{
	"id": "b779a4ad-021d-4d73-bc10-867560cdafd1",
	"created_at": "2026-04-06T00:07:50.323752Z",
	"updated_at": "2026-04-10T03:29:58.243081Z",
	"deleted_at": null,
	"sha1_hash": "75e3239f1df90b57d481fa2017779b3a05a62421",
	"title": "Who’s Really Spreading through the Bright Star?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 524561,
	"plain_text": "Who’s Really Spreading through the Bright Star?\r\nBy Kurt Baumgartner\r\nPublished: 2015-03-04 · Archived: 2026-04-05 18:11:50 UTC\r\nSecurity researchers recently announced that the official website for the Korean Central News Agency of the\r\nDemocratic People’s Republic of Korea has been serving malware disguised as a Flash Player update. The\r\nimmediately conspicuous code is still active on the KCNA front page. The JavaScript variables at the top of the\r\nfront page source code are part of an interwoven js mechanism meant to check for specific requirements before\r\nredirecting the visitor to a relative location, /download/FlashPlayer10.zip.\r\nThe malware delivery site has been live, although response to connection attempts is intermittent at best. The zip\r\nfile contains two executables with the common Flash installer names. This malware has been around since the end\r\nof 2012.\r\nWhat appears to be rushed attribution and pretty faux-intelligence diagrams propose the standard hypothesis that\r\nthe malware was placed there by the site’s developers in an attempt to infect the endpoints of those outsiders\r\ninterested in the goings-on of the DPRK. This may not be the case, because incidents are usually more complex\r\nthan they seem. And clearly, this is a significant piece of the puzzle – there was human involvement in adding this\r\nweb page filtering. It is not a part of the viral routines in its handful of components. 
Instead, the malware’s trigger,\r\nsystem requirements, and technical and operational similarities with the more recent DarkHotel campaigns point\r\nin the direction of an external actor, possibly looking to keep tabs on the geographically dispersed DPRK internet-enabled elite.\r\nThe larger spread of victims includes telecommunications network engineering staff, wealth management and\r\ntrading staff, a pharmaceutical’s electrical engineering staff, distributed software development teams, business\r\nmanagement and related school faculty and IT, and many, many more.\r\nWebsite Attack and Geographic Spread\r\nhttps://securelist.com/whos-really-spreading-through-the-bright-star/68978/\r\nPage 1 of 12\n\nOne of the most notable characteristics is that the malware isn’t being delivered to every site visitor. The delivery\r\ntrigger is contingent on the absence of the legitimate Flash Player 10 or newer being present on the target’s\r\nWindows system. If a user attempts to view the videos or picture slideshows linked on the bottom right pane of the\r\nfront page, the user is presented with a gif in place of the desired content indicating that flash player is required.\r\nNaturally, clicking on the gif will redirect to the malicious zip file. It’s also interesting that this malware has no\r\nLinux or OS X variant; deliverables are exclusively Windows executables. It’s also interesting that the malware\r\ncomponents were first detected in November 2012, two months prior to the first known appearance of the Flashplayer\r\nbundle on the kcna.kp website. While we don’t know definitively the exact origin of these infections, at this point,\r\nwe suspect it was in fact the kcna website. 
There are no other known sources.\r\nKSN data also includes a few select cases where Firefox users were served up the malware while visiting a page\r\nknown for cross-site scripting, described in the following section “Potential XSS-Enabled Watering Hole”.\r\nBasically, the timing and resource location of this vulnerability presents the definite possibility of an external\r\nactor’s intrusion.\r\nThe delivery of a zip file dependent on user interaction and self-infection initially implies a fairly low level of\r\nattack sophistication, but let’s go farther than the social engineering elements of the attack and consider the victim\r\nprofiling too. From this web site in particular, the attackers are initially targeting users with not only a low level of\r\ntechnical expertise and general knowledge, but also tragically outdated Windows systems. Flash Player version 10\r\nwas released in October 2008, and newer browsers like Google Chrome include a more recent flash plug-in out of\r\nthe box. These attacks took place in the third quarter of 2012 at the earliest.\r\nMost likely, the intended victims are known to use outdated systems that fit these specifications. This is the case in\r\nNorth Korea, where Global Stats places nearly half of desktop computer systems still running Windows XP. In\r\ncomparison, South Korea has a steady Windows 7 adoption rate of nearly 80% over the past year.\r\nSo what is the actual geographic spread of the malware? Well, the two main associated components mscaps.exe\r\nand wtime32.dll were detected on systems mostly in China, followed by South Korea, and Russia. 
