{
	"id": "0f8c175c-8b4a-4a65-a02c-b5f9e6686e20",
	"created_at": "2026-04-06T00:22:30.429171Z",
	"updated_at": "2026-04-10T03:38:01.7715Z",
	"deleted_at": null,
	"sha1_hash": "780a4500d98e3d80cdcd39c6938772c17342af2d",
	"title": "My Tea’s not cold. An overview of China’s cyber threat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 541924,
	"plain_text": "My Tea’s not cold. An overview of China’s cyber threat\r\nBy Sekoia TDR\r\nPublished: 2023-09-07 · Archived: 2026-04-05 14:18:25 UTC\r\nThis blogpost is an overview of recent malicious cyber activities associated with China-nexus Intrusion Sets. It is\r\nbased on open-source documents and Sekoia.io TDR analysts’ research and does not intend to present an\r\nexhaustive list of campaigns aligned with China’s strategic interests. Information cut-off date is 13 July 2023.\r\nTable of contents\r\nChinese doctrine on my wall\r\nA room full of your posters\r\nPanda is such a sudden rush for me\r\nPS – we should anticipate together too\r\nChinese doctrine on my wall\r\nSince at least 2006, China has leveraged cyber capabilities to support its strategic objectives. Since then, cyber threats\r\naligning with China’s interests have been continuously reported on, with observed maturation of capabilities and Tactics,\r\nTechniques and Procedures (TTPs), as well as changes in the underlying organisation and doctrine. 
China’s strategic\r\ninterests notably reside in the following:\r\nPreserving the existence and legitimacy of the Communist Party of China (CPC).\r\nProtecting China’s national security interests, including its territorial integrity.\r\nAsserting China’s power globally, including in the cyber domain.\r\nThese strategic interests are operationalised through:\r\nEconomic coercion of neighbours and partners, notably through cyberespionage and Intellectual Property\r\n(IP) theft;\r\nLeverage of a wide array of organisations and instruments of national power, including intelligence and\r\ncyber capabilities as well as technological investment and censorship;\r\nInfluencing international standards and policy making related to cyber.\r\nCyber is also used as a force multiplier in the land, air, sea, and space domains and is almost certainly combined with\r\nSignals Intelligence (SIGINT) and Human Intelligence (HUMINT) capabilities.\r\nChina’s cyber offensive apparatus includes military and state security intelligence entities, alongside\r\ncontractors, front companies, and universities. China is actively reforming its national security apparatus,\r\nincluding its civilian and military intelligence agencies, which notably use cyber capabilities, both separately and\r\njointly, to carry out malicious cyber activities. The most prominent agencies include the Ministry of State Security and\r\nthe People’s Liberation Army Strategic Support Force, reorganised between 2017 and 2020. Sekoia.io’s\r\nhttps://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/\r\nPage 1 of 14\n\nrepresentation of the Chinese cyber offensive apparatus is as follows (note that we are showing only the most\r\nactive intrusion sets):\r\nSeveral sources report that both agencies use “proxies”, such as information and technology companies as well as\r\nuniversities, to conduct their cyber operations. 
Since the 1920s, the CPC has developed a strategic concept known as the\r\n“United Front”, a network of social, professional, political, and academic organisations, to support the CPC’s\r\ninterests, which is suspected of being involved in supporting Chinese intelligence activities, including cyber. This results in\r\na vast number of stakeholders disconnecting China from malicious cyber operations, providing the State with\r\nplausible deniability and further complicating the threat landscape.\r\nSince 2020, observed Chinese cyber espionage campaigns have exhibited an increased risk tolerance in TTPs as well\r\nas an increased tempo of activity, echoing the country’s wolf warrior diplomacy. Between 2022 and 2023, we\r\nobserved China-nexus intrusion sets continuously updating their TTPs and toolsets.\r\nDomestically, China’s approach to cyberspace is driven by a technological imperative of self-reliance and\r\nensuring long-term innovation-led growth, and a political drive to control the flow of information within\r\ncyberspace to safeguard regime legitimacy and social stability. The latter is notably reflected through China’s\r\nengagement in global cyber initiatives and its promotion of cyber sovereignty.\r\nChina-nexus intrusion sets notably conduct upstream collection campaigns through Managed Service Providers\r\n(MSPs) and supply chain compromises to collect large amounts of data such as Personally Identifiable Information\r\n(PII). 
Primary targets of China-aligned cyber offensive activities include entities related to governments,\r\ntelecommunications, manufacturing (including semiconductors and chip makers), and more recently\r\nfinancial institutions worldwide.\r\nA room full of your posters\r\nBetween 2022 and 2023, China-aligned malicious cyber campaigns were increasingly reported in open sources.\r\nWhile it is not clear whether this is due to an actual increased tempo of Beijing-tasked malicious cyber activity or\r\na particular effort from vendors and governmental agencies to disclose their findings considering the heightened\r\ntensions between China and the international community, it remains helpful to the broader cyber intelligence\r\ncommunity to gain better insight into Chinese offensive cyber campaigns. Between 2022 and 2023, Sekoia.io\r\nanalysts observed China-nexus intrusion sets continuing to focus on entities notably related to the South China\r\nSea and the Indo-Pacific regions and expanding their victimology to include more European targets.\r\nAdditionally, while not new, China was also reported increasingly targeting critical national infrastructure, as\r\nwell as the finance sector.\r\nYou dare me to spy?\r\nChina continuously demonstrates efforts to increase its role as a major global power, notably through\r\ngovernment programs (five-year plans, aka FYP) and plans such as the Belt and Road Initiative (BRI [10], aka New\r\nSilk Road) and Made in China 2025 (MIC2025).\r\nIn November 2022, Mandiant published their report on UNC4191’s cyberespionage campaign targeting Southeast\r\nAsia, with a strong focus on the Philippines, as well as Europe, the U.S., Asia Pacific and Japan. 
In December\r\n2022, Recorded Future reported on a Mustang Panda (aka Temp.Hex) campaign called SmugX against Vietnam,\r\ncontinuing until mid-2023, notably targeting the foreign affairs ministries and embassies of the UK, Ukraine, the Czech Republic, and Hungary\r\nby leveraging documents purportedly originating from France and Sweden. In our\r\nFLINT 2022-060, Mustang Panda’s Ode to joy, we documented this intrusion set’s cyberespionage campaign also\r\ntargeting the Czech Ministry of Industry and Trade, the Serbian Ministry of Interior and Hungary. China-aligned\r\ncyberespionage campaigns also include Dark Pink (aka Saaiwc Group), an emerging intrusion set particularly\r\nactive since mid-2022, conducting spearphishing campaigns against government, military, and non-profit\r\norganisations in Brunei, Cambodia, Indonesia, Malaysia, Thailand, the Philippines, Vietnam, Bosnia and\r\nHerzegovina, as well as an education organisation in Belgium, and a European state development agency based in\r\nVietnam. Of note, the targeting of Vietnam is particularly interesting, as this country maintains a non-committal\r\nstance towards the BRI. We assess competing infrastructure projects, including European ones, are likely of high\r\ninterest to China. Furthermore, it is likely that countries considering withdrawing from the BRI project, as Italy\r\nrecently did, will also be targets of Chinese cyberespionage campaigns.\r\nAdditionally, we observed increased targeting of finance-related entities by China-nexus intrusion sets since\r\nDecember 2020. 
