{
	"id": "7c82e1f3-a739-48bf-95f2-1674fce2003f",
	"created_at": "2026-04-06T00:08:12.625949Z",
	"updated_at": "2026-04-10T13:12:15.130919Z",
	"deleted_at": null,
	"sha1_hash": "7d4bc6204935d78e19cd75929b93b24d328fec15",
	"title": "PortDoor: New Chinese APT Backdoor Attack Targets Russian Defense Sector",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 121737,
	"plain_text": "PortDoor: New Chinese APT Backdoor Attack Targets Russian Defense Sector\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 21:45:41 UTC\r\nThe Cybereason Nocturnus Team has been tracking recent developments in the RoyalRoad weaponizer, also known as the\r\n8.t Dropper/RTF exploit builder. Over the years, this tool has become a part of the arsenal of several Chinese-related threat\r\nactors such as Tick, Tonto Team and TA428, all of which employ RoyalRoad regularly for spear-phishing in targeted attacks\r\nagainst high-value targets. \r\nWhile analyzing newly discovered RoyalRoad samples observed in-the-wild, the Nocturnus Team detected one that not only\r\nexhibits anomalous characteristics, but also delivers PortDoor malware, a previously undocumented backdoor assessed to\r\nhave been developed by a threat actor likely operating on behalf of Chinese state-sponsored interests.\r\nAccording to the phishing lure content examined, the target of the attack was a general director working at the Rubin Design\r\nBureau, a Russian-based defense contractor that designs nuclear submarines for the Russian Federation’s Navy. \r\nKey Findings\r\nRoyalRoad Variants are Under Development: The variant of the RoyalRoad weaponizer examined altered its\r\nencoded payload from the known “8.t” file to a new filename: “e.o”. More new variants are likely to be under\r\ndevelopment as well.\r\nPreviously Undocumented Backdoor: The newly discovered RoyalRoad RTF variant examined also drops a\r\npreviously undocumented and stealthy backdoor dubbed PortDoor, which is designed with obfuscation and\r\npersistence in mind. 
\r\nHighly Targeted Attack: The threat actor is specifically targeting the Rubin Design Bureau, a part of the Russian\r\ndefense sector designing submarines for the Russian Federation’s Navy.\r\nExtensive Malware Capabilities: PortDoor has multiple functionalities, including the ability to do reconnaissance,\r\ntarget profiling, delivery of additional payloads, privilege escalation, process manipulation, static detection antivirus\r\nevasion, one-byte XOR encryption, AES-encrypted data exfiltration and more.\r\nAPT Group Operating on Behalf of Chinese State Interests: The accumulated evidence such as the infection\r\nvector, social engineering style, use of RoyalRoad against similar targets, and other similarities between the newly\r\ndiscovered backdoor sample and other known Chinese APT malware all bear the hallmarks of a threat actor operating\r\non behalf of Chinese state-sponsored interests.\r\nAnalysis of the Spear-Phishing Attack: Intro to RoyalRoad\r\nRoyalRoad is a tool that generates weaponized RTF documents that exploit the following vulnerabilities in Microsoft’s\r\nEquation Editor: CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802. RoyalRoad is used primarily by threat actors\r\nconsidered to be operating on behalf of Chinese state interests (e.g. Tick, Tonto Team, TA428, Goblin Panda, Rancor). \r\nRoyalRoad has rather consistent characteristics and most of the weaponized RTF documents usually drop an encoded file\r\nnamed “8.t”, which - once decoded - can deliver a variety of payloads for different threat actors. \r\nIn this report, we discuss a deviation from the “classic” RoyalRoad characteristics. 
The dropped object name was changed\r\nfrom the very consistent “8.t” naming convention to the new “e.o” file name.\r\nSpear-Phishing Email Delivers RoyalRoad RTF\r\nThe initial infection vector is a spear-phishing email addressed to the “respectful general director Igor Vladimirovich” at the\r\nRubin Design Bureau, a submarine design center from the “Gidropribor” concern in St. Petersburg, a national research\r\ncenter that designs underwater weapons like submarines:\r\nhttps://www.cybereason.com/blog/research/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector\r\nPage 1 of 11\n\nContent of the spear-phishing e-mail\r\nThe email attachment is a malicious RTF document weaponized with a RoyalRoad payload, with content describing a\r\ngeneral view of an autonomous underwater vehicle:\r\nContent of the weaponized RTF document\r\nThe creation time of the RTF is timestomped to 2007, presumably to thwart investigation or detection efforts. Timestomping\r\nis a known technique used by threat actors to try to remain under the radar:\r\nHistorical RTF data from VirusTotal\r\nOnce the RTF document is opened and executed, a Microsoft Word add-in file is dropped to the Microsoft Word startup\r\nfolder. This technique is used by various actors to bypass detection of automatic execution persistence, since Word must be\r\nrelaunched in order to trigger the add-in file, making the persistence mechanism less “noisy”. 