We can infer\r\nthat these systems were infected at some point and were victim systems of the kcna.kp spread malware:\r\nChina 450\r\nKorea, Republic of 43\r\nRussian Federation 25\r\nMalaysia 20\r\nItaly 11\r\nIndia 10\r\nKorea, Democratic People’s Republic of 7\r\nGermany 7\r\nHong Kong 6\r\nIran, Islamic Republic of 4\r\nHowever, reading into the geolocation of the top hits is not as straightforward as it may seem. Reports suggest that\r\nNK elites have access to various internet providers that may geolocate their IP in Chinese, Russian, and Hong\r\nKong IP ranges.\r\nPotential XSS-Enabled Watering Hole\r\nGiven the recent branding of the NK threat actor as the culprit of the Sony hack, original reporting has had no\r\ndifficulty accepting the idea that this is an attack perpetrated from within the DPRK in order to keep track of those\r\npeople interested in the official state media. Let’s examine the difficulties in arriving at that conclusion.\r\nFirst, the site itself was vulnerable to XSS in the early 2013 time frame, when the Flashplayer installer bundle first\r\nappeared on the site. The site’s vulnerability is recorded here by “Hexspirit” on XSSed in April 2013. As a matter\r\nof fact, the first pages we are aware of that referred to the flashplayer bundle on kcna.kp by the exact same XSS-vulnerable page were seen in Jan 2013:\r\nhxxp://www.kcna.kp/kcna.user.home.photo.retrievePhotoList.kcmsf;jsessionid=xxx\r\nSo, the flashplayer bundle may have been delivered by any APT actor and not simply the site’s governmental\r\nsponsor. Coupling that possibility with the Darkhotel APT’s penchant for delivering Flashplayer installers from\r\ncompromised resources, this scenario holds weight. 
Also, the strong possibility that the site’s developers\r\nunknowingly maintained infected machines is present.\r\nThe operational angle of placing malware on the state’s official news site is dependent on who is most likely to\r\nview this site or be directed to it and be interested in its content – to the point of arriving at the download trigger deep\r\nin the media section. Sure, we can consider that key elements in the international community, like dissidents, think\r\ntanks, and foreign institutions are likely to keep an eye on NK state news but their systems are unlikely to fit the\r\nFlash player requirements for the infection. We also have seen forums maintaining emotionally charged\r\ndiscussions containing links to photo images redirecting to the Flash installer malware. Perhaps forum participants\r\nwere targeted actively in this way as well. So this watering hole attack may be focused inward, intentionally\r\ntargeting the geographically-spread North Korean internet-enabled elite and other interested readers by an external\r\nthreat actor.\r\nMalware Similarities to Darkhotel APT Toolset\r\nThe original finding includes a preliminary analysis of the quirky inner workings of the malware dropper, delving\r\ninto the two executables masquerading as Flash Player 10 updates. Let’s go a step further and discuss the\r\nfollowing similarities between the viral code hosted on kcna.kp and the previously documented Darkhotel\r\nmalware in the following categories:\r\nSocial engineering\r\nDistribution\r\nData collection\r\nNetwork configuration and simple obfuscation\r\nInfection and injection behavior\r\nTimestamps and timelines\r\nA referent for these malware similarities can be found in descriptions of the malware distributed during the\r\nDarkHotel campaigns. 
