{
	"id": "f7050b32-4a2e-44aa-bc04-0e566ea17c9d",
	"created_at": "2026-04-06T01:30:11.498628Z",
	"updated_at": "2026-04-10T03:32:20.768468Z",
	"deleted_at": null,
	"sha1_hash": "703a5ad73d4de0ea87b21bcce1a3ff78c5d2e7e8",
	"title": "Reptile Malware Targeting Linux Systems",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1321841,
	"plain_text": "Reptile Malware Targeting Linux Systems\r\nBy ATCP\r\nPublished: 2023-07-20 · Archived: 2026-04-06 00:41:13 UTC\r\nReptile is an open-source kernel module rootkit that targets Linux systems and is publicly available on GitHub. [1] Rootkits\r\nare malware that possess the capability to conceal themselves or other malware. They primarily target files, processes, and\r\nnetwork communications for their concealment. Reptile’s concealment capabilities include not only its own kernel module\r\nbut also files, directories, file contents, processes, and network traffic.\r\nUnlike other rootkit malware that typically only provide concealment capabilities, Reptile goes a step further by offering a\r\nreverse shell, allowing threat actors to easily take control of systems. Port Knocking is the most notable feature out of those\r\nsupported by Reptile. Port Knocking is a method where the malware opens a specific port on an infected system and goes on\r\nstandby. When the threat actor sends a Magic Packet to the system, the received packet is used as a basis to establish a\r\nconnection with the C\u0026C server.\r\nThis method is similar to that of Syslogk, which was mentioned in a previous report by Avast. [2] One key difference is that\r\nSyslogk was developed based on another open-source Linux kernel rootkit called Adore-Ng. However, there are similarities\r\nbetween Syslogk and the features supported by Reptile, such as being on standby in an infected system before being\r\ntriggered by a Magic Packet, and using a customized TinySHell, known as Rekoobe, as a backdoor for their attack.\r\nAfter becoming publicly available on GitHub as open-source, Reptile has been used consistently in attacks. For example, a\r\nrecent report by Mandiant confirmed that a threat group based in China used Reptile in their ongoing attack using the zero-day vulnerability in Fortinet products. 
[3] Furthermore, ExaTrack’s report analyzing the Mélofée malware also identified the Reptile rootkit; ExaTrack attributes that activity to the China-based Winnti attack group. [4]\r\nIn this post, we provide a brief analysis of the basic structure and features of Reptile, followed by a compilation of real-world cases in which it was used in attacks targeting Korean companies. It should be noted that an ICMP shell was also used in the Korean cases. Finally, we summarize the similarities with the Mélofée cases based on the malware’s installation paths and disguised directory names.\r\n1. Analysis of Reptile\r\n1.1. Structure of Reptile\r\nhttps://asec.ahnlab.com/en/55785/\r\nPage 1 of 14\n\nFigure 1. Operation structure of Reptile\r\n1.1.1. Threat Actor’s System\r\nIn addition to the malware installed on the infected system, Reptile ships tools for the threat actor. Listener is a command line tool that is given the port it has to listen on and a password, and waits for a connection from the reverse shell executed on the infected system. Depending on the build options, Reptile can establish a reverse shell connection to a specified address right after installation; in that case the listener running on the C\u0026C server receives the connection and provides the threat actor with a shell.\r\nEven if no C\u0026C server is designated at installation, the Port Knocking method can be used to send a specific packet to the infected system and trigger the reverse shell. This is done with a command line tool called Packet, which takes arguments such as the address the reverse shell should connect to and the protocol to use for the knock. Listener and Packet can be used manually, but they can also be driven through a client that provides an interface.\r\n1.1.2. Affected System\r\nIf no installation path is designated, the malware is installed by default in the /reptile/ directory under the file names reptile, reptile_shell, and reptile_cmd. The loader, reptile, decrypts and loads the Reptile rootkit kernel module that is stored encrypted inside the file. This means the Reptile rootkit does not exist on disk as a kernel module file; it is installed through a decryption step performed by the loader.\r\nFigure 2. Installation directory\r\nreptile_cmd sends commands to the Reptile rootkit; it is executed with the target to be concealed given as an argument and passes that to the rootkit. The reverse shell, reptile_shell, accepts command line arguments and is executed by the Reptile rootkit.\r\nIf the option to connect directly to the C\u0026C server during installation is specified, the corresponding command is written to the /reptile/reptile_start script file. The Reptile rootkit launches the reverse shell by executing this script after the kernel module has been loaded. It can also launch the reverse shell with the decrypted C\u0026C server address as an argument when an address is received through the Port Knocking method.\r\n1.2. Analysis of the Reptile Rootkit\r\nThe reptile file created in the /reptile/ directory is not a kernel module but a user mode application. When the loader runs, it decrypts the Reptile kernel module contained in its data section and loads it into the kernel with the init_module() system call. The same algorithm used for this encryption and decryption is later used to decrypt the Magic Packet. The key is generated from a random value during the build process, so each generated file has a different key.\r\nFigure 3. Encryption function used in Reptile\r\nThe loaded module is itself a kernel module packed with another open-source tool, kmatryoshka. [5] kmatryoshka is a packer implemented as a Linux kernel module: it decrypts the original kernel module, which it carries in encrypted form, and then loads it with sys_init_module(). As such, the original Reptile rootkit exists in packed form in both user mode and kernel mode.\r\nFigure 4. kmatryoshka routine\r\n1.2.1. Analysis of Concealment Feature\r\nReptile uses a Linux kernel function hooking engine called KHOOK to hook kernel functions. [6] For example, it hooks the ip_rcv() kernel function to implement the Port Knocking method, which lets it inspect every packet the system receives.\r\nCommands are delivered to the rootkit with reptile_cmd, which sends an ioctl to the Reptile kernel module. The inet_ioctl() kernel function is hooked to intercept this ioctl. In the data passed with the ioctl, cmd is the command number; commands that need additional data, such as the PID for process concealment, carry it in the argv field of the control structure. AUTH and HTUA are random values generated when Reptile is built. Reptile checks each intercepted ioctl against these values and performs the corresponding action on a match.\r\nFigure 5. Transmission of ioctl\r\nNumber  Command         Description\r\n0       hide / show     Hides or shows the module itself and files\r\n1       hide / show     Hides or shows processes\r\n2       file-tampering  Hides file contents\r\n3       root            Grants root privileges\r\n4       conn hide       Hides network communications\r\n5       conn show       Shows hidden network communications\r\nTable 1. cmd commands\r\nAside from concealment and Port Knocking, Reptile provides a “root” command that grants the current user root privileges. It also supports persistence through udev: the rules file shown below is created in the /lib/udev/rules.d/ directory with the path of the copied loader as its target, so that the loader runs again after a reboot.\r\nFigure 6. Created udev rules file\r\nA. File and Directory Concealment\r\nThe Reptile rootkit hides or shows files and directories in response to the “hide” and “show” commands. The targets are paths that contain the string specified at build time. To achieve this, it hooks several kernel functions that fill directory listings, including fillonedir(), filldir(), and filldir64(); if the concealment string is present in a path name, the hook returns the “ENOENT” (No such file or directory) error for that entry.\r\nFigure 7. Concealment of files and directories\r\nB. Self Concealment\r\nThe “hide” and “show” commands apply not only to files and directories but also to the Reptile kernel module itself. When the “hide” command is received, the module is unlinked from the kernel’s module list. As a result, the lsmod command, which is served from that list, no longer shows the loaded Reptile module.\r\nC. Process Concealment\r\nWhen a PID is given along with the “hide” or “show” command, the process with that PID is concealed. Four main methods are used. One hooks find_task_by_vpid() so that it returns NULL for the concealed process, and another hooks vfs_statx() so that it returns an “EINVAL” (Invalid argument) error. 
Additionally, find_task_by_vpid() is the lookup used by system calls such as getsid() and getpgid(), so those calls fail for the hidden PID as well. Furthermore, hooking next_tgid() makes the concealed process be skipped, so it does not appear in the /proc/ listing. Lastly, the sys_kill and __x64_sys_kill system calls return an “ESRCH” (No such process) error for the hidden PID, so it cannot be terminated with kill. Aside from these, load_elf_binary() is hooked so that processes whose executable path is reptile_shell are hidden automatically.\r\nD. TCP/UDP Concealment\r\nWhen the “conn” command is sent with the IP address of the concealment target as an argument, TCP/UDP network communication with that address is hidden. The tcp4_seq_show() and udp4_seq_show() functions, which produce /proc/net/tcp and /proc/net/udp, are hooked for this purpose, so tools that read those files, such as netstat, no longer show the connection. (ss queries the kernel over netlink by default and does not go through these two functions.)\r\nE. File Content Concealment\r\nReptile provides a file tampering feature that hides part of a file’s contents. When the tags designated at build time are placed in a file, the text between them is concealed from reads. By default the tags are “#\u003creptile\u003e” and “#\u003c/reptile\u003e”. The feature is activated with the “file-tampering” command and is implemented by hooking vfs_read(). Because only the read path is hooked, the bytes on disk are unchanged: an offline copy of the file still contains the hidden text, and a byte count returned by read() that is shorter than the size reported by stat is a telltale sign.\r\n1.2.2. PORT KNOCKING\r\nThe Reptile rootkit supports the Port Knocking technique. After installation it does not connect to the C\u0026C server immediately; it inspects incoming packets and stays idle until the threat actor sends a Magic Packet, after which it begins to operate. The data carried in the Magic Packet contains the C\u0026C server address, and the reverse shell connects to that address.\r\nReptile’s defconfig file holds the basic configuration. By default, MAGIC_VALUE is set to “hax0r”, PASSWORD is set to “s3cr3t”, and SRCPORT is set to “666”.\r\nFigure 8. defconfig file\r\nThe Reptile rootkit on the infected system hooks a kernel function and monitors incoming TCP, UDP, and ICMP packets. If a TCP or UDP packet is received, its source port is checked first against the SRCPORT designated in the configuration file, 666 by default. Note that this is the source port of the knock packet: the rootkit does not open a socket on the infected system, so the trigger does not show up as a listening port.\r\nFigure 9. Scan of SRCPORT\r\nThreat actors use the client to transmit the Magic Packet to the infected system. They first choose which of TCP, UDP, or ICMP to use for the knock, then specify the infected system’s IP address and the configuration data set when Reptile was built, namely MAGIC_VALUE, PASSWORD, and SRCPORT. When the run command is executed, Packet encrypts the data and transmits it to the infected system.\r\nFigure 10. Reverse shell using Port Knocking\r\nWhen Reptile sees a packet from source port 666, it scans the packet data for the value “hax0r” designated by MAGIC_VALUE and TOKEN. Once that value is found, Reptile decrypts the packet, obtains the address and port number of the C\u0026C server, and passes them as arguments to the reverse shell, reptile_shell.\r\nFigure 11. Scan of MAGIC_VALUE\r\n1.3. Reverse Shell\r\nThe reverse shell executed by the Reptile rootkit connects to the C\u0026C server at the received address and provides shell access. The reverse shell is also executed with the argument “s3cr3t”, the value specified as PASSWORD in the configuration data. 
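The trigger described in 1.2.2 leaves no listening socket, so the place to look for it is the knock packet itself and the outbound connection it causes. The Python below is an added example written for this page, not code from the ASEC article or from the Reptile project: it applies the same order of checks the rootkit uses (source port first for TCP and UDP, magic value alone for ICMP) over the build values given in the defconfig and in Table 2 and Table 3, and then correlates a matched knock with a new outbound connection from the knocked host. The packet and connection records, the addresses and the 30-second window are constructed assumptions.

```python
# Added example (not from the ASEC post or the Reptile project): offline
# detection logic for the Port Knocking trigger described in section 1.2.2.
# The packet and connection records below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class KnockConfig:
    srcport: int   # SRCPORT the rootkit compares the TCP/UDP source port against
    magic: bytes   # MAGIC_VALUE the rootkit scans the packet data for
    origin: str    # which build the values were taken from


# Build-time values from the post: the defconfig defaults plus Table 2 and Table 3.
KNOWN_CONFIGS = (
    KnockConfig(666, b'hax0r', 'defconfig default'),
    KnockConfig(666, b'smoke', 'rxp.ko, VirusTotal 2020-05-22'),
    KnockConfig(41302, b'7313F4lc0n4710n', 'falc0n.ko, VirusTotal 2021-06-05'),
    KnockConfig(2307, b'hA30r', 'VirusTotal 2022-04-27'),
    KnockConfig(666, b'xiaofangzi', 'myshell.ko, VirusTotal 2022-11-21'),
    KnockConfig(5214, b'glibc_0.1.5.so', 'intel_audio.ko, Korea case'),
)


@dataclass(frozen=True)
class Packet:
    ts: float
    proto: str     # 'tcp', 'udp' or 'icmp'
    src: str
    sport: int     # 0 for icmp, which carries no port
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class NewConn:
    ts: float      # time the first outbound SYN from src was seen
    src: str
    dst: str
    dport: int


def match_knock(pkt, configs=KNOWN_CONFIGS):
    # Same order as the rootkit: TCP and UDP packets are filtered on the
    # source port first, ICMP has no port so only the magic value is tested.
    # The magic value is searched in cleartext because the rootkit itself
    # looks for it before decrypting the rest of the packet.
    for cfg in configs:
        if pkt.proto in ('tcp', 'udp') and pkt.sport != cfg.srcport:
            continue
        if cfg.magic in pkt.payload:
            return cfg
    return None


def find_knocks(packets, configs=KNOWN_CONFIGS):
    hits = []
    for pkt in packets:
        cfg = match_knock(pkt, configs)
        if cfg is not None:
            hits.append((pkt, cfg))
    return hits


def correlate_callbacks(knocks, conns, window=30.0):
    # The C2 address travels inside the encrypted part of the knock, so the
    # callback need not go to the knocking host. Flag any new outbound TCP
    # connection from the knocked host shortly after the knock; the window
    # is an assumed tuning value.
    alerts = []
    for pkt, cfg in knocks:
        for c in conns:
            if c.src == pkt.dst and 0 <= c.ts - pkt.ts <= window:
                alerts.append((pkt.dst, c.dst, c.dport, cfg.origin))
    return alerts


# Constructed traffic: a UDP knock with the default magic, a DNS answer that
# happens to contain the same string, a TCP packet from port 666 without a
# magic value, and an ICMP knock carrying the intel_audio magic.
SAMPLE_PACKETS = [
    Packet(100.0, 'udp', '203.0.113.5', 666, '192.0.2.10', 22, b'hax0r' + bytes(range(16))),
    Packet(101.0, 'udp', '198.51.100.7', 53, '192.0.2.10', 41000, b'hax0r in a DNS answer'),
    Packet(102.0, 'tcp', '203.0.113.9', 666, '192.0.2.10', 80, b'GET / HTTP/1.0'),
    Packet(300.0, 'icmp', '203.0.113.5', 0, '192.0.2.11', 0, bytes(8) + b'glibc_0.1.5.so' + bytes(range(16))),
]
SAMPLE_CONNS = [
    NewConn(104.0, '192.0.2.10', '198.51.100.250', 4444),   # 4 s after the UDP knock
    NewConn(250.0, '192.0.2.10', '198.51.100.250', 443),    # outside the window
    NewConn(303.0, '192.0.2.11', '198.51.100.251', 8443),   # 3 s after the ICMP knock
]

if __name__ == '__main__':
    knocks = find_knocks(SAMPLE_PACKETS)
    for pkt, cfg in knocks:
        print(f'knock {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst} matches {cfg.origin}')
    for host, c2, port, origin in correlate_callbacks(knocks, SAMPLE_CONNS):
        print(f'callback {host} -> {c2}:{port} after knock ({origin})')
```

MAGIC_VALUE and SRCPORT are chosen per build, so the table of known values is only as good as the samples behind it; the correlation step raises confidence for a known build, while a build with unknown values has to be found through the host artifacts instead.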
The PASSWORD value serves as the session key for the communication with the listener waiting on the C\u0026C server.\r\nThe reverse shell is a command line tool that operates on the arguments it is given, and it can be launched in two ways depending on the conditions. The first is the Port Knocking technique covered above. The second is execution during the installation of the Reptile rootkit kernel module.\r\nFigure 12. Argument structure of reptile_shell\r\nAfter installation, the Reptile rootkit executes the startup script reptile_start during initialization. This script can contain numerous commands, a notable one being the command that launches the reverse shell.\r\nFigure 13. The make process and the created reptile_start script file\r\nReptile’s reverse shell is based on TinySHell, an open-source Linux backdoor. Rekoobe is a backdoor based on TinySHell that is known to be used predominantly by Chinese threat groups. [7] According to the Avast report, the Syslogk rootkit also supports a Port Knocking method triggered by a Magic Packet and uses a customized version of TinySHell, known as Rekoobe, as its backdoor. Based on these similarities, it is speculated that the Syslogk threat actor may have adopted Reptile’s structure in their malware.\r\nCompared with TinySHell, Reptile’s reverse shell is remarkably similar: most of the code is identical, as are the supported commands. In particular, the use of HMAC-SHA1 and an AES-128 key to encrypt the data exchanged with the C\u0026C server, and the data used for integrity verification during communication, are the same.\r\nFigure 14. Comparison between TinySHell (left) and Reptile reverse shell (right) routines\r\nIn addition to file download/upload and command execution, the Reptile reverse shell supports a delay command. It also has a built-in feature to send concealment commands to the Reptile rootkit via ioctl, which hides its own communication with the C\u0026C server.\r\n2. Cases of Attacks\r\n2.1. VirusTotal Hunting\r\nBecause it is open-source malware publicly available on GitHub, Reptile has been used by a diverse range of threat actors over time. Even leaving aside the recent zero-day attack on Fortinet products by a China-based threat group reported by Mandiant, [8] Reptile rootkit samples continue to be uploaded to VirusTotal periodically.\r\nWhile it is not certain whether they were used in actual attacks, numerous Reptile rootkits have been uploaded to VirusTotal regularly over the past few years. In this section, the configuration data of some of these samples were extracted and categorized. Inspecting the vermagic strings of the kernel modules shows that most of them were built for RHEL or CentOS kernels, whether for attacks or for testing. Port in the table below is the SRCPORT value, the source port the rootkit expects on the knock packet.\r\nDate        Name        Port   MAGIC_VALUE       PASSWORD          Location      vermagic\r\n2020.05.22  rxp.ko      666    smoke             smoker666         /rxp/         2.6.32-696.18.7.el6.x86_64\r\n2021.06.05  falc0n.ko   41302  7313F4lc0n4710n   F4lc0nFly1n9d00r  /usr/falc0n/  3.10.0-1127.10.1.el7.x86_64\r\n2022.04.27  N/A         2307   hA30r             x5s3rt            /opttest/     3.10.0-1160.59.1.el7.x86_64\r\n2022.11.21  myshell.ko  666    xiaofangzi        xiaofangzi        /myshell/     2.6.32-431.el6.x86_64\r\nTable 2. Reptile rootkits uploaded to VirusTotal\r\n2.2. Attack Cases in Korea\r\nReptile has been used in past attacks against Korean companies. The initial method of infiltration remains unidentified, but the Reptile rootkit, reverse shell, cmd tool, and startup script were all recovered, allowing the basic configuration to be ascertained.\r\nIn this case, apart from Reptile, the threat actor also used an ICMP-based shell called ISH. ISH is a malware strain that uses the ICMP protocol to provide the threat actor with a shell. Reverse shells and bind shells typically use TCP or HTTP; the threat actor presumably opted for ISH to evade network detection of those protocols.\r\n2.2.1. Analysis of Reptile\r\nThe malware is presumed to have been installed in the “/etc/intel_audio/” directory, and the threat actor used “intel_audio” as the keyword instead of “reptile”.\r\nFigure 15. intel_audio_start script\r\nThe absence of any command to execute the reverse shell in the intel_audio_start file suggests that the reverse shell was used through the Port Knocking method. Alternatively, the threat actor may have relied on the bind shell ISH, covered below. The threat actor also activated the file-tampering feature.\r\nExamination of the rc.local autorun script shows a persistence command placed between the tags “#\u003cintel_audio\u003e” and “#\u003c/intel_audio\u003e”, which the file-tampering feature conceals from reads. Notably, the threat actor deployed Reptile as a bare kernel module rather than through the loader: “/etc/intel_audio/intel_audio.ko” is loaded by an insmod command written into rc.local.\r\nFigure 16. Autorun script within rc.local\r\nintel_audio.ko is the kernel module as packed by kmatryoshka, that is, the intermediate stage that the user mode loader would normally wrap. 
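Each hook in 1.2.1 blinds one view of the system while leaving another intact, and the Korea case shows where the artifacts land: tagged lines in rc.local, an insmod of intel_audio.ko, and, in a default install, a udev rule pointing at the copied loader. The Python below is an added example written for this page, not code from the ASEC article or from Reptile: it recovers the text hidden between file-tampering tags from an offline copy of a file, flags udev RUN targets outside the usual directories, diffs /sys/module against /proc/modules, and probes for PIDs that are missing from the /proc listing yet answer EINVAL on a direct stat. The sample rc.local, rules file, module lists and the simulated probe are constructed; the udev heuristic and the assumption that /sys/module entries survive the hide are mine, not statements from the post.

```python
# Added example, not code from the ASEC post or the Reptile project: offline
# checks for the host artifacts described in sections 1.2.1 and 2.2.1. All
# inputs are constructed sample data; simulated_probe stands in for stat().
import errno

Q = chr(34)   # the double quote udev wraps RUN values in


def tampered_blocks(text, keyword):
    # Spans between #<keyword> and #</keyword>, which the vfs_read() hook
    # strips from every read on a live host. Run this against a mounted image
    # or a copy taken through a clean kernel; the on-disk bytes are unchanged.
    start, end = f'#<{keyword}>', f'#</{keyword}>'
    blocks, pos = [], 0
    while True:
        i = text.find(start, pos)
        if i < 0:
            return blocks
        j = text.find(end, i + len(start))
        if j < 0:  # unterminated tag: everything to end of file is hidden
            blocks.append(text[i + len(start):])
            return blocks
        blocks.append(text[i + len(start):j])
        pos = j + len(end)


TRUSTED_RUN_DIRS = ('/lib/udev/', '/usr/lib/udev/', '/bin/', '/sbin/',
                    '/usr/bin/', '/usr/sbin/')


def suspicious_udev_runs(rules_text):
    # Generic heuristic (an assumption; the post does not reproduce the rule):
    # flag RUN values that reference an absolute path outside the usual udev
    # and system directories, including paths handed to a trusted shell.
    findings = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith('#') or 'RUN' not in s:
            continue
        q1 = s.find(Q, s.find('RUN'))
        q2 = s.find(Q, q1 + 1) if q1 >= 0 else -1
        if q2 < 0:
            continue
        for tok in s[q1 + 1:q2].split():
            tok = tok.strip(chr(39))
            if tok.startswith('/') and not tok.startswith(TRUSTED_RUN_DIRS):
                findings.append((n, tok))
    return findings


def hidden_modules(proc_modules_text, sys_module_names):
    # lsmod and /proc/modules are served from the module list Reptile unlinks
    # itself from. Assumption: /sys/module/<name>, created at load time, stays
    # behind; pass the names there that have an initstate file and diff views.
    listed = {ln.split()[0] for ln in proc_modules_text.splitlines() if ln.strip()}
    return sorted(set(sys_module_names) - listed)


def hidden_pids(listed_pids, probe, max_pid=32768):
    # /proc readdir is served by next_tgid(), which the hook skips for the
    # hidden task; a direct stat of /proc/<pid> goes through vfs_statx(),
    # which the post says fails with EINVAL instead of ENOENT. probe(pid)
    # returns 0 or the errno of that stat; read pid_max for the real bound.
    hidden = []
    for pid in range(1, max_pid + 1):
        if pid in listed_pids:
            continue
        err = probe(pid)
        if err == 0 or err == errno.EINVAL:
            hidden.append((pid, err))
    return hidden


# Constructed rc.local modelled on the Korea case: the persistence commands
# sit between the intel_audio tags that the file-tampering feature conceals.
RC_LOCAL = '''#!/bin/sh
touch /var/lock/subsys/local
#<intel_audio>
insmod /etc/intel_audio/intel_audio.ko
/etc/intel_audio/gvfs-gdb-volume-monitor
#</intel_audio>
exit 0
'''

# Constructed rules file: a stock-looking rule and one that runs the default
# /reptile/reptile loader path through a shell wrapper.
UDEV_RULES = chr(10).join([
    '# constructed sample',
    f'ACTION=={Q}add{Q}, SUBSYSTEM=={Q}usb{Q}, RUN+={Q}/usr/lib/udev/usb_helper{Q}',
    f'ACTION=={Q}add{Q}, ENV{{MAJOR}}=={Q}1{Q}, RUN+={Q}/bin/sh -c /reptile/reptile{Q}',
])

PROC_MODULES = '''ext4 737280 1 - Live 0xffffffffc0400000
xfs 1503232 2 - Live 0xffffffffc0200000
'''
SYS_MODULES = ['ext4', 'xfs', 'intel_audio']   # /sys/module entries with initstate

SAMPLE_LISTED_PIDS = {1, 2, 100, 700}          # what readdir('/proc') returned


def simulated_probe(pid):
    # Stand-in for stat on /proc/<pid> on a Reptile host: listed pids exist,
    # pid 4242 is the hidden one and answers EINVAL, everything else is absent.
    if pid in SAMPLE_LISTED_PIDS:
        return 0
    return errno.EINVAL if pid == 4242 else errno.ENOENT


if __name__ == '__main__':
    print('tampered:', tampered_blocks(RC_LOCAL, 'intel_audio'))
    print('udev:', suspicious_udev_runs(UDEV_RULES))
    print('modules:', hidden_modules(PROC_MODULES, SYS_MODULES))
    print('pids:', hidden_pids(SAMPLE_LISTED_PIDS, simulated_probe, max_pid=5000))
```

On a live host the probe would wrap os.stat on /proc/%d and return the errno, and the file checks should be run on a mounted image or on a copy obtained through a clean kernel, since the vfs_read() hook also affects the analysis tool's own reads. The EINVAL signal depends on the exact hook behaviour the post describes; a PID that is absent from readdir but whose /proc entry stats cleanly is the more general cross-view hit.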
The vermagic string of intel_audio.ko, “3.10.0-514.el7.x86_64”, indicates that the infected system was likely a Red Hat or CentOS-based Linux system.\r\nThe extracted rootkit contains various hard-coded configuration data. For example, the reptile_init() function contains the path of the startup script, “/etc/intel_audio/intel_audio_start”. Notably, the threat actor set the MAGIC_VALUE and PASSWORD strings to glibc-like library names so that they look like part of a normal program.\r\nFigure 17. reptile_init() function\r\nItem                   Data\r\nInstallation path      /etc/intel_audio/intel_audio.ko\r\nPort number (SRCPORT)  5214\r\nMAGIC_VALUE            “glibc_0.1.5.so”\r\nPASSWORD               “glibc_0.1.6.so”\r\nStartup script path    /etc/intel_audio/intel_audio_start\r\nReverse shell path     /etc/intel_audio/intel_audio_reverse\r\nvermagic               3.10.0-514.el7.x86_64\r\nTable 3. Configuration data of Reptile used in attacks in Korea\r\n2.2.2. Analysis of ICMP SHELL\r\nThe file executed and marked for concealment in the rc.local autorun script, “/etc/intel_audio/gvfs-gdb-volume-monitor”, is an ICMP shell known as ISH. ISH consists of the server module ishd and the client module ish. The “gvfs-gdb-volume-monitor” file operates as ishd: it is executed by the Reptile rootkit and kept in a listening state, and it is presumed that the attacker obtains the ICMP shell by connecting to it with ish. The command line options identified in “gvfs-gdb-volume-monitor” are the same as those of ishd.\r\nFigure 18. Main routine of ishd\r\nWhen building ishd, the threat actor did not use the source code as-is but modified it to disguise the binary as a normal program and avoid file detection. In the following figure, the left side shows the usage() function in the original ishd source code and the right side the usage() function in “gvfs-gdb-volume-monitor”. Because it prints the string “ICMP Debug Tool” when run without arguments, the malware passes for a normal program rather than a bind shell.\r\nFigure 19. Modified output string\r\n3. Similarities to Mélofée\r\nExaTrack analyzed malware strains that have recently been targeting Linux servers and named them Mélofée. Based on the malware and infrastructure used in the attacks, they identified connections to the Winnti (APT41) threat group, which operates from China. [9]\r\nThat threat actor also used the Reptile rootkit during their attacks, and notably installed it under the path “/etc/intel_audio/intel_audio.ko”. This path is identical to the installation path of the Reptile rootkit in the attack on Korean companies described above.\r\nThe use of the Reptile rootkit, the identical installation path, and the direct loading of the kernel module with the “insmod” command instead of the loader that Reptile provides are common to both cases.\r\nFigure 20. rc.modules file created by Mélofée\r\nThere are differences as well. In the Mélofée case, the Reptile build had only the file concealment feature activated, and the hidden paths were hard-coded to two strings: “intel_audio” and “rc.modules”.\r\nFigure 21. Hard-coded path to concealment target\r\nBecause little information beyond the malware itself is available for the Korean case, there is a limit to what can be established. Still, the keyword “intel_audio”, although used only to make the path look like that of a normal kernel module, is an uncommon string and stands out as a distinctive characteristic shared by both cases.\r\n4. Conclusion\r\nReptile is a Linux kernel mode rootkit that conceals files, directories, processes, and network communications. Because it is open source, Reptile can easily be used by various threat actors, and numerous attack cases have been discovered. Rootkits are by nature often used in conjunction with other malware, but Reptile itself also provides a reverse shell, so a system with Reptile installed can be taken over directly by the threat actor.\r\nTo prevent such threats, systems must be checked for vulnerable configurations and kept up to date. V3 should also be updated to the latest version so that malware infection can be prevented.\r\nAhnLab’s anti-malware solution, V3, detects and blocks these malware strains with the following detection names.\r\nFile Detection\r\n– Trojan/Script.Config (2023.07.20.03)\r\n– Rootkit/Linux.Reptile.644496 (2020.05.31.00)\r\n– Trojan/Linux.Reptile.10416 (2020.05.31.00)\r\n– Trojan/Linux.Rvshell.55784 (2020.05.31.00)\r\n– Backdoor/Linux.Ishell.10576 (2020.05.31.00)\r\n– Rootkit/Linux.Reptile.560980 (2023.07.18.00)\r\n– Rootkit/Linux.Reptile.802168 (2023.07.18.00)\r\n– Rootkit/Linux.Reptile.799432 (2023.07.18.00)\r\n– Rootkit/Linux.Reptile.569740 (2023.07.18.00)\r\nMD5\r\n1957e405e7326bd2c91d20da1599d18e\r\n246c5bec21c0a87657786d5d9b53fe38\r\n5b788feef374bbac8a572adaf1da3d38\r\n977bb7fa58e6dfe80f4bea1a04900276\r\nbb2a0bac5451f8acb229d17c97891eaf\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/55785/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/55785/"
	],
	"report_names": [
		"55785"
	],
	"threat_actors": [
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439011,
	"ts_updated_at": 1775791940,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/703a5ad73d4de0ea87b21bcce1a3ff78c5d2e7e8.pdf",
		"text": "https://archive.orkl.eu/703a5ad73d4de0ea87b21bcce1a3ff78c5d2e7e8.txt",
		"img": "https://archive.orkl.eu/703a5ad73d4de0ea87b21bcce1a3ff78c5d2e7e8.jpg"
	}
}