{
	"id": "90cef45e-de9e-4291-9f59-47d458c6ec85",
	"created_at": "2026-04-06T00:16:13.029303Z",
	"updated_at": "2026-04-10T03:36:33.588065Z",
	"deleted_at": null,
	"sha1_hash": "7cc68d204a2b8a862ef1b3307cc938703e49ea1e",
	"title": "[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 117364,
	"plain_text": "[HITCON 2020 CTI Village] Threat Hunting and Campaign\r\nTracking Workshop.pptx\r\nArchived: 2026-04-05 21:04:11 UTC\r\n1.\r\n2.\r\nThe views and opinions expressed in this slide are those of the authors and do not necessarily reflect the\r\nofficial policy or position of their employers. Any content provided in this training are of their opinion and\r\nare not intended to malign any religion, ethnic group, club, organization, company, individual or anyone or\r\nanything. Disclaimer\r\n3.\r\n● Security Engineer @ Google ● HITCON GIRLS Co-Founder ● Black Hat Asia Review Board A Google security engineer who came back from across the ocean, already quarantined and therefore very safe. Ashley Shen ● Cyber Security Researcher @\r\nFireEye・Mandiant ● Kaspersky SAS2018, SAS2019 Speaker ● Research focus on threat around Eastern\r\nAsia A newbie who stumbled into the security field, also a FireEye researcher. Very small brain capacity, can never remember the names of malware. Steve Su\r\n4.\r\nAgenda Threat Hunting 101 What is Threat Hunting? Who and why do we do threat hunting? 01 How and\r\nwhat tools can we use? 02 What is campaign tracking? How to do it? 03 Case Study. 04\r\nThreat Hunting Tools/Techniques Campaign Tracking 101 Campaign Tracking Case Study\r\n5.\r\n6.\r\n7.\r\nWHAT IS THREAT HUNTING? Threat hunting is the practice of proactively searching for cyber threats that\r\nare lurking undetected in your network environment. (Crowdstrike \u0026 Me) ● Network ● System ● Service /\r\nPlatform ● Application (Mobile / Desktop) ● Forums\r\n8.\r\n9.\r\nKnown to Self Not Known to Self Known to Others ● Internally detected threats shared to partners. ● Threat\r\nIntelligence shared by 3rd party. ● Undetected threats discovered by 3rd party and not shared to us. \u003e can\r\nbe made up by ingesting more intelligence. Not Known to Others ● Internally detected threats not shared\r\nexternally. ● Undetected threats not discovered by anyone but lurking in the shadow. 
\u003e Most dangerous\r\nthreat Threat Hunting focus Threat Detection Focus\r\n10.\r\nhttps://www2.slideshare.net/ChiEnAshleyShen/hitcon-2020-cti-village-threat-hunting-and-campaign-tracking-workshoppptx/1\r\nPage 1 of 9\n\n10 Threat Hunting serves different purpose for different roles. ● Orgs perform threat hunting to discover threats\r\nintruding org environment. ● Leverage Internal telemetry, hunting on internal infrastructure. Protecting Org\r\n● Service providers (e.g. Twitter, Facebook, Google) need to protect services from the abuser and protect\r\nusers/org from abuses. ● Hunting on platforms, applications, services infrastructure. Protecting\r\nServices/Users ● Security vendors perform threat hunting to provide threat intelligence or services (MDR).\r\n● Threat intelligence hunt on external resources (VirusTotal, OSINT...etc). ● Vendors hunt with endpoint\r\ntelemetry and data. Protecting Customers\r\n11.\r\n12.\r\n13.\r\nQuality? Confidence Level? Visibility? Golden Time Operation? Freemilk Operation? Evil New Year\r\nOperation? APT10? Menupass? Or not the same elephant? picture from: https://ltcinsurancece.com/the-blind-leading-the-blind-through-ltc-insurance/\r\n14.\r\nThreat Hunting Drivers Analytics-Driven ● Aggregated data gathered from automatic and analytics tools\r\n(include but not limited to ML systems, User and Entity Behavior Analytics (UEBA)). ● Service provider\r\ncreate customized tools to capture threat signals. https://github.com/Cyb3rWard0g/HELK\r\n15.\r\n16.\r\nThreat Hunting Process Investigate the scenarios with tools. Investigate improve existing detection\r\nmechanisms with the TTPs and create automatic detection. Create a possible attack scenario that your\r\nhunting is focused on. Inform \u0026 Enrich Create Hypothesis From the investigation results, find the techniques\r\nused by attacker and the pattern to build the actor TTPs profile. 
