{
	"id": "0b628cd5-2039-4196-bae1-e65201d99c90",
	"created_at": "2026-04-06T00:07:37.608536Z",
	"updated_at": "2026-04-10T13:12:00.401135Z",
	"deleted_at": null,
	"sha1_hash": "6de9b7c574c2748bf992eeceb184093824621449",
	"title": "Business as Usual: Falcon Complete MDR Thwarts Novel VANGUARD PANDA (Volt Typhoon) Tradecraft",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 132340,
	"plain_text": "Business as Usual: Falcon Complete MDR Thwarts Novel\r\nVANGUARD PANDA (Volt Typhoon) Tradecraft\r\nBy Falcon Complete Team\r\nArchived: 2026-04-05 20:39:08 UTC\r\nVANGUARD PANDA Background\r\nOn May 24, 2023, industry and government sources detailed China-nexus activity in which the threat actor\r\ndubbed Volt Typhoon targeted U.S.-based critical infrastructure entities. CrowdStrike Intelligence tracks this actor\r\nas VANGUARD PANDA.\r\nSince at least mid-2020, the CrowdStrike Falcon® Complete managed detection and response (MDR) team and\r\nthe CrowdStrike® Falcon OverWatch™ threat hunting team have observed related historical activity in multiple\r\nsectors. The adversary consistently employed ManageEngine Self-service Plus exploits to gain initial access,\r\nfollowed by custom webshells for persistent access, and living-off-the-land (LOTL) techniques for lateral\r\nmovement.\r\nCollaboration between Falcon Complete, Falcon OverWatch and the CrowdStrike Intelligence team is a force\r\nmultiplier protecting customers from the latest threats to ultimately stop breaches.\r\nIncident Case Study\r\nOne specific VANGUARD PANDA incident stands out to review in detail. Falcon Complete responded to a\r\ndetection that was triggered by suspicious reconnaissance commands executed under an Apache Tomcat web\r\nserver running ManageEngine ADSelfService Plus.\r\nThe malicious activity detailed in the detection included listing processes, network connectivity testing, gathering\r\nuser and group information, mounting shares, enumeration of domain trust over WMI, and listing DNS zones over\r\nWMI. 
VANGUARD PANDA’s actions indicated a familiarity with the target environment, due to the rapid\r\nsuccession of their commands, as well as having specific internal hostnames and IPs to ping, remote shares to\r\nmount, and plaintext credentials to use for WMI.\r\ncmd /C \"tasklist /svc\"\r\ncmd /C \"ping -n 1 [redacted]\"\r\ncmd /C \"ping -n 1 -a [redacted]\"\r\ncmd /C \"net group \"domain controllers\" /dom\"\r\ncmd /C \"net use \\\\[redacted]\\admin$ REDACTED /u:[redacted]\"\r\ncmd /C \"dir \\\\[redacted]\\c$\\Users\"\r\ncmd /C \"wmic /node:[redacted] /user:[redacted] /password:\"\" process call create \"cmd /c nltest /DOMAIN_TRUSTS \u003e\u003e\r\ncmd /C \"dir \\\\[redacted]\\c$\\users\\[redacted]\\AppData\\Local\\Temp\\[redacted].tmp\"\r\nhttps://www.crowdstrike.com/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/\r\nPage 1 of 9\n\ncmd /C \"type \\\\[redacted]\\c$\\users\\[redacted]\\AppData\\Local\\Temp\\[redacted].tmp\"\r\ncmd /C \"wmic /node:[redacted] /user:[redacted] /password:\"\" process call create \"cmd /c Dnscmd . /EnumZones \u003e\u003eC:\r\ncmd /C \"dir \\\\[redacted]\\c$\\users\\[redacted]\\AppData\\Local\\Temp\\[redacted].tmp\"\r\ncmd /C \"type \\\\[redacted]\\c$\\users\\[redacted]\\AppData\\Local\\Temp\\[redacted].tmp\"\r\nUpon notification from Falcon OverWatch of the reconnaissance activity taking place underneath the\r\nManageEngine AD SelfService Plus process, Falcon Complete quickly contained the host using the CrowdStrike\r\nFalcon® sensor’s Network Containment capability. 