\r\nContrary to the common “8.t” file name observed in most RoyalRoad payloads, this new RoyalRoad variant uses the “e.o”\r\nnaming convention for the temporary file payload, which is eventually written to the MS Word startup folder as “winlog.wll”:\r\nWeaponized RTF execution and dropped files on disk\r\nThe malicious execution of the RTF file is detected by the Cybereason Defense Platform: \r\nCybereason Detection of the PortDoor Backdoor\r\nPortDoor Backdoor Analysis\r\nThe dropped payload, named “winlog.wll”, is a previously undocumented backdoor. Its main capabilities include:\r\nGathering reconnaissance and profiling of the victim’s machine\r\nReceiving commands and downloading additional payloads from the C2 server\r\nCommunicating with the C2 server using raw sockets as well as HTTP over port 443 with proxy authentication\r\nsupport\r\nPrivilege escalation and process manipulation\r\nDynamic API resolving for static detection evasion \r\nOne-byte XOR encryption of sensitive data and configuration strings \r\nThe collected information is AES-encrypted before it is sent to the C2 server\r\nDetailed Analysis\r\nThe DLL itself has multiple export functions, going from DllEntry00 to DllEntry33. Most of these exports simply run\r\nsleep loops, a likely anti-analysis measure. 
The main functionality resides within DllEntry28 and DllEntry18:\r\nDLL exports of the PortDoor backdoor\r\nIn order to get the configuration information, the backdoor first decrypts the strings using a hardcoded 0xfe XOR key:\r\nStrings decryption routine\r\nThe decrypted data includes the following configuration information:\r\nThe decrypted strings in memory\r\nDecrypted string | Purpose\r\n45.63.27[.]162 | C2 address\r\nKr*^j4 | N/A\r\nB-JDUN | Victim identifier\r\n58097616.tmp | Data file name written to %temp%\r\n0987654321fedcba | AES-CBC key\r\nIt is worth noting that, during the analysis, the communication with the C2 was not successful and therefore some analysis\r\ninformation may be incomplete.\r\nFollowing the debugger presence check and the string decryption, the malware then creates an additional file in %temp%\r\nwith the hardcoded name “58097616.tmp”, and writes the GetTickCount value multiplied by a random number to it:\r\nValue written to the “58097616.tmp” file\r\nThis can be used as an additional identifier for the target, and also as a marker of the previous presence of this\r\nmalware.\r\nThe malware then proceeds to attempt to establish a connection with the C2, which supports the transfer of data using TCP\r\nover raw sockets, or HTTPS using the CONNECT method. 