Uncover TTPs\r\n17.\r\n18.\r\n19.\r\n20.\r\n21.\r\n22.\r\n23.\r\n24.\r\n25.\r\nReconnaissance Hunting Reconnaissance Activities In Reconnaissance stage attacker collects data for the\r\nfollowing campaigns. ● Try to catch the attackers before they enter intrusion stages. Common Techniques ●\r\nBots, crawlers, spiders scraping ○ e.g. Scraping email addresses for targeted attack ● Port Scan\r\n26.\r\nHypothesis ● Attackers are doing scraping on webpage to collect target’s email address. Investigate ●\r\nIdentify data sources: ○ Proxy logs ○ IIS logs ○ reCaptcha logs ● What are abnormal activities ○ known\r\nscripting JA3 fingerprints, known bad IPs from Intelligence ○ Identical outdated User-Agent ○ Traffic\r\nwithout referrers ○ Short sessions and high frequency / high bounce rate https://github.com/puppeteer/puppeteer https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967\r\nhttps://www.youtube.com/\r\n27.\r\nUncover TTPs ● IPs with high solve rate, frequency and speed. ● Comparing request IPs with internal intel,\r\nsome scraping IPs were used to send phishing emails. ● Attackers are using reCaptcha farm service to\r\nsolve reCaptcha. Inform \u0026 Enrich ● Leverage phishing emails sender IPs to detect scraping activities or\r\nvice versa. ● Using the collected reCaptcha farm solving score to improve reCaptcha service and detection.\r\n● Using the JA3 to detect scripting. https://datadome.co/bot-detection/how-to-detect-captcha-farms-and-block-captcha-bots/ https://anti-captcha.com/\r\n28.\r\nJA3/JA3S Fingerprint What is this? ● The JA3 algorithm extracts SSL handshake settings for fingerprinting\r\nthe SSL stack. ● JA3 - client SSL setting fingerprint ● JA3S - server SSL setting fingerprint How can it be\r\nuseful for threat hunting? ● Detect / identify malware traffic. ● Fingerprint attacker. 
(Note: not 100% high\r\nconfidence.) https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967\r\n29.\r\n30.\r\nReconnaissance Hunting Reconnaissance Activities What to hunt? ● IP address ○ Comparing access IPs with\r\nintelligence. ○ Attackers use the scraping IP to send phishing emails ● User-Agent ● JA3 SSL Fingerprint.\r\n(identify what kind of tools, or custom tools used by attacker) ● Customized signals\r\n31.\r\nHunting Weaponization Activities Common Techniques ● Upload malware sample to public scanning\r\nservice (e.g. VirusTotal) for testing anti-detection. How to hunt? ● With known intelligence, writing Yara\r\nrule to hunt on scanning service. ● Monitoring underground with intelligence service. Weaponized\r\nhttps://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/\r\n32.\r\nVirusTotal ● The \"Google\" of malware. One of the world’s largest malware intelligence services. ○ 2+\r\nBillion malware samples ○ 1 Million files uploaded per day ● Basic and advanced research capabilities. ●\r\nCrowdsourced verdicts (basic, free). ● Threat hunting, investigation, relationship analysis (advanced, paid\r\ntiers) ● Powerful intelligence tools: YARA, Hunt, Graph. ● Part of Chronicle, Alphabet’s cybersecurity\r\ncompany.\r\n33.\r\n34.\r\nExample 1: Finding new malware hosted on Drive itw:docs.google.com p:20+ fs:2020-09-01T00:00:00+\r\nfirstSeen Filters the files to be returned according to the first submission datetime to VirusTotal. positives\r\nFilters the files to be returned according to the number of antivirus vendors that detected it upon scanning\r\nwith VirusTotal. 
