{
	"id": "7063c89d-7889-45b0-92c9-aa007612a6b8",
	"created_at": "2026-04-06T00:18:27.098146Z",
	"updated_at": "2026-04-10T13:13:00.132808Z",
	"deleted_at": null,
	"sha1_hash": "61622eb1a446462e09d1d72284314820c3198578",
	"title": "Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4378594,
	"plain_text": "Spot the Difference: Earth Kasha's New LODEINFO Campaign\r\nAnd The Correlation Analysis With The APT10 Umbrella\r\nBy: Trend Micro Nov 19, 2024 Read time: 19 min (5210 words)\r\nPublished: 2024-11-19 · Archived: 2026-04-02 11:22:18 UTC\r\nThis blog is based on a presentation by the authors at Virus Bulletin 2024.\r\nIntroduction\r\nLODEINFO is a malware family used in attacks targeting mainly Japan since 2019. Trend Micro has been tracking the group behind it as Earth Kasha. While some vendors suspect that the actor using LODEINFO might be APT10, we don’t have enough evidence to fully support this speculation. Currently, we view APT10 and Earth Kasha as different entities, although they might be related. To avoid confusion caused by names, we use a new term, \"APT10 Umbrella,\" which represents a group of intrusion sets related to APT10 (including APT10 itself).\r\nEarth Kasha has been known to target public institutions and academics with spear-phishing emails since its emergence. From early 2023 to early 2024, however, we identified a new campaign with significant updates to their strategy, tactics, and arsenal.\r\nLODEINFO Since 2023\r\nIn the new campaign starting in early 2023, Earth Kasha expanded its targets to Japan, Taiwan, and India. Judging from the distribution of incidents, we believe that Japan is still the main target of Earth Kasha, but we also observed a few high-profile organizations in Taiwan and India being targeted. The industries under attack are organizations related to advanced technology and government agencies.\r\nEarth Kasha has also employed different Tactics, Techniques, and Procedures (TTPs) in the Initial Access phase, which now exploits public-facing applications such as SSL-VPN and file storage services. 
We observed that vulnerabilities in enterprise products, such as Array AG (CVE-2023-28461), Proself (CVE-2023-45727) and FortiOS/FortiProxy (CVE-2023-27997), were abused in the wild, and Earth Kasha rotated the exploited vulnerabilities over time. After gaining access, they deployed several backdoors in the victim's network to achieve persistence. These include Cobalt Strike, LODEINFO, and the newly discovered NOOPDOOR, which we describe later.\r\nObserved TTPs in Post-Exploitation\r\nOur comprehensive analysis of the activities in the Post-Exploitation phase has revealed that the primary motivation behind the attack was the theft of the victim’s information and data. To achieve this goal, Earth Kasha first enumerated the Active Directory configuration and domain user information using legitimate Microsoft tools such as csvde.exe, nltest.exe and quser.exe. The following are actual commands used by the adversary.\r\nhttps://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html\r\nPage 1 of 28\n\ncsvde.exe -f all.csv -u\r\nnltest.exe /domain_trusts\r\nquser.exe\r\nThey then accessed the file server and tried to find documents describing the systems of the victim's network, simply by running \"dir\" commands recursively. Interestingly, the activity suggests that the operator inspected the content of the documents manually. The stolen information may help the adversary find the next valuable target.\r\nEarth Kasha then performs several techniques to acquire credentials. One method uses their custom malware, MirrorStealer, to dump credentials stored in applications. 
MirrorStealer (originally reported by ESET) is a credential dumper targeting multiple applications such as browsers (Chrome, Firefox, Edge and Internet Explorer), email clients (Outlook, Thunderbird, Becky, and Live Mail), Group Policy Preferences and SQL Server Management Studio.\r\nSince MirrorStealer appears to be designed to dump credentials on client machines, Earth Kasha used another way to dump OS credentials. We observed that the adversary abused vssadmin to copy registry hives and ntds.dit from a volume shadow copy on the Active Directory server. The SAM registry hive contains the NTLM hashes of local machine users, while ntds.dit contains the NTLM hashes of all domain users; the SYSTEM hive holds the boot key needed to decrypt both, which is why it is taken as well. The following are the commands the adversary used after creating a volume shadow copy.\r\ncopy \\\\\u003cAD_SERVER_IP\u003e\\c$\\windows\\temp\\ntds.dit .\r\ncopy \\\\\u003cAD_SERVER_IP\u003e\\c$\\windows\\temp\\system .\r\ncopy \\\\\u003cAD_SERVER_IP\u003e\\c$\\windows\\temp\\sam .\r\nWhile we couldn’t determine the exact method they used, we observed that Earth Kasha successfully compromised a domain admin account in most cases. After compromising domain admin, they deployed backdoors (LODEINFO or NOOPDOOR) to several machines by copying components over SMB and abusing schtasks.exe or sc.exe to achieve lateral movement. The following are the adversary's actual commands to deploy malicious components over admin shares.\r\ncopy SfsDllSample.exe \\\\\u003cIP\u003e\\c$\\windows\\temp\\SfsDllSample.exe\r\ncopy SfsDll32.dll \\\\\u003cIP\u003e\\c$\\windows\\temp\\SfsDll32.dll\r\ncopy mssitlb.xml \\\\\u003cIP\u003e\\C$\\Windows\\system32\\UIAnimation.xml\r\ncopy ShiftJIS.dat \\\\\u003cIP\u003e\\C$\\Windows\\system32\\ComputerToastIcon.contrast-white.dat\r\nOnce the intrusion progressed, Earth Kasha started to exfiltrate the stolen information. 
