{
	"id": "85cd7028-ea38-4983-8203-ced9233df961",
	"created_at": "2026-04-06T00:06:31.190092Z",
	"updated_at": "2026-04-10T03:36:06.71284Z",
	"deleted_at": null,
	"sha1_hash": "5fc8f0edc719046ed5a8e9f4c7654e808c07c705",
	"title": "ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10603999,
	"plain_text": "ChinaZ Revelations: Revealing ChinaZ Relationships with other\r\nChinese Threat Actor Groups\r\nBy Ignacio Sanmillan\r\nPublished: 2019-01-07 · Archived: 2026-04-05 22:43:34 UTC\r\nIntroduction\r\nDistributed denial-of-service (DDoS) attacks were on the rise in 2018, ranging from a high volume of Mirai\r\nattacks to more sophisticated botnets targeting enterprises. An example of these attacks is the one targeting GitHub\r\nin February 2018, forcing the website to go offline for approximately 10 minutes.\r\nIn researching the current DDoS ecosystem we find threat actors from different regions displaying different\r\nmotivations. Chinese threat actors in particular have predominantly deployed DDoS attacks in their cyber\r\ncampaigns, and China has emerged as having one of the highest rates of DDoS attacks.\r\nIn this blog we will discuss the current state of a well-known Chinese threat actor group known as ChinaZ,\r\nnotorious for targeting Windows and Linux systems with DDoS botnets since November 2014.\r\nWe will explain how we first came across ChinaZ, along with the various methods employed to discover more of\r\nthe group’s servers. Additionally, we will analyze the types of files hosted on the servers and conclude with a\r\ntechnical analysis highlighting potential connections that could relate various Chinese actors in the current DDoS\r\nlandscape, such as Nitol and MrBlack, as well as some minor relations to Iron Tiger APT. 
These relationships will be\r\ndiscussed in the technical analysis section.\r\nInitial ChinaZ Discovery via Honeypot Hit\r\nIn the last few months we have observed a higher volume of attacks from BillGates, a DDoS botnet attributed to\r\nChinaZ, a well-known Chinese threat actor notorious for deploying a series of botnets primarily targeting Linux\r\nsystems.\r\nhttps://www.intezer.com/blog/malware-analysis/chinaz-relations/\r\nPage 1 of 30\n\nhttps://twitter.com/ulexec/status/1065743509376954368\r\nChinaZ was fairly active in 2018 based on previous hits encountered in our honeypots. An example of\r\nan attack vector via SSH/Telnet brute force employed by ChinaZ can be seen in the following session log from one\r\nof our honeypots:\r\nThe downloader bash script is fairly simple in logic: it changes directory from /root to /tmp once it\r\ndetects that the dropped implant could not be executed after several attempts at changing its file permissions.\r\nOnce we accessed the location from which the script was trying to download its corresponding files, we found files\r\nbeing hosted on a Chinese HTTP File Server (HFS) panel. The following is a screenshot of this panel:\r\nWe discovered the server was online for less than 24 hours, and that all of the files were uploaded on that same\r\nday. We decided to observe this and other servers and conduct a tracking investigation with the intention of collecting\r\nall of the information we could about the botnet infrastructure.\r\nObserving ChinaZ\r\nChinaZ is known to use Chinese HTTP File Server (HFS) instances, and unlike other major DDoS botnets such as\r\nMirai, ChinaZ operates mostly on Windows servers. In this particular HFS server we see various hosted files. The\r\ntwo Linux-prefixed files are both regular BillGates builds. 