itw Return all those files that have been downloaded from a URL containing the literal\r\nprovided.\r\n35.\r\nExample 2: Finding Attackers testing Activities p:20+ type:peexe subspan:500- pets:2020-09-05 00:00:00+\r\nsubmissions:2+ sources:1 type Type of file. (e.g. pdf, doc..etc) pets Filter PE according to their compilation\r\ntimestamp. submissions number of times they were submitted to VirusTotal. subspan The difference (in\r\nseconds) between the first submission time and the compilation timestamp. source Number of distinct\r\nsources that submitted the file to VirusTotal\r\n36.\r\nUpload in ~2mins ~ 7 mins difference Same Submitter 10 times bigger?? https://www.virustotal.com/\r\n37.\r\nMalware Analysis Important skill for a threat hunter! Why do malware analysis? ● Understand malware\r\ncapability to understand the motivation and threat levels. (infostealer? RAT? miner?). ● Extract IoC\r\n(indicator of compromise) to hunt in the network environment, track the campaign and attribution. ●\r\nIdentify malware family to understand attacker’s TTPs. (Is this malware only used by Group A? or shared\r\namong different groups?) ● Produce detection rules. To hunt in the network and deploy detection.\r\n38.\r\nStatic Analysis Examining any given malware sample without actually running or executing the code.\r\nDynamic Analysis Analysis while running the code in a controlled environment. https://www.amazon.ca/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901 https://tenor.com/view/panda-office-pissed-tantrum-mad-gif-5146825\r\n39.\r\n40.\r\n41.\r\nSandbox Analysis Automate the dynamic analysis, detection and hunting pipeline. ● Execute a program in an\r\ninstrumented environment and monitor its execution. ● They are increasingly used as the core of\r\nautomated detection processes. 
https://www.hybrid-analysis.com/ https://any.run/\r\nhttps://twitter.com/joe4security https://cuckoosandbox.org/\r\n42.\r\n43.\r\n44.\r\n45.\r\nIngest OSINT with Critical Thinking What information have we got so far? ● Potential attacker from Brazilian IP.\r\n● C\u0026C domain resolved to a Brazilian IP. More information about Xtreme RAT. ● Xtreme RAT is a\r\ncommodity RAT that was first publicly sighted in 2010. ● The RAT is available for free and the source\r\ncode for it has been leaked. We don’t have enough information for attribution in this case!\r\n46.\r\nYara Rule What is Yara? ● Tool to assist malware researchers identify and classify malware ● Identify\r\nmalware in string or binary patterns ● YARA rule = strings + condition ● Useful to catalog threat actors\r\nand associated IOCs\r\n47.\r\n48.\r\n49.\r\nUnderground Forum Monitoring Some attackers (especially crime) are not low-profile ● Recruiting hackers. ●\r\nBuying ransomware, malwares, stealers..etc. ● Selling stolen data, accounts. How to hunt? ● 3rd party\r\nintelligence. ● Monitoring service. ● Forum crawlers.\r\n50.\r\nHoneypot Hunting Present opportunity instead of finding needle in haystack ● Honeypot mimics a target for\r\nhackers, and uses their intrusion attempts to gain information about attacker’s intrusion techniques. ●\r\nHoneypot can be a virtual system, a fake database, a fake email address, or a webpage. ● Collects\r\nintelligence from monitoring attacker’s behaviors in the pot. ○ TTPs ○ IoC ○ What are they most\r\ninterested in?\r\n51.\r\n52.\r\nIs Campaign Tracking Useless??? Purpose High level intelligence could be useless in tactical level.\r\nUnderstand your purpose and use proper intelligence Ingest Without ingest, intelligence report won’t be\r\nyour security assets. 
Note: Definition of Operation Level \u0026 Tactical Level might swap in other materials.\r\n53.\r\n54.\r\n55.\r\nCyber Attribution Model Cyber Attack Investigation ● 3W1H: Who / Why / What / How ● Four Components\r\n○ Victimology / Adversary ○ Infrastructure ○ Capabilities ○ Motivation [1]\r\nhttps://cybersecurity.springeropen.com/articles/10.1186/s42400-020-00048-4\r\n56.\r\nCyber Attribution Model Cyber Threat Actor Profiling ● Who could be the perpetrator ● What infrastructure\r\nhave they used for the attack and What capabilities and motivation might they have. [1]\r\nhttps://cybersecurity.springeropen.com/articles/10.1186/s42400-020-00048-4\r\n57.\r\nA Solid Ground for Start? OSINT Report Communities Resource Security Conference/Summit Company\r\nOnline Seminar Incident Response Report Ingest Information Attribution Anchor Attributes that are\r\nrelatively unique, would be difficult for an adversary to change, and exist across multiple phases of the kill\r\nchain.\r\n58.\r\nCAMPAIGN Tracking Attributes ● Any intrusion can be modeled into 7 phases (Kill Chain) ● An intrusion\r\ncan be considered as a highly-dimensional set of indicators, called “attributes” Nowadays, signatures are\r\nfar from sufficient to detect malicious files Against high-value targets for specific purpose Backdoor\r\nC2 INFRASTRUCTURE Target Scope EXPLOIT TOOL Zero-day exploits are rarer and more expensive\r\nthan ever Adversaries might use same infrastructure for years\r\n59.\r\nBuild a good attribute vector? 
