{
	"id": "d7421d45-ca79-4b15-8c95-7ad9e3b06dee",
	"created_at": "2026-04-06T00:20:55.043214Z",
	"updated_at": "2026-04-10T13:13:05.796382Z",
	"deleted_at": null,
	"sha1_hash": "62619a8c42581dd6f02a9cc209334d5d79143154",
	"title": "PLATINUM (cybercrime group)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 96926,
	"plain_text": "PLATINUM (cybercrime group)\r\nBy Contributors to Wikimedia projects\r\nPublished: 2017-06-09 · Archived: 2026-04-05 20:01:27 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nPLATINUM is the name given by Microsoft to a cybercrime collective active against governments and related organizations in South and Southeast Asia.[1] They are secretive and not much is known about the members of the group.[2] The group's skill level is such that its attacks sometimes go without detection for many years.[1]\r\nThe group, considered an advanced persistent threat, has been active since at least 2009,[3] targeting victims via spear-phishing attacks against government officials' private email addresses, zero-day exploits, and hot-patching vulnerabilities.[4][5] Upon gaining access to their victims' computers, the group steals economically sensitive information.[1]\r\nPLATINUM succeeded in keeping a low profile until their abuse of the Microsoft Windows hot patching system was detected and publicly reported in April 2016.[2] This hot patching method allows them to use Microsoft's own features to quickly patch, alter files or update an application without rebooting the system. This way, they can maintain the data they have stolen while masking their identity.[2]\r\nIn June 2017, PLATINUM became notable for exploiting the serial over LAN (SOL) capabilities of Intel's Active Management Technology to perform data exfiltration.[6][7][8][9][10][11][12][13]\r\nPLATINUM's techniques\r\nPLATINUM has been known to exploit web plugins, at one point infiltrating the computers of several Indian government officials in 2009, using a website that provided an email service.[1]\r\nOnce in control of a target's computer, PLATINUM actors can move through the target's network using specially built malware modules. These have either been written by one of the multiple teams working under the Platinum group umbrella, or they could have been sold through any number of outside sources that Platinum has been dealing with since 2009.[1]\r\nBecause of the diversity of this malware, the versions of which have little code in common, Microsoft's investigators have taxonomised it into families.[1]\r\nThe piece of malware most widely used by PLATINUM was nicknamed Dipsind by Microsoft.[1] This piece of malware can install a keylogger, a piece of software that records (and may also be able to inject) keystrokes.[citation needed]\r\nPLATINUM also uses other malware like \"JPIN\", which installs itself into the %appdata% folder of a computer so that it can obtain information, load a keylogger, download files and updates, and perform other tasks like extracting files that could contain sensitive information.[1]\r\n\"Adbupd\" is another malware program utilised by PLATINUM, and is similar to the two previously mentioned. It is known for its ability to support plugins, so it can be specialised, making it versatile enough to adapt to various protection mechanisms.[1]\r\nIn 2017, Microsoft reported that PLATINUM had begun to exploit a feature of Intel CPUs.[14] The feature in question is Intel's AMT Serial-over-LAN (SOL), which allows a user to remotely control another computer, bypassing the host operating system of the target, including firewalls and monitoring tools within the host operating system.[14]\r\nMicrosoft advises users to apply all of their security updates to minimize vulnerabilities and to keep highly sensitive data out of large networks.[1] Because PLATINUM targets organizations, companies and government branches to acquire trade secrets, anyone working in or with such organizations can be a target for the group.