{
	"id": "56042d88-a584-47f3-9f73-00b98921759d",
	"created_at": "2026-04-06T00:17:24.100906Z",
	"updated_at": "2026-04-10T03:37:32.956173Z",
	"deleted_at": null,
	"sha1_hash": "760e14c40a2f98f490e90f5dc8564faed8876f60",
	"title": "PlugX Meeting Invitation via MSBuild and GDATA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2045275,
	"plain_text": "PlugX Meeting Invitation via MSBuild and GDATA\r\nPublished: 2026-02-26 · Archived: 2026-04-05 13:38:31 UTC\r\nIn relation to the latest variant of the PlugX RAT executed by STATICPLUGIN analyzed by IIJ-SECT, LAB52 aims to\r\ncomplement this information with additional observed deployment activity and encryption characteristics in samples\r\nanalyzed by this team.\r\nPlugX is a long-running Remote Access Trojan (RAT) that has been consistently linked to multiple China-aligned threat\r\nactors and espionage operations worldwide. Since its public identification around 2008, it has been attributed to groups such\r\nas Mustang Panda, APT41, APT10, and Deep Panda, among others. These actors have deployed PlugX in targeted\r\ncampaigns affecting government institutions, diplomatic entities, defense organizations, technology companies, energy\r\nproviders, and NGOs across Europe, Asia, and North America. Its sustained use over more than a decade reflects both its\r\nadaptability and its operational value within China-linked cyber-espionage ecosystems.\r\nFrom an operational standpoint, PlugX is typically delivered through spear-phishing emails carrying malicious attachments,\r\nweaponized Word or Excel documents with macros, executables disguised as legitimate software, or via supply chain\r\ncompromise scenarios. A recurring characteristic of PlugX campaigns is the abuse of DLL side-loading, in which legitimate\r\nand often digitally signed applications are leveraged to load malicious DLLs, thereby reducing suspicion and bypassing\r\ncertain security controls. This combination of social engineering, trusted software abuse, and modular payload design has\r\nenabled PlugX to remain a relevant and frequently observed tool in international cyber-espionage operations.\r\nInitial Deployment\r\nIn this case, during the deployment of PlugX, the G DATA antivirus executable (Avk.exe) is used to load the malicious DLL\r\nAvk.dll via DLL side-loading. 
In the case analysed by LAB52, the infection chain begins with a phishing email titled\r\n“Meeting Invitation” followed by a date. The content includes two links:\r\nA URL redirecting to the Ministry of Foreign Affairs of Iceland.\r\nA URL allowing the download of a .zip file containing two files:\r\nInvitation_Letter_No.02_2026.csproj\r\nScript used to download and execute artifacts.\r\nInvitation_Letter_No.02_2026.exe\r\nMSBuild.exe, used as a LOLBIN to execute the script that downloads and runs the software (.csproj).\r\nDuring execution, the malware displays a decoy document.\r\nhttps://lab52.io/blog/plugx-meeting-invitation-via-msbuild-and-gdata/\r\nPage 1 of 10\n\nThe .csproj file contains three Base64-encoded URLs using the domain:\r\nhttps[:]//onedown[.]gesecole[.]net/download\r\nThe downloaded files correspond to:\r\nAVK.exe – a legitimate G DATA Antivirus executable, which fails if executed directly because it requires AVK.dll.\r\nAfter download, it is renamed with a random filename.\r\nAvk.dll – identified by VirusTotal as Korplug (a PlugX variant). It is renamed upon download so it can be loaded via\r\nDLL side-loading by AVK.exe.\r\nAVKTray.dat – an encrypted file not found in VirusTotal, also renamed during download.\r\nDuring execution of the main file (Invitation_Letter_No.02_2026.exe), the following actions occur:\r\nExecution of Invitation_Letter_No.02_2026.csproj, leading to the download of the mentioned files and subsequent\r\nexecution of Avk.dll via DLL side-loading, enabling payload injection.\r\nCreation of files in %TEMP%/[a-b0-9]{8} which are deleted after use. 