The adversary gathered data, including ntds.dit, the SYSTEM and SAM registry hives and other interesting files, on a single victim machine and compressed these files into a single archive using the makecab command. While we couldn’t confirm how these data were exfiltrated, it might have been over the backdoor channel. Earth Kasha also exfiltrated interesting files from the victim network over RDP sessions, copying them to the RDP source host over SMB (\"tsclient\" is the RDP source host).\r\n\\\\tsclient\\C\\aaa\\All PC List.xlsx\r\n\\\\tsclient\\C\\aaa\\All IP List.xlsx\r\n\\\\tsclient\\C\\aaa\\Network Diagram.xlsx\r\nMalware Analysis\r\nIn Earth Kasha's previous campaign, LODEINFO was their primary backdoor of choice. In the new campaign, however, we have observed several backdoors, such as Cobalt Strike, LODEINFO and the previously undocumented NOOPDOOR. These backdoors were used selectively in each incident.\r\nFigure 2. Observed malware in each incident\r\nPossible Cracked Version of Cobalt Strike\r\nIn the early incidents above, Earth Kasha also used Cobalt Strike. As with other adversaries, the Cobalt Strike beacon was designed to execute only in memory. In this case, Earth Kasha used a shellcode loader written in Go, which we dubbed GOSICLOADER. GOSICLOADER is intended to be loaded via DLL side-loading and simply decrypts the payload embedded in its data section using Base64 + AES.\r\nFigure 3. Execution flow of GOSICLOADER\r\nUpon checking the configuration of the Cobalt Strike beacon, we noticed it could be a cracked version of Cobalt Strike, known as CSAgent, shared among the Chinese-speaking hacking community. 
According to the developer of Cobalt Strike, the Cobalt Strike beacon embeds a watermark and a watermark hash to make tampering with the license check harder. CSAgent modifies the watermark to include \"666666\" by default and uses a watermark hash that matches the one embedded in the Cobalt Strike beacon observed in this campaign. Since the watermark and its hash can be easily tampered with if the adversary knows the algorithm, this modification could be a false flag, but it is still noteworthy.\r\nFigure 4. Watermark and watermark hash in configuration\r\nFigure 5. Watermark and its hash in CSAgent\r\nLODEINFO\r\nLODEINFO is a backdoor used exclusively by Earth Kasha since 2019, serving as their primary backdoor. In this new campaign, however, it is just one option among several, showing the group's adaptability. Since its introduction, LODEINFO has gone through continuous updates, as indicated by its version numbers. In this campaign, we have observed versions v0.6.9, v0.7.1, v0.7.2, and v0.7.3.\r\nFigure 6. Version number history of LODEINFO\r\nAlong with the incrementing version number, Earth Kasha has also been updating the procedure used to execute LODEINFO. In this new campaign, they deployed three components on the victim machine. They registered the legitimate application (SfsDllSample.exe in Figure 7) as a scheduled task, which triggers DLL Side-Loading of the malicious DLL (SfsDll32.dll in Figure 7).\r\nFigure 7. Execution sequence of LODEINFO\r\nThis malicious DLL, which we dubbed LODEINFOLDR (aka FaceLoader by ESET), extracts an encrypted payload embedded in the digital signature of the loaded process and decrypts it with RC4 or XOR. 
The encrypted payload is embedded in the legitimate digital signature by abusing MS13-098/CVE-2013-3900, the Authenticode padding verification weakness that lets extra data be appended to a signed file's certificate table without invalidating the signature.\r\nFigure 8. Embedded encrypted payload and RC4 in digital signature\r\nWe distinguish this LODEINFOLDR in the new campaign from the ones we had seen in the previous campaign, and we call this new loader LODEINFOLDR Type 2. At first glance, we thought LODEINFOLDR Type 2 was a new loader developed for the new campaign. After further investigation, however, we identified that LODEINFOLDR Type 2 looks the same as the LODEINFO loader used in the LiberalFace campaign in 2022, disclosed by ESET. This suggests that the same entity has been using the same malware since the previous campaign.\r\nRegarding LODEINFO itself, several backdoor commands were newly supported. “pkill”, “ps”, “keylog”, and “autorun” were added in v0.6.9, and “runas” was newly added in v0.7.1. The four v0.6.9 commands are not strictly new: they existed in earlier versions, were removed in v0.6.3 and were added again in v0.6.9. On the other hand, “runas”, supported since v0.7.1, is genuinely new and enables running processes as a specific user. 