In doing so, Falcon Complete isolated the host and prevented\r\nthe adversary from interacting with it.\r\nFollowing successful containment, Falcon Complete quickly triaged the host, ultimately calling the impacted\r\ncustomer to notify them of this critical incident and the measures being taken to defend against the suspected\r\nadversary tradecraft.\r\nSimultaneously, Falcon Complete began technical analysis of the Apache Tomcat access logs located in\r\nC:\\ManageEngine\\ADSelfService Plus\\logs.\r\nUpon review of the access logs, multiple HTTP POST requests to /html/promotion/selfsdp.jspx were found\r\nwith timestamps matching the enumeration and reconnaissance commands seen spawning from the Apache\r\nTomcat web server.\r\n- /html/promotion/selfsdp.jspx \"-\" POST 203 2043 200 \"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/201\r\nBased on the URI from the access logs, Falcon Complete identified the folder and file on disk located at\r\nC:\\ManageEngine\\ADSelfService Plus\\webapps\\adssp\\html\\promotion\\selfsdp.jspx.\r\nUpon analysis of the .jspx file, Falcon Complete identified it to be a webshell. This is based on Java code that\r\nconverts the bytes 99, 109 and 100, respectively, into cmd; and the bytes 47 and 67 into /C. 
Execution of the\r\ncommand cmd /C is a common method by which webshells run commands under the Command Prompt process.\r\nProcessBuilder pb = new ProcessBuilder(new String(new byte[]{99, 109, 100}), new String(new byte[]{47, 67}), co\r\nAdditionally, the webshell was attempting to masquerade as a legitimate file of ManageEngine ADSelfService\r\nPlus by setting its title to ManageEngine ADSelfService Plus and adding links to legitimate enterprise help desk\r\nsoftware http[:]//www.manageengine[.]com/products/adself-service/help-desk-software.html and ADSelfService\r\nhttp[:]//www.manageengine[.]com/products/adself-service/index.html.\r\nNow, a retrospective review of the selfsdp.jspx webshell will return successful matches of the EncryptJSP\r\nYARA rule released by CISA reporting on Volt Typhoon activity.\r\nrule EncryptJSP {\r\n strings:\r\n $s1 = \"AEScrypt\"\r\n $s2 = \"AES/CBC/PKCS5Padding\"\r\n $s3 = \"SecretKeySpec\"\r\n $s4 = \"FileOutputStream\"\r\n $s5 = \"getParameter\"\r\n $s6 = \"new ProcessBuilder\"\r\n $s7 = \"new BufferedReader\"\r\n $s8 = \"readLine()\"\r\n condition:\r\n filesize \u003c 50KB and 6 of them\r\n}\r\nCISA also now reports that the following User-Agent (spaces included) was used by VANGUARD PANDA.\r\nHowever, at the time of CrowdStrike’s initial investigation, this information had not yet been reported.\r\nMozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0)Gecko/20100101 Firefox/68.0\r\nRetrospective review of the User-Agent that Falcon Complete observed making POST requests to the webshell is\r\nan exact match for this User-Agent without the mistake in spacing.\r\nMozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0\r\nFalcon Complete assessed the activity was malicious and rapidly remediated the webshell on behalf of the\r\ncustomer and provided the customer with further actionable recommendations for 
patching and user credential\r\nresets.\r\nInvestigation Follow-Through\r\nThis is where an investigation might typically end, but the expected access log artifacts that would indicate CVE-2021-40539 were not present, even though the TTPs of the malicious activity were a match for this CVE.\r\nAdditionally, based on Falcon Complete’s experience with similar advanced intrusions, combined with VANGUARD\r\nPANDA’s apparent familiarity with the target environment and potential indicators of log tampering, Falcon\r\nComplete determined a deeper dive into the associated activity was an important next step to determine if other\r\nartifacts remained and could confirm the use of CVE-2021-40539 or possibly indicate another form of\r\nexploitation altogether.\r\nMore Tradecraft Unearthed\r\nThe number of remaining loose ends at this point in the investigation relative to a typical event became a red flag\r\nin itself, warranting further investigation because:\r\n1. VANGUARD PANDA had clearly performed extensive prior recon and enumeration (based on its\r\nknowledge and use of remote hosts within the environment);\r\n2. Administrator credentials had already been acquired/compromised;\r\n3. Expected access log artifacts for CVE-2021-40539 did not appear to exist; and\r\n4. 
