{
	"id": "a8431a65-6f49-4ce7-9348-eb7b56f45cd7",
	"created_at": "2026-04-06T00:09:40.677072Z",
	"updated_at": "2026-04-10T13:11:43.576069Z",
	"deleted_at": null,
	"sha1_hash": "6334806dd0432eac1530a599f02e993881e0a5f2",
	"title": "Bitdefender Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7551990,
	"plain_text": "Bitdefender Labs\r\nBy Bitdefender\r\nArchived: 2026-04-02 10:45:07 UTC\r\nConsumer Insights Labs Business Insights\r\nAnti-Malware Research\r\nWindows and macOS Malware Spreads via Fake “Claude Code” Google Ads\r\nIonut Alexandru BALTARIU Silviu STAHIE\r\nMarch 11, 2026\r\n5 min read\r\nTop Stories\r\nScam Research\r\nActive Subscription Scam Campaigns Flooding the Internet\r\nAnti-Malware Research\r\nInfected Minecraft Mods Lead to Multi-Stage, Multi-Platform Infostealer Malware\r\nIoT Research\r\nWhitepapers\r\nVulnerabilities identified in Amazon Fire TV Stick, Insignia FireOS TV Series\r\nlatest Anti-Malware Research\r\nView all posts\r\nhttps://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/\r\nPage 1 of 13\n\nAnti-Malware Research\r\nWindsurf IDE Extension Drops Malware via Solana Blockchain\r\nRaul Vasile BUCUR Silviu STAHIE\r\nMarch 18, 2026\r\n5 min read\r\nAnti-Malware Research\r\nhttps://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/\r\nPage 2 of 13\n\nWindows and macOS Malware Spreads via Fake “Claude Code” Google Ads\r\nIonut Alexandru BALTARIU Silviu STAHIE\r\nMarch 11, 2026\r\n5 min read\r\nAnti-Malware Research\r\nLummaStealer Is Getting a Second Life Alongside CastleLoader\r\nBogdan Ionut Lazar Manuel Dragomir Janos Gergo SZELES\r\nFebruary 11, 2026\r\n18 min read\r\nlatest IoT Research\r\nhttps://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/\r\nPage 3 of 13\n\nIoan Alexandru MELNICIUC Paul SATMAREAN\r\nDecember 09, 2025\r\n4 min read\r\nIoT Research\r\nCVE-2025-55182 Exploitation Hits the Smart Home\r\nWhitepapers IoT Research\r\nhttps://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/\r\nPage 4 of 13\n\nVulnerabilities Identified in Dahua Hero C1 Smart Cameras\r\nBitdefender\r\nJuly 30, 2025\r\n4 min read\r\nIoT Research Whitepapers\r\n60 Hurts per Second – How We Got Access to Enough Solar Power to Run the United States\r\nIoan Alexandru MELNICIUC Alexandru LAZĂR George CABĂU Radu Alexandru BASARABA\r\nAugust 07, 2024\r\n9 min read\r\nhttps://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/\r\nPage 5 of 13\n\nIoT Research\r\nNotes on ThroughTek Kalay Vulnerabilities and Their Impact on the IoT Ecosystem\r\nBitdefender\r\nMay 15, 2024\r\n3 min read\r\nAll\r\nAnti-Malware Research\r\nFree Tools\r\nWhitepapers\r\nhttps://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/\r\nPage 6 of 13\n\nAnti-Malware Research\r\nWindsurf IDE Extension Drops Malware via Solana Blockchain\r\nRaul Vasile BUCUR Silviu STAHIE\r\nMarch 18, 2026\r\n5 min read\r\nAnti-Malware Research\r\nhttps://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/\r\nPage 7 of 13\n\nWindows and macOS Malware Spreads via Fake “Claude Code” Google Ads\r\nIonut Alexandru BALTARIU Silviu STAHIE\r\nMarch 11, 2026\r\n5 min read\r\nScam Research\r\nGlobal Scam Machines: Inside a Meta-Powered Investment Fraud Ecosystem Spanning 25\r\nCountries\r\nAlecsandru Cătălin DAJ Alexandra-Svetlana Dinulica (Bocereg) Alina BÎZGĂ\r\nMarch 09, 2026\r\n16 min read\r\nhttps://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/\r\nPage 