{
	"id": "5ce47da2-948c-4b7b-a0a8-a8dd01f2b2c3",
	"created_at": "2026-04-06T00:06:44.489124Z",
	"updated_at": "2026-04-10T03:32:21.69596Z",
	"deleted_at": null,
	"sha1_hash": "752efcb79af1b1ff5108336797b331bbf9bf3e7f",
	"title": "LevelBlue - Open Threat Exchange",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 238067,
	"plain_text": "LevelBlue - Open Threat Exchange\r\nBy PetrP.73\r\nArchived: 2026-04-05 18:47:03 UTC\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:hdroot\r\nPage 1 of 5\n\nMISSION2025 - APT41.\r\nCVE: 6\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:hdroot\r\nPage 2 of 5\n\nAPT41, also known as MISSION2025, is a Chinese state-sponsored advanced persistent threat group that has been\r\nactive since at least 2012. The group is particularly focused on cyberespionage and financially motivated attacks,\r\nusing sophisticated techniques to target a wide range of industries globally. Their operations are aligned with\r\nChina's economic strategy, notably the \"Made in China 2025\" initiative, emphasizing intellectual property theft\r\nand corporate espionage.\r\n161 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:hdroot\r\nPage 3 of 5\n\nThreat Research | FireEye Inc\r\nFind out more about FireEye.com, the world's leading cyber security company, which provides security services to\r\nmore than 1.5 million customers across the globe, and offers a wide range of products and services.\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:hdroot\r\nPage 4 of 5\n\n17 Subscribers\r\nAuthor Url\r\nHDRoot Bootkit\r\nFileHash-MD5: 27 | URL: 5\r\n(Kaspersky) Some time ago while tracking Winnti group activity we came across a suspicious 64-bit sample. It\r\nwas a standalone utility with the name HDD Rootkit for planting a bootkit on a computer. Once installed the\r\nbootkit infects the operating system with a backdoor at the early booting stage. The principles of this bootkit’s\r\nwork, named HDRoot, have been described in the first part of our article. During our investigation we found\r\nseveral backdoors that the HDRoot bootkit used for infecting operating systems. These backdoors are described in\r\nthis part of the article.\r\n373,972 Subscribers\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:hdroot\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:hdroot\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://otx.alienvault.com/browse/pulses?q=tag:hdroot"
	],
	"report_names": [
		"pulses?q=tag:hdroot"
	],
	"threat_actors": [
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434004,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/752efcb79af1b1ff5108336797b331bbf9bf3e7f.pdf",
		"text": "https://archive.orkl.eu/752efcb79af1b1ff5108336797b331bbf9bf3e7f.txt",
		"img": "https://archive.orkl.eu/752efcb79af1b1ff5108336797b331bbf9bf3e7f.jpg"
	}
}