Recent examples of this trend notably include Tropic Trooper (aka Keyboy) targeting Taiwanese\r\nfinancial institutions, Witchetty targeting [6] an African stock exchange between February and September 2022,\r\nWorok targeting [8] a bank in Central Asia, APT41 targeting a German financial company in March 2022,\r\nKe3chang targeting a government finance department in the Americas between March 2022 and early 2023, and\r\nGallium targeting an organisation that finances long-term urban infrastructure development projects in Nepal in\r\nApril 2023. These activities almost certainly aim at collecting strategic intelligence, possibly linked to the\r\nfinancing of BRI-related projects and/or competing infrastructure projects.\r\nSekoia.io analysts assess these activities highly likely pertain to China’s economic interests, notably targeting BRI\r\nstakeholders and competitors, likely to ensure economic goals are achieved. We further assess it is almost certain that\r\ncyberespionage campaigns targeting organisations involved in the BRI project, as well as entities involved in\r\nfinancing BRI projects and competing projects, will continue in the short term.\r\nI’m almost at the bridge now\r\nSince 2022, official statements cautioning against China’s targeting of Critical National Infrastructure are on the rise\r\nand ever more alarming. In parallel, there were allegations [11] that China would leverage equipment located in\r\nproximity to critical infrastructure for intelligence purposes.\r\nBetween 2022 and 2023, China-nexus intrusion sets continuously targeted the telecom vertical, historically a target\r\nof interest to Beijing, notably to conduct upstream collection. 
Gallium (aka Alloy Taurus, an intrusion set sharing\r\nsimilarities with APT10 and APT41) notably targeted telecommunication entities in the Middle East during the\r\nSoftCell campaign, and DaggerFly conducted a cyber espionage campaign [3] against an African\r\ntelecommunications organisation between November 2022 and April 2023. In June 2022, Kaspersky ICS CERT\r\nresearchers reported on a campaign targeting manufacturing and telecom organisations in Pakistan and\r\nAfghanistan and a port in Malaysia. In June 2023, a threat actor was reported compromising CCTV cameras of the\r\nDirectorate General of Highways in Taiwan. Of particular interest was Volt Typhoon’s campaign documented in\r\nMay 2023. Since mid-2021, Volt Typhoon (aka Vanguard Panda) has targeted critical infrastructure sectors including\r\nmanufacturing, utility, maritime and government entities in the United States, notably in Guam. Of note, Guam not\r\nonly hosts U.S. military bases (whose expansion was announced [12] earlier this year), it is also a submarine cables\r\nhub [13] connecting the U.S. to the Asia-Pacific region. Sekoia.io analysts assess these activities almost certainly\r\npertain to strategic intelligence collection, and China could plausibly leverage these accesses to conduct\r\ndisruptive activities in the event of a rise in tension in the medium to long term.\r\nOverall, Sekoia.io TDR analysts assess recent China-aligned cyber activities echo the ongoing political and\r\neconomic confrontation between NATO countries and Beijing, notably including the U.S. 
Indo-Pacific\r\nStrategy and the AUKUS pact, and the European Global Gateway initiative, often seen as the European\r\ncountermeasure to the BRI, in a context of “arms race” and sanctions, all of them almost certainly perceived as\r\nthreats to Beijing’s strategic interests, domestically, regionally, and globally.\r\nI talk about you 24/7\r\nChina continuously demonstrates efforts to increase its international influence and role as a regional leader,\r\nnot only economically but politically as well. Sekoia.io analysts identified multiple cyber campaigns aligning with\r\nthis objective.\r\nFor instance, in August 2022, Malwarebytes reported on APT41’s campaign targeting governmental entities in Sri\r\nLanka. Sekoia.io analysts link this activity to the nomination of the Sri Lankan Prime Minister Dinesh\r\nGunawardena in July 2022, whose family had strong ties with India, when, on the other hand, China was accused\r\nof engaging in “debt trap diplomacy”. We further assess the docking of Yuan Wang 5, also called a “spy ship”, was\r\nalmost certainly designed as a “power move” towards both Sri Lanka and India. In November 2022, as reported\r\nby Elastic Security Labs, China-nexus REF2924 targeted the foreign ministry of a Southeast Asian nation, aiming\r\nat collecting intelligence pertaining to the victim’s relationship with the Association of Southeast Asian Nations\r\n(ASEAN). Mustang Panda (aka Temp.Hex) was reported targeting Australia, as well as NGOs, military and\r\npolice entities in Myanmar, and the Myanmar embassy in Serbia. Of note, China is a vocal supporter of\r\nMyanmar’s sovereignty, the country being led by a junta regime since the 2021 coup. 
In addition, Myanmar\r\nprovides China with access to the Bay of Bengal, a strategic position in the Indian Ocean Region.\r\nMustang Panda was also observed leveraging the Russo-Ukrainian conflict to target European and Asia Pacific\r\ncountries with the PlugX malware to collect intelligence. While targeting of Russia was already observed in the\r\npast, Sekoia.io analysts noticed an increase in reported China-nexus intrusion sets targeting Moscow in the\r\ncontext of the conflict. We assess that while China and Russia ties keep deepening, it is highly likely Beijing\r\nis interested in anticipating how the conflict would impact Chinese interests in the region and globally, as\r\nillustrated by the targeting of G20 nations in the SharpPanda campaign.\r\nAnother noticeable impact of the Russo-Ukrainian conflict on China was the multiple public declarations, notably\r\noriginating from U.S. officials, warning against a similar development between Taiwan and China, as part of\r\nBeijing’s “one China principle”, renewed in August 2022. Sekoia.io observed stable targeting of Taiwan\r\noriginating from China, including by DragonSpark, Lucky Mouse, Tropic Trooper, and Mustang Panda, with an\r\nuptick directly related to political events, such as the visit of the speaker of the U.S. House of Representatives to\r\nTaiwan in August 2022.\r\nWhile this certainly pertains to China’s continuous intelligence collection, notably as part of its territorial integrity,\r\nit is also likely that Taiwan’s renewed position as a key player in the region, both as a strategic supplier [1] and a\r\nU.S. and European political ally, is and will continue to be a strong driver for Chinese-aligned cyber espionage\r\ncampaigns. 
Sekoia.io analysts further assess Taiwanese and foreign entities involved in the semiconductor supply\r\nchain, the chip manufacturing vertical and the logistics industry, including maritime companies, will almost\r\ncertainly remain targets of high interest to Beijing.\r\nAs interesting as Russia’s targeting, Pakistan, considered a Chinese regional partner (both countries being\r\nnotably involved in territorial disputes and regional influence competition with India), was also increasingly\r\ntargeted by China-nexus intrusion sets. Recent campaigns notably include the targeting of manufacturing and\r\ntelecom organisations, a campaign against the Pakistan International Maritime Expo \u0026 Conference (PIMEC-2023)\r\nparticipants, and the leveraging of the E-Office application developed by the Pakistan National Information\r\nTechnology Board (NITB) in July 2023. This latest campaign is particularly intriguing, as the NITB partnered\r\nwith the Chinese company H3C to build a digital government base. Sekoia.io analysts assess these activities\r\nalmost certainly enable China to ensure its military and defence (including naval cooperation) and\r\neconomic relationship with Pakistan is secured, Islamabad also being a U.S. partner.\r\nA similar dynamic can be observed with Japan, both countries expressing their willingness to deepen their ties,\r\nwhile Japanese organisations are continuously targeted in cyberespionage campaigns. TA410 (aka Witchetty, loosely\r\nlinked to APT10) notably targeted Japanese organisations with FlowCloud, and MirrorFace (tracked as APT10 by\r\nTDR analysts) continued targeting media, diplomatic, government and public sector organisations, think-tanks and\r\npolitical entities in Japan. 