In addition, the backdoor appears to be proxy-aware,\r\ndistinguishing between two HTTP response types: “200” response and “407” (Proxy Authentication Required):\r\nHardcoded HTTP headers with proxy support\r\nPortDoor also has the ability to achieve privilege escalation by applying the Access Token Theft technique to steal\r\nexplorer.exe tokens and run under a privileged security context:\r\nAccess token theft from explorer.exe\r\nEventually, the malware awaits further instructions from the C2 to continue its execution. This is done via the following\r\nswitch case:\r\nSome of the switch case implemented methods\r\nFor example, the get_pc_info() case gathers basic PC info to be sent to the C2, and the “B-JDUN” string is most likely being\r\nused as a unique identifier for the campaign/victim:\r\nThe information gathered on the infected PC\r\nLastly, before sending the information to the C2 server the backdoor uses AES to encrypt the stolen PC information data:\r\nAES encrypted information gathered on the PC\r\nThe backdoor’s main C2 command functionality is summarized in the table below:\r\nCase | Action\r\n0x08 | Get PC info, concat with the “B-JDUN” identifier\r\n0x30 | List running processes\r\n0x31 | Open process\r\n0x41 | Get free space in logical drives\r\n0x42 | Files enumeration\r\n0x43 | Delete file\r\n0x44 | Move file\r\n0x45 | Create process with a hidden window\r\n0x28 | Open file for simultaneous operations\r\n0x29 | Write to file\r\n0x2a | Close handle\r\n0x2b | Open file and write directly to disk\r\n0x01 | Look for the “Kr*^j4” string\r\n0x10 | Create pipe, copy data from it and AES 
encrypt\r\n0x11 | Write data to file, append with “\\n”\r\n0x12 | Write data to file, append with “exit\\n”\r\nC2 command functionality summarized\r\nAnother anti-analysis technique observed being used by the PortDoor backdoor is dynamic API resolving. The backdoor is\r\nable to hide most of its main functionality and avoid static detection of suspicious API calls by dynamically resolving its API\r\ncalls instead of using static imports: \r\nDynamic API resolving\r\nThe malicious execution of the PortDoor backdoor DLL is detected by the Cybereason Defense Platform: \r\nPortDoor Backdoor DLL as detected by Cybereason\r\nAttribution\r\nAt the time of this analysis, there was not enough information available to attribute the newly discovered backdoor to a\r\nknown threat actor with reasonable certainty. However, there are a couple of known Chinese APT groups that share quite a\r\nfew similarities with the threat actor behind the new malware samples analyzed in this blog. \r\nBased on previous work done by nao_sec, the Nocturnus Team was able to determine that the RTF file discussed in this blog\r\nwas weaponized with RoyalRoad v7, which bears the indicative “b0747746” header encoding and was previously observed\r\nbeing used by the Tonto Team, TA428 and Rancor threat actors, as can be seen below: \r\nRoyalRoad attribution matrix. Credit: nao_sec\r\nBoth the Tonto Team and TA428 threat actors have been observed attacking Russian organizations in the past, and more\r\nspecifically attacking research and defense related targets. 
For example, it was previously reported that Tonto Team is\r\nknown to have attacked Russian organizations in the past using the Bisonal malware.\r\nWhen comparing the spear-phishing email and malicious documents in these attacks with previously examined phishing\r\nemails and lure documents used by the Tonto Team to attack Russian organizations, there are certain similarities in the\r\nlinguistic and visual style used by the attackers in the phishing emails and documents. \r\nThe newly discovered backdoor does not seem to share significant code similarities with previously known malware used by\r\nthe abovementioned groups, other than anecdotal similarities that are quite common to backdoors, leading us to the\r\nconclusion that it is not a variant of a known malware, but is in fact novel malware that was developed recently. \r\nLastly, we are also aware that there could be other groups, known or yet unknown, that could be behind the attack and the\r\ndevelopment of the PortDoor backdoor. We hope that as time goes by, and with more evidence gathered, the attribution\r\ncould be more concrete. \r\nConclusion\r\nRoyalRoad has been one of the most used RTF weaponizers in the Chinese threat actors sphere in recent years. It is mostly\r\nobserved in the initial compromise phase of targeted attacks where spear-phishing is used to lure victims into opening\r\nmalicious documents which in turn exploit Microsoft Equation Editor vulnerabilities to drop different malware. \r\nIn this report, we discussed the latest changes that were made to the RoyalRoad weaponizer that deviate from some of its\r\nwell-documented and predictable indicators. 
It is perhaps an indication that the threat actors who are operating it are\r\nattempting to avoid “low hanging fruit” detections.\r\nIn addition, we reported the discovery of the novel PortDoor backdoor, a previously undocumented and stealthy tool\r\ndesigned to grant the attackers access to their targets’ machines, collect information, and deploy additional payloads. \r\nAt the time of writing this report, it is still unclear which threat actor is behind the new backdoor; however, we have\r\nidentified two potential suspects that fit the profile. Currently there is not enough information available to prove the stated\r\nhypothesis with a high level of certainty.\r\nMITRE ATT\u0026CK Matrix\r\nReconnaissance: Gather Victim Host Information\r\nInitial Access: Phishing: Spearphishing Attachment\r\nExecution: Command and Scripting Interpreter: Windows Command Shell\r\nPersistence: Office Application Startup: Add-ins\r\nPrivilege Escalation: Process Injection; Access Token Manipulation: Token Impersonation/Theft\r\nDefense Evasion: Masquerading: Match Legitimate Name or Location; Virtualization/Sandbox Evasion; Process Injection; Obfuscated Files or Information; Access Token Manipulation: Token Impersonation/Theft; Signed Binary Proxy Execution: Rundll32\r\nDiscovery: Virtualization/Sandbox Evasion; File and Directory Discovery; System Information Discovery; System Time Discovery; Process Discovery\r\nAbout the Researchers:\r\nDANIEL FRANK\r\nDaniel Frank is a senior Malware Researcher at Cybereason. 