Since v0.7.2, the \"config\" command, which previously only displayed “Not Available.”, has been fully implemented.\r\nTable 1. Backdoor commands supported by LODEINFO (commands newly added in that version are marked with an asterisk)\r\nv0.6.9: ls, rm, mv, cp, cat, mkdir, send, recv, memory, kill, cd, ver, print, ransom (not implemented), comc, config, pkill*, ps*, keylog*, autorun*\r\nv0.7.1: ls, rm, mv, cp, cat, mkdir, send, recv, memory, kill, cd, ver, print, ransom (not implemented), comc, config, pkill, ps, keylog, autorun, runas*\r\nv0.7.2 and v0.7.3: ls, rm, mv, cp, cat, mkdir, send, recv, memory, kill, cd, ver, print, ransom (not implemented), comc, config, pkill, ps, keylog, autorun, runas\r\nAll the LODEINFO samples we observed in the new campaign differed slightly in backdoor command processing from the LODEINFO of the previous campaign. This LODEINFO type supports running a DLL or shellcode in memory without going through backdoor command processing. After further investigation, we concluded that the LODEINFO type we observed in the new campaign is the same as the one ESET calls “The 2nd stage LODEINFO”, observed in the LiberalFace campaign. As Figure 9 and Figure 10 show, the LODEINFO in the new campaign directly supports running a DLL or shellcode in memory without processing backdoor commands. This evidence also suggests that the same group has been using the same malware since the previous campaign.\r\nFigure 9. C\u0026C server response processing of the LODEINFO in the previous campaign\r\nFigure 10. 
C\u0026C server response processing of the 2nd stage LODEINFO\r\nNOOPLDR\r\nDuring our investigation, we encountered two different shellcode loaders: one is an XML file containing C#, and the other is a DLL. These two types of shellcode loaders are completely different from an implementation perspective. However, the payload of both is a previously undocumented backdoor that we call NOOPDOOR, which we describe later. Both loaders adopt a similar strategy of decrypting the payload and storing it re-encrypted under a key derived from the machine's Device ID. Based on these similarities, we categorized both as the same family, which we dubbed NOOPLDR, and we distinguish the XML/C# one as “NOOPLDR Type 1” and the DLL one as “NOOPLDR Type 2”.\r\nNOOPLDR Type 1 is designed to be executed by the trusted Windows utility MSBuild, as shown in Figure 11.\r\nFigure 11. Execution flow of NOOPLDR Type 1 (XML)\r\nIn most cases, MSBuild and the target XML file are registered as a Scheduled Task for persistence. MSBuild compiles the inline C# in the XML project at runtime, which is the key component of NOOPLDR Type 1. The inline C# code is typically concealed as follows.\r\nFigure 12. Example of NOOPLDR\r\nNOOPLDR Type 1 changes its behavior depending on whether it is the first execution or not. On the first execution, NOOPLDR Type 1 tries to read encrypted data from a hardcoded file path, which differs for each NOOPLDR sample. If the file exists, NOOPLDR Type 1 deletes it after reading the content. The encrypted data consists of a checksum header, AES key material and an encrypted body. NOOPLDR Type 1 reads the first 32 bytes, computes the SHA256 hash of the following encrypted body, and compares the hash with the header to verify that the data has the expected structure. 
After completing verification, NOOPLDR Type 1 calculates the SHA384 hash of the AES key material that follows the checksum header. The first 32 bytes of the hash are used as the AES key and the next 16 bytes as the IV. Finally, NOOPLDR Type 1 decrypts the encrypted payload with AES256-CBC.\r\nFigure 13. Structure of the encrypted data of NOOPLDR Type 1\r\nThe decrypted data has a header containing a 64-bit flag, the payload size and an offset to the payload, followed by the payload data, in the following structure.\r\nFigure 14. Structure of the decrypted data of NOOPLDR Type 1\r\nOnce the decryption succeeds, NOOPLDR Type 1 tries to store the payload in the registry for stealthy persistence. The encryption algorithm is still AES256-CBC, but the AES key and IV are generated from the machine’s Device ID and hostname. The Device ID is retrieved from the registry value “HKLM\\Software\\Microsoft\\SQMClient\\MachineId”, which contains the machine's unique GUID. NOOPLDR Type 1 calculates the SHA384 hash of the concatenated Device ID and hostname and follows the same procedure as in the decryption routine, splitting the hash value into a 32-byte chunk and a 16-byte chunk for the AES key and IV respectively.\r\nNOOPLDR Type 1 then prepends the SHA256 hash of the encrypted payload and stores the result in the registry under “(HKLM|HKCU)\\Software\\License\\{HEX}”, where “HEX” is the hex string of the last 16 bytes of the SHA256 hash of the hostname. Since this encryption procedure uses values unique to each infected machine, forensic analysts need to preserve the registry hive together with the Device ID and hostname of that machine in order to decrypt the payload offline. If NOOPLDR Type 1 successfully stores the payload in the registry, it deletes the encrypted file on disk. 