Of note, Japan is part of the Quadrilateral Security Dialogue (QSD), and is considered a\r\nthreat to China when it comes to Taiwan, especially in light of a possible recognition of Japan’s right of\r\nbelligerency in its Constitution.\r\nHit me back just to chat\r\nIn addition to alleged spying [14], Very High Frequency (VHF) interference and multiple military drills, and in\r\nrelation to military cyber operations, PLA publications indicate that improving computer network exploitation and\r\nattack capabilities in order to degrade adversaries’ networks and information environments is seen as critical\r\nto winning future wars.\r\nAs previously mentioned, the Russo-Ukrainian conflict was a driver for China-aligned cyberespionage, as\r\nillustrated by Tonto Team’s campaign against Russian agencies in July 2022. In March 2023, ESET colleagues\r\nreported on a Tick (aka Bronze Butler) operation compromising the update server of an East Asian Data Loss\r\nPrevention (DLP) company notably catering to government and military entities. These findings were corroborated\r\nby AhnLab, which associated the targeting of Korean government organisations (called operation Triple Tiang) with\r\nthe same intrusion set, based on their use of the Shadowy downloader. While we have very little information on\r\nthese activities, and solely because we associate Tick and Tonto Team with the PLA-SSF, we assess it is likely these\r\ncampaigns pertain to military intelligence collection. 
Of note, while South Korea is a consistent target of interest\r\nto China (notably due to Seoul’s use of U.S.-deployed Terminal High Altitude Area Defense (THAAD) anti-missile systems since 2017), it is also plausible the renegotiation of defence cost-sharing was an additional driver\r\nfor operation Triple Tiang.\r\nA tattoo with your IP across the chest\r\nChinese cyber espionage operations present a continuous threat to intellectual property. Observed\r\ncampaigns carried out by suspected China-nexus threat actors in the past notably targeted Western technologies\r\nin sectors such as high-tech, oil and gas, agriculture, manufacturing, biotechnology, pharmaceuticals, energy, aviation,\r\naerospace, defence industrial bases, dual-use military application technologies, and telecommunications\r\nworldwide. Sekoia.io analysts assess industrial espionage almost certainly enables Chinese indigenous production\r\nand supports Chinese industrial policies, such as the 14th Five-Year Plan (2021-2025). It is also assessed that\r\nstrategic information collected through cyber espionage is likely passed on to Chinese champions for commercial\r\ncompetition on international markets as well as for gaining strategic know-how.\r\nChina-nexus intrusion sets continued carrying out malicious cyber campaigns against industries notably\r\noperating in the manufacturing, healthcare, and logistics verticals. This notably includes Tropic Trooper\r\ntargeting [2] a manufacturing company and the semiconductor industry in Taiwan, APT41 targeting [9] an Asian\r\nconglomerate operating in the materials and composites sector, Dalbit targeting at least 50 South Korean\r\ncompanies since 2022, including in the semiconductor manufacturing vertical and the technology and chemical\r\nindustries, and Hydrochasma carrying out a campaign [5] against shipping companies and medical laboratories\r\nthat may be involved in Covid-19 research in Asia since October 2022. 
Sekoia.io analysts assess these activities\r\nalmost certainly pertain to intellectual property theft.\r\nBetween April and mid-June 2022, APT40 (aka Red Ladon) was observed targeting Australian government\r\nagencies and industry manufacturers conducting maintenance of fleets of wind turbines in the South China Sea\r\nregion during the ScanBox campaign. Sekoia.io analysts identified one of the companies to be the German\r\ncompany Skyborn Renewables GmbH. The South China Sea is a site for oil and gas exploitation, and a critical\r\nlogistics route for oil and natural gas imports, transporting energy resources through strategic choke points, such\r\nas the Strait of Malacca. Of note, the PRC has also prioritised green energy opportunities through the Green\r\nSilk Road project since 2021, as part of its own goal of reaching carbon neutrality by 2060 and to display a good\r\nrecord in the frame of the UN’s 2030 Agenda for Sustainable Development Goals. We assess that China’s\r\ndecarbonisation strategy is almost certainly already a driver for cyber-enabled espionage campaigns\r\noriginating from China, notably in parallel to HUMINT. China has continuously demonstrated its interest in the\r\nenergy vertical, including nuclear energy, an interest recently renewed in the Global Security Initiative. Energy\r\ntargeting by China-nexus intrusion sets will almost certainly continue at a global scale in the short to medium term.\r\nSekoia.io analysts further assess that China’s increasing designations on its Unreliable Entities List (UEL), the\r\nbanning of Chinese companies and initiatives such as the CHIPS and Science Act, as well as China’s efforts to\r\nachieve self-reliance, including in the technology industry, will ultimately highly likely contribute to an increase in\r\nChinese cyber-enabled IP theft. 
Of note, since 2020, Chinese courts have granted “anti-suit injunctions” (ASIs [15]),\r\npreventing foreign companies from taking legal action to protect their Intellectual Property.\r\nThis is my spyware I’m sending you\r\nDomestically, China-nexus Intrusion Sets carry out multiple surveillance campaigns against what is called “the\r\nFive Poisons”, including the Taiwan independence movement, the Tibetan independence movement, the Uyghur ethnic\r\ngroup, the Chinese democratic movement and the Falun Gong. Abroad, surveillance operations target the Chinese\r\ndiaspora, including Chinese citizens, dissident groups, and members of China’s ethnic minority communities.\r\nTo that purpose, China-nexus intrusion sets notably leverage mobile applications. In November 2022, APT15\r\nwas reported targeting the Uyghur community in mainland China and abroad, including in Turkey and\r\nAfghanistan, leveraging the BadBazaar malware masquerading as Android mobile applications and the\r\nMOONSHINE app-based Android surveillance tooling. As documented in April 2023, DaggerFly targeted\r\nmembers of an NGO operating in the Gansu and Guangdong provinces with the MgBot backdoor installed via the\r\nupdate of legitimate applications between 2020 and 2022. Of note, the Greater Bay Area comprises the two\r\nSpecial Administrative Regions of Hong Kong and Macao and nine municipalities in the Guangdong Province,\r\nMacao and Hong Kong being consistent targets of this intrusion set. One additional victim was also located in\r\nNigeria.\r\nIn December 2022, Amnesty International Canada disclosed that their IT network had been breached by a China-originating\r\ncyberespionage campaign in October 2022. In 2022, LuckyCat (aka TA413) continuously targeted Tibetan people,\r\norganisations involved with the Tibetan community and the exiled Tibetan government. Sekoia.io analysts also\r\nobserved Mustang Panda leveraging immigration-related topics, notably the Austrian Red-White-Red program. 