Comparisons follow.\r\nThe most blatant and obvious similarity between these campaigns is the approach of delivering spoofed\r\nFlashPlayer installers bound with backdoors from compromised server resources. This is the first page out of the\r\nDarkhotel playbook and one of its most distinct qualities now replicated in the KCNA attack. The benefits of this\r\napproach are significant, especially when considering that the malware in the case of KCNA is not digitally signed\r\nand requires express user interaction for execution.\r\nData Collection\r\nOn a technical level, it’s interesting to recall the Darkhotel information stealer from 2012. Its purpose is to collect\r\nidentifying data points from victim systems. The data points of interest to the DH information stealer are very\r\nsimilar to those of its KCNA equivalent (shown below):\r\nCoincidentally, the KCNA dropper collects much the same identifying data points from victim systems. The\r\nDarkhotel item missing from this list is the ‘CPU Name and Identifier’, supplanted by ‘time of infection’.\r\nThe Darkhotel stealer maintained the stolen data in a specific internal format of label-colon-value as follows:\r\nThe KCNA stealer maintained the stolen data in the following internal format, very similar to the Darkhotel\r\nformat (label-colon-value):\r\nNetwork configuration and simple obfuscation\r\nThis package’s network callback includes several unusual Fully Qualified Domain Names (FQDNs). This network\r\nconfiguration is specifically hardcoded within wtime32.dll:\r\na.gwas.perl.sh\r\na-gwas-01.dyndns.org\r\na-gwas-01.slyip.net\r\nIt’s interesting that the malware is configured with three connectback command \u0026 control servers, just like the\r\nnetwork configuration of tens of the Darkhotel backdoors. 
Also, a very simple routine locates these strings within\r\nthe wtime32.dll component’s .data section and decodes them as global variables. Those strings are obfuscated\r\nwithin the binary with a simple XOR 0x12 loop. The later Darkhotel samples maintain a somewhat more\r\ncomplicated approach, but not by much. Here are the strangely obfuscated strings:\r\nSoftware\\Microsoft\\Active Setup\\Installed Components\r\n{ef2b00e3-19da-4e78-b118-6b6451b719f2}\r\n{a96adc11-e20e-4e21-bfac-3e483c40906e}\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run\r\nJREUpdate\r\nmscaps.exe\r\na.gwas.perl.sh\r\na-gwas-01.slyip.net\r\na-gwas-01.dyndns.org\r\nupdate.microsoft.com\r\n20\r\n%SystemRoot%\\system32\r\n%APPDATA%\\Microsoft\\Protect\\SETUP\r\n%SystemRoot%\\system32\\gdi32.dll\r\nTargeting Specificity\r\nThe Darkhotel actor is unusual in the varying degrees of specificity it uses to spread its malware: “This APT\r\nprecisely drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that\r\neffectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large\r\nnumbers of vague targets with peer-to-peer spreading tactics.”\r\nIn other words, the group is surprisingly open to their worms spreading indiscriminately across entire countries,\r\nhitting tens of thousands of systems. This is also the case in the KCNA campaign wherein malware is positioned\r\nin a way meant to attract a specific target audience with uncommon system requirements and yet the malware\r\nitself is designed to spread indiscriminately (via a mechanism described below).\r\nInfection and Injection Behaviors\r\nMuch like the Darkhotel toolset, the KCNA malware includes viral code. The routine is maintained in the fil.dll\r\ncode. 
After sleeping for a couple of minute intervals, the code repeatedly looks through attached network drives\r\nfor executables to infect. It infects these files with its explorer shellcode and the @AE1.tmp dropper itself. It’s a\r\nstrange infection strategy – notably, the shellcode blob does not transfer control back into the original file.\r\nThe injection behavior is both intricate and indiscriminate as the malware not only infects executables on network\r\nshares but also locally. As an example, the size of an infected Skype installer on a network drive increased in size\r\nfrom its original 1,513 kb to 3,221 kb.\r\nGreat strides, however inelegant, were taken in adding to the malware’s injection capabilities beyond simple\r\nexecutables. For this purpose, the malware drops a copy of command-line WinRar version 4.1.0 (released January\r\n2012) in %USERS%\\AppData\\Roaming\\Microsoft\\Identities\\\\Rar.exe. This Winrar software is used in order to\r\naccess ZIP, RAR, ISO, and 7Z files in search of any executable contents to infect. Archives in the aforementioned\r\nformats containing executables are infected and then repackaged under their original filenames but with their new\r\nexecutable contents under the Daws.awfy scheme.\r\nAll resultant infected files are detected by our products as Trojan-Dropper.Win32.Daws.awfy. Several networks\r\nwere affected by this viral code, and almost one thousand unique md5s representing related infected files across\r\nvarious systems were recorded as “Trojan-Dropper.Win32.Daws.awfy”.\r\nViral Victimology\r\nGiven the malware’s viral propagation capabilities, we can distinguish the infection spread data above, which\r\nrelates directly to the Flashplayer hosted on KCNA, from the malware’s viral spread through network shares and\r\nremovable drives. 