On the second and subsequent executions, NOOPLDR Type 1 therefore reads the registry value and decrypts the payload by the same procedure used in the encryption routine.\r\nFigure 15. Procedure to store an encrypted payload in the registry by NOOPLDR Type 1\r\nIn the final step, NOOPLDR Type 1 injects the decrypted payload into a legitimate application, such as rdrleakdiag.exe or tabcal.exe, and runs it. If NOOPLDR Type 1 fails to store the payload in the registry, it writes the encrypted payload back to disk and timestomps it to match the built-in kernel32.dll.\r\nAnother type of NOOPLDR, in the form of a DLL, which we call NOOPLDR Type 2, adopts a similar strategy to Type 1 but implements stealthier techniques. As Figure 16 illustrates, during the first execution NOOPLDR Type 2 also decrypts the encrypted payload from a file, stores the re-encrypted payload in the registry, and injects the decrypted payload into a legitimate application.\r\nFigure 16. Execution flow of NOOPLDR Type 2 (DLL)\r\nOne of the notable features of NOOPLDR Type 2 is the use of multiple anti-analysis techniques. For instance, it is heavily obfuscated by control flow obfuscation and junk code, as shown in Figure 17. Earth Kasha had already applied this type of obfuscation in the previous campaign, but even before that it was popular among China-nexus adversaries such as APT10 and Twisted Panda.\r\nFigure 17. 
Control Flow Obfuscation (Left) and Junk Code (Right)\r\nAs an additional anti-analysis measure, most strings are simply XOR-encoded and decoded at runtime.\r\nFigure 18. String decoding routine by XOR\r\nNOOPLDR Type 2 is designed to be executed via DLL Side-Loading and supports self-installation as a Windows Service when run with the \"-install\" parameter. During the first execution, it loads an encrypted payload named “\u003cLOADER_PROCESS_NAME\u003e_config” from the current working directory, which is deleted after installation. For instance, if the loader process name is “symstore.exe”, the encrypted file would be \"symstore.exe_config\". The encrypted blob structure is like that of Type 1 but slightly different: it has no checksum section, just 32 bytes of AES key material followed by the encrypted payload, as Figure 19 shows. The payload is encrypted with AES256-CBC; the AES key is generated from the SHA1 hash of the first 32 bytes, and the IV is the first 16 bytes.\r\nFigure 19. Structure of the encrypted data of NOOPLDR Type 2\r\nLike NOOPLDR Type 1, the decrypted data has a 0x14-byte header containing several values used to verify that it has the expected structure, as Figure 20 shows.\r\nFigure 20. Structure of the decrypted data of NOOPLDR Type 2\r\nAfter verification, NOOPLDR Type 2 encrypts the decrypted data again with AES256-CBC but with a different key, derived from the Device ID string, hardcoded key material in the code section and a randomly generated 8-byte hex string, and stores it under “HKCU\\SOFTWARE\\Microsoft\\COM3\\\u003cRANDOM_HEX_STRING\u003e”, as Figure 21 shows.\r\nFigure 21. 
Procedure to store an encrypted payload in the registry by NOOPLDR Type 2\r\nOn the second and subsequent executions, NOOPLDR Type 2 is run without the \"-install\" parameter, so it skips self-installation and proceeds to the payload decryption routine from the registry. It searches the registry (HKCU\\SOFTWARE\\Microsoft\\COM3) and, if data is found, decrypts it by the same method shown in Figure 21, using the hex string in the registry key name as part of the AES key material.\r\nFinally, NOOPLDR Type 2 injects the decrypted payload into a leg	itimate application, such as wuauclt.exe. This process injection technique is classic, but it uses direct syscalls for NtProtectVirtualMemory, NtWriteVirtualMemory and NtCreateThreadEx. Because syscall numbers differ between OS versions, they are resolved at runtime.\r\nFigure 22. Example of usage of NtWriteVirtualMemory\r\nNOOPDOOR\r\nNow, let’s step into the final payload, NOOPDOOR. NOOPDOOR (aka HiddenFace by ESET) is a sophisticated and complex backdoor with the following characteristics:\r\nFully position-independent code\r\nSupport for active and passive mode communication\r\nC\u0026C domain changed daily by a DGA (by default)\r\nProxy-aware TCP communication during working hours\r\nRSA + multiple symmetric ciphers to encrypt the entire C\u0026C communication\r\nBuilt-in functions plus additional modules for backdoor capabilities\r\nEvasion of in-memory detection by encrypting/decrypting specific functions at runtime\r\nAnti-analysis\r\nGiven its complexity, NOOPDOOR appears to be designed as an alternative backdoor reserved for high-profile targets. Based on our records, NOOPDOOR was first observed as a second-stage payload of LODEINFO in 2021, but only in limited cases, and we did not encounter it again until 2023. 