We can confirm this based on code reused from other\r\nsamples:\r\nhttps://analyze.intezer.com/#/analyses/5567e542-c2a1-4cb8-a7f7-f69b9d154ad1\r\nhttps://analyze.intezer.com/#/analyses/5442438f-fe2e-478a-bbbe-0ee6dde39df7\r\nSince BillGates is a well-known botnet and there are plenty of well-written technical analysis articles about the\r\nbotnet and its relations to ChinaZ, we have decided not to cover its technical analysis for the sake of simplicity.\r\nThese builds are default BillGates instances. Both of these instances share the same CNC domain, which is the\r\nfollowing:\r\nAmong the hosted files in the HFS server we can also find a PE executable labeled as BX.exe, which is a Gh0st\r\nRAT variant.\r\nFurthermore, this Gh0st RAT instance decodes the same CNC address:\r\nSince both the BillGates and the Gh0st RAT instances found in the initially discovered HFS panel shared the same\r\nCNC, we can associate both implants as components of a single botnet targeting both Linux and Windows\r\nsystems. This same scenario was presented by Avast researchers as the Chinese Chicken DDoS botnets by\r\nexposing a series of multi-platform Chinese DDoS tools.\r\nAfter one day, the threat actors behind this botnet updated the HFS panel by uploading two ChinaZ.DDoSClient\r\nsamples, compiled for x86 and x86_64 systems respectively.\r\nThe following is a code reuse analysis of these new samples:\r\nhttps://analyze.intezer.com/#/analyses/6a088a5e-4630-427b-b8de-806e633a1ccc\r\nDDoSClient malware is a DDoS client known to be leveraged by ChinaZ. 
As an interesting fact about the\r\nprogression of this threat actor group, at some point the source code of this client was hosted on GitHub,\r\nalthough DDoSClient was originally ChinaZ code. MalwareMustDie exposed this source code and the actor’s\r\nidentity. The actor behind this client was a student hired by ChinaZ.\r\nFurthermore, we can find a compressed archive labeled ‘Black Wolf Linux Blasting V4.0’ in Chinese among\r\nthe different binaries hosted in the HFS server. Inside this RAR file we encounter the following files:\r\nMost interestingly, the contents of this compressed file appear to be a Chinese DDoS tool:\r\nThe tool enables users to edit which files will be used on deployment, and other related configurations such as the\r\ntimeout. We observed this specific DDoS tool advertised in a range of Chinese forums:\r\nIf we analyze one of the scripts inside the archive and compare it with our initial honeypot hit log, we can assume\r\nthat the attack was deployed using this tool:\r\nWe are not sure whether this Chinese DDoS tool was distributed by ChinaZ, or if the group purchased this tool in\r\norder to use it in its campaigns.\r\nThe server was online for one more day before it went offline. 
This behavior suggests that the actors behind this\r\nbotnet may have migrated to a different CNC server, were performing some internal management, or that this\r\nis merely part of the way they operate, since we have seen the same behavior while tracking their other servers.\r\nHunting for Additional ChinaZ Servers\r\nWe decided to look up the specific CNC domain name seen in the BillGates and Gh0st RAT instances found in the\r\ninitial HFS server, to see if this domain had multiple resolutions, in order to find more potential servers linked to\r\nthis botnet. When we searched the domain on RiskIQ we found the following:\r\nAll of the IPs shown in the previous screenshot denote a server that would resolve to “ak-74.top”, the CNC\r\naddress seen in the first HFS server. Based on these resolutions we were able to find other panels like the\r\nfollowing:\r\nWe instantly recognize the same pattern in terms of the naming convention as well as the types of files that were\r\nhosted in this HFS server. In contrast with the previous HFS server, this server is only hosting Windows binaries\r\nand a compressed archive.\r\nThe 7z compressed file contained the following files:\r\nThese files appear to compose a port scanner tool written in Python that could also be used to deploy DDoS\r\nattacks.\r\nIn the screenshot above we can observe an executable responsible for the main TCP/SYN flood, and the script\r\nused to deploy DDoS attacks.\r\nWe also used Shodan to hunt for more operative ChinaZ HFS servers. 