While each count in this list represents a unique organization or system that detected a set of\r\nKCNA-viral infected files on their drives, the total infected file detection count is almost 20,000 files. Focusing on\r\nthe Daws.awfy spread, we get a different picture of the malware’s reach:\r\nCountry Systems and organizations encountering infected files\r\nChina 481\r\nMalaysia 51\r\nRussia 47\r\nKorea, Republic of 34\r\nTaiwan 14\r\nSenegal 14\r\nKorea, Democratic People’s Republic of 11*\r\nIndia 9\r\nMexico 9\r\nQatar 9\r\nIt’s important to note the different conditions that apply to North Korea. First of all, the limited IP space means\r\nthat multiple unique systems share IP addresses – in the case of DPRK victims above, the number is based on\r\nunique systems instead of unique IP addresses. Next, we attribute the relatively low number of network-based\r\ninfections to the restrictive policies that keep many users from connecting to the larger Internet from KP IP ranges\r\nin the first place. A network- and USB-based viral infector is a great tool for a malicious actor to use the few front-facing systems in order to infect computers on an isolated intranet, like the one connecting most machines inside\r\nNK. However, that very isolation makes it impossible to precisely quantify the malware’s success inside that\r\nintranet at this time.\r\nTimestamps and timelines\r\nKCNA malware dropper compilation timestamp: Tue, 13 Mar 2012 02:24:49 GMT.\r\nDarkhotel information stealer compilation timestamp: Mon, 30 Apr 2012 00:25:59 GMT.\r\nAlso interesting is that almost all of the additional KCNA malware related components were compiled in mid-March 2012.\r\nThe first Darkhotel APT spoofed flashplayer installer incidents recorded in our KSN data began in 2012 and\r\npeaked in 2013. 
This KCNA incident would fall in the peak timeframe for this type of offensive activity for\r\nDarkhotel.\r\nNoteworthy Components\r\nIn addition to the legitimate flash player upgrade that this archive maintains, the backdoor components that it\r\ndrops to disk and executes seem to be clustered as Windows Live components (i.e.: Defender, IM Messenger). The\r\ntwo most interesting dropped files are the following:\r\n78d3c8705f8baf7d34e6a6737d1cfa18,c:\\windows\\system32\\mscaps.exe\r\n978888892a1ed13e94d2fcb832a2a6b5,c:\\windows\\system32\\wtime32.dll\r\nThe mscaps.exe component’s reboot persistence setting is added to the registry\r\nhere: HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{a96adc11-e20e-4e21-bfac-3e483c40906e}, where its stubpath is set to ‘”C:\\WINDOWS\\system32\\mscaps.exe” /s /n /i:U shell32.dll’. This\r\nsetting ensures that every time the explorer.exe shell is started or restarted on the system, this executable injects its\r\ncode.\r\nOther analyses of this malware failed to mention the presence of Madshi’s madCodeHook. It is a legitimate\r\ncommercial DLL injection and API hooking framework, in this case used to inject the att.dll spyware component\r\nspecifically into the following communications applications:\r\nInternet Explorer – iexplore.exe, ieuser.exe\r\nMozilla Firefox, firefox.exe\r\nGoogle Chrome, chrome.exe\r\nMicrosoft Outlook Express, msimn.exe\r\nMicrosoft Outlook, outlook.exe\r\nWindows Mail, winmail.exe\r\nWindows Live Mail, wlmail.exe\r\nMSN Messenger, msnmsgr.exe\r\nYahoo! 