One of the interesting features of NOOPDOOR is that it supports two channels to communicate with the C\u0026C server, which we call the active and passive modes.\r\nFigure 23. Overview architecture of NOOPDOOR\r\nFigure 23 shows that NOOPDOOR in active mode communicates over TCP/443 by polling the C\u0026C server, while NOOPDOOR in passive mode listens on TCP/47000 to receive commands from remote adversaries. Interestingly, the active and passive modes use different encryption algorithms and different backdoor command sets, so the two channels are independent and mutually incompatible methods of communication. The active mode runs in the primary thread of NOOPDOOR. Before starting communication with the C\u0026C server, NOOPDOOR checks whether any of the analysis tools listed in Appendix A are running on the current machine; if any are found, NOOPDOOR terminates itself. NOOPDOOR then generates the C\u0026C server's domain using a custom Domain Generation Algorithm (DGA). NOOPDOOR has template URLs like “http://$j[].srmbr\\.com/#180” (defanged) that are used to generate the domain, and it embeds a string generated from the runtime date into the template URL in place of the placeholder. The domain therefore changes daily by default, although the lifespan of a domain can be changed by an option. The detailed DGA logic is as follows.\r\nFigure 24. Detailed logic of DGA\r\nWe have also observed a few samples of NOOPDOOR that embed slightly different types of URLs. 
The placeholder “$\u003cKEY\u003e”, which is a single letter (such as “j”) in most cases, can also be a word. In the case we observed, the template URL was like “hxxp://$earth[.]hopto[.]org:443/”, in which the “$earth” part is the placeholder. In such a case, the generated domain will be as follows:\r\nFigure 25. DGA generation using “word” as the placeholder\r\nWith the generated domain, NOOPDOOR initiates C\u0026C communication. NOOPDOOR uses the HTTP proxy of the victim’s environment during business hours (8:30 to 19:30, Monday to Friday). C\u0026C communication in active mode is fully encrypted by a combination of RSA-2048 and a symmetric cipher. On initializing a session, NOOPDOOR sends a challenge and a randomly selected symmetric cipher ID to the C\u0026C server, encrypted with RSA-2048, to negotiate the key used to encrypt packets during the subsequent module/command processing. Supported ciphers are DES, 3DES, 2-key 3DES, AES-128-CBC, AES-192-CBC, AES-256-CBC, RC2, and RC4. After key negotiation, it starts to receive commands and sends results encrypted with the selected cipher.\r\nFigure 26. C\u0026C communication flow of NOOPDOOR\r\nThe NOOPDOOR operator can execute a loaded module or a built-in function through backdoor commands in active mode. 
The built-in functions that are currently supported are as follows:\r\nID (active mode): Action\r\n3B27D4EEFBC6137C23BD612DC7C4A817: Run program\r\n9AA5BB92E9D1CD212EFB0A5E9149B7E5: Download a file (received from the C\u0026C server)\r\n3C7660B04EE979FDC29CD7BBFDD05F23: Upload a file (sent to the C\u0026C server)\r\n12E2FC6C22B38788D8C1CC2768BD2C76: Read a specific file (%SystemRoot%\\System32\\msra.tlb)\r\n2D3D5C19A771A3606019C8ED1CD47FB5: Change the timestamp of the specified file\r\nOn the other hand, C\u0026C communication in passive mode is much simpler. NOOPDOOR creates a new thread for passive mode communication and listens for an incoming connection. NOOPDOOR first tries to add a new Windows Firewall rule named “Cortana” to allow inbound connections to TCP/47000; both the rule name and the listening port are useful detection artifacts. C\u0026C communication in passive mode is encrypted with AES-128-CBC, with the key and IV generated from the current date and time. The backdoor commands also differ from those of active mode, as follows.\r\nID (passive mode): Action\r\n3049 (0x0BE9): Keep alive\r\n9049 (0x2359): Run program\r\n9050 (0x235A): Upload a file (sent to the C\u0026C server)\r\n9051 (0x235B): Download a file (received from the C\u0026C server)\r\n9052 (0x235C): Change working directory\r\n9053 (0x235D): Run shellcode\r\nelse: Returns the message “This function is not supported by server!”\r\nHowever, it should be noted that the passive mode may be useless in most cases, since the operator can’t directly reach the listening NOOPDOOR instance through the firewalls and other network devices of a modern network. The passive mode might be designed for NOOPDOOR placed on a publicly exposed server (although all NOOPDOOR instances have so far been observed only on internal networks) or just for testing purposes. 
