{
	"id": "5874db4e-6b98-4dc5-92f4-0f10f26646aa",
	"created_at": "2026-04-06T00:17:30.130409Z",
	"updated_at": "2026-04-10T03:33:40.899113Z",
	"deleted_at": null,
	"sha1_hash": "6a69ee59f3367889738d04e4802efb3a166ca2d8",
	"title": "調查局 08/19 公布中國對台灣政府機關駭侵事件說明",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1222696,
	"plain_text": "調查局 08/19 公布中國對台灣政府機關駭侵事件說明\r\nBy Global Support \u0026 Service\r\nPublished: 2020-08-22 · Archived: 2026-04-05 22:29:14 UTC\r\n前言\r\n法務部調查局綜整近期所偵辦的數起台灣政府機關遭駭案件，於 19 日發表記者會，提到政府部門的委外\r\n資訊服務供應商遭中國駭客組織攻擊現況，目前已知有市政府、水資源局等至少 10 個單位，以及 4 家資\r\n訊服務供應商遇害。\r\n調查局資安工作站也發現，駭客在入侵政府機關內部的主機與伺服器後，為了要長期潛伏以及將獲取資\r\n料傳出，還會安裝 SoftEther VPN 程式，以連線到駭客指定的中繼站。\r\n本次調查局公布的攻擊族群：MustangPanda、APT40、Blacktech 與 Taidoor，皆是 TeamT5 長期追蹤的標\r\n的，我們有信心能夠偵測這些族群使用的後門程式、駭客工具以及攻擊手法。\r\n圖一、駭客透過供應鏈攻擊我政府機關 -1（圖片來源：法務部調查局）\r\nhttps://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/\r\nPage 1 of 6\n\n圖二、駭客透過供應鏈攻擊我政府機關 -2（圖片來源：法務部調查局）\r\nIOC 情資\r\nTeamT5 長期進行駭客追蹤研究，根據法務部調查局所提供的情資內容，關聯出駭客族群慣用的惡意程式\r\n與相關 IOC 情資供使用者匯入至閘道端或端點防護設備比對使用，詳細惡意程式說明與 IOC 清單如下所\r\n示。\r\n惡意程式家\r\n族\r\n類\r\n型\r\n描述 攻擊族群\r\n首次\r\n出現\r\ndbgPrint RAT\r\ndbgPrint 為中國駭客族群 HUAPI 慣用的後門程\r\n式，其名稱來自於該後門程式早期版本的字串\r\n(strings)內容。dbgPrint 後門程式通常由 PE 型態\r\n的 Loader、插入 shellcode 的 DLL 檔及惡意\r\nPayload 所組成。同時也具備防毒免殺(anti-antivirus)的功能模組。\r\nHUAPI (又稱為\r\nPlead 或\r\nBlacktech)\r\n2009\r\n年\r\nCobaltStrike\r\nBeacon\r\nRAT\r\nCobalt Strike 是一款滲透測試或紅隊演練常使用的\r\n攻擊框架，而 CobaltStrike Beacon 則是從 Cobalt\r\nStrike 攻擊框架所產生的惡意 Payload。雖然\r\nCobalt Strike 為商業付費工具，但是經過破解並流\r\n傳於許多論壇或網站中，因此有許多駭客皆透過\r\n他進行惡意攻擊。\r\n商業付費工\r\n具，無法明確\r\n定義出背後的\r\n攻擊族群\r\n2016\r\n年\r\nhttps://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/\r\nPage 2 of 6\n\n表一、惡意程式分析說明\r\nIOC 類型 提供來源\r\nmanage.lutengtw.com Domain 法務部調查局\r\ndccpulic.lutengtw.com Domain 法務部調查局\r\ntrust.utoggsv.com Domain 法務部調查局\r\nwg1.inkeslive.com Domain 法務部調查局\r\nk3ad01.rutentw.com Domain 法務部調查局\r\nams05.csksogo.com Domain 法務部調查局\r\nedgekey.whybbot.com Domain 法務部調查局\r\nshed.inkeslive.com Domain 法務部調查局\r\nap21.gckerda.com Domain 法務部調查局\r\ncornerth.com Domain 法務部調查局\r\nteamcorner.nctu.me Domain 法務部調查局\r\n43.240.12.81 IP Address 法務部調查局\r\n45.124.25.31 IP Address 法務部調查局\r\n45.124.25.226 IP Address 法務部調查局\r\n103.193.149.26 IP Address 法務部調查局\r\n103.240.202.34 IP Address 法務部調查局\r\na8373a143a915518a33c4af19fff01e7 MD5 Hash TeamT5\r\n20714b487b5b63ff8e52b911d19d6da1 MD5 Hash TeamT5\r\n6c490c833bfff677c89d9bb81bef0cf5 MD5 Hash TeamT5\r\nd395580fea6fb840798dc1ee65756484 MD5 Hash TeamT5\r\n4a1941df8b251716f66e2777425ac0e5 MD5 Hash TeamT5\r\nc11f40af68c07b309bd103d69b7bb14a MD5 Hash TeamT5\r\n387fe30ffc270939c299d1eaebcdcd4d MD5 Hash TeamT5\r\n93bfdce35e3ab86508e09deedca6552f MD5 Hash TeamT5\r\nhttps://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/\r\nPage 3 of 6\n\nIOC 類型 提供來源\r\n1857fbce5c5269a1d4e40204ccccd7d1 MD5 Hash TeamT5\r\nwww.kaspersky-security.net Domain TeamT5\r\nwww.symantec-endpoint.net Domain TeamT5\r\nwww.symantec-product.com Domain TeamT5\r\nupdate.symantec-product.com Domain TeamT5\r\nupdate.trendmicro-service.com Domain TeamT5\r\ngoogleupdatesrv.com Domain TeamT5\r\n103.234.96.213 IP Address TeamT5\r\n103.242.0.152 IP Address TeamT5\r\n43.240.12.80 IP Address TeamT5\r\n43.240.12.82 IP Address TeamT5\r\n43.240.12.83 IP Address TeamT5\r\n45.32.43.59 IP Address TeamT5\r\n45.76.189.109 IP Address TeamT5\r\n表二、IOC 清單\r\nThreatSonar 惡意威脅鑑識分析平臺的用戶，可將上方表二之 IOC 匯入以強化威脅偵測與識別，亦可追溯\r\n比對過去資料是否命中 IOC。