{ "id": "da3c0f58-303b-4b0b-acd5-d30f2330d787", "created_at": "2026-04-06T03:36:35.436757Z", "updated_at": "2026-04-10T13:12:49.329367Z", "deleted_at": null, "sha1_hash": "72396d6af1d42d8e81b26513e7baa1acfa3029e7", "title": "XServer (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 34883, "plain_text": "XServer (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-06 03:11:23 UTC\r\nwin.xserver (Back to overview)\r\nXServer\r\naka: Filesnfer\r\nActor(s): UPS, Violin Panda\r\nThere is no description at this point.\r\nReferences\r\n2019-12-19 ⋅ Fox-IT ⋅ Erik Schamper, Maarten van Dantzig\r\nOperation Wocao: Shining a light on one of China’s hidden hacking groups\r\nXServer\r\n2019-05-07 ⋅ One Night in Norfolk ⋅ Kevin Perlow\r\n“Filesnfer” Tool (C#, Python)\r\nXServer\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.xserver\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xserver\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xserver" ], "report_names": [ "win.xserver" ], "threat_actors": [ { "id": "5d512e7c-f6a7-47b5-b440-4968c299deaf", "created_at": "2023-01-06T13:46:38.344772Z", "updated_at": "2026-04-10T02:00:02.9359Z", "deleted_at": null, "main_name": "APT20", "aliases": [ "VIOLIN PANDA", "TH3Bug", "Crawling Taurus" ], "source_name": "MISPGALAXY:APT20", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b7cb83fe-4412-40b3-8757-ace5107599b6", "created_at": "2023-01-06T13:46:39.08347Z", "updated_at": "2026-04-10T02:00:03.207564Z", "deleted_at": null, "main_name": "Operation Wocao", "aliases": [], "source_name": "MISPGALAXY:Operation Wocao", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "dd583696-3de6-4c23-bfb6-e675a38a7000", "created_at": "2022-10-25T16:07:23.338398Z", "updated_at": "2026-04-10T02:00:04.548798Z", "deleted_at": null, "main_name": "APT 20", "aliases": [ "APT 20", "APT 8", "Crawling Taurus", "Operation Wocao", "TH3Bug", "Violin Panda" ], "source_name": "ETDA:APT 20", "tools": [ "Agent.dhwf", "Chymine", "Darkmoon", "Destroy RAT", "DestroyRAT", "Filesnfer", "Gen:Trojan.Heur.PT", "Kaba", "KeeThief", "Kerberoast", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "PlugX", "Poison Ivy", "ProcDump", "PsExec", "RedDelta", "SMBExec", "SPIVY", "SharpHound", "Sogu", "TIGERPLUG", "TVT", "Thoper", "WinRAR", "XServer", "Xamtrav", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "4b48d9e2-ef19-44fb-938b-30a9078d9e49", "created_at": "2022-10-25T15:50:23.314139Z", "updated_at": "2026-04-10T02:00:05.317785Z", "deleted_at": null, "main_name": "Operation Wocao", "aliases": [ "Operation Wocao" ], "source_name": "MITRE:Operation Wocao", "tools": [ "netstat", "dsquery", "Mimikatz", "PowerSploit", "Impacket" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775446595, "ts_updated_at": 1775826769, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/72396d6af1d42d8e81b26513e7baa1acfa3029e7.pdf", "text": "https://archive.orkl.eu/72396d6af1d42d8e81b26513e7baa1acfa3029e7.txt", "img": "https://archive.orkl.eu/72396d6af1d42d8e81b26513e7baa1acfa3029e7.jpg" } }