In fact, we have observed a few samples of NOOPDOOR that do not implement the passive mode at all.\r\nAs another feature, NOOPDOOR supports loading modules from disk. During initialization, NOOPDOOR looks for a file like \"%temp%\\{HEX}.tmp\", in which the \"{HEX}\" part is generated from a portion of the SHA256 hash of the current computer name and username combined (in UTF-16LE). This file contains the modules, encrypted with AES-256-CBC. Module blobs consist of metadata, such as scheduling information, module ID and parameters, and the module payload. This feature allows the operators to execute additional functions at various times (on demand or on a schedule).\r\nMirrorStealer\r\nMirrorStealer, originally documented by ESET, is a multi-purpose credential stealer. It is often used in conjunction with NOOPDOOR, and we observed it in the recent campaign as well. The currently targeted applications are the following.\r\nStored credentials in browsers (Chrome, Firefox, Edge, Internet Explorer)\r\nStored credentials in email clients (Outlook, Thunderbird, Becky, Live Mail)\r\nStored credentials in Group Policy Preferences\r\nRecently accessed servers and stored credentials in SQL Server Management Studio (mru.dat, SqlStudio.bin)\r\nAll the stolen credentials are written to %temp%\\31558.TXT in plain text. We observed that the adversary manually checked the output using the \"touch\" command and deleted it with the \"del\" command via cmd.exe.\r\nAttribution\r\nAs mentioned earlier, we attribute the campaign from 2023 to early 2024 to Earth Kasha with medium confidence. 
To explain the reasoning behind this conclusion, we will analyze several campaigns.\r\nLODEINFO Campaign #1 and #2\r\nThe following image illustrates the Diamond Model of two campaigns by Earth Kasha. For convenience, we call the campaign conducted from 2019 to 2023 using spear-phishing “LODEINFO Campaign #1” and the campaign conducted since 2023 targeting public-facing applications “LODEINFO Campaign #2”. The Diamond Model highlights the overlaps between LODEINFO Campaign #1 and #2, leading us to assess that these campaigns are operated by the same group, because malware exclusive to this group was used in both campaigns and there are no major contradictions in victimology or in parts of the TTPs.\r\nFigure 27. Comparison between the LODEINFO Campaign #1 and #2 by using the Diamond Model\r\nOn the other hand, there are several differences between LODEINFO Campaign #1 and #2, especially in the Initial Access methods, which were completely updated. In Campaign #1, they used spear-phishing for Initial Access, but in Campaign #2, they exploited public-facing applications. Regarding victimology, there are some differences in the targeted industries. The public sector, individuals associated with international affairs, politicians, and researchers in the academic sector were targeted in Campaign #1, whereas the private sector, including manufacturing and aviation, hi-tech-related organizations, and government agencies were targeted in Campaign #2.\r\nA41APT Campaign and LODEINFO Campaign #2\r\nWe analyzed another campaign, known as the “A41APT Campaign”, by Earth Tengshe, which is also believed to be related to APT10. This group conducted a campaign targeting several countries, including Japan and Taiwan. 
The following image uses the Diamond Model to highlight the overlaps between the A41APT Campaign and LODEINFO Campaign #2.\r\nFigure 28. Comparison between the A41APT Campaign and the LODEINFO Campaign #2 by using the Diamond Model\r\nInterestingly, the A41APT Campaign has a lot of overlaps, especially in the TTPs of the Post-Exploitation phase. As the presentation on the A41APT Campaign at JSAC2021 shows, there are similar TTPs in both campaigns, such as exploiting SSL-VPN for Initial Access, scheduled task abuse for Persistence, RDP with a domain admin account for Lateral Movement, abusing csvde.exe to collect Active Directory account information, and dumping registry hives for Credential Access.\r\nFigure 29. Highlighting the overlapped TTPs from the presentation “A41APT Case” at JSAC2021\r\nThe major difference between these campaigns is the toolsets. Earth Tengshe used custom malware such as SigLoader, SodaMaster, P8RAT, FYAnti, and Jackpot, which is completely different from what Earth Kasha used in LODEINFO Campaign #2.\r\nConsidering that both Earth Tengshe and Earth Kasha are believed to be associated with APT10, the two groups may share TTPs or operator resources. 