The Falcon sensor was only recently installed on the targeted host.\r\nA review of existing evidence showed the identified webshell selfsdp.jspx was written to disk almost 6 months\r\nprior to the installation of the Falcon sensor as well as the witnessed hands-on-keyboard adversary activity.\r\nUsing the Apache Tomcat access logs, CrowdStrike was able to correlate the timing of the selfsdp.jspx disk\r\nwrite to an HTTP POST request to the URI /html/error.jsp, after which the actor performed an HTTP GET\r\nrequest to /html/promotion/selfsdp.jspx to confirm its presence.\r\nFalcon Complete investigated the host for the suspected webshell at /html/error.jsp, but this file was not on\r\ndisk — an important fact that will come up later in the investigation.\r\nEven though the timing of this activity lined up with CVE-2021-40539 exploitation, no such exploitation artifacts\r\nwere left in the access logs, ManageEngine serverOut logs, or the ManageEngine adslog. The lack of all of these\r\nlog artifacts combined with the lack of error.jsp on disk suggested that the adversary might be attempting to\r\ncover their tracks.\r\nFurther review of the Apache Tomcat access logs showed the use of the selfsdp.jspx webshell across multiple\r\nmonths. On one particular day the access log was wiped clean for the first 12 hours of the day, and the first log\r\nmessage recorded that day was a request to the selfsdp.jspx webshell.\r\nNow with a specific 12-hour time period in focus, Falcon Complete triaged the host for any further signs of\r\nmalicious activity that might be connected to the intrusion. 
This is where CrowdStrike discovered the adversary's\r\nmisstep.\r\nThe Giveaway: JSP Compilation\r\nA component of Apache Tomcat, the Jasper 2 JSP Engine, is responsible for the generation of Java source code\r\nfrom JSP files and the subsequent compilation of those files into classes.\r\nThe Jasper 2 JSP Engine has a configuration setting named “keepGenerated” with the following description:\r\n“Should we keep the generated Java source code for each page instead of deleting it? true or false, default tru\r\nAn important piece of information is that these Java and Class files get created in a separate directory structure.\r\nWhere HTML and JSP files may be in C:\\ManageEngine\\ADSelfService Plus\\webapps\\adssp\\html, the Java and Class files are written to a separate directory, C:\\ManageEngine\\ADSelfService\r\nPlus\\work\\Catalina\\localhost\\ROOT\\org\\apache\\jsp\\\r\nVANGUARD PANDA went through extensive lengths to clear out multiple log files and remove excess files from\r\ndisk — but they didn’t clear out the generated Java source or compiled Class files. As a result, Falcon Complete\r\ndiscovered numerous webshells and backdoors all connected to this same attack.\r\nOne Java source code file, ListName_jsp.java, was critically important. The Jasper Engine generated this source\r\ncode file just prior to known log clearing via the selfsdp.jspx webshell.\r\ni.e.\r\nListName_jsp.java\r\n/*\r\n* Generated by the Jasper component of Apache Tomcat\r\n* Version: Apache Tomcat/@VERSION@\r\n* Generated at: 11:UTC\r\n* Note: The last modified time of this file was set to\r\n* the last modified time of the source file after\r\n* generation to assist with modification tracking.\r\n*/\r\nJSP Backdoor Preparation\r\nListName_jsp.java is the generated Java source code for a deleted file that was named ListName.jsp. 
Analysis\r\nof ListName.jsp reveals its purpose is to deploy a backdoored version of the tomcat-websocket.jar Apache\r\nTomcat library containing a webshell.\r\nFirst, ListName.jsp tries to load the following three Classes:\r\n/org/apache/tomcat/websocket/server/A.class\r\n/org/apache/tomcat/websocket/server/B.class\r\n/org/apache/tomcat/websocket/server/C.class\r\nThen ListName.jsp moves the following Class files from a JAR archive C:/users/public/tomcat-ant.jar to\r\nC:/users/public/tomcat-websocket.jar:\r\n/org/apache/tomcat/websocket/server/WsSci.class\r\n/org/apache/tomcat/websocket/server/A.class\r\n/org/apache/tomcat/websocket/server/B.class\r\n/org/apache/tomcat/websocket/server/C.class\r\nArmed with this knowledge, Falcon Complete confirmed that the version of tomcat-websocket.jar installed in\r\nthe Apache Tomcat library on disk was backdoored. The tomcat-websocket.jar file timestamp was\r\ntimestomped to appear unmodified, but unpacking the Java Archive showed the A, B, and C class files with\r\ntimestamps matching the ListName.jsp timeframe.\r\nThe C:/users/public/tomcat-ant.jar was not available on disk, and not located anywhere within the installed\r\nApache Tomcat directory structure.\r\nWhile unconfirmed due to log clearing and occurring prior to the Falcon sensor installation, VANGUARD\r\nPANDA’s workflow likely follows these approximate steps to backdoor apache-tomcat.jar:\r\n1. Use webshell to retrieve ListName.jsp from a remote source, and place in web server directory\r\n2. Use webshell to retrieve tomcat-ant.jar from a remote source and move to C:/users/public/\r\n3. Use webshell to copy tomcat-websocket.jar out of the Apache Tomcat library directory into\r\nC:/users/public\r\n4. Make an HTTP GET request to ListName.jsp, which would move A, B, and C classes from tomcat-ant.jar to tomcat-websocket.jar\r\n5. 