示意圖如下。\r\n圖三、ThreatSonar 支援 Hash、IP 及 Domain IOC 情資匯入\r\nhttps://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/\r\nPage 4 of 6\n\n如何透過威脅狩獵找出 SoftEther VPN 程式\r\n根據法務部調查局的偵辦結果，駭客為了長期潛伏於受害環境，因此會透過 SoftEther 這類的合法 VPN 程\r\n式進行遠端控制。ThreatSonar 具備主動威脅狩獵（Threat Hunting）功能，故可以快速地在環境中找出\r\nSoftEther VPN 程式。\r\n其步驟為在威脅狩獵（Hunter）功能中，切換 Scope 至憑證（Certificate），搜尋 \"filename ~\r\nsoftether\"（請選擇 Engine Version 為全選），可依憑證內容搜尋環境內符合條件的 SoftEther 憑證及其對應\r\n的端點與程式清單。其流程步驟示意圖如下。\r\n圖四、以 filename 查詢符合條件的 SoftEther 憑證\r\n圖五、具備 SoftEther 憑證的端點與程式清單\r\nhttps://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/\r\nPage 5 of 6\n\n圖六、駭客將 SoftEther VPN 程式偽裝成 svchost.exe\r\n*圖片來源：Unsplash\r\nSource: https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/\r\nhttps://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/\r\nPage 6 of 6\n\n103.193.149.26 103.240.202.34 IP Address IP Address 法務部調查局 法務部調查局\na8373a143a915518a33c4af19fff01e7 MD5 Hash TeamT5\n20714b487b5b63ff8e52b911d19d6da1 MD5 Hash TeamT5\n6c490c833bfff677c89d9bb81bef0cf5 MD5 Hash TeamT5\nd395580fea6fb840798dc1ee65756484 MD5 Hash TeamT5\n4a1941df8b251716f66e2777425ac0e5 MD5 Hash TeamT5\nc11f40af68c07b309bd103d69b7bb14a MD5 Hash TeamT5\n387fe30ffc270939c299d1eaebcdcd4d MD5 Hash TeamT5\n93bfdce35e3ab86508e09deedca6552f MD5 Hash TeamT5\n Page 3 of 6",
	"extraction_quality": 1,
	"language": "ZH",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/"
	],
	"report_names": [
		"mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies"
	],
	"threat_actors": [
		{
			"id": "71b19e59-b5f7-4bc6-816d-194be0f02af0",
			"created_at": "2022-10-25T16:07:24.301036Z",
			"updated_at": "2026-04-10T02:00:04.928222Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"Budminer",
				"Earth Aughisky",
				"G0015"
			],
			"source_name": "ETDA:Taidoor",
			"tools": [
				"Dripion",
				"Masson",
				"Taidoor",
				"simbot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "50bd4a6c-7542-4bdd-8b37-ab468fc428ef",
			"created_at": "2023-01-06T13:46:38.998658Z",
			"updated_at": "2026-04-10T02:00:03.176186Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"G0015",
				"Earth Aughisky"
			],
			"source_name": "MISPGALAXY:Taidoor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "478e9b27-39b9-49e4-a3c5-81569a767275",
			"created_at": "2022-10-25T15:50:23.417339Z",
			"updated_at": "2026-04-10T02:00:05.41593Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"Taidoor"
			],
			"source_name": "MITRE:Taidoor",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434650,
	"ts_updated_at": 1775792020,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6a69ee59f3367889738d04e4802efb3a166ca2d8.pdf",
		"text": "https://archive.orkl.eu/6a69ee59f3367889738d04e4802efb3a166ca2d8.txt",
		"img": "https://archive.orkl.eu/6a69ee59f3367889738d04e4802efb3a166ca2d8.jpg"
	}
}