and the first export function of PE (DLL)\r\nOnly execute the first export function of PE (DLL)\r\nCommand group | Command code (Hex) | Command code (Dec) | Capability\r\nFile management | 0x27 | 39 | List files (date, size, name)\r\n | 0x28 | 40 | Upload file to C\u0026C server\r\n | 0x29 | 41 | Download file from C\u0026C server\r\n | 0x2A | 42 | Rename file\r\n | 0x2C | 44 | SHFileOperationA\r\n | 0x2E | 46 | Execute file\r\nProcess management | 0xE7 | 231 | Enumerate process\r\n | 0xE8 | 232 | Terminate targeted process\r\nConfiguration management | 0x1FF | 511 | Collect data in the downloader configuration: C\u0026C string, execution time\r\n | 0x200 | 512 | Update data in the downloader configuration: C\u0026C string, execution time\r\nRemote shell management | 0x2FC | 764 | Start remote shell\r\n | 0x2FD | 765 | Exit remote shell\r\n | 0x2FE | 766 | Get PID of remote shell\r\nBasic control | 0x3CE | 974 | Get current window\r\n | 0x3D1 | 977 | Set infection mark in HKCU\\Control Panel\\Colors\r\n | 0x3D2 | 978 | Terminate connection and RAT process\r\nPlugins management | 0x3D3 | 979 | Download plugins from C\u0026C server: PE (DLL); first shellcode (encrypted by key from config of downloader); second shellcode (encrypted by key from config of downloader)\r\n | 0x3D4 | 980 | Uninstall plugins\r\n | 0x3E8~0x578 | 1000~1400 | Execute plugins: first shellcode and first export function of PE (DLL)\r\n | \u003e 0x578 | \u003e 1400 | Execute plugins: second shellcode and first export function of PE (DLL)\r\n | Other | Other | Execute plugins: first export function of PE (DLL)\r\nTable 4. List of Deuterbear RAT commands\r\nExamples of similarities in backdoor commands between Waterbear and Deuterbear are shown in the images from Figure 4 to Figure 6.\r\nFigure 4. The function that starts remote shell in Waterbear RAT (left) and Deuterbear RAT (right)\r\nFigure 5. The function that enumerates disk drives in Waterbear RAT (left) and Deuterbear RAT (right)\r\nFigure 6. The function that lists files in Waterbear RAT (left) and Deuterbear RAT (right)\r\nComparison\r\nComparing the Waterbear and Deuterbear downloaders, Table 5 shows the differences in the RAT part:\r\nProperties | Waterbear RAT | Deuterbear RAT\r\nFormat | PE file | Shellcode\r\nAnti-memory scanning | No | Yes\r\nC\u0026C communication | HTTP | HTTPS\r\nSize of packet header | 10 | 5\r\nShare the same traffic key with downloader | No | Yes\r\nFormat of plugin | PE file | PE file and shellcode\r\nRegistry of infection mark | HKCU\\Console\\Quick\\Edit | HKCU\\Control Panel\\Colors\r\nCount of backdoor commands | 60+ | 20\r\nFunctionality of backdoor command | File management, process management, configuration management, remote shell management, window management, registry management, service management, network management, proxy | File management, process management, configuration management, remote shell management, plugins management\r\nTable 5. Differences between the Waterbear RAT and Deuterbear RAT\r\nConclusion and recommendations\r\nWaterbear has gone through continuous evolution, eventually giving rise to the emergence of a new malware, Deuterbear. Interestingly, both Waterbear and Deuterbear continue to evolve independently, rather than one simply replacing the other.\r\nBuilding on the downloader analysis presented in April 2024, we made a comprehensive examination of the RAT, which is a component seldom downloaded from the C\u0026C server due to temporary port openings. Through a systematic comparison of Deuterbear and Waterbear in the loader, downloader, RAT and behavioral aspects, we gained insights into the evolution of the techniques employed by Earth Hundun. While the Waterbear and Deuterbear families represent just one facet of the group’s arsenal, we believe that continuous refinement of tools will be implemented in other malware for anti-analysis and detection evasion, particularly in traffic and file handling.\r\nOrganizations can defend themselves from Earth Hundun attacks by performing a memory scan for the downloaders and the Waterbear and Deuterbear RATs. Furthermore, detecting the registry used to decrypt the Deuterbear downloader can help scan for its presence within the system.\r\nMITRE ATT\u0026CK\r\nTactic | Technique | ID | Description\r\nExecution | Shared Modules | T1129 | Dynamically loads the DLLs through the shellcode\r\n | Native API | T1106 | Dynamically loads the APIs through the shellcode\r\nPersistence | Hijack Execution Flow: DLL Side-Loading | T1574.002 | Uses modified legitimate executable to load the malicious DLL\r\n | Boot or Logon Autostart Execution: Print Processors | T1547.012 | Deuterbear abuses print processors to run malicious DLLs during system\r\nPrivilege Escalation | Process Injection | T1055 | Waterbear and Deuterbear inject the targeted process\r\nDefense Evasion | Deobfuscate/Decode Files or Information | T1140 | Uses RC4 or CryptUnprotectData to decrypt encrypted downloader\r\n | Execution Guardrails | T1480 | Targets specific path/registry in the victim’s environment\r\n | Virtualization/Sandbox Evasion: Time Based Evasion | T1497.003 | Deuterbear checks for a sandbox by API, Sleep, and whether operation is normal.\r\n | Debugger Evasion | T1622 | Deuterbear checks debugger mode by process time.\r\nDiscovery | File and Directory Discovery | T1083 | Waterbear and Deuterbear RAT search files and directories in specific locations.\r\n | System Network Configuration Discovery: Internet Connection Discovery | T1016.001 | Downloaders check for internet connectivity on compromised systems.\r\n | System Network Connections Discovery | T1049 | Waterbear and Deuterbear RAT list network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.\r\n | Process Discovery | T1057 | Waterbear and Deuterbear RAT search for specific processes.\r\n | System Information Discovery | T1082 | Waterbear and Deuterbear RAT get detailed information about the operating system and hardware, including version, username, and architecture.\r\n | Query Registry | T1012 | Queries data from registry to decrypt downloader\r\nLateral Movement | Remote Services: Windows Remote Management | T1021.006 | Waterbear and Deuterbear RAT control remote shell\r\nCollection | Data from Local System | T1005 | Collects basic information of victim\r\nExfiltration | Exfiltration Over Command-and-Control Channel | T1041 | Sends collected data to C\u0026C\r\nCommand and Control | Application Layer Protocol: Web Protocols | T1071.001 | Downloaders communicate with C\u0026C by HTTP/HTTPS\r\n | Encrypted Channel | T1573 | Employs RC4/RSA to conceal command and control traffic\r\n | Data Encoding: Non-Standard Encoding | T1132.002 | Encodes traffic with a non-standard RC4 to make the content of traffic more difficult to detect\r\nIndicators of Compromise\r\nThe indicators of compromise for this entry can be found on this link.\r\nSource: https://www.trendmicro.com/en_us/research/24/e/earth-hundun-2.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/e/earth-hundun-2.html"
	],
	"report_names": [
		"earth-hundun-2.html"
	],
	"threat_actors": [
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434432,
	"ts_updated_at": 1775826782,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5a68bd822c2d30873ab0d93e2f0f27a652758001.pdf",
		"text": "https://archive.orkl.eu/5a68bd822c2d30873ab0d93e2f0f27a652758001.txt",
		"img": "https://archive.orkl.eu/5a68bd822c2d30873ab0d93e2f0f27a652758001.jpg"
	}
}