{
	"id": "d6af7750-7197-4565-9f46-e4cbb4eb0418",
	"created_at": "2026-04-06T00:11:32.618794Z",
	"updated_at": "2026-04-10T03:37:54.460659Z",
	"deleted_at": null,
	"sha1_hash": "6be239e2c8c43b73ef0949e9d240b8e8776aeba5",
	"title": "GitHub - nccgroup/Royal_APT: Royal APT - APT15 - Related Information from NCC Group Cyber Defense Operations Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 141892,
	"plain_text": "GitHub - nccgroup/Royal_APT: Royal APT - APT15 - Related\r\nInformation from NCC Group Cyber Defense Operations\r\nResearch\r\nBy pengwinsurf\r\nArchived: 2026-04-02 11:31:38 UTC\r\nRoyal APT - APT15 - Related Information from NCC Group Cyber Defense Operations Research\r\nSharePoint tool\r\nAmong the tools developed by the group for the victim, APT15 created a .NET tool to enumerate the victim's\r\nSharePoint database. Below is a screenshot from the decompiled binary.\r\nDecoding scripts\r\nDecoder scripts for BS2005 and RoyalCLI samples found by NCC Group can be found in the scripts directory.\r\nBS2005\r\nhttps://github.com/nccgroup/Royal_APT\r\nPage 1 of 2\n\nbs_decoder.py will extract and decrypt commands included in HTML files sent to the sample\r\n6ea9cc475d41ca07fa206eb84b10cf2bbd2392366890de5ae67241afa2f4269f, namely Alive.htm and\r\nContents.htm. It will also decode beacons sent to the C2.\r\nUsage:\r\nbs2005_decoder.py html \u003chtmlPath\u003e/\u003chtmlsDir\u003e\r\nbs2005_decoder.py beacon \u003cbeaconString\u003e\r\nRoyalCLI\r\nrcli_decoder.py will decode the RoyalCli config, RoyalCli HTML commands and the URIs.\r\nUsage:\r\nroyalcli_decoder.py html \u003chtmlPath\u003e/\u003chtmlsDir\u003e\r\nroyalcli_decoder.py cfg \u003cconfigPath\u003e\r\nroyalcli_decoder.py uri \u003cbeaconString\u003e\r\nYara signatures\r\nYara signatures for the RoyalCLI, RoyalDNS and BS2005 samples found by NCC Group can be found in\r\napt15.yara in the signatures folder.\r\nSuricata Signatures\r\nSuricata signatures for RoyalCLI, RoyalDNS and BS2005 samples found by NCC Group can be found in\r\nids_signatures_apt15_royal.txt in the signatures folder.\r\nSource: https://github.com/nccgroup/Royal_APT\r\nhttps://github.com/nccgroup/Royal_APT\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://github.com/nccgroup/Royal_APT"
	],
	"report_names": [
		"Royal_APT"
	],
	"threat_actors": [
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434292,
	"ts_updated_at": 1775792274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6be239e2c8c43b73ef0949e9d240b8e8776aeba5.pdf",
		"text": "https://archive.orkl.eu/6be239e2c8c43b73ef0949e9d240b8e8776aeba5.txt",
		"img": "https://archive.orkl.eu/6be239e2c8c43b73ef0949e9d240b8e8776aeba5.jpg"
	}
}