[15]\r\nSee also\r\nIntel AMT § Known vulnerabilities and exploits\r\nTitanium (malware)\r\nReferences\r\n1. \"PLATINUM Targeted attacks in South and Southeast Asia\" (PDF). Windows Defender Advanced Threat Hunting Team (Microsoft). 2016. Retrieved 2017-06-10.\r\n2. Osborne, Charlie. \"Platinum hacking group abuses Windows patching system in active campaigns\". ZDNet. Retrieved 2017-06-09.\r\n3. Eduard Kovacs (2017-06-08). \"\"Platinum\" Cyberspies Abuse Intel AMT to Evade Detection\". SecurityWeek.Com. Retrieved 2017-06-10.\r\n4. Eduard Kovacs (2016-04-27). \"\"Platinum\" Cyberspies Abuse Hotpatching in Asia Attacks\". SecurityWeek.Com. Retrieved 2017-06-10.\r\n5. msft-mmpc (2016-04-26). \"Digging deep for PLATINUM – Windows Security\". Blogs.technet.microsoft.com. Retrieved 2017-06-10.\r\n6. Peter Bright (2017-06-09). \"Sneaky hackers use Intel management tools to bypass Windows firewall\". Ars Technica. Retrieved 2017-06-10.\r\n7. Tung, Liam (2014-07-22). \"Windows firewall dodged by 'hot-patching' spies using Intel AMT, says Microsoft\". ZDNet. Retrieved 2017-06-10.\r\n8. msft-mmpc (2017-06-07). \"PLATINUM continues to evolve, find ways to maintain invisibility – Windows Security\". Blogs.technet.microsoft.com. Retrieved 2017-06-10.\r\n9. Catalin Cimpanu (2017-06-08). \"Malware Uses Obscure Intel CPU Feature to Steal Data and Avoid Firewalls\". Bleepingcomputer.com. Retrieved 2017-06-10.\r\n10. Juha Saarinen (2017-06-08). \"Hackers abuse low-level management feature for invisible backdoor - Security\". iTnews. Retrieved 2017-06-10.\r\n11. Richard Chirgwin (2017-06-08). \"Vxers exploit Intel's Active Management for malware-over-LAN. Platinum attack spotted in Asia, needs admin credentials\". The Register. Retrieved 2017-06-10.\r\n12. Christof Windeck (2017-06-09). \"Intel-Fernwartung AMT bei Angriffen auf PCs genutzt | heise Security\". Heise.de. Retrieved 2017-06-10.\r\n13. \"PLATINUM activity group file-transfer method using Intel AMT SOL | Windows Security Blog | Channel 9\". Channel9.msdn.com. 2017-06-07. Retrieved 2017-06-10.\r\n14. \"Platinum hacker group uses Intel AMT\", Tad Group, 2017-09-25\r\n15. Liu, Jianhong (2017-07-15). Comparative Criminology in Asia. Springer. ISBN 9783319549422.\r\nSource: https://en.wikipedia.org/wiki/PLATINUM_(cybercrime_group)",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://en.wikipedia.org/wiki/PLATINUM_(cybercrime_group)"
	],
	"report_names": [
		"PLATINUM_(cybercrime_group)"
	],
	"threat_actors": [
		{
			"id": "7d8ef10e-1d7b-49a0-ab6e-f1dae465a1a4",
			"created_at": "2023-01-06T13:46:38.595679Z",
			"updated_at": "2026-04-10T02:00:03.033762Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"TwoForOne",
				"G0068",
				"ATK33"
			],
			"source_name": "MISPGALAXY:PLATINUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e61c46f7-88a1-421a-9fed-0cfe2eeb820a",
			"created_at": "2022-10-25T16:07:24.061767Z",
			"updated_at": "2026-04-10T02:00:04.854503Z",
			"deleted_at": null,
			"main_name": "Platinum",
			"aliases": [
				"ATK 33",
				"G0068",
				"Operation EasternRoppels",
				"TwoForOne"
			],
			"source_name": "ETDA:Platinum",
			"tools": [
				"AMTsol",
				"Adupib",
				"Adupihan",
				"Dipsind",
				"DvDupdate.dll",
				"JPIN",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"RedPepper",
				"RedSalt",
				"Titanium",
				"adbupd",
				"psinstrc.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33f527a5-a5da-496a-a48c-7807cc858c3e",
			"created_at": "2022-10-25T15:50:23.803657Z",
			"updated_at": "2026-04-10T02:00:05.333523Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"PLATINUM"
			],
			"source_name": "MITRE:PLATINUM",
			"tools": [
				"JPIN",
				"Dipsind",
				"adbupd"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434855,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/62619a8c42581dd6f02a9cc209334d5d79143154.pdf",
		"text": "https://archive.orkl.eu/62619a8c42581dd6f02a9cc209334d5d79143154.txt",
		"img": "https://archive.orkl.eu/62619a8c42581dd6f02a9cc209334d5d79143154.jpg"
	}
}