8 of 13\n\nAnti-Malware Research\r\nLummaStealer Is Getting a Second Life Alongside CastleLoader\r\nBogdan Ionut Lazar Manuel Dragomir Janos Gergo SZELES\r\nFebruary 11, 2026\r\n18 min read\r\nAnti-Malware Research\r\nHelpful Skills or Hidden Payloads? Bitdefender Labs Dives Deep into the OpenClaw Malicious\r\nSkill Trap\r\nhttps://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/\r\nPage 9 of 13\n\nAndrei ANTON-AANEI Ingrid Stoleru Alina BÎZGĂ\r\nFebruary 05, 2026\r\n8 min read\r\nAnti-Malware Research\r\nAndroid Trojan Campaign Uses Hugging Face Hosting for RAT Payload Delivery\r\nAlecsandru Cătălin DAJ Silviu STAHIE\r\nJanuary 29, 2026\r\n7 min read\r\nRight now Top posts\r\nhttps://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/\r\nPage 10 of 13\n\nScam Research\r\nActive Subscription Scam Campaigns Flooding the Internet\r\nApril 30, 2025\r\nAnti-Malware Research\r\nInfected Minecraft Mods Lead to Multi-Stage, Multi-Platform Infostealer Malware\r\nJune 08, 2023\r\nIoT Research\r\nWhitepapers\r\nVulnerabilities identified in Amazon Fire TV Stick, Insignia FireOS TV Series\r\nMay 02, 2023\r\nhttps://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/\r\nPage 11 of 13\n\nAnti-Malware Research Whitepapers\r\nEyeSpy - Iranian Spyware Delivered in VPN Installers\r\nJanuary 11, 2023\r\nAnti-Malware Research Free Tools\r\nBitdefender Partnership with Law Enforcement Yields MegaCortex Decryptor\r\nJanuary 05, 2023\r\nAnti-Malware Research Whitepapers\r\nBackdoorDiplomacy Wields New Tools in Fresh Middle East Campaign\r\nDecember 06, 2022\r\nBookmarks\r\nYou have no bookmarks yet. Tap\r\nto read it later.\r\nhttps://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/\r\nPage 12 of 13\n\nSource: https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/\r\nhttps://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/\r\nPage 13 of 13",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/"
	],
	"report_names": [
		"operation-pzchao-a-possible-return-of-the-iron-tiger-apt"
	],
	"threat_actors": [
		{
			"id": "709ceea7-db99-405e-b5a7-a159e6c307e0",
			"created_at": "2022-10-25T16:07:23.373699Z",
			"updated_at": "2026-04-10T02:00:04.571971Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [],
			"source_name": "ETDA:BackdoorDiplomacy",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3b56d733-88da-4394-b150-d87680ce67e4",
			"created_at": "2023-01-06T13:46:39.287189Z",
			"updated_at": "2026-04-10T02:00:03.274816Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [
				"BackDip",
				"CloudComputating",
				"Quarian"
			],
			"source_name": "MISPGALAXY:BackdoorDiplomacy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "401a2035-ed5a-4795-8e37-8b7465484751",
			"created_at": "2022-10-25T15:50:23.616232Z",
			"updated_at": "2026-04-10T02:00:05.304705Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [
				"BackdoorDiplomacy"
			],
			"source_name": "MITRE:BackdoorDiplomacy",
			"tools": [
				"Turian",
				"China Chopper",
				"Mimikatz",
				"NBTscan",
				"QuasarRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434180,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6334806dd0432eac1530a599f02e993881e0a5f2.pdf",
		"text": "https://archive.orkl.eu/6334806dd0432eac1530a599f02e993881e0a5f2.txt",
		"img": "https://archive.orkl.eu/6334806dd0432eac1530a599f02e993881e0a5f2.jpg"
	}
}