{
	"id": "e9985cf3-7128-4cf9-885d-7592aaa9ef15",
	"created_at": "2026-04-06T00:21:28.898991Z",
	"updated_at": "2026-04-10T03:37:26.430031Z",
	"deleted_at": null,
	"sha1_hash": "6eb21f4f8c2ac81264f9ff5548b47d5593882d6c",
	"title": "Exploring Bergard: Old Malware with New Tricks | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1381867,
	"plain_text": "Exploring Bergard: Old Malware with New Tricks | Proofpoint US\r\nBy Darien Huss, January 28, 2016\r\nPublished: 2016-01-28 · Archived: 2026-04-05 12:49:02 UTC\r\nUpdated 06/24/2016\r\nThe Bergard Trojan and the C0d0so group that made it famous with the November 2014 watering hole attack [1] via Forbes.com have received renewed attention recently, with other researchers [2] potentially linking emerging tools and recent attacks to the group. Proofpoint researchers conducted a historical analysis of samples related to this research and uncovered new malware variants as well as the likely origins and methods of infection.\r\nMany of these samples have not been discussed publicly and several have very little or no anti-virus coverage. The analysis that follows covers completed, historical attacks as well as an extremely recent and ongoing attack, providing insight into the volume and timeline of infections and a timeline of attacker-initiated actions using a novel malware family.\r\nCommon link\r\nIn the malware used in the Forbes watering hole attack (the Bergard Trojan [3]), a simple single-byte XOR encoding technique (Fig. 1) was used to encode potentially suspicious strings, with 5 bytes of padding placed before each string (Fig. 2).\r\nFigure 1: String deobfuscation in sample: 3e92802ba89f3f2f66ce04311e0f3882\r\nhttps://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks\r\nPage 1 of 19\n\nFigure 2: Deobfuscated strings in sample: 3e92802ba89f3f2f66ce04311e0f3882\r\nAdditionally, some of the variants contain a common PRNG algorithm that is seeded with GetTickCount (Fig. 3) and used to pseudo-randomly generate lowercase letters (Fig. 4). 
By leveraging these two techniques utilized by Bergard, we were able to uncover new malware families and several adversary campaigns.\r\nFigure 3: PRNG algorithm in sample: 3e92802ba89f3f2f66ce04311e0f3882\r\nFigure 4: PRNG algorithm usage in sample: 3e92802ba89f3f2f66ce04311e0f3882\r\nRelated variants\r\nThere are several unique strings embedded in the first samples we analyzed which were also found in completely different malware families. In most of the samples we analyzed, these strings were encoded using the same scheme described in the previous section; however, some older variants contained no XOR encoding but still used the 5-byte padding layout for interesting/suspicious strings. To research possibly related samples and to find completely new malware families, we developed a “shotgun yara” [4] approach that, coupled with unique strings found commonly in related samples, allowed us to discover completely new malware families.\r\nIn the next sub-sections we discuss several of the already known malware families and clusters we have found, as well as several previously unreported malware families that may exist in currently active attack campaigns.\r\nPGV_PVID Variant\r\nWe refer to this family as the PGV_PVID variant based on the cookie variable utilized in the network beacons generated by these samples (Fig. 5). 
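The single-byte XOR string encoding described in the Common link section, as an added worked example (this is not code from the Proofpoint report): the script below lays out a few constructed strings the way the report describes, 5 bytes of padding followed by the XOR-encoded string, and then recovers them. It scores all 256 keys by the printable runs each one produces, which is the usual first pass when hunting, and then pins the key down with a known string (a crib), the way the report used unique strings shared by related samples. The key 0x90, the zero-byte padding content, the minimum string length and the sample strings are assumptions for the example; the report only states that 5 bytes of padding precede each string.

```python
# Added example: recovering single-byte XOR encoded strings from a blob.
# Assumptions (not from the report): the 5 padding bytes are zero, the key
# is 0x90, and a useful string is at least 6 printable characters long.

PAD = bytes(5)                      # assumed: 5 zero bytes before each string
MIN_LEN = 6                         # assumed minimum length of a useful string
PRINTABLE = set(range(0x20, 0x7f))  # space through tilde


def xor_bytes(data, key):
    '''XOR every byte of data with the single-byte key.'''
    return bytes(b ^ key for b in data)


def build_blob(strings, key):
    '''Lay out strings the way the report describes: 5 bytes of padding,
    then the XOR-encoded string. The padding content is an assumption.'''
    out = bytearray()
    for s in strings:
        out += PAD + xor_bytes(s.encode('ascii'), key)
    return bytes(out)


def printable_runs(data, min_len=MIN_LEN):
    '''Printable ASCII runs in data that are at least min_len long.'''
    runs, cur = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode('ascii'))
        cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode('ascii'))
    return runs


def score_key(data, key):
    '''Total length of the printable runs a key produces: a cheap
    plausibility score for hunting when no plaintext is known.'''
    return sum(len(r) for r in printable_runs(xor_bytes(data, key)))


def rank_keys(data):
    '''All 256 keys as (key, score) pairs, best score first.'''
    scored = [(k, score_key(data, k)) for k in range(256)]
    return sorted(scored, key=lambda ks: ks[1], reverse=True)


def key_from_crib(data, crib):
    '''Keys under which a known string (crib) appears in the decoded blob.
    This mirrors the report: unique strings from related samples pin the
    key down where run scoring alone cannot.'''
    want = crib.encode('ascii')
    return [k for k in range(256) if want in xor_bytes(data, k)]


def recover_strings(data, crib):
    '''Recover the key via the crib, then the padded strings.'''
    keys = key_from_crib(data, crib)
    if len(keys) != 1:
        raise ValueError('crib matched %d keys' % len(keys))
    return keys[0], printable_runs(xor_bytes(data, keys[0]))


# Constructed sample strings modelled on what such malware hides; the URL
# is a placeholder, not an indicator from the report.
SAMPLE_STRINGS = [
    'hxxp://www.example.invalid/pwninfo.php',
    'Mozilla/4.0 (compatible; MSIE 7.0)',
    'cmd.exe /c',
]
SAMPLE_BLOB = build_blob(SAMPLE_STRINGS, 0x90)

if __name__ == '__main__':
    top_score = rank_keys(SAMPLE_BLOB)[0][1]
    plausible = [k for k, s in rank_keys(SAMPLE_BLOB) if s == top_score]
    print('keys tied at the top score: %s' % ', '.join('0x%02x' % k for k in plausible))
    key, strings = recover_strings(SAMPLE_BLOB, 'Mozilla/')
    print('key confirmed by crib: 0x%02x' % key)
    for s in strings:
        print('  ' + s)
```

Running it shows why the crib step matters: on a short blob, several keys that differ from 0x90 only in their low bits (0x91, 0x92, 0x94 and so on) also turn the data into printable runs, so run scoring alone leaves a tie, while the crib selects 0x90 uniquely.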
The samples that we were able to find with similar string encoding, PRNG algorithm, and similarly structured C2 beacon may be found in the IOCs section; a graph of the samples and their associated C2 is shown in Figure 6.\r\nFigure 5: PGV_PVID variant C2 beacon\r\nFigure 6: Maltego graph of PGV_PVID variants\r\nIn numerous samples in at least the PGV_PVID family, the domain www.nsa[.]org[.]cn may be found encoded separately from the typical 5-byte padded obfuscated strings. For example, in sample 76259880a346ac1c3c8a9795af134f59 the following string is embedded in an encoded state using XOR key 0x90: [hxxp://www[.]nsa.org[.]cn/pwninfo[.]php]. This domain appears in an article citing a July 2, 2015 internal Department of Homeland Security report claiming that it was used in one of the breaches listed in the internal report [5]. We have been unable to confirm whether or not the domain appeared in the cited report, nor were we able to determine which breach the domain was related to, if any.\r\nUID_SID Variant\r\nSimilar to the last variant, we refer to this one based on the Cookie variables that are used in the C2 beacons (Fig. 7,8). Unlike the last cluster, however, this variant appears to have been used in an extensive DDNS cluster of infrastructure dating back to at least 2013. Tool usage in this cluster includes Gh0st, PlugX, Jolob, and Bergard (Fig. 
9).\r\nFigure 7: UID_SID variant GET C2 beacon\r\nFigure 8: UID_SID variant POST C2 beacon\r\nFigure 9: Maltego graph of UID_SID variant and related activity\r\nIn one instance related to this cluster of activity, we observed Bergard (md5: d778f8d822376ccd4d2e9dd7f2f0f947) receive instructions from its C2 to retrieve a PNG file (Fig. 10) containing an encoded PlugX payload (md5: 5c36e8d5beee7fbc0377db59071b9980). For an explanation of the values received in the instructions from C2, refer to Table 1.\r\nFigure 10: Bergard retrieving commands and encoded payload\r\nTable 1: Description of Bergard C2 response\r\nItem Description\r\nsrc= Location of encoded payload\r\ntest1 Payload offset\r\ntest2 Payload end\r\ntest3 XOR key\r\ntest4 Unknown\r\ntest5 Command. Supported commands: !info, !axel, !exec\r\nTXER\r\nWhile hunting for additional payloads that may be related to the previously mentioned Bergard samples, we came across what appears to be a malicious payload that utilizes the Tox protocol [6] to connect to a controller. The two samples we found both contained string encoding identical to that of the previous samples we analyzed (Fig. 11). This payload is still being analyzed to determine its full capabilities; however, it appears to be at least capable of receiving and executing additional payloads. We may provide an update at a later time once this payload is fully understood.\r\nFigure 11: TXER string encoding and decoded strings\r\nBassos Campaign\r\nDuring our research, we came across a recent campaign that is connected to a different currently active and ongoing campaign with potentially thousands of compromised victims. We are referring to this campaign as
We first discovered this threat after analyzing a compressed archive that was uploaded to VirusTotal (VT)\r\non January 5th, 2016. Several items of importance were located in this archive, including VBS downloaders, a\r\nJava backdoor, and two Trojans containing identical string encoding with 5-byte padding: a custom Trojan  (aka,\r\nCustomTCP) that beacons to port 22 and a new Trojan we refer to as Rekaf (Table 2).\r\nTable 2. Description of archive contents\r\nFilename MD5 Hash Description\r\ntmp.vbs 9fc086b05787fb2e6c201de63e6e0698 VBS Downloader. Payload: likely CustomTCP\r\nmc.vbs 5029b0d6f6621bf8e8f524fcea69d2b8 VBS Downloader. Payload: Rekaf\r\nMcAltLib.dll b06a3a9744e9d4c059422e7ad729ef90 CustomTCP Trojan\r\ndbgeng.dll 2123c5c24d8c06a10807458630751ded Rekaf\r\ntk.jar 9d863756a69401765252f5133023240c Java Backdoor\r\nAlthough we did not discover these samples in the wild, they potentially provide a glimpse into how the custom\r\ndownloader and Rekaf are delivered to victims. Both VBS scripts operate very similarly, with one primary\r\ndifference being that the mc.vbs script contains status reporting functionality to the following domain:\r\nwww.jweblogic.com (Fig. 12) as well as checks if the “360rp” service is running (if found, it will not continue).\r\nFigure 12: VBS Downloader reporting system information to status server\r\nAn additional, slightly different version of mc.vbs was also found (md5: 9f47f04aa9eb72f749cbf4bb7e40c446).\r\nOf the payload locations observed in the VBS scripts, we were able to retrieve payloads only from\r\n210.181.184.64. We were also able to retrieve mcs.exe (md5: 1501eed51578e795af7f2f5fb3078178) and\r\nhttps://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks\r\nPage 9 of 19\n\nMcAltLib.dll (md5: 26e863f917da0b3f7a48304eb6d1b1d3) from 218.54.139.20, however we found no VBS\r\nscript referencing that download location. 
The exact same or similar mcs.exe/McAltLib.dll combination was also\r\nlikely hosted on 42.200.18.194 [2] (Fig. 13).\r\nFigure 13: Locations hosting 1501eed51578e795af7f2f5fb3078178 reported by VT\r\nAll three locations appear to be legitimately compromised websites in addition to hosting Jboss Application Server\r\n(JAS). It is our hypothesis that these legitimate compromised sites were all compromised sometime after early\r\nNovember using CVE-2015-7501 [7,8] and publicly available exploit code [9]. Several items support this\r\nhypothesis:\r\nMany samples have compile times between November and now\r\nMany samples first appeared in our sample exchange and on VT between November and now\r\nCVE-2015-7501 received significant media attention in early November\r\nThe java backdoor contained in the archive found on VT appeared in public exploit code for CVE-2015-\r\n7501 [10]\r\nThe archive found on VT contains JAS logs of what appears to be a vulnerable version of JAS\r\nJboss themed C2 infrastructure\r\nWithout having analyzed the compromised servers, nor observing the first stage in any of the campaigns, it is\r\nimpossible to know for certain if that is the vector of compromise for these legitimate websites. A broad overview\r\nof this campaign is provided in Maltego graph form in Figure 14.\r\nFigure 14: Maltego graph of Bassos campaign\r\nRekaf\r\nhttps://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks\r\nPage 10 of 19\n\nLike the custom downloader/McAltLib.dll payload, Rekaf/dbgeng.dll utilizes a signed, legitimate executable\r\n(iefix.exe) and DLL Search Order Hijacking [11] for execution. Upon successful execution, Rekaf first collects\r\nvarious system information in the format found in Figure 15. 
As shown in the image, this is likely the first version of Rekaf, according to the ver0.0.1 indicator that is hardcoded in the sample.\r\nFigure 15: Rekaf collected information exfiltrated to C2\r\nPrior to submitting the collected information to C2, the information is encoded with the first byte of the MAC address, which is appended after the keyid variable in the URI (Fig. 16).\r\nFigure 16: Rekaf HTTP POST C2 Beacon\r\nIf the server responds with an encoded string “Login Server Success”, the Rekaf bot continues to perform HTTP GET requests to the server until it receives a command. Supported commands are listed in Table 3. Rekaf also stores detailed debug information in the file MSHelper.bin, appended to the result of the WinAPI GetTempPath call. We have observed the adversaries retrieve this log from an infected machine with a timezone of GMT+8 on at least one occasion using the download command.\r\nTable 3: Rekaf supported commands and descriptions\r\nCommand Description\r\nupload Download file from C2\r\ndownload Upload file to C2\r\ncmdshell Perform issued command using cmd.exe\r\nupdate Retrieve an updated payload\r\nLastly, Rekaf contains several encoded PEs embedded inside itself which may be dropped and executed in certain situations. Their functionality is still being analyzed and will not be covered in this report.\r\nMonitoring Rekaf C2: 108.171.240.208\r\nUpon discovering Rekaf, we began passively monitoring the C2 to gain insight into the adversaries' operation. During our monitoring, we were able to collect information related to botnet volume in addition to a timeline of certain actions the adversaries conducted. While monitoring the Rekaf C2 we observed over two thousand unique infections. Figure 17 shows a frequency graph of new and duplicate infections occurring by date. 
Two dates, 12/22/15 and 1/19/16, have enormous peaks that could have occurred for a number of reasons, including:\r\n12/22/15 was the beginning of a new campaign that may have stretched through to 12/30/15\r\n1/19/16 (and possibly 12/22/15): the botnet was updated, re-initialized, or C2 data was wiped\r\nThere could be other explanations for the peaks; however, because our monitoring began in the middle of a campaign, our picture of the C2 may not be complete.\r\nFigure 17: Volume graph of Rekaf infections by date (GMT)\r\nIn addition to monitoring infection volume, we also compiled a list of various actions we observed the adversaries take, including: executables placed onto the C2, commands sent to bots, large infection spikes, and compile timestamps for related executables (Fig. 18).\r\nFigure 18: Adversary actions graph by time of day\r\nThis is useful from an attribution standpoint as it could potentially reveal a normal working day for the adversary group. Our analysis of the available data suggests that this adversary group is located geographically somewhere in or near the GMT+8 timezone, assuming they maintain normal working hours from 9am-10am to 6pm-8pm. An additional result from our analysis is that no observed actions were ever performed on a weekend (GMT), providing further evidence that this is most likely an organized outfit that functions during a standard work week.\r\nUnfortunately the method we used for data collection could have resulted in us analyzing doctored data, including modified PE compile timestamps. 
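The working-hours analysis described above, as an added example (this is not code from the report, and the timestamps are not its data): given UTC timestamps of observed adversary actions, the script tries every whole-hour UTC offset, counts how many actions fall inside an assumed 09:00 to 20:00 local window on a weekday, and reports the best-fitting offsets; weekend (GMT) activity is listed separately, as the report does. The event times below are constructed so that a GMT+8 working day is the right answer; the working window and the range of candidate offsets are assumptions.

```python
# Added example: estimate an actor's working timezone from UTC event times.
# The events below are constructed for the example, not data from the report.
from datetime import datetime, timedelta, timezone

WORK_START = 9    # assumed start of the working day (local hour, inclusive)
WORK_END = 20     # assumed end of the working day (local hour, exclusive)

# Constructed UTC timestamps of hypothetical adversary actions (compile
# times, payloads staged on the C2, commands issued). An actor in GMT+8
# working 09:00-20:00 produces UTC times between 01:00 and 12:00.
EVENTS_UTC = [
    datetime(2016, 1, 11, 1, 30, tzinfo=timezone.utc),   # Mon 09:30 GMT+8
    datetime(2016, 1, 11, 6, 5, tzinfo=timezone.utc),    # Mon 14:05 GMT+8
    datetime(2016, 1, 12, 2, 15, tzinfo=timezone.utc),   # Tue 10:15 GMT+8
    datetime(2016, 1, 13, 9, 40, tzinfo=timezone.utc),   # Wed 17:40 GMT+8
    datetime(2016, 1, 14, 3, 0, tzinfo=timezone.utc),    # Thu 11:00 GMT+8
    datetime(2016, 1, 15, 11, 20, tzinfo=timezone.utc),  # Fri 19:20 GMT+8
    datetime(2016, 1, 15, 16, 45, tzinfo=timezone.utc),  # Sat 00:45 GMT+8 (outlier)
]
# Constructed control event on a Saturday (GMT) to show weekend reporting.
SATURDAY_EVENT_UTC = datetime(2016, 1, 16, 4, 0, tzinfo=timezone.utc)


def local_fit(events, offset_hours):
    '''Count events that land in the working window on a weekday when
    shifted to UTC+offset_hours.'''
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ev in events:
        local = ev.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits


def best_offsets(events):
    '''UTC offsets (in hours, -12 to +14) with the most working-hour hits.
    Adjacent offsets often tie, which is why a result supports a region
    (in or near GMT+8) rather than one zone.'''
    scores = {off: local_fit(events, off) for off in range(-12, 15)}
    top = max(scores.values())
    return [off for off, s in scores.items() if s == top]


def weekend_events_utc(events):
    '''Events that fall on a Saturday or Sunday in UTC; the report treats
    the absence of such events as evidence of a standard work week.'''
    return [ev for ev in events if ev.weekday() >= 5]


if __name__ == '__main__':
    print('best fitting offsets:', best_offsets(EVENTS_UTC))
    print('weekend (GMT) events:', len(weekend_events_utc(EVENTS_UTC)))
    print('with the Saturday control event:',
          len(weekend_events_utc(EVENTS_UTC + [SATURDAY_EVENT_UTC])))
```

Compile timestamps and C2 staging times are inputs to this fit, not independent evidence, so the report's caveat about possibly doctored timestamps applies directly: a handful of forged values shifts the best-fitting offset.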
Based on observed activity by this adversary group, however, at this time we do not believe that timestamps were modified in any of the data we analyzed.\r\nVirdetDoor\r\nWhile monitoring the Rekaf C2 we observed the adversaries prepare what appears to be a new implant for delivery to already infected bots. We have named this backdoor VirdetDoor as it utilizes a signed WinDivert driver [12] for part of its operation. This executable may take two different command line arguments: -v, which enables verbose logging to a file named msocache7.log, and -l [port], which changes the default listener port from 6666 to the specified port. The payload first listens for the string “Aabac” to initiate a connection. This payload is still being analyzed to determine its full capabilities and to confirm that it is in fact malicious in nature. We may provide an update at a later time once this payload is fully understood.\r\nCustomTCP\r\nThe CustomTCP Trojan (aka the Port 22 Variant) was covered in a recent article [2] that tentatively attributed it to C0d0s0 and pointed out the same similarities to the November 2014 Forbes watering hole attack that we discussed earlier. The adversaries controlling the 108.171.240.208 C2 appear to be utilizing this malware extensively, as we observed them prepare four different CustomTCP payloads for delivery to already infected bots. This is in addition to other payloads we discovered while conducting our hunting research.\r\nAttribution\r\nRecently the Bassos campaign has already been attributed to ‘C0d0s0’ (aka Codoso) [2]. Based on the mail-news.eicp.org cluster of activity, that campaign appeared to have slightly different tactics, techniques, and procedures (TTPs), including potentially target-themed domain infrastructure as well as heavy reliance on dynamic DNS for C2 domains. 
Due to the varying TTPs in infrastructure, we think it is possible that Bergard and the related toolset could now be shared by multiple adversary groups. If that is the case, observing Bergard usage and related families does not provide a clear indication that the C0d0s0 group is involved. Attribution becomes increasingly difficult as adversaries evolve and adapt, so we have provided the data available to us to better assist organizations in formulating their own attribution.\r\nConclusion\r\nThe historical analysis conducted by Proofpoint researchers on recently completed campaigns revealed actions by what appear to be well-organized actors consistent with advanced persistent threats. Additionally, the in-depth analysis above of a currently ongoing campaign, Bassos, being conducted by possibly the same actor (‘C0d0s0’, ‘Codoso’) as the Forbes watering hole attack in 2014, provides insight into the adversary's activities and the infection volume related to the Bassos campaign. The mail-news campaign, PGV_PVID campaign, and UID_SID variants may also be linked to C0d0s0. However, the differences in TTP could indicate that the Bergard toolset is now available to multiple adversary groups. 
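As an added example (not code from the report), the script below turns the beacon features the report names into detection logic and runs it over a few constructed proxy log lines: the PGV_PVID cookie, the UID and SID cookies, the Rekaf POST that carries a keyid variable in the URI, and a subset of the domains from the IOC lists that follow. The log format, the exact cookie names and the keyid query-parameter form are assumptions; the report shows the real beacons only in its figures. The UID_SID rule requires both cookies so that a lone SID cookie, which legitimate sites also set, does not fire.

```python
# Added example: flag Bergard-family beacon shapes and known C2 domains in
# proxy logs. Log format, cookie names and the keyid parameter form are
# assumptions for the example; the exact beacons are only shown in the
# report's figures, which are not reproduced in the text.

# Domains taken from the report's IOC lists (a subset).
IOC_DOMAINS = {
    'www.svsk.net', 'host02.jacosb.com',          # PGV_PVID variant
    'mail-news.eicp.net', 'mail-ru.3322.org',     # mail-news campaign
    'www.jbossas.org', 'www.supermanbox.org',     # CustomTCP
    'www.xjjboss.com', 'www.office365e.com',      # Rekaf
    'www.microsoft-cache.com',                    # Bergard (Bassos)
    'www.jweblogic.com',                          # VBS downloader status server
}

# Constructed proxy log lines: time | client | method | host | path | Cookie header
LOG_LINES = [
    '2016-01-20T01:12:03Z | 10.0.0.5 | POST | www.xjjboss.com | /login.php?keyid=3a | -',
    '2016-01-20T01:15:44Z | 10.0.0.7 | GET | www.svsk.net | /news/index.html | PGV_PVID=1f3c9e; lang=en',
    '2016-01-20T01:18:10Z | 10.0.0.9 | GET | cdn.example.invalid | /img/1.gif | UID=41af; SID=9c02',
    '2016-01-20T01:20:31Z | 10.0.0.5 | GET | www.google.com | /search?q=jboss | NID=204; SID=xyz',
]


def parse_line(line):
    '''Split one constructed log line into a dict of its fields.'''
    ts, client, method, host, path, cookie = [f.strip() for f in line.split(' | ')]
    return {'ts': ts, 'client': client, 'method': method,
            'host': host, 'path': path, 'cookie': cookie}


def cookie_names(cookie_header):
    '''Names of the cookies in a Cookie header value (a dash means none).'''
    if cookie_header == '-':
        return set()
    return {part.strip().split('=', 1)[0]
            for part in cookie_header.split(';') if part.strip()}


def query_params(path):
    '''Parameter names in the query string of a request path.'''
    if '?' not in path:
        return set()
    return {kv.split('=', 1)[0] for kv in path.split('?', 1)[1].split('&') if kv}


def classify(entry):
    '''Return the detection tags that apply to one parsed log entry.'''
    tags = []
    names = cookie_names(entry['cookie'])
    if 'PGV_PVID' in names:
        tags.append('pgv_pvid_beacon')
    if {'UID', 'SID'} <= names:          # both cookies, not SID alone
        tags.append('uid_sid_beacon')
    if entry['method'] == 'POST' and 'keyid' in query_params(entry['path']):
        tags.append('rekaf_beacon')
    if entry['host'].lower() in IOC_DOMAINS:
        tags.append('known_c2_domain')
    return tags


def scan(lines):
    '''Run the detections over log lines; returns (line number, tags) hits.'''
    hits = []
    for number, line in enumerate(lines, start=1):
        tags = classify(parse_line(line))
        if tags:
            hits.append((number, tags))
    return hits


if __name__ == '__main__':
    for number, tags in scan(LOG_LINES):
        print('line %d: %s' % (number, ', '.join(tags)))
```

The third line hits on beacon shape alone even though its host is not in any IOC list, which is the point of pairing shape rules with indicator lists: domains change between campaigns, beacon formats change less often. The fourth line, a normal search with a SID cookie, produces no tag.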
Regardless of the exact attribution for the attack, organizations, researchers, and vendors should take note of the growing potential footprint of the Bergard toolset.\r\nIndicators of Compromise (IOCs)\r\nTXER\r\n16652d4213991ae58e268ae03a4c4e97\r\ne81f9dadbdc7eea937e586afc9fb59f8\r\nPGV_PVID Samples\r\n5d806ec66b172734a65f04d8588ef8f8\r\n17b0af26d2253528595d6ab6a85db539\r\nb5c32b44961c7400bd08bc4ca12a83a1\r\n86340ce88ced1c9c67be335caad8bf9f\r\ne8e70c707e7b2411056074781d405e3f\r\n2fa3688d9325601dab3606685d9caa34\r\nd31cc850e8e5a373e081ac8226c12183\r\ne2b6958c1b13d2311a47c9b70ab94cfa\r\n7c2890024f574a8b902b5d8ea8b63a0c\r\nf54870c6ac4757271f94fdfded9fa2c1\r\n4979e819d3ffbea81c7111fb515c1c76\r\n76259880a346ac1c3c8a9795af134f59\r\nPGV_PVID Domains\r\nwww.svsk.net\r\npadview.chickenkiller.com\r\nhost02.jacosb.com\r\ncorpnt.crabdance.com\r\npluslinkera.appspot.com\r\nlic03.verhosts.com\r\ncss.advicdesign.com\r\nweb01.kruul.com\r\nMail-news campaign\r\nBergard samples\r\nd778f8d822376ccd4d2e9dd7f2f0f947\r\nc0b0330eb869e2bf0b6cb15bfbf4cd92\r\nUID_SID samples\r\n495877d3c5066ef80184ba53079067cb\r\n7c5e4b0da9350c27c8f0b3435d983fcd\r\nGh0st samples\r\nac2f55cefd715937e9584752b706712b\r\n62c6f595b570eafda24cab01dc2e18a2\r\n6b7cfb983a2dc2338b89cbadd837c801\r\n4e2d8ca775d0214e2532acd778b91424\r\nJolob samples\r\nfeb0a1aa99f086401109b3fcea6d2feb\r\n57063db0c5e76624b7f947759d396596\r\nPlugX samples\r\n2c7bad4f4a4df3025aa1345db27c7408\r\nd80e3af7732993ceba88bce377d4be1a\r\na0e157729a765dcdb92d9a28b0a4025d\r\n74fa8ec55482ca81b41dfd356af9b187\r\n5c36e8d5beee7fbc0377db59071b9980\r\nConfirmed Mail-news Domains\r\nmail-news.eicp.net\r\nmail-ru.3322.org\r\nras-ru.eatuo.com\r\nria-ru.xicp.net\r\nras-ru.oicp.net\r\nBassos Campaign\r\nVBS Downloader\r\n5029b0d6f6621bf8e8f524fcea69d2b8\r\n9f47f04aa9eb72f749cbf4bb7e40c446\r\n9fc086b05787fb2e6c201de63e6e0698\r\nCustomTCP samples\r\nb06a3a9744e9d4c059422e7ad729ef90\r\n2d5d0d991999610457c562532b21209f\r\n26e863f917da0b3f7a48304eb6d1b1d3\r\na35b22e2743bf9206b06cbd8f80fe29a\r\nab108484b1e75f5562525145cecb4f4a\r\n1a7fcb0b406a64c3aea050ea58529596\r\nf6de770ad52015f18d0a2344815e408d\r\naa2c1bdeff0076ccd79d4cb6ae29f1d8\r\ncd8c2bb644496d46bf1e91ad8a8f882b\r\nCustomTCP Domains\r\nsupermanbox.org\r\nwww.supermanbox.org\r\nwww.jbossas.org\r\nRekaf samples\r\n2123c5c24d8c06a10807458630751ded\r\n138437593145610a477e14b9a6560ee1\r\nc684507f37a207ffe8a67afdaf4adcc1\r\nRekaf Domains\r\nwww.xjjboss.com\r\nwww.office365e.com\r\nwww.ukoffering.com\r\nBergard samples\r\n1cb673679f37b6a3f482bb59b52423ab\r\n8afecc8e61fe3805fdd41d4591710976\r\n2161c859b21c1b4b430774df0837da9d\r\nBergard Domains/IP\r\nwww.microsoft-cache.com\r\n106.185.43.96\r\nJava Backdoor\r\n9d863756a69401765252f5133023240c\r\nVirdetDoor\r\n135d00ece30efd46cf279645771f6f92\r\ncf488e31889546b5f1688d271ca0d51f\r\n5d0dbadf8ef50fb6c18ac4b0ea1b5562\r\nAdditional CustomTCP Payloads\r\n40a00b89365c739950140697a6474286\r\nea8545992806966484baafbcdf79bfdc\r\n7ddf02a5afaab8e03ebd9af04b76603a\r\n885c5eb20c3b40eed76fd3c48b912697\r\na4fe7449dae9a1a38497069c2a574309\r\nd7e2c212ffc8f1639fc0120888ea30cd\r\nUnclustered Bergard\r\nSamples\r\ne5274ff02184a304d45d42ca953148ce\r\n7f466312a3b1176f052f8c05f7781715\r\nDomains\r\nf1a9d91a738041a8.appspot.com\r\nf5310cff818ea0e7.appspot.com\r\nReferences\r\n1. http://www.isightpartners.com/2015/02/codoso/\r\n2. http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/\r\n4. https://github.com/darienhuss/shotgunyara/blob/master/shotgunyara.py\r\n5. http://freebeacon.com/national-security/opm-hack-part-of-large-scale-cyber-attack-on-personal-data/\r\n6. https://en.wikipedia.org/wiki/Tox_%28protocol%29\r\n7. http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/\r\n8. https://access.redhat.com/solutions/2045023\r\n9. https://github.com/Xyntax/JBoss-exp/\r\n10. https://github.com/Xyntax/JBoss-exp/blob/master/iswin.jar\r\n11. https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html\r\n12. https://reqrypt.org/windivert.html\r\nSource: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
	],
	"report_names": [
		"exploring-bergard-old-malware-new-tricks"
	],
	"threat_actors": [
		{
			"id": "1f3cf3d1-4764-4158-a216-dd6352e671bb",
			"created_at": "2022-10-25T15:50:23.837615Z",
			"updated_at": "2026-04-10T02:00:05.322197Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"APT19",
				"Codoso",
				"C0d0so0",
				"Codoso Team",
				"Sunshop Group"
			],
			"source_name": "MITRE:APT19",
			"tools": [
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f",
			"created_at": "2022-10-25T16:07:23.335869Z",
			"updated_at": "2026-04-10T02:00:04.547702Z",
			"deleted_at": null,
			"main_name": "APT 19",
			"aliases": [
				"APT 19",
				"Bronze Firestone",
				"C0d0so0",
				"Checkered Typhoon",
				"Codoso",
				"Deep Panda",
				"G0009",
				"G0073",
				"Operation Kingslayer",
				"Red Pegasus",
				"Sunshop Group",
				"TG-3551"
			],
			"source_name": "ETDA:APT 19",
			"tools": [
				"Agentemis",
				"C0d0so0",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"EmPyre",
				"EmpireProject",
				"Fire Chili",
				"PowerShell Empire",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "06f622cb-3a78-49cf-9a4c-a6007a69325f",
			"created_at": "2022-10-25T16:07:23.315239Z",
			"updated_at": "2026-04-10T02:00:04.537826Z",
			"deleted_at": null,
			"main_name": "APT 3",
			"aliases": [
				"APT 3",
				"Boron",
				"Brocade Typhoon",
				"Bronze Mayfair",
				"Buckeye",
				"G0022",
				"Gothic Panda",
				"Group 6",
				"Operation Clandestine Fox",
				"Operation Clandestine Fox, Part Deux",
				"Operation Clandestine Wolf",
				"Operation Double Tap",
				"Red Sylvan",
				"TG-0110",
				"UPS Team"
			],
			"source_name": "ETDA:APT 3",
			"tools": [
				"APT3 Keylogger",
				"Agent.dhwf",
				"BKDR_HUPIGON",
				"Backdoor.APT.CookieCutter",
				"Badey",
				"Bemstour",
				"CookieCutter",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EXL",
				"EternalBlue",
				"HTran",
				"HUC Packet Transmit Tool",
				"Hupigon",
				"Hupigon RAT",
				"Kaba",
				"Korplug",
				"LaZagne",
				"MFC Huner",
				"OSInfo",
				"Pirpi",
				"PlugX",
				"RedDelta",
				"RemoteCMD",
				"SHOTPUT",
				"Sogu",
				"TIGERPLUG",
				"TTCalc",
				"TVT",
				"Thoper",
				"Xamtrav",
				"remotecmd",
				"shareip",
				"w32times"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434888,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6eb21f4f8c2ac81264f9ff5548b47d5593882d6c.pdf",
		"text": "https://archive.orkl.eu/6eb21f4f8c2ac81264f9ff5548b47d5593882d6c.txt",
		"img": "https://archive.orkl.eu/6eb21f4f8c2ac81264f9ff5548b47d5593882d6c.jpg"
	}
}