These files share the same random folder name\r\nand use the following extensions: .cs, .cmdline, .pdb, .TMP, .dll, .out.\r\nPersistence via the Run registry key “G DATA”, executing Avk.exe as follows (numeric values may vary; examples\r\nshown): \"C:\\Users\\Public\\GDatas\\Avk.exe\" 865 322\r\nCommunications with:\r\nhttps[:]//decoraat[.]net:443\r\nObfuscation Capabilities\r\nThrough analysis of the infection procedure, the following encryption-related capabilities were identified:\r\nAvk.dll obtains the name of the file to be loaded (AVKTray.dat) from an XOR-encoded string hardcoded in the .rdata\r\nsection using key 0x7F.\r\nIt is possible that other loaders use the same procedure while varying the filename and corresponding value, but maintaining\r\nthe same structure.\r\nIn addition to key 0x7F, analysis of Avk.dll code revealed that key 0x98 could also be used in other scenarios,\r\nalthough it is not activated for these files.\r\nAvk.dll decrypts AVKTray.dat using XOR with key 0x4F.\r\nThe payload includes the decoy PDF within the overlay section. Embedding the decoy as part of the overlay is\r\ncommon in PlugX.\r\nThe configuration can also be observed in the decrypted payload. In this case, the RC4 key is as follows:\r\nOffset | Description | Value\r\n0x00 | RC4 key length | 0Bh (11 bytes)\r\n0x04 | RC4 key (12 bytes) | fzsbnWTgLLqp\r\n0x16 | Start of encrypted data |\r\nWhen decrypted using the key according to its length (fzsbnWTgLLq), hexadecimal strings are obtained and interpreted\r\nsimilarly to what was explained in IIJ-SECT, using the same algorithm to obtain the C2, which in this case is\r\ndecoorat[.]net. 
The configuration also indicates the use of HTTPS over port 443 (BB01).\r\nAPI Hashing\r\nBoth Avk.dll and the injected payload use API hashing to obfuscate module and function addresses invoked during\r\nexecution.\r\nAvk.dll uses DJB2-based API hashing.\r\nThe injected payload uses API hashing based on ROL-19 plus cumulative character summation.\r\nThe list of hashes used by the attackers is provided in the IOC section. Notably, the list for Avk.dll enables identification of these files in\r\nmemory and facilitated the discovery of additional hashes. However, the hash list used by the payload would only be\r\nobservable in memory in this case.\r\nIt cannot be ruled out that unrelated malware samples may also use the same API hashing algorithm.\r\nMeeting Invitation from APT Groups\r\nThere are precedents of advanced persistent threat (APT) campaigns using themed invitations (events, receptions,\r\nconferences) as spear-phishing lures to distribute malware or sophisticated loaders and compromise strategic targets.\r\nFor example, UNC6384 (with tactical and infrastructure overlaps with Mustang Panda) exploited vulnerability ZDI-CAN-25373 to deploy PlugX, using a supposed European Commission meeting agenda as an infection lure.\r\nAPT29 (also known as Cozy Bear / Midnight Blizzard, linked to Russia) sent emails containing fake invitations to dinners\r\nor diplomatic events that directed victims to malicious links or documents deploying loaders such as ROOTSAW,\r\nWINELOADER, or GRAPELOADER against political parties and government entities in Europe. 
