{
	"id": "60189eb1-fc54-4bf6-88b5-a382fff8d01a",
	"created_at": "2026-04-06T00:14:34.998949Z",
	"updated_at": "2026-04-10T13:11:53.660084Z",
	"deleted_at": null,
	"sha1_hash": "70ccc282b80140029c538fa52290add0b1fe1aeb",
	"title": "The eagle eye is back: old and new backdoors from APT30",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1491163,
	"plain_text": "The eagle eye is back: old and new backdoors from APT30\r\nBy Positive Technologies\r\nPublished: 2024-08-19 · Archived: 2026-04-05 17:20:10 UTC\r\nOn April 8, 2020, our pros at the PT Expert Security Center detected signs of life from a well-known\r\ncybercriminal group. Network signatures for dynamic malware analysis on a popular site lit up for APT30—a\r\ngroup that had not been on radar screens for some time. This inspired us to start looking.\r\nNetwork signatures indicated APT30 activity\r\nAPT30 has been in the public eye since a report by our colleagues at FireEye back in 2015. The group primarily\r\nattacks government targets in South and Southeast Asia (including India, Thailand, and Malaysia) for\r\ncyberespionage purposes. Their toolkit has been in development since at least 2005. We find it interesting that we\r\nsee both old and well-known tools dating back over a decade, as well as continuity in network resources.\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/\r\nPage 1 of 21\n\nIn this article, we will look at new versions of already known Trojans, the features of the group's recently detected\r\nmalware, and network infrastructure.\r\nBACKSPACE and NETEAGLE backdoors\r\nA file named AGENDA.scr from Malaysia was uploaded to VirusTotal on August 25, 2019 (MD5:\r\nf4f8f64fd66a62fc456da00dd25def0d). This is an executable PE file for x86 packed with UPX. The icon of the\r\nsample matches that of a Microsoft Office document (in order to fool users, of course). 
The resources contain\r\nanother two encrypted objects.\r\nPE file icon and resource objects\r\nBoth objects are decrypted as follows (the byte index is subtracted, the result is XORed with 0xEF and then rotated left by two bits):\r\nfor i, c in enumerate(buffer):\r\n    d = c - (i \u0026 0xFF)\r\n    d ^= 0xEF\r\n    d \u0026= 0xFF\r\n    buffer[i] = ((d \u003e\u003e 6) | (d \u003c\u003c 2)) \u0026 0xFF  # rotate left by 2\r\nThe first file (MD5: 634e79070ba21e1e8f08aba995c98112) is written to the user's templates folder\r\n(%APPDATA%\\Microsoft\\Windows\\Templates\\AGENDA.docx) and then opened. This Office document, with the\r\nagenda for a Malaysian government meeting, is intended to attract the user's interest, of course.\r\nContents of the decoy document\r\nThe document was created on August 2, 2019 by the user Norehan Binti Nordin.\r\nProperties of the decoy document\r\nThe second file (MD5: 56725556d1ac8a58525ae91b6b02cf2c) is placed in the startup folder\r\n%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WINWORD.EXE. The file is not run at\r\nthe time of creation (instead, the attackers arrange for it to run at another time that will be less suspicious, such as\r\nafter a restart). This is a NETEAGLE backdoor, modifications of which have been detailed in FireEye reporting.\r\nNote that the string NetEagle, which was found in 2015 files and gave its name to the whole malware family,\r\nhas now been replaced with JokerPlay.\r\n\"NetEagle\" string in a 2015 sample\r\n\"JokerPlay\" string in a 2019 sample\r\nWe will not rehash here the FireEye report on the workings of NETEAGLE. 
In the following table, we have listed\r\nstrings encrypted with a Caesar cipher having shift –4.\r\nDecrypted strings and their offsets in the NETEAGLE backdoor\r\nOffset String\r\n0x40b02c msmsgr.exe\r\n0x40b038 msmsgr\r\n0x40b040 pic4.bmp\r\n0x40b04c pic2.bmp\r\n0x40b058 pic1.bmp\r\n0x40b064 http://www.gordeneyes.com/photo/\r\n0x40b1ac SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nBased on these indicators, we uncovered another two backdoors (MD5: d9c42dacfae73996ccdab58e429548c0 and\r\nMD5: 101bda268bf8277d84b79fe52e25fee4). According to the compilation date, they were created on October\r\n21, 2019; one of them was also uploaded to VirusTotal from Malaysia only in May 2020. This malware belongs to\r\nthe BACKSPACE family, modifications of which have also been described by FireEye. Here we will give\r\ndecrypted strings for each sample together with the relevant algorithm.\r\nString decryption algorithm in the backdoor with MD5 hash d9c42dacfae73996ccdab58e429548c0 (the byte index plus a constant is subtracted from each byte):\r\nfor i, c in enumerate(buffer):\r\n    d = c - i - 7\r\n    buffer[i] = d \u0026 0xFF\r\nDecrypted strings and their offsets in the BACKSPACE backdoor (MD5: d9c42dacfae73996ccdab58e429548c0)\r\nOffset String\r\n0x40c048 *lecnaC*\r\n0x40c054 Software\\Microsoft\\PnpSetup\r\n0x40c070 Mutex_lnkword_little\r\n0x40c088 /b.ini\r\n0x40c090 /a.ini\r\n0x40c098 /a1.ini\r\n0x40c0a0 /l.ini\r\n0x40c0a8 \\WordPlug.exe\r\n0x40c0cc /z.ini\r\n0x40c0d4 \\WINWORD.EXE\r\n0x40c0b8 \\WordForVista.exe\r\n0x40c0e4 /d.jpg\r\n0x40c0ec /l.jpg\r\n0x40c0f4 www.kabadefender.com\r\n0x40c10c www.gordeneyes.com\r\n0x40c120 /LGroup1\r\nString decryption algorithm in the backdoor with MD5 hash 101bda268bf8277d84b79fe52e25fee4 (each byte is XORed with 0x37, then the byte index plus a constant is subtracted):\r\nfor i, c in enumerate(buffer):\r\n    d = c ^ 0x37\r\n    d -= i + 27\r\n    
buffer[i] = d \u0026 0xFF\r\nDecrypted strings and their offsets in the BACKSPACE backdoor (MD5: 101bda268bf8277d84b79fe52e25fee4)\r\nOffset String\r\n0x41104c Compumter\r\n0x411058 *lecnaC*\r\n0x411064 Software\\Microsoft\\Core\r\n0x41107c Mutex_lnkch\r\n0x411088 Event__lnkch__end\r\n0x41109c Event__lnkch__ended\r\n0x4110b0 EventAck__lnkch\r\n0x4110c0 /b.ini\r\n0x4110c8 /c.ini\r\n0x4110d0 /a.ini\r\n0x4110d8 /a1.ini\r\n0x4110e0 /l.ini\r\n0x4110e8 /k.txt\r\n0x4110f0 /l1.ini\r\n0x4110f8 /b1.ini\r\n0x411100 /c1.ini\r\n0x41110f www.gordeneyes.com\r\n0x41118f www.kabadefender.com\r\n0x41120f chrome.exe\r\n0x41128f /group1\r\n0x41130f /d.jpg\r\n0x41138f /l.jpg\r\n0x411408 System Idle Process\r\n0x41141c \\t.ini\r\n0x411424 \\t.exe\r\n0x41142c \\ue.exe\r\n0x411434 \\ue1.exe\r\n0x411440 Chrome\\BIN\r\n0x41144c chrome.lnk\r\n0x411458 Google Chrome\r\n0x411490 /n09230945.asp\r\n0x4114a0 automation.whatismyip.c\\xffm\r\n0x4114c8 hideipexcept=\r\n0x4114d8 hideip=\r\n0x4114e0 hidehostexcept=\r\n0x4114f0 hidehost=\r\n0x4114fc hidedirexcept=\r\n0x41150c hidedir=\r\n0x411518 hidewebexcept=\r\n0x411528 hideweb=\r\n0x411534 hideall=1\r\n0x411540 killpath=\r\n0x41154c /some/edih.txt\r\n0x41155c www.appsecnic.com\r\n0x411570 www.km153.com\r\n0x411580 www.newpresses.com\r\n0x41159c runipexcept=\r\n0x4115bc runhostexcept=\r\n0x4115cc runhost=\r\n0x4115d8 rundirexcept=\r\n0x4115e8 runwebexcept=\r\n0x4115f8 runall=1\r\n0x411604 /http/nur.txt\r\nSome of the strings in the backdoor with MD5 hash 101bda268bf8277d84b79fe52e25fee4 are encrypted with the\r\nsame algorithm as the resources in the NETEAGLE dropper. 
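The four decryption routines given above (NETEAGLE dropper resources, the NETEAGLE Caesar strings and the two BACKSPACE variants), collected into one script. This is an added example and not code from the report: function names are ours, the NETEAGLE transform is written with its XOR key and rotation as parameters since the text says the second BACKSPACE sample reuses the scheme with other constants, the direction of the Caesar shift is taken as a parameter because the report's wording leaves it ambiguous, and the sample ciphertexts are constructed here by running the inverse transform over plaintexts from the tables (the report does not print raw encrypted bytes).

```python
'''String and resource decryptors for the APT30 samples described above.
Added example, not code from the report. The report prints only the
algorithms and the decrypted strings, so every ciphertext used here is
constructed by running the inverse transform over a known plaintext.'''


def rol8(x: int, n: int) -> int:
    '''Rotate an 8-bit value left by n bits.'''
    n %= 8
    return ((x << n) | (x >> (8 - n))) & 0xFF


def ror8(x: int, n: int) -> int:
    '''Rotate an 8-bit value right by n bits.'''
    return rol8(x, (8 - n) % 8)


def decrypt_sub_xor_rol(buf: bytes, xor_key: int, rot: int) -> bytes:
    '''Generic form of the NETEAGLE resource scheme: subtract the byte
    index, XOR with a constant, rotate left. Key and rotation are
    parameters because the report says the second BACKSPACE sample reuses
    this scheme with different constants.'''
    return bytes(rol8(((c - i) & 0xFF) ^ xor_key, rot) for i, c in enumerate(buf))


def encrypt_sub_xor_rol(buf: bytes, xor_key: int, rot: int) -> bytes:
    '''Inverse of decrypt_sub_xor_rol; used here only to build test vectors.'''
    return bytes(((ror8(p, rot) ^ xor_key) + i) & 0xFF for i, p in enumerate(buf))


def decrypt_neteagle_resource(buf: bytes) -> bytes:
    '''The dropper's constants: XOR 0xEF, rotate left 2 ((d >> 6) | (d << 2)).'''
    return decrypt_sub_xor_rol(buf, 0xEF, 2)


def caesar(buf: bytes, shift: int) -> bytes:
    '''Byte-wise Caesar shift. The report calls the NETEAGLE strings a
    Caesar cipher with shift -4; pass shift=-4 to apply that shift to the
    ciphertext, or +4 if the author meant the encryption shift.'''
    return bytes((c + shift) & 0xFF for c in buf)


def decrypt_backspace_d9c4(buf: bytes) -> bytes:
    '''BACKSPACE d9c42dac...: d = c - i - 7.'''
    return bytes((c - i - 7) & 0xFF for i, c in enumerate(buf))


def decrypt_backspace_101b(buf: bytes) -> bytes:
    '''BACKSPACE 101bda26...: d = (c ^ 0x37) - (i + 27).'''
    return bytes(((c ^ 0x37) - (i + 27)) & 0xFF for i, c in enumerate(buf))


def decrypt_all(buf: bytes) -> dict:
    '''Run every decryptor over a blob and keep the outputs that are
    printable ASCII: a quick way to tell which sample's scheme a blob uses.'''
    candidates = {
        'neteagle_resource': decrypt_neteagle_resource(buf),
        'neteagle_caesar_minus4': caesar(buf, -4),
        'neteagle_caesar_plus4': caesar(buf, 4),
        'backspace_d9c4': decrypt_backspace_d9c4(buf),
        'backspace_101b': decrypt_backspace_101b(buf),
    }
    return {name: out for name, out in candidates.items()
            if out and all(0x20 <= b < 0x7F for b in out)}


# Constructed test vectors (not taken from the samples): plaintexts from the
# report's string tables pushed through the inverse transforms.
SAMPLE_NETEAGLE = encrypt_sub_xor_rol(b'http://www.gordeneyes.com/photo/', 0xEF, 2)
SAMPLE_BACKSPACE_D9C4 = bytes((ord(p) + i + 7) & 0xFF for i, p in enumerate('/b.ini'))
SAMPLE_BACKSPACE_101B = bytes(((ord(p) + i + 27) & 0xFF) ^ 0x37
                              for i, p in enumerate('www.kabadefender.com'))

if __name__ == '__main__':
    for blob in (SAMPLE_NETEAGLE, SAMPLE_BACKSPACE_D9C4, SAMPLE_BACKSPACE_101B):
        print(decrypt_all(blob))
```

Feeding decrypt_all a blob carved from an unpacked sample shows which of the five transforms yields printable text, which is usually enough to decide which family variant is in hand before reading the code.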
Only the values of constants have been changed.\r\nBesides tools belonging to already known malware families, we also detected several novel samples. We will go\r\ninto these in more detail.\r\nRHttpCtrl backdoor\r\nMD5: ed09b0dba74bf68ec381031e2faf4448\r\nThis is an x86 executable PE file with a plausible compilation date:\r\nCompilation date of the RHttpCtrl sample\r\nThere is a nugget of debugging information inside, in the project path:\r\nD:\\WorkSources\\RHttpCtrl\\Server\\Release\\svchost.pdb\r\nIt appears that the substring \"RHttpCtrl\" is the name given to the tool by the attackers themselves.\r\nThe malware starts off by trying to read the value named random under the registry key\r\nHKCU\\Software\\HttpDiv. If that value does not exist, the WinAPI function GetSystemTimeAsFileTime provides the\r\nsystem time, which is then used as the seed for random number generation. The random number is saved to the\r\nregistry and used later. A separate thread, which will contain the actions described next, is created.\r\nGetSystemTimeAsFileTime API call\r\nA GET request to hxxp://www.kabadefender.com/plugins/r.exe gives the malware the legitimate WinRAR\r\narchiver (or at least its command-line component Rar.exe, MD5: 4fdfe014bed72317fa40e4a425350288). Because this is a\r\nlegitimate tool, its hash is useful only as a contextual indicator, not as evidence of compromise on its own. After\r\nsaving WinRAR, the malware takes a fingerprint of the system based on the computer's name, IP address, and\r\noperating system version. This information is sent by POST request to hxxp://www.kabadefender.com/clntsignin.php.\r\nSending of the system fingerprint\r\nSome of the values of the other fields are interesting. The \"1\" in the version field suggests the start of development\r\nof this malware family. Practically all calls are logged.\r\nLogging\r\nThe id field remains empty. 
random contains the random number described already. Note that the User-Agent\r\nvalue specified here is Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0, a hard-coded\r\nand by now outdated Firefox 34 on Windows 7 string that makes a convenient network indicator.\r\nIncoming commands are handled by the KernelManager class. Thanks to RTTI, we can guess the malware's\r\nactions based on the names of the objects.\r\nRTTI object names\r\nThe backdoor's capabilities are narrow:\r\nRHttpCtrl commands and descriptions\r\nCommand Type Description\r\n0 shell Run command with cmd.exe\r\n3 download Download file from C2 server\r\n4 snap Take and send screenshot\r\n5 upload Upload file to C2 server\r\nHandling for commands 1 and 2 is not present. The REP marker, which is expected in every command, acts as the\r\ndelimiter between the command number and its arguments. The results of command execution are sent to\r\nhxxp://www.kabadefender.com/clntcmd.php with the type value matching the command in question.\r\nCommand 0: shell\r\nThis command is handled by ShellManager, which launches cmd.exe with redirected input and output pipes, writes\r\nthe command to the input pipe and reads the result from the output pipe. Results are read in portions, to which the\r\ncount of bytes read is added; this is then sent as the value of output.\r\nCreation of input + output pipes and launch of cmd.exe\r\nWriting of commands to the input pipe\r\nReading the command output\r\nCommand 3: download\r\nThis command type is handled by the Download component. By means of URLDownloadToFileA, it downloads\r\nthe additional component at the address given in the command from the command and control (C2) server and writes\r\nit to a file.\r\nDownloading file from C2 server\r\nCommand 4: snap\r\nThis command type is handled by the Download component. 
With the help of gdiplus.dll APIs, it takes a\r\nscreenshot, writes it to a file, and sends it to the C2 server.\r\nSaving screenshot to file\r\nSending screenshot to the C2 server\r\nCommand 5: upload\r\nThe Upload component is responsible for handling this command type. With the already downloaded WinRAR\r\nutility Rar.exe, the component packs the specified file into an archive and sends it to the C2 server.\r\nArchiving a file prior to sending\r\nRCtrl backdoor\r\nMD5: 95fde34187552a2b0b7e3888bfbff802\r\nThis executable PE file for x86 was developed with the MFC library and packed with UPX. The compilation date\r\nis plausible:\r\nCompilation date of RCtrl sample\r\nA bit of debugging information is found inside, in the form of the project path:\r\nD:\\WorkSources\\MyProjects\\RCtrl\\Release\\Server.pdb\r\nAs with RHttpCtrl, we took the backdoor's name from the project name assigned by the malware developers\r\nthemselves.\r\nFirst, a data buffer of around 200 bytes is created. This buffer acts as the configuration. The buffer is filled in\r\nportions, out of sequence, in a way that leaves many fields unused.\r\nPartial structure of the configuration file (fields whose names start with \"field_\" are not used)\r\nThe malware performs a single-byte XOR with 0x23 to decrypt the address of the attacker's main C2 server:\r\n103.233.10\\.152. The connection to the server (on TCP port 4433) is checked. 
If the connection is unsuccessful,\r\nthe malware uses additional data to obtain a working server address.\r\nThe additional data in question is the addresses hxxp://www.gordeneyes.com/infos/p and\r\nhxxp://www.techmicrost.com/infos/p, which have been encrypted by means of a single-byte XOR with 0x25.\r\nOnce the two addresses are decoded, the malware attempts to connect to each of the two in sequence with a GET\r\nrequest. It expects an 8-byte response from the server: the first four bytes are the C2 IPv4 address and the last\r\nfour the TCP port as a little-endian integer. In the following figure, these are 172.247.197\\.189 and 443.\r\nGetting the C2 address: ‘0xAC 0xF7 0xC5 0xBD’ → ‘172 247 197 189’, ‘0xBB 0x01 0x00 0x00’\r\n→ 0x1BB → 443\r\nThe attempt to obtain a C2 address by means of these secondary addresses is recorded in the registry under the\r\nkey HKCU\\Software\\PickMill by saving the current date in the Y, M, and D values.\r\nRecording the current date in the registry\r\nAfter obtaining a working C2 IP address, the malware re-connects to the server and waits for the string\r\nJo*Po*Hello. This string is encrypted in the body of the malware (single-byte XOR with 0x24). This is\r\nunusual: Trojans normally initiate the data exchange themselves, whereas here the backdoor waits for the server\r\nto speak first.\r\nWhen the string has been received, the malware creates a system fingerprint based on the OS version, IP address,\r\nCPU manufacturer and clock rate, and disk size. This data is encrypted with a home-grown algorithm based on\r\ncircular shifts and XOR (more specifically: leftward circular shift by 4 + 3 = 7 bits, then XOR with 0x23) and sent\r\nto the C2 server.\r\nEncryption algorithm\r\nThen a separate thread is created that sends the same fixed buffer to the server every 30 seconds. 
The buffer is\r\nstructured as follows:\r\n4100 bytes of memory are allocated.\r\nThe first byte takes the value 0x25.\r\nThe remaining bytes are zeros.\r\nThe result is encrypted with the same algorithm as described already.\r\nTherefore only the first byte changes meaningfully: a zero byte is unaffected by the circular shift, so every other\r\nbyte comes out as 0x23. On the wire this is a 4100-byte message of one variable byte followed by 4099 bytes of\r\n0x23, repeated every 30 seconds, which is a distinctive pattern to look for in traffic to the C2 server.\r\nThen control passes to the command handling function, which decrypts the input (using the inverse steps to the\r\nencryption algorithm) and extracts the command number.\r\nDecryption algorithm\r\nRCtrl commands and descriptions\r\nCommand Description\r\n3 Get disk information\r\n4 Get folder listing\r\n5 Read file\r\n6 Open file for read/write\r\n7 Write to file\r\n8 Run file\r\n9 Same as 4\r\n16 Create folder\r\n17 Delete folder contents\r\n18 Delete configuration file\r\n19 Copy file\r\n20 Move file\r\n21 Get file information\r\n22 Read pipe\r\n23 Log result\r\n25 Get process list\r\n32 End process\r\n33 Take screenshot\r\n36 Shut down computer\r\n39 Read clipboard\r\n40 Write to registry\r\n41 Copy file to startup folder\r\nWe will not delve into the implementation of each command, since the techniques used for each are atomic and\r\nunremarkable. We do note that handling is absent for a variety of command numbers (1–2, 10–15, 24, 26–31, 34–35,\r\n37–38). Command output is encrypted (in the same way) and sent to the C2 server.\r\nNetwork infrastructure\r\nThe decrypted strings of one of the fresh BACKSPACE backdoors contain several domains (newpresses\\.com,\r\nappsecnic\\.com, km153\\.com) used by the group more than 10 years ago. 
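Before going further into the infrastructure, here is the RCtrl bootstrap and framing from the previous section in code: the single-byte XOR over the embedded addresses, the 8-byte IP-plus-port answer from the fallback URLs, the rotate-left-7 then XOR 0x23 codec, and the 4100-byte keepalive. This is an added example, not code from the report or from the malware: the function names are ours, network access is injected as a callable so the script runs offline, and the sample answer and the encoded greeting are constructed from the values the report gives.

```python
'''RCtrl C2 bootstrap and framing as described in the report. Added example,
not the malware's or the report's code; fetch() is injected so that the
script runs without network access.'''
import socket
import struct
from typing import Callable, Optional, Tuple

XOR_MAIN_C2 = 0x23     # key over the primary C2 address string
XOR_FALLBACK = 0x25    # key over the two fallback URLs
XOR_HELLO = 0x24       # key over the Jo*Po*Hello greeting
CODEC_ROT = 7          # 4 + 3 bits, per the report
CODEC_XOR = 0x23

FALLBACK_URLS = (
    'hxxp://www.gordeneyes.com/infos/p',
    'hxxp://www.techmicrost.com/infos/p',
)


def xor_bytes(buf: bytes, key: int) -> bytes:
    '''Single-byte XOR; symmetric, so the same call encodes and decodes.'''
    return bytes(b ^ key for b in buf)


def parse_c2_answer(resp: bytes) -> Tuple[str, int]:
    '''Decode the 8-byte answer: bytes 0-3 are the IPv4 address in wire
    order, bytes 4-7 the TCP port as a little-endian 32-bit integer
    (0xBB 0x01 0x00 0x00 -> 0x1BB -> 443). Malformed replies are rejected
    so a sinkholed or empty response cannot yield a bogus endpoint.'''
    if len(resp) != 8:
        raise ValueError('expected 8 bytes, got %d' % len(resp))
    ip = socket.inet_ntoa(resp[:4])
    (port,) = struct.unpack('<I', resp[4:])
    if not 0 < port < 65536:
        raise ValueError('port out of range: %d' % port)
    return ip, port


def resolve_c2(fetch: Callable[[str], bytes]) -> Optional[Tuple[str, int]]:
    '''Try the fallback URLs in the order the malware does and return the
    first well-formed (ip, port); None if neither answers usefully.'''
    for url in FALLBACK_URLS:
        try:
            return parse_c2_answer(fetch(url))
        except (OSError, ValueError):
            continue
    return None


def rol8(x: int, n: int) -> int:
    '''Rotate an 8-bit value left by n bits.'''
    n %= 8
    return ((x << n) | (x >> (8 - n))) & 0xFF


def encode_frame(buf: bytes) -> bytes:
    '''Outbound framing: rotate each byte left by 7, then XOR with 0x23.'''
    return bytes(rol8(b, CODEC_ROT) ^ CODEC_XOR for b in buf)


def decode_frame(buf: bytes) -> bytes:
    '''Inverse: undo the XOR, then rotate right by 7 (left by 1).'''
    return bytes(rol8(b ^ CODEC_XOR, 8 - CODEC_ROT) for b in buf)


def build_keepalive() -> bytes:
    '''The 30-second keepalive: 4100 bytes, first byte 0x25, rest zero,
    pushed through the codec. A zero byte is unchanged by the rotation, so
    every byte after the first comes out as 0x23.'''
    plain = bytearray(4100)
    plain[0] = 0x25
    return encode_frame(bytes(plain))


# Constructed here from the report's figure: 172.247.197.189, port 443.
SAMPLE_ANSWER = bytes.fromhex('acf7c5bd' 'bb010000')
# Constructed here: the greeting as it would sit in the binary under XOR 0x24.
ENCODED_HELLO = xor_bytes(b'Jo*Po*Hello', XOR_HELLO)

if __name__ == '__main__':
    def fake_fetch(url: str) -> bytes:
        # First fallback returns garbage, second returns the real endpoint.
        return SAMPLE_ANSWER if 'techmicrost' in url else b'not-an-answer'
    print(resolve_c2(fake_fetch))
    print(xor_bytes(ENCODED_HELLO, XOR_HELLO))
    ka = build_keepalive()
    print(ka[:4].hex(), len(ka))
```

The keepalive check is the part worth keeping around: any 4100-byte TCP payload whose bytes 1 to 4099 are all 0x23 matches what the report observes, regardless of which C2 address the sample resolved.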
Highlights of the WHOIS data are given\r\nin the following table.\r\nWHOIS lookups for newpresses\\.com, appsecnic\\.com, and km153\\.com\r\nWHOIS field newpresses\\.com appsecnic\\.com km153\\.com\r\nName yuefen che heng cai Zhong yong\r\nOrganization cheyuefen Trade Client Ministry of Kunming Telecom,Yunnan\r\nCity kunming Kun ming\r\nState yunnan Yunnan\r\nStreet SongMingrenmingroad panlongqubeichengzhonglu Yunnan Wenshan WenBi lu 241 hao\r\nCountry CN\r\nWHOIS lookup for newpresses\\.com\r\nA few patterns are obvious: namely, yunnan, kunming, and cheyuefen in different forms.\r\nThe newer domains (gordeneyes\\.com, kabadefender\\.com, techmicrost\\.com) have identical fields:\r\nRegistrar: Alibaba Cloud Computing (Beijing) Co., Ltd.,\r\nState: yun nan,\r\nCountry: CN.\r\nThe value yun nan, of course, is reminiscent of the WHOIS data for the older domains.\r\nASNs for the hosting providers preferred by the group are as follows:\r\nCNSERVERS LLC (40065),\r\nABCDE GROUP COMPANY LIMITED (133201),\r\nZenlayer Inc (21859).\r\nConclusion\r\nBoth new and modernized tools from APT30 have caught our attention. The group stays true to its habits and\r\ntools, selectively adding new ones as it pursues its targets. One would be hard pressed to call the group's malware\r\nextremely well written or skilled at stealth and evasion. On the other hand, the targets may not be changing either,\r\nso such relatively crude tools may still get the job done. We notice that the toolkit is still a work in progress. Perhaps\r\nthe group is testing fresh malware in the field to identify any gaps. 
We expect to see improved versions of RHttpCtrl\r\nand RCtrl in the future, likely with added stealth and anti-analysis techniques.\r\nAuthor: Alexey Vishnyakov, Positive Technologies\r\nIOCs\r\nf4f8f64fd66a62fc456da00dd25def0d [NETEAGLE dropper]\r\n634e79070ba21e1e8f08aba995c98112 [AGENDA.docx]\r\n56725556d1ac8a58525ae91b6b02cf2c [NETEAGLE]\r\nhxxp://www.gordeneyes.com/photo/\r\nd9c42dacfae73996ccdab58e429548c0 [BACKSPACE]\r\n101bda268bf8277d84b79fe52e25fee4 [BACKSPACE]\r\ned09b0dba74bf68ec381031e2faf4448 [RHttpCtrl]\r\nhxxp://www.kabadefender.com/plugins/r.exe\r\n4fdfe014bed72317fa40e4a425350288 [WinRAR, Rar.exe]\r\nhxxp://www.kabadefender.com/clntsignin.php\r\nhxxp://www.kabadefender.com/clntcmd.php\r\nkabadefender\\.com\r\n95fde34187552a2b0b7e3888bfbff802 [RCtrl]\r\n103.233.10\\.152:4433\r\nhxxp://www.gordeneyes.com/infos/p\r\nhxxp://www.techmicrost.com/infos/p\r\n172.247.197\\.189:443\r\ngordeneyes\\.com\r\ntechmicrost\\.com\r\n9cb8a0cb778906c046734fbe67778c61\r\nc9b1c8b51234265983cf8427592b0a68\r\nnewpresses\\.com\r\nkm153\\.com\r\nappsecnic\\.com\r\nSource: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/"
	],
	"report_names": [
		"eagle-eye-is-back-apt30"
	],
	"threat_actors": [
		{
			"id": "a9ee8219-1882-4b1b-bac8-641b1603787d",
			"created_at": "2022-10-25T15:50:23.78263Z",
			"updated_at": "2026-04-10T02:00:05.351155Z",
			"deleted_at": null,
			"main_name": "APT30",
			"aliases": [
				"APT30"
			],
			"source_name": "MITRE:APT30",
			"tools": [
				"SHIPSHAPE",
				"FLASHFLOOD",
				"NETEAGLE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "30ed778d-15b3-484e-a90b-e1e05b36a42f",
			"created_at": "2023-01-06T13:46:38.290626Z",
			"updated_at": "2026-04-10T02:00:02.91411Z",
			"deleted_at": null,
			"main_name": "APT30",
			"aliases": [
				"G0013"
			],
			"source_name": "MISPGALAXY:APT30",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62",
			"created_at": "2025-08-07T02:03:24.604463Z",
			"updated_at": "2026-04-10T02:00:03.798481Z",
			"deleted_at": null,
			"main_name": "BRONZE GENEVA",
			"aliases": [
				"APT30",
				"BRONZE STERLING",
				"CTG-5326",
				"Naikon",
				"Override Panda",
				"RADIUM",
				"Raspberry Typhoon"
			],
			"source_name": "Secureworks:BRONZE GENEVA",
			"tools": [
				"Lecna Downloader",
				"Nebulae",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434474,
	"ts_updated_at": 1775826713,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70ccc282b80140029c538fa52290add0b1fe1aeb.pdf",
		"text": "https://archive.orkl.eu/70ccc282b80140029c538fa52290add0b1fe1aeb.txt",
		"img": "https://archive.orkl.eu/70ccc282b80140029c538fa52290add0b1fe1aeb.jpg"
	}
}