It\r\nis possible this targeting pertains to surveillance operations. In December 2022, Avast reported on their findings\r\non a Mustang Panda-owned FTP server, where they notably retrieved scans of passports of citizens and\r\ndiplomats from countries such as France, China, Australia, the Czech Republic, Israel, the Netherlands, the UK, and the\r\nU.S.\r\nOf note, China’s surveillance over the Internet also occurs through its infrastructure, notably through the\r\nGolden Shield Project (aka the Great China Firewall), in line with its view on cyber sovereignty and attempts to\r\nshape international standards in cyberspace, as illustrated by Xi Jinping’s declarations in 2022. Cyber-enabled\r\nsurveillance is also conducted in parallel with coercive actions including intimidation and repression. Policy-wise,\r\nthe Cyberspace Administration of China updated its “Real-name registration regulation” (Article 24 of the\r\nCybersecurity Law) in 2021, and specific regulations apply to ethnic minorities. Sekoia.io analysts assess\r\nsurveillance targeting ethnic and religious minorities in mainland China and abroad will almost certainly\r\ncontinue in the short term. We further assess that as non-military foreign intelligence falls under the MSS\r\nmandate, Mustang Panda or any other MSS-linked intrusion set will almost certainly carry on conducting\r\nsurveillance of high value targets, including diplomats.\r\nSometimes I scribble addresses too sloppy\r\nChinese information operations pose a high-volume threat globally. Initially focusing on regional targets and\r\nmatters, they expanded noticeably to Western countries in 2020. It is almost certain that Covid-19 and China’s role\r\nin the global pandemic led China to intensify its efforts to increase its information operations capabilities to\r\nreach a broader audience. 
Observed campaigns used a wide range of social media platforms and websites and\r\nwere two-fold: containing or censoring negative comments towards China and the CPC, and conveying\r\nnegative narratives against European countries, the U.S. or any country considered hostile. Targeted audiences\r\ninclude the Chinese diaspora as well as international media, economic and political stakeholders.\r\nA common technique used in Chinese information operations is cyber harassment with fake accounts, as\r\nobserved in the targeting of a Chinese human rights activist and a political dissident in April 2023. Other\r\ntechniques include using personas to dox individuals, as observed with the HKLEAKS websites used between\r\nAugust 2019 and mid-2021 to dox protesters and journalists by leaking their personally identifiable information\r\n(PII), amidst Hong Kong’s anti-extradition protests. Sekoia.io analysts assess it is almost certain data collected\r\nduring surveillance campaigns, as well as SIGINT and HUMINT activities, contributed to this operation. As stated\r\nby Citizen Lab, it is almost certain this type of activity not only aims at influencing an online audience, but also\r\naims at silencing its targets.\r\nIn July 2022, Google reported on China-originating Coordinated Inauthentic Behaviour (CIB) notably resorting to\r\nYouTube to spread Chinese and English content pertaining to China and U.S. affairs, as well as English content\r\nabout the origins of Covid-19. Of note, while we still observe quite a limited impact of China-nexus info ops\r\nworldwide, notably in NATO countries, it seems efforts are being made to further refine their techniques, as\r\nrecently observed in Taiwan. In October 2022, Mandiant documented the continuation of the DragonBridge\r\ncampaign, an information operation ongoing since 2019 and in line with China’s strategic interests. Throughout\r\n2022, fake online accounts notably promoted the narrative that the U.S. 
was responsible for bombing the Nord\r\nStream gas pipelines for its own economic benefit and attempted to discourage Americans from voting in the U.S.\r\n2022 midterm elections. Fake accounts impersonating the Intrusion Truth collective also claimed APT41 was a\r\nU.S.-nexus intrusion set. This last observation is complementary to China’s recent, more aggressive stance in\r\nnaming and shaming the U.S. for malicious cyber activities and publicly reacting to suspicions of Beijing-assigned\r\ncyber operations. To Sekoia.io analysts, this can also be considered as part of information operations to shape the\r\nopinion of online audiences.\r\nVery few reports indicate disruptive activities led by China-nexus intrusion sets, and Sekoia.io analysts did\r\nnot find any information related to destructive campaigns. Of interest are the low intensity / low sophistication\r\ndisruptive campaigns targeting Taiwan in August 2022, including Distributed Denial of Service against\r\ngovernment websites and public screen defacements. Sekoia.io analysts assess these activities were almost\r\ncertainly part of a demonstration rather than intended to actually disrupt activities in Taiwan, hence\r\nplausibly falling in the info ops category.\r\nPanda is such a sudden rush for me\r\nWe don’t know you, no one does.\r\nReflecting the stakeholders involved in the Chinese cyber offensive apparatus, the China-nexus intrusion set landscape\r\nis heterogeneous and opaquely state-linked, characterised by dynamic and evolving relationships between\r\nthreat actors and state bodies across a spectrum of direct government sponsorship and independent moonlighting\r\nactivities. Additionally, it is suspected that these intrusion sets resort to quartermasters (i.e. shared\r\nmalware developers, possibly initial access brokers), which further blurs the lines. 
While this has a limited impact\r\non detection, it hinders Cyber Threat Intelligence (CTI) efforts. As of the time of writing, here is Sekoia.io TDR\r\nanalysts’ understanding of a few China-nexus intrusion sets and their links to the Beijing cyber apparatus.\r\nBased on our current visibility into recent China-nexus malicious cyber activities, we identified a strong\r\npredominance of MSS-linked intrusion set activities, including Mustang Panda (conflated with RedDelta and\r\nCamaro Dragon), APT10 (conflated with Witchetty and MirrorFace), and APT41. Another identifiable trend in the\r\nrecent reporting of China-aligned cyber activities is the increasing number of clusters tracked as standalone\r\ngroups. One hypothesis is that this is a possible reflection of changes in resource allocation (both human and\r\nfinancial), in mandates or in processes in China’s offensive cyber apparatus and/or across its contractor base.\r\nAnother explanation is a growing trend in the CTI industry where researchers opt for documentation of\r\nactivities rather than playing the attribution game, something China CTI analysts like to call the WinnTI effect.\r\nMustang Panda’s victimology and toolset\r\nThat’s my toolset lying in the trunk\r\nChina-nexus intrusion sets leverage malware originating from China’s hacking community, commodity\r\nmalware, customised or repurposed tools, signature malware, and zero-day software vulnerabilities. Open\r\nsources indicate that through steady investment in developing custom malware for privilege escalation, lateral\r\nmovement, and network reconnaissance, as well as improvements in command-and-control infrastructure,\r\nChinese-linked intrusion sets have departed from historically less advanced and “noisy” behaviour to become\r\nstealthier and more persistent. 
MSS-linked cyber espionage operators notably secured persistent access to victim\r\norganisations through compromises of third-party trusted supply chains including chat applications,\r\nleveraging living-off-the-land techniques, and exploitation of Internet-exposed edge devices.\r\nOf note, this FLINT was finalised on 18 July 2023 and dated for publication on 20 July 2023. We welcome that\r\nparts of its findings align with Mandiant’s report on Chinese Cyber Espionage tactics, issued on 18 July 2023.\r\nLeveraging zero-day vulnerabilities\r\nIn addition to heavily targeting Remote Code Execution (RCE) vulnerabilities, China-nexus intrusion sets were\r\nreported using zero-day vulnerabilities, as illustrated by Mandiant’s publications including the exploitation of\r\nzero-day vulnerabilities (CVE-2021-44207 and CVE-2021-44228) by APT41, the leveraging of a local zero-day\r\nvulnerability in FortiOS (CVE-2022-41328) to deploy custom malware families on Fortinet and VMware systems\r\nby UNC3886 in September 2022, and UNC4841 targeting the Barracuda ESG zero-day vulnerability (CVE-2023-2868)\r\nto gain access to ESG appliances and deploy additional malware. In September 2022, two Microsoft\r\nExchange zero-day vulnerabilities (aka ProxyNotShell) tracked as CVE-2022-41040 and CVE-2022-41082 were\r\nexploited by an unidentified China-nexus intrusion set. In January 2023, Mandiant also reported on China-nexus\r\nintrusion sets leveraging CVE-2022-42475 since at least October 2022.\r\nOf note, Sekoia.io TDR analysts concur with the broader CTI community’s assessment that acquisition of zero-day\r\nvulnerabilities is almost certainly supported by the Chinese Regulations on the Management of Network\r\nProduct Security Vulnerabilities promulgated in July 2021. Interestingly, this notably resulted in Chinese\r\nsecurity researchers trying to find opportunities on other markets, including in Russia. 
