{
	"id": "7d721480-32e3-4aa1-9187-e4a98f887aa3",
	"created_at": "2026-04-06T00:11:46.461318Z",
	"updated_at": "2026-04-10T03:37:22.724703Z",
	"deleted_at": null,
	"sha1_hash": "81fb34c3572f674828bfd37782c86f6841830ae9",
	"title": "Walking on APT31 infrastructure footprints",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 311023,
	"plain_text": "Walking on APT31 infrastructure footprints\r\nBy Felix Aimé\r\nPublished: 2021-11-10 · Archived: 2026-04-02 10:59:28 UTC\r\nTable of contents\r\nA brief on the APT31 creature\r\nHunting in the APT31 infrastructure footprints\r\nImplants seen during the walk\r\nConclusion\r\nExternal references\r\nTactics, Techniques and Procedures (TTPs)\r\nIoCs\r\nDomain names\r\nIP Addresses\r\nYara Rules\r\nSEKOIA.IO’s Cyber Threat Intelligence team had an in-depth look at the APT31 intrusion set at the beginning of 2021, when the BfV (Bundesamt für Verfassungsschutz)¹ and McAfee² released new information. A few months later, the French National Cybersecurity Agency (ANSSI) also released a short publication with several IoCs³, showing that the intrusion set was still active and of concern, as multiple national agencies had been involved.\r\nAll of these IoCs were mainly IP addresses, and many of them seemed to be linked to SOHO routers, mostly Pakedge routers at the time. With that observation, we investigated more deeply to see if we could find more infrastructure and implants used by this intrusion set.\r\nA brief on the APT31 creature\r\nAPT31 (aka Zirconium or Judgment Panda) is an Advanced Persistent Threat group whose mission is likely to gather intelligence on behalf of the Chinese government. Similar to other nation-state actors, the group focuses on data of interest to the PRC (People’s Republic of China) and its strategic and geopolitical ambitions, rather than on specific verticals.\r\nChinese adversaries are considered some of the most prolific state-sponsored cyber actors on the planet. 
According to Microsoft’s observations, from July 2020 to June 2021, China-based threat actors displayed the strongest interest in targeting critical infrastructure among all nation-state threats⁴.\r\nhttps://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/\r\nPage 1 of 11\n\nFigure 1. A timeline of the publicly reported APT31-related campaigns\r\nAs shown in Figure 1 and in alignment with available public reports, APT31 has been active since at least 2013, and its 2021 campaign targeting numerous French entities is still ongoing.\r\nEven if the public literature on this intrusion set is quite limited, APT31 is known to use, among other vectors, spear phishing to get a foothold in victims’ networks. Although their recent campaigns weren’t technically sophisticated, they succeeded in bypassing network defences by employing only legitimate websites and services to host their implants (GitHub) and to interact with them once executed on the victims’ workstations (use of the Dropbox API)⁵. The group has also been spotted targeting organizations via SQL injection attacks, as well as leveraging stolen credentials to gain initial access.\r\nAPT31 and other Chinese state-backed actors have lately been the object of several European governments’ attribution statements. Back in July 2021, the UK accused the Chinese Ministry of State Security (MSS) of supporting the APT31 group’s activities⁶. At nearly the same time, the EU detected malicious cyber activities with significant effects that targeted key European industries and linked them to APT31⁷. In both cases, official statements mentioned APT31 alongside another Chinese attacker group, APT40. 
\r\nMoreover, authorities suspect APT31 to be a group of contractors working directly for China’s MSS, or even members of the People’s Liberation Army (PLA) Strategic Support Force, as reported by other sources.\r\nHunting in the APT31 infrastructure footprints\r\nAPT31 is one of the few intrusion sets known to have compromised SOHO routers to compose its operational infrastructure, since at least November 2019, the date on which a sample of the backdoor used on compromised routers was uploaded to VirusTotal for analysis (MD5: 77c73b8b1846652307862dd66ec09ebf). However, this implant may be much older, as ELF files carry no compilation timestamp.\r\nThe Operational Relay Boxes (ORBs) that make up this infrastructure are used as proxies for direct attacks, for active and passive reconnaissance, and also as command and control servers for several implants. To date, we don’t know how they compromised these routers. It is likely that they used a mix of known and unknown vulnerabilities to achieve remote code execution in order to drop their implants and other redirector tools.\r\nWe found ways and heuristics to illuminate some parts of their infrastructure and track it over time. The C2 domains used by this intrusion set have several characteristics:\r\nPatterns: lots of domains had technical strings such as “update”, “check”, “cloud” or “service” along with some IoT/router brands (Mikrotik, Netgear, Qnap, Nec).\r\nDNS configuration: most of them don’t resolve anything without an appropriate subdomain such as “www”, “api”, “sso” etc.\r\nDNS providers: APT31 mainly uses four DNS providers: Monovm, Cloudflare, Topdns and, most recently, Hosteons, which we’ve seen used only for two domains so far.\r\nFake registrant and associated email: the name is mostly composed like a real name (e.g. 
Joseph Edwards) with an associated email address using protonmail.ch, email.cz, post.cz or inbox.lv.\r\nThe resolution timeframe of these domains doesn’t exceed a few days, which is also relevant from an analyst’s point of view.\r\nAs the domains were resolving to SOHO routers, it was also possible to track them using this particularity. Indeed, it is relatively rare for a domain hosted at these DNS providers to point to a domestic autonomous system.\r\nOn the other hand, the network appliances compromised by APT31 have technical characteristics (e.g. administration panels, specific certificates or banners) allowing anybody to recover thousands of IP addresses using them. By using passive DNS resolutions on these IP addresses, it was possible to discover new C2s when an observed FQDN pointing to them had the previously mentioned characteristics.\r\nFinally, we discovered nearly 50 IP addresses and 34 domain names following ANSSI’s publication, with an overlap of one IP address resolved by the domain www.fwcheck[.]com. The table below summarises the brands of network appliances that composed the C2 infrastructure used by APT31 until July 2021. The confidence value depends on the number of heuristics (explained above) that matched, as well as on whether other sources had already mentioned the C2.\r\nBrand seen on C2 | Number of C2s | Confidence\r\nPakedge | 41 | High\r\nCyberOAM | 3 | High\r\nNetgear VPN firewall | 2 | Low\r\nD-LINK | 1 | Low\r\nOthers | 5 | Low\r\nSince July 2021, we have observed a shift in their infrastructure. They left their historical “Pakedge infrastructure” and moved to new clusters composed this time of several other brands and nameservers, in order to avoid infrastructure illumination by analysts. 
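The domain heuristics above, turned into a scoring routine. This is an added example written for this page, not SEKOIA.IO’s own tooling: the record schema (fqdn, apex_resolves, nameservers, registrant, registrant_email, resolved_asn_type, resolution_days), the 7-day cut-off for ‘a few days’, the High/Medium/Low bands and the two sample records are all assumptions made for illustration. It shows the point the text makes implicitly: a single heuristic (a Cloudflare nameserver, a ‘cloud’ in the name) proves nothing, and confidence comes from how many of them line up.

```python
# Added example (not code from the original post): scoring a candidate FQDN
# against the infrastructure heuristics listed above. The record schema,
# thresholds and sample records are assumptions made for illustration.

TECH_WORDS = ('update', 'check', 'cloud', 'service')
ROUTER_BRANDS = ('mikrotik', 'netgear', 'qnap', 'nec')   # 'nec' is short: expect noise
DNS_PROVIDERS = ('monovm', 'cloudflare', 'topdns', 'hosteons')
REGISTRANT_MAIL = ('protonmail.ch', 'email.cz', 'post.cz', 'inbox.lv')
HOST_LABELS = ('www', 'api', 'sso')
MAX_RESOLUTION_DAYS = 7      # 'a few days' in the text; the cut-off is an assumption


def looks_like_person(name):
    '''True for a two-word capitalised name such as Joseph Edwards.'''
    parts = name.split()
    return len(parts) == 2 and all(p.isalpha() and p[0].isupper() and p[1:].islower()
                                   for p in parts)


def score_domain(rec):
    '''Return (score, reasons) for one passive-DNS/WHOIS record.
    Assumed keys: fqdn, apex_resolves, nameservers, registrant, registrant_email,
    resolved_asn_type ('residential' or 'hosting'), resolution_days.'''
    reasons = []
    labels = rec['fqdn'].lower().rstrip('.').split('.')
    host, sld = labels[0], labels[-2]          # sld: registrable label, naive split
    if any(w in sld for w in TECH_WORDS):
        reasons.append('technical keyword in domain')
    if any(b in sld for b in ROUTER_BRANDS):
        reasons.append('router/IoT brand in domain')
    if host in HOST_LABELS and not rec['apex_resolves']:
        reasons.append('only %s. resolves, apex does not' % host)
    if any(p in ns.lower() for ns in rec['nameservers'] for p in DNS_PROVIDERS):
        reasons.append('nameservers at a provider seen with APT31')
    mail_domain = rec['registrant_email'].rsplit('@', 1)[-1].lower()
    if looks_like_person(rec['registrant']) and mail_domain in REGISTRANT_MAIL:
        reasons.append('person-like registrant with a %s mailbox' % mail_domain)
    if rec['resolved_asn_type'] == 'residential':
        reasons.append('resolves into a domestic AS (possible SOHO router)')
    if rec['resolution_days'] <= MAX_RESOLUTION_DAYS:
        reasons.append('resolution lived only %d day(s)' % rec['resolution_days'])
    return len(reasons), reasons


def confidence(score):
    '''Bucket a score the way the table above does (the bands are assumed).'''
    if score >= 5:
        return 'High'
    if score >= 3:
        return 'Medium'
    return 'Low'


def triage(records):
    '''[(fqdn, confidence, reasons)] for a batch of records.'''
    out = []
    for rec in records:
        score, reasons = score_domain(rec)
        out.append((rec['fqdn'], confidence(score), reasons))
    return out


# Constructed records: the domains do not exist and the WHOIS data is invented.
SAMPLE_RECORDS = [
    {'fqdn': 'www.netgearservicecheck.example', 'apex_resolves': False,
     'nameservers': ['ns1.monovm.com', 'ns2.monovm.com'],
     'registrant': 'Joseph Edwards', 'registrant_email': 'joseph.edwards@protonmail.ch',
     'resolved_asn_type': 'residential', 'resolution_days': 3},
    {'fqdn': 'www.cloudupdates.example', 'apex_resolves': True,
     'nameservers': ['ns.cloudflare.com'],
     'registrant': 'Acme Corp', 'registrant_email': 'hostmaster@acme.example',
     'resolved_asn_type': 'hosting', 'resolution_days': 400},
]

if __name__ == '__main__':
    for fqdn, level, why in triage(SAMPLE_RECORDS):
        print(fqdn, level, why)
```

The second record is the deliberate near-miss: a ‘cloud’/‘update’ name on Cloudflare nameservers scores two heuristics and stays Low, which is the behaviour you want before a domain lands on a block list.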
\r\nSince then, it has become more difficult to follow their tracks, although we can still see several new C2s such as neccloud[.]net, resolving to 5.252.176[.]102, a server under the MivoCloud umbrella, or netgearcloud[.]net, resolving to a domestic IP address based in Sweden on September 22, 2021. We link these domains to APT31 with high confidence as they match most of the infrastructure heuristics established during the investigation.\r\nHowever, it’s worth noting that not all their Operational Relay Boxes are resolved by domain names. Therefore, the IoC list provided at the end of this blog post is obviously non-exhaustive and shows only a small fraction of the operational infrastructure they used for attacks in 2021.\r\nImplants seen during the walk\r\nBy looking in open sources at the implants connecting to this infrastructure, we have been able to retrieve several implants that we assess were used by APT31 during their operations, such as Cobalt Strike beacons and an ELF implant dubbed “unifi-video” (MD5: 4640805c362b1e5bee5312514dd0ab2b), impersonating a well-known IoT brand.\r\nFigure 2. Links between some APT31 campaigns, indicators and malware/tools from SEKOIA.IO Intelligence Center.\r\nAmong standard red-teaming tools, APT31 seems to be using Cobalt Strike as an n-stage implant to persist inside the victim’s network. As shown in the table below, several beacons connecting to the “Pakedge infrastructure” have been uploaded to VirusTotal packed inside a PE. 
It is worth noting that, as they have been packed in an executable file, the corresponding hashes identify the wrapper rather than the beacon itself and can’t be used to hunt for APT31 in your network.\r\nPacked beacon MD5 hash | Associated C2\r\nf707759e05ab58296071ec50cc04c9fc | fdexcute[.]com\r\ndc30a177a104717d652a49887851f033 | api[.]ontracting[.]com\r\n362057b23605d83130bdeac749d404f2 | www[.]cypolicy[.]com\r\n0d71876ba535cde68c21aa9b3bb063d1 | www[.]winservicecloud[.]com\r\nLast but not least, our Cobalt Strike trackers spotted two Cobalt Strike listeners on the discovered infrastructure:\r\nDomain | IP address | Description\r\nwww[.]gsncloud[.]com | 68.146.18[.]127 | Cobalt Strike Malleable C2 jQuery profile from 22/03/2021 to 29/04/2021\r\napi[.]tfhjugo[.]com | 83.81.73[.]23 | Cobalt Strike default headers on port 443 from 21/04/2021 to 17/05/2021\r\nUnfortunately, the configurations associated with the discovered Cobalt Strike beacons are pretty common and prevented us from getting more discriminating indicators linked to their use of Cobalt Strike.\r\nDuring the hunt, we found an ELF implant on VirusTotal⁸ whose hardcoded C2 matched www[.]moperfectstore[.]com. We attribute this domain with medium to high confidence to APT31, as it resolved to Pakedge and CyberOAM appliances and matches some of the domain heuristics described above. As the domain didn’t exist prior to 2021, we assess with medium to high confidence that the implant was used by APT31.\r\nThis implant, dubbed “unifi-video” (MD5: 4640805c362b1e5bee5312514dd0ab2b), is a statically-linked, stripped 64-bit ELF. Unifi-video is well-known legitimate software that describes itself as a “Centralized management system for Ubiquiti UniFi surveillance cameras”. It therefore echoes the compromised-appliance infrastructure used by APT31. 
\r\nWhen analysing the file, we noticed several routines overlapping with a known minimalistic Unix backdoor named Rekoobe, which was covered previously by a few cybersecurity vendors such as Dr Web⁹ and Intezer¹⁰.\r\nHowever, several questions remain unanswered regarding the real connection between APT31 and Rekoobe.\r\nFirst, we don’t know at the time of writing whether Rekoobe’s source code is shared between different threat actors, or whether Rekoobe has been operated by APT31 since it was first discovered in 2015. Moreover, if APT31 did operate this sample of Rekoobe, there is no indication whether this implant is used in the infrastructure or to persist in an appliance of a final victim, somewhere.\r\nERRATUM (12/11/2021): While we initially thought that the implant (4640805c362b1e5bee5312514dd0ab2b) was linked to Rekoobe, the security researcher Billy Leonard pointed out on Twitter [Billy Leonard’s tweet] that it was actually Tiny SHell [GitHub repo], with which we fully agree. Tiny SHell has been used by multiple threat actors for several years now, and it is not surprising to see APT31 using it.\r\nConclusion\r\nDespite the lack of open-source literature on this intrusion set, APT31 has remained a prolific threat for years to many Western entities working on government and strategic issues. As of today, we don’t have a clear view of what they are looking for once they have compromised a network, whether it is pre-positioning or data theft.\r\nThis blog post aimed to disclose some of their operational infrastructure and tools used this year so that you can look for possible compromises in your networks. 
\r\nIf you are also investigating APT31, don’t hesitate to share your thoughts with us at threatintel@sekoia.fr to better understand and track down their infrastructure.\r\nExternal references\r\n¹ Bedrohung deutscher Stellen durch Cyberangriffe der Gruppierung APT31\r\n² MVISION Insights: Potential APT31 Activity Against Political Targets\r\n³ Campagne d’attaque du mode opératoire APT31 ciblant la France\r\n⁴ FY21 Microsoft Digital Defense Report\r\n⁵ APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services\r\n⁶ UK and allies hold Chinese state responsible for a pervasive pattern of hacking\r\n⁷ China: Declaration by the High Representative on behalf of the European Union urging Chinese authorities to take action against malicious cyber activities undertaken from its territory\r\n⁸ Sample 4640805c362b1e5bee5312514dd0ab2b\r\n⁹ Linux.Rekoobe.1\r\n¹⁰ Linux Rekoobe Operating with New, Undetected Malware Samples\r\nTactics, Techniques and Procedures (TTPs)\r\nExploit Public-Facing Application (T1190)\r\nNon-Application Layer Protocol (T1095)\r\nApplication Layer Protocol (T1071)\r\nProcess Injection (T1055)\r\nPhishing (T1566)\r\nCompromise Infrastructure (T1584)\r\nAcquire Infrastructure (T1583)\r\nDevelop Capabilities: Malware (T1587.001)\r\nObtain Capabilities: Malware (T1588.001)\r\nIoCs\r\nThe IoCs are provided “as is”. Even if the domain names are a reliable way to hunt for APT31 in your network logs, the IP addresses can produce false positives as they mostly correspond to legitimate home routers. 
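One way to apply that caveat when running these IoCs over DNS logs, as an added example written for this page rather than code from the authors: a query for a listed C2 FQDN, or for anything under its apex, is raised as an alert, while an answer that merely lands on a listed IP is only flagged for review. The handful of indicators used are taken from the list below; the log format (epoch, client, qname, qtype, answer) and the log lines themselves are constructed, and the apex is derived naively from the last two labels without a public-suffix list.

```python
# Added example (not code from the original post): matching this post's IoCs
# against DNS query logs with the caveat above applied. A query for a C2
# domain (or anything under its apex) is an alert; an answer that merely
# lands on an IoC IP is a lead to review, because most of those addresses
# are home routers that change hands. Log format is assumed.

# A subset of the IoCs listed below, still defanged as published.
DOMAIN_IOCS = ['www[.]fwcheck[.]com', 'api[.]tfhjugo[.]com', 'neccloud[.]net',
               'www[.]gsncloud[.]com']
IP_IOCS = ['68[.]146[.]18[.]127', '5[.]252[.]176[.]102', '83[.]81[.]73[.]23']


def refang(ioc):
    '''Turn the published form back into something comparable with logs.'''
    return ioc.replace('[.]', '.').strip().lower().rstrip('.')


def apex_of(fqdn):
    '''Registrable domain, naively the last two labels (no public-suffix list).'''
    return '.'.join(fqdn.split('.')[-2:])


DOMAINS = {refang(d) for d in DOMAIN_IOCS}
APEXES = {apex_of(d) for d in DOMAINS}
IPS = {refang(i) for i in IP_IOCS}

# Constructed log lines in an assumed format: epoch, client, qname, qtype, answer.
SAMPLE_LOG = [
    '1632290000 10.0.0.12 www.fwcheck.com A 203.0.113.10',
    '1632290010 10.0.0.12 api.tfhjugo.com A 83.81.73.23',
    '1632290020 10.0.0.33 mail.example.org A 5.252.176.102',
    '1632290030 10.0.0.40 sso.neccloud.net A 5.252.176.102',
    '1632290040 10.0.0.41 www.example.com A 93.184.216.34',
    '1632290050 10.0.0.42 fwcheck.com A NXDOMAIN',
]


def match_line(line):
    '''Return (severity, reason) for a log line, or None when nothing matches.'''
    _ts, _client, qname, _qtype, answer = line.split()
    q = qname.lower().rstrip('.')
    if q in DOMAINS:
        return 'alert', 'query for known C2 FQDN ' + q
    if apex_of(q) in APEXES:
        # Covers the apex itself (which the text says usually does not resolve,
        # so an NXDOMAIN answer is still a signal) and unlisted subdomains.
        return 'alert', 'query under known C2 apex ' + apex_of(q)
    if answer in IPS:
        return 'review', 'answer ' + answer + ' is an IoC IP; likely a SOHO router, verify before acting'
    return None


def scan(lines):
    '''[(qname, severity, reason)] for every line that matched.'''
    hits = []
    for line in lines:
        hit = match_line(line)
        if hit is not None:
            hits.append((line.split()[2], hit[0], hit[1]))
    return hits


if __name__ == '__main__':
    for qname, severity, reason in scan(SAMPLE_LOG):
        print(severity.upper(), qname, reason)
```

The third sample line is the case the caveat is about: a benign-looking name resolving to a listed address. Treating it as an alert would page someone for what may be an ISP customer who inherited the router’s IP after the ORB was cleaned up or rebooted.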
All the IoCs can be downloaded in STIX 2.1 JSON and CSV formats from the SEKOIA.IO GitHub: https://github.com/SEKOIA-IO/Community/tree/main/IOCs\r\nDomain names\r\nnetgearcloud[.]net\r\nneccloud[.]net\r\nnetgear-update[.]com\r\nwww[.]netgearupdatecheck[.]com\r\nns[.]netgear-update[.]com\r\nwww[.]winserviceupdate[.]com\r\nwinserviceupdate[.]com\r\nwww[.]pi-hole[.]us\r\nwww[.]qnapphoto[.]com\r\nupdate[.]hardis-software[.]com\r\nwww[.]moperfectstore[.]com\r\ninfo[.]miksupport[.]com\r\napi[.]ontracting[.]com\r\nwww[.]fwcheck[.]com\r\nportal[.]icb-transer[.]com\r\nwww[.]cypolicy[.]com\r\nremotetimecheck[.]com\r\napi[.]tfhjugo[.]com\r\nwww[.]camupdatecheck[.]com\r\nwww[.]jsonamazon[.]com\r\nwww[.]serverupdatecheck[.]com\r\nwww[.]nas-timesync[.]com\r\nwww[.]mikupdate[.]com\r\nwww[.]mikrotikupdate[.]com\r\nwww[.]winservicecloud[.]com\r\nwww[.]sophosfwupdate[.]com\r\nwww[.]deviceupdatecheck[.]com\r\nsso[.]futuremixed[.]com\r\nfuturemixed[.]com\r\nsupport[.]deviceupdatecheck[.]com\r\nwww[.]figaro-news[.]com\r\nwww[.]switch-netgear[.]com\r\nwww[.]veritasdiag[.]com\r\nfdexcute[.]com\r\nwww[.]fdexcute[.]com\r\nwww[.]miksupport[.]com\r\nstatus[.]veritasdiag[.]com\r\nwww[.]deviceupdatesupport[.]com\r\nwww[.]keys-networks[.]com\r\nsrv[.]keys-networks[.]com\r\nkeys-networks[.]com\r\nwww[.]oslookup[.]com\r\nwww[.]gsncloud[.]com\r\nIP 
Addresses\r\n213[.]21[.]100[.]188\r\n108[.]46[.]133[.]103\r\n108[.]54[.]184[.]30\r\n116[.]86[.]137[.]232\r\n158[.]174[.]170[.]19\r\n184[.]75[.]129[.]113\r\n185[.]129[.]252[.]187\r\n185[.]130[.]165[.]59\r\n185[.]89[.]55[.]24\r\n185[.]96[.]198[.]75\r\n188[.]165[.]73[.]52\r\n189[.]121[.]150[.]254\r\n213[.]238[.]234[.]249\r\n217[.]210[.]180[.]113\r\n217[.]211[.]53[.]251\r\n45[.]147[.]229[.]194\r\n50[.]71[.]100[.]164\r\n58[.]182[.]61[.]137\r\n58[.]96[.]237[.]98\r\n71[.]64[.]151[.]132\r\n73[.]229[.]137[.]54\r\n78[.]82[.]247[.]37\r\n81[.]227[.]88[.]108\r\n81[.]232[.]51[.]161\r\n81[.]234[.]227[.]62\r\n81[.]236[.]182[.]199\r\n81[.]83[.]4[.]48\r\n82[.]127[.]26[.]151\r\n82[.]136[.]76[.]142\r\n83[.]253[.]189[.]234\r\n83[.]81[.]73[.]23\r\n84[.]23[.]132[.]127\r\n85[.]166[.]160[.]50\r\n85[.]226[.]191[.]68\r\n85[.]229[.]70[.]242\r\n86[.]4[.]247[.]233\r\n88[.]129[.]239[.]96\r\n88[.]129[.]39[.]248\r\n88[.]88[.]141[.]177\r\n89[.]31[.]225[.]131\r\n89[.]31[.]228[.]228\r\n89[.]31[.]228[.]238\r\n90[.]224[.]137[.]58\r\n91[.]117[.]133[.]53\r\n91[.]235[.]247[.]248\r\n93[.]240[.]145[.]166\r\n95[.]236[.]16[.]215\r\n95[.]34[.]0[.]182\r\n96[.]89[.]114[.]192\r\n98[.]128[.]185[.]162\r\n99[.]252[.]170[.]14\r\n68[.]146[.]18[.]127\r\n5[.]252[.]176[.]102\r\nYara Rules\r\nrule unk_apt31_tsh_2021 {\r\n meta:\r\n description = \"Detect APT31-linked TSH sample. This rule is quite specific with the $s3 string. 
We would\"\r\n version = \"1.0\"\r\n creation_date = \"2021-10-11\"\r\n modification_date = \"2021-10-11\"\r\n classification = \"TLP:WHITE\"\r\n hash = \"4640805c362b1e5bee5312514dd0ab2b\"\r\n source = \"SEKOIA.IO\"\r\n strings:\r\n $s1 = { C6 00 48 C6 40 05 49 C6 40 01 49 C6 40 06 4C C6 40 02 53 C6 40 07 45 C6 40 03 54 C6 40 08 3D C6 40 04 46 C6 40 09 00 }\r\n $s2 = { C6 00 54 C6 40 03 4D C6 40 01 45 C6 40 04 3D }\r\n $s3 = \"www.moperfectstore.com\"\r\n condition:\r\n int32be(0) == 0x7f454c46 and\r\n filesize \u003c 1MB and filesize \u003e 900KB and\r\n all of them\r\n}\r\nrule apt_misp_apt31_orb_2021 {\r\n meta:\r\n description = \"Detects APT31 ORB implant\"\r\n version = \"1.0\"\r\n creation_date = \"2021-10-11\"\r\n modification_date = \"2021-10-11\"\r\n classification = \"TLP:WHITE\"\r\n hash = \"77c73b8b1846652307862dd66ec09ebf\"\r\n source = \"SEKOIA.IO\"\r\n strings:\r\n $s1 = \"mv -f %s %s ;chmod 777 %s\"\r\n $s2 = \"GET /plain HTTP/1.1\"\r\n $s3 = \"exc_cmd time out\"\r\n $s4 = \"exc_cmd pipe err\"\r\n $s5 = { 2e 2f [1-10] 20 20 64 65 6c }\r\n condition:\r\n int32be(0) == 0x7f454c46 and\r\n filesize \u003c 800KB and filesize \u003e 400KB and\r\n 4 of ($s*)\r\n}\r\n
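The two hex patterns in unk_apt31_tsh_2021 are opaque as written, so here is what they match, as an added example written for this page and not part of the rule or of SEKOIA.IO’s tooling. Each C6 00 ib / C6 40 dd ib group is an x86-64 MOV BYTE PTR [rax(+disp8)], imm8: the compiler wrote a short constant string to the stack one byte at a time, which is why the plain text never appears in the binary and why the rule needs byte patterns at all. Decoding them gives HISTFILE= for $s1 and TE?M= for $s2 (the R is stored by an instruction the pattern leaves out), consistent with a Tiny SHell server emptying HISTFILE so no shell history is written and setting TERM before spawning the shell. The generalised scanner find_stack_strings and the constructed SAMPLE_CODE blob are assumptions that go beyond the rule.

```python
# Added example (not code from the original post): what the $s1 and $s2 hex
# patterns of rule unk_apt31_tsh_2021 actually match. 'C6 00 ib' encodes the
# x86-64 instruction MOV BYTE PTR [rax], imm8 and 'C6 40 dd ib' encodes
# MOV BYTE PTR [rax+dd], imm8; an optimising compiler writes a short constant
# string to the stack one byte at a time this way, so the literal never shows
# up in .rodata and a plain string search misses it.

MOV_RM8_IMM8 = 0xC6
MODRM_RAX = 0x00          # [rax]
MODRM_RAX_DISP8 = 0x40    # [rax + disp8]

# Hex strings copied from the rule above (fromhex tolerates the spaces).
S1 = bytes.fromhex('C6 00 48 C6 40 05 49 C6 40 01 49 C6 40 06 4C C6 40 02 53 '
                   'C6 40 07 45 C6 40 03 54 C6 40 08 3D C6 40 04 46 C6 40 09 00')
S2 = bytes.fromhex('C6 00 54 C6 40 03 4D C6 40 01 45 C6 40 04 3D')


def parse_store(code, i):
    '''Decode one MOV BYTE PTR [rax(+disp8)], imm8 starting at code[i].
    Returns (string_offset, byte_value, next_index), or None if the bytes at
    code[i] are not such an instruction.'''
    if i + 2 >= len(code) or code[i] != MOV_RM8_IMM8:
        return None
    modrm = code[i + 1]
    if modrm == MODRM_RAX:
        return 0, code[i + 2], i + 3
    if modrm == MODRM_RAX_DISP8 and i + 3 < len(code):
        return code[i + 2], code[i + 3], i + 4
    return None


def assemble(cells):
    '''Lay the written bytes out in string order. Positions the run never
    wrote show as ?, and a trailing NUL terminator is dropped.'''
    buf = bytearray(b'?' * (max(cells) + 1))
    for offset, value in cells.items():
        buf[offset] = value
    if buf[-1] == 0:
        del buf[-1]
    return buf.decode('ascii', errors='replace')


def find_stack_strings(blob, min_stores=3):
    '''Scan a code blob for runs of at least min_stores consecutive byte
    stores relative to rax; return [(blob_offset, decoded_string)]. This
    generalises the rule's two fixed patterns to any such run (assumed
    extension, not part of the rule).'''
    found = []
    i = 0
    while i < len(blob):
        cells, j = {}, i
        while True:
            step = parse_store(blob, j)
            if step is None:
                break
            offset, value, j = step
            cells[offset] = value
        if len(cells) >= min_stores:
            found.append((i, assemble(cells)))
            i = j
        else:
            i += 1
    return found


def decode_rule_strings():
    '''The text each hex pattern of the rule builds: $s1 is HISTFILE= and
    $s2 is TE?M=, where the ? is the R written by an instruction the
    pattern does not cover.'''
    return {'$s1': find_stack_strings(S1)[0][1],
            '$s2': find_stack_strings(S2)[0][1]}


# Constructed stand-in for a code section: filler, $s1, three unrelated
# bytes (MOV RDI, RAX), $s2, then NOP padding.
SAMPLE_CODE = (bytes(range(0x10, 0x40)) + S1 + bytes.fromhex('48 89 c7')
               + S2 + bytes([0x90]) * 8)

if __name__ == '__main__':
    print(decode_rule_strings())
    for offset, text in find_stack_strings(SAMPLE_CODE):
        print('0x%04x  %s' % (offset, text))
```

Because $s1 and $s2 depend on the compiler choosing rax as the base register and these exact displacements, a rebuild of the same source with a different toolchain can defeat them; that is why the rule’s author leans on $s3, the hardcoded C2 domain, for specificity.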
Source: https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/"
	],
	"report_names": [
		"walking-on-apt31-infrastructure-footprints"
	],
	"threat_actors": [
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dc7ee503-9494-4fb6-a678-440c68fd31d8",
			"created_at": "2022-10-25T16:07:23.349177Z",
			"updated_at": "2026-04-10T02:00:04.552639Z",
			"deleted_at": null,
			"main_name": "APT 31",
			"aliases": [
				"APT 31",
				"Bronze Vinewood",
				"G0128",
				"Judgment Panda",
				"Red Keres",
				"RedBravo",
				"TA412",
				"Violet Typhoon",
				"Zirconium"
			],
			"source_name": "ETDA:APT 31",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"GrewApacha",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Roarur",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434306,
	"ts_updated_at": 1775792242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/81fb34c3572f674828bfd37782c86f6841830ae9.pdf",
		"text": "https://archive.orkl.eu/81fb34c3572f674828bfd37782c86f6841830ae9.txt",
		"img": "https://archive.orkl.eu/81fb34c3572f674828bfd37782c86f6841830ae9.jpg"
	}
}