Use webshell to replace the tomcat-websocket.jar in the Apache Tomcat library with the backdoored\r\nversion\r\n6. Cleanup\r\n   1. Delete JARs out of C:/users/public\r\n   2. Delete ListName.jsp out of the web server directory\r\n   3. Clear Apache Tomcat access logs\r\nJAR Backdoor\r\nFalcon Intelligence reviewed the backdoored tomcat-websocket.jar to understand its purpose. The backdoored\r\nlibrary provided VANGUARD PANDA with several possible commands triggered via HTTP URIs containing\r\n/addEndpoint/html/lookup.gif.\r\nC.class adds a new endpoint for B.class, which is reachable under /addEndpoint/html/lookup.gif.\r\nB.class instantiates A.class, which will handle requests to the previously registered endpoint under\r\n/addEndpoint/html/lookup.gif.\r\nA.class acts as the webshell. The webshell command data is Base64-encoded and AES-encrypted using the\r\nprovided key. Command arguments are split using the ampersand (‘\u0026’) character.\r\nCommand: first\u0026\u003caes_key\u003e\r\nDescription: Initializes the webshell class using the given data as the AES key for future requests and responses.\r\nCommand: \u003ccommand_data\u003e\u00260\r\nDescription: Executes the decrypted shell command and returns encrypted command output via the webshell session.\r\nCommand: exit\u00260\r\nDescription: If the decrypted command is exit, the webshell session is terminated.\r\nCommand: \u003cstring_data\u003e\u00261\r\nDescription: Writes the decrypted value of the string to the log file C:/users/public/tmp.log\r\nThe use of a backdoored Apache Tomcat library is a previously undisclosed persistence TTP in use by\r\nVANGUARD PANDA. 
This backdoor was likely used by VANGUARD PANDA to enable persistent access to\r\nhigh-value targets downselected after the initial access phase of operations using then-zero-day vulnerabilities.\r\nCrowdStrike Intelligence’s assessment is made with moderate confidence based on:\r\n- The additional session management options provided by this backdoor compared to the webshell\r\nassociated with VANGUARD PANDA initial access operations\r\n- Extensive use of log clearing and artifact deletion to hinder forensic analysis\r\n- Use of filenames masquerading as legitimate server files to avoid detection\r\nThe Falcon Complete MDR Way\r\nFalcon Complete’s subject matter expertise in responding to sophisticated adversaries allowed for the quick\r\ncontainment, identification and remediation of this pre-sensor-installation VANGUARD PANDA intrusion. The\r\nfirst time VANGUARD PANDA became active after the Falcon sensor was installed, Falcon Complete was\r\nprepared to investigate, contain and remediate.\r\nFalcon Complete, Falcon OverWatch and CrowdStrike Intelligence continually partner to proactively hunt,\r\nidentify, and remediate malicious activity from adversaries. 
