{
	"id": "09fa0af6-723a-4916-8c5d-f95fd19f6ef2",
	"created_at": "2026-04-06T00:22:22.940972Z",
	"updated_at": "2026-04-10T13:13:00.038503Z",
	"deleted_at": null,
	"sha1_hash": "689ab0ff0ca52e104721e086aab3508e2ff1d8d9",
	"title": "Chinese Playful Taurus Activity in Iran",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 122874,
	"plain_text": "Chinese Playful Taurus Activity in Iran\r\nBy Unit 42\r\nPublished: 2023-01-18 · Archived: 2026-04-05 17:21:25 UTC\r\nExecutive Summary\r\nPlayful Taurus, also known as APT15, BackdoorDiplomacy, Vixen Panda, Ke3chang and NICKEL, is a Chinese\r\nadvanced persistent threat group that routinely conducts cyber espionage campaigns. The group has been active\r\nsince at least 2010 and has historically targeted government and diplomatic entities across North and South\r\nAmerica, Africa and the Middle East.\r\nIn June 2021, ESET reported that this group had upgraded their toolkit to include a new backdoor called Turian.\r\nThis backdoor remains under active development and we assess that it is used exclusively by Playful Taurus\r\nactors. Following the evolution of this capability, we recently identified new variants of this backdoor as well as\r\nnew command and control infrastructure. Analysis of both the samples and connections to the malicious\r\ninfrastructure suggests that several Iranian government networks have likely been compromised by Playful\r\nTaurus.\r\nPalo Alto Networks customers receive protections from the threats described in this blog through Advanced URL\r\nFiltering, DNS Security, Cortex XDR and WildFire malware analysis.\r\nNames for Threat Actor Group Discussed: Playful Taurus, APT15, BackdoorDiplomacy, Vixen Panda, NICKEL\r\nPlayful Taurus Infrastructure\r\nIn 2021, the domain vpnkerio[.]com was identified as part of a Playful Taurus campaign targeting diplomatic\r\nentities and telecommunications companies across Africa and the Middle East. Since then, this domain and its\r\nassociated subdomains have shifted hosting to several new IP addresses. 
Notably, several of the subdomains\r\ncurrently resolve to 152.32.181[.]16.\r\nAnalyzing this IP, we identified an expired X.509 certificate that appeared to be associated with Senegal’s\r\nMinistry of Foreign Affairs (MFA), CN=diplosen.gouv[.]sn.\r\nhttps://unit42.paloaltonetworks.com/playful-taurus/\r\nPage 1 of 10\n\nSuspected Playful Taurus X509 Certificate\r\nSHA-1: cfd9884511f2b5171c00570da837c31094e2ec72\r\nIssued: 2020-04-23\r\nExpires: 2021-04-29\r\nCommon Name: diplosen.gouv[.]sn\r\nOrganization Name: DigiCert, Inc.\r\nSSL Version: 3\r\nLocality: Dakar\r\nCountry: SN\r\nTable 1. Suspected Playful Taurus certificate.\r\nDespite expiring in April 2021, this certificate continued to be associated with recent infrastructure. For example,\r\nthis certificate was first observed on 152.32.181[.]16 in April 2022, a full year after it had expired. That same month,\r\nsubdomains for vpnkerio[.]com began resolving to this IP.\r\nExploring all IP associations with this certificate, we found that this certificate was initially associated with what\r\nwe assess is likely legitimate Senegal government infrastructure. This association remained consistent until the\r\nexpiration of the certificate in April 2021. Following its expiration, this certificate has been associated with nine\r\ndifferent IP addresses. 
Eight of those nine IPs have hosted Playful Taurus domains.\r\nObserved Activity\r\nMonitoring connections to the malicious infrastructure, we observed the following four Iranian organizations\r\nattempting to connect to 152.32.181[.]16 between July and late December 2022.\r\nIranian Connections to Playful Taurus Infrastructure\r\nIP Address | Organization\r\n109.201.27[.]66 | Iranian Government Infrastructure\r\n185.4.17[.]10 | Foreign Ministry of Iran Infrastructure\r\n37.156.28[.]101 | Suspected Iranian Government Infrastructure\r\n37.156.29[.]172 | Suspected Iranian Government Infrastructure\r\n31.47.62[.]201 | Iranian Natural Resource Organization\r\nTable 2. Iranian connections to Playful Taurus infrastructure.\r\nThe sustained daily nature of these connections to Playful Taurus controlled infrastructure suggests a likely\r\ncompromise of these networks. Moreover, these targets also fit historical targeting patterns by the group.\r\nInside the Wire\r\nWhile researching the Iranian infrastructure in Table 2, we found that the first IP (109.201.27[.]66) hosted what\r\nappears to be a legitimate Foreign Ministry of Iran domain (pro.mfa[.]ir) between May and November 2019. This\r\nIP also resides on a netblock that hosts other Iranian government domains.\r\nHowever, since September 2021, this IP has hosted the domain mfaantivirus[.]xyz. The use of the .xyz top level\r\ndomain (TLD) seems odd for an IP and netblock that hosts legitimate Iranian government domains.\r\nThe registration record for mfaantivirus[.]xyz shows that it was registered by an organization that has only\r\nregistered eight other domains. Three of those domains, including mfaantivirus[.]xyz, stand out for being hosted\r\non Iranian government netblocks. 
The two additional domains hosted on Iranian government infrastructure are as\r\nfollows.\r\nRegistration Organization Overlap\r\nIP | Domain | Owner\r\n109.201.27[.]67 | pfs1010[.]xyz | Foreign Ministry of Iran (reverse PTR: cp.econsular[.]ir)\r\n109.201.19[.]184 | pfs1010[.]com | Foreign Ministry of Iran\r\nTable 3. Domains sharing a registering organization with mfaantivirus[.]xyz.\r\nThe first IP in Table 3 has a reverse DNS pointer to cp.econsular[.]ir, and the second IP’s netname is “Foreign\r\nMinistry of Iran.” This suggests that both are affiliated with the Iranian government.\r\nThat said, further analysis of these IPs revealed associations with two X.509 certificates. The earliest certificate\r\nappears to be related to pfSense and was only associated with these IPs for a single day in August 2019. This leads\r\nus to believe that the two pfs1010.* domains are made to resemble pfSense firewalls. The use of the domain name\r\nmfaantivirus[.]xyz loosely fits the security theme as well.\r\nThe second certificate associated with the IPs in Table 3 is a self-signed certificate with a common name of\r\nwww.netgate[.]com. Netgate is the doing business as (DBA) name for Rubicon Communications, who developed\r\npfSense – again sticking with the pfSense theme. Below is the information associated with that certificate.\r\nNetgate X.509 Certificate\r\nSHA-1: 1cf1985aec3dd1f7040d8e9913d9286a52243aca\r\nIssued: 2022-04-21\r\nExpires: 2032-04-18\r\nCommon Name: www.netgate[.]com\r\nOrganization Name: netgate\r\nSSL Version: 1\r\nLocality: New York\r\nState/Province: New York\r\nCountry: United States\r\nTable 4. 
Second suspected Playful Taurus certificate.\r\nThere are five additional malicious IPs associated with this certificate, but the two we wish to highlight are the\r\nfollowing.\r\nX509 Certificate Two - IP Associations\r\nIP | Owner\r\n151.248.24[.]251 | NYNEX satellite OHG (previous cert: portal-Share.mfa[.]new)\r\n158.247.222[.]6 | Constant Company VPS\r\nTable 5. X509 certificate two – IP associations.\r\nThe first IP contains a historical certificate reference to portal-Share.mfa[.]new, which suggests an ambiguous\r\n“Ministry of Foreign Affairs (MFA)” nexus. The second is a virtual private server (VPS) owned by The Constant\r\nCompany. This second IP (158.247.222[.]6) hosted the domain www[.]delldrivers[.]in from July 7, 2022 to Oct.\r\n11, 2022. This domain is associated with a Turian backdoor sample.\r\nTying this all together, we identified Iranian government infrastructure establishing connections with a known\r\nPlayful Taurus command and control (C2) server. Pivoting on one of the Iranian government IPs, we then\r\nidentified additional infrastructure hosting certificates that overlap with a second Playful Taurus C2 server.\r\nTurian Backdoor\r\nAnalyzing the domain *.delldrivers[.]in resulted in the identification of the following sample of malware.\r\nFile Details\r\nFilename: dellux[.]exe\r\nCreation Time: 2022-06-27 01:25:26 UTC\r\nSHA256: 67c911510e257b341be77bc2a88cedc99ace2af852f7825d9710016619875e80\r\nConnections: update.delldrivers[.]in\r\nTable 6. File details for Turian sample.\r\nThis sample was uploaded to VirusTotal from submitters in Iran on Nov. 12 and 13, 2022. We further observed\r\nthat these same submitters uploaded files and URLs that suggest a likely affiliation with Iran’s Ministry of Foreign\r\nAffairs.\r\nTechnical Analysis\r\nWe found that this sample is packed with VMProtect. 
However, the final payload is not virtualized and is\r\nultimately unpacked into the .text, .data and .rdata sections of the payload. Unfortunately, VMProtect obfuscates\r\nall API calls within the sample. So whenever an API call is made, execution jumps to the .vmp0 section to resolve\r\nthe import and execute it.\r\nWhile the functionality of the sample becomes increasingly difficult to analyze due to the API obfuscation, the\r\nstrings within the unpacked .data section provide a useful pivot point for identifying additional samples that\r\ncontain the same functionality but are not packed with VMProtect.\r\nAlongside the strings, the sample also contains a fairly unique XOR decryption function (shown in Figure 1). This\r\nis used to decrypt the embedded C2 server, update.delldrivers[.]in.\r\nFigure 1. Fairly unique decryption algorithm.\r\nA similar algorithm has been seen within the Neshta file infector, back in 2014. Data encrypted with this algorithm\r\ncan be decrypted with the Python snippet shown in Figure 2.\r\nFigure 2. Python data decryptor.\r\nPivoting on the algorithm’s byte pattern {69 D2 05 84 08 08 8A 1C 30 42 32 DA 88 1C 30} (the imul edx, edx, 0x08088405 / inc edx\r\nstate update of a multiplicative congruential generator, with the low byte of each new state XORed over the buffer) allows us to identify\r\ntwo additional malware samples.\r\nFile Details\r\nFilename: scm[.]exe\r\nType: EXE\r\nCreation Time: 2022-04-28 02:56:26 UTC\r\nSHA256: 8549c5bafbfad6c7127f9954d0e954f9550d9730ec2e06d6918c050bf3cb19c3\r\nConnections: scm.oracleapps[.]org\r\nTable 7. File details of the first sample located via pivoting on algorithm byte pattern.\r\nFile Details\r\nType: DLL\r\nCreation Time: 2022-06-18 14:43:13 UTC\r\nSHA256: ad22f4731ab228a8b63510a3ab6c1de5760182a7fe9ff98a8e9919b0cf100c58\r\nConnections: update.adboeonline[.]net\r\nTable 8. 
File details of the second sample located via pivoting on algorithm byte pattern.\r\nThe Turian Link\r\nAside from the C2 infrastructure being very similar in naming convention, comparing the code bases of these\r\nsamples to the unpacked VMProtect sample indicates clear overlap between the functionality.\r\nDue to the almost identical code base, we opted to focus our analysis on the executable, rather than the DLL.\r\nBefore doing so, we had a look at the DLL and noticed several cleartext strings.\r\nSearching for samples with similar strings, we identified two additional samples.\r\nFile Details\r\nType: DLL\r\nCreation Time: 2022-04-28 02:56:26 UTC\r\nSHA256: 5bb99755924ccb6882fc0bdedb07a482313daeaaa449272dc291566cd1208ed5\r\nConnections: 127.0.0.1\r\nTable 9. File details of the first sample located via pivoting on registry strings.\r\nFile Details\r\nType: x64 DLL\r\nCreation Time: 2022-06-18 14:43:13 UTC\r\nSHA256: 6828b5ec8111e69a0174ec14a2563df151559c3e9247ef55aeaaf8c11ef88bfa\r\nConnections: mail.indiarailways[.]net\r\nTable 10. File details of the second sample located via pivoting on registry strings.\r\nThese samples are tagged in VirusTotal with APT_MAL_LNX_Turian_Jun21_1, a YARA rule written for the Linux\r\nversion of the Turian backdoor. The samples themselves are clearly not for Linux systems, but the rule match did point us\r\ntoward previous reporting on the Turian/Quarian backdoors, which established a link between our dellux.exe\r\nsample and Turian.\r\nAn Updated Variant\r\nKey differences between our samples and the previously documented Turian samples indicated that we were likely\r\nlooking at a newer version, with some additional obfuscation and a modified network protocol.\r\nThe first key difference was the C2 decryption algorithm. 
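To make the contrast concrete, here is an added example in Python (not code from the Unit 42 post, and not the Turian authors' code) that implements both schemes side by side: the single-byte XOR of earlier samples, and the multiplicative congruential generator that the 15-byte opcode pattern quoted above decodes to (imul edx, edx, 0x08088405; inc edx; XOR the low byte of the new state over the buffer), together with a scan for that opcode pattern, which is the pivot the post performs across samples. The seed, the fake code blob and the test plaintext are constructed for the demonstration; the post does not publish the initial edx value Turian uses, so a real sample's seed has to be read from the instructions that precede the loop.

```python
# Opcode bytes quoted in the post. Decoded (x86, 32-bit):
#   69 D2 05 84 08 08   imul edx, edx, 0x08088405
#   8A 1C 30            mov  bl, [eax+esi]
#   42                  inc  edx
#   32 DA               xor  bl, dl
#   88 1C 30            mov  [eax+esi], bl
# i.e. a multiplicative LCG whose low byte is XORed over the buffer.
TURIAN_LCG_PATTERN = bytes.fromhex('69d2058408088a1c304232da881c30')

MULT = 0x08088405
MASK = 0xFFFFFFFF


def lcg_xor(data: bytes, seed: int) -> bytes:
    '''Apply the keystream implied by the opcode pattern above.

    State update: edx = edx * 0x08088405 + 1 (mod 2**32); each byte is
    XORed with the low byte of the new state. XOR is symmetric, so the
    same call encrypts and decrypts. seed is the initial edx; the post
    does not publish Turian's value, so callers must supply it.
    '''
    state = seed & MASK
    out = bytearray(len(data))
    for i, b in enumerate(data):
        state = (state * MULT + 1) & MASK   # imul edx, edx, imm32 ; inc edx
        out[i] = b ^ (state & 0xFF)         # xor bl, dl
    return bytes(out)


def single_byte_xor(data: bytes, key: int) -> bytes:
    '''The older Turian scheme: every byte XORed with one hard-coded key.'''
    return bytes(b ^ (key & 0xFF) for b in data)


def find_lcg_routine(blob: bytes) -> list:
    '''Return every offset at which the 15-byte opcode pattern occurs.

    This is the pivot the post describes: the sequence is specific enough
    that scanning unpacked samples for it surfaces related builds.
    '''
    hits = []
    start = 0
    while True:
        idx = blob.find(TURIAN_LCG_PATTERN, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def demo() -> dict:
    '''Constructed data only: a made-up seed and a fake code blob.'''
    seed = 0x12345678                      # assumption, not the real value
    c2 = b'update.delldrivers[.]in'        # C2 string quoted (defanged) in the post
    enc = lcg_xor(c2, seed)
    blob = bytes(16) + TURIAN_LCG_PATTERN + bytes(8) + enc
    return {
        'roundtrip': lcg_xor(enc, seed) == c2,
        'legacy': single_byte_xor(single_byte_xor(c2, 0xA9), 0xA9) == c2,
        'pattern_offsets': find_lcg_routine(blob),
        'ciphertext_differs': enc != c2,
    }


if __name__ == '__main__':
    print(demo())
```

lcg_xor is its own inverse, so once the initial edx is recovered from the instructions before the loop, the same routine decrypts the embedded C2 string; find_lcg_routine is what a retrohunt over unpacked samples for the opcode sequence amounts to, and it would also match the Neshta-style routine the post notes as similar, so hits still need triage.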
In prior Turian samples, the C2s were decrypted with an\r\nXOR against a hard-coded byte, such as 0xA9.\r\nIn the dellux.exe sample, the algorithm has clearly been updated.\r\nAdditionally, the network protocol in use by Turian and Quarian backdoors has historically been very distinct,\r\nespecially during the initial key exchange. In this variant, the network protocol has been altered to instead make\r\nuse of the Security Support Provider Interface (SSPI).\r\nOn startup, Turian will retrieve a pointer to the SSPI Dispatch Table via a call to InitSecurityInterfaceA(), before\r\ncalling AcquireCredentialsHandleA(). A socket is then opened to the remote C2, using standard Winsock API,\r\nwith connect() being called to establish a connection.\r\nOnce a connection has been made, Turian then performs an SSL/TLS handshake with the C2. This is done through a\r\ncall to InitializeSecurityContextA(), which will return a token to send to the C2 server.\r\nOnce sent, Turian waits for a 5-byte response (the SSL/TLS record header). The length field of this header gives the\r\nsize of the record body that follows it. The remaining data is then passed into another\r\ncall to InitializeSecurityContextA(), before returning. At this point, the handshake has been successful and secure\r\ncommunications can begin.\r\nAll packets sent to the C2 server are first XORed with the key 0x56 and then encrypted using the EncryptMessage() API.\r\nReceived packets are handled in the reverse order: decrypted with\r\nDecryptMessage(), then XORed with 0x56.\r\nThe updated backdoor offers fairly generic functionality, from updating the C2 to communicate with, to executing\r\ncommands and spawning reverse shells. The main differences with this compared to other variants of Turian are\r\nthe command IDs. 
Whereas before, the IDs started at 0x01 and followed an order, the IDs in this variant appear to\r\nbe randomized.\r\nCommands Table\r\nCommand ID | Function\r\n0xBC5B | Clean up\r\n0xA8CB | Update C2\r\n0x9D58 | Execute Command\r\n0x9A3C | Spawn File Explorer Thread\r\n0x7C0D | (Unknown)\r\n0x6394 | Set Flag\r\n0x74D2 | (Unknown)\r\n0x53A6 | Get System Info\r\n0x26CD | Spawn Reverse Shell Thread\r\nTable 11. Updated Turian commands.\r\nConclusion\r\nPlayful Taurus continues to evolve their tactics and their tooling. Recent upgrades to the Turian backdoor and new\r\nC2 infrastructure suggest that these actors continue to see success during their cyber espionage campaigns. Our\r\nanalysis of the samples and connections to the malicious infrastructure suggests that Iranian government networks\r\nhave likely been compromised. At the same time, we would also caution that Playful Taurus routinely deploys the\r\nsame tactics and techniques against other government and diplomatic entities across North and South America,\r\nAfrica and the Middle East.\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to\r\ntheir customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nProtections and Mitigations\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this\r\ngroup:\r\nWildFire cloud-based threat analysis service accurately identifies the Turian malware described in this blog\r\nas malicious.\r\nAdvanced URL Filtering and DNS Security identify domains associated with Playful Taurus as malicious.\r\nCortex XDR blocks execution of the known malware samples. 
It also prevents the execution\r\nof Turian malware using Behavioral Threat Protection and the new in-memory shellcode protection\r\nreleased in Cortex 3.5.\r\nIf you think you may have been impacted or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nIndicators of Compromise\r\nInfrastructure\r\n152.32.181[.]16\r\n158.247.222[.]6\r\nvpnkerio[.]com\r\nupdate.delldrivers[.]in\r\nscm.oracleapps[.]org\r\nupdate.adboeonline[.]net\r\nmail.indiarailways[.]net\r\nPlayful Taurus Certificate SHA-1\r\ncfd9884511f2b5171c00570da837c31094e2ec72\r\n1cf1985aec3dd1f7040d8e9913d9286a52243aca\r\nTurian Sample SHA-256\r\n67c911510e257b341be77bc2a88cedc99ace2af852f7825d9710016619875e80\r\n8549c5bafbfad6c7127f9954d0e954f9550d9730ec2e06d6918c050bf3cb19c3\r\n5bb99755924ccb6882fc0bdedb07a482313daeaaa449272dc291566cd1208ed5\r\nad22f4731ab228a8b63510a3ab6c1de5760182a7fe9ff98a8e9919b0cf100c58\r\n6828b5ec8111e69a0174ec14a2563df151559c3e9247ef55aeaaf8c11ef88bfa\r\nAdditional Resources\r\nKe3chang (APT15) | MITRE\r\nBackdoorDiplomacy: Upgrading from Quarian to Turian | ESET\r\nOkrum and Ketrican: An Overview of recent Ke3chang Group Activity | ESET\r\nOperation Saffron Rose | FireEye\r\nA Targeted Attack Against The Syrian Ministry of Foreign Affairs | Secure List: Kaspersky\r\nCyber-Espionage in the Middle East: Investigating a New BackdoorDiplomacy Threat Actor Campaign |\r\nBitdefender\r\nSource: https://unit42.paloaltonetworks.com/playful-taurus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/playful-taurus/"
	],
	"report_names": [
		"playful-taurus"
	],
	"threat_actors": [
		{
			"id": "709ceea7-db99-405e-b5a7-a159e6c307e0",
			"created_at": "2022-10-25T16:07:23.373699Z",
			"updated_at": "2026-04-10T02:00:04.571971Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [],
			"source_name": "ETDA:BackdoorDiplomacy",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8e1bae2f-2a21-4ba8-a6f1-42155f96aec8",
			"created_at": "2022-10-25T16:07:23.645758Z",
			"updated_at": "2026-04-10T02:00:04.700158Z",
			"deleted_at": null,
			"main_name": "Flying Kitten",
			"aliases": [
				"Ajax Security Team",
				"Flying Kitten",
				"G0130",
				"Group 26",
				"Operation Saffron Rose"
			],
			"source_name": "ETDA:Flying Kitten",
			"tools": [
				"Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3b56d733-88da-4394-b150-d87680ce67e4",
			"created_at": "2023-01-06T13:46:39.287189Z",
			"updated_at": "2026-04-10T02:00:03.274816Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [
				"BackDip",
				"CloudComputating",
				"Quarian"
			],
			"source_name": "MISPGALAXY:BackdoorDiplomacy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "401a2035-ed5a-4795-8e37-8b7465484751",
			"created_at": "2022-10-25T15:50:23.616232Z",
			"updated_at": "2026-04-10T02:00:05.304705Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [
				"BackdoorDiplomacy"
			],
			"source_name": "MITRE:BackdoorDiplomacy",
			"tools": [
				"Turian",
				"China Chopper",
				"Mimikatz",
				"NBTscan",
				"QuasarRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f4d7cba1-dbdd-42a9-88c5-4d0c81659ee0",
			"created_at": "2023-01-06T13:46:38.357581Z",
			"updated_at": "2026-04-10T02:00:02.941254Z",
			"deleted_at": null,
			"main_name": "Flying Kitten",
			"aliases": [
				"Saffron Rose",
				"AjaxSecurityTeam",
				"Ajax Security Team",
				"Group 26",
				"Sayad",
				"SaffronRose"
			],
			"source_name": "MISPGALAXY:Flying Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8faa11f5-2a14-479c-9ea8-3779e6de9749",
			"created_at": "2022-10-25T15:50:23.814205Z",
			"updated_at": "2026-04-10T02:00:05.308465Z",
			"deleted_at": null,
			"main_name": "Ajax Security Team",
			"aliases": [
				"Ajax Security Team",
				"Operation Woolen-Goldfish",
				"AjaxTM",
				"Rocket Kitten",
				"Flying Kitten",
				"Operation Saffron Rose"
			],
			"source_name": "MITRE:Ajax Security Team",
			"tools": [
				"sqlmap",
				"Havij"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434942,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/689ab0ff0ca52e104721e086aab3508e2ff1d8d9.pdf",
		"text": "https://archive.orkl.eu/689ab0ff0ca52e104721e086aab3508e2ff1d8d9.txt",
		"img": "https://archive.orkl.eu/689ab0ff0ca52e104721e086aab3508e2ff1d8d9.jpg"
	}
}