{
	"id": "b25c3cc5-428b-4e50-a877-0650103feb00",
	"created_at": "2026-04-06T00:17:27.107829Z",
	"updated_at": "2026-04-10T13:12:54.093439Z",
	"deleted_at": null,
	"sha1_hash": "812fab2a9498760768de019c8e75848af55663d3",
	"title": "Malware Transmutation! - Unveiling the Hidden Traces of BloodAlchemy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4728101,
	"plain_text": "Malware Transmutation! - Unveiling the Hidden Traces of BloodAlchemy\r\nPublished: 2024-05-23 · Archived: 2026-04-05 14:48:49 UTC\r\nIntroduction\r\nMalware group History\r\nAnalysis of BloodAlchemy\r\nInitial infection vector and infection flow\r\nAnalysis of malicious DLL\r\nAnalysis of shellcode\r\nAnalysis of payload (BloodAlchemy)\r\nStructures\r\nFunctions\r\nCreation of VFT associated with each communication protocol\r\nBackdoor commands\r\nThe code similarities with Deed RAT\r\nSummary\r\nAppendix\r\nIntroduction\r\nThis article presents our analysis of a malware family called \"BloodAlchemy\" that we observed in an attack campaign.\r\nIn October 2023, Elastic Security Labs¹ named BloodAlchemy as a new RAT (Remote Access Trojan). Our investigation, however, shows that BloodAlchemy is not an entirely new malware but an evolved version of Deed RAT, the successor to ShadowPad.\r\nMalware group History\r\nLet's look at ShadowPad first. ShadowPad is a particularly notorious malware family used in APT (Advanced Persistent Threat) campaigns. It was first reported in a software supply chain attack in July 2017, when ShadowPad was found embedded in one of the code libraries of a server management product for enterprise networks provided by NetSarang².\r\nIn early 2019 it was believed that only APT41 was using ShadowPad. Since 2020, however, many security researchers have reported that it may be used by various APT groups³.\r\nMoving on to Deed RAT, its implementation suggests that it has been used as a RAT by the threat group called Space Pirates, which has been active since at least 2017. Additionally, Positive Technologies' security team notes that Deed RAT shows a high degree of code similarity with ShadowPad⁴.\r\nhttps://blog-en.itochuci.co.jp/entry/2024/05/23/090000\r\nPage 1 of 17\n\nNow, let's delve into BloodAlchemy, the malware in question. 
According to Elastic Security Labs' analysis, this malware has several characteristic traits: it uses legitimate binaries to load malicious DLLs, it has multiple run modes and persistence mechanisms, and it imports the functions of the specific communication protocol it uses to talk to its command and control (C2) server. These traits indicate that BloodAlchemy is a new variant of Deed RAT that is still being actively developed by the attackers.\r\nThe public information on ShadowPad, Deed RAT, and BloodAlchemy is summarized in Figure 1.\r\nFigure 1. Public information on ShadowPad, Deed RAT, and BloodAlchemy\r\nReferences of Figure 1\r\n[1] ShadowPad in corporate networks\r\n[2] Operation ShadowHammer: a high-profile supply chain attack\r\n[3] Cyber Espionage Tradecraft in the Real World: Adversaries targeting Japan in the second half of 2019\r\n[4] Space Pirates: analyzing the tools and connections of a new hacker group\r\n[5] ShadowPad: the Masterpiece of Privately Sold Malware in Chinese Espionage\r\n[6] Operation StealthyTrident: corporate software under attack\r\n[7] APT Threat Landscape in Japan 2020\r\n[8] RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale\r\n[9] Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling\r\n[10] Attacks on industrial control systems using ShadowPad\r\n[11] Redfly: Espionage Actors Continue to Target Critical Infrastructure\r\n[12] Space Pirates: a look into the group's unconventional techniques, new attack vectors, and tools\r\n[13] Introducing the ref5961 intrusion set\r\nAnalysis of BloodAlchemy\r\nInitial infection vector and infection flow\r\nIn this case, our analysis found that the attacker took over a vendor-only maintenance account on a VPN device and used it to deploy a set of files that infected targets with BloodAlchemy. Figure 2 shows the infection flow.\r\nFigure 2. The infection flow of BloodAlchemy\r\nThe malicious file set consisted of three files: BrDifxapi.exe, BrLogAPI.dll, and DIFX, stored under the directory C:\\windows\\. In addition, a scheduled task (C:\\Windows\\System32\\Tasks\\Dell\\BrDifxapi) was created for persistence.\r\nFigure 3. Discovered malicious file set\r\nAnalysis of malicious DLL\r\nWhen BrDifxapi.exe is executed on the infected host, it uses the DLL side-loading technique to load the malicious DLL BrLogAPI.dll from the same directory. This DLL then reads the DIFX file, decrypts the shellcode stored in it, and executes that shellcode in memory. The cipher is AES-128 in CBC mode, and the key is the first 16 bytes of the DIFX file, so the key material travels with the ciphertext.\r\nFigure 4. The decryption process of shellcode in BrLogAPI.dll\r\nFigure 5. The DIFX data (before) and the decrypted shellcode (after)\r\nAnalysis of shellcode\r\nThe decrypted shellcode carries BloodAlchemy in encrypted and compressed form. The custom decryption routine is built on the FNV-1a hash algorithm, and the compression is LZNT1. FNV-1a is a non-cryptographic hash, so this layer is best understood as obfuscation: once the routine is reverse engineered, the payload can be recovered from the shellcode offline.\r\nFigure 6. The custom crypto method using FNV-1a hash\r\nWhat is the FNV-1a hash algorithm?\r\nFowler-Noll-Vo (FNV) is a hash algorithm based on an idea originally submitted as reviewer comments to the IEEE POSIX P1003.2 committee by Glenn Fowler and Phong Vo in 1991. It was later improved by Noll. FNV is an abbreviation that combines the names of its creators. FNV is widely used for various purposes, including DNS servers, X (formerly Twitter) services, database index hashing, major web search/index engines, Message-ID search functionality in netnews history files, and spam filtering, among others.\r\nThe FNV Non-Cryptographic Hash Algorithm\r\nFigure 7. Decompression process using LZNT1\r\nWhat is the LZNT1 compression algorithm?\r\nA compression algorithm that can be used easily by calling the Windows API named RtlDecompressBuffer.\r\nLZNT1 Algorithm Details | Microsoft Learn\r\nThe restored BloodAlchemy payload has a unique data format that closely resembles the PE format but differs from it. The data structure of the custom format is as follows (values from the analyzed sample):\r\noffset  description                  data\r\n0x00    magic number                 45 AB 45 AB\r\n0x04    plugin id                    0x10\r\n0x08    entry point                  0x698c\r\n0x0c    original base                0x400000\r\n0x10    absolute offset              0\r\n0x14    size of virtualalloc         0x17000\r\n0x18    size of raw data             0x16fab\r\n0x1c    size of unknown              0x163bc\r\n0x20    base of code?                0x1000\r\n0x24    section1: virtual address    0x0\r\n0x28    section1: raw data address   0x50\r\n0x2c    section1: size of raw data   0x10fa0\r\n0x30    section2: virtual address    0x11000\r\n0x34    etc.\r\nOnce the BloodAlchemy payload is restored, the shellcode interprets this custom format to deploy the final payload into memory and executes it as fileless malware (Figure 8).\r\nFigure 8. The code that interprets the custom format to deploy BloodAlchemy\r\nAnalysis of payload (BloodAlchemy)\r\nStructures\r\nBloodAlchemy has several features that are not commonly found in other malware. One of these features is the 'run mode' value. 
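The two unpacking stages from the shellcode analysis above, LZNT1 decompression followed by interpretation of the custom header, as an added Python example. This is not code from the original article or from the malware; it is a stand-alone reimplementation for rebuilding the payload offline from a decrypted shellcode blob. The section-entry layout (12-byte triples from offset 0x24) follows the table above, but the number of sections is an assumption supplied by the caller, and the sample inputs are constructed for the example rather than taken from a real sample.

```python
import struct

def lznt1_decompress(data):
    # An LZNT1 stream is a sequence of chunks. Each chunk starts with a 2-byte LE
    # header: bits 0-11 = chunk size - 1, bit 15 = chunk is compressed.
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        hdr = data[pos] | (data[pos + 1] << 8)
        pos += 2
        if hdr == 0:                      # zero header terminates the stream
            break
        chunk_end = pos + (hdr & 0x0FFF) + 1
        if not hdr & 0x8000:              # stored chunk: raw bytes follow
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        chunk_base = len(out)
        while pos < chunk_end:
            flags = data[pos]             # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not flags & (1 << bit):
                    out.append(data[pos]) # literal byte
                    pos += 1
                    continue
                # Back-reference token: displacement in the high bits, length in
                # the low bits. The split moves as the chunk output grows, giving
                # the displacement more bits the further into the chunk we are.
                produced = len(out) - chunk_base - 1
                len_mask, disp_shift = 0x0FFF, 12
                while produced >= 0x10:
                    len_mask >>= 1
                    disp_shift -= 1
                    produced >>= 1
                token = data[pos] | (data[pos + 1] << 8)
                pos += 2
                length = (token & len_mask) + 3
                src = len(out) - ((token >> disp_shift) + 1)
                for k in range(length):   # byte-wise: the copy may overlap itself
                    out.append(out[src + k])
    return bytes(out)

HEADER_FMT = '<4sIIIIIIII'      # offsets 0x00-0x20 of the table above (0x24 bytes)
SECTION_FMT = '<III'            # per section: virtual address, raw address, raw size
HEADER_SIZE = struct.calcsize(HEADER_FMT)
MAGIC = bytes.fromhex('45ab45ab')

def parse_header(blob, n_sections):
    # n_sections is an assumption: the article shows the section entries as
    # 12-byte triples starting at 0x24 but does not identify a count field.
    if blob[:4] != MAGIC:
        raise ValueError('bad magic')
    f = struct.unpack_from(HEADER_FMT, blob, 0)
    return {'plugin_id': f[1], 'entry_point': f[2], 'original_base': f[3],
            'absolute_offset': f[4], 'size_of_virtualalloc': f[5],
            'size_of_raw_data': f[6], 'size_unknown': f[7], 'base_of_code': f[8],
            'sections': [struct.unpack_from(SECTION_FMT, blob, HEADER_SIZE + 12 * i)
                         for i in range(n_sections)]}

def map_image(blob, hdr):
    # What the loader in Figure 8 does: reserve size_of_virtualalloc bytes and copy
    # each section to its virtual address. Relocation against original_base is
    # not attempted here because the article does not describe it.
    image = bytearray(hdr['size_of_virtualalloc'])
    for va, raw, size in hdr['sections']:
        if raw + size > len(blob) or va + size > len(image):
            raise ValueError('section out of bounds')
        image[va:va + size] = blob[raw:raw + size]
    return bytes(image), hdr['entry_point']    # entry point is an RVA into image

def unpack_payload(compressed, n_sections):
    blob = lznt1_decompress(compressed)
    hdr = parse_header(blob, n_sections)
    return hdr, map_image(blob, hdr)

# Constructed test input (not a real sample): one compressed chunk that expands to
# ABCABCABCABC, followed by a stored chunk holding XY.
LZNT1_SAMPLE = bytes.fromhex('05b0084142430620' '01305859')

def build_sample_payload():
    # Constructed two-section custom-format blob wrapped in one stored LZNT1 chunk.
    hdr = struct.pack(HEADER_FMT, MAGIC, 0x10, 0x1000, 0x400000, 0, 0x2000, 0x4C, 0, 0x1000)
    hdr += struct.pack(SECTION_FMT, 0x0, 0x40, 8) + struct.pack(SECTION_FMT, 0x1000, 0x48, 4)
    blob = hdr + bytes(0x40 - len(hdr)) + b'HEADERxx' + b'CODE'
    return struct.pack('<H', 0x3000 | (len(blob) - 1)) + blob
```

For a real payload, pass the compressed region of the decrypted shellcode and the section count read from the header in a disassembler; the recovered image can then be loaded at original_base with entry_point as the entry RVA. On Windows, the pure-Python decompressor can be cross-checked against RtlDecompressBuffer.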
When the shellcode transfers control to the entry point of the payload, it calls the entry point with six arguments.\r\nThe first argument sets the run mode, and BloodAlchemy's behavior varies significantly with this value. The following table summarizes the values for each run mode and their corresponding behaviors:\r\nrun mode  behavior\r\n0  Communication with C2 and backdoor functionality, creation of specified processes for code injection, code injection into specified processes, anti-debugging, anti-sandbox techniques, persistence\r\n1  Communication with C2 and backdoor functionality\r\n2  Creation of a thread for communication with C2 and backdoor functionality\r\n3  Communication with C2 and backdoor functionality, code injection into specified processes, anti-debugging, anti-sandbox techniques, persistence\r\n4  Creation of specified processes for code injection\r\n5  Creation of named pipes\r\n6  Installation of the malware\r\nWe also confirmed that BloodAlchemy loads a malware configuration. This configuration is embedded in encrypted form within the shellcode described earlier and is decrypted and used during BloodAlchemy's execution (Figure 9).\r\nFurthermore, if a file whose name is exactly 15 characters from [a-zA-Z] exists in the directory C:\\ProgramData\\Store, that file is loaded as the malware configuration. The same decryption algorithm used for the payload is used to decrypt this file.\r\nFigure 9. The decryption and loading code of the malware configuration\r\nThe malware configuration contains important data for the malicious code. 
This data includes values that adjust the behavior of each run mode, the URL of the C2 server, the process names targeted for code injection, and more. Important items such as the mutex name, the C2 server, and the target process names are stored encrypted. As in ShadowPad, the configuration also contains offset values that point to the positions of these encrypted items.\r\nFigure 10. The encrypted data and the offset values indicating their positions in the configuration\r\nEach encrypted item is stored in the following order: one byte giving the size of the encrypted data, a one-byte key, and the encrypted data itself.\r\noffset  description     data\r\n0x00    size of data    0x25\r\n0x01    one-byte key    0x41\r\n0x02    encrypted data  1E 9D 09 19 7A D0 9D 9D …\r\nThe decryption is performed by another custom algorithm using the stored key. We wrote a simple IDAPython script to decrypt the data:\r\nimport struct\r\nimport ida_bytes  # IDAPython API; the script runs inside IDA on the loaded sample\r\n\r\ndef dec_cmt(offset):\r\n    # entry layout at offset: [size][key][size bytes of ciphertext]\r\n    s = struct.unpack(\"B\", ida_bytes.get_bytes(offset, 1))[0]\r\n    data = ida_bytes.get_bytes(offset, s + 2)\r\n    iv = data[1]\r\n    enc = data[2:]\r\n    dec = \"\"\r\n    for i in range(s):\r\n        dec += chr(iv ^ enc[i] & 0xFF)\r\n        # advance the key: iv += rol8(iv, i % 5 + 1), written here as two shifts\r\n        ku0 = iv << (i % 5 + 1) & 0xFF\r\n        ku1 = iv >> (7 - i % 5) & 0xFF\r\n        iv = (iv + (ku0 | ku1)) & 0xFF\r\n    return dec[:-1]  # drop the trailing NUL\r\nAs an example, Figure 11 shows the offsets resolved and the data decrypted for each value in the malware configuration using this script.\r\nFigure 11. Example of resolving offsets and decrypted data\r\nThe same encryption is used not only for the malware configuration but also for other embedded data, such as important data related to specific file paths. The script decrypts these as well (Figure 12).\r\nFigure 12. Example of decrypting data other than the malware configuration
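A stand-alone version of the entry decryption, added here as an example and not the article's own script (which depends on IDAPython): it works on any bytes object, includes the matching encryption routine so that test entries can be constructed without a sample, and follows an offset table to several entries as in Figure 11. The offset width (little-endian u32) and the layout of the constructed configuration are assumptions; the keystream itself is the same update rule as in the script above.

```python
import struct

def keystream(key, n):
    # Byte i of the keystream is the current state; the state then advances by
    # adding its own rotate-left by (i % 5) + 1 bits. The IDA script above writes
    # that rotate as two shifts (ku0 | ku1).
    state = key & 0xFF
    for i in range(n):
        yield state
        rot = (i % 5) + 1
        state = (state + (((state << rot) | (state >> (8 - rot))) & 0xFF)) & 0xFF

def decrypt_entry(buf, offset=0):
    # Parse one entry at offset: one size byte, one key byte, size bytes of data.
    size, key = buf[offset], buf[offset + 1]
    enc = buf[offset + 2: offset + 2 + size]
    if len(enc) != size:
        raise ValueError('truncated entry at 0x%x' % offset)
    plain = bytes(c ^ k for c, k in zip(enc, keystream(key, size)))
    return plain.rstrip(bytes(1))       # entries carry a trailing NUL; drop it

def encrypt_entry(plain, key):
    # Inverse of decrypt_entry: the same keystream XORed into plaintext + NUL.
    data = plain + bytes(1)
    if len(data) > 0xFF:
        raise ValueError('entry too long for a one-byte size field')
    enc = bytes(p ^ k for p, k in zip(data, keystream(key, len(data))))
    return bytes([len(data), key]) + enc

def resolve_and_decrypt(config, table_offset, count):
    # Assumption (the article shows offset fields but not their width): the table
    # holds little-endian u32 offsets relative to the start of the configuration.
    offsets = struct.unpack_from('<%dI' % count, config, table_offset)
    return [decrypt_entry(config, off) for off in offsets]

def build_sample_config():
    # Constructed configuration (not from a real sample): 8 bytes of padding, a
    # two-entry offset table at 0x08, then the two encrypted entries.
    e1 = encrypt_entry(b'MUTEX_CONSTRUCTED', 0x41)
    e2 = encrypt_entry(b'http://c2.example.invalid/', 0x7A)
    first = 8 + 8
    return bytes(8) + struct.pack('<II', first, first + len(e1)) + e1 + e2
```

On a dumped configuration, pass the bytes and the position of its offset table to resolve_and_decrypt; for the embedded entries outside the configuration (Figure 12), call decrypt_entry directly at the entry's offset.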
Functions\r\nAs mentioned above, BloodAlchemy behaves differently depending on the run mode and on the values in the malware configuration, which makes it a rather unusual sample. Its main function is communication with a C2 server and control of the infected host through the implemented backdoor commands.\r\nThe individual functions implemented in BloodAlchemy are described below.\r\nPersistence\r\nThe payload has a persistence capability. If run_mode is 0 or 3, the executable's path is not the persistence path, and persistence_flag (the value at offset 0x34 in the malware configuration) is not 0, the persistence method is chosen by the value of persistence_flag, from 1 to 4:\r\n1: service + startup + taskschd (COM object)\r\n2: service\r\n3: startup\r\n4: taskschd (COM object)\r\nFigure 13. Calling the persistence function selected by persistence_flag\r\nThe persistence routine places the malware set consisting of test.exe, BrLogAPI.dll, and DIFX in one of the following directories, chosen according to the infected environment:\r\n%AUTOPATH%\\Test\\\r\n%LocalAppData%\\Programs\\Test\\\r\n%ProgramFiles%\\Test\\\r\n%ProgramFiles(x86)%\\Test\\\r\nAnti Sandbox\r\nThe payload also has anti-sandbox capabilities to evade analysis in sandbox environments. They run only when run_mode is 0, the executable's path is not the persistence path, and the value at offset 0x1c in the configuration is 1. The checks cover process names, files, and DNS results. Judging by the process names checked, the purpose appears to be avoiding detection by Trellix sandbox functionality.\r\nFigure 14. 
The anti-sandbox capabilities are enabled by a configuration value\r\nProcess Injection\r\nProcess injection runs when run_mode is 0 or 3 and the value at offset 0x54 in the configuration is 1. The payload then attempts to inject the shellcode described earlier into the following processes, which are specified in the configuration at offsets 0x58 to 0x64:\r\n%windir%\\system32\\SearchIndexer.exe\r\n%windir%\\system32\\wininit.exe\r\n%windir%\\system32\\taskhost.exe\r\n%windir%\\system32\\svchost.exe\r\nTo queue the injected shellcode as an asynchronous procedure call (APC), the QueueUserAPC() function is used. This technique is known as Early Bird injection: the APC is queued to the main thread of a newly created process before that thread starts running, so the shellcode executes ahead of the process's own entry point.\r\nWhat is an Asynchronous Procedure Call (APC)?\r\nA function that executes asynchronously in the context of a particular thread. Each thread has its own APC queue, and an application can register an APC in the queue by calling the QueueUserAPC() function. This results in the execution of the APC function and a software interrupt the next time the thread is scheduled.\r\nAsynchronous Procedure Calls | Microsoft Learn\r\nFigure 15. The process injection using the QueueUserAPC() function\r\nAs a related feature of the payload, if run_mode is 0 or 4 and the value at offset 0x68 in the configuration is 1, it creates the following processes, specified at offsets 0x6c to 0x74, and attempts to inject the shellcode into them with QueueUserAPC() as well:\r\n%windir%\\system32\\wininit.exe\r\n%windir%\\system32\\taskeng.exe\r\n%windir%\\system32\\taskhost.exe\r\n%windir%\\system32\\svchost.exe\r\nCreation of VFT associated with each communication protocol\r\nBloodAlchemy was designed for up to 10 C2 destinations. Interestingly, however, the samples we observed contained only one C2 entry. 
Based on the C2 information, the communication protocol is extracted and the protocol ID used within the malware is set. Based on this protocol ID, the functions needed for communication are imported and a virtual function table (VFT) is created.\r\nWhat is a Virtual Function Table (VFT)?\r\nA table that stores pointers to virtual functions within a class. If a class has one or more virtual functions, the compiler creates a virtual function table for that class. Each instance of the class holds pointers to this table.\r\nVirtual Function Tables | Microsoft Learn\r\nFigure 16. A VFT is created in the malware to handle the corresponding protocol based on the Protocol ID\r\nBackdoor commands\r\n15 backdoor commands are implemented to control the victim machine. The operation performed by each command ID is as follows:\r\ncommand id  description\r\n0x1101      update config\r\n0x1102      get current config\r\n0x1201      update test.exe\r\n0x1202      update BrLogAPI.dll\r\n0x1203      update DIFX\r\n0x1204      uninstall and terminate\r\n0x1205      launch persistence_dir\\test.exe\r\n0x1301      unknown\r\n0x1302      load received payload and store it in a registry value\r\n0x1303      delete registry value\r\n0x1304      unknown\r\n0x1401      get proxy info\r\n0x1402      update proxy info\r\n0x1501      gather victim info\r\n0x1502      echo 0x1502\r\nFigure 17. 
Branching of processing based on the backdoor command ID\r\nThe code similarities with Deed RAT\r\nBased on our reversing results, we found multiple similarities between BloodAlchemy and Deed RAT. Here are some of the code similarities that we consider particularly significant.\r\nThe first remarkably similar point is the unique data structure of the payload header in both BloodAlchemy and Deed RAT, although values such as the magic number and plugin ID differ. This structure is modeled on the PE header, and the payload is mapped into memory according to its fields.\r\nFigure 18. Comparison of custom data structures between Deed RAT and BloodAlchemy\r\nIn relation to the above example, similarities were also found in the loading process of the shellcode and in the DLL file used to read the shellcode. Regarding the payload itself, the following similarities were confirmed with high confidence:\r\nException handling after the entry point\r\nLoading of start functions for each plugin\r\nPlugin names\r\nPlugin information\r\nStructure of the malware configuration (offsets of encrypted data)\r\nHardcoded directories and a specific file name used for persistence\r\nFigure 19. Comparison of exception handling after the entry point\r\nBased on our in-depth analysis and comparison results, we conclude that BloodAlchemy is highly likely to be a variant of Deed RAT.\r\nSummary\r\nIn this article, we have explained our analysis results for BloodAlchemy. 
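Pulling the host artifacts from this analysis together, the following is an added hunting example (not code from the original article): it flags the side-loading file set, the persistence scheduled task, candidate configuration files in C:\\ProgramData\\Store, and injection-target processes spawned by the loader. The file listing and process events are constructed for the example; the loader-as-parent rule is an assumption that covers the BrDifxapi.exe and test.exe cases described above but not a target spawned from an already-injected process.

```python
import re
from pathlib import PureWindowsPath

# Added hunting example, not code from the original article. Inputs: an iterable
# of file paths (forward or back slashes, any case) and process-creation events
# such as Sysmon event ID 1 records reduced to parent/child image paths.

CONFIG_DIR = PureWindowsPath('C:/ProgramData/Store')
CONFIG_NAME_RE = re.compile(r'^[a-zA-Z]{15}$')     # config file: 15 letters, nothing else
TASK_PATH = PureWindowsPath('C:/Windows/System32/Tasks/Dell/BrDifxapi')
FILE_SET = {'brlogapi.dll', 'difx'}                 # side-loaded DLL and encrypted shellcode
LOADERS = {'brdifxapi.exe', 'test.exe'}             # initial loader and its persistence copy
INJECTION_TARGETS = {'searchindexer.exe', 'wininit.exe', 'taskhost.exe',
                     'svchost.exe', 'taskeng.exe'}

def hunt_files(paths):
    # Returns (reason, path) tuples. Directories are grouped so the file set is
    # detected wherever it lands (C:/Windows or any of the Test persistence dirs).
    findings = []
    by_dir = {}
    for raw in paths:
        p = PureWindowsPath(raw)
        by_dir.setdefault(p.parent, set()).add(p.name.lower())
        if p.parent == CONFIG_DIR and CONFIG_NAME_RE.match(p.name):
            findings.append(('candidate config file', raw))
        if p == TASK_PATH:
            findings.append(('persistence scheduled task', raw))
    for directory, names in by_dir.items():
        if FILE_SET <= names and names & LOADERS:
            findings.append(('side-loading file set', str(directory)))
    return findings

def hunt_process_events(events):
    # Assumption: the injection targets are created by the loader process itself
    # (BrDifxapi.exe or the persisted test.exe). svchost.exe started by
    # services.exe, the normal case, is therefore not reported.
    findings = []
    for ev in events:
        parent = PureWindowsPath(ev['parent']).name.lower()
        child = PureWindowsPath(ev['image']).name.lower()
        if parent in LOADERS and child in INJECTION_TARGETS:
            findings.append(('loader spawned injection target',
                             ev['parent'] + ' -> ' + ev['image']))
    return findings

# Constructed sample data for the example (not from a real incident).
SAMPLE_LISTING = [
    'C:/Windows/BrDifxapi.exe', 'C:/Windows/BrLogAPI.dll', 'C:/Windows/DIFX',
    'C:/Windows/System32/Tasks/Dell/BrDifxapi',
    'C:/ProgramData/Store/qWertYuiopAsdfg',          # 15 letters: config candidate
    'C:/ProgramData/Store/notes.txt',                # wrong shape: ignored
    'C:/Program Files/Test/test.exe', 'C:/Program Files/Test/BrLogAPI.dll',
    'C:/Program Files/Test/DIFX',
    'C:/Users/alice/Documents/report.docx',
]
SAMPLE_EVENTS = [
    {'parent': 'C:/Windows/BrDifxapi.exe', 'image': 'C:/Windows/System32/wininit.exe'},
    {'parent': 'C:/Windows/System32/services.exe', 'image': 'C:/Windows/System32/svchost.exe'},
    {'parent': 'C:/Program Files/Test/test.exe', 'image': 'C:/Windows/System32/svchost.exe'},
]

if __name__ == '__main__':
    for reason, where in hunt_files(SAMPLE_LISTING) + hunt_process_events(SAMPLE_EVENTS):
        print(reason + ': ' + where)
```

The file-set rule deliberately requires the DLL, the DIFX blob and one of the loader names in the same directory, since BrLogAPI.dll on its own could be a legitimately installed copy; the config-file rule matches the exact 15-letter shape so that ordinary files in the same directory are not reported.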
BloodAlchemy and Deed RAT both originate from ShadowPad, and given the history of ShadowPad being used in numerous APT campaigns, the usage trend of this malware deserves close attention.\r\nOne more thing: our experts presented a talk titled \"Into the Vapor to Tracking Down Unknown Panda's Claw Marks\" at Botconf 2024, held in Nice, France, discussing the analysis of BloodAlchemy.\r\nThe presentation slides are available below; if you are interested in the BloodAlchemy research, please take a look.\r\n[Slide] Into the Vapor to Tracking Down Unknown Panda’s Claw Marks\r\nAppendix\r\nSource: https://blog-en.itochuci.co.jp/entry/2024/05/23/090000",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog-en.itochuci.co.jp/entry/2024/05/23/090000"
	],
	"report_names": [
		"090000"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "536ca49a-2666-4005-8a50-e552fc7e16ef",
			"created_at": "2023-11-21T02:00:07.375813Z",
			"updated_at": "2026-04-10T02:00:03.471967Z",
			"deleted_at": null,
			"main_name": "Webworm",
			"aliases": [
				"Space Pirates"
			],
			"source_name": "MISPGALAXY:Webworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1c97ccfd-1888-492c-b7b9-bb52c4c3809b",
			"created_at": "2023-01-06T13:46:38.940529Z",
			"updated_at": "2026-04-10T02:00:03.152806Z",
			"deleted_at": null,
			"main_name": "Operation ShadowHammer",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation ShadowHammer",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3ec9542a-2245-466b-86e3-cd345819b09b",
			"created_at": "2023-11-04T02:00:07.67045Z",
			"updated_at": "2026-04-10T02:00:03.388063Z",
			"deleted_at": null,
			"main_name": "Redfly",
			"aliases": [],
			"source_name": "MISPGALAXY:Redfly",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a0effeb-3ee2-4a67-9a9f-ef5c330b1c3a",
			"created_at": "2023-09-07T02:02:47.827633Z",
			"updated_at": "2026-04-10T02:00:04.873323Z",
			"deleted_at": null,
			"main_name": "RedHotel",
			"aliases": [
				"Operation FishMedley",
				"RedHotel",
				"TAG-22"
			],
			"source_name": "ETDA:RedHotel",
			"tools": [
				"Agentemis",
				"BIOPASS",
				"BIOPASS RAT",
				"BleDoor",
				"Brute Ratel",
				"Brute Ratel C4",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"POISONPLUG.SHADOW",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"ShadowPad Winnti",
				"SprySOCKS",
				"Spyder",
				"Winnti",
				"XShellGhost",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8e385d36-06a2-4294-b3d3-01fe8e9d95f4",
			"created_at": "2022-10-25T16:07:24.219051Z",
			"updated_at": "2026-04-10T02:00:04.902017Z",
			"deleted_at": null,
			"main_name": "Space Pirates",
			"aliases": [
				"Erudite Mogwai",
				"Webworm"
			],
			"source_name": "ETDA:Space Pirates",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"BH_A006",
				"Chymine",
				"Darkmoon",
				"Deed RAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"MyKLoadClient",
				"Mydoor",
				"PCRat",
				"PCShare",
				"POISONPLUG.SHADOW",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SnappyBee",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6957eadc-136d-4e6c-b158-4035175b2db4",
			"created_at": "2023-11-07T02:00:07.106754Z",
			"updated_at": "2026-04-10T02:00:03.410616Z",
			"deleted_at": null,
			"main_name": "REF5961",
			"aliases": [],
			"source_name": "MISPGALAXY:REF5961",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434647,
	"ts_updated_at": 1775826774,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/812fab2a9498760768de019c8e75848af55663d3.pdf",
		"text": "https://archive.orkl.eu/812fab2a9498760768de019c8e75848af55663d3.txt",
		"img": "https://archive.orkl.eu/812fab2a9498760768de019c8e75848af55663d3.jpg"
	}
}