We did this by filtering Shodan’s query for\r\nthe appropriate service and country.\r\nLeveraging Shodan we were able to find many other ChinaZ-linked servers, from which we collected additional\r\nrelevant samples. After we discovered several ChinaZ servers and collected their corresponding hosted files,\r\nwe found interesting correlations and relationships, which we will discuss in the next section.\r\nTechnical Analysis\r\nThroughout the investigation we found several interesting facts among the artifacts we collected and analyzed.\r\nThe following is a brief summary of our findings:\r\nGh0st RAT Clients:\r\nThe Gh0st RAT clients we discovered among several HFS servers all appear to be modified instances of Gh0st\r\nRAT that share notable characteristics. These Gh0st RAT variants are found hosted in different HFS servers with\r\nthe names BX.exe or shadow.exe.\r\nWe can observe similarities in different functions from the open-source version hosted on GitHub. The following is\r\na brief comparison of both files’ WinMain function:\r\nRegarding this Gh0st RAT variant, if we take a closer look we observe that it has similarities with the Gh0st RAT\r\ninstance deployed in Operation PZCHAO by Iron Tiger APT, an APT group also of alleged Chinese origin. The\r\nRC4 key used to decrypt the CNC is the same as the one used in the PZCHAO campaign, “Mother360”.\r\nBased on a Bitdefender blog post about Operation PZCHAO, this same cryptographic key was not only used to\r\ndecode the malware’s CNC addresses but was also the key used to decrypt traffic between the client and the CNC.\r\nWe also see code similarities between both Gh0st RAT variants apart from the RC4 function used. 
The following code\r\nsimilarity comparisons are portions of the main function:\r\nAlthough these two Gh0st RATs may share common code, it is important to understand how to interpret these\r\nsimilarities. ChinaZ has been known to employ DDoS botnets in its campaigns, as previously mentioned. Usually\r\nAPT groups do not rely on DDoS attacks. These similarities may not necessarily correlate ChinaZ and Iron Tiger\r\nAPT; instead they may be evidence of the existence of a common Gh0st RAT variant shared within the Chinese\r\ncommunity, possibly with ‘Mother360’ as one of its default hard-coded keys. This interpretation is based on\r\nthe fact that APT groups are rarely involved in DDoS operations, so correlating these two operating models\r\ndoes not seem practical and is unlikely.\r\nInfected Compressed Files with Nitol Artifacts:\r\nAmong the HFS panels found, we observed that some of the panels were hosting DDoS tools in compressed archives.\r\nInside these compressed files we can see that they contain varying components. However, among all of the files\r\nfound in these compressed files, the most notable file was a DLL labeled lpk.dll that appeared in every hosted\r\ncompressed archive that we found. This DLL has been known to be hijacked in the past by Nitol, a Chinese DDoS\r\nbotnet targeting Windows systems that propagated through infected trusted software by exploiting the Windows module\r\nloading process. 
This was achieved by placing a malicious lpk.dll within the file system, meant to take precedence\r\nover the genuine lpk.dll at load time, since this DLL is known to be loaded into every process as a\r\ncomponent of the Microsoft Language Pack.\r\nWe can confirm this lpk.dll instance is the Nitol DLL from code reuse:\r\nhttps://analyze.intezer.com/#/analyses/da7374a4-1574-4986-aeda-c0ce567e4a4d\r\nThis finding may lead to different interpretations. One may directly link Nitol to ChinaZ and argue that they are\r\nhosting infected compressed archives as a way to spread and compromise systems. However, it is known that the\r\nNitol botnet was seized by Microsoft in 2012, although there are reports that document Nitol activity from 2016\r\nonwards.\r\nTherefore, we can interpret this finding from a different standpoint, and raise the possibility that the actors behind this\r\nbotnet are operating on infected physical Windows systems, and consequently deploying malware that is itself infected\r\nwith older malware belonging to previous campaigns, thereby indirectly linking Nitol and ChinaZ.\r\nA fact supporting this theory is that, after analysis, this specific DLL failed to connect to its\r\ncorresponding CNC, yet at some point in the infection chain a Parite file infector was also dropped from both the\r\nNitol DLL implants and the hosted Windows Gh0st RATs.\r\nhttps://analyze.intezer.com/#/analyses/47f52891-e2a3-4a9c-96b6-8184ce1c2e87\r\nIt is known that in 2010 there was a large infection wave on Chinese servers, some of which are still operative and deploying\r\ninfected malware. 