Sekoia.io analysts assess that this trend is likely to impact the broader cyber threat landscape, notably contributing to further proliferation in cyberspace.\r\nDevelopment of cross-platform capabilities\r\nBetween 2022 and 2023, Sekoia.io analysts observed China-nexus intrusion sets developing cross-platform capabilities. Such instances include LuckyMouse using an Rshell Mach-O implant to target macOS users in addition to Linux users, APT15 developing an iOS version of its signature BadBazaar malware, Gallium developing a Linux variant of their signature malware PingPull and ChamelGang now targeting Linux users with their variant of ChamelDoH. This likely reflects China-nexus intrusion sets’ intent and capability to further expand their victimology.\r\nDeveloping variants and new attack capabilities\r\nChina-nexus intrusion sets continued dedicating efforts to developing their malicious cyber capabilities, including malware and frameworks. Notable developments include the Manjusaka framework, presented as a potential Cobalt Strike successor. It is developed in Rust and targets Windows and Linux platforms, with a C2 written in Golang, and is reported to have been used by China-nexus intrusion sets since at least June 2022. Other developments of interest are Gallium’s new Linux backdoor Sword2033, Winnti’s Mélofée malware, and Ke3chang’s Graphican backdoor [4], an evolution of its signature Ketrican malware. Of note, while Symantec associates this toolset with APT15, Sekoia.io analysts’ delineation of APT15 and APT25 leads us to associate both backdoors with Ke3chang, in line with ESET.\r\nIn line with its tempo of activity, Mustang Panda was one of the most prolific intrusion sets in terms of malware development between 2022 and 2023. 
Mustang Panda’s recent developments notably include the MQsTTang backdoor (aka QMAGENT), TONESHELL, Horse Shell and NUPAKAGE.\r\nUpdating TTPs\r\nChinese intrusion sets, including APT41 [7], DaggerFly, Mustang Panda, Tonto Team, Lucky Mouse and Dark Pink, were reported increasingly using a technique known as DLL side-loading (T1574.002) to load their malware on targeted machines. As this technique usually leverages legitimate applications or executables, it decreases the risk of detection and hence increases the rate of success of a campaign.\r\nOf particular interest is Mustang Panda’s recent TTPs shift. According to Trend Micro’s findings, since October 2022 Mustang Panda used Google accounts to send email messages with lures to trick their targets into downloading password-protected archives containing malware from Google Drive links. Mustang Panda was also seen resorting to ISO files containing a simplified shortcut (LNK) file to deliver an encrypted PlugX payload. The intrusion set was also observed using HTML Smuggling (T1027.006), a well-known technique also used by NOBELIUM. These techniques notably allow intrusion sets to evade detection and hinder static analysis. It is possible these instances are attempts by intrusion sets to experiment with new TTPs and maintain their tempo of activity.\r\nTargeting network devices\r\nChina-aligned intrusion sets continued targeting network devices, including routers, Internet-exposed and vulnerable servers and edge devices, by leveraging vulnerabilities (see “Leveraging zero-day vulnerabilities” above) and developing custom malware. This includes Gallium’s BlackMould, a native webshell for servers running Microsoft IIS and based on China Chopper. In January 2023, Mandiant documented a new backdoor called BOLDMOVE, first observed in December 2022, specifically designed to run on FortiGate firewalls and associated with the exploitation of the FortiOS vulnerability CVE-2022-49475. 
Additional examples include Horse Shell, a malicious C++ firmware implant tailored for TP-Link routers, which uses the “Bring Your Own Firmware” technique to compromise read-only file systems.\r\nHorse Shell shares similarities (but no code overlap) with APT31’s Pakdoor. In certain cases, including Pakdoor’s, compromised assets are leveraged as an anonymization layer, allowing the intrusion set to use them as proxy hops or C2s. Dalbit, Volt Typhoon and GobRAT were also recently observed leveraging this technique.\r\nSekoia.io analysts assess that targeting network devices not only enables malicious operators to achieve their objectives without user interaction and provides lateral movement opportunities (notably towards hypervisors), but also provides them with stealth (such devices are rarely supervised) and, consequently, persistence.\r\nUSB as an intrusion vector\r\nA more recent trend in China-nexus intrusion sets’ malicious cyber campaigns is the revival of USB devices both as an intrusion vector and as a propagation means. This is notably illustrated by Mustang Panda’s leveraging of HIUPAN, a USB worm, and the ACNSHELL reverse shell, which replicate themselves over USB devices, as well as their use of USB devices as an infection vector to deliver the PlugX backdoor. Dark Pink was also observed conducting lateral movement over USB devices and was reported infecting USB devices attached to compromised computers. 
Additional Chinese intrusion sets leveraging USB devices include UNC4698, UNC4191, and TA410. Sekoia.io analysts assess these activities are likely to result in collateral damage, and are an illustration of China’s even more aggressive stance in cyberspace.\r\nPS – we should anticipate together too\r\nConsidering recent China-nexus cyber-enabled activities, Sekoia.io analysts would like to highlight how geopolitics shape cyber offensive doctrine and cyber malicious activities. China’s current position on the international scene is particularly challenged, notably on the economic and political fronts. Beijing certainly perceives these challenges as significant threats to its strategic interests, the primary one being the existence and legitimacy of the CCP.\r\nAs highlighted in this document, China-nexus cyber malicious campaigns mostly pertain to the full spectrum of cyberespionage activity. We assess China-aligned cyberespionage operations will almost certainly continue in the short term, notably conducted by MSS-associated intrusion sets.\r\nWe expect China-nexus intrusion sets will carry on dedicating efforts to developing their toolset and updating their TTPs to continue conducting cyber malicious activities, with a strong focus on stealthiness and persistence.\r\nBased on past observed activities, Sekoia.io analysts assess that while China-nexus intrusion sets demonstrated their intent and capability to conduct cyber malicious activities worldwide, Asia, Europe and the U.S. will remain primary targets. We further assess China-nexus intrusion sets will almost certainly continue targeting government, including embassies and foreign ministries, telecommunication companies, manufacturing including the semiconductor industry and high technology, aerospace and defence entities, organisations involved in the military and the defence industrial base (DIB), as well as the logistics ecosystem.\r\nThe ongoing Sino-U.S. 
confrontation will continue to be a strong driver for China-nexus cyber campaigns in the short term, especially in the Southeast Asia region, highly likely impacting NATO countries and partners, as well as NATO-aligned nations. Domestically, China will almost certainly continue conducting operations against civil rights defenders, journalists, dissidents, NGOs, as well as ethnic and religious minorities.\r\nSekoia.io analysts assess that, complementary to its aggressive stance in cyberspace, China will almost certainly continue leveraging economic, financial, and legal instruments to assert its position and be recognized as a leader internationally.\r\nTo anticipate the threat posed by Chinese cyber malicious activities, Sekoia.io TDR analysts will continue tracking their operations and reporting through our Intelligence Centre, and welcome any feedback that could provide further visibility into this threat.\r\nExternal references\r\n[1] https://ig.ft.com/taiwan-economy/. Accessed September 7, 2023\r\n[2] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks. Accessed September 7, 2023\r\n[3] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt-attacks-telecoms-africa-mgbot. Accessed September 7, 2023\r\n[4] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/flea-backdoor-microsoft-graph-apt15. Accessed September 7, 2023\r\n[5] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/hydrochasma-asia-medical-shipping-intelligence-gathering. 