By working together, these teams take full advantage\r\nof CrowdStrike’s expertise and keep CrowdStrike customers protected 24/7/365.\r\nRecommendations to Detect and Defend against VANGUARD PANDA\r\nFalcon Complete recommends the following indicators and rules to detect and defend against the malicious\r\nVANGUARD PANDA components outlined in this blog.\r\nIn ManageEngine ADSelfService Plus, or Apache Tomcat access logs, any requests to the following URI:\r\n/addEndpoint/html/lookup.gif\r\nFiles on disk:\r\nC:/users/public/*.jar\r\nC:/users/public/tmp.log\r\nReview for unexpected .java or .class files or unexpected timestamps in the following directory and its\r\nsubdirectories:\r\nC:\\ManageEngine\\ADSelfService Plus\\work\\Catalina\\localhost\\ROOT\\org\\apache\\jsp\\\r\nYARA rule from CISA AA23-144a\r\nrule EncryptJSP {\r\n strings:\r\n $s1 = \"AEScrypt\"\r\n $s2 = \"AES/CBC/PKCS5Padding\"\r\n $s3 = \"SecretKeySpec\"\r\n $s4 = \"FileOutputStream\"\r\n $s5 = \"getParameter\"\r\n $s6 = \"new ProcessBuilder\"\r\n $s7 = \"new BufferedReader\"\r\n $s8 = \"readLine()\"\r\n condition:\r\n filesize \u003c 50KB and 6 of them\r\n}\r\nCrowdStrike Intelligence YARA rules:\r\nrule CrowdStrike_VANGUARD_PANDA_timewarp_webshell : webshell vanguard_panda\r\n{\r\n meta:\r\n copyright = \"(c) 2023 CrowdStrike Inc.\"\r\n description = \"Timewarp Java webshell in malicious Tomcat module\"\r\n version = \"202306131008\"\r\n last_modified = \"2023-06-13\"\r\n actor = \"VANGUARD PANDA\"\r\n strings:\r\n $ = \"setKey\"\r\n $ = \"ProcessBuilder\"\r\n $ = \"AES/ECB/PKCS5Padding\"\r\n $ = \"tmp.log\"\r\n $ = \"byteKey\"\r\n $ = \"method0\"\r\n $ = \"failed to read output from process\"\r\n condition:\r\n filesize\u003c50KB and 4 of them\r\n}\r\nrule CrowdStrike_VANGUARD_PANDA_timewarp_webshell_jar : java vanguard_panda\r\n{\r\n meta:\r\n copyright = \"(c) 2023 CrowdStrike Inc.\"\r\n 
description = \"JAR file containing Timewarp webshell\"\r\n version = \"202306131011\"\r\n last_modified = \"2023-06-13\"\r\n actor = \"VANGUARD PANDA\"\r\n strings:\r\n $WsSci = \"/WsSci.class\"\r\n $abc1 = \"/A.class\"\r\n $abc2 = \"/B.class\"\r\n $abc3 = \"/C.class\"\r\n $timewarp1 = \"/Timewarp.class\"\r\n $timewarp2 = \"/Timewarp2.class\"\r\n $timewarp3 = \"/Timewarp3.class\"\r\n condition:\r\n uint16(0)==0x4b50 and filesize\u003c1MB and $WsSci and (all of ($abc*) or all of ($timewarp*))\r\n}\r\nrule CrowdStrike_VANGUARD_PANDA_webshell_installer : java vanguard_panda\r\n{\r\n meta:\r\n copyright = \"(c) 2023 CrowdStrike Inc.\"\r\n description = \"ClassLoader - Java webshell install and execute script\"\r\n version = \"202306131012\"\r\n last_modified = \"2023-06-13\"\r\n actor = \"VANGUARD PANDA\"\r\n strings:\r\n $ = \"\"\r\n $ = \"customEndpoint1\"\r\n $ = \"move true\r\n\"\r\n $ = \"inject true\r\n\"\r\n $ = \"ListName_jsp\"\r\n $ = \"photohelp_jsp\"\r\n $ = \"photoparse_jsp\"\r\n $ = \"Timewarp.class\"\r\n $ = \"WsSci.class\"\r\n $ = \"/A.class\"\r\n $ = \"srcZipfs.getPath\"\r\n condition:\r\n filesize\u003c50KB and 4 of them\r\n}\r\nAdditional Resources\r\nLearn how any size organization can achieve optimal security with Falcon Complete by visiting the\r\nproduct webpage.\r\nRequest a free CrowdStrike Intelligence threat briefing and learn how to stop adversaries targeting your\r\norganization.\r\nThe industry-leading CrowdStrike Falcon platform sets the new standard in cybersecurity. Watch this demo\r\nto see the Falcon platform in action.\r\nExperience how the industry-leading CrowdStrike Falcon platform protects against modern threats. 
Start\r\nyour 15-day free trial today.\r\nSource: https://www.crowdstrike.com/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/"
	],
	"report_names": [
		"falcon-complete-thwarts-vanguard-panda-tradecraft"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434057,
	"ts_updated_at": 1775826720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6de9b7c574c2748bf992eeceb184093824621449.pdf",
		"text": "https://archive.orkl.eu/6de9b7c574c2748bf992eeceb184093824621449.txt",
		"img": "https://archive.orkl.eu/6de9b7c574c2748bf992eeceb184093824621449.jpg"
	}
}