This may be why we can find Parite drops among files hosted on these servers:\r\nhttps://twitter.com/benkow_/status/961713159630393346\r\nIt should be noted how little effort the actors show in maintaining a clean development environment for\r\ntheir newer malware campaigns, if the theory explained above is indeed true.\r\nFurther Connections between ChinaZ and Nitol:\r\nMrBlack is an IoT botnet also known to have Windows variants. As documented by MalwareMustDie, MrBlack is\r\nthe simplified version of AES.DDoS, an ELF DDoS tool of Chinese origin that was in circulation before\r\nChinaZ was ever established. Therefore, there are no direct correlations between MrBlack and ChinaZ.\r\nHowever, we spotted MrBlack samples being hosted along with known ChinaZ malware. In addition, if we\r\nanalyze the string reuse results of MrBlack samples, we can often see a high volume of strings reused from\r\nChinaZ malware.\r\nBelow is a code reuse analysis of the different files found in the following HFS server:\r\nThe following is the code reuse analysis of one of the hosted Linux files, both of them being ChinaZ.DDoSClient:\r\nhttps://analyze.intezer.com/#/analyses/ab5e016c-288b-433e-aae4-a0120e55509b\r\nThe following is a code reuse analysis of the hosted Windows binary, demonstrating that the file is a\r\nWin32/MrBlack instance:\r\nhttps://analyze.intezer.com/#/analyses/9ebd8c3d-2995-4bee-b5a7-6a8ae97854eb\r\nWe can see that this instance of MrBlack shares 10 genes with ServStart, a trojan associated with the Nitol family.\r\nAfter analysis of these 10 genes we observed that this instance of MrBlack shares the exact same SYN flood function as\r\nthe ServStart instance.\r\nWe can observe that there are slight variations 
present throughout the code.\r\nMost of the function is identical, specifically the main flood loop:\r\nTo reinforce this connection between MrBlack and ServStart, we discovered the following panel:\r\nIn this panel we found two instances of Linux/MrBlack along with seven instances of a variant of ServStart. We\r\nhave identified the MrBlack instances based on code reuse:\r\nhttps://analyze.intezer.com/#/analyses/59ee92b0-3641-4ae0-a04e-7a4e0d21f5ce\r\nRegarding the ServStart variants, we can see that they share a substantial amount of code with previous\r\nServStart variants:\r\nhttps://analyze.intezer.com/#/analyses/5fa8efdc-49e7-41e9-bc69-173c23246fb1\r\nIt is important to note that these newer ServStart variants have a recent compilation timestamp, and they were only\r\nsubmitted to VirusTotal one week before the time of writing:\r\nWe found several nearly identical functions reused from previous variants of ServStart. The following is an\r\nexample of one of these common functions.\r\nWithin the common code we found exact code fragments like the one below:\r\nOn the other hand, although we found common code, there are noticeable differences between the new and old\r\nServStart versions. 
An example of this is shown in the screenshot below:\r\nThe relationships described above validate the previous linkage between Nitol and ChinaZ, which could suggest\r\nthat these two threat actor groups may be related or may have collaborated. So far we have gathered the\r\nfollowing links between them:\r\nThese two groups share the same goals in their campaigns, with an emphasis on the deployment of DDoS\r\nbotnets.\r\nBoth groups have alleged Chinese origins.\r\nA range of ChinaZ’s Windows clients have been infected by old Nitol artifacts.\r\nThese two families share relevant code with one another, such as DDoS flood implementations.\r\nNew ServStart variants have been spotted being hosted alongside MrBlack Linux instances.\r\nConclusion\r\nWe have covered how we have tracked ChinaZ and collected some up-to-date information about this threat actor\r\ngroup. We have found potential connections that could relate various Chinese actors in the current DDoS\r\nlandscape.\r\nChinaZ is hosting instances of Linux and Windows builds of MrBlack, and the Windows versions have shown code\r\nreuse connections with old ServStart variants. Furthermore, we have spotted newer versions of ServStart being\r\nhosted along with MrBlack Linux instances. Therefore, there may be a relationship between the MrBlack and\r\nServStart actors, indicating a potential relationship between the ChinaZ and Nitol families.\r\nIn addition, ChinaZ Windows components have been seen infected with Nitol components, suggesting that these\r\nactors may have been operating on servers already infected with Nitol. This reinforces the hypothesis that there may\r\nbe deeper relationships between these two threat groups. 
