{ "id": "cd69becd-a1af-4f16-9eaa-32d019a9bd65", "created_at": "2026-04-06T00:17:25.381021Z", "updated_at": "2026-04-10T13:12:29.109511Z", "deleted_at": null, "sha1_hash": "7f3a04624a72922dac14409f3e0308acfc18ae8a", "title": "HenBox (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 37719, "plain_text": "HenBox (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 14:39:46 UTC\r\napk.henbox (Back to overview)\r\nHenBox\r\nActor(s): HenBox\r\nThere is no description at this point.\r\nReferences\r\n2020-03-02 ⋅ Virus Bulletin ⋅ Alex Hinchliffe\r\nPulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary\r\nHenBox Farseer PlugX Poison Ivy\r\n2019-10-03 ⋅ Palo Alto Networks Unit 42 ⋅ Alex Hinchliffe\r\nPKPLUG: Chinese Cyber Espionage Group Attacking Asia\r\nHenBox Farseer PlugX\r\n2018-03-13 ⋅ Palo Alto Networks Unit 42 ⋅ Alex Hinchliffe, Jen Miller-Osborn, Mike Harbison, Tom Lancaster\r\nHenBox: The Chickens Come Home to Roost\r\nHenBox\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/apk.henbox\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.henbox\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.henbox" ], "report_names": [ "apk.henbox" ], "threat_actors": [ { "id": "93542ae8-73cb-482b-90a3-445a20663f15", "created_at": "2022-10-25T16:07:24.058412Z", "updated_at": "2026-04-10T02:00:04.853499Z", "deleted_at": null, "main_name": "PKPLUG", "aliases": [ "Stately Taurus" ], "source_name": "ETDA:PKPLUG", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "926dcfeb-19dd-4786-b601-3c0c4c477b43", "created_at": "2023-01-06T13:46:38.787762Z", "updated_at": "2026-04-10T02:00:03.10053Z", "deleted_at": null, "main_name": "HenBox", "aliases": [], "source_name": "MISPGALAXY:HenBox", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434645, "ts_updated_at": 1775826749, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/7f3a04624a72922dac14409f3e0308acfc18ae8a.pdf", "text": "https://archive.orkl.eu/7f3a04624a72922dac14409f3e0308acfc18ae8a.txt", "img": "https://archive.orkl.eu/7f3a04624a72922dac14409f3e0308acfc18ae8a.jpg" } }