{ "id": "e0f1504b-23fc-41b9-a2ad-db3b380f588c", "created_at": "2026-04-06T00:07:01.491554Z", "updated_at": "2026-04-10T13:13:08.659938Z", "deleted_at": null, "sha1_hash": "6d685eb465754b8576514093c47dc5a6e13e4b5a", "title": "The Icefog APT: A Tale of Cloak and Three Daggers", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 663248, "plain_text": "The Icefog APT: A Tale of Cloak and Three Daggers\r\nBy GReAT\r\nPublished: 2013-09-25 · Archived: 2026-04-05 13:25:51 UTC\r\nAPT reports\r\nAPT reports\r\n25 Sep 2013\r\n 2 minute read\r\nhttps://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/\r\nPage 1 of 5\n\nThe emergence of small groups of cyber-mercenaries available for hire to perform\r\nsurgical hit and run operations.\r\nThe world of Advanced Persistent Threats (APTs) is well known. Skilled adversaries compromising high-profile\r\nvictims and stealthily exfiltrating valuable data over the course of many years. Such teams sometimes count tens\r\nor even hundreds of people, going through terabytes or even petabytes of exfiltrated data.\r\nAlthough there has been an increasing focus on attribution and pinpointing the sources of these attacks, not much\r\nis known about a new emerging trend: the smaller hit-and-run gangs that are going after the supply chain and\r\ncompromising targets with surgical precision.\r\nSince 2011 we have been tracking a series of attacks that we link to a threat actor called ‘Icefog’. We believe this\r\nis a relatively small group of attackers that are going after the supply chain — targeting government institutions,\r\nmilitary contractors, maritime and ship-building groups, telecom operators, satellite operators, industrial and high\r\ntechnology companies and mass media, mainly in South Korea and Japan. This Icefog campaigns rely on custom-made cyber-espionage tools for Microsoft Windows and Apple Mac OS X. The attackers directly control the\r\ninfected machines during the attacks; in addition to Icefog, we noticed them using other malicious tools and\r\nbackdoors for lateral movement and data exfiltration.\r\nKey findings on the Icefog attacks:\r\nThe attackers rely on spear-phishing and exploits for known vulnerabilities (eg. CVE-2012-0158, CVE-2012-1856, CVE-2013-0422 and CVE-2012-1723). The lure documents used in the attacks are specific to\r\nthe target’s interest; for instance, an attack against a media company in Japan used the following lure:\r\nhttps://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/\r\nPage 2 of 5\n\nLure document shown to the victim upon successful execution of the exploit\r\nBased on the profiles of known targets, the attackers appear to have an interest in the following\r\nsectors: military, shipbuilding and maritime operations, research companies,\r\ntelecomoperators, satellite operators, mass media and television.\r\nResearch indicates the attackers were interested in targeting defense industry contractors such asLig\r\nNex1 and Selectron Industrial Company, ship-building companies such as DSME Tech, Hanjin Heavy\r\nIndustries or telecom operators such as Korea Telecom.\r\nThe attackers are hijacking sensitive documents and company plans, e-mail account credentials, and\r\npasswords to access various resources inside and outside the victim’s network.\r\nhttps://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/\r\nPage 3 of 5\n\nDuring the operation, the attackers are using the “Icefog” backdoor set (also known as “Fucobha”).\r\nKaspersky Lab identified versions of Icefog for both Microsoft Windows and Mac OS X.\r\nWhile in most other APT campaigns, victims remain infected for months or even years and attackers are\r\ncontinuously exfiltrating data, Icefog operators are processing victims swiftly and in a surgical\r\nmanner — locating and copying only specific, targeted information. Once the desired information is\r\nobtained, they abandon the infection and move on.\r\nIn most cases, the Icefog operators appear to already know very well what they need from the\r\nvictims. They look for specific file names, which are identified and transferred to the C\u0026C.\r\nKaspersky Lab would like to thank KISA (Korea Internet \u0026 Security Agency) and INTERPOL for their support in\r\nthis investigation.\r\nWe’re sharing Indicators of Compromise based on the OpenIOC framework for Icefog. This way organizations\r\nhave an alternative way of checking their network for presence of (active) Icefog infections.\r\nYou can download the IOC file (.zip) here.\r\nA detailed FAQ on Icefog is available.\r\nYou can read our full Icefog report here:\r\n[Click to download]\r\nhttps://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/\r\nPage 4 of 5\n\nLatest Posts\r\nLatest Webinars\r\nReports\r\nKaspersky researchers analyze updated CoolClient backdoor and new tools and scripts used in HoneyMyte (aka\r\nMustang Panda or Bronze President) APT campaigns, including three variants of a browser data stealer.\r\nKaspersky discloses a 2025 HoneyMyte (aka Mustang Panda or Bronze President) APT campaign, which uses a\r\nkernel-mode rootkit to deliver and protect a ToneShell backdoor.\r\nKaspersky GReAT experts analyze the Evasive Panda APT’s infection chain, including shellcode encrypted with\r\nDPAPI and RC5, as well as the MgBot implant.