These campaigns\r\nleveraged the trust associated with formal invitations to deceive victims and deploy persistent malware.\r\nA campaign documented by FireEye showed that APT34 used spoofed LinkedIn invitations to entice recipients into opening\r\nmalicious documents that installed backdoors such as TONEDEAF and credential-stealing tools.\r\nThere are also historical reports of groups such as Lotus Blossom using emails offering invitations to cybersecurity\r\nconferences to deliver trojans such as Emissary, although this corresponds to an earlier phase of APT activity.\r\nThese campaigns represent just one example of how threat actors leverage social engineering techniques based on calendar\r\nevents or invitations, using seemingly legitimate contexts to lower victims’ defenses and encourage them to open files or\r\nfollow links that ultimately trigger sophisticated infection chains.\r\nConclusions\r\nThe analysis of this campaign reinforces how PlugX continues to evolve while maintaining many of its historically\r\nconsistent tradecraft elements. In this case, the use of legitimate G DATA antivirus components — particularly a freely\r\navailable executable — highlights the actors’ continued reliance on DLL side-loading to blend malicious execution with\r\ntrusted software. Avk.dll functions as a relatively simple yet effective loader, structured around a minimal set of core\r\nroutines and a localized junk function to hinder static analysis. Its responsibility is clear: retrieve and decrypt the payload\r\nstored in AVKTray.dat, whose filename is embedded within the DLL in XOR-encoded form. Although two potential XOR\r\nkeys are present in the code, only one is actively used in this sample. 
This detail opens an interesting analytical avenue, as\r\nthe structured method of storing encoded filenames inside DLLs could provide valuable leads for identifying related activity\r\nor future variants.\r\nFrom a defensive perspective, understanding this filename obfuscation approach may support the development of preventive\r\ndetection rules, particularly if patterns in naming conventions or encoding logic can be generalized. Further comparative\r\nanalysis across samples could determine whether a reusable script or shared development methodology underpins these\r\nloaders.\r\nOperationally, the loader triggers a context change event to initiate payload execution within the same process, maintaining\r\nstealth and reducing behavioral anomalies. Its consistent use of DJB2-based API hashing ensures that all function calls are\r\nresolved indirectly, complicating static detection efforts. Detection rules have already been defined based on this behavior,\r\nand initial results suggest the possibility that this sample represents one of the most recent operational instances observed.\r\nAdditional analysis of newly identified artifacts will be necessary to confirm this hypothesis.\r\nFinally, the injected DLL — decrypted from AVKTray.dat — embeds a decoy PDF within its overlay section, a technique\r\nthat aligns with long-standing operational patterns associated with PlugX. Incorporating the decoy directly into the overlay\r\nallows the malware to present a convincing lure to the victim while keeping the malicious logic tightly coupled within the\r\nsame artifact. This dual-purpose design reflects a mature development approach in which social engineering and technical\r\nexecution are carefully integrated. 
