{
	"id": "05062a4d-8179-49d1-a5f6-84bfdcd61db5",
	"created_at": "2026-04-29T02:21:52.882828Z",
	"updated_at": "2026-04-29T08:22:29.571854Z",
	"deleted_at": null,
	"sha1_hash": "62499afddeef15790dac8d0b3c64667b2ba00670",
	"title": "PowerPoint Presentation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "2024-01-25T06:43:31Z",
	"file_modification_date": "2024-01-25T06:43:31Z",
	"file_size": 1302372,
	"plain_text": "Unmasking HiddenFace (NOOPDOOR)\r\nMirrorFace’s most complex backdoor yet\r\nDominik Breitenbacher\r\nMalware Researcher\n\nDominik Breitenbacher\r\n• Malware researcher @ ESET since 2019\r\n• Research focus\r\n▪ MirrorFace – LODEINFO\r\n▪ Kimsuky\r\ndominik.breitenbacher@eset.com @dbreitenbacher dbreitenbacher\n\nAgenda\r\nMirrorFace overview\r\nHiddenFace (NOOPDOOR)\r\n▪ Introduction\r\n▪ Execution chain\r\n▪ Technical details\n\nMirrorFace\n\nMirrorFace\r\nChina-aligned threat actor\r\nActive at least since 2019\r\n▪ Activity often attributed to APT10\r\nLODEINFO malware is unique to the group\r\nExclusively targeting Japanese entities (?)\n\nVictimology\r\n▪ Media\r\n▪ Defense-related companies\r\n▪ Think tanks\r\n▪ Political entities\r\n▪ Academic institutes\n\nHiddenFace (NOOPDOOR)\n\nHiddenFace\r\n▪ Shellcode\r\n▪ Modular\r\n▪ Evasive\r\n▪ Active and passive communication\r\n▪ Data categorization system\r\n▪ Domain generation algorithm\r\nOverall complexity and versatility surpasses LODEINFO\n\nHow we discovered HiddenFace\r\nAugust 2023\r\nJapanese research institute\r\nInitial access by exploiting a vulnerability in FortiOS/FortiProxy\r\n→ NOT via spearphishing\r\nLODEINFO deployed\r\n→ MirrorFace\r\nHiddenFace deployed\n\nExecution Chain\n\nExecution chain - Installation\r\nScheduled task (example: automatic-device-check or createobject)\r\n→ launches MSBuild with a malicious XML file as argument (example: diskmgmt.config, BrowserSettingSync.xml, or BluetoothDesktopHandlers.xml)\r\n→ MSBuild builds and executes FaceXInjector (FaceXInjector = NOOPLDR)\r\n→ FaceXInjector reads the encrypted HiddenFace file (example: ActivationManager.tlb, LaunchWinApp.dat, or Windows.Devices.Custom.dat)\r\nFile content: SHA-256(AES(payload)) | AES material | AES(payload)\r\n▪ SHA-256 of AES(payload) is recomputed and compared with the stored hash before anything is decrypted\r\n▪ SHA-384 of the AES material yields the key material\r\n▪ AES(payload) is decrypted\r\n→ FaceXInjector creates a machine-specific encrypted HiddenFace\r\n▪ Key material: SHA-384(HKLM\\Software\\Microsoft\\SQMClient\\MachineId + hostname)\r\n→ The machine-specific encrypted HiddenFace is stored in the registry key HKCU|HKLM\\Software\\License\\{\u003c16 hex characters\u003e}\r\n→ The registry copy is bound to the host: decrypting it elsewhere requires that host’s MachineId and hostname, so collect both together with the registry value\n\nExecution chain - Injection\r\nScheduled task\r\n→ launches MSBuild with the malicious XML file as argument\r\n→ MSBuild builds and executes FaceXInjector\r\n→ FaceXInjector reads the registry key with the machine-specific encrypted HiddenFace\r\n→ FaceXInjector injects the payload into a defined Windows utility (example: perfmon.exe, wermgr.exe, or powercfg.exe)\n\nStartup\n\nStartup\r\nDynamically resolves Windows APIs\r\nPerforms a few defensive actions\r\n▪ Removes the API resolution code\r\n→ Memory dump is malformed\r\n▪ Restricts DLL loading to Microsoft-signed ones\r\n▪ Sleeps randomly between 30 and 60 seconds\r\n→ Likely to avoid behavioral analysis by a sandbox or security solution\r\n▪ Periodically checks running processes against a list of blacklisted applications\r\n• Debuggers, process monitors, network analysis tools …\n\nStartup\r\nCreates a mutex\r\n→ Only one instance at a time\r\nLoads external modules\r\nInitializes the internal framework\r\nStarts network communications\n\nModular System\n\nModular system\r\nCore feature of HiddenFace\r\nModule: a built-in function or shellcode labeled by an ID number\r\nHiddenFace contains several built-in modules\r\nExternal modules are loaded from a file\r\nAdditional modules can be sent by an operator\r\n▪ The internal framework is provided to a module received from a C\u0026C server\n\nExternal Modules\n\nExternal modules\r\nStored in a file – AES-256-CBC-encrypted\r\nUser-specific filename\r\nUser-specific AES key and IV\r\nAlgorithmically determined\r\n▪ Hostname and username are used\r\nNote: Most of the assets that are usually hardcoded in malware (e.g., encryption keys, filenames) are generated by HiddenFace.\n\nExternal modules – Module entry (field – description)\r\nType – Module type (immediate, specific minute, etc.)\r\nID – ID to identify the module\r\nTag – (Optional) Additional label for the module\r\nTime – Describes a specific time or a period; used for scheduled execution\r\nShellcode / Parameters – Contains either the module’s shellcode or parameters for a built-in module\n\nExternal modules – Execution\r\nEach module is executed based on its type (type – description)\r\nImmediate – Immediately and only once\r\nSpecific minute – At the specified minute every hour\r\nSpecific time – At the specified time every day\r\nPeriodic – Every X minutes\r\nProcess monitor periodic – X minutes after the last check for running processes\n\nInternal Framework\n\nInternal framework\r\nProvided to every module received from the C\u0026C server\r\nFeatures:\r\n▪ Access and modify external modules\r\n▪ Utilize internal memory storage\r\n▪ List running modules\r\n▪ Change the framework itself\r\nAllows the operator to create a tailored environment with the needed capabilities\n\nInternal framework – Functions (function ID – description)\r\nCCA8EB22C9E23C5D0577FC1F03060A5E – Add framework function\r\n3D75B9B060499764C13527149E89D8DC – Remove framework function\r\nCF05E89B7EAF28FE0DBF3B771B6C07B7 – Write to memory storage\r\n9BB2D76EDA1355D875D1D53DEEAA85B9 – Read from memory storage\r\nAC636E53FA3EC973F0E9535C8358C3E9 – Remove data from memory storage\r\nAC2BC61134888753316C1AC63DE465FE – Read external modules file\r\n50515EF4F20DAA90B575DFFEAB4A97C0 – Add module to external modules file\r\nB5F39B21F0CC65CB1E3C75C6BFB7AB25 – Write data to external modules file (if no data is provided, the file is deleted)\r\n1AA52A58C2C7B8E0079FF255D7294E70 – Return list of running modules\r\nA lookup function is used to obtain and execute the desired function\n\nActive Communication\n\nActive communication\r\nActively connects to a C\u0026C server\r\nWorks in sessions\r\nHard-coded list of C\u0026C URLs (templates)\r\nUses a domain generation algorithm (DGA)\r\nUses a custom protocol over TCP (on port 443)\n\nActive communication – DGA\r\nTemplate: http://$n[].tw8sl.com:443/#180\r\n$n – Variable replaced with a generated string (e.g., sofvgckcmyixg)\r\n[] – Use the hostname in the algorithm → creates a domain unique to the machine\r\n#\u003cnum\u003e – Increase the domain’s lifespan to \u003cnum\u003e days\r\nTrendMicro’s example: http://$d.hopto.org:443\r\nNote: Some of the domains are under direct MirrorFace control.\n\nActive communication – Establishing a session\r\nAll messages exchanged are encrypted\r\nFirst messages are RSA-2048 encrypted\r\n▪ To send collected information\r\n▪ To exchange key material for a symmetric cipher\r\nThe symmetric cipher is used until the end of the session\r\nCipher randomly selected by HiddenFace\r\n▪ DES, 3DES, two-key 3DES\r\n▪ AES-CBC (128/192/256)\r\n▪ RC2, RC4\r\nKey negotiation (messages between HiddenFace and the C\u0026C server):\r\n▪ RSA(secret – part I \u0026 additional info)\r\n▪ RSA(secret – part II)\r\n▪ RSA(secret – part III \u0026 selected cipher \u0026 additional info)\r\n▪ Selected cipher(SHA-1(secret))\r\n→ The cipher is announced with part III, so SHA-1(secret) under that cipher can only follow it and likely serves as a check that both sides assembled the same secret\n\nActive communication – Commands handling\r\nCommands are executed by modules\r\nServer sends the module ID and the necessary data\r\nModule ID not found\r\n→ Additional temporary module\r\n→ Access to internal framework\r\nRequesting commands (after key negotiation, repeated per command):\r\n▪ Selected cipher(command request)\r\n▪ Selected cipher(command)\r\n▪ Selected cipher(result)\n\nActive communication – Commands (function ID – description)\r\n3B27D4EEFBC6137C23BD612DC7C4A817 – Create a process\r\n9AA5BB92E9D1CD212EFB0A5E9149B7E5 – Write to a file\r\n3C7660B04EE979FDC29CD7BBFDD05F23 – Exfiltrate a file\r\n12E2FC6C22B38788D8C1CC2768BD2C76 – Read content from the file named %SystemRoot%\\System32\\msra.tlb\r\n2D3D5C19A771A3606019C8ED1CD47FB5 – Timestomp directory content\r\nNote: msra.tlb contains credentials collected by MSRAStealer – MirrorFace’s publicly undescribed stealer.\n\nMSRAStealer\r\nPassive credential stealer\r\nUpon deployment registered as a password filter and an authentication package\r\nPassword filter\r\n▪ Legitimate use: enforce password policy\r\n▪ MSRAStealer: collects credentials on a password change\r\nAuthentication package\r\n▪ Legitimate use: analyze logon data\r\n▪ MSRAStealer: collects credentials on user logon\r\nCollected credentials are dumped into msra.tlb – AES-256-CBC encrypted\r\nHiddenFace is used to exfiltrate the credentials\n\nPassive Communication\n\nPassive communication\r\nHard-coded list of ports to listen on (e.g., 47000)\r\nWindows firewall reconfigured to allow the communication\r\nCommunication AES-128-CBC encrypted\r\nAES key and IV generated from the current time: \u003cyear\u003e\u003chour (UTC)\u003e\u003cday\u003e\u003cmonth\u003e\r\nSHA-256 hash = AES key\r\nSHA-1 hash = AES IV\r\n→ Key and IV change every UTC hour, so a decryptor must know the hour a capture was sent in\r\n→ AES-128-CBC takes a 16-byte key and IV while SHA-256 and SHA-1 output 32 and 20 bytes; the deck does not say which part of each hash is used\n\nPassive communication – Commands\r\nNote: Execute shellcode – the shellcode is turned into a module first. It is not added to the list of available modules and is not given access to the internal framework.
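
HiddenFace carries what it exchanges over its channels, and what it hands between modules, in its own data structuring system: a 16-byte header (total size, data section size, number of metadata entries, maximum number of entries), one 8-byte metadata entry per item (data size, data type), then the data itself. The serializer and parser below are an added example, not code from the presentation or from ESET. They assume little-endian fields, a metadata table pre-sized to the header’s maximum entry count with unused slots zeroed, data items stored back to back in metadata order, 4-byte integers for the message type and thread ID, the module ID as 16 raw bytes and the file name as UTF-8; the deck states none of these encodings. The sample request is constructed.

```python
import os
import struct

# Layout from the presentation: 16-byte header, 8-byte metadata entries, then the data section.
# Assumption (not stated in the deck): fields are little-endian and the metadata table is
# pre-sized to the header's capacity field, with unused slots left as zero bytes.
HEADER_FMT = '<IIII'   # total size, data section size, metadata entries used, metadata capacity
META_FMT = '<II'       # data size, data type
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 16
META_LEN = struct.calcsize(META_FMT)       # 8

# Data types and values named in Example 1 of the deck
T_RANDOM = 0x0BD1        # randomly generated data
T_MSG_TYPE = 0x03E8      # type of message
T_THREAD_ID = 0x03EA     # receiving thread ID
T_MODULE_ID = 0x0FA1     # module ID
T_FILENAME = 0x1772      # name of the file to exfiltrate
MSG_COMMAND_REQUEST = 0x0BE3
MODULE_EXFILTRATE_FILE = '3C7660B04EE979FDC29CD7BBFDD05F23'


def pack_blob(items, capacity=None):
    '''Serialize a list of (data_type, bytes) items into one structured blob.'''
    if capacity is None:
        capacity = len(items)
    if len(items) > capacity:
        raise ValueError('more items than metadata slots')
    data = b''.join(value for _, value in items)
    total = HEADER_LEN + META_LEN * capacity + len(data)
    header = struct.pack(HEADER_FMT, total, len(data), len(items), capacity)
    meta = b''.join(struct.pack(META_FMT, len(value), dtype) for dtype, value in items)
    meta += bytes(META_LEN * (capacity - len(items)))   # zero the unused slots
    return header + meta + data


def header_fields(blob):
    '''Return (total size, data size, entries used, capacity) from the header.'''
    if len(blob) < HEADER_LEN:
        raise ValueError('truncated header')
    return struct.unpack_from(HEADER_FMT, blob, 0)


def parse_blob(blob):
    '''Parse a blob back into (data_type, bytes) items, checking every size relation first
    so a truncated or tampered capture is rejected instead of being read out of bounds.'''
    total, data_size, count, capacity = header_fields(blob)
    if count > capacity:
        raise ValueError('metadata count exceeds capacity')
    data_off = HEADER_LEN + META_LEN * capacity
    if total != len(blob) or data_off + data_size != total:
        raise ValueError('size fields do not match blob length')
    items = []
    pos = data_off
    for i in range(count):
        size, dtype = struct.unpack_from(META_FMT, blob, HEADER_LEN + META_LEN * i)
        if pos + size > total:
            raise ValueError('metadata entry points past the data section')
        items.append((dtype, blob[pos:pos + size]))
        pos += size
    if pos != total:
        raise ValueError('data section has trailing bytes')
    return items


def is_valid_blob(blob):
    '''True when the blob passes every structural check in parse_blob.'''
    try:
        parse_blob(blob)
        return True
    except ValueError:
        return False


def u32(value):
    return struct.pack('<I', value)


def build_exfiltrate_request(filename, thread_id, random_data=None):
    '''Command request for the Exfiltrate a file module, following the item list of Example 1.
    Assumptions: 4-byte integers, the module ID as 16 raw bytes, the file name as UTF-8.'''
    if random_data is None:
        random_data = os.urandom(16)
    return pack_blob([
        (T_RANDOM, random_data),
        (T_MSG_TYPE, u32(MSG_COMMAND_REQUEST)),
        (T_THREAD_ID, u32(thread_id)),
        (T_MODULE_ID, bytes.fromhex(MODULE_EXFILTRATE_FILE)),
        (T_FILENAME, filename.encode('utf-8')),
    ], capacity=8)


def describe(blob):
    '''Decode a parsed blob into a dict keyed by data type, using the same assumed encodings.'''
    out = {}
    for dtype, value in parse_blob(blob):
        if dtype in (T_MSG_TYPE, T_THREAD_ID) and len(value) == 4:
            out[dtype] = struct.unpack('<I', value)[0]
        elif dtype == T_MODULE_ID:
            out[dtype] = value.hex().upper()
        elif dtype == T_FILENAME:
            out[dtype] = value.decode('utf-8')
        else:
            out[dtype] = value
    return out


if __name__ == '__main__':
    # Constructed sample: a request for one document from the victim host
    req = build_exfiltrate_request('C:/Users/victim/Documents/report.docx', 0x1234)
    print(header_fields(req))
    print(describe(req))
```

Run the file to serialize one Exfiltrate a file request (Example 1 of the deck) and decode it again. The decoder enforces three relations before touching any item (header total equals the captured length, entries used within capacity, items exactly filling the data section), so a truncated capture or a tampered metadata entry is reported rather than read past the buffer; that is the check to have in place before feeding real traffic or memory dumps to it.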
\r\nCommands (command ID – description)\r\n0x0BE9 – Keep-Alive\r\n0x2359 – Create a process\r\n0x235A – Exfiltrate a file\r\n0x235B – Write to a file\r\n0x235C – Set working directory\r\n0x235D – Execute shellcode\n\nData Structuring System\n\nData structuring system\r\nHiddenFace uses a dedicated system to structure data\r\nFor communication, but also internally\r\nEvery structured data blob consists of:\r\n▪ Header\r\n▪ Metadata\r\n▪ Actual data\n\nData structuring system – Layout\r\nHeader (offset – size in bytes – description)\r\n0 – 4 – Total size in bytes\r\n4 – 4 – Data section size in bytes\r\n8 – 4 – Number of metadata entries\r\n12 – 4 – Maximum possible number of metadata entries\r\nMetadata entry (offset – size in bytes – description)\r\n0 – 4 – Data size in bytes\r\n4 – 4 – Data type\n\nData structuring system – Data\r\nConsists of arbitrary content\r\nHeavily depends on the data’s purpose\r\nEvery data item is categorized and defined in the metadata\r\nHiddenFace distinguishes more than 80 data types\n\nExample 1 – “Exfiltrate a file” command (data type – description)\r\n0x0BD1 – Randomly generated data\r\n0x03E8 – Type of message; always set to 0x0BE3, representing “Command request”\r\n0x03EA – Receiving thread ID\r\n0x0FA1 – Module ID; always set to 3C7660B04EE979FDC29CD7BBFDD05F23, representing “Exfiltrate a file”\r\n0x1389 – (Optional) Request tag\r\n0x138C – Item of unknown purpose\r\n0x1772 – Name of the file to exfiltrate\r\n0x0BC2 – (Optional) Base directory if the filename is relative\r\n0x1774 – (Optional) Known file size\r\n0x1775 – (Optional) Known last write time\r\n0x1776 – (Optional) Chunk information (file offsets)\r\n0x1779 – (Optional) Known SHA-1 hash of the file\n\nExample 2 – Data passed internally to run a module (data type – description)\r\n0x0FA1 – Module ID\r\n0x0FA2 – (Optional) Module’s shellcode\r\n0x1389 – (Optional) Tag\r\n0x1390 – (Optional) Event name; limits the module’s execution to one instance\r\n0x138C – Item of unknown purpose\r\n0x1398 – Internal framework’s lookup function\n\nConclusion\n\nConclusion\r\nHiddenFace (NOOPDOOR) – backdoor developed and exclusively used by MirrorFace\r\nThe most complex malware in MirrorFace’s arsenal\r\nDeveloped with a heavy focus on modularity\r\n→ Can be tailored to current needs\r\nUtilizes other interesting techniques and mechanisms\r\n▪ DGA, data structuring approach, various anti-detection/anti-analysis techniques\r\nThe protective execution chain shows HiddenFace is especially valuable to MirrorFace\r\nHiddenFace is a reasonably big project\n\nThank you.\r\ndominik.breitenbacher@eset.com @dbreitenbacher dbreitenbacher\r\nNote: IOCs after this slide.\n\nIOCs\n\nIOCs – Files\r\nSHA-1\r\n41ACA6FCF8DF6599764DA638B2BAFDFD5E3EAD8B\r\n512F3C8953AC079B57D1E13F3B8E97F99A054CE9\r\n85E831EAC0AD5A308394BEB1CB7CE702C754FDB6\r\nD96B05E516E9BB3E0AD8702D162440139E33D972\r\nScheduled tasks\r\nc:\\windows\\system32\\tasks\\microsoft\\windows\\user profile service\\hiveupload\r\nc:\\windows\\system32\\tasks\\microsoft\\windows\\wininet\\cachetask\r\nc:\\windows\\system32\\tasks\\microsoft\\windows\\shell\\createobject\r\nc:\\windows\\system32\\tasks\\microsoft\\windows\\workplace join\\automatic-device-check\r\nc:\\windows\\system32\\tasks\\microsoft\\windows\\media center\\pbdadiscoveryw3\n\nIOCs – Files\r\nFaceXInjector XMLs\r\nC:\\Windows\\system32\\diskmgmt.config\r\nC:\\Windows\\system32\\MusNotification.xml\r\nC:\\Windows\\system32\\NetMgmtIF.xml\r\nC:\\Windows\\system32\\BrowserSettingSync.xml\r\nC:\\Windows\\system32\\BluetoothDesktopHandlers.xml\r\nEncrypted HiddenFace\r\nC:\\Windows\\system32\\ActivationManager.tlb\r\nC:\\Windows\\system32\\ksetup.dat\r\nC:\\Windows\\system32\\LaunchWinApp.dat\r\nC:\\Windows\\system32\\win32k.tlb\r\nC:\\Windows\\system32\\Windows.Devices.Custom.dat\n\nIOCs – Network\r\nMirrorFace-controlled servers\r\n5.180.44[.]139\r\n202.182.118[.]157\r\n207.148.97[.]235\r\nC\u0026C domains\r\nvtfraznzdcns.myvnc[.]com\r\nokzhfafcyumv.foeake[.]org\r\ngjeyxinbutely.torefrog[.]com\r\nhopekxpjyqloj.torefrog[.]com\r\nkcxtdemxszlb.torefrog[.]com\r\nlrsjvqxvzqua.torefrog[.]com\r\nogxzarazhzgu.torefrog[.]com\r\norufdqjuirceapb.torefrog[.]com\r\nsmfyuxgkeqiwgqw.torefrog[.]com",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"pdf"
	],
	"references": [
		"https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_2_8_Breitenbacher_en.pdf"
	],
	"report_names": [
		"JSAC2024_2_8_Breitenbacher_en.pdf"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-29T06:58:56.168941Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Purple Typhoon",
				"Menupass Team",
				"Red Apollo",
				"Cloud Hopper",
				"BRONZE RIVERSIDE",
				"G0045",
				"Granite Taurus",
				"STONE PANDA",
				"happyyongzi",
				"POTASSIUM",
				"CVNX",
				"HOGFISH",
				"ATK41",
				"TA429"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e47e5bc6-9823-48b4-b4c8-44d213853a3d",
			"created_at": "2023-11-17T02:00:07.588367Z",
			"updated_at": "2026-04-29T06:58:56.683931Z",
			"deleted_at": null,
			"main_name": "MirrorFace",
			"aliases": [
				"Earth Kasha"
			],
			"source_name": "MISPGALAXY:MirrorFace",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-29T06:58:57.705351Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail",
				"Earth Kumiho",
				"PatheticSlug"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"HTTPTroy",
				"schtasks",
				"certutil",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "af2a195b-fed2-4e2c-9443-13e9b08a02ae",
			"created_at": "2022-12-27T17:02:23.458269Z",
			"updated_at": "2026-04-29T06:58:58.066484Z",
			"deleted_at": null,
			"main_name": "Operation LiberalFace",
			"aliases": [
				"MirrorFace",
				"Operation AkaiRyū",
				"Operation LiberalFace"
			],
			"source_name": "ETDA:Operation LiberalFace",
			"tools": [
				"Anel",
				"AsyncRAT",
				"LODEINFO",
				"MirrorStealer",
				"UpperCut",
				"lena"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-29T06:58:57.4761Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"AysncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-29T06:58:56.291188Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"THALLIUM",
				"Sparkling Pisces",
				"Velvet Chollima",
				"Black Banshee",
				"Operation Stolen Pencil",
				"APT43",
				"Emerald Sleet",
				"Springtail",
				"Thallium"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"RevClient",
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "35cd247a-6d42-4ff7-80a0-42650f241ce4",
			"created_at": "2026-04-29T02:00:04.608394Z",
			"updated_at": "2026-04-29T06:58:57.775817Z",
			"deleted_at": null,
			"main_name": "MirrorFace",
			"aliases": [
				"MirrorFace",
				"Earth Kasha"
			],
			"source_name": "MITRE:MirrorFace",
			"tools": [
				"Cobalt Strike",
				"MirrorStealer",
				"UPPERCUT",
				"Nltest",
				"BITSAdmin",
				"Tasklist",
				"ipconfig",
				"LODEINFO",
				"ROAMINGHOUSE",
				"DOWNIISSA",
				"nbtstat",
				"HiddenFace",
				"Wevtutil",
				"NOOPLDR"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-29T06:58:57.620982Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-29T06:58:57.765592Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-29T06:58:57.969738Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777429312,
	"ts_updated_at": 1777450949,
	"ts_creation_date": 1706165011,
	"ts_modification_date": 1706165011,
	"files": {
		"pdf": "https://archive.orkl.eu/62499afddeef15790dac8d0b3c64667b2ba00670.pdf",
		"text": "https://archive.orkl.eu/62499afddeef15790dac8d0b3c64667b2ba00670.txt",
		"img": "https://archive.orkl.eu/62499afddeef15790dac8d0b3c64667b2ba00670.jpg"
	}
}