\r\nKaspersky expert describes new malicious tools employed by the Cloud Atlas APT, including implants of their\r\nsignature backdoors VBShower, VBCloud, PowerShower, and CloudAtlas.\r\nSource: https://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/\r\nhttps://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/\r\nPage 5 of 5\n\nKey findings on The attackers the Icefog attacks: rely on spear-phishing and exploits for known vulnerabilities (eg. CVE-2012-0158, CVE\u0002\n2012-1856, CVe-2013-0422 and CVe-2012-1723). The lure documents used in the attacks are specific to\nthe target’s interest; for instance, an attack against a media company in Japan used the following lure:\n Page 2 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MISPGALAXY" ], "origins": [ "web" ], "references": [ "https://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/" ], "report_names": [ "57331" ], "threat_actors": [ { "id": "1aead86d-0c57-4e3b-b464-a69f6de20cde", "created_at": "2023-01-06T13:46:38.318176Z", "updated_at": "2026-04-10T02:00:02.925424Z", "deleted_at": null, "main_name": "DAGGER PANDA", "aliases": [ "UAT-7290", "Red Foxtrot", "IceFog", "RedFoxtrot", "Red Wendigo", "PLA Unit 69010" ], "source_name": "MISPGALAXY:DAGGER PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "77b28afd-8187-4917-a453-1d5a279cb5e4", "created_at": "2022-10-25T15:50:23.768278Z", "updated_at": "2026-04-10T02:00:05.266635Z", "deleted_at": null, "main_name": "Inception", "aliases": [ "Inception Framework", "Cloud Atlas" ], "source_name": "MITRE:Inception", "tools": [ "PowerShower", "VBShower", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "04a7ebaa-ebb1-4971-b513-a0c86886d932", "created_at": "2023-01-06T13:46:38.784965Z", "updated_at": "2026-04-10T02:00:03.099088Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "Clean Ursa", "Cloud Atlas", "G0100", "ATK116", "Blue Odin" ], "source_name": "MISPGALAXY:Inception Framework", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f35997d9-ca1e-453f-b968-0e675cc16d97", "created_at": "2023-01-06T13:46:39.490819Z", "updated_at": "2026-04-10T02:00:03.345364Z", "deleted_at": null, "main_name": "Evasive Panda", "aliases": [ "BRONZE HIGHLAND" ], "source_name": "MISPGALAXY:Evasive Panda", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a", "created_at": "2024-11-01T02:00:52.763555Z", "updated_at": "2026-04-10T02:00:05.263997Z", "deleted_at": null, "main_name": "Daggerfly", "aliases": [ "Daggerfly", "Evasive Panda", "BRONZE HIGHLAND" ], "source_name": "MITRE:Daggerfly", "tools": [ "PlugX", "MgBot", "BITSAdmin", "MacMa", "Nightdoor" ], "source_id": "MITRE", "reports": null }, { "id": "5d9dfc61-6138-497a-b9da-33885539f19c", "created_at": "2022-10-25T16:07:23.720008Z", "updated_at": "2026-04-10T02:00:04.726002Z", "deleted_at": null, "main_name": "Icefog", "aliases": [ "ATK 23", "Dagger Panda", "Icefog", "Red Wendigo" ], "source_name": "ETDA:Icefog", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Dagger Three", "Fucobha", "Icefog", "Javafog", "POISONPLUG.SHADOW", "RoyalRoad", "ShadowPad Winnti", "XShellGhost" ], "source_id": "ETDA", "reports": null }, { "id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7", "created_at": "2023-01-06T13:46:39.413725Z", "updated_at": "2026-04-10T02:00:03.31882Z", "deleted_at": null, "main_name": "BRONZE HIGHLAND", "aliases": [ "Evasive Panda", "Daggerfly" ], "source_name": "MISPGALAXY:BRONZE HIGHLAND", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7", "created_at": "2022-10-25T16:07:23.422755Z", "updated_at": "2026-04-10T02:00:04.592069Z", "deleted_at": null, "main_name": "Bronze Highland", "aliases": [ "Daggerfly", "Digging Taurus", "Evasive Panda", "Storm Cloud", "StormBamboo", "TAG-102", "TAG-112" ], "source_name": "ETDA:Bronze Highland", "tools": [ "Agentemis", "CDDS", "CloudScout", "Cobalt Strike", "CobaltStrike", "DazzleSpy", "KsRemote", "LOLBAS", "LOLBins", "Living off the Land", "MacMa", "Macma", "MgBot", "Mgmbot", "NetMM", "Nightdoor", "OSX.CDDS", "POCOSTICK", "RELOADEXT", "Suzafk", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "4f7d2815-7504-4818-bf8d-bba18161b111", "created_at": "2025-08-07T02:03:24.613342Z", "updated_at": "2026-04-10T02:00:03.732192Z", "deleted_at": null, "main_name": "BRONZE HIGHLAND", "aliases": [ "Daggerfly", "Daggerfly ", "Evasive Panda ", "Evasive Panda ", "Storm Bamboo " ], "source_name": "Secureworks:BRONZE HIGHLAND", "tools": [ "Cobalt Strike", "KsRemote", "Macma", "MgBot", "Nightdoor", "PlugX" ], "source_id": "Secureworks", "reports": null }, { "id": "02c9f3f6-5d10-456b-9e63-750286048149", "created_at": "2022-10-25T16:07:23.722884Z", "updated_at": "2026-04-10T02:00:04.72726Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "ATK 116", "Blue Odin", "Clean Ursa", "Cloud Atlas", "G0100", "Inception Framework", "Operation Cloud Atlas", "Operation RedOctober", "The Rocra" ], "source_name": "ETDA:Inception Framework", "tools": [ "Lastacloud", "PowerShower", "VBShower" ], "source_id": "ETDA", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434021, "ts_updated_at": 1775826788, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/6d685eb465754b8576514093c47dc5a6e13e4b5a.pdf", "text": "https://archive.orkl.eu/6d685eb465754b8576514093c47dc5a6e13e4b5a.txt", "img": "https://archive.orkl.eu/6d685eb465754b8576514093c47dc5a6e13e4b5a.jpg" } }