Given the recurring use of PDF decoys in recent activity, this choice appears deliberate\r\nand consistent with the broader objective of maintaining credibility while minimizing suspicion during the early stages of\r\ncompromise.\r\nIntelligence Availability Notice\r\nThis article presents selected insights derived from our broader threat intelligence operations and coverage. Additional\r\ndetails related to this campaign, as well as other investigations and ongoing intelligence activities, are enriched and available\r\nthrough our private intelligence feed.\r\nIndicators of Compromise (IOC)\r\nFiles\r\nName | SHA256 | Size (KB)\r\nAVKTray.dat | e7ed0cd4115f3ff35c38d36cc50c6a13eba2d845554439a36108789cd1e05b17 | 673\r\nAvk.dll | 46314092c8d00ab93cbbdc824b9fc39dec9303169163b9625bae3b1717d70ebc | 5,1\r\nAVK.exe | 8421e7995778faf1f2a902fb2c51d85ae39481f443b7b3186068d5c33c472d99 | 943\r\nInvitation_Letter_No.02_2026.zip | 29cd44aa2a51a200d82cca578d97dc13241bc906ea6a33b132c6ca567dc8f3ad | 113\r\nInvitation_Letter_No.02_2026.csproj | de8ddc2451fb1305d76ab20661725d11c77625aeeaa1447faf3fbf56706c87f1 | 3,24\r\nInvitation_Letter_No.02_2026.exe | 5f9af68db10b029453264cfc9b8eee4265549a2855bb79668ccfc571fb11f5fc | 255\r\nName | SHA256 | Size (KB) | Description\r\nAVKTray.dat decrypted | d293ded5a63679b81556d2c622c78be6253f500b6751d4eeb271e6500a23b21e | 658 | AVKTray.dat file decrypted with XOR key 0x4F\r\nName | SHA256 | Size (KB) | Description\r\nPdf (decoy) | 6df8649bf4e233ee86a896ee8e5a3b3179c168ef927ac9283b945186f8629ee7 | 57 | PDF inside the overlay of the injected DLL. This is a decoy that will be shown to the user.\r\nCommunications\r\nhttps[:]//onedow[.]gesecole[.]net/download\r\nhttps[:]//decoraat[.]net:443\r\nPersistence\r\nFiles saved 
in:\r\nC:\\Users\\Public\\GDatas\r\nModification of key:\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nAPI Hashing\r\nAVK.dll\r\nModules\r\nHash Module\r\n0x7040EE75 Kernel32.dll\r\n0x22D3B5ED ntdll.dll\r\nAPIs\r\nHash Kernel32.dll\r\n0x13B8A163 GetModuleFileNameW\r\n0x382C0F97 VirtualAlloc\r\n0x668FCF2E VirtualFree\r\n0x5D01F1B2 CreateEventW\r\n0x877EBBD3 SetEvent\r\n0x0E19E5FE Sleep\r\nHash ntdll.dll\r\n0x15A5ECDB NtCreateFile\r\n0x4725F863 NtQueryInformationFile\r\n0x8B8E133D NtClose\r\n0x2E979AE3 ReadFile\r\n0x1703AB2F NtTerminateProcess\r\n0x082962C8 NtProtectVirtualMemory\r\n0x0E4DA1C11 RegisterWait\r\n0x0C0D8989A RtlDeregisterWait\r\nInjected Payload from AVKTray.dat\r\nModules\r\nHash Module\r\n0x794D2C1B ntdll.dll\r\n0x7C0A2A4A kernel32.dll\r\n0x534AE0B8 kernelbase.dll\r\n0x6A47F6BB winhttp.dll\r\n0x3CF5E5AD ws2_32.dll\r\nAPIs\r\nHash ntdll.dll\r\n0xEC0E4D4E NtAllocateVirtualMemory\r\n0x0306F0EC NtProtectVirtualMemory\r\n0x91AF6E44 NtFreeVirtualMemory\r\n0x794D2C1B NtQueryInformationProcess\r\n0x534AE0B8 NtSetInformationThread\r\nHash Kernel32.dll\r\n0x7C0A2A4A LoadLibraryA\r\n0x794F23CA GetProcAddress\r\n0x57B0B568 VirtualAlloc\r\n0x5C28F480 VirtualProtect\r\nHash winhttp.dll\r\n0x534AE0B8 WinHttpOpen\r\n0x0306F0EC WinHttpConnect\r\n0x0D56A5E9 WinHttpOpenRequest\r\n0xE8560C81 WinHttpSendRequest\r\n0xF0B8EEC9 WinHttpReceiveResponse\r\nHash ws2_32.dll\r\n0x3CF5E5AD socket\r\n0x793C2E6A connect\r\n0x1B7FBEC4 send\r\n0x47F8F21D recv\r\nSource: https://lab52.io/blog/plugx-meeting-invitation-via-msbuild-and-gdata/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://lab52.io/blog/plugx-meeting-invitation-via-msbuild-and-gdata/"
	],
	"report_names": [
		"plugx-meeting-invitation-via-msbuild-and-gdata"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98",