Malware Customized Hacking tool Unique Strings Publicly Available Tools\r\nActor Controlled Domain Resolution Watering Hole Compromised IP/Port Combination DNS provider\r\nSame Netblock Unique Password Unique Code Snippet Overall Methodology Spear-Phishing Sender\r\nDomain Registrant Email Phishing Target Methodology Spear-Phishing Email Infrastructure\r\n60.\r\n61.\r\n62.\r\n63.\r\nMalware Analysis Monitoring System Incident Response System forensic report for Lateral movement\r\ntools, Rootkit, Deleted scripts/ malware/logs ... Information from Firewall, EDR, SIEM, UTM, WAF, or\r\neven SOAR... Expand Your Attributes Malware triage, Operational IoCs, C2 Infrastructure, Modified\r\nregistries... Honeypot Dark Forum Tracking C2 Tracker Passive Proactive yara hunting\r\n64.\r\n65.\r\n* Actor profiling - Ability of intrusion - Purpose \u0026 target - TTPs * Victim profiling - Affected industry -\r\nScale of damage - Root cause of the intrusions Data Preprocess Investigation For identifying all of the possible\r\nvictims in the leaked data, information like IP, domain, organization name, personal credentials are useful.\r\n* Separated IPs by GEO-location information. * Separated Domains by WhoIs information. * Back trace\r\nrouting path. Routing server name might reveal host identity. * Credential Analysis Triage\r\nRetrieve Indicator\r\n66.\r\nInfrastructure Investigation What matters? 
● Server Type ○ VPS ○ Webhosting server ○ CDN server ○\r\nCompromised site ○ Sinkholed ○ Private server ● Timestamp ○ Resolve timestamp ○ Info update\r\ntimestamp ● Registrant information ○ Registrant name, organization, address, phone ● Certificate ○ Hash /\r\nSerial Number ○ Organization Name ○ Common Name Passive DNS Records Passive DNS records can\r\nhelp you to trace back domains which are associated with the IP address https://community.riskiq.com/\r\n67.\r\nVictim Investigation Passive DNS Records Passive DNS records can help you to trace back domains which\r\nare associated with the IP address Registrant Information Most of the registrant info. might be masked due to\r\nGDPR regulation. Information still available for normal company, service provider. [3]\r\nhttps://ec.europa.eu/info/law/law-topic/data-protection/reform/what-does-general-data-protection-regulation-gdpr-govern_en https://www.nic.ad.jp/ https://community.riskiq.com/\r\n68.\r\nVictim Investigation Certificate Information SSL certificate serial number, contact name, email, address,\r\n...etc are useful indicators Registrant Information Most of the registrant info. might be masked due to\r\nGDPR regulation. Information still available for normal company, service provider. Passive DNS Records\r\nPassive DNS records can help you to trace back domains which are associated with the IP address\r\nhttps://community.riskiq.com/\r\n69.\r\nVictim Investigation Certificate Information SSL certificate serial number, contact name, email, address,\r\n...etc are useful indicators Registrant Information Most of the registrant info. might be masked due to\r\nGDPR regulation. Information still available for normal company, service provider. 
Passive DNS Records\r\nPassive DNS records can help you to trace back domains which are associated with the IP address\r\n70.\r\n* Malicious EXE file disguised with Doc Icon in June * Use “Hong Kong security law” related issue as lure\r\ntheme * Lure document is a letter from Vatican Threat Detected Campaign Tracking Case Study * A delicate\r\nmalware downloader for infecting system by 2nd stage. * The 2nd stage backdoor is a variant of PlugX. *\r\nPlugX is a malware widely used by many APT groups. Malware Analysis * Abuse Google Drive for delivering\r\ncompressed malicious files * Use service from CN based service providers * Infrastructure appears in\r\nmany Mustang Panda related report Infrastructure Analysis source: any.run sandbox source: FireEye\r\n71.\r\nCampaign Tracking Case Study * User ID could be found in many programming forum, blogger, github...etc *\r\nFrom the self-introduction page of the services above, we found the surname overlap. Got you! * Personal\r\nCV found in the wild. Possible Persona * A personal blog domain associated to the C2 infrastructure used\r\nfor this operation. * Registrant Name: “Ma Ge Bei Luo Xiang Gang Jiu Dian” Interesting Overlap [4]\r\nwww.xuepojie.com\r\n72.\r\nIn August, a new sample with Tibet-Ladakh Relationship lure content discovered in the wild... What we\r\nlearn from tracking? ◂ Get updated anchors for future reference ◂ Understand the whole landscape not\r\nseparated incidents. ◂ Learning history is helpful in that we can review the past and predict the future.\r\nAfterstory... Backward Tracing * Found related sample on google drive from the same account with file title\r\n“QUM, IL VATICANO DELL'ISLAM”. * They used Middle East related lure in June as well. 