Here is a summary of the comparison between the A41APT\r\nCampaign, the LODEINFO Campaign #1 and #2.\r\n  A41APT Campaign LODEINFO Campaign #1\r\nLODEINFO\r\nCampaign #2\r\nhttps://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html\r\nPage 24 of 28\n\nAttribution Earth Tengshe Earth Kasha Earth Kasha\r\nTimeline 2020 - 2021 2019 – present 2023 – present\r\nRegion\r\nJapan, Taiwan, Thailand,\r\nand the United States (but\r\nthe main target is the entity\r\nin Japan)\r\nJapan\r\nJapan, Taiwan, and\r\nIndia\r\nIndustry\r\nprivate sector, including\r\nelectronics, energy,\r\nautomotive, and defense\r\nindustries\r\npublic sector, individuals\r\nassociated with international\r\naffairs, politicians and researchers\r\nin the academic sector\r\n- private sector,\r\nincluding\r\nmanufacturing and\r\naviation\r\n- Hi-tech related\r\norganizations\r\n- government agencies\r\nTTPs\r\n- Exploit public-facing\r\napplication\r\n- DLL Side-Loading\r\n- MS13-098/CVE-2013-\r\n3900 to embed encrypted\r\npayload\r\n- Spear-phishing email\r\n- DLL Side-Loading\r\n- MS13-098/CVE-2013-3900 to\r\nembed encrypted payload\r\n- Exploit public-facing\r\napplication\r\n- DLL Side-Loading\r\n- MS13-098/CVE-2013-3900 to embed\r\nencrypted payload\r\nTools\r\n- SigLoader\r\n- HUI Loader\r\n- SodaMaster\r\n- P8Rat\r\n- FYAnti\r\n- Cobalt Strike\r\n- Jackpot\r\n- LODEINFO\r\n- NOOPDOOR\r\n- DOWNIISSA\r\n- Lilim RAT\r\n- MirrorStealer\r\n- LODEINFO\r\n- NOOPDOOR\r\n- Cobalt Strike\r\n- MirrorStealer\r\nOther Campaigns\r\nAdding to these campaigns, we have observed a few other campaigns that slightly show some overlaps with the\r\nLODEINFO Campaign #2.\r\nOur first observation in 2023 shows that the Initial Access and Target methods resemble those of the LODEINFO\r\nCampaign #2. This unclustered campaign targeted mainly Japan and abused an exploitation against public-facing\r\napplications for Initial Access. 
Additionally, we confirmed that both campaigns used the same IPs as the origin of\r\nexploitation. On the other hand, we didn’t observe any malware or hacking tools during this unclustered\r\ncampaign. The adversary employed LOLBins in Post-Exploitation, not malware.\r\nhttps://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html\r\nPage 25 of 28\n\nFigure 30. Infrastructure overlap with the unclustered campaign\r\nFurthermore, Volt Typhoon, which is a state-sponsored actor based in China documented by Microsoftopen on a\r\nnew tab, was reportedly carrying out the exploit against FortiOS/FortiProxy (CVE-2023-27997), which was also\r\nused in the LODEINFO Campaign #2 in 2023. However, TTPs and toolsets in Post-Exploitation were totally\r\ndifferent between Volt Typhoon and Earth Kasha (instead, the previously mentioned unclustered campaign looks\r\nsimilar, but no commonalities have been confirmed so far). The vulnerability of CVE-2023-27997 was 0-day at\r\nthe time of usage in both campaigns by Volt Typhoon and Earth Kasha, leading us to the assumption that the 0-day\r\nvulnerability was possibly shared or there might be a third-party entity, such as access brokers, specialized in\r\nfacilitating Initial Access. This is not the only case indicating the possibility of 0-day vulnerability sharing.\r\nLAC reported the multiple campaignsopen on a new tab, abusing Array AG (CVE-2023-28461) and Citrix (CVE-2023-3466, CVE-2023-3467, CVE-2023-3519), which were abused in the LODEINFO Campaign #2 in 2023 as\r\nwell. Besides the vulnerabilities, however, there are no overlaps in malware and TTPs in Post-Exploitation\r\nbetween the LODEINFO Campaign #2 and these campaigns. 