Accessed September 7, 2023\r\n[6] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage. Accessed September 7, 2023\r\n[7] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments. Accessed September 7, 2023\r\n[8] https://www.welivesecurity.com/2022/09/06/worok-big-picture/. Accessed September 7, 2023\r\n[9] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackfly-espionage-materials. Accessed September 7, 2023\r\n[10] https://www.oecd.org/finance/Chinas-Belt-and-Road-Initiative-in-the-global-trade-investment-and-finance-landscape.pdf. Accessed September 7, 2023\r\n[11] https://www.wsj.com/articles/pentagon-sees-giant-cargo-cranes-as-possible-chinese-spying-tools-887c4ade. Accessed September 7, 2023\r\n[12] https://www.wsj.com/articles/new-u-s-base-on-guam-is-aimed-at-deterring-china-11674731857. Accessed September 7, 2023\r\n[13] https://www.guampdn.com/news/local/guam-has-growing-role-in-telecommunications/article_d0709628-80eb-57e5-87ce-80fdb37b2099.html. Accessed September 7, 2023\r\n[14] https://www.wsj.com/articles/chinese-balloon-used-american-tech-to-spy-on-americans-2e3f5039. Accessed September 7, 2023\r\n[15] https://www.wsj.com/articles/china-wields-new-legal-weapon-to-fight-claims-of-intellectual-property-theft-11632654001. Accessed September 7, 2023\r\nThank you for reading this blogpost. We welcome any reaction, feedback or criticism about this analysis. 
Please contact us on tdr[at]sekoia.io\r\nTDR is the Sekoia Threat Detection \u0026 Research team. Created in 2020, TDR provides exclusive Threat Intelligence, including fresh and contextualised IOCs and threat reports for the Sekoia SOC Platform. TDR is also responsible for producing detection materials through a built-in Sigma, Sigma Correlation and Anomaly rules catalogue. TDR is a team of multidisciplinary and passionate cybersecurity experts, including security researchers, detection engineers, reverse engineers, and technical and strategic threat intelligence analysts. Threat Intelligence analysts and researchers are looking at state-sponsored \u0026 cybercrime threats from a strategic to a technical perspective to track, hunt and detect adversaries. Detection engineers focus on creating and maintaining high-quality detection rules to detect the TTPs most widely exploited by adversaries. TDR experts regularly share their analysis and discoveries with the community through our research blog, GitHub repository or X / Twitter account. You may also come across some of our analysts and experts at international conferences (such as BotConf, Virus Bulletin, CoRIIN and many others), where they present the results of their research work and investigations.\r\nSource: https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/"
	],
	"report_names": [
		"my-teas-not-cold-an-overview-of-china-cyber-threat"
	],
	"threat_actors": [
		{
			"id": "4434c71b-c424-4c06-b923-4f3f54f24f40",
			"created_at": "2022-10-25T16:07:23.453526Z",
			"updated_at": "2026-04-10T02:00:04.611408Z",
			"deleted_at": null,
			"main_name": "ChamelGang",
			"aliases": [
				"CamoFei"
			],
			"source_name": "ETDA:ChamelGang",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BeaconLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DoorMe",
				"FRP",
				"Fast Reverse Proxy",
				"ProxyT",
				"Tiny SHell",
				"cobeacon",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8a3bd03a-f69b-455b-b88b-3842a3528bfd",
			"created_at": "2022-10-25T16:07:24.178007Z",
			"updated_at": "2026-04-10T02:00:04.89066Z",
			"deleted_at": null,
			"main_name": "SharpPanda",
			"aliases": [
				"Sharp Dragon",
				"SharpPanda"
			],
			"source_name": "ETDA:SharpPanda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"RoyalRoad",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fd4c3ddd-11cc-4192-9c94-ff107d7f8492",
			"created_at": "2023-02-18T02:04:24.06294Z",
			"updated_at": "2026-04-10T02:00:04.644528Z",
			"deleted_at": null,
			"main_name": "Dark Pink",
			"aliases": [
				"Saaiwc Group"
			],
			"source_name": "ETDA:Dark Pink",
			"tools": [
				"Ctealer",
				"Cucky",
				"KamiKakaBot",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"PowerSploit",
				"TelePowerBot",
				"ZMsg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a7e5d6c0-5f7e-4d1c-87fa-bbf65b4e65b9",
			"created_at": "2022-10-25T16:07:24.42571Z",
			"updated_at": "2026-04-10T02:00:04.984213Z",
			"deleted_at": null,
			"main_name": "Worok",
			"aliases": [],
			"source_name": "ETDA:Worok",
			"tools": [
				"CLRLoad",
				"Mimikatz",
				"NBTscan",
				"PNGLoad",
				"PowHeartBeat",
				"SAMRID",
				"nbtscan",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3",
			"created_at": "2022-10-25T16:07:23.80111Z",
			"updated_at": "2026-04-10T02:00:04.753677Z",
			"deleted_at": null,
			"main_name": "LookBack",
			"aliases": [
				"FlowingFrog",
				"LookBack",
				"LookingFrog",
				"TA410",
				"Witchetty"
			],
			"source_name": "ETDA:LookBack",
			"tools": [
				"FlowCloud",
				"GUP Proxy Tool",
				"SodomMain",
				"SodomMain RAT",
				"SodomNormal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e47e5bc6-9823-48b4-b4c8-44d213853a3d",
			"created_at": "2023-11-17T02:00:07.588367Z",
			"updated_at": "2026-04-10T02:00:03.453612Z",
			"deleted_at": null,
			"main_name": "MirrorFace",
			"aliases": [
				"Earth Kasha"
			],
			"source_name": "MISPGALAXY:MirrorFace",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ffcbb0c-7a0f-419f-a174-f18a02ce47f1",
			"created_at": "2023-01-06T13:46:39.059774Z",
			"updated_at": "2026-04-10T02:00:03.199867Z",
			"deleted_at": null,
			"main_name": "TA410",
			"aliases": [],
			"source_name": "MISPGALAXY:TA410",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6360ea44-b90d-435c-b3cd-9724751b8294",
			"created_at": "2023-01-06T13:46:39.304451Z",
			"updated_at": "2026-04-10T02:00:03.281303Z",
			"deleted_at": null,
			"main_name": "Antlion",
			"aliases": [],
			"source_name": "MISPGALAXY:Antlion",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2c3c22a-b3db-4d4a-9a5a-76bfe6171843",
			"created_at": "2023-11-21T02:00:07.315543Z",
			"updated_at": "2026-04-10T02:00:03.461446Z",
			"deleted_at": null,
			"main_name": "UNC4841",
			"aliases": [
				"SLIME57"
			],
			"source_name": "MISPGALAXY:UNC4841",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d61cd7ed-6d16-491f-90a1-6323aae8f67f",
			"created_at": "2022-12-27T17:02:23.610663Z",