Prior to Cybereason, Frank was a Malware Researcher at F5\r\nNetworks and RSA Security. \r\nHis core roles as a Malware Researcher include researching emerging threats, reverse-engineering malware and developing\r\nsecurity-driven code. Frank has a BSc degree in information systems.\r\nASSAF DAHAN\r\nAssaf Dahan is the Senior Director and Head of Threat Research at Cybereason. He has over 15 years in the InfoSec\r\nindustry. \r\nHe started his career in the Military forces where he developed extensive experience in offensive security. Later in his career\r\nhe led Red Teams, developed penetration testing methodologies, and specialized in malware analysis and reverse\r\nengineering.\r\nPortDoor | Indicators of Compromise\r\nIndicator | Type | Comment\r\n48a312bfbcd1674501a633fbdcaa99a487e6260414a6e450a19982578b128a52 | SHA256 | Phishing email\r\n774a54300223b421854d2e90bcf75ae25df75ba9f3da1b9eb01138301cdd258f | SHA256 | Weaponized RTF\r\nb60c9b59e03101277196bce597701eab5cfb0fd6b37442a5029673a11ffb9295 | SHA256 | Weaponized RTF\r\naec6271de4436ddf0067e67c389cbddb82f73d749e4713f5c8b375ad0ee7da9c | SHA256 | Weaponized RTF\r\n2d705f0b76f24a18e08163db2f187140ee9f03e43697a9ea0d840c829692d43c | SHA256 | Backdoor\r\n45.63.27[.]162 | IP | C2\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and\r\nenterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies,\r\nreverse-engineering malware, and exposing unknown system vulnerabilities. 
The Cybereason Nocturnus Team was the first\r\nto release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nSource: https://www.cybereason.com/blog/research/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/research/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector"
	],
	"report_names": [
		"portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e8aee970-e31e-489f-81c2-c23cd52e255c",
			"created_at": "2023-01-06T13:46:38.763687Z",
			"updated_at": "2026-04-10T02:00:03.092181Z",
			"deleted_at": null,
			"main_name": "RANCOR",
			"aliases": [
				"Rancor Group",
				"G0075",
				"Rancor Taurus",
				"Rancor group",
				"Rancor"
			],
			"source_name": "MISPGALAXY:RANCOR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6d11e45c-4e31-4997-88f5-295b2564cfc6",
			"created_at": "2022-10-25T15:50:23.794721Z",
			"updated_at": "2026-04-10T02:00:05.358892Z",
			"deleted_at": null,
			"main_name": "Rancor",
			"aliases": [
				"Rancor"
			],
			"source_name": "MITRE:Rancor",
			"tools": [
				"DDKONG",
				"PLAINTEE",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1",
			"created_at": "2023-01-06T13:46:39.042499Z",
			"updated_at": "2026-04-10T02:00:03.194713Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"BRONZE DUDLEY",
				"Colourful Panda"
			],
			"source_name": "MISPGALAXY:TA428",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "416f8374-2b06-47e4-ba91-929b3f85d9bf",
			"created_at": "2022-10-25T16:07:24.093951Z",
			"updated_at": "2026-04-10T02:00:04.864244Z",
			"deleted_at": null,
			"main_name": "Rancor",
			"aliases": [
				"G0075",
				"Rancor Group",
				"Rancor Taurus"
			],
			"source_name": "ETDA:Rancor",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DDKONG",
				"Derusbi",
				"Dudell",
				"ExDudell",
				"KHRAT",
				"PLAINTEE",
				"RoyalRoad",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434092,
	"ts_updated_at": 1775826735,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7d4bc6204935d78e19cd75929b93b24d328fec15.pdf",
		"text": "https://archive.orkl.eu/7d4bc6204935d78e19cd75929b93b24d328fec15.txt",
		"img": "https://archive.orkl.eu/7d4bc6204935d78e19cd75929b93b24d328fec15.jpg"
	}
}