{ "id": "97f2a62c-62bd-4d02-afb3-16093d48c0b0", "created_at": "2026-04-06T00:09:55.02029Z", "updated_at": "2026-04-10T13:12:03.947107Z", "deleted_at": null, "sha1_hash": "619743bc837f00dd7b73775f4a641b2f675865b8", "title": "APT 40 in Malaysia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48909, "plain_text": "APT 40 in Malaysia\r\nBy Sebdraven\r\nPublished: 2020-02-07 · Archived: 2026-04-05 15:39:06 UTC\r\nThe cert of Malaysia made an advisory the 5th february.\r\nIt’s published many TTPs and IOCs on this group:\r\nThere is many links interessisting:\r\nthe first are this IP 195.12.50.168 and 167.99.72.82. In my yeti, I found many relative observables on it:\r\nPress enter or click to view image in full size\r\nhxxp://195.12.50.168/D2_de2o@sp0/ and hxxp://167.99.72.82/main.dotm\r\nGet Sebdraven’s stories in your inbox\r\nJoin Medium for free to get updates from this writer.\r\nRemember me for faster sign in\r\nthis Urls were used by a campaign discovered by ClearSky\r\ntargeting Malaysia. The victimology is interesting because it’s concerning transport industry.\r\nAnother link interesting with this advisories is the link wit another campaign in November\r\nhttps://app.any.run/tasks/ed03d492-688e-4182-9a06-6f65d8cb18fc/\r\nfound by\r\nMalware used here is Dadjoke.\r\nAPT40 is an active Chinese group in South Asia, near of the MSS (Intelligence Service of China) according\r\nIntrusion Truth https://intrusiontruth.wordpress.com/2020/01/16/apt40-is-run-by-the-hainan-department-of-the-chinese-ministry-of-state-security/\r\nhttps://medium.com/@Sebdraven/apt-40-in-malaysia-61ed9c9642e9\r\nPage 1 of 2\n\nSource: https://medium.com/@Sebdraven/apt-40-in-malaysia-61ed9c9642e9\r\nhttps://medium.com/@Sebdraven/apt-40-in-malaysia-61ed9c9642e9\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://medium.com/@Sebdraven/apt-40-in-malaysia-61ed9c9642e9" ], "report_names": [ "apt-40-in-malaysia-61ed9c9642e9" ], "threat_actors": [ { "id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea", "created_at": "2023-01-06T13:46:38.745572Z", "updated_at": "2026-04-10T02:00:03.086207Z", "deleted_at": null, "main_name": "APT40", "aliases": [ "ATK29", "Red Ladon", "MUDCARP", "ISLANDDREAMS", "TEMP.Periscope", "KRYPTONITE PANDA", "G0065", "TA423", "ITG09", "Gingham Typhoon", "TEMP.Jumper", "BRONZE MOHAWK", "GADOLINIUM" ], "source_name": "MISPGALAXY:APT40", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "83025f5e-302e-46b0-baf6-650a4d313dfc", "created_at": "2024-05-01T02:03:07.971863Z", "updated_at": "2026-04-10T02:00:03.743131Z", "deleted_at": null, "main_name": "BRONZE MOHAWK", "aliases": [ "APT40 ", "GADOLINIUM ", "Gingham Typhoon ", "Kryptonite Panda ", "Leviathan ", "Nanhaishu ", "Pickleworm ", "Red Ladon ", "TA423 ", "Temp.Jumper ", "Temp.Periscope " ], "source_name": "Secureworks:BRONZE MOHAWK", "tools": [ "AIRBREAK", "BlackCoffee", "China Chopper", "Cobalt Strike", "DadJoke", "Donut", "FUSIONBLAZE", "GreenCrash", "Meterpreter", "Nanhaishu", "Orz", "SeDll" ], "source_id": "Secureworks", "reports": null }, { "id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a", "created_at": "2022-10-25T15:50:23.481057Z", "updated_at": "2026-04-10T02:00:05.306469Z", "deleted_at": null, "main_name": "Leviathan", "aliases": [ "MUDCARP", "Kryptonite Panda", "Gadolinium", "BRONZE MOHAWK", "TEMP.Jumper", "APT40", "TEMP.Periscope", "Gingham Typhoon" ], "source_name": "MITRE:Leviathan", "tools": [ "Windows Credential Editor", "BITSAdmin", "HOMEFRY", "Derusbi", "at", "BLACKCOFFEE", "BADFLICK", "gh0st RAT", "PowerSploit", "MURKYTOP", "NanHaiShu", "Orz", "Cobalt Strike", "China Chopper" ], "source_id": "MITRE", "reports": null }, { "id": "b9806584-4d82-4f32-ae97-18a2583e8d11", "created_at": "2022-10-25T16:07:23.787833Z", "updated_at": "2026-04-10T02:00:04.749709Z", "deleted_at": null, "main_name": "Leviathan", "aliases": [ "APT 40", "ATK 29", "Bronze Mohawk", "G0065", "Gadolinium", "Gingham Typhoon", "ISLANDDREAMS", "ITG09", "Jumper Taurus", "Kryptonite Panda", "Mudcarp", "Red Ladon", "TA423", "TEMP.Jumper", "TEMP.Periscope" ], "source_name": "ETDA:Leviathan", "tools": [ "AIRBREAK", "Agent.dhwf", "Agentemis", "AngryRebel", "BADFLICK", "BlackCoffee", "CHINACHOPPER", "China Chopper", "Cobalt Strike", "CobaltStrike", "DADJOKE", "Dadstache", "Derusbi", "Destroy RAT", "DestroyRAT", "Farfli", "GRILLMARK", "Gh0st RAT", "Ghost RAT", "HOMEFRY", "Hellsing Backdoor", "Kaba", "Korplug", "LOLBAS", "LOLBins", "LUNCHMONEY", "Living off the Land", "MURKYTOP", "Moudour", "Mydoor", "NanHaiShu", "Orz", "PCRat", "PNGRAT", "PlugX", "RedDelta", "SeDLL", "Sensocode", "SinoChopper", "Sogu", "TIGERPLUG", "TVT", "Thoper", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "Xamtrav", "ZXShell", "ZoxPNG", "cobeacon", "gresim", "scanbox" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434195, "ts_updated_at": 1775826723, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/619743bc837f00dd7b73775f4a641b2f675865b8.pdf", "text": "https://archive.orkl.eu/619743bc837f00dd7b73775f4a641b2f675865b8.txt", "img": "https://archive.orkl.eu/619743bc837f00dd7b73775f4a641b2f675865b8.jpg" } }