			"updated_at": "2026-04-10T02:00:04.9586Z",
			"deleted_at": null,
			"main_name": "UNC4191",
			"aliases": [],
			"source_name": "ETDA:UNC4191",
			"tools": [
				"BLUEHAZE",
				"DARKDEW",
				"HIUPAN",
				"MISTCLOAK",
				"NCAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ff375ef-7859-4d44-9399-06c9d1d9359c",
			"created_at": "2023-07-11T02:00:10.063244Z",
			"updated_at": "2026-04-10T02:00:03.367017Z",
			"deleted_at": null,
			"main_name": "SmugX",
			"aliases": [],
			"source_name": "MISPGALAXY:SmugX",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa90ad17-8852-4732-9dba-72ffb64db493",
			"created_at": "2023-07-11T02:00:10.067957Z",
			"updated_at": "2026-04-10T02:00:03.367801Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [],
			"source_name": "MISPGALAXY:RedDelta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e294737b-6aa7-480e-841d-cbed102c356c",
			"created_at": "2023-07-20T02:00:08.787855Z",
			"updated_at": "2026-04-10T02:00:03.368575Z",
			"deleted_at": null,
			"main_name": "Worok",
			"aliases": [],
			"source_name": "MISPGALAXY:Worok",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a0673493-5872-49a0-8d0d-4391302cff01",
			"created_at": "2023-03-04T02:01:54.10107Z",
			"updated_at": "2026-04-10T02:00:03.358084Z",
			"deleted_at": null,
			"main_name": "Chamelgang",
			"aliases": [
				"CamoFei"
			],
			"source_name": "MISPGALAXY:Chamelgang",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3e8f802c-efba-45ff-8844-5ea4e4a5297d",
			"created_at": "2023-11-07T02:00:07.092751Z",
			"updated_at": "2026-04-10T02:00:03.404589Z",
			"deleted_at": null,
			"main_name": "Witchetty",
			"aliases": [
				"LookingFrog"
			],
			"source_name": "MISPGALAXY:Witchetty",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbefc37d-475c-4d4d-b80b-7a55f896de82",
			"created_at": "2022-10-25T15:50:23.571783Z",
			"updated_at": "2026-04-10T02:00:05.302196Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"BRONZE BUTLER",
				"REDBALDKNIGHT"
			],
			"source_name": "MITRE:BRONZE BUTLER",
			"tools": [
				"Mimikatz",
				"build_downer",
				"cmd",
				"ABK",
				"at",
				"BBK",
				"schtasks",
				"down_new",
				"Daserf",
				"ShadowPad",
				"Windows Credential Editor",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bcf899bb-34bb-43e1-929d-02bc91974f2a",
			"created_at": "2023-02-18T02:04:24.050644Z",
			"updated_at": "2026-04-10T02:00:04.639142Z",
			"deleted_at": null,
			"main_name": "Dalbit",
			"aliases": [],
			"source_name": "ETDA:Dalbit",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"AntSword",
				"BadPotato",
				"BlueShell",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"EFSPotato",
				"FRP",
				"Fast Reverse Proxy",
				"Godzilla",
				"Godzilla Loader",
				"HTran",
				"HUC Packet Transmit Tool",
				"JuicyPotato",
				"LadonGo",
				"Metasploit",
				"Mimikatz",
				"NPS",
				"ProcDump",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"RottenPotato",
				"SinoChopper",
				"SweetPotato",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "dbee5a02-e2d6-49d2-9bb5-5a9e93fd1de9",
			"created_at": "2023-11-07T02:00:07.108976Z",
			"updated_at": "2026-04-10T02:00:03.411448Z",
			"deleted_at": null,
			"main_name": "REF2924",
			"aliases": [],
			"source_name": "MISPGALAXY:REF2924",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bf3ffe5-09ba-4378-8ea4-a6d748a494fd",
			"created_at": "2022-10-25T15:50:23.264584Z",
			"updated_at": "2026-04-10T02:00:05.334294Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"GALLIUM",
				"Granite Typhoon"
			],
			"source_name": "MITRE:GALLIUM",
			"tools": [
				"ipconfig",
				"cmd",
				"China Chopper",
				"PoisonIvy",
				"at",
				"PlugX",
				"PingPull",
				"BlackMould",
				"Mimikatz",
				"PsExec",
				"HTRAN",
				"NBTscan",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "af2a195b-fed2-4e2c-9443-13e9b08a02ae",
			"created_at": "2022-12-27T17:02:23.458269Z",
			"updated_at": "2026-04-10T02:00:04.813897Z",
			"deleted_at": null,
			"main_name": "Operation LiberalFace",
			"aliases": [
				"MirrorFace",
				"Operation AkaiRyū",
				"Operation LiberalFace"
			],
			"source_name": "ETDA:Operation LiberalFace",
			"tools": [
				"Anel",
				"AsyncRAT",
				"LODEINFO",
				"MirrorStealer",
				"UpperCut",
				"lena"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9df8987a-27fc-45c5-83b0-20dceb8288af",
			"created_at": "2025-10-29T02:00:51.836932Z",
			"updated_at": "2026-04-10T02:00:05.253487Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [
				"UNC3886"
			],
			"source_name": "MITRE:UNC3886",
			"tools": [
				"MOPSLED",
				"VIRTUALPIE",
				"CASTLETAP",
				"THINCRUST",
				"VIRTUALPITA",
				"RIFLESPINE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a08d93aa-41e4-4eca-a0fd-002d051a2c2d",
			"created_at": "2024-08-28T02:02:09.711951Z",
			"updated_at": "2026-04-10T02:00:04.957678Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [
				"Fire Ant"
			],
			"source_name": "ETDA:UNC3886",
			"tools": [
				"BOLDMOVE",
				"CASTLETAP",
				"LOOKOVER",
				"MOPSLED",
				"RIFLESPINE",
				"TABLEFLIP",
				"THINCRUST",
				"Tiny SHell",
				"VIRTUALGATE",
				"VIRTUALPIE",
				"VIRTUALPITA",
				"VIRTUALSHINE",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bef7800a-a08f-4e21-b65c-4279c851e572",
			"created_at": "2022-10-25T15:50:23.409336Z",
			"updated_at": "2026-04-10T02:00:05.319608Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"Tropic Trooper",
				"Pirate Panda",
				"KeyBoy"
			],
			"source_name": "MITRE:Tropic Trooper",
			"tools": [
				"USBferry",
				"ShadowPad",
				"PoisonIvy",
				"BITSAdmin",
				"YAHOYAH",
				"KeyBoy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1c91699d-77d3-4ad7-9857-9f9196ac1e37",
			"created_at": "2023-11-04T02:00:07.663664Z",
			"updated_at": "2026-04-10T02:00:03.385989Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC3886",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6ad5ab33-9a45-43d3-b0e4-70b7f9d836f8",
			"created_at": "2022-10-25T16:07:23.309518Z",
			"updated_at": "2026-04-10T02:00:04.535597Z",
			"deleted_at": null,
			"main_name": "Antlion",
			"aliases": [],
			"source_name": "ETDA:Antlion",
			"tools": [
				"CheckID",
				"EHAGBPSL",
				"EHAGBPSL Loader",
				"ENCODE MMC",
				"JpgRun",
				"JpgRun Loader",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NERAPACK",
