{
	"id": "571bd97c-29c2-4250-ad70-3ebf86e20192",
	"created_at": "2026-04-06T01:31:01.781227Z",
	"updated_at": "2026-04-10T13:12:33.556038Z",
	"deleted_at": null,
	"sha1_hash": "632db8148c2b720064e419a4dc414f7f03b560a3",
	"title": "Manjusaka: A Chinese sibling of Sliver and Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1238542,
	"plain_text": "Manjusaka: A Chinese sibling of Sliver and Cobalt Strike\r\nBy Asheer Malhotra\r\nPublished: 2022-08-02 · Archived: 2026-04-06 00:27:59 UTC\r\nTuesday, August 2, 2022 08:00\r\nCisco Talos recently discovered a new attack framework called \"Manjusaka\" being used in the wild that\r\nhas the potential to become prevalent across the threat landscape. This framework is advertised as an\r\nimitation of the Cobalt Strike framework.\r\nThe implants for the new malware family are written in the Rust language for Windows and Linux.\r\nA fully functional version of the command and control (C2), written in GoLang with a User Interface in\r\nSimplified Chinese, is freely available and can generate new implants with custom configurations with\r\nease, increasing the likelihood of wider adoption of this framework by malicious actors.\r\nWe recently discovered a campaign in the wild using lure documents themed around COVID-19 and the\r\nHaixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the\r\ndelivery of Cobalt Strike beacons on infected endpoints.\r\nWe have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka\r\nframework.\r\nIntroduction\r\nCisco Talos has discovered a relatively new attack framework, named \"Manjusaka\" by its authors (the name\r\ntranslates to \"cow flower\" from Simplified Chinese), being used in the wild.\r\nAs defenders, it is important to keep track of offensive frameworks such as Cobalt Strike and Sliver so that\r\nenterprises can effectively defend against attacks employing these tools. Although we haven't observed\r\nhttps://blog.talosintelligence.com/manjusaka-offensive-framework/\r\nPage 1 of 17\n\nwidespread usage of this framework in the wild, it has the potential to be adopted by threat actors all over the\r\nworld. This disclosure from Talos intends to provide early notification of the usage of Manjusaka. 
We also detail\r\nthe framework's capabilities and the campaign that led to the discovery of this attack framework in the wild.\r\nThe research started with a malicious Microsoft Word document (maldoc) that contained a Cobalt Strike (CS)\r\nbeacon. The lure on this document mentioned a COVID-19 outbreak in Golmud City, one of the largest cities in\r\nthe Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. During the investigation, Cisco Talos\r\nfound no direct link between the campaign and the framework developers, aside from the usage of the framework\r\n(which is freely available on GitHub). We also could not find any data that would support defining the\r\nvictimology. This is understandable given the low number of victims, which indicates the early stages of the\r\ncampaign, as further supported by the maldoc metadata indicating it was created in the second half of June 2022.\r\nWhile investigating the maldoc infection chain, we found an implant used to instrument Manjusaka infections,\r\ncontacting the same IP address as the CS beacon. This implant is written in the Rust programming language and\r\nwe found samples for Windows and Linux operating systems. The Windows implant included test samples, which\r\nhad non-internet-routable IP addresses as command and control (C2). Talos also discovered the Manjusaka C2\r\nexecutable — a fully functional C2 ELF binary written in GoLang with a User Interface in Simplified Chinese —\r\non GitHub. While analyzing the C2, we generated implants by specifying our configurations. The developer\r\nadvertises it as an adversary implant framework similar to Cobalt Strike or Sliver.\r\nThe developers have provided a design diagram of the Manjusaka framework illustrating the communications\r\nbetween the various components. A lot of these components haven't been implemented in the C2 binary available\r\nfor free. 
Therefore, it is likely that either:\r\nThe framework is actively under development with these capabilities coming soon OR\r\nThe developer intends to or is already providing these capabilities via a service/tool to purchase - and the\r\nC2 available for free is just a demo copy for evaluation.\r\nManjusaka design\r\nManjusaka attack framework\r\nThe malware implant is a RAT family called \"Manjusaka.\" The C2 is an ELF binary written in GoLang, while the\r\nimplants are written in the Rust programming language, consisting of a variety of capabilities that can be used to\r\ncontrol the infected endpoint, including executing arbitrary commands. We discovered EXE and ELF versions of\r\nthe implant. The sample sets for both platforms have almost the same RAT functionality and communication\r\nmechanisms.\r\nCommunications\r\nThe sample makes HTTP requests to a fixed address http[:]//39[.]104[.]90[.]45/global/favicon.png, carrying a\r\nfixed session cookie defined by the sample rather than by the server. The session cookie in the HTTP requests is\r\nbase64 encoded and contains a compressed copy of binary data representing a combination of random bytes and\r\npreliminary system information used to fingerprint and register the infected endpoint with the C2. The image\r\nbelow shows the information used to generate such a session cookie.\r\nThe information on the cookie is arranged as described in the table below before it is compressed and encoded\r\ninto base64.\r\nCommunication follows a regular pattern: the implant makes a request to a URL, in this case\r\n'/global/favicon.png', as seen in the image below.\r\nEven though the request is an HTTP GET, it sends two bytes that are 0x191a as data. 
The reply is always the\r\nsame, consisting of five bytes 0x1a1a6e0429. This is the C2's standard reply, which does not correspond to any\r\naction on the implant.\r\nIf the session cookie is not provided, the server will reply with a 302 code redirecting to http[:]//micsoft[.]com\r\nwhich is also redirected, this time with a 301, to http[:]//wwwmicsoft[.]com. At the time of publishing, the\r\nredirection seems like a trick to distract researchers. Talos could not find any direct correlation between the\r\ndomains and the authors and/or operators of this C2.\r\nImplant capabilities\r\nThe implant consists of a multitude of remote access trojan (RAT) capabilities that include some standard\r\nfunctionality and a dedicated file management module.\r\nSwitch cases for handling the various requests received from the C2.\r\nCOMMANDS SERVICED BY THE RAT\r\nThe implant can perform the following functions on the infected endpoint based on the request and accompanying\r\ndata received from the C2 server:\r\nExecute arbitrary commands: The implant can run arbitrary commands on the system using \"cmd.exe /c\".\r\nGet file information for a specified file: Creation and last write times, size, volume serial number and file\r\nindex.\r\nGet information about the current network connections (TCP and UDP) established on the system,\r\nincluding local network addresses, remote addresses and owning Process IDs (PIDs).\r\nCollect browser credentials: Specifically for Chromium-based browsers using the query: SELECT\r\nsignon_realm, username_value, password_value FROM logins ; Browsers targeted: Google Chrome,\r\nChrome Beta, Microsoft Edge, 360 (Qihoo), QQ Browser (Tencent), Opera, Brave and Vivaldi.\r\nCollect Wi-Fi SSID information, including passwords using the command: netsh wlan show 
profile\r\n\u003cWIFI_NAME\u003e key=clear\r\nObtain Premiumsoft Navicat credentials: Navicat is a graphical database management utility that can\r\nconnect to a variety of DB types such as MySQL, Mongo, Oracle, SQLite, PostgreSQL, etc. The implant\r\nenumerates the registry keys of the installed software for each configured DB server and obtains the Port,\r\nUserName and Password (Pwd) values.\r\nTake screenshots of the current desktop.\r\nObtain comprehensive system information from the endpoint, including:\r\nSystem memory global information.\r\nProcessor power information.\r\nCurrent and critical temperature readings from WMI using \"SELECT * FROM\r\nMSAcpi_ThermalZoneTemperature\"\r\nInformation on the network interfaces connected to the system: Names\r\nProcess and System times: User time, exit time, creation time, kernel time.\r\nProcess module names.\r\nDisk and drive information: Volume serial number, name, root path name and disk free space.\r\nNetwork account names, local groups.\r\nWindows build and major version numbers.\r\nActivate the file management module to carry out file-related activities.\r\nFILE MANAGEMENT CAPABILITIES\r\nThe file management capabilities of the implant include:\r\nFile enumeration: List files in a specified location on disk. This is essentially the \"ls\" command.\r\nCreate directories on the file system.\r\nGet and set the current working directory.\r\nObtain the full path of a file.\r\nDelete files and remove directories on disk.\r\nMove files between two locations. Copy the file to a new location and delete the old copy.\r\nCopy file operation, carried out as part of the move.\r\nRead and write data to and from the file.\r\nELF variant\r\nThe ELF variant consists of largely the same set of functionalities as its Windows counterpart. 
However, two\r\nkey functionalities missing in the ELF variant are the ability to collect credentials from Chromium-based browsers\r\nand harvest Wi-Fi login credentials.\r\nJust like the Windows version, the ELF variant also collects a variety of system-specific information from the\r\nendpoint:\r\nGlobal system information such as page size, clock tick count, current time, hostname, version, release,\r\nmachine ID, etc.\r\nSystem memory information from /proc/meminfo including cached memory size, free and total memory,\r\nswap memory sizes and Slab memory sizes.\r\nSystem uptime from /proc/uptime: System uptime and idle time of cores.\r\nOS identification information from /proc/os-release and lsb-release.\r\nKernel activity information from /proc/stat.\r\nCPU information from /proc/cpuinfo and /sys/devices/system/cpu/cpu*/cpufreq/scaling_max_freq\r\nTemperature information from /sys/class/hwmon and /sys/class/thermal/thermal_zone*/temp\r\nNetwork interfaces information and statistics from /sys/class/net.\r\nDevice mount and file system information. SCSI device information.\r\nAccount information from /etc/passwd and group lists of users.\r\nBoth versions contain functionally equivalent file management modules that are used exclusively for managing\r\nfiles and directories on the infected system.\r\nEXE vs ELF versions of the implant containing functionally equivalent file management modules.\r\nCommand and control server\r\nDuring our investigation, we discovered a copy of the C2 server binary for Manjusaka hosted on\r\nGitHub at hxxps://github[.]com/YDHCUI/manjusaka.\r\nIt can monitor and administer an infected endpoint and can generate corresponding payloads for Windows and\r\nLinux. 
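What that generation step does to the embedded skeleton implant is a byte-level hot-patch of fixed-length placeholder runs: 0x21 bytes of '$' for the C2 IP/domain and 0x21 bytes of '*' for the extended URL, as detailed later in this section. The Python below is an added example written for this page, not Talos tooling and not the Manjusaka C2's own source. It reproduces that patching on a constructed skeleton buffer and, more usefully for triage, recovers the configured C2 address and URL from a generated implant; the SKELETON buffer, build_implant and extract_config are this example's own constructions, and the hex of the patched C2 field matches the byte listing given further down.

```python
# Added example for this page (not Talos tooling and not the Manjusaka C2 source):
# reproduces the placeholder hot-patching the C2 performs on its skeleton implant and
# recovers the patched values from a generated implant. SKELETON is a constructed
# stand-in for the embedded plugins/npc.exe; real implants carry these runs inside a
# full PE/ELF, but the same search works on the raw file bytes.
PLACEHOLDER_LEN = 0x21               # 33 repetitions, as stated in the post
C2_MARKER = b'$' * PLACEHOLDER_LEN   # placeholder for the C2 IP/domain
URL_MARKER = b'*' * PLACEHOLDER_LEN  # placeholder for the extended C2 URL
SKELETON = b'CONFIG:' + C2_MARKER + b'|' + URL_MARKER + b'|END'  # constructed sample


def patch_placeholder(blob, marker, value):
    '''Overwrite the first occurrence of marker with value; leftover marker bytes stay as padding.'''
    value = value.encode('ascii')
    if len(value) > len(marker):
        raise ValueError('value longer than placeholder run')
    start = blob.find(marker)
    if start < 0:
        raise ValueError('placeholder run not found')
    return blob[:start] + value + marker[len(value):] + blob[start + len(marker):]


def build_implant(skeleton, c2_addr, ext_url):
    '''Mimic the C2 server: patch the IP/domain, then the extended URL, into the skeleton.'''
    patched = patch_placeholder(skeleton, C2_MARKER, c2_addr)
    return patch_placeholder(patched, URL_MARKER, ext_url)


def pad_runs(blob, pad_byte):
    '''Yield (start, length) for every maximal run of pad_byte in blob.'''
    i = 0
    while True:
        i = blob.find(pad_byte, i)
        if i < 0:
            return
        j = i
        while j < len(blob) and blob[j:j + 1] == pad_byte:
            j += 1
        yield i, j - i
        i = j


def extract_config(blob, pad_byte, min_pad=4):
    '''Recover the value written over a placeholder run of pad_byte.

    The field is always PLACEHOLDER_LEN bytes: the value followed by the leftover pad
    bytes, so value length = PLACEHOLDER_LEN - length of the pad run. A run that is
    still PLACEHOLDER_LEN long means the field was never patched (skeleton or test
    build). min_pad skips short incidental runs elsewhere in a binary; the default
    still finds values up to 29 bytes.
    '''
    for start, run in pad_runs(blob, pad_byte):
        if run < min_pad:
            continue
        value_len = PLACEHOLDER_LEN - min(run, PLACEHOLDER_LEN)
        if value_len == 0 or value_len > start:
            continue
        value = blob[start - value_len:start]
        if value.isascii() and value.decode('ascii').isprintable():
            return value.decode('ascii')
    return None


if __name__ == '__main__':
    implant = build_implant(SKELETON, '39.104.90.45', '/global/favicon.png')
    print(implant[7:40].hex().upper())          # the patched 33-byte C2 field
    print(extract_config(implant, b'$'), extract_config(implant, b'*'))
    print(extract_config(SKELETON, b'$'))       # None: still the unpatched skeleton
```

Against a real sample, extract_config(open(path, 'rb').read(), b'$') returns the configured address, or None for one of the unpatched test builds; lower min_pad if a value longer than 29 bytes is expected, at the cost of more false candidates from stray '$' runs.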
The payloads generated are the Rust implants described earlier.\r\nThe C2 server and admin panel are primarily built on the Gin Web Framework which is used to administer and\r\nissue commands to the Rust-based implants/stagers.\r\nC2 server implant generation prompt.\r\nAfter filling in the options, the operator presses the \"generate\" button. This fires a GET request to the C2\r\nfollowing the format below.\r\nhttp://\u003cC2_IP_ADDRESS\u003e:\u003cPort\u003e/agent?c=\u003cC2_IP_ADDRESS\u003e:\u003cPORT\u003e\u0026t=\r\n\u003cEXTENDED_URL_for_C2\u003e\u0026k=\u003cENCRYPTION_KEY\u003e\u0026w=true\r\nThe C2 server will then generate a configured Rust-based implant for the operator. The C2 uses packr to embed\r\nthe unconfigured Rust-based implant inside the C2 binary, so a single packaged C2 binary can generate\r\nimplants without any external dependencies.\r\nThe C2 will open a \"box\" — i.e., a virtual folder within the GoLang-based C2 binary — that consists of a dummy\r\nRust implant at location \"plugins/npc.exe\". This executable is a pre-built version of the Rust implant that is then\r\nhot-patched by the C2 server based on the C2 information entered by the operator via the Web UI.\r\nThe skeleton Rust implant contains placeholders for the C2 IP/domain and the extended URLs in the form of\r\nthe special characters \"$\" and \"*\" respectively, each repeated 0x21 (33) times.\r\nE.g. 
The placeholder for the C2 IP/Domain in the dummy implant is (hex):\r\n24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24\r\nwhich is then replaced by the C2 with an IP address such as:\r\n33 39 2E 31 30 34 2E 39 30 2E 34 35 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24\r\nThe hot-patched binary is then served to the operator to download in response to the HTTP GET request from\r\nearlier.\r\nTHE CAMPAIGN: INFECTION CHAIN\r\nWe also discovered a related campaign in which a maldoc was distributed to targets, leading to the\r\ndeployment of Cobalt Strike beacons on the infected systems.\r\nThe infection chain involves the use of a maldoc masquerading as a report and advisory on the COVID-19\r\npandemic in Golmud City, one of the largest cities in the Haixi Mongol and Tibetan Autonomous Prefecture,\r\nQinghai Province — specifically citing a case of COVID-19 and the subsequent contact tracing of individuals.\r\nMaldoc lure masquerading as a report on a COVID-19 case in Golmud City.\r\nMaldoc analysis\r\nThe maldoc contains a VBA macro that executes rundll32.exe and injects Metasploit shellcode (Stage 1) into the\r\nprocess to download and execute the next stage (Stage 2) in memory.\r\nThe Stage 1 shellcode reached out to 39[.]104[.]90[.]45/2WYz.\r\nStage 1 shellcode downloading the next stage (Stage 2) from a remote location.\r\nStage 2 analysis\r\nThe next stage payload downloaded from the remote location is yet another shellcode that consists of:\r\nXOR-encoded executable: the Cobalt Strike beacon.\r\nShellcode for decoding and reflectively loading the Cobalt Strike beacon into memory.\r\nCode for decoding Stage 3 (Cobalt Strike beacon) in memory 
and executing it from the beginning of\r\nthe MZ.\r\nStage 3: Cobalt Strike beacon\r\nThe Cobalt Strike beacon decoded by the previous stage is then executed from the beginning of the MZ file. The\r\nbeacon can reflectively load itself into the memory of the current process.\r\nThe beacon calculates and calls into the address of the DLL export, which enables it to reflectively load into\r\nthe current process.\r\nThe beacon's config is XOR-encoded with the single-byte key 0x4D. The configuration is:\r\nBeaconType - HTTPS\r\nPort - 443\r\nSleepTime - 60000\r\nMaxGetSize - 1048576\r\nJitter - 0\r\nMaxDNS - Not Found\r\nPublicKey -\r\nb'0\\x81\\x9f0\\r\\x06\\t*\\x86H\\x86\\xf7\\r\\x01\\x01\\x01\\x05\\x00\\x03\\x81\\x8d\\x000\\x81\\x89\\x02\\x81\\x81\\x00\\x95\\xe2\\xd1\\x\r\nC2Server - 39[.]104[.]90[.]45,/IE9CompatViewList.xml\r\nUserAgent - Not Found\r\nHttpPostUri - /submit.php\r\nHttpGet_Metadata - Not Found\r\nHttpPost_Metadata - Not Found\r\nSpawnTo - b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\r\nPipeName - Not Found\r\nDNS_Idle - Not Found\r\nDNS_Sleep - Not Found\r\nSSH_Host - Not Found\r\nSSH_Port - Not Found\r\nSSH_Username - Not Found\r\nSSH_Password_Plaintext - Not Found\r\nSSH_Password_Pubkey - Not Found\r\nHttpGet_Verb - GET\r\nHttpPost_Verb - POST\r\nHttpPostChunk - 0\r\nSpawnto_x86 - %windir%\\syswow64\\rundll32.exe\r\nSpawnto_x64 - %windir%\\sysnative\\rundll32.exe\r\nCryptoScheme - 0\r\nProxy_Config - Not Found\r\nProxy_User - Not Found\r\nProxy_Password - Not Found\r\nProxy_Behavior - Use IE settings\r\nWatermark - 999999\r\nbStageCleanup - False\r\nbCFGCaution - False\r\nKillDate - 0\r\nbProcInject_StartRWX - True\r\nbProcInject_UseRWX - True\r\nbProcInject_MinAllocSize - 0\r\nProcInject_PrependAppend_x86 - Empty\r\nProcInject_PrependAppend_x64 - 
Empty\r\nProcInject_Execute - CreateThread\r\nSetThreadContext\r\nCreateRemoteThread\r\nRtlCreateUserThread\r\nProcInject_AllocationMethod - VirtualAllocEx\r\nbUsesCookies - True\r\nATTRIBUTION\r\nBefore even thinking about attribution, it's important to distinguish between the developer of the malware and\r\nthe campaign operators. The C2 binary is fully functional (although limited in features), self-contained and\r\npublicly available, which means that anyone could have downloaded it and used it in the campaign we discovered.\r\nAs such, we have decided to list the data points that could be interpreted as a possible indicator and encourage the\r\ncommunity to perform the analysis and add other data points that might contribute to the attribution, either for the\r\ncampaign or for the developers behind the framework.\r\nFor this campaign, there isn't much to lead to formal attribution with any confidence, besides the fact that the\r\nmaldoc refers to a COVID-19 outbreak in Golmud City, offering a detailed timeline of the outbreak.\r\nFor the developer of Manjusaka, we have several indicators:\r\nThe Rust-based implant does not use the standard crates.io registry for dependency resolution.\r\nInstead, it was manually configured by the developers to use the mirror located at ustc[.]edu[.]cn, which\r\nstands for the University of Science and Technology of China.\r\nThe C2 menus and options are all written in Simplified Chinese.\r\nOur OSINT suggests that the author of this framework is located in the GuangDong region of China.\r\nCONCLUSION\r\nThe availability of the Manjusaka offensive framework is an indication of the popularity of widely available\r\noffensive technologies with both crimeware and APT operators. This new attack framework contains all the\r\nfeatures one would expect from an implant, but it is written in modern, portable programming languages. 
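Returning to the Stage 3 beacon configuration listed earlier: recovering such a listing from a beacon means undoing the single-byte XOR (0x4D for this sample) and walking the TLV entries underneath. The Python below is an added example written for this page, not Talos's tooling and not Cobalt Strike code. The entry layout and the index and beacon-type tables follow the widely documented beacon configuration format and are assumptions of this example, and the sample blob is constructed from the listed values rather than extracted from the real beacon.

```python
# Added example for this page (not Talos tooling and not Cobalt Strike code): decode a
# beacon configuration block that was XOR-encoded with a single-byte key and walk its
# TLV entries. Assumed layout (widely documented): each entry is index, type and length
# as big-endian uint16 followed by the value; type 1 = uint16, type 2 = uint32,
# type 3 = raw bytes; an entry with index 0 terminates the list. The tables below only
# cover the fields this example needs; real parsers carry the full tables.
import struct

FIELD_NAMES = {1: 'BeaconType', 2: 'Port', 3: 'SleepTime', 4: 'MaxGetSize', 5: 'Jitter',
               6: 'MaxDNS', 7: 'PublicKey', 8: 'C2Server', 9: 'UserAgent',
               10: 'HttpPostUri', 37: 'Watermark'}
BEACON_TYPES = {0: 'HTTP', 1: 'Hybrid HTTP DNS', 2: 'SMB', 4: 'TCP', 8: 'HTTPS', 16: 'Bind TCP'}
SAMPLE_KEY = 0x4D   # the key reported for the beacon in this campaign


def xor_decode(blob, key):
    '''Undo the single-byte XOR applied to the configuration block.'''
    return bytes(b ^ key for b in blob)


def encode_entry(index, kind, value):
    '''Build one TLV entry (used only to construct the sample blob below).'''
    if kind == 1:
        data = struct.pack('>H', value)
    elif kind == 2:
        data = struct.pack('>I', value)
    else:
        data = value
    return struct.pack('>HHH', index, kind, len(data)) + data


def parse_config(plain):
    '''Walk decoded TLV entries into a name -> value dict; stops at index 0.'''
    cfg = {}
    off = 0
    while off + 6 <= len(plain):
        index, kind, length = struct.unpack_from('>HHH', plain, off)
        off += 6
        if index == 0:
            break
        data = plain[off:off + length]
        off += length
        if kind == 1:
            value = struct.unpack('>H', data)[0]
        elif kind == 2:
            value = struct.unpack('>I', data)[0]
        else:
            # string fields are NUL-padded to a fixed size in real configs
            value = data.rstrip(bytes(1)).decode('latin-1')
        name = FIELD_NAMES.get(index, 'Field%d' % index)
        if name == 'BeaconType':
            value = BEACON_TYPES.get(value, value)
        cfg[name] = value
    return cfg


def find_xor_key(encoded):
    '''Brute-force the key: a config always starts with entry index 1, type 1, length 2.'''
    expected = struct.pack('>HHH', 1, 1, 2)
    for key in range(256):
        if xor_decode(encoded[:6], key) == expected:
            return key
    return None


def decode_config(encoded, key=None):
    '''Recover the key if not given, then XOR-decode and parse the block.'''
    if key is None:
        key = find_xor_key(encoded)
        if key is None:
            raise ValueError('no single-byte key yields a valid config header')
    return parse_config(xor_decode(encoded, key))


# Constructed sample: the values from the listing, re-encoded and XORed with 0x4D.
SAMPLE_PLAIN = (encode_entry(1, 1, 8) + encode_entry(2, 1, 443) + encode_entry(3, 2, 60000)
                + encode_entry(4, 2, 1048576) + encode_entry(5, 1, 0)
                + encode_entry(8, 3, b'39[.]104[.]90[.]45,/IE9CompatViewList.xml' + bytes(4))
                + encode_entry(10, 3, b'/submit.php' + bytes(3))
                + encode_entry(37, 2, 999999) + bytes(6))
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == '__main__':
    print('key = 0x%02X' % find_xor_key(SAMPLE_ENCODED))
    for name, value in decode_config(SAMPLE_ENCODED).items():
        print(name, value)
```

find_xor_key relies on the first entry always being BeaconType (index 1, type 1, length 2), which is why the single-byte XOR offers no real protection: the known header gives the key away. On a real sample, search the decoded image for that six-byte header under each candidate key instead of assuming it sits at offset 0.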
The developer of the framework can easily integrate new target platforms like macOS\r\nor more exotic flavors of Linux such as those running on embedded devices. The fact that the developer made a fully\r\nfunctional version of the C2 available increases the chances of wider adoption of this framework by malicious\r\nactors.\r\nOrganizations must be diligent against such easily available tools and frameworks that can be misused by a variety\r\nof threat actors. Defense-in-depth strategies based on a risk analysis approach deliver the best preventive\r\nresults. However, they should always be complemented by a good incident response plan, one that has not only\r\nbeen tested with tabletop exercises but is also reviewed and improved every time it is put to the test in real\r\nincidents.\r\nCOVERAGE\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIOCS\r\nIOCs for this research can also be found at our Github repository here.\r\nHashes\r\nMALDOC AND CS BEACON SAMPLES\r\n58a212f4c53185993a8667afa0091b1acf6ed5ca4ff8efa8ce7dae784c276927\r\n8e7c4df8264d33e5dc9a9d739ae11a0ee6135f5a4a9e79c354121b69ea901ba6\r\n54830a7c10e9f1f439b7650607659cdbc89d02088e1ab7dd3e2afb93f86d4915\r\nRUST SAMPLES\r\n8e9ecd282655f0afbdb6bd562832ae6db108166022eb43ede31c9d7aacbcc0d8\r\na8b8d237e71d4abe959aff4517863d9f570bba1646ec4e79209ec29dda64552f\r\n3f3eb6fd0e844bc5dad38338b19b10851083d078feb2053ea3fe5e6651331bf2\r\n0b03c0f3c137dacf8b093638b474f7e662f58fef37d82b835887aca2839f529b\r\nC2 BINARIES\r\nfb5835f42d5611804aaa044150a20b13dcf595d91314ebef8cf6810407d85c64\r\n955e9bbcdf1cb230c5f079a08995f510a3b96224545e04c1b1f9889d57dd33c1\r\nURLs\r\nhttps[://]39[.]104[.]90[.]45/2WYz\r\nhttp[://]39[.]104[.]90[.]45/2WYz\r\nhttp[://]39[.]104[.]90[.]45/IE9CompatViewList.xml\r\nhttp[://]39[.]104[.]90[.]45/submit.php\r\nUSER-AGENTS\r\nMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\r\nMozilla/5.0 (Windows NT 8.0; WOW64; rv:58.0) Gecko/20120102 Firefox/58\r\nMozilla/5.0 (Windows NT 8.0; WOW64; rv:40.0) Gecko\r\nIPs\r\n39[.]104[.]90[.]45\r\nSource: 
https://blog.talosintelligence.com/manjusaka-offensive-framework/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/manjusaka-offensive-framework/"
	],
	"report_names": [
		"manjusaka-offensive-framework"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439061,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/632db8148c2b720064e419a4dc414f7f03b560a3.pdf",
		"text": "https://archive.orkl.eu/632db8148c2b720064e419a4dc414f7f03b560a3.txt",
		"img": "https://archive.orkl.eu/632db8148c2b720064e419a4dc414f7f03b560a3.jpg"
	}
}