ChinaZ has always been a relatively active threat actor\r\ngroup that is slowly evolving in sophistication, even though it has not made many changes to its overall\r\ninfrastructure since its early stages. To reflect the most relevant relationships discussed in this blog we have decided\r\nto present them in the following diagram:\r\nIOCs (SHA-256 hashes)\r\nChinaZ Gh0st RAT variant with ‘Mother360’ key:\r\na9c54bdba780bcdc34f15b62f0ac1da8bcf4d65b4587d0d95bd2a9b5be5dfee6\r\n908d817f81f9276f5afad1a33a7e2de7566fd5c967ad95782a4d904ca0e5efdd\r\n9e24ba7304ae7c4f153fa8e97d2e6779d0e4377cee270b83d20d91afef7fe6f4\r\nIron Tiger APT Gh0st RAT:\r\nd4262bbfe779d18b83b950bb993d3d46154bf1da5a4868ff6fa3e54c167eed71\r\nBillGates:\r\n92c191c41bcc701de5d633a0edb8cab6085ea13ede079651a2cc4a4ae54b29bb\r\n6fd7aab3faabd5f071d1bc9bb039146c01acf67d941c24e99813b1375114e908\r\nChinaZ DDoS tools infected with Nitol:\r\nb883b32264bcafd0c5ede5ff7399388feb51dbdf183f7ad52024c08cd221d574\r\n23c69edc4695f6c2184484682757f024f0e20573dba599030fde1cdaeae9915c\r\nChinaZ.DDoSClient:\r\n80952e211eb98773909f0f3e7ce783ce2f410327058a4760efad2ff0dbebcb88\r\nd97ffba4169df8b206f6fc588ba594e84539b321fae9247723d6b42940116fa5\r\na8d0928098cc43e7b9e8ba3b03507d342489dea832816dfc083c356b346f8a3d\r\n7495be154047e2c3c3b9735d61c6f1256eea776eb536e42f2ea76d5c11fc7f84\r\nWin32/MrBlack:\r\nd793e629df1b73b054f763106fcfedaaafadd8a0919192fc7d1925752a1d64fe\r\nLinux/MrBlack:\r\nf025b6d531e7dcba68a309636f622fbe8ee212d457c9cc00e7bf339dca65fec2\r\nfb69075f4383f3537af46d2098b3bcdcb7c1bdd6896c580cd9ead6f56fb5219c\r\nServStart:\r\n4f4f24f0333ed6e8883971129f216fab608b6e4d0c97c58a2b3b6a1106c77bf7\r\n7db53e95a1339d4d023d61087907a5b07bf6720a2dd88b12882a2c5c201a92ea\r\n7e6a2448e06a1d97ff317a5dc4ed969cef077a3568fd214cbe61854b7ff1a6d1\r\nNew 
ServStart:\r\n774af1499fa1558d0b31272b84b4fbbfcc6fea578898325610524aa3853b669d\r\ne3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\r\n(Note: the preceding value is the SHA-256 digest of empty input, so it does not identify a sample and is not usable as a detection indicator.)\r\nd104daec5e990de0233efdde8747a1d829c90b7b9a2169a7bcf5744fa1d95e6e\r\nSource: https://www.intezer.com/blog/malware-analysis/chinaz-relations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.intezer.com/blog/malware-analysis/chinaz-relations/"
	],
	"report_names": [
		"chinaz-relations"
	],
	"threat_actors": [
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433991,
	"ts_updated_at": 1775792166,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5fc8f0edc719046ed5a8e9f4c7654e808c07c705.pdf",
		"text": "https://archive.orkl.eu/5fc8f0edc719046ed5a8e9f4c7654e808c07c705.txt",
		"img": "https://archive.orkl.eu/5fc8f0edc719046ed5a8e9f4c7654e808c07c705.jpg"
	}
}