This case suggests the possibility of 0-day sharing or\r\nthe presence of an access broker, indicating that Earth Kasha may be part of such an ecosystem.\r\nTrend Micro Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat\r\nInsights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they\r\nhappen and better prepared for emerging threats. It offers comprehensive information on threat actors, their\r\nmalicious activities, and the techniques they use. By leveraging this intelligence, customers can proactively\r\nprotect their environments, mitigate risks, and respond effectively to threats.\r\nTrend Micro Vision One Intelligence Reports App [IOC Sweeping]\r\nhttps://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html\r\nPage 26 of 28\n\nSpot the difference: Earth Kasha's new LODEINFO campaign and the correlation analysis with the APT10\r\numbrella\r\nTrend Micro Vision One Threat Insights App\r\nThreat Actors:\r\nEarth Kasha\r\nEarth Tengshe\r\nEmerging Threats: Spot the difference: Earth Kasha's new LODEINFO campaign and the correlation\r\nanalysis with the APT10 umbrella\r\nHunting Queries\r\nTrend Micro Vision One Search App\r\nTrend Micro Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in\r\nthis blog post with data in their environment.   \r\nMalware Detection Associated with Earth Kasha\r\neventName:MALWARE_DETECTION AND malName:(*NOOPLDR* OR *NOOPDOOR* OR *LODEINFO*)\r\nMore hunting queries are available for Vision One customers with Threat Insights Entitlement enabledproducts.\r\nConclusion\r\nWe have revealed the new campaign by Earth Kasha and provided an in-depth analysis of LODEINFO,\r\nNOOPDOOR and other malware. 
Additionally, we have analyzed several campaigns in the past and present,\r\nsuggesting a connection with the previous LODEINFO campaign (LODEINFO Campaign #1) and interesting\r\noverlaps with the A41APT Campaign by Earth Tengshe, which is also believed to belong to APT10 Umbrella.\r\nThese findings lead us to conclude that the same group that conducted the previous LODEINFO campaign also\r\nconducted the recent LODEINFO campaign (LODEINFO Campaign #2) with significant TTPs updates. The\r\ngroup may be incorporating or sharing TTPs and tools with Earth Tengshe. Furthermore, our correlational analysis\r\nof several campaigns, including the ones by the Volt Typhoon and other unclustered groups, suggested that the 0-\r\nday vulnerabilities may be shared among China-nexus actors, or there may be third-party access brokers.\r\nOur research on the recent activity by Earth Kasha highlighted the current complex situation and potential\r\ncooperative relationships among China-nexus threat actors. Such a situation will likely continue because it’s\r\nbeneficial for the adversaries on effective operation and hard for threat intelligence analysts on the attribution. 
We\r\nall need to understand the current complex background and carefully work on the attribution process.\r\nAppendix A: Checked Applications for Anti-Analysis by NOOPDOOR\r\nx32dbg**.exe\r\nx64dbg**.exe\r\nllydbg**.exe\r\nwindbg**.exe\r\nhttps://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html\r\nPage 27 of 28\n\nida*.exe\r\nidaq*.exe\r\nImmunityDebugger*.exe\r\nProcessHacker*.exe\r\nStud_PE*.exe\r\npexplorer*.exe\r\nAutoruns*.exe\r\nprocexp*.exe\r\nProcmon*.exe\r\nTcpview*.exe\r\n010Editor*.exe\r\nWinHex*.exe\r\nWireshark*.exe\r\nzenmap*.exe\r\nProcessHacker*.exe\r\nvmmap*.exe\r\nload_sc*.exe\r\nHttpAnalyzerStd*.exe\r\nFiddler*.exe\r\nAppendix B: Indicators of Compromise (IoCs)\r\nThe indicators of compromise can be found here: \r\nSource: https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html\r\nhttps://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html\r\nPage 28 of 28\n\nverify if the data is SHA384 hash of the an expected structure. AES key material following After completing verification, behind the checksum NOOPLDR header. Type 1 The first 32 calculates the bytes are used as the\nAES key, and the later 16 as IV. Finally, NOOPLDR Type 1 decrypts the encrypted payload by AES256-CBC.\n  Page 10 of 28   \n\nNOOPDOOR sends by RSA-2048 to negotiate a challenge and randomly a key for encrypting selected packets symmetric cipher during the following ID to the C\u0026C module/command server with processing. encryption\nSupported ciphers are DES, 3DES, 2-key 3DES, AES-128-CBC, AES-192-CBC, AES-256-CBC, RC2, and RC4.\nAfter key negotiation, it starts to receive commands and sends a result with encryption by the selected cipher.\n  Page 20 of 28",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html"
	],
	"report_names": [
		"lodeinfo-campaign-of-earth-kasha.html"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e47e5bc6-9823-48b4-b4c8-44d213853a3d",
			"created_at": "2023-11-17T02:00:07.588367Z",
			"updated_at": "2026-04-10T02:00:03.453612Z",
			"deleted_at": null,
			"main_name": "MirrorFace",
			"aliases": [
				"Earth Kasha"
			],
			"source_name": "MISPGALAXY:MirrorFace",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434707,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/61622eb1a446462e09d1d72284314820c3198578.pdf",
		"text": "https://archive.orkl.eu/61622eb1a446462e09d1d72284314820c3198578.txt",
		"img": "https://archive.orkl.eu/61622eb1a446462e09d1d72284314820c3198578.jpg"
	}
}