Lure\r\nDocument source: FireEye\r\n73.\r\n74.\r\n75.\r\n● Source Reliability / Fidelity ● Mixing Fact with Assessment ○ Differentiate KNOW \u0026 THINK ○ Public\r\nresearch \u0026 Media might not differentiate them ● Failure to Consider Visibility ● Failure to Account for\r\nHuman Action ● Failure to Consider Alternate Explanations Common Errors\r\n76.\r\n● Depends too heavily on an initial piece of information offered to make subsequent judgments during\r\ndecision making. ○ Quick Tweet from Community ○ Similar Exploit Template ○ Same Malware/Hacking\r\nTool from forensic ○ Detect Code Snippet Overlapped ○ Detect C2 Infrastructure Overlapped ● Don’t\r\nignore evidence conflicting with your initial vector Decide attribution when you have sufficient evidence!\r\nAnchoring Effect\r\n77.\r\n78.\r\nCisco Talos OlympicDestroyer shared same techniques in Badrabbit and NotPetya Intezer They found code\r\nin the OlympicDestroyer that connects to known Chinese threat actors. Recorded Future Found similarities\r\nto malware loaders from BlueNoroff/Lazarus. A North Korea based APT group. False Flag \u0026 Disinformation\r\n[6] Securelist Mar. 2018 https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/\r\n79.\r\n80.\r\n81.\r\nAttribution Guide Best Practices for Determining Attribution ● Looking for Human Error ○ Almost all cyber\r\nattribution successes have resulted from attackers’ operational security errors ● Timely Collaboration,\r\nInformation Sharing, and Documentation. ○ Acquisition, documentation, and recovery of data within\r\ntwenty-four hours of a cyber incident ● Rigorous Analytic Tradecraft ○ Must be careful to avoid cognitive\r\nbias [7] A Guide to Cyber Attribution, Sep.
2018\r\nhttps://www.dni.gov/files/CTIIC/documents/ODNI_A_Guide_to_Cyber_Attribution.pdf\r\n82.\r\nAttribution Guide Best Practices for Presenting Attribution Analysis ● De-layer the Judgment ● Provide\r\nConfidence Level ○ High: The totality of evidence and context with no reasonable alternative ○ Moderate:\r\nThe totality of evidence and context to be clear and convincing, with only circumstantial cases for\r\nalternatives ○ Low: More than half of the body of evidence points to one thing, but there are significant\r\ninformation gaps ● Identify Gaps ○ Do not have enough data for a judgment or confidence statement\r\n83.\r\nAttribution Guide [7] A Guide to Cyber Attribution, Sep. 2018\r\nhttps://www.dni.gov/files/CTIIC/documents/ODNI_A_Guide_to_Cyber_Attribution.pdf\r\n84.\r\nSummary ● Threat Hunting ○ Threat hunting serves different purposes for different roles. ○ Create\r\nhypothesis before developing a threat hunting program. ○ Threats do not start from intrusion.\r\nReconnaissance and weaponization stages are also threat hunting’s playgrounds. ● Campaign Tracking ○\r\nDecide a solid anchor as reference base for tracking. ○ Attribution is a very delicate topic. It should be\r\nhandled with great care. ○ Avoid possible cognitive bias and de-layer your Judgment ○ NO rush with\r\nattribution.\r\n85.\r\n86.\r\nReference/Resource ◂ Icon material attribution: ◂ Flaticon ◂ smalllikeart ◂ Nhor Phai ◂ Freepik ◂ Xtreme\r\nRAT ◂ https://malpedia.caad.fkie.fraunhofer.de/details/win.extreme_rat\r\nSource: https://www2.slideshare.net/ChiEnAshleyShen/hitcon-2020-cti-village-threat-hunting-and-campaign-tracking-workshoppptx/1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www2.slideshare.net/ChiEnAshleyShen/hitcon-2020-cti-village-threat-hunting-and-campaign-tracking-workshoppptx/1"
	],
	"report_names": [
		"1"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434573,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7cc68d204a2b8a862ef1b3307cc938703e49ea1e.pdf",
		"text": "https://archive.orkl.eu/7cc68d204a2b8a862ef1b3307cc938703e49ea1e.txt",
		"img": "https://archive.orkl.eu/7cc68d204a2b8a862ef1b3307cc938703e49ea1e.jpg"
	}
}