			"created_at": "2022-10-25T15:50:23.538608Z",
			"updated_at": "2026-04-10T02:00:05.378092Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"Lotus Blossom",
				"DRAGONFISH",
				"Spring Dragon",
				"RADIUM",
				"Raspberry Typhoon",
				"Bilbug",
				"Thrip"
			],
			"source_name": "MITRE:Lotus Blossom",
			"tools": [
				"AdFind",
				"Impacket",
				"Elise",
				"Hannotog",
				"NBTscan",
				"Sagerunex",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f",
			"created_at": "2022-10-25T16:07:23.335869Z",
			"updated_at": "2026-04-10T02:00:04.547702Z",
			"deleted_at": null,
			"main_name": "APT 19",
			"aliases": [
				"APT 19",
				"Bronze Firestone",
				"C0d0so0",
				"Checkered Typhoon",
				"Codoso",
				"Deep Panda",
				"G0009",
				"G0073",
				"Operation Kingslayer",
				"Red Pegasus",
				"Sunshop Group",
				"TG-3551"
			],
			"source_name": "ETDA:APT 19",
			"tools": [
				"Agentemis",
				"C0d0so0",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"EmPyre",
				"EmpireProject",
				"Fire Chili",
				"PowerShell Empire",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c21da9ce-944f-4a37-8ce3-71a0f738af80",
			"created_at": "2025-08-07T02:03:24.586257Z",
			"updated_at": "2026-04-10T02:00:03.804264Z",
			"deleted_at": null,
			"main_name": "BRONZE ELGIN",
			"aliases": [
				"CTG-8171 ",
				"Lotus Blossom ",
				"Lotus Panda ",
				"Lstudio",
				"Spring Dragon "
			],
			"source_name": "Secureworks:BRONZE ELGIN",
			"tools": [
				"Chrysalis",
				"Cobalt Strike",
				"Elise",
				"Emissary Trojan",
				"Lzari",
				"Meterpreter"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "87a20b72-ab72-402f-9013-c746c8458b0b",
			"created_at": "2023-01-06T13:46:38.293223Z",
			"updated_at": "2026-04-10T02:00:02.915184Z",
			"deleted_at": null,
			"main_name": "LOTUS PANDA",
			"aliases": [
				"Red Salamander",
				"Lotus BLossom",
				"Billbug",
				"Spring Dragon",
				"ST Group",
				"BRONZE ELGIN",
				"ATK1",
				"G0030",
				"Lotus Blossom",
				"DRAGONFISH"
			],
			"source_name": "MISPGALAXY:LOTUS PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eaa8168f-3fab-4831-aa60-5956f673e6b3",
			"created_at": "2022-10-25T16:07:23.805824Z",
			"updated_at": "2026-04-10T02:00:04.754761Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"ATK 1",
				"ATK 78",
				"Billbug",
				"Bronze Elgin",
				"CTG-8171",
				"Dragonfish",
				"G0030",
				"G0076",
				"Lotus Blossom",
				"Operation Lotus Blossom",
				"Red Salamander",
				"Spring Dragon",
				"Thrip"
			],
			"source_name": "ETDA:Lotus Blossom",
			"tools": [
				"BKDR_ESILE",
				"Catchamas",
				"EVILNEST",
				"Elise",
				"Group Policy Results Tool",
				"Hannotog",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PsExec",
				"Rikamanu",
				"Sagerunex",
				"Spedear",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie",
				"gpresult"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e09a03a6-ce6c-4f6b-b8c6-38c3edecd743",
			"created_at": "2026-01-20T02:00:03.665377Z",
			"updated_at": "2026-04-10T02:00:03.915084Z",
			"deleted_at": null,
			"main_name": "UNC6384",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC6384",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434644,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/760e14c40a2f98f490e90f5dc8564faed8876f60.pdf",
		"text": "https://archive.orkl.eu/760e14c40a2f98f490e90f5dc8564faed8876f60.txt",
		"img": "https://archive.orkl.eu/760e14c40a2f98f490e90f5dc8564faed8876f60.jpg"
	}
}