				"NetSessionEnum",
				"ProcDump",
				"PsExec",
				"WinRAR",
				"xPack"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7cf4ec85-806f-4fd7-855a-6669ed381bf5",
			"created_at": "2023-11-08T02:00:07.176033Z",
			"updated_at": "2026-04-10T02:00:03.435082Z",
			"deleted_at": null,
			"main_name": "Dalbit",
			"aliases": [],
			"source_name": "MISPGALAXY:Dalbit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a90ae795-3c01-4419-8365-07b68df72661",
			"created_at": "2024-07-02T02:00:04.158227Z",
			"updated_at": "2026-04-10T02:00:03.668289Z",
			"deleted_at": null,
			"main_name": "Dragonbridge",
			"aliases": [
				"Spamouflage Dragon"
			],
			"source_name": "MISPGALAXY:Dragonbridge",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b0f6e3c5-5424-463a-ada3-532ca52e5940",
			"created_at": "2023-11-17T02:00:07.60381Z",
			"updated_at": "2026-04-10T02:00:03.45747Z",
			"deleted_at": null,
			"main_name": "UNC4191",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC4191",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "235831df-8daf-4a88-945e-db4e7ef06ac6",
			"created_at": "2023-11-17T02:00:07.606121Z",
			"updated_at": "2026-04-10T02:00:03.458263Z",
			"deleted_at": null,
			"main_name": "DragonSpark",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonSpark",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3b1367ff-99dc-41f0-986f-4a1dcb41bbbf",
			"created_at": "2022-10-25T16:07:24.273478Z",
			"updated_at": "2026-04-10T02:00:04.918037Z",
			"deleted_at": null,
			"main_name": "TA413",
			"aliases": [
				"White Dev 9"
			],
			"source_name": "ETDA:TA413",
			"tools": [
				"Exile RAT",
				"ExileRAT",
				"Sepulcher"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724",
			"created_at": "2022-10-25T16:07:24.344358Z",
			"updated_at": "2026-04-10T02:00:04.947834Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"APT 23",
				"Bronze Hobart",
				"Earth Centaur",
				"G0081",
				"KeyBoy",
				"Operation Tropic Trooper",
				"Pirate Panda",
				"Tropic Trooper"
			],
			"source_name": "ETDA:Tropic Trooper",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"ByPassGodzilla",
				"CHINACHOPPER",
				"CREDRIVER",
				"China Chopper",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"KeyBoy",
				"Neo-reGeorg",
				"PCShare",
				"POISONPLUG.SHADOW",
				"Poison Ivy",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Swor",
				"TSSL",
				"USBferry",
				"W32/Seeav",
				"Winsloader",
				"XShellGhost",
				"Yahoyah",
				"fscan",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9792e41f-4165-474b-99fa-e74ec332bd87",
			"created_at": "2023-01-06T13:46:38.986789Z",
			"updated_at": "2026-04-10T02:00:03.172308Z",
			"deleted_at": null,
			"main_name": "Lucky Cat",
			"aliases": [
				"TA413",
				"White Dev 9"
			],
			"source_name": "MISPGALAXY:Lucky Cat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fad89cb7-83e8-4d8c-8cf8-dce2c6e54479",
			"created_at": "2023-10-27T02:00:07.764261Z",
			"updated_at": "2026-04-10T02:00:03.378226Z",
			"deleted_at": null,
			"main_name": "Camaro Dragon",
			"aliases": [],
			"source_name": "MISPGALAXY:Camaro Dragon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99aa0795-8936-45db-a397-6d01131fcdcd",
			"created_at": "2023-02-18T02:04:24.085379Z",
			"updated_at": "2026-04-10T02:00:04.654299Z",
			"deleted_at": null,
			"main_name": "DragonSpark",
			"aliases": [],
			"source_name": "ETDA:DragonSpark",
			"tools": [
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"GotoHTTP",
				"SharpToken",
				"SinoChopper",
				"SparkRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a7e1c40-e88e-49ca-97d1-ec65a306eb7a",
			"created_at": "2023-04-27T02:04:44.903564Z",
			"updated_at": "2026-04-10T02:00:04.724185Z",
			"deleted_at": null,
			"main_name": "Hydrochasma",
			"aliases": [],
			"source_name": "ETDA:Hydrochasma",
			"tools": [
				"Agentemis",
				"BrowserGhost",
				"Cobalt Strike",
				"CobaltStrike",
				"GO Simple Tunnel",
				"GOST",
				"HackBrowserData",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ProcDump",
				"SoftEther VPN",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e7ef34b6-e7b6-46f3-8dd8-2708c1659cd6",
			"created_at": "2023-11-08T02:00:07.107758Z",
			"updated_at": "2026-04-10T02:00:03.415268Z",
			"deleted_at": null,
			"main_name": "SharpPanda",
			"aliases": [
				"Sharp Dragon"
			],
			"source_name": "MISPGALAXY:SharpPanda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fbe45970-1e9e-4a82-bc06-46317a248479",
			"created_at": "2026-02-03T02:00:03.45132Z",
			"updated_at": "2026-04-10T02:00:03.947304Z",
			"deleted_at": null,
			"main_name": "DarkPink",
			"aliases": [
				"Saaiwc"
			],
			"source_name": "MISPGALAXY:DarkPink",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9faf32b7-0221-46ac-a716-c330c1f10c95",
			"created_at": "2022-10-25T16:07:23.652281Z",
			"updated_at": "2026-04-10T02:00:04.702108Z",
			"deleted_at": null,
			"main_name": "Gallium",
			"aliases": [
				"Alloy Taurus",
				"G0093",
				"Granite Typhoon",
				"Phantom Panda"
			],
			"source_name": "ETDA:Gallium",
			"tools": [
				"Agentemis",
				"BlackMould",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"Gh0stCringe RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"LaZagne",
				"Mimikatz",
				"NBTscan",
				"PingPull",
				"Plink",
				"Poison Ivy",
				"PsExec",
				"PuTTY Link",
				"QuarkBandit",
				"Quasar RAT",
				"QuasarRAT",
				"Reshell",
				"SPIVY",
				"SinoChopper",
				"SoftEther VPN",
				"Sword2033",
				"WCE",
				"WinRAR",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Yggdrasil",
				"cobeacon",
				"nbtscan",
				"netcat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c87ee2df-e528-4fa0-bed6-6ed29e390688",
			"created_at": "2023-01-06T13:46:39.150432Z",
			"updated_at": "2026-04-10T02:00:03.231072Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"Red Dev 4",
				"Alloy Taurus",
				"Granite Typhoon",
				"PHANTOM PANDA"
			],
			"source_name": "MISPGALAXY:GALLIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434950,
	"ts_updated_at": 1775792281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/780a4500d98e3d80cdcd39c6938772c17342af2d.pdf",
		"text": "https://archive.orkl.eu/780a4500d98e3d80cdcd39c6938772c17342af2d.txt",
		"img": "https://archive.orkl.eu/780a4500d98e3d80cdcd39c6938772c17342af2d.jpg"
	}
}