Messenger, yahoomessenger.exe\r\nWindows FTP Client, ftp.exe\r\nThe LoadLibraryExW hook is placed here:\r\nThe hook jmp listed here:\r\nRelated string parsing loop here:\r\nOther analysis notes that ws2_32.dll, or the winsock2 library, is dropped to disk and copied to mydll.dll. The\r\nreason for this is most likely to maintain stable Winsock2 hooks across Windows OS versions. In the past, some\r\nmadCodeHooks set on Winsock2 APIs proved to be unstable, so these guys just include one that they know works.\r\nThis implementation throws a wrench in the works; it is certainly a dissimilarity. The madCodeHook library was\r\nnot observed in Darkhotel malware.\r\nThe wtime32.dll component is dropped to disk and loaded at startup into explorer.exe. It is then injected into each\r\nof the listed “interesting” processes. It is a very interesting bot component, communicating with its three c2\r\ndomains and listening for further commands. It maintains 13 primitive interactive bot commands:\r\nCommand Command Description\r\ncmd\r\nrun provided cmd and output to file as a part of newly created and killed process, i.e. 
“cmd /c\r\ntree \u003e file 2\u003e\u00261”\r\ninf\r\ncollect system information – operating system version, username, computername, system drive,\r\nlocal time, all connected drives and properties, network adapter properties, disk free space,\r\nenumerate all installed programs as per-user or per-machine\r\ncap capture screenshot and send to c2\r\ndlu incomplete function\r\ndll\r\nopen a process with all access, write a dll to memory and remotely create thread (load a dll into\r\na remote process)\r\nput receive, decrypt, and write specified file to disk\r\ngot report status on retrieved file\r\nget collect, encrypt, and retrieve specified file\r\nexe run provided executable name with WinExec\r\ndel record file attributes to specified c2 and delete specified file\r\ndir\r\nrecord and report to c2 all files in current directory tree and their attributes: filename, file size,\r\nlast write time, archive or directory, hidden, system\r\nquit exit thread\r\nprc process request\r\nIts functionality includes older technologies used here that we just don’t see anymore. Not only does it provide for\r\nNTFS, FAT32, FAT16, and FAT filesystem I/O routines, but it implements the older FAT12 I/O routines as well.\r\nLow level Windows95 raw disk access is enabled with CreateFileA on \\\\.\\vwin32 through the vwin32 virtual\r\ndriver.\r\nFinally, the KCNA malware does have a unique trick up its sleeve: its dropped components’ ability to scan\r\nconnected drives and network shares to copy their contents and deliver a special something to further its spread.\r\nSo in its own crude way, this malware could hop across USB-enabled air-gapped networks by infecting both\r\nexecutables and archives on USB sticks.\r\nConclusions\r\nThe KCNA incident and the related viral bot’s spread leave more questions than solid answers. 
Chalking this\r\ncampaign up to DPRK operations is certainly a simplistic thing to do and unsupported here. The possibility for the\r\nspread of an internal network virus or the possibility of an XSS-enabled website compromise are both high. Some\r\nsimilarities with the Darkhotel toolset are present, including the network configuration, spoofing technique, as\r\nwell as the format and selection of stolen data. Were these to be related campaigns, particularities of the KCNA\r\nmalware show that the Darkhotel actor may still have some tricks up its sleeve.\r\nAppendix\r\nComponents Dropped by the KCNA Malware\r\n78d3c8705f8baf7d34e6a6737d1cfa18, mscaps.exe, Tue, 12 Apr 2011 09:15:59 GMT\r\n978888892a1ed13e94d2fcb832a2a6b5, wtime32.dll, 213kb, Trojan.Win32.Agent.hwgw, CompiledOn:Wed, 29 Feb 2012 00:50:36 GMT\r\n2d9df706d1857434fcaa014df70d1c66, arc.dll, 1029kb, Trojan.Win32.Agent.hwgw, CompiledOn:Tue, 13 Mar 2012 02:34:00 GMT\r\nfffa05401511ad2a89283c52d0c86472, att.dll, 229KB, Trojan.Win32.Agent.hwgw, CompiledOn:Tue, 13 Mar 2012 02:24:32 GMT\r\n1fcc5b3ed6bc76d70cfa49d051e0dff6, dis.dll, 120kb, Trojan.Win32.Agent.hwgw, CompiledOn:Tue, 13 Mar 2012 02:24:36 GMT\r\nd0c9ada173da923efabb53d5a9b28d54, fil.dll, 126kb, UDS:DangerousObject.Multi.Generic, CompiledOn:Tue, 13 Mar 2012 02:24:41 GMT\r\ndaac1781c9d22f5743ade0cb41feaebf, launch.exe, 172KB, HEUR:Trojan.Win32.Generic, CompiledOn:Tue, 13 Mar 2012 02:24:52 GMT\r\n6a9461f260ebb2556b8ae1d0ba93858a, sha.dll, 89KB, Trojan.Win32.Agent.hwgw, CompiledOn:Tue, 13 Mar 2012 02:24:43 GMT\r\nf1c9f4a1f92588aeb82be5d2d4c2c730, usd.dll, 99KB, Trojan.Win32.Agent.hwgw, CompiledOn:Tue, 13 Mar 2012 02:24:46 GMT\r\n59ee2ff6dbac2b6cd3e98cb0ff581bdb, WdExt.exe, 1.66MB, Trojan.Win32.Agent.hwgw, CompiledOn:Tue, 13 Mar 2012 02:24:49 GMT\r\nf415ea8f2435d6c9656cc6525c65bd3c, wtmps.exe, 1.94MB, 
Trojan-Dropper.Win32.Daws.awfy, CompiledOn:Mon, 05 Mar 2012 08:37:55 GMT\r\nRelated MD5s, Domains, and Detections\r\nTrojan.Win32.Agent.hwgw\r\n78d3c8705f8baf7d34e6a6737d1cfa18, mscaps.exe\r\n2d9df706d1857434fcaa014df70d1c66, arc.dll\r\n1e7c6907b63c4a485e7616aa04351da7, @aedf66.tmp.exe\r\n1fcc5b3ed6bc76d70cfa49d051e0dff6, dis.dll\r\n523b4b169dde3bcab81311cfdee68e92, wdext.exe\r\n541989816355fd606838260f5b49d931, wdext.exe\r\n5e34f85278bf3504fc1b9a59d2e7479b, wdext.exe\r\n6a9461f260ebb2556b8ae1d0ba93858a, sha.dll\r\n78ba5b642df336009812a0b52827e1de, wdexe.exe\r\n7f15d9149736966f1df03fc60e87b8ac, wdext.exe\r\n7f3a38093bd60da04d0fa5f50867d24f\r\n82206de94db9fb9413e7b90c2923d674\r\na59d9476cfe51597129d5aec64a8e422, @ae465f.tmp.exe\r\nf1c9f4a1f92588aeb82be5d2d4c2c730, usd.dll\r\nfffa05401511ad2a89283c52d0c86472, att.dll\r\nd0c9ada173da923efabb53d5a9b28d54, fil.dll\r\nTrojan-Dropper.Win32.Daws.awfy\r\n2f7b96b196a1ebd7b4ab4a6e131aac58\r\n8948f967b61fecf1017f620f51ab737d\r\n…and almost 800 other executables that were infected on network shares and attached drives\r\nc2 Domains\r\na.gwas.perl.sh,211.233.75.83\r\na-gwas-01.dyndns.org\r\na-gwas-01.slyip.net\r\nSource: https://securelist.com/whos-really-spreading-through-the-bright-star/68978/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://securelist.com/whos-really-spreading-through-the-bright-star/68978/"
	],
	"report_names": [
		"68978"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434070,
	"ts_updated_at": 1775791798,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/75e3239f1df90b57d481fa2017779b3a05a62421.pdf",
		"text": "https://archive.orkl.eu/75e3239f1df90b57d481fa2017779b3a05a62421.txt",
		"img": "https://archive.orkl.eu/75e3239f1df90b57d481fa2